new configuration version

2025-09-04 08:32:43 +00:00 · 2025-09-04 08:32:43 +00:00 · 3f615f856b
parent 8820fd4bb5
commit 3f615f856b
2 changed files with 49 additions and 40 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@ -46,7 +46,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-2942bf9fcda0947d8f79b347d28c4097cbbf8c68"
+    tag: "r-8ef0fba9376830a56ab841d506cbf4b17c459453"
    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
    credentials: "git-credentials"
  database:
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
@ -23,13 +23,25 @@ def redirect(String url) {
    outargs.put('nevis.transfer.destination', url)
 }
-/**
+String getNormalisedSamlMessage(String parameter) {
- * Extracts the content of the Issuer element from a parsed SAML message.
+    if (parameter == null) {
- * The Issuer is optional according to SAML specification but we need it for dispatching.
+        return
- *
+    }
- * @param xml - as parsed by Groovy XmlSlurper
+    String text
- * @return text content of Issuer element converted or null
+    byte[] decoded
- */
+
    // if parameter is raw xml then continue otherwise try to parse the base64 encoding
    if (parameter.startsWith("<")) {
        text = new String(parameter)
    }
    else {
        decoded = parameter.decodeBase64()
        text = new String(decoded)
    }
    return text
 }
 String getNodeText(GPathResult xml, String nodeName) {
    return xml.depthFirst().find { GPathResult node -> {
        node.name().endsWith(":${nodeName}") || node.name().equalsIgnoreCase(nodeName)
@ -37,45 +49,42 @@ String getNodeText(GPathResult xml, String nodeName) {
    }?.text()?.trim()
 }
-String getNodeText(String samlMessage, String nodeName) {
+String getAttribute(GPathResult xml, String attributeName) {
    return xml.depthFirst().find { GPathResult node -> {
        node.attributes().containsKey(attributeName)
      }
    }?.attributes()?.get(attributeName)
 }
 String getNodeText(String parameter, String nodeName) {
    String samlMessage = getNormalisedSamlMessage(parameter)
    if (samlMessage == null) {
        return
    }
    String text
    byte[] decoded
    def parser = new XmlSlurper()
-    // if samlMessage is raw xml then continue otherwise try to parse the base64 encoding
+    def xml = parser.parseText(samlMessage)
-    if (samlMessage.startsWith("<")) {
+    return getNodeText(xml, nodeName)
-        text = new String(samlMessage)
+}
    }
    else {
        decoded = samlMessage.decodeBase64()
        text = new String(decoded)
    }
-    // after decoded, if redirect binding, we need to parse string to xml
+String getAttribute(String parameter, String attributeName) {
-    if (text.startsWith("<")) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
-        // plain String (POST/SOAP parameter)
+    if (samlMessage == null) {
-        def xml = parser.parseText(text)
+        return
        return getNodeText(xml, nodeName)
    }
    else {
        // should be deflate encoded (query parameter)
        def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
        def xml = parser.parse(is)
        return getNodeText(xml, nodeName)
    }
    def parser = new XmlSlurper()
    def xml = parser.parseText(samlMessage)
    return getAttribute(xml, attributeName)
 }
 String getIssuer(String value) {
  return getNodeText(value, 'Issuer')
 }
-String getRequesterID(String value) {
+String getAttributeConsumingServiceIndex(String value) {
-  return getNodeText(value, 'RequesterID')
+  return getAttribute(value, 'AttributeConsumingServiceIndex')
 }
-def dispatchIssuer(i2s, String issuer, String requester) {
+def dispatchIssuer(i2s, String issuer, boolean secureMode) {
    def result = i2s.get(issuer)
    if (result == null) {
        LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
@ -85,10 +94,9 @@ def dispatchIssuer(i2s, String issuer, String requester) {
    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
        LOG.debug("EPD: Artifact mode")
        result = result + "_artifact"
-    } else if (result == 'main') {
+    } else if (result == 'main' && secureMode) {
-        if ('https://op.agov-w.azure.adnovum.net/SAML2/ACS/' == requester) {
+        LOG.debug("AGOV: Secure mode requested")
-            result =  result + "_secure"
+        result =  result + "_secure"
        }
    } 
    response.setResult(result)
    session.put("saml.inbound.issuer", issuer)
@ -97,18 +105,19 @@ def dispatchIssuer(i2s, String issuer, String requester) {
 }
 def dispatchIssuer(i2s, String issuer) {
-  dispatchIssuer(i2s, issuer, 'unknown')
+  dispatchIssuer(i2s, issuer, false)
 }
 def dispatchMessage(i2s, String message) {
    def issuer = getIssuer(message)
-    def requester = getRequesterID(message)
+    def secureMode = (getAttributeConsumingServiceIndex(message) == '10101')
    LOG.info("secureMode requested: ${secureMode}")
    if (issuer == null) {
        LOG.info("No issuer found in incoming SAML message. Giving up.")
    }
    session.put("saml.inbound.issuer", issuer)
-    dispatchIssuer(i2s, issuer, requester)
+    dispatchIssuer(i2s, issuer, secureMode)
 }
 if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {