new configuration version

2025-09-04 08:32:43 +00:00 · 2025-09-04 08:32:43 +00:00 · 3f615f856b
parent 8820fd4bb5
commit 3f615f856b
2 changed files with 49 additions and 40 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@ -46,7 +46,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-2942bf9fcda0947d8f79b347d28c4097cbbf8c68"
+    tag: "r-8ef0fba9376830a56ab841d506cbf4b17c459453"
    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
    credentials: "git-credentials"
  database:
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy
@ -23,13 +23,25 @@ def redirect(String url) {
    outargs.put('nevis.transfer.destination', url)
 }

-/**
- * Extracts the content of the Issuer element from a parsed SAML message.
- * The Issuer is optional according to SAML specification but we need it for dispatching.
- *
- * @param xml - as parsed by Groovy XmlSlurper
- * @return text content of Issuer element converted or null
- */
+String getNormalisedSamlMessage(String parameter) {
+    if (parameter == null) {
+        return
+    }
+    String text
+    byte[] decoded
+
+    // if parameter is raw xml then continue otherwise try to parse the base64 encoding
+    if (parameter.startsWith("<")) {
+        text = new String(parameter)
+    }
+    else {
+        decoded = parameter.decodeBase64()
+        text = new String(decoded)
+    }
+    return text
+}
+
+
 String getNodeText(GPathResult xml, String nodeName) {
    return xml.depthFirst().find { GPathResult node -> {
        node.name().endsWith(":${nodeName}") || node.name().equalsIgnoreCase(nodeName)
@ -37,45 +49,42 @@ String getNodeText(GPathResult xml, String nodeName) {
    }?.text()?.trim()
 }

-String getNodeText(String samlMessage, String nodeName) {
+String getAttribute(GPathResult xml, String attributeName) {
+    return xml.depthFirst().find { GPathResult node -> {
+        node.attributes().containsKey(attributeName)
+      }
+    }?.attributes()?.get(attributeName)
+}
+
+String getNodeText(String parameter, String nodeName) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
    if (samlMessage == null) {
        return
    }
-    String text
-    byte[] decoded
    def parser = new XmlSlurper()
-    // if samlMessage is raw xml then continue otherwise try to parse the base64 encoding
-    if (samlMessage.startsWith("<")) {
-        text = new String(samlMessage)
-    }
-    else {
-        decoded = samlMessage.decodeBase64()
-        text = new String(decoded)
-    }
+    def xml = parser.parseText(samlMessage)
+    return getNodeText(xml, nodeName)
+}

-    // after decoded, if redirect binding, we need to parse string to xml
-    if (text.startsWith("<")) {
-        // plain String (POST/SOAP parameter)
-        def xml = parser.parseText(text)
-        return getNodeText(xml, nodeName)
-    }
-    else {
-        // should be deflate encoded (query parameter)
-        def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
-        def xml = parser.parse(is)
-        return getNodeText(xml, nodeName)
+String getAttribute(String parameter, String attributeName) {
+    String samlMessage = getNormalisedSamlMessage(parameter)
+    if (samlMessage == null) {
+        return
    }
+    def parser = new XmlSlurper()
+    def xml = parser.parseText(samlMessage)
+    return getAttribute(xml, attributeName)
 }

 String getIssuer(String value) {
  return getNodeText(value, 'Issuer')
 }

-String getRequesterID(String value) {
-  return getNodeText(value, 'RequesterID')
+String getAttributeConsumingServiceIndex(String value) {
+  return getAttribute(value, 'AttributeConsumingServiceIndex')
 }

-def dispatchIssuer(i2s, String issuer, String requester) {
+def dispatchIssuer(i2s, String issuer, boolean secureMode) {
    def result = i2s.get(issuer)
    if (result == null) {
        LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
@ -85,11 +94,10 @@ def dispatchIssuer(i2s, String issuer, String requester) {
    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
        LOG.debug("EPD: Artifact mode")
        result = result + "_artifact"
-    } else if (result == 'main') {
-        if ('https://op.agov-w.azure.adnovum.net/SAML2/ACS/' == requester) {
+    } else if (result == 'main' && secureMode) {
+        LOG.debug("AGOV: Secure mode requested")
        result =  result + "_secure"
    } 
-    } 
    response.setResult(result)
    session.put("saml.inbound.issuer", issuer)
    session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
@ -97,18 +105,19 @@ def dispatchIssuer(i2s, String issuer, String requester) {
 }

 def dispatchIssuer(i2s, String issuer) {
-  dispatchIssuer(i2s, issuer, 'unknown')
+  dispatchIssuer(i2s, issuer, false)
 }

 def dispatchMessage(i2s, String message) {
    def issuer = getIssuer(message)
-    def requester = getRequesterID(message)
+    def secureMode = (getAttributeConsumingServiceIndex(message) == '10101')
+    LOG.info("secureMode requested: ${secureMode}")

    if (issuer == null) {
        LOG.info("No issuer found in incoming SAML message. Giving up.")
    }
    session.put("saml.inbound.issuer", issuer)
-    dispatchIssuer(i2s, issuer, requester)
+    dispatchIssuer(i2s, issuer, secureMode)
 }

 if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {