diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
index f69fb9f..9e51618 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@@ -45,7 +45,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-9af6a792e2720efb1d09318c1e3f4a2ab355af31"
+ tag: "r-db9522d1110b41177e7d034419ef1fb68f95b0b8"
 dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
 credentials: "git-credentials"
 keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
index 87ef5fb..d86fe01 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
@@ -68,6 +68,32 @@ def getUserIdVerificationForRecovery() { return result } +def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber) { + def result = 'urn:qa.agov.ch:names:tc:ac:classes:' + + switch (idVerification) { + case 'None': + result = result.concat('100') + break + case 'SimpleLetter': + result = result.concat('200') + break + case 'Video': + case 'VideoSelfPaid': + case 'Bmid': + case 'BmidSelfPaid': + case 'Counter': + result = result.concat((highestRoleLevelNumber == 400) ? '400' : '300') + break + default: + LOG.warn("unexpected idVerification for recovery on account: ${idVerification}") + // safest default, should work in any case + result = result.concat('' + highestRoleLevelNumber) + } + + return result +} + def getUserMustRecoverValidFrom() { // set attibutes from DTO: -> validFrom def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) @@ -95,9 +121,9 @@ try { adressVerification = adressVerificationList[0] } - LOG.debug('Requested role level '+ requestedRoleLevelNumber) - LOG.debug('idVerification: ' + getUserAGOVLoiIdVerification()) - LOG.debug('adressVerification : ' + adressVerification) + LOG.debug('CheckLoa: Requested role level '+ requestedRoleLevelNumber) + LOG.debug('CheckLoa: idVerification: ' + getUserAGOVLoiIdVerification()) + LOG.debug('CheckLoa: adressVerification : ' + adressVerification) def idVerificationMethodList = getUserAGOVLoiIdVerification() 
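Review bot: The `default:` branch of `getAqLevelBasedOnIdVerificationForRecovery` fails open: an `idVerification` value the switch does not recognise is mapped to `highestRoleLevelNumber`, which by its name is the strongest level found on the account, while the comment calls that the safest default. For an assurance-level claim the conservative fallback is the lowest level, e.g. `result = result.concat('100')`, or ending the flow with an error result. The copy of this function added to recovery-preprocessing.groovy has the same branch (`result = highestRoleLevel`). The two copies differ only in the prefix and in how the level is represented, so a single shared mapping would keep them from drifting apart.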
@@ -143,12 +169,12 @@ try { } } } - LOG.debug('Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) - LOG.debug(' Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) + LOG.debug('CheckLoa: Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) + LOG.debug('CheckLoa: Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) //set attribute Actual Role Level session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber) - LOG.debug('actual role level (agov) '+ highestRoleLevelNumber) + LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber) if (highestRoleLevelNumber > 0) { // set attribute contextClassRefToSet 
@@ -165,18 +191,19 @@ try { session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' ) def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None' - if (highestRoleLevelNumber < 300) { - // plus 100, if mustRecover - highestRoleLevelNumber += 100 - } - session.setAttribute('agov.recovery.currentAgovAq', 'urn:qa.agov.ch:names:tc:ac:classes:'.concat(highestRoleLevelNumber.toString()) ) def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification ) + // align currentAgovAq with the method selected for idVerification + def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber) + session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery) + def validFrom = getUserMustRecoverValidFrom() ?: '' session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom ) + LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}") + response.setResult('exit.2') return 
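Review bot: `idVerification` can reach the new switch as a collection rather than a string: when `getUserIdVerificationForRecovery()` returns nothing it falls back to `origIdVerification`, which is the raw result of `getUserAGOVLoiIdVerification(...)`, and the next hunk's context calls `.isEmpty()` and `.first()` on the result of that same call. If the helper does return a list, none of the string cases match and the value lands in the `default:` branch, so `agov.recovery.currentAgovAq` is silently taken from `highestRoleLevelNumber` and `agov.recovery.currentIdVerification` is stored in list form. Normalising the fallback first avoids that, e.g. `def origList = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())` followed by `def origIdVerification = origList ? origList.first() : 'None'`. The helper's return type is not visible in this diff, so this needs confirming against its definition. The enclosing `try` block starts and ends outside the hunk.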
@@ -184,7 +211,7 @@ try { session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery') session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown') session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' ) - LOG.debug('idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())) + LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())) def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first())) def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: '' @@ -202,8 +229,8 @@ try { def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) def validTo = getUserAGOVLoiValidTo('level'.concat(highestRoleLevelNumber.toString())) - LOG.debug('ValidFrom :' + validFrom) - LOG.debug('ValidTo :' + validTo) + LOG.debug('CheckLoa: ValidFrom :' + validFrom) + LOG.debug('CheckLoa: ValidTo :' + validTo) if(validFrom != '') { session.setAttribute('ValidFrom', '' + validFrom) diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureAccountState.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureAccountState.groovy index 2388610..391afdb 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureAccountState.groovy +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureAccountState.groovy 
@@ -4,7 +4,6 @@ import ch.nevis.idm.client.IdmRestClientFactory import ch.nevis.idm.client.HTTPRequestWrapper import groovy.json.JsonSlurper -import groovy.xml.XmlSlurper // Accounting def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown' 
@@ -15,91 +14,112 @@ def credentialType = session['authenticatedWith'] ?: 'unknown' def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown' def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown' - - - - IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters) String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId') String userExtId = session.get('ch.adnovum.nevisidm.user.extId') -String sessionId = session.get('ch.nevis.session.conversationId') +String loginId = session.get('ch.adnovum.nevisidm.user.loginId') +String profileExtId = session.get('ch.adnovum.nevisidm.profileExtId') -String endPoint = "${parameters.get('utility-service.baseUrl')}/api/v1/recovery/code" +String unitExtid= parameters.get('unitExtid') +String level100RoleExtid = parameters.get('level100.roleExtid') -def userDto = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) -def recoveryCredential = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.state.text() == 'ACTIVE' && node.context.text() == 'RECOVERY'} +String baseUrl = "${parameters.get('idm.baseUrl')}/core/v1/$clientExtId" +boolean audited = false +String agovAq100AuthEndpoint = null +String endpoint = null -// 1a) check if user has a credential -if ( recoveryCredential != null ) { - LOG.debug("Account '${user}' has an active recovery code, no need to create new code") - response.setResult('done') - return -} +// 1) create the profile if needed +if (profileExtId == null || profileExtId.isEmpty()) { -// 1b) check if a recovery is ongoing (nothing to do) -if (Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-AccountStatus.recovery')).findAny().isPresent()) { - LOG.debug("Account '${user}' is in recovery, no need to create new code") - response.setResult('done') - return -} + endpoint = 
"${baseUrl}/users/${userExtId}/profiles" + profileExtId = UUID.randomUUID().toString() + def postRequest = new HTTPRequestWrapper() + postRequest.addToHeaders('Content-Type', ['application/json']) -// 2) set cookie for recoveryCode -if (outargs.containsKey('out.JWTToken')) { - def token = outargs.getProperty('out.JWTToken').bytes.encodeBase64().toString() - def agovRecoveryCodeCookie = "agovRecoveryCode=${token }; Domain=${parameters.get('cookie.domain')}; Path=/; SameSite=Strict; Secure; HttpOnly" - response.setHeader('Set-Cookie', agovRecoveryCodeCookie) - outargs.remove('out.JWTToken') -} + def dto = "{\"extId\":\"${profileExtId}\",\"unitExtId\":\"${unitExtid}\",\"profileState\":\"active\",\"name\":\"Profile-${loginId}\",\"isDefaultProfile\":true,\"modificationComment\":\"Repaired for request ${requestId}\"}" + postRequest.setPayLoad(dto.getBytes('UTF-8')) -// 3) generate code if not yet done -if (!session['agov.new.recovery.code.generated']) { - inargs.remove('submit') - try { - def postRequest = new HTTPRequestWrapper() - postRequest.addToHeaders('Content-Type', ['application/json']) + def result = idmRestClient.postWithResponse(endpoint, postRequest) + if (result.getStatusCode() != 201) { + LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create the missing profile (http status code ${result.getStatusCode()})'") - postRequest.setPayLoad("{\"userExtId\":\"$userExtId\",\"userSessionId\": \"$sessionId\"}".getBytes('UTF-8')) - - def result = idmRestClient.postWithResponse(endPoint, postRequest) - if (result.getStatusCode() != 200) { - LOG.debug("Payload: ${new String(postRequest.getPayLoad())}") - LOG.debug("Result: ${result}") - LOG.warn("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', 
SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create code (http status code ${result.getStatusCode()})") - response.setResult('failed') - return - } + response.setNote('saml.errorCode', 'Responder') + response.setNote('saml.errorMessage', "account of the user with agovId ${userExtId} is in a corrupt state, should contact agov help") - def json = new JsonSlurper().parseText(new String(result.getPayLoad(), 'UTF-8')) - - notes.setProperty('agov.new.recovery.code', json['recoveryCode']['code'].replaceAll('^(....)(....)(.*)$', '$1-$2-$3')) - LOG.debug("agov.new.recovery.code: ${notes['agov.new.recovery.code']}") - - response.setSessionAttribute('agov.new.recovery.code.generated', 'true') - def validTil = "${json['recoveryCode']['validUntil'][2]}.${json['recoveryCode']['validUntil'][1]}.${json['recoveryCode']['validUntil'][0]}" - response.setSessionAttribute('agov.new.recovery.code.validTil', validTil) - response.setSessionAttribute('agov.new.recovery.code.pdfAuthToken', json['authToken']) - - LOG.info("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'") - - } catch(Exception e) { - LOG.warn("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create code (http status code ${e.getMessage()})") - LOG.error("Recoverycode processing failed: $e") response.setResult('failed') return + } else { + LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='created missing profile'") + audited = true + } +} + + +// 2) add level 100 role if needed +if (!Arrays.stream(response.getActualRoles()).filter( r 
-> r.contains('AGOV-Loi.level100')).findAny().isPresent()) { + endpoint = "${baseUrl}/profiles/${profileExtId}/authorizations" + def postRequest = new HTTPRequestWrapper() + postRequest.addToHeaders('Content-Type', ['application/json']) + + def dto = "{\"extId\":\"${UUID.randomUUID().toString()}\",\"roleExtId\":\"${level100RoleExtid}\"}" + postRequest.setPayLoad(dto.getBytes('UTF-8')) + + def result = idmRestClient.postWithResponse(endpoint, postRequest) + if (result.getStatusCode() != 201) { + LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create the missing AGOVaq 100 role (http status code ${result.getStatusCode()})'") + + response.setNote('saml.errorCode', 'Responder') + response.setNote('saml.errorMessage', "account of the user with agovId ${userExtId} is in a corrupt state, should contact agov help") + + response.setResult('failed') + return + } else if (!audited) { + LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='created missing AGOVaq 100 role'") + audited = true + } + agovAq100AuthEndpoint = result.getLocation() +} + + +// 3) set the AQ level 100 verification to None +if (!session['ch.adnovum.nevisidm.userDto'].contains("idVerificationNoneAGOV-Loi,level100")) { + + if (agovAq100AuthEndpoint == null) { + endpoint = "${baseUrl}/profiles/${profileExtId}/authorizations" + + def result = idmRestClient.get(endpoint) + def json = new JsonSlurper().parseText(result) + + json['items'].eachWithIndex { az, i -> + if (az.roleExtId == level100RoleExtid) { + agovAq100AuthEndpoint = "${endpoint}/${az.extId}" + } + } } - response.setResult('encryptCode') - return + endpoint = "${agovAq100AuthEndpoint}/properties" + + def 
patchRequest = new HTTPRequestWrapper() + patchRequest.addToHeaders('Content-Type', ['application/json']) + + patchRequest.setPayLoad('{"idVerification":"None"}'.getBytes('UTF-8')) + + def result = idmRestClient.patchWithResponse(endpoint, patchRequest) + + if (result.getStatusCode() != 200) { + LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to patch the AGOVaq 100 role (http status code ${result.getStatusCode()})'") + + } else if (!audited) { + LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='patched AGOVaq 100 role with idVerification'") + audited = true + } } -if (inargs['submit']) { - def agovRecoveryCodeCookie = "agovRecoveryCode=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly" - response.setHeader('Set-Cookie', agovRecoveryCodeCookie) + +if (audited) { + response.setResult('reload') +} else { response.setResult('done') - return -} - -// show the GUI -response.setStatus(AuthResponse.AUTH_CONTINUE) \ No newline at end of file +} \ No newline at end of file diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy index e1e6320..2388610 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy 
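Review bot: The profile payload in step 1 of ensureAccountState.groovy is assembled by interpolating `loginId` and `requestId` into a JSON string literal, so a quote or backslash in either value changes the structure of the document posted to the IDM REST endpoint; `requestId` is defined outside this hunk and its origin should be checked. Building the body with `groovy.json.JsonOutput` (with the matching import next to `JsonSlurper`) escapes the values, and the role payload in step 2 can be built the same way. Step 3 also needs guards: if no authorization matches `level100RoleExtid`, or `result.getLocation()` returned null, the PATCH goes to `null/properties`, the GET response is parsed without a status check, and a failed PATCH is only logged while the script still ends in `done` or `reload`.

```groovy
// … unchanged: endpoint, profileExtId and postRequest setup …
def dto = JsonOutput.toJson([
    extId              : profileExtId,
    unitExtId          : unitExtid,
    profileState       : 'active',
    name               : "Profile-${loginId}".toString(),
    isDefaultProfile   : true,
    modificationComment: "Repaired for request ${requestId}".toString()
])
postRequest.setPayLoad(dto.getBytes('UTF-8'))
// … unchanged: POST, status check and audit logging …

// step 3, after the authorization lookup and before building the properties URL
if (agovAq100AuthEndpoint == null) {
    // no level-100 authorization was found or created: do not PATCH "null/properties"
    response.setResult('failed')
    return
}
endpoint = "${agovAq100AuthEndpoint}/properties"
// … unchanged: PATCH request and audit logging …
```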
@@ -4,6 +4,7 @@ import ch.nevis.idm.client.IdmRestClientFactory import ch.nevis.idm.client.HTTPRequestWrapper import groovy.json.JsonSlurper +import groovy.xml.XmlSlurper // Accounting def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown' @@ -26,8 +27,11 @@ String sessionId = session.get('ch.nevis.session.conversationId') String endPoint = "${parameters.get('utility-service.baseUrl')}/api/v1/recovery/code" +def userDto = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) +def recoveryCredential = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.state.text() == 'ACTIVE' && node.context.text() == 'RECOVERY'} + // 1a) check if user has a credential -if (session['ch.nevis.idm.User.cred.context_password1.state'] == 'ACTIVE' ) { +if ( recoveryCredential != null ) { LOG.debug("Account '${user}' has an active recovery code, no need to create new code") response.setResult('done') return diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml index 5e9bd46..7c31156 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml @@ -521,6 +521,8 @@ + + @@ -653,6 +655,8 @@ + + @@ -722,6 +726,8 @@ + + @@ -1425,7 +1431,7 @@ - + @@ -1562,6 +1568,8 @@ + + @@ -1572,6 +1580,8 @@ + + diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-preprocessing.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-preprocessing.groovy index e8fc47e..157eb70 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-preprocessing.groovy 
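Review bot: In ensureRecoveryCode.groovy the new `new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))` call has no null check and, as far as the hunk shows, runs outside any `try`, so a session without that attribute would end the script with an exception instead of a result. recovery-preprocessing.groovy guards the same attribute with `session['ch.adnovum.nevisidm.userDto'] != null` before using it. A guard such as `def rawUserDto = session.get('ch.adnovum.nevisidm.userDto')` and `def userDto = rawUserDto ? new XmlSlurper().parseText(rawUserDto) : null`, with the `find` made null-safe, would leave `recoveryCredential` null in that case and keep the flow defined. Whether this state can be entered without the attribute is not visible in the diff.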
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-preprocessing.groovy @@ -11,14 +11,6 @@ def maxLoiRoleToCtxClssConvertorMap = [ "level500": "urn:qa.agov.ch:names:tc:ac:classes:500" ] -def maxLoiRecoveryStepupMap = [ - "level100": "level200", - "level200": "level300", - "level300": "level300", - "level400": "level400", - "level500": "level500" -] - def getUserIdVerificationForRecovery(currentLoaRole) { // application is AGOV-AccountStatus def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) @@ -49,6 +41,32 @@ def getUserIdVerificationForRecovery(currentLoaRole) { return result } +def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevel) { + def result = 'level' + + switch (idVerification) { + case 'None': + result = result.concat('100') + break + case 'SimpleLetter': + result = result.concat('200') + break + case 'Video': + case 'VideoSelfPaid': + case 'Bmid': + case 'BmidSelfPaid': + case 'Counter': + result = result.concat((highestRoleLevel == 'level400') ? '400' : '300') + break + default: + LOG.warn("unexpected idVerification for recovery on account: ${idVerification}") + // safest default, should work in any case + result = highestRoleLevel + } + + return result +} + def getUserMustRecoverValidFrom() { // set attibutes from DTO: -> validFrom def payload = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) 
@@ -98,18 +116,17 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null // attributes are defined over the mustRecover authorization session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover') - def recoveryVerification = userDto.'**'.find { node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-AccountStatus,mustRecover' }?.value?.text() idVerification = getUserIdVerificationForRecovery(maxLoi ?: 'level100') ?: idVerification agovAqValidFrom = getUserMustRecoverValidFrom() - maxLoi = maxLoiRecoveryStepupMap[maxLoi ?: 'level100'] ?: 'level100' - + maxLoi = getAqLevelBasedOnIdVerificationForRecovery(idVerification, maxLoi) } LOG.debug("Recovery: MaxLoi is '${maxLoi}'") LOG.debug("Recovery: IdVerification is ${idVerification}") LOG.debug("Recovery: agovAqValidFrom is ${agovAqValidFrom}") + LOG.debug("Recovery: mustRecover is '${mustRecover}'") LOG.debug("Recovery: hasRecoveryRole is '${hasRecoveryRole}'") if (maxLoi != null) { diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-nevisfido2-087f275433f3973a1421318f.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-nevisfido2-087f275433f3973a1421318f.yaml index ec459b7..a908634 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-nevisfido2-087f275433f3973a1421318f.yaml +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-nevisfido2-087f275433f3973a1421318f.yaml @@ -46,7 +46,7 @@ spec: podDisruptionBudget: maxUnavailable: "50%" git: - tag: "r-9af6a792e2720efb1d09318c1e3f4a2ab355af31" + tag: "r-db9522d1110b41177e7d034419ef1fb68f95b0b8" dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2" credentials: "git-credentials" keystores: 
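Review bot: `maxLoi` is now passed to `getAqLevelBasedOnIdVerificationForRecovery` without the `?: 'level100'` fallback that the removed `maxLoiRecoveryStepupMap` line applied, so for an account with no level role and an unrecognised `idVerification` the helper's default branch returns null and the `if (maxLoi != null)` block below is skipped. Keeping the fallback at the call site restores the old guarantee of a non-null level: `maxLoi = getAqLevelBasedOnIdVerificationForRecovery(idVerification, maxLoi ?: 'level100')`. The enclosing `if` block starts outside the hunk.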
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/nevisfido.yml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/nevisfido.yml
index 8214e3a..d8b1f3c 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/nevisfido.yml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/nevisfido.yml
@@ -48,4 +48,4 @@ fido2:
 - ES256
 - ES384
 - ES512
- display-name-source: loginId
\ No newline at end of file
+ display-name-source: email
\ No newline at end of file
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/etc/nevis/k8s-nevislogrend-097929211988398a87bcbb0c.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/etc/nevis/k8s-nevislogrend-097929211988398a87bcbb0c.yaml
index c926517..5d2bcd7 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/etc/nevis/k8s-nevislogrend-097929211988398a87bcbb0c.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/etc/nevis/k8s-nevislogrend-097929211988398a87bcbb0c.yaml
@@ -44,7 +44,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-9af6a792e2720efb1d09318c1e3f4a2ab355af31"
+ tag: "r-db9522d1110b41177e7d034419ef1fb68f95b0b8"
 dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend"
 credentials: "git-credentials"
 podSecurity:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/footer.vm b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/footer.vm
index 160a871..657e72f 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/footer.vm
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/footer.vm @@ -3,7 +3,7 @@ $text.get("footer.text") $text.get("footer.link.label") -

1.5.0.1980-20240604T133737Z

+

1.5.3.51-20240709T140654Z

diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/recovery_questionnaire_loginfactor.vm b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/recovery_questionnaire_loginfactor.vm index f47fcfe..fb8a9c6 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/recovery_questionnaire_loginfactor.vm +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/template/recovery_questionnaire_loginfactor.vm @@ -62,7 +62,7 @@ - diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/footer.vm b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/footer.vm index 160a871..657e72f 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/footer.vm +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/footer.vm @@ -3,7 +3,7 @@ $text.get("footer.text") $text.get("footer.link.label") -

1.5.0.1980-20240604T133737Z

+

1.5.3.51-20240709T140654Z

diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/recovery_questionnaire_loginfactor.vm b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/recovery_questionnaire_loginfactor.vm index f47fcfe..fb8a9c6 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/recovery_questionnaire_loginfactor.vm +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Recovery/webdata/template/recovery_questionnaire_loginfactor.vm @@ -62,7 +62,7 @@ - diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml index 04beca8..9a9ee45 100644 --- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml @@ -46,7 +46,7 @@ spec: podDisruptionBudget: maxUnavailable: "50%" git: - tag: "r-9af6a792e2720efb1d09318c1e3f4a2ab355af31" + tag: "r-db9522d1110b41177e7d034419ef1fb68f95b0b8" dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp" credentials: "git-credentials" keystores: diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/resources/index.html b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/resources/index.html index 1209012..e317aeb 100644 
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/resources/index.html +++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/resources/index.html @@ -62,8 +62,6 @@

We are working on it. Please try again later.

- -