new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-3661d1b94c95cb7ba123e574390d8dbaaed8e7a2"
+    tag: "r-c58cc47a5227560a26f98d3aa610b057d4a540ac"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy

@@ -185,43 +185,47 @@ try {
   }
 
   // no login for users with a recovery role
-  for (String role : getUserAGOVRecoveryRoles()) {
+  def recoveryRoleList = getUserAGOVRecoveryRoles()
-    if (role == 'mustRecover') {
-      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
-      session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' ) 
   
-      def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
+  if (recoveryRoleList.contains('mustRecover')) {
+    session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+    session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' ) 
 
-      def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
+    def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
-      session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
+    def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
+    session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
 
-      // align currentAgovAq with the method selected for idVerification
+    // align currentAgovAq with the method selected for idVerification
-      def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
+    def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
-      session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
+    session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
 
-      def validFrom = getUserMustRecoverValidFrom() ?: ''
+    def validFrom = getUserMustRecoverValidFrom() ?: ''
-      session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom ) 
+    session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom ) 
 
-      LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
+    LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
 
-      response.setResult('exit.2')
+    response.setResult('exit.2')
-      return
+    return
 
-    } else if (role == 'recovery') {
+  } else if (recoveryRoleList.contains('recovery')) {
-      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+    if (recoveryRoleList.contains('recoveryCascade')) {
-      session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown') 
+      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
-      session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
+    } else {
-      LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
+      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
-      def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
-      session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
-      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
-      session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom) 
-
-      response.setResult('exit.2')
-      return
     }
+    session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown') 
+    session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
+    LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
+    def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
+    session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
+    def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
+    session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom) 
+
+    response.setResult('exit.2')
+    return
   } 
 
+
   if (highestRoleLevelNumber>=requestedRoleLevelNumber) { 
 
     // set attribute ValidFrom and ValidTo (only for higher than 100)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml

@@ -1673,7 +1673,7 @@
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_loginFactorQuestion" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="true" resumeState="true">
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="cancel" next="Auth_Realm_Recovery_Recovery_handleCode"/>
+            <ResultCond name="doCancel" next="Auth_Realm_Recovery_Recovery_handleCode"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="loginFactorNo" next="Auth_Realm_Recovery_Recovery_Auth_reasonSelection"/>
             <!-- source: pattern://584964c837512845d7940809 -->
@@ -1805,7 +1805,7 @@
         </AuthState>
         <AuthState name="Auth_Realm_Recovery_Recovery_Auth_reasonSelection" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="true" resumeState="true">
             <!-- source: pattern://584964c837512845d7940809 -->
-            <ResultCond name="cancel" next="Auth_Realm_Recovery_Recovery_Auth_loginFactorQuestion"/>
+            <ResultCond name="doCancel" next="Auth_Realm_Recovery_Recovery_Auth_loginFactorQuestion"/>
             <!-- source: pattern://584964c837512845d7940809 -->
             <ResultCond name="invalidReasons" next="Auth_Realm_Recovery_Recovery_Auth_noRecovery"/>
             <!-- source: pattern://584964c837512845d7940809 -->

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireLfProcessing.groovy

@@ -4,7 +4,7 @@ if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
   def s = request.getAuthSession(true)
   s.removeAttribute('agov.recovery.moreThanOneLf')
 
-  response.setResult('cancel')
+  response.setResult('doCancel')
   return
 }
 

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireReasonProcessing.groovy

@@ -9,7 +9,7 @@ if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
   s.removeAttribute('agov.recovery.moreThanOneLf')
   s.removeAttribute('agov.recovery.reason')
 
-  response.setResult('cancel')
+  response.setResult('doCancel')
   return
 }