new configuration version

2025-03-31 09:06:25 +00:00 · 2025-03-31 09:06:25 +00:00 · 6c3b7e672a
parent b938bd429b
commit 6c3b7e672a
3 changed files with 108 additions and 98 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@ -45,7 +45,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-68680b2182672bd8a81d786c163e95b91fb89a64"
+    tag: "r-1663a8d1d9ae71e0fb7c5af2e10bfc2536ee973b"
    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
    credentials: "git-credentials"
  keystores:
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy
@ -10,6 +10,20 @@ def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTi

 LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")

+// BUNDBITBK-4824: Address was missing after bmid verification
+def session = request.getAuthSession(true)
+int loa = session.get('agov.actualRoleLevel') as int
+
+// Best Token Available only if account's AQlevel is high enough
+if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
+    LOG.debug("Best Token: Address requested but account has to low AQ (${loa})")
+    session.setAttribute('agov.appAddressRequired', 'false')
+}
+if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
+    LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
+    session.setAttribute('agov.appSvnrAllowed', 'false')
+}
+// BUNDBITBK-4824 END

 // delete the login cookie
 def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_verification_auth.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_verification_auth.groovy
@ -1,8 +1,6 @@
-import groovy.json.JsonSlurper
-
 import ch.nevis.esauth.auth.engine.AuthResponse
 import ch.nevis.esauth.util.httpclient.api.HttpClient
-
+import groovy.json.JsonSlurper
 import io.opentelemetry.api.trace.Span

 def getHeader(String name) {
@ -13,16 +11,6 @@ def getHeader(String name) {
 	return map['connection.HttpHeader.' + name]
 }

-def clearIdmSessionAttributes() {
-  def s = request.getAuthSession(true)
-  def sessionKeySet = new HashSet(session.keySet())
-  sessionKeySet.each { key ->
-    if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ ) {
-      s.removeAttribute(key)
-    }
-  }
-}
-
 def verification_request_template = '''
 { "presentation_definition": {
    "id": "{{UUID}}",
@ -129,19 +117,19 @@ def verification_request_template = '''
 '''

 def ERROR_CODE_TO_STATUS_MAPPER = [
-	'CREDENTIAL_INVALID': 'FAILED',
-	'JWT_EXPIRED': 'ERROR',
-	'INVALID_FORMAT': 'ERROR',
-	'CREDENTIAL_EXPIRED': 'FAILED',
-	'MISSING_NONCE': 'ERROR',
-	'UNSUPPORTED_FORMAT': 'ERROR',
-	'CREDENTIAL_REVOKED': 'FAILED',
-	'CREDENTIAL_SUSPENDED': 'FAILED',
-	'HOLDER_BINDING_MISMATCH': 'ERROR',
-	'CREDENTIAL_MISSING_DATA': 'FAILED',
-	'UNRESOLVABLE_STATUS_LIST': 'ERROR',
+		'CREDENTIAL_INVALID'               : 'FAILED',
+		'JWT_EXPIRED'                      : 'ERROR',
+		'INVALID_FORMAT'                   : 'ERROR',
+		'CREDENTIAL_EXPIRED'               : 'FAILED',
+		'MISSING_NONCE'                    : 'ERROR',
+		'UNSUPPORTED_FORMAT'               : 'ERROR',
+		'CREDENTIAL_REVOKED'               : 'FAILED',
+		'CREDENTIAL_SUSPENDED'             : 'FAILED',
+		'HOLDER_BINDING_MISMATCH'          : 'ERROR',
+		'CREDENTIAL_MISSING_DATA'          : 'FAILED',
+		'UNRESOLVABLE_STATUS_LIST'         : 'ERROR',
 		'PUBLIC_KEY_OF_ISSUER_UNRESOLVABLE': 'ERROR',
-	'CLIENT_REJECTED': 'CANCELED',
+		'CLIENT_REJECTED'                  : 'CANCELED',
 		'ISSUER_NOT_ACCEPTED'              : 'ERROR'
 ]

@ -189,7 +177,7 @@ if (!session['agov.eid.verification']) {
 				.header("Accept", "application/json")
 				.header("traceparent", traceparent)
 				.entity(Http.entity()
-				.content(verification_request_template.replaceAll("\\{\\{UUID\\}\\}", UUID.randomUUID().toString()))
+						.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
 						.contentType("application/json")
 						.build())
 				.build()
@ -213,7 +201,8 @@ if (!session['agov.eid.verification']) {
 			response.setResult('error')
 			return
 		}
-	} catch(Exception e) {
+	}
+	catch (Exception e) {
 		LOG.error("Eid verification failed: $e")
 		response.setResult('error')
 		return
@ -226,7 +215,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.

 	// TODO/haburger/2025-03-24: we should make sure, that we have an actual session on the verifier with id.v
 	// and that authRequestId is correct
-	def idvalue = ( !inargs['o.id.v'] || inargs['o.id.v'] == 'NEW' ) ? session['agov.eid.verification.id'] : inargs['o.id.v']
+	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v']

 	try {
 		def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
@ -251,6 +240,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 				}}"""
 			LOG.warn("<== Response: ${responseCode}")
 		}
+		else {

 			def json = new JsonSlurper().parseText(httpResponse.bodyAsString())

@ -283,11 +273,13 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 					"id": "${idvalue}",
 					"error_code": "NONE"
 				}}"""
-        } else if (json.state == 'FAILED') {
+			}
+			else if (json.state == 'FAILED') {
 				// TODO/haburger/2025-03-25: ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] == 'FAILED' we should
 				//  initiate a new verification and return the new id, url together with the message

-			LOG.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
+				LOG
+						.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
 				result = """{
 				"oid4vp": {
 					"status": "${ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'}",
@ -296,7 +288,8 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 					"error_code": "${json.wallet_response.error_code}",
 					"error_message": "${json.wallet_response.error_description}"
 				}}"""
-		} else {
+			}
+			else {
 				result = """{
 				"oid4vp": {
 					"status": "${inargs['o.id.v'] == 'NEW' ? 'INITIATED' : 'PENDING'}",
@ -305,7 +298,10 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 					"error_code": "NONE"
 				}}"""
 			}
-	} catch(Exception e) {
+		}
+
+	}
+	catch (Exception e) {
 		LOG.error("Eid verification failed: ${e}")
 		result = """{
 				"oid4vp": {