new configuration version

2025-03-11 09:57:47 +00:00 · 2025-03-11 09:57:47 +00:00 · 6f5dd59161
parent 0e6d812f80
commit 6f5dd59161
2 changed files with 24 additions and 14 deletions
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@ -45,7 +45,7 @@ spec:
  podDisruptionBudget:
    maxUnavailable: "50%"
  git:
-    tag: "r-10ac923164dfe2ce1b64ff3b8b03dd1e5e240a5b"
+    tag: "r-e2938d9f50d18f0c7df1e51a7cc98a1e4fe2f6fa"
    dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
    credentials: "git-credentials"
  keystores:
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
@ -2,9 +2,8 @@ import org.codehaus.groovy.runtime.StackTraceUtils
 import groovy.xml.XmlSlurper

 def getUserAGOVLoiRoles() {
-  // set attibutes from DTO: -> AGOVaq
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+  // we take the roles from actualRoles
+  return request.getActualRoles().findAll { role -> role.startsWith('AGOV-Loi.') }.collect({ role -> role.substring(9) })
 }

 def getUserAGOVRecoveryRoles() {
@ -141,6 +140,11 @@ try {
    LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")

    session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
+
+    // if the account has no profile, we must not return address or svnr
+    session.setAttribute('agov.appAddressRequired', 'false')
+    session.setAttribute('agov.appSvnrAllowed', 'false')
+
    response.setResult('ok')
    return
  }
@ -158,17 +162,23 @@ try {


  for (String role : getUserAGOVLoiRoles()) {
-  if (role.startsWith('level')) {
-    def roleLevel = role.substring(5)
-    int roleLevelNumber = Integer.parseInt(roleLevel)
-    if (highestRoleLevelNumber == 0) {
-      highestRoleLevelNumber = roleLevelNumber
-    }
-    if (highestRoleLevelNumber< roleLevelNumber) { 
-      highestRoleLevelNumber=roleLevelNumber 
+    if (role.startsWith('level')) {
+      def roleLevel = role.substring(5)
+      int roleLevelNumber = Integer.parseInt(roleLevel)
+      if (highestRoleLevelNumber< roleLevelNumber) { 
+        highestRoleLevelNumber=roleLevelNumber 
+      } 
    } 
-  } 
-  } 
+  }
+  // Best Token Available only if account's AQlevel is high enough
+  if ((session.getAttribute('agov.appAddressRequired') == 'true') && (highestRoleLevelNumber < 200)) {
+     LOG.debug("Best Token: Address requested but account has to low AQ (${highestRoleLevelNumber})") 
+     session.setAttribute('agov.appAddressRequired', 'false')
+  }
+  if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (highestRoleLevelNumber < 400)) {
+     LOG.debug("Best Token: SVNr requested but account has to low AQ (${highestRoleLevelNumber})") 
+     session.setAttribute('agov.appSvnrAllowed', 'false')
+  }
  LOG.debug('CheckLoa: Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) 
  LOG.debug('CheckLoa: Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber))