diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
index 592af2f..8515a22 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@@ -45,7 +45,7 @@ spec:
 podDisruptionBudget:
 maxUnavailable: "50%"
 git:
- tag: "r-10ac923164dfe2ce1b64ff3b8b03dd1e5e240a5b"
+ tag: "r-e2938d9f50d18f0c7df1e51a7cc98a1e4fe2f6fa"
 dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
 credentials: "git-credentials"
 keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
index 5f56cba..ca33274 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
@@ -2,9 +2,8 @@ import org.codehaus.groovy.runtime.StackTraceUtils
 import groovy.xml.XmlSlurper
 def getUserAGOVLoiRoles() {
- // set attibutes from DTO: -> AGOVaq
- def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
- return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+ // we take the roles from actualRoles
+ return request.getActualRoles().findAll { role -> role.startsWith('AGOV-Loi.') }.collect({ role -> role.substring(9) })
 }
 def getUserAGOVRecoveryRoles() {
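Review bot: The rewritten `getUserAGOVLoiRoles` strips the application prefix with a bare `role.substring(9)`, a magic number that must stay equal to the length of the `'AGOV-Loi.'` literal in the `startsWith` filter just before it; name the prefix once, `def prefix = 'AGOV-Loi.'`, and use `role.substring(prefix.length())` so the two cannot drift apart. The `startsWith` filter does guarantee every matched role is at least nine characters, so the call cannot throw, but that reasoning is invisible at the call site. Whether `request.getActualRoles()` yields the same `AGOV-Loi` role set that was previously read from the `ch.adnovum.nevisidm.userDto` XML in the session cannot be judged from this hunk; a one-line comment stating where actual roles come from would help the next reader. With the parse removed, the `import groovy.xml.XmlSlurper` context line is presumably unused now and could go if nothing else in the file needs it.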
@@ -141,6 +140,11 @@ try {
 LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
+
+ // if the account has no profile, we must not return address or svnr
+ session.setAttribute('agov.appAddressRequired', 'false')
+ session.setAttribute('agov.appSvnrAllowed', 'false')
+
 response.setResult('ok')
 return
 }
@@ -158,17 +162,23 @@ try {
 for (String role : getUserAGOVLoiRoles()) {
- if (role.startsWith('level')) {
- def roleLevel = role.substring(5)
- int roleLevelNumber = Integer.parseInt(roleLevel)
- if (highestRoleLevelNumber == 0) {
- highestRoleLevelNumber = roleLevelNumber
- }
- if (highestRoleLevelNumber< roleLevelNumber) {
- highestRoleLevelNumber=roleLevelNumber
+ if (role.startsWith('level')) {
+ def roleLevel = role.substring(5)
+ int roleLevelNumber = Integer.parseInt(roleLevel)
+ if (highestRoleLevelNumber< roleLevelNumber) {
+ highestRoleLevelNumber=roleLevelNumber
+ }
 }
- }
- }
+ }
+ // Best Token Available only if account's AQlevel is high enough
+ if ((session.getAttribute('agov.appAddressRequired') == 'true') && (highestRoleLevelNumber < 200)) {
+ LOG.debug("Best Token: Address requested but account has to low AQ (${highestRoleLevelNumber})")
+ session.setAttribute('agov.appAddressRequired', 'false')
+ }
+ if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (highestRoleLevelNumber < 400)) {
+ LOG.debug("Best Token: SVNr requested but account has to low AQ (${highestRoleLevelNumber})")
+ session.setAttribute('agov.appSvnrAllowed', 'false')
+ }
 LOG.debug('CheckLoa: Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString())
 LOG.debug('CheckLoa: Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
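Review bot: The session keys `'agov.appAddressRequired'` and `'agov.appSvnrAllowed'` are written as string literals in the no-profile branch here and read and written again by literal in the hunk at `@@ -158,17 +162,23 @@`; a typo in any one copy would leave a flag untouched with no error, which for a release-gating flag is the wrong failure direction. Hoist each key into a script-level constant, e.g. `final String ATTR_ADDRESS_REQUIRED = 'agov.appAddressRequired'` and `final String ATTR_SVNR_ALLOWED = 'agov.appSvnrAllowed'`, and use them at every site. The added comment could also say that the flags are consumed by the AQ-level check further down rather than only why they are cleared. The enclosing try block starts and ends outside this hunk.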
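Review bot: The two new downgrade guards clear a flag only when the session attribute is exactly the string `'true'`, so if any other code path stores the flag as a Boolean or with different casing the `< 200` / `< 400` threshold is never applied and address or SVNr release stays enabled — a fail-open shape for a check whose purpose is to withhold data. Letting the threshold alone decide is simpler and fails closed: `if (highestRoleLevelNumber < 200) { session.setAttribute('agov.appAddressRequired', 'false') }` and the same with `< 400` for `'agov.appSvnrAllowed'`, keeping each `LOG.debug` inside its branch. The `200` and `400` thresholds should be named constants with a comment naming the AQ level each represents, and both new log messages read "has to low AQ" where "too low" is meant. `Integer.parseInt(roleLevel)` still throws on a non-numeric suffix as it did before, but an exception there now also skips the new guards; the surrounding try/catch begins and ends outside the hunk, so its effect cannot be judged here.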