new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -45,7 +45,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-28e22366b5275caf004643b5b80134140fa1fd6d"
+    tag: "r-beaf79e44e7ba37c49fe5e4cd4ac1aa2d15208e2"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy

@@ -13,7 +13,7 @@ LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${request
 
 // delete the login cookie
 def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
-response.setHeader('Set-Cookie2', agovLoginCookie)
+response.setHeader('Set-Cookie', agovLoginCookie)
 
 response.setResult('ok')
 return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/askMobileNumber.groovy

@@ -3,8 +3,6 @@ import ch.nevis.idm.client.IdmRestClient
 import ch.nevis.idm.client.IdmRestClientFactory
 import ch.nevis.idm.client.HTTPRequestWrapper
 
-import java.time.Duration
-
 import groovy.json.JsonSlurper
 import groovy.xml.XmlSlurper
 
@@ -51,11 +49,12 @@ if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && ina
     // no mobile, and user wants to skip it
 
     LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
-
-    response.setCookie("testcookie", "testvalue", "/path", "Thu, 01 Jan 2025 00:00:00 GMT",
-				Duration.ofDays(1), true, false);
-    def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=86400; SameSite=Strict; Secure; HttpOnly"
-    response.setHeader('Set-Cookie', agovSkipAskingMobileCookie)
+    
+    // persistent cookie for 30d;
+    def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly"
+    // setHeader doesn't support multiple headers with the same name, so we use
+    // a different one, and rewrite it in the proxy with Lua
+    response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie)
     response.setResult('done')
     return
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/etc/nevis/k8s-nevisproxy-idp-0ceb05c56644a59d648c13b9.yaml

@@ -46,7 +46,7 @@ spec:
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-be07db7d106d7437ffe94f8044ae723f7acf4b7c"
+    tag: "r-beaf79e44e7ba37c49fe5e4cd4ac1aa2d15208e2"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/idp_responseheader_post_processing.lua

@@ -0,0 +1,12 @@
+function outputHeader(request, response)
+    trace = request:getTracer()
+
+    -- rename Set-Cookie2 header
+    local setCookieHeader = response:getHeader("Set-Cookie2")
+    if (setCookieHeader ~= nil) then 
+        trace:debug("Set a new cookie: " .. setCookieHeader)
+        response:addHeader("Set-Cookie", setCookieHeader)
+        response:removeHeader("Set-Cookie2")
+    end
+
+end

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/web.xml

@@ -532,6 +532,21 @@
             <param-value>outputHeader</param-value>
         </init-param>
     </filter>
+    <!-- source: pattern://4f6692a69e4f33c8ed4c145f -->
+    <filter>
+        <filter-name>Lua_IdP_ResponseHeader_Post_Processing</filter-name>
+        <filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
+        <!-- source: pattern://4f6692a69e4f33c8ed4c145f -->
+        <init-param>
+            <param-name>Script.OutputHeaderFunctionName</param-name>
+            <param-value>outputHeader</param-value>
+        </init-param>
+        <!-- source: pattern://4f6692a69e4f33c8ed4c145f -->
+        <init-param>
+            <param-name>Script.Path</param-name>
+            <param-value>/var/opt/nevisproxy/default/host-auth.agov-w.azure.adnovum.net/WEB-INF/idp_responseheader_post_processing.lua</param-value>
+        </init-param>
+    </filter>
     <!-- source: pattern://64f16c5d4c99eff0acbc8fdf -->
     <filter>
         <filter-name>Lua_Lua_HTTP_Processing_terminate_session</filter-name>
@@ -993,6 +1008,11 @@
         <filter-name>Lua_CSP_Security_Response_Headers</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
+    <!-- source: pattern://4f6692a69e4f33c8ed4c145f -->
+    <filter-mapping>
+        <filter-name>Lua_IdP_ResponseHeader_Post_Processing</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
     <!-- source: pattern://0d3511bed6798a78cc3237f6 -->
     <filter-mapping>
         <filter-name>ResponseHeader_Base_Security_Response_Headers</filter-name>