Compare commits
No commits in common. "master" and "r-c14e16281a1c61da4a3ccd6370f1299410b47d72" have entirely different histories.
master
...
r-c14e1628
|
|
@ -46,7 +46,7 @@ spec:
|
||||||
podDisruptionBudget:
|
podDisruptionBudget:
|
||||||
maxUnavailable: "50%"
|
maxUnavailable: "50%"
|
||||||
git:
|
git:
|
||||||
tag: "r-53c09bd6632aebeda2b892197a01a8f7f185561d"
|
tag: "r-c14e16281a1c61da4a3ccd6370f1299410b47d72"
|
||||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
|
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
|
||||||
credentials: "git-credentials"
|
credentials: "git-credentials"
|
||||||
database:
|
database:
|
||||||
|
|
|
||||||
|
|
@ -950,18 +950,50 @@
|
||||||
<!-- source: pattern://92cb6d5256008a32f12ceb93 -->
|
<!-- source: pattern://92cb6d5256008a32f12ceb93 -->
|
||||||
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
|
<property name="out.attribute.http://schemas.agov.ch/ws/2025/07/identity/claims/op/conversationId" value="${inctx:connection.HttpHeader.traceparent:^([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)$:$2}"/>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
<AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="false">
|
<AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
<ResultCond name="default" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post"/>
|
<ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
<ResultCond name="useArtifact" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact"/>
|
<ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
<Response value="AUTH_ERROR">
|
<Response value="AUTH_ERROR">
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
<Gui name="AuthErrorDialog"/>
|
<Gui name="saml_idp" label="title.saml.failed">
|
||||||
</Response>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
<property name="condition:useArtifact" value="${sess:agov.idp.use.artifact:^true$}"/>
|
<GuiElem name="lasterror" type="error" label="error.saml.failed"/>
|
||||||
|
</Gui>
|
||||||
|
</Response>
|
||||||
|
<propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<property name="out.binding" value="http-artifact"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<property name="out.post.relayStateEncoding" value="HTML"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<property name="out.encrypt" value="none"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
|
||||||
|
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
||||||
|
<property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
<AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
|
<AuthState name="Auth_Realm_Main_IDP_ReturnTimeoutButKeepSession" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
|
||||||
<!-- source: pattern://826166d230a6a4849f2837ae -->
|
<!-- source: pattern://826166d230a6a4849f2837ae -->
|
||||||
|
|
@ -1218,100 +1250,6 @@
|
||||||
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
||||||
</Response>
|
</Response>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
<AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_post" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<Response value="AUTH_ERROR">
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<Gui name="saml_idp" label="title.saml.failed">
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<GuiElem name="lasterror" type="error" label="error.saml.failed"/>
|
|
||||||
</Gui>
|
|
||||||
</Response>
|
|
||||||
<propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.binding" value="http-post"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.post.relayStateEncoding" value="HTML"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.encrypt" value="none"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
|
|
||||||
</AuthState>
|
|
||||||
<AuthState name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC_artifact" class="ch.nevis.esauth.auth.states.saml.IdentityProviderState" final="false" resumeState="true">
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="IDP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="IDP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="LogoutCompleted" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="LogoutFailed" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Logout_Fail"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="SP-initiated-ConcurrentLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Concurrent_Logout"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="SP-initiated-SingleLogout" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="authenticate:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="authenticate:SP-initiated-SSO" next="Auth_Realm_Main_IDP_RequestedRoleLevel"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="invalidAssertionConsumerUrl" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="ok" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Prepare_Done"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="stepup:IDP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<ResultCond name="stepup:SP-initiated-SSO" next="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_Selector"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<Response value="AUTH_ERROR">
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<Gui name="saml_idp" label="title.saml.failed">
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<GuiElem name="lasterror" type="error" label="error.saml.failed"/>
|
|
||||||
</Gui>
|
|
||||||
</Response>
|
|
||||||
<propertyRef name="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.binding" value="http-artifact"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.post.relayStateEncoding" value="HTML"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.encrypt" value="none"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.encrypt.keystoreref" value="EncryptionKeys"/>
|
|
||||||
<!-- source: pattern://bb9e7806a04578e0ad468829 -->
|
|
||||||
<property name="out.encrypt.keyobjectref" value="DefaultEncryptionKey"/>
|
|
||||||
</AuthState>
|
|
||||||
<AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
|
<AuthState name="Auth_Realm_Main_IDP_Fido_Email_Verify" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="false">
|
||||||
<!-- source: pattern://7fb39bfd6c34685866a22180 -->
|
<!-- source: pattern://7fb39bfd6c34685866a22180 -->
|
||||||
<ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
|
<ResultCond name="clientNotFound" next="Auth_Realm_Main_IDP_AuthnFailed_Client_NotFound"/>
|
||||||
|
|
@ -3573,17 +3511,11 @@
|
||||||
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
||||||
<WebService name="IDP_AGOV_SEC_ARS" class="ch.nevis.esauth.auth.adapter.saml.ArtifactResolutionService" uri="/nevisauth/services/ars/sec" SSODomain="Auth_Realm_Main_IDP">
|
<WebService name="IDP_AGOV_SEC_ARS" class="ch.nevis.esauth.auth.adapter.saml.ArtifactResolutionService" uri="/nevisauth/services/ars/sec" SSODomain="Auth_Realm_Main_IDP">
|
||||||
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
||||||
<property name="issuer" value="https://auth.agov-w.azure.adnovum.net/SAML2SEC/"/>
|
<property name="issuer" value="Auth_Realm_Main_IDP_Auth_Realm_Main_IDP_Custom_AGOV_IDP_SEC"/>
|
||||||
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
||||||
<property name="out.keystoreref" value="Store_IDP_AGOV"/>
|
<property name="out.keystoreref" value="Store_IDP_AGOV"/>
|
||||||
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
||||||
<property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
|
<property name="out.keyobjectref" value="Signer_IDP_AGOV"/>
|
||||||
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
|
||||||
<property name="in.keystoreref" value="Store_IDP_AGOV"/>
|
|
||||||
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
|
||||||
<property name="in.verify" value="ArtifactResolve"/>
|
|
||||||
<!-- source: pattern://14efdcb489f3f295fcbdf811 -->
|
|
||||||
<property name="in.prospectVerification" value=""/>
|
|
||||||
</WebService>
|
</WebService>
|
||||||
<!-- source: pattern://7022472ae407577ae604bbb8 -->
|
<!-- source: pattern://7022472ae407577ae604bbb8 -->
|
||||||
<RESTService name="ManagementService" class="ch.nevis.esauth.rest.service.session.ManagementService"/>
|
<RESTService name="ManagementService" class="ch.nevis.esauth.rest.service.session.ManagementService"/>
|
||||||
|
|
|
||||||
|
|
@ -23,25 +23,13 @@ def redirect(String url) {
|
||||||
outargs.put('nevis.transfer.destination', url)
|
outargs.put('nevis.transfer.destination', url)
|
||||||
}
|
}
|
||||||
|
|
||||||
String getNormalisedSamlMessage(String parameter) {
|
/**
|
||||||
if (parameter == null) {
|
* Extracts the content of the Issuer element from a parsed SAML message.
|
||||||
return
|
* The Issuer is optional according to SAML specification but we need it for dispatching.
|
||||||
}
|
*
|
||||||
String text
|
* @param xml - as parsed by Groovy XmlSlurper
|
||||||
byte[] decoded
|
* @return text content of Issuer element converted or null
|
||||||
|
*/
|
||||||
// if parameter is raw xml then continue otherwise try to parse the base64 encoding
|
|
||||||
if (parameter.startsWith("<")) {
|
|
||||||
text = new String(parameter)
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
decoded = parameter.decodeBase64()
|
|
||||||
text = new String(decoded)
|
|
||||||
}
|
|
||||||
return text
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
String getNodeText(GPathResult xml, String nodeName) {
|
String getNodeText(GPathResult xml, String nodeName) {
|
||||||
return xml.depthFirst().find { GPathResult node -> {
|
return xml.depthFirst().find { GPathResult node -> {
|
||||||
node.name().endsWith(":${nodeName}") || node.name().equalsIgnoreCase(nodeName)
|
node.name().endsWith(":${nodeName}") || node.name().equalsIgnoreCase(nodeName)
|
||||||
|
|
@ -49,46 +37,45 @@ String getNodeText(GPathResult xml, String nodeName) {
|
||||||
}?.text()?.trim()
|
}?.text()?.trim()
|
||||||
}
|
}
|
||||||
|
|
||||||
String getAttribute(GPathResult xml, String attributeName) {
|
String getNodeText(String samlMessage, String nodeName) {
|
||||||
return xml.depthFirst().find { GPathResult node -> {
|
|
||||||
node.attributes().containsKey(attributeName)
|
|
||||||
}
|
|
||||||
}?.attributes()?.get(attributeName)
|
|
||||||
}
|
|
||||||
|
|
||||||
String getNodeText(String parameter, String nodeName) {
|
|
||||||
String samlMessage = getNormalisedSamlMessage(parameter)
|
|
||||||
if (samlMessage == null) {
|
if (samlMessage == null) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
String text
|
||||||
|
byte[] decoded
|
||||||
def parser = new XmlSlurper()
|
def parser = new XmlSlurper()
|
||||||
def xml = parser.parseText(samlMessage)
|
// if samlMessage is raw xml then continue otherwise try to parse the base64 encoding
|
||||||
|
if (samlMessage.startsWith("<")) {
|
||||||
|
text = new String(samlMessage)
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
decoded = samlMessage.decodeBase64()
|
||||||
|
text = new String(decoded)
|
||||||
|
}
|
||||||
|
|
||||||
|
// after decoded, if redirect binding, we need to parse string to xml
|
||||||
|
if (text.startsWith("<")) {
|
||||||
|
// plain String (POST/SOAP parameter)
|
||||||
|
def xml = parser.parseText(text)
|
||||||
|
return getNodeText(xml, nodeName)
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// should be deflate encoded (query parameter)
|
||||||
|
def is = new InflaterInputStream(new ByteArrayInputStream(decoded), new Inflater(true))
|
||||||
|
def xml = parser.parse(is)
|
||||||
return getNodeText(xml, nodeName)
|
return getNodeText(xml, nodeName)
|
||||||
}
|
|
||||||
|
|
||||||
String getAttribute(String parameter, String attributeName) {
|
|
||||||
String samlMessage = getNormalisedSamlMessage(parameter)
|
|
||||||
if (samlMessage == null) {
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
def parser = new XmlSlurper()
|
|
||||||
def xml = parser.parseText(samlMessage)
|
|
||||||
return getAttribute(xml, attributeName)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
String getIssuer(String value) {
|
String getIssuer(String value) {
|
||||||
return getNodeText(value, 'Issuer')
|
return getNodeText(value, 'Issuer')
|
||||||
}
|
}
|
||||||
|
|
||||||
String getAttributeConsumingServiceIndex(String value) {
|
String getRequesterID(String value) {
|
||||||
return getAttribute(value, 'AttributeConsumingServiceIndex')
|
return getNodeText(value, 'RequesterID')
|
||||||
}
|
}
|
||||||
|
|
||||||
String getProtocolBinding(String value) {
|
def dispatchIssuer(i2s, String issuer, String requester) {
|
||||||
return getAttribute(value, 'ProtocolBinding')
|
|
||||||
}
|
|
||||||
|
|
||||||
def dispatchIssuer(i2s, String issuer, boolean secureMode) {
|
|
||||||
def result = i2s.get(issuer)
|
def result = i2s.get(issuer)
|
||||||
if (result == null) {
|
if (result == null) {
|
||||||
LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
|
LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
|
||||||
|
|
@ -98,33 +85,30 @@ def dispatchIssuer(i2s, String issuer, boolean secureMode) {
|
||||||
if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
|
if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
|
||||||
LOG.debug("EPD: Artifact mode")
|
LOG.debug("EPD: Artifact mode")
|
||||||
result = result + "_artifact"
|
result = result + "_artifact"
|
||||||
} else if (result == 'main' && secureMode) {
|
} else if (result == 'main') {
|
||||||
LOG.debug("AGOV: Secure mode requested")
|
if ('https://op.agov-w.azure.adnovum.net/SAML2/ACS/' == requester) {
|
||||||
result = result + "_secure"
|
result = result + "_secure"
|
||||||
}
|
}
|
||||||
|
}
|
||||||
response.setResult(result)
|
response.setResult(result)
|
||||||
session.put('saml.inbound.issuer', issuer)
|
session.put("saml.inbound.issuer", issuer)
|
||||||
session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
|
session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
def dispatchIssuer(i2s, String issuer) {
|
def dispatchIssuer(i2s, String issuer) {
|
||||||
dispatchIssuer(i2s, issuer, false)
|
dispatchIssuer(i2s, issuer, 'unknown')
|
||||||
}
|
}
|
||||||
|
|
||||||
def dispatchMessage(i2s, String message) {
|
def dispatchMessage(i2s, String message) {
|
||||||
def issuer = getIssuer(message)
|
def issuer = getIssuer(message)
|
||||||
def secureMode = (getAttributeConsumingServiceIndex(message) == '10101')
|
def requester = getRequesterID(message)
|
||||||
def useArtifact = ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' == getProtocolBinding(message))
|
|
||||||
|
|
||||||
LOG.info("secureMode requested: ${secureMode}")
|
|
||||||
|
|
||||||
if (issuer == null) {
|
if (issuer == null) {
|
||||||
LOG.info("No issuer found in incoming SAML message. Giving up.")
|
LOG.info("No issuer found in incoming SAML message. Giving up.")
|
||||||
}
|
}
|
||||||
session.put('saml.inbound.issuer', issuer)
|
session.put("saml.inbound.issuer", issuer)
|
||||||
session.put('agov.idp.use.artifact', '' + useArtifact)
|
dispatchIssuer(i2s, issuer, requester)
|
||||||
dispatchIssuer(i2s, issuer, secureMode)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {
|
if (parameters.get('logoutConfirmation') == 'true' && "stepup" == request.getMethod()) {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue