Compare commits
7 Commits
r-a42d028a
...
master
| Author | SHA1 | Date |
|---|---|---|
aca
|
07286b9fb4 | |
|
aca
|
81e7ad3071 | |
|
aca
|
2ef76e0d1b | |
|
aca
|
35d7325a20 | |
|
aca
|
10b146e346 | |
|
aca
|
6c3b7e672a | |
haburger
|
b938bd429b |
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
spec:
|
||||
type: "NevisAuth"
|
||||
replicas: 1
|
||||
version: "8.2411.1"
|
||||
version: "8.2411.3"
|
||||
gitInitVersion: "1.3.0"
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
|
|
@ -45,7 +45,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-654fc77cfe9eeb743896b19166144c379a1ad337"
|
||||
tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ JAVA_OPTS=(
|
|||
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||
"-Dotel.javaagent.logging=application"
|
||||
"-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.1,service.instance.id=$HOSTNAME"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
|
||||
"-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-sts-default-tls-trust/truststore.p12"
|
||||
"-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-sts-default-tls-trust/keypass}"
|
||||
)
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: "operator.nevis-security.ch/v1"
|
||||
kind: "NevisTrustStore"
|
||||
metadata:
|
||||
name: "auth-default-default-signer-trust"
|
||||
name: "auth-internal-idp-auth-signer-trust"
|
||||
namespace: "adn-agov-nevisidm-01-uat"
|
||||
labels:
|
||||
deploymentTarget: "auth"
|
||||
|
|
@ -10,5 +10,7 @@ metadata:
|
|||
patternId: "7022472ae407577ae604bbb8"
|
||||
spec:
|
||||
keystores:
|
||||
- name: "auth-sts-sh4r3d-internal-idp-auth-signer"
|
||||
namespace: "adn-agov-nevisidm-01-uat"
|
||||
- name: "auth-sh4r3d-internal-idp-auth-signer"
|
||||
namespace: "adn-agov-nevisidm-01-uat"
|
||||
|
|
@ -12,6 +12,8 @@ spec:
|
|||
keystores:
|
||||
- name: "proxy-idp-notused-auth-realm-identity"
|
||||
namespace: "adn-agov-nevisidm-01-uat"
|
||||
- name: "proxy-idp-auth-realm-main-idp-identity"
|
||||
namespace: "adn-agov-nevisidm-01-uat"
|
||||
- name: "proxy-idp-auth-realm-mobile-fido-uaf-identity"
|
||||
namespace: "adn-agov-nevisidm-01-uat"
|
||||
- name: "proxy-idp-auth-realm-recovery-identity"
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
spec:
|
||||
type: "NevisAuth"
|
||||
replicas: 1
|
||||
version: "8.2411.1"
|
||||
version: "8.2411.3"
|
||||
gitInitVersion: "1.3.0"
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
|
|
@ -45,7 +45,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-a42d028a31e525195a4836e6364a21cb0ad6f04e"
|
||||
tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
|
|
@ -55,7 +55,7 @@ spec:
|
|||
truststores:
|
||||
- "auth-default-tls-trust"
|
||||
- "auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido"
|
||||
- "auth-default-default-signer-trust"
|
||||
- "auth-internal-idp-auth-signer-trust"
|
||||
- "auth-technical-trust-store"
|
||||
podSecurity:
|
||||
policy: "baseline"
|
||||
|
|
|
|||
|
|
@ -10,6 +10,20 @@ def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTi
|
|||
|
||||
LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
|
||||
|
||||
// BUNDBITBK-4824: Address was missing after bmid verification
|
||||
def session = request.getAuthSession(true)
|
||||
int loa = session.get('agov.actualRoleLevel') as int
|
||||
|
||||
// Best Token Available only if account's AQlevel is high enough
|
||||
if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
|
||||
LOG.debug("Best Token: Address requested but account has to low AQ (${loa})")
|
||||
session.setAttribute('agov.appAddressRequired', 'false')
|
||||
}
|
||||
if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
|
||||
LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
|
||||
session.setAttribute('agov.appSvnrAllowed', 'false')
|
||||
}
|
||||
// BUNDBITBK-4824 END
|
||||
|
||||
// delete the login cookie
|
||||
def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"
|
||||
|
|
|
|||
|
|
@ -167,8 +167,8 @@ def i2r = [:]
|
|||
|
||||
// issuer to ResultCond name
|
||||
def i2e = [:]
|
||||
i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
|
||||
i2e.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'forbidden_1')
|
||||
i2e.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'forbidden_0')
|
||||
i2e.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'forbidden_1')
|
||||
|
||||
|
||||
if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {
|
||||
|
|
@ -162,33 +162,22 @@ try {
|
|||
|
||||
|
||||
for (String role : getUserAGOVLoiRoles()) {
|
||||
if (role.startsWith('level')) {
|
||||
def roleLevel = role.substring(5)
|
||||
int roleLevelNumber = Integer.parseInt(roleLevel)
|
||||
if (highestRoleLevelNumber< roleLevelNumber) {
|
||||
highestRoleLevelNumber=roleLevelNumber
|
||||
}
|
||||
if (role.startsWith('level')) {
|
||||
def roleLevel = role.substring(5)
|
||||
int roleLevelNumber = Integer.parseInt(roleLevel)
|
||||
|
||||
if (highestRoleLevelNumber< roleLevelNumber) {
|
||||
highestRoleLevelNumber=roleLevelNumber
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString())
|
||||
LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
|
||||
LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
|
||||
|
||||
//set attribute Actual Role Level
|
||||
session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
|
||||
LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
|
||||
|
||||
|
||||
// Best Token Available only if account's AQlevel is high enough
|
||||
if ((session.getAttribute('agov.appAddressRequired') == 'true') && (highestRoleLevelNumber < 200)) {
|
||||
LOG.debug("Best Token: Address requested but account has to low AQ (${highestRoleLevelNumber})")
|
||||
session.setAttribute('agov.appAddressRequired', 'false')
|
||||
}
|
||||
if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (highestRoleLevelNumber < 400)) {
|
||||
LOG.debug("Best Token: SVNr requested but account has to low AQ (${highestRoleLevelNumber})")
|
||||
session.setAttribute('agov.appSvnrAllowed', 'false')
|
||||
}
|
||||
|
||||
if (highestRoleLevelNumber > 0) {
|
||||
// set attribute contextClassRefToSet
|
||||
session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
|
||||
|
|
|
|||
|
|
@ -1,25 +1,14 @@
|
|||
import groovy.json.JsonSlurper
|
||||
import ch.nevis.esauth.auth.engine.AuthResponse
|
||||
import ch.nevis.esauth.util.httpclient.api.HttpClient
|
||||
|
||||
import groovy.json.JsonSlurper
|
||||
import io.opentelemetry.api.trace.Span
|
||||
|
||||
def getHeader(String name) {
|
||||
def inctx = request.getLoginContext()
|
||||
// case-insensitive lookup of HTTP headers
|
||||
def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
|
||||
map.putAll(inctx)
|
||||
return map['connection.HttpHeader.' + name]
|
||||
}
|
||||
|
||||
def clearIdmSessionAttributes() {
|
||||
def s = request.getAuthSession(true)
|
||||
def sessionKeySet = new HashSet(session.keySet())
|
||||
sessionKeySet.each { key ->
|
||||
if ( key ==~ /ch.nevis.idm.*/ || key ==~ /ch.adnovum.nevisidm.*/ ) {
|
||||
s.removeAttribute(key)
|
||||
}
|
||||
}
|
||||
def inctx = request.getLoginContext()
|
||||
// case-insensitive lookup of HTTP headers
|
||||
def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
|
||||
map.putAll(inctx)
|
||||
return map['connection.HttpHeader.' + name]
|
||||
}
|
||||
|
||||
def verification_request_template = '''
|
||||
|
|
@ -127,32 +116,48 @@ def verification_request_template = '''
|
|||
}
|
||||
'''
|
||||
|
||||
def ERROR_CODE_TO_STATUS_MAPPER = [
|
||||
'CREDENTIAL_INVALID' : 'FAILED',
|
||||
'JWT_EXPIRED' : 'ERROR',
|
||||
'INVALID_FORMAT' : 'ERROR',
|
||||
'CREDENTIAL_EXPIRED' : 'FAILED',
|
||||
'MISSING_NONCE' : 'ERROR',
|
||||
'UNSUPPORTED_FORMAT' : 'ERROR',
|
||||
'CREDENTIAL_REVOKED' : 'FAILED',
|
||||
'CREDENTIAL_SUSPENDED' : 'FAILED',
|
||||
'HOLDER_BINDING_MISMATCH' : 'ERROR',
|
||||
'CREDENTIAL_MISSING_DATA' : 'FAILED',
|
||||
'UNRESOLVABLE_STATUS_LIST' : 'ERROR',
|
||||
'PUBLIC_KEY_OF_ISSUER_UNRESOLVABLE': 'ERROR',
|
||||
'CLIENT_REJECTED' : 'CANCELED',
|
||||
'ISSUER_NOT_ACCEPTED' : 'ERROR'
|
||||
]
|
||||
|
||||
// ---------------
|
||||
// check, whether we are still processing the correct AuthnRequest
|
||||
if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
|
||||
// wrong request, "force" a timeout
|
||||
LOG.debug('authentication timeout enforced, due to concurrent requests -> return a 408')
|
||||
// wrong request, "force" a timeout
|
||||
LOG.debug('authentication timeout enforced, due to concurrent requests -> return a 408')
|
||||
|
||||
response.setIsDirectResponse(true)
|
||||
response.setContentType('text/html; charset=UTF-8')
|
||||
response.setContent('Timeout')
|
||||
response.setHttpStatusCode(205)
|
||||
response.setHeader('IDP-AUTH', 'Timeout')
|
||||
response.setIsDirectResponse(true)
|
||||
response.setContentType('text/html; charset=UTF-8')
|
||||
response.setContent('Timeout')
|
||||
response.setHttpStatusCode(205)
|
||||
response.setHeader('IDP-AUTH', 'Timeout')
|
||||
|
||||
// CONTINUE to keep the other request beeing processed
|
||||
response.setStatus(AuthResponse.AUTH_CONTINUE)
|
||||
return
|
||||
// CONTINUE to keep the other request beeing processed
|
||||
response.setStatus(AuthResponse.AUTH_CONTINUE)
|
||||
return
|
||||
}
|
||||
|
||||
if (inargs['oid4vp'] == 'ERROR') {
|
||||
response.setResult('error')
|
||||
return
|
||||
response.setResult('error')
|
||||
return
|
||||
}
|
||||
|
||||
if (inargs['oid4vp'] == 'SUCCEEDED') {
|
||||
response.setResult('ok')
|
||||
return
|
||||
response.setResult('ok')
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -163,39 +168,41 @@ def spanCtxt = Span.current().getSpanContext()
|
|||
def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
|
||||
|
||||
if (!session['agov.eid.verification']) {
|
||||
def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
|
||||
// Initialize the verification session on the verifier
|
||||
def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
|
||||
|
||||
try {
|
||||
def httpResponse = Http.post()
|
||||
.url(endPoint)
|
||||
.header("Accept", "application/json")
|
||||
.header("traceparent", traceparent)
|
||||
.entity(Http.entity()
|
||||
.content(verification_request_template.replaceAll("\\{\\{UUID\\}\\}", UUID.randomUUID().toString()))
|
||||
.contentType("application/json")
|
||||
.build())
|
||||
.build()
|
||||
.send(httpClient)
|
||||
.url(endPoint)
|
||||
.header("Accept", "application/json")
|
||||
.header("traceparent", traceparent)
|
||||
.entity(Http.entity()
|
||||
.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
|
||||
.contentType("application/json")
|
||||
.build())
|
||||
.build()
|
||||
.send(httpClient)
|
||||
|
||||
|
||||
if (httpResponse.code() != 200) {
|
||||
LOG.debug("Result: ${httpResponse}")
|
||||
LOG.debug("Result: ${httpResponse}")
|
||||
response.setResult('error')
|
||||
return
|
||||
}
|
||||
|
||||
def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
|
||||
LOG.debug("Result: ${json}")
|
||||
LOG.debug("Result: ${json}")
|
||||
|
||||
sess.setAttribute('agov.eid.verification', 'true')
|
||||
sess.setAttribute('agov.eid.verification.id', json.id)
|
||||
sess.setAttribute('agov.eid.verification.link', json.verification_url)
|
||||
|
||||
if (json.state != 'PENDING') {
|
||||
if (json.state != 'PENDING') {
|
||||
response.setResult('error')
|
||||
return
|
||||
}
|
||||
} catch(Exception e) {
|
||||
}
|
||||
}
|
||||
catch (Exception e) {
|
||||
LOG.error("Eid verification failed: $e")
|
||||
response.setResult('error')
|
||||
return
|
||||
|
|
@ -203,48 +210,115 @@ if (!session['agov.eid.verification']) {
|
|||
}
|
||||
|
||||
if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
|
||||
try {
|
||||
// request for a status update from the verifier
|
||||
def result
|
||||
|
||||
def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${inargs['o.id.v']}"
|
||||
// TODO/haburger/2025-03-24: we should make sure, that we have an actual session on the verifier with id.v
|
||||
// and that authRequestId is correct
|
||||
def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v']
|
||||
|
||||
try {
|
||||
def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
|
||||
|
||||
def httpResponse = Http.get()
|
||||
.url(endPoint)
|
||||
.header("Accept", "application/json")
|
||||
.header("traceparent", traceparent)
|
||||
.build()
|
||||
.send(httpClient)
|
||||
|
||||
.url(endPoint)
|
||||
.header("Accept", "application/json")
|
||||
.header("traceparent", traceparent)
|
||||
.build()
|
||||
.send(httpClient)
|
||||
|
||||
if (httpResponse.code() != 200) {
|
||||
LOG.debug("Result: ${httpResponse}")
|
||||
response.setResult('error')
|
||||
return
|
||||
// TODO/haburger/2025-03-25: 404 we should create a new verification request
|
||||
LOG.debug("Result: ${httpResponse}")
|
||||
result = """{
|
||||
"oid4vp": {
|
||||
"status": "ERROR",
|
||||
"verification_url": "${session['agov.eid.verification.link']}",
|
||||
"id": "${idvalue}",
|
||||
"error_code": "HTTP-ERROR",
|
||||
"error_message": "failed to verify status of verification ${idvalue}, http status: ${httpResponse.code()}"
|
||||
}}"""
|
||||
LOG.warn("<== Response: ${responseCode}")
|
||||
}
|
||||
else {
|
||||
|
||||
def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
|
||||
|
||||
if (json.state == 'SUCCESS') {
|
||||
def claims = json.wallet_response.credential_subject_data
|
||||
|
||||
// TODO/haburger/2025-03-25: format changes to align with IDM read data
|
||||
sess.setAttribute('ch.nevis.idm.User.firstName', claims.given_name)
|
||||
sess.setAttribute('ch.nevis.idm.User.lastName', claims.family_name)
|
||||
sess.setAttribute('ch.nevis.idm.User.birthDate', claims.birth_date)
|
||||
sess.setAttribute('ch.nevis.idm.User.gender', claims.sex)
|
||||
sess.setAttribute('ch.nevis.idm.User.prop.svnr', claims.personal_administrative_number)
|
||||
sess.setAttribute('ch.nevis.idm.User.prop.placeOfBirth', claims.birth_place)
|
||||
sess.setAttribute('ch.nevis.idm.User.prop.eIdNumber', claims.personal_administrative_number)
|
||||
sess.setAttribute('ch.nevis.idm.User.prop.nationality', claims.nationality.toString())
|
||||
sess.setAttribute('ValidFrom', claims.issuance_date)
|
||||
sess.setAttribute('ValidTo', claims.expiry_date)
|
||||
sess.setAttribute('authenticatedWith', "urn:qa.agov.ch:names:tc:authfactor:eid")
|
||||
sess.setAttribute('idVerification', "Eid")
|
||||
sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:600")
|
||||
|
||||
response.setUserId(claims.personal_administrative_number)
|
||||
response.setLoginId(claims.document_number)
|
||||
response.setAuthLevel("EID")
|
||||
|
||||
result = """{
|
||||
"oid4vp": {
|
||||
"status": "SUCCEEDED",
|
||||
"verification_url": "${session['agov.eid.verification.link']}",
|
||||
"id": "${idvalue}",
|
||||
"error_code": "NONE"
|
||||
}}"""
|
||||
}
|
||||
else if (json.state == 'FAILED') {
|
||||
// TODO/haburger/2025-03-25: ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] == 'FAILED' we should
|
||||
// initiate a new verification and return the new id, url together with the message
|
||||
|
||||
LOG
|
||||
.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
|
||||
result = """{
|
||||
"oid4vp": {
|
||||
"status": "${ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'}",
|
||||
"verification_url": "${session['agov.eid.verification.link']}",
|
||||
"id": "${idvalue}",
|
||||
"error_code": "${json.wallet_response.error_code}",
|
||||
"error_message": "${json.wallet_response.error_description}"
|
||||
}}"""
|
||||
}
|
||||
else {
|
||||
result = """{
|
||||
"oid4vp": {
|
||||
"status": "${inargs['o.id.v'] == 'NEW' ? 'INITIATED' : 'PENDING'}",
|
||||
"verification_url": "${session['agov.eid.verification.link']}",
|
||||
"id": "${idvalue}",
|
||||
"error_code": "NONE"
|
||||
}}"""
|
||||
}
|
||||
}
|
||||
|
||||
def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
|
||||
|
||||
if (json.state == 'SUCCESS') {
|
||||
sesss.setAttribute('ch.nevis.idm.User.firstName', json.wallet_response.given_name)
|
||||
sesss.setAttribute('ch.nevis.idm.User.lastName', json.wallet_response.family_name)
|
||||
sesss.setAttribute('ch.nevis.idm.User.birthDate', json.wallet_response.birth_date)
|
||||
sesss.setAttribute('ch.nevis.idm.User.gender', json.wallet_response.sex)
|
||||
sesss.setAttribute('ch.nevis.idm.User.prop.svnr', json.wallet_response.personal_administrative_number)
|
||||
sesss.setAttribute('ch.nevis.idm.User.prop.placeOfBirth', json.wallet_response.birth_place)
|
||||
sesss.setAttribute('ch.nevis.idm.User.prop.eIdNumber', json.wallet_response.personal_administrative_number)
|
||||
sesss.setAttribute('ch.nevis.idm.User.prop.nationality', json.wallet_response.nationality)
|
||||
sesss.setAttribute('ValidFrom', json.wallet_response.issuance_date)
|
||||
sesss.setAttribute('ValidTo', json.wallet_response.expiry_date)
|
||||
sesss.setAttribute('authenticatedWith', "EID")
|
||||
|
||||
}
|
||||
|
||||
|
||||
} catch(Exception e) {
|
||||
LOG.error("Eid verification failed: $e")
|
||||
response.setResult('error')
|
||||
return
|
||||
}
|
||||
catch (Exception e) {
|
||||
LOG.error("Eid verification failed: ${e}")
|
||||
result = """{
|
||||
"oid4vp": {
|
||||
"status": "ERROR",
|
||||
"verification_url": "${session['agov.eid.verification.link']}",
|
||||
"id": "${idvalue}",
|
||||
"error_code": "HTTP-ERROR",
|
||||
"error_message": "failed to verify status of verification ${idvalue}, http exception"
|
||||
}}"""
|
||||
}
|
||||
|
||||
response.setContent(result.toString())
|
||||
response.setContentType('application/json')
|
||||
response.setHttpStatusCode(200)
|
||||
response.setIsDirectResponse(true)
|
||||
response.setStatus(AuthResponse.AUTH_CONTINUE)
|
||||
return
|
||||
}
|
||||
|
||||
// if we reach this place, display GUI
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ JAVA_OPTS=(
|
|||
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||
"-Dotel.javaagent.logging=application"
|
||||
"-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.1,service.instance.id=$HOSTNAME"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
|
||||
"-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-default-tls-trust/truststore.p12"
|
||||
"-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-default-tls-trust/keypass}"
|
||||
)
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -75,9 +75,18 @@ def dispatchIssuer(i2s, String issuer) {
|
|||
if (result == null) {
|
||||
LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
|
||||
}
|
||||
|
||||
// dispatch different idp if artifact binding is enabled
|
||||
if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
|
||||
LOG.debug("EPD: Artifact mode")
|
||||
result = result + "_artifact"
|
||||
}else{
|
||||
LOG.debug("EPD: POST mode")
|
||||
}
|
||||
response.setResult(result)
|
||||
session.put("saml.inbound.issuer", issuer)
|
||||
session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
|
||||
|
||||
}
|
||||
|
||||
def dispatchMessage(i2s, String message) {
|
||||
|
|
@ -108,8 +117,8 @@ if (request.getSession(false) == null) {
|
|||
def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
|
||||
|
||||
|
||||
i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
|
||||
i2s.put('https://trustbroker-idp.agov-w.azure.adnovum.net', 'state1')
|
||||
i2s.put(parameters.get('atb'), 'main')
|
||||
i2s.put(parameters.get('epd_atb'), 'epd')
|
||||
|
||||
if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
|
||||
LOG.debug("found SAMLRequest parameter for SP-initiated authentication")
|
||||
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
spec:
|
||||
type: "NevisFIDO"
|
||||
replicas: 1
|
||||
version: "8.2411.1"
|
||||
version: "8.2411.2"
|
||||
gitInitVersion: "1.3.0"
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
|
|
@ -46,7 +46,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-ba0282a303be16d9f91b594506c93c0ad7c1eefb"
|
||||
tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf"
|
||||
credentials: "git-credentials"
|
||||
database:
|
||||
|
|
|
|||
|
|
@ -7,5 +7,5 @@ JAVA_OPTS=(
|
|||
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||
"-Dotel.javaagent.logging=application"
|
||||
"-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.1,service.instance.id=$HOSTNAME"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
|
||||
)
|
||||
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
spec:
|
||||
type: "NevisFIDO"
|
||||
replicas: 1
|
||||
version: "8.2411.1"
|
||||
version: "8.2411.2"
|
||||
gitInitVersion: "1.3.0"
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
|
|
@ -46,7 +46,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-b0ee5bf8f21b6deb852634ece4565dee10c29032"
|
||||
tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@ JAVA_OPTS=(
|
|||
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||
"-Dotel.javaagent.logging=application"
|
||||
"-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.1,service.instance.id=$HOSTNAME"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
|
||||
)
|
||||
|
|
@ -29,7 +29,7 @@ fido2:
|
|||
rp-name: "AGOV-RelPartName"
|
||||
rp-id: "adnovum.net"
|
||||
origins:
|
||||
- "https://me.agov-w.azure.adnovum.net"
|
||||
- "https://ob.agov-w.azure.adnovum.net"
|
||||
- "https://nevisidm.agov-w.azure.adnovum.net"
|
||||
- "https://auth.agov-w.azure.adnovum.net"
|
||||
signature-algorithms:
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
spec:
|
||||
type: "NevisIDM"
|
||||
replicas: 1
|
||||
version: "8.2411.1"
|
||||
version: "8.2411.2"
|
||||
gitInitVersion: "1.3.0"
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
|
|
@ -46,7 +46,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-35527ce0c286b4891eee379a626de7c5db786735"
|
||||
tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm"
|
||||
credentials: "git-credentials"
|
||||
database:
|
||||
|
|
|
|||
|
|
@ -4,5 +4,5 @@ JAVA_OPTS=(
|
|||
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||
"-Dotel.javaagent.logging=application"
|
||||
"-Dotel.javaagent.configuration-file=/var/opt/nevisidm/default/conf/otel.properties"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.1,service.instance.id=$HOSTNAME"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
|
||||
)
|
||||
|
|
@ -11,7 +11,7 @@ metadata:
|
|||
spec:
|
||||
type: "NevisLogrend"
|
||||
replicas: 1
|
||||
version: "8.2411.1"
|
||||
version: "8.2411.2"
|
||||
gitInitVersion: "1.3.0"
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
|
|
@ -44,7 +44,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-a42d028a31e525195a4836e6364a21cb0ad6f04e"
|
||||
tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend"
|
||||
credentials: "git-credentials"
|
||||
podSecurity:
|
||||
|
|
|
|||
|
|
@ -10,5 +10,5 @@ JAVA_OPTS=(
|
|||
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||
"-Dotel.javaagent.logging=application"
|
||||
"-Dotel.javaagent.configuration-file=/var/opt/nevislogrend/default/conf/otel.properties"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.1,service.instance.id=$HOSTNAME"
|
||||
"-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
|
||||
)
|
||||
File diff suppressed because one or more lines are too long
|
|
@ -3,7 +3,7 @@
|
|||
$text.get("footer.text")
|
||||
<a target="_blank" class='text-hyperlink dark:text-dark-hyperlink underline' href='$text.get("footer.link")'>$text.get("footer.link.label")</a>
|
||||
</div>
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="${login.appDataPath}/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
|
|
@ -3,7 +3,7 @@
|
|||
$text.get("footer.text")
|
||||
<a target="_blank" class='text-hyperlink dark:text-dark-hyperlink underline' href='$text.get("footer.link")'>$text.get("footer.link.label")</a>
|
||||
</div>
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="${login.appDataPath}/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-a42d028a31e525195a4836e6364a21cb0ad6f04e"
|
||||
tag: "r-d9f8becba9a6acfa30f490d16e18038ab79e9d92"
|
||||
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/proxy-idp"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
|
|
|
|||
|
|
@ -507,7 +507,7 @@
|
|||
trace = request:getTracer()
|
||||
if request:getHeader("Origin") then
|
||||
if not response:getHeader("Access-Control-Allow-Origin") then
|
||||
domains = {"trustbroker.agov-d.azure.adnovum.net", "auth.agov-w.azure.adnovum.net", "ob.agov-w.azure.adnovum.net"}
|
||||
domains = {"trustbroker.agov-d.azure.adnovum.net", "auth.agov-w.azure.adnovum.net", "trustbroker-idp.agov-w.azure.adnovum.net", "ob.agov-w.azure.adnovum.net"}
|
||||
for k, v in pairs(domains) do
|
||||
trace:info("Accepted domains="..v)
|
||||
end
|
||||
|
|
@ -1597,10 +1597,10 @@
|
|||
<param-value>true</param-value>
|
||||
</init-param>
|
||||
</servlet>
|
||||
<!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://c642107fde6b2e07f16bfedb, pattern://decb9b3f88d430fb5c95f466 -->
|
||||
<!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://a6f6dc6affdc7c692ff857b9, pattern://decb9b3f88d430fb5c95f466 -->
|
||||
<servlet>
|
||||
<servlet-name>Hosting_Default</servlet-name>
|
||||
<!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://c642107fde6b2e07f16bfedb, pattern://decb9b3f88d430fb5c95f466 -->
|
||||
<!-- source: pattern://e0fda9336be9c69dafc9b69e, pattern://a6f6dc6affdc7c692ff857b9, pattern://decb9b3f88d430fb5c95f466 -->
|
||||
<servlet-class>ch::nevis::isiweb4::servlet::defaults::DefaultServlet</servlet-class>
|
||||
</servlet>
|
||||
<!-- source: pattern://cb8c63274fe346280de0ffd5 -->
|
||||
|
|
@ -1671,7 +1671,7 @@
|
|||
<servlet-name>Hosting_Default</servlet-name>
|
||||
<url-pattern>/AUTH/RECOVERY/*</url-pattern>
|
||||
</servlet-mapping>
|
||||
<!-- source: pattern://c642107fde6b2e07f16bfedb -->
|
||||
<!-- source: pattern://a6f6dc6affdc7c692ff857b9 -->
|
||||
<servlet-mapping>
|
||||
<servlet-name>Hosting_Default</servlet-name>
|
||||
<url-pattern>/SAML2/SSO/*</url-pattern>
|
||||
|
|
|
|||
|
|
@ -63,7 +63,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<footer class="hidden sm:flex mt-auto font-body text-body-s text-disabled-grey dark:text-silver w-full p-2 justify-end">
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="/resources/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
|
|
@ -60,7 +60,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<footer class="hidden sm:flex mt-auto font-body text-body-s text-disabled-grey dark:text-silver w-full p-2 justify-end">
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="/resources/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<footer class="hidden sm:flex mt-auto font-body text-body-s text-disabled-grey dark:text-silver w-full p-2 justify-end">
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="/resources/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<footer class="hidden sm:flex mt-auto font-body text-body-s text-disabled-grey dark:text-silver w-full p-2 justify-end">
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="/resources/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<footer class="hidden sm:flex mt-auto font-body text-body-s text-disabled-grey dark:text-silver w-full p-2 justify-end">
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
</body>
|
||||
<script src="/resources/static/bundle.js"></script>
|
||||
|
|
|
|||
|
|
@ -66,7 +66,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<footer class="hidden sm:flex mt-auto font-body text-body-s text-disabled-grey dark:text-silver w-full p-2 justify-end">
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="/resources/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
|
|
@ -63,7 +63,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<footer class="hidden sm:flex mt-auto font-body text-body-s text-disabled-grey dark:text-silver w-full p-2 justify-end">
|
||||
<p>1.10.0.local-20250320T124958Z-haburger: Fri Mar 21 15:29:13 CET 2025</p>
|
||||
<p>1.10.0.local-20250321T164316Z-haburger: Tue Mar 25 11:16:24 CET 2025</p>
|
||||
</footer>
|
||||
<script src="/resources/static/bundle.js"></script>
|
||||
</body>
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue