adn-agov-iam-project/patterns/f393012a278e525956a362d3_re.../ensureAccountState.groovy

125 lines
5.8 KiB
Groovy
Raw Normal View History

2024-08-21 10:52:51 +00:00
import ch.nevis.esauth.auth.engine.AuthResponse
import ch.nevis.idm.client.IdmRestClient
import ch.nevis.idm.client.IdmRestClientFactory
import ch.nevis.idm.client.HTTPRequestWrapper
import groovy.json.JsonSlurper
// Accounting
def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
def credentialType = session['authenticatedWith'] ?: 'unknown'
def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
String loginId = session.get('ch.adnovum.nevisidm.user.loginId')
String profileExtId = session.get('ch.adnovum.nevisidm.profileExtId')
String unitExtid= parameters.get('unitExtid')
String level100RoleExtid = parameters.get('level100.roleExtid')
String baseUrl = "${parameters.get('idm.baseUrl')}/core/v1/$clientExtId"
boolean audited = false
2024-10-21 07:31:23 +00:00
String aq100AuthRestURL = null
2024-08-21 10:52:51 +00:00
String endpoint = null
// 1) create the profile if needed
if (profileExtId == null || profileExtId.isEmpty()) {
endpoint = "${baseUrl}/users/${userExtId}/profiles"
profileExtId = UUID.randomUUID().toString()
def postRequest = new HTTPRequestWrapper()
postRequest.addToHeaders('Content-Type', ['application/json'])
def dto = "{\"extId\":\"${profileExtId}\",\"unitExtId\":\"${unitExtid}\",\"profileState\":\"active\",\"name\":\"Profile-${loginId}\",\"isDefaultProfile\":true,\"modificationComment\":\"Repaired for request ${requestId}\"}"
postRequest.setPayLoad(dto.getBytes('UTF-8'))
def result = idmRestClient.postWithResponse(endpoint, postRequest)
if (result.getStatusCode() != 201) {
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create the missing profile (http status code ${result.getStatusCode()})'")
response.setNote('saml.errorCode', 'Responder')
response.setNote('saml.errorMessage', "account of the user with agovId ${userExtId} is in a corrupt state, should contact agov help")
response.setResult('failed')
return
} else {
LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='created missing profile'")
audited = true
}
}
// 2) add level 100 role if needed
if (!Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-Loi.level100')).findAny().isPresent()) {
endpoint = "${baseUrl}/profiles/${profileExtId}/authorizations"
def postRequest = new HTTPRequestWrapper()
postRequest.addToHeaders('Content-Type', ['application/json'])
def dto = "{\"extId\":\"${UUID.randomUUID().toString()}\",\"roleExtId\":\"${level100RoleExtid}\"}"
postRequest.setPayLoad(dto.getBytes('UTF-8'))
def result = idmRestClient.postWithResponse(endpoint, postRequest)
if (result.getStatusCode() != 201) {
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create the missing AGOVaq 100 role (http status code ${result.getStatusCode()})'")
response.setNote('saml.errorCode', 'Responder')
response.setNote('saml.errorMessage', "account of the user with agovId ${userExtId} is in a corrupt state, should contact agov help")
response.setResult('failed')
return
} else if (!audited) {
LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='created missing AGOVaq 100 role'")
audited = true
}
2024-10-21 07:31:23 +00:00
aq100AuthRestURL = result.getLocation()
2024-08-21 10:52:51 +00:00
}
// 3) set the AQ level 100 verification to None
if (!session['ch.adnovum.nevisidm.userDto'].contains("<properties><name>idVerification</name><value>None</value><scopeName>AGOV-Loi,level100</scopeName></properties>")) {
2024-10-21 07:31:23 +00:00
if (aq100AuthRestURL == null) {
2024-08-21 10:52:51 +00:00
endpoint = "${baseUrl}/profiles/${profileExtId}/authorizations"
def result = idmRestClient.get(endpoint)
def json = new JsonSlurper().parseText(result)
json['items'].eachWithIndex { az, i ->
if (az.roleExtId == level100RoleExtid) {
agovAq100AuthEndpoint = "${endpoint}/${az.extId}"
}
}
}
2024-10-21 07:31:23 +00:00
endpoint = "${aq100AuthRestURL}/properties"
2024-08-21 10:52:51 +00:00
def patchRequest = new HTTPRequestWrapper()
patchRequest.addToHeaders('Content-Type', ['application/json'])
patchRequest.setPayLoad('{"idVerification":"None"}'.getBytes('UTF-8'))
def result = idmRestClient.patchWithResponse(endpoint, patchRequest)
if (result.getStatusCode() != 200) {
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to patch the AGOVaq 100 role (http status code ${result.getStatusCode()})'")
} else if (!audited) {
LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='patched AGOVaq 100 role with idVerification'")
audited = true
}
}
if (audited) {
response.setResult('reload')
} else {
response.setResult('done')
}