nevis
/
adn-agov-iam-project
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

1 file added, 19 files updated and 2 files deleted

This commit is contained in:
haburger 2024-10-21 07:33:30 +00:00
parent 2705180320
commit 196c3ba3a0
28 changed files with 261 additions and 396 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
bundles.yml
View File

@ -1,12 +1,12 @@
schemaVersion: "1.0" schemaVersion: "1.0"
bundles: bundles:
- "nevisadmin-plugin-oauth:8.2405.2.0"
- "nevisadmin-plugin-authcloud:8.2405.2.0"
- "nevisadmin-plugin-nevisidm:8.2405.2.0"
- "nevisadmin-plugin-mobile-auth:8.2405.2.0"
- "nevisadmin-plugin-fido2:8.2405.2.0"
- "nevisadmin-plugin-nevisdp:8.2405.2.0"
- "nevisadmin-plugin-nevisauth:8.2405.2.0"
- "nevisadmin-plugin-nevisproxy:8.2405.2.0"
- "nevisadmin-plugin-nevisdetect:8.2405.2.0"
- "nevisadmin-plugin-base-generation:8.2405.2.0" - "nevisadmin-plugin-base-generation:8.2405.2.0"
- "nevisadmin-plugin-oauth:8.2405.2.0"
- "nevisadmin-plugin-nevisdetect:8.2405.2.0"
- "nevisadmin-plugin-nevisauth:8.2405.2.0"
- "nevisadmin-plugin-nevisdp:8.2405.2.0"
- "nevisadmin-plugin-nevisproxy:8.2405.2.0"
- "nevisadmin-plugin-mobile-auth:8.2405.2.0"
- "nevisadmin-plugin-nevisidm:8.2405.2.0"
- "nevisadmin-plugin-fido2:8.2405.2.0"
- "nevisadmin-plugin-authcloud:8.2405.2.0"

BIN
patterns/1f0702aaabef60a615abf41f_resources/resources.zip
View File

Binary file not shown.

BIN
patterns/204c22beaccdfd22727af378_labels/labels.zip
View File

Binary file not shown.

BIN
patterns/204c22beaccdfd22727af378_template/webdata.zip
View File

Binary file not shown.

BIN
patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
View File

Binary file not shown.

BIN
patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
View File

Binary file not shown.

20
patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
View File

@ -5,14 +5,6 @@
</AuthState> </AuthState>
<AuthState name="${state.entry}_dispatch" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="true"> <AuthState name="${state.entry}_dispatch" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="true">
<ResultCond name="default" next="${state.exit.5}"/> <ResultCond name="default" next="${state.exit.5}"/>
<!-- TODO/haburger/2024-AUG-20: remove Google after successfull migration to Friendly Captcha -->
<!-- <ResultCond name="cancel, hasCaptchaInfos, visible" next="${state.exit.2}"/> -->
<!-- <ResultCond name="hasCode, hasCaptchaInfos, visible" next="${state.exit.2}"/> -->
<!-- <ResultCond name="hasCaptchaInfos, invalidUrlTicket, visible" next="${state.entry}_enterEmail"/> -->
<!-- <ResultCond name="hasCaptchaInfos, continue, visible" next="${state.entry}_enterEmail"/> -->
<!-- <ResultCond name="invalidUrl, hasCaptchaInfos, visible" next="${state.entry}_ticketInvalid"/> -->
<ResultCond name="invalidUrlTicket" next="${state.exit.5}"/> <ResultCond name="invalidUrlTicket" next="${state.exit.5}"/>
<ResultCond name="hasCode" next="${state.exit.2}"/> <ResultCond name="hasCode" next="${state.exit.2}"/>
<ResultCond name="cancel" next="${state.exit.2}"/> <ResultCond name="cancel" next="${state.exit.2}"/>
@ -36,11 +28,6 @@
<property name="condition:invalidUrl" value="#{!inctx.getProperty('connection.actualURL').matches('((https://.*/AUTH/RECOVERY/\\?$)|(https://.*/AUTH/RECOVERY/$)|(https://.*/AUTH/RECOVERY/\\?language=(de|fr|it|en))|(https://.*/AUTH/RECOVERY/\\?cd=.*))')}"/> <property name="condition:invalidUrl" value="#{!inctx.getProperty('connection.actualURL').matches('((https://.*/AUTH/RECOVERY/\\?$)|(https://.*/AUTH/RECOVERY/$)|(https://.*/AUTH/RECOVERY/\\?language=(de|fr|it|en))|(https://.*/AUTH/RECOVERY/\\?cd=.*))')}"/>
<property name="condition:invalidUrlTicket" value="${notes:invalidUrlTicket}"/> <property name="condition:invalidUrlTicket" value="${notes:invalidUrlTicket}"/>
<property name="condition:hasCaptchaInfos" value="#{sess.get('agov.recovery.captchaSettings.puzzleUrl')}"/> <property name="condition:hasCaptchaInfos" value="#{sess.get('agov.recovery.captchaSettings.puzzleUrl')}"/>
<!-- TODO/haburger/2024-AUG-20: remove Google after successfull migration to Friendly Captcha -->
<!-- <property name="condition:hasCaptchaInfos" value="#{sess.get('agov.recovery.json.accountUrl')}"/> -->
<!-- <property name="condition:continue" value="#{inargs.containsKey('continue')}"/> -->
<!-- <property name="condition:visible" value="#{sess.get('agov.recovery.X-ReCAPTCHA-Integration') eq 'VISIBLE'}"/> -->
</AuthState> </AuthState>
<AuthState name="${state.entry}_loginFactorQuestion" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true"> <AuthState name="${state.entry}_loginFactorQuestion" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
<ResultCond name="cancel" next="${state.exit.2}"/> <ResultCond name="cancel" next="${state.exit.2}"/>
@ -113,13 +100,6 @@
<GuiElem name="captchaSettings.enabled" type="hidden" value="${sess:agov.recovery.captchaSettings.enabled}" optional="true"/> <GuiElem name="captchaSettings.enabled" type="hidden" value="${sess:agov.recovery.captchaSettings.enabled}" optional="true"/>
<GuiElem name="friendlyCaptchaSettings.siteKey" type="hidden" value="${sess:agov.recovery.captchaSettings.siteKey}" optional="true"/> <GuiElem name="friendlyCaptchaSettings.siteKey" type="hidden" value="${sess:agov.recovery.captchaSettings.siteKey}" optional="true"/>
<GuiElem name="friendlyCaptchaSettings.puzzleUrl" type="hidden" value="${sess:agov.recovery.captchaSettings.puzzleUrl}" optional="true"/> <GuiElem name="friendlyCaptchaSettings.puzzleUrl" type="hidden" value="${sess:agov.recovery.captchaSettings.puzzleUrl}" optional="true"/>
<!-- TODO/haburger/2024-AUG-20: remove Google after successfull migration to Friendly Captcha -->
<!-- <GuiElem name="captchaSettings.reCaptchaInvisibleSiteKey" type="hidden" value="${sess:agov.recovery.json.captchaSettings.reCaptchaInvisibleSiteKey}" optional="true"/> -->
<!-- <GuiElem name="captchaSettings.reCaptchaVisibleSiteKey" type="hidden" value="${sess:agov.recovery.json.captchaSettings.reCaptchaVisibleSiteKey}" optional="true"/> -->
<!-- <GuiElem name="X-ReCAPTCHA-Integration" type="hidden" value="${sess:agov.recovery.X-ReCAPTCHA-Integration}" optional="true"/> -->
<GuiElem name="cancel" type="submit" label="cancel.button.label" value="cancel"/> <GuiElem name="cancel" type="submit" label="cancel.button.label" value="cancel"/>
<GuiElem name="submit" type="submit" label="submit.button.label" value="submit"/> <GuiElem name="submit" type="submit" label="submit.button.label" value="submit"/>
</Gui> </Gui>

8
patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
View File

@ -1,8 +1,6 @@
import groovy.xml.XmlSlurper import groovy.xml.XmlSlurper
import groovy.json.JsonSlurper import groovy.json.JsonSlurper
//import ch.nevis.esauth.util.httpclient.api.HttpClients import io.opentelemetry.api.trace.Span
//import ch.nevis.esauth.util.httpclient.api.Http
int getRequestedLevel(String authnContextClassRef, def roleList){ int getRequestedLevel(String authnContextClassRef, def roleList){
if (!authnContextClassRef) { if (!authnContextClassRef) {
@ -58,11 +56,13 @@ if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.sco
} }
try { try {
def spanCtxt = Span.current().getSpanContext()
def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
def jsonSlurper = new JsonSlurper() def jsonSlurper = new JsonSlurper()
def url = parameters.get('url') + '?entity-id=' + session.get('ch.nevis.auth.saml.request.scoping.requesterId') def url = parameters.get('url') + '?entity-id=' + session.get('ch.nevis.auth.saml.request.scoping.requesterId')
LOG.debug('Request url: ' + url) LOG.debug('Request url: ' + url)
def httpClient = HttpClients.create(parameters) def httpClient = HttpClients.create(parameters)
def httpResponse = Http.get().url(url).build().send(httpClient) def httpResponse = Http.get().url(url).header('traceparent', traceparent).build().send(httpClient)
LOG.debug('Response Message: ' + httpResponse.reasonPhrase()) LOG.debug('Response Message: ' + httpResponse.reasonPhrase())
LOG.debug('Response Status Code: ' + httpResponse.code()) LOG.debug('Response Status Code: ' + httpResponse.code())
LOG.debug('Response: ' + httpResponse.bodyAsString()) LOG.debug('Response: ' + httpResponse.bodyAsString())

164
patterns/699f22cf1cd4ad08bd973f31_scriptFile/fido2_fetchCaptchaResult.gy → patterns/699f22cf1cd4ad08bd973f31_scriptFile/fido2_fetchCaptchaResult.groovy
View File

@ -1,101 +1,63 @@
def url = parameters.get('url') import io.opentelemetry.api.trace.Span
def email = inargs['userInputValue_prompt.email'] def url = parameters.get('url')
def token = inargs['captcha_response']?: 'MISSING'
def email = inargs['userInputValue_prompt.email']
def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown' def token = inargs['captcha_response']?: 'MISSING'
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown' def enabled = (session['agov.fido2.captchaSettings.enabled']?:'true').toBoolean()
def payload = "{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }" def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
LOG.debug('Token: ' + token)
LOG.debug('Payload: ' + payload) def payload = "{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }"
try { LOG.debug('Token: ' + token)
LOG.debug('Payload: ' + payload)
def httpClient = HttpClients.create(parameters)
def httpResponse = Http.post() try {
.url(url)
.header("Accept", "application/json") if (!enabled) {
.header("X-FriendlyCAPTCHA-Token", token) LOG.info("FriendlyCAPTCHA is disabled, allowing operation for ${payload}")
.entity(Http.entity() response.setResult('ok')
.content(payload) return
.contentType("application/json") }
.build())
.build() def spanCtxt = Span.current().getSpanContext()
.send(httpClient) def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
LOG.debug('Response Message: ' + httpResponse.reasonPhrase()) def httpClient = HttpClients.create(parameters)
LOG.debug('Response Status Code: ' + httpResponse.code()) def httpResponse = Http.post()
LOG.debug('Response: ' + httpResponse.bodyAsString()) .url(url)
.header("Accept", "application/json")
if (httpResponse.code() == 200) { .header("X-FriendlyCAPTCHA-Token", token)
if (httpResponse.bodyAsString().contains('SUCCESSFUL')) { .header("traceparent", traceparent)
response.setResult('ok') .entity(Http.entity()
return .content(payload)
} else { .contentType("application/json")
LOG.warn("Friendly captcha not successful for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'") .build())
response.setResult('exit.1') .build()
return .send(httpClient)
}
} else { LOG.debug('Response Status Code: ' + httpResponse.code())
LOG.error("Friendly captcha failed with statuscode ${httpResponse.code()} for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'") LOG.debug('Response: ' + httpResponse.bodyAsString())
response.setResult('error')
response.setError(1, 'Unexpected HTTP reponse') if (httpResponse.code() == 200) {
} if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
} catch (all) { response.setResult('ok')
// Handle exception and set the transition return
LOG.error("Friendly captcha failed with a general error '${all}' for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }', service-url: ${url}") } else {
response.setResult('error') LOG.warn("Friendly captcha not successful for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
response.setError(1, 'Exception during HTTP call') response.setResult('exit.1')
} return
}
} else {
// TODO/haburger/2024-AUG-20: remove if reCaptcha is not needed anymore LOG.error("Friendly captcha failed with statuscode ${httpResponse.code()} for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
// response.setResult('error')
// def payload = '{ "email": "' + inargs['userInputValue_prompt.email'] + '", "action": "LOGIN", "userIp": "' + ip + '", "userAgent": "' + userAgent + '"}' response.setError(1, 'Unexpected HTTP reponse')
// }
// LOG.info('Token: ' + inargs['recaptcha_response']) } catch (all) {
// LOG.info('Integration: ' + session['agov.fido2.X-ReCAPTCHA-Integration']) // Handle exception and set the transition
// LOG.info('Payload: ' + payload) LOG.error("Friendly captcha failed with a general error '${all}' for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }', service-url: ${url}")
// response.setResult('error')
// try { response.setError(1, 'Exception during HTTP call')
// }
// def httpClient = HttpClients.create(parameters)
// def httpResponse = Http.post()
// .url(url)
// .header("Accept", "application/json")
// .header("X-ReCAPTCHA-Token", inargs['recaptcha_response'])
// .header("X-ReCAPTCHA-Integration", session['agov.fido2.X-ReCAPTCHA-Integration'])
// .entity(Http.entity()
// .content(payload)
// .contentType("application/json")
// .build())
// .build()
// .send(httpClient)
//
// LOG.info('Response Message: ' + httpResponse.reasonPhrase())
// LOG.info('Response Status Code: ' + httpResponse.code())
// LOG.info('Response: ' + httpResponse.bodyAsString())
//
// if (httpResponse.code() == 200) {
// if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
// response.setResult('ok')
// return
// } else {
//
// response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'VISIBLE')
// response.setResult('exit.1')
// return
// }
// } else {
// LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
// response.setResult('error')
// response.setError(1, 'Unexpected HTTP reponse')
// }
// } catch (all) {
// // Handle exception and set the transition
// LOG.error('error: ' + all, all)
// response.setResult('error')
// response.setError(1, 'Exception during HTTP call')
// }

65
patterns/717094cbd4ddbadeab4b2cc1_scriptFile/Recovery_fetchCaptchaResult.groovy
View File

@ -1,7 +1,10 @@
import io.opentelemetry.api.trace.Span
def url = parameters.get('url') def url = parameters.get('url')
def email = inargs['email'] def email = inargs['email']
def token = inargs['captcha_response']?: 'MISSING' def token = inargs['captcha_response']?: 'MISSING'
def enabled = (session['agov.recovery.captchaSettings.enabled']?:'true').toBoolean()
def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown' def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown' def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
@ -13,11 +16,21 @@ LOG.debug('Payload: ' + payload)
try { try {
if (!enabled) {
LOG.info("FriendlyCAPTCHA is disabled, allowing operation for ${payload}")
response.setResult('ok')
return
}
def spanCtxt = Span.current().getSpanContext()
def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
def httpClient = HttpClients.create(parameters) def httpClient = HttpClients.create(parameters)
def httpResponse = Http.post() def httpResponse = Http.post()
.url(url) .url(url)
.header("Accept", "application/json") .header("Accept", "application/json")
.header("X-FriendlyCAPTCHA-Token", token) .header("X-FriendlyCAPTCHA-Token", token)
.header("traceparent", traceparent)
.entity(Http.entity() .entity(Http.entity()
.content(payload) .content(payload)
.contentType("application/json") .contentType("application/json")
@ -25,7 +38,6 @@ try {
.build() .build()
.send(httpClient) .send(httpClient)
LOG.debug('Response Message: ' + httpResponse.reasonPhrase())
LOG.debug('Response Status Code: ' + httpResponse.code()) LOG.debug('Response Status Code: ' + httpResponse.code())
LOG.debug('Response: ' + httpResponse.bodyAsString()) LOG.debug('Response: ' + httpResponse.bodyAsString())
@ -49,54 +61,3 @@ try {
response.setResult('error') response.setResult('error')
response.setError(1, 'Exception during HTTP call') response.setError(1, 'Exception during HTTP call')
} }
// TODO/haburger/2024-AUG-20: remove if reCaptcha is not needed anymore
// def payload = '{ "email": "' + inargs['email'] + '", "action": "LOGIN", "userIp": "' + session.get('agov.recovery.ip') + '", "userAgent": "' + session.get('agov.recovery.userAgent') + '"}'
//
// LOG.info('Token: ' + inargs['recaptcha_response'])
// LOG.info('Integration: ' + session['agov.recovery.X-ReCAPTCHA-Integration'])
// LOG.info('Payload: ' + payload)
//
// try {
//
// def httpClient = HttpClients.create(parameters)
// def httpResponse = Http.post()
// .url(url)
// .header("Accept", "application/json")
// .header("X-ReCAPTCHA-Token", inargs['recaptcha_response'])
// .header("X-ReCAPTCHA-Integration", session['agov.recovery.X-ReCAPTCHA-Integration'])
// .entity(Http.entity()
// .content(payload)
// .contentType("application/json")
// // .charSet("utf-8")
// .build())
// .build()
// .send(httpClient)
//
// LOG.info('Response Message: ' + httpResponse.reasonPhrase())
// LOG.info('Response Status Code: ' + httpResponse.code())
// LOG.info('Response: ' + httpResponse.bodyAsString())
//
// if (httpResponse.code() == 200) {
// if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
// response.setResult('ok')
// return
// } else {
//
// response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'VISIBLE')
// response.setResult('exit.1')
// return
// }
// } else {
// LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
// response.setResult('error')
// response.setError(1, 'Unexpected HTTP reponse')
// }
// } catch (all) {
// // Handle exception and set the transition
// LOG.error('error: ' + all, all)
// response.setResult('error')
// response.setError(1, 'Exception during HTTP call')
// }

80
patterns/9f443ce76f9522dfae4c3aa0_scriptFile/recovery_sendEmail.gy → patterns/9f443ce76f9522dfae4c3aa0_scriptFile/recovery_sendEmail.groovy
View File

@ -1,41 +1,41 @@
//import ch.nevis.esauth.util.httpclient.api.HttpClient; import io.opentelemetry.api.trace.Span
//import ch.nevis.esauth.util.httpclient.api.HttpClients;
//import ch.nevis.esauth.util.httpclient.api.Http; def url = parameters.get('url')
def email = inargs['email']
def url = parameters.get('url') def language = session['ch.nevis.session.user.language'] ?: 'en'
//def payload = parameters.get('json') def payload = '{ "email": "' + email + '", "language": "' + language + '"}'
//def url = "https://me.agov-d.azure.adnovum.net:48081/utility/api/v1/email/031"
def email = inargs['email'] try {
def language = session['ch.nevis.session.user.language'] ?: 'en' def spanCtxt = Span.current().getSpanContext()
def payload = '{ "email": "' + email + '", "language": "' + language + '"}' def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
try { def httpClient = HttpClients.create(parameters)
def httpClient = HttpClients.create(parameters) def httpResponse = Http.post()
def httpResponse = Http.post() .url(url)
.url(url) .header("Accept", "application/json")
.header("Accept", "application/json") .header("traceparent", traceparent)
.entity(Http.entity() .entity(Http.entity()
.content(payload) .content(payload)
.contentType("application/json") .contentType("application/json")
// .charSet("utf-8") // .charSet("utf-8")
.build()) .build())
.build() .build()
.send(httpClient) .send(httpClient)
LOG.info('Response Message: ' + httpResponse.reasonPhrase()) LOG.info('Response Message: ' + httpResponse.reasonPhrase())
LOG.info('Response Status Code: ' + httpResponse.code()) LOG.info('Response Status Code: ' + httpResponse.code())
LOG.info('Response: ' + httpResponse.bodyAsString()) LOG.info('Response: ' + httpResponse.bodyAsString())
if (httpResponse.code() == 200) { if (httpResponse.code() == 200) {
response.setResult('ok') response.setResult('ok')
} else { } else {
LOG.error('Unexcpected HTTP response code: ' + httpResponse.code()) LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
response.setResult('error') response.setResult('error')
response.setError(1, 'Unexpected HTTP reponse') response.setError(1, 'Unexpected HTTP reponse')
} }
} catch (all) { } catch (all) {
// Handle exception and set the transition // Handle exception and set the transition
LOG.error('error: ' + all, all) LOG.error('error: ' + all, all)
response.setResult('error') response.setResult('error')
response.setError(1, 'Exception during HTTP call') response.setError(1, 'Exception during HTTP call')
} }

18
patterns/AuthnFailed_LockedAccount_3cc9ad9d0cc771665881abcc.yml
View File

@ -1,18 +0,0 @@
schemaVersion: "1.0"
pattern:
id: "3cc9ad9d0cc771665881abcc"
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.TransformVariablesStep"
name: "AuthnFailed_LockedAccount"
label: "UTILS"
notes: "Display screen : informing the user that a problem blocking his account\
\ has been encountered\n\nmissing info : if you didn't lock the account then go\
\ consult the support page for unlocking the account\n\nErrors : 1: user verification\
\ failed (user not found); 98: account disabled or archived (98 not in use yet)"
properties:
variables:
- notes:saml.errorCode: "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
- notes:saml.errorMessage: "Your account is locked , Request ID: ${request:transferId}"
- notes:saml.errorInfo: "If you didn't lock the account then go consult the support\
\ page for unlocking the account"
onSuccess:
- "pattern://473f9d6b4ab9d61c1eb8c689"

13
patterns/FIDO2_ResetSessionInfos_887ada57500885703a4a9408.yml
View File

@ -1,13 +0,0 @@
schemaVersion: "1.0"
pattern:
id: "887ada57500885703a4a9408"
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.TransformVariablesStep"
name: "FIDO2_ResetSessionInfos"
notes: "TODO/haburger/2024-AUG-20: remove after migration to Friendly Captcha is\
\ done"
properties:
variables:
- sess:agov.fido2.X-ReCAPTCHA-Integration: ""
emptyValue: "remove-variable"
onSuccess:
- "pattern://f39352769cb2a1c88e1a176d"

9
patterns/IdP-Idm-SecToken-Signer-Trust_2d8151249e6734ccc072422b.yml Normal file
View File

@ -0,0 +1,9 @@
schemaVersion: "1.0"
pattern:
id: "2d8151249e6734ccc072422b"
className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.AutomaticTrustStoreProvider"
name: "IdP-Idm-SecToken-Signer-Trust"
properties:
keystore:
- "pattern://aeb2fed9962dcd5f7893db51"
truststoreFile: "var://idp-idm-sectoken-signer-trust-additional-trusted-certificates"

2
patterns/Mobile_NLess_Auth_f63c475c35b616b7c6c1901c.yml
View File

@ -9,7 +9,7 @@ pattern:
onSuccess: onSuccess:
- "pattern://56c67433c7a47b6cb06f011a" - "pattern://56c67433c7a47b6cb06f011a"
nextSteps: nextSteps:
- "pattern://887ada57500885703a4a9408" - "pattern://f39352769cb2a1c88e1a176d"
- "pattern://d76231eaa88cb1645ce44cf3" - "pattern://d76231eaa88cb1645ce44cf3"
resources: "res://f63c475c35b616b7c6c1901c#resources" resources: "res://f63c475c35b616b7c6c1901c#resources"
keyObjects: keyObjects:

1
patterns/Recovery_fetchCaptchaInfos_bea3ca0c85381d07d632be52.yml
View File

@ -7,6 +7,7 @@ pattern:
scriptFile: "res://bea3ca0c85381d07d632be52#scriptFile" scriptFile: "res://bea3ca0c85381d07d632be52#scriptFile"
parameters: parameters:
- url: "${var.captcha-service.configinfo.url}" - url: "${var.captcha-service.configinfo.url}"
- realIpHttpHeaderName: "${var.captcha-service.configinfo.realIpHttpHeaderName}"
onSuccess: onSuccess:
- "pattern://584964c837512845d7940809" - "pattern://584964c837512845d7940809"
scriptTraceGroup: "AgovCaptcha" scriptTraceGroup: "AgovCaptcha"

32
patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
View File

@ -3,34 +3,6 @@ pattern:
id: "0d3511bed6798a78cc3237f6" id: "0d3511bed6798a78cc3237f6"
className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders" className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
name: "Security Response Headers" name: "Security Response Headers"
label: "PROXY"
properties: properties:
responseHeaders: responseHeaders: "var://security-response-headers-response-headers"
- Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
- X-Content-Type-Options: "nosniff"
- Referrer-Policy: "strict-origin-when-cross-origin"
- X-Frame-Options: "DENY"
- Cross-Origin-Opener-Policy: "same-origin"
- Cross-Origin-Embedder-Policy: "require-corp"
- Cross-Origin-Resource-Policy: "same-site"
- Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
- Content-Security-Policy-Report-Only: "default-src 'none'; script-src 'self'\
\ 'sha256-jRcpQ00xp7HFefM8uuubCrmPgr9Q/zMqq+Be8IyLXyM=' 'sha256-jRcpQ00xp7HFefM8uuubCrmPgr9Q/zMqq+Be8IyLXyM='\
\ 'sha256-jRcpQ00xp7HFefM8uuubCrmPgr9Q/zMqq+Be8IyLXyM=' 'sha256-jRcpQ00xp7HFefM8uuubCrmPgr9Q/zMqq+Be8IyLXyM='\
\ 'unsafe-inline'; script-src-elem https://www.google.com https://www.gstatic.com\
\ 'sha256-jRcpQ00xp7HFefM8uuubCrmPgr9Q/zMqq+Be8IyLXyM=' 'sha256-VVRbrI9TGfTX6IQoysg2+krJFUO9Ckt6G7Gcs1q2dgM='\
\ 'sha256-6FA//NVJWFgnJwirzDKHC42MZIXYrIxtNaKCahX3DLg=' 'sha256-3whVsWq2brmbgJQdoqbeJgW+43c+XyGdWbKl7sqG3YQ='\
\ 'sha256-3whVsWq2brmbgJQdoqbeJgW+43c+XyGdWbKl7sqG3YQ=' 'self'; connect-src\
\ 'self'; img-src 'self'; style-src 'self' 'sha256-Q5DmyIIE+GwAh03yBzctDxvuwMTX0uUUUP5UU3yFoF0='\
\ 'sha256-Q5DmyIIE+GwAh03yBzctDxvuwMTX0uUUUP5UU3yFoF0=' 'sha256-JnkgaYe2Kqj0SvIYv1vTPV72Rnsp5aU6c015YNij5Ks='\
\ 'sha256-jRcpQ00xp7HFefM8uuubCrmPgr9Q/zMqq+Be8IyLXyM=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='\
\ 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='\
\ 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='\
\ 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-Q5DmyIIE+GwAh03yBzctDxvuwMTX0uUUUP5UU3yFoF0='\
\ 'sha256-Q5DmyIIE+GwAh03yBzctDxvuwMTX0uUUUP5UU3yFoF0=' 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='\
\ 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE=' 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='\
\ 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE=' 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='\
\ 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE=' 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='\
\ 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE=' 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='\
\ 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE=' 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='\
\ 'unsafe-hashes' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-src\
\ https://www.google.com"

44
patterns/bea3ca0c85381d07d632be52_scriptFile/Recovery_fetchCaptchaInfos
View File

@ -1,44 +0,0 @@
import groovy.json.JsonSlurper
def url = parameters.get('url')
try {
def jsonSlurper = new JsonSlurper()
def httpClient = HttpClients.create(parameters)
def httpResponse = Http.get().url(url).build().send(httpClient)
LOG.debug('Response Message: ' + httpResponse.reasonPhrase())
LOG.debug('Response Status Code: ' + httpResponse.code())
LOG.debug('Response: ' + httpResponse.bodyAsString())
if (httpResponse.code() == 200) {
def json = jsonSlurper.parseText(httpResponse.bodyAsString())
// TODO/haburger/2024-AUG-20: remove if reCaptcha is not needed anymore
// response.setSessionAttribute('agov.recovery.json.accountUrl', json.accountUrl)
// response.setSessionAttribute('agov.recovery.json.registrationUrl', json.registrationUrl)
// response.setSessionAttribute('agov.recovery.json.captchaSettings.enabled', String.valueOf(json.captchaSettings.enabled))
// response.setSessionAttribute('agov.recovery.json.captchaSettings.reCaptchaInvisibleSiteKey', json.captchaSettings.reCaptchaInvisibleSiteKey)
// response.setSessionAttribute('agov.recovery.json.captchaSettings.reCaptchaVisibleSiteKey', json.captchaSettings.reCaptchaVisibleSiteKey)
// if (session.get('agov.recovery.X-ReCAPTCHA-Integration') == null) {
// response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'INVISIBLE')
// } else {
// response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'VISIBLE')
// }
response.setSessionAttribute('agov.recovery.captchaSettings.enabled', String.valueOf(json.captchaSettings.enabled))
response.setSessionAttribute('agov.recovery.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
response.setSessionAttribute('agov.recovery.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
response.setResult('ok')
} else {
LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
response.setResult('error')
response.setError(1, 'Unexpected HTTP reponse')
}
} catch (all) {
// Handle exception and set the transition
LOG.error('error: ' + all, all)
response.setResult('error')
response.setError(1, 'Exception during HTTP call')
}

39
patterns/bea3ca0c85381d07d632be52_scriptFile/Recovery_fetchCaptchaInfos.groovy Normal file
View File

@ -0,0 +1,39 @@
import groovy.json.JsonSlurper
import io.opentelemetry.api.trace.Span
def url = parameters.get('url')
def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
try {
def spanCtxt = Span.current().getSpanContext()
def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
def jsonSlurper = new JsonSlurper()
def httpClient = HttpClients.create(parameters)
def httpResponse = Http.get().url(url).header('traceparent', traceparent)
.header(realIpHttpHeaderName, ip).build().send(httpClient)
LOG.debug('Response Status Code: ' + httpResponse.code())
LOG.debug('Response: ' + httpResponse.bodyAsString())
if (httpResponse.code() == 200) {
def json = jsonSlurper.parseText(httpResponse.bodyAsString())
response.setSessionAttribute('agov.recovery.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
response.setSessionAttribute('agov.recovery.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
response.setSessionAttribute('agov.recovery.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
response.setResult('ok')
} else {
LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
response.setResult('error')
response.setError(1, 'Unexpected HTTP reponse')
}
} catch (all) {
// Handle exception and set the transition
LOG.error('error: ' + all, all)
response.setResult('error')
response.setError(1, 'Exception during HTTP call')
}

1
patterns/db4acd487dc7e8b82de8abb4_scriptFile/handleCodeParameter.groovy
View File

@ -1,4 +1,5 @@
import ch.nevis.esauth.auth.engine.AuthResponse import ch.nevis.esauth.auth.engine.AuthResponse
if (inargs['cancel'] == 'cancel') { if (inargs['cancel'] == 'cancel') {
//cleanSession() //cleanSession()
response.setStatus(AuthResponse.AUTH_ERROR) response.setStatus(AuthResponse.AUTH_ERROR)

6
patterns/e3cac41e75980361d7d26bde_authStatesFile/EmailInput.xml
View File

@ -8,12 +8,6 @@
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/> <GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
<GuiElem name="email" type="text" label="prompt.email" value="#{(inargs.getProperty('userInputValue_prompt.email') != null) ? inargs.getProperty('userInputValue_prompt.email') : session.get('ch.nevis.idm.User.email')}" optional="true"/> <GuiElem name="email" type="text" label="prompt.email" value="#{(inargs.getProperty('userInputValue_prompt.email') != null) ? inargs.getProperty('userInputValue_prompt.email') : session.get('ch.nevis.idm.User.email')}" optional="true"/>
<GuiElem name="captchaSettings.enabled" type="hidden" value="${sess:agov.fido2.captchaSettings.enabled}" optional="true"/> <GuiElem name="captchaSettings.enabled" type="hidden" value="${sess:agov.fido2.captchaSettings.enabled}" optional="true"/>
<!-- TODO/haburger/2024-AUG-20: remove Google after successfull migration to Friendly Captcha -->
<!-- <GuiElem name="captchaSettings.reCaptchaInvisibleSiteKey" type="hidden" value="${sess:agov.fido2.json.captchaSettings.reCaptchaInvisibleSiteKey}" optional="true"/> -->
<!-- <GuiElem name="captchaSettings.reCaptchaVisibleSiteKey" type="hidden" value="${sess:agov.fido2.json.captchaSettings.reCaptchaVisibleSiteKey}" optional="true"/> -->
<!-- <GuiElem name="X-ReCAPTCHA-Integration" type="hidden" value="${sess:agov.fido2.X-ReCAPTCHA-Integration}" optional="true"/> -->
<GuiElem name="friendlyCaptchaSettings.siteKey" type="hidden" value="${sess:agov.fido2.captchaSettings.siteKey}" optional="true"/> <GuiElem name="friendlyCaptchaSettings.siteKey" type="hidden" value="${sess:agov.fido2.captchaSettings.siteKey}" optional="true"/>
<GuiElem name="friendlyCaptchaSettings.puzzleUrl" type="hidden" value="${sess:agov.fido2.captchaSettings.puzzleUrl}" optional="true"/> <GuiElem name="friendlyCaptchaSettings.puzzleUrl" type="hidden" value="${sess:agov.fido2.captchaSettings.puzzleUrl}" optional="true"/>

6
patterns/f393012a278e525956a362d3_authStatesFile/ensureAccountState.xml
View File

@ -5,9 +5,9 @@
<Response value="AUTH_CONTINUE"/> <Response value="AUTH_CONTINUE"/>
<property name="scriptTraceGroup" value="AGOV-ACCT"/> <property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/ensureAccountState.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/ensureAccountState.groovy"/>
<property name="parameter.idm.baseUrl" value="https://${param.idm-service:idm}:8989/nevisidm/api"/> <property name="parameter.idm.baseUrl" value="https://${param.idm-service}:8989/nevisidm/api"/>
<property name="parameter.unitExtid" value="${param.agov.unitExtId:9907b8d4-a0cb-4028-a850-03efadbc73ad}"/> <property name="parameter.unitExtid" value="${param.agov.unitExtId}"/>
<property name="parameter.level100.roleExtid" value="${param.agov.level100.roleExtid:aee52e9f-7084-4e55-9aea-9383ac7757f7}"/> <property name="parameter.level100.roleExtid" value="${param.agov.level100.roleExtid}"/>
<property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Account_State"/> <property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Account_State"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_Reload" final="false" class="ch.nevis.idm.authstate.IdmGetPropertiesState" resumeState="false"> <AuthState name="${state.entry}_Reload" final="false" class="ch.nevis.idm.authstate.IdmGetPropertiesState" resumeState="false">

5
patterns/f393012a278e525956a362d3_resources/ensureAccountState.groovy
View File

@ -94,12 +94,13 @@ if (!session['ch.adnovum.nevisidm.userDto'].contains("<properties><name>idVerifi
json['items'].eachWithIndex { az, i -> json['items'].eachWithIndex { az, i ->
if (az.roleExtId == level100RoleExtid) { if (az.roleExtId == level100RoleExtid) {
agovAq100AuthEndpoint = "${endpoint}/${az.extId}" aq100AuthRestURL = "${endpoint}/${az.extId}"
} }
} }
} }
endpoint = "${aq100AuthRestURL}/properties"
endpoint = "${aq100AuthRestURL}/properties"
def patchRequest = new HTTPRequestWrapper() def patchRequest = new HTTPRequestWrapper()
patchRequest.addToHeaders('Content-Type', ['application/json']) patchRequest.addToHeaders('Content-Type', ['application/json'])

88
patterns/f39352769cb2a1c88e1a176d_scriptFile/fido2_fetchCaptchaInfos.gy → patterns/f39352769cb2a1c88e1a176d_scriptFile/fido2_fetchCaptchaInfos.groovy
View File

@ -1,52 +1,38 @@
import groovy.json.JsonSlurper import groovy.json.JsonSlurper
import io.opentelemetry.api.trace.Span import io.opentelemetry.api.trace.Span
def url = parameters.get('url') def url = parameters.get('url')
def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
try { def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
//TODO/haburger/2024-AUG-20: remove if reCaptcha is not needed anymore
session.remove('agov.fido2.X-ReCAPTCHA-Integration') try {
def spanCtxt = Span.current().getSpanContext()
def spanCtxt = Span.current().getSpanContext() def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
def jsonSlurper = new JsonSlurper()
def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}" def httpClient = HttpClients.create(parameters)
LOG.error('traceparent: ' + traceparent) def httpResponse = Http.get().url(url).header('traceparent', traceparent)
.header(realIpHttpHeaderName, ip).build().send(httpClient)
def jsonSlurper = new JsonSlurper()
def httpClient = HttpClients.create(parameters) LOG.debug('Response Status Code: ' + httpResponse.code())
def httpResponse = Http.get().url(url).build().send(httpClient) LOG.debug('Response: ' + httpResponse.bodyAsString())
LOG.debug('Response Message: ' + httpResponse.reasonPhrase())
LOG.debug('Response Status Code: ' + httpResponse.code()) if (httpResponse.code() == 200) {
LOG.debug('Response: ' + httpResponse.bodyAsString()) def json = jsonSlurper.parseText(httpResponse.bodyAsString())
if (httpResponse.code() == 200) { response.setSessionAttribute('agov.fido2.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
def json = jsonSlurper.parseText(httpResponse.bodyAsString()) response.setSessionAttribute('agov.fido2.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
response.setSessionAttribute('agov.fido2.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
// TODO/haburger/2024-AUG-20: remove if reCaptcha is not needed anymore
// response.setSessionAttribute('agov.fido2.json.captchaSettings.enabled', String.valueOf(json.captchaSettings.enabled)) response.setResult('ok')
// response.setSessionAttribute('agov.fido2.json.captchaSettings.reCaptchaInvisibleSiteKey', json.captchaSettings.reCaptchaInvisibleSiteKey) } else {
// response.setSessionAttribute('agov.fido2.json.captchaSettings.reCaptchaVisibleSiteKey', json.captchaSettings.reCaptchaVisibleSiteKey) LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
// response.setResult('error')
// if (session.get('agov.fido2.X-ReCAPTCHA-Integration') == null) { response.setError(1, 'Unexpected HTTP reponse')
// response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'INVISIBLE') }
// } else { } catch (all) {
// response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'VISIBLE') // Handle exception and set the transition
// } LOG.error('error: ' + all, all)
response.setResult('error')
response.setSessionAttribute('agov.fido2.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled)) response.setError(1, 'Exception during HTTP call')
response.setSessionAttribute('agov.fido2.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
response.setSessionAttribute('agov.fido2.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
response.setResult('ok')
} else {
LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
response.setResult('error')
response.setError(1, 'Unexpected HTTP reponse')
}
} catch (all) {
// Handle exception and set the transition
LOG.error('error: ' + all, all)
response.setResult('error')
response.setError(1, 'Exception during HTTP call')
} }

1
patterns/fido2_fetchCaptchaInfos_f39352769cb2a1c88e1a176d.yml
View File

@ -7,6 +7,7 @@ pattern:
scriptFile: "res://f39352769cb2a1c88e1a176d#scriptFile" scriptFile: "res://f39352769cb2a1c88e1a176d#scriptFile"
parameters: parameters:
- url: "${var.captcha-service.configinfo.url}" - url: "${var.captcha-service.configinfo.url}"
- realIpHttpHeaderName: "${var.captcha-service.configinfo.realIpHttpHeaderName}"
onSuccess: onSuccess:
- "pattern://e3cac41e75980361d7d26bde" - "pattern://e3cac41e75980361d7d26bde"
onFailure: onFailure:

1
patterns/nevisAuth_Database_b7b59e97b3fd18bb60178573.yml
View File

@ -14,3 +14,4 @@ pattern:
user: "var://auth-session-store-database-user" user: "var://auth-session-store-database-user"
password: "var://auth-session-store-database-password" password: "var://auth-session-store-database-password"
databaseManagement: "var://auth-session-store-database-management" databaseManagement: "var://auth-session-store-database-management"
parameters: "serverTimezone=UTC"

2
patterns/nevisIDM_b8a36646f81c3247cdb5d90b.yml
View File

@ -10,7 +10,7 @@ pattern:
frontendTrustStore: frontendTrustStore:
- "pattern://c0722fc79e7314c9cdcd20ff" - "pattern://c0722fc79e7314c9cdcd20ff"
authSignerTrustStore: authSignerTrustStore:
- "pattern://55bf63a1b1716e9631f7080d" - "pattern://2d8151249e6734ccc072422b"
database: database:
- "pattern://2951ead44a7a9362a4545094" - "pattern://2951ead44a7a9362a4545094"
logging: logging:

34
variables.yml
View File

@ -450,6 +450,12 @@ variables:
value: "cors.allowed.fqdns: '{\"trustbroker.agov-d.azure.adnovum.net\", \"auth.agov-d.azure.adnovum.net\"\ value: "cors.allowed.fqdns: '{\"trustbroker.agov-d.azure.adnovum.net\", \"auth.agov-d.azure.adnovum.net\"\
}'" }'"
requireOverloading: true requireOverloading: true
idp-idm-sectoken-signer-trust-additional-trusted-certificates:
className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
parameters:
minRequired: 0
value: null
requireOverloading: true
idp-sp-connector-properties: idp-sp-connector-properties:
className: "ch.nevis.admin.v4.plugin.base.generation.property.AuthStateProperty" className: "ch.nevis.admin.v4.plugin.base.generation.property.AuthStateProperty"
parameters: parameters:
@ -571,7 +577,8 @@ variables:
separators: separators:
- "=" - "="
switchedSeparators: [] switchedSeparators: []
value: null value:
- OpTrace: "DEBUG"
requireOverloading: true requireOverloading: true
log_idm-default-log-level: log_idm-default-log-level:
className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty" className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
@ -883,6 +890,31 @@ variables:
secret: true secret: true
value: "sample password" value: "sample password"
requireOverloading: true requireOverloading: true
security-response-headers-response-headers:
className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
parameters:
minRequired: 1
separators:
- ":"
switchedSeparators: []
value:
- Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
- X-Content-Type-Options: "nosniff"
- Referrer-Policy: "strict-origin-when-cross-origin"
- X-Frame-Options: "DENY"
- Cross-Origin-Opener-Policy: "same-origin"
- Cross-Origin-Embedder-Policy: "require-corp"
- Cross-Origin-Resource-Policy: "same-site"
- Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
- Content-Security-Policy-Report-Only: "default-src 'none'; script-src 'self'\
\ 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw=' 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw='\
\ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; connect-src 'self';\
\ img-src 'self'; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='\
\ 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='\
\ 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=';\
\ form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls;\
\ font-src 'self'; "
requireOverloading: true
service_provider_state-registration-template-parameters: service_provider_state-registration-template-parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty" className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
parameters: parameters: