8 files updated

This commit is contained in:
haburger 2025-07-09 15:48:01 +00:00
parent 991bfbd7c3
commit 1e3b12f009
11 changed files with 295 additions and 296 deletions

View File

@ -84,6 +84,9 @@ def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelN
case 'Counter':
result = result.concat((highestRoleLevelNumber == 400) ? '400' : '300')
break
case 'Eid':
result = result.concat('400')
break
default:
LOG.warn("unexpected idVerification for recovery on account: ${idVerification}")
// safest default, should work in any case
@ -111,56 +114,47 @@ def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?:
try {
// beef
def session = request.getAuthSession(true)
def s = request.getAuthSession(true)
def highestRoleLevelNumber = 0
def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
def adressVerificationList = getUserAGOVLoiIdVerification('200')
def adressVerification = 'None'
if (adressVerificationList && !adressVerificationList.isEmpty()) {
adressVerification = adressVerificationList[0]
if (!session.get('agov.requestedRoleLevel')) {
LOG.error("IDP: internal error: agov.requestedRoleLevel not set in session")
response.setResult('error');
return
}
def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
def authenticationMethod = session.get('authenticatedWith')
LOG.debug('CheckLoa: Requested role level '+ requestedRoleLevelNumber)
LOG.debug('CheckLoa: idVerification: ' + getUserAGOVLoiIdVerification())
LOG.debug('CheckLoa: adressVerification : ' + adressVerification)
def idVerificationMethodList = getUserAGOVLoiIdVerification()
session.setAttribute('idVerification', idVerificationMethodList.isEmpty() ? 'None' : idVerificationMethodList.last())
session.setAttribute('agov.adressVerification', '' + adressVerification)
if (requestedRoleLevelNumber == 0) {
// AuthnFailed_Zero_RoleLvl
if (!authenticationMethod) {
LOG.error("IDP: internal error: authenticationMethod not set in session")
response.setResult('error');
return
}
if (session.get('ch.adnovum.nevisidm.profileExtId') == '') {
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
// if the account has no profile, we must not return address or svnr
session.setAttribute('agov.appAddressRequired', 'false')
session.setAttribute('agov.appSvnrAllowed', 'false')
response.setResult('ok')
return
}
// data transformations needed for SAML and OIDC
// Transform sex to number
if(session.get('ch.nevis.idm.User.gender') == 'MALE'){
session.setAttribute('ch.nevis.idm.User.gender', '1')
s.setAttribute('ch.nevis.idm.User.gender', '1')
}
if(session.get('ch.nevis.idm.User.gender') == 'FEMALE'){
session.setAttribute('ch.nevis.idm.User.gender', '2')
s.setAttribute('ch.nevis.idm.User.gender', '2')
}
if(session.get('ch.nevis.idm.User.gender') == 'OTHER'){
if(s.get('ch.nevis.idm.User.gender') == 'OTHER'){
session.setAttribute('ch.nevis.idm.User.gender', '3')
}
// handle accounts qa attributes, and set them in session
// account itself, only needed if not authenticated with e-ID
if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
def idVerificationList = getUserAGOVLoiIdVerification()
def idVerification = 'None'
if (idVerificationList && !idVerificationList.isEmpty()) {
idVerification = idVerificationList.last()
}
s.setAttribute('idVerification', idVerification)
// contextClassRefToSet based on highest level-role assigned to default profile
for (String role : getUserAGOVLoiRoles()) {
if (role.startsWith('level')) {
def roleLevel = role.substring(5)
@ -176,61 +170,9 @@ try {
LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
//set attribute Actual Role Level
session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
if (highestRoleLevelNumber > 0) {
// set attribute contextClassRefToSet
session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
} else {
// by default 100
session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' )
}
// no login for users with a recovery role
def recoveryRoleList = getUserAGOVRecoveryRoles()
if (recoveryRoleList.contains('mustRecover')) {
session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
// align currentAgovAq with the method selected for idVerification
def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
def validFrom = getUserMustRecoverValidFrom() ?: ''
session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
response.setResult('exit.2')
return
} else if (recoveryRoleList.contains('recovery')) {
if (recoveryRoleList.contains('recoveryCascade')) {
session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
} else {
session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
}
session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
response.setResult('exit.2')
return
}
if (highestRoleLevelNumber>=requestedRoleLevelNumber) {
// set attribute ValidFrom and ValidTo (only for higher than 100)
if (highestRoleLevelNumber > 100) {
def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString()))
@ -240,12 +182,91 @@ try {
LOG.debug('CheckLoa: ValidTo :' + validTo)
if(validFrom != '') {
session.setAttribute('ValidFrom', '' + validFrom)
s.setAttribute('ValidFrom', '' + validFrom)
}
if(validTo != '') {
session.setAttribute('ValidTo', '' + validTo)
s.setAttribute('ValidTo', '' + validTo)
}
}
if (highestRoleLevelNumber > 0) {
// set attribute contextClassRefToSet
s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
} else {
// by default 100
s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' )
}
}
// address related, needed in any case (also e-ID)
def adressVerificationList = getUserAGOVLoiIdVerification('200')
def adressVerification = 'None'
if (adressVerificationList && !adressVerificationList.isEmpty()) {
adressVerification = adressVerificationList[0]
}
s.setAttribute('agov.adressVerification', '' + adressVerification)
if (!session.get('ch.adnovum.nevisidm.profileExtId')) {
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
// if the account has no profile, we must not return address or svnr
s.setAttribute('agov.appAddressRequired', 'false')
s.setAttribute('agov.appSvnrAllowed', 'false')
response.setResult('ok')
return
}
// no login for users with a recovery role (but onyl when not logging in with e-Id)
// TODO/haburger/2025-07-01: automatic recovery if logging in with e-Id
if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
// no login for users with a recovery role
def recoveryRoleList = getUserAGOVRecoveryRoles()
if (recoveryRoleList.contains('mustRecover')) {
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
s.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
// align currentAgovAq with the method selected for idVerification
def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
s.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
def validFrom = getUserMustRecoverValidFrom() ?: ''
s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
response.setResult('exit.2')
return
} else if (recoveryRoleList.contains('recovery')) {
if (recoveryRoleList.contains('recoveryCascade')) {
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
} else {
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
}
s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
s.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
s.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
response.setResult('exit.2')
return
}
} else {
// authenticated with e-ID, we adjust highestRoleLevelNumber to e-ID login
highestRoleLevelNumber = 500
s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
}
// verifiy that AQ level is high enough
if (highestRoleLevelNumber>=requestedRoleLevelNumber) {
response.setResult('ok')
return;
} else {

View File

@ -27,6 +27,7 @@ def compareAndUpdateSessionVariables(sess, keys, isProperty){
return updatedKeys
}
// TODO/haburger/2025-07-01: we should also set the verificationMethod, etc. of the level400 role
String user_update_dto_template = '''
{
"name": {

View File

@ -33,31 +33,6 @@ def clearEidSession(){
s.removeAttribute('agov.eid.User.origin')
}
def updateLoginHistory(idmRestClient, userExtId, credentialExtId) {
try {
def baseUrl = parameters.get("baseUrl")
def clientExtId = parameters.get("clientExtId")
def endpoint = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId/login-info"
def dto = "{\"success\": true,\"credentialExtId\": \"${credentialExtId}\"}"
def postRequest = new HTTPRequestWrapper()
postRequest.addToHeaders('Content-Type', ['application/json'])
postRequest.setPayLoad(dto.getBytes('UTF-8'))
postRequest.setPayLoad(dto.getBytes('UTF-8'))
def result = idmRestClient.postWithResponse(endpoint, postRequest)
if (result.getStatusCode() != 200) {
// best effort, we log only
// TODO/haburger/2025-06-24: context parameters are missing here (also in getAccounts)
LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${userExtId}, CredentialType='E-ID Link', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to update login history for credential ${credentialExtId} (http status: ${result.getStatusCode()})'")
}
} catch (Exception e) {
// best effort, we log only
// TODO/haburger/2025-06-24: context parameters are missing here (also in getAccounts)
LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${userExtId}, CredentialType='E-ID Link', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to update login history for credential ${credentialExtId} (${e})'")
}
}
def getAccounts(json, String svnr) {
def idm_users_dto = json["Resources"]
def accounts = [:]
@ -126,9 +101,6 @@ if(inargs['submit'] && inargs['login'] && inargs['login'] != ''){
sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
// update login history
updateLoginHistory(idmRestClient, account["extId"], account["credentialExtId"])
if(account["firstLogin"]){
response.setResult('firstLogin')
return
@ -206,9 +178,6 @@ try {
sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
// update login history
updateLoginHistory(idmRestClient, account["extId"], account["credentialExtId"])
if(account["firstLogin"]){
response.setResult('firstLogin')
return

View File

@ -5,6 +5,7 @@ pattern:
name: "Ask_Mobile_Number"
properties:
authStatesFile: "res://6d83506dfcc430c12d81dfa3#authStatesFile"
parameters: "var://ask_mobile_number-template-parameters"
onSuccess:
- "pattern://2cdd910036aa06b102863a4f"
onFailure:

View File

@ -8,7 +8,7 @@ pattern:
properties:
authStatesFile: "res://306ce091fd87bad6174d9e8b#authStatesFile"
onSuccess:
- "pattern://b87d0d2b640e8e545ad70234"
- "pattern://2cdd910036aa06b102863a4f"
onFailure:
- "pattern://4c65de021d362462324a3a5f"
nextSteps:

View File

@ -7,6 +7,13 @@ variables:
maxAllowed: 1
value: ".agov-d.azure.adnovum.net"
requireOverloading: true
ask_mobile_number-template-parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
parameters:
required: false
syntax: "YAML"
value: null
requireOverloading: true
auth-session-store-database-host:
className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
parameters: