8 files updated
This commit is contained in:
parent
991bfbd7c3
commit
1e3b12f009
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -84,6 +84,9 @@ def getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelN
|
|||
case 'Counter':
|
||||
result = result.concat((highestRoleLevelNumber == 400) ? '400' : '300')
|
||||
break
|
||||
case 'Eid':
|
||||
result = result.concat('400')
|
||||
break
|
||||
default:
|
||||
LOG.warn("unexpected idVerification for recovery on account: ${idVerification}")
|
||||
// safest default, should work in any case
|
||||
|
@ -111,57 +114,48 @@ def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?:
|
|||
|
||||
try {
|
||||
// beef
|
||||
def session = request.getAuthSession(true)
|
||||
def s = request.getAuthSession(true)
|
||||
def highestRoleLevelNumber = 0
|
||||
def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
|
||||
def adressVerificationList = getUserAGOVLoiIdVerification('200')
|
||||
def adressVerification = 'None'
|
||||
if (adressVerificationList && !adressVerificationList.isEmpty()) {
|
||||
adressVerification = adressVerificationList[0]
|
||||
|
||||
if (!session.get('agov.requestedRoleLevel')) {
|
||||
LOG.error("IDP: internal error: agov.requestedRoleLevel not set in session")
|
||||
response.setResult('error');
|
||||
return
|
||||
}
|
||||
def requestedRoleLevelNumber = session.get('agov.requestedRoleLevel').toInteger()
|
||||
|
||||
def authenticationMethod = session.get('authenticatedWith')
|
||||
|
||||
LOG.debug('CheckLoa: Requested role level '+ requestedRoleLevelNumber)
|
||||
LOG.debug('CheckLoa: idVerification: ' + getUserAGOVLoiIdVerification())
|
||||
LOG.debug('CheckLoa: adressVerification : ' + adressVerification)
|
||||
|
||||
def idVerificationMethodList = getUserAGOVLoiIdVerification()
|
||||
|
||||
session.setAttribute('idVerification', idVerificationMethodList.isEmpty() ? 'None' : idVerificationMethodList.last())
|
||||
session.setAttribute('agov.adressVerification', '' + adressVerification)
|
||||
|
||||
|
||||
if (requestedRoleLevelNumber == 0) {
|
||||
// AuthnFailed_Zero_RoleLvl
|
||||
if (!authenticationMethod) {
|
||||
LOG.error("IDP: internal error: authenticationMethod not set in session")
|
||||
response.setResult('error');
|
||||
return
|
||||
}
|
||||
|
||||
if (session.get('ch.adnovum.nevisidm.profileExtId') == '') {
|
||||
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
|
||||
|
||||
session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
|
||||
|
||||
// if the account has no profile, we must not return address or svnr
|
||||
session.setAttribute('agov.appAddressRequired', 'false')
|
||||
session.setAttribute('agov.appSvnrAllowed', 'false')
|
||||
|
||||
response.setResult('ok')
|
||||
return
|
||||
}
|
||||
|
||||
// data transformations needed for SAML and OIDC
|
||||
// Transform sex to number
|
||||
if(session.get('ch.nevis.idm.User.gender') == 'MALE'){
|
||||
session.setAttribute('ch.nevis.idm.User.gender', '1')
|
||||
s.setAttribute('ch.nevis.idm.User.gender', '1')
|
||||
}
|
||||
if(session.get('ch.nevis.idm.User.gender') == 'FEMALE'){
|
||||
session.setAttribute('ch.nevis.idm.User.gender', '2')
|
||||
s.setAttribute('ch.nevis.idm.User.gender', '2')
|
||||
}
|
||||
if(session.get('ch.nevis.idm.User.gender') == 'OTHER'){
|
||||
session.setAttribute('ch.nevis.idm.User.gender', '3')
|
||||
if(s.get('ch.nevis.idm.User.gender') == 'OTHER'){
|
||||
session.setAttribute('ch.nevis.idm.User.gender', '3')
|
||||
}
|
||||
|
||||
for (String role : getUserAGOVLoiRoles()) {
|
||||
|
||||
// handle accounts qa attributes, and set them in session
|
||||
// account itself, only needed if not authenticated with e-ID
|
||||
if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
|
||||
def idVerificationList = getUserAGOVLoiIdVerification()
|
||||
def idVerification = 'None'
|
||||
if (idVerificationList && !idVerificationList.isEmpty()) {
|
||||
idVerification = idVerificationList.last()
|
||||
}
|
||||
s.setAttribute('idVerification', idVerification)
|
||||
|
||||
// contextClassRefToSet based on highest level-role assigned to default profile
|
||||
for (String role : getUserAGOVLoiRoles()) {
|
||||
if (role.startsWith('level')) {
|
||||
def roleLevel = role.substring(5)
|
||||
int roleLevelNumber = Integer.parseInt(roleLevel)
|
||||
|
@ -170,66 +164,14 @@ try {
|
|||
highestRoleLevelNumber=roleLevelNumber
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString())
|
||||
LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
|
||||
|
||||
//set attribute Actual Role Level
|
||||
session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
|
||||
LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
|
||||
|
||||
if (highestRoleLevelNumber > 0) {
|
||||
// set attribute contextClassRefToSet
|
||||
session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
|
||||
} else {
|
||||
// by default 100
|
||||
session.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' )
|
||||
}
|
||||
|
||||
// no login for users with a recovery role
|
||||
def recoveryRoleList = getUserAGOVRecoveryRoles()
|
||||
|
||||
if (recoveryRoleList.contains('mustRecover')) {
|
||||
session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
|
||||
session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
|
||||
|
||||
def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
|
||||
def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
|
||||
session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
|
||||
|
||||
// align currentAgovAq with the method selected for idVerification
|
||||
def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
|
||||
session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
|
||||
|
||||
def validFrom = getUserMustRecoverValidFrom() ?: ''
|
||||
session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
|
||||
|
||||
LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
|
||||
|
||||
response.setResult('exit.2')
|
||||
return
|
||||
|
||||
} else if (recoveryRoleList.contains('recovery')) {
|
||||
if (recoveryRoleList.contains('recoveryCascade')) {
|
||||
session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
|
||||
} else {
|
||||
session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
|
||||
}
|
||||
session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
|
||||
session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
|
||||
LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
|
||||
def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
|
||||
session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
|
||||
def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
|
||||
session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
|
||||
|
||||
response.setResult('exit.2')
|
||||
return
|
||||
}
|
||||
LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString())
|
||||
LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))
|
||||
|
||||
|
||||
if (highestRoleLevelNumber>=requestedRoleLevelNumber) {
|
||||
//set attribute Actual Role Level
|
||||
s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
|
||||
LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
|
||||
|
||||
// set attribute ValidFrom and ValidTo (only for higher than 100)
|
||||
if (highestRoleLevelNumber > 100) {
|
||||
|
@ -240,12 +182,91 @@ try {
|
|||
LOG.debug('CheckLoa: ValidTo :' + validTo)
|
||||
|
||||
if(validFrom != '') {
|
||||
session.setAttribute('ValidFrom', '' + validFrom)
|
||||
s.setAttribute('ValidFrom', '' + validFrom)
|
||||
}
|
||||
if(validTo != '') {
|
||||
session.setAttribute('ValidTo', '' + validTo)
|
||||
s.setAttribute('ValidTo', '' + validTo)
|
||||
}
|
||||
}
|
||||
if (highestRoleLevelNumber > 0) {
|
||||
// set attribute contextClassRefToSet
|
||||
s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:' .concat(highestRoleLevelNumber.toString()))
|
||||
} else {
|
||||
// by default 100
|
||||
s.setAttribute('contextClassRefToSet','urn:qa.agov.ch:names:tc:ac:classes:100' )
|
||||
}
|
||||
}
|
||||
// address related, needed in any case (also e-ID)
|
||||
def adressVerificationList = getUserAGOVLoiIdVerification('200')
|
||||
def adressVerification = 'None'
|
||||
if (adressVerificationList && !adressVerificationList.isEmpty()) {
|
||||
adressVerification = adressVerificationList[0]
|
||||
}
|
||||
s.setAttribute('agov.adressVerification', '' + adressVerification)
|
||||
|
||||
if (!session.get('ch.adnovum.nevisidm.profileExtId')) {
|
||||
LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
|
||||
|
||||
// if the account has no profile, we must not return address or svnr
|
||||
s.setAttribute('agov.appAddressRequired', 'false')
|
||||
s.setAttribute('agov.appSvnrAllowed', 'false')
|
||||
|
||||
response.setResult('ok')
|
||||
return
|
||||
}
|
||||
|
||||
// no login for users with a recovery role (but onyl when not logging in with e-Id)
|
||||
// TODO/haburger/2025-07-01: automatic recovery if logging in with e-Id
|
||||
if (!'urn:qa.agov.ch:names:tc:authfactor:eid'.equalsIgnoreCase(authenticationMethod)) {
|
||||
// no login for users with a recovery role
|
||||
def recoveryRoleList = getUserAGOVRecoveryRoles()
|
||||
|
||||
if (recoveryRoleList.contains('mustRecover')) {
|
||||
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
|
||||
s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
|
||||
|
||||
def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
|
||||
def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
|
||||
s.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
|
||||
|
||||
// align currentAgovAq with the method selected for idVerification
|
||||
def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
|
||||
s.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
|
||||
|
||||
def validFrom = getUserMustRecoverValidFrom() ?: ''
|
||||
s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
|
||||
|
||||
LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
|
||||
|
||||
response.setResult('exit.2')
|
||||
return
|
||||
|
||||
} else if (recoveryRoleList.contains('recovery')) {
|
||||
if (recoveryRoleList.contains('recoveryCascade')) {
|
||||
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
|
||||
} else {
|
||||
s.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
|
||||
}
|
||||
s.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
|
||||
s.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
|
||||
LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
|
||||
def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
|
||||
s.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
|
||||
def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
|
||||
s.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
|
||||
|
||||
response.setResult('exit.2')
|
||||
return
|
||||
}
|
||||
} else {
|
||||
// authenticated with e-ID, we adjust highestRoleLevelNumber to e-ID login
|
||||
highestRoleLevelNumber = 500
|
||||
s.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
|
||||
LOG.debug('CheckLoa: actual role level (agov) '+ highestRoleLevelNumber)
|
||||
}
|
||||
|
||||
// verifiy that AQ level is high enough
|
||||
if (highestRoleLevelNumber>=requestedRoleLevelNumber) {
|
||||
response.setResult('ok')
|
||||
return;
|
||||
} else {
|
|
@ -27,6 +27,7 @@ def compareAndUpdateSessionVariables(sess, keys, isProperty){
|
|||
return updatedKeys
|
||||
}
|
||||
|
||||
// TODO/haburger/2025-07-01: we should also set the verificationMethod, etc. of the level400 role
|
||||
String user_update_dto_template = '''
|
||||
{
|
||||
"name": {
|
||||
|
|
|
@ -33,31 +33,6 @@ def clearEidSession(){
|
|||
s.removeAttribute('agov.eid.User.origin')
|
||||
}
|
||||
|
||||
def updateLoginHistory(idmRestClient, userExtId, credentialExtId) {
|
||||
try {
|
||||
def baseUrl = parameters.get("baseUrl")
|
||||
def clientExtId = parameters.get("clientExtId")
|
||||
def endpoint = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId/login-info"
|
||||
def dto = "{\"success\": true,\"credentialExtId\": \"${credentialExtId}\"}"
|
||||
|
||||
def postRequest = new HTTPRequestWrapper()
|
||||
postRequest.addToHeaders('Content-Type', ['application/json'])
|
||||
postRequest.setPayLoad(dto.getBytes('UTF-8'))
|
||||
postRequest.setPayLoad(dto.getBytes('UTF-8'))
|
||||
|
||||
def result = idmRestClient.postWithResponse(endpoint, postRequest)
|
||||
if (result.getStatusCode() != 200) {
|
||||
// best effort, we log only
|
||||
// TODO/haburger/2025-06-24: context parameters are missing here (also in getAccounts)
|
||||
LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${userExtId}, CredentialType='E-ID Link', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to update login history for credential ${credentialExtId} (http status: ${result.getStatusCode()})'")
|
||||
}
|
||||
} catch (Exception e) {
|
||||
// best effort, we log only
|
||||
// TODO/haburger/2025-06-24: context parameters are missing here (also in getAccounts)
|
||||
LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${userExtId}, CredentialType='E-ID Link', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to update login history for credential ${credentialExtId} (${e})'")
|
||||
}
|
||||
}
|
||||
|
||||
def getAccounts(json, String svnr) {
|
||||
def idm_users_dto = json["Resources"]
|
||||
def accounts = [:]
|
||||
|
@ -126,9 +101,6 @@ if(inargs['submit'] && inargs['login'] && inargs['login'] != ''){
|
|||
sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
|
||||
sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
|
||||
|
||||
// update login history
|
||||
updateLoginHistory(idmRestClient, account["extId"], account["credentialExtId"])
|
||||
|
||||
if(account["firstLogin"]){
|
||||
response.setResult('firstLogin')
|
||||
return
|
||||
|
@ -206,9 +178,6 @@ try {
|
|||
sess.setAttribute('agov.eid.linkingCredentialExtId', account["credentialExtId"])
|
||||
sess.setAttribute('agov.eid.linkedAccountExtId', account["extId"])
|
||||
|
||||
// update login history
|
||||
updateLoginHistory(idmRestClient, account["extId"], account["credentialExtId"])
|
||||
|
||||
if(account["firstLogin"]){
|
||||
response.setResult('firstLogin')
|
||||
return
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -5,6 +5,7 @@ pattern:
|
|||
name: "Ask_Mobile_Number"
|
||||
properties:
|
||||
authStatesFile: "res://6d83506dfcc430c12d81dfa3#authStatesFile"
|
||||
parameters: "var://ask_mobile_number-template-parameters"
|
||||
onSuccess:
|
||||
- "pattern://2cdd910036aa06b102863a4f"
|
||||
onFailure:
|
||||
|
|
|
@ -8,7 +8,7 @@ pattern:
|
|||
properties:
|
||||
authStatesFile: "res://306ce091fd87bad6174d9e8b#authStatesFile"
|
||||
onSuccess:
|
||||
- "pattern://b87d0d2b640e8e545ad70234"
|
||||
- "pattern://2cdd910036aa06b102863a4f"
|
||||
onFailure:
|
||||
- "pattern://4c65de021d362462324a3a5f"
|
||||
nextSteps:
|
||||
|
|
|
@ -7,6 +7,13 @@ variables:
|
|||
maxAllowed: 1
|
||||
value: ".agov-d.azure.adnovum.net"
|
||||
requireOverloading: true
|
||||
ask_mobile_number-template-parameters:
|
||||
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
|
||||
parameters:
|
||||
required: false
|
||||
syntax: "YAML"
|
||||
value: null
|
||||
requireOverloading: true
|
||||
auth-session-store-database-host:
|
||||
className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
|
||||
parameters:
|
||||
|
|
Loading…
Reference in New Issue