BUNDBITBK-4339

This commit is contained in:
haburger 2025-02-07 09:44:47 +00:00
parent 90b50d4367
commit 26bb8332f0
5 changed files with 38 additions and 7 deletions


@ -9,7 +9,7 @@ if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
def sessionKeySet = new HashSet(session.keySet()) def sessionKeySet = new HashSet(session.keySet())
sessionKeySet.each { key -> sessionKeySet.each { key ->
if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) { if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
LOG.info("Deleted session attribute '${key}'") LOG.debug("Deleted session attribute '${key}'")
s.removeAttribute(key) s.removeAttribute(key)
} }
} }
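Review bot: Lowering the per-key message from `LOG.info` to `LOG.debug` removes the only trace in normal logs that SAML participant attributes were cleared from the session before a recovery re-entry; if operators rely on it, a single info-level summary after the loop (how many attributes were removed, not each key) keeps the signal without the noise. The same key-pattern loop now appears verbatim in the new prepareRedirect script added later in this commit; keeping the `Recovery_redirectAgovMe-session-participants` pattern in one place avoids one copy silently missing attributes when the state is renamed. The enclosing `if (inargs['recovery'] ...)` block begins before the hunk and closes after it.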


@ -185,7 +185,7 @@
<property name="detaillevel.credential" value="HIGH"/> <property name="detaillevel.credential" value="HIGH"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_verifyUser" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true"> <AuthState name="${state.entry}_verifyUser" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<ResultCond name="ok" next="${state.exit.1}"/> <ResultCond name="ok" next="${state.entry}_prepareRedirect"/>
<ResultCond name="needCode" next="${state.entry}_IdmUserIdPasswordLogin"/> <ResultCond name="needCode" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="error" next="${state.failed}"/> <ResultCond name="error" next="${state.failed}"/>
<ResultCond name="alreadyInRecovery" next="${state.exit.3}"/> <ResultCond name="alreadyInRecovery" next="${state.exit.3}"/>
@ -230,14 +230,14 @@
<property name="client.name" value="agov"/> <property name="client.name" value="agov"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false"> <AuthState name="${state.entry}_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<ResultCond name="default" next="${state.exit.1}"/> <ResultCond name="default" next="${state.entry}_prepareRedirect"/>
<Response value="AUTH_CONTINUE"/> <Response value="AUTH_CONTINUE"/>
<property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/> <property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/>
<property name="sess:agov.recovery.codeStatus" value="verified"/> <property name="sess:agov.recovery.codeStatus" value="verified"/>
<property name="sess:agov.recovery.codeDetailStatus" value="n/a"/> <property name="sess:agov.recovery.codeDetailStatus" value="n/a"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_codeSkipped" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false"> <AuthState name="${state.entry}_codeSkipped" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<ResultCond name="default" next="${state.exit.1}"/> <ResultCond name="default" next="${state.entry}_prepareRedirect"/>
<Response value="AUTH_CONTINUE"/> <Response value="AUTH_CONTINUE"/>
<property name="sess:agov.recovery.codeStatus" value="skipped"/> <property name="sess:agov.recovery.codeStatus" value="skipped"/>
<property name="${sess:agov.recovery.codeDetailStatus}==n/a?sess:agov.recovery.codeDetailStatus" value="directly skipped by user"/> <property name="${sess:agov.recovery.codeDetailStatus}==n/a?sess:agov.recovery.codeDetailStatus" value="directly skipped by user"/>
@ -247,3 +247,11 @@
<Response value="AUTH_CONTINUE"/> <Response value="AUTH_CONTINUE"/>
<property name="sess:agov.recovery.codeDetailStatus" value="${notes:lasterrorinfo} (${notes:lasterror})"/> <property name="sess:agov.recovery.codeDetailStatus" value="${notes:lasterrorinfo} (${notes:lasterror})"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_prepareRedirect" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
<!-- acts as resumeState, if the user comes back from agov.me -->
<ResultCond name="back" next="${state.entry}_IdmGetPropertiesStateTicket"/>
<ResultCond name="redirect" next="${state.exit.1}"/>
<Response value="AUTH_CONTINUE"/>
<property name="scriptTraceGroup" value="Recovery"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy"/>
</AuthState>
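Review bot: The new `${state.entry}_prepareRedirect` state declares only `back` and `redirect` outcomes; unlike `${state.entry}_verifyUser` above, which routes `error` to `${state.failed}`, it has no failure branch if the script throws or sets neither result, and what ScriptState does in that case is not visible here. Consider adding `<ResultCond name="error" next="${state.failed}"/>` and having the script set `error` on exception, so a failed session cleanup cannot fall through in an unspecified way. The `back` target `${state.entry}_IdmGetPropertiesStateTicket` lies outside this hunk, so whether the recovery session is re-validated after the round trip to agov.me cannot be checked from this diff.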


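--- /dev/null
+++ b/NEW-FILE-PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,22 @@
+if (session['agov.recovery.redirectDone']) {
+// user navigated back from AGOV.me, go again for the code
+// clean up SAML state first,
+// IdentityProviderState sets session attributes as follows
+// <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
+// State name contains the name of the pattern 'Recovery_redirectAgovMe'
+def s = request.getAuthSession(true)
+def sessionKeySet = new HashSet(session.keySet())
+sessionKeySet.each { key ->
+if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
+LOG.debug("Deleted session attribute '${key}'")
+s.removeAttribute(key)
+}
+}
+s.removeAttribute('agov.recovery.redirectDone')
+response.setResult('back')
+} else {
+// redirect
+response.setSessionAttribute('agov.recovery.redirectDone', 'true')
+response.setResult('redirect')
+}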
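Review bot: `agov.recovery.redirectDone` is written at `response.setSessionAttribute(...)` before the redirect and only cleared on the `back` branch, so if the user never returns from agov.me and later re-enters the recovery flow in the same authentication session, the first pass through this state takes the `back` branch and the redirect is skipped; consider clearing the flag where the recovery flow starts, or tying it to the current attempt, rather than relying on the resume path to remove it. The Groovy truthiness test accepts any non-empty string; `if (session['agov.recovery.redirectDone'] == 'true')` pins it to the value actually written. The session-cleanup loop repeats the one in the recovery entry script changed earlier in this commit, so the `Recovery_redirectAgovMe-session-participants` pattern should live in one place to keep the two from drifting apart.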


@ -16,7 +16,7 @@ def maxLoiRoleToCtxClssConvertorMap = [
] ]
// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types // https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE'] def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
def getUserIdVerificationForRecovery(currentLoaRole) { def getUserIdVerificationForRecovery(currentLoaRole) {
// application is AGOV-AccountStatus // application is AGOV-AccountStatus
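Review bot: Dropping `LOCKED_TEMPORARY` from `blockingCredentialStates` means a credential that is temporarily locked no longer counts as blocking for whatever recovery check consults this list; the body of `getUserIdVerificationForRecovery` continues outside the hunk, so how much the list gates cannot be confirmed here. If a temporary lock is deliberately not meant to stop a user from recovering, record that next to the list, e.g. `// LOCKED_TEMPORARY intentionally not blocking: a temporary lock must not prevent recovery (BUNDBITBK-4339)`. Without that note the change reads as a quiet weakening of a check, since a temporary lock usually results from failed attempts against the same credential.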


@ -82,6 +82,7 @@ if (inargs['fidoUafDone'] == 'true' ||
if (inargs['fallback'] == 'fallback') { if (inargs['fallback'] == 'fallback') {
response.setResult('fido2') response.setResult('fido2')
} }
// dispatch to recovery // dispatch to recovery
if (inargs['fallback'] == 'recovery') { if (inargs['fallback'] == 'recovery') {
response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl')) response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))