diff --git a/bundles.yml b/bundles.yml
index 7783fa0..8b092fd 100644
--- a/bundles.yml
+++ b/bundles.yml
@@ -1,13 +1,13 @@
schemaVersion: "1.0"
bundles:
-- "nevisadmin-plugin-base-generation:8.2411.2.rc2"
-- "nevisadmin-plugin-nevisproxy:8.2411.2.rc2"
-- "nevisadmin-plugin-nevisauth:8.2411.2.rc2"
-- "nevisadmin-plugin-nevisidm:8.2411.2.rc2"
-- "nevisadmin-plugin-mobile-auth:8.2411.2.rc2"
-- "nevisadmin-plugin-fido2:8.2411.2.rc2"
-- "nevisadmin-plugin-nevisadapt:8.2411.2.rc2"
-- "nevisadmin-plugin-nevisdetect:8.2411.2.rc2"
-- "nevisadmin-plugin-oauth:8.2411.2.rc2"
-- "nevisadmin-plugin-authcloud:8.2411.2.rc2"
-- "nevisadmin-plugin-nevisdp:8.2411.2.rc2"
+- "nevisadmin-plugin-authcloud:8.2411.2.4"
+- "nevisadmin-plugin-base-generation:8.2411.2.4"
+- "nevisadmin-plugin-fido2:8.2411.2.4"
+- "nevisadmin-plugin-mobile-auth:8.2411.2.4"
+- "nevisadmin-plugin-nevisadapt:8.2411.2.4"
+- "nevisadmin-plugin-nevisauth:8.2411.2.4"
+- "nevisadmin-plugin-nevisdetect:8.2411.2.4"
+- "nevisadmin-plugin-nevisdp:8.2411.2.4"
+- "nevisadmin-plugin-nevisidm:8.2411.2.4"
+- "nevisadmin-plugin-nevisproxy:8.2411.2.4"
+- "nevisadmin-plugin-oauth:8.2411.2.4"
diff --git a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
index e15d0fc..ebbeb82 100644
Binary files a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip and b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip differ
diff --git a/patterns/204c22beaccdfd22727af378_labels/labels.zip b/patterns/204c22beaccdfd22727af378_labels/labels.zip
index e3328b9..d8768dc 100644
Binary files a/patterns/204c22beaccdfd22727af378_labels/labels.zip and b/patterns/204c22beaccdfd22727af378_labels/labels.zip differ
diff --git a/patterns/204c22beaccdfd22727af378_template/webdata.zip b/patterns/204c22beaccdfd22727af378_template/webdata.zip
index 9c3cd16..99fdfca 100644
Binary files a/patterns/204c22beaccdfd22727af378_template/webdata.zip and b/patterns/204c22beaccdfd22727af378_template/webdata.zip differ
diff --git a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
index e3328b9..d8768dc 100644
Binary files a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip and b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip differ
diff --git a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
index 9c3cd16..99fdfca 100644
Binary files a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip and b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip differ
diff --git a/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy b/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
index bc75ffc..0756d87 100644
--- a/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
+++ b/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
@@ -58,12 +58,6 @@ if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.sco
return
}
-// TODO/haburger/2024-03-21: move this later, now here for a simple start
-if (requestedRoleLevelNumber == 600 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork') {
- session.setAttribute('agov.appSvnrAllowed', 'true')
- response.setResult('exit.1');
- return
-}
try {
def spanCtxt = Span.current().getSpanContext()
@@ -79,6 +73,28 @@ try {
if (httpResponse.code() == 200) {
def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+
+ session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
+ session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
+ session.setAttribute('agov.appDisplayNameIT', '' + json.displayNameIt)
+ session.setAttribute('agov.appDisplayNameEN', '' + json.displayNameEn)
+
+ def eidEnabled = parameters.get('eidPassthroughEnabled') == "true" || parameters.get('eidFullEnabled') == "true"
+
+ // NOTE/aca/2024-04-07: Moved here to solve the issue of not getting display names
+ if (requestedRoleLevelNumber == 600 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork') {
+ if(eidEnabled){
+ session.setAttribute('agov.appSvnrAllowed', 'true')
+ response.setResult('exit.1')
+ return
+ }else{
+ response.setResult('error')
+ response.setError(9071, "LoA 600 not supported")
+ return
+ }
+
+ }
+
LOG.debug('AdressRequired: ' + json.addrRequired)
LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
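Review bot: The relocated LoA 600 / `OidcPlaygroundWork` branch still sets `agov.appSvnrAllowed` to `'true'` unconditionally, while the normal path at the end of this try block gates the same flag on `json.svnrAllowed` from the metadata service; now that `json` is already parsed at this point, either gate it the same way (`session.setAttribute('agov.appSvnrAllowed', '' + json.svnrAllowed)`) or add a comment stating why the eID flow is exempt from the relying party's SVNr entitlement. The literal requester name `'OidcPlaygroundWork'` now appears both here and in idp_status_check.groovy; a pattern parameter would keep the two in sync and make it harder for a test hook to linger in production configuration. Note that the eID-disabled error (9071) is only produced when the metadata call returned 200; for other response codes the branch outside this hunk decides. The enclosing `try` starts before the hunk.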
@@ -94,10 +110,6 @@ try {
// BUNDBITBK-4307: or best token for svnr is enabled
session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
- session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
- session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
- session.setAttribute('agov.appDisplayNameIT', '' + json.displayNameIt)
- session.setAttribute('agov.appDisplayNameEN', '' + json.displayNameEn)
response.setResult('ok')
return
} else {
diff --git a/patterns/7022472ae407577ae604bbb8_dependencies/java-uuid-generator-5.0.0.jar b/patterns/7022472ae407577ae604bbb8_dependencies/java-uuid-generator-5.0.0.jar
new file mode 100644
index 0000000..f281857
Binary files /dev/null and b/patterns/7022472ae407577ae604bbb8_dependencies/java-uuid-generator-5.0.0.jar differ
diff --git a/patterns/7022472ae407577ae604bbb8_resources/java-uuid-generator-5.0.0.jar b/patterns/7022472ae407577ae604bbb8_resources/java-uuid-generator-5.0.0.jar
new file mode 100644
index 0000000..f281857
Binary files /dev/null and b/patterns/7022472ae407577ae604bbb8_resources/java-uuid-generator-5.0.0.jar differ
diff --git a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
index a5898a8..f191f07 100644
--- a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
+++ b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
@@ -1,9 +1,12 @@
+
+
+
diff --git a/patterns/7a913eec7f78ce674cd87854_resources/idp_status_check.groovy b/patterns/7a913eec7f78ce674cd87854_resources/idp_status_check.groovy
index d538db9..2e18d45 100644
--- a/patterns/7a913eec7f78ce674cd87854_resources/idp_status_check.groovy
+++ b/patterns/7a913eec7f78ce674cd87854_resources/idp_status_check.groovy
@@ -77,7 +77,15 @@ if (inargs['SAMLRequest'] != null) {
// process it the same way, as if frontend triggered a reload
request.getInArgs().setProperty('onReload', 'now')
- response.setResult('continueAfterRepost')
+ def eidEnabled = parameters.get('eidPassthroughEnabled') == "true" || parameters.get('eidFullEnabled') == "true"
+ def requestedLoa = s.getAttribute("agov.requestedRoleLevel")
+ if( eidEnabled && ( requestedLoa == "600" || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork' ) ){
+ // EID request -> goto correct state
+ response.setResult('continueEidAfterRepost')
+ }else{
+ response.setResult('continueAfterRepost')
+ }
+
return
}
// else, the new replaces the on-going one
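Review bot: In the new routing condition `requestedLoa` is read via `s.getAttribute("agov.requestedRoleLevel")` while the requester id in the same expression comes from `session.get(...)`; `s` is defined outside this hunk, and if it is not the same auth-session object the two halves of the check read from different stores. The condition also duplicates the one in requestedRoleLevel.groovy, including the literal `'OidcPlaygroundWork'`, so the two will drift unless the decision is taken once (e.g. a single session flag set by RequestedRoleLevel that this state merely reads). The enclosing `if (inargs['SAMLRequest'] != null)` begins before the hunk.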
diff --git a/patterns/FIDO_UAF_Instance_ca92034f995b39fde562293c.yml b/patterns/FIDO_UAF_Instance_ca92034f995b39fde562293c.yml
index 6d2ff3c..ce266b8 100644
--- a/patterns/FIDO_UAF_Instance_ca92034f995b39fde562293c.yml
+++ b/patterns/FIDO_UAF_Instance_ca92034f995b39fde562293c.yml
@@ -22,6 +22,7 @@ pattern:
database:
- "pattern://9385d1b33aefe975fb1c5914"
facets: "var://fido_uaf_instance-facets"
+ basicFullAttestation: "strict"
firebaseServiceAccount: "var://fido_uaf_instance-firebase-configuration"
firebaseProxyAddress: "var://fido_uaf_instance-firebase-proxy-url"
link: "Custom URI"
diff --git a/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml b/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
index 1797a7a..9fe0ac7 100644
--- a/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
+++ b/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
@@ -10,4 +10,5 @@ pattern:
- "pattern://03326b180687860ffe06a58c"
nextSteps:
- "pattern://f63c475c35b616b7c6c1901c"
+ - "pattern://e335f57d4c64dfc97223697a"
resources: "res://7a913eec7f78ce674cd87854#resources"
diff --git a/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml b/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml
index 7476fe6..1c7e7cc 100644
--- a/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml
+++ b/patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml
@@ -10,6 +10,8 @@ pattern:
- url: "${var.connect.metadataservice.url}"
- bestTokenAddressWhitelist: "${var.bestToken.address.whitelist}"
- bestTokenSvnrWhitelist: "${var.bestToken.svnr.whitelist}"
+ - eidPassthroughEnabled: "${var.eid.passthrough.enabled}"
+ - eidFullEnabled: "${var.eid.full.enabled}"
onSuccess:
- "pattern://f63c475c35b616b7c6c1901c"
onFailure:
diff --git a/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy b/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy
index 956a024..ad2f7a0 100644
--- a/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy
+++ b/patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy
@@ -11,18 +11,25 @@ def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTi
LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
// BUNDBITBK-4824: Address was missing after bmid verification
-def session = request.getAuthSession(true)
-int loa = session.get('agov.actualRoleLevel') as int
-// Best Token Available only if account's AQlevel is high enough
-if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
- LOG.debug("Best Token: Address requested but account has to low AQ (${loa})")
- session.setAttribute('agov.appAddressRequired', 'false')
-}
-if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
- LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
- session.setAttribute('agov.appSvnrAllowed', 'false')
+
+def session = request.getAuthSession(true)
+def loa_str = session.get('agov.actualRoleLevel')
+
+if(loa_str){
+ int loa = loa_str as int
+
+ // Best Token Available only if account's AQlevel is high enough
+ if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
+ LOG.debug("Best Token: Address requested but account has to low AQ (${loa})")
+ session.setAttribute('agov.appAddressRequired', 'false')
+ }
+ if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
+ LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
+ session.setAttribute('agov.appSvnrAllowed', 'false')
+ }
}
+
// BUNDBITBK-4824 END
// delete the login cookie
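Review bot: The new `if(loa_str)` guard fails open: when `agov.actualRoleLevel` is missing from the session both downgrade checks are skipped, so `agov.appAddressRequired` and `agov.appSvnrAllowed` keep whatever value was set earlier and address or SVNr can be released in the assertion without the AQ-level check that previously applied. Treat a missing level as the lowest one instead, e.g. `int loa = loa_str ? (loa_str as int) : 0`, run both checks unconditionally, and log at warn when the attribute is absent since that indicates an unexpected flow. Whether any legitimate flow reaches this script without `agov.actualRoleLevel` is not visible here and should be confirmed before relying on the guard.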
diff --git a/patterns/e335f57d4c64dfc97223697a_authStatesFile/EId_Verification_Auth.xml b/patterns/e335f57d4c64dfc97223697a_authStatesFile/EId_Verification_Auth.xml
index c94f25e..ca22bfd 100644
--- a/patterns/e335f57d4c64dfc97223697a_authStatesFile/EId_Verification_Auth.xml
+++ b/patterns/e335f57d4c64dfc97223697a_authStatesFile/EId_Verification_Auth.xml
@@ -16,4 +16,5 @@
+
\ No newline at end of file
diff --git a/patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy b/patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy
index ed3ec94..f7336e0 100644
--- a/patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy
+++ b/patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy
@@ -1,8 +1,11 @@
import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.esauth.sess.Session
import ch.nevis.esauth.util.httpclient.api.HttpClient
import groovy.json.JsonSlurper
import io.opentelemetry.api.trace.Span
+import com.fasterxml.uuid.Generators
+
def getHeader(String name) {
def inctx = request.getLoginContext()
// case-insensitive lookup of HTTP headers
@@ -11,6 +14,49 @@ def getHeader(String name) {
return map['connection.HttpHeader.' + name]
}
+// returns true on success and false on failure
+def getNewVerification(Session sess, HttpClient httpClient, String verification_request_template, String traceparent){
+ // Initialize the verification session on the verifier
+ def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
+
+ try {
+ def httpResponse = Http.post()
+ .url(endPoint)
+ .header("Accept", "application/json")
+ .header("traceparent", traceparent)
+ .entity(Http.entity()
+ .content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
+ .contentType("application/json")
+ .build())
+ .build()
+ .send(httpClient)
+
+
+ if (httpResponse.code() != 200) {
+ LOG.debug("Result: ${httpResponse}")
+ return false
+ }
+
+ def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+ LOG.debug("Result: ${json}")
+
+ sess.setAttribute('agov.eid.verification', 'true')
+ sess.setAttribute('agov.eid.verification.id', json.id)
+ sess.setAttribute('agov.eid.verification.link', json.verification_url)
+
+
+ // TODO/aca/2025-04-04:This could probably also be INITIATED, once the verifier supports this status
+ if (json.state != 'PENDING') {
+ return false
+ }
+ }
+ catch (Exception e) {
+ LOG.error("Eid verification failed: $e")
+ return false
+ }
+ return true
+}
+
def verification_request_template = '''
{ "presentation_definition": {
"id": "{{UUID}}",
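Review bot: `getNewVerification` stores `agov.eid.verification = 'true'` (plus id and link) before the `json.state != 'PENDING'` check, so a non-PENDING answer returns false but leaves the session marked as initialised; the caller later in this file only initialises when `!session['agov.eid.verification']`, so a retry would skip re-initialisation. Move the three `sess.setAttribute` calls after the state check, or remove the flag in the failure branch. `LOG.debug("Result: ${json}")` also writes the full verifier response including `verification_url` to the log; logging `json.id` and `json.state` is sufficient for troubleshooting.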
@@ -135,9 +181,10 @@ def ERROR_CODE_TO_STATUS_MAPPER = [
// ---------------
// check, whether we are still processing the correct AuthnRequest
-if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+// or if the frontend requested a timeout
+if ( (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) || inargs['oid4vp'] == 'TIMEOUT') {
// wrong request, "force" a timeout
- LOG.debug('authentication timeout enforced, due to concurrent requests -> return a 408')
+ LOG.debug('authentication timeout enforced, due to concurrent requests (authRequestId missmatch) -> return a 408')
response.setIsDirectResponse(true)
response.setContentType('text/html; charset=UTF-8')
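Review bot: The rewritten debug line reports "authRequestId missmatch" even when the branch was entered because the client posted `oid4vp=TIMEOUT`, which is the case this commit adds; log which condition fired, e.g. `LOG.debug("authentication timeout enforced (" + (inargs['oid4vp'] == 'TIMEOUT' ? 'frontend requested' : 'authRequestId mismatch') + ") -> return a 408")` (also fixing the "missmatch" typo). A comment that `oid4vp=TIMEOUT` is client-controlled and only aborts the caller's own session via the direct 408 response would help the next reader judge its safety. The `if` body continues past the hunk.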
@@ -150,66 +197,44 @@ if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['
return
}
+def sess = request.getAuthSession(true)
+
if (inargs['oid4vp'] == 'ERROR') {
+ LOG.debug("oid4vp error")
response.setResult('error')
return
}
if (inargs['oid4vp'] == 'SUCCEEDED') {
+ LOG.debug("oid4vp succeeded")
response.setResult('ok')
return
}
+/*
+// Temporary for CANCELED
+if (inargs['oid4vp'] == 'CANCELED') {
+ LOG.debug("oid4vp canceled")
+ response.setResult('error')
+ return
+}
+*/
-def sess = request.getAuthSession(true)
HttpClient httpClient = HttpClients.create(parameters)
def spanCtxt = Span.current().getSpanContext()
def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
if (!session['agov.eid.verification']) {
- // Initialize the verification session on the verifier
- def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
-
- try {
- def httpResponse = Http.post()
- .url(endPoint)
- .header("Accept", "application/json")
- .header("traceparent", traceparent)
- .entity(Http.entity()
- .content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
- .contentType("application/json")
- .build())
- .build()
- .send(httpClient)
-
-
- if (httpResponse.code() != 200) {
- LOG.debug("Result: ${httpResponse}")
- response.setResult('error')
- return
- }
-
- def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
- LOG.debug("Result: ${json}")
-
- sess.setAttribute('agov.eid.verification', 'true')
- sess.setAttribute('agov.eid.verification.id', json.id)
- sess.setAttribute('agov.eid.verification.link', json.verification_url)
-
- if (json.state != 'PENDING') {
- response.setResult('error')
- return
- }
- }
- catch (Exception e) {
- LOG.error("Eid verification failed: $e")
- response.setResult('error')
- return
- }
+ LOG.debug("Initializing verification")
+ if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
+ response.setResult('error')
+ return
+ }
}
if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
+ LOG.debug("Request Status Update")
// request for a status update from the verifier
def result
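Review bot: `response.setResult('ok')` on the `SUCCEEDED` branch is driven solely by the client-supplied `oid4vp` inarg, with no check that the verifier-driven `SUCCESS` branch later in this file has already populated the session; the commit restructures this area but leaves that unchanged. Unless the following auth state independently verifies that `agov.subjectUUID` / the user id were set, guard it, e.g. `if (inargs['oid4vp'] == 'SUCCEEDED' && session['agov.subjectUUID'])`. The commented-out `CANCELED` block should be either removed or enabled; as written a `CANCELED` post falls through to the GUI path.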
@@ -217,6 +242,29 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
// and that authRequestId is correct
def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v']
+ // check, whether we are still processing the correct verification request
+ //
+ if(inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])){
+ //if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != session['agov.eid.verification.id']){
+ // wrong request, tell fe to stop polling and request a timeout
+ LOG.debug('authentication timeout enforced, due to concurrent requests (verificationRequest missmatch) -> Notify FE & then return a 408')
+ result = """{
+ "oid4vp": {
+ "status": "TIMEOUT",
+ "verification_url": "${session['agov.eid.verification.link']}",
+ "id": "${idvalue}",
+ "error_code": "REQUEST-MISMATCH",
+ "error_message": "Request Mismatch Detected: Forcing Timeout"
+ }}"""
+
+ response.setContent(result.toString())
+ response.setContentType('application/json')
+ response.setHttpStatusCode(200)
+ response.setIsDirectResponse(true)
+ response.setStatus(AuthResponse.AUTH_CONTINUE)
+ return
+ }
+
try {
def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
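Review bot: The new mismatch check repeats the `authRequestId` condition that already returned a 408 near the top of this script, so this block appears unreachable for that case; the commented-out comparison of `inargs['o.id.v']` against `session['agov.eid.verification.id']` is the check that would actually add value here, since it stops a poller from querying a verification id that does not belong to this session. Either enable that comparison (`if (inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != session['agov.eid.verification.id'])`) or drop the duplicate block. The enclosing `if` starts before the hunk.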
@@ -227,12 +275,32 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
.build()
.send(httpClient)
- if (httpResponse.code() != 200) {
- // TODO/haburger/2025-03-25: 404 we should create a new verification request
+
+ // 404 -> request a new verification
+ if(httpResponse.code() == 404){
+ // Frontend should know that we are starting a new request and not recieve an error
+ def status = "FAILED"
+ // Delete session variable to start a new verification
+ sess.removeAttribute('agov.eid.verification')
+
+ result = """{
+ "oid4vp": {
+ "status": "${status}",
+ "verification_url": "",
+ "id": "",
+ "error_code": "HTTP-ERROR",
+ "error_message": "Faild to verify status of verification, http status: ${httpResponse.code()}"
+ }}"""
+ LOG.warn("<== Response: ${responseCode}")
+ }
+ else if (httpResponse.code() != 200) {
LOG.debug("Result: ${httpResponse}")
+
+ def status = "ERROR"
+
result = """{
"oid4vp": {
- "status": "ERROR",
+ "status": "${status}",
"verification_url": "${session['agov.eid.verification.link']}",
"id": "${idvalue}",
"error_code": "HTTP-ERROR",
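Review bot: `LOG.warn("<== Response: ${responseCode}")` references `responseCode`, which is not defined anywhere visible in this hunk; in a Groovy GString that raises at runtime and would be swallowed by the surrounding `try`, so the 404 recovery path would never deliver its JSON. Use `httpResponse.code()` as the neighbouring lines do. The 404 branch clears `agov.eid.verification` but leaves `agov.eid.verification.id` and `.link` in the session, and the message text has typos ("Faild", "recieve").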
@@ -243,18 +311,18 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
else {
def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
-
+ LOG.debug(httpResponse.bodyAsString())
if (json.state == 'SUCCESS') {
def claims = json.wallet_response.credential_subject_data
-
- // TODO/haburger/2025-03-25: format changes to align with IDM read data
+ LOG.debug("Store user data in session")
+ // TODO/haburger/2025-03-25: format changes to align with IDM read data => No changes needed(?)
sess.setAttribute('ch.nevis.idm.User.firstName', claims.given_name)
sess.setAttribute('ch.nevis.idm.User.lastName', claims.family_name)
sess.setAttribute('ch.nevis.idm.User.birthDate', claims.birth_date)
sess.setAttribute('ch.nevis.idm.User.gender', claims.sex)
- sess.setAttribute('ch.nevis.idm.User.prop.svnr', claims.personal_administrative_number)
+ sess.setAttribute('ch.nevis.idm.User.prop.svnr', claims.personal_administrative_number.replace('.',''))
sess.setAttribute('ch.nevis.idm.User.prop.placeOfBirth', claims.birth_place)
- sess.setAttribute('ch.nevis.idm.User.prop.eIdNumber', claims.personal_administrative_number)
+ sess.setAttribute('ch.nevis.idm.User.prop.eIdNumber', claims.document_number)
sess.setAttribute('ch.nevis.idm.User.prop.nationality', claims.nationality.toString())
sess.setAttribute('ValidFrom', claims.issuance_date)
sess.setAttribute('ValidTo', claims.expiry_date)
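Review bot: `claims.personal_administrative_number.replace('.', '')` throws if the wallet response omits that claim, and the values are written straight into `ch.nevis.idm.User.*` attributes without any format validation. Normalise once, reject the verification if the result is missing or malformed, and reuse the normalised value, e.g. `def svnr = claims.personal_administrative_number?.replace('.', '')` followed by a format check appropriate to the number (presumably a fixed-length digit string; confirm against the issuer's specification) before any `sess.setAttribute` call. The enclosing `if (json.state == 'SUCCESS')` continues past the hunk.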
@@ -262,7 +330,15 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
sess.setAttribute('idVerification', "Eid")
sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:600")
- response.setUserId(claims.personal_administrative_number)
+ // subjectUUID v5
+ def namespace = UUID.fromString(parameters.get('eidUUIDNamespace'))
+ def uuid = Generators.nameBasedGenerator(namespace).generate(claims.personal_administrative_number)
+ LOG.debug("UUID: ${uuid}")
+ String uuidString = uuid.toString()
+ sess.setAttribute('agov.subjectUUID', '' + uuidString)
+
+ response.setUserId(uuidString)
+ sess.setAttribute('ch.adnovum.nevisidm.user.extId', uuidString)
response.setLoginId(claims.document_number)
response.setAuthLevel("EID")
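Review bot: The v5 UUID is derived from the raw `claims.personal_administrative_number`, while the SVNr stored a few lines earlier is the dot-stripped form; if different wallets present the number with and without dots, the same person gets two different subject UUIDs and thus two identities. Normalise before hashing: `def uuid = Generators.nameBasedGenerator(namespace).generate(claims.personal_administrative_number.replace('.', ''))`. `parameters.get('eidUUIDNamespace')` has no fallback, so a missing parameter turns into a generic error from the surrounding `try`; a clear log message at that point would aid diagnosis. The enclosing block continues past the hunk.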
@@ -280,9 +356,20 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
LOG
.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
+ def status = ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'
+
+ // Send new request & return variables with new id and url
+ if(status == 'FAILED' || status == 'CANCELED'){
+ // Delete session variable to start a new verification
+ sess.removeAttribute('agov.eid.verification')
+
+ // Clear variables for for a cleaner result
+ sess.removeAttribute('agov.eid.verification.link')
+ }
+
result = """{
"oid4vp": {
- "status": "${ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'}",
+ "status": "${status}",
"verification_url": "${session['agov.eid.verification.link']}",
"id": "${idvalue}",
"error_code": "${json.wallet_response.error_code}",
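Review bot: For `FAILED`/`CANCELED` the code removes `agov.eid.verification.link` and then builds the JSON from `session['agov.eid.verification.link']`, so the frontend receives the literal string `"null"` as `verification_url` rather than an empty value, and `idvalue` still carries the old id. Capture the link before clearing, or emit `"verification_url": "${session['agov.eid.verification.link'] ?: ''}"` as the 404 branch effectively does. The result construction continues past the hunk.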
@@ -318,10 +405,12 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
response.setHttpStatusCode(200)
response.setIsDirectResponse(true)
response.setStatus(AuthResponse.AUTH_CONTINUE)
+ LOG.debug("Recieved json: End")
return
}
// if we reach this place, display GUI
+LOG.debug("Show GUI")
response.setStatus(AuthResponse.AUTH_CONTINUE)
return
diff --git a/patterns/nevisAuth_7022472ae407577ae604bbb8.yml b/patterns/nevisAuth_7022472ae407577ae604bbb8.yml
index 6f22ae0..c4c3f30 100644
--- a/patterns/nevisAuth_7022472ae407577ae604bbb8.yml
+++ b/patterns/nevisAuth_7022472ae407577ae604bbb8.yml
@@ -16,5 +16,6 @@ pattern:
- "pattern://aeb2fed9962dcd5f7893db51"
signerTrustStore:
- "pattern://55bf63a1b1716e9631f7080d"
+ dependencies: "res://7022472ae407577ae604bbb8#dependencies"
addons:
- "pattern://90af8358cc587f5c5aa79fec"
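Review bot: The new `dependencies` entry pulls in a vendored `java-uuid-generator-5.0.0.jar` that this commit also checks in under `_resources`, with no recorded checksum or provenance. Record the SHA-256 and the Maven coordinates next to the jar (for example a `# java-uuid-generator 5.0.0, sha256: <…>, from Maven Central` comment here or a sidecar file), verify the binary against the published artifact, and keep a single copy if both locations are not required. Binary jars in a config repository are otherwise invisible to dependency scanners.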
diff --git a/variables.yml b/variables.yml
index 6fa8f42..03f7f43 100644
--- a/variables.yml
+++ b/variables.yml
@@ -147,6 +147,23 @@ variables:
pathInputMode: "OPTIONAL"
value: "http://connect-application-billing.adn-agov-connect-01-dev:8082/connect/billing/relying-party/app-icon"
requireOverloading: true
+ base-security-response-headers-response-headers:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+ parameters:
+ minRequired: 1
+ separators:
+ - ":"
+ switchedSeparators: []
+ value:
+ - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
+ - X-Content-Type-Options: "nosniff"
+ - Referrer-Policy: "strict-origin-when-cross-origin"
+ - X-Frame-Options: "DENY"
+ - Cross-Origin-Opener-Policy: "same-origin"
+ - Cross-Origin-Embedder-Policy: "require-corp"
+ - Cross-Origin-Resource-Policy: "same-site"
+ - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
+ requireOverloading: true
csp-security-response-headers:
className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
parameters:
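Review bot: `Cross-Origin-Embedder-Policy: "require-corp"` blocks every cross-origin subresource that does not send a matching CORP or CORS header, which would include any eID verification link, QR or proxied asset the login pages embed from another origin; verify the full login UI under this policy before it reaches production, or start with `"credentialless"`/omit COEP if cross-origin isolation is not actually needed. The HSTS value `"max-age=63072000; includeSubDomains;"` has a trailing semicolon that is not part of the directive grammar; `"max-age=63072000; includeSubDomains"` is the canonical form. `X-Frame-Options: DENY` is fine as a fallback but CSP `frame-ancestors` in the neighbouring `csp-security-response-headers` takes precedence in modern browsers, so the two should agree.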