eid switch + new frontend resources

bundles.yml

@@ -1,13 +1,13 @@
 schemaVersion: "1.0"
 bundles:
-- "nevisadmin-plugin-base-generation:8.2411.2.rc2"
+- "nevisadmin-plugin-authcloud:8.2411.2.4"
-- "nevisadmin-plugin-nevisproxy:8.2411.2.rc2"
+- "nevisadmin-plugin-base-generation:8.2411.2.4"
-- "nevisadmin-plugin-nevisauth:8.2411.2.rc2"
+- "nevisadmin-plugin-fido2:8.2411.2.4"
-- "nevisadmin-plugin-nevisidm:8.2411.2.rc2"
+- "nevisadmin-plugin-mobile-auth:8.2411.2.4"
-- "nevisadmin-plugin-mobile-auth:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisadapt:8.2411.2.4"
-- "nevisadmin-plugin-fido2:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisauth:8.2411.2.4"
-- "nevisadmin-plugin-nevisadapt:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisdetect:8.2411.2.4"
-- "nevisadmin-plugin-nevisdetect:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisdp:8.2411.2.4"
-- "nevisadmin-plugin-oauth:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisidm:8.2411.2.4"
-- "nevisadmin-plugin-authcloud:8.2411.2.rc2"
+- "nevisadmin-plugin-nevisproxy:8.2411.2.4"
-- "nevisadmin-plugin-nevisdp:8.2411.2.rc2"
+- "nevisadmin-plugin-oauth:8.2411.2.4"

patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy

@@ -58,12 +58,6 @@ if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.sco
   return
 }
 
-// TODO/haburger/2024-03-21: move this later, now here for a simple start
-if (requestedRoleLevelNumber == 600 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork') {
-  session.setAttribute('agov.appSvnrAllowed', 'true')
-  response.setResult('exit.1');
-  return
-}
 
 try {
       def spanCtxt = Span.current().getSpanContext()
@@ -79,6 +73,28 @@ try {
 
       if (httpResponse.code() == 200) {
         def json = jsonSlurper.parseText(httpResponse.bodyAsString())
+
+        session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
+        session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
+        session.setAttribute('agov.appDisplayNameIT', '' + json.displayNameIt)
+        session.setAttribute('agov.appDisplayNameEN', '' + json.displayNameEn)
+
+        def eidEnabled = parameters.get('eidPassthroughEnabled') == "true" || parameters.get('eidFullEnabled') == "true"
+
+        // NOTE/aca/2024-04-07: Moved here to solve the issue of not getting display names
+        if (requestedRoleLevelNumber == 600 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork') {
+            if(eidEnabled){
+                session.setAttribute('agov.appSvnrAllowed', 'true')
+                response.setResult('exit.1')
+                return
+            }else{
+                response.setResult('error')
+                response.setError(9071, "LoA 600 not supported")
+                return
+            }
+            
+        }
+        
         LOG.debug('AdressRequired: ' + json.addrRequired)
         LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
         LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
@@ -94,10 +110,6 @@ try {
         // BUNDBITBK-4307: or best token for svnr is enabled
         session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
 
-        session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
-        session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
-        session.setAttribute('agov.appDisplayNameIT', '' + json.displayNameIt)
-        session.setAttribute('agov.appDisplayNameEN', '' + json.displayNameEn)
         response.setResult('ok')
         return
       } else {

patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml

@@ -1,9 +1,12 @@
 <AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="false">
     <ResultCond name="ok" next="${state.done}"/>
     <ResultCond name="continueAfterRepost" next="${state.exit.1}"/>
+    <ResultCond name="continueEidAfterRepost" next="${state.exit.2}"/>
     <Response value="AUTH_ERROR">
     </Response>
     <property name="scriptTraceGroup" value="AGOV-ACCT"/>
     <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
+    <property name="eidPassthroughEnabled" value="${vareid.passthrough.enabled}"/>
+    <property name="eidFullEnabled" value="${vareid.full.enabled}"/>
     <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
 </AuthState>

patterns/7a913eec7f78ce674cd87854_resources/idp_status_check.groovy

@@ -77,7 +77,15 @@ if (inargs['SAMLRequest'] != null) {
       // process it the same way, as if frontend triggered a reload
       request.getInArgs().setProperty('onReload', 'now')
 
+      def eidEnabled = parameters.get('eidPassthroughEnabled') == "true" || parameters.get('eidFullEnabled') == "true"
+      def requestedLoa = s.getAttribute("agov.requestedRoleLevel")
+      if( eidEnabled && ( requestedLoa == "600" || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork' ) ){
+        // EID request -> goto correct state
+        response.setResult('continueEidAfterRepost')
+      }else{
         response.setResult('continueAfterRepost')
+      }
+
       return
     }
     // else, the new replaces the on-going one

patterns/FIDO_UAF_Instance_ca92034f995b39fde562293c.yml

@@ -22,6 +22,7 @@ pattern:
     database:
     - "pattern://9385d1b33aefe975fb1c5914"
     facets: "var://fido_uaf_instance-facets"
+    basicFullAttestation: "strict"
     firebaseServiceAccount: "var://fido_uaf_instance-firebase-configuration"
     firebaseProxyAddress: "var://fido_uaf_instance-firebase-proxy-url"
     link: "Custom URI"

patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml

@@ -10,4 +10,5 @@ pattern:
     - "pattern://03326b180687860ffe06a58c"
     nextSteps:
     - "pattern://f63c475c35b616b7c6c1901c"
+    - "pattern://e335f57d4c64dfc97223697a"
     resources: "res://7a913eec7f78ce674cd87854#resources"

patterns/RequestedRoleLevel_68665057549fd887ea09fb86.yml

@@ -10,6 +10,8 @@ pattern:
     - url: "${var.connect.metadataservice.url}"
     - bestTokenAddressWhitelist: "${var.bestToken.address.whitelist}"
     - bestTokenSvnrWhitelist: "${var.bestToken.svnr.whitelist}"
+    - eidPassthroughEnabled: "${var.eid.passthrough.enabled}"
+    - eidFullEnabled: "${var.eid.full.enabled}"
     onSuccess:
     - "pattern://f63c475c35b616b7c6c1901c"
     onFailure:

patterns/b87d0d2b640e8e545ad70234_resources/SendSamlResponseWithAssertion.groovy

@@ -11,8 +11,13 @@ def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTi
 LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 
 // BUNDBITBK-4824: Address was missing after bmid verification
+
+
 def session = request.getAuthSession(true)
-int loa = session.get('agov.actualRoleLevel') as int
+def loa_str = session.get('agov.actualRoleLevel')
+
+if(loa_str){
+    int loa = loa_str as int
 
     // Best Token Available only if account's AQlevel is high enough
     if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
@@ -23,6 +28,8 @@ if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
         LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
         session.setAttribute('agov.appSvnrAllowed', 'false')
     }
+}
+
 // BUNDBITBK-4824 END
 
 // delete the login cookie

patterns/e335f57d4c64dfc97223697a_authStatesFile/EId_Verification_Auth.xml

@@ -16,4 +16,5 @@
     <property name="scriptTraceGroup" value="AGOV-ACCT"/>
 	<property name="script" value="file:///var/opt/nevisauth/default/conf/eid_verification_auth.groovy"/>
 	<property name="parameter.eidVerifierBaseUrl" value="${var.eidVerifierBaseUrl}"/>
+    <property name="parameter.eidUUIDNamespace" value="${var.eidUUIDNamespace}"/>
 </AuthState>

patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy

@@ -1,8 +1,11 @@
 import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.esauth.sess.Session
 import ch.nevis.esauth.util.httpclient.api.HttpClient
 import groovy.json.JsonSlurper
 import io.opentelemetry.api.trace.Span
 
+import com.fasterxml.uuid.Generators
+
 def getHeader(String name) {
 	def inctx = request.getLoginContext()
 	// case-insensitive lookup of HTTP headers
@@ -11,6 +14,49 @@ def getHeader(String name) {
 	return map['connection.HttpHeader.' + name]
 }
 
+// returns true on success and false on failure
+def getNewVerification(Session sess, HttpClient httpClient, String verification_request_template, String traceparent){
+	// Initialize the verification session on the verifier
+	def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
+
+	try {
+		def httpResponse = Http.post()
+				.url(endPoint)
+				.header("Accept", "application/json")
+				.header("traceparent", traceparent)
+				.entity(Http.entity()
+						.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
+						.contentType("application/json")
+						.build())
+				.build()
+				.send(httpClient)
+
+
+		if (httpResponse.code() != 200) {
+			LOG.debug("Result: ${httpResponse}")
+			return false
+		}
+
+		def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+		LOG.debug("Result: ${json}")
+
+		sess.setAttribute('agov.eid.verification', 'true')
+		sess.setAttribute('agov.eid.verification.id', json.id)
+		sess.setAttribute('agov.eid.verification.link', json.verification_url)
+
+
+        //  TODO/aca/2025-04-04:This could probably also be INITIATED, once the verifier supports this status
+		if (json.state != 'PENDING') {
+			return false
+		}
+	}
+	catch (Exception e) {
+		LOG.error("Eid verification failed: $e")
+		return false
+	}
+    return true
+}
+
 def verification_request_template = '''
 { "presentation_definition": {
     "id": "{{UUID}}",
@@ -135,9 +181,10 @@ def ERROR_CODE_TO_STATUS_MAPPER = [
 
 // ---------------
 // check, whether we are still processing the correct AuthnRequest
-if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+// or if the frontend requested a timeout
+if ( (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) || inargs['oid4vp'] == 'TIMEOUT') {
 	// wrong request, "force" a timeout
-	LOG.debug('authentication timeout enforced, due to concurrent requests -> return a 408')
+	LOG.debug('authentication timeout enforced, due to concurrent requests (authRequestId missmatch) -> return a 408')
 
 	response.setIsDirectResponse(true)
 	response.setContentType('text/html; charset=UTF-8')
@@ -150,66 +197,44 @@ if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['
 	return
 }
 
+def sess = request.getAuthSession(true)
+
 if (inargs['oid4vp'] == 'ERROR') {
+    LOG.debug("oid4vp error")
 	response.setResult('error')
 	return
 }
 
 if (inargs['oid4vp'] == 'SUCCEEDED') {
+    LOG.debug("oid4vp succeeded")
 	response.setResult('ok')
 	return
 }
 
+/*
+// Temporary for CANCELED
+if (inargs['oid4vp'] == 'CANCELED') {
+    LOG.debug("oid4vp canceled")
+	response.setResult('error')
+	return
+}
+*/
 
-def sess = request.getAuthSession(true)
 
 HttpClient httpClient = HttpClients.create(parameters)
 def spanCtxt = Span.current().getSpanContext()
 def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
 
 if (!session['agov.eid.verification']) {
-	// Initialize the verification session on the verifier
+    LOG.debug("Initializing verification")
-	def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
+	if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
-
-	try {
-		def httpResponse = Http.post()
-				.url(endPoint)
-				.header("Accept", "application/json")
-				.header("traceparent", traceparent)
-				.entity(Http.entity()
-						.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
-						.contentType("application/json")
-						.build())
-				.build()
-				.send(httpClient)
-
-
-		if (httpResponse.code() != 200) {
-			LOG.debug("Result: ${httpResponse}")
-			response.setResult('error')
-			return
-		}
-
-		def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
-		LOG.debug("Result: ${json}")
-
-		sess.setAttribute('agov.eid.verification', 'true')
-		sess.setAttribute('agov.eid.verification.id', json.id)
-		sess.setAttribute('agov.eid.verification.link', json.verification_url)
-
-		if (json.state != 'PENDING') {
-			response.setResult('error')
-			return
-		}
-	}
-	catch (Exception e) {
-		LOG.error("Eid verification failed: $e")
         response.setResult('error') 
         return
     }
 }
 
 if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
+    LOG.debug("Request Status Update")
 	// request for a status update from the verifier
 	def result
 
@@ -217,6 +242,29 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 	// and that authRequestId is correct
 	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v']
 
+    // check, whether we are still processing the correct verification request
+    //
+    if(inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])){
+    //if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != session['agov.eid.verification.id']){
+        // wrong request, tell fe to stop polling and request a timeout
+        LOG.debug('authentication timeout enforced, due to concurrent requests (verificationRequest missmatch) -> Notify FE & then return a 408')
+        result = """{
+				"oid4vp": {
+					"status": "TIMEOUT",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "REQUEST-MISMATCH",
+					"error_message": "Request Mismatch Detected: Forcing Timeout"
+				}}"""
+
+        response.setContent(result.toString())
+	    response.setContentType('application/json')
+	    response.setHttpStatusCode(200)
+	    response.setIsDirectResponse(true)
+	    response.setStatus(AuthResponse.AUTH_CONTINUE)
+	    return
+    }
+
 	try {
 		def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
 
@@ -227,12 +275,32 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 				.build()
 				.send(httpClient)
 
-		if (httpResponse.code() != 200) {
+
-			// TODO/haburger/2025-03-25: 404 we should create a new verification request
+        // 404 -> request a new verification
-			LOG.debug("Result: ${httpResponse}")
+        if(httpResponse.code() == 404){
+            // Frontend should know that we are starting a new request and not recieve an error
+            def status = "FAILED"
+            // Delete session variable to start a new verification
+            sess.removeAttribute('agov.eid.verification')
+
             result = """{
 				"oid4vp": {
-					"status": "ERROR",
+					"status": "${status}",
+					"verification_url": "",
+					"id": "",
+					"error_code": "HTTP-ERROR",
+					"error_message": "Faild to verify status of verification, http status: ${httpResponse.code()}"
+				}}"""
+			LOG.warn("<== Response: ${responseCode}")
+		}
+		else if (httpResponse.code() != 200) {
+			LOG.debug("Result: ${httpResponse}")
+            
+            def status = "ERROR"
+            
+			result = """{
+				"oid4vp": {
+					"status": "${status}",
 					"verification_url": "${session['agov.eid.verification.link']}",
 					"id": "${idvalue}",
 					"error_code": "HTTP-ERROR",
@@ -243,18 +311,18 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 		else {
 
 			def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
-
+            LOG.debug(httpResponse.bodyAsString())
 			if (json.state == 'SUCCESS') {
 				def claims = json.wallet_response.credential_subject_data
-
+                LOG.debug("Store user data in session")
-				// TODO/haburger/2025-03-25: format changes to align with IDM read data
+				// TODO/haburger/2025-03-25: format changes to align with IDM read data => No changes needed(?)
 				sess.setAttribute('ch.nevis.idm.User.firstName', claims.given_name)
 				sess.setAttribute('ch.nevis.idm.User.lastName', claims.family_name)
 				sess.setAttribute('ch.nevis.idm.User.birthDate', claims.birth_date)
 				sess.setAttribute('ch.nevis.idm.User.gender', claims.sex)
-				sess.setAttribute('ch.nevis.idm.User.prop.svnr', claims.personal_administrative_number)
+				sess.setAttribute('ch.nevis.idm.User.prop.svnr', claims.personal_administrative_number.replace('.',''))
 				sess.setAttribute('ch.nevis.idm.User.prop.placeOfBirth', claims.birth_place)
-				sess.setAttribute('ch.nevis.idm.User.prop.eIdNumber', claims.personal_administrative_number)
+				sess.setAttribute('ch.nevis.idm.User.prop.eIdNumber', claims.document_number)
 				sess.setAttribute('ch.nevis.idm.User.prop.nationality', claims.nationality.toString())
 				sess.setAttribute('ValidFrom', claims.issuance_date)
 				sess.setAttribute('ValidTo', claims.expiry_date)
@@ -262,7 +330,15 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 				sess.setAttribute('idVerification', "Eid")
 				sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:600")
 
-				response.setUserId(claims.personal_administrative_number)
+                // subjectUUID v5
+                def namespace = UUID.fromString(parameters.get('eidUUIDNamespace'))
+                def uuid = Generators.nameBasedGenerator(namespace).generate(claims.personal_administrative_number)
+                LOG.debug("UUID: ${uuid}")
+                String uuidString = uuid.toString()
+                sess.setAttribute('agov.subjectUUID', '' + uuidString)
+
+				response.setUserId(uuidString)
+                sess.setAttribute('ch.adnovum.nevisidm.user.extId', uuidString)
 				response.setLoginId(claims.document_number)
 				response.setAuthLevel("EID")
 
@@ -280,9 +356,20 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 
 				LOG
 						.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
+                def status = ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'
+
+                // Send new request & return variables with new id and url
+                if(status == 'FAILED' || status == 'CANCELED'){
+                    // Delete session variable to start a new verification
+                    sess.removeAttribute('agov.eid.verification')
+
+                    // Clear variables for for a cleaner result
+                    sess.removeAttribute('agov.eid.verification.link')
+                }
+
 				result = """{
 				"oid4vp": {
-					"status": "${ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'}",
+					"status": "${status}",
 					"verification_url": "${session['agov.eid.verification.link']}",
 					"id": "${idvalue}",
 					"error_code": "${json.wallet_response.error_code}",
@@ -318,10 +405,12 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 	response.setHttpStatusCode(200)
 	response.setIsDirectResponse(true)
 	response.setStatus(AuthResponse.AUTH_CONTINUE)
+    LOG.debug("Recieved json: End")
 	return
 }
 
 // if we reach this place, display GUI
+LOG.debug("Show GUI")
 response.setStatus(AuthResponse.AUTH_CONTINUE)
 return
 

patterns/nevisAuth_7022472ae407577ae604bbb8.yml

@@ -16,5 +16,6 @@ pattern:
     - "pattern://aeb2fed9962dcd5f7893db51"
     signerTrustStore:
     - "pattern://55bf63a1b1716e9631f7080d"
+    dependencies: "res://7022472ae407577ae604bbb8#dependencies"
     addons:
     - "pattern://90af8358cc587f5c5aa79fec"

variables.yml

@@ -147,6 +147,23 @@ variables:
       pathInputMode: "OPTIONAL"
     value: "http://connect-application-billing.adn-agov-connect-01-dev:8082/connect/billing/relying-party/app-icon"
     requireOverloading: true
+  base-security-response-headers-response-headers:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+    parameters:
+      minRequired: 1
+      separators:
+      - ":"
+      switchedSeparators: []
+    value:
+    - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
+    - X-Content-Type-Options: "nosniff"
+    - Referrer-Policy: "strict-origin-when-cross-origin"
+    - X-Frame-Options: "DENY"
+    - Cross-Origin-Opener-Policy: "same-origin"
+    - Cross-Origin-Embedder-Policy: "require-corp"
+    - Cross-Origin-Resource-Policy: "same-site"
+    - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
+    requireOverloading: true
   csp-security-response-headers:
     className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
     parameters: