nevis
/
adn-agov-iam-project
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

2 files added and 7 files updated

This commit is contained in:
haburger 2024-12-17 07:56:54 +00:00
parent 76a7ac7695
commit 49d8eaf672
13 changed files with 285 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
patterns/1f0702aaabef60a615abf41f_resources/resources.zip
View File

Binary file not shown.

BIN
patterns/204c22beaccdfd22727af378_labels/labels.zip
View File

Binary file not shown.

BIN
patterns/204c22beaccdfd22727af378_template/webdata.zip
View File

Binary file not shown.

42
patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua Normal file
View File

@ -0,0 +1,42 @@
package.path = package.path .. ";/opt/nevisproxy/webapp/WEB-INF/lib/lua/Utils.lua"
local Utils = require "Utils"
function inputHeader(request, response)
local trace = request:getTracer()
local queryParams = Utils.getQueryParameters(request)
local path = request:getRequestPath()
-- only allow calls to the countries service
if path == nil then
trace:error("path is nil")
end
if path ~= nil and path ~= '/resource/utility/api/v1/countries' then
trace:info("utility service called with invalid path " .. request:getRequestPath())
response:send(404)
return
end
-- only alloq one query-parameter 'lang' with the values DE, FR, IT, EN, RS
for param, values in pairs(queryParams) do
if (param ~= 'lang') then
trace:info("utility service called with invalid query param " .. param)
response:send(404)
return
end
if Helpers.tableLength(values) ~= 1 then
trace:info("utility service called with invalid value for query param " .. param)
response:send(404)
return
end
for i, value in pairs(values) do
local lang = string.upper(value)
if not ('DE' == lang or 'FR' == lang or 'IT' == lang or 'EN' == lang or 'RS' == lang) then
trace:info("utility service called with invalid value for query param " .. param .. "=" .. value)
response:send(404)
return
end
end
end
end

BIN
patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
View File

Binary file not shown.

BIN
patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
View File

Binary file not shown.

13
patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
View File

@ -193,11 +193,12 @@
</Gui> </Gui>
</Response> </Response>
<property name="scriptTraceGroup" value="Recovery"/> <property name="scriptTraceGroup" value="Recovery"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/recovery-preprocessing.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/recovery-processing.groovy"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_IdmUserIdPasswordLogin" final="true" resumeState="true" class="ch.nevis.idm.authstate.IdmPasswordVerifyState"> <AuthState name="${state.entry}_IdmUserIdPasswordLogin" final="true" resumeState="true" class="ch.nevis.idm.authstate.IdmPasswordVerifyState">
<ResultCond name="ok" next="${state.exit.1}" authLevel="auth.weak"/> <ResultCond name="no_code-true" next="${state.exit.1}"/>
<ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin" authLevel="auth.weak"/> <ResultCond name="ok" next="${state.entry}_codeVerified"/>
<ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="lockWarn" next="${state.entry}_IdmUserIdPasswordLogin"/> <ResultCond name="lockWarn" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="nowLocked" next="${state.entry}_codeLocked"/> <ResultCond name="nowLocked" next="${state.entry}_codeLocked"/>
<ResultCond name="locked" next="${state.entry}_codeLocked"/> <ResultCond name="locked" next="${state.entry}_codeLocked"/>
@ -209,6 +210,7 @@
<Gui name="recovery_check_code"> <Gui name="recovery_check_code">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/> <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
<GuiElem name="code" type="pw-text" label="not-used" value="hide-input-in-logs" optional="true"/> <GuiElem name="code" type="pw-text" label="not-used" value="hide-input-in-logs" optional="true"/>
<GuiElem name="no_code" type="checkbox" label="not-used" value="true" optional="true"/>
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/> <GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
</Gui> </Gui>
</Response> </Response>
@ -220,6 +222,11 @@
<property name="user.loginid" value="${sess:ch.adnovum.nevisidm.user.loginId}"/> <property name="user.loginid" value="${sess:ch.adnovum.nevisidm.user.loginId}"/>
<property name="client.name" value="agov"/> <property name="client.name" value="agov"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<ResultCond name="default" next="${state.exit.1}"/>
<Response value="AUTH_CONTINUE"/>
<property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/>
</AuthState>
<AuthState name="${state.entry}_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false"> <AuthState name="${state.entry}_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
<Response value="AUTH_ERROR"> <Response value="AUTH_ERROR">
<Gui name="recovery_check_noCode"> <Gui name="recovery_check_noCode">

3
patterns/584964c837512845d7940809_resources/recovery-preprocessing.groovy → patterns/584964c837512845d7940809_resources/recovery-processing.groovy
View File

@ -94,6 +94,7 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
if (userState == 'ACTIVE') { if (userState == 'ACTIVE') {
session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery') session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
session.setAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
def maxLoiList = userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() }) def maxLoiList = userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last() maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last()
@ -139,12 +140,10 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
if ((maxLoi == 'level100') && (mustRecover == null)) { if ((maxLoi == 'level100') && (mustRecover == null)) {
// mustRecover role not set, so code needs to be checked // mustRecover role not set, so code needs to be checked
LOG.debug("Recovery: emailAndCode") LOG.debug("Recovery: emailAndCode")
response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:emailAndCode')
response.setResult('needCode') response.setResult('needCode')
return return
} else { } else {
LOG.debug("Recovery: email") LOG.debug("Recovery: email")
response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
response.setResult('ok') response.setResult('ok')
return return
} }

12
patterns/9ff0369f3cf662f95d94ff09_resources/ensureRecoveryCode.groovy
View File

@ -30,14 +30,22 @@ String endPoint = "${parameters.get('utility-service.baseUrl')}/api/v1/recovery/
def userDto = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) def userDto = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
def recoveryCredential = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'} def recoveryCredential = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
// 1a) check if user has a credential // Only for aq 100, skip for the rest
if (Arrays.stream(response.getActualRoles()).filter( r -> r.matches('^.*AGOV-Loi\\.level[2345]00.*$')).findAny().isPresent()) {
LOG.debug("Account '${user}' has a higher AQ-level than 100, no need to check code")
response.setResult('done')
return
}
// 1b) check if user has a credential
if ( recoveryCredential != null ) { if ( recoveryCredential != null ) {
LOG.debug("Account '${user}' has an active recovery code, no need to create new code") LOG.debug("Account '${user}' has an active recovery code, no need to create new code")
response.setResult('done') response.setResult('done')
return return
} }
// 1b) check if a recovery is ongoing (nothing to do) // 1c) check if a recovery is ongoing (nothing to do)
if (Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-AccountStatus.recovery')).findAny().isPresent()) { if (Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-AccountStatus.recovery')).findAny().isPresent()) {
LOG.debug("Account '${user}' is in recovery, no need to create new code") LOG.debug("Account '${user}' is in recovery, no need to create new code")
response.setResult('done') response.setResult('done')

1
patterns/Fetch_Country_Name_594764b3b866d7855f6990a1.yml
View File

@ -3,6 +3,7 @@ pattern:
id: "594764b3b866d7855f6990a1" id: "594764b3b866d7855f6990a1"
className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep" className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
name: "Fetch_Country_Name" name: "Fetch_Country_Name"
notes: "TODO/haburger/2024-12-17: replace this with a call to http://utility-application-be.adn-agov-me-01-dev:8081/utility/api/v1/countries?lang=DE"
properties: properties:
authStatesFile: "res://594764b3b866d7855f6990a1#authStatesFile" authStatesFile: "res://594764b3b866d7855f6990a1#authStatesFile"
onSuccess: onSuccess:

7
patterns/Utility_Resource_Service_Countries_Security_Filter_3a982aa242ff4f8ebd823693.yml Normal file
View File

@ -0,0 +1,7 @@
schemaVersion: "1.0"
pattern:
id: "3a982aa242ff4f8ebd823693"
className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
name: "Utility_Resource_Service_Countries_Security_Filter"
properties:
script: "res://3a982aa242ff4f8ebd823693#script"

13
patterns/Utility_Resource_Service_eaa622e2a760704c1e0e22f2.yml Normal file
View File

@ -0,0 +1,13 @@
schemaVersion: "1.0"
pattern:
id: "eaa622e2a760704c1e0e22f2"
className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.RESTServiceAccess"
name: "Utility_Resource_Service"
properties:
host:
- "pattern://1f0702aaabef60a615abf41f"
path: "/resource/utility/"
addons:
- "pattern://3a982aa242ff4f8ebd823693"
backends: "var://utility_resource_service-backend-address"
allowedMethods: "GET"

11
variables.yml
View File

@ -965,6 +965,17 @@ variables:
minRequired: 0 minRequired: 0
value: null value: null
requireOverloading: true requireOverloading: true
utility_resource_service-backend-address:
className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
parameters:
minRequired: 1
schemeInputMode: "OPTIONAL"
allowedSchemes: "http,https"
hostNameInputMode: "REQUIRED"
portInputMode: "OPTIONAL"
pathInputMode: "OPTIONAL"
value: "http://utility-application-be.adn-agov-me-01-dev:8081/utility/"
requireOverloading: true
verify_shadow_user-parameters: verify_shadow_user-parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty" className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
parameters: parameters: