2 files added and 7 files updated

2024-12-17 07:56:54 +00:00 · 2024-12-17 07:56:54 +00:00 · 49d8eaf672
parent 76a7ac7695
commit 49d8eaf672
13 changed files with 285 additions and 197 deletions
--- a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
+++ b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
--- a/patterns/204c22beaccdfd22727af378_labels/labels.zip
+++ b/patterns/204c22beaccdfd22727af378_labels/labels.zip
--- a/patterns/204c22beaccdfd22727af378_template/webdata.zip
+++ b/patterns/204c22beaccdfd22727af378_template/webdata.zip
--- a/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua
+++ b/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua
@ -0,0 +1,42 @@
+package.path = package.path .. ";/opt/nevisproxy/webapp/WEB-INF/lib/lua/Utils.lua"
+local Utils = require "Utils"
+
+function inputHeader(request, response)
+  local trace = request:getTracer()
+
+  local queryParams = Utils.getQueryParameters(request)
+  local path = request:getRequestPath()
+
+  -- only allow calls to the countries service
+  if path == nil then
+    trace:error("path is nil")
+  end 
+
+  if path ~= nil and path ~= '/resource/utility/api/v1/countries' then
+    trace:info("utility service called with invalid path " .. request:getRequestPath())
+    response:send(404)
+    return
+  end
+
+  -- only alloq one query-parameter 'lang' with the values DE, FR, IT, EN, RS
+  for param, values in pairs(queryParams) do
+    if (param ~= 'lang') then
+      trace:info("utility service called with invalid query param " .. param)
+      response:send(404)
+      return
+    end
+    if Helpers.tableLength(values) ~= 1 then
+      trace:info("utility service called with invalid value for query param " .. param)
+      response:send(404)
+      return
+    end
+    for i, value in pairs(values) do
+      local lang = string.upper(value)
+      if not ('DE' == lang or 'FR' == lang or 'IT' == lang or 'EN' == lang or 'RS' == lang) then
+        trace:info("utility service called with invalid value for query param " .. param .. "=" .. value)
+        response:send(404)
+        return
+      end
+    end
+  end
+end
--- a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
+++ b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
--- a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
+++ b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
--- a/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
+++ b/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
@ -193,11 +193,12 @@
 		</Gui>
 	</Response>
 	<property name="scriptTraceGroup" value="Recovery"/>
-	<property name="script" value="file:///var/opt/nevisauth/default/conf/recovery-preprocessing.groovy"/>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/recovery-processing.groovy"/>
 </AuthState>
 <AuthState name="${state.entry}_IdmUserIdPasswordLogin" final="true" resumeState="true" class="ch.nevis.idm.authstate.IdmPasswordVerifyState">
-	<ResultCond name="ok" next="${state.exit.1}" authLevel="auth.weak"/>
-	<ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin" authLevel="auth.weak"/>
+	<ResultCond name="no_code-true" next="${state.exit.1}"/>
+	<ResultCond name="ok" next="${state.entry}_codeVerified"/>
+	<ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin"/>
 	<ResultCond name="lockWarn" next="${state.entry}_IdmUserIdPasswordLogin"/>
 	<ResultCond name="nowLocked" next="${state.entry}_codeLocked"/>
 	<ResultCond name="locked" next="${state.entry}_codeLocked"/>
@ -209,6 +210,7 @@
 		<Gui name="recovery_check_code">
 			<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
 			<GuiElem name="code" type="pw-text" label="not-used" value="hide-input-in-logs" optional="true"/>
+			<GuiElem name="no_code" type="checkbox" label="not-used" value="true" optional="true"/>
 			<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
 		</Gui>
 	</Response>
@ -220,6 +222,11 @@
 	<property name="user.loginid" value="${sess:ch.adnovum.nevisidm.user.loginId}"/>
 	<property name="client.name" value="agov"/>
 </AuthState>
+<AuthState name="${state.entry}_codeVerified" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
+	<ResultCond name="default" next="${state.exit.1}"/>
+	<Response value="AUTH_CONTINUE"/>
+	<property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/>
+</AuthState>
 <AuthState name="${state.entry}_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
 	<Response value="AUTH_ERROR">
 		<Gui name="recovery_check_noCode">
--- a/patterns/584964c837512845d7940809_resources/recovery-preprocessing.groovy
+++ b/patterns/584964c837512845d7940809_resources/recovery-preprocessing.groovy
@ -94,6 +94,7 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
    if (userState == 'ACTIVE') {

      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+      session.setAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')

      def maxLoiList =   userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
      maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last()
@ -139,12 +140,10 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
          if ((maxLoi == 'level100') && (mustRecover == null)) {
            // mustRecover role not set, so code needs to be checked
            LOG.debug("Recovery: emailAndCode")
-            response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:emailAndCode')
            response.setResult('needCode')
            return
          } else {
            LOG.debug("Recovery: email")
-            response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
            response.setResult('ok')
            return
          }
--- a/patterns/9ff0369f3cf662f95d94ff09_resources/ensureRecoveryCode.groovy
+++ b/patterns/9ff0369f3cf662f95d94ff09_resources/ensureRecoveryCode.groovy
@ -30,14 +30,22 @@ String endPoint = "${parameters.get('utility-service.baseUrl')}/api/v1/recovery/
 def userDto = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
 def recoveryCredential = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}

-// 1a) check if user has a credential
+// Only for aq 100, skip for the rest
+if (Arrays.stream(response.getActualRoles()).filter( r -> r.matches('^.*AGOV-Loi\\.level[2345]00.*$')).findAny().isPresent()) {
+	LOG.debug("Account '${user}' has a higher AQ-level than 100, no need to check code")
+	response.setResult('done')
+	return
+}
+
+
+// 1b) check if user has a credential
 if ( recoveryCredential != null ) {
 	LOG.debug("Account '${user}' has an active recovery code, no need to create new code")
 	response.setResult('done')
 	return
 }

-// 1b) check if a recovery is ongoing (nothing to do)
+// 1c) check if a recovery is ongoing (nothing to do)
 if (Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-AccountStatus.recovery')).findAny().isPresent()) {
 	LOG.debug("Account '${user}' is in recovery, no need to create new code")
 	response.setResult('done')
--- a/patterns/Fetch_Country_Name_594764b3b866d7855f6990a1.yml
+++ b/patterns/Fetch_Country_Name_594764b3b866d7855f6990a1.yml
@ -3,6 +3,7 @@ pattern:
  id: "594764b3b866d7855f6990a1"
  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
  name: "Fetch_Country_Name"
+  notes: "TODO/haburger/2024-12-17: replace this with a call to http://utility-application-be.adn-agov-me-01-dev:8081/utility/api/v1/countries?lang=DE"
  properties:
    authStatesFile: "res://594764b3b866d7855f6990a1#authStatesFile"
    onSuccess:
--- a/patterns/Utility_Resource_Service_Countries_Security_Filter_3a982aa242ff4f8ebd823693.yml
+++ b/patterns/Utility_Resource_Service_Countries_Security_Filter_3a982aa242ff4f8ebd823693.yml
@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+  id: "3a982aa242ff4f8ebd823693"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
+  name: "Utility_Resource_Service_Countries_Security_Filter"
+  properties:
+    script: "res://3a982aa242ff4f8ebd823693#script"
--- a/patterns/Utility_Resource_Service_eaa622e2a760704c1e0e22f2.yml
+++ b/patterns/Utility_Resource_Service_eaa622e2a760704c1e0e22f2.yml
@ -0,0 +1,13 @@
+schemaVersion: "1.0"
+pattern:
+  id: "eaa622e2a760704c1e0e22f2"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.RESTServiceAccess"
+  name: "Utility_Resource_Service"
+  properties:
+    host:
+    - "pattern://1f0702aaabef60a615abf41f"
+    path: "/resource/utility/"
+    addons:
+    - "pattern://3a982aa242ff4f8ebd823693"
+    backends: "var://utility_resource_service-backend-address"
+    allowedMethods: "GET"
--- a/variables.yml
+++ b/variables.yml
@ -965,6 +965,17 @@ variables:
      minRequired: 0
    value: null
    requireOverloading: true
+  utility_resource_service-backend-address:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"
+    parameters:
+      minRequired: 1
+      schemeInputMode: "OPTIONAL"
+      allowedSchemes: "http,https"
+      hostNameInputMode: "REQUIRED"
+      portInputMode: "OPTIONAL"
+      pathInputMode: "OPTIONAL"
+    value: "http://utility-application-be.adn-agov-me-01-dev:8081/utility/"
+    requireOverloading: true
  verify_shadow_user-parameters:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
    parameters: