1.8 RC1

2024-11-25 15:29:20 +00:00 · 2024-11-25 15:29:20 +00:00 · 5b9299caa8
parent d6128aeb03
commit 5b9299caa8
19 changed files with 160 additions and 56 deletions
--- a/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua
+++ b/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua
@ -0,0 +1,18 @@
+function outputHeader(request, response)
+    trace = request:getTracer()
+
+    cspHeader = response:getHeader("content-security-policy")
+    if (cspHeader ~= nil) then 
+        trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
+    else
+        trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
+        response:setHeader("content-security-policy", param_csp)
+    end
+
+    if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+        trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+        response:setHeader("content-security-policy-report-only", param_report_only_csp)
+    else
+        trace:debug("AGOV CSP: No report only CSP-header set")
+    end
+end
--- a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
+++ b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
@ -2,7 +2,7 @@
    <Response value="AUTH_ERROR">
        <Gui name="NotUsed"/>
    </Response>
-    <property name="parameter.cookie.domain" value="${param.cookie.domain}"/>
+    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
 </AuthState>
--- a/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
+++ b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
@ -0,0 +1,17 @@
+<AuthState name="${state.entry}" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+	<ResultCond name="done" next="${state.done}"/>
+	<Response value="AUTH_CONTINUE">
+		<Gui name="ask_mobile_number" label="general.askMobileNumber">
+			<GuiElem name="mobile" type="text" optional="true"/>
+			<GuiElem name="skip" type="checkbox" value="false" optional="true"/>
+			<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
+			<GuiElem name="submit" type="button" label="continue.button.label" value="submit"/>
+		</Gui>
+	</Response>
+	<property name="scriptTraceGroup" value="AGOV-ACCT"/>
+	<property name="script" value="file:///var/opt/nevisauth/default/conf/askMobileNumber.groovy"/>
+	<property name="parameter.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/>
+    <property name="parameter.idm.httpclient.tls.keyObjectRef" value="DefaultKeyStore"/>
+	<property name="parameter.idm.httpclient.tls.trustStoreRef" value="${keystore}"/>
+	<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
+</AuthState>
--- a/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
+++ b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
@ -0,0 +1,46 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+import groovy.xml.XmlSlurper
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String mobile = session.get('ch.nevis.idm.User.mobile')
+
+String baseUrl = parameters.get('baseUrl')
+String endPoint = "${baseUrl}/core/v1/${clientExtId}/users/${userExtId}"
+
+
+if (mobile) {
+    LOG.debug("User '${user}' has already registered a mobile number")
+    response.setResult('done')
+    return
+}
+if (inargs['submit'] && inargs['mobile']) {
+    String result
+
+    def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
+    try {
+        result = idmRestClient.patch(endPoint, patchBdy)
+    } catch(Exception e) {
+        LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to save number (${e})'")
+    }
+    response.setResult('done')
+    return
+}
+
+
+// we should ask the user
+response.setStatus(AuthResponse.AUTH_CONTINUE)
--- a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
+++ b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
@ -4,6 +4,6 @@
    <Response value="AUTH_ERROR">
    </Response>
    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-    <property name="parameter.cookie.domain" value="${param.cookie.domain}"/>
+    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
 </AuthState>
--- a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
+++ b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
@ -2,6 +2,6 @@
    <Response value="AUTH_CONTINUE">
        <Gui name="NotUsed"/>
    </Response>
-    <property name="parameter.cookie.domain" value="${param.cookie.domain}"/>
+    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy"/>
 </AuthState>
--- a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
+++ b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
@ -35,7 +35,7 @@
 	<property name="parameter.utility-service.baseUrl" value="${param.utility-service.baseUrl}"/>
 	<!--property name="parameter.idm.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/-->
 	<property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Recovery_Code"/>
-	<property name="parameter.cookie.domain" value="${param.cookie.domain}"/>
+	<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
 </AuthState>
 <AuthState name="${state.entry}_encryptCode" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
 	<ResultCond name="default" next="${state.entry}_Process"/>
--- a/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml
+++ b/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml
@ -0,0 +1,15 @@
+schemaVersion: "1.0"
+pattern:
+  id: "6d83506dfcc430c12d81dfa3"
+  className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+  name: "Ask_Mobile_Number"
+  properties:
+    authStatesFile: "res://6d83506dfcc430c12d81dfa3#authStatesFile"
+    parameters: "var://ask_mobile_number-template-parameters"
+    onSuccess:
+    - "pattern://2cdd910036aa06b102863a4f"
+    onFailure:
+    - "pattern://2cdd910036aa06b102863a4f"
+    resources: "res://6d83506dfcc430c12d81dfa3#resources"
+    keyObjects:
+    - "pattern://bcfe78c02cbe0588528bc3cb"
--- a/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
+++ b/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
@ -0,0 +1,18 @@
+schemaVersion: "1.0"
+pattern:
+  id: "0d3511bed6798a78cc3237f6"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
+  name: "Base Security Response Headers"
+  label: "PROXY"
+  notes: "The security response headers, which are environment independent and/or\
+    \ static"
+  properties:
+    responseHeaders:
+    - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
+    - X-Content-Type-Options: "nosniff"
+    - Referrer-Policy: "strict-origin-when-cross-origin"
+    - X-Frame-Options: "DENY"
+    - Cross-Origin-Opener-Policy: "same-origin"
+    - Cross-Origin-Embedder-Policy: "require-corp"
+    - Cross-Origin-Resource-Policy: "same-site"
+    - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
--- a/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml
+++ b/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml
@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+  id: "162d4ee18e469c146df153cc"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
+  name: "CSP Security Response Headers"
+  properties:
+    script: "res://162d4ee18e469c146df153cc#script"
+    phase: "BEFORE_SANITATION"
+    parameters: "var://csp-security-response-headers"
--- a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
+++ b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
@ -9,9 +9,9 @@ pattern:
    authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile"
    parameters: "var://ensure_recovery_code-parameters"
    onSuccess:
-    - "pattern://2cdd910036aa06b102863a4f"
+    - "pattern://6d83506dfcc430c12d81dfa3"
    onFailure:
-    - "pattern://2cdd910036aa06b102863a4f"
+    - "pattern://6d83506dfcc430c12d81dfa3"
    resources: "res://9ff0369f3cf662f95d94ff09#resources"
    keyObjects:
    - "pattern://bcfe78c02cbe0588528bc3cb"
--- a/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
+++ b/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
@ -6,7 +6,6 @@ pattern:
  label: "IDP"
  properties:
    authStatesFile: "res://7a913eec7f78ce674cd87854#authStatesFile"
-    parameters: "var://idp_domain_settings"
    nextSteps:
    - "pattern://f63c475c35b616b7c6c1901c"
    resources: "res://7a913eec7f78ce674cd87854#resources"
--- a/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
+++ b/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
@ -6,5 +6,4 @@ pattern:
  label: "AUTH"
  properties:
    authStatesFile: "res://826166d230a6a4849f2837ae#authStatesFile"
-    parameters: "var://idp_domain_settings"
    resources: "res://826166d230a6a4849f2837ae#resources"
--- a/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
+++ b/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
@ -1,8 +0,0 @@
-schemaVersion: "1.0"
-pattern:
-  id: "0d3511bed6798a78cc3237f6"
-  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
-  name: "Security Response Headers"
-  label: "PROXY"
-  properties:
-    responseHeaders: "var://security-response-headers-response-headers"
--- a/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
+++ b/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
@ -8,7 +8,6 @@ pattern:
    \ IdP pattern generates a followup state)"
  properties:
    authStatesFile: "res://b87d0d2b640e8e545ad70234#authStatesFile"
-    parameters: "var://idp_domain_settings"
    onSuccess:
    - "pattern://0eb5c0c45d7239987a22435a"
    resources: "res://b87d0d2b640e8e545ad70234#resources"
--- a/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
+++ b/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
@ -6,5 +6,4 @@ pattern:
  label: "IDP"
  properties:
    authStatesFile: "res://4c65de021d362462324a3a5f#authStatesFile"
-    parameters: "var://idp_domain_settings"
    resources: "res://4c65de021d362462324a3a5f#resources"
--- a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
+++ b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
@ -18,6 +18,7 @@ pattern:
    - "pattern://cc7f74cd87053a74a70588ad"
    - "pattern://bcca48cd422668aa2f78ea42"
    - "pattern://3d45f250b698005a29eb58b6"
+    - "pattern://162d4ee18e469c146df153cc"
    - "pattern://0d3511bed6798a78cc3237f6"
    - "pattern://64f16c5d4c99eff0acbc8fdf"
    - "pattern://0573c2491a56e59daca47e95"
--- a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
+++ b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
@ -3,7 +3,7 @@
    <Response value="AUTH_DONE">
        <Gui name="not_used"/>
    </Response>
-    <property name="parameter.cookie.domain" value="${param.cookie.domain}"/>
+    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
 </AuthState>
--- a/variables.yml
+++ b/variables.yml
@ -22,6 +22,13 @@ variables:
      - "disabled"
    value: "disabled"
    requireOverloading: true
+  ask_mobile_number-template-parameters:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
+    parameters:
+      required: false
+      syntax: "YAML"
+    value: "idm-service: idm\n"
+    requireOverloading: true
  auth-session-store-database-host:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
    parameters:
@ -132,14 +139,31 @@ variables:
      pathInputMode: "OPTIONAL"
    value: "http://connect-application-billing.adn-agov-connect-01-dev:8082/connect/billing/relying-party/app-icon"
    requireOverloading: true
+  csp-security-response-headers:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+    parameters:
+      separators:
+      - "="
+      switchedSeparators: []
+    value:
+    - param_csp: "default-src 'none'; script-src 'wasm-unsafe-eval' 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM='\
+        \ 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo='\
+        \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; worker-src blob:;\
+        \ child-src blob:; connect-src 'self' https://api.friendlycaptcha.com/api/v1/puzzle;\
+        \ img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls\
+        \ https://me.agov-d.azure.adnovum.net/registration/api/login/saml2/sso/agovidpdirect\
+        \ https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect;\
+        \ font-src 'self';"
+    - param_report_only_csp: "none"
+    requireOverloading: true
  ensure_recovery_code-parameters:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
    parameters:
      required: false
      syntax: "YAML"
    value: "utility-service.baseUrl: http://me-application-me-be.adn-agov-me-01-dev:8081/utility\n\
-      cookie.domain: auth.agov-d.azure.adnovum.net\ntoken.algorithm: RS512\ntoken.time_to_live:\
-      \ 600\ntoken.keystoreref: DefaultKeyStore\ntoken.keyobjectref: DefaultSigner"
+      token.algorithm: RS512\ntoken.time_to_live: 600\ntoken.keystoreref: DefaultKeyStore\n\
+      token.keyobjectref: DefaultSigner"
    requireOverloading: true
  env_ca-trusted-certificates:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
@ -168,9 +192,9 @@ variables:
    parameters:
      required: false
      syntax: "YAML"
-    value: "client.name: agov\nattributes: loginId,extId,firstName,name,email\nproperties:\
-      \ eIdNumber,gender,placeOfBirth,svnr\nidm-service: idm\nagov.unitExtId: 1000\n\
-      agov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7"
+    value: "client.name: agov\nattributes: loginId,extId,firstName,name,email,mobile\n\
+      properties: eIdNumber,gender,placeOfBirth,svnr\nidm-service: idm\nagov.unitExtId:\
+      \ 1000\nagov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7"
    requireOverloading: true
  fido-session-store-database-host:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
@ -490,13 +514,6 @@ variables:
      format: "^[^\\s,]*$"
    value: "https://idp.agov-d.azure.adnovum.net/SAML2/"
    requireOverloading: true
-  idp_domain_settings:
-    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
-    parameters:
-      required: false
-      syntax: "YAML"
-    value: "cookie.domain: auth.agov-d.azure.adnovum.net"
-    requireOverloading: true
  idp_pem_atb-trusted-certificates:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
    parameters:
@ -906,31 +923,6 @@ variables:
      secret: true
    value: "sample password"
    requireOverloading: true
-  security-response-headers-response-headers:
-    className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
-    parameters:
-      minRequired: 1
-      separators:
-      - ":"
-      switchedSeparators: []
-    value:
-    - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
-    - X-Content-Type-Options: "nosniff"
-    - Referrer-Policy: "strict-origin-when-cross-origin"
-    - X-Frame-Options: "DENY"
-    - Cross-Origin-Opener-Policy: "same-origin"
-    - Cross-Origin-Embedder-Policy: "require-corp"
-    - Cross-Origin-Resource-Policy: "same-site"
-    - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
-    - Content-Security-Policy-Report-Only: "default-src 'none'; script-src  'self'\
-        \ 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw=' 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw='\
-        \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI=';  connect-src 'self';\
-        \ img-src 'self'; style-src  'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='\
-        \ 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='\
-        \ 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=';\
-        \ form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls;\
-        \ font-src 'self';                 "
-    requireOverloading: true
  service_provider_state-registration-template-parameters:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
    parameters: