diff --git a/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua b/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua
new file mode 100644
index 0000000..0a061d5
--- /dev/null
+++ b/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua
@@ -0,0 +1,18 @@
+function outputHeader(request, response)
+ trace = request:getTracer()
+
+ cspHeader = response:getHeader("content-security-policy")
+ if (cspHeader ~= nil) then
+ trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
+ else
+ trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
+ response:setHeader("content-security-policy", param_csp)
+ end
+
+ if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+ trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+ response:setHeader("content-security-policy-report-only", param_report_only_csp)
+ else
+ trace:debug("AGOV CSP: No report only CSP-header set")
+ end
+end
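Review bot: `trace` and `cspHeader` on the second and fourth lines of outputHeader are assigned without `local`, so they become globals shared across the Lua state; `local trace = request:getTracer()` and `local cspHeader = response:getHeader("content-security-policy")` keep them function-scoped. The `..` concatenation in the else branch raises a Lua error if `param_csp` is unset, which an environment overriding the `csp-security-response-headers` variable could cause; a guard such as `if param_csp == nil then trace:debug("AGOV CSP: param_csp not configured, no default header set") return end` ahead of that branch turns it into a logged no-op. Keeping a backend-supplied header untouched also means a backend can ship a weaker policy than the default, so a one-line comment above the first `if` stating that this is intended would help the next reader. The debug message on the report-only branch has a typo (`Additionl`).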
diff --git a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
index 2e91ab7..1e5ed6b 100644
--- a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
+++ b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
@@ -2,7 +2,7 @@
-
+
\ No newline at end of file
diff --git a/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
new file mode 100644
index 0000000..625bd28
--- /dev/null
+++ b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
new file mode 100644
index 0000000..46cd9f0
--- /dev/null
+++ b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
@@ -0,0 +1,46 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+import groovy.xml.XmlSlurper
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String mobile = session.get('ch.nevis.idm.User.mobile')
+
+String baseUrl = parameters.get('baseUrl')
+String endPoint = "${baseUrl}/core/v1/${clientExtId}/users/${userExtId}"
+
+
+if (mobile) {
+ LOG.debug("User '${user}' has already registered a mobile number")
+ response.setResult('done')
+ return
+}
+if (inargs['submit'] && inargs['mobile']) {
+ String result
+
+ def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
+ try {
+ result = idmRestClient.patch(endPoint, patchBdy)
+ } catch(Exception e) {
+ LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to save number (${e})'")
+ }
+ response.setResult('done')
+ return
+}
+
+
+// we should ask the user
+response.setStatus(AuthResponse.AUTH_CONTINUE)
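Review bot: The PATCH body on the `patchBdy` line is assembled by string interpolation from `inargs['mobile']`, a value the submitter controls, so a `"` or `\` in it breaks the JSON or changes which fields the IdM receives; `requestId`, taken from the session's SAML request id, is interpolated the same way. Build the body with `groovy.json.JsonOutput.toJson(...)` (the file imports `JsonSlurper` and `XmlSlurper`, both unused) and check the number against an expected format before sending it, as sketched below. A failed `idmRestClient.patch` is only logged at warn and the step still returns `done`, so the user proceeds without a stored number; if that is the intended best-effort behaviour a comment saying so would help, and the unused `result` variable can go.
```groovy
if (inargs['submit'] && inargs['mobile']) {
    String mobileInput = inargs['mobile'].toString().trim()
    // Constructed sample pattern: adjust to the number format the IdM accepts before relying on it.
    if (mobileInput ==~ /^\+?[0-9]{6,15}$/) {
        // Serialise with JsonOutput so quotes or control characters in the input cannot alter the document structure.
        def patchBdy = JsonOutput.toJson([
            contacts: [mobile: mobileInput],
            modificationComment: "added mobile number from user during request ${requestId}".toString()
        ])
        // … unchanged: try/catch around idmRestClient.patch(endPoint, patchBdy) …
        response.setResult('done')
        return
    }
    LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='mobile number rejected by format check'")
}
// … unchanged: falls through to response.setStatus(AuthResponse.AUTH_CONTINUE), which asks the user again …
```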
diff --git a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
index 6188d8d..1af8a28 100644
--- a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
+++ b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
@@ -4,6 +4,6 @@
-
+
diff --git a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
index 2f64364..dafeec6 100644
--- a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
+++ b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
@@ -2,6 +2,6 @@
-
+
diff --git a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
index 362cd85..a02ff3c 100644
--- a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
+++ b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
@@ -35,7 +35,7 @@
-
+
diff --git a/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml b/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml
new file mode 100644
index 0000000..c99db7c
--- /dev/null
+++ b/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml
@@ -0,0 +1,15 @@
+schemaVersion: "1.0"
+pattern:
+ id: "6d83506dfcc430c12d81dfa3"
+ className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+ name: "Ask_Mobile_Number"
+ properties:
+ authStatesFile: "res://6d83506dfcc430c12d81dfa3#authStatesFile"
+ parameters: "var://ask_mobile_number-template-parameters"
+ onSuccess:
+ - "pattern://2cdd910036aa06b102863a4f"
+ onFailure:
+ - "pattern://2cdd910036aa06b102863a4f"
+ resources: "res://6d83506dfcc430c12d81dfa3#resources"
+ keyObjects:
+ - "pattern://bcfe78c02cbe0588528bc3cb"
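Review bot: `onSuccess` and `onFailure` both point to `pattern://2cdd910036aa06b102863a4f`, so a failing or skipped mobile-number step can never stop the flow; together with the catch-and-continue handling in askMobileNumber.groovy this makes the step purely best-effort. If that is intended, a `notes:` entry on the pattern saying so (e.g. `notes: "Optional step: asks once for a mobile number; failures do not block login"`) would save the next maintainer from wondering why failure is not routed elsewhere.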
diff --git a/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml b/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
new file mode 100644
index 0000000..1e34d8a
--- /dev/null
+++ b/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
@@ -0,0 +1,18 @@
+schemaVersion: "1.0"
+pattern:
+ id: "0d3511bed6798a78cc3237f6"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
+ name: "Base Security Response Headers"
+ label: "PROXY"
+ notes: "The security response headers, which are environment independent and/or\
+ \ static"
+ properties:
+ responseHeaders:
+ - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
+ - X-Content-Type-Options: "nosniff"
+ - Referrer-Policy: "strict-origin-when-cross-origin"
+ - X-Frame-Options: "DENY"
+ - Cross-Origin-Opener-Policy: "same-origin"
+ - Cross-Origin-Embedder-Policy: "require-corp"
+ - Cross-Origin-Resource-Policy: "same-site"
+ - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
diff --git a/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml b/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml
new file mode 100644
index 0000000..541bbfa
--- /dev/null
+++ b/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml
@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+ id: "162d4ee18e469c146df153cc"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
+ name: "CSP Security Response Headers"
+ properties:
+ script: "res://162d4ee18e469c146df153cc#script"
+ phase: "BEFORE_SANITATION"
+ parameters: "var://csp-security-response-headers"
diff --git a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
index 179af8b..7dd2db3 100644
--- a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
+++ b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
@@ -9,9 +9,9 @@ pattern:
authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile"
parameters: "var://ensure_recovery_code-parameters"
onSuccess:
- - "pattern://2cdd910036aa06b102863a4f"
+ - "pattern://6d83506dfcc430c12d81dfa3"
onFailure:
- - "pattern://2cdd910036aa06b102863a4f"
+ - "pattern://6d83506dfcc430c12d81dfa3"
resources: "res://9ff0369f3cf662f95d94ff09#resources"
keyObjects:
- "pattern://bcfe78c02cbe0588528bc3cb"
diff --git a/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml b/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
index 005d511..b11cbd8 100644
--- a/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
+++ b/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
@@ -6,7 +6,6 @@ pattern:
label: "IDP"
properties:
authStatesFile: "res://7a913eec7f78ce674cd87854#authStatesFile"
- parameters: "var://idp_domain_settings"
nextSteps:
- "pattern://f63c475c35b616b7c6c1901c"
resources: "res://7a913eec7f78ce674cd87854#resources"
diff --git a/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml b/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
index 80b5610..b94e0b2 100644
--- a/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
+++ b/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
@@ -6,5 +6,4 @@ pattern:
label: "AUTH"
properties:
authStatesFile: "res://826166d230a6a4849f2837ae#authStatesFile"
- parameters: "var://idp_domain_settings"
resources: "res://826166d230a6a4849f2837ae#resources"
diff --git a/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml b/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
deleted file mode 100644
index 4ea6f80..0000000
--- a/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-schemaVersion: "1.0"
-pattern:
- id: "0d3511bed6798a78cc3237f6"
- className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
- name: "Security Response Headers"
- label: "PROXY"
- properties:
- responseHeaders: "var://security-response-headers-response-headers"
diff --git a/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml b/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
index a63ea53..0dfc816 100644
--- a/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
+++ b/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
@@ -8,7 +8,6 @@ pattern:
\ IdP pattern generates a followup state)"
properties:
authStatesFile: "res://b87d0d2b640e8e545ad70234#authStatesFile"
- parameters: "var://idp_domain_settings"
onSuccess:
- "pattern://0eb5c0c45d7239987a22435a"
resources: "res://b87d0d2b640e8e545ad70234#resources"
diff --git a/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml b/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
index fbab084..071b166 100644
--- a/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
+++ b/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
@@ -6,5 +6,4 @@ pattern:
label: "IDP"
properties:
authStatesFile: "res://4c65de021d362462324a3a5f#authStatesFile"
- parameters: "var://idp_domain_settings"
resources: "res://4c65de021d362462324a3a5f#resources"
diff --git a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
index 80cf58a..3284825 100644
--- a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
+++ b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
@@ -18,6 +18,7 @@ pattern:
- "pattern://cc7f74cd87053a74a70588ad"
- "pattern://bcca48cd422668aa2f78ea42"
- "pattern://3d45f250b698005a29eb58b6"
+ - "pattern://162d4ee18e469c146df153cc"
- "pattern://0d3511bed6798a78cc3237f6"
- "pattern://64f16c5d4c99eff0acbc8fdf"
- "pattern://0573c2491a56e59daca47e95"
diff --git a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
index ce1e48f..c5690f0 100644
--- a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
+++ b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
@@ -3,7 +3,7 @@
-
+
\ No newline at end of file
diff --git a/variables.yml b/variables.yml
index 35b7c77..0723a4b 100644
--- a/variables.yml
+++ b/variables.yml
@@ -22,6 +22,13 @@ variables:
- "disabled"
value: "disabled"
requireOverloading: true
+ ask_mobile_number-template-parameters:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
+ parameters:
+ required: false
+ syntax: "YAML"
+ value: "idm-service: idm\n"
+ requireOverloading: true
auth-session-store-database-host:
className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
parameters:
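Review bot: `ask_mobile_number-template-parameters` defines only `idm-service: idm`, but askMobileNumber.groovy in this commit reads `parameters.get('baseUrl')` to build the PATCH endpoint; unless `baseUrl` is injected from somewhere not visible here, the endpoint string becomes `null/core/v1/...`. Adding it to the value here (`value: "idm-service: idm\nbaseUrl: <IDM_BASE_URL_PLACEHOLDER>\n"`) or a comment documenting where the script gets it would close that gap.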
@@ -132,14 +139,31 @@ variables:
pathInputMode: "OPTIONAL"
value: "http://connect-application-billing.adn-agov-connect-01-dev:8082/connect/billing/relying-party/app-icon"
requireOverloading: true
+ csp-security-response-headers:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+ parameters:
+ separators:
+ - "="
+ switchedSeparators: []
+ value:
+ - param_csp: "default-src 'none'; script-src 'wasm-unsafe-eval' 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM='\
+ \ 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo='\
+ \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; worker-src blob:;\
+ \ child-src blob:; connect-src 'self' https://api.friendlycaptcha.com/api/v1/puzzle;\
+ \ img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls\
+ \ https://me.agov-d.azure.adnovum.net/registration/api/login/saml2/sso/agovidpdirect\
+ \ https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect;\
+ \ font-src 'self';"
+ - param_report_only_csp: "none"
+ requireOverloading: true
ensure_recovery_code-parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
parameters:
required: false
syntax: "YAML"
value: "utility-service.baseUrl: http://me-application-me-be.adn-agov-me-01-dev:8081/utility\n\
- cookie.domain: auth.agov-d.azure.adnovum.net\ntoken.algorithm: RS512\ntoken.time_to_live:\
- \ 600\ntoken.keystoreref: DefaultKeyStore\ntoken.keyobjectref: DefaultSigner"
+ token.algorithm: RS512\ntoken.time_to_live: 600\ntoken.keystoreref: DefaultKeyStore\n\
+ token.keyobjectref: DefaultSigner"
requireOverloading: true
env_ca-trusted-certificates:
className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
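Review bot: The enforced policy in `param_csp` sets no `frame-ancestors` or `base-uri` directive, and neither falls back to `default-src`, so framing is governed only by the separate `X-Frame-Options: DENY` header and `<base>` injection is not restricted; appending `frame-ancestors 'none'; base-uri 'self';` to the value covers both. This policy also replaces the previous report-only one, which listed style hashes, with `style-src 'self' 'unsafe-inline'`, which permits any injected inline style; if the hashes could not be maintained, a short note in the CSP pattern's `notes:` saying why would help reviewers. `param_report_only_csp: "none"` is a sentinel string that setCspHeaders.lua compares against, which works but deserves a comment next to it so nobody treats it as a real header value.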
@@ -168,9 +192,9 @@ variables:
parameters:
required: false
syntax: "YAML"
- value: "client.name: agov\nattributes: loginId,extId,firstName,name,email\nproperties:\
- \ eIdNumber,gender,placeOfBirth,svnr\nidm-service: idm\nagov.unitExtId: 1000\n\
- agov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7"
+ value: "client.name: agov\nattributes: loginId,extId,firstName,name,email,mobile\n\
+ properties: eIdNumber,gender,placeOfBirth,svnr\nidm-service: idm\nagov.unitExtId:\
+ \ 1000\nagov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7"
requireOverloading: true
fido-session-store-database-host:
className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
@@ -490,13 +514,6 @@ variables:
format: "^[^\\s,]*$"
value: "https://idp.agov-d.azure.adnovum.net/SAML2/"
requireOverloading: true
- idp_domain_settings:
- className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
- parameters:
- required: false
- syntax: "YAML"
- value: "cookie.domain: auth.agov-d.azure.adnovum.net"
- requireOverloading: true
idp_pem_atb-trusted-certificates:
className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
parameters:
@@ -906,31 +923,6 @@ variables:
secret: true
value: "sample password"
requireOverloading: true
- security-response-headers-response-headers:
- className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
- parameters:
- minRequired: 1
- separators:
- - ":"
- switchedSeparators: []
- value:
- - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
- - X-Content-Type-Options: "nosniff"
- - Referrer-Policy: "strict-origin-when-cross-origin"
- - X-Frame-Options: "DENY"
- - Cross-Origin-Opener-Policy: "same-origin"
- - Cross-Origin-Embedder-Policy: "require-corp"
- - Cross-Origin-Resource-Policy: "same-site"
- - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
- - Content-Security-Policy-Report-Only: "default-src 'none'; script-src 'self'\
- \ 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw=' 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw='\
- \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; connect-src 'self';\
- \ img-src 'self'; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='\
- \ 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='\
- \ 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=';\
- \ form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls;\
- \ font-src 'self'; "
- requireOverloading: true
service_provider_state-registration-template-parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
parameters: