From 5b9299caa8eb1ab1129cb2cda28bbb80f7dcae6e Mon Sep 17 00:00:00 2001
From: haburger
Date: Mon, 25 Nov 2024 15:29:20 +0000
Subject: [PATCH] 1.8 RC1
---
 .../setCspHeaders.lua | 18 +++++
 .../SendSamlResponseWithErrorState.xml | 2 +-
 .../AskMobileNumber.xml | 17 +++++
 .../askMobileNumber.groovy | 46 +++++++++++++
 .../IDP_IDP_Status_Check_State.xml | 2 +-
 .../returnTimeoutButKeepSessionState.xml | 2 +-
 .../EnsureRecoveryCode.xml | 2 +-
 ...Mobile_Number_6d83506dfcc430c12d81dfa3.yml | 15 +++++
 ...ponse_Headers_0d3511bed6798a78cc3237f6.yml | 18 +++++
 ...ponse_Headers_162d4ee18e469c146df153cc.yml | 9 +++
 ...Recovery_Code_9ff0369f3cf662f95d94ff09.yml | 4 +-
 ..._Status_Check_7a913eec7f78ce674cd87854.yml | 1 -
 ...utKeepSession_826166d230a6a4849f2837ae.yml | 1 -
 ...ponse_Headers_0d3511bed6798a78cc3237f6.yml | 8 ---
 ...WithAssertion_b87d0d2b640e8e545ad70234.yml | 1 -
 ...onseWithError_4c65de021d362462324a3a5f.yml | 1 -
 ...tual_Host_idp_1f0702aaabef60a615abf41f.yml | 1 +
 .../SendSamlResponseWithAssertionState.xml | 2 +-
 variables.yml | 66 ++++++++-----------
 19 files changed, 160 insertions(+), 56 deletions(-)
 create mode 100644 patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua
 create mode 100644 patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
 create mode 100644 patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
 create mode 100644 patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml
 create mode 100644 patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
 create mode 100644 patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml
 delete mode 100644 patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
diff --git a/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua b/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua
new file mode 100644
index 0000000..0a061d5
--- /dev/null
+++ b/patterns/162d4ee18e469c146df153cc_script/setCspHeaders.lua
@@ -0,0 +1,18 @@
+function outputHeader(request, response)
+ trace = request:getTracer()
+
+ cspHeader = response:getHeader("content-security-policy")
+ if (cspHeader ~= nil) then
+ trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
+ else
+ trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
+ response:setHeader("content-security-policy", param_csp)
+ end
+
+ if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
+ trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
+ response:setHeader("content-security-policy-report-only", param_report_only_csp)
+ else
+ trace:debug("AGOV CSP: No report only CSP-header set")
+ end
+end
diff --git a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
index 2e91ab7..1e5ed6b 100644
--- a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
+++ b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
@@ -2,7 +2,7 @@
-
+
\ No newline at end of file
diff --git a/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
new file mode 100644
index 0000000..625bd28
--- /dev/null
+++ b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
new file mode 100644
index 0000000..46cd9f0
--- /dev/null
+++ b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
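Review bot: `trace` and `cspHeader` are assigned without `local` on the second and fourth lines of outputHeader, so they become globals in whatever Lua state hosts the script rather than per-call values; declare them `local trace = request:getTracer()` and `local cspHeader = response:getHeader("content-security-policy")`. The else branch concatenates `param_csp` unguarded, so a missing parameter raises an error inside the debug call instead of being handled explicitly the way the report-only branch checks `param_report_only_csp ~= nil`. A header comment on the function should state that a backend-supplied Content-Security-Policy header is kept verbatim and only the absent case receives the AGOV default, since that is the policy decision a reader of the pattern needs to know. The debug message also misspells "Additionl".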
@@ -0,0 +1,46 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+import groovy.xml.XmlSlurper
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String mobile = session.get('ch.nevis.idm.User.mobile')
+
+String baseUrl = parameters.get('baseUrl')
+String endPoint = "${baseUrl}/core/v1/${clientExtId}/users/${userExtId}"
+
+
+if (mobile) {
+ LOG.debug("User '${user}' has already registered a mobile number")
+ response.setResult('done')
+ return
+}
+if (inargs['submit'] && inargs['mobile']) {
+ String result
+
+ def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
+ try {
+ result = idmRestClient.patch(endPoint, patchBdy)
+ } catch(Exception e) {
+ LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to save number (${e})'")
+ }
+ response.setResult('done')
+ return
+}
+
+
+// we should ask the user
+response.setStatus(AuthResponse.AUTH_CONTINUE)
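Review bot: `patchBdy` is built by string interpolation, so a quote or backslash in the user-supplied `inargs['mobile']` breaks the JSON or lets the submitted value add keys to the PATCH body sent to the IDM user endpoint; build it with the JSON encoder instead, `def patchBdy = JsonOutput.toJson([contacts: [mobile: inargs['mobile']?.trim()], modificationComment: "added mobile number from user during request ${requestId}"])` and add `import groovy.json.JsonOutput`. The value is also not validated before being persisted, so a format check and a length bound on the trimmed number before the PATCH would reject junk earlier and keep the warn log meaningful. The catch block logs the failure but still sets the result to 'done', which reads as intentional best-effort but deserves a one-line comment saying so, since the user is not told that the number was not saved. `JsonSlurper`, `XmlSlurper` and `HTTPRequestWrapper` are imported but unused, as is the `result` variable.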
diff --git a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
index 6188d8d..1af8a28 100644
--- a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
+++ b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
@@ -4,6 +4,6 @@
-
+
diff --git a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
index 2f64364..dafeec6 100644
--- a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
+++ b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
@@ -2,6 +2,6 @@
-
+
diff --git a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
index 362cd85..a02ff3c 100644
--- a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
+++ b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
@@ -35,7 +35,7 @@
-
+
diff --git a/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml b/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml
new file mode 100644
index 0000000..c99db7c
--- /dev/null
+++ b/patterns/Ask_Mobile_Number_6d83506dfcc430c12d81dfa3.yml
@@ -0,0 +1,15 @@
+schemaVersion: "1.0"
+pattern:
+ id: "6d83506dfcc430c12d81dfa3"
+ className: "ch.nevis.admin.v4.plugin.nevisauth.patterns2.GenericAuthenticationStep"
+ name: "Ask_Mobile_Number"
+ properties:
+ authStatesFile: "res://6d83506dfcc430c12d81dfa3#authStatesFile"
+ parameters: "var://ask_mobile_number-template-parameters"
+ onSuccess:
+ - "pattern://2cdd910036aa06b102863a4f"
+ onFailure:
+ - "pattern://2cdd910036aa06b102863a4f"
+ resources: "res://6d83506dfcc430c12d81dfa3#resources"
+ keyObjects:
+ - "pattern://bcfe78c02cbe0588528bc3cb"
diff --git a/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml b/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
new file mode 100644
index 0000000..1e34d8a
--- /dev/null
+++ b/patterns/Base_Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
@@ -0,0 +1,18 @@
+schemaVersion: "1.0"
+pattern:
+ id: "0d3511bed6798a78cc3237f6"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
+ name: "Base Security Response Headers"
+ label: "PROXY"
+ notes: "The security response headers, which are environment independent and/or\
+ \ static"
+ properties:
+ responseHeaders:
+ - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
+ - X-Content-Type-Options: "nosniff"
+ - Referrer-Policy: "strict-origin-when-cross-origin"
+ - X-Frame-Options: "DENY"
+ - Cross-Origin-Opener-Policy: "same-origin"
+ - Cross-Origin-Embedder-Policy: "require-corp"
+ - Cross-Origin-Resource-Policy: "same-site"
+ - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
diff --git a/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml b/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml
new file mode 100644
index 0000000..541bbfa
--- /dev/null
+++ b/patterns/CSP_Security_Response_Headers_162d4ee18e469c146df153cc.yml
@@ -0,0 +1,9 @@
+schemaVersion: "1.0"
+pattern:
+ id: "162d4ee18e469c146df153cc"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
+ name: "CSP Security Response Headers"
+ properties:
+ script: "res://162d4ee18e469c146df153cc#script"
+ phase: "BEFORE_SANITATION"
+ parameters: "var://csp-security-response-headers"
diff --git a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
index 179af8b..7dd2db3 100644
--- a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
+++ b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
@@ -9,9 +9,9 @@ pattern:
 authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile"
 parameters: "var://ensure_recovery_code-parameters"
 onSuccess:
- - "pattern://2cdd910036aa06b102863a4f"
+ - "pattern://6d83506dfcc430c12d81dfa3"
 onFailure:
- - "pattern://2cdd910036aa06b102863a4f"
+ - "pattern://6d83506dfcc430c12d81dfa3"
 resources: "res://9ff0369f3cf662f95d94ff09#resources"
 keyObjects:
 - "pattern://bcfe78c02cbe0588528bc3cb"
diff --git a/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml b/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
index 005d511..b11cbd8 100644
--- a/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
+++ b/patterns/IDP_Status_Check_7a913eec7f78ce674cd87854.yml
@@ -6,7 +6,6 @@ pattern:
 label: "IDP"
 properties:
 authStatesFile: "res://7a913eec7f78ce674cd87854#authStatesFile"
- parameters: "var://idp_domain_settings"
 nextSteps:
 - "pattern://f63c475c35b616b7c6c1901c"
 resources: "res://7a913eec7f78ce674cd87854#resources"
diff --git a/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml b/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
index 80b5610..b94e0b2 100644
--- a/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
+++ b/patterns/ReturnTimeoutButKeepSession_826166d230a6a4849f2837ae.yml
@@ -6,5 +6,4 @@ pattern:
 label: "AUTH"
 properties:
 authStatesFile: "res://826166d230a6a4849f2837ae#authStatesFile"
- parameters: "var://idp_domain_settings"
 resources: "res://826166d230a6a4849f2837ae#resources"
diff --git a/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml b/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
deleted file mode 100644
index 4ea6f80..0000000
--- a/patterns/Security_Response_Headers_0d3511bed6798a78cc3237f6.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-schemaVersion: "1.0"
-pattern:
- id: "0d3511bed6798a78cc3237f6"
- className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.SecurityResponseHeaders"
- name: "Security Response Headers"
- label: "PROXY"
- properties:
- responseHeaders: "var://security-response-headers-response-headers"
diff --git a/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml b/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
index a63ea53..0dfc816 100644
--- a/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
+++ b/patterns/SendSamlResponseWithAssertion_b87d0d2b640e8e545ad70234.yml
@@ -8,7 +8,6 @@ pattern:
 \ IdP pattern generates a followup state)"
 properties:
 authStatesFile: "res://b87d0d2b640e8e545ad70234#authStatesFile"
- parameters: "var://idp_domain_settings"
 onSuccess:
 - "pattern://0eb5c0c45d7239987a22435a"
 resources: "res://b87d0d2b640e8e545ad70234#resources"
diff --git a/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml b/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
index fbab084..071b166 100644
--- a/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
+++ b/patterns/SendSamlResponseWithError_4c65de021d362462324a3a5f.yml
@@ -6,5 +6,4 @@ pattern:
 label: "IDP"
 properties:
 authStatesFile: "res://4c65de021d362462324a3a5f#authStatesFile"
- parameters: "var://idp_domain_settings"
 resources: "res://4c65de021d362462324a3a5f#resources"
diff --git a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
index 80cf58a..3284825 100644
--- a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
+++ b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
@@ -18,6 +18,7 @@ pattern:
 - "pattern://cc7f74cd87053a74a70588ad"
 - "pattern://bcca48cd422668aa2f78ea42"
 - "pattern://3d45f250b698005a29eb58b6"
+ - "pattern://162d4ee18e469c146df153cc"
 - "pattern://0d3511bed6798a78cc3237f6"
 - "pattern://64f16c5d4c99eff0acbc8fdf"
 - "pattern://0573c2491a56e59daca47e95"
diff --git a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
index ce1e48f..c5690f0 100644
--- a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
+++ b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
@@ -3,7 +3,7 @@
-
+
\ No newline at end of file
diff --git a/variables.yml b/variables.yml
index 35b7c77..0723a4b 100644
--- a/variables.yml
+++ b/variables.yml
@@ -22,6 +22,13 @@ variables:
 - "disabled"
 value: "disabled"
 requireOverloading: true
+ ask_mobile_number-template-parameters:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
+ parameters:
+ required: false
+ syntax: "YAML"
+ value: "idm-service: idm\n"
+ requireOverloading: true
 auth-session-store-database-host:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
 parameters:
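Review bot: `ask_mobile_number-template-parameters` only carries `idm-service: idm`, yet the new askMobileNumber.groovy reads `parameters.get('baseUrl')` to build its PATCH endpoint, so unless the GenericAuthenticationStep derives `baseUrl` from the referenced IDM service the URL will begin with `null`; the sibling `ensure_recovery_code-parameters` spells out a `utility-service.baseUrl` explicitly, which suggests confirming which convention applies here. If the step does fill it in, a short note in the variable's value, e.g. `# baseUrl is injected from idm-service`, would spare the next reader the same question.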
@@ -132,14 +139,31 @@ variables:
 pathInputMode: "OPTIONAL"
 value: "http://connect-application-billing.adn-agov-connect-01-dev:8082/connect/billing/relying-party/app-icon"
 requireOverloading: true
+ csp-security-response-headers:
+ className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
+ parameters:
+ separators:
+ - "="
+ switchedSeparators: []
+ value:
+ - param_csp: "default-src 'none'; script-src 'wasm-unsafe-eval' 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM='\
+ \ 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo='\
+ \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; worker-src blob:;\
+ \ child-src blob:; connect-src 'self' https://api.friendlycaptcha.com/api/v1/puzzle;\
+ \ img-src 'self'; style-src 'self' 'unsafe-inline' ; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls\
+ \ https://me.agov-d.azure.adnovum.net/registration/api/login/saml2/sso/agovidpdirect\
+ \ https://me.agov-d.azure.adnovum.net/account/api/login/saml2/sso/agovidpdirect;\
+ \ font-src 'self';"
+ - param_report_only_csp: "none"
+ requireOverloading: true
 ensure_recovery_code-parameters:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
 parameters:
 required: false
 syntax: "YAML"
 value: "utility-service.baseUrl: http://me-application-me-be.adn-agov-me-01-dev:8081/utility\n\
- cookie.domain: auth.agov-d.azure.adnovum.net\ntoken.algorithm: RS512\ntoken.time_to_live:\
- \ 600\ntoken.keystoreref: DefaultKeyStore\ntoken.keyobjectref: DefaultSigner"
+ token.algorithm: RS512\ntoken.time_to_live: 600\ntoken.keystoreref: DefaultKeyStore\n\
+ token.keyobjectref: DefaultSigner"
 requireOverloading: true
 env_ca-trusted-certificates:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
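Review bot: `style-src 'self' 'unsafe-inline'` in the new enforced `param_csp` permits every inline style, whereas the report-only policy this commit deletes was trialling explicit style hashes, so the enforced policy ends up looser than the draft that preceded it; if the inline styles are known, the hash list (or a nonce) is preferable, and if they are not, the reason for `'unsafe-inline'` belongs in a comment next to the value. The property declares `=` as its override separator while the value contains `=` inside every sha256 source, so it is worth confirming that an environment override is split only on the first `=` before relying on `requireOverloading`. `param_report_only_csp: "none"` is a sentinel the Lua script tests by string comparison, and a comment such as `# "none" disables the Content-Security-Policy-Report-Only header` would make that visible here rather than only in the script. The form-action list hard-codes agov-d hostnames, which is acceptable with requireOverloading but is the part every other environment must replace.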
@@ -168,9 +192,9 @@ variables:
 parameters:
 required: false
 syntax: "YAML"
- value: "client.name: agov\nattributes: loginId,extId,firstName,name,email\nproperties:\
- \ eIdNumber,gender,placeOfBirth,svnr\nidm-service: idm\nagov.unitExtId: 1000\n\
- agov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7"
+ value: "client.name: agov\nattributes: loginId,extId,firstName,name,email,mobile\n\
+ properties: eIdNumber,gender,placeOfBirth,svnr\nidm-service: idm\nagov.unitExtId:\
+ \ 1000\nagov.level100.roleExtid: aee52e9f-7084-4e55-9aea-9383ac7757f7"
 requireOverloading: true
 fido-session-store-database-host:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.HostPortProperty"
@@ -490,13 +514,6 @@ variables:
 format: "^[^\\s,]*$"
 value: "https://idp.agov-d.azure.adnovum.net/SAML2/"
 requireOverloading: true
- idp_domain_settings:
- className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
- parameters:
- required: false
- syntax: "YAML"
- value: "cookie.domain: auth.agov-d.azure.adnovum.net"
- requireOverloading: true
 idp_pem_atb-trusted-certificates:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.AttachmentProperty"
 parameters:
@@ -906,31 +923,6 @@ variables:
 secret: true
 value: "sample password"
 requireOverloading: true
- security-response-headers-response-headers:
- className: "ch.nevis.admin.v4.plugin.base.generation.property.KeyValueProperty"
- parameters:
- minRequired: 1
- separators:
- - ":"
- switchedSeparators: []
- value:
- - Strict-Transport-Security: "max-age=63072000; includeSubDomains;"
- - X-Content-Type-Options: "nosniff"
- - Referrer-Policy: "strict-origin-when-cross-origin"
- - X-Frame-Options: "DENY"
- - Cross-Origin-Opener-Policy: "same-origin"
- - Cross-Origin-Embedder-Policy: "require-corp"
- - Cross-Origin-Resource-Policy: "same-site"
- - Permissions-Policy: "geolocation=(), camera=(), microphone=(), interest-cohort=()"
- - Content-Security-Policy-Report-Only: "default-src 'none'; script-src 'self'\
- \ 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw=' 'sha256-YPbtYpCQA51uSiLa2ux1TkGQoRDNbpdlYd50ospNgYw='\
- \ 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; connect-src 'self';\
- \ img-src 'self'; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='\
- \ 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='\
- \ 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=';\
- \ form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls;\
- \ font-src 'self'; "
- requireOverloading: true
 service_provider_state-registration-template-parameters:
 className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
 parameters: