BUNDBITBK-4307: Implementation

haburger 2025-03-05 06:38:13 +00:00
parent 3f9044fce2
commit 5cc9b308e9
2 changed files with 14 additions and 8 deletions


@ -44,11 +44,14 @@ def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
def bestTokenAddressWhitelist = ',' + (parameters.get('bestTokenAddressWhitelist') ?: '').replaceAll('\\s','') + ','
def appRequiresBestTokenWithAddress = bestTokenAddressWhitelist.contains(','+requester+',')
def bestTokenSvnrWhitelist = ',' + (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','') + ','
def appRequiresBestTokenWithSvnr = bestTokenSvnrWhitelist.contains(','+requester+',')
LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, BestTokenRequired='svnr: ${appRequiresBestTokenWithSvnr}; address: ${appRequiresBestTokenWithAddress}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')
if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
response.setResult('error');
@ -71,16 +74,18 @@ try {
def json = jsonSlurper.parseText(httpResponse.bodyAsString())
LOG.debug('AdressRequired: ' + json.addrRequired)
LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
LOG.debug('appRequiresBestTokenWithSvnr: ' + appRequiresBestTokenWithSvnr)
// address will be returned to the application if allowed by connect (json.addrRequired)
// and the authRequest was done with at least AGOVaq 200
// BITBKAGOVSUP-362: or whitelisted to receive the address
session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
// BUNDBITBK-4307: or best token for address is enabled
session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appRequiresBestTokenWithAddress)))
// address will be returned to the application if allowed by connect (json.svnrAllowed)
// and the authRequest was done with at least AGOVaq 300
session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
// BUNDBITBK-4307: or best token for svnr is enabled
session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
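Review bot: The two new whitelist checks (`bestTokenAddressWhitelist.contains(','+requester+',')` and its Svnr counterpart) are substring matches on a comma-wrapped string, and with this commit a match lets `agov.appSvnrAllowed` become true below AQ 300, so the match should be exact. When the parameter is empty or unset the wrapped string is `,,`, which an empty `requester` matches, and a `requester` containing a comma can match across two adjacent entries; how `requester` is assigned is outside the hunk, so this may already be excluded upstream. Parsing the parameter once into a set avoids both cases: `def bestTokenSvnrWhitelist = (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','').split(',').findAll { it } as Set` followed by `def appRequiresBestTokenWithSvnr = requester in bestTokenSvnrWhitelist`, and the same for the address list. The comment above the `agov.appSvnrAllowed` assignment still reads "address will be returned" and should say "svnr will be returned". The `try` block around the second hunk starts and ends outside the visible lines.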


@ -8,7 +8,8 @@ pattern:
scriptFile: "res://68665057549fd887ea09fb86#scriptFile"
parameters:
- url: "${var.connect.metadataservice.url}"
- appAddressRequired.whitelist: "${var.appAddressRequired.whitelist}"
- bestTokenAddressWhitelist: "${var.bestToken.address.whitelist}"
- bestTokenSvnrWhitelist: "${var.bestToken.svnr.whitelist}"
onSuccess:
- "pattern://f63c475c35b616b7c6c1901c"
onFailure: