BUNDBITBK-4307: Implementation
This commit is contained in:
parent
3f9044fce2
commit
5cc9b308e9
|
@ -44,11 +44,14 @@ def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
|
||||||
def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
|
def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
|
||||||
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
|
def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
|
||||||
|
|
||||||
LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
|
def bestTokenAddressWhitelist = ',' + (parameters.get('bestTokenAddressWhitelist') ?: '').replaceAll('\\s','') + ','
|
||||||
|
def appRequiresBestTokenWithAddress = bestTokenAddressWhitelist.contains(','+requester+',')
|
||||||
|
|
||||||
|
def bestTokenSvnrWhitelist = ',' + (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','') + ','
|
||||||
|
def appRequiresBestTokenWithSvnr = bestTokenSvnrWhitelist.contains(','+requester+',')
|
||||||
|
|
||||||
|
LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, BestTokenRequired='svnr: ${appRequiresBestTokenWithSvnr}; address: ${appRequiresBestTokenWithAddress}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
|
||||||
|
|
||||||
def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
|
|
||||||
def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')
|
|
||||||
|
|
||||||
if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
|
if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
|
||||||
response.setResult('error');
|
response.setResult('error');
|
||||||
|
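Review bot: The two new whitelist checks (`bestTokenAddressWhitelist` and `bestTokenSvnrWhitelist`) test membership by substring search on a comma-joined string, so a `requester` value containing a comma could match across two adjacent entries, and the parsing is written twice verbatim. Since these flags later relax the AGOVaq requirement for releasing the address and the svnr, an exact per-entry comparison against a parsed set is the safer form and also removes the duplication. `requester` is defined before this hunk, so whether it can contain a comma is not visible here; the exact-match form avoids having to answer that. The new AUTHREQUEST log line can stay as is, since it already records both flags.
```groovy
// membership test by exact entry, not by substring on the joined list
def isOnWhitelist = { String paramName ->
    def entries = (parameters.get(paramName) ?: '').split(',').collect { it.replaceAll('\\s', '') }.findAll { it }
    entries.contains(requester)
}
def appRequiresBestTokenWithAddress = isOnWhitelist('bestTokenAddressWhitelist')
def appRequiresBestTokenWithSvnr = isOnWhitelist('bestTokenSvnrWhitelist')
// … unchanged: LOG.info AUTHREQUEST line …
```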
@ -71,16 +74,18 @@ try {
|
||||||
def json = jsonSlurper.parseText(httpResponse.bodyAsString())
|
def json = jsonSlurper.parseText(httpResponse.bodyAsString())
|
||||||
LOG.debug('AdressRequired: ' + json.addrRequired)
|
LOG.debug('AdressRequired: ' + json.addrRequired)
|
||||||
LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
|
LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
|
||||||
LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
|
LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
|
||||||
|
LOG.debug('appRequiresBestTokenWithSvnr: ' + appRequiresBestTokenWithSvnr)
|
||||||
|
|
||||||
// address will be returned to the application if allowed by connect (json.addrRequired)
|
// address will be returned to the application if allowed by connect (json.addrRequired)
|
||||||
// and the authRequest was done with at least AGOVaq 200
|
// and the authRequest was done with at least AGOVaq 200
|
||||||
// BITBKAGOVSUP-362: or whitelisted to receive the address
|
// BUNDBITBK-4307: or best token for address is enabled
|
||||||
session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
|
session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appRequiresBestTokenWithAddress)))
|
||||||
|
|
||||||
// address will be returned to the application if allowed by connect (json.svnrAllowed)
|
// address will be returned to the application if allowed by connect (json.svnrAllowed)
|
||||||
// and the authRequest was done with at least AGOVaq 300
|
// and the authRequest was done with at least AGOVaq 300
|
||||||
session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
|
// BUNDBITBK-4307: or best token for svnr is enabled
|
||||||
|
session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
|
||||||
|
|
||||||
session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
|
session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
|
||||||
session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
|
session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
|
||||||
|
|
|
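Review bot: The comment block above the new `agov.appSvnrAllowed` assignment still reads "address will be returned to the application if allowed by connect (json.svnrAllowed)", which is a copy of the address comment and now sits directly above the BUNDBITBK-4307 line that describes the svnr override. Suggest `// svnr will be returned to the application if allowed by connect (json.svnrAllowed)` so the three comment lines describe the attribute they precede. It would also help a reader to state on the new BUNDBITBK-4307 comment that the whitelist flag is the only gate below AGOVaq 300, e.g. `// BUNDBITBK-4307: or best token for svnr is enabled (whitelist replaces the AGOVaq 300 requirement)`. The enclosing `try` block starts outside this hunk.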
@ -8,7 +8,8 @@ pattern:
|
||||||
scriptFile: "res://68665057549fd887ea09fb86#scriptFile"
|
scriptFile: "res://68665057549fd887ea09fb86#scriptFile"
|
||||||
parameters:
|
parameters:
|
||||||
- url: "${var.connect.metadataservice.url}"
|
- url: "${var.connect.metadataservice.url}"
|
||||||
- appAddressRequired.whitelist: "${var.appAddressRequired.whitelist}"
|
- bestTokenAddressWhitelist: "${var.bestToken.address.whitelist}"
|
||||||
|
- bestTokenSvnrWhitelist: "${var.bestToken.svnr.whitelist}"
|
||||||
onSuccess:
|
onSuccess:
|
||||||
- "pattern://f63c475c35b616b7c6c1901c"
|
- "pattern://f63c475c35b616b7c6c1901c"
|
||||||
onFailure:
|
onFailure:
|
||||||
|
|