1.7.5 RC1

2024-11-29 12:40:56 +00:00 · 2024-11-29 12:40:56 +00:00 · 60eb1a7192
parent 5b9299caa8
commit 60eb1a7192
20 changed files with 90 additions and 21 deletions
--- a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
+++ b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
--- a/patterns/204c22beaccdfd22727af378_labels/labels.zip
+++ b/patterns/204c22beaccdfd22727af378_labels/labels.zip
--- a/patterns/204c22beaccdfd22727af378_template/webdata.zip
+++ b/patterns/204c22beaccdfd22727af378_template/webdata.zip
--- a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
+++ b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml
@ -2,7 +2,7 @@
    <Response value="AUTH_ERROR">
        <Gui name="NotUsed"/>
    </Response>
-    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
+    <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
 </AuthState>
--- a/patterns/4f6692a69e4f33c8ed4c145f_script/responseHeaderPostProcessing.lua
+++ b/patterns/4f6692a69e4f33c8ed4c145f_script/responseHeaderPostProcessing.lua
@ -0,0 +1,12 @@
+function outputHeader(request, response)
+    trace = request:getTracer()
+
+    -- rename Set-Cookie2 header
+    local setCookieHeader = response:getHeader("Set-Cookie2")
+    if (setCookieHeader ~= nil) then 
+        trace:debug("Set a new cookie: " .. setCookieHeader)
+        response:addHeader("Set-Cookie", setCookieHeader)
+        response:removeHeader("Set-Cookie2")
+    end
+
+end
--- a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
+++ b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
--- a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
+++ b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
--- a/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
+++ b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml
@ -2,8 +2,9 @@
 	<ResultCond name="done" next="${state.done}"/>
 	<Response value="AUTH_CONTINUE">
 		<Gui name="ask_mobile_number" label="general.askMobileNumber">
-			<GuiElem name="mobile" type="text" optional="true"/>
-			<GuiElem name="skip" type="checkbox" value="false" optional="true"/>
+			<GuiElem name="mobile" type="text" label="mobile number" optional="true"/>
+			<!-- GuiElem name="skip" type="checkbox" label="skip me" value="false" optional="true"/ -->
+			<GuiElem name="skip" type="text" label="skip me" value="false" optional="true"/>
 			<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
 			<GuiElem name="submit" type="button" label="continue.button.label" value="submit"/>
 		</Gui>
@ -13,5 +14,5 @@
 	<property name="parameter.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/>
    <property name="parameter.idm.httpclient.tls.keyObjectRef" value="DefaultKeyStore"/>
 	<property name="parameter.idm.httpclient.tls.trustStoreRef" value="${keystore}"/>
-	<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
+	<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
 </AuthState>
--- a/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
+++ b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy
@ -6,6 +6,15 @@ import ch.nevis.idm.client.HTTPRequestWrapper
 import groovy.json.JsonSlurper
 import groovy.xml.XmlSlurper

+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+
 // Accounting
 def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
 def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
@ -28,7 +37,45 @@ if (mobile) {
    response.setResult('done')
    return
 }
-if (inargs['submit'] && inargs['mobile']) {
+
+if (!inargs['submit'] && (!inargs['mobile'] || !inargs['mobile'].isEmpty()) && inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
+    // language switch, nothing else to do, just display again the GUI
+    response.setStatus(AuthResponse.AUTH_CONTINUE)
+    return
+}
+
+// TODO/haburger/2024-11-24: check/adapt value of skip checkbox
+if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && inargs['skip'] && inargs['skip'] == 'true') {
+    // no mobile, and user wants to skip it
+
+    LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+    
+    // persistent cookie for 30d;
+    def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly"
+    // setHeader doesn't support multiple headers with the same name, so we use
+    // a different one, and rewrite it in the proxy with Lua
+    response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie)
+    response.setResult('done')
+    return
+}
+
+def agovSkipAskingMobileCookie = 'missing'
+
+if (getHeader('cookie') != null) {
+    def cookies = getHeader('cookie')
+    if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')) {
+        agovSkipAskingMobileCookie = cookies.replaceAll('^.*agovSkipAskingMobile=([^;]+).*$', '$1')
+    }
+}
+if (agovSkipAskingMobileCookie == 'true') {
+    // Don't aske the user again...
+    LOG.info("Event='SKIPPEDMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+    response.setResult('done')
+    return
+}
+
+
+if (inargs['submit'] && inargs['mobile'] && !inargs['mobile'].isEmpty()) {
    String result

    def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
--- a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
+++ b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
@ -4,6 +4,6 @@
    <Response value="AUTH_ERROR">
    </Response>
    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
+    <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
 </AuthState>
--- a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
+++ b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml
@ -2,6 +2,6 @@
    <Response value="AUTH_CONTINUE">
        <Gui name="NotUsed"/>
    </Response>
-    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
+    <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy"/>
 </AuthState>
--- a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
+++ b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml
@ -35,7 +35,7 @@
 	<property name="parameter.utility-service.baseUrl" value="${param.utility-service.baseUrl}"/>
 	<!--property name="parameter.idm.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/-->
 	<property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Recovery_Code"/>
-	<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
+	<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
 </AuthState>
 <AuthState name="${state.entry}_encryptCode" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
 	<ResultCond name="default" next="${state.entry}_Process"/>
--- a/patterns/Auth_Realm_Main_IDP_4fcfadb4a5c946ead7e6e995.yml
+++ b/patterns/Auth_Realm_Main_IDP_4fcfadb4a5c946ead7e6e995.yml
@ -24,6 +24,6 @@ pattern:
    cookieName: "agov"
    initialSessionTimeout: "var://idp-authentication-session-timeout"
    sessionTimeout: "30m"
-    langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain"
+    langCookieDomain: "var://agov-language-cookie-domain"
    resetAuthenticationCondition: "#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id'))\
      \ ? 'restart' : '' }"
--- a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
+++ b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml
@ -9,9 +9,9 @@ pattern:
    authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile"
    parameters: "var://ensure_recovery_code-parameters"
    onSuccess:
-    - "pattern://6d83506dfcc430c12d81dfa3"
+    - "pattern://2cdd910036aa06b102863a4f"
    onFailure:
-    - "pattern://6d83506dfcc430c12d81dfa3"
+    - "pattern://2cdd910036aa06b102863a4f"
    resources: "res://9ff0369f3cf662f95d94ff09#resources"
    keyObjects:
    - "pattern://bcfe78c02cbe0588528bc3cb"
--- a/patterns/IdP_ResponseHeader_Post_Processing_4f6692a69e4f33c8ed4c145f.yml
+++ b/patterns/IdP_ResponseHeader_Post_Processing_4f6692a69e4f33c8ed4c145f.yml
@ -0,0 +1,8 @@
+schemaVersion: "1.0"
+pattern:
+  id: "4f6692a69e4f33c8ed4c145f"
+  className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
+  name: "IdP_ResponseHeader_Post_Processing"
+  properties:
+    script: "res://4f6692a69e4f33c8ed4c145f#script"
+    phase: "BEFORE_SANITATION"
--- a/patterns/NotUsed_Auth_Realm_06aeae2d799e492f5580d03b.yml
+++ b/patterns/NotUsed_Auth_Realm_06aeae2d799e492f5580d03b.yml
@ -20,4 +20,4 @@ pattern:
    logrend:
    - "pattern://097929211988398a87bcbb0c"
    initialSessionTimeout: "var://idp-authentication-session-timeout"
-    langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain"
+    langCookieDomain: "var://agov-language-cookie-domain"
--- a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
+++ b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml
@ -19,6 +19,7 @@ pattern:
    - "pattern://bcca48cd422668aa2f78ea42"
    - "pattern://3d45f250b698005a29eb58b6"
    - "pattern://162d4ee18e469c146df153cc"
+    - "pattern://4f6692a69e4f33c8ed4c145f"
    - "pattern://0d3511bed6798a78cc3237f6"
    - "pattern://64f16c5d4c99eff0acbc8fdf"
    - "pattern://0573c2491a56e59daca47e95"
--- a/patterns/_Auth_Realm_Recovery_204c22beaccdfd22727af378.yml
+++ b/patterns/_Auth_Realm_Recovery_204c22beaccdfd22727af378.yml
@ -16,6 +16,6 @@ pattern:
    labels: "res://204c22beaccdfd22727af378#labels"
    cookieName: "agovRecovery"
    cookieSameSite: "Lax"
-    langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain"
+    langCookieDomain: "var://agov-language-cookie-domain"
    resetAuthenticationCondition: "#{ (inargs.containsKey('cd')) ? 'restart' : ''\
      \ }"
--- a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
+++ b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml
@ -3,7 +3,7 @@
    <Response value="AUTH_DONE">
        <Gui name="not_used"/>
    </Response>
-    <property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
+    <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
 </AuthState>
--- a/variables.yml
+++ b/variables.yml
@ -1,5 +1,12 @@
 schemaVersion: "1.0"
 variables:
+  agov-language-cookie-domain:
+    className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
+    parameters:
+      minRequired: 0
+      maxAllowed: 1
+    value: ".agov-d.azure.adnovum.net"
+    requireOverloading: true
  agov_dev_idm-db-management:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
    parameters:
@ -92,13 +99,6 @@ variables:
      maxAllowed: 1
    value: "nevisauth"
    requireOverloading: true
-  auth_realm_main_idp-language-cookie-domain:
-    className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
-    parameters:
-      minRequired: 0
-      maxAllowed: 1
-    value: ".agov-d.azure.adnovum.net"
-    requireOverloading: true
  auth_realm_main_sts_parameters:
    className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
    parameters: