1.7.5 RC1
This commit is contained in:
parent
5b9299caa8
commit
60eb1a7192
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -2,7 +2,7 @@
|
||||||
<Response value="AUTH_ERROR">
|
<Response value="AUTH_ERROR">
|
||||||
<Gui name="NotUsed"/>
|
<Gui name="NotUsed"/>
|
||||||
</Response>
|
</Response>
|
||||||
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
|
<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
|
||||||
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
|
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
|
||||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
|
||||||
</AuthState>
|
</AuthState>
|
|
@ -0,0 +1,12 @@
|
||||||
|
function outputHeader(request, response)
|
||||||
|
trace = request:getTracer()
|
||||||
|
|
||||||
|
-- rename Set-Cookie2 header
|
||||||
|
local setCookieHeader = response:getHeader("Set-Cookie2")
|
||||||
|
if (setCookieHeader ~= nil) then
|
||||||
|
trace:debug("Set a new cookie: " .. setCookieHeader)
|
||||||
|
response:addHeader("Set-Cookie", setCookieHeader)
|
||||||
|
response:removeHeader("Set-Cookie2")
|
||||||
|
end
|
||||||
|
|
||||||
|
end
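Review bot: `trace = request:getTracer()` on the second line of outputHeader assigns a global; declare it `local trace = request:getTracer()` like setCookieHeader below, so the tracer is not written into the Lua global table shared across requests. The debug line prints the whole Set-Cookie2 value; today that is only the agovSkipAskingMobile flag, but if this rewrite is ever reused for another cookie the value would land in the log, so logging just the cookie name (`trace:debug("Renamed Set-Cookie2 for cookie: " .. (string.match(setCookieHeader, "^[^=]+") or "?"))`) is the safer habit. A short header comment stating why the script exists — the AuthState's setHeader cannot emit a second Set-Cookie, so the Groovy side sends Set-Cookie2 and this filter renames it — would document the coupling from this end as well.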
|
Binary file not shown.
Binary file not shown.
|
@ -2,8 +2,9 @@
|
||||||
<ResultCond name="done" next="${state.done}"/>
|
<ResultCond name="done" next="${state.done}"/>
|
||||||
<Response value="AUTH_CONTINUE">
|
<Response value="AUTH_CONTINUE">
|
||||||
<Gui name="ask_mobile_number" label="general.askMobileNumber">
|
<Gui name="ask_mobile_number" label="general.askMobileNumber">
|
||||||
<GuiElem name="mobile" type="text" optional="true"/>
|
<GuiElem name="mobile" type="text" label="mobile number" optional="true"/>
|
||||||
<GuiElem name="skip" type="checkbox" value="false" optional="true"/>
|
<!-- GuiElem name="skip" type="checkbox" label="skip me" value="false" optional="true"/ -->
|
||||||
|
<GuiElem name="skip" type="text" label="skip me" value="false" optional="true"/>
|
||||||
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
|
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
|
||||||
<GuiElem name="submit" type="button" label="continue.button.label" value="submit"/>
|
<GuiElem name="submit" type="button" label="continue.button.label" value="submit"/>
|
||||||
</Gui>
|
</Gui>
|
||||||
|
@ -13,5 +14,5 @@
|
||||||
<property name="parameter.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/>
|
<property name="parameter.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/>
|
||||||
<property name="parameter.idm.httpclient.tls.keyObjectRef" value="DefaultKeyStore"/>
|
<property name="parameter.idm.httpclient.tls.keyObjectRef" value="DefaultKeyStore"/>
|
||||||
<property name="parameter.idm.httpclient.tls.trustStoreRef" value="${keystore}"/>
|
<property name="parameter.idm.httpclient.tls.trustStoreRef" value="${keystore}"/>
|
||||||
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
|
<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
|
||||||
</AuthState>
|
</AuthState>
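Review bot: The `skip` GuiElem swaps the checkbox for a free-text input prefilled with "false", and the Groovy script in this commit only honours `inargs['skip'] == 'true'`, so a user has to type the literal word true to skip; together with the Groovy TODO ("check/adapt value of skip checkbox") this reads as a stopgap, but the XML only carries the old element commented out. State that in place so the intent survives the release, e.g. `<!-- TODO: 'skip' is a text field until the checkbox value handling (see the TODO in the ask-mobile Groovy script) is settled; the script expects the literal value 'true' -->`. The cookie.domain change in the second hunk of this section is covered by the note on the first AuthState section.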
|
||||||
|
|
|
@ -6,6 +6,15 @@ import ch.nevis.idm.client.HTTPRequestWrapper
|
||||||
import groovy.json.JsonSlurper
|
import groovy.json.JsonSlurper
|
||||||
import groovy.xml.XmlSlurper
|
import groovy.xml.XmlSlurper
|
||||||
|
|
||||||
|
def getHeader(String name) {
|
||||||
|
def inctx = request.getLoginContext()
|
||||||
|
// case-insensitive lookup of HTTP headers
|
||||||
|
def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
|
||||||
|
map.putAll(inctx)
|
||||||
|
return map['connection.HttpHeader.' + name]
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
// Accounting
|
// Accounting
|
||||||
def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
|
def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
|
||||||
def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
|
def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
|
||||||
|
@ -28,7 +37,45 @@ if (mobile) {
|
||||||
response.setResult('done')
|
response.setResult('done')
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if (inargs['submit'] && inargs['mobile']) {
|
|
||||||
|
if (!inargs['submit'] && (!inargs['mobile'] || !inargs['mobile'].isEmpty()) && inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
|
||||||
|
// language switch, nothing else to do, just display again the GUI
|
||||||
|
response.setStatus(AuthResponse.AUTH_CONTINUE)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO/haburger/2024-11-24: check/adapt value of skip checkbox
|
||||||
|
if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && inargs['skip'] && inargs['skip'] == 'true') {
|
||||||
|
// no mobile, and user wants to skip it
|
||||||
|
|
||||||
|
LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
|
||||||
|
|
||||||
|
// persistent cookie for 30d;
|
||||||
|
def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly"
|
||||||
|
// setHeader doesn't support multiple headers with the same name, so we use
|
||||||
|
// a different one, and rewrite it in the proxy with Lua
|
||||||
|
response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie)
|
||||||
|
response.setResult('done')
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
def agovSkipAskingMobileCookie = 'missing'
|
||||||
|
|
||||||
|
if (getHeader('cookie') != null) {
|
||||||
|
def cookies = getHeader('cookie')
|
||||||
|
if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')) {
|
||||||
|
agovSkipAskingMobileCookie = cookies.replaceAll('^.*agovSkipAskingMobile=([^;]+).*$', '$1')
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (agovSkipAskingMobileCookie == 'true') {
|
||||||
|
// Don't aske the user again...
|
||||||
|
LOG.info("Event='SKIPPEDMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
|
||||||
|
response.setResult('done')
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if (inargs['submit'] && inargs['mobile'] && !inargs['mobile'].isEmpty()) {
|
||||||
String result
|
String result
|
||||||
|
|
||||||
def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
|
def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
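Review bot: The cookie lookup at `if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$'))` matches the cookie name as a bare substring, so a cookie whose name merely ends in agovSkipAskingMobile also sets the flag, and when the header carries the name twice the greedy prefix picks the last occurrence; anchoring the name to a cookie boundary closes both, e.g. `def m = cookies ? (cookies =~ /(?:^|;\s*)agovSkipAskingMobile=([^;]+)/) : null` followed by `if (m?.find()) { agovSkipAskingMobileCookie = m.group(1) }`, which also collapses the null check and the second `getHeader('cookie')` call into one lookup — each getHeader call copies the entire login context into a fresh TreeMap. The language-switch guard `(!inargs['mobile'] || !inargs['mobile'].isEmpty())` looks always true for a String value under Groovy truth (an empty string already satisfies the first operand), so either the clause is redundant or it was meant to mirror the `(!inargs['mobile'] || inargs['mobile'].isEmpty())` form used in the skip check two blocks later — worth confirming which. The enclosing script starts before and continues after both hunks.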
|
||||||
|
|
|
@ -4,6 +4,6 @@
|
||||||
<Response value="AUTH_ERROR">
|
<Response value="AUTH_ERROR">
|
||||||
</Response>
|
</Response>
|
||||||
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
|
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
|
||||||
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
|
<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
|
||||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
|
|
|
@ -2,6 +2,6 @@
|
||||||
<Response value="AUTH_CONTINUE">
|
<Response value="AUTH_CONTINUE">
|
||||||
<Gui name="NotUsed"/>
|
<Gui name="NotUsed"/>
|
||||||
</Response>
|
</Response>
|
||||||
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
|
<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
|
||||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy"/>
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy"/>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
<property name="parameter.utility-service.baseUrl" value="${param.utility-service.baseUrl}"/>
|
<property name="parameter.utility-service.baseUrl" value="${param.utility-service.baseUrl}"/>
|
||||||
<!--property name="parameter.idm.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/-->
|
<!--property name="parameter.idm.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/-->
|
||||||
<property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Recovery_Code"/>
|
<property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Recovery_Code"/>
|
||||||
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
|
<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
<AuthState name="${state.entry}_encryptCode" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
|
<AuthState name="${state.entry}_encryptCode" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
|
||||||
<ResultCond name="default" next="${state.entry}_Process"/>
|
<ResultCond name="default" next="${state.entry}_Process"/>
|
||||||
|
|
|
@ -24,6 +24,6 @@ pattern:
|
||||||
cookieName: "agov"
|
cookieName: "agov"
|
||||||
initialSessionTimeout: "var://idp-authentication-session-timeout"
|
initialSessionTimeout: "var://idp-authentication-session-timeout"
|
||||||
sessionTimeout: "30m"
|
sessionTimeout: "30m"
|
||||||
langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain"
|
langCookieDomain: "var://agov-language-cookie-domain"
|
||||||
resetAuthenticationCondition: "#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id'))\
|
resetAuthenticationCondition: "#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id'))\
|
||||||
\ ? 'restart' : '' }"
|
\ ? 'restart' : '' }"
|
||||||
|
|
|
@ -9,9 +9,9 @@ pattern:
|
||||||
authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile"
|
authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile"
|
||||||
parameters: "var://ensure_recovery_code-parameters"
|
parameters: "var://ensure_recovery_code-parameters"
|
||||||
onSuccess:
|
onSuccess:
|
||||||
- "pattern://6d83506dfcc430c12d81dfa3"
|
- "pattern://2cdd910036aa06b102863a4f"
|
||||||
onFailure:
|
onFailure:
|
||||||
- "pattern://6d83506dfcc430c12d81dfa3"
|
- "pattern://2cdd910036aa06b102863a4f"
|
||||||
resources: "res://9ff0369f3cf662f95d94ff09#resources"
|
resources: "res://9ff0369f3cf662f95d94ff09#resources"
|
||||||
keyObjects:
|
keyObjects:
|
||||||
- "pattern://bcfe78c02cbe0588528bc3cb"
|
- "pattern://bcfe78c02cbe0588528bc3cb"
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
schemaVersion: "1.0"
|
||||||
|
pattern:
|
||||||
|
id: "4f6692a69e4f33c8ed4c145f"
|
||||||
|
className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
|
||||||
|
name: "IdP_ResponseHeader_Post_Processing"
|
||||||
|
properties:
|
||||||
|
script: "res://4f6692a69e4f33c8ed4c145f#script"
|
||||||
|
phase: "BEFORE_SANITATION"
|
|
@ -20,4 +20,4 @@ pattern:
|
||||||
logrend:
|
logrend:
|
||||||
- "pattern://097929211988398a87bcbb0c"
|
- "pattern://097929211988398a87bcbb0c"
|
||||||
initialSessionTimeout: "var://idp-authentication-session-timeout"
|
initialSessionTimeout: "var://idp-authentication-session-timeout"
|
||||||
langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain"
|
langCookieDomain: "var://agov-language-cookie-domain"
|
||||||
|
|
|
@ -19,6 +19,7 @@ pattern:
|
||||||
- "pattern://bcca48cd422668aa2f78ea42"
|
- "pattern://bcca48cd422668aa2f78ea42"
|
||||||
- "pattern://3d45f250b698005a29eb58b6"
|
- "pattern://3d45f250b698005a29eb58b6"
|
||||||
- "pattern://162d4ee18e469c146df153cc"
|
- "pattern://162d4ee18e469c146df153cc"
|
||||||
|
- "pattern://4f6692a69e4f33c8ed4c145f"
|
||||||
- "pattern://0d3511bed6798a78cc3237f6"
|
- "pattern://0d3511bed6798a78cc3237f6"
|
||||||
- "pattern://64f16c5d4c99eff0acbc8fdf"
|
- "pattern://64f16c5d4c99eff0acbc8fdf"
|
||||||
- "pattern://0573c2491a56e59daca47e95"
|
- "pattern://0573c2491a56e59daca47e95"
|
||||||
|
|
|
@ -16,6 +16,6 @@ pattern:
|
||||||
labels: "res://204c22beaccdfd22727af378#labels"
|
labels: "res://204c22beaccdfd22727af378#labels"
|
||||||
cookieName: "agovRecovery"
|
cookieName: "agovRecovery"
|
||||||
cookieSameSite: "Lax"
|
cookieSameSite: "Lax"
|
||||||
langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain"
|
langCookieDomain: "var://agov-language-cookie-domain"
|
||||||
resetAuthenticationCondition: "#{ (inargs.containsKey('cd')) ? 'restart' : ''\
|
resetAuthenticationCondition: "#{ (inargs.containsKey('cd')) ? 'restart' : ''\
|
||||||
\ }"
|
\ }"
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
<Response value="AUTH_DONE">
|
<Response value="AUTH_DONE">
|
||||||
<Gui name="not_used"/>
|
<Gui name="not_used"/>
|
||||||
</Response>
|
</Response>
|
||||||
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/>
|
<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
|
||||||
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
|
<property name="scriptTraceGroup" value="AGOV-ACCT"/>
|
||||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
|
||||||
</AuthState>
|
</AuthState>
|
|
@ -1,5 +1,12 @@
|
||||||
schemaVersion: "1.0"
|
schemaVersion: "1.0"
|
||||||
variables:
|
variables:
|
||||||
|
agov-language-cookie-domain:
|
||||||
|
className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
|
||||||
|
parameters:
|
||||||
|
minRequired: 0
|
||||||
|
maxAllowed: 1
|
||||||
|
value: ".agov-d.azure.adnovum.net"
|
||||||
|
requireOverloading: true
|
||||||
agov_dev_idm-db-management:
|
agov_dev_idm-db-management:
|
||||||
className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
|
className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
|
||||||
parameters:
|
parameters:
|
||||||
|
@ -92,13 +99,6 @@ variables:
|
||||||
maxAllowed: 1
|
maxAllowed: 1
|
||||||
value: "nevisauth"
|
value: "nevisauth"
|
||||||
requireOverloading: true
|
requireOverloading: true
|
||||||
auth_realm_main_idp-language-cookie-domain:
|
|
||||||
className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
|
|
||||||
parameters:
|
|
||||||
minRequired: 0
|
|
||||||
maxAllowed: 1
|
|
||||||
value: ".agov-d.azure.adnovum.net"
|
|
||||||
requireOverloading: true
|
|
||||||
auth_realm_main_sts_parameters:
|
auth_realm_main_sts_parameters:
|
||||||
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
|
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
|
||||||
parameters:
|
parameters:
|
||||||
|
|