1.7.5 RC1

haburger 2024-11-29 12:40:56 +00:00
parent 5b9299caa8
commit 60eb1a7192
20 changed files with 90 additions and 21 deletions


@ -2,7 +2,7 @@
<Response value="AUTH_ERROR"> <Response value="AUTH_ERROR">
<Gui name="NotUsed"/> <Gui name="NotUsed"/>
</Response> </Response>
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/> <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
<property name="scriptTraceGroup" value="AGOV-ACCT"/> <property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithError.groovy"/>
</AuthState> </AuthState>


@ -0,0 +1,12 @@
function outputHeader(request, response)
trace = request:getTracer()
-- rename Set-Cookie2 header
local setCookieHeader = response:getHeader("Set-Cookie2")
if (setCookieHeader ~= nil) then
trace:debug("Set a new cookie: " .. setCookieHeader)
response:addHeader("Set-Cookie", setCookieHeader)
response:removeHeader("Set-Cookie2")
end
end
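Review bot: `trace = request:getTracer()` on the second line of outputHeader assigns a global rather than a local, so unless the proxy's Lua environment provides that name it will leak state across calls or fail under a strict-globals setup; write `local trace = request:getTracer()`. The debug trace on the following lines echoes the complete header value, which for the current agovSkipAskingMobile cookie is harmless, but this handler rewrites any Set-Cookie2 header, so a future cookie with a sensitive value would land in the trace unchanged. Consider logging only the cookie name, e.g. `trace:debug("Rewrote Set-Cookie2 to Set-Cookie: " .. setCookieHeader:match("^[^=]+"))`. A one-line header comment stating that nevisAuth cannot emit two Set-Cookie headers and that this pattern exists to work around it would help the next reader understand why Set-Cookie2 is used at all.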


@ -2,8 +2,9 @@
<ResultCond name="done" next="${state.done}"/> <ResultCond name="done" next="${state.done}"/>
<Response value="AUTH_CONTINUE"> <Response value="AUTH_CONTINUE">
<Gui name="ask_mobile_number" label="general.askMobileNumber"> <Gui name="ask_mobile_number" label="general.askMobileNumber">
<GuiElem name="mobile" type="text" optional="true"/> <GuiElem name="mobile" type="text" label="mobile number" optional="true"/>
<GuiElem name="skip" type="checkbox" value="false" optional="true"/> <!-- GuiElem name="skip" type="checkbox" label="skip me" value="false" optional="true"/ -->
<GuiElem name="skip" type="text" label="skip me" value="false" optional="true"/>
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/> <GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
<GuiElem name="submit" type="button" label="continue.button.label" value="submit"/> <GuiElem name="submit" type="button" label="continue.button.label" value="submit"/>
</Gui> </Gui>
@ -13,5 +14,5 @@
<property name="parameter.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/> <property name="parameter.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/>
<property name="parameter.idm.httpclient.tls.keyObjectRef" value="DefaultKeyStore"/> <property name="parameter.idm.httpclient.tls.keyObjectRef" value="DefaultKeyStore"/>
<property name="parameter.idm.httpclient.tls.trustStoreRef" value="${keystore}"/> <property name="parameter.idm.httpclient.tls.trustStoreRef" value="${keystore}"/>
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/> <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
</AuthState> </AuthState>
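Review bot: The `skip` GuiElem in the first hunk is now a free-text input pre-filled with `false`, with the checkbox variant left commented out on the line above it, while the Groovy script changed in the same commit accepts the skip only when the submitted value is exactly `true`; a user would have to type that word, which is unlikely to be the intended release behaviour. If this is a temporary workaround while the checkbox value handling is sorted out, say so next to the element, e.g. `<!-- TODO: text field is a stopgap; the script expects the literal value 'true' -->`, so it does not ship silently. The same mismatch is what the TODO in the Groovy hunk below refers to.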


@ -6,6 +6,15 @@ import ch.nevis.idm.client.HTTPRequestWrapper
import groovy.json.JsonSlurper import groovy.json.JsonSlurper
import groovy.xml.XmlSlurper import groovy.xml.XmlSlurper
def getHeader(String name) {
def inctx = request.getLoginContext()
// case-insensitive lookup of HTTP headers
def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
map.putAll(inctx)
return map['connection.HttpHeader.' + name]
}
// Accounting // Accounting
def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown' def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown' def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
@ -28,7 +37,45 @@ if (mobile) {
response.setResult('done') response.setResult('done')
return return
} }
if (inargs['submit'] && inargs['mobile']) {
if (!inargs['submit'] && (!inargs['mobile'] || !inargs['mobile'].isEmpty()) && inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
// language switch, nothing else to do, just display again the GUI
response.setStatus(AuthResponse.AUTH_CONTINUE)
return
}
// TODO/haburger/2024-11-24: check/adapt value of skip checkbox
if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && inargs['skip'] && inargs['skip'] == 'true') {
// no mobile, and user wants to skip it
LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
// persistent cookie for 30d;
def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly"
// setHeader doesn't support multiple headers with the same name, so we use
// a different one, and rewrite it in the proxy with Lua
response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie)
response.setResult('done')
return
}
def agovSkipAskingMobileCookie = 'missing'
if (getHeader('cookie') != null) {
def cookies = getHeader('cookie')
if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')) {
agovSkipAskingMobileCookie = cookies.replaceAll('^.*agovSkipAskingMobile=([^;]+).*$', '$1')
}
}
if (agovSkipAskingMobileCookie == 'true') {
// Don't aske the user again...
LOG.info("Event='SKIPPEDMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
response.setResult('done')
return
}
if (inargs['submit'] && inargs['mobile'] && !inargs['mobile'].isEmpty()) {
String result String result
def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}" def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
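Review bot: `getHeader('cookie')` is called twice in a row (the null check and the assignment directly after it), and each call copies the whole login context into a new case-insensitive TreeMap; call it once, `def cookies = getHeader('cookie')` followed by `if (cookies != null) {`. The language-switch guard `(!inargs['mobile'] || !inargs['mobile'].isEmpty())` reads as "mobile absent or non-empty", which holds in almost every case, so if the intent is to re-render only when the field was left empty the inner condition looks inverted; a comment naming the intended cases would settle it. The cookie lookup `^.*agovSkipAskingMobile=([^;]+).*$` also matches a cookie whose name merely ends in that string; anchoring the name with `(^|;\\s*)agovSkipAskingMobile=` keeps the match exact, and the value read from the cookie is client-controlled, so it should only ever gate this prompt preference, as it does here. The script continues outside the hunk.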


@ -4,6 +4,6 @@
<Response value="AUTH_ERROR"> <Response value="AUTH_ERROR">
</Response> </Response>
<property name="scriptTraceGroup" value="AGOV-ACCT"/> <property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/> <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
</AuthState> </AuthState>


@ -2,6 +2,6 @@
<Response value="AUTH_CONTINUE"> <Response value="AUTH_CONTINUE">
<Gui name="NotUsed"/> <Gui name="NotUsed"/>
</Response> </Response>
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/> <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/returnTimeoutButKeepSession.groovy"/>
</AuthState> </AuthState>


@ -35,7 +35,7 @@
<property name="parameter.utility-service.baseUrl" value="${param.utility-service.baseUrl}"/> <property name="parameter.utility-service.baseUrl" value="${param.utility-service.baseUrl}"/>
<!--property name="parameter.idm.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/--> <!--property name="parameter.idm.baseUrl" value="https://${param.idm-service:idm.adn-agov-nevisidm-01-dev}:8989/nevisidm/api"/-->
<property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Recovery_Code"/> <property name="parameter.idm.httpclient.tls.trustStoreRef" value="Ensure_Recovery_Code"/>
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/> <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_encryptCode" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false"> <AuthState name="${state.entry}_encryptCode" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="false">
<ResultCond name="default" next="${state.entry}_Process"/> <ResultCond name="default" next="${state.entry}_Process"/>


@ -24,6 +24,6 @@ pattern:
cookieName: "agov" cookieName: "agov"
initialSessionTimeout: "var://idp-authentication-session-timeout" initialSessionTimeout: "var://idp-authentication-session-timeout"
sessionTimeout: "30m" sessionTimeout: "30m"
langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain" langCookieDomain: "var://agov-language-cookie-domain"
resetAuthenticationCondition: "#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id'))\ resetAuthenticationCondition: "#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id'))\
\ ? 'restart' : '' }" \ ? 'restart' : '' }"


@ -9,9 +9,9 @@ pattern:
authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile" authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile"
parameters: "var://ensure_recovery_code-parameters" parameters: "var://ensure_recovery_code-parameters"
onSuccess: onSuccess:
- "pattern://6d83506dfcc430c12d81dfa3" - "pattern://2cdd910036aa06b102863a4f"
onFailure: onFailure:
- "pattern://6d83506dfcc430c12d81dfa3" - "pattern://2cdd910036aa06b102863a4f"
resources: "res://9ff0369f3cf662f95d94ff09#resources" resources: "res://9ff0369f3cf662f95d94ff09#resources"
keyObjects: keyObjects:
- "pattern://bcfe78c02cbe0588528bc3cb" - "pattern://bcfe78c02cbe0588528bc3cb"


@ -0,0 +1,8 @@
schemaVersion: "1.0"
pattern:
id: "4f6692a69e4f33c8ed4c145f"
className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern"
name: "IdP_ResponseHeader_Post_Processing"
properties:
script: "res://4f6692a69e4f33c8ed4c145f#script"
phase: "BEFORE_SANITATION"


@ -20,4 +20,4 @@ pattern:
logrend: logrend:
- "pattern://097929211988398a87bcbb0c" - "pattern://097929211988398a87bcbb0c"
initialSessionTimeout: "var://idp-authentication-session-timeout" initialSessionTimeout: "var://idp-authentication-session-timeout"
langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain" langCookieDomain: "var://agov-language-cookie-domain"


@ -19,6 +19,7 @@ pattern:
- "pattern://bcca48cd422668aa2f78ea42" - "pattern://bcca48cd422668aa2f78ea42"
- "pattern://3d45f250b698005a29eb58b6" - "pattern://3d45f250b698005a29eb58b6"
- "pattern://162d4ee18e469c146df153cc" - "pattern://162d4ee18e469c146df153cc"
- "pattern://4f6692a69e4f33c8ed4c145f"
- "pattern://0d3511bed6798a78cc3237f6" - "pattern://0d3511bed6798a78cc3237f6"
- "pattern://64f16c5d4c99eff0acbc8fdf" - "pattern://64f16c5d4c99eff0acbc8fdf"
- "pattern://0573c2491a56e59daca47e95" - "pattern://0573c2491a56e59daca47e95"


@ -16,6 +16,6 @@ pattern:
labels: "res://204c22beaccdfd22727af378#labels" labels: "res://204c22beaccdfd22727af378#labels"
cookieName: "agovRecovery" cookieName: "agovRecovery"
cookieSameSite: "Lax" cookieSameSite: "Lax"
langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain" langCookieDomain: "var://agov-language-cookie-domain"
resetAuthenticationCondition: "#{ (inargs.containsKey('cd')) ? 'restart' : ''\ resetAuthenticationCondition: "#{ (inargs.containsKey('cd')) ? 'restart' : ''\
\ }" \ }"


@ -3,7 +3,7 @@
<Response value="AUTH_DONE"> <Response value="AUTH_DONE">
<Gui name="not_used"/> <Gui name="not_used"/>
</Response> </Response>
<property name="parameter.cookie.domain" value="${var.auth_realm_main_idp-language-cookie-domain}"/> <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
<property name="scriptTraceGroup" value="AGOV-ACCT"/> <property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy"/>
</AuthState> </AuthState>


@ -1,5 +1,12 @@
schemaVersion: "1.0" schemaVersion: "1.0"
variables: variables:
agov-language-cookie-domain:
className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
parameters:
minRequired: 0
maxAllowed: 1
value: ".agov-d.azure.adnovum.net"
requireOverloading: true
agov_dev_idm-db-management: agov_dev_idm-db-management:
className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty" className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty"
parameters: parameters:
@ -92,13 +99,6 @@ variables:
maxAllowed: 1 maxAllowed: 1
value: "nevisauth" value: "nevisauth"
requireOverloading: true requireOverloading: true
auth_realm_main_idp-language-cookie-domain:
className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty"
parameters:
minRequired: 0
maxAllowed: 1
value: ".agov-d.azure.adnovum.net"
requireOverloading: true
auth_realm_main_sts_parameters: auth_realm_main_sts_parameters:
className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty" className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty"
parameters: parameters: