eid passthrough fixes

This commit is contained in:
aca 2025-06-02 13:52:49 +00:00
parent 2e0e3a1cca
commit d062b6978f
11 changed files with 40 additions and 20 deletions


@ -1,13 +1,13 @@
schemaVersion: "1.0" schemaVersion: "1.0"
bundles: bundles:
- "nevisadmin-plugin-authcloud:8.2411.2.4"
- "nevisadmin-plugin-base-generation:8.2411.2.4" - "nevisadmin-plugin-base-generation:8.2411.2.4"
- "nevisadmin-plugin-fido2:8.2411.2.4"
- "nevisadmin-plugin-mobile-auth:8.2411.2.4"
- "nevisadmin-plugin-nevisadapt:8.2411.2.4"
- "nevisadmin-plugin-nevisauth:8.2411.2.4"
- "nevisadmin-plugin-nevisdetect:8.2411.2.4"
- "nevisadmin-plugin-nevisdp:8.2411.2.4"
- "nevisadmin-plugin-nevisidm:8.2411.2.4"
- "nevisadmin-plugin-nevisproxy:8.2411.2.4" - "nevisadmin-plugin-nevisproxy:8.2411.2.4"
- "nevisadmin-plugin-nevisauth:8.2411.2.4"
- "nevisadmin-plugin-nevisidm:8.2411.2.4"
- "nevisadmin-plugin-mobile-auth:8.2411.2.4"
- "nevisadmin-plugin-fido2:8.2411.2.4"
- "nevisadmin-plugin-nevisadapt:8.2411.2.4"
- "nevisadmin-plugin-nevisdetect:8.2411.2.4"
- "nevisadmin-plugin-oauth:8.2411.2.4" - "nevisadmin-plugin-oauth:8.2411.2.4"
- "nevisadmin-plugin-authcloud:8.2411.2.4"
- "nevisadmin-plugin-nevisdp:8.2411.2.4"


@ -26,6 +26,12 @@ int getRequestedLevel(String authnContextClassRef, def roleList){
def session = request.getAuthSession(true) def session = request.getAuthSession(true)
def context = session.get('ch.nevis.auth.saml.request.authnContextClassRef') def context = session.get('ch.nevis.auth.saml.request.authnContextClassRef')
if (!context || context == '' || context == 'null') {
// EPD call, we set a default of aq300
session.setAttribute('ch.nevis.auth.saml.request.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:300')
conext = 'urn:qa.agov.ch:names:tc:ac:classes:300'
}
def roleLevels = [100,200,300,400,500,600] def roleLevels = [100,200,300,400,500,600]
def requestedRoleLevelNumber = getRequestedLevel(context, roleLevels) def requestedRoleLevelNumber = getRequestedLevel(context, roleLevels)
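Review bot: The default added in the new `if (!context || ...)` branch never reaches the local variable: the line `conext = 'urn:qa.agov.ch:names:tc:ac:classes:300'` assigns a misspelled name, so `getRequestedLevel(context, roleLevels)` on the next line still receives the empty or 'null' value the branch was meant to replace, while only the session attribute gets the default. In a Groovy script this compiles and either lands in the script binding or fails at runtime depending on scope, so nothing flags it; the requested level then derives from the unset value rather than the intended 300, which seems worth treating as a correctness issue for the level check. Change the line to `context = 'urn:qa.agov.ch:names:tc:ac:classes:300'`, and consider holding the URN in one local so the attribute and the variable cannot drift apart. The `qa` segment hardcoded in the URN looks worth confirming against the environments this script is deployed to. The surrounding script continues outside the hunk.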


@ -6,7 +6,7 @@
</Response> </Response>
<property name="scriptTraceGroup" value="AGOV-ACCT"/> <property name="scriptTraceGroup" value="AGOV-ACCT"/>
<property name="parameter.cookie.domain" value="${var.idp-fqdn}"/> <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
<property name="eidPassthroughEnabled" value="${vareid.passthrough.enabled}"/> <property name="parameter.eidPassthroughEnabled" value="${var.eid.passthrough.enabled}"/>
<property name="eidFullEnabled" value="${vareid.full.enabled}"/> <property name="parameter.eidFullEnabled" value="${var.eid.full.enabled}"/>
<property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/> <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
</AuthState> </AuthState>


@ -78,6 +78,10 @@ if (inargs['SAMLRequest'] != null) {
request.getInArgs().setProperty('onReload', 'now') request.getInArgs().setProperty('onReload', 'now')
def eidEnabled = parameters.get('eidPassthroughEnabled') == "true" || parameters.get('eidFullEnabled') == "true" def eidEnabled = parameters.get('eidPassthroughEnabled') == "true" || parameters.get('eidFullEnabled') == "true"
eidEnabled
LOG.error("EID?: " + eidEnabled)
LOG.error("Full?: " + parameters.get('eidFullEnabled'))
LOG.error("Pass?: " + parameters.get('eidPassthroughEnabled'))
def requestedLoa = s.getAttribute("agov.requestedRoleLevel") def requestedLoa = s.getAttribute("agov.requestedRoleLevel")
if( eidEnabled && ( requestedLoa == "600" || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork' ) ){ if( eidEnabled && ( requestedLoa == "600" || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork' ) ){
// EID request -> goto correct state // EID request -> goto correct state
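Review bot: The three new `LOG.error("EID?: " ...)`, `LOG.error("Full?: " ...)` and `LOG.error("Pass?: " ...)` lines are diagnostic output emitted at ERROR level on every request that reaches this point, so they will feed error-based alerting and inflate log volume in production even though nothing has failed; if the values are still needed, downgrade and fold them into one message such as `LOG.debug("eid enabled=" + eidEnabled + " full=" + parameters.get('eidFullEnabled') + " passthrough=" + parameters.get('eidPassthroughEnabled'))`. The bare `eidEnabled` statement just above them evaluates the variable and discards the result; it looks like a leftover and should be removed. The enclosing `if (inargs['SAMLRequest'] != null)` block starts and ends outside the hunk.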


@ -13,8 +13,6 @@ pattern:
user: "var://idm_db-database-user" user: "var://idm_db-database-user"
password: "var://idm_db-database-password" password: "var://idm_db-database-password"
encryption: "var://idm_db-tls-encryption" encryption: "var://idm_db-tls-encryption"
trustStore:
- "pattern://326adce95ad1a0761f2259b7"
jdbcDriver: "var://idm_db-database-jdbc-driver" jdbcDriver: "var://idm_db-database-jdbc-driver"
oracleVolumeClaimName: "var://idm_db-database-volume-claim" oracleVolumeClaimName: "var://idm_db-database-volume-claim"
databaseManagement: "var://agov_dev_idm-db-management" databaseManagement: "var://agov_dev_idm-db-management"


@ -225,6 +225,7 @@ HttpClient httpClient = HttpClients.create(parameters)
def spanCtxt = Span.current().getSpanContext() def spanCtxt = Span.current().getSpanContext()
def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}" def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
/*
if (!session['agov.eid.verification']) { if (!session['agov.eid.verification']) {
LOG.debug("Initializing verification") LOG.debug("Initializing verification")
if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){ if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
@ -232,20 +233,28 @@ if (!session['agov.eid.verification']) {
return return
} }
} }
*/
if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) { if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
LOG.debug("Request Status Update") LOG.debug("Request Status Update")
// request for a status update from the verifier // request for a status update from the verifier
def result def result
// TODO/haburger/2025-03-24: we should make sure, that we have an actual session on the verifier with id.v // FE requested a new verification
// and that authRequestId is correct if (inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') {
def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v'] LOG.debug("Initializing new verification")
if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
response.setResult('error')
return
}
}
// check, whether we are still processing the correct verification request def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') ? session['agov.eid.verification.id'] : inargs['o.id.v']
//
if(inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])){ LOG.error("IDValSent: " + idvalue)
//if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != session['agov.eid.verification.id']){
// check, whether we are still processing the same verification request or if a new one was generated in e.g. another Tab
if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != 'RESET' && inargs['o.id.v'] != session['agov.eid.verification.id']){
// wrong request, tell fe to stop polling and request a timeout // wrong request, tell fe to stop polling and request a timeout
LOG.debug('authentication timeout enforced, due to concurrent requests (verificationRequest missmatch) -> Notify FE & then return a 408') LOG.debug('authentication timeout enforced, due to concurrent requests (verificationRequest missmatch) -> Notify FE & then return a 408')
result = """{ result = """{
@ -356,6 +365,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
LOG LOG
.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})") .error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
def status = ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR' def status = ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'
// Send new request & return variables with new id and url // Send new request & return variables with new id and url
@ -379,7 +389,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
else { else {
result = """{ result = """{
"oid4vp": { "oid4vp": {
"status": "${inargs['o.id.v'] == 'NEW' ? 'INITIATED' : 'PENDING'}", "status": "${inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET' ? 'INITIATED' : 'PENDING'}",
"verification_url": "${session['agov.eid.verification.link']}", "verification_url": "${session['agov.eid.verification.link']}",
"id": "${idvalue}", "id": "${idvalue}",
"error_code": "NONE" "error_code": "NONE"
@ -400,6 +410,8 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
}}""" }}"""
} }
response.setContent(result.toString()) response.setContent(result.toString())
response.setContentType('application/json') response.setContentType('application/json')
response.setHttpStatusCode(200) response.setHttpStatusCode(200)