eid passthrough fixes

2025-06-02 13:52:49 +00:00 · 2025-06-02 13:52:49 +00:00 · d062b6978f
parent 2e0e3a1cca
commit d062b6978f
11 changed files with 40 additions and 20 deletions
--- a/bundles.yml
+++ b/bundles.yml
@ -1,13 +1,13 @@
 schemaVersion: "1.0"
 bundles:
- "nevisadmin-plugin-authcloud:8.2411.2.4"
 - "nevisadmin-plugin-base-generation:8.2411.2.4"
- "nevisadmin-plugin-fido2:8.2411.2.4"
- "nevisadmin-plugin-mobile-auth:8.2411.2.4"
- "nevisadmin-plugin-nevisadapt:8.2411.2.4"
- "nevisadmin-plugin-nevisauth:8.2411.2.4"
- "nevisadmin-plugin-nevisdetect:8.2411.2.4"
- "nevisadmin-plugin-nevisdp:8.2411.2.4"
- "nevisadmin-plugin-nevisidm:8.2411.2.4"
 - "nevisadmin-plugin-nevisproxy:8.2411.2.4"
+- "nevisadmin-plugin-nevisauth:8.2411.2.4"
+- "nevisadmin-plugin-nevisidm:8.2411.2.4"
+- "nevisadmin-plugin-mobile-auth:8.2411.2.4"
+- "nevisadmin-plugin-fido2:8.2411.2.4"
+- "nevisadmin-plugin-nevisadapt:8.2411.2.4"
+- "nevisadmin-plugin-nevisdetect:8.2411.2.4"
 - "nevisadmin-plugin-oauth:8.2411.2.4"
+- "nevisadmin-plugin-authcloud:8.2411.2.4"
+- "nevisadmin-plugin-nevisdp:8.2411.2.4"
--- a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
+++ b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip
--- a/patterns/204c22beaccdfd22727af378_labels/labels.zip
+++ b/patterns/204c22beaccdfd22727af378_labels/labels.zip
--- a/patterns/204c22beaccdfd22727af378_template/webdata.zip
+++ b/patterns/204c22beaccdfd22727af378_template/webdata.zip
--- a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
+++ b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip
--- a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
+++ b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip
--- a/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
+++ b/patterns/68665057549fd887ea09fb86_scriptFile/requestedRoleLevel.groovy
@ -26,6 +26,12 @@ int getRequestedLevel(String authnContextClassRef, def roleList){

 def session = request.getAuthSession(true)
 def context = session.get('ch.nevis.auth.saml.request.authnContextClassRef')
+if (!context || context == '' || context == 'null') {
+  // EPD call, we set a default of aq300
+  session.setAttribute('ch.nevis.auth.saml.request.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:300')
+  conext = 'urn:qa.agov.ch:names:tc:ac:classes:300'
+}
+
 def roleLevels = [100,200,300,400,500,600]
 def requestedRoleLevelNumber = getRequestedLevel(context, roleLevels)

--- a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
+++ b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml
@ -6,7 +6,7 @@
    </Response>
    <property name="scriptTraceGroup" value="AGOV-ACCT"/>
    <property name="parameter.cookie.domain" value="${var.idp-fqdn}"/>
-    <property name="eidPassthroughEnabled" value="${vareid.passthrough.enabled}"/>
-    <property name="eidFullEnabled" value="${vareid.full.enabled}"/>
+    <property name="parameter.eidPassthroughEnabled" value="${var.eid.passthrough.enabled}"/>
+    <property name="parameter.eidFullEnabled" value="${var.eid.full.enabled}"/>
    <property name="script" value="file:///var/opt/nevisauth/default/conf/idp_status_check.groovy"/>
 </AuthState>
--- a/patterns/7a913eec7f78ce674cd87854_resources/idp_status_check.groovy
+++ b/patterns/7a913eec7f78ce674cd87854_resources/idp_status_check.groovy
@ -78,6 +78,10 @@ if (inargs['SAMLRequest'] != null) {
      request.getInArgs().setProperty('onReload', 'now')

      def eidEnabled = parameters.get('eidPassthroughEnabled') == "true" || parameters.get('eidFullEnabled') == "true"
+      eidEnabled
+      LOG.error("EID?: " + eidEnabled)
+      LOG.error("Full?: " + parameters.get('eidFullEnabled'))
+      LOG.error("Pass?: " + parameters.get('eidPassthroughEnabled'))
      def requestedLoa = s.getAttribute("agov.requestedRoleLevel")
      if( eidEnabled && ( requestedLoa == "600" || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork' ) ){
        // EID request -> goto correct state
--- a/patterns/IDM_DB_2951ead44a7a9362a4545094.yml
+++ b/patterns/IDM_DB_2951ead44a7a9362a4545094.yml
@ -13,8 +13,6 @@ pattern:
    user: "var://idm_db-database-user"
    password: "var://idm_db-database-password"
    encryption: "var://idm_db-tls-encryption"
-    trustStore:
-    - "pattern://326adce95ad1a0761f2259b7"
    jdbcDriver: "var://idm_db-database-jdbc-driver"
    oracleVolumeClaimName: "var://idm_db-database-volume-claim"
    databaseManagement: "var://agov_dev_idm-db-management"
--- a/patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy
+++ b/patterns/e335f57d4c64dfc97223697a_resources/eid_verification_auth.groovy
@ -225,6 +225,7 @@ HttpClient httpClient = HttpClients.create(parameters)
 def spanCtxt = Span.current().getSpanContext()
 def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"

+/*
 if (!session['agov.eid.verification']) {
    LOG.debug("Initializing verification")
 	if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
@ -232,20 +233,28 @@ if (!session['agov.eid.verification']) {
        return
    }
 }
+*/

 if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
    LOG.debug("Request Status Update")
 	// request for a status update from the verifier
 	def result

-	// TODO/haburger/2025-03-24: we should make sure, that we have an actual session on the verifier with id.v
-	// and that authRequestId is correct
-	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v']
+    // FE requested a new verification
+    if (inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') {
+        LOG.debug("Initializing new verification")
+	    if(!getNewVerification(sess, httpClient, verification_request_template, traceparent)){
+            response.setResult('error') 
+            return
+        }
+    }

-    // check, whether we are still processing the correct verification request
-    //
-    if(inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])){
-    //if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != session['agov.eid.verification.id']){
+	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET') ? session['agov.eid.verification.id'] : inargs['o.id.v']
+
+    LOG.error("IDValSent: " + idvalue)
+
+    // check, whether we are still processing the same verification request or if a new one was generated in e.g. another Tab
+    if(inargs['o.id.v'] && inargs['o.id.v'] != 'NEW' && inargs['o.id.v'] != 'RESET' && inargs['o.id.v'] != session['agov.eid.verification.id']){
        // wrong request, tell fe to stop polling and request a timeout
        LOG.debug('authentication timeout enforced, due to concurrent requests (verificationRequest missmatch) -> Notify FE & then return a 408')
        result = """{
@ -356,6 +365,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.

 				LOG
 						.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
+                       
                def status = ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'

                // Send new request & return variables with new id and url
@ -379,7 +389,7 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 			else {
 				result = """{
 				"oid4vp": {
-					"status": "${inargs['o.id.v'] == 'NEW' ? 'INITIATED' : 'PENDING'}",
+					"status": "${inargs['o.id.v'] == 'NEW' || inargs['o.id.v'] == 'RESET' ? 'INITIATED' : 'PENDING'}",
 					"verification_url": "${session['agov.eid.verification.link']}",
 					"id": "${idvalue}",
 					"error_code": "NONE"
@ -400,6 +410,8 @@ if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.
 				}}"""
 	}

+    
+
 	response.setContent(result.toString())
 	response.setContentType('application/json')
 	response.setHttpStatusCode(200)