2 files updated

2024-12-17 12:57:54 +00:00 · 2024-12-17 12:57:54 +00:00 · d4399075f0
parent 49d8eaf672
commit d4399075f0
3 changed files with 33 additions and 25 deletions
--- a/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua
+++ b/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua
@ -1,11 +1,11 @@
 package.path = package.path .. ";/opt/nevisproxy/webapp/WEB-INF/lib/lua/Utils.lua"
 local Utils = require "Utils"

-function inputHeader(request, response)
-  local trace = request:getTracer()
+function inputHeader(req, resp)
+  local trace = req:getTracer()

-  local queryParams = Utils.getQueryParameters(request)
-  local path = request:getRequestPath()
+  local queryParams = Utils.getQueryParameters(req)
+  local path = req:getRequestPath()

  -- only allow calls to the countries service
  if path == nil then
@ -13,8 +13,8 @@ function inputHeader(request, response)
  end 

  if path ~= nil and path ~= '/resource/utility/api/v1/countries' then
-    trace:info("utility service called with invalid path " .. request:getRequestPath())
-    response:send(404)
+    trace:info("utility service called with invalid path " .. path)
+    resp:send(404)
    return
  end

@ -22,19 +22,19 @@ function inputHeader(request, response)
  for param, values in pairs(queryParams) do
    if (param ~= 'lang') then
      trace:info("utility service called with invalid query param " .. param)
-      response:send(404)
+      resp:send(404)
      return
    end
    if Helpers.tableLength(values) ~= 1 then
      trace:info("utility service called with invalid value for query param " .. param)
-      response:send(404)
+      resp:send(404)
      return
    end
    for i, value in pairs(values) do
      local lang = string.upper(value)
      if not ('DE' == lang or 'FR' == lang or 'IT' == lang or 'EN' == lang or 'RS' == lang) then
        trace:info("utility service called with invalid value for query param " .. param .. "=" .. value)
-        response:send(404)
+        resp:send(404)
        return
      end
    end
--- a/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
+++ b/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
@ -117,7 +117,6 @@
 	<property name="sess:agov.recovery.email" value="${inargs:email}"/>
 </AuthState>
 <AuthState name="${state.entry}_verifyUrlTicketIntro" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
-	<ResultCond name="cancel" next="${state.failed}"/>
 	<ResultCond name="confirm" next="${state.entry}_verifyUrlTicket"/>
 	<Response value="AUTH_CONTINUE">
 		<Gui name="recovery_start_info">
@ -200,15 +199,15 @@
 	<ResultCond name="ok" next="${state.entry}_codeVerified"/>
 	<ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin"/>
 	<ResultCond name="lockWarn" next="${state.entry}_IdmUserIdPasswordLogin"/>
-	<ResultCond name="nowLocked" next="${state.entry}_codeLocked"/>
-	<ResultCond name="locked" next="${state.entry}_codeLocked"/>
-	<ResultCond name="tmpLocked" next="${state.entry}_codeLocked"/>
+	<ResultCond name="nowLocked" next="${state.entry}_IdmUserIdPasswordLogin"/>
+	<ResultCond name="locked" next="${state.entry}_IdmUserIdPasswordLogin"/>
+	<ResultCond name="tmpLocked" next="${state.entry}_IdmUserIdPasswordLogin"/>
 	<ResultCond name="failed" next="${state.entry}_IdmUserIdPasswordLogin"/>
-	<ResultCond name="clientNotFound" next="${state.entry}_IdmUserIdPasswordLogin"/>
-	<ResultCond name="disabled" next="${state.entry}_codeLocked"/>
+	<ResultCond name="clientNotFound" next="${state.failed}"/>
+	<ResultCond name="disabled" next="${state.entry}_IdmUserIdPasswordLogin"/>
 	<Response value="AUTH_CONTINUE">
 		<Gui name="recovery_check_code">
-			<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
+			<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="#{ notes.containsKey('lasterror') ? (notes.getProperty('lasterror') == '3' ? 'check' : 'locked' ): '' }"/>
 			<GuiElem name="code" type="pw-text" label="not-used" value="hide-input-in-logs" optional="true"/>
 			<GuiElem name="no_code" type="checkbox" label="not-used" value="true" optional="true"/>
 			<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
@ -227,9 +226,3 @@
 	<Response value="AUTH_CONTINUE"/>
 	<property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/>
 </AuthState>
-<AuthState name="${state.entry}_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
-	<Response value="AUTH_ERROR">
-		<Gui name="recovery_check_noCode">
-    </Gui>
-	</Response>
-</AuthState>
--- a/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
+++ b/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
    "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
 ]

+// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
+def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
+
 def getUserIdVerificationForRecovery(currentLoaRole) {
  // application is AGOV-AccountStatus
  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
  try {
    def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
    def userState = userDto.state
+    def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
+
    LOG.debug("Recovery: Dto is '${userDto}")
    LOG.debug("Recovery: state is '${userState}")
+    LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'") 
    def session = request.getAuthSession(true)

    if (userState == 'ACTIVE') {
@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
          response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)

          if ((maxLoi == 'level100') && (mustRecover == null)) {
+            // AQ100 accounts need to used the recovery code, if they can
+            // check the status of recoveryCode credential
+            if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
+              LOG.debug("Recovery: emailAndCode")
+              response.setResult('needCode')
+              return
+            } else {
+             LOG.warn("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
+             response.setResult('ok')
+              return
+            }
+
            // mustRecover role not set, so code needs to be checked
-            LOG.debug("Recovery: emailAndCode")
-            response.setResult('needCode')
-            return
          } else {
            LOG.debug("Recovery: email")
            response.setResult('ok')