2 files updated

This commit is contained in:
haburger 2024-12-17 12:57:54 +00:00
parent 49d8eaf672
commit d4399075f0
3 changed files with 33 additions and 25 deletions

View File

@ -1,11 +1,11 @@
package.path = package.path .. ";/opt/nevisproxy/webapp/WEB-INF/lib/lua/Utils.lua" package.path = package.path .. ";/opt/nevisproxy/webapp/WEB-INF/lib/lua/Utils.lua"
local Utils = require "Utils" local Utils = require "Utils"
function inputHeader(request, response) function inputHeader(req, resp)
local trace = request:getTracer() local trace = req:getTracer()
local queryParams = Utils.getQueryParameters(request) local queryParams = Utils.getQueryParameters(req)
local path = request:getRequestPath() local path = req:getRequestPath()
-- only allow calls to the countries service -- only allow calls to the countries service
if path == nil then if path == nil then
@ -13,8 +13,8 @@ function inputHeader(request, response)
end end
if path ~= nil and path ~= '/resource/utility/api/v1/countries' then if path ~= nil and path ~= '/resource/utility/api/v1/countries' then
trace:info("utility service called with invalid path " .. request:getRequestPath()) trace:info("utility service called with invalid path " .. path)
response:send(404) resp:send(404)
return return
end end
@ -22,19 +22,19 @@ function inputHeader(request, response)
for param, values in pairs(queryParams) do for param, values in pairs(queryParams) do
if (param ~= 'lang') then if (param ~= 'lang') then
trace:info("utility service called with invalid query param " .. param) trace:info("utility service called with invalid query param " .. param)
response:send(404) resp:send(404)
return return
end end
if Helpers.tableLength(values) ~= 1 then if Helpers.tableLength(values) ~= 1 then
trace:info("utility service called with invalid value for query param " .. param) trace:info("utility service called with invalid value for query param " .. param)
response:send(404) resp:send(404)
return return
end end
for i, value in pairs(values) do for i, value in pairs(values) do
local lang = string.upper(value) local lang = string.upper(value)
if not ('DE' == lang or 'FR' == lang or 'IT' == lang or 'EN' == lang or 'RS' == lang) then if not ('DE' == lang or 'FR' == lang or 'IT' == lang or 'EN' == lang or 'RS' == lang) then
trace:info("utility service called with invalid value for query param " .. param .. "=" .. value) trace:info("utility service called with invalid value for query param " .. param .. "=" .. value)
response:send(404) resp:send(404)
return return
end end
end end

View File

@ -117,7 +117,6 @@
<property name="sess:agov.recovery.email" value="${inargs:email}"/> <property name="sess:agov.recovery.email" value="${inargs:email}"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_verifyUrlTicketIntro" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true"> <AuthState name="${state.entry}_verifyUrlTicketIntro" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
<ResultCond name="cancel" next="${state.failed}"/>
<ResultCond name="confirm" next="${state.entry}_verifyUrlTicket"/> <ResultCond name="confirm" next="${state.entry}_verifyUrlTicket"/>
<Response value="AUTH_CONTINUE"> <Response value="AUTH_CONTINUE">
<Gui name="recovery_start_info"> <Gui name="recovery_start_info">
@ -200,15 +199,15 @@
<ResultCond name="ok" next="${state.entry}_codeVerified"/> <ResultCond name="ok" next="${state.entry}_codeVerified"/>
<ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin"/> <ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="lockWarn" next="${state.entry}_IdmUserIdPasswordLogin"/> <ResultCond name="lockWarn" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="nowLocked" next="${state.entry}_codeLocked"/> <ResultCond name="nowLocked" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="locked" next="${state.entry}_codeLocked"/> <ResultCond name="locked" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="tmpLocked" next="${state.entry}_codeLocked"/> <ResultCond name="tmpLocked" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="failed" next="${state.entry}_IdmUserIdPasswordLogin"/> <ResultCond name="failed" next="${state.entry}_IdmUserIdPasswordLogin"/>
<ResultCond name="clientNotFound" next="${state.entry}_IdmUserIdPasswordLogin"/> <ResultCond name="clientNotFound" next="${state.failed}"/>
<ResultCond name="disabled" next="${state.entry}_codeLocked"/> <ResultCond name="disabled" next="${state.entry}_IdmUserIdPasswordLogin"/>
<Response value="AUTH_CONTINUE"> <Response value="AUTH_CONTINUE">
<Gui name="recovery_check_code"> <Gui name="recovery_check_code">
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/> <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="#{ notes.containsKey('lasterror') ? (notes.getProperty('lasterror') == '3' ? 'check' : 'locked' ): '' }"/>
<GuiElem name="code" type="pw-text" label="not-used" value="hide-input-in-logs" optional="true"/> <GuiElem name="code" type="pw-text" label="not-used" value="hide-input-in-logs" optional="true"/>
<GuiElem name="no_code" type="checkbox" label="not-used" value="true" optional="true"/> <GuiElem name="no_code" type="checkbox" label="not-used" value="true" optional="true"/>
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/> <GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
@ -227,9 +226,3 @@
<Response value="AUTH_CONTINUE"/> <Response value="AUTH_CONTINUE"/>
<property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/> <property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/>
</AuthState> </AuthState>
<AuthState name="${state.entry}_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
<Response value="AUTH_ERROR">
<Gui name="recovery_check_noCode">
</Gui>
</Response>
</AuthState>

View File

@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
"level500": "urn:qa.agov.ch:names:tc:ac:classes:500" "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
] ]
// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
def getUserIdVerificationForRecovery(currentLoaRole) { def getUserIdVerificationForRecovery(currentLoaRole) {
// application is AGOV-AccountStatus // application is AGOV-AccountStatus
def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto')) def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
try { try {
def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto']) def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
def userState = userDto.state def userState = userDto.state
def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
LOG.debug("Recovery: Dto is '${userDto}") LOG.debug("Recovery: Dto is '${userDto}")
LOG.debug("Recovery: state is '${userState}") LOG.debug("Recovery: state is '${userState}")
LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'")
def session = request.getAuthSession(true) def session = request.getAuthSession(true)
if (userState == 'ACTIVE') { if (userState == 'ACTIVE') {
@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom) response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
if ((maxLoi == 'level100') && (mustRecover == null)) { if ((maxLoi == 'level100') && (mustRecover == null)) {
// AQ100 accounts need to used the recovery code, if they can
// check the status of recoveryCode credential
if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
LOG.debug("Recovery: emailAndCode")
response.setResult('needCode')
return
} else {
LOG.warn("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
response.setResult('ok')
return
}
// mustRecover role not set, so code needs to be checked // mustRecover role not set, so code needs to be checked
LOG.debug("Recovery: emailAndCode")
response.setResult('needCode')
return
} else { } else {
LOG.debug("Recovery: email") LOG.debug("Recovery: email")
response.setResult('ok') response.setResult('ok')