2 files updated
This commit is contained in:
parent
49d8eaf672
commit
d4399075f0
|
@ -1,11 +1,11 @@
|
|||
package.path = package.path .. ";/opt/nevisproxy/webapp/WEB-INF/lib/lua/Utils.lua"
|
||||
local Utils = require "Utils"
|
||||
|
||||
function inputHeader(request, response)
|
||||
local trace = request:getTracer()
|
||||
function inputHeader(req, resp)
|
||||
local trace = req:getTracer()
|
||||
|
||||
local queryParams = Utils.getQueryParameters(request)
|
||||
local path = request:getRequestPath()
|
||||
local queryParams = Utils.getQueryParameters(req)
|
||||
local path = req:getRequestPath()
|
||||
|
||||
-- only allow calls to the countries service
|
||||
if path == nil then
|
||||
|
@ -13,8 +13,8 @@ function inputHeader(request, response)
|
|||
end
|
||||
|
||||
if path ~= nil and path ~= '/resource/utility/api/v1/countries' then
|
||||
trace:info("utility service called with invalid path " .. request:getRequestPath())
|
||||
response:send(404)
|
||||
trace:info("utility service called with invalid path " .. path)
|
||||
resp:send(404)
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -22,19 +22,19 @@ function inputHeader(request, response)
|
|||
for param, values in pairs(queryParams) do
|
||||
if (param ~= 'lang') then
|
||||
trace:info("utility service called with invalid query param " .. param)
|
||||
response:send(404)
|
||||
resp:send(404)
|
||||
return
|
||||
end
|
||||
if Helpers.tableLength(values) ~= 1 then
|
||||
trace:info("utility service called with invalid value for query param " .. param)
|
||||
response:send(404)
|
||||
resp:send(404)
|
||||
return
|
||||
end
|
||||
for i, value in pairs(values) do
|
||||
local lang = string.upper(value)
|
||||
if not ('DE' == lang or 'FR' == lang or 'IT' == lang or 'EN' == lang or 'RS' == lang) then
|
||||
trace:info("utility service called with invalid value for query param " .. param .. "=" .. value)
|
||||
response:send(404)
|
||||
resp:send(404)
|
||||
return
|
||||
end
|
||||
end
|
||||
|
|
|
@ -117,7 +117,6 @@
|
|||
<property name="sess:agov.recovery.email" value="${inargs:email}"/>
|
||||
</AuthState>
|
||||
<AuthState name="${state.entry}_verifyUrlTicketIntro" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="true" resumeState="true">
|
||||
<ResultCond name="cancel" next="${state.failed}"/>
|
||||
<ResultCond name="confirm" next="${state.entry}_verifyUrlTicket"/>
|
||||
<Response value="AUTH_CONTINUE">
|
||||
<Gui name="recovery_start_info">
|
||||
|
@ -200,15 +199,15 @@
|
|||
<ResultCond name="ok" next="${state.entry}_codeVerified"/>
|
||||
<ResultCond name="pwChange" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="lockWarn" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="nowLocked" next="${state.entry}_codeLocked"/>
|
||||
<ResultCond name="locked" next="${state.entry}_codeLocked"/>
|
||||
<ResultCond name="tmpLocked" next="${state.entry}_codeLocked"/>
|
||||
<ResultCond name="nowLocked" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="locked" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="tmpLocked" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="failed" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="clientNotFound" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<ResultCond name="disabled" next="${state.entry}_codeLocked"/>
|
||||
<ResultCond name="clientNotFound" next="${state.failed}"/>
|
||||
<ResultCond name="disabled" next="${state.entry}_IdmUserIdPasswordLogin"/>
|
||||
<Response value="AUTH_CONTINUE">
|
||||
<Gui name="recovery_check_code">
|
||||
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
|
||||
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="#{ notes.containsKey('lasterror') ? (notes.getProperty('lasterror') == '3' ? 'check' : 'locked' ): '' }"/>
|
||||
<GuiElem name="code" type="pw-text" label="not-used" value="hide-input-in-logs" optional="true"/>
|
||||
<GuiElem name="no_code" type="checkbox" label="not-used" value="true" optional="true"/>
|
||||
<GuiElem name="authRequestId" type="hidden" value="${sess:ch.nevis.auth.saml.request.id}" optional="true"/>
|
||||
|
@ -227,9 +226,3 @@
|
|||
<Response value="AUTH_CONTINUE"/>
|
||||
<property name="sess:agov.recovery.authenticatedWith" value="urn:qa.agov.ch:names:tc:authfactor:emailAndCode"/>
|
||||
</AuthState>
|
||||
<AuthState name="${state.entry}_codeLocked" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="false">
|
||||
<Response value="AUTH_ERROR">
|
||||
<Gui name="recovery_check_noCode">
|
||||
</Gui>
|
||||
</Response>
|
||||
</AuthState>
|
|
@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
|
|||
"level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
|
||||
]
|
||||
|
||||
// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
|
||||
def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
|
||||
|
||||
def getUserIdVerificationForRecovery(currentLoaRole) {
|
||||
// application is AGOV-AccountStatus
|
||||
def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
|
||||
|
@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
|
|||
try {
|
||||
def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
|
||||
def userState = userDto.state
|
||||
def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
|
||||
|
||||
LOG.debug("Recovery: Dto is '${userDto}")
|
||||
LOG.debug("Recovery: state is '${userState}")
|
||||
LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'")
|
||||
def session = request.getAuthSession(true)
|
||||
|
||||
if (userState == 'ACTIVE') {
|
||||
|
@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
|
|||
response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
|
||||
|
||||
if ((maxLoi == 'level100') && (mustRecover == null)) {
|
||||
// mustRecover role not set, so code needs to be checked
|
||||
// AQ100 accounts need to used the recovery code, if they can
|
||||
// check the status of recoveryCode credential
|
||||
if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
|
||||
LOG.debug("Recovery: emailAndCode")
|
||||
response.setResult('needCode')
|
||||
return
|
||||
} else {
|
||||
LOG.warn("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
|
||||
response.setResult('ok')
|
||||
return
|
||||
}
|
||||
|
||||
// mustRecover role not set, so code needs to be checked
|
||||
} else {
|
||||
LOG.debug("Recovery: email")
|
||||
response.setResult('ok')
|
||||
|
|
Loading…
Reference in New Issue