new configuration version
parent
2ceacadd97
commit
15910a05e8
|
@ -45,13 +45,15 @@ spec:
|
||||||
podDisruptionBudget:
|
podDisruptionBudget:
|
||||||
maxUnavailable: "50%"
|
maxUnavailable: "50%"
|
||||||
git:
|
git:
|
||||||
tag: "r-6c7464eb8d6ece1e29939bf3c8d50b1c424a0b45"
|
tag: "r-4d495f8f73f00597da5fbe633d85d96ac04db24e"
|
||||||
dir: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth"
|
dir: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-auth"
|
||||||
credentials: "git-credentials"
|
credentials: "git-credentials"
|
||||||
keystores:
|
keystores:
|
||||||
- "ob-auth-default-identity"
|
- "ob-auth-default-identity"
|
||||||
|
- "ob-auth-ob-realm-accessapp-registration-nevisfido-tls-client-ke"
|
||||||
truststores:
|
truststores:
|
||||||
- "ob-auth-agov-work-internal-trust-store"
|
- "ob-auth-agov-work-internal-trust-store"
|
||||||
|
- "ob-auth-ob-realm-accessapp-registration-nevisfido-tls-trust-sto"
|
||||||
- "ob-auth-default-tls-client-trust"
|
- "ob-auth-default-tls-client-trust"
|
||||||
podSecurity:
|
podSecurity:
|
||||||
policy: "baseline"
|
policy: "baseline"
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
apiVersion: "operator.nevis-security.ch/v1"
|
||||||
|
kind: "NevisKeyStore"
|
||||||
|
metadata:
|
||||||
|
name: "ob-auth-ob-realm-accessapp-registration-nevisfido-tls-client-ke"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
||||||
|
labels:
|
||||||
|
deploymentTarget: "ob-auth"
|
||||||
|
annotations:
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d00b0dcbe241793d30daf91c"
|
||||||
|
spec:
|
||||||
|
cn: "ob-auth"
|
||||||
|
usage: "<reserved for future use>"
|
||||||
|
san:
|
||||||
|
dns:
|
||||||
|
- "ob-auth"
|
||||||
|
- "ob-auth.adn-agov-nevisidm-ob-01-uat"
|
||||||
|
email: []
|
|
@ -0,0 +1,14 @@
|
||||||
|
apiVersion: "operator.nevis-security.ch/v1"
|
||||||
|
kind: "NevisTrustStore"
|
||||||
|
metadata:
|
||||||
|
name: "ob-auth-ob-realm-accessapp-registration-nevisfido-tls-trust-sto"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
||||||
|
labels:
|
||||||
|
deploymentTarget: "ob-auth"
|
||||||
|
annotations:
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d00b0dcbe241793d30daf91c"
|
||||||
|
spec:
|
||||||
|
keystores:
|
||||||
|
- name: "ob-fido-uaf-default-server-identity"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
|
@ -35,11 +35,21 @@
|
||||||
<!-- source: pattern://d00b0dcbe241793d30daf91c -->
|
<!-- source: pattern://d00b0dcbe241793d30daf91c -->
|
||||||
<KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/ob-auth-signer/cert.pem" privateKey="/var/opt/keys/own/ob-auth-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/ob-auth-signer/keypass"/>
|
<KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/ob-auth-signer/cert.pem" privateKey="/var/opt/keys/own/ob-auth-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/ob-auth-signer/keypass"/>
|
||||||
</KeyStore>
|
</KeyStore>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<KeyStore name="ob-realm-accessapp-registration-nevisfido-tls-trust-store">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<KeyObject name="ob-realm-accessapp-registration-nevisfido-tls-certificate" certificate="/var/opt/keys/trust/ob-auth-ob-realm-accessapp-registration-nevisfido-tls-trust-sto/truststore.jks" passPhrase="pipe:///var/opt/keys/trust/ob-auth-ob-realm-accessapp-registration-nevisfido-tls-trust-sto/keypass"/>
|
||||||
|
</KeyStore>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<KeyStore name="ob-realm-accessapp-registration-nevisfido-tls-client-key-store">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<KeyObject name="ob-realm-accessapp-registration-nevisfido-tls-client-key-object" certificate="/var/opt/keys/own/ob-auth-ob-realm-accessapp-registration-nevisfido-tls-client-ke/cert.pem" privateKey="/var/opt/keys/own/ob-auth-ob-realm-accessapp-registration-nevisfido-tls-client-ke/keystore.jks" passPhrase="pipe:///var/opt/keys/own/ob-auth-ob-realm-accessapp-registration-nevisfido-tls-client-ke/keypass"/>
|
||||||
|
</KeyStore>
|
||||||
</SessionCoordinator>
|
</SessionCoordinator>
|
||||||
<!-- source: pattern://d00b0dcbe241793d30daf91c -->
|
<!-- source: pattern://d00b0dcbe241793d30daf91c -->
|
||||||
<LocalOutOfContextDataStore reaperPeriod="60"/>
|
<LocalOutOfContextDataStore reaperPeriod="60"/>
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe, pattern://d00b0dcbe241793d30daf91c, pattern://e1784eecf2db74484dd1e1bb, pattern://d00b0dcbe241793d30daf91c -->
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe, pattern://d00b0dcbe241793d30daf91c, pattern://e1784eecf2db74484dd1e1bb, pattern://25bdd7e6f5b76694f6688ab8, pattern://d00b0dcbe241793d30daf91c -->
|
||||||
<AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
|
<AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/opt/nevisidmcl/nevisauth/lib:/opt/nevisfidocl/nevisauth/lib:/opt/nevisauth/plugin" propagateSession="false">
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
||||||
<Domain name="ob-realm" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
|
<Domain name="ob-realm" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
|
||||||
<Entry method="authenticate" state="ob-realm_ob-realm-idm-pwd-login"/>
|
<Entry method="authenticate" state="ob-realm_ob-realm-idm-pwd-login"/>
|
||||||
|
@ -88,11 +98,11 @@
|
||||||
</AuthState>
|
</AuthState>
|
||||||
<AuthState name="ob-realm_ob-realm-idm-pwd-login-IdmPostProcessing" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false">
|
<AuthState name="ob-realm_ob-realm-idm-pwd-login-IdmPostProcessing" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false">
|
||||||
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
||||||
<ResultCond name="SOAP:showGui" next="ob-realm_ob-realm-fido2-registration"/>
|
<ResultCond name="SOAP:showGui" next="ob-realm_ob-realm-dispatch-cred-type"/>
|
||||||
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
||||||
<ResultCond name="default" next="ob-realm_ob-realm-fido2-registration"/>
|
<ResultCond name="default" next="ob-realm_ob-realm-dispatch-cred-type"/>
|
||||||
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
||||||
<ResultCond name="ok" next="ob-realm_ob-realm-fido2-registration" startOver="true"/>
|
<ResultCond name="ok" next="ob-realm_ob-realm-dispatch-cred-type" startOver="true"/>
|
||||||
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
||||||
<ResultCond name="showGui" next="ob-realm_ob-realm-idm-pwd-login-IdmPostProcessing"/>
|
<ResultCond name="showGui" next="ob-realm_ob-realm-idm-pwd-login-IdmPostProcessing"/>
|
||||||
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
||||||
|
@ -202,6 +212,56 @@
|
||||||
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
<!-- source: pattern://e1784eecf2db74484dd1e1bb -->
|
||||||
<property name="admin.service.connection.0" value="https://idm.adn-agov-nevisidm-01-uat:8989/nevisidm/services/v1/AdminService"/>
|
<property name="admin.service.connection.0" value="https://idm.adn-agov-nevisidm-01-uat:8989/nevisidm/services/v1/AdminService"/>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
|
<AuthState name="ob-realm_ob-realm-dispatch-cred-type" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true" resumeState="true">
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<ResultCond name="accessapp" next="ob-realm_ob-realm-accessapp-registration"/>
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<ResultCond name="default" next="ob-realm_ob-realm-dispatch-cred-type"/>
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<ResultCond name="fido2" next="ob-realm_ob-realm-fido2-registration"/>
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<Response value="AUTH_CONTINUE">
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<Gui name="ChooseCredType" label="Choose Credential Type">
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<GuiElem name="infotext" type="info" label="Choose the type of credential to register"/>
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<GuiElem name="fido2" type="button" label="FIDO2 Key" value="fido2"/>
|
||||||
|
<!-- source: pattern://5f192f6e91687b30b5868750 -->
|
||||||
|
<GuiElem name="accessapp" type="button" label="AGOV access App" value="accessapp"/>
|
||||||
|
</Gui>
|
||||||
|
</Response>
|
||||||
|
</AuthState>
|
||||||
|
<AuthState name="ob-realm_ob-realm-accessapp-registration" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<ResultCond name="failed" next="ob-realm_Authentication_Failed"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<ResultCond name="fallback" next="ob-realm_ob-realm-idm-pwd-login"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<ResultCond name="ok" next="ob-realm_Prepare_Done"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<Response value="AUTH_CONTINUE">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<Gui name="mauth_onboard">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<GuiElem name="fallback" type="button" label="mobile_auth.cancel.button.label" value="true" optional="true"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<GuiElem name="mauth_dispatcher_link" type="hidden" value="${sess:mauth_dispatcher_link}" optional="true"/>
|
||||||
|
</Gui>
|
||||||
|
</Response>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<property name="parameter.username" value="#{session['ch.adnovum.nevisidm.user.extId'] != null ? session['ch.adnovum.nevisidm.user.extId'] : session['ch.nevis.idm.User.extId'] != null ? session['ch.nevis.idm.User.extId'] : request.getUserId() != null ? request.getUserId() : notes['userid']}"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<property name="parameter.httpclient.authorization.basic.sectoken.userId" value="#{session['ch.adnovum.nevisidm.user.extId'] != null ? session['ch.adnovum.nevisidm.user.extId'] : session['ch.nevis.idm.User.extId'] != null ? session['ch.nevis.idm.User.extId'] : request.getUserId() != null ? request.getUserId() : notes['userid']}"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<property name="parameter.httpclient.authorization.basic.sectoken.profileId" value="${sess:ch.adnovum.nevisidm.profileId}"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<property name="parameter.httpclient.authorization.basic.sectoken.roles" value="unused"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<property name="parameter.fidoUrl" value="https://ob-fido-uaf:9443/nevisfido"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/ob-realm-accessapp-registration.groovy"/>
|
||||||
|
</AuthState>
|
||||||
<AuthState name="ob-realm_ob-realm-fido2-registration" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
<AuthState name="ob-realm_ob-realm-fido2-registration" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
||||||
<!-- source: pattern://3d382e0cf987535b6fa989b4 -->
|
<!-- source: pattern://3d382e0cf987535b6fa989b4 -->
|
||||||
<ResultCond name="cancel" next="ob-realm_ob-realm-idm-pwd-login"/>
|
<ResultCond name="cancel" next="ob-realm_ob-realm-idm-pwd-login"/>
|
||||||
|
@ -248,6 +308,29 @@
|
||||||
<!-- source: pattern://3d382e0cf987535b6fa989b4 -->
|
<!-- source: pattern://3d382e0cf987535b6fa989b4 -->
|
||||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/ob-realm-fido2-registration.groovy"/>
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/ob-realm-fido2-registration.groovy"/>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
|
<AuthState name="ob-realm_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<Response value="AUTH_ERROR">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<Gui name="Error">
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<GuiElem name="info" type="error" label="error_99"/>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
||||||
|
</Gui>
|
||||||
|
</Response>
|
||||||
|
</AuthState>
|
||||||
|
<AuthState name="ob-realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
||||||
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
||||||
|
<ResultCond name="default" next="ob-realm_Auth_Done"/>
|
||||||
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
||||||
|
<Response value="AUTH_DONE">
|
||||||
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
||||||
|
<Gui name="ContinueResponse"/>
|
||||||
|
</Response>
|
||||||
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
||||||
|
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
|
||||||
|
</AuthState>
|
||||||
<AuthState name="ob-realm_ob-realm-fido2-registration_Failed" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
|
<AuthState name="ob-realm_ob-realm-fido2-registration_Failed" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="true">
|
||||||
<!-- source: pattern://3d382e0cf987535b6fa989b4 -->
|
<!-- source: pattern://3d382e0cf987535b6fa989b4 -->
|
||||||
<ResultCond name="default:${inargs:cancel-bottom:^.+$:true}" next="ob-realm_ob-realm-idm-pwd-login"/>
|
<ResultCond name="default:${inargs:cancel-bottom:^.+$:true}" next="ob-realm_ob-realm-idm-pwd-login"/>
|
||||||
|
@ -278,17 +361,6 @@
|
||||||
</Gui>
|
</Gui>
|
||||||
</Response>
|
</Response>
|
||||||
</AuthState>
|
</AuthState>
|
||||||
<AuthState name="ob-realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
|
||||||
<ResultCond name="default" next="ob-realm_Auth_Done"/>
|
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
|
||||||
<Response value="AUTH_DONE">
|
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
|
||||||
<Gui name="ContinueResponse"/>
|
|
||||||
</Response>
|
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
|
||||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
|
|
||||||
</AuthState>
|
|
||||||
<AuthState name="ob-realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
|
<AuthState name="ob-realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
||||||
<Response value="AUTH_DONE">
|
<Response value="AUTH_DONE">
|
||||||
|
|
|
@ -0,0 +1,169 @@
|
||||||
|
import groovy.json.JsonSlurper
|
||||||
|
import groovy.json.JsonOutput
|
||||||
|
|
||||||
|
import ch.nevis.esauth.auth.engine.AuthUtil
|
||||||
|
import ch.nevis.esauth.util.httpclient.configuration.HttpClientConfiguration
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* Initiate the registration process with a `POST /nevisfido/token/dispatch/registration` to nevisFIDO.
|
||||||
|
*
|
||||||
|
* @param username - required
|
||||||
|
* @param policy - default policy is used when null
|
||||||
|
*/
|
||||||
|
void dispatchRegistration(HttpClient httpClient, String baseUrl, String username, String policy) {
|
||||||
|
|
||||||
|
LOG.debug(" ==> Starting out-of-band mobile onboarding for username '{}'.", username)
|
||||||
|
|
||||||
|
String context = '{"username":"' + username + '", "policy":"' + (policy ?: 'default') + '"}'
|
||||||
|
|
||||||
|
def jsonBody = JsonOutput.toJson([
|
||||||
|
dispatcher: 'link',
|
||||||
|
getUafRequest: [
|
||||||
|
op: 'Reg',
|
||||||
|
context: context
|
||||||
|
]
|
||||||
|
])
|
||||||
|
|
||||||
|
LOG.debug("JSON body: {}", jsonBody)
|
||||||
|
|
||||||
|
def fidoRequest = Http.post().url(baseUrl + "/token/dispatch/registration")
|
||||||
|
.header('Accept', 'application/json; charset=utf-8')
|
||||||
|
.header('Content-Type', 'application/json; charset=utf-8')
|
||||||
|
.entity(Http.entity().content(jsonBody).build())
|
||||||
|
.build()
|
||||||
|
|
||||||
|
def fidoResponse = fidoRequest.send(httpClient)
|
||||||
|
|
||||||
|
def responseCode = fidoResponse.code()
|
||||||
|
if (responseCode != 200) {
|
||||||
|
LOG.error('<== Failed to enroll user with username: ' + username + '. Response: ' + responseCode + ": " + fidoResponse.bodyAsString())
|
||||||
|
response.setResult('failed')
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
def json = new JsonSlurper().parseText(fidoResponse.bodyAsString())
|
||||||
|
LOG.debug('JSON response: {}', json)
|
||||||
|
|
||||||
|
if (json.dispatchResult != 'dispatched') {
|
||||||
|
LOG.error('<== Failed to enroll user with username: ' + username + '. Response: ' + responseCode + ": " + fidoResponse.bodyAsString())
|
||||||
|
response.setResult('failed')
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
String dispatcherLink = json.dispatcherInformation.response
|
||||||
|
String sessionId = json.sessionId
|
||||||
|
|
||||||
|
// store dispatcher information and session ID as session variables
|
||||||
|
// to handle page refresh and status polling
|
||||||
|
|
||||||
|
// the session variable is rendered as a hidden field
|
||||||
|
// and picked up by the mauth_onboard.js to render a link / QR code
|
||||||
|
session.put('mauth_dispatcher_link', dispatcherLink)
|
||||||
|
|
||||||
|
// the session ID is used to handle status polling
|
||||||
|
session.put('mauth_session_id', sessionId)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* Check registration status by sending a `POST /nevisfido/status` to nevisFIDO.
|
||||||
|
*
|
||||||
|
* @param sessionId - required
|
||||||
|
*/
|
||||||
|
void checkRegistrationStatus(HttpClient httpClient, String baseUrl, String sessionId) {
|
||||||
|
|
||||||
|
LOG.debug(" ==> Checking out-of-band mobile registration status for session '{}'.", sessionId)
|
||||||
|
|
||||||
|
def jsonBody = JsonOutput.toJson([
|
||||||
|
sessionId: sessionId
|
||||||
|
])
|
||||||
|
|
||||||
|
def fidoRequest = Http.post().url(baseUrl + "/status")
|
||||||
|
.header('Accept', 'application/json; charset=utf-8')
|
||||||
|
.header('Content-Type', 'application/json; charset=utf-8')
|
||||||
|
.entity(Http.entity().content(jsonBody).build())
|
||||||
|
.build()
|
||||||
|
|
||||||
|
def fidoResponse = fidoRequest.send(httpClient)
|
||||||
|
|
||||||
|
def responseCode = fidoResponse.code()
|
||||||
|
if (responseCode == 200) {
|
||||||
|
|
||||||
|
def json = new JsonSlurper().parseText(fidoResponse.bodyAsString())
|
||||||
|
LOG.debug('JSON response: {}', json)
|
||||||
|
|
||||||
|
String status = json.status
|
||||||
|
LOG.debug('status: {}', status)
|
||||||
|
|
||||||
|
def inctx = request.getLoginContext()
|
||||||
|
|
||||||
|
def contentType = request.getHttpHeader('Content-Type')
|
||||||
|
LOG.debug("incoming request has Content-Type: {}", contentType)
|
||||||
|
|
||||||
|
if (contentType ==~ /.*json.*/) {
|
||||||
|
LOG.debug("detected AJAX call")
|
||||||
|
|
||||||
|
// responding AJAX call from JS and returning only the status (nothing else)
|
||||||
|
def statusJson = JsonOutput.toJson([
|
||||||
|
status: status
|
||||||
|
])
|
||||||
|
|
||||||
|
response.setContent(statusJson)
|
||||||
|
response.setContentType('application/json')
|
||||||
|
response.setHttpStatusCode(200)
|
||||||
|
response.setIsDirectResponse(true)
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// this is a form POST and thus we have to check if we have to continue
|
||||||
|
if (status == 'succeeded') {
|
||||||
|
response.setResult('ok')
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
LOG.error('<== Failed to check status for session ' + sessionId + '. Response: ' + responseCode + ": " + fidoResponse.bodyAsString())
|
||||||
|
response.setResult('failed')
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// convert parameters to Properties
|
||||||
|
Properties properties = new Properties()
|
||||||
|
for (Map.Entry<String, String> entry : parameters.entrySet()) {
|
||||||
|
properties.setProperty(entry.getKey(), entry.getValue())
|
||||||
|
}
|
||||||
|
|
||||||
|
def httpClientConfig = HttpClientConfiguration.from(properties, request, response)
|
||||||
|
|
||||||
|
// we cannot use a cached HTTP client here as the parameters contain expressions that depend on the request
|
||||||
|
def httpClient = HttpClients.create(httpClientConfig)
|
||||||
|
|
||||||
|
def baseUrl = parameters.get('fidoUrl')
|
||||||
|
|
||||||
|
if (session.containsKey('mauth_session_id')) {
|
||||||
|
|
||||||
|
def sessionId = session['mauth_session_id']
|
||||||
|
|
||||||
|
// mauth_onboard.js sends empty AJAX calls to check for completion.
|
||||||
|
// we have to check the status by sending a `POST /nevisfido/status` to nevisFIDO respond to the AJAX call.
|
||||||
|
checkRegistrationStatus(httpClient, baseUrl, sessionId)
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
def usernameSource = parameters.get('username')
|
||||||
|
if (usernameSource == null || usernameSource.isBlank()) {
|
||||||
|
LOG.error('out-of-band mobile onboarding failed. no expression to determine username.')
|
||||||
|
response.setResult('failed')
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
def username = AuthUtil.substituteVariables(request, response, usernameSource)
|
||||||
|
if (username == null || username.isBlank()) {
|
||||||
|
LOG.error('out-of-band mobile onboarding failed. missing username.')
|
||||||
|
response.setResult('failed')
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
def policy = parameters.get('policy')
|
||||||
|
dispatchRegistration(httpClient, baseUrl, username, policy)
|
||||||
|
}
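Review bot: In dispatchRegistration the `context` value is built by string concatenation (`'{"username":"' + username + '", "policy":"' + (policy ?: 'default') + '"}'`), so a username containing a quote or backslash produces malformed JSON or alters the document nevisFIDO parses; the username is not fully under this state's control, since `parameter.username` in the AuthState falls back from session attributes through request and notes values. The script already uses JsonOutput for the outer body, so build the inner one the same way: `String context = JsonOutput.toJson([username: username, policy: (policy ?: 'default')])` — it is still placed as a string under `getUafRequest.context`, now correctly escaped. Separately, checkRegistrationStatus only acts on `status == 'succeeded'`; a terminal non-success status from nevisFIDO (the exact values are not visible here) leaves `mauth_session_id` in the session, so every later request re-polls a finished session and the user's only exit is the fallback button — mapping such statuses to `response.setResult('failed')` and removing the session key would let the flow recover.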
|
|
@ -0,0 +1,14 @@
|
||||||
|
apiVersion: "operator.nevis-security.ch/v1"
|
||||||
|
kind: "NevisTrustStore"
|
||||||
|
metadata:
|
||||||
|
name: "ob-fido-uaf-agov-work-internal-trust-store"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
||||||
|
labels:
|
||||||
|
deploymentTarget: "ob-fido-uaf"
|
||||||
|
annotations:
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d990accd4fedae1acbc7109d"
|
||||||
|
spec:
|
||||||
|
keystores: []
|
||||||
|
extraCerts:
|
||||||
|
- "-----BEGIN CERTIFICATE-----\nMIIBcTCCARagAwIBAgIQWRl1eifIt8yohQYzh6yr/jAKBggqhkjOPQQDAjAYMRYw\nFAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTIzMDYyODE0MzI0MFoXDTQzMDYyODE0\nMzI0MFowGDEWMBQGA1UEAxMNc2VsZnNpZ25lZC1jYTBZMBMGByqGSM49AgEGCCqG\nSM49AwEHA0IABEwcjsIhSyyh0i9zP1G7ReOkFt/djzlGoUtSd5v3ZEk5QoZYjfl9\n04HdaZzrmveB2aRppbXgW7//s2Ma8wTd5uejQjBAMA4GA1UdDwEB/wQEAwICpDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT7YRoWIjHwkvFicwvk0Tx/yA4uUTAK\nBggqhkjOPQQDAgNJADBGAiEAgyg9t0qgb+czuscs07pNGI+12BedrD+y71psIlqx\nt2UCIQC/85UXyjYI9zg7Mg7rROTbGNCU3Jq/KIC3VzbbD+68VA==\n-----END CERTIFICATE-----\n"
|
|
@ -0,0 +1,61 @@
|
||||||
|
apiVersion: "operator.nevis-security.ch/v1"
|
||||||
|
kind: "NevisComponent"
|
||||||
|
metadata:
|
||||||
|
name: "ob-fido-uaf"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
||||||
|
labels:
|
||||||
|
deploymentTarget: "ob-fido-uaf"
|
||||||
|
annotations:
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d990accd4fedae1acbc7109d"
|
||||||
|
spec:
|
||||||
|
type: "NevisFIDO"
|
||||||
|
replicas: 1
|
||||||
|
version: "8.2405.0"
|
||||||
|
gitInitVersion: "1.3.0"
|
||||||
|
runAsNonRoot: true
|
||||||
|
ports:
|
||||||
|
rest: 9443
|
||||||
|
management: 9089
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "1000m"
|
||||||
|
memory: "1000Mi"
|
||||||
|
requests:
|
||||||
|
cpu: "100m"
|
||||||
|
memory: "700Mi"
|
||||||
|
livenessProbe:
|
||||||
|
management:
|
||||||
|
httpGet:
|
||||||
|
path: "/nevisfido/liveness"
|
||||||
|
periodSeconds: 5
|
||||||
|
timeoutSeconds: 6
|
||||||
|
readinessProbe:
|
||||||
|
management:
|
||||||
|
httpGet:
|
||||||
|
path: "/nevisfido/health"
|
||||||
|
periodSeconds: 5
|
||||||
|
timeoutSeconds: 6
|
||||||
|
startupProbe:
|
||||||
|
management:
|
||||||
|
httpGet:
|
||||||
|
path: "/nevisfido/health"
|
||||||
|
periodSeconds: 5
|
||||||
|
timeoutSeconds: 6
|
||||||
|
failureThreshold: 50
|
||||||
|
podDisruptionBudget:
|
||||||
|
maxUnavailable: "50%"
|
||||||
|
git:
|
||||||
|
tag: "r-4d495f8f73f00597da5fbe633d85d96ac04db24e"
|
||||||
|
dir: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-fido-uaf"
|
||||||
|
credentials: "git-credentials"
|
||||||
|
keystores:
|
||||||
|
- "ob-fido-uaf-default-server-identity"
|
||||||
|
truststores:
|
||||||
|
- "ob-fido-uaf-agov-work-internal-trust-store"
|
||||||
|
- "ob-fido-uaf-default-signer-trust"
|
||||||
|
- "ob-fido-uaf-default-client-trust"
|
||||||
|
podSecurity:
|
||||||
|
policy: "baseline"
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
timeZone: "Europe/Zurich"
|
|
@ -0,0 +1,12 @@
|
||||||
|
apiVersion: "operator.nevis-security.ch/v1"
|
||||||
|
kind: "NevisTrustStore"
|
||||||
|
metadata:
|
||||||
|
name: "ob-fido-uaf-default-client-trust"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
||||||
|
labels:
|
||||||
|
deploymentTarget: "ob-fido-uaf"
|
||||||
|
annotations:
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d990accd4fedae1acbc7109d"
|
||||||
|
spec:
|
||||||
|
keystores: []
|
|
@ -0,0 +1,18 @@
|
||||||
|
apiVersion: "operator.nevis-security.ch/v1"
|
||||||
|
kind: "NevisKeyStore"
|
||||||
|
metadata:
|
||||||
|
name: "ob-fido-uaf-default-server-identity"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
||||||
|
labels:
|
||||||
|
deploymentTarget: "ob-fido-uaf"
|
||||||
|
annotations:
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d990accd4fedae1acbc7109d"
|
||||||
|
spec:
|
||||||
|
cn: "ob-fido-uaf"
|
||||||
|
usage: "<reserved for future use>"
|
||||||
|
san:
|
||||||
|
dns:
|
||||||
|
- "ob-fido-uaf"
|
||||||
|
- "ob-fido-uaf.adn-agov-nevisidm-ob-01-uat"
|
||||||
|
email: []
|
|
@ -0,0 +1,12 @@
|
||||||
|
apiVersion: "operator.nevis-security.ch/v1"
|
||||||
|
kind: "NevisTrustStore"
|
||||||
|
metadata:
|
||||||
|
name: "ob-fido-uaf-default-signer-trust"
|
||||||
|
namespace: "adn-agov-nevisidm-ob-01-uat"
|
||||||
|
labels:
|
||||||
|
deploymentTarget: "ob-fido-uaf"
|
||||||
|
annotations:
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d990accd4fedae1acbc7109d"
|
||||||
|
spec:
|
||||||
|
keystores: []
|
|
@ -0,0 +1,18 @@
|
||||||
|
schemaVersion: 1.0
|
||||||
|
instance:
|
||||||
|
type: "nevisfido"
|
||||||
|
name: "default"
|
||||||
|
directory: "/var/opt/nevisfido/default"
|
||||||
|
pid: "systemctl show nevisfido@default -p MainPID | cut -d '=' -f2"
|
||||||
|
source:
|
||||||
|
url: "/nevisadmin/#/projects/DEFAULT-ADN-AGOV-WORK-OB-PROJECT/patterns/d990accd4fedae1acbc7109d"
|
||||||
|
projectKey: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT"
|
||||||
|
patternId: "d990accd4fedae1acbc7109d"
|
||||||
|
patternClass: "ch.nevis.admin.v4.plugin.nevisfido.deployable.patterns.NevisFIDODeployable"
|
||||||
|
resources:
|
||||||
|
ports:
|
||||||
|
- "0.0.0.0:9443"
|
||||||
|
control:
|
||||||
|
start: "systemctl restart nevisfido@default"
|
||||||
|
stop: "systemctl stop nevisfido@default"
|
||||||
|
status: "systemctl status nevisfido@default"
|
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC6TCCAo+gAwIBAgIQfcfd9dgdKT/5gdDbpAiKlDAKBggqhkjOPQQDAjAYMRYw
|
||||||
|
FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTI0MDUwNTE1NTAzOFoXDTI1MDUwNTE1
|
||||||
|
NTAzOFowWDELMAkGA1UEBhMCQ0gxDDAKBgNVBAgTA0s4UzEMMAoGA1UEBxMDSzhT
|
||||||
|
MQwwCgYDVQQKEwNLOFMxDDAKBgNVBAsTA0s4UzERMA8GA1UEAxMIZmlkby11YWYw
|
||||||
|
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWcQPIzUN2zbPkB3yISIGw
|
||||||
|
mDAd285YKm/ZLbE4WWw2SIHhjfh0XoYZ6QvLMENWcC8/iOX/6g6upQnYegzZKlST
|
||||||
|
Lix0zJjEbtMlK8fITiPhwziWPSOeqtuW66Rj+13G6kKYVtZ8vviu73LBDkXKHSNi
|
||||||
|
g4knNgACJpIItiDhOmtmD3Wsb8JAIQ161m7D3i2jr/kqBFKLc2DXcCHYSwxBXu3A
|
||||||
|
99iqWxoHfprL/L7RfxBo7mKbk+xjRvw6wFHBb76m6hd8fe4yg3g9zZTsZ5KeKqtA
|
||||||
|
8NT7CTG26F/MEBEmreU6NcNP62sYBkQiY+K5WweUs5qnDCAUPz+Upu0lX49ZDsvZ
|
||||||
|
AgMBAAGjga8wgawwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
|
||||||
|
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFPthGhYiMfCS8WJz
|
||||||
|
C+TRPH/IDi5RMEwGA1UdEQRFMEOCCGZpZG8tdWFmgiFmaWRvLXVhZi5hZG4tYWdv
|
||||||
|
di1uZXZpc2lkbS0wMS11YXSBFG5vcmVwbHlAbG9jYWwuZG9tYWluMAoGCCqGSM49
|
||||||
|
BAMCA0gAMEUCIBCueTTUwnN53/dIs6W4FpbFtF/wkAhYjLZGuKgY08ZAAiEA9VFz
|
||||||
|
WoaxaINHqGPR10Sh1hqeuCHRzHxnQUt07sZf2DU=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,30 @@
|
||||||
|
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||||
|
MIIFKzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUWtp2pbSNdJCf9jA9
|
||||||
|
KTzjbdorVLQCAggAMB0GCWCGSAFlAwQBKgQQb0NJGFGc8MxZaCZ71uYlEASCBND5
|
||||||
|
XhsSZKjT6CN02euPCcN5ssgXTfOlHG5hl4KcpNl/K61CH+gNH3rTzzao8utmd5ko
|
||||||
|
cWbl6o6nj2IdiU8IlaqI+VIR2nfHaqoGhJHfLbvPu/SItKTFjFTRRKddyKTIjN0o
|
||||||
|
eVbHMzt8pHvNKnNK2JmKQ+TqphGTaDIgEEqPRSniE6WHLGuCfG/VdaeRxTZldj9D
|
||||||
|
QDR41gC2kgDbsenkZZjhGEJpgM4g3mD7bc0IHMRG1wfSW8qyd+S+XxjYdgMJmffc
|
||||||
|
PCMPv3TJ0Xbxfw+BKED9WeSIaXfCFmVprNXhWhMMN8Z7o3WxigVo2oRkHWbhSff4
|
||||||
|
hFy4AQgyq8TOE1C2xeAcADEFagCHDdf0cs5LgwytpH5/0oTsm0+pFol6yEa7X1rF
|
||||||
|
Eu7NT8zLxXxqUdlCJ1A2AWbi17ER6snst4RfT7cCiI3d6q6IO2dsfuHSs17AHY2m
|
||||||
|
1KSfgVwH05o3W58ADUVuoZxtqCS0xMv2mvlTJ7xSb90R4hz5w1JBKjrYqq1Xy1Lr
|
||||||
|
pDc9kBEwJKtN9V63veUnHR5tFku9mVTEK6iykYWRNORexNEas5wsiuxrgaXtGN5G
|
||||||
|
ouhq9MCe5DI0coQOHM0Bvw1zfQ+wj8RUgrt0290WF0VtHW+zH0qbVHYZ6dKRY5YX
|
||||||
|
azzLvyu5AlH9p2MZr/+oZn6lgjmVEYq0UbsUvFoZy65qwi2XqL7FvXIVSVTgr7YY
|
||||||
|
hiODL4FBWJEevE+MujfOpOftzivdx1+/cuiQHcbqKlPQLnQXaUKI337u2o8uAEch
|
||||||
|
lP3AvI4DVi4m6IC9lo6657r8MqwMGmdEK9PRDPHUf7SP3HGX8fYArwRWILtHrcmc
|
||||||
|
/kHhKUkMxHduFb0nYQTVFnlpLEidcv6gYIVsh8Fx5pQWW+HyBD4sJuG7mLMgtmtY
|
||||||
|
vk9zayWbq0lw0Bb+E83vk9xtE0tUoFF/Wcl2nBf5PjfCqesGqr9CHElcQGfcINCg
|
||||||
|
3llXoeceN868e5DKgtQE6Fp5KukclgeeeX4kPj+UK7x4UGtdGcdghwH6EO7McQX1
|
||||||
|
67kyLDcF4p5HnrzEhP2CVcVDHXoeykMCitvHaInwmJQsR209PVa/XxXB8YoMAAV1
|
||||||
|
DB3GT024dAxFEl5r1HJm3A7BiFFuvQdUi+recFGKfmSNZ1Pwp2+8DV7UiAYLJ5Wf
|
||||||
|
o/aAwUQByITI3fBPvmEAA86FeWwtQ5BG5e+q7imH1ooOzrHQzaqwzQKU+IQCzaDF
|
||||||
|
sAqMtSD/hzIRjMKOSAL8bA2SVIXlLUnulWjPwW9zhUTv9yS1q2EsiFUJnOyq7iAI
|
||||||
|
fX72qEBvBXLFBdGhotMAXeg1YsXLUxbldqAWuPxpZMQ5S6J7GZZloXSe1Gy/ZZh4
|
||||||
|
tKD8qQTS5Rfwiqxxo3kgaB/z0qG99pTB/wWv4fwnv6lFjJRjgyGONRYIGCVCFH2X
|
||||||
|
mdV2rTUxtwB1cIr71ksA64O3YkUObyfT8gSbLjPoBDBBPQQ3crbaQdiOjGUE9zUF
|
||||||
|
8kp3/mVj/kBCNtlc4dR/lJGuM97h2OpR5sLvb/5TN9C3tcXUyRmDjqJY/eX9ui0D
|
||||||
|
pEe6juN9Wy1yZtHauTIK0dqol+DJr56mMdMzBBmDagdr17Q2XK+GKrp5Z9rPbXJv
|
||||||
|
8qjMHKVFlbQRMtOY8N/PQenRyl1XmZIPk9HWj+9+6w==
|
||||||
|
-----END ENCRYPTED PRIVATE KEY-----
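Review bot: The private key in this hunk is protected only by the passphrase committed two hunks later in the two-line keypass script (the `echo '…'` line), so together they amount to a clear-text key in the repository history; the 49-line `ENCRYPTED PRIVATE KEY` hunk after it repeats the same key material. Judging by the adjacent certificate this is presumably the `ob-fido-uaf` server identity, which the XML side consumes at runtime via `privateKey="…/keystore.jks"` and `passPhrase="pipe:///var/opt/keys/own/…/keypass"`, so the components need these files on the pod, not in git. Once a key and its passphrase are in history they should be treated as disclosed: reissue the identity against the self-signed CA and deliver key and passphrase through a mounted Secret or external secret store, keeping only the reference in the repository. A secret scanner in pre-commit or CI would catch the next generated inventory that includes key material.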
|
|
@ -0,0 +1,2 @@
|
||||||
|
#!/bin/bash
|
||||||
|
echo 'Hsk+IJIkp1oGu8i1S+w6p2QMDB+9WFSNjNlSYdUCfA8='
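Review bot: The keystore passphrase is embedded as a plaintext literal in the `echo` on the second line, so it is now committed to git history next to the encrypted private keys added in this same commit; the `${exec:…/keypass}` entries in the nevisfido.yml hunk resolve scripts of exactly this shape, so the PKCS#8 encryption no longer protects anything. The passphrase and the keys it unlocks should be treated as exposed and rotated, and the script should read the value from a mounted secret instead, e.g. `printf '%s' "$KEYSTORE_PASSPHRASE"` with the variable injected from a Kubernetes Secret, and the literal purged from history if this repository is shared. A header comment such as `# passphrase is injected from a mounted secret; never commit a literal here` would make the intent survive the next generated configuration version, and a pre-commit secret scanner would have caught this before push.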
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,49 @@
|
||||||
|
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||||
|
MIIFKzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUWtp2pbSNdJCf9jA9
|
||||||
|
KTzjbdorVLQCAggAMB0GCWCGSAFlAwQBKgQQb0NJGFGc8MxZaCZ71uYlEASCBND5
|
||||||
|
XhsSZKjT6CN02euPCcN5ssgXTfOlHG5hl4KcpNl/K61CH+gNH3rTzzao8utmd5ko
|
||||||
|
cWbl6o6nj2IdiU8IlaqI+VIR2nfHaqoGhJHfLbvPu/SItKTFjFTRRKddyKTIjN0o
|
||||||
|
eVbHMzt8pHvNKnNK2JmKQ+TqphGTaDIgEEqPRSniE6WHLGuCfG/VdaeRxTZldj9D
|
||||||
|
QDR41gC2kgDbsenkZZjhGEJpgM4g3mD7bc0IHMRG1wfSW8qyd+S+XxjYdgMJmffc
|
||||||
|
PCMPv3TJ0Xbxfw+BKED9WeSIaXfCFmVprNXhWhMMN8Z7o3WxigVo2oRkHWbhSff4
|
||||||
|
hFy4AQgyq8TOE1C2xeAcADEFagCHDdf0cs5LgwytpH5/0oTsm0+pFol6yEa7X1rF
|
||||||
|
Eu7NT8zLxXxqUdlCJ1A2AWbi17ER6snst4RfT7cCiI3d6q6IO2dsfuHSs17AHY2m
|
||||||
|
1KSfgVwH05o3W58ADUVuoZxtqCS0xMv2mvlTJ7xSb90R4hz5w1JBKjrYqq1Xy1Lr
|
||||||
|
pDc9kBEwJKtN9V63veUnHR5tFku9mVTEK6iykYWRNORexNEas5wsiuxrgaXtGN5G
|
||||||
|
ouhq9MCe5DI0coQOHM0Bvw1zfQ+wj8RUgrt0290WF0VtHW+zH0qbVHYZ6dKRY5YX
|
||||||
|
azzLvyu5AlH9p2MZr/+oZn6lgjmVEYq0UbsUvFoZy65qwi2XqL7FvXIVSVTgr7YY
|
||||||
|
hiODL4FBWJEevE+MujfOpOftzivdx1+/cuiQHcbqKlPQLnQXaUKI337u2o8uAEch
|
||||||
|
lP3AvI4DVi4m6IC9lo6657r8MqwMGmdEK9PRDPHUf7SP3HGX8fYArwRWILtHrcmc
|
||||||
|
/kHhKUkMxHduFb0nYQTVFnlpLEidcv6gYIVsh8Fx5pQWW+HyBD4sJuG7mLMgtmtY
|
||||||
|
vk9zayWbq0lw0Bb+E83vk9xtE0tUoFF/Wcl2nBf5PjfCqesGqr9CHElcQGfcINCg
|
||||||
|
3llXoeceN868e5DKgtQE6Fp5KukclgeeeX4kPj+UK7x4UGtdGcdghwH6EO7McQX1
|
||||||
|
67kyLDcF4p5HnrzEhP2CVcVDHXoeykMCitvHaInwmJQsR209PVa/XxXB8YoMAAV1
|
||||||
|
DB3GT024dAxFEl5r1HJm3A7BiFFuvQdUi+recFGKfmSNZ1Pwp2+8DV7UiAYLJ5Wf
|
||||||
|
o/aAwUQByITI3fBPvmEAA86FeWwtQ5BG5e+q7imH1ooOzrHQzaqwzQKU+IQCzaDF
|
||||||
|
sAqMtSD/hzIRjMKOSAL8bA2SVIXlLUnulWjPwW9zhUTv9yS1q2EsiFUJnOyq7iAI
|
||||||
|
fX72qEBvBXLFBdGhotMAXeg1YsXLUxbldqAWuPxpZMQ5S6J7GZZloXSe1Gy/ZZh4
|
||||||
|
tKD8qQTS5Rfwiqxxo3kgaB/z0qG99pTB/wWv4fwnv6lFjJRjgyGONRYIGCVCFH2X
|
||||||
|
mdV2rTUxtwB1cIr71ksA64O3YkUObyfT8gSbLjPoBDBBPQQ3crbaQdiOjGUE9zUF
|
||||||
|
8kp3/mVj/kBCNtlc4dR/lJGuM97h2OpR5sLvb/5TN9C3tcXUyRmDjqJY/eX9ui0D
|
||||||
|
pEe6juN9Wy1yZtHauTIK0dqol+DJr56mMdMzBBmDagdr17Q2XK+GKrp5Z9rPbXJv
|
||||||
|
8qjMHKVFlbQRMtOY8N/PQenRyl1XmZIPk9HWj+9+6w==
|
||||||
|
-----END ENCRYPTED PRIVATE KEY-----
|
||||||
|
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC6TCCAo+gAwIBAgIQfcfd9dgdKT/5gdDbpAiKlDAKBggqhkjOPQQDAjAYMRYw
|
||||||
|
FAYDVQQDEw1zZWxmc2lnbmVkLWNhMB4XDTI0MDUwNTE1NTAzOFoXDTI1MDUwNTE1
|
||||||
|
NTAzOFowWDELMAkGA1UEBhMCQ0gxDDAKBgNVBAgTA0s4UzEMMAoGA1UEBxMDSzhT
|
||||||
|
MQwwCgYDVQQKEwNLOFMxDDAKBgNVBAsTA0s4UzERMA8GA1UEAxMIZmlkby11YWYw
|
||||||
|
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWcQPIzUN2zbPkB3yISIGw
|
||||||
|
mDAd285YKm/ZLbE4WWw2SIHhjfh0XoYZ6QvLMENWcC8/iOX/6g6upQnYegzZKlST
|
||||||
|
Lix0zJjEbtMlK8fITiPhwziWPSOeqtuW66Rj+13G6kKYVtZ8vviu73LBDkXKHSNi
|
||||||
|
g4knNgACJpIItiDhOmtmD3Wsb8JAIQ161m7D3i2jr/kqBFKLc2DXcCHYSwxBXu3A
|
||||||
|
99iqWxoHfprL/L7RfxBo7mKbk+xjRvw6wFHBb76m6hd8fe4yg3g9zZTsZ5KeKqtA
|
||||||
|
8NT7CTG26F/MEBEmreU6NcNP62sYBkQiY+K5WweUs5qnDCAUPz+Upu0lX49ZDsvZ
|
||||||
|
AgMBAAGjga8wgawwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
|
||||||
|
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFPthGhYiMfCS8WJz
|
||||||
|
C+TRPH/IDi5RMEwGA1UdEQRFMEOCCGZpZG8tdWFmgiFmaWRvLXVhZi5hZG4tYWdv
|
||||||
|
di1uZXZpc2lkbS0wMS11YXSBFG5vcmVwbHlAbG9jYWwuZG9tYWluMAoGCCqGSM49
|
||||||
|
BAMCA0gAMEUCIBCueTTUwnN53/dIs6W4FpbFtF/wkAhYjLZGuKgY08ZAAiEA9VFz
|
||||||
|
WoaxaINHqGPR10Sh1hqeuCHRzHxnQUt07sZf2DU=
|
||||||
|
-----END CERTIFICATE-----
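Review bot: This file adds an encrypted PKCS#8 private key to the repository, and its base64 body is identical to the key in the preceding hunk as far as that hunk is visible, so the same key is now stored under two files; combined with the plaintext passphrase script in this commit, the encryption is nominal. Private keys should reach the pod through the operator's secret handling rather than a git-tracked configuration tree, and this key should be rotated now that it has been committed. From the decoded issuer and validity fields the accompanying certificate appears to be self-signed and valid for one year from 2024-05-05, with subject and SAN names of `fido-uaf`; if that reading is right, expiry needs tracking, and the host the proxy connector dials in this commit (`ob-fido-uaf`) is not among the names I can decode, which matters if this is the identity served on port 9443.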
|
|
@ -0,0 +1,10 @@
|
||||||
|
RUN_ARGS="--config conf/nevisfido.yml --log-config conf/logging.yml"
|
||||||
|
|
||||||
|
JAVA_OPTS=(
|
||||||
|
"-XX:+UseContainerSupport"
|
||||||
|
"-XX:MaxRAMPercentage=80.0"
|
||||||
|
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||||
|
"-Dotel.javaagent.logging=application"
|
||||||
|
"-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
|
||||||
|
"-Dotel.resource.attributes=service.version=8.2405.0,service.instance.id=$HOSTNAME"
|
||||||
|
)
|
|
@ -0,0 +1,21 @@
|
||||||
|
Configuration:
|
||||||
|
monitorInterval: 60
|
||||||
|
Appenders:
|
||||||
|
Console:
|
||||||
|
- name: "SERVER"
|
||||||
|
target: "SYSTEM_OUT"
|
||||||
|
PatternLayout:
|
||||||
|
pattern: "[nevisfido.log] %d{ISO8601} %-15.15t %mdc{trace_id} %mdc{span_id} %-40.40c %-5.5p %m%n"
|
||||||
|
RegexFilter:
|
||||||
|
regex: ".*GET /nevisfido/liveness.*"
|
||||||
|
onMatch: "DENY"
|
||||||
|
onMismatch: "ACCEPT"
|
||||||
|
Loggers:
|
||||||
|
Logger:
|
||||||
|
- name: "ch.nevis.auth.fido.application.Application"
|
||||||
|
level: "INFO"
|
||||||
|
Root:
|
||||||
|
level: "WARN"
|
||||||
|
additivity: "false"
|
||||||
|
AppenderRef:
|
||||||
|
- ref: "SERVER"
|
|
@ -0,0 +1,231 @@
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#0001",
|
||||||
|
"description" : "Android NEVIS Mobile Authentication PIN Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 4
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 9,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 1,
|
||||||
|
"matcherProtection" : 1,
|
||||||
|
"publicKeyAlgAndEncoding" : 256,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#0002",
|
||||||
|
"description" : "Android NEVIS Mobile Authentication Fingerprint Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 2
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 9,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 4,
|
||||||
|
"matcherProtection" : 2,
|
||||||
|
"publicKeyAlgAndEncoding" : 256,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#0003",
|
||||||
|
"description" : "Android NEVIS Mobile Authentication Biometric Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 346
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 9,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 4,
|
||||||
|
"matcherProtection" : 2,
|
||||||
|
"publicKeyAlgAndEncoding" : 256,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#0004",
|
||||||
|
"description" : "Android NEVIS Mobile Authentication Device Passcode Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 132
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 9,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 4,
|
||||||
|
"matcherProtection" : 2,
|
||||||
|
"publicKeyAlgAndEncoding" : 259,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#0005",
|
||||||
|
"description" : "Android NEVIS Mobile Authentication Password Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 4
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 9,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 1,
|
||||||
|
"matcherProtection" : 1,
|
||||||
|
"publicKeyAlgAndEncoding" : 256,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#1001",
|
||||||
|
"description" : "iOS NEVIS Mobile Authentication PIN Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 4
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 2,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 1,
|
||||||
|
"matcherProtection" : 1,
|
||||||
|
"publicKeyAlgAndEncoding" : 257,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#1002",
|
||||||
|
"description" : "iOS NEVIS Mobile Authentication Fingerprint Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 2
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 2,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 6,
|
||||||
|
"matcherProtection" : 2,
|
||||||
|
"publicKeyAlgAndEncoding" : 257,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#1003",
|
||||||
|
"description" : "iOS NEVIS Mobile Authentication Face Recognition Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 16
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 2,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 6,
|
||||||
|
"matcherProtection" : 2,
|
||||||
|
"publicKeyAlgAndEncoding" : 257,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#1004",
|
||||||
|
"description" : "iOS NEVIS Mobile Authentication Device Passcode Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 4
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 2,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 6,
|
||||||
|
"matcherProtection" : 2,
|
||||||
|
"publicKeyAlgAndEncoding" : 257,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"aaid" : "F1D0#1005",
|
||||||
|
"description" : "iOS NEVIS Mobile Authentication Password Authenticator",
|
||||||
|
"assertionScheme" : "UAFV1TLV",
|
||||||
|
"attestationRootCertificates" : [],
|
||||||
|
"attestationTypes" : [ 15880 ],
|
||||||
|
"upv" : [ {
|
||||||
|
"major" : 1,
|
||||||
|
"minor" : 1
|
||||||
|
} ],
|
||||||
|
"userVerificationDetails" : [ [ {
|
||||||
|
"userVerification" : 4
|
||||||
|
} ] ],
|
||||||
|
"attachmentHint" : 1,
|
||||||
|
"authenticationAlgorithm" : 2,
|
||||||
|
"authenticatorVersion" : 1,
|
||||||
|
"isSecondFactorOnly" : false,
|
||||||
|
"keyProtection" : 1,
|
||||||
|
"matcherProtection" : 1,
|
||||||
|
"publicKeyAlgAndEncoding" : 257,
|
||||||
|
"tcDisplay" : 1,
|
||||||
|
"tcDisplayContentType" : "text/plain"
|
||||||
|
}]
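Review bot: Every authenticator entry sets `"attestationRootCertificates" : []` while declaring `"attestationTypes" : [ 15880 ]`; if 15880 (0x3E08) is the UAF surrogate-basic attestation tag as I read it, the server has no root to verify attestation against, so the `aaid` a client reports is self-asserted. The policy files in this commit select authenticators purely by `aaid` (for example the biometric-only list), which then expresses what the client claims rather than a property the server can enforce. That may be the intended trust model, but it should be stated in the pattern or README documentation so nobody reads the policies as a hard guarantee of the verification method used.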
|
|
@ -0,0 +1,104 @@
|
||||||
|
server:
|
||||||
|
port: 9443
|
||||||
|
host: 0.0.0.0
|
||||||
|
protocol: https
|
||||||
|
tls:
|
||||||
|
keystore: /var/opt/keys/own/ob-fido-uaf-default-server-identity/keystore.p12
|
||||||
|
keystore-passphrase: ${exec:/var/opt/keys/own/ob-fido-uaf-default-server-identity/keypass}
|
||||||
|
keystore-type: pkcs12
|
||||||
|
truststore: /var/opt/keys/trust/ob-fido-uaf-default-client-trust/truststore.p12
|
||||||
|
truststore-passphrase: ${exec:/var/opt/keys/trust/ob-fido-uaf-default-client-trust/keypass}
|
||||||
|
truststore-type: pkcs12
|
||||||
|
|
||||||
|
management:
|
||||||
|
server:
|
||||||
|
port: 9089
|
||||||
|
healthchecks:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
credential-repository:
|
||||||
|
type: nevisidm
|
||||||
|
rest-url: https://idm.adn-agov-nevisidm-01-uat:8989/nevisidm
|
||||||
|
administration-url: https://idm.adn-agov-nevisidm-01-uat:8989/nevisidm/services/v1_46/AdminService
|
||||||
|
keystore: /var/opt/keys/own/nevisfido-techuser-key/keystore.p12
|
||||||
|
keystore-passphrase: ${exec:/var/opt/keys/own/nevisfido-techuser-key/keypass}
|
||||||
|
keystore-type: pkcs12
|
||||||
|
truststore: /var/opt/keys/trust/ob-fido-uaf-agov-work-internal-trust-store/truststore.p12
|
||||||
|
truststore-passphrase: ${exec:/var/opt/keys/trust/ob-fido-uaf-agov-work-internal-trust-store/keypass}
|
||||||
|
truststore-type: pkcs12
|
||||||
|
admin-service-version: v1_46
|
||||||
|
client-id: 100
|
||||||
|
user-attribute: extId
|
||||||
|
|
||||||
|
session-repository:
|
||||||
|
type: in-memory
|
||||||
|
jdbc-url:
|
||||||
|
max-connection-lifetime:
|
||||||
|
user:
|
||||||
|
password:
|
||||||
|
schema-user:
|
||||||
|
schema-user-password:
|
||||||
|
automatic-db-schema-setup: false
|
||||||
|
|
||||||
|
fido-uaf:
|
||||||
|
enabled: true
|
||||||
|
app-id: https://auth.agov-w.azure.adnovum.net//nevisfido/uaf/1.1/facets
|
||||||
|
facets:
|
||||||
|
- android:apk-key-hash:kdcDr+sJVydAkZ6nT/HR3UpJFSd+vPORXLww8DIHV7c
|
||||||
|
- ios:bundle-id:ch.nevis.accessapp
|
||||||
|
- android:apk-key-hash:ch.nevis.mobile.authentication.sdk.android.example
|
||||||
|
- android:apk-key-hash:ch.nevis.mobile.authentication.sdk.flutter.example
|
||||||
|
- android:apk-key-hash:ch.nevis.mobile.authentication.sdk.react.example
|
||||||
|
- ios:bundle-id:ch.nevis.mobile.authentication.sdk.ios.example
|
||||||
|
- ios:bundle-id:ch.nevis.mobile.authentication.sdk.flutter.example
|
||||||
|
- ios:bundle-id:ch.nevis.mobile.authentication.sdk.objc.proxy.example
|
||||||
|
- ios:bundle-id:ch.nevis.mobile.authentication.sdk.react.example
|
||||||
|
metadata:
|
||||||
|
path: conf/metadata/metadata.json
|
||||||
|
policy:
|
||||||
|
path: conf/policy/
|
||||||
|
timeout:
|
||||||
|
registration: 600s
|
||||||
|
authentication: 600s
|
||||||
|
token-registration: 600s
|
||||||
|
token-authentication: 600s
|
||||||
|
token-deregistration: 600s
|
||||||
|
transaction-confirmation:
|
||||||
|
max-text-length: 2000
|
||||||
|
authorization:
|
||||||
|
registration:
|
||||||
|
type: sectoken
|
||||||
|
truststore: /var/opt/keys/trust/ob-fido-uaf-default-signer-trust/truststore.p12
|
||||||
|
truststore-passphrase: ${exec:/var/opt/keys/trust/ob-fido-uaf-default-signer-trust/keypass}
|
||||||
|
truststore-type: pkcs12
|
||||||
|
username-attribute-names:
|
||||||
|
- loginId
|
||||||
|
- userid
|
||||||
|
authentication:
|
||||||
|
type: none
|
||||||
|
deregistration:
|
||||||
|
type: sectoken
|
||||||
|
truststore: /var/opt/keys/trust/ob-fido-uaf-default-signer-trust/truststore.p12
|
||||||
|
truststore-passphrase: ${exec:/var/opt/keys/trust/ob-fido-uaf-default-signer-trust/keypass}
|
||||||
|
truststore-type: pkcs12
|
||||||
|
username-attribute-names:
|
||||||
|
- loginId
|
||||||
|
- userid
|
||||||
|
create-dispatch-target:
|
||||||
|
type: sectoken
|
||||||
|
truststore: /var/opt/keys/trust/ob-fido-uaf-default-signer-trust/truststore.p12
|
||||||
|
truststore-passphrase: ${exec:/var/opt/keys/trust/ob-fido-uaf-default-signer-trust/keypass}
|
||||||
|
truststore-type: pkcs12
|
||||||
|
username-attribute-names:
|
||||||
|
- loginId
|
||||||
|
- userid
|
||||||
|
query-dispatch-target:
|
||||||
|
type: none
|
||||||
|
delete-dispatch-target:
|
||||||
|
type: sectoken
|
||||||
|
truststore: /var/opt/keys/trust/ob-fido-uaf-default-signer-trust/truststore.p12
|
||||||
|
truststore-passphrase: ${exec:/var/opt/keys/trust/ob-fido-uaf-default-signer-trust/keypass}
|
||||||
|
truststore-type: pkcs12
|
||||||
|
username-attribute-names:
|
||||||
|
- userid
|
||||||
|
dispatchers: []
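Review bot: The `facets` list under `fido-uaf` trusts the vendor's sample applications (`ch.nevis.mobile.authentication.sdk.*.example` bundle ids) in what the `rest-url` host marks as a UAT namespace, and the three `android:apk-key-hash:` entries carry package names rather than base64 signing-key hashes, so they can never match a real client and are dead configuration; the list should be reduced to `ch.nevis.accessapp` and the real APK key hash before this reaches production. `app-id: https://auth.agov-w.azure.adnovum.net//nevisfido/uaf/1.1/facets` contains a double slash; the AppID must agree exactly with what the apps are built with, and the single-slash path `/nevisfido/uaf/1.1/facets` is the one the servlet-mapping in this commit exposes, so a request for the double-slash form may not be routed. `session-repository` is `in-memory`, which means registration and authentication sessions do not survive a pod restart and cannot be shared between replicas; that is acceptable for a single-replica UAT deployment but deserves a comment next to `type: in-memory`.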
|
|
@ -0,0 +1,4 @@
|
||||||
|
otel.service.name = ob-fido-uaf
|
||||||
|
otel.traces.exporter = none
|
||||||
|
otel.metrics.exporter = none
|
||||||
|
otel.logs.exporter = none
|
|
@ -0,0 +1,24 @@
|
||||||
|
{
|
||||||
|
"accepted": [
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#0002"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#0003"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#1002"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#1003"]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
]
|
||||||
|
}
|
|
@ -0,0 +1,44 @@
|
||||||
|
{
|
||||||
|
"accepted": [
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#0001"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#0002"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#0003"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#0004"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#1001"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#1002"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#1003"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#1004"]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
]
|
||||||
|
}
|
|
@ -0,0 +1,14 @@
|
||||||
|
{
|
||||||
|
"accepted": [
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#0001"]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"aaid": ["F1D0#1001"]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
]
|
||||||
|
}
|
|
@ -0,0 +1,47 @@
|
||||||
|
import sys
|
||||||
|
import time
|
||||||
|
import urllib.request, urllib.error, urllib.parse
|
||||||
|
|
||||||
|
health_endpoint = 'http://localhost:9089/nevisfido/health'
|
||||||
|
log_file_path = '/var/opt/nevisfido/default/log/nevisfido.log'
|
||||||
|
|
||||||
|
# Calls nevisFIDO's health check endpoint repeatedly to determine whether it is up and running
|
||||||
|
# Returns True if the service is available or False otherwise
|
||||||
|
def is_nevisfido_healthy():
|
||||||
|
for timeout in [0.1, 2, 4, 8, 16, 30]:
|
||||||
|
try:
|
||||||
|
time.sleep(timeout)
|
||||||
|
response = urllib.request.urlopen(health_endpoint)
|
||||||
|
if response.getcode() == 200:
|
||||||
|
return True
|
||||||
|
except urllib.error.URLError:
|
||||||
|
continue
|
||||||
|
return False
|
||||||
|
|
||||||
|
# Parses the nevisFIDO logs for the last error registered and raises and exception about it.
|
||||||
|
def raise_last_error_in_log():
|
||||||
|
event_buffer = []
|
||||||
|
for line in reversed(open(log_file_path).readlines()):
|
||||||
|
stripped_line = line.rstrip()
|
||||||
|
event_buffer.append(stripped_line)
|
||||||
|
if '[main] ERROR' in stripped_line:
|
||||||
|
raise Exception('\n'.join(reversed(event_buffer)))
|
||||||
|
break
|
||||||
|
# Log events (by default) starts with logging the time in the following format: '2019-11-04 12:44:45,071 21512 [main]'
|
||||||
|
# but these events can be multi-lined.
|
||||||
|
# We check here whether the current line is a start of a new event - in which case we flush the buffer.
|
||||||
|
if is_year(stripped_line[:4]):
|
||||||
|
event_buffer = []
|
||||||
|
|
||||||
|
# This method returns True if the provided string can be parsed to a year (4 digit int), or False otherwise.
|
||||||
|
def is_year(str):
|
||||||
|
try:
|
||||||
|
return int(str) > 999 and int(str) < 10000
|
||||||
|
except ValueError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
if is_nevisfido_healthy():
|
||||||
|
sys.exit(0)
|
||||||
|
else:
|
||||||
|
raise_last_error_in_log()
|
||||||
|
sys.exit(1)
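Review bot: `urllib.request.urlopen(health_endpoint)` has no timeout, so a listener that accepts the connection but never answers blocks the probe indefinitely instead of falling through to the next back-off step; pass one, e.g. `response = urllib.request.urlopen(health_endpoint, timeout=5)`. In `raise_last_error_in_log` the file from `open(log_file_path)` is never closed and the `break` after `raise Exception(...)` is unreachable; read it with `with open(log_file_path) as log: lines = log.readlines()` and drop the `break`. The logging configuration added in this commit only defines a Console appender to `SYSTEM_OUT`, so unless something else writes `/var/opt/nevisfido/default/log/nevisfido.log`, a failed health check ends in `FileNotFoundError` from `open` rather than the last logged error; a comment stating who produces that file would make the assumption explicit. `is_year(str)` shadows the builtin `str`; a parameter name such as `text` avoids confusion.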
|
|
@ -46,7 +46,7 @@ spec:
|
||||||
podDisruptionBudget:
|
podDisruptionBudget:
|
||||||
maxUnavailable: "50%"
|
maxUnavailable: "50%"
|
||||||
git:
|
git:
|
||||||
tag: "r-f65a315ec4cfd8575904ed12349257a59adbd1e2"
|
tag: "r-4d495f8f73f00597da5fbe633d85d96ac04db24e"
|
||||||
dir: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-proxy"
|
dir: "DEFAULT-ADN-AGOV-WORK-OB-PROJECT/DEFAULT-DEFAULT-ADN-AGOV-OB-INV/ob-proxy"
|
||||||
credentials: "git-credentials"
|
credentials: "git-credentials"
|
||||||
keystores:
|
keystores:
|
||||||
|
|
|
@ -282,6 +282,22 @@
|
||||||
<listener>
|
<listener>
|
||||||
<listener-class>ch::nevis::isiweb4::listener::SessionListener</listener-class>
|
<listener-class>ch::nevis::isiweb4::listener::SessionListener</listener-class>
|
||||||
</listener>
|
</listener>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<servlet>
|
||||||
|
<servlet-name>Connector_NevisFIDO</servlet-name>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<servlet-class>ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet</servlet-class>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<init-param>
|
||||||
|
<param-name>AutoRewrite</param-name>
|
||||||
|
<param-value>none</param-value>
|
||||||
|
</init-param>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<init-param>
|
||||||
|
<param-name>InetAddress</param-name>
|
||||||
|
<param-value>ob-fido-uaf:9443</param-value>
|
||||||
|
</init-param>
|
||||||
|
</servlet>
|
||||||
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
<!-- source: pattern://6e7b5a087711bd0ada9985fe -->
|
||||||
<servlet>
|
<servlet>
|
||||||
<servlet-name>Connector_ob-realm</servlet-name>
|
<servlet-name>Connector_ob-realm</servlet-name>
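Review bot: The new `Connector_NevisFIDO` servlet points `InetAddress` at `ob-fido-uaf:9443` with no trust or client-identity parameters visible in this hunk; the nevisfido.yml added in this commit configures a `truststore` on its server TLS block, which suggests this hop is meant to be mutually authenticated, so the connector's keystore/truststore settings should be confirmed wherever they are defined outside this hunk. The certificate committed earlier in this commit carries subject and SAN names of `fido-uaf` as far as I can decode them, not `ob-fido-uaf`; if that is the identity served on 9443, hostname verification on this connector will fail. A comment on the servlet, `<!-- backend: nevisFIDO UAF server over mutual TLS; keystore/truststore: <where-configured> -->`, would tie the two files together for the next reader.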
|
||||||
|
@ -418,6 +434,31 @@
|
||||||
<param-value>/nevislogrend</param-value>
|
<param-value>/nevislogrend</param-value>
|
||||||
</init-param>
|
</init-param>
|
||||||
</servlet>
|
</servlet>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<servlet-mapping>
|
||||||
|
<servlet-name>Connector_NevisFIDO</servlet-name>
|
||||||
|
<url-pattern>/nevisfido/devices/credentials/*</url-pattern>
|
||||||
|
</servlet-mapping>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<servlet-mapping>
|
||||||
|
<servlet-name>Connector_NevisFIDO</servlet-name>
|
||||||
|
<url-pattern>/nevisfido/token/dispatch/targets/*</url-pattern>
|
||||||
|
</servlet-mapping>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<servlet-mapping>
|
||||||
|
<servlet-name>Connector_NevisFIDO</servlet-name>
|
||||||
|
<url-pattern>/nevisfido/token/redeem/registration</url-pattern>
|
||||||
|
</servlet-mapping>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<servlet-mapping>
|
||||||
|
<servlet-name>Connector_NevisFIDO</servlet-name>
|
||||||
|
<url-pattern>/nevisfido/uaf/1.1/facets</url-pattern>
|
||||||
|
</servlet-mapping>
|
||||||
|
<!-- source: pattern://25bdd7e6f5b76694f6688ab8 -->
|
||||||
|
<servlet-mapping>
|
||||||
|
<servlet-name>Connector_NevisFIDO</servlet-name>
|
||||||
|
<url-pattern>/nevisfido/uaf/1.1/registration/</url-pattern>
|
||||||
|
</servlet-mapping>
|
||||||
<!-- source: pattern://bed300e1196a171ca12db431 -->
|
<!-- source: pattern://bed300e1196a171ca12db431 -->
|
||||||
<servlet-mapping>
|
<servlet-mapping>
|
||||||
<servlet-name>NevisLogrendConnector_ob-logrend</servlet-name>
|
<servlet-name>NevisLogrendConnector_ob-logrend</servlet-name>
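Review bot: The mapping `/nevisfido/token/dispatch/targets/*` routes the dispatch-target API through the proxy, and the nevisfido.yml in this commit sets `query-dispatch-target: type: none`, so a GET on that path reaches nevisFIDO without any token check; `/nevisfido/devices/credentials/*` is exposed the same way. Unless a `filter-mapping` outside this hunk authenticates these URL patterns before the connector, they are reachable by anyone who can reach the proxy and would disclose registered device and dispatch information, so that filter-mapping should be confirmed as part of this change. `<url-pattern>/nevisfido/uaf/1.1/registration/</url-pattern>` is an exact-match pattern under the servlet specification (no trailing `/*`), so if nevisFIDO serves sub-paths beneath it they will not be routed; use `/nevisfido/uaf/1.1/registration/*` in that case, and note that no `authentication` endpoint is mapped here at all, which is worth a comment if it is intentionally served elsewhere.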
|
||||||