new configuration version
parent
a39960ad3a
commit
3542fe6754
@ -45,7 +45,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-621ede89458f283cbfccdeb8f940bdd13fc87352"
|
||||
tag: "r-76cf157bd18ad492e7eea17645c765177d3ffea5"
|
||||
dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
|
|
|
@ -12,5 +12,3 @@ spec:
|
|||
keystores:
|
||||
- name: "npi-cossa-realm-identity"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
- name: "npi-mockrelam-identity"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE esauth-server SYSTEM "/opt/nevisauth/dtd/esauth4.dtd">
|
||||
<esauth-server instance="nai">
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622, pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622, pattern://b67f81a971e4c08aa79040a2 -->
|
||||
<SessionCoordinator sessionInitialInactivityTimeout="600" sessionInactivityTimeout="28800" sessionMaxLifetime="28800" sessionIdPreGenerate="true">
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
||||
<LocalSessionStore maxSessions="100000"/>
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
||||
<TokenAssembler name="DefaultTokenAssembler">
|
||||
<Selector default="true"/>
|
||||
<!-- source: pattern://b67f81a971e4c08aa79040a2, pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
||||
<TokenSpec ttl="28800">
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
||||
<field src="session" key="ch.nevis.session.sessid" as="sessid"/>
|
||||
|
@ -45,87 +45,84 @@
|
|||
</SessionCoordinator>
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622 -->
|
||||
<LocalOutOfContextDataStore reaperPeriod="60"/>
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622, pattern://8523f0587aa8cfa7008f8171, pattern://6ec6739e824c8e56d9633622 -->
|
||||
<!-- source: pattern://6ec6739e824c8e56d9633622, pattern://b67f81a971e4c08aa79040a2 -->
|
||||
<AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin" propagateSession="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Domain name="MockRelam" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
|
||||
<Entry method="authenticate" state="MockRelam_DispatchMockRequests"/>
|
||||
<Entry method="stepup" state="MockRelam_Selector"/>
|
||||
</Domain>
|
||||
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
||||
<Domain name="cossa_realm" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
|
||||
<Entry method="authenticate" state="cossa_realm_AuthorizationServer"/>
|
||||
<Entry method="authenticate" state="cossa_realm_AuthorizationServer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
||||
<Entry method="authenticate" state="cossa_realm_TokenExchangeEndpoint"/>
|
||||
<Entry method="authenticate" state="cossa_realm_TokenExchangeEndpoint" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
||||
<Entry method="logout" state="cossa_realm_AuthorizationServer"/>
|
||||
<Entry method="logout" state="cossa_realm_AuthorizationServer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
||||
<Entry method="stepup" state="cossa_realm_Selector"/>
|
||||
<Entry method="stepup" state="cossa_realm_AuthorizationServer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
||||
<Entry method="stepup" state="cossa_realm_TokenExchangeEndpoint" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
|
||||
</Domain>
|
||||
<AuthState name="MockRelam_DispatchMockRequests" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<ResultCond name="metadata" next="MockRelam_MetadataMock"/>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<ResultCond name="nomatch" next="MockRelam_KlpApiMock"/>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<AuthState name="cossa_realm_TokenExchangeEndpoint" class="ch.adnovum.cossa.TokenExchangeEndpoint" authLevel="auth.weak" final="false" resumeState="true">
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="failed" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="invalid_client" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="invalid_grant" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="invalid_request" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="invalid_scope" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="ok" next="cossa_realm_IdTokenVerification"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="refresh_token" next="cossa_realm_RewriteRequestForAuthorizationServerAuthstate"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="unauthorized_client" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<ResultCond name="unsupported_grant_type" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<Response value="AUTH_CONTINUE">
|
||||
<!-- source: pattern://89578db79d2bc15d55e11141 -->
|
||||
<Gui name="Default"/>
|
||||
</Response>
|
||||
<propertyRef name="cossa_realm_AuthorizationServer"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_auth_failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<Gui name="Error">
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<GuiElem name="info" type="error" label="error_99"/>
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
||||
</Gui>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_IdTokenVerification" class="ch.adnovum.cossa.IdTokenVerification" final="false" resumeState="false">
|
||||
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
||||
<ResultCond name="failed" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
||||
<ResultCond name="invalid_grant" next="cossa_realm_auth_failed"/>
|
||||
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
||||
<ResultCond name="ok" next="cossa_realm_klpscope"/>
|
||||
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
||||
<Response value="AUTH_CONTINUE">
|
||||
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
||||
<Gui name="Default"/>
|
||||
</Response>
|
||||
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
||||
<property name="well_known_url" value="https://login.sandbox.pre.swissid.ch/idp/oauth2/.well-known/openid-configuration"/>
|
||||
<!-- source: pattern://a976546c6a56dc04c0d34592 -->
|
||||
<property name="httpclient.tls.trustAll" value="true"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_RewriteRequestForAuthorizationServerAuthstate" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
|
||||
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
||||
<ResultCond name="ok" next="cossa_realm_AuthorizationServer"/>
|
||||
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
||||
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
||||
</Response>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<property name="condition:metadata" value="${request:currentResource:/metadata:true}"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_MetadataMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<Gui name="none"/>
|
||||
</Response>
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_metadatamock.json"/>
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<property name="contentType" value="application/json"/>
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<property name="statusCode" value="200"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_KlpApiMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<Gui name="none"/>
|
||||
</Response>
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_klpapimock.json"/>
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<property name="contentType" value="application/json"/>
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<property name="statusCode" value="200"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<ResultCond name="nomatch" next="MockRelam_Prepare_Done"/>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<ResultCond name="default" next="MockRelam_Auth_Done"/>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Response value="AUTH_DONE">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Gui name="ContinueResponse"/>
|
||||
</Response>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Response value="AUTH_DONE">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Gui name="ContinueResponse"/>
|
||||
</Response>
|
||||
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
||||
<property name="inargs:grant_type" value="refresh_token"/>
|
||||
<!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
|
||||
<property name="inargs:refresh_token" value="${inargs:subject_token}"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_AuthorizationServer" class="ch.nevis.esauth.auth.states.oauth2.AuthorizationServer" final="false" resumeState="true">
|
||||
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
||||
|
@ -223,6 +220,16 @@
|
|||
<!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
|
||||
<property name="scope.phone.clientCredentialsFlowPolicy" value="true"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_klpscope" class="ch.adnovum.cossa.KLPScopeToProfileBinding" final="false" resumeState="true">
|
||||
<!-- source: pattern://9c293034211ea47bd3e9c12b -->
|
||||
<ResultCond name="default" next="cossa_realm_CallPolicyVerificationAPI"/>
|
||||
<!-- source: pattern://9c293034211ea47bd3e9c12b -->
|
||||
<Response value="AUTH_CONTINUE"/>
|
||||
<!-- source: pattern://9c293034211ea47bd3e9c12b -->
|
||||
<property name="prioritiesSource" value="klp-profiles.conf"/>
|
||||
<!-- source: pattern://9c293034211ea47bd3e9c12b -->
|
||||
<property name="profileExpression" value="oauth2.scope.${notes:scope}.metadata.klp_profile"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_simulatelogin" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
|
||||
<!-- source: pattern://680c047dd9a5220fae3c9c3e -->
|
||||
<ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
|
||||
|
@ -242,18 +249,6 @@
|
|||
<!-- source: pattern://680c047dd9a5220fae3c9c3e -->
|
||||
<property name="session:ch.nevis.session.loginid" value="meta.admin@adnovum.ch"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_auth_failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<Gui name="Error">
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<GuiElem name="info" type="error" label="error_99"/>
|
||||
<!-- source: pattern://72e29eb80a951e518ce123e4 -->
|
||||
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
||||
</Gui>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_JwtToken" class="ch.nevis.esauth.auth.states.jwt.JWTToken" final="false" resumeState="true">
|
||||
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
||||
<ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
|
||||
|
@ -272,6 +267,27 @@
|
|||
<!-- source: pattern://a1e5d0192e082e689465a0c9 -->
|
||||
<property name="keyobjectref" value="tokensigner"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_CallPolicyVerificationAPI" class="ch.adnovum.cossa.CallPolicyVerificationAPI" final="false" resumeState="false">
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<ResultCond name="multiple_profiles" next="cossa_realm_Authentication_Failed"/>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<ResultCond name="no_valid_profile" next="cossa_realm_Authentication_Failed"/>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<Response value="AUTH_CONTINUE">
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<Gui name="Default"/>
|
||||
</Response>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<property name="evaluatePoliciesForAllProfiles" value="false"/>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<property name="klpURL" value="https://klp.agov-w.azure.adnovum.net/api/endpoint"/>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<property name="basicAuthUsername" value="testbasicauth"/>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<property name="basicAuthPassword" value="testtesttest"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
||||
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
||||
<ResultCond name="default" next="cossa_realm_Auth_Done"/>
|
||||
|
@ -283,6 +299,18 @@
|
|||
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<Gui name="Error">
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<GuiElem name="info" type="error" label="error_99"/>
|
||||
<!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
|
||||
<GuiElem name="submit" type="button" label="continue.button.label"/>
|
||||
</Gui>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="cossa_realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
|
||||
<!-- source: pattern://b67f81a971e4c08aa79040a2 -->
|
||||
<Response value="AUTH_DONE">
|
||||
|
|
|
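Review bot: `cossa_realm_CallPolicyVerificationAPI` carries its upstream credentials as literal attribute values, `<property name="basicAuthUsername" value="testbasicauth"/>` and `<property name="basicAuthPassword" value="testtesttest"/>`, so the password used against `klpURL` is now versioned in the repository and present in every rendered copy of this file; from the `-272,6 +267,27` counts this state appears to be newly added, though the rendered hunk does not mark sides. The same file keeps `<property name="httpclient.tls.trustAll" value="true"/>` on `cossa_realm_IdTokenVerification`, which switches off certificate validation for the fetch of the `well_known_url` at `login.sandbox.pre.swissid.ch`, so the ID-token verification chain is only as trustworthy as the network path; whether that line is new or context cannot be told here. Both values should come from a mounted secret or from the trust stores this commit also adds rather than inline text, and until then a marker such as `<!-- NOTE(review): test credentials / trustAll are dev-only; replace before promotion -->` on each block would keep them from being copied forward. The enclosing `<AuthEngine>` element opens and closes outside the visible hunks.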
@ -0,0 +1,25 @@
|
|||
suisseid_auth_address_verified
|
||||
suisseid_auth_address_required
|
||||
suisseid_auth_mobile_verified
|
||||
suisseid_auth_mobile_required
|
||||
suisseid_auth_phone_required
|
||||
suisseid_auth
|
||||
password_auth_address_verified
|
||||
password_auth_address_required
|
||||
password_auth_mobile_verified
|
||||
password_auth_mobile_required
|
||||
password_auth_phone_required
|
||||
password_auth
|
||||
email_auth_address_verified
|
||||
email_auth_address_required
|
||||
email_auth_mobile_verified
|
||||
email_auth_mobile_required
|
||||
email_auth_phone_required
|
||||
email_auth
|
||||
autologin_auth_address_verified
|
||||
autologin_auth_address_required
|
||||
autologin_auth_mobile_verified
|
||||
autologin_auth_mobile_required
|
||||
autologin_auth_phone_required
|
||||
autologin_auth
|
||||
default
|
Binary file not shown.
|
@ -0,0 +1,60 @@
|
|||
apiVersion: "operator.nevis-security.ch/v1"
|
||||
kind: "NevisComponent"
|
||||
metadata:
|
||||
name: "nai2"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
labels:
|
||||
deploymentTarget: "nai2"
|
||||
annotations:
|
||||
projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
|
||||
patternId: "5a02ce1399ca42298422a320"
|
||||
spec:
|
||||
type: "NevisAuth"
|
||||
replicas: 1
|
||||
version: "8.2405.2"
|
||||
gitInitVersion: "1.3.0"
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
management: 9000
|
||||
soap: 8991
|
||||
resources:
|
||||
limits:
|
||||
cpu: "2"
|
||||
memory: "2000Mi"
|
||||
requests:
|
||||
cpu: "20m"
|
||||
memory: "1000Mi"
|
||||
livenessProbe:
|
||||
soap:
|
||||
tcpSocket: true
|
||||
periodSeconds: 5
|
||||
timeoutSeconds: 4
|
||||
readinessProbe:
|
||||
management:
|
||||
httpGet:
|
||||
path: "/nevisauth/liveness"
|
||||
periodSeconds: 5
|
||||
timeoutSeconds: 6
|
||||
startupProbe:
|
||||
management:
|
||||
httpGet:
|
||||
path: "/nevisauth/liveness"
|
||||
periodSeconds: 5
|
||||
timeoutSeconds: 6
|
||||
failureThreshold: 50
|
||||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-76cf157bd18ad492e7eea17645c765177d3ffea5"
|
||||
dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
- "nai2-sh4r3d-default-default-signer"
|
||||
- "nai2-default-identity"
|
||||
truststores:
|
||||
- "nai2-default-default-signer-trust"
|
||||
- "nai2-default-tls-client-trust"
|
||||
podSecurity:
|
||||
policy: "baseline"
|
||||
automountServiceAccountToken: false
|
||||
timeZone: "Europe/Zurich"
|
|
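Review bot: `readinessProbe` and `startupProbe` both use `path: "/nevisauth/liveness"`, so readiness reports the same condition as liveness and the pod becomes routable as soon as the management port answers, not when the instance has finished loading its configuration. If the image exposes a distinct readiness endpoint it should be used here; if the operator pattern deliberately reuses the liveness path, a one-line comment saying so (`# readiness intentionally reuses the liveness endpoint`) would stop the next reader from treating it as a copy-paste slip. Indentation is lost in the rendered view, so the nesting of the three probe blocks is inferred from the field names.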
@ -0,0 +1,14 @@
|
|||
apiVersion: "operator.nevis-security.ch/v1"
|
||||
kind: "NevisTrustStore"
|
||||
metadata:
|
||||
name: "nai2-default-default-signer-trust"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
labels:
|
||||
deploymentTarget: "nai2"
|
||||
annotations:
|
||||
projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
|
||||
patternId: "5a02ce1399ca42298422a320"
|
||||
spec:
|
||||
keystores:
|
||||
- name: "nai2-sh4r3d-default-default-signer"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: "operator.nevis-security.ch/v1"
|
||||
kind: "NevisKeyStore"
|
||||
metadata:
|
||||
name: "nai2-default-identity"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
labels:
|
||||
deploymentTarget: "nai2"
|
||||
annotations:
|
||||
projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
|
||||
patternId: "5a02ce1399ca42298422a320"
|
||||
spec:
|
||||
cn: "nai2"
|
||||
usage: "<reserved for future use>"
|
||||
san:
|
||||
dns:
|
||||
- "nai2"
|
||||
- "nai2.adn-postit-tknxchng-01-dev"
|
||||
email: []
|
|
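Review bot: `usage: "<reserved for future use>"` commits a literal placeholder string as the value of a spec field; the sibling keystore `nai2-sh4r3d-default-default-signer` sets `usage: "signer"`, so the field is evidently read by the operator and a template leftover here is easy to mistake for a real value. Either leave the field out, set it to the value the operator expects for an identity keystore, or add a comment stating that the operator ignores it for this kind (`# usage is not evaluated for identity keystores — confirm against the operator docs`). Which of these is right cannot be told from the manifest alone.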
@ -0,0 +1,14 @@
|
|||
apiVersion: "operator.nevis-security.ch/v1"
|
||||
kind: "NevisTrustStore"
|
||||
metadata:
|
||||
name: "nai2-default-tls-client-trust"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
labels:
|
||||
deploymentTarget: "nai2"
|
||||
annotations:
|
||||
projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
|
||||
patternId: "5a02ce1399ca42298422a320"
|
||||
spec:
|
||||
keystores:
|
||||
- name: "npi-mockrelam-identity"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
|
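Review bot: `nai2-default-tls-client-trust` lists `npi-mockrelam-identity` as its only keystore, so the mock realm's identity becomes the TLS client trust anchor of the new `nai2` component; the namespace `adn-postit-tknxchng-01-dev` suggests a development target, but nothing in the manifest records that this trust relationship is test-only. A comment such as `# dev-only: trusts the mock realm identity; must not be promoted unchanged` would prevent the store from travelling to another deployment target with the rest of the pattern output. The first hunk of this commit also drops two lines from an existing truststore's `keystores` list (`-12,5 +12,3`) without the commit message saying why, which is worth a sentence in the description.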
@ -0,0 +1,16 @@
|
|||
apiVersion: "operator.nevis-security.ch/v1"
|
||||
kind: "NevisKeyStore"
|
||||
metadata:
|
||||
name: "nai2-sh4r3d-default-default-signer"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
labels:
|
||||
deploymentTarget: "nai2"
|
||||
annotations:
|
||||
projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
|
||||
patternId: "5a02ce1399ca42298422a320"
|
||||
spec:
|
||||
cn: "signer"
|
||||
usage: "signer"
|
||||
san:
|
||||
dns: []
|
||||
email: []
|
|
@ -0,0 +1,18 @@
|
|||
schemaVersion: 1.0
|
||||
instance:
|
||||
type: "nevisauth"
|
||||
name: "default"
|
||||
directory: "/var/opt/nevisauth/default"
|
||||
pid: "systemctl show nevisauth@default -p MainPID | cut -d '=' -f2"
|
||||
source:
|
||||
url: "/nevisadmin/#/projects/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/patterns/5a02ce1399ca42298422a320"
|
||||
projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
|
||||
patternId: "5a02ce1399ca42298422a320"
|
||||
patternClass: "ch.nevis.admin.v4.plugin.nevisauth.patterns.NevisAuthDeployable"
|
||||
resources:
|
||||
ports:
|
||||
- "0.0.0.0:8991"
|
||||
control:
|
||||
start: "systemctl restart nevisauth@default &"
|
||||
stop: "systemctl stop nevisauth@default"
|
||||
status: "systemctl status nevisauth@default"
|
|
@ -0,0 +1,2 @@
|
|||
#!/bin/bash
|
||||
echo 'password'
|
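Review bot: The script's only output is the literal `echo 'password'`, so whatever consumer invokes it — presumably a keystore passphrase callout, the file name is not visible — receives a fixed secret that is now versioned in the repository. If this is a real passphrase it should be read from a mounted secret or environment variable, for example `echo "${KEYSTORE_PASSPHRASE:?not set}"` (variable name illustrative), and the affected keystore re-keyed; if it is the default passphrase of a throwaway dev keystore, a comment `# dev-only default passphrase for the mock keystores` should say so. Either way the value should not be the same string in every environment this pattern is rendered for.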
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,38 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIGkzCCBHugAwIBAgIULa4PojoMOF/785XA2QNkLRQYTS4wDQYJKoZIhvcNAQEL
|
||||
BQAwUTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzErMCkGA1UE
|
||||
AxMiU3dpc3NTaWduIFJTQSBUTFMgUm9vdCBDQSAyMDIyIC0gMTAeFw0yMjA2Mjkw
|
||||
OTMwNDdaFw0zNjA2MjkwOTMwNDdaMFAxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxT
|
||||
d2lzc1NpZ24gQUcxKjAoBgNVBAMTIVN3aXNzU2lnbiBSU0EgVExTIEVWIElDQSAy
|
||||
MDIyIC0gMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL61hlRf7Jxo
|
||||
0msjavo1pgChwWBDYix5Zd0CnhciVYUCk30Ko6BxFBICoSsZ1gXGqlT20g/AYqYL
|
||||
xuKcdNNAJ/LHT6k2zL3UhSpx+eHjeTGQ7id2jC1HKRZ9zA8YXdhtY3oJom7B3ykE
|
||||
d/j0KVmHy9tP1A0rt3ntbJLfLIS6uWogx2KfFs8MwtoAZLiGvp49SHly6p450fcz
|
||||
payPIWu12PfVQjLg7b9NitlDlYEWiCAL7R3jINw2yMwcdBvq2gy+ZZsiYkSb1m+h
|
||||
ABOGxU6SCN6w7GgRWWveSaJBvRokUvIon/wsZK51j8RM4TsoR60Wei8ftSBL75BI
|
||||
g9Us8dkBXDa8vqoDVpc9zs6pan5XN8KymNT52j4gEe161eYTtbiME4KdSWtVsA7e
|
||||
rdkHsXKJTRIxxdpUkQXxhLXEoyDed/BVgV1yhTeN6YCFX7AiocAi5rPUplc6LV58
|
||||
CCUWFMSWEJxOYQUrwWFLNzQMnE969hnvdhuO8ZeqtpwFwX/OLryWoil+jGobRm/1
|
||||
OQS9+urcVygrzZ9Dy9Q/OF/oq9NeaijvL2Ncjkj5f6uJzgXkm7PwjnHrL2FWBkhp
|
||||
oM/vyT1VAgWNoku3jIyedtyJ9lUECwPIzQuddQYOL8FwhaFmvtHnOLpiy2ctbwir
|
||||
gJW+KcsNkpHg0N5stJcPzPvlssmNBHbNAgMBAAGjggFiMIIBXjBcBggrBgEFBQcB
|
||||
AQRQME4wTAYIKwYBBQUHMAKGQGh0dHA6Ly9haWEuc3dpc3NzaWduLmNoL2Fpci1h
|
||||
ZWZmMzc0ZC0wZjdhLTRjNTUtYTAzNC0xNDQwMjkwY2ZhMzIwEgYDVR0TAQH/BAgw
|
||||
BgEB/wIBADAoBgNVHSAEITAfMAcGBWeBDAEBMAgGBgQAj3oBBDAKBghghXQBWQIB
|
||||
AzBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vY3JsLnN3aXNzc2lnbi5jaC9jZHAt
|
||||
OTY2MWMyOWYtOTEyMS00ZjQ2LWFjZDgtZWFkNGEyMmY3MTYwMB0GA1UdJQQWMBQG
|
||||
CCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFElS
|
||||
3zCGkllfNJwlSCSrwOvRBvLWMB8GA1UdIwQYMBaAFG+OYouTQ7DhQPanw/3xD7gP
|
||||
FTilMA0GCSqGSIb3DQEBCwUAA4ICAQBugn943V4fbEbG+Leb4YXTWLLfPIC+mrdc
|
||||
H6v1+Iws+XCzoKthaDk0c346mSaXZM9to5xDOWgfEnBYbVioMyI/5EABbg4ARkgp
|
||||
dj50FPe9MtLD4kOZFv/8LoRH+WdAfQUsxS1RQincUnYWAxmRNOHLdnbyiQt3sYDl
|
||||
6tZzURSMnMUec4stxfLT4VQE1Ew6Phr06CouYOd5ON+mWkFhROz3jx5PTXcECrqQ
|
||||
IT27wJ4mzKA6W9p69ZDFi/+FcpN9vCjzksi0w8i62DwtbO8Pj3ZEOL8z6+cwXyT7
|
||||
X7Zt96vufj+bsxFo1IXQ6cb2i13qpThSHL4NA1NhUbB/ipMbxNtBJ4fwtcG8SAUs
|
||||
jRXgG/RYrXRorG90KU/dcezixY4yKnlIdkkhpV7h8jY2+XS7GbjaKee8pPeAFXgs
|
||||
Hzdi+EhZvHOVfshaKL2CAELrYn8Tzo2Zt9zsbif8L7bPJROS3xqzn+GbCFt67/8Y
|
||||
jTh84Taa4D49H6V+p01QPkvG7ub7Rw52fm56zY3mabbhbsREOceswsfunxSN/SOE
|
||||
pLKVMopuVnRcwVIWmnzH9BlBhIzLqOS4kCYA5E5Irw217j/JTGVWEdMN0ar09nGh
|
||||
WA2Eq8aDANjAP1bao/4nmxsFU2zKbTR40Tb7/HKB5jaItYdkz6ppnxQDLTWe7T6+
|
||||
nGZwqmYtbQ==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,80 @@
|
|||
|
||||
accept.button.label=Accept
|
||||
cancel.button.label=Cancel
|
||||
continue.button.label=Continue
|
||||
deputy.profile.label=(Deputy Profile)
|
||||
error.saml.failed=Please close your browser and try again.
|
||||
error_1=Please check your input.
|
||||
error_10=Please select the correct user account.
|
||||
error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
|
||||
error_101=The entered email address is not valid.
|
||||
error_11=Please use another certficate or login with another credential type.
|
||||
error_2=Please select another login name.
|
||||
error_3=Your account will be locked if next authentication fails.
|
||||
error_4=Your new password does not comply with the security policy. Please choose a different password.
|
||||
error_5=Error in password confirmation.
|
||||
error_50=The new password is too short.
|
||||
error_55=The new password has to differ from old passwords.
|
||||
error_6=Password change required.
|
||||
error_7=Change of login ID required.
|
||||
error_8=Your account has been locked due to repeated authentication failures.
|
||||
error_81=No access card found, access from internet denied.
|
||||
error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
|
||||
error_9=Session take over failed.
|
||||
error_97=You are not authorized to access this resource.
|
||||
error_98=Your account has been locked.
|
||||
error_99=System problems. Please try later.
|
||||
info.logout.confirmation=Please confirm that you want to log out.
|
||||
info.logout.reminder=Your session on this application has expired. Try again with a login.
|
||||
info.oauth.consent=Do you want to authorise this application to access your data?
|
||||
info.timeout.page=Your session on this application has expired. Try again with a login.
|
||||
login.button.label=Login
|
||||
logout.label=Logout
|
||||
logout.text=You have successfully logged out.
|
||||
method.certificate.label=Certificate
|
||||
method.fido.label=Mobile Authentication
|
||||
method.fido2.label=FIDO 2
|
||||
method.mtan.label=mTAN Code
|
||||
method.oath.label=OATH Authenticator App
|
||||
method.otp.label=OTP (One-Time Password)
|
||||
method.recovery.label=Recovery Codes
|
||||
method.safeword.label=SafeWord
|
||||
method.securid.label=SecurID
|
||||
method.ticket.label=Ticket
|
||||
outarg.lastLogin.never=Never
|
||||
policyFailure.dictionary=▪ must not be taken from a dictionary.
|
||||
policyFailure.history.History=▪ must be different from previously selected passwords.
|
||||
policyFailure.regex.control=▪ cannot contain more than {0} control characters.
|
||||
policyFailure.regex.lower=▪ must contain at least {0} lower case characters.
|
||||
policyFailure.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
|
||||
policyFailure.regex.maxLength=▪ must be at most {0} characters long.
|
||||
policyFailure.regex.minLength=▪ must be at least {0} characters long.
|
||||
policyFailure.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
|
||||
policyFailure.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
|
||||
policyFailure.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
|
||||
policyFailure.regex.nonLetter=▪ must contain at least {0} non-letter characters.
|
||||
policyFailure.regex.numeric=▪ must contain at least {0} numeric characters.
|
||||
policyFailure.regex.upper=▪ must contain at least {0} upper case characters.
|
||||
policyInfo.dictionary=▪ must not be taken from a dictionary.
|
||||
policyInfo.history.History=▪ must be different from previously selected passwords.
|
||||
policyInfo.regex.control=▪ cannot contain more than {0} control characters.
|
||||
policyInfo.regex.lower=▪ must contain at least {0} lower case characters.
|
||||
policyInfo.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
|
||||
policyInfo.regex.maxLength=▪ must be at most {0} characters long.
|
||||
policyInfo.regex.minLength=▪ must be at least {0} characters long.
|
||||
policyInfo.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
|
||||
policyInfo.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
|
||||
policyInfo.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
|
||||
policyInfo.regex.nonLetter=▪ must contain at least {0} non-letter characters.
|
||||
policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
|
||||
policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
|
||||
policyInfo.title=The password has to comply with the following password policy:
|
||||
reject.button.label=Deny
|
||||
submit.button.label=Submit
|
||||
tan.sent=Please enter the security code which has been sent to your mobile phone.
|
||||
title.logout=Logout
|
||||
title.logout.confirmation=Logout
|
||||
title.logout.reminder=Logout
|
||||
title.oauth.consent=Client Authorization
|
||||
title.saml.failed=Error
|
||||
title.timeout.page=Logout
|
|
@ -0,0 +1,80 @@
|
|||
|
||||
accept.button.label=Akzeptieren
|
||||
cancel.button.label=Abbrechen
|
||||
continue.button.label=Weiter
|
||||
deputy.profile.label=(Profil Stellvertreter)
|
||||
error.saml.failed=Bitte schliessen Sie Ihren Browser und versuchen Sie es erneut.
|
||||
error_1=Bitte überprüfen Sie Ihre Eingabe.
|
||||
error_10=Bitte wählen Sie den gewünschten Benutzer.
|
||||
error_100=Zertifikat-Upload nicht möglich. Zertifikat bereits vorhanden. Bitte kontaktieren Sie Ihren Helpdesk.
|
||||
error_101=Die angegebene E-Mail Adresse ist ungültig.
|
||||
error_11=Bitte verwenden Sie ein anderes Zertifikat oder ein alternatives Authentisierungsmittel.
|
||||
error_2=Bitte wählen Sie einen anderen Login-Namen.
|
||||
error_3=Falls Ihr nächster Login fehlschlägt, wird Ihr Konto gesperrt.
|
||||
error_4=Ihr neues Passwort wurde nicht akzeptiert. Bitte wählen Sie eines, das den Passwortvorgaben entspricht.
|
||||
error_5=Die Eingabe zur Bestätigung des Passwortes ist falsch.
|
||||
error_50=Das neue Passwort ist zu kurz.
|
||||
error_55=Das neue Passwort muss sich von alten Passwörtern unterscheiden.
|
||||
error_6=Passwortwechsel erforderlich.
|
||||
error_7=Wechsel der Login-ID erforderlich.
|
||||
error_8=Ihr Konto wurde infolge wiederholt fehlgeschlagener Authentisierung gesperrt.
|
||||
error_81=Keine Rasterkarte gefunden, Zugang vom Internet verweigert.
|
||||
error_83=Ihre Rasterkarte ist aufgebraucht. Bitte kontaktieren Sie Ihren Berater, um eine neue zu erhalten.
|
||||
error_9=Die SSO-Session konnte nicht übernommen werden.
|
||||
error_97=Sie verfügen nicht über die für den Zugriff auf diese Ressource benötigte Berechtigung.
|
||||
error_98=Ihr Konto ist gesperrt.
|
||||
error_99=Systemfehler. Bitte versuchen Sie es später.
|
||||
info.logout.confirmation=Bitte bestätigen Sie, dass Sie sich abmelden möchten.
|
||||
info.logout.reminder=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
|
||||
info.oauth.consent=Wollen Sie der Anwendung den Zugriff erlauben?
|
||||
info.timeout.page=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
|
||||
login.button.label=Login
|
||||
logout.label=Logout
|
||||
logout.text=Sie haben sich erfolgreich abgemeldet.
|
||||
method.certificate.label=Zertifikat
|
||||
method.fido.label=Mobile Authentication
|
||||
method.fido2.label=FIDO 2
|
||||
method.mtan.label=mTAN-Code
|
||||
method.oath.label=OATH Authenticator-App
|
||||
method.otp.label=OTP (One-Time Passwort)
|
||||
method.recovery.label=Wiederherstellungscodes
|
||||
method.safeword.label=SafeWord
|
||||
method.securid.label=SecurID
|
||||
method.ticket.label=Ticket
|
||||
outarg.lastLogin.never=Nie
|
||||
policyFailure.dictionary=▪ darf nicht aus einem Wörterbuch stammen.
|
||||
policyFailure.history.History=▪ muss sich von vorhergehenden Passwörtern unterscheiden.
|
||||
policyFailure.regex.control=▪ darf höchstens {0} Kontrollzeichen enthalten.
|
||||
policyFailure.regex.lower=▪ muss {0} Kleinbuchstaben enthalten.
|
||||
policyFailure.regex.maxCharacterRepetitions=▪ darf nicht eine Sequenz länger als {0} des gleichen Zeichens enthalten.
|
||||
policyFailure.regex.maxLength=Länge des Passwortes darf höchstens {0} sein.
|
||||
policyFailure.regex.minLength=Länge des Passwortes muss mindestens {0} sein.
|
||||
policyFailure.regex.nonAlnum=▪ muss {0} nicht-alphanumerische Zeichen enthalten.
|
||||
policyFailure.regex.nonAscii=▪ darf höchstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
|
||||
policyFailure.regex.nonGraph=▪ darf höchstens {0} nicht-druckende Zeichen enthalten.
|
||||
policyFailure.regex.nonLetter=▪ muss {0} Zeichen enthalten, die keine Buchstaben sind.
|
||||
policyFailure.regex.numeric=▪ muss {0} numerische Zeichen enthalten.
|
||||
policyFailure.regex.upper=▪ muss {0} Grossbuchstaben enthalten.
|
||||
policyInfo.dictionary=▪ darf nicht aus einem Wörterbuch stammen.
|
||||
policyInfo.history.History=▪ darf keines der zuletzt verwendeten Passwörtern sein.
|
||||
policyInfo.regex.control=▪ darf höchstens {0} Kontrollzeichen enthalten.
|
||||
policyInfo.regex.lower=▪ muss mindestens {0} Kleinbuchstaben enthalten.
|
||||
policyInfo.regex.maxCharacterRepetitions=▪ darf nicht eine Sequenz länger als {0} des gleichen Zeichens enthalten.
|
||||
policyInfo.regex.maxLength=▪ darf höchstens {0} Zeichen enthalten.
|
||||
policyInfo.regex.minLength=▪ muss mindestens {0} Zeichen enthalten.
|
||||
policyInfo.regex.nonAlnum=▪ muss mindestens {0} Zeichen enthalten, die nicht Alphanumerisch sind.
|
||||
policyInfo.regex.nonAscii=▪ darf höchstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
|
||||
policyInfo.regex.nonGraph=▪ darf höchstens {0} nicht-druckende Zeichen enthalten.
|
||||
policyInfo.regex.nonLetter=▪ muss mindestens {0} Zeichen enthalten, die keine Buchstaben sind.
|
||||
policyInfo.regex.numeric=▪ muss mindestens {0} numerische Zeichen enthalten.
|
||||
policyInfo.regex.upper=▪ muss mindestens {0} Grossbuchstaben enthalten.
|
||||
policyInfo.title=Das Passwort muss den folgenden Passwort-Richtlinien entsprechen:
|
||||
reject.button.label=Ablehnen
|
||||
submit.button.label=Senden
|
||||
tan.sent=Bitte erfassen Sie den Sicherheitscode, welcher an Ihr Mobiltelefon gesendet wurde.
|
||||
title.logout=Logout
|
||||
title.logout.confirmation=Logout
|
||||
title.logout.reminder=Logout
|
||||
title.oauth.consent=Client Authorisierung
|
||||
title.saml.failed=Error
|
||||
title.timeout.page=Logout
|
|
@ -0,0 +1,80 @@
|
|||
|
||||
accept.button.label=Accept
|
||||
cancel.button.label=Cancel
|
||||
continue.button.label=Continue
|
||||
deputy.profile.label=(Deputy Profile)
|
||||
error.saml.failed=Please close your browser and try again.
|
||||
error_1=Please check your input.
|
||||
error_10=Please select the correct user account.
|
||||
error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
|
||||
error_101=The entered email address is not valid.
|
||||
error_11=Please use another certficate or login with another credential type.
|
||||
error_2=Please select another login name.
|
||||
error_3=Your account will be locked if next authentication fails.
|
||||
error_4=Your new password does not comply with the security policy. Please choose a different password.
|
||||
error_5=Error in password confirmation.
|
||||
error_50=The new password is too short.
|
||||
error_55=The new password has to differ from old passwords.
|
||||
error_6=Password change required.
|
||||
error_7=Change of login ID required.
|
||||
error_8=Your account has been locked due to repeated authentication failures.
|
||||
error_81=No access card found, access from internet denied.
|
||||
error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
|
||||
error_9=Session take over failed.
|
||||
error_97=You are not authorized to access this resource.
|
||||
error_98=Your account has been locked.
|
||||
error_99=System problems. Please try later.
|
||||
info.logout.confirmation=Please confirm that you want to log out.
|
||||
info.logout.reminder=Your session on this application has expired. Try again with a login.
|
||||
info.oauth.consent=Do you want to authorise this application to access your data?
|
||||
info.timeout.page=Your session on this application has expired. Try again with a login.
|
||||
login.button.label=Login
|
||||
logout.label=Logout
|
||||
logout.text=You have successfully logged out.
|
||||
method.certificate.label=Certificate
|
||||
method.fido.label=Mobile Authentication
|
||||
method.fido2.label=FIDO 2
|
||||
method.mtan.label=mTAN Code
|
||||
method.oath.label=OATH Authenticator App
|
||||
method.otp.label=OTP (One-Time Password)
|
||||
method.recovery.label=Recovery Codes
|
||||
method.safeword.label=SafeWord
|
||||
method.securid.label=SecurID
|
||||
method.ticket.label=Ticket
|
||||
outarg.lastLogin.never=Never
|
||||
policyFailure.dictionary=▪ must not be taken from a dictionary.
|
||||
policyFailure.history.History=▪ must be different from previously selected passwords.
|
||||
policyFailure.regex.control=▪ cannot contain more than {0} control characters.
|
||||
policyFailure.regex.lower=▪ must contain at least {0} lower case characters.
|
||||
policyFailure.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
|
||||
policyFailure.regex.maxLength=▪ must be at most {0} characters long.
|
||||
policyFailure.regex.minLength=▪ must be at least {0} characters long.
|
||||
policyFailure.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
|
||||
policyFailure.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
|
||||
policyFailure.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
|
||||
policyFailure.regex.nonLetter=▪ must contain at least {0} non-letter characters.
|
||||
policyFailure.regex.numeric=▪ must contain at least {0} numeric characters.
|
||||
policyFailure.regex.upper=▪ must contain at least {0} upper case characters.
|
||||
policyInfo.dictionary=▪ must not be taken from a dictionary.
|
||||
policyInfo.history.History=▪ must be different from previously selected passwords.
|
||||
policyInfo.regex.control=▪ cannot contain more than {0} control characters.
|
||||
policyInfo.regex.lower=▪ must contain at least {0} lower case characters.
|
||||
policyInfo.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
|
||||
policyInfo.regex.maxLength=▪ must be at most {0} characters long.
|
||||
policyInfo.regex.minLength=▪ must be at least {0} characters long.
|
||||
policyInfo.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
|
||||
policyInfo.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
|
||||
policyInfo.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
|
||||
policyInfo.regex.nonLetter=▪ must contain at least {0} non-letter characters.
|
||||
policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
|
||||
policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
|
||||
policyInfo.title=The password has to comply with the following password policy:
|
||||
reject.button.label=Deny
|
||||
submit.button.label=Submit
|
||||
tan.sent=Please enter the security code which has been sent to your mobile phone.
|
||||
title.logout=Logout
|
||||
title.logout.confirmation=Logout
|
||||
title.logout.reminder=Logout
|
||||
title.oauth.consent=Client Authorization
|
||||
title.saml.failed=Error
|
||||
title.timeout.page=Logout
|
|
@ -0,0 +1,80 @@
|
|||
|
||||
accept.button.label=Accepter
|
||||
cancel.button.label=Abandonner
|
||||
continue.button.label=Continuer
|
||||
deputy.profile.label=(Profil du suppléant)
|
||||
error.saml.failed=Fermez votre navigateur et r;eacute;essayez.
|
||||
error_1=Veuillez vérifier vos données, s.v.p.
|
||||
error_10=Choisissez votre compte.
|
||||
error_100=Téléchargement du certificat pas possible. Certificat existe déjà. Veuillez contacter le helpdesk s.v.p.
|
||||
error_101=L'adresse e-mail é n'est pas valide.
|
||||
error_11=Choisissez un autre certificat, s.v.p.
|
||||
error_2=Choisissez un autre nom, s.v.p.
|
||||
error_3=Si l'authentification ne réussit pas au prochain essai, votre compte sera bloqué.
|
||||
error_4=Votre nouveau mot de passe ne conforme pas aux mesures de sécurité
|
||||
error_5=Votre confirmation du mot de passe ne correspond pas au mot de passe donné.
|
||||
error_50=Le nouveau mot de passe est trop court.
|
||||
error_55=Le nouveau mot de passe doit différer de l'ancien.
|
||||
error_6=Veuillez changer votre mot de passe, s.v.p.
|
||||
error_7=Veuillez changer votre login ID, s.v.p.
|
||||
error_8=Votre compte n'est pas active.
|
||||
error_81=Pas d'access card trouvé, l'accès par l'internet est refusé.
|
||||
error_83=Votre access card n'est plus valable, veuillez contacter votre gestionnaire.
|
||||
error_9=Il n'est pas possible de transmettre la session.
|
||||
error_97=Vous n'avez pas les autorisations nécessaires pour accéder à cette ressource.
|
||||
error_98=Votre compte a été bloqué.
|
||||
error_99=Problème technique. Veuillez essayer plus tard, s.v.p.
|
||||
info.logout.confirmation=Veuillez confirmer que vous souhaitez vous déconnecter.
|
||||
info.logout.reminder=Votre session sur cette application a expirée. Essayez encore avec un login.
|
||||
info.oauth.consent=Voulez-vous autoriser l'application?
|
||||
info.timeout.page=Votre session sur cette application a expirée. Essayez encore avec un login.
|
||||
login.button.label=Login
|
||||
logout.label=Logout
|
||||
logout.text=Au revoir
|
||||
method.certificate.label=Certificat
|
||||
method.fido.label=Mobile Authentication
|
||||
method.fido2.label=FIDO 2
|
||||
method.mtan.label=Code mTAN
|
||||
method.oath.label=Application d'authentification OATH
|
||||
method.otp.label=OTP (One-Time Password)
|
||||
method.recovery.label=Codes de récupération
|
||||
method.safeword.label=SafeWord
|
||||
method.securid.label=SecurID
|
||||
method.ticket.label=Ticket
|
||||
outarg.lastLogin.never=Jamais
|
||||
policyFailure.dictionary=▪ ne peut pas être pris d'un dictionnaire.
|
||||
policyFailure.history.History=▪ doit être différent des mots de passe préalablement sélectionnés.
|
||||
policyFailure.regex.control=▪ ne peut contenir plus de {0} caractères de commande.
|
||||
policyFailure.regex.lower=▪ doit contenir au moins {0} caractère(s) minuscule(s).
|
||||
policyFailure.regex.maxCharacterRepetitions=▪ ne peut contenir une séquence de plus de {0} du même caractère.
|
||||
policyFailure.regex.maxLength=La longueur doit être d'au plus {0}.
|
||||
policyFailure.regex.minLength=La longueur doit être d'au moins {0}.
|
||||
policyFailure.regex.nonAlnum=▪ doit contenir au moins {0} caractères non alphanumériques.
|
||||
policyFailure.regex.nonAscii=▪ ne peut contenir plus de {0} caractères non ASCII ({1}).
|
||||
policyFailure.regex.nonGraph=▪ ne peut contenir plus de {0} caractères non imprimables ({1}).
|
||||
policyFailure.regex.nonLetter=▪ doit contenir au moins {0} caractères qui ne sont pas des lettres.
|
||||
policyFailure.regex.numeric=▪ doit comprendre {0} caractères numériques.
|
||||
policyFailure.regex.upper=▪ doit contenir au moins {0} caractère(s) majuscule(s).
|
||||
policyInfo.dictionary=▪ ne peut pas être pris d'un dictionnaire.
|
||||
policyInfo.history.History=▪ ne peut pas être l' précédemment choisis.
|
||||
policyInfo.regex.control=▪ ne peut contenir plus de {0} caractères de commande.
|
||||
policyInfo.regex.lower=▪ doit contenir au moins {0} caractère(s) minuscule(s).
|
||||
policyInfo.regex.maxCharacterRepetitions=▪ ne peut contenir une séquence de plus de {0} du même caractère.
|
||||
policyInfo.regex.maxLength=▪ la longueur doit être d'au plus {0}.
|
||||
policyInfo.regex.minLength=▪ la longueur doit être d'au moins {0}.
|
||||
policyInfo.regex.nonAlnum=▪ doit contenir au moins {0} caractères non alphanumériques.
|
||||
policyInfo.regex.nonAscii=▪ ne peut contenir plus de {0} caractères non ASCII.
|
||||
policyInfo.regex.nonGraph=▪ ne peut contenir plus de {0} caractères non imprimables.
|
||||
policyInfo.regex.nonLetter=▪ doit contenir au moins {0} caractères qui ne sont pas des lettres.
|
||||
policyInfo.regex.numeric=▪ doit comprendre au minimum {0} caractères numériques.
|
||||
policyInfo.regex.upper=▪ doit contenir au moins {0} caractère(s) majuscule(s).
|
||||
policyInfo.title=Le mot de passe doit respecter les règles suivantes:
|
||||
reject.button.label=Refuser
|
||||
submit.button.label=Envoyer
|
||||
tan.sent=Veuillez saisir le code de sécurité que vous avez reçu au votre téléphone mobile.
|
||||
title.logout=Logout
|
||||
title.logout.confirmation=Logout
|
||||
title.logout.reminder=Logout
|
||||
title.oauth.consent=Autorisation du client
|
||||
title.saml.failed=Error
|
||||
title.timeout.page=Logout
|
|
@ -0,0 +1,80 @@
|
|||
|
||||
accept.button.label=Accettare
|
||||
cancel.button.label=Abortire
|
||||
continue.button.label=Continua
|
||||
deputy.profile.label=(profilo del delegato)
|
||||
error.saml.failed=Chiudi il browser e riprova.
|
||||
error_1=Verificare i dati immessi.
|
||||
error_10=Per favore selezionare il conto utente corretto.
|
||||
error_100=Impossibile caricare il certificato. Questo certificato esiste già. La preghiamo di contattare il Suo help desk.
|
||||
error_101=L'indirizzo e-mail inserito non è valido.
|
||||
error_11=Scegliere un altro certificato.
|
||||
error_2=Per favore scegliere un altro nome.
|
||||
error_3=Il conto verrà bloccato se il prossimo login non andrà a buon fine.
|
||||
error_4=La nuova password non è stata accettata. Scegliere una password che sia conforme ai criteri di password.
|
||||
error_5=La conferma della password è errata.
|
||||
error_50=La nuova password è troppo corta.
|
||||
error_55=La nuova password deve essere diversa dalla vecchia.
|
||||
error_6=È necessario modificare la password.
|
||||
error_7=Set up inizale dell'account per il portale necessario.
|
||||
error_8=L'account è stato bloccato. Rivolgersi al servizio assistenza oppure provare con un altro strumento di autenticazione.
|
||||
error_81=Nessuna carta di accesso trovata, accesso da internet rifiutato.
|
||||
error_83=La sua carta di accesso non è più valida. Per favore contatti il suo assistente per ricevere una nuova carta di accesso.
|
||||
error_9=La sessione non può essere ripresa.
|
||||
error_97=Non si dispone delle autorizzazioni necessarie per accedere a questa risorsa.
|
||||
error_98=L'account è stato bloccato.
|
||||
error_99=Errore di sistema. Riprovare.
|
||||
info.logout.confirmation=Si prega di confermare che si desidera disconnettersi.
|
||||
info.logout.reminder=La sessione su questa applicazione &egrave; scaduta. Prova ancora con un login.
|
||||
info.oauth.consent=Vuoi consentire all'applicazione?
|
||||
info.timeout.page=La sessione su questa applicazione &egrave; scaduta. Prova ancora con un login.
|
||||
login.button.label=Login
|
||||
logout.label=Logout
|
||||
logout.text=È uscito con successo.
|
||||
method.certificate.label=Certificato
|
||||
method.fido.label=Mobile Authentication
|
||||
method.fido2.label=FIDO 2
|
||||
method.mtan.label=Codice mTAN
|
||||
method.oath.label=App di autenticazione OATH
|
||||
method.otp.label=OTP (One-Time Password)
|
||||
method.recovery.label=Codici di ripristino
|
||||
method.safeword.label=SafeWord
|
||||
method.securid.label=SecurID
|
||||
method.ticket.label=Ticket
|
||||
outarg.lastLogin.never=Mai
|
||||
policyFailure.dictionary=▪ non può essere presa da un dizionario.
|
||||
policyFailure.history.History=▪ deve essere diversa da password precedenti.
|
||||
policyFailure.regex.control=▪ non può contenere più di {0} caratteri di controllo.
|
||||
policyFailure.regex.lower=▪ deve conenere almeno {0} caratteri minuscoli.
|
||||
policyFailure.regex.maxCharacterRepetitions=▪ non può contentere una sequenza più lunga di {0} caratteri uguali.
|
||||
policyFailure.regex.maxLength=▪ deve contenere al massimo {0} caratteri.
|
||||
policyFailure.regex.minLength=▪ deve contenere almeno {0} caratteri.
|
||||
policyFailure.regex.nonAlnum=▪ deve conenere almeno {0} caratteri non alfanumerici.
|
||||
policyFailure.regex.nonAscii=▪ non può contenere più di {0} caratteri non ASCII.
|
||||
policyFailure.regex.nonGraph=▪ non può contenere più di {0} caratteri non stampabili.
|
||||
policyFailure.regex.nonLetter=▪ non può contenere più di {0} numeri o caratteri speciali.
|
||||
policyFailure.regex.numeric=▪ deve contenere {0} caratteri numerici.
|
||||
policyFailure.regex.upper=▪ deve conenere almeno {0} caratteri maiuscoli.
|
||||
policyInfo.dictionary=▪ non può essere presa da un dizionario.
|
||||
policyInfo.history.History=▪ deve essere diversa dalle password precedenti.
|
||||
policyInfo.regex.control=▪ non può contenere più di {0} carattere/i di controllo.
|
||||
policyInfo.regex.lower=▪ deve conenere almeno {0} carattere/i minuscolo/i.
|
||||
policyInfo.regex.maxCharacterRepetitions=▪ non può contentere una sequenza più lunga di {0} caratteri uguali.
|
||||
policyInfo.regex.maxLength=▪ deve contenere al massimo {0} carattere/i.
|
||||
policyInfo.regex.minLength=▪ deve contenere almeno {0} carattere/i.
|
||||
policyInfo.regex.nonAlnum=▪ deve conenere almeno {0} carattere/i non alfanumerico/i.
|
||||
policyInfo.regex.nonAscii=▪ non può contenere più di {0} carattere/i non ASCII.
|
||||
policyInfo.regex.nonGraph=▪ non può contenere più di {0} carattere/i non stampabile/i.
|
||||
policyInfo.regex.nonLetter=▪ non può contenere più di {0} numero/i o caratere/i speciale/i.
|
||||
policyInfo.regex.numeric=▪ deve contenere un minimo di {0} carattere/i numerico/i.
|
||||
policyInfo.regex.upper=▪ deve conenere almeno {0} carattere/i maiuscolo/i.
|
||||
policyInfo.title=La password deve rispettare le seguenti direttive:
|
||||
reject.button.label=Rifiuti
|
||||
submit.button.label=Continua
|
||||
tan.sent=Inserisci il codice di sicurezza che è stato inviato al tuo telefono cellulare.
|
||||
title.logout=Logout
|
||||
title.logout.confirmation=Logout
|
||||
title.logout.reminder=Logout
|
||||
title.oauth.consent=Autorizzazione del client
|
||||
title.saml.failed=Error
|
||||
title.timeout.page=Logout
|
|
@ -0,0 +1 @@
|
|||
bc.tracer.TraceIndentFactory=ch.nevis.bc.io.Log4jTraceIndentFactory
|
|
@ -0,0 +1,19 @@
|
|||
RTENV_SECURITY_CHECK=no_shell
|
||||
|
||||
JAVA_OPTS=(
|
||||
"-XX:+UseContainerSupport"
|
||||
"-Dfile.encoding=UTF-8"
|
||||
"-XX:MaxRAMPercentage=80.0"
|
||||
"-Djava.net.preferIPv4Stack=true"
|
||||
"-Djava.net.connectionTimeout=10000"
|
||||
"-Djava.net.readTimeout=15000"
|
||||
"-Dch.nevis.esauth.config=/var/opt/nevisauth/default/conf/esauth4.xml"
|
||||
"-Djava.awt.headless=true"
|
||||
"-javaagent:/opt/agent/opentelemetry-javaagent.jar"
|
||||
"-Dotel.javaagent.logging=application"
|
||||
"-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
|
||||
"-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
|
||||
"-Djavax.net.ssl.trustStore=/var/opt/keys/trust/tls-swissid/truststore.p12"
|
||||
"-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/tls-swissid/keypass}"
|
||||
)
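Review bot: `-Djavax.net.ssl.trustStore=/var/opt/keys/trust/tls-swissid/truststore.p12` replaces the JVM-wide default trust store, so every outbound TLS connection from this process that does not carry its own trust configuration is validated only against the tls-swissid store; if that store holds just the SwissID chain, any other HTTPS call made by the instance will fail trust validation, which is easy to miss until a non-SwissID endpoint is added. The passphrase comes through `${exec:...}` — if that expansion is done by the launcher before the JVM starts, the cleartext value sits in the JVM argument list, where it is readable by anything that can inspect the process, so a per-client trust configuration (or a file-based passphrase reference) is preferable to a global system property. A comment next to these two lines stating which outbound connections are expected to rely on this store would make the intent checkable. As far as I know `-Djava.net.connectionTimeout` and `-Djava.net.readTimeout` are not JDK system properties; if nevisAuth reads them rather than the JDK, a short comment saying so saves the next reader a search.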
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
# this file is generated by nevisAdmin 4
|
||||
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
|
|
@ -0,0 +1,121 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE esauth-server SYSTEM "/opt/nevisauth/dtd/esauth4.dtd">
|
||||
<esauth-server instance="nai2">
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320, pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<SessionCoordinator sessionInitialInactivityTimeout="600" sessionInactivityTimeout="28800" sessionMaxLifetime="28800" sessionIdPreGenerate="true">
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<LocalSessionStore maxSessions="100000"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<TokenAssembler name="DefaultTokenAssembler">
|
||||
<Selector default="true"/>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<TokenSpec ttl="28800">
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.sessid" as="sessid"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.userid" as="userid"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.authlevel" as="authLevel"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.esauthid" as="esauthid"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.entryid" as="entryid"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.loginid" as="loginId"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.domain" as="domain"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<field src="session" key="ch.nevis.session.secroles" as="roles"/>
|
||||
</TokenSpec>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<Signer key="DefaultSigner"/>
|
||||
</TokenAssembler>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<KeyStore name="DefaultKeyStore">
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/nai2-sh4r3d-default-default-signer/cert.pem" privateKey="/var/opt/keys/own/nai2-sh4r3d-default-default-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/nai2-sh4r3d-default-default-signer/keypass"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/nai2-default-default-signer-trust/truststore.jks"/>
|
||||
</KeyStore>
|
||||
</SessionCoordinator>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320 -->
|
||||
<LocalOutOfContextDataStore reaperPeriod="60"/>
|
||||
<!-- source: pattern://5a02ce1399ca42298422a320, pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin" propagateSession="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Domain name="MockRelam" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
|
||||
<Entry method="authenticate" state="MockRelam_DispatchMockRequests"/>
|
||||
<Entry method="stepup" state="MockRelam_Selector"/>
|
||||
</Domain>
|
||||
<AuthState name="MockRelam_DispatchMockRequests" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<ResultCond name="metadata" next="MockRelam_MetadataMock"/>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<ResultCond name="nomatch" next="MockRelam_KlpApiMock"/>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
||||
</Response>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<property name="condition:jwk" value="${request:currentResource:/jwk:true}"/>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<property name="condition:metadata" value="${request:currentResource:/metadata:true}"/>
|
||||
<!-- source: pattern://1641a38402138546573b7e71 -->
|
||||
<property name="condition:wellknown" value="${request:currentResource:/.well-known:true}"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_MetadataMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<Gui name="none"/>
|
||||
</Response>
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_metadatamock.json"/>
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<property name="contentType" value="application/json"/>
|
||||
<!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
|
||||
<property name="statusCode" value="200"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_KlpApiMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<Gui name="none"/>
|
||||
</Response>
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_klpapimock.json"/>
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<property name="contentType" value="application/json"/>
|
||||
<!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
|
||||
<property name="statusCode" value="200"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<ResultCond name="nomatch" next="MockRelam_Prepare_Done"/>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Response value="AUTH_ERROR">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Arg name="ch.nevis.isiweb4.response.status" value="403"/>
|
||||
</Response>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<ResultCond name="default" next="MockRelam_Auth_Done"/>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Response value="AUTH_DONE">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Gui name="ContinueResponse"/>
|
||||
</Response>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
|
||||
</AuthState>
|
||||
<AuthState name="MockRelam_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Response value="AUTH_DONE">
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<Gui name="ContinueResponse"/>
|
||||
</Response>
|
||||
</AuthState>
|
||||
</AuthEngine>
|
||||
</esauth-server>
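Review bot: `MockRelam_DispatchMockRequests` defines `condition:jwk` and `condition:wellknown` but has `ResultCond` entries only for `metadata` and `nomatch`, so a request matching `/jwk` or `/.well-known` yields a result with no configured transition — depending on how ConditionalDispatcherState treats an unmapped result that is either an AUTH_ERROR/403 at runtime or a configuration error at startup, and in either case the two property lines are dead until `<ResultCond name="jwk" next="..."/>` and `<ResultCond name="wellknown" next="..."/>` exist (the JWK set added elsewhere in this commit looks like the intended `/jwk` payload, but that is inferred). Separately, the `stepup` entry runs `MockRelam_Selector` → `MockRelam_Prepare_Done` → `MockRelam_Auth_Done` and nothing in those states verifies a credential before responding AUTH_DONE; that is expected for a mock, but the realm should say so, e.g. `<!-- Mock realm: serves static metadata/KLP JSON and completes step-up without authenticating; not for shared or production instances -->` above the `<Domain>` so it cannot be promoted by accident. The domain and state names spell "Realm" as "Relam"; renaming is cosmetic but would need every referencing entry updated together.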
|
|
@ -0,0 +1,51 @@
|
|||
Configuration:
|
||||
monitorInterval: 60
|
||||
Appenders:
|
||||
Console:
|
||||
- name: "SERVER"
|
||||
target: "SYSTEM_OUT"
|
||||
PatternLayout:
|
||||
pattern: "[esauth4sv.log] %d{ISO8601} %-15.15t %mdc{trace_id} %mdc{span_id} %-20.20c %-5.5p %m%n"
|
||||
RegexFilter:
|
||||
regex: ".*GET /nevisauth/liveness.*"
|
||||
onMatch: "DENY"
|
||||
onMismatch: "ACCEPT"
|
||||
Loggers:
|
||||
Logger:
|
||||
- name: "EsAuthStart"
|
||||
level: "INFO"
|
||||
- name: "org.apache.catalina.loader.WebappClassLoader"
|
||||
level: "FATAL"
|
||||
- name: "org.apache.catalina.startup.HostConfig"
|
||||
level: "ERROR"
|
||||
- name: "ch.nevis.esauth.events"
|
||||
level: "FATAL"
|
||||
- name: "AuthEngine"
|
||||
level: "INFO"
|
||||
- name: "HttpClient"
|
||||
level: "TRACE"
|
||||
- name: "OAuth2"
|
||||
level: "DEBUG"
|
||||
- name: "StdStates"
|
||||
level: "DEBUG"
|
||||
- name: "Vars"
|
||||
level: "INFO"
|
||||
- name: "ch.adnovum.cossa.CallPolicyVerificationAPI"
|
||||
level: "DEBUG"
|
||||
- name: "ch.adnovum.cossa.IdTokenVerification"
|
||||
level: "DEBUG"
|
||||
- name: "ch.adnovum.cossa.KLPScopeToProfileBinding"
|
||||
level: "DEBUG"
|
||||
- name: "ch.adnovum.cossa.SimpleIDTokenValidator"
|
||||
level: "DEBUG"
|
||||
- name: "ch.adnovum.cossa.TokenExchangeEndpoint"
|
||||
level: "DEBUG"
|
||||
- name: "ch.adnovum.cossa.TokenExchangeEndpointRefresh"
|
||||
level: "DEBUG"
|
||||
- name: "ch.adnovum.cossa.TokenGenerator"
|
||||
level: "DEBUG"
|
||||
Root:
|
||||
level: "WARN"
|
||||
additivity: "false"
|
||||
AppenderRef:
|
||||
- ref: "SERVER"
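Review bot: `HttpClient` at `TRACE` (with `OAuth2` and `StdStates` at `DEBUG`) on a token-exchange instance is likely to put full outbound requests and responses — bearer headers, client secrets, id/access tokens — onto `SYSTEM_OUT`, from where they propagate into whatever collects container logs; whether this logger prints headers and bodies at TRACE is product-specific, but the `ch.adnovum.cossa.TokenExchange*` loggers at DEBUG point the same way. Suggest `level: "INFO"` for the `HttpClient` entry, with TRACE applied only as a temporary override, or at minimum a comment on that entry stating that TRACE captures request/response payloads and is not intended for shared environments. The `RegexFilter` only drops liveness-probe lines; everything else that reaches the appender at these levels is written unfiltered.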
|
|
@ -0,0 +1 @@
|
|||
{"keys":[{"kty":"RSA","kid":"yTX9hiBfyqkvtil57ivmlbK7a6c=","use":"sig","x5t":"9WDlp2619xwm3BQd1Xrx4cTAs1Y","x5c":["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"],"n":"jyr2xra0jO3QFPUDVpEFloxrtjWMdg2L3idrj_23FN6RjoLIqbRGxiDgiYEmVu7cqQXpNScijdgILwxzFzZbcULE_vhjs_DGorP3AayET5OPYaQNHjfxqmrZyQH-43-8Rwe2zpV3_IFRpXHAGphTbCMoCHxf6wWI9ZI75GxnE1CjcgXQmuPODNWZH7u1T6-he-cvvzknp5cC8a6d74Ky-APGfbG4wZeEB5kovlm9OhPrZq5wzFuJRj4JLJa88gvPDGWUBWynAT6A_-kwmXLnawTTJrvZVupMk-FKsOGGXrwUBLjfK_nYW_iSFLotrv1KFk-_R-TdVQop9k61roJlZw","e":"AQAB"}]}
|
|
@ -0,0 +1,16 @@
|
|||
server:
|
||||
name: "default"
|
||||
protocol: "https"
|
||||
port: "8991"
|
||||
host: "0.0.0.0"
|
||||
tls:
|
||||
keystore: "/var/opt/keys/own/nai2-default-identity/keystore.p12"
|
||||
keystore-passphrase: "${exec:/var/opt/keys/own/nai2-default-identity/keypass}"
|
||||
client-auth: "required"
|
||||
truststore: "/var/opt/keys/trust/nai2-default-tls-client-trust/truststore.p12"
|
||||
truststore-passphrase: "${exec:/var/opt/keys/trust/nai2-default-tls-client-trust/keypass}"
|
||||
management:
|
||||
server:
|
||||
port: "9000"
|
||||
healthchecks:
|
||||
enabled: "true"
|
|
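Review bot: The `management.server` block (port `"9000"`, healthchecks enabled) carries no `tls` section, while the main listener on `8991` requires client certificates (`client-auth: "required"`); whether the management listener also binds `0.0.0.0` cannot be confirmed from this file, since `host` is set only under `server`. If it does, the healthcheck endpoint is reachable in plaintext and unauthenticated, so the intended exposure should be stated next to it, e.g. `# plaintext, no client auth: keep cluster-internal (network policy / no ingress)`. The `${exec:…/keypass}` indirection for both passphrases keeps secrets out of the file, which is the right choice; it would also be worth a one-line comment naming where the referenced keystore and truststore are mounted from so operators do not have to guess.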
@ -0,0 +1,4 @@
|
|||
otel.service.name = nai2
|
||||
otel.traces.exporter = none
|
||||
otel.metrics.exporter = none
|
||||
otel.logs.exporter = none
|
|
@ -0,0 +1,23 @@
|
|||
// nevisProxy replaces the entire AUTH: scope when new outargs are returned by nevisAuth.
|
||||
// Thus, we have to store tokens in the session (as a String) and restore them on subsequent step-ups.
|
||||
|
||||
// restore tokens
|
||||
session.each { key, value ->
|
||||
if (key.startsWith('outarg.token.')) {
|
||||
def name = key.substring(7)
|
||||
if (outargs.containsKey(name)) {
|
||||
LOG.debug("not restoring token (outarg: $name) from session: outarg already set")
|
||||
}
|
||||
else {
|
||||
LOG.debug("restoring token (outarg: $name) from session")
|
||||
outargs.put(name, value)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// store tokens
|
||||
outargs.each { name, value ->
|
||||
if (name.startsWith('token.')) {
|
||||
session.put('outarg.' + name, value)
|
||||
}
|
||||
}
|
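Review bot: `def name = key.substring(7)` hard-codes the length of the `'outarg.'` prefix, which is spelled out separately in the `startsWith('outarg.token.')` test on the line above and a third time in `session.put('outarg.' + name, value)` in the store loop; a future change to any one of the three silently breaks the round trip. Define it once, e.g. `def prefix = 'outarg.'`, then `def name = key.substring(prefix.length())` and `session.put(prefix + name, value)`. The debug messages correctly log only the outarg name and never the token value, which should stay that way; a short comment stating that deliberately (`// never log token values`) would protect it during later edits.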
Binary file not shown.
|
@ -0,0 +1,79 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# NAME
|
||||
# status.sh - Checks the status of the nevisAuth instance.
|
||||
#
|
||||
# SYNOPSIS
|
||||
# status.sh
|
||||
#
|
||||
# DESCRIPTION
|
||||
# Performs periodic checks until the instance is up or broken or timeout is reached.
|
||||
# The script terminates when the process of the instance stops running.
|
||||
# There are no arguments for this script.
|
||||
#
|
||||
# EXIT CODES
|
||||
# 0 Instance is up.
|
||||
# 1 Instance process is not running.
|
||||
# 2 Instance is broken.
|
||||
# 3 Timeout reached.
|
||||
|
||||
# Defines how much we should sleep between checking if the instance is up.
|
||||
interval=1
|
||||
# Defines how much we should wait the instance to start up until we give up and exit.
|
||||
timeout=70
|
||||
((end_time=${SECONDS}+$timeout))
|
||||
|
||||
# Checks if the process of the instance is still running.
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# In case it is running, returns 0, otherwise non-zero (exit code of systemctl).
|
||||
isProcessRunning() {
|
||||
systemctl is-active --quiet nevisauth@default
|
||||
IS_RUNNING=$?
|
||||
return $IS_RUNNING
|
||||
}
|
||||
|
||||
# Checks if the instance is up. (Attempts connecting to the instance)
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# If the connection was successful and the instance up (is not broken), returns 0.
|
||||
# If the connection was not successful, returns 1.
|
||||
checkInstance() {
|
||||
lsof -i :8991 -sTCP:LISTEN
|
||||
EXIT_CODE=$?
|
||||
return $EXIT_CODE
|
||||
}
|
||||
|
||||
# This function encapsulates the logic of checking if the process is running and if the instance is up.
|
||||
# In case the process is not running, exits with exit code 1.
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# If the instance process is running, returns the result of the instance check function.
|
||||
check() {
|
||||
if isProcessRunning
|
||||
then
|
||||
checkInstance
|
||||
CS=$?
|
||||
return $CS
|
||||
else
|
||||
echo "Process is not running."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Check the status of the instance periodically.
|
||||
while ((${SECONDS} < ${end_time}))
|
||||
do
|
||||
sleep ${interval}
|
||||
if check
|
||||
then
|
||||
echo "Instance is up."
|
||||
exit 0
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Exceeded check timeout (70s). Instance is down."
|
||||
exit 3
|
|
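Review bot: Exit code 2 ("Instance is broken") is documented in the header but never produced: `checkInstance` only runs `lsof -i :8991 -sTCP:LISTEN`, which proves a socket is listening, not that the instance answers, so the script reports "Instance is up." for a listener that is bound but not functional. Either drop exit code 2 from the header or add a real probe behind it; also note that if `lsof` is missing in the image, the command fails every iteration and the script always ends in the timeout path, which is hard to distinguish from a genuinely slow start. The `lsof` output is printed to stdout on every loop iteration — `lsof -i :8991 -sTCP:LISTEN >/dev/null 2>&1` keeps the status output to the intended messages only. The final message hard-codes the value of the `timeout` variable; `echo "Exceeded check timeout (${timeout}s). Instance is down."` keeps the two from drifting apart.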
@ -46,7 +46,7 @@ spec:
|
|||
podDisruptionBudget:
|
||||
maxUnavailable: "50%"
|
||||
git:
|
||||
tag: "r-9cad45a7b0512ebf6892f792c3aa8ba7cd7e169b"
|
||||
tag: "r-76cf157bd18ad492e7eea17645c765177d3ffea5"
|
||||
dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/npi"
|
||||
credentials: "git-credentials"
|
||||
keystores:
|
||||
|
|
|
@ -10,5 +10,5 @@ metadata:
|
|||
patternId: "92e282d1dc2b69d9e4f91fc0"
|
||||
spec:
|
||||
keystores:
|
||||
- name: "nai-sh4r3d-default-default-signer"
|
||||
- name: "nai2-sh4r3d-default-default-signer"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
|
|
|
@ -10,5 +10,5 @@ metadata:
|
|||
patternId: "92e282d1dc2b69d9e4f91fc0"
|
||||
spec:
|
||||
keystores:
|
||||
- name: "nai-default-identity"
|
||||
- name: "nai2-default-identity"
|
||||
namespace: "adn-postit-tknxchng-01-dev"
|
||||
|
|
|
@ -177,7 +177,7 @@
|
|||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<init-param>
|
||||
<param-name>Transport.InetAddress</param-name>
|
||||
<param-value>nai:8991</param-value>
|
||||
<param-value>nai2:8991</param-value>
|
||||
</init-param>
|
||||
<!-- source: pattern://8523f0587aa8cfa7008f8171 -->
|
||||
<init-param>
|
||||
|
|