FSN#39750 Authenticatie 'Apps', savepoint

svn path=/Website/trunk/; revision=33235

APPL/API2/model_aut_client.inc

@@ -0,0 +1,80 @@
+<% /*
+    $Revision$
+    $Id$
+
+    File:           model_aut_client.inc
+    Description:
+    Notes:
+*/
+
+%>
+<!-- #include file="./model_aut_client_perslid.inc" -->
+<%
+function model_aut_client()
+{
+    this.records_name = "autclients";
+    this.record_name = "autclient";
+    this.table = "aut_client";
+    this.primary = "aut_client_key";
+    this.autfunction = "WEB_FACFAC";
+    this.record_title = L("aut_client");
+    this.records_title = L("aut_client_m");
+
+    this.fields = {
+        "id": {
+            "dbs": "aut_client_key",
+            "label": L("lcl_key"),
+            "typ": "key",
+            "seq": "aut_s_aut_client_key"
+        },
+        "code": {
+            "dbs": "aut_client_id",
+            "label": L("aut_client_code"),
+            "typ": "varchar",
+            "filter": "exact"
+        },
+        "name": {
+            "dbs": "aut_client_omschrijving",
+            "label": L("aut_client_omschrijving"),
+            "typ": "varchar",
+            "required": true
+        },
+        "type": {
+            "dbs": "aut_client_type",
+            "label": L("aut_client_type"),
+            "typ": "key",
+            "required": true,
+            "LOV": L("fac_idp_typeLOV") // TODO?
+        },
+        "remark": {
+            "dbs": "aut_client_opmerking",
+            "label": L("aut_client_opmerking"),
+            "typ": "memo"
+        },
+        "secret": {
+            "dbs": "aut_client_secret",
+            "label": L("aut_client_secret"),
+            "typ": "varchar",
+            "defaultvalue": shared.random(32),
+            "secret": true
+        }
+/*        ,
+        "redirect_uri": {
+            "dbs": "aut_client_redirect_uri",
+            "label": L("aut_client_redirect_uri"),
+            "typ": "varchar"
+        }*/
+    }
+
+    this.includes =
+               {  "clientpersons": { model: new model_aut_client_perslid(),
+                                     joinfield: "autclient"
+                  }
+              };
+
+    this.REST_GET    = generic_REST_GET(this);
+    this.REST_POST   = generic_REST_POST(this);
+    this.REST_PUT    = generic_REST_PUT(this);
+    this.REST_DELETE = generic_REST_DELETE(this);
+}
+%>

APPL/API2/model_aut_client_perslid.inc

@@ -0,0 +1,75 @@
+<% /*
+    $Revision$
+    $Id$
+
+    File:           model_aut_client_perslid.inc
+    Description:    Persoonlijke instellingen per SP
+    Notes:
+*/
+
+function model_aut_client_perslid()
+{
+    this.records_name = "clientpersons";
+    this.record_name = "clientperson";
+    this.table = "aut_client_perslid";
+    this.primary = "aut_client_perslid_key";
+    this.autfunction = "WEB_FACFAC";
+    this.record_title = L("aut_client_perslid");
+    this.records_title = L("aut_client_perslid_m");
+
+    this.fields = {
+        "id": {
+            "dbs": "aut_client_perslid_key",
+            "label": L("lcl_key"),
+            "typ": "key",
+            "seq": "aut_s_aut_client_perslid_key"
+        },
+        "autclient": {
+            "dbs": "aut_client_key",
+            "label": L("aut_client"),
+            "typ": "key",
+            "hidden_fld": true,
+            "required": true
+        },
+        "scope": {
+            "dbs": "aut_client_perslid_scope",
+            "label": L("aut_client_perslid_scope"),
+            "typ": "varchar"
+        },
+        "pushtoken": {
+            "dbs": "aut_client_perslid_pushtoken",
+            "label": L("aut_client_perslid_pushtoken"),
+            "typ": "varchar"
+        },
+        "refreshtoken": {
+            "dbs": "aut_client_perslid_refreshtkn",
+            "label": L("aut_client_perslid_refreshtoken"),
+            "typ": "varchar"
+        },
+        "accesstoken": {
+            "dbs": "aut_client_perslid_accesstoken",
+            "label": L("aut_client_perslid_accesstoken"),
+            "typ": "varchar"
+        },
+        "person": {
+            "dbs": "prs_perslid_key",
+            "label": L("lcl_user"),
+            "typ": "key",
+            "foreign" : "prs_perslid"
+        }
+    }
+
+    this.edit = {
+        "modal": true
+    };
+
+    this.list = {
+        "columns": ["person", "scope"]
+    };
+
+    this.REST_GET    = generic_REST_GET(this);
+    this.REST_POST   = generic_REST_POST(this);
+    //this.REST_PUT    = generic_REST_PUT(this);
+    this.REST_DELETE = generic_REST_DELETE(this);
+}
+%>

APPL/API2/model_fac_idp.inc

@@ -32,7 +32,8 @@ function fac_idp()
         "code": {
             "dbs": "fac_idp_code",
             "label": L("fac_idp_code"),
-            "typ": "varchar"
+            "typ": "varchar",
+            "filter": "exact"
         },
         "name": {
             "dbs": "fac_idp_omschrijving",
@@ -92,6 +93,11 @@ function fac_idp()
             "label": L("fac_idp_remote_loginurl"),
             "typ": "varchar"
         },
+        "samlmetaurl": {
+            "dbs": "fac_idp_saml_metaurl",
+            "label": L("fac_idp_saml_metaurl"),
+            "typ": "varchar"
+        },
         "remotelogouturl": {
             "dbs": "fac_idp_remote_logouturl",
             "label": L("fac_idp_remote_logouturl"),
@@ -123,7 +129,10 @@ function fac_idp()
         "company": {
              "dbs": "prs_bedrijf_key",
              "typ": "key",
-             "foreign": "prs_bedrijf",
+             "foreign": { tbl: "prs_bedrijf",
+                          key: "prs_bedrijf_key",
+                          desc: "prs_bedrijf_naam",
+                          "where": "prs_bedrijf_intern = 1" },
              "label": L("lcl_idp_company")
         },
         "department": {

APPL/API2/model_fac_sp.inc

@@ -10,7 +10,7 @@
 %>
 <!-- #include file="./model_fac_sp_map.inc" -->
 <%
-function fac_sp()
+function model_fac_sp()
 {
     this.records_name = "identityproviders";
     this.record_name = "identityprovider";
@@ -30,7 +30,8 @@ function fac_sp()
         "code": {
             "dbs": "fac_sp_code",
             "label": L("fac_sp_code"),
-            "typ": "varchar"
+            "typ": "varchar",
+            "filter": "exact"
         },
         "name": {
             "dbs": "fac_sp_omschrijving",
@@ -94,11 +95,6 @@ function fac_sp()
             "label": L("fac_sp_remote_logouturl"),
             "typ": "varchar"
         },
-        "usermapping": {
-            "dbs": "fac_sp_usermapping",
-            "label": L("fac_sp_usermapping"),
-            "typ": "varchar"
-        },
         "ipfilter": {
             "dbs": "fac_sp_ipfilter",
             "label": L("fac_sp_ipfilter"),
@@ -145,10 +141,10 @@ function fac_sp()
     }
 
     this.includes =
-               {"spmappings": { model: new model_fac_sp_map(),
-                                joinfield: "serviceprovider",
-                                enable_update: true
-                              }
+               {  "spmappings": { model: new model_fac_sp_map(),
+                                  joinfield: "serviceprovider",
+                                  enable_update: true
+                                }
               };
 
     this.REST_GET    = generic_REST_GET(this);

APPL/API2/model_fac_sp_map.inc

@@ -9,8 +9,8 @@
 
 function model_fac_sp_map()
 {
-    this.records_name = "idpappings";
-    this.record_name = "idpapping";
+    this.records_name = "spmappings";
+    this.record_name = "spmapping";
     this.table = "fac_sp_map";
     this.primary = "fac_sp_map_key";
     this.autfunction = "WEB_FACFAC";

APPL/API2/model_prs_perslid.inc

@@ -10,6 +10,8 @@
 
     - Notes:        - Standaard voegen we de gegevens van de hoofdwerkplek toe
                     - Ooit doen we er nog een include bij van alle werkplekken.
+
+                    TODO: autorisatie op met name de GET
 */
 
 %>
@@ -33,7 +35,7 @@ function genderLOV()
     return s;
 }
 
-function model_prs_perslid()
+function model_prs_perslid(params)
 {
     this.records_name = "persons";
     this.record_name = "person";
@@ -276,8 +278,11 @@ function model_prs_perslid()
             return json;
         };
 
-    this.REST_POST   = generic_REST_POST(this);
-    this.REST_PUT    = generic_REST_PUT(this);
-    this.REST_DELETE = generic_REST_DELETE(this);
+    if (params.internal) // bijvoorbeeld idp die personen kan aanmaken
+    {
+        this.REST_POST   = generic_REST_POST(this);
+        this.REST_PUT    = generic_REST_PUT(this);
+        this.REST_DELETE = generic_REST_DELETE(this);
+    }
 }
 %>

APPL/AUT/Login.inc

@@ -962,7 +962,6 @@ function jwt_create(perslid_key, aud)
 {
     var thisPrs = new Perslid(perslid_key)
 
-    var params = aud_or_prop;
     var sp_key = -1;
 
     var sql = "SELECT *"

APPL/AUT/getapptoken.asp

@@ -0,0 +1,71 @@
+<%@language = "javascript" %>
+<% /*
+    $Revision$
+    $Id$
+
+    File:           getapptoken.asp
+    Description:    Vraag een nieuw token op voor een bepaalde App
+    Parameters:
+    Context:
+    Note:           Enigszins conform oAuth/ OpenID Connect maar daar (nog) niet
+                    noodzakelijkerwijs compatible mee.
+
+*/
+%>
+<!-- #include file="../Shared/common.inc" -->
+<!-- #include file="./login.inc" -->
+<!-- #include file="../api2/api2.inc" -->
+<!-- #include file="../api2/model_aut_client.inc" -->
+<%
+    var client_id = getQParam("client_id");
+    var model_client = new model_aut_client();
+    var client_data = api2.GET(model_client, { filter: { "code": client_id } }); // sp moet er dan zijn voor Service Provider
+    if (!client_data && client_id == "NWNX") // Voor NWNX ondersteunen we auto-create
+    {
+        var client_data =
+        {
+            "code": client_id,
+            "name": "New Nexus app",
+            "type": {
+              "id": 4,
+              "name": "JWT sso"
+            },
+            "remark": "Automatisch aangemaakt voor New Nexus app",
+            "secret": shared.random(32),
+            "audience": "{0}.facilitor.nl".format(customerId.toLowerCase()),
+            "issuer": "FACILITOR NWNX",
+            "algorithm": "HS256"
+        }
+        var result = model_client.REST_POST({}, client_data);
+        client_data = api2.GET(model_client, result.key );
+    }
+    if (!client_data)
+        INTERNAL_ERROR_MISSING_SP;
+
+    var model_client_perslid = new model_aut_client_perslid();
+    var cp_data = api2.GET(model_client_perslid, { filter: { "autclient": client_data.id, "person": user_key } });
+    if (!cp_data)
+    {
+        var cp_data = { "autclient": client_data.id,
+                        "scope": "*",
+                        "refreshtoken": customerId + "_" + shared.random(32), // unused yet
+                        "accesstoken": customerId + "_" + shared.random(32), // Does not expire yet?
+                        "person": user_key,
+                        "pushtoken": customerId + "_" + shared.random(32)
+                      }
+        var result = model_client_perslid.REST_POST({}, cp_data);
+        cp_data = api2.GET(model_client_perslid, result.key );
+    }
+    var result =
+    {
+        weburl: HTTP.urlzelf() + "?mobile=1",
+        push_token: cp_data.pushtoken,
+        access_token: cp_data.accesstoken // JWT met SP 'NWNX'? Of JWT met IDP 'FACILITOR'?
+                                          // Wel bij elke klant aan te maken dan? Of automatisch?
+                                          // bearer is stateless/ single request dus geen redirect
+                                          // maar via url &jwt= zou wel kunnen?
+        // refresh_url: HTTP.urlzelf() + "/appl/aut/getapptoken.asp?client_id={0}&auth={1}".format(sp, spp_data.refreshtoken)
+    }
+    Response.Write(JSON.stringify(result));
+    Response.End;
+%>

APPL/AUT/loginTry.asp

@@ -181,7 +181,7 @@ if ((user_key < 0 || getQParamInt("jwtforce", 0) == 1) && jwt)
 //        /*global*/ user_key = 33083; // Moet PRSSYS hebben
 //        /*global*/ user = new Perslid(user_key);
 
-        var person = new model_prs_perslid();
+        var person = new model_prs_perslid({ internal: true });
         var persdata = {};
         var sql = "SELECT *"
                 + "  FROM fac_idp_map"
@@ -194,17 +194,16 @@ if ((user_key < 0 || getQParamInt("jwtforce", 0) == 1) && jwt)
                 val = claim.payload[oRsMap("fac_idp_map_from").Value];
             switch (oRsMap("fac_idp_map_to").Value) // zie model_fac_idp_map.inc voor codering
             {
-                case 1: persdata["login"] = val; break;
-                case 2: persdata["lastname"] = val; break;
-                case 3: persdata["firstname"] = val; break;
-                case 4: persdata["email"] = val; break;
+                case 1: persdata["login"]               = val; break;
+                case 2: persdata["lastname"]            = val; break;
+                case 3: persdata["firstname"]           = val; break;
+                case 4: persdata["email"]               = val; break;
                 case 5: if (val) persdata["department"] = { name: val }; break;
                 // kostenplaats case 6: persdata["costcenter"] = { name: val }; break;
-                case 7: if (val) persdata["function"] = { name: val }; break;
-                //case 100: persdata.werkplekken = val; break;
-                case 101: persdata.authorisation = val; break;
+                case 7: if (val) persdata["function"]   = { name: val }; break;
+                //case 100: persdata.werkplekken        = val; break;
+                case 101: persdata.authorisation        = val; break;
             }
-
             oRsMap.MoveNext();
         }
         oRsMap.Close();
@@ -222,12 +221,13 @@ if ((user_key < 0 || getQParamInt("jwtforce", 0) == 1) && jwt)
             var res = person.REST_POST( persparams, persdata);
 //            user = user_key = null;
             __DoLog("Created user '{0} {1}' with key {2} for idp '{3}'".format(persdata["firstname"], persdata["lastname"], res.key, idp_code));
-            doLogin(res.key, { noFacSession: by_bearer, idp_code: idp_code, isFACFACinternal: isFACFACinternal });
+            // De nieuw aangemaakte gebruiker inloggen:
+            doLogin(res.key, { idp_code: idp_code, isFACFACinternal: isFACFACinternal });
         }
         // Nu authorisatie groepen nog bijwerken
         // Via het model was me even iets te hoog gegrepen: ik zou toch (nog) de id's er bij moeten halen
         if ("authorisation" in persdata)
-        {
+        {   // authorisation bevat gebruikersgroepen gescheiden door '|'
             var autharr = persdata["authorisation"].toLowerCase().split("|");
             var sql = "DELETE FROM fac_gebruikersgroep"
                     + " WHERE prs_perslid_key = " + user_key

APPL/MGT/aut_client.asp

@@ -0,0 +1,42 @@
+<%@language = "javascript" %>
+<% /*
+    $Revision$
+    $Id$
+
+    File:           aut_client.asp
+
+    Description:
+
+    Context:
+
+    Notes:
+*/
+%>
+<!-- #include file="../scf/scaffolding.inc" -->
+<!-- #include file="../mgt/mgt_tools.inc" -->
+<!-- #include file="../api2/model_aut_client.inc" -->
+<%
+var this_model = new model_aut_client();
+
+scaffolding(this_model,
+    {
+        "search": {
+            "autosearch": true,
+            "filters": [
+                "name",
+                "action"
+            ]
+        },
+        "list": {
+            "columns": [
+                "id",
+                "code",
+                "name",
+                "type"
+            ]
+        },
+        "edit": {
+            "modal": false
+        }
+    });
+%>

APPL/MGT/fac_idp.asp

@@ -18,6 +18,15 @@
 <%
 var this_model = new fac_idp();
 
+this_model.hook_pre_edit = function (obj, fld)
+{
+%>
+    <script>
+        var s_vis_parking_key = <%=S("vis_parking_key")%>;
+    </script>
+<%
+}
+
 scaffolding(this_model,
     {
         "search": {
@@ -37,6 +46,9 @@ scaffolding(this_model,
             ]
         },
         "edit": {
+            "requires": {
+                "js": ["../mgt/fac_idp.js"]
+            },
             "modal": false
         }
     });

APPL/MGT/fac_idp.js

@@ -0,0 +1,31 @@
+$(document).ready(function () {
+    setTimeout("init_fac_idp()", 10);
+  });
+
+function init_fac_idp()
+{
+    var typ = $("input#type").val();
+    var fld_hide = "";
+    var fld_show = "";
+    switch(typ)
+    {
+        case "4": // jwt
+        {
+            fld_hide = "samlmetaurl";
+            break;
+        }
+        case "5": // saml
+        {
+            fld_hide = "algorithm audience issuer secret timeout duration remoteloginurl remotelogouturl ipfilter ipauto";
+            break;
+        }
+    }
+    jQuery.each(fld_hide.split(" "), function(i, name) {
+    	$("#" + this).closest("tr").hide();
+    });
+    jQuery.each(fld_show.split(" "), function(i, name) {
+    	$("#" + this).closest("tr").show();
+    });
+
+}
+

APPL/MGT/fac_sp.asp

@@ -16,7 +16,7 @@
 <!-- #include file="../mgt/mgt_tools.inc" -->
 <!-- #include file="../api2/model_fac_sp.inc" -->
 <%
-var this_model = new fac_sp();
+var this_model = new model_fac_sp();
 
 scaffolding(this_model,
     {

APPL/PRS/prs_perslid_qr_confirm.asp

@@ -32,7 +32,15 @@ var user_key = getQParamInt("user_key"); // is toch beschermd met HMAC
 
 doLogin(user_key);
 
-makeSessionCookie(""); // Altijd 'definitief' cookie plaatsen
+var getToken = getQParamInt("gettoken", 0) == 1;
+if (getToken)
+{
+    Server.Transfer("../aut/getapptoken.asp"); // Die doet dat verder
+}
+else
+{
+    makeSessionCookie(""); // Altijd 'definitief' cookie plaatsen
 
-shared.simpel_page(L("lcl_qrc_auth_mail_confirmed").format(rooturl + "/default.asp")+"<br>" +L("lcl_bookmarkthis_hint"));
+    shared.simpel_page(L("lcl_qrc_auth_mail_confirmed").format(rooturl + "/default.asp")+"<br>" +L("lcl_bookmarkthis_hint"));
+}
 %>