Refactor ial/aal determination #11160
Conversation
vrajmohan
force-pushed
the
vm/refactor-ial-aal-determination
branch
3 times, most recently
from
9912852
to
77dfbad
Compare
vrajmohan
changed the title
vrajmohan
force-pushed
the
vm/refactor-ial-aal-determination
branch
from
77dfbad
to
7761db1
Compare
vrajmohan
force-pushed
the
vm/refactor-ial-aal-determination
branch
3 times, most recently
from
bb80c71
to
ac888d0
Compare
| requested_ial_authn_context || default_ial_authn_context | ||
| end | ||
| end | ||
|
|
||
| def requested_ial_authn_context | ||
| request.requested_authn_contexts.find do |classref| | ||
| IAL_PREFIX.match?(classref) | ||
| end | ||
| end | ||
|
|
||
| def aal | ||
| request.requested_aal_authn_context | ||
| request.requested_authn_contexts.find do |classref| | ||
| AAL_PREFIX.match?(classref) | ||
| end |
There was a problem hiding this comment.
note to other reviewers: this code is a lift and shift from the saml_idp gem (see: PR#117: Remove ial/aal concerns) and will be replaced in the next sprint with a long term solution.
vrajmohan
force-pushed
the
vm/refactor-ial-aal-determination
branch
from
0fe705f
to
ac888d0
Compare
| if requested_ial_acr == ::Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF | ||
| return 'ialmax' | ||
| else | ||
| saml_protocol.requested_ial_authn_context.presence || 'none' |
There was a problem hiding this comment.
this is not in scope to your change, but interesting that we return 'none' here instead of nil 🤔
| @@ -5845,7 +5845,7 @@ def rules_of_use_visit | |||
| # @param [String] endpoint | |||
| # @param [Boolean] idv | |||
| # @param [Boolean] finish_profile | |||
| # @param [Integer] requested_ial | |||
| # @param [String] requested_ial | |||
app/services/attribute_asserter.rb
Outdated
| @@ -42,7 +42,7 @@ def build | |||
| add_vot(attrs) | |||
| else | |||
| add_aal(attrs) | |||
| add_ial(attrs) if authn_request.requested_ial_authn_context || !service_provider.ial.nil? | |||
| add_ial(attrs) if requested_ial_authn_context || !service_provider.ial.nil? | |||
There was a problem hiding this comment.
since requested_ial_authn_context is only used in the case of this conditional, i might pull the whole conditional into a method (and/or update the .nil? check to a present? check so it can be positive) but it's not a big deal really
| @@ -2,6 +2,9 @@ | |||
|
|
|||
| module FederatedProtocols | |||
| class Saml | |||
| IAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/ial} | |||
There was a problem hiding this comment.
[suggestion] it looks like the LOA prefix is not being included. we should probably add that back as this is a refactor, not a code change
There was a problem hiding this comment.
I made this change on the basis of https://gsa-tts.slack.com/archives/C0NGESUN5/p1724965595589029.
There was a problem hiding this comment.
yes, i understand it's maybe not what we want, but if we're going to make a change that affects partner requests or responses, we have to consider it fully and not just include it in a refactor. feel free to make a ticket for it!
There was a problem hiding this comment.
As far as I can tell (and the tests), it only affects the logged analytics event, and doesn't affect what we send to partners.
There was a problem hiding this comment.
I'll open a separate issue - https://gitlab.login.gov/lg-people/Melba/backlog-fy24/-/issues/99
There was a problem hiding this comment.
thanks! once you add the LOA prefix back in i'll approve
vrajmohan
force-pushed
the
vm/refactor-ial-aal-determination
branch
2 times, most recently
from
db51015
to
806feef
Compare
This was unnecessarily leaking into the saml_idp gem. A separate PR (18F/saml_idp#117) in that repo will remove these concerns from there. See https://gitlab.login.gov/lg-people/Melba/backlog-fy24/-/issues/95 changelog: Internal, Refactoring, Refactor saml_request.requested_ial_authn_context calls to single place
vrajmohan
force-pushed
the
vm/refactor-ial-aal-determination
branch
from
806feef
to
ae88f6c
Compare
Restrict ial and aal determination to the idp app.
This was unnecessarily leaking into the saml_idp gem. A subsequent PR in
that repo will remove these concerns there.
As part of the move to semantic ACR values, we will also replace the regex prefix matching for IALs and AALs with explicit enumerations.