Restrict ial and aal determination to the idp app

This was unnecessarily leaking into the saml_idp gem. A subsequent PR in that repo will remove these concerns there.
18F · Aug 29, 2024 · 7761db1 · 7761db1
1 parent 0177872
commit 7761db1
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/app/models/federated_protocols/saml.rb b/app/models/federated_protocols/saml.rb
@@ -2,6 +2,9 @@
 
 module FederatedProtocols
   class Saml
+    IAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/ial}
+    AAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/aal|urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo}
+
     def initialize(request)
       @request = request
     end
@@ -19,11 +22,15 @@ def ial
     end
 
     def requested_ial_authn_context
-      request.requested_ial_authn_context
+      request.requested_authn_contexts.find do |classref|
+        IAL_PREFIX.match?(classref)
+      end
     end
 
     def aal
-      request.requested_aal_authn_context
+      request.requested_authn_contexts.find do |classref|
+        AAL_PREFIX.match?(classref)
+      end
     end
 
     def acr_values