From 7761db1b15baa66f0fff26fe24392e5454cb31d3 Mon Sep 17 00:00:00 2001
From: Vraj Mohan
Date: Thu, 29 Aug 2024 13:25:47 -0700
Subject: [PATCH] Restrict ial and aal determination to the idp app

This was unnecessarily leaking into the saml_idp gem. A subsequent PR in that repo will remove these concerns there.
---
 app/models/federated_protocols/saml.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/models/federated_protocols/saml.rb b/app/models/federated_protocols/saml.rb
index d3f0b5cd08b..7bafa6e67c9 100644
--- a/app/models/federated_protocols/saml.rb
+++ b/app/models/federated_protocols/saml.rb
@@ -2,6 +2,9 @@

 module FederatedProtocols
 class Saml
+ IAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/ial}
+ AAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/aal|urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo}
+
 def initialize(request)
 @request = request
 end
@@ -19,11 +22,15 @@ def ial
 end

 def requested_ial_authn_context
- request.requested_ial_authn_context
+ request.requested_authn_contexts.find do |classref|
+ IAL_PREFIX.match?(classref)
+ end
 end

 def aal
- request.requested_aal_authn_context
+ request.requested_authn_contexts.find do |classref|
+ AAL_PREFIX.match?(classref)
+ end
 end

 def acr_values
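Review bot: Both new constants in the first hunk anchor with `^`, which in Ruby matches at the start of any line rather than the start of the string, and in `AAL_PREFIX` the `^` binds only to the first alternative, so the `urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo` branch matches anywhere inside a classref. The second hunk's `find` blocks apply these patterns to `request.requested_authn_contexts`, which presumably carries values from the service provider's AuthnRequest, so a loosely matching string would be returned as the requested IAL or AAL context. Anchor with `\A`, group the alternation and escape the dots: `IAL_PREFIX = %r{\Ahttp://idmanagement\.gov/ns/assurance/ial}` and `AAL_PREFIX = %r{\A(?:http://idmanagement\.gov/ns/assurance/aal|urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo)}`. If the looser patterns were carried over unchanged from the saml_idp gem, a one-line comment above the constants saying so, plus a spec for a classref with an embedded newline, would document the intended matching.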