-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor ial/aal determination #11160
Conversation
9912852
to
77dfbad
Compare
77dfbad
to
7761db1
Compare
bb80c71
to
ac888d0
Compare
requested_ial_authn_context || default_ial_authn_context | ||
end | ||
end | ||
|
||
def requested_ial_authn_context | ||
request.requested_authn_contexts.find do |classref| | ||
IAL_PREFIX.match?(classref) | ||
end | ||
end | ||
|
||
def aal | ||
request.requested_aal_authn_context | ||
request.requested_authn_contexts.find do |classref| | ||
AAL_PREFIX.match?(classref) | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note to other reviewers: this code is a lift and shift from the saml_idp gem (see: PR#117: Remove ial/aal concerns) and will be replaced in the next sprint with a long term solution.
0fe705f
to
ac888d0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this change looks good! i think we should add the LOA prefix back to avoid changing any behavior, and a couple formatting nitpicks in the tests, but just minor changes. once the LOA prefix is back i'll approve
if requested_ial_acr == ::Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF | ||
return 'ialmax' | ||
else | ||
saml_protocol.requested_ial_authn_context.presence || 'none' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is not in scope to your change, but interesting that we return 'none' here instead of nil 🤔
@@ -5845,7 +5845,7 @@ def rules_of_use_visit | |||
# @param [String] endpoint | |||
# @param [Boolean] idv | |||
# @param [Boolean] finish_profile | |||
# @param [Integer] requested_ial | |||
# @param [String] requested_ial |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice catch on these two
app/services/attribute_asserter.rb
Outdated
@@ -42,7 +42,7 @@ def build | |||
add_vot(attrs) | |||
else | |||
add_aal(attrs) | |||
add_ial(attrs) if authn_request.requested_ial_authn_context || !service_provider.ial.nil? | |||
add_ial(attrs) if requested_ial_authn_context || !service_provider.ial.nil? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since requested_ial_authn_context
is only used in the case of this conditional, i might pull the whole conditional into a method (and/or update the .nil?
check to a present?
check so it can be positive) but it's not a big deal really
@@ -2,6 +2,9 @@ | |||
|
|||
module FederatedProtocols | |||
class Saml | |||
IAL_PREFIX = %r{^http://idmanagement.gov/ns/assurance/ial} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[suggestion] it looks like the LOA prefix is not being included. we should probably add that back as this is a refactor, not a code change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made this change on the basis of https://gsa-tts.slack.com/archives/C0NGESUN5/p1724965595589029.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, i understand it's maybe not what we want, but if we're going to make a change that affects partner requests or responses, we have to consider it fully and not just include it in a refactor. feel free to make a ticket for it!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I can tell (and the tests), it only affects the logged analytics event, and doesn't affect what we send to partners.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll open a separate issue - https://gitlab.login.gov/lg-people/Melba/backlog-fy24/-/issues/99
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks! once you add the LOA prefix back in i'll approve
db51015
to
806feef
Compare
This was unnecessarily leaking into the saml_idp gem. A separate PR (18F/saml_idp#117) in that repo will remove these concerns from there. See https://gitlab.login.gov/lg-people/Melba/backlog-fy24/-/issues/95 changelog: Internal, Refactoring, Refactor saml_request.requested_ial_authn_context calls to single place
806feef
to
ae88f6c
Compare
Restrict ial and aal determination to the idp app.
This was unnecessarily leaking into the saml_idp gem. A subsequent PR in
that repo will remove these concerns there.
As part of the move to semantic ACR values, we will also replace the regex prefix matching for IALs and AALs with explicit enumerations.