LG-12190 Store vtr and acr_values in sp_session

app/forms/openid_connect_authorize_form.rb

@@ -20,6 +20,7 @@ class OpenidConnectAuthorizeForm
   ATTRS = [
     :unauthorized_scope,
     :acr_values,
+    :vtr,
     :scope,
     :verified_within,
     :biometric_comparison_required,
@@ -37,7 +38,7 @@ class OpenidConnectAuthorizeForm
   RANDOM_VALUE_MINIMUM_LENGTH = 22
   MINIMUM_REPROOF_VERIFIED_WITHIN_DAYS = 30
 
-  validates :acr_values, presence: true
+  validates :acr_values, presence: true, if: ->(form) { form.vtr.empty? }
   validates :client_id, presence: true
   validates :redirect_uri, presence: true
   validates :scope, presence: true
@@ -49,6 +50,7 @@ class OpenidConnectAuthorizeForm
   validates :code_challenge_method, inclusion: { in: %w[S256] }, if: :code_challenge
 
   validate :validate_acr_values
+  validate :validate_vtr
   validate :validate_client_id
   validate :validate_scope
   validate :validate_unauthorized_scope
@@ -59,6 +61,7 @@ class OpenidConnectAuthorizeForm
 
   def initialize(params)
     @acr_values = parse_to_values(params[:acr_values], Saml::Idp::Constants::VALID_AUTHN_CONTEXTS)
+    @vtr = parse_vtr(params[:vtr])
     SIMPLE_ATTRS.each { |key| instance_variable_set(:"@#{key}", params[key]) }
     @prompt ||= 'select_account'
     @scope = parse_to_values(params[:scope], scopes)
@@ -119,15 +122,27 @@ def ial_context
   end
 
   def ial
-    Saml::Idp::Constants::AUTHN_CONTEXT_CLASSREF_TO_IAL[ial_values.sort.max]
+    if parsed_vector_of_trust&.identity_proofing?
+      2
+    elsif parsed_vector_of_trust.present?
+      1
+    else
+      Saml::Idp::Constants::AUTHN_CONTEXT_CLASSREF_TO_IAL[ial_values.sort.max]
+    end
   end
 
   def aal_values
     acr_values.filter { |acr| acr.include?('aal') }
   end
 
   def aal
-    Saml::Idp::Constants::AUTHN_CONTEXT_CLASSREF_TO_AAL[requested_aal_value]
+    if parsed_vector_of_trust&.aal2?
+      2
+    elsif parsed_vector_of_trust.present?
+      1
+    else
+      Saml::Idp::Constants::AUTHN_CONTEXT_CLASSREF_TO_AAL[requested_aal_value]
+    end
   end
 
   def requested_aal_value
@@ -163,7 +178,18 @@ def parse_to_values(param_value, possible_values)
     param_value.split(' ').compact & possible_values
   end
 
+  def parse_vtr(param_value)
+    return if !IdentityConfig.store.use_vot_in_sp_requests
+    return [] if param_value.blank?
+
+    JSON.parse(param_value)
+  rescue JSON::ParserError
+    nil
+  end
+
   def validate_acr_values
+    return if vtr.present?
+
     if acr_values.empty?
       errors.add(
         :acr_values, t('openid_connect.authorization.errors.no_valid_acr_values'),
@@ -177,6 +203,15 @@ def validate_acr_values
     end
   end
 
+  def validate_vtr
+    return if vtr.blank?
+    return if parsed_vector_of_trust.present?
+    errors.add(
+      :vtr, t('openid_connect.authorization.errors.no_valid_vtr'),
+      type: :no_valid_vtr
+    )
+  end
+
   # This checks that the SP matches something in the database
   # OpenidConnect::AuthorizationController#check_sp_active checks that it's currently active
   def validate_client_id
@@ -246,6 +281,7 @@ def extra_analytics_attributes
       redirect_uri: result_uri,
       scope: scope&.sort&.join(' '),
       acr_values: acr_values&.sort&.join(' '),
+      vtr: vtr,
       unauthorized_scope: @unauthorized_scope,
       code_digest: code ? Digest::SHA256.hexdigest(code) : nil,
       code_challenge_present: code_challenge.present?,
@@ -275,6 +311,19 @@ def scopes
     OpenidConnectAttributeScoper::VALID_IAL1_SCOPES
   end
 
+  def parsed_vector_of_trust
+    return @parsed_vector_of_trust if defined?(@parsed_vector_of_trust)
+    return @parsed_vector_of_trust = nil if vtr.blank?
+
+    @parsed_vector_of_trust = begin
+      if vtr.is_a?(Array) && !vtr.empty?
+        Vot::Parser.new(vector_of_trust: vtr.first).parse
+      end
+    rescue Vot::Parser::ParseException
+      nil
+    end
+  end
+
   def validate_privileges
     if (ial2_requested? && !ial_context.ial2_service_provider?) ||
        (ial_context.ialmax_requested? &&

app/models/federated_protocols/oidc.rb

@@ -16,6 +16,14 @@ def aal
       request.aal_values.sort.max
     end
 
+    def acr_values
+      [aal, ial].compact.join(' ')
+    end
+
+    def vtr
+      request.vtr
+    end
+
     def requested_attributes
       OpenidConnectAttributeScoper.new(request.scope).requested_attributes
     end

app/models/federated_protocols/saml.rb

@@ -16,6 +16,14 @@ def aal
       request.requested_aal_authn_context
     end
 
+    def acr_values
+      [aal, ial].compact.join(' ')
+    end
+
+    def vtr
+      nil
+    end
+
     def requested_attributes
       @requested_attributes ||= SamlRequestPresenter.new(
         request: request, service_provider: current_service_provider,

app/models/service_provider_request.rb

@@ -3,7 +3,7 @@ class ServiceProviderRequest
   # since these objects are serialized to/from Redis and may be present
   # upon deployment
   attr_accessor :uuid, :issuer, :url, :ial, :aal, :requested_attributes,
-                :biometric_comparison_required
+                :biometric_comparison_required, :acr_values, :vtr
 
   def initialize(
     uuid: nil,
@@ -13,8 +13,8 @@ def initialize(
     aal: nil,
     requested_attributes: [],
     biometric_comparison_required: false,
-    acr_values: nil, # rubocop:disable Lint/UnusedMethodArgument
-    vtr: nil # rubocop:disable Lint/UnusedMethodArgument
+    acr_values: nil,
+    vtr: nil
   )
     @uuid = uuid
     @issuer = issuer
@@ -23,6 +23,8 @@ def initialize(
     @aal = aal
     @requested_attributes = requested_attributes&.map(&:to_s)
     @biometric_comparison_required = biometric_comparison_required
+    @acr_values = acr_values
+    @vtr = vtr
   end
 
   def ==(other)

app/services/analytics_events.rb

@@ -3636,12 +3636,14 @@ def openid_connect_bearer_token(success:, ial:, client_id:, errors:, **extra)
   # @param [String] client_id
   # @param [String] scope
   # @param [Array] acr_values
+  # @param [Array] vtr
   # @param [Boolean] unauthorized_scope
   # @param [Boolean] user_fully_authenticated
   def openid_connect_request_authorization(
     client_id:,
     scope:,
     acr_values:,
+    vtr:,
     unauthorized_scope:,
     user_fully_authenticated:,
     **extra
@@ -3651,6 +3653,7 @@ def openid_connect_request_authorization(
       client_id: client_id,
       scope: scope,
       acr_values: acr_values,
+      vtr: vtr,
       unauthorized_scope: unauthorized_scope,
       user_fully_authenticated: user_fully_authenticated,
       **extra,

app/services/service_provider_request_handler.rb

@@ -63,6 +63,8 @@ def attributes
       issuer: protocol.issuer,
       ial: protocol.ial,
       aal: protocol.aal,
+      acr_values: protocol.acr_values,
+      vtr: protocol.vtr,
       requested_attributes: protocol.requested_attributes,
       biometric_comparison_required: protocol.biometric_comparison_required?,
       uuid: request_id,

app/services/service_provider_request_proxy.rb

@@ -34,7 +34,7 @@ def self.find_or_create_by(uuid:)
     spr = ServiceProviderRequest.new(
       uuid: uuid, issuer: nil, url: nil, ial: nil,
       aal: nil, requested_attributes: nil,
-      biometric_comparison_required: false
+      biometric_comparison_required: false, acr_values: nil, vtr: nil
     )
     yield(spr)
     create(
@@ -45,13 +45,22 @@ def self.find_or_create_by(uuid:)
       aal: spr.aal,
       requested_attributes: spr.requested_attributes,
       biometric_comparison_required: spr.biometric_comparison_required,
+      acr_values: spr.acr_values,
+      vtr: spr.vtr,
     )
   end
 
   def self.create(hash)
     uuid = hash[:uuid]
     obj = hash.slice(
-      :issuer, :url, :ial, :aal, :requested_attributes, :biometric_comparison_required
+      :issuer,
+      :url,
+      :ial,
+      :aal,
+      :requested_attributes,
+      :biometric_comparison_required,
+      :acr_values,
+      :vtr,
     )
     write(obj, uuid)
     hash_to_spr(obj, uuid)

app/services/store_sp_metadata_in_session.rb

@@ -37,6 +37,8 @@ def update_session
       request_id: sp_request.uuid,
       requested_attributes: sp_request.requested_attributes,
       biometric_comparison_required: sp_request.biometric_comparison_required,
+      acr_values: sp_request.acr_values,
+      vtr: sp_request.vtr,
     }
   end
 

config/application.yml.default

@@ -321,6 +321,7 @@ team_ursula_email: ''
 test_ssn_allowed_list: ''
 totp_code_interval: 30
 unauthorized_scope_enabled: false
+use_vot_in_sp_requests: true
 usps_upload_enabled: false
 usps_upload_sftp_timeout: 5
 valid_authn_contexts: '["http://idmanagement.gov/ns/assurance/loa/1", "http://idmanagement.gov/ns/assurance/loa/3", "http://idmanagement.gov/ns/assurance/ial/1", "http://idmanagement.gov/ns/assurance/ial/2", "http://idmanagement.gov/ns/assurance/ial/0", "http://idmanagement.gov/ns/assurance/ial/2?strict=true", "urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo", "http://idmanagement.gov/ns/assurance/aal/2", "http://idmanagement.gov/ns/assurance/aal/3", "http://idmanagement.gov/ns/assurance/aal/3?hspd12=true","http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true","http://idmanagement.gov/ns/assurance/aal/2?hspd12=true"]'
@@ -494,6 +495,7 @@ production:
   state_tracking_enabled: false
   telephony_adapter: pinpoint
   use_kms: true
+  use_vot_in_sp_requests: false
   usps_auth_token_refresh_job_enabled: true
   usps_confirmation_max_days: 30
   usps_upload_sftp_directory: ''

config/locales/openid_connect/en.yml

@@ -12,6 +12,7 @@ en:
         no_auth: The acr_values are not authorized
         no_valid_acr_values: No acceptable acr_values found
         no_valid_scope: No valid scope values found
+        no_valid_vtr: No acceptable vots found
         prompt_invalid: No valid prompt values found
         redirect_uri_invalid: redirect_uri is invalid
         redirect_uri_no_match: redirect_uri does not match registered redirect_uri

config/locales/openid_connect/es.yml

@@ -12,6 +12,7 @@ es:
         no_auth: Los acr_values no están autorizados
         no_valid_acr_values: ial_valores encontrados no aceptables
         no_valid_scope: No se han encontrado valores de magnitud válidos
+        no_valid_vtr: vots encontrados no aceptables
         prompt_invalid: Prompt no es válido
         redirect_uri_invalid: Redirect_uri no es válido
         redirect_uri_no_match: Redirect_uri no coincide con redirect_uri registrado

config/locales/openid_connect/fr.yml

@@ -12,6 +12,7 @@ fr:
         no_auth: Les acr_values ne sont pas autorisées
         no_valid_acr_values: Valeurs acr_values inacceptables trouvées
         no_valid_scope: Aucune étendue de données valide trouvée
+        no_valid_vtr: vots encontrados no aceptables
         prompt_invalid: prompt est non valide
         redirect_uri_invalid: redirect_uri est non valide
         redirect_uri_no_match: redirect_uri ne correspond pas au redirect_uri enregistré

lib/identity_config.rb

@@ -461,6 +461,7 @@ def self.build_store(config_map)
     config.add(:unauthorized_scope_enabled, type: :boolean)
     config.add(:use_dashboard_service_providers, type: :boolean)
     config.add(:use_kms, type: :boolean)
+    config.add(:use_vot_in_sp_requests, type: :boolean)
     config.add(:usps_auth_token_refresh_job_enabled, type: :boolean)
     config.add(:usps_confirmation_max_days, type: :integer)
     config.add(:usps_ipp_client_id, type: :string)