LG-12563 add vot to user info controller

app/presenters/openid_connect_user_info_presenter.rb

@@ -21,8 +21,13 @@ def user_info
     info.merge!(ial2_attributes) if scoper.ial2_scopes_requested? && ial2_data.present?
     info.merge!(x509_attributes) if scoper.x509_scopes_requested?
     info[:verified_at] = verified_at if scoper.verified_at_requested?
-    info[:ial] = Saml::Idp::Constants::AUTHN_CONTEXT_IAL_TO_CLASSREF[identity.ial]
-    info[:aal] = identity.requested_aal_value
+    if identity.vtr.nil?
+      info[:ial] = Saml::Idp::Constants::AUTHN_CONTEXT_IAL_TO_CLASSREF[identity.ial]
+      info[:aal] = identity.requested_aal_value
+    else
+      info[:vot] = vot_values
+      info[:vtm] = IdentityConfig.store.vtm_url
+    end
 
     scoper.filter(info)
   end
@@ -33,6 +38,12 @@ def url_options
 
   private
 
+  def vot_values
+    vot = JSON.parse(identity.vtr).first
+    parsed_vot = Vot::Parser.new(vector_of_trust: vot).parse
+    parsed_vot.expanded_component_values
+  end
+
   def uuid_from_sp_identity(identity)
     AgencyIdentityLinker.new(identity).link_identity.uuid
   end

app/services/id_token_builder.rb

@@ -36,16 +36,19 @@ def jwt_payload
   end
 
   def id_token_claims
-    {
-      acr: (acr if !sp_requests_vot?),
-      vot: (vot if sp_requests_vot?),
-      vtm: (IdentityConfig.store.vtm_url if sp_requests_vot?),
+    claims = {
       nonce: identity.nonce,
       aud: identity.service_provider,
       jti: SecureRandom.urlsafe_base64,
       at_hash: hash_token(identity.access_token),
       c_hash: hash_token(code),
-    }.compact
+    }
+
+    if !sp_requests_vot?
+      claims[:acr] = acr
+    end
+
+    claims
   end
 
   def timestamp_claims

app/services/vot/parser.rb

@@ -26,6 +26,10 @@ def self.no_sp_result
       def identity_proofing_or_ialmax?
         identity_proofing? || ialmax?
       end
+
+      def expanded_component_values
+        component_values.map(&:name).join('.')
+      end
     end
 
     attr_reader :vector_of_trust, :acr_values

spec/features/openid_connect/openid_connect_spec.rb

@@ -27,7 +27,7 @@
 
   context 'with client_secret_jwt' do
     it 'succeeds with prompt login and no prior session' do
-      oidc_end_client_secret_jwt(vtr: 'C1.C2.P1', prompt: 'login')
+      oidc_end_client_secret_jwt(vot: 'C1.C2.P1', prompt: 'login')
     end
 
     it 'succeeds in forcing login with prompt login and prior session' do
@@ -58,8 +58,7 @@
     end
 
     it 'succeeds with a vtr param' do
-      allow(IdentityConfig.store).to receive(:use_vot_in_sp_requests).and_return(true)
-      oidc_end_client_secret_jwt(vtr: 'C1.C2.P1')
+      oidc_end_client_secret_jwt(vot: 'C1.C2.P1')
     end
   end
 
@@ -1159,14 +1158,14 @@ def client_private_key
     end
   end
 
-  def oidc_end_client_secret_jwt(vtr: nil, prompt: nil, user: nil, redirs_to: nil)
+  def oidc_end_client_secret_jwt(vot: nil, prompt: nil, user: nil, redirs_to: nil)
     client_id = 'urn:gov:gsa:openidconnect:sp:server'
     state = SecureRandom.hex
     nonce = SecureRandom.hex
 
-    if vtr.present?
+    if vot.present?
       visit_idp_from_oidc_sp_with_vtr(
-        vtr: vtr,
+        vtr: [vot],
         prompt: prompt,
         state: state,
         nonce: nonce,
@@ -1234,9 +1233,9 @@ def oidc_end_client_secret_jwt(vtr: nil, prompt: nil, user: nil, redirs_to: nil)
     expect(decoded_id_token[:given_name]).to eq('John')
     expect(decoded_id_token[:social_security_number]).to eq('111223333')
 
-    if vtr.present?
+    if vot.present?
       expect(decoded_id_token[:acr]).to eq(nil)
-      expect(decoded_id_token[:vot]).to eq(Array(vtr).first)
+      expect(decoded_id_token[:vot]).to eq(vot)
     else
       expect(decoded_id_token[:acr]).to eq(Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF)
       expect(decoded_id_token[:vot]).to eq(nil)
@@ -1254,6 +1253,19 @@ def oidc_end_client_secret_jwt(vtr: nil, prompt: nil, user: nil, redirs_to: nil)
     expect(userinfo_response[:email]).to eq(user.email)
     expect(userinfo_response[:given_name]).to eq('John')
     expect(userinfo_response[:social_security_number]).to eq('111223333')
+
+    if vot.present?
+      expect(userinfo_response).not_to have_key(:ial)
+      expect(userinfo_response).not_to have_key(:aal)
+      expect(userinfo_response[:vot]).to eq(vot)
+    else
+      expect(userinfo_response[:ial]).to eq(Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF)
+      expect(userinfo_response[:aal]).to eq(
+        Saml::Idp::Constants::DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF,
+      )
+      expect(userinfo_response).not_to have_key(:vot)
+    end
+
     user
   end
 end

spec/features/openid_connect/vtr_spec.rb

@@ -13,7 +13,7 @@
   scenario 'sign in with VTR request for authentication', :js do
     user = create(:user, :fully_registered)
 
-    visit_idp_from_oidc_sp_with_vtr(vtr: 'C1')
+    visit_idp_from_oidc_sp_with_vtr(vtr: ['C1'])
 
     expect(page).to have_content(t('headings.sign_in_existing_users'))
 
@@ -38,7 +38,7 @@
     click_submit_default
     first(:button, t('links.sign_out')).click
 
-    visit_idp_from_oidc_sp_with_vtr(vtr: 'C1.C2')
+    visit_idp_from_oidc_sp_with_vtr(vtr: ['C1.C2'])
     sign_in_user(user)
 
     # MFA is required despite remember device
@@ -55,7 +55,7 @@
     mock_webauthn_setup_challenge
     user = create(:user, :fully_registered)
 
-    visit_idp_from_oidc_sp_with_vtr(vtr: 'C1.Ca')
+    visit_idp_from_oidc_sp_with_vtr(vtr: ['C1.Ca'])
     sign_in_live_with_2fa(user)
 
     # More secure MFA is required
@@ -80,7 +80,7 @@
 
     user = create(:user, :fully_registered)
 
-    visit_idp_from_oidc_sp_with_vtr(vtr: 'C1.Cb')
+    visit_idp_from_oidc_sp_with_vtr(vtr: ['C1.Cb'])
     sign_in_live_with_2fa(user)
 
     # More secure MFA is required
@@ -107,7 +107,7 @@
   scenario 'sign in with VTR request for idv requires idv', :js do
     user = create(:user, :fully_registered)
 
-    visit_idp_from_oidc_sp_with_vtr(vtr: 'P1')
+    visit_idp_from_oidc_sp_with_vtr(vtr: ['P1'])
 
     expect(page).to have_content(t('headings.sign_in_existing_users'))
 
@@ -121,7 +121,7 @@
 
     user = create(:user, :fully_registered)
 
-    visit_idp_from_oidc_sp_with_vtr(vtr: 'Pb')
+    visit_idp_from_oidc_sp_with_vtr(vtr: ['Pb'])
 
     expect(page).to have_content(t('headings.sign_in_existing_users'))