diff --git a/lib/reporting/protocols_report.rb b/lib/reporting/protocols_report.rb
index c0cdfc62905..d574c686b17 100644
--- a/lib/reporting/protocols_report.rb
+++ b/lib/reporting/protocols_report.rb
@@ -49,7 +49,7 @@ def as_tables
 overview_table,
 protocols_table,
 saml_signature_issues_table,
- loa_acr_requests_table,
+ deprecated_parameters_table,
 ]
 end
@@ -68,8 +68,8 @@ def as_emailable_reports
 table: saml_signature_issues_table,
 ),
 Reporting::EmailableReport.new(
- title: 'LOA ACR Requests',
- table: loa_acr_requests_table,
+ title: 'Deprecated Parameter Usage',
+ table: deprecated_parameters_table,
 ),
 ]
 end
@@ -246,26 +246,34 @@ def saml_signature_issues_table
 ]
 end
- def loa_acr_requests_table
+ def deprecated_parameters_table
 [
- ['Count of issuers using LOA', 'List of issuers with the issue'],
 [
+ 'Deprecated Parameter',
+ 'Count of issuers using the parameter',
+ 'List of issuers using the parameter',
+ ],
+ [
+ 'LOA',
 loa_issuers_data.length,
 loa_issuers_data.join(', '),
 ],
+ [
+ 'AAL3',
+ aal3_issuers_data.length,
+ aal3_issuers_data.join(', '),
+ ],
 ]
 end
 def loa_issuers_data
- @loa_issuers_data ||= begin
- cloudwatch_client.fetch(
- query: loa_issuers_query,
- from: time_range.begin,
- to: time_range.end,
- ).
- map { |slice| slice['issuer'] }.
- uniq
- end
+ @loa_issuers_data ||= cloudwatch_client.fetch(
+ query: loa_issuers_query,
+ from: time_range.begin,
+ to: time_range.end,
+ ).
+ map { |slice| slice['issuer'] }.
+ uniq
 end
 def loa_issuers_query
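Review bot: The 'LOA' and 'AAL3' rows added to deprecated_parameters_table are the same label / length / join triple written out by hand twice, so a small row helper would keep future deprecated parameters from drifting in shape; the rewrite below leaves the header row and the returned structure unchanged. The memoised loa_issuers_data rewrite behaves the same as the removed begin/end form, since an empty Array is truthy in Ruby and still short-circuits `||=` on the second call. The joined cell contains whatever `slice['issuer']` carries back from the query result, so a one-line comment on the method such as `# Issuer cells are the raw 'issuer' values returned by the Logs Insights query.` would tell a reader of the emailed report where those strings originate.
```ruby
  def deprecated_parameters_table
    [
      # … unchanged: header row …
      deprecated_parameter_row('LOA', loa_issuers_data),
      deprecated_parameter_row('AAL3', aal3_issuers_data),
    ]
  end

  # One table row for a deprecated parameter: its label, how many issuers
  # still send it, and the comma-joined issuer list.
  def deprecated_parameter_row(label, issuers)
    [label, issuers.length, issuers.join(', ')]
  end
```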
@@ -288,6 +296,36 @@ def loa_issuers_query
 QUERY
 end
+ def aal3_issuers_data
+ @aal3_issuers_data ||= cloudwatch_client.fetch(
+ query: aal3_issuers_query,
+ from: time_range.begin,
+ to: time_range.end,
+ ).
+ map { |slice| slice['issuer'] }.
+ uniq
+ end
+
+ def aal3_issuers_query
+ params = {
+ event: quote([SAML_AUTH_EVENT, OIDC_AUTH_EVENT]),
+ }
+
+ format(<<~QUERY, params)
+ fields
+ coalesce(properties.event_properties.service_provider, properties.event_properties.client_id) as issuer,
+ properties.event_properties.acr_values as acr
+ | parse @message '"authn_context":[*]' as authn
+ | filter
+ name IN %{event}
+ AND (authn like /aal\\/3/ or acr like /aal\\/3/)
+ AND properties.event_properties.success= 1
+ | display issuer
+ | sort issuer
+ | dedup issuer
+ QUERY
+ end
+
 def to_percent(numerator, denominator)
 (100.0 * numerator / denominator).round(2)
 end
diff --git a/spec/lib/reporting/protocols_report_spec.rb b/spec/lib/reporting/protocols_report_spec.rb
index 0a47332ef1b..f4ba6e1104a 100644
--- a/spec/lib/reporting/protocols_report_spec.rb
+++ b/spec/lib/reporting/protocols_report_spec.rb
@@ -72,11 +72,20 @@
 'issuer' => 'Issuer3',
 },
 ]
+ aal3_issuers_query_response = [
+ {
+ 'issuer' => 'Issuer1',
+ },
+ {
+ 'issuer' => 'Issuer3',
+ },
+ ]
 stub_multiple_cloudwatch_logs(
 protocol_query_response,
 saml_signature_query_response,
 loa_issuers_query_response,
+ aal3_issuers_query_response,
 )
 end
@@ -202,11 +211,21 @@ def expected_tables(strings: false)
 ['Incorrectly signing SAML authentication requests', string_or_num(strings, 1), 'Issuer1'],
 ],
 [
- ['Count of issuers using LOA', 'List of issuers with the issue'],
 [
+ 'Deprecated Parameter',
+ 'Count of issuers using the parameter',
+ 'List of issuers using the parameter',
+ ],
+ [
+ 'LOA',
 string_or_num(strings, 3),
 'Issuer1, Issuer2, Issuer3',
 ],
+ [
+ 'AAL3',
+ string_or_num(strings, 2),
+ 'Issuer1, Issuer3',
+ ],
 ],
 ]
 end
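Review bot: aal3_issuers_data repeats loa_issuers_data line for line apart from the query it passes, so a shared private helper that runs the fetch / map / uniq chain would let both memoised methods collapse to one-liners such as `@aal3_issuers_data ||= issuers_for(aal3_issuers_query)`; the rewrite below shows the helper. In aal3_issuers_query the filter line `AND properties.event_properties.success= 1` has uneven spacing around `=`; `success = 1` matches the other comparisons in the query. The heredoc would also benefit from a short comment above `format(<<~QUERY, params)` saying that `parse @message '"authn_context":[*]' as authn` pulls the bracketed authn_context value back out of the raw message, that `acr_values` is the second place the requested context is looked for (presumably the OIDC request path), and that `/aal\/3/` is a substring match on the ACR URN rather than an exact comparison, since none of that reasoning is recoverable from the query text alone. to_percent and the rest of the class lie outside this hunk.
```ruby
  def aal3_issuers_data
    @aal3_issuers_data ||= issuers_for(aal3_issuers_query)
  end

  # Runs a Logs Insights query over the report's time range and returns the
  # distinct `issuer` values it produced.
  def issuers_for(query)
    cloudwatch_client.fetch(
      query: query,
      from: time_range.begin,
      to: time_range.end,
    ).
    map { |slice| slice['issuer'] }.
    uniq
  end

  # … unchanged: aal3_issuers_query …
```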
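Review bot: The new aal3_issuers_query_response appears to be consumed purely by position in stub_multiple_cloudwatch_logs — it has to be the fourth argument because aal3_issuers_data is the fourth fetch the report makes — and nothing in the spec ties the canned rows to aal3_issuers_query itself, so a reordering of the report's fetches or a typo in the AAL3 filter would still pass. If the stub helper can match on the query text (its definition is outside this diff), keying the response on the query would make the fixture robust; otherwise a comment such as `# order must match the fetch order in Reporting::ProtocolsReport` above the call would at least record the coupling. The enclosing `before` block starts outside the hunk.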