Add AAL3 usage to protocols report

lib/reporting/protocols_report.rb

@@ -49,7 +49,7 @@ def as_tables
         overview_table,
         protocols_table,
         saml_signature_issues_table,
-        loa_acr_requests_table,
+        deprecated_parameters_table,
       ]
     end
 
@@ -68,8 +68,8 @@ def as_emailable_reports
           table: saml_signature_issues_table,
         ),
         Reporting::EmailableReport.new(
-          title: 'LOA ACR Requests',
-          table: loa_acr_requests_table,
+          title: 'Deprecated Parameter Usage',
+          table: deprecated_parameters_table,
         ),
       ]
     end
@@ -246,26 +246,34 @@ def saml_signature_issues_table
       ]
     end
 
-    def loa_acr_requests_table
+    def deprecated_parameters_table
       [
-        ['Count of issuers using LOA', 'List of issuers with the issue'],
         [
+          'Deprecated Parameter',
+          'Count of issuers using the parameter',
+          'List of issuers using the parameter',
+        ],
+        [
+          'LOA',
           loa_issuers_data.length,
           loa_issuers_data.join(', '),
         ],
+        [
+          'AAL3',
+          aal3_issuers_data.length,
+          aal3_issuers_data.join(', '),
+        ],
       ]
     end
 
     def loa_issuers_data
-      @loa_issuers_data ||= begin
-        cloudwatch_client.fetch(
-          query: loa_issuers_query,
-          from: time_range.begin,
-          to: time_range.end,
-        ).
-          map { |slice| slice['issuer'] }.
-          uniq
-      end
+      @loa_issuers_data ||= cloudwatch_client.fetch(
+        query: loa_issuers_query,
+        from: time_range.begin,
+        to: time_range.end,
+      ).
+        map { |slice| slice['issuer'] }.
+        uniq
     end
 
     def loa_issuers_query
@@ -288,6 +296,36 @@ def loa_issuers_query
       QUERY
     end
 
+    def aal3_issuers_data
+      @aal3_issuers_data ||= cloudwatch_client.fetch(
+        query: aal3_issuers_query,
+        from: time_range.begin,
+        to: time_range.end,
+      ).
+        map { |slice| slice['issuer'] }.
+        uniq
+    end
+
+    def aal3_issuers_query
+      params = {
+        event: quote([SAML_AUTH_EVENT, OIDC_AUTH_EVENT]),
+      }
+
+      format(<<~QUERY, params)
+        fields
+          coalesce(properties.event_properties.service_provider, properties.event_properties.client_id) as issuer,
+          properties.event_properties.acr_values as acr
+        | parse @message '"authn_context":[*]' as authn
+        | filter
+          name IN %{event}
+          AND (authn like /aal\\/3/ or acr like /aal\\/3/)
+          AND properties.event_properties.success= 1
+        | display issuer
+        | sort issuer
+        | dedup issuer
+      QUERY
+    end
+
     def to_percent(numerator, denominator)
       (100.0 * numerator / denominator).round(2)
     end

spec/lib/reporting/protocols_report_spec.rb

@@ -72,11 +72,20 @@
         'issuer' => 'Issuer3',
       },
     ]
+    aal3_issuers_query_response = [
+      {
+        'issuer' => 'Issuer1',
+      },
+      {
+        'issuer' => 'Issuer3',
+      },
+    ]
 
     stub_multiple_cloudwatch_logs(
       protocol_query_response,
       saml_signature_query_response,
       loa_issuers_query_response,
+      aal3_issuers_query_response,
     )
   end
 
@@ -202,11 +211,21 @@ def expected_tables(strings: false)
         ['Incorrectly signing SAML authentication requests', string_or_num(strings, 1), 'Issuer1'],
       ],
       [
-        ['Count of issuers using LOA', 'List of issuers with the issue'],
         [
+          'Deprecated Parameter',
+          'Count of issuers using the parameter',
+          'List of issuers using the parameter',
+        ],
+        [
+          'LOA',
           string_or_num(strings, 3),
           'Issuer1, Issuer2, Issuer3',
         ],
+        [
+          'AAL3',
+          string_or_num(strings, 2),
+          'Issuer1, Issuer3',
+        ],
       ],
     ]
   end