Merged
7 changes: 5 additions & 2 deletions app/services/analytics.rb
Expand Up @@ -131,8 +131,9 @@ def sp_request_attributes

attributes = resolved_result.to_h
attributes[:component_values] = resolved_result.component_values.map do |v|
[v.name.sub('http://idmanagement.gov/ns/assurance/', ''), true]
[v.name.sub("#{Saml::Idp::Constants::LEGACY_ACR_PREFIX}/", ''), true]
end.to_h
attributes[:component_names] = resolved_result.component_names
attributes.reject! { |_key, value| value == false }

if differentiator.present?
Expand All @@ -157,7 +158,9 @@ def differentiator
end

def resolved_authn_context_result
return nil if sp.nil? || session[:sp].blank?
return nil if sp.blank? ||
session[:sp].blank? ||
(session[:sp][:vtr].blank? && session[:sp][:acr_values].blank?)
return @resolved_authn_context_result if defined?(@resolved_authn_context_result)

service_provider = ServiceProvider.find_by(issuer: sp)
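Review bot: The widened guard in `resolved_authn_context_result` returns nil for three different situations (no SP, no SP session, and an SP session carrying neither `vtr` nor `acr_values`), and nothing in the visible lines records which one applied. How `sp_request_attributes` handles nil is outside the hunk, but if it just omits the SP request fields, an analytics event for a request that sent no authentication context will read the same as one with no SP at all, which matters when these events are used for audit or investigation. I would document the contract above the guard, for example `# nil means "nothing to resolve": no SP, no SP session, or a request with neither vtr nor acr_values`. It is also worth confirming that the "SP present, no context requested" case is still distinguishable somewhere in the logged event. The method body continues past the end of the hunk.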
13 changes: 8 additions & 5 deletions lib/saml_idp_constants.rb
Expand Up @@ -6,10 +6,13 @@
module Saml
module Idp
module Constants
LOA1_AUTHN_CONTEXT_CLASSREF = 'http://idmanagement.gov/ns/assurance/loa/1'
LOA3_AUTHN_CONTEXT_CLASSREF = 'http://idmanagement.gov/ns/assurance/loa/3'
LEGACY_ACR_NS = 'http://idmanagement.gov/ns'
LEGACY_ACR_PREFIX = "#{LEGACY_ACR_NS}/assurance".freeze

IAL_AUTHN_CONTEXT_PREFIX = 'http://idmanagement.gov/ns/assurance/ial'
LOA1_AUTHN_CONTEXT_CLASSREF = "#{LEGACY_ACR_PREFIX}/loa/1".freeze
LOA3_AUTHN_CONTEXT_CLASSREF = "#{LEGACY_ACR_PREFIX}/loa/3".freeze

IAL_AUTHN_CONTEXT_PREFIX = "#{LEGACY_ACR_PREFIX}/ial".freeze
IAL1_AUTHN_CONTEXT_CLASSREF = "#{IAL_AUTHN_CONTEXT_PREFIX}/1".freeze
IAL2_AUTHN_CONTEXT_CLASSREF = "#{IAL_AUTHN_CONTEXT_PREFIX}/2".freeze
IALMAX_AUTHN_CONTEXT_CLASSREF = "#{IAL_AUTHN_CONTEXT_PREFIX}/0".freeze
Expand All @@ -29,7 +32,7 @@ module Constants
].freeze

DEFAULT_AAL_AUTHN_CONTEXT_CLASSREF = 'urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo'
AAL_AUTHN_CONTEXT_PREFIX = 'http://idmanagement.gov/ns/assurance/aal'
AAL_AUTHN_CONTEXT_PREFIX = "#{LEGACY_ACR_PREFIX}/aal".freeze
AAL1_AUTHN_CONTEXT_CLASSREF = "#{AAL_AUTHN_CONTEXT_PREFIX}/1".freeze
AAL2_AUTHN_CONTEXT_CLASSREF = "#{AAL_AUTHN_CONTEXT_PREFIX}/2".freeze
AAL2_PHISHING_RESISTANT_AUTHN_CONTEXT_CLASSREF = "#{AAL_AUTHN_CONTEXT_PREFIX}/2?phishing_resistant=true".freeze
Expand All @@ -42,7 +45,7 @@ module Constants
NAME_ID_FORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
VALID_NAME_ID_FORMATS = [NAME_ID_FORMAT_PERSISTENT, NAME_ID_FORMAT_EMAIL].freeze

REQUESTED_ATTRIBUTES_CLASSREF = 'http://idmanagement.gov/ns/requested_attributes?ReqAttr='
REQUESTED_ATTRIBUTES_CLASSREF = "#{LEGACY_ACR_NS}/requested_attributes?ReqAttr=".freeze

VALID_AUTHN_CONTEXTS = (if FeatureManagement.use_semantic_authn_contexts?
IdentityConfig.store.valid_authn_contexts_semantic
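Review bot: `LEGACY_ACR_NS` and `LEGACY_ACR_PREFIX` are now the single root of every LOA, IAL and AAL class reference and of `REQUESTED_ATTRIBUTES_CLASSREF`, but neither has a comment saying what "legacy" refers to or that the literal is an externally visible identifier. The derived strings match the old literals in the visible lines, so behaviour is unchanged today. The risk is a later edit to one base constant silently changing every authentication-context value compared against incoming requests. I would add a comment such as `# Root of the legacy ACR URIs sent by service providers; every *_CLASSREF below derives from it, so the literal must not change`. If no spec does so already, one should pin a fully expanded value such as `'http://idmanagement.gov/ns/assurance/ial/1'`. The module body starts and ends outside the hunks.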