Skip to content

Revert "LG-9958 add allow list for IALMAX" #8737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Sgtpluck wants to merge 1 commit into from
Closed

Revert "LG-9958 add allow list for IALMAX" #8737

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions app/forms/openid_connect_authorize_form.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,8 +260,7 @@ def scopes

def validate_privileges
if (ial2_requested? && !ial_context.ial2_service_provider?) ||
(ial_context.ialmax_requested? &&
!IdentityConfig.store.allowed_ialmax_providers.include?(client_id))
(ial_context.ialmax_requested? && !ial_context.ial2_service_provider?)
errors.add(
:acr_values, t('openid_connect.authorization.errors.no_auth'),
type: :no_auth
Expand Down
8 changes: 1 addition & 7 deletions app/services/saml_request_validator.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,9 +39,7 @@ def authorized_service_provider

def authorized_authn_context
if !valid_authn_context? ||
(ial2_context_requested? && service_provider&.ial != 2) ||
(ial_max_requested? &&
!IdentityConfig.store.allowed_ialmax_providers.include?(service_provider&.issuer))
(ial2_context_requested? && service_provider&.ial != 2)
errors.add(:authn_context, :unauthorized_authn_context, type: :unauthorized_authn_context)
end
end
Expand Down Expand Up @@ -73,10 +71,6 @@ def ial2_context_requested?
end
end

def ial_max_requested?
Array(authn_context).include?(Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF)
end

def authorized_email_nameid_format
return unless email_nameid_format?
return if service_provider&.email_nameid_format_allowed
Expand Down
1 change: 0 additions & 1 deletion config/application.yml.default
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ aamva_supported_jurisdictions: '["AL","AR","AZ","CO","CT","DC","DE","FL","GA","H
aamva_verification_request_timeout: 5.0
aamva_verification_url: https://example.org:12345/verification/url
all_redirect_uris_cache_duration_minutes: 2
allowed_ialmax_providers: '[]'
account_reset_token_valid_for_days: 1
account_reset_wait_period_days: 1
account_suspended_support_code: EFGHI
Expand Down
1 change: 0 additions & 1 deletion lib/identity_config.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,6 @@ def self.build_store(config_map)
config.add(:aamva_verification_request_timeout, type: :float)
config.add(:aamva_verification_url)
config.add(:all_redirect_uris_cache_duration_minutes, type: :integer)
config.add(:allowed_ialmax_providers, type: :json)
config.add(:account_reset_token_valid_for_days, type: :integer)
config.add(:account_reset_wait_period_days, type: :integer)
config.add(:account_suspended_support_code, type: :string)
Expand Down
291 changes: 134 additions & 157 deletions spec/controllers/openid_connect/authorization_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -182,166 +182,161 @@
end

context 'with ialmax requested' do
context 'provider is on the ialmax allow list' do
before do
params[:acr_values] = Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF
allow(IdentityConfig.store).to receive(:allowed_ialmax_providers) { [client_id] }
end
before { params[:acr_values] = Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF }

context 'account is already verified' do
let(:user) do
create(
:profile, :active, :verified, proofing_components: { liveness_check: true }
).user
end
context 'account is already verified' do
let(:user) do
create(
:profile, :active, :verified, proofing_components: { liveness_check: true }
).user
end

it 'redirects to the redirect_uri immediately when pii is unlocked' do
IdentityLinker.new(user, service_provider).link_identity(ial: 3)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
allow(controller).to receive(:pii_requested_but_locked?).and_return(false)
action
it 'redirects to the redirect_uri immediately when pii is unlocked' do
IdentityLinker.new(user, service_provider).link_identity(ial: 3)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
allow(controller).to receive(:pii_requested_but_locked?).and_return(false)
action

expect(response).to redirect_to(/^#{params[:redirect_uri]}/)
end
expect(response).to redirect_to(/^#{params[:redirect_uri]}/)
end

it 'redirects to the password capture url when pii is locked' do
IdentityLinker.new(user, service_provider).link_identity(ial: 3)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
allow(controller).to receive(:pii_requested_but_locked?).and_return(true)
action
it 'redirects to the password capture url when pii is locked' do
IdentityLinker.new(user, service_provider).link_identity(ial: 3)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
allow(controller).to receive(:pii_requested_but_locked?).and_return(true)
action

expect(response).to redirect_to(capture_password_url)
end
expect(response).to redirect_to(capture_password_url)
end

it 'tracks IAL2 authentication event' do
stub_analytics
expect(@analytics).to receive(:track_event).
with('OpenID Connect: authorization request',
success: true,
client_id: client_id,
prompt: 'select_account',
referer: nil,
user_sp_authorized: true,
allow_prompt_login: true,
errors: {},
unauthorized_scope: false,
user_fully_authenticated: true,
acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
scope: 'openid profile',
code_digest: kind_of(String))
expect(@analytics).to receive(:track_event).
with(
'SP redirect initiated',
ial: 0,
billed_ial: 2,
)

IdentityLinker.new(user, service_provider).link_identity(ial: 2)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
it 'tracks IAL2 authentication event' do
stub_analytics
expect(@analytics).to receive(:track_event).
with('OpenID Connect: authorization request',
success: true,
client_id: client_id,
prompt: 'select_account',
referer: nil,
user_sp_authorized: true,
allow_prompt_login: true,
errors: {},
unauthorized_scope: false,
user_fully_authenticated: true,
acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
scope: 'openid profile',
code_digest: kind_of(String))
expect(@analytics).to receive(:track_event).
with(
'SP redirect initiated',
ial: 0,
billed_ial: 2,
)
allow(controller).to receive(:pii_requested_but_locked?).and_return(false)
action

sp_return_log = SpReturnLog.find_by(issuer: client_id)
expect(sp_return_log.ial).to eq(2)
end
IdentityLinker.new(user, service_provider).link_identity(ial: 2)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
allow(controller).to receive(:pii_requested_but_locked?).and_return(false)
action

sp_return_log = SpReturnLog.find_by(issuer: client_id)
expect(sp_return_log.ial).to eq(2)
end
end

context 'account is not already verified' do
it 'redirects to the redirect_uri immediately without proofing' do
IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
context 'account is not already verified' do
it 'redirects to the redirect_uri immediately without proofing' do
IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)

action
expect(response).to redirect_to(/^#{params[:redirect_uri]}/)
end
action
expect(response).to redirect_to(/^#{params[:redirect_uri]}/)
end

it 'tracks IAL1 authentication event' do
stub_analytics
expect(@analytics).to receive(:track_event).
with('OpenID Connect: authorization request',
success: true,
client_id: client_id,
prompt: 'select_account',
referer: nil,
user_sp_authorized: true,
allow_prompt_login: true,
errors: {},
unauthorized_scope: false,
user_fully_authenticated: true,
acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
scope: 'openid profile',
code_digest: kind_of(String))
expect(@analytics).to receive(:track_event).
with(
'SP redirect initiated',
ial: 0,
billed_ial: 1,
)

IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
it 'tracks IAL1 authentication event' do
stub_analytics
expect(@analytics).to receive(:track_event).
with('OpenID Connect: authorization request',
success: true,
client_id: client_id,
prompt: 'select_account',
referer: nil,
user_sp_authorized: true,
allow_prompt_login: true,
errors: {},
unauthorized_scope: false,
user_fully_authenticated: true,
acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
scope: 'openid profile',
code_digest: kind_of(String))
expect(@analytics).to receive(:track_event).
with(
'SP redirect initiated',
ial: 0,
billed_ial: 1,
)
action

sp_return_log = SpReturnLog.find_by(issuer: client_id)
expect(sp_return_log.ial).to eq(1)
end
IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
action

sp_return_log = SpReturnLog.find_by(issuer: client_id)
expect(sp_return_log.ial).to eq(1)
end
end

context 'profile is reset' do
let(:user) { create(:profile, :verified, :password_reset).user }
context 'profile is reset' do
let(:user) { create(:profile, :verified, :password_reset).user }

it 'redirects to the redirect_uri immediately without proofing' do
IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
it 'redirects to the redirect_uri immediately without proofing' do
IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)

action
expect(response).to redirect_to(/^#{params[:redirect_uri]}/)
end
action
expect(response).to redirect_to(/^#{params[:redirect_uri]}/)
end

it 'tracks IAL1 authentication event' do
stub_analytics
expect(@analytics).to receive(:track_event).
with('OpenID Connect: authorization request',
success: true,
client_id: client_id,
prompt: 'select_account',
referer: nil,
user_sp_authorized: true,
allow_prompt_login: true,
errors: {},
unauthorized_scope: false,
user_fully_authenticated: true,
acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
scope: 'openid profile',
code_digest: kind_of(String))
expect(@analytics).to receive(:track_event).
with(
'SP redirect initiated',
ial: 0,
billed_ial: 1,
)

IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
it 'tracks IAL1 authentication event' do
stub_analytics
expect(@analytics).to receive(:track_event).
with('OpenID Connect: authorization request',
success: true,
client_id: client_id,
prompt: 'select_account',
referer: nil,
user_sp_authorized: true,
allow_prompt_login: true,
errors: {},
unauthorized_scope: false,
user_fully_authenticated: true,
acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
scope: 'openid profile',
code_digest: kind_of(String))
expect(@analytics).to receive(:track_event).
with(
'SP redirect initiated',
ial: 0,
billed_ial: 1,
)
action

sp_return_log = SpReturnLog.find_by(issuer: client_id)
expect(sp_return_log.ial).to eq(1)
end
IdentityLinker.new(user, service_provider).link_identity(ial: 1)
user.identities.last.update!(
verified_attributes: %w[given_name family_name birthdate verified_at],
)
action

sp_return_log = SpReturnLog.find_by(issuer: client_id)
expect(sp_return_log.ial).to eq(1)
end
end
end
Expand Down Expand Up @@ -470,24 +465,6 @@
end
end

context 'ialmax requested when service provider is not in allowlist' do
before do
params[:acr_values] = Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF
end

it 'redirect the user' do
action

expect(response).to redirect_to(/^#{params[:redirect_uri]}/)

redirect_params = UriService.params(response.location)

expect(redirect_params[:error]).to eq('invalid_request')
expect(redirect_params[:error_description]).to be_present
expect(redirect_params[:state]).to eq(params[:state])
end
end

it 'redirects to SP landing page with the request_id in the params' do
action
sp_request_id = ServiceProviderRequestProxy.last.uuid
Expand Down
Loading