Remove step up acr check

This commit is contained in:
zandercymatics 2024-05-16 13:18:45 -06:00
parent f3f1b896bb
commit bd7660de27
No known key found for this signature in database
GPG key ID: FF4636ABEC9682B7
3 changed files with 20 additions and 28 deletions


@ -85,7 +85,7 @@ class Client(oic.Client):
def create_authn_request(
self,
session,
add_acr=True,
do_biometric_auth=False,
extra_args=None,
):
"""Step 2: Construct a login URL at OP's domain and send the user to it."""
@ -103,10 +103,10 @@ class Client(oic.Client):
"nonce": session["nonce"],
"redirect_uri": self.registration_response["redirect_uris"][0],
}
if add_acr:
request_args["acr_values"] = self.behaviour.get("acr_value")
if do_biometric_auth:
self._set_args_for_biometric_auth_request(session, request_args)
else:
request_args["vtr"] = json.dumps(self.behaviour.get("vtr"))
request_args["acr_values"] = self.behaviour.get("acr_value")
if extra_args is not None:
request_args.update(extra_args)
@ -153,6 +153,12 @@ class Client(oic.Client):
return response
def _set_args_for_biometric_auth_request(self, session, request_args):
if "acr_value" in session:
session.pop("acr_value")
request_args["vtr"] = self.get_vtr_value()
request_args["vtm"] = self.get_vtm_value()
def callback(self, unparsed_response, session):
"""Step 3: Receive OP's response, request an access token, and user info."""
logger.debug("Processing the OpenID Connect callback response...")
@ -300,16 +306,12 @@ class Client(oic.Client):
this helper function is called from djangooidc views"""
return self.behaviour.get("acr_value")
def get_step_up_acr_value(self):
"""returns the step_up_acr_value from settings
this helper function is called from djangooidc views"""
return self.behaviour.get("step_up_acr_value")
def get_vtm_value(self):
return self.behaviour.get("vtm")
def get_vtr_value(self):
return self.behaviour.get("vtr")
def get_vtr_value(self, cleaned=True):
vtr = self.behaviour.get("vtr")
return json.dumps(vtr) if cleaned else vtr
def __repr__(self):
return "Client {} {} {}".format(
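Review bot: Nothing in `_set_args_for_biometric_auth_request` records which `vtr`/`vtm` was requested — it only pops `acr_value` from the session — while the callback side of this same commit tests merely that `vtm` and `vtr` are present in `userinfo`, so the client cannot tell whether the OP honoured the requested vector or returned a weaker one; keeping the requested value, e.g. `session["requested_vtr"] = request_args["vtr"]`, would let the callback compare against it. Separately, both `json.dumps(self.behaviour.get("vtr"))` in the `else` branch of `create_authn_request` and `get_vtr_value()` turn a missing `vtr` setting into the literal string `null` on the wire instead of failing closed, and `get_vtm_value()` likewise yields `None`; raising an explicit configuration error when either setting is absent would be safer, and the `else` branch should call `self.get_vtr_value()` rather than repeating the encoding. The `cleaned=True` flag on `get_vtr_value` actually means "JSON-encoded", so a name such as `json_encoded=True` would describe what it does. `create_authn_request` and `__repr__` both continue outside the hunk.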


@ -93,17 +93,11 @@ def login_callback(request):
userinfo = CLIENT.callback(query, request.session)
# test for need for identity verification and if it is satisfied
# if not satisfied, redirect user to login with stepped up acr_value
request.session["needs_biometric_validation"] = False
if _requires_step_up_auth(userinfo):
# add acr_value to request.session
if "acr_value" in request.session:
request.session.pop("acr_value")
extra_args = {
"vtm": CLIENT.get_vtm_value(),
}
request.session["needs_biometric_validation"] = True
print(f"session is: {request.session}")
return CLIENT.create_authn_request(request.session, add_acr=False, extra_args=extra_args)
needs_biometric_validation = _requires_biometric_auth(userinfo)
request.session["needs_biometric_validation"] = needs_biometric_validation
if needs_biometric_validation:
return CLIENT.create_authn_request(request.session, do_biometric_auth=True)
user = authenticate(request=request, **userinfo)
if user:
@ -145,14 +139,12 @@ def login_callback(request):
return error_page(request, err)
def _requires_step_up_auth(userinfo):
def _requires_biometric_auth(userinfo):
"""if User.needs_identity_verification and step_up_acr_value not in
ial returned from callback, return True"""
step_up_acr_value = CLIENT.get_step_up_acr_value()
acr_value = userinfo.get("ial", "")
uuid = userinfo.get("sub", "")
email = userinfo.get("email", "")
if acr_value != step_up_acr_value and (not userinfo.get("vtm") and not userinfo.get("vtr")):
if not userinfo.get("vtm") or not userinfo.get("vtr"):
# The acr of this attempt is not at the highest level
# so check if the user needs the higher level
return User.needs_identity_verification(email, uuid)