Class: SAML::PostURLService

Inherits:
URLService
Includes:
SentryLogging
Defined in:
lib/saml/post_url_service.rb

Overview

This class is responsible for providing the requests for the various SSO and SLO endpoints. It provides a similar interface to URLService, but for most endpoints it returns an SSO URL and form request parameters for use in a SAML POST submission, instead of a self-contained redirect URL.

See Also:

Constant Summary

Constants inherited from URLService

URLService::BROKER_CODE, URLService::LOGIN_REDIRECT_PARTIAL, URLService::LOGOUT_REDIRECT_PARTIAL, URLService::MOBILE_CLIENT_ID, URLService::TERMS_OF_USE_DECLINED_PATH, URLService::TERMS_OF_USE_ENABLED_CLIENTS, URLService::UNIFIED_SIGN_IN_CLIENTS, URLService::VIRTUAL_HOST_MAPPINGS, URLService::WEB_CLIENT_ID

Instance Attribute Summary

Attributes inherited from URLService

#authn_context, #query_params, #saml_settings, #session, #tracker, #type, #user

Instance Method Summary

Methods included from SentryLogging

#log_exception_to_sentry, #log_message_to_sentry, #non_nil_hash?, #normalize_level, #rails_logger

Methods inherited from URLService

#base_redirect_url, #callback_verify_url, #custom_url, #idme_signup_url, #login_url, #logingov_signup_url, #mfa_url, #slo_url, #verify_url

Constructor Details

#initialize(saml_settings, session: nil, user: nil, params: {}, loa3_context: LOA::IDME_LOA3_VETS) ⇒ PostURLService

Returns a new instance of PostURLService.



# File 'lib/saml/post_url_service.rb', line 17

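# Builds the service for a single SSO/SLO request.
#
# @param saml_settings [Object] SAML settings kept on @saml_settings for the URL helpers
# @param session [Object, nil] current session; when present, @session, @user and
#   @authn_context are populated from it
# @param user [Object, nil] current user, only recorded when a session is present
# @param params [Hash] request params; :action must be one of the supported SAML
#   actions, :path is reported on a routing failure, and :RelayState is read for
#   saml_callback requests
# @param loa3_context [String] authn context used for LOA3 flows (stored on @loa3_context)
# @raise [Common::Exceptions::RoutingError] when params[:action] is not a supported action
# @raise [JSON::ParserError] when a saml_callback RelayState is not valid JSON
def initialize(saml_settings, session: nil, user: nil, params: {}, loa3_context: LOA::IDME_LOA3_VETS)
  unless %w[new saml_callback saml_logout_callback ssoe_slo_callback].include?(params[:action])
    raise Common::Exceptions::RoutingError, params[:path]
  end

  if session.present?
    @session = session
    @user = user
    @authn_context = user&.authn_context
  end

  @saml_settings = saml_settings
  @loa3_context = loa3_context

  # RelayState comes back from the IdP as a separate form field rather than as part
  # of the signed assertion, so it is treated as untrusted input: 'type' is only read
  # when the decoded payload is a JSON object. A JSON array or number would otherwise
  # raise TypeError on the `['type']` lookup, and @type must not be used on its own
  # for any authorization decision.
  if params[:action] == 'saml_callback' && params[:RelayState].present?
    relay_state = JSON.parse(CGI.unescapeHTML(params[:RelayState]))
    @type = relay_state['type'] if relay_state.is_a?(Hash)
  end
  @query_params = {}
  @tracker = initialize_tracker(params)

  Raven.extra_context(params:)
  Raven.user_context(session:, user:)
end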

Instance Method Details

#login_redirect_url(auth: 'success', code: nil, request_id: nil) ⇒ Object



# File 'lib/saml/post_url_service.rb', line 41

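# URL the front end is sent to once the SAML login flow has finished.
#
# @param auth [String] authentication outcome; 'success' or a failure value
# @param code [String, nil] value forwarded to set_query_params (an error code, by name)
# @param request_id [String, nil] value forwarded to set_query_params
# @return [Object] client_redirect_target when login succeeded and the tracker
#   carries a redirect, otherwise the relay URL (or base redirect + LOGIN_REDIRECT_PARTIAL)
#   with query_params appended by add_query
def login_redirect_url(auth: 'success', code: nil, request_id: nil)
  # @tracker is nil-safe below, so it is treated as nil-safe here as well; nil.present?
  # is false and the method falls through to the query-string redirect.
  return client_redirect_target if auth == 'success' && @tracker&.payload_attr(:redirect).present?

  # if the original auth request was an inbound ssoe autologin (type custom)
  # and authentication failed, set 'force-needed' so the FE can silently fail
  # authentication and NOT show the user an error page
  auth = 'force-needed' if auth != 'success' && @tracker&.payload_attr(:type) == 'custom'
  set_query_params(auth, code, request_id)

  if Settings.saml_ssoe.relay.present?
    add_query(Settings.saml_ssoe.relay, query_params)
  else
    add_query("#{base_redirect_url}#{LOGIN_REDIRECT_PARTIAL}", query_params)
  end
end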

#logout_redirect_url ⇒ Object



# File 'lib/saml/post_url_service.rb', line 57

# Front-end destination after a completed logout: the base redirect URL followed
# by LOGOUT_REDIRECT_PARTIAL.
#
# @return [String] the logout redirect URL
def logout_redirect_url
  [base_redirect_url, LOGOUT_REDIRECT_PARTIAL].join
end

#ssoe_slo_url ⇒ Object

Logout URL for SSOe.



# File 'lib/saml/post_url_service.rb', line 75

# Logout URL for SSOe, taken from the saml_ssoe section of Settings.
#
# @return [Object] Settings.saml_ssoe.logout_url as configured
def ssoe_slo_url
  ssoe_settings = Settings.saml_ssoe
  ssoe_settings.logout_url
end

#terms_of_use_redirect_url ⇒ Object



# File 'lib/saml/post_url_service.rb', line 65

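# Post-login redirect that routes through the terms-of-use page when the requesting
# client is one of TERMS_OF_USE_ENABLED_CLIENTS.
#
# @return [Object] the terms-of-use URL with the post-login destination carried in
#   `redirect_url` for enabled clients, otherwise the plain login redirect URL
def terms_of_use_redirect_url
  # 'vaweb' is assumed when the tracker has no application recorded
  application = @tracker&.payload_attr(:application) || 'vaweb'
  return login_redirect_url unless TERMS_OF_USE_ENABLED_CLIENTS.include?(application)

  # NOTE(review): the rendered source dropped the identifier used for both the
  # fallback return and the redirect_url value; login_redirect_url matches the
  # method summary — confirm against the repository file.
  add_query(terms_of_use_url, { redirect_url: login_redirect_url })
end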

#tou_declined_logout_redirect_url ⇒ Object



# File 'lib/saml/post_url_service.rb', line 61

# Destination used when the user declines the terms of use: the base redirect URL
# followed by TERMS_OF_USE_DECLINED_PATH.
#
# @return [String] the declined-terms logout redirect URL
def tou_declined_logout_redirect_url
  format('%<base>s%<path>s', base: base_redirect_url, path: TERMS_OF_USE_DECLINED_PATH)
end