Class: SAML::UserAttributes::SSOe

Inherits:

Object

• Object
• SAML::UserAttributes::SSOe

Includes:

Identity::Parsers::GCIds, SentryLogging

Defined in:

lib/saml/user_attributes/ssoe.rb

Constant Summary

SERIALIZABLE_ATTRIBUTES =

%i[email first_name middle_name last_name gender ssn birth_date
uuid idme_uuid logingov_uuid verified_at sec_id mhv_icn
mhv_correlation_id mhv_account_type edipi loa sign_in multifactor icn].freeze

INBOUND_AUTHN_CONTEXT =

'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'

Constants included from Identity::Parsers::GCIdsConstants

Identity::Parsers::GCIdsConstants::ACTIVE_MHV_IDS_REGEX, Identity::Parsers::GCIdsConstants::BIRLS_IDS_REGEX, Identity::Parsers::GCIdsConstants::CERNER_FACILITY_IDS_REGEX, Identity::Parsers::GCIdsConstants::CERNER_ID_REGEX, Identity::Parsers::GCIdsConstants::DOD_ROOT_OID, Identity::Parsers::GCIdsConstants::EDIPI_REGEX, Identity::Parsers::GCIdsConstants::ICN_ASSIGNING_AUTHORITY_ID, Identity::Parsers::GCIdsConstants::ICN_REGEX, Identity::Parsers::GCIdsConstants::IDENTIFIERS_SPLIT_TOKEN, Identity::Parsers::GCIdsConstants::IDME_ID_REGEX, Identity::Parsers::GCIdsConstants::IDS_SPLIT_TOKEN, Identity::Parsers::GCIdsConstants::ID_MAPPINGS, Identity::Parsers::GCIdsConstants::LOGINGOV_ID_REGEX, Identity::Parsers::GCIdsConstants::MHV_IDS_REGEX, Identity::Parsers::GCIdsConstants::MHV_IEN_REGEX, Identity::Parsers::GCIdsConstants::PERMANENT_ICN_REGEX, Identity::Parsers::GCIdsConstants::SEC_ID_REGEX, Identity::Parsers::GCIdsConstants::VA_ROOT_OID, Identity::Parsers::GCIdsConstants::VBA_CORP_ID_REGEX, Identity::Parsers::GCIdsConstants::VET360_ID_REGEX, Identity::Parsers::GCIdsConstants::VHA_FACILITY_IDS_REGEX

Instance Attribute Summary

• #attributes ⇒ Object readonly

  Returns the value of attribute attributes.

• #authn_context ⇒ Object readonly

  Returns the value of attribute authn_context.

• #tracker_uuid ⇒ Object readonly

  Returns the value of attribute tracker_uuid.

• #warnings ⇒ Object readonly

  Returns the value of attribute warnings.

Instance Method Summary

• #account_type ⇒ Object
• #birth_date ⇒ Object
• #dslogon_account_type ⇒ Object
• #dslogon_loa_highest ⇒ Object
• #edipi ⇒ Object
• #email ⇒ Object
• #first_name ⇒ Object

  Personal attributes.

• #gender ⇒ Object
• #icn ⇒ Object
• #idme_uuid ⇒ Object
• #initialize(saml_attributes, authn_context, tracker_uuid) ⇒ SSOe constructor

  A new instance of SSOe.

• #last_name ⇒ Object
• #loa ⇒ Object
• #loa_current ⇒ Object

  va_eauth_credentialassurancelevel is supposed to roll up the federated assurance level from credential provider and broker.

• #loa_highest ⇒ Object

  This is the ID.me highest level of assurance attained.

• #logingov_uuid ⇒ Object
• #mhv_account_type ⇒ Object
• #mhv_correlation_id ⇒ Object
• #mhv_icn ⇒ Object
• #mhv_loa_highest ⇒ Object
• #middle_name ⇒ Object
• #multifactor ⇒ Object
• #needs_csp_id_mpi_update? ⇒ Boolean
• #sec_id ⇒ Object
• #sign_in ⇒ Object
• #ssn ⇒ Object

  This attribute may sometimes be TIN, Patient identifier, etc.

• #to_hash ⇒ Object
• #transactionid ⇒ Object
• #uuid ⇒ Object

  Identifiers.

• #validate! ⇒ Object

  Raise any fatal exceptions due to validation issues.

• #verified_at ⇒ Object

  only applies to Login.gov IAL2 verification used to automatically upcert IAL1 users without additional service calls.

• #vha_facility_hash ⇒ Object
• #vha_facility_ids ⇒ Object

Methods included from Identity::Parsers::GCIds

#parse_string_gcids, #parse_xml_gcids

Methods included from Identity::Parsers::GCIdsHelper

#sanitize_edipi, #sanitize_id, #sanitize_id_array

Methods included from SentryLogging

#log_exception_to_sentry, #log_message_to_sentry, #non_nil_hash?, #normalize_level, #rails_logger

Constructor Details

#initialize(saml_attributes, authn_context, tracker_uuid) ⇒ SSOe

Returns a new instance of SSOe.

# File 'lib/saml/user_attributes/ssoe.rb', line 19

def initialize(saml_attributes, authn_context, tracker_uuid)
  @attributes = saml_attributes # never default this to {}
  @authn_context = authn_context
  @tracker_uuid = tracker_uuid
  @warnings = []
end

Instance Attribute Details

#attributes ⇒ Object (readonly)

Returns the value of attribute attributes.

# File 'lib/saml/user_attributes/ssoe.rb', line 17

def attributes
  @attributes
end

#authn_context ⇒ Object (readonly)

Returns the value of attribute authn_context.

# File 'lib/saml/user_attributes/ssoe.rb', line 17

def authn_context
  @authn_context
end

#tracker_uuid ⇒ Object (readonly)

Returns the value of attribute tracker_uuid.

# File 'lib/saml/user_attributes/ssoe.rb', line 17

def tracker_uuid
  @tracker_uuid
end

#warnings ⇒ Object (readonly)

Returns the value of attribute warnings.

# File 'lib/saml/user_attributes/ssoe.rb', line 17

def warnings
  @warnings
end

Instance Method Details

#account_type ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 167

def account_type
  result = mhv_account_type
  result ||= dslogon_account_type
  result ||= 'N/A'
  result
end

#birth_date ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 54

def birth_date
  bd = safe_attr('va_eauth_birthDate_v1')
  begin
    Date.parse(bd).strftime('%Y-%m-%d')
  rescue TypeError, ArgumentError
    nil
  end
end

#dslogon_account_type ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 116

def dslogon_account_type
  safe_attr('va_eauth_dslogonassurance')
end

#dslogon_loa_highest ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 146

def dslogon_loa_highest
  dslogon_assurance = dslogon_account_type
  LOA::DSLOGON_PREMIUM_VERIFIED.include?(dslogon_assurance) ? 3 : nil
end

#edipi ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 120

def edipi
  edipi_ids[:edipi]
end

#email ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 63

def email
  safe_attr('va_eauth_emailaddress')
end

#first_name ⇒ Object

Personal attributes

# File 'lib/saml/user_attributes/ssoe.rb', line 27

def first_name
  safe_attr('va_eauth_firstname')
end

#gender ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 43

def gender
  gender = safe_attr('va_eauth_gender')&.chars&.first&.upcase
  %w[M F].include?(gender) ? gender : nil
end

#icn ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 39

def icn
  mvi_ids[:icn]
end

#idme_uuid ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 82

def idme_uuid
  return safe_attr('va_eauth_uid') if csid == SAML::User::IDME_CSID

  mvi_ids[:idme_id]
end

#last_name ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 35

def last_name
  safe_attr('va_eauth_lastname')
end

#loa ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 174

def loa
  { current: loa_current, highest: [loa_current, loa_highest].max }
end

#loa_current ⇒ Object

va_eauth_credentialassurancelevel is supposed to roll up the federated assurance level from credential provider and broker. It is currently returning a value of “2” for DSLogon level 2 so we are interpreting any value greater than 1 as “LOA 3”.

# File 'lib/saml/user_attributes/ssoe.rb', line 128

def loa_current
  assurance =
    if csid == 'logingov'
      safe_attr('va_eauth_ial')&.to_i
    else
      safe_attr('va_eauth_credentialassurancelevel')&.to_i
    end
  @loa_current ||= assurance.present? && assurance > 1 ? 3 : 1
rescue NoMethodError, KeyError => e
  @warnings << "loa_current error: #{e.message}"
  @loa_current = 1
end

#loa_highest ⇒ Object

This is the ID.me highest level of assurance attained

# File 'lib/saml/user_attributes/ssoe.rb', line 152

def loa_highest
  result = mhv_loa_highest
  result ||= dslogon_loa_highest
  result ||= %w[2 classic_loa3].include?(safe_attr('va_eauth_ial_idme_highest')) ? 3 : 1
  result
end

#logingov_uuid ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 88

def logingov_uuid
  return safe_attr('va_eauth_uid') if csid == SAML::User::LOGINGOV_CSID

  mvi_ids[:logingov_id]
end

#mhv_account_type ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 112

def mhv_account_type
  safe_attr('va_eauth_mhvassurance')
end

#mhv_correlation_id ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 108

def mhv_correlation_id
  safe_attr('va_eauth_mhvuuid') || mvi_ids[:mhv_ien]
end

#mhv_icn ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 104

def mhv_icn
  safe_attr('va_eauth_icn')
end

#mhv_loa_highest ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 141

def mhv_loa_highest
  mhv_assurance = mhv_account_type
  LOA::MHV_PREMIUM_VERIFIED.include?(mhv_assurance) ? 3 : nil
end

#middle_name ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 31

def middle_name
  safe_attr('va_eauth_middlename')
end

#multifactor ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 159

def multifactor
  if csid == SAML::User::LOGINGOV_CSID
    safe_attr('va_eauth_aal') == AAL::TWO
  else
    safe_attr('va_eauth_multifactor')&.downcase == 'true'
  end
end

#needs_csp_id_mpi_update? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/saml/user_attributes/ssoe.rb', line 199

def needs_csp_id_mpi_update?
  idme_uuid == safe_attr('va_eauth_uid') && mvi_ids[:idme_id].blank?
end

#sec_id ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 100

def sec_id
  safe_attr('va_eauth_secid')
end

#sign_in ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 190

def sign_in
  sign_in = if authn_context == INBOUND_AUTHN_CONTEXT
              { service_name: csid }
            else
              SAML::User::AUTHN_CONTEXTS.fetch(authn_context).fetch(:sign_in)
            end
  sign_in.merge(account_type:, auth_broker: SAML::URLService::BROKER_CODE)
end

#ssn ⇒ Object

This attribute may sometimes be TIN, Patient identifier, etc. It is not guaranteed to be a SSN

# File 'lib/saml/user_attributes/ssoe.rb', line 50

def ssn
  safe_attr('va_eauth_pnid')&.delete('-') if safe_attr('va_eauth_pnidtype') == 'SSN'
end

#to_hash ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 203

def to_hash
  SERIALIZABLE_ATTRIBUTES.index_with { |k| send(k) }.merge(authn_context:)
end

#transactionid ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 178

def transactionid
  safe_attr('va_eauth_transactionid')
end

#uuid ⇒ Object

Identifiers

Raises:

• (Common::Exceptions::InvalidResource)

# File 'lib/saml/user_attributes/ssoe.rb', line 68

def uuid
  return idme_uuid if idme_uuid
  return logingov_uuid if logingov_uuid
  # The sec_id is not a UUID, and while unique this has a potential to cause issues
  # in downstream processes that are expecting a user UUID to be 32 bytes. For
  # example, if there is a log filtering process that was striping out any 32 byte
  # id, an 10 byte sec id would be missed. Using a one way UUID hash, will convert
  # the sec id to a 32 byte unique identifier so that any downstream processes will
  # will treat it exactly the same as a typical 32 byte ID.me identifier.
  return Digest::UUID.uuid_v3('sec-id', sec_id).tr('-', '') if sec_id

  raise Common::Exceptions::InvalidResource, @attributes
end

#validate! ⇒ Object

Raise any fatal exceptions due to validation issues

# File 'lib/saml/user_attributes/ssoe.rb', line 208

def validate!
  multiple_id_validations
  if should_raise_missing_uuid_error
    data = SAML::UserAttributeError::ERRORS[:uuid_missing]
    raise SAML::UserAttributeError.new(code: data[:code],
                                       message: data[:message],
                                       tag: data[:tag],
                                       identifier: mhv_icn)
  end
end

#verified_at ⇒ Object

only applies to Login.gov IAL2 verification used to automatically upcert IAL1 users without additional service calls

# File 'lib/saml/user_attributes/ssoe.rb', line 96

def verified_at
  safe_attr('va_eauth_verifiedAt')
end

#vha_facility_hash ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 186

def vha_facility_hash
  mvi_ids[:vha_facility_hash]
end

#vha_facility_ids ⇒ Object

# File 'lib/saml/user_attributes/ssoe.rb', line 182

def vha_facility_ids
  mvi_ids[:vha_facility_ids]
end