Class: SignIn::CredentialLevelCreator

Inherits:

Object

• Object
• SignIn::CredentialLevelCreator

Defined in:

app/services/sign_in/credential_level_creator.rb

Instance Attribute Summary

• #credential_ial ⇒ Object readonly

  Returns the value of attribute credential_ial.

• #credential_uuid ⇒ Object readonly

  Returns the value of attribute credential_uuid.

• #dslogon_assurance ⇒ Object readonly

  Returns the value of attribute dslogon_assurance.

• #level_of_assurance ⇒ Object readonly

  Returns the value of attribute level_of_assurance.

• #logingov_acr ⇒ Object readonly

  Returns the value of attribute logingov_acr.

• #mhv_assurance ⇒ Object readonly

  Returns the value of attribute mhv_assurance.

• #requested_acr ⇒ Object readonly

  Returns the value of attribute requested_acr.

• #type ⇒ Object readonly

  Returns the value of attribute type.

• #verified_at ⇒ Object readonly

  Returns the value of attribute verified_at.

Instance Method Summary

• #auto_uplevel ⇒ Object private
• #check_required_verification_level ⇒ Object private
• #create_credential_level ⇒ Object private
• #current_ial ⇒ Object private
• #initialize(requested_acr:, type:, logingov_acr:, user_info:) ⇒ CredentialLevelCreator constructor

  A new instance of CredentialLevelCreator.

• #max_ial ⇒ Object private
• #perform ⇒ Object
• #previously_verified?(identifier_type) ⇒ Boolean private
• #raise_unverified_credential_blocked_error(code:) ⇒ Object private
• #requested_verified_account? ⇒ Boolean private
• #unverified_account_with_forced_verification? ⇒ Boolean private
• #verified_ial_level(verified) ⇒ Object private

Constructor Details

#initialize(requested_acr:, type:, logingov_acr:, user_info:) ⇒ CredentialLevelCreator

Returns a new instance of CredentialLevelCreator.

# File 'app/services/sign_in/credential_level_creator.rb', line 15

def initialize(requested_acr:, type:, logingov_acr:, user_info:)
  @requested_acr = requested_acr
  @type = type
  @logingov_acr = logingov_acr
  @verified_at = user_info.verified_at
  @mhv_assurance = user_info.mhv_assurance
  @dslogon_assurance = user_info.dslogon_assurance
  @level_of_assurance = user_info.level_of_assurance
  @credential_ial = user_info.credential_ial
  @credential_uuid = user_info.sub
end

Instance Attribute Details

#credential_ial ⇒ Object (readonly)

Returns the value of attribute credential_ial.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def credential_ial
  @credential_ial
end

#credential_uuid ⇒ Object (readonly)

Returns the value of attribute credential_uuid.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def credential_uuid
  @credential_uuid
end

#dslogon_assurance ⇒ Object (readonly)

Returns the value of attribute dslogon_assurance.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def dslogon_assurance
  @dslogon_assurance
end

#level_of_assurance ⇒ Object (readonly)

Returns the value of attribute level_of_assurance.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def level_of_assurance
  @level_of_assurance
end

#logingov_acr ⇒ Object (readonly)

Returns the value of attribute logingov_acr.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def logingov_acr
  @logingov_acr
end

#mhv_assurance ⇒ Object (readonly)

Returns the value of attribute mhv_assurance.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def mhv_assurance
  @mhv_assurance
end

#requested_acr ⇒ Object (readonly)

Returns the value of attribute requested_acr.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def requested_acr
  @requested_acr
end

#type ⇒ Object (readonly)

Returns the value of attribute type.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def type
  @type
end

#verified_at ⇒ Object (readonly)

Returns the value of attribute verified_at.

# File 'app/services/sign_in/credential_level_creator.rb', line 5

def verified_at
  @verified_at
end

Instance Method Details

#auto_uplevel ⇒ Object (private)

# File 'app/services/sign_in/credential_level_creator.rb', line 109

def auto_uplevel
  case type
  when Constants::Auth::LOGINGOV
    logingov_acr != Constants::Auth::LOGIN_GOV_IAL2 && previously_verified?(:logingov_uuid)
  when Constants::Auth::IDME
    credential_ial != Constants::Auth::IDME_CLASSIC_LOA3 && previously_verified?(:idme_uuid)
  else
    false
  end
end

#check_required_verification_level ⇒ Object (private)

# File 'app/services/sign_in/credential_level_creator.rb', line 34

def check_required_verification_level
  if unverified_account_with_forced_verification?
    case type
    when Constants::Auth::MHV
      raise_unverified_credential_blocked_error(code: Constants::ErrorCode::MHV_UNVERIFIED_BLOCKED)
    else
      raise_unverified_credential_blocked_error(code: Constants::ErrorCode::GENERIC_EXTERNAL_ISSUE)
    end
  end
end

#create_credential_level ⇒ Object (private)

# File 'app/services/sign_in/credential_level_creator.rb', line 51

def create_credential_level
  CredentialLevel.new(requested_acr:,
                      credential_type: type,
                      current_ial:,
                      max_ial:,
                      auto_uplevel:)
rescue ActiveModel::ValidationError
  raise Errors::InvalidCredentialLevelError.new message: 'Unsupported credential authorization levels'
end

#current_ial ⇒ Object (private)

# File 'app/services/sign_in/credential_level_creator.rb', line 76

def current_ial
  case type
  when Constants::Auth::LOGINGOV
    verified_ial_level(logingov_acr == Constants::Auth::LOGIN_GOV_IAL2 || previously_verified?(:logingov_uuid))
  when Constants::Auth::MHV
    verified_ial_level(requested_verified_account? && Constants::Auth::MHV_PREMIUM_VERIFIED.include?(mhv_assurance))
  when Constants::Auth::DSLOGON
    verified_ial_level(requested_verified_account? &&
                       Constants::Auth::DSLOGON_PREMIUM_VERIFIED.include?(dslogon_assurance))
  else
    verified_ial_level(credential_ial == Constants::Auth::IDME_CLASSIC_LOA3 || previously_verified?(:idme_uuid))
  end
end

#max_ial ⇒ Object (private)

# File 'app/services/sign_in/credential_level_creator.rb', line 61

def max_ial
  case type
  when Constants::Auth::LOGINGOV
    verified_ial_level(verified_at)
  when Constants::Auth::MHV
    verified_ial_level(Constants::Auth::MHV_PREMIUM_VERIFIED.include?(mhv_assurance))
  when Constants::Auth::DSLOGON
    Rails.logger.info("[CredentialLevelCreator] DSLogon level of assurance: #{dslogon_assurance}, " \
                      "credential_uuid: #{credential_uuid}")
    verified_ial_level(Constants::Auth::DSLOGON_PREMIUM_VERIFIED.include?(dslogon_assurance))
  else
    verified_ial_level(level_of_assurance == Constants::Auth::LOA_THREE)
  end
end

#perform ⇒ Object

# File 'app/services/sign_in/credential_level_creator.rb', line 27

def perform
  check_required_verification_level
  create_credential_level
end

#previously_verified?(identifier_type) ⇒ Boolean (private)

Returns:

• (Boolean)

# File 'app/services/sign_in/credential_level_creator.rb', line 102

def previously_verified?(identifier_type)
  return false unless Settings.sign_in.auto_uplevel && requested_verified_account?

  user_verification = UserVerification.find_by(identifier_type => credential_uuid)
  user_verification&.verified?
end

#raise_unverified_credential_blocked_error(code:) ⇒ Object (private)

Raises:

• (Errors::UnverifiedCredentialBlockedError)

# File 'app/services/sign_in/credential_level_creator.rb', line 45

def raise_unverified_credential_blocked_error(code:)
  raise Errors::UnverifiedCredentialBlockedError.new(
    message: 'Unverified credential for authorization requiring verified credential', code:
  )
end

#requested_verified_account? ⇒ Boolean (private)

Returns:

• (Boolean)

# File 'app/services/sign_in/credential_level_creator.rb', line 94

def requested_verified_account?
  [Constants::Auth::IAL2, Constants::Auth::LOA3, Constants::Auth::MIN].include?(requested_acr)
end

#unverified_account_with_forced_verification? ⇒ Boolean (private)

Returns:

• (Boolean)

# File 'app/services/sign_in/credential_level_creator.rb', line 98

def unverified_account_with_forced_verification?
  [Constants::Auth::IAL2, Constants::Auth::LOA3].include?(requested_acr) && current_ial < Constants::Auth::IAL_TWO
end

#verified_ial_level(verified) ⇒ Object (private)

# File 'app/services/sign_in/credential_level_creator.rb', line 90

def verified_ial_level(verified)
  verified ? Constants::Auth::IAL_TWO : Constants::Auth::IAL_ONE
end