feat: LG13235 consume eipp data from sinatra

[KeithNava]

Adding the ability to pull Enhanced IPP from the VTR parameter

🎫 Ticket

Link to the relevant ticket:
LG-13235

🛠 Summary of changes

Allow the application to recognize the Enhanced In Person Proofing flow coming from the Vector of Trust request (VTR) parameter by introducing a new value of Pe which represents the Enhanced Proofing component.

📜 Testing Plan

Most of the confirmation is done through the spec tests but the follow on ticket to actually enable the passing of the values from the Sinatra application would be the true end to end test -> https://cm-jira.usa.gov/browse/LG-12858

[JackRyan1989]

LGTM

[svalexander]

what does Pe mean here?

[KeithNava]

"Proofing Enhanced?" 😆 I really put it out there for feedback. I initially had it as "P2" since it was a step up from the P1 component. I'm really happy to change it to whatever is more intuitive though.

[svalexander]

ahh ok, I wonder what the convention was here? It isn't obvious to me what any of the other names in the file mean either.

[jmhooper]

I don't think that P2 is the way to go. This isn't necessarily as step up from the base proofing experience since it is scoped to in-person. For the same reason proofing with a biometric was named Pb instead of P2.

The naming convention for vectors of trust is described in [RFC 8485]. They are an upper-case letter followed by a lower-case letter or a number.

[svalexander]

also what does P1 signify?

[KeithNava]

I was understanding the "P" to signify proofing related components and "1" was because it was the initial component in the proofing category...I could be wrong though 😅

[svalexander]

hmm ok, i guess i wonder what implied_component_values is supposed to be? This file is totally new to me

[gina-yamada]

The description in this PR is super helpful!

The P component represents identity proofing. It contains the following values:
1: Identity proofing is performed

[gina-yamada]

@KeithNava I started to set up the Sinatra app side. I am testing with your branch. Can you add enhanced_ipp_required to the Service Provider session on this branch? I am able to login with your branch (and not with main).

Update: I can see the vtr on your branch has Pe included when I sign in from my branch (yamada/LG-12858-EIPP-Option) after selected Enhance IPP.

[gina-yamada]

Nice work Keith! 👏 🥳

1. I got our branches to work together by adding to app/forms/openid_connect_authorize_form.rb this function:

def enhanced_ipp_required?
   parsed_vector_of_trust&.enhanced_ipp?
end

2. Not needed to work but I think we should add it to saml. app/models/federated_protocols/saml.rb

def enhanced_ipp_required?
   false
end

3. What do you think about moving enhanced_ipp_required on sp_session to be next to biometric_comparison_required? I think the acr values and vtr values are nice on the end. Only my preference so if you don't like it- ignore it.

[gina-yamada]

@KeithNava I am not sure what precautions are needed. I would ask to ensure you handled everything for a smooth deployment since you made some modifications.

[jmhooper]

What is this method doing on the authorization controller? I'm not sure I see where it is used.

[jmhooper]

We have been trying to get away from including these methods on the protocol classes or adding the to the session. This was the way we would forward along SP request requirements before we built the AuthnContextResolver and resolved them based on VTRs and ARC values downstream.

[jmhooper]

2 things here:

1. This is going to be problematic in the 50/50 state because this could get serialized to the session by a new instance and read from an old instance. That would result in an ArgumentError because the old instance will not know about this arg.

[jmhooper]

Looking back over this and I forgot to write out the second thing. How embarrassing. I believe I was going to describe here what I described in this comment: #10618 (comment)

[jmhooper]

This seems like an odd test-case here since PII being locked isn't necessarily related to enhanced in-person. I am not actually sure that we need changes to the authorization controller since its behavior should not change. It should continue forward the VTR along and we will operate on it downstream when we decide if we need enhanced in-person proofing.

[jmhooper]

It looks like this change is adding the enhanced_ipp_required to sp_session. We have actually been moving away from this pattern. Recently I actually merged a change to stop writing biometric_comparison_required in the session (ref). This was done for a few reasons:

1. It is difficult to keep in sync between ACR values and VTR with the code for determining what is required spread amongst other concerns
2. It doesn't work well with multiple vector of trust requests where the vector that is in-use can change over the course of a request
3. It makes adding and removing new requirements challenging because they SP request and SP session need to be modified and both introduce 50/50 state concerns

We should be able to introduce the Pe vector component and update the parser to return the requirement for enhance in-person. The VTR will be passed along into the SP session and the AuthnContextResolver will pick it up there. From there we can call resolved_authn_context_result.enhanced_ipp? without needing to make any changes to the SAML/OIDC interface code or the code that writes into the SP session.

[jmhooper]

This one looks like a good model implementation for what you need to do to add a new vector. Thank you @KeithNava!

[svalexander]

looks like there are just lint fixes that are needed to be able to merge this

[gina-yamada]

LGTM! 🥳 I tested your last commit with branch yamada/LG-12858-EIPP-Option and I can see vtr values C1.P1.Pb on sp_session.

@KeithNava Can you have this merged in before the next deployment? I cannot push my Sinatra PR in until this makes it into prod. Thanks

[KeithNava]

Thanks so much everyone! I learned a lot during this review, really appreciated all the feedback! 💯