✨ [open-formulieren/open-forms#3950] Make eIDAS LoA independent of eH…

…erkenning
maykinmedia · Mar 13, 2024 · ed5a54f · ed5a54f
1 parent 0985701
commit ed5a54f
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 10 deletions.
diff --git a/digid_eherkenning/migrations/0008_update_loa_fields.py b/digid_eherkenning/migrations/0008_update_loa_fields.py
@@ -0,0 +1,73 @@
+# Generated by Django 4.2.10 on 2024-03-08 08:45
+
+from django.db import migrations, models
+
+import digid_eherkenning.choices
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "digid_eherkenning",
+            "0007_eherkenningconfiguration_service_description_url",
+        ),
+    ]
+
+    operations = [
+        migrations.RemoveConstraint(
+            model_name="eherkenningconfiguration",
+            name="valid_loa",
+        ),
+        migrations.RenameField(
+            model_name="eherkenningconfiguration",
+            old_name="loa",
+            new_name="eh_loa",
+        ),
+        migrations.AlterField(
+            model_name="eherkenningconfiguration",
+            name="eh_loa",
+            field=models.CharField(
+                choices=[
+                    ("urn:etoegang:core:assurance-class:loa1", "Non existent (1)"),
+                    ("urn:etoegang:core:assurance-class:loa2", "Low (2)"),
+                    ("urn:etoegang:core:assurance-class:loa2plus", "Low (2+)"),
+                    ("urn:etoegang:core:assurance-class:loa3", "Substantial (3)"),
+                    ("urn:etoegang:core:assurance-class:loa4", "High (4)"),
+                ],
+                default="urn:etoegang:core:assurance-class:loa3",
+                help_text="Level of Assurance (LoA) to use for the eHerkenning service.",
+                max_length=100,
+                verbose_name="eHerkenning LoA",
+            ),
+        ),
+        migrations.AddField(
+            model_name="eherkenningconfiguration",
+            name="eidas_loa",
+            field=models.CharField(
+                choices=[
+                    ("urn:etoegang:core:assurance-class:loa1", "Non existent (1)"),
+                    ("urn:etoegang:core:assurance-class:loa2", "Low (2)"),
+                    ("urn:etoegang:core:assurance-class:loa2plus", "Low (2+)"),
+                    ("urn:etoegang:core:assurance-class:loa3", "Substantial (3)"),
+                    ("urn:etoegang:core:assurance-class:loa4", "High (4)"),
+                ],
+                default="urn:etoegang:core:assurance-class:loa3",
+                help_text="Level of Assurance (LoA) to use for the eIDAS service.",
+                max_length=100,
+                verbose_name="eIDAS LoA",
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="eherkenningconfiguration",
+            constraint=models.CheckConstraint(
+                check=models.Q(
+                    models.Q(
+                        ("eh_loa__in", digid_eherkenning.choices.AssuranceLevels),
+                        ("eidas_loa__in", digid_eherkenning.choices.AssuranceLevels),
+                    )
+                ),
+                name="valid_loa",
+            ),
+        ),
+    ]
diff --git a/digid_eherkenning/models/eherkenning.py b/digid_eherkenning/models/eherkenning.py
@@ -5,6 +5,7 @@
 from django.utils.translation import gettext_lazy as _
 
 from ..choices import AssuranceLevels
+from ..types import EHerkenningConfig
 from ..validators import oin_validator
 from .base import BaseConfiguration
 
@@ -60,11 +61,11 @@ def get_default_requested_attributes_eidas():
 
 
 class EherkenningConfiguration(BaseConfiguration):
-    loa = models.CharField(
-        _("LoA"),
+    eh_loa = models.CharField(
+        _("eHerkenning LoA"),
         choices=AssuranceLevels.choices,
         default=AssuranceLevels.substantial,
-        help_text=_("Level of Assurance (LoA) to use for all the services."),
+        help_text=_("Level of Assurance (LoA) to use for the eHerkenning service."),
         max_length=100,
     )
     eh_attribute_consuming_service_index = models.CharField(
@@ -99,6 +100,13 @@ class EherkenningConfiguration(BaseConfiguration):
             "changing the value is a manual process."
         ),
     )
+    eidas_loa = models.CharField(
+        _("eIDAS LoA"),
+        choices=AssuranceLevels.choices,
+        default=AssuranceLevels.substantial,
+        help_text=_("Level of Assurance (LoA) to use for the eIDAS service."),
+        max_length=100,
+    )
     eidas_attribute_consuming_service_index = models.CharField(
         _("eIDAS attribute consuming service index"),
         blank=True,
@@ -176,11 +184,15 @@ class Meta:
         verbose_name = _("Eherkenning/eIDAS configuration")
         constraints = [
             models.constraints.CheckConstraint(
-                name="valid_loa", check=models.Q(loa__in=AssuranceLevels)
+                name="valid_loa",
+                check=models.Q(
+                    models.Q(eh_loa__in=AssuranceLevels)
+                    & models.Q(eidas_loa__in=AssuranceLevels)
+                ),
             ),
         ]
 
-    def as_dict(self) -> dict:
+    def as_dict(self) -> EHerkenningConfig:
         """
         Emit the configuration as a dictionary compatible with the old settings format.
         """
@@ -215,6 +227,7 @@ def as_dict(self) -> dict:
                 "service_description": self.service_description,
                 "service_description_url": self.service_description_url,
                 "service_url": self.base_url,
+                "loa": self.eh_loa,
                 "privacy_policy_url": self.privacy_policy,
                 "herkenningsmakelaars_id": self.makelaar_id,
                 "requested_attributes": self.eh_requested_attributes,
@@ -247,6 +260,7 @@ def as_dict(self) -> dict:
                 "service_description": self.service_description,
                 "service_description_url": self.service_description_url,
                 "service_url": self.base_url,
+                "loa": self.eidas_loa,
                 "privacy_policy_url": self.privacy_policy,
                 "herkenningsmakelaars_id": self.makelaar_id,
                 "requested_attributes": self.eidas_requested_attributes,
@@ -270,7 +284,6 @@ def as_dict(self) -> dict:
             "service_entity_id": self.idp_service_entity_id,
             "oin": self.oin,
             "services": services,
-            "loa": self.loa,
             # optional in runtime code
             "want_assertions_encrypted": self.want_assertions_encrypted,
             "want_assertions_signed": self.want_assertions_signed,

diff --git a/digid_eherkenning/saml2/eherkenning.py b/digid_eherkenning/saml2/eherkenning.py
@@ -366,7 +366,7 @@ def create_service_catalogus(conf, validate=True):
             service_description,
             service_description_url,
             # https://afsprakenstelsel.etoegang.nl/display/as/Level+of+assurance
-            conf["loa"],
+            service["loa"],
             entity_concerned_types_allowed,
             requested_attributes,
             herkenningsmakelaars_id,
@@ -515,9 +515,7 @@ def create_config(self, config_dict):
                 "metadataValidUntil": "",
                 "metadataCacheDuration": "",
                 "requestedAuthnContextComparison": "minimum",
-                "requestedAuthnContext": [
-                    self.loa or self.conf["loa"],
-                ],
+                "requestedAuthnContext": False if not self.loa else [self.loa],
             }
         )
         return super().create_config(config_dict)