

✨ [#3967] Implement recording branch number service restriction
sergei-maertens committed Jul 3, 2024
1 parent b56c9a9 commit 7d0fa25
Showing 5 changed files with 76 additions and 2 deletions.
Expand Up @@ -212,7 +212,7 @@ def get_logo(self, request) -> LoginLogo | None:
return LoginLogo(title=self.get_label(), **get_eherkenning_logo(request))

def transform_claims(self, normalized_claims: EHClaims) -> FormAuth:
return {
form_auth: FormAuth = {
"plugin": self.identifier,
# TODO: look at `identifier_type_claim` and return kvk or rsin accordingly.
# Currently we have no support for RSIN at all, so that will need to be
Expand All @@ -225,6 +225,9 @@ def transform_claims(self, normalized_claims: EHClaims) -> FormAuth:
"acting_subject_claim"
],
}
if service_restriction := normalized_claims.get("branch_number_claim", ""):
form_auth["legal_subject_service_restriction"] = service_restriction
return form_auth


class DigiDmachtigenClaims(TypedDict):
Expand Down Expand Up @@ -340,7 +343,7 @@ def transform_claims(self, normalized_claims: EHBewindvoeringClaims) -> FormAuth
}
)

return {
form_auth: FormAuth = {
"plugin": self.identifier,
"attribute": self.provides_auth,
"value": normalized_claims["representee_claim"],
Expand Down Expand Up @@ -368,6 +371,10 @@ def transform_claims(self, normalized_claims: EHBewindvoeringClaims) -> FormAuth
},
}

if service_restriction := normalized_claims.get("branch_number_claim", ""):
form_auth["legal_subject_service_restriction"] = service_restriction
return form_auth

def get_label(self) -> str:
return "eHerkenning bewindvoering"

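Review bot: The new `if service_restriction := normalized_claims.get("branch_number_claim", "")` line copies the IdP-supplied value straight into `legal_subject_service_restriction` with no format check, so a malformed or oversized claim value is recorded and later surfaces in the authentication context as `branchNumber`; the identical block in the bewindvoering `transform_claims` has the same gap. A minimal sanity check at the plugin boundary, e.g. `if not (service_restriction.isdigit() and len(service_restriction) == 12): raise ValueError("Invalid branch number claim")` (or log-and-drop if a failed login is too harsh), would make the contract explicit — I am inferring the 12-digit shape from the test fixture `"123123123123"`, so confirm it against the eHerkenning attribute definition before hard-coding it. Since the two insertions are verbatim copies, a small helper such as `_add_service_restriction(form_auth, normalized_claims)` would keep them from drifting apart. The second `transform_claims` begins before its hunk, so only its tail is visible here.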
8 changes: 8 additions & 0 deletions src/openforms/authentication/models.py
Expand Up @@ -317,6 +317,10 @@ def to_auth_context_data(
},
},
}
if branch_number := self.legal_subject_service_restriction:
eh_context["authorizee"]["legalSubject"][
"branchNumber"
] = branch_number
return eh_context

# EHerkenning with machtigen/mandate
Expand All @@ -340,6 +344,10 @@ def to_auth_context_data(
},
"mandate": self.mandate_context,
}
if branch_number := self.legal_subject_service_restriction:
ehm_context["authorizee"]["legalSubject"][
"branchNumber"
] = branch_number
return ehm_context
case _: # pragma: no cover
raise RuntimeError(f"Unknown attribute: {self.attribute}")
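Review bot: The new `if branch_number := self.legal_subject_service_restriction:` lines map a field called "service restriction" onto a context key called `branchNumber`, and nothing at the call site explains the renaming; a one-line comment above each injection would spare the next reader a trip to the plugin, e.g. `# eHerkenning expresses the service restriction as the legal subject's branch number (see branch_number_claim in the plugin)`. The four-line block is repeated verbatim in both eHerkenning branches of the `match`, so hoisting it into a small helper that takes the context dict, or running it once after the `match`, would keep the two cases in step. The enclosing `to_auth_context_data` starts before these hunks.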
57 changes: 57 additions & 0 deletions src/openforms/authentication/tests/test_authentication_context.py
Expand Up @@ -81,6 +81,30 @@ def test_plain_eherkenning_auth(self):
auth_context = auth_info.to_auth_context_data()

self.assertValidContext(auth_context)
self.assertNotIn("branchNumber", auth_context["authorizee"]["legalSubject"])

def test_plain_eherkenning_auth_with_service_restriction(self):
auth_info = AuthInfo(
submission=SubmissionFactory.build(),
plugin="dummy",
attribute=AuthAttribute.kvk,
value="90002768",
attribute_hashed=False,
loa=AssuranceLevels.substantial,
legal_subject_identifier_type="",
legal_subject_identifier_value="",
legal_subject_service_restriction="123123123123",
acting_subject_identifier_type=ActingSubjectIdentifierType.opaque,
acting_subject_identifier_value=(
"4B75A0EA107B3D36C82FD675B5B78CC2F181B22E33D85F2D4A5DA63452EE3018"
"@2D8FF1EF10279BC2643F376D89835151"
),
)

auth_context = auth_info.to_auth_context_data()

self.assertValidContext(auth_context)
self.assertIn("branchNumber", auth_context["authorizee"]["legalSubject"])

def test_eherkenning_machtigen_bewindvoering_auth(self):
auth_info = AuthInfo(
Expand Down Expand Up @@ -111,3 +135,36 @@ def test_eherkenning_machtigen_bewindvoering_auth(self):
auth_context = auth_info.to_auth_context_data()

self.assertValidContext(auth_context)
self.assertNotIn("branchNumber", auth_context["authorizee"]["legalSubject"])

def test_eherkenning_machtigen_bewindvoering_auth_with_service_restriction(self):
auth_info = AuthInfo(
submission=SubmissionFactory.build(),
plugin="dummy",
attribute=AuthAttribute.bsn,
value="999991607",
attribute_hashed=False,
loa=AssuranceLevels.substantial,
legal_subject_identifier_type=LegalSubjectIdentifierType.kvk,
legal_subject_identifier_value="90002768",
legal_subject_service_restriction="123123123123",
acting_subject_identifier_type=ActingSubjectIdentifierType.opaque,
acting_subject_identifier_value=(
"4B75A0EA107B3D36C82FD675B5B78CC2F181B22E33D85F2D4A5DA63452EE3018"
"@2D8FF1EF10279BC2643F376D89835151"
),
mandate_context={
"role": "bewindvoerder",
"services": [
{
"id": "urn:etoegang:DV:00000001002308836000:services:9113",
"uuid": "34085d78-21aa-4481-a219-b28d7f3282fc",
}
],
},
)

auth_context = auth_info.to_auth_context_data()

self.assertValidContext(auth_context)
self.assertIn("branchNumber", auth_context["authorizee"]["legalSubject"])
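Review bot: Both new `_with_service_restriction` tests only assert that `branchNumber` is present (`assertIn`) and never check its value, so a mapping that wrote some other attribute into that key would still pass; pin the value, e.g. `self.assertEqual(auth_context["authorizee"]["legalSubject"]["branchNumber"], "123123123123")`. `assertValidContext` presumably checks the context against a schema, but it cannot know which attribute was expected to land there. Each new test otherwise mirrors its unrestricted counterpart line for line, so a one-line docstring stating that the only difference is the `legal_subject_service_restriction` value would make the intent easier to scan.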
1 change: 1 addition & 0 deletions src/openforms/authentication/types.py
Expand Up @@ -39,6 +39,7 @@ class DigiDMachtigenContext(DigiDContext):
class EHerkenningLegalSubject(TypedDict):
identifierType: Literal["kvkNummer"]
identifier: str
branchNumber: NotRequired[str]


class EHerkenningActingSubject(TypedDict):
1 change: 1 addition & 0 deletions src/openforms/authentication/typing.py
Expand Up @@ -23,6 +23,7 @@ class FormAuth(BaseAuth):
acting_subject_identifier_value: NotRequired[str]
legal_subject_identifier_type: NotRequired[str]
legal_subject_identifier_value: NotRequired[str]
legal_subject_service_restriction: NotRequired[str]
mandate_context: NotRequired[JSONObject]

# deprecated
