Grab and save the branch number from eHerkenning service restriction #4525

Draft
wants to merge 1 commit into
base: master
@@ -1,5 +1,6 @@
EHERKENNING_PLUGIN_ID = "eherkenning"
EHERKENNING_AUTH_SESSION_KEY = f"{EHERKENNING_PLUGIN_ID}:kvk"
EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS = f"{EHERKENNING_PLUGIN_ID}:authn_contexts"
EHERKENNING_BRANCH_NUMBERS_SESSION_KEY = f"{EHERKENNING_PLUGIN_ID}:branch_numbers"
EIDAS_AUTH_SESSION_KEY = "eidas:pseudo"
EIDAS_AUTH_SESSION_AUTHN_CONTEXTS = "eidas:authn_contexts"
23 changes: 23 additions & 0 deletions src/openforms/authentication/contrib/eherkenning/plugin.py
@@ -1,3 +1,4 @@
import logging
from typing import Any, NoReturn

from django.http import HttpRequest, HttpResponseBadRequest, HttpResponseRedirect
Expand All @@ -24,9 +25,12 @@
from .constants import (
EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS,
EHERKENNING_AUTH_SESSION_KEY,
EHERKENNING_BRANCH_NUMBERS_SESSION_KEY,
EIDAS_AUTH_SESSION_KEY,
)

logger = logging.getLogger(__name__)

_LOA_ORDER = [loa.value for loa in AssuranceLevels]


Expand Down Expand Up @@ -108,13 +112,17 @@ def handle_return(self, request: HttpRequest, form: Form):
"attribute": self.provides_auth,
"value": identifier,
"loa": self.get_session_loa(request.session),
**self.get_extra_form_auth_kwargs(request.session),
}

return HttpResponseRedirect(form_url)

def get_session_loa(self, session):
return ""

def get_extra_form_auth_kwargs(self, session) -> dict[str, Any]:
return {}

def logout(self, request: HttpRequest):
if self.session_key in request.session:
del request.session[self.session_key]
Expand All @@ -130,6 +138,21 @@ def get_session_loa(self, session) -> str:
authn_contexts = session.get(EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS, [""])
return max(authn_contexts, key=loa_order)

def get_extra_form_auth_kwargs(self, session) -> dict[str, Any]:
branch_numbers = session.get(EHERKENNING_BRANCH_NUMBERS_SESSION_KEY)
if not branch_numbers:
return {}
if (num := len(branch_numbers)) > 1:
# https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm
# explicitly mentions that "one or more ServiceRestrictions" can be provided,
# we currently only support one.
logger.warning(
"Got more than one branch number (got %d), this is unexpected!",
num,
)
branch_number = branch_numbers[0]
return {"legal_subject_service_restriction": branch_number}

def check_requirements(self, request, config):
# check LoA requirements
authenticated_loa = request.session[FORM_AUTH_SESSION_KEY]["loa"]
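Review bot: The eHerkenning override of `get_extra_form_auth_kwargs` (last hunk) forwards `branch_numbers[0]` into the form auth data without checking its shape, although the view that stores the value documents it as a 12-digit string; a guard such as `if not (isinstance(branch_number, str) and len(branch_number) == 12 and branch_number.isdigit()): return {}` (with a warning logged) would keep malformed or unexpectedly typed session content out of `legal_subject_service_restriction` — note that a bare string under that key would currently yield its first character. The visible part of `logout` only deletes `self.session_key`; if the remainder of that method (outside the hunk) does not also drop `EHERKENNING_BRANCH_NUMBERS_SESSION_KEY`, the restriction from a previous login survives logout and is re-attached on the next authentication. Both `handle_return` and `logout` continue outside the hunks shown.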
12 changes: 12 additions & 0 deletions src/openforms/authentication/contrib/eherkenning/views.py
Expand Up @@ -17,6 +17,7 @@
from .constants import (
EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS,
EHERKENNING_AUTH_SESSION_KEY,
EHERKENNING_BRANCH_NUMBERS_SESSION_KEY,
EIDAS_AUTH_SESSION_KEY,
)

Expand Down Expand Up @@ -126,6 +127,17 @@ def get(self, request):
"urn:etoegang:1.9:EntityConcernedID:Pseudo"
]

# Extract the branch number service restriction(s) - this is all super vague and
# we don't seem to have proper test accounts for this...
# See https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm,
# section "AttributeStatement" for an example response.
# This translates to a list of strings (12 chars, all digits)
if branch_numbers := attributes.get(
"urn:etoegang:1.9:ServiceRestriction:Vestigingsnr"
):
logger.info("Got branch numbers: %r", branch_numbers)
request.session[EHERKENNING_BRANCH_NUMBERS_SESSION_KEY] = branch_numbers
This is pretty nasty; a setup similar to the OIDC variants, where everything is scoped under a single session key, would be better.


# store the authn contexts so the plugin can check persmission when
# accessing/creating an object
request.session[EHERKENNING_AUTH_SESSION_AUTHN_CONTEXTS] = (
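Review bot: The new block in `get` only writes `EHERKENNING_BRANCH_NUMBERS_SESSION_KEY` when the assertion carries a `Vestigingsnr` restriction and never clears it otherwise, so a branch number stored by an earlier login in the same session is silently reused when a later assertion has none. Storing unconditionally, e.g. `request.session[EHERKENNING_BRANCH_NUMBERS_SESSION_KEY] = branch_numbers or []`, or popping the key in the else path, keeps the session state tied to the current assertion. The comment above the block states the expected format (12 characters, all digits) but nothing enforces it at intake; if that expectation holds, this is the natural place to validate before the value reaches the session. `get` continues outside the hunk.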