Merge pull request #65 from maykinmedia/feature/remove-overriding-loa

Remove feature for overriding LoA in authentication request

digid_eherkenning/saml2/eherkenning.py

@@ -1,7 +1,7 @@
 import binascii
 from base64 import b64encode
 from io import BytesIO
-from typing import Literal, Union
+from typing import Union
 from uuid import uuid4
 
 from django.urls import reverse
@@ -14,7 +14,6 @@
 from lxml.etree import Element, tostring
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 
-from ..choices import AssuranceLevels
 from ..models import EherkenningConfiguration
 from ..settings import EHERKENNING_DS_XSD
 from ..types import EHerkenningConfig, EHerkenningSAMLConfig, ServiceConfig
@@ -458,15 +457,6 @@ class eHerkenningClient(BaseSaml2Client):
     cache_key_prefix = "eherkenning"
     cache_timeout = 60 * 60  # 1 hour
 
-    def __init__(
-        self,
-        *args,
-        loa: Union[AssuranceLevels, Literal[""]] = "",
-        **kwargs,
-    ):
-        super().__init__(*args, **kwargs)
-        self.loa = loa
-
     @property
     def conf(self) -> EHerkenningConfig:
         if not hasattr(self, "_conf"):
@@ -518,8 +508,7 @@ def create_config(
                 # there is no need for an expiry date.
                 "metadataValidUntil": "",
                 "metadataCacheDuration": "",
-                "requestedAuthnContextComparison": "minimum",
-                "requestedAuthnContext": False if not self.loa else [self.loa],
+                "requestedAuthnContext": False,
             }
         )
         return super().create_config(config_dict)

digid_eherkenning/views/eherkenning.py

@@ -17,15 +17,6 @@
 class eHerkenningLoginView(TemplateView):
     template_name = "digid_eherkenning/post_binding.html"
 
-    def get_level_of_assurance(self) -> Union[AssuranceLevels, Literal[""]]:
-        """
-        Override the AssuranceLevel from the global `EherkenningConfiguration`.
-
-        To use the level from the global config, return `""`
-        NB When overriding this, remember the user has control over the request!
-        """
-        return ""
-
     def get_relay_state(self):
         """
         TODO: It might be a good idea to sign the relay state.
@@ -48,7 +39,7 @@ def get_attribute_consuming_service_index(self) -> Optional[str]:
     #
     def get_context_data(self, **kwargs):
         context_data = super().get_context_data(**kwargs)
-        client = eHerkenningClient(loa=self.get_level_of_assurance())
+        client = eHerkenningClient()
         location, parameters = client.create_authn_request(
             self.request,
             attr_consuming_service_index=self.get_attribute_consuming_service_index(),

tests/test_eherkenning_views.py

@@ -107,33 +107,6 @@ def test_login(self, uuid_mock):
             ).decode("utf-8"),
         )
 
-    def test_login_views_can_override_minimum_loa(self):
-        class CustomLoginView(eHerkenningLoginView):
-            def get_level_of_assurance(self):
-                return (
-                    AssuranceLevels.high
-                    if "special" in self.request.GET.get("next")
-                    else AssuranceLevels.middle
-                )
-
-        request = RequestFactory().get(reverse("eherkenning:login") + "?next=/special")
-
-        response = CustomLoginView.as_view()(request)
-
-        saml_request = b64decode(
-            response.context_data["form"].initial["SAMLRequest"].encode("utf-8")
-        )
-        tree = etree.fromstring(saml_request)
-        auth_context_class_ref = tree.xpath(
-            "samlp:RequestedAuthnContext[@Comparison='minimum']/saml:AuthnContextClassRef",
-            namespaces={
-                "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
-                "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
-            },
-        )[0]
-
-        self.assertEqual(auth_context_class_ref.text, AssuranceLevels.high.value)
-
     @freeze_time("2020-04-09T08:31:46Z")
     @patch("onelogin.saml2.utils.uuid4")
     def test_login_with_attribute_consuming_service_index(self, uuid_mock):