feat(session): respect 2fa enforcement in whoami
Showing
13 changed files
with
470 additions
and
35 deletions.
@@ -0,0 +1,33 @@ | ||
package identity | ||
|
||
func DetermineAAL(cts []CredentialsType) AuthenticatorAssuranceLevel { | ||
aal := NoAuthenticatorAssuranceLevel | ||
|
||
var firstFactor bool | ||
var secondFactor bool | ||
for _, a := range cts { | ||
switch a { | ||
case CredentialsTypeRecoveryLink: | ||
fallthrough | ||
case CredentialsTypeOIDC: | ||
fallthrough | ||
case CredentialsTypePassword: | ||
firstFactor = true | ||
case CredentialsTypeTOTP: | ||
secondFactor = true | ||
case CredentialsTypeLookup: | ||
secondFactor = true | ||
case CredentialsTypeWebAuthn: | ||
secondFactor = true | ||
} | ||
} | ||
|
||
if firstFactor && secondFactor { | ||
aal = AuthenticatorAssuranceLevel2 | ||
} else if firstFactor { | ||
aal = AuthenticatorAssuranceLevel1 | ||
} | ||
|
||
// Using only the second factor is not enough for any type of assurance. | ||
return aal | ||
} |
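Review bot: `DetermineAAL` is exported and decides the assurance level a session is granted, but it carries no doc comment, so the two security-relevant choices visible in the switch — that a recovery link alone is treated as a full first factor on par with a password, and that a credential type not listed here contributes nothing (so new types fail closed toward a lower AAL until explicitly classified) — are only discoverable by reading the body. I would add above the function: `// DetermineAAL derives the AuthenticatorAssuranceLevel from the credential types used to authenticate: AAL1 needs a first factor (password, OIDC, recovery link), AAL2 additionally needs a second factor (TOTP, lookup secret, WebAuthn); unlisted types are ignored and second factors alone never raise the level.` The `fallthrough` chain and the three separate second-factor cases could also be collapsed into two multi-value cases, `case CredentialsTypeRecoveryLink, CredentialsTypeOIDC, CredentialsTypePassword:` and `case CredentialsTypeTOTP, CredentialsTypeLookup, CredentialsTypeWebAuthn:`, which makes the first/second-factor classification readable at a glance and harder to extend incorrectly.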
@@ -0,0 +1,110 @@ | ||
package identity | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func TestDetermineAAL(t *testing.T) { | ||
|
||
for _, tc := range []struct { | ||
d string | ||
methods []CredentialsType | ||
expected AuthenticatorAssuranceLevel | ||
}{ | ||
{ | ||
d: "no amr means no assurance", | ||
expected: NoAuthenticatorAssuranceLevel, | ||
}, | ||
{ | ||
d: "password is aal1", | ||
methods: []CredentialsType{CredentialsTypePassword}, | ||
expected: AuthenticatorAssuranceLevel1, | ||
}, | ||
{ | ||
d: "oidc is aal1", | ||
methods: []CredentialsType{CredentialsTypeOIDC}, | ||
expected: AuthenticatorAssuranceLevel1, | ||
}, | ||
{ | ||
d: "recovery is aal1", | ||
methods: []CredentialsType{CredentialsTypeRecoveryLink}, | ||
expected: AuthenticatorAssuranceLevel1, | ||
}, | ||
{ | ||
d: "mix of password, oidc, recovery is still aal1", | ||
methods: []CredentialsType{ | ||
CredentialsTypeRecoveryLink, CredentialsTypeOIDC, CredentialsTypePassword, | ||
}, | ||
expected: AuthenticatorAssuranceLevel1, | ||
}, | ||
{ | ||
d: "just totp is aal0", | ||
methods: []CredentialsType{ | ||
CredentialsTypeTOTP, | ||
}, | ||
expected: NoAuthenticatorAssuranceLevel, | ||
}, | ||
{ | ||
d: "password + totp is aal2", | ||
methods: []CredentialsType{ | ||
CredentialsTypePassword, | ||
CredentialsTypeTOTP, | ||
}, | ||
expected: AuthenticatorAssuranceLevel2, | ||
}, | ||
{ | ||
d: "password + lookup is aal2", | ||
methods: []CredentialsType{ | ||
CredentialsTypePassword, | ||
CredentialsTypeLookup, | ||
}, | ||
expected: AuthenticatorAssuranceLevel2, | ||
}, | ||
{ | ||
d: "password + webauthn is aal2", | ||
methods: []CredentialsType{ | ||
CredentialsTypePassword, | ||
CredentialsTypeWebAuthn, | ||
}, | ||
expected: AuthenticatorAssuranceLevel2, | ||
}, | ||
{ | ||
d: "oidc + totp is aal2", | ||
methods: []CredentialsType{ | ||
CredentialsTypeOIDC, | ||
CredentialsTypeTOTP, | ||
}, | ||
expected: AuthenticatorAssuranceLevel2, | ||
}, | ||
{ | ||
d: "oidc + lookup is aal2", | ||
methods: []CredentialsType{ | ||
CredentialsTypeOIDC, | ||
CredentialsTypeLookup, | ||
}, | ||
expected: AuthenticatorAssuranceLevel2, | ||
}, | ||
{ | ||
d: "recovery link + totp is aal2", | ||
methods: []CredentialsType{ | ||
CredentialsTypeRecoveryLink, | ||
CredentialsTypeTOTP, | ||
}, | ||
expected: AuthenticatorAssuranceLevel2, | ||
}, | ||
{ | ||
d: "recovery link + lookup is aal2", | ||
methods: []CredentialsType{ | ||
CredentialsTypeRecoveryLink, | ||
CredentialsTypeLookup, | ||
}, | ||
expected: AuthenticatorAssuranceLevel2, | ||
}, | ||
} { | ||
t.Run("case="+tc.d, func(t *testing.T) { | ||
assert.Equal(t, tc.expected, DetermineAAL(tc.methods)) | ||
}) | ||
} | ||
} |
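Review bot: The table pins the positive combinations but only one negative case (`just totp is aal0`), so the fail-closed rule the implementation relies on — any number of second factors without a first factor yields no assurance — is not protected against regression for lookup, WebAuthn, or a second factor paired with another second factor. I would add cases such as `webauthn only is aal0`, `lookup only is aal0` and `totp + webauthn without first factor is aal0`, each expecting `NoAuthenticatorAssuranceLevel`. A case with a duplicated first factor (e.g. two `CredentialsTypePassword` entries) expecting `AuthenticatorAssuranceLevel1` would also document that repeating a factor does not count as a second one.
```go
// … unchanged: existing table entries …
{
	d:        "webauthn only is aal0",
	methods:  []CredentialsType{CredentialsTypeWebAuthn},
	expected: NoAuthenticatorAssuranceLevel,
},
{
	d:        "lookup only is aal0",
	methods:  []CredentialsType{CredentialsTypeLookup},
	expected: NoAuthenticatorAssuranceLevel,
},
{
	d:        "totp + webauthn without first factor is aal0",
	methods:  []CredentialsType{CredentialsTypeTOTP, CredentialsTypeWebAuthn},
	expected: NoAuthenticatorAssuranceLevel,
},
{
	d:        "password twice is still aal1",
	methods:  []CredentialsType{CredentialsTypePassword, CredentialsTypePassword},
	expected: AuthenticatorAssuranceLevel1,
},
// … unchanged: t.Run loop …
```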