Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Grab and save the branch number from eHerkenning service restriction #4525

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Grab and save the branch number from eHerkenning service restriction #4525

wants to merge 1 commit into from

Conversation

sergei-maertens
Copy link
Member

Closes #3967

This is really hard to test/try out because we don't have a real eherkenning setup with a branch service restriction as far as I can tell...

However, piecing together the documentation on:
https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm (which describes the interface between service provider and makelaar), we should get back the ServiceRestriction SAML attribute if information is available in the MR (machtigingsregister). The examples show that it would not be an encrypted attribute (it sits in the AttributeStatement element):

<saml:Attribute Name=urn:etoegang:1.9:ServiceRestriction:Vestigingsnr>
    <saml:AttributeValue xsi:type=xs:string>123456789012</saml:AttributeValue>
</saml:Attribute>

The documentation says it would be one or more restriction, so we're assuming that it returns a list of strings of values after processing, similar to the urn:etoegang:core:ServiceID and urn:etoegang:core:ServiceUUID attributes.

I checked our code in django-digid-eherkenning, and we already by default include the service restriction request in the catalogus request, so no extra work should be needed there, see: https://github.com/maykinmedia/django-digid-eherkenning/blob/0189aceea660d2f4774d238397365f17adeb354a/digid_eherkenning/models/eherkenning.py#L234

Changes

  • Grab the service restriction from the extracted attributes
  • Add tests (preferably VCR with a real setup and no mocking)

Checklist

Check off the items that are completed or not relevant.

  • Impact on features

    • Checked copying a form
    • Checked import/export of a form
    • Config checks in the configuration overview admin page
    • Problem detection in the admin email digest is handled

  • Release management

    • I have labelled the PR as "needs-backport" accordingly

  • I have updated the translations assets (you do NOT need to provide translations)

    • Ran ./bin/makemessages_js.sh
    • Ran ./bin/compilemessages_js.sh

  • Commit hygiene

    • Commit messages refer to the relevant Github issue
    • Commit messages explain the "why" of change, not the how

@sergei-maertens
⚗️ [#3967] See if we can grab the branch number from eHerkenning
824aea1 
This is really hard to test/try out because we don't have a real
eherkenning setup with a branch service restriction as far as I can
tell...

However, piecing together the documentation on:
https://afsprakenstelsel.etoegang.nl/Startpagina/v2/interface-specifications-dv-hm
(which describes the interface between service provider and makelaar),
we should get back the ServiceRestriction SAML attribute if information
is available in the MR (machtigingsregister). The examples show that
it would not be an encrypted attribute (it sits in the AttributeStatement
element):

    <saml:Attribute Name=urn:etoegang:1.9:ServiceRestriction:Vestigingsnr>
        <saml:AttributeValue xsi:type=xs:string>123456789012</saml:AttributeValue>
    </saml:Attribute>

The documentation says it would be one or more restriction, so we're
assuming that it returns a list of strings of values after processing,
similar to the urn:etoegang:core:ServiceID and urn:etoegang:core:ServiceUUID
attributes.

I checked our code in django-digid-eherkenning, and we already by
default include the service restriction request in the catalogus
request, so no extra work should be needed there, see:
https://github.com/maykinmedia/django-digid-eherkenning/blob/0189aceea660d2f4774d238397365f17adeb354a/digid_eherkenning/models/eherkenning.py#L234
sergei-maertens
sergei-maertens commented Jul 15, 2024
View reviewed changes
src/openforms/authentication/contrib/eherkenning/views.py
"urn:etoegang:1.9:ServiceRestriction:Vestigingsnr"
):
logger.info("Got branch numbers: %r", branch_numbers)
request.session[EHERKENNING_BRANCH_NUMBERS_SESSION_KEY] = branch_numbers
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is pretty nasty and a setup similar to the OIDC variants where everything is scoped under a single session key would be better

@sergei-maertens
Copy link
Member Author

@joeribekker we really need to test this with a representative test account that has a branch restriction

@sergei-maertens
Copy link
Member Author

Reached out to a SAAS customer to see if we can get "inspiration" for Signicat configuration for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
blocked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add vestiging to eherkenning auth variable.
1 participant
@sergei-maertens