Merge pull request #5740 from govuk-one-login/ATO-1178-max-age-audit-…

…event-extension ATO-1178: Adds maximumSessionAge to audit event if supported
govuk-one-login · Jan 16, 2025 · 70956fb · 70956fb
2 parents 1a6318d + 4eb047f
commit 70956fb
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 17 deletions.
diff --git a/oidc-api/src/main/java/uk/gov/di/authentication/oidc/lambda/AuthorisationHandler.java b/oidc-api/src/main/java/uk/gov/di/authentication/oidc/lambda/AuthorisationHandler.java
@@ -393,14 +393,28 @@ public APIGatewayProxyResponseEvent authoriseRequestHandler(
         var vtrList = getVtrList(reauthRequested, authRequest);
         var requestedCredentialTrustLevel = VectorOfTrust.getLowestCredentialTrustLevel(vtrList);
 
+        var auditEventExtensions =
+                new ArrayList<>(
+                        List.of(
+                                pair("rpSid", getRpSid(authRequest)),
+                                pair("identityRequested", identityRequested),
+                                pair("reauthRequested", reauthRequested),
+                                pair(
+                                        "credential_trust_level",
+                                        requestedCredentialTrustLevel.toString())));
+
+        var maxAgeParam = getMaxAge(authRequest);
+        if (configurationService.supportMaxAgeEnabled()
+                && client.getMaxAgeEnabled()
+                && maxAgeParam.isPresent()) {
+            auditEventExtensions.add(pair("maximumSessionAge", maxAgeParam.get()));
+        }
+
         auditService.submitAuditEvent(
                 OidcAuditableEvent.AUTHORISATION_REQUEST_PARSED,
                 authRequest.getClientID().getValue(),
                 user,
-                pair("rpSid", getRpSid(authRequest)),
-                pair("identityRequested", identityRequested),
-                pair("reauthRequested", reauthRequested),
-                pair("credential_trust_level", requestedCredentialTrustLevel.toString()));
+                auditEventExtensions.toArray(AuditService.MetadataPair[]::new));
 
         Optional<Session> session = sessionService.getSessionFromSessionCookie(input.getHeaders());
         Optional<OrchSessionItem> orchSessionOptional =

diff --git a/oidc-api/src/test/java/uk/gov/di/authentication/oidc/lambda/AuthorisationHandlerTest.java b/oidc-api/src/test/java/uk/gov/di/authentication/oidc/lambda/AuthorisationHandlerTest.java
@@ -109,6 +109,7 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.regex.Pattern;
 import java.util.stream.Stream;
@@ -1519,7 +1520,7 @@ void shouldReturnServerErrorOnJwksException()
         }
 
         @Test
-        void shouldAuditRequestParsedWhenRpSidPresent() {
+        void shouldSendAuditRequestParsedWithRpSidPresent() {
             var rpSid = "test-rp-sid";
             Map<String, String> requestParams = buildRequestParams(Map.of("rp_sid", rpSid));
             APIGatewayProxyRequestEvent event = withRequestEvent(requestParams);
@@ -1531,7 +1532,7 @@ void shouldAuditRequestParsedWhenRpSidPresent() {
         }
 
         @Test
-        void shouldAuditRequestParsedWhenRpSidNotPresent() {
+        void shouldSendAuditRequestParsedWhenRpSidNotPresent() {
             Map<String, String> requestParams = buildRequestParams(null);
             APIGatewayProxyRequestEvent event = withRequestEvent(requestParams);
             event.setRequestContext(
@@ -1544,7 +1545,7 @@ void shouldAuditRequestParsedWhenRpSidNotPresent() {
         }
 
         @Test
-        void shouldAuditRequestParsedWhenOnAuthOnlyFlow() {
+        void shouldSendAuditRequestParsedWhenOnAuthOnlyFlow() {
             Map<String, String> requestParams = buildRequestParams(Map.of("vtr", "[\"Cl.Cm\"]"));
             APIGatewayProxyRequestEvent event = withRequestEvent(requestParams);
             event.setRequestContext(
@@ -1557,7 +1558,7 @@ void shouldAuditRequestParsedWhenOnAuthOnlyFlow() {
         }
 
         @Test
-        void shouldAuditRequestParsedWhenOnIdentityFlow() {
+        void shouldSendAuditRequestParsedWhenOnIdentityFlow() {
             Map<String, String> requestParams = buildRequestParams(Map.of("vtr", "[\"P2.Cl.Cm\"]"));
             APIGatewayProxyRequestEvent event = withRequestEvent(requestParams);
             event.setRequestContext(
@@ -1569,6 +1570,24 @@ void shouldAuditRequestParsedWhenOnIdentityFlow() {
                     AuditService.UNKNOWN, true, false, "MEDIUM_LEVEL");
         }
 
+        @Test
+        void shouldSendAuditRequestParsedWithMaxAgeExtensionWhenSupportedByClient() {
+            var client = generateClientRegistry();
+            client.setMaxAgeEnabled(true);
+            when(configService.supportMaxAgeEnabled()).thenReturn(true);
+            when(clientService.getClient(anyString())).thenReturn(Optional.of(client));
+            Map<String, String> requestParams =
+                    buildRequestParams(Map.of("vtr", "[\"Cl.Cm\"]", "max_age", "123"));
+            APIGatewayProxyRequestEvent event = withRequestEvent(requestParams);
+            event.setRequestContext(
+                    new ProxyRequestContext()
+                            .withIdentity(new RequestIdentity().withSourceIp("123.123.123.123")));
+            makeHandlerRequest(event);
+
+            verifyAuthorisationRequestParsedAuditEvent(
+                    AuditService.UNKNOWN, false, false, "MEDIUM_LEVEL", 123);
+        }
+
         @Test
         void shouldNotAddReauthenticateOrPreviousJourneyIdClaimForQueryParameters() {
             Map<String, String> requestParams =
@@ -3068,15 +3087,38 @@ private void verifyAuthorisationRequestParsedAuditEvent(
             boolean identityRequested,
             boolean reauthRequested,
             String credentialTrustLevel) {
-        inOrder.verify(auditService)
-                .submitAuditEvent(
-                        OidcAuditableEvent.AUTHORISATION_REQUEST_PARSED,
-                        CLIENT_ID.getValue(),
-                        BASE_AUDIT_USER,
-                        pair("rpSid", rpSid),
-                        pair("identityRequested", identityRequested),
-                        pair("reauthRequested", reauthRequested),
-                        pair("credential_trust_level", credentialTrustLevel));
+        verifyAuthorisationRequestParsedAuditEvent(
+                rpSid, identityRequested, reauthRequested, credentialTrustLevel, null);
+    }
+
+    private void verifyAuthorisationRequestParsedAuditEvent(
+            String rpSid,
+            boolean identityRequested,
+            boolean reauthRequested,
+            String credentialTrustLevel,
+            Integer maxAge) {
+        if (Objects.isNull(maxAge)) {
+            inOrder.verify(auditService)
+                    .submitAuditEvent(
+                            OidcAuditableEvent.AUTHORISATION_REQUEST_PARSED,
+                            CLIENT_ID.getValue(),
+                            BASE_AUDIT_USER,
+                            pair("rpSid", rpSid),
+                            pair("identityRequested", identityRequested),
+                            pair("reauthRequested", reauthRequested),
+                            pair("credential_trust_level", credentialTrustLevel));
+        } else {
+            inOrder.verify(auditService)
+                    .submitAuditEvent(
+                            OidcAuditableEvent.AUTHORISATION_REQUEST_PARSED,
+                            CLIENT_ID.getValue(),
+                            BASE_AUDIT_USER,
+                            pair("rpSid", rpSid),
+                            pair("identityRequested", identityRequested),
+                            pair("reauthRequested", reauthRequested),
+                            pair("credential_trust_level", credentialTrustLevel),
+                            pair("maximumSessionAge", maxAge));
+        }
     }
 
     private static ECKey generateECSigningKey() {