Remove vectors of trust

app/controllers/application_controller.rb

@@ -134,7 +134,6 @@ def resolved_authn_context_result
       @resolved_authn_context_result = AuthnContextResolver.new(
         user: current_user,
         service_provider: service_provider,
-        vtr: sp_session[:vtr],
         acr_values: sp_session[:acr_values],
       ).result
     end

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -135,12 +135,7 @@ def default_ial_context
   end
 
   def response_authn_context
-    if saml_request.requested_vtr_authn_contexts.present?
-      resolved_authn_context_result.expanded_component_values
-    else
-      FederatedProtocols::Saml.new(saml_request).aal ||
-        default_aal_context
-    end
+    FederatedProtocols::Saml.new(saml_request).aal || default_aal_context
   end
 
   def link_identity_from_session_data

app/controllers/openid_connect/authorization_controller.rb

@@ -173,7 +173,6 @@ def pre_validate_authorize_form
         **result.to_h.except(:redirect_uri, :code_digest, :integration_errors).merge(
           user_fully_authenticated: user_fully_authenticated?,
           referer: request.referer,
-          vtr_param: params[:vtr],
           unknown_authn_contexts:,
         ),
       )
@@ -234,7 +233,6 @@ def track_events
         ial: ial_context.ial,
         billed_ial: ial_context.bill_for_ial_1_or_2,
         sign_in_flow: session[:sign_in_flow],
-        vtr: sp_session[:vtr],
         acr_values: sp_session[:acr_values],
         sign_in_duration_seconds:,
       )
@@ -272,7 +270,7 @@ def sp_handoff_bouncer
     end
 
     def unknown_authn_contexts
-      return nil if params[:vtr].present? || params[:acr_values].blank?
+      return nil if params[:acr_values].blank?
 
       (params[:acr_values].split - Saml::Idp::Constants::VALID_AUTHN_CONTEXTS)
         .join(' ').presence

app/controllers/saml_idp_controller.rb

@@ -172,7 +172,6 @@ def log_external_saml_auth_request
       requested_ial: requested_ial,
       authn_context: requested_authn_contexts,
       requested_aal_authn_context: FederatedProtocols::Saml.new(saml_request).aal,
-      requested_vtr_authn_contexts: saml_request&.requested_vtr_authn_contexts.presence,
       force_authn: saml_request&.force_authn?,
       final_auth_request: sp_session[:final_auth_request],
       service_provider: saml_request&.issuer,
@@ -222,7 +221,6 @@ def track_events
       ial: resolved_authn_context_int_ial,
       billed_ial: ial_context.bill_for_ial_1_or_2,
       sign_in_flow: session[:sign_in_flow],
-      vtr: sp_session[:vtr],
       acr_values: sp_session[:acr_values],
       sign_in_duration_seconds:,
     )
@@ -254,7 +252,6 @@ def require_path_year
   end
 
   def unknown_authn_contexts
-    return nil if saml_request.requested_vtr_authn_contexts.present?
     return nil if requested_authn_contexts.blank?
 
     unmatched_authn_contexts.reject do |authn_context|

app/forms/openid_connect_authorize_form.rb

@@ -20,7 +20,6 @@ class OpenidConnectAuthorizeForm
   ATTRS = [
     :unauthorized_scope,
     :acr_values,
-    :vtr,
     :scope,
     :verified_within,
     *SIMPLE_ATTRS,
@@ -50,7 +49,7 @@ class OpenidConnectAuthorizeForm
   RANDOM_VALUE_MINIMUM_LENGTH = 22
   MINIMUM_REPROOF_VERIFIED_WITHIN_DAYS = 30
 
-  validates :acr_values, presence: true, if: ->(form) { form.vtr.blank? }
+  validates :acr_values, presence: true
   validates :client_id, presence: true
   validates :redirect_uri, presence: true
   validates :scope, presence: true
@@ -62,7 +61,6 @@ class OpenidConnectAuthorizeForm
   validates :code_challenge_method, inclusion: { in: %w[S256] }, if: :code_challenge
 
   validate :validate_acr_values
-  validate :validate_vtr
   validate :validate_client_id
   validate :validate_scope
   validate :validate_unauthorized_scope
@@ -73,7 +71,6 @@ class OpenidConnectAuthorizeForm
 
   def initialize(params)
     @acr_values = parse_to_values(params[:acr_values], Saml::Idp::Constants::VALID_AUTHN_CONTEXTS)
-    @vtr = parse_vtr(params[:vtr])
     SIMPLE_ATTRS.each { |key| instance_variable_set(:"@#{key}", params[key]) }
     @prompt ||= 'select_account'
     @scope = parse_to_values(params[:scope], scopes)
@@ -121,7 +118,6 @@ def link_identity_to_service_provider(
       rails_session_id: rails_session_id,
       ial: ial,
       acr_values: acr_values&.join(' '),
-      vtr: vtr,
       requested_aal_value: requested_aal_value,
       scope: scope.join(' '),
       code_challenge: code_challenge,
@@ -164,35 +160,12 @@ def check_for_unauthorized_scope(params)
     @scope != param_value.split(' ').compact
   end
 
-  def parsed_vectors_of_trust
-    return @parsed_vectors_of_trust if defined?(@parsed_vectors_of_trust)
-
-    @parsed_vectors_of_trust = begin
-      if vtr.is_a?(Array) && !vtr.empty?
-        vtr.map { |vot| Vot::Parser.new(vector_of_trust: vot).parse }
-      end
-    rescue Vot::Parser::ParseException
-      nil
-    end
-  end
-
   def parse_to_values(param_value, possible_values)
     return [] if param_value.blank?
     param_value.split(' ').compact & possible_values
   end
 
-  def parse_vtr(param_value)
-    return if !IdentityConfig.store.use_vot_in_sp_requests
-    return if param_value.blank?
-
-    JSON.parse(param_value)
-  rescue JSON::ParserError
-    nil
-  end
-
   def validate_acr_values
-    return if vtr.present?
-
     if acr_values.empty?
       errors.add(
         :acr_values, t('openid_connect.authorization.errors.no_valid_acr_values'),
@@ -206,15 +179,6 @@ def validate_acr_values
     end
   end
 
-  def validate_vtr
-    return if vtr.blank?
-    return if parsed_vectors_of_trust.present?
-    errors.add(
-      :vtr, t('openid_connect.authorization.errors.no_valid_vtr'),
-      type: :no_valid_vtr
-    )
-  end
-
   # This checks that the SP matches something in the database
   # OpenidConnect::AuthorizationController#check_sp_active checks that it's currently active
   def validate_client_id
@@ -284,7 +248,6 @@ def extra_analytics_attributes
       redirect_uri: result_uri,
       scope: scope&.sort&.join(' '),
       acr_values: acr_values&.sort&.join(' '),
-      vtr: vtr,
       unauthorized_scope: @unauthorized_scope,
       code_digest: code ? Digest::SHA256.hexdigest(code) : nil,
       code_challenge_present: code_challenge.present?,
@@ -333,15 +296,11 @@ def identity_proofing_requested_or_default?
   end
 
   def sp_defaults_to_identity_proofing?
-    vtr.blank? && ial_values.blank? && identity_proofing_service_provider?
+    ial_values.blank? && identity_proofing_service_provider?
   end
 
   def identity_proofing_requested?
-    if parsed_vectors_of_trust.present?
-      parsed_vectors_of_trust.any?(&:identity_proofing?)
-    else
-      Saml::Idp::Constants::AUTHN_CONTEXT_CLASSREF_TO_IAL[ial_values.sort.max] == 2
-    end
+    Saml::Idp::Constants::AUTHN_CONTEXT_CLASSREF_TO_IAL[ial_values.sort.max] == 2
   end
 
   def identity_proofing_service_provider?

app/models/federated_protocols/oidc.rb

@@ -22,10 +22,6 @@ def acr_values
       [aal, ial].compact.join(' ')
     end
 
-    def vtr
-      request.vtr
-    end
-
     def requested_attributes
       OpenidConnectAttributeScoper.new(request.scope).requested_attributes
     end

app/models/federated_protocols/saml.rb

@@ -34,15 +34,10 @@ def acr_values
       [aal, ial].compact.join(' ')
     end
 
-    def vtr
-      request.requested_vtr_authn_contexts.presence
-    end
-
     def requested_attributes
       @requested_attributes ||= SamlRequestedAttributesPresenter.new(
         service_provider: current_service_provider,
         ial: ial,
-        vtr: vtr,
         authn_request_attribute_bundle: SamlRequestParser.new(request).requested_attributes,
       ).requested_attributes
     end

app/models/service_provider_request.rb

@@ -15,7 +15,6 @@ def initialize(
     url: nil,
     requested_attributes: [],
     acr_values: nil,
-    vtr: nil,
     # Deprecated attributes to remove
     # rubocop:disable Lint/UnusedMethodArgument
     ial: nil,
@@ -28,7 +27,7 @@ def initialize(
     @url = url
     @requested_attributes = requested_attributes&.map(&:to_s)
     @acr_values = acr_values
-    @vtr = vtr
+    @vtr = nil
   end
 
   def ==(other)

app/presenters/openid_connect_user_info_presenter.rb

@@ -24,13 +24,8 @@ def user_info
     info.merge!(ial2_attributes) if identity_proofing_requested_for_verified_user?
     info.merge!(x509_attributes) if scoper.x509_scopes_requested?
     info[:verified_at] = verified_at if scoper.verified_at_requested?
-    if identity.vtr.nil?
-      info[:ial] = authn_context_resolver.asserted_ial_acr
-      info[:aal] = requested_aal_value
-    else
-      info[:vot] = vot_values
-      info[:vtm] = IdentityConfig.store.vtm_url
-    end
+    info[:ial] = authn_context_resolver.asserted_ial_acr
+    info[:aal] = requested_aal_value
 
     scoper.filter(info)
   end
@@ -57,15 +52,6 @@ def requested_aal_value
     identity.requested_aal_value
   end
 
-  def vot_values
-    AuthnContextResolver.new(
-      user: identity.user,
-      vtr: JSON.parse(identity.vtr),
-      service_provider: identity&.service_provider_record,
-      acr_values: nil,
-    ).result.expanded_component_values
-  end
-
   def uuid_from_sp_identity(identity)
     AgencyIdentityLinker.new(identity).link_identity.uuid
   end
@@ -158,7 +144,6 @@ def authn_context_resolver
     @authn_context_resolver ||= AuthnContextResolver.new(
       user: identity.user,
       service_provider: identity&.service_provider_record,
-      vtr: identity.vtr.presence && JSON.parse(identity.vtr),
       acr_values: identity.acr_values,
     )
   end

app/presenters/saml_requested_attributes_presenter.rb

@@ -18,10 +18,9 @@ class SamlRequestedAttributesPresenter
     zipcode: :address,
   }.freeze
 
-  def initialize(service_provider:, ial:, vtr:, authn_request_attribute_bundle:)
+  def initialize(service_provider:, ial:, authn_request_attribute_bundle:)
     @service_provider = service_provider
     @ial = ial
-    @vtr = vtr
     @authn_request_attribute_bundle = authn_request_attribute_bundle
   end
 
@@ -39,26 +38,18 @@ def requested_attributes
 
   private
 
-  attr_reader :service_provider, :ial, :vtr, :authn_request_attribute_bundle
+  attr_reader :service_provider, :ial, :authn_request_attribute_bundle
 
   def identity_proofing_requested?
-    if vtr.present?
-      parsed_vectors_of_trust.any? { |vot_result| vot_result.identity_proofing? }
-    else
-      Vot::AcrComponentValues.by_name[ial]&.requirements&.include?(
-        :identity_proofing,
-      )
-    end
+    Vot::AcrComponentValues.by_name[ial]&.requirements&.include?(
+      :identity_proofing,
+    )
   end
 
   def ialmax_requested?
     Vot::AcrComponentValues.by_name[ial]&.requirements&.include?(:ialmax)
   end
 
-  def parsed_vectors_of_trust
-    vtr.map { |vot| Vot::Parser.new(vector_of_trust: vot).parse }
-  end
-
   def bundle
     @bundle ||= (
       authn_request_attribute_bundle || service_provider&.attribute_bundle || []

app/services/analytics.rb

@@ -166,15 +166,14 @@ def differentiator
   def resolved_authn_context_result
     return nil if sp.blank? ||
                   session[:sp].blank? ||
-                  (session[:sp][:vtr].blank? && session[:sp][:acr_values].blank?)
+                  session[:sp][:acr_values].blank?
     return @resolved_authn_context_result if defined?(@resolved_authn_context_result)
 
     service_provider = ServiceProvider.find_by(issuer: sp)
 
     @resolved_authn_context_result = AuthnContextResolver.new(
       user: user,
       service_provider:,
-      vtr: session[:sp][:vtr],
       acr_values: session[:sp][:acr_values],
     ).result
   rescue Vot::Parser::ParseException

app/services/analytics_events.rb

@@ -6722,12 +6722,12 @@ def openid_connect_request_authorization(
     client_id:,
     scope:,
     acr_values:,
-    vtr:,
-    vtr_param:,
     unauthorized_scope:,
     user_fully_authenticated:,
     error_details: nil,
     unknown_authn_contexts: nil,
+    vtr: nil,
+    vtr_param: nil,
     **extra
   )
     track_event(
@@ -7601,14 +7601,14 @@ def saml_auth_request(
     requested_ial:,
     authn_context:,
     requested_aal_authn_context:,
-    requested_vtr_authn_contexts:,
     force_authn:,
     final_auth_request:,
     service_provider:,
     request_signed:,
     matching_cert_serial:,
     unknown_authn_contexts:,
     user_fully_authenticated:,
+    requested_vtr_authn_contexts: nil,
     **extra
   )
     track_event(
@@ -7800,18 +7800,18 @@ def sp_redirect_initiated(
     ial:,
     billed_ial:,
     sign_in_flow:,
-    vtr:,
     acr_values:,
     sign_in_duration_seconds:,
+    vtr: nil,
     **extra
   )
     track_event(
       'SP redirect initiated',
       ial:,
       billed_ial:,
       sign_in_flow:,
-      vtr: vtr,
-      acr_values: acr_values,
+      vtr:,
+      acr_values:,
       sign_in_duration_seconds:,
       **extra,
     )