Introduce a second factor interface

This will allow the token fallback without the need of an entity.

Author: pablothedude

src/Surfnet/StepupGateway/GatewayBundle/Controller/SecondFactorController.php

@@ -36,9 +36,11 @@
 use Surfnet\StepupGateway\GatewayBundle\Form\Type\VerifySmsChallengeType;
 use Surfnet\StepupGateway\GatewayBundle\Form\Type\VerifyYubikeyOtpType;
 use Surfnet\StepupGateway\GatewayBundle\Saml\ResponseContext;
+use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactor\SecondFactorInterface;
 use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactorService;
 use Surfnet\StepupGateway\GatewayBundle\Sso2fa\CookieService;
 use Surfnet\StepupGateway\SamlStepupProviderBundle\Controller\SamlProxyController;
+use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\SecondfactorGsspFallback;
 use Symfony\Component\Form\FormError;
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -123,7 +125,7 @@ public function selectSecondFactorForVerification(
             // Now read the SSO cookie
             $ssoCookie = $this->getCookieService()->read($request);
             // Test if the SSO cookie can satisfy the second factor authentication requirements
-            if ($this->getCookieService()->maySkipAuthentication($requiredLoa->getLevel(), $identityNameId, $ssoCookie)) {
+            if ($this->getCookieService()->maySkipAuthentication($requiredLoa->getLevel(), $identityNameId, $ssoCookie, $context)) {
                 $logger->notice(
                     'Skipping second factor authentication. Required LoA was met by the LoA recorded in the cookie',
                     [
@@ -132,7 +134,7 @@ public function selectSecondFactorForVerification(
                     ],
                 );
                 // We use the SF from the cookie as the SF that was used for authenticating the second factor authentication
-                $secondFactor = $this->getSecondFactorService()->findByUuid($ssoCookie->secondFactorId());
+                $secondFactor = $this->getSecondFactorService()->findByUuid($ssoCookie->secondFactorId(), $context);
                 $this->getResponseContext($authenticationMode)->saveSelectedSecondFactor($secondFactor);
                 $this->getResponseContext($authenticationMode)->markSecondFactorVerified();
                 $this->getResponseContext($authenticationMode)->markVerifiedBySsoOn2faCookie(
@@ -168,9 +170,8 @@ public function selectSecondFactorForVerification(
 //                    var_dump($requiredLoa);
 //                    die();
 
-                    $secondFactor = SecondFactor::create('gssp_fallback', 'azuremfa', '');
+                    $secondFactor = SecondfactorGsspFallback::create('azuremfa', $request->getLocale());
                     return $this->selectAndRedirectTo($secondFactor, $context, $authenticationMode);
-
                 }
 
                 return $this->forward(
@@ -356,25 +357,7 @@ public function verifyGssf(Request $request): Response
 
         /** @var SecondFactorService $secondFactorService */
         $secondFactorService = $this->get('gateway.service.second_factor_service');
-        /** @var SecondFactor $secondFactor */
-
-        if ($selectedSecondFactor === 'gssp_fallback') {
-            // Also send the response context service id, as later we need to know if this is regular SSO or SFO authn.
-            $responseContextServiceId = $context->getResponseContextServiceId();
-
-            return $this->forward(
-                SamlProxyController::class . '::sendSecondFactorVerificationAuthnRequest',
-                [
-                    'provider' => 'azuremfa',
-                    'subjectNameId' => '[email protected]',
-                    'responseContextServiceId' => $responseContextServiceId,
-                    'relayState' => $context->getRelayState(),
-                ],
-            );
-
-        }
-
-        $secondFactor = $secondFactorService->findByUuid($selectedSecondFactor);
+        $secondFactor = $secondFactorService->findByUuid($selectedSecondFactor, $context);
         if (!$secondFactor) {
             throw new RuntimeException(
                 sprintf(
@@ -390,8 +373,8 @@ public function verifyGssf(Request $request): Response
         return $this->forward(
             SamlProxyController::class . '::sendSecondFactorVerificationAuthnRequest',
             [
-                'provider' => $secondFactor->secondFactorType,
-                'subjectNameId' => $secondFactor->secondFactorIdentifier,
+                'provider' => $secondFactor->getSecondFactorType(),
+                'subjectNameId' => $secondFactor->getSecondFactorIdentifier(),
                 'responseContextServiceId' => $responseContextServiceId,
                 'relayState' => $context->getRelayState(),
             ],
@@ -412,20 +395,13 @@ public function gssfVerified(Request $request): Response
 
         $selectedSecondFactor = $this->getSelectedSecondFactor($context, $logger);
 
-        if ($selectedSecondFactor === 'gssp_fallback') {
-//            $this->getAuthenticationLogger()->logSecondFactorAuthentication($originalRequestId, $authenticationMode);
-            $context->markSecondFactorVerified();
-
-            $logger->info(sprintf(
-                'Marked GSSF "%s" as verified, forwarding to Gateway controller to respond',
-                $selectedSecondFactor,
-            ));
-
-            return $this->forward($context->getResponseAction());
+        if (!$context->isSecondFactorFallback()) {
+            /** @var SecondFactor $secondFactor */
+            $secondFactor = $this->get('gateway.service.second_factor_service')->findByUuid($selectedSecondFactor);
+        } else {
+            $secondFactor = SecondfactorGsspFallback::create('azuremfa', $context->getSelectedLocale());
         }
 
-            /** @var SecondFactor $secondFactor */
-        $secondFactor = $this->get('gateway.service.second_factor_service')->findByUuid($selectedSecondFactor);
         if (!$secondFactor) {
             throw new RuntimeException(
                 sprintf(
@@ -743,16 +719,16 @@ private function getSelectedSecondFactor(ResponseContext $context, LoggerInterfa
     }
 
     private function selectAndRedirectTo(
-        SecondFactor $secondFactor,
+        SecondFactorInterface $secondFactor,
         ResponseContext $context,
         $authenticationMode,
     ): RedirectResponse {
         $context->saveSelectedSecondFactor($secondFactor);
 
-        $this->getStepupService()->clearSmsVerificationState($secondFactor->secondFactorId);
+        $this->getStepupService()->clearSmsVerificationState($secondFactor->getSecondFactorId());
 
         $secondFactorTypeService = $this->get('surfnet_stepup.service.second_factor_type');
-        $secondFactorType = new SecondFactorType($secondFactor->secondFactorType);
+        $secondFactorType = new SecondFactorType($secondFactor->getSecondFactorType());
 
         $route = 'gateway_verify_second_factor_';
         if ($secondFactorTypeService->isGssf($secondFactorType)) {

src/Surfnet/StepupGateway/GatewayBundle/Entity/SecondFactor.php

@@ -23,6 +23,7 @@
 use Surfnet\StepupBundle\Value\Loa;
 use Surfnet\StepupBundle\Value\SecondFactorType;
 use Surfnet\StepupBundle\Value\VettingType;
+use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactor\SecondFactorInterface;
 
 /**
  * WARNING: Any schema change made to this entity should also be applied to the Middleware SecondFactor entity!
@@ -37,7 +38,7 @@
  *      }
  * )
  */
-class SecondFactor
+class SecondFactor implements SecondFactorInterface
 {
     /**
      * @var int
@@ -118,15 +119,6 @@ final private function __construct()
     {
     }
 
-    public static function create(string $id, string $type, string $displayLocale)
-    {
-        $sf = new self();
-        $sf->secondFactorId = $id;
-        $sf->secondFactorType = $type;
-        $sf->displayLocale = $displayLocale;
-        return $sf;
-    }
-
     public function canSatisfy(Loa $loa, SecondFactorTypeService $service): bool
     {
         $secondFactorType = new SecondFactorType($this->secondFactorType);
@@ -153,4 +145,29 @@ private function determineVettingType(bool $identityVetted): VettingType
         }
         return new VettingType(VettingType::TYPE_SELF_ASSERTED_REGISTRATION);
     }
+
+    public function getSecondFactorId(): string
+    {
+        return $this->secondFactorId;
+    }
+
+    public function getSecondFactorType(): string
+    {
+        return $this->secondFactorType;
+    }
+
+    public function getDisplayLocale(): string
+    {
+        return $this->displayLocale;
+    }
+
+    public function getSecondFactorIdentifier(): string
+    {
+        return $this->secondFactorIdentifier;
+    }
+
+    public function getInstitution(): string
+    {
+        return $this->institution;
+    }
 }

src/Surfnet/StepupGateway/GatewayBundle/EventListener/SecondFactorLocaleListener.php

@@ -58,7 +58,7 @@ public function getLocaleFromSelectedSecondFactor()
             return;
         }
 
-        $secondFactor = $this->secondFactorService->findByUuid($secondFactorId);
+        $secondFactor = $this->secondFactorService->findByUuid($secondFactorId, $this->responseContext);
         if ($secondFactor) {
             return $secondFactor->displayLocale;
         }

src/Surfnet/StepupGateway/GatewayBundle/Monolog/Logger/AuthenticationLogger.php

@@ -20,75 +20,36 @@
 
 use DateTime;
 use Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger;
-use Surfnet\StepupBundle\Service\LoaResolutionService;
-use Surfnet\StepupBundle\Service\SecondFactorTypeService;
-use Surfnet\StepupBundle\Value\Loa;
 use Surfnet\StepupGateway\GatewayBundle\Exception\InvalidArgumentException;
-use Surfnet\StepupGateway\GatewayBundle\Saml\Proxy\ProxyStateHandler;
+use Surfnet\StepupGateway\GatewayBundle\Saml\ResponseContext;
 use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactorService;
 
 class AuthenticationLogger
 {
-    /**
-     * @var ProxyStateHandler
-     */
-    private $ssoProxyStateHandler;
-
-    /**
-     * @var ProxyStateHandler
-     */
-    private $sfoProxyStateHandler;
 
     /**
      * @var SecondFactorService
      */
     private $secondFactorService;
 
-    /**
-     * @var LoaResolutionService
-     */
-    private $loaResolutionService;
-
     /**
      * @var SamlAuthenticationLogger
      */
     private $authenticationChannelLogger;
+    private ResponseContext $sfoResponseContext;
+    private ResponseContext $ssoResponseContext;
 
-    /**
-     * @var SecondFactorTypeService
-     */
-    private $secondFactorTypeService;
 
     public function __construct(
-        LoaResolutionService $loaResolutionService,
-        ProxyStateHandler $ssoProxyStateHandler,
-        ProxyStateHandler $sfoProxyStateHandler,
         SecondFactorService $secondFactorService,
         SamlAuthenticationLogger $authenticationChannelLogger,
-        SecondFactorTypeService $service
+        ResponseContext     $sfoResponseContext,
+        ResponseContext     $ssoResponseContext,
     ) {
-        $this->loaResolutionService = $loaResolutionService;
-        $this->ssoProxyStateHandler = $ssoProxyStateHandler;
-        $this->sfoProxyStateHandler = $sfoProxyStateHandler;
         $this->secondFactorService  = $secondFactorService;
         $this->authenticationChannelLogger = $authenticationChannelLogger;
-        $this->secondFactorTypeService = $service;
-    }
-
-    /**
-     * @param string $requestId The SAML authentication request ID of the original request (not the proxy request).
-     */
-    public function logIntrinsicLoaAuthentication($requestId): void
-    {
-        $context = [
-            'second_factor_id'      => '',
-            'second_factor_type'    => '',
-            'institution'           => '',
-            'authentication_result' => 'NONE',
-            'resulting_loa'         => (string) $this->loaResolutionService->getLoaByLevel(Loa::LOA_1),
-        ];
-
-        $this->log('Intrinsic Loa Requested', $context, $requestId);
+        $this->sfoResponseContext = $sfoResponseContext;
+        $this->ssoResponseContext = $ssoResponseContext;
     }
 
     /**
@@ -97,62 +58,53 @@ public function logIntrinsicLoaAuthentication($requestId): void
      */
     public function logSecondFactorAuthentication(string $requestId, string $authenticationMode): void
     {
-        $stateHandler = $this->getStateHandler($authenticationMode);
-        $secondFactor = $this->secondFactorService->findByUuid($stateHandler->getSelectedSecondFactorId());
-        $loa = $this->loaResolutionService->getLoaByLevel($secondFactor->getLoaLevel($this->secondFactorTypeService));
-
-        $context = [
-            'second_factor_id'      => $secondFactor->secondFactorId,
-            'second_factor_type'    => $secondFactor->secondFactorType,
-            'institution'           => $secondFactor->institution,
-            'authentication_result' => $stateHandler->isSecondFactorVerified() ? 'OK' : 'FAILED',
+        $context = $this->getResponseContext($authenticationMode);
+
+        $secondFactor = $this->secondFactorService->findByUuid($context->getSelectedSecondFactor(), $context);
+        $loa = $this->secondFactorService->getLoaLevel($secondFactor);
+
+        $data = [
+            'second_factor_id'      => $secondFactor->getSecondFactorId(),
+            'second_factor_type'    => $secondFactor->getSecondFactorType(),
+            'institution'           => $secondFactor->getInstitution(),
+            'authentication_result' => $context->isSecondFactorVerified() ? 'OK' : 'FAILED',
             'resulting_loa'         => (string) $loa,
-            'sso' => $stateHandler->isVerifiedBySsoOn2faCookie() ? 'YES': 'NO',
+            'sso' => $context->isVerifiedBySsoOn2faCookie() ? 'YES': 'NO',
         ];
 
-        if ($stateHandler->isVerifiedBySsoOn2faCookie()) {
-            $context['sso_cookie_id'] = $stateHandler->getSsoOn2faCookieFingerprint();
+        if ($context->isVerifiedBySsoOn2faCookie()) {
+            $context['sso_cookie_id'] = $context->getSsoOn2faCookieFingerprint();
         }
 
-        $this->log('Second Factor Authenticated', $context, $requestId);
+        $this->log('Second Factor Authenticated', $data, $requestId, $authenticationMode);
     }
 
     /**
      * @param string $message
-     * @param array  $context
+     * @param array  $data
      * @param string $requestId
      */
-    private function log($message, array $context, $requestId): void
+    private function log(string $message, array $data, string $requestId, string $authenticationMode): void
     {
-        if (!is_string($requestId)) {
-            throw InvalidArgumentException::invalidType('string', 'requestId', $requestId);
-        }
-        // Regardless of authentication type, the authentication mode can be retrieved from any state handler
-        // given you provide the request id
-        $authenticationMode = $this->getStateHandler('sso')->getAuthenticationModeForRequestId($requestId);
-        $stateHandler = $this->getStateHandler($authenticationMode);
+        $context = $this->getResponseContext($authenticationMode);
 
-        $context['identity_id']        = $stateHandler->getIdentityNameId();
-        $context['authenticating_idp'] = $stateHandler->getAuthenticatingIdp();
-        $context['requesting_sp']      = $stateHandler->getRequestServiceProvider();
-        $context['datetime']           = (new DateTime())->format('Y-m-d\\TH:i:sP');
+        $data['identity_id']        = $context->getIdentityNameId();
+        $data['authenticating_idp'] = $context->getAuthenticatingIdp();
+        $data['requesting_sp']      = $context->getRequestServiceProvider();
+        $data['datetime']           = (new DateTime())->format('Y-m-d\\TH:i:sP');
 
-        $this->authenticationChannelLogger->forAuthentication($requestId)->notice($message, $context);
+        $this->authenticationChannelLogger->forAuthentication($requestId)->notice($message, $data);
     }
 
-    /**
-     * @param string $authenticationMode
-     * @return ProxyStateHandler
-     */
-    private function getStateHandler($authenticationMode)
+    private function getResponseContext(string $authenticationMode): ResponseContext
     {
         if ($authenticationMode === 'sfo') {
-            return $this->sfoProxyStateHandler;
+            return $this->sfoResponseContext;
         } elseif ($authenticationMode === 'sso') {
-            return $this->ssoProxyStateHandler;
+            return $this->ssoResponseContext;
         }
         throw new InvalidArgumentException(
-            sprintf('Retrieving a state handler for authentication type %s is not supported', $authenticationMode)
+            sprintf('Retrieving a response context for authentication type %s is not supported', $authenticationMode)
         );
     }
 }

src/Surfnet/StepupGateway/GatewayBundle/Resources/config/services.yml

@@ -73,6 +73,8 @@ services:
         class: Surfnet\StepupGateway\GatewayBundle\Service\SecondFactorService
         arguments:
             - "@gateway.repository.second_factor"
+            - "@surfnet_stepup.service.loa_resolution"
+            - "@surfnet_stepup.service.second_factor_type"
 
     gateway.service.response_proxy:
         class: Surfnet\StepupGateway\GatewayBundle\Service\ProxyResponseService
@@ -172,12 +174,10 @@ services:
     gateway.authentication_logger:
         class: Surfnet\StepupGateway\GatewayBundle\Monolog\Logger\AuthenticationLogger
         arguments:
-            - "@surfnet_stepup.service.loa_resolution"
-            - "@gateway.proxy.sso.state_handler"
-            - "@gateway.proxy.sfo.state_handler"
             - "@gateway.service.second_factor_service"
             - "@gateway.authentication_logger.logger"
-            - "@surfnet_stepup.service.second_factor_type"
+            - "@second_factor_only.response_context"
+            - "@gateway.proxy.response_context"
 
     gateway.authentication_logger.logger:
         class: Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger