Move logic to dedicated GsspFallbackService

Author: pablothedude

src/Surfnet/StepupGateway/GatewayBundle/Controller/SecondFactorController.php

@@ -40,7 +40,7 @@
 use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactorService;
 use Surfnet\StepupGateway\GatewayBundle\Sso2fa\CookieService;
 use Surfnet\StepupGateway\SamlStepupProviderBundle\Controller\SamlProxyController;
-use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\SecondfactorGsspFallback;
+use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\GsspFallbackService;
 use Symfony\Component\Form\FormError;
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -125,7 +125,7 @@ public function selectSecondFactorForVerification(
             // Now read the SSO cookie
             $ssoCookie = $this->getCookieService()->read($request);
             // Test if the SSO cookie can satisfy the second factor authentication requirements
-            if ($this->getCookieService()->maySkipAuthentication($requiredLoa->getLevel(), $identityNameId, $ssoCookie, $context)) {
+            if ($this->getCookieService()->maySkipAuthentication($requiredLoa->getLevel(), $identityNameId, $ssoCookie)) {
                 $logger->notice(
                     'Skipping second factor authentication. Required LoA was met by the LoA recorded in the cookie',
                     [
@@ -134,7 +134,7 @@ public function selectSecondFactorForVerification(
                     ],
                 );
                 // We use the SF from the cookie as the SF that was used for authenticating the second factor authentication
-                $secondFactor = $this->getSecondFactorService()->findByUuid($ssoCookie->secondFactorId(), $context);
+                $secondFactor = $this->getSecondFactorService()->findByUuid($ssoCookie->secondFactorId());
                 $this->getResponseContext($authenticationMode)->saveSelectedSecondFactor($secondFactor);
                 $this->getResponseContext($authenticationMode)->markSecondFactorVerified();
                 $this->getResponseContext($authenticationMode)->markVerifiedBySsoOn2faCookie(
@@ -146,6 +146,17 @@ public function selectSecondFactorForVerification(
             }
         }
 
+        // Determine if the GSSP fallback flow is allowed so we can continue without a previous registered token
+        if ($this->getGsspFallbackService()->determineGsspFallbackNeeded(
+            $identityNameId,
+            $authenticationMode,
+            $requiredLoa,
+            $this->get('gateway.service.whitelist'),
+        )) {
+            $secondFactor = $this->getGsspFallbackService()->createSecondFactor();
+            return $this->selectAndRedirectTo($secondFactor, $context, $authenticationMode);
+        }
+
         $secondFactorCollection = $this
             ->getStepupService()
             ->determineViableSecondFactors(
@@ -156,24 +167,6 @@ public function selectSecondFactorForVerification(
         switch (count($secondFactorCollection)) {
             case 0:
                 $logger->notice('No second factors can give the determined Loa');
-
-                // todo: handle sso registration bypass.
-                if ($authenticationMode === self::MODE_SFO) {
-                    // - the user does not have an active token
-
-                    // - a LoA1.5 (i.e. self asserted) authentication is requested
-                    // - a fallback GSSP is configured
-                    // - this "fallback" option is enabled for the institution that the user belongs to.
-                    // - the configured user attribute is present in the AuthnRequest
-                    // - handle authentication by forwarding it to a designated GSSP using the GSSP protocol instead of returning an error.
-
-//                    var_dump($requiredLoa);
-//                    die();
-
-                    $secondFactor = SecondfactorGsspFallback::create('azuremfa', $request->getLocale());
-                    return $this->selectAndRedirectTo($secondFactor, $context, $authenticationMode);
-                }
-
                 return $this->forward(
                     'Surfnet\StepupGateway\GatewayBundle\Controller\GatewayController::sendLoaCannotBeGiven',
                     ['authenticationMode' => $authenticationMode],
@@ -357,7 +350,7 @@ public function verifyGssf(Request $request): Response
 
         /** @var SecondFactorService $secondFactorService */
         $secondFactorService = $this->get('gateway.service.second_factor_service');
-        $secondFactor = $secondFactorService->findByUuid($selectedSecondFactor, $context);
+        $secondFactor = $secondFactorService->findByUuid($selectedSecondFactor);
         if (!$secondFactor) {
             throw new RuntimeException(
                 sprintf(
@@ -395,11 +388,11 @@ public function gssfVerified(Request $request): Response
 
         $selectedSecondFactor = $this->getSelectedSecondFactor($context, $logger);
 
-        if (!$context->isSecondFactorFallback()) {
+        if (!$this->getGsspFallbackService()->isSecondFactorFallback()) {
             /** @var SecondFactor $secondFactor */
             $secondFactor = $this->get('gateway.service.second_factor_service')->findByUuid($selectedSecondFactor);
         } else {
-            $secondFactor = SecondfactorGsspFallback::create('azuremfa', $context->getSelectedLocale());
+            $secondFactor = $this->getGsspFallbackService()->createSecondFactor();
         }
 
         if (!$secondFactor) {
@@ -705,6 +698,11 @@ private function getSecondFactorService(): SecondFactorService
         return $this->get('gateway.service.second_factor_service');
     }
 
+    private function getGsspFallbackService(): GsspFallbackService
+    {
+        return $this->get('second_factor_only.gssp_fallback_service');
+    }
+
     private function getSelectedSecondFactor(ResponseContext $context, LoggerInterface $logger): string
     {
         $selectedSecondFactor = $context->getSelectedSecondFactor();

src/Surfnet/StepupGateway/GatewayBundle/EventListener/SecondFactorLocaleListener.php

@@ -58,7 +58,7 @@ public function getLocaleFromSelectedSecondFactor()
             return;
         }
 
-        $secondFactor = $this->secondFactorService->findByUuid($secondFactorId, $this->responseContext);
+        $secondFactor = $this->secondFactorService->findByUuid($secondFactorId);
         if ($secondFactor) {
             return $secondFactor->displayLocale;
         }

src/Surfnet/StepupGateway/GatewayBundle/Monolog/Logger/AuthenticationLogger.php

@@ -60,7 +60,7 @@ public function logSecondFactorAuthentication(string $requestId, string $authent
     {
         $context = $this->getResponseContext($authenticationMode);
 
-        $secondFactor = $this->secondFactorService->findByUuid($context->getSelectedSecondFactor(), $context);
+        $secondFactor = $this->secondFactorService->findByUuid($context->getSelectedSecondFactor());
         $loa = $this->secondFactorService->getLoaLevel($secondFactor);
 
         $data = [
@@ -73,7 +73,7 @@ public function logSecondFactorAuthentication(string $requestId, string $authent
         ];
 
         if ($context->isVerifiedBySsoOn2faCookie()) {
-            $context['sso_cookie_id'] = $context->getSsoOn2faCookieFingerprint();
+            $data['sso_cookie_id'] = $context->getSsoOn2faCookieFingerprint();
         }
 
         $this->log('Second Factor Authenticated', $data, $requestId, $authenticationMode);

src/Surfnet/StepupGateway/GatewayBundle/Resources/config/services.yml

@@ -75,6 +75,7 @@ services:
             - "@gateway.repository.second_factor"
             - "@surfnet_stepup.service.loa_resolution"
             - "@surfnet_stepup.service.second_factor_type"
+            - "@second_factor_only.gssp_fallback_service"
 
     gateway.service.response_proxy:
         class: Surfnet\StepupGateway\GatewayBundle\Service\ProxyResponseService

src/Surfnet/StepupGateway/GatewayBundle/Saml/ResponseContext.php

@@ -257,11 +257,6 @@ public function getSelectedLocale(): string
         return $this->stateHandler->getPreferredLocale();
     }
 
-    public function isSecondFactorFallback(): bool
-    {
-        return $this->stateHandler->isSecondFactorFallback();
-    }
-
     /**
      * @return null|string
      */

src/Surfnet/StepupGateway/GatewayBundle/Service/Gateway/RespondService.php

@@ -83,7 +83,7 @@ public function respond(ResponseContext $responseContext)
 
         $grantedLoa = null;
         if ($responseContext->isSecondFactorVerified()) {
-            $secondFactor = $this->secondFactorService->findByUuid($responseContext->getSelectedSecondFactor(), $responseContext);
+            $secondFactor = $this->secondFactorService->findByUuid($responseContext->getSelectedSecondFactor());
             $grantedLoa = $this->secondFactorService->getLoaLevel($secondFactor);
         }
 

src/Surfnet/StepupGateway/GatewayBundle/Service/SecondFactorService.php

@@ -24,34 +24,37 @@
 use Surfnet\StepupGateway\GatewayBundle\Entity\SecondFactor;
 use Surfnet\StepupGateway\GatewayBundle\Entity\SecondFactorRepository;
 use Surfnet\StepupGateway\GatewayBundle\Exception\RuntimeException;
-use Surfnet\StepupGateway\GatewayBundle\Saml\ResponseContext;
 use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactor\SecondFactorInterface;
+use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\GsspFallbackService;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\SecondfactorGsspFallback;
 
 class SecondFactorService
 {
     private SecondFactorRepository $repository;
     private LoaResolutionService $loaResolutionService;
     private SecondFactorTypeService $secondFactorTypeService;
+    private GsspFallbackService $gsspFallbackService;
 
     public function __construct(
         SecondFactorRepository  $repository,
         LoaResolutionService    $loaResolutionService,
-        SecondFactorTypeService $secondFactorTypeService
+        SecondFactorTypeService $secondFactorTypeService,
+        GsspFallbackService     $gsspFallbackService
     ) {
         $this->repository = $repository;
         $this->loaResolutionService = $loaResolutionService;
         $this->secondFactorTypeService = $secondFactorTypeService;
+        $this->gsspFallbackService = $gsspFallbackService;
     }
 
     /**
      * @param $uuid
      * @return null|SecondFactorInterface
      */
-    public function findByUuid($uuid, ResponseContext $responseContext)
+    public function findByUuid($uuid)
     {
-        if ($responseContext->isSecondFactorFallback()) {
-            return SecondfactorGsspFallback::create('azuremfa', $responseContext->getSelectedLocale());
+        if ($this->gsspFallbackService->isSecondFactorFallback()) {
+            return $this->gsspFallbackService->createSecondFactor();
         }
 
         return $this->repository->findOneBySecondFactorId($uuid);

src/Surfnet/StepupGateway/GatewayBundle/Sso2fa/CookieService.php

@@ -106,7 +106,7 @@ public function handleSsoOn2faCookieStorage(
 
         // We can only set an SSO on 2FA cookie if a second factor authentication is being handled.
         if ($secondFactorId) {
-            $secondFactor = $this->secondFactorService->findByUuid($secondFactorId, $responseContext);
+            $secondFactor = $this->secondFactorService->findByUuid($secondFactorId);
             if (!$secondFactor) {
                 throw new RuntimeException(sprintf('Second Factor token not found with ID: %s', $secondFactorId));
             }
@@ -141,16 +141,15 @@ public function handleSsoOn2faCookieStorage(
     public function maySkipAuthentication(
         float $requiredLoa,
         string $identityNameId,
-        CookieValueInterface $ssoCookie,
-        ResponseContext $responseContext
+        CookieValueInterface $ssoCookie
     ): bool {
 
         // Perform validation on the cookie and its contents
         if (!$this->isCookieValid($ssoCookie, $requiredLoa, $identityNameId)) {
             return false;
         }
 
-        if (!$this->secondFactorService->findByUuid($ssoCookie->secondFactorId(), $responseContext)) {
+        if (!$this->secondFactorService->findByUuid($ssoCookie->secondFactorId(),)) {
             $this->logger->notice(
                 'The second factor stored in the SSO cookie was revoked or has otherwise became unknown to Gateway',
                 [

src/Surfnet/StepupGateway/GatewayBundle/Tests/Service/Gateway/RespondServiceTest.php

@@ -144,7 +144,7 @@ public function it_should_return_a_valid_saml_response_and_update_state_when_the
 
         // Mock second factor service
         $this->secondFactorService->shouldReceive('findByUuid')
-            ->with('mocked-second-factor-id', $this->responseContext)
+            ->with('mocked-second-factor-id')
             ->andReturn($secondFactor);
 
         $this->secondFactorService->shouldReceive('getLoaLevel')

src/Surfnet/StepupGateway/GatewayBundle/Tests/Sso2fa/CookieServiceTest.php

@@ -229,7 +229,7 @@ public function test_storing_a_session_cookie(): void
             ->shouldReceive('finalizeAuthentication');
         $this->secondFactorService
             ->shouldReceive('findByUuid')
-            ->with('sf-id-1234', $this->responseContext)
+            ->with('sf-id-1234')
             ->andReturn($sfMock);
         $this->secondFactorService
             ->shouldReceive('getLoaLevel')
@@ -290,7 +290,7 @@ public function test_storing_a_persistent_cookie(): void
             ->shouldReceive('finalizeAuthentication');
         $this->secondFactorService
             ->shouldReceive('findByUuid')
-            ->with('sf-id-1234', $this->responseContext)
+            ->with('sf-id-1234')
             ->andReturn($sfMock);
         $this->secondFactorService
             ->shouldReceive('getLoaLevel')
@@ -349,7 +349,7 @@ public function test_storing_a_session_cookie_new_authentication(): void
             ->shouldReceive('finalizeAuthentication');
         $this->secondFactorService
             ->shouldReceive('findByUuid')
-            ->with('sf-id-1234', $this->responseContext)
+            ->with('sf-id-1234')
             ->andReturn($sfMock);
         $this->secondFactorService
             ->shouldReceive('getLoaLevel')
@@ -402,7 +402,7 @@ public function test_storing_a_session_cookie_second_factor_not_found(): void
             ->shouldReceive('finalizeAuthentication');
         $this->secondFactorService
             ->shouldReceive('findByUuid')
-            ->with('non-existant', $this->responseContext)
+            ->with('non-existant')
             ->andReturnNull();
 
         self::expectException(RuntimeException::class);
@@ -471,7 +471,7 @@ public function test_storing_a_session_cookie_not_enabled_for_institution(): voi
             ->andReturn(false);
         $this->secondFactorService
             ->shouldReceive('findByUuid')
-            ->with('sf-id-1234', $this->responseContext)
+            ->with('sf-id-1234')
             ->andReturn($sfMock);
         $this->institutionService
             ->shouldReceive('ssoOn2faEnabled')
@@ -503,7 +503,7 @@ public function test_skipping_authentication_succeeds(): void
 
         $this->secondFactorService
             ->shouldReceive('findByUuid')
-            ->with('abcdef-1234', $this->responseContext)
+            ->with('abcdef-1234')
             ->andReturn($yubikey);
 
         self::assertTrue(

src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Controller/SecondFactorOnlyController.php

@@ -24,6 +24,7 @@
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Adfs\Exception\InvalidAdfsResponseException;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Exception\InvalidSecondFactorMethodException;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\AdfsService;
+use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\GsspFallbackService;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\LoginService;
 use Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\RespondService;
 use Symfony\Component\HttpFoundation\Request;
@@ -88,6 +89,10 @@ public function sso(Request $httpRequest): Response
             return $responseRendering->renderRequesterFailureResponse($this->getResponseContext(), $httpRequest);
         }
 
+        // Handle SAML GSSP user attibutes extension
+        $logger->notice('Determine if GSSP user attributes are present for processing later on');
+        $this->getGsspFallbackService()->handleSamlGsspExtension($originalRequest);
+
         $logger->notice('Forwarding to second factor controller for loa determination and handling');
 
         // Forward to the selectSecondFactorForVerificationSsoAction,
@@ -200,4 +205,12 @@ public function getSecondFactorAdfsService()
     {
         return $this->get('second_factor_only.adfs_service');
     }
+
+    /**
+     * @return AdfsService
+     */
+    public function getGsspFallbackService(): GsspFallbackService
+    {
+        return $this->get('second_factor_only.gssp_fallback_service');
+    }
 }

src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Resources/config/services.yml

@@ -170,3 +170,11 @@ services:
         arguments:
             - "@second_factor_only.adfs.request_helper"
             - "@second_factor_only.adfs.response_helper"
+
+
+    second_factor_only.gssp_fallback_service:
+        class: Surfnet\StepupGateway\SecondFactorOnlyBundle\Service\Gateway\GsspFallbackService
+        arguments:
+            - "@gateway.repository.second_factor"
+            - "@gateway.proxy.sfo.state_handler"
+            - "@surfnet_saml.logger"