
Commit 6eca10c

authored
Merge pull request #336 from OpenConext/feature/use-entiltlement-saml-attributes-for-activation-flow
Use saml entitlement attribute for activation flow
2 parents a2ea132 + 6b4ed2b commit 6eca10c

17 files changed

+367
-184
lines changed

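--- a/ci/qa/phpstan-baseline.php
+++ b/ci/qa/phpstan-baseline.php
@@ -741,21 +741,6 @@
 'count' => 1,
 'path' => __DIR__ . '/../../src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Factory/SamlFactory.php',
 ];
-$ignoreErrors[] = [
-'message' => '#^Method Surfnet\\\\StepupSelfService\\\\SelfServiceBundle\\\\Service\\\\ActivationFlowService\\:\\:__construct\\(\\) has parameter \\$options with no value type specified in iterable type array\\.$#',
-'count' => 1,
-'path' => __DIR__ . '/../../src/Surfnet/StepupSelfService/SelfServiceBundle/Service/ActivationFlowService.php',
-];
-$ignoreErrors[] = [
-'message' => '#^Method Surfnet\\\\StepupSelfService\\\\SelfServiceBundle\\\\Service\\\\ActivationFlowService\\:\\:getPreference\\(\\) should return Surfnet\\\\StepupSelfService\\\\SelfServiceBundle\\\\Value\\\\ActivationFlowPreferenceInterface but returns mixed\\.$#',
-'count' => 1,
-'path' => __DIR__ . '/../../src/Surfnet/StepupSelfService/SelfServiceBundle/Service/ActivationFlowService.php',
-];
-$ignoreErrors[] = [
-'message' => '#^Parameter \\#1 \\$preference of class Surfnet\\\\StepupSelfService\\\\SelfServiceBundle\\\\Value\\\\ActivationFlowPreference constructor expects string, array\\|string given\\.$#',
-'count' => 1,
-'path' => __DIR__ . '/../../src/Surfnet/StepupSelfService/SelfServiceBundle/Service/ActivationFlowService.php',
-];
 $ignoreErrors[] = [
 'message' => '#^Parameter \\#2 \\$array of function array_key_exists expects array, array\\<string, int\\|string\\>\\|false given\\.$#',
 'count' => 1,
@@ -1126,11 +1111,6 @@
 'count' => 1,
 'path' => __DIR__ . '/../../src/Surfnet/StepupSelfService/SelfServiceBundle/Twig/Extensions/Extension/SecondFactorType.php',
 ];
-$ignoreErrors[] = [
-'message' => '#^Property Surfnet\\\\StepupSelfService\\\\SelfServiceBundle\\\\Value\\\\ActivationFlowPreference\\:\\:\\$allowedPreferences type has no value type specified in iterable type array\\.$#',
-'count' => 1,
-'path' => __DIR__ . '/../../src/Surfnet/StepupSelfService/SelfServiceBundle/Value/ActivationFlowPreference.php',
-];
 $ignoreErrors[] = [
 'message' => '#^Cannot cast mixed to string\\.$#',
 'count' => 2,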

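--- a/config/openconext/parameters.yaml.dist
+++ b/config/openconext/parameters.yaml.dist
@@ -75,6 +75,10 @@ parameters:
 
 preferred_activation_flow_name: activate
 preferred_activation_flow_options: [ra, self]
+activation_flow_attribute_name: urn:mace:dir:attribute-def:eduPersonEntitlement
+activation_flow_attributes:
+ra: urn:mace:surf.nl:surfsecureid:activation:ra
+self: urn:mace:surf.nl:surfsecureid:activation:self
 
 # Self-asserted tokens: enable/disable recovery methods
 #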
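Review bot: The four new parameters (lines 78–81) carry no comment, although the block directly below them introduces its settings with a `#` header; a reader of the .dist file cannot tell that `activation_flow_attribute_name` names the SAML attribute that is read and that `ra`/`self` are the entitlement values looked for in it, which is only spelled out in the Configuration.php info() texts. Suggest a header above line 78 such as `# Activation flow from the SAML assertion: the attribute named below is read and, when it carries one of the two entitlement values, the matching vetting flow (ra or self) is preferred`. Because these values arrive in the IdP's assertion, the same comment is the natural place to record that the IdP is trusted to decide which flow a user is directed into — presumably the intent, worth confirming with the authenticator's author.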

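--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -17,7 +17,7 @@ security:
 
 saml_based:
 custom_authenticators:
-- Surfnet\SamlBundle\Security\Authentication\SamlAuthenticator
+- Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\SamlAuthenticator
 logout:
 path: /logout
 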

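--- a/config/packages/surfnet_stepup_self_service_self_service.yaml
+++ b/config/packages/surfnet_stepup_self_service_self_service.yaml
@@ -11,3 +11,5 @@ surfnet_stepup_self_service_self_service:
 preferred_activation_flow:
 query_string_field_name: "%preferred_activation_flow_name%"
 options: "%preferred_activation_flow_options%"
+saml_attribute_field_name: "%activation_flow_attribute_name%"
+saml_attributes: "%activation_flow_attributes%"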

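--- a/config/services.yaml
+++ b/config/services.yaml
@@ -57,6 +57,7 @@ services:
 - '@security.helper'
 - "%logout_redirect_url%"
 
+Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\SamlAuthenticator:
 
 Surfnet\StepupSelfService\SelfServiceBundle\EventListener\AuthenticatedUserListener:
 Surfnet\StepupSelfService\SelfServiceBundle\EventListener\ExplicitSessionTimeoutListener: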

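--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/EntryPointController.php
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/EntryPointController.php
@@ -20,12 +20,12 @@
 
 namespace Surfnet\StepupSelfService\SelfServiceBundle\Controller;
 
-use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\AuthenticatedSessionStateHandler;
 use Surfnet\StepupSelfService\SelfServiceBundle\Service\ActivationFlowService;
 use Surfnet\StepupSelfService\SelfServiceBundle\Service\SecondFactorService;
 use Surfnet\StepupSelfService\SelfServiceBundle\Service\SelfAssertedTokens\RecoveryTokenService;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Attribute\Route;
 
 class EntryPointController extends AbstractController
@@ -34,17 +34,17 @@ public function __construct(
 private readonly SecondFactorService $secondFactorService,
 private readonly RecoveryTokenService $recoveryTokenService,
 private readonly ActivationFlowService $activationFlowService,
-private readonly AuthenticatedSessionStateHandler $authStateHandler
 ) {
 }
 #[Route(path: '/', name: 'ss_entry_point', methods:['GET'])]
-public function decideSecondFactorFlow() : RedirectResponse
+public function decideSecondFactorFlow(Request $request) : RedirectResponse
 {
 $identity = $this->getUser()->getIdentity();
 $hasSecondFactor = $this->secondFactorService->doSecondFactorsExistForIdentity($identity->id);
 $hasRecoveryToken = $this->recoveryTokenService->hasRecoveryToken($identity);
 // Check if we need to do a registration flow nudge
-$this->activationFlowService->process($this->authStateHandler->getCurrentRequestUri());
+// This is only used when already logged in
+$this->activationFlowService->processPreferenceFromUri($request->getUri());
 
 return $hasSecondFactor || $hasRecoveryToken
 ? $this->redirectToRoute('ss_second_factor_list')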
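Review bot: The comment added at line 46, `// This is only used when already logged in`, does not say what "this" refers to or why the logged-in case matters, and it sits directly under the older `// Check if we need to do a registration flow nudge`, so the two now read as a single confusing sentence. Suggest replacing it with `// A user who is already authenticated arrives here directly, so the preference can only come from this request's query string; the SAML-entitlement variant is presumably applied during authentication (not in this hunk)`. Unrelated style point on the rewritten signature at line 40: PSR-12 puts no space before the return-type colon, i.e. `public function decideSecondFactorFlow(Request $request): RedirectResponse`. The method body continues past the end of the hunk.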

src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php

Lines changed: 22 additions & 3 deletions
@@ -132,10 +132,29 @@ private function appendActivationFlow(NodeBuilder $childNodes): void
132132
->end()
133133
->arrayNode('options')
134134
->prototype('scalar')
135+
->isRequired()
136+
->info('The options describing the preferred activation flow. Example: ra, self')
137+
->end()
138+
->end()
139+
->scalarNode('saml_attribute_field_name')
135140
->isRequired()
136-
->info('The options describing the preferred activation flow. Example: ra, self')
141+
->info('The name of the entitlement attribute (in SAML assertion) that is read to determine the preferred activation flow')
137142
->end()
138-
->end()
139-
->end();
143+
->arrayNode('saml_attributes')
144+
->isRequired()
145+
->children()
146+
->scalarNode('ra')
147+
->isRequired()
148+
->info('The entitlement attribute name for the ra vetting flow')
149+
->end()
150+
->scalarNode('self')
151+
->isRequired()
152+
->info('The entitlement attribute name for the self vetting flow')
153+
->end()
154+
->end()
155+
->end()
156+
157+
->end()
158+
;
140159
}
141160
}
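Review bot: The info() texts on the new `ra` and `self` nodes (lines 148 and 152) describe the value as "The entitlement attribute name", but the attribute name is the sibling `saml_attribute_field_name` (line 141); these two nodes hold the entitlement *values* that are looked for in that attribute, as parameters.yaml.dist shows (`urn:mace:surf.nl:surfsecureid:activation:ra` / `...:self`). Suggest `->info('The entitlement value that selects the ra vetting flow')` and the same wording for self. The three new scalarNode()s are `isRequired()` but not `cannotBeEmpty()`, so an empty string passes container validation and a misconfiguration only surfaces when the attribute is compared at runtime; adding `->cannotBeEmpty()` after each `->isRequired()` fails fast at container compile time. Style: the blank line at new line 155 inside the builder chain and the `;` alone on line 157 are unusual — the previous version closed the chain with `->end();` on one line. appendActivationFlow() starts before this hunk.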

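--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php
@@ -109,7 +109,9 @@ private function parseActivationFlowPreferenceConfiguration(
 ContainerBuilder $container
 ): void {
 $container->getDefinition(ActivationFlowService::class)
-->replaceArgument(2, $preferenceConfig['query_string_field_name'])
-->replaceArgument(3, $preferenceConfig['options']);
+->replaceArgument(3, $preferenceConfig['query_string_field_name'])
+->replaceArgument(4, $preferenceConfig['options'])
+->replaceArgument(5, $preferenceConfig['saml_attribute_field_name'])
+->replaceArgument(6, $preferenceConfig['saml_attributes']);
 }
 }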
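Review bot: The replaceArgument() indices at lines 112–115 are positional offsets that must be kept in sync by hand with the argument list in Resources/config/services.yaml (which this commit also shifts, by inserting the token storage at position 1) and with the ActivationFlowService constructor, which is not part of this diff; a wrong index is only detected when the service is instantiated, not when the container is compiled. Symfony's Definition::replaceArgument() also accepts the parameter name as key, e.g. `->replaceArgument('$queryStringFieldName', $preferenceConfig['query_string_field_name'])` — substitute the constructor's real parameter names, which I cannot see here. The same coupling applies to the `# See extension` placeholders in the Resources/config/services.yaml hunk of this commit. parseActivationFlowPreferenceConfiguration() starts before this hunk.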

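--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/EventListener/AuthenticatedUserListener.php
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/EventListener/AuthenticatedUserListener.php
@@ -56,7 +56,7 @@ public function updateLastInteractionMoment(RequestEvent $event): void
 }
 $this->logger->notice('Logged in user with a session within time limits detected, updating session state');
 
-// see ExplicitSessionTimeoutHandler for the rationale
+// see ExplicitSessionTimeoutListener for the rationale
 if ($event->getRequest()->getMethod() === 'GET') {
 $this->sessionStateHandler->setCurrentRequestUri($event->getRequest()->getRequestUri());
 }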

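--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/services.yaml
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/services.yaml
@@ -192,10 +192,13 @@ services:
 
 Surfnet\StepupSelfService\SelfServiceBundle\Service\ActivationFlowService:
 arguments:
-- '@request_stack'
+- '@Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\AuthenticatedSessionStateHandler'
+- "@security.token_storage"
 - "@logger"
 - '' # See extension
 - [] # See extension
+- '' # See extension
+- [] # See extension
 
 
 Surfnet\StepupSelfService\SelfServiceBundle\Service\IdentityService: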
