Merge pull request #89 from SURFnet/feature/sf-toggle

Allow enabling of second factors by configuration

Author: rjkip

app/config/config.yml

@@ -162,3 +162,6 @@ jms_translation:
             excluded_names: ['*TestCase.php', '*Test.php']
             excluded_dirs: [cache, data, logs, Tests]
             extractors: []
+
+surfnet_stepup_self_service_self_service:
+    enabled_second_factors: %enabled_second_factors%

app/config/parameters.yml.dist

@@ -44,3 +44,7 @@ parameters:
     stepup_loa_loa3: https://gateway.tld/authentication/loa3
 
     logout_redirect_url: https://www.surf.nl/over-surf/werkmaatschappijen/surfnet
+
+    enabled_second_factors:
+        - sms
+        - yubikey

composer.json

@@ -30,6 +30,7 @@
         "symfony/swiftmailer-bundle": "~2.3"
     },
     "require-dev": {
+        "matthiasnoback/symfony-config-test": "^1.2.0",
         "mockery/mockery": "~0.9.0",
         "sensio/generator-bundle": "~2.3",
         "ibuildings/qa-tools": "~1.1,>=1.1.27",

composer.lock

@@ -48,4 +48,16 @@ protected function getIdentity()
 
         return $user;
     }
+
+    /**
+     * @param string $type
+     */
+    protected function assertSecondFactorEnabled($type)
+    {
+        if (!in_array($type, $this->getParameter('ss.enabled_second_factors'))) {
+            $this->get('logger')->warning('A controller action was called for a disabled second factor');
+
+            throw $this->createNotFoundException();
+        }
+    }
 }

src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Controller.php

@@ -38,6 +38,8 @@ final class GssfController extends Controller
      */
     public function initiateAction($provider)
     {
+        $this->assertSecondFactorEnabled($provider);
+
         return $this->renderInitiateForm($provider);
     }
 
@@ -47,6 +49,8 @@ public function initiateAction($provider)
      */
     public function authenticateAction($provider)
     {
+        $this->assertSecondFactorEnabled($provider);
+
         $provider = $this->getProvider($provider);
 
         $authnRequest = AuthnRequestFactory::createNewRequest(
@@ -77,6 +81,8 @@ public function authenticateAction($provider)
      */
     public function consumeAssertionAction(Request $httpRequest, $provider)
     {
+        $this->assertSecondFactorEnabled($provider);
+
         $provider = $this->getProvider($provider);
 
         $this->get('logger')->notice(
@@ -145,6 +151,8 @@ public function consumeAssertionAction(Request $httpRequest, $provider)
      */
     public function metadataAction($provider)
     {
+        $this->assertSecondFactorEnabled($provider);
+
         $provider = $this->getProvider($provider);
 
         /** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */

src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/GssfController.php

@@ -33,6 +33,8 @@ class SmsController extends Controller
      */
     public function sendChallengeAction(Request $request)
     {
+        $this->assertSecondFactorEnabled('sms');
+
         $identity = $this->getIdentity();
 
         $command = new SendSmsChallengeCommand();
@@ -71,6 +73,8 @@ public function sendChallengeAction(Request $request)
      */
     public function provePossessionAction(Request $request)
     {
+        $this->assertSecondFactorEnabled('sms');
+
         /** @var SmsSecondFactorService $service */
         $service = $this->get('surfnet_stepup_self_service_self_service.service.sms_second_factor');
 

src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php

@@ -32,6 +32,8 @@ class YubikeyController extends Controller
      */
     public function provePossessionAction(Request $request)
     {
+        $this->assertSecondFactorEnabled('yubikey');
+
         $identity = $this->getIdentity();
 
         $command = new VerifyYubikeyOtpCommand();

src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/YubikeyController.php

@@ -31,7 +31,12 @@ class RegistrationController extends Controller
      */
     public function displaySecondFactorTypesAction()
     {
-        return ['commonName' => $this->getIdentity()->commonName];
+        $enabledSecondFactors = $this->getParameter('ss.enabled_second_factors');
+
+        return [
+            'commonName' => $this->getIdentity()->commonName,
+            'enabledSecondFactors' => array_combine($enabledSecondFactors, $enabledSecondFactors),
+        ];
     }
 
     /**

src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RegistrationController.php

@@ -0,0 +1,59 @@
+<?php
+
+/**
+ * Copyright 2015 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\StepupSelfService\SelfServiceBundle\DependencyInjection;
+
+use Surfnet\StepupBundle\Exception\DomainException;
+use Surfnet\StepupBundle\Exception\InvalidArgumentException;
+use Surfnet\StepupBundle\Value\SecondFactorType;
+use Symfony\Component\Config\Definition\Builder\TreeBuilder;
+use Symfony\Component\Config\Definition\ConfigurationInterface;
+
+class Configuration implements ConfigurationInterface
+{
+    public function getConfigTreeBuilder()
+    {
+        $treeBuilder = new TreeBuilder();
+
+        $treeBuilder
+            ->root('surfnet_stepup_self_service_self_service')
+            ->children()
+                ->arrayNode('enabled_second_factors')
+                    ->isRequired()
+                    ->prototype('scalar')
+                        ->validate()
+                            ->ifTrue(function ($type) {
+                                try {
+                                    new SecondFactorType($type);
+                                } catch (InvalidArgumentException $e) {
+                                    return true;
+                                } catch (DomainException $e) {
+                                    return true;
+                                }
+                            })
+                            ->thenInvalid(
+                                'Enabled second factor type "%s" is not one of the valid types. See SecondFactorType'
+                            )
+                        ->end()
+                    ->end()
+                ->end()
+            ->end();
+
+        return $treeBuilder;
+    }
+}

src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php

@@ -35,11 +35,16 @@ class SurfnetStepupSelfServiceSelfServiceExtension extends Extension
      */
     public function load(array $configs, ContainerBuilder $container)
     {
+        $configuration = new Configuration();
+        $config = $this->processConfiguration($configuration, $configs);
+
         $loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
         $loader->load('services.yml');
 
         $container->getDefinition('self_service.locale.request_stack_locale_provider')
             ->replaceArgument(1, $container->getParameter('default_locale'))
             ->replaceArgument(2, $container->getParameter('locales'));
+
+        $container->setParameter('ss.enabled_second_factors', $config['enabled_second_factors']);
     }
 }

src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php

@@ -12,22 +12,26 @@
     <h2>{{ block('page_title') }}</h2>
 
     <div class="row">
-        {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with {
-            'type': 'sms',
-            'security': 2,
-            'url': path('ss_registration_sms_send_challenge')
-        } only %}
-        {#
-        {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with {
-            'type': 'tiqr',
-            'security': 2,
-            'url': path('ss_registration_gssf_initiate', {'provider': 'tiqr'})
-        } only %}
-        #}
-        {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with {
-        'type': 'yubikey',
-        'security': 3,
-        'url': path('ss_registration_yubikey_prove_possession')
-        } only %}
+        {% if enabledSecondFactors.sms is defined %}
+            {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with {
+                'type': 'sms',
+                'security': 2,
+                'url': path('ss_registration_sms_send_challenge')
+            } only %}
+        {% endif %}
+        {% if enabledSecondFactors.tiqr is defined %}
+            {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with {
+                'type': 'tiqr',
+                'security': 2,
+                'url': path('ss_registration_gssf_initiate', {'provider': 'tiqr'})
+            } only %}
+        {% endif %}
+        {% if enabledSecondFactors.yubikey is defined %}
+            {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with {
+                'type': 'yubikey',
+                'security': 3,
+                'url': path('ss_registration_yubikey_prove_possession')
+            } only %}
+        {% endif %}
     </div>
 {% endblock %}