Override EntityId on outgoing AR to SA GW

OpenConext · Nov 21, 2023 · 57fe036 · 57fe036
1 parent eabfc29
commit 57fe036
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 10 deletions.
diff --git a/library/EngineBlock/Application/DiContainer.php b/library/EngineBlock/Application/DiContainer.php
@@ -17,7 +17,7 @@
  */
 
 use Doctrine\ORM\EntityManager;
-use OpenConext\EngineBlock\Metadata\Factory\Factory\ServiceProviderFactor;
+use OpenConext\EngineBlock\Metadata\Factory\Factory\ServiceProviderFactory;
 use OpenConext\EngineBlock\Metadata\LoaRepository;
 use OpenConext\EngineBlock\Metadata\MetadataRepository\MetadataRepositoryInterface;
 use OpenConext\EngineBlock\Service\MfaHelperInterface;
@@ -521,6 +521,12 @@ protected function getStepupEndpoint()
         return $this->container->get('engineblock.configuration.stepup.endpoint');
     }
 
+    /** @return string */
+    public function getStepupEntityIdOverrideValue()
+    {
+        return $this->container->getParameter('stepup.sfo.override_engine_entityid');
+    }
+
     public function getCookieDomain()
     {
         return $this->container->getParameter('cookie.locale.domain');

diff --git a/library/EngineBlock/Corto/ProxyServer.php b/library/EngineBlock/Corto/ProxyServer.php
@@ -16,6 +16,7 @@
  * limitations under the License.
  */
 
+use OpenConext\EngineBlock\Exception\MissingParameterException;
 use OpenConext\EngineBlock\Metadata\Entity\AbstractRole;
 use OpenConext\EngineBlock\Metadata\Entity\IdentityProvider;
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
@@ -487,6 +488,32 @@ public function sendStepupAuthenticationRequest(
         $nameIdOverwrite->setFormat(Constants::NAMEID_UNSPECIFIED);
         $sspMessage->setNameId($nameIdOverwrite);
 
+        // See: UPGRADING.md -> ## 6.13 -> 6.14
+        $container = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer();
+        $entityIdOverrideValue = $container->getStepupEntityIdOverrideValue();
+        $features = $container->getFeatureConfiguration();
+        $isConfigured = $features->hasFeature('eb.stepup.sfo.override_engine_entityid');
+        $isEnabled = $features->isEnabled('eb.stepup.sfo.override_engine_entityid');
+
+        if ($isEnabled && $isConfigured) {
+            if (empty($entityIdOverrideValue)) {
+                throw new MissingParameterException(
+                    'When feature "feature_stepup_sfo_override_engine_entityid" is enabled,
+                     you must provide the "stepup.sfo.override_engine_entityid" parameter.'
+                );
+            }
+            $this->_logger->notice(
+                sprintf(
+                    'Feature eb.stepup.sfo.override_engine_entityid is enabled, overriding the Issuer of the AR to the ' .
+                    'StepUp Gateway. Updated the Issuer to "%s"',
+                    $entityIdOverrideValue
+                )
+            );
+            $issuer = new Issuer();
+            $issuer->setValue($entityIdOverrideValue);
+            $sspMessage->setIssuer($issuer);
+        }
+
         // Link with the original Request
         $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($this->_logger);
         $authnRequestRepository->store($spRequest);

diff --git a/src/OpenConext/EngineBlock/Metadata/Factory/Factory/ServiceProviderFactory.php b/src/OpenConext/EngineBlock/Metadata/Factory/Factory/ServiceProviderFactory.php
@@ -35,6 +35,7 @@
 /**
  * This factory is used for instantiating an entity with the required adapters and/or decorators set.
  * It also makes sure that static, internally used, entities can be generated without the use of the database.
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class ServiceProviderFactory
 {
@@ -108,7 +109,10 @@ public function createStepupEntityFrom(string $keyId): ServiceProviderEntityInte
 
         if ($isEnabled && $isConfigured) {
             if (empty($this->entityIdOverrideValue)) {
-                throw new MissingParameterException('When feature "feature_stepup_sfo_override_engine_entityid" is enabled, you must provide the "stepup.sfo.override_engine_entityid" parameter.');
+                throw new MissingParameterException(
+                    'When feature "feature_stepup_sfo_override_engine_entityid" is enabled, you must provide the '.
+                    '"stepup.sfo.override_engine_entityid" parameter.'
+                );
             }
             $entityId = $this->entityIdOverrideValue;
         }

diff --git a/src/OpenConext/EngineBlock/Stepup/StepupEntityFactory.php b/src/OpenConext/EngineBlock/Stepup/StepupEntityFactory.php
@@ -18,7 +18,6 @@
 namespace OpenConext\EngineBlock\Stepup;
 
 use EngineBlock_X509_CertificateFactory;
-use OpenConext\EngineBlock\Metadata\EmptyMduiElement;
 use OpenConext\EngineBlock\Metadata\Entity\IdentityProvider;
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Metadata\IndexedService;
@@ -29,7 +28,6 @@
 
 class StepupEntityFactory
 {
-
     /**
      * @throws \EngineBlock_Exception
      */

diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/StepupKeyRollover.feature b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/StepupKeyRollover.feature
@@ -25,11 +25,19 @@ Feature:
     When I go to Engineblock URL "/authentication/stepup/metadata"
     Then the response should match xpath '//md:EntityDescriptor[@entityID="https://engine.vm.openconext.com/new/stepup/metadata"]'
 
+  # Note that we can not ascertain programatically if the Issuer is updated as this is an internal
+  # redirect response where we can not easily intervene with the browser (we would need to disable
+  # auto-following of redirects). This test does hit the code, and proves that the authentication
+  # is not broken by it.
   Scenario: When stepup.sfo.override_engine_entityid is configured, the the Issuer is updated
-    Given the SP "SSO-SP" requires Stepup LoA "http://vm.openconext.org/assurance/loa2"
-    And feature "eb.stepup.sfo.override_engine_entityid" is enabled
+    Given feature "eb.stepup.sfo.override_engine_entityid" is enabled
+    And the SP "SSO-SP" requires Stepup LoA "http://vm.openconext.org/assurance/loa2"
     When I log in at "SSO-SP"
     And I select "SSO-IdP" on the WAYF
-    Then the response should match xpath '//md:EntityDescriptor[@entityID="https://engine.vm.openconext.com/new/stepup/metadata"]'
-
-
+    And I pass through EngineBlock
+    # This is where the Issuer is overridden. See: \EngineBlock_Corto_ProxyServer::sendStepupAuthenticationRequest
+    And I pass through the IdP
+    And Stepup will successfully verify a user
+    And I give my consent
+    And I pass through EngineBlock
+    Then the url should match "/functional-testing/SSO-SP/acs"
diff --git a/...ext/EngineBlockFunctionalTestingBundle/Fixtures/FunctionalTestingFeatureConfiguration.php b/...ext/EngineBlockFunctionalTestingBundle/Fixtures/FunctionalTestingFeatureConfiguration.php
@@ -42,7 +42,7 @@ final class FunctionalTestingFeatureConfiguration implements FeatureConfiguratio
      */
     private $dataStore;
 
-    public function __construct(TestFeatureConfiguration $featureConfiguration, AbstractDataStore $dataStore)
+    public function __construct(FeatureConfigurationInterface $featureConfiguration, AbstractDataStore $dataStore)
     {
         $this->featureConfiguration = $featureConfiguration;
         $this->dataStore            = $dataStore;