Work on MW authorizations

ci/qa/phpunit

@@ -9,5 +9,5 @@ cd $(dirname $0)/../../
 
 # PHPUnit Bridge should always be used in Symfony applications. (https://symfony.com/doc/current/components/phpunit_bridge.html)
 # This will create a phpunit executable in /bin/ instead of /vendor/bin/
-XDEBUG_MODE=coverage ./vendor/bin/phpunit --configuration=ci/qa/phpunit.xml --coverage-text --testsuite=unit $1
-#./vendor/bin/phpunit --configuration=ci/qa/phpunit.xml --testsuite=database
+XDEBUG_MODE=coverage ./vendor/bin/phpunit --configuration=ci/qa/phpunit.xml --coverage-text --testsuite=unit --stop-on-error $1
+./vendor/bin/phpunit --configuration=ci/qa/phpunit.xml --testsuite=database

composer.json

@@ -48,6 +48,7 @@
         "symfony/intl": "6.4.*",
         "symfony/mailer": "6.4.*",
         "symfony/monolog-bundle": "^v3.9",
+        "symfony/password-hasher": "6.4.*",
         "symfony/security-bundle": "6.4.*",
         "symfony/translation": "6.4.*",
         "symfony/twig-bundle": "6.4.*",

config/packages/security.yaml

@@ -12,9 +12,9 @@ security:
             stateless:  true
 
     access_control:
-        - { path: ^/management, roles: [ROLE_MANAGEMENT] } # can be expanded with hosts: or ip:
-        - { path: ^/deprovision, roles: [ROLE_DEPROVISION] }
-        - { roles: [ROLE_SS,ROLE_RA,ROLE_READ] }
+        - { path: ^/management, roles: [IS_AUTHENTICATED_FULLY, ROLE_MANAGEMENT] } # can be expanded with hosts: or ip:
+        - { path: ^/deprovision, roles: [IS_AUTHENTICATED_FULLY, ROLE_DEPROVISION] }
+        - { roles: [IS_AUTHENTICATED_FULLY, ROLE_SS, ROLE_RA, ROLE_READ] }
 
     providers:
         in_memory:
@@ -37,4 +37,5 @@ security:
                         roles: 'ROLE_DEPROVISION'
 
     password_hashers:
-        Symfony\Component\Security\Core\User\User: plaintext
+        Symfony\Component\Security\Core\User\InMemoryUser:
+            algorithm: plaintext

config/packages/smoketest/doctrine.yaml

@@ -7,13 +7,19 @@ doctrine:
         host: mariadb
         password: mw_deploy_secret
         user: mw_deploy_user
+        options:
+          1002: 0
       gateway:
         dbname: gateway_test
         host: mariadb
         password: mw_deploy_secret
         user: mw_deploy_user
+        options:
+          1002: 0
       deploy:
         dbname: middleware_test
         host: mariadb
         password: mw_deploy_secret
         user: mw_deploy_user
+        options:
+          1002: 0

config/packages/smoketest/monolog.yaml

@@ -3,17 +3,10 @@ monolog:
         prod-signaler:
             type: fingers_crossed
             action_level: ERROR
-            passthru_level: DEBUG # DEV setting: this means that all message of level DEBUG or higher are always logged
-            #passthru_level: NOTICE # PROD setting this means that all message of level NOTICE or higher are always logged
+            passthru_level: NOTICE # this means that all message of level NOTICE or higher are always logged
             handler: main_syslog
-            bubble: true
+            bubble: false # if we handle it, nothing else should
         main_syslog:
-            type: syslog
-            ident: stepup-middleware
-            facility: user
-            formatter: surfnet_stepup.monolog.json_formatter
-        main_logfile:
             type: stream
-            handler: logfile
-            level: NOTICE
-            path: "%kernel.logs_dir%/%kernel.environment%.log"
+            path: "php://stderr"
+            formatter: surfnet_stepup.monolog.json_formatter

config/packages/test/doctrine.yaml

@@ -4,7 +4,13 @@ doctrine:
     connections:
       middleware:
         url: "sqlite:///%kernel.project_dir%/var/middleware.db"
+        options:
+          1002: 0
       gateway:
         url: "sqlite:///%kernel.project_dir%/var/gateway.db"
+        options:
+          1002: 0
       deploy:
         url: "sqlite:///%kernel.project_dir%/var/deploy.db"
+        options:
+          1002: 0

config/packages/test/monolog.yaml

@@ -1,12 +1,16 @@
 monolog:
     handlers:
-        # Handlers are merged in from config.yml and config_dev.yml. They cannot be disabled or removed. The practical
-        # solution is to assign them the `null` handler, which discards the records.
         prod-signaler:
-            type: "null"
+            type: fingers_crossed
+            action_level: ERROR
+            passthru_level: NOTICE # this means that all message of level NOTICE or higher are always logged
+            handler: main_syslog
+            bubble: false # if we handle it, nothing else should
         main_syslog:
+            type: stream
+            path: "php://stderr"
+            formatter: surfnet_stepup.monolog.json_formatter
+        console:
             type: "null"
         main_logfile:
             type: "null"
-        console:
-            type: "null"

config/routes/routes.yml

@@ -1,5 +1,5 @@
 surfnet_stepup_middleware_management:
-    resource: "Surfnet/StepupMiddleware/ManagementBundle/Resources/config/routing.yml"
+    resource: "@SurfnetStepupMiddlewareManagementBundle/Resources/config/routing.yml"
     prefix:   /management
 
 openconext_monitor:
@@ -12,4 +12,4 @@ nelmio_security_report:
     methods: [POST]
 
 surfnet_stepup_middleware_api:
-    resource: "Surfnet/StepupMiddleware/ApiBundle/Resources/config/routing.yml"
+    resource: "@SurfnetStepupMiddlewareApiBundle/Resources/config/routing.yml"

src/Kernel.php

@@ -7,8 +7,7 @@
 use Symfony\Component\Config\Resource\FileResource;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\HttpKernel\Kernel as BaseKernel;
-use Symfony\Component\Routing\RouteCollectionBuilder;
-use function dirname;
+use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 use const PHP_VERSION_ID;
 
 class Kernel extends BaseKernel
@@ -45,12 +44,12 @@ protected function configureContainer(ContainerBuilder $container, LoaderInterfa
         $loader->load($confDir . '/{services}_' . $this->environment . self::CONFIG_EXTS, 'glob');
     }
 
-    protected function configureRoutes(RouteCollectionBuilder $routes): void
+    protected function configureRoutes(RoutingConfigurator $routes): void
     {
-        $confDir = $this->getProjectDir() . '/config';
+        $extensions = '{php,yml,yaml}';
 
-        $routes->import($confDir . '/{routes}/' . $this->environment . '/*' . self::CONFIG_EXTS, '/', 'glob');
-        $routes->import($confDir . '/{routes}/*' . self::CONFIG_EXTS, '/', 'glob');
-        $routes->import($confDir . '/{routes}' . self::CONFIG_EXTS, '/', 'glob');
+        $routes->import('../config/{routes}/' . $this->environment . "/*.$extensions");
+        $routes->import("../config/{routes}/*.$extensions");
+        $routes->import("../config/{routes}.$extensions");
     }
 }

src/Surfnet/StepupMiddleware/ApiBundle/Tests/Endpoint/ConfiguredInstitutionControllerTest.php

@@ -49,11 +49,13 @@ class ConfiguredInstitutionControllerTest extends WebTestCase
 
     public function setUp(): void
     {
+        self::ensureKernelShutdown();
+        $this->client = static::createClient();
+
         $this->databaseTool = static::getContainer()->get(DatabaseToolCollection::class)->get();
         // Initialises schema.
         $this->databaseTool->loadFixtures([]);
 
-        $this->client = static::createClient();
 
         $passwordSs = $this->client->getKernel()->getContainer()->getParameter('selfservice_api_password');
         $passwordRa = $this->client->getKernel()->getContainer()->getParameter('registration_authority_api_password');