Fix role authentication deprecated or logic

OpenConext · Nov 11, 2024 · adf7350 · adf7350
1 parent cacf2a8
commit adf7350
Show file tree

Hide file tree

Showing 25 changed files with 84 additions and 57 deletions.
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
@@ -28,6 +28,8 @@ when@smoketest: &testOverride
             collect: false
         php_errors:
             log: false # prevents user deprecated warnings
+        session:
+            storage_factory_id: session.storage.factory.mock_file
 
 when@test: *testOverride
 when@sometest_event_replay: *testOverride
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/AbstractController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/AbstractController.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Surfnet\StepupMiddleware\ApiBundle\Controller;
+
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController as SymfonyAbstractController;
+
+class AbstractController extends SymfonyAbstractController
+{
+    protected function denyAccessUnlessGrantedOneOff(mixed $attribute, mixed $subject = null, string $message = 'Access Denied.'): void
+    {
+        if (is_array($attribute)) {
+            foreach($attribute as $role){
+                if ($this->isGranted($role, $subject)) {
+                    return;
+                }
+            }
+
+            throw $this->createAccessDeniedException($message);
+        }
+        parent::denyAccessUnlessGranted($attribute, $subject, $message);
+    }
+
+}
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/AuditLogController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/AuditLogController.php
@@ -24,7 +24,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\SecondFactorAuditLogQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\AuditLogService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 
 final class AuditLogController extends AbstractController
@@ -36,7 +36,7 @@ public function __construct(
 
     public function secondFactorAuditLog(Request $request, Institution $institution): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $identityId = $request->get('identityId');
         if (empty($identityId)) {

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/AuthorizationController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/AuthorizationController.php
@@ -21,7 +21,7 @@
 use Surfnet\Stepup\Identity\Value\IdentityId;
 use Surfnet\StepupMiddleware\ApiBundle\Authorization\Service\AuthorizationService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonAuthorizationResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 
 class AuthorizationController extends AbstractController
 {

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/CommandController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/CommandController.php
@@ -31,7 +31,7 @@
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\CreateIdentityCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\UpdateIdentityCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Pipeline\TransactionAwarePipeline;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
@@ -54,7 +54,7 @@ public function __construct(
 
     public function handle(AbstractCommand $command, Metadata $metadata, Request $request): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS']);
         $this->logger->notice(sprintf('Received request to process Command "%s"', $command));
 
         $this->metadataEnricher->setMetadata($metadata);

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/ConfiguredInstitutionController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/ConfiguredInstitutionController.php
@@ -19,7 +19,7 @@
 namespace Surfnet\StepupMiddleware\ApiBundle\Controller;
 
 use Surfnet\StepupMiddleware\ApiBundle\Configuration\Service\ConfiguredInstitutionService;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 
 class ConfiguredInstitutionController extends AbstractController
@@ -31,7 +31,7 @@ public function __construct(
 
     public function collection(): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $allListings = $this->configuredInstitutionService->getAllAsInstitution();
 

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/DeprovisionController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/DeprovisionController.php
@@ -22,7 +22,7 @@
 use Surfnet\Stepup\Exception\DomainException;
 use Surfnet\Stepup\Helper\UserDataFormatterInterface;
 use Surfnet\StepupMiddleware\ApiBundle\Service\DeprovisionServiceInterface;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 
 class DeprovisionController extends AbstractController
@@ -35,7 +35,7 @@ public function __construct(
 
     public function deprovision(string $collabPersonId): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_DEPROVISION']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_DEPROVISION']);
         $errors = [];
         try {
             $userData = $this->deprovisionService->readUserData($collabPersonId);
@@ -56,7 +56,7 @@ public function deprovision(string $collabPersonId): JsonResponse
 
     public function dryRun(string $collabPersonId): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_DEPROVISION']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_DEPROVISION']);
         $errors = [];
         try {
             $userData = $this->deprovisionService->readUserData($collabPersonId);

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/IdentityController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/IdentityController.php
@@ -24,7 +24,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\IdentityService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonNotFoundResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -38,7 +38,7 @@ public function __construct(
 
     public function get(string $id): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
 
         $identity = $this->identityService->find($id);
 
@@ -51,7 +51,7 @@ public function get(string $id): JsonResponse
 
     public function collection(Request $request, Institution $institution): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
 
         $query = new IdentityQuery();
         $query->institution = $institution;
@@ -67,7 +67,7 @@ public function collection(Request $request, Institution $institution): JsonColl
 
     public function getRegistrationAuthorityCredentials(string $identityId): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
 
         $identityService = $this->identityService;
 

diff --git a/...rfnet/StepupMiddleware/ApiBundle/Controller/InstitutionConfigurationOptionsController.php b/...rfnet/StepupMiddleware/ApiBundle/Controller/InstitutionConfigurationOptionsController.php
@@ -23,7 +23,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Configuration\Service\AllowedSecondFactorListService;
 use Surfnet\StepupMiddleware\ApiBundle\Configuration\Service\InstitutionAuthorizationService;
 use Surfnet\StepupMiddleware\ApiBundle\Configuration\Service\InstitutionConfigurationOptionsService;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
@@ -38,7 +38,7 @@ public function __construct(
 
     public function getForInstitution(string $institutionName): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_SS', 'ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_SS', 'ROLE_RA', 'ROLE_READ']);
 
         $institution = new Institution($institutionName);
 

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/ProfileController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/ProfileController.php
@@ -20,7 +20,7 @@
 
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\ProfileService;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Value\Profile;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
@@ -35,7 +35,7 @@ public function __construct(
 
     public function get(Request $request, string $identityId): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         // Is the actor allowed to view the profile page?
         $actorId = $request->get('actorId');

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaCandidateController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaCandidateController.php
@@ -24,7 +24,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\RaCandidateQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RaCandidateService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -43,7 +43,7 @@ public function __construct(
      */
     public function search(Request $request): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $actorId = new IdentityId($request->get('actorId'));
 
@@ -71,7 +71,7 @@ public function search(Request $request): JsonCollectionResponse
      */
     public function get(Request $request): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $actorId = new IdentityId($request->get('actorId'));
 

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaController.php
@@ -21,7 +21,7 @@
 use Surfnet\Stepup\Identity\Value\Institution;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RaListingService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 
 class RaController extends AbstractController
 {
@@ -32,7 +32,7 @@ public function __construct(
 
     public function list(Institution $institution): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_SS', 'ROLE_READ']);
 
         $registrationAuthorityCredentials = $this->raListingService->listRegistrationAuthoritiesFor($institution);
         $count = count($registrationAuthorityCredentials);

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaListingController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaListingController.php
@@ -25,7 +25,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\RaListingQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RaListingService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -40,7 +40,7 @@ public function __construct(
 
     public function get(Request $request, string $identityId): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $actorId = new IdentityId($request->get('actorId'));
         $institution = new Institution($request->get('institution'));
@@ -68,7 +68,7 @@ public function get(Request $request, string $identityId): JsonResponse
      */
     public function search(Request $request): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $actorId = new IdentityId($request->get('actorId'));
 

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaLocationController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaLocationController.php
@@ -23,7 +23,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Configuration\Query\RaLocationQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Configuration\Service\RaLocationService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -36,7 +36,7 @@ public function __construct(
 
     public function search(Request $request, Institution $institution): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
 
         $query = new RaLocationQuery();
         $query->institution = $institution;
@@ -51,7 +51,7 @@ public function search(Request $request, Institution $institution): JsonCollecti
 
     public function get(Request $request): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
 
         $raLocationId = new RaLocationId($request->get('raLocationId'));
         $raLocation = $this->raLocationService->findByRaLocationId($raLocationId);

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaSecondFactorController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaSecondFactorController.php
@@ -24,7 +24,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\RaSecondFactorQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RaSecondFactorService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -38,7 +38,7 @@ public function __construct(
 
     public function collection(Request $request): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $query = $this->buildRaSecondFactorQuery($request);
 
@@ -51,7 +51,7 @@ public function collection(Request $request): JsonCollectionResponse
 
     public function export(Request $request): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $query = $this->buildRaSecondFactorQuery($request);
 

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RecoveryTokenController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/RecoveryTokenController.php
@@ -27,7 +27,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\RecoveryTokenQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RecoveryTokenService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -47,7 +47,7 @@ public function __construct(
 
     public function get(string $id): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
         $this->logger->info(sprintf('Received request to get recovery token: %s', $id));
 
         try {
@@ -60,7 +60,7 @@ public function get(string $id): JsonResponse
 
     public function collection(Request $request): JsonCollectionResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
         $this->logger->info(
             sprintf('Received search request for recovery tokens with params: %s', $request->getQueryString()),
         );

diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/SraaController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/SraaController.php
@@ -21,7 +21,7 @@
 use Surfnet\Stepup\Identity\Value\NameId;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\SraaService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonNotFoundResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 
 class SraaController extends AbstractController
@@ -36,7 +36,7 @@ public function __construct(private readonly SraaService $sraaService)
      */
     public function get(string $nameId): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         $sraa = $this->sraaService->findByNameId(new NameId($nameId));
 
@@ -49,7 +49,7 @@ public function get(string $nameId): JsonResponse
 
     public function list(): JsonResponse
     {
-        $this->denyAccessUnlessGranted(['ROLE_RA', 'ROLE_READ']);
+        $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
         return new JsonResponse($this->sraaService->findAll());
     }