Port to main: Use RA roles when testing authorizations (#418)

* Test the authorization repository * Use RA roles when testing authorizations Using the Insitution configuration role setting is semantically incorrect. Using the RA role here is the right way here. In order to get the select raa input for the select list displayed on the forms that allow selection of RA(A) users, a new method was added on the AuthorizationContextService * Improve documentation of authorization decision Documentation is improved by sharpening the logging. Making logging much more verbose should give quick insights into which commands are executed by which identity. The in-line code documentation was also improved by adding insights to some of the classes where this was lacking. * Improve documentation of authorization decision Documentation is improved by sharpening the logging. Making logging much more verbose should give quick insights into which commands are executed by which identity. The in-line code documentation was also improved by adding insights to some of the classes where this was lacking. * Add BC support for authoringSecondFactorIdentifier This field was renamed in the new MW release and updated in the mw client bundle. But we need to allow the old self service to work with the new Middleware. So adding (temporal) support for the old field seems the easiest fix. See: https://www.pivotaltracker.com/story/show/184749323 * Update CHANGELOG.md * Loosen authorization rule for recoverty token search The authorization to read recovery tokens (RT) for ones institution was set to require the RAA role. However, reading and removing RT is a RA action. This commit lowers authz to RA for searching the RT See: https://www.pivotaltracker.com/story/show/184938232 * Allow RA to revoke Recovery Token The RA user was not yet allowed to revoke a recovery token. This is now allowed. As this is a RA role. See: https://www.pivotaltracker.com/story/show/184938232 * Support recovery token revocation in tests The CommandAuthorizationServiceTest did not yet correctly support the RT revocation scenario. Resulting in two failing tests. They were previously under the radar as the phpunit scritp would still return a 0 exit code even tho the tests failed. That was remedied by adding a 'set -e' instruction to that file
OpenConext · Feb 26, 2024 · fd4d739 · fd4d739
1 parent 1fbbbe9
commit fd4d739
Show file tree

Hide file tree

Showing 28 changed files with 1,152 additions and 315 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,15 @@
 - See docs/MiddlewareConfiguration.md
 - See https://www.pivotaltracker.com/epic/show/5024251 for details
 
+# 5.0.10
+- Bugfix: ensure RA(A) authorisations are verified against the ra_listing projection
+  this caused RAA authorisations to be available to RA users.
+- BC: SelfService 3.5 was not compatible with Middleware 5.0.9. The self vet command changed
+  from using the authoring second factor identifier to use the authoring loa. Underwater, the
+  second factor identifier field already transported the loa, in version 5.0 that field was 
+  renamed. In this release MW can support use of both fields. Version 5.1 should remove this
+  support. #402
+
 # 5.0.9
 - Support self-vetting of self-asserted tokens #401
 

diff --git a/ci/qa/create-test-db b/ci/qa/create-test-db
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+cd $(dirname $0)/../../
+
+printf "\nCreating 'middleware' test database\n\n"
+
+./bin/console doctrine:schema:drop -qf --env=test
+./bin/console doctrine:schema:create -q --env=test
diff --git a/ci/qa/phpunit b/ci/qa/phpunit
@@ -1,7 +1,13 @@
 #!/usr/bin/env bash
 
+# Exit the script when any of the statements has a non-true return value
+set -e
+
 cd $(dirname $0)/../../
 
+./ci/qa/create-test-db
+
 # PHPUnit Bridge should always be used in Symfony applications. (https://symfony.com/doc/current/components/phpunit_bridge.html)
 # This will create a phpunit executable in /bin/ instead of /vendor/bin/
-XDEBUG_MODE=coverage ./vendor/bin/phpunit --configuration=ci/qa/phpunit.xml --coverage-text
+XDEBUG_MODE=coverage ./vendor/bin/phpunit --configuration=ci/qa/phpunit.xml --coverage-text --testsuite=unit
+./vendor/bin/phpunit --configuration=ci/qa/phpunit.xml --testsuite=database
diff --git a/ci/qa/phpunit.xml b/ci/qa/phpunit.xml
@@ -16,9 +16,13 @@
     </php>
 
     <testsuites>
-        <testsuite name="Project Test Suite">
+        <testsuite name="unit">
             <directory suffix="Test.php">../../src</directory>
         </testsuite>
+
+        <testsuite name="database">
+            <directory suffix="Test.php">../../tests/database</directory>
+        </testsuite>
     </testsuites>
 
     <filter>

diff --git a/composer.json b/composer.json
@@ -12,6 +12,9 @@
         ]
     },
     "autoload-dev": {
+        "psr-4": {
+            "Surfnet\\StepupMiddleware\\Test\\Database\\": "tests\\database"
+        },
         "classmap": [
             "src/Surfnet/StepupMiddleware/ApiBundle/Tests/Request/commands.php"
         ]
@@ -24,7 +27,6 @@
         "broadway/broadway": "^2.3",
         "broadway/event-store-dbal": "^0.5.0",
         "doctrine/doctrine-bundle": "^1.12",
-        "doctrine/doctrine-fixtures-bundle": "^3.3",
         "doctrine/doctrine-migrations-bundle": "^1.2",
         "doctrine/orm": "^2.5",
         "incenteev/composer-parameter-handler": "~2.0",
@@ -53,7 +55,7 @@
     },
     "require-dev": {
         "doctrine/data-fixtures": "~1.1",
-        "doctrine/doctrine-fixtures-bundle": "^3.3",
+        "doctrine/doctrine-fixtures-bundle": "^3.4",
         "liip/test-fixtures-bundle": "^1.0.0",
         "mockery/mockery": "^1.3",
         "moontoast/math": "~1.1",