diff --git a/app/Resources/SurfnetStepupBundle/views/Exception/error.html.twig b/app/Resources/SurfnetStepupBundle/views/Exception/error.html.twig deleted file mode 100644 index a393fb726..000000000 --- a/app/Resources/SurfnetStepupBundle/views/Exception/error.html.twig +++ /dev/null @@ -1,15 +0,0 @@ -{% extends '::base.html.twig' %} - -{% block page_title %}{{ 'ss.error.title'|trans({'status_code': statusCode, 'status_text': statusText}) }}{% endblock %} - -{% block content %} -

{{ block('page_title') }}

- -

{{ 'ss.error.text.an_error_occurred'|trans({'status_code': statusCode, 'status_text': statusText}) }}

- {{ 'ss.error.button.go_home'|trans }} - -
-

{{ "now"|date('Y-m-d H:i:s') }}

-

{{ 'ss.error.text.your_art_code'|trans }}: #{{ art }}

-

{{ 'ss.error.text.what_were_you_doing_well_fix_it'|trans }}

-{% endblock %} diff --git a/app/Resources/SurfnetStepupBundle/views/Exception/error404.html.twig b/app/Resources/SurfnetStepupBundle/views/Exception/error404.html.twig deleted file mode 100644 index 8a8eb1b85..000000000 --- a/app/Resources/SurfnetStepupBundle/views/Exception/error404.html.twig +++ /dev/null @@ -1,15 +0,0 @@ -{% extends '::base.html.twig' %} - -{% block page_title %}{{ 'ss.error.page_not_found.title'|trans }}{% endblock %} - -{% block content %} -

{{ block('page_title') }}

- -

{{ 'ss.error.text.page_not_found'|trans }}

- {{ 'ss.error.button.go_home'|trans }} - -
-

{{ "now"|date('Y-m-d H:i:s') }}

-

{{ 'ss.error.text.your_art_code'|trans }}: #{{ art }}

-

{{ 'ss.error.text.if_you_think_this_is_incorrect_report'|trans }}

-{% endblock %} diff --git a/app/Resources/translations/messages.en_GB.xliff b/app/Resources/translations/messages.en_GB.xliff index cff4e6a7e..cf6b2e66d 100644 --- a/app/Resources/translations/messages.en_GB.xliff +++ b/app/Resources/translations/messages.en_GB.xliff @@ -1,6 +1,6 @@ - +
The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message. @@ -17,15 +17,10 @@ /Resources/views/base.html.twig /Resources/views/base.html.twig - - app.subname - Authentication in two steps - /Resources/views/base.html.twig - button.logout Sign out - /Resources/views/base.html.twig + /Resources/views/base.html.twig country code 
@@ -42,73 +37,6 @@ Nederlands /../vendor/surfnet/stepup-bundle/src/Resources/views/translations.twig - - ss.error.button.go_home - Back to Home - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.page_not_found.title - Page not found - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.saml_authn_failed.button.try_again - Retry to sign-in - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig - - - ss.error.saml_authn_failed.text.authn_failed - Sign in unsuccessful. Please try again. - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig - - - ss.error.saml_authn_failed.title - Sign in - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig - - - ss.error.saml_precondition_not_met.text.precondition_not_met - You are not authorised to log in. - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/preconditionNotMet.html.twig - - - ss.error.saml_precondition_not_met.title - Sign in - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/preconditionNotMet.html.twig - - - ss.error.text.an_error_occurred - Oops! Something went wrong. Go back to try again or go to the home screen. - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - - - ss.error.text.if_you_think_this_is_incorrect_report - Please report this error, including the error code, to the helpdesk via help@surfconext.nl - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.text.page_not_found - The page you requested was not found. Please try again or go back to 'Home'. 
- /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.text.what_were_you_doing_well_fix_it - Please report this error, including the error code, to the helpdesk via help@surfconext.nl - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - - - ss.error.text.your_art_code - The error code is - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.title - Error - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - ss.flash.error_while_switching_locale Due to an unknown reason, switching locales failed. @@ -491,19 +419,14 @@ For all devices with a USB port. ss.second_factor.list.button.register_second_factor - Register token - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig - - - ss.second_factor.list.text.add_second_factor - Add new token - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + Add token + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.list.text.no_second_factors There are no tokens registered for your account. Click on 'Register token' to register a new token. - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.list.text.unverified 
@@ -541,12 +464,12 @@ An e-mail with your activation code has been sent to the e-mail address %email%. ss.second_factor.revoke.button.revoke Remove - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.revoke.button.test - Test - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + Test a token + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.revoke.second_factor_type.sms @@ -598,15 +521,30 @@ An e-mail with your activation code has been sent to the e-mail address %email%. YubiKey /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/translations.twig + + ss.second_factor_list.header.expiration_date + Expiration date + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + + + ss.second_factor_list.header.expired_explanation + The token registration period has expired. Please remove your token and restart the registration process. + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + + + ss.second_factor_list.header.expired_warning + Expired + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + ss.second_factor_list.header.second_factor_identifier ID - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor_list.header.type Token - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.security.session_expired.click_to_login 
@@ -626,7 +564,7 @@ An e-mail with your activation code has been sent to the e-mail address %email%. ss.support_url_text Help - /Resources/views/base.html.twig + /Resources/views/base.html.twig ss.test_second_factor.verification_failed @@ -635,7 +573,7 @@ An e-mail with your activation code has been sent to the e-mail address %email%. ss.test_second_factor.verification_successful - The test with your token was successful. You can login with Strong Authentication. + The test with your token was successful. You can login with your token. /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/translations.twig 
@@ -648,6 +586,134 @@ An e-mail with your activation code has been sent to the e-mail address %email%. The verification of the YubiKey code failed due to unknown reasons. Please try again. /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/translations.twig + + stepup.error.authentication_error.description + Sign in unsuccessful. Please try again. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.authentication_error.title + Sign in + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.authn_failed.description + Sign in unsuccessful. Please try again. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.authn_failed.title + Sign in + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.error_code + Error code + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.generic_error.description + Something went wrong. Please try again. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.generic_error.title + Oops! + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.hostname + Application + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.ip_address + IP address + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.missing_required_attribute.title + Missing required attribute + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/ExceptionController.php + + + stepup.error.page_not_found.text + The page you requested was not found. Please try again or go back to Home. 
+ /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error404.html.twig + + + stepup.error.page_not_found.title + Page not found + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error404.html.twig + + + stepup.error.precondition_not_met.description + You are not authorised to sign in + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.precondition_not_met.title + Not authorised to sign in + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.request_id + Request ID + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.signature_validation_failed.description + The SAML request has been signed but the signature could not be validated. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.signature_validation_failed.title + Signature validation failed + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.support_page.text + the support page if this does not fix your problem. 
On this page you will find more information about possible causes of the error and how to contact the support team.]]> + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error404.html.twig + + + stepup.error.timestamp + Time + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.unknown_service_provider.title + Unknown service provider + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsigned_request.description + The SAML request is expected to be signed but it was not + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsigned_request.title + Unsigned request + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsupported_signature.description + The SAMLRequest has been signed, but the signature format is not supported + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsupported_signature.title + Unsupported signature format + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.user_agent + User agent + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + stepup_middleware_client.form.switch_locale.switch Switch diff --git a/app/Resources/translations/messages.nl_NL.xliff b/app/Resources/translations/messages.nl_NL.xliff index afea327e4..a5cdfb70d 100644 --- a/app/Resources/translations/messages.nl_NL.xliff +++ b/app/Resources/translations/messages.nl_NL.xliff @@ -1,6 +1,6 @@ - +
The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message. @@ -17,15 +17,10 @@ /Resources/views/base.html.twig /Resources/views/base.html.twig - - app.subname - Inloggen in twee stappen - /Resources/views/base.html.twig - button.logout Uitloggen - /Resources/views/base.html.twig + /Resources/views/base.html.twig country code 
@@ -42,76 +37,9 @@ Nederlands /../vendor/surfnet/stepup-bundle/src/Resources/views/translations.twig - - ss.error.button.go_home - Terug naar Home - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.page_not_found.title - Pagina niet gevonden - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.saml_authn_failed.button.try_again - Inloggen - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig - - - ss.error.saml_authn_failed.text.authn_failed - Inloggen mislukt. Probeer het nog eens. - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig - - - ss.error.saml_authn_failed.title - Log in - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig - - - ss.error.saml_precondition_not_met.text.precondition_not_met - Je hebt niet de juiste rechten om in te mogen loggen. - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/preconditionNotMet.html.twig - - - ss.error.saml_precondition_not_met.title - Log in - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/preconditionNotMet.html.twig - - - ss.error.text.an_error_occurred - Oeps! Er ging iets mis. Ga terug om het opnieuw te proberen of ga naar het beginscherm. - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - - - ss.error.text.if_you_think_this_is_incorrect_report - Meld deze error code aan de helpdesk via support@surfconext.nl - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.text.page_not_found - De pagina die je zocht kan niet gevonden worden. Probeer het nog eens, of ga terug naar Home. 
- /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.text.what_were_you_doing_well_fix_it - Meld deze error code aan de helpdesk via support@surfconext.nl - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - - - ss.error.text.your_art_code - De fout code is - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - /Resources/SurfnetStepupBundle/views/Exception/error404.html.twig - - - ss.error.title - Foutmelding - /Resources/SurfnetStepupBundle/views/Exception/error.html.twig - ss.flash.error_while_switching_locale - Due to an unknown reason, switching locales failed. + Door een onbekende oorzaak is het wisselen van taal mislukt. /../src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php @@ -491,18 +419,13 @@ Geschikt voor alle devices met een USB-poort. ss.second_factor.list.button.register_second_factor - Registreer token - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig - - - ss.second_factor.list.text.add_second_factor - Registreer nieuw token - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + Token toevoegen + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.list.text.no_second_factors Er zijn geen tokens geregistreerd voor jouw account. Klik op 'Registreer token' om een nieuw token te registreren. - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.list.text.unverified 
@@ -539,12 +462,12 @@ Er is een e-mail met activatiecode gestuurd naar het e-mailadres %email%. Volg d ss.second_factor.revoke.button.revoke Verwijderen - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.revoke.button.test - Testen - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + Test een token + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor.revoke.second_factor_type.sms 
@@ -596,15 +519,30 @@ Er is een e-mail met activatiecode gestuurd naar het e-mailadres %email%. Volg d YubiKey /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/translations.twig + + ss.second_factor_list.header.expiration_date + Verloopdatum + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + + + ss.second_factor_list.header.expired_explanation + De uiterste registratiedatum is verlopen. Registreer het token opnieuw door deze te verwijderen en het registratieproces opnieuw te starten. + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + + + ss.second_factor_list.header.expired_warning + Verlopen + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + ss.second_factor_list.header.second_factor_identifier ID - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.second_factor_list.header.type Token - /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig ss.security.session_expired.click_to_login @@ -624,7 +562,7 @@ Er is een e-mail met activatiecode gestuurd naar het e-mailadres %email%. Volg d ss.support_url_text Help - /Resources/views/base.html.twig + /Resources/views/base.html.twig ss.test_second_factor.verification_failed @@ -633,7 +571,7 @@ Er is een e-mail met activatiecode gestuurd naar het e-mailadres %email%. Volg d ss.test_second_factor.verification_successful - De test met je token is geslaagd. Je kunt inloggen met Sterke Authenticatie. + De test met je token is geslaagd. Je kunt inloggen met je token. /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/translations.twig 
@@ -643,9 +581,137 @@ Er is een e-mail met activatiecode gestuurd naar het e-mailadres %email%. Volg d ss.verify_yubikey_command.otp.verification_error - Het verifiëren van de YubiKey-code is wegens een onbekende reden niet gelukt. Probeer het opnieuw. + Het verifiëren van de YubiKey-code is wegens een onbekende reden nigelukt. Probeer het opnieuw. /../src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/translations.twig + + stepup.error.authentication_error.description + Inloggen mislukt. Probeer het nog eens. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.authentication_error.title + Inloggen + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.authn_failed.description + Inloggen mislukt. Probeer het nog eens. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.authn_failed.title + Inloggen + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.error_code + Foutcode + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.generic_error.description + Er is iets mis gegaan. Probeer het opnieuw. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.generic_error.title + Oeps! 
+ /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.hostname + Applicatie + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.ip_address + IP-adres + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.missing_required_attribute.title + Attribuut ontbreekt + /../src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/ExceptionController.php + + + stepup.error.page_not_found.text + De pagina die je zocht kan niet gevonden worden. Probeer het nog eens, of ga terug naar Home. + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error404.html.twig + + + stepup.error.page_not_found.title + Pagina niet gevonden + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error404.html.twig + + + stepup.error.precondition_not_met.description + Je hebt niet de juiste rechten om in te mogen loggen. + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.precondition_not_met.title + Onvoldoende rechten om in te loggen + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.request_id + Request ID + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.signature_validation_failed.description + Het SAML bericht is ondertekend maar de signature kan niet gevalideerd worden + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.signature_validation_failed.title + Verificatie van signature mislukt + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.support_page.text + de support pagina als dit je probleem niet oplost. 
Op deze pagina vind je meer informatie over de mogelijk oorzaken en hoe je contact kan opnemen met het supportteam.]]> + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error404.html.twig + + + stepup.error.timestamp + Tijd + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + + + stepup.error.unknown_service_provider.title + Onbekende serviceprovider + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsigned_request.description + Het SAML bericht moet ondertekend zijn maar bevat geen signature + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsigned_request.title + Geen signature in SAML bericht + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsupported_signature.description + Het SAML bericht is ondertekend, maar het signature formaat wordt niet ondersteund + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.unsupported_signature.title + Signature formaat wordt niet ondersteund + /../vendor/surfnet/stepup-bundle/src/Controller/ExceptionController.php + + + stepup.error.user_agent + User agent + /../vendor/surfnet/stepup-bundle/src/Resources/views/Exception/error.html.twig + stepup_middleware_client.form.switch_locale.switch Vertalen diff --git a/app/Resources/views/base.html.twig b/app/Resources/views/base.html.twig index a1845d8d2..3f1cda9b6 100644 --- a/app/Resources/views/base.html.twig +++ b/app/Resources/views/base.html.twig @@ -22,9 +22,8 @@ {% endblock header %} {% block page_header %} {% if app.user %}
diff --git a/app/config/config.yml b/app/config/config.yml index 06135c32a..a38fa677f 100644 --- a/app/config/config.yml +++ b/app/config/config.yml @@ -35,7 +35,7 @@ framework: twig: debug: "%kernel.debug%" strict_variables: "%kernel.debug%" - exception_controller: SurfnetStepupBundle:Exception:show + exception_controller: SurfnetStepupSelfServiceSelfServiceBundle:Exception:show globals: global_view_parameters: "@self_service.service.global_view_parameters" @@ -67,27 +67,6 @@ nelmio_security: # Content types: default, script, object, style, img, media, frame, font, connect default: [ self ] -monolog: - handlers: - main: - type: group - members: - - main_graylog - - main_logfile - main_graylog: - type: buffer - handler: graylog - level: NOTICE - main_logfile: - type: stream - handler: logfile - level: NOTICE - path: %kernel.logs_dir%/%kernel.environment%.log - graylog: - type: gelf - publisher: { hostname: %graylog_hostname% } - formatter: surfnet_stepup.monolog.full_message_exception_gelf_message_formatter - mopa_bootstrap: form: show_legend: false @@ -114,6 +93,8 @@ surfnet_stepup_middleware_client: surfnet_saml: hosted: + attribute_dictionary: + ignore_unknown_attributes: true service_provider: enabled: true assertion_consumer_route: selfservice_serviceprovider_consume_assertion @@ -165,7 +146,6 @@ jms_translation: extractors: [] surfnet_stepup_self_service_self_service: - max_number_of_tokens: %number_of_tokens_per_identity% enabled_second_factors: %enabled_second_factors% enabled_generic_second_factors: %enabled_generic_second_factors% second_factor_test_identity_provider: diff --git a/app/config/config_dev.yml b/app/config/config_dev.yml index 9d9254b05..08ca0450c 100644 --- a/app/config/config_dev.yml +++ b/app/config/config_dev.yml 
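Review bot: The `attribute_dictionary: ignore_unknown_attributes: true` setting added under `surfnet_saml.hosted` in the third config.yml hunk has no comment explaining why it is enabled. It appears to make assertion handling skip attributes that are not in the dictionary instead of failing, so an unexpected attribute release by the IdP would pass unnoticed. If that is the intent, record it next to the setting, e.g. `# Attributes that are not in the dictionary are skipped rather than rejected`, and confirm that the attributes the application depends on are still checked explicitly. The second hunk removes the whole `monolog:` block from this file, so it is worth confirming that the `logging.yml` referred to in config_dev.yml is imported for every non-dev environment; otherwise failed sign-ins would no longer be logged.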
@@ -11,45 +11,27 @@ web_profiler: toolbar: "%debug_toolbar%" intercept_redirects: "%debug_redirects%" -# Be careful not to remove the prod-signaler handler, which overwrites -# the prod-signaler handler defined in logging.yml. The handler defined -# in logging.yml disables bubbling which means that none of the handlers -# below are invoked. Since the current dev setup is incompatible with the -# prod setup defined in logging.yml, this means we won't see any logs in -# the infrastructure currently used (graylog). Overwriting the handler -# here resolves that and reinstates the dev logging setup. -# -# this configuration must be replaced to reflect production setup -# see https://www.pivotaltracker.com/story/show/96056010 -# +# The monolog configuration below overwrites the in logging.yml that +# is normally used for production. monolog: handlers: prod-signaler: - type: group - members: - - main_graylog - - main_logfile - - main_debuglog - main_graylog: - type: buffer - handler: graylog - level: NOTICE - main_logfile: - type: stream - handler: logfile - level: NOTICE - path: %kernel.logs_dir%/%kernel.environment%.log + type: fingers_crossed + action_level: ERROR + passthru_level: DEBUG # DEV setting: this means that all message of level DEBUG or higher are always logged + #passthru_level: NOTICE # PROD setting this means that all message of level NOTICE or higher are always logged + handler: main_syslog + bubble: true + main_syslog: + type: syslog + ident: stepup-selfservice + facility: user formatter: surfnet_stepup.monolog.json_formatter - main_debuglog: - type: stream + main_logfile: + type: stream handler: logfile - level: DEBUG - path: "%kernel.logs_dir%/%kernel.environment%.debug.log" - formatter: surfnet_stepup.monolog.json_formatter - graylog: - type: gelf - publisher: { hostname: %graylog_hostname% } - formatter: surfnet_stepup.monolog.full_message_exception_gelf_message_formatter + level: NOTICE + path: %kernel.logs_dir%/%kernel.environment%.log assetic: 
use_controller: "%use_assetic_controller%" diff --git a/app/config/global_view_parameters.yml.dist b/app/config/global_view_parameters.yml.dist index 126fa4e7f..225cf9ee5 100644 --- a/app/config/global_view_parameters.yml.dist +++ b/app/config/global_view_parameters.yml.dist @@ -3,5 +3,5 @@ # Strings containing '%' should be escaped by prepending '%' parameters: support_url: - en_GB: "https://support.surfconext.nl/faq-strong-authentication" - nl_NL: "https://support.surfconext.nl/faq-sterke-authenticatie" + en_GB: "https://support.example.org/faq-strong-authentication" + nl_NL: "https://support.example.org/faq-sterke-authenticatie" diff --git a/app/config/parameters.yml.dist b/app/config/parameters.yml.dist index 4e119b8e4..d6efd89ac 100644 --- a/app/config/parameters.yml.dist +++ b/app/config/parameters.yml.dist @@ -3,7 +3,7 @@ parameters: default_locale: en_GB locales: [nl_NL, en_GB] - locale_cookie_domain: surfconext.nl + locale_cookie_domain: example.org secret: NotSoSecretReplaceMe! debug_toolbar: true @@ -32,7 +32,6 @@ parameters: saml_remote_idp_entity_id: saml_remote_idp_sso_url: saml_remote_idp_certificate: 'FOR CI ONLY, REPLACE WITH ACTUAL VALUE' - graylog_hostname: g2-dev.stepup.coin.surf.net asset_version: 1 second_factor_test_idp_entity_id: ~ @@ -61,6 +60,3 @@ parameters: session_max_absolute_lifetime: 3600 # 1 hours * 60 minutes * 60 seconds session_max_relative_lifetime: 600 # 10 minutes * 60 seconds - - # The maximum number of tokens each identity (person) can register. - number_of_tokens_per_identity: 2 diff --git a/composer.json b/composer.json index 1d522565a..bdb951de8 100644 --- a/composer.json +++ b/composer.json 
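Review bot: In the config_dev.yml hunk `main_logfile` is not referenced by `prod-signaler`, whose only `handler` is now `main_syslog`, and it still carries `handler: logfile` although no `logfile` handler is defined in the visible lines. Either nest it deliberately (for example behind a `group` handler) or drop the leftover key and add a comment saying that the file log is meant to be a separate top-level handler. The added `path: %kernel.logs_dir%/%kernel.environment%.log` is unquoted, unlike the removed debug-log path; writing it as `path: "%kernel.logs_dir%/%kernel.environment%.log"` avoids relying on how the YAML parser treats plain scalars that start with `%`. The header comment reads `overwrites the in logging.yml`, where a noun is missing, presumably `overwrites the handlers in logging.yml`.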
@@ -23,10 +23,10 @@
 "fortawesome/font-awesome": "~4.2.0",
 "jms/translation-bundle": "~1.3.0",
 "jms/di-extra-bundle": "~1.4.0",
- "surfnet/stepup-middleware-client-bundle": "^2.0",
+ "surfnet/stepup-middleware-client-bundle": "^2.4",
 "guzzlehttp/guzzle": "^6",
- "surfnet/stepup-saml-bundle": "^3.0",
- "surfnet/stepup-bundle": "^3.2",
+ "surfnet/stepup-saml-bundle": "^4.0",
+ "surfnet/stepup-bundle": "^3.4.0",
 "surfnet/stepup-u2f-bundle": "dev-develop",
 "mopa/composer-bridge": "~1.5",
 "openconext/monitor-bundle": "^1.0",
diff --git a/composer.lock b/composer.lock
index 6f35e5811..8ab79fc49 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "0ded687d1bc7a1d86d78d88c1c92baba", + "content-hash": "9fad25912e1c03a983366445cb4510f8", "packages": [ { "name": "beberlei/assert", 
@@ -511,59 +511,6 @@ ], "time": "2014-08-26T16:36:44+00:00" }, - { - "name": "graylog2/gelf-php", - "version": "1.5.0", - "source": { - "type": "git", - "url": "https://github.com/bzikarsky/gelf-php.git", - "reference": "bc1175a5b40f585e69a017647286d84211e82544" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/bzikarsky/gelf-php/zipball/bc1175a5b40f585e69a017647286d84211e82544", - "reference": "bc1175a5b40f585e69a017647286d84211e82544", - "shasum": "" - }, - "require": { - "php": ">=5.3.9", - "psr/log": "~1.0" - }, - "provide": { - "psr/log-implementation": "~1.0" - }, - "require-dev": { - "phpunit/phpunit": "~4.3", - "squizlabs/php_codesniffer": "~2.0" - }, - "type": "library", - "extra": { - "branch-alias": { - "dev-master": "1.4.x-dev" - } - }, - "autoload": { - "psr-4": { - "Gelf\\": "src/Gelf" - } - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "MIT" - ], - "authors": [ - { - "name": "Benjamin Zikarsky", - "email": "benjamin@zikarsky.de" - }, - { - "name": "gelf-php contributors", - "homepage": "https://github.com/bzikarsky/gelf-php/contributors" - } - ], - "description": "A php implementation to send log-messages to a GELF compatible backend like Graylog2.", - "time": "2016-06-02T06:04:56+00:00" - }, { "name": "guzzlehttp/guzzle", "version": "6.2.3", 
@@ -2144,26 +2091,26 @@ }, { "name": "surfnet/stepup-bundle", - "version": "3.2.0", + "version": "3.4.2", "source": { "type": "git", "url": "https://github.com/OpenConext/Stepup-bundle.git", - "reference": "547c5bcb8fe1841fa657bbf43c5ea4b8e575ec3a" + "reference": "2542a5f0d3032bc8c995b995dcc029999007393f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/OpenConext/Stepup-bundle/zipball/547c5bcb8fe1841fa657bbf43c5ea4b8e575ec3a", - "reference": "547c5bcb8fe1841fa657bbf43c5ea4b8e575ec3a", + "url": "https://api.github.com/repos/OpenConext/Stepup-bundle/zipball/2542a5f0d3032bc8c995b995dcc029999007393f", + "reference": "2542a5f0d3032bc8c995b995dcc029999007393f", "shasum": "" }, "require": { "ext-gmp": "*", "ext-openssl": "*", - "graylog2/gelf-php": "^1.5", "guzzlehttp/guzzle": "^6.0", "monolog/monolog": "~1.11", "php": "^5.6|^7.0", "sensio/framework-extra-bundle": "~3", + "surfnet/stepup-saml-bundle": "^4.0", "symfony/config": "^2.7", "symfony/dependency-injection": "^2.7", "symfony/form": "^2.7", @@ -2173,7 +2120,6 @@ "symfony/validator": "^2.7" }, "require-dev": { - "liip/rmt": "1.1.*", "mockery/mockery": "0.9.*", "phpmd/phpmd": "^2.0", "phpunit/phpunit": "^4.0", 
@@ -2197,20 +2143,20 @@ "suaas", "surfnet" ], - "time": "2018-03-14T13:11:17+00:00" + "time": "2018-04-12T14:02:19+00:00" }, { "name": "surfnet/stepup-middleware-client-bundle", - "version": "2.3.0", + "version": "2.4.0", "source": { "type": "git", "url": "https://github.com/OpenConext/Stepup-Middleware-clientbundle.git", - "reference": "ae0912254c4090de400a84a76db387e76e896c4d" + "reference": "83aa482f74d290167d8d4713484c6882fd4983c0" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/OpenConext/Stepup-Middleware-clientbundle/zipball/ae0912254c4090de400a84a76db387e76e896c4d", - "reference": "ae0912254c4090de400a84a76db387e76e896c4d", + "url": "https://api.github.com/repos/OpenConext/Stepup-Middleware-clientbundle/zipball/83aa482f74d290167d8d4713484c6882fd4983c0", + "reference": "83aa482f74d290167d8d4713484c6882fd4983c0", "shasum": "" }, "require": { @@ -2220,6 +2166,7 @@ "php": "^5.6|^7.0", "psr/log": "~1.0", "ramsey/uuid": "^3.4", + "surfnet/stepup-bundle": "^3.0", "symfony/config": "^2.7", "symfony/dependency-injection": "^2.7", "symfony/http-kernel": "^2.7", @@ -2250,20 +2197,20 @@ "Apache-2.0" ], "description": "Symfony2 bundle for consuming the Step-up Middleware API.", - "time": "2018-01-18T08:54:37+00:00" + "time": "2018-04-11T07:19:11+00:00" }, { "name": "surfnet/stepup-saml-bundle", - "version": "3.0.0", + "version": "4.0.0", "source": { "type": "git", "url": "https://github.com/OpenConext/Stepup-saml-bundle.git", - "reference": "67e24599a6402fdf602304851bfff915c0c4609c" + "reference": "9bb7098248c7b60c8b2cbc74d996b027de69e68a" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/OpenConext/Stepup-saml-bundle/zipball/67e24599a6402fdf602304851bfff915c0c4609c", - "reference": "67e24599a6402fdf602304851bfff915c0c4609c", + "url": "https://api.github.com/repos/OpenConext/Stepup-saml-bundle/zipball/9bb7098248c7b60c8b2cbc74d996b027de69e68a", + "reference": "9bb7098248c7b60c8b2cbc74d996b027de69e68a", "shasum": "" }, "require": { 
@@ -2298,7 +2245,7 @@ "stepup", "surfnet" ], - "time": "2018-01-17T12:59:03+00:00" + "time": "2018-03-21T09:35:58+00:00" }, { "name": "surfnet/stepup-u2f-bundle", @@ -2306,12 +2253,12 @@ "source": { "type": "git", "url": "https://github.com/OpenConext/Stepup-u2f-bundle.git", - "reference": "b28737d7b8df5ecbdf7a1e952ecfb530a2951c05" + "reference": "67d8400160c5c9048cdd4354303d59243edbb7bf" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/OpenConext/Stepup-u2f-bundle/zipball/b28737d7b8df5ecbdf7a1e952ecfb530a2951c05", - "reference": "b28737d7b8df5ecbdf7a1e952ecfb530a2951c05", + "url": "https://api.github.com/repos/OpenConext/Stepup-u2f-bundle/zipball/67d8400160c5c9048cdd4354303d59243edbb7bf", + "reference": "67d8400160c5c9048cdd4354303d59243edbb7bf", "shasum": "" }, "require": { @@ -2340,7 +2287,7 @@ "Apache-2.0" ], "description": "The SURFnet Step-up U2F bundle contains server-side device verification, and the necessary forms and resources to enable client-side U2F interaction with Step-up Identities", - "time": "2015-09-17T15:02:04+00:00" + "time": "2017-01-27T08:45:00+00:00" }, { "name": "symfony/assetic-bundle", diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/ExceptionController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/ExceptionController.php new file mode 100644 index 000000000..8593d1815 --- /dev/null +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/ExceptionController.php @@ -0,0 +1,49 @@ +getTranslator(); + + if ($exception instanceof MissingRequiredAttributeException) { + $title = $translator->trans('stepup.error.missing_required_attribute.title'); + $description = $exception->getMessage(); + } + + if (isset($title) && isset($description)) { + return [ + 'title' => $title, + 'description' => $description, + ]; + } + + return parent::getPageTitleAndDescription($exception); + } +} 
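Review bot: In the new `ExceptionController::getPageTitleAndDescription`, `$description = $exception->getMessage();` puts the raw exception text on the error page shown to the user. Those messages are produced in `SamlProvider::getSingleStringValue`, where the second throw passes a `$message` that is built outside the visible hunk and is also written to the log, so whatever it says about the assertion would be displayed too. I would show a fixed translated description next to the existing `stepup.error.missing_required_attribute.title` key and leave the detail in the log, e.g. `$description = $translator->trans('stepup.error.missing_required_attribute.description');` (a new translation key). Returning the array directly inside the `instanceof` branch would also make the `isset($title) && isset($description)` check unnecessary. The top of this new file is not legible on this page, so the class declaration and its parent are only inferred from the `parent::` call.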
diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RegistrationController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RegistrationController.php
index 070779135..acc8ad401 100644
--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RegistrationController.php
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RegistrationController.php
@@ -23,6 +23,7 @@
 use Mpdf\Output\Destination as MpdfDestination;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
 use Surfnet\StepupSelfService\SelfServiceBundle\Service\SecondFactorService;
+use Surfnet\StepupSelfService\SelfServiceBundle\Value\AvailableTokenCollection;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -49,7 +50,7 @@ public function displaySecondFactorTypesAction()
 $identity,
 $allSecondFactors,
 $institutionConfigurationOptions->allowedSecondFactors,
- $this->getParameter('self_service.second_factor.max_tokens_per_identity')
+ $institutionConfigurationOptions->numberOfTokensPerIdentity
 );
 if ($secondFactors->getRegistrationsLeft() <= 0) {
@@ -70,10 +71,12 @@ public function displaySecondFactorTypesAction()
 unset($secondFactors->available[$index]);
 }
 }
+
+ $availableTokens = AvailableTokenCollection::from($secondFactors->available, $availableGsspSecondFactors);
+
 return [
 'commonName' => $this->getIdentity()->commonName,
- 'availableSecondFactors' => $secondFactors->available,
- 'availableGsspSecondFactors' => $availableGsspSecondFactors,
+ 'availableSecondFactors' => $availableTokens,
 'verifyEmail' => $this->emailVerificationIsRequired(),
 ];
 }
diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SamlController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SamlController.php
index e73be9428..c2726c6b5 100644
--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SamlController.php
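Review bot: The per-identity token limit passed to `getSecondFactorsForIdentity` in `displaySecondFactorTypesAction` is now `$institutionConfigurationOptions->numberOfTokensPerIdentity`, used exactly as received, where it used to be a required integer from local configuration. Whether the service copes with a missing or non-integer value cannot be seen here, and the `getRegistrationsLeft() <= 0` guard right after the call depends on it. I would cast and check the value before the call, e.g. `$maxTokens = (int) $institutionConfigurationOptions->numberOfTokensPerIdentity;`, and treat anything below 1 as no registrations left. The same argument is changed in `SecondFactorController::listAction`; both method bodies continue outside their hunks.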
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SamlController.php @@ -21,7 +21,7 @@ use Exception; use Surfnet\SamlBundle\Http\XMLResponse; use Surfnet\SamlBundle\SAML2\Response\Assertion\InResponseTo; -use Surfnet\StepupBundle\Value\SecondFactorType; +use Surfnet\StepupBundle\Value\Loa; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; 
@@ -30,41 +30,39 @@ class SamlController extends Controller { /** - * @param string $secondFactorId + * A SelfService user is able to test it's token in this endpoint * * @return \Symfony\Component\HttpFoundation\RedirectResponse * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException * @throws \Symfony\Component\Security\Core\Exception\AccessDeniedException */ - public function testSecondFactorAction($secondFactorId) + public function testSecondFactorAction() { $logger = $this->get('logger'); $logger->notice('Starting second factor test'); $secondFactorService = $this->get('surfnet_stepup_self_service_self_service.service.second_factor'); - $identity = $this->getIdentity(); + $loaResolutionService = $this->get('surfnet_stepup.service.loa_resolution'); + $identity = $this->getIdentity(); - if (!$secondFactorService->identityHasSecondFactorOfStateWithId($identity->id, 'vetted', $secondFactorId)) { + $vettedSecondFactors = $secondFactorService->findVettedByIdentity($identity->id); + if (!$vettedSecondFactors || $vettedSecondFactors->getTotalItems() === 0) { $logger->error( sprintf( - 'Identity "%s" tried to test second factor "%s", but does not own that second factor or it is not vetted', - $identity->id, - $secondFactorId + 'Identity "%s" tried to test a second factor, but does not own a suitable vetted token.', + $identity->id ) ); throw new NotFoundHttpException(); } - $loaResolutionService = $this->get('surfnet_stepup.service.loa_resolution'); $authenticationRequestFactory = $this->get('self_service.test_second_factor_authentication_request_factory'); - $secondFactorTypeService = $this->get('surfnet_stepup.service.second_factor_type'); - $secondFactor = $secondFactorService->findOneVetted($secondFactorId); - $secondFactorType = new SecondFactorType($secondFactor->type); + // By requesting LoA 2 any relevant token can be tested (LoA 2 and 3) $authenticationRequest = $authenticationRequestFactory->createSecondFactorTestRequest( $identity->nameId, - 
$loaResolutionService->getLoaByLevel($secondFactorTypeService->getLevel($secondFactorType)) + $loaResolutionService->getLoaByLevel(Loa::LOA_2) ); $this->get('session')->set('second_factor_test_request_id', $authenticationRequest->getRequestId()); diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SecondFactorController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SecondFactorController.php index 14c70d6e0..dba29fbe4 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SecondFactorController.php +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SecondFactorController.php @@ -41,11 +41,13 @@ public function listAction() // Get all available second factors from the config. $allSecondFactors = $this->getParameter('ss.enabled_second_factors'); + $expirationHelper = $this->get('surfnet_stepup.registration_expiration_helper'); + $secondFactors = $service->getSecondFactorsForIdentity( $identity, $allSecondFactors, $institutionConfigurationOptions->allowedSecondFactors, - $this->getParameter('self_service.second_factor.max_tokens_per_identity') + $institutionConfigurationOptions->numberOfTokensPerIdentity ); return [ @@ -56,6 +58,7 @@ public function listAction() 'verifiedSecondFactors' => $secondFactors->verified, 'vettedSecondFactors' => $secondFactors->vetted, 'availableSecondFactors' => $secondFactors->available, + 'expirationHelper' => $expirationHelper, ]; } diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php index 0e423ac29..3cf42db72 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php 
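Review bot: `testSecondFactorAction` now requests a fixed `Loa::LOA_2` and only checks that the identity owns at least one vetted token, so the comment's claim that any relevant token can be tested holds only if every vetted token is LoA 2 or higher. The `AvailableTokenCollectionTest` fixtures in this commit include a GSSP at LoA 1; if such a token can be vetted in production (not visible here), the lookup passes but the request asks for a level that token does not reach. I would state the assumption in the comment, `// Assumes every vetted token is LoA 2 or 3`, and correct the docblock wording to `its token`. The docblock also still lists `AccessDeniedException`, which nothing in the visible body throws; the method continues past the end of the hunk.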
@@ -34,9 +34,6 @@ public function getConfigTreeBuilder() $this->appendSecondFactorTestIdentityProvider($childNodes); $this->appendSessionConfiguration($childNodes); - $childNodes->integerNode('max_number_of_tokens') - ->isRequired(); - return $treeBuilder; } diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php index 81384ed63..5d7acafe5 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php @@ -63,11 +63,6 @@ public function load(array $configs, ContainerBuilder $container) 'self_service.security.authentication.session.maximum_relative_lifetime_in_seconds', $config['session_lifetimes']['max_relative_lifetime'] ); - $container->setParameter( - 'self_service.second_factor.max_tokens_per_identity', - $config['max_number_of_tokens'] - ); - $this->parseSecondFactorTestIdentityProviderConfiguration( $config['second_factor_test_identity_provider'], $container diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Exception/MissingRequiredAttributeException.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Exception/MissingRequiredAttributeException.php new file mode 100644 index 000000000..cf0d17949 --- /dev/null +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Exception/MissingRequiredAttributeException.php @@ -0,0 +1,25 @@ +{{ block('page_title') }}
- {% if availableSecondFactors.sms is defined %} - {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with { - 'type': 'sms', - 'security': 2, - 'url': path('ss_registration_sms_send_challenge'), - } only %} - {% endif %} - {% if availableSecondFactors.yubikey is defined %} - {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with { - 'type': 'yubikey', - 'security': 3, - 'url': path('ss_registration_yubikey_prove_possession'), - } only %} - {% endif %} - {% if availableSecondFactors.u2f is defined %} - {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with { - 'type': 'u2f', - 'security': 3, - 'url': path('ss_registration_u2f_registration'), - } only %} - {% endif %} - {% for type, secondFactor in availableGsspSecondFactors %} - {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/genericSecondFactor.html.twig' with { - 'type': type, - 'security': secondFactor.loa, - 'url': path('ss_registration_gssf_initiate', {'provider': type}), - 'appAndroidUrl': secondFactor.androidUrl, - 'appIosUrl': secondFactor.iosUrl, - 'secondFactor': secondFactor - } only %} + {% for type, secondFactor in availableSecondFactors.data %} + {% if secondFactor.isGssp %} + {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/genericSecondFactor.html.twig' with { + 'type': type, + 'security': secondFactor.loaLevel, + 'url': path(secondFactor.route, secondFactor.routeParams), + 'appAndroidUrl': secondFactor.viewConfig.androidUrl, + 'appIosUrl': secondFactor.viewConfig.iosUrl, + 'secondFactor': secondFactor.viewConfig + } only %} + {% else %} + {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with { + 'type': type, + 'security': secondFactor.loaLevel, + 'url': path(secondFactor.route), + } only %} + {% endif %} {% endfor %}
{% endblock %} diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig deleted file mode 100644 index beab512ac..000000000 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/authnFailed.html.twig +++ /dev/null @@ -1,12 +0,0 @@ -{% extends '::base.html.twig' %} - -{% block page_title %}{{ 'ss.error.saml_authn_failed.title'|trans }}{% endblock %} - -{% block content %} -

{{ block('page_title') }}

- -

{{ 'ss.error.saml_authn_failed.text.authn_failed'|trans }}

- - {{ 'ss.error.saml_authn_failed.button.try_again'|trans }} - -{% endblock %} diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/preconditionNotMet.html.twig b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/preconditionNotMet.html.twig deleted file mode 100644 index c02a8acee..000000000 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Saml/Exception/preconditionNotMet.html.twig +++ /dev/null @@ -1,9 +0,0 @@ -{% extends '::base.html.twig' %} - -{% block page_title %}{{ 'ss.error.saml_precondition_not_met.title'|trans }}{% endblock %} - -{% block content %} -

{{ block('page_title') }}

- -

{{ 'ss.error.saml_precondition_not_met.text.precondition_not_met'|trans }}

-{% endblock %} diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig index 8f6388805..58a968b87 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig @@ -6,9 +6,9 @@ {% block content %}

{{ block('page_title') }}

- {{ macro.secondFactorTable(vettedSecondFactors, 'ss.second_factor.list.text.vetted', 'vetted', email) }} - {{ macro.secondFactorTable(verifiedSecondFactors, 'ss.second_factor.list.text.verified', 'verified', email) }} - {{ macro.secondFactorTable(unverifiedSecondFactors, 'ss.second_factor.list.text.unverified', 'unverified', email) }} + {{ macro.secondFactorTable(vettedSecondFactors, 'ss.second_factor.list.text.vetted', 'vetted', email, expirationHelper) }} + {{ macro.secondFactorTable(verifiedSecondFactors, 'ss.second_factor.list.text.verified', 'verified', email, expirationHelper) }} + {{ macro.secondFactorTable(unverifiedSecondFactors, 'ss.second_factor.list.text.unverified', 'unverified', email, expirationHelper) }} {% if registrationsLeft > 0 and ((unverifiedSecondFactors.elements is empty and verifiedSecondFactors.elements is empty and vettedSecondFactors.elements is empty) @@ -16,19 +16,18 @@ %} {% if (unverifiedSecondFactors.elements is empty and verifiedSecondFactors.elements is empty and vettedSecondFactors.elements is empty) %}

{{ 'ss.second_factor.list.text.no_second_factors'|trans }}

- {% else %} -

{{ 'ss.second_factor.list.text.add_second_factor'|trans }}

{% endif %} - - {{ 'ss.second_factor.list.button.register_second_factor'|trans }} - + + {{ 'ss.second_factor.list.button.register_second_factor'|trans }} + {% endif %} {% endblock %} -{% macro secondFactorTable(secondFactorCollection, text, state, email) %} +{% macro secondFactorTable(secondFactorCollection, text, state, email, expirationHelper, locale) %} {% if secondFactorCollection.elements is not empty %} + {% set hasExpired = false %}

{{ text|trans({'%email%': email}) }}

@@ -37,6 +36,9 @@ {{ 'ss.second_factor_list.header.type'|trans }} {{ 'ss.second_factor_list.header.second_factor_identifier'|trans }} + {% if state == 'verified' %} + {{ 'ss.second_factor_list.header.expiration_date'|trans }} + {% endif %} {# Action button #} @@ -45,13 +47,17 @@ {{ secondFactor.type|trans_second_factor_type }} {{ secondFactor.secondFactorIdentifier }} + {% if state == 'verified' %} + + {{ expirationHelper.expiresAt(secondFactor.registrationRequestedAt)|localizeddate('full', 'none', locale) }} + {% if expirationHelper.hasExpired(secondFactor.registrationRequestedAt) %} + {% set hasExpired = true %} + {{ 'ss.second_factor_list.header.expired_warning'|trans }} + {% endif %} + + {% endif %}
- {% if state == 'vetted' %} - - {{ 'ss.second_factor.revoke.button.test'|trans }} - {% endif %} {{ 'ss.second_factor.revoke.button.revoke'|trans }} @@ -61,7 +67,22 @@ {% endfor %} + {% if state == 'vetted' %} + + + + + {{ 'ss.second_factor.revoke.button.test'|trans }} + + + + + {% endif %} + + {% if hasExpired %} +

{{ 'ss.second_factor_list.header.expired_warning'|trans }} {{ 'ss.second_factor_list.header.expired_explanation'|trans }} + {% endif %}

{% endif %} diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Handler/ProcessSamlAuthenticationHandler.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Handler/ProcessSamlAuthenticationHandler.php index fea07b282..9f393de1e 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Handler/ProcessSamlAuthenticationHandler.php +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Handler/ProcessSamlAuthenticationHandler.php @@ -18,9 +18,6 @@ namespace Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\Handler; -use Exception; -use SAML2\Response\Exception\PreconditionNotMetException; -use Surfnet\SamlBundle\Http\Exception\AuthnFailedSamlResponseException; use Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger; use Surfnet\SamlBundle\SAML2\Response\Assertion\InResponseTo; use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\AuthenticatedSessionStateHandler; @@ -29,7 +26,6 @@ use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\Token\SamlToken; use Symfony\Bundle\FrameworkBundle\Templating\EngineInterface; use Symfony\Component\HttpFoundation\RedirectResponse; -use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpKernel\Event\GetResponseEvent; use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; 
@@ -109,37 +105,9 @@ public function process(GetResponseEvent $event)
 $logger->notice('No authenticated user and AuthnRequest pending, attempting to process SamlResponse');
- try {
- $assertion = $this->samlInteractionProvider->processSamlResponse($event->getRequest());
- } catch (AuthnFailedSamlResponseException $exception) {
- $logger->notice(sprintf('SAML Authentication failed at IdP: "%s"', $exception->getMessage()));
- $responseBody = $this->templating->render(
- 'SurfnetStepupSelfServiceSelfServiceBundle:Saml/Exception:authnFailed.html.twig',
- ['exception' => $exception]
- );
-
- $event->setResponse(new Response($responseBody, Response::HTTP_UNAUTHORIZED));
-
- return;
- } catch (PreconditionNotMetException $exception) {
- $logger->notice(sprintf('SAMLResponse precondition not met: "%s"', $exception->getMessage()));
- $responseBody = $this->templating->render(
- 'SurfnetStepupSelfServiceSelfServiceBundle:Saml/Exception:preconditionNotMet.html.twig',
- ['exception' => $exception]
- );
-
- $event->setResponse(new Response($responseBody, Response::HTTP_UNAUTHORIZED));
-
- return;
- } catch (Exception $exception) {
- $logger->error(sprintf('Failed SAMLResponse Parsing: "%s"', $exception->getMessage()));
-
- throw new AuthenticationException('Failed SAMLResponse parsing', 0, $exception);
- }
+ $assertion = $this->samlInteractionProvider->processSamlResponse($event->getRequest());
 if (!InResponseTo::assertEquals($assertion, $expectedInResponseTo)) {
- $logger->error('Unknown or unexpected InResponseTo in SAMLResponse');
-
 throw new AuthenticationException('Unknown or unexpected InResponseTo in SAMLResponse');
 }
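Review bot: After this change an InResponseTo mismatch in `process()` is thrown without the `$logger->error('Unknown or unexpected InResponseTo in SAMLResponse')` line, and the next hunk likewise drops both the log entry and the explicit 403 response around `authenticate()`. A mismatched or unsolicited response deserves a record from the component that detected it, and the handler that now receives these exceptions is not part of the visible diff, so it cannot be confirmed that it logs them with the SAML request context. I would keep the one log call before the `throw`, and keep a `$logger->error(...)` for failed authentication unless the central handler is known to write one. `process()` starts and ends outside both hunks.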
@@ -148,16 +116,7 @@ public function process(GetResponseEvent $event)
 $token = new SamlToken();
 $token->assertion = $assertion;
- try {
- $authToken = $this->authenticationManager->authenticate($token);
- } catch (AuthenticationException $failed) {
- $logger->error(sprintf('Authentication Failed, reason: "%s"', $failed->getMessage()));
-
- // By default deny authorization
- $event->setResponse(new Response('', Response::HTTP_FORBIDDEN));
-
- return;
- }
+ $authToken = $this->authenticationManager->authenticate($token);
 $this->authenticatedSession->logAuthenticationMoment();
 $this->tokenStorage->setToken($authToken);
diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Provider/SamlProvider.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Provider/SamlProvider.php
index bfaf0ab7a..1918d6394 100644
--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Provider/SamlProvider.php
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Authentication/Provider/SamlProvider.php
@@ -23,6 +23,7 @@
 use Surfnet\SamlBundle\SAML2\Response\AssertionAdapter;
 use Surfnet\StepupMiddlewareClientBundle\Identity\Dto\Identity;
 use Surfnet\StepupMiddlewareClientBundle\Uuid\Uuid;
+use Surfnet\StepupSelfService\SelfServiceBundle\Exception\MissingRequiredAttributeException;
 use Surfnet\StepupSelfService\SelfServiceBundle\Locale\PreferredLocaleProvider;
 use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\Token\SamlToken;
 use Surfnet\StepupSelfService\SelfServiceBundle\Service\IdentityService;
@@ -118,7 +119,7 @@ private function getSingleStringValue($attribute, AssertionAdapter $translatedAs
 $values = $translatedAssertion->getAttributeValue($attribute);
 if (empty($values)) {
- throw new BadCredentialsException(sprintf('Missing value for required attribute "%s"', $attribute));
+ throw new MissingRequiredAttributeException(sprintf('Missing value for required attribute "%s"', $attribute));
 }
 // see https://www.pivotaltracker.com/story/show/121296389
@@ -141,7 +142,7 @@ private function getSingleStringValue($attribute, AssertionAdapter $translatedAs
 $this->logger->warning($message);
- throw new BadCredentialsException($message);
+ throw new MissingRequiredAttributeException($message);
 }
 return $value;
diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Value/AvailableTokenCollectionTest.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Value/AvailableTokenCollectionTest.php
new file mode 100644
index 000000000..0022fffa5
--- /dev/null
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Value/AvailableTokenCollectionTest.php
@@ -0,0 +1,79 @@ + 'sms', 'yubikey' => 'yubikey']; + $gssp = [ + 'fatima' => $this->getViewConfig('fatima', 2), + 'tiqr' => $this->getViewConfig('tiqr', 3), + 'biometric' => $this->getViewConfig('biometric', 3), + 'intrinsic' => $this->getViewConfig('intrinsic', 1), + ]; + $collection = AvailableTokenCollection::from($nonGssp, $gssp); + + $this->assertCount(6, $collection->getData()); + + $expextedSortOrder = ['intrinsic', 'fatima', 'sms', 'biometric', 'tiqr', 'yubikey']; + $this->assertEquals($expextedSortOrder, array_keys($collection->getData())); + } + + public function test_create_from_empty_input() + { + $nonGssp = []; + $gssp = []; + $collection = AvailableTokenCollection::from($nonGssp, $gssp); + + $this->assertCount(0, $collection->getData()); + } + + public function test_create_from_only_gssp() + { + $nonGssp = []; + $gssp = [ + 'irma' => $this->getViewConfig('irma', 2), + 'tiqr' => $this->getViewConfig('tiqr', 3), + 'aauth' => $this->getViewConfig('aauth', 3), + 'xerxes' => $this->getViewConfig('xerxes', 2), + 'biometric' => $this->getViewConfig('biometric', 3), + 'fatima' => $this->getViewConfig('fatima', 2), + ]; + $collection = AvailableTokenCollection::from($nonGssp, $gssp); + + $this->assertCount(6, $collection->getData()); + + $expextedSortOrder = ['fatima', 'irma', 'xerxes', 'aauth', 'biometric', 'tiqr']; + $this->assertEquals($expextedSortOrder, array_keys($collection->getData())); + } + + private function getViewConfig($tokenType, $loa) + { + $mock = \Mockery::mock(ViewConfig::class); + $mock->shouldReceive('getLoa')->andReturn($loa); + $mock->shouldReceive('getType')->andReturn($tokenType); + return $mock; + } +} diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/AvailableTokenCollection.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/AvailableTokenCollection.php new file mode 100644 index 000000000..c635ae9cc --- /dev/null +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/AvailableTokenCollection.php 
@@ -0,0 +1,72 @@ +collection[$token] = BuiltInToken::fromSecondFactorType($token); + } + + foreach ($gsspTokens as $type => $token) { + $collection->collection[$type] = GsspToken::fromViewConfig($token, $type); + } + + return $collection; + } + + /** + * Sorts and returns the available tokens + * @return AvailableTokenInterface[] + */ + public function getData() + { + $this->sortCollection(); + return $this->collection; + } + + private function sortCollection() + { + // The collection is first sorted by LoA level and then in alphabetic order. + uasort($this->collection, function (AvailableTokenInterface $a, AvailableTokenInterface $b) { + if ($a->getLoaLevel() === $b->getLoaLevel()) { + return strcmp($a->getType(), $b->getType()); + } + return $a->getLoaLevel() > $b->getLoaLevel() ? 1 : -1; + }); + } +} diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/AvailableTokenInterface.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/AvailableTokenInterface.php new file mode 100644 index 000000000..6454969c5 --- /dev/null +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/AvailableTokenInterface.php 
@@ -0,0 +1,42 @@ + [ + 'loaLevel' => 2, + 'route' => 'ss_registration_sms_send_challenge' + ], + 'u2f' => [ + 'loaLevel' => 3, + 'route' => 'ss_registration_u2f_registration' + ], + 'yubikey' => [ + 'loaLevel' => 3, + 'route' => 'ss_registration_yubikey_prove_possession' + ], + ]; + + private $type; + + /** + * @param $type + * @return BuiltInToken + */ + public static function fromSecondFactorType($type) + { + return new self($type); + } + + private function __construct($type) + { + if (!isset($this->supportedTypes[$type])) { + throw InvalidArgumentException::invalidType('valid second factor type', 'type', $type); + } + $this->type = $type; + } + + /** + * @return string + */ + public function getRoute() + { + return $this->supportedTypes[$this->type]['route']; + } + + /** + * @return mixed + */ + public function getType() + { + return $this->type; + } + + /** + * @return int + */ + public function getLoaLevel() + { + return $this->supportedTypes[$this->type]['loaLevel']; + } + + /** + * @return boolean + */ + public function isGssp() + { + return false; + } +} diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/GsspToken.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/GsspToken.php new file mode 100644 index 000000000..705723790 --- /dev/null +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Value/GsspToken.php @@ -0,0 +1,104 @@ +viewConfig = $viewConfig; + $this->type = $type; + } + + /** + * @return string + */ + public function getRoute() + { + return 'ss_registration_gssf_initiate'; + } + + /** + * @return mixed + */ + public function getType() + { + return $this->type; + } + + /** + * @return int + */ + public function getLoaLevel() + { + return (int) $this->viewConfig->getLoa(); + } + + /** + * @return boolean + */ + public function isGssp() + { + return true; + } + + public function getRouteParams() + { + return [ + 'provider' => $this->type, + ]; + } + + public function getViewConfig() + { + return $this->viewConfig; + } +} 
diff --git a/web/images/SURFconext.png b/web/images/SURFconext.png deleted file mode 100644 index 5252e4753..000000000 Binary files a/web/images/SURFconext.png and /dev/null differ diff --git a/web/images/header-logo.png b/web/images/header-logo.png new file mode 100644 index 000000000..a644b41fa Binary files /dev/null and b/web/images/header-logo.png differ