Make the IDP to test second factors with configurable

OpenConext · Feb 27, 2017 · 2ed65ce · 2ed65ce
1 parent e79a58b
commit 2ed65ce
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 1 deletion.
diff --git a/app/config/config.yml b/app/config/config.yml
@@ -170,6 +170,10 @@ jms_translation:
 
 surfnet_stepup_self_service_self_service:
     enabled_second_factors: %enabled_second_factors%
+    second_factor_test_identity_provider:
+        entity_id: '%second_factor_test_idp_entity_id%'
+        sso_url: '%second_factor_test_idp_sso_url%'
+        certificate: '%second_factor_test_idp_certificate%'
     session_lifetimes:
         max_absolute_lifetime: "%session_max_absolute_lifetime%"
         max_relative_lifetime: "%session_max_relative_lifetime%"

diff --git a/app/config/parameters.yml.dist b/app/config/parameters.yml.dist
@@ -40,6 +40,10 @@ parameters:
     graylog_hostname: g2-dev.stepup.coin.surf.net
     asset_version: 1
 
+    second_factor_test_idp_entity_id: ~
+    second_factor_test_idp_sso_url: ~
+    second_factor_test_idp_certificate: ~
+
     stepup_loa_loa1: https://gateway.tld/authentication/loa1
     stepup_loa_loa2: https://gateway.tld/authentication/loa2
     stepup_loa_loa3: https://gateway.tld/authentication/loa3

diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php
@@ -34,6 +34,7 @@ public function getConfigTreeBuilder()
 
         $childNodes = $rootNode->children();
         $this->appendEnabledSecondFactorTypesConfiguration($childNodes);
+        $this->appendSecondFactorTestIdentityProvider($childNodes);
         $this->appendSessionConfiguration($childNodes);
 
         return $treeBuilder;
@@ -83,6 +84,30 @@ function ($lifetime) {
             ->end();
     }
 
+    private function appendSecondFactorTestIdentityProvider(NodeBuilder $childNodes)
+    {
+        $childNodes
+            ->arrayNode('second_factor_test_identity_provider')
+                ->isRequired()
+                ->children()
+                    ->scalarNode('entity_id')
+                        ->isRequired()
+                        ->info('The EntityID of the remote identity provider')
+                    ->end()
+                    ->scalarNode('sso_url')
+                        ->isRequired()
+                        ->info('The name of the route to generate the SSO URL')
+                    ->end()
+                    ->scalarNode('certificate')
+                        ->info('The contents of the certificate used to sign the AuthnResponse with')
+                    ->end()
+                    ->scalarNode('certificate_file')
+                        ->info('A file containing the certificate used to sign the AuthnResponse with')
+                    ->end()
+                ->end()
+            ->end();
+    }
+
     /**
      * @param NodeBuilder $childNodes
      */

diff --git a/...ce/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php b/...ce/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php
@@ -18,8 +18,11 @@
 
 namespace Surfnet\StepupSelfService\SelfServiceBundle\DependencyInjection;
 
+use Surfnet\SamlBundle\Entity\IdentityProvider;
+use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\Config\FileLocator;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Loader;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
 
@@ -56,5 +59,38 @@ public function load(array $configs, ContainerBuilder $container)
             'self_service.security.authentication.session.maximum_relative_lifetime_in_seconds',
             $config['session_lifetimes']['max_relative_lifetime']
         );
+
+        $this->parseSecondFactorTestIdentityProviderConfiguration(
+            $config['second_factor_test_identity_provider'],
+            $container
+        );
+    }
+
+    /**
+     * @param array            $identityProvider
+     * @param ContainerBuilder $container
+     */
+    private function parseSecondFactorTestIdentityProviderConfiguration(
+        array $identityProvider,
+        ContainerBuilder $container
+    ) {
+        $definition = new Definition(IdentityProvider::class);
+        $configuration = [
+            'entityId' => $identityProvider['entity_id'],
+            'ssoUrl' => $identityProvider['sso_url'],
+        ];
+
+        if (isset($identityProvider['certificate_file']) && !isset($identityProvider['certificate'])) {
+            $configuration['certificateFile'] = $identityProvider['certificate_file'];
+        } elseif (isset($identityProvider['certificate'])) {
+            $configuration['certificateData'] = $identityProvider['certificate'];
+        } else {
+            throw new InvalidConfigurationException(
+                'Either surfnet_stepup_self_service_self_service.second_factor_test_identity_provider.certificate_file or surfnet_stepup_self_service_self_service.second_factor_test_identity_provider.certificate must be set.'
+            );
+        }
+
+        $definition->setArguments([$configuration]);
+        $container->setDefinition('self_service.second_factor_test_idp', $definition);
     }
 }
diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/services.yml b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/services.yml
@@ -131,7 +131,7 @@ services:
         class: Surfnet\StepupSelfService\SelfServiceBundle\Service\TestSecondFactor\TestAuthenticationRequestFactory
         arguments:
             - '@surfnet_saml.hosted.service_provider'
-            - '@surfnet_saml.remote.idp'
+            - '@self_service.second_factor_test_idp'
 
     self_service.event_listener.locale:
         class: Surfnet\StepupSelfService\SelfServiceBundle\EventListener\LocaleListener