Prevent remote vetting of expired tokens

Only non expired tokens could be remote vetted. This wasn't fixed
earlier because it came in handy during development.

app/config/remote_vetting.yml

@@ -110,6 +110,7 @@ services:
     arguments:
       - '@Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVettingService'
       - '@Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\SamlCalloutHelper'
+      - '@surfnet_stepup.registration_expiration_helper'
       - '@logger'
 
   Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration:

src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RemoteVettingController.php

@@ -21,6 +21,7 @@
 use Psr\Log\LoggerInterface;
 use SAML2\Response\Exception\PreconditionNotMetException;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
+use Surfnet\StepupBundle\DateTime\RegistrationExpirationHelper;
 use Surfnet\StepupSelfService\SelfServiceBundle\Command\RemoteVetCommand;
 use Surfnet\StepupSelfService\SelfServiceBundle\Command\RemoteVetValidationCommand;
 use Surfnet\StepupSelfService\SelfServiceBundle\Exception\InvalidRemoteVettingContextException;
@@ -58,14 +59,20 @@ class RemoteVettingController extends Controller
      * @var LoggerInterface
      */
     private $logger;
+    /**
+     * @var RegistrationExpirationHelper
+     */
+    private $expirationHelper;
 
     public function __construct(
         RemoteVettingService $remoteVettingService,
         SamlCalloutHelper $samlCalloutHelper,
+        RegistrationExpirationHelper $expirationHelper,
         LoggerInterface $logger
     ) {
         $this->remoteVettingService = $remoteVettingService;
         $this->samlCalloutHelper = $samlCalloutHelper;
+        $this->expirationHelper = $expirationHelper;
         $this->logger = $logger;
     }
 
@@ -93,14 +100,12 @@ public function remoteVetAction(Request $request, $secondFactorId, $identityProv
         }
 
         $secondFactor = $service->findOneVerified($secondFactorId);
-        if ($secondFactor === null) {
+        if ($secondFactor === null || $this->expirationHelper->hasExpired($secondFactor->registrationRequestedAt)) {
             throw new NotFoundHttpException(
                 sprintf("No %s second factor with id '%s' exists.", 'verified', $secondFactorId)
             );
         }
 
-        // todo: validate expired
-
         $command = new RemoteVetCommand();
         $command->identity = $identity;
         $command->secondFactor = $secondFactor;

src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig

@@ -65,7 +65,7 @@
                             {% endif %}
                             <td>
                                 <div class="btn-group pull-right" role="group">
-                                    {% if state == 'verified' %}
+                                    {% if state == 'verified' and not expirationHelper.hasExpired(secondFactor.registrationRequestedAt) %}
                                         <a class="btn btn-mini btn-default"
                                            href="{{ path('ss_second_factor_remote_vetting_types', {'secondFactorId': secondFactor.id}) }}">
                                             {{ 'ss.second_factor.revoke.button.remote_vet'|trans }}