Merge commit 'c49e1c19b130636b4070c6c2227f544da1946512' into remote-v…

…etting * commit 'c49e1c19b130636b4070c6c2227f544da1946512': Add ApplicationHelper to RemoteVettingService integration test Use a dedicated encryption keypair for tests Add assertions in the SessionStorage tests Cleanup configuration and separate dev test and prod config Use mock IdP for testing Fix double escaping of RemoteVettingProcessDto Remove RV SP configuration and make it static Remove double escaping from match logging
OpenConext · Feb 26, 2021 · 9b6a174 · 9b6a174
2 parents bd02995 + c49e1c1
commit 9b6a174
Show file tree

Hide file tree

Showing 26 changed files with 600 additions and 400 deletions.
diff --git a/composer.json b/composer.json
@@ -14,6 +14,7 @@
     "prefer-stable": true,
     "require": {
         "php": "~7.2",
+        "ext-json": "*",
         "guzzlehttp/guzzle": "^6",
         "incenteev/composer-parameter-handler": "~2.0",
         "jms/translation-bundle": "^1.3.0",

diff --git a/composer.lock b/composer.lock
diff --git a/config/legacy/parameters.yaml.dist b/config/legacy/parameters.yaml.dist
@@ -62,6 +62,8 @@ parameters:
 
     # remote vetting
 
+    remote_vetting_entity_id: https://selfservice.stepup.example.com/rv/metadata
+
     # For each remote vetting IdP we require some parameters.
     remote_vetting_idps:
           # The display name
@@ -82,7 +84,6 @@ parameters:
           ssoUrl: https://selfservice.stepup.example.com/second-factor/mock/sso
           # Certificates for the remote vetting IdP
           certificateFile: "%saml_rv_publickey%"
-          privateKey: "%saml_rv_privatekey%"
           # The attribute mapping should map the institute IdP attributes with the ones received from the remote vetting
           # IdP.
           attributeMapping:
@@ -97,7 +98,6 @@ parameters:
           entityId: https://selfservice.stepup.example.com/mock/metadata
           ssoUrl: https://selfservice.stepup.example.com/second-factor/mock/sso
           certificateFile: "%saml_rv_publickey%"
-          privateKey: "%saml_rv_privatekey%"
           attributeMapping:
             givenName: firstName
             surname: lastName
@@ -110,16 +110,21 @@ parameters:
           entityId: https://selfservice.stepup.example.com/mock/metadata
           ssoUrl: https://selfservice.stepup.example.com/second-factor/mock/sso
           certificateFile: '%saml_rv_publickey%'
-          privateKey: '%saml_rv_privatekey%'
           attributeMapping:
             givenName: firstName
             surname: lastName
-    # SelfService acts as the remote vetting SP, this metadata is used by the remote vetting IdP's to post their SAML
-    # responses to
-    remote_vetting_sp:
-      entityId: https://selfservice.stepup.example.com/saml/metadata
-      assertionConsumerUrl: https://selfservice.stepup.example.com/second-factor/acs
-      privateKey: '%saml_rv_privatekey%'
+        - slug: mock
+          name: 'Mock IDP'
+          logo: /images/remote-vetting/mock.png
+          description:
+              nl_NL: 'This is an integration test IdP.'
+              en_GB: 'This is an integration test IdP.'
+          entityId: 'https://selfservice.stepup.example.com/mock/metadata'
+          ssoUrl: 'https://selfservice.stepup.example.com/second-factor/mock/sso'
+          certificateFile: '%saml_rv_publickey%'
+          attributeMapping:
+              givenName: firstName
+              surname: lastName
 
     identity_encryption_configuration:
       # The public key used to encrypt the remote vetting user data. The private key matching this is used to decrypt,
@@ -147,6 +152,8 @@ parameters:
       # The location on disk where the encrypted remote vetting user data is stored
       storage_location: '%kernel.project_dir%/var/rv'
 
-    # For test, we use a mock remote vetting IdP, these certificates are used for that.
-    saml_rv_publickey: /src/Stepup-SelfService/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.crt
-    saml_rv_privatekey: /src/Stepup-SelfService/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.key
+
+    # Saml Remote Vetting SP public key
+    saml_rv_publickey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.crt'
+    # Saml Remote Vetting Mock IdP private key (used for development and testing, this value should be omitted in production)
+    saml_rv_privatekey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.key'
diff --git a/config/legacy/samlstepupproviders.yaml b/config/legacy/samlstepupproviders.yaml
@@ -7,56 +7,6 @@ surfnet_stepup_self_service_saml_stepup_provider:
         metadata: ss_registration_gssf_saml_metadata
 
     providers:
-        tiqr:
-            hosted:
-                service_provider:
-                    public_key: "%gssp_tiqr_sp_publickey%"
-                    private_key: "%gssp_tiqr_sp_privatekey%"
-                metadata:
-                    public_key: "%gssp_tiqr_metadata_publickey%"
-                    private_key: "%gssp_tiqr_metadata_privatekey%"
-            remote:
-                entity_id: "%gssp_tiqr_remote_entity_id%"
-                sso_url: "%gssp_tiqr_remote_sso_url%"
-                certificate: "%gssp_tiqr_remote_certificate%"
-            view_config:
-                loa: "%gssp_tiqr_loa%"
-                logo: "%gssp_tiqr_logo%"
-                alt: "%gssp_tiqr_alt%"
-                title: "%gssp_tiqr_title%"
-                description: "%gssp_tiqr_description%"
-                button_use: "%gssp_tiqr_button_use%"
-                initiate_title: "%gssp_tiqr_initiate_title%"
-                initiate_button: "%gssp_tiqr_initiate_button%"
-                explanation: "%gssp_tiqr_explanation%"
-                authn_failed: "%gssp_tiqr_authn_failed%"
-                pop_failed: "%gssp_tiqr_pop_failed%"
-                app_android_url: "%gssp_tiqr_app_android_url%"
-                app_ios_url: "%gssp_tiqr_app_ios_url%"
-        biometric:
-          hosted:
-            service_provider:
-              public_key: "%gssp_biometric_sp_publickey%"
-              private_key: "%gssp_biometric_sp_privatekey%"
-            metadata:
-              public_key: "%gssp_biometric_metadata_publickey%"
-              private_key: "%gssp_biometric_metadata_privatekey%"
-          remote:
-            entity_id: "%gssp_biometric_remote_entity_id%"
-            sso_url: "%gssp_biometric_remote_sso_url%"
-            certificate: "%gssp_biometric_remote_certificate%"
-          view_config:
-            loa: "%gssp_biometric_loa%"
-            logo: "%gssp_biometric_logo%"
-            alt: "%gssp_biometric_alt%"
-            title: "%gssp_biometric_title%"
-            description: "%gssp_biometric_description%"
-            button_use: "%gssp_biometric_button_use%"
-            initiate_title: "%gssp_biometric_initiate_title%"
-            initiate_button: "%gssp_biometric_initiate_button%"
-            explanation: "%gssp_biometric_explanation%"
-            authn_failed: "%gssp_biometric_authn_failed%"
-            pop_failed: "%gssp_biometric_pop_failed%"
         webauthn:
             hosted:
                 service_provider:
@@ -83,32 +33,58 @@ surfnet_stepup_self_service_saml_stepup_provider:
                 pop_failed: "%gssp_webauthn_pop_failed%"
                 app_android_url: "%gssp_webauthn_app_android_url%"
                 app_ios_url: "%gssp_webauthn_app_ios_url%"
-        azuremfa:
+        demo_gssp_2:
             hosted:
                 service_provider:
-                    public_key: "%gssp_azuremfa_sp_publickey%"
-                    private_key: "%gssp_azuremfa_sp_privatekey%"
+                    public_key: "%gssp_demo_gssp_2_sp_publickey%"
+                    private_key: "%gssp_demo_gssp_2_sp_privatekey%"
                 metadata:
-                    public_key: "%gssp_azuremfa_metadata_publickey%"
-                    private_key: "%gssp_azuremfa_metadata_privatekey%"
+                    public_key: "%gssp_demo_gssp_2_metadata_publickey%"
+                    private_key: "%gssp_demo_gssp_2_metadata_privatekey%"
             remote:
-                entity_id: "%gssp_azuremfa_remote_entity_id%"
-                sso_url: "%gssp_azuremfa_remote_sso_url%"
-                certificate: "%gssp_azuremfa_remote_certificate%"
+                entity_id: "%gssp_demo_gssp_2_remote_entity_id%"
+                sso_url: "%gssp_demo_gssp_2_remote_sso_url%"
+                certificate: "%gssp_demo_gssp_2_remote_certificate%"
+            view_config:
+                loa: 3
+                logo: "%gssp_demo_gssp_2_logo%"
+                alt: "%gssp_demo_gssp_2_alt%"
+                title: "%gssp_demo_gssp_2_title%"
+                description: "%gssp_demo_gssp_2_description%"
+                button_use: "%gssp_demo_gssp_2_button_use%"
+                initiate_title: "%gssp_demo_gssp_2_initiate_title%"
+                initiate_button: "%gssp_demo_gssp_2_initiate_button%"
+                explanation: "%gssp_demo_gssp_2_explanation%"
+                authn_failed: "%gssp_demo_gssp_2_authn_failed%"
+                pop_failed: "%gssp_demo_gssp_2_pop_failed%"
+                app_android_url: "%gssp_demo_gssp_2_app_android_url%"
+                app_ios_url: "%gssp_demo_gssp_2_app_ios_url%"
+        tiqr:
+            hosted:
+                service_provider:
+                    public_key: "%gssp_tiqr_sp_publickey%"
+                    private_key: "%gssp_tiqr_sp_privatekey%"
+                metadata:
+                    public_key: "%gssp_tiqr_metadata_publickey%"
+                    private_key: "%gssp_tiqr_metadata_privatekey%"
+            remote:
+                entity_id: "%gssp_tiqr_remote_entity_id%"
+                sso_url: "%gssp_tiqr_remote_sso_url%"
+                certificate: "%gssp_tiqr_remote_certificate%"
             view_config:
                 loa: 2
-                logo: "%gssp_azuremfa_logo%"
-                alt: "%gssp_azuremfa_alt%"
-                title: "%gssp_azuremfa_title%"
-                description: "%gssp_azuremfa_description%"
-                button_use: "%gssp_azuremfa_button_use%"
-                initiate_title: "%gssp_azuremfa_initiate_title%"
-                initiate_button: "%gssp_azuremfa_initiate_button%"
-                explanation: "%gssp_azuremfa_explanation%"
-                authn_failed: "%gssp_azuremfa_authn_failed%"
-                pop_failed: "%gssp_azuremfa_pop_failed%"
-                app_android_url: "%gssp_azuremfa_app_android_url%"
-                app_ios_url: "%gssp_azuremfa_app_ios_url%"
+                logo: "%gssp_tiqr_logo%"
+                alt: "%gssp_tiqr_alt%"
+                title: "%gssp_tiqr_title%"
+                description: "%gssp_tiqr_description%"
+                button_use: "%gssp_tiqr_button_use%"
+                initiate_title: "%gssp_tiqr_initiate_title%"
+                initiate_button: "%gssp_tiqr_initiate_button%"
+                explanation: "%gssp_tiqr_explanation%"
+                authn_failed: "%gssp_tiqr_authn_failed%"
+                pop_failed: "%gssp_tiqr_pop_failed%"
+                app_android_url: "%gssp_tiqr_app_android_url%"
+                app_ios_url: "%gssp_tiqr_app_ios_url%"
         demo_gssp:
             hosted:
                 service_provider:
@@ -135,29 +111,3 @@ surfnet_stepup_self_service_saml_stepup_provider:
                 pop_failed: "%gssp_demo_gssp_pop_failed%"
                 app_android_url: "%gssp_demo_gssp_app_android_url%"
                 app_ios_url: "%gssp_demo_gssp_app_ios_url%"
-        demo_gssp_2:
-            hosted:
-                service_provider:
-                    public_key: "%gssp_demo_gssp_2_sp_publickey%"
-                    private_key: "%gssp_demo_gssp_2_sp_privatekey%"
-                metadata:
-                    public_key: "%gssp_demo_gssp_2_metadata_publickey%"
-                    private_key: "%gssp_demo_gssp_2_metadata_privatekey%"
-            remote:
-                entity_id: "%gssp_demo_gssp_2_remote_entity_id%"
-                sso_url: "%gssp_demo_gssp_2_remote_sso_url%"
-                certificate: "%gssp_demo_gssp_2_remote_certificate%"
-            view_config:
-                loa: 3
-                logo: "%gssp_demo_gssp_2_logo%"
-                alt: "%gssp_demo_gssp_2_alt%"
-                title: "%gssp_demo_gssp_2_title%"
-                description: "%gssp_demo_gssp_2_description%"
-                button_use: "%gssp_demo_gssp_2_button_use%"
-                initiate_title: "%gssp_demo_gssp_2_initiate_title%"
-                initiate_button: "%gssp_demo_gssp_2_initiate_button%"
-                explanation: "%gssp_demo_gssp_2_explanation%"
-                authn_failed: "%gssp_demo_gssp_2_authn_failed%"
-                pop_failed: "%gssp_demo_gssp_2_pop_failed%"
-                app_android_url: "%gssp_demo_gssp_2_app_android_url%"
-                app_ios_url: "%gssp_demo_gssp_2_app_ios_url%"
diff --git a/config/services_dev.yaml b/config/services_dev.yaml
@@ -0,0 +1,28 @@
+# Use this service definition file to override services and parameters in the dev environment.
+# For example to mock certain services, or override a password for test.
+services:
+  # A remote vetting mock IdP is used in order to mock the attributes released from a remote RV (Remote Vetting) IdP.
+  # This IdP is utilized as a drop in replacement to test the attribute matching between a remote IdP to vet with and the local
+  # OpenConext IdP.
+  Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Configuration\RemoteVettingConfiguration:
+    arguments:
+      $privateKey: '%saml_rv_privatekey%'
+      $configurationSettings: '%identity_encryption_configuration%'
+      $remoteVettingIdpConfig: '%remote_vetting_idps%'
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration:
+    arguments:
+      $identityProviderEntityId: 'https://selfservice.stepup.example.com/mock/idp/metadata'
+      $serviceProviderEntityId: 'https://selfservice.stepup.example.com/rv/metadata'
+      $privateKeyPath: '%saml_rv_privatekey%'
+      $publicCertPath: '%saml_rv_publickey%'
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockRemoteVetController:
+    public: true
+    arguments:
+      - '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway'
+      - '@twig'
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway:
+    arguments:
+      - '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration'
diff --git a/config/services_test.yaml b/config/services_test.yaml
@@ -4,10 +4,6 @@
 parameters:
   middleware_credentials_password: secret
 
-  saml_rv_publickey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.crt'
-  saml_rv_privatekey: '%kernel.project_dir%/src/Surfnet/StepupSelfService/SelfServiceBundle/Tests/Resources/test.key'
-
-
 services:
   surfnet_stepup_self_service_self_service.service.sms_second_factor:
     class: Surfnet\StepupSelfService\SelfServiceBundle\Tests\TestDouble\Service\SmsSecondFactorService
@@ -35,8 +31,28 @@ services:
         - "%middleware_url_command_api%"
 
 
-  Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Encryption\IdentityEncrypter:
-    class: \Surfnet\StepupSelfService\SelfServiceBundle\Tests\Service\RemoteVetting\Encryption\FakeIdentityEncrypter
+  # A remote vetting mock IdP is used in order to mock the attributes released from a remote RV (Remote Vetting) IdP.
+  # This IdP is utilized as a drop in replacement to test the attribute matching between a remote IdP to vet with and the local
+  # OpenConext IdP.
+  Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Configuration\RemoteVettingConfiguration:
+    arguments:
+      $privateKey: '%saml_rv_privatekey%'
+      $configurationSettings: '%identity_encryption_configuration%'
+      $remoteVettingIdpConfig: '%remote_vetting_idps%'
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration:
+    arguments:
+      $identityProviderEntityId: 'https://selfservice.stepup.example.com/mock/idp/metadata'
+      $serviceProviderEntityId: 'https://selfservice.stepup.example.com/rv/metadata'
+      $privateKeyPath: '%saml_rv_privatekey%'
+      $publicCertPath: '%saml_rv_publickey%'
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockRemoteVetController:
+    public: true
+    arguments:
+      - '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway'
+      - '@twig'
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockGateway:
     arguments:
-      $configuration: '@Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Configuration\RemoteVettingConfiguration'
-      $writer: '@Surfnet\StepupSelfService\SelfServiceBundle\Service\RemoteVetting\Encryption\IdentityFilesystemWriter'
+      - '@Surfnet\StepupSelfService\SelfServiceBundle\Mock\RemoteVetting\MockConfiguration'