Second factor test action

README.md

@@ -19,3 +19,15 @@ This component is part of "Step-up Authentication as-a Service" and requires oth
 Clone the repository or download the archive to a directory. Install the dependencies by running `composer install`.
 
 Run `app/console mopa:bootstrap:symlink:less` to configure Bootstrap symlinks.
+
+## Updating translations
+
+Run the following command to extract translation strings from templates, form labels, etc:
+
+```bash
+bin/extract-translations.sh
+```
+
+Then, translate the strings using the web interface available at: https://ss-dev.stepup.coin.surf.net/app_dev.php/_trans/
+
+For more information about the JMSTranslationBundle, see http://jmsyst.com/bundles/JMSTranslationBundle

app/Resources/translations/messages.en_GB.xliff

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:jms="urn:jms:translation" version="1.2">
-  <file date="2016-11-02T14:23:44Z" source-language="en" target-language="en_GB" datatype="plaintext" original="not.available">
+  <file date="2017-02-23T22:02:30Z" source-language="en" target-language="en_GB" datatype="plaintext" original="not.available">
     <header>
       <tool tool-id="JMSTranslationBundle" tool-name="JMSTranslationBundle" tool-version="1.1.0-DEV"/>
       <note>The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message.</note>
@@ -597,10 +597,15 @@ An e-mail with your activation code has been sent to the e-mail address %email%.
         <target>Your token has been removed.</target>
       </trans-unit>
       <trans-unit id="39bf5f5849cef0ac9b176c769c79169676fc7b96" resname="ss.second_factor.revoke.button.revoke">
-        <jms:reference-file line="44">views/SecondFactor/list.html.twig</jms:reference-file>
+        <jms:reference-file line="48">views/SecondFactor/list.html.twig</jms:reference-file>
         <source>ss.second_factor.revoke.button.revoke</source>
         <target>Remove</target>
       </trans-unit>
+      <trans-unit id="17d18b6bcd8642fedf8e5371cb722efc604e8281" resname="ss.second_factor.revoke.button.test">
+        <jms:reference-file line="45">views/SecondFactor/list.html.twig</jms:reference-file>
+        <source>ss.second_factor.revoke.button.test</source>
+        <target>Test</target>
+      </trans-unit>
       <trans-unit id="6fb0acf21df652aef6e8da27aefff89ad52b6e1a" resname="ss.second_factor.revoke.second_factor_type.biometric">
         <jms:reference-file line="54">Resources/views/translations.twig</jms:reference-file>
         <source>ss.second_factor.revoke.second_factor_type.biometric</source>

app/Resources/translations/messages.nl_NL.xliff

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:jms="urn:jms:translation" version="1.2">
-  <file date="2016-11-02T14:23:52Z" source-language="en" target-language="nl_NL" datatype="plaintext" original="not.available">
+  <file date="2017-02-23T22:02:59Z" source-language="en" target-language="nl_NL" datatype="plaintext" original="not.available">
     <header>
       <tool tool-id="JMSTranslationBundle" tool-name="JMSTranslationBundle" tool-version="1.1.0-DEV"/>
       <note>The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message.</note>
@@ -595,10 +595,15 @@ Er is een e-mail met activatiecode gestuurd naar het e-mailadres %email%. Volg d
         <target>Je token is verwijderd.</target>
       </trans-unit>
       <trans-unit id="39bf5f5849cef0ac9b176c769c79169676fc7b96" resname="ss.second_factor.revoke.button.revoke">
-        <jms:reference-file line="44">views/SecondFactor/list.html.twig</jms:reference-file>
+        <jms:reference-file line="48">views/SecondFactor/list.html.twig</jms:reference-file>
         <source>ss.second_factor.revoke.button.revoke</source>
         <target>Verwijderen</target>
       </trans-unit>
+      <trans-unit id="17d18b6bcd8642fedf8e5371cb722efc604e8281" resname="ss.second_factor.revoke.button.test">
+        <jms:reference-file line="45">views/SecondFactor/list.html.twig</jms:reference-file>
+        <source>ss.second_factor.revoke.button.test</source>
+        <target>Testen</target>
+      </trans-unit>
       <trans-unit id="6fb0acf21df652aef6e8da27aefff89ad52b6e1a" resname="ss.second_factor.revoke.second_factor_type.biometric">
         <jms:reference-file line="54">Resources/views/translations.twig</jms:reference-file>
         <source>ss.second_factor.revoke.second_factor_type.biometric</source>

app/config/config.yml

@@ -170,6 +170,10 @@ jms_translation:
 
 surfnet_stepup_self_service_self_service:
     enabled_second_factors: %enabled_second_factors%
+    second_factor_test_identity_provider:
+        entity_id: '%second_factor_test_idp_entity_id%'
+        sso_url: '%second_factor_test_idp_sso_url%'
+        certificate: '%second_factor_test_idp_certificate%'
     session_lifetimes:
         max_absolute_lifetime: "%session_max_absolute_lifetime%"
         max_relative_lifetime: "%session_max_relative_lifetime%"

app/config/parameters.yml.dist

@@ -40,6 +40,10 @@ parameters:
     graylog_hostname: g2-dev.stepup.coin.surf.net
     asset_version: 1
 
+    second_factor_test_idp_entity_id: ~
+    second_factor_test_idp_sso_url: ~
+    second_factor_test_idp_certificate: 'FOR CI ONLY, REPLACE WITH ACTUAL VALUE'
+
     stepup_loa_loa1: https://gateway.tld/authentication/loa1
     stepup_loa_loa2: https://gateway.tld/authentication/loa2
     stepup_loa_loa3: https://gateway.tld/authentication/loa3

src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/SamlController.php

@@ -20,11 +20,62 @@
 
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
 use Surfnet\SamlBundle\Http\XMLResponse;
-use Symfony\Bundle\FrameworkBundle\Controller\Controller as FrameworkController;
+use Surfnet\StepupBundle\Value\SecondFactorType;
 use Symfony\Component\HttpFoundation\Request;
 
-class SamlController extends FrameworkController
+class SamlController extends Controller
 {
+    /**
+     * @param string $secondFactorId
+     *
+     * @return \Symfony\Component\HttpFoundation\RedirectResponse
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
+     * @throws \Symfony\Component\Security\Core\Exception\AccessDeniedException
+     */
+    public function testSecondFactorAction($secondFactorId)
+    {
+        $this->get('logger')->notice(
+            'Starting second factor test'
+        );
+
+        $secondFactorService = $this->get('surfnet_stepup_self_service_self_service.service.second_factor');
+        $identity            = $this->getIdentity();
+
+        if (!$secondFactorService->identityHasSecondFactorOfStateWithId($identity->id, 'vetted', $secondFactorId)) {
+            $this->get('logger')->error(
+                sprintf(
+                    'Identity "%s" tried to test second factor "%s", but does not own that second factor or it is not vetted',
+                    $identity->id,
+                    $secondFactorId
+                )
+            );
+
+            throw $this->createNotFoundException();
+        }
+
+        $loaResolutionService         = $this->get('surfnet_stepup.service.loa_resolution');
+        $authenticationRequestFactory = $this->get('self_service.test_second_factor_authentication_request_factory');
+
+        $secondFactor     = $secondFactorService->findOneVetted($secondFactorId);
+        $secondFactorType = new SecondFactorType($secondFactor->type);
+
+        $authenticationRequest = $authenticationRequestFactory->createSecondFactorTestRequest(
+            $identity->nameId,
+            $loaResolutionService->getLoaByLevel($secondFactorType->getLevel())
+        );
+
+        $this->get('session')->set('second_factor_test_mode', true);
+
+        $this->get('logger')->notice(
+            sprintf(
+                'Sending authentication request with ID "%s" to the second factor test IDP',
+                $authenticationRequest->getRequestId()
+            )
+        );
+
+        return $this->get('surfnet_saml.http.redirect_binding')->createRedirectResponseFor($authenticationRequest);
+    }
+
     /**
      * @Template
      */

src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/Configuration.php

@@ -34,6 +34,7 @@ public function getConfigTreeBuilder()
 
         $childNodes = $rootNode->children();
         $this->appendEnabledSecondFactorTypesConfiguration($childNodes);
+        $this->appendSecondFactorTestIdentityProvider($childNodes);
         $this->appendSessionConfiguration($childNodes);
 
         return $treeBuilder;
@@ -83,6 +84,30 @@ function ($lifetime) {
             ->end();
     }
 
+    private function appendSecondFactorTestIdentityProvider(NodeBuilder $childNodes)
+    {
+        $childNodes
+            ->arrayNode('second_factor_test_identity_provider')
+                ->isRequired()
+                ->children()
+                    ->scalarNode('entity_id')
+                        ->isRequired()
+                        ->info('The EntityID of the remote identity provider')
+                    ->end()
+                    ->scalarNode('sso_url')
+                        ->isRequired()
+                        ->info('The name of the route to generate the SSO URL')
+                    ->end()
+                    ->scalarNode('certificate')
+                        ->info('The contents of the certificate used to sign the AuthnResponse with')
+                    ->end()
+                    ->scalarNode('certificate_file')
+                        ->info('A file containing the certificate used to sign the AuthnResponse with')
+                    ->end()
+                ->end()
+            ->end();
+    }
+
     /**
      * @param NodeBuilder $childNodes
      */

src/Surfnet/StepupSelfService/SelfServiceBundle/DependencyInjection/SurfnetStepupSelfServiceSelfServiceExtension.php

@@ -18,8 +18,11 @@
 
 namespace Surfnet\StepupSelfService\SelfServiceBundle\DependencyInjection;
 
+use Surfnet\SamlBundle\Entity\IdentityProvider;
+use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\Config\FileLocator;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Loader;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
 
@@ -56,5 +59,39 @@ public function load(array $configs, ContainerBuilder $container)
             'self_service.security.authentication.session.maximum_relative_lifetime_in_seconds',
             $config['session_lifetimes']['max_relative_lifetime']
         );
+
+        $this->parseSecondFactorTestIdentityProviderConfiguration(
+            $config['second_factor_test_identity_provider'],
+            $container
+        );
+    }
+
+    /**
+     * @param array            $identityProvider
+     * @param ContainerBuilder $container
+     */
+    private function parseSecondFactorTestIdentityProviderConfiguration(
+        array $identityProvider,
+        ContainerBuilder $container
+    ) {
+        $definition = new Definition(IdentityProvider::class);
+        $configuration = [
+            'entityId' => $identityProvider['entity_id'],
+            'ssoUrl' => $identityProvider['sso_url'],
+        ];
+
+        if (isset($identityProvider['certificate_file']) && !isset($identityProvider['certificate'])) {
+            $configuration['certificateFile'] = $identityProvider['certificate_file'];
+        } elseif (isset($identityProvider['certificate'])) {
+            $configuration['certificateData'] = $identityProvider['certificate'];
+        } else {
+            throw new InvalidConfigurationException(
+                'Either "certificate_file" or "certificate" must be set in the ' .
+                'surfnet_stepup_self_service_self_service.second_factor_test_identity_provider configuration.'
+            );
+        }
+
+        $definition->setArguments([$configuration]);
+        $container->setDefinition('self_service.second_factor_test_idp', $definition);
     }
 }

src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml

@@ -8,6 +8,11 @@ ss_second_factor_list:
     methods:  [GET]
     defaults: { _controller: SurfnetStepupSelfServiceSelfServiceBundle:SecondFactor:list }
 
+ss_second_factor_test:
+    path:     /second-factor/{secondFactorId}/test
+    methods:  [GET]
+    defaults: { _controller: SurfnetStepupSelfServiceSelfServiceBundle:Saml:testSecondFactor }
+
 ss_second_factor_revoke:
     path:     /second-factor/{state}/{secondFactorId}/revoke
     methods:  [GET,POST]

src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/services.yml

@@ -127,6 +127,12 @@ services:
             - "%locales%"
             - "%support_url%"
 
+    self_service.test_second_factor_authentication_request_factory:
+        class: Surfnet\StepupSelfService\SelfServiceBundle\Service\TestSecondFactor\TestAuthenticationRequestFactory
+        arguments:
+            - '@surfnet_saml.hosted.service_provider'
+            - '@self_service.second_factor_test_idp'
+
     self_service.event_listener.locale:
         class: Surfnet\StepupSelfService\SelfServiceBundle\EventListener\LocaleListener
         arguments: [ "@security.token_storage", "@translator" ]

src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/SecondFactor/list.html.twig

@@ -39,10 +39,17 @@
                             <td>{{ ('ss.second_factor.type.'~secondFactor.type)|trans }}</td>
                             <td>{{ secondFactor.secondFactorIdentifier }}</td>
                             <td>
-                                <a class="btn btn-mini btn-warning pull-right"
-                                   href="{{ path('ss_second_factor_revoke', {'state': state, 'secondFactorId': secondFactor.id}) }}">
-                                    {{ 'ss.second_factor.revoke.button.revoke'|trans }}
-                                </a>
+                                <div class="btn-group pull-right" role="group">
+                                    {% if state == 'vetted' %}
+                                        <a class="btn btn-mini btn-default"
+                                            href="{{ path('ss_second_factor_test', {'secondFactorId': secondFactor.id}) }}">
+                                            {{ 'ss.second_factor.revoke.button.test'|trans }}</a>
+                                    {% endif %}
+                                    <a class="btn btn-mini btn-warning"
+                                        href="{{ path('ss_second_factor_revoke', {'state': state, 'secondFactorId': secondFactor.id}) }}">
+                                        {{ 'ss.second_factor.revoke.button.revoke'|trans }}
+                                    </a>
+                                </div>
                             </td>
                         </tr>
                     {% endfor %}

src/Surfnet/StepupSelfService/SelfServiceBundle/Service/TestSecondFactor/TestAuthenticationRequestFactory.php

@@ -0,0 +1,64 @@
+<?php
+
+/**
+ * Copyright 2017 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\StepupSelfService\SelfServiceBundle\Service\TestSecondFactor;
+
+use Surfnet\SamlBundle\Entity\IdentityProvider;
+use Surfnet\SamlBundle\Entity\ServiceProvider;
+use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
+use Surfnet\StepupBundle\Value\Loa;
+
+final class TestAuthenticationRequestFactory
+{
+    /**
+     * @var ServiceProvider
+     */
+    private $serviceProvider;
+
+    /**
+     * @var IdentityProvider
+     */
+    private $identityProvider;
+
+    public function __construct(
+        ServiceProvider $serviceProvider,
+        IdentityProvider $identityProvider
+    ) {
+        $this->serviceProvider = $serviceProvider;
+        $this->identityProvider = $identityProvider;
+    }
+
+    /**
+     * @param string $nameId
+     * @param Loa    $loa
+     *
+     * @return \Surfnet\SamlBundle\SAML2\AuthnRequest
+     */
+    public function createSecondFactorTestRequest($nameId, Loa $loa)
+    {
+        $authenticationRequest = AuthnRequestFactory::createNewRequest(
+            $this->serviceProvider,
+            $this->identityProvider
+        );
+
+        $authenticationRequest->setSubject($nameId);
+        $authenticationRequest->setAuthenticationContextClassRef((string) $loa);
+
+        return $authenticationRequest;
+    }
+}