-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle second factor test response #120
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Before reviewing in depth these issues should be resolved.
$loaResolutionService->getLoaByLevel($secondFactorType->getLevel()) | ||
); | ||
|
||
$this->get('session')->set('second_factor_test_mode', true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A bit more should be stored (and tracked) in the session; e.g. the request ID of the AuthnRequest.
$translator = $this->get('translator'); | ||
|
||
try { | ||
$postBinding->processResponse( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it must be verified that the received response is in response to the sent request; for reference see here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the second factor test flow also use an implementation of the SamlAuthenticationStateHandler
? Or is it more appropriate to use the session
directly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally we would want to keep the test implementation as close to the actual implementation. However, the intent and flow is different. Therefore, one would ideally create a wrapper for this specific case. For now, I'd use the session and register the improvement as technical debt.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tech debt ticket created: https://www.pivotaltracker.com/story/show/141126081
|
||
$this->get('session')->set('second_factor_test_mode', true); | ||
|
||
$this->get('logger')->notice( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The moment we have an AuthnRequest and thus a RequestID, we should use the SamlAuthenticationLogger (same when processing the response). For an example as how to use that, see here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it correct that this logger can only be used when the request ID is set? In other words, the SamlAuthenticationLogger
is invalid without a request ID and the default logger
service should be used before we know the request ID?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, do you prefer to keep the request ID in the log message (as an argument for the sprintf
call), or is it enough to have it to the logging context?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The SamlAuthenticationLogger can only be used when the requestId is set.
It is enough to have it in the logging context.
|
||
$session->getFlashBag()->add( | ||
'success', | ||
$translator->trans('ss.test_second_factor.verification_successful') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed from the logs that this string is being translated twice: once here in the controller, and once more in the session_flash
macro that is provided by the MopaBootstrapBundle. This triggers a warning, because the already translated string cannot be translated again.
However, when I remove the translation here, the string is no longer recognized as a translation key by the JMSTranslationBundle, so it will be removed from the result of the extract-translations
script.
I have found a translations.twig
file in the SelfServiceBundle which (I presume) exists to work around this problem. Is that correct? So then I could remove the translator here and add the translation keys to that file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice find. I think that should work. It is consistent with how other flash messages are done, see SmsController.php (82) and translations.twig (31)
The flash messages are being translated again in the session_flash macro provided by the MopaBootstrapBundle. Trying to translate an already translated string results in a warning from the translation component.
The currently installed version of JMSTranslationBundle requires an old version of the nikic/php-parser package, which doesn't support the ::class keyword introduced in PHP 5.5. This should be fixed by upgrading JMSTranslationBundle to a more recent version. See nikic/PHP-Parser#200 for more information.
cd16c94
to
eb56708
Compare
The SamlAuthenticationLogger already adds the ID to the context.
Note that I could not reproduce a situation where testing the second factor fails because the request ID differs from the one that is stored in the session (for instance by firing two requests in parallel), because the gateway also fails in such a scenario. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All in all, this looks good to me -- bar a few nits.
*/ | ||
public function testSecondFactorAction($secondFactorId) | ||
{ | ||
$this->get('logger')->notice( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could extract $this->get('logger')
to a variable as it is reused later on.
Also, this could fit on a single line.
The latter $logger
could be renamed to $samlLogger
or something else.
) | ||
); | ||
|
||
throw $this->createNotFoundException(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not throw the exception itself?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just a Symfony convenience method that creates a NotFoundHttpException with a default message, I guess it is a matter of personal preference.
'Received an authentication response for testing a second factor, but no second factor test response was expected' | ||
); | ||
|
||
throw $this->createAccessDeniedException('Did not expect an authentication response'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here; why not throw the exception itself?
|
||
$initiatedRequestId = $session->get('second_factor_test_request_id'); | ||
|
||
$logger = $this->get('surfnet_saml.logger')->forAuthentication($initiatedRequestId); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are reassigning the $logger
here, you would probably want to rename this to prevent confusion.
} | ||
|
||
$session->getFlashBag()->add('success', 'ss.test_second_factor.verification_successful'); | ||
} catch (Exception $exception) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With regards to your comment above; this would also catch an Exception if anything goes wrong in Gateway or client bundles (which is possible when sessions are somehow tainted during testing), which should also result in an error message. I think this suffices for now.
062cb4a
to
56f90c1
Compare
Part of https://www.pivotaltracker.com/story/show/79436876