Handle second factor test response #120
Conversation
| $loaResolutionService->getLoaByLevel($secondFactorType->getLevel()) | ||
| ); | ||
|
|
||
| $this->get('session')->set('second_factor_test_mode', true); |
There was a problem hiding this comment.
A bit more should be stored (and tracked) in the session; e.g. the request ID of the AuthnRequest.
| $translator = $this->get('translator'); | ||
|
|
||
| try { | ||
| $postBinding->processResponse( |
There was a problem hiding this comment.
it must be verified that the received response is in response to the sent request; for reference see here
There was a problem hiding this comment.
Should the second factor test flow also use an implementation of the SamlAuthenticationStateHandler? Or is it more appropriate to use the session directly?
There was a problem hiding this comment.
Ideally we would want to keep the test implementation as close to the actual implementation. However, the intent and flow is different. Therefore, one would ideally create a wrapper for this specific case. For now, I'd use the session and register the improvement as technical debt.
There was a problem hiding this comment.
Tech debt ticket created: https://www.pivotaltracker.com/story/show/141126081
|
|
||
| $this->get('session')->set('second_factor_test_mode', true); | ||
|
|
||
| $this->get('logger')->notice( |
There was a problem hiding this comment.
The moment we have an AuthnRequest and thus a RequestID, we should use the SamlAuthenticationLogger (same when processing the response). For an example as how to use that, see here
There was a problem hiding this comment.
Is it correct that this logger can only be used when the request ID is set? In other words, the SamlAuthenticationLogger is invalid without a request ID and the default logger service should be used before we know the request ID?
There was a problem hiding this comment.
Also, do you prefer to keep the request ID in the log message (as an argument for the sprintf call), or is it enough to have it to the logging context?
There was a problem hiding this comment.
The SamlAuthenticationLogger can only be used when the requestId is set.
It is enough to have it in the logging context.
|
|
||
| $session->getFlashBag()->add( | ||
| 'success', | ||
| $translator->trans('ss.test_second_factor.verification_successful') |
There was a problem hiding this comment.
I noticed from the logs that this string is being translated twice: once here in the controller, and once more in the session_flash macro that is provided by the MopaBootstrapBundle. This triggers a warning, because the already translated string cannot be translated again.
However, when I remove the translation here, the string is no longer recognized as a translation key by the JMSTranslationBundle, so it will be removed from the result of the extract-translations script.
I have found a translations.twig file in the SelfServiceBundle which (I presume) exists to work around this problem. Is that correct? So then I could remove the translator here and add the translation keys to that file?
There was a problem hiding this comment.
Nice find. I think that should work. It is consistent with how other flash messages are done, see SmsController.php (82) and translations.twig (31)
The flash messages are being translated again in the session_flash macro provided by the MopaBootstrapBundle. Trying to translate an already translated string results in a warning from the translation component.
The currently installed version of JMSTranslationBundle requires an old version of the nikic/php-parser package, which doesn't support the ::class keyword introduced in PHP 5.5. This should be fixed by upgrading JMSTranslationBundle to a more recent version. See nikic/PHP-Parser#200 for more information.
nicwortel
force-pushed
the
handle-second-factor-test-response
branch
from
cd16c94
to
eb56708
Compare
The SamlAuthenticationLogger already adds the ID to the context.
|
Note that I could not reproduce a situation where testing the second factor fails because the request ID differs from the one that is stored in the session (for instance by firing two requests in parallel), because the gateway also fails in such a scenario. |
| */ | ||
| public function testSecondFactorAction($secondFactorId) | ||
| { | ||
| $this->get('logger')->notice( |
There was a problem hiding this comment.
You could extract $this->get('logger') to a variable as it is reused later on.
Also, this could fit on a single line.
The latter $logger could be renamed to $samlLogger or something else.
| ) | ||
| ); | ||
|
|
||
| throw $this->createNotFoundException(); |
There was a problem hiding this comment.
This is just a Symfony convenience method that creates a NotFoundHttpException with a default message, I guess it is a matter of personal preference.
| 'Received an authentication response for testing a second factor, but no second factor test response was expected' | ||
| ); | ||
|
|
||
| throw $this->createAccessDeniedException('Did not expect an authentication response'); |
There was a problem hiding this comment.
Same here; why not throw the exception itself?
|
|
||
| $initiatedRequestId = $session->get('second_factor_test_request_id'); | ||
|
|
||
| $logger = $this->get('surfnet_saml.logger')->forAuthentication($initiatedRequestId); |
There was a problem hiding this comment.
You are reassigning the $logger here, you would probably want to rename this to prevent confusion.
| } | ||
|
|
||
| $session->getFlashBag()->add('success', 'ss.test_second_factor.verification_successful'); | ||
| } catch (Exception $exception) { |
There was a problem hiding this comment.
With regards to your comment above; this would also catch an Exception if anything goes wrong in Gateway or client bundles (which is possible when sessions are somehow tainted during testing), which should also result in an error message. I think this suffices for now.
nicwortel
force-pushed
the
handle-second-factor-test-response
branch
from
062cb4a
to
56f90c1
Compare
Part of https://www.pivotaltracker.com/story/show/79436876