Add biometric second factor type

app/Resources/translations/validators.en_GB.xliff

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:jms="urn:jms:translation" version="1.2">
-  <file date="2015-07-27T15:51:48Z" source-language="en" target-language="en_GB" datatype="plaintext" original="not.available">
+  <file date="2016-04-29T10:22:50Z" source-language="en" target-language="en_GB" datatype="plaintext" original="not.available">
     <header>
       <tool tool-id="JMSTranslationBundle" tool-name="JMSTranslationBundle" tool-version="1.1.0-DEV"/>
       <note>The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message.</note>
@@ -366,14 +366,6 @@
         <source>middleware_client.dto.vetted_second_factor.type.must_not_be_blank</source>
         <target state="new">middleware_client.dto.vetted_second_factor.type.must_not_be_blank</target>
       </trans-unit>
-      <trans-unit id="64327d0cfa154721029978c67ef52df2fd18cacb" resname="ss.revoke_own_second_factor_command.identity_id.must_be_string">
-        <source>ss.revoke_own_second_factor_command.identity_id.must_be_string</source>
-        <target>Identity ID must be a string</target>
-      </trans-unit>
-      <trans-unit id="590d26b3eb954c44862a6cf2bf4cf7a382b7119c" resname="ss.revoke_own_second_factor_command.second_factor_id.must_be_string">
-        <source>ss.revoke_own_second_factor_command.second_factor_id.must_be_string</source>
-        <target>Second factor ID must be a string</target>
-      </trans-unit>
       <trans-unit id="d23ad73b357db56cd8de5ead80613a379e7fb7f9" resname="ss.send_sms_challenge_command.recipient.may_not_be_empty">
         <source>ss.send_sms_challenge_command.recipient.may_not_be_empty</source>
         <target>SMS challenge recipient may not be empty.</target>

app/Resources/translations/validators.nl_NL.xliff

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:jms="urn:jms:translation" version="1.2">
-  <file date="2015-07-27T15:51:43Z" source-language="en" target-language="nl_NL" datatype="plaintext" original="not.available">
+  <file date="2016-04-29T10:22:48Z" source-language="en" target-language="nl_NL" datatype="plaintext" original="not.available">
     <header>
       <tool tool-id="JMSTranslationBundle" tool-name="JMSTranslationBundle" tool-version="1.1.0-DEV"/>
       <note>The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message.</note>
@@ -366,14 +366,6 @@
         <source>middleware_client.dto.vetted_second_factor.type.must_not_be_blank</source>
         <target state="new">middleware_client.dto.vetted_second_factor.type.must_not_be_blank</target>
       </trans-unit>
-      <trans-unit id="64327d0cfa154721029978c67ef52df2fd18cacb" resname="ss.revoke_own_second_factor_command.identity_id.must_be_string">
-        <source>ss.revoke_own_second_factor_command.identity_id.must_be_string</source>
-        <target>Identity ID must be a string</target>
-      </trans-unit>
-      <trans-unit id="590d26b3eb954c44862a6cf2bf4cf7a382b7119c" resname="ss.revoke_own_second_factor_command.second_factor_id.must_be_string">
-        <source>ss.revoke_own_second_factor_command.second_factor_id.must_be_string</source>
-        <target>Second factor ID must be a string</target>
-      </trans-unit>
       <trans-unit id="d23ad73b357db56cd8de5ead80613a379e7fb7f9" resname="ss.send_sms_challenge_command.recipient.may_not_be_empty">
         <source>ss.send_sms_challenge_command.recipient.may_not_be_empty</source>
         <target>SMS challenge recipient may not be empty.</target>

app/config/samlstepupproviders.yml

@@ -3,8 +3,8 @@ imports:
 
 surfnet_stepup_self_service_saml_stepup_provider:
     routes:
-        consume_assertion: %gssp_routes_consume_assertion%
-        metadata: %gssp_routes_metadata%
+        consume_assertion: ss_registration_gssf_consume_assertion
+        metadata: ss_registration_gssf_saml_metadata
     providers:
         tiqr:
             hosted:
@@ -18,3 +18,15 @@ surfnet_stepup_self_service_saml_stepup_provider:
                 entity_id: %gssp_tiqr_remote_entity_id%
                 sso_url: %gssp_tiqr_remote_sso_url%
                 certificate: %gssp_tiqr_remote_certificate%
+        biometric:
+            hosted:
+                service_provider:
+                    public_key: %gssp_biometric_sp_publickey%
+                    private_key: %gssp_biometric_sp_privatekey%
+                metadata:
+                    public_key: %gssp_biometric_metadata_publickey%
+                    private_key: %gssp_biometric_metadata_privatekey%
+            remote:
+                entity_id: %gssp_biometric_remote_entity_id%
+                sso_url: %gssp_biometric_remote_sso_url%
+                certificate: %gssp_biometric_remote_certificate%

app/config/samlstepupproviders_parameters.yml.dist

@@ -1,11 +1,17 @@
 parameters:
-    # the routes should be kept as is, they map to specific URLs on the gateway
-    gssp_routes_consume_assertion: ss_registration_gssf_consume_assertion
-    gssp_routes_metadata: ss_registration_gssf_saml_metadata
+
     gssp_tiqr_sp_publickey: '/full/path/to/the/gateway-as-sp/public-key-file.cer'
     gssp_tiqr_sp_privatekey: '/full/path/to/the/gateway-as-sp/private-key-file.pem'
     gssp_tiqr_metadata_publickey: '/full/path/to/the/gateway-metadata/public-key-file.cer'
     gssp_tiqr_metadata_privatekey: '/full/path/to/the/gateway-as-sp/private-key-file.pem'
     gssp_tiqr_remote_entity_id: 'https://actual-gssp.entity-id.tld'
     gssp_tiqr_remote_sso_url: 'https://actual-gssp.entity-id.tld/single-sign-on/url'
     gssp_tiqr_remote_certificate: 'The contents of the certificate published by the gssp'
+
+    gssp_biometric_sp_publickey: '/full/path/to/the/gateway-as-sp/public-key-file.cer'
+    gssp_biometric_sp_privatekey: '/full/path/to/the/gateway-as-sp/private-key-file.pem'
+    gssp_biometric_metadata_publickey: '/full/path/to/the/gateway-metadata/public-key-file.cer'
+    gssp_biometric_metadata_privatekey: '/full/path/to/the/gateway-as-sp/private-key-file.pem'
+    gssp_biometric_remote_entity_id: 'https://actual-gssp.entity-id.tld'
+    gssp_biometric_remote_sso_url: 'https://actual-gssp.entity-id.tld/single-sign-on/url'
+    gssp_biometric_remote_certificate: 'The contents of the certificate published by the gssp'

composer.json

@@ -26,7 +26,7 @@
         "surfnet/stepup-middleware-client-bundle": "dev-develop",
         "guzzlehttp/guzzle": "~4",
         "surfnet/stepup-saml-bundle": "dev-develop",
-        "surfnet/stepup-bundle": "dev-develop",
+        "surfnet/stepup-bundle": "^1.3.0",
         "symfony/swiftmailer-bundle": "~2.3",
         "surfnet/stepup-u2f-bundle": "dev-develop",
         "mopa/composer-bridge": "dev-master as v1.5.0"

src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/Registration/displaySecondFactorTypes.html.twig

@@ -40,5 +40,12 @@
                 'url': path('ss_registration_u2f_registration')
             } only %}
         {% endif %}
+        {% if enabledSecondFactors.biometric is defined %}
+            {% include 'SurfnetStepupSelfServiceSelfServiceBundle::Registration/partial/secondFactor.html.twig' with {
+                'type': 'biometric',
+                'security': 3,
+                'url': path('ss_registration_gssf_initiate', {'provider': 'biometric'})
+            } only %}
+        {% endif %}
     </div>
 {% endblock %}

src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/views/translations.twig

@@ -15,6 +15,10 @@
 {{ 'ss.registration.selector.u2f.title'|trans }}
 {{ 'ss.registration.selector.u2f.description'|trans }}
 {{ 'ss.registration.selector.u2f.button.use'|trans }}
+{{ 'ss.registration.selector.biometric.alt'|trans }}
+{{ 'ss.registration.selector.biometric.title'|trans }}
+{{ 'ss.registration.selector.biometric.description'|trans }}
+{{ 'ss.registration.selector.biometric.button.use'|trans }}
 
 {# SmsController form errors #}
 {{ 'ss.prove_phone_possession.send_sms_challenge_failed'|trans }}
@@ -40,12 +44,14 @@
 {{ 'ss.second_factor.type.yubikey'|trans }}
 {{ 'ss.second_factor.type.tiqr'|trans }}
 {{ 'ss.second_factor.type.u2f'|trans }}
+{{ 'ss.second_factor.type.biometric'|trans }}
 
 {# SecondFactorController revoke #}
 {{ 'ss.second_factor.revoke.second_factor_type.sms'|trans }}
 {{ 'ss.second_factor.revoke.second_factor_type.yubikey'|trans }}
 {{ 'ss.second_factor.revoke.second_factor_type.tiqr'|trans }}
 {{ 'ss.second_factor.revoke.second_factor_type.u2f'|trans }}
+{{ 'ss.second_factor.revoke.second_factor_type.biometric'|trans }}
 {{ 'ss.second_factor.revoke.alert.revocation_successful'|trans }}
 {{ 'ss.second_factor.revoke.alert.revocation_failed'|trans }}
 
@@ -55,6 +61,11 @@
 {{ ('ss.registration.gssf.initiate.tiqr.button.initiate')|trans }}
 {{ ('ss.registration.gssf.initiate.tiqr.error.authn_failed')|trans }}
 {{ ('ss.registration.gssf.initiate.tiqr.error.proof_of_possession_failed')|trans }}
+{{ ('ss.registration.gssf.initiate.biometric.title.page')|trans }}
+{{ ('ss.registration.gssf.initiate.biometric.text.explanation')|trans }}
+{{ ('ss.registration.gssf.initiate.biometric.button.initiate')|trans }}
+{{ ('ss.registration.gssf.initiate.biometric.error.authn_failed')|trans }}
+{{ ('ss.registration.gssf.initiate.biometric.error.proof_of_possession_failed')|trans }}
 
 {# U2fController #}
 {{ 'ss.registration.u2f.alert.device_reported_an_error'|trans }}