Merge branch 'main' into release/6.18

Author: baszoetekouw

CHANGELOG.md

@@ -79,6 +79,14 @@ Bugfixes
 * Validate numeric key in ARP settings on metadata push (#1285)
 * Set the correct database version in doctrine (#1811)
 
+## 6.15.4
+
+Maintenance:
+  * Fix composer lockfile (#1785)
+  * Add qa tooling helper scripts and drop Ant build.xml (#1781)
+  * Update Devconf installation and docs (#1781)
+  * Remove confusing key_id from stepup callout logging
+
 ## 6.15.3
 
 Maintenance:

library/EngineBlock/Corto/Module/Service/AssertionConsumer.php

@@ -168,6 +168,7 @@ public function serve($serviceName, Request $httpRequest)
         // or another service.
         EngineBlock_Corto_Model_Response_Cache::rememberIdp($receivedRequest, $receivedResponse);
 
+        $originalAssertions = clone $receivedResponse->getAssertions()[0];
         $this->_server->filterInputAssertionAttributes($receivedResponse, $receivedRequest);
 
         // Add the consent step
@@ -213,7 +214,7 @@ public function serve($serviceName, Request $httpRequest)
             $authnClassRef,
             $nameId,
             $sp->getCoins()->isStepupForceAuthn(),
-            $receivedResponse->getAssertions()[0]
+            $originalAssertions
         );
     }
 

library/EngineBlock/Corto/Module/Service/SingleSignOn.php

@@ -516,23 +516,8 @@ protected function _transformIdpsForWayf(array $idpEntityIds, $isDebugRequest, $
                 continue;
             }
 
-            $additionalInfo = AdditionalInfo::create()->setIdp($identityProvider->entityId);
-
             $isAccessible = $identityProvider->enabledInWayf || $isDebugRequest;
 
-            $name = $this->getName($currentLocale, $identityProvider, $additionalInfo);
-
-            $wayfIdp = $this->buildIdp(
-                $name,
-                $identityProvider->getMdui()->hasLogo() ? $identityProvider->getMdui()->getLogo()->url : '/images/placeholder.png',
-                $this->getKeywords($currentLocale, $identityProvider),
-                $identityProvider->entityId,
-                $isAccessible,
-                $isDefaultIdP,
-                null
-            );
-            $wayfIdps[] = $wayfIdp;
-
             foreach ($identityProvider->getDiscoveries() as $discovery) {
                 /** @var Discovery $discovery */
                 $wayfIdps[] = $this->buildIdp(
@@ -609,96 +594,6 @@ protected function _sendDebugMail(EngineBlock_Saml2_ResponseAnnotationDecorator
         $diContainer->getMailer()->send($message);
     }
 
-    private function getName(string $locale, IdentityProvider $identityProvider, AdditionalInfo $additionalInfo)
-    {
-        switch ($locale) {
-            case "nl":
-                return $this->getNameNl($identityProvider, $additionalInfo);
-            case "en":
-                return $this->getNameEn($identityProvider, $additionalInfo);
-            case "pt":
-                return $this->getNamePt($identityProvider, $additionalInfo);
-            default:
-                throw new EngineBlockBundleInvalidArgumentException(
-                    sprintf('Trying to get the IdP name for an unsupported language (%s)', $locale)
-                );
-        }
-    }
-
-    private function getNameNl(
-        IdentityProvider $identityProvider,
-        AdditionalInfo $additionalLogInfo
-    ) {
-        if ($identityProvider->getMdui()->hasDisplayName('nl')) {
-            return $identityProvider->getMdui()->getDisplayName('nl');
-        }
-
-        if ($identityProvider->nameNl) {
-            return $identityProvider->nameNl;
-        }
-
-        EngineBlock_ApplicationSingleton::getLog()->notice(
-            'No NL displayName and name found for idp: ' . $identityProvider->entityId,
-            array('additional_info' => $additionalLogInfo->toArray())
-        );
-
-        return $identityProvider->entityId;
-    }
-
-    private function getNameEn(
-        IdentityProvider $identityProvider,
-        AdditionalInfo $additionalInfo
-    ) {
-        if ($identityProvider->getMdui()->hasDisplayName('en')) {
-            return $identityProvider->getMdui()->getDisplayName('en');
-        }
-
-        if ($identityProvider->nameEn) {
-            return $identityProvider->nameEn;
-        }
-
-        EngineBlock_ApplicationSingleton::getLog()->notice(
-            'No EN displayName and name found for idp: ' . $identityProvider->entityId,
-            array('additional_info' => $additionalInfo->toArray())
-        );
-
-        return $identityProvider->entityId;
-    }
-
-    private function getNamePt(
-        IdentityProvider $identityProvider,
-        AdditionalInfo $additionalInfo
-    ) {
-        if ($identityProvider->getMdui()->hasDisplayName('pt')) {
-            return $identityProvider->getMdui()->getDisplayName('pt');
-        }
-
-        if ($identityProvider->namePt) {
-            return $identityProvider->namePt;
-        }
-
-        EngineBlock_ApplicationSingleton::getLog()->notice(
-            'No PT displayName and name found for idp: ' . $identityProvider->entityId,
-            array('additional_info' => $additionalInfo->toArray())
-        );
-
-        return $identityProvider->entityId;
-    }
-
-    private function getKeywords(string $locale, IdentityProvider $identityProvider)
-    {
-        if ($identityProvider->getMdui()->hasKeywords($locale)) {
-            return explode(' ', $identityProvider->getMdui()->getKeywords($locale));
-        }
-
-        // Fall back to EN if current language has no keywords
-        if ($identityProvider->getMdui()->hasKeywords('en')) {
-            return explode(' ', $identityProvider->getMdui()->getKeywords('en'));
-        }
-
-        return 'Undefined';
-    }
-
     /**
      * @param $serviceName
      * @return bool

library/EngineBlock/Corto/ProxyServer.php

@@ -472,7 +472,7 @@ public function sendStepupAuthenticationRequest(
         Loa $authnContextClassRef,
         NameID $nameId,
         bool $isForceAuthn,
-        Assertion $assertion
+        Assertion $originalAssertion
     ) {
         $ebRequest = EngineBlock_Saml2_AuthnRequestFactory::createFromRequest(
             $spRequest,
@@ -537,7 +537,7 @@ public function sendStepupAuthenticationRequest(
         if ($isSendUserAttributesConfigured && $isSendUserAttributesEnabled) {
             $stepupUserAttributes = $container->getStepupUserAttributes();
             if (!empty($stepupUserAttributes)) {
-                StepupGsspUserAttributeExtension::add($sspMessage, $assertion, $container->getStepupUserAttributes());
+                StepupGsspUserAttributeExtension::add($sspMessage, $originalAssertion, $container->getStepupUserAttributes());
             }
         }
 

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/Discoveries.feature

@@ -29,7 +29,7 @@ Feature:
         | Name                                      |  Value | Source |
         | urn:mace:dir:attribute-def:eduPersonOrcid | 123456 | voot   |
 
-  Scenario: The user is asked for consent to share information with the SP showing the discovery name instead of the IdP name
+  Scenario: The user is asked for consent to share information with the SP showing the discovery name
     Given I log in at "Dummy-SP"
     And I select IdP by label "Dummy Discovery" on the WAYF
     And I pass through EngineBlock
@@ -41,16 +41,3 @@ Feature:
     And the response should contain "Proceed to Dummy-SP"
     When I give my consent
     Then I pass through EngineBlock
-
-  Scenario: Showing the IdP name when the main IdP is used instead of the discovery
-    Given I log in at "Dummy-SP"
-    And I select IdP by label "Dummy-IdP" on the WAYF
-    And I pass through EngineBlock
-    And I pass through the IdP
-    Then the response should not contain "Do you agree with sharing this data?"
-    And the response should not contain "Yes, proceed to Dummy-SP"
-    And the response should contain "Dummy-SP will receive"
-    And the response should contain "provided by  <strong>Dummy-IdP</strong>"
-    And the response should contain "Proceed to Dummy-SP"
-    When I give my consent
-    Then I pass through EngineBlock

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/MockIdpContext.php

@@ -88,6 +88,8 @@ public function anIdentityProviderNamed($name, string $discoveryName = null)
         $discoveries = [];
         if ($discoveryName !== null) {
             $discoveries[] = Discovery::create(['en' => $discoveryName], [], null);
+        } else {
+            $discoveries[] = Discovery::create(['en' => $name], [], null);
         }
 
         $mockIdp = $this->mockIdpFactory->createNew($name);

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Stepup.feature

@@ -280,3 +280,14 @@ Feature:
       And I pass through EngineBlock
       And I pass through the IdP
     Then the received AuthnRequest should not match xpath '/samlp:AuthnRequest/samlp:Extensions/gssp:UserAttributes/saml:Attribute[@Name="urn:mace:dir:attribute-def:mail"]/saml:AttributeValue[text()="j.doe@institution-a.example.org"]'
+
+  Scenario: Stepup authentication should pass user attributes when configured even if an ARP is configured
+    Given feature "eb.stepup.send_user_attributes" is enabled
+      And the IdP "SSO-IdP" sends attribute "urn:mace:dir:attribute-def:mail" with value "j.doe@institution-a.example.org"
+      And SP "SSO-SP" requests LoA "http://dev.openconext.local/assurance/loa3"
+      And SP "SSO-SP" allows no attributes
+    When I log in at "SSO-SP"
+      And I select "SSO-IdP" on the WAYF
+      And I pass through EngineBlock
+      And I pass through the IdP
+    Then the received AuthnRequest should match xpath '/samlp:AuthnRequest/samlp:Extensions/gssp:UserAttributes/saml:Attribute[@Name="urn:mace:dir:attribute-def:mail"]/saml:AttributeValue[text()="j.doe@institution-a.example.org"]'