Merge pull request #1160 from OpenConext/feature/engin-api-remove-consent

Support removal of consent by collab person id and SP entity id

Author: MKodde

app/config/config.yml

@@ -17,6 +17,7 @@ open_conext_engine_block:
     features:
         api.metadata_push:   "%feature_api_metadata_push%"
         api.consent_listing: "%feature_api_consent_listing%"
+        api.consent_remove: "%feature_api_consent_remove%"
         api.metadata_api:    "%feature_api_metadata_api%"
         api.deprovision:     "%feature_api_deprovision%"
         eb.encrypted_assertions: "%feature_eb_encrypted_assertions%"

app/config/parameters.yml.dist

@@ -212,6 +212,7 @@ parameters:
     feature_eb_encrypted_assertions_require_outer_signature: true
     feature_api_metadata_push: true
     feature_api_consent_listing: true
+    feature_api_consent_remove: true
     feature_api_metadata_api: true
     feature_api_deprovision: true
     feature_run_all_manipulations_prior_to_consent: false

database/DoctrineMigrations/Version20220425090852.php

@@ -0,0 +1,34 @@
+<?php declare(strict_types=1);
+
+namespace OpenConext\EngineBlock\Doctrine\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20220425090852 extends AbstractMigration
+{
+    public function up(Schema $schema) : void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on \'mysql\'.');
+
+        $this->addSql('ALTER TABLE consent DROP PRIMARY KEY');
+        $this->addSql('ALTER TABLE consent ADD deleted_at DATETIME NOT NULL');
+        $this->addSql('CREATE INDEX deleted_at ON consent (deleted_at)');
+        $this->addSql('ALTER TABLE consent ADD PRIMARY KEY (hashed_user_id, service_id, deleted_at)');
+    }
+
+    public function down(Schema $schema) : void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on \'mysql\'.');
+
+        $this->addSql('DROP INDEX deleted_at ON consent');
+        $this->addSql('ALTER TABLE consent DROP PRIMARY KEY');
+        $this->addSql('ALTER TABLE consent DROP deleted_at');
+        $this->addSql('ALTER TABLE consent ADD PRIMARY KEY (hashed_user_id, service_id)');
+    }
+}

library/EngineBlock/Corto/Model/Consent.php

@@ -149,8 +149,8 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType)
             return false;
         }
 
-        $query = "INSERT INTO consent (hashed_user_id, service_id, attribute, consent_type, consent_date)
-                  VALUES (?, ?, ?, ?, NOW())
+        $query = "INSERT INTO consent (hashed_user_id, service_id, attribute, consent_type, consent_date, deleted_at)
+                  VALUES (?, ?, ?, ?, NOW(), '0000-00-00 00:00:00')
                   ON DUPLICATE KEY UPDATE attribute=VALUES(attribute), consent_type=VALUES(consent_type), consent_date=NOW()";
         $parameters = array(
             sha1($this->_getConsentUid()),
@@ -174,7 +174,6 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType)
                 EngineBlock_Exception::CODE_CRITICAL
             );
         }
-
         return true;
     }
 
@@ -188,7 +187,15 @@ private function _hasStoredConsent(ServiceProvider $serviceProvider, $consentTyp
 
             $attributesHash = $this->_getAttributesHash($this->_responseAttributes);
 
-            $query = "SELECT * FROM {$this->_tableName} WHERE hashed_user_id = ? AND service_id = ? AND attribute = ? AND consent_type = ?";
+            $query = "
+                SELECT *
+                FROM {$this->_tableName}
+                WHERE hashed_user_id = ?
+                  AND service_id = ?
+                  AND attribute = ?
+                  AND consent_type = ?
+                  AND deleted_at IS NULL
+            ";
             $hashedUserId = sha1($this->_getConsentUid());
             $parameters = array(
                 $hashedUserId,

library/EngineBlock/User.php

@@ -59,7 +59,8 @@ public function getConsent()
     {
         $pdo = $this->_getDatabaseConnection();
         $query = 'SELECT service_id FROM consent
-                    WHERE hashed_user_id = ?';
+                    WHERE hashed_user_id = ?
+                    AND deleted_at IS NULL';
         $parameters = array(
             sha1($this->getUid())
         );

src/OpenConext/EngineBlock/Authentication/Repository/ConsentRepository.php

@@ -35,4 +35,6 @@ public function findAllFor($userId);
      * @return Consent[]
      */
     public function deleteAllFor($userId);
+
+    public function deleteOneFor(string $userId, string $serviceProviderEntityId): bool;
 }

src/OpenConext/EngineBlock/Service/ConsentService.php

@@ -23,9 +23,11 @@
 use OpenConext\EngineBlock\Authentication\Dto\ConsentList;
 use OpenConext\EngineBlock\Authentication\Model\Consent as ConsentEntity;
 use OpenConext\EngineBlock\Authentication\Repository\ConsentRepository;
+use OpenConext\EngineBlock\Authentication\Value\CollabPersonId;
 use OpenConext\EngineBlock\Exception\RuntimeException;
 use OpenConext\Value\Saml\EntityId;
 use Psr\Log\LoggerInterface;
+use function sprintf;
 
 final class ConsentService implements ConsentServiceInterface
 {
@@ -46,7 +48,7 @@ final class ConsentService implements ConsentServiceInterface
 
     public function __construct(
         ConsentRepository $consentRepository,
-        MetadataService $metadataService,
+        MetadataServiceInterface $metadataService,
         LoggerInterface $logger
     ) {
         $this->consentRepository = $consentRepository;
@@ -92,6 +94,24 @@ public function countAllFor($userId)
         return count($consents);
     }
 
+    public function deleteOneConsentFor(CollabPersonId $id, string $serviceProviderEntityId): bool
+    {
+        $collabPersonId = $id->getCollabPersonId();
+        try {
+            return $this->consentRepository->deleteOneFor($collabPersonId, $serviceProviderEntityId);
+        } catch (Exception $e) {
+            throw new RuntimeException(
+                sprintf(
+                    'An exception occurred while removing consent for a service provider("%s") and user ("%s").',
+                    $serviceProviderEntityId,
+                    $collabPersonId
+                ),
+                0,
+                $e
+            );
+        }
+    }
+
     /**
      * @param ConsentEntity $consent
      * @return Consent|null

src/OpenConext/EngineBlock/Service/ConsentServiceInterface.php

@@ -19,6 +19,7 @@
 namespace OpenConext\EngineBlock\Service;
 
 use OpenConext\EngineBlock\Authentication\Dto\ConsentList;
+use OpenConext\EngineBlock\Authentication\Value\CollabPersonId;
 
 interface ConsentServiceInterface
 {
@@ -33,4 +34,6 @@ public function findAllFor($userId);
      * @return int
      */
     public function countAllFor($userId);
+
+    public function deleteOneConsentFor(CollabPersonId $id, string $serviceProviderEntityId): bool;
 }

src/OpenConext/EngineBlock/Service/DeprovisionService.php

@@ -18,12 +18,15 @@
 
 namespace OpenConext\EngineBlock\Service;
 
+use Exception;
 use OpenConext\EngineBlock\Authentication\Model\User;
 use OpenConext\EngineBlock\Authentication\Repository\ConsentRepository;
 use OpenConext\EngineBlock\Authentication\Repository\UserDirectory;
 use OpenConext\EngineBlock\Authentication\Value\CollabPersonId;
+use OpenConext\EngineBlock\Exception\RuntimeException;
 use OpenConext\EngineBlockBundle\Authentication\Repository\SamlPersistentIdRepository;
 use OpenConext\EngineBlockBundle\Authentication\Repository\ServiceProviderUuidRepository;
+use function sprintf;
 
 final class DeprovisionService implements DeprovisionServiceInterface
 {

src/OpenConext/EngineBlock/Service/MetadataService.php

@@ -25,7 +25,7 @@
 use OpenConext\EngineBlock\Metadata\MetadataRepository\MetadataRepositoryInterface;
 use OpenConext\Value\Saml\EntityId;
 
-final class MetadataService
+final class MetadataService implements MetadataServiceInterface
 {
     /**
      * @var MetadataRepositoryInterface
@@ -37,11 +37,7 @@ public function __construct(MetadataRepositoryInterface $metadataRepository)
         $this->metadataRepository = $metadataRepository;
     }
 
-    /**
-     * @param EntityId $entityId
-     * @return null|IdentityProvider
-     */
-    public function findIdentityProvider(EntityId $entityId)
+    public function findIdentityProvider(EntityId $entityId): ?IdentityProvider
     {
         try {
             $identityProvider = $this->metadataRepository->fetchIdentityProviderByEntityId($entityId->getEntityId());
@@ -52,11 +48,7 @@ public function findIdentityProvider(EntityId $entityId)
         return $identityProvider;
     }
 
-    /**
-     * @param EntityId $entityId
-     * @return null|ServiceProvider
-     */
-    public function findServiceProvider(EntityId $entityId)
+    public function findServiceProvider(EntityId $entityId): ?ServiceProvider
     {
         try {
             $serviceProvider = $this->metadataRepository->fetchServiceProviderByEntityId($entityId->getEntityId());
@@ -67,11 +59,7 @@ public function findServiceProvider(EntityId $entityId)
         return $serviceProvider;
     }
 
-    /**
-     * @param EntityId $entityId
-     * @return null|AttributeReleasePolicy
-     */
-    public function findArpForServiceProviderByEntityId(EntityId $entityId)
+    public function findArpForServiceProviderByEntityId(EntityId $entityId): ?AttributeReleasePolicy
     {
         $serviceProvider = $this->findServiceProvider($entityId);