Open
Conversation
MKodde
requested changes
May 20, 2021
Member
MKodde
left a comment
MKodde
left a comment
There was a problem hiding this comment.
A first review looks very promising! See some improvement suggestions below.
src/OpenConext/EngineBlock/Service/Consent/ConsentHashService.php
Outdated
Show resolved
Hide resolved
src/OpenConext/EngineBlock/Service/Consent/ConsentHashService.php
Outdated
Show resolved
Hide resolved
tests/unit/OpenConext/EngineBlock/Service/Consent/ConsentHashServiceTest.php
Outdated
Show resolved
Hide resolved
Badlapje
force-pushed
the
feature/stabilize-consent-hash
branch
6 times, most recently
from
4e3a85e to
dff4b53
Compare
Badlapje
force-pushed
the
feature/stabilize-consent-hash
branch
from
dff4b53 to
595c767
Compare
BackEndTea
reviewed
Jun 7, 2021
src/OpenConext/EngineBlock/Service/Consent/ConsentHashService.php
Outdated
Show resolved
Hide resolved
MKodde
force-pushed
the
feature/stabilize-consent-hash
branch
8 times, most recently
from
c716bf8 to
a5dd163
Compare
thijskh
reviewed
May 4, 2022
src/OpenConext/EngineBlockBundle/Authentication/Repository/DbalConsentRepository.php
Outdated
Show resolved
Hide resolved
MKodde
force-pushed
the
feature/stabilize-consent-hash
branch
from
26e8ac1 to
145ebd9
Compare
kayjoosten
added a commit
that referenced
this pull request
Mar 9, 2026
Based on requirements from issue #1721, PR #1137 review threads, and newly added code paths: ConsentIntegrationTest: - test_upgrade_not_applied_when_no_consent_given: upgradeAttributeHashFor does nothing when hasConsentHash returns notGiven() - test_upgrade_continues_gracefully_when_attributes_changed: when updateConsentHash returns false (0 rows, attributes changed since consent was given), upgradeAttributeHashFor must not throw ConsentTest (eb4): - testNullNameIdReturnsNoConsentWithoutCallingRepository: when getNameIdValue() returns null, all three private guards (_storeConsent, _hasStoredConsent, _updateConsent) must return early without touching the repository ConsentVersionTest (new): - isStable/isUnstable/given behaviour for all three states - invalid value throws InvalidArgumentException ConsentHashServiceTest: - test_stable_attribute_hash_attribute_name_casing_normalized: issue #1721 explicitly requires 'Case normalize all attribute names'; verifies keys like 'displayName' and 'DISPLAYNAME' produce the same hash - test_stable_attribute_hash_attribute_name_ordering_normalized: issue #1721 requires 'Sort all attribute names'; verifies key order is stable
kayjoosten
force-pushed
the
feature/stabilize-consent-hash
branch
from
d30ca90 to
b183015
Compare
kayjoosten
added a commit
that referenced
this pull request
Mar 9, 2026
Based on requirements from issue #1721, PR #1137 review threads, and newly added code paths: ConsentIntegrationTest: - test_upgrade_not_applied_when_no_consent_given: upgradeAttributeHashFor does nothing when hasConsentHash returns notGiven() - test_upgrade_continues_gracefully_when_attributes_changed: when updateConsentHash returns false (0 rows, attributes changed since consent was given), upgradeAttributeHashFor must not throw ConsentTest (eb4): - testNullNameIdReturnsNoConsentWithoutCallingRepository: when getNameIdValue() returns null, all three private guards (_storeConsent, _hasStoredConsent, _updateConsent) must return early without touching the repository ConsentVersionTest (new): - isStable/isUnstable/given behaviour for all three states - invalid value throws InvalidArgumentException ConsentHashServiceTest: - test_stable_attribute_hash_attribute_name_casing_normalized: issue #1721 explicitly requires 'Case normalize all attribute names'; verifies keys like 'displayName' and 'DISPLAYNAME' produce the same hash - test_stable_attribute_hash_attribute_name_ordering_normalized: issue #1721 requires 'Sort all attribute names'; verifies key order is stable
kayjoosten
force-pushed
the
feature/stabilize-consent-hash
branch
from
b183015 to
c3faaec
Compare
Contributor
|
As we disscused we will make a feature toggle to set the old column to a null value when the new consent hash is set |
kayjoosten
added a commit
that referenced
this pull request
Mar 16, 2026
Based on requirements from issue #1721, PR #1137 review threads, and newly added code paths: ConsentIntegrationTest: - test_upgrade_not_applied_when_no_consent_given: upgradeAttributeHashFor does nothing when hasConsentHash returns notGiven() - test_upgrade_continues_gracefully_when_attributes_changed: when updateConsentHash returns false (0 rows, attributes changed since consent was given), upgradeAttributeHashFor must not throw ConsentTest (eb4): - testNullNameIdReturnsNoConsentWithoutCallingRepository: when getNameIdValue() returns null, all three private guards (_storeConsent, _hasStoredConsent, _updateConsent) must return early without touching the repository ConsentVersionTest (new): - isStable/isUnstable/given behaviour for all three states - invalid value throws InvalidArgumentException ConsentHashServiceTest: - test_stable_attribute_hash_attribute_name_casing_normalized: issue #1721 explicitly requires 'Case normalize all attribute names'; verifies keys like 'displayName' and 'DISPLAYNAME' produce the same hash - test_stable_attribute_hash_attribute_name_ordering_normalized: issue #1721 requires 'Sort all attribute names'; verifies key order is stable
kayjoosten
force-pushed
the
feature/stabilize-consent-hash
branch
7 times, most recently
from
b5009cb to
260c436
Compare
johanib
reviewed
Mar 26, 2026
johanib
reviewed
Mar 30, 2026
johanib
force-pushed
the
feature/stabilize-consent-hash
branch
from
df2737c to
868562f
Compare
Prior to this change, all consent hashing and persistence logic lived inside the legacy Corto consent model (a God object). This commit extracts a dedicated ConsentHashService that encapsulates both the existing (unstable) hashing algorithm and a new stable hashing algorithm. - Add ConsentHashService with both old and stable hashing methods - Move DB consent queries to the existing DbalConsentRepository, applying naming conventions to query methods - Extract ConsentHashServiceInterface to allow mocking in tests (the concrete class is final) - Wire up service configuration Pivotal ticket: https://www.pivotaltracker.com/story/show/176513931
The old consent hash was sensitive to attribute ordering, case changes, stray empty attributes, and sparse array indexes — causing spurious re-consent prompts. This commit introduces a stable hashing algorithm alongside the existing one, with a migration path that avoids invalidating all existing consent records at once. Key changes: - Add `attribute_stable` VARCHAR(80) nullable column to `consent` table; make existing `attribute` column nullable for future cleanup - Add ConsentVersion value object with three states: stable, unstable, not-given (replaces boolean return from consent-check methods) - Retrieve old-style and new-style attribute hash in a single query instead of two sequential lookups - When existing consent matches only the unstable hash, silently upgrade by writing the stable hash (no re-consent prompt shown) - Newly given consent is stored with the stable hash - Normalize NameID objects before hashing to prevent serialization errors - Only fetch stored consent when consent is enabled (short-circuit optimization) The migration strategy (from the Pivotal story): - Existing consent hashing is left untouched - Consent lookup checks both old and new hash: match on either means consent was given - New consent is stored with the new stable hash - Old consent that matches unstable hash is upgraded in-place Pivotal ticket: https://www.pivotaltracker.com/story/show/176513931
Introduces the `feature_stable_consent_hash_migration` toggle (default: false) to control when the legacy `attribute` column is phased out, and adds edge-case test coverage. Toggle OFF (default): new consent writes both `attribute` and `attribute_stable` so old EB instances still find records during a rolling deploy; hash upgrades leave `attribute` intact. Toggle ON: new consent writes only `attribute_stable` (attribute=NULL) and upgrades null the old column, cleaning it up over time once all instances run the new version. Also: - Add edge-case tests for consent hash versioning - Fix test configuration for consent scenarios - Drop redundant unserialize/serialize deep copies in ConsentHashService (PHP passes arrays by value; a mutation-safety regression test is added to guard against future changes)
* refactor: convert ConsentType to a PHP 8.1 backed enum Replace the ConsentType value class (with its deprecated public constructor since ~2015) with a proper backed enum. - ConsentType is now `enum ConsentType: string` with cases Explicit = 'explicit' and Implicit = 'implicit' - The deprecated public constructor, the explicit()/implicit() named constructors and the equals() method are removed - DbalConsentRepository uses ConsentType::from() to hydrate from DB - Legacy Consent model methods now accept ConsentType and pass ->value into SQL parameter arrays - All call sites updated from TYPE_EXPLICIT/TYPE_IMPLICIT constants and named constructors to enum cases - ConsentTypeTest updated: invalid-string rejection tested via from(), equality via assertSame() on enum singletons
johanib
force-pushed
the
feature/stabilize-consent-hash
branch
from
868562f to
e52f282
Compare
…eanup
Encapsulate stable consent hash normalisation in the ConsentAttributes
value object. The raw-array + boolean flag signature of
getStableAttributesHash scattered the "which strategy" decision across
every call boundary. ConsentAttributes with named constructors
(withValues / namesOnly) makes the strategy choice once at the call
site, removes the boolean from downstream signatures, and centralises
all normalisation logic with a single testable output (getCompareValue).
Also in this commit:
- Use Symfony DI for Consent factory instead of relying on the old Corto
service provider singleton (EngineBlock_ApplicationSingleton)
- Make empty-attribute stripping explicit: rename sortArrayRecursive to
sortRecursive (sort-only), make removeEmptyAttributes recursive so
nested empty sub-values are stripped without relying on the sort pass
- Add tests pinning the empty-attribute stripping policy:
* Attribute going from having values to empty array -> different hash
(triggers re-consent: SP was receiving data, now isn't)
* Stray empty string in value list -> stripped, same hash as without it
(no spurious re-consent)
* Zero values (0, 0.0, "0") -> preserved, not stripped
- Remove unused parameters and properties
- Add CHANGELOG entry for feature_stable_consent_hash_migration
- Annotate deprecated code for removal after next release
- Expand unit test coverage for consent hashing
johanib
force-pushed
the
feature/stabilize-consent-hash
branch
from
e52f282 to
ed2bcf2
Compare
Contributor
|
@kayjoosten @MKodde Can you do a review? |
kayjoosten
reviewed
Mar 30, 2026
|
|
||
| use OpenConext\EngineBlock\Assert\Assertion; | ||
|
|
||
| final class ConsentVersion |
Contributor
There was a problem hiding this comment.
note: this could have been a enum. Don't you agree?
| $this->addSql('ALTER TABLE consent ADD attribute_stable VARCHAR(80) DEFAULT NULL, CHANGE attribute attribute VARCHAR(80) DEFAULT NULL'); | ||
| } | ||
|
|
||
| public function down(Schema $schema): void |
Contributor
There was a problem hiding this comment.
Maybe we should remove the down. This looks like trouble when both cols are null
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Prior to this commit, there was no stable hashing algorithm used for consent attributes. Casing, order of attributes, ... could all change the hash used to store consent attributes. As such, it couldn't be relied upon.
This commit adds a stable hashing algorithm. It stores all new consent attributes with the new hash, but when retrieving does so checking first the old hash and then the new one.
Edit 4-5-2022 MKodde
After @Badlapje s work was finished on the project, I inherited his work and have finished the work remaining on this ticket.
The QA tests fail on a security check on the JS dependencies. This will be fixed on another PR.
Pivotal ticket: https://www.pivotaltracker.com/story/show/176513931