Move to generic client instantiation to client repo

Author: cicnavi

src/Admin/Authorization.php

@@ -9,17 +9,20 @@
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
 use SimpleSAML\Module\oidc\Services\AuthContextService;
+use SimpleSAML\Module\oidc\Services\LoggerService;
 
 class Authorization
 {
     public function __construct(
         protected readonly SspBridge $sspBridge,
         protected readonly AuthContextService $authContextService,
+        protected readonly LoggerService $loggerService,
     ) {
     }
 
     public function isAdmin(): bool
     {
+        $this->loggerService->debug('Authorization::isAdmin');
         return $this->sspBridge->utils()->auth()->isAdmin();
     }
 
@@ -28,10 +31,19 @@ public function isAdmin(): bool
      */
     public function requireAdmin(bool $forceAdminAuthentication = false): void
     {
+        $this->loggerService->debug('Authorization::requireAdmin');
+        $this->loggerService->debug(
+            'Authorization: Force admin authentication:',
+            ['forceAdminAuthentication' => $forceAdminAuthentication],
+        );
         if ($forceAdminAuthentication) {
+            $this->loggerService->debug('Authorization: Forcing admin authentication.');
             try {
                 $this->sspBridge->utils()->auth()->requireAdmin();
             } catch (Exception $exception) {
+                $this->loggerService->error(
+                    'Authorization: Forcing admin authentication failed: ' . $exception->getMessage(),
+                );
                 throw new AuthorizationException(
                     Translate::noop('Unable to initiate SimpleSAMLphp admin authentication.'),
                     $exception->getCode(),
@@ -41,7 +53,10 @@ public function requireAdmin(bool $forceAdminAuthentication = false): void
         }
 
         if (! $this->isAdmin()) {
+            $this->loggerService->error('Authorization: User is NOT admin.');
             throw new AuthorizationException(Translate::noop('SimpleSAMLphp admin access required.'));
+        } else {
+            $this->loggerService->debug('Authorization: User is admin.');
         }
     }
 
@@ -50,16 +65,29 @@ public function requireAdmin(bool $forceAdminAuthentication = false): void
      */
     public function requireAdminOrUserWithPermission(string $permission): void
     {
+        $this->loggerService->debug('Authorization::requireAdminOrUserWithPermission');
+        $this->loggerService->debug('Authorization: For permission: ' . $permission);
+
         if ($this->isAdmin()) {
+            $this->loggerService->debug('Authorization: User is admin, returning.');
             return;
+        } else {
+            $this->loggerService->debug('Authorization: User is not (authenticated as) admin.');
         }
 
         try {
+            $this->loggerService->debug('Authorization: Checking for user permission.');
             $this->authContextService->requirePermission($permission);
-        } catch (\Exception) {
-            // TODO mivanci v7 log this exception
+            $this->loggerService->debug('Authorization: User has permission, returning.');
+            return;
+        } catch (\Exception $exception) {
+            $this->loggerService->warning(
+                'Authorization: User permission check failed: ' . $exception->getMessage(),
+            );
         }
 
+        $this->loggerService->debug('Authorization: Falling back to admin authentication.');
+
         // If we get here, the user does not have the required permission, or permissions are not enabled.
         // Fallback to admin authentication.
         $this->requireAdmin(true);

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -69,21 +69,22 @@ public function __construct(
      */
     public function credential(Request $request): Response
     {
+        $this->loggerService->debug('CredentialIssuerCredentialController::credential');
+
         $requestData = $this->requestParamsResolver->getAllFromRequestBasedOnAllowedMethods(
             $this->psrHttpBridge->getPsrHttpFactory()->createRequest($request),
             [HttpMethodsEnum::POST],
         );
 
         $this->loggerService->debug(
-            'CredentialIssuerCredentialController::credential: Verifiable Credential request data: ',
+            'CredentialIssuerCredentialController: Request data: ',
             $requestData,
         );
 
         $authorization = $this->resourceServer->validateAuthenticatedRequest(
             $this->psrHttpBridge->getPsrHttpFactory()->createRequest($request),
         );
 
-        // TODO mivanci validate access token
         $accessToken = $this->accessTokenRepository->findById(
             (string)$authorization->getAttribute('oauth_access_token_id'),
         );
@@ -109,8 +110,8 @@ public function credential(Request $request): Response
             $flowType->isVciFlow() === false
         ) {
             $this->loggerService->warning(
-                'CredentialIssuerCredentialController::credential: Access token is not intended for verifiable' .
-                ' credential issuance.',
+                'CredentialIssuerCredentialController::credential: Access token is not intended for Verifiable' .
+                ' Credential Issuance.',
                 ['access_token' => $accessToken],
             );
             return $this->routes->newJsonErrorResponse(

src/Factories/CredentialOfferUriFactory.php

@@ -13,7 +13,6 @@
 use SimpleSAML\Module\oidc\Entities\ScopeEntity;
 use SimpleSAML\Module\oidc\Entities\UserEntity;
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\IssuerStateEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
@@ -36,7 +35,6 @@ public function __construct(
         protected readonly SspBridge $sspBridge,
         protected readonly AuthCodeRepository $authCodeRepository,
         protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
-        protected readonly ClientEntityFactory $clientEntityFactory,
         protected readonly ClientRepository $clientRepository,
         protected readonly LoggerService $loggerService,
         protected readonly UserRepository $userRepository,
@@ -132,13 +130,9 @@ public function buildPreAuthorized(
         );
 
         // Currently, we need a dedicated client for which the PreAuthZed code will be bound to.
-        // TODO mivanci: Remove requirement for dedicated client for (pre-)authorization codes.
-        $client = $this->clientEntityFactory->getGenericForVci();
-        if ($this->clientRepository->findById($client->getIdentifier()) === null) {
-            $this->clientRepository->add($client);
-        } else {
-            $this->clientRepository->update($client);
-        }
+        // TODO mivanci: Remove requirement for dedicated client for (pre-)authorization codes once the dynamic
+        // client registration is enabled.
+        $client = $this->clientRepository->getGenericForVci();
 
         $userId = null;
         try {

src/Repositories/ClientRepository.php

@@ -564,4 +564,16 @@ protected function preparePdoState(array $state): array
 
         return $state;
     }
+
+    public function getGenericForVci(): ClientEntityInterface
+    {
+        $client = $this->clientEntityFactory->getGenericForVci();
+        if ($this->findById($client->getIdentifier()) === null) {
+            $this->add($client);
+        } else {
+            $this->update($client);
+        }
+
+        return $client;
+    }
 }

src/Server/RequestRules/Rules/ClientRule.php

@@ -132,7 +132,7 @@ public function checkRule(
                 'Falling back to generic VCI client.',
             );
 
-            return new Result($this->getKey(), $this->getGenericVciClient());
+            return new Result($this->getKey(), $this->clientRepository->getGenericForVci());
         } else {
             $this->loggerService->debug(
                 'ClientRule: Not a VCI request, or VCI capabilities not enabled, or VCI with non-registered' .
@@ -365,16 +365,4 @@ public function resolveFromFederation(
 
         return $registrationClient;
     }
-
-    protected function getGenericVciClient(): ClientEntityInterface
-    {
-        $client = $this->clientEntityFactory->getGenericForVci();
-        if ($this->clientRepository->findById($client->getIdentifier()) === null) {
-            $this->clientRepository->add($client);
-        } else {
-            $this->clientRepository->update($client);
-        }
-
-        return $client;
-    }
 }

tests/unit/src/Admin/AuthorizationTest.php

@@ -13,6 +13,7 @@
 use SimpleSAML\Module\oidc\Bridges\SspBridge\Utils;
 use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
 use SimpleSAML\Module\oidc\Services\AuthContextService;
+use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Utils\Auth;
 
 #[CoversClass(Authorization::class)]
@@ -22,6 +23,7 @@ class AuthorizationTest extends TestCase
     protected MockObject $sspBridgeUtilsMock;
     protected MockObject $sspBridgeUtilsAuthMock;
     protected MockObject $authContextServiceMock;
+    protected MockObject $loggerServiceMock;
 
     protected function setUp(): void
     {
@@ -32,16 +34,19 @@ protected function setUp(): void
         $this->sspBridgeUtilsMock->method('auth')->willReturn($this->sspBridgeUtilsAuthMock);
 
         $this->authContextServiceMock = $this->createMock(AuthContextService::class);
+        $this->loggerServiceMock = $this->createMock(LoggerService::class);
     }
 
     protected function sut(
         ?SspBridge $sspBridge = null,
         ?AuthContextService $authContextService = null,
+        ?LoggerService $loggerService = null,
     ): Authorization {
         $sspBridge ??= $this->sspBridgeMock;
         $authContextService ??= $this->authContextServiceMock;
+        $loggerService ??= $this->loggerServiceMock;
 
-        return new Authorization($sspBridge, $authContextService);
+        return new Authorization($sspBridge, $authContextService, $loggerService);
     }
 
     public function testCanCreateInstance(): void
@@ -100,7 +105,7 @@ public function testRequireAdminOrUserWithPermissionReturnsIfUser(): void
                 false,
                 true, // After requireAdmin called, isAdmin will return true
             );
-        $this->sspBridgeUtilsAuthMock->expects($this->once())->method('requireAdmin');
+        $this->sspBridgeUtilsAuthMock->expects($this->never())->method('requireAdmin');
         $this->authContextServiceMock->expects($this->once())->method('requirePermission');
 
         $this->sut()->requireAdminOrUserWithPermission('permission');