COmmit of intermediate work

composer.json

@@ -32,6 +32,7 @@
         "ext-json": "*",
         "ext-mbstring": "*",
         "ext-openssl": "*",
+        "doctrine/annotations": "^2.0",
         "guzzlehttp/guzzle": "^7",
         "incenteev/composer-parameter-handler": "~2.0",
         "jms/translation-bundle": "^2.0.0",

config/packages/security.yaml

@@ -20,15 +20,10 @@ security:
             security: false
 
         saml_based:
-            saml: true
-            logout:
-                path: /logout
-                #        success_handler: "self_service.security.authentication.handler.logout_success"
-                invalidate_session: true
-                csrf_token_generator: security.csrf.token_manager
-                csrf_parameter: 't'
-                csrf_token_id: 'self_service_logout_token'
+            custom_authenticators:
+                - Surfnet\SamlBundle\Security\Authentication\SamlAuthenticator
 
     access_control:
-        - { path: ^/authentication, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
+        - { path: ^/saml, roles: PUBLIC_ACCESS, requires_channel: https }
+        - { path: ^/authentication, roles: PUBLIC_ACCESS, requires_channel: https }
         - { path: ^/, roles: ROLE_USER, requires_channel: https }

config/packages/surfnet_saml.yaml

@@ -1,5 +1,5 @@
 surfnet_saml:
-  enable_authentication: false
+  enable_authentication: true
   hosted:
     attribute_dictionary:
       ignore_unknown_attributes: true

config/services.yaml

@@ -5,6 +5,10 @@ imports:
   - { resource: 'legacy/samlstepupproviders.yaml' }
 
 services:
+  # default configuration for services in *this* file
+  _defaults:
+    autowire: true      # Automatically injects dependencies in your services.
+    autoconfigure: true # Automatically registers your services as commands, event subscribers, etc.
 
   Surfnet\StepupSelfService\SelfServiceBundle\Controller\:
     # Setting class is redundant, but adds autocompletions for the IDE.
@@ -30,3 +34,30 @@ services:
 #  twig.extension.intl:
 #    class: Twig_Extensions_Extension_Intl
 #    tags: [{ name: twig.extension }]
+
+    # Firewall
+  surfnet_saml.saml_provider:
+    class: Surfnet\Controller\Security\AcsInitController
+    arguments:
+      - '@request_stack'
+      - '@Surfnet\SamlBundle\Entity\HostedEntities'
+      - '@Surfnet\SamlBundle\Entity\IdentityProvider'
+      - '@Surfnet\SamlBundle\Entity\IdentityProvider'
+      - '@logger'
+
+  Surfnet\Controller\Security\AcsInitController:
+    alias: surfnet_saml.saml_provider
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Service\InstitutionConfigurationOptionsService:
+    alias: self_service.service.institution_configuration_options
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Service\TestSecondFactor\TestAuthenticationRequestFactory:
+    alias: self_service.test_second_factor_authentication_request_factory
+
+  Surfnet\StepupSelfService\SelfServiceBundle\Service\SelfVetMarshaller:
+    alias: self_service.service.self_vet_marshaller
+#  self_service.service.institution_configuration_options:
+#    class: Surfnet\StepupSelfService\SelfServiceBundle\Service\InstitutionConfigurationOptionsService
+#    arguments:
+#      - "@surfnet_stepup_middleware_client.configuration.service.institution_configuration_options"
+#    public: true

src/Controller/Security/AcsInitController.php

@@ -0,0 +1,67 @@
+<?php
+
+/**
+ * Copyright 2016 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace YourApp\Controller\Saml;
+
+use Symfony\Component\Routing\Annotation\Route;
+use YourApp\Saml\AcsContextInterface;
+use Psr\Log\LoggerInterface;
+use Surfnet\SamlBundle\Entity\HostedEntities;
+use Surfnet\SamlBundle\Entity\IdentityProvider;
+use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class AcsInitController
+{
+    #[Route(path: '/saml/acs/init', name: 'saml_acs_init', requirements: ['_format' => 'xml'], methods: ['GET'])]
+    public function __invoke(
+        Request $httpRequest,
+        HostedEntities $hostedEntities,
+        IdentityProvider $idp,
+        AcsContextInterface $context,
+        LoggerInterface $logger
+    ): Response {
+        $request = AuthnRequestFactory::createNewRequest(
+            $hostedEntities->getServiceProvider(),
+            $idp
+        );
+
+        $logger->info(
+            sprintf(
+                'Starting SSO request with ID %s to IDP %s',
+                $request->getRequestId(),
+                $idp->getEntityId()
+            ),
+            ['request' => $request->getUnsignedXML()]
+        );
+
+        // Store the request so we can validate the response on acs respond.
+        $context->setAuthnRequest($request);
+
+        // That's it, we're good to go!
+        return new RedirectResponse(
+            sprintf(
+                '%s?%s',
+                $idp->getSsoUrl(),
+                $request->buildRequestQuery()
+            )
+        );
+    }
+}

src/Surfnet/StepupSelfService/SelfServiceBundle/Security/Firewall/SamlListener.php

@@ -25,12 +25,12 @@
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 
-class SamlListener
+readonly class SamlListener
 {
     public function __construct(
-        private readonly AuthenticationHandler $authenticationHandler,
-        private readonly SamlInteractionProvider $samlInteractionProvider,
-        private readonly LoggerInterface $logger
+        private AuthenticationHandler   $authenticationHandler,
+        private SamlInteractionProvider $samlInteractionProvider,
+        private LoggerInterface         $logger
     ) {
     }
 

src/Surfnet/StepupSelfService/SelfServiceBundle/Service/InstitutionConfigurationOptionsService.php

@@ -23,15 +23,12 @@
 
 class InstitutionConfigurationOptionsService
 {
-    public function __construct(private readonly ApiInstitutionConfigurationOptionsService $apiInstitutionConfigurationOptionsService)
-    {
+    public function __construct(
+        private readonly ApiInstitutionConfigurationOptionsService $apiInstitutionConfigurationOptionsService,
+    ) {
     }
 
-    /**
-     * @param string $institution
-     * @return null|InstitutionConfigurationOptions
-     */
-    public function getInstitutionConfigurationOptionsFor($institution)
+    public function getInstitutionConfigurationOptionsFor($institution): ?InstitutionConfigurationOptions
     {
         return $this->apiInstitutionConfigurationOptionsService->getInstitutionConfigurationOptionsFor($institution);
     }

symfony.lock

@@ -11,6 +11,15 @@
     "composer/xdebug-handler": {
         "version": "1.4.5"
     },
+    "doctrine/annotations": {
+        "version": "2.0",
+        "recipe": {
+            "repo": "github.com/symfony/recipes",
+            "branch": "main",
+            "version": "1.10",
+            "ref": "64d8583af5ea57b7afa4aba4b159907f3a148b05"
+        }
+    },
     "doctrine/cache": {
         "version": "2.1.1"
     },