Merge branch 'feature/fine-grained-authorization' of github.com:OpenConext/Stepup-Middleware into feature/fine-grained-authorization

Author: pablothedude

src/Surfnet/Stepup/Configuration/InstitutionConfiguration.php

@@ -469,19 +469,14 @@ public function getAggregateRootId()
     }
 
     /**
-     * Check if role is allowed
+     * Check if role from institution is allowed to accredit roles
      *
-     * @param RegistrationAuthorityRole $role
      * @param Institution $institution
      * @return bool
      */
-    public function isAllowed(RegistrationAuthorityRole $role, Institution $institution)
+    public function isInstitutionAllowedToAccreditRoles(Institution $institution)
     {
-        if ($role->isRa() && $this->useRaOption->hasInstitution($institution)) {
-            return true;
-        }
-
-        if ($role->isRaa() && $this->useRaaOption->hasInstitution($institution)) {
+        if ($this->selectRaaOption->hasInstitution($institution, $this->institution)) {
             return true;
         }
 

src/Surfnet/Stepup/Configuration/Value/InstitutionAuthorizationOption.php

@@ -182,11 +182,12 @@ public function getInstitutions(Institution $institution)
 
     /**
      * @param Institution $institution
+     * @param Institution $default
      * @return bool
      */
-    public function hasInstitution(Institution $institution)
+    public function hasInstitution(Institution $institution, Institution $default)
     {
-        $institutions = $this->getInstitutions($institution);
+        $institutions = $this->getInstitutions($default);
         $list = array_map(
             function (Institution $institution) {
                 return $institution->getInstitution();

src/Surfnet/Stepup/Identity/Identity.php

@@ -586,8 +586,8 @@ public function accreditWith(
     ) {
         $this->assertNotForgotten();
 
-        if (!$institutionConfiguration->isAllowed($role, new ConfigurationInstitution($institution->getInstitution()))) {
-            throw new DomainException('An Identity may only be accredited with configured institutions');
+        if (!$institutionConfiguration->isInstitutionAllowedToAccreditRoles(new ConfigurationInstitution($institution->getInstitution()))) {
+            throw new DomainException('An Identity may only be accredited by configured institutions.');
         }
 
         if (!$this->vettedSecondFactors->count()) {
@@ -661,7 +661,7 @@ public function appointAs(
     ) {
         $this->assertNotForgotten();
 
-        if (!$institutionConfiguration->isAllowed($role, new ConfigurationInstitution($institution->getInstitution()))) {
+        if (!$institutionConfiguration->isInstitutionAllowedToAccreditRoles(new ConfigurationInstitution($institution->getInstitution()))) {
             throw new DomainException(
                 'Cannot appoint as different RegistrationAuthorityRole: identity is not a registration authority for institution'
             );

src/Surfnet/Stepup/Tests/Configuration/Value/InstitutionAuthorizationOptionTest.php

@@ -162,7 +162,7 @@ public function the_has_institution_method_should_check_for_institutions($expect
         }
         $option = InstitutionAuthorizationOption::fromInstitutions(InstitutionRole::useRa(), $this->institution, $list);
 
-        $this->assertEquals($expectation, $option->hasInstitution($institution));
+        $this->assertEquals($expectation, $option->hasInstitution($institution, $this->institution));
     }
 
 

src/Surfnet/StepupMiddleware/CommandHandlingBundle/Identity/CommandHandler/RegistrationAuthorityCommandHandler.php

@@ -101,7 +101,7 @@ public function handleAppointRoleCommand(AppointRoleCommand $command)
         /** @var \Surfnet\Stepup\Identity\Api\Identity $identity */
         $identity = $this->repository->load(new IdentityId($command->identityId));
 
-        $institutionConfiguration = $this->loadInstitutionConfigurationFor(new Institution($identity->getInstitution()->getInstitution()));
+        $institutionConfiguration = $this->loadInstitutionConfigurationFor(new Institution($command->raInstitution));
 
         $newRole = $this->assertValidRoleAndConvertIfValid($command->role, $command->UUID);
 

src/Surfnet/StepupMiddleware/CommandHandlingBundle/Tests/Identity/CommandHandler/RegistrationAuthorityCommandHandlerTest.php

@@ -100,9 +100,9 @@ protected function createCommandHandler(EventStoreInterface $eventStore, EventBu
      * @group                    command-handler
      * @group                    ra-command-handler
      * @expectedException        \Surfnet\Stepup\Exception\DomainException
-     * @expectedExceptionMessage An Identity may only be accredited with configured institutions
+     * @expectedExceptionMessage An Identity may only be accredited by configured institutions
      */
-    public function an_identity_cannot_be_accredited_for_another_institution_than_its_own()
+    public function an_identity_cannot_be_accredited_for_another_institution_than_configured()
     {
         $command                     = new AccreditIdentityCommand();
         $command->identityId         = static::uuid();
@@ -121,7 +121,7 @@ public function an_identity_cannot_be_accredited_for_another_institution_than_it
         $secondFactorPublicId = new YubikeyPublicId('8329283834');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(false);
 
         $this->scenario
@@ -173,7 +173,7 @@ public function an_identity_cannot_be_accredited_when_it_does_not_have_a_vetted_
         $commonName           = new CommonName('Henk Westbroek');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -218,7 +218,7 @@ public function an_identity_cannot_be_accredited_when_it_already_has_been_accred
         $secondFactorPublicId = new YubikeyPublicId('8329283834');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -332,7 +332,7 @@ public function an_identity_can_be_accredited_with_ra_role()
         $raInstitution        = new Institution($command->raInstitution);
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -398,7 +398,7 @@ public function an_identity_can_be_accredited_with_raa_role()
         $secondFactorPublicId = new YubikeyPublicId('8329283834');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -584,7 +584,7 @@ public function an_identity_without_vetted_second_factor_may_not_be_accredited_a
         $commonName           = new CommonName('Henk Westbroek');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -627,7 +627,7 @@ public function an_identity_with_a_vetted_second_factor_can_be_accredited_as_ra(
         $raInstitution        = new Institution($command->raInstitution);
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -694,7 +694,7 @@ public function an_identity_cannot_be_accredited_twice()
         $secondFactorPublicId = new YubikeyPublicId('8329283834');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -800,7 +800,7 @@ public function an_identity_that_is_accredited_as_raa_can_be_appointed_as_ra()
         $secondFactorPublicId = new YubikeyPublicId('8329283834');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -867,7 +867,7 @@ public function an_identity_that_is_accredited_as_ra_can_be_appointed_as_raa()
         $secondFactorPublicId = new YubikeyPublicId('8329283834');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(true);
 
         $this->scenario
@@ -935,7 +935,7 @@ public function an_unaccredited_identity_cannot_be_appointed_a_registration_auth
         $secondFactorPublicId = new YubikeyPublicId('8329283834');
 
         $this->institutionConfiguration
-            ->shouldReceive('isAllowed')
+            ->shouldReceive('isInstitutionAllowedToAccreditRoles')
             ->andReturn(false);
 
         $this->scenario