Determine authorizations based on RA listing

MKodde · MKodde · commit 9347353058b2 · 2024-02-19T15:31:29.000+01:00
The institution configuration FGA auth rules are evaluated to specify
which institutions the RA(A) is active at. But these rules were not
matched against the actual rules accredited to the RA(A). This made it
possible that a RA would be granted RAA rights even tho it had only RA
rights for his/her institution(s)

By evaluating the RA listing authorizations alongside the insittutional
authz, we now have a realistic vision of the roles of the RA(A)
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Controller/ProfileController.php b/src/Surfnet/StepupMiddleware/ApiBundle/Controller/ProfileController.php
@@ -18,12 +18,14 @@
 
 namespace Surfnet\StepupMiddleware\ApiBundle\Controller;
 
+use Psr\Log\LoggerInterface;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\ProfileService;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use function sprintf;
 
 class ProfileController extends Controller
 {
@@ -32,10 +34,15 @@ class ProfileController extends Controller
      */
     private $profileService;
 
+    /** @var LoggerInterface */
+    private $logger;
+
     public function __construct(
-        ProfileService $profileService
+        ProfileService $profileService,
+        LoggerInterface $logger
     ) {
         $this->profileService = $profileService;
+        $this->logger = $logger;
     }
 
     public function getAction(Request $request, $identityId)
@@ -47,6 +54,7 @@ public function getAction(Request $request, $identityId)
         if ($identityId !== $actorId) {
             throw new AccessDeniedHttpException("Identity and actor id should match. It is not yet allowed to view the profile of somebody else.");
         }
+        $this->logger->notice(sprintf('Retrieving profile (autzh) information for IdentityId "%s"', $identityId));
 
         $profile = $this->profileService->createProfile($identityId);
         if (!$profile) {
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Service/IdentityService.php b/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Service/IdentityService.php
@@ -18,6 +18,7 @@
 
 namespace Surfnet\StepupMiddleware\ApiBundle\Identity\Service;
 
+use Psr\Log\LoggerInterface;
 use Surfnet\Stepup\Identity\Value\IdentityId;
 use Surfnet\Stepup\Identity\Value\Institution;
 use Surfnet\Stepup\Identity\Value\NameId;
@@ -57,16 +58,23 @@ class IdentityService extends AbstractSearchService
      */
     private $sraaRepository;
 
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     public function __construct(
         IdentityRepository $repository,
         IdentitySelfAssertedTokenOptionsRepository $identitySelfAssertedTokenOptionsRepository,
         RaListingRepository $raListingRepository,
-        SraaRepository $sraaRepository
+        SraaRepository $sraaRepository,
+        LoggerInterface $logger
     ) {
         $this->repository = $repository;
         $this->identitySelfAssertedTokensOptionsRepository = $identitySelfAssertedTokenOptionsRepository;
         $this->raListingRepository = $raListingRepository;
         $this->sraaRepository = $sraaRepository;
+        $this->logger = $logger;
     }
 
     /**
@@ -147,11 +155,13 @@ public function findRegistrationAuthorityCredentialsByNameIdAndInstitution(NameI
      */
     private function findRegistrationAuthorityCredentialsByIdentity(Identity $identity)
     {
+        $this->logger->notice(sprintf('Getting profile for IdentityId "%s" NameId "%s"', $identity->id, $identity->nameId ));
         $raListing = $this->raListingRepository->findByIdentityId(new IdentityId($identity->id));
         $sraa = $this->sraaRepository->findByNameId($identity->nameId);
 
         if (!empty($raListing)) {
-            $credentials = RegistrationAuthorityCredentials::fromRaListings($raListing);
+            $this->logger->notice(sprintf('RA listing(s) found for IdentityId "%s"', $identity->id));
+            $credentials = RegistrationAuthorityCredentials::fromRaListings($raListing, $this->logger);
 
             if ($sraa) {
                 $credentials = $credentials->grantSraa();
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Service/ProfileService.php b/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Service/ProfileService.php
@@ -18,13 +18,16 @@
 
 namespace Surfnet\StepupMiddleware\ApiBundle\Identity\Service;
 
+use Psr\Log\LoggerInterface;
 use Surfnet\Stepup\Configuration\Value\InstitutionRole;
 use Surfnet\Stepup\Identity\Value\IdentityId;
 use Surfnet\StepupMiddleware\ApiBundle\Authorization\Service\AuthorizationContextService;
-use Surfnet\StepupMiddleware\ApiBundle\Identity\Repository\InstitutionListingRepository;
+use Surfnet\StepupMiddleware\ApiBundle\Identity\Entity\RaListing;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Repository\RaListingRepository;
+use Surfnet\StepupMiddleware\ApiBundle\Identity\Value\AuthorityRole;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Value\AuthorizedInstitutionCollection;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Value\Profile;
+use function sprintf;
 
 class ProfileService extends AbstractSearchService
 {
@@ -43,14 +46,21 @@ class ProfileService extends AbstractSearchService
      */
     private $authorizationService;
 
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     public function __construct(
         RaListingRepository $raListingRepository,
         IdentityService $identityService,
-        AuthorizationContextService $institutionAuthorizationService
+        AuthorizationContextService $institutionAuthorizationService,
+        LoggerInterface $logger
     ) {
         $this->raListingRepository = $raListingRepository;
         $this->identityService = $identityService;
         $this->authorizationService = $institutionAuthorizationService;
+        $this->logger = $logger;
     }
 
     /**
@@ -72,29 +82,73 @@ public function __construct(
     public function createProfile($identityId)
     {
         $identity = $this->identityService->find($identityId);
+
         if ($identity === null) {
+            $this->logger->notice(sprintf('No Identity found with IdentityId %s', $identityId));
             return null;
         }
+        $this->logger->notice(sprintf('Found IdentityId "%s" NameId "%s"', $identityId, $identity->nameId ));
 
-        $authorizationContextRa = $this->authorizationService->buildInstitutionAuthorizationContext(
-            new IdentityId($identityId),
-            InstitutionRole::useRa()
+        $raListing = $this->raListingRepository->findByIdentityId(new IdentityId($identityId));
+        $isRa = $this->getRoleFromListing($raListing, AuthorityRole::ROLE_RA);
+        $isRaa = $this->getRoleFromListing($raListing, AuthorityRole::ROLE_RAA);
+
+        $this->logger->notice(
+            sprintf(
+                'Based on RaListing Identity %s has roles(RA: %s, RAA: %s)',
+                $identityId,
+                $isRa ? "YES" : "NO",
+                $isRaa ? "YES" : "NO"
+            )
         );
 
-        $authorizationContextRaa = $this->authorizationService->buildInstitutionAuthorizationContext(
+
+        if ($raListing === null) {
+            $this->logger->notice(sprintf('No RA listing found for IdentityId %s', $identityId));
+            return null;
+        }
+
+        $authorizationContextRa = $this->authorizationService->buildInstitutionAuthorizationContext(
             new IdentityId($identityId),
-            InstitutionRole::useRaa()
+            InstitutionRole::useRa()
         );
-
         $authorizations = AuthorizedInstitutionCollection::from(
-            $authorizationContextRa->getInstitutions(),
-            $authorizationContextRaa->getInstitutions()
+            $authorizationContextRa->getInstitutions()
         );
 
+        $this->logger->notice(sprintf('IdentityId "%s" is RA for: %s', $identityId, json_encode($authorizationContextRa->getInstitutions()->jsonSerialize())));
+
+        if ($isRaa) {
+            $authorizationContextRaa = $this->authorizationService->buildInstitutionAuthorizationContext(
+                new IdentityId($identityId),
+                InstitutionRole::useRaa()
+            );
+
+            $this->logger->notice(sprintf('IdentityId "%s" is RAA for: %s', $identityId, json_encode($authorizationContextRaa->getInstitutions()->jsonSerialize())));
+
+            $authorizations = AuthorizedInstitutionCollection::from(
+                $authorizationContextRa->getInstitutions(),
+                $authorizationContextRaa->getInstitutions()
+            );
+        }
+
         return new Profile(
             $identity,
             $authorizations,
             $authorizationContextRa->isActorSraa()
         );
     }
+
+    /**
+     * @param array<int, RaListing> $raListing
+     */
+    private function getRoleFromListing(array $raListing, string $role): bool
+    {
+        foreach ($raListing as $listing) {
+            if ($listing->role->getRole() === $role) {
+                return true;
+            }
+        }
+        return false;
+    }
 }
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Value/RegistrationAuthorityCredentials.php b/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Value/RegistrationAuthorityCredentials.php
@@ -19,6 +19,7 @@
 namespace Surfnet\StepupMiddleware\ApiBundle\Identity\Value;
 
 use Assert\Assertion;
+use Psr\Log\LoggerInterface;
 use Surfnet\Stepup\Identity\Value\CommonName;
 use Surfnet\Stepup\Identity\Value\ContactInformation;
 use Surfnet\Stepup\Identity\Value\Institution;
@@ -106,18 +107,20 @@ public static function fromSraa(Sraa $sraa, Identity $identity)
      * @param RaListing[] $raListings
      * @return RegistrationAuthorityCredentials
      */
-    public static function fromRaListings(array $raListings)
+    public static function fromRaListings(array $raListings, LoggerInterface $logger)
     {
         $raListingCredentials = current($raListings);
         $isRa = false;
         $isRaa = false;
 
         foreach ($raListings as $raListing) {
             if ($raListing->role->equals(AuthorityRole::ra())) {
+                $logger->info(sprintf('Identity "%s" is RA, for institution "%s"', $raListing->identityId, $raListing->institution->getInstitution()));
                 $isRa = true;
             }
 
             if ($raListing->role->equals(AuthorityRole::raa())) {
+                $logger->info(sprintf('Identity "%s" is RAA, for institution "%s"', $raListing->identityId, $raListing->institution->getInstitution()));
                 $isRaa = true;
             }
         }
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Resources/config/services.yml b/src/Surfnet/StepupMiddleware/ApiBundle/Resources/config/services.yml
@@ -98,6 +98,7 @@ services:
             - "@surfnet_stepup_middleware_api.repository.identity_self_asserted_token_options"
             - "@surfnet_stepup_middleware_api.repository.ra_listing"
             - "@surfnet_stepup_middleware_api.repository.sraa"
+            - "@logger"
 
     surfnet_stepup_middleware_api.service.ra_listing:
         class: Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RaListingService
