Upgrade Authorization::assertSatIsAllowed method

Only when the Identity owned a self-asserted token (SAT), or when the identity does not have a tokey yet, allow the Identity to vet a self asesrted token.
OpenConext · Aug 25, 2022 · b7c9806 · b7c9806
1 parent 32a5791
commit b7c9806
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 0 deletions.
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Authorization/Service/AuthorizationService.php b/src/Surfnet/StepupMiddleware/ApiBundle/Authorization/Service/AuthorizationService.php
@@ -78,6 +78,16 @@ public function assertRegistrationOfSelfAssertedTokensIsAllowed(IdentityId $iden
             return $this->deny('Identity already has a vetted second factor');
         }
 
+        // Only allow self-asserted token (SAT) if the user does not have a token yet, or the first
+        // registered token was a SAT.
+        $options = $this->identityService->getSelfAssertedTokenRegistrationOptions(
+            $identity,
+            $this->secondFactorService->hasVettedByIdentity($identityId)
+        );
+        if ($options->possessedSelfAssertedToken === false) {
+            return $this->deny('Identity never possessed a self-asserted token, but did/does possess one of the other types');
+        }
+
         return $this->allow();
     }
 

diff --git a/...rfnet/StepupMiddleware/ApiBundle/Tests/Authorization/Service/AuthorizationServiceTest.php b/...rfnet/StepupMiddleware/ApiBundle/Tests/Authorization/Service/AuthorizationServiceTest.php
@@ -129,6 +129,7 @@ public function test_it_rejects_when_identity_has_vetted_token()
     {
         $identity = new Identity();
         $identity->institution = new Institution('Known institution');
+        $identity->possessedSelfAssertedToken = null;
 
         $this->identityService
             ->shouldReceive('find')
@@ -155,10 +156,42 @@ public function test_it_rejects_when_identity_has_vetted_token()
         $this->assertEquals('Identity already has a vetted second factor', reset($messages));
     }
 
+    public function test_it_rejects_when_identity_had_prior_non_sat_token()
+    {
+        $identity = new Identity();
+        $identity->institution = new Institution('Known institution');
+        $identity->possessedSelfAssertedToken = false;
+
+        $this->identityService
+            ->shouldReceive('find')
+            ->once()
+            ->andReturn($identity);
+
+        $options = new InstitutionConfigurationOptions();
+        $options->selfAssertedTokensOption = new SelfAssertedTokensOption(true);
+        $this->institutionConfigurationService
+            ->shouldReceive('findInstitutionConfigurationOptionsFor')
+            ->once()
+            ->andReturn($options);
+
+        $identityId = new IdentityId('known-user-id');
+        $this->secondFactorService
+            ->shouldReceive('hasVettedByIdentity')
+            ->with($identityId)
+            ->andReturnFalse();
+
+        $decision = $this->service->assertRegistrationOfSelfAssertedTokensIsAllowed($identityId);
+        $messages = $decision->getErrorMessages();
+
+        $this->assertEquals(403, $decision->getCode());
+        $this->assertEquals('Identity never possessed a self-asserted token, but did/does possess one of the other types', reset($messages));
+    }
+
     public function test_it_allows_when_identity_meets_all_requirements()
     {
         $identity = new Identity();
         $identity->institution = new Institution('Known institution');
+        $identity->possessedSelfAssertedToken = null;
 
         $this->identityService
             ->shouldReceive('find')
@@ -185,5 +218,34 @@ public function test_it_allows_when_identity_meets_all_requirements()
         $this->assertEmpty($messages);
     }
 
+    public function test_it_allows_when_identity_with_prior_sat_meets_all_requirements()
+    {
+        $identity = new Identity();
+        $identity->institution = new Institution('Known institution');
+        $identity->possessedSelfAssertedToken = true;
+
+        $this->identityService
+            ->shouldReceive('find')
+            ->once()
+            ->andReturn($identity);
 
+        $options = new InstitutionConfigurationOptions();
+        $options->selfAssertedTokensOption = new SelfAssertedTokensOption(true);
+        $this->institutionConfigurationService
+            ->shouldReceive('findInstitutionConfigurationOptionsFor')
+            ->once()
+            ->andReturn($options);
+
+        $identityId = new IdentityId('known-user-id');
+        $this->secondFactorService
+            ->shouldReceive('hasVettedByIdentity')
+            ->with($identityId)
+            ->andReturnFalse();
+
+        $decision = $this->service->assertRegistrationOfSelfAssertedTokensIsAllowed($identityId);
+        $messages = $decision->getErrorMessages();
+
+        $this->assertEquals(200, $decision->getCode());
+        $this->assertEmpty($messages);
+    }
 }