Merge remote-tracking branch 'origin/release/2.10'

.gitignore

@@ -1,6 +1,7 @@
 /web/bundles/
 /web/app_dev.php
 /web/app_dev.php.dist
+/web/app_test.php
 /app/bootstrap.php.cache
 /app/cache/*
 /app/config/parameters.yml

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 2.10.4
+**Improvements**
+* Open help in new tab #187 
+* Introduce multi-lingual logout redirect #186 
+
+**Bugfixes**
+* Fix the token sorting #185
+
 ## 2.10.3
 **Bugfix**
 * Flip value/label in choice form type definitions #168

app/Resources/views/base.html.twig

@@ -96,7 +96,7 @@
                 <div class="span8 offset2">
                     <hr>
                     <ul class="nav nav-pills">
-                        <li><a href="{{ global_view_parameters.supportUrl }}">{{ 'footer.documentation'|trans }}</a></li>
+                        <li><a href="{{ global_view_parameters.supportUrl }}" target="_blank">{{ 'footer.documentation'|trans }}</a></li>
                     </ul>
                 </div>
             </div>

app/config/config_test.yml

@@ -1,5 +1,6 @@
 imports:
     - { resource: config_dev.yml }
+    - { resource: service_test.yml }
 
 framework:
     test: ~
@@ -17,3 +18,19 @@ nelmio_security:
         img: [ self, 'data:' ]
         script: [ self, unsafe-inline ]
         style: [ self, unsafe-inline ]
+
+surfnet_stepup_middleware_client:
+    authorisation:
+        password: secret
+
+surfnet_saml:
+    hosted:
+        service_provider:
+            public_key: /vagrant/deploy/tests/behat/fixtures/test_public_key.crt
+            private_key: /vagrant/deploy/tests/behat/fixtures/test_private_key.key
+        metadata:
+            public_key: /vagrant/deploy/tests/behat/fixtures/test_public_key.crt
+            private_key: /vagrant/deploy/tests/behat/fixtures/test_private_key.key
+    remote:
+        identity_provider:
+            certificate: MIIC6jCCAdICCQC9cRx5wiwWOjANBgkqhkiG9w0BAQsFADA3MRwwGgYDVQQDDBNTZWxmU2VydmljZSBTQU1MIFNQMRcwFQYDVQQKDA5EZXZlbG9wbWVudCBWTTAeFw0xODA3MzAxMjMwNDdaFw0yMzA3MjkxMjMwNDdaMDcxHDAaBgNVBAMME1NlbGZTZXJ2aWNlIFNBTUwgU1AxFzAVBgNVBAoMDkRldmVsb3BtZW50IFZNMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqhbI0Xy682DuvWchg6FYnI+DNwLXef2XExM4YVRBaMMsOZ3rBtQUTMSqYan6SK/BOEXLs0rNiJjyM0dn+F98wg3fv5zIADlvfk3LBVdcGsrpVfFUWtSa73yMgbROy8/RJADbUJE/HUB3ZmdjdiuD2Cui2aoWwT2HR8ukJwmoxiu45IWFPbqPQ7/1mH644JPOWTPLTv4OGGLQo8MNrP1oRCiZ0IEL4CQeGOOju5rfIJ0bTVm0UmelT4hGaqZovBMwXp3QV41akJ7UEMEBK2YMnLQy47Xuzi7aTDhJlvHcJ8mfH2NbjRh7hJoACVRTvQloxajgkr1iGMiWiiqT0e+YYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBwZ0gRHvR8B8KivrXrhWNL9uLvWhEAH7OiDqo+fywkBp5KEuDJcbbvEPftHunSAGylg7M2xKuBIGamFpp74WDJccrtZ1jJ4qqnacUDRQrTLqqMZKqGpFOU0xjKkSxSGRuMtGN9/7er/TeonjQ0XBvjYvTomy3b5aCLVWRvEfKu2g1sDd8uhr62RY/HfMgidEt7LHDolkCVg+6JzY3OTcgeHga3cvYObOYPplxw1YPq5+BqqxaUW4nfb5DtK33bZBYMeyV6BZtSggc5Z/19aPx/s0bf6ySTUyB3lRqe5d3etCns4bGidORCl/6EZiXwVcPvmYmxYXqmuNWfps7isUvo

app/config/parameters.yml.dist

@@ -50,7 +50,9 @@ parameters:
     stepup_loa_loa2: https://gateway.tld/authentication/loa2
     stepup_loa_loa3: https://gateway.tld/authentication/loa3
 
-    logout_redirect_url: https://www.surf.nl/over-surf/werkmaatschappijen/surfnet
+    logout_redirect_url:
+            nl_NL: https://www.surf.nl/over-surf/werkmaatschappijen/surfnet
+            en_GB: https://www.surf.nl/en/about-surf/subsidiaries/surfnet
 
     u2f_app_id: https://gateway.tld/u2f/app-id
 

app/config/security.yml

@@ -26,7 +26,7 @@ security:
             logout_on_user_change: true
             logout:
                 path: /logout
-                target: "%logout_redirect_url%"
+                success_handler: "ra.security.authentication.handler.logout_success"
                 invalidate_session: true
                 csrf_token_generator: security.csrf.token_manager
                 csrf_parameter: 't'

app/config/service_test.yml

@@ -0,0 +1,30 @@
+# Use this service definition file to override services and parameters in the test environment.
+# For example to mock certain services, or override a parameter for test.
+
+parameters:
+  middleware_credentials_password: secret
+
+services:
+  surfnet_stepup.service.sms_second_factor:
+    class: Surfnet\StepupBundle\Tests\TestDouble\Service\SmsSecondFactorService
+    arguments:
+      - "@surfnet_stepup.service.challenge_handler"
+
+  # The middleware client bundle guzzle client is overloaded to be able to pass the testcookie to the ensure MW is
+  # loaded in test mode. This way people setting the testcookie in prod will not switch their mw api into testmode
+  # resulting in 500 errors.
+  surfnet_stepup_middleware_client.guzzle.api:
+    public: false
+    class: GuzzleHttp\Client
+    factory: ['Surfnet\StepupRa\RaBundle\Tests\TestDouble\Factory\GuzzleApiFactory', createApiGuzzleClient]
+    arguments:
+    - "%middleware_url_api%"
+    - "%middleware_credentials_username%"
+    - "%middleware_credentials_password%"
+
+  surfnet_stepup_middleware_client.guzzle.commands:
+    public: false
+    class: GuzzleHttp\Client
+    factory: ['Surfnet\StepupRa\RaBundle\Tests\TestDouble\Factory\GuzzleApiFactory', createCommandGuzzleClient]
+    arguments:
+    - "%middleware_url_command_api%"

app_dev.php.dist

@@ -7,12 +7,7 @@ Debug::enable(~E_USER_DEPRECATED);
 
 $request = Request::createFromGlobals();
 
-$env = 'dev';
-if (isset($_SERVER['APP_DEV'])) {
-    $env = $_SERVER['APP_DEV'];
-}
-
-$kernel = new AppKernel($env, true);
+$kernel = new AppKernel('dev', true);
 $kernel->boot();
 
 $trustedProxies = $kernel->getContainer()->getParameter('trusted_proxies');

app_test.php.dist

@@ -0,0 +1,18 @@
+<?php
+
+use Symfony\Component\Debug\Debug;
+use Symfony\Component\HttpFoundation\Request;
+$loader = require __DIR__.'/../app/autoload.php';
+Debug::enable(~E_USER_DEPRECATED);
+
+$request = Request::createFromGlobals();
+
+$kernel = new AppKernel('test', true);
+$kernel->boot();
+
+$trustedProxies = $kernel->getContainer()->getParameter('trusted_proxies');
+Request::setTrustedProxies($trustedProxies, Request::HEADER_X_FORWARDED_ALL);
+
+$response = $kernel->handle($request);
+$response->send();
+$kernel->terminate($request, $response);

src/Surfnet/StepupRa/RaBundle/Controller/SecondFactorController.php

@@ -18,6 +18,7 @@
 
 namespace Surfnet\StepupRa\RaBundle\Controller;
 
+use Knp\Component\Pager\Paginator;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
 use Surfnet\StepupRa\RaBundle\Command\ExportRaSecondFactorsCommand;
 use Surfnet\StepupRa\RaBundle\Command\RevokeSecondFactorCommand;
@@ -65,8 +66,10 @@ public function searchAction(Request $request)
             return $this->forward('SurfnetStepupRaRaBundle:SecondFactor:export', ['command' => $command]);
         }
 
-        $pagination = $this->get('knp_paginator')->paginate(
-            $secondFactors->getTotalItems() > 0 ? array_fill(0, $secondFactors->getTotalItems(), 1) : [],
+        /** @var Paginator $paginator */
+        $paginator = $this->get('knp_paginator');
+        $pagination = $paginator->paginate(
+            $secondFactors->getTotalItems() > 0 ? $secondFactors->getElements() : [],
             $secondFactors->getCurrentPage(),
             $secondFactors->getItemsPerPage()
         );

src/Surfnet/StepupRa/RaBundle/Resources/config/security.yml

@@ -113,3 +113,9 @@ services:
         factory: [Surfnet\StepupRa\RaBundle\Value\TimeFrame, ofSeconds]
         arguments:
             - "%ra.security.authentication.session.maximum_relative_lifetime_in_seconds%"
+
+    ra.security.authentication.handler.logout_success:
+        class: Surfnet\StepupRa\RaBundle\Security\Authentication\Handler\LogoutSuccessHandler
+        arguments:
+            - "@security.token_storage"
+            - "%logout_redirect_url%"

src/Surfnet/StepupRa/RaBundle/Security/Authentication/Handler/LogoutSuccessHandler.php

@@ -0,0 +1,55 @@
+<?php
+
+/**
+ * Copyright 2019 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\StepupRa\RaBundle\Security\Authentication\Handler;
+
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
+
+final class LogoutSuccessHandler implements LogoutSuccessHandlerInterface
+{
+    /**
+     * @var TokenStorageInterface
+     */
+    private $tokenStorage;
+
+    /**
+     * @var string[]
+     */
+    private $logoutRedirectUrl;
+
+    /**
+     * @param TokenStorageInterface $tokenStorage
+     * @param string[] $logoutRedirectUrl
+     */
+    public function __construct(TokenStorageInterface $tokenStorage, array $logoutRedirectUrl)
+    {
+        $this->tokenStorage = $tokenStorage;
+        $this->logoutRedirectUrl = $logoutRedirectUrl;
+    }
+
+    public function onLogoutSuccess(Request $request)
+    {
+        $token    = $this->tokenStorage->getToken();
+        $identity = $token->getUser();
+
+        return new RedirectResponse($this->logoutRedirectUrl[$identity->preferredLocale]);
+    }
+}

src/Surfnet/StepupRa/RaBundle/Service/VettingService.php

@@ -23,7 +23,7 @@
 use Surfnet\StepupBundle\Command\VerifyPossessionOfPhoneCommand;
 use Surfnet\StepupBundle\Service\SecondFactorTypeService;
 use Surfnet\StepupBundle\Service\SmsSecondFactor\OtpVerification;
-use Surfnet\StepupBundle\Service\SmsSecondFactorService;
+use Surfnet\StepupBundle\Service\SmsSecondFactorServiceInterface;
 use Surfnet\StepupBundle\Value\PhoneNumber\InternationalPhoneNumber;
 use Surfnet\StepupBundle\Value\SecondFactorType;
 use Surfnet\StepupMiddlewareClientBundle\Identity\Command\VetSecondFactorCommand;
@@ -57,7 +57,7 @@ class VettingService
         'Surfnet\Stepup\Exception\DomainException: Cannot vet second factor, the registration window is closed.';
 
     /**
-     * @var \Surfnet\StepupBundle\Service\SmsSecondFactorService
+     * @var \Surfnet\StepupBundle\Service\SmsSecondFactorServiceInterface
      */
     private $smsSecondFactorService;
 
@@ -102,7 +102,7 @@ class VettingService
     private $secondFactorTypeService;
 
     public function __construct(
-        SmsSecondFactorService $smsSecondFactorService,
+        SmsSecondFactorServiceInterface $smsSecondFactorService,
         YubikeySecondFactorService $yubikeySecondFactorService,
         GssfService $gssfService,
         U2fService $u2fService,

src/Surfnet/StepupRa/RaBundle/Tests/TestDouble/Factory/GuzzleApiFactory.php

@@ -0,0 +1,87 @@
+<?php
+
+/**
+ * Copyright 2018 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\StepupRa\RaBundle\Tests\TestDouble\Factory;
+
+use GuzzleHttp\Client;
+use GuzzleHttp\Cookie\CookieJar;
+
+/**
+ * This factory builds replacements for the Guzzle clients that are normally provided by the middleware bundle. The
+ * added extra in this factory is that the testcookie is added to the configuration.
+ */
+class GuzzleApiFactory
+{
+    /**
+     * @param $apiUri
+     * @param $username
+     * @param $password
+     * @return Client
+     * 
+     * @see \Surfnet\StepupMiddlewareClientBundle\DependencyInjection\SurfnetStepupMiddlewareClientExtension::configureMiddlewareReadApiClient
+     */
+    public static function createApiGuzzleClient($apiUri, $username, $password)
+    {
+        $arguments = [
+            'base_uri' => $apiUri,
+            'auth' => [
+                $username,
+                $password,
+                'basic',
+            ],
+            'headers' => [
+                'Accept' => 'application/json',
+            ],
+            'cookies' => self::makeCookieJar($apiUri),
+        ];
+
+        return new Client($arguments);
+    }
+
+    /**
+     * @param $apiUri
+     * @return Client
+     * 
+     * @see \Surfnet\StepupMiddlewareClientBundle\DependencyInjection\SurfnetStepupMiddlewareClientExtension::configureMiddlewareCommandApiUrl
+     */
+    public static function createCommandGuzzleClient($apiUri)
+    {
+        return new Client(
+            [
+                'base_uri' => $apiUri,
+                'cookies' => self::makeCookieJar($apiUri),
+            ]
+        );
+    }
+
+    /**
+     * @param string $uri
+     * @return CookieJar
+     */
+    private static function makeCookieJar($uri)
+    {
+        $cookieDomain = parse_url($uri, PHP_URL_HOST);
+
+        return CookieJar::fromArray(
+            [
+                'testcookie' => 'testcookie',
+            ],
+            $cookieDomain
+        );
+    }
+}