Small fixes

OpenConext · Nov 19, 2024 · 947862a · 947862a
1 parent 2097a47
commit 947862a
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 21 deletions.
diff --git a/config/openconext/parameters.yaml.dist b/config/openconext/parameters.yaml.dist
@@ -41,11 +41,6 @@ parameters:
     # PCRE as accepted by preg_match (http://php.net/preg_match).
     mobile_app_user_agent_pattern: "/^.*$/"
 
-    # When logging authentication related messages, having a reference to the session id of the user
-    # makes auditing the logs much easier. We do not want to log the session_id for obvious reasons, that's why
-    # a salt is used to hash a part of the session id. Ensuring we do not disclose sensitive data in the logs.
-    session_correlation_salt: 'Mr6LpJYtuWRDdVR2_7VgTChFhzQ'
-
     # Options for the tiqr library
     tiqr_library_options:
         general:

diff --git a/config/services.yaml b/config/services.yaml
@@ -20,7 +20,6 @@ services:
             $tiqrConfiguration: '%tiqr_library_options%'
             $appSecret: '%app_secret%'
             $sessionOptions: '%session.storage.options%'
-            $sessionCorrelationSalt: '%session_correlation_salt%'
 
     # makes classes in src/ available to be used as services
     # this creates a service per class whose id is the fully-qualified class name

diff --git a/src/Controller/AuthenticationNotificationController.php b/src/Controller/AuthenticationNotificationController.php
@@ -3,7 +3,7 @@
 declare(strict_types = 1);
 
 /**
- * Copyright 2018 SURFnet B.V.
+ * Copyright 2024 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/src/Controller/AuthenticationQrController.php b/src/Controller/AuthenticationQrController.php
@@ -3,7 +3,7 @@
 declare(strict_types = 1);
 
 /**
- * Copyright 2018 SURFnet B.V.
+ * Copyright 2024 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,7 +53,6 @@ public function __invoke(): Response
         $logger = WithContextLogger::from($this->logger, ['nameId' => $nameId, 'sari' => $sari]);
         $logger->info('Client request QR image');
 
-        // Do have a valid sample AuthnRequest?.
         if (!$this->authenticationService->authenticationRequired()) {
             $logger->error('There is no pending authentication request from SP');
 

diff --git a/src/Controller/AuthenticationStatusController.php b/src/Controller/AuthenticationStatusController.php
@@ -3,7 +3,7 @@
 declare(strict_types = 1);
 
 /**
- * Copyright 2018 SURFnet B.V.
+ * Copyright 2024 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/src/Service/SessionCorrelationIdService.php b/src/Service/SessionCorrelationIdService.php
@@ -27,22 +27,24 @@
 {
     private string $sessionName;
 
+    /**
+     * @param array<string, string> $sessionOptions
+     */
     public function __construct(
         private RequestStack $requestStack,
-        /** @var array<string, string> */
-        private array $sessionOptions,
-        private string $sessionCorrelationSalt,
+        array $sessionOptions,
+        private string $appSecret,
     ) {
-        if (!array_key_exists('name', $this->sessionOptions)) {
+        if (!array_key_exists('name', $sessionOptions)) {
             throw new RuntimeException(
                 'The session name (PHP session cookie identifier) could not be found in the session configuration.'
             );
         }
-        if (empty($this->sessionCorrelationSalt)) {
-            throw new RuntimeException('Please configure a non empty session correlation salt.');
+        if (empty($this->appSecret)) {
+            throw new RuntimeException('App Secret cannot be a non empty string.');
         }
 
-        $this->sessionName = $this->sessionOptions['name'];
+        $this->sessionName = $sessionOptions['name'];
     }
 
     public function generateCorrelationId(): ?string
@@ -53,6 +55,6 @@ public function generateCorrelationId(): ?string
             return null;
         }
 
-        return hash('sha256', $this->sessionCorrelationSalt . substr($sessionCookie, 0, 10));
+        return hash('sha256', $this->appSecret . substr($sessionCookie, 0, 10));
     }
 }
diff --git a/src/Tiqr/TiqrConfiguration.php b/src/Tiqr/TiqrConfiguration.php
@@ -35,7 +35,7 @@ class TiqrConfiguration implements TiqrConfigurationInterface
     /**
      * @param array<string, array<string, mixed>> $tiqrConfiguration
      *
-     * @throws \Assert\AssertionFailedException\
+     * @throws \Assert\AssertionFailedException
      * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
      */
     public function __construct(array $tiqrConfiguration)
@@ -108,12 +108,12 @@ public function __construct(array $tiqrConfiguration)
             $this->options['firebase.credentialsFile'] = $tiqrConfiguration['library']['firebase']['credentialsFile'];
             Assertion::boolean(
                 $tiqrConfiguration['library']['firebase']['cacheTokens'],
-                'TiqrConfiguration: library -> firebase ->  cacheTokens must be of type string'
+                'TiqrConfiguration: library -> firebase -> cacheTokens must be of type boolean'
             );
             $this->options['firebase.cacheTokens'] = $tiqrConfiguration['library']['firebase']['cacheTokens'];
             Assertion::string(
                 $tiqrConfiguration['library']['firebase']['tokenCacheDir'],
-                'TiqrConfiguration: library -> firebase ->  tokenCacheDir must be of type string'
+                'TiqrConfiguration: library -> firebase -> tokenCacheDir must be of type string'
             );
             $this->options['firebase.tokenCacheDir'] = $tiqrConfiguration['library']['firebase']['tokenCacheDir'];
         }