diff --git a/config/openconext/parameters.yaml.dist b/config/openconext/parameters.yaml.dist
index f3d53eaf..5705b9f8 100644
--- a/config/openconext/parameters.yaml.dist
+++ b/config/openconext/parameters.yaml.dist
@@ -41,11 +41,6 @@ parameters:
 # PCRE as accepted by preg_match (http://php.net/preg_match).
 mobile_app_user_agent_pattern: "/^.*$/"
- # When logging authentication related messages, having a reference to the session id of the user
- # makes auditing the logs much easier. We do not want to log the session_id for obvious reasons, that's why
- # a salt is used to hash a part of the session id. Ensuring we do not disclose sensitive data in the logs.
- session_correlation_salt: 'Mr6LpJYtuWRDdVR2_7VgTChFhzQ'
- # Options for the tiqr library
 tiqr_library_options:
 general:
diff --git a/config/services.yaml b/config/services.yaml
index ffcdc91c..47edf6a0 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -20,7 +20,6 @@ services:
 $tiqrConfiguration: '%tiqr_library_options%'
 $appSecret: '%app_secret%'
 $sessionOptions: '%session.storage.options%'
- $sessionCorrelationSalt: '%session_correlation_salt%'
 # makes classes in src/ available to be used as services
 # this creates a service per class whose id is the fully-qualified class name
diff --git a/src/Controller/AuthenticationNotificationController.php b/src/Controller/AuthenticationNotificationController.php
index 54f56de5..f0f0568d 100644
--- a/src/Controller/AuthenticationNotificationController.php
+++ b/src/Controller/AuthenticationNotificationController.php
@@ -3,7 +3,7 @@
 declare(strict_types = 1);
 /**
- * Copyright 2018 SURFnet B.V.
+ * Copyright 2024 SURFnet B.V.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/src/Controller/AuthenticationQrController.php b/src/Controller/AuthenticationQrController.php
index e42fa319..78fc71a6 100644
--- a/src/Controller/AuthenticationQrController.php
+++ b/src/Controller/AuthenticationQrController.php
@@ -3,7 +3,7 @@
 declare(strict_types = 1);
 /**
- * Copyright 2018 SURFnet B.V.
+ * Copyright 2024 SURFnet B.V.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -53,7 +53,6 @@ public function __invoke(): Response
 $logger = WithContextLogger::from($this->logger, ['nameId' => $nameId, 'sari' => $sari]);
 $logger->info('Client request QR image');
- // Do have a valid sample AuthnRequest?.
 if (!$this->authenticationService->authenticationRequired()) {
 $logger->error('There is no pending authentication request from SP');
diff --git a/src/Controller/AuthenticationStatusController.php b/src/Controller/AuthenticationStatusController.php
index d45bfb0f..5a130c9c 100644
--- a/src/Controller/AuthenticationStatusController.php
+++ b/src/Controller/AuthenticationStatusController.php
@@ -3,7 +3,7 @@
 declare(strict_types = 1);
 /**
- * Copyright 2018 SURFnet B.V.
+ * Copyright 2024 SURFnet B.V.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
diff --git a/src/Service/SessionCorrelationIdService.php b/src/Service/SessionCorrelationIdService.php
index 1338f156..9f5a6645 100644
--- a/src/Service/SessionCorrelationIdService.php
+++ b/src/Service/SessionCorrelationIdService.php
@@ -27,22 +27,24 @@
 {
 private string $sessionName;
+ /**
+ * @param array $sessionOptions
+ */
 public function __construct(
 private RequestStack $requestStack,
- /** @var array */
- private array $sessionOptions,
- private string $sessionCorrelationSalt,
+ array $sessionOptions,
+ private string $appSecret,
 ) {
- if (!array_key_exists('name', $this->sessionOptions)) {
+ if (!array_key_exists('name', $sessionOptions)) {
 throw new RuntimeException(
 'The session name (PHP session cookie identifier) could not be found in the session configuration.'
 );
 }
- if (empty($this->sessionCorrelationSalt)) {
- throw new RuntimeException('Please configure a non empty session correlation salt.');
+ if (empty($this->appSecret)) {
+ throw new RuntimeException('App Secret cannot be a non empty string.');
 }
- $this->sessionName = $this->sessionOptions['name'];
+ $this->sessionName = $sessionOptions['name'];
 }
 public function generateCorrelationId(): ?string
@@ -53,6 +55,6 @@ public function generateCorrelationId(): ?string
 return null;
 }
- return hash('sha256', $this->sessionCorrelationSalt . substr($sessionCookie, 0, 10));
+ return hash('sha256', $this->appSecret . substr($sessionCookie, 0, 10));
 }
 }
diff --git a/src/Tiqr/TiqrConfiguration.php b/src/Tiqr/TiqrConfiguration.php
index 92cc0e30..d861fc68 100644
--- a/src/Tiqr/TiqrConfiguration.php
+++ b/src/Tiqr/TiqrConfiguration.php
@@ -35,7 +35,7 @@ class TiqrConfiguration implements TiqrConfigurationInterface
 /**
 * @param array> $tiqrConfiguration
 *
- * @throws \Assert\AssertionFailedException\
+ * @throws \Assert\AssertionFailedException
 * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
 */
 public function __construct(array $tiqrConfiguration)
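Review bot: The new exception text in the `empty($this->appSecret)` branch of `__construct` is inverted: `'App Secret cannot be a non empty string.'` states the opposite of the condition it reports, so an operator reading the failure will be told the secret must be empty. Suggest `throw new RuntimeException('Please configure a non empty app secret.');`, matching the wording of the message it replaces and the session-name check just above it. `empty()` on a string also treats `'0'` as empty; `$this->appSecret === ''` would express the intent exactly, although that pattern predates this change. The added `@param array $sessionOptions` docblock could state the shape the constructor depends on, e.g. `@param array<string, mixed> $sessionOptions  Must contain the `name` key (PHP session cookie identifier).`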
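Review bot: The correlation id is now derived from the application secret by plain concatenation, `hash('sha256', $this->appSecret . substr($sessionCookie, 0, 10))`, which feeds a long-lived secret straight into the hash input; if `%app_secret%` is also the framework kernel secret (used for CSRF and similar signing) this is key reuse without any domain separation. The keyed construction `hash_hmac('sha256', substr($sessionCookie, 0, 10), $this->appSecret)` is the standard way to express "hash this value under a secret", keeps the secret out of the raw message, and makes the intent explicit to the next reader. Because the key material changes (and `session_correlation_salt` is dropped from parameters.yaml.dist in this commit), every emitted correlation id changes with the upgrade, so ids in logs written before and after will not match; that deserves a changelog or upgrade note. generateCorrelationId() starts in the previous hunk.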
@@ -108,12 +108,12 @@ public function __construct(array $tiqrConfiguration)
 $this->options['firebase.credentialsFile'] = $tiqrConfiguration['library']['firebase']['credentialsFile'];
 Assertion::boolean(
 $tiqrConfiguration['library']['firebase']['cacheTokens'],
- 'TiqrConfiguration: library -> firebase -> cacheTokens must be of type string'
+ 'TiqrConfiguration: library -> firebase -> cacheTokens must be of type boolean'
 );
 $this->options['firebase.cacheTokens'] = $tiqrConfiguration['library']['firebase']['cacheTokens'];
 Assertion::string(
 $tiqrConfiguration['library']['firebase']['tokenCacheDir'],
- 'TiqrConfiguration: library -> firebase -> tokenCacheDir must be of type string'
+ 'TiqrConfiguration: library -> firebase -> tokenCacheDir must be of type string'
 );
 $this->options['firebase.tokenCacheDir'] = $tiqrConfiguration['library']['firebase']['tokenCacheDir'];
 }