Update Assertion audience in mock Gateway

When rollover is enabled, let the mock gateway update the assertion audience to the new entity id. That way, the engineblock is able to receive the assertion from the new entity
OpenConext · Mar 13, 2024 · 02f0238 · 02f0238
1 parent a31118e
commit 02f0238
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 8 deletions.
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Controllers/StepupMockController.php b/src/OpenConext/EngineBlockFunctionalTestingBundle/Controllers/StepupMockController.php
@@ -96,6 +96,10 @@ private function getAvailableResponses(Request $request)
         $samlResponse = $this->mockStepupGateway->handleSsoSuccess($request, $this->getFullRequestUri($request));
         $results['success'] = $this->getResponseData($request, $samlResponse);
 
+        // Parse successfull loa3 with changed audience
+        $samlResponse = $this->mockStepupGateway->handleSsoSuccess($request, $this->getFullRequestUri($request), true);
+        $results['success-audience'] = $this->getResponseData($request, $samlResponse);
+
         // Parse successfull loa2
         $samlResponse = $this->mockStepupGateway->handleSsoSuccessLoa2($request, $this->getFullRequestUri($request));
         $results['loa2'] = $this->getResponseData($request, $samlResponse);

diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/StepupContext.php b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/StepupContext.php
@@ -71,6 +71,16 @@ public function stepupWillsSuccessfullyVerifyAUser()
         $mink->pressButton('Submit-success');
     }
 
+    /**
+     * @Given /^Stepup will successfully verify a user with override entityID$/
+     */
+    public function stepupWillsSuccessfullyVerifyAUserAndUpdateAudience()
+    {
+        $mink = $this->getMinkContext();
+
+        $mink->pressButton('Submit-success-audience');
+    }
+
     /**
      * @Given /^Stepup will successfully verify a user with a LoA 2 token$/
      */

diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/StepupKeyRollover.feature b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/StepupKeyRollover.feature
@@ -37,7 +37,7 @@ Feature:
     And I pass through EngineBlock
     # This is where the Issuer is overridden. See: \EngineBlock_Corto_ProxyServer::sendStepupAuthenticationRequest
     And I pass through the IdP
-    And Stepup will successfully verify a user
+    And Stepup will successfully verify a user with override entityID
     And I give my consent
     And I pass through EngineBlock
     Then the url should match "/functional-testing/SSO-SP/acs"
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Mock/MockStepupGateway.php b/src/OpenConext/EngineBlockFunctionalTestingBundle/Mock/MockStepupGateway.php
@@ -57,23 +57,31 @@ class MockStepupGateway
      */
     private $gatewayConfiguration;
 
+    /**
+     * @var string
+     */
+    private $sfoRolloverEntityId;
+
     /**
      * @param FunctionalTestingStepupGatewayMockConfiguration $gatewayConfiguration
      * @throws \Exception
      */
     public function __construct(
-        FunctionalTestingStepupGatewayMockConfiguration $gatewayConfiguration
+        FunctionalTestingStepupGatewayMockConfiguration $gatewayConfiguration,
+        $sfoRolloverEntityId
     ) {
         $this->gatewayConfiguration = $gatewayConfiguration;
         $this->currentTime = new DateTime();
+        $this->sfoRolloverEntityId = $sfoRolloverEntityId;
     }
 
     /**
      * @param Request $request
      * @param string $fullRequestUri
+     * @param bool $updateAudience [default] false
      * @return Response
      */
-    public function handleSsoSuccess(Request $request, $fullRequestUri)
+    public function handleSsoSuccess(Request $request, $fullRequestUri, $updateAudience = false)
     {
         // parse the authnRequest
         $authnRequest = $this->parseRequest($request, $fullRequestUri);
@@ -89,7 +97,8 @@ public function handleSsoSuccess(Request $request, $fullRequestUri)
             $nameId,
             $destination,
             $authnContextClassRef,
-            $requestId
+            $requestId,
+            $updateAudience
         );
     }
 
@@ -144,16 +153,18 @@ public function handleSsoFailure(Request $request, $fullRequestUri, $status, $su
      * @param string $destination The ACS location
      * @param string|null $authnContextClassRef The loa level
      * @param string $requestId The requestId
+     * @param bool $updateAudience [default] false
      * @return Response
      */
-    private function createSecondFactorOnlyResponse($nameId, $destination, $authnContextClassRef, $requestId)
+    private function createSecondFactorOnlyResponse($nameId, $destination, $authnContextClassRef, $requestId, $updateAudience = false)
     {
         return $this->createNewAuthnResponse(
             $this->createNewAssertion(
                 $nameId,
                 $authnContextClassRef,
                 $destination,
-                $requestId
+                $requestId,
+                $updateAudience
             ),
             $destination,
             $requestId
@@ -320,9 +331,10 @@ private function createNewAuthnResponse(Assertion $newAssertion, $destination, $
      * @param string $authnContextClassRef
      * @param string $destination The ACS location
      * @param string $requestId The requestId
+     * @param bool $updateAudience [default] false
      * @return Assertion
      */
-    private function createNewAssertion($nameId, $authnContextClassRef, $destination, $requestId)
+    private function createNewAssertion($nameId, $authnContextClassRef, $destination, $requestId, $updateAudience = false)
     {
         $newAssertion = new Assertion();
         $newAssertion->setNotBefore($this->currentTime->getTimestamp());
@@ -337,7 +349,12 @@ private function createNewAssertion($nameId, $authnContextClassRef, $destination
         $newNameId->setValue($nameId);
         $newNameId->setFormat(Constants::NAMEID_UNSPECIFIED);
         $newAssertion->setNameId($newNameId);
-        $newAssertion->setValidAudiences([$this->gatewayConfiguration->getServiceProviderEntityId()]);
+        $audiences = [$this->gatewayConfiguration->getServiceProviderEntityId()];
+        // If the entity id being updated, then set that new EntityId as the audience for this assertion
+        if ($updateAudience) {
+            $audiences = [$this->sfoRolloverEntityId];
+        }
+        $newAssertion->setValidAudiences($audiences);
         $this->addAuthenticationStatementTo($newAssertion, $authnContextClassRef);
 
         return $newAssertion;

diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/config/mocks.yml b/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/config/mocks.yml
@@ -30,3 +30,4 @@ services:
         class: OpenConext\EngineBlockFunctionalTestingBundle\Mock\MockStepupGateway
         arguments:
             - "@engineblock.functional_testing.fixture.stepup_gateway_mock"
+            - '%stepup.sfo.override_engine_entityid%'