Refactoring attempt

mrvanes · mrvanes · commit 3d2cb21f6067 · 2025-04-17T17:41:00.000+02:00
diff --git a/library/EngineBlock/Corto/Filter/Input.php b/library/EngineBlock/Corto/Filter/Input.php
@@ -90,6 +90,8 @@ public function getCommands()
                 $diContainer->getAttributeAggregationClient()
             ),
 
+            // Check if we need to callout to SRAM to enforce AUP's
+            // Add SRAM attributes if not
             new EngineBlock_Corto_Filter_Command_SRAMInterruptFilter(),
 
             // Check if the Policy Decision Point needs to be consulted for this request
diff --git a/library/EngineBlock/Corto/Module/Service/AssertionConsumer.php b/library/EngineBlock/Corto/Module/Service/AssertionConsumer.php
@@ -170,69 +170,18 @@ public function serve($serviceName, Request $httpRequest)
 
         $this->_server->filterInputAssertionAttributes($receivedResponse, $receivedRequest);
 
-        // Add the consent step
-        $currentProcessStep = $this->_processingStateHelper->addStep(
-            $receivedRequest->getId(),
-            ProcessingStateHelperInterface::STEP_CONSENT,
-            $this->getEngineSpRole($this->_server),
-            $receivedResponse
-        );
-
-        // Send SRAM Interrupt call
-        if ("" != $receivedResponse->getSRAMInterruptNonce()) {
-            $log->info('Handle SRAM Interrupt callout');
-
-            // Add the SRAM step
-            $this->_processingStateHelper->addStep(
-                $receivedRequest->getId(),
-                ProcessingStateHelperInterface::STEP_SRAM,
-                $this->getEngineSpRole($this->_server),
-                $receivedResponse
-            );
-
-            // Redirect to SRAM
-            $this->_server->sendSRAMInterruptRequest($receivedResponse, $receivedRequest);
-
+        //Send SRAM Interrupt call
+        if ($this->_server->handleSRAMInterruptCallout($receivedResponse, $receivedRequest)) {
             return;
         }
 
-        // When dealing with an SP that acts as a trusted proxy, we should use the proxying SP and not the proxy itself.
-        if ($sp->getCoins()->isTrustedProxy()) {
-            // Overwrite the trusted proxy SP instance with that of the SP that uses the trusted proxy.
-            $sp = $this->_server->findOriginalServiceProvider($receivedRequest, $log);
-        }
-
-        $pdpLoas = $receivedResponse->getPdpRequestedLoas();
-        $loaRepository = $application->getDiContainer()->getLoaRepository();
-        $authnRequestLoas = $receivedRequest->getStepupObligations($loaRepository->getStepUpLoas());
-        // Goto consent if no Stepup authentication is needed
-        if (!$this->_stepupGatewayCallOutHelper->shouldUseStepup($idp, $sp, $authnRequestLoas, $pdpLoas)) {
-            $this->_server->sendConsentAuthenticationRequest($receivedResponse, $receivedRequest, $currentProcessStep->getRole(), $this->getAuthenticationState());
+        // Handle Consent authentication callout
+        if ($this->_server->handleConsentAuthenticationCallout($receivedResponse, $receivedRequest)) {
             return;
         }
 
-        $log->info('Handle Stepup authentication callout');
-
-        // Add Stepup authentication step
-        $currentProcessStep = $this->_processingStateHelper->addStep(
-            $receivedRequest->getId(),
-            ProcessingStateHelperInterface::STEP_STEPUP,
-            $application->getDiContainer()->getStepupIdentityProvider($this->_server),
-            $receivedResponse
-        );
-
-        // Get mapped AuthnClassRef and get NameId
-        $nameId = clone $receivedResponse->getNameId();
-        $authnClassRef = $this->_stepupGatewayCallOutHelper->getStepupLoa($idp, $sp, $authnRequestLoas, $pdpLoas);
-
-        $this->_server->sendStepupAuthenticationRequest(
-            $receivedRequest,
-            $currentProcessStep->getRole(),
-            $authnClassRef,
-            $nameId,
-            $sp->getCoins()->isStepupForceAuthn()
-        );
-
+        // Handle Stepup authentication callout
+        $this->_server->handleStepupAuthenticationCallout($receivedResponse, $receivedRequest);
    }
 
     /**
diff --git a/library/EngineBlock/Corto/Module/Service/SRAMInterrupt.php b/library/EngineBlock/Corto/Module/Service/SRAMInterrupt.php
@@ -105,56 +105,11 @@ public function serve($serviceName, Request $httpRequest)
          * Continue to Consent/StepUp
          */
 
-        // Flush log if SP or IdP has additional logging enabled
-        $issuer = $receivedResponse->getIssuer() ? $receivedResponse->getIssuer()->getValue() : '';
-        $idp = $this->_server->getRepository()->fetchIdentityProviderByEntityId($issuer);
-
-        if ($receivedRequest->isDebugRequest()) {
-            $sp = $this->_server->getEngineSpRole($this->_server);
-        } else {
-            $issuer = $receivedRequest->getIssuer() ? $receivedRequest->getIssuer()->getValue() : '';
-            $sp = $this->_server->getRepository()->fetchServiceProviderByEntityId($issuer);
-        }
-
-        // When dealing with an SP that acts as a trusted proxy, we should use the proxying SP and not the proxy itself.
-        if ($sp->getCoins()->isTrustedProxy()) {
-            // Overwrite the trusted proxy SP instance with that of the SP that uses the trusted proxy.
-            $sp = $this->_server->findOriginalServiceProvider($receivedRequest, $this->_server->getLogger());
-        }
-
-        $pdpLoas = $receivedResponse->getPdpRequestedLoas();
-        $loaRepository = $application->getDiContainer()->getLoaRepository();
-        $authnRequestLoas = $receivedRequest->getStepupObligations($loaRepository->getStepUpLoas());
-
-        $shouldUseStepup = $this->_stepupGatewayCallOutHelper->shouldUseStepup($idp, $sp, $authnRequestLoas, $pdpLoas);
-
-        // Goto consent if no Stepup authentication is needed
-        if (!$shouldUseStepup) {
-            $this->_server->sendConsentAuthenticationRequest($receivedResponse, $receivedRequest, $nextProcessStep->getRole(), $this->_authenticationStateHelper->getAuthenticationState());
+        if ($this->_server->handleConsentAuthenticationCallout($receivedResponse, $receivedRequest)) {
             return;
         }
 
-        $this->_server->getLogger()->info('Handle Stepup authentication callout');
-
-        // Add Stepup authentication step
-        $currentProcessStep = $this->_processingStateHelper->addStep(
-            $receivedRequest->getId(),
-            ProcessingStateHelperInterface::STEP_STEPUP,
-            $application->getDiContainer()->getStepupIdentityProvider($this->_server),
-            $receivedResponse
-        );
-
-        // Get mapped AuthnClassRef and get NameId
-        $nameId = clone $receivedResponse->getNameId();
-        $authnClassRef = $this->_stepupGatewayCallOutHelper->getStepupLoa($idp, $sp, $authnRequestLoas, $pdpLoas);
-
-        $this->_server->sendStepupAuthenticationRequest(
-            $receivedRequest,
-            $currentProcessStep->getRole(),
-            $authnClassRef,
-            $nameId,
-            $sp->getCoins()->isStepupForceAuthn()
-        );
+        $this->_server->handleStepupAuthenticationCallout($receivedResponse, $receivedRequest);
     }
 
     private function getSbsClient()
diff --git a/library/EngineBlock/Corto/ProxyServer.php b/library/EngineBlock/Corto/ProxyServer.php
@@ -26,8 +26,10 @@
 use OpenConext\EngineBlock\Metadata\MfaEntity;
 use OpenConext\EngineBlock\Metadata\Service;
 use OpenConext\EngineBlock\Metadata\TransparentMfaEntity;
+use OpenConext\EngineBlock\Metadata\X509\KeyPairFactory;
 use OpenConext\EngineBlockBundle\Authentication\AuthenticationState;
 use OpenConext\EngineBlockBundle\Exception\UnknownKeyIdException;
+use OpenConext\EngineBlock\Service\ProcessingStateHelperInterface;
 use OpenConext\Value\Saml\Entity;
 use OpenConext\Value\Saml\EntityId;
 use OpenConext\Value\Saml\EntityType;
@@ -126,6 +128,8 @@ class EngineBlock_Corto_ProxyServer
     protected $_templateSource;
     protected $_processingMode = false;
 
+    protected $_diContainer = null;
+
     /**
      * @var EngineBlock_Saml2_AuthnRequestAnnotationDecorator
      */
@@ -144,6 +148,7 @@ class EngineBlock_Corto_ProxyServer
     public function __construct(Twig_Environment $twig)
     {
         $this->_server = $this;
+        $this->_diContainer = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer();
         $this->twig = $twig;
     }
 
@@ -353,6 +358,20 @@ public function getRepository()
         return $this->_repository;
     }
 
+    /**
+     * @return ServiceProvider
+     */
+    public function getEngineSpRole()
+    {
+        $keyId = $this->getKeyId();
+        if (!$keyId) {
+            $keyId = KeyPairFactory::DEFAULT_KEY_PAIR_IDENTIFIER;
+        }
+
+        $serviceProvider = $this->_diContainer->getServiceProviderFactory()->createEngineBlockEntityFrom($keyId);
+        return ServiceProvider::fromServiceProviderEntity($serviceProvider);
+    }
+
 //////// MAIN /////////
 
     public function serve($serviceName, $remoteIdpMd5 = "")
@@ -402,6 +421,131 @@ public function setRemoteIdpMd5($remoteIdPMd5)
         return $this;
     }
 
+
+////////  CALLOUT HANDLERS ////////
+
+    function handleSRAMInterruptCallout(
+        $receivedResponse,
+        $receivedRequest
+    ) {
+        $logger = $this->getLogger();
+        $logger->info('Handle SRAM interrupt callout');
+
+        if ("" != $receivedResponse->getSRAMInterruptNonce()) {
+
+            // Add the SRAM step
+            $this->_diContainer->getProcessingStateHelper()->addStep(
+                $receivedRequest->getId(),
+                ProcessingStateHelperInterface::STEP_SRAM,
+                $this->getEngineSpRole(),
+                $receivedResponse
+            );
+
+            // Redirect to SRAM
+            $this->sendSRAMInterruptRequest($receivedResponse, $receivedRequest);
+
+            return true;
+        }
+
+        return false;
+    }
+
+    function handleStepupAuthenticationCallout(
+        $receivedResponse,
+        $receivedRequest
+    ) {
+        $logger = $this->getLogger();
+        $logger->info('Handle Stepup authentication callout');
+
+        // Add Stepup authentication step
+        $currentProcessStep = $this->_diContainer->getProcessingStateHelper()->addStep(
+            $receivedRequest->getId(),
+            ProcessingStateHelperInterface::STEP_STEPUP,
+            $this->_diContainer->getStepupIdentityProvider($this),
+            $receivedResponse
+        );
+
+        if ($receivedRequest->isDebugRequest()) {
+            $sp = $this->getEngineSpRole();
+        } else {
+            $issuer = $receivedRequest->getIssuer() ? $receivedRequest->getIssuer()->getValue() : '';
+            $sp = $this->getRepository()->fetchServiceProviderByEntityId($issuer);
+        }
+
+        $issuer = $receivedResponse->getIssuer() ? $receivedResponse->getIssuer()->getValue() : '';
+        $idp = $this->getRepository()->fetchIdentityProviderByEntityId($issuer);
+
+        // When dealing with an SP that acts as a trusted proxy, we should use the proxying SP and not the proxy itself.
+        if ($sp->getCoins()->isTrustedProxy()) {
+            // Overwrite the trusted proxy SP instance with that of the SP that uses the trusted proxy.
+            $sp = $this->findOriginalServiceProvider($receivedRequest, $logger);
+        }
+
+        $pdpLoas = $receivedResponse->getPdpRequestedLoas();
+        $loaRepository = $this->_diContainer->getLoaRepository();
+        $authnRequestLoas = $receivedRequest->getStepupObligations($loaRepository->getStepUpLoas());
+
+        // Get mapped AuthnClassRef and get NameId
+        $nameId = clone $receivedResponse->getNameId();
+        $authnClassRef = $this->_diContainer->getStepupGatewayCallOutHelper()->getStepupLoa($idp, $sp, $authnRequestLoas, $pdpLoas);
+
+        $this->sendStepupAuthenticationRequest(
+            $receivedRequest,
+            $currentProcessStep->getRole(),
+            $authnClassRef,
+            $nameId,
+            $sp->getCoins()->isStepupForceAuthn()
+        );
+    }
+
+    function handleConsentAuthenticationCallout(
+        $receivedResponse,
+        $receivedRequest
+        // $currentProcessStep
+    ) {
+        $logger = $this->getLogger();
+        $logger->info('Handle Consent authentication callout');
+
+        // Add the consent step
+        $currentProcessStep = $this->_diContainer->getProcessingStateHelper()->addStep(
+            $receivedRequest->getId(),
+            ProcessingStateHelperInterface::STEP_CONSENT,
+            $this->getEngineSpRole(),
+            $receivedResponse
+        );
+
+        $issuer = $receivedResponse->getIssuer() ? $receivedResponse->getIssuer()->getValue() : '';
+        $idp = $this->getRepository()->fetchIdentityProviderByEntityId($issuer);
+
+        if ($receivedRequest->isDebugRequest()) {
+            $sp = $this->getEngineSpRole();
+        } else {
+            $issuer = $receivedRequest->getIssuer() ? $receivedRequest->getIssuer()->getValue() : '';
+            $sp = $this->getRepository()->fetchServiceProviderByEntityId($issuer);
+        }
+
+        // When dealing with an SP that acts as a trusted proxy, we should use the proxying SP and not the proxy itself.
+        if ($sp->getCoins()->isTrustedProxy()) {
+            // Overwrite the trusted proxy SP instance with that of the SP that uses the trusted proxy.
+            $sp = $this->_server->findOriginalServiceProvider($receivedRequest, $this->getLogger());
+        }
+
+        $pdpLoas = $receivedResponse->getPdpRequestedLoas();
+        $loaRepository = $this->_diContainer->getLoaRepository();
+        $authnRequestLoas = $receivedRequest->getStepupObligations($loaRepository->getStepUpLoas());
+
+        $shouldUseStepup = $this->_diContainer->getStepupGatewayCallOutHelper()->shouldUseStepup($idp, $sp, $authnRequestLoas, $pdpLoas);
+
+        // Goto consent if no Stepup authentication is needed
+        if (!$shouldUseStepup) {
+            $this->sendConsentAuthenticationRequest($receivedResponse, $receivedRequest, $currentProcessStep->getRole(), $this->_diContainer->getAuthenticationStateHelper()->getAuthenticationState());
+            return true;
+        }
+
+        return false;
+    }
+
+
 ////////  REQUEST HANDLING /////////
 
     public function sendAuthenticationRequest(
@@ -467,7 +611,15 @@ public function sendAuthenticationRequest(
         $this->getBindingsModule()->send($ebRequest, $identityProvider);
     }
 
-    public function sendStepupAuthenticationRequest(
+    function sendSRAMInterruptRequest($response, $request) {
+        $nonce = $response->getSRAMInterruptNonce();
+
+        $sbsClient = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getSbsClient();
+        $redirect_url = $sbsClient->getInterruptLocationLink($nonce);
+        $this->redirect($redirect_url, '');
+    }
+
+    function sendStepupAuthenticationRequest(
         EngineBlock_Saml2_AuthnRequestAnnotationDecorator $spRequest,
         IdentityProvider $identityProvider,
         Loa $authnContextClassRef,
@@ -558,14 +710,6 @@ function sendConsentAuthenticationRequest(
         $this->_server->getBindingsModule()->send($newResponse, $serviceProvider);
     }
 
-    function sendSRAMInterruptRequest($response, $request) {
-        $nonce = $response->getSRAMInterruptNonce();
-
-        $sbsClient = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getSbsClient();
-        $redirect_url = $sbsClient->getInterruptLocationLink($nonce);
-        $this->redirect($redirect_url, '');
-    }
-
 //////// RESPONSE HANDLING ////////
 
     public function createProxyCountExceededResponse(EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request)
