Retrieve old/new style attribute hash in one go

Previously when testing if previous consent was given was based on
testing for old-style attribute hash calculation. And if that one did
not exist, the new (stable) attribute hash was tested.

Having that in two queries made little sense as it can easily be
performed in one action.

The interface of the repo and service changed slightly, as now a value
object is returned instead of a boolean value. The value object reflects
the version (type of attribute hash) of consent that was given. That can
either be: unstable, stable or not given at all.

Author: MKodde

library/EngineBlock/Corto/Model/Consent.php

@@ -178,31 +178,13 @@ private function _updateConsent(ServiceProvider $serviceProvider, $consentType):
     private function _hasStoredConsent(ServiceProvider $serviceProvider, $consentType): ConsentVersion
     {
         $consentUuid = sha1($this->_getConsentUid());
-        $parameters = [
-            $consentUuid,
-            $serviceProvider->entityId,
-            $this->_getStableAttributesHash($this->_responseAttributes),
-            $consentType,
-        ];
-        $hasStableConsentHash = $this->_hashService->retrieveStableConsentHash($parameters);
-
-        if ($hasStableConsentHash) {
-            return ConsentVersion::stable();
-        }
-
         $parameters = [
             $consentUuid,
             $serviceProvider->entityId,
             $this->_getAttributesHash($this->_responseAttributes),
+            $this->_getStableAttributesHash($this->_responseAttributes),
             $consentType,
         ];
-
-        $hasUnstableConsentHash = $this->_hashService->retrieveConsentHash($parameters);
-
-        if ($hasUnstableConsentHash) {
-            return ConsentVersion::unstable();
-        }
-
-        return ConsentVersion::notGiven();
+        return $this->_hashService->retrieveConsentHash($parameters);
     }
 }

src/OpenConext/EngineBlock/Authentication/Repository/ConsentRepository.php

@@ -19,6 +19,7 @@
 namespace OpenConext\EngineBlock\Authentication\Repository;
 
 use OpenConext\EngineBlock\Authentication\Model\Consent;
+use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 
 interface ConsentRepository
 {
@@ -39,21 +40,9 @@ public function deleteAllFor($userId);
     public function deleteOneFor(string $userId, string $serviceProviderEntityId): bool;
 
     /**
-     * Test if the consent row is set with the legacy (unstable) consent hash
-     * This is the consent hash that was originally created by EB. It can change
-     * based on factors that should not result in a hash change per se. Think of the
-     * change of the attribute ordering, case change or the existence of empty
-     * attribute values.
+     * Test if the consent row is set with an attribute hash either stable or unstable
      */
-    public function hasConsentHash(array $parameters): bool;
-
-    /**
-     * Tests the presence of the stable consent hash
-     *
-     * The stable consent hash is used by default, it is not affected by attribute order, case change
-     * or other irrelevant factors that could result in a changed hash calculation.
-     */
-    public function hasStableConsentHash(array $parameters): bool;
+    public function hasConsentHash(array $parameters): ConsentVersion;
 
     /**
      * By default stores the stable consent hash. The legacy consent hash is left.

src/OpenConext/EngineBlock/Service/Consent/ConsentHashService.php

@@ -19,6 +19,7 @@
 namespace OpenConext\EngineBlock\Service\Consent;
 
 use OpenConext\EngineBlock\Authentication\Repository\ConsentRepository;
+use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 use OpenConext\UserLifecycle\Domain\ValueObject\Client\Name;
 use SAML2\XML\saml\NameID;
 use function array_filter;
@@ -48,16 +49,11 @@ public function __construct(ConsentRepository $consentHashRepository)
         $this->consentRepository = $consentHashRepository;
     }
 
-    public function retrieveConsentHash(array $parameters): bool
+    public function retrieveConsentHash(array $parameters): ConsentVersion
     {
         return $this->consentRepository->hasConsentHash($parameters);
     }
 
-    public function retrieveStableConsentHash(array $parameters): bool
-    {
-        return $this->consentRepository->hasStableConsentHash($parameters);
-    }
-
     public function storeConsentHash(array $parameters): bool
     {
         return $this->consentRepository->storeConsentHash($parameters);

src/OpenConext/EngineBlock/Service/Consent/ConsentHashServiceInterface.php

@@ -18,17 +18,14 @@
 
 namespace OpenConext\EngineBlock\Service\Consent;
 
+use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
+
 interface ConsentHashServiceInterface
 {
     /**
-     * Retrieve the old-style (deprecated) unstable consent hash
-     */
-    public function retrieveConsentHash(array $parameters): bool;
-
-    /**
-     * Retrieve the stable consent hash
+     * Retrieve the consent hash
      */
-    public function retrieveStableConsentHash(array $parameters): bool;
+    public function retrieveConsentHash(array $parameters): ConsentVersion;
 
     public function storeConsentHash(array $parameters): bool;
 

src/OpenConext/EngineBlockBundle/Authentication/Repository/DbalConsentRepository.php

@@ -24,6 +24,7 @@
 use OpenConext\EngineBlock\Authentication\Model\Consent;
 use OpenConext\EngineBlock\Authentication\Repository\ConsentRepository;
 use OpenConext\EngineBlock\Authentication\Value\ConsentType;
+use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 use OpenConext\EngineBlock\Exception\RuntimeException;
 use PDO;
 use PDOException;
@@ -167,7 +168,7 @@ public function deleteOneFor(string $userId, string $serviceProviderEntityId): b
     /**
      * @throws RuntimeException
      */
-    public function hasConsentHash(array $parameters): bool
+    public function hasConsentHash(array $parameters): ConsentVersion
     {
         try {
             $query = " SELECT
@@ -179,7 +180,7 @@ public function hasConsentHash(array $parameters): bool
                         AND
                             service_id = ?
                         AND
-                            attribute = ?
+                            (attribute = ? OR attribute_stable = ?)
                         AND
                             consent_type = ?
                         AND
@@ -192,45 +193,17 @@ public function hasConsentHash(array $parameters): bool
 
             if (count($rows) < 1) {
                 // No stored consent found
-                return false;
+                return ConsentVersion::notGiven();
             }
 
-            return true;
+            if ($rows[0]['attribute_stable'] !== '') {
+                return ConsentVersion::stable();
+            }
+            return ConsentVersion::unstable();
         } catch (PDOException $e) {
             throw new RuntimeException(sprintf('Consent retrieval failed! Error: "%s"', $e->getMessage()));
         }
     }
-    /**
-     * @throws RuntimeException
-     */
-    public function hasStableConsentHash(array $parameters): bool
-    {
-        try {
-            $query = " SELECT
-                            *
-                        FROM
-                            consent
-                        WHERE
-                            hashed_user_id = ?
-                        AND
-                            service_id = ?
-                        AND
-                            attribute_stable = ?
-                        AND
-                            consent_type = ?
-                        AND
-                            deleted_at IS NULL
-            ";
-
-            $statement = $this->connection->prepare($query);
-            $statement->execute($parameters);
-            $rows = $statement->fetchAll();
-
-            return count($rows) >= 1;
-        } catch (PDOException $e) {
-            throw new RuntimeException(sprintf('Consent retrieval on stable consent hash failed! Error: "%s"', $e->getMessage()));
-        }
-    }
 
     /**
      * @throws RuntimeException

tests/library/EngineBlock/Test/Corto/Model/ConsentIntegrationTest.php

@@ -20,6 +20,7 @@
 use Mockery\MockInterface;
 use OpenConext\EngineBlock\Authentication\Repository\ConsentRepository;
 use OpenConext\EngineBlock\Authentication\Value\ConsentType;
+use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Service\Consent\ConsentHashService;
 use OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository;
@@ -73,11 +74,7 @@ public function test_no_previous_consent_given($consentType)
         $this->consentRepository
             ->shouldReceive('hasConsentHash')
             ->once()
-            ->andReturn(false);
-        $this->consentRepository
-            ->shouldReceive('hasStableConsentHash')
-            ->once()
-            ->andReturn(false);
+            ->andReturn(ConsentVersion::notGiven());
         switch ($consentType) {
             case ConsentType::TYPE_EXPLICIT:
                 $this->assertFalse($this->consent->explicitConsentWasGivenFor($serviceProvider));
@@ -98,18 +95,11 @@ public function test_unstable_previous_consent_given($consentType)
             ->once()
             ->andReturn('collab:person:id:org-a:joe-a');
         // Stable consent is not yet stored
-        $this->consentRepository
-            ->shouldReceive('hasStableConsentHash')
-            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
-            ->once()
-            ->andReturn(false);
-        // Old-style (unstable) consent was given previously
         $this->consentRepository
             ->shouldReceive('hasConsentHash')
-            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
+            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
             ->once()
-            ->andReturn(true);
-
+            ->andReturn(ConsentVersion::unstable());
 
         switch ($consentType) {
             case ConsentType::TYPE_EXPLICIT:
@@ -132,13 +122,10 @@ public function test_stable_consent_given($consentType)
             ->andReturn('collab:person:id:org-a:joe-a');
         // Stable consent is not yet stored
         $this->consentRepository
-            ->shouldReceive('hasStableConsentHash')
-            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
+            ->shouldReceive('hasConsentHash')
+            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
             ->once()
-            ->andReturn(true);
-        // Old-style (unstable) consent was given previously
-        $this->consentRepository
-            ->shouldNotReceive('hasConsentHash');
+            ->andReturn(ConsentVersion::stable());
 
         switch ($consentType) {
             case ConsentType::TYPE_EXPLICIT:
@@ -211,18 +198,12 @@ public function test_upgrade_to_stable_consent($consentType)
         $this->response->shouldReceive('getNameIdValue')
             ->twice()
             ->andReturn('collab:person:id:org-a:joe-a');
-        // Stable consent is not yet stored
-        $this->consentRepository
-            ->shouldReceive('hasStableConsentHash')
-            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
-            ->once()
-            ->andReturn(false);
         // Old-style (unstable) consent was given previously
         $this->consentRepository
             ->shouldReceive('hasConsentHash')
-            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
+            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
             ->once()
-            ->andReturn(true);
+            ->andReturn(ConsentVersion::unstable());
         // Now assert that the new stable consent hash is going to be set
         $this->consentRepository
             ->shouldReceive('updateConsentHash')
@@ -242,12 +223,12 @@ public function test_upgrade_to_stable_consent_not_applied_when_stable($consentT
         $this->response->shouldReceive('getNameIdValue')
             ->once()
             ->andReturn('collab:person:id:org-a:joe-a');
-        // Stable consent is not yet stored
+        // Stable consent is stored
         $this->consentRepository
-            ->shouldReceive('hasStableConsentHash')
-            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
+            ->shouldReceive('hasConsentHash')
+            ->with(['0e54805079c56c2b1c1197a760af86ac337b7bac', 'service-provider-entity-id', '8739602554c7f3241958e3cc9b57fdecb474d508', '8739602554c7f3241958e3cc9b57fdecb474d508', $consentType])
             ->once()
-            ->andReturn(true);
+            ->andReturn(ConsentVersion::stable());
         // Now assert that the new stable consent hash is NOT going to be set
         $this->consentRepository
             ->shouldNotReceive('storeConsentHash');

tests/library/EngineBlock/Test/Corto/Model/ConsentTest.php

@@ -17,6 +17,7 @@
  */
 
 use Mockery\Adapter\Phpunit\MockeryPHPUnitIntegration;
+use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Service\Consent\ConsentHashServiceInterface;
 use PHPUnit\Framework\TestCase;
@@ -76,8 +77,7 @@ public function testConsentWriteToDatabase()
         $serviceProvider = new ServiceProvider("service-provider-entity-id");
         $this->consentService->shouldReceive('getStableAttributesHash');
         $this->consentService->shouldReceive('getUnstableAttributesHash')->andReturn(sha1('unstable'));
-        $this->consentService->shouldReceive('retrieveConsentHash')->andReturn(sha1('unstable'));
-        $this->consentService->shouldReceive('retrieveStableConsentHash');
+        $this->consentService->shouldReceive('retrieveConsentHash')->andReturn(ConsentVersion::stable());
         $this->consent->explicitConsentWasGivenFor($serviceProvider);
 
         $this->consentService->shouldReceive('getStableAttributesHash')->andReturn(sha1('stable'));