Cover additional flows and add correlation id on the feedback page

Author: johanib

languages/messages.en.php

@@ -49,6 +49,7 @@
 
         // Feedback
     'requestId'             => 'UR ID',
+    'correlationId'         => 'CID',
     'identityProvider'      => 'IdP',
     'serviceProvider'       => 'SP',
     'serviceProviderName'   => 'SP Name',

languages/messages.nl.php

@@ -49,6 +49,7 @@
 
      // Feedback
     'requestId'             => 'UR ID',
+    'correlationId'         => 'CID',
     'identityProvider'      => 'IdP',
     'serviceProvider'       => 'SP',
     'serviceProviderName'   => 'SP Name',

library/EngineBlock/Application/DiContainer.php

@@ -21,6 +21,7 @@
 use OpenConext\EngineBlock\Metadata\LoaRepository;
 use OpenConext\EngineBlock\Metadata\MetadataRepository\MetadataRepositoryInterface;
 use OpenConext\EngineBlock\Request\CorrelationIdService;
+use OpenConext\EngineBlock\Request\CurrentCorrelationId;
 use OpenConext\EngineBlock\Service\MfaHelperInterface;
 use OpenConext\EngineBlock\Service\ReleaseAsEnforcer;
 use OpenConext\EngineBlock\Service\TimeProvider\TimeProviderInterface;
@@ -623,6 +624,14 @@ public function getCorrelationIdService(): CorrelationIdService
         return $this->container->get(CorrelationIdService::class);
     }
 
+    /**
+     * @return CurrentCorrelationId
+     */
+    public function getCurrentCorrelationId(): CurrentCorrelationId
+    {
+        return $this->container->get(CurrentCorrelationId::class);
+    }
+
     /**
      * @return EngineBlock_Saml2_AuthnRequestSessionRepository
      */

library/EngineBlock/ApplicationSingleton.php

@@ -269,6 +269,11 @@ public function collectFeedbackInfo(Throwable $exception)
         $feedbackInfo['ipAddress'] = $this->getClientIpAddress();
         $feedbackInfo['artCode'] = Art::forException($exception);
 
+        $currentCorrelationId = $this->getDiContainer()->getCurrentCorrelationId()->correlationId;
+        if ($currentCorrelationId !== null) {
+            $feedbackInfo['correlationId'] = $currentCorrelationId;
+        }
+
         // @todo  reset this when login is succesful
         // Find the current identity provider
         $spEntityId = $_SESSION['originalServiceProvider'] ?? $_SESSION['currentServiceProvider'] ?? null;

library/EngineBlock/Corto/Module/Service/SramInterrupt.php

@@ -50,6 +50,8 @@ public function serve($serviceName, Request $httpRequest): void
     {
         $id = $httpRequest->get('ID');
 
+        EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getCorrelationIdService()->resolve($id);
+
         $nextProcessStep = $this->_processingStateHelper->getStepByRequestId(
             $id,
             ProcessingStateHelperInterface::STEP_SRAM

library/EngineBlock/Corto/Module/Service/StepupAssertionConsumer.php

@@ -115,6 +115,8 @@ public function serve($serviceName, Request $httpRequest)
             $log->warning('After failed Stepup authentication set LoA to Loa1', ['result' => $mappedLoa]);
         }
 
+        $application->getDiContainer()->getCorrelationIdService()->resolve($receivedRequest->getId());
+
         if ($checkResponseSignature) {
             $this->_server->checkResponseSignatureMethods($receivedResponse);
         }

src/OpenConext/EngineBlockBundle/Controller/FeedbackController.php

@@ -19,6 +19,7 @@
 namespace OpenConext\EngineBlockBundle\Controller;
 
 use EngineBlock_Corto_ProxyServer;
+use OpenConext\EngineBlock\Request\CurrentCorrelationId;
 use OpenConext\EngineBlockBundle\Pdp\PolicyDecision;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpFoundation\Request;
@@ -50,14 +51,18 @@ class FeedbackController
      */
     private $logger;
 
+    private CurrentCorrelationId $currentCorrelationId;
+
     public function __construct(
         TranslatorInterface $translator,
         Environment $twig,
-        LoggerInterface $logger
+        LoggerInterface $logger,
+        CurrentCorrelationId $currentCorrelationId
     ) {
         $this->translator = $translator;
         $this->twig = $twig;
         $this->logger = $logger;
+        $this->currentCorrelationId = $currentCorrelationId;
 
         // we have to start the old session in order to be able to retrieve the feedback info
         $server = new EngineBlock_Corto_ProxyServer($twig);
@@ -545,6 +550,9 @@ public function stepupCalloutUnknownAction(Request $request)
      */
     private function setFeedbackInformationOnSession(SessionInterface $session, array $customFeedbackInfo)
     {
+        if ($this->currentCorrelationId->correlationId !== null) {
+            $customFeedbackInfo['correlationId'] = $this->currentCorrelationId->correlationId;
+        }
         $feedbackInfo = $session->get('feedbackInfo', []);
         $session->set('feedbackInfo', array_merge($customFeedbackInfo, $feedbackInfo));
     }

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/LoggingContext.php

@@ -96,10 +96,10 @@ public function theLogShouldContainMultipleDistinctRequestIds(): void
     {
         $records = $this->readRecords();
 
-        $requestIds = array_column($records, 'extra')
-                |> (static fn($x) => array_column($x, 'request_id',))
-                |> array_unique(...);
-
+        $requestIds = array_unique(array_column(
+            array_column($records, 'extra'),
+            'request_id',
+        ));
         if (count($requestIds) < 2) {
             throw new RuntimeException(sprintf(
                 'Expected multiple distinct request_ids in the log, but found only %d: %s.',

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/CorrelationId.feature

@@ -65,7 +65,7 @@ Feature:
     And I give my consent
     And I pass through EngineBlock
     Then the url should match "functional-testing/CorrId-SP/acs"
-    And I dump the log records
+#    And I dump the log records
     And the following log messages should have a correlation_id:
       | message                                                                                              |
       | HTTP-Post: Sending Message                                                                           |
@@ -102,6 +102,41 @@ Feature:
       | Done calling service 'processedAssertionConsumerService'                                             |
       | Done calling service 'processConsentService'                                                         |
 
+  Scenario: A user completing a Stepup flow has a single correlation_id across all log entries
+    Given the SP "CorrId-SP" requires Stepup LoA "http://dev.openconext.local/assurance/loa2"
+    And an Identity Provider named "CorrId-IdP"
+    When I log in at "CorrId-SP"
+    And I pass through EngineBlock
+    And I pass through the IdP
+    And Stepup will successfully verify a user
+    And I give my consent
+    And I pass through EngineBlock
+    Then the url should match "functional-testing/CorrId-SP/acs"
+    And the log should contain multiple distinct request_ids
+    And the following log messages should have a correlation_id:
+      | message                                            |
+      | Handle Stepup authentication callout               |
+      | Handled Stepup authentication callout successfully |
+
+  Scenario: A user completing an SRAM interrupt flow has a single correlation_id across all log entries
+    Given the SP "CorrId-SP" requires SRAM collaboration
+    And feature "eb.feature_enable_sram_interrupt" is enabled
+    And the sbs server will trigger the "interrupt" authz flow when called
+    And the sbs server will return valid attributes
+    And an Identity Provider named "CorrId-IdP-SRAM"
+    When I log in at "CorrId-SP"
+    And I pass through EngineBlock
+    And I pass through the IdP
+    And I pass through SBS
+    And I give my consent
+    And I pass through EngineBlock
+    Then the url should match "functional-testing/CorrId-SP/acs"
+    And the log should contain multiple distinct request_ids
+    And the following log messages should have a correlation_id:
+      | message                                     |
+      | Handle SRAM interrupt callout               |
+      | Done calling service 'SramInterruptService' |
+
   @functional
   Scenario: Two concurrent authentication flows each complete independently
     Given an Identity Provider named "CorrId-IdP-A"

tests/unit/OpenConext/EngineBlockBundle/Controller/FeedbackControllerTest.php

@@ -0,0 +1,87 @@
+<?php
+
+/**
+ * Copyright 2026 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlockBundle\Tests;
+
+use Mockery;
+use Mockery\Adapter\Phpunit\MockeryPHPUnitIntegration;
+use OpenConext\EngineBlock\Request\CurrentCorrelationId;
+use OpenConext\EngineBlockBundle\Controller\FeedbackController;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+use Symfony\Contracts\Translation\TranslatorInterface;
+use Twig\Environment;
+
+class FeedbackControllerTest extends TestCase
+{
+    use MockeryPHPUnitIntegration;
+
+    #[Test]
+    public function correlation_id_is_added_to_feedback_session_when_set(): void
+    {
+        $currentCorrelationId = new CurrentCorrelationId();
+        $currentCorrelationId->correlationId = 'test-correlation-id-abc123';
+
+        $controller = $this->buildController($currentCorrelationId);
+        $request = $this->buildRequestWithSession();
+
+        $controller->unknownServiceProviderAction($request);
+
+        $feedbackInfo = $request->getSession()->get('feedbackInfo');
+        $this->assertArrayHasKey('correlationId', $feedbackInfo);
+        $this->assertSame('test-correlation-id-abc123', $feedbackInfo['correlationId']);
+    }
+
+    #[Test]
+    public function correlation_id_is_not_added_to_feedback_session_when_null(): void
+    {
+        $currentCorrelationId = new CurrentCorrelationId();
+        $currentCorrelationId->correlationId = null;
+
+        $controller = $this->buildController($currentCorrelationId);
+        $request = $this->buildRequestWithSession();
+
+        $controller->unknownServiceProviderAction($request);
+
+        $feedbackInfo = $request->getSession()->get('feedbackInfo');
+        $this->assertArrayNotHasKey('correlationId', $feedbackInfo);
+    }
+
+    private function buildController(CurrentCorrelationId $currentCorrelationId): FeedbackController
+    {
+        $translator = Mockery::mock(TranslatorInterface::class);
+        $twig = Mockery::mock(Environment::class);
+        $twig->allows('render')->andReturn('<html></html>');
+        $logger = Mockery::mock(LoggerInterface::class);
+
+        return new FeedbackController($translator, $twig, $logger, $currentCorrelationId);
+    }
+
+    private function buildRequestWithSession(): Request
+    {
+        $request = Request::create('/authentication/feedback/unknown-service-provider?entity-id=https://sp.example.com');
+        $session = new Session(new MockArraySessionStorage());
+        $request->setSession($session);
+
+        return $request;
+    }
+}