Fix consent hash implementation and code quality

- Guard upgradeAttributeHashFor against consent-disabled state: returns
  early without hitting the DB or recalculating hashes when consent is off
- Fix DIP violation in Factory.php: type-hint ConsentHashServiceInterface
  instead of concrete ConsentHashService
- Fix countAllFor memory issue: delegate to COUNT(*) query instead of
  loading all consent rows into memory
- Fix null-guards in _hasStoredConsent() and _updateConsent(): return
  early when getConsentUid() returns null, consistent with _storeConsent()
- Fix risky PHPUnit tests in ConsentTest: add assertions, use shouldNotReceive()
- findAllFor: select attribute_stable alongside attribute, prefer it for
  new-format rows (fixes null attribute_hash in /api/consent response)
- updateConsentHash: check rowCount(), log warning and return false on 0 rows
- hasConsentHash: SELECT attribute_stable instead of SELECT *
- ProcessConsent/ProvideConsent: skip upgradeAttributeHashFor on fresh consent
- ConsentVersion: add isStable() counterpart to isUnstable()
- Restore display_errors=0 in phpunit.xml to prevent PHP deprecation noise

Author: kayjoosten

config/services/controllers/api.yml

@@ -16,7 +16,7 @@ services:
             - '@security.token_storage'
             - '@security.access.decision_manager'
             - '@OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration'
-            - '@OpenConext\EngineBlock\Service\ConsentService'
+            - '@OpenConext\EngineBlock\Service\Consent\ConsentService'
 
     OpenConext\EngineBlockBundle\Controller\Api\DeprovisionController:
         arguments:

config/services/services.yml

@@ -78,8 +78,10 @@ services:
     engineblock.service.consent.ConsentHashService:
         class: OpenConext\EngineBlock\Service\Consent\ConsentHashService
         public: false
+        arguments:
+            - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
 
-    OpenConext\EngineBlock\Service\ConsentService:
+    OpenConext\EngineBlock\Service\Consent\ConsentService:
         arguments:
             - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
             - '@OpenConext\EngineBlock\Service\MetadataService'

database/DoctrineMigrations/Version20220503092351.php

@@ -7,7 +7,7 @@
 
 /**
  * Change to the consent schema
- * 1. Added the `attribute_stable` column, string(80), not null
+ * 1. Added the `attribute_stable` column, string(80), nullable
  * 2. Changed the `attribute` column, has been made nullable
  */
 final class Version20220503092351 extends AbstractMigration
@@ -17,7 +17,7 @@ public function up(Schema $schema) : void
         // this up() migration is auto-generated, please modify it to your needs
         $this->abortIf($this->connection->getDatabasePlatform()->getName() !== 'mysql', 'Migration can only be executed safely on \'mysql\'.');
 
-        $this->addSql('ALTER TABLE consent ADD attribute_stable VARCHAR(80) NOT NULL, CHANGE attribute attribute VARCHAR(80) DEFAULT NULL');
+        $this->addSql('ALTER TABLE consent ADD attribute_stable VARCHAR(80) DEFAULT NULL, CHANGE attribute attribute VARCHAR(80) DEFAULT NULL');
     }
 
     public function down(Schema $schema) : void

library/EngineBlock/Application/DiContainer.php

@@ -165,7 +165,7 @@ public function getAuthenticationLoopGuard()
      */
     public function getConsentService()
     {
-        return $this->container->get(\OpenConext\EngineBlock\Service\ConsentService::class);
+        return $this->container->get(\OpenConext\EngineBlock\Service\Consent\ConsentService::class);
     }
 
     /**

library/EngineBlock/Corto/Model/Consent.php

@@ -16,6 +16,9 @@
  * limitations under the License.
  */
 
+use OpenConext\EngineBlock\Authentication\Value\ConsentHashQuery;
+use OpenConext\EngineBlock\Authentication\Value\ConsentStoreParameters;
+use OpenConext\EngineBlock\Authentication\Value\ConsentUpdateParameters;
 use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Authentication\Value\ConsentType;
@@ -98,6 +101,9 @@ public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): bo
      */
     public function upgradeAttributeHashFor(ServiceProvider $serviceProvider, string $consentType): void
     {
+        if (!$this->_consentEnabled) {
+            return;
+        }
         $consentVersion = $this->_hasStoredConsent($serviceProvider, $consentType);
         if ($consentVersion->isUnstable()) {
             $this->_updateConsent($serviceProvider, $consentType);
@@ -157,39 +163,48 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType):
             return false;
         }
 
-        $parameters = array(
-            sha1($consentUuid),
-            $serviceProvider->entityId,
-            $this->_getStableAttributesHash($this->_responseAttributes),
-            $consentType,
+        $parameters = new ConsentStoreParameters(
+            hashedUserId: sha1($consentUuid),
+            serviceId: $serviceProvider->entityId,
+            attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
+            consentType: $consentType,
         );
 
         return $this->_hashService->storeConsentHash($parameters);
     }
 
     private function _updateConsent(ServiceProvider $serviceProvider, $consentType): bool
     {
-        $parameters = array(
-            $this->_getStableAttributesHash($this->_responseAttributes),
-            $this->_getAttributesHash($this->_responseAttributes),
-            sha1($this->_getConsentUid()),
-            $serviceProvider->entityId,
-            $consentType,
+        $consentUid = $this->_getConsentUid();
+        if (!is_string($consentUid)) {
+            return false;
+        }
+
+        $parameters = new ConsentUpdateParameters(
+            attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
+            attributeHash: $this->_getAttributesHash($this->_responseAttributes),
+            hashedUserId: sha1($consentUid),
+            serviceId: $serviceProvider->entityId,
+            consentType: $consentType,
         );
 
         return $this->_hashService->updateConsentHash($parameters);
     }
 
     private function _hasStoredConsent(ServiceProvider $serviceProvider, $consentType): ConsentVersion
     {
-        $consentUuid = sha1($this->_getConsentUid());
-        $parameters = [
-            $consentUuid,
-            $serviceProvider->entityId,
-            $this->_getAttributesHash($this->_responseAttributes),
-            $this->_getStableAttributesHash($this->_responseAttributes),
-            $consentType,
-        ];
-        return $this->_hashService->retrieveConsentHash($parameters);
+        $consentUid = $this->_getConsentUid();
+        if (!is_string($consentUid)) {
+            return ConsentVersion::notGiven();
+        }
+
+        $query = new ConsentHashQuery(
+            hashedUserId: sha1($consentUid),
+            serviceId: $serviceProvider->entityId,
+            attributeHash: $this->_getAttributesHash($this->_responseAttributes),
+            attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
+            consentType: $consentType,
+        );
+        return $this->_hashService->retrieveConsentHash($query);
     }
 }

library/EngineBlock/Corto/Model/Consent/Factory.php

@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-use OpenConext\EngineBlock\Service\Consent\ConsentHashService;
+use OpenConext\EngineBlock\Service\Consent\ConsentHashServiceInterface;
 
 /**
  * @todo write a test
@@ -27,7 +27,7 @@ class EngineBlock_Corto_Model_Consent_Factory
     private $_filterCommandFactory;
 
     /**
-     * @var ConsentHashService
+     * @var ConsentHashServiceInterface
      */
     private $_hashService;
 
@@ -36,7 +36,7 @@ class EngineBlock_Corto_Model_Consent_Factory
       */
     public function __construct(
         EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory,
-        ConsentHashService $hashService
+        ConsentHashServiceInterface $hashService
     ) {
         $this->_filterCommandFactory = $filterCommandFactory;
         $this->_hashService = $hashService;

library/EngineBlock/Corto/Module/Service/ProcessConsent.php

@@ -102,8 +102,9 @@ public function serve($serviceName, Request $httpRequest)
 
         if (!$consentRepository->explicitConsentWasGivenFor($serviceProvider)) {
             $consentRepository->giveExplicitConsentFor($destinationMetadata);
+        } else {
+            $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT);
         }
-        $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT);
 
         $response->setConsent(Constants::CONSENT_OBTAINED);
         $response->setDestination($response->getReturn());

library/EngineBlock/Corto/Module/Service/ProvideConsent.php

@@ -149,8 +149,9 @@ public function serve($serviceName, Request $httpRequest)
         if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
             if (!$consentRepository->implicitConsentWasGivenFor($serviceProviderMetadata)) {
                 $consentRepository->giveImplicitConsentFor($serviceProviderMetadata);
+            } else {
+                $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT);
             }
-            $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT);
 
             $response->setConsent(Constants::CONSENT_INAPPLICABLE);
             $response->setDestination($response->getReturn());

src/OpenConext/EngineBlock/Authentication/Repository/ConsentRepository.php

@@ -19,6 +19,9 @@
 namespace OpenConext\EngineBlock\Authentication\Repository;
 
 use OpenConext\EngineBlock\Authentication\Model\Consent;
+use OpenConext\EngineBlock\Authentication\Value\ConsentHashQuery;
+use OpenConext\EngineBlock\Authentication\Value\ConsentStoreParameters;
+use OpenConext\EngineBlock\Authentication\Value\ConsentUpdateParameters;
 use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 
 interface ConsentRepository
@@ -42,18 +45,18 @@ public function deleteOneFor(string $userId, string $serviceProviderEntityId): b
     /**
      * Test if the consent row is set with an attribute hash either stable or unstable
      */
-    public function hasConsentHash(array $parameters): ConsentVersion;
+    public function hasConsentHash(ConsentHashQuery $query): ConsentVersion;
 
     /**
      * By default stores the stable consent hash. The legacy consent hash is left.
      */
-    public function storeConsentHash(array $parameters): bool;
+    public function storeConsentHash(ConsentStoreParameters $parameters): bool;
 
     /**
      * When a deprecated unstable consent hash is encoutered, we upgrade it to the new format using this
      * update consent hash method.
      */
-    public function updateConsentHash(array $parameters): bool;
+    public function updateConsentHash(ConsentUpdateParameters $parameters): bool;
 
     public function countTotalConsent($consentUid): int;
 }

src/OpenConext/EngineBlock/Authentication/Value/ConsentHashQuery.php

@@ -0,0 +1,31 @@
+<?php
+
+/**
+ * Copyright 2010 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlock\Authentication\Value;
+
+final class ConsentHashQuery
+{
+    public function __construct(
+        public readonly string $hashedUserId,
+        public readonly string $serviceId,
+        public readonly string $attributeHash,
+        public readonly string $attributeStableHash,
+        public readonly string $consentType,
+    ) {
+    }
+}