Add a consentHashService

Prior to this commit, there was no service specifically for hashing
attribute arrays for consent.

This commit adds such a service with both the old hashing algorithm and
a stable hashing algorithm.

Pivotal ticket: https://www.pivotaltracker.com/story/show/176513931

Author: Koen Cornelis

library/EngineBlock/Corto/Model/Consent.php

@@ -18,6 +18,7 @@
 
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Authentication\Value\ConsentType;
+use OpenConext\EngineBlock\Service\Consent\ConsentHashService;
 
 class EngineBlock_Corto_Model_Consent
 {
@@ -36,7 +37,7 @@ class EngineBlock_Corto_Model_Consent
      */
     private $_response;
     /**
-     * @var array
+     * @var array All attributes as an associative array.
      */
     private $_responseAttributes;
 
@@ -52,21 +53,28 @@ class EngineBlock_Corto_Model_Consent
      */
     private $_amPriorToConsentEnabled;
 
+    /**
+     * @var ConsentHashService
+     */
+    private $_hashService;
+
     /**
      * @param string $tableName
      * @param bool $mustStoreValues
      * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
      * @param array $responseAttributes
      * @param EngineBlock_Database_ConnectionFactory $databaseConnectionFactory
      * @param bool $amPriorToConsentEnabled Is the run_all_manipulations_prior_to_consent feature enabled or not
+     * @param ConsentHashService $hashService
      */
     public function __construct(
         $tableName,
         $mustStoreValues,
         EngineBlock_Saml2_ResponseAnnotationDecorator $response,
         array $responseAttributes,
         EngineBlock_Database_ConnectionFactory $databaseConnectionFactory,
-        $amPriorToConsentEnabled
+        $amPriorToConsentEnabled,
+        $hashService
     )
     {
         $this->_tableName = $tableName;
@@ -75,27 +83,33 @@ public function __construct(
         $this->_responseAttributes = $responseAttributes;
         $this->_databaseConnectionFactory = $databaseConnectionFactory;
         $this->_amPriorToConsentEnabled = $amPriorToConsentEnabled;
+        $this->_hashService = $hashService;
     }
 
-    public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider) {
+    public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): bool
+    {
         return $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_EXPLICIT);
     }
 
-    public function implicitConsentWasGivenFor(ServiceProvider $serviceProvider) {
+    public function implicitConsentWasGivenFor(ServiceProvider $serviceProvider): bool
+    {
         return $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_IMPLICIT);
     }
 
-    public function giveExplicitConsentFor(ServiceProvider $serviceProvider)
+    public function giveExplicitConsentFor(ServiceProvider $serviceProvider): bool
     {
         return $this->_storeConsent($serviceProvider, ConsentType::TYPE_EXPLICIT);
     }
 
-    public function giveImplicitConsentFor(ServiceProvider $serviceProvider)
+    public function giveImplicitConsentFor(ServiceProvider $serviceProvider): bool
     {
         return $this->_storeConsent($serviceProvider, ConsentType::TYPE_IMPLICIT);
     }
 
-    public function countTotalConsent()
+    /**
+     * @throws EngineBlock_Exception
+     */
+    public function countTotalConsent(): int
     {
         $dbh = $this->_getConsentDatabaseConnection();
         $hashedUserId = sha1($this->_getConsentUid());
@@ -129,21 +143,17 @@ protected function _getConsentUid()
         return $this->_response->getNameIdValue();
     }
 
-    protected function _getAttributesHash($attributes)
+    protected function _getAttributesHash($attributes): string
     {
-        $hashBase = NULL;
-        if ($this->_mustStoreValues) {
-            ksort($attributes);
-            $hashBase = serialize($attributes);
-        } else {
-            $names = array_keys($attributes);
-            sort($names);
-            $hashBase = implode('|', $names);
-        }
-        return sha1($hashBase);
+        return $this->_hashService->getUnstableAttributesHash($attributes, $this->_mustStoreValues);
+    }
+
+    protected function _getStableAttributesHash($attributes): string
+    {
+        return $this->_hashService->getStableAttributesHash($attributes, $this->_mustStoreValues);
     }
 
-    private function _storeConsent(ServiceProvider $serviceProvider, $consentType)
+    private function _storeConsent(ServiceProvider $serviceProvider, $consentType): bool
     {
         $dbh = $this->_getConsentDatabaseConnection();
         if (!$dbh) {
@@ -156,7 +166,7 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType)
         $parameters = array(
             sha1($this->_getConsentUid()),
             $serviceProvider->entityId,
-            $this->_getAttributesHash($this->_responseAttributes),
+            $this->_getStableAttributesHash($this->_responseAttributes),
             $consentType,
         );
 
@@ -179,16 +189,27 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType)
         return true;
     }
 
-    private function _hasStoredConsent(ServiceProvider $serviceProvider, $consentType)
+    private function _hasStoredConsent(ServiceProvider $serviceProvider, $consentType): bool
     {
-        try {
-            $dbh = $this->_getConsentDatabaseConnection();
-            if (!$dbh) {
-                return false;
-            }
+        $dbh = $this->_getConsentDatabaseConnection();
+        if (!$dbh) {
+            return false;
+        }
+
+        $unstableConsentHash = $this->_getAttributesHash($this->_responseAttributes);
+        $hasUnstableConsentHash = $this->retrieveConsentHashFromDb($dbh, $serviceProvider, $consentType, $unstableConsentHash);
 
-            $attributesHash = $this->_getAttributesHash($this->_responseAttributes);
+        if ($hasUnstableConsentHash) {
+            return true;
+        }
+
+        $stableConsentHash = $this->_getStableAttributesHash($this->_responseAttributes);
+        return $this->retrieveConsentHashFromDb($dbh, $serviceProvider, $consentType, $stableConsentHash);
+    }
 
+    private function retrieveConsentHashFromDb(PDO $dbh, ServiceProvider $serviceProvider, $consentType, $attributesHash): bool
+    {
+        try {
             $query = "SELECT * FROM {$this->_tableName} WHERE hashed_user_id = ? AND service_id = ? AND attribute = ? AND consent_type = ?";
             $hashedUserId = sha1($this->_getConsentUid());
             $parameters = array(

library/EngineBlock/Corto/Model/Consent/Factory.php

@@ -27,18 +27,24 @@ class EngineBlock_Corto_Model_Consent_Factory
     /** @var EngineBlock_Database_ConnectionFactory */
     private $_databaseConnectionFactory;
 
+    /**
+     * @var ConsentHashService
+     */
+    private $_hashService;
 
-     /**
+    /**
       * @param EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory
       * @param EngineBlock_Database_ConnectionFactory $databaseConnectionFactory
       */
     public function __construct(
         EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory,
-        EngineBlock_Database_ConnectionFactory $databaseConnectionFactory
+        EngineBlock_Database_ConnectionFactory $databaseConnectionFactory,
+        ConsentHashService $hashService
     )
     {
         $this->_filterCommandFactory = $filterCommandFactory;
         $this->_databaseConnectionFactory = $databaseConnectionFactory;
+        $this->_hashService = $hashService;
     }
 
     /**
@@ -68,7 +74,8 @@ public function create(
             $response,
             $attributes,
             $this->_databaseConnectionFactory,
-            $amPriorToConsent
+            $amPriorToConsent,
+            $this->_hashService
         );
     }
 }

src/OpenConext/EngineBlock/Service/Consent/ConsentHashService.php

@@ -0,0 +1,147 @@
+<?php
+
+/**
+ * Copyright 2010 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlock\Service\Consent;
+
+use function array_filter;
+use function array_keys;
+use function array_values;
+use function count;
+use function implode;
+use function is_array;
+use function is_numeric;
+use function ksort;
+use function serialize;
+use function sha1;
+use function sort;
+use function strtolower;
+use function unserialize;
+
+final class ConsentHashService
+{
+    public function getUnstableAttributesHash(array $attributes,bool $mustStoreValues): string
+    {
+        $hashBase = null;
+        if ($mustStoreValues) {
+            ksort($attributes);
+            $hashBase = serialize($attributes);
+        } else {
+            $names = array_keys($attributes);
+            sort($names);
+            $hashBase = implode('|', $names);
+        }
+        return sha1($hashBase);
+    }
+
+    public function getStableAttributesHash(array $attributes, bool $mustStoreValues) : string
+    {
+        $lowerCasedAttributes = $this->caseNormalizeStringArray($attributes);
+        $hashBase = $mustStoreValues ? $this->createHashBaseWithValues($lowerCasedAttributes) : $this->createHashBaseWithoutValues($lowerCasedAttributes);
+
+        return sha1($hashBase);
+    }
+
+    private function createHashBaseWithValues(array $lowerCasedAttributes): string
+    {
+        return serialize($this->sortArray($lowerCasedAttributes));
+    }
+
+    private function createHashBaseWithoutValues(array $lowerCasedAttributes): string
+    {
+        $noEmptyAttributes = $this->removeEmptyAttributes($lowerCasedAttributes);
+        $sortedAttributes = $this->sortArray(array_keys($noEmptyAttributes));
+        return implode('|', $sortedAttributes);
+    }
+
+    /**
+     * Lowercases all array keys and values.
+     * Performs the lowercasing on a copy (which is returned), to avoid side-effects.
+     */
+    private function caseNormalizeStringArray(array $original): array
+    {
+        return unserialize(strtolower(serialize($original)));
+    }
+
+    /**
+     * Recursively sorts an array via the ksort function.  Performs the sort on a copy to avoid side-effects.
+     */
+    private function sortArray(array $sortMe): array
+    {
+        $copy = unserialize(serialize($sortMe));
+        $sortFunction = 'ksort';
+        $copy = $this->removeEmptyAttributes($copy);
+
+        if($this->isSequentialArray($copy)){
+            $sortFunction = 'sort';
+            $copy = $this->renumberIndices($copy);
+        }
+
+        $sortFunction($copy);
+        foreach ($copy as $key => $value) {
+            if (is_array($value)) {
+                $sortFunction($value);
+                $copy[$key] = $this->sortArray($value);
+            }
+        }
+
+        return $copy;
+    }
+
+    /**
+     * Determines whether an array is sequential, by checking to see if there's at no string keys in it.
+     */
+    private function isSequentialArray(array $array): bool
+    {
+        return count(array_filter(array_keys($array), 'is_string')) === 0;
+    }
+
+    /**
+     * Reindexes the values of the array so that any skipped numeric indexes are removed.
+     */
+    private function renumberIndices(array $array): array
+    {
+        return array_values($array);
+    }
+
+    /**
+     * Iterate over an array and unset any empty values.
+     */
+    private function removeEmptyAttributes(array $array): array
+    {
+        $copy = unserialize(serialize($array));
+
+        foreach ($copy as $key => $value) {
+            if ($this->is_blank($value)) {
+                unset($copy[$key]);
+            }
+        }
+
+        return $copy;
+    }
+
+    /**
+     * Checks if a value is empty, but allowing 0 as an integer, float and string.  This means the following are allowed:
+     * - 0
+     * - 0.0
+     * - "0"
+     * @param $value array|string|integer|float
+     */
+    private function is_blank($value): bool {
+        return empty($value) && !is_numeric($value);
+    }
+}

…t/EngineBlock/Service/ConsentService.php …Block/Service/Consent/ConsentService.phpsrc/OpenConext/EngineBlock/Service/ConsentService.php renamed to src/OpenConext/EngineBlock/Service/Consent/ConsentService.php src/OpenConext/EngineBlock/Service/ConsentService.php renamed to src/OpenConext/EngineBlock/Service/Consent/ConsentService.php

@@ -48,6 +48,7 @@ services:
         arguments:
             - "@engineblock.compat.corto_filter_command_factory"
             - "@engineblock.compat.database_connection_factory"
+            - "@engineblock.service.consent.ConsentHashService"
 
     engineblock.compat.saml2_id_generator:
         class: EngineBlock_Saml2_IdGenerator_Default

…lock/Service/ConsentServiceInterface.php …vice/Consent/ConsentServiceInterface.phpsrc/OpenConext/EngineBlock/Service/ConsentServiceInterface.php renamed to src/OpenConext/EngineBlock/Service/Consent/ConsentServiceInterface.php src/OpenConext/EngineBlock/Service/ConsentServiceInterface.php renamed to src/OpenConext/EngineBlock/Service/Consent/ConsentServiceInterface.php

@@ -345,3 +345,7 @@ services:
             - "@translator"
         tags:
              - { name: 'twig.extension' }
+
+    engineblock.service.consent.ConsentHashService:
+        class: OpenConext\EngineBlock\Service\Consent\ConsentHashService
+        public: false