WIP - ???Actually check logs???

johanib · johanib · commit baad08de3208 · 2026-04-23T16:22:31.000+02:00
diff --git a/config/packages/ci/monolog.yaml b/config/packages/ci/monolog.yaml
@@ -3,3 +3,8 @@ monolog:
         test_log_handler:
             type: service
             id: OpenConext\EngineBlockFunctionalTestingBundle\Log\TestLogHandler
+        test_log_file:
+            type: stream
+            path: '/tmp/eb-fixtures/log-records.ndjson'
+            level: debug
+            formatter: monolog.formatter.json
diff --git a/config/services_ci.yaml b/config/services_ci.yaml
@@ -68,6 +68,11 @@ services:
     OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\MinkContext:
         tags: ['fob.context']
 
+    OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\LoggingContext:
+        arguments:
+            $logFile: '/tmp/eb-fixtures/log-records.ndjson'
+        tags: ['fob.context']
+
     OpenConext\EngineBlockFunctionalTestingBundle\Fixtures\SbsClientStateManager:
         arguments:
             - "@engineblock.functional_testing.data_store.sbs_client_state_mananger"
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/LoggingContext.php b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/LoggingContext.php
@@ -19,12 +19,12 @@
 namespace OpenConext\EngineBlockFunctionalTestingBundle\Features\Context;
 
 use Behat\Behat\Context\Context;
-use OpenConext\EngineBlockFunctionalTestingBundle\Log\TestLogHandler;
-use PHPUnit\Framework\Assert;
+use Behat\Gherkin\Node\TableNode;
+use RuntimeException;
 
 class LoggingContext implements Context
 {
-    public function __construct(private readonly TestLogHandler $logHandler)
+    public function __construct(private readonly string $logFile)
     {
     }
 
@@ -33,41 +33,115 @@ public function __construct(private readonly TestLogHandler $logHandler)
      */
     public function resetLogHandler(): void
     {
-        $this->logHandler->reset();
+        file_put_contents($this->logFile, '');
     }
 
     /**
-     * @Then each log record should contain a :field field
+     * @Then the following log messages should have a correlation_id:
      */
-    public function eachLogRecordShouldContainField(string $field): void
+    public function theFollowingLogMessagesShouldHaveACorrelationId(TableNode $table): void
     {
-        $records = $this->logHandler->getRecords();
-
-        Assert::assertNotEmpty($records, 'No log records were captured during this scenario.');
-
-        foreach ($records as $index => $record) {
-            Assert::assertArrayHasKey(
-                $field,
-                $record->extra,
-                sprintf(
-                    'Log record #%d (channel=%s, message="%s") is missing extra field "%s".',
-                    $index,
-                    $record->channel,
-                    $record->message,
-                    $field,
-                ),
+        $records = $this->readRecords();
+        $allCorrelationIds = [];
+
+        foreach ($table->getColumnsHash() as $row) {
+            $pattern = $row['message'];
+            $isRegex = preg_match('/^\/.*\/$/', $pattern) === 1;
+
+            $matched = array_filter(
+                $records,
+                static fn(array $r) => $isRegex
+                    ? preg_match($pattern, $r['message'] ?? '') === 1
+                    : ($r['message'] ?? '') === $pattern,
             );
 
-            Assert::assertNotNull(
-                $record->extra[$field],
-                sprintf(
-                    'Log record #%d (channel=%s, message="%s") has a null value for extra field "%s".',
-                    $index,
-                    $record->channel,
-                    $record->message,
-                    $field,
-                ),
+            if (empty($matched)) {
+                throw new RuntimeException(sprintf(
+                    'No log record matched message %s "%s".',
+                    $isRegex ? 'pattern' : 'string',
+                    $pattern,
+                ));
+            }
+
+            foreach ($matched as $record) {
+                $correlationId = $record['extra']['correlation_id'] ?? null;
+
+                if ($correlationId === null) {
+                    throw new RuntimeException(sprintf(
+                        'Log record matching "%s" (channel=%s) has a null correlation_id.',
+                        $pattern,
+                        $record['channel'] ?? '?',
+                    ));
+                }
+
+                $allCorrelationIds[] = $correlationId;
+            }
+        }
+
+        $distinct = array_unique($allCorrelationIds);
+
+        if (count($distinct) > 1) {
+            throw new RuntimeException(sprintf(
+                'Expected a single correlation_id across all matched log records, but found %d distinct values: %s.',
+                count($distinct),
+                implode(', ', $distinct),
+            ));
+        }
+    }
+
+    /**
+     * @Then I dump the log records
+     */
+    public function iDumpTheLogRecords(): void
+    {
+        $records = $this->readRecords();
+        $rows = [];
+        foreach ($records as $record) {
+            $message = $record['message'] ?? '';
+            if (mb_strlen($message) > 100) {
+                $message = mb_substr($message, 0, 97) . '...';
+            }
+            $rows[] = sprintf(
+                '| %-12s | %-9s | %-100s | %s |',
+                $record['channel'] ?? '',
+                $record['level_name'] ?? '',
+                str_replace('|', '\\|', $message),
+                $record['extra']['correlation_id'] ?? 'null',
             );
         }
+        echo "\n" . implode("\n", $rows) . "\n";
+    }
+
+    /**
+     * Reads all records from the log file, decodes each JSON line, and returns only
+     * records not belonging to the event channel (Symfony kernel internals).
+     *
+     * @return array<int, array<string, mixed>>
+     */
+    private function readRecords(): array
+    {
+        $lines = file($this->logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+
+        if ($lines === false) {
+            return [];
+        }
+
+        $records = [];
+
+        foreach ($lines as $index => $line) {
+            $record = json_decode($line, true);
+
+            if (!is_array($record)) {
+                throw new RuntimeException(sprintf('Log record #%d could not be decoded as JSON.', $index));
+            }
+
+            if (($record['channel'] ?? '') === 'event') {
+                continue;
+            }
+
+            $records[] = $record;
+        }
+
+        return $records;
     }
 }
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/CorrelationId.feature b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/CorrelationId.feature
@@ -5,63 +5,118 @@ Feature:
 
   Background:
     Given an EngineBlock instance on "dev.openconext.local"
-      And no registered SPs
-      And no registered Idps
-      And a Service Provider named "CorrId-SP"
+    And no registered SPs
+    And no registered Idps
+    And a Service Provider named "CorrId-SP"
 
-  # ── WAYF path ──────────────────────────────────────────────────────────────
-  # Two IdPs are registered, so the WAYF is shown after the initial SSO request.
-  # The correlation ID is minted in SingleSignOn.serve(), propagated to
-  # ContinueToIdp (user picks an IdP), then forwarded to the IdP request via
-  # link(), and finally picked up in AssertionConsumer and ProvideConsent/
-  # ProcessConsent.  A complete round-trip through all four HTTP legs must
-  # succeed without error.
   Scenario: A user authenticating via the WAYF completes the full four-leg flow
     Given an Identity Provider named "CorrId-IdP-A"
-      And an Identity Provider named "CorrId-IdP-B"
+    And an Identity Provider named "CorrId-IdP-B"
     When I log in at "CorrId-SP"
-     And I select "CorrId-IdP-A" on the WAYF
-     And I pass through EngineBlock
-     And I pass through the IdP
-     And I give my consent
-     And I pass through EngineBlock
+    And I select "CorrId-IdP-A" on the WAYF
+    And I pass through EngineBlock
+    And I pass through the IdP
+    And I give my consent
+    And I pass through EngineBlock
     Then the url should match "functional-testing/CorrId-SP/acs"
+    #And I dump the log records
+    And the following log messages should have a correlation_id:
+      | message                                                                                                   |
+      | Multiple candidate IdPs: redirecting to WAYF                                                              |
+      | Done calling service 'singleSignOnService'                                                                |
+      | Done calling service 'continueToIdp'                                                                      |
+      | /Received Assertion from Issuer .*/                                                                       |
+      | /SP is not configured for MFA for IdP, or for transparant AuthnContext, skipping validation .*/           |
+      | Verifying if schacHomeOrganization is allowed by configured IdP shibmd:scopes                             |
+      | No shibmd:scope found in the IdP metadata, not verifying schacHomeOrganization                            |
+      | Verifying if eduPersonPrincipalName is allowed by configured IdP shibmd:scopes                            |
+      | No shibmd:scope found in the IdP metadata, not verifying eduPersonPrincipalName                           |
+      | Verifying if subject-id is allowed by configured IdP shibmd:scopes                                        |
+      | No shibmd:scope found in the IdP metadata, not verifying subject-id                                       |
+      | /No Attribute Aggregation for .*/                                                                         |
+      | /No SBS interrupt for serviceProvider.*/                                                                  |
+      | StepupDecision: determine highest LoA                                                                     |
+      | StepupDecision: no level set, no Stepup required                                                          |
+      | Handle Consent authentication callout                                                                     |
+      | Using internal binding for destination /authentication/idp/provide-consent                                |
+      | Calling service 'provideConsentService'                                                                   |
+      | Done calling service 'provideConsentService'                                                              |
+      | Done calling service 'assertionConsumerService'                                                           |
+      | /Using internal binding for destination https:\/\/engine.dev.openconext.local\/authenticati.*/            |
+      | Calling service 'processedAssertionConsumerService'                                                       |
+      | /No ARP available for https:\/\/engine.dev.openconext.local\/functional-testing\/CorrId-SP\/metadata. .*/ |
+      | Executing the ApplyTrustedProxyBehavior output filter                                                     |
+      | Executing the AddIdentityAttributes output filter                                                         |
+      | Resolving a persistent nameId                                                                             |
+      | Setting the NameId on the Assertion                                                                       |
+      | Adding the EduPersonTargetedId on the Assertion                                                           |
+      | /Attribute Denormalization: Adding alias 'urn:oid:0.9.2342.19200300.100.1.1' .*/                          |
+      | /Attribute Denormalization: Adding alias 'urn:oid:1.3.6.1.4.1.25178.1.2.9' for .*/                        |
+      | /Attribute Denormalization: Adding alias 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' for .*/                      |
+      | HTTP-Post: Sending Message                                                                                |
+      | Done calling service 'processedAssertionConsumerService'                                                  |
+      | Done calling service 'processConsentService'                                                              |
 
-  # ── Direct path (no WAYF) ───────────────────────────────────────────────────
-  # When only one IdP is available the WAYF is skipped; the correlation ID is
-  # minted inside ProxyServer.sendAuthenticationRequest() and linked to the IdP
-  # request.  AssertionConsumer and consent legs must resolve it from the IdP
-  # request ID stored in InResponseTo.
   Scenario: A user authenticating without the WAYF completes the full flow
     Given an Identity Provider named "CorrId-IdP-Only"
     When I log in at "CorrId-SP"
-     And I pass through EngineBlock
-     And I pass through the IdP
-     And I give my consent
-     And I pass through EngineBlock
+    And I pass through EngineBlock
+    And I pass through the IdP
+    And I give my consent
+    And I pass through EngineBlock
     Then the url should match "functional-testing/CorrId-SP/acs"
+    And I dump the log records
+    And the following log messages should have a correlation_id:
+      | message                                                                                              |
+      | HTTP-Post: Sending Message                                                                           |
+      | Done calling service 'singleSignOnService'                                                           |
+      | /SP is not configured for MFA for IdP, or for transparant AuthnContext, skipping validation of .*/   |
+      | Verifying if schacHomeOrganization is allowed by configured IdP shibmd:scopes                        |
+      | No shibmd:scope found in the IdP metadata, not verifying schacHomeOrganization                       |
+      | Verifying if eduPersonPrincipalName is allowed by configured IdP shibmd:scopes                       |
+      | No shibmd:scope found in the IdP metadata, not verifying eduPersonPrincipalName                      |
+      | Verifying if subject-id is allowed by configured IdP shibmd:scopes                                   |
+      | No shibmd:scope found in the IdP metadata, not verifying subject-id                                  |
+      | /No Attribute Aggregation for https:\/\/engine.dev.openconext.local\/functional-testing\/CorrId-S.*/ |
+      | /No SBS interrupt for serviceProvider: https:\/\/engine.dev.openconext.local\/functional-testin.*/   |
+      | StepupDecision: determine highest LoA                                                                |
+      | StepupDecision: no level set, no Stepup required                                                     |
+      | Handle Consent authentication callout                                                                |
+      | Using internal binding for destination /authentication/idp/provide-consent                           |
+      | Calling service 'provideConsentService'                                                              |
+      | Done calling service 'provideConsentService'                                                         |
+      | Done calling service 'assertionConsumerService'                                                      |
+      | /Using internal binding for destination.*/                                                           |
+      | Calling service 'processedAssertionConsumerService'                                                  |
+      | /No ARP available for https:\/\/engine.dev.openconext.local\/functional-testing\/CorrId-SP\/metadata. */  |
+      | Executing the ApplyTrustedProxyBehavior output filter                                                |
+      | Executing the AddIdentityAttributes output filter                                                    |
+      | Resolving a persistent nameId                                                                        |
+      | Setting the NameId on the Assertion                                                                  |
+      | Adding the EduPersonTargetedId on the Assertion                                                      |
+      | /Attribute Denormalization: Adding alias 'urn:oid:0.9.2342.19200300.100.1.1'*/                       |
+      | /Attribute Denormalization: Adding alias 'urn:oid:1.3.6.1.4.1.25178.1.2.9' f*/                       |
+      | /Attribute Denormalization: Adding alias 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10' */                      |
+      | login granted                                                                                        |
+      | HTTP-Post: Sending Message                                                                           |
+      | Done calling service 'processedAssertionConsumerService'                                             |
+      | Done calling service 'processConsentService'                                                         |
 
-  # ── Concurrent flows ────────────────────────────────────────────────────────
-  # Two simultaneous authentications in separate browser tabs share the same PHP
-  # session.  Each flow must mint its own correlation ID and the two IDs must
-  # not bleed into each other.  Both flows must complete successfully and land
-  # on the correct SP ACS URL.
-  # Requires the @functional tag to use the Chrome driver (browser tabs need JS).
   @functional
   Scenario: Two concurrent authentication flows each complete independently
     Given an Identity Provider named "CorrId-IdP-A"
-      And an Identity Provider named "CorrId-IdP-B"
+    And an Identity Provider named "CorrId-IdP-B"
     When I open 2 browser tabs identified by "Tab-A, Tab-B"
-      And I switch to "Tab-A"
-      And I log in at "CorrId-SP"
-      And I select "CorrId-IdP-A" on the WAYF
-      And I switch to "Tab-B"
-      And I log in at "CorrId-SP"
-      And I select "CorrId-IdP-B" on the WAYF
-      And I pass through the IdP
-      And I give my consent
+    And I switch to "Tab-A"
+    And I log in at "CorrId-SP"
+    And I select "CorrId-IdP-A" on the WAYF
+    And I switch to "Tab-B"
+    And I log in at "CorrId-SP"
+    And I select "CorrId-IdP-B" on the WAYF
+    And I pass through the IdP
+    And I give my consent
     Then the url should match "functional-testing/CorrId-SP/acs"
-      And I switch to "Tab-A"
-      And I pass through the IdP
-      And I give my consent
+    And I switch to "Tab-A"
+    And I pass through the IdP
+    And I give my consent
     Then the url should match "functional-testing/CorrId-SP/acs"
diff --git a/tests/behat.yml b/tests/behat.yml
@@ -44,7 +44,7 @@ default:
                 - OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\TranslationContext:
                     mockTranslator: '@engineblock.functional_testing.mock.translator'
                 - OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\LoggingContext:
-                    logHandler: '@OpenConext\EngineBlockFunctionalTestingBundle\Log\TestLogHandler'
+                    logFile: '/tmp/eb-fixtures/log-records.ndjson'
                 - OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\MinkContext:
         functional:
             mink_session: chrome
diff --git a/tests/library/EngineBlock/Test/Saml2/AuthnRequestSessionRepositoryTest.php b/tests/library/EngineBlock/Test/Saml2/AuthnRequestSessionRepositoryTest.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright 2010 SURFnet B.V.
+ * Copyright 2026 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/tests/unit/OpenConext/EngineBlock/Logger/Processor/CorrelationIdProcessorTest.php b/tests/unit/OpenConext/EngineBlock/Logger/Processor/CorrelationIdProcessorTest.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright 2010 SURFnet B.V.
+ * Copyright 2026 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/tests/unit/OpenConext/EngineBlock/Request/CorrelationIdFlowTest.php b/tests/unit/OpenConext/EngineBlock/Request/CorrelationIdFlowTest.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright 2010 SURFnet B.V.
+ * Copyright 2026 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/tests/unit/OpenConext/EngineBlock/Request/CorrelationIdRepositoryTest.php b/tests/unit/OpenConext/EngineBlock/Request/CorrelationIdRepositoryTest.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright 2010 SURFnet B.V.
+ * Copyright 2026 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
diff --git a/tests/unit/OpenConext/EngineBlock/Request/CorrelationIdServiceTest.php b/tests/unit/OpenConext/EngineBlock/Request/CorrelationIdServiceTest.php

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`<?php`
`2`	`2`
`3`	`3`	`/**`
`4`		`- * Copyright 2010 SURFnet B.V.`
	`4`	`+ * Copyright 2026 SURFnet B.V.`
`5`	`5`	`*`
`6`	`6`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`7`	`7`	`* you may not use this file except in compliance with the License.`