feat: wire correlation ID through all four SAML flow legs

Each HTTP leg resolves the correlation ID at the top of its handler so
every log entry emitted during that leg carries the correct ID:

  Leg 1 SSO        — mint() + resolve() in SingleSignOn (WAYF path)
                     mint() + link() + resolve() in ProxyServer (direct path)
  Leg 2 ContinueToIdp — resolve() so debug log lines carry the ID;
                     ProxyServer also calls link() to associate the IdP
                     request ID with the SP request ID
  Leg 3 ACS        — resolve() via InResponseTo (IdP request ID)
  Leg 4 Consent    — resolve() via SP request ID in ProvideConsent and
                     ProcessConsent

DiContainer exposes getCorrelationIdRepository() as the bridge from
legacy Corto code to the Symfony service.

Includes a Behat feature covering the WAYF path, the direct (no-WAYF)
path, and concurrent flows; and a unit test for
AuthnRequestSessionRepository.

Author: kayjoosten

library/EngineBlock/Application/DiContainer.php

@@ -613,4 +613,12 @@ public function getNameIdSubstituteResolver()
     {
         return new EngineBlock_Arp_NameIdSubstituteResolver($this->container->get('engineblock.compat.logger'));
     }
+
+    /**
+     * @return \OpenConext\EngineBlock\Request\CorrelationIdRepository
+     */
+    public function getCorrelationIdRepository(): \OpenConext\EngineBlock\Request\CorrelationIdRepository
+    {
+        return $this->container->get(\OpenConext\EngineBlock\Request\CorrelationIdRepository::class);
+    }
 }

library/EngineBlock/Corto/Module/Service/AssertionConsumer.php

@@ -89,6 +89,9 @@ public function serve($serviceName, Request $httpRequest)
         $receivedRequest = $this->_server->getReceivedRequestFromResponse($receivedResponse);
 
         $application = EngineBlock_ApplicationSingleton::getInstance();
+
+        $correlationIdRepository = $application->getDiContainer()->getCorrelationIdRepository();
+        $correlationIdRepository->resolve($receivedResponse->getInResponseTo());
         $log = $application->getLogInstance();
 
         if(!$receivedRequest instanceof EngineBlock_Saml2_AuthnRequestAnnotationDecorator){

library/EngineBlock/Corto/Module/Service/ContinueToIdp.php

@@ -94,6 +94,15 @@ public function serve($serviceName, Request $httpRequest)
             );
         }
 
+        // Resolve here so log entries emitted during this leg (e.g. the debug
+        // block below) carry the correlation ID. ProxyServer::sendAuthenticationRequest
+        // will also call resolve() when it links the IdP request ID — that is
+        // idempotent and sets the same value.
+        $correlationIdRepository = EngineBlock_ApplicationSingleton::getInstance()
+            ->getDiContainer()
+            ->getCorrelationIdRepository();
+        $correlationIdRepository->resolve($id);
+
         // Flush log if SP or IdP has additional logging enabled
         if ($request->isDebugRequest()) {
             $sp = $this->getEngineSpRole($this->_server);

library/EngineBlock/Corto/Module/Service/ProcessConsent.php

@@ -85,6 +85,12 @@ public function serve($serviceName, Request $httpRequest)
         $response = $processStep->getResponse();
 
         $request = $this->_server->getReceivedRequestFromResponse($response);
+
+        $correlationIdRepository = EngineBlock_ApplicationSingleton::getInstance()
+            ->getDiContainer()
+            ->getCorrelationIdRepository();
+        $correlationIdRepository->resolve($request->getId());
+
         $serviceProvider = $this->_server->getRepository()->fetchServiceProviderByEntityId($request->getIssuer()->getValue());
 
         $destinationMetadata = EngineBlock_SamlHelper::getDestinationSpMetadata(

library/EngineBlock/Corto/Module/Service/ProvideConsent.php

@@ -100,6 +100,11 @@ public function serve($serviceName, Request $httpRequest)
 
         $receivedRequest = $this->_server->getReceivedRequestFromResponse($response);
 
+        $correlationIdRepository = EngineBlock_ApplicationSingleton::getInstance()
+            ->getDiContainer()
+            ->getCorrelationIdRepository();
+        $correlationIdRepository->resolve($receivedRequest->getId());
+
         // update previous response with current response
         $this->_processingStateHelper->updateStepResponseByRequestId(
             $receivedRequest->getId(),

library/EngineBlock/Corto/Module/Service/SingleSignOn.php

@@ -237,6 +237,10 @@ public function serve($serviceName, Request $httpRequest)
         $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($log);
         $authnRequestRepository->store($request);
 
+        $correlationIdRepository = $application->getDiContainer()->getCorrelationIdRepository();
+        $correlationIdRepository->mint($request->getId());
+        $correlationIdRepository->resolve($request->getId());
+
         // Show WAYF
         $log->info("Multiple candidate IdPs: redirecting to WAYF");
         $this->_showWayf($request, $candidateIDPs);

library/EngineBlock/Corto/ProxyServer.php

@@ -471,6 +471,12 @@ public function sendAuthenticationRequest(
         $authnRequestRepository->store($spRequest);
         $authnRequestRepository->link($ebRequest, $spRequest);
 
+        $correlationIdRepository = EngineBlock_ApplicationSingleton::getInstance()
+            ->getDiContainer()
+            ->getCorrelationIdRepository();
+        $correlationIdRepository->mint($spRequest->getId());
+        $correlationIdRepository->link($ebRequest->getId(), $spRequest->getId());
+        $correlationIdRepository->resolve($spRequest->getId());
 
         $this->getBindingsModule()->send($ebRequest, $identityProvider);
     }
@@ -556,6 +562,13 @@ public function sendStepupAuthenticationRequest(
         $authnRequestRepository->store($spRequest);
         $authnRequestRepository->link($ebRequest, $spRequest);
 
+        $correlationIdRepository = EngineBlock_ApplicationSingleton::getInstance()
+            ->getDiContainer()
+            ->getCorrelationIdRepository();
+        $correlationIdRepository->mint($spRequest->getId());
+        $correlationIdRepository->link($ebRequest->getId(), $spRequest->getId());
+        $correlationIdRepository->resolve($spRequest->getId());
+
         $this->getBindingsModule()->send($ebRequest, $identityProvider, true);
     }
 

library/EngineBlock/Saml2/AuthnRequestSessionRepository.php

@@ -91,6 +91,7 @@ public function store(
     ) {
         // Store the original Request
         $this->requestStorage[$spRequest->getId()] = $spRequest;
+
         return $this;
     }
 
@@ -105,6 +106,8 @@ public function link(
     ) {
         // Store the mapping from the new request ID to the original request ID
         $this->linkStorage[$fromRequest->getId()] = $toRequest->getId();
+
         return $this;
     }
+
 }

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/CorrelationId.feature

@@ -0,0 +1,67 @@
+Feature:
+  In order to trace a complete authentication flow across log entries
+  As a SURF operator
+  I need a single correlation_id to appear in every log record belonging to the same SAML flow
+
+  Background:
+    Given an EngineBlock instance on "dev.openconext.local"
+      And no registered SPs
+      And no registered Idps
+      And a Service Provider named "CorrId-SP"
+
+  # ── WAYF path ──────────────────────────────────────────────────────────────
+  # Two IdPs are registered, so the WAYF is shown after the initial SSO request.
+  # The correlation ID is minted in SingleSignOn.serve(), propagated to
+  # ContinueToIdp (user picks an IdP), then forwarded to the IdP request via
+  # link(), and finally picked up in AssertionConsumer and ProvideConsent/
+  # ProcessConsent.  A complete round-trip through all four HTTP legs must
+  # succeed without error.
+  Scenario: A user authenticating via the WAYF completes the full four-leg flow
+    Given an Identity Provider named "CorrId-IdP-A"
+      And an Identity Provider named "CorrId-IdP-B"
+    When I log in at "CorrId-SP"
+     And I select "CorrId-IdP-A" on the WAYF
+     And I pass through EngineBlock
+     And I pass through the IdP
+     And I give my consent
+     And I pass through EngineBlock
+    Then the url should match "functional-testing/CorrId-SP/acs"
+
+  # ── Direct path (no WAYF) ───────────────────────────────────────────────────
+  # When only one IdP is available the WAYF is skipped; the correlation ID is
+  # minted inside ProxyServer.sendAuthenticationRequest() and linked to the IdP
+  # request.  AssertionConsumer and consent legs must resolve it from the IdP
+  # request ID stored in InResponseTo.
+  Scenario: A user authenticating without the WAYF completes the full flow
+    Given an Identity Provider named "CorrId-IdP-Only"
+    When I log in at "CorrId-SP"
+     And I pass through EngineBlock
+     And I pass through the IdP
+     And I give my consent
+     And I pass through EngineBlock
+    Then the url should match "functional-testing/CorrId-SP/acs"
+
+  # ── Concurrent flows ────────────────────────────────────────────────────────
+  # Two simultaneous authentications in separate browser tabs share the same PHP
+  # session.  Each flow must mint its own correlation ID and the two IDs must
+  # not bleed into each other.  Both flows must complete successfully and land
+  # on the correct SP ACS URL.
+  # Requires the @functional tag to use the Chrome driver (browser tabs need JS).
+  @functional
+  Scenario: Two concurrent authentication flows each complete independently
+    Given an Identity Provider named "CorrId-IdP-A"
+      And an Identity Provider named "CorrId-IdP-B"
+    When I open 2 browser tabs identified by "Tab-A, Tab-B"
+      And I switch to "Tab-A"
+      And I log in at "CorrId-SP"
+      And I select "CorrId-IdP-A" on the WAYF
+      And I switch to "Tab-B"
+      And I log in at "CorrId-SP"
+      And I select "CorrId-IdP-B" on the WAYF
+      And I pass through the IdP
+      And I give my consent
+    Then the url should match "functional-testing/CorrId-SP/acs"
+      And I switch to "Tab-A"
+      And I pass through the IdP
+      And I give my consent
+    Then the url should match "functional-testing/CorrId-SP/acs"

tests/library/EngineBlock/Test/Saml2/AuthnRequestSessionRepositoryTest.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Copyright 2010 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+use Mockery as m;
+use Mockery\Adapter\Phpunit\MockeryPHPUnitIntegration;
+use PHPUnit\Framework\TestCase;
+use SAML2\AuthnRequest;
+
+class EngineBlock_Test_Saml2_AuthnRequestSessionRepositoryTest extends TestCase
+{
+    use MockeryPHPUnitIntegration;
+
+    protected function setUp(): void
+    {
+        $_SESSION = [];
+    }
+
+    protected function tearDown(): void
+    {
+        $_SESSION = [];
+    }
+
+    private function makeRequest(string $id): EngineBlock_Saml2_AuthnRequestAnnotationDecorator
+    {
+        $authnRequest = new AuthnRequest();
+        $authnRequest->setId($id);
+        return new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($authnRequest);
+    }
+
+    private function makeRepository(): EngineBlock_Saml2_AuthnRequestSessionRepository
+    {
+        $logger = m::mock(Psr\Log\LoggerInterface::class);
+        return new EngineBlock_Saml2_AuthnRequestSessionRepository($logger);
+    }
+
+    public function test_store_saves_request()
+    {
+        $repository = $this->makeRepository();
+        $request = $this->makeRequest('_sp-request-A');
+
+        $repository->store($request);
+
+        $storedRequest = $repository->findRequestById('_sp-request-A');
+        $this->assertSame($request, $storedRequest);
+    }
+
+    public function test_link_stores_request_mapping()
+    {
+        $repository = $this->makeRepository();
+        $spRequest = $this->makeRequest('_sp-request-A');
+        $idpRequest = $this->makeRequest('_idp-request-B');
+
+        $repository->store($spRequest);
+        $repository->link($idpRequest, $spRequest);
+
+        $linkedRequestId = $repository->findLinkedRequestId('_idp-request-B');
+        $this->assertSame('_sp-request-A', $linkedRequestId);
+    }
+}