fix(consent): polish follow-up fixes and test configuration

Author: kayjoosten

library/EngineBlock/Corto/Model/Consent.php

@@ -85,38 +85,39 @@ public function __construct(
         $this->_consentEnabled = $consentEnabled;
     }
 
-    public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): bool
+    public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): ConsentVersion
     {
         if (!$this->_consentEnabled) {
-            return true;
+            // Consent disabled: treat as already given (stable — no upgrade needed)
+            return ConsentVersion::stable();
         }
-        $consent = $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_EXPLICIT);
-        return $consent->given();
+        return $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_EXPLICIT);
     }
 
     /**
      * Although the user has given consent previously we want to upgrade the deprecated unstable consent
      * to the new stable consent type.
      * https://www.pivotaltracker.com/story/show/176513931
+     *
+     * The caller must pass the ConsentVersion already retrieved by explicitConsentWasGivenFor or
+     * implicitConsentWasGivenFor to avoid a second identical DB query.
      */
-    public function upgradeAttributeHashFor(ServiceProvider $serviceProvider, string $consentType): void
+    public function upgradeAttributeHashFor(ServiceProvider $serviceProvider, string $consentType, ConsentVersion $consentVersion): void
     {
         if (!$this->_consentEnabled) {
             return;
         }
-        $consentVersion = $this->_hasStoredConsent($serviceProvider, $consentType);
         if ($consentVersion->isUnstable()) {
             $this->_updateConsent($serviceProvider, $consentType);
         }
     }
 
-    public function implicitConsentWasGivenFor(ServiceProvider $serviceProvider): bool
+    public function implicitConsentWasGivenFor(ServiceProvider $serviceProvider): ConsentVersion
     {
         if (!$this->_consentEnabled) {
-            return true;
+            return ConsentVersion::stable();
         }
-        $consent = $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_IMPLICIT);
-        return $consent->given();
+        return $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_IMPLICIT);
     }
 
     public function giveExplicitConsentFor(ServiceProvider $serviceProvider): bool

library/EngineBlock/Corto/Module/Service/ProcessConsent.php

@@ -100,10 +100,11 @@ public function serve($serviceName, Request $httpRequest)
         $attributes = $response->getAssertion()->getAttributes();
         $consentRepository = $this->_consentFactory->create($this->_server, $response, $attributes);
 
-        if (!$consentRepository->explicitConsentWasGivenFor($serviceProvider)) {
+        $explicitConsent = $consentRepository->explicitConsentWasGivenFor($serviceProvider);
+        if (!$explicitConsent->given()) {
             $consentRepository->giveExplicitConsentFor($destinationMetadata);
         } else {
-            $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT);
+            $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT, $explicitConsent);
         }
 
         $response->setConsent(Constants::CONSENT_OBTAINED);

library/EngineBlock/Corto/Module/Service/ProvideConsent.php

@@ -147,10 +147,11 @@ public function serve($serviceName, Request $httpRequest)
 
 
         if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
-            if (!$consentRepository->implicitConsentWasGivenFor($serviceProviderMetadata)) {
+            $implicitConsent = $consentRepository->implicitConsentWasGivenFor($serviceProviderMetadata);
+            if (!$implicitConsent->given()) {
                 $consentRepository->giveImplicitConsentFor($serviceProviderMetadata);
             } else {
-                $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT);
+                $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT, $implicitConsent);
             }
 
             $response->setConsent(Constants::CONSENT_INAPPLICABLE);
@@ -168,8 +169,8 @@ public function serve($serviceName, Request $httpRequest)
         }
 
         $priorConsent = $consentRepository->explicitConsentWasGivenFor($serviceProviderMetadata);
-        if ($priorConsent) {
-            $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_EXPLICIT);
+        if ($priorConsent->given()) {
+            $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_EXPLICIT, $priorConsent);
 
             $response->setConsent(Constants::CONSENT_PRIOR);
 

…rineMigrations/Version20220503092351.php …rineMigrations/Version20260315000001.phpmigrations/DoctrineMigrations/Version20220503092351.php renamed to migrations/DoctrineMigrations/Version20260315000001.php migrations/DoctrineMigrations/Version20220503092351.php renamed to migrations/DoctrineMigrations/Version20260315000001.php

@@ -12,7 +12,7 @@
  * 1. Added the `attribute_stable` column, string(80), nullable
  * 2. Changed the `attribute` column, has been made nullable
  */
-final class Version20220503092351 extends AbstractMigration
+final class Version20260315000001 extends AbstractMigration
 {
     public function getDescription(): string
     {

src/OpenConext/EngineBlock/Authentication/Repository/ConsentRepository.php

@@ -58,5 +58,5 @@ public function storeConsentHash(ConsentStoreParameters $parameters): bool;
      */
     public function updateConsentHash(ConsentUpdateParameters $parameters): bool;
 
-    public function countTotalConsent($consentUid): int;
+    public function countTotalConsent(string $consentUid): int;
 }

src/OpenConext/EngineBlock/Service/Consent/ConsentHashService.php

@@ -23,7 +23,6 @@
 use OpenConext\EngineBlock\Authentication\Value\ConsentStoreParameters;
 use OpenConext\EngineBlock\Authentication\Value\ConsentUpdateParameters;
 use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
-use OpenConext\UserLifecycle\Domain\ValueObject\Client\Name;
 use SAML2\XML\saml\NameID;
 use function array_filter;
 use function array_keys;
@@ -33,11 +32,10 @@
 use function is_array;
 use function is_numeric;
 use function ksort;
+use function mb_strtolower;
 use function serialize;
 use function sha1;
 use function sort;
-use function str_replace;
-use function strtolower;
 use function unserialize;
 
 final class ConsentHashService implements ConsentHashServiceInterface
@@ -67,7 +65,7 @@ public function updateConsentHash(ConsentUpdateParameters $parameters): bool
         return $this->consentRepository->updateConsentHash($parameters);
     }
 
-    public function countTotalConsent($consentUid): int
+    public function countTotalConsent(string $consentUid): int
     {
         return $this->consentRepository->countTotalConsent($consentUid);
     }
@@ -114,14 +112,27 @@ private function createHashBaseWithoutValues(array $lowerCasedAttributes): strin
     }
 
     /**
-     * Lowercases all array keys and values.
+     * Lowercases all array keys and string values recursively using mb_strtolower
+     * to handle multi-byte UTF-8 characters (e.g. Ü→ü, Arabic, Chinese — common in SAML).
+     *
+     * The previous implementation used serialize/strtolower/unserialize which corrupted
+     * PHP's s:N: byte-length markers for multi-byte values, causing unserialize() to silently
+     * return false and producing wrong hashes for any user with a non-ASCII attribute value.
      */
     private function caseNormalizeStringArray(array $original): array
     {
-        $serialized = serialize($original);
-        $lowerCased = strtolower($serialized);
-        $unserialized = unserialize($lowerCased);
-        return $unserialized;
+        $result = [];
+        foreach ($original as $key => $value) {
+            $normalizedKey = is_string($key) ? mb_strtolower($key) : $key;
+            if (is_array($value)) {
+                $result[$normalizedKey] = $this->caseNormalizeStringArray($value);
+            } elseif (is_string($value)) {
+                $result[$normalizedKey] = mb_strtolower($value);
+            } else {
+                $result[$normalizedKey] = $value;
+            }
+        }
+        return $result;
     }
 
     /**

src/OpenConext/EngineBlock/Service/Consent/ConsentHashServiceInterface.php

@@ -34,7 +34,7 @@ public function storeConsentHash(ConsentStoreParameters $parameters): bool;
 
     public function updateConsentHash(ConsentUpdateParameters $parameters): bool;
 
-    public function countTotalConsent($consentUid): int;
+    public function countTotalConsent(string $consentUid): int;
 
     public function getUnstableAttributesHash(array $attributes, bool $mustStoreValues): string;
 

src/OpenConext/EngineBlockBundle/Authentication/Repository/DbalConsentRepository.php

@@ -228,7 +228,8 @@ public function storeConsentHash(ConsentStoreParameters $parameters): bool
     {
         $query = "INSERT INTO consent (hashed_user_id, service_id, attribute_stable, consent_type, consent_date, deleted_at)
                   VALUES (?, ?, ?, ?, NOW(), '0000-00-00 00:00:00')
-                  ON DUPLICATE KEY UPDATE attribute_stable=VALUES(attribute_stable), consent_type=VALUES(consent_type), consent_date=NOW()";
+                  ON DUPLICATE KEY UPDATE attribute_stable=VALUES(attribute_stable),
+                  consent_type=VALUES(consent_type), consent_date=NOW(), deleted_at='0000-00-00 00:00:00'";
 
         try {
             $this->connection->executeStatement($query, [
@@ -301,7 +302,7 @@ public function updateConsentHash(ConsentUpdateParameters $parameters): bool
     /**
      * @throws RuntimeException
      */
-    public function countTotalConsent($consentUid): int
+    public function countTotalConsent(string $consentUid): int
     {
         $query = "SELECT COUNT(*) FROM consent where hashed_user_id = ? AND deleted_at IS NULL";
         $parameters = [sha1($consentUid)];