feat(consent): implement consent hash versioning

Author: kayjoosten

config/services/controllers/api.yml

@@ -16,7 +16,7 @@ services:
             - '@security.token_storage'
             - '@security.access.decision_manager'
             - '@OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration'
-            - '@OpenConext\EngineBlock\Service\ConsentService'
+            - '@OpenConext\EngineBlock\Service\Consent\ConsentService'
 
     OpenConext\EngineBlockBundle\Controller\Api\DeprovisionController:
         arguments:

config/services/services.yml

@@ -78,8 +78,10 @@ services:
     engineblock.service.consent.ConsentHashService:
         class: OpenConext\EngineBlock\Service\Consent\ConsentHashService
         public: false
+        arguments:
+            - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
 
-    OpenConext\EngineBlock\Service\ConsentService:
+    OpenConext\EngineBlock\Service\Consent\ConsentService:
         arguments:
             - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
             - '@OpenConext\EngineBlock\Service\MetadataService'

database/DoctrineMigrations/Version20220503092351.php

@@ -165,7 +165,7 @@ public function getAuthenticationLoopGuard()
      */
     public function getConsentService()
     {
-        return $this->container->get(\OpenConext\EngineBlock\Service\ConsentService::class);
+        return $this->container->get(\OpenConext\EngineBlock\Service\Consent\ConsentService::class);
     }
 
     /**

library/EngineBlock/Application/DiContainer.php

@@ -16,6 +16,9 @@
  * limitations under the License.
  */
 
+use OpenConext\EngineBlock\Authentication\Value\ConsentHashQuery;
+use OpenConext\EngineBlock\Authentication\Value\ConsentStoreParameters;
+use OpenConext\EngineBlock\Authentication\Value\ConsentUpdateParameters;
 use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Authentication\Value\ConsentType;
@@ -98,6 +101,9 @@ public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): bo
      */
     public function upgradeAttributeHashFor(ServiceProvider $serviceProvider, string $consentType): void
     {
+        if (!$this->_consentEnabled) {
+            return;
+        }
         $consentVersion = $this->_hasStoredConsent($serviceProvider, $consentType);
         if ($consentVersion->isUnstable()) {
             $this->_updateConsent($serviceProvider, $consentType);
@@ -157,39 +163,48 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType):
             return false;
         }
 
-        $parameters = array(
-            sha1($consentUuid),
-            $serviceProvider->entityId,
-            $this->_getStableAttributesHash($this->_responseAttributes),
-            $consentType,
+        $parameters = new ConsentStoreParameters(
+            hashedUserId: sha1($consentUuid),
+            serviceId: $serviceProvider->entityId,
+            attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
+            consentType: $consentType,
         );
 
         return $this->_hashService->storeConsentHash($parameters);
     }
 
     private function _updateConsent(ServiceProvider $serviceProvider, $consentType): bool
     {
-        $parameters = array(
-            $this->_getStableAttributesHash($this->_responseAttributes),
-            $this->_getAttributesHash($this->_responseAttributes),
-            sha1($this->_getConsentUid()),
-            $serviceProvider->entityId,
-            $consentType,
+        $consentUid = $this->_getConsentUid();
+        if (!is_string($consentUid)) {
+            return false;
+        }
+
+        $parameters = new ConsentUpdateParameters(
+            attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
+            attributeHash: $this->_getAttributesHash($this->_responseAttributes),
+            hashedUserId: sha1($consentUid),
+            serviceId: $serviceProvider->entityId,
+            consentType: $consentType,
         );
 
         return $this->_hashService->updateConsentHash($parameters);
     }
 
     private function _hasStoredConsent(ServiceProvider $serviceProvider, $consentType): ConsentVersion
     {
-        $consentUuid = sha1($this->_getConsentUid());
-        $parameters = [
-            $consentUuid,
-            $serviceProvider->entityId,
-            $this->_getAttributesHash($this->_responseAttributes),
-            $this->_getStableAttributesHash($this->_responseAttributes),
-            $consentType,
-        ];
-        return $this->_hashService->retrieveConsentHash($parameters);
+        $consentUid = $this->_getConsentUid();
+        if (!is_string($consentUid)) {
+            return ConsentVersion::notGiven();
+        }
+
+        $query = new ConsentHashQuery(
+            hashedUserId: sha1($consentUid),
+            serviceId: $serviceProvider->entityId,
+            attributeHash: $this->_getAttributesHash($this->_responseAttributes),
+            attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
+            consentType: $consentType,
+        );
+        return $this->_hashService->retrieveConsentHash($query);
     }
 }

library/EngineBlock/Corto/Model/Consent.php

@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-use OpenConext\EngineBlock\Service\Consent\ConsentHashService;
+use OpenConext\EngineBlock\Service\Consent\ConsentHashServiceInterface;
 
 /**
  * @todo write a test
@@ -27,7 +27,7 @@ class EngineBlock_Corto_Model_Consent_Factory
     private $_filterCommandFactory;
 
     /**
-     * @var ConsentHashService
+     * @var ConsentHashServiceInterface
      */
     private $_hashService;
 
@@ -36,7 +36,7 @@ class EngineBlock_Corto_Model_Consent_Factory
       */
     public function __construct(
         EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory,
-        ConsentHashService $hashService
+        ConsentHashServiceInterface $hashService
     ) {
         $this->_filterCommandFactory = $filterCommandFactory;
         $this->_hashService = $hashService;

library/EngineBlock/Corto/Model/Consent/Factory.php

@@ -102,8 +102,9 @@ public function serve($serviceName, Request $httpRequest)
 
         if (!$consentRepository->explicitConsentWasGivenFor($serviceProvider)) {
             $consentRepository->giveExplicitConsentFor($destinationMetadata);
+        } else {
+            $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT);
         }
-        $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT);
 
         $response->setConsent(Constants::CONSENT_OBTAINED);
         $response->setDestination($response->getReturn());

library/EngineBlock/Corto/Module/Service/ProcessConsent.php

@@ -149,8 +149,9 @@ public function serve($serviceName, Request $httpRequest)
         if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
             if (!$consentRepository->implicitConsentWasGivenFor($serviceProviderMetadata)) {
                 $consentRepository->giveImplicitConsentFor($serviceProviderMetadata);
+            } else {
+                $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT);
             }
-            $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT);
 
             $response->setConsent(Constants::CONSENT_INAPPLICABLE);
             $response->setDestination($response->getReturn());

library/EngineBlock/Corto/Module/Service/ProvideConsent.php

@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OpenConext\EngineBlock\Doctrine\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Change to the consent schema
+ * 1. Added the `attribute_stable` column, string(80), nullable
+ * 2. Changed the `attribute` column, has been made nullable
+ */
+final class Version20220503092351 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add attribute_stable column to consent table and make attribute nullable';
+    }
+
+    public function preUp(Schema $schema): void
+    {
+        $tables = $this->connection->createSchemaManager()->listTableNames();
+        $tableExists = in_array('consent', $tables, true);
+
+        if (!$tableExists) {
+            $this->skipIf(true, 'Table consent does not exist yet (fresh install, baseline will create it). Skipping.');
+            return;
+        }
+
+        $columnExists = (bool) $this->connection->fetchOne(
+            "SELECT COUNT(*) FROM information_schema.COLUMNS
+             WHERE TABLE_SCHEMA = DATABASE()
+               AND TABLE_NAME = 'consent'
+               AND COLUMN_NAME = 'attribute_stable'"
+        );
+        $this->skipIf(
+            $columnExists,
+            'Column attribute_stable already exists (fresh install via baseline). Skipping.'
+        );
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE consent ADD attribute_stable VARCHAR(80) DEFAULT NULL, CHANGE attribute attribute VARCHAR(80) DEFAULT NULL');
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE consent DROP attribute_stable, CHANGE attribute attribute VARCHAR(80) CHARACTER SET utf8 NOT NULL COLLATE `utf8_unicode_ci`');
+    }
+}

migrations/DoctrineMigrations/Version20220503092351.php

@@ -53,7 +53,8 @@ public function up(Schema $schema): void
             `consent_date` datetime NOT NULL,
             `hashed_user_id` varchar(80) NOT NULL,
             `service_id` varchar(255) NOT NULL,
-            `attribute` varchar(80) NOT NULL,
+            `attribute` varchar(80) DEFAULT NULL,
+            `attribute_stable` varchar(80) DEFAULT NULL,
             `consent_type` varchar(20) DEFAULT \'explicit\',
             `deleted_at` datetime NOT NULL DEFAULT \'0000-00-00 00:00:00\',
             PRIMARY KEY (`hashed_user_id`,`service_id`,`deleted_at`),