Add configurable sso registration bypass

#539

Author: Bas

config/packages/doctrine.yaml

@@ -103,6 +103,9 @@ doctrine:
             stepup_sso_on_2fa_option:
                 class: Surfnet\StepupMiddleware\ApiBundle\Doctrine\Type\SsoOn2faOptionType
                 commented: false
+            stepup_sso_registration_bypass_option:
+                class: Surfnet\StepupMiddleware\ApiBundle\Doctrine\Type\SsoOn2faOptionType
+                commented: false
             stepup_institution_role:
                 class: Surfnet\StepupMiddleware\ApiBundle\Doctrine\Type\InstitutionRoleType
                 commented: false

config/packages/monolog.yaml

@@ -24,7 +24,7 @@ when@dev: &override
       main_syslog:
         type: stream
         path: php://stderr
-        level: error
+        level: debug
         channels: ["!event", "!doctrine", "!deprecation", "!console"]
       console:
         type: console

src/Surfnet/Migrations/Version20250501121457.php

@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * Copyright 2025 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace Surfnet\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+use Surfnet\Stepup\MigrationsFactory\ConfigurationAwareMigrationInterface;
+use Surfnet\Stepup\MigrationsFactory\ConfigurationAwareMigrationTrait;
+
+final class Version20250501121457 extends AbstractMigration implements ConfigurationAwareMigrationInterface
+{
+    use ConfigurationAwareMigrationTrait;
+
+    public function up(Schema $schema): void
+    {
+        $this->abortIf(
+            $this->connection->getDatabasePlatform()->getName() !== 'mysql',
+            'Migration can only be executed safely on \'mysql\'.',
+        );
+        // Create the new sso_on_2fa option, note the name conversion 'error' made by doctrine.
+        $this->addSql('ALTER TABLE institution_configuration_options ADD sso_registration_bypass_option INT DEFAULT \'0\' NOT NULL');
+        // Create the institution_configuration gateway schema
+        $gatewaySchema = $this->getGatewaySchema();
+        $this->addSql(
+            sprintf(
+                'ALTER TABLE  %s.institution_configuration ADD sso_registration_bypass_option TINYINT(1) NOT NULL DEFAULT \'0\' NOT NULL',
+                $gatewaySchema,
+            ),
+        );
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->abortIf(
+            $this->connection->getDatabasePlatform()->getName() !== 'mysql',
+            'Migration can only be executed safely on \'mysql\'.',
+        );
+        // Down the Middleware schema change
+        $this->addSql('ALTER TABLE institution_configuration_options DROP sso_registration_bypass_option');
+        // Gateway schema change (remove the institution_configuration)
+        $gatewaySchema = $this->getGatewaySchema();
+        $this->addSql(sprintf('ALTER TABLE  %s.institution_configuration DROP sso_registration_bypass_option', $gatewaySchema));
+    }
+}

src/Surfnet/Stepup/Configuration/Event/NewInstitutionConfigurationCreatedEvent.php

@@ -26,6 +26,7 @@
 use Surfnet\Stepup\Configuration\Value\SelfVetOption;
 use Surfnet\Stepup\Configuration\Value\ShowRaaContactInformationOption;
 use Surfnet\Stepup\Configuration\Value\SsoOn2faOption;
+use Surfnet\Stepup\Configuration\Value\SsoRegistrationBypassOption;
 use Surfnet\Stepup\Configuration\Value\UseRaLocationsOption;
 use Surfnet\Stepup\Configuration\Value\VerifyEmailOption;
 
@@ -43,6 +44,7 @@ public function __construct(
         public VerifyEmailOption $verifyEmailOption,
         public NumberOfTokensPerIdentityOption $numberOfTokensPerIdentityOption,
         public SsoOn2faOption $ssoOn2faOption,
+        public SsoRegistrationBypassOption $ssoRegistrationBypassOption,
         public SelfVetOption $selfVetOption,
         public SelfAssertedTokensOption $selfAssertedTokensOption
     ) {
@@ -60,6 +62,10 @@ public static function deserialize(array $data): self
         if (!isset($data['sso_on_2fa_option'])) {
             $data['sso_on_2fa_option'] = false;
         }
+        // If sso registration bypass option is not yet present, default to false
+        if (!isset($data['sso_registration_bypass_option'])) {
+            $data['sso_registration_bypass_option'] = false;
+        }
         // If self vet option is not yet present, default to false
         if (!isset($data['self_vet_option'])) {
             $data['self_vet_option'] = false;
@@ -76,6 +82,7 @@ public static function deserialize(array $data): self
             new VerifyEmailOption($data['verify_email_option']),
             new NumberOfTokensPerIdentityOption($data['number_of_tokens_per_identity_option']),
             new SsoOn2faOption($data['sso_on_2fa_option']),
+            new SsoRegistrationBypassOption($data['sso_registration_bypass_option']),
             new SelfVetOption($data['self_vet_option']),
             new SelfAssertedTokensOption($data['self_asserted_tokens_option']),
         );
@@ -91,6 +98,7 @@ public function serialize(): array
             'verify_email_option' => $this->verifyEmailOption->isEnabled(),
             'number_of_tokens_per_identity_option' => $this->numberOfTokensPerIdentityOption->getNumberOfTokensPerIdentity(),
             'sso_on_2fa_option' => $this->ssoOn2faOption->isEnabled(),
+            'sso_registration_bypass_option' => $this->ssoRegistrationBypassOption->isEnabled(),
             'self_vet_option' => $this->selfVetOption->isEnabled(),
             'self_asserted_tokens_option' => $this->selfAssertedTokensOption->isEnabled(),
         ];

src/Surfnet/Stepup/Configuration/Event/SsoRegistrationBypassOptionChangedEvent.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Copyright 2025 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\Stepup\Configuration\Event;
+
+use Broadway\Serializer\Serializable as SerializableInterface;
+use Surfnet\Stepup\Configuration\Value\Institution;
+use Surfnet\Stepup\Configuration\Value\InstitutionConfigurationId;
+use Surfnet\Stepup\Configuration\Value\SsoRegistrationBypassOption;
+
+final class SsoRegistrationBypassOptionChangedEvent implements SerializableInterface
+{
+    public function __construct(
+        public InstitutionConfigurationId $institutionConfigurationId,
+        public Institution $institution,
+        public SsoRegistrationBypassOption $ssoRegistrationBypassOption,
+    ) {
+    }
+
+    public static function deserialize(array $data): self
+    {
+        return new self(
+            new InstitutionConfigurationId($data['institution_configuration_id']),
+            new Institution($data['institution']),
+            new SsoRegistrationBypassOption($data['sso_registration_bypass_option']),
+        );
+    }
+
+    public function serialize(): array
+    {
+        return [
+            'institution_configuration_id' => $this->institutionConfigurationId->getInstitutionConfigurationId(),
+            'institution' => $this->institution->getInstitution(),
+            'sso_registration_bypass_option' => $this->ssoRegistrationBypassOption->isEnabled(),
+        ];
+    }
+}

src/Surfnet/Stepup/Configuration/InstitutionConfiguration.php

@@ -35,6 +35,7 @@
 use Surfnet\Stepup\Configuration\Event\SelfVetOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\ShowRaaContactInformationOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\SsoOn2faOptionChangedEvent;
+use Surfnet\Stepup\Configuration\Event\SsoRegistrationBypassOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\UseRaaOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\UseRaLocationsOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\UseRaOptionChangedEvent;
@@ -54,6 +55,7 @@
 use Surfnet\Stepup\Configuration\Value\SelfVetOption;
 use Surfnet\Stepup\Configuration\Value\ShowRaaContactInformationOption;
 use Surfnet\Stepup\Configuration\Value\SsoOn2faOption;
+use Surfnet\Stepup\Configuration\Value\SsoRegistrationBypassOption;
 use Surfnet\Stepup\Configuration\Value\UseRaLocationsOption;
 use Surfnet\Stepup\Configuration\Value\VerifyEmailOption;
 use Surfnet\Stepup\Exception\DomainException;
@@ -93,6 +95,8 @@ class InstitutionConfiguration extends EventSourcedAggregateRoot implements Inst
 
     private ?SsoOn2faOption $ssoOn2faOption = null;
 
+    private ?SsoRegistrationBypassOption $ssoRegistrationBypassOption = null;
+
     private ?SelfAssertedTokensOption $selfAssertedTokensOption = null;
 
     private ?InstitutionAuthorizationOption $useRaOption = null;
@@ -119,6 +123,7 @@ public static function create(
                 VerifyEmailOption::getDefault(),
                 NumberOfTokensPerIdentityOption::getDefault(),
                 SsoOn2faOption::getDefault(),
+                SsoRegistrationBypassOption::getDefault(),
                 SelfVetOption::getDefault(),
                 SelfAssertedTokensOption::getDefault(),
             ),
@@ -320,6 +325,21 @@ public function configureSsoOn2faOption(SsoOn2faOption $ssoOn2faOption): void
         );
     }
 
+    public function configureSsoRegistrationBypassOption(SsoRegistrationBypassOption $ssoRegistrationBypassOption)
+    {
+        if ($this->ssoRegistrationBypassOption->equals($ssoRegistrationBypassOption)) {
+            return;
+        }
+
+        $this->apply(
+            new SsoRegistrationBypassOptionChangedEvent(
+                $this->institutionConfigurationId,
+                $this->institution,
+                $ssoRegistrationBypassOption
+            )
+        );
+    }
+
     public function updateUseRaOption(InstitutionAuthorizationOption $useRaOption): void
     {
         if ($this->useRaOption instanceof \Surfnet\Stepup\Configuration\Value\InstitutionAuthorizationOption
@@ -526,6 +546,7 @@ protected function applyNewInstitutionConfigurationCreatedEvent(NewInstitutionCo
         $this->verifyEmailOption = $event->verifyEmailOption;
         $this->selfVetOption = $event->selfVetOption;
         $this->ssoOn2faOption = $event->ssoOn2faOption;
+        $this->ssoRegistrationBypassOption = $event->ssoRegistrationBypassOption;
         $this->selfAssertedTokensOption = $event->selfAssertedTokensOption;
         $this->numberOfTokensPerIdentityOption = $event->numberOfTokensPerIdentityOption;
         $this->raLocations = new RaLocationList([]);
@@ -592,6 +613,12 @@ protected function applySsoOn2faOptionChangedEvent(
         $this->ssoOn2faOption = $event->ssoOn2faOption;
     }
 
+    protected function applySsoRegistrationBypassOptionChangedEvent(
+        SsoRegistrationBypassOptionChangedEvent $event,
+    ): void {
+        $this->ssoRegistrationBypassOption = $event->ssoRegistrationBypassOption;
+    }
+
     protected function applyNumberOfTokensPerIdentityOptionChangedEvent(
         NumberOfTokensPerIdentityOptionChangedEvent $event,
     ): void {

src/Surfnet/Stepup/Configuration/Value/SsoRegistrationBypassOption.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Copyright 2025 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\Stepup\Configuration\Value;
+
+use JsonSerializable;
+
+final readonly class SsoRegistrationBypassOption implements JsonSerializable
+{
+    public static function getDefault(): self
+    {
+        return new self(false);
+    }
+
+    public function __construct(
+        private bool $ssoRegistrationBypass
+    ) {
+    }
+
+    public function equals(SsoRegistrationBypassOption $other): bool
+    {
+        return $this->ssoRegistrationBypass === $other->isEnabled();
+    }
+
+    public function isEnabled(): bool
+    {
+        return $this->ssoRegistrationBypass;
+    }
+
+    public function jsonSerialize(): bool
+    {
+        return $this->ssoRegistrationBypass;
+    }
+}

src/Surfnet/Stepup/Tests/Configuration/Event/EventSerializationAndDeserializationTest.php

@@ -40,6 +40,7 @@
 use Surfnet\Stepup\Configuration\Event\ShowRaaContactInformationOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\SraaUpdatedEvent;
 use Surfnet\Stepup\Configuration\Event\SsoOn2faOptionChangedEvent;
+use Surfnet\Stepup\Configuration\Event\SsoRegistrationBypassOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\UseRaLocationsOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Event\VerifyEmailOptionChangedEvent;
 use Surfnet\Stepup\Configuration\Value\AllowedSecondFactorList;
@@ -54,6 +55,7 @@
 use Surfnet\Stepup\Configuration\Value\SelfVetOption;
 use Surfnet\Stepup\Configuration\Value\ShowRaaContactInformationOption;
 use Surfnet\Stepup\Configuration\Value\SsoOn2faOption;
+use Surfnet\Stepup\Configuration\Value\SsoRegistrationBypassOption;
 use Surfnet\Stepup\Configuration\Value\UseRaLocationsOption;
 use Surfnet\Stepup\Configuration\Value\VerifyEmailOption;
 use Surfnet\StepupBundle\Value\SecondFactorType;
@@ -171,6 +173,13 @@ public function institutionConfigurationEventsProvider(): array
                     new SsoOn2faOption(false),
                 ),
             ],
+            'SsoRegistrationBypassOptionChangedEvent' => [
+                new SsoRegistrationBypassOptionChangedEvent(
+                    $institutionConfigurationId,
+                    $institution,
+                    new SsoRegistrationBypassOption(false),
+                ),
+            ],
             'AllowedSecondFactorListUpdatedEvent:withSecondFactors' => [
                 new AllowedSecondFactorListUpdatedEvent(
                     $institutionConfigurationId,