Merge pull request #526 from OpenConext/bugfix/allow-identity-restore

pablothedude · web-flow · commit b61e7a601ee6 · 2025-02-04T11:35:48.000+01:00
Allow identity restoration
diff --git a/ci/qa/phpstan-baseline.neon b/ci/qa/phpstan-baseline.neon
@@ -1220,11 +1220,6 @@ parameters:
 			count: 1
 			path: ../../src/Surfnet/Stepup/Identity/Event/SafeStoreSecretRecoveryTokenPossessionPromisedEvent.php
 
-		-
-			message: "#^Property Surfnet\\\\Stepup\\\\Identity\\\\Event\\\\SafeStoreSecretRecoveryTokenPossessionPromisedEvent\\:\\:\\$secret \\(Surfnet\\\\Stepup\\\\Identity\\\\Value\\\\RecoveryTokenIdentifier\\) does not accept Surfnet\\\\Stepup\\\\Identity\\\\Value\\\\RecoveryTokenIdentifier\\|null\\.$#"
-			count: 1
-			path: ../../src/Surfnet/Stepup/Identity/Event/SafeStoreSecretRecoveryTokenPossessionPromisedEvent.php
-
 		-
 			message: "#^Method Surfnet\\\\Stepup\\\\Identity\\\\Event\\\\SecondFactorMigratedEvent\\:\\:deserialize\\(\\) has parameter \\$data with no value type specified in iterable type array\\.$#"
 			count: 1
@@ -1412,7 +1407,7 @@ parameters:
 
 		-
 			message: "#^Cannot call method count\\(\\) on Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\SecondFactorCollection\\|null\\.$#"
-			count: 2
+			count: 5
 			path: ../../src/Surfnet/Stepup/Identity/Identity.php
 
 		-
@@ -1527,7 +1522,7 @@ parameters:
 
 		-
 			message: "#^Parameter \\#1 \\$value of function count expects array\\|Countable, Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\SecondFactorCollection\\|null given\\.$#"
-			count: 4
+			count: 1
 			path: ../../src/Surfnet/Stepup/Identity/Identity.php
 
 		-
@@ -2572,12 +2567,12 @@ parameters:
 
 		-
 			message: "#^Cannot access property \\$commonName on Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity\\|null\\.$#"
-			count: 1
+			count: 2
 			path: ../../src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php
 
 		-
 			message: "#^Cannot access property \\$email on Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity\\|null\\.$#"
-			count: 1
+			count: 2
 			path: ../../src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php
 
 		-
@@ -2587,7 +2582,7 @@ parameters:
 
 		-
 			message: "#^Parameter \\#1 \\$identity of method Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Repository\\\\IdentityRepository\\:\\:save\\(\\) expects Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity, Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity\\|null given\\.$#"
-			count: 3
+			count: 4
 			path: ../../src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php
 
 		-
diff --git a/src/Surfnet/Stepup/Identity/Api/Identity.php b/src/Surfnet/Stepup/Identity/Api/Identity.php
@@ -232,6 +232,11 @@ public function expressPreferredLocale(Locale $preferredLocale): void;
      */
     public function forget(): void;
 
+    public function restore(
+        CommonName $commonName,
+        Email $email,
+    ): void;
+
     /**
      * @return IdentityId
      */
diff --git a/src/Surfnet/Stepup/Identity/Event/IdentityRestoredEvent.php b/src/Surfnet/Stepup/Identity/Event/IdentityRestoredEvent.php
@@ -0,0 +1,117 @@
+<?php
+
+/**
+ * Copyright 2025 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\Stepup\Identity\Event;
+
+use Surfnet\Stepup\Identity\AuditLog\Metadata;
+use Surfnet\Stepup\Identity\Value\CommonName;
+use Surfnet\Stepup\Identity\Value\Email;
+use Surfnet\Stepup\Identity\Value\IdentityId;
+use Surfnet\Stepup\Identity\Value\Institution;
+use Surfnet\StepupMiddleware\CommandHandlingBundle\SensitiveData\Forgettable;
+use Surfnet\StepupMiddleware\CommandHandlingBundle\SensitiveData\RightToObtainDataInterface;
+use Surfnet\StepupMiddleware\CommandHandlingBundle\SensitiveData\SensitiveData;
+
+class IdentityRestoredEvent extends IdentityEvent implements Forgettable, RightToObtainDataInterface
+{
+
+    /**
+     * @var string[]
+     */
+    private array $allowlist = [
+        'id',
+        'common_name',
+        'email',
+        'institution',
+    ];
+
+    public function __construct(
+        private readonly IdentityId $id,
+        private readonly Institution $institution,
+        public CommonName $commonName,
+        public Email $email,
+    ) {
+        parent::__construct($id, $institution);
+    }
+
+    public function getAuditLogMetadata(): Metadata
+    {
+        $metadata = new Metadata();
+        $metadata->identityId = $this->id;
+        $metadata->identityInstitution = $this->institution;
+
+        return $metadata;
+    }
+
+    /**
+     * @param array<string,string> $data
+     */
+    public static function deserialize(array $data): self
+    {
+        return new self(
+            new IdentityId($data['id']),
+            new Institution($data['institution']),
+            new CommonName($data['common_name']),
+            new Email($data['email']),
+        );
+    }
+
+    /**
+     * @return array<string,string>
+     */
+    public function serialize(): array
+    {
+        return [
+            'id' => (string)$this->id,
+            'institution' => (string)$this->institution,
+            'common_name' => (string)$this->commonName,
+            'email' => (string)$this->email,
+        ];
+    }
+
+    public function getSensitiveData(): SensitiveData
+    {
+        return (new SensitiveData)
+            ->withCommonName($this->commonName)
+            ->withEmail($this->email);
+    }
+
+    public function setSensitiveData(SensitiveData $sensitiveData): void
+    {
+        $this->commonName = $sensitiveData->getCommonName();
+        $this->email = $sensitiveData->getEmail();
+    }
+
+    /**
+     * @return array<string,string>
+     */
+    public function obtainUserData(): array
+    {
+        $serializedPublicUserData = $this->serialize();
+        $serializedSensitiveUserData = $this->getSensitiveData()->serialize();
+        return array_merge($serializedPublicUserData, $serializedSensitiveUserData);
+    }
+
+    /**
+     * @return string[]
+     */
+    public function getAllowlist(): array
+    {
+        return $this->allowlist;
+    }
+}
diff --git a/src/Surfnet/Stepup/Identity/Event/SafeStoreSecretRecoveryTokenPossessionPromisedEvent.php b/src/Surfnet/Stepup/Identity/Event/SafeStoreSecretRecoveryTokenPossessionPromisedEvent.php
@@ -116,9 +116,14 @@ public function getSensitiveData(): SensitiveData
 
     public function setSensitiveData(SensitiveData $sensitiveData): void
     {
+        $secret = $sensitiveData->getRecoveryTokenIdentifier();
+        if ($secret === null) {
+            $secret = SafeStore::unknown();
+        }
+
         $this->email = $sensitiveData->getEmail();
         $this->commonName = $sensitiveData->getCommonName();
-        $this->secret = $sensitiveData->getRecoveryTokenIdentifier();
+        $this->secret = $secret;
     }
 
     public function obtainUserData(): array
diff --git a/src/Surfnet/Stepup/Identity/Identity.php b/src/Surfnet/Stepup/Identity/Identity.php
@@ -52,6 +52,7 @@
 use Surfnet\Stepup\Identity\Event\IdentityCreatedEvent;
 use Surfnet\Stepup\Identity\Event\IdentityEmailChangedEvent;
 use Surfnet\Stepup\Identity\Event\IdentityForgottenEvent;
+use Surfnet\Stepup\Identity\Event\IdentityRestoredEvent;
 use Surfnet\Stepup\Identity\Event\IdentityRenamedEvent;
 use Surfnet\Stepup\Identity\Event\LocalePreferenceExpressedEvent;
 use Surfnet\Stepup\Identity\Event\PhonePossessionProvenAndVerifiedEvent;
@@ -1010,6 +1011,17 @@ public function forget(): void
         $this->apply(new IdentityForgottenEvent($this->id, $this->institution));
     }
 
+    public function restore(
+        CommonName $commonName,
+        Email $email,
+    ): void {
+        if (!$this->forgotten) {
+            return;
+        }
+
+        $this->apply(new IdentityRestoredEvent($this->id, $this->institution, $commonName, $email));
+    }
+
     public function allVettedSecondFactorsRemoved(): void
     {
         $this->apply(
@@ -1037,6 +1049,19 @@ protected function applyIdentityCreatedEvent(IdentityCreatedEvent $event): void
         $this->recoveryTokens = new RecoveryTokenCollection();
     }
 
+    protected function applyIdentityRestoredEvent(IdentityRestoredEvent $event): void
+    {
+        $this->unverifiedSecondFactors = new SecondFactorCollection();
+        $this->verifiedSecondFactors = new SecondFactorCollection();
+        $this->vettedSecondFactors = new SecondFactorCollection();
+        $this->registrationAuthorities = new RegistrationAuthorityCollection();
+        $this->recoveryTokens = new RecoveryTokenCollection();
+
+        $this->commonName = $event->commonName;
+        $this->email = $event->email;
+        $this->forgotten = false;
+    }
+
     public function applyIdentityRenamedEvent(IdentityRenamedEvent $event): void
     {
         $this->commonName = $event->commonName;
@@ -1452,9 +1477,9 @@ private function assertNotForgotten(): void
      */
     private function assertUserMayAddSecondFactor(int $maxNumberOfTokens): void
     {
-        if (count($this->unverifiedSecondFactors) +
-            count($this->verifiedSecondFactors) +
-            count($this->vettedSecondFactors) >= $maxNumberOfTokens
+        if ($this->unverifiedSecondFactors->count() +
+            $this->verifiedSecondFactors->count() +
+            $this->vettedSecondFactors->count() >= $maxNumberOfTokens
         ) {
             throw new DomainException(
                 sprintf('User may not have more than %d token(s)', $maxNumberOfTokens),
diff --git a/src/Surfnet/Stepup/Identity/Value/SafeStore.php b/src/Surfnet/Stepup/Identity/Value/SafeStore.php
@@ -18,14 +18,20 @@
 
 namespace Surfnet\Stepup\Identity\Value;
 
+use Surfnet\Stepup\Exception\DomainException;
+use Surfnet\Stepup\Exception\RuntimeException;
+
 /**
  * Recovery token identifier for the SafeStore token type
  */
 class SafeStore implements RecoveryTokenIdentifier
 {
+    private ?Secret $secret = null;
+
     public function __construct(
-        private readonly Secret $secret,
+        Secret $secret,
     ) {
+        $this->secret = $secret;
     }
 
     public static function unknown(): self
@@ -40,6 +46,9 @@ public static function hidden(): self
 
     public function getValue(): string
     {
+        if ($this->secret === null) {
+            throw new RuntimeException("Secret should be set");
+        }
         return $this->secret->getSecret();
     }
 
diff --git a/src/Surfnet/Stepup/Tests/Identity/Event/EventSerializationAndDeserializationTest.php b/src/Surfnet/Stepup/Tests/Identity/Event/EventSerializationAndDeserializationTest.php
@@ -40,6 +40,7 @@
 use Surfnet\Stepup\Identity\Event\IdentityCreatedEvent;
 use Surfnet\Stepup\Identity\Event\IdentityEmailChangedEvent;
 use Surfnet\Stepup\Identity\Event\IdentityRenamedEvent;
+use Surfnet\Stepup\Identity\Event\IdentityRestoredEvent;
 use Surfnet\Stepup\Identity\Event\LocalePreferenceExpressedEvent;
 use Surfnet\Stepup\Identity\Event\PhonePossessionProvenEvent;
 use Surfnet\Stepup\Identity\Event\RegistrationAuthorityInformationAmendedEvent;
@@ -293,6 +294,14 @@ public function eventProvider(): array
                     new Locale('en_GB'),
                 ),
             ],
+            'IdentityRestoredEvent' => [
+                new IdentityRestoredEvent(
+                    new IdentityId($this->UUID()),
+                    new Institution('BabelFish Inc'),
+                    new CommonName('Henk Westbroek'),
+                    new Email('info@example.invalid'),
+                ),
+            ],
             'IdentityEmailChangedEvent' => [
                 new IdentityEmailChangedEvent(
                     new IdentityId($this->UUID()),
diff --git a/src/Surfnet/Stepup/Tests/Identity/Event/ForgettableEventsTest.php b/src/Surfnet/Stepup/Tests/Identity/Event/ForgettableEventsTest.php
@@ -32,6 +32,7 @@
 use Surfnet\Stepup\Identity\Event\IdentityCreatedEvent;
 use Surfnet\Stepup\Identity\Event\IdentityEmailChangedEvent;
 use Surfnet\Stepup\Identity\Event\IdentityRenamedEvent;
+use Surfnet\Stepup\Identity\Event\IdentityRestoredEvent;
 use Surfnet\Stepup\Identity\Event\PhonePossessionProvenAndVerifiedEvent;
 use Surfnet\Stepup\Identity\Event\PhonePossessionProvenEvent;
 use Surfnet\Stepup\Identity\Event\PhoneRecoveryTokenPossessionProvenEvent;
@@ -93,6 +94,7 @@ public function certain_events_are_forgettable_events_and_others_are_not(): void
             YubikeyPossessionProvenAndVerifiedEvent::class,
             YubikeySecondFactorBootstrappedEvent::class,
             RegistrationAuthorityRetractedForInstitutionEvent::class,
+            IdentityRestoredEvent::class,
         ];
         $otherIdentityEventFqcns = array_diff($this->getConcreteIdentityEventFqcns(), $forgettableEventFqcns);
         $forgettableFqcn = Forgettable::class;
diff --git a/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php b/src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php
@@ -18,6 +18,7 @@
 
 namespace Surfnet\StepupMiddleware\ApiBundle\Identity\Projector;
 
+use Surfnet\Stepup\Identity\Event\IdentityRestoredEvent;
 use Surfnet\Stepup\Projector\Projector;
 use Surfnet\Stepup\Identity\Event\IdentityCreatedEvent;
 use Surfnet\Stepup\Identity\Event\IdentityEmailChangedEvent;
@@ -75,6 +76,16 @@ public function applyLocalePreferenceExpressedEvent(LocalePreferenceExpressedEve
         $this->identityRepository->save($identity);
     }
 
+    public function applyIdentityRestoredEvent(IdentityRestoredEvent $event): void
+    {
+        $identity = $this->identityRepository->find((string)$event->identityId);
+        $identity->email = $event->email;
+        $identity->commonName = $event->commonName;
+
+        $this->identityRepository->save($identity);
+    }
+
+
     public function applySecondFactorVettedEvent(SecondFactorVettedEvent $event): void
     {
         $this->determinePossessionOfSelfAssertedToken($event->vettingType, (string)$event->identityId);
diff --git a/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Identity/CommandHandler/IdentityCommandHandler.php b/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Identity/CommandHandler/IdentityCommandHandler.php
@@ -122,6 +122,7 @@ public function handleUpdateIdentityCommand(UpdateIdentityCommand $command): voi
         /** @var IdentityApi $identity */
         $identity = $this->eventSourcedRepository->load(new IdentityId($command->id));
 
+        $identity->restore(new CommonName($command->commonName), new Email($command->email));
         $identity->rename(new CommonName($command->commonName));
         $identity->changeEmail(new Email($command->email));
 
diff --git a/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Tests/Identity/CommandHandler/IdentityCommandHandlerTest.php b/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Tests/Identity/CommandHandler/IdentityCommandHandlerTest.php

Original file line number	Diff line number	Diff line change
`@@ -1220,11 +1220,6 @@ parameters:`
`1220`	`1220`	`count: 1`
`1221`	`1221`	`path: ../../src/Surfnet/Stepup/Identity/Event/SafeStoreSecretRecoveryTokenPossessionPromisedEvent.php`
`1222`	`1222`
`1223`		`- -`
`1224`		`- message: "#^Property Surfnet\\\\Stepup\\\\Identity\\\\Event\\\\SafeStoreSecretRecoveryTokenPossessionPromisedEvent\\:\\:\\$secret \\(Surfnet\\\\Stepup\\\\Identity\\\\Value\\\\RecoveryTokenIdentifier\\) does not accept Surfnet\\\\Stepup\\\\Identity\\\\Value\\\\RecoveryTokenIdentifier\\\|null\\.$#"`
`1225`		`- count: 1`
`1226`		`- path: ../../src/Surfnet/Stepup/Identity/Event/SafeStoreSecretRecoveryTokenPossessionPromisedEvent.php`
`1227`		`-`
`1228`	`1223`	`-`
`1229`	`1224`	`message: "#^Method Surfnet\\\\Stepup\\\\Identity\\\\Event\\\\SecondFactorMigratedEvent\\:\\:deserialize\\(\\) has parameter \\$data with no value type specified in iterable type array\\.$#"`
`1230`	`1225`	`count: 1`
`@@ -1412,7 +1407,7 @@ parameters:`
`1412`	`1407`
`1413`	`1408`	`-`
`1414`	`1409`	`message: "#^Cannot call method count\\(\\) on Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\SecondFactorCollection\\\|null\\.$#"`
`1415`		`- count: 2`
	`1410`	`+ count: 5`
`1416`	`1411`	`path: ../../src/Surfnet/Stepup/Identity/Identity.php`
`1417`	`1412`
`1418`	`1413`	`-`
`@@ -1527,7 +1522,7 @@ parameters:`
`1527`	`1522`
`1528`	`1523`	`-`
`1529`	`1524`	`message: "#^Parameter \\#1 \\$value of function count expects array\\\|Countable, Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\SecondFactorCollection\\\|null given\\.$#"`
`1530`		`- count: 4`
	`1525`	`+ count: 1`
`1531`	`1526`	`path: ../../src/Surfnet/Stepup/Identity/Identity.php`
`1532`	`1527`
`1533`	`1528`	`-`
`@@ -2572,12 +2567,12 @@ parameters:`
`2572`	`2567`
`2573`	`2568`	`-`
`2574`	`2569`	`message: "#^Cannot access property \\$commonName on Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity\\\|null\\.$#"`
`2575`		`- count: 1`
	`2570`	`+ count: 2`
`2576`	`2571`	`path: ../../src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php`
`2577`	`2572`
`2578`	`2573`	`-`
`2579`	`2574`	`message: "#^Cannot access property \\$email on Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity\\\|null\\.$#"`
`2580`		`- count: 1`
	`2575`	`+ count: 2`
`2581`	`2576`	`path: ../../src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php`
`2582`	`2577`
`2583`	`2578`	`-`
`@@ -2587,7 +2582,7 @@ parameters:`
`2587`	`2582`
`2588`	`2583`	`-`
`2589`	`2584`	`message: "#^Parameter \\#1 \\$identity of method Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Repository\\\\IdentityRepository\\:\\:save\\(\\) expects Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity, Surfnet\\\\StepupMiddleware\\\\ApiBundle\\\\Identity\\\\Entity\\\\Identity\\\|null given\\.$#"`
`2590`		`- count: 3`
	`2585`	`+ count: 4`
`2591`	`2586`	`path: ../../src/Surfnet/StepupMiddleware/ApiBundle/Identity/Projector/IdentityProjector.php`
`2592`	`2587`
`2593`	`2588`	`-`
Original file line number	Diff line number	Diff line change
`@@ -116,9 +116,14 @@ public function getSensitiveData(): SensitiveData`
`116`	`116`
`117`	`117`	`public function setSensitiveData(SensitiveData $sensitiveData): void`
`118`	`118`	`{`
	`119`	`+ $secret = $sensitiveData->getRecoveryTokenIdentifier();`
	`120`	`+ if ($secret === null) {`
	`121`	`+ $secret = SafeStore::unknown();`
	`122`	`+ }`
	`123`	`+`
`119`	`124`	`$this->email = $sensitiveData->getEmail();`
`120`	`125`	`$this->commonName = $sensitiveData->getCommonName();`
`121`		`- $this->secret = $sensitiveData->getRecoveryTokenIdentifier();`
	`126`	`+ $this->secret = $secret;`
`122`	`127`	`}`
`123`	`128`
`124`	`129`	`public function obtainUserData(): array`