Merge pull request #96 from OpenConext/feature/allow-set-force-authn

Allow setting ForceAuthn on AuthnRequest

Author: MKodde

CHANGELOG.md

@@ -1,3 +1,7 @@
+# 4.1.10
+**New feature**
+* Allow setting the ForceAuthn property on AuthNRequest objects #96
+
 # 4.1.9
 **New feature**
 * Provide minimal Symfony 4 support #89 

src/DependencyInjection/SurfnetSamlExtension.php

@@ -226,6 +226,7 @@ private function parseRemoteServiceProviderConfiguration(
      */
     private function parseCertificateData($path, array $provider)
     {
+        $configuration = [];
         if (isset($provider['certificate_file']) && !isset($provider['certificate'])) {
             $configuration['certificateFile'] = $provider['certificate_file'];
         } elseif (isset($provider['certificate'])) {

src/Metadata/MetadataFactory.php

@@ -148,6 +148,8 @@ private function buildKeyPairFrom(MetadataConfiguration $metadataConfiguration)
     private function getCertificateData($publicKeyFile)
     {
         $certificate = File::getFileContents($publicKeyFile);
+
+        $matches = [];
         preg_match(Certificate::CERTIFICATE_PATTERN, $certificate, $matches);
 
         $certificateData = str_replace(array(' ', "\n"), '', $matches[1]);

src/SAML2/AuthnRequestFactory.php

@@ -127,15 +127,20 @@ private static function createAuthnRequestFromHttpRequest(
     /**
      * @param ServiceProvider  $serviceProvider
      * @param IdentityProvider $identityProvider
+     * @param bool $forceAuthn
      * @return AuthnRequest
      */
-    public static function createNewRequest(ServiceProvider $serviceProvider, IdentityProvider $identityProvider)
-    {
+    public static function createNewRequest(
+        ServiceProvider $serviceProvider,
+        IdentityProvider $identityProvider,
+        $forceAuthn = false
+    ) {
         $request = new SAML2AuthnRequest();
         $request->setAssertionConsumerServiceURL($serviceProvider->getAssertionConsumerUrl());
         $request->setDestination($identityProvider->getSsoUrl());
         $request->setIssuer($serviceProvider->getEntityId());
         $request->setProtocolBinding(Constants::BINDING_HTTP_POST);
+        $request->setForceAuthn($forceAuthn);
         $request->setSignatureKey(self::loadPrivateKey(
             $serviceProvider->getPrivateKey(PrivateKey::NAME_DEFAULT)
         ));

src/Tests/Unit/SAML2/AuthnRequestFactoryTest.php

@@ -2,7 +2,12 @@
 
 namespace Surfnet\SamlBundle\Tests\Unit\SAML2;
 
+use Mockery as m;
 use PHPUnit_Framework_TestCase as UnitTest;
+use RobRichards\XMLSecLibs\XMLSecurityKey;
+use SAML2\Configuration\PrivateKey;
+use Surfnet\SamlBundle\Entity\IdentityProvider;
+use Surfnet\SamlBundle\Entity\ServiceProvider;
 use Surfnet\SamlBundle\SAML2\AuthnRequest;
 use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
 use Symfony\Component\HttpFoundation\Request;
@@ -46,4 +51,27 @@ public function an_exception_is_thrown_when_a_request_cannot_be_inflated()
 
         AuthnRequestFactory::createFromHttpRequest($request);
     }
+
+    /**
+     * @test
+     * @group saml2
+     */
+    public function verify_force_authn_works_as_intended()
+    {
+        $sp = m::mock(ServiceProvider::class);
+        $sp->shouldReceive('getAssertionConsumerUrl')->andReturn('https://example-sp.com/acs');
+        $sp->shouldReceive('getEntityId')->andReturn('https://example-sp.com/');
+
+        $pk = new PrivateKey(__DIR__.'/../../../Resources/keys/development_privatekey.pem', 'key-for-test', '');
+
+        $sp->shouldReceive('getPrivateKey')->andReturn($pk);
+
+        $idp = m::mock(IdentityProvider::class);
+        $idp->shouldReceive('getSsoUrl')->andReturn('https://example-idp.com/sso');
+
+        $authnRequest = AuthnRequestFactory::createNewRequest($sp, $idp, true);
+        $this->assertTrue($authnRequest->isForceAuthn());
+        $authnRequest = AuthnRequestFactory::createNewRequest($sp, $idp, false);
+        $this->assertFalse($authnRequest->isForceAuthn());
+    }
 }