Support overriding StepUp EntityId

OpenConext · Nov 20, 2023 · 5e2eb17 · 5e2eb17
1 parent f7e664d
commit 5e2eb17
Show file tree

Hide file tree

Showing 17 changed files with 953 additions and 492 deletions.
diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml
@@ -9,7 +9,7 @@ on:
       - cron: "0 6 * * *"
 jobs:
     build:
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-20.04
         timeout-minutes: 30
         continue-on-error: true
         strategy:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ We will continue to post relevant release notes on the GitHub release page. More
 
 More information about our release strategy can be found in the [Development Guidelines](https://github.com/OpenConext/OpenConext-engineblock/wiki/Development-Guidelines#release-notes) on the EngineBlock wiki.
 
+## 6.14.0
+* A new feature was added to allow overwriting the internal StepUp auth EntityId 
+
 ## 6.13.0
 
 * Move most HTML from translatable strings into Twig templates, where it

diff --git a/UPGRADING.md b/UPGRADING.md
@@ -1,5 +1,24 @@
 # UPGRADE NOTES
 
+## 6.13 -> 6.14
+Previously the SAML EntityID of the EngineBlock SP that was used to do Stepup (SFO) authentications to the Stepup-Gateway 
+always was https://<engineblock.sever.domain.name>/authentication/stepup/metadata. For these authentication the default
+EngineBlock key is always used for signing.
+
+If you'd like to key-rollover the StepUp entity (baked into EngineBlock).
+The key used to sign the SAML AuthnRequests from this SP is the engineblock default key.
+
+To facilitate a rolling configuration update I want the SP entityID that is used for Stepup to be configurable so that at the same time that the engineblock default key is updated, this entityID can be changed. This then allows two entities, with two different keys, to be configured in the Stepup-Gateway.
+
+There are two new parameters that configure this behavior.
+
+1. `feature_stepup_sfo_override_engine_entityid` [bool] enables/disables the feature. Default: disabled
+2. `stepup.sfo.override_engine_entityid` [string] should be set with the Entity ID you'd like to use for the stepup EntityId. Default: ''
+
+The feature flag was added mainly to aid our test suite to easily test this feature.
+
+By default this feature is disabled and the default Entity Id is used for the StepUp entity.
+
 ## 6.12 -> 6.13
 
 Some translatable strings have been changed and "raw" use of HTML in

diff --git a/app/config/config.yml b/app/config/config.yml
@@ -27,6 +27,8 @@ open_conext_engine_block:
         eb.enable_sso_notification: "%feature_enable_sso_notification%"
         eb.feature_enable_consent: "%feature_enable_consent%"
         eb.enable_sso_session_cookie: "%feature_enable_sso_session_cookie%"
+        eb.stepup.sfo.override_engine_entityid: "%feature_stepup_sfo_override_engine_entityid%"
+
 
 swiftmailer:
     transport: "%mailer_transport%"

diff --git a/app/config/config_test.yml b/app/config/config_test.yml
@@ -48,6 +48,7 @@ monolog:
             activation_strategy: engineblock.logger.manual_or_error_activation_strategy
             passthru_level: "%logger.fingers_crossed.passthru_level%"
             handler: file
+            channels: ['!event']
         file:
             type:   stream
             path:   "%kernel.logs_dir%/%kernel.environment%.log"

diff --git a/app/config/functional_testing.yml.dist b/app/config/functional_testing.yml.dist
@@ -5,3 +5,4 @@ parameters:
     # Where must we store the writable state of the Mock IdP and Mock SP?
     idp_fixture_file:   "%kernel.root_dir%/../tmp/fixtures/db/idp.states.php.serialized"
     sp_fixture_file:    "%kernel.root_dir%/../tmp/fixtures/db/sp.states.php.serialized"
+    stepup.sfo.override_engine_entityid: 'https://engine.vm.openconext.com/new/stepup/metadata'
diff --git a/app/config/parameters.yml.dist b/app/config/parameters.yml.dist
@@ -223,6 +223,7 @@ parameters:
     feature_run_all_manipulations_prior_to_consent: false
     feature_block_user_on_violation: false
     feature_enable_consent: true
+    feature_stepup_sfo_override_engine_entityid: false
 
     ##########################################################################################
     ## PROFILE SETTINGS
@@ -261,6 +262,7 @@ parameters:
     stepup.gateway.sfo.sso_location: 'https://gateway.stepup.vm.openconext.org/second-factor-only/single-sign-on'
     ## The public key from the Stepup Gateway IdP
     stepup.gateway.sfo.key_file: /etc/openconext/engineblock.crt
+    stepup.sfo.override_engine_entityid: ''
 
     ##########################################################################################
     ## THEME SETTINGS