Merge branch 'release-2.x'

.gitignore

@@ -5,6 +5,7 @@
 /app/cache/*
 /app/config/parameters.yml
 /app/config/samlstepupproviders_parameters.yml
+/app/config/global_view_parameters.yml
 /app/logs/*
 !app/cache/.gitkeep
 !app/logs/.gitkeep

README.md

@@ -3,6 +3,8 @@ Step-up Registration Authority
 
 [![Build Status](https://travis-ci.org/SURFnet/Stepup-RA.svg)](https://travis-ci.org/SURFnet/Stepup-RA) [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/SURFnet/Stepup-RA/badges/quality-score.png?b=develop)](https://scrutinizer-ci.com/g/SURFnet/Stepup-RA/?branch=develop) [![SensioLabs Insight](https://insight.sensiolabs.com/projects/8f9557e9-d8b8-4625-9e2a-60587d3cb3f0/mini.png)](https://insight.sensiolabs.com/projects/8f9557e9-d8b8-4625-9e2a-60587d3cb3f0)
 
+This component is part of "Step-up Authentication as-a Service" and requires other supporting components to function. See [Stepup-Deploy](https://github.com/SURFnet/Stepup-Deploy) for an overview. 
+
 ## Requirements
 
  * PHP 5.6+ or PHP7

app/Resources/translations/validators.en_GB.xliff

@@ -1,18 +1,18 @@
 <?xml version="1.0" encoding="utf-8"?>
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:jms="urn:jms:translation" version="1.2">
-  <file date="2016-08-12T13:45:09Z" source-language="en" target-language="en_GB" datatype="plaintext" original="not.available">
+  <file date="2016-11-03T10:43:41Z" source-language="en" target-language="en_GB" datatype="plaintext" original="not.available">
     <header>
       <tool tool-id="JMSTranslationBundle" tool-name="JMSTranslationBundle" tool-version="1.1.0-DEV"/>
       <note>The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message.</note>
     </header>
     <body>
       <trans-unit id="e921db3beb8170142aa4dcd8c364595343b6fc64" resname="middleware_client.dto.configuration.show_raa_contact_information.must_be_boolean">
         <source>middleware_client.dto.configuration.show_raa_contact_information.must_be_boolean</source>
-        <target state="new">middleware_client.dto.configuration.show_raa_contact_information.must_be_boolean</target>
+        <target>Show RAA Contact Information option must be boolean.</target>
       </trans-unit>
       <trans-unit id="53ef4f54259698cee5e0aaba2d7f20417cd8e9fb" resname="middleware_client.dto.configuration.use_ra_locations.must_be_boolean">
         <source>middleware_client.dto.configuration.use_ra_locations.must_be_boolean</source>
-        <target state="new">middleware_client.dto.configuration.use_ra_locations.must_be_boolean</target>
+        <target>Use RA locations option must be boolean.</target>
       </trans-unit>
       <trans-unit id="f033a6177f4f371fbc302f07a6b8c67ec8b46549" resname="middleware_client.dto.identity.common_name.must_be_string">
         <source>middleware_client.dto.identity.common_name.must_be_string</source>
@@ -430,6 +430,14 @@
         <source>ra.verify_identity_command.document_number.may_not_be_empty</source>
         <target>Enter the last 6 characters of document number</target>
       </trans-unit>
+      <trans-unit id="94785a2a9091f214657771372fcb4a61d47948bd" resname="ra.verify_identity_command.document_number.must_be_higher_than_minimum">
+        <source>ra.verify_identity_command.document_number.must_be_higher_than_minimum</source>
+        <target>Document number must consist of at least {{ limit }} character.|Document number must consist of at least {{ limit }} characters.</target>
+      </trans-unit>
+      <trans-unit id="5b10a05ddf6d1e4e7073de3dbbde2c7a095870ff" resname="ra.verify_identity_command.document_number.must_be_lower_than_maximum">
+        <source>ra.verify_identity_command.document_number.must_be_lower_than_maximum</source>
+        <target>Document number must consist of at most {{ limit }} character.|Document number must consist of at most {{ limit }} characters.</target>
+      </trans-unit>
       <trans-unit id="6a7721edc1618980a3d081cf8df1585ec10018ec" resname="ra.verify_identity_command.document_number.must_be_string">
         <source>ra.verify_identity_command.document_number.must_be_string</source>
         <target>Enter the last 6 characters of document number</target>

app/Resources/translations/validators.nl_NL.xliff

@@ -1,18 +1,19 @@
 <?xml version="1.0" encoding="utf-8"?>
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:jms="urn:jms:translation" version="1.2">
-  <file date="2016-08-12T13:45:11Z" source-language="en" target-language="nl_NL" datatype="plaintext" original="not.available">
+  <file date="2016-11-03T10:45:46Z" source-language="en" target-language="nl_NL" datatype="plaintext" original="not.available">
     <header>
       <tool tool-id="JMSTranslationBundle" tool-name="JMSTranslationBundle" tool-version="1.1.0-DEV"/>
       <note>The source node in most cases contains the sample message as written by the developer. If it looks like a dot-delimitted string such as "form.label.firstname", then the developer has not provided a default message.</note>
     </header>
     <body>
       <trans-unit id="e921db3beb8170142aa4dcd8c364595343b6fc64" resname="middleware_client.dto.configuration.show_raa_contact_information.must_be_boolean">
         <source>middleware_client.dto.configuration.show_raa_contact_information.must_be_boolean</source>
-        <target state="new">middleware_client.dto.configuration.show_raa_contact_information.must_be_boolean</target>
+        <target>Show RAA Contact Information option must be boolean.</target>
       </trans-unit>
       <trans-unit id="53ef4f54259698cee5e0aaba2d7f20417cd8e9fb" resname="middleware_client.dto.configuration.use_ra_locations.must_be_boolean">
         <source>middleware_client.dto.configuration.use_ra_locations.must_be_boolean</source>
-        <target state="new">middleware_client.dto.configuration.use_ra_locations.must_be_boolean</target>
+        <target>Use RA locations option must be boolean.
+</target>
       </trans-unit>
       <trans-unit id="f033a6177f4f371fbc302f07a6b8c67ec8b46549" resname="middleware_client.dto.identity.common_name.must_be_string">
         <source>middleware_client.dto.identity.common_name.must_be_string</source>
@@ -430,6 +431,14 @@
         <source>ra.verify_identity_command.document_number.may_not_be_empty</source>
         <target>Voor de laatste 6 karakters van het documentnummer in</target>
       </trans-unit>
+      <trans-unit id="94785a2a9091f214657771372fcb4a61d47948bd" resname="ra.verify_identity_command.document_number.must_be_higher_than_minimum">
+        <source>ra.verify_identity_command.document_number.must_be_higher_than_minimum</source>
+        <target>Documentnummer moet uit ten minste {{ limit }} teken bestaan.|Documentnummer moet uit ten minste {{ limit }} tekens bestaan.</target>
+      </trans-unit>
+      <trans-unit id="5b10a05ddf6d1e4e7073de3dbbde2c7a095870ff" resname="ra.verify_identity_command.document_number.must_be_lower_than_maximum">
+        <source>ra.verify_identity_command.document_number.must_be_lower_than_maximum</source>
+        <target>Documentnummer mag uit ten hoogste {{ limit }} teken bestaan.|Documentnummer mag uit ten hoogste {{ limit }} tekens bestaan.</target>
+      </trans-unit>
       <trans-unit id="6a7721edc1618980a3d081cf8df1585ec10018ec" resname="ra.verify_identity_command.document_number.must_be_string">
         <source>ra.verify_identity_command.document_number.must_be_string</source>
         <target>Voor de laatste 6 karakters van het documentnummer in</target>

app/Resources/views/base.html.twig

@@ -96,7 +96,7 @@
                 <div class="span8 offset2">
                     <hr>
                     <ul class="nav nav-pills">
-                        <li><a href="{{ footer_link_url }}">{{ 'footer.documentation'|trans }}</a></li>
+                        <li><a href="{{ global_view_parameters.manualUrl }}">{{ 'footer.documentation'|trans }}</a></li>
                     </ul>
                 </div>
             </div>

app/config/config.yml

@@ -2,6 +2,7 @@ imports:
     - { resource: parameters.yml }
     - { resource: security.yml }
     - { resource: samlstepupproviders.yml }
+    - { resource: global_view_parameters.yml }
     - { resource: logging.yml }
 
 framework:
@@ -36,7 +37,7 @@ twig:
     strict_variables: "%kernel.debug%"
     exception_controller:  SurfnetStepupBundle:Exception:show
     globals:
-        footer_link_url: %footer_link_url%
+        global_view_parameters: "@ra.service.global_view_parameters"
         institutionConfigurationOptions: "@ra.twig.institution_configuration_options"
 
 # Assetic Configuration
@@ -86,9 +87,11 @@ surfnet_stepup_ra_ra:
     session_lifetimes:
         max_absolute_lifetime: "%session_max_absolute_lifetime%"
         max_relative_lifetime: "%session_max_relative_lifetime%"
+    self_service_url: "%self_service_url%"
 
 mopa_bootstrap:
     form:
+        render_optional_text: false
         show_legend: false
         templating: SurfnetStepupRaRaBundle:Form:fields.html.twig
     icons:

app/config/global_view_parameters.yml.dist

@@ -0,0 +1,7 @@
+# These parameters are to be rendered into the view according to a specific locale
+# A typical example would be showing locale-dependent external URLs
+# Strings containing '%' should be escaped by prepending '%'
+parameters:
+    manual_url:
+        en_GB: "https://wiki.surfnet.nl/display/surfconextdev/Manual+RA+Management+portal"
+        nl_NL: "https://wiki.surfnet.nl/display/surfconextdev/Handleiding+RA+Management+portal"

app/config/parameters.yml.dist

@@ -50,7 +50,6 @@ parameters:
 
     u2f_app_id: https://gateway.tld/u2f/app-id
 
-    footer_link_url: https://wiki.surfnet.nl/display/surfconextdev/Handleiding+RA+Management+portal
-
     session_max_absolute_lifetime: 28800 # 8 hours * 60 minutes * 60 seconds
     session_max_relative_lifetime: 1800  # 30 minutes * 60 seconds
+    self_service_url: 'https://selfservice.tld/'

composer.json

@@ -68,6 +68,9 @@
             },
             {
                 "file": "app/config/samlstepupproviders_parameters.yml"
+            },
+            {
+                "file": "app/config/global_view_parameters.yml"
             }
         ]
     }

src/Surfnet/StepupRa/RaBundle/Assert.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Copyright 2016 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\StepupRa\RaBundle;
+
+use Assert\Assertion;
+use Surfnet\StepupRa\RaBundle\Exception\AssertionFailedException;
+
+final class Assert extends Assertion
+{
+    protected static $exceptionClass = '\Surfnet\StepupRa\RaBundle\Exception\AssertionFailedException';
+
+    public static function keysAre(array $array, array $expectedKeys, $propertyPath = null)
+    {
+        $givenKeys = array_keys($array);
+
+        sort($givenKeys);
+        sort($expectedKeys);
+
+        if ($givenKeys === $expectedKeys) {
+            return;
+        }
+
+        $givenCount = count($givenKeys);
+        $expectedCount = count($expectedKeys);
+
+        if ($givenCount < $expectedCount) {
+            $message = sprintf(
+                'Required keys "%s" are missing',
+                implode('", "', array_diff($expectedKeys, $givenKeys))
+            );
+        } elseif ($givenCount > $expectedCount) {
+            $message = sprintf(
+                'Additional keys "%s" found',
+                implode('", "', array_diff($givenKeys, $expectedKeys))
+            );
+        } else {
+            $additional = array_diff($givenKeys, $expectedKeys);
+            $required = array_diff($expectedKeys, $givenKeys);
+
+            $message = 'Keys do not match requirements';
+            if (!empty($additional)) {
+                $message .= sprintf(
+                    ', additional keys "%s" found',
+                    implode('", "', array_diff($givenKeys, $expectedKeys))
+                );
+            }
+
+            if (!empty($required)) {
+                $message .= sprintf(
+                    ', required keys "%s" are missing',
+                    implode('", "', array_diff($expectedKeys, $givenKeys))
+                );
+            }
+        }
+
+        throw new AssertionFailedException($message, 0, $propertyPath, $array);
+    }
+}

src/Surfnet/StepupRa/RaBundle/Command/VerifyIdentityCommand.php

@@ -25,6 +25,12 @@ class VerifyIdentityCommand
     /**
      * @Assert\NotBlank(message="ra.verify_identity_command.document_number.may_not_be_empty")
      * @Assert\Type(type="string", message="ra.verify_identity_command.document_number.must_be_string")
+     * @Assert\Length(
+     *      min=1,
+     *      max=6,
+     *      minMessage="ra.verify_identity_command.document_number.must_be_higher_than_minimum",
+     *      maxMessage="ra.verify_identity_command.document_number.must_be_lower_than_maximum"
+     * )
      *
      * @var string
      */

src/Surfnet/StepupRa/RaBundle/Controller/VettingController.php

@@ -33,6 +33,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Translation\TranslatorInterface;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -205,15 +206,27 @@ public function verifyIdentityAction(Request $request, $procedureId)
         }
 
         try {
-            $vetted = $vettingService->vet($procedureId);
-            if ($vetted) {
+            $vetting = $vettingService->vet($procedureId);
+            if ($vetting->isSuccessful()) {
                 $logger->notice('Identity Verified, vetting completed');
 
                 return $this->redirectToRoute('ra_vetting_completed', ['procedureId' => $procedureId]);
             }
 
             $logger->error('RA attempted to vet second factor, but the command failed');
 
+            if (in_array(VettingService::REGISTRATION_CODE_EXPIRED_ERROR, $vetting->getErrors())) {
+                $registrationCodeExpiredError = $this->getTranslator()
+                    ->trans(
+                        'ra.verify_identity.registration_code_expired',
+                        [
+                            '%self_service_url%' => $this->getParameter('surfnet_stepup_ra.self_service_url'),
+                        ]
+                    );
+
+                return $showForm($registrationCodeExpiredError);
+            }
+
             return $showForm('ra.verify_identity.second_factor_vetting_failed');
         } catch (DomainException $e) {
             $logger->error(
@@ -256,4 +269,12 @@ private function getIdentity()
     {
         return $this->get('security.token_storage')->getToken()->getUser();
     }
+
+    /**
+     * @return TranslatorInterface
+     */
+    private function getTranslator()
+    {
+        return $this->get('translator');
+    }
 }

src/Surfnet/StepupRa/RaBundle/DependencyInjection/Configuration.php

@@ -21,7 +21,6 @@
 use Surfnet\StepupBundle\Exception\DomainException;
 use Surfnet\StepupBundle\Exception\InvalidArgumentException;
 use Surfnet\StepupBundle\Value\SecondFactorType;
-use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
 use Symfony\Component\Config\Definition\Builder\NodeBuilder;
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
@@ -40,7 +39,7 @@ public function getConfigTreeBuilder()
         $this->appendLoaConfiguration($childNodes);
         $this->appendSecondFactorTypesConfiguration($childNodes);
         $this->appendSessionConfiguration($childNodes);
-
+        $this->appendUrlConfiguration($childNodes);
 
         return $treeBuilder;
     }
@@ -66,7 +65,6 @@ private function appendLoaConfiguration(NodeBuilder $childNodes)
     private function appendSecondFactorTypesConfiguration(NodeBuilder $childNodes)
     {
         $childNodes
-
             ->arrayNode('enabled_second_factors')
                 ->isRequired()
                 ->prototype('scalar')
@@ -134,4 +132,19 @@ function ($lifetime) {
                 ->end()
             ->end();
     }
+
+    private function appendUrlConfiguration(NodeBuilder $childNodes)
+    {
+        $childNodes
+            ->scalarNode('self_service_url')
+                ->info('The URL of Self Service, where a user can register and revoke second factors')
+                ->validate()
+                    ->ifTrue(
+                        function ($url) {
+                            return filter_var($url, FILTER_VALIDATE_URL) === false;
+                        }
+                    )
+                    ->thenInvalid('self_service_url must be a valid url')
+            ->end();
+    }
 }

src/Surfnet/StepupRa/RaBundle/DependencyInjection/SurfnetStepupRaRaExtension.php

@@ -50,5 +50,7 @@ public function load(array $configs, ContainerBuilder $container)
             'ra.security.authentication.session.maximum_relative_lifetime_in_seconds',
             $config['session_lifetimes']['max_relative_lifetime']
         );
+
+        $container->setParameter('surfnet_stepup_ra.self_service_url', $config['self_service_url']);
     }
 }