Merge pull request #468 from OpenConext/feature/467-fix-InstitutionConfigNotFound

pmeulen · web-flow · commit deec5b908cb4 · 2025-10-20T13:58:58.000+02:00
Fix InstitutionConfigurationNotFoundException when GSSP fallback attr…
diff --git a/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Service/Gateway/GsspFallbackService.php b/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Service/Gateway/GsspFallbackService.php
@@ -24,6 +24,7 @@
 use Surfnet\StepupGateway\GatewayBundle\Controller\SecondFactorController;
 use Surfnet\StepupGateway\GatewayBundle\Entity\InstitutionConfigurationRepository;
 use Surfnet\StepupGateway\GatewayBundle\Entity\SecondFactorRepository;
+use Surfnet\StepupGateway\GatewayBundle\Exception\InstitutionConfigurationNotFoundException;
 use Surfnet\StepupGateway\GatewayBundle\Saml\Proxy\ProxyStateHandler;
 use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactor\SecondFactorInterface;
 use Surfnet\StepupGateway\GatewayBundle\Service\WhitelistService;
@@ -87,6 +88,10 @@ public function handleSamlGsspExtension(LoggerInterface $logger, ReceivedAuthnRe
         }
     }
 
+    /**
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
+     * @SuppressWarnings(PHPMD.NPathComplexity)
+     */
     public function determineGsspFallbackNeeded(
         string $identityNameId,
         string $authenticationMode,
@@ -135,7 +140,14 @@ public function determineGsspFallbackNeeded(
             return false;
         }
 
-        $institutionConfiguration = $this->institutionConfigurationRepository->getInstitutionConfiguration($institution);
+        try {
+            $institutionConfiguration = $this->institutionConfigurationRepository->getInstitutionConfiguration($institution);
+        } catch (InstitutionConfigurationNotFoundException) {
+            $this->stateHandler->setSecondFactorIsFallback(false);
+            $logger->info('Gssp Fallback configured but not used, GSSP institution configuration is not found');
+            return false;
+        }
+
         if (!$institutionConfiguration->ssoRegistrationBypass) {
             $this->stateHandler->setSecondFactorIsFallback(false);
             $logger->info('Gssp Fallback configured but not used, GSSP fallback is not enabled for the institution');
diff --git a/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Tests/Service/Gateway/GsspFallback/GsspFallbackServiceTest.php b/src/Surfnet/StepupGateway/SecondFactorOnlyBundle/Tests/Service/Gateway/GsspFallback/GsspFallbackServiceTest.php
@@ -26,6 +26,7 @@
 use Surfnet\StepupGateway\GatewayBundle\Entity\InstitutionConfiguration;
 use Surfnet\StepupGateway\GatewayBundle\Entity\InstitutionConfigurationRepository;
 use Surfnet\StepupGateway\GatewayBundle\Entity\SecondFactorRepository;
+use Surfnet\StepupGateway\GatewayBundle\Exception\InstitutionConfigurationNotFoundException;
 use Surfnet\StepupGateway\GatewayBundle\Saml\Proxy\ProxyStateHandler;
 use Surfnet\StepupGateway\GatewayBundle\Service\WhitelistService;
 use Surfnet\StepupGateway\GatewayBundle\Tests\TestCase\GatewaySamlTestCase;
@@ -299,4 +300,53 @@ public function it_can_create_a_gssp_fallback_token(): void
         $this->assertSame($locale, $token->getDisplayLocale());
     }
 
+    /**
+     * @test
+     */
+    public function it_treats_missing_institution_configuration_as_default(): void
+    {
+        $subject = 'urn:collab:person:dev.openconext.local:john_haack';
+        $gsspSubject = 'john_haack@dev.openconext.local';
+        $gsspInstitution = 'dev.openconext.local';
+        $locale = 'en_GB';
+        $preferredLoa = 1.5;
+        $authenticationMode = SecondFactorController::MODE_SFO;
+
+        $this->stateHandler->shouldReceive('getGsspUserAttributeSubject')
+            ->once()
+            ->andReturn($gsspSubject);
+
+        $this->stateHandler->shouldReceive('getGsspUserAttributeInstitution')
+            ->once()
+            ->andReturn($gsspInstitution);
+
+        $this->institutionConfiguration->shouldReceive('getInstitutionConfiguration')
+            ->with($gsspInstitution)
+            ->andThrow(new InstitutionConfigurationNotFoundException());
+
+        $whitelistService = m::mock(WhitelistService::class);
+        $whitelistService->shouldReceive('contains')
+            ->once()
+            ->with($gsspInstitution)
+            ->andReturn(true);
+
+        // When institution configuration is not found, it means default config
+        // So the fallback should not be started
+        $this->stateHandler->shouldReceive('setSecondFactorIsFallback')
+            ->with(false)
+            ->once();
+
+        $this->stateHandler->shouldNotReceive('setPreferredLocale');
+
+        $result = $this->service->determineGsspFallbackNeeded(
+            $subject,
+            $authenticationMode,
+            new Loa($preferredLoa, 'example.org:loa-level'),
+            $whitelistService,
+            $this->logger,
+            $locale,
+        );
+
+        $this->assertFalse($result);
+    }
 }
