Improve skip SSO on 2FA log messages

OpenConext · Sep 19, 2023 · b7c48f7 · b7c48f7
1 parent a2867b2
commit b7c48f7
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 3 deletions.
diff --git a/src/Surfnet/StepupGateway/GatewayBundle/Controller/SecondFactorController.php b/src/Surfnet/StepupGateway/GatewayBundle/Controller/SecondFactorController.php
@@ -111,7 +111,13 @@ public function selectSecondFactorForVerificationAction($authenticationMode, Req
             $ssoCookie = $this->getCookieService()->read($request);
             // Test if the SSO cookie can satisfy the second factor authentication requirements
             if ($this->getCookieService()->maySkipAuthentication($requiredLoa->getLevel(), $identityNameId, $ssoCookie)) {
-                $logger->notice('Skipping second factor authentication. Required LoA was met by the LoA recorded in the cookie');
+                $logger->notice(
+                    'Skipping second factor authentication. Required LoA was met by the LoA recorded in the cookie',
+                    [
+                        'required-loa' => $requiredLoa->getLevel(),
+                        'cookie-loa' => $ssoCookie->getLoa()
+                    ]
+                );
                 // We use the SF from the cookie as the SF that was used for authenticating the second factor authentication
                 $secondFactor = $this->getSecondFactorService()->findByUuid($ssoCookie->secondFactorId());
                 $this->getResponseContext($authenticationMode)->saveSelectedSecondFactor($secondFactor);

diff --git a/src/Surfnet/StepupGateway/GatewayBundle/Sso2fa/CookieService.php b/src/Surfnet/StepupGateway/GatewayBundle/Sso2fa/CookieService.php
@@ -174,7 +174,7 @@ public function preconditionsAreMet(ResponseContext $responseContext): bool
         if (!$remoteSp->allowSsoOn2fa()) {
             $this->logger->notice(
                 sprintf(
-                    'Ignoring SSO on 2FA for SP: %s',
+                    'SSO on 2FA is disabled by config for SP: %s',
                     $remoteSp->getEntityId()
                 )
             );

diff --git a/src/Surfnet/StepupGateway/GatewayBundle/Sso2fa/ValueObject/CookieValueInterface.php b/src/Surfnet/StepupGateway/GatewayBundle/Sso2fa/ValueObject/CookieValueInterface.php
@@ -29,4 +29,6 @@ public function meetsRequiredLoa(float $requiredLoa): bool;
     public function authenticationTime(): int;
 
     public function secondFactorId(): string;
+
+    public function getLoa(): float;
 }
diff --git a/src/Surfnet/StepupGateway/GatewayBundle/Sso2fa/ValueObject/NullCookieValue.php b/src/Surfnet/StepupGateway/GatewayBundle/Sso2fa/ValueObject/NullCookieValue.php
@@ -44,4 +44,9 @@ public function secondFactorId(): string
     {
         return '';
     }
+
+    public function getLoa(): float
+    {
+        // TODO: Implement getLoa() method.
+    }
 }
diff --git a/src/Surfnet/StepupGateway/GatewayBundle/Tests/Sso2fa/CookieServiceTest.php b/src/Surfnet/StepupGateway/GatewayBundle/Tests/Sso2fa/CookieServiceTest.php
@@ -199,7 +199,7 @@ public function test_check_preconditions_is_remote_sp_disabled()
 
         $this->logger
             ->shouldReceive('notice')
-            ->with('Ignoring SSO on 2FA for SP: https://remote.sp.stepup.example.com');
+            ->with('SSO on 2FA is disabled by config for SP: https://remote.sp.stepup.example.com');
 
         self::assertFalse($this->service->preconditionsAreMet($this->responseContext));
     }