Merge branch 'release/2.5'

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 2.5.1
+**Bugfix**
+* Only preserve the exclude-from-push flag on client secret reset #342
+* Reuse scope attribute, preventing overwriting them #341 
+* Prevent overwriting of ARP motivations #340
+
 ## 2.5.0
 **Bugfix**
 

src/Surfnet/ServiceProviderDashboard/Application/Dto/MetadataConversionDto.php

@@ -561,4 +561,12 @@ public function isExcludedFromPush()
     {
         return $this->manageEntity->isExcludedFromPush();
     }
+
+    /**
+     * @return array
+     */
+    public function getScopes()
+    {
+        return $this->manageEntity->getOidcClient()->getScope();
+    }
 }

src/Surfnet/ServiceProviderDashboard/Application/Metadata/JsonGenerator/ArpGenerator.php

@@ -87,6 +87,9 @@ private function addExtraFields(array &$attributes, MetadataConversionDto $entit
                             'value' => $manageAttribute->getValue(),
                         ]
                     ];
+                    if (!empty($manageAttribute->getMotivation())) {
+                        $attributes[$manageAttribute->getName()][0]['motivation'] = $manageAttribute->getMotivation();
+                    }
                 }
             }
         }

src/Surfnet/ServiceProviderDashboard/Application/Metadata/OidcngJsonGenerator.php

@@ -216,15 +216,27 @@ private function generateMetadataFields(MetadataConversionDto $entity)
 
         $metadata['NameIDFormat'] = $entity->getNameIdFormat();
 
-        // Will become configurable some time in the future.
-        $metadata['scopes'] = ['openid'];
+        // If the entity exists in Manage, use the scopes configured there.
+        if ($entity->isManageEntity()) {
+            // This prevents overwriting the scopes attribute. See: https://www.pivotaltracker.com/story/show/170868465
+            $metadata['scopes'] = $entity->getScopes();
+        } else {
+            // Will become configurable some time in the future.
+            $metadata['scopes'] = ['openid'];
+        }
 
         // When publishing to production, the coin:exclude_from_push must be present and set to '1'. This prevents the
         // entity from being pushed to engineblock.
         if ($entity->isProduction()) {
             $metadata['coin:exclude_from_push'] = '1';
         }
 
+        // When dealing with a client secret reset, keep the current exclude from push state.
+        $secret = $entity->getClientSecret();
+        if ($secret && $entity->isManageEntity() && !$entity->isExcludedFromPush()) {
+            $metadata['coin:exclude_from_push'] = '0';
+        }
+
         $metadata += $this->generateOidcClient($entity);
 
         if (!empty($entity->getLogoUrl())) {

src/Surfnet/ServiceProviderDashboard/Application/Metadata/OidcngResourceServerJsonGenerator.php

@@ -194,6 +194,12 @@ private function generateMetadataFields(MetadataConversionDto $entity)
             $metadata['coin:exclude_from_push'] = '1';
         }
 
+        // When dealing with a client secret reset, keep the current exclude from push state.
+        $secret = $entity->getClientSecret();
+        if ($secret && $entity->isManageEntity() && !$entity->isExcludedFromPush()) {
+            $metadata['coin:exclude_from_push'] = '0';
+        }
+
         $metadata += $this->generateOidcClient($entity);
 
         return $metadata;

src/Surfnet/ServiceProviderDashboard/Infrastructure/Manage/Dto/Coin.php

@@ -43,7 +43,7 @@ public static function fromApiResponse(array $metaDataFields)
         $eula = isset($metaDataFields['coin:eula'])
             ? $metaDataFields['coin:eula'] : '';
         $excludeFromPush = isset($metaDataFields['coin:exclude_from_push'])
-            ? (int) $metaDataFields['coin:exclude_from_push'] : 0;
+            ? (int) $metaDataFields['coin:exclude_from_push'] : null;
         $oidcClient = isset($metaDataFields['coin:oidc_client'])
             ? (int) $metaDataFields['coin:oidc_client'] : 0;
 
@@ -52,7 +52,7 @@ public static function fromApiResponse(array $metaDataFields)
         Assert::string($originalMetadataUrl);
         Assert::string($applicationUrl);
         Assert::string($eula);
-        Assert::integer($excludeFromPush);
+        Assert::nullOrIntegerish($excludeFromPush);
         Assert::integer($oidcClient);
 
         return new self(

src/Surfnet/ServiceProviderDashboard/Infrastructure/Manage/Dto/ManageEntity.php

@@ -169,6 +169,9 @@ public function isOidcngResourceServer()
 
     public function isExcludedFromPush()
     {
+        if (is_null($this->getMetaData()->getCoin()->getExcludeFromPush())) {
+            return true;
+        }
         return $this->getMetaData()->getCoin()->getExcludeFromPush() == 1 ? true : false;
     }
 }

tests/unit/Application/Metadata/JsonGenerator/ArpGeneratorTest.php

@@ -136,6 +136,8 @@ private function buildManageAttribute(string $attributeName)
             ->andReturn('idp');
         $attribute->shouldReceive('getValue')
             ->andReturn('The Manage attr value');
+        $attribute->shouldReceive('getMotivation')
+            ->andReturn('The Manage motivation');
         return $attribute;
     }
 }