Merge pull request #550 from OpenConext/bugfix/add-prove-possession-for-already-registered-tokens

pablothedude · web-flow · commit 79d018c33168 · 2025-08-21T09:59:26.000+02:00
Check already registered on prove possession
diff --git a/ci/qa/phpstan-baseline.neon b/ci/qa/phpstan-baseline.neon
@@ -1392,7 +1392,7 @@ parameters:
 
 		-
 			message: "#^Argument of an invalid type Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\SecondFactorCollection\\|null supplied for foreach, only iterables are supported\\.$#"
-			count: 8
+			count: 11
 			path: ../../src/Surfnet/Stepup/Identity/Identity.php
 
 		-
@@ -1455,6 +1455,11 @@ parameters:
 			count: 1
 			path: ../../src/Surfnet/Stepup/Identity/Identity.php
 
+		-
+			message: "#^Cannot call method getType\\(\\) on mixed\\.$#"
+			count: 3
+			path: ../../src/Surfnet/Stepup/Identity/Identity.php
+
 		-
 			message: "#^Cannot call method getValues\\(\\) on Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\RegistrationAuthorityCollection\\|null\\.$#"
 			count: 1
diff --git a/src/Surfnet/Stepup/Identity/Identity.php b/src/Surfnet/Stepup/Identity/Identity.php
@@ -210,6 +210,7 @@ public function bootstrapYubikeySecondFactor(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenTypeNotAlreadyRegistered(new SecondFactorType('yubikey'));
 
         $this->apply(
             new YubikeySecondFactorBootstrappedEvent(
@@ -234,6 +235,7 @@ public function provePossessionOfYubikey(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenTypeNotAlreadyRegistered(new SecondFactorType('yubikey'));
 
         if ($emailVerificationRequired) {
             $emailVerificationNonce = TokenGenerator::generateNonce();
@@ -278,6 +280,7 @@ public function provePossessionOfPhone(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenTypeNotAlreadyRegistered(new SecondFactorType('sms'));
 
         if ($emailVerificationRequired) {
             $emailVerificationNonce = TokenGenerator::generateNonce();
@@ -373,6 +376,7 @@ public function provePossessionOfGssf(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenTypeNotAlreadyRegistered(new SecondFactorType($provider->getStepupProvider()));
 
         if ($emailVerificationRequired) {
             $emailVerificationNonce = TokenGenerator::generateNonce();
@@ -422,6 +426,7 @@ public function provePossessionOfU2fDevice(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenTypeNotAlreadyRegistered(new SecondFactorType('u2f'));
 
         if ($emailVerificationRequired) {
             $emailVerificationNonce = TokenGenerator::generateNonce();
@@ -685,6 +690,7 @@ public function migrateVettedSecondFactor(
             throw new DomainException("The second factor on the original identity can not be found");
         }
         $this->assertTokenNotAlreadyRegistered($secondFactor->getType(), $secondFactor->getIdentifier());
+        $this->assertTokenTypeNotAlreadyRegistered($secondFactor->getType());
         if ($sourceIdentity->getInstitution()->equals($this->getInstitution())) {
             throw new DomainException("Cannot move the second factor to the same institution");
         }
@@ -1546,21 +1552,40 @@ private function assertTokenNotAlreadyRegistered(SecondFactorType $type, SecondF
     {
         foreach ($this->unverifiedSecondFactors as $unverified) {
             if ($unverified->typeAndIdentifierAreEqual($type, $identifier)) {
-                throw new DomainException("The second factor was already registered as a unverified second factor");
+                throw new DomainException("The second factor was already registered as an unverified second factor");
             }
         }
         foreach ($this->verifiedSecondFactors as $verified) {
             if ($verified->typeAndIdentifierAreEqual($type, $identifier)) {
                 throw new DomainException("The second factor was already registered as a verified second factor");
             }
         }
-        foreach ($this->vettedSecondFactors as $vettedSecondFactor) {
-            if ($vettedSecondFactor->typeAndIdentifierAreEqual($type, $identifier)) {
+        foreach ($this->vettedSecondFactors as $vetted) {
+            if ($vetted->typeAndIdentifierAreEqual($type, $identifier)) {
                 throw new DomainException("The second factor was registered as a vetted second factor");
             }
         }
     }
 
+    private function assertTokenTypeNotAlreadyRegistered(SecondFactorType $type): void
+    {
+        foreach ($this->unverifiedSecondFactors as $unverified) {
+            if ($unverified->getType()->equals($type)) {
+                throw new DomainException("This second factor type was already registered as an unverified second factor");
+            }
+        }
+        foreach ($this->verifiedSecondFactors as $verified) {
+            if ($verified->getType()->equals($type)) {
+                throw new DomainException("This second factor type was already registered as a verified second factor");
+            }
+        }
+        foreach ($this->vettedSecondFactors as $vetted) {
+            if ($vetted->getType()->equals($type)) {
+                throw new DomainException("This second factor type was already registered as a vetted second factor");
+            }
+        }
+    }
+
     private function assertSelfAssertedTokenRegistrationAllowed(): void
     {
         if ($this->vettedSecondFactors->count() !== 0) {
diff --git a/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Tests/Identity/CommandHandler/IdentityCommandHandlerMoveTokenTest.php b/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Tests/Identity/CommandHandler/IdentityCommandHandlerMoveTokenTest.php
@@ -593,7 +593,7 @@ public function test_can_not_be_moved_if_already_present_as_verified_token(): vo
 
     public function test_can_not_be_moved_if_already_present_as_unverified_token(): void
     {
-        $this->expectExceptionMessage("The second factor was already registered as a unverified second factor");
+        $this->expectExceptionMessage("The second factor was already registered as an unverified second factor");
         $this->expectException(DomainException::class);
 
         $this->setUpInstitutionConfiguration(2, ['yubikey']);
diff --git a/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Tests/Identity/CommandHandler/IdentityCommandHandlerUniqueTypeRegistrationTest.php b/src/Surfnet/StepupMiddleware/CommandHandlingBundle/Tests/Identity/CommandHandler/IdentityCommandHandlerUniqueTypeRegistrationTest.php

Original file line number	Diff line number	Diff line change
`@@ -1392,7 +1392,7 @@ parameters:`
`1392`	`1392`
`1393`	`1393`	`-`
`1394`	`1394`	`message: "#^Argument of an invalid type Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\SecondFactorCollection\\\|null supplied for foreach, only iterables are supported\\.$#"`
`1395`		`- count: 8`
	`1395`	`+ count: 11`
`1396`	`1396`	`path: ../../src/Surfnet/Stepup/Identity/Identity.php`
`1397`	`1397`
`1398`	`1398`	`-`
`@@ -1455,6 +1455,11 @@ parameters:`
`1455`	`1455`	`count: 1`
`1456`	`1456`	`path: ../../src/Surfnet/Stepup/Identity/Identity.php`
`1457`	`1457`
	`1458`	`+ -`
	`1459`	`+ message: "#^Cannot call method getType\\(\\) on mixed\\.$#"`
	`1460`	`+ count: 3`
	`1461`	`+ path: ../../src/Surfnet/Stepup/Identity/Identity.php`
	`1462`	`+`
`1458`	`1463`	`-`
`1459`	`1464`	`message: "#^Cannot call method getValues\\(\\) on Surfnet\\\\Stepup\\\\Identity\\\\Entity\\\\RegistrationAuthorityCollection\\\|null\\.$#"`
`1460`	`1465`	`count: 1`
Original file line number	Diff line number	Diff line change
`@@ -593,7 +593,7 @@ public function test_can_not_be_moved_if_already_present_as_verified_token(): vo`
`593`	`593`
`594`	`594`	`public function test_can_not_be_moved_if_already_present_as_unverified_token(): void`
`595`	`595`	`{`
`596`		`- $this->expectExceptionMessage("The second factor was already registered as a unverified second factor");`
	`596`	`+ $this->expectExceptionMessage("The second factor was already registered as an unverified second factor");`
`597`	`597`	`$this->expectException(DomainException::class);`
`598`	`598`
`599`	`599`	`$this->setUpInstitutionConfiguration(2, ['yubikey']);`