Updates for docker testing; phpstan; consolidate gateway methods

pradtke · pradtke · commit 3d953b1cc8a6 · 2025-11-20T20:39:31.000-08:00
diff --git a/config/module_casserver.php.dist b/config/module_casserver.php.dist
@@ -117,7 +117,8 @@ $config = [
     'proxy_granting_ticket_expire_time' => 600,
     // how many seconds proxy tickets are valid for, defaults to 5
     'proxy_ticket_expire_time' => 5,
-    // OPTIONAL, enable CAS passive mode, defaults to false
+    // OPTIONAL, if `gateway=true` is requested and user has no session, invoke the authsource with `isPassive=true`.
+    // defaults to false
     //'enable_passive_mode' => true,
 
     // If query param debugMode=true is sent to the login endpoint then print cas ticket xml. Default false
diff --git a/docker/ssp/authsources.php b/docker/ssp/authsources.php
@@ -14,6 +14,7 @@
         'users' => [
             'student:studentpass' => [
                 'uid' => ['student'],
+                'cn' => ['Firsty Lasty'],
                 'eduPersonAffiliation' => ['member', 'student'],
                 'eduPersonNickname' => 'Sir_Nickname',
                 'displayName' => 'Some User',
diff --git a/docker/ssp/module_casserver.php b/docker/ssp/module_casserver.php
@@ -115,7 +115,7 @@
                                   url query parameter to CAS logout mandatory for obvious reasons.*/
 
     // how many seconds service tickets are valid for, defaults to 5
-    'service_ticket_expire_time' => 5,
+    'service_ticket_expire_time' => 60,
     // how many seconds proxy granting tickets are valid for at most, defaults to 3600
     'proxy_granting_ticket_expire_time' => 600,
     //how many seconds proxy tickets are valid for, defaults to 5
diff --git a/src/Controller/LoginController.php b/src/Controller/LoginController.php
@@ -165,24 +165,18 @@ public function login(
         $returnToUrl = $this->getReturnUrl($request, $sessionTicket);
 
         // renew=true and gateway=true are incompatible → prefer interactive login (disable passive)
-        // Protocol: gateway and renew are incompatible; behavior is undefined if both are set.
-        // OPTIONAL (implementation policy): Prefer renew (interactive, non-passive) by disabling gateway.
-        // OPTIONAL alternative: Reject with 400 to signal incompatible parameters.
         if ($gateway && $forceAuthn) {
             $gateway = false;
         }
 
-        // Handle passive authentication
+        // Handle passive authentication if service url defined
         // Protocol (gateway set): CAS MUST NOT prompt for credentials during this branch.
-        if ($gateway && !$this->authSource->isAuthenticated() && !$requestForceAuthenticate) {
-            $response = $this->handleUnauthenticatedGateway(
+        if ($serviceUrl && $gateway && !$this->authSource->isAuthenticated() && !$requestForceAuthenticate) {
+            return $this->handleUnauthenticatedGateway(
                 $serviceUrl,
                 $entityId,
                 $returnToUrl,
             );
-            if ($response !== null) {
-                return $response;
-            }
         }
 
         // Handle interactive authentication
@@ -254,9 +248,6 @@ public function login(
         }
 
         // User has SSO or non-interactive auth succeeded → redirect/POST to service WITH a ticket
-        // Protocol: With gateway and a successful non-interactive auth (or existing SSO), CAS MAY redirect to the
-        //           service and append a ticket.
-        // Protocol: CAS MAY interpose an advisory page indicating that authentication took place.
         $ticketName = $this->calculateTicketName($service);
         $this->postAuthUrlParameters[$ticketName] = $serviceTicket['id'];
 
@@ -502,20 +493,19 @@ private function handleInteractiveAuthenticate(
      *  - null to indicate: proceed with interactive login (non-passive).
      */
     private function handleUnauthenticatedGateway(
-        ?string $serviceUrl,
+        string $serviceUrl,
         ?string $entityId,
         string $returnToUrl,
-    ): ?RunnableResponse {
+    ): RunnableResponse {
         $passiveAllowed = $this->casConfig->getOptionalBoolean('enable_passive_mode', false);
 
-        // Passive mode is not enabled by configuration.
-        // Protocol: If non-interactive auth cannot be established:
-        //  - If service is present, CAS MUST redirect to the service URL WITHOUT a ticket parameter.
-        //  - If service is absent, behavior is undefined; it is RECOMMENDED
-        //    to request credentials as if neither parameter was specified.
+        // Passive mode is not enabled by configuration
+        // CAS MUST redirect to the service URL WITHOUT a ticket parameter.
         if (!$passiveAllowed) {
-            // Passive attempt already performed and still not authenticated.
-            return $this->gatewayFallback($serviceUrl);
+            return new RunnableResponse(
+                [$this->httpUtils, 'redirectTrustedURL'],
+                [$serviceUrl, []],
+            );
         }
 
         // Passive mode enabled: attempt a passive (non-interactive) authentication.
@@ -566,26 +556,4 @@ private function handleAuthenticate(
             [$params],
         );
     }
-
-    /**
-     * Gateway fallback per CAS gateway semantics:
-     * - Protocol (MUST): If a service is provided and non-interactive auth cannot be established,
-     *   redirect to the service WITHOUT any CAS parameters (no "ticket").
-     * - Protocol (Undefined, RECOMMENDED): If no service is provided, proceed with interactive login
-     *     (request credentials).
-     * @param string|null $serviceUrl
-     * @return RunnableResponse|null
-     */
-    private function gatewayFallback(?string $serviceUrl): ?RunnableResponse
-    {
-        if ($serviceUrl !== null) {
-            // MUST: Redirect to service WITHOUT a "ticket" parameter (and without other CAS params).
-            return new RunnableResponse(
-                [$this->httpUtils, 'redirectTrustedURL'],
-                [$serviceUrl, []],
-            );
-        }
-        // RECOMMENDED: No service specified; proceed with interactive login as if neither parameter was specified.
-        return null;
-    }
 }
diff --git a/tests/src/Controller/LoginControllerTest.php b/tests/src/Controller/LoginControllerTest.php
@@ -331,7 +331,7 @@ public function testValidServiceUrl(string $serviceParam, string $redirectURL, b
     /**
      * @return array<array{0:string}>
      */
-    public function serviceUrlsProvider(): array
+    public static function serviceUrlsProvider(): array
     {
         return [
             ['https://example.com/ssp/module.php/cas/linkback.php'],

Original file line number	Diff line number	Diff line change
`@@ -331,7 +331,7 @@ public function testValidServiceUrl(string $serviceParam, string $redirectURL, b`
`331`	`331`	`/**`
`332`	`332`	`* @return array<array{0:string}>`
`333`	`333`	`*/`
`334`		`- public function serviceUrlsProvider(): array`
	`334`	`+ public static function serviceUrlsProvider(): array`
`335`	`335`	`{`
`336`	`336`	`return [`
`337`	`337`	`['https://example.com/ssp/module.php/cas/linkback.php'],`