Remove loop handler query parameter. Loop prevention in passive mode is not a realistic scenario.

ioigoume · ioigoume · commit 526159d8189d · 2025-11-05T19:26:11.000+02:00
diff --git a/src/Controller/LoginController.php b/src/Controller/LoginController.php
@@ -176,7 +176,6 @@ public function login(
         // Protocol (gateway set): CAS MUST NOT prompt for credentials during this branch.
         if ($gateway && !$this->authSource->isAuthenticated() && !$requestForceAuthenticate) {
             $response = $this->handleUnauthenticatedGateway(
-                $request,
                 $serviceUrl,
                 $entityId,
                 $returnToUrl,
@@ -503,7 +502,6 @@ private function handleInteractiveAuthenticate(
      *  - null to indicate: proceed with interactive login (non-passive).
      */
     private function handleUnauthenticatedGateway(
-        Request $request,
         ?string $serviceUrl,
         ?string $entityId,
         string $returnToUrl,
@@ -520,24 +518,13 @@ private function handleUnauthenticatedGateway(
             return $this->gatewayFallback($serviceUrl);
         }
 
-        // Passive mode enabled: try a passive (non-interactive) authentication once
-        // OPTIONAL (implementation): Attempt passive exactly once while avoiding loops.
-        $gatewayTried = $this->getRequestParam($request, 'gatewayTried');
-        if ($gatewayTried !== '1') {
-            $rt = str_contains($returnToUrl, 'gatewayTried=')
-                ? $returnToUrl
-                : $returnToUrl . (str_contains($returnToUrl, '?') ? '&' : '?') . 'gatewayTried=1';
-
-            return $this->handleAuthenticate(
-                forceAuthn: false,
-                gateway: true,
-                returnToUrl: $rt,
-                entityId: $entityId,
-            );
-        }
-
-        // Passive attempt already performed and still not authenticated.
-        return $this->gatewayFallback($serviceUrl);
+        // Passive mode enabled: attempt a passive (non-interactive) authentication.
+        return $this->handleAuthenticate(
+            forceAuthn: false,
+            gateway: true,
+            returnToUrl: $returnToUrl,
+            entityId: $entityId,
+        );
     }
 
     /**
diff --git a/tests/src/Controller/LoginControllerTest.php b/tests/src/Controller/LoginControllerTest.php
@@ -318,6 +318,7 @@ public function testValidServiceUrl(string $serviceParam, string $redirectURL, b
             parameters: $queryParameters,
         );
 
+        /** @psalm-suppress InvalidArgument */
         $response = $controllerMock->login($loginRequest, ...$queryParameters);
         $this->assertInstanceOf(RunnableResponse::class, $response);
         $arguments = $response->getArguments();
@@ -327,15 +328,35 @@ public function testValidServiceUrl(string $serviceParam, string $redirectURL, b
         $this->assertEquals('redirectTrustedURL', $callable[1] ?? '');
     }
 
-    public function testGatewayPassiveDisabledRedirectsWithoutParams(): void
+    /**
+     * @return array<array{0:string}>
+     */
+    public function serviceUrlsProvider(): array
+    {
+        return [
+            ['https://example.com/ssp/module.php/cas/linkback.php'],
+            ['https://example.com/ssp/module.php/cas/linkback.php?foo=1&bar=2'],
+        ];
+    }
+
+    /**
+     * When passive is disabled and a service is provided, CAS must redirect to the service without appending CAS params
+     *
+     * @dataProvider serviceUrlsProvider
+     */
+    public function testGatewayPassiveDisabledRedirectsWithoutParams(string $serviceUrl): void
     {
         // enable_passive_mode disabled
         $moduleConfig = $this->moduleConfig;
         $moduleConfig['enable_passive_mode'] = false;
+
+        // Ensure the exact service URL (including its query string, if any) is allowed
+        $moduleConfig['legal_service_urls'] = [$serviceUrl];
+
         $casconfig = Configuration::loadFromArray($moduleConfig);
 
         $params = [
-            'service' => 'https://example.com/ssp/module.php/cas/linkback.php',
+            'service' => $serviceUrl,
             'gateway' => true,
         ];
         $loginRequest = Request::create(
@@ -355,15 +376,16 @@ public function testGatewayPassiveDisabledRedirectsWithoutParams(): void
         $controllerMock->expects($this->once())->method('getSession')->willReturn($this->sessionMock);
         $this->sessionMock->expects($this->once())->method('getSessionId')->willReturn(session_create_id());
 
+        // Execute
         $response = $controllerMock->login($loginRequest, ...$params);
 
+        // Validate redirect with original service URL and no CAS parameters appended
         $this->assertInstanceOf(RunnableResponse::class, $response);
         $callable = (array)$response->getCallable();
         $this->assertEquals('redirectTrustedURL', $callable[1] ?? '');
 
-        // Service URL unchanged and NO CAS params appended
         $arguments = $response->getArguments();
-        $this->assertEquals('https://example.com/ssp/module.php/cas/linkback.php', $arguments[0]);
+        $this->assertEquals($serviceUrl, $arguments[0]);
         $this->assertSame([], $arguments[1] ?? []);
     }
 
@@ -403,7 +425,7 @@ public function testGatewayPassiveEnabledPerformsPassiveAttempt(): void
         $callable = (array)$response->getCallable();
         $this->assertEquals('login', $callable[1] ?? '');
 
-        // Verify isPassive=true, ForceAuthn=false, ReturnTo contains gatewayTried=1
+        // Verify isPassive=true, ForceAuthn=false
         $arguments = $response->getArguments();
         $actualLoginParams = $arguments[0] ?? [];
         $this->assertArrayHasKey('ForceAuthn', $actualLoginParams);
@@ -412,50 +434,6 @@ public function testGatewayPassiveEnabledPerformsPassiveAttempt(): void
         $this->assertTrue($actualLoginParams['isPassive']);
         $this->assertArrayHasKey('ReturnTo', $actualLoginParams);
         $this->assertIsString($actualLoginParams['ReturnTo']);
-        $this->assertStringContainsString('gatewayTried=1', $actualLoginParams['ReturnTo']);
-    }
-
-    public function testGatewayPassiveEnabledSecondPassRedirectsWithoutParams(): void
-    {
-        // enable_passive_mode enabled
-        $moduleConfig = $this->moduleConfig;
-        $moduleConfig['enable_passive_mode'] = true;
-        $casconfig = Configuration::loadFromArray($moduleConfig);
-
-        // Include gatewayTried in the Request only
-        $requestParams = [
-            'service' => 'https://example.com/ssp/module.php/cas/linkback.php',
-            'gateway' => true,
-            'gatewayTried' => '1', // simulate second pass after passive attempt
-        ];
-        $loginRequest = Request::create(
-            uri:        Module::getModuleURL('casserver/login'),
-            parameters: $requestParams,
-        );
-
-        $controllerMock = $this->getMockBuilder(LoginController::class)
-            ->setConstructorArgs([$this->sspConfig, $casconfig, $this->authSimpleMock, $this->httpUtils])
-            ->onlyMethods(['getSession'])
-            ->getMock();
-
-        $this->authSimpleMock->expects($this->atLeastOnce())->method('isAuthenticated')->willReturn(false);
-
-        $controllerMock->expects($this->once())->method('getSession')->willReturn($this->sessionMock);
-        $this->sessionMock->expects($this->once())->method('getSessionId')->willReturn(session_create_id());
-
-        // Do not pass 'gatewayTried' as named argument
-        $callParams = $requestParams;
-        unset($callParams['gatewayTried']);
-
-        $response = $controllerMock->login($loginRequest, ...$callParams);
-
-        $this->assertInstanceOf(RunnableResponse::class, $response);
-        $callable = (array)$response->getCallable();
-        $this->assertEquals('redirectTrustedURL', $callable[1] ?? '');
-
-        $arguments = $response->getArguments();
-        $this->assertEquals('https://example.com/ssp/module.php/cas/linkback.php', $arguments[0]);
-        $this->assertSame([], $arguments[1] ?? []);
     }
 
     public function testGatewayNoServicePassiveDisabledFallsBackToInteractive(): void
@@ -572,6 +550,7 @@ public function testAuthenticatedPostSubmitsViaPostWithTicket(): void
             ],
         ]);
 
+        /** @psalm-suppress InvalidArgument */
         $response = $controllerMock->login($loginRequest, ...$requestParams);
 
         $this->assertInstanceOf(RunnableResponse::class, $response);
@@ -585,54 +564,4 @@ public function testAuthenticatedPostSubmitsViaPostWithTicket(): void
         $this->assertArrayHasKey('ticket', $params);
         $this->assertStringStartsWith('ST-', $params['ticket']);
     }
-
-    public function testGatewayRedirectPreservesServiceQueryWithoutTicket(): void
-    {
-        // Passive disabled to trigger direct redirect with no ticket
-        $moduleConfig = $this->moduleConfig;
-        $moduleConfig['enable_passive_mode'] = false;
-
-        // Service URL with existing query parameters
-        $serviceWithQuery = 'https://example.com/ssp/module.php/cas/linkback.php?foo=1&bar=2';
-        // Ensure the exact service URL (including its query string) is allowed
-        $moduleConfig['legal_service_urls'] = [$serviceWithQuery];
-
-        $casconfig = Configuration::loadFromArray($moduleConfig);
-
-        $params = [
-            'service' => $serviceWithQuery,
-            'gateway' => true,
-        ];
-
-        $loginRequest = Request::create(
-            uri:        Module::getModuleURL('casserver/login'),
-            parameters: $params,
-        );
-
-        $controllerMock = $this->getMockBuilder(LoginController::class)
-            ->setConstructorArgs([$this->sspConfig, $casconfig, $this->authSimpleMock, $this->httpUtils])
-            ->onlyMethods(['getSession'])
-            ->getMock();
-
-        // Unauthenticated so gateway path is exercised
-        $this->authSimpleMock->expects($this->atLeastOnce())->method('isAuthenticated')->willReturn(false);
-
-        // Session used to build ReturnTo
-        $controllerMock->expects($this->once())->method('getSession')->willReturn($this->sessionMock);
-        $this->sessionMock->expects($this->once())->method('getSessionId')->willReturn(session_create_id());
-
-        // Execute
-        $response = $controllerMock->login($loginRequest, ...$params);
-
-        // Validate redirect with original query intact and no CAS parameters appended
-        $this->assertInstanceOf(RunnableResponse::class, $response);
-        $callable = (array)$response->getCallable();
-        $this->assertEquals('redirectTrustedURL', $callable[1] ?? '');
-
-        $arguments = $response->getArguments();
-        // URL should be exactly the original service URL including its query string
-        $this->assertEquals($serviceWithQuery, $arguments[0]);
-        // No additional parameters (e.g., no ticket) should be appended by CAS
-        $this->assertSame([], $arguments[1] ?? []);
-    }
 }
