test: add unit, functional and integration tests for NameID lookup API

Author: kayjoosten

migrations/DoctrineMigrations/Version20260331000000.php

@@ -0,0 +1,57 @@
+<?php
+
+/**
+ * Copyright 2026 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types=1);
+
+namespace OpenConext\EngineBlock\Doctrine\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+
+/**
+ * Corrects the column comment on saml_persistent_id.persistent_id.
+ *
+ * The original comment read "SHA1 of service_provider_uuid + user_uuid", which was
+ * inaccurate in two ways: the operand order was wrong, and the COIN: salt was omitted.
+ * The actual value stored is sha1('COIN:' + user_uuid + service_provider_uuid), as
+ * defined in EngineBlock_Saml2_NameIdResolver::PERSISTENT_NAMEID_SALT.
+ *
+ * NOTE: This migration is NOT mandatory. It only updates a database-level column comment
+ * and has no effect on data integrity or application behaviour. It is safe to skip on
+ * existing installations where updating the comment is not considered necessary.
+ */
+final class Version20260331000000 extends AbstractEngineBlockMigration
+{
+    public function getDescription(): string
+    {
+        return 'Corrects the column comment on saml_persistent_id.persistent_id to accurately reflect the SHA1 formula.';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(
+            "ALTER TABLE `saml_persistent_id` MODIFY COLUMN `persistent_id` CHAR(40) NOT NULL COMMENT 'SHA1 of COIN: + user_uuid + service_provider_uuid'"
+        );
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql(
+            "ALTER TABLE `saml_persistent_id` MODIFY COLUMN `persistent_id` CHAR(40) NOT NULL COMMENT 'SHA1 of service_provider_uuid + user_uuid'"
+        );
+    }
+}

src/OpenConext/EngineBlock/Service/NameIdLookupService.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright 2010 SURFnet B.V.
+ * Copyright 2026 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/OpenConext/EngineBlockBundle/Controller/Api/UserController.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright 2010 SURFnet B.V.
+ * Copyright 2026 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -51,7 +51,7 @@ private function getCallerUsername(): string
         return $this->tokenStorage->getToken()?->getUserIdentifier() ?? 'unknown';
     }
 
-    #[Route(path: '/info/users/nameid', name: 'api_users_nameid', methods: ['POST'], defaults: ['_format' => 'json'])]
+    #[Route(path: '/info/users/nameid', name: 'api_users_nameid', defaults: ['_format' => 'json'], methods: ['POST'])]
     public function nameIdAction(Request $request): JsonResponse
     {
         if (!$this->featureConfiguration->isEnabled('api.users_nameid')) {
@@ -80,7 +80,7 @@ public function nameIdAction(Request $request): JsonResponse
         return new JsonResponse($results, Response::HTTP_OK);
     }
 
-    #[Route(path: '/info/users/id', name: 'api_users_id', methods: ['POST'], defaults: ['_format' => 'json'])]
+    #[Route(path: '/info/users/id', name: 'api_users_id', defaults: ['_format' => 'json'], methods: ['POST'])]
     public function userIdentityAction(Request $request): JsonResponse
     {
         if (!$this->featureConfiguration->isEnabled('api.users_id')) {
@@ -101,11 +101,13 @@ public function userIdentityAction(Request $request): JsonResponse
             if (!is_string($nameId)) {
                 throw new BadApiRequestHttpException('Each entry in the request must be a string NameID');
             }
+
             if (!preg_match('/^[0-9a-f]{40}$/i', $nameId)) {
                 throw new BadApiRequestHttpException(
                     sprintf('Invalid NameID format "%s": must be a 40-character hexadecimal SHA1 string', $nameId)
                 );
             }
+
             $results[] = $this->nameIdLookupService->resolveUserIdentity($nameId);
         }
 

tests/functional/OpenConext/EngineBlockBundle/Authentication/Repository/NameIdLookupRepositoryTest.php

@@ -0,0 +1,178 @@
+<?php
+
+/**
+ * Copyright 2026 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlockBundle\Tests;
+
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Query\QueryBuilder;
+use OpenConext\EngineBlock\Authentication\Value\CollabPersonUuid;
+use OpenConext\EngineBlockBundle\Authentication\Repository\SamlPersistentIdRepository;
+use OpenConext\EngineBlockBundle\Authentication\Repository\ServiceProviderUuidRepository;
+use OpenConext\EngineBlockBundle\Authentication\Repository\UserRepository;
+use PHPUnit\Framework\Attributes\Group;
+use PHPUnit\Framework\Attributes\Test;
+use Ramsey\Uuid\Uuid;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+
+final class NameIdLookupRepositoryTest extends KernelTestCase
+{
+    protected function tearDown(): void
+    {
+        $this->clearFixtures();
+        parent::tearDown();
+        restore_exception_handler();
+    }
+
+    #[Group('Repository')]
+    #[Group('NameIdLookup')]
+    #[Test]
+    public function find_by_collab_person_uuid_returns_the_correct_user(): void
+    {
+        $userUuid      = Uuid::uuid4()->toString();
+        $collabPersonId = 'urn:collab:person:example.edu:' . uniqid();
+
+        $this->insertUser($collabPersonId, $userUuid);
+
+        $repo = self::getContainer()->get(UserRepository::class);
+        $user = $repo->findByCollabPersonUuid(new CollabPersonUuid($userUuid));
+
+        $this->assertNotNull($user);
+        $this->assertSame($collabPersonId, $user->collabPersonId->getCollabPersonId());
+        $this->assertSame($userUuid, $user->collabPersonUuid->getUuid());
+    }
+
+    #[Group('Repository')]
+    #[Group('NameIdLookup')]
+    #[Test]
+    public function find_by_collab_person_uuid_returns_null_when_uuid_is_unknown(): void
+    {
+        $repo = self::getContainer()->get(UserRepository::class);
+        $user = $repo->findByCollabPersonUuid(new CollabPersonUuid('00000000-0000-0000-0000-000000000000'));
+
+        $this->assertNull($user);
+    }
+
+    #[Group('Repository')]
+    #[Group('NameIdLookup')]
+    #[Test]
+    public function find_uuid_by_entity_id_returns_the_uuid_for_a_known_sp(): void
+    {
+        $spUuid     = Uuid::uuid4()->toString();
+        $spEntityId = 'https://sp-' . uniqid() . '.example.com/';
+
+        $this->insertServiceProvider($spUuid, $spEntityId);
+
+        $repo = self::getContainer()->get(ServiceProviderUuidRepository::class);
+        $uuid = $repo->findUuidByEntityId($spEntityId);
+
+        $this->assertSame($spUuid, $uuid);
+    }
+
+    #[Group('Repository')]
+    #[Group('NameIdLookup')]
+    #[Test]
+    public function find_uuid_by_entity_id_returns_null_when_sp_is_unknown(): void
+    {
+        $repo = self::getContainer()->get(ServiceProviderUuidRepository::class);
+        $uuid = $repo->findUuidByEntityId('https://unknown-sp.example.com/');
+
+        $this->assertNull($uuid);
+    }
+
+    #[Group('Repository')]
+    #[Group('NameIdLookup')]
+    #[Test]
+    public function find_by_user_and_sp_uuid_returns_entry_when_persistent_id_exists(): void
+    {
+        $userUuid     = Uuid::uuid4()->toString();
+        $spUuid       = Uuid::uuid4()->toString();
+        $persistentId = sha1('COIN:' . $userUuid . $spUuid);
+
+        $this->insertPersistentId($persistentId, $userUuid, $spUuid);
+
+        $repo  = self::getContainer()->get(SamlPersistentIdRepository::class);
+        $entry = $repo->findByUserAndSpUuid($userUuid, $spUuid);
+
+        $this->assertNotNull($entry);
+        $this->assertSame($persistentId, $entry->persistentId);
+        $this->assertSame($userUuid, $entry->userUuid);
+        $this->assertSame($spUuid, $entry->serviceProviderUuid);
+    }
+
+    #[Group('Repository')]
+    #[Group('NameIdLookup')]
+    #[Test]
+    public function find_by_user_and_sp_uuid_returns_null_when_no_persistent_id_stored(): void
+    {
+        $repo  = self::getContainer()->get(SamlPersistentIdRepository::class);
+        $entry = $repo->findByUserAndSpUuid(Uuid::uuid4()->toString(), Uuid::uuid4()->toString());
+
+        $this->assertNull($entry);
+    }
+
+    private function insertUser(string $collabPersonId, string $uuid): void
+    {
+        $qb = $this->connection()->createQueryBuilder();
+        assert($qb instanceof QueryBuilder);
+        $qb->insert('user')
+            ->values(['collab_person_id' => ':collab_person_id', 'uuid' => ':uuid'])
+            ->setParameters(['collab_person_id' => $collabPersonId, 'uuid' => $uuid])
+            ->executeStatement();
+    }
+
+    private function insertServiceProvider(string $uuid, string $entityId): void
+    {
+        $qb = $this->connection()->createQueryBuilder();
+        assert($qb instanceof QueryBuilder);
+        $qb->insert('service_provider_uuid')
+            ->values(['uuid' => ':uuid', 'service_provider_entity_id' => ':entity_id'])
+            ->setParameters(['uuid' => $uuid, 'entity_id' => $entityId])
+            ->executeStatement();
+    }
+
+    private function insertPersistentId(string $persistentId, string $userUuid, string $spUuid): void
+    {
+        $qb = $this->connection()->createQueryBuilder();
+        assert($qb instanceof QueryBuilder);
+        $qb->insert('saml_persistent_id')
+            ->values([
+                'persistent_id'         => ':persistent_id',
+                'user_uuid'             => ':user_uuid',
+                'service_provider_uuid' => ':sp_uuid',
+            ])
+            ->setParameters([
+                'persistent_id' => $persistentId,
+                'user_uuid'     => $userUuid,
+                'sp_uuid'       => $spUuid,
+            ])
+            ->executeStatement();
+    }
+
+    private function clearFixtures(): void
+    {
+        $conn = $this->connection();
+        $conn->executeStatement('DELETE FROM saml_persistent_id');
+        $conn->executeStatement('DELETE FROM service_provider_uuid');
+        $conn->executeStatement('DELETE FROM user');
+    }
+
+    private function connection(): Connection
+    {
+        return self::getContainer()->get('doctrine')->getConnection();
+    }
+}