Add feature toggle and tests for stable hash migration

Introduces the `feature_stable_consent_hash_migration` toggle
(default: false) to control when the legacy `attribute` column is
phased out, and adds edge-case test coverage.

Toggle OFF (default): new consent writes both `attribute` and
`attribute_stable` so old EB instances still find records during a
rolling deploy; hash upgrades leave `attribute` intact.

Toggle ON: new consent writes only `attribute_stable` (attribute=NULL)
and upgrades null the old column, cleaning it up over time once all
instances run the new version.

Also:
- Add edge-case tests for consent hash versioning
- Fix test configuration for consent scenarios
- Drop redundant unserialize/serialize deep copies in ConsentHashService
  (PHP passes arrays by value; a mutation-safety regression test is
  added to guard against future changes)

Author: kayjoosten

config/packages/engineblock_features.yaml

@@ -16,3 +16,4 @@ parameters:
         eb.stepup.sfo.override_engine_entityid: "%feature_stepup_sfo_override_engine_entityid%"
         eb.stepup.send_user_attributes: "%feature_stepup_send_user_attributes%"
         eb.feature_enable_sram_interrupt: "%feature_enable_sram_interrupt%"
+        eb.stable_consent_hash_migration: "%feature_stable_consent_hash_migration%"

config/packages/parameters.yml.dist

@@ -227,6 +227,7 @@ parameters:
     feature_stepup_sfo_override_engine_entityid: false
     feature_stepup_send_user_attributes: false
     feature_enable_sram_interrupt: false
+    feature_stable_consent_hash_migration: false
 
     ##########################################################################################
     ## PROFILE SETTINGS

config/services/services.yml

@@ -79,6 +79,7 @@ services:
         public: false
         arguments:
             - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
+            - '@OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration'
 
     OpenConext\EngineBlock\Service\Consent\ConsentService:
         arguments:

library/EngineBlock/Corto/Model/Consent.php

@@ -85,38 +85,39 @@ public function __construct(
         $this->_consentEnabled = $consentEnabled;
     }
 
-    public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): bool
+    public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): ConsentVersion
     {
         if (!$this->_consentEnabled) {
-            return true;
+            // Consent disabled: treat as already given (stable — no upgrade needed)
+            return ConsentVersion::stable();
         }
-        $consent = $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_EXPLICIT);
-        return $consent->given();
+        return $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_EXPLICIT);
     }
 
     /**
      * Although the user has given consent previously we want to upgrade the deprecated unstable consent
      * to the new stable consent type.
      * https://www.pivotaltracker.com/story/show/176513931
+     *
+     * The caller must pass the ConsentVersion already retrieved by explicitConsentWasGivenFor or
+     * implicitConsentWasGivenFor to avoid a second identical DB query.
      */
-    public function upgradeAttributeHashFor(ServiceProvider $serviceProvider, string $consentType): void
+    public function upgradeAttributeHashFor(ServiceProvider $serviceProvider, string $consentType, ConsentVersion $consentVersion): void
     {
         if (!$this->_consentEnabled) {
             return;
         }
-        $consentVersion = $this->_hasStoredConsent($serviceProvider, $consentType);
         if ($consentVersion->isUnstable()) {
             $this->_updateConsent($serviceProvider, $consentType);
         }
     }
 
-    public function implicitConsentWasGivenFor(ServiceProvider $serviceProvider): bool
+    public function implicitConsentWasGivenFor(ServiceProvider $serviceProvider): ConsentVersion
     {
         if (!$this->_consentEnabled) {
-            return true;
+            return ConsentVersion::stable();
         }
-        $consent = $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_IMPLICIT);
-        return $consent->given();
+        return $this->_hasStoredConsent($serviceProvider, ConsentType::TYPE_IMPLICIT);
     }
 
     public function giveExplicitConsentFor(ServiceProvider $serviceProvider): bool
@@ -168,6 +169,7 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType):
             serviceId: $serviceProvider->entityId,
             attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
             consentType: $consentType,
+            attributeHash: $this->_getAttributesHash($this->_responseAttributes),
         );
 
         return $this->_hashService->storeConsentHash($parameters);

library/EngineBlock/Corto/Module/Service/ProcessConsent.php

@@ -100,10 +100,11 @@ public function serve($serviceName, Request $httpRequest)
         $attributes = $response->getAssertion()->getAttributes();
         $consentRepository = $this->_consentFactory->create($this->_server, $response, $attributes);
 
-        if (!$consentRepository->explicitConsentWasGivenFor($serviceProvider)) {
+        $explicitConsent = $consentRepository->explicitConsentWasGivenFor($serviceProvider);
+        if (!$explicitConsent->given()) {
             $consentRepository->giveExplicitConsentFor($destinationMetadata);
         } else {
-            $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT);
+            $consentRepository->upgradeAttributeHashFor($destinationMetadata, ConsentType::TYPE_EXPLICIT, $explicitConsent);
         }
 
         $response->setConsent(Constants::CONSENT_OBTAINED);

library/EngineBlock/Corto/Module/Service/ProvideConsent.php

@@ -144,10 +144,11 @@ public function serve($serviceName, Request $httpRequest)
 
 
         if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
-            if (!$consentRepository->implicitConsentWasGivenFor($serviceProviderMetadata)) {
+            $implicitConsent = $consentRepository->implicitConsentWasGivenFor($serviceProviderMetadata);
+            if (!$implicitConsent->given()) {
                 $consentRepository->giveImplicitConsentFor($serviceProviderMetadata);
             } else {
-                $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT);
+                $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_IMPLICIT, $implicitConsent);
             }
 
             $response->setConsent(Constants::CONSENT_INAPPLICABLE);
@@ -165,8 +166,8 @@ public function serve($serviceName, Request $httpRequest)
         }
 
         $priorConsent = $consentRepository->explicitConsentWasGivenFor($serviceProviderMetadata);
-        if ($priorConsent) {
-            $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_EXPLICIT);
+        if ($priorConsent->given()) {
+            $consentRepository->upgradeAttributeHashFor($serviceProviderMetadata, ConsentType::TYPE_EXPLICIT, $priorConsent);
 
             $response->setConsent(Constants::CONSENT_PRIOR);
 

…rineMigrations/Version20220503092351.php …rineMigrations/Version20260315000001.phpmigrations/DoctrineMigrations/Version20220503092351.php renamed to migrations/DoctrineMigrations/Version20260315000001.php migrations/DoctrineMigrations/Version20220503092351.php renamed to migrations/DoctrineMigrations/Version20260315000001.php

@@ -30,6 +30,8 @@ public function up(Schema $schema): void
 
     public function down(Schema $schema): void
     {
-        $this->addSql('ALTER TABLE consent DROP attribute_stable, CHANGE attribute attribute VARCHAR(80) CHARACTER SET utf8 NOT NULL COLLATE `utf8_unicode_ci`');
+        $this->addSql('UPDATE consent SET attribute = attribute_stable WHERE attribute IS NULL AND attribute_stable IS NOT NULL');
+        $this->addSql('ALTER TABLE consent CHANGE attribute attribute VARCHAR(80) NOT NULL');
+        $this->addSql('ALTER TABLE consent DROP attribute_stable');
     }
 }

src/OpenConext/EngineBlock/Authentication/Repository/ConsentRepository.php

@@ -58,5 +58,5 @@ public function storeConsentHash(ConsentStoreParameters $parameters): bool;
      */
     public function updateConsentHash(ConsentUpdateParameters $parameters): bool;
 
-    public function countTotalConsent($consentUid): int;
+    public function countTotalConsent(string $consentUid): int;
 }

src/OpenConext/EngineBlock/Authentication/Value/ConsentStoreParameters.php

@@ -25,6 +25,7 @@ public function __construct(
         public readonly string $serviceId,
         public readonly string $attributeStableHash,
         public readonly string $consentType,
+        public readonly ?string $attributeHash = null,
     ) {
     }
 }

src/OpenConext/EngineBlock/Authentication/Value/ConsentUpdateParameters.php

@@ -26,6 +26,7 @@ public function __construct(
         public readonly string $hashedUserId,
         public readonly string $serviceId,
         public readonly string $consentType,
+        public readonly bool $clearLegacyHash = false,
     ) {
     }
 }