Refine consent hash: ConsentAttributes value object, DI, docs, and cleanup

Encapsulate stable consent hash normalisation in the ConsentAttributes
value object. The raw-array + boolean flag signature of
getStableAttributesHash scattered the "which strategy" decision across
every call boundary. ConsentAttributes with named constructors
(withValues / namesOnly) makes the strategy choice once at the call
site, removes the boolean from downstream signatures, and centralises
all normalisation logic with a single testable output (getCompareValue).

Also in this commit:
- Use Symfony DI for Consent factory instead of relying on the old Corto
  service provider singleton (EngineBlock_ApplicationSingleton)
- Make empty-attribute stripping explicit: rename sortArrayRecursive to
  sortRecursive (sort-only), make removeEmptyAttributes recursive so
  nested empty sub-values are stripped without relying on the sort pass
- Add tests pinning the empty-attribute stripping policy:
  * Attribute going from having values to empty array -> different hash
    (triggers re-consent: SP was receiving data, now isn't)
  * Stray empty string in value list -> stripped, same hash as without it
    (no spurious re-consent)
  * Zero values (0, 0.0, "0") -> preserved, not stripped
- Remove unused parameters and properties
- Add CHANGELOG entry for feature_stable_consent_hash_migration
- Annotate deprecated code for removal after next release
- Expand unit test coverage for consent hashing

Author: johanib

CHANGELOG.md

@@ -27,6 +27,12 @@ Changes:
   * The `0000-00-00 00:00:00` is added for clarity/consistency, as this is probably the default behaviour of your database already.
 * Removed unused index `consent.deleted_at`. Delete this from your production database if it's there.
 
+* Stabilized consent checks
+  * In order to make the consent hashes more robust, a more consistent way of hashing the user attributes has been introduced
+  * This feature automatically migrates from the old hashes to the new hashes, cleaning up the old hash.
+  * However, if blue/green deployments are used or if you want to keep the option open to roll back the EB release, keep the `feature_stable_consent_hash_migration` set to false in order to preserve the old consent hashes.
+  * Once the new release is fully rolled out, set `feature_stable_consent_hash_migration` to true. This will clean up the old consent hashes upon login. In the next EB release, the old consent hash column will be deleted.
+
 ## 7.1.0
 SRAM integration
 

config/services/ci/services.yml

@@ -66,6 +66,12 @@ services:
         arguments:
             - "@engineblock.functional_testing.data_store.sbs_client_state_mananger"
 
+    engineblock.compat.corto_model_consent_factory:
+        class: EngineBlock_Corto_Model_Consent_Factory
+        arguments:
+            - "@engineblock.service.consent.ConsentHashService"
+            - "@engineblock.functional_testing.fixture.features"
+
     #endregion Fixtures
 
     #region Data Stores

config/services/compat.yml

@@ -49,8 +49,8 @@ services:
     engineblock.compat.corto_model_consent_factory:
         class: EngineBlock_Corto_Model_Consent_Factory
         arguments:
-            - "@engineblock.compat.corto_filter_command_factory"
             - "@engineblock.service.consent.ConsentHashService"
+            - "@OpenConext\\EngineBlockBundle\\Configuration\\FeatureConfiguration"
 
     engineblock.compat.saml2_id_generator:
         public: true

library/EngineBlock/Corto/Model/Consent.php

@@ -22,15 +22,11 @@
 use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Authentication\Value\ConsentType;
+use OpenConext\EngineBlock\Service\Consent\ConsentAttributes;
 use OpenConext\EngineBlock\Service\Consent\ConsentHashServiceInterface;
 
 class EngineBlock_Corto_Model_Consent
 {
-    /**
-     * @var string
-     */
-    private $_tableName;
-
     /**
      * @var bool
      */
@@ -68,15 +64,13 @@ class EngineBlock_Corto_Model_Consent
      * @param bool $amPriorToConsentEnabled Is the run_all_manipulations_prior_to_consent feature enabled or not
      */
     public function __construct(
-        string $tableName,
         bool $mustStoreValues,
         EngineBlock_Saml2_ResponseAnnotationDecorator $response,
         array $responseAttributes,
         bool $amPriorToConsentEnabled,
         bool $consentEnabled,
         ConsentHashServiceInterface $hashService
     ) {
-        $this->_tableName = $tableName;
         $this->_mustStoreValues = $mustStoreValues;
         $this->_response = $response;
         $this->_responseAttributes = $responseAttributes;
@@ -101,6 +95,8 @@ public function explicitConsentWasGivenFor(ServiceProvider $serviceProvider): Co
      *
      * The caller must pass the ConsentVersion already retrieved by explicitConsentWasGivenFor or
      * implicitConsentWasGivenFor to avoid a second identical DB query.
+     *
+     * @deprecated Remove after stable consent hash is running in production
      */
     public function upgradeAttributeHashFor(ServiceProvider $serviceProvider, ConsentType $consentType, ConsentVersion $consentVersion): void
     {
@@ -147,14 +143,19 @@ protected function _getConsentUid()
         return $this->_response->getNameIdValue();
     }
 
+    /** @deprecated Remove after stable consent hash is running in production */
     protected function _getAttributesHash($attributes): string
     {
         return $this->_hashService->getUnstableAttributesHash($attributes, $this->_mustStoreValues);
     }
 
     protected function _getStableAttributesHash($attributes): string
     {
-        return $this->_hashService->getStableAttributesHash($attributes, $this->_mustStoreValues);
+        $consentAttributes = $this->_mustStoreValues
+            ? ConsentAttributes::withValues($attributes)
+            : ConsentAttributes::namesOnly($attributes);
+
+        return $this->_hashService->getStableConsentHash($consentAttributes);
     }
 
     private function _storeConsent(ServiceProvider $serviceProvider, ConsentType $consentType): bool
@@ -175,6 +176,7 @@ private function _storeConsent(ServiceProvider $serviceProvider, ConsentType $co
         return $this->_hashService->storeConsentHash($parameters);
     }
 
+    /** @deprecated Remove after stable consent hash is running in production */
     private function _updateConsent(ServiceProvider $serviceProvider, ConsentType $consentType): bool
     {
         $consentUid = $this->_getConsentUid();

library/EngineBlock/Corto/Model/Consent/Factory.php

@@ -17,61 +17,45 @@
  */
 
 use OpenConext\EngineBlock\Service\Consent\ConsentHashServiceInterface;
+use OpenConext\EngineBlockBundle\Configuration\FeatureConfigurationInterface;
 
 /**
  * @todo write a test
  */
 class EngineBlock_Corto_Model_Consent_Factory
 {
-    /** @var EngineBlock_Corto_Filter_Command_Factory */
-    private $_filterCommandFactory;
 
-    /**
-     * @var ConsentHashServiceInterface
-     */
-    private $_hashService;
+    private ConsentHashServiceInterface $hashService;
+    private FeatureConfigurationInterface $featureConfiguration;
 
-    /**
-      * @param EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory
-      */
     public function __construct(
-        EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory,
-        ConsentHashServiceInterface $hashService
+        ConsentHashServiceInterface $hashService,
+        FeatureConfigurationInterface $featureConfiguration
     ) {
-        $this->_filterCommandFactory = $filterCommandFactory;
-        $this->_hashService = $hashService;
+        $this->hashService = $hashService;
+        $this->featureConfiguration = $featureConfiguration;
     }
 
     /**
-     * Creates a new Consent instance
-     *
-     * @param EngineBlock_Corto_ProxyServer $proxyServer
-     * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
      * @param array $attributes
-     * @return EngineBlock_Corto_Model_Consent
      */
     public function create(
         EngineBlock_Corto_ProxyServer $proxyServer,
         EngineBlock_Saml2_ResponseAnnotationDecorator $response,
         array $attributes
-    ) {
+    ): EngineBlock_Corto_Model_Consent {
         // If attribute manipulation was executed before consent, the NameId must be retrieved from the original response
         // object, in order to ensure correct 'hashed_user_id' generation.
-        $featureConfiguration = EngineBlock_ApplicationSingleton::getInstance()
-            ->getDiContainer()
-            ->getFeatureConfiguration();
-
-        $amPriorToConsent = $featureConfiguration->isEnabled('eb.run_all_manipulations_prior_to_consent');
-        $consentEnabled = $featureConfiguration->isEnabled('eb.feature_enable_consent');
+        $amPriorToConsent = $this->featureConfiguration->isEnabled('eb.run_all_manipulations_prior_to_consent');
+        $consentEnabled = $this->featureConfiguration->isEnabled('eb.feature_enable_consent');
 
         return new EngineBlock_Corto_Model_Consent(
-            $proxyServer->getConfig('ConsentDbTable', 'consent'),
             $proxyServer->getConfig('ConsentStoreValues', true),
             $response,
             $attributes,
             $amPriorToConsent,
             $consentEnabled,
-            $this->_hashService
+            $this->hashService
         );
     }
 }

migrations/DoctrineMigrations/Version20260315000001.php

@@ -1,5 +1,21 @@
 <?php
 
+/**
+ * Copyright 2026 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 declare(strict_types=1);
 
 namespace OpenConext\EngineBlock\Doctrine\Migrations;

src/OpenConext/EngineBlock/Authentication/Value/ConsentHashQuery.php

@@ -23,6 +23,7 @@ final class ConsentHashQuery
     public function __construct(
         public readonly string $hashedUserId,
         public readonly string $serviceId,
+        /** @deprecated Remove after stable consent hash is running in production */
         public readonly string $attributeHash,
         public readonly string $attributeStableHash,
         public readonly string $consentType,

src/OpenConext/EngineBlock/Authentication/Value/ConsentStoreParameters.php

@@ -25,6 +25,7 @@ public function __construct(
         public readonly string $serviceId,
         public readonly string $attributeStableHash,
         public readonly string $consentType,
+        /** @deprecated Remove after stable consent hash is running in production */
         public readonly ?string $attributeHash = null,
     ) {
     }

src/OpenConext/EngineBlock/Authentication/Value/ConsentUpdateParameters.php

@@ -22,10 +22,12 @@ final class ConsentUpdateParameters
 {
     public function __construct(
         public readonly string $attributeStableHash,
+        /** @deprecated Remove after stable consent hash is running in production */
         public readonly string $attributeHash,
         public readonly string $hashedUserId,
         public readonly string $serviceId,
         public readonly string $consentType,
+        /** @deprecated Remove after stable consent hash is running in production */
         public readonly bool $clearLegacyHash = false,
     ) {
     }

src/OpenConext/EngineBlock/Authentication/Value/ConsentVersion.php

@@ -23,6 +23,7 @@
 final class ConsentVersion
 {
     const STABLE = 'stable';
+    /** @deprecated Remove after stable consent hash is running in production */
     const UNSTABLE = 'unstable';
     const NOT_GIVEN = 'not-given';
 
@@ -36,6 +37,7 @@ public static function stable(): ConsentVersion
         return new self(self::STABLE);
     }
 
+    /** @deprecated Remove after stable consent hash is running in production */
     public static function unstable(): ConsentVersion
     {
         return new self(self::UNSTABLE);
@@ -70,6 +72,7 @@ public function __toString()
         return $this->consentVersion;
     }
 
+    /** @deprecated Remove after stable consent hash is running in production */
     public function isUnstable(): bool
     {
         return $this->consentVersion === self::UNSTABLE;