feat(consent): add feature toggle for stable hash migration

Introduces `eb.stable_consent_hash_migration` (default: false) to control
when the legacy `attribute` column is phased out.

Toggle OFF (default): new consent writes both `attribute` and `attribute_stable`
so old EB instances still find records during a rolling deploy; upgrades leave
`attribute` intact for the same reason.

Toggle ON: new consent writes only `attribute_stable` (attribute=NULL) and
upgrades null the old column, cleaning it up over time once all instances
are on the new version.

Author: kayjoosten

config/packages/engineblock_features.yaml

@@ -16,3 +16,4 @@ parameters:
         eb.stepup.sfo.override_engine_entityid: "%feature_stepup_sfo_override_engine_entityid%"
         eb.stepup.send_user_attributes: "%feature_stepup_send_user_attributes%"
         eb.feature_enable_sram_interrupt: "%feature_enable_sram_interrupt%"
+        eb.stable_consent_hash_migration: "%feature_stable_consent_hash_migration%"

config/packages/parameters.yml.dist

@@ -224,6 +224,7 @@ parameters:
     feature_stepup_sfo_override_engine_entityid: false
     feature_stepup_send_user_attributes: false
     feature_enable_sram_interrupt: false
+    feature_stable_consent_hash_migration: false
 
     ##########################################################################################
     ## PROFILE SETTINGS

config/services/services.yml

@@ -80,6 +80,7 @@ services:
         public: false
         arguments:
             - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
+            - '@OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration'
 
     OpenConext\EngineBlock\Service\Consent\ConsentService:
         arguments:

library/EngineBlock/Corto/Model/Consent.php

@@ -169,6 +169,7 @@ private function _storeConsent(ServiceProvider $serviceProvider, $consentType):
             serviceId: $serviceProvider->entityId,
             attributeStableHash: $this->_getStableAttributesHash($this->_responseAttributes),
             consentType: $consentType,
+            attributeHash: $this->_getAttributesHash($this->_responseAttributes),
         );
 
         return $this->_hashService->storeConsentHash($parameters);

migrations/DoctrineMigrations/Version20260315000001.php

@@ -48,6 +48,8 @@ public function up(Schema $schema): void
 
     public function down(Schema $schema): void
     {
-        $this->addSql('ALTER TABLE consent DROP attribute_stable, CHANGE attribute attribute VARCHAR(80) CHARACTER SET utf8 NOT NULL COLLATE `utf8_unicode_ci`');
+        $this->addSql('UPDATE consent SET attribute = attribute_stable WHERE attribute IS NULL AND attribute_stable IS NOT NULL');
+        $this->addSql('ALTER TABLE consent CHANGE attribute attribute VARCHAR(80) NOT NULL');
+        $this->addSql('ALTER TABLE consent DROP attribute_stable');
     }
 }

src/OpenConext/EngineBlock/Authentication/Value/ConsentStoreParameters.php

@@ -25,6 +25,7 @@ public function __construct(
         public readonly string $serviceId,
         public readonly string $attributeStableHash,
         public readonly string $consentType,
+        public readonly ?string $attributeHash = null,
     ) {
     }
 }

src/OpenConext/EngineBlock/Authentication/Value/ConsentUpdateParameters.php

@@ -26,6 +26,7 @@ public function __construct(
         public readonly string $hashedUserId,
         public readonly string $serviceId,
         public readonly string $consentType,
+        public readonly bool $clearLegacyHash = false,
     ) {
     }
 }

src/OpenConext/EngineBlock/Service/Consent/ConsentHashService.php

@@ -23,6 +23,7 @@
 use OpenConext\EngineBlock\Authentication\Value\ConsentStoreParameters;
 use OpenConext\EngineBlock\Authentication\Value\ConsentUpdateParameters;
 use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
+use OpenConext\EngineBlockBundle\Configuration\FeatureConfigurationInterface;
 use SAML2\XML\saml\NameID;
 use function array_filter;
 use function array_keys;
@@ -40,14 +41,22 @@
 
 final class ConsentHashService implements ConsentHashServiceInterface
 {
+    private const FEATURE_MIGRATION = 'eb.stable_consent_hash_migration';
+
     /**
      * @var ConsentRepository
      */
     private $consentRepository;
 
-    public function __construct(ConsentRepository $consentHashRepository)
+    /**
+     * @var FeatureConfigurationInterface
+     */
+    private $featureConfiguration;
+
+    public function __construct(ConsentRepository $consentHashRepository, FeatureConfigurationInterface $featureConfiguration)
     {
         $this->consentRepository = $consentHashRepository;
+        $this->featureConfiguration = $featureConfiguration;
     }
 
     public function retrieveConsentHash(ConsentHashQuery $query): ConsentVersion
@@ -57,11 +66,36 @@ public function retrieveConsentHash(ConsentHashQuery $query): ConsentVersion
 
     public function storeConsentHash(ConsentStoreParameters $parameters): bool
     {
+        $migrationEnabled = $this->featureConfiguration->isEnabled(self::FEATURE_MIGRATION);
+
+        if ($migrationEnabled) {
+            $parameters = new ConsentStoreParameters(
+                hashedUserId: $parameters->hashedUserId,
+                serviceId: $parameters->serviceId,
+                attributeStableHash: $parameters->attributeStableHash,
+                consentType: $parameters->consentType,
+                attributeHash: null,
+            );
+        }
+
         return $this->consentRepository->storeConsentHash($parameters);
     }
 
     public function updateConsentHash(ConsentUpdateParameters $parameters): bool
     {
+        $migrationEnabled = $this->featureConfiguration->isEnabled(self::FEATURE_MIGRATION);
+
+        if ($migrationEnabled) {
+            $parameters = new ConsentUpdateParameters(
+                attributeStableHash: $parameters->attributeStableHash,
+                attributeHash: $parameters->attributeHash,
+                hashedUserId: $parameters->hashedUserId,
+                serviceId: $parameters->serviceId,
+                consentType: $parameters->consentType,
+                clearLegacyHash: true,
+            );
+        }
+
         return $this->consentRepository->updateConsentHash($parameters);
     }
 

src/OpenConext/EngineBlockBundle/Authentication/Repository/DbalConsentRepository.php

@@ -226,18 +226,33 @@ public function hasConsentHash(ConsentHashQuery $query): ConsentVersion
      */
     public function storeConsentHash(ConsentStoreParameters $parameters): bool
     {
-        $query = "INSERT INTO consent (hashed_user_id, service_id, attribute_stable, consent_type, consent_date, deleted_at)
-                  VALUES (?, ?, ?, ?, NOW(), '0000-00-00 00:00:00')
-                  ON DUPLICATE KEY UPDATE attribute_stable=VALUES(attribute_stable),
-                  consent_type=VALUES(consent_type), consent_date=NOW(), deleted_at='0000-00-00 00:00:00'";
-
-        try {
-            $this->connection->executeStatement($query, [
+        if ($parameters->attributeHash !== null) {
+            $query = "INSERT INTO consent (hashed_user_id, service_id, attribute, attribute_stable, consent_type, consent_date, deleted_at)
+                      VALUES (?, ?, ?, ?, ?, NOW(), '0000-00-00 00:00:00')
+                      ON DUPLICATE KEY UPDATE attribute=VALUES(attribute), attribute_stable=VALUES(attribute_stable),
+                      consent_type=VALUES(consent_type), consent_date=NOW(), deleted_at='0000-00-00 00:00:00'";
+            $bindings = [
                 $parameters->hashedUserId,
                 $parameters->serviceId,
+                $parameters->attributeHash,
                 $parameters->attributeStableHash,
                 $parameters->consentType,
-            ]);
+            ];
+        } else {
+            $query = "INSERT INTO consent (hashed_user_id, service_id, attribute_stable, consent_type, consent_date, deleted_at)
+                      VALUES (?, ?, ?, ?, NOW(), '0000-00-00 00:00:00')
+                      ON DUPLICATE KEY UPDATE attribute_stable=VALUES(attribute_stable),
+                      consent_type=VALUES(consent_type), consent_date=NOW(), deleted_at='0000-00-00 00:00:00'";
+            $bindings = [
+                $parameters->hashedUserId,
+                $parameters->serviceId,
+                $parameters->attributeStableHash,
+                $parameters->consentType,
+            ];
+        }
+
+        try {
+            $this->connection->executeStatement($query, $bindings);
         } catch (Exception $e) {
             throw new RuntimeException(
                 sprintf('Error storing consent: "%s"', $e->getMessage())
@@ -252,7 +267,8 @@ public function storeConsentHash(ConsentStoreParameters $parameters): bool
      */
     public function updateConsentHash(ConsentUpdateParameters $parameters): bool
     {
-        $query = "
+        if ($parameters->clearLegacyHash) {
+            $query = "
                 UPDATE
                     consent
                 SET
@@ -268,7 +284,25 @@ public function updateConsentHash(ConsentUpdateParameters $parameters): bool
                     consent_type = ?
                 AND
                     deleted_at IS NULL
-        ";
+            ";
+        } else {
+            $query = "
+                UPDATE
+                    consent
+                SET
+                    attribute_stable = ?
+                WHERE
+                    attribute = ?
+                AND
+                    hashed_user_id = ?
+                AND
+                    service_id = ?
+                AND
+                    consent_type = ?
+                AND
+                    deleted_at IS NULL
+            ";
+        }
 
         try {
             $affected = $this->connection->executeStatement($query, [

tests/library/EngineBlock/Test/Corto/Model/ConsentIntegrationTest.php

@@ -27,6 +27,7 @@
 use OpenConext\EngineBlock\Metadata\Entity\ServiceProvider;
 use OpenConext\EngineBlock\Service\Consent\ConsentHashService;
 use OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository;
+use OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\TestCase;
 
@@ -56,8 +57,20 @@ public function setup(): void
 
         $this->response = Mockery::mock(EngineBlock_Saml2_ResponseAnnotationDecorator::class);
         $this->consentRepository = Mockery::mock(ConsentRepository::class);
-        $this->consentService = new ConsentHashService($this->consentRepository);
 
+        $this->buildConsentAndService(migrationEnabled: true);
+    }
+
+    /**
+     * Rebuilds $this->consentService and $this->consent with the given toggle state.
+     * Call this in tests that need a specific toggle setting different from setUp's default.
+     */
+    private function buildConsentAndService(bool $migrationEnabled): void
+    {
+        $featureConfig = new FeatureConfiguration([
+            'eb.stable_consent_hash_migration' => $migrationEnabled,
+        ]);
+        $this->consentService = new ConsentHashService($this->consentRepository, $featureConfig);
         $this->consent = new EngineBlock_Corto_Model_Consent(
             "consent",
             true,
@@ -151,14 +164,19 @@ public function test_stable_consent_given($consentType)
         }
     }
 
+    /**
+     * Toggle ON (migration enabled): new consent stores only the stable hash.
+     * The legacy attribute column must be left NULL so fully-migrated deployments
+     * don't accumulate unnecessary data in the old column.
+     */
     #[DataProvider('consentTypeProvider')]
-    public function test_give_consent_no_unstable_consent_given($consentType)
+    public function test_give_consent_toggle_on_stores_only_stable_hash($consentType)
     {
+        // setUp already builds with migrationEnabled=true
         $serviceProvider = new ServiceProvider("service-provider-entity-id");
         $this->response->shouldReceive('getNameIdValue')
             ->once()
             ->andReturn('collab:person:id:org-a:joe-a');
-        // Now assert that the new stable consent hash is going to be set
         $this->consentRepository
             ->shouldReceive('storeConsentHash')
             ->once()
@@ -167,6 +185,7 @@ public function test_give_consent_no_unstable_consent_given($consentType)
                 serviceId: 'service-provider-entity-id',
                 attributeStableHash: '8739602554c7f3241958e3cc9b57fdecb474d508',
                 consentType: $consentType,
+                attributeHash: null,
             ))
             ->andReturn(true);
 
@@ -180,14 +199,53 @@ public function test_give_consent_no_unstable_consent_given($consentType)
         }
     }
 
+    /**
+     * Toggle OFF (migration disabled): new consent stores BOTH hashes so that
+     * old EB instances (still reading only the `attribute` column) can still
+     * find the consent record during a rolling deploy.
+     */
     #[DataProvider('consentTypeProvider')]
-    public function test_upgrade_to_stable_consent($consentType)
+    public function test_give_consent_toggle_off_stores_both_hashes($consentType)
     {
+        $this->buildConsentAndService(migrationEnabled: false);
+        $serviceProvider = new ServiceProvider("service-provider-entity-id");
+        $this->response->shouldReceive('getNameIdValue')
+            ->once()
+            ->andReturn('collab:person:id:org-a:joe-a');
+        $this->consentRepository
+            ->shouldReceive('storeConsentHash')
+            ->once()
+            ->with(new ConsentStoreParameters(
+                hashedUserId: '0e54805079c56c2b1c1197a760af86ac337b7bac',
+                serviceId: 'service-provider-entity-id',
+                attributeStableHash: '8739602554c7f3241958e3cc9b57fdecb474d508',
+                consentType: $consentType,
+                attributeHash: '8739602554c7f3241958e3cc9b57fdecb474d508',
+            ))
+            ->andReturn(true);
+
+        switch ($consentType) {
+            case ConsentType::TYPE_EXPLICIT:
+                $this->assertTrue($this->consent->giveExplicitConsentFor($serviceProvider));
+                break;
+            case ConsentType::TYPE_IMPLICIT:
+                $this->assertTrue($this->consent->giveImplicitConsentFor($serviceProvider));
+                break;
+        }
+    }
+
+    /**
+     * Toggle OFF (migration disabled): upgrading an old unstable consent leaves
+     * the legacy `attribute` column intact so old instances keep working.
+     */
+    #[DataProvider('consentTypeProvider')]
+    public function test_upgrade_toggle_off_preserves_legacy_hash($consentType)
+    {
+        $this->buildConsentAndService(migrationEnabled: false);
         $serviceProvider = new ServiceProvider("service-provider-entity-id");
         $this->response->shouldReceive('getNameIdValue')
             ->once()
             ->andReturn('collab:person:id:org-a:joe-a');
-        // Now assert that the new stable consent hash is going to be set
         $this->consentRepository
             ->shouldReceive('updateConsentHash')
             ->once()
@@ -197,10 +255,38 @@ public function test_upgrade_to_stable_consent($consentType)
                 hashedUserId: '0e54805079c56c2b1c1197a760af86ac337b7bac',
                 serviceId: 'service-provider-entity-id',
                 consentType: $consentType,
+                clearLegacyHash: false,
+            ))
+            ->andReturn(true);
+
+        $this->assertNull($this->consent->upgradeAttributeHashFor($serviceProvider, $consentType, ConsentVersion::unstable()));
+    }
+
+    /**
+     * Toggle ON (migration enabled): upgrading an old unstable consent nulls the
+     * legacy `attribute` column so the old column is cleaned up over time.
+     */
+    #[DataProvider('consentTypeProvider')]
+    public function test_upgrade_toggle_on_clears_legacy_hash($consentType)
+    {
+        // setUp already builds with migrationEnabled=true
+        $serviceProvider = new ServiceProvider("service-provider-entity-id");
+        $this->response->shouldReceive('getNameIdValue')
+            ->once()
+            ->andReturn('collab:person:id:org-a:joe-a');
+        $this->consentRepository
+            ->shouldReceive('updateConsentHash')
+            ->once()
+            ->with(new ConsentUpdateParameters(
+                attributeStableHash: '8739602554c7f3241958e3cc9b57fdecb474d508',
+                attributeHash: '8739602554c7f3241958e3cc9b57fdecb474d508',
+                hashedUserId: '0e54805079c56c2b1c1197a760af86ac337b7bac',
+                serviceId: 'service-provider-entity-id',
+                consentType: $consentType,
+                clearLegacyHash: true,
             ))
             ->andReturn(true);
 
-        // Pass the pre-fetched ConsentVersion (unstable) — no second DB query is made
         $this->assertNull($this->consent->upgradeAttributeHashFor($serviceProvider, $consentType, ConsentVersion::unstable()));
     }