Add missing edge-case tests for consent hash implementation

Based on requirements from issue #1721, PR #1137 review threads, and
newly added code paths:

ConsentIntegrationTest:
- test_upgrade_not_applied_when_no_consent_given: upgradeAttributeHashFor
  does nothing when hasConsentHash returns notGiven()
- test_upgrade_continues_gracefully_when_attributes_changed: when
  updateConsentHash returns false (0 rows, attributes changed since
  consent was given), upgradeAttributeHashFor must not throw

ConsentTest (eb4):
- testNullNameIdReturnsNoConsentWithoutCallingRepository: when
  getNameIdValue() returns null, all three private guards (_storeConsent,
  _hasStoredConsent, _updateConsent) must return early without touching
  the repository

ConsentVersionTest (new):
- isStable/isUnstable/given behaviour for all three states
- invalid value throws InvalidArgumentException

ConsentHashServiceTest:
- test_stable_attribute_hash_attribute_name_casing_normalized: issue #1721
  explicitly requires 'Case normalize all attribute names'; verifies keys
  like 'displayName' and 'DISPLAYNAME' produce the same hash
- test_stable_attribute_hash_attribute_name_ordering_normalized: issue
  #1721 requires 'Sort all attribute names'; verifies key order is stable

Author: kayjoosten

src/OpenConext/EngineBlockBundle/Authentication/Repository/DbalConsentRepository.php

@@ -238,7 +238,8 @@ public function updateConsentHash(array $parameters): bool
                 UPDATE
                     consent
                 SET
-                    attribute_stable = ?
+                    attribute_stable = ?,
+                    attribute = NULL
                 WHERE
                     attribute = ?
                 AND

tests/library/EngineBlock/Test/Corto/Model/ConsentIntegrationTest.php

@@ -235,6 +235,50 @@ public function test_upgrade_to_stable_consent_not_applied_when_stable($consentT
         $this->assertNull($this->consent->upgradeAttributeHashFor($serviceProvider, $consentType));
     }
 
+    /**
+     * @dataProvider consentTypeProvider
+     */
+    public function test_upgrade_not_applied_when_no_consent_given($consentType)
+    {
+        $serviceProvider = new ServiceProvider("service-provider-entity-id");
+        $this->response->shouldReceive('getNameIdValue')
+            ->once()
+            ->andReturn('collab:person:id:org-a:joe-a');
+        // No consent has been given at all
+        $this->consentRepository
+            ->shouldReceive('hasConsentHash')
+            ->once()
+            ->andReturn(ConsentVersion::notGiven());
+        // No update should be triggered
+        $this->consentRepository->shouldNotReceive('updateConsentHash');
+
+        $this->assertNull($this->consent->upgradeAttributeHashFor($serviceProvider, $consentType));
+    }
+
+    /**
+     * @dataProvider consentTypeProvider
+     */
+    public function test_upgrade_continues_gracefully_when_attributes_changed($consentType)
+    {
+        $serviceProvider = new ServiceProvider("service-provider-entity-id");
+        $this->response->shouldReceive('getNameIdValue')
+            ->twice()
+            ->andReturn('collab:person:id:org-a:joe-a');
+        // Old-style (unstable) consent is found
+        $this->consentRepository
+            ->shouldReceive('hasConsentHash')
+            ->once()
+            ->andReturn(ConsentVersion::unstable());
+        // But the UPDATE matches 0 rows (attributes changed since consent was given)
+        $this->consentRepository
+            ->shouldReceive('updateConsentHash')
+            ->once()
+            ->andReturn(false);
+
+        // Must not throw; the warning is logged inside the repository
+        $this->assertNull($this->consent->upgradeAttributeHashFor($serviceProvider, $consentType));
+    }
+
     public static function consentTypeProvider(): iterable
     {
         yield [ConsentType::TYPE_IMPLICIT];

tests/library/EngineBlock/Test/Corto/Model/ConsentTest.php

@@ -98,4 +98,36 @@ public function testConsentWriteToDatabase()
         $this->assertTrue($this->consent->giveExplicitConsentFor($serviceProvider));
         $this->assertTrue($this->consent->giveImplicitConsentFor($serviceProvider));
     }
+
+    public function testNullNameIdReturnsNoConsentWithoutCallingRepository()
+    {
+        $mockedResponse = Phake::mock('EngineBlock_Saml2_ResponseAnnotationDecorator');
+        Phake::when($mockedResponse)->getNameIdValue()->thenReturn(null);
+
+        $consentWithNullUid = new EngineBlock_Corto_Model_Consent(
+            "consent",
+            true,
+            $mockedResponse,
+            [],
+            false,
+            true,
+            $this->consentService
+        );
+
+        $serviceProvider = new ServiceProvider("service-provider-entity-id");
+
+        // No DB calls should occur when the NameID is null
+        $this->consentService->shouldNotReceive('retrieveConsentHash');
+        $this->consentService->shouldNotReceive('storeConsentHash');
+        $this->consentService->shouldNotReceive('updateConsentHash');
+
+        // _hasStoredConsent returns notGiven() when UID is null -> consent methods return false
+        $this->assertFalse($consentWithNullUid->explicitConsentWasGivenFor($serviceProvider));
+        $this->assertFalse($consentWithNullUid->implicitConsentWasGivenFor($serviceProvider));
+        // giveConsent returns false when UID is null (_storeConsent returns early)
+        $this->assertFalse($consentWithNullUid->giveExplicitConsentFor($serviceProvider));
+        $this->assertFalse($consentWithNullUid->giveImplicitConsentFor($serviceProvider));
+        // upgradeAttributeHashFor should not throw when UID is null
+        $consentWithNullUid->upgradeAttributeHashFor($serviceProvider, ConsentType::TYPE_EXPLICIT);
+    }
 }

tests/unit/OpenConext/EngineBlock/Authentication/Value/ConsentVersionTest.php

@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * Copyright 2010 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlock\Authentication\Tests\Value;
+
+use OpenConext\EngineBlock\Authentication\Value\ConsentVersion;
+use OpenConext\EngineBlock\Exception\InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+
+class ConsentVersionTest extends TestCase
+{
+    public function testStableIsGiven(): void
+    {
+        $version = ConsentVersion::stable();
+
+        $this->assertTrue($version->given());
+        $this->assertTrue($version->isStable());
+        $this->assertFalse($version->isUnstable());
+        $this->assertSame('stable', (string) $version);
+    }
+
+    public function testUnstableIsGiven(): void
+    {
+        $version = ConsentVersion::unstable();
+
+        $this->assertTrue($version->given());
+        $this->assertFalse($version->isStable());
+        $this->assertTrue($version->isUnstable());
+        $this->assertSame('unstable', (string) $version);
+    }
+
+    public function testNotGivenIsNotGiven(): void
+    {
+        $version = ConsentVersion::notGiven();
+
+        $this->assertFalse($version->given());
+        $this->assertFalse($version->isStable());
+        $this->assertFalse($version->isUnstable());
+        $this->assertSame('not-given', (string) $version);
+    }
+
+    public function testInvalidVersionThrows(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new ConsentVersion('invalid');
+    }
+}

tests/unit/OpenConext/EngineBlock/Service/Consent/ConsentHashServiceTest.php

@@ -474,4 +474,51 @@ public function test_stable_attribute_hash_can_handle_nameid_objects()
         $hash = $this->chs->getStableAttributesHash($attributes, false);
         $this->assertTrue(is_string($hash));
     }
+
+    public function test_stable_attribute_hash_attribute_name_casing_normalized()
+    {
+        // Issue requirement: "Case normalize all attribute names"
+        // Attribute names (keys) differing only in casing must yield the same hash
+        $lowercase = [
+            'urn:mace:dir:attribute-def:displayname' => ['John Doe'],
+            'urn:mace:dir:attribute-def:uid'         => ['joe-f12'],
+        ];
+        $mixed = [
+            'urn:mace:dir:attribute-def:displayName' => ['John Doe'],
+            'URN:MACE:DIR:ATTRIBUTE-DEF:UID'         => ['joe-f12'],
+        ];
+
+        $this->assertEquals(
+            $this->chs->getStableAttributesHash($lowercase, true),
+            $this->chs->getStableAttributesHash($mixed, true)
+        );
+        $this->assertEquals(
+            $this->chs->getStableAttributesHash($lowercase, false),
+            $this->chs->getStableAttributesHash($mixed, false)
+        );
+    }
+
+    public function test_stable_attribute_hash_attribute_name_ordering_normalized()
+    {
+        // Issue requirement: "Sort all attribute names"
+        $alphabetical = [
+            'urn:attribute:a' => ['value1'],
+            'urn:attribute:b' => ['value2'],
+            'urn:attribute:c' => ['value3'],
+        ];
+        $reversed = [
+            'urn:attribute:c' => ['value3'],
+            'urn:attribute:b' => ['value2'],
+            'urn:attribute:a' => ['value1'],
+        ];
+
+        $this->assertEquals(
+            $this->chs->getStableAttributesHash($alphabetical, true),
+            $this->chs->getStableAttributesHash($reversed, true)
+        );
+        $this->assertEquals(
+            $this->chs->getStableAttributesHash($alphabetical, false),
+            $this->chs->getStableAttributesHash($reversed, false)
+        );
+    }
 }