test: add tests and Behat feature for correlation ID logging

Unit tests:
- CorrelationIdRepositoryTest: store/find/link CRUD + SessionNotFoundException
  safety for all three methods
- CorrelationIdServiceTest: mint idempotency, link, resolve, null safety
- CorrelationIdFlowTest: end-to-end simulation of all four SAML legs (WAYF
  path, direct path, concurrent flows, back-button replay guard)
- CorrelationIdProcessorTest: processor stamps correlation_id on log records;
  null when no ID is set
- AuthnRequestSessionRepositoryTest: store/link/find + SessionNotFoundException
  safety; updated to use RequestStack + MockArraySessionStorage instead of the
  now-removed LoggerInterface constructor
- ProcessConsentTest / ProvideConsentTest: updated to inject RequestStack-backed
  AuthnRequestSessionRepository; stub getReceivedRequestFromResponse so tests
  are self-contained

Behat (default suite):
- CorrelationId.feature: WAYF path and direct path scenarios assert that every
  log record carries a non-null correlation_id field
- LoggingContext: new Behat context with @BeforeScenario reset and
  "each log record should contain a :field field" step
- TestLogHandler wired into behat.yml; registered in ci monolog config

Author: kayjoosten

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/LoggingContext.php

@@ -0,0 +1,82 @@
+<?php
+
+/**
+ * Copyright 2010 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlockFunctionalTestingBundle\Features\Context;
+
+use Behat\Behat\Context\Context;
+use OpenConext\EngineBlockFunctionalTestingBundle\Log\TestLogHandler;
+use PHPUnit\Framework\Assert;
+
+/**
+ * Behat context for asserting on structured log output.
+ *
+ * Injects the in-memory TestLogHandler so scenarios can verify that
+ * log records carry the expected structured fields (e.g. correlation_id).
+ *
+ * Does not extend AbstractSubContext because it performs no browser interactions
+ * and has no need for MinkContext.
+ */
+class LoggingContext implements Context
+{
+    public function __construct(private readonly TestLogHandler $logHandler)
+    {
+    }
+
+    /**
+     * @BeforeScenario
+     */
+    public function resetLogHandler(): void
+    {
+        $this->logHandler->reset();
+    }
+
+    /**
+     * @Then each log record should contain a :field field
+     */
+    public function eachLogRecordShouldContainField(string $field): void
+    {
+        $records = $this->logHandler->getRecords();
+
+        Assert::assertNotEmpty($records, 'No log records were captured during this scenario.');
+
+        foreach ($records as $index => $record) {
+            Assert::assertArrayHasKey(
+                $field,
+                $record->extra,
+                sprintf(
+                    'Log record #%d (channel=%s, message="%s") is missing extra field "%s".',
+                    $index,
+                    $record->channel,
+                    $record->message,
+                    $field,
+                ),
+            );
+
+            Assert::assertNotNull(
+                $record->extra[$field],
+                sprintf(
+                    'Log record #%d (channel=%s, message="%s") has a null value for extra field "%s".',
+                    $index,
+                    $record->channel,
+                    $record->message,
+                    $field,
+                ),
+            );
+        }
+    }
+}

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/CorrelationId.feature

@@ -0,0 +1,69 @@
+Feature:
+  In order to trace a complete authentication flow across log entries
+  As a SURF operator
+  I need a single correlation_id to appear in every log record belonging to the same SAML flow
+
+  Background:
+    Given an EngineBlock instance on "dev.openconext.local"
+      And no registered SPs
+      And no registered Idps
+      And a Service Provider named "CorrId-SP"
+
+  # ── WAYF path ──────────────────────────────────────────────────────────────
+  # Two IdPs are registered, so the WAYF is shown after the initial SSO request.
+  # The correlation ID is minted in SingleSignOn.serve(), propagated to
+  # ContinueToIdp (user picks an IdP), then forwarded to the IdP request via
+  # link(), and finally picked up in AssertionConsumer and ProvideConsent/
+  # ProcessConsent.  A complete round-trip through all four HTTP legs must
+  # succeed without error.
+  Scenario: A user authenticating via the WAYF completes the full four-leg flow
+    Given an Identity Provider named "CorrId-IdP-A"
+      And an Identity Provider named "CorrId-IdP-B"
+    When I log in at "CorrId-SP"
+     And I select "CorrId-IdP-A" on the WAYF
+     And I pass through EngineBlock
+     And I pass through the IdP
+     And I give my consent
+     And I pass through EngineBlock
+    Then the url should match "functional-testing/CorrId-SP/acs"
+     And each log record should contain a "correlation_id" field
+
+  # ── Direct path (no WAYF) ───────────────────────────────────────────────────
+  # When only one IdP is available the WAYF is skipped; the correlation ID is
+  # minted inside ProxyServer.sendAuthenticationRequest() and linked to the IdP
+  # request.  AssertionConsumer and consent legs must resolve it from the IdP
+  # request ID stored in InResponseTo.
+  Scenario: A user authenticating without the WAYF completes the full flow
+    Given an Identity Provider named "CorrId-IdP-Only"
+    When I log in at "CorrId-SP"
+     And I pass through EngineBlock
+     And I pass through the IdP
+     And I give my consent
+     And I pass through EngineBlock
+    Then the url should match "functional-testing/CorrId-SP/acs"
+     And each log record should contain a "correlation_id" field
+
+  # ── Concurrent flows ────────────────────────────────────────────────────────
+  # Two simultaneous authentications in separate browser tabs share the same PHP
+  # session.  Each flow must mint its own correlation ID and the two IDs must
+  # not bleed into each other.  Both flows must complete successfully and land
+  # on the correct SP ACS URL.
+  # Requires the @functional tag to use the Chrome driver (browser tabs need JS).
+  @functional
+  Scenario: Two concurrent authentication flows each complete independently
+    Given an Identity Provider named "CorrId-IdP-A"
+      And an Identity Provider named "CorrId-IdP-B"
+    When I open 2 browser tabs identified by "Tab-A, Tab-B"
+      And I switch to "Tab-A"
+      And I log in at "CorrId-SP"
+      And I select "CorrId-IdP-A" on the WAYF
+      And I switch to "Tab-B"
+      And I log in at "CorrId-SP"
+      And I select "CorrId-IdP-B" on the WAYF
+      And I pass through the IdP
+      And I give my consent
+    Then the url should match "functional-testing/CorrId-SP/acs"
+      And I switch to "Tab-A"
+      And I pass through the IdP
+      And I give my consent
+    Then the url should match "functional-testing/CorrId-SP/acs"

src/OpenConext/EngineBlockFunctionalTestingBundle/Log/TestLogHandler.php

@@ -0,0 +1,63 @@
+<?php
+
+/**
+ * Copyright 2010 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace OpenConext\EngineBlockFunctionalTestingBundle\Log;
+
+use Monolog\Handler\AbstractProcessingHandler;
+use Monolog\Level;
+use Monolog\LogRecord;
+
+/**
+ * In-memory Monolog handler for Behat log assertions.
+ *
+ * Collects every log record that passes through it so Behat steps
+ * can assert on the presence (or absence) of structured log fields.
+ */
+final class TestLogHandler extends AbstractProcessingHandler
+{
+    /** @var LogRecord[] */
+    private array $records = [];
+
+    public function __construct()
+    {
+        parent::__construct(Level::Debug, bubble: true);
+    }
+
+    protected function write(LogRecord $record): void
+    {
+        $this->records[] = $record;
+    }
+
+    /**
+     * Returns all captured log records since the last reset.
+     *
+     * @return LogRecord[]
+     */
+    public function getRecords(): array
+    {
+        return $this->records;
+    }
+
+    /**
+     * Clears all captured log records.
+     */
+    public function reset(): void
+    {
+        $this->records = [];
+    }
+}

tests/behat.yml

@@ -43,6 +43,8 @@ default:
                     serviceRegistryFixture: '@engineblock.functional_testing.fixture.service_registry'
                 - OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\TranslationContext:
                     mockTranslator: '@engineblock.functional_testing.mock.translator'
+                - OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\LoggingContext:
+                    logHandler: '@OpenConext\EngineBlockFunctionalTestingBundle\Log\TestLogHandler'
                 - OpenConext\EngineBlockFunctionalTestingBundle\Features\Context\MinkContext:
         functional:
             mink_session: chrome

tests/library/EngineBlock/Test/Corto/Module/Service/ProcessConsentTest.php

@@ -184,6 +184,19 @@ private function mockProxyServer()
             ))
             ->setBindingsModule($this->mockBindingsModule());
 
+        // Stub getReceivedRequestFromResponse so tests do not depend on DI-wired
+        // AuthnRequestSessionRepository being populated during the test.
+        $spRequest = new AuthnRequest();
+        $spRequest->setId('SPREQUEST');
+        $issuer = new Issuer();
+        $issuer->setValue('https://sp.example.edu');
+        $spRequest->setIssuer($issuer);
+        $decoratedSpRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
+
+        Phake::when($proxyServerMock)
+            ->getReceivedRequestFromResponse(Phake::anyParameters())
+            ->thenReturn($decoratedSpRequest);
+
         return $proxyServerMock;
     }
 
@@ -261,8 +274,10 @@ private function mockSspResponse()
         $ebRequest->setId('EBREQUEST');
         $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
 
-        $dummySessionLog = new Psr\Log\NullLogger();
-        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummySessionLog);
+        $authnRequest = new \Symfony\Component\HttpFoundation\Request();
+        $authnRequest->setSession(new Session(new MockArraySessionStorage()));
+        $testStack = new RequestStack([$authnRequest]);
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($testStack);
         $authnRequestRepository->store($spRequest);
         $authnRequestRepository->store($ebRequest);
         $authnRequestRepository->link($ebRequest, $spRequest);

tests/library/EngineBlock/Test/Corto/Module/Service/ProvideConsentTest.php

@@ -187,6 +187,19 @@ private function mockProxyServer()
         $bindingsModuleMock = $this->mockBindingsModule();
         $proxyServerMock->setBindingsModule($bindingsModuleMock);
 
+        // Stub getReceivedRequestFromResponse so tests do not depend on DI-wired
+        // AuthnRequestSessionRepository being populated during the test.
+        $spRequest = new AuthnRequest();
+        $spRequest->setId('SPREQUEST');
+        $issuer = new Issuer();
+        $issuer->setValue('testSp');
+        $spRequest->setIssuer($issuer);
+        $decoratedSpRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
+
+        Phake::when($proxyServerMock)
+            ->getReceivedRequestFromResponse(Phake::anyParameters())
+            ->thenReturn($decoratedSpRequest);
+
         Phake::when($proxyServerMock)
             ->renderTemplate(Phake::anyParameters())
             ->thenReturn(null);
@@ -214,8 +227,10 @@ private function mockBindingsModule()
         $ebRequest->setId('EBREQUEST');
         $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
 
-        $dummyLog = new Psr\Log\NullLogger();
-        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummyLog);
+        $authnRequest = new \Symfony\Component\HttpFoundation\Request();
+        $authnRequest->setSession(new Session(new MockArraySessionStorage()));
+        $testStack = new RequestStack([$authnRequest]);
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($testStack);
         $authnRequestRepository->store($spRequest);
         $authnRequestRepository->store($ebRequest);
         $authnRequestRepository->link($ebRequest, $spRequest);