Enable testing trust chain resolution in admin UI

README.md

@@ -26,7 +26,7 @@ PHP version requirement changes in minor releases for SimpleSAMLphp.
 
 | OIDC module | Tested SimpleSAMLphp |  PHP   | Note                        |
 |:------------|:---------------------|:------:|-----------------------------|
-| v6.\*       | v2.2.\*              | \>=8.2 | Recommended                 |
+| v6.\*       | v2.3.\*              | \>=8.2 | Recommended                 |
 | v5.\*       | v2.1.\*              | \>=8.1 |                             |
 | v4.\*       | v2.0.\*              | \>=8.0 |                             |
 | v3.\*       | v2.0.\*              | \>=7.4 | Abandoned from August 2023. |
@@ -329,7 +329,7 @@ docker run --name ssp-oidc-dev \
   --mount type=bind,source="$(pwd)/docker/ssp/oidc_module.crt",target=/var/simplesamlphp/cert/oidc_module.crt,readonly \
   --mount type=bind,source="$(pwd)/docker/ssp/oidc_module.key",target=/var/simplesamlphp/cert/oidc_module.key,readonly \
   --mount type=bind,source="$(pwd)/docker/apache-override.cf",target=/etc/apache2/sites-enabled/ssp-override.cf,readonly \
-   -p 443:443 cirrusid/simplesamlphp:v2.2.2
+   -p 443:443 cirrusid/simplesamlphp:v2.3.5
 ```
 
 Visit https://localhost/simplesaml/ and confirm you get the default page.

UPGRADE.md

@@ -91,7 +91,7 @@ has been refactored:
 
 - upgraded to v5 of lcobucci/jwt https://github.com/lcobucci/jwt
 - upgraded to v3 of laminas/laminas-diactoros https://github.com/laminas/laminas-diactoros
-- SimpleSAMLphp version used during development was bumped to v2.2
+- SimpleSAMLphp version used during development was bumped to v2.3
 - In Authorization Code Flow, a new validation was added which checks for 'openid' value in 'scope' parameter. Up to
 now, 'openid' value was dynamically added if not present. In Implicit Code Flow this validation was already present. 
 

composer.json

@@ -43,7 +43,7 @@
         "friendsofphp/php-cs-fixer": "^3",
         "phpunit/phpunit": "^10",
         "rector/rector": "^0.18.3",
-        "simplesamlphp/simplesamlphp": "2.2.*",
+        "simplesamlphp/simplesamlphp": "2.3.*",
         "simplesamlphp/simplesamlphp-test-framework": "^1.5",
         "squizlabs/php_codesniffer": "^3",
         "vimeo/psalm": "^5",
@@ -56,9 +56,10 @@
         },
         "sort-packages": true,
         "allow-plugins": {
-            "simplesamlphp/composer-module-installer": true,
             "dealerdirect/phpcodesniffer-composer-installer": true,
-            "phpstan/extension-installer": true
+            "phpstan/extension-installer": true,
+            "simplesamlphp/composer-module-installer": true,
+            "simplesamlphp/composer-xmlprovider-installer": true
         },
         "cache-dir": "build/composer"
     },

config-templates/module_oidc.php

@@ -368,6 +368,33 @@
 //        'eyJ...GHg',
     ],
 
+    // (optional) Federation participation limit by Trust Marks. This is an array with the following format:
+    // [
+    //    'trust-anchor-id' => [
+    //         'limit-id' => [
+    //              'trust-mark-id',
+    //              'trust-mark-id-2',
+    //          ],
+    //     ],
+    // ],
+    // Check example below on how this can be used. If federation participation limit is configured for particular
+    // Trust Anchor ID, at least one combination of "limit ID" => "trust mark list" should be defined.
+    ModuleConfig::OPTION_FEDERATION_PARTICIPATION_LIMIT_BY_TRUST_MARKS => [
+        // We are limiting federation participation using Trust Marks for 'https://ta.example.org/'.
+        'https://ta.example.org/' => [
+            // Entities must have (at least) one Trust Mark from the list below.
+            \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::OneOf->value => [
+                'trust-mark-id',
+                'trust-mark-id-2',
+            ],
+            // Entities must have all Trust Marks from the list below.
+            \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::AllOf->value => [
+                'trust-mark-id-3',
+                'trust-mark-id-4',
+            ],
+        ],
+    ],
+
     // (optional) Dedicated federation cache adapter, used to cache federation artifacts like trust chains, entity
     // statements, etc. It will also be used for token reuse check in federation context. Setting this option is
     // recommended in production environments. If set to null, no caching will be used. Can be set to any

docker/Dockerfile

@@ -1,5 +1,5 @@
-#FROM cirrusid/simplesamlphp:v2.2.2
-FROM cicnavi/simplesamlphp:dev
+FROM cirrusid/simplesamlphp:v2.3.5
+#FROM cicnavi/simplesamlphp:dev
 
 RUN apt-get update && apt-get install -y sqlite3
 # Prepopulate the DB with items needed for testing

routing/routes/routes.php

@@ -10,6 +10,7 @@
 use SimpleSAML\Module\oidc\Controllers\AccessTokenController;
 use SimpleSAML\Module\oidc\Controllers\Admin\ClientController;
 use SimpleSAML\Module\oidc\Controllers\Admin\ConfigController;
+use SimpleSAML\Module\oidc\Controllers\Admin\TestController;
 use SimpleSAML\Module\oidc\Controllers\AuthorizationController;
 use SimpleSAML\Module\oidc\Controllers\ConfigurationDiscoveryController;
 use SimpleSAML\Module\oidc\Controllers\EndSessionController;
@@ -57,6 +58,12 @@
         ->controller([ClientController::class, 'delete'])
         ->methods([HttpMethodsEnum::POST->value]);
 
+    // Testing
+
+    $routes->add(RoutesEnum::AdminTestTrustChainResolution->name, RoutesEnum::AdminTestTrustChainResolution->value)
+        ->controller([TestController::class, 'trustChainResolution'])
+        ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
+
     /*****************************************************************************************************************
      * OpenID Connect
      ****************************************************************************************************************/

routing/services/services.yml

@@ -99,6 +99,8 @@ services:
     factory: ['@SimpleSAML\Module\oidc\Factories\ResourceServerFactory', 'build']
 
   # Utils
+  SimpleSAML\Module\oidc\Utils\Debug\ArrayLogger: ~
+  SimpleSAML\Module\oidc\Utils\FederationParticipationValidator: ~
   SimpleSAML\Module\oidc\Utils\Routes: ~
   SimpleSAML\Module\oidc\Utils\RequestParamsResolver: ~
   SimpleSAML\Module\oidc\Utils\ClassInstanceBuilder: ~

src/Admin/Menu.php

@@ -20,7 +20,7 @@ public function __construct(Item ...$items)
         array_push($this->items, ...$items);
     }
 
-    public function addItem(Item $menuItem, int $offset = null): void
+    public function addItem(Item $menuItem, ?int $offset = null): void
     {
         $offset ??= count($this->items);
 

src/Codebooks/LimitsEnum.php

@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Codebooks;
+
+enum LimitsEnum: string
+{
+    case OneOf = 'one_of';
+    case AllOf = 'all_of';
+}

src/Codebooks/RoutesEnum.php

@@ -24,6 +24,10 @@ enum RoutesEnum: string
     case AdminClientsResetSecret = 'admin/clients/reset-secret';
     case AdminClientsDelete = 'admin/clients/delete';
 
+    // Testing
+    case AdminTestTrustChainResolution = 'admin/test/trust-chain-resolution';
+
+
     /*****************************************************************************************************************
      * OpenID Connect
      ****************************************************************************************************************/

src/Controllers/Admin/TestController.php

@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\Admin;
+
+use SimpleSAML\Module\oidc\Admin\Authorization;
+use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
+use SimpleSAML\Module\oidc\Exceptions\OidcException;
+use SimpleSAML\Module\oidc\Factories\TemplateFactory;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Utils\Debug\ArrayLogger;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
+use SimpleSAML\OpenID\Exceptions\TrustChainException;
+use SimpleSAML\OpenID\Federation;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class TestController
+{
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly TemplateFactory $templateFactory,
+        protected readonly Authorization $authorization,
+        protected readonly Federation $federation,
+        protected readonly Helpers $helpers,
+        protected readonly ArrayLogger $arrayLogger,
+    ) {
+        $this->authorization->requireAdmin(true);
+    }
+
+    /**
+     * @throws \SimpleSAML\Error\ConfigurationError
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     * @throws \SimpleSAML\Module\oidc\Exceptions\OidcException
+     */
+    public function trustChainResolution(Request $request): Response
+    {
+        $this->arrayLogger->setWeight(ArrayLogger::WEIGHT_WARNING);
+        // Let's create new Federation instance so we can inject our debug logger and go without cache.
+        $federation = new Federation(
+            supportedAlgorithms: $this->federation->supportedAlgorithms(),
+            cache: null,
+            logger: $this->arrayLogger,
+        );
+
+        $leafEntityId = $this->moduleConfig->getIssuer();
+        $trustChainBag = null;
+        $resolvedMetadata = [];
+        $isFormSubmitted = false;
+
+        try {
+            $trustAnchorIds = $this->moduleConfig->getFederationTrustAnchorIds();
+        } catch (\Throwable $exception) {
+            $this->arrayLogger->error('Module config error: ' . $exception->getMessage());
+            $trustAnchorIds = [];
+        }
+
+        if ($request->isMethod(Request::METHOD_POST)) {
+            $isFormSubmitted = true;
+
+            !empty($leafEntityId = $request->request->getString('leafEntityId')) ||
+            throw new OidcException('Empty leaf entity ID.');
+            !empty($rawTrustAnchorIds = $request->request->getString('trustAnchorIds')) ||
+            throw new OidcException('Empty Trust Anchor IDs.');
+
+            /** @var non-empty-array<non-empty-string> $trustAnchorIds */
+            $trustAnchorIds = $this->helpers->str()->convertTextToArray($rawTrustAnchorIds);
+
+            try {
+                $trustChainBag = $federation->trustChainResolver()->for($leafEntityId, $trustAnchorIds);
+
+                foreach ($trustChainBag->getAll() as $index => $trustChain) {
+                    $metadataEntries = [];
+                    foreach (EntityTypesEnum::cases() as $entityTypeEnum) {
+                        try {
+                            $metadataEntries[$entityTypeEnum->value] =
+                            $trustChain->getResolvedMetadata($entityTypeEnum);
+                        } catch (\Throwable $exception) {
+                            $this->arrayLogger->error(
+                                'Metadata resolving error: ' . $exception->getMessage(),
+                                compact('index', 'entityTypeEnum'),
+                            );
+                            continue;
+                        }
+                    }
+                    $resolvedMetadata[$index] = array_filter($metadataEntries);
+                }
+            } catch (TrustChainException $exception) {
+                $this->arrayLogger->error('Trust chain error: ' . $exception->getMessage());
+            }
+        }
+
+        $trustAnchorIds = implode("\n", $trustAnchorIds);
+        $logMessages = $this->arrayLogger->getEntries();
+//dd($this->arrayLogger->getEntries());
+        return $this->templateFactory->build(
+            'oidc:tests/trust-chain-resolution.twig',
+            compact(
+                'leafEntityId',
+                'trustAnchorIds',
+                'trustChainBag',
+                'resolvedMetadata',
+                'logMessages',
+                'isFormSubmitted',
+            ),
+            RoutesEnum::AdminTestTrustChainResolution->value,
+        );
+    }
+}

src/Controllers/Federation/Test.php

@@ -65,25 +65,25 @@
 //        $requestObject = $requestObjectFactory->fromToken($unprotectedJws);
 
 //        dd($requestObject, $requestObject->getPayload(), $requestObject->getHeader());
-//        $cache->clear();
+        $this->federationCache?->cache->clear();
 
         $trustChain = $this->federation
             ->trustChainResolver()
             ->for(
-                'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ALeaf/',
+//                'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ALeaf/',
 //                'https://trust-anchor.testbed.oidcfed.incubator.geant.org/oidc/rp/',
 //                'https://relying-party-php.testbed.oidcfed.incubator.geant.org/',
-//                'https://gorp.testbed.oidcfed.incubator.geant.org',
+                'https://gorp.testbed.oidcfed.incubator.geant.org',
 //                'https://maiv1.incubator.geant.org',
                 [
-//                    'https://trust-anchor.testbed.oidcfed.incubator.geant.org/',
+                    'https://trust-anchor.testbed.oidcfed.incubator.geant.org/',
                     'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ABTrustAnchor/',
-//                    'https://08-dap.localhost.markoivancic.from.hr/openid/entities/CTrustAnchor/',
+                    'https://08-dap.localhost.markoivancic.from.hr/openid/entities/CTrustAnchor/',
                 ],
-            );
-
+            )->getAll();
+dd($trustChain);
         $leaf = $trustChain->getResolvedLeaf();
-//        dd($leaf);
+        dd($leaf->getPayload());
         $leafFederationJwks = $leaf->getJwks();
 //        dd($leafFederationJwks);
 //        /** @psalm-suppress PossiblyNullArgument */

src/Entities/AccessTokenEntity.php

@@ -65,11 +65,11 @@ public function __construct(
         DateTimeImmutable $expiryDateTime,
         CryptKey $privateKey,
         protected JsonWebTokenBuilderService $jsonWebTokenBuilderService,
-        int|string $userIdentifier = null,
-        string $authCodeId = null,
-        array $requestedClaims = null,
-        bool $isRevoked = false,
-        Configuration $jwtConfiguration = null,
+        int|string|null $userIdentifier = null,
+        ?string $authCodeId = null,
+        ?array $requestedClaims = null,
+        ?bool $isRevoked = false,
+        ?Configuration $jwtConfiguration = null,
     ) {
         $this->setIdentifier($id);
         $this->setClient($clientEntity);

src/Entities/AuthCodeEntity.php

@@ -40,9 +40,9 @@ public function __construct(
         OAuth2ClientEntityInterface $client,
         array $scopes,
         DateTimeImmutable $expiryDateTime,
-        string $userIdentifier = null,
-        string $redirectUri = null,
-        string $nonce = null,
+        ?string $userIdentifier = null,
+        ?string $redirectUri = null,
+        ?string $nonce = null,
         bool $isRevoked = false,
     ) {
         $this->identifier = $id;

src/Factories/Entities/AccessTokenEntityFactory.php

@@ -31,10 +31,10 @@ public function fromData(
         OAuth2ClientEntityInterface $clientEntity,
         array $scopes,
         DateTimeImmutable $expiryDateTime,
-        int|string $userIdentifier = null,
-        string $authCodeId = null,
-        array $requestedClaims = null,
-        bool $isRevoked = false,
+        int|string|null $userIdentifier = null,
+        ?string $authCodeId = null,
+        ?array $requestedClaims = null,
+        ?bool $isRevoked = false,
     ): AccessTokenEntity {
         return new AccessTokenEntity(
             $id,

src/Factories/Entities/AuthCodeEntityFactory.php

@@ -27,9 +27,9 @@ public function fromData(
         OAuth2ClientEntityInterface $client,
         array $scopes,
         DateTimeImmutable $expiryDateTime,
-        string $userIdentifier = null,
-        string $redirectUri = null,
-        string $nonce = null,
+        ?string $userIdentifier = null,
+        ?string $redirectUri = null,
+        ?string $nonce = null,
         bool $isRevoked = false,
     ): AuthCodeEntity {
         return new AuthCodeEntity(

src/Factories/Entities/ScopeEntityFactory.php

@@ -13,8 +13,8 @@ class ScopeEntityFactory
      */
     public function fromData(
         string $identifier,
-        string $description = null,
-        string $icon = null,
+        ?string $description = null,
+        ?string $icon = null,
         array $claims = [],
     ): ScopeEntity {
         return new ScopeEntity(

src/Factories/RequestRulesManagerFactory.php

@@ -36,6 +36,7 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
+use SimpleSAML\Module\oidc\Utils\FederationParticipationValidator;
 use SimpleSAML\Module\oidc\Utils\JwksResolver;
 use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
@@ -58,6 +59,7 @@
         private readonly Federation $federation,
         private readonly Helpers $helpers,
         private readonly JwksResolver $jwksResolver,
+        private readonly FederationParticipationValidator $federationParticipationValidator,
         private readonly ?FederationCache $federationCache = null,
         private readonly ?ProtocolCache $protocolCache = null,
     ) {
@@ -88,6 +90,7 @@
                 $this->federation,
                 $this->helpers,
                 $this->jwksResolver,
+                $this->federationParticipationValidator,
                 $this->federationCache,
             ),
             new RedirectUriRule($this->requestParamsResolver),