Merge branch 'release/4.3'

Author: MKodde

CHANGELOG.md

@@ -1,3 +1,12 @@
+# 4.3.1
+**Bugfix**
+* Update metadata.xml template reference
+
+# 4.3.0
+**New feature**
+* Further support Symfony 4 by adhering to the Twig environment in favor of
+  the old 'Environment' solution
+
 # 4.2.0
 **New feature**
 * Support for SAML extensions on Authn SAML requests

README.md

@@ -66,9 +66,25 @@ surfnet_saml:
               assertion_consumer_service_url: "%surfnet_saml_remote_sp_acs%"            
 ```
 
-The hosted configuration lists the configuration for the services (SP, IdP or both) that your application offers. SP and IdP
+The `hosted:` configuration lists the configuration for the services (SP, IdP or both) that your application offers. SP and IdP
  functionality can be turned off and on individually through the repective `enabled` flags.
-The remote configuration lists, if enabled, the configuration for a remote IdP to connect to.
+
+The `remote:` configuration lists, if enabled, the configuration for one or more remote service providers and identity providers to connect to.
+If your application authenticates with a single identity provider, you can use the `identity_provider:` option as shown above. The identity
+provider can be accessed runtime using the `@surfnet_saml.remote.idp` service.
+
+If your application authenticates with more than one identity providers, you can omit the `identity_provider:` key from configuration and list all
+identity providers under `identity_providers:`. The identity providers can be accessed by using the `@surfnet_saml.remote.identity_providers` service.
+```yaml
+    remote:
+        identity_providers:
+            -  enabled: true
+               entity_id: %surfnet_saml_remote_idp_entity_id%
+               sso_url: %surfnet_saml_remote_idp_sso_url%
+               certificate: %surfnet_saml_remote_idp_certificate%
+
+```
+
 The inlined certificate in the last line can be replaced with `certificate_file` containing a filesystem path to
 a file which contains said certificate.
 It is recommended to use parameters as listed above. The various `publickey` and `privatekey` variables are the

composer.json

@@ -7,22 +7,24 @@
     "minimum-stability": "stable",
     "require": {
         "php": ">=7.2,<8.0-dev",
+        "ext-dom": "*",
         "ext-openssl": "*",
         "robrichards/xmlseclibs": "^3.0.4",
         "simplesamlphp/saml2": "3.2.*",
         "symfony/dependency-injection": "^4.4",
         "symfony/framework-bundle": "^4.4",
         "symfony/templating": "^4.4",
-        "ext-dom": "*"
+        "twig/twig": "^2"
     },
     "require-dev": {
+        "jasny/phpunit-xsdvalidation": "^1.0",
+        "mockery/mockery": "~0.9",
         "phpmd/phpmd": "^2.6",
         "phpunit/phpunit": "^5.7",
+        "psr/log": "~1.0",
         "sebastian/exporter": "~2.0",
         "sebastian/phpcpd": "^2.0",
         "squizlabs/php_codesniffer": "^3.0",
-        "mockery/mockery": "~0.9",
-        "psr/log": "~1.0",
         "symfony/phpunit-bridge": "^4.4"
     },
     "config": {

src/DependencyInjection/Configuration.php

@@ -19,6 +19,7 @@
 namespace Surfnet\SamlBundle\DependencyInjection;
 
 use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
+use Symfony\Component\Config\Definition\Builder\NodeBuilder;
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
 
@@ -34,8 +35,8 @@ class Configuration implements ConfigurationInterface
      */
     public function getConfigTreeBuilder()
     {
-        $treeBuilder = new TreeBuilder();
-        $rootNode = $treeBuilder->root('surfnet_saml');
+        $treeBuilder = new TreeBuilder('surfnet_saml');
+        $rootNode = $treeBuilder->getRootNode();
 
         $this->addHostedSection($rootNode);
         $this->addRemoteSection($rootNode);
@@ -137,39 +138,69 @@ private function addRemoteSection(ArrayNodeDefinition $rootNode)
             ->children()
             ->arrayNode('remote');
 
-        $this->addRemoteIdentityProviderSection($remoteNode);
+        $this->addRemoteIdentityProvidersSection($remoteNode);
         $this->addRemoteServiceProvidersSection($remoteNode);
+
+        // For backwards compatibility: support configuring a single remote IDP
+        $this->addRemoteIdentityProviderSection($remoteNode);
     }
 
     private function addRemoteIdentityProviderSection(ArrayNodeDefinition $remoteNode)
     {
-        $remoteNode
+        $arrayNode = $remoteNode
             ->children()
             ->arrayNode('identity_provider')
                 ->canBeEnabled()
-                ->children()
-                    ->scalarNode('entity_id')
-                        ->isRequired()
-                        ->info('The EntityID of the remote identity provider')
-                    ->end()
-                    ->scalarNode('sso_url')
-                        ->isRequired()
-                        ->info('The name of the route to generate the SSO URL')
-                    ->end()
-                    ->scalarNode('certificate')
-                        ->info(
-                            'The contents of the certificate used to sign the AuthnResponse with'
-                        )
-                    ->end()
-                    ->scalarNode('certificate_file')
-                        ->info(
-                            'A file containing the certificate used to sign the AuthnResponse with'
-                        )
-                    ->end()
+                ->children();
+
+        $this->addRemoteIdentityProviderConfiguration($arrayNode);
+
+        $arrayNode
                 ->end()
             ->end();
     }
 
+
+    private function addRemoteIdentityProviderConfiguration(NodeBuilder $arrayNode)
+    {
+        $arrayNode
+          ->scalarNode('entity_id')
+              ->isRequired()
+              ->info('The EntityID of the remote identity provider')
+          ->end()
+          ->scalarNode('sso_url')
+              ->isRequired()
+              ->info('The name of the route to generate the SSO URL')
+          ->end()
+          ->scalarNode('certificate')
+              ->info(
+                  'The contents of the certificate used to sign the AuthnResponse with'
+              )
+          ->end()
+          ->scalarNode('certificate_file')
+              ->info(
+                  'A file containing the certificate used to sign the AuthnResponse with'
+              )
+          ->end();
+    }
+
+    private function addRemoteIdentityProvidersSection(ArrayNodeDefinition $remoteNode)
+    {
+        $arrayNode = $remoteNode
+            ->children()
+                ->arrayNode('identity_providers')
+                     ->prototype('array')
+                        ->children();
+
+        $this->addRemoteIdentityProviderConfiguration($arrayNode);
+
+        $arrayNode
+                      ->end()
+                  ->end()
+              ->end()
+          ->end();
+    }
+
     private function addRemoteServiceProvidersSection(ArrayNodeDefinition $remoteNode)
     {
         $remoteNode

src/DependencyInjection/SurfnetSamlExtension.php

@@ -20,6 +20,7 @@
 
 use Surfnet\SamlBundle\Entity\IdentityProvider;
 use Surfnet\SamlBundle\Entity\ServiceProvider;
+use Surfnet\SamlBundle\Entity\StaticIdentityProviderRepository;
 use Surfnet\SamlBundle\Entity\StaticServiceProviderRepository;
 use Surfnet\SamlBundle\Exception\SamlInvalidConfigurationException;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
@@ -149,20 +150,46 @@ private function parseMetadataConfiguration(array $configuration, ContainerBuild
      */
     private function parseRemoteConfiguration(array $remoteConfiguration, ContainerBuilder $container)
     {
-        $this->parseRemoteIdentityProviderConfiguration($remoteConfiguration['identity_provider'], $container);
         $this->parseRemoteServiceProviderConfigurations($remoteConfiguration['service_providers'], $container);
+
+        // Parse a configuration where multiple remote IDPs are configured (identity_providers:)
+        $this->parseRemoteIdentityProviderConfigurations($remoteConfiguration['identity_providers'], $container);
+
+        // Parse a single remote IDP configuration (identity_provider:)
+        if (!empty($remoteConfiguration['identity_provider']['enabled'])) {
+            $definition = $this->parseRemoteIdentityProviderConfiguration($remoteConfiguration['identity_provider']);
+
+            if ($definition !== null) {
+                $container->setDefinition('surfnet_saml.remote.idp', $definition);
+            }
+        }
     }
 
     /**
-     * @param array            $identityProvider
-     * @param ContainerBuilder $container
+     * @param array $identityProviders
+     * @param $container
+     * @throws \Surfnet\SamlBundle\Exception\SamlInvalidConfigurationException
      */
-    private function parseRemoteIdentityProviderConfiguration(array $identityProvider, ContainerBuilder $container)
+    private function parseRemoteIdentityProviderConfigurations(array $identityProviders, ContainerBuilder $container)
     {
-        if (!$identityProvider['enabled']) {
-            return;
-        }
+        $definitions = array_map(function ($config) {
+            return $this->parseRemoteIdentityProviderConfiguration($config);
+        }, $identityProviders);
+
+        $definition = new Definition(StaticIdentityProviderRepository::class, [
+          $definitions
+        ]);
+        $definition->setPublic(true);
+        $container->setDefinition('surfnet_saml.remote.identity_providers', $definition);
+    }
 
+    /**
+     * @param array $identityProvider
+     *
+     * @return Definition
+     */
+    private function parseRemoteIdentityProviderConfiguration(array $identityProvider)
+    {
         $definition = new Definition(IdentityProvider::class);
         $configuration = [
             'entityId' => $identityProvider['entity_id'],
@@ -175,7 +202,9 @@ private function parseRemoteIdentityProviderConfiguration(array $identityProvide
         );
 
         $definition->setArguments([$configuration]);
-        $container->setDefinition('surfnet_saml.remote.idp', $definition);
+        $definition->setPublic(true);
+
+        return $definition;
     }
 
     /**
@@ -192,6 +221,7 @@ private function parseRemoteServiceProviderConfigurations(array $serviceProvider
         $definition = new Definition(StaticServiceProviderRepository::class, [
             $definitions
         ]);
+        $definition->setPublic(true);
         $container->setDefinition('surfnet_saml.remote.service_providers', $definition);
     }
 

src/Entity/IdentityProviderRepository.php

@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * Copyright 2017 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\SamlBundle\Entity;
+
+interface IdentityProviderRepository
+{
+    /**
+     * @param string $entityId
+     * @return IdentityProvider
+     */
+    public function getIdentityProvider($entityId);
+
+    /**
+     * @param string $entityId
+     * @return bool
+     */
+    public function hasIdentityProvider($entityId);
+}

src/Entity/ImmutableCollection/IdentityProviders.php

@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * Copyright 2017 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\SamlBundle\Entity\ImmutableCollection;
+
+use Surfnet\SamlBundle\Entity\IdentityProvider;
+
+/**
+ * Collection of identity providers
+ *
+ * Protects the integrity and provides low level logic functions.
+ */
+final class IdentityProviders
+{
+    private $identityProviders;
+
+    /**
+     *
+     * @param IdentityProvider[] $identityProviders
+     */
+    public function __construct(array $identityProviders)
+    {
+        $this->identityProviders = array_values($identityProviders);
+    }
+
+    public function hasByEntityId($entityId)
+    {
+        return $this->findByEntityId($entityId) !== null;
+    }
+
+    public function findByEntityId($entityId)
+    {
+        return $this->find(function (IdentityProvider $provider) use ($entityId) {
+            return $provider->getEntityId() === $entityId;
+        });
+    }
+
+    private function find(callable $callback)
+    {
+        foreach ($this->identityProviders as $provider) {
+            if ($callback($provider)) {
+                return $provider;
+            }
+        }
+        return null;
+    }
+}