Bumb OIDF support to draft 42 (#5)

* Update metadata policy resolver

* Fix phpstan

* Enable setting expected Trust Mark Type header

* Move to trust_mark_id instead of id claim

* Move to prepared sets for rector config

* Disable VALIDATE_PHP_BUILTIN for super-linter GHA

* Linter: remove unnecessary escape character

* Remove metadata-policy-test-vectors-2025-02-13.json:Zone.Identifier

* Update readme

Author: cicnavi

.github/workflows/php.yml

@@ -34,7 +34,7 @@ jobs:
           LOG_LEVEL: NOTICE
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JSON: true
-          VALIDATE_PHP_BUILTIN: true
+#          VALIDATE_PHP_BUILTIN: true
           VALIDATE_YAML: true
           VALIDATE_GITHUB_ACTIONS: true
 

README.md

@@ -15,7 +15,7 @@ Library can be installed by using Composer:
 composer require simplesamlphp/openid
 ```
 
-## OpenID Federation (draft 41)
+## OpenID Federation (draft 42)
 
 The initial functionality of the library revolves around the OpenID Federation specification. To use it, create an
 instance of the class `\SimpleSAML\OpenID\Federation`
@@ -226,13 +226,15 @@ try {
         $trustMarkId,
         $leafEntityConfigurationStatement,
         $trustAnchorConfigurationStatement,
+        $expectedJwtType = \SimpleSAML\OpenID\Codebooks\JwtTypesEnum::TrustMarkJwt,
     );
 
     // Example which always does formal validation (does not use cache).
     $federationTools->trustMarkValidator()->doForTrustMarkId(
         $trustMarkId,
         $leafEntityConfigurationStatement,
         $trustAnchorConfigurationStatement,
+        $expectedJwtType = \SimpleSAML\OpenID\Codebooks\JwtTypesEnum::TrustMarkJwt,
     );
 } catch (\Throwable $exception) {
     $this->logger->error('Trust Mark validation failed. Error was: ' . $exception->getMessage());

rector.php

@@ -11,7 +11,20 @@
     ])
     // uncomment to reach your current PHP version
     ->withPhpSets()
-    ->withTypeCoverageLevel(1000)
-    ->withDeadCodeLevel(1000)
-    ->withCodeQualityLevel(1000)
-    ;
+    ->withPreparedSets(
+        deadCode: true,
+        codeQuality: true,
+        codingStyle: true,
+        typeDeclarations: true,
+//        privatization: true,
+//        naming: true,
+        instanceOf: true,
+        earlyReturn: true,
+        strictBooleans: true,
+//        carbon: true,
+        rectorPreset: true,
+        phpunitCodeQuality: true,
+//        doctrineCodeQuality: true,
+//        symfonyCodeQuality: true,
+//        symfonyConfigs: true,
+    );

src/Claims/ClaimInterface.php

@@ -7,5 +7,6 @@
 interface ClaimInterface extends \JsonSerializable
 {
     public function getName(): string;
+
     public function getValue(): mixed;
 }

src/Codebooks/ClaimsEnum.php

@@ -82,6 +82,7 @@ enum ClaimsEnum: string
     case Typ = 'typ';
     case TrustChain = 'trust_chain';
     case TrustMark = 'trust_mark';
+    case TrustMarkId = 'trust_mark_id';
     case TrustMarkOwners = 'trust_mark_owners';
     case TrustMarks = 'trust_marks';
     case UserinfoEndpoint = 'userinfo_endpoint';

src/Codebooks/MetadataPolicyOperatorsEnum.php

@@ -202,38 +202,49 @@ public function getSupportedOperatorCombinations(): array
             $this->value,
             ...match ($this) {
                 self::Value => [
+                    self::Add->value,
+                    self::Default->value,
+                    self::OneOf->value,
+                    self::SubsetOf->value,
+                    self::SupersetOf->value,
                     self::Essential->value,
                 ],
                 self::Add => [
+                    self::Value->value,
                     self::Default->value,
                     self::SubsetOf->value,
                     self::SupersetOf->value,
                     self::Essential->value,
                 ],
                 self::Default => [
+                    self::Value->value,
                     self::Add->value,
                     self::OneOf->value,
                     self::SubsetOf->value,
                     self::SupersetOf->value,
                     self::Essential->value,
                 ],
                 self::OneOf => [
+                    self::Value->value,
                     self::Default->value,
                     self::Essential->value,
                 ],
                 self::SubsetOf => [
+                    self::Value->value,
                     self::Add->value,
                     self::Default->value,
                     self::SupersetOf->value,
                     self::Essential->value,
                 ],
                 self::SupersetOf => [
+                    self::Value->value,
                     self::Add->value,
                     self::Default->value,
                     self::SubsetOf->value,
                     self::Essential->value,
                 ],
                 self::Essential => [
+                    self::Value->value,
                     self::Add->value,
                     self::Default->value,
                     self::OneOf->value,
@@ -282,6 +293,7 @@ public static function validateGeneralParameterOperationRules(array $parameterOp
                     ),
                 );
             }
+
             // If operator combination is not allowed, throw.
             if (!$metadataPolicyOperatorsEnum->isOperatorCombinationSupported($parameterOperatorKeys)) {
                 throw new MetadataPolicyException(
@@ -311,19 +323,65 @@ public static function validateSpecificParameterOperationRules(array $parameterO
 
             $operatorValue = $parameterOperations[$metadataPolicyOperatorEnum->value];
 
-            // No special resolving rules for operator 'value', continue with 'add'.
-            if ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Add) {
-                /** @var array<mixed> $operatorValue We ensured this is array. */
-                // If add is combined with subset_of, the values of add MUST be a subset of the values of
+            // Start with operator 'value'.
+            if ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Value) {
+                // MAY be combined with add, in which case the values of add MUST be a subset of the values of value.
+                if (
+                    in_array(MetadataPolicyOperatorsEnum::Add->value, $parameterOperatorKeys, true)
+                ) {
+                    /** @var array<mixed> $subset We ensured this is array. */
+                    $subset = $parameterOperations[MetadataPolicyOperatorsEnum::Add->value];
+                    if (!MetadataPolicyOperatorsEnum::Value->isValueSupersetOf($operatorValue, $subset)) {
+                        throw new MetadataPolicyException(
+                            sprintf(
+                                'Operator %s, value %s is not superset of %s.',
+                                $metadataPolicyOperatorEnum->value,
+                                var_export($operatorValue, true),
+                                var_export($subset, true),
+                            ),
+                        );
+                    }
+                }
+
+                // MAY be combined with default if the value of value is not null.
+                if (
+                    in_array(MetadataPolicyOperatorsEnum::Default->value, $parameterOperatorKeys, true) &&
+                    is_null($operatorValue)
+                ) {
+                    throw new MetadataPolicyException(
+                        sprintf(
+                            'Operator %s, value null can not be combined with operator default.',
+                            $metadataPolicyOperatorEnum->value,
+                        ),
+                    );
+                }
+
+                // MAY be combined with one_of, in which case the value of value MUST be among the one_of values.
+                if (
+                    in_array(MetadataPolicyOperatorsEnum::OneOf->value, $parameterOperatorKeys, true)
+                ) {
+                    /** @var array<mixed> $oneOf We ensured this is array. */
+                    $oneOf = $parameterOperations[MetadataPolicyOperatorsEnum::OneOf->value];
+                    if (!in_array($operatorValue, $oneOf)) {
+                        throw new MetadataPolicyException(
+                            sprintf(
+                                'Operator %s, value %s is not one of %s.',
+                                $metadataPolicyOperatorEnum->value,
+                                var_export($operatorValue, true),
+                                var_export($oneOf, true),
+                            ),
+                        );
+                    }
+                }
+
+                // MAY be combined with subset_of, in which case the values of value MUST be a subset of the values of
                 // subset_of.
                 if (
                     in_array(MetadataPolicyOperatorsEnum::SubsetOf->value, $parameterOperatorKeys, true)
                 ) {
                     /** @var array<mixed> $superset We ensured this is array. */
-                    $superset = $parameterOperations[
-                    MetadataPolicyOperatorsEnum::SubsetOf->value
-                    ];
-                    if (!MetadataPolicyOperatorsEnum::Add->isValueSubsetOf($operatorValue, $superset)) {
+                    $superset = $parameterOperations[MetadataPolicyOperatorsEnum::SubsetOf->value];
+                    if (!MetadataPolicyOperatorsEnum::Value->isValueSubsetOf($operatorValue, $superset)) {
                         throw new MetadataPolicyException(
                             sprintf(
                                 'Operator %s, value %s is not subset of %s.',
@@ -334,20 +392,15 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                         );
                     }
                 }
-                // If add is combined with superset_of, the values of add MUST be a superset of the values
+
+                // MAY be combined with superset_of, in which case the values of value MUST be a superset of the values
                 // of superset_of.
                 if (
-                    in_array(
-                        MetadataPolicyOperatorsEnum::SupersetOf->value,
-                        $parameterOperatorKeys,
-                        true,
-                    )
+                    in_array(MetadataPolicyOperatorsEnum::SupersetOf->value, $parameterOperatorKeys, true)
                 ) {
                     /** @var array<mixed> $subset We ensured this is array. */
-                    $subset = $parameterOperations[
-                    MetadataPolicyOperatorsEnum::SupersetOf->value
-                    ];
-                    if (!MetadataPolicyOperatorsEnum::Add->isValueSupersetOf($operatorValue, $subset)) {
+                    $subset = $parameterOperations[MetadataPolicyOperatorsEnum::SupersetOf->value];
+                    if (!MetadataPolicyOperatorsEnum::Value->isValueSupersetOf($operatorValue, $subset)) {
                         throw new MetadataPolicyException(
                             sprintf(
                                 'Operator %s, value %s is not superset of %s.',
@@ -358,36 +411,36 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                         );
                     }
                 }
-            } elseif ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Default) {
-                // If default is combined with one_of, the default value MUST be among the one_of values.
+
+                // MAY be combined with essential, except when value is null and essential is true.
                 if (
-                    in_array(MetadataPolicyOperatorsEnum::OneOf->value, $parameterOperatorKeys, true)
+                    in_array(MetadataPolicyOperatorsEnum::Essential->value, $parameterOperatorKeys, true)
                 ) {
-                    /** @var array<mixed> $superset We ensured this is array. */
-                    $superset = $parameterOperations[
-                    MetadataPolicyOperatorsEnum::OneOf->value
-                    ];
-                    if (!MetadataPolicyOperatorsEnum::OneOf->isValueSubsetOf($operatorValue, $superset)) {
+                    $essential = $parameterOperations[MetadataPolicyOperatorsEnum::Essential->value];
+                    if ($operatorValue === null && $essential === true) {
                         throw new MetadataPolicyException(
                             sprintf(
-                                'Operator %s, value %s is not one of %s.',
+                                'Operator %s, value %s can not be combined with essential value true.',
                                 $metadataPolicyOperatorEnum->value,
                                 var_export($operatorValue, true),
-                                var_export($superset, true),
                             ),
                         );
                     }
                 }
-                // If default is combined with subset_of, the value of default MUST be a subset of the
-                // values of subset_of.
+            } elseif ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Add) {
+                // MAY be combined with value, in which case the values of add MUST be a subset of the values of value.
+                // We handle this in value case.
+
+                // MAY be combined with subset_of, in which case the values of add MUST be a subset of the values of
+                // subset_of.
                 if (
                     in_array(MetadataPolicyOperatorsEnum::SubsetOf->value, $parameterOperatorKeys, true)
                 ) {
                     /** @var array<mixed> $superset We ensured this is array. */
                     $superset = $parameterOperations[
                     MetadataPolicyOperatorsEnum::SubsetOf->value
                     ];
-                    if (!MetadataPolicyOperatorsEnum::Default->isValueSubsetOf($operatorValue, $superset)) {
+                    if (!MetadataPolicyOperatorsEnum::Add->isValueSubsetOf($operatorValue, $superset)) {
                         throw new MetadataPolicyException(
                             sprintf(
                                 'Operator %s, value %s is not subset of %s.',
@@ -398,38 +451,22 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                         );
                     }
                 }
-                // If default is combined with superset_of, the values of default MUST be a superset of
-                // the values of superset_of.
-                if (
-                    in_array(
-                        MetadataPolicyOperatorsEnum::SupersetOf->value,
-                        $parameterOperatorKeys,
-                        true,
-                    )
-                ) {
-                    /** @var array<mixed> $subset We ensured this is array. */
-                    $subset = $parameterOperations[
-                    MetadataPolicyOperatorsEnum::SupersetOf->value
-                    ];
-                    if (!MetadataPolicyOperatorsEnum::Default->isValueSupersetOf($operatorValue, $subset)) {
-                        throw new MetadataPolicyException(
-                            sprintf(
-                                'Operator %s, value %s is not superset of %s.',
-                                $metadataPolicyOperatorEnum->value,
-                                var_export($operatorValue, true),
-                                var_export($subset, true),
-                            ),
-                        );
-                    }
-                }
 
-                // Operator one_of has special rule when combined with default, but we already handled that
-                // when we encountered default. We can continue to subset_of.
+                // Operator default
+                // MAY be combined with value if the value of value is not null. -> handled in value case.
+
+                // Operator one_of
+                // MAY be combined with value, in which case the value of value MUST be among the one_of values. ->
+                // handled in value case.
             } elseif ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::SubsetOf) {
-                // Operator subset_of has special rule when combined with add or default, but we already
-                // handled that. We'll only handle special case for superset_of.
-                // If subset_of is combined with superset_of, the values of subset_of MUST be a superset of
-                // the values of superset_of.
+                // MAY be combined with value, in which case the values of value MUST be a subset of the values of
+                // subset_of. -> handled in value case.
+
+                // MAY be combined with add, in which case the values of add MUST be a subset of the values of
+                // subset_of. -> handled in add case.
+
+                // MAY be combined with superset_of, in which case the values of subset_of MUST be a superset of the
+                // values of superset_of.
                 if (
                     in_array(
                         MetadataPolicyOperatorsEnum::SupersetOf->value,
@@ -453,8 +490,16 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                     }
                 }
 
-                // Operator superset_of has special rules when combined with add, default and subset_of,
-                // but we already handle those. Operator essential doesn't have any special rules.
+                // Operator superset_of
+                // MAY be combined with value, in which case the values of value MUST be a superset of the values of
+                // superset_of. -> handled in value case.
+                // MAY be combined with subset_of, in which case the values of subset_of MUST be a superset of the
+                // values of superset_of. -> handled in subset_of case
+
+                // Operator essential
+                // MAY be combined with value, except when value is null and essential is true. -> handled in value
+                // case.
+
                 // We can continue with merging.
             }
         }