2 changes: 1 addition & 1 deletion .github/workflows/php.yml
Expand Up @@ -34,7 +34,7 @@ jobs:
LOG_LEVEL: NOTICE
VALIDATE_ALL_CODEBASE: true
VALIDATE_JSON: true
VALIDATE_PHP_BUILTIN: true
# VALIDATE_PHP_BUILTIN: true
VALIDATE_YAML: true
VALIDATE_GITHUB_ACTIONS: true

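Review bot: The new `# VALIDATE_PHP_BUILTIN: true` line switches off the built-in PHP syntax check (these look like super-linter options) without recording why, so a later maintainer cannot tell whether this is a temporary workaround or a deliberate decision. Add a short comment above it, e.g. `# VALIDATE_PHP_BUILTIN disabled: <reason> — re-enable once resolved`, or delete the line outright if it is not coming back; a commented-out validator reads as dead config either way.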
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -15,7 +15,7 @@ Library can be installed by using Composer:
composer require simplesamlphp/openid
```

## OpenID Federation (draft 41)
## OpenID Federation (draft 42)

The initial functionality of the library revolves around the OpenID Federation specification. To use it, create an
instance of the class `\SimpleSAML\OpenID\Federation`
Expand Down Expand Up @@ -226,13 +226,15 @@ try {
$trustMarkId,
$leafEntityConfigurationStatement,
$trustAnchorConfigurationStatement,
$expectedJwtType = \SimpleSAML\OpenID\Codebooks\JwtTypesEnum::TrustMarkJwt,
);

// Example which always does formal validation (does not use cache).
$federationTools->trustMarkValidator()->doForTrustMarkId(
$trustMarkId,
$leafEntityConfigurationStatement,
$trustAnchorConfigurationStatement,
$expectedJwtType = \SimpleSAML\OpenID\Codebooks\JwtTypesEnum::TrustMarkJwt,
);
} catch (\Throwable $exception) {
$this->logger->error('Trust Mark validation failed. Error was: ' . $exception->getMessage());
21 changes: 17 additions & 4 deletions rector.php
Expand Up @@ -11,7 +11,20 @@
])
// uncomment to reach your current PHP version
->withPhpSets()
->withTypeCoverageLevel(1000)
->withDeadCodeLevel(1000)
->withCodeQualityLevel(1000)
;
->withPreparedSets(
deadCode: true,
codeQuality: true,
codingStyle: true,
typeDeclarations: true,
// privatization: true,
// naming: true,
instanceOf: true,
earlyReturn: true,
strictBooleans: true,
// carbon: true,
rectorPreset: true,
phpunitCodeQuality: true,
// doctrineCodeQuality: true,
// symfonyCodeQuality: true,
// symfonyConfigs: true,
);
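Review bot: The new `->withPreparedSets(...)` call carries six commented-out named arguments (`privatization`, `naming`, `carbon`, `doctrineCodeQuality`, `symfonyCodeQuality`, `symfonyConfigs`), which is commented-out code in configuration: named arguments already make the available sets discoverable, so the disabled lines add nothing unless the reason for disabling them is stated. Either drop them or keep a single comment such as `// privatization/naming intentionally off: <reason>` so the choice is recorded. The context line `// uncomment to reach your current PHP version` above `->withPhpSets()` is also stale now that the call is active, and could be cleaned up in the same pass.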
1 change: 1 addition & 0 deletions src/Claims/ClaimInterface.php
Expand Up @@ -7,5 +7,6 @@
interface ClaimInterface extends \JsonSerializable
{
public function getName(): string;

public function getValue(): mixed;
}
1 change: 1 addition & 0 deletions src/Codebooks/ClaimsEnum.php
Expand Up @@ -82,6 +82,7 @@ enum ClaimsEnum: string
case Typ = 'typ';
case TrustChain = 'trust_chain';
case TrustMark = 'trust_mark';
case TrustMarkId = 'trust_mark_id';
case TrustMarkOwners = 'trust_mark_owners';
case TrustMarks = 'trust_marks';
case UserinfoEndpoint = 'userinfo_endpoint';
171 changes: 108 additions & 63 deletions src/Codebooks/MetadataPolicyOperatorsEnum.php
Expand Up @@ -202,38 +202,49 @@ public function getSupportedOperatorCombinations(): array
$this->value,
...match ($this) {
self::Value => [
self::Add->value,
self::Default->value,
self::OneOf->value,
self::SubsetOf->value,
self::SupersetOf->value,
self::Essential->value,
],
self::Add => [
self::Value->value,
self::Default->value,
self::SubsetOf->value,
self::SupersetOf->value,
self::Essential->value,
],
self::Default => [
self::Value->value,
self::Add->value,
self::OneOf->value,
self::SubsetOf->value,
self::SupersetOf->value,
self::Essential->value,
],
self::OneOf => [
self::Value->value,
self::Default->value,
self::Essential->value,
],
self::SubsetOf => [
self::Value->value,
self::Add->value,
self::Default->value,
self::SupersetOf->value,
self::Essential->value,
],
self::SupersetOf => [
self::Value->value,
self::Add->value,
self::Default->value,
self::SubsetOf->value,
self::Essential->value,
],
self::Essential => [
self::Value->value,
self::Add->value,
self::Default->value,
self::OneOf->value,
Expand Down Expand Up @@ -282,6 +293,7 @@ public static function validateGeneralParameterOperationRules(array $parameterOp
),
);
}

// If operator combination is not allowed, throw.
if (!$metadataPolicyOperatorsEnum->isOperatorCombinationSupported($parameterOperatorKeys)) {
throw new MetadataPolicyException(
Expand Down Expand Up @@ -311,19 +323,65 @@ public static function validateSpecificParameterOperationRules(array $parameterO

$operatorValue = $parameterOperations[$metadataPolicyOperatorEnum->value];

// No special resolving rules for operator 'value', continue with 'add'.
if ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Add) {
/** @var array<mixed> $operatorValue We ensured this is array. */
// If add is combined with subset_of, the values of add MUST be a subset of the values of
// Start with operator 'value'.
if ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Value) {
// MAY be combined with add, in which case the values of add MUST be a subset of the values of value.
if (
in_array(MetadataPolicyOperatorsEnum::Add->value, $parameterOperatorKeys, true)
) {
/** @var array<mixed> $subset We ensured this is array. */
$subset = $parameterOperations[MetadataPolicyOperatorsEnum::Add->value];
if (!MetadataPolicyOperatorsEnum::Value->isValueSupersetOf($operatorValue, $subset)) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value %s is not superset of %s.',
$metadataPolicyOperatorEnum->value,
var_export($operatorValue, true),
var_export($subset, true),
),
);
}
}

// MAY be combined with default if the value of value is not null.
if (
in_array(MetadataPolicyOperatorsEnum::Default->value, $parameterOperatorKeys, true) &&
is_null($operatorValue)
) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value null can not be combined with operator default.',
$metadataPolicyOperatorEnum->value,
),
);
}

// MAY be combined with one_of, in which case the value of value MUST be among the one_of values.
if (
in_array(MetadataPolicyOperatorsEnum::OneOf->value, $parameterOperatorKeys, true)
) {
/** @var array<mixed> $oneOf We ensured this is array. */
$oneOf = $parameterOperations[MetadataPolicyOperatorsEnum::OneOf->value];
if (!in_array($operatorValue, $oneOf)) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value %s is not one of %s.',
$metadataPolicyOperatorEnum->value,
var_export($operatorValue, true),
var_export($oneOf, true),
),
);
}
}

// MAY be combined with subset_of, in which case the values of value MUST be a subset of the values of
// subset_of.
if (
in_array(MetadataPolicyOperatorsEnum::SubsetOf->value, $parameterOperatorKeys, true)
) {
/** @var array<mixed> $superset We ensured this is array. */
$superset = $parameterOperations[
MetadataPolicyOperatorsEnum::SubsetOf->value
];
if (!MetadataPolicyOperatorsEnum::Add->isValueSubsetOf($operatorValue, $superset)) {
$superset = $parameterOperations[MetadataPolicyOperatorsEnum::SubsetOf->value];
if (!MetadataPolicyOperatorsEnum::Value->isValueSubsetOf($operatorValue, $superset)) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value %s is not subset of %s.',
Expand All @@ -334,20 +392,15 @@ public static function validateSpecificParameterOperationRules(array $parameterO
);
}
}
// If add is combined with superset_of, the values of add MUST be a superset of the values

// MAY be combined with superset_of, in which case the values of value MUST be a superset of the values
// of superset_of.
if (
in_array(
MetadataPolicyOperatorsEnum::SupersetOf->value,
$parameterOperatorKeys,
true,
)
in_array(MetadataPolicyOperatorsEnum::SupersetOf->value, $parameterOperatorKeys, true)
) {
/** @var array<mixed> $subset We ensured this is array. */
$subset = $parameterOperations[
MetadataPolicyOperatorsEnum::SupersetOf->value
];
if (!MetadataPolicyOperatorsEnum::Add->isValueSupersetOf($operatorValue, $subset)) {
$subset = $parameterOperations[MetadataPolicyOperatorsEnum::SupersetOf->value];
if (!MetadataPolicyOperatorsEnum::Value->isValueSupersetOf($operatorValue, $subset)) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value %s is not superset of %s.',
Expand All @@ -358,36 +411,36 @@ public static function validateSpecificParameterOperationRules(array $parameterO
);
}
}
} elseif ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Default) {
// If default is combined with one_of, the default value MUST be among the one_of values.

// MAY be combined with essential, except when value is null and essential is true.
if (
in_array(MetadataPolicyOperatorsEnum::OneOf->value, $parameterOperatorKeys, true)
in_array(MetadataPolicyOperatorsEnum::Essential->value, $parameterOperatorKeys, true)
) {
/** @var array<mixed> $superset We ensured this is array. */
$superset = $parameterOperations[
MetadataPolicyOperatorsEnum::OneOf->value
];
if (!MetadataPolicyOperatorsEnum::OneOf->isValueSubsetOf($operatorValue, $superset)) {
$essential = $parameterOperations[MetadataPolicyOperatorsEnum::Essential->value];
if ($operatorValue === null && $essential === true) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value %s is not one of %s.',
'Operator %s, value %s can not be combined with essential value true.',
$metadataPolicyOperatorEnum->value,
var_export($operatorValue, true),
var_export($superset, true),
),
);
}
}
// If default is combined with subset_of, the value of default MUST be a subset of the
// values of subset_of.
} elseif ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Add) {
// MAY be combined with value, in which case the values of add MUST be a subset of the values of value.
// We handle this in value case.

// MAY be combined with subset_of, in which case the values of add MUST be a subset of the values of
// subset_of.
if (
in_array(MetadataPolicyOperatorsEnum::SubsetOf->value, $parameterOperatorKeys, true)
) {
/** @var array<mixed> $superset We ensured this is array. */
$superset = $parameterOperations[
MetadataPolicyOperatorsEnum::SubsetOf->value
];
if (!MetadataPolicyOperatorsEnum::Default->isValueSubsetOf($operatorValue, $superset)) {
if (!MetadataPolicyOperatorsEnum::Add->isValueSubsetOf($operatorValue, $superset)) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value %s is not subset of %s.',
Expand All @@ -398,38 +451,22 @@ public static function validateSpecificParameterOperationRules(array $parameterO
);
}
}
// If default is combined with superset_of, the values of default MUST be a superset of
// the values of superset_of.
if (
in_array(
MetadataPolicyOperatorsEnum::SupersetOf->value,
$parameterOperatorKeys,
true,
)
) {
/** @var array<mixed> $subset We ensured this is array. */
$subset = $parameterOperations[
MetadataPolicyOperatorsEnum::SupersetOf->value
];
if (!MetadataPolicyOperatorsEnum::Default->isValueSupersetOf($operatorValue, $subset)) {
throw new MetadataPolicyException(
sprintf(
'Operator %s, value %s is not superset of %s.',
$metadataPolicyOperatorEnum->value,
var_export($operatorValue, true),
var_export($subset, true),
),
);
}
}

// Operator one_of has special rule when combined with default, but we already handled that
// when we encountered default. We can continue to subset_of.
// Operator default
// MAY be combined with value if the value of value is not null. -> handled in value case.

// Operator one_of
// MAY be combined with value, in which case the value of value MUST be among the one_of values. ->
// handled in value case.
} elseif ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::SubsetOf) {
// Operator subset_of has special rule when combined with add or default, but we already
// handled that. We'll only handle special case for superset_of.
// If subset_of is combined with superset_of, the values of subset_of MUST be a superset of
// the values of superset_of.
// MAY be combined with value, in which case the values of value MUST be a subset of the values of
// subset_of. -> handled in value case.

// MAY be combined with add, in which case the values of add MUST be a subset of the values of
// subset_of. -> handled in add case.

// MAY be combined with superset_of, in which case the values of subset_of MUST be a superset of the
// values of superset_of.
if (
in_array(
MetadataPolicyOperatorsEnum::SupersetOf->value,
Expand All @@ -453,8 +490,16 @@ public static function validateSpecificParameterOperationRules(array $parameterO
}
}

// Operator superset_of has special rules when combined with add, default and subset_of,
// but we already handle those. Operator essential doesn't have any special rules.
// Operator superset_of
// MAY be combined with value, in which case the values of value MUST be a superset of the values of
// superset_of. -> handled in value case.
// MAY be combined with subset_of, in which case the values of subset_of MUST be a superset of the
// values of superset_of. -> handled in subset_of case

// Operator essential
// MAY be combined with value, except when value is null and essential is true. -> handled in value
// case.

// We can continue with merging.
}
}
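Review bot: The one_of check added in the `value` branch, `if (!in_array($operatorValue, $oneOf)) {`, is the only membership test in this hunk that omits `strict: true`, so loose comparison decides whether the policy value is among the allowed `one_of` values — `true`, `'1'` and `1` compare equal, as do `null` and `''` — and a value outside the allowed set can pass validation. Metadata policies come from entity statements issued by other federation entities, so this check should be as strict as its neighbours: `if (!in_array($operatorValue, $oneOf, true)) {`. Minor style point in the same branch: `is_null($operatorValue)` in the default check and `$operatorValue === null` in the essential check are two spellings of the same test; pick one. validateSpecificParameterOperationRules begins before the first hunk of this section, so the guards that establish `$operatorValue` as an array are outside the diff.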