Enable TrustMarks listing in entity configuration

Author: cicnavi

config-templates/module_oidc.php

@@ -355,6 +355,12 @@
         //'https://intermediate.example.org/',
     ],
 
+    // (optional) Federation Trust Mark tokens. An array of tokens (signed JWTs), each representing a Trust Mark
+    // issued to this entity.
+    ModuleConfig::OPTION_FEDERATION_TRUST_MARK_TOKENS => [
+//        'eyJ...GHg',
+    ],
+
     // (optional) Dedicated federation cache adapter, used to cache federation artifacts like trust chains, entity
     // statements, etc. It will also be used for token reuse check in federation context. Setting this option is
     // recommended in production environments. If set to null, no caching will be used. Can be set to any

src/Controller/Federation/EntityStatementController.php

@@ -20,6 +20,7 @@
 use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
 use SimpleSAML\OpenID\Codebooks\HttpHeadersEnum;
 use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
+use SimpleSAML\OpenID\Federation;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -39,6 +40,7 @@ public function __construct(
         private readonly OpMetadataService $opMetadataService,
         private readonly ClientRepository $clientRepository,
         private readonly Helpers $helpers,
+        private readonly Federation $federation,
         private readonly ?FederationCache $federationCache,
     ) {
         if (!$this->moduleConfig->getFederationEnabled()) {
@@ -52,6 +54,8 @@ public function __construct(
      * @return \Symfony\Component\HttpFoundation\Response
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
      * @throws \ReflectionException
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \Psr\SimpleCache\InvalidArgumentException
      */
     public function configuration(): Response
     {
@@ -121,14 +125,32 @@ public function configuration(): Response
             $builder = $builder->withClaim(ClaimsEnum::AuthorityHints->value, $authorityHints);
         }
 
+        if (
+            is_array($trustMarkTokens = $this->moduleConfig->getFederationTrustMarkTokens()) &&
+            (!empty($trustMarkTokens))
+        ) {
+            $trustMarks = array_map(function (string $token): array {
+                $trustMarkEntity = $this->federation->trustMarkFactory()->fromToken($token);
+
+                if ($trustMarkEntity->getSubject() !== $this->moduleConfig->getIssuer()) {
+                    throw OidcServerException::serverError(sprintf(
+                        'Trust Mark %s is not intended for this entity.',
+                        $trustMarkEntity->getIdentifier(),
+                    ));
+                }
+
+                return [
+                    ClaimsEnum::Id->value => $trustMarkEntity->getIdentifier(),
+                    ClaimsEnum::TrustMark->value => $token,
+                ];
+            }, $trustMarkTokens);
+
+            $builder = $builder->withClaim(ClaimsEnum::TrustMarks->value, $trustMarks);
+        }
+
+        // TODO mivanci Continue
         // Remaining claims, add if / when ready.
         // * crit
-        // * trust_marks
-        // * trust_mark_issuers
-        // * source_endpoint
-
-        // Note: claims which should only be present in Trust Anchors
-        // * trust_mark_owners
 
         $jws = $this->jsonWebTokenBuilderService->getSignedFederationJwt($builder);
 
@@ -219,6 +241,7 @@ public function fetch(Request $request): Response
                 ],
             );
 
+        // TODO mivanci Continue
         // Note: claims which can be present in subordinate statements:
         // * metadata_policy
         // * constraints

src/Controller/Federation/Test.php

@@ -68,31 +68,31 @@ public function __invoke(): Response
         $trustChain = $this->federation
             ->trustChainResolver()
             ->for(
-//                'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ALeaf/',
+                'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ALeaf/',
 //                'https://trust-anchor.testbed.oidcfed.incubator.geant.org/oidc/rp/',
 //                'https://relying-party-php.testbed.oidcfed.incubator.geant.org/',
-                'https://gorp.testbed.oidcfed.incubator.geant.org',
+//                'https://gorp.testbed.oidcfed.incubator.geant.org',
 //                'https://maiv1.incubator.geant.org',
                 [
-                    'https://trust-anchor.testbed.oidcfed.incubator.geant.org/',
-//                    'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ABTrustAnchor/',
+//                    'https://trust-anchor.testbed.oidcfed.incubator.geant.org/',
+                    'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ABTrustAnchor/',
 //                    'https://08-dap.localhost.markoivancic.from.hr/openid/entities/CTrustAnchor/',
                 ],
             );
 
         $leaf = $trustChain->getResolvedLeaf();
-        dd($leaf);
-//        $leafFederationJwks = $leaf->getJwks();
+//        dd($leaf);
+        $leafFederationJwks = $leaf->getJwks();
 //        dd($leafFederationJwks);
-        /** @psalm-suppress PossiblyNullArgument */
-//        $resolvedMetadata = $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty);
-//        $clientEntity = $this->clientEntityFactory->fromRegistrationData(
-//            $resolvedMetadata,
-//            RegistrationTypeEnum::FederatedAutomatic,
-//        );
+//        /** @psalm-suppress PossiblyNullArgument */
+        $resolvedMetadata = $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty);
+        $clientEntity = $this->clientEntityFactory->fromRegistrationData(
+            $resolvedMetadata,
+            RegistrationTypeEnum::FederatedAutomatic,
+        );
 //        dd($resolvedMetadata, $clientEntity);
-//        $jwksUri = $resolvedMetadata['jwks_uri'] ?? null;
-//        $signedJwksUri = $resolvedMetadata['signed_jwks_uri'] ?? null;
+        $jwksUri = $resolvedMetadata['jwks_uri'] ?? null;
+        $signedJwksUri = $resolvedMetadata['signed_jwks_uri'] ?? null;
 //        dd($leaf, $leafFederationJwks, $resolvedMetadata, $jwksUri, $signedJwksUri);
 //        $cachedJwks = $jwksUri ? $this->jwks->jwksFetcher()->fromCache($jwksUri) : null;
 //        $jwks = $jwksUri ? $this->jwks->jwksFetcher()->fromJwksUri($jwksUri) : null;
@@ -112,10 +112,10 @@ public function __invoke(): Response
 //        ],
 //];
 //        $signedJwksUri = 'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ALeaf/signed-jwks';
-//        $signedJwks = $signedJwksUri ? $this->jwks->jwksFetcher()
-//            ->fromSignedJwksUri($signedJwksUri, $leafFederationJwks) : null;
-//        $cachedSignedJwks = $signedJwksUri ? $this->jwks->jwksFetcher()->fromCache($signedJwksUri) : null;
-//        dd($signedJwksUri, $cachedSignedJwks, $signedJwks);
+        $signedJwks = $signedJwksUri ? $this->jwks->jwksFetcher()
+            ->fromSignedJwksUri($signedJwksUri, $leafFederationJwks) : null;
+        $cachedSignedJwks = $signedJwksUri ? $this->jwks->jwksFetcher()->fromCache($signedJwksUri) : null;
+        dd($signedJwksUri, $cachedSignedJwks, $signedJwks);
 //        dd(
 //            $signedJwksUri,
 //            $cachedSignedJwks,

src/ModuleConfig.php

@@ -76,6 +76,7 @@ class ModuleConfig
     final public const OPTION_FEDERATION_CACHE_ADAPTER_ARGUMENTS = 'federation_cache_adapter_arguments';
     final public const OPTION_FEDERATION_CACHE_MAX_DURATION = 'federation_cache_max_duration';
     final public const OPTION_FEDERATION_TRUST_ANCHORS = 'federation_trust_anchors';
+    final public const OPTION_FEDERATION_TRUST_MARK_TOKENS = 'federation_trust_mark_tokens';
     final public const OPTION_FEDERATION_ENTITY_STATEMENT_CACHE_DURATION = 'federation_entity_statement_cache_duration';
     final public const OPTION_PROTOCOL_CACHE_ADAPTER = 'protocol_cache_adapter';
     final public const OPTION_PROTOCOL_CACHE_ADAPTER_ARGUMENTS = 'protocol_cache_adapter_arguments';
@@ -478,6 +479,16 @@ public function getFederationAuthorityHints(): ?array
         return empty($authorityHints) ? null : $authorityHints;
     }
 
+    public function getFederationTrustMarkTokens(): ?array
+    {
+        $trustMarks = $this->config()->getOptionalArray(
+            self::OPTION_FEDERATION_TRUST_MARK_TOKENS,
+            null,
+        );
+
+        return empty($trustMarks) ? null : $trustMarks;
+    }
+
     public function getOrganizationName(): ?string
     {
         return $this->config()->getOptionalString(