Add initial dynamic Trust Mark fetch capabilities

Author: cicnavi

UPGRADE.md

@@ -47,6 +47,7 @@ and optionally a port (as in all previous module versions).
   - federation caching adapter and its arguments
   - PKI keys - federation keys used for example to sign federation entity statements
   - federation participation limiting based on Trust Marks for RPs
+  - (from v6.1) own Trust Marks to dynamically fetch
   - signer algorithm
   - entity statement duration
   - organization name

config/module_oidc.php.dist

@@ -369,11 +369,20 @@ $config = [
     ],
 
     // (optional) Federation Trust Mark tokens. An array of tokens (signed JWTs), each representing a Trust Mark
-    // issued to this entity.
+    // issued to this entity. This option is primarily intended for long-lasting or non-expiring tokens, so it
+    // is not necessary to dynamically fetch / refresh them.
     ModuleConfig::OPTION_FEDERATION_TRUST_MARK_TOKENS => [
 //        'eyJ...GHg',
     ],
 
+    // (optional) Federation Trust Marks for dynamic fetching. An array of key-value pairs, where key is Trust Mark ID
+    // and value is Trust Mark Issuer ID, each representing a Trust Mark issued to this entity. Each Trust Mark ID
+    // in this array will be dynamically fetched from noted Trust Mark Issuer as necessary. If federation caching
+    // is enabled (recommended), fetched Trust Marks will also be cached until their expiry.
+    ModuleConfig::OPTION_FEDERATION_DYNAMIC_TRUST_MARK_TOKENS => [
+//        'trust-mark-id' => 'trust-mark-issuer-id',
+    ],
+
     // (optional) Federation participation limit by Trust Marks. This is an array with the following format:
     // [
     //    'trust-anchor-id' => [

src/Controllers/Admin/ConfigController.php

@@ -68,7 +68,7 @@ public function protocolSettings(): Response
 
     public function federationSettings(): Response
     {
-        $trustMarks = null;
+        $trustMarks = [];
         if (is_array($trustMarkTokens = $this->moduleConfig->getFederationTrustMarkTokens())) {
             $trustMarks = array_map(
                 function (string $token): Federation\TrustMark {
@@ -78,6 +78,23 @@ function (string $token): Federation\TrustMark {
             );
         }
 
+        if (is_array($dynamicTrustMarks = $this->moduleConfig->getFederationDynamicTrustMarks())) {
+            /**
+             * @var non-empty-string $trustMarkId
+             * @var non-empty-string $trustMarkIssuerId
+             */
+            foreach ($dynamicTrustMarks as $trustMarkId => $trustMarkIssuerId) {
+                $trustMarkIssuerConfigurationStatement = $this->federation->entityStatementFetcher()
+                    ->fromCacheOrWellKnownEndpoint($trustMarkIssuerId);
+
+                $trustMarks[] = $this->federation->trustMarkFetcher()->fromCacheOrFederationTrustMarkEndpoint(
+                    $trustMarkId,
+                    $this->moduleConfig->getIssuer(),
+                    $trustMarkIssuerConfigurationStatement,
+                );
+            }
+        }
+
         return $this->templateFactory->build(
             'oidc:config/federation.twig',
             [

src/Controllers/Federation/EntityStatementController.php

@@ -11,6 +11,7 @@
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\JsonWebKeySetService;
 use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
+use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\OpMetadataService;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
 use SimpleSAML\Module\oidc\Utils\Routes;
@@ -42,6 +43,7 @@ public function __construct(
         private readonly Helpers $helpers,
         private readonly Routes $routes,
         private readonly Federation $federation,
+        private readonly LoggerService $loggerService,
         private readonly ?FederationCache $federationCache,
     ) {
         if (!$this->moduleConfig->getFederationEnabled()) {
@@ -126,6 +128,8 @@ public function configuration(): Response
             $builder = $builder->withClaim(ClaimsEnum::AuthorityHints->value, $authorityHints);
         }
 
+        $trustMarks = [];
+
         if (
             is_array($trustMarkTokens = $this->moduleConfig->getFederationTrustMarkTokens()) &&
             (!empty($trustMarkTokens))
@@ -145,7 +149,45 @@ public function configuration(): Response
                     ClaimsEnum::TrustMark->value => $token,
                 ];
             }, $trustMarkTokens);
+        }
+
+        if (
+            is_array($dynamicTrustMarks = $this->moduleConfig->getFederationDynamicTrustMarks()) &&
+            (!empty($dynamicTrustMarks))
+        ) {
+            /**
+             * @var non-empty-string $trustMarkId
+             * @var non-empty-string $trustMarkIssuerId
+             */
+            foreach ($dynamicTrustMarks as $trustMarkId => $trustMarkIssuerId) {
+                try {
+                    $trustMarkIssuerConfigurationStatement = $this->federation->entityStatementFetcher()
+                        ->fromCacheOrWellKnownEndpoint($trustMarkIssuerId);
+
+                    $trustMarkEntity = $this->federation->trustMarkFetcher()->fromCacheOrFederationTrustMarkEndpoint(
+                        $trustMarkId,
+                        $this->moduleConfig->getIssuer(),
+                        $trustMarkIssuerConfigurationStatement,
+                    );
+
+                    $trustMarks[] = [
+                        ClaimsEnum::TrustMarkId->value => $trustMarkId,
+                        ClaimsEnum::TrustMark->value => $trustMarkEntity->getToken(),
+                    ];
+                } catch (\Throwable $exception) {
+                    $this->loggerService->error(
+                        'Error fetching Trust Mark: ' . $exception->getMessage(),
+                        [
+                            'trustMarkId' => $trustMarkId,
+                            'subjectId' => $this->moduleConfig->getIssuer(),
+                            'trustMarkIssuerId' => $trustMarkIssuerId,
+                        ],
+                    );
+                }
+            }
+        }
 
+        if (!empty($trustMarks)) {
             $builder = $builder->withClaim(ClaimsEnum::TrustMarks->value, $trustMarks);
         }
 

src/ModuleConfig.php

@@ -76,6 +76,7 @@ class ModuleConfig
     final public const OPTION_FEDERATION_CACHE_MAX_DURATION_FOR_FETCHED = 'federation_cache_max_duration_for_fetched';
     final public const OPTION_FEDERATION_TRUST_ANCHORS = 'federation_trust_anchors';
     final public const OPTION_FEDERATION_TRUST_MARK_TOKENS = 'federation_trust_mark_tokens';
+    final public const OPTION_FEDERATION_DYNAMIC_TRUST_MARK_TOKENS = 'federation_dynamic_trust_mark_tokens';
     final public const OPTION_FEDERATION_CACHE_DURATION_FOR_PRODUCED = 'federation_cache_duration_for_produced';
     final public const OPTION_PROTOCOL_CACHE_ADAPTER = 'protocol_cache_adapter';
     final public const OPTION_PROTOCOL_CACHE_ADAPTER_ARGUMENTS = 'protocol_cache_adapter_arguments';
@@ -632,6 +633,16 @@ public function getFederationTrustMarkTokens(): ?array
         return empty($trustMarks) ? null : $trustMarks;
     }
 
+    public function getFederationDynamicTrustMarks(): ?array
+    {
+        $dynamicTrustMarks = $this->config()->getOptionalArray(
+            self::OPTION_FEDERATION_DYNAMIC_TRUST_MARK_TOKENS,
+            null,
+        );
+
+        return empty($dynamicTrustMarks) ? null : $dynamicTrustMarks;
+    }
+
     public function getOrganizationName(): ?string
     {
         return $this->config()->getOptionalString(

templates/config/federation.twig

@@ -93,7 +93,7 @@
     {% if trustMarks|default is not empty %}
         {% for trustMark in trustMarks %}
             <p>
-                - {{ trustMark.getPayload.id }}
+                - {{ trustMark.getPayload.trust_mark_id }}
                 <code class="code-box code-box-content">
                     {{- trustMark.getPayload|json_encode(constant('JSON_PRETTY_PRINT') b-or constant('JSON_UNESCAPED_SLASHES')) -}}
                 </code>

tests/unit/src/Controllers/Federation/EntityStatementControllerTest.php

@@ -14,6 +14,7 @@
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\JsonWebKeySetService;
 use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
+use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\OpMetadataService;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
 use SimpleSAML\Module\oidc\Utils\Routes;
@@ -30,6 +31,7 @@ class EntityStatementControllerTest extends TestCase
     protected MockObject $helpersMock;
     protected MockObject $routesMock;
     protected MockObject $federationMock;
+    protected MockObject $loggerServiceMock;
     protected MockObject $federationCacheMock;
 
     protected function setUp(): void
@@ -42,6 +44,7 @@ protected function setUp(): void
         $this->helpersMock = $this->createMock(Helpers::class);
         $this->routesMock = $this->createMock(Routes::class);
         $this->federationMock = $this->createMock(Federation::class);
+        $this->loggerServiceMock = $this->createMock(LoggerService::class);
         $this->federationCacheMock = $this->createMock(FederationCache::class);
     }
 
@@ -54,6 +57,7 @@ protected function sut(
         ?Helpers $helpers = null,
         ?Routes $routes = null,
         ?Federation $federation = null,
+        ?LoggerService $loggerService = null,
         ?FederationCache $federationCache = null,
     ): EntityStatementController {
         $moduleConfig ??= $this->moduleConfigMock;
@@ -64,6 +68,7 @@ protected function sut(
         $helpers ??= $this->helpersMock;
         $routes ??= $this->routesMock;
         $federation ??= $this->federationMock;
+        $loggerService ??= $this->loggerServiceMock;
         $federationCache ??= $this->federationCacheMock;
 
         return new EntityStatementController(
@@ -75,6 +80,7 @@ protected function sut(
             $helpers,
             $routes,
             $federation,
+            $loggerService,
             $federationCache,
         );
     }