simplesamlphp
diff --git a/‎config-templates/module_oidc.php‎
Lines changed: 27 additions & 0 deletions b/‎config-templates/module_oidc.php‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎routing/routes/routes.php‎
Lines changed: 7 additions & 0 deletions b/‎routing/routes/routes.php‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎routing/services/services.yml‎
Lines changed: 2 additions & 0 deletions b/‎routing/services/services.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Codebooks/LimitsEnum.php‎
Lines changed: 11 additions & 0 deletions b/‎src/Codebooks/LimitsEnum.php‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/Codebooks/RoutesEnum.php‎
Lines changed: 4 additions & 0 deletions b/‎src/Codebooks/RoutesEnum.php‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Controllers/Admin/TestController.php‎
Lines changed: 111 additions & 0 deletions b/‎src/Controllers/Admin/TestController.php‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎src/Controllers/Federation/Test.php‎
Lines changed: 8 additions & 8 deletions b/‎src/Controllers/Federation/Test.php‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎src/Factories/RequestRulesManagerFactory.php‎
Lines changed: 3 additions & 0 deletions b/‎src/Factories/RequestRulesManagerFactory.php‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/Factories/TemplateFactory.php‎
Lines changed: 9 additions & 2 deletions b/‎src/Factories/TemplateFactory.php‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎src/Forms/ClientForm.php‎
Lines changed: 1 addition & 0 deletions b/‎src/Forms/ClientForm.php‎
Lines changed: 1 addition & 0 deletions
@@ -368,6 +368,33 @@
 //        'eyJ...GHg',
     ],
 
+    // (optional) Federation participation limit by Trust Marks. This is an array with the following format:
+    // [
+    //    'trust-anchor-id' => [
+    //         'limit-id' => [
+    //              'trust-mark-id',
+    //              'trust-mark-id-2',
+    //          ],
+    //     ],
+    // ],
+    // Check example below on how this can be used. If federation participation limit is configured for particular
+    // Trust Anchor ID, at least one combination of "limit ID" => "trust mark list" should be defined.
+    ModuleConfig::OPTION_FEDERATION_PARTICIPATION_LIMIT_BY_TRUST_MARKS => [
+        // We are limiting federation participation using Trust Marks for 'https://ta.example.org/'.
+        'https://ta.example.org/' => [
+            // Entities must have (at least) one Trust Mark from the list below.
+            \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::OneOf->value => [
+                'trust-mark-id',
+                'trust-mark-id-2',
+            ],
+            // Entities must have all Trust Marks from the list below.
+            \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::AllOf->value => [
+                'trust-mark-id-3',
+                'trust-mark-id-4',
+            ],
+        ],
+    ],
+
     // (optional) Dedicated federation cache adapter, used to cache federation artifacts like trust chains, entity
     // statements, etc. It will also be used for token reuse check in federation context. Setting this option is
     // recommended in production environments. If set to null, no caching will be used. Can be set to any
 
@@ -10,6 +10,7 @@
 use SimpleSAML\Module\oidc\Controllers\AccessTokenController;
 use SimpleSAML\Module\oidc\Controllers\Admin\ClientController;
 use SimpleSAML\Module\oidc\Controllers\Admin\ConfigController;
+use SimpleSAML\Module\oidc\Controllers\Admin\TestController;
 use SimpleSAML\Module\oidc\Controllers\AuthorizationController;
 use SimpleSAML\Module\oidc\Controllers\ConfigurationDiscoveryController;
 use SimpleSAML\Module\oidc\Controllers\EndSessionController;
@@ -57,6 +58,12 @@
         ->controller([ClientController::class, 'delete'])
         ->methods([HttpMethodsEnum::POST->value]);
 
+    // Testing
+
+    $routes->add(RoutesEnum::AdminTestTrustChainResolution->name, RoutesEnum::AdminTestTrustChainResolution->value)
+        ->controller([TestController::class, 'trustChainResolution'])
+        ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
+
     /*****************************************************************************************************************
      * OpenID Connect
      ****************************************************************************************************************/
 
@@ -99,6 +99,8 @@ services:
     factory: ['@SimpleSAML\Module\oidc\Factories\ResourceServerFactory', 'build']
 
   # Utils
+  SimpleSAML\Module\oidc\Utils\Debug\ArrayLogger: ~
+  SimpleSAML\Module\oidc\Utils\FederationParticipationValidator: ~
   SimpleSAML\Module\oidc\Utils\Routes: ~
   SimpleSAML\Module\oidc\Utils\RequestParamsResolver: ~
   SimpleSAML\Module\oidc\Utils\ClassInstanceBuilder: ~
 
@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Codebooks;
+
+enum LimitsEnum: string
+{
+    case OneOf = 'one_of';
+    case AllOf = 'all_of';
+}
@@ -24,6 +24,10 @@ enum RoutesEnum: string
     case AdminClientsResetSecret = 'admin/clients/reset-secret';
     case AdminClientsDelete = 'admin/clients/delete';
 
+    // Testing
+    case AdminTestTrustChainResolution = 'admin/test/trust-chain-resolution';
+
+
     /*****************************************************************************************************************
      * OpenID Connect
      ****************************************************************************************************************/
 
@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\Admin;
+
+use SimpleSAML\Module\oidc\Admin\Authorization;
+use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
+use SimpleSAML\Module\oidc\Exceptions\OidcException;
+use SimpleSAML\Module\oidc\Factories\TemplateFactory;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Utils\Debug\ArrayLogger;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
+use SimpleSAML\OpenID\Exceptions\TrustChainException;
+use SimpleSAML\OpenID\Federation;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class TestController
+{
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly TemplateFactory $templateFactory,
+        protected readonly Authorization $authorization,
+        protected readonly Federation $federation,
+        protected readonly Helpers $helpers,
+        protected readonly ArrayLogger $arrayLogger,
+    ) {
+        $this->authorization->requireAdmin(true);
+    }
+
+    /**
+     * @throws \SimpleSAML\Error\ConfigurationError
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     * @throws \SimpleSAML\Module\oidc\Exceptions\OidcException
+     */
+    public function trustChainResolution(Request $request): Response
+    {
+        $this->arrayLogger->setWeight(ArrayLogger::WEIGHT_WARNING);
+        // Let's create new Federation instance so we can inject our debug logger and go without cache.
+        $federation = new Federation(
+            supportedAlgorithms: $this->federation->supportedAlgorithms(),
+            cache: null,
+            logger: $this->arrayLogger,
+        );
+
+        $leafEntityId = $this->moduleConfig->getIssuer();
+        $trustChainBag = null;
+        $resolvedMetadata = [];
+        $isFormSubmitted = false;
+
+        try {
+            $trustAnchorIds = $this->moduleConfig->getFederationTrustAnchorIds();
+        } catch (\Throwable $exception) {
+            $this->arrayLogger->error('Module config error: ' . $exception->getMessage());
+            $trustAnchorIds = [];
+        }
+
+        if ($request->isMethod(Request::METHOD_POST)) {
+            $isFormSubmitted = true;
+
+            !empty($leafEntityId = $request->request->getString('leafEntityId')) ||
+                throw new OidcException('Empty leaf entity ID.');
+            !empty($rawTrustAnchorIds = $request->request->getString('trustAnchorIds')) ||
+                throw new OidcException('Empty Trust Anchor IDs.');
+
+            /** @var non-empty-array<non-empty-string> $trustAnchorIds */
+            $trustAnchorIds = $this->helpers->str()->convertTextToArray($rawTrustAnchorIds);
+
+            try {
+                $trustChainBag = $federation->trustChainResolver()->for($leafEntityId, $trustAnchorIds);
+
+                foreach ($trustChainBag->getAll() as $index => $trustChain) {
+                    $metadataEntries = [];
+                    foreach (EntityTypesEnum::cases() as $entityTypeEnum) {
+                        try {
+                            $metadataEntries[$entityTypeEnum->value] =
+                                $trustChain->getResolvedMetadata($entityTypeEnum);
+                        } catch (\Throwable $exception) {
+                            $this->arrayLogger->error(
+                                'Metadata resolving error: ' . $exception->getMessage(),
+                                compact('index', 'entityTypeEnum'),
+                            );
+                            continue;
+                        }
+                    }
+                    $resolvedMetadata[$index] = array_filter($metadataEntries);
+                }
+            } catch (TrustChainException $exception) {
+                $this->arrayLogger->error('Trust chain error: ' . $exception->getMessage());
+            }
+        }
+
+        $trustAnchorIds = implode("\n", $trustAnchorIds);
+        $logMessages = $this->arrayLogger->getEntries();
+//dd($this->arrayLogger->getEntries());
+        return $this->templateFactory->build(
+            'oidc:tests/trust-chain-resolution.twig',
+            compact(
+                'leafEntityId',
+                'trustAnchorIds',
+                'trustChainBag',
+                'resolvedMetadata',
+                'logMessages',
+                'isFormSubmitted',
+            ),
+            RoutesEnum::AdminTestTrustChainResolution->value,
+        );
+    }
+}
@@ -65,25 +65,25 @@ public function __invoke(): Response
 //        $requestObject = $requestObjectFactory->fromToken($unprotectedJws);
 
 //        dd($requestObject, $requestObject->getPayload(), $requestObject->getHeader());
-//        $cache->clear();
+        $this->federationCache?->cache->clear();
 
         $trustChain = $this->federation
             ->trustChainResolver()
             ->for(
-                'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ALeaf/',
+//                'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ALeaf/',
 //                'https://trust-anchor.testbed.oidcfed.incubator.geant.org/oidc/rp/',
 //                'https://relying-party-php.testbed.oidcfed.incubator.geant.org/',
-//                'https://gorp.testbed.oidcfed.incubator.geant.org',
+                'https://gorp.testbed.oidcfed.incubator.geant.org',
 //                'https://maiv1.incubator.geant.org',
                 [
-//                    'https://trust-anchor.testbed.oidcfed.incubator.geant.org/',
+                    'https://trust-anchor.testbed.oidcfed.incubator.geant.org/',
                     'https://08-dap.localhost.markoivancic.from.hr/openid/entities/ABTrustAnchor/',
-//                    'https://08-dap.localhost.markoivancic.from.hr/openid/entities/CTrustAnchor/',
+                    'https://08-dap.localhost.markoivancic.from.hr/openid/entities/CTrustAnchor/',
                 ],
-            );
-
+            )->getAll();
+dd($trustChain);
         $leaf = $trustChain->getResolvedLeaf();
-//        dd($leaf);
+        dd($leaf->getPayload());
         $leafFederationJwks = $leaf->getJwks();
 //        dd($leafFederationJwks);
 //        /** @psalm-suppress PossiblyNullArgument */
 
@@ -36,6 +36,7 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
+use SimpleSAML\Module\oidc\Utils\FederationParticipationValidator;
 use SimpleSAML\Module\oidc\Utils\JwksResolver;
 use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
@@ -58,6 +59,7 @@ public function __construct(
         private readonly Federation $federation,
         private readonly Helpers $helpers,
         private readonly JwksResolver $jwksResolver,
+        private readonly FederationParticipationValidator $federationParticipationValidator,
         private readonly ?FederationCache $federationCache = null,
         private readonly ?ProtocolCache $protocolCache = null,
     ) {
@@ -88,6 +90,7 @@ private function getDefaultRules(): array
                 $this->federation,
                 $this->helpers,
                 $this->jwksResolver,
+                $this->federationParticipationValidator,
                 $this->federationCache,
             ),
             new RedirectUriRule($this->requestParamsResolver),
 
@@ -107,6 +107,13 @@ protected function includeDefaultMenuItems(): void
             ),
         );
 
+        $this->oidcMenu->addItem(
+            $this->oidcMenu->buildItem(
+                $this->moduleConfig->getModuleUrl(RoutesEnum::AdminClients->value),
+                Translate::noop('Client Registry'),
+            ),
+        );
+
         $this->oidcMenu->addItem(
             $this->oidcMenu->buildItem(
                 $this->moduleConfig->getModuleUrl(RoutesEnum::AdminConfigProtocol->value),
@@ -123,8 +130,8 @@ protected function includeDefaultMenuItems(): void
 
         $this->oidcMenu->addItem(
             $this->oidcMenu->buildItem(
-                $this->moduleConfig->getModuleUrl(RoutesEnum::AdminClients->value),
-                Translate::noop('Client Registry'),
+                $this->moduleConfig->getModuleUrl(RoutesEnum::AdminTestTrustChainResolution->value),
+                Translate::noop('Test Trust Chain Resolution'),
             ),
         );
     }
 
@@ -414,6 +414,7 @@ protected function getScopes(): array
     }
 
     /**
+     * TODO mivanci Move to Str helper.
      * @return string[]
      */
     protected function convertTextToArrayWithLinesAsValues(string $text): array
Original file line number	Diff line number	Diff line change
`@@ -414,6 +414,7 @@ protected function getScopes(): array`
`414`	`414`	`}`
`415`	`415`
`416`	`416`	`/**`
	`417`	`+ * TODO mivanci Move to Str helper.`
`417`	`418`	`* @return string[]`
`418`	`419`	`*/`
`419`	`420`	`protected function convertTextToArrayWithLinesAsValues(string $text): array`