WIP Trust Mark Validation

cicnavi · cicnavi · commit 89e869a1a10e · 2025-01-31T15:23:41.000+01:00
diff --git a/src/Server/RequestRules/Rules/ClientIdRule.php b/src/Server/RequestRules/Rules/ClientIdRule.php
@@ -196,7 +196,7 @@ public function checkRule(
             $this->helpers->dateTime()->getFromTimestamp($trustChain->getResolvedExpirationTime()),
             $existingClient,
             $clientEntityId,
-            $clientFederationEntity->getJwks(),
+            $clientFederationEntity->getJwks()->getValue(),
             $request,
         );
 
@@ -209,7 +209,7 @@ public function checkRule(
         // Check if federation participation is limited by Trust Marks.
         if (
             $this->moduleConfig->isFederationParticipationLimitedByTrustMarksFor(
-                $trustChain->getResolvedTrustAnchor()->getIssuer(),
+                $trustAnchorEntityConfiguration->getIssuer(),
             )
         ) {
             $this->federationParticipationValidator->byTrustMarksFor($trustChain);
diff --git a/src/Server/Validators/BearerTokenValidator.php b/src/Server/Validators/BearerTokenValidator.php
@@ -76,7 +76,7 @@ protected function initJwtConfiguration(): void
             InMemory::plainText('empty', 'empty'),
         );
 
-        /** @psalm-suppress ArgumentTypeCoercion */
+        /** @psalm-suppress DeprecatedMethod, ArgumentTypeCoercion */
         $this->jwtConfiguration->setValidationConstraints(
             new StrictValidAt(new SystemClock(new DateTimeZone(date_default_timezone_get()))),
             new SignedWith(
diff --git a/src/Services/Container.php b/src/Services/Container.php
@@ -349,6 +349,7 @@ public function __construct()
         $this->services[JwksResolver::class] = $jwksResolver;
         $federationParticipationValidator = new FederationParticipationValidator(
             $moduleConfig,
+            $federation,
             $loggerService,
         );
         $this->services[FederationParticipationValidator::class] = $federationParticipationValidator;
diff --git a/src/Utils/FederationParticipationValidator.php b/src/Utils/FederationParticipationValidator.php
@@ -4,15 +4,20 @@
 
 namespace SimpleSAML\Module\oidc\Utils;
 
+use SimpleSAML\Module\oidc\Codebooks\LimitsEnum;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\OpenID\Exceptions\TrustMarkException;
+use SimpleSAML\OpenID\Federation;
+use SimpleSAML\OpenID\Federation\Claims\TrustMarksClaimBag;
+use SimpleSAML\OpenID\Federation\EntityStatement;
 use SimpleSAML\OpenID\Federation\TrustChain;
 
 class FederationParticipationValidator
 {
     public function __construct(
         protected readonly ModuleConfig $moduleConfig,
+        protected readonly Federation $federation,
         protected readonly LoggerService $loggerService,
     ) {
     }
@@ -26,34 +31,271 @@ public function __construct(
      */
     public function byTrustMarksFor(TrustChain $trustChain): void
     {
-        $trustAnchor = $trustChain->getResolvedTrustAnchor();
+        $leafEntityConfiguration = $trustChain->getResolvedLeaf();
+        $trustAnchorEntityConfiguration = $trustChain->getResolvedTrustAnchor();
+
+        $this->loggerService->debug(
+            sprintf(
+                'Validating federation participation by Trust Marks for leaf %s and Trust Anchor %s.',
+                $leafEntityConfiguration->getIssuer(),
+                $trustAnchorEntityConfiguration->getIssuer(),
+            ),
+        );
 
         $trustMarkLimitsRules = $this->moduleConfig->getTrustMarksNeededForFederationParticipationFor(
-            $trustAnchor->getIssuer(),
+            $trustAnchorEntityConfiguration->getIssuer(),
         );
 
         if (empty($trustMarkLimitsRules)) {
-            $this->loggerService->debug('No Trust Mark limits imposed for ' . $trustAnchor->getIssuer());
+            $this->loggerService->debug(
+                'No Trust Mark limits imposed for ' . $trustAnchorEntityConfiguration->getIssuer(),
+            );
             return;
         }
 
-        $this->loggerService->debug('Trust Mark limits for ' . $trustAnchor->getIssuer(), $trustMarkLimitsRules);
+        $this->loggerService->debug(
+            'Trust Mark limits for ' . $trustAnchorEntityConfiguration->getIssuer(),
+            $trustMarkLimitsRules,
+        );
+
+
+        /**
+         * @var string $limitId
+         * @var non-empty-string[] $limitedTrustMarkIds
+         */
+        foreach ($trustMarkLimitsRules as $limitId => $limitedTrustMarkIds) {
+            $limit = LimitsEnum::from($limitId);
 
-        $leaf = $trustChain->getResolvedLeaf();
-        $leafTrustMarks = $leaf->getTrustMarks();
+            if ($limit === LimitsEnum::OneOf) {
+                $this->validateTrustMarksClaimBagAsOneOfLimit(
+                    $limitedTrustMarkIds,
+                    $leafEntityConfiguration,
+                    $trustAnchorEntityConfiguration,
+                );
+            } else {
+                $this->validateTrustMarksClaimBagAsAllOfLimit(
+                    $limitedTrustMarkIds,
+                    $leafEntityConfiguration,
+                    $trustAnchorEntityConfiguration,
+                );
+            }
+        }
+    }
+
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException
+     */
+    protected function ensureTrustMarksClaimBag(EntityStatement $leafEntityConfiguration): TrustMarksClaimBag
+    {
+        $leafTrustMarksClaimBag = $leafEntityConfiguration->getTrustMarks();
 
-        if (is_null($leafTrustMarks)) {
+        if (is_null($leafTrustMarksClaimBag)) {
             $error = sprintf(
                 'Leaf entity %s does not have any Trust Marks available.',
-                $leaf->getIssuer(),
+                $leafEntityConfiguration->getIssuer(),
             );
 
-            $this->loggerService->error($error, compact('trustMarkLimitsRules'));
+            $this->loggerService->error($error);
             throw new TrustMarkException($error);
         }
 
-        // Leaf has some Trust Marks.
+        $this->loggerService->debug(
+            'Leaf has Trust Marks available.',
+            ['leafTrustMarksClaimBag' => $leafTrustMarksClaimBag->jsonSerialize()],
+        );
+
+        return $leafTrustMarksClaimBag;
+    }
+
+    /**
+     * @param non-empty-string[] $limitedTrustMarkIds
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException
+     */
+    public function validateTrustMarksClaimBagAsOneOfLimit(
+        array $limitedTrustMarkIds,
+        EntityStatement $leafEntityConfiguration,
+        EntityStatement $trustAnchorEntityConfiguration,
+    ): void {
+        if (empty($limitedTrustMarkIds)) {
+            $this->loggerService->debug('No Trust Mark limits given for OneOf limit rule, nothing to do.');
+            return;
+        }
+
+        $this->loggerService->debug(
+            sprintf(
+                'Validating that entity %s has at least one valid Trust Mark for Trust Anchor %s.',
+                $leafEntityConfiguration->getIssuer(),
+                $trustAnchorEntityConfiguration->getIssuer(),
+            ),
+            ['limitedTrustMarkIds' => $limitedTrustMarkIds],
+        );
+
+        $trustMarksClaimBag = $this->ensureTrustMarksClaimBag($leafEntityConfiguration);
+
+        foreach ($limitedTrustMarkIds as $limitedTrustMarkId) {
+            $trustMarksClaimValues = $trustMarksClaimBag->gerAllFor($limitedTrustMarkId);
+            if (empty($trustMarksClaimValues)) {
+                $this->loggerService->debug(
+                    sprintf(
+                        'There are no claims for Trust Mark ID %s. Trying next if available.',
+                        $limitedTrustMarkId,
+                    ),
+                );
+                continue;
+            }
+
+            $this->loggerService->debug(
+                sprintf(
+                    'There is/are %s claim/claims for Trust Mark ID %s.',
+                    count($trustMarksClaimValues),
+                    $limitedTrustMarkId,
+                ),
+            );
+
+            foreach ($trustMarksClaimValues as $idx => $trustMarksClaimValue) {
+                $this->loggerService->debug(
+                    sprintf(
+                        'Validating claim %s for Trust Mark ID %s',
+                        $idx,
+                        $limitedTrustMarkId,
+                    ),
+                    ['trustMarkClaim' => $trustMarksClaimValue->jsonSerialize()],
+                );
+
+                try {
+                    $this->federation->trustMarkValidator()->forTrustMarksClaimValue(
+                        $trustMarksClaimValue,
+                        $leafEntityConfiguration,
+                        $trustAnchorEntityConfiguration,
+                    );
+
+                    $this->loggerService->debug(
+                        sprintf(
+                            'Trust Mark ID %s validated using OneOf limit rule for entity %s for Trust Anchor %s.',
+                            $limitedTrustMarkId,
+                            $leafEntityConfiguration->getIssuer(),
+                            $trustAnchorEntityConfiguration->getIssuer(),
+                        ),
+                    );
+                    return;
+                } catch (\Throwable $exception) {
+                    $this->loggerService->debug(
+                        sprintf(
+                            'Trust Mark ID %s validation failed with error: %s. Trying next if available.',
+                            $limitedTrustMarkId,
+                            $exception->getMessage(),
+                        ),
+                    );
+                    continue;
+                }
+            }
+        }
+
+        $error = sprintf(
+            'Leaf entity %s does not have any valid Trust Marks from the given list (%s).',
+            $leafEntityConfiguration->getIssuer(),
+            implode(',', $limitedTrustMarkIds),
+        );
+
+        $this->loggerService->error($error);
+        throw new TrustMarkException($error);
+    }
+
+    /**
+     * @param non-empty-string[] $limitedTrustMarkIds
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException
+     */
+    public function validateTrustMarksClaimBagAsAllOfLimit(
+        array $limitedTrustMarkIds,
+        EntityStatement $leafEntityConfiguration,
+        EntityStatement $trustAnchorEntityConfiguration,
+    ): void {
+        if (empty($limitedTrustMarkIds)) {
+            $this->loggerService->debug('No Trust Mark limits given for AllOf limit rule, nothing to do.');
+            return;
+        }
+
+        $this->loggerService->debug(
+            sprintf(
+                'Validating that entity %s has all valid Trust Marks for Trust Anchor %s.',
+                $leafEntityConfiguration->getIssuer(),
+                $trustAnchorEntityConfiguration->getIssuer(),
+            ),
+            ['limitedTrustMarkIds' => $limitedTrustMarkIds],
+        );
+
+        $trustMarksClaimBag = $this->ensureTrustMarksClaimBag($leafEntityConfiguration);
+
+        foreach ($limitedTrustMarkIds as $limitedTrustMarkId) {
+            $trustMarksClaimValues = $trustMarksClaimBag->gerAllFor($limitedTrustMarkId);
+
+            if (empty($trustMarksClaimValues)) {
+                $error = sprintf(
+                    'There are no claims for Trust Mark ID %s.',
+                    $limitedTrustMarkId,
+                );
+                $this->loggerService->error($error);
+                throw new TrustMarkException($error);
+            }
 
-        // TODO mivanci continue
+            $this->loggerService->debug(
+                sprintf(
+                    'There is/are %s claim/claims for Trust Mark ID %s.',
+                    count($trustMarksClaimValues),
+                    $limitedTrustMarkId,
+                ),
+            );
+
+            foreach ($trustMarksClaimValues as $idx => $trustMarksClaimValue) {
+                $this->loggerService->debug(
+                    sprintf(
+                        'Validating claim %s for Trust Mark ID %s',
+                        $idx,
+                        $limitedTrustMarkId,
+                    ),
+                    ['trustMarkClaim' => $trustMarksClaimValue->jsonSerialize()],
+                );
+
+                try {
+                    $this->federation->trustMarkValidator()->forTrustMarksClaimValue(
+                        $trustMarksClaimValue,
+                        $leafEntityConfiguration,
+                        $trustAnchorEntityConfiguration,
+                    );
+
+                    $this->loggerService->debug(
+                        sprintf(
+                            'Trust Mark ID %s validated. Trying next if available.',
+                            $limitedTrustMarkId,
+                        ),
+                    );
+                } catch (\Throwable $exception) {
+                    $error = sprintf(
+                        'Trust Mark ID %s validation failed with error: %s.',
+                        $limitedTrustMarkId,
+                        $exception->getMessage(),
+                    );
+                    $this->loggerService->error($error);
+                    throw new TrustMarkException($error);
+                }
+            }
+        }
+
+        $this->loggerService->debug(
+            sprintf(
+                'Entity %s has all valid Trust Marks for Trust Anchor %s.',
+                $leafEntityConfiguration->getIssuer(),
+                $trustAnchorEntityConfiguration->getIssuer(),
+            ),
+        );
     }
 }
diff --git a/tests/unit/src/Services/AuthenticationServiceTest.php b/tests/unit/src/Services/AuthenticationServiceTest.php
@@ -326,9 +326,7 @@ public function testGetAuthenticateUserItThrowsIfClaimsNotExist(): void
         unset($invalidState['Attributes'][self::USER_ID_ATTR]);
 
         $this->expectException(Exception::class);
-        $this->expectExceptionMessageMatches(
-            "/Attribute `useridattr` doesn\'t exists in claims. Available attributes are:/",
-        );
+        $this->expectExceptionMessageMatches("/User identifier attribute /");
 
         $this->mock()->getAuthenticateUser($invalidState);
     }

Original file line number	Diff line number	Diff line change
`@@ -326,9 +326,7 @@ public function testGetAuthenticateUserItThrowsIfClaimsNotExist(): void`
`326`	`326`	`unset($invalidState['Attributes'][self::USER_ID_ATTR]);`
`327`	`327`
`328`	`328`	`$this->expectException(Exception::class);`
`329`		`- $this->expectExceptionMessageMatches(`
`330`		- "/Attribute `useridattr` doesn\'t exists in claims. Available attributes are:/",
`331`		`- );`
	`329`	`+ $this->expectExceptionMessageMatches("/User identifier attribute /");`
`332`	`330`
`333`	`331`	`$this->mock()->getAuthenticateUser($invalidState);`
`334`	`332`	`}`