Intitial implementation

Author: cicnavi

src/Controllers/Federation/EntityStatementController.php

@@ -4,7 +4,6 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\Federation;
 
-use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
 use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\ClientRepository;
@@ -95,11 +94,10 @@ public function configuration(): Response
                                 ClaimsEnum::HomepageUri->value => $this->moduleConfig->getHomepageUri(),
                             ],
                         )),
-                        ClaimsEnum::FederationFetchEndpoint->value =>
-                            $this->moduleConfig->getModuleUrl(RoutesEnum::FederationFetch->value),
+                        ClaimsEnum::FederationFetchEndpoint->value => $this->routes->urlFederationFetch(),
+                        ClaimsEnum::FederationListEndpoint->value => $this->routes->urlFederationList(),
                         // TODO v7 mivanci Add when ready. Use ClaimsEnum for keys.
                         // https://openid.net/specs/openid-federation-1_0.html#name-federation-entity
-                        //'federation_list_endpoint',
                         //'federation_resolve_endpoint',
                         //'federation_trust_mark_status_endpoint',
                         //'federation_trust_mark_list_endpoint',
@@ -233,7 +231,7 @@ public function fetch(Request $request): Response
             return $this->prepareEntityStatementResponse((string)$cachedSubordinateStatement);
         }
 
-        $client = $this->clientRepository->findByEntityIdentifier($subject);
+        $client = $this->clientRepository->findFederatedByEntityIdentifier($subject);
         if (empty($client)) {
             return $this->routes->newJsonErrorResponse(
                 ErrorsEnum::NotFound->value,

src/Controllers/Federation/SubordinateListingsController.php

@@ -4,11 +4,10 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\Federation;
 
-use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\Routes;
 use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
@@ -21,11 +20,9 @@ class SubordinateListingsController
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
      */
     public function __construct(
-        private readonly ModuleConfig $moduleConfig,
-        private readonly ClientRepository $clientRepository,
-        private readonly Helpers $helpers,
-        private readonly Routes $routes,
-        private readonly LoggerService $loggerService,
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly ClientRepository $clientRepository,
+        protected readonly Routes $routes,
     ) {
         if (!$this->moduleConfig->getFederationEnabled()) {
             throw OidcServerException::forbidden('federation capabilities not enabled');
@@ -52,15 +49,19 @@ public function list(Request $request): Response
             return $this->routes->newJsonErrorResponse(
                 ErrorsEnum::UnsupportedParameter->value,
                 'Unsupported parameter: ' . implode(', ', $intersectedParams),
+                400,
             );
         }
 
-        dd($request->query->all());
+        $subordinateEntityIdList = array_filter(array_map(
+            function (ClientEntityInterface $clientEntity): ?string {
+                return $clientEntity->getEntityIdentifier();
+            },
+            $this->clientRepository->findAllFederated(),
+        ));
 
-
-        if ($entityTypes = $request->query->all(ParamsEnum::EntityType->value)) {
-        }
-
-        return new Response();
+        return $this->routes->newJsonResponse(
+            $subordinateEntityIdList,
+        );
     }
 }

src/Repositories/ClientRepository.php

@@ -153,14 +153,10 @@ public function findByEntityIdentifier(string $entityIdentifier, ?string $owner
             <<<EOS
             SELECT * FROM {$this->getTableName()}
             WHERE
-                entity_identifier = :entity_identifier AND
-                is_enabled = :is_enabled AND
-                is_federated = :is_federated
+                entity_identifier = :entity_identifier
             EOS,
             [
                 'entity_identifier' => $entityIdentifier,
-                'is_enabled' => [true, PDO::PARAM_BOOL],
-                'is_federated' => [true, PDO::PARAM_BOOL],
             ],
             $owner,
         );
@@ -190,6 +186,29 @@ public function findByEntityIdentifier(string $entityIdentifier, ?string $owner
         return $clientEntity;
     }
 
+    public function findFederatedByEntityIdentifier(
+        string $entityIdentifier,
+        ?string $owner = null,
+    ): ?ClientEntityInterface {
+        $clientEntity = $this->findByEntityIdentifier($entityIdentifier, $owner);
+
+        if (is_null($clientEntity)) {
+            return null;
+        }
+
+        if (
+            is_null($clientEntity->getEntityIdentifier()) ||
+            (! $clientEntity->isEnabled()) ||
+            (! $clientEntity->isFederated()) ||
+            (!is_array($clientEntity->getFederationJwks())) ||
+            $clientEntity->isExpired()
+        ) {
+            return null;
+        }
+
+        return $clientEntity;
+    }
+
     private function addOwnerWhereClause(string $query, array $params, ?string $owner = null): array
     {
         if (isset($owner)) {
@@ -234,6 +253,47 @@ public function findAll(?string $owner = null): array
         return $clients;
     }
 
+    /**
+     * @return \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface[]
+     * @throws \JsonException
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     */
+    public function findAllFederated(?string $owner = null): array
+    {
+        /**
+         * @var string $query
+         * @var array $params
+         */
+        [$query, $params] = $this->addOwnerWhereClause(
+            <<<EOS
+            SELECT * FROM {$this->getTableName()}
+            WHERE
+                entity_identifier IS NOT NULL AND
+                federation_jwks IS NOT NULL AND
+                is_enabled = :is_enabled AND
+                is_federated = :is_federated
+            EOS,
+            [
+                'is_enabled' => [true, PDO::PARAM_BOOL],
+                'is_federated' => [true, PDO::PARAM_BOOL],
+            ],
+            $owner,
+        );
+        $stmt = $this->database->read(
+            "$query ORDER BY name ASC",
+            $params,
+        );
+
+        $clients = [];
+
+        /** @var array $state */
+        foreach ($stmt->fetchAll() as $state) {
+            $clients[] = $this->clientEntityFactory->fromState($state);
+        }
+
+        return $clients;
+    }
+
     /**
      * @return array{
      *   numPages: int,

tests/unit/src/Controllers/Federation/SubordinateListingsControllerTest.php

@@ -0,0 +1,110 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\oidc\unit\Controllers\Federation;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Module\oidc\Controllers\Federation\SubordinateListingsController;
+use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\ClientRepository;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
+use SimpleSAML\OpenID\Codebooks\ParamsEnum;
+use Symfony\Component\HttpFoundation\ParameterBag;
+use Symfony\Component\HttpFoundation\Request;
+
+#[CoversClass(SubordinateListingsController::class)]
+final class SubordinateListingsControllerTest extends TestCase
+{
+    private MockObject $moduleConfigMock;
+    private MockObject $clientRepositoryMock;
+    private MockObject $routesMock;
+
+    private bool $isFederationEnabled;
+    private MockObject $requestMock;
+    private MockObject $requestQueryMock;
+
+
+    protected function setUp(): void
+    {
+        $this->moduleConfigMock = $this->createMock(ModuleConfig::class);
+        $this->clientRepositoryMock = $this->createMock(ClientRepository::class);
+        $this->routesMock = $this->createMock(Routes::class);
+
+        $this->isFederationEnabled = true;
+
+        $this->requestMock = $this->createMock(Request::class);
+        $this->requestQueryMock = $this->createMock(ParameterBag::class);
+        $this->requestMock->query = $this->requestQueryMock;
+    }
+
+    public function sut(
+        ?ModuleConfig $moduleConfig = null,
+        ?ClientRepository $clientRepository = null,
+        ?Routes $routes = null,
+        ?bool $federationEnabled = null,
+    ): SubordinateListingsController {
+        $federationEnabled = $federationEnabled ?? $this->isFederationEnabled;
+        $this->moduleConfigMock->method('getFederationEnabled')->willReturn($federationEnabled);
+
+        $moduleConfig = $moduleConfig ?? $this->moduleConfigMock;
+        $clientRepository = $clientRepository ?? $this->clientRepositoryMock;
+        $routes = $routes ?? $this->routesMock;
+
+        return new SubordinateListingsController(
+            $moduleConfig,
+            $clientRepository,
+            $routes,
+        );
+    }
+
+    public function testCanConstruct(): void
+    {
+        $this->assertInstanceOf(SubordinateListingsController::class, $this->sut());
+    }
+
+    public function testThrowsIfFederationNotEnabled(): void
+    {
+        $this->expectException(OidcServerException::class);
+        $this->expectExceptionMessage('refused');
+
+        $this->sut(federationEnabled: false);
+    }
+
+    public function testCanListFederatedEntities(): void
+    {
+        $client = $this->createMock(ClientEntityInterface::class);
+        $client->method('getEntityIdentifier')->willReturn('entity-id');
+
+        $federatedEntities = [
+            $client,
+        ];
+
+        $this->clientRepositoryMock->expects($this->once())->method('findAllFederated')
+            ->willReturn($federatedEntities);
+
+        $this->routesMock->expects($this->once())->method('newJsonResponse')
+            ->with([
+                $client->getEntityIdentifier(),
+            ]);
+
+        $this->sut()->list($this->requestMock);
+    }
+
+    public function testListReturnsErrorOnUnsuportedQueryParameter(): void
+    {
+        $this->requestQueryMock->method('all')->willReturn([
+            ParamsEnum::EntityType->value => 'something',
+        ]);
+
+        $this->routesMock->expects($this->once())->method('newJsonErrorResponse')
+            ->with(ErrorsEnum::UnsupportedParameter->value);
+
+        $this->sut()->list($this->requestMock);
+    }
+}

tests/unit/src/Repositories/ClientRepositoryTest.php

@@ -391,7 +391,7 @@ public function testCanFindByIdFromCache(): void
 
     public function testCanFindByEntityIdentifier(): void
     {
-        $client = self::getClient(id: 'clientId', entityId: 'entityId', isFederated: true);
+        $client = self::getClient(id: 'clientId', entityId: 'entityId');
         $this->repository->add($client);
 
         $this->clientEntityFactoryMock->expects($this->once())->method('fromState')->willReturn($client);
@@ -404,6 +404,46 @@ public function testCanFindByEntityIdentifier(): void
         $this->assertNull($this->repository->findByEntityIdentifier('nonExistingEntityId'));
     }
 
+    public function testCanFindFederatedByEntityIdentifier(): void
+    {
+        $client = self::getClient(id: 'clientId', entityId: 'entityId', isFederated: true, federationJwks: []);
+        $this->repository->add($client);
+
+        $this->clientEntityFactoryMock->expects($this->once())->method('fromState')->willReturn($client);
+
+        $this->assertSame(
+            $client,
+            $this->repository->findFederatedByEntityIdentifier('entityId'),
+        );
+
+        $this->assertNull($this->repository->findFederatedByEntityIdentifier('nonExistingEntityId'));
+    }
+
+    public function testCanNotFindFederatedByEntityIdentifierIfMissingFederationAttributes(): void
+    {
+        $client = self::getClient(id: 'clientId', entityId: 'entityId');
+        $this->repository->add($client);
+
+        $this->clientEntityFactoryMock->expects($this->atLeastOnce())->method('fromState')->willReturn($client);
+
+        $this->assertSame(
+            $client,
+            $this->repository->findByEntityIdentifier('entityId'),
+        );
+
+        $this->assertNull($this->repository->findFederatedByEntityIdentifier('entityId'));
+    }
+
+    public function testCanFindAllFederated(): void
+    {
+        $client = self::getClient(id: 'clientId', entityId: 'entityId', isFederated: true, federationJwks: []);
+        $this->repository->add($client);
+
+        $this->clientEntityFactoryMock->expects($this->atLeastOnce())->method('fromState')->willReturn($client);
+
+        $this->assertCount(1, $this->repository->findAllFederated());
+    }
+
     public function testCanFindByEntityIdFromCache(): void
     {
         $protocolCacheMock = $this->createMock(ProtocolCache::class);
@@ -430,6 +470,7 @@ public static function getClient(
         ?string $owner = null,
         ?string $entityId = null,
         bool $isFederated = false,
+        ?array $federationJwks = null,
     ): ClientEntityInterface {
         return new ClientEntity(
             identifier: $id,
@@ -443,6 +484,7 @@ public static function getClient(
             authSource: 'admin',
             owner: $owner,
             entityIdentifier: $entityId,
+            federationJwks: $federationJwks,
             isFederated: $isFederated,
         );
     }