diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index c8f89f8c..e0f75e18 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -210,7 +210,7 @@ jobs: runs-on: ubuntu-latest env: SUITE_BASE_URL: https://localhost.emobix.co.uk:8443 - VERSION: release-v4.1.45 + VERSION: release-v5.1.35 steps: - uses: actions/checkout@v4 with: diff --git a/CONFORMANCE_TEST.md b/CONFORMANCE_TEST.md index 0f2fbfe5..53b676c9 100644 --- a/CONFORMANCE_TEST.md +++ b/CONFORMANCE_TEST.md @@ -14,8 +14,7 @@ Clone the conformance test git repo, build the software and run it. ```bash git clone https://gitlab.com/openid/conformance-suite.git cd conformance-suite -# Version 4.1.10 has a bug when building -git checkout release-v4.1.45 +git checkout release-v5.1.35 MAVEN_CACHE=./m2 docker-compose -f builder-compose.yml run builder docker-compose up ``` diff --git a/UPGRADE.md b/UPGRADE.md index a4efab84..81a738ca 100644 --- a/UPGRADE.md +++ b/UPGRADE.md @@ -52,10 +52,15 @@ and optionally a port (as in all previous module versions). - signer algorithm - entity statement duration - organization name + - display name + - description + - keywords - contacts - logo URI - policy URI - - homepage URI + - information URI + - homepage URI (renamed to organization_uri in draft-43) + - organization URI ## Major impact changes diff --git a/config/module_oidc.php.dist b/config/module_oidc.php.dist index 8c56930b..802be944 100644 --- a/config/module_oidc.php.dist +++ b/config/module_oidc.php.dist 
@@ -375,20 +375,20 @@ $config = [ // 'eyJ...GHg', ], - // (optional) Federation Trust Marks for dynamic fetching. An array of key-value pairs, where key is Trust Mark ID - // and value is Trust Mark Issuer ID, each representing a Trust Mark issued to this entity. Each Trust Mark ID - // in this array will be dynamically fetched from noted Trust Mark Issuer as necessary. If federation caching - // is enabled (recommended), fetched Trust Marks will also be cached until their expiry. + // (optional) Federation Trust Marks for dynamic fetching. An array of key-value pairs, where key is Trust Mark Type + // and value is Trust Mark Issuer ID, each representing a Trust Mark issued to this entity. Each Trust Mark Type + // in this array will be dynamically fetched from the noted Trust Mark Issuer as necessary. If federation + // caching is enabled (recommended), fetched Trust Marks will also be cached until their expiry. ModuleConfig::OPTION_FEDERATION_DYNAMIC_TRUST_MARKS => [ -// 'trust-mark-id' => 'trust-mark-issuer-id', +// 'trust-mark-type' => 'trust-mark-issuer-id', ], // (optional) Federation participation limit by Trust Marks. This is an array with the following format: // [ // 'trust-anchor-id' => [ // 'limit-id' => [ - // 'trust-mark-id', - // 'trust-mark-id-2', + // 'trust-mark-type', + // 'trust-mark-type-2', // ], // ], // ], @@ -399,13 +399,13 @@ $config = [ 'https://ta.example.org/' => [ // Entities must have (at least) one Trust Mark from the list below. \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::OneOf->value => [ - 'trust-mark-id', - 'trust-mark-id-2', + 'trust-mark-type', + 'trust-mark-type-2', ], // Entities must have all Trust Marks from the list below. \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::AllOf->value => [ - 'trust-mark-id-3', - 'trust-mark-id-4', + 'trust-mark-type-3', + 'trust-mark-type-4', ], ], ], 
@@ -471,10 +471,21 @@ $config = [ // Common federation entity parameters: // https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters ModuleConfig::OPTION_ORGANIZATION_NAME => null, + ModuleConfig::OPTION_DISPLAY_NAME => null, + ModuleConfig::OPTION_DESCRIPTION => null, + ModuleConfig::OPTION_KEYWORDS => [ + // 'some-keyword', + ], ModuleConfig::OPTION_CONTACTS => [ // 'John Doe jdoe@example.org', ], ModuleConfig::OPTION_LOGO_URI => null, ModuleConfig::OPTION_POLICY_URI => null, + ModuleConfig::OPTION_INFORMATION_URI => null, + ModuleConfig::OPTION_ORGANIZATION_URI => null, + /** + * @deprecated In Draft-43 of OIDFed specification, metadata claim 'homepage_uri' has been renamed to + * 'organization_uri'. Use 'organization_uri' instead. + */ ModuleConfig::OPTION_HOMEPAGE_URI => null, ]; diff --git a/locales/en/LC_MESSAGES/oidc.po b/locales/en/LC_MESSAGES/oidc.po index a754c677..4d626774 100644 --- a/locales/en/LC_MESSAGES/oidc.po +++ b/locales/en/LC_MESSAGES/oidc.po @@ -491,7 +491,7 @@ msgstr "" msgid "Trust Anchors" msgstr "" -msgid "Trust Mark ID" +msgid "Trust Mark Type" msgstr "" msgid "" diff --git a/locales/es/LC_MESSAGES/oidc.po b/locales/es/LC_MESSAGES/oidc.po index 299a0f78..7e1a5690 100644 --- a/locales/es/LC_MESSAGES/oidc.po +++ b/locales/es/LC_MESSAGES/oidc.po @@ -491,7 +491,7 @@ msgstr "" msgid "Trust Anchors" msgstr "" -msgid "Trust Mark ID" +msgid "Trust Mark Type" msgstr "" msgid "" diff --git a/locales/fr/LC_MESSAGES/oidc.po b/locales/fr/LC_MESSAGES/oidc.po index fe3cd317..c7d98d9f 100644 --- a/locales/fr/LC_MESSAGES/oidc.po +++ b/locales/fr/LC_MESSAGES/oidc.po @@ -491,7 +491,7 @@ msgstr "" msgid "Trust Anchors" msgstr "" -msgid "Trust Mark ID" +msgid "Trust Mark Type" msgstr "" msgid "" diff --git a/locales/hr/LC_MESSAGES/oidc.po b/locales/hr/LC_MESSAGES/oidc.po index 4d9ac306..7c306d1d 100644 --- a/locales/hr/LC_MESSAGES/oidc.po +++ b/locales/hr/LC_MESSAGES/oidc.po 
@@ -525,7 +525,7 @@ msgstr "IDevi sidra povjerenja" msgid "Trust Anchors" msgstr "Sidra povjerenja" -msgid "Trust Mark ID" +msgid "Trust Mark Type" msgstr "ID oznake povjerenja" msgid "" diff --git a/locales/it/LC_MESSAGES/oidc.po b/locales/it/LC_MESSAGES/oidc.po index 68b0da58..7151442e 100644 --- a/locales/it/LC_MESSAGES/oidc.po +++ b/locales/it/LC_MESSAGES/oidc.po @@ -491,7 +491,7 @@ msgstr "" msgid "Trust Anchors" msgstr "" -msgid "Trust Mark ID" +msgid "Trust Mark Type" msgstr "" msgid "" diff --git a/locales/nl/LC_MESSAGES/oidc.po b/locales/nl/LC_MESSAGES/oidc.po index b4d5964a..37378dc2 100644 --- a/locales/nl/LC_MESSAGES/oidc.po +++ b/locales/nl/LC_MESSAGES/oidc.po @@ -459,7 +459,7 @@ msgstr "Vertrouwde anker-ID's" msgid "Trust Anchors" msgstr "Vertrouw op ankers" -msgid "Trust Mark ID" +msgid "Trust Mark Type" msgstr "Vertrouwensmerk-ID" msgid "Trust Mark validation passed (there were no warnings or errors during validation)." diff --git a/src/Controllers/Admin/ConfigController.php b/src/Controllers/Admin/ConfigController.php index 85e35a6c..5eb24c3f 100644 --- a/src/Controllers/Admin/ConfigController.php +++ b/src/Controllers/Admin/ConfigController.php @@ -80,15 +80,15 @@ function (string $token): Federation\TrustMark { if (is_array($dynamicTrustMarks = $this->moduleConfig->getFederationDynamicTrustMarks())) { /** - * @var non-empty-string $trustMarkId + * @var non-empty-string $trustMarkType * @var non-empty-string $trustMarkIssuerId */ - foreach ($dynamicTrustMarks as $trustMarkId => $trustMarkIssuerId) { + foreach ($dynamicTrustMarks as $trustMarkType => $trustMarkIssuerId) { $trustMarkIssuerConfigurationStatement = $this->federation->entityStatementFetcher() ->fromCacheOrWellKnownEndpoint($trustMarkIssuerId); $trustMarks[] = $this->federation->trustMarkFetcher()->fromCacheOrFederationTrustMarkEndpoint( - $trustMarkId, + $trustMarkType, $this->moduleConfig->getIssuer(), $trustMarkIssuerConfigurationStatement, ); 
diff --git a/src/Controllers/Admin/TestController.php b/src/Controllers/Admin/TestController.php index e05a6dc1..87e2086b 100644 --- a/src/Controllers/Admin/TestController.php +++ b/src/Controllers/Admin/TestController.php @@ -32,7 +32,7 @@ public function __construct( $this->authorization->requireAdmin(true); $this->arrayLogger->setWeight(ArrayLogger::WEIGHT_WARNING); - // Let's create new Federation instance so we can inject our debug logger and go without cache. + // Let's create a new Federation instance so we can inject our debug logger and go without cache. $this->federationWithArrayLogger = new Federation( supportedAlgorithms: $this->federation->supportedAlgorithms(), cache: null, @@ -114,7 +114,7 @@ public function trustChainResolution(Request $request): Response public function trustMarkValidation(Request $request): Response { - $trustMarkId = null; + $trustMarkType = null; $leafEntityId = null; $trustAnchorId = null; $isFormSubmitted = false; 
@@ -122,23 +122,23 @@ public function trustMarkValidation(Request $request): Response if ($request->isMethod(Request::METHOD_POST)) { $isFormSubmitted = true; - !empty($trustMarkId = $request->request->getString('trustMarkId')) || - throw new OidcException('Empty Trust Mark ID.'); + !empty($trustMarkType = $request->request->getString('trustMarkType')) || + throw new OidcException('Empty Trust Mark Type.'); !empty($leafEntityId = $request->request->getString('leafEntityId')) || throw new OidcException('Empty leaf entity ID.'); !empty($trustAnchorId = $request->request->getString('trustAnchorId')) || throw new OidcException('Empty Trust Anchor ID.'); try { - // We should not try to validate Trust Marks until we have resolved trust chain between leaf and TA. + // We should not try to validate Trust Marks until we have resolved a trust chain between leaf and TA. $trustChain = $this->federation->trustChainResolver()->for( $leafEntityId, [$trustAnchorId], )->getShortest(); try { - $this->federationWithArrayLogger->trustMarkValidator()->doForTrustMarkId( - $trustMarkId, + $this->federationWithArrayLogger->trustMarkValidator()->doForTrustMarkType( + $trustMarkType, $trustChain->getResolvedLeaf(), $trustChain->getResolvedTrustAnchor(), ); @@ -160,7 +160,7 @@ public function trustMarkValidation(Request $request): Response return $this->templateFactory->build( 'oidc:tests/trust-mark-validation.twig', compact( - 'trustMarkId', + 'trustMarkType', 'leafEntityId', 'trustAnchorId', 'logMessages', diff --git a/src/Controllers/Federation/EntityStatementController.php b/src/Controllers/Federation/EntityStatementController.php index 5f4494a7..d521c60e 100644 --- a/src/Controllers/Federation/EntityStatementController.php +++ b/src/Controllers/Federation/EntityStatementController.php 
@@ -88,10 +88,14 @@ public function configuration(): Response ...(array_filter( [ ClaimsEnum::OrganizationName->value => $this->moduleConfig->getOrganizationName(), + ClaimsEnum::DisplayName->value => $this->moduleConfig->getDisplayName(), + ClaimsEnum::Description->value => $this->moduleConfig->getDescription(), + ClaimsEnum::Keywords->value => $this->moduleConfig->getKeywords(), ClaimsEnum::Contacts->value => $this->moduleConfig->getContacts(), ClaimsEnum::LogoUri->value => $this->moduleConfig->getLogoUri(), ClaimsEnum::PolicyUri->value => $this->moduleConfig->getPolicyUri(), - ClaimsEnum::HomepageUri->value => $this->moduleConfig->getHomepageUri(), + ClaimsEnum::InformationUri->value => $this->moduleConfig->getInformationUri(), + ClaimsEnum::OrganizationUri->value => $this->moduleConfig->getOrganizationUri(), ], )), ClaimsEnum::FederationFetchEndpoint->value => $this->routes->urlFederationFetch(), @@ -138,12 +142,12 @@ public function configuration(): Response if ($trustMarkEntity->getSubject() !== $this->moduleConfig->getIssuer()) { throw OidcServerException::serverError(sprintf( 'Trust Mark %s is not intended for this entity.', - $trustMarkEntity->getTrustMarkId(), + $trustMarkEntity->getTrustMarkType(), )); } return [ - ClaimsEnum::TrustMarkId->value => $trustMarkEntity->getTrustMarkId(), + ClaimsEnum::TrustMarkType->value => $trustMarkEntity->getTrustMarkType(), ClaimsEnum::TrustMark->value => $token, ]; }, $trustMarkTokens); 
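Review bot: The metadata array in `configuration()` no longer reads `getHomepageUri()`, so a deployment that only has `homepage_uri` configured stops publishing any organisation URL after this upgrade, with no warning. The option is kept and only marked deprecated in `module_oidc.php.dist`, which suggests it is meant to keep working until the next major release. A fallback would keep existing metadata intact: `ClaimsEnum::OrganizationUri->value => $this->moduleConfig->getOrganizationUri() ?? $this->moduleConfig->getHomepageUri(),`. Whether `getHomepageUri()` is still consumed elsewhere is not visible here, and `configuration()` starts and ends outside this hunk.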
@@ -154,29 +158,29 @@ public function configuration(): Response (!empty($dynamicTrustMarks)) ) { /** - * @var non-empty-string $trustMarkId + * @var non-empty-string $trustMarkType * @var non-empty-string $trustMarkIssuerId */ - foreach ($dynamicTrustMarks as $trustMarkId => $trustMarkIssuerId) { + foreach ($dynamicTrustMarks as $trustMarkType => $trustMarkIssuerId) { try { $trustMarkIssuerConfigurationStatement = $this->federation->entityStatementFetcher() ->fromCacheOrWellKnownEndpoint($trustMarkIssuerId); $trustMarkEntity = $this->federation->trustMarkFetcher()->fromCacheOrFederationTrustMarkEndpoint( - $trustMarkId, + $trustMarkType, $this->moduleConfig->getIssuer(), $trustMarkIssuerConfigurationStatement, ); $trustMarks[] = [ - ClaimsEnum::TrustMarkId->value => $trustMarkId, + ClaimsEnum::TrustMarkType->value => $trustMarkType, ClaimsEnum::TrustMark->value => $trustMarkEntity->getToken(), ]; } catch (\Throwable $exception) { $this->loggerService->error( 'Error fetching Trust Mark: ' . $exception->getMessage(), [ - 'trustMarkId' => $trustMarkId, + 'trustMarkType' => $trustMarkType, 'subjectId' => $this->moduleConfig->getIssuer(), 'trustMarkIssuerId' => $trustMarkIssuerId, ], diff --git a/src/Controllers/Federation/SubordinateListingsController.php b/src/Controllers/Federation/SubordinateListingsController.php index f0eb5edc..9c076ad9 100644 --- a/src/Controllers/Federation/SubordinateListingsController.php +++ b/src/Controllers/Federation/SubordinateListingsController.php 
@@ -31,15 +31,16 @@ public function __construct( public function list(Request $request): Response { - // If unsupported query parameter is provided, we have to respond with an error: "If the responder does not + // If an unsupported query parameter is provided, we have to respond with an error: "If the responder does not // support this feature, it MUST use the HTTP status code 400 and the content type application/json, with // the error code unsupported_parameter." - // Currently, we don't support any of the mentioned params in the spec, so let's return error for any of them. + // Currently, we don't support any of the mentioned params in the spec, so let's return an error for + // any of them. $unsupportedParams = [ ParamsEnum::EntityType->value, ParamsEnum::TrustMarked->value, - ParamsEnum::TrustMarkId->value, + ParamsEnum::TrustMarkType->value, ParamsEnum::Intermediate->value, ]; diff --git a/src/ModuleConfig.php b/src/ModuleConfig.php index 4a9fe3b8..d595503e 100644 --- a/src/ModuleConfig.php +++ b/src/ModuleConfig.php 
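Review bot: Swapping `ParamsEnum::TrustMarkId` for `ParamsEnum::TrustMarkType` in `$unsupportedParams` means a request that still sends the pre-rename parameter is no longer answered with `unsupported_parameter`; presumably it now receives the full, unfiltered subordinate list. A client on an older draft that relies on that filter to select trust-marked entities would not notice that the filter was ignored. Consider keeping the legacy name (presumably `trust_mark_id`) in the reject list during the transition, as a literal entry with a comment such as `// pre-rename parameter name, still rejected` if the enum case no longer exists in the library. The rest of `list()` is outside the hunk, so how the array is checked is inferred from the comment above it.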
@@ -66,10 +66,15 @@ class ModuleConfig final public const OPTION_FEDERATION_ENTITY_STATEMENT_DURATION = 'federation_entity_statement_duration'; final public const OPTION_FEDERATION_AUTHORITY_HINTS = 'federation_authority_hints'; final public const OPTION_ORGANIZATION_NAME = 'organization_name'; + final public const OPTION_DISPLAY_NAME = 'display_name'; + final public const OPTION_DESCRIPTION = 'description'; + final public const OPTION_KEYWORDS = 'keywords'; final public const OPTION_CONTACTS = 'contacts'; final public const OPTION_LOGO_URI = 'logo_uri'; final public const OPTION_POLICY_URI = 'policy_uri'; + final public const OPTION_INFORMATION_URI = 'information_uri'; final public const OPTION_HOMEPAGE_URI = 'homepage_uri'; + final public const OPTION_ORGANIZATION_URI = 'organization_uri'; final public const OPTION_FEDERATION_ENABLED = 'federation_enabled'; final public const OPTION_FEDERATION_CACHE_ADAPTER = 'federation_cache_adapter'; final public const OPTION_FEDERATION_CACHE_ADAPTER_ARGUMENTS = 'federation_cache_adapter_arguments'; @@ -651,6 +656,42 @@ public function getOrganizationName(): ?string ); } + public function getDisplayName(): ?string + { + return $this->config()->getOptionalString( + self::OPTION_DISPLAY_NAME, + null, + ); + } + + public function getDescription(): ?string + { + return $this->config()->getOptionalString( + self::OPTION_DESCRIPTION, + null, + ); + } + + /** + * JSON array with one or more strings representing search keywords, tags, categories, or labels that + * apply to this Entity. + * + * @return ?string[] + */ + public function getKeywords(): ?array + { + $keywords = $this->config()->getOptionalArray( + self::OPTION_KEYWORDS, + null, + ); + + if (is_null($keywords)) { + return null; + } + + return array_filter($keywords, fn($keyword) => is_string($keyword)); + } + public function getContacts(): ?array { return $this->config()->getOptionalArray( 
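Review bot: `getKeywords()` returns the result of `array_filter()` directly, which preserves the original keys. If a non-string entry is dropped, or the option is configured with string keys, the result is no longer a list and will come out as a JSON object when encoded, not the JSON array the docblock describes. Re-index before returning: `return array_values(array_filter($keywords, fn($keyword) => is_string($keyword)));`. Silently discarding invalid entries also hides a misconfiguration, so logging a warning or raising a configuration error for them would make the problem visible to the administrator.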
@@ -675,6 +716,21 @@ public function getPolicyUri(): ?string ); } + public function getInformationUri(): ?string + { + return $this->config()->getOptionalString( + self::OPTION_INFORMATION_URI, + null, + ); + } + + /** + * @return string|null + * TODO mivanci v7 Remove in next major release, as well as config constant. + * In Draft-43 of OIDFed specification, metadata claim 'homepage_uri' has been renamed to + * 'organization_uri'. Use 'organization_uri' instead. + * @see self::getOrganizationUri() + */ public function getHomepageUri(): ?string { return $this->config()->getOptionalString( @@ -683,6 +739,14 @@ public function getHomepageUri(): ?string ); } + public function getOrganizationUri(): ?string + { + return $this->config()->getOptionalString( + self::OPTION_ORGANIZATION_URI, + null, + ); + } + public function getFederationCacheAdapterClass(): ?string { return $this->config()->getOptionalString(self::OPTION_FEDERATION_CACHE_ADAPTER, null); diff --git a/src/Utils/FederationParticipationValidator.php b/src/Utils/FederationParticipationValidator.php index 9fd55934..5ce45fe1 100644 --- a/src/Utils/FederationParticipationValidator.php +++ b/src/Utils/FederationParticipationValidator.php @@ -60,20 +60,20 @@ public function byTrustMarksFor(TrustChain $trustChain): void /** * @var string $limitId - * @var non-empty-string[] $limitedTrustMarkIds + * @var non-empty-string[] $limitedTrustMarkTypes */ - foreach ($trustMarkLimitsRules as $limitId => $limitedTrustMarkIds) { + foreach ($trustMarkLimitsRules as $limitId => $limitedTrustMarkTypes) { $limit = LimitsEnum::from($limitId); if ($limit === LimitsEnum::OneOf) { $this->validateForOneOfLimit( - $limitedTrustMarkIds, + $limitedTrustMarkTypes, $leafEntityConfiguration, $trustAnchorEntityConfiguration, ); } else { $this->validateForAllOfLimit( - $limitedTrustMarkIds, + $limitedTrustMarkTypes, $leafEntityConfiguration, $trustAnchorEntityConfiguration, ); 
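Review bot: The new docblock on `getHomepageUri()` states the deprecation only in a TODO line, so static analysers and IDEs will not flag remaining callers. The standard tag would match the `@deprecated` comment this commit adds in `module_oidc.php.dist`, for example `@deprecated Use getOrganizationUri(); 'homepage_uri' was renamed to 'organization_uri' in Draft-43.` The new `getInformationUri()` and `getOrganizationUri()` getters have no docblock at all; a one-line description of the metadata claim each one feeds would help. As far as these hunks show, the configured strings are returned without any URL validation, which is worth stating in that description.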
@@ -82,17 +82,17 @@ public function byTrustMarksFor(TrustChain $trustChain): void } /** - * @param non-empty-string[] $limitedTrustMarkIds + * @param non-empty-string[] $limitedTrustMarkTypes * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException * @throws \SimpleSAML\OpenID\Exceptions\JwsException * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException */ public function validateForOneOfLimit( - array $limitedTrustMarkIds, + array $limitedTrustMarkTypes, EntityStatement $leafEntityConfiguration, EntityStatement $trustAnchorEntityConfiguration, ): void { - if (empty($limitedTrustMarkIds)) { + if (empty($limitedTrustMarkTypes)) { $this->loggerService->debug('No Trust Mark limits given for OneOf limit rule, nothing to do.'); return; } @@ -103,21 +103,21 @@ public function validateForOneOfLimit( $leafEntityConfiguration->getIssuer(), $trustAnchorEntityConfiguration->getIssuer(), ), - ['limitedTrustMarkIds' => $limitedTrustMarkIds], + ['limitedTrustMarkTypes' => $limitedTrustMarkTypes], ); - foreach ($limitedTrustMarkIds as $limitedTrustMarkId) { + foreach ($limitedTrustMarkTypes as $limitedTrustMarkType) { try { - $this->federation->trustMarkValidator()->fromCacheOrDoForTrustMarkId( - $limitedTrustMarkId, + $this->federation->trustMarkValidator()->fromCacheOrDoForTrustMarkType( + $limitedTrustMarkType, $leafEntityConfiguration, $trustAnchorEntityConfiguration, ); $this->loggerService->debug( sprintf( - 'Trust Mark ID %s validated using OneOf limit rule for entity %s under Trust Anchor %s.', - $limitedTrustMarkId, + 'Trust Mark Type %s validated using OneOf limit rule for entity %s under Trust Anchor %s.', + $limitedTrustMarkType, $leafEntityConfiguration->getIssuer(), $trustAnchorEntityConfiguration->getIssuer(), ), 
@@ -126,8 +126,8 @@ public function validateForOneOfLimit( } catch (\Throwable $exception) { $this->loggerService->debug( sprintf( - 'Trust Mark ID %s validation failed with error: %s. Trying next if available.', - $limitedTrustMarkId, + 'Trust Mark Type %s validation failed with error: %s. Trying next if available.', + $limitedTrustMarkType, $exception->getMessage(), ), ); @@ -138,7 +138,7 @@ public function validateForOneOfLimit( $error = sprintf( 'Leaf entity %s does not have any valid Trust Marks from the given list (%s). OneOf limit rule failed.', $leafEntityConfiguration->getIssuer(), - implode(',', $limitedTrustMarkIds), + implode(',', $limitedTrustMarkTypes), ); $this->loggerService->error($error); @@ -146,17 +146,17 @@ public function validateForOneOfLimit( } /** - * @param non-empty-string[] $limitedTrustMarkIds + * @param non-empty-string[] $limitedTrustMarkTypes * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException * @throws \SimpleSAML\OpenID\Exceptions\JwsException * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException */ public function validateForAllOfLimit( - array $limitedTrustMarkIds, + array $limitedTrustMarkTypes, EntityStatement $leafEntityConfiguration, EntityStatement $trustAnchorEntityConfiguration, ): void { - if (empty($limitedTrustMarkIds)) { + if (empty($limitedTrustMarkTypes)) { $this->loggerService->debug('No Trust Mark limits given for AllOf limit rule, nothing to do.'); return; } 
@@ -167,27 +167,27 @@ public function validateForAllOfLimit( $leafEntityConfiguration->getIssuer(), $trustAnchorEntityConfiguration->getIssuer(), ), - ['limitedTrustMarkIds' => $limitedTrustMarkIds], + ['limitedTrustMarkTypes' => $limitedTrustMarkTypes], ); - foreach ($limitedTrustMarkIds as $limitedTrustMarkId) { + foreach ($limitedTrustMarkTypes as $limitedTrustMarkType) { try { - $this->federation->trustMarkValidator()->fromCacheOrDoForTrustMarkId( - $limitedTrustMarkId, + $this->federation->trustMarkValidator()->fromCacheOrDoForTrustMarkType( + $limitedTrustMarkType, $leafEntityConfiguration, $trustAnchorEntityConfiguration, ); $this->loggerService->debug( sprintf( - 'Trust Mark ID %s validated. Trying next if available.', - $limitedTrustMarkId, + 'Trust Mark Type %s validated. Trying next if available.', + $limitedTrustMarkType, ), ); } catch (\Throwable $exception) { $error = sprintf( - 'Trust Mark ID %s validation failed with error: %s. AllOf limit rule failed.', - $limitedTrustMarkId, + 'Trust Mark Type %s validation failed with error: %s. AllOf limit rule failed.', + $limitedTrustMarkType, $exception->getMessage(), ); $this->loggerService->error($error); diff --git a/templates/config/federation.twig b/templates/config/federation.twig index 4b05424c..a2d2801e 100644 --- a/templates/config/federation.twig +++ b/templates/config/federation.twig @@ -93,7 +93,7 @@ {% if trustMarks|default is not empty %} {% for trustMark in trustMarks %}
- - {{ trustMark.getPayload.trust_mark_id }}
+ - {{ trustMark.getPayload.trust_mark_type }}
{{- trustMark.getPayload|json_encode(constant('JSON_PRETTY_PRINT') b-or constant('JSON_UNESCAPED_SLASHES')) -}}
diff --git a/templates/tests/trust-mark-validation.twig b/templates/tests/trust-mark-validation.twig
index 9a0cd219..d426889d 100644
--- a/templates/tests/trust-mark-validation.twig
+++ b/templates/tests/trust-mark-validation.twig
@@ -15,13 +15,13 @@
class="pure-form pure-form-stacked">