Feature/metadata exchange

.github/workflows/interoperability.yml

@@ -0,0 +1,80 @@
+---
+
+name: Interoperability
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches: ['**']
+    paths-ignore:
+      - '**.md'
+      - '**.yml'
+  pull_request:
+    branches: [master, release-*]
+    paths-ignore:
+      - '**.md'
+      - '**.yml'
+  workflow_dispatch:
+
+jobs:
+  edugain:
+    name: "Interoperability tests, PHP ${{ matrix.php-versions }}, ${{ matrix.operating-system }}"
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      fail-fast: false
+      matrix:
+        operating-system: [ubuntu-latest]
+        php-versions: ['8.2']
+
+    steps:
+      - name: Setup PHP, with composer and extensions
+        # https://github.com/shivammathur/setup-php
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: ctype, date, dom, hash, mbstring, openssl, pcre, spl, xml
+          tools: composer:v2
+          ini-values: error_reporting=E_ALL, memory_limit=-1
+          coverage: none
+
+      - name: Setup problem matchers for PHP
+        run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+      - name: Setup problem matchers for PHPUnit
+        run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json"
+
+      - name: Set git to use LF
+        run: |
+          git config --global core.autocrlf false
+          git config --global core.eol lf
+
+      - uses: actions/checkout@v4
+
+      - name: Cache composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: $(composer config cache-files-dir)
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Validate composer.json and composer.lock
+        run: composer validate
+
+      - name: Install Composer dependencies
+        run: composer install --no-progress --prefer-dist --optimize-autoloader
+
+      - name: Get current date
+        id: date
+        run: |
+          echo "{date}={$(date +'%Y-%m-%d')}" >> "$GITHUB_STATE"
+
+      - name: Cache metadata
+        id: cache-metadata
+        uses: actions/cache@v4
+        with:
+          path: /tmp/metadata
+          key: ${{ runner.os }}-metadata-${{ env.date }}
+          restore-keys: ${{ runner.os }}-metadata-
+
+      - name: Run unit tests
+        run: |
+          ./vendor/bin/phpunit -c phpunit-interoperability.xml

composer.json

@@ -30,6 +30,7 @@
     },
     "autoload-dev": {
         "psr-4": {
+            "SimpleSAML\\Test\\Module\\adfs\\": "vendor/simplesamlphp/simplesamlphp/tests",
             "SimpleSAML\\Test\\Utils\\": "vendor/simplesamlphp/simplesamlphp/tests/Utils"
         }
     },
@@ -39,18 +40,19 @@
 
         "beste/clock": "^3.0",
         "psr/clock": "^1.0",
-        "simplesamlphp/assert": "^1.1",
-        "simplesamlphp/saml11": "^1.0",
+        "simplesamlphp/assert": "~1.8.0",
+        "simplesamlphp/saml11": "~1.2.0",
         "simplesamlphp/saml2": "^5@dev",
         "simplesamlphp/simplesamlphp": "^2.4",
-        "simplesamlphp/ws-security": "^1.6",
-        "simplesamlphp/xml-common": "^1.16",
-        "simplesamlphp/xml-security": "^1.9",
+        "simplesamlphp/xml-common": "~1.24.0",
+        "simplesamlphp/xml-security": "~1.13.0",
+        "simplesamlphp/xml-soap": "~1.7.0",
+        "simplesamlphp/xml-wsdl": "~1.2.0",
+        "simplesamlphp/ws-security": "~1.9.0",
         "symfony/http-foundation": "^6.4"
     },
     "require-dev": {
-        "simplesamlphp/simplesamlphp-test-framework": "^1.6",
-        "simplesamlphp/xml-security": "^1.7"
+        "simplesamlphp/simplesamlphp-test-framework": "~1.8.0"
     },
     "support": {
         "issues": "https://github.com/simplesamlphp/simplesamlphp-module-adfs/issues",

phpunit-interoperability.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" backupGlobals="false" colors="true" processIsolation="false" stopOnFailure="false" bootstrap="./tests/bootstrap.php" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.0/phpunit.xsd" cacheDirectory=".phpunit.cache" backupStaticProperties="false">
+  <testsuites>
+    <testsuite name="Test Suite - Interoperability">
+      <directory>./tests/InterOperability</directory>
+    </testsuite>
+  </testsuites>
+</phpunit>

routing/routes/routes.yml

@@ -27,3 +27,17 @@ adfs-prp-legacy:
     _controller: 'SimpleSAML\Module\adfs\Controller\Adfs::prp'
   }
   methods: [GET, POST]
+
+adfs-wstrust-mex:
+  path: /ws-trust/mex
+  defaults: {
+    _controller: 'SimpleSAML\Module\adfs\Controller\Adfs::mex'
+  }
+  methods: [GET]
+
+adfs-wstrust-usernamemixed:
+  path: /ws-trust/2005/services/usernamemixed
+  defaults: {
+    _controller: 'SimpleSAML\Module\adfs\Controller\Adfs::usernamemixed'
+  }
+  methods: [POST]

src/Controller/Adfs.php

@@ -9,6 +9,10 @@
 use SimpleSAML\Error as SspError;
 use SimpleSAML\Module\adfs\IdP\ADFS as ADFS_IDP;
 use SimpleSAML\Module\adfs\IdP\MetadataBuilder;
+use SimpleSAML\Module\adfs\IdP\PassiveIdP;
+use SimpleSAML\Module\adfs\MetadataExchange;
+use SimpleSAML\SOAP\XML\env_200305\Envelope;
+use SimpleSAML\XML\DOMDocumentFactory;
 use Symfony\Component\HttpFoundation\{Request, Response, StreamedResponse};
 
 /**
@@ -77,7 +81,6 @@ public function metadata(Request $request): Response
             // Some products like DirX are known to break on pretty-printed XML
             $document->ownerDocument->formatOutput = false;
             $document->ownerDocument->encoding = 'UTF-8';
-
             $metaxml = $document->ownerDocument->saveXML();
 
             $response = new Response();
@@ -137,4 +140,96 @@ function () use ($idp, /** @scrutinizer ignore-type */ $assocId, $relayState, $l
         }
         throw new SspError\BadRequest("Missing parameter 'wa' or 'assocId' in request.");
     }
+
+
+    /**
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    public function mex(Request $request): Response
+    {
+        if (!$this->config->getOptionalBoolean('enable.adfs-idp', false)) {
+            throw new SspError\Error('NOACCESS');
+        }
+
+        // check if valid local session exists
+        $authUtils = new Utils\Auth();
+        if ($this->config->getOptionalBoolean('admin.protectmetadata', false) && !$authUtils->isAdmin()) {
+            return new StreamedResponse([$authUtils, 'requireAdmin']);
+        }
+
+        $mexBuilder = new MetadataExchange();
+        $document = $mexBuilder->buildDocument()->toXML();
+        // Some products like DirX are known to break on pretty-printed XML
+        $document->ownerDocument->formatOutput = false;
+        $document->ownerDocument->encoding = 'UTF-8';
+
+        $document->setAttributeNS(
+            'http://www.w3.org/2000/xmlns/',
+            'xmlns:tns',
+            'http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice',
+        );
+
+        $document->setAttributeNS(
+            'http://www.w3.org/2000/xmlns/',
+            'xmlns:soapenc',
+            'http://schemas.xmlsoap.org/soap/encoding/',
+        );
+
+        $document->setAttributeNS(
+            'http://www.w3.org/2000/xmlns/',
+            'xmlns:msc',
+            'http://schemas.microsoft.com/ws/2005/12/wsdl/contract',
+        );
+
+        $document->setAttributeNS(
+            'http://www.w3.org/2000/xmlns/',
+            'xmlns:wsam',
+            'http://www.w3.org/2007/05/addressing/metadata',
+        );
+
+        $document->setAttributeNS(
+            'http://www.w3.org/2000/xmlns/',
+            'xmlns:wsap',
+            'http://schemas.xmlsoap.org/ws/2004/08/addressing/policy',
+        );
+
+        $metaxml = $document->ownerDocument->saveXML();
+
+        $response = new Response();
+        $response->setEtag(hash('sha256', $metaxml));
+        $response->setPublic();
+        if ($response->isNotModified($request)) {
+            return $response;
+        }
+        $response->headers->set('Content-Type', 'text/xml');
+        $response->setContent($metaxml);
+
+        return $response;
+    }
+
+
+    /**
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    public function usernamemixed(Request $request): Response
+    {
+        if (!$this->config->getOptionalBoolean('enable.adfs-idp', false)) {
+            throw new SspError\Error('NOACCESS');
+        }
+
+        $soapMessage = $request->getContent();
+        if ($soapMessage === false) {
+            throw new SspError\BadRequest('Missing SOAP-content.');
+        }
+
+        $domDocument = DOMDocumentFactory::fromString($soapMessage);
+        $soapEnvelope = Envelope::fromXML($domDocument->documentElement);
+
+        $idpEntityId = $this->metadata->getMetaDataCurrentEntityID('adfs-idp-hosted');
+        $idp = PassiveIdP::getById($this->config, 'adfs:' . $idpEntityId);
+
+        return ADFS_IDP::receivePassiveAuthnRequest($request, $soapEnvelope, $idp);
+    }
 }