WIP move to SSP UI

simplesamlphp · Nov 19, 2024 · 76073b5 · 76073b5
1 parent 14e91bc
commit 76073b5
Show file tree

Hide file tree

Showing 16 changed files with 555 additions and 203 deletions.
diff --git a/public/assets/css/src/default.css b/public/assets/css/src/default.css
@@ -70,10 +70,14 @@ h4 {
     background-color: #fff;
 }
 
-ul.config {
+ul.disc {
     list-style: disc outside none;
 }
 
+em {
+    font-style: italic;
+}
+
 /* Text colors */
 .black-text { color: black; }
 .red-text { color: red; }
@@ -85,3 +89,26 @@ ul.config {
 .cyan-text { color: cyan; }
 .lightcyan-text { color: lightcyan; }
 .white-text { color: white; }
+
+/* Button sizes */
+.button-small {
+    font-size: 75%;
+}
+
+/* Client Table */
+table.client-table {
+    width: 100%;
+}
+
+.client-col.col-info {
+    width: 79%;
+}
+
+.client-col.col-actions {
+    width: 21%;
+}
+
+.client-col.col-property {
+    width: 25%;
+    font-weight: bolder;
+}
diff --git a/routing/routes/routes.php b/routing/routes/routes.php
@@ -41,6 +41,8 @@
 
     $routes->add(RoutesEnum::AdminClients->name, RoutesEnum::AdminClients->value)
         ->controller([ClientController::class, 'index']);
+    $routes->add(RoutesEnum::AdminClientsShow->name, RoutesEnum::AdminClientsShow->value)
+        ->controller([ClientController::class, 'show']);
 
     /*****************************************************************************************************************
      * OpenID Connect

diff --git a/src/Admin/Authorization.php b/src/Admin/Authorization.php
@@ -8,18 +8,25 @@
 use SimpleSAML\Locale\Translate;
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
+use SimpleSAML\Module\oidc\Services\AuthContextService;
 
 class Authorization
 {
     public function __construct(
         protected readonly SspBridge $sspBridge,
+        protected readonly AuthContextService $authContextService,
     ) {
     }
 
+    public function isAdmin(): bool
+    {
+        return $this->sspBridge->utils()->auth()->isAdmin();
+    }
+
     /**
      * @throws \SimpleSAML\Module\oidc\Exceptions\AuthorizationException
      */
-    public function requireSspAdmin(bool $forceAdminAuthentication = false): void
+    public function requireAdmin(bool $forceAdminAuthentication = false): void
     {
         if ($forceAdminAuthentication) {
             try {
@@ -33,8 +40,33 @@ public function requireSspAdmin(bool $forceAdminAuthentication = false): void
             }
         }
 
-        if (! $this->sspBridge->utils()->auth()->isAdmin()) {
+        if (! $this->isAdmin()) {
             throw new AuthorizationException(Translate::noop('SimpleSAMLphp admin access required.'));
         }
     }
+
+    /**
+     * @throws \SimpleSAML\Module\oidc\Exceptions\AuthorizationException
+     */
+    public function requireAdminOrUserWithPermission(string $permission): void
+    {
+        if ($this->isAdmin()) {
+            return;
+        }
+
+        try {
+            $this->authContextService->requirePermission($permission);
+        } catch (Exception $exception) {
+            throw new AuthorizationException(
+                Translate::noop('User not authorized.'),
+                $exception->getCode(),
+                $exception,
+            );
+        }
+    }
+
+    public function getUserId(): string
+    {
+        return $this->authContextService->getAuthUserId();
+    }
 }
diff --git a/src/Codebooks/RoutesEnum.php b/src/Codebooks/RoutesEnum.php
@@ -18,6 +18,7 @@ enum RoutesEnum: string
     // Client management
 
     case AdminClients = 'admin/clients';
+    case AdminClientsShow = 'admin/clients/show';
 
     /*****************************************************************************************************************
      * OpenID Connect

diff --git a/src/Controllers/Admin/ClientController.php b/src/Controllers/Admin/ClientController.php
@@ -6,23 +6,77 @@
 
 use SimpleSAML\Module\oidc\Admin\Authorization;
 use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
+use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
+use SimpleSAML\Module\oidc\Exceptions\OidcException;
 use SimpleSAML\Module\oidc\Factories\TemplateFactory;
+use SimpleSAML\Module\oidc\Repositories\AllowedOriginRepository;
+use SimpleSAML\Module\oidc\Repositories\ClientRepository;
+use SimpleSAML\Module\oidc\Services\AuthContextService;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
 class ClientController
 {
     public function __construct(
         protected readonly TemplateFactory $templateFactory,
         protected readonly Authorization $authorization,
+        protected readonly ClientRepository $clientRepository,
+        protected readonly AllowedOriginRepository $allowedOriginRepository,
     ) {
-        $this->authorization->requireSspAdmin(true);
+        $this->authorization->requireAdminOrUserWithPermission(AuthContextService::PERM_CLIENT);
     }
-    public function index(): Response
+
+    /**
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     * @throws \JsonException
+     * @throws \SimpleSAML\Module\oidc\Exceptions\OidcException
+     */
+    protected function getClientFromRequest(Request $request): ClientEntityInterface
     {
+        ($clientId = $request->query->getString('client_id'))
+        || throw new OidcException('Client ID not provided.');
+
+        $authedUserId = $this->authorization->isAdmin() ? null : $this->authorization->getUserId();
+
+        return $this->clientRepository->findById($clientId, $authedUserId) ??
+        throw new OidcException('Client not found.');
+    }
+
+    public function index(Request $request): Response
+    {
+        $page = $request->query->getInt('page', 1);
+        $query = $request->query->getString('q', '');
+        $authedUserId = $this->authorization->isAdmin() ? null : $this->authorization->getUserId();
+
+        $pagination = $this->clientRepository->findPaginated($page, $query, $authedUserId);
+
+
         return $this->templateFactory->build(
             'oidc:clients.twig',
             [
-                //
+                'clients' => $pagination['items'],
+                'numPages' => $pagination['numPages'],
+                'currentPage' => $pagination['currentPage'],
+                'query' => $query,
+            ],
+            RoutesEnum::AdminClients->value,
+        );
+    }
+
+    /**
+     * @throws \SimpleSAML\Module\oidc\Exceptions\OidcException
+     */
+    public function show(Request $request): Response
+    {
+        $client = $this->getClientFromRequest($request);
+        $allowedOrigins = $this->allowedOriginRepository->get($client->getIdentifier());
+
+        // TODO mivanci rename *-ssp.twig templates after removing old ones.
+        return $this->templateFactory->build(
+            'oidc:clients/show-ssp.twig',
+            [
+                'client' => $client,
+                'allowedOrigins' => $allowedOrigins,
             ],
             RoutesEnum::AdminClients->value,
         );

diff --git a/src/Controllers/Admin/ConfigController.php b/src/Controllers/Admin/ConfigController.php
@@ -11,6 +11,7 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\DatabaseMigration;
 use SimpleSAML\Module\oidc\Services\SessionMessagesService;
+use SimpleSAML\OpenID\Federation;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -22,8 +23,9 @@ public function __construct(
         protected readonly Authorization $authorization,
         protected readonly DatabaseMigration $databaseMigration,
         protected readonly SessionMessagesService $sessionMessagesService,
+        protected readonly Federation $federation,
     ) {
-        $this->authorization->requireSspAdmin(true);
+        $this->authorization->requireAdmin(true);
     }
 
     public function migrations(): Response
@@ -65,10 +67,21 @@ public function protocolSettings(): Response
 
     public function federationSettings(): Response
     {
+        $trustMarks = null;
+        if (is_array($trustMarkTokens = $this->moduleConfig->getFederationTrustMarkTokens())) {
+            $trustMarks = array_map(
+                function (string $token): Federation\TrustMark {
+                    return $this->federation->trustMarkFactory()->fromToken($token);
+                },
+                $trustMarkTokens,
+            );
+        }
+
         return $this->templateFactory->build(
             'oidc:config/federation.twig',
             [
                 'moduleConfig' => $this->moduleConfig,
+                'trustMarks' => $trustMarks,
             ],
             RoutesEnum::AdminConfigFederation->value,
         );

diff --git a/src/Controllers/Federation/EntityStatementController.php b/src/Controllers/Federation/EntityStatementController.php
@@ -158,7 +158,7 @@ public function configuration(): Response
 
         $this->federationCache?->set(
             $entityConfigurationToken,
-            $this->moduleConfig->getFederationEntityStatementCacheDuration(),
+            $this->moduleConfig->getFederationEntityStatementCacheDurationForProduced(),
             self::KEY_OP_ENTITY_CONFIGURATION_STATEMENT,
             $this->moduleConfig->getIssuer(),
         );
@@ -253,7 +253,7 @@ public function fetch(Request $request): Response
 
         $this->federationCache?->set(
             $subordinateStatementToken,
-            $this->moduleConfig->getFederationEntityStatementCacheDuration(),
+            $this->moduleConfig->getFederationEntityStatementCacheDurationForProduced(),
             self::KEY_RP_SUBORDINATE_ENTITY_STATEMENT,
             $subject,
         );

diff --git a/src/Factories/FederationFactory.php b/src/Factories/FederationFactory.php
@@ -40,7 +40,7 @@ public function build(): Federation
 
         return new Federation(
             supportedAlgorithms: $supportedAlgorithms,
-            maxCacheDuration: $this->moduleConfig->getFederationCacheMaxDuration(),
+            maxCacheDuration: $this->moduleConfig->getFederationCacheMaxDurationForFetched(),
             cache: $this->federationCache?->cache,
             logger: $this->loggerService,
         );

diff --git a/src/Factories/JwksFactory.php b/src/Factories/JwksFactory.php
@@ -35,7 +35,7 @@ public function build(): Jwks
 
         return new Jwks(
             supportedAlgorithms: $supportedAlgorithms,
-            maxCacheDuration: $this->moduleConfig->getFederationCacheMaxDuration(),
+            maxCacheDuration: $this->moduleConfig->getFederationCacheMaxDurationForFetched(),
             cache: $this->federationCache?->cache,
             logger: $this->loggerService,
         );

diff --git a/src/Factories/TemplateFactory.php b/src/Factories/TemplateFactory.php
@@ -111,7 +111,7 @@ protected function includeDefaultMenuItems(): void
         $this->oidcMenu->addItem(
             $this->oidcMenu->buildItem(
                 $this->moduleConfig->getModuleUrl(RoutesEnum::AdminClients->value),
-                Translate::noop('Clients'),
+                Translate::noop('Client Registry'),
             ),
         );
     }

diff --git a/src/ModuleConfig.php b/src/ModuleConfig.php
@@ -534,7 +534,7 @@ public function getFederationEntityStatementDuration(): DateInterval
     /**
      * @throws \Exception
      */
-    public function getFederationEntityStatementCacheDuration(): DateInterval
+    public function getFederationEntityStatementCacheDurationForProduced(): DateInterval
     {
         return new DateInterval(
             $this->config()->getOptionalString(
@@ -614,7 +614,7 @@ public function getFederationCacheAdapterArguments(): array
         return $this->config()->getOptionalArray(self::OPTION_FEDERATION_CACHE_ADAPTER_ARGUMENTS, []);
     }
 
-    public function getFederationCacheMaxDuration(): DateInterval
+    public function getFederationCacheMaxDurationForFetched(): DateInterval
     {
         return new DateInterval(
             $this->config()->getOptionalString(self::OPTION_FEDERATION_CACHE_MAX_DURATION_FOR_FETCHED, 'PT6H'),

diff --git a/src/Utils/Routes.php b/src/Utils/Routes.php
@@ -23,7 +23,6 @@ public function getModuleUrl(string $resource = '', array $parameters = []): str
         return $this->sspBridge->module()->getModuleUrl($resource, $parameters);
     }
 
-
     /*****************************************************************************************************************
      * Admin area
      ****************************************************************************************************************/
@@ -52,7 +51,13 @@ public function urlAdminMigrationsRun(array $parameters = []): string
 
     public function urlAdminClients(array $parameters = []): string
     {
-        return $this->getModuleUrl(RoutesEnum::AdminMigrationsRun->value, $parameters);
+        return $this->getModuleUrl(RoutesEnum::AdminClients->value, $parameters);
+    }
+
+    public function urlAdminClientsShow(string $clientId, array $parameters = []): string
+    {
+        $parameters['client_id'] = $clientId;
+        return $this->getModuleUrl(RoutesEnum::AdminClientsShow->value, $parameters);
     }
 
     /*****************************************************************************************************************