Start with version 5 (#211)

* Move to PHP v8.1 * Move to psalm level 1 * Remove dependency on steverhoades/oauth2-openid-connect-server * Move ClaimTranslatorExtractor to Utils * Move ConfigurationService to src * Rename ConfigurationService to ModuleConfig * Move to module config constants * Normalize codebase * First Symfony route (OP configuration) * Update tests * Set SSP requirement to 2.1 * Update upgrade log --------- Co-authored-by: Marko Ivančić <[email protected]>
simplesamlphp · Dec 3, 2023 · 9b3cd12 · 9b3cd12
1 parent 895abfd
commit 9b3cd12
Show file tree

Hide file tree

Showing 265 changed files with 4,971 additions and 4,066 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-versions: ["8.0", "8.1", "8.2"]
+        php-versions: ["8.1", "8.2"]
 
     steps:
       - name: Setup PHP, with composer and extensions
@@ -55,7 +55,7 @@ jobs:
         run: composer install --no-progress --prefer-dist --optimize-autoloader
 
       - name: Decide whether to run code coverage or not
-        if: ${{ matrix.php-versions != '8.0' }}
+        if: ${{ matrix.php-versions != '8.1' }}
         run: |
           echo "NO_COVERAGE=--no-coverage" >> $GITHUB_ENV
 
@@ -65,7 +65,7 @@ jobs:
           ./vendor/bin/phpunit $NO_COVERAGE
 
       - name: Save coverage data
-        if: ${{ matrix.php-versions == '8.0' }}
+        if: ${{ matrix.php-versions == '8.1' }}
         uses: actions/upload-artifact@v1
         with:
           name: build-data
@@ -78,7 +78,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.0"
+          php-version: "8.1"
           extensions: mbstring, xml
           tools: composer:v2
           coverage: none
@@ -119,7 +119,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.0"
+          php-version: "8.1"
           extensions: mbstring, xml
           tools: composer:v2
           coverage: none
@@ -152,7 +152,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.0"
+          php-version: "8.1"
           tools: composer:v2
           extensions: mbstring, xml
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/CONFORMANCE_TEST.md b/CONFORMANCE_TEST.md
@@ -20,7 +20,7 @@ MAVEN_CACHE=./m2 docker-compose -f builder-compose.yml run builder
 docker-compose up
 ```
 
-This will startup the Java conformance app and a MongoDB server. You'll need to configure a test.
+This will start up the Java conformance app and a MongoDB server. You'll need to configure a test.
 
 Visit https://localhost:8443/ and "Create a new plan".
 The Test Plan should be "OpenID Connect Core: Basic Certification Profile Authorization server test"
@@ -33,20 +33,21 @@ You'll need to get your OIDC SSP image running next
 
 ## Run SSP
 
-You'll need to run SSP with OIDC on the same docker network as the compliance tests so they are able to communicate.
+You'll need to run SSP with OIDC on the same docker network as the compliance tests, so they are able to communicate.
 
 See "Docker Compose" section of the main README.
 
 ## Run Conformance Tests
 
-The conformance tests are interactive to make you authenticate. Some of the tests require you to clear cookies to confirm
-certain test scenarios, while others require you to have session cookies to test the RP signaling to the OP that the user
-should reauthenticate. The tests may also redirect you to https://localhost.emobix.co.uk:8443/  which will resolve to
-the conformance Java container. You'll need to accept any SSL connection warnings.
+The conformance tests are interactive to make you authenticate. Some of the tests require you to clear cookies to
+confirm certain test scenarios, while others require you to have session cookies to test the RP signaling to the
+OP that the user should reauthenticate. The tests may also redirect you to https://localhost.emobix.co.uk:8443/
+which will resolve to the conformance Java container. You'll need to accept any SSL connection warnings.
 
 ## Run automated tests
 
-Eventually these test can have [the browser portion automated](https://gitlab.com/openid/conformance-suite/-/wikis/Design/BrowserControl)
+Eventually these test can have
+[the browser portion automated](https://gitlab.com/openid/conformance-suite/-/wikis/Design/BrowserControl)
 though the Conformance tests authors recommend getting them all to pass first.
 
 To run basic profile test, launch this command in console inside `simplesamlphp-module-oidc` directory:
@@ -96,13 +97,13 @@ In this situation your OIDC OP must be accessible to the public internet.
 ## Deploy SSP OIDC Image
 
 The docker image created in the README.md is designed to be used for running the conformance tests.
-It contains an sqlite database pre-populated with data that can be used for these tests.
+It contains a sqlite database pre-populated with data that can be used for these tests.
 Build and run the image somewhere.
 
 ## Register and Create Conformance Tests
 
 Visit https://openid.net/certification/instructions/
-You can use the `json` deployment configurations under `conformance-tests` to configure your cloud instances. Update your
-`discoveryUrl` to reflect the location you deployed SSP. You may also need to adjust `alias` since that is used in all
-client redirect URIs and may conflict with existing test suites.
+You can use the `json` deployment configurations under `conformance-tests` to configure your cloud instances. Update
+your `discoveryUrl` to reflect the location you deployed SSP. You may also need to adjust `alias` since that is used
+in all client redirect URIs and may conflict with existing test suites.
 
diff --git a/FAQ.md b/FAQ.md
@@ -1,12 +1,12 @@
 # Set JSON type for claims
 
 You can set the type of claim by prefixing the name with `int:`, `bool:` or `string:`. If no prefix is set then `string`
-is assumed. In the rare event that your custom claim name starts with a prefix (example: `int:mycustomclaim`) you can add an one of
-the type prefixes (example: `string:int:mycustomclaim`) to force the module to release a claim with the original prefix in it
- (example: claim `int:mycustomclaim` of type `string`)
+is assumed. In the rare event that your custom claim name starts with a prefix (example: `int:mycustomclaim`) you can
+add one of the type prefixes (example: `string:int:mycustomclaim`) to force the module to release a claim with the
+original prefix in it (example: claim `int:mycustomclaim` of type `string`)
 
 # Release photo
 
-The OIDC `picture` claim is a url, while the `jpegPhoto` ldap attribute is often a b64 string. To use `jpegPhoto` you can
-try using an authproc filter to turn it into a data url by adding `data:image/jpeg;base64,` prefix. The support for data urls
-amongst OIDC client is unknown. 
+The OIDC `picture` claim is an URL, while the `jpegPhoto` LDAP attribute is often a b64 string. To use `jpegPhoto` you
+can try using an authproc filter to turn it into a data url by adding `data:image/jpeg;base64,` prefix. The support
+for data URLs amongst OIDC client is unknown. 
diff --git a/README.md b/README.md
@@ -21,10 +21,15 @@ Currently supported flows are:
 
 | OIDC module | SimpleSAMLphp |  PHP   | Note                        |
 |:------------|:--------------|:------:|-----------------------------|
-| v4.\*       | v2.0.\*       | \>=8.0 | Recommended                 |
-| v3.\*       | v2.0.0        | \>=7.4 | Abandoned from August 2023. |
+| v5.\*       | v2.1.\*       | \>=8.1 | Recommended                 |
+| v4.\*       | v2.0.\*       | \>=8.0 |                             |
+| v3.\*       | v2.0.\*       | \>=7.4 | Abandoned from August 2023. |
 | v2.\*       | v1.19.\*      | \>=7.4 |                             |
 
+### Upgrading?
+
+If you are upgrading from a previous version, checkout the [upgrade guide](UPGRADE.md).
+
 ## Installation
 
 Installation can be as easy as executing:
@@ -95,10 +100,6 @@ If you use a passphrase, make sure to also configure it in the `module_oidc.php`
 In order to purge expired tokens, this module requires [cron module](https://simplesamlphp.org/docs/stable/cron:cron)
 to be enabled and configured.
 
-## Upgrading?
-
-If you are upgrading from a previous version, checkout the [upgrade guide](UPGRADE.md).
-
 ## Additional considerations
 ### Private scopes
 
@@ -109,7 +110,7 @@ However, you can add your own private scopes in the `module_oidc.php` config fil
 <?php
 
 $config = [
-    'scopes' => [
+    \SimpleSAML\Module\oidc\ModuleConfig::OPTION_AUTH_CUSTOM_SCOPES => [
         'private' => [
             'description' => 'private scope',
             'claim_name_prefix' => '', // Optional prefix for claim names
@@ -131,7 +132,7 @@ You can change or extend this table in the `module_oidc.php` config file, for ex
 <?php
 
 $config = [
-    'translate' => [
+    \SimpleSAML\Module\oidc\ModuleConfig::OPTION_AUTH_SAML_TO_OIDC_TRANSLATE_TABLE => [
         // Overwrite default translation
         'sub' => [
             'uid', // added
@@ -185,7 +186,7 @@ documentation](https://simplesamlphp.org/docs/stable/simplesamlphp-authproc).
 <?php
 
 $config = [
-    'authproc.oidc' => [
+    \SimpleSAML\Module\oidc\ModuleConfig::OPTION_AUTH_PROCESSING_FILTERS => [
         50 => [
             'class' => 'core:AttributeAdd',
             'groups' => ['users', 'members'],
@@ -206,8 +207,8 @@ eduPersonEntitlements from the `client` permission array.
 
 A permission can be disabled by commenting it out.
 
-```bash
-    'permissions' => [
+```php
+     \SimpleSAML\Module\oidc\ModuleConfig::OPTION_ADMIN_UI_PERMISSIONS => [
         // Attribute to inspect to determine user's permissions
         'attribute' => 'eduPersonEntitlement',
         // Which entitlements allow for registering, editing, delete a client. OIDC clients are owned by the creator
@@ -242,9 +243,9 @@ form. Here are some sample configurations:
 
 ### With current git branch.
 
-To explore the module using docker run the below command. This will run an SSP image, with the current oidc module mounted
-in the container, along with some configuration files. Any code changes you make to your git checkout are "live" in
-the container, allowing you to test and iterate different things.
+To explore the module using docker run the below command. This will run an SSP image, with the current oidc module
+mounted in the container, along with some configuration files. Any code changes you make to your git checkout are
+"live" in the container, allowing you to test and iterate different things.
 
 ```
 GIT_BRANCH=$(git rev-parse --abbrev-ref HEAD)

diff --git a/UPGRADE.md b/UPGRADE.md
@@ -1,7 +1,31 @@
+# Version 4 to 5
+
+## Major impact changes
+- PHP version requirement was bumped to v8.1
+
+## Medium impact changes
+- Module config options in file 'module_oidc.php' are now using constants for config keys. The values for constants are
+taken from the previous version of the module, so theoretically you don't have to rewrite your current config file,
+although it is recommended to do so.
+
+## Low impact changes
+- Removed the 'kid' config option which was not utilized in the codebase (from v2 of the module, the 'kid' value is the
+fingerprint of the certificate).
+
+Below are some internal changes that should not have impact for the OIDC OP implementors. However, if you are using
+this module as a library or extending from it, you will probably encounter breaking changes, since a lot of code
+has been refactored:
+
+- psalm error level set to 1, which needed a fair amount of code adjustments
+- refactored to strict typing whenever possible (psalm can now infer types for >99% of the codebase)
+- refactored to PHP v8.* (up to PHP v8.1) code styling whenever possible, like using constructor property promotion, 
+match expressions...
+- removed dependency on steverhoades/oauth2-openid-connect-server (low maintenance)
+
 # Version 3 to 4
 - PHP version requirement was bumped to v8.0 to enable updating important dependant packages like 'league/oauth2-server'
   which has already moved to PHPv8 between their minor releases.
-- SimpleSAMLphp version fixed to v2.0.*
+- SimpleSAMLphp version requirement fixed to v2.0.*
 
 # Version 2 to 3
  - Module code was refactored to make it compatible with SimpleSAMLphp v2

diff --git a/composer.json b/composer.json
@@ -17,7 +17,7 @@
         }
     ],
     "require": {
-        "php": "^8.0",
+        "php": "^8.1",
         "ext-curl": "*",
         "ext-json": "*",
         "ext-openssl": "*",
@@ -28,22 +28,21 @@
         "lcobucci/jwt": "^4.1",
         "league/oauth2-server": "^8.5.3",
         "nette/forms": "^3",
-        "psr/container": "^1.0",
-        "psr/log": "^1.1",
-        "simplesamlphp/composer-module-installer": "^1.2",
+        "psr/container": "^2.0",
+        "psr/log": "^3",
+        "simplesamlphp/composer-module-installer": "^1.3",
         "spomky-labs/base64url": "^2.0",
-        "steverhoades/oauth2-openid-connect-server": "^2.0",
-        "web-token/jwt-framework": "^2.1"
+        "symfony/expression-language": "^6.3",
+        "web-token/jwt-framework": "^3"
     },
     "require-dev": {
         "friendsofphp/php-cs-fixer": "^3",
-        "phpunit/php-code-coverage": "^9.0.0",
-        "phpunit/phpcov": "^8.2.0",
-        "phpunit/phpunit": "^9.0.0",
-        "simplesamlphp/simplesamlphp": "2.0.*",
-        "simplesamlphp/simplesamlphp-test-framework": "^1.2.1",
-        "squizlabs/php_codesniffer": "^3.7",
-        "vimeo/psalm": "^5.8"
+        "phpunit/phpunit": "^10",
+        "rector/rector": "^0.18.3",
+        "simplesamlphp/simplesamlphp": "2.1.*",
+        "simplesamlphp/simplesamlphp-test-framework": "^1.5",
+        "squizlabs/php_codesniffer": "^3",
+        "vimeo/psalm": "^5"
     },
     "config": {
         "preferred-install": {
@@ -52,7 +51,8 @@
         "sort-packages": true,
         "allow-plugins": {
             "simplesamlphp/composer-module-installer": true
-        }
+        },
+        "cache-dir": "build/composer"
     },
     "autoload": {
         "psr-4": {
@@ -61,12 +61,11 @@
     },
     "autoload-dev": {
         "psr-4": {
-            "SimpleSAML\\Test\\Module\\oidc\\": "tests/"
+            "SimpleSAML\\Test\\Module\\oidc\\": "tests/src/"
         }
     },
     "extra": {
         "branch-alias": {
-            "dev-master": "1.0.x-dev"
         }
     },
     "scripts": {