From a65b8014f0f762f909d15c1247adcb30203bd224 Mon Sep 17 00:00:00 2001 From: Harm Date: Wed, 6 May 2026 08:39:32 +0200 Subject: [PATCH 01/13] Added ResponseMode interface with FragmentResponseMode and QueryResponseMode --- src/Server/Grants/AuthCodeGrant.php | 17 ++++++------- src/Server/Grants/ImplicitGrant.php | 14 +++++------ .../ResponseModes/FragmentResponseMode.php | 25 +++++++++++++++++++ .../ResponseModes/QueryResponseMode.php | 25 +++++++++++++++++++ .../ResponseModes/ResponseModeInterface.php | 12 +++++++++ 5 files changed, 76 insertions(+), 17 deletions(-) create mode 100644 src/Server/ResponseModes/FragmentResponseMode.php create mode 100644 src/Server/ResponseModes/QueryResponseMode.php create mode 100644 src/Server/ResponseModes/ResponseModeInterface.php diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php index dbbbce0b..a6410466 100644 --- a/src/Server/Grants/AuthCodeGrant.php +++ b/src/Server/Grants/AuthCodeGrant.php @@ -63,6 +63,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Server\RequestTypes\AuthorizationRequest; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\AcrResponseTypeInterface; use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\AuthTimeResponseTypeInterface; use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\NonceResponseTypeInterface; 
@@ -304,15 +305,13 @@ public function completeOidcAuthorizationRequest( $jsonPayload = json_encode($payload, JSON_THROW_ON_ERROR); - $response = new RedirectResponse(); - $response->setRedirectUri( - $this->makeRedirectUri( - $finalRedirectUri, - [ - 'code' => $this->encrypt($jsonPayload), - 'state' => $authorizationRequest->getState(), - ], - ), + $responseMode = new QueryResponseMode(); + $response = $responseMode->buildResponse( + $finalRedirectUri, + [ + 'code' => $this->encrypt($jsonPayload), + 'state' => $authorizationRequest->getState(), + ], ); return $response; diff --git a/src/Server/Grants/ImplicitGrant.php b/src/Server/Grants/ImplicitGrant.php index 2677ca98..a73e58b1 100644 --- a/src/Server/Grants/ImplicitGrant.php +++ b/src/Server/Grants/ImplicitGrant.php @@ -40,6 +40,8 @@ use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; + /** * @psalm-suppress PropertyNotSetInConstructor */ @@ -274,14 +276,10 @@ private function completeOidcAuthorizationRequest(AuthorizationRequest $authoriz $responseParams['id_token'] = $idToken->getToken(); - $response = new RedirectResponse(); - - $response->setRedirectUri( - $this->makeRedirectUri( - $redirectUrl, - $responseParams, - $this->queryDelimiter, - ), + $responseMode = new FragmentResponseMode(); + $response = $responseMode->buildResponse( + $redirectUrl, + $responseParams, ); return $response; diff --git a/src/Server/ResponseModes/FragmentResponseMode.php b/src/Server/ResponseModes/FragmentResponseMode.php new file mode 100644 index 00000000..93bbfab5 --- /dev/null +++ b/src/Server/ResponseModes/FragmentResponseMode.php @@ -0,0 +1,25 @@ +setRedirectUri($newRedirectUri); + + return $response; + } +} \ No newline at end of file diff --git a/src/Server/ResponseModes/QueryResponseMode.php b/src/Server/ResponseModes/QueryResponseMode.php new file mode 100644 index 00000000..bebe0388 --- /dev/null 
+++ b/src/Server/ResponseModes/QueryResponseMode.php @@ -0,0 +1,25 @@ +setRedirectUri($newRedirectUri); + + return $response; + } +} \ No newline at end of file diff --git a/src/Server/ResponseModes/ResponseModeInterface.php b/src/Server/ResponseModes/ResponseModeInterface.php new file mode 100644 index 00000000..72705510 --- /dev/null +++ b/src/Server/ResponseModes/ResponseModeInterface.php @@ -0,0 +1,12 @@ + Date: Wed, 6 May 2026 08:39:38 +0200 Subject: [PATCH 02/13] Start of form_post response mode, hardcoded for now --- routing/services/services.yml | 6 + src/Factories/RequestRulesManagerFactory.php | 14 +++ src/Server/AuthorizationServer.php | 2 + .../RequestRules/Rules/ResponseModeRule.php | 103 ++++++++++++++++++ .../ResponseModes/FormPostResponseMode.php | 35 ++++++ .../ResponseModes/FragmentResponseMode.php | 9 +- .../ResponseModes/QueryResponseMode.php | 9 +- src/Server/ResponseTypes/HtmlResponse.php | 36 ++++++ src/Services/Container.php | 10 ++ templates/formpost.twig | 17 +++ 10 files changed, 227 insertions(+), 14 deletions(-) create mode 100644 src/Server/RequestRules/Rules/ResponseModeRule.php create mode 100644 src/Server/ResponseModes/FormPostResponseMode.php create mode 100644 src/Server/ResponseTypes/HtmlResponse.php create mode 100644 templates/formpost.twig diff --git a/routing/services/services.yml b/routing/services/services.yml index 84054d20..5cd44e92 100644 --- a/routing/services/services.yml +++ b/routing/services/services.yml @@ -67,6 +67,12 @@ services: SimpleSAML\Module\oidc\Server\ResponseTypes\TokenResponse: factory: ['@SimpleSAML\Module\oidc\Factories\TokenResponseFactory', 'build'] + SimpleSAML\Module\oidc\Server\ResponseModes\: + resource: '../../src/Server/ResponseModes/*' + + SimpleSAML\Configuration: + factory: ['SimpleSAML\Configuration', 'getInstance'] + oidc.key.private: class: League\OAuth2\Server\CryptKey factory: ['@SimpleSAML\Module\oidc\Factories\CryptKeyFactory', 'buildPrivateKey'] 
diff --git a/src/Factories/RequestRulesManagerFactory.php b/src/Factories/RequestRulesManagerFactory.php index 9b77e7c0..4ef70690 100644 --- a/src/Factories/RequestRulesManagerFactory.php +++ b/src/Factories/RequestRulesManagerFactory.php @@ -31,11 +31,15 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule; +use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode; use SimpleSAML\Module\oidc\Services\AuthenticationService; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver; @@ -72,6 +76,9 @@ public function __construct( private readonly AuthenticatedOAuth2ClientResolver $authenticatedOAuth2ClientResolver, private readonly ?FederationCache $federationCache = null, private readonly ?ProtocolCache $protocolCache = null, + private readonly QueryResponseMode $queryResponseMode, + private readonly FragmentResponseMode $fragmentResponseMode, + private readonly FormPostResponseMode $formPostResponseMode, ) { } 
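Review bot: The three response-mode dependencies are appended to the constructor after `?FederationCache $federationCache = null` and `?ProtocolCache $protocolCache = null`, so required parameters now follow optional ones. Positional callers can no longer omit the two caches, and recent PHP versions flag optional-before-required parameters as deprecated (confirm for the versions this module supports). Moving `private readonly QueryResponseMode $queryResponseMode,` and its two siblings above the nullable cache parameters keeps the defaults meaningful. The constructor starts outside this hunk.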
@@ -107,6 +114,13 @@ private function getDefaultRules(): array ), new ClientRedirectUriRule($this->requestParamsResolver, $this->helpers, $this->moduleConfig), new RequestObjectRule($this->requestParamsResolver, $this->helpers, $this->jwksResolver), + new ResponseModeRule( + $this->requestParamsResolver, + $this->helpers, + $this->queryResponseMode, + $this->fragmentResponseMode, + $this->formPostResponseMode, + ), new PromptRule( $this->requestParamsResolver, $this->helpers, diff --git a/src/Server/AuthorizationServer.php b/src/Server/AuthorizationServer.php index f0cc0585..f62858ab 100644 --- a/src/Server/AuthorizationServer.php +++ b/src/Server/AuthorizationServer.php @@ -24,6 +24,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PostLogoutRedirectUriRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; +use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestTypes\LogoutRequest; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -85,6 +86,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O StateRule::class, ClientRule::class, ClientRedirectUriRule::class, + ResponseModeRule::class, ]; try { diff --git a/src/Server/RequestRules/Rules/ResponseModeRule.php b/src/Server/RequestRules/Rules/ResponseModeRule.php new file mode 100644 index 00000000..5c7db62e --- /dev/null +++ b/src/Server/RequestRules/Rules/ResponseModeRule.php 
@@ -0,0 +1,103 @@ +requestParamsResolver->getAllBasedOnAllowedMethods( + $request, + $allowedServerRequestMethods, + ); + + // response_mode requires client_id and response_type to be present + if ( + !isset($requestParams[ParamsEnum::ClientId->value]) || + !isset($requestParams[ParamsEnum::ResponseType->value])) { + throw OidcServerException::invalidRequest('Missing client_id or response_type'); + } + + $reponseModeValue = $requestParams[ParamsEnum::ResponseMode->value] ?? null; + $loggerService->debug('ResponseModeRule: resolved response_mode value: ' . ($reponseModeValue ?? 'null')); + + + // if response_mode is not set, we set the default + $responseType = $requestParams[ParamsEnum::ResponseType->value]; + if (!$reponseModeValue) { + switch ($responseType) { + case str_contains($responseType, 'token'): + case str_contains($responseType, 'id_token'): + $reponseModeValue = 'fragment'; + break; + default: + // for other response types, the default is query + $reponseModeValue = 'query'; + } + } + + // Verify if response_mode is one of 'query', 'fragment', 'form_post' + if (!in_array( + $reponseModeValue, + ['query', 'fragment', 'form_post'], + true, + )) { + throw OidcServerException::invalidRequest('Invalid response_mode'); + } + + // TODO: validate whether response_mode is allowed by configuration + + // Resolve ResponseModeStrategy + switch ($reponseModeValue) { + case 'query': + $responseMode = $this->queryResponseMode; + break; + case 'fragment': + $responseMode = $this->fragmentResponseMode; + break; + case 'form_post': + $responseMode = $this->formPostResponseMode; + break; + default: + throw OidcServerException::invalidRequest('Unsupported response_mode. How did we get here?'); + } + + return new Result($this->getKey(), $responseMode); + } +} diff --git a/src/Server/ResponseModes/FormPostResponseMode.php b/src/Server/ResponseModes/FormPostResponseMode.php new file mode 100644 index 00000000..515a7b6c --- /dev/null 
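Review bot: The rule accepts an explicit `response_mode=query` for any `response_type`, so a request for `id_token` or `token` can have its tokens returned in the query string, where they end up in server logs, browser history and Referer headers. The allow-list only tests membership in `['query', 'fragment', 'form_post']`; it should also reject `query` when the response type carries tokens, which the OAuth 2.0 Multiple Response Type Encoding Practices specification forbids. Something like `$returnsTokens = str_contains($responseType, 'token');` followed by `if ($returnsTokens && $reponseModeValue === 'query') { throw OidcServerException::invalidRequest(ParamsEnum::ResponseMode->value, 'query is not allowed for this response_type'); }` would do it. The same flag could replace the `switch`, whose `case str_contains(...)` labels only work through loose string-to-bool comparison. Separately, `invalidRequest()` takes a parameter name as its first argument, so the messages passed here end up inside the generated "Check the ... parameter" hint; the top of the class is not visible in this hunk.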
+++ b/src/Server/ResponseModes/FormPostResponseMode.php @@ -0,0 +1,35 @@ +simpleSAMLConfiguration = $simpleSAMLConfiguration; + } + + public function buildResponse(string $redirectUri, array $params): AbstractResponseType + { + $template = new Template($this->simpleSAMLConfiguration, 'oidc:formpost.twig'); + $template->data = [ + 'redirectUri' => $redirectUri, + 'params' => $params, + ]; + $html = $template->getContents(); // renders to a string + + $response = new HtmlResponse(); + $response->setHtml($html); + return $response; + } +} \ No newline at end of file diff --git a/src/Server/ResponseModes/FragmentResponseMode.php b/src/Server/ResponseModes/FragmentResponseMode.php index 93bbfab5..05b2ea73 100644 --- a/src/Server/ResponseModes/FragmentResponseMode.php +++ b/src/Server/ResponseModes/FragmentResponseMode.php @@ -5,20 +5,15 @@ namespace SimpleSAML\Module\oidc\Server\ResponseModes; use League\OAuth2\Server\ResponseTypes\AbstractResponseType; -use Psr\Http\Message\ResponseInterface; use League\OAuth2\Server\ResponseTypes\RedirectResponse; class FragmentResponseMode implements ResponseModeInterface { public function buildResponse(string $redirectUri, array $params): AbstractResponseType { + $separator = str_contains($redirectUri, '#') ? '&' : '#'; $response = new RedirectResponse(); - - // TODO: copied from league/oauth2-server/src/Grant/AbstractAuthorizeGrant.php for now, but should be refactored to a common helper method - $newRedirectUri = (\strstr($redirectUri, "#") === false) ? "#" : "&"; - $newRedirectUri .= \http_build_query($params); - - $response->setRedirectUri($newRedirectUri); + $response->setRedirectUri($redirectUri . $separator . http_build_query($params)); return $response; } diff --git a/src/Server/ResponseModes/QueryResponseMode.php b/src/Server/ResponseModes/QueryResponseMode.php index bebe0388..58ecc563 100644 --- a/src/Server/ResponseModes/QueryResponseMode.php +++ b/src/Server/ResponseModes/QueryResponseMode.php 
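Review bot: `FormPostResponseMode::buildResponse()` hands `$params` to the template unfiltered, while the query and fragment modes pass them through `http_build_query()`, which drops null values. If a caller supplies a null entry (AuthCodeGrant passes `'state' => $authorizationRequest->getState()`, which may be null; confirm), the `{% for name, value in params %}` loop would presumably post an empty `state` field that the client never sent. Filtering first, e.g. `'params' => array_filter($params, static fn ($v) => $v !== null),`, keeps the three modes consistent. A short docblock saying that `$redirectUri` becomes the form action and that HTML escaping is left entirely to the template would also help the next reader.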
@@ -5,20 +5,15 @@ namespace SimpleSAML\Module\oidc\Server\ResponseModes; use League\OAuth2\Server\ResponseTypes\AbstractResponseType; -use Psr\Http\Message\ResponseInterface; use League\OAuth2\Server\ResponseTypes\RedirectResponse; class QueryResponseMode implements ResponseModeInterface { public function buildResponse(string $redirectUri, array $params): AbstractResponseType { + $separator = str_contains($redirectUri, '?') ? '&' : '?'; $response = new RedirectResponse(); - - // TODO: copied from league/oauth2-server/src/Grant/AbstractAuthorizeGrant.php for now, but should be refactored to a common helper method - $newRedirectUri = (\strstr($redirectUri, "?") === false) ? "?" : "&"; - $newRedirectUri .= \http_build_query($params); - - $response->setRedirectUri($newRedirectUri); + $response->setRedirectUri($redirectUri . $separator . http_build_query($params)); return $response; } diff --git a/src/Server/ResponseTypes/HtmlResponse.php b/src/Server/ResponseTypes/HtmlResponse.php new file mode 100644 index 00000000..920c3409 --- /dev/null +++ b/src/Server/ResponseTypes/HtmlResponse.php @@ -0,0 +1,36 @@ +html = $html; + } + + /** + * @param ResponseInterface $response + * + * @return ResponseInterface + */ + public function generateHttpResponse(ResponseInterface $response) + { + $response->getBody()->write($this->html); + + return $response->withStatus(200)->withHeader('Content-Type', 'text/html'); + } +} diff --git a/src/Services/Container.php b/src/Services/Container.php index f0a0bbef..d14378db 100644 --- a/src/Services/Container.php +++ b/src/Services/Container.php 
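Review bot: `generateHttpResponse()` in HtmlResponse sends the auto-submit page with only `Content-Type: text/html`, although that page carries the authorization code or tokens as form fields. Without cache directives a browser or intermediary may store the page, and it can be re-displayed from history. Suggest `->withHeader('Content-Type', 'text/html; charset=UTF-8')->withHeader('Cache-Control', 'no-cache, no-store')->withHeader('Pragma', 'no-cache')`, which matches the example response in the OAuth 2.0 Form Post Response Mode specification. The class header and the `setHtml()` signature are not visible in this hunk.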
@@ -92,11 +92,15 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule; +use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode; use SimpleSAML\Module\oidc\Server\ResourceServer; use SimpleSAML\Module\oidc\Server\ResponseTypes\TokenResponse; use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer; @@ -420,6 +424,11 @@ public function __construct() ); $this->services[AuthenticatedOAuth2ClientResolver::class] = $authenticatedOAuth2ClientResolver; + $queryResponseMode = new QueryResponseMode(); + $fragmentResponseMode = new FragmentResponseMode(); + // FormPostResponseMode renders a template, so it requires the configuration. + $formPostResponseMode = new FormPostResponseMode($simpleSAMLConfiguration); + $requestRules = [ new StateRule($requestParamsResolver, $helpers), new ClientRule( 
@@ -436,6 +445,7 @@ public function __construct() ), new ClientRedirectUriRule($requestParamsResolver, $helpers, $moduleConfig), new RequestObjectRule($requestParamsResolver, $helpers, $jwksResolver), + new ResponseModeRule($requestParamsResolver, $helpers, $queryResponseMode, $fragmentResponseMode, $formPostResponseMode), new PromptRule($requestParamsResolver, $helpers, $authSimpleFactory, $authenticationService, $sspBridge), new MaxAgeRule($requestParamsResolver, $helpers, $authSimpleFactory, $authenticationService, $sspBridge), new ScopeRule($requestParamsResolver, $helpers, $scopeRepository), diff --git a/templates/formpost.twig b/templates/formpost.twig new file mode 100644 index 00000000..295b1d58 --- /dev/null +++ b/templates/formpost.twig @@ -0,0 +1,17 @@ + + + + + Submitting... + + +
+ {% for name, value in params %} + + {% endfor %} + +
+ + \ No newline at end of file From b0073a51a35c947341ac65c5669d899815a83538 Mon Sep 17 00:00:00 2001 
From: Harm Date: Wed, 6 May 2026 08:39:40 +0200 Subject: [PATCH 03/13] First version of form_post --- public/assets/js/src/formpost.js | 1 + src/Factories/Grant/ImplicitGrantFactory.php | 1 - src/Server/AuthorizationServer.php | 8 +- src/Server/Exceptions/OidcServerException.php | 108 +++++++++--------- src/Server/Grants/AuthCodeGrant.php | 21 +++- src/Server/Grants/ImplicitGrant.php | 27 ++--- src/Server/Grants/PreAuthCodeGrant.php | 3 +- .../Interfaces/RequestRuleInterface.php | 6 +- .../RequestRules/RequestRulesManager.php | 9 +- .../RequestRules/Rules/AcrValuesRule.php | 4 +- .../Rules/AddClaimsToIdTokenRule.php | 3 +- .../Rules/AuthorizationDetailsRule.php | 3 +- .../Rules/ClientAuthenticationRule.php | 3 +- .../RequestRules/Rules/ClientIdRule.php | 3 +- .../Rules/ClientRedirectUriRule.php | 3 +- src/Server/RequestRules/Rules/ClientRule.php | 3 +- .../Rules/CodeChallengeMethodRule.php | 6 +- .../RequestRules/Rules/CodeChallengeRule.php | 8 +- .../RequestRules/Rules/CodeVerifierRule.php | 3 +- .../RequestRules/Rules/IdTokenHintRule.php | 3 +- .../RequestRules/Rules/IssuerStateRule.php | 3 +- src/Server/RequestRules/Rules/MaxAgeRule.php | 6 +- .../Rules/PostLogoutRedirectUriRule.php | 3 +- src/Server/RequestRules/Rules/PromptRule.php | 5 +- .../RequestRules/Rules/RequestObjectRule.php | 7 +- .../Rules/RequestedClaimsRule.php | 3 +- .../RequestRules/Rules/RequiredNonceRule.php | 5 +- .../Rules/RequiredOpenIdScopeRule.php | 5 +- .../RequestRules/Rules/ResponseModeRule.php | 3 +- .../RequestRules/Rules/ResponseTypeRule.php | 3 +- .../Rules/ScopeOfflineAccessRule.php | 5 +- src/Server/RequestRules/Rules/ScopeRule.php | 5 +- src/Server/RequestRules/Rules/StateRule.php | 3 +- .../RequestRules/Rules/UiLocalesRule.php | 3 +- .../RequestTypes/AuthorizationRequest.php | 13 +++ src/Services/OpMetadataService.php | 2 + templates/formpost.twig | 3 +- 37 files changed, 178 insertions(+), 125 deletions(-) create mode 100644 public/assets/js/src/formpost.js 
diff --git a/public/assets/js/src/formpost.js b/public/assets/js/src/formpost.js new file mode 100644 index 00000000..88950b52 --- /dev/null +++ b/public/assets/js/src/formpost.js @@ -0,0 +1 @@ +document.forms[0].submit(); \ No newline at end of file diff --git a/src/Factories/Grant/ImplicitGrantFactory.php b/src/Factories/Grant/ImplicitGrantFactory.php index a22791d8..47d5ec6b 100644 --- a/src/Factories/Grant/ImplicitGrantFactory.php +++ b/src/Factories/Grant/ImplicitGrantFactory.php @@ -43,7 +43,6 @@ public function build(): ImplicitGrant $this->accessTokenRepository, $this->requestRulesManager, $this->requestParamsResolver, - '#', $this->accessTokenEntityFactory, ); } diff --git a/src/Server/AuthorizationServer.php b/src/Server/AuthorizationServer.php index f62858ab..81c38065 100644 --- a/src/Server/AuthorizationServer.php +++ b/src/Server/AuthorizationServer.php @@ -26,6 +26,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestTypes\LogoutRequest; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -93,7 +94,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O $resultBag = $this->requestRulesManager->check( $request, $rulesToExecute, - false, + new QueryResponseMode(), [HttpMethodsEnum::GET, HttpMethodsEnum::POST], ); } catch (OidcServerException $exception) { 
@@ -116,6 +117,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var string $redirectUri */ $redirectUri = $resultBag->getOrFail(ClientRedirectUriRule::class)->getValue(); + $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); foreach ($this->enabledGrantTypes as $grantType) { $this->loggerService?->debug( @@ -159,7 +161,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O 'request.', ['requestQueryParams' => $request->getQueryParams()], ); - throw OidcServerException::unsupportedResponseType($redirectUri, $state); + throw OidcServerException::unsupportedResponseType($redirectUri, $state, $responseMode); } /** @@ -179,7 +181,7 @@ public function validateLogoutRequest(ServerRequestInterface $request): LogoutRe $resultBag = $this->requestRulesManager->check( $request, $rulesToExecute, - false, + new QueryResponseMode(), [HttpMethodsEnum::GET, HttpMethodsEnum::POST], ); } catch (OidcServerException $exception) { diff --git a/src/Server/Exceptions/OidcServerException.php b/src/Server/Exceptions/OidcServerException.php index 5a9be60d..f1be1922 100644 --- a/src/Server/Exceptions/OidcServerException.php +++ b/src/Server/Exceptions/OidcServerException.php @@ -6,6 +6,9 @@ use League\OAuth2\Server\Exception\OAuthServerException; use Psr\Http\Message\ResponseInterface; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Codebooks\ErrorsEnum; use Throwable; 
@@ -37,9 +40,9 @@ class OidcServerException extends OAuthServerException protected ?string $redirectUri; /** - * @var bool + * @var null|ResponseModeInterface */ - protected bool $useFragmentInHttpResponses = false; + protected ?ResponseModeInterface $responseMode = null; /** * Throw a new exception. @@ -62,12 +65,14 @@ public function __construct( ?string $redirectUri = null, ?Throwable $previous = null, ?string $state = null, + ?ResponseModeInterface $responseMode = new QueryResponseMode(), ) { parent::__construct($message, $code, $errorType, $httpStatusCode, $hint, $redirectUri, $previous); $this->httpStatusCode = $httpStatusCode; $this->errorType = $errorType; $this->redirectUri = $redirectUri; + $this->responseMode = $responseMode; if ($hint !== null) { $message .= ' (' . $hint . ')'; @@ -90,19 +95,19 @@ public function __construct( * * @param string|null $redirectUri * @param string|null $state - * @param bool $useFragment Use URI fragment to return error parameters + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * @return self */ public static function unsupportedResponseType( ?string $redirectUri = null, ?string $state = null, - bool $useFragment = false, + ?ResponseModeInterface $responseMode = null, ): OidcServerException { $errorMessage = 'The response type is not supported by the authorization server.'; $hint = 'Check that all required parameters have been provided'; $e = new self($errorMessage, 2, 'unsupported_response_type', 400, $hint, $redirectUri, null, $state); - $e->useFragmentInHttpResponses($useFragment); + $e->responseMode = $responseMode; return $e; } 
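Review bot: The constructor default `?ResponseModeInterface $responseMode = new QueryResponseMode()` means the property is never null for exceptions created with `new` and no explicit mode, so the `$this->responseMode === null` fallback to `$useFragment` in `generateHttpResponse()` is skipped for them. The static factories behave differently: they default `$responseMode` to null and pass it through, and `unsupportedResponseType()` overwrites the property after construction, so only those paths still honour `$useFragment`. Defaulting the constructor argument to null, `?ResponseModeInterface $responseMode = null,`, gives both paths the same rule. The `@param bool $useFragment` docblock line removed further down should stay for as long as `generateHttpResponse()` still reads that parameter.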
@@ -112,19 +117,25 @@ public static function unsupportedResponseType( * @param string $scope The bad scope * @param string|null $redirectUri An HTTP URI to redirect the user back to * @param string|null $state - * @param bool $useFragment Use URI fragment to return error parameters + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * @return static */ public static function invalidScope( $scope, $redirectUri = null, ?string $state = null, - bool $useFragment = false, + ?ResponseModeInterface $responseMode = null, ): OidcServerException { - // OAuthServerException correctly implements this error, however, it misses state parameter. - $e = parent::invalidScope($scope, $redirectUri); - $e->setState($state); - $e->useFragmentInHttpResponses($useFragment); + if (empty($scope)) { + $hint = 'Specify a scope in the request or set a default scope'; + } else { + $hint = sprintf( + 'Check the `%s` scope', + htmlspecialchars((string) $scope, ENT_QUOTES, 'UTF-8', false), + ); + } + + $e = new self('The requested scope is invalid, unknown, or malformed', 5, 'invalid_scope', 400, $hint, $redirectUri, null, $state, $responseMode); return $e; } @@ -137,7 +148,7 @@ public static function invalidScope( * @param \Throwable|null $previous * @param string|null $redirectUri * @param string|null $state - * @param bool $useFragment Use URI fragment to return error parameters + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * @return static */ public static function invalidRequest( 
@@ -146,13 +157,12 @@ public static function invalidRequest( ?Throwable $previous = null, ?string $redirectUri = null, ?string $state = null, - bool $useFragment = false, + ?ResponseModeInterface $responseMode = null, ): OidcServerException { - $e = parent::invalidRequest($parameter, $hint, $previous); - // OAuthServerException misses the ability to set redirectUri for invalid requests, as well as state. - $e->setRedirectUri($redirectUri); - $e->setState($state); - $e->useFragmentInHttpResponses($useFragment); + $errorMessage = 'The request is missing a required parameter, includes an invalid parameter value, ' . + 'includes a parameter more than once, or is otherwise malformed.'; + $hint = ($hint === null) ? \sprintf('Check the `%s` parameter', $parameter) : $hint; + $e = new self($errorMessage, 9, 'invalid_request', 400, $hint, $redirectUri, $previous, $state, $responseMode); return $e; } @@ -162,7 +172,7 @@ public static function invalidRequest( * @param string|null $redirectUri * @param \Throwable|null $previous * @param string|null $state - * @param bool $useFragment Use URI fragment to return error parameters + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * @return static */ public static function accessDenied( @@ -170,11 +180,18 @@ public static function accessDenied( $redirectUri = null, ?Throwable $previous = null, ?string $state = null, - bool $useFragment = false, + ?ResponseModeInterface $responseMode = null, ): OidcServerException { - $e = parent::accessDenied($hint, $redirectUri, $previous); - $e->setState($state); - $e->useFragmentInHttpResponses($useFragment); + $e = new self('The resource owner or authorization server denied the request.', + 9, + 'access_denied', + 401, + $hint, + $redirectUri, + $previous, + $state, + $responseMode, + ); return $e; } 
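Review bot: `invalidRequest()` now builds the exception with code `9`, the same code `accessDenied()` passes a few lines below, so the two errors can no longer be told apart by `getCode()`. The previous implementation delegated to the parent factory, so the code presumably changed with this rewrite; confirm the parent's value and reuse it here. Nothing in the hunk documents these numbers, so a one-line comment or class constants naming each code would prevent this kind of drift now that the factories no longer call the parent.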
@@ -186,7 +203,7 @@ public static function accessDenied( * @param string|null $redirectUri * @param \Throwable|null $previous * @param string|null $state - * @param bool $useFragment Use URI fragment to return error parameters + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * * @return self */ @@ -195,12 +212,11 @@ public static function loginRequired( ?string $redirectUri = null, ?Throwable $previous = null, ?string $state = null, - bool $useFragment = false, + ?ResponseModeInterface $responseMode = null, ): OidcServerException { $errorMessage = "End-User is not already authenticated."; - $e = new self($errorMessage, 6, 'login_required', 400, $hint, $redirectUri, $previous, $state); - $e->useFragmentInHttpResponses($useFragment); + $e = new self($errorMessage, 6, 'login_required', 400, $hint, $redirectUri, $previous, $state, $responseMode); return $e; } @@ -212,7 +228,7 @@ public static function loginRequired( * @param string|null $redirectUri * @param \Throwable|null $previous * @param string|null $state - * @param bool $useFragment Use URI fragment to return error parameters + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * * @return self */ @@ -221,12 +237,11 @@ public static function requestNotSupported( ?string $redirectUri = null, ?Throwable $previous = null, ?string $state = null, - bool $useFragment = false, + ?ResponseModeInterface $responseMode = null, ): OidcServerException { $errorMessage = "Request object not supported."; - $e = new self($errorMessage, 7, 'request_not_supported', 400, $hint, $redirectUri, $previous, $state); - $e->useFragmentInHttpResponses($useFragment); + $e = new self($errorMessage, 7, 'request_not_supported', 400, $hint, $redirectUri, $previous, $state, $responseMode); return $e; } 
@@ -250,7 +265,7 @@ public static function invalidTrustChain( ?string $redirectUri = null, ?Throwable $previous = null, ?string $state = null, - bool $useFragment = false, + ?ResponseModeInterface $responseMode = null, ): OidcServerException { $errorMessage = 'Trust chain validation failed.'; @@ -263,8 +278,8 @@ public static function invalidTrustChain( $redirectUri, $previous, $state, + $responseMode ); - $e->useFragmentInHttpResponses($useFragment); return $e; } @@ -361,8 +376,6 @@ public function setState(?string $state = null): void * Generate an HTTP response. * * @param \Psr\Http\Message\ResponseInterface $response - * @param bool $useFragment True if errors should be in the URI fragment instead of query string. Note - * that this can also be set using useFragmentInHttpResponses(). * @param int $jsonOptions options passed to json_encode * * @return \Psr\Http\Message\ResponseInterface @@ -377,16 +390,13 @@ public function generateHttpResponse( $payload = $this->getPayload(); - if ($this->redirectUri !== null) { - $paramSeparator = '?'; - - if ($this->useFragmentInHttpResponses || $useFragment) { - $paramSeparator = '#'; - } - - $this->redirectUri .= (!str_contains($this->redirectUri, $paramSeparator)) ? $paramSeparator : '&'; + if ($this->responseMode === null) { + // Fallback to useFragment if responseMode is not set + $this->responseMode = $useFragment ? new FragmentResponseMode() : new QueryResponseMode(); + } - return $response->withStatus(302)->withHeader('Location', $this->redirectUri . http_build_query($payload)); + if ($this->redirectUri !== null) { + return $this->responseMode->buildResponse($this->redirectUri, $payload)->generateHttpResponse($response); } foreach ($headers as $header => $content) { 
@@ -399,14 +409,4 @@ public function generateHttpResponse( return $response->withStatus($this->getHttpStatusCode()); } - - /** - * Use URI fragment to return parameters in HTTP redirection error responses - * - * @param bool $useFragment True if fragment should be used, false otherwise - */ - public function useFragmentInHttpResponses(bool $useFragment): void - { - $this->useFragmentInHttpResponses = $useFragment; - } } diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php index a6410466..e2544f49 100644 --- a/src/Server/Grants/AuthCodeGrant.php +++ b/src/Server/Grants/AuthCodeGrant.php @@ -17,6 +17,7 @@ use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface as OAuth2AuthCodeRepositoryInterface; use League\OAuth2\Server\RequestEvent; use League\OAuth2\Server\RequestTypes\AuthorizationRequest as OAuth2AuthorizationRequest; +use League\OAuth2\Server\ResponseTypes\AbstractResponseType; use League\OAuth2\Server\ResponseTypes\RedirectResponse; use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface; use LogicException; @@ -59,6 +60,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestedClaimsRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule; +use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; @@ -256,7 +258,7 @@ public function completeAuthorizationRequest( */ public function completeOidcAuthorizationRequest( AuthorizationRequest $authorizationRequest, - ): RedirectResponse { + ): AbstractResponseType { $user = $authorizationRequest->getUser(); if ($user instanceof UserEntity === false) { throw new LogicException('An instance of UserEntity should be set on the ' . 
@@ -273,6 +275,7 @@ public function completeOidcAuthorizationRequest( $finalRedirectUri, null, $authorizationRequest->getState(), + $authorizationRequest->getResponseMode(), ); } @@ -305,7 +308,7 @@ public function completeOidcAuthorizationRequest( $jsonPayload = json_encode($payload, JSON_THROW_ON_ERROR); - $responseMode = new QueryResponseMode(); + $responseMode = $authorizationRequest->getResponseMode() ?? new QueryResponseMode(); $response = $responseMode->buildResponse( $finalRedirectUri, [ @@ -502,7 +505,7 @@ public function respondToAccessTokenRequest( $resultBag = $this->requestRulesManager->check( $request, $rulesToExecute, - false, + new QueryResponseMode(), // TODO: Response mode is not relevant for token request, as there is no redirection, but we need to provide something to execute rules. $this->allowedTokenHttpMethods, ); @@ -769,6 +772,7 @@ public function validateAuthorizationRequestWithRequestRules( $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ $client = $resultBag->getOrFail(ClientRule::class)->getValue(); + $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); $this->loggerService->debug('AuthCodeGrant: Resolved data:', [ 'redirectUri' => $redirectUri, @@ -783,9 +787,9 @@ public function validateAuthorizationRequestWithRequestRules( $resultBag = $this->requestRulesManager->check( $request, $rulesToExecute, - false, + $responseMode, $this->allowedAuthorizationHttpMethods, - ); + ); $this->loggerService->debug('AuthCodeGrant: executed rules.', ['rulesToExecute' => $rulesToExecute]); 
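Review bot: The placeholder `new QueryResponseMode(), // TODO: ...` in `respondToAccessTokenRequest()` passes exactly the value that `RequestRulesManager::check()` already declares as its default in this commit, and the trailing comment makes the line far longer than the rest of the file. A named argument removes both the placeholder and the TODO: `$resultBag = $this->requestRulesManager->check($request, $rulesToExecute, allowedServerRequestMethods: $this->allowedTokenHttpMethods);`. PreAuthCodeGrant's `respondToAccessTokenRequest()` has the same line. The method body continues outside the hunk.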
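Review bot: `$responseMode` is read from the result bag in `validateAuthorizationRequestWithRequestRules()` without the `@var` annotation that the neighbouring `$client` line has, and it is then handed to `check()`, which is typed to take a `ResponseModeInterface`. I would add `/** @var \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface $responseMode */` above the assignment, or an `instanceof` guard if `getValue()` can return anything else (its return type is not visible here). The same unannotated lookup is repeated in the `@@ -901,6 +905,13 @@` hunk and twice in ImplicitGrant. The function body continues outside the hunk.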
@@ -901,6 +905,13 @@ public function validateAuthorizationRequestWithRequestRules( ); $authorizationRequest->setAuthorizationDetails($authorizationDetails); + $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); + $this->loggerService->debug( + 'AuthCodeGrant: Response mode: ', + ['responseMode' => $responseMode], + ); + $authorizationRequest->setResponseMode($responseMode); + // TODO This is a band-aid fix for having credential claims in the userinfo endpoint when // only VCI authorizationDetails are supplied. This requires configuring a matching OIDC scope // that has all the credential type claims as well. diff --git a/src/Server/Grants/ImplicitGrant.php b/src/Server/Grants/ImplicitGrant.php index a73e58b1..79f80128 100644 --- a/src/Server/Grants/ImplicitGrant.php +++ b/src/Server/Grants/ImplicitGrant.php @@ -32,16 +32,16 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule; +use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Server\RequestTypes\AuthorizationRequest; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; use SimpleSAML\Module\oidc\Services\IdTokenBuilder; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; -use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; - /** * @psalm-suppress PropertyNotSetInConstructor */ 
@@ -64,10 +64,9 @@ public function __construct( AccessTokenRepositoryInterface $accessTokenRepository, protected RequestRulesManager $requestRulesManager, protected RequestParamsResolver $requestParamsResolver, - protected string $queryDelimiter, AccessTokenEntityFactory $accessTokenEntityFactory, ) { - parent::__construct($accessTokenTTL, $queryDelimiter); + parent::__construct($accessTokenTTL); $this->accessTokenRepository = $accessTokenRepository; $this->accessTokenEntityFactory = $accessTokenEntityFactory; @@ -145,6 +144,7 @@ public function validateAuthorizationRequestWithRequestRules( $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ $client = $resultBag->getOrFail(ClientRule::class)->getValue(); + $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); // Some rules need certain things available in order to work properly... $this->requestRulesManager->setData('default_scope', $this->defaultScope); @@ -153,7 +153,7 @@ public function validateAuthorizationRequestWithRequestRules( $resultBag = $this->requestRulesManager->check( $request, $rulesToExecute, - $this->shouldUseFragment(), + $responseMode, $this->allowedAuthorizationHttpMethods, ); @@ -197,6 +197,9 @@ public function validateAuthorizationRequestWithRequestRules( $acrValues = $resultBag->getOrFail(AcrValuesRule::class)->getValue(); $authorizationRequest->setRequestedAcrValues($acrValues); + $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); + $authorizationRequest->setResponseMode($responseMode); + return $authorizationRequest; } @@ -222,7 +225,7 @@ private function completeOidcAuthorizationRequest(AuthorizationRequest $authoriz $redirectUrl, null, $authorizationRequest->getState(), - $this->shouldUseFragment(), + $authorizationRequest->getResponseMode(), ); } 
@@ -276,7 +279,7 @@ private function completeOidcAuthorizationRequest(AuthorizationRequest $authoriz $responseParams['id_token'] = $idToken->getToken(); - $responseMode = new FragmentResponseMode(); + $responseMode = $authorizationRequest->getResponseMode() ?? new FragmentResponseMode(); $response = $responseMode->buildResponse( $redirectUrl, $responseParams, @@ -299,14 +302,4 @@ private function getRedirectUrl(AuthorizationRequest $authorizationRequest): str return $redirectUris; } - - /** - * Check if fragment should be used for params transportation in HTTP responses - * - * @return bool - */ - protected function shouldUseFragment(): bool - { - return $this->queryDelimiter === '#'; - } } diff --git a/src/Server/Grants/PreAuthCodeGrant.php b/src/Server/Grants/PreAuthCodeGrant.php index 5c7e0a24..9bb45d13 100644 --- a/src/Server/Grants/PreAuthCodeGrant.php +++ b/src/Server/Grants/PreAuthCodeGrant.php @@ -22,6 +22,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AuthorizationDetailsRule; use SimpleSAML\Module\oidc\Server\RequestTypes\AuthorizationRequest; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\OpenID\Codebooks\GrantTypesEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -174,7 +175,7 @@ public function respondToAccessTokenRequest( $resultBag = $this->requestRulesManager->check( $request, [AuthorizationDetailsRule::class], - false, + new QueryResponseMode(), // TODO: Response mode is not relevant for token request, as there is no redirection, but we need to provide something to execute rules. $this->allowedTokenHttpMethods, ); diff --git a/src/Server/RequestRules/Interfaces/RequestRuleInterface.php b/src/Server/RequestRules/Interfaces/RequestRuleInterface.php index 6f719a31..136818f3 100644 --- a/src/Server/RequestRules/Interfaces/RequestRuleInterface.php +++ b/src/Server/RequestRules/Interfaces/RequestRuleInterface.php 
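Review bot: The implicit-flow success response can now be query-encoded if the request asks for it, because `$authorizationRequest->getResponseMode() ?? new FragmentResponseMode()` takes the encoding of the redirect that carries `id_token` from the request instead of fixing it to the fragment. If `ResponseModeRule` can resolve `response_mode=query` for this grant (its body is not visible here), the tokens land in the query string and from there in server logs, browser history and Referer headers. As far as I recall, the OAuth 2.0 Multiple Response Type Encoding Practices rule out query encoding for these response types. I would reject that combination in the rule, or at least guard here with `if ($responseMode instanceof QueryResponseMode) { $responseMode = new FragmentResponseMode(); }`, which needs the `QueryResponseMode` import. `completeOidcAuthorizationRequest()` starts and ends outside the hunk.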
@@ -5,6 +5,7 @@ namespace SimpleSAML\Module\oidc\Server\RequestRules\Interfaces; use Psr\Http\Message\ServerRequestInterface; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -21,8 +22,7 @@ public function getKey(): string; * @param \SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface $currentResultBag * ResultBag with all results of the checks performed to current check * @param array $data Data which will be available during check. - * @param bool $useFragmentInHttpErrorResponses Indicate that in case of HTTP error responses, params should be - * returned in URI fragment instead of query. + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode Response mode to use for error responses * @param HttpMethodsEnum[] $allowedServerRequestMethods Indicate allowed HTTP methods used for request * @return \SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface|null Result of the specific check * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException If check fails @@ -32,7 +32,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface; } diff --git a/src/Server/RequestRules/RequestRulesManager.php b/src/Server/RequestRules/RequestRulesManager.php index c08c1a67..baef127b 100644 --- a/src/Server/RequestRules/RequestRulesManager.php +++ b/src/Server/RequestRules/RequestRulesManager.php 
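Review bot: In `RequestRuleInterface::checkRule()` the new `ResponseModeInterface $responseMode` is a required parameter placed after `array $data = []`, which PHP 8 reports as deprecated and which makes the `= []` default unusable. The docblock line added in the same file also documents the type as `ResponseModeInterface|null`, which the signature does not accept. Either match the docblock with `?ResponseModeInterface $responseMode = null,` or drop the default from `$data`. Whichever is chosen has to be repeated in every rule's `checkRule()` changed by this commit (AcrValuesRule onwards in the following hunks).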
@@ -9,6 +9,8 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\RequestRuleInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -45,15 +47,14 @@ public function add(RequestRuleInterface $rule): void /** * @param class-string[] $ruleKeysToExecute - * @param bool $useFragmentInHttpErrorResponses Indicate that in case of HTTP error responses, params should be - * returned in URI fragment instead of query. + * @param ResponseModeInterface $responseMode Response mode which will be used in rules execution, as some rules might need to adjust their behaviour based on response mode used in request. * @param HttpMethodsEnum[] $allowedServerRequestMethods Indicate allowed HTTP methods used for request * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException */ public function check( ServerRequestInterface $request, array $ruleKeysToExecute, - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ResultBagInterface { foreach ($ruleKeysToExecute as $ruleKey) { @@ -66,7 +67,7 @@ public function check( $this->resultBag, $this->loggerService, $this->data, - $useFragmentInHttpErrorResponses, + $responseMode, $allowedServerRequestMethods, ); diff --git a/src/Server/RequestRules/Rules/AcrValuesRule.php b/src/Server/RequestRules/Rules/AcrValuesRule.php index 7d02cf1f..727f3bff 100644 --- a/src/Server/RequestRules/Rules/AcrValuesRule.php +++ b/src/Server/RequestRules/Rules/AcrValuesRule.php 
@@ -4,10 +4,12 @@ namespace SimpleSAML\Module\oidc\Server\RequestRules\Rules; +use GuzzleHttp\Psr7\Query; use Psr\Http\Message\ServerRequestInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -22,7 +24,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('AcrValuesRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php index a6aae64f..a11340bd 100644 --- a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php +++ b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php @@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -22,7 +23,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string $responseType */ 
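Review bot: The added `use GuzzleHttp\Psr7\Query;` in AcrValuesRule is not referenced by anything this commit changes in that file; the only other change there is the `checkRule()` signature. If it is unused it should be dropped, since it reads as a direct dependency on guzzlehttp/psr7 that the rule does not need. The `FragmentResponseMode` imports added to CodeChallengeMethodRule, CodeChallengeRule and MaxAgeRule look unused in the same way, as their hunks only pass `$responseMode` through.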
diff --git a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php index 4b4ff89f..865d7469 100644 --- a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php +++ b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php @@ -11,6 +11,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -34,7 +35,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('AuthorizationDetailsRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php index 7a062bd6..eb25882f 100644 --- a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php +++ b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php @@ -10,6 +10,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; 
@@ -34,7 +35,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { diff --git a/src/Server/RequestRules/Rules/ClientIdRule.php b/src/Server/RequestRules/Rules/ClientIdRule.php index b329c179..4705ccff 100644 --- a/src/Server/RequestRules/Rules/ClientIdRule.php +++ b/src/Server/RequestRules/Rules/ClientIdRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -38,7 +39,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ClientIdRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php index 3c00c763..4fc44d71 100644 --- a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php 
@@ -13,6 +13,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -37,7 +38,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RedirectUriRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/ClientRule.php b/src/Server/RequestRules/Rules/ClientRule.php index ac6a1160..717b03ea 100644 --- a/src/Server/RequestRules/Rules/ClientRule.php +++ b/src/Server/RequestRules/Rules/ClientRule.php @@ -17,6 +17,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\FederationCache; use SimpleSAML\Module\oidc\Utils\FederationParticipationValidator; @@ -71,7 +72,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ClientRule::checkRule.'); 
diff --git a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php index 33d5f70a..2fbe17fb 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php +++ b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php @@ -11,6 +11,8 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -35,7 +37,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('CodeChallengeMethodRule::checkRule'); @@ -62,7 +64,7 @@ public function checkRule( null, $redirectUri, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } diff --git a/src/Server/RequestRules/Rules/CodeChallengeRule.php b/src/Server/RequestRules/Rules/CodeChallengeRule.php index feb37160..d51668d9 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeRule.php +++ b/src/Server/RequestRules/Rules/CodeChallengeRule.php 
@@ -9,6 +9,8 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -24,7 +26,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('CodeChallengeRule::checkRule'); @@ -50,7 +52,7 @@ public function checkRule( null, $redirectUri, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } @@ -66,7 +68,7 @@ public function checkRule( null, $redirectUri, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } diff --git a/src/Server/RequestRules/Rules/CodeVerifierRule.php b/src/Server/RequestRules/Rules/CodeVerifierRule.php index 8b3767eb..d8260811 100644 --- a/src/Server/RequestRules/Rules/CodeVerifierRule.php +++ b/src/Server/RequestRules/Rules/CodeVerifierRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; 
@@ -23,7 +24,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ diff --git a/src/Server/RequestRules/Rules/IdTokenHintRule.php b/src/Server/RequestRules/Rules/IdTokenHintRule.php index 8feccbf2..627b8601 100644 --- a/src/Server/RequestRules/Rules/IdTokenHintRule.php +++ b/src/Server/RequestRules/Rules/IdTokenHintRule.php @@ -11,6 +11,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -39,7 +40,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string|null $state */ diff --git a/src/Server/RequestRules/Rules/IssuerStateRule.php b/src/Server/RequestRules/Rules/IssuerStateRule.php index 7ba9bf2d..f1793d27 100644 --- a/src/Server/RequestRules/Rules/IssuerStateRule.php +++ b/src/Server/RequestRules/Rules/IssuerStateRule.php 
@@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -22,7 +23,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $issuerState = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods( diff --git a/src/Server/RequestRules/Rules/MaxAgeRule.php b/src/Server/RequestRules/Rules/MaxAgeRule.php index e5731a7f..a67e64e6 100644 --- a/src/Server/RequestRules/Rules/MaxAgeRule.php +++ b/src/Server/RequestRules/Rules/MaxAgeRule.php @@ -12,6 +12,8 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\AuthenticationService; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -43,7 +45,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('MaxAgeRule::checkRule'); 
@@ -80,7 +82,7 @@ public function checkRule( null, $redirectUri, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } diff --git a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php index 258d8186..1a174a0c 100644 --- a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php @@ -11,6 +11,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -35,7 +36,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string|null $state */ diff --git a/src/Server/RequestRules/Rules/PromptRule.php b/src/Server/RequestRules/Rules/PromptRule.php index 8a994f45..8d43ad4e 100644 --- a/src/Server/RequestRules/Rules/PromptRule.php +++ b/src/Server/RequestRules/Rules/PromptRule.php @@ -12,6 +12,7 @@ use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\AuthenticationService; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; 
@@ -44,7 +45,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('PromptRule::checkRule'); @@ -78,7 +79,7 @@ public function checkRule( $redirectUri, null, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } diff --git a/src/Server/RequestRules/Rules/RequestObjectRule.php b/src/Server/RequestRules/Rules/RequestObjectRule.php index 81c05812..08568f8e 100644 --- a/src/Server/RequestRules/Rules/RequestObjectRule.php +++ b/src/Server/RequestRules/Rules/RequestObjectRule.php @@ -10,6 +10,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\JwksResolver; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -35,7 +36,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequestObjectRule::checkRule'); @@ -80,7 +81,7 @@ public function checkRule( $redirectUri, null, $stateValue, - $useFragmentInHttpErrorResponses, + $responseMode, ); try { @@ -91,7 +92,7 @@ public function checkRule( $redirectUri, null, $stateValue, - $useFragmentInHttpErrorResponses, + $responseMode, ); } diff --git a/src/Server/RequestRules/Rules/RequestedClaimsRule.php b/src/Server/RequestRules/Rules/RequestedClaimsRule.php index 3a7d60b3..02d95cb0 100644 
--- a/src/Server/RequestRules/Rules/RequestedClaimsRule.php +++ b/src/Server/RequestRules/Rules/RequestedClaimsRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -34,7 +35,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequestedClaimsRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/RequiredNonceRule.php b/src/Server/RequestRules/Rules/RequiredNonceRule.php index 16034d17..8c5007c8 100644 --- a/src/Server/RequestRules/Rules/RequiredNonceRule.php +++ b/src/Server/RequestRules/Rules/RequiredNonceRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -24,7 +25,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string $redirectUri */ 
@@ -45,7 +46,7 @@ public function checkRule( null, $redirectUri, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } diff --git a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php index 5fa0dc86..fb78b978 100644 --- a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php +++ b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -23,7 +24,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequiredOpenIdScopeRule::checkRule.'); @@ -53,7 +54,7 @@ public function checkRule( null, $redirectUri, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } } catch (\Throwable $e) { diff --git a/src/Server/RequestRules/Rules/ResponseModeRule.php b/src/Server/RequestRules/Rules/ResponseModeRule.php index 5c7db62e..92f1cdbf 100644 --- a/src/Server/RequestRules/Rules/ResponseModeRule.php +++ b/src/Server/RequestRules/Rules/ResponseModeRule.php 
@@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode; @@ -39,7 +40,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $requestParams = $this->requestParamsResolver->getAllBasedOnAllowedMethods( diff --git a/src/Server/RequestRules/Rules/ResponseTypeRule.php b/src/Server/RequestRules/Rules/ResponseTypeRule.php index 30acb5ad..7233193a 100644 --- a/src/Server/RequestRules/Rules/ResponseTypeRule.php +++ b/src/Server/RequestRules/Rules/ResponseTypeRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -23,7 +24,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $requestParams = $this->requestParamsResolver->getAllBasedOnAllowedMethods( 
diff --git a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php index ee4188b2..6ac69302 100644 --- a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php +++ b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -23,7 +24,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ScopeOfflineAccessRule::checkRule'); @@ -50,7 +51,7 @@ public function checkRule( null, $redirectUri, $state, - $useFragmentInHttpErrorResponses, + $responseMode, ); } diff --git a/src/Server/RequestRules/Rules/ScopeRule.php b/src/Server/RequestRules/Rules/ScopeRule.php index bc6b753c..5d7a70c2 100644 --- a/src/Server/RequestRules/Rules/ScopeRule.php +++ b/src/Server/RequestRules/Rules/ScopeRule.php @@ -12,6 +12,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; 
@@ -36,7 +37,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ScopeRule::checkRule.'); @@ -69,7 +70,7 @@ public function checkRule( if ($scope instanceof ScopeEntityInterface === false) { $loggerService->error('ScopeRule: Invalid scope: ' . $scopeItem); - throw OidcServerException::invalidScope($scopeItem, $redirectUri, $state); + throw OidcServerException::invalidScope($scopeItem, $redirectUri, $state, $responseMode); } $loggerService->debug('ScopeRule: Valid scope: ' . $scopeItem); $validScopes[] = $scope; diff --git a/src/Server/RequestRules/Rules/StateRule.php b/src/Server/RequestRules/Rules/StateRule.php index d60d31d7..39371f0a 100644 --- a/src/Server/RequestRules/Rules/StateRule.php +++ b/src/Server/RequestRules/Rules/StateRule.php @@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -22,7 +23,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('StateRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/UiLocalesRule.php b/src/Server/RequestRules/Rules/UiLocalesRule.php index 3bbbd3c3..b36d2c10 100644 --- a/src/Server/RequestRules/Rules/UiLocalesRule.php 
+++ b/src/Server/RequestRules/Rules/UiLocalesRule.php @@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; use SimpleSAML\OpenID\Codebooks\ParamsEnum; @@ -22,7 +23,7 @@ public function checkRule( ResultBagInterface $currentResultBag, LoggerService $loggerService, array $data = [], - bool $useFragmentInHttpErrorResponses = false, + ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { return new Result($this->getKey(), $this->requestParamsResolver->getBasedOnAllowedMethods( diff --git a/src/Server/RequestTypes/AuthorizationRequest.php b/src/Server/RequestTypes/AuthorizationRequest.php index 1278e9f9..3b0450cd 100644 --- a/src/Server/RequestTypes/AuthorizationRequest.php +++ b/src/Server/RequestTypes/AuthorizationRequest.php @@ -6,6 +6,7 @@ use League\OAuth2\Server\RequestTypes\AuthorizationRequest as OAuth2AuthorizationRequest; use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; class AuthorizationRequest extends OAuth2AuthorizationRequest { @@ -70,6 +71,8 @@ class AuthorizationRequest extends OAuth2AuthorizationRequest */ protected ?string $issuerState = null; + private ?ResponseModeInterface $responseMode = null; + public static function fromOAuth2AuthorizationRequest( OAuth2AuthorizationRequest $oAuth2authorizationRequest, ): AuthorizationRequest { 
@@ -162,6 +165,16 @@ public function getResponseType(): ?string return $this->responseType; } + public function setResponseMode(ResponseModeInterface $responseMode): void + { + $this->responseMode = $responseMode; + } + + public function getResponseMode(): ?ResponseModeInterface + { + return $this->responseMode; + } + /** * Check if access token should be issued in authorization response (implicit flow, hybrid flow...). * @return bool diff --git a/src/Services/OpMetadataService.php b/src/Services/OpMetadataService.php index 91537d7f..5b3eaa48 100644 --- a/src/Services/OpMetadataService.php +++ b/src/Services/OpMetadataService.php @@ -100,6 +100,8 @@ private function initMetadata(): void $this->metadata[ClaimsEnum::ClaimsSupported->value] = $claimsSupported; } + $this->metadata[ClaimsEnum::ResponseModesSupported->value] = ['query', 'fragment', 'form_post']; + // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-oauth-20-authorization-serv // OPTIONAL // pre-authorized_grant_anonymous_access_supported // TODO mivanci Make configurable diff --git a/templates/formpost.twig b/templates/formpost.twig index 295b1d58..95e9604f 100644 --- a/templates/formpost.twig +++ b/templates/formpost.twig @@ -4,7 +4,7 @@ Submitting... - +
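Review bot: In the OpMetadataService hunk, the advertised response modes are a hard-coded literal `['query', 'fragment', 'form_post']`, and the same three strings are repeated in `ClientForm::getAllowedResponseModesValues()` later in this series. If one list changes without the other, discovery metadata can drift from what clients may be configured with. A single shared constant or enum would avoid that; the minimum is a comment such as `// Keep in sync with ClientForm::getAllowedResponseModesValues() and ResponseModeRule.` `initMetadata()` starts and ends outside the hunk.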
{% for name, value in params %} @@ -14,4 +14,5 @@
+ \ No newline at end of file From fe659be37dd41f429b2af139e2cf578e361c167c Mon Sep 17 00:00:00 2001 From: Harm Date: Wed, 6 May 2026 08:39:42 +0200 Subject: [PATCH 04/13] Added allowed response modes configuration option for clients --- src/Controllers/Admin/ClientController.php | 4 ++ src/Entities/ClientEntity.php | 15 +++++++ .../Interfaces/ClientEntityInterface.php | 1 + src/Forms/ClientForm.php | 45 +++++++++++++++++++ .../RequestRules/Rules/ResponseModeRule.php | 16 ++++++- templates/clients/includes/form.twig | 9 ++++ templates/clients/show.twig | 12 +++++ 7 files changed, 100 insertions(+), 2 deletions(-) diff --git a/src/Controllers/Admin/ClientController.php b/src/Controllers/Admin/ClientController.php index 7f7ff7ef..db1db0f4 100644 --- a/src/Controllers/Admin/ClientController.php +++ b/src/Controllers/Admin/ClientController.php @@ -239,6 +239,7 @@ public function edit(Request $request): Response $clientData = $originalClient->toArray(); $clientData['allowed_origin'] = $clientAllowedOrigins; + $clientData['response_modes_allowed'] = $originalClient->getAllowedResponseModes(); // Handle extra metadata @@ -358,6 +359,9 @@ protected function buildClientEntityFromFormData( ClaimsEnum::IdTokenSignedResponseAlg->value => $idTokenSignedResponseAlg, ]; + $allowedResponseModes = is_array($data['response_modes_allowed']) ? $data['response_modes_allowed'] : []; + $extraMetadata['allowed_response_modes'] = $allowedResponseModes; + return $this->clientEntityFactory->fromData( $identifier, $secret, diff --git a/src/Entities/ClientEntity.php b/src/Entities/ClientEntity.php index a0ffb92b..9bcab000 100644 --- a/src/Entities/ClientEntity.php +++ b/src/Entities/ClientEntity.php 
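Review bot: `buildClientEntityFromFormData()` reads `$data['response_modes_allowed']` without checking that the key exists, so input lacking the field raises an undefined-array-key warning before `is_array()` runs; `is_array($data['response_modes_allowed'] ?? null)` avoids that. The same pattern is in the `getValues()` and `setDefaults()` hunks of ClientForm.php. The form field is named `response_modes_allowed` while the stored metadata key is `allowed_response_modes`, so a comment at the assignment such as `// Form field response_modes_allowed is persisted as extra metadata allowed_response_modes.` would help the next reader. Both method bodies continue outside their hunks.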
@@ -388,4 +388,19 @@ public function getIdTokenSignedResponseAlg(): ?string return $idTokenSignedResponseAlg; } + + public function getAllowedResponseModes(): array + { + if (!is_array($this->extraMetadata)) { + return []; + } + + $allowedResponseModes = $this->extraMetadata['allowed_response_modes'] ?? null; + + if (!is_array($allowedResponseModes)) { + return []; + } + + return $allowedResponseModes; + } } diff --git a/src/Entities/Interfaces/ClientEntityInterface.php b/src/Entities/Interfaces/ClientEntityInterface.php index dea9ff66..47bc6f15 100644 --- a/src/Entities/Interfaces/ClientEntityInterface.php +++ b/src/Entities/Interfaces/ClientEntityInterface.php @@ -82,4 +82,5 @@ public function isGeneric(): bool; public function getExtraMetadata(): array; public function getIdTokenSignedResponseAlg(): ?string; + public function getAllowedResponseModes(): array; } diff --git a/src/Forms/ClientForm.php b/src/Forms/ClientForm.php index 694a206e..183c57aa 100644 --- a/src/Forms/ClientForm.php +++ b/src/Forms/ClientForm.php @@ -284,6 +284,9 @@ public function getValues(string|object|bool|null $returnType = null, ?array $co $values[ClaimsEnum::IdTokenSignedResponseAlg->value] = empty($idTokenSignedResponseAlg) ? null : $idTokenSignedResponseAlg; + $responseModesAllowed = is_array($values['response_modes_allowed']) ? $values['response_modes_allowed'] : []; + $values['response_modes_allowed'] = array_intersect($responseModesAllowed, array_keys($this->getAllowedResponseModesValues())); + return $values; } @@ -336,6 +339,8 @@ public function setDefaults(object|array $data, bool $erase = false): static $data['auth_source'] = null; } + $data['response_modes_allowed'] = is_array($data['response_modes_allowed']) ? $data['response_modes_allowed'] : []; + parent::setDefaults($data, $erase); return $this; 
@@ -354,6 +359,7 @@ protected function buildForm(): void $this->onValidate[] = $this->validateBackChannelLogoutUri(...); $this->onValidate[] = $this->validateEntityIdentifier(...); $this->onValidate[] = $this->validateClientRegistrationTypes(...); + $this->onValidate[] = $this->validateResponseModes(...); $this->onValidate[] = $this->validateFederationJwks(...); $this->onValidate[] = $this->validateProtocolJwks(...); $this->onValidate[] = $this->validateJwksUri(...); @@ -423,6 +429,45 @@ protected function buildForm(): void ->setHtmlAttribute('class', 'full-width') ->setItems(['RS256'], false) ->setPrompt(Translate::noop('-')); + + $this->addMultiSelect( + 'response_modes_allowed', + Translate::noop('Allowed Response Modes'), + $this->getAllowedResponseModesValues(), + 3, + )->setHtmlAttribute('class', 'full-width') + ->setRequired(Translate::noop('At least one response mode is required.')); + } + + /** + * Validate provided response modes + * + * @throws \Exception + */ + public function validateResponseModes(Form $form): void + { + $values = $form->getValues(self::TYPE_ARRAY); + $responseModes = $values['response_modes_allowed'] ?? null; + if ($responseModes !== null && is_array($responseModes)) { + $allowed = array_keys($this->getAllowedResponseModesValues()); + foreach ($responseModes as $mode) { + if (!in_array($mode, $allowed, true)) { + $this->addError("Invalid value: $mode"); + } + } + } + } + + /** + * @return string[] map of value => label + */ + protected function getAllowedResponseModesValues(): array + { + return [ + 'query' => 'query', + 'fragment' => 'fragment', + 'form_post' => 'form_post', + ]; } /** diff --git a/src/Server/RequestRules/Rules/ResponseModeRule.php b/src/Server/RequestRules/Rules/ResponseModeRule.php index 92f1cdbf..0e41c550 100644 --- a/src/Server/RequestRules/Rules/ResponseModeRule.php +++ b/src/Server/RequestRules/Rules/ResponseModeRule.php 
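Review bot: `validateResponseModes()` reads its input through `$form->getValues(self::TYPE_ARRAY)`, and the `getValues()` hunk in this same file already passes `response_modes_allowed` through `array_intersect()` with the same list. If `$form` is this ClientForm, the "Invalid value" branch looks unreachable, and unknown modes are dropped silently rather than reported. Pick one behaviour: validate the raw submitted values, or remove the validator and keep the filter. If the validator stays, guard the interpolation with `is_string($mode)`, since a nested array value would otherwise be string-converted into the error text. `buildForm()` starts outside the hunk.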
@@ -4,6 +4,7 @@ namespace SimpleSAML\Module\oidc\Server\RequestRules\Rules; +use LogicException; use Psr\Http\Message\ServerRequestInterface; use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; @@ -56,7 +57,7 @@ public function checkRule( } $reponseModeValue = $requestParams[ParamsEnum::ResponseMode->value] ?? null; - $loggerService->debug('ResponseModeRule: resolved response_mode value: ' . ($reponseModeValue ?? 'null')); + $loggerService->debug('ResponseModeRule: response_mode requestParams value: ' . ($reponseModeValue ?? 'null')); // if response_mode is not set, we set the default @@ -82,7 +83,18 @@ public function checkRule( throw OidcServerException::invalidRequest('Invalid response_mode'); } - // TODO: validate whether response_mode is allowed by configuration + // Validate whether response_mode is allowed by client configuration + $client = $currentResultBag->getOrFail(ClientRule::class)->getValue(); + $redirectUri = $currentResultBag->getOrFail(ClientRedirectUriRule::class)->getValue(); + $state = $currentResultBag->getOrFail(StateRule::class)->getValue(); + + $allowedResponseModes = $client->getAllowedResponseModes(); + if (!in_array($reponseModeValue, $allowedResponseModes, true)) { + throw OidcServerException::invalidRequest( + 'response_mode', + 'response_mode "' . $reponseModeValue . '" is not allowed for this client' + ); + } // Resolve ResponseModeStrategy switch ($reponseModeValue) { diff --git a/templates/clients/includes/form.twig b/templates/clients/includes/form.twig index 51b1a869..1926a7b0 100644 --- a/templates/clients/includes/form.twig +++ b/templates/clients/includes/form.twig 
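Review bot: The new allow-list check compares against `$client->getAllowedResponseModes()`, which returns `[]` for any client without stored `allowed_response_modes`, so every authorization request from a client that predates this change is rejected, including one that relies on the default mode. That fails closed, which is the safe direction, but it needs a migration that backfills the metadata or an explicitly documented default; treating an empty list as allow-all would defeat the restriction. `$redirectUri` and `$state` are fetched from the result bag but never used, while other rules in this series pass them with `$responseMode` to the exception, so this error presumably cannot be returned to the client's redirect URI as written. `use LogicException;` is added, but no use of it is visible in these hunks. `checkRule()` starts and ends outside the hunk.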
@@ -150,6 +150,15 @@ {{ form.id_token_signed_response_alg.getError }} {% endif %} + + {{ form.response_modes_allowed.control | raw }} + + {% trans %}Allowed response modes for this Client, a selection of 'query', 'fragment' and 'form_post'. Set to 'form_post' only to protect against browser-swapping attacks.{% endtrans %} + + {% if form.response_modes_allowed.hasErrors %} + {{ form.response_modes_allowed.getError }} + {% endif %} +

{{ 'OpenID Federation Related Properties'|trans }}

diff --git a/templates/clients/show.twig b/templates/clients/show.twig index 307de574..47d549c9 100644 --- a/templates/clients/show.twig +++ b/templates/clients/show.twig @@ -213,6 +213,18 @@ {{ client.idTokenSignedResponseAlg|default('N/A'|trans) }} + + + {{ 'Allowed response modes'|trans }} + + +
    + {% for key, response_mode in client.allowedresponsemodes %} +
  • {{ response_mode }}
  • + {% endfor %} +
+ + {{ 'Owner'|trans }} From c73c92cdb959e926cc49a14abb1402a4447c30ab Mon Sep 17 00:00:00 2001 From: Harm Date: Wed, 6 May 2026 08:39:45 +0200 Subject: [PATCH 05/13] Fix failing tests due to changed function signatures --- .../unit/src/Server/Grants/ImplicitGrantTest.php | 5 ----- .../RequestRules/Rules/AcrValuesRuleTest.php | 9 +++++++++ .../Rules/AddClaimsToIdTokenRuleTest.php | 9 ++++++--- .../Server/RequestRules/Rules/ClientRuleTest.php | 9 +++++++++ .../Rules/CodeChallengeMethodRuleTest.php | 11 +++++++---- .../RequestRules/Rules/CodeChallengeRuleTest.php | 13 ++++++++----- .../RequestRules/Rules/IdTokenHintRuleTest.php | 13 +++++++++---- .../Rules/PostLogoutRedirectUriRuleTest.php | 15 +++++++++------ .../RequestRules/Rules/RedirectUriRuleTest.php | 15 +++++++++------ .../RequestRules/Rules/RequestObjectRuleTest.php | 13 ++++++++----- .../Rules/RequestedClaimsRuleTest.php | 9 ++++++--- .../RequestRules/Rules/RequiredNonceRuleTest.php | 11 +++++++---- .../Rules/RequiredOpenIdScopeRuleTest.php | 11 +++++++---- .../RequestRules/Rules/ResponseTypeRuleTest.php | 7 +++++-- .../Rules/ScopeOfflineAccessRuleTest.php | 9 ++++++--- .../Server/RequestRules/Rules/ScopeRuleTest.php | 11 +++++++---- .../Server/RequestRules/Rules/StateRuleTest.php | 7 ++++++- .../RequestRules/Rules/UiLocalesRuleTest.php | 7 +++++-- tests/unit/src/Services/OpMetadataServiceTest.php | 1 + 19 files changed, 124 insertions(+), 61 deletions(-) diff --git a/tests/unit/src/Server/Grants/ImplicitGrantTest.php b/tests/unit/src/Server/Grants/ImplicitGrantTest.php index d28dabda..5f487746 100644 --- a/tests/unit/src/Server/Grants/ImplicitGrantTest.php +++ b/tests/unit/src/Server/Grants/ImplicitGrantTest.php 
@@ -31,7 +31,6 @@ class ImplicitGrantTest extends TestCase protected MockObject $accessTokenRepositoryMock; protected MockObject $requestRulesManagerMock; protected MockObject $requestParamsResolverMock; - protected string $queryDelimiter; protected MockObject $accessTokenEntityFactoryMock; protected MockObject $scopeRepositoryMock; protected MockObject $serverRequestMock; @@ -48,7 +47,6 @@ protected function setUp(): void $this->accessTokenRepositoryMock = $this->createMock(AccessTokenRepository::class); $this->requestRulesManagerMock = $this->createMock(RequestRulesManager::class); $this->requestParamsResolverMock = $this->createMock(RequestParamsResolver::class); - $this->queryDelimiter = '#'; $this->accessTokenEntityFactoryMock = $this->createMock(AccessTokenEntityFactory::class); $this->scopeRepositoryMock = $this->createMock(ScopeRepositoryInterface::class); @@ -66,7 +64,6 @@ protected function sut( ?AccessTokenRepositoryInterface $accessTokenRepository = null, ?RequestRulesManager $requestRulesManager = null, ?RequestParamsResolver $requestParamsResolver = null, - ?string $queryDelimiter = null, ?AccessTokenEntityFactory $accessTokenEntityFactory = null, ?ScopeRepositoryInterface $scopeRepository = null, ): ImplicitGrant { @@ -75,7 +72,6 @@ protected function sut( $accessTokenRepository ??= $this->accessTokenRepositoryMock; $requestRulesManager ??= $this->requestRulesManagerMock; $requestParamsResolver ??= $this->requestParamsResolverMock; - $queryDelimiter ??= $this->queryDelimiter; $accessTokenEntityFactory ??= $this->accessTokenEntityFactoryMock; $scopeRepository ??= $this->scopeRepositoryMock; @@ -86,7 +82,6 @@ protected function sut( $accessTokenRepository, $requestRulesManager, $requestParamsResolver, - $queryDelimiter, $accessTokenEntityFactory, ); diff --git a/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php index 302eaa30..8a147402 100644 
--- a/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php @@ -12,6 +12,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AcrValuesRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -25,6 +26,7 @@ class AcrValuesRuleTest extends TestCase protected Stub $resultStub; protected Stub $loggerServiceStub; protected Stub $requestParamsResolverStub; + protected Stub $responseModeStub; protected Helpers $helpers; /** @@ -37,6 +39,7 @@ protected function setUp(): void $this->resultStub = $this->createStub(ResultInterface::class); $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); $this->helpers = new Helpers(); } @@ -62,6 +65,8 @@ public function testNoAcrIsSetIfAcrValuesNotRequested(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], + $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); $this->assertNull($result->getValue()); } @@ -79,6 +84,8 @@ public function testPopulatesAcrValuesFromClaimsParameter(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], + $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); $this->assertSame(['1', '0'], $result->getValue()['values']); 
@@ -96,6 +103,8 @@ public function testPopulatesAcrValuesFromAcrValuesRequestParameter(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], + $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); $this->assertSame(['1', '0'], $result->getValue()['values']); diff --git a/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php index fb54da45..1eefe354 100644 --- a/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php @@ -15,6 +15,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\AddClaimsToIdTokenRule @@ -48,6 +49,7 @@ class AddClaimsToIdTokenRuleTest extends TestCase private ResultBag $resultBag; private Stub $loggerServiceStub; + private Stub $responseModeStub; /** * @throws \Exception @@ -60,6 +62,7 @@ protected function setUp(): void $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( 
@@ -83,7 +86,7 @@ public function testAddClaimsToIdTokenRuleTest($responseType) { $this->resultBag->add(new Result(ResponseTypeRule::class, $responseType)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(AddClaimsToIdTokenRule::class, null); $this->assertTrue($result->getValue()); } @@ -103,7 +106,7 @@ public function testDoNotAddClaimsToIdTokenRuleTest($responseType) { $this->resultBag->add(new Result(ResponseTypeRule::class, $responseType)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(AddClaimsToIdTokenRule::class, null); $this->assertFalse($result->getValue()); @@ -128,6 +131,6 @@ public static function invalidResponseTypeProvider(): array public function testAddClaimsToIdTokenRuleThrowsWithNoResponseTypeParamTest() { $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php index abf0eb9e..fad91778 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php @@ -21,6 +21,7 @@ use SimpleSAML\Module\oidc\Utils\FederationParticipationValidator; use SimpleSAML\Module\oidc\Utils\JwksResolver; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Federation; /** 
@@ -41,6 +42,7 @@ class ClientRuleTest extends TestCase protected Stub $helpersStub; protected Stub $jwksResolverStub; protected Stub $federationParticipationValidatorStub; + protected Stub $responseModeStub; /** * @throws \Exception @@ -60,6 +62,7 @@ protected function setUp(): void $this->helpersStub = $this->createStub(Helpers::class); $this->jwksResolverStub = $this->createStub(JwksResolver::class); $this->federationParticipationValidatorStub = $this->createStub(FederationParticipationValidator::class); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut(): ClientRule @@ -91,6 +94,8 @@ public function testCheckRuleEmptyClientIdThrows(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], + $this->responseModeStub, ); } @@ -103,6 +108,8 @@ public function testCheckRuleInvalidClientThrows(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], + $this->responseModeStub, ); } @@ -119,6 +126,8 @@ public function testCheckRuleForValidClientId(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertInstanceOf(ClientEntityInterface::class, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php index f01343ca..2bf60769 100644 --- a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php 
@@ -21,6 +21,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeMethodRule @@ -36,6 +37,7 @@ class CodeChallengeMethodRuleTest extends TestCase protected Stub $requestParamsResolverStub; protected MockObject $codeChallengeVerifiersRepositoryMock; protected Helpers $helpers; + protected Stub $responseModeStub; /** * @throws \Exception */ @@ -49,6 +51,7 @@ protected function setUp(): void $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->codeChallengeVerifiersRepositoryMock = $this->createMock(CodeChallengeVerifiersRepository::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -75,7 +78,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -87,7 +90,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** 
@@ -100,7 +103,7 @@ public function testCheckRuleWithInvalidCodeChallengeMethodThrows(): void $this->codeChallengeVerifiersRepositoryMock->expects($this->once())->method('has') ->with('invalid')->willReturn(false); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -113,7 +116,7 @@ public function testCheckRuleForValidCodeChallengeMethod(): void $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn('plain'); $this->codeChallengeVerifiersRepositoryMock->expects($this->once())->method('has') ->with('plain')->willReturn(true); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame('plain', $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php index 1755ea6f..dd672df0 100644 --- a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php @@ -21,6 +21,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeRule @@ -39,6 +40,7 @@ class CodeChallengeRuleTest extends TestCase protected Stub $clientStub; protected Result $clientIdResult; protected Helpers $helpers; + protected Stub $responseModeStub; /** * @throws \Exception 
@@ -54,6 +56,7 @@ protected function setUp(): void $this->clientStub = $this->createStub(ClientEntityInterface::class); $this->clientIdResult = new Result(ClientRule::class, $this->clientStub); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -77,7 +80,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -89,7 +92,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -100,7 +103,7 @@ public function testCheckRuleNoCodeReturnsNullForConfidentialClients(): void $this->clientStub->method('isConfidential')->willReturn(true); $resultBag = $this->prepareValidResultBag(); $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn(null); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertNull($result->getValue()); } 
@@ -113,7 +116,7 @@ public function testCheckRuleInvalidCodeChallengeThrows(): void $resultBag = $this->prepareValidResultBag(); $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn('too-short'); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -125,7 +128,7 @@ public function testCheckRuleForValidCodeChallenge(): void $resultBag = $this->prepareValidResultBag(); $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn($this->codeChallenge); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame($this->codeChallenge, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php index d8137a8e..e5661a4b 100644 --- a/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php @@ -16,6 +16,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Core; use SimpleSAML\OpenID\Core\Factories\IdTokenFactory; use SimpleSAML\OpenID\Core\IdToken; 
@@ -46,6 +47,7 @@ class IdTokenHintRuleTest extends TestCase protected MockObject $coreMock; protected MockObject $idTokenFactoryMock; protected MockObject $idTokenMock; + protected Stub $responseModeStub; /** * @throws \ReflectionException @@ -70,6 +72,7 @@ protected function setUp(): void $this->idTokenFactoryMock = $this->createMock(IdTokenFactory::class); $this->idTokenMock = $this->createMock(IdToken::class); $this->coreMock->method('idTokenFactory')->willReturn($this->idTokenFactoryMock); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -110,6 +113,8 @@ public function testCheckRuleIsNullWhenParamNotSet(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], + $this->responseModeStub, ) ?? new Result(IdTokenHintRule::class); $this->assertNull($result->getValue()); @@ -122,7 +127,7 @@ public function testCheckRuleThrowsForMalformedIdToken(): void { $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn('malformed'); $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -139,7 +144,7 @@ public function testCheckRuleThrowsForIdTokenWithInvalidSignature(): void ->with('invalid-it-token') ->willReturn($this->idTokenMock); $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); } /** 
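Review bot: testCheckRuleThrowsForMalformedIdToken keeps `expectException(Throwable::class)` while the call under test gains two arguments, so a `TypeError` or `ArgumentCountError` raised by the call itself would satisfy the expectation. The test would then pass without the id_token_hint validation ever running. The same applies to the invalid-signature and invalid-issuer tests here and to the throwing tests in PostLogoutRedirectUriRuleTest. I would narrow each expectation to the exception the rule is meant to raise; the other rule tests on this page use `$this->expectException(OidcServerException::class);`, though which type these two rules throw is not visible in the hunks.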
@@ -157,7 +162,7 @@ public function testCheckRuleThrowsForIdTokenWithInvalidIssuer(): void $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods') ->willReturn('id-token'); $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -172,7 +177,7 @@ public function testCheckRulePassesForValidIdToken(): void $this->idTokenMock->method('getIssuer')->willReturn(self::$issuer); $this->idTokenFactoryMock->method('fromToken') ->willReturn($this->idTokenMock); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(IdTokenHintRule::class); $this->assertInstanceOf(IdToken::class, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php index 7bf7d279..f0fc017f 100644 --- a/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php @@ -23,6 +23,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Core\IdToken; use Throwable; @@ -50,6 +51,7 @@ class PostLogoutRedirectUriRuleTest extends TestCase protected Stub $requestParamsResolverStub; protected Helpers $helpers; protected MockObject $idTokenMock; + protected Stub $responseModeStub; public static function setUpBeforeClass(): void { 
@@ -83,6 +85,7 @@ protected function setUp(): void $this->helpers = new Helpers(); $this->idTokenMock = $this->createMock(IdToken::class); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -107,7 +110,7 @@ protected function sut( */ public function testCheckRuleReturnsNullIfNoParamSet(): void { - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? (new Result(PostLogoutRedirectUriRule::class)); $this->assertNull($result->getValue()); @@ -123,7 +126,7 @@ public function testCheckRuleThrowsWhenIdTokenHintNotAvailable(): void $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -148,7 +151,7 @@ public function testCheckRuleThrowsWhenAudClaimNotValid(): void $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -176,7 +179,7 @@ public function testCheckRuleThrowsWhenClientNotFound(): void $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? (new Result(PostLogoutRedirectUriRule::class)); } 
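Review bot: In testCheckRuleThrowsWhenIdTokenHintNotAvailable the updated call still ends in `?? (new Result(PostLogoutRedirectUriRule::class));` although the value is discarded and the test expects an exception. The fallback is dead code and suggests the call is expected to return. Since the line is being rewritten anyway, end the statement at the call: `$this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub);`. The other throwing tests in this file (aud claim not valid, client not found, URI not registered) have the same tail.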
@@ -204,7 +207,7 @@ public function testCheckRuleThrowsWhenPostLogoutRegisteredUriNotRegistered(): v $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -231,7 +234,7 @@ public function testCheckRuleReturnsForRegisteredPostLogoutRedirectUri(): void new Result(IdTokenHintRule::class, $this->idTokenMock), ); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? (new Result(PostLogoutRedirectUriRule::class)); $this->assertEquals(self::$postLogoutRedirectUri, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php index 33a31f4e..2738c826 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php @@ -19,6 +19,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRedirectUriRule @@ -34,6 +35,7 @@ class RedirectUriRuleTest extends TestCase protected Stub $requestParamsResolverStub; protected Helpers $helpers; protected Stub $moduleConfigStub; + protected Stub $responseModeStub; /** 
@@ -48,6 +50,7 @@ protected function setUp(): void $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); $this->moduleConfigStub = $this->createStub(ModuleConfig::class); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -73,7 +76,7 @@ protected function sut( public function testCheckRuleClientIdDependency(): void { $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -84,7 +87,7 @@ public function testCheckRuleWithInvalidClientDependancy(): void { $this->resultBag->add(new Result(ClientRule::class, 'invalid')); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -95,7 +98,7 @@ public function testCheckRuleRedirectUriNotSetThrows(): void $resultBag = $this->prepareValidResultBag(); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -107,7 +110,7 @@ public function testCheckRuleDifferentClientRedirectUriThrows(): void $resultBag = $this->prepareValidResultBag(); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** 
@@ -121,7 +124,7 @@ public function testCheckRuleDifferentClientRedirectUriArrayThrows(): void $this->resultBag->add(new Result(ClientRule::class, $this->clientStub)); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -134,7 +137,7 @@ public function testCheckRuleWithValidRedirectUri(): void $resultBag = $this->prepareValidResultBag(); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame($this->redirectUri, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php index 45861adb..017d9045 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php @@ -20,6 +20,7 @@ use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\JwksResolver; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Core\RequestObject; #[CoversClass(RequestObjectRule::class)] @@ -33,6 +34,7 @@ class RequestObjectRuleTest extends TestCase protected Stub $loggerServiceStub; protected MockObject $jwksResolverMock; protected Helpers $helpers; + protected Stub $responseModeStub; protected function setUp(): void { 
@@ -49,6 +51,7 @@ protected function setUp(): void $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->jwksResolverMock = $this->createMock(JwksResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -74,7 +77,7 @@ public function testCanCreateInstance(): void public function testRequestParamCanBeAbsent(): void { - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertNull($result); } @@ -85,7 +88,7 @@ public function testUnprotectedRequestParamCanBeUsed(): void $this->requestParamsResolverMock->expects($this->once())->method('parseRequestObjectToken') ->with('token')->willReturn($this->requestObjectMock); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertInstanceOf(Result::class, $result); $this->assertIsArray($result->getValue()); $this->assertNotEmpty($result->getValue()); @@ -100,7 +103,7 @@ public function testMissingClientJwksThrows(): void $this->clientStub->expects($this->once())->method('getJwks')->willReturn(null); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); } public function testThrowsForInvalidRequestObject(): void 
@@ -116,7 +119,7 @@ public function testThrowsForInvalidRequestObject(): void ->willReturn(['jwks']); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); } public function testReturnsValidRequestObject(): void @@ -132,7 +135,7 @@ public function testReturnsValidRequestObject(): void ->with($this->clientStub) ->willReturn(['jwks']); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertInstanceOf(Result::class, $result); $this->assertIsArray($result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php index a17f677d..57ce690e 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php @@ -18,6 +18,7 @@ use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestedClaimsRule @@ -33,6 +34,7 @@ class RequestedClaimsRuleTest extends TestCase protected Stub $requestParamsResolverStub; protected Stub $claimSetEntityFactoryStub; protected Helpers $helpers; + protected Stub $responseModeStub; /** @@ -57,6 +59,7 @@ protected function setUp(): void }); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( 
@@ -80,7 +83,7 @@ protected function sut( */ public function testNoRequestedClaims(): void { - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertNull($result); } @@ -113,7 +116,7 @@ public function testWithClaims(): void $this->requestParamsResolverStub->method('getBasedOnAllowedMethods')->willReturn(json_encode($requestedClaims)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertNotNull($result); $this->assertEquals($expectedClaims, $result->getValue()); } @@ -132,7 +135,7 @@ public function testOnlyWithNonStandardClaimRequest(): void $requestedClaims = $expectedClaims; $this->requestParamsResolverStub->method('getBasedOnAllowedMethods')->willReturn(json_encode($requestedClaims)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); $this->assertNotNull($result); $this->assertEquals($expectedClaims, $result->getValue()); } diff --git a/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php index 6bfbd34e..8bafbba9 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php 
@@ -17,6 +17,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule @@ -37,6 +38,7 @@ class RequiredNonceRuleTest extends TestCase protected Stub $loggerServiceStub; protected Stub $requestParamsResolverStub; + protected Stub $responseModeStub; /** * @throws \Exception @@ -54,6 +56,7 @@ protected function setUp(): void $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -77,7 +80,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -89,7 +92,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** 
@@ -101,7 +104,7 @@ public function testCheckRulePassesWhenNonceIsPresent() $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods') ->willReturn($this->requestQueryParams['nonce']); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(RequiredNonceRule::class, null); $this->assertEquals($this->requestQueryParams['nonce'], $result->getValue()); @@ -114,6 +117,6 @@ public function testCheckRuleThrowsWhenNonceIsNotPresent() { $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php index 05668b79..de7aa228 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php @@ -19,6 +19,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule @@ -36,6 +37,7 @@ class RequiredOpenIdScopeRuleTest extends TestCase protected Stub $loggerServiceStub; protected Stub $requestParamsResolverStub; protected Helpers $helpers; + protected Stub $responseModeStub; /** * @throws \Exception 
@@ -53,6 +55,7 @@ protected function setUp(): void $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -76,7 +79,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -88,7 +91,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -102,7 +105,7 @@ public function testCheckRulePassesWhenOpenIdScopeIsPresent() $resultBag->add($this->stateResult); $resultBag->add($this->scopeResult); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(RequiredOpenIdScopeRule::class, null); $this->assertTrue($result->getValue()); @@ -123,6 +126,6 @@ public function testCheckRuleThrowsWhenOpenIdScopeIsNotPresent() $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } } 
diff --git a/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php index ecd2d1e6..5d262439 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php @@ -14,6 +14,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule @@ -49,6 +50,7 @@ class ResponseTypeRuleTest extends TestCase private ResultBag $resultBag; protected Stub $loggerServiceStub; + protected Stub $responseModeStub; /** * @throws \Exception @@ -61,6 +63,7 @@ protected function setUp(): void $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -84,7 +87,7 @@ public function testResponseTypeRuleTest($responseType) { $this->requestParams['response_type'] = $responseType; $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($this->requestParams); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(ResponseTypeRule::class, null); $this->assertSame($responseType, $result->getValue()); } 
@@ -103,6 +106,6 @@ public function testResponseTypeRuleThrowsWithNoResponseTypeParamTest() unset($params['response_type']); $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub); + $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php index e9bddd38..dd6e75af 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php @@ -19,6 +19,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule @@ -39,6 +40,7 @@ class ScopeOfflineAccessRuleTest extends TestCase protected Stub $openIdConfigurationStub; protected Stub $requestParamsResolverStub; protected Helpers $helpers; + protected Stub $responseModeStub; /** * @throws \Exception @@ -69,6 +71,7 @@ protected function setUp(): void $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( 
@@ -115,7 +118,7 @@ public function testReturnsFalseWhenOfflineAccessScopeNotPresent(): void $this->moduleConfigStub->method('config') ->willReturn($this->openIdConfigurationStub); - $result = $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock); + $result = $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, [], $this->responseModeStub); $this->assertNotNull($result); $this->assertFalse($result->getValue()); @@ -146,7 +149,7 @@ public function testThrowsWhenClientDoesntHaveOfflineAccessScopeRegistered(): vo $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock); + $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, [], $this->responseModeStub); } /** @@ -173,7 +176,7 @@ public function testReturnsTrueWhenClientDoesHaveOfflineAccessScopeRegistered(): $this->moduleConfigStub->method('config') ->willReturn($this->openIdConfigurationStub); - $result = $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock); + $result = $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, [], $this->responseModeStub); $this->assertNotNull($result); $this->assertTrue($result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php index 1916686e..5f601970 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php 
@@ -22,6 +22,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule @@ -47,6 +48,7 @@ class ScopeRuleTest extends TestCase protected Stub $requestParamsResolverStub; protected Stub $helpersStub; protected Stub $strHelperMock; + protected Stub $responseModeStub; /** * @throws \Exception @@ -67,6 +69,7 @@ protected function setUp(): void $this->helpersStub = $this->createStub(Helpers::class); $this->strHelperMock = $this->createMock(Helpers\Str::class); $this->helpersStub->method('str')->willReturn($this->strHelperMock); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -98,7 +101,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); } /** @@ -110,7 +113,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); } /** 
@@ -134,7 +137,7 @@ public function testValidScopes(): void ), ); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data); + $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertIsArray($result->getValue()); $this->assertSame($this->scopeEntities['openid'], $result->getValue()[0]); @@ -161,7 +164,7 @@ public function testInvalidScopeThrows(): void ); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); } protected function prepareValidResultBag(): ResultBag diff --git a/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php index aa38de1b..c3253b0e 100644 --- a/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php @@ -13,6 +13,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\AbstractRule @@ -23,6 +24,7 @@ class StateRuleTest extends TestCase protected Stub $loggerServiceStub; protected Stub $requestParamsResolverStub; protected Helpers $helpers; + protected Stub $responseModeStub; /** * @throws \Exception 
@@ -32,6 +34,7 @@ public function setUp(): void $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -65,7 +68,7 @@ public function testCheckRuleHasValue(): void $resultBag = new ResultBag(); $data = []; - $result = $this->sut()->checkRule($request, $resultBag, $this->loggerServiceStub, $data); + $result = $this->sut()->checkRule($request, $resultBag, $this->loggerServiceStub, $data, $this->responseModeStub); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame($value, $result->getValue()); @@ -85,6 +88,8 @@ public function testCheckRulePostMethod(): void $request, $resultBag, $this->loggerServiceStub, + [], + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); diff --git a/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php index a4eefd8c..f885e0d5 100644 --- a/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php @@ -13,6 +13,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule @@ -24,6 +25,7 @@ class UiLocalesRuleTest extends TestCase protected Stub $loggerServiceStub; protected Stub $requestParamsResolverStub; protected Helpers $helpers; + protected Stub $responseModeStub; /** * @throws \Exception 
@@ -37,6 +39,7 @@ protected function setUp(): void $this->loggerServiceStub = $this->createStub(LoggerService::class); $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); } protected function sut( @@ -59,7 +62,7 @@ public function testCheckRuleReturnsResultWhenParamSet() { $this->requestParamsResolverStub->method('getBasedOnAllowedMethods')->willReturn('en'); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(UiLocalesRule::class); $this->assertEquals('en', $result->getValue()); @@ -72,7 +75,7 @@ public function testCheckRuleReturnsNullWhenParamNotSet() { $this->requestStub->method('getQueryParams')->willReturn([]); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub) ?? + $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? new Result(UiLocalesRule::class); $this->assertNull($result->getValue()); diff --git a/tests/unit/src/Services/OpMetadataServiceTest.php b/tests/unit/src/Services/OpMetadataServiceTest.php index f354b630..9247da12 100644 --- a/tests/unit/src/Services/OpMetadataServiceTest.php +++ b/tests/unit/src/Services/OpMetadataServiceTest.php @@ -142,6 +142,7 @@ public function testItReturnsExpectedMetadata(): void 'acr_values_supported' => ['1'], 'backchannel_logout_supported' => true, 'backchannel_logout_session_supported' => true, + 'response_modes_supported' => ['query', 'fragment', 'form_post'], ], $this->sut()->getMetadata(), ); From 8364e8589089033aca659e4db1fb5a36a5b0b795 Mon Sep 17 00:00:00 2001 
From: Harm Date: Wed, 6 May 2026 08:39:48 +0200 Subject: [PATCH 06/13] Code styling, some test fixes --- src/Factories/RequestRulesManagerFactory.php | 4 +- src/Forms/ClientForm.php | 8 ++- src/Server/AuthorizationServer.php | 2 +- src/Server/Exceptions/OidcServerException.php | 34 ++++++++++--- src/Server/Grants/AuthCodeGrant.php | 7 +-- src/Server/Grants/ImplicitGrant.php | 1 - src/Server/Grants/PreAuthCodeGrant.php | 4 +- .../Interfaces/RequestRuleInterface.php | 5 +- .../RequestRules/RequestRulesManager.php | 6 ++- .../RequestRules/Rules/AcrValuesRule.php | 3 +- .../Rules/AddClaimsToIdTokenRule.php | 2 +- .../Rules/AuthorizationDetailsRule.php | 2 +- .../Rules/ClientAuthenticationRule.php | 2 +- .../RequestRules/Rules/ClientIdRule.php | 2 +- .../Rules/ClientRedirectUriRule.php | 2 +- src/Server/RequestRules/Rules/ClientRule.php | 2 +- .../Rules/CodeChallengeMethodRule.php | 3 +- .../RequestRules/Rules/CodeChallengeRule.php | 3 +- .../RequestRules/Rules/CodeVerifierRule.php | 2 +- .../RequestRules/Rules/IdTokenHintRule.php | 2 +- .../RequestRules/Rules/IssuerStateRule.php | 2 +- src/Server/RequestRules/Rules/MaxAgeRule.php | 3 +- .../Rules/PostLogoutRedirectUriRule.php | 2 +- src/Server/RequestRules/Rules/PromptRule.php | 2 +- .../RequestRules/Rules/RequestObjectRule.php | 2 +- .../Rules/RequestedClaimsRule.php | 2 +- .../RequestRules/Rules/RequiredNonceRule.php | 2 +- .../Rules/RequiredOpenIdScopeRule.php | 2 +- .../RequestRules/Rules/ResponseModeRule.php | 30 +++++------ .../RequestRules/Rules/ResponseTypeRule.php | 2 +- .../Rules/ScopeOfflineAccessRule.php | 2 +- src/Server/RequestRules/Rules/ScopeRule.php | 2 +- src/Server/RequestRules/Rules/StateRule.php | 2 +- .../RequestRules/Rules/UiLocalesRule.php | 2 +- .../RequestTypes/AuthorizationRequest.php | 2 +- .../ResponseModes/FormPostResponseMode.php | 6 +-- .../ResponseModes/FragmentResponseMode.php | 2 +- .../ResponseModes/QueryResponseMode.php | 2 +- .../ResponseModes/ResponseModeInterface.php | 2 +- 
src/Server/ResponseTypes/HtmlResponse.php | 4 +- src/Services/Container.php | 14 ++++-- .../Admin/ClientControllerTest.php | 1 + tests/unit/src/Forms/ClientFormTest.php | 1 + .../RequestRules/RequestRulesManagerTest.php | 2 + .../RequestRules/Rules/AcrValuesRuleTest.php | 3 -- .../Rules/AddClaimsToIdTokenRuleTest.php | 26 ++++++++-- .../RequestRules/Rules/ClientRuleTest.php | 5 +- .../Rules/CodeChallengeMethodRuleTest.php | 16 ++++-- .../Rules/CodeChallengeRuleTest.php | 24 ++++++--- .../Rules/IdTokenHintRuleTest.php | 31 +++++++++--- .../Rules/PostLogoutRedirectUriRuleTest.php | 50 ++++++++++++++++--- .../Rules/RedirectUriRuleTest.php | 38 +++++++++++--- .../Rules/RequestObjectRuleTest.php | 42 +++++++++++++--- .../Rules/RequestedClaimsRuleTest.php | 26 ++++++++-- .../Rules/RequiredNonceRuleTest.php | 22 ++++++-- .../Rules/RequiredOpenIdScopeRuleTest.php | 16 ++++-- .../Rules/ResponseTypeRuleTest.php | 18 +++++-- .../Rules/ScopeOfflineAccessRuleTest.php | 26 ++++++++-- .../RequestRules/Rules/ScopeRuleTest.php | 34 +++++++++++-- .../RequestRules/Rules/StateRuleTest.php | 11 ++-- .../RequestRules/Rules/UiLocalesRuleTest.php | 18 +++++-- 61 files changed, 439 insertions(+), 156 deletions(-) diff --git a/src/Factories/RequestRulesManagerFactory.php b/src/Factories/RequestRulesManagerFactory.php index 4ef70690..85fbf083 100644 --- a/src/Factories/RequestRulesManagerFactory.php +++ b/src/Factories/RequestRulesManagerFactory.php 
@@ -37,9 +37,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; -use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; -use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Services\AuthenticationService; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver; diff --git a/src/Forms/ClientForm.php b/src/Forms/ClientForm.php index 183c57aa..1181eea2 100644 --- a/src/Forms/ClientForm.php +++ b/src/Forms/ClientForm.php @@ -285,7 +285,10 @@ public function getValues(string|object|bool|null $returnType = null, ?array $co null : $idTokenSignedResponseAlg; $responseModesAllowed = is_array($values['response_modes_allowed']) ? $values['response_modes_allowed'] : []; - $values['response_modes_allowed'] = array_intersect($responseModesAllowed, array_keys($this->getAllowedResponseModesValues())); + $values['response_modes_allowed'] = array_intersect( + $responseModesAllowed, + array_keys($this->getAllowedResponseModesValues()), + ); return $values; } @@ -339,7 +342,8 @@ public function setDefaults(object|array $data, bool $erase = false): static $data['auth_source'] = null; } - $data['response_modes_allowed'] = is_array($data['response_modes_allowed']) ? $data['response_modes_allowed'] : []; + $data['response_modes_allowed'] = is_array($data['response_modes_allowed']) ? + $data['response_modes_allowed'] : []; parent::setDefaults($data, $erase); diff --git a/src/Server/AuthorizationServer.php b/src/Server/AuthorizationServer.php index 81c38065..89d76f76 100644 --- a/src/Server/AuthorizationServer.php 
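Review bot: `array_intersect()` in `getValues()` (hunk `@@ -285,7 +285,10`) preserves the keys of `$responseModesAllowed`, so when a submitted value is filtered out the result has gaps in its integer keys and is no longer a list. If the value is later JSON-encoded for storage (not visible in this hunk), it would serialize as an object rather than an array. Wrapping the call as `array_values(array_intersect($responseModesAllowed, array_keys($this->getAllowedResponseModesValues())))` avoids that. Filtering the submitted modes against the server-side allow-list is the right check to keep. `getValues()` starts and ends outside the hunk.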
+++ b/src/Server/AuthorizationServer.php @@ -22,9 +22,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PostLogoutRedirectUriRule; +use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; -use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule; use SimpleSAML\Module\oidc\Server\RequestTypes\LogoutRequest; use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Services\LoggerService; diff --git a/src/Server/Exceptions/OidcServerException.php b/src/Server/Exceptions/OidcServerException.php index f1be1922..3e17c7cb 100644 --- a/src/Server/Exceptions/OidcServerException.php +++ b/src/Server/Exceptions/OidcServerException.php @@ -6,13 +6,12 @@ use League\OAuth2\Server\Exception\OAuthServerException; use Psr\Http\Message\ResponseInterface; -use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Codebooks\ErrorsEnum; use Throwable; -use function http_build_query; use function json_encode; class OidcServerException extends OAuthServerException @@ -135,7 +134,17 @@ public static function invalidScope( ); } - $e = new self('The requested scope is invalid, unknown, or malformed', 5, 'invalid_scope', 400, $hint, $redirectUri, null, $state, $responseMode); + $e = new self( + 'The requested scope is invalid, unknown, or malformed', + 5, + 'invalid_scope', + 400, + $hint, + $redirectUri, + null, + $state, + $responseMode, + ); return $e; } 
@@ -160,7 +169,7 @@ public static function invalidRequest( ?ResponseModeInterface $responseMode = null, ): OidcServerException { $errorMessage = 'The request is missing a required parameter, includes an invalid parameter value, ' . - 'includes a parameter more than once, or is otherwise malformed.'; + 'includes a parameter more than once, or is otherwise malformed.'; $hint = ($hint === null) ? \sprintf('Check the `%s` parameter', $parameter) : $hint; $e = new self($errorMessage, 9, 'invalid_request', 400, $hint, $redirectUri, $previous, $state, $responseMode); @@ -182,7 +191,8 @@ public static function accessDenied( ?string $state = null, ?ResponseModeInterface $responseMode = null, ): OidcServerException { - $e = new self('The resource owner or authorization server denied the request.', + $e = new self( + 'The resource owner or authorization server denied the request.', 9, 'access_denied', 401, @@ -241,7 +251,17 @@ public static function requestNotSupported( ): OidcServerException { $errorMessage = "Request object not supported."; - $e = new self($errorMessage, 7, 'request_not_supported', 400, $hint, $redirectUri, $previous, $state, $responseMode); + $e = new self( + $errorMessage, + 7, + 'request_not_supported', + 400, + $hint, + $redirectUri, + $previous, + $state, + $responseMode, + ); return $e; } @@ -278,7 +298,7 @@ public static function invalidTrustChain( $redirectUri, $previous, $state, - $responseMode + $responseMode, ); return $e; diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php index e2544f49..052af731 100644 --- a/src/Server/Grants/AuthCodeGrant.php +++ b/src/Server/Grants/AuthCodeGrant.php 
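Review bot: `invalidRequest()` and `accessDenied()` both pass `9` as the numeric exception code: see the context line `new self($errorMessage, 9, 'invalid_request', 400, ...)` and the reformatted `accessDenied()` call in the next hunk. Anything that keys logging or alerting on `getCode()` cannot tell a malformed request from a denied one. If the overlap is not intentional, give `invalid_request` its own code and keep `9` for `access_denied`. The parent league library, as far as I recall, uses `3` for invalid_request, and the other factories visible here use distinct values (`5`, `7`). Both method bodies extend outside these hunks.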
@@ -18,7 +18,6 @@ use League\OAuth2\Server\RequestEvent; use League\OAuth2\Server\RequestTypes\AuthorizationRequest as OAuth2AuthorizationRequest; use League\OAuth2\Server\ResponseTypes\AbstractResponseType; -use League\OAuth2\Server\ResponseTypes\RedirectResponse; use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface; use LogicException; use Psr\Http\Message\ServerRequestInterface; @@ -505,7 +504,9 @@ public function respondToAccessTokenRequest( $resultBag = $this->requestRulesManager->check( $request, $rulesToExecute, - new QueryResponseMode(), // TODO: Response mode is not relevant for token request, as there is no redirection, but we need to provide something to execute rules. + // TODO: Response mode is not relevant for token request, as there is + // no redirection, but we need to provide something to execute rules. + new QueryResponseMode(), $this->allowedTokenHttpMethods, ); @@ -789,7 +790,7 @@ public function validateAuthorizationRequestWithRequestRules( $rulesToExecute, $responseMode, $this->allowedAuthorizationHttpMethods, - ); + ); $this->loggerService->debug('AuthCodeGrant: executed rules.', ['rulesToExecute' => $rulesToExecute]); diff --git a/src/Server/Grants/ImplicitGrant.php b/src/Server/Grants/ImplicitGrant.php index 79f80128..aee0494c 100644 --- a/src/Server/Grants/ImplicitGrant.php +++ b/src/Server/Grants/ImplicitGrant.php @@ -7,7 +7,6 @@ use DateInterval; use League\OAuth2\Server\Grant\ImplicitGrant as OAuth2ImplicitGrant; use League\OAuth2\Server\RequestTypes\AuthorizationRequest as OAuth2AuthorizationRequest; -use League\OAuth2\Server\ResponseTypes\RedirectResponse; use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface; use LogicException; use Psr\Http\Message\ServerRequestInterface; diff --git a/src/Server/Grants/PreAuthCodeGrant.php b/src/Server/Grants/PreAuthCodeGrant.php index 9bb45d13..4b13ef5c 100644 --- a/src/Server/Grants/PreAuthCodeGrant.php +++ b/src/Server/Grants/PreAuthCodeGrant.php 
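Review bot: The reflowed TODO in `respondToAccessTokenRequest()` (hunk `@@ -505,7 +504,9`) still hands a throwaway `new QueryResponseMode()` to `requestRulesManager->check()`, although a token request has no redirect. This series makes `checkRule()` accept `?ResponseModeInterface`, so if `check()` were allowed to take `null` as well (its signature is not in this hunk), the call could pass `null`. A rule failure on the token endpoint would then have no response mode that could turn it into a query redirect by mistake. The same placeholder is used in `PreAuthCodeGrant::respondToAccessTokenRequest()`. The method body extends outside the hunk.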
@@ -175,7 +175,9 @@ public function respondToAccessTokenRequest( $resultBag = $this->requestRulesManager->check( $request, [AuthorizationDetailsRule::class], - new QueryResponseMode(), // TODO: Response mode is not relevant for token request, as there is no redirection, but we need to provide something to execute rules. + // TODO: Response mode is not relevant for token request, as there is + // no redirection, but we need to provide something to execute rules. + new QueryResponseMode(), $this->allowedTokenHttpMethods, ); diff --git a/src/Server/RequestRules/Interfaces/RequestRuleInterface.php b/src/Server/RequestRules/Interfaces/RequestRuleInterface.php index 136818f3..71b62d64 100644 --- a/src/Server/RequestRules/Interfaces/RequestRuleInterface.php +++ b/src/Server/RequestRules/Interfaces/RequestRuleInterface.php @@ -22,7 +22,8 @@ public function getKey(): string; * @param \SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface $currentResultBag * ResultBag with all results of the checks performed to current check * @param array $data Data which will be available during check. - * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode Response mode to use for error responses + * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode + * Response mode to use for error responses * @param HttpMethodsEnum[] $allowedServerRequestMethods Indicate allowed HTTP methods used for request * @return \SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface|null Result of the specific check * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException If check fails 
@@ -31,8 +32,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface; } diff --git a/src/Server/RequestRules/RequestRulesManager.php b/src/Server/RequestRules/RequestRulesManager.php index baef127b..ff7c3c1d 100644 --- a/src/Server/RequestRules/RequestRulesManager.php +++ b/src/Server/RequestRules/RequestRulesManager.php @@ -47,7 +47,9 @@ public function add(RequestRuleInterface $rule): void /** * @param class-string[] $ruleKeysToExecute - * @param ResponseModeInterface $responseMode Response mode which will be used in rules execution, as some rules might need to adjust their behaviour based on response mode used in request. + * @param ResponseModeInterface $responseMode Response mode which will be + * used in rules execution, as some rules might need to adjust their + * behaviour based on response mode used in request. * @param HttpMethodsEnum[] $allowedServerRequestMethods Indicate allowed HTTP methods used for request * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException */ @@ -66,8 +68,8 @@ public function check( $request, $this->resultBag, $this->loggerService, - $this->data, $responseMode, + $this->data, $allowedServerRequestMethods, ); diff --git a/src/Server/RequestRules/Rules/AcrValuesRule.php b/src/Server/RequestRules/Rules/AcrValuesRule.php index 727f3bff..e00f6ad5 100644 --- a/src/Server/RequestRules/Rules/AcrValuesRule.php +++ b/src/Server/RequestRules/Rules/AcrValuesRule.php @@ -4,7 +4,6 @@ namespace SimpleSAML\Module\oidc\Server\RequestRules\Rules; -use GuzzleHttp\Psr7\Query; use Psr\Http\Message\ServerRequestInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; 
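Review bot: The `RequestRuleInterface::checkRule()` docblock no longer matches the signature: `$responseMode` now comes before `$data`, but the `@param` list in the preceding hunk still documents `$data` first. It also does not say what a `null` response mode means. I would reorder the tags and extend the description, for example `Response mode to use for error responses, or null when the request has no redirect-based response`, if that is the intended meaning. `RequestRulesManager::check()` still documents its own `$responseMode` as non-nullable, so the two docblocks should be aligned on whether `null` can reach a rule.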
@@ -23,8 +22,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('AcrValuesRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php index a11340bd..b5f731fd 100644 --- a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php +++ b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php @@ -22,8 +22,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string $responseType */ diff --git a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php index 865d7469..af3c70b8 100644 --- a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php +++ b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php @@ -34,8 +34,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('AuthorizationDetailsRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php index eb25882f..400ed532 100644 --- a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php 
+++ b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php @@ -34,8 +34,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { diff --git a/src/Server/RequestRules/Rules/ClientIdRule.php b/src/Server/RequestRules/Rules/ClientIdRule.php index 4705ccff..48ce1c39 100644 --- a/src/Server/RequestRules/Rules/ClientIdRule.php +++ b/src/Server/RequestRules/Rules/ClientIdRule.php @@ -38,8 +38,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ClientIdRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php index 4fc44d71..27320e32 100644 --- a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php @@ -37,8 +37,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RedirectUriRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/ClientRule.php b/src/Server/RequestRules/Rules/ClientRule.php index 717b03ea..c3c2088b 100644 --- a/src/Server/RequestRules/Rules/ClientRule.php +++ b/src/Server/RequestRules/Rules/ClientRule.php 
@@ -71,8 +71,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ClientRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php index 2fbe17fb..53d5f799 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php +++ b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php @@ -11,7 +11,6 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; -use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -36,8 +35,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('CodeChallengeMethodRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/CodeChallengeRule.php b/src/Server/RequestRules/Rules/CodeChallengeRule.php index d51668d9..92ded541 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeRule.php +++ b/src/Server/RequestRules/Rules/CodeChallengeRule.php 
@@ -9,7 +9,6 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; -use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -25,8 +24,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('CodeChallengeRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/CodeVerifierRule.php b/src/Server/RequestRules/Rules/CodeVerifierRule.php index d8260811..1a2cb041 100644 --- a/src/Server/RequestRules/Rules/CodeVerifierRule.php +++ b/src/Server/RequestRules/Rules/CodeVerifierRule.php @@ -23,8 +23,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ diff --git a/src/Server/RequestRules/Rules/IdTokenHintRule.php b/src/Server/RequestRules/Rules/IdTokenHintRule.php index 627b8601..91a83915 100644 --- a/src/Server/RequestRules/Rules/IdTokenHintRule.php +++ b/src/Server/RequestRules/Rules/IdTokenHintRule.php 
@@ -39,8 +39,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string|null $state */ diff --git a/src/Server/RequestRules/Rules/IssuerStateRule.php b/src/Server/RequestRules/Rules/IssuerStateRule.php index f1793d27..6767ba9f 100644 --- a/src/Server/RequestRules/Rules/IssuerStateRule.php +++ b/src/Server/RequestRules/Rules/IssuerStateRule.php @@ -22,8 +22,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $issuerState = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods( diff --git a/src/Server/RequestRules/Rules/MaxAgeRule.php b/src/Server/RequestRules/Rules/MaxAgeRule.php index a67e64e6..656d20c5 100644 --- a/src/Server/RequestRules/Rules/MaxAgeRule.php +++ b/src/Server/RequestRules/Rules/MaxAgeRule.php @@ -12,7 +12,6 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; -use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\AuthenticationService; use SimpleSAML\Module\oidc\Services\LoggerService; 
@@ -44,8 +43,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('MaxAgeRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php index 1a174a0c..eee93c8c 100644 --- a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php @@ -35,8 +35,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string|null $state */ diff --git a/src/Server/RequestRules/Rules/PromptRule.php b/src/Server/RequestRules/Rules/PromptRule.php index 8d43ad4e..d5d490cc 100644 --- a/src/Server/RequestRules/Rules/PromptRule.php +++ b/src/Server/RequestRules/Rules/PromptRule.php @@ -44,8 +44,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('PromptRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/RequestObjectRule.php b/src/Server/RequestRules/Rules/RequestObjectRule.php index 08568f8e..f48ce1e9 100644 --- a/src/Server/RequestRules/Rules/RequestObjectRule.php +++ b/src/Server/RequestRules/Rules/RequestObjectRule.php 
@@ -35,8 +35,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequestObjectRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/RequestedClaimsRule.php b/src/Server/RequestRules/Rules/RequestedClaimsRule.php index 02d95cb0..ab2ddb63 100644 --- a/src/Server/RequestRules/Rules/RequestedClaimsRule.php +++ b/src/Server/RequestRules/Rules/RequestedClaimsRule.php @@ -34,8 +34,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequestedClaimsRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/RequiredNonceRule.php b/src/Server/RequestRules/Rules/RequiredNonceRule.php index 8c5007c8..c0653e96 100644 --- a/src/Server/RequestRules/Rules/RequiredNonceRule.php +++ b/src/Server/RequestRules/Rules/RequiredNonceRule.php @@ -24,8 +24,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string $redirectUri */ diff --git a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php index fb78b978..557c162a 100644 --- a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php +++ b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php 
@@ -23,8 +23,8 @@ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, + ?ResponseModeInterface $responseMode, array $data = [], - ResponseModeInterface $responseMode, array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequiredOpenIdScopeRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/ResponseModeRule.php b/src/Server/RequestRules/Rules/ResponseModeRule.php index 0e41c550..fa4b1269 100644 --- a/src/Server/RequestRules/Rules/ResponseModeRule.php +++ b/src/Server/RequestRules/Rules/ResponseModeRule.php 
@@ -4,27 +4,26 @@
 namespace SimpleSAML\Module\oidc\Server\RequestRules\Rules;
-use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
+use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface;
 use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface;
 use SimpleSAML\Module\oidc\Server\RequestRules\Result;
-use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface;
+use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode;
 use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode;
 use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode;
-use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode;
+use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface;
 use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
-use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
-use SimpleSAML\Module\oidc\Helpers;
 class ResponseModeRule extends AbstractRule
 {
 public function __construct(
 RequestParamsResolver $requestParamsResolver,
- Helpers $helpers,
+ Helpers $helpers,
 private readonly QueryResponseMode $queryResponseMode,
 private readonly FragmentResponseMode $fragmentResponseMode,
 private readonly FormPostResponseMode $formPostResponseMode,
@@ -40,8 +39,8 @@ public function checkRule(
 ServerRequestInterface $request,
 ResultBagInterface $currentResultBag,
 LoggerService $loggerService,
+ ?ResponseModeInterface $responseMode,
 array $data = [],
- ResponseModeInterface $responseMode,
 array $allowedServerRequestMethods = [HttpMethodsEnum::GET],
 ): ?ResultInterface {
 $requestParams = $this->requestParamsResolver->getAllBasedOnAllowedMethods(
@@ -52,7 +51,8 @@ public function checkRule(
 // response_mode requires client_id and response_type to be present
 if (
 !isset($requestParams[ParamsEnum::ClientId->value]) ||
- !isset($requestParams[ParamsEnum::ResponseType->value])) {
+ !isset($requestParams[ParamsEnum::ResponseType->value])
+ ) {
 throw OidcServerException::invalidRequest('Missing client_id or response_type');
 }
@@ -75,11 +75,13 @@ public function checkRule(
 }
 // Verify if response_mode is one of 'query', 'fragment', 'form_post'
- if (!in_array(
- $reponseModeValue,
- ['query', 'fragment', 'form_post'],
- true,
- )) {
+ if (
+ !in_array(
+ $reponseModeValue,
+ ['query', 'fragment', 'form_post'],
+ true,
+ )
+ ) {
 throw OidcServerException::invalidRequest('Invalid response_mode');
 }
@@ -92,7 +94,7 @@ public function checkRule(
 if (!in_array($reponseModeValue, $allowedResponseModes, true)) {
 throw OidcServerException::invalidRequest(
 'response_mode',
- 'response_mode "' . $reponseModeValue . '" is not allowed for this client'
+ 'response_mode "' . $reponseModeValue . '" is not allowed for this client',
 );
 }
diff --git a/src/Server/RequestRules/Rules/ResponseTypeRule.php b/src/Server/RequestRules/Rules/ResponseTypeRule.php
index 7233193a..2fac497d 100644
--- a/src/Server/RequestRules/Rules/ResponseTypeRule.php
+++ b/src/Server/RequestRules/Rules/ResponseTypeRule.php
@@ -23,8 +23,8 @@ public function checkRule(
 ServerRequestInterface $request,
 ResultBagInterface $currentResultBag,
 LoggerService $loggerService,
+ ?ResponseModeInterface $responseMode,
 array $data = [],
- ResponseModeInterface $responseMode,
 array $allowedServerRequestMethods = [HttpMethodsEnum::GET],
 ): ?ResultInterface {
 $requestParams = $this->requestParamsResolver->getAllBasedOnAllowedMethods(
diff --git a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php
index 6ac69302..b46587a2 100644
--- a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php
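Review bot: The checks visible in `ResponseModeRule::checkRule` (the hunks at -75 and -92) accept `query` whenever it is in the fixed list and in the client's allowed modes, and no comparison against the requested `response_type` is visible. OAuth 2.0 Multiple Response Type Encoding Practices forbids the query encoding for response types that return `token` or `id_token`, because tokens placed in a query string end up in server logs and Referer headers. If that cross-check is not already in the part of the method outside these hunks, add it after the per-client test, e.g. `if ($reponseModeValue === 'query' && $responseTypeReturnsToken) { throw OidcServerException::invalidRequest('response_mode', 'query is not allowed for this response_type'); }`. Here `$responseTypeReturnsToken` is a placeholder for the project's own response_type test, and `$reponseModeValue` is spelled as in the file.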
+++ b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php
@@ -23,8 +23,8 @@ public function checkRule(
 ServerRequestInterface $request,
 ResultBagInterface $currentResultBag,
 LoggerService $loggerService,
+ ?ResponseModeInterface $responseMode,
 array $data = [],
- ResponseModeInterface $responseMode,
 array $allowedServerRequestMethods = [HttpMethodsEnum::GET],
 ): ?ResultInterface {
 $loggerService->debug('ScopeOfflineAccessRule::checkRule');
diff --git a/src/Server/RequestRules/Rules/ScopeRule.php b/src/Server/RequestRules/Rules/ScopeRule.php
index 5d7a70c2..580c1760 100644
--- a/src/Server/RequestRules/Rules/ScopeRule.php
+++ b/src/Server/RequestRules/Rules/ScopeRule.php
@@ -36,8 +36,8 @@ public function checkRule(
 ServerRequestInterface $request,
 ResultBagInterface $currentResultBag,
 LoggerService $loggerService,
+ ?ResponseModeInterface $responseMode,
 array $data = [],
- ResponseModeInterface $responseMode,
 array $allowedServerRequestMethods = [HttpMethodsEnum::GET],
 ): ?ResultInterface {
 $loggerService->debug('ScopeRule::checkRule.');
diff --git a/src/Server/RequestRules/Rules/StateRule.php b/src/Server/RequestRules/Rules/StateRule.php
index 39371f0a..fa000596 100644
--- a/src/Server/RequestRules/Rules/StateRule.php
+++ b/src/Server/RequestRules/Rules/StateRule.php
@@ -22,8 +22,8 @@ public function checkRule(
 ServerRequestInterface $request,
 ResultBagInterface $currentResultBag,
 LoggerService $loggerService,
+ ?ResponseModeInterface $responseMode,
 array $data = [],
- ResponseModeInterface $responseMode,
 array $allowedServerRequestMethods = [HttpMethodsEnum::GET],
 ): ?ResultInterface {
 $loggerService->debug('StateRule::checkRule');
diff --git a/src/Server/RequestRules/Rules/UiLocalesRule.php b/src/Server/RequestRules/Rules/UiLocalesRule.php
index b36d2c10..561fd0c9 100644
--- a/src/Server/RequestRules/Rules/UiLocalesRule.php
+++ b/src/Server/RequestRules/Rules/UiLocalesRule.php
@@ -22,8 +22,8 @@ public function checkRule(
 ServerRequestInterface $request,
 ResultBagInterface $currentResultBag,
 LoggerService $loggerService,
+ ?ResponseModeInterface $responseMode,
 array $data = [],
- ResponseModeInterface $responseMode,
 array $allowedServerRequestMethods = [HttpMethodsEnum::GET],
 ): ?ResultInterface {
 return new Result($this->getKey(), $this->requestParamsResolver->getBasedOnAllowedMethods(
diff --git a/src/Server/RequestTypes/AuthorizationRequest.php b/src/Server/RequestTypes/AuthorizationRequest.php
index 3b0450cd..bc969f10 100644
--- a/src/Server/RequestTypes/AuthorizationRequest.php
+++ b/src/Server/RequestTypes/AuthorizationRequest.php
@@ -71,7 +71,7 @@ class AuthorizationRequest extends OAuth2AuthorizationRequest
 */
 protected ?string $issuerState = null;
- private ?ResponseModeInterface $responseMode = null;
+ private ?ResponseModeInterface $responseMode = null;
 public static function fromOAuth2AuthorizationRequest(
 OAuth2AuthorizationRequest $oAuth2authorizationRequest,
diff --git a/src/Server/ResponseModes/FormPostResponseMode.php b/src/Server/ResponseModes/FormPostResponseMode.php
index 515a7b6c..48da84fd 100644
--- a/src/Server/ResponseModes/FormPostResponseMode.php
+++ b/src/Server/ResponseModes/FormPostResponseMode.php
@@ -5,9 +5,9 @@
 namespace SimpleSAML\Module\oidc\Server\ResponseModes;
 use League\OAuth2\Server\ResponseTypes\AbstractResponseType;
-use SimpleSAML\XHTML\Template;
-use SimpleSAML\Module\oidc\Server\ResponseTypes\HtmlResponse;
 use SimpleSAML\Configuration;
+use SimpleSAML\Module\oidc\Server\ResponseTypes\HtmlResponse;
+use SimpleSAML\XHTML\Template;
 class FormPostResponseMode implements ResponseModeInterface
 {
@@ -32,4 +32,4 @@ public function buildResponse(string $redirectUri, array $params): AbstractRespo
 $response->setHtml($html);
 return $response;
 }
-}
\ No newline at end of file
+}
diff --git a/src/Server/ResponseModes/FragmentResponseMode.php b/src/Server/ResponseModes/FragmentResponseMode.php index 05b2ea73..b8e40652 100644 --- a/src/Server/ResponseModes/FragmentResponseMode.php +++ b/src/Server/ResponseModes/FragmentResponseMode.php @@ -17,4 +17,4 @@ public function buildResponse(string $redirectUri, array $params): AbstractRespo return $response; } -} \ No newline at end of file +} diff --git a/src/Server/ResponseModes/QueryResponseMode.php b/src/Server/ResponseModes/QueryResponseMode.php index 58ecc563..2a379447 100644 --- a/src/Server/ResponseModes/QueryResponseMode.php +++ b/src/Server/ResponseModes/QueryResponseMode.php @@ -17,4 +17,4 @@ public function buildResponse(string $redirectUri, array $params): AbstractRespo return $response; } -} \ No newline at end of file +} diff --git a/src/Server/ResponseModes/ResponseModeInterface.php b/src/Server/ResponseModes/ResponseModeInterface.php index 72705510..529e4824 100644 --- a/src/Server/ResponseModes/ResponseModeInterface.php +++ b/src/Server/ResponseModes/ResponseModeInterface.php @@ -9,4 +9,4 @@ interface ResponseModeInterface { public function buildResponse(string $redirectUri, array $params): AbstractResponseType; -} \ No newline at end of file +} diff --git a/src/Server/ResponseTypes/HtmlResponse.php b/src/Server/ResponseTypes/HtmlResponse.php index 920c3409..28aeb15a 100644 --- a/src/Server/ResponseTypes/HtmlResponse.php +++ b/src/Server/ResponseTypes/HtmlResponse.php @@ -1,11 +1,11 @@ 'https://example.com/jwks', 'signed_jwks_uri' => 'https://example.com/signed-jwks', + 'response_modes_allowed' => ['query', 'fragment', 'form_post'], ]; protected function setUp(): void diff --git a/tests/unit/src/Forms/ClientFormTest.php b/tests/unit/src/Forms/ClientFormTest.php index 425c3d2e..7638da68 100644 --- a/tests/unit/src/Forms/ClientFormTest.php +++ b/tests/unit/src/Forms/ClientFormTest.php 
@@ -81,6 +81,7 @@ public function setUp(): void ), 'expires_at' => null, 'allowed_origin' => [], + 'response_modes_allowed' => ['query', 'fragment', 'form_post',], ]; } diff --git a/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php b/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php index c70118db..e1d705d0 100644 --- a/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php +++ b/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php @@ -12,6 +12,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; /** @@ -121,6 +122,7 @@ public function testSetData(RequestRulesManager $requestRulesManager): void $this->identicalTo($this->request), $this->isInstanceOf(ResultBagInterface::class), $this->isInstanceOf(LoggerService::class), + $this->isInstanceOf(ResponseModeInterface::class), $this->arrayHasKey($this->key), ); diff --git a/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php index 8a147402..15f2a8f0 100644 --- a/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php @@ -65,7 +65,6 @@ public function testNoAcrIsSetIfAcrValuesNotRequested(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - [], $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); $this->assertNull($result->getValue()); @@ -84,7 +83,6 @@ public function testPopulatesAcrValuesFromClaimsParameter(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - [], $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); 
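Review bot: The expectation added to `testSetData` (`$this->isInstanceOf(ResponseModeInterface::class)`) covers only the case where the manager passes a concrete response mode to the rule, while the rule signatures in this commit declare the parameter as `?ResponseModeInterface`. If the manager can call `checkRule` before a response mode has been resolved, a second test asserting the `null` case would keep that path from regressing. If it never passes `null`, the parameter could be declared non-nullable instead. The test method starts outside this hunk, so how the manager obtains the response mode is not visible here.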
@@ -103,7 +101,6 @@ public function testPopulatesAcrValuesFromAcrValuesRequestParameter(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - [], $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); diff --git a/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php index 1eefe354..39ac78be 100644 --- a/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php @@ -13,9 +13,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\ResultBag; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AddClaimsToIdTokenRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\AddClaimsToIdTokenRule @@ -86,7 +86,13 @@ public function testAddClaimsToIdTokenRuleTest($responseType) { $this->resultBag->add(new Result(ResponseTypeRule::class, $responseType)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? new Result(AddClaimsToIdTokenRule::class, null); $this->assertTrue($result->getValue()); } 
@@ -106,7 +112,13 @@ public function testDoNotAddClaimsToIdTokenRuleTest($responseType) { $this->resultBag->add(new Result(ResponseTypeRule::class, $responseType)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? new Result(AddClaimsToIdTokenRule::class, null); $this->assertFalse($result->getValue()); @@ -131,6 +143,12 @@ public static function invalidResponseTypeProvider(): array public function testAddClaimsToIdTokenRuleThrowsWithNoResponseTypeParamTest() { $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php index fad91778..fe5de3e2 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php @@ -16,12 +16,12 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\FederationCache; use SimpleSAML\Module\oidc\Utils\FederationParticipationValidator; use SimpleSAML\Module\oidc\Utils\JwksResolver; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Federation; /** 
@@ -94,7 +94,6 @@ public function testCheckRuleEmptyClientIdThrows(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - [], $this->responseModeStub, ); } @@ -108,7 +107,6 @@ public function testCheckRuleInvalidClientThrows(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - [], $this->responseModeStub, ); } @@ -126,7 +124,6 @@ public function testCheckRuleForValidClientId(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - [], $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); diff --git a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php index 2bf60769..d1dea826 100644 --- a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php @@ -19,9 +19,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRedirectUriRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeMethodRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeMethodRule @@ -78,7 +78,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** 
@@ -90,7 +90,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -103,7 +103,7 @@ public function testCheckRuleWithInvalidCodeChallengeMethodThrows(): void $this->codeChallengeVerifiersRepositoryMock->expects($this->once())->method('has') ->with('invalid')->willReturn(false); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -116,7 +116,13 @@ public function testCheckRuleForValidCodeChallengeMethod(): void $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn('plain'); $this->codeChallengeVerifiersRepositoryMock->expects($this->once())->method('has') ->with('plain')->willReturn(true); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame('plain', $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php index dd672df0..c162aa90 100644 --- a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php 
@@ -19,9 +19,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeRule @@ -80,7 +80,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -92,7 +92,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** 
@@ -103,7 +103,13 @@ public function testCheckRuleNoCodeReturnsNullForConfidentialClients(): void $this->clientStub->method('isConfidential')->willReturn(true); $resultBag = $this->prepareValidResultBag(); $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn(null); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertNull($result->getValue()); } @@ -116,7 +122,7 @@ public function testCheckRuleInvalidCodeChallengeThrows(): void $resultBag = $this->prepareValidResultBag(); $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn('too-short'); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -128,7 +134,13 @@ public function testCheckRuleForValidCodeChallenge(): void $resultBag = $this->prepareValidResultBag(); $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn($this->codeChallenge); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame($this->codeChallenge, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php index e5661a4b..dbfd3864 100644 
--- a/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php @@ -14,9 +14,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Core; use SimpleSAML\OpenID\Core\Factories\IdTokenFactory; use SimpleSAML\OpenID\Core\IdToken; @@ -113,7 +113,6 @@ public function testCheckRuleIsNullWhenParamNotSet(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - [], $this->responseModeStub, ) ?? new Result(IdTokenHintRule::class); @@ -127,7 +126,12 @@ public function testCheckRuleThrowsForMalformedIdToken(): void { $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn('malformed'); $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + ); } /** @@ -144,7 +148,12 @@ public function testCheckRuleThrowsForIdTokenWithInvalidSignature(): void ->with('invalid-it-token') ->willReturn($this->idTokenMock); $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + ); } /** 
@@ -162,7 +171,12 @@ public function testCheckRuleThrowsForIdTokenWithInvalidIssuer(): void $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods') ->willReturn('id-token'); $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + ); } /** @@ -177,7 +191,12 @@ public function testCheckRulePassesForValidIdToken(): void $this->idTokenMock->method('getIssuer')->willReturn(self::$issuer); $this->idTokenFactoryMock->method('fromToken') ->willReturn($this->idTokenMock); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + ) ?? new Result(IdTokenHintRule::class); $this->assertInstanceOf(IdToken::class, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php index f0fc017f..c02c5e0e 100644 --- a/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php 
@@ -21,9 +21,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PostLogoutRedirectUriRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Core\IdToken; use Throwable; @@ -110,7 +110,13 @@ protected function sut( */ public function testCheckRuleReturnsNullIfNoParamSet(): void { - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? (new Result(PostLogoutRedirectUriRule::class)); $this->assertNull($result->getValue()); @@ -126,7 +132,13 @@ public function testCheckRuleThrowsWhenIdTokenHintNotAvailable(): void $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -151,7 +163,13 @@ public function testCheckRuleThrowsWhenAudClaimNotValid(): void $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? (new Result(PostLogoutRedirectUriRule::class)); } 
@@ -179,7 +197,13 @@ public function testCheckRuleThrowsWhenClientNotFound(): void $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -207,7 +231,13 @@ public function testCheckRuleThrowsWhenPostLogoutRegisteredUriNotRegistered(): v $this->expectException(Throwable::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -234,7 +264,13 @@ public function testCheckRuleReturnsForRegisteredPostLogoutRedirectUri(): void new Result(IdTokenHintRule::class, $this->idTokenMock), ); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? (new Result(PostLogoutRedirectUriRule::class)); $this->assertEquals(self::$postLogoutRedirectUri, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php index 2738c826..e935495b 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php 
@@ -17,9 +17,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\ResultBag; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRedirectUriRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRedirectUriRule @@ -76,7 +76,13 @@ protected function sut( public function testCheckRuleClientIdDependency(): void { $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } /** @@ -87,7 +93,13 @@ public function testCheckRuleWithInvalidClientDependancy(): void { $this->resultBag->add(new Result(ClientRule::class, 'invalid')); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } /** @@ -98,7 +110,7 @@ public function testCheckRuleRedirectUriNotSetThrows(): void $resultBag = $this->prepareValidResultBag(); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** 
@@ -110,7 +122,7 @@ public function testCheckRuleDifferentClientRedirectUriThrows(): void $resultBag = $this->prepareValidResultBag(); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -124,7 +136,13 @@ public function testCheckRuleDifferentClientRedirectUriArrayThrows(): void $this->resultBag->add(new Result(ClientRule::class, $this->clientStub)); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } /** @@ -137,7 +155,13 @@ public function testCheckRuleWithValidRedirectUri(): void $resultBag = $this->prepareValidResultBag(); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame($this->redirectUri, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php index 017d9045..93428cb7 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php 
@@ -17,10 +17,10 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRedirectUriRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\JwksResolver; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\OpenID\Core\RequestObject; #[CoversClass(RequestObjectRule::class)] @@ -77,7 +77,13 @@ public function testCanCreateInstance(): void public function testRequestParamCanBeAbsent(): void { - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertNull($result); } @@ -88,7 +94,13 @@ public function testUnprotectedRequestParamCanBeUsed(): void $this->requestParamsResolverMock->expects($this->once())->method('parseRequestObjectToken') ->with('token')->willReturn($this->requestObjectMock); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertInstanceOf(Result::class, $result); $this->assertIsArray($result->getValue()); $this->assertNotEmpty($result->getValue()); 
@@ -103,7 +115,13 @@ public function testMissingClientJwksThrows(): void $this->clientStub->expects($this->once())->method('getJwks')->willReturn(null); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } public function testThrowsForInvalidRequestObject(): void @@ -119,7 +137,13 @@ public function testThrowsForInvalidRequestObject(): void ->willReturn(['jwks']); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } public function testReturnsValidRequestObject(): void @@ -135,7 +159,13 @@ public function testReturnsValidRequestObject(): void ->with($this->clientStub) ->willReturn(['jwks']); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertInstanceOf(Result::class, $result); $this->assertIsArray($result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php index 57ce690e..eef31f90 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php 
@@ -15,10 +15,10 @@ use SimpleSAML\Module\oidc\Server\RequestRules\ResultBag; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestedClaimsRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestedClaimsRule @@ -83,7 +83,13 @@ protected function sut( */ public function testNoRequestedClaims(): void { - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertNull($result); } @@ -116,7 +122,13 @@ public function testWithClaims(): void $this->requestParamsResolverStub->method('getBasedOnAllowedMethods')->willReturn(json_encode($requestedClaims)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertNotNull($result); $this->assertEquals($expectedClaims, $result->getValue()); } 
@@ -135,7 +147,13 @@ public function testOnlyWithNonStandardClaimRequest(): void $requestedClaims = $expectedClaims; $this->requestParamsResolverStub->method('getBasedOnAllowedMethods')->willReturn(json_encode($requestedClaims)); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); $this->assertNotNull($result); $this->assertEquals($expectedClaims, $result->getValue()); } diff --git a/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php index 8bafbba9..de4e4559 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php @@ -15,9 +15,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRedirectUriRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule @@ -80,7 +80,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** 
@@ -92,7 +92,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -104,7 +104,13 @@ public function testCheckRulePassesWhenNonceIsPresent() $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods') ->willReturn($this->requestQueryParams['nonce']); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? new Result(RequiredNonceRule::class, null); $this->assertEquals($this->requestQueryParams['nonce'], $result->getValue()); @@ -117,6 +123,12 @@ public function testCheckRuleThrowsWhenNonceIsNotPresent() { $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php index de7aa228..849792c5 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php 
@@ -17,9 +17,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule @@ -79,7 +79,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -91,7 +91,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } /** @@ -105,7 +105,13 @@ public function testCheckRulePassesWhenOpenIdScopeIsPresent() $resultBag->add($this->stateResult); $resultBag->add($this->scopeResult); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? new Result(RequiredOpenIdScopeRule::class, null); $this->assertTrue($result->getValue()); 
@@ -126,6 +132,6 @@ public function testCheckRuleThrowsWhenOpenIdScopeIsNotPresent() $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php index 5d262439..83dccca0 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php @@ -12,9 +12,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Result; use SimpleSAML\Module\oidc\Server\RequestRules\ResultBag; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule @@ -87,7 +87,13 @@ public function testResponseTypeRuleTest($responseType) { $this->requestParams['response_type'] = $responseType; $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($this->requestParams); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? new Result(ResponseTypeRule::class, null); $this->assertSame($responseType, $result->getValue()); } 
@@ -106,6 +112,12 @@ public function testResponseTypeRuleThrowsWithNoResponseTypeParamTest() unset($params['response_type']); $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $this->resultBag, $this->loggerServiceStub, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php index dd6e75af..4aa672bc 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php @@ -17,9 +17,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule 
@@ -118,7 +118,13 @@ public function testReturnsFalseWhenOfflineAccessScopeNotPresent(): void $this->moduleConfigStub->method('config') ->willReturn($this->openIdConfigurationStub); - $result = $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->serverRequestStub, + $this->resultBagMock, + $this->loggerServiceMock, + $this->responseModeStub, + [], + ); $this->assertNotNull($result); $this->assertFalse($result->getValue()); @@ -149,7 +155,13 @@ public function testThrowsWhenClientDoesntHaveOfflineAccessScopeRegistered(): vo $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, [], $this->responseModeStub); + $this->sut()->checkRule( + $this->serverRequestStub, + $this->resultBagMock, + $this->loggerServiceMock, + $this->responseModeStub, + [], + ); } /** @@ -176,7 +188,13 @@ public function testReturnsTrueWhenClientDoesHaveOfflineAccessScopeRegistered(): $this->moduleConfigStub->method('config') ->willReturn($this->openIdConfigurationStub); - $result = $this->sut()->checkRule($this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, [], $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->serverRequestStub, + $this->resultBagMock, + $this->loggerServiceMock, + $this->responseModeStub, + [], + ); $this->assertNotNull($result); $this->assertTrue($result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php index 5f601970..318674fc 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php 
@@ -20,9 +20,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRedirectUriRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule @@ -101,7 +101,13 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + $this->data, + ); } /** @@ -113,7 +119,13 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + $this->data, + ); } /** @@ -137,7 +149,13 @@ public function testValidScopes(): void ), ); - $result = $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); + $result = $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + $this->data, + ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertIsArray($result->getValue()); $this->assertSame($this->scopeEntities['openid'], $result->getValue()[0]); 
@@ -164,7 +182,13 @@ public function testInvalidScopeThrows(): void ); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->data, $this->responseModeStub); + $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + $this->data, + ); } protected function prepareValidResultBag(): ResultBag diff --git a/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php index c3253b0e..ca06ccf3 100644 --- a/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php @@ -11,9 +11,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\ResultBag; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\AbstractRule @@ -68,7 +68,13 @@ public function testCheckRuleHasValue(): void $resultBag = new ResultBag(); $data = []; - $result = $this->sut()->checkRule($request, $resultBag, $this->loggerServiceStub, $data, $this->responseModeStub); + $result = $this->sut()->checkRule( + $request, + $resultBag, + $this->loggerServiceStub, + $this->responseModeStub, + $data, + ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertSame($value, $result->getValue()); @@ -88,7 +94,6 @@ public function testCheckRulePostMethod(): void $request, $resultBag, $this->loggerServiceStub, - [], $this->responseModeStub, ); 
diff --git a/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php index f885e0d5..1876bb75 100644 --- a/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php @@ -11,9 +11,9 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule; +use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; -use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; /** * @covers \SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule @@ -62,7 +62,13 @@ public function testCheckRuleReturnsResultWhenParamSet() { $this->requestParamsResolverStub->method('getBasedOnAllowedMethods')->willReturn('en'); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? new Result(UiLocalesRule::class); $this->assertEquals('en', $result->getValue()); @@ -75,7 +81,13 @@ public function testCheckRuleReturnsNullWhenParamNotSet() { $this->requestStub->method('getQueryParams')->willReturn([]); - $result = $this->sut()->checkRule($this->requestStub, $this->resultBagStub, $this->loggerServiceStub, [], $this->responseModeStub) ?? + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBagStub, + $this->loggerServiceStub, + $this->responseModeStub, + [], + ) ?? new Result(UiLocalesRule::class); $this->assertNull($result->getValue()); From 12ac4f83b1fbe9aa77edcf97e964e0dd3dbbfeaf Mon Sep 17 00:00:00 2001 
From: Harm Date: Wed, 6 May 2026 15:36:06 +0200 Subject: [PATCH 07/13] Fix some conformance issues --- src/Entities/ClientEntity.php | 6 ++++-- src/Server/RequestRules/Rules/ResponseModeRule.php | 10 +++++----- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/Entities/ClientEntity.php b/src/Entities/ClientEntity.php index 9bcab000..aae1958a 100644 --- a/src/Entities/ClientEntity.php +++ b/src/Entities/ClientEntity.php @@ -392,13 +392,15 @@ public function getIdTokenSignedResponseAlg(): ?string public function getAllowedResponseModes(): array { if (!is_array($this->extraMetadata)) { - return []; + // Default to allowing all response modes + return ['query', 'fragment', 'form_post']; } $allowedResponseModes = $this->extraMetadata['allowed_response_modes'] ?? null; if (!is_array($allowedResponseModes)) { - return []; + // Default to allowing all response modes + return ['query', 'fragment', 'form_post']; } return $allowedResponseModes; diff --git a/src/Server/RequestRules/Rules/ResponseModeRule.php b/src/Server/RequestRules/Rules/ResponseModeRule.php index fa4b1269..2b94a5bc 100644 --- a/src/Server/RequestRules/Rules/ResponseModeRule.php +++ b/src/Server/RequestRules/Rules/ResponseModeRule.php @@ -48,12 +48,11 @@ public function checkRule( $allowedServerRequestMethods, ); - // response_mode requires client_id and response_type to be present + // response_mode requires client_id to be present if ( - !isset($requestParams[ParamsEnum::ClientId->value]) || - !isset($requestParams[ParamsEnum::ResponseType->value]) + !isset($requestParams[ParamsEnum::ClientId->value]) ) { - throw OidcServerException::invalidRequest('Missing client_id or response_type'); + throw OidcServerException::invalidRequest('Missing client_id'); } $reponseModeValue = $requestParams[ParamsEnum::ResponseMode->value] ?? null; 
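Review bot: Both fallbacks in `getAllowedResponseModes()` now fail open, and the second one also fires when `allowed_response_modes` is present but malformed. A client configured with a string such as `'form_post'` instead of an array would silently be granted every mode rather than the one its administrator intended. I would default only when the key is absent and keep the restrictive result for a wrong type: `if ($allowedResponseModes === null) { return self::DEFAULT_RESPONSE_MODES; }` followed by `if (!is_array($allowedResponseModes)) { return []; }`, with the list held in one class constant (the name is a suggestion) instead of two literals. Because `query` is now allowed by default for every client, it is worth confirming that ResponseModeRule still refuses `query` for response types that return tokens, since tokens in a query string end up in server logs and Referer headers; that check is not visible in this patch.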
@@ -61,7 +60,8 @@ public function checkRule( // if response_mode is not set, we set the default - $responseType = $requestParams[ParamsEnum::ResponseType->value]; + // default to 'code' if not set. Error will be thrown by ResponseTypeRule. + $responseType = $requestParams[ParamsEnum::ResponseType->value] ?? 'code'; if (!$reponseModeValue) { switch ($responseType) { case str_contains($responseType, 'token'): From fd46417d6d73735200b313f97256d260526b9f8c Mon Sep 17 00:00:00 2001 
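Review bot: The new `?? 'code'` fallback covers only an absent `response_type`; an empty or non-string value (for example an array-valued query parameter, if the resolver passes those through) still reaches `str_contains()` a few lines below. The surrounding `switch ($responseType)` compares the string loosely against the boolean each `case` yields, so an empty `response_type` equals `false` and selects the `token` branch even though it contains no token. Normalising first with `if (!is_string($responseType) || $responseType === '') { $responseType = 'code'; }` and switching on `true` (`switch (true) {`) removes both surprises. The rest of the switch lies outside the hunk.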
From: Harm Date: Fri, 8 May 2026 10:39:27 +0200 Subject: [PATCH 08/13] refactor checkRule api back, psalm fixes --- .../CredentialIssuerCredentialController.php | 2 +- .../RequestRules/Interfaces/RequestRuleInterface.php | 9 ++++++--- src/Server/RequestRules/RequestRulesManager.php | 4 ++-- src/Server/RequestRules/Rules/AcrValuesRule.php | 4 +++- .../RequestRules/Rules/AddClaimsToIdTokenRule.php | 5 ++++- .../RequestRules/Rules/AuthorizationDetailsRule.php | 4 +++- .../RequestRules/Rules/ClientAuthenticationRule.php | 4 +++- src/Server/RequestRules/Rules/ClientIdRule.php | 5 ++++- .../RequestRules/Rules/ClientRedirectUriRule.php | 5 ++++- src/Server/RequestRules/Rules/ClientRule.php | 5 ++++- .../RequestRules/Rules/CodeChallengeMethodRule.php | 4 +++- src/Server/RequestRules/Rules/CodeChallengeRule.php | 5 ++++- src/Server/RequestRules/Rules/CodeVerifierRule.php | 4 +++- src/Server/RequestRules/Rules/IdTokenHintRule.php | 5 ++++- src/Server/RequestRules/Rules/IssuerStateRule.php | 4 +++- src/Server/RequestRules/Rules/MaxAgeRule.php | 4 +++- .../RequestRules/Rules/PostLogoutRedirectUriRule.php | 5 ++++- src/Server/RequestRules/Rules/PromptRule.php | 4 +++- src/Server/RequestRules/Rules/RequestObjectRule.php | 4 +++- .../RequestRules/Rules/RequestedClaimsRule.php | 4 +++- src/Server/RequestRules/Rules/RequiredNonceRule.php | 5 ++++- .../RequestRules/Rules/RequiredOpenIdScopeRule.php | 5 ++++- src/Server/RequestRules/Rules/ResponseModeRule.php | 8 +++++--- src/Server/RequestRules/Rules/ResponseTypeRule.php | 5 ++++- .../RequestRules/Rules/ScopeOfflineAccessRule.php | 5 ++++- src/Server/RequestRules/Rules/ScopeRule.php | 5 ++++- src/Server/RequestRules/Rules/StateRule.php | 4 +++- src/Server/RequestRules/Rules/UiLocalesRule.php | 4 +++- src/Utils/Routes.php | 2 +- .../Server/RequestRules/RequestRulesManagerTest.php | 2 +- .../Server/RequestRules/Rules/AcrValuesRuleTest.php | 3 +++ .../Rules/AddClaimsToIdTokenRuleTest.php | 6 +++--- 
.../src/Server/RequestRules/Rules/ClientRuleTest.php | 3 +++ .../Rules/CodeChallengeMethodRuleTest.php | 8 ++++---- .../RequestRules/Rules/CodeChallengeRuleTest.php | 10 +++++----- .../RequestRules/Rules/IdTokenHintRuleTest.php | 5 +++++ .../Rules/PostLogoutRedirectUriRuleTest.php | 12 ++++++------ .../RequestRules/Rules/RedirectUriRuleTest.php | 12 ++++++------ .../RequestRules/Rules/RequestObjectRuleTest.php | 10 +++++----- .../RequestRules/Rules/RequestedClaimsRuleTest.php | 6 +++--- .../RequestRules/Rules/RequiredNonceRuleTest.php | 8 ++++---- .../Rules/RequiredOpenIdScopeRuleTest.php | 8 ++++---- .../RequestRules/Rules/ResponseTypeRuleTest.php | 4 ++-- .../Rules/ScopeOfflineAccessRuleTest.php | 6 +++--- .../src/Server/RequestRules/Rules/ScopeRuleTest.php | 8 ++++---- .../src/Server/RequestRules/Rules/StateRuleTest.php | 3 ++- .../Server/RequestRules/Rules/UiLocalesRuleTest.php | 4 ++-- 47 files changed, 164 insertions(+), 87 deletions(-) diff --git a/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php b/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php index 3595a3a1..6dd7da8b 100644 --- a/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php +++ b/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php @@ -808,7 +808,7 @@ public function credential(Request $request): Response * @psalm-suppress UnusedVariable, MixedAssignment * @param array-key[] $path */ - protected function setCredentialClaimValue(array &$claims, array $path, mixed $value): void + protected function setCredentialClaimValue(array &$claims, array $path, string $value): void { $temp = &$claims; diff --git a/src/Server/RequestRules/Interfaces/RequestRuleInterface.php b/src/Server/RequestRules/Interfaces/RequestRuleInterface.php index 71b62d64..65a39950 100644 --- a/src/Server/RequestRules/Interfaces/RequestRuleInterface.php +++ b/src/Server/RequestRules/Interfaces/RequestRuleInterface.php 
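Review bot: Narrowing `$value` from `mixed` to `string` in `setCredentialClaimValue()` changes runtime behaviour, not only the Psalm result: a boolean, numeric or nested claim value would now raise a `TypeError`, or be coerced to a string if the file does not declare strict types. If credential claims can carry non-string values, a union such as `string|int|float|bool|array|null $value` keeps the analyser satisfied without rejecting them. The same narrowing is applied to `RequestRulesManager::setData()` later in this patch, which limits the data callers can hand to the rules in the same way. The method body continues outside the hunk.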
@@ -5,6 +5,7 @@ namespace SimpleSAML\Module\oidc\Server\RequestRules\Interfaces; use Psr\Http\Message\ServerRequestInterface; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -19,21 +20,23 @@ public function getKey(): string; /** * Check specific rule. + * * @param \SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface $currentResultBag * ResultBag with all results of the checks performed to current check * @param array $data Data which will be available during check. - * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode - * Response mode to use for error responses + * @param ResponseModeInterface $responseMode Response mode to use for error responses * @param HttpMethodsEnum[] $allowedServerRequestMethods Indicate allowed HTTP methods used for request + * * @return \SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface|null Result of the specific check + * * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException If check fails */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface; } diff --git a/src/Server/RequestRules/RequestRulesManager.php b/src/Server/RequestRules/RequestRulesManager.php index ff7c3c1d..9adfad34 100644 --- a/src/Server/RequestRules/RequestRulesManager.php +++ b/src/Server/RequestRules/RequestRulesManager.php @@ -68,8 +68,8 @@ public function check( $request, $this->resultBag, $this->loggerService, - $responseMode, $this->data, + $responseMode, $allowedServerRequestMethods, ); 
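Review bot: Giving `$responseMode` a default of `new QueryResponseMode()` in `RequestRuleInterface::checkRule()` means a caller that forgets the argument gets errors delivered through the query string instead of the mode negotiated for the request, and nothing flags the omission. Since the nullable type is gone anyway, keeping the parameter required makes the negotiated mode explicit at every call site, e.g. `array $data, ResponseModeInterface $responseMode,` without defaults if this parameter order has to stay. A default declared on an interface method is also not inherited, so every rule class changed in this patch has to repeat it and the copies can drift apart.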
@@ -100,7 +100,7 @@ public function predefineResultBag(ResultBagInterface $resultBag): void /** * Set data which will be available in each check, using key value pair */ - public function setData(string $key, mixed $value): void + public function setData(string $key, string $value): void { $this->data[$key] = $value; } diff --git a/src/Server/RequestRules/Rules/AcrValuesRule.php b/src/Server/RequestRules/Rules/AcrValuesRule.php index e00f6ad5..5ce8fdf6 100644 --- a/src/Server/RequestRules/Rules/AcrValuesRule.php +++ b/src/Server/RequestRules/Rules/AcrValuesRule.php @@ -17,13 +17,15 @@ class AcrValuesRule extends AbstractRule { /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('AcrValuesRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php index b5f731fd..e118c0f6 100644 --- a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php +++ b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php @@ -16,14 +16,17 @@ class AddClaimsToIdTokenRule extends AbstractRule { /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string $responseType */ 
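Review bot: `new QueryResponseMode()` is used as a default in `AcrValuesRule::checkRule()`, but the hunk adds no `use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode;`, unlike the interface file, which does add it. Unless an earlier patch in the series already imports it, the name resolves relative to the `Rules` namespace and the default fails with a class-not-found error the first time a caller omits the argument. RequestRulesManager always passes the argument, so this would stay hidden until then. The same applies to the other rule classes changed here (AddClaimsToIdTokenRule, AuthorizationDetailsRule, ClientAuthenticationRule, ClientIdRule, ClientRedirectUriRule, ClientRule, CodeChallengeMethodRule and the remaining rules listed in the diffstat). The added `@param ResponseModeInterface $responseMode` lines would also read better above the `@throws` tags than after them.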
diff --git a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php index af3c70b8..c9d1a23f 100644 --- a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php +++ b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php @@ -29,13 +29,15 @@ public function __construct( /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('AuthorizationDetailsRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php index 400ed532..963b12c7 100644 --- a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php +++ b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php @@ -29,13 +29,15 @@ public function __construct( /** * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { diff --git a/src/Server/RequestRules/Rules/ClientIdRule.php b/src/Server/RequestRules/Rules/ClientIdRule.php index 48ce1c39..6c9dad2f 100644 --- a/src/Server/RequestRules/Rules/ClientIdRule.php +++ b/src/Server/RequestRules/Rules/ClientIdRule.php 
@@ -21,6 +21,7 @@ class ClientIdRule extends AbstractRule { /** * @inheritDoc + * * @throws \JsonException * @throws \League\OAuth2\Server\Exception\OAuthServerException * @throws \Psr\SimpleCache\InvalidArgumentException @@ -33,13 +34,15 @@ class ClientIdRule extends AbstractRule * @throws \SimpleSAML\OpenID\Exceptions\RequestObjectException * @throws \SimpleSAML\OpenID\Exceptions\TrustChainException * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ClientIdRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php index 27320e32..29364c2c 100644 --- a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php @@ -31,14 +31,17 @@ public function __construct( /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RedirectUriRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/ClientRule.php b/src/Server/RequestRules/Rules/ClientRule.php index c3c2088b..a2f78202 100644 --- a/src/Server/RequestRules/Rules/ClientRule.php +++ b/src/Server/RequestRules/Rules/ClientRule.php 
@@ -54,6 +54,7 @@ public function __construct( /** * @inheritDoc + * * @throws \JsonException * @throws \League\OAuth2\Server\Exception\OAuthServerException * @throws \Psr\SimpleCache\InvalidArgumentException @@ -66,13 +67,15 @@ public function __construct( * @throws \SimpleSAML\OpenID\Exceptions\RequestObjectException * @throws \SimpleSAML\OpenID\Exceptions\TrustChainException * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ClientRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php index 53d5f799..31f0730c 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php +++ b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php @@ -30,13 +30,15 @@ public function __construct( /** * @throws \Throwable * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('CodeChallengeMethodRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/CodeChallengeRule.php b/src/Server/RequestRules/Rules/CodeChallengeRule.php index 92ded541..e9b2d067 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeRule.php 
+++ b/src/Server/RequestRules/Rules/CodeChallengeRule.php @@ -18,14 +18,17 @@ class CodeChallengeRule extends AbstractRule { /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('CodeChallengeRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/CodeVerifierRule.php b/src/Server/RequestRules/Rules/CodeVerifierRule.php index 1a2cb041..f37e6c4e 100644 --- a/src/Server/RequestRules/Rules/CodeVerifierRule.php +++ b/src/Server/RequestRules/Rules/CodeVerifierRule.php @@ -18,13 +18,15 @@ class CodeVerifierRule extends AbstractRule { /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ diff --git a/src/Server/RequestRules/Rules/IdTokenHintRule.php b/src/Server/RequestRules/Rules/IdTokenHintRule.php index 91a83915..18a09f85 100644 --- a/src/Server/RequestRules/Rules/IdTokenHintRule.php +++ b/src/Server/RequestRules/Rules/IdTokenHintRule.php 
@@ -33,14 +33,17 @@ public function __construct( /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string|null $state */ diff --git a/src/Server/RequestRules/Rules/IssuerStateRule.php b/src/Server/RequestRules/Rules/IssuerStateRule.php index 6767ba9f..733e3be0 100644 --- a/src/Server/RequestRules/Rules/IssuerStateRule.php +++ b/src/Server/RequestRules/Rules/IssuerStateRule.php @@ -17,13 +17,15 @@ class IssuerStateRule extends AbstractRule { /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $issuerState = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods( diff --git a/src/Server/RequestRules/Rules/MaxAgeRule.php b/src/Server/RequestRules/Rules/MaxAgeRule.php index 656d20c5..acac9baa 100644 --- a/src/Server/RequestRules/Rules/MaxAgeRule.php +++ b/src/Server/RequestRules/Rules/MaxAgeRule.php 
@@ -38,13 +38,15 @@ public function __construct( * @throws \SimpleSAML\Error\NotFound * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('MaxAgeRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php index eee93c8c..1a028a4f 100644 --- a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php @@ -29,14 +29,17 @@ public function __construct( /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string|null $state */ diff --git a/src/Server/RequestRules/Rules/PromptRule.php b/src/Server/RequestRules/Rules/PromptRule.php index d5d490cc..6c29bdfa 100644 --- a/src/Server/RequestRules/Rules/PromptRule.php +++ b/src/Server/RequestRules/Rules/PromptRule.php 
@@ -39,13 +39,15 @@ public function __construct( * @throws \SimpleSAML\Error\NotFound * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('PromptRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/RequestObjectRule.php b/src/Server/RequestRules/Rules/RequestObjectRule.php index f48ce1e9..17b76bc0 100644 --- a/src/Server/RequestRules/Rules/RequestObjectRule.php +++ b/src/Server/RequestRules/Rules/RequestObjectRule.php @@ -30,13 +30,15 @@ public function __construct( /** * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequestObjectRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/RequestedClaimsRule.php b/src/Server/RequestRules/Rules/RequestedClaimsRule.php index ab2ddb63..8430bcb8 100644 --- a/src/Server/RequestRules/Rules/RequestedClaimsRule.php +++ b/src/Server/RequestRules/Rules/RequestedClaimsRule.php 
@@ -29,13 +29,15 @@ public function __construct( /** * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequestedClaimsRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/RequiredNonceRule.php b/src/Server/RequestRules/Rules/RequiredNonceRule.php index c0653e96..756ffcd5 100644 --- a/src/Server/RequestRules/Rules/RequiredNonceRule.php +++ b/src/Server/RequestRules/Rules/RequiredNonceRule.php @@ -18,14 +18,17 @@ class RequiredNonceRule extends AbstractRule { /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { /** @var string $redirectUri */ diff --git a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php index 557c162a..42dcb58f 100644 --- a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php +++ b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php 
@@ -17,14 +17,17 @@ class RequiredOpenIdScopeRule extends AbstractRule { /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('RequiredOpenIdScopeRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/ResponseModeRule.php b/src/Server/RequestRules/Rules/ResponseModeRule.php index 2b94a5bc..4d93a3dc 100644 --- a/src/Server/RequestRules/Rules/ResponseModeRule.php +++ b/src/Server/RequestRules/Rules/ResponseModeRule.php @@ -34,13 +34,15 @@ public function __construct( /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $requestParams = $this->requestParamsResolver->getAllBasedOnAllowedMethods( @@ -87,8 +89,8 @@ public function checkRule( // Validate whether response_mode is allowed by client configuration $client = $currentResultBag->getOrFail(ClientRule::class)->getValue(); - $redirectUri = $currentResultBag->getOrFail(ClientRedirectUriRule::class)->getValue(); - $state = $currentResultBag->getOrFail(StateRule::class)->getValue(); + $currentResultBag->getOrFail(ClientRedirectUriRule::class)->getValue(); + $currentResultBag->getOrFail(StateRule::class)->getValue(); $allowedResponseModes = $client->getAllowedResponseModes(); if (!in_array($reponseModeValue, $allowedResponseModes, true)) { 
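Review bot: The two `getOrFail(...)->getValue()` calls in the second ResponseModeRule hunk now discard their result, so they read as leftover code although they presumably still serve to fail when ClientRedirectUriRule or StateRule has not run. Drop the unused `->getValue()` and say why the calls stay, e.g. `// Fail early unless the redirect URI and state rules have already produced a result.` above `$currentResultBag->getOrFail(ClientRedirectUriRule::class);`. Keeping that dependency visible matters because the allowed-response-mode check that follows is presumably meant to run only for a request whose redirect URI was already checked. The `checkRule` body starts and ends outside this hunk.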
diff --git a/src/Server/RequestRules/Rules/ResponseTypeRule.php b/src/Server/RequestRules/Rules/ResponseTypeRule.php index 2fac497d..b9b4e624 100644 --- a/src/Server/RequestRules/Rules/ResponseTypeRule.php +++ b/src/Server/RequestRules/Rules/ResponseTypeRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -18,13 +19,15 @@ class ResponseTypeRule extends AbstractRule { /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $requestParams = $this->requestParamsResolver->getAllBasedOnAllowedMethods( diff --git a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php index b46587a2..2431f1d2 100644 --- a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php +++ b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php 
@@ -17,14 +17,17 @@ class ScopeOfflineAccessRule extends AbstractRule { /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ScopeOfflineAccessRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/ScopeRule.php b/src/Server/RequestRules/Rules/ScopeRule.php index 580c1760..664e811c 100644 --- a/src/Server/RequestRules/Rules/ScopeRule.php +++ b/src/Server/RequestRules/Rules/ScopeRule.php @@ -30,14 +30,17 @@ public function __construct( /** * @inheritDoc + * * @throws \Throwable + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('ScopeRule::checkRule.'); diff --git a/src/Server/RequestRules/Rules/StateRule.php b/src/Server/RequestRules/Rules/StateRule.php index fa000596..325fad39 100644 --- a/src/Server/RequestRules/Rules/StateRule.php +++ b/src/Server/RequestRules/Rules/StateRule.php 
@@ -17,13 +17,15 @@ class StateRule extends AbstractRule { /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { $loggerService->debug('StateRule::checkRule'); diff --git a/src/Server/RequestRules/Rules/UiLocalesRule.php b/src/Server/RequestRules/Rules/UiLocalesRule.php index 561fd0c9..ad93a985 100644 --- a/src/Server/RequestRules/Rules/UiLocalesRule.php +++ b/src/Server/RequestRules/Rules/UiLocalesRule.php @@ -17,13 +17,15 @@ class UiLocalesRule extends AbstractRule { /** * @inheritDoc + * + * @param ResponseModeInterface $responseMode */ public function checkRule( ServerRequestInterface $request, ResultBagInterface $currentResultBag, LoggerService $loggerService, - ?ResponseModeInterface $responseMode, array $data = [], + ResponseModeInterface $responseMode = new QueryResponseMode(), array $allowedServerRequestMethods = [HttpMethodsEnum::GET], ): ?ResultInterface { return new Result($this->getKey(), $this->requestParamsResolver->getBasedOnAllowedMethods( diff --git a/src/Utils/Routes.php b/src/Utils/Routes.php index ff5b2711..f4f16cda 100644 --- a/src/Utils/Routes.php +++ b/src/Utils/Routes.php @@ -53,7 +53,7 @@ public function newResponse( } public function newJsonResponse( - mixed $data = null, + array|null $data = null, int $status = 200, array $headers = [], bool $json = false, diff --git a/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php b/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php index e1d705d0..2efabc97 100644 --- a/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php +++ b/tests/unit/src/Server/RequestRules/RequestRulesManagerTest.php 
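Review bot: Typing `$data` as `array|null` in `newJsonResponse` conflicts with the `bool $json = false` parameter kept in the same signature: if that flag is forwarded to a JSON response class as "data is already a JSON string", a caller setting it to true can no longer pass the string. The narrower type also rejects scalars and JsonSerializable objects that `mixed` accepted. Either keep `mixed $data = null`, or widen to `array|string|null $data = null` and document in a docblock that a string is only valid together with `$json = true`. The method body lies outside the hunk, so how `$json` is used should be confirmed there.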
@@ -122,8 +122,8 @@ public function testSetData(RequestRulesManager $requestRulesManager): void $this->identicalTo($this->request), $this->isInstanceOf(ResultBagInterface::class), $this->isInstanceOf(LoggerService::class), - $this->isInstanceOf(ResponseModeInterface::class), $this->arrayHasKey($this->key), + $this->isInstanceOf(ResponseModeInterface::class), ); $requestRulesManager->add($ruleMock); diff --git a/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php index 15f2a8f0..8a147402 100644 --- a/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/AcrValuesRuleTest.php @@ -65,6 +65,7 @@ public function testNoAcrIsSetIfAcrValuesNotRequested(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); $this->assertNull($result->getValue()); @@ -83,6 +84,7 @@ public function testPopulatesAcrValuesFromClaimsParameter(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); @@ -101,6 +103,7 @@ public function testPopulatesAcrValuesFromAcrValuesRequestParameter(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ) ?? new Result(AcrValuesRule::class, null); diff --git a/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php index 39ac78be..121dc7e2 100644 --- a/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/AddClaimsToIdTokenRuleTest.php 
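Review bot: The updated calls in AcrValuesRuleTest insert a positional `[]` only to reach `$responseMode`, and every test hunk visible here passes `$this->responseModeStub` explicitly, so the new `new QueryResponseMode()` default is never exercised. Named arguments would remove the placeholder and survive another reordering, e.g. `responseMode: $this->responseModeStub,`. A test that omits the argument and asserts the resulting behaviour would pin the default. The same pattern repeats in the other rule tests in this patch, and the test method bodies start outside the hunks.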
@@ -90,8 +90,8 @@ public function testAddClaimsToIdTokenRuleTest($responseType) $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? new Result(AddClaimsToIdTokenRule::class, null); $this->assertTrue($result->getValue()); @@ -116,8 +116,8 @@ public function testDoNotAddClaimsToIdTokenRuleTest($responseType) $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? new Result(AddClaimsToIdTokenRule::class, null); @@ -147,8 +147,8 @@ public function testAddClaimsToIdTokenRuleThrowsWithNoResponseTypeParamTest() $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php index fe5de3e2..191c982a 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ClientRuleTest.php @@ -94,6 +94,7 @@ public function testCheckRuleEmptyClientIdThrows(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ); } @@ -107,6 +108,7 @@ public function testCheckRuleInvalidClientThrows(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ); } @@ -124,6 +126,7 @@ public function testCheckRuleForValidClientId(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); diff --git a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php index d1dea826..e3c66093 100644 --- a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php 
+++ b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeMethodRuleTest.php @@ -78,7 +78,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -90,7 +90,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -103,7 +103,7 @@ public function testCheckRuleWithInvalidCodeChallengeMethodThrows(): void $this->codeChallengeVerifiersRepositoryMock->expects($this->once())->method('has') ->with('invalid')->willReturn(false); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -120,8 +120,8 @@ public function testCheckRuleForValidCodeChallengeMethod(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); diff --git a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php index c162aa90..6e84765d 100644 --- a/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/CodeChallengeRuleTest.php 
@@ -80,7 +80,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -92,7 +92,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -107,8 +107,8 @@ public function testCheckRuleNoCodeReturnsNullForConfidentialClients(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertNull($result->getValue()); @@ -122,7 +122,7 @@ public function testCheckRuleInvalidCodeChallengeThrows(): void $resultBag = $this->prepareValidResultBag(); $this->requestParamsResolverStub->method('getAsStringBasedOnAllowedMethods')->willReturn('too-short'); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -138,8 +138,8 @@ public function testCheckRuleForValidCodeChallenge(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); 
diff --git a/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php index dbfd3864..65de0270 100644 --- a/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/IdTokenHintRuleTest.php @@ -113,6 +113,7 @@ public function testCheckRuleIsNullWhenParamNotSet(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ) ?? new Result(IdTokenHintRule::class); @@ -130,6 +131,7 @@ public function testCheckRuleThrowsForMalformedIdToken(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ); } @@ -152,6 +154,7 @@ public function testCheckRuleThrowsForIdTokenWithInvalidSignature(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ); } @@ -175,6 +178,7 @@ public function testCheckRuleThrowsForIdTokenWithInvalidIssuer(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ); } @@ -195,6 +199,7 @@ public function testCheckRulePassesForValidIdToken(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, + [], $this->responseModeStub, ) ?? new Result(IdTokenHintRule::class); diff --git a/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php index c02c5e0e..8b5c225a 100644 --- a/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/PostLogoutRedirectUriRuleTest.php @@ -114,8 +114,8 @@ public function testCheckRuleReturnsNullIfNoParamSet(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? (new Result(PostLogoutRedirectUriRule::class)); 
@@ -136,8 +136,8 @@ public function testCheckRuleThrowsWhenIdTokenHintNotAvailable(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -167,8 +167,8 @@ public function testCheckRuleThrowsWhenAudClaimNotValid(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -201,8 +201,8 @@ public function testCheckRuleThrowsWhenClientNotFound(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -235,8 +235,8 @@ public function testCheckRuleThrowsWhenPostLogoutRegisteredUriNotRegistered(): v $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? (new Result(PostLogoutRedirectUriRule::class)); } @@ -268,8 +268,8 @@ public function testCheckRuleReturnsForRegisteredPostLogoutRedirectUri(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? (new Result(PostLogoutRedirectUriRule::class)); diff --git a/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php index e935495b..68dbd391 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RedirectUriRuleTest.php @@ -80,8 +80,8 @@ public function testCheckRuleClientIdDependency(): void $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } 
@@ -97,8 +97,8 @@ public function testCheckRuleWithInvalidClientDependancy(): void $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } @@ -110,7 +110,7 @@ public function testCheckRuleRedirectUriNotSetThrows(): void $resultBag = $this->prepareValidResultBag(); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -122,7 +122,7 @@ public function testCheckRuleDifferentClientRedirectUriThrows(): void $resultBag = $this->prepareValidResultBag(); $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -140,8 +140,8 @@ public function testCheckRuleDifferentClientRedirectUriArrayThrows(): void $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } @@ -159,8 +159,8 @@ public function testCheckRuleWithValidRedirectUri(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); diff --git a/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php index 93428cb7..56f0679a 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequestObjectRuleTest.php 
@@ -81,8 +81,8 @@ public function testRequestParamCanBeAbsent(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertNull($result); } @@ -98,8 +98,8 @@ public function testUnprotectedRequestParamCanBeUsed(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertInstanceOf(Result::class, $result); $this->assertIsArray($result->getValue()); @@ -119,8 +119,8 @@ public function testMissingClientJwksThrows(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } @@ -141,8 +141,8 @@ public function testThrowsForInvalidRequestObject(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } @@ -163,8 +163,8 @@ public function testReturnsValidRequestObject(): void $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertInstanceOf(Result::class, $result); diff --git a/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php index eef31f90..33caca10 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequestedClaimsRuleTest.php @@ -87,8 +87,8 @@ public function testNoRequestedClaims(): void $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertNull($result); } 
@@ -126,8 +126,8 @@ public function testWithClaims(): void $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertNotNull($result); $this->assertEquals($expectedClaims, $result->getValue()); @@ -151,8 +151,8 @@ public function testOnlyWithNonStandardClaimRequest(): void $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertNotNull($result); $this->assertEquals($expectedClaims, $result->getValue()); diff --git a/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php index de4e4559..cb15a571 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequiredNonceRuleTest.php @@ -80,7 +80,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -92,7 +92,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -108,8 +108,8 @@ public function testCheckRulePassesWhenNonceIsPresent() $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? new Result(RequiredNonceRule::class, null); 
@@ -127,8 +127,8 @@ public function testCheckRuleThrowsWhenNonceIsNotPresent() $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php index 849792c5..84de98eb 100644 --- a/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/RequiredOpenIdScopeRuleTest.php @@ -79,7 +79,7 @@ public function testCheckRuleRedirectUriDependency(): void { $resultBag = new ResultBag(); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -91,7 +91,7 @@ public function testCheckRuleStateDependency(): void $resultBag = new ResultBag(); $resultBag->add($this->redirectUriResult); $this->expectException(LogicException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } /** @@ -109,8 +109,8 @@ public function testCheckRulePassesWhenOpenIdScopeIsPresent() $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? new Result(RequiredOpenIdScopeRule::class, null); @@ -132,6 +132,6 @@ public function testCheckRuleThrowsWhenOpenIdScopeIsNotPresent() $this->expectException(OidcServerException::class); - $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, $this->responseModeStub, []); + $this->sut()->checkRule($this->requestStub, $resultBag, $this->loggerServiceStub, [], $this->responseModeStub); } } 
diff --git a/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php index 83dccca0..5b1c5c91 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ResponseTypeRuleTest.php @@ -91,8 +91,8 @@ public function testResponseTypeRuleTest($responseType) $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? new Result(ResponseTypeRule::class, null); $this->assertSame($responseType, $result->getValue()); @@ -116,8 +116,8 @@ public function testResponseTypeRuleThrowsWithNoResponseTypeParamTest() $this->requestStub, $this->resultBag, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ); } } diff --git a/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php index 4aa672bc..a640af98 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ScopeOfflineAccessRuleTest.php @@ -122,8 +122,8 @@ public function testReturnsFalseWhenOfflineAccessScopeNotPresent(): void $this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertNotNull($result); @@ -159,8 +159,8 @@ public function testThrowsWhenClientDoesntHaveOfflineAccessScopeRegistered(): vo $this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, - $this->responseModeStub, [], + $this->responseModeStub, ); } @@ -192,8 +192,8 @@ public function testReturnsTrueWhenClientDoesHaveOfflineAccessScopeRegistered(): $this->serverRequestStub, $this->resultBagMock, $this->loggerServiceMock, - $this->responseModeStub, [], + $this->responseModeStub, ); $this->assertNotNull($result); 
diff --git a/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php index 318674fc..fa144662 100644 --- a/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/ScopeRuleTest.php @@ -105,8 +105,8 @@ public function testCheckRuleRedirectUriDependency(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, $this->data, + $this->responseModeStub, ); } @@ -123,8 +123,8 @@ public function testCheckRuleStateDependency(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, $this->data, + $this->responseModeStub, ); } @@ -153,8 +153,8 @@ public function testValidScopes(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, $this->data, + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); $this->assertIsArray($result->getValue()); @@ -186,8 +186,8 @@ public function testInvalidScopeThrows(): void $this->requestStub, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, $this->data, + $this->responseModeStub, ); } diff --git a/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php index ca06ccf3..336ca8bb 100644 --- a/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/StateRuleTest.php @@ -72,8 +72,8 @@ public function testCheckRuleHasValue(): void $request, $resultBag, $this->loggerServiceStub, - $this->responseModeStub, $data, + $this->responseModeStub, ); $this->assertInstanceOf(ResultInterface::class, $result); @@ -94,6 +94,7 @@ public function testCheckRulePostMethod(): void $request, $resultBag, $this->loggerServiceStub, + [], $this->responseModeStub, ); 
diff --git a/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php index 1876bb75..749525c3 100644 --- a/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php +++ b/tests/unit/src/Server/RequestRules/Rules/UiLocalesRuleTest.php @@ -66,8 +66,8 @@ public function testCheckRuleReturnsResultWhenParamSet() $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? new Result(UiLocalesRule::class); @@ -85,8 +85,8 @@ public function testCheckRuleReturnsNullWhenParamNotSet() $this->requestStub, $this->resultBagStub, $this->loggerServiceStub, - $this->responseModeStub, [], + $this->responseModeStub, ) ?? new Result(UiLocalesRule::class); From 6e2777422dbb4c9e45056a93a0b84f52aea37b89 Mon Sep 17 00:00:00 2001 
From: Harm Date: Wed, 13 May 2026 09:48:00 +0200 Subject: [PATCH 09/13] Fix final psalm and formatting issues --- src/Forms/ClientForm.php | 3 ++- src/Server/AuthorizationServer.php | 1 + src/Server/Exceptions/OidcServerException.php | 20 +++++++++++-------- src/Server/Grants/AuthCodeGrant.php | 2 ++ src/Server/Grants/ImplicitGrant.php | 2 ++ .../RequestRules/Rules/AcrValuesRule.php | 2 ++ .../Rules/AddClaimsToIdTokenRule.php | 1 + .../Rules/AuthorizationDetailsRule.php | 2 ++ .../Rules/ClientAuthenticationRule.php | 1 + .../RequestRules/Rules/ClientIdRule.php | 2 ++ .../Rules/ClientRedirectUriRule.php | 2 ++ src/Server/RequestRules/Rules/ClientRule.php | 2 ++ .../Rules/CodeChallengeMethodRule.php | 2 ++ .../RequestRules/Rules/CodeChallengeRule.php | 2 ++ .../RequestRules/Rules/CodeVerifierRule.php | 2 ++ .../RequestRules/Rules/IdTokenHintRule.php | 2 ++ .../RequestRules/Rules/IssuerStateRule.php | 2 ++ src/Server/RequestRules/Rules/MaxAgeRule.php | 2 ++ .../Rules/PostLogoutRedirectUriRule.php | 2 ++ src/Server/RequestRules/Rules/PromptRule.php | 2 ++ .../RequestRules/Rules/RequestObjectRule.php | 2 ++ .../Rules/RequestedClaimsRule.php | 2 ++ .../RequestRules/Rules/RequiredNonceRule.php | 2 ++ .../Rules/RequiredOpenIdScopeRule.php | 2 ++ .../RequestRules/Rules/ResponseModeRule.php | 18 +++++++---------- .../RequestRules/Rules/ResponseTypeRule.php | 1 + .../Rules/ScopeOfflineAccessRule.php | 1 + src/Server/RequestRules/Rules/ScopeRule.php | 2 ++ src/Server/RequestRules/Rules/StateRule.php | 2 ++ .../RequestRules/Rules/UiLocalesRule.php | 2 ++ src/Server/ResponseTypes/HtmlResponse.php | 5 +---- 31 files changed, 71 insertions(+), 24 deletions(-) diff --git a/src/Forms/ClientForm.php b/src/Forms/ClientForm.php index 1181eea2..a912c885 100644 --- a/src/Forms/ClientForm.php +++ b/src/Forms/ClientForm.php 
@@ -451,8 +451,9 @@ protected function buildForm(): void public function validateResponseModes(Form $form): void { $values = $form->getValues(self::TYPE_ARRAY); + /** @var string[]|null $responseModes */ $responseModes = $values['response_modes_allowed'] ?? null; - if ($responseModes !== null && is_array($responseModes)) { + if (is_array($responseModes)) { $allowed = array_keys($this->getAllowedResponseModesValues()); foreach ($responseModes as $mode) { if (!in_array($mode, $allowed, true)) { diff --git a/src/Server/AuthorizationServer.php b/src/Server/AuthorizationServer.php index 89d76f76..b6973a9e 100644 --- a/src/Server/AuthorizationServer.php +++ b/src/Server/AuthorizationServer.php @@ -117,6 +117,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var string $redirectUri */ $redirectUri = $resultBag->getOrFail(ClientRedirectUriRule::class)->getValue(); + /** @var ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); foreach ($this->enabledGrantTypes as $grantType) { diff --git a/src/Server/Exceptions/OidcServerException.php b/src/Server/Exceptions/OidcServerException.php index 3e17c7cb..96edca56 100644 --- a/src/Server/Exceptions/OidcServerException.php +++ b/src/Server/Exceptions/OidcServerException.php @@ -95,7 +95,7 @@ public function __construct( * @param string|null $redirectUri * @param string|null $state * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode - * @return self + * @return OidcServerException */ public static function unsupportedResponseType( ?string $redirectUri = null, 
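Review bot: The added `/** @var ResponseModeInterface $responseMode */` in `validateAuthorizationRequest` only tells psalm what `getOrFail(ResponseModeRule::class)->getValue()` returns; nothing checks it at runtime. The same annotation is added twice in AuthCodeGrant and twice in ImplicitGrant, where the value is handed to `setResponseMode()`. Since this object presumably decides how the authorization response is delivered to the client, I would narrow it explicitly, e.g. `if (!$responseMode instanceof ResponseModeInterface) { throw new \LogicException('Unexpected ResponseModeRule result'); }`, which also removes the need for the annotation. The neighbouring annotation in AuthCodeGrant uses a fully-qualified class name, so the short name here depends on an import that these hunks do not show. The method bodies continue outside the hunks.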
@@ -117,7 +117,8 @@ public static function unsupportedResponseType( * @param string|null $redirectUri An HTTP URI to redirect the user back to * @param string|null $state * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode - * @return static + * @return OidcServerException + * @psalm-suppress LessSpecificImplementedReturnType */ public static function invalidScope( $scope, @@ -130,7 +131,7 @@ public static function invalidScope( } else { $hint = sprintf( 'Check the `%s` scope', - htmlspecialchars((string) $scope, ENT_QUOTES, 'UTF-8', false), + htmlspecialchars($scope, ENT_QUOTES, 'UTF-8', false), ); } @@ -158,7 +159,8 @@ public static function invalidScope( * @param string|null $redirectUri * @param string|null $state * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode - * @return static + * @return OidcServerException + * @psalm-suppress LessSpecificImplementedReturnType */ public static function invalidRequest( $parameter, @@ -182,7 +184,8 @@ public static function invalidRequest( * @param \Throwable|null $previous * @param string|null $state * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode - * @return static + * @return OidcServerException + * @psalm-suppress LessSpecificImplementedReturnType */ public static function accessDenied( $hint = null, @@ -215,7 +218,7 @@ public static function accessDenied( * @param string|null $state * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * - * @return self + * @return OidcServerException */ public static function loginRequired( ?string $hint = null, @@ -240,7 +243,7 @@ public static function loginRequired( * @param string|null $state * @param \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface|null $responseMode * - * @return self + * @return OidcServerException */ public static function requestNotSupported( ?string $hint = null, 
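Review bot: Dropping the `(string)` cast in `invalidScope` removes the only runtime coercion of `$scope` before `htmlspecialchars`, while the signature shown in the preceding hunk leaves `$scope` untyped. The scope value is presumably request-derived. A non-string value would now raise a `TypeError` under strict types instead of the intended invalid-scope error, or be coerced implicitly otherwise; whether the file declares `strict_types` is not visible here. I would keep `htmlspecialchars((string) $scope, ENT_QUOTES, 'UTF-8', false),` and suppress psalm's redundant-cast finding on that line if that is what prompted the change. The function body continues outside the hunk.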
@@ -272,7 +275,7 @@ public static function requestNotSupported( * @param string|null $hint * @param \Throwable|null $previous * - * @return self + * @return OidcServerException * @psalm-suppress LessSpecificImplementedReturnType */ public static function invalidRefreshToken($hint = null, ?Throwable $previous = null): OidcServerException @@ -396,6 +399,7 @@ public function setState(?string $state = null): void * Generate an HTTP response. * * @param \Psr\Http\Message\ResponseInterface $response + * @param bool $useFragment * @param int $jsonOptions options passed to json_encode * * @return \Psr\Http\Message\ResponseInterface diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php index 052af731..41e70ac4 100644 --- a/src/Server/Grants/AuthCodeGrant.php +++ b/src/Server/Grants/AuthCodeGrant.php @@ -773,6 +773,7 @@ public function validateAuthorizationRequestWithRequestRules( $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ $client = $resultBag->getOrFail(ClientRule::class)->getValue(); + /** @var ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); $this->loggerService->debug('AuthCodeGrant: Resolved data:', [ @@ -906,6 +907,7 @@ public function validateAuthorizationRequestWithRequestRules( ); $authorizationRequest->setAuthorizationDetails($authorizationDetails); + /** @var ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); $this->loggerService->debug( 'AuthCodeGrant: Response mode: ', diff --git a/src/Server/Grants/ImplicitGrant.php b/src/Server/Grants/ImplicitGrant.php index aee0494c..bcdd1a90 100644 --- a/src/Server/Grants/ImplicitGrant.php +++ b/src/Server/Grants/ImplicitGrant.php 
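Review bot: The `@param bool $useFragment` line added to the "Generate an HTTP response." docblock names the parameter but does not say what it controls. The docblock should state what it means now that the exception also carries a `ResponseModeInterface`. If the flag keeps its usual meaning, something like `@param bool $useFragment Put the error parameters in the URI fragment instead of the query string` would do. If the response mode now takes precedence over it, the docblock should say so. The method signature and body are outside the hunk, so which of the two applies cannot be confirmed from here.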
@@ -143,6 +143,7 @@ public function validateAuthorizationRequestWithRequestRules( $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ $client = $resultBag->getOrFail(ClientRule::class)->getValue(); + /** @var ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); // Some rules need certain things available in order to work properly... @@ -196,6 +197,7 @@ public function validateAuthorizationRequestWithRequestRules( $acrValues = $resultBag->getOrFail(AcrValuesRule::class)->getValue(); $authorizationRequest->setRequestedAcrValues($acrValues); + /** @var ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); $authorizationRequest->setResponseMode($responseMode); diff --git a/src/Server/RequestRules/Rules/AcrValuesRule.php b/src/Server/RequestRules/Rules/AcrValuesRule.php index 5ce8fdf6..d971303b 100644 --- a/src/Server/RequestRules/Rules/AcrValuesRule.php +++ b/src/Server/RequestRules/Rules/AcrValuesRule.php @@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -19,6 +20,7 @@ class AcrValuesRule extends AbstractRule * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php index e118c0f6..e0ca70f1 100644 
--- a/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php +++ b/src/Server/RequestRules/Rules/AddClaimsToIdTokenRule.php @@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; diff --git a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php index c9d1a23f..4af36369 100644 --- a/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php +++ b/src/Server/RequestRules/Rules/AuthorizationDetailsRule.php @@ -11,6 +11,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -31,6 +32,7 @@ public function __construct( * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php index 963b12c7..f6e7a92f 100644 --- a/src/Server/RequestRules/Rules/ClientAuthenticationRule.php +++ b/src/Server/RequestRules/Rules/ClientAuthenticationRule.php 
@@ -10,6 +10,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver; diff --git a/src/Server/RequestRules/Rules/ClientIdRule.php b/src/Server/RequestRules/Rules/ClientIdRule.php index 6c9dad2f..0a2e80bc 100644 --- a/src/Server/RequestRules/Rules/ClientIdRule.php +++ b/src/Server/RequestRules/Rules/ClientIdRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -36,6 +37,7 @@ class ClientIdRule extends AbstractRule * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php index 29364c2c..d4aa11f1 100644 --- a/src/Server/RequestRules/Rules/ClientRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/ClientRedirectUriRule.php 
@@ -13,6 +13,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -35,6 +36,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/ClientRule.php b/src/Server/RequestRules/Rules/ClientRule.php index a2f78202..242c60d0 100644 --- a/src/Server/RequestRules/Rules/ClientRule.php +++ b/src/Server/RequestRules/Rules/ClientRule.php @@ -17,6 +17,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\FederationCache; @@ -69,6 +70,7 @@ public function __construct( * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkException * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php index 31f0730c..f0e46c42 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php +++ b/src/Server/RequestRules/Rules/CodeChallengeMethodRule.php 
@@ -11,6 +11,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -32,6 +33,7 @@ public function __construct( * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/CodeChallengeRule.php b/src/Server/RequestRules/Rules/CodeChallengeRule.php index e9b2d067..b55d79d6 100644 --- a/src/Server/RequestRules/Rules/CodeChallengeRule.php +++ b/src/Server/RequestRules/Rules/CodeChallengeRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -22,6 +23,7 @@ class CodeChallengeRule extends AbstractRule * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/CodeVerifierRule.php b/src/Server/RequestRules/Rules/CodeVerifierRule.php index f37e6c4e..d4bcc04a 100644 --- a/src/Server/RequestRules/Rules/CodeVerifierRule.php 
+++ b/src/Server/RequestRules/Rules/CodeVerifierRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -20,6 +21,7 @@ class CodeVerifierRule extends AbstractRule * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/IdTokenHintRule.php b/src/Server/RequestRules/Rules/IdTokenHintRule.php index 18a09f85..dc481b22 100644 --- a/src/Server/RequestRules/Rules/IdTokenHintRule.php +++ b/src/Server/RequestRules/Rules/IdTokenHintRule.php @@ -11,6 +11,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -37,6 +38,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/IssuerStateRule.php b/src/Server/RequestRules/Rules/IssuerStateRule.php index 733e3be0..962e94e9 100644 --- a/src/Server/RequestRules/Rules/IssuerStateRule.php +++ b/src/Server/RequestRules/Rules/IssuerStateRule.php 
@@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -19,6 +20,7 @@ class IssuerStateRule extends AbstractRule * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/MaxAgeRule.php b/src/Server/RequestRules/Rules/MaxAgeRule.php index acac9baa..1b02c085 100644 --- a/src/Server/RequestRules/Rules/MaxAgeRule.php +++ b/src/Server/RequestRules/Rules/MaxAgeRule.php @@ -12,6 +12,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\AuthenticationService; use SimpleSAML\Module\oidc\Services\LoggerService; @@ -40,6 +41,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php index 1a028a4f..d0d4e8df 100644 --- a/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php +++ b/src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php 
@@ -11,6 +11,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; @@ -33,6 +34,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/PromptRule.php b/src/Server/RequestRules/Rules/PromptRule.php index 6c29bdfa..9b708ab3 100644 --- a/src/Server/RequestRules/Rules/PromptRule.php +++ b/src/Server/RequestRules/Rules/PromptRule.php @@ -12,6 +12,7 @@ use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\AuthenticationService; use SimpleSAML\Module\oidc\Services\LoggerService; @@ -41,6 +42,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/RequestObjectRule.php b/src/Server/RequestRules/Rules/RequestObjectRule.php index 17b76bc0..e4eab6e3 100644 --- a/src/Server/RequestRules/Rules/RequestObjectRule.php +++ b/src/Server/RequestRules/Rules/RequestObjectRule.php 
@@ -10,6 +10,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\JwksResolver; @@ -32,6 +33,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/RequestedClaimsRule.php b/src/Server/RequestRules/Rules/RequestedClaimsRule.php index 8430bcb8..18388d64 100644 --- a/src/Server/RequestRules/Rules/RequestedClaimsRule.php +++ b/src/Server/RequestRules/Rules/RequestedClaimsRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor; @@ -31,6 +32,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/RequiredNonceRule.php b/src/Server/RequestRules/Rules/RequiredNonceRule.php index 756ffcd5..1839ca9c 100644 --- a/src/Server/RequestRules/Rules/RequiredNonceRule.php +++ b/src/Server/RequestRules/Rules/RequiredNonceRule.php 
@@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -22,6 +23,7 @@ class RequiredNonceRule extends AbstractRule * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php index 42dcb58f..53b62375 100644 --- a/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php +++ b/src/Server/RequestRules/Rules/RequiredOpenIdScopeRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -21,6 +22,7 @@ class RequiredOpenIdScopeRule extends AbstractRule * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/ResponseModeRule.php b/src/Server/RequestRules/Rules/ResponseModeRule.php index 4d93a3dc..34c7a485 100644 --- a/src/Server/RequestRules/Rules/ResponseModeRule.php +++ b/src/Server/RequestRules/Rules/ResponseModeRule.php 
@@ -36,6 +36,7 @@ public function __construct( * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, @@ -57,23 +58,17 @@ public function checkRule( throw OidcServerException::invalidRequest('Missing client_id'); } - $reponseModeValue = $requestParams[ParamsEnum::ResponseMode->value] ?? null; + $reponseModeValue = isset($requestParams[ParamsEnum::ResponseMode->value]) ? + (string)$requestParams[ParamsEnum::ResponseMode->value] : null; $loggerService->debug('ResponseModeRule: response_mode requestParams value: ' . ($reponseModeValue ?? 'null')); // if response_mode is not set, we set the default // default to 'code' if not set. Error will be thrown by ResponseTypeRule. - $responseType = $requestParams[ParamsEnum::ResponseType->value] ?? 'code'; + $responseType = isset($requestParams[ParamsEnum::ResponseType->value]) ? + (string)$requestParams[ParamsEnum::ResponseType->value] : 'code'; if (!$reponseModeValue) { - switch ($responseType) { - case str_contains($responseType, 'token'): - case str_contains($responseType, 'id_token'): - $reponseModeValue = 'fragment'; - break; - default: - // for other response types, the default is query - $reponseModeValue = 'query'; - } + $reponseModeValue = str_contains($responseType, 'token') ? 'fragment' : 'query'; } // Verify if response_mode is one of 'query', 'fragment', 'form_post' @@ -88,6 +83,7 @@ public function checkRule( } // Validate whether response_mode is allowed by client configuration + /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ $client = $currentResultBag->getOrFail(ClientRule::class)->getValue(); $currentResultBag->getOrFail(ClientRedirectUriRule::class)->getValue(); $currentResultBag->getOrFail(StateRule::class)->getValue(); 
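Review bot: An explicit `response_mode=query` combined with a token-returning `response_type` is not rejected by anything visible in the `@@ -57,23 +58,17 @@` hunk of `checkRule`. The fragment default applies only when `response_mode` is absent, and the checks shown after it only test that the value is one of `query`, `fragment`, `form_post` and is allowed for the client. The OAuth 2.0 Multiple Response Type Encoding Practices rule out the query encoding for the `id_token` and hybrid response types, because the token would end up in the URL (browser history, Referer, server logs). Unless that is enforced outside this hunk, add after the defaulting block: `if ($reponseModeValue === 'query' && str_contains($responseType, 'token')) { throw OidcServerException::invalidRequest('response_mode'); }`. Separately, `(string)` on an array-valued parameter yields the literal `Array` plus a warning, and `!$reponseModeValue` treats `response_mode=0` as absent; an `is_string()` check and a `=== null` comparison would make both cases explicit.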
diff --git a/src/Server/RequestRules/Rules/ResponseTypeRule.php b/src/Server/RequestRules/Rules/ResponseTypeRule.php index b9b4e624..1b71a93d 100644 --- a/src/Server/RequestRules/Rules/ResponseTypeRule.php +++ b/src/Server/RequestRules/Rules/ResponseTypeRule.php @@ -21,6 +21,7 @@ class ResponseTypeRule extends AbstractRule * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php index 2431f1d2..fd41cdfe 100644 --- a/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php +++ b/src/Server/RequestRules/Rules/ScopeOfflineAccessRule.php @@ -9,6 +9,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; diff --git a/src/Server/RequestRules/Rules/ScopeRule.php b/src/Server/RequestRules/Rules/ScopeRule.php index 664e811c..2587aaee 100644 --- a/src/Server/RequestRules/Rules/ScopeRule.php +++ b/src/Server/RequestRules/Rules/ScopeRule.php @@ -12,6 +12,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\Module\oidc\Utils\RequestParamsResolver; 
@@ -34,6 +35,7 @@ public function __construct( * @throws \Throwable * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/StateRule.php b/src/Server/RequestRules/Rules/StateRule.php index 325fad39..8f337281 100644 --- a/src/Server/RequestRules/Rules/StateRule.php +++ b/src/Server/RequestRules/Rules/StateRule.php @@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; @@ -19,6 +20,7 @@ class StateRule extends AbstractRule * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/RequestRules/Rules/UiLocalesRule.php b/src/Server/RequestRules/Rules/UiLocalesRule.php index ad93a985..4561da7b 100644 --- a/src/Server/RequestRules/Rules/UiLocalesRule.php +++ b/src/Server/RequestRules/Rules/UiLocalesRule.php @@ -8,6 +8,7 @@ use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface; use SimpleSAML\Module\oidc\Server\RequestRules\Result; +use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode; use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; use SimpleSAML\Module\oidc\Services\LoggerService; use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum; 
@@ -19,6 +20,7 @@ class UiLocalesRule extends AbstractRule * @inheritDoc * * @param ResponseModeInterface $responseMode + * @param HttpMethodsEnum[] $allowedServerRequestMethods */ public function checkRule( ServerRequestInterface $request, diff --git a/src/Server/ResponseTypes/HtmlResponse.php b/src/Server/ResponseTypes/HtmlResponse.php index 28aeb15a..36b7d4ea 100644 --- a/src/Server/ResponseTypes/HtmlResponse.php +++ b/src/Server/ResponseTypes/HtmlResponse.php @@ -9,10 +9,7 @@ class HtmlResponse extends AbstractResponseType { - /** - * @var string - */ - private string $html; + private string $html = ''; /** * @param string $html From 68bb0f7dfe5fedaafa4a866d3cda7189163c3808 Mon Sep 17 00:00:00 2001 From: Harm Date: Tue, 19 May 2026 12:29:38 +0200 Subject: [PATCH 10/13] Added conformance tests to pipeline --- .github/workflows/test.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 79156c9e..faf787a3 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -259,6 +259,12 @@ jobs: - name: Run RP backchannel run: | ./conformance-suite/scripts/run-test-plan.py "oidcc-backchannel-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]" ./main/conformance-tests/conformance-back-channel-logout-ci.json + - name: Run form_post basic tests + run: | + ./conformance-suite/scripts/run-test-plan.py "oidcc-formpost-basic-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-basic-ci.json + - name: Run form_post implicit tests + run: | + ./conformance-suite/scripts/run-test-plan.py "oidcc-formpost-implicit-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-implicit-ci.json - name: Stop SSP working-directory: ./main run: | From f45cf96de0253b849e21b5e0ab4ec72dae34509f Mon Sep 17 00:00:00 2001 
From: Harm Date: Tue, 19 May 2026 12:53:03 +0200 Subject: [PATCH 11/13] Added unit tests --- .../Rules/ResponseModeRuleTest.php | 332 ++++++++++++++++++ .../FormPostResponseModeTest.php | 45 +++ 2 files changed, 377 insertions(+) create mode 100644 tests/unit/src/Server/RequestRules/Rules/ResponseModeRuleTest.php create mode 100644 tests/unit/src/Server/ResponseModes/FormPostResponseModeTest.php diff --git a/tests/unit/src/Server/RequestRules/Rules/ResponseModeRuleTest.php b/tests/unit/src/Server/RequestRules/Rules/ResponseModeRuleTest.php new file mode 100644 index 00000000..4fcef301 --- /dev/null +++ b/tests/unit/src/Server/RequestRules/Rules/ResponseModeRuleTest.php 
@@ -0,0 +1,332 @@ + 'client123', + 'response_type' => 'code', + 'response_mode' => 'query', + ]; + + protected function setUp(): void + { + $this->requestStub = $this->createStub(ServerRequestInterface::class); + $this->loggerServiceStub = $this->createStub(LoggerService::class); + $this->requestParamsResolverStub = $this->createStub(RequestParamsResolver::class); + $this->helpers = new Helpers(); + $this->responseModeStub = $this->createStub(ResponseModeInterface::class); + + $this->clientStub = $this->createStub(ClientEntityInterface::class); + $this->clientStub->method('getAllowedResponseModes')->willReturn(['query', 'fragment', 'form_post']); + + $this->queryResponseModeStub = $this->createStub(QueryResponseMode::class); + $this->fragmentResponseModeStub = $this->createStub(FragmentResponseMode::class); + $this->formPostResponseModeStub = $this->createStub(FormPostResponseMode::class); + + $this->resultBag = new ResultBag(); + $this->resultBag->add(new Result(ClientRule::class, $this->clientStub)); + $this->resultBag->add(new Result(ClientRedirectUriRule::class, 'https://example.org/callback')); + $this->resultBag->add(new Result(StateRule::class, 'state123')); + } + + protected function sut( + ?RequestParamsResolver $requestParamsResolver = null, + ?Helpers $helpers = null, + ?QueryResponseMode $queryResponseMode = null, + ?FragmentResponseMode $fragmentResponseMode = null, + ?FormPostResponseMode $formPostResponseMode = null, + ): ResponseModeRule { + return new ResponseModeRule( + $requestParamsResolver ?? $this->requestParamsResolverStub, + $helpers ?? $this->helpers, + $queryResponseMode ?? $this->queryResponseModeStub, + $fragmentResponseMode ?? $this->fragmentResponseModeStub, + $formPostResponseMode ?? 
$this->formPostResponseModeStub, + ); + } + + public function testThrowsWhenClientIdMissing(): void + { + $params = $this->requestParams; + unset($params['client_id']); + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $this->expectException(OidcServerException::class); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + } + + public function testReturnsQueryResponseModeWhenExplicitlyRequested(): void + { + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($this->requestParams); + + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + + $this->assertNotNull($result); + $this->assertSame($this->queryResponseModeStub, $result->getValue()); + } + + public function testReturnsFragmentResponseModeWhenExplicitlyRequested(): void + { + $params = $this->requestParams; + $params['response_mode'] = 'fragment'; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + + $this->assertNotNull($result); + $this->assertSame($this->fragmentResponseModeStub, $result->getValue()); + } + + public function testReturnsFormPostResponseModeWhenExplicitlyRequested(): void + { + $params = $this->requestParams; + $params['response_mode'] = 'form_post'; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + + $this->assertNotNull($result); + $this->assertSame($this->formPostResponseModeStub, $result->getValue()); + } + + public function 
testDefaultsToQueryWhenResponseModeNotSetAndResponseTypeIsCode(): void + { + $params = $this->requestParams; + unset($params['response_mode']); + $params['response_type'] = 'code'; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + + $this->assertNotNull($result); + $this->assertSame($this->queryResponseModeStub, $result->getValue()); + } + + /** + * @dataProvider tokenResponseTypeProvider + */ + public function testDefaultsToFragmentWhenResponseModeNotSetAndResponseTypeContainsToken( + string $responseType, + ): void { + $params = $this->requestParams; + unset($params['response_mode']); + $params['response_type'] = $responseType; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + + $this->assertNotNull($result); + $this->assertSame($this->fragmentResponseModeStub, $result->getValue()); + } + + public static function tokenResponseTypeProvider(): array + { + return [ + 'token' => ['token'], + 'id_token token' => ['id_token token'], + 'code token' => ['code token'], + 'code id_token token' => ['code id_token token'], + ]; + } + + public function testDefaultsToQueryWhenResponseModeAndResponseTypeNotSet(): void + { + $params = ['client_id' => 'client123']; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + + $this->assertNotNull($result); + $this->assertSame($this->queryResponseModeStub, $result->getValue()); + } + + public function testThrowsOnInvalidResponseMode(): void + { + $params = 
$this->requestParams; + $params['response_mode'] = 'invalid'; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $this->expectException(OidcServerException::class); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + } + + public function testThrowsWhenResponseModeNotAllowedByClient(): void + { + $this->clientStub = $this->createStub(ClientEntityInterface::class); + $this->clientStub->method('getAllowedResponseModes')->willReturn(['query']); + + $this->resultBag = new ResultBag(); + $this->resultBag->add(new Result(ClientRule::class, $this->clientStub)); + $this->resultBag->add(new Result(ClientRedirectUriRule::class, 'https://example.org/callback')); + $this->resultBag->add(new Result(StateRule::class, 'state123')); + + $params = $this->requestParams; + $params['response_mode'] = 'fragment'; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $this->expectException(OidcServerException::class); + $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + } + + public function testThrowsWhenClientRuleResultMissing(): void + { + $resultBag = new ResultBag(); + + $params = $this->requestParams; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $this->expectException(LogicException::class); + $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + } + + public function testThrowsWhenRedirectUriResultMissing(): void + { + $resultBag = new ResultBag(); + $resultBag->add(new Result(ClientRule::class, $this->clientStub)); + + $params = $this->requestParams; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + 
$this->expectException(LogicException::class); + $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + } + + public function testThrowsWhenStateResultMissing(): void + { + $resultBag = new ResultBag(); + $resultBag->add(new Result(ClientRule::class, $this->clientStub)); + $resultBag->add(new Result(ClientRedirectUriRule::class, 'https://example.org/callback')); + + $params = $this->requestParams; + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($params); + + $this->expectException(LogicException::class); + $this->sut()->checkRule( + $this->requestStub, + $resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + } + + public function testResultKeyMatchesRuleClass(): void + { + $this->requestParamsResolverStub->method('getAllBasedOnAllowedMethods')->willReturn($this->requestParams); + + $result = $this->sut()->checkRule( + $this->requestStub, + $this->resultBag, + $this->loggerServiceStub, + [], + $this->responseModeStub, + ); + + $this->assertNotNull($result); + $this->assertSame(ResponseModeRule::class, $result->getKey()); + } +} diff --git a/tests/unit/src/Server/ResponseModes/FormPostResponseModeTest.php b/tests/unit/src/Server/ResponseModes/FormPostResponseModeTest.php new file mode 100644 index 00000000..605a9e34 --- /dev/null +++ b/tests/unit/src/Server/ResponseModes/FormPostResponseModeTest.php 
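Review bot: `tokenResponseTypeProvider` in ResponseModeRuleTest has no case where `id_token` appears without a separate `token` value, so the fragment default for `id_token` and `code id_token` is not pinned. ResponseModeRule reaches that result only because `id_token` contains the substring `token`; a later switch to exact matching of the space-separated values could silently move ID tokens to the query default. Add `'id_token' => ['id_token'],` and `'code id_token' => ['code id_token'],` to the provider. `@dataProvider` docblock annotations are deprecated in PHPUnit 10 and later; if the suite runs on one of those versions, `#[DataProvider('tokenResponseTypeProvider')]` is the supported form.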
@@ -0,0 +1,45 @@ + 'simplesaml/', + 'module.enable' => ['oidc' => true], + ], '', 'simplesaml'); + + $this->sut = new FormPostResponseMode($config); + } + + public function testBuildResponseReturnsHtmlWithFormPost(): void + { + $result = $this->sut->buildResponse( + 'https://example.org/callback', + ['code' => 'abc123', 'state' => 'xyz'], + ); + + $this->assertInstanceOf(HtmlResponse::class, $result); + + $body = (string) $result->generateHttpResponse(new Response())->getBody(); + $this->assertStringContainsString('https://example.org/callback', $body); + $this->assertStringContainsString('abc123', $body); + $this->assertStringContainsString('xyz', $body); + $this->assertMatchesRegularExpression('/method=["\']post["\']/i', $body); + } +} From f145c03f1f82b13521aa2f0542f84dfd49ef98ad Mon Sep 17 00:00:00 2001 From: Harm Date: Tue, 19 May 2026 13:05:09 +0200 Subject: [PATCH 12/13] Fix final psalm errors --- src/Server/AuthorizationServer.php | 2 +- src/Server/Grants/AuthCodeGrant.php | 4 ++-- src/Server/Grants/ImplicitGrant.php | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Server/AuthorizationServer.php b/src/Server/AuthorizationServer.php index b6973a9e..56e1d7c4 100644 --- a/src/Server/AuthorizationServer.php +++ b/src/Server/AuthorizationServer.php @@ -117,7 +117,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var string $redirectUri */ $redirectUri = $resultBag->getOrFail(ClientRedirectUriRule::class)->getValue(); - /** @var ResponseModeInterface $responseMode */ + /** @var \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); foreach ($this->enabledGrantTypes as $grantType) { diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php index 41e70ac4..d6fc76b8 100644 
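Review bot: `testBuildResponseReturnsHtmlWithFormPost` passes only alphanumeric values, so it does not show that `buildResponse` HTML-escapes the parameters it writes into the form. `state` comes from the client's request and, judging by this test, is echoed into the HTML body, so escaping is the property worth pinning. A second test with HTML metacharacters in a value, asserting that they do not appear raw in the body, would cover it. The FormPostResponseMode implementation is not part of this hunk, so this is about test coverage rather than a known defect.

```php
// … unchanged: setUp() and testBuildResponseReturnsHtmlWithFormPost() …

    public function testBuildResponseEscapesParameterValues(): void
    {
        // Constructed sample value containing HTML metacharacters.
        $result = $this->sut->buildResponse(
            'https://example.org/callback',
            ['code' => 'abc123', 'state' => 'a"b<c>d'],
        );

        $body = (string) $result->generateHttpResponse(new Response())->getBody();
        $this->assertStringNotContainsString('a"b<c>d', $body);
    }
```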
--- a/src/Server/Grants/AuthCodeGrant.php +++ b/src/Server/Grants/AuthCodeGrant.php @@ -773,7 +773,7 @@ public function validateAuthorizationRequestWithRequestRules( $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ $client = $resultBag->getOrFail(ClientRule::class)->getValue(); - /** @var ResponseModeInterface $responseMode */ + /** @var \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); $this->loggerService->debug('AuthCodeGrant: Resolved data:', [ @@ -907,7 +907,7 @@ public function validateAuthorizationRequestWithRequestRules( ); $authorizationRequest->setAuthorizationDetails($authorizationDetails); - /** @var ResponseModeInterface $responseMode */ + /** @var \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); $this->loggerService->debug( 'AuthCodeGrant: Response mode: ', diff --git a/src/Server/Grants/ImplicitGrant.php b/src/Server/Grants/ImplicitGrant.php index bcdd1a90..75fcf1c8 100644 --- a/src/Server/Grants/ImplicitGrant.php +++ b/src/Server/Grants/ImplicitGrant.php @@ -143,7 +143,7 @@ public function validateAuthorizationRequestWithRequestRules( $state = $resultBag->getOrFail(StateRule::class)->getValue(); /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */ $client = $resultBag->getOrFail(ClientRule::class)->getValue(); - /** @var ResponseModeInterface $responseMode */ + /** @var \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); // Some rules need certain things available in order to work properly... 
@@ -197,7 +197,7 @@ public function validateAuthorizationRequestWithRequestRules( $acrValues = $resultBag->getOrFail(AcrValuesRule::class)->getValue(); $authorizationRequest->setRequestedAcrValues($acrValues); - /** @var ResponseModeInterface $responseMode */ + /** @var \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface $responseMode */ $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue(); $authorizationRequest->setResponseMode($responseMode); From 5460a76a2a76b421d40267ee6c39ff9668eb9102 Mon Sep 17 00:00:00 2001 From: Harm Date: Tue, 19 May 2026 14:07:02 +0200 Subject: [PATCH 13/13] Change string type back to mixed from automatic psalm fix --- .../CredentialIssuerCredentialController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php b/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php index 5850e1df..08046dd8 100644 --- a/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php +++ b/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php @@ -839,7 +839,7 @@ public function credential(Request $request): Response * @psalm-suppress UnusedVariable, MixedAssignment * @param array-key[] $path */ - protected function setCredentialClaimValue(array &$claims, array $path, string $value): void + protected function setCredentialClaimValue(array &$claims, array $path, mixed $value): void { $temp = &$claims;