Feature/standalone metadata (#21)

* Do not rely on SimpleSAMLphp for metadata-building

* Fix

* Introduce a clokc

* Generate ID

* Cleanup

Author: tvdijen

composer.json

@@ -36,6 +36,8 @@
         "php": "^8.1",
         "ext-dom": "*",
 
+        "beste/clock": "^3.0",
+        "psr/clock": "^1.0",
         "simplesamlphp/assert": "^1.1",
         "simplesamlphp/saml11": "^1.0",
         "simplesamlphp/saml2": "^5@dev",

src/Controller/Adfs.php

@@ -5,19 +5,11 @@
 namespace SimpleSAML\Module\adfs\Controller;
 
 use Exception;
-use SimpleSAML\Configuration;
+use SimpleSAML\{Configuration, IdP, Logger, Metadata, Module, Session, Utils};
 use SimpleSAML\Error as SspError;
-use SimpleSAML\IdP;
-use SimpleSAML\Logger;
-use SimpleSAML\Metadata;
-use SimpleSAML\Module;
 use SimpleSAML\Module\adfs\IdP\ADFS as ADFS_IDP;
-use SimpleSAML\SAML2\Constants as C;
-use SimpleSAML\Session;
-use SimpleSAML\Utils;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\HttpFoundation\StreamedResponse;
+use SimpleSAML\Module\adfs\IdP\MetadataBuilder;
+use Symfony\Component\HttpFoundation\{Request, Response, StreamedResponse};
 
 /**
  * Controller class for the adfs module.
@@ -79,123 +71,14 @@ public function metadata(Request $request): Response
             }
             $idpmeta = $this->metadata->getMetaDataConfig($idpentityid, 'adfs-idp-hosted');
 
-            $availableCerts = [];
-            $keys = [];
-            $certInfo = $this->cryptoUtils->loadPublicKey($idpmeta, false, 'new_');
+            $builder = new MetadataBuilder($this->config, $idpmeta);
 
-            if ($certInfo !== null) {
-                $availableCerts['new_idp.crt'] = $certInfo;
-                $keys[] = [
-                    'type'            => 'X509Certificate',
-                    'signing'         => true,
-                    'encryption'      => true,
-                    'X509Certificate' => $certInfo['certData'],
-                ];
-                $hasNewCert = true;
-            } else {
-                $hasNewCert = false;
-            }
-
-            /** @var array $certInfo */
-            $certInfo = $this->cryptoUtils->loadPublicKey($idpmeta, true);
-            $availableCerts['idp.crt'] = $certInfo;
-            $keys[] = [
-                'type'            => 'X509Certificate',
-                'signing'         => true,
-                'encryption'      => ($hasNewCert ? false : true),
-                'X509Certificate' => $certInfo['certData'],
-            ];
-
-            if ($idpmeta->hasValue('https.certificate')) {
-                /** @var array $httpsCert */
-                $httpsCert = $this->cryptoUtils->loadPublicKey($idpmeta, true, 'https.');
-                Assert::keyExists($httpsCert, 'certData');
-                $availableCerts['https.crt'] = $httpsCert;
-                $keys[] = [
-                    'type'            => 'X509Certificate',
-                    'signing'         => true,
-                    'encryption'      => false,
-                    'X509Certificate' => $httpsCert['certData'],
-                ];
-            }
-
-            $adfs_service_location = Module::getModuleURL('adfs') . '/idp/prp.php';
-            $metaArray = [
-                'metadata-set'        => 'adfs-idp-remote',
-                'entityid'            => $idpentityid,
-                'SingleSignOnService' => [
-                    0 => [
-                        'Binding'  => C::BINDING_HTTP_REDIRECT,
-                        'Location' => $adfs_service_location,
-                    ],
-                ],
-                'SingleLogoutService' => [
-                    0 => [
-                        'Binding'  => C::BINDING_HTTP_REDIRECT,
-                        'Location' => $adfs_service_location,
-                    ],
-                ],
-            ];
-
-            if (count($keys) === 1) {
-                $metaArray['certData'] = $keys[0]['X509Certificate'];
-            } else {
-                $metaArray['keys'] = $keys;
-            }
-
-            $metaArray['NameIDFormat'] = $idpmeta->getOptionalString(
-                'NameIDFormat',
-                C::NAMEID_TRANSIENT,
-            );
-
-            if ($idpmeta->hasValue('OrganizationName')) {
-                $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
-                $metaArray['OrganizationDisplayName'] = $idpmeta->getOptionalLocalizedString(
-                    'OrganizationDisplayName',
-                    $metaArray['OrganizationName'],
-                );
-
-                if (!$idpmeta->hasValue('OrganizationURL')) {
-                    throw new SspError\Exception('If OrganizationName is set, OrganizationURL must also be set.');
-                }
-                $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
-            }
-
-            if ($idpmeta->hasValue('scope')) {
-                $metaArray['scope'] = $idpmeta->getArray('scope');
-            }
-
-            if ($idpmeta->hasValue('EntityAttributes')) {
-                $metaArray['EntityAttributes'] = $idpmeta->getArray('EntityAttributes');
-            }
-
-            if ($idpmeta->hasValue('UIInfo')) {
-                $metaArray['UIInfo'] = $idpmeta->getArray('UIInfo');
-            }
-
-            if ($idpmeta->hasValue('DiscoHints')) {
-                $metaArray['DiscoHints'] = $idpmeta->getArray('DiscoHints');
-            }
-
-            if ($idpmeta->hasValue('RegistrationInfo')) {
-                $metaArray['RegistrationInfo'] = $idpmeta->getArray('RegistrationInfo');
-            }
-
-            $metaBuilder = new Metadata\SAMLBuilder($idpentityid);
-            $metaBuilder->addSecurityTokenServiceType($metaArray);
-            $metaBuilder->addOrganizationInfo($metaArray);
-            $technicalContactEmail = $this->config->getOptionalString('technicalcontact_email', null);
-            if ($technicalContactEmail !== null && $technicalContactEmail !== '[email protected]') {
-                $metaBuilder->addContact(Utils\Config\Metadata::getContact([
-                    'emailAddress' => $technicalContactEmail,
-                    'givenName'    => $this->config->getOptionalString('technicalcontact_name', null),
-                    'contactType'  => 'technical',
-                ]));
-            }
-            $metaxml = $metaBuilder->getEntityDescriptorText();
+            $document = $builder->buildDocument()->toXML();
+            // Some products like DirX are known to break on pretty-printed XML
+            $document->ownerDocument->formatOutput = false;
+            $document->ownerDocument->encoding = 'UTF-8';
 
-            // sign the metadata if enabled
-            $metaxml = Metadata\Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP');
+            $metaxml = $document->ownerDocument->saveXML();
 
             $response = new Response();
             $response->setEtag(hash('sha256', $metaxml));

src/IdP/ADFS.php

@@ -8,7 +8,6 @@
 use DateTimeImmutable;
 use DateTimeZone;
 use Exception;
-use SimpleSAML\Assert\Assert;
 use SimpleSAML\Configuration;
 use SimpleSAML\Error;
 use SimpleSAML\IdP;