Introduce Jar and RequestObject facades

Author: cicnavi

src/Codebooks/ClaimsEnum.php

@@ -326,6 +326,8 @@ enum ClaimsEnum: string
 
     case ProofTypesSupported = 'proof_types_supported';
 
+    case PushedAuthorizationRequestEndpoint = 'pushed_authorization_request_endpoint';
+
     case RedirectUris = 'redirect_uris';
 
     // Reference
@@ -359,8 +361,12 @@ enum ClaimsEnum: string
 
     case RequireAuthTime = 'require_auth_time';
 
+    case RequirePushedAuthorizationRequests = 'require_pushed_authorization_requests';
+
     case RequireRequestUriRegistration = 'require_request_uri_registration';
 
+    case RequireSignedRequestObject = 'require_signed_request_object';
+
     case ResponseModesSupported = 'response_modes_supported';
 
     case ResponseTypes = 'response_types';

src/Codebooks/ParamsEnum.php

@@ -71,6 +71,8 @@ enum ParamsEnum: string
 
     case Request = 'request';
 
+    case RequestUri = 'request_uri';
+
     case ResponseMode = 'response_mode';
 
     case ResponseType = 'response_type';

src/Jar.php

@@ -0,0 +1,169 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID;
+
+use DateInterval;
+use SimpleSAML\OpenID\Algorithms\AlgorithmManagerDecorator;
+use SimpleSAML\OpenID\Decorators\DateIntervalDecorator;
+use SimpleSAML\OpenID\Factories\AlgorithmManagerDecoratorFactory;
+use SimpleSAML\OpenID\Factories\ClaimFactory;
+use SimpleSAML\OpenID\Factories\DateIntervalDecoratorFactory;
+use SimpleSAML\OpenID\Factories\JwsSerializerManagerDecoratorFactory;
+use SimpleSAML\OpenID\Jar\Factories\RequestObjectFactory;
+use SimpleSAML\OpenID\Jwks\Factories\JwksDecoratorFactory;
+use SimpleSAML\OpenID\Jws\Factories\JwsDecoratorBuilderFactory;
+use SimpleSAML\OpenID\Jws\Factories\JwsVerifierDecoratorFactory;
+use SimpleSAML\OpenID\Jws\JwsDecoratorBuilder;
+use SimpleSAML\OpenID\Jws\JwsVerifierDecorator;
+use SimpleSAML\OpenID\Serializers\JwsSerializerManagerDecorator;
+
+class Jar
+{
+    protected ?DateIntervalDecoratorFactory $dateIntervalDecoratorFactory = null;
+
+    protected ?RequestObjectFactory $requestObjectFactory = null;
+
+    protected ?JwsSerializerManagerDecorator $jwsSerializerManagerDecorator = null;
+
+    protected ?JwsSerializerManagerDecoratorFactory $jwsSerializerManagerDecoratorFactory = null;
+
+    protected ?JwsDecoratorBuilderFactory $jwsDecoratorBuilderFactory = null;
+
+    protected ?AlgorithmManagerDecoratorFactory $algorithmManagerDecoratorFactory = null;
+
+    protected ?AlgorithmManagerDecorator $algorithmManagerDecorator = null;
+
+    protected ?Helpers $helpers = null;
+
+    protected ?JwsVerifierDecoratorFactory $jwsVerifierDecoratorFactory = null;
+
+    protected ?JwsVerifierDecorator $jwsVerifierDecorator  = null;
+
+    protected ?JwksDecoratorFactory $jwksDecoratorFactory = null;
+
+    protected DateIntervalDecorator $timestampValidationLeewayDecorator;
+
+    protected ?ClaimFactory $claimFactory = null;
+
+    protected ?JwsDecoratorBuilder $jwsDecoratorBuilder = null;
+
+
+    public function __construct(
+        protected readonly SupportedSerializers $supportedSerializers = new SupportedSerializers(),
+        protected readonly SupportedAlgorithms $supportedAlgorithms = new SupportedAlgorithms(),
+        DateInterval $timestampValidationLeeway = new DateInterval('PT1M'),
+    ) {
+        $this->timestampValidationLeewayDecorator = $this->dateIntervalDecoratorFactory()
+        ->build($timestampValidationLeeway);
+    }
+
+
+    public function dateIntervalDecoratorFactory(): DateIntervalDecoratorFactory
+    {
+        return $this->dateIntervalDecoratorFactory ??= new DateIntervalDecoratorFactory();
+    }
+
+
+    public function jwsSerializerManagerDecoratorFactory(): JwsSerializerManagerDecoratorFactory
+    {
+        return $this->jwsSerializerManagerDecoratorFactory ??= new JwsSerializerManagerDecoratorFactory();
+    }
+
+
+    public function supportedSerializers(): SupportedSerializers
+    {
+        return $this->supportedSerializers;
+    }
+
+
+    public function jwsDecoratorBuilderFactory(): JwsDecoratorBuilderFactory
+    {
+        return $this->jwsDecoratorBuilderFactory ??= new JwsDecoratorBuilderFactory();
+    }
+
+
+    public function jwsSerializerManagerDecorator(): JwsSerializerManagerDecorator
+    {
+        return $this->jwsSerializerManagerDecorator ??= $this->jwsSerializerManagerDecoratorFactory()
+            ->build($this->supportedSerializers);
+    }
+
+
+    public function algorithmManagerDecoratorFactory(): AlgorithmManagerDecoratorFactory
+    {
+        return $this->algorithmManagerDecoratorFactory ??= new AlgorithmManagerDecoratorFactory();
+    }
+
+
+    public function algorithmManagerDecorator(): AlgorithmManagerDecorator
+    {
+        return $this->algorithmManagerDecorator ??= $this->algorithmManagerDecoratorFactory()
+            ->build($this->supportedAlgorithms);
+    }
+
+
+    public function helpers(): Helpers
+    {
+        return $this->helpers ??= new Helpers();
+    }
+
+
+    public function jwsDecoratorBuilder(): JwsDecoratorBuilder
+    {
+        return $this->jwsDecoratorBuilder ??= $this->jwsDecoratorBuilderFactory()->build(
+            $this->jwsSerializerManagerDecorator(),
+            $this->algorithmManagerDecorator(),
+            $this->helpers(),
+        );
+    }
+
+
+    public function jwsVerifierDecoratorFactory(): JwsVerifierDecoratorFactory
+    {
+        return $this->jwsVerifierDecoratorFactory ??= new JwsVerifierDecoratorFactory();
+    }
+
+
+    public function jwsVerifierDecorator(): JwsVerifierDecorator
+    {
+        return $this->jwsVerifierDecorator ??= $this->jwsVerifierDecoratorFactory()->build(
+            $this->algorithmManagerDecorator(),
+        );
+    }
+
+
+    public function jwksDecoratorFactory(): JwksDecoratorFactory
+    {
+        return $this->jwksDecoratorFactory ??= new JwksDecoratorFactory();
+    }
+
+
+    public function timestampValidationLeewayDecorator(): DateIntervalDecorator
+    {
+        return $this->timestampValidationLeewayDecorator;
+    }
+
+
+    public function claimFactory(): ClaimFactory
+    {
+        return $this->claimFactory ??= new ClaimFactory(
+            $this->helpers(),
+        );
+    }
+
+
+    public function requestObjectFactory(): RequestObjectFactory
+    {
+        return $this->requestObjectFactory ??= new RequestObjectFactory(
+            $this->jwsDecoratorBuilder(),
+            $this->jwsVerifierDecorator(),
+            $this->jwksDecoratorFactory(),
+            $this->jwsSerializerManagerDecorator(),
+            $this->timestampValidationLeewayDecorator(),
+            $this->helpers(),
+            $this->claimFactory(),
+        );
+    }
+}

src/Jar/Factories/RequestObjectFactory.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Jar\Factories;
+
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
+use SimpleSAML\OpenID\Jar\RequestObject;
+use SimpleSAML\OpenID\Jwk\JwkDecorator;
+use SimpleSAML\OpenID\Jws\Factories\ParsedJwsFactory;
+
+class RequestObjectFactory extends ParsedJwsFactory
+{
+    public function fromToken(string $token): RequestObject
+    {
+        return new RequestObject(
+            $this->jwsDecoratorBuilder->fromToken($token),
+            $this->jwsVerifierDecorator,
+            $this->jwksDecoratorFactory,
+            $this->jwsSerializerManagerDecorator,
+            $this->timestampValidationLeeway,
+            $this->helpers,
+            $this->claimFactory,
+        );
+    }
+
+
+    /**
+     * @param array<non-empty-string,mixed> $payload
+     * @param array<non-empty-string,mixed> $header
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     */
+    public function fromData(
+        JwkDecorator $signingKey,
+        SignatureAlgorithmEnum $signatureAlgorithm,
+        array $payload,
+        array $header,
+    ): RequestObject {
+        return new RequestObject(
+            $this->jwsDecoratorBuilder->fromData(
+                $signingKey,
+                $signatureAlgorithm,
+                $payload,
+                $header,
+            ),
+            $this->jwsVerifierDecorator,
+            $this->jwksDecoratorFactory,
+            $this->jwsSerializerManagerDecorator,
+            $this->timestampValidationLeeway,
+            $this->helpers,
+            $this->claimFactory,
+        );
+    }
+}

src/Jar/RequestObject.php

@@ -0,0 +1,80 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Jar;
+
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\ParamsEnum;
+use SimpleSAML\OpenID\Exceptions\RequestObjectException;
+use SimpleSAML\OpenID\Jws\ParsedJws;
+
+class RequestObject extends ParsedJws
+{
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\RequestObjectException
+     * @return non-empty-string
+     */
+    public function getClientId(): string
+    {
+        $claimKey = ClaimsEnum::ClientId->value;
+        $clientId = $this->getPayloadClaim($claimKey);
+
+        if (is_null($clientId)) {
+            throw new RequestObjectException('No Client ID claim found.');
+        }
+
+        return $this->helpers->type()->ensureNonEmptyString($clientId, $claimKey);
+    }
+
+
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\RequestObjectException
+     */
+    protected function validateAlgorithm(): void
+    {
+        if (is_null($alg = $this->getAlgorithm())) {
+            throw new RequestObjectException('Missing Algorithm header claim.');
+        }
+
+        $signatureAlgorithm = SignatureAlgorithmEnum::tryFrom($alg) ?? throw new RequestObjectException(
+            'Invalid Algorithm header claim.',
+        );
+
+        if ($signatureAlgorithm === SignatureAlgorithmEnum::none) {
+            throw new RequestObjectException('Algorithm header claim must not be "none".');
+        }
+    }
+
+
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\RequestObjectException
+     */
+    protected function validateForbiddenRequestObjectParams(): void
+    {
+        foreach ([ParamsEnum::Request, ParamsEnum::RequestUri] as $param) {
+            if (array_key_exists($param->value, $this->getPayload())) {
+                throw new RequestObjectException(
+                    sprintf('Request Object must not contain %s.', $param->value),
+                );
+            }
+        }
+    }
+
+
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     */
+    protected function validate(): void
+    {
+        $this->validateByCallbacks(
+            $this->getClientId(...),
+            $this->validateAlgorithm(...),
+            $this->validateForbiddenRequestObjectParams(...),
+        );
+    }
+}