Introduce TrustMarkFetcher

cicnavi · cicnavi · commit ac1a2b7cf0ca · 2025-03-31T15:56:42.000+02:00
diff --git a/README.md b/README.md
@@ -196,6 +196,40 @@ try {
     return;
 }
 
+```
+### Fetching Trust Marks
+Federation tools expose Trust Mark Fetcher which you can use to dynamically fetch or refresh (short-living) Trust Marks.
+
+```php
+// ...
+
+/** @var \SimpleSAML\OpenID\Federation $federationTools */
+
+// Trust Mark ID that you want to fetch. 
+$trustMarkId = 'https://example.com/trust-mark/member';
+// ID of Subject for which to fetch the Trust Mark.
+$subjectId = 'https://leaf-entity.org'
+// ID of the Trust Mark Issuer from which to fetch the Trust Mark.
+$trustMarkIssuerEntityId = 'https://trust-mark-issuer.org'
+
+try {
+    // First, fetch the Configuration Statement for Trust Mark Issuer.
+    $trustMarkIssuerConfigurationStatement = $this->federation
+        ->entityStatementFetcher()
+        ->fromCacheOrWellKnownEndpoint($trustMarkIssuerEntityId);
+
+    // Fetch the Trust Mark from Issuer.
+    $trustMarkEntity = $federationTools->trustMarkFetcher()->fromCacheOrFederationTrustMarkEndpoint(
+        $trustMarkId,
+        $subjectId,
+        $trustMarkIssuerConfigurationStatement
+    );
+    
+} catch (\Throwable $exception) {
+    $this->logger->error('Trust Mark fetch failed. Error was: ' . $exception->getMessage());
+    return;
+}
+
 ```
 
 ### Validating Trust Marks
diff --git a/src/Codebooks/ClaimsEnum.php b/src/Codebooks/ClaimsEnum.php
@@ -30,6 +30,7 @@ enum ClaimsEnum: string
     // ExpirationTime
     case Exp = 'exp';
     case FederationFetchEndpoint = 'federation_fetch_endpoint';
+    case FederationTrustMarkEndpoint = 'federation_trust_mark_endpoint';
     case GrantTypes = 'grant_types';
     case GrantTypesSupported = 'grant_types_supported';
     case HomepageUri = 'homepage_uri';
diff --git a/src/Codebooks/ContentTypesEnum.php b/src/Codebooks/ContentTypesEnum.php
@@ -8,4 +8,5 @@ enum ContentTypesEnum: string
 {
     case ApplicationJwt = 'application/jwt';
     case ApplicationEntityStatementJwt = 'application/entity-statement+jwt';
+    case ApplicationTrustMarkJwt = 'application/trust-mark+jwt';
 }
diff --git a/src/Federation.php b/src/Federation.php
@@ -27,6 +27,7 @@
 use SimpleSAML\OpenID\Federation\MetadataPolicyApplicator;
 use SimpleSAML\OpenID\Federation\MetadataPolicyResolver;
 use SimpleSAML\OpenID\Federation\TrustChainResolver;
+use SimpleSAML\OpenID\Federation\TrustMarkFetcher;
 use SimpleSAML\OpenID\Federation\TrustMarkValidator;
 use SimpleSAML\OpenID\Jwks\Factories\JwksFactory;
 use SimpleSAML\OpenID\Jws\Factories\JwsParserFactory;
@@ -98,6 +99,8 @@ class Federation
 
     protected ?TrustMarkValidator $trustMarkValidator = null;
 
+    protected ?TrustMarkFetcher $trustMarkFetcher = null;
+
     public function __construct(
         protected readonly SupportedAlgorithms $supportedAlgorithms = new SupportedAlgorithms(),
         protected readonly SupportedSerializers $supportedSerializers = new SupportedSerializers(),
@@ -243,6 +246,17 @@ public function trustMarkValidator(): TrustMarkValidator
         );
     }
 
+    public function trustMarkFetcher(): TrustMarkFetcher
+    {
+        return $this->trustMarkFetcher ??= new TrustMarkFetcher(
+            $this->trustMarkFactory(),
+            $this->artifactFetcher(),
+            $this->maxCacheDurationDecorator,
+            $this->helpers(),
+            $this->logger,
+        );
+    }
+
     public function helpers(): Helpers
     {
         return $this->helpers ??= new Helpers();
diff --git a/src/Federation/EntityStatement.php b/src/Federation/EntityStatement.php
@@ -236,24 +236,47 @@ public function getKeyId(): string
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
      *
-     * phpcs:ignore
+     * @return ?non-empty-string
      */
     public function getFederationFetchEndpoint(): ?string
     {
-        // phpcs:disable
-        // @phpstan-ignore offsetAccess.nonOffsetAccessible (We fall back to null if not available.)
-        $federationFetchEndpoint = $this->getPayload() // @phpstan-ignore offsetAccess.nonOffsetAccessible (We fall back to null if not available.)
-        [ClaimsEnum::Metadata->value]
-        [EntityTypesEnum::FederationEntity->value]
-        [ClaimsEnum::FederationFetchEndpoint->value] ?? null;
-        // phpcs:enable
+        $federationFetchEndpoint = $this->helpers->arr()->getNestedValue(
+            $this->getPayload(),
+            ClaimsEnum::Metadata->value,
+            EntityTypesEnum::FederationEntity->value,
+            ClaimsEnum::FederationFetchEndpoint->value,
+        );
 
         if (is_null($federationFetchEndpoint)) {
             return null;
         }
 
-        return $this->helpers->type()->ensureString($federationFetchEndpoint);
+        return $this->helpers->type()->ensureNonEmptyString($federationFetchEndpoint);
+    }
+
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
+     *
+     * @return ?non-empty-string
+     */
+    public function getFederationTrustMarkEndpoint(): ?string
+    {
+        $federationTrustMarkEndpoint = $this->helpers->arr()->getNestedValue(
+            $this->getPayload(),
+            ClaimsEnum::Metadata->value,
+            EntityTypesEnum::FederationEntity->value,
+            ClaimsEnum::FederationTrustMarkEndpoint->value,
+        );
+
+        if (is_null($federationTrustMarkEndpoint)) {
+            return null;
+        }
+
+        return $this->helpers->type()->ensureNonEmptyString($federationTrustMarkEndpoint);
     }
 
     /**
@@ -283,6 +306,7 @@ public function verifyWithKeySet(?array $jwks = null, int $signatureIndex = 0):
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
+     * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
      */
     protected function validate(): void
     {
@@ -300,6 +324,7 @@ protected function validate(): void
             $this->getTrustMarks(...),
             $this->getTrustMarkOwners(...),
             $this->getFederationFetchEndpoint(...),
+            $this->getFederationTrustMarkEndpoint(...),
         );
     }
 }
diff --git a/src/Federation/TrustMarkFetcher.php b/src/Federation/TrustMarkFetcher.php
@@ -0,0 +1,133 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Federation;
+
+use Psr\Log\LoggerInterface;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\ContentTypesEnum;
+use SimpleSAML\OpenID\Decorators\DateIntervalDecorator;
+use SimpleSAML\OpenID\Exceptions\EntityStatementException;
+use SimpleSAML\OpenID\Exceptions\FetchException;
+use SimpleSAML\OpenID\Federation\Factories\TrustMarkFactory;
+use SimpleSAML\OpenID\Helpers;
+use SimpleSAML\OpenID\Jws\JwsFetcher;
+use SimpleSAML\OpenID\Utils\ArtifactFetcher;
+
+class TrustMarkFetcher extends JwsFetcher
+{
+    public function __construct(
+        private readonly TrustMarkFactory $parsedJwsFactory,
+        ArtifactFetcher $artifactFetcher,
+        DateIntervalDecorator $maxCacheDuration,
+        Helpers $helpers,
+        ?LoggerInterface $logger = null,
+    ) {
+        parent::__construct($parsedJwsFactory, $artifactFetcher, $maxCacheDuration, $helpers, $logger);
+    }
+
+    protected function buildJwsInstance(string $token): TrustMark
+    {
+        return $this->parsedJwsFactory->fromToken($token);
+    }
+
+    public function getExpectedContentTypeHttpHeader(): string
+    {
+        return ContentTypesEnum::ApplicationTrustMarkJwt->value;
+    }
+
+    /**
+     * @param \SimpleSAML\OpenID\Federation\EntityStatement $entityConfiguration Entity from which to use the
+     * federation_trust_mark_endpoint (issuer).
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\FetchException
+     * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
+     */
+    public function fromCacheOrFederationTrustMarkEndpoint(
+        string $trustMarkId,
+        string $subjectId,
+        EntityStatement $entityConfiguration,
+    ): TrustMark {
+        $trustMarkEndpoint = $entityConfiguration->getFederationTrustMarkEndpoint() ??
+        throw new EntityStatementException('No federation trust mark endpoint found in entity configuration.');
+
+        $this->logger?->debug(
+            'Trust Mark fetch from cache or federation trust mark endpoint.',
+            ['trustMarkId' => $trustMarkId, 'subjectId' => $subjectId, 'trustMarkEndpoint' => $trustMarkEndpoint],
+        );
+
+        return $this->fromCacheOrNetwork(
+            $this->helpers->url()->withParams(
+                $trustMarkEndpoint,
+                [
+                    ClaimsEnum::TrustMarkId->value => $trustMarkId,
+                    ClaimsEnum::Sub->value => $subjectId,
+                ],
+            ),
+        );
+    }
+
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\FetchException
+     */
+    public function fromCacheOrNetwork(string $uri): TrustMark
+    {
+        return $this->fromCache($uri) ?? $this->fromNetwork($uri);
+    }
+
+    /**
+     * Fetch Trust Mark from cache, if available. URI is used as cache key.
+     *
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\FetchException
+     */
+    public function fromCache(string $uri): ?TrustMark
+    {
+        $trustMark = parent::fromCache($uri);
+
+        if (is_null($trustMark)) {
+            return null;
+        }
+
+        if ($trustMark instanceof TrustMark) {
+            return $trustMark;
+        }
+
+        // @codeCoverageIgnoreStart
+        $message = 'Unexpected Trust Mark instance encountered for cache fetch.';
+        $this->logger?->error(
+            $message,
+            ['uri' => $uri, 'trustMark' => $trustMark],
+        );
+
+        throw new FetchException($message);
+        // @codeCoverageIgnoreEnd
+    }
+
+    /**
+     * Fetch Trust Mark from network. Each successful fetch will be cached, with URI being used as a cache key.
+     *
+     * @throws \SimpleSAML\OpenID\Exceptions\FetchException
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     */
+    public function fromNetwork(string $uri): TrustMark
+    {
+        $trustMark = parent::fromNetwork($uri);
+
+        if ($trustMark instanceof TrustMark) {
+            return $trustMark;
+        }
+
+        // @codeCoverageIgnoreStart
+        $message = 'Unexpected Trust Mark instance encountered for network fetch.';
+        $this->logger?->error(
+            $message,
+            ['uri' => $uri, 'trustMark' => $trustMark],
+        );
+
+        throw new FetchException($message);
+        // @codeCoverageIgnoreEnd
+    }
+}
diff --git a/src/Helpers/Arr.php b/src/Helpers/Arr.php
@@ -29,4 +29,31 @@ public function ensureArrayDepth(array &$array, int|string ...$keys): void
 
         $this->ensureArrayDepth($array[$key], ...$keys);
     }
+
+    /**
+     * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
+     * @param mixed[] $array
+     */
+    public function getNestedValue(array $array, int|string ...$keys): mixed
+    {
+        if (count($keys) > 99) {
+            throw new OpenIdException('Refusing to recurse to given depth.');
+        }
+
+        if (count($keys) < 1) {
+            return null;
+        }
+
+        if (count($keys) === 1) {
+            return $array[array_shift($keys)] ?? null;
+        }
+
+        $key = array_shift($keys);
+
+        if (!is_array($nestedArray = $array[$key] ?? null)) {
+            return null;
+        }
+
+        return $this->getNestedValue($nestedArray, ...$keys);
+    }
 }
diff --git a/src/Jws/JwsFetcher.php b/src/Jws/JwsFetcher.php
@@ -88,7 +88,7 @@ public function fromNetwork(string $uri): ParsedJws
 
         $response = $this->artifactFetcher->fromNetwork($uri);
 
-        if ($response->getStatusCode() !== 200) {
+        if ($response->getStatusCode() < 200 || $response->getStatusCode() > 299) {
             $message = sprintf(
                 'Unexpected HTTP response for JWS fetch, status code: %s, reason: %s. URI %s',
                 $response->getStatusCode(),
diff --git a/tests/src/Federation/EntityStatementFetcherTest.php b/tests/src/Federation/EntityStatementFetcherTest.php
@@ -131,7 +131,7 @@ public function testFetchFromCacheOrFetchEndpointThrowsIfNoFetchEndpoint(): void
             ->willReturn(null);
 
         $this->expectException(EntityStatementException::class);
-        $this->expectExceptionMessage('fetch');
+        $this->expectExceptionMessage('endpoint');
 
         $this->sut()->fromCacheOrFetchEndpoint('entityId', $this->entityStatementMock);
     }
diff --git a/tests/src/Federation/EntityStatementTest.php b/tests/src/Federation/EntityStatementTest.php
diff --git a/tests/src/Federation/TrustMarkFetcherTest.php b/tests/src/Federation/TrustMarkFetcherTest.php
diff --git a/tests/src/FederationTest.php b/tests/src/FederationTest.php
diff --git a/tests/src/Helpers/ArrTest.php b/tests/src/Helpers/ArrTest.php

Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,5 @@ enum ContentTypesEnum: string`
`8`	`8`	`{`
`9`	`9`	`case ApplicationJwt = 'application/jwt';`
`10`	`10`	`case ApplicationEntityStatementJwt = 'application/entity-statement+jwt';`
	`11`	`+ case ApplicationTrustMarkJwt = 'application/trust-mark+jwt';`
`11`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ public function testFetchFromCacheOrFetchEndpointThrowsIfNoFetchEndpoint(): void`
`131`	`131`	`->willReturn(null);`
`132`	`132`
`133`	`133`	`$this->expectException(EntityStatementException::class);`
`134`		`- $this->expectExceptionMessage('fetch');`
	`134`	`+ $this->expectExceptionMessage('endpoint');`
`135`	`135`
`136`	`136`	`$this->sut()->fromCacheOrFetchEndpoint('entityId', $this->entityStatementMock);`
`137`	`137`	`}`