simplesamlphp
diff --git a/‎src/Federation.php‎
Lines changed: 14 additions & 0 deletions b/‎src/Federation.php‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/Federation/EntityCollection.php‎
Lines changed: 78 additions & 3 deletions b/‎src/Federation/EntityCollection.php‎
Lines changed: 78 additions & 3 deletions
diff --git a/‎src/Federation/EntityCollection/EntityCollectionFilter.php‎
Lines changed: 44 additions & 46 deletions b/‎src/Federation/EntityCollection/EntityCollectionFilter.php‎
Lines changed: 44 additions & 46 deletions
diff --git a/‎src/Federation/EntityCollection/EntityCollectionPaginator.php‎
Lines changed: 5 additions & 5 deletions b/‎src/Federation/EntityCollection/EntityCollectionPaginator.php‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎src/Federation/EntityCollection/EntityCollectionResponseFactory.php‎
Lines changed: 28 additions & 11 deletions b/‎src/Federation/EntityCollection/EntityCollectionResponseFactory.php‎
Lines changed: 28 additions & 11 deletions
@@ -28,6 +28,7 @@
 use SimpleSAML\OpenID\Federation\EntityCollection\EntityCollectionStoreInterface;
 use SimpleSAML\OpenID\Federation\EntityCollection\InMemoryEntityCollectionStore;
 use SimpleSAML\OpenID\Federation\EntityStatementFetcher;
+use SimpleSAML\OpenID\Federation\Factories\EntityCollectionFactory;
 use SimpleSAML\OpenID\Federation\Factories\EntityStatementFactory;
 use SimpleSAML\OpenID\Federation\Factories\RequestObjectFactory;
 use SimpleSAML\OpenID\Federation\Factories\TrustChainBagFactory;
@@ -140,6 +141,8 @@ class Federation
 
     protected ?KeyPairResolver $keyPairResolver = null;
 
+    protected ?EntityCollectionFactory $entityCollectionFactory = null;
+
 
     public function __construct(
         protected readonly SupportedAlgorithms $supportedAlgorithms = new SupportedAlgorithms(),
@@ -377,6 +380,16 @@ public function entityCollectionStore(): EntityCollectionStoreInterface
     }
 
 
+    public function entityCollectionFactory(): EntityCollectionFactory
+    {
+        return $this->entityCollectionFactory ??= new EntityCollectionFactory(
+            $this->entityCollectionFilter(),
+            $this->entityCollectionSorter(),
+            $this->entityCollectionPaginator(),
+        );
+    }
+
+
     public function federationDiscovery(): FederationDiscovery
     {
         if (!$this->federationDiscovery instanceof \SimpleSAML\OpenID\Federation\FederationDiscovery) {
@@ -385,6 +398,7 @@ public function federationDiscovery(): FederationDiscovery
                 $this->subordinateListingFetcher(),
                 $this->entityCollectionStore(),
                 $this->maxCacheDurationDecorator(),
+                $this->entityCollectionFactory(),
                 $this->logger,
                 $this->maxDiscoveryDepth,
             );
 
@@ -4,22 +4,97 @@
 
 namespace SimpleSAML\OpenID\Federation;
 
+use SimpleSAML\OpenID\Federation\EntityCollection\EntityCollectionFilter;
+use SimpleSAML\OpenID\Federation\EntityCollection\EntityCollectionPaginator;
+use SimpleSAML\OpenID\Federation\EntityCollection\EntityCollectionSorter;
+
 class EntityCollection
 {
     /**
-     * @param array<string, array<string, mixed>> $entities  Keyed by entity ID, value is JWT payload
+     * @param array<string, array<string, mixed>> $entities  Keyed by entity ID,
+     * value is JWT payload
      */
     public function __construct(
-        protected readonly array $entities,
+        protected readonly EntityCollectionFilter $entityCollectionFilter,
+        protected readonly EntityCollectionSorter $entityCollectionSorter,
+        protected readonly EntityCollectionPaginator $entityCollectionPaginator,
+        protected array $entities,
+        protected ?string $nextPageToken = null,
     ) {
     }
 
 
     /**
      * @return array<string, array<string, mixed>>
      */
-    public function all(): array
+    public function getEntities(): array
     {
         return $this->entities;
     }
+
+
+    /**
+     * Apply filters to the collection. Supported criteria keys:
+     * - entity_type: array of entity types to include
+     * (e.g. ['openid_relying_party'])
+     * - trust_mark_type: array of trust mark types to include
+     * (e.g. ['https://example.com/marks/approved'])
+     * - query: string to search for in display_name, organization_name,
+     * and entity_id (case-insensitive)
+     *
+     * @param array{
+     *    entity_type?: string[],
+     *    trust_mark_type?: string[],
+     *    query?: string,
+     *  } $criteria
+     * @return $this
+     */
+    public function filter(array $criteria): static
+    {
+        $this->entities = $this->entityCollectionFilter->filter($this->entities, $criteria);
+
+        return $this;
+    }
+
+
+    /**
+     * @param non-empty-array<int, non-empty-string[]> $claimPaths
+     * @param 'asc'|'desc' $sortOrder
+     * @return $this
+     */
+    public function sortByMetadataClaims(array $claimPaths, string $sortOrder): static
+    {
+        $this->entities = $this->entityCollectionSorter->sortByMetadataClaims(
+            $this->entities,
+            $claimPaths,
+            $sortOrder,
+        );
+
+        return $this;
+    }
+
+
+    /**
+     * @param positive-int $limit Maximum number of entries to return
+     * @param string|null $from Opaque cursor (base64 encoded entity ID to start AFTER)
+     */
+    public function paginate(int $limit, ?string $from = null): static
+    {
+        [
+            'entities' => $this->entities,
+            'next' => $this->nextPageToken,
+            ] = $this->entityCollectionPaginator->paginate(
+                $this->entities,
+                $limit,
+                $from,
+            );
+
+        return $this;
+    }
+
+
+    public function getNextPageToken(): ?string
+    {
+        return $this->nextPageToken;
+    }
 }
@@ -5,7 +5,6 @@
 namespace SimpleSAML\OpenID\Federation\EntityCollection;
 
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
-use SimpleSAML\OpenID\Federation\EntityCollection;
 use SimpleSAML\OpenID\Helpers;
 
 class EntityCollectionFilter
@@ -17,23 +16,35 @@ public function __construct(
 
 
     /**
+     * Filters a list of entities based on the provided criteria.
+     *
+     * The method applies multiple filters in the following order:
+     * 1. Filters entities by their type, based on the 'entity_type' criteria.
+     * 2. Filters entities by their trust mark type, based on the
+     * 'trust_mark_type' criteria.
+     * 3. Filters entities by a textual query that checks multiple fields
+     * (e.g., `display_name` or `organization_name`).
+     *
+     * @param array<string, array<string, mixed>> $entities The list of entities
+     * to be filtered. Each entity is expected to be an associative array.
      * @param array{
-     *   entity_type?: string[],
-     *   trust_mark_type?: string,
-     *   query?: string,
-     *   trust_anchor?: string,
-     * } $criteria
-     * @return array<string, array<string, mixed>>  Filtered
-     * entity payloads keyed by entity ID
+     *    entity_type?: string[],
+     *    trust_mark_type?: string[],
+     *    query?: string,
+     *  } $criteria The array of filtering criteria. It may contain:
+     *  - 'entity_type': An array of entity types to filter by.
+     *  - 'trust_mark_type': An array of trust mark types to filter by.
+     *  - 'query': A string used to perform a case-insensitive search on
+     *  specific fields.
+     * @return array<string, array<string, mixed>> The filtered list of entities
+     * that match all provided criteria.
      */
-    public function filter(EntityCollection $entityCollection, array $criteria): array
+    public function filter(array $entities, array $criteria): array
     {
-        $filtered = $entityCollection->all();
-
         // 1. entity_type
         if (isset($criteria['entity_type']) && $criteria['entity_type'] !== []) {
             $types = $criteria['entity_type'];
-            $filtered = array_filter($filtered, function (array $payload) use ($types): bool {
+            $entities = array_filter($entities, function (array $payload) use ($types): bool {
                 $metadata = $payload[ClaimsEnum::Metadata->value] ?? null;
                 if (!is_array($metadata)) {
                     return false;
@@ -50,26 +61,35 @@ public function filter(EntityCollection $entityCollection, array $criteria): arr
         }
 
         // 2. trust_mark_type
-        if (isset($criteria['trust_mark_type'])) {
-            $tmType = $criteria['trust_mark_type'];
-            $filtered = array_filter($filtered, function (array $payload) use ($tmType): bool {
-                $marks = $payload[ClaimsEnum::TrustMarks->value] ?? null;
-                if (is_array($marks)) {
-                    foreach ($marks as $mark) {
-                        if (is_array($mark) && ($mark[ClaimsEnum::TrustMarkType->value] ?? null) === $tmType) {
-                            return true;
-                        }
+        if (isset($criteria['trust_mark_type']) && $criteria['trust_mark_type'] !== []) {
+            $criteriaTrustMarkTypes = $criteria['trust_mark_type'];
+            $entities = array_filter($entities, function (array $payload) use ($criteriaTrustMarkTypes): bool {
+                $entityTrustMarks = $payload[ClaimsEnum::TrustMarks->value] ?? null;
+                if (!is_array($entityTrustMarks)) {
+                    return false;
+                }
+
+                $entityTrustMarkTypes = [];
+                foreach ($entityTrustMarks as $mark) {
+                    if (is_array($mark) && isset($mark[ClaimsEnum::TrustMarkType->value])) {
+                        $entityTrustMarkTypes[] = $mark[ClaimsEnum::TrustMarkType->value];
                     }
                 }
 
-                return false;
+                foreach ($criteriaTrustMarkTypes as $tmType) {
+                    if (!in_array($tmType, $entityTrustMarkTypes, true)) {
+                        return false;
+                    }
+                }
+
+                return true;
             });
         }
 
         // 3. query
         if (isset($criteria['query']) && $criteria['query'] !== '') {
             $q = mb_strtolower($criteria['query']);
-            $filtered = array_filter($filtered, function (array $payload) use ($q): bool {
+            $entities = array_filter($entities, function (array $payload) use ($q): bool {
                 $sub = is_string($payload[ClaimsEnum::Sub->value] ?? null) ?
                 mb_strtolower($payload[ClaimsEnum::Sub->value]) :
                 '';
@@ -105,28 +125,6 @@ public function filter(EntityCollection $entityCollection, array $criteria): arr
             });
         }
 
-        // 4. trust_anchor (simple prefix match for now as per spec suggestion,
-        // or more complex if needed). Historically, in some federation
-        // implementations, subordination is indicated via id prefix or
-        // specific claims. For this building block, we'll implement it as a
-        // filter on the authority hint if possible.
-        if (isset($criteria['trust_anchor'])) {
-            $ta = $criteria['trust_anchor'];
-            $filtered = array_filter($filtered, function (array $payload) use ($ta): bool {
-                // In a top-down traversal, everything is subordinate to the TA we started with.
-                // If the collection contains multiple TAs, we would check authority_hints.
-                $hints = $this->helpers->arr()->getNestedValue(
-                    $payload,
-                    ClaimsEnum::AuthorityHints->value,
-                );
-                if (is_array($hints)) {
-                    return in_array($ta, $hints, true);
-                }
-
-                return false;
-            });
-        }
-
-        return $filtered;
+        return $entities;
     }
 }
@@ -16,11 +16,11 @@ public function __construct(
 
 
     /**
-     * @template T
-     * @param array<string, T> $entities  Full ordered result set (pre-sorted)
-     * @param positive-int $limit  Maximum number of entries to return
-     * @param string|null  $from   Opaque cursor (base64 encoded entity ID to start AFTER)
-     * @return array{entities: array<string, T>, next: ?string}
+     * @param array<string, array<string, mixed>> $entities The list of entities
+     * to be paginate, ordered (pre-sorted).
+     * @param positive-int $limit Maximum number of entries to return
+     * @param string|null  $from Opaque cursor (base64 encoded entity ID to start AFTER)
+     * @return array{entities: array<string, array<string, mixed>>, next: ?string}
      */
     public function paginate(array $entities, int $limit, ?string $from = null): array
     {
 
@@ -29,7 +29,7 @@ public function __construct(
      *   trust_mark_type?: string,
      *   query?: string,
      *   trust_anchor?: string,
-     *   sort_by?: string,
+     *   sort_by?: string|string[],
      *   sort_dir?: 'asc'|'desc',
      *   entity_claims?: string[],
      *   ui_claims?: string[],
@@ -41,27 +41,44 @@ public function build(string $trustAnchorId, array $requestParams = []): EntityC
     {
         // 1. Discover full configurations
         $entities = $this->federationDiscovery->discover($trustAnchorId);
-        $collection = new EntityCollection($entities);
+        $collection = new EntityCollection(
+            $this->filter,
+            $this->sorter,
+            $this->paginator,
+            $entities->getEntities(),
+        );
 
         // 2. Filter
-        $filtered = $this->filter->filter($collection, $requestParams);
+        $collection->filter($requestParams);
 
         // 3. Sort
         if (isset($requestParams['sort_by'])) {
-            $path = explode('.', $requestParams['sort_by']);
-            /** @var non-empty-string[] $path */
-            $filtered = $this->sorter->sortByMetadataClaim(
-                $filtered,
-                $path,
-                (string)($requestParams['sort_dir'] ?? 'asc'),
-            );
+            $sortByParams = is_array($requestParams['sort_by'])
+            ? $requestParams['sort_by']
+            : [$requestParams['sort_by']];
+
+            $claimPaths = [];
+            foreach ($sortByParams as $sortBy) {
+                if (!is_string($sortBy)) {
+                    continue;
+                }
+                $claimPaths[] = explode('.', $sortBy);
+            }
+
+            if ($claimPaths !== []) {
+                /** @var non-empty-array<int, non-empty-string[]> $claimPaths */
+                $collection->sortByMetadataClaims(
+                    $claimPaths,
+                    (string)($requestParams['sort_dir'] ?? 'asc'),
+                );
+            }
         }
 
         // 4. Claims sub-selection (Projection)
         $entries = [];
         $uiClaims = $requestParams['ui_claims'] ?? null;
 
-        foreach ($filtered as $id => $payload) {
+        foreach ($collection->getEntities() as $id => $payload) {
             $metadata = $payload[ClaimsEnum::Metadata->value] ?? [];
             if (!is_array($metadata)) {
                 $metadata = [];