WIP

Author: cicnavi

src/Codebooks/ClaimsEnum.php

@@ -173,6 +173,10 @@ enum ClaimsEnum: string
 
     case Expiration_Date = 'expirationDate';
 
+    case EntityTypes = 'entity_types';
+
+    case FederationCollectionEndpoint = 'federation_collection_endpoint';
+
     case FederationFetchEndpoint = 'federation_fetch_endpoint';
 
     case FederationListEndpoint = 'federation_list_endpoint';

src/Exceptions/EntityDiscoveryException.php

@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Exceptions;
+
+class EntityDiscoveryException extends OpenIdException
+{
+}

src/Federation.php

@@ -19,6 +19,13 @@
 use SimpleSAML\OpenID\Factories\DateIntervalDecoratorFactory;
 use SimpleSAML\OpenID\Factories\HttpClientDecoratorFactory;
 use SimpleSAML\OpenID\Factories\JwsSerializerManagerDecoratorFactory;
+use SimpleSAML\OpenID\Federation\CacheEntityCollectionStore;
+use SimpleSAML\OpenID\Federation\EntityCollectionBuilder;
+use SimpleSAML\OpenID\Federation\EntityCollectionFetcher;
+use SimpleSAML\OpenID\Federation\EntityCollectionFilter;
+use SimpleSAML\OpenID\Federation\EntityCollectionPaginator;
+use SimpleSAML\OpenID\Federation\EntityCollectionSorter;
+use SimpleSAML\OpenID\Federation\EntityCollectionStoreInterface;
 use SimpleSAML\OpenID\Federation\EntityStatementFetcher;
 use SimpleSAML\OpenID\Federation\Factories\EntityStatementFactory;
 use SimpleSAML\OpenID\Federation\Factories\RequestObjectFactory;
@@ -27,12 +34,16 @@
 use SimpleSAML\OpenID\Federation\Factories\TrustMarkDelegationFactory;
 use SimpleSAML\OpenID\Federation\Factories\TrustMarkFactory;
 use SimpleSAML\OpenID\Federation\Factories\TrustMarkStatusResponseFactory;
+use SimpleSAML\OpenID\Federation\FederationDiscovery;
+use SimpleSAML\OpenID\Federation\InMemoryEntityCollectionStore;
 use SimpleSAML\OpenID\Federation\MetadataPolicyApplicator;
 use SimpleSAML\OpenID\Federation\MetadataPolicyResolver;
+use SimpleSAML\OpenID\Federation\SubordinateListingFetcher;
 use SimpleSAML\OpenID\Federation\TrustChainResolver;
 use SimpleSAML\OpenID\Federation\TrustMarkFetcher;
 use SimpleSAML\OpenID\Federation\TrustMarkStatusResponseFetcher;
 use SimpleSAML\OpenID\Federation\TrustMarkValidator;
+use SimpleSAML\OpenID\Helpers;
 use SimpleSAML\OpenID\Jwks\Factories\JwksDecoratorFactory;
 use SimpleSAML\OpenID\Jws\Factories\JwsDecoratorBuilderFactory;
 use SimpleSAML\OpenID\Jws\Factories\JwsVerifierDecoratorFactory;
@@ -50,6 +61,8 @@ class Federation
 
     protected int $maxTrustChainDepth;
 
+    protected int $maxDiscoveryDepth;
+
     protected ?CacheDecorator $cacheDecorator;
 
     protected HttpClientDecorator $httpClientDecorator;
@@ -60,6 +73,20 @@ class Federation
 
     protected ?JwsVerifierDecorator $jwsVerifierDecorator  = null;
 
+    protected ?SubordinateListingFetcher $subordinateListingFetcher = null;
+
+    protected ?FederationDiscovery $federationDiscovery = null;
+
+    protected ?EntityCollectionFetcher $entityCollectionFetcher = null;
+
+    protected ?EntityCollectionFilter $entityCollectionFilter = null;
+
+    protected ?EntityCollectionSorter $entityCollectionSorter = null;
+
+    protected ?EntityCollectionPaginator $entityCollectionPaginator = null;
+
+    protected ?EntityCollectionBuilder $entityCollectionBuilder = null;
+
     protected ?EntityStatementFetcher $entityStatementFetcher = null;
 
     protected ?MetadataPolicyResolver $metadataPolicyResolver = null;
@@ -126,11 +153,13 @@ public function __construct(
         ?Client $client = null,
         // phpcs:ignore
         protected readonly TrustMarkStatusEndpointUsagePolicyEnum $defaultTrustMarkStatusEndpointUsagePolicyEnum = TrustMarkStatusEndpointUsagePolicyEnum::NotUsed,
+        int $maxDiscoveryDepth = 10,
     ) {
         $this->maxCacheDurationDecorator = $this->dateIntervalDecoratorFactory()->build($maxCacheDuration);
         $this->timestampValidationLeewayDecorator = $this->dateIntervalDecoratorFactory()
             ->build($timestampValidationLeeway);
         $this->maxTrustChainDepth = min(20, max(1, $maxTrustChainDepth));
+        $this->maxDiscoveryDepth = max(1, $maxDiscoveryDepth);
         $this->cacheDecorator = is_null($cache) ? null : $this->cacheDecoratorFactory()->build($cache);
         $this->httpClientDecorator = $this->httpClientDecoratorFactory()->build($client);
     }
@@ -321,6 +350,80 @@ public function trustMarkFetcher(): TrustMarkFetcher
     }
 
 
+    public function subordinateListingFetcher(): SubordinateListingFetcher
+    {
+        return $this->subordinateListingFetcher ??= new SubordinateListingFetcher(
+            $this->artifactFetcher(),
+            $this->helpers(),
+            $this->logger,
+        );
+    }
+
+
+    public function federationDiscovery(?EntityCollectionStoreInterface $store = null): FederationDiscovery
+    {
+        if (!$this->federationDiscovery instanceof \SimpleSAML\OpenID\Federation\FederationDiscovery) {
+            $effectiveStore = $store ?? ($this->cacheDecorator() instanceof \SimpleSAML\OpenID\Decorators\CacheDecorator
+                ? new CacheEntityCollectionStore($this->cacheDecorator())
+                : new InMemoryEntityCollectionStore());
+
+            $this->federationDiscovery = new FederationDiscovery(
+                $this->entityStatementFetcher(),
+                $this->subordinateListingFetcher(),
+                $effectiveStore,
+                $this->maxCacheDurationDecorator(),
+                $this->logger,
+                $this->maxDiscoveryDepth,
+            );
+        }
+
+        return $this->federationDiscovery;
+    }
+
+
+    public function entityCollectionFetcher(): EntityCollectionFetcher
+    {
+        return $this->entityCollectionFetcher ??= new EntityCollectionFetcher(
+            $this->artifactFetcher(),
+            $this->helpers(),
+            $this->logger,
+        );
+    }
+
+
+    public function entityCollectionFilter(): EntityCollectionFilter
+    {
+        return $this->entityCollectionFilter ??= new EntityCollectionFilter($this->helpers());
+    }
+
+
+    public function entityCollectionSorter(): EntityCollectionSorter
+    {
+        return $this->entityCollectionSorter ??= new EntityCollectionSorter($this->helpers());
+    }
+
+
+    public function entityCollectionPaginator(): EntityCollectionPaginator
+    {
+        return $this->entityCollectionPaginator ??= new EntityCollectionPaginator();
+    }
+
+
+    /**
+     * @param \SimpleSAML\OpenID\Federation\EntityCollectionStoreInterface|null $store  Forwarded to
+     * federationDiscovery()
+     */
+    public function entityCollectionBuilder(?EntityCollectionStoreInterface $store = null): EntityCollectionBuilder
+    {
+        return $this->entityCollectionBuilder ??= new EntityCollectionBuilder(
+            $this->federationDiscovery($store),
+            $this->entityCollectionFilter(),
+            $this->entityCollectionSorter(),
+            $this->entityCollectionPaginator(),
+        );
+    }
+
+
     public function helpers(): Helpers
     {
         return $this->helpers ??= new Helpers();

src/Federation/CacheEntityCollectionStore.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Federation;
+
+use SimpleSAML\OpenID\Decorators\CacheDecorator;
+use Throwable;
+
+class CacheEntityCollectionStore implements EntityCollectionStoreInterface
+{
+    private const PREFIX = 'federation_entity_ids';
+
+
+    public function __construct(
+        private readonly CacheDecorator $cacheDecorator,
+    ) {
+    }
+
+
+    public function storeEntityIds(string $trustAnchorId, array $entityIds, int $ttl): void
+    {
+        try {
+            $this->cacheDecorator->set(
+                json_encode($entityIds, JSON_THROW_ON_ERROR),
+                $ttl,
+                self::PREFIX,
+                $trustAnchorId,
+            );
+        } catch (Throwable) {
+            // Log if needed, or ignore for now as per ArtifactFetcher pattern
+        }
+    }
+
+
+    public function getEntityIds(string $trustAnchorId): ?array
+    {
+        try {
+            /** @var ?string $cached */
+            $cached = $this->cacheDecorator->get(null, self::PREFIX, $trustAnchorId);
+
+            if (is_null($cached)) {
+                return null;
+            }
+
+            /** @var non-empty-string[] $decoded */
+            $decoded = json_decode($cached, true, 512, JSON_THROW_ON_ERROR);
+
+            return $decoded;
+        } catch (Throwable) {
+            return null;
+        }
+    }
+
+
+    public function clearEntityIds(string $trustAnchorId): void
+    {
+        try {
+            $this->cacheDecorator->delete(self::PREFIX, $trustAnchorId);
+        } catch (Throwable) {
+            // Ignore
+        }
+    }
+}

src/Federation/EntityCollection.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Federation;
+
+class EntityCollection
+{
+    /**
+     * @param array<string, \SimpleSAML\OpenID\Federation\EntityStatement> $entities  Keyed by entity ID
+     */
+    public function __construct(
+        public readonly array $entities,
+    ) {
+    }
+}

src/Federation/EntityCollectionBuilder.php

@@ -0,0 +1,116 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\Federation;
+
+class EntityCollectionBuilder
+{
+    public function __construct(
+        private readonly FederationDiscovery $federationDiscovery,
+        private readonly EntityCollectionFilter $filter,
+        private readonly EntityCollectionSorter $sorter,
+        private readonly EntityCollectionPaginator $paginator,
+    ) {
+    }
+
+
+    /**
+     * Build an EntityCollectionResponse.
+     *
+     * @param non-empty-string $trustAnchorId
+     * @param array{
+     *   entity_type?: string[],
+     *   trust_mark_type?: string,
+     *   query?: string,
+     *   trust_anchor?: string,
+     *   sort_by?: string,
+     *   sort_dir?: 'asc'|'desc',
+     *   entity_claims?: string[],
+     *   ui_claims?: string[],
+     *   limit?: positive-int|string,
+     *   from?: string,
+     * } $requestParams
+     */
+    public function build(string $trustAnchorId, array $requestParams = []): EntityCollectionResponse
+    {
+        // 1. Discover and fetch full configurations
+        $entities = $this->federationDiscovery->discoverAndFetch($trustAnchorId);
+        $collection = new EntityCollection($entities);
+
+        // 2. Filter
+        $filtered = $this->filter->filter($collection, $requestParams);
+
+        // 3. Sort
+        if (isset($requestParams['sort_by'])) {
+            $path = explode('.', $requestParams['sort_by']);
+            /** @var non-empty-string[] $path */
+            $filtered = $this->sorter->sortByMetadataClaim(
+                $filtered,
+                $path,
+                (string)($requestParams['sort_dir'] ?? 'asc'),
+            );
+        }
+
+        // 4. Claims sub-selection (Projection)
+        $entries = [];
+        $uiClaims = $requestParams['ui_claims'] ?? null;
+
+        foreach ($filtered as $id => $statement) {
+            $metadata = $statement->getMetadata() ?? [];
+            /** @var non-empty-string[] $entityTypes */
+            $entityTypes = array_keys($metadata);
+
+            // ui_info projection
+            $uiInfo = null;
+            if (is_array($uiClaims) && $uiClaims !== []) {
+                $uiInfo = [];
+                foreach ($metadata as $payload) {
+                    if (!is_array($payload)) {
+                        continue;
+                    }
+
+                    foreach ($uiClaims as $claim) {
+                        if (isset($payload[$claim])) {
+                            $uiInfo[$claim] = $payload[$claim];
+                        }
+                    }
+                }
+            }
+
+            // trust_marks projection is handled by getting them from statement
+            $trustMarks = null;
+            try {
+                // In a real projection, we might filter which trust marks to return,
+                // but for now we return all if asked or if no specific selection is implemented.
+                $trustMarks = $statement->getTrustMarks();
+            } catch (\Throwable) {
+            }
+
+            // If entity_claims is provided, we might want to filter the metadata itself,
+            // but the EntityCollectionEntry DTO currently separates ui_info.
+            // For now, project into the Entry VO.
+            /** @var non-empty-string $id */
+            $entries[$id] = new EntityCollectionEntry(
+                $id,
+                $entityTypes,
+                $uiInfo,
+                $trustMarks?->jsonSerialize(),
+            );
+        }
+
+        // 5. Paginate
+        $limit = isset($requestParams['limit']) ? (int)$requestParams['limit'] : 100;
+        $limit = max(1, $limit);
+
+        $from = $requestParams['from'] ?? null;
+
+        $paginated = $this->paginator->paginate($entries, $limit, $from);
+
+        return new EntityCollectionResponse(
+            array_values($paginated['entities']),
+            $paginated['next'],
+            time(), // last_updated
+        );
+    }
+}