Merge branch 'master' into feature/xsd-types

Author: tvdijen

.github/workflows/documentation.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: [ubuntu-latest]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Lint markdown files
         uses: nosborn/github-action-markdown-cli@v3

.github/workflows/interoperability.yml

@@ -47,7 +47,7 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Cache composer dependencies
         uses: actions/cache@v4

.github/workflows/php.yml

@@ -21,7 +21,7 @@ jobs:
       matrix:
         php-version: ['8.1', '8.2', '8.3', '8.4']
 
-    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_phplinter.yml@v1.9.2
+    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_phplinter.yml@v1.10.0
     with:
       php-version: ${{ matrix.php-version }}
 
@@ -30,7 +30,7 @@ jobs:
     strategy:
       fail-fast: false
 
-    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_linter.yml@v1.9.2
+    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_linter.yml@v1.10.0
     with:
       enable_eslinter: false
       enable_jsonlinter: true
@@ -69,7 +69,7 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
@@ -131,7 +131,7 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$env:GITHUB_ENV"
@@ -168,7 +168,7 @@ jobs:
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
@@ -220,7 +220,7 @@ jobs:
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
@@ -249,9 +249,9 @@ jobs:
     runs-on: [ubuntu-latest]
     needs: [unit-tests-linux]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v5
         with:
           name: coverage-data
           path: ${{ github.workspace }}/build

src/XML/element.registry.php classes/element.registry.phpsrc/XML/element.registry.php renamed to classes/element.registry.php

@@ -41,6 +41,7 @@
         "beste/clock": "~3.0.0",
         "mockery/mockery": "~1.6.12",
         "simplesamlphp/simplesamlphp-test-framework": "~1.9.3"
+        "simplesamlphp/simplesamlphp-test-framework": "~1.9.2"
     },
     "suggest": {
         "ext-soap": "*"

composer.json

@@ -36,6 +36,11 @@ class Constants extends \SimpleSAML\XMLSecurity\Constants
      */
     public const ATTR_SUBJECT_ID = 'urn:oasis:names:tc:SAML:attribute:subject-id';
 
+    /**
+     * Subject signal attribute
+     */
+    public const PROFILE_SUBJECT_ID_REQ = 'urn:oasis:names:tc:SAML:profiles:subject-id:req';
+
     /**
      * The URN for the Holder-of-Key Web Browser SSO Profile binding
      */

src/Constants.php

@@ -6,6 +6,7 @@
 
 use SimpleSAML\SAML2\Assert\Assert;
 use SimpleSAML\SAML2\Compat\ContainerSingleton;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\XMLSecurity\Exception\ReferenceValidationFailedException;
 use SimpleSAML\XMLSecurity\XML\ds\Signature;
 use SimpleSAML\XMLSecurity\XML\SignedElementTrait as BaseSignedElementTrait;
@@ -45,6 +46,18 @@ protected function setSignature(Signature $signature): void
             ReferenceValidationFailedException::class,
         );
 
+        /**
+         * E91: Disallow <ds:Object> element in signatures
+         *
+         * The <ds:Object> element is not defined for use with SAML signatures, and SHOULD NOT be present.
+         */
+
+        Assert::isEmpty(
+            $signature->getObjects(),
+            ProtocolViolationException::class,
+            'The <ds:Object> element is not defined for use with SAML signatures, and SHOULD NOT be present.',
+        );
+
         $this->signature = $signature;
     }
 

src/XML/SignedElementTrait.php

@@ -95,7 +95,9 @@ public function __construct(
             'All md:AttributeConsumingService endpoints must be an instance of AttributeConsumingService.',
         );
 
-        // test that only one ACS is marked as default
+        /**
+         * E87:  test that only one ACS is marked as default
+         */
         Assert::maxCount(
             array_filter(
                 $attributeConsumingService,
@@ -104,7 +106,7 @@ function (AttributeConsumingService $acs) {
                 },
             ),
             1,
-            'Only one md:AttributeConsumingService can be set as default.',
+            'At most one <AttributeConsumingService> element can have the attribute isDefault set to true.',
         );
     }
 

src/XML/md/SPSSODescriptor.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\XML\subjectid;
+
+enum SignalEnum: string
+{
+    /**
+     * The value MUST be one of the following, signaling the corresponding requirement:
+     */
+
+    /**
+     * The relying party requires the standard identifier Attribute defined in Section 3.3.
+     *
+     * - subject-id
+     */
+    case SUBJECT_ID = 'subject-id';
+
+    /**
+     * The relying party requires the pair-wise identifier Attribute defined in Section 3.4.
+     *
+     * - pairwise-id
+     */
+    case PAIRWISE_ID = 'pairwise-id';
+
+    /**
+     * The relying party does not require any subject identifier and is designed to operate without a
+     * specific user identity (e.g., with authorization based on non-identifying data).
+     *
+     * - none
+     */
+    case NONE = 'none';
+
+    /**
+     * The relying party will accept any of the identifier Attributes defined in this profile but requires at least one.
+     *
+     * - any
+     */
+    case ANY = 'any';
+}

src/XML/subjectid/SignalEnum.php

@@ -23,7 +23,7 @@ final class ElementRegistryTest extends TestCase
      */
     public function testElementRegistry(): void
     {
-        $elementRegistry = dirname(__FILE__, 4) . '/src/XML/element.registry.php';
+        $elementRegistry = dirname(__FILE__, 4) . '/classes/element.registry.php';
         $namespaces = include($elementRegistry);
 
         foreach ($namespaces as $namespaceURI => $elements) {