Add constants and enums for saml:Action and validate the contents of the lement

tvdijen · tvdijen · commit c2ab36b06e52 · 2025-12-22T12:53:57.000+01:00
diff --git a/src/Constants.php b/src/Constants.php
@@ -464,6 +464,21 @@ class Constants extends \SimpleSAML\XMLSecurity\Constants
      */
     public const string STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch';
 
+    /**
+     * Read/Write/Execute/Delete/Control
+     */
+    public const string ACTION_RWEDC = 'urn:oasis:names:tc:SAML:1.0:action:rwedc';
+
+    /**
+     * Read/Write/Execute/Delete/Control with Negation
+     */
+    public const string ACTION_RWEDC_NEGATION = 'urn:oasis:names:tc:SAML:1.0:action:rwedc-negation';
+
+    /**
+     * Get/Head/Put/Post
+     */
+    public const string ACTION_GHPP = 'urn:oasis:names:tc:SAML:1.0:action:ghpp';
+
     /**
      * The maximum size for any entityid as per specification
      */
diff --git a/src/XML/saml/Action.php b/src/XML/saml/Action.php
@@ -6,11 +6,14 @@
 
 use DOMElement;
 use SimpleSAML\SAML2\Assert\Assert;
+use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
 use SimpleSAML\XML\TypedTextContentTrait;
 use SimpleSAML\XMLSchema\Exception\InvalidDOMElementException;
 
+use function array_column;
 use function strval;
 
 /**
@@ -38,6 +41,26 @@ public function __construct(
         protected SAMLAnyURIValue $namespace,
         SAMLStringValue $content,
     ) {
+        if ($namespace->equals(C::ACTION_RWEDC)) {
+            Assert::oneOf(
+                $content->getValue(),
+                array_column(RWEDCEnum::cases(), 'value'),
+                ProtocolViolationException::class,
+            );
+        } elseif ($namespace->equals(C::ACTION_RWEDC_NEGATION)) {
+            Assert::oneOf(
+                $content->getValue(),
+                array_column(RWEDCNegationEnum::cases(), 'value'),
+                ProtocolViolationException::class,
+            );
+        } elseif ($namespace->equals(C::ACTION_GHPP)) {
+            Assert::oneOf(
+                $content->getValue(),
+                array_column(GHPPEnum::cases(), 'value'),
+                ProtocolViolationException::class,
+            );
+        }
+
         $this->setContent($content);
     }
 
@@ -61,7 +84,7 @@ public function getNamespace(): SAMLAnyURIValue
      */
     public static function fromXML(DOMElement $xml): static
     {
-        Assert::same($xml->localName, 'Action', InvalidDOMElementException::class);
+        Assert::same($xml->localName, static::getLocalName(), InvalidDOMElementException::class);
         Assert::same($xml->namespaceURI, Action::NS, InvalidDOMElementException::class);
 
         return new self(
diff --git a/src/XML/saml/GHPPEnum.php b/src/XML/saml/GHPPEnum.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\XML\saml;
+
+enum GHPPEnum: string
+{
+    case GET = 'GET';
+    case HEAD = 'HEAD';
+    case PUT = 'PUT';
+    case POST = 'POST';
+}
diff --git a/src/XML/saml/RWEDCEnum.php b/src/XML/saml/RWEDCEnum.php
@@ -0,0 +1,14 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\XML\saml;
+
+enum RWEDCEnum: string
+{
+    case Read = 'Read';
+    case Write = 'Write';
+    case Execute = 'Execute';
+    case Delete = 'Delete';
+    case Control = 'Control';
+}
diff --git a/src/XML/saml/RWEDCNegationEnum.php b/src/XML/saml/RWEDCNegationEnum.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\XML\saml;
+
+enum RWEDCNegationEnum: string
+{
+    case Read = 'Read';
+    case Write = 'Write';
+    case Execute = 'Execute';
+    case Delete = 'Delete';
+    case Control = 'Control';
+    case NotRead = '~Read';
+    case NotWrite = '~Write';
+    case NotExecute = '~Execute';
+    case NotDelete = '~Delete';
+    case NotControl = '~Control';
+}
