SSP 2.5 compatibility

.github/workflows/documentation.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: [ubuntu-latest]
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Lint markdown files
         uses: nosborn/github-action-markdown-cli@v3

.github/workflows/sonar.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: SonarQube Scan
         uses: SonarSource/sonarqube-scan-action@v2
         env:
@@ -17,4 +17,4 @@ jobs:
         with:
           args: >
             -Dsonar.projectKey=${{ github.event.repository.name }}
-            -Dsonar.projectName=${{ github.event.repository.name }}
+            -Dsonar.projectName=${{ github.event.repository.name }}

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-versions: ["8.2", "8.3"]
+        php-versions: ["8.3", "8.4", "8.5"]
 
     steps:
       - name: Setup PHP, with composer and extensions
@@ -35,14 +35,14 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -55,7 +55,7 @@ jobs:
         run: composer install --no-progress --prefer-dist --optimize-autoloader
 
       - name: Decide whether to run code coverage or not
-        if: ${{ matrix.php-versions != '8.2' }}
+        if: ${{ matrix.php-versions != '8.5' }}
         run: |
           echo "NO_COVERAGE=--no-coverage" >> $GITHUB_ENV
 
@@ -70,13 +70,13 @@ jobs:
           ./vendor/bin/phpunit $NO_COVERAGE --no-configuration -c phpunit.integration.xml
 
       - name: Merge coverage data
-        if: ${{ matrix.php-versions == '8.2' }}
+        if: ${{ matrix.php-versions == '8.5' }}
         run: |
           ./vendor/bin/phpunit-merger log build/logs/partial_junit/ build/logs/junit.xml
           ./vendor/bin/phpunit-merger coverage build/logs/partial_clover/ build/logs/clover.xml
 
       - name: Save coverage data
-        if: ${{ matrix.php-versions == '8.2' }}
+        if: ${{ matrix.php-versions == '8.5' }}
         uses: actions/upload-artifact@v4
         with:
           name: build-data
@@ -89,22 +89,22 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.2"
+          php-version: "8.3"
           extensions: mbstring, xml
           tools: composer:v2
           coverage: none
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -130,22 +130,22 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.2"
+          php-version: "8.3"
           extensions: mbstring, xml
           tools: composer:v2
           coverage: none
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -163,21 +163,21 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.2"
+          php-version: "8.5"
           tools: composer:v2
           extensions: mbstring, xml
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -211,12 +211,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ssp-version: ["v2.3.7", "v2.4.4"]
+        ssp-version: ["v2.5.0"]
     env:
       SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
       VERSION: release-v5.1.35
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           path: main
       - name: Setup Python Dependencies

composer.json

@@ -17,7 +17,7 @@
         }
     ],
     "require": {
-        "php": "^8.2",
+        "php": "^8.3",
         "ext-curl": "*",
         "ext-json": "*",
         "ext-openssl": "*",
@@ -33,20 +33,18 @@
         "simplesamlphp/composer-module-installer": "^1.3",
         "simplesamlphp/openid": "~v0.1.1",
         "spomky-labs/base64url": "^2.0",
-        "symfony/expression-language": "^6.3",
-        "symfony/psr-http-message-bridge": "^7.1",
+        "symfony/expression-language": "^7.4",
+        "symfony/psr-http-message-bridge": "^7.4",
         "web-token/jwt-framework": "^3",
-        "symfony/cache": "^6.4",
+        "symfony/cache": "^7.4",
         "psr/simple-cache": "^3"
     },
     "require-dev": {
         "friendsofphp/php-cs-fixer": "^3",
-        "phpunit/phpunit": "^10",
-        "rector/rector": "^0.18.3",
-        "simplesamlphp/simplesamlphp": "2.3.*",
-        "simplesamlphp/simplesamlphp-test-framework": "^1.5",
-        "squizlabs/php_codesniffer": "^3",
-        "vimeo/psalm": "^5",
+        "rector/rector": "^1.2.10",
+        "simplesamlphp/simplesamlphp": "2.5.*",
+        "simplesamlphp/simplesamlphp-test-framework": "^1.9.3",
+        "vimeo/psalm": "^6.15.1",
         "testcontainers/testcontainers": "^0.2",
         "nimut/phpunit-merger": "^2.0"
     },
@@ -57,6 +55,7 @@
         "sort-packages": true,
         "allow-plugins": {
             "dealerdirect/phpcodesniffer-composer-installer": true,
+            "php-http/discovery": true,
             "phpstan/extension-installer": true,
             "simplesamlphp/composer-module-installer": true,
             "simplesamlphp/composer-xmlprovider-installer": true

docker/Dockerfile

@@ -1,6 +1,6 @@
-ARG SSP_VERSION="v2.4.4"
-FROM cirrusid/simplesamlphp:${SSP_VERSION}
-#FROM cicnavi/simplesamlphp:${SSP_VERSION}
+ARG SSP_VERSION="v2.5.0"
+#FROM cirrusid/simplesamlphp:${SSP_VERSION}
+FROM cicnavi/simplesamlphp:${SSP_VERSION}
 
 RUN apt-get update && apt-get --no-install-recommends install -y sqlite3
 # Prepopulate the DB with items needed for testing

docs/1-oidc.md

@@ -34,16 +34,16 @@ OIDFed is implemented using the
 
 Minor versions listed show which SimpleSAMLphp versions were used during
 module development. SimpleSAMLphp follows semantic versioning for its
-API since v2.0. For example, v5.\* of the OIDC module should work with
-any v2.\* of SimpleSAMLphp. PHP version requirements may differ.
-
-| OIDC module | Tested SimpleSAMLphp |  PHP   | Note        |
-|:------------|:---------------------|:------:|-------------|
-| v6.\*       | v2.3.\*, v2.4.\*     | \>=8.2 | Recommended |
-| v5.\*       | v2.1.\*              | \>=8.1 |             |
-| v4.\*       | v2.0.\*              | \>=8.0 |             |
-| v3.\*       | v2.0.\*              | \>=7.4 |             |
-| v2.\*       | v1.19.\*             | \>=7.4 |             |
+API since v2.0. PHP version requirements may differ.
+
+| OIDC module | Tested SimpleSAMLphp |  PHP   |
+|:------------|:---------------------|:------:|
+| v6.4.\*     | v2.5.\*              | \>=8.3 |
+| v6.3.\*     | v2.3.\*, v2.4.\*     | \>=8.2 |
+| v5.\*       | v2.1.\*              | \>=8.1 |
+| v4.\*       | v2.0.\*              | \>=8.0 |
+| v3.\*       | v2.0.\*              | \>=7.4 |
+| v2.\*       | v1.19.\*             | \>=7.4 |
 
 Upgrading? See the [upgrade guide](6-oidc-upgrade.md).
 

docs/6-oidc-upgrade.md

@@ -3,6 +3,12 @@
 This is an upgrade guide from versions 1 → 6. Review the changes and
 apply those relevant to your deployment.
 
+## Version 6.3 to 6.4
+
+This is a minor release in order to enable installation of the module with
+SimpleSAMLphp v2.5.*, which now requires at least PHP v8.3 and bumps a bunch
+of dependent Symfony packages to v7.4.
+
 ## Version 5 to 6
 
 New features:

psalm.xml

@@ -23,25 +23,33 @@
   </projectFiles>
 
   <issueHandlers>
-    <!-- Ignore UnresolvableInclude on CLI-scripts -->
-    <UnresolvableInclude>
-        <errorLevel type="suppress">
-          <file name="tests/bootstrap.php" />
-        </errorLevel>
-    </UnresolvableInclude>
+    <!-- Ignore InvalidClassConstantType -->
     <InvalidClassConstantType>
       <errorLevel type="suppress">
         <file name="src/Forms/Controls/CsrfProtection.php" />
       </errorLevel>
     </InvalidClassConstantType>
 
+    <!-- Ignore PossiblyFalseArgument -->
+    <PossiblyFalseArgument>
+      <errorLevel type="suppress">
+        <file name="src/Server/Validators/BearerTokenValidator.php" />
+      </errorLevel>
+    </PossiblyFalseArgument>
+
     <!-- Ignore errors related to unused classes, methods... -->
     <UnusedClass errorLevel="suppress" />
     <PossiblyUnusedMethod errorLevel="suppress" />
     <PossiblyUnusedReturnValue errorLevel="suppress" />
 
     <!-- Ignore RiskyTruthyFalsyComparison -->
     <RiskyTruthyFalsyComparison errorLevel="suppress" />
+
+    <!-- Ignore ClassMustBeFinal -->
+    <ClassMustBeFinal errorLevel="suppress" />
+
+    <!-- Ignore MissingOverrideAttribute -->
+    <MissingOverrideAttribute errorLevel="suppress" />
   </issueHandlers>
 </psalm>
 

src/Controllers/Federation/EntityStatementController.php

@@ -27,8 +27,8 @@
 
 class EntityStatementController
 {
-    protected const KEY_OP_ENTITY_CONFIGURATION_STATEMENT = 'op_entity_configuration_statement';
-    protected const KEY_RP_SUBORDINATE_ENTITY_STATEMENT = 'rp_subordinate_entity_statement';
+    protected const string KEY_OP_ENTITY_CONFIGURATION_STATEMENT = 'op_entity_configuration_statement';
+    protected const string KEY_RP_SUBORDINATE_ENTITY_STATEMENT = 'rp_subordinate_entity_statement';
 
     /**
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException

src/Entities/ClientEntity.php

@@ -28,29 +28,31 @@ class ClientEntity implements ClientEntityInterface
     use EntityTrait;
     use ClientTrait;
 
-    public const KEY_ID = 'id';
-    public const KEY_SECRET = 'secret';
-    public const KEY_NAME = 'name';
-    public const KEY_DESCRIPTION = 'description';
-    public const KEY_AUTH_SOURCE = 'auth_source';
-    public const KEY_REDIRECT_URI = 'redirect_uri';
-    public const KEY_SCOPES = 'scopes';
-    public const KEY_IS_ENABLED = 'is_enabled';
-    public const KEY_IS_CONFIDENTIAL = 'is_confidential';
-    public const KEY_OWNER = 'owner';
-    public const KEY_POST_LOGOUT_REDIRECT_URI = 'post_logout_redirect_uri';
-    public const KEY_BACKCHANNEL_LOGOUT_URI = 'backchannel_logout_uri';
-    public const KEY_ENTITY_IDENTIFIER = 'entity_identifier';
-    public const KEY_CLIENT_REGISTRATION_TYPES = 'client_registration_types';
-    public const KEY_FEDERATION_JWKS = 'federation_jwks';
-    public const KEY_JWKS = 'jwks';
-    public const KEY_JWKS_URI = 'jwks_uri';
-    public const KEY_SIGNED_JWKS_URI = 'signed_jwks_uri';
-    public const KEY_REGISTRATION_TYPE = 'registration_type';
-    public const KEY_UPDATED_AT = 'updated_at';
-    public const KEY_CREATED_AT = 'created_at';
-    public const KEY_EXPIRES_AT = 'expires_at';
-    public const KEY_IS_FEDERATED = 'is_federated';
+
+    public const string KEY_ID = 'id';
+    public const string KEY_SECRET = 'secret';
+    public const string KEY_NAME = 'name';
+    public const string KEY_DESCRIPTION = 'description';
+    public const string KEY_AUTH_SOURCE = 'auth_source';
+    public const string KEY_REDIRECT_URI = 'redirect_uri';
+    public const string KEY_SCOPES = 'scopes';
+    public const string KEY_IS_ENABLED = 'is_enabled';
+    public const string KEY_IS_CONFIDENTIAL = 'is_confidential';
+    public const string KEY_OWNER = 'owner';
+    public const string KEY_POST_LOGOUT_REDIRECT_URI = 'post_logout_redirect_uri';
+    public const string KEY_BACKCHANNEL_LOGOUT_URI = 'backchannel_logout_uri';
+    public const string KEY_ENTITY_IDENTIFIER = 'entity_identifier';
+    public const string KEY_CLIENT_REGISTRATION_TYPES = 'client_registration_types';
+    public const string KEY_FEDERATION_JWKS = 'federation_jwks';
+    public const string KEY_JWKS = 'jwks';
+    public const string KEY_JWKS_URI = 'jwks_uri';
+    public const string KEY_SIGNED_JWKS_URI = 'signed_jwks_uri';
+    public const string KEY_REGISTRATION_TYPE = 'registration_type';
+    public const string KEY_UPDATED_AT = 'updated_at';
+    public const string KEY_CREATED_AT = 'created_at';
+    public const string KEY_EXPIRES_AT = 'expires_at';
+    public const string KEY_IS_FEDERATED = 'is_federated';
+
 
     private string $secret;
 

src/Factories/ClaimTranslatorExtractorFactory.php

@@ -22,9 +22,10 @@
 
 class ClaimTranslatorExtractorFactory
 {
-    protected const CONFIG_KEY_CLAIM_NAME_PREFIX = 'claim_name_prefix';
+    protected const string CONFIG_KEY_CLAIM_NAME_PREFIX = 'claim_name_prefix';
+
+    protected const string CONFIG_KEY_MULTIPLE_CLAIM_VALUES_ALLOWED = 'are_multiple_claim_values_allowed';
 
-    protected const CONFIG_KEY_MULTIPLE_CLAIM_VALUES_ALLOWED = 'are_multiple_claim_values_allowed';
 
     public function __construct(
         private readonly ModuleConfig $moduleConfig,