Feature/issue 48 mdui chunk #137

Open

kayjoosten wants to merge 3 commits into main from feature/issue-48-mdui-chunk

Conversation

@kayjoosten


No description provided.

kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request Jul 2, 2026
…sting

Prior to this change, composer.json required surfnet/stepup-saml-bundle ^7.0
from packagist, which does not yet contain MduiChunk. This caused phpstan to
fail with "class not found" errors for all mdui-related symbols.

This change adds a VCS repository pointing to the GitHub source and pins the
requirement to the feature branch where MduiChunk is implemented. This is a
temporary measure to enable end-to-end integration testing from EngineBlock
through to the GSSP example application.

This must be reverted to a packagist version constraint once the saml-bundle
PR is merged and a new release is tagged.

Links:
- OpenConext/Stepup-saml-bundle#137

Prior to this change, the bundle had no way to parse or expose the
mdui:UIInfo element (containing mdui:DisplayName entries per xml:lang)
that EngineBlock and Gateway forward on proxy AuthnRequests. Consumers
could not read the service display name from session state, making it
impossible to show the correct service name during step-up flows.

This change introduces MduiChunk — modelled on the existing
GsspUserAttributesChunk — which wraps the mdui:UIInfo DOM element and
exposes getDisplayNames() returning a lang-keyed array of display names.
ExtensionsMapperTrait now maps the UIInfo local name to MduiChunk, and
Extensions gains getMduiChunk() / hasMduiChunk() accessors. The phpstan
baseline is regenerated to remove stale suppressions.

Links:
- #136
- https://www.oasis-open.org/specs (SAML Metadata UI Extensions)

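The commit above describes wrapping the mdui:UIInfo element and exposing a lang-keyed array of display names. The following is an added example, not the bundle's own MduiChunk or ExtensionsMapperTrait code: it locates mdui:UIInfo under samlp:Extensions of a parsed AuthnRequest and collects each mdui:DisplayName by its xml:lang. The namespace URIs are the standard SAML/MDUI ones; the class and method names (UiInfoReader, findUiInfo, displayNames) and the sample AuthnRequest are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not the bundle's MduiChunk): read per-language
// mdui:DisplayName values from an mdui:UIInfo element carried in the
// samlp:Extensions of an AuthnRequest.

const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_MDUI  = 'urn:oasis:names:tc:SAML:metadata:ui';
const NS_XML   = 'http://www.w3.org/XML/1998/namespace';

final class UiInfoReader
{
    /**
     * Returns display names keyed by xml:lang, e.g. ['en' => 'Example Service'].
     * Entries without xml:lang or with empty text are skipped, and the first
     * value per language wins so a repeated entry cannot override an earlier one.
     *
     * @return array<string,string>
     */
    public static function displayNames(DOMElement $uiInfo): array
    {
        $names = [];
        foreach ($uiInfo->getElementsByTagNameNS(NS_MDUI, 'DisplayName') as $el) {
            $lang = trim($el->getAttributeNS(NS_XML, 'lang'));
            $text = trim($el->textContent);
            if ($lang === '' || $text === '' || isset($names[$lang])) {
                continue;
            }
            $names[$lang] = $text;
        }
        return $names;
    }

    /** Finds the first mdui:UIInfo under samlp:Extensions, or null when absent. */
    public static function findUiInfo(DOMDocument $doc): ?DOMElement
    {
        $xpath = new DOMXPath($doc);
        $xpath->registerNamespace('samlp', NS_SAMLP);
        $xpath->registerNamespace('mdui', NS_MDUI);
        $node = $xpath->query('/samlp:AuthnRequest/samlp:Extensions/mdui:UIInfo')->item(0);
        return $node instanceof DOMElement ? $node : null;
    }
}

// Constructed sample AuthnRequest for this example (not a real capture).
$xml = <<<XML
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="_example" Version="2.0" IssueInstant="2026-07-02T07:33:00Z">
  <samlp:Extensions>
    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
      <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
      <mdui:DisplayName xml:lang="nl">Voorbeelddienst</mdui:DisplayName>
      <mdui:DisplayName>no language attribute, skipped</mdui:DisplayName>
    </mdui:UIInfo>
  </samlp:Extensions>
</samlp:AuthnRequest>
XML;

$doc = new DOMDocument();
// LIBXML_NONET: never fetch external resources while parsing a request
// that arrived from the network; entity substitution stays off as well.
$doc->loadXML($xml, LIBXML_NONET);

$uiInfo = UiInfoReader::findUiInfo($doc);
$names  = $uiInfo === null ? [] : UiInfoReader::displayNames($uiInfo);
var_export($names);
```

The absent case is handled by returning null from findUiInfo rather than throwing, which mirrors the has/get accessor pair the commit describes: a consumer checks for presence first and falls back to another name source when no UIInfo was forwarded.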
Prior to this change, the CI matrix tested against Symfony 6.3 which reached
end-of-life in November 2024. All symfony/security-bundle 6.3.x releases are
blocked by packagist security advisory PKSA-nzkq-gsnx-t6bw, causing composer
dependency resolution to fail. Additionally, irstea/phpcpd-shim has no dist
archive on packagist and falls back to cloning from gitlab.irstea.fr which is
unreachable from GitHub Actions. Finally, simplesamlphp/saml2 4.20.x renamed
the Chunk class namespace to SimpleSAML\XML while simplesamlphp/xml-common
independently declares the same class, causing a PHP fatal redeclaration error.

This change raises the minimum Symfony 6 constraint to ^6.4 LTS, removes the
phpcpd dependency, pins simplesamlphp/saml2 to <4.20, and updates the CI
matrix to test PHP 8.2/8.5 against Symfony 6.4.*/7.4.*.

Links:
- https://packagist.org/security-advisories/PKSA-nzkq-gsnx-t6bw

kayjoosten force-pushed the feature/issue-48-mdui-chunk branch from e1cdf19 to 9f4866a on July 2, 2026 at 07:33

kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request Jul 2, 2026
Prior to this change, the GSSP bundle discarded the mdui:UIInfo extension
forwarded by the Gateway on proxy AuthnRequests. Consumers had no way to
retrieve per-language service display names from session state, making it
impossible to show the correct service name during step-up authentication
and registration flows.

This change saves mdui:UIInfo to session state in both
saveAuthenticationRequest() and saveRegistrationRequest(), and exposes it
through getMdui(): ?MduiChunk and hasMdui(): bool on StateHandler and
StateHandlerInterface. Behat scenarios cover the present and absent cases
for both flows. SSOController is corrected to read the relay state from
the query string only, matching the HTTP-Redirect binding specification.

Links:
- #48
- OpenConext/Stepup-saml-bundle#137

kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request Jul 2, 2026
…sting

Prior to this change, composer.json required surfnet/stepup-saml-bundle ^7.0
from packagist, which does not yet contain MduiChunk. This caused phpstan to
fail with class-not-found errors for all mdui-related symbols, blocking CI.

This change adds a VCS repository pointing to the GitHub source and pins the
requirement to the feature branch that implements MduiChunk. This is temporary
and must be reverted to a packagist version constraint once the saml-bundle
pull request is merged and a new release is tagged.

Links:
- OpenConext/Stepup-saml-bundle#137

kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request Jul 3, 2026
Prior to this change, the GSSP bundle discarded the mdui:UIInfo extension
forwarded by the Gateway on proxy AuthnRequests. Consumers had no way to
retrieve per-language service display names from session state, making it
impossible to show the correct service name during step-up authentication
and registration flows.

This change saves mdui:UIInfo to session state in both
saveAuthenticationRequest() and saveRegistrationRequest(), and exposes it
through getMdui(): ?MduiChunk and hasMdui(): bool on StateHandler and
StateHandlerInterface. Behat scenarios cover the present and absent cases
for both flows. SSOController is corrected to read the relay state from
the query string only, matching the HTTP-Redirect binding specification.

Links:
- #48
- OpenConext/Stepup-saml-bundle#137

kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request Jul 3, 2026
…sting

Prior to this change, composer.json required surfnet/stepup-saml-bundle ^7.0
from packagist, which does not yet contain MduiChunk. This caused phpstan to
fail with class-not-found errors for all mdui-related symbols, blocking CI.

This change adds a VCS repository pointing to the GitHub source and pins the
requirement to the feature branch that implements MduiChunk. This is temporary
and must be reverted to a packagist version constraint once the saml-bundle
pull request is merged and a new release is tagged.

Links:
- OpenConext/Stepup-saml-bundle#137

…sing

simplesamlphp/saml2 <=4.20.2 has no upstream patch for a DoS via
attacker-controlled XPath expressions in <ds:Transform> elements during
signature-reference canonicalization, and no fix is planned for the
v4.x line (5.x/6.x fix it internally but are a ground-up rewrite
without the SP/IdP response-processing orchestration this bundle
depends on, so are not a viable upgrade path).

Add SignatureTransformGuard, which allow-lists the Transform algorithms
SAML 2.0 signature verification actually needs (enveloped-signature,
exclusive/inclusive C14N) and rejects everything else -- including but
not limited to the vulnerable XPath Filtering algorithm -- before the
document reaches simplesamlphp/saml2's signature processing. Wired
into PostBinding::processResponse() right after parsing the incoming
response, ahead of both the Response-level and any Assertion-level
signature verification (SAML allows both to be independently signed).

Document the two advisories that remain after this fix in composer.json's
audit-ignore config, each with its own justification:
- PKSA-1fc7-xrz7-vw78 (the DoS): mitigated by SignatureTransformGuard above.
- PKSA-yk3g-3g3t-ts6q (HTTP-Artifact TLS validator confusion): this bundle
  only implements HTTP-Redirect and HTTP-POST bindings, so the affected
  code path is unreachable.
The other two advisories flagged in CI (redirect-binding signature bypass,
XXE) don't need an ignore entry -- the resolved simplesamlphp/saml2 version
(4.19.2) is already past their fixed versions.
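The commit above describes an allow-list of ds:Transform algorithms applied to the parsed response before any signature verification runs. The following is an added example, not the bundle's SignatureTransformGuard: it walks every ds:Transform in the document (so Response-level and Assertion-level signatures are both covered) and rejects any algorithm outside the set SAML 2.0 signatures actually use. The algorithm URIs are the standard XML-DSig and C14N identifiers; the class and function names (TransformAlgorithmGuard, assertOnlyAllowedTransforms, loadUntrusted) and the two sample responses are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not the bundle's SignatureTransformGuard): fail closed on
// any ds:Transform whose Algorithm is not one that SAML 2.0 signature
// verification needs, before the document reaches the signature library.

const NS_DS = 'http://www.w3.org/2000/09/xmldsig#';

final class TransformAlgorithmGuard
{
    /** Transforms legitimately used in SAML 2.0 signatures: enveloped-signature plus C14N variants. */
    private const ALLOWED = [
        'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
        'http://www.w3.org/2001/10/xml-exc-c14n#',
        'http://www.w3.org/2001/10/xml-exc-c14n#WithComments',
        'http://www.w3.org/TR/2001/REC-xml-c14n-20010315',
        'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments',
        'http://www.w3.org/2006/12/xml-c14n11',
        'http://www.w3.org/2006/12/xml-c14n11#WithComments',
    ];

    /**
     * Throws on the first ds:Transform anywhere in the document with a missing
     * or non-allow-listed Algorithm. Returns the number of transforms inspected.
     */
    public static function assertOnlyAllowedTransforms(DOMDocument $doc): int
    {
        $seen = 0;
        foreach ($doc->getElementsByTagNameNS(NS_DS, 'Transform') as $transform) {
            $seen++;
            $algorithm = $transform->getAttribute('Algorithm');
            if (!in_array($algorithm, self::ALLOWED, true)) {
                throw new UnexpectedValueException(sprintf(
                    'Rejected ds:Transform with algorithm "%s" at %s',
                    $algorithm,
                    $transform->getNodePath()
                ));
            }
        }
        return $seen;
    }
}

/** Parses XML from the network without fetching external resources or expanding entities. */
function loadUntrusted(string $xml): DOMDocument
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new UnexpectedValueException('Malformed XML');
    }
    return $doc;
}

// Constructed minimal response skeletons for this example; only the Transforms matter.
$template = <<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="#_r1">
        <ds:Transforms>%s</ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</samlp:Response>
XML;

$benign = sprintf($template,
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    . '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>');
$xpathFilter = sprintf($template,
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">'
    . '<ds:XPath>//*</ds:XPath></ds:Transform>');

foreach (['benign' => $benign, 'xpath-filter' => $xpathFilter] as $label => $xml) {
    try {
        $n = TransformAlgorithmGuard::assertOnlyAllowedTransforms(loadUntrusted($xml));
        echo "$label: accepted ($n transforms), safe to hand to signature verification\n";
    } catch (UnexpectedValueException $e) {
        echo "$label: {$e->getMessage()}\n";
    }
}
```

The guard runs on the DOM the signature library will later see, so it is placed where the commit describes: right after parsing and ahead of both Response-level and Assertion-level verification. Allow-listing rather than deny-listing the XPath algorithms means a Transform URI the library may someday add support for is also rejected until it is deliberately reviewed and added.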