Feature/issue 48 mdui chunk #137
Open
kayjoosten wants to merge 3 commits into
kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request on Jul 2, 2026
…sting

Prior to this change, composer.json required surfnet/stepup-saml-bundle ^7.0 from packagist, which does not yet contain MduiChunk. This caused phpstan to fail with "class not found" errors for all mdui-related symbols.

This change adds a VCS repository pointing to the GitHub source and pins the requirement to the feature branch where MduiChunk is implemented. This is a temporary measure to enable end-to-end integration testing from EngineBlock through to the GSSP example application. This must be reverted to a packagist version constraint once the saml-bundle PR is merged and a new release is tagged.

Links:
- OpenConext/Stepup-saml-bundle#137
Prior to this change, the bundle had no way to parse or expose the mdui:UIInfo element (containing mdui:DisplayName entries per xml:lang) that EngineBlock and Gateway forward on proxy AuthnRequests. Consumers could not read the service display name from session state, making it impossible to show the correct service name during step-up flows.

This change introduces MduiChunk — modelled on the existing GsspUserAttributesChunk — which wraps the mdui:UIInfo DOM element and exposes getDisplayNames() returning a lang-keyed array of display names. ExtensionsMapperTrait now maps the UIInfo local name to MduiChunk, and Extensions gains getMduiChunk() / hasMduiChunk() accessors. The phpstan baseline is regenerated to remove stale suppressions.

Links:
- #136
- https://www.oasis-open.org/specs (SAML Metadata UI Extensions)
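The parsing the commit describes, as an added example that is not the bundle's MduiChunk: collect mdui:DisplayName values keyed by xml:lang from the samlp:Extensions of an AuthnRequest and pick one for display. The function names and the sample request are constructed for this illustration; the namespace URNs are the standard SAML 2.0 protocol and metadata-ui ones.

```php
<?php
// Added example, not the bundle's MduiChunk: read mdui:DisplayName entries keyed by xml:lang
// from the samlp:Extensions of an AuthnRequest, then choose one for display. The request
// below is constructed; the namespaces are the SAML 2.0 protocol and metadata-ui URNs.
const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';
const MDUI_NS  = 'urn:oasis:names:tc:SAML:metadata:ui';
const XML_NS   = 'http://www.w3.org/XML/1998/namespace';

/** @return array<string,string> language code => display name, e.g. ['en' => 'Example Service'] */
function displayNamesFromAuthnRequest(DOMDocument $request): array
{
    $names = [];
    // Scope the lookup to samlp:Extensions so a DisplayName anywhere else in the request is ignored.
    foreach ($request->getElementsByTagNameNS(SAMLP_NS, 'Extensions') as $extensions) {
        foreach ($extensions->getElementsByTagNameNS(MDUI_NS, 'UIInfo') as $uiInfo) {
            foreach ($uiInfo->getElementsByTagNameNS(MDUI_NS, 'DisplayName') as $displayName) {
                $lang = $displayName->getAttributeNS(XML_NS, 'lang');
                $text = trim($displayName->textContent);
                if ($lang === '' || $text === '') { continue; } // xml:lang is required; skip malformed entries
                $names[$lang] = $text; // a repeated language keeps the last value seen
            }
        }
    }
    return $names;
}

/** Pick the first preferred language that is present, then English, then the caller's fallback. */
function pickDisplayName(array $names, array $preferredLangs, string $fallback): string
{
    foreach ($preferredLangs as $lang) {
        if (isset($names[$lang])) {
            return $names[$lang];
        }
    }
    return $names['en'] ?? $fallback;
}

// Constructed sample AuthnRequest carrying two localized display names.
$xml = <<<XML
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c2" Version="2.0" IssueInstant="2026-07-02T00:00:00Z">
  <samlp:Extensions>
    <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
      <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
      <mdui:DisplayName xml:lang="nl">Voorbeelddienst</mdui:DisplayName>
    </mdui:UIInfo>
  </samlp:Extensions>
</samlp:AuthnRequest>
XML;
$doc = new DOMDocument();
$doc->loadXML($xml, LIBXML_NONET);
echo pickDisplayName(displayNamesFromAuthnRequest($doc), ['nl', 'en'], 'Unknown service'), PHP_EOL;
```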
Prior to this change, the CI matrix tested against Symfony 6.3, which reached end-of-life in November 2024. All symfony/security-bundle 6.3.x releases are blocked by packagist security advisory PKSA-nzkq-gsnx-t6bw, causing composer dependency resolution to fail. Additionally, irstea/phpcpd-shim has no dist archive on packagist and falls back to cloning from gitlab.irstea.fr, which is unreachable from GitHub Actions. Finally, simplesamlphp/saml2 4.20.x renamed the Chunk class namespace to SimpleSAML\XML while simplesamlphp/xml-common independently declares the same class, causing a PHP fatal redeclaration error.

This change raises the minimum Symfony 6 constraint to ^6.4 LTS, removes the phpcpd dependency, pins simplesamlphp/saml2 to <4.20, and updates the CI matrix to test PHP 8.2/8.5 against Symfony 6.4.*/7.4.*.

Links:
- https://packagist.org/security-advisories/PKSA-nzkq-gsnx-t6bw
e1cdf19 to 9f4866a
kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request on Jul 2, 2026
Prior to this change, the GSSP bundle discarded the mdui:UIInfo extension forwarded by the Gateway on proxy AuthnRequests. Consumers had no way to retrieve per-language service display names from session state, making it impossible to show the correct service name during step-up authentication and registration flows.

This change saves mdui:UIInfo to session state in both saveAuthenticationRequest() and saveRegistrationRequest(), and exposes it through getMdui(): ?MduiChunk and hasMdui(): bool on StateHandler and StateHandlerInterface. Behat scenarios cover the present and absent cases for both flows. SSOController is corrected to read the relay state from the query string only, matching the HTTP-Redirect binding specification.

Links:
- #48
- OpenConext/Stepup-saml-bundle#137
kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request on Jul 2, 2026
…sting

Prior to this change, composer.json required surfnet/stepup-saml-bundle ^7.0 from packagist, which does not yet contain MduiChunk. This caused phpstan to fail with class-not-found errors for all mdui-related symbols, blocking CI.

This change adds a VCS repository pointing to the GitHub source and pins the requirement to the feature branch that implements MduiChunk. This is temporary and must be reverted to a packagist version constraint once the saml-bundle pull request is merged and a new release is tagged.

Links:
- OpenConext/Stepup-saml-bundle#137
kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request on Jul 3, 2026
Prior to this change, the GSSP bundle discarded the mdui:UIInfo extension forwarded by the Gateway on proxy AuthnRequests. Consumers had no way to retrieve per-language service display names from session state, making it impossible to show the correct service name during step-up authentication and registration flows.

This change saves mdui:UIInfo to session state in both saveAuthenticationRequest() and saveRegistrationRequest(), and exposes it through getMdui(): ?MduiChunk and hasMdui(): bool on StateHandler and StateHandlerInterface. Behat scenarios cover the present and absent cases for both flows. SSOController is corrected to read the relay state from the query string only, matching the HTTP-Redirect binding specification.

Links:
- #48
- OpenConext/Stepup-saml-bundle#137
kayjoosten added a commit to OpenConext/Stepup-gssp-bundle that referenced this pull request on Jul 3, 2026
…sting

Prior to this change, composer.json required surfnet/stepup-saml-bundle ^7.0 from packagist, which does not yet contain MduiChunk. This caused phpstan to fail with class-not-found errors for all mdui-related symbols, blocking CI.

This change adds a VCS repository pointing to the GitHub source and pins the requirement to the feature branch that implements MduiChunk. This is temporary and must be reverted to a packagist version constraint once the saml-bundle pull request is merged and a new release is tagged.

Links:
- OpenConext/Stepup-saml-bundle#137
…sing

simplesamlphp/saml2 <=4.20.2 has no upstream patch for a DoS via attacker-controlled XPath expressions in <ds:Transform> elements during signature-reference canonicalization, and no fix is planned for the v4.x line (5.x/6.x fix it internally but are a ground-up rewrite without the SP/IdP response-processing orchestration this bundle depends on, so are not a viable upgrade path).

Add SignatureTransformGuard, which allow-lists the Transform algorithms SAML 2.0 signature verification actually needs (enveloped-signature, exclusive/inclusive C14N) and rejects everything else -- including but not limited to the vulnerable XPath Filtering algorithm -- before the document reaches simplesamlphp/saml2's signature processing. Wired into PostBinding::processResponse() right after parsing the incoming response, ahead of both the Response-level and any Assertion-level signature verification (SAML allows both to be independently signed).

Document the two advisories that remain after this fix in composer.json's audit-ignore config, each with its own justification:
- PKSA-1fc7-xrz7-vw78 (the DoS): mitigated by SignatureTransformGuard above.
- PKSA-yk3g-3g3t-ts6q (HTTP-Artifact TLS validator confusion): this bundle only implements HTTP-Redirect and HTTP-POST bindings, so the affected code path is unreachable.

The other two advisories flagged in CI (redirect-binding signature bypass, XXE) don't need an ignore entry -- the resolved simplesamlphp/saml2 version (4.19.2) is already past their fixed versions.
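The allow-list check the commit describes, as an added example and not the bundle's own SignatureTransformGuard: every ds:Transform in the parsed response is compared against the algorithms SAML 2.0 signature verification needs, and the document is rejected before any signature code runs if anything else appears. The class name, the method names and the sample response are constructed for this illustration.

```php
<?php
// Added example, not the bundle's own SignatureTransformGuard: allow-list the ds:Transform
// algorithms SAML 2.0 signature verification needs and reject everything else before the
// parsed response reaches signature processing. The sample response below is constructed.
final class TransformAlgorithmGuard
{
    private const DS_NS = 'http://www.w3.org/2000/09/xmldsig#';
    private const ALLOWED = [
        'http://www.w3.org/2000/09/xmldsig#enveloped-signature',   // enveloped-signature
        'http://www.w3.org/2001/10/xml-exc-c14n#',                 // exclusive C14N
        'http://www.w3.org/TR/2001/REC-xml-c14n-20010315',         // inclusive C14N
    ];

    /** @return string[] Algorithm URIs not on the allow-list; empty means the document passes. */
    public static function rejectedAlgorithms(DOMDocument $doc): array
    {
        $rejected = [];
        // Every ds:Transform in the document is inspected, so both the Response-level and
        // any Assertion-level ds:Signature are covered by one pass.
        foreach ($doc->getElementsByTagNameNS(self::DS_NS, 'Transform') as $transform) {
            $algorithm = $transform->getAttribute('Algorithm');
            if (!in_array($algorithm, self::ALLOWED, true)) {
                $rejected[] = $algorithm === '' ? '(missing Algorithm attribute)' : $algorithm;
            }
        }
        return $rejected;
    }

    /** Parses the raw XML and throws before any signature code sees a disallowed transform. */
    public static function parseGuarded(string $xml): DOMDocument
    {
        $doc = new DOMDocument();
        if ($doc->loadXML($xml, LIBXML_NONET) === false) { throw new InvalidArgumentException('Malformed XML response'); }
        $rejected = self::rejectedAlgorithms($doc);
        if ($rejected !== []) { throw new RuntimeException('Disallowed ds:Transform algorithm(s): ' . implode(', ', $rejected)); }
        return $doc;
    }
}

// Constructed sample: an allowed enveloped-signature transform followed by the XPath Filtering
// algorithm, which is not on the allow-list and must be rejected.
$sample = <<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0" IssueInstant="2026-07-02T00:00:00Z">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_c1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:Response>
XML;
try {
    TransformAlgorithmGuard::parseGuarded($sample);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In the bundle the equivalent check sits directly after the response is parsed and before Response- and Assertion-level signature verification, as the commit message states.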
No description provided.