Merge branch 'master' into SSP-2167-gateway_fix

pradtke · pradtke · commit 1ee4594399ec · 2025-11-20T16:23:43.000-08:00
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -20,7 +20,7 @@ jobs:
       matrix:
         php-version: ['8.1', '8.2', '8.3', '8.4']
 
-    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_phplinter.yml@v1.10.0
+    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_phplinter.yml@v1.10.3
     with:
       php-version: ${{ matrix.php-version }}
 
@@ -29,7 +29,7 @@ jobs:
     strategy:
       fail-fast: false
 
-    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_linter.yml@v1.10.0
+    uses: simplesamlphp/simplesamlphp-test-framework/.github/workflows/reusable_linter.yml@v1.10.3
     with:
       enable_eslinter: true
       enable_jsonlinter: true
@@ -94,7 +94,7 @@ jobs:
 
       - name: Save coverage data
         if: ${{ matrix.php-versions == '8.4' }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: coverage-data
           path: ${{ github.workspace }}/build
@@ -253,7 +253,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@v6
         with:
           name: coverage-data
           path: ${{ github.workspace }}/build
diff --git a/README.md b/README.md
@@ -101,7 +101,7 @@ docker run --name ssp-casserver-dev \
   --mount type=bind,source="$(pwd)/docker/ssp/authsources.php",target=/var/simplesamlphp/config/authsources.php,readonly \
   --mount type=bind,source="$(pwd)/docker/ssp/config-override.php",target=/var/simplesamlphp/config/config-override.php,readonly \
   --mount type=bind,source="$(pwd)/docker/apache-override.cf",target=/etc/apache2/sites-enabled/ssp-override.cf,readonly \
-   -p 443:443 cirrusid/simplesamlphp:v2.3.5
+   -p 443:443 cirrusid/simplesamlphp:v2.4.2
 ```
 
 Visit [https://localhost/simplesaml/](https://localhost/simplesaml/) and confirm you get the default page.
diff --git a/composer.json b/composer.json
@@ -30,18 +30,19 @@
     },
     "require": {
         "php": "^8.1",
+        "ext-ctype": "*",
         "ext-dom": "*",
         "ext-filter": "*",
         "ext-libxml": "*",
         "ext-SimpleXML": "*",
         "ext-session": "*",
 
-        "simplesamlphp/assert": "~1.8.2",
+        "simplesamlphp/assert": "~1.8.1",
         "simplesamlphp/composer-module-installer": "~1.4.0",
         "simplesamlphp/simplesamlphp": "~2.4.2",
-        "simplesamlphp/xml-cas": "~2.0.0",
-        "simplesamlphp/xml-common": "~2.0.0",
-        "simplesamlphp/xml-soap": "~2.0.0",
+        "simplesamlphp/xml-cas": "~1.3",
+        "simplesamlphp/xml-common": "~1.17",
+        "simplesamlphp/xml-soap": "~1.5",
         "symfony/http-foundation": "~6.4.0",
         "symfony/http-kernel": "~6.4.0",
         "simplesamlphp/saml11": "~1.2.5"
@@ -54,12 +55,10 @@
         "source": "https://github.com/simplesamlphp/simplesamlphp-module-casserver"
     },
     "scripts": {
-        "validate": [
+        "verify": [
             "vendor/bin/phpcs -p",
-            "vendor/bin/composer-require-checker check --config-file=tools/composer-require-checker.json composer.json",
-            "vendor/bin/psalm -c psalm-dev.xml",
-            "vendor/bin/composer-unused",
-            "vendor/bin/phpunit --no-coverage --testdox"
+            "vendor/bin/phpunit --no-coverage --testdox",
+            "vendor/bin/phpstan --memory-limit=256M analyze -c phpstan.neon"
         ],
         "tests": [
             "vendor/bin/phpunit --no-coverage"
diff --git a/src/Cas/ServiceValidator.php b/src/Cas/ServiceValidator.php
@@ -53,35 +53,9 @@ public function checkServiceURL(string $service): ?Configuration
 
             $configOverride = \is_int($index) ? null : $value;
 
-            // URL String
-            if (str_starts_with($service, $legalUrl)) {
-                $isValidService = true;
+            if ($isValidService = $this->validateServiceIsLegal($legalUrl, $service)) {
                 break;
             }
-
-            // Regex
-            // Since "If the regex pattern passed does not compile to a valid regex, an E_WARNING is emitted. "
-            // we will throw an exception if the warning is emitted and use try-catch to handle it
-            set_error_handler(static function ($severity, $message, $file, $line) {
-                throw new \ErrorException($message, $severity, $severity, $file, $line);
-            }, E_WARNING);
-
-            try {
-                $result = preg_match($legalUrl, $service);
-                if ($result !== 1) {
-                    throw new \RuntimeException('Service URL does not match legal service URL.');
-                }
-                $isValidService = true;
-                break;
-            } catch (\RuntimeException $e) {
-                // do nothing
-                Logger::warning($e->getMessage());
-            } catch (\Exception $e) {
-                // do nothing
-                Logger::warning("Invalid CAS legal service url '$legalUrl'. Error " . preg_last_error());
-            } finally {
-                restore_error_handler();
-            }
         }
 
         if (!$isValidService) {
@@ -107,4 +81,38 @@ public function checkServiceURL(string $service): ?Configuration
         }
         return Configuration::loadFromArray($serviceConfig);
     }
+
+    /**
+     * @param string $legalUrl The string or regex to use for comparison
+     * @param string $service  The service to compare
+     *
+     * @return bool Whether the service is legal
+     * @throws \ErrorException
+     */
+    protected function validateServiceIsLegal(string $legalUrl, string $service): bool
+    {
+        $isValid = false;
+        if (!ctype_alnum($legalUrl[0])) {
+            // Since "If the regex pattern passed does not compile to a valid regex, an E_WARNING is emitted. "
+            // we will throw an exception if the warning is emitted and use try-catch to handle it
+            set_error_handler(static function ($severity, $message, $file, $line) {
+                throw new \ErrorException($message, $severity, $severity, $file, $line);
+            }, E_WARNING);
+
+            try {
+                if (preg_match($legalUrl, $service) === 1) {
+                    $isValid = true;
+                }
+            } catch (\ErrorException $e) {
+                // do nothing
+                Logger::warning("Invalid CAS legal service url '$legalUrl'. Error " . preg_last_error_msg());
+            } finally {
+                restore_error_handler();
+            }
+        } elseif (str_starts_with($service, $legalUrl)) {
+            $isValid = true;
+        }
+
+        return $isValid;
+    }
 }
diff --git a/src/Controller/Cas20Controller.php b/src/Controller/Cas20Controller.php
@@ -4,7 +4,6 @@
 
 namespace SimpleSAML\Module\casserver\Controller;
 
-use Exception;
 use SimpleSAML\CAS\Constants as C;
 use SimpleSAML\Configuration;
 use SimpleSAML\Logger;
diff --git a/src/Controller/LoginController.php b/src/Controller/LoginController.php
@@ -28,9 +28,9 @@
 use Symfony\Component\HttpKernel\Attribute\AsController;
 use Symfony\Component\HttpKernel\Attribute\MapQueryParameter;
 
-use in_array;
-use http_build_query;
-use var_export;
+use function http_build_query;
+use function in_array;
+use function var_export;
 
 #[AsController]
 class LoginController
diff --git a/src/Controller/Traits/TicketValidatorTrait.php b/src/Controller/Traits/TicketValidatorTrait.php
@@ -74,21 +74,7 @@ public function validate(
         $message = '';
         // Below, we do not have a ticket or the ticket does not meet the very basic criteria that allow
         // any further handling
-        if (empty($serviceTicket)) {
-            // No ticket
-            $message = 'Ticket ' . var_export($ticket, true) . ' not recognized';
-            $failed  = true;
-        } elseif ($method === 'proxyValidate' && !$this->ticketFactory->isProxyTicket($serviceTicket)) {
-            // proxyValidate but not a proxy ticket
-            $message = 'Ticket ' . var_export($ticket, true) . ' is not a proxy ticket.';
-            $failed  = true;
-        } elseif ($method === 'serviceValidate' && !$this->ticketFactory->isServiceTicket($serviceTicket)) {
-            // serviceValidate but not a service ticket
-            $message = 'Ticket ' . var_export($ticket, true) . ' is not a service ticket.';
-            $failed  = true;
-        }
-
-        if ($failed) {
+        if ($message = $this->validateServiceTicket($serviceTicket, $ticket, $method)) {
             $finalMessage = 'casserver:validate: ' . $message;
             Logger::error(__METHOD__ . '::' . $finalMessage);
 
@@ -185,4 +171,27 @@ public function validate(
             Response::HTTP_OK,
         );
     }
+
+    /**
+     * @param array{'id': string}|null $serviceTicket
+     *
+     * @return ?string Message on failure, null on success
+     */
+    private function validateServiceTicket(?array $serviceTicket, string $ticket, string $method): ?string
+    {
+        if (empty($serviceTicket)) {
+            return 'Ticket ' . var_export($ticket, true) . ' not recognized';
+        }
+
+        $isServiceTicket = $this->ticketFactory->isServiceTicket($serviceTicket);
+        if ($method === 'serviceValidate' && !$isServiceTicket) {
+            return 'Ticket ' . var_export($ticket, true) . ' is not a service ticket.';
+        }
+
+        if ($method === 'proxyValidate' && !$isServiceTicket && !$this->ticketFactory->isProxyTicket($serviceTicket)) {
+            return 'Ticket ' . var_export($ticket, true) . ' is not a proxy ticket.';
+        }
+
+        return null;
+    }
 }
diff --git a/tests/src/Controller/Cas20ControllerTest.php b/tests/src/Controller/Cas20ControllerTest.php
@@ -565,14 +565,6 @@ public static function validateOnDifferentQueryParameterCombinationsProxyValidat
                 "Ticket 'PT-{$sessionId}' has expired",
                 'PT-' . $sessionId,
             ],
-            'Returns Bad Request on Ticket is A Service Ticket' => [
-                [
-                    'ticket' => 'ST-' . $sessionId,
-                    'service' => 'https://myservice.com/abcd',
-                ],
-                "Ticket 'ST-{$sessionId}' is not a proxy ticket.",
-                'ST-' . $sessionId,
-            ],
             'Returns Bad Request on Ticket Issued By Single SignOn Session' => [
                 [
                     'ticket' => 'PT-' . $sessionId,
@@ -583,7 +575,7 @@ public static function validateOnDifferentQueryParameterCombinationsProxyValidat
                 'PT-' . $sessionId,
                 9999999999,
             ],
-            'Returns Success' => [
+            'Returns Success with Proxy Ticket' => [
                 [
                     'ticket' => 'PT-' . $sessionId,
                     'service' => 'https://myservice.com/abcd',
@@ -592,6 +584,15 @@ public static function validateOnDifferentQueryParameterCombinationsProxyValidat
                 'PT-' . $sessionId,
                 9999999999,
             ],
+            'Returns Success with Service Ticket' => [
+                [
+                    'ticket' => 'ST-' . $sessionId,
+                    'service' => 'https://myservice.com/abcd',
+                ],
+                'username@google.com',
+                'ST-' . $sessionId,
+                9999999999,
+            ],
         ];
     }
 
