Migrate calls to xml-libraries to use the new interface

Author: tvdijen

composer.json

@@ -37,6 +37,7 @@
         "ext-SimpleXML": "*",
         "ext-session": "*",
 
+        "beste/clock": "~3.0",
         "simplesamlphp/assert": "~1.9",
         "simplesamlphp/composer-module-installer": "~1.6",
         "simplesamlphp/simplesamlphp": "~2.5@dev",

src/Cas/Protocol/Cas20.php

@@ -25,23 +25,30 @@
 
 namespace SimpleSAML\Module\casserver\Cas\Protocol;
 
-use DateTimeImmutable;
-use SimpleSAML\CAS\XML\cas\Attributes;
-use SimpleSAML\CAS\XML\cas\AuthenticationDate;
-use SimpleSAML\CAS\XML\cas\AuthenticationFailure;
-use SimpleSAML\CAS\XML\cas\AuthenticationSuccess;
-use SimpleSAML\CAS\XML\cas\IsFromNewLogin;
-use SimpleSAML\CAS\XML\cas\LongTermAuthenticationRequestTokenUsed;
-use SimpleSAML\CAS\XML\cas\ProxyFailure;
-use SimpleSAML\CAS\XML\cas\ProxyGrantingTicket;
-use SimpleSAML\CAS\XML\cas\ProxySuccess;
-use SimpleSAML\CAS\XML\cas\ProxyTicket;
-use SimpleSAML\CAS\XML\cas\ServiceResponse;
-use SimpleSAML\CAS\XML\cas\User;
+use Beste\Clock\LocalizedClock;
+use DateTimeZone;
+use InvalidArgumentException;
+use SimpleSAML\CAS\Type\CodeValue;
+use SimpleSAML\CAS\XML\Attributes;
+use SimpleSAML\CAS\XML\AuthenticationDate;
+use SimpleSAML\CAS\XML\AuthenticationFailure;
+use SimpleSAML\CAS\XML\AuthenticationSuccess;
+use SimpleSAML\CAS\XML\IsFromNewLogin;
+use SimpleSAML\CAS\XML\LongTermAuthenticationRequestTokenUsed;
+use SimpleSAML\CAS\XML\ProxyFailure;
+use SimpleSAML\CAS\XML\ProxyGrantingTicket;
+use SimpleSAML\CAS\XML\ProxySuccess;
+use SimpleSAML\CAS\XML\ProxyTicket;
+use SimpleSAML\CAS\XML\ServiceResponse;
+use SimpleSAML\CAS\XML\User;
 use SimpleSAML\Configuration;
 use SimpleSAML\Logger;
+use SimpleSAML\XML\Assert\Assert;
 use SimpleSAML\XML\Chunk;
 use SimpleSAML\XML\DOMDocumentFactory;
+use SimpleSAML\XMLSchema\Type\BooleanValue;
+use SimpleSAML\XMLSchema\Type\DateTimeValue;
+use SimpleSAML\XMLSchema\Type\StringValue;
 
 use function base64_encode;
 use function count;
@@ -121,23 +128,24 @@ public function getProxyGrantingTicketIOU(): ?string
      */
     public function getValidateSuccessResponse(string $username): ServiceResponse
     {
-        $user = new User($username);
+        $user = new User(StringValue::fromString($username));
 
         $proxyGrantingTicket = null;
         if (is_string($this->proxyGrantingTicketIOU)) {
-            $proxyGrantingTicket = new ProxyGrantingTicket($this->proxyGrantingTicketIOU);
+            $proxyGrantingTicket = new ProxyGrantingTicket(StringValue::fromString($this->proxyGrantingTicketIOU));
         }
 
         $attr = [];
         if ($this->sendAttributes && count($this->attributes) > 0) {
             foreach ($this->attributes as $name => $values) {
                 // Fix the most common cause of invalid XML elements
                 $_name = str_replace(':', '_', $name);
-                if ($this->isValidXmlName($_name) === true) {
+                try {
+                    Assert::validNCName($_name);
                     foreach ($values as $value) {
                         $attr[] = $this->generateCas20Attribute($_name, $value);
                     }
-                } else {
+                } catch (InvalidArgumentException) {
                     Logger::warning("DOMException creating attribute '$_name'. Continuing without attribute'");
                 }
             }
@@ -150,10 +158,11 @@ public function getValidateSuccessResponse(string $username): ServiceResponse
             }
         }
 
+        $systemClock = LocalizedClock::in(new DateTimeZone('Z'));
         $attributes = new Attributes(
-            new AuthenticationDate(new DateTimeImmutable('now')),
-            new LongTermAuthenticationRequestTokenUsed('true'),
-            new IsFromNewLogin('true'),
+            new AuthenticationDate(DateTimeValue::now($systemClock)),
+            new LongTermAuthenticationRequestTokenUsed(BooleanValue::fromBoolean(true)),
+            new IsFromNewLogin(BooleanValue::fromBoolean(true)),
             $attr,
         );
 
@@ -171,7 +180,10 @@ public function getValidateSuccessResponse(string $username): ServiceResponse
      */
     public function getValidateFailureResponse(string $errorCode, string $explanation): ServiceResponse
     {
-        $authenticationFailure = new AuthenticationFailure($explanation, $errorCode);
+        $authenticationFailure = new AuthenticationFailure(
+            StringValue::fromString($explanation),
+            CodeValue::fromString($errorCode),
+        );
         $serviceResponse = new ServiceResponse($authenticationFailure);
 
         return $serviceResponse;
@@ -184,7 +196,7 @@ public function getValidateFailureResponse(string $errorCode, string $explanatio
      */
     public function getProxySuccessResponse(string $proxyTicketId): ServiceResponse
     {
-        $proxyTicket = new ProxyTicket($proxyTicketId);
+        $proxyTicket = new ProxyTicket(StringValue::fromString($proxyTicketId));
         $proxySuccess = new ProxySuccess($proxyTicket);
         $serviceResponse = new ServiceResponse($proxySuccess);
 
@@ -199,7 +211,10 @@ public function getProxySuccessResponse(string $proxyTicketId): ServiceResponse
      */
     public function getProxyFailureResponse(string $errorCode, string $explanation): ServiceResponse
     {
-        $proxyFailure = new ProxyFailure($explanation, $errorCode);
+        $proxyFailure = new ProxyFailure(
+            StringValue::fromString($explanation),
+            CodeValue::fromString($errorCode),
+        );
         $serviceResponse = new ServiceResponse($proxyFailure);
 
         return $serviceResponse;
@@ -222,26 +237,4 @@ private function generateCas20Attribute(
 
         return new Chunk($attributeElement);
     }
-
-
-    /**
-     * XML element names have a lot of rules and not every SAML attribute name can be converted.
-     * Ref: https://www.w3.org/TR/REC-xml/#NT-NameChar
-     * https://stackoverflow.com/q/2519845/54396
-     * must only start with letter or underscore
-     * cannot start with 'xml' (or maybe it can - stackoverflow commenters don't agree)
-     * cannot contain a ':' since those are for namespaces
-     * cannot contains space
-     * can only  contain letters, digits, hyphens, underscores, and periods
-     * @param string $name The attribute name to be used as an element
-     * @return bool true if $name would make a valid xml element.
-     */
-    private function isValidXmlName(string $name): bool
-    {
-        return filter_var(
-            $name,
-            FILTER_VALIDATE_REGEXP,
-            ['options' => ['regexp' => '/^[a-zA-Z_][\w.-]*$/']],
-        ) !== false;
-    }
 }

src/Cas/Protocol/SamlValidateResponder.php

@@ -6,8 +6,9 @@
 
 use SimpleSAML\Configuration;
 use SimpleSAML\Module\casserver\Shib13\AuthnResponse;
-use SimpleSAML\SOAP\XML\env_200106\Body;
-use SimpleSAML\SOAP\XML\env_200106\Envelope;
+use SimpleSAML\SAML11\Constants as C;
+use SimpleSAML\SOAP11\XML\Body;
+use SimpleSAML\SOAP11\XML\Envelope;
 use SimpleSAML\XML\Chunk;
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XML\SerializableElementInterface;
@@ -48,8 +49,8 @@ public function convertToSaml(array $ticket): Chunk
             '<NameIdentifier$1>' . htmlspecialchars($user) . '</NameIdentifier>',
             $authnResponseXML,
         );
-        // CAS seems to prefer this type of assertiond
-        $ret = str_replace('urn:oasis:names:tc:SAML:1.0:cm:bearer', 'urn:oasis:names:tc:SAML:1.0:cm:artifact', $ret);
+        // CAS seems to prefer this type of assertion
+        $ret = str_replace(C::CM_BEARER, C::CM_ARTIFACT, $ret);
         // CAS uses a different namespace for attributes
         $ret = str_replace(
             'urn:mace:shibboleth:1.0:attributeNamespace:uri',
@@ -64,7 +65,7 @@ public function convertToSaml(array $ticket): Chunk
 
     /**
      * @param \SimpleSAML\XML\SerializableElementInterface $samlResponse
-     * @return \SimpleSAML\SOAP\XML\env_200106\Envelope
+     * @return \SimpleSAML\SOAP11\XML\Envelope
      */
     public function wrapInSoap(SerializableElementInterface $samlResponse): Envelope
     {

src/Controller/Cas30Controller.php

@@ -15,7 +15,7 @@
 use SimpleSAML\Module\casserver\Http\XmlResponse;
 use SimpleSAML\SAML11\Exception\ProtocolViolationException;
 use SimpleSAML\SAML11\XML\samlp\Request as SamlRequest;
-use SimpleSAML\SOAP\XML\env_200106\Envelope;
+use SimpleSAML\SOAP11\XML\Envelope;
 use SimpleSAML\XML\DOMDocumentFactory;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -112,7 +112,7 @@ public function samlValidate(
         // Assertion Artifact Element
         $assertionArtifactParsed = $samlpRequestParsed->getRequest()[0];
 
-        $ticketId = $assertionArtifactParsed->getContent();
+        $ticketId = $assertionArtifactParsed->getContent()->getValue();
         Logger::debug('samlvalidate: Checking ticket ' . $ticketId);
 
         try {

tests/src/Cas/Protocol/SamlValidateTest.php

@@ -6,7 +6,7 @@
 
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\Module\casserver\Cas\Protocol\SamlValidateResponder;
-use SimpleSAML\SOAP\XML\env_200106\Envelope;
+use SimpleSAML\SOAP11\XML\Envelope;
 
 class SamlValidateTest extends TestCase
 {