Merge branch 'master' into dl/allow-service-ticket-on-proxyValidate

Author: pradtke

README.md

@@ -101,7 +101,7 @@ docker run --name ssp-casserver-dev \
   --mount type=bind,source="$(pwd)/docker/ssp/authsources.php",target=/var/simplesamlphp/config/authsources.php,readonly \
   --mount type=bind,source="$(pwd)/docker/ssp/config-override.php",target=/var/simplesamlphp/config/config-override.php,readonly \
   --mount type=bind,source="$(pwd)/docker/apache-override.cf",target=/etc/apache2/sites-enabled/ssp-override.cf,readonly \
-   -p 443:443 cirrusid/simplesamlphp:v2.3.5
+   -p 443:443 cirrusid/simplesamlphp:v2.4.2
 ```
 
 Visit [https://localhost/simplesaml/](https://localhost/simplesaml/) and confirm you get the default page.

composer.json

@@ -30,18 +30,19 @@
     },
     "require": {
         "php": "^8.1",
+        "ext-ctype": "*",
         "ext-dom": "*",
         "ext-filter": "*",
         "ext-libxml": "*",
         "ext-SimpleXML": "*",
         "ext-session": "*",
 
-        "simplesamlphp/assert": "~1.8.2",
+        "simplesamlphp/assert": "~1.8.1",
         "simplesamlphp/composer-module-installer": "~1.4.0",
         "simplesamlphp/simplesamlphp": "~2.4.2",
-        "simplesamlphp/xml-cas": "~2.0.0",
-        "simplesamlphp/xml-common": "~2.0.0",
-        "simplesamlphp/xml-soap": "~2.0.0",
+        "simplesamlphp/xml-cas": "~1.3",
+        "simplesamlphp/xml-common": "~1.17",
+        "simplesamlphp/xml-soap": "~1.5",
         "symfony/http-foundation": "~6.4.0",
         "symfony/http-kernel": "~6.4.0",
         "simplesamlphp/saml11": "~1.2.5"
@@ -54,11 +55,8 @@
         "source": "https://github.com/simplesamlphp/simplesamlphp-module-casserver"
     },
     "scripts": {
-        "validate": [
+        "verify": [
             "vendor/bin/phpcs -p",
-            "vendor/bin/composer-require-checker check --config-file=tools/composer-require-checker.json composer.json",
-            "vendor/bin/psalm -c psalm-dev.xml",
-            "vendor/bin/composer-unused",
             "vendor/bin/phpunit --no-coverage --testdox"
         ],
         "tests": [

src/Cas/ServiceValidator.php

@@ -53,35 +53,9 @@ public function checkServiceURL(string $service): ?Configuration
 
             $configOverride = \is_int($index) ? null : $value;
 
-            // URL String
-            if (str_starts_with($service, $legalUrl)) {
-                $isValidService = true;
+            if ($isValidService = $this->validateServiceIsLegal($legalUrl, $service)) {
                 break;
             }
-
-            // Regex
-            // Since "If the regex pattern passed does not compile to a valid regex, an E_WARNING is emitted. "
-            // we will throw an exception if the warning is emitted and use try-catch to handle it
-            set_error_handler(static function ($severity, $message, $file, $line) {
-                throw new \ErrorException($message, $severity, $severity, $file, $line);
-            }, E_WARNING);
-
-            try {
-                $result = preg_match($legalUrl, $service);
-                if ($result !== 1) {
-                    throw new \RuntimeException('Service URL does not match legal service URL.');
-                }
-                $isValidService = true;
-                break;
-            } catch (\RuntimeException $e) {
-                // do nothing
-                Logger::warning($e->getMessage());
-            } catch (\Exception $e) {
-                // do nothing
-                Logger::warning("Invalid CAS legal service url '$legalUrl'. Error " . preg_last_error());
-            } finally {
-                restore_error_handler();
-            }
         }
 
         if (!$isValidService) {
@@ -107,4 +81,38 @@ public function checkServiceURL(string $service): ?Configuration
         }
         return Configuration::loadFromArray($serviceConfig);
     }
+
+    /**
+     * @param string $legalUrl The string or regex to use for comparison
+     * @param string $service  The service to compare
+     *
+     * @return bool Whether the service is legal
+     * @throws \ErrorException
+     */
+    protected function validateServiceIsLegal(string $legalUrl, string $service): bool
+    {
+        $isValid = false;
+        if (!ctype_alnum($legalUrl[0])) {
+            // Since "If the regex pattern passed does not compile to a valid regex, an E_WARNING is emitted. "
+            // we will throw an exception if the warning is emitted and use try-catch to handle it
+            set_error_handler(static function ($severity, $message, $file, $line) {
+                throw new \ErrorException($message, $severity, $severity, $file, $line);
+            }, E_WARNING);
+
+            try {
+                if (preg_match($legalUrl, $service) === 1) {
+                    $isValid = true;
+                }
+            } catch (\ErrorException $e) {
+                // do nothing
+                Logger::warning("Invalid CAS legal service url '$legalUrl'. Error " . preg_last_error_msg());
+            } finally {
+                restore_error_handler();
+            }
+        } elseif (str_starts_with($service, $legalUrl)) {
+            $isValid = true;
+        }
+
+        return $isValid;
+    }
 }

src/Controller/Cas20Controller.php

@@ -4,7 +4,6 @@
 
 namespace SimpleSAML\Module\casserver\Controller;
 
-use Exception;
 use SimpleSAML\CAS\Constants as C;
 use SimpleSAML\Configuration;
 use SimpleSAML\Logger;

src/Controller/LoginController.php

@@ -28,9 +28,9 @@
 use Symfony\Component\HttpKernel\Attribute\AsController;
 use Symfony\Component\HttpKernel\Attribute\MapQueryParameter;
 
-use in_array;
-use http_build_query;
-use var_export;
+use function http_build_query;
+use function in_array;
+use function var_export;
 
 #[AsController]
 class LoginController