Move to SSP UI (#267)

* Move to SSP UI

---------

Co-authored-by: Marko Ivančić <[email protected]>

Author: cicnavi

README.md

@@ -34,7 +34,7 @@ PHP version requirement changes in minor releases for SimpleSAMLphp.
 
 ### Upgrading?
 
-If you are upgrading from a previous version, checkout the [upgrade guide](UPGRADE.md).
+If you are upgrading from a previous version, make sure to check the [upgrade guide](UPGRADE.md).
 
 ## Installation
 
@@ -107,14 +107,12 @@ SimpleSAMLphp configuration file, `config/config.php`.
         'oidc' => true,
     ],
 
-This is required the enable the module on the _Federation_ tab in the admin web interface, which can be used in the
-next two steps to finalize the installation.
+Once the module is enabled, the database migrations must be run.
 
 ### Run database migrations
 
 The module comes with some default SQL migrations which set up needed tables in the configured database. To run them,
-open the _Federation_ tab from your _SimpleSAMLphp_ installation and select the option _OpenID Connect Installation_
-inside the _Tools_ section. Once there, all you need to do is press the _Install_ button and the schema will be created.
+go to `OIDC` > `Database Migrations`, and press the available button.
 
 Alternatively, in case of automatic / scripted deployments, you can run the 'install.php' script from the command line:
 
@@ -124,8 +122,7 @@ Alternatively, in case of automatic / scripted deployments, you can run the 'ins
 
 The module lets you manage (create, read, update and delete) approved RPs from the module user interface itself.
 
-Once the database schema has been created, you can open the _Federation_ tab from your _SimpleSAMLphp_ installation
-and select the option _OpenID Connect Client Registry_ inside the _Tools_ section.
+Once the database schema has been created, you can go to `OIDC` > `Client Registry`. 
 
 Note that clients can be marked as confidential or public. If the client is not marked as confidential (it is public),
 and is using Authorization Code flow, it will have to provide PKCE parameters during the flow.

UPGRADE.md

@@ -7,6 +7,7 @@
 - remove dependency on laminas/laminas-httphandlerrunner
 - create a bridge towards SSP utility classes, so they can be easily mocked
 - move away from SSP database as store; move to DBAL
+- move to phpstan instead of psalm (as SSP)
 
 # Version 5 to 6
 
@@ -79,7 +80,12 @@ key `authproc.oidc`
 
 ## Low impact changes
 
-Below are some internal changes that should not have impact for the OIDC OP implementors. However, if you are using
+In an effort to move to SimpleSAMLphp way of working with user interface (UI), the client management UI was updated
+to extend from the SimpleSAMLphp base template. In addition, we have also introduced some configuration overview pages
+where you can take a quick view of some of the configuration values for the module. OIDC related pages are now available
+from the main SimpleSAMLphp menu in Administration area.  
+
+Below are also some internal changes that should not have impact for the OIDC OP implementors. However, if you are using
 this module as a library or extending from it, you will probably encounter breaking changes, since a lot of code
 has been refactored:
 

bin/install.php

@@ -22,7 +22,7 @@
     $database = Database::getInstance();
     $databaseMigration = new DatabaseMigration($database);
 
-    if ($databaseMigration->isUpdated()) {
+    if ($databaseMigration->isMigrated()) {
         echo 'Database is up to date, skipping.' . PHP_EOL;
         return 0;
     }

config-templates/module_oidc.php

@@ -383,13 +383,13 @@
         // Adapter arguments here...
     ],
 
-    // Maximum federation cache item duration. Federation cache item duration will typically be resolved based on the
-    // expiry of the artifact. For example, when caching entity statements, cache duration will be based on the 'exp'
-    // claim (expiration time). Since those claims are set by issuer (can be long), it could be desirable to limit
-    // the maximum time, so that items in cache get refreshed more regularly (and changes propagate more quickly).
-    // This is only relevant if federation cache adapter is set up. For duration format info, check
-    // https://www.php.net/manual/en/dateinterval.construct.php.
-    ModuleConfig::OPTION_FEDERATION_CACHE_MAX_DURATION => 'PT6H', // 6 hours
+    // Maximum federation cache duration for fetched artifacts. Federation cache duration will typically be resolved
+    // based on the expiry of the fetched artifact. For example, when caching fetched entity statements, cache
+    // duration will be based on the 'exp' claim (expiration time). Since those claims are set by issuer (can
+    // be long), it could be desirable to limit the maximum time, so that items in cache get refreshed more
+    // regularly (and changes propagate more quickly). This is only relevant if federation cache adapter
+    // is set up. For duration format info, check https://www.php.net/manual/en/dateinterval.construct.php.
+    ModuleConfig::OPTION_FEDERATION_CACHE_MAX_DURATION_FOR_FETCHED => 'PT6H', // 6 hours
 
     /**
      * PKI settings related to OpenID Federation. These keys will be used, for example, to sign federation
@@ -412,10 +412,10 @@
     ModuleConfig::OPTION_FEDERATION_ENTITY_STATEMENT_DURATION => 'P1D', // 1 day
 
     // Cache duration for federation entity statements produced by this OP. This can be used to avoid calculating JWS
-    // signature on every HTTP request for OP Configuration statement, Subordinate Statements...
-    // This is only relevant if federation cache adapter is set up. For duration format info, check
+    // signature on every HTTP request for OP Configuration statement, Subordinate Statements... This is only
+    // relevant if federation cache adapter is set up. For duration format info, check
     // https://www.php.net/manual/en/dateinterval.construct.php.
-    ModuleConfig::OPTION_FEDERATION_ENTITY_STATEMENT_CACHE_DURATION => 'PT2M', // 2 minutes
+    ModuleConfig::OPTION_FEDERATION_CACHE_DURATION_FOR_PRODUCED => 'PT2M', // 2 minutes
 
     // Common federation entity parameters:
     // https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters

docs/oidc.png

@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+use SimpleSAML\Locale\Translate;
+use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\XHTML\Template;
+
+/** @noinspection PhpParameterByRefIsNotUsedAsReferenceInspection Reference is actually used by SimpleSAMLphp */
+function oidc_hook_adminmenu(Template &$template): void
+{
+    $menuKey = 'menu';
+
+    if (!isset($template->data[$menuKey]) || !is_array($template->data[$menuKey])) {
+        return;
+    }
+
+    $moduleConfig = new ModuleConfig();
+
+    $oidcMenuEntry = [
+        ModuleConfig::MODULE_NAME => [
+            'url' => $moduleConfig->getModuleUrl(RoutesEnum::AdminMigrations->value),
+            'name' => Translate::noop('OIDC'),
+        ],
+    ];
+
+    // Put OIDC entry before the 'Log out' entry, if it exists.
+    $logoutEntryKey = 'logout';
+    $logoutEntryValue = null;
+    if (
+        array_key_exists($logoutEntryKey, $template->data[$menuKey]) &&
+        is_array($template->data[$menuKey][$logoutEntryKey])
+    ) {
+        $logoutEntryValue = $template->data[$menuKey][$logoutEntryKey];
+        unset($template->data[$menuKey][$logoutEntryKey]);
+    }
+
+    $template->data[$menuKey] += $oidcMenuEntry;
+
+    if ($logoutEntryValue !== null) {
+        $template->data[$menuKey][$logoutEntryKey] = $logoutEntryValue;
+    }
+
+    $template->getLocalization()->addModuleDomain(ModuleConfig::MODULE_NAME);
+}

hooks/hook_adminmenu.php

@@ -16,6 +16,7 @@
 
 use SimpleSAML\Locale\Translate;
 use SimpleSAML\Module;
+use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\DatabaseMigration;
 use SimpleSAML\XHTML\Template;
 
@@ -24,12 +25,17 @@
  */
 function oidc_hook_federationpage(Template $template): void
 {
-    $href = Module::getModuleURL('oidc/admin-clients/index.php');
-    $text = Translate::noop('OpenID Connect Registry');
+    $routes = new Module\oidc\Utils\Routes(
+        new ModuleConfig(),
+        new Module\oidc\Bridges\SspBridge(),
+    );
 
-    if (! (new DatabaseMigration())->isUpdated()) {
-        $href = Module::getModuleURL('oidc/install.php');
-        $text = Translate::noop('OpenID Connect Installation');
+    $href = $routes->urlAdminClients();
+    $text = Translate::noop('OIDC Client Registry');
+
+    if (! (new DatabaseMigration())->isMigrated()) {
+        $href = $routes->urlAdminMigrations();
+        $text = Translate::noop('OIDC Installation');
     }
 
     if (!is_array($template->data['links'])) {