Add Service Provider entity ID based filtering

[sitya]

Allow restricting authorization rules to specific SPs by adding spEntityIDs arrays to attribute configurations. Rules with spEntityIDs only apply when the current SP matches the allowed list, enabling fine-grained access control per service provider.

Valid use-case: when our institution authenticates users who are allowed to access only a very few SPs, but they must be handled by the main IdP (e.g. users with library-walk-in affiliation). These improvements are relevant, if only you use Authorize module for your authproc.idp. In this case the the users can access only for the listed SPs, not else (e.g. they cannot access any resource from the national federation).

[tvdijen]

Looks good to me now! @monkeyiq would you mind going over this too?

[codecov]

Codecov Report

❌ Patch coverage is 90.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.03%. Comparing base (d411c40) to head (042f993).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master      #30      +/-   ##
============================================
+ Coverage     63.56%   69.03%   +5.46%     
- Complexity       50       56       +6     
============================================
  Files             2        2              
  Lines           129      155      +26     
============================================
+ Hits             82      107      +25     
- Misses           47       48       +1     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[monkeyiq]

I played around with testSpRestriction setting deny to true and when the dataset expectations are also inverted it seems to do what one would expect. I am not sure why one would want to deny on attr+sp picking but it is a possibility.

[monkeyiq]

I will give this another comb over in the morning. On first eyeballs it looks good.

[tvdijen]

Just a thought, not for this PR, but for later discussion.. I think it would make sense to be able to make authproc-filters apply to specific entities, in addition to the already existing 'precondition'-feature..

[tvdijen]

@sitya I took the liberty to 1) throw \SimpleSAML\Error\Exception instead of \Exception because we are trying to get rid of any generic exceptions in the SimpleSAMLphp-code and 2) I used an assertion that tests the $spEntityIDs variable for valid entityIDs. I hope you agree that both are good improvements.

Once @monkeyiq had his time to go over this once more I will merge and tag v1.7

[monkeyiq]

Using Assert for configuration seems like a good idea. It should probably be a hard failure mode to avoid any unintended soft fail over if the configuration is not what is expected. If folks are setting up specific auth procs they are probably happy to RTFM and make sure they have an array where one is expected.

[monkeyiq]

@tvdijen feel free to merge and tag :) sorry about the delay.

[tvdijen]

Tagged v1.7.0 - it will be included in the full build of SimpleSAMLphp 2.5.0
In the mean time you can manually update this module by running bin/composer.phar update simplesamlphp/simplesamlphp-module-authorize