Draft: Another way to return a 405 if calling SSO with HEAD req. (#2481)

monkeyiq · tvdijen · web-flow · commit 88a266e8d188 · 2025-07-07T13:22:32.000+10:00
* Another way to return a 405 if calling SSO with HEAD req. This relates to #2475 * downgrade to debug * Report 405 for all other methods * Move the allowedMethods array into the route definition. This would require a few rotues calling into headRequestNotAllowed if the allowedMethods are different. * Rename controller-method It will not just handle head-requests, also OPTIONS, TRACE, etc. * Fix lock-file * Move to separate controller-class and re-use on all SAML-endpoints * Fix alphabetical order --------- Co-authored-by: Tim van Dijen <tvdijen@gmail.com>
diff --git a/composer.json b/composer.json
@@ -71,6 +71,7 @@
         "symfony/config": "^6.4",
         "symfony/console": "^6.4",
         "symfony/dependency-injection": "^6.4",
+        "symfony/expression-language": "~6.4.0",
         "symfony/filesystem": "^6.4",
         "symfony/finder": "^6.4",
         "symfony/framework-bundle": "^6.4",
diff --git a/composer.lock b/composer.lock
diff --git a/modules/saml/routing/routes/routes.yml b/modules/saml/routing/routes/routes.yml
@@ -35,13 +35,29 @@ saml-sp-wrongAuthnContextClassRef:
   }
   methods: [GET]
 
+saml-sp-assertionConsumerService-method-not-allowed:
+  path: /sp/saml2-acs.php/{sourceId}
+  defaults: {
+    _controller: 'SimpleSAML\Module\saml\Controller\Exception::methodNotAllowed',
+    allowedMethods: ['GET', 'POST']
+  }
+  condition: "context.getMethod() not in ['GET', 'POST']"
+
 saml-sp-assertionConsumerService:
   path: /sp/saml2-acs.php/{sourceId}
   defaults: {
     _controller: 'SimpleSAML\Module\saml\Controller\ServiceProvider::assertionConsumerService'
   }
   methods: [GET, POST]
 
+saml-sp-singleLogoutService-method-not-allowed:
+  path: /sp/saml2-logout.php/{sourceId}
+  defaults: {
+    _controller: 'SimpleSAML\Module\saml\Controller\Exception::methodNotAllowed',
+    allowedMethods: ['GET', 'POST']
+  }
+  condition: "context.getMethod() not in ['GET', 'POST']"
+
 saml-sp-singleLogoutService:
   path: /sp/saml2-logout.php/{sourceId}
   defaults: {
@@ -64,13 +80,29 @@ saml-legacy-sp-metadata:
   }
   methods: [GET]
 
+websso-single-sign-on-method-not-allowed:
+  path: /idp/singleSignOnService
+  defaults: {
+    _controller: 'SimpleSAML\Module\saml\Controller\Exception::methodNotAllowed',
+    allowedMethods: ['GET', 'POST']
+  }
+  condition: "context.getMethod() not in ['GET', 'POST']"
+
 websso-single-sign-on:
   path: /idp/singleSignOnService
   defaults: {
     _controller: 'SimpleSAML\Module\saml\Controller\WebBrowserSingleSignOn::singleSignOnService'
   }
   methods: [GET, POST]
 
+websso-artifact-resolution-method-not-allowed:
+  path: /idp/artifactResolutionService
+  defaults: {
+    _controller: 'SimpleSAML\Module\saml\Controller\Exception::methodNotAllowed',
+    allowedMethods: ['GET', 'POST']
+  }
+  condition: "context.getMethod() not in ['GET', 'POST']"
+
 websso-artifact-resolution:
   path: /idp/artifactResolutionService
   defaults: {
@@ -85,6 +117,14 @@ websso-metadata:
   }
   methods: [GET]
 
+websso-single-logout-method-not-allowed:
+  path: /idp/singleLogout
+  defaults: {
+    _controller: 'SimpleSAML\Module\saml\Controller\Exception::methodNotAllowed',
+    allowedMethods: ['GET', 'POST']
+  }
+  condition: "context.getMethod() not in ['GET', 'POST']"
+
 websso-single-logout:
   path: /idp/singleLogout
   defaults: {
diff --git a/modules/saml/src/Controller/Exception.php b/modules/saml/src/Controller/Exception.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\saml\Controller;
+
+use SimpleSAML\{Configuration, Logger};
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
+
+use function implode;
+use function sprintf;
+
+/**
+ * Controller class for handling 'method not allowed' on SAML 2.0 endpoints.
+ *
+ * @package simplesamlphp/simplesamlphp
+ */
+class Exception
+{
+    /**
+     * Controller constructor.
+     *
+     * It initializes the global configuration for the controllers implemented here.
+     *
+     * @param \SimpleSAML\Configuration $config The configuration to use by the controllers.
+     */
+    public function __construct(
+        protected Configuration $config,
+    ) {
+    }
+
+
+    /**
+     * @param string[] $allowedMethods
+     * @return \SimpleSAML\HTTP\RunnableResponse
+     */
+    public function methodNotAllowed(array $allowedMethods): never
+    {
+        Logger::debug('Handling a HEAD request by returning method not allowed...');
+
+        $request = Request::createFromGlobals();
+
+        // These are the allowed methods from routes.yml
+        $message = sprintf(
+            'No route found for "%s %s": Method Not Allowed (Allow: %s)',
+            $request->getMethod(),
+            $request->getUriForPath($request->getPathInfo()),
+            implode(', ', $allowedMethods),
+        );
+
+        throw new MethodNotAllowedHttpException($allowedMethods, $message);
+    }
+}
