Remove old container and legacy URLs

docs/6-oidc-upgrade.md

@@ -153,6 +153,30 @@ statements about subordinates are removed, as the final specification
 explicitly states that leaf entities must not have those endpoints.
 This effectively means that this OP implementation can only be a leaf entity
 in the federation context, and not a federation operator or intermediary entity.
+- The legacy OIDC endpoints served directly by PHP files in the module's
+`public` folder are now removed (as announced in the version 5 to 6 upgrade
+notes). These were the old routes still reachable at URLs ending in `.php`:
+  - `<basepath>/module.php/oidc/authorize.php`
+  - `<basepath>/module.php/oidc/token.php`
+  - `<basepath>/module.php/oidc/userinfo.php`
+  - `<basepath>/module.php/oidc/jwks.php`
+  - `<basepath>/module.php/oidc/logout.php`
+  - `<basepath>/module.php/oidc/openid-configuration.php`
+
+  Use the Symfony-based routes instead, which have been the default since
+  version 6 and are the ones advertised in the OP Configuration
+  (`.well-known/openid-configuration`) endpoint:
+  - `<basepath>/module.php/oidc/authorization`
+  - `<basepath>/module.php/oidc/token`
+  - `<basepath>/module.php/oidc/userinfo`
+  - `<basepath>/module.php/oidc/jwks`
+  - `<basepath>/module.php/oidc/end-session`
+  - `<basepath>/module.php/oidc/.well-known/openid-configuration`
+
+  Any relying party still calling the old `.php` URLs must be updated to the
+  new routes. Note that since version 6 the OP has been publishing the new
+  routes in its discovery metadata, so RPs that read the OP Configuration
+  dynamically need no change.
 
 Medium impact changes:
 

hooks/hook_cron.php

@@ -14,20 +14,14 @@
  * file that was distributed with this source code.
  */
 
+use SimpleSAML\Kernel;
 use SimpleSAML\Logger;
 use SimpleSAML\Module\oidc\ModuleConfig;
-use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
-use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
-use SimpleSAML\Module\oidc\Repositories\IssuerStateRepository;
-use SimpleSAML\Module\oidc\Repositories\PushedAuthorizationRequestRepository;
-use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\Module\oidc\Services\Container;
+use SimpleSAML\Module\oidc\Services\ExpiredEntriesCleaner;
 
 /**
  * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
- * @throws \Psr\Container\ContainerExceptionInterface
- * @throws \Psr\Container\NotFoundExceptionInterface
  * @throws \Exception
  */
 function oidc_hook_cron(array &$croninfo): void
@@ -51,31 +45,15 @@ function oidc_hook_cron(array &$croninfo): void
         return;
     }
 
-    $container = new Container();
-
     try {
-        /** @var \SimpleSAML\Module\oidc\Repositories\AccessTokenRepository $accessTokenRepository */
-        $accessTokenRepository = $container->get(AccessTokenRepository::class);
-        $accessTokenRepository->removeExpired();
-
-        /** @var \SimpleSAML\Module\oidc\Repositories\AuthCodeRepository $authTokenRepository */
-        $authTokenRepository = $container->get(AuthCodeRepository::class);
-        $authTokenRepository->removeExpired();
-
-        /** @var \SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository $refreshTokenRepository */
-        $refreshTokenRepository = $container->get(RefreshTokenRepository::class);
-        $refreshTokenRepository->removeExpired();
-
-        /** @var \SimpleSAML\Module\oidc\Repositories\IssuerStateRepository $issuerStateRepository */
-        $issuerStateRepository = $container->get(IssuerStateRepository::class);
-        $issuerStateRepository->removeInvalid();
-
-        /** @var \SimpleSAML\Module\oidc\Repositories\PushedAuthorizationRequestRepository $parRepository */
-        $parRepository = $container->get(PushedAuthorizationRequestRepository::class);
-        $parRepository->removeExpired();
+        $kernel = new Kernel(ModuleConfig::MODULE_NAME);
+        $kernel->boot();
+        /** @var \SimpleSAML\Module\oidc\Services\ExpiredEntriesCleaner $cleaner */
+        $cleaner = $kernel->getContainer()->get(ExpiredEntriesCleaner::class);
+        $cleaner->clean();
 
         $croninfo['summary'][] = 'Module `oidc` clean up. Removed expired entries from storage.';
-    } catch (Exception $e) {
+    } catch (Throwable $e) {
         $message = 'Module `oidc` clean up cron script failed: ' . $e->getMessage();
         Logger::warning($message);
         $croninfo['summary'][] = $message;

routing/services/services.yml

@@ -24,7 +24,10 @@ services:
 
   SimpleSAML\Module\oidc\Services\:
     resource: '../../src/Services/*'
-    exclude: '../../src/Services/{Container.php}'
+
+  # Fetched from the (otherwise private) container by the cron hook after booting the module Kernel.
+  SimpleSAML\Module\oidc\Services\ExpiredEntriesCleaner:
+    public: true
 
   SimpleSAML\Module\oidc\Repositories\:
     resource: '../../src/Repositories/*'