From c9138a59c15239d05a578373b52bf28a9ce21ee0 Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Mon, 21 Aug 2023 15:38:14 -0400
Subject: [PATCH 1/8] [feature] Switch from Ant build to Maven and add GitHub
 Actions CI

---
 .github/workflows/ci.yml                      |  28 +++++
 .gitignore                                    |   3 +-
 VERSION.txt                                   |   1 -
 build.properties.xml                          |  12 --
 build.xml                                     |  36 ------
 collection.xconf                              |   6 -
 expath-pkg.xml.tmpl                           |   6 -
 index.html                                    |   9 --
 pom.xml                                       | 107 ++++++++++++++++++
 post-install.xql                              |   6 -
 repo.xml.tmpl                                 |  13 ---
 saml-request-ids/KEEPME                       |   1 -
 .../xar-resources-filtered/clean-reqids.xq    |   4 +-
 .../main/xar-resources-filtered/scheduler.xq  |   9 +-
 .../xar-resources/modules}/config-exsaml.xml  |   0
 .../main/xar-resources/modules}/exsaml.xqm    |   6 +-
 src/main/xar-resources/post-install.xq        |  18 +++
 xar-assembly.xml                              |  43 +++++++
 18 files changed, 205 insertions(+), 103 deletions(-)
 create mode 100644 .github/workflows/ci.yml
 delete mode 100644 VERSION.txt
 delete mode 100644 build.properties.xml
 delete mode 100644 build.xml
 delete mode 100644 collection.xconf
 delete mode 100644 expath-pkg.xml.tmpl
 delete mode 100644 index.html
 create mode 100644 pom.xml
 delete mode 100644 post-install.xql
 delete mode 100644 repo.xml.tmpl
 delete mode 100644 saml-request-ids/KEEPME
 rename content/clean-reqids.xql => src/main/xar-resources-filtered/clean-reqids.xq (84%)
 rename content/scheduler.xql => src/main/xar-resources-filtered/scheduler.xq (56%)
 rename {content => src/main/xar-resources/modules}/config-exsaml.xml (100%)
 rename {content => src/main/xar-resources/modules}/exsaml.xqm (98%)
 create mode 100644 src/main/xar-resources/post-install.xq
 create mode 100644 xar-assembly.xml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..3060067
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,28 @@
+name: CI
+on: [push, pull_request]
+jobs:
+  build:
+    name: Build and Test (${{ matrix.os }} / OpenJDK ${{ matrix.jdk }})
+    strategy:
+      fail-fast: true
+      matrix:
+        jdk: ['8']
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK ${{ matrix.jdk }}
+        uses: actions/setup-java@v3
+        with:
+          java-version: ${{ matrix.jdk }}
+          distribution: 'temurin'
+      - name: Cache Maven packages
+        uses: actions/cache@v3
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: Maven Build
+        run: mvn clean package -DskipTests
+      - name: Test
+        run: mvn verify
diff --git a/.gitignore b/.gitignore
index 42d15f4..e06bcfb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
-build/
-.*
+target/
 !.gitignore
diff --git a/VERSION.txt b/VERSION.txt
deleted file mode 100644
index 266146b..0000000
--- a/VERSION.txt
+++ /dev/null
@@ -1 +0,0 @@
-1.6.3
diff --git a/build.properties.xml b/build.properties.xml
deleted file mode 100644
index 4ecc28a..0000000
--- a/build.properties.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<root>
-  <app>
-    <name>existdb-saml</name>
-    <description>SAML implementation for existdb</description>
-    <version>1.6.3</version>
-    <url>http://exist-db.org/xquery/exsaml</url>
-    <status>beta</status>
-    <permissions>rwxr-xr-x</permissions>
-    <website>https://exist-db.org/</website>
-  </app>
-</root>
diff --git a/build.xml b/build.xml
deleted file mode 100644
index 95aede0..0000000
--- a/build.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns:xdb="http://exist-db.org/ant" default="xar" name="existdb-saml" basedir=".">
-  <xmlproperty file="build.properties.xml" semanticAttributes="true" keepRoot="false"/>
-  <property name="build.dir" value="build"/>
-
-  <target name="clean" description="clean up build dir">
-    <delete dir="${build.dir}"/>
-    <mkdir dir="${build.dir}"/>
-  </target>
-
-  <target name="copy">
-    <copy todir="${build.dir}/${app.name}-${app.version}">
-      <fileset dir="${basedir}" excludes="${build.dir},README.md,build.xml,build.properties.xml,.idea/,.gitignore,.editorconfig,.existdb.json,expath-pkg.xml.tmpl,repo.xml.tmpl,bower.json,bower_components/**,node_modules/**,package.json,local.node-exist.json,gulpfile.js"/>
-    </copy>
-    <copy todir="${build.dir}/${app.name}-${app.version}" overwrite="true" verbose="true">
-      <fileset file="expath-pkg.xml.tmpl"/>
-      <fileset file="repo.xml.tmpl"/>
-      <filterset>
-        <filter token="name" value="${app.name}"/>
-        <filter token="version" value="${app.version}"/>
-        <filter token="url" value="${app.url}"/>
-        <filter token="description" value="${app.description}"/>
-        <filter token="website" value="${app.website}"/>
-        <filter token="status" value="${app.status}"/>
-        <filter token="permissions" value="${app.permissions}"/>
-
-      </filterset>
-      <globmapper from="*.tmpl" to="*"/>
-    </copy>
-  </target>
-
-  <target name="xar" depends="clean, copy" description="main target to create application XAR file">
-    <zip basedir="${build.dir}/${app.name}-${app.version}" destfile="${build.dir}/${app.name}-${app.version}.xar"/>
-  </target>
-
-</project>
diff --git a/collection.xconf b/collection.xconf
deleted file mode 100644
index a871791..0000000
--- a/collection.xconf
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<collection xmlns="http://exist-db.org/collection-config/1.0">
-    <index xmlns:xs="http://www.w3.org/2001/XMLSchema">
-        <fulltext default="none" attributes="false"/>
-    </index>
-</collection>
\ No newline at end of file
diff --git a/expath-pkg.xml.tmpl b/expath-pkg.xml.tmpl
deleted file mode 100644
index a67f499..0000000
--- a/expath-pkg.xml.tmpl
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<package xmlns="http://expath.org/ns/pkg" name="@url@" abbrev="@name@" version="@version@" spec="1.0">
-    <title>@name@</title>
-    <dependency package="http://expath.org/ns/crypto"/>
-    <dependency processor="http://exist-db.org" semver-min="3.2.0"/>
-</package>
diff --git a/index.html b/index.html
deleted file mode 100644
index be398e4..0000000
--- a/index.html
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<html>
-    <head>
-        <title>forbidden</title>
-    </head>
-    <body>
-        <h1>forbidden</h1>
-    </body>
-</html>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..31ab3d5
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,107 @@
+<?xml version="1.0"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.exist-db</groupId>
+    <artifactId>exist-apps-parent</artifactId>
+    <version>1.12.0</version>
+    <relativePath/>
+  </parent>
+
+  <groupId>org.exist-db.apps</groupId>
+  <artifactId>existdb-saml-xquery</artifactId>
+  <version>1.7.0-SNAPSHOT</version>
+  
+
+  <name>eXist-db SAML XQuery</name>
+  <description>SAML v2.0 Implementation in XQuery</description>
+  <url>https://github.com/eXist-db/existdb-saml</url>
+
+  <scm>
+    <url>https://github.com/eXist-db/existdb-saml.git</url>
+    <connection>scm:git:https://github.com/eXist-db/existdb-saml.git</connection>
+    <developerConnection>scm:git:https://github.com/eXist-db/existdb-saml.git</developerConnection>
+  </scm>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+    <!-- used in the EXPath Package Descriptor -->
+    <package-name>http://exist-db.org/apps/exsaml</package-name>
+    
+    <exist.version>6.0.1</exist.version>
+
+    <exist.saml.library.path>/db/system/repo/${project.artifactId}-${project.version}</exist.saml.library.path>
+
+  </properties>
+
+  <build>
+    <resources>
+      <resource>
+        <directory>src/main/xar-resources</directory>
+        <filtering>false</filtering>
+      </resource>
+      <resource>
+        <directory>src/main/xar-resources-filtered</directory>
+        <filtering>true</filtering>
+      </resource>
+    </resources>
+
+    <testResources>
+      <testResource>
+        <directory>src/test/resources</directory>
+        <filtering>false</filtering>
+      </testResource>
+      <testResource>
+        <directory>src/test/resources-filtered</directory>
+        <filtering>true</filtering>
+      </testResource>
+    </testResources>
+
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-dependency-plugin</artifactId>
+      </plugin>
+
+      <plugin>
+        <groupId>ro.kuberam.maven.plugins</groupId>
+        <artifactId>kuberam-expath-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>create-xar</id>
+            <phase>package</phase>
+            <goals>
+              <goal>make-xar</goal>
+            </goals>
+            <configuration>
+              <descriptor>xar-assembly.xml</descriptor>
+              <finalName>${package-final-name}</finalName>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-gpg-plugin</artifactId>
+        <configuration>
+          <useAgent>true</useAgent>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-release-plugin</artifactId>
+        <configuration>
+          <mavenExecutorId>forked-path </mavenExecutorId>
+          <!-- avoid a bug with GPG plugin hanging http://jira.codehaus.org/browse/MGPG-9 -->
+          <autoVersionSubmodules>true</autoVersionSubmodules>
+          <tagNameFormat>@{project.version}</tagNameFormat>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>
diff --git a/post-install.xql b/post-install.xql
deleted file mode 100644
index 92792cd..0000000
--- a/post-install.xql
+++ /dev/null
@@ -1,6 +0,0 @@
-xquery version "3.1";
-
-(: the target collection into which the app is deployed :)
-declare variable $target external;
-
-sm:chmod(xs:anyURI($target||'/saml-request-ids'), 'rwx------')
diff --git a/repo.xml.tmpl b/repo.xml.tmpl
deleted file mode 100644
index 07ba920..0000000
--- a/repo.xml.tmpl
+++ /dev/null
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<meta xmlns="http://exist-db.org/xquery/repo">
-  <description>@description@</description>
-  <website>@website@</website>
-  <status>@status@</status>
-  <license>LGPL 2.1</license>
-  <copyright>true</copyright>
-  <type>library</type>
-  <target>existdb-saml</target>
-  <prepare />
-  <finish>post-install.xql</finish>
-  <permissions user="exsaml" group="dba" password="exsamlpass" mode="rwxrwxr-x"/>
-</meta>
diff --git a/saml-request-ids/KEEPME b/saml-request-ids/KEEPME
deleted file mode 100644
index a1b0291..0000000
--- a/saml-request-ids/KEEPME
+++ /dev/null
@@ -1 +0,0 @@
-just to keep this dir
\ No newline at end of file
diff --git a/content/clean-reqids.xql b/src/main/xar-resources-filtered/clean-reqids.xq
similarity index 84%
rename from content/clean-reqids.xql
rename to src/main/xar-resources-filtered/clean-reqids.xq
index 21b5de8..39a47f7 100644
--- a/content/clean-reqids.xql
+++ b/src/main/xar-resources-filtered/clean-reqids.xq
@@ -1,10 +1,10 @@
 xquery version "3.1";
 
-import module namespace exsaml="http://exist-db.org/xquery/exsaml" at "/db/apps/existdb-saml/content/exsaml.xqm";
+import module namespace exsaml = "http://exist-db.org/xquery/exsaml" at "${exist.saml.library.path}/modules/exsaml.xqm";
 import module namespace functx = "http://www.functx.com";
 
 declare function local:clean-reqids() {
-    let $reqid-col := "/db/apps/existdb-saml/saml-request-ids"
+    let $reqid-col := "${exist.saml.library.path}/saml-request-ids"
     let $reqids := for $reqid in collection($reqid-col)/reqid
                         let $duration := xs:dateTime(current-dateTime()) - xs:dateTime($reqid)
                         return
diff --git a/content/scheduler.xql b/src/main/xar-resources-filtered/scheduler.xq
similarity index 56%
rename from content/scheduler.xql
rename to src/main/xar-resources-filtered/scheduler.xq
index 76b40fd..b2368bc 100644
--- a/content/scheduler.xql
+++ b/src/main/xar-resources-filtered/scheduler.xq
@@ -1,21 +1,18 @@
 xquery version "3.1";
 
-import module namespace scheduler="http://exist-db.org/xquery/scheduler" at "java:org.exist.xquery.modules.scheduler.SchedulerModule";
-
-
-declare namespace sc="http://exist-db.org/xquery/scheduler";
+import module namespace scheduler = "http://exist-db.org/xquery/scheduler";
 
 declare variable $local:job-name := "clean-up-sso-reqids";
 declare variable $local:cron := "0 0 11 * * ? *";
 
 declare function local:start-job() {
-    scheduler:schedule-xquery-cron-job("/db/apps/existdb-saml/content/clean-reqids.xql", $local:cron, $local:job-name)
+    scheduler:schedule-xquery-cron-job("${exist.saml.library.path}/clean-reqids.xql", $local:cron, $local:job-name)
 };
 
 declare function local:show-job() {
     let $jobs := scheduler:get-scheduled-jobs()
      return
-         $jobs//sc:job[@name=$local:job-name]
+         $jobs//scheduler:job[@name=$local:job-name]
 };
 
 declare function local:stop-job() {
diff --git a/content/config-exsaml.xml b/src/main/xar-resources/modules/config-exsaml.xml
similarity index 100%
rename from content/config-exsaml.xml
rename to src/main/xar-resources/modules/config-exsaml.xml
diff --git a/content/exsaml.xqm b/src/main/xar-resources/modules/exsaml.xqm
similarity index 98%
rename from content/exsaml.xqm
rename to src/main/xar-resources/modules/exsaml.xqm
index f8884aa..665064a 100644
--- a/content/exsaml.xqm
+++ b/src/main/xar-resources/modules/exsaml.xqm
@@ -51,7 +51,7 @@ declare %private variable $exsaml:fake-user   := data($exsaml:config/fake-idp/@u
 declare %private variable $exsaml:fake-group  := data($exsaml:config/fake-idp/@group);
 
 (: SAML specific constants and non-configurable vars :)
-declare %private variable $exsaml:saml-coll-reqid := "/db/apps/existdb-saml/saml-request-ids";
+declare %private variable $exsaml:saml-coll-reqid := "${exist.saml.library.path}/saml-request-ids";
 declare %private variable $exsaml:saml-version   := "2.0";
 declare %private variable $exsaml:status-success := "urn:oasis:names:tc:SAML:2.0:status:Success";
 (: debugging only to simulate failure in fake-idp :)
@@ -130,7 +130,7 @@ declare %private function exsaml:store-authnreqid-as-exsol-user($id as xs:string
         then (
             let $log := exsaml:log("info", "collection " || $exsaml:saml-coll-reqid || " does not exist, attempting to create it")
             return
-                xmldb:create-collection("/db/apps/existdb-saml", "saml-request-ids")
+                xmldb:create-collection(fn:replace($exsaml:saml-coll-reqid, "(.*)/[^/]+", "$1"), fn:replace($exsaml:saml-coll-reqid, ".*/([^/]+)", "$1"))
         )
         else ()
     return
@@ -228,7 +228,7 @@ declare function exsaml:process-saml-response-post() {
         else ""
 
     let $pass := exsaml:create-user-password($auth/@nameid)
-    let $log-in := xmldb:login("/db/apps", $auth/@nameid, $pass, true())
+    let $log-in := xmldb:login("/db", $auth/@nameid, $pass, true())
     let $log := util:log("info", "login result: " || $log-in || ", " || fn:serialize(sm:id()))
 
     (: put SAML token into browser session :)
diff --git a/src/main/xar-resources/post-install.xq b/src/main/xar-resources/post-install.xq
new file mode 100644
index 0000000..f519d3e
--- /dev/null
+++ b/src/main/xar-resources/post-install.xq
@@ -0,0 +1,18 @@
+xquery version "3.1";
+
+import module namespace sm = "http://exist-db.org/xquery/securitymanager";
+import module namespace xmldb = "http://exist-db.org/xquery/xmldb";
+
+(: the target collection into which the app is deployed :)
+declare variable $target external;
+
+declare variable $saml-request-ids-collection-name := "saml-request-ids";
+declare variable $saml-request-ids-collection-path := $target || "/" || $saml-request-ids-collection-name;
+
+let $_ :=
+    if (fn:not(xmldb:collection-available($saml-request-ids-collection-path)))
+    then
+      xmldb:create-collection($target, $saml-request-ids-collection-name)
+    else()
+return
+    sm:chmod(xs:anyURI($saml-request-ids-collection-path), "rwx------")
diff --git a/xar-assembly.xml b/xar-assembly.xml
new file mode 100644
index 0000000..625b318
--- /dev/null
+++ b/xar-assembly.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<package xmlns="http://expath.org/ns/pkg" name="${package-name}" abbrev="${package-abbrev}" version="${project.version}"
+  spec="1.0">
+  <title>${package-title}</title>
+  <author id="eXist-db">${project.organization.name}</author>
+  <description>${project.description}</description>
+  <website>${project.url}</website>
+  <license>GNU LGPL 2.1</license>
+  <copyright>true</copyright>
+  
+  <type>library</type>
+  
+  <status>stable</status>
+  
+  <tag>${project.artifactId}</tag>
+  
+  <dependency processor="http://exist-db.org" semver-min="${exist.version}"/>
+  <dependency package="http://expath.org/ns/crypto" semver-min="6.0.1"/>
+
+  <target>${package-abbrev}</target>
+
+  <finish>post-install.xq</finish>
+  
+  <!-- includes everything in target, README.md, and LICENSE -->
+  <fileSets>
+    <fileSet>
+      <directory>${project.build.outputDirectory}</directory>
+    </fileSet>
+    <fileSet>
+      <directory>${project.basedir}</directory>
+      <includes>
+        <include>README.md</include>
+      </includes>
+    </fileSet>
+    <fileSet>
+      <directory>${project.basedir}</directory>
+      <includes>
+        <include>LICENSE</include>
+      </includes>
+    </fileSet>
+  </fileSets>
+  
+</package>

From b5892ed8eff55ab7e790841cce5e242a7fca0510 Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Fri, 25 Aug 2023 13:33:09 -0500
Subject: [PATCH 2/8] [bugfix] Forward port from -
 https://github.com/eXist-db/existdb-saml/pull/19 - Create 'exsaml' user
 during package install

---
 .../modules => xar-resources-filtered}/exsaml.xqm     |  0
 src/main/xar-resources/modules/config-exsaml.xml      |  2 +-
 src/main/xar-resources/pre-install.xq                 | 11 +++++++++++
 xar-assembly.xml                                      |  1 +
 4 files changed, 13 insertions(+), 1 deletion(-)
 rename src/main/{xar-resources/modules => xar-resources-filtered}/exsaml.xqm (100%)
 create mode 100644 src/main/xar-resources/pre-install.xq

diff --git a/src/main/xar-resources/modules/exsaml.xqm b/src/main/xar-resources-filtered/exsaml.xqm
similarity index 100%
rename from src/main/xar-resources/modules/exsaml.xqm
rename to src/main/xar-resources-filtered/exsaml.xqm
diff --git a/src/main/xar-resources/modules/config-exsaml.xml b/src/main/xar-resources/modules/config-exsaml.xml
index ecd6d8d..ed2a34d 100644
--- a/src/main/xar-resources/modules/config-exsaml.xml
+++ b/src/main/xar-resources/modules/config-exsaml.xml
@@ -52,7 +52,7 @@
     <!--   @username: username of privileged user -->
     <!--   @username: username of privileged user -->
     <!--   @pass: plaintext password, WILL GO AWAY -->
-    <exsaml-creds username="exsaml" group="exsaml" pass="my other password"/>
+    <exsaml-creds username="exsaml" group="exsaml" pass="exsaml"/>
 
     <!-- settings for dynamic user creation -->
     <!-- Since we are using a third party for authentication (SAML IDP), there
diff --git a/src/main/xar-resources/pre-install.xq b/src/main/xar-resources/pre-install.xq
new file mode 100644
index 0000000..c290d8b
--- /dev/null
+++ b/src/main/xar-resources/pre-install.xq
@@ -0,0 +1,11 @@
+xquery version "3.1";
+
+import module namespace sm = "http://exist-db.org/xquery/securitymanager";
+
+declare variable $saml-user-name := "exsaml";
+
+(: Create the default 'exsaml' user account :)
+if (fn:not(sm:user-exists($saml-user-name)))
+then
+  sm:create-account($saml-user-name, $saml-user-name, (), "existdb-saml", "existdb-saml-xquery SAML Authentication Account")
+else()
\ No newline at end of file
diff --git a/xar-assembly.xml b/xar-assembly.xml
index 625b318..30b8378 100644
--- a/xar-assembly.xml
+++ b/xar-assembly.xml
@@ -19,6 +19,7 @@
 
   <target>${package-abbrev}</target>
 
+  <prepare>pre-install.xq</prepare>
   <finish>post-install.xq</finish>
   
   <!-- includes everything in target, README.md, and LICENSE -->

From 89cdc24b51e68b69ad1fe8bf9943cafbb804d413 Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Fri, 25 Aug 2023 14:34:30 -0500
Subject: [PATCH 3/8] [bugfix] Forward port from -
 https://github.com/eXist-db/existdb-saml/pull/22 - Use correct XDM type for
 compatibility with eXist-db 6.x.x and without breaking backwards
 compatibility Closes https://github.com/eXist-db/existdb-saml/issues/2

---
 src/main/xar-resources-filtered/exsaml.xqm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/xar-resources-filtered/exsaml.xqm b/src/main/xar-resources-filtered/exsaml.xqm
index 665064a..074b206 100644
--- a/src/main/xar-resources-filtered/exsaml.xqm
+++ b/src/main/xar-resources-filtered/exsaml.xqm
@@ -122,7 +122,7 @@ declare %private function exsaml:build-saml-authnreq() {
     return $req
 };
 
-declare %private function exsaml:store-authnreqid-as-exsol-user($id as xs:string, $instant as xs:string) {
+declare %private function exsaml:store-authnreqid-as-exsol-user($id as xs:string, $instant as xs:dateTime) {
       let $create-collection := 
         if (        
             not(xmldb:collection-available($exsaml:saml-coll-reqid))
@@ -139,7 +139,7 @@ declare %private function exsaml:store-authnreqid-as-exsol-user($id as xs:string
 };
 
 (: store issued request ids in a collection,  :)
-declare %private function exsaml:store-authnreqid($id as xs:string, $instant as xs:string) {
+declare %private function exsaml:store-authnreqid($id as xs:string, $instant as xs:dateTime) {
     let $log := exsaml:log("info", "storing SAML request id: " || $id || ", date: " || $instant)
     return
         system:as-user(

From ec01352ae76a04878fb5cb0204d97dc6f915731e Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Fri, 25 Aug 2023 14:51:27 -0500
Subject: [PATCH 4/8] fixup! [feature] Switch from Ant build to Maven and add
 GitHub Actions CI

---
 src/main/xar-resources-filtered/{ => modules}/exsaml.xqm | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename src/main/xar-resources-filtered/{ => modules}/exsaml.xqm (100%)

diff --git a/src/main/xar-resources-filtered/exsaml.xqm b/src/main/xar-resources-filtered/modules/exsaml.xqm
similarity index 100%
rename from src/main/xar-resources-filtered/exsaml.xqm
rename to src/main/xar-resources-filtered/modules/exsaml.xqm

From 1b4b62395dc8c59d77ef8f60256d01da1098b3cd Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Fri, 25 Aug 2023 14:55:43 -0500
Subject: [PATCH 5/8] [bugfix] Forward port from -
 https://github.com/eXist-db/existdb-saml/pull/19 - Export the exsaml module
 as an EXPath Package Module

---
 pom.xml          |  2 +-
 xar-assembly.xml | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 31ab3d5..7e3f355 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
 
     <!-- used in the EXPath Package Descriptor -->
     <package-name>http://exist-db.org/apps/exsaml</package-name>
-    
+
     <exist.version>6.0.1</exist.version>
 
     <exist.saml.library.path>/db/system/repo/${project.artifactId}-${project.version}</exist.saml.library.path>
diff --git a/xar-assembly.xml b/xar-assembly.xml
index 30b8378..9f35778 100644
--- a/xar-assembly.xml
+++ b/xar-assembly.xml
@@ -40,5 +40,16 @@
       </includes>
     </fileSet>
   </fileSets>
-  
+
+  <!-- Export the XQuery Library modules written in XQuery from this project -->
+  <xquerySets>
+    <xquerySet>
+      <namespace>http://exist-db.org/xquery/exsaml</namespace>
+      <directory>${project.build.outputDirectory}</directory>
+      <includes>
+        <include>modules/exsaml.xqm</include>
+      </includes>
+    </xquerySet>
+  </xquerySets>
+
 </package>

From 19f5d29a2482717545ce6fbc2173ce4aaa1eb2ac Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Fri, 25 Aug 2023 15:23:57 -0500
Subject: [PATCH 6/8] [bugfix] Forward port from -
 https://github.com/eXist-db/existdb-saml/pull/19 - Make sure the
 saml-request-ids collection is accessible by the 'exsaml' user

---
 pom.xml                                          | 1 +
 src/main/xar-resources/modules/config-exsaml.xml | 2 +-
 src/main/xar-resources/post-install.xq           | 6 +++++-
 src/main/xar-resources/pre-install.xq            | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 7e3f355..88cfc11 100644
--- a/pom.xml
+++ b/pom.xml
@@ -34,6 +34,7 @@
 
     <exist.version>6.0.1</exist.version>
 
+    <exist.saml.username>exsaml</exist.saml.username>
     <exist.saml.library.path>/db/system/repo/${project.artifactId}-${project.version}</exist.saml.library.path>
 
   </properties>
diff --git a/src/main/xar-resources/modules/config-exsaml.xml b/src/main/xar-resources/modules/config-exsaml.xml
index ed2a34d..8e77e72 100644
--- a/src/main/xar-resources/modules/config-exsaml.xml
+++ b/src/main/xar-resources/modules/config-exsaml.xml
@@ -52,7 +52,7 @@
     <!--   @username: username of privileged user -->
     <!--   @username: username of privileged user -->
     <!--   @pass: plaintext password, WILL GO AWAY -->
-    <exsaml-creds username="exsaml" group="exsaml" pass="exsaml"/>
+    <exsaml-creds username="${exist.saml.username}" group="${exist.saml.username}" pass="${exist.saml.username}"/>
 
     <!-- settings for dynamic user creation -->
     <!-- Since we are using a third party for authentication (SAML IDP), there
diff --git a/src/main/xar-resources/post-install.xq b/src/main/xar-resources/post-install.xq
index f519d3e..71f741f 100644
--- a/src/main/xar-resources/post-install.xq
+++ b/src/main/xar-resources/post-install.xq
@@ -6,8 +6,10 @@ import module namespace xmldb = "http://exist-db.org/xquery/xmldb";
 (: the target collection into which the app is deployed :)
 declare variable $target external;
 
+declare variable $saml-user-name := "${exist.saml.username}";
 declare variable $saml-request-ids-collection-name := "saml-request-ids";
 declare variable $saml-request-ids-collection-path := $target || "/" || $saml-request-ids-collection-name;
+declare variable $saml-request-ids-collection-uri := xs:anyURI($saml-request-ids-collection-path);
 
 let $_ :=
     if (fn:not(xmldb:collection-available($saml-request-ids-collection-path)))
@@ -15,4 +17,6 @@ let $_ :=
       xmldb:create-collection($target, $saml-request-ids-collection-name)
     else()
 return
-    sm:chmod(xs:anyURI($saml-request-ids-collection-path), "rwx------")
+    let $_ := sm:chmod($saml-request-ids-collection-uri, "rwxr-x---")
+    return
+        sm:chown($saml-request-ids-collection-uri, $saml-user-name || ":" || $saml-user-name)
diff --git a/src/main/xar-resources/pre-install.xq b/src/main/xar-resources/pre-install.xq
index c290d8b..81ad9bc 100644
--- a/src/main/xar-resources/pre-install.xq
+++ b/src/main/xar-resources/pre-install.xq
@@ -2,7 +2,7 @@ xquery version "3.1";
 
 import module namespace sm = "http://exist-db.org/xquery/securitymanager";
 
-declare variable $saml-user-name := "exsaml";
+declare variable $saml-user-name := "${exist.saml.username}";
 
 (: Create the default 'exsaml' user account :)
 if (fn:not(sm:user-exists($saml-user-name)))

From b88e6aaa09d52b974a69c6a319cabbfb555d68cb Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Fri, 25 Aug 2023 15:42:30 -0500
Subject: [PATCH 7/8] [bugfix] Forward port from -
 https://github.com/eXist-db/existdb-saml/pull/24 - Add missing XDM base64
 type cast for compatibility with eXist-db 6.x.x Closes
 https://github.com/eXist-db/existdb-saml/issues/23

---
 src/main/xar-resources-filtered/modules/exsaml.xqm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/xar-resources-filtered/modules/exsaml.xqm b/src/main/xar-resources-filtered/modules/exsaml.xqm
index 074b206..441f562 100644
--- a/src/main/xar-resources-filtered/modules/exsaml.xqm
+++ b/src/main/xar-resources-filtered/modules/exsaml.xqm
@@ -100,7 +100,7 @@ declare function exsaml:build-authnreq-redir-url($relaystate as xs:string) {
     let $zip := compression:deflate($bin, true())
 (:    let $log := exsaml:log("debug", "build-authnreq-redir-url; zip: " || $zip):)
     (: urlencode base64 request data :)
-    let $urlenc := xmldb:encode($zip)
+    let $urlenc := xmldb:encode($zip cast as xs:string)
 
     let $log := exsaml:log("debug", "build-authnreq-redir-url; urlenc: " || $urlenc)
 

From ca52802741d01835c3b8b5e9290edc699e2d2059 Mon Sep 17 00:00:00 2001
From: Adam Retter <adam.retter@googlemail.com>
Date: Tue, 29 Aug 2023 19:27:22 -0400
Subject: [PATCH 8/8] [feature] Start of a test application

---
 src/test/resources/config-exsaml.xml   | 84 ++++++++++++++++++++++++++
 src/test/resources/myapp/controller.xq | 63 +++++++++++++++++++
 src/test/resources/myapp/index.html    |  8 +++
 3 files changed, 155 insertions(+)
 create mode 100644 src/test/resources/config-exsaml.xml
 create mode 100644 src/test/resources/myapp/controller.xq
 create mode 100644 src/test/resources/myapp/index.html

diff --git a/src/test/resources/config-exsaml.xml b/src/test/resources/config-exsaml.xml
new file mode 100644
index 0000000..e24bd26
--- /dev/null
+++ b/src/test/resources/config-exsaml.xml
@@ -0,0 +1,84 @@
+<!-- To disable SAML authentication, set @enabled="false" -->
+<config enabled="true">
+
+    <!-- In SAML terminology, the eXist DB is the "service provider" (SP)
+         which uses a remote "identity provider" (IDP, eg PingFederate) to
+         perform user authentication.  Both peers are expected to encode their
+         "entity" names in requests/responses and to validate the peer's entity.
+         Also the URI endpoints of both peers need to be configured here. -->
+
+    <!-- SERVICE PROVIDER CONFIGURATION  -->
+
+    <!-- sp (service provider) is our local eXist DB -->
+    <!--   @entity: just a namestring in URI format -->
+    <!--   @endpoint: our HTTP endpoint to post SAML responses to -->
+    <!--   @fallback-relaystate: used if IdP does not send a relaystate -->
+
+    <!-- SERVICE PROVIDER CONFIGURATION  -->
+    <sp entity="https://service-provider.org" endpoint="http://localhost:8080/exist/apps/myapp/SAML2SP" fallback-relaystate="https://service-provider.org"/>
+
+
+    <!-- IDENTITY PROVIDER -->
+    <!-- idp (identity provider) is a remote SAML IDP, eg PingFederate -->
+    <!--   @entity: their namestring in URI format -->
+    <!--   @endpoint: their HTTP endpoint to send SAML requests to -->
+    <!--   @accept-unsolicited: enable IDP-initiated SAML -->
+    <!--   @force-relaystate: force clients to a local endpoint URI -->
+    <!--   @certfile: required for XML signature validation if sig sent by IDP -->
+    <!--   @verify-issuer: is a hack to deal with misconfigured IDPs -->
+
+    <idp entity="https://saml.example.com/entityid" endpoint="http://localhost:4000/api/saml/sso" accept-unsolicited="false" force-relaystate="" certfile="/usr/local/existdb/exist/cert/sso-prod.crt" verify-issuer="true"/>
+
+    <!-- crypto settings -->
+    <!--   @hmac-key: server-side secret key for HMACs -->
+    <!--   @hmac-alg: HMAC algorithm -->
+    <crypto hmac-key="existdb-saml-xquery-integration-test" hmac-alg="HMAC-SHA-256"/>
+
+    <!-- token settings.  @valid-mins is important here.
+         This defines how many minutes the local eXist DB will trust a SAML
+         assertion.  Setting this to "0" will force SAML roundtrip for every
+         request, including images, css etc.  This will put load on the IDP and
+         should be avoided.  Reasonable values might be 5-30. -->
+    <!--   @valid-mins: validity duration of an auth token in minutes -->
+    <!--   @name: name to store the token into session parameters -->
+    <token valid-mins="5" name="_token"/>
+
+    <!-- credentials for special user "exsaml".  This is a privileged user
+         in group "dba", needed for 2 purposes:
+         - "dba" privs required to check user exists / create user on the fly
+         - SAML requires that an SP (= eXist) maintains a collection of SAML
+           request IDs that it sent, and that this collection is tamperproof.
+           Only this user has access to the reqids collection. -->
+    <!--   @username: username of privileged user -->
+    <!--   @username: username of privileged user -->
+    <!--   @pass: plaintext password, WILL GO AWAY -->
+    <exsaml-creds username="exsaml" group="exsaml" pass="exsaml"/>
+
+    <!-- settings for dynamic user creation -->
+    <!-- Since we are using a third party for authentication (SAML IDP), there
+         is no need to keep users in the local eXist DB.  These settings may
+         be used to create local DB users on the fly, if required. -->
+    <!--   @create: either "true" (create local DB users) or "false" (do not) -->
+    <!--   @group: group membership for created users -->
+    <dynamic-users create="false"/>
+    <!-- dynamic-users create="true" group="sso-user"/ -->
+
+    <!-- group-attribute -->
+    <!-- This defines a SAML attribute name that is used specify group
+         membership, if the IDP passes this information as SAML attribute
+         assertion -->
+    <group-attribute>sso-user</group-attribute>
+
+    <!-- fake IDP for debugging, if no real IDP is available -->
+    <!-- Should be empty for production use.  If this is non-empty AND
+         idp/@ep above points to the local server, then a fake SAML assertion
+         is generated without any user/password dialog. -->
+    <!--   @result: fake result to return, either "true" (auth ok) or "false"
+                    (auth fail) -->
+    <!--   @minutes-valid: how long the returned SAML assertion is claimed
+                           valid by the IDP -->
+    <!--   @user: username to return an assertion for -->
+    <!--   @group: group membership to return for this user -->
+    <fake-idp/>
+    <!-- fake-idp result="true" minutes-valid="10" user="sso-user3" group="sso-user"/-->
+</config>
diff --git a/src/test/resources/myapp/controller.xq b/src/test/resources/myapp/controller.xq
new file mode 100644
index 0000000..b070821
--- /dev/null
+++ b/src/test/resources/myapp/controller.xq
@@ -0,0 +1,63 @@
+xquery version "3.1";
+
+declare namespace exist = "http://exist.sourceforge.net/NS/exist";
+
+(: import exsaml module :)
+import module namespace exsaml = "http://exist-db.org/xquery/exsaml" at 'xmldb:///db/system/repo/existdb-saml-xquery-1.7.0-SNAPSHOT/modules/exsaml.xqm';
+
+declare variable $exist:controller external;
+declare variable $exist:path external;
+
+(: this is required for SAML so that the IDP response can be rendered as a form
+   that gets auto-submitted by the user's browser, back to the SP (eXist) :)
+declare option exist:serialize "method=html media-type=text/html indent=no";
+
+(: handle SP endpoint to process SAML response in HTTP POST :)
+if ($exist:path = "/SAML2SP")
+then
+    let $log := util:log('info', "SAML2SP: processing SAML response")
+    let $status := exsaml:process-saml-response-post()
+    let $log := util:log('debug', "endpoint SAML2SP; status: " || $status/@code)
+    return
+        if ($status/@code >= 0) then
+            (: forward to page that was requested by the user :)
+            let $debug := util:log("info", "Auth success - code " || $status/@code || " - relaystate: " || $status/@relaystate)
+            return
+                <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
+                    <redirect url="{$status/@relaystate}"/>
+                </dispatch>
+        else
+            (: if SAML failed, display an error message for now :)
+            <data>{string($status/@msg) || ": " || string($status/@data)}</data>
+
+(: if logout, invalidate SAML token :)
+else if ($exist:path = '/logout')
+then
+    let $_ :=
+            if (exsaml:is-enabled())
+            then
+                exsaml:invalidate-saml-token()
+            else ()
+    return
+        <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
+            <redirect url="https://www.evolvedbinary.com"/>
+        </dispatch>
+
+(: if no valid token, redirect to SAML auth :)
+else if (exsaml:is-enabled() and not(exsaml:check-valid-saml-token()))
+then
+    let $debug := exsaml:log('info', "controller: no valid token, redirect to SAML auth")
+    let $return-path := "/exist/apps" || $exist:controller || $exist:path
+    return
+        <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
+            <redirect url="{exsaml:build-authnreq-redir-url($return-path)}">
+                <set-header name="Cache-Control" value="no-cache, no-store" />
+                <set-header name="Pragma" value="no-cache" />
+            </redirect>
+        </dispatch>
+
+(: We have an existing valid SAML token! :)
+else
+    <ignore xmlns="http://exist.sourceforge.net/NS/exist">
+      <cache-control cache="no"/>
+    </ignore>
diff --git a/src/test/resources/myapp/index.html b/src/test/resources/myapp/index.html
new file mode 100644
index 0000000..c8263e3
--- /dev/null
+++ b/src/test/resources/myapp/index.html
@@ -0,0 +1,8 @@
+<html>
+    <head>
+        <title>My App</title>
+    </head>
+    <body>
+        <h1>Welcome to MyApp</h1>
+    </body>
+</html>
\ No newline at end of file