875 lines
28 KiB
PHP
875 lines
28 KiB
PHP
<?php
|
|
/*
|
|
* Copyright 2010 Google Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
namespace Google\Auth\Tests;
|
|
|
|
use Google\Auth\OAuth2;
|
|
use GuzzleHttp\Psr7;
|
|
use GuzzleHttp\Psr7\Response;
|
|
use PHPUnit\Framework\TestCase;
|
|
|
|
class OAuth2AuthorizationUriTest extends TestCase
|
|
{
|
|
private $minimal = [
|
|
'authorizationUri' => 'https://accounts.test.org/insecure/url',
|
|
'redirectUri' => 'https://accounts.test.org/redirect/url',
|
|
'clientId' => 'aClientID',
|
|
];
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testIsNullIfAuthorizationUriIsNull()
|
|
{
|
|
$o = new OAuth2([]);
|
|
$this->assertNull($o->buildFullAuthorizationUri());
|
|
}
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testRequiresTheClientId()
|
|
{
|
|
$o = new OAuth2([
|
|
'authorizationUri' => 'https://accounts.test.org/auth/url',
|
|
'redirectUri' => 'https://accounts.test.org/redirect/url',
|
|
]);
|
|
$o->buildFullAuthorizationUri();
|
|
}
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testRequiresTheRedirectUri()
|
|
{
|
|
$o = new OAuth2([
|
|
'authorizationUri' => 'https://accounts.test.org/auth/url',
|
|
'clientId' => 'aClientID',
|
|
]);
|
|
$o->buildFullAuthorizationUri();
|
|
}
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testCannotHavePromptAndApprovalPrompt()
|
|
{
|
|
$o = new OAuth2([
|
|
'authorizationUri' => 'https://accounts.test.org/auth/url',
|
|
'clientId' => 'aClientID',
|
|
]);
|
|
$o->buildFullAuthorizationUri([
|
|
'approval_prompt' => 'an approval prompt',
|
|
'prompt' => 'a prompt',
|
|
]);
|
|
}
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testCannotHaveInsecureAuthorizationUri()
|
|
{
|
|
$o = new OAuth2([
|
|
'authorizationUri' => 'http://accounts.test.org/insecure/url',
|
|
'redirectUri' => 'https://accounts.test.org/redirect/url',
|
|
'clientId' => 'aClientID',
|
|
]);
|
|
$o->buildFullAuthorizationUri();
|
|
}
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testCannotHaveRelativeRedirectUri()
|
|
{
|
|
$o = new OAuth2([
|
|
'authorizationUri' => 'http://accounts.test.org/insecure/url',
|
|
'redirectUri' => '/redirect/url',
|
|
'clientId' => 'aClientID',
|
|
]);
|
|
$o->buildFullAuthorizationUri();
|
|
}
|
|
|
|
public function testHasDefaultXXXTypeParams()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$q = Psr7\parse_query($o->buildFullAuthorizationUri()->getQuery());
|
|
$this->assertEquals('code', $q['response_type']);
|
|
$this->assertEquals('offline', $q['access_type']);
|
|
}
|
|
|
|
public function testCanBeUrlObject()
|
|
{
|
|
$config = array_merge($this->minimal, [
|
|
'authorizationUri' => Psr7\uri_for('https://another/uri'),
|
|
]);
|
|
$o = new OAuth2($config);
|
|
$this->assertEquals('/uri', $o->buildFullAuthorizationUri()->getPath());
|
|
}
|
|
|
|
public function testCanOverrideParams()
|
|
{
|
|
$overrides = [
|
|
'access_type' => 'o_access_type',
|
|
'client_id' => 'o_client_id',
|
|
'redirect_uri' => 'o_redirect_uri',
|
|
'response_type' => 'o_response_type',
|
|
'state' => 'o_state',
|
|
];
|
|
$config = array_merge($this->minimal, ['state' => 'the_state']);
|
|
$o = new OAuth2($config);
|
|
$q = Psr7\parse_query($o->buildFullAuthorizationUri($overrides)->getQuery());
|
|
$this->assertEquals('o_access_type', $q['access_type']);
|
|
$this->assertEquals('o_client_id', $q['client_id']);
|
|
$this->assertEquals('o_redirect_uri', $q['redirect_uri']);
|
|
$this->assertEquals('o_response_type', $q['response_type']);
|
|
$this->assertEquals('o_state', $q['state']);
|
|
}
|
|
|
|
public function testIncludesTheScope()
|
|
{
|
|
$with_strings = array_merge($this->minimal, ['scope' => 'scope1 scope2']);
|
|
$o = new OAuth2($with_strings);
|
|
$q = Psr7\parse_query($o->buildFullAuthorizationUri()->getQuery());
|
|
$this->assertEquals('scope1 scope2', $q['scope']);
|
|
|
|
$with_array = array_merge($this->minimal, [
|
|
'scope' => ['scope1', 'scope2'],
|
|
]);
|
|
$o = new OAuth2($with_array);
|
|
$q = Psr7\parse_query($o->buildFullAuthorizationUri()->getQuery());
|
|
$this->assertEquals('scope1 scope2', $q['scope']);
|
|
}
|
|
|
|
public function testRedirectUriPostmessageIsAllowed()
|
|
{
|
|
$o = new OAuth2([
|
|
'authorizationUri' => 'https://accounts.test.org/insecure/url',
|
|
'redirectUri' => 'postmessage',
|
|
'clientId' => 'aClientID',
|
|
]);
|
|
$this->assertEquals('postmessage', $o->getRedirectUri());
|
|
$url = $o->buildFullAuthorizationUri();
|
|
$parts = parse_url((string)$url);
|
|
parse_str($parts['query'], $query);
|
|
$this->assertArrayHasKey('redirect_uri', $query);
|
|
$this->assertEquals('postmessage', $query['redirect_uri']);
|
|
}
|
|
}
|
|
|
|
class OAuth2GrantTypeTest extends TestCase
|
|
{
|
|
private $minimal = [
|
|
'authorizationUri' => 'https://accounts.test.org/insecure/url',
|
|
'redirectUri' => 'https://accounts.test.org/redirect/url',
|
|
'clientId' => 'aClientID',
|
|
];
|
|
|
|
public function testReturnsNullIfCannotBeInferred()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertNull($o->getGrantType());
|
|
}
|
|
|
|
public function testInfersAuthorizationCode()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setCode('an auth code');
|
|
$this->assertEquals('authorization_code', $o->getGrantType());
|
|
}
|
|
|
|
public function testInfersRefreshToken()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setRefreshToken('a refresh token');
|
|
$this->assertEquals('refresh_token', $o->getGrantType());
|
|
}
|
|
|
|
public function testInfersPassword()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setPassword('a password');
|
|
$o->setUsername('a username');
|
|
$this->assertEquals('password', $o->getGrantType());
|
|
}
|
|
|
|
public function testInfersJwtBearer()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setIssuer('an issuer');
|
|
$o->setSigningKey('a key');
|
|
$this->assertEquals('urn:ietf:params:oauth:grant-type:jwt-bearer',
|
|
$o->getGrantType());
|
|
}
|
|
|
|
public function testSetsKnownTypes()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
foreach (OAuth2::$knownGrantTypes as $t) {
|
|
$o->setGrantType($t);
|
|
$this->assertEquals($t, $o->getGrantType());
|
|
}
|
|
}
|
|
|
|
public function testSetsUrlAsGrantType()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setGrantType('http://a/grant/url');
|
|
$this->assertEquals('http://a/grant/url', $o->getGrantType());
|
|
}
|
|
}
|
|
|
|
class OAuth2GetCacheKeyTest extends TestCase
|
|
{
|
|
private $minimal = [
|
|
'clientID' => 'aClientID',
|
|
];
|
|
|
|
public function testIsNullWithNoScopes()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertNull($o->getCacheKey());
|
|
}
|
|
|
|
public function testIsScopeIfSingleScope()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setScope('test/scope/1');
|
|
$this->assertEquals('test/scope/1', $o->getCacheKey());
|
|
}
|
|
|
|
public function testIsAllScopesWhenScopeIsArray()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setScope(['test/scope/1', 'test/scope/2']);
|
|
$this->assertEquals('test/scope/1:test/scope/2', $o->getCacheKey());
|
|
}
|
|
}
|
|
|
|
class OAuth2TimingTest extends TestCase
|
|
{
|
|
private $minimal = [
|
|
'authorizationUri' => 'https://accounts.test.org/insecure/url',
|
|
'redirectUri' => 'https://accounts.test.org/redirect/url',
|
|
'clientId' => 'aClientID',
|
|
];
|
|
|
|
public function testIssuedAtDefaultsToNull()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertNull($o->getIssuedAt());
|
|
}
|
|
|
|
public function testExpiresAtDefaultsToNull()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertNull($o->getExpiresAt());
|
|
}
|
|
|
|
public function testExpiresInDefaultsToNull()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertNull($o->getExpiresIn());
|
|
}
|
|
|
|
public function testSettingExpiresInSetsIssuedAt()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertNull($o->getIssuedAt());
|
|
$aShortWhile = 5;
|
|
$o->setExpiresIn($aShortWhile);
|
|
$this->assertEquals($aShortWhile, $o->getExpiresIn());
|
|
$this->assertNotNull($o->getIssuedAt());
|
|
}
|
|
|
|
public function testSettingExpiresInSetsExpireAt()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertNull($o->getExpiresAt());
|
|
$aShortWhile = 5;
|
|
$o->setExpiresIn($aShortWhile);
|
|
$this->assertNotNull($o->getExpiresAt());
|
|
$this->assertEquals($aShortWhile, $o->getExpiresAt() - $o->getIssuedAt());
|
|
}
|
|
|
|
public function testIsNotExpiredByDefault()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$this->assertFalse($o->isExpired());
|
|
}
|
|
|
|
public function testIsNotExpiredIfExpiresAtIsOld()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setExpiresAt(time() - 2);
|
|
$this->assertTrue($o->isExpired());
|
|
}
|
|
}
|
|
|
|
class OAuth2GeneralTest extends TestCase
|
|
{
|
|
private $minimal = [
|
|
'authorizationUri' => 'https://accounts.test.org/insecure/url',
|
|
'redirectUri' => 'https://accounts.test.org/redirect/url',
|
|
'clientId' => 'aClientID',
|
|
];
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testFailsOnUnknownSigningAlgorithm()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setSigningAlgorithm('this is definitely not an algorithm name');
|
|
}
|
|
|
|
public function testAllowsKnownSigningAlgorithms()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
foreach (OAuth2::$knownSigningAlgorithms as $a) {
|
|
$o->setSigningAlgorithm($a);
|
|
$this->assertEquals($a, $o->getSigningAlgorithm());
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @expectedException InvalidArgumentException
|
|
*/
|
|
public function testFailsOnRelativeRedirectUri()
|
|
{
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setRedirectUri('/relative/url');
|
|
}
|
|
|
|
public function testAllowsUrnRedirectUri()
|
|
{
|
|
$urn = 'urn:ietf:wg:oauth:2.0:oob';
|
|
$o = new OAuth2($this->minimal);
|
|
$o->setRedirectUri($urn);
|
|
$this->assertEquals($urn, $o->getRedirectUri());
|
|
}
|
|
}
|
|
|
|
class OAuth2JwtTest extends TestCase
|
|
{
|
|
private $signingMinimal = [
|
|
'signingKey' => 'example_key',
|
|
'signingAlgorithm' => 'HS256',
|
|
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
|
|
'issuer' => 'app@example.com',
|
|
'audience' => 'accounts.google.com',
|
|
'clientId' => 'aClientID',
|
|
];
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsWithMissingAudience()
|
|
{
|
|
$testConfig = $this->signingMinimal;
|
|
unset($testConfig['audience']);
|
|
$o = new OAuth2($testConfig);
|
|
$o->toJwt();
|
|
}
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsWithMissingIssuer()
|
|
{
|
|
$testConfig = $this->signingMinimal;
|
|
unset($testConfig['issuer']);
|
|
$o = new OAuth2($testConfig);
|
|
$o->toJwt();
|
|
}
|
|
|
|
/**
|
|
*/
|
|
public function testCanHaveNoScope()
|
|
{
|
|
$testConfig = $this->signingMinimal;
|
|
unset($testConfig['scope']);
|
|
$o = new OAuth2($testConfig);
|
|
$o->toJwt();
|
|
}
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsWithMissingSigningKey()
|
|
{
|
|
$testConfig = $this->signingMinimal;
|
|
unset($testConfig['signingKey']);
|
|
$o = new OAuth2($testConfig);
|
|
$o->toJwt();
|
|
}
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsWithMissingSigningAlgorithm()
|
|
{
|
|
$testConfig = $this->signingMinimal;
|
|
unset($testConfig['signingAlgorithm']);
|
|
$o = new OAuth2($testConfig);
|
|
$o->toJwt();
|
|
}
|
|
|
|
public function testCanHS256EncodeAValidPayload()
|
|
{
|
|
$testConfig = $this->signingMinimal;
|
|
$o = new OAuth2($testConfig);
|
|
$payload = $o->toJwt();
|
|
$roundTrip = $this->jwtDecode($payload, $testConfig['signingKey'], array('HS256'));
|
|
$this->assertEquals($roundTrip->iss, $testConfig['issuer']);
|
|
$this->assertEquals($roundTrip->aud, $testConfig['audience']);
|
|
$this->assertEquals($roundTrip->scope, $testConfig['scope']);
|
|
}
|
|
|
|
public function testCanRS256EncodeAValidPayload()
|
|
{
|
|
$publicKey = file_get_contents(__DIR__ . '/fixtures' . '/public.pem');
|
|
$privateKey = file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
|
|
$testConfig = $this->signingMinimal;
|
|
$o = new OAuth2($testConfig);
|
|
$o->setSigningAlgorithm('RS256');
|
|
$o->setSigningKey($privateKey);
|
|
$payload = $o->toJwt();
|
|
$roundTrip = $this->jwtDecode($payload, $publicKey, array('RS256'));
|
|
$this->assertEquals($roundTrip->iss, $testConfig['issuer']);
|
|
$this->assertEquals($roundTrip->aud, $testConfig['audience']);
|
|
$this->assertEquals($roundTrip->scope, $testConfig['scope']);
|
|
}
|
|
|
|
public function testCanHaveAdditionalClaims()
|
|
{
|
|
$publicKey = file_get_contents(__DIR__ . '/fixtures' . '/public.pem');
|
|
$privateKey = file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
|
|
$testConfig = $this->signingMinimal;
|
|
$targetAud = '123@456.com';
|
|
$testConfig['additionalClaims'] = ['target_audience' => $targetAud];
|
|
$o = new OAuth2($testConfig);
|
|
$o->setSigningAlgorithm('RS256');
|
|
$o->setSigningKey($privateKey);
|
|
$payload = $o->toJwt();
|
|
$roundTrip = $this->jwtDecode($payload, $publicKey, array('RS256'));
|
|
$this->assertEquals($roundTrip->target_audience, $targetAud);
|
|
}
|
|
|
|
private function jwtDecode()
|
|
{
|
|
$args = func_get_args();
|
|
$class = 'JWT';
|
|
if (class_exists('Firebase\JWT\JWT')) {
|
|
$class = 'Firebase\JWT\JWT';
|
|
}
|
|
|
|
return call_user_func_array("$class::decode", $args);
|
|
}
|
|
}
|
|
|
|
class OAuth2GenerateAccessTokenRequestTest extends TestCase
|
|
{
|
|
private $tokenRequestMinimal = [
|
|
'tokenCredentialUri' => 'https://tokens_r_us/test',
|
|
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
|
|
'issuer' => 'app@example.com',
|
|
'audience' => 'accounts.google.com',
|
|
'clientId' => 'aClientID',
|
|
];
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsIfNoTokenCredentialUri()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
unset($testConfig['tokenCredentialUri']);
|
|
$o = new OAuth2($testConfig);
|
|
$o->generateCredentialsRequest();
|
|
}
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsIfAuthorizationCodeIsMissing()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$testConfig['redirectUri'] = 'https://has/redirect/uri';
|
|
$o = new OAuth2($testConfig);
|
|
$o->generateCredentialsRequest();
|
|
}
|
|
|
|
public function testGeneratesAuthorizationCodeRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$testConfig['redirectUri'] = 'https://has/redirect/uri';
|
|
$o = new OAuth2($testConfig);
|
|
$o->setCode('an_auth_code');
|
|
|
|
// Generate the request and confirm that it's correct.
|
|
$req = $o->generateCredentialsRequest();
|
|
$this->assertInstanceOf('Psr\Http\Message\RequestInterface', $req);
|
|
$this->assertEquals('POST', $req->getMethod());
|
|
$fields = Psr7\parse_query((string)$req->getBody());
|
|
$this->assertEquals('authorization_code', $fields['grant_type']);
|
|
$this->assertEquals('an_auth_code', $fields['code']);
|
|
}
|
|
|
|
public function testGeneratesPasswordRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$o = new OAuth2($testConfig);
|
|
$o->setUsername('a_username');
|
|
$o->setPassword('a_password');
|
|
|
|
// Generate the request and confirm that it's correct.
|
|
$req = $o->generateCredentialsRequest();
|
|
$this->assertInstanceOf('Psr\Http\Message\RequestInterface', $req);
|
|
$this->assertEquals('POST', $req->getMethod());
|
|
$fields = Psr7\parse_query((string)$req->getBody());
|
|
$this->assertEquals('password', $fields['grant_type']);
|
|
$this->assertEquals('a_password', $fields['password']);
|
|
$this->assertEquals('a_username', $fields['username']);
|
|
}
|
|
|
|
public function testGeneratesRefreshTokenRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$o = new OAuth2($testConfig);
|
|
$o->setRefreshToken('a_refresh_token');
|
|
|
|
// Generate the request and confirm that it's correct.
|
|
$req = $o->generateCredentialsRequest();
|
|
$this->assertInstanceOf('Psr\Http\Message\RequestInterface', $req);
|
|
$this->assertEquals('POST', $req->getMethod());
|
|
$fields = Psr7\parse_query((string)$req->getBody());
|
|
$this->assertEquals('refresh_token', $fields['grant_type']);
|
|
$this->assertEquals('a_refresh_token', $fields['refresh_token']);
|
|
}
|
|
|
|
public function testClientSecretAddedIfSetForAuthorizationCodeRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$testConfig['clientSecret'] = 'a_client_secret';
|
|
$testConfig['redirectUri'] = 'https://has/redirect/uri';
|
|
$o = new OAuth2($testConfig);
|
|
$o->setCode('an_auth_code');
|
|
$request = $o->generateCredentialsRequest();
|
|
$fields = Psr7\parse_query((string)$request->getBody());
|
|
$this->assertEquals('a_client_secret', $fields['client_secret']);
|
|
}
|
|
|
|
public function testClientSecretAddedIfSetForRefreshTokenRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$testConfig['clientSecret'] = 'a_client_secret';
|
|
$o = new OAuth2($testConfig);
|
|
$o->setRefreshToken('a_refresh_token');
|
|
$request = $o->generateCredentialsRequest();
|
|
$fields = Psr7\parse_query((string)$request->getBody());
|
|
$this->assertEquals('a_client_secret', $fields['client_secret']);
|
|
}
|
|
|
|
public function testClientSecretAddedIfSetForPasswordRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$testConfig['clientSecret'] = 'a_client_secret';
|
|
$o = new OAuth2($testConfig);
|
|
$o->setUsername('a_username');
|
|
$o->setPassword('a_password');
|
|
$request = $o->generateCredentialsRequest();
|
|
$fields = Psr7\parse_query((string)$request->getBody());
|
|
$this->assertEquals('a_client_secret', $fields['client_secret']);
|
|
}
|
|
|
|
public function testGeneratesAssertionRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$o = new OAuth2($testConfig);
|
|
$o->setSigningKey('a_key');
|
|
$o->setSigningAlgorithm('HS256');
|
|
|
|
// Generate the request and confirm that it's correct.
|
|
$req = $o->generateCredentialsRequest();
|
|
$this->assertInstanceOf('Psr\Http\Message\RequestInterface', $req);
|
|
$this->assertEquals('POST', $req->getMethod());
|
|
$fields = Psr7\parse_query((string)$req->getBody());
|
|
$this->assertEquals(OAuth2::JWT_URN, $fields['grant_type']);
|
|
$this->assertArrayHasKey('assertion', $fields);
|
|
}
|
|
|
|
public function testGeneratesExtendedRequests()
|
|
{
|
|
$testConfig = $this->tokenRequestMinimal;
|
|
$o = new OAuth2($testConfig);
|
|
$o->setGrantType('urn:my_test_grant_type');
|
|
$o->setExtensionParams(['my_param' => 'my_value']);
|
|
|
|
// Generate the request and confirm that it's correct.
|
|
$req = $o->generateCredentialsRequest();
|
|
$this->assertInstanceOf('Psr\Http\Message\RequestInterface', $req);
|
|
$this->assertEquals('POST', $req->getMethod());
|
|
$fields = Psr7\parse_query((string)$req->getBody());
|
|
$this->assertEquals('my_value', $fields['my_param']);
|
|
$this->assertEquals('urn:my_test_grant_type', $fields['grant_type']);
|
|
}
|
|
}
|
|
|
|
class OAuth2FetchAuthTokenTest extends TestCase
|
|
{
|
|
private $fetchAuthTokenMinimal = [
|
|
'tokenCredentialUri' => 'https://tokens_r_us/test',
|
|
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
|
|
'signingKey' => 'example_key',
|
|
'signingAlgorithm' => 'HS256',
|
|
'issuer' => 'app@example.com',
|
|
'audience' => 'accounts.google.com',
|
|
'clientId' => 'aClientID',
|
|
];
|
|
|
|
/**
|
|
* @expectedException GuzzleHttp\Exception\ClientException
|
|
*/
|
|
public function testFailsOn400()
|
|
{
|
|
$testConfig = $this->fetchAuthTokenMinimal;
|
|
$httpHandler = getHandler([
|
|
buildResponse(400),
|
|
]);
|
|
$o = new OAuth2($testConfig);
|
|
$o->fetchAuthToken($httpHandler);
|
|
}
|
|
|
|
/**
|
|
* @expectedException GuzzleHttp\Exception\ServerException
|
|
*/
|
|
public function testFailsOn500()
|
|
{
|
|
$testConfig = $this->fetchAuthTokenMinimal;
|
|
$httpHandler = getHandler([
|
|
buildResponse(500),
|
|
]);
|
|
$o = new OAuth2($testConfig);
|
|
$o->fetchAuthToken($httpHandler);
|
|
}
|
|
|
|
/**
|
|
* @expectedException Exception
|
|
* @expectedExceptionMessage Invalid JSON response
|
|
*/
|
|
public function testFailsOnNoContentTypeIfResponseIsNotJSON()
|
|
{
|
|
$testConfig = $this->fetchAuthTokenMinimal;
|
|
$notJson = '{"foo": , this is cannot be passed as json" "bar"}';
|
|
$httpHandler = getHandler([
|
|
buildResponse(200, [], Psr7\stream_for($notJson)),
|
|
]);
|
|
$o = new OAuth2($testConfig);
|
|
$o->fetchAuthToken($httpHandler);
|
|
}
|
|
|
|
public function testFetchesJsonResponseOnNoContentTypeOK()
|
|
{
|
|
$testConfig = $this->fetchAuthTokenMinimal;
|
|
$json = '{"foo": "bar"}';
|
|
$httpHandler = getHandler([
|
|
buildResponse(200, [], Psr7\stream_for($json)),
|
|
]);
|
|
$o = new OAuth2($testConfig);
|
|
$tokens = $o->fetchAuthToken($httpHandler);
|
|
$this->assertEquals($tokens['foo'], 'bar');
|
|
}
|
|
|
|
public function testFetchesFromFormEncodedResponseOK()
|
|
{
|
|
$testConfig = $this->fetchAuthTokenMinimal;
|
|
$json = 'foo=bar&spice=nice';
|
|
$httpHandler = getHandler([
|
|
buildResponse(
|
|
200,
|
|
['Content-Type' => 'application/x-www-form-urlencoded'],
|
|
Psr7\stream_for($json)
|
|
),
|
|
]);
|
|
$o = new OAuth2($testConfig);
|
|
$tokens = $o->fetchAuthToken($httpHandler);
|
|
$this->assertEquals($tokens['foo'], 'bar');
|
|
$this->assertEquals($tokens['spice'], 'nice');
|
|
}
|
|
|
|
public function testUpdatesTokenFieldsOnFetch()
|
|
{
|
|
$testConfig = $this->fetchAuthTokenMinimal;
|
|
$wanted_updates = [
|
|
'expires_at' => '1',
|
|
'expires_in' => '57',
|
|
'issued_at' => '2',
|
|
'access_token' => 'an_access_token',
|
|
'id_token' => 'an_id_token',
|
|
'refresh_token' => 'a_refresh_token',
|
|
];
|
|
$json = json_encode($wanted_updates);
|
|
$httpHandler = getHandler([
|
|
buildResponse(200, [], Psr7\stream_for($json)),
|
|
]);
|
|
$o = new OAuth2($testConfig);
|
|
$this->assertNull($o->getExpiresAt());
|
|
$this->assertNull($o->getExpiresIn());
|
|
$this->assertNull($o->getIssuedAt());
|
|
$this->assertNull($o->getAccessToken());
|
|
$this->assertNull($o->getIdToken());
|
|
$this->assertNull($o->getRefreshToken());
|
|
$tokens = $o->fetchAuthToken($httpHandler);
|
|
$this->assertEquals(1, $o->getExpiresAt());
|
|
$this->assertEquals(57, $o->getExpiresIn());
|
|
$this->assertEquals(2, $o->getIssuedAt());
|
|
$this->assertEquals('an_access_token', $o->getAccessToken());
|
|
$this->assertEquals('an_id_token', $o->getIdToken());
|
|
$this->assertEquals('a_refresh_token', $o->getRefreshToken());
|
|
}
|
|
|
|
public function testUpdatesTokenFieldsOnFetchMissingRefreshToken()
|
|
{
|
|
$testConfig = $this->fetchAuthTokenMinimal;
|
|
$testConfig['refresh_token'] = 'a_refresh_token';
|
|
$wanted_updates = [
|
|
'expires_at' => '1',
|
|
'expires_in' => '57',
|
|
'issued_at' => '2',
|
|
'access_token' => 'an_access_token',
|
|
'id_token' => 'an_id_token',
|
|
];
|
|
$json = json_encode($wanted_updates);
|
|
$httpHandler = getHandler([
|
|
buildResponse(200, [], Psr7\stream_for($json)),
|
|
]);
|
|
$o = new OAuth2($testConfig);
|
|
$this->assertNull($o->getExpiresAt());
|
|
$this->assertNull($o->getExpiresIn());
|
|
$this->assertNull($o->getIssuedAt());
|
|
$this->assertNull($o->getAccessToken());
|
|
$this->assertNull($o->getIdToken());
|
|
$this->assertEquals('a_refresh_token', $o->getRefreshToken());
|
|
$tokens = $o->fetchAuthToken($httpHandler);
|
|
$this->assertEquals(1, $o->getExpiresAt());
|
|
$this->assertEquals(57, $o->getExpiresIn());
|
|
$this->assertEquals(2, $o->getIssuedAt());
|
|
$this->assertEquals('an_access_token', $o->getAccessToken());
|
|
$this->assertEquals('an_id_token', $o->getIdToken());
|
|
$this->assertEquals('a_refresh_token', $o->getRefreshToken());
|
|
}
|
|
}
|
|
|
|
class OAuth2VerifyIdTokenTest extends TestCase
|
|
{
|
|
private $publicKey;
|
|
private $privateKey;
|
|
private $verifyIdTokenMinimal = [
|
|
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
|
|
'audience' => 'myaccount.on.host.issuer.com',
|
|
'issuer' => 'an.issuer.com',
|
|
'clientId' => 'myaccount.on.host.issuer.com',
|
|
];
|
|
|
|
public function setUp()
|
|
{
|
|
$this->publicKey =
|
|
file_get_contents(__DIR__ . '/fixtures' . '/public.pem');
|
|
$this->privateKey =
|
|
file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
|
|
}
|
|
|
|
/**
|
|
* @expectedException UnexpectedValueException
|
|
*/
|
|
public function testFailsIfIdTokenIsInvalid()
|
|
{
|
|
$testConfig = $this->verifyIdTokenMinimal;
|
|
$not_a_jwt = 'not a jot';
|
|
$o = new OAuth2($testConfig);
|
|
$o->setIdToken($not_a_jwt);
|
|
$o->verifyIdToken($this->publicKey);
|
|
}
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsIfAudienceIsMissing()
|
|
{
|
|
$testConfig = $this->verifyIdTokenMinimal;
|
|
$now = time();
|
|
$origIdToken = [
|
|
'issuer' => $testConfig['issuer'],
|
|
'exp' => $now + 65, // arbitrary
|
|
'iat' => $now,
|
|
];
|
|
$o = new OAuth2($testConfig);
|
|
$jwtIdToken = $this->jwtEncode($origIdToken, $this->privateKey, 'RS256');
|
|
$o->setIdToken($jwtIdToken);
|
|
$o->verifyIdToken($this->publicKey, ['RS256']);
|
|
}
|
|
|
|
/**
|
|
* @expectedException DomainException
|
|
*/
|
|
public function testFailsIfAudienceIsWrong()
|
|
{
|
|
$now = time();
|
|
$testConfig = $this->verifyIdTokenMinimal;
|
|
$origIdToken = [
|
|
'aud' => 'a different audience',
|
|
'iss' => $testConfig['issuer'],
|
|
'exp' => $now + 65, // arbitrary
|
|
'iat' => $now,
|
|
];
|
|
$o = new OAuth2($testConfig);
|
|
$jwtIdToken = $this->jwtEncode($origIdToken, $this->privateKey, 'RS256');
|
|
$o->setIdToken($jwtIdToken);
|
|
$o->verifyIdToken($this->publicKey, ['RS256']);
|
|
}
|
|
|
|
public function testShouldReturnAValidIdToken()
|
|
{
|
|
$testConfig = $this->verifyIdTokenMinimal;
|
|
$now = time();
|
|
$origIdToken = [
|
|
'aud' => $testConfig['audience'],
|
|
'iss' => $testConfig['issuer'],
|
|
'exp' => $now + 65, // arbitrary
|
|
'iat' => $now,
|
|
];
|
|
$o = new OAuth2($testConfig);
|
|
$alg = 'RS256';
|
|
$jwtIdToken = $this->jwtEncode($origIdToken, $this->privateKey, $alg);
|
|
$o->setIdToken($jwtIdToken);
|
|
$roundTrip = $o->verifyIdToken($this->publicKey, array($alg));
|
|
$this->assertEquals($origIdToken['aud'], $roundTrip->aud);
|
|
}
|
|
|
|
private function jwtEncode()
|
|
{
|
|
$args = func_get_args();
|
|
$class = 'JWT';
|
|
if (class_exists('Firebase\JWT\JWT')) {
|
|
$class = 'Firebase\JWT\JWT';
|
|
}
|
|
|
|
return call_user_func_array("$class::encode", $args);
|
|
}
|
|
}
|