Added positive test case for OIDC implementation
- To continue coverage and spec cases next.
This commit is contained in:
parent
6b182a435a
commit
f3d54e4a2d
3 changed files with 128 additions and 5 deletions
|
@ -60,15 +60,19 @@ class JwtSigningKey
|
|||
throw new InvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
|
||||
}
|
||||
|
||||
if ($jwk['use'] !== 'sig') {
|
||||
throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['sig']}");
|
||||
if (empty($jwk['use'])) {
|
||||
throw new InvalidKeyException('A "use" parameter on the provided key is expected');
|
||||
}
|
||||
|
||||
if (empty($jwk['e'] ?? '')) {
|
||||
if ($jwk['use'] !== 'sig') {
|
||||
throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['use']}");
|
||||
}
|
||||
|
||||
if (empty($jwk['e'])) {
|
||||
throw new InvalidKeyException('An "e" parameter on the provided key is expected');
|
||||
}
|
||||
|
||||
if (empty($jwk['n'] ?? '')) {
|
||||
if (empty($jwk['n'])) {
|
||||
throw new InvalidKeyException('A "n" parameter on the provided key is expected');
|
||||
}
|
||||
|
||||
|
|
|
@ -76,11 +76,12 @@ class OpenIdConnectIdToken
|
|||
* Validate all possible parts of the id token.
|
||||
* @throws InvalidTokenException
|
||||
*/
|
||||
public function validate(string $clientId)
|
||||
public function validate(string $clientId): bool
|
||||
{
|
||||
$this->validateTokenStructure();
|
||||
$this->validateTokenSignature();
|
||||
$this->validateTokenClaims($clientId);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
118
tests/Unit/OpenIdConnectIdTokenTest.php
Normal file
118
tests/Unit/OpenIdConnectIdTokenTest.php
Normal file
|
@ -0,0 +1,118 @@
|
|||
<?php
|
||||
|
||||
namespace Tests\Unit;
|
||||
|
||||
use BookStack\Auth\Access\OpenIdConnect\OpenIdConnectIdToken;
|
||||
use phpseclib3\Crypt\RSA;
|
||||
use Tests\TestCase;
|
||||
|
||||
class OpenIdConnectIdTokenTest extends TestCase
|
||||
{
|
||||
|
||||
public function test_valid_token_passes_validation()
|
||||
{
|
||||
$token = new OpenIdConnectIdToken($this->getValidToken(), 'https://auth.example.com', [
|
||||
$this->jwkKeyArray()
|
||||
]);
|
||||
|
||||
$this->assertTrue($token->validate('xxyyzz.aaa.bbccdd.123'));
|
||||
}
|
||||
|
||||
protected function getValidToken($payloadOverrides = []): string
|
||||
{
|
||||
$defaultPayload = [
|
||||
"sub" => "abc1234def",
|
||||
"name" => "Barry Scott",
|
||||
"email" => "bscott@example.com",
|
||||
"ver" => 1,
|
||||
"iss" => "https://auth.example.com",
|
||||
"aud" => "xxyyzz.aaa.bbccdd.123",
|
||||
"iat" => time(),
|
||||
"exp" => time() + 720,
|
||||
"jti" => "ID.AaaBBBbbCCCcccDDddddddEEEeeeeee",
|
||||
"amr" => ["pwd"],
|
||||
"idp" => "fghfghgfh546456dfgdfg",
|
||||
"preferred_username" => "xXBazzaXx",
|
||||
"auth_time" => time(),
|
||||
"at_hash" => "sT4jbsdSGy9w12pq3iNYDA",
|
||||
];
|
||||
|
||||
$payload = array_merge($defaultPayload, $payloadOverrides);
|
||||
$header = [
|
||||
'kid' => 'xyz456',
|
||||
'alg' => 'RS256',
|
||||
];
|
||||
|
||||
$top = implode('.', [
|
||||
$this->base64UrlEncode(json_encode($header)),
|
||||
$this->base64UrlEncode(json_encode($payload)),
|
||||
]);
|
||||
|
||||
$privateKey = RSA::loadPrivateKey($this->privatePemKey())->withPadding(RSA::SIGNATURE_PKCS1);
|
||||
$signature = $privateKey->sign($top);
|
||||
|
||||
return $top . '.' . $this->base64UrlEncode($signature);
|
||||
}
|
||||
|
||||
protected function base64UrlEncode(string $decoded): string
|
||||
{
|
||||
return strtr(base64_encode($decoded), '+/', '-_');
|
||||
}
|
||||
|
||||
protected function pemKey(): string
|
||||
{
|
||||
return "-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqo1OmfNKec5S2zQC4SP9
|
||||
DrHuUR0VgCi6oqcGERz7zqO36hqk3A3R3aCgJkEjfnbnMuszRRKs45NbXoOp9pvm
|
||||
zXL16c93Obn7G8x8A3ao6yN5qKO5S5+CETqOZfKN/g75Xlz7VsC3igOhgsXnPx6i
|
||||
iM6sbYbk0U/XpFaT84LXKI8VTIPUo7gTeZN1pTET//i9FlzAOzX+xfWBKdOqlEzl
|
||||
+zihMHCZUUvQu99P+o0MDR0lMUT+vPJ6SJeRfnoHexwt6bZFiNnsZIEL03bX4QNk
|
||||
WvsLta1+jNUee+8IPVhzCO8bvM86NzLaKUJ4k6NZ5IVrmdCFpFsjCWByOrDG8wdw
|
||||
3wIDAQAB
|
||||
-----END PUBLIC KEY-----";
|
||||
}
|
||||
|
||||
protected function privatePemKey(): string
|
||||
{
|
||||
return "-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqjU6Z80p5zlLb
|
||||
NALhI/0Ose5RHRWAKLqipwYRHPvOo7fqGqTcDdHdoKAmQSN+ducy6zNFEqzjk1te
|
||||
g6n2m+bNcvXpz3c5ufsbzHwDdqjrI3moo7lLn4IROo5l8o3+DvleXPtWwLeKA6GC
|
||||
xec/HqKIzqxthuTRT9ekVpPzgtcojxVMg9SjuBN5k3WlMRP/+L0WXMA7Nf7F9YEp
|
||||
06qUTOX7OKEwcJlRS9C730/6jQwNHSUxRP688npIl5F+egd7HC3ptkWI2exkgQvT
|
||||
dtfhA2Ra+wu1rX6M1R577wg9WHMI7xu8zzo3MtopQniTo1nkhWuZ0IWkWyMJYHI6
|
||||
sMbzB3DfAgMBAAECggEADm7K2ghWoxwsstQh8j+DaLzx9/dIHIJV2PHdd5FGVeRQ
|
||||
6gS7MswQmHrBUrtsb4VMZ2iz/AJqkw+jScpGldH3pCc4XELsSfxNHbseO4TNIqjr
|
||||
4LOKOLYU4bRc3I+8KGXIAI5JzrucTJemEVUCDrte8cjbmqExt+zTyNpyxsapworF
|
||||
v+vnSdv40d62f+cS1xvwB+ymLK/B/wZ/DemDCi8jsi7ou/M7l5xNCzjH4iMSLtOW
|
||||
fgEhejIBG9miMJWPiVpTXE3tMdNuN3OsWc4XXm2t4VRovlZdu30Fax1xWB+Locsv
|
||||
HlHKLOFc8g+jZh0TL2KCNjPffMcC7kHhW3afshpIsQKBgQDhyWUnkqd6FzbwIX70
|
||||
SnaMgKoUv5W/K5T+Sv/PA2CyN8Gu8ih/OsoNZSnI0uqe3XQIvvgN/Fq3wO1ttLzf
|
||||
z5B6ZC7REfTgcR0190gihk6f5rtcj7d6Fy/oG2CE8sDSXgPnpEaBjvJVgN5v/U2s
|
||||
HpVaidmHTyGLCfEszoeoy8jyrQKBgQDBX8caGylmzQLc6XNntZChlt3e18Nj8MPA
|
||||
DxWLcoqgdDoofLDQAmLl+vPKyDmhQjos5eas1jgmVVEM4ge+MysaVezvuLBsSnOh
|
||||
ihc0i63USU6i7YDE83DrCewCthpFHi/wW1S5FoCAzpVy8y99vwcqO4kOXcmf4O6Y
|
||||
uW6sMsjvOwKBgQDbFtqB+MtsLCSSBF61W6AHHD5tna4H75lG2623yXZF2NanFLF5
|
||||
K6muL9DI3ujtOMQETJJUt9+rWJjLEEsJ/dYa/SV0l7D/LKOEnyuu3JZkkLaTzZzi
|
||||
6qcA2bfhqdCzEKlHV99WjkfV8hNlpex9rLuOPB8JLh7FVONicBGxF/UojQKBgDXs
|
||||
IlYaSuI6utilVKQP0kPtEPOKERc2VS+iRSy8hQGXR3xwwNFQSQm+f+sFCGT6VcSd
|
||||
W0TI+6Fc2xwPj38vP465dTentbKM1E+wdSYW6SMwSfhO6ECDbfJsst5Sr2Kkt1N7
|
||||
9FUkfDLu6GfEfnK/KR1SurZB2u51R7NYyg7EnplvAoGAT0aTtOcck0oYN30g5mdf
|
||||
efqXPwg2wAPYeiec49EbfnteQQKAkqNfJ9K69yE2naf6bw3/5mCBsq/cXeuaBMII
|
||||
ylysUIRBqt2J0kWm2yCpFWR7H+Ilhdx9A7ZLCqYVt8e+vjO/BOI3cQDe2VPOLPSl
|
||||
q/1PY4iJviGKddtmfClH3v4=
|
||||
-----END PRIVATE KEY-----";
|
||||
}
|
||||
|
||||
protected function jwkKeyArray(): array
|
||||
{
|
||||
return [
|
||||
'kty' => 'RSA',
|
||||
'alg' => 'RS256',
|
||||
'kid' => '066e52af-8884-4926-801d-032a276f9f2a',
|
||||
'use' => 'sig',
|
||||
'e' => 'AQAB',
|
||||
'n' => 'qo1OmfNKec5S2zQC4SP9DrHuUR0VgCi6oqcGERz7zqO36hqk3A3R3aCgJkEjfnbnMuszRRKs45NbXoOp9pvmzXL16c93Obn7G8x8A3ao6yN5qKO5S5-CETqOZfKN_g75Xlz7VsC3igOhgsXnPx6iiM6sbYbk0U_XpFaT84LXKI8VTIPUo7gTeZN1pTET__i9FlzAOzX-xfWBKdOqlEzl-zihMHCZUUvQu99P-o0MDR0lMUT-vPJ6SJeRfnoHexwt6bZFiNnsZIEL03bX4QNkWvsLta1-jNUee-8IPVhzCO8bvM86NzLaKUJ4k6NZ5IVrmdCFpFsjCWByOrDG8wdw3w',
|
||||
];
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue