Added positive test case for OIDC implementation

ssddanbrown · ssddanbrown · commit f3d54e4a2dd0 · 2021-10-12T00:01:51.000+01:00
- To continue coverage and spec cases next.
diff --git a/app/Auth/Access/OpenIdConnect/JwtSigningKey.php b/app/Auth/Access/OpenIdConnect/JwtSigningKey.php
@@ -60,15 +60,19 @@ protected function loadFromJwkArray(array $jwk)
             throw new InvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
         }
 
+        if (empty($jwk['use'])) {
+            throw new InvalidKeyException('A "use" parameter on the provided key is expected');
+        }
+
         if ($jwk['use'] !== 'sig') {
-            throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['sig']}");
+            throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['use']}");
         }
 
-        if (empty($jwk['e'] ?? '')) {
+        if (empty($jwk['e'])) {
             throw new InvalidKeyException('An "e" parameter on the provided key is expected');
         }
 
-        if (empty($jwk['n'] ?? '')) {
+        if (empty($jwk['n'])) {
             throw new InvalidKeyException('A "n" parameter on the provided key is expected');
         }
 
diff --git a/app/Auth/Access/OpenIdConnect/OpenIdConnectIdToken.php b/app/Auth/Access/OpenIdConnect/OpenIdConnectIdToken.php
@@ -76,11 +76,12 @@ protected function base64UrlDecode(string $encoded): string
      * Validate all possible parts of the id token.
      * @throws InvalidTokenException
      */
-    public function validate(string $clientId)
+    public function validate(string $clientId): bool
     {
         $this->validateTokenStructure();
         $this->validateTokenSignature();
         $this->validateTokenClaims($clientId);
+        return true;
     }
 
     /**
diff --git a/tests/Unit/OpenIdConnectIdTokenTest.php b/tests/Unit/OpenIdConnectIdTokenTest.php
@@ -0,0 +1,118 @@
+<?php
+
+namespace Tests\Unit;
+
+use BookStack\Auth\Access\OpenIdConnect\OpenIdConnectIdToken;
+use phpseclib3\Crypt\RSA;
+use Tests\TestCase;
+
+class OpenIdConnectIdTokenTest extends TestCase
+{
+
+    public function test_valid_token_passes_validation()
+    {
+        $token = new OpenIdConnectIdToken($this->getValidToken(), 'https://auth.example.com', [
+            $this->jwkKeyArray()
+        ]);
+
+        $this->assertTrue($token->validate('xxyyzz.aaa.bbccdd.123'));
+    }
+
+    protected function getValidToken($payloadOverrides = []): string
+    {
+        $defaultPayload = [
+            "sub" => "abc1234def",
+            "name" => "Barry Scott",
+            "email" => "bscott@example.com",
+            "ver" => 1,
+            "iss" => "https://auth.example.com",
+            "aud" => "xxyyzz.aaa.bbccdd.123",
+            "iat" => time(),
+            "exp" => time() + 720,
+            "jti" => "ID.AaaBBBbbCCCcccDDddddddEEEeeeeee",
+            "amr" => ["pwd"],
+            "idp" => "fghfghgfh546456dfgdfg",
+            "preferred_username" => "xXBazzaXx",
+            "auth_time" => time(),
+            "at_hash" => "sT4jbsdSGy9w12pq3iNYDA",
+        ];
+
+        $payload = array_merge($defaultPayload, $payloadOverrides);
+        $header = [
+            'kid' => 'xyz456',
+            'alg' => 'RS256',
+        ];
+
+        $top = implode('.', [
+            $this->base64UrlEncode(json_encode($header)),
+            $this->base64UrlEncode(json_encode($payload)),
+        ]);
+
+        $privateKey = RSA::loadPrivateKey($this->privatePemKey())->withPadding(RSA::SIGNATURE_PKCS1);
+        $signature = $privateKey->sign($top);
+
+        return $top . '.' . $this->base64UrlEncode($signature);
+    }
+
+    protected function base64UrlEncode(string $decoded): string
+    {
+        return strtr(base64_encode($decoded), '+/', '-_');
+    }
+
+    protected function pemKey(): string
+    {
+        return "-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqo1OmfNKec5S2zQC4SP9
+DrHuUR0VgCi6oqcGERz7zqO36hqk3A3R3aCgJkEjfnbnMuszRRKs45NbXoOp9pvm
+zXL16c93Obn7G8x8A3ao6yN5qKO5S5+CETqOZfKN/g75Xlz7VsC3igOhgsXnPx6i
+iM6sbYbk0U/XpFaT84LXKI8VTIPUo7gTeZN1pTET//i9FlzAOzX+xfWBKdOqlEzl
++zihMHCZUUvQu99P+o0MDR0lMUT+vPJ6SJeRfnoHexwt6bZFiNnsZIEL03bX4QNk
+WvsLta1+jNUee+8IPVhzCO8bvM86NzLaKUJ4k6NZ5IVrmdCFpFsjCWByOrDG8wdw
+3wIDAQAB
+-----END PUBLIC KEY-----";
+    }
+
+    protected function privatePemKey(): string
+    {
+        return "-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqjU6Z80p5zlLb
+NALhI/0Ose5RHRWAKLqipwYRHPvOo7fqGqTcDdHdoKAmQSN+ducy6zNFEqzjk1te
+g6n2m+bNcvXpz3c5ufsbzHwDdqjrI3moo7lLn4IROo5l8o3+DvleXPtWwLeKA6GC
+xec/HqKIzqxthuTRT9ekVpPzgtcojxVMg9SjuBN5k3WlMRP/+L0WXMA7Nf7F9YEp
+06qUTOX7OKEwcJlRS9C730/6jQwNHSUxRP688npIl5F+egd7HC3ptkWI2exkgQvT
+dtfhA2Ra+wu1rX6M1R577wg9WHMI7xu8zzo3MtopQniTo1nkhWuZ0IWkWyMJYHI6
+sMbzB3DfAgMBAAECggEADm7K2ghWoxwsstQh8j+DaLzx9/dIHIJV2PHdd5FGVeRQ
+6gS7MswQmHrBUrtsb4VMZ2iz/AJqkw+jScpGldH3pCc4XELsSfxNHbseO4TNIqjr
+4LOKOLYU4bRc3I+8KGXIAI5JzrucTJemEVUCDrte8cjbmqExt+zTyNpyxsapworF
+v+vnSdv40d62f+cS1xvwB+ymLK/B/wZ/DemDCi8jsi7ou/M7l5xNCzjH4iMSLtOW
+fgEhejIBG9miMJWPiVpTXE3tMdNuN3OsWc4XXm2t4VRovlZdu30Fax1xWB+Locsv
+HlHKLOFc8g+jZh0TL2KCNjPffMcC7kHhW3afshpIsQKBgQDhyWUnkqd6FzbwIX70
+SnaMgKoUv5W/K5T+Sv/PA2CyN8Gu8ih/OsoNZSnI0uqe3XQIvvgN/Fq3wO1ttLzf
+z5B6ZC7REfTgcR0190gihk6f5rtcj7d6Fy/oG2CE8sDSXgPnpEaBjvJVgN5v/U2s
+HpVaidmHTyGLCfEszoeoy8jyrQKBgQDBX8caGylmzQLc6XNntZChlt3e18Nj8MPA
+DxWLcoqgdDoofLDQAmLl+vPKyDmhQjos5eas1jgmVVEM4ge+MysaVezvuLBsSnOh
+ihc0i63USU6i7YDE83DrCewCthpFHi/wW1S5FoCAzpVy8y99vwcqO4kOXcmf4O6Y
+uW6sMsjvOwKBgQDbFtqB+MtsLCSSBF61W6AHHD5tna4H75lG2623yXZF2NanFLF5
+K6muL9DI3ujtOMQETJJUt9+rWJjLEEsJ/dYa/SV0l7D/LKOEnyuu3JZkkLaTzZzi
+6qcA2bfhqdCzEKlHV99WjkfV8hNlpex9rLuOPB8JLh7FVONicBGxF/UojQKBgDXs
+IlYaSuI6utilVKQP0kPtEPOKERc2VS+iRSy8hQGXR3xwwNFQSQm+f+sFCGT6VcSd
+W0TI+6Fc2xwPj38vP465dTentbKM1E+wdSYW6SMwSfhO6ECDbfJsst5Sr2Kkt1N7
+9FUkfDLu6GfEfnK/KR1SurZB2u51R7NYyg7EnplvAoGAT0aTtOcck0oYN30g5mdf
+efqXPwg2wAPYeiec49EbfnteQQKAkqNfJ9K69yE2naf6bw3/5mCBsq/cXeuaBMII
+ylysUIRBqt2J0kWm2yCpFWR7H+Ilhdx9A7ZLCqYVt8e+vjO/BOI3cQDe2VPOLPSl
+q/1PY4iJviGKddtmfClH3v4=
+-----END PRIVATE KEY-----";
+    }
+
+    protected function jwkKeyArray(): array
+    {
+        return [
+            'kty' => 'RSA',
+            'alg' => 'RS256',
+            'kid' => '066e52af-8884-4926-801d-032a276f9f2a',
+            'use' => 'sig',
+            'e' => 'AQAB',
+            'n' => 'qo1OmfNKec5S2zQC4SP9DrHuUR0VgCi6oqcGERz7zqO36hqk3A3R3aCgJkEjfnbnMuszRRKs45NbXoOp9pvmzXL16c93Obn7G8x8A3ao6yN5qKO5S5-CETqOZfKN_g75Xlz7VsC3igOhgsXnPx6iiM6sbYbk0U_XpFaT84LXKI8VTIPUo7gTeZN1pTET__i9FlzAOzX-xfWBKdOqlEzl-zihMHCZUUvQu99P-o0MDR0lMUT-vPJ6SJeRfnoHexwt6bZFiNnsZIEL03bX4QNkWvsLta1-jNUee-8IPVhzCO8bvM86NzLaKUJ4k6NZ5IVrmdCFpFsjCWByOrDG8wdw3w',
+        ];
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -60,15 +60,19 @@ protected function loadFromJwkArray(array $jwk)`
`60`	`60`	`throw new InvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");`
`61`	`61`	`}`
`62`	`62`
	`63`	`+ if (empty($jwk['use'])) {`
	`64`	`+ throw new InvalidKeyException('A "use" parameter on the provided key is expected');`
	`65`	`+ }`
	`66`	`+`
`63`	`67`	`if ($jwk['use'] !== 'sig') {`
`64`		`- throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['sig']}");`
	`68`	`+ throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['use']}");`
`65`	`69`	`}`
`66`	`70`
`67`		`- if (empty($jwk['e'] ?? '')) {`
	`71`	`+ if (empty($jwk['e'])) {`
`68`	`72`	`throw new InvalidKeyException('An "e" parameter on the provided key is expected');`
`69`	`73`	`}`
`70`	`74`
`71`		`- if (empty($jwk['n'] ?? '')) {`
	`75`	`+ if (empty($jwk['n'])) {`
`72`	`76`	`throw new InvalidKeyException('A "n" parameter on the provided key is expected');`
`73`	`77`	`}`
`74`	`78`
Original file line number	Diff line number	Diff line change
`@@ -76,11 +76,12 @@ protected function base64UrlDecode(string $encoded): string`
`76`	`76`	`* Validate all possible parts of the id token.`
`77`	`77`	`* @throws InvalidTokenException`
`78`	`78`	`*/`
`79`		`- public function validate(string $clientId)`
	`79`	`+ public function validate(string $clientId): bool`
`80`	`80`	`{`
`81`	`81`	`$this->validateTokenStructure();`
`82`	`82`	`$this->validateTokenSignature();`
`83`	`83`	`$this->validateTokenClaims($clientId);`
	`84`	`+ return true;`
`84`	`85`	`}`
`85`	`86`
`86`	`87`	`/**`