X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/f910738a80f918e1fdcf9f1ae4e63bce4287bd83..refs/pull/4467/head:/tests/Auth/OidcTest.php diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php index 0b033ea81..191a25f88 100644 --- a/tests/Auth/OidcTest.php +++ b/tests/Auth/OidcTest.php @@ -2,18 +2,20 @@ namespace Tests\Auth; -use BookStack\Actions\ActivityType; -use BookStack\Auth\User; +use BookStack\Activity\ActivityType; +use BookStack\Facades\Theme; +use BookStack\Theming\ThemeEvents; +use BookStack\Users\Models\Role; +use BookStack\Users\Models\User; use GuzzleHttp\Psr7\Request; use GuzzleHttp\Psr7\Response; -use Illuminate\Filesystem\Cache; +use Illuminate\Testing\TestResponse; use Tests\Helpers\OidcJwtHelper; use Tests\TestCase; -use Tests\TestResponse; class OidcTest extends TestCase { - protected $keyFilePath; + protected string $keyFilePath; protected $keyFile; protected function setUp(): void @@ -38,6 +40,11 @@ class OidcTest extends TestCase 'oidc.token_endpoint' => 'https://oidc.local/token', 'oidc.discover' => false, 'oidc.dump_user_details' => false, + 'oidc.additional_scopes' => '', + 'oidc.user_to_groups' => false, + 'oidc.groups_claim' => 'group', + 'oidc.remove_from_groups' => false, + 'oidc.external_id_claim' => 'sub', ]); } @@ -53,7 +60,7 @@ class OidcTest extends TestCase { $req = $this->get('/login'); $req->assertSeeText('SingleSignOn-Testing'); - $req->assertElementExists('form[action$="/oidc/login"][method=POST] button'); + $this->withHtml($req)->assertElementExists('form[action$="/oidc/login"][method=POST] button'); } public function test_oidc_routes_are_only_active_if_oidc_enabled() @@ -89,7 +96,7 @@ class OidcTest extends TestCase public function test_logout_route_functions() { - $this->actingAs($this->getEditor()); + $this->actingAs($this->users->editor()); $this->post('/logout'); $this->assertFalse(auth()->check()); } @@ -160,6 +167,17 @@ class OidcTest extends TestCase $this->assertActivityExists(ActivityType::AUTH_LOGIN, null, "oidc; ({$user->id}) Barry Scott"); } + public function test_login_uses_custom_additional_scopes_if_defined() + { + config()->set([ + 'oidc.additional_scopes' => 'groups, badgers', + ]); + + $redirect = $this->post('/oidc/login')->headers->get('location'); + + $this->assertStringContainsString('scope=openid%20profile%20email%20groups%20badgers', $redirect); + } + public function test_callback_fails_if_no_state_present_or_matching() { $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=abc124'); @@ -213,7 +231,7 @@ class OidcTest extends TestCase public function test_auth_login_as_existing_user() { - $editor = $this->getEditor(); + $editor = $this->users->editor(); $editor->external_auth_id = 'benny505'; $editor->save(); @@ -230,28 +248,30 @@ class OidcTest extends TestCase public function test_auth_login_as_existing_user_email_with_different_auth_id_fails() { - $editor = $this->getEditor(); + $editor = $this->users->editor(); $editor->external_auth_id = 'editor101'; $editor->save(); $this->assertFalse(auth()->check()); - $this->runLogin([ + $resp = $this->runLogin([ 'email' => $editor->email, 'sub' => 'benny505', ]); + $resp = $this->followRedirects($resp); - $this->assertSessionError('A user with the email ' . $editor->email . ' already exists but with different credentials.'); + $resp->assertSeeText('A user with the email ' . $editor->email . ' already exists but with different credentials.'); $this->assertFalse(auth()->check()); } public function test_auth_login_with_invalid_token_fails() { - $this->runLogin([ + $resp = $this->runLogin([ 'sub' => null, ]); + $resp = $this->followRedirects($resp); - $this->assertSessionError('ID token validate failed with error: Missing token subject value'); + $resp->assertSeeText('ID token validate failed with error: Missing token subject value'); $this->assertFalse(auth()->check()); } @@ -287,9 +307,9 @@ class OidcTest extends TestCase new Response(404, [], 'Not found'), ]); - $this->runLogin(); + $resp = $this->followRedirects($this->runLogin()); $this->assertFalse(auth()->check()); - $this->assertSessionError('Login using SingleSignOn-Testing failed, system did not provide successful authorization'); + $resp->assertSeeText('Login using SingleSignOn-Testing failed, system did not provide successful authorization'); } public function test_autodiscovery_calls_are_cached() @@ -318,6 +338,187 @@ class OidcTest extends TestCase $this->assertCount(4, $transactions); } + public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_alg_property() + { + $this->withAutodiscovery(); + + $keyArray = OidcJwtHelper::publicJwkKeyArray(); + unset($keyArray['alg']); + + $this->mockHttpClient([ + $this->getAutoDiscoveryResponse(), + new Response(200, [ + 'Content-Type' => 'application/json', + 'Cache-Control' => 'no-cache, no-store', + 'Pragma' => 'no-cache', + ], json_encode([ + 'keys' => [ + $keyArray, + ], + ])), + ]); + + $this->assertFalse(auth()->check()); + $this->runLogin(); + $this->assertTrue(auth()->check()); + } + + public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_use_property() + { + // Based on reading the OIDC discovery spec: + // > This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also + // > contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When + // > both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all + // > keys in the referenced JWK Set to indicate each key's intended usage. + // We can assume that keys without use are intended for signing. + $this->withAutodiscovery(); + + $keyArray = OidcJwtHelper::publicJwkKeyArray(); + unset($keyArray['use']); + + $this->mockHttpClient([ + $this->getAutoDiscoveryResponse(), + new Response(200, [ + 'Content-Type' => 'application/json', + 'Cache-Control' => 'no-cache, no-store', + 'Pragma' => 'no-cache', + ], json_encode([ + 'keys' => [ + $keyArray, + ], + ])), + ]); + + $this->assertFalse(auth()->check()); + $this->runLogin(); + $this->assertTrue(auth()->check()); + } + + public function test_auth_uses_configured_external_id_claim_option() + { + config()->set([ + 'oidc.external_id_claim' => 'super_awesome_id', + ]); + + $resp = $this->runLogin([ + 'email' => 'benny@example.com', + 'sub' => 'benny1010101', + 'super_awesome_id' => 'xXBennyTheGeezXx', + ]); + $resp->assertRedirect('/'); + + /** @var User $user */ + $user = User::query()->where('email', '=', 'benny@example.com')->first(); + $this->assertEquals('xXBennyTheGeezXx', $user->external_auth_id); + } + + public function test_login_group_sync() + { + config()->set([ + 'oidc.user_to_groups' => true, + 'oidc.groups_claim' => 'groups', + 'oidc.remove_from_groups' => false, + ]); + $roleA = Role::factory()->create(['display_name' => 'Wizards']); + $roleB = Role::factory()->create(['display_name' => 'ZooFolks', 'external_auth_id' => 'zookeepers']); + $roleC = Role::factory()->create(['display_name' => 'Another Role']); + + $resp = $this->runLogin([ + 'email' => 'benny@example.com', + 'sub' => 'benny1010101', + 'groups' => ['Wizards', 'Zookeepers'], + ]); + $resp->assertRedirect('/'); + + /** @var User $user */ + $user = User::query()->where('email', '=', 'benny@example.com')->first(); + + $this->assertTrue($user->hasRole($roleA->id)); + $this->assertTrue($user->hasRole($roleB->id)); + $this->assertFalse($user->hasRole($roleC->id)); + } + + public function test_login_group_sync_with_nested_groups_in_token() + { + config()->set([ + 'oidc.user_to_groups' => true, + 'oidc.groups_claim' => 'my.custom.groups.attr', + 'oidc.remove_from_groups' => false, + ]); + $roleA = Role::factory()->create(['display_name' => 'Wizards']); + + $resp = $this->runLogin([ + 'email' => 'benny@example.com', + 'sub' => 'benny1010101', + 'my' => [ + 'custom' => [ + 'groups' => [ + 'attr' => ['Wizards'], + ], + ], + ], + ]); + $resp->assertRedirect('/'); + + /** @var User $user */ + $user = User::query()->where('email', '=', 'benny@example.com')->first(); + $this->assertTrue($user->hasRole($roleA->id)); + } + + public function test_oidc_id_token_pre_validate_theme_event_without_return() + { + $args = []; + $callback = function (...$eventArgs) use (&$args) { + $args = $eventArgs; + }; + Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, $callback); + + $resp = $this->runLogin([ + 'email' => 'benny@example.com', + 'sub' => 'benny1010101', + 'name' => 'Benny', + ]); + $resp->assertRedirect('/'); + + $this->assertDatabaseHas('users', [ + 'external_auth_id' => 'benny1010101', + ]); + + $this->assertArrayHasKey('iss', $args[0]); + $this->assertArrayHasKey('sub', $args[0]); + $this->assertEquals('Benny', $args[0]['name']); + $this->assertEquals('benny1010101', $args[0]['sub']); + + $this->assertArrayHasKey('access_token', $args[1]); + $this->assertArrayHasKey('expires_in', $args[1]); + $this->assertArrayHasKey('refresh_token', $args[1]); + } + + public function test_oidc_id_token_pre_validate_theme_event_with_return() + { + $callback = function (...$eventArgs) { + return array_merge($eventArgs[0], [ + 'email' => 'lenny@example.com', + 'sub' => 'lenny1010101', + 'name' => 'Lenny', + ]); + }; + Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, $callback); + + $resp = $this->runLogin([ + 'email' => 'benny@example.com', + 'sub' => 'benny1010101', + 'name' => 'Benny', + ]); + $resp->assertRedirect('/'); + + $this->assertDatabaseHas('users', [ + 'email' => 'lenny@example.com', + 'external_auth_id' => 'lenny1010101', + 'name' => 'Lenny', + ]); + } + protected function withAutodiscovery() { config()->set([