$user->roles()->syncWithoutDetaching($groupsAsRoles);
}
}
-}
\ No newline at end of file
+}
}
$userGroups = $this->groupFilter($user);
+
return $this->getGroupsRecursive($userGroups, []);
}
* Constructs an access token.
*
* @param array $options An array of options returned by the service provider
- * in the access token request. The `access_token` option is required.
+ * in the access token request. The `access_token` option is required.
+ *
* @throws InvalidArgumentException if `access_token` is not provided in `$options`.
*/
public function __construct(array $options = [])
$this->validate($options);
}
-
/**
* Validate this access token response for OIDC.
* As per https://openid.net/specs/openid-connect-basic-1_0.html#TokenOK.
{
return $this->getValues()['id_token'];
}
-
-}
\ No newline at end of file
+}
{
$json = $this->base64UrlDecode($part) ?: '{}';
$decoded = json_decode($json, true);
+
return is_array($decoded) ? $decoded : [];
}
/**
* Validate all possible parts of the id token.
+ *
* @throws OidcInvalidTokenException
*/
public function validate(string $clientId): bool
$this->validateTokenStructure();
$this->validateTokenSignature();
$this->validateTokenClaims($clientId);
+
return true;
}
/**
* Fetch a specific claim from this token.
* Returns null if it is null or does not exist.
+ *
* @return mixed|null
*/
public function getClaim(string $claim)
/**
* Validate the structure of the given token and ensure we have the required pieces.
- * As per https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
+ * As per https://datatracker.ietf.org/doc/html/rfc7519#section-7.2.
+ *
* @throws OidcInvalidTokenException
*/
protected function validateTokenStructure(): void
}
if (empty($this->signature) || !is_string($this->signature)) {
- throw new OidcInvalidTokenException("Could not parse out a valid signature within the provided token");
+ throw new OidcInvalidTokenException('Could not parse out a valid signature within the provided token');
}
}
/**
* Validate the signature of the given token and ensure it validates against the provided key.
+ *
* @throws OidcInvalidTokenException
*/
protected function validateTokenSignature(): void
throw new OidcInvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
}
- $parsedKeys = array_map(function($key) {
+ $parsedKeys = array_map(function ($key) {
try {
return new OidcJwtSigningKey($key);
} catch (OidcInvalidKeyException $e) {
/**
* Validate the claims of the token.
- * As per https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
+ * As per https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation.
+ *
* @throws OidcInvalidTokenException
*/
protected function validateTokenClaims(string $clientId): void
throw new OidcInvalidTokenException('Missing token subject value');
}
}
-
-}
\ No newline at end of file
+}
class OidcInvalidKeyException extends \Exception
{
-
-}
\ No newline at end of file
+}
class OidcInvalidTokenException extends Exception
{
-
-}
\ No newline at end of file
+}
class OidcIssuerDiscoveryException extends \Exception
{
-
-}
\ No newline at end of file
+}
* Can be created either from a JWK parameter array or local file path to load a certificate from.
* Examples:
* 'file:///var/www/cert.pem'
- * ['kty' => 'RSA', 'alg' => 'RS256', 'n' => 'abc123...']
+ * ['kty' => 'RSA', 'alg' => 'RS256', 'n' => 'abc123...'].
+ *
* @param array|string $jwkOrKeyPath
+ *
* @throws OidcInvalidKeyException
*/
public function __construct($jwkOrKeyPath)
{
if (is_array($jwkOrKeyPath)) {
$this->loadFromJwkArray($jwkOrKeyPath);
- } else if (is_string($jwkOrKeyPath) && strpos($jwkOrKeyPath, 'file://') === 0) {
+ } elseif (is_string($jwkOrKeyPath) && strpos($jwkOrKeyPath, 'file://') === 0) {
$this->loadFromPath($jwkOrKeyPath);
} else {
throw new OidcInvalidKeyException('Unexpected type of key value provided');
}
if (!($this->key instanceof RSA)) {
- throw new OidcInvalidKeyException("Key loaded from file path is not an RSA key as expected");
+ throw new OidcInvalidKeyException('Key loaded from file path is not an RSA key as expected');
}
}
{
return $this->key->toString('PKCS8');
}
-
-}
\ No newline at end of file
+}
*/
protected $tokenEndpoint;
-
/**
* Returns the base URL for authorizing a client.
*/
return ['openid', 'profile', 'email'];
}
-
/**
* Returns the string that should be used to separate scopes when building
* the URL for requesting an access token.
* Checks a provider response for errors.
*
* @param ResponseInterface $response
- * @param array|string $data Parsed response data
- * @return void
+ * @param array|string $data Parsed response data
+ *
* @throws IdentityProviderException
+ *
+ * @return void
*/
protected function checkResponse(ResponseInterface $response, $data)
{
* Generates a resource owner object from a successful resource owner
* details request.
*
- * @param array $response
+ * @param array $response
* @param AccessToken $token
+ *
* @return ResourceOwnerInterface
*/
protected function createResourceOwner(array $response, AccessToken $token)
* The grant that was used to fetch the response can be used to provide
* additional context.
*
- * @param array $response
+ * @param array $response
* @param AbstractGrant $grant
+ *
* @return OidcAccessToken
*/
protected function createAccessToken(array $response, AbstractGrant $grant)
{
return new OidcAccessToken($response);
}
-
-
-}
\ No newline at end of file
+}
/**
* Validate any core, required properties have been set.
+ *
* @throws InvalidArgumentException
*/
protected function validateInitial()
}
if (strpos($this->issuer, 'https://') !== 0) {
- throw new InvalidArgumentException("Issuer value must start with https://");
+ throw new InvalidArgumentException('Issuer value must start with https://');
}
}
/**
* Perform a full validation on these settings.
+ *
* @throws InvalidArgumentException
*/
public function validate(): void
/**
* Discover and autoload settings from the configured issuer.
+ *
* @throws OidcIssuerDiscoveryException
*/
public function discoverFromIssuer(ClientInterface $httpClient, Repository $cache, int $cacheMinutes)
{
try {
$cacheKey = 'oidc-discovery::' . $this->issuer;
- $discoveredSettings = $cache->remember($cacheKey, $cacheMinutes * 60, function() use ($httpClient) {
+ $discoveredSettings = $cache->remember($cacheKey, $cacheMinutes * 60, function () use ($httpClient) {
return $this->loadSettingsFromIssuerDiscovery($httpClient);
});
$this->applySettingsFromArray($discoveredSettings);
}
if ($result['issuer'] !== $this->issuer) {
- throw new OidcIssuerDiscoveryException("Unexpected issuer value found on discovery response");
+ throw new OidcIssuerDiscoveryException('Unexpected issuer value found on discovery response');
}
$discoveredSettings = [];
*/
protected function filterKeys(array $keys): array
{
- return array_filter($keys, function(array $key) {
+ return array_filter($keys, function (array $key) {
return $key['kty'] === 'RSA' && $key['use'] === 'sig' && $key['alg'] === 'RS256';
});
}
/**
* Return an array of jwks as PHP key=>value arrays.
+ *
* @throws ClientExceptionInterface
* @throws OidcIssuerDiscoveryException
*/
$result = json_decode($response->getBody()->getContents(), true);
if (empty($result) || !is_array($result) || !isset($result['keys'])) {
- throw new OidcIssuerDiscoveryException("Error reading keys from issuer jwks_uri");
+ throw new OidcIssuerDiscoveryException('Error reading keys from issuer jwks_uri');
}
return $result['keys'];
foreach ($settingKeys as $setting) {
$settings[$setting] = $this->$setting;
}
+
return $settings;
}
-}
\ No newline at end of file
+}
-<?php namespace BookStack\Auth\Access\Oidc;
+<?php
+namespace BookStack\Auth\Access\Oidc;
+
+use function auth;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\RegistrationService;
use BookStack\Auth\User;
use BookStack\Exceptions\OpenIdConnectException;
use BookStack\Exceptions\StoppedAuthenticationException;
use BookStack\Exceptions\UserRegistrationException;
+use function config;
use Exception;
use Illuminate\Support\Facades\Cache;
use League\OAuth2\Client\OptionProvider\HttpBasicAuthOptionProvider;
use Psr\Http\Client\ClientExceptionInterface;
use Psr\Http\Client\ClientInterface as HttpClient;
-use function auth;
-use function config;
use function trans;
use function url;
/**
* Initiate an authorization flow.
+ *
* @return array{url: string, state: string}
*/
public function login(): array
{
$settings = $this->getProviderSettings();
$provider = $this->getProvider($settings);
+
return [
- 'url' => $provider->getAuthorizationUrl(),
+ 'url' => $provider->getAuthorizationUrl(),
'state' => $provider->getState(),
];
}
* return the matching, or new if registration active, user matched to
* the authorization server.
* Returns null if not authenticated.
+ *
* @throws Exception
* @throws ClientExceptionInterface
*/
{
$config = $this->config();
$settings = new OidcProviderSettings([
- 'issuer' => $config['issuer'],
- 'clientId' => $config['client_id'],
- 'clientSecret' => $config['client_secret'],
- 'redirectUri' => url('/oidc/callback'),
+ 'issuer' => $config['issuer'],
+ 'clientId' => $config['client_id'],
+ 'clientSecret' => $config['client_secret'],
+ 'redirectUri' => url('/oidc/callback'),
'authorizationEndpoint' => $config['authorization_endpoint'],
- 'tokenEndpoint' => $config['token_endpoint'],
+ 'tokenEndpoint' => $config['token_endpoint'],
]);
// Use keys if configured
protected function getProvider(OidcProviderSettings $settings): OidcOAuthProvider
{
return new OidcOAuthProvider($settings->arrayForProvider(), [
- 'httpClient' => $this->httpClient,
+ 'httpClient' => $this->httpClient,
'optionProvider' => new HttpBasicAuthOptionProvider(),
]);
}
/**
- * Calculate the display name
+ * Calculate the display name.
*/
protected function getUserDisplayName(OidcIdToken $token, string $defaultValue): string
{
/**
* Extract the details of a user from an ID token.
+ *
* @return array{name: string, email: string, external_id: string}
*/
protected function getUserDetails(OidcIdToken $token): array
{
$id = $token->getClaim('sub');
+
return [
'external_id' => $id,
- 'email' => $token->getClaim('email'),
- 'name' => $this->getUserDisplayName($token, $id),
+ 'email' => $token->getClaim('email'),
+ 'name' => $this->getUserDisplayName($token, $id),
];
}
/**
* Processes a received access token for a user. Login the user when
* they exist, optionally registering them automatically.
+ *
* @throws OpenIdConnectException
* @throws JsonDebugException
* @throws UserRegistrationException
}
$user = $this->registrationService->findOrRegister(
- $userDetails['name'], $userDetails['email'], $userDetails['external_id']
+ $userDetails['name'],
+ $userDetails['email'],
+ $userDetails['external_id']
);
if ($user === null) {
}
$this->loginService->login($user, 'oidc');
+
return $user;
}
/**
* Attempt to find a user in the system otherwise register them as a new
* user. For use with external auth systems since password is auto-generated.
+ *
* @throws UserRegistrationException
*/
public function findOrRegister(string $name, string $email, string $externalId): User
*/
public function __construct(
RegistrationService $registrationService,
- LoginService $loginService,
- GroupSyncService $groupSyncService
- )
- {
+ LoginService $loginService,
+ GroupSyncService $groupSyncService
+ ) {
$this->config = config('saml2');
$this->registrationService = $registrationService;
$this->loginService = $loginService;
return [
'url' => $toolKit->login($returnRoute, [], false, false, true),
- 'id' => $toolKit->getLastRequestID(),
+ 'id' => $toolKit->getLastRequestID(),
];
}
protected function loadOneloginServiceProviderDetails(): array
{
$spDetails = [
- 'entityId' => url('/saml2/metadata'),
+ 'entityId' => url('/saml2/metadata'),
'assertionConsumerService' => [
'url' => url('/saml2/acs'),
],
return [
'baseurl' => url('/saml2'),
- 'sp' => $spDetails,
+ 'sp' => $spDetails,
];
}
/**
* Extract the details of a user from a SAML response.
+ *
* @return array{external_id: string, name: string, email: string, saml_id: string}
*/
protected function getUserDetails(string $samlID, $samlAttributes): array
return [
'external_id' => $externalId,
- 'name' => $this->getUserDisplayName($samlAttributes, $externalId),
- 'email' => $email,
- 'saml_id' => $samlID,
+ 'name' => $this->getUserDisplayName($samlAttributes, $externalId),
+ 'email' => $email,
+ 'saml_id' => $samlID,
];
}
if ($this->config['dump_user_details']) {
throw new JsonDebugException([
- 'id_from_idp' => $samlID,
- 'attrs_from_idp' => $samlAttributes,
+ 'id_from_idp' => $samlID,
+ 'attrs_from_idp' => $samlAttributes,
'attrs_after_parsing' => $userDetails,
]);
}
}
$user = $this->registrationService->findOrRegister(
- $userDetails['name'], $userDetails['email'], $userDetails['external_id']
+ $userDetails['name'],
+ $userDetails['email'],
+ $userDetails['external_id']
);
if ($user === null) {
'provider' => 'external',
],
'oidc' => [
- 'driver' => 'async-external-session',
+ 'driver' => 'async-external-session',
'provider' => 'external',
],
'api' => [
// OAuth2 endpoints.
'authorization_endpoint' => env('OIDC_AUTH_ENDPOINT', null),
- 'token_endpoint' => env('OIDC_TOKEN_ENDPOINT', null),
+ 'token_endpoint' => env('OIDC_TOKEN_ENDPOINT', null),
];
-<?php namespace BookStack\Exceptions;
+<?php
+
+namespace BookStack\Exceptions;
class OpenIdConnectException extends NotifyException
{
-
}
class OidcController extends Controller
{
-
protected $oidcService;
/**
if ($storedState !== $responseState) {
$this->showErrorNotification(trans('errors.oidc_fail_authed', ['system' => config('oidc.name')]));
+
return redirect('/login');
}
$this->oidcService->processAuthorizeResponse($request->query('code'));
+
return redirect()->intended();
}
}
use Illuminate\Support\Facades\View;
use Illuminate\Support\ServiceProvider;
use Laravel\Socialite\Contracts\Factory as SocialiteFactory;
-use Whoops\Handler\HandlerInterface;
use Psr\Http\Client\ClientInterface as HttpClientInterface;
+use Whoops\Handler\HandlerInterface;
class AppServiceProvider extends ServiceProvider
{
return new CspService();
});
- $this->app->bind(HttpClientInterface::class, function($app) {
+ $this->app->bind(HttpClientInterface::class, function ($app) {
return new Client([
'timeout' => 3,
]);
use BookStack\Api\ApiTokenGuard;
use BookStack\Auth\Access\ExternalBaseUserProvider;
-use BookStack\Auth\Access\Guards\LdapSessionGuard;
use BookStack\Auth\Access\Guards\AsyncExternalBaseSessionGuard;
+use BookStack\Auth\Access\Guards\LdapSessionGuard;
use BookStack\Auth\Access\LdapService;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\RegistrationService;
-<?php namespace Tests\Auth;
+<?php
+
+namespace Tests\Auth;
use BookStack\Actions\ActivityType;
-use BookStack\Auth\Access\Oidc\OidcService;
use BookStack\Auth\User;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
file_put_contents($this->keyFilePath, OidcJwtHelper::publicPemKey());
config()->set([
- 'auth.method' => 'oidc',
- 'auth.defaults.guard' => 'oidc',
- 'oidc.name' => 'SingleSignOn-Testing',
- 'oidc.display_name_claims' => ['name'],
- 'oidc.client_id' => OidcJwtHelper::defaultClientId(),
- 'oidc.client_secret' => 'testpass',
- 'oidc.jwt_public_key' => $this->keyFilePath,
- 'oidc.issuer' => OidcJwtHelper::defaultIssuer(),
+ 'auth.method' => 'oidc',
+ 'auth.defaults.guard' => 'oidc',
+ 'oidc.name' => 'SingleSignOn-Testing',
+ 'oidc.display_name_claims' => ['name'],
+ 'oidc.client_id' => OidcJwtHelper::defaultClientId(),
+ 'oidc.client_secret' => 'testpass',
+ 'oidc.jwt_public_key' => $this->keyFilePath,
+ 'oidc.issuer' => OidcJwtHelper::defaultIssuer(),
'oidc.authorization_endpoint' => 'https://oidc.local/auth',
- 'oidc.token_endpoint' => 'https://oidc.local/token',
- 'oidc.discover' => false,
- 'oidc.dump_user_details' => false,
+ 'oidc.token_endpoint' => 'https://oidc.local/token',
+ 'oidc.discover' => false,
+ 'oidc.dump_user_details' => false,
]);
}
$transactions = &$this->mockHttpClient([$this->getMockAuthorizationResponse([
- 'sub' => 'benny1010101'
+ 'sub' => 'benny1010101',
])]);
// Callback from auth provider
$this->assertStringContainsString('code=SplxlOBeZQQYbYS6WxSbIA', $tokenRequest->getBody());
$this->assertStringContainsString('redirect_uri=' . urlencode(url('/oidc/callback')), $tokenRequest->getBody());
-
$this->assertTrue(auth()->check());
$this->assertDatabaseHas('users', [
'external_auth_id' => 'benny1010101',
- 'email_confirmed' => false,
+ 'email_confirmed' => false,
]);
$resp = $this->runLogin([
- 'sub' => 'benny505'
+ 'sub' => 'benny505',
]);
$resp->assertStatus(200);
$resp->assertJson([
- 'sub' => 'benny505',
- "iss" => OidcJwtHelper::defaultIssuer(),
- "aud" => OidcJwtHelper::defaultClientId(),
+ 'sub' => 'benny505',
+ 'iss' => OidcJwtHelper::defaultIssuer(),
+ 'aud' => OidcJwtHelper::defaultClientId(),
]);
$this->assertFalse(auth()->check());
}
{
$this->runLogin([
'email' => '',
- 'sub' => 'benny505'
+ 'sub' => 'benny505',
]);
$this->assertSessionError('Could not find an email address, for this user, in the data provided by the external authentication system');
$this->runLogin([
- 'sub' => 'benny505'
+ 'sub' => 'benny505',
]);
$this->assertSessionError('Already logged in');
$this->runLogin([
- 'sub' => 'benny505'
+ 'sub' => 'benny505',
]);
$this->assertTrue(auth()->check());
$this->runLogin([
'email' => $editor->email,
- 'sub' => 'benny505'
+ 'sub' => 'benny505',
]);
$this->assertSessionError('A user with the email ' . $editor->email . ' already exists but with different credentials.');
$this->getAutoDiscoveryResponse(),
$this->getJwksResponse(),
$this->getAutoDiscoveryResponse([
- 'issuer' => 'https://auto.example.com'
+ 'issuer' => 'https://auto.example.com',
]),
$this->getJwksResponse(),
]);
protected function withAutodiscovery()
{
config()->set([
- 'oidc.issuer' => OidcJwtHelper::defaultIssuer(),
- 'oidc.discover' => true,
+ 'oidc.issuer' => OidcJwtHelper::defaultIssuer(),
+ 'oidc.discover' => true,
'oidc.authorization_endpoint' => null,
- 'oidc.token_endpoint' => null,
- 'oidc.jwt_public_key' => null,
+ 'oidc.token_endpoint' => null,
+ 'oidc.jwt_public_key' => null,
]);
}
protected function getAutoDiscoveryResponse($responseOverrides = []): Response
{
return new Response(200, [
- 'Content-Type' => 'application/json',
+ 'Content-Type' => 'application/json',
'Cache-Control' => 'no-cache, no-store',
- 'Pragma' => 'no-cache'
+ 'Pragma' => 'no-cache',
], json_encode(array_merge([
- 'token_endpoint' => OidcJwtHelper::defaultIssuer() . '/oidc/token',
+ 'token_endpoint' => OidcJwtHelper::defaultIssuer() . '/oidc/token',
'authorization_endpoint' => OidcJwtHelper::defaultIssuer() . '/oidc/authorize',
- 'jwks_uri' => OidcJwtHelper::defaultIssuer() . '/oidc/keys',
- 'issuer' => OidcJwtHelper::defaultIssuer()
+ 'jwks_uri' => OidcJwtHelper::defaultIssuer() . '/oidc/keys',
+ 'issuer' => OidcJwtHelper::defaultIssuer(),
], $responseOverrides)));
}
protected function getJwksResponse(): Response
{
return new Response(200, [
- 'Content-Type' => 'application/json',
+ 'Content-Type' => 'application/json',
'Cache-Control' => 'no-cache, no-store',
- 'Pragma' => 'no-cache'
+ 'Pragma' => 'no-cache',
], json_encode([
'keys' => [
- OidcJwtHelper::publicJwkKeyArray()
- ]
+ OidcJwtHelper::publicJwkKeyArray(),
+ ],
]));
}
protected function getMockAuthorizationResponse($claimOverrides = []): Response
{
return new Response(200, [
- 'Content-Type' => 'application/json',
+ 'Content-Type' => 'application/json',
'Cache-Control' => 'no-cache, no-store',
- 'Pragma' => 'no-cache'
+ 'Pragma' => 'no-cache',
], json_encode([
'access_token' => 'abc123',
- 'token_type' => 'Bearer',
- 'expires_in' => 3600,
- 'id_token' => OidcJwtHelper::idToken($claimOverrides)
+ 'token_type' => 'Bearer',
+ 'expires_in' => 3600,
+ 'id_token' => OidcJwtHelper::idToken($claimOverrides),
]));
}
}
{
public static function defaultIssuer(): string
{
- return "https://auth.example.com";
+ return 'https://auth.example.com';
}
public static function defaultClientId(): string
{
- return "xxyyzz.aaa.bbccdd.123";
+ return 'xxyyzz.aaa.bbccdd.123';
}
public static function defaultPayload(): array
{
return [
- "sub" => "abc1234def",
- "name" => "Barry Scott",
- "ver" => 1,
- "iss" => static::defaultIssuer(),
- "aud" => static::defaultClientId(),
- "iat" => time(),
- "exp" => time() + 720,
- "jti" => "ID.AaaBBBbbCCCcccDDddddddEEEeeeeee",
- "amr" => ["pwd"],
- "idp" => "fghfghgfh546456dfgdfg",
- "preferred_username" => "xXBazzaXx",
- "auth_time" => time(),
- "at_hash" => "sT4jbsdSGy9w12pq3iNYDA",
+ 'sub' => 'abc1234def',
+ 'name' => 'Barry Scott',
+ 'ver' => 1,
+ 'iss' => static::defaultIssuer(),
+ 'aud' => static::defaultClientId(),
+ 'iat' => time(),
+ 'exp' => time() + 720,
+ 'jti' => 'ID.AaaBBBbbCCCcccDDddddddEEEeeeeee',
+ 'amr' => ['pwd'],
+ 'idp' => 'fghfghgfh546456dfgdfg',
+ 'preferred_username' => 'xXBazzaXx',
+ 'auth_time' => time(),
+ 'at_hash' => 'sT4jbsdSGy9w12pq3iNYDA',
];
}
$privateKey = static::privateKeyInstance();
$signature = $privateKey->sign($top);
+
return $top . '.' . static::base64UrlEncode($signature);
}
public static function publicPemKey(): string
{
- return "-----BEGIN PUBLIC KEY-----
+ return '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqo1OmfNKec5S2zQC4SP9
DrHuUR0VgCi6oqcGERz7zqO36hqk3A3R3aCgJkEjfnbnMuszRRKs45NbXoOp9pvm
zXL16c93Obn7G8x8A3ao6yN5qKO5S5+CETqOZfKN/g75Xlz7VsC3igOhgsXnPx6i
+zihMHCZUUvQu99P+o0MDR0lMUT+vPJ6SJeRfnoHexwt6bZFiNnsZIEL03bX4QNk
WvsLta1+jNUee+8IPVhzCO8bvM86NzLaKUJ4k6NZ5IVrmdCFpFsjCWByOrDG8wdw
3wIDAQAB
------END PUBLIC KEY-----";
+-----END PUBLIC KEY-----';
}
public static function privatePemKey(): string
{
- return "-----BEGIN PRIVATE KEY-----
+ return '-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqjU6Z80p5zlLb
NALhI/0Ose5RHRWAKLqipwYRHPvOo7fqGqTcDdHdoKAmQSN+ducy6zNFEqzjk1te
g6n2m+bNcvXpz3c5ufsbzHwDdqjrI3moo7lLn4IROo5l8o3+DvleXPtWwLeKA6GC
efqXPwg2wAPYeiec49EbfnteQQKAkqNfJ9K69yE2naf6bw3/5mCBsq/cXeuaBMII
ylysUIRBqt2J0kWm2yCpFWR7H+Ilhdx9A7ZLCqYVt8e+vjO/BOI3cQDe2VPOLPSl
q/1PY4iJviGKddtmfClH3v4=
------END PRIVATE KEY-----";
+-----END PRIVATE KEY-----';
}
public static function publicJwkKeyArray(): array
'alg' => 'RS256',
'kid' => '066e52af-8884-4926-801d-032a276f9f2a',
'use' => 'sig',
- 'e' => 'AQAB',
- 'n' => 'qo1OmfNKec5S2zQC4SP9DrHuUR0VgCi6oqcGERz7zqO36hqk3A3R3aCgJkEjfnbnMuszRRKs45NbXoOp9pvmzXL16c93Obn7G8x8A3ao6yN5qKO5S5-CETqOZfKN_g75Xlz7VsC3igOhgsXnPx6iiM6sbYbk0U_XpFaT84LXKI8VTIPUo7gTeZN1pTET__i9FlzAOzX-xfWBKdOqlEzl-zihMHCZUUvQu99P-o0MDR0lMUT-vPJ6SJeRfnoHexwt6bZFiNnsZIEL03bX4QNkWvsLta1-jNUee-8IPVhzCO8bvM86NzLaKUJ4k6NZ5IVrmdCFpFsjCWByOrDG8wdw3w',
+ 'e' => 'AQAB',
+ 'n' => 'qo1OmfNKec5S2zQC4SP9DrHuUR0VgCi6oqcGERz7zqO36hqk3A3R3aCgJkEjfnbnMuszRRKs45NbXoOp9pvmzXL16c93Obn7G8x8A3ao6yN5qKO5S5-CETqOZfKN_g75Xlz7VsC3igOhgsXnPx6iiM6sbYbk0U_XpFaT84LXKI8VTIPUo7gTeZN1pTET__i9FlzAOzX-xfWBKdOqlEzl-zihMHCZUUvQu99P-o0MDR0lMUT-vPJ6SJeRfnoHexwt6bZFiNnsZIEL03bX4QNkWvsLta1-jNUee-8IPVhzCO8bvM86NzLaKUJ4k6NZ5IVrmdCFpFsjCWByOrDG8wdw3w',
];
}
-}
\ No newline at end of file
+}
/**
* Mock the http client used in BookStack.
* Returns a reference to the container which holds all history of http transactions.
+ *
* @link https://docs.guzzlephp.org/en/stable/testing.html#history-middleware
*/
protected function &mockHttpClient(array $responses = []): array
$handlerStack = new HandlerStack($mock);
$handlerStack->push($history);
$this->app[ClientInterface::class] = new Client(['handler' => $handlerStack]);
+
return $container;
}
namespace Tests\Unit;
-use BookStack\Auth\Access\Oidc\OidcInvalidTokenException;
use BookStack\Auth\Access\Oidc\OidcIdToken;
+use BookStack\Auth\Access\Oidc\OidcInvalidTokenException;
use Tests\Helpers\OidcJwtHelper;
use Tests\TestCase;
public function test_valid_token_passes_validation()
{
$token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), [
- OidcJwtHelper::publicJwkKeyArray()
+ OidcJwtHelper::publicJwkKeyArray(),
]);
$this->assertTrue($token->validate('xxyyzz.aaa.bbccdd.123'));
foreach ($messagesAndTokenValues as [$message, $tokenValue]) {
$token = new OidcIdToken($tokenValue, OidcJwtHelper::defaultIssuer(), []);
$err = null;
+
try {
$token->validate('abc');
} catch (\Exception $exception) {
{
$token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), [
array_merge(OidcJwtHelper::publicJwkKeyArray(), [
- 'n' => 'iqK-1QkICMf_cusNLpeNnN-bhT0-9WLBvzgwKLALRbrevhdi5ttrLHIQshaSL0DklzfyG2HWRmAnJ9Q7sweEjuRiiqRcSUZbYu8cIv2hLWYu7K_NH67D2WUjl0EnoHEuiVLsZhQe1CmdyLdx087j5nWkd64K49kXRSdxFQUlj8W3NeK3CjMEUdRQ3H4RZzJ4b7uuMiFA29S2ZhMNG20NPbkUVsFL-jiwTd10KSsPT8yBYipI9O7mWsUWt_8KZs1y_vpM_k3SyYihnWpssdzDm1uOZ8U3mzFr1xsLAO718GNUSXk6npSDzLl59HEqa6zs4O9awO2qnSHvcmyELNk31w'
- ])
+ 'n' => 'iqK-1QkICMf_cusNLpeNnN-bhT0-9WLBvzgwKLALRbrevhdi5ttrLHIQshaSL0DklzfyG2HWRmAnJ9Q7sweEjuRiiqRcSUZbYu8cIv2hLWYu7K_NH67D2WUjl0EnoHEuiVLsZhQe1CmdyLdx087j5nWkd64K49kXRSdxFQUlj8W3NeK3CjMEUdRQ3H4RZzJ4b7uuMiFA29S2ZhMNG20NPbkUVsFL-jiwTd10KSsPT8yBYipI9O7mWsUWt_8KZs1y_vpM_k3SyYihnWpssdzDm1uOZ8U3mzFr1xsLAO718GNUSXk6npSDzLl59HEqa6zs4O9awO2qnSHvcmyELNk31w',
+ ]),
]);
$this->expectException(OidcInvalidTokenException::class);
$this->expectExceptionMessage('Token signature could not be validated using the provided keys');
{
$token = new OidcIdToken(OidcJwtHelper::idToken([], ['alg' => 'HS256']), OidcJwtHelper::defaultIssuer(), []);
$this->expectException(OidcInvalidTokenException::class);
- $this->expectExceptionMessage("Only RS256 signature validation is supported. Token reports using HS256");
+ $this->expectExceptionMessage('Only RS256 signature validation is supported. Token reports using HS256');
$token->validate('abc');
}
foreach ($claimOverridesByErrorMessage as [$message, $overrides]) {
$token = new OidcIdToken(OidcJwtHelper::idToken($overrides), OidcJwtHelper::defaultIssuer(), [
- OidcJwtHelper::publicJwkKeyArray()
+ OidcJwtHelper::publicJwkKeyArray(),
]);
$err = null;
+
try {
$token->validate('xxyyzz.aaa.bbccdd.123');
} catch (\Exception $exception) {
$testFilePath = 'file://' . stream_get_meta_data($file)['uri'];
file_put_contents($testFilePath, OidcJwtHelper::publicPemKey());
$token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), [
- $testFilePath
+ $testFilePath,
]);
$this->assertTrue($token->validate('xxyyzz.aaa.bbccdd.123'));
unlink($testFilePath);
}
-}
\ No newline at end of file
+}
projects / bookstack / commitdiff