BookStack Code Mirror - bookstack/blob - tests/Unit/OidcIdTokenTest.php

1 <?php

2

3 namespace Tests\Unit;

4

5 use BookStack\Auth\Access\Oidc\OidcInvalidTokenException;

6 use BookStack\Auth\Access\Oidc\OidcIdToken;

7 use Tests\Helpers\OidcJwtHelper;

8 use Tests\TestCase;

9

10 class OidcIdTokenTest extends TestCase

11 {

12 public function test_valid_token_passes_validation()

13 {

14 $token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), [

15 OidcJwtHelper::publicJwkKeyArray()

16 ]);

17

18 $this->assertTrue($token->validate('xxyyzz.aaa.bbccdd.123'));

19 }

20

21 public function test_get_claim_returns_value_if_existing()

22 {

23 $token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), []);

24 $this->assertEquals('[email protected]', $token->getClaim('email'));

25 }

26

27 public function test_get_claim_returns_null_if_not_existing()

28 {

29 $token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), []);

30 $this->assertEquals(null, $token->getClaim('emails'));

31 }

32

33 public function test_get_all_claims_returns_all_payload_claims()

34 {

35 $defaultPayload = OidcJwtHelper::defaultPayload();

36 $token = new OidcIdToken(OidcJwtHelper::idToken($defaultPayload), OidcJwtHelper::defaultIssuer(), []);

37 $this->assertEquals($defaultPayload, $token->getAllClaims());

38 }

39

40 public function test_token_structure_error_cases()

41 {

42 $idToken = OidcJwtHelper::idToken();

43 $idTokenExploded = explode('.', $idToken);

44

45 $messagesAndTokenValues = [

46 ['Could not parse out a valid header within the provided token', ''],

47 ['Could not parse out a valid header within the provided token', 'cat'],

48 ['Could not parse out a valid payload within the provided token', $idTokenExploded[0]],

49 ['Could not parse out a valid payload within the provided token', $idTokenExploded[0] . '.' . 'dog'],

50 ['Could not parse out a valid signature within the provided token', $idTokenExploded[0] . '.' . $idTokenExploded[1]],

51 ['Could not parse out a valid signature within the provided token', $idTokenExploded[0] . '.' . $idTokenExploded[1] . '.' . '@$%'],

52 ];

53

54 foreach ($messagesAndTokenValues as [$message, $tokenValue]) {

55 $token = new OidcIdToken($tokenValue, OidcJwtHelper::defaultIssuer(), []);

56 $err = null;

57 try {

58 $token->validate('abc');

59 } catch (\Exception $exception) {

60 $err = $exception;

61 }

62

63 $this->assertInstanceOf(OidcInvalidTokenException::class, $err, $message);

64 $this->assertEquals($message, $err->getMessage());

65 }

66 }

67

68 public function test_error_thrown_if_token_signature_not_validated_from_no_keys()

69 {

70 $token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), []);

71 $this->expectException(OidcInvalidTokenException::class);

72 $this->expectExceptionMessage('Token signature could not be validated using the provided keys');

73 $token->validate('abc');

74 }

75

76 public function test_error_thrown_if_token_signature_not_validated_from_non_matching_key()

77 {

78 $token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), [

79 array_merge(OidcJwtHelper::publicJwkKeyArray(), [

80 'n' => 'iqK-1QkICMf_cusNLpeNnN-bhT0-9WLBvzgwKLALRbrevhdi5ttrLHIQshaSL0DklzfyG2HWRmAnJ9Q7sweEjuRiiqRcSUZbYu8cIv2hLWYu7K_NH67D2WUjl0EnoHEuiVLsZhQe1CmdyLdx087j5nWkd64K49kXRSdxFQUlj8W3NeK3CjMEUdRQ3H4RZzJ4b7uuMiFA29S2ZhMNG20NPbkUVsFL-jiwTd10KSsPT8yBYipI9O7mWsUWt_8KZs1y_vpM_k3SyYihnWpssdzDm1uOZ8U3mzFr1xsLAO718GNUSXk6npSDzLl59HEqa6zs4O9awO2qnSHvcmyELNk31w'

81 ])

82 ]);

83 $this->expectException(OidcInvalidTokenException::class);

84 $this->expectExceptionMessage('Token signature could not be validated using the provided keys');

85 $token->validate('abc');

86 }

87

88 public function test_error_thrown_if_invalid_key_provided()

89 {

90 $token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), ['url://example.com']);

91 $this->expectException(OidcInvalidTokenException::class);

92 $this->expectExceptionMessage('Unexpected type of key value provided');

93 $token->validate('abc');

94 }

95

96 public function test_error_thrown_if_token_algorithm_is_not_rs256()

97 {

98 $token = new OidcIdToken(OidcJwtHelper::idToken([], ['alg' => 'HS256']), OidcJwtHelper::defaultIssuer(), []);

99 $this->expectException(OidcInvalidTokenException::class);

100 $this->expectExceptionMessage("Only RS256 signature validation is supported. Token reports using HS256");

101 $token->validate('abc');

102 }

103

104 public function test_token_claim_error_cases()

105 {

106 /** @var array<array{0: string: 1: array}> $claimOverridesByErrorMessage */

107 $claimOverridesByErrorMessage = [

108 // 1. iss claim present

109 ['Missing or non-matching token issuer value', ['iss' => null]],

110 // 1. iss claim matches provided issuer

111 ['Missing or non-matching token issuer value', ['iss' => 'https://auth.example.co.uk']],

112 // 2. aud claim present

113 ['Missing token audience value', ['aud' => null]],

114 // 2. aud claim validates all values against those expected (Only expect single)

115 ['Token audience value has 2 values, Expected 1', ['aud' => ['abc', 'def']]],

116 // 2. aud claim matches client id

117 ['Token audience value did not match the expected client_id', ['aud' => 'xxyyzz.aaa.bbccdd.456']],

118 // 4. azp claim matches client id if present

119 ['Token authorized party exists but does not match the expected client_id', ['azp' => 'xxyyzz.aaa.bbccdd.456']],

120 // 5. exp claim present

121 ['Missing token expiration time value', ['exp' => null]],

122 // 5. exp claim not expired

123 ['Token has expired', ['exp' => time() - 360]],

124 // 6. iat claim present

125 ['Missing token issued at time value', ['iat' => null]],

126 // 6. iat claim too far in the future

127 ['Token issue at time is not recent or is invalid', ['iat' => time() + 600]],

128 // 6. iat claim too far in the past

129 ['Token issue at time is not recent or is invalid', ['iat' => time() - 172800]],

130

131 // Custom: sub is present

132 ['Missing token subject value', ['sub' => null]],

133 ];

134

135 foreach ($claimOverridesByErrorMessage as [$message, $overrides]) {

136 $token = new OidcIdToken(OidcJwtHelper::idToken($overrides), OidcJwtHelper::defaultIssuer(), [

137 OidcJwtHelper::publicJwkKeyArray()

138 ]);

139

140 $err = null;

141 try {

142 $token->validate('xxyyzz.aaa.bbccdd.123');

143 } catch (\Exception $exception) {

144 $err = $exception;

145 }

146

147 $this->assertInstanceOf(OidcInvalidTokenException::class, $err, $message);

148 $this->assertEquals($message, $err->getMessage());

149 }

150 }

151

152 public function test_keys_can_be_a_local_file_reference_to_pem_key()

153 {

154 $file = tmpfile();

155 $testFilePath = 'file://' . stream_get_meta_data($file)['uri'];

156 file_put_contents($testFilePath, OidcJwtHelper::publicPemKey());

157 $token = new OidcIdToken(OidcJwtHelper::idToken(), OidcJwtHelper::defaultIssuer(), [

158 $testFilePath

159 ]);

160

161 $this->assertTrue($token->validate('xxyyzz.aaa.bbccdd.123'));

162 unlink($testFilePath);

163 }

164 }