From: =?utf-8?q?David_Pr=C3=A9vot?= Date: Tue, 23 May 2023 23:30:52 +0200 Subject: Group jwt for tests depending on it --- .../CompleteConfigurationTestCase.php | 3 + .../Security/Factory/AccessTokenFactoryTest.php | 620 --------------------- .../Tests/Functional/AccessTokenTest.php | 4 + .../AccessToken/Oidc/OidcTokenGeneratorTest.php | 3 + .../AccessToken/Oidc/OidcTokenHandlerTest.php | 314 ----------- 5 files changed, 10 insertions(+), 934 deletions(-) delete mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php delete mode 100644 src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php index dcb6701..3344ce2 100644 --- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php +++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php @@ -11,6 +11,7 @@ namespace Symfony\Bundle\SecurityBundle\Tests\DependencyInjection; +use PHPUnit\Framework\Attributes\Group; use PHPUnit\Framework\TestCase; use Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension; use Symfony\Bundle\SecurityBundle\SecurityBundle; @@ -726,6 +727,7 @@ abstract class CompleteConfigurationTestCase extends TestCase $this->assertSame('(?:^/register$|^/documentation$)', $container->getDefinition($requestMatcherId)->getArgument(0)); } + #[Group('jwt')] public function testAccessTokenOidc() { $container = $this->getContainer('access_token_oidc'); @@ -739,6 +741,7 @@ abstract class CompleteConfigurationTestCase extends TestCase $this->assertSame('sub', $def->getArgument(4)); } + #[Group('jwt')] public function testAccessTokenOidcWithEncryption() { $container = $this->getContainer('access_token_oidc_encryption'); diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php deleted file mode 100644 index a3655a0..0000000 --- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php +++ /dev/null @@ -1,620 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Bundle\SecurityBundle\Tests\DependencyInjection\Security\Factory; - -use PHPUnit\Framework\Attributes\DataProvider; -use PHPUnit\Framework\TestCase; -use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken\CasTokenHandlerFactory; -use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken\OAuth2TokenHandlerFactory; -use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken\OidcTokenHandlerFactory; -use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken\OidcUserInfoTokenHandlerFactory; -use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken\ServiceTokenHandlerFactory; -use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AccessTokenFactory; -use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition; -use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException; -use Symfony\Component\DependencyInjection\ChildDefinition; -use Symfony\Component\DependencyInjection\ContainerBuilder; -use Symfony\Component\DependencyInjection\Exception\LogicException; -use Symfony\Component\DependencyInjection\Reference; -use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenGenerator; -use Symfony\Contracts\HttpClient\HttpClientInterface; - -class AccessTokenFactoryTest extends TestCase -{ - public function testBasicServiceConfiguration() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => 'in_memory_token_handler_service_id', - 'success_handler' => 'success_handler_service_id', - 'failure_handler' => 'failure_handler_service_id', - 'token_extractors' => ['BAR', 'FOO'], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - } - - public function testDefaultTokenHandlerConfiguration() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => 'in_memory_token_handler_service_id', - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - } - - public function testIdTokenHandlerConfiguration() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => ['id' => 'in_memory_token_handler_service_id'], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - } - - public function testCasTokenHandlerConfiguration() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => ['cas' => ['validation_url' => 'https://www.example.com/cas/validate']], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.access_token_handler.cas')); - - $arguments = $container->getDefinition('security.access_token_handler.cas')->getArguments(); - $this->assertSame((string) $arguments[0], 'request_stack'); - $this->assertSame($arguments[1], 'https://www.example.com/cas/validate'); - $this->assertSame($arguments[2], 'cas'); - $this->assertNull($arguments[3]); - } - - public function testInvalidOidcTokenHandlerConfigurationKeyMissing() - { - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'algorithms' => ['RS256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('You must set either "discovery" or "keyset".'); - - $this->processConfig($config, $factory); - } - - public function testInvalidOidcTokenHandlerConfigurationMissingAlgorithmParameters() - { - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - 'keyset' => 'keyset', - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('The child config "algorithms" under "access_token.token_handler.oidc" must be configured: Algorithms used to sign the token.'); - - $this->processConfig($config, $factory); - } - - public function testOidcTokenHandlerConfigurationWithMultipleAlgorithms() - { - $container = new ContainerBuilder(); - $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}'; - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'algorithms' => ['RS256', 'ES256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - 'keyset' => $jwkset, - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - - $expected = [ - 'index_0' => (new ChildDefinition('security.access_token_handler.oidc.signature')) - ->replaceArgument(0, ['RS256', 'ES256']), - 'index_1' => (new ChildDefinition('security.access_token_handler.oidc.jwkset')) - ->replaceArgument(0, $jwkset), - 'index_2' => 'audience', - 'index_3' => ['https://www.example.com'], - 'index_4' => 'sub', - ]; - $this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments()); - } - - public function testOidcTokenHandlerConfigurationWithEncryption() - { - $container = new ContainerBuilder(); - $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}'; - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'algorithms' => ['RS256', 'ES256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - 'keyset' => $jwkset, - 'encryption' => [ - 'enabled' => true, - 'keyset' => $jwkset, - 'algorithms' => ['RSA-OAEP', 'RSA1_5'], - ], - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - } - - public function testInvalidOidcTokenHandlerConfigurationMissingEncryptionKeyset() - { - $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}'; - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'algorithms' => ['RS256', 'ES256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - 'keyset' => $jwkset, - 'encryption' => [ - 'enabled' => true, - 'algorithms' => ['RSA-OAEP', 'RSA1_5'], - ], - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc.encryption" must be configured: JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).'); - - $this->processConfig($config, $factory); - } - - public function testInvalidOidcTokenHandlerConfigurationMissingAlgorithm() - { - $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}'; - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'algorithms' => ['RS256', 'ES256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - 'keyset' => $jwkset, - 'encryption' => [ - 'enabled' => true, - 'keyset' => $jwkset, - 'algorithms' => [], - ], - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('The path "access_token.token_handler.oidc.encryption.algorithms" should have at least 1 element(s) defined.'); - - $this->processConfig($config, $factory); - } - - public function testOidcTokenHandlerConfigurationWithDiscovery() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'discovery' => [ - 'base_uri' => 'https://www.example.com/realms/demo/', - 'cache' => [ - 'id' => 'oidc_cache', - ], - ], - 'algorithms' => ['RS256', 'ES256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - - $expectedArgs = [ - 'index_0' => (new ChildDefinition('security.access_token_handler.oidc.signature')) - ->replaceArgument(0, ['RS256', 'ES256']), - 'index_1' => null, - 'index_2' => 'audience', - 'index_3' => ['https://www.example.com'], - 'index_4' => 'sub', - ]; - $expectedCalls = [ - [ - 'enableDiscovery', - [ - new Reference('oidc_cache'), - [ - (new ChildDefinition('security.access_token_handler.oidc_discovery.http_client')) - ->replaceArgument(0, ['base_uri' => 'https://www.example.com/realms/demo/']), - ], - 'security.access_token_handler.firewall1.oidc_configuration', - ], - ], - ]; - $this->assertEquals($expectedArgs, $container->getDefinition('security.access_token_handler.firewall1')->getArguments()); - $this->assertEquals($expectedCalls, $container->getDefinition('security.access_token_handler.firewall1')->getMethodCalls()); - } - - public function testOidcTokenHandlerConfigurationWithMultipleDiscoveryBaseUri() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'discovery' => [ - 'base_uri' => [ - 'https://www.example.com/realms/demo/', - 'https://www.api.com/realms/api/', - ], - 'cache' => [ - 'id' => 'oidc_cache', - ], - ], - 'algorithms' => ['RS256', 'ES256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - - $expectedArgs = [ - 'index_0' => (new ChildDefinition('security.access_token_handler.oidc.signature')) - ->replaceArgument(0, ['RS256', 'ES256']), - 'index_1' => null, - 'index_2' => 'audience', - 'index_3' => ['https://www.example.com'], - 'index_4' => 'sub', - ]; - $expectedCalls = [ - [ - 'enableDiscovery', - [ - new Reference('oidc_cache'), - [ - (new ChildDefinition('security.access_token_handler.oidc_discovery.http_client')) - ->replaceArgument(0, ['base_uri' => 'https://www.example.com/realms/demo/']), - (new ChildDefinition('security.access_token_handler.oidc_discovery.http_client')) - ->replaceArgument(0, ['base_uri' => 'https://www.api.com/realms/api/']), - ], - 'security.access_token_handler.firewall1.oidc_configuration', - ], - ], - ]; - $this->assertEquals($expectedArgs, $container->getDefinition('security.access_token_handler.firewall1')->getArguments()); - $this->assertEquals($expectedCalls, $container->getDefinition('security.access_token_handler.firewall1')->getMethodCalls()); - } - - public function testOidcUserInfoTokenHandlerConfigurationWithExistingClient() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => [ - 'oidc_user_info' => [ - 'base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo', - 'client' => 'oidc.client', - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - - $expected = [ - 'index_0' => (new ChildDefinition('security.access_token_handler.oidc_user_info.http_client')) - ->setFactory([new Reference('oidc.client'), 'withOptions']) - ->replaceArgument(0, ['base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo']), - 'index_2' => 'sub', - ]; - $this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments()); - } - - #[DataProvider('getOidcUserInfoConfiguration')] - public function testOidcUserInfoTokenHandlerConfigurationWithBaseUri(array|string $configuration) - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => ['oidc_user_info' => $configuration], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - - $expected = [ - 'index_0' => (new ChildDefinition('security.access_token_handler.oidc_user_info.http_client')) - ->replaceArgument(0, ['base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo']), - 'index_2' => 'sub', - ]; - - if (!interface_exists(HttpClientInterface::class)) { - $this->expectException(LogicException::class); - $this->expectExceptionMessage('You cannot use the "oidc_user_info" token handler since the HttpClient component is not installed. Try running "composer require symfony/http-client".'); - } - - $this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments()); - } - - public static function getOidcUserInfoConfiguration(): iterable - { - yield [['base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo']]; - yield ['https://www.example.com/realms/demo/protocol/openid-connect/userinfo']; - } - - public function testOidcUserInfoTokenHandlerConfigurationWithDiscovery() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => [ - 'oidc_user_info' => [ - 'discovery' => [ - 'cache' => [ - 'id' => 'oidc_cache', - ], - ], - 'base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo', - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - - $expectedArgs = [ - 'index_0' => (new ChildDefinition('security.access_token_handler.oidc_user_info.http_client')) - ->replaceArgument(0, ['base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo']), - 'index_2' => 'sub', - ]; - $expectedCalls = [ - [ - 'enableDiscovery', - [ - new Reference('oidc_cache'), - 'security.access_token_handler.firewall1.oidc_configuration', - ], - ], - ]; - $this->assertEquals($expectedArgs, $container->getDefinition('security.access_token_handler.firewall1')->getArguments()); - $this->assertEquals($expectedCalls, $container->getDefinition('security.access_token_handler.firewall1')->getMethodCalls()); - } - - public function testMultipleTokenHandlersSet() - { - $config = [ - 'token_handler' => [ - 'id' => 'in_memory_token_handler_service_id', - 'oidc_user_info' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo', - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('You cannot configure multiple token handlers.'); - - $this->processConfig($config, $factory); - } - - public function testOAuth2TokenHandlerConfiguration() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => ['oauth2' => true], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1')); - $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1')); - } - - public function testNoTokenHandlerSet() - { - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('You must set a token handler.'); - - $config = [ - 'token_handler' => [], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $this->processConfig($config, $factory); - } - - public function testNoExtractorsDefined() - { - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('The path "access_token.token_extractors" should have at least 1 element(s) defined.'); - $config = [ - 'token_handler' => 'in_memory_token_handler_service_id', - 'success_handler' => 'success_handler_service_id', - 'failure_handler' => 'failure_handler_service_id', - 'token_extractors' => [], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $this->processConfig($config, $factory); - } - - public function testNoHandlerDefined() - { - $this->expectException(InvalidConfigurationException::class); - $this->expectExceptionMessage('The child config "token_handler" under "access_token" must be configured.'); - $config = [ - 'success_handler' => 'success_handler_service_id', - 'failure_handler' => 'failure_handler_service_id', - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $this->processConfig($config, $factory); - } - - private function processConfig(array $config, AccessTokenFactory $factory) - { - $nodeDefinition = new ArrayNodeDefinition('access_token'); - $factory->addConfiguration($nodeDefinition); - - $node = $nodeDefinition->getNode(); - $normalizedConfig = $node->normalize($config); - - return $node->finalize($normalizedConfig); - } - - private function createTokenHandlerFactories(): array - { - return [ - new ServiceTokenHandlerFactory(), - new OidcUserInfoTokenHandlerFactory(), - new OidcTokenHandlerFactory(), - new CasTokenHandlerFactory(), - new OAuth2TokenHandlerFactory(), - ]; - } - - public function testOidcTokenGenerator() - { - if (!class_exists(OidcTokenGenerator::class)) { - $this->markTestSkipped('OidcTokenGenerator not available.'); - } - - $container = new ContainerBuilder(); - $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}'; - $config = [ - 'token_handler' => [ - 'oidc' => [ - 'algorithms' => ['RS256', 'ES256'], - 'issuers' => ['https://www.example.com'], - 'audience' => 'audience', - 'keyset' => $jwkset, - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertTrue($container->hasDefinition('security.access_token_handler.oidc.command.generate')); - $this->assertTrue($container->getDefinition('security.access_token_handler.oidc.command.generate')->hasMethodCall('addGenerator')); - } - - public function testOidcTokenGeneratorCommandWithNoTokenHandler() - { - $container = new ContainerBuilder(); - $config = [ - 'token_handler' => [ - 'oidc_user_info' => [ - 'base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo', - 'client' => 'oidc.client', - ], - ], - ]; - - $factory = new AccessTokenFactory($this->createTokenHandlerFactories()); - $finalizedConfig = $this->processConfig($config, $factory); - - $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider'); - - $this->assertFalse($container->hasDefinition('security.access_token_handler.oidc.command.generate')); - } -} diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php index 7a2dc84..d985860 100644 --- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php +++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php @@ -21,6 +21,7 @@ use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\JWSBuilder; use Jose\Component\Signature\Serializer\CompactSerializer as JwsCompactSerializer; use PHPUnit\Framework\Attributes\DataProvider; +use PHPUnit\Framework\Attributes\Group; use PHPUnit\Framework\Attributes\RequiresPhpExtension; use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException; use Symfony\Component\HttpClient\MockHttpClient; @@ -339,6 +340,7 @@ class AccessTokenTest extends AbstractWebTestCase #[DataProvider('validAccessTokens')] #[RequiresPhpExtension('openssl')] + #[Group('jwt')] public function testOidcSuccess(callable $tokenFactory) { try { @@ -358,6 +360,7 @@ class AccessTokenTest extends AbstractWebTestCase #[DataProvider('invalidAccessTokens')] #[RequiresPhpExtension('openssl')] + #[Group('jwt')] public function testOidcFailure(callable $tokenFactory) { try { @@ -376,6 +379,7 @@ class AccessTokenTest extends AbstractWebTestCase } #[RequiresPhpExtension('openssl')] + #[Group('jwt')] public function testOidcFailureWithJweEnforced() { $client = $this->createClient(['test_case' => 'AccessToken', 'root_config' => 'config_oidc_jwe.yml']); diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenGeneratorTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenGeneratorTest.php index ebd666e..2f0f7d4 100644 --- a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenGeneratorTest.php +++ b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenGeneratorTest.php @@ -17,6 +17,7 @@ use Jose\Component\Core\JWKSet; use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\Algorithm\ES512; use PHPUnit\Framework\Attributes\DataProvider; +use PHPUnit\Framework\Attributes\Group; use PHPUnit\Framework\Attributes\RequiresPhpExtension; use PHPUnit\Framework\TestCase; use Symfony\Component\Clock\MockClock; @@ -26,6 +27,7 @@ use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler; #[RequiresPhpExtension('openssl')] class OidcTokenGeneratorTest extends TestCase { + #[Group('jwt')] public function testGenerate() { $algorithmManager = new AlgorithmManager([new ES256()]); @@ -49,6 +51,7 @@ class OidcTokenGeneratorTest extends TestCase } #[DataProvider('provideGenerateWithInvalid')] + #[Group('jwt')] public function testGenerateWithInvalid(?string $algorithm, ?string $issuer, ?int $ttl, ?int $notBefore, string $expectedMessage) { $this->expectException(\InvalidArgumentException::class); diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php deleted file mode 100644 index 208cae9..0000000 --- a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php +++ /dev/null @@ -1,314 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Http\Tests\AccessToken\Oidc; - -use Jose\Component\Core\AlgorithmManager; -use Jose\Component\Core\JWK; -use Jose\Component\Core\JWKSet; -use Jose\Component\Signature\Algorithm\ES256; -use Jose\Component\Signature\JWSBuilder; -use Jose\Component\Signature\Serializer\CompactSerializer; -use PHPUnit\Framework\Attributes\DataProvider; -use PHPUnit\Framework\Attributes\RequiresPhpExtension; -use PHPUnit\Framework\TestCase; -use Psr\Log\LoggerInterface; -use Symfony\Component\Cache\Adapter\ArrayAdapter; -use Symfony\Component\HttpClient\MockHttpClient; -use Symfony\Component\HttpClient\Response\JsonMockResponse; -use Symfony\Component\Security\Core\Exception\BadCredentialsException; -use Symfony\Component\Security\Core\User\OidcUser; -use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler; -use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge; - -#[RequiresPhpExtension('openssl')] -class OidcTokenHandlerTest extends TestCase -{ - private const AUDIENCE = 'Symfony OIDC'; - - #[DataProvider('getClaims')] - public function testGetsUserIdentifierFromSignedToken(string $claim, string $expected) - { - $time = time(); - $claims = [ - 'iat' => $time, - 'nbf' => $time, - 'exp' => $time + 3600, - 'iss' => 'https://www.example.com', - 'aud' => self::AUDIENCE, - 'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f', - 'email' => 'foo@example.com', - ]; - $token = self::buildJWS(json_encode($claims)); - $expectedUser = new OidcUser(...$claims, userIdentifier: $claims[$claim]); - - $loggerMock = $this->createMock(LoggerInterface::class); - $loggerMock->expects($this->never())->method('error'); - - $userBadge = (new OidcTokenHandler( - new AlgorithmManager([new ES256()]), - self::getJWKSet(), - self::AUDIENCE, - ['https://www.example.com'], - $claim, - $loggerMock, - ))->getUserBadgeFrom($token); - $actualUser = $userBadge->getUserLoader()(); - - $this->assertInstanceOf(UserBadge::class, $userBadge); - $this->assertSame($expected, $userBadge->getUserIdentifier()); - $this->assertSame($claims, $userBadge->getAttributes()); - $this->assertInstanceOf(OidcUser::class, $actualUser); - $this->assertEquals($expectedUser, $actualUser); - $this->assertEquals($claims, $userBadge->getAttributes()); - $this->assertEquals($claims[$claim], $actualUser->getUserIdentifier()); - } - - public static function getClaims(): iterable - { - yield ['sub', 'e21bf182-1538-406e-8ccb-e25a17aba39f']; - yield ['email', 'foo@example.com']; - } - - #[DataProvider('getInvalidTokens')] - public function testThrowsAnErrorIfTokenIsInvalid(string $token) - { - $loggerMock = $this->createMock(LoggerInterface::class); - $loggerMock->expects($this->once())->method('error'); - - $this->expectException(BadCredentialsException::class); - $this->expectExceptionMessage('Invalid credentials.'); - - (new OidcTokenHandler( - new AlgorithmManager([new ES256()]), - self::getJWKSet(), - self::AUDIENCE, - ['https://www.example.com'], - 'sub', - $loggerMock, - ))->getUserBadgeFrom($token); - } - - public static function getInvalidTokens(): iterable - { - // Invalid token - yield ['invalid']; - // Token is expired - yield [ - self::buildJWS(json_encode([ - 'iat' => time() - 3600, - 'nbf' => time() - 3600, - 'exp' => time() - 3590, - 'iss' => 'https://www.example.com', - 'aud' => self::AUDIENCE, - 'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f', - 'email' => 'foo@example.com', - ])), - ]; - // Invalid audience - yield [ - self::buildJWS(json_encode([ - 'iat' => time(), - 'nbf' => time(), - 'exp' => time() + 3590, - 'iss' => 'https://www.example.com', - 'aud' => 'invalid', - 'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f', - 'email' => 'foo@example.com', - ])), - ]; - } - - public function testThrowsAnErrorIfUserPropertyIsMissing() - { - $loggerMock = $this->createMock(LoggerInterface::class); - $loggerMock->expects($this->once())->method('error'); - - $time = time(); - $claims = [ - 'iat' => $time, - 'nbf' => $time, - 'exp' => $time + 3600, - 'iss' => 'https://www.example.com', - 'aud' => self::AUDIENCE, - 'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f', - ]; - $token = $this->buildJWS(json_encode($claims)); - - $this->expectException(BadCredentialsException::class); - $this->expectExceptionMessage('Invalid credentials.'); - - (new OidcTokenHandler( - new AlgorithmManager([new ES256()]), - self::getJWKSet(), - self::AUDIENCE, - ['https://www.example.com'], - 'email', - $loggerMock, - ))->getUserBadgeFrom($token); - } - - private static function buildJWS(string $payload): string - { - return (new CompactSerializer())->serialize((new JWSBuilder(new AlgorithmManager([ - new ES256(), - ])))->create() - ->withPayload($payload) - ->addSignature(self::getJWK(), ['alg' => 'ES256']) - ->build() - ); - } - - private static function getJWK(): JWK - { - // tip: use https://mkjwk.org/ to generate a JWK - return new JWK([ - 'kty' => 'EC', - 'crv' => 'P-256', - 'x' => '0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4', - 'y' => 'KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo', - 'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220', - ]); - } - - private static function getSecondJWK(): JWK - { - return new JWK([ - 'kty' => 'EC', - 'd' => '0LCBSOYvrksazPnC0pzwY0P5MWEESUhEzbc2zJEnOsc', - 'crv' => 'P-256', - 'x' => 'N1aUu8Pd2WdClkpCQ4QCPnGjYe_bTmDgEaSoxy5LhTw', - 'y' => 'Yr1v-tCNxE8QgAGlartrJAi343bI8VlAaNvgCOp8Azs', - ]); - } - - private static function getJWKSet(): JWKSet - { - return new JWKSet([ - new JWK([ - 'kty' => 'EC', - 'crv' => 'P-256', - 'x' => 'FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars', - 'y' => 'rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY', - 'd' => '4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0', - ]), - self::getJWK(), - ]); - } - - public function testGetsUserIdentifierWithSingleDiscoveryEndpoint() - { - $time = time(); - $claims = [ - 'iat' => $time, - 'nbf' => $time, - 'exp' => $time + 3600, - 'iss' => 'https://www.example.com', - 'aud' => self::AUDIENCE, - 'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f', - 'email' => 'foo@example.com', - ]; - $token = $this->buildJWS(json_encode($claims)); - - $httpClient = new MockHttpClient([ - new JsonMockResponse(['jwks_uri' => 'https://www.example.com/.well-known/jwks.json']), - new JsonMockResponse(['keys' => [array_merge(self::getJWK()->all(), ['use' => 'sig'])]]), - ]); - - $cache = new ArrayAdapter(); - $handler = new OidcTokenHandler( - new AlgorithmManager([new ES256()]), - null, - self::AUDIENCE, - ['https://www.example.com'] - ); - $handler->enableDiscovery($cache, $httpClient, 'oidc_config'); - - $userBadge = $handler->getUserBadgeFrom($token); - - $this->assertInstanceOf(UserBadge::class, $userBadge); - $this->assertSame('e21bf182-1538-406e-8ccb-e25a17aba39f', $userBadge->getUserIdentifier()); - } - - public function testGetsUserIdentifierWithMultipleDiscoveryEndpoints() - { - $time = time(); - - $httpClient1 = new MockHttpClient(function ($method, $url) { - if (str_contains($url, 'openid-configuration')) { - return new JsonMockResponse(['jwks_uri' => 'https://provider1.example.com/.well-known/jwks.json']); - } - - return new JsonMockResponse(['keys' => [array_merge(self::getJWK()->all(), ['use' => 'sig'])]]); - }); - - $httpClient2 = new MockHttpClient(function ($method, $url) { - if (str_contains($url, 'openid-configuration')) { - return new JsonMockResponse(['jwks_uri' => 'https://provider2.example.com/.well-known/jwks.json']); - } - - return new JsonMockResponse(['keys' => [array_merge(self::getSecondJWK()->all(), ['use' => 'sig'])]]); - }); - - $cache = new ArrayAdapter(); - - $handler = new OidcTokenHandler( - new AlgorithmManager([new ES256()]), - null, - self::AUDIENCE, - ['https://www.example.com'] - ); - $handler->enableDiscovery($cache, [$httpClient1, $httpClient2], 'oidc_config'); - - $claims1 = [ - 'iat' => $time, - 'nbf' => $time, - 'exp' => $time + 3600, - 'iss' => 'https://www.example.com', - 'aud' => self::AUDIENCE, - 'sub' => 'user-from-provider1', - 'email' => 'user1@example.com', - ]; - $token1 = self::buildJWSWithKey(json_encode($claims1), self::getJWK()); - $userBadge1 = $handler->getUserBadgeFrom($token1); - - $this->assertInstanceOf(UserBadge::class, $userBadge1); - $this->assertSame('user-from-provider1', $userBadge1->getUserIdentifier()); - - $claims2 = [ - 'iat' => $time, - 'nbf' => $time, - 'exp' => $time + 3600, - 'iss' => 'https://www.example.com', - 'aud' => self::AUDIENCE, - 'sub' => 'user-from-provider2', - 'email' => 'user2@example.com', - ]; - $token2 = self::buildJWSWithKey(json_encode($claims2), self::getSecondJWK()); - $userBadge2 = $handler->getUserBadgeFrom($token2); - - $this->assertInstanceOf(UserBadge::class, $userBadge2); - $this->assertSame('user-from-provider2', $userBadge2->getUserIdentifier()); - - $this->assertTrue($cache->hasItem('oidc_config')); - } - - private static function buildJWSWithKey(string $payload, JWK $jwk): string - { - return (new CompactSerializer())->serialize((new JWSBuilder(new AlgorithmManager([ - new ES256(), - ])))->create() - ->withPayload($payload) - ->addSignature($jwk, ['alg' => 'ES256']) - ->build() - ); - } -}