ClientAssertionJwtAuthenticationMethodTest - Code Metrics - Inspection of "ClientAssertionJwt Tests added and bugs fixed" - OAuth2-Framework/oauth2-framework - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — ng ( 8b0de7...c3dfca )

by Florent

created 2018-03-22 12:50 UTC

ClientAssertionJwtAuthenticationMethodTest A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	470
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	3

Importance

Changes

Metric	Value
wmc	27
lcom	1
cbo	3
dl	0
loc	470
rs	10
c	0
b	0
f	0

23 Methods

Rating	Name	Size	Complexity
A	genericCalls()	10	1
A	theClientIdCannotBeFoundInTheRequest()	11	1
A	theClientAssertionTypeIsNotSupported()	13	1
A	theClientAssertionIsMissing()	17	2
A	theClientAssertionIsInvalid()	18	2
A	theClientAssertionSignedByTheClientIsInvalidBecauseOfMissingClaims()	18	2
A	theClientAssertionIsValidAndTheClientIdIsRetrieved()	13	1
A	theClientConfigurationCanBeCheckedWithClientSecretJwt()	11	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfBothJwksAndJwksUriAreSet()	10	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfNoneOfTheJwksAndJwksUriAreSet()	8	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksIsNotAValidKeySet()	9	1
A	theClientConfigurationCanBeCheckedWithPrivateKeyJwtIfJwksIsValid()	12	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriFactoryIsNotAvailable()	9	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriIsNotValid()	13	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriCannotBeReached()	14	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriDoesNotContainAValidKeySet()	17	1
A	theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriDoesContainAnEmptyKeySet()	17	1
A	theClientConfigurationCanBeCheckedWithPrivateKeyJwt()	20	1
A	getMethod()	22	2
A	getJkuFactory()	8	1
A	getHttpClient()	6	1
B	createValidClientAssertionSignedByTheClient()	28	1
A	createInvalidClientAssertionSignedByTheClient()	23	1

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace OAuth2Framework\Component\ClientAuthentication\Tests;

use Http\Message\MessageFactory\DiactorosMessageFactory;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\HeaderCheckerManager;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\Converter\StandardConverter;
use Jose\Component\Core\JWK;
use Jose\Component\KeyManagement\JKUFactory;
use Jose\Component\Signature\Algorithm\HS256;
use Jose\Component\Signature\Algorithm\RS256;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\JWSTokenSupport;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use OAuth2Framework\Component\Core\Client\Client;
use OAuth2Framework\Component\Core\Client\ClientId;
use OAuth2Framework\Component\Core\DataBag\DataBag;
use OAuth2Framework\Component\Core\Exception\OAuth2Exception;
use OAuth2Framework\Component\Core\UserAccount\UserAccountId;
use OAuth2Framework\Component\ClientAuthentication\AuthenticationMethodManager;
use OAuth2Framework\Component\ClientAuthentication\ClientAssertionJwt;
use PHPUnit\Framework\TestCase;
use Psr\Http\Message\ServerRequestInterface;
use Zend\Diactoros\Response;

/**
 * @group TokenEndpoint
 * @group ClientAuthentication
 */
class ClientAssertionJwtAuthenticationMethodTest extends TestCase
{
    /**
     * @test
     */
    public function genericCalls()
    {
        $method = $this->getMethod();

        self::assertEquals([], $method->getSchemesParameters());
        self::assertEquals(['client_secret_jwt', 'private_key_jwt'], $method->getSupportedMethods());
        self::assertEquals(['HS256', 'RS256'], $method->getSupportedSignatureAlgorithms());
        self::assertEquals([], $method->getSupportedKeyEncryptionAlgorithms());
        self::assertEquals([], $method->getSupportedContentEncryptionAlgorithms());
    }

    /**
     * @test
     */
    public function theClientIdCannotBeFoundInTheRequest()
    {
        $method = $this->getMethod();
        $request = $this->prophesize(ServerRequestInterface::class);
        $request->getHeader('Authorization')->willReturn([]);
        $request->getParsedBody()->willReturn([]);

        $clientId = $method->findClientIdAndCredentials($request->reveal(), $credentials);
        self::assertNull($clientId);
        self::assertNull($credentials);
    }

    /**
     * @test
     */
    public function theClientAssertionTypeIsNotSupported()
    {
        $method = $this->getMethod();
        $request = $this->prophesize(ServerRequestInterface::class);
        $request->getHeader('Authorization')->willReturn([]);
        $request->getParsedBody()->willReturn([
            'client_assertion_type' => 'foo',
        ]);

        $clientId = $method->findClientIdAndCredentials($request->reveal(), $credentials);
        self::assertNull($clientId);
        self::assertNull($credentials);
    }

    /**
     * @test
     */
    public function theClientAssertionIsMissing()
    {
        $method = $this->getMethod();
        $request = $this->prophesize(ServerRequestInterface::class);
        $request->getHeader('Authorization')->willReturn([]);
        $request->getParsedBody()->willReturn([
            'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
        ]);

        try {
            $method->findClientIdAndCredentials($request->reveal(), $credentials);
            $this->fail('An OAuth2 exception should be thrown.');
        } catch (OAuth2Exception $e) {
            self::assertEquals('invalid_request', $e->getMessage());
            self::assertEquals('Parameter "client_assertion" is missing.', $e->getErrorDescription());
        }
    }

    /**
     * @test
     */
    public function theClientAssertionIsInvalid()
    {
        $method = $this->getMethod();
        $request = $this->prophesize(ServerRequestInterface::class);
        $request->getHeader('Authorization')->willReturn([]);
        $request->getParsedBody()->willReturn([
            'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
            'client_assertion' => 'foo',
        ]);

        try {
            $method->findClientIdAndCredentials($request->reveal(), $credentials);
            $this->fail('An OAuth2 exception should be thrown.');
        } catch (OAuth2Exception $e) {
            self::assertEquals('invalid_request', $e->getMessage());
            self::assertEquals('Unable to load, decrypt or verify the client assertion.', $e->getErrorDescription());
        }
    }

    /**
     * @test
     */
    public function theClientAssertionSignedByTheClientIsInvalidBecauseOfMissingClaims()
    {
        $method = $this->getMethod();
        $request = $this->prophesize(ServerRequestInterface::class);
        $request->getHeader('Authorization')->willReturn([]);
        $request->getParsedBody()->willReturn([
            'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
            'client_assertion' => $this->createInvalidClientAssertionSignedByTheClient(),
        ]);

        try {
            $method->findClientIdAndCredentials($request->reveal(), $credentials);
            $this->fail('An OAuth2 exception should be thrown.');
        } catch (OAuth2Exception $e) {
            self::assertEquals('invalid_request', $e->getMessage());
            self::assertEquals('The following claim(s) is/are mandatory: "iss, sub, aud, exp".', $e->getErrorDescription());
        }
    }

    /**
     * @test
     */
    public function theClientAssertionIsValidAndTheClientIdIsRetrieved()
    {
        $method = $this->getMethod();
        $request = $this->prophesize(ServerRequestInterface::class);
        $request->getHeader('Authorization')->willReturn([]);
        $request->getParsedBody()->willReturn([
            'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
            'client_assertion' => $this->createValidClientAssertionSignedByTheClient(),
        ]);

        $clientId = $method->findClientIdAndCredentials($request->reveal(), $credentials);
        self::assertEquals('ClientId', $clientId->getValue());
    }

    /**
     * @test
     */
    /*public function theClientUsesAnotherAuthenticationMethod()

    {
        $method = $this->getMethod();
        $manager = new AuthenticationMethodManager();
        $method->add($method);
        $client = Client::createEmpty();
        $client = $client->create(
            ClientId::create('CLIENT_ID'),
            DataBag::create([
                'client_secret' => 'CLIENT_SECRET',
                'token_endpoint_auth_method' => 'client_secret_post',
            ]),
            UserAccountId::create('USER_ACCOUNT_ID')
        );
        $request = $this->prophesize(ServerRequestInterface::class);
        $request->getParsedBody()->willReturn([
            'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
            'client_assertion'      => 'CLIENT_SECRET',
        ]);

        self::assertFalse($method->isClientAuthenticated($request->reveal(), $client, $method, 'CLIENT_SECRET'));
    }*/

    /**
     * @test
     */
    public function theClientConfigurationCanBeCheckedWithClientSecretJwt()
    {
        $method = $this->getMethod();
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'client_secret_jwt',
        ]);
        $validatedParameters = $method->checkClientConfiguration($commandParameters, DataBag::create([]));

        self::assertTrue($validatedParameters->has('client_secret'));
        self::assertTrue($validatedParameters->has('client_secret_expires_at'));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage Either the parameter "jwks" or "jwks_uri" must be set.
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfBothJwksAndJwksUriAreSet()
    {
        $method = $this->getMethod();
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks' => 'foo',
            'jwks_uri' => 'bar',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage Either the parameter "jwks" or "jwks_uri" must be set.
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfNoneOfTheJwksAndJwksUriAreSet()
    {
        $method = $this->getMethod();
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage The parameter "jwks" must be a valid JWKSet object.
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksIsNotAValidKeySet()
    {
        $method = $this->getMethod();
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks' => 'foo',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     */
    public function theClientConfigurationCanBeCheckedWithPrivateKeyJwtIfJwksIsValid()
    {
        $method = $this->getMethod();
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks' => '{"keys":[{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"},{"kty":"oct","k":"dIx5cdLn-dAgNkvfZSiroJuy5oykHO4hDnYpmwlMq6A"}]}',
        ]);
        $validatedParameters = $method->checkClientConfiguration($commandParameters, DataBag::create([]));

        self::assertTrue($validatedParameters->has('jwks'));
        self::assertEquals('{"keys":[{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"},{"kty":"oct","k":"dIx5cdLn-dAgNkvfZSiroJuy5oykHO4hDnYpmwlMq6A"}]}', $validatedParameters->get('jwks'));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage Distant key sets cannot be used. Please use "jwks" instead of "jwks_uri".
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriFactoryIsNotAvailable()
    {
        $method = $this->getMethod();
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks_uri' => 'foo',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage The parameter "jwks_uri" must be a valid uri to a JWKSet.
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriIsNotValid()
    {
        $method = clone $this->getMethod();
        $httpClient = $this->getHttpClient();
        $method->enableJkuSupport(
            $this->getJkuFactory($httpClient)
        );
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks_uri' => 'foo',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage The parameter "jwks_uri" must be a valid uri to a JWKSet.
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriCannotBeReached()
    {
        $method = clone $this->getMethod();
        $httpClient = $this->getHttpClient();
        $httpClient->addResponse(new Response('php://memory', 404));
        $method->enableJkuSupport(
            $this->getJkuFactory($httpClient)
        );
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks_uri' => 'https://www.foo.com/bad-url.jwkset',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage The parameter "jwks_uri" must be a valid uri to a JWKSet.
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriDoesNotContainAValidKeySet()
    {
        $method = clone $this->getMethod();
        $httpClient = $this->getHttpClient();
        $stream = fopen('php://memory', 'w+');
        fwrite($stream, 'Hello World!');
        rewind($stream);
        $httpClient->addResponse(new Response($stream, 200));
        $method->enableJkuSupport(
            $this->getJkuFactory($httpClient)
        );
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks_uri' => 'https://www.foo.com/index.html',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     * @expectedException \InvalidArgumentException
     * @expectedExceptionMessage The distant key set is empty.
     */
    public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriDoesContainAnEmptyKeySet()
    {
        $method = clone $this->getMethod();
        $httpClient = $this->getHttpClient();
        $stream = fopen('php://memory', 'w+');
        fwrite($stream, '{"keys":[]}');
        rewind($stream);
        $httpClient->addResponse(new Response($stream, 200));
        $method->enableJkuSupport(
            $this->getJkuFactory($httpClient)
        );
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks_uri' => 'https://www.foo.com/index.html',
        ]);
        $method->checkClientConfiguration($commandParameters, DataBag::create([]));
    }

    /**
     * @test
     */
    public function theClientConfigurationCanBeCheckedWithPrivateKeyJwt()
    {
        $method = clone $this->getMethod();
        $httpClient = $this->getHttpClient();
        $stream = fopen('php://memory', 'w+');
        fwrite($stream, '{"keys":[{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"},{"kty":"oct","k":"dIx5cdLn-dAgNkvfZSiroJuy5oykHO4hDnYpmwlMq6A"}]}');
        rewind($stream);
        $httpClient->addResponse(new Response($stream, 200));
        $method->enableJkuSupport(
            $this->getJkuFactory($httpClient)
        );
        $commandParameters = DataBag::create([
            'token_endpoint_auth_method' => 'private_key_jwt',
            'jwks_uri' => 'https://www.foo.com/keyset',
        ]);
        $validatedParameters = $method->checkClientConfiguration($commandParameters, DataBag::create([]));

        self::assertTrue($validatedParameters->has('jwks_uri'));
        self::assertEquals('https://www.foo.com/keyset', $validatedParameters->get('jwks_uri'));
    }

    /**
     * @var null|ClientAssertionJwt
     */
    private $method = null;

    /**
     * @return ClientAssertionJwt
     */
    private function getMethod(): ClientAssertionJwt
    {
        if (null === $this->method) {
            $this->method = new ClientAssertionJwt(
                new StandardConverter(),
                new JWSVerifier(
                    AlgorithmManager::create([
                        new HS256(),
                        new RS256(),
                    ])
                ),
                HeaderCheckerManager::create(
                    [],
                    [new JWSTokenSupport()]
                ),
                ClaimCheckerManager::create([]),
                3600
            );
        }

        return $this->method;
    }

    /**
     * @param \Http\Mock\Client $client
     *
     * @return JKUFactory
     */
    private function getJkuFactory(\Http\Mock\Client $client):JKUFactory
    {
        return new JKUFactory(
            new StandardConverter(),
            $client,
            new DiactorosMessageFactory()
        );
    }

    /**
     * @return \Http\Mock\Client
     */
    private function getHttpClient(): \Http\Mock\Client
    {
        return new \Http\Mock\Client(
            new DiactorosMessageFactory()
        );
    }

    /**
     * @return string
     */
    private function createValidClientAssertionSignedByTheClient(): string
    {
        $jsonConverter = new StandardConverter();
        $jwsBuilder = new JWSBuilder(
            $jsonConverter,
            AlgorithmManager::create([
                new HS256(),
            ])
        );

        $jws = $jwsBuilder
            ->create()
            ->withPayload($jsonConverter->encode([
                'iss' => 'ClientId',
                'sub' => 'ClientId',
                'aud' => 'My Server',
                'exp' => time()+3600,
            ]))
            ->addSignature(
                JWK::createFromJson('{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"}'),
                ['alg' => 'HS256']
            )
            ->build();

        $serializer = new CompactSerializer($jsonConverter);

        return $serializer->serialize($jws, 0);
    }

    /**
     * @return string
     */
    private function createInvalidClientAssertionSignedByTheClient(): string
    {
        $jsonConverter = new StandardConverter();
        $jwsBuilder = new JWSBuilder(
            $jsonConverter,
            AlgorithmManager::create([
                new HS256(),
            ])
        );

        $jws = $jwsBuilder
            ->create()
            ->withPayload($jsonConverter->encode([]))
            ->addSignature(
                JWK::createFromJson('{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"}'),
                ['alg' => 'HS256']
            )
            ->build();

        $serializer = new CompactSerializer($jsonConverter);

        return $serializer->serialize($jws, 0);
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2018 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace OAuth2Framework\Component\ClientAuthentication\Tests;
15
16			use Http\Message\MessageFactory\DiactorosMessageFactory;
17			use Jose\Component\Checker\ClaimCheckerManager;
18			use Jose\Component\Checker\HeaderCheckerManager;
19			use Jose\Component\Core\AlgorithmManager;
20			use Jose\Component\Core\Converter\StandardConverter;
21			use Jose\Component\Core\JWK;
22			use Jose\Component\KeyManagement\JKUFactory;
23			use Jose\Component\Signature\Algorithm\HS256;
24			use Jose\Component\Signature\Algorithm\RS256;
25			use Jose\Component\Signature\JWSBuilder;
26			use Jose\Component\Signature\JWSTokenSupport;
27			use Jose\Component\Signature\JWSVerifier;
28			use Jose\Component\Signature\Serializer\CompactSerializer;
29			use OAuth2Framework\Component\Core\Client\Client;
30			use OAuth2Framework\Component\Core\Client\ClientId;
31			use OAuth2Framework\Component\Core\DataBag\DataBag;
32			use OAuth2Framework\Component\Core\Exception\OAuth2Exception;
33			use OAuth2Framework\Component\Core\UserAccount\UserAccountId;
34			use OAuth2Framework\Component\ClientAuthentication\AuthenticationMethodManager;
35			use OAuth2Framework\Component\ClientAuthentication\ClientAssertionJwt;
36			use PHPUnit\Framework\TestCase;
37			use Psr\Http\Message\ServerRequestInterface;
38			use Zend\Diactoros\Response;
39
40			/**
41			* @group TokenEndpoint
42			* @group ClientAuthentication
43			*/
44			class ClientAssertionJwtAuthenticationMethodTest extends TestCase
45			{
46			/**
47			* @test
48			*/
49			public function genericCalls()
50			{
51			$method = $this->getMethod();
52
53			self::assertEquals([], $method->getSchemesParameters());
54			self::assertEquals(['client_secret_jwt', 'private_key_jwt'], $method->getSupportedMethods());
55			self::assertEquals(['HS256', 'RS256'], $method->getSupportedSignatureAlgorithms());
56			self::assertEquals([], $method->getSupportedKeyEncryptionAlgorithms());
57			self::assertEquals([], $method->getSupportedContentEncryptionAlgorithms());
58			}
59
60			/**
61			* @test
62			*/
63			public function theClientIdCannotBeFoundInTheRequest()
64			{
65			$method = $this->getMethod();
66			$request = $this->prophesize(ServerRequestInterface::class);
67			$request->getHeader('Authorization')->willReturn([]);
68			$request->getParsedBody()->willReturn([]);
69
70			$clientId = $method->findClientIdAndCredentials($request->reveal(), $credentials);
71			self::assertNull($clientId);
72			self::assertNull($credentials);
73			}
74
75			/**
76			* @test
77			*/
78			public function theClientAssertionTypeIsNotSupported()
79			{
80			$method = $this->getMethod();
81			$request = $this->prophesize(ServerRequestInterface::class);
82			$request->getHeader('Authorization')->willReturn([]);
83			$request->getParsedBody()->willReturn([
84			'client_assertion_type' => 'foo',
85			]);
86
87			$clientId = $method->findClientIdAndCredentials($request->reveal(), $credentials);
88			self::assertNull($clientId);
89			self::assertNull($credentials);
90			}
91
92			/**
93			* @test
94			*/
95			public function theClientAssertionIsMissing()
96			{
97			$method = $this->getMethod();
98			$request = $this->prophesize(ServerRequestInterface::class);
99			$request->getHeader('Authorization')->willReturn([]);
100			$request->getParsedBody()->willReturn([
101			'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
102			]);
103
104			try {
105			$method->findClientIdAndCredentials($request->reveal(), $credentials);
106			$this->fail('An OAuth2 exception should be thrown.');
107			} catch (OAuth2Exception $e) {
108			self::assertEquals('invalid_request', $e->getMessage());
109			self::assertEquals('Parameter "client_assertion" is missing.', $e->getErrorDescription());
110			}
111			}
112
113			/**
114			* @test
115			*/
116			public function theClientAssertionIsInvalid()
117			{
118			$method = $this->getMethod();
119			$request = $this->prophesize(ServerRequestInterface::class);
120			$request->getHeader('Authorization')->willReturn([]);
121			$request->getParsedBody()->willReturn([
122			'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
123			'client_assertion' => 'foo',
124			]);
125
126			try {
127			$method->findClientIdAndCredentials($request->reveal(), $credentials);
128			$this->fail('An OAuth2 exception should be thrown.');
129			} catch (OAuth2Exception $e) {
130			self::assertEquals('invalid_request', $e->getMessage());
131			self::assertEquals('Unable to load, decrypt or verify the client assertion.', $e->getErrorDescription());
132			}
133			}
134
135			/**
136			* @test
137			*/
138			public function theClientAssertionSignedByTheClientIsInvalidBecauseOfMissingClaims()
139			{
140			$method = $this->getMethod();
141			$request = $this->prophesize(ServerRequestInterface::class);
142			$request->getHeader('Authorization')->willReturn([]);
143			$request->getParsedBody()->willReturn([
144			'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
145			'client_assertion' => $this->createInvalidClientAssertionSignedByTheClient(),
146			]);
147
148			try {
149			$method->findClientIdAndCredentials($request->reveal(), $credentials);
150			$this->fail('An OAuth2 exception should be thrown.');
151			} catch (OAuth2Exception $e) {
152			self::assertEquals('invalid_request', $e->getMessage());
153			self::assertEquals('The following claim(s) is/are mandatory: "iss, sub, aud, exp".', $e->getErrorDescription());
154			}
155			}
156
157			/**
158			* @test
159			*/
160			public function theClientAssertionIsValidAndTheClientIdIsRetrieved()
161			{
162			$method = $this->getMethod();
163			$request = $this->prophesize(ServerRequestInterface::class);
164			$request->getHeader('Authorization')->willReturn([]);
165			$request->getParsedBody()->willReturn([
166			'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
167			'client_assertion' => $this->createValidClientAssertionSignedByTheClient(),
168			]);
169
170			$clientId = $method->findClientIdAndCredentials($request->reveal(), $credentials);
171			self::assertEquals('ClientId', $clientId->getValue());
172			}
173
174			/**
175			* @test
176			*/
177			/*public function theClientUsesAnotherAuthenticationMethod()
			0 ignored issues – show Unused Code Comprehensibility introduced 2018-03-22 12:56 UTC by Report Bug Copy Issue Report `59%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
178			{
179			$method = $this->getMethod();
180			$manager = new AuthenticationMethodManager();
181			$method->add($method);
182			$client = Client::createEmpty();
183			$client = $client->create(
184			ClientId::create('CLIENT_ID'),
185			DataBag::create([
186			'client_secret' => 'CLIENT_SECRET',
187			'token_endpoint_auth_method' => 'client_secret_post',
188			]),
189			UserAccountId::create('USER_ACCOUNT_ID')
190			);
191			$request = $this->prophesize(ServerRequestInterface::class);
192			$request->getParsedBody()->willReturn([
193			'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
194			'client_assertion' => 'CLIENT_SECRET',
195			]);
196
197			self::assertFalse($method->isClientAuthenticated($request->reveal(), $client, $method, 'CLIENT_SECRET'));
198			}*/
199
200			/**
201			* @test
202			*/
203			public function theClientConfigurationCanBeCheckedWithClientSecretJwt()
204			{
205			$method = $this->getMethod();
206			$commandParameters = DataBag::create([
207			'token_endpoint_auth_method' => 'client_secret_jwt',
208			]);
209			$validatedParameters = $method->checkClientConfiguration($commandParameters, DataBag::create([]));
210
211			self::assertTrue($validatedParameters->has('client_secret'));
212			self::assertTrue($validatedParameters->has('client_secret_expires_at'));
213			}
214
215			/**
216			* @test
217			* @expectedException \InvalidArgumentException
218			* @expectedExceptionMessage Either the parameter "jwks" or "jwks_uri" must be set.
219			*/
220			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfBothJwksAndJwksUriAreSet()
221			{
222			$method = $this->getMethod();
223			$commandParameters = DataBag::create([
224			'token_endpoint_auth_method' => 'private_key_jwt',
225			'jwks' => 'foo',
226			'jwks_uri' => 'bar',
227			]);
228			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
229			}
230
231			/**
232			* @test
233			* @expectedException \InvalidArgumentException
234			* @expectedExceptionMessage Either the parameter "jwks" or "jwks_uri" must be set.
235			*/
236			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfNoneOfTheJwksAndJwksUriAreSet()
237			{
238			$method = $this->getMethod();
239			$commandParameters = DataBag::create([
240			'token_endpoint_auth_method' => 'private_key_jwt',
241			]);
242			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
243			}
244
245			/**
246			* @test
247			* @expectedException \InvalidArgumentException
248			* @expectedExceptionMessage The parameter "jwks" must be a valid JWKSet object.
249			*/
250			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksIsNotAValidKeySet()
251			{
252			$method = $this->getMethod();
253			$commandParameters = DataBag::create([
254			'token_endpoint_auth_method' => 'private_key_jwt',
255			'jwks' => 'foo',
256			]);
257			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
258			}
259
260			/**
261			* @test
262			*/
263			public function theClientConfigurationCanBeCheckedWithPrivateKeyJwtIfJwksIsValid()
264			{
265			$method = $this->getMethod();
266			$commandParameters = DataBag::create([
267			'token_endpoint_auth_method' => 'private_key_jwt',
268			'jwks' => '{"keys":[{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"},{"kty":"oct","k":"dIx5cdLn-dAgNkvfZSiroJuy5oykHO4hDnYpmwlMq6A"}]}',
269			]);
270			$validatedParameters = $method->checkClientConfiguration($commandParameters, DataBag::create([]));
271
272			self::assertTrue($validatedParameters->has('jwks'));
273			self::assertEquals('{"keys":[{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"},{"kty":"oct","k":"dIx5cdLn-dAgNkvfZSiroJuy5oykHO4hDnYpmwlMq6A"}]}', $validatedParameters->get('jwks'));
274			}
275
276			/**
277			* @test
278			* @expectedException \InvalidArgumentException
279			* @expectedExceptionMessage Distant key sets cannot be used. Please use "jwks" instead of "jwks_uri".
280			*/
281			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriFactoryIsNotAvailable()
282			{
283			$method = $this->getMethod();
284			$commandParameters = DataBag::create([
285			'token_endpoint_auth_method' => 'private_key_jwt',
286			'jwks_uri' => 'foo',
287			]);
288			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
289			}
290
291			/**
292			* @test
293			* @expectedException \InvalidArgumentException
294			* @expectedExceptionMessage The parameter "jwks_uri" must be a valid uri to a JWKSet.
295			*/
296			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriIsNotValid()
297			{
298			$method = clone $this->getMethod();
299			$httpClient = $this->getHttpClient();
300			$method->enableJkuSupport(
301			$this->getJkuFactory($httpClient)
302			);
303			$commandParameters = DataBag::create([
304			'token_endpoint_auth_method' => 'private_key_jwt',
305			'jwks_uri' => 'foo',
306			]);
307			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
308			}
309
310			/**
311			* @test
312			* @expectedException \InvalidArgumentException
313			* @expectedExceptionMessage The parameter "jwks_uri" must be a valid uri to a JWKSet.
314			*/
315			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriCannotBeReached()
316			{
317			$method = clone $this->getMethod();
318			$httpClient = $this->getHttpClient();
319			$httpClient->addResponse(new Response('php://memory', 404));
320			$method->enableJkuSupport(
321			$this->getJkuFactory($httpClient)
322			);
323			$commandParameters = DataBag::create([
324			'token_endpoint_auth_method' => 'private_key_jwt',
325			'jwks_uri' => 'https://www.foo.com/bad-url.jwkset',
326			]);
327			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
328			}
329
330			/**
331			* @test
332			* @expectedException \InvalidArgumentException
333			* @expectedExceptionMessage The parameter "jwks_uri" must be a valid uri to a JWKSet.
334			*/
335			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriDoesNotContainAValidKeySet()
336			{
337			$method = clone $this->getMethod();
338			$httpClient = $this->getHttpClient();
339			$stream = fopen('php://memory', 'w+');
340			fwrite($stream, 'Hello World!');
341			rewind($stream);
342			$httpClient->addResponse(new Response($stream, 200));
343			$method->enableJkuSupport(
344			$this->getJkuFactory($httpClient)
345			);
346			$commandParameters = DataBag::create([
347			'token_endpoint_auth_method' => 'private_key_jwt',
348			'jwks_uri' => 'https://www.foo.com/index.html',
349			]);
350			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
351			}
352
353			/**
354			* @test
355			* @expectedException \InvalidArgumentException
356			* @expectedExceptionMessage The distant key set is empty.
357			*/
358			public function theClientConfigurationCannotBeCheckedWithPrivateKeyJwtIfJwksUriDoesContainAnEmptyKeySet()
359			{
360			$method = clone $this->getMethod();
361			$httpClient = $this->getHttpClient();
362			$stream = fopen('php://memory', 'w+');
363			fwrite($stream, '{"keys":[]}');
364			rewind($stream);
365			$httpClient->addResponse(new Response($stream, 200));
366			$method->enableJkuSupport(
367			$this->getJkuFactory($httpClient)
368			);
369			$commandParameters = DataBag::create([
370			'token_endpoint_auth_method' => 'private_key_jwt',
371			'jwks_uri' => 'https://www.foo.com/index.html',
372			]);
373			$method->checkClientConfiguration($commandParameters, DataBag::create([]));
374			}
375
376			/**
377			* @test
378			*/
379			public function theClientConfigurationCanBeCheckedWithPrivateKeyJwt()
380			{
381			$method = clone $this->getMethod();
382			$httpClient = $this->getHttpClient();
383			$stream = fopen('php://memory', 'w+');
384			fwrite($stream, '{"keys":[{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"},{"kty":"oct","k":"dIx5cdLn-dAgNkvfZSiroJuy5oykHO4hDnYpmwlMq6A"}]}');
385			rewind($stream);
386			$httpClient->addResponse(new Response($stream, 200));
387			$method->enableJkuSupport(
388			$this->getJkuFactory($httpClient)
389			);
390			$commandParameters = DataBag::create([
391			'token_endpoint_auth_method' => 'private_key_jwt',
392			'jwks_uri' => 'https://www.foo.com/keyset',
393			]);
394			$validatedParameters = $method->checkClientConfiguration($commandParameters, DataBag::create([]));
395
396			self::assertTrue($validatedParameters->has('jwks_uri'));
397			self::assertEquals('https://www.foo.com/keyset', $validatedParameters->get('jwks_uri'));
398			}
399
400			/**
401			* @var null\|ClientAssertionJwt
402			*/
403			private $method = null;
404
405			/**
406			* @return ClientAssertionJwt
407			*/
408			private function getMethod(): ClientAssertionJwt
409			{
410			if (null === $this->method) {
411			$this->method = new ClientAssertionJwt(
412			new StandardConverter(),
413			new JWSVerifier(
414			AlgorithmManager::create([
415			new HS256(),
416			new RS256(),
417			])
418			),
419			HeaderCheckerManager::create(
420			[],
421			[new JWSTokenSupport()]
422			),
423			ClaimCheckerManager::create([]),
424			3600
425			);
426			}
427
428			return $this->method;
429			}
430
431			/**
432			* @param \Http\Mock\Client $client
433			*
434			* @return JKUFactory
435			*/
436			private function getJkuFactory(\Http\Mock\Client $client):JKUFactory
437			{
438			return new JKUFactory(
439			new StandardConverter(),
440			$client,
441			new DiactorosMessageFactory()
442			);
443			}
444
445			/**
446			* @return \Http\Mock\Client
447			*/
448			private function getHttpClient(): \Http\Mock\Client
449			{
450			return new \Http\Mock\Client(
451			new DiactorosMessageFactory()
452			);
453			}
454
455			/**
456			* @return string
457			*/
458			private function createValidClientAssertionSignedByTheClient(): string
459			{
460			$jsonConverter = new StandardConverter();
461			$jwsBuilder = new JWSBuilder(
462			$jsonConverter,
463			AlgorithmManager::create([
464			new HS256(),
465			])
466			);
467
468			$jws = $jwsBuilder
469			->create()
470			->withPayload($jsonConverter->encode([
471			'iss' => 'ClientId',
472			'sub' => 'ClientId',
473			'aud' => 'My Server',
474			'exp' => time()+3600,
475			]))
476			->addSignature(
477			JWK::createFromJson('{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"}'),
478			['alg' => 'HS256']
479			)
480			->build();
481
482			$serializer = new CompactSerializer($jsonConverter);
483
484			return $serializer->serialize($jws, 0);
485			}
486
487			/**
488			* @return string
489			*/
490			private function createInvalidClientAssertionSignedByTheClient(): string
491			{
492			$jsonConverter = new StandardConverter();
493			$jwsBuilder = new JWSBuilder(
494			$jsonConverter,
495			AlgorithmManager::create([
496			new HS256(),
497			])
498			);
499
500			$jws = $jwsBuilder
501			->create()
502			->withPayload($jsonConverter->encode([]))
503			->addSignature(
504			JWK::createFromJson('{"kty":"oct","k":"bJzb8RaN7TzPz001PeF0lw0ZoUJqbazGxMvBd_xzfms"}'),
505			['alg' => 'HS256']
506			)
507			->build();
508
509			$serializer = new CompactSerializer($jsonConverter);
510
511			return $serializer->serialize($jws, 0);
512			}
513			}
514

OAuth2-Framework / oauth2-framework

Push — ng ( 8b0de7...c3dfca )

ClientAssertionJwtAuthenticationMethodTest A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

23 Methods

Duplication Side-by-Side

Filter issues like