<?php
declare(strict_types=1);
/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */
namespace OAuth2Framework\SecurityBundle\Tests\Functional\Security;
use OAuth2Framework\Component\Core\AccessToken\AccessToken;
use OAuth2Framework\Component\Core\AccessToken\AccessTokenId;
use OAuth2Framework\Component\Core\Client\ClientId;
use OAuth2Framework\Component\Core\DataBag\DataBag;
use OAuth2Framework\Component\Core\ResourceServer\ResourceServerId;
use OAuth2Framework\Component\Core\UserAccount\UserAccountId;
use OAuth2Framework\SecurityBundle\Tests\TestBundle\Service\AccessTokenHandler;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
/**
 * @group Firewall
 */
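class SecurityBundleTest extends WebTestCase
{
    /**
     * A request carrying no Authorization header at all reaches the route and is
     * answered with the plain JSON greeting, i.e. the route is reachable anonymously.
     *
     * @test
     */
    public function anApiRequestWithoutAccessTokenIsReceived(): void
    {
        $client = static::createClient();
        $client->request('GET', '/api/hello/World');
        $response = $client->getResponse();
        self::assertEquals(200, $response->getStatusCode());
        self::assertEquals('{"name":"World","message":"Hello World!"}', $response->getContent());
    }

    /**
     * An Authorization header with a scheme the firewall does not handle ("POP") is not
     * treated as an error: the response is identical to the anonymous request above
     * (same 200 and the same body).
     *
     * NOTE(review): this pins "unknown scheme behaves like no credentials" on a route that
     * is reachable anonymously anyway; it says nothing about how a protected route reacts
     * to such a header.
     *
     * @test
     */
    public function anApiRequestIsReceivedWithAnUnsupportedTokenType(): void
    {
        $client = static::createClient();
        $client->request('GET', '/api/hello/World', [], [], ['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'POP UNKNOWN_ACCESS_TOKEN_ID']);
        $response = $client->getResponse();
        self::assertEquals(200, $response->getStatusCode());
        self::assertEquals('{"name":"World","message":"Hello World!"}', $response->getContent());
    }

    /**
     * A Bearer token that was never registered with the handler is rejected with 401.
     * The body is empty; the realm and the error details travel only in the
     * WWW-Authenticate challenge header, which is what this test pins.
     *
     * @test
     */
    public function anApiRequestIsReceivedButTheTokenDoesNotExist(): void
    {
        $client = static::createClient();
        $client->request('GET', '/api/hello/World', [], [], ['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Bearer UNKNOWN_ACCESS_TOKEN_ID']);
        $response = $client->getResponse();
        self::assertEquals(401, $response->getStatusCode());
        self::assertEquals('', $response->getContent());
        self::assertTrue($response->headers->has('www-authenticate'));
        self::assertEquals('Bearer realm="Protected API",error="access_denied",error_description="OAuth2 authentication required. Invalid access token."', $response->headers->get('www-authenticate'));
    }

    /**
     * A registered token whose scope is only "openid" is refused on a route that expects
     * "profile openid": 403, with the required scope spelled out in the JSON body.
     *
     * NOTE(review): RFC 6750 section 3.1 calls this condition "insufficient_scope"; the
     * bundle reports it as "access_denied" and this assertion pins that wording.
     *
     * @test
     */
    public function anApiRequestIsReceivedButTheTokenDoesNotHaveTheRequiredScope(): void
    {
        $client = static::createClient();
        /** @var AccessTokenHandler $accessTokenHandler */
        $accessTokenHandler = $client->getContainer()->get(AccessTokenHandler::class);
        $this->saveBearerToken($accessTokenHandler, 'ACCESS_TOKEN_WITH_INSUFFICIENT_SCOPE');

        $client->request('GET', '/api/hello-profile', [], [], ['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Bearer ACCESS_TOKEN_WITH_INSUFFICIENT_SCOPE']);
        $response = $client->getResponse();
        self::assertEquals(403, $response->getStatusCode());
        self::assertEquals('{"scope":"profile openid","error":"access_denied","error_description":"Insufficient scope. The required scope is \"profile openid\""}', $response->getContent());
    }

    /**
     * A registered Bearer token is refused on a route that only accepts the MAC token
     * type: 403, and the body names the scheme the route expects instead.
     *
     * @test
     */
    public function anApiRequestIsReceivedButTheTokenTypeIsNotAllowed(): void
    {
        $client = static::createClient();
        /** @var AccessTokenHandler $accessTokenHandler */
        $accessTokenHandler = $client->getContainer()->get(AccessTokenHandler::class);
        $this->saveBearerToken($accessTokenHandler, 'ACCESS_TOKEN_WITH_BAD_TOKEN_TYPE');

        $client->request('GET', '/api/hello-token', [], [], ['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Bearer ACCESS_TOKEN_WITH_BAD_TOKEN_TYPE']);
        $response = $client->getResponse();
        self::assertEquals(403, $response->getStatusCode());
        self::assertEquals('{"error":"access_denied","error_description":"Token type \"Bearer\" not allowed. Please use \"MAC\""}', $response->getContent());
    }

    /**
     * A registered Bearer token presented to the resolver route is accepted (200) and the
     * route echoes the resolved token, so the body must equal the JSON encoding of the
     * very object that was persisted.
     *
     * @test
     */
    public function aValidApiRequestIsReceivedAndTheAccessTokenResolverIsUsed(): void
    {
        $client = static::createClient();
        /** @var AccessTokenHandler $accessTokenHandler */
        $accessTokenHandler = $client->getContainer()->get(AccessTokenHandler::class);
        $accessToken = $this->saveBearerToken($accessTokenHandler, 'VALID_ACCESS_TOKEN');

        $client->request('GET', '/api/hello-resolver', [], [], ['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Bearer VALID_ACCESS_TOKEN']);
        $response = $client->getResponse();
        self::assertEquals(200, $response->getStatusCode());
        self::assertEquals(json_encode($accessToken), $response->getContent());
    }

    /**
     * Builds the one token shape every test here relies on — token type "Bearer", scope
     * "openid", bound to the fixture user account, client and resource server, with a
     * timestamp one hour ahead (presumably its expiry) — and registers it with the
     * handler so a request can present it by identifier.
     *
     * @param AccessTokenHandler $accessTokenHandler handler taken from the test container
     * @param string             $accessTokenId      identifier the Authorization header will carry
     *
     * @return AccessToken the persisted token, for callers that compare it with a response
     */
    private function saveBearerToken(AccessTokenHandler $accessTokenHandler, string $accessTokenId): AccessToken
    {
        $accessToken = AccessToken::createEmpty()->create(
            AccessTokenId::create($accessTokenId),
            UserAccountId::create('USER_ACCOUNT_ID'),
            ClientId::create('CLIENT_ID'),
            DataBag::create([
                'token_type' => 'Bearer',
                'scope' => 'openid',
            ]),
            DataBag::create([]),
            new \DateTimeImmutable('now +1 hour'),
            ResourceServerId::create('RESOURCE_SERVER_ID')
        );
        $accessTokenHandler->save($accessToken);

        return $accessToken;
    }
}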