ElyBy-Mirror/accounts
1
0
Fork 0
mirror of https://github.com/elyby/accounts.git synced 2025-05-31 14:11:46 +05:30
Code Issues Packages Projects Releases Wiki Activity

Upgrade oauth2-server to 8.0.0 version, rewrite repositories and entities, start rewriting tests. Intermediate commit [skip ci]

Browse Source
This commit is contained in:
ErickSkrauch
2019-08-23 11:28:04 +03:00
parent 23a220637c
commit 0b63dc2d84
33 changed files with 604 additions and 363 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
api/components/OAuth2/Repositories/AccessTokenRepository.php Normal file
View File

@@ -0,0 +1,56 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Repositories;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
class AccessTokenRepository implements AccessTokenRepositoryInterface {
/**
* Create a new access token
*
* @param ClientEntityInterface $clientEntity
* @param \League\OAuth2\Server\Entities\ScopeEntityInterface $scopes
* @param mixed $userIdentifier
*
* @return AccessTokenEntityInterface
*/
public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null) {
// TODO: Implement getNewToken() method.
}
/**
* Persists a new access token to permanent storage.
*
* @param AccessTokenEntityInterface $accessTokenEntity
*
* @throws \League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException
*/
public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity) {
// TODO: Implement persistNewAccessToken() method.
}
/**
* Revoke an access token.
*
* @param string $tokenId
*/
public function revokeAccessToken($tokenId) {
// TODO: Implement revokeAccessToken() method.
}
/**
* Check if the access token has been revoked.
*
* @param string $tokenId
*
* @return bool Return true if this token has been revoked
*/
public function isAccessTokenRevoked($tokenId) {
// TODO: Implement isAccessTokenRevoked() method.
}
}

70
api/components/OAuth2/Repositories/AccessTokenStorage.php Normal file
View File

@@ -0,0 +1,70 @@
<?php
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\AccessTokenEntity;
use common\components\Redis\Key;
use common\components\Redis\Set;
use League\OAuth2\Server\Entity\AccessTokenEntity as OriginalAccessTokenEntity;
use League\OAuth2\Server\Entity\ScopeEntity;
use League\OAuth2\Server\Storage\AbstractStorage;
use League\OAuth2\Server\Storage\AccessTokenInterface;
use yii\helpers\Json;
class AccessTokenStorage extends AbstractStorage implements AccessTokenInterface {
public $dataTable = 'oauth_access_tokens';
public function get($token) {
$result = Json::decode((new Key($this->dataTable, $token))->getValue());
if ($result === null) {
return null;
}
$token = new AccessTokenEntity($this->server);
$token->setId($result['id']);
$token->setExpireTime($result['expire_time']);
$token->setSessionId($result['session_id']);
return $token;
}
public function getScopes(OriginalAccessTokenEntity $token) {
$scopes = $this->scopes($token->getId());
$entities = [];
foreach ($scopes as $scope) {
if ($this->server->getScopeStorage()->get($scope) !== null) {
$entities[] = (new ScopeEntity($this->server))->hydrate(['id' => $scope]);
}
}
return $entities;
}
public function create($token, $expireTime, $sessionId) {
$payload = Json::encode([
'id' => $token,
'expire_time' => $expireTime,
'session_id' => $sessionId,
]);
$this->key($token)->setValue($payload)->expireAt($expireTime);
}
public function associateScope(OriginalAccessTokenEntity $token, ScopeEntity $scope) {
$this->scopes($token->getId())->add($scope->getId())->expireAt($token->getExpireTime());
}
public function delete(OriginalAccessTokenEntity $token) {
$this->key($token->getId())->delete();
$this->scopes($token->getId())->delete();
}
private function key(string $token): Key {
return new Key($this->dataTable, $token);
}
private function scopes(string $token): Set {
return new Set($this->dataTable, $token, 'scopes');
}
}

26
api/components/OAuth2/Repositories/AuthCodeRepository.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\AuthCodeEntity;
use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
class AuthCodeRepository implements AuthCodeRepositoryInterface {
public function getNewAuthCode(): AuthCodeEntityInterface {
return new AuthCodeEntity();
}
public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void {
}
public function revokeAuthCode($codeId): void {
}
public function isAuthCodeRevoked($codeId): bool {
return false;
}
}

72
api/components/OAuth2/Repositories/AuthCodeStorage.php Normal file
View File

@@ -0,0 +1,72 @@
<?php
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\AuthCodeEntity;
use common\components\Redis\Key;
use common\components\Redis\Set;
use League\OAuth2\Server\Entity\AuthCodeEntity as OriginalAuthCodeEntity;
use League\OAuth2\Server\Entity\ScopeEntity;
use League\OAuth2\Server\Storage\AbstractStorage;
use League\OAuth2\Server\Storage\AuthCodeInterface;
use yii\helpers\Json;
class AuthCodeStorage extends AbstractStorage implements AuthCodeInterface {
public $dataTable = 'oauth_auth_codes';
public function get($code) {
$result = Json::decode((new Key($this->dataTable, $code))->getValue());
if ($result === null) {
return null;
}
$entity = new AuthCodeEntity($this->server);
$entity->setId($result['id']);
$entity->setExpireTime($result['expire_time']);
$entity->setSessionId($result['session_id']);
$entity->setRedirectUri($result['client_redirect_uri']);
return $entity;
}
public function create($token, $expireTime, $sessionId, $redirectUri) {
$payload = Json::encode([
'id' => $token,
'expire_time' => $expireTime,
'session_id' => $sessionId,
'client_redirect_uri' => $redirectUri,
]);
$this->key($token)->setValue($payload)->expireAt($expireTime);
}
public function getScopes(OriginalAuthCodeEntity $token) {
$scopes = $this->scopes($token->getId());
$scopesEntities = [];
foreach ($scopes as $scope) {
if ($this->server->getScopeStorage()->get($scope) !== null) {
$scopesEntities[] = (new ScopeEntity($this->server))->hydrate(['id' => $scope]);
}
}
return $scopesEntities;
}
public function associateScope(OriginalAuthCodeEntity $token, ScopeEntity $scope) {
$this->scopes($token->getId())->add($scope->getId())->expireAt($token->getExpireTime());
}
public function delete(OriginalAuthCodeEntity $token) {
$this->key($token->getId())->delete();
$this->scopes($token->getId())->delete();
}
private function key(string $token): Key {
return new Key($this->dataTable, $token);
}
private function scopes(string $token): Set {
return new Set($this->dataTable, $token, 'scopes');
}
}

41
api/components/OAuth2/Repositories/ClientRepository.php Normal file
View File

@@ -0,0 +1,41 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ClientEntity;
use common\models\OauthClient;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
class ClientRepository implements ClientRepositoryInterface {
public function getClientEntity($clientId): ?ClientEntityInterface {
$client = $this->findModel($clientId);
if ($client === null) {
return null;
}
return new ClientEntity($client->id, $client->name, $client->redirect_uri, (bool)$client->is_trusted);
}
public function validateClient($clientId, $clientSecret, $grantType): bool {
$client = $this->findModel($clientId);
if ($client === null) {
return false;
}
if ($clientSecret !== null && $clientSecret !== $client->secret) {
return false;
}
// TODO: there is missing behavior of checking redirectUri. Is it now bundled into grant?
return true;
}
private function findModel(string $id): ?OauthClient {
return OauthClient::findOne(['id' => $id]);
}
}

80
api/components/OAuth2/Repositories/ClientStorage.php Normal file
View File

@@ -0,0 +1,80 @@
<?php
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ClientEntity;
use api\components\OAuth2\Entities\SessionEntity;
use common\models\OauthClient;
use League\OAuth2\Server\Entity\SessionEntity as OriginalSessionEntity;
use League\OAuth2\Server\Storage\AbstractStorage;
use League\OAuth2\Server\Storage\ClientInterface;
use yii\helpers\StringHelper;
class ClientStorage extends AbstractStorage implements ClientInterface {
private const REDIRECT_STATIC_PAGE = 'static_page';
private const REDIRECT_STATIC_PAGE_WITH_CODE = 'static_page_with_code';
/**
* @inheritdoc
*/
public function get($clientId, $clientSecret = null, $redirectUri = null, $grantType = null) {
$model = $this->findClient($clientId);
if ($model === null) {
return null;
}
if ($clientSecret !== null && $clientSecret !== $model->secret) {
return null;
}
// TODO: should check application type
// For "desktop" app type redirect_uri is not required and should be by default set
// to the static redirect, but for "site" it's required always.
if ($redirectUri !== null) {
if (in_array($redirectUri, [self::REDIRECT_STATIC_PAGE, self::REDIRECT_STATIC_PAGE_WITH_CODE], true)) {
// I think we should check the type of application here
} else {
if (!StringHelper::startsWith($redirectUri, $model->redirect_uri, false)) {
return null;
}
}
}
$entity = $this->hydrate($model);
$entity->setRedirectUri($redirectUri);
return $entity;
}
/**
* @inheritdoc
*/
public function getBySession(OriginalSessionEntity $session) {
if (!$session instanceof SessionEntity) {
throw new \ErrorException('This module assumes that $session typeof ' . SessionEntity::class);
}
$model = $this->findClient($session->getClientId());
if ($model === null) {
return null;
}
return $this->hydrate($model);
}
private function hydrate(OauthClient $model): ClientEntity {
$entity = new ClientEntity($this->server);
$entity->setId($model->id);
$entity->setName($model->name);
$entity->setSecret($model->secret);
$entity->setIsTrusted($model->is_trusted);
$entity->setRedirectUri($model->redirect_uri);
return $entity;
}
private function findClient(string $clientId): ?OauthClient {
return OauthClient::findOne($clientId);
}
}

51
api/components/OAuth2/Repositories/RefreshTokenRepository.php Normal file
View File

@@ -0,0 +1,51 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Repositories;
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
class RefreshTokenRepository implements RefreshTokenRepositoryInterface {
/**
* Creates a new refresh token
*
* @return RefreshTokenEntityInterface|null
*/
public function getNewRefreshToken(): RefreshTokenEntityInterface {
// TODO: Implement getNewRefreshToken() method.
}
/**
* Create a new refresh token_name.
*
* @param RefreshTokenEntityInterface $refreshTokenEntity
*
* @throws \League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException
*/
public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity) {
// TODO: Implement persistNewRefreshToken() method.
}
/**
* Revoke the refresh token.
*
* @param string $tokenId
*/
public function revokeRefreshToken($tokenId) {
// TODO: Implement revokeRefreshToken() method.
}
/**
* Check if the refresh token has been revoked.
*
* @param string $tokenId
*
* @return bool Return true if this token has been revoked
*/
public function isRefreshTokenRevoked($tokenId) {
// TODO: Implement isRefreshTokenRevoked() method.
}
}

63
api/components/OAuth2/Repositories/RefreshTokenStorage.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\RefreshTokenEntity;
use common\components\Redis\Key;
use common\components\Redis\Set;
use common\models\OauthSession;
use ErrorException;
use League\OAuth2\Server\Entity\RefreshTokenEntity as OriginalRefreshTokenEntity;
use League\OAuth2\Server\Storage\AbstractStorage;
use League\OAuth2\Server\Storage\RefreshTokenInterface;
use Yii;
use yii\helpers\Json;
class RefreshTokenStorage extends AbstractStorage implements RefreshTokenInterface {
public $dataTable = 'oauth_refresh_tokens';
public function get($token) {
$result = Json::decode((new Key($this->dataTable, $token))->getValue());
if ($result === null) {
return null;
}
$entity = new RefreshTokenEntity($this->server);
$entity->setId($result['id']);
$entity->setAccessTokenId($result['access_token_id']);
$entity->setSessionId($result['session_id']);
return $entity;
}
public function create($token, $expireTime, $accessToken) {
$sessionId = $this->server->getAccessTokenStorage()->get($accessToken)->getSession()->getId();
$payload = Json::encode([
'id' => $token,
'access_token_id' => $accessToken,
'session_id' => $sessionId,
]);
$this->key($token)->setValue($payload);
$this->sessionHash($sessionId)->add($token);
}
public function delete(OriginalRefreshTokenEntity $token) {
if (!$token instanceof RefreshTokenEntity) {
throw new ErrorException('Token must be instance of ' . RefreshTokenEntity::class);
}
$this->key($token->getId())->delete();
$this->sessionHash($token->getSessionId())->remove($token->getId());
}
public function sessionHash(string $sessionId): Set {
$tableName = Yii::$app->db->getSchema()->getRawTableName(OauthSession::tableName());
return new Set($tableName, $sessionId, 'refresh_tokens');
}
private function key(string $token): Key {
return new Key($this->dataTable, $token);
}
}

37
api/components/OAuth2/Repositories/ScopeRepository.php Normal file
View File

@@ -0,0 +1,37 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ScopeEntity;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
class ScopeRepository implements ScopeRepositoryInterface {
public function getScopeEntityByIdentifier($identifier): ?ScopeEntityInterface {
// TODO: validate not exists scopes
return new ScopeEntity($identifier);
}
/**
* Given a client, grant type and optional user identifier validate the set of scopes requested are valid and optionally
* append additional scopes or remove requested scopes.
*
* @param ScopeEntityInterface $scopes
* @param string $grantType
* @param \League\OAuth2\Server\Entities\ClientEntityInterface $clientEntity
* @param null|string $userIdentifier
*
* @return ScopeEntityInterface
*/
public function finalizeScopes(
array $scopes,
$grantType,
\League\OAuth2\Server\Entities\ClientEntityInterface $clientEntity,
$userIdentifier = null
): array {
// TODO: Implement finalizeScopes() method.
}
}

93
api/components/OAuth2/Repositories/ScopeStorage.php Normal file
View File

@@ -0,0 +1,93 @@
<?php
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\ClientEntity;
use api\components\OAuth2\Entities\ScopeEntity;
use api\rbac\Permissions as P;
use Assert\Assert;
use League\OAuth2\Server\Storage\AbstractStorage;
use League\OAuth2\Server\Storage\ScopeInterface;
class ScopeStorage extends AbstractStorage implements ScopeInterface {
public const OFFLINE_ACCESS = 'offline_access';
public const CHANGE_SKIN = 'change_skin';
private const PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS = [
'account_info' => P::OBTAIN_OWN_ACCOUNT_INFO,
'account_email' => P::OBTAIN_ACCOUNT_EMAIL,
'account_block' => P::BLOCK_ACCOUNT,
'internal_account_info' => P::OBTAIN_EXTENDED_ACCOUNT_INFO,
];
private const AUTHORIZATION_CODE_PERMISSIONS = [
P::OBTAIN_OWN_ACCOUNT_INFO,
P::OBTAIN_ACCOUNT_EMAIL,
P::MINECRAFT_SERVER_SESSION,
self::OFFLINE_ACCESS,
self::CHANGE_SKIN,
];
private const CLIENT_CREDENTIALS_PERMISSIONS = [
];
private const CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL = [
P::CHANGE_ACCOUNT_USERNAME,
P::CHANGE_ACCOUNT_PASSWORD,
P::BLOCK_ACCOUNT,
P::OBTAIN_EXTENDED_ACCOUNT_INFO,
P::ESCAPE_IDENTITY_VERIFICATION,
];
/**
* @param string $scope
* @param string $grantType is passed on if called from the grant.
* In this case, you only need to filter out the rights that you can get on this grant.
* @param string $clientId
*
* @return ScopeEntity|null
*/
public function get($scope, $grantType = null, $clientId = null): ?ScopeEntity {
$permission = $this->convertToInternalPermission($scope);
if ($grantType === 'authorization_code') {
$permissions = self::AUTHORIZATION_CODE_PERMISSIONS;
} elseif ($grantType === 'client_credentials') {
$permissions = self::CLIENT_CREDENTIALS_PERMISSIONS;
$isTrusted = false;
if ($clientId !== null) {
/** @var ClientEntity $client */
$client = $this->server->getClientStorage()->get($clientId);
Assert::that($client)->isInstanceOf(ClientEntity::class);
/** @noinspection NullPointerExceptionInspection */
$isTrusted = $client->isTrusted();
}
if ($isTrusted) {
$permissions = array_merge($permissions, self::CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL);
}
} else {
$permissions = array_merge(
self::AUTHORIZATION_CODE_PERMISSIONS,
self::CLIENT_CREDENTIALS_PERMISSIONS,
self::CLIENT_CREDENTIALS_PERMISSIONS_INTERNAL
);
}
if (!in_array($permission, $permissions, true)) {
return null;
}
$entity = new ScopeEntity($this->server);
$entity->setId($permission);
return $entity;
}
private function convertToInternalPermission(string $publicScope): string {
return self::PUBLIC_SCOPES_TO_INTERNAL_PERMISSIONS[$publicScope] ?? $publicScope;
}
}

97
api/components/OAuth2/Repositories/SessionStorage.php Normal file
View File

@@ -0,0 +1,97 @@
<?php
namespace api\components\OAuth2\Repositories;
use api\components\OAuth2\Entities\AuthCodeEntity;
use api\components\OAuth2\Entities\SessionEntity;
use common\models\OauthSession;
use ErrorException;
use League\OAuth2\Server\Entity\AccessTokenEntity as OriginalAccessTokenEntity;
use League\OAuth2\Server\Entity\AuthCodeEntity as OriginalAuthCodeEntity;
use League\OAuth2\Server\Entity\ScopeEntity;
use League\OAuth2\Server\Entity\SessionEntity as OriginalSessionEntity;
use League\OAuth2\Server\Storage\AbstractStorage;
use League\OAuth2\Server\Storage\SessionInterface;
use yii\db\Exception;
class SessionStorage extends AbstractStorage implements SessionInterface {
/**
* @param string $sessionId
* @return SessionEntity|null
*/
public function getById($sessionId) {
return $this->hydrate($this->getSessionModel($sessionId));
}
public function getByAccessToken(OriginalAccessTokenEntity $accessToken) {
throw new ErrorException('This method is not implemented and should not be used');
}
public function getByAuthCode(OriginalAuthCodeEntity $authCode) {
if (!$authCode instanceof AuthCodeEntity) {
throw new ErrorException('This module assumes that $authCode typeof ' . AuthCodeEntity::class);
}
return $this->getById($authCode->getSessionId());
}
public function getScopes(OriginalSessionEntity $session) {
$result = [];
foreach ($this->getSessionModel($session->getId())->getScopes() as $scope) {
if ($this->server->getScopeStorage()->get($scope) !== null) {
$result[] = (new ScopeEntity($this->server))->hydrate(['id' => $scope]);
}
}
return $result;
}
public function create($ownerType, $ownerId, $clientId, $clientRedirectUri = null) {
$sessionId = OauthSession::find()
->select('id')
->andWhere([
'client_id' => $clientId,
'owner_type' => $ownerType,
'owner_id' => (string)$ownerId, // Casts as a string to make the indexes work, because the varchar field
])->scalar();
if ($sessionId === false) {
$model = new OauthSession();
$model->client_id = $clientId;
$model->owner_type = $ownerType;
$model->owner_id = $ownerId;
$model->client_redirect_uri = $clientRedirectUri;
if (!$model->save()) {
throw new Exception('Cannot save ' . OauthSession::class . ' model.');
}
$sessionId = $model->id;
}
return $sessionId;
}
public function associateScope(OriginalSessionEntity $session, ScopeEntity $scope) {
$this->getSessionModel($session->getId())->getScopes()->add($scope->getId());
}
private function getSessionModel(string $sessionId): OauthSession {
$session = OauthSession::findOne($sessionId);
if ($session === null) {
throw new ErrorException('Cannot find oauth session');
}
return $session;
}
private function hydrate(OauthSession $sessionModel) {
$entity = new SessionEntity($this->server);
$entity->setId($sessionModel->id);
$entity->setClientId($sessionModel->client_id);
$entity->setOwner($sessionModel->owner_type, $sessionModel->owner_id);
return $entity;
}
}