diff --git a/api/components/OAuth2/Entities/UserEntity.php b/api/components/OAuth2/Entities/UserEntity.php new file mode 100644 index 0000000..9101263 --- /dev/null +++ b/api/components/OAuth2/Entities/UserEntity.php @@ -0,0 +1,16 @@ +identifier = $id; + } + +} diff --git a/api/modules/oauth/models/OauthProcess.php b/api/modules/oauth/models/OauthProcess.php index d7d6461..5ed5c89 100644 --- a/api/modules/oauth/models/OauthProcess.php +++ b/api/modules/oauth/models/OauthProcess.php @@ -3,6 +3,7 @@ declare(strict_types=1); namespace api\modules\oauth\models; +use api\components\OAuth2\Entities\UserEntity; use api\rbac\Permissions as P; use common\models\Account; use common\models\OauthClient; @@ -105,6 +106,7 @@ class OauthProcess { } } + $authRequest->setUser(new UserEntity($account->id)); $responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200)); $response = [ diff --git a/api/tests/functional/oauth/AuthCodeCest.php b/api/tests/functional/oauth/AuthCodeCest.php index cab2d35..cdbae07 100644 --- a/api/tests/functional/oauth/AuthCodeCest.php +++ b/api/tests/functional/oauth/AuthCodeCest.php @@ -3,100 +3,19 @@ declare(strict_types=1); namespace api\tests\functional\oauth; -use api\rbac\Permissions as P; -use api\tests\_pages\OauthRoute; use api\tests\FunctionalTester; class AuthCodeCest { - /** - * @var OauthRoute - */ - private $route; - - public function _before(FunctionalTester $I) { - $this->route = new OauthRoute($I); - } - - public function testValidateRequest(FunctionalTester $I) { - $this->testOauthParamsValidation($I, 'validate'); - } - - public function testCompleteValidationAction(FunctionalTester $I) { - $I->amAuthenticated(); - $I->wantTo('validate all oAuth params on complete request'); - $this->testOauthParamsValidation($I, 'complete'); - } - - public function testCompleteActionOnWrongConditions(FunctionalTester $I) { - $I->amAuthenticated(); - - $I->wantTo('get accept_required if I don\'t require any scope, but this is first time request'); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code' - )); - $I->canSeeResponseCodeIs(401); - $I->canSeeResponseContainsJson([ - 'success' => false, - 'error' => 'accept_required', - 'parameter' => '', - 'statusCode' => 401, - ]); - - $I->wantTo('get accept_required if I require some scopes on first time'); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code', - [P::MINECRAFT_SERVER_SESSION] - )); - $I->canSeeResponseCodeIs(401); - $I->canSeeResponseContainsJson([ - 'success' => false, - 'error' => 'accept_required', - 'parameter' => '', - 'statusCode' => 401, - ]); - } - - public function testCompleteActionSuccess(FunctionalTester $I) { + public function completeSuccess(FunctionalTester $I) { $I->amAuthenticated(); $I->wantTo('get auth code if I require some scope and pass accept field'); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code', - [P::MINECRAFT_SERVER_SESSION] - ), ['accept' => true]); - $I->canSeeResponseCodeIs(200); - $I->canSeeResponseContainsJson([ - 'success' => true, - ]); - $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); - - $I->wantTo('get auth code if I don\'t require any scope and don\'t pass accept field, but previously have ' . - 'successful request'); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code' - )); - $I->canSeeResponseCodeIs(200); - $I->canSeeResponseContainsJson([ - 'success' => true, - ]); - $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); - - $I->wantTo('get auth code if I require some scopes and don\'t pass accept field, but previously have successful ' . - 'request with same scopes'); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code', - [P::MINECRAFT_SERVER_SESSION] - )); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session', + ]), ['accept' => true]); $I->canSeeResponseCodeIs(200); $I->canSeeResponseContainsJson([ 'success' => true, @@ -104,21 +23,93 @@ class AuthCodeCest { $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); } - public function testAcceptRequiredOnNewScope(FunctionalTester $I) { + /** + * @before completeSuccess + */ + public function completeSuccessWithLessScopes(FunctionalTester $I) { + $I->amAuthenticated(); + $I->wantTo('get auth code with less scopes as passed in the previous request without accept param'); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + ])); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); + } + + /** + * @before completeSuccess + */ + public function completeSuccessWithSameScopes(FunctionalTester $I) { + $I->amAuthenticated(); + $I->wantTo('get auth code with the same scopes as passed in the previous request without accept param'); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session', + ])); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); + } + + public function acceptRequiredOnFirstAuthRequest1(FunctionalTester $I) { + $I->amAuthenticated(); + $I->wantTo('get accept_required if I don\'t require any scope, but this is first time request'); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + ])); + $I->canSeeResponseCodeIs(401); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'error' => 'accept_required', + 'parameter' => '', + 'statusCode' => 401, + ]); + } + + public function acceptRequiredOnFirstAuthRequest2(FunctionalTester $I) { + $I->amAuthenticated(); + $I->wantTo('get accept_required if I require some scopes on first time'); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session', + ])); + $I->canSeeResponseCodeIs(401); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'error' => 'accept_required', + 'parameter' => '', + 'statusCode' => 401, + ]); + } + + public function acceptRequiredOnNewScope(FunctionalTester $I) { $I->amAuthenticated(); $I->wantTo('get accept_required if I have previous successful request, but now require some new scope'); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code', - [P::MINECRAFT_SERVER_SESSION] - ), ['accept' => true]); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code', - [P::MINECRAFT_SERVER_SESSION, 'account_info'] - )); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session', + ]), ['accept' => true]); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session account_info', + ])); $I->canSeeResponseCodeIs(401); $I->canSeeResponseContainsJson([ 'success' => false, @@ -131,12 +122,12 @@ class AuthCodeCest { public function testCompleteActionWithDismissState(FunctionalTester $I) { $I->amAuthenticated(); $I->wantTo('get access_denied error if I pass accept in false state'); - $this->route->complete($this->buildQueryParams( - 'ely', - 'http://ely.by', - 'code', - [P::MINECRAFT_SERVER_SESSION] - ), ['accept' => false]); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session', + ]), ['accept' => false]); $I->canSeeResponseCodeIs(401); $I->canSeeResponseContainsJson([ 'success' => false, @@ -147,56 +138,14 @@ class AuthCodeCest { $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); } - private function buildQueryParams( - $clientId = null, - $redirectUri = null, - $responseType = null, - $scopes = [], - $state = null, - $customData = [] - ) { - $params = $customData; - if ($clientId !== null) { - $params['client_id'] = $clientId; - } - - if ($redirectUri !== null) { - $params['redirect_uri'] = $redirectUri; - } - - if ($responseType !== null) { - $params['response_type'] = $responseType; - } - - if ($state !== null) { - $params['state'] = $state; - } - - if (!empty($scopes)) { - if (is_array($scopes)) { - $scopes = implode(',', $scopes); - } - - $params['scope'] = $scopes; - } - - return $params; - } - - private function testOauthParamsValidation(FunctionalTester $I, $action) { - $I->wantTo('check behavior on invalid request without one or few params'); - $this->route->$action($this->buildQueryParams()); - $I->canSeeResponseCodeIs(400); - $I->canSeeResponseIsJson(); - $I->canSeeResponseContainsJson([ - 'success' => false, - 'error' => 'invalid_request', - 'parameter' => 'client_id', - 'statusCode' => 400, - ]); - + public function invalidClientId(FunctionalTester $I) { + $I->amAuthenticated(); $I->wantTo('check behavior on invalid client id'); - $this->route->$action($this->buildQueryParams('non-exists-client', 'http://some-resource.by', 'code')); + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'non-exists-client', + 'redirect_uri' => 'http://some-resource.by', + 'response_type' => 'code', + ])); $I->canSeeResponseCodeIs(401); $I->canSeeResponseIsJson(); $I->canSeeResponseContainsJson([ @@ -204,23 +153,16 @@ class AuthCodeCest { 'error' => 'invalid_client', 'statusCode' => 401, ]); + } - $I->wantTo('check behavior on invalid response type'); - $this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'kitty')); - $I->canSeeResponseCodeIs(400); - $I->canSeeResponseIsJson(); - $I->canSeeResponseContainsJson([ - 'success' => false, - 'error' => 'unsupported_response_type', - 'parameter' => 'kitty', - 'statusCode' => 400, - ]); - $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); - + public function invalidScopes(FunctionalTester $I) { + $I->amAuthenticated(); $I->wantTo('check behavior on some invalid scopes'); - $this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'code', [ - P::MINECRAFT_SERVER_SESSION, - 'some_wrong_scope', + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session some_wrong_scope', ])); $I->canSeeResponseCodeIs(400); $I->canSeeResponseIsJson(); @@ -231,18 +173,23 @@ class AuthCodeCest { 'statusCode' => 400, ]); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); + } + public function requestInternalScope(FunctionalTester $I) { + $I->amAuthenticated(); $I->wantTo('check behavior on request internal scope'); - $this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'code', [ - P::MINECRAFT_SERVER_SESSION, - P::BLOCK_ACCOUNT, + $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session block_account', ])); $I->canSeeResponseCodeIs(400); $I->canSeeResponseIsJson(); $I->canSeeResponseContainsJson([ 'success' => false, 'error' => 'invalid_scope', - 'parameter' => P::BLOCK_ACCOUNT, + 'parameter' => 'block_account', 'statusCode' => 400, ]); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); diff --git a/api/tests/functional/oauth/ValidateCest.php b/api/tests/functional/oauth/ValidateCest.php index e021422..9769f92 100644 --- a/api/tests/functional/oauth/ValidateCest.php +++ b/api/tests/functional/oauth/ValidateCest.php @@ -7,8 +7,6 @@ use api\tests\FunctionalTester; class ValidateCest { - // TODO: validate case, when scopes are passed with commas - public function completelyValidateValidRequest(FunctionalTester $I) { $I->wantTo('validate and obtain information about new oauth request'); $I->sendGET('/api/oauth2/v1/validate', [ @@ -59,4 +57,57 @@ class ValidateCest { ]); } + public function unknownClientId(FunctionalTester $I) { + $I->wantTo('check behavior on invalid client id'); + $I->sendGET('/api/oauth2/v1/validate', [ + 'client_id' => 'non-exists-client', + 'redirect_uri' => 'http://some-resource.by', + 'response_type' => 'code', + ]); + $I->canSeeResponseCodeIs(401); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'error' => 'invalid_client', + 'statusCode' => 401, + ]); + } + + public function invalidScopes(FunctionalTester $I) { + $I->wantTo('check behavior on some invalid scopes'); + $I->sendGET('/api/oauth2/v1/validate', [ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session some_wrong_scope', + ]); + $I->canSeeResponseCodeIs(400); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'error' => 'invalid_scope', + 'parameter' => 'some_wrong_scope', + 'statusCode' => 400, + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); + } + + public function requestInternalScope(FunctionalTester $I) { + $I->wantTo('check behavior on request internal scope'); + $I->sendGET('/api/oauth2/v1/validate', [ + 'client_id' => 'ely', + 'redirect_uri' => 'http://ely.by', + 'response_type' => 'code', + 'scope' => 'minecraft_server_session block_account', + ]); + $I->canSeeResponseCodeIs(400); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'error' => 'invalid_scope', + 'parameter' => 'block_account', + 'statusCode' => 400, + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); + } + }