New property on AuthorizationServer to receive an encryption key which is used for future encryption/decryption instead of key-based encryption/decryption
This commit is contained in:
parent
4a717104fa
commit
1af4012df4
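--- a/PATH_NOT_SHOWN/composer.json
+++ b/PATH_NOT_SHOWN/composer.json
@@ -9,7 +9,8 @@
 "league/event": "^2.1",
 "lcobucci/jwt": "^3.1",
 "paragonie/random_compat": "^1.1 || ^2.0",
-"psr/http-message": "^1.0"
+"psr/http-message": "^1.0",
+"defuse/php-encryption": "^2.1"
 },
 "require-dev": {
 "phpunit/phpunit": "^4.8 || ^5.0",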
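--- a/PATH_NOT_SHOWN/AuthorizationServer.php
+++ b/PATH_NOT_SHOWN/AuthorizationServer.php
@@ -26,6 +26,8 @@ class AuthorizationServer implements EmitterAwareInterface
 {
 use EmitterAwareTrait;
 
+const ENCRYPTION_KEY_ERROR = 'You must set the encryption key going forward to improve the security of this library - see this page for more information https://xxxx/xxxx';
+
 /**
 * @var GrantTypeInterface[]
 */
@@ -66,6 +68,11 @@ class AuthorizationServer implements EmitterAwareInterface
 */
 private $scopeRepository;
 
+/**
+* @var string
+*/
+private $encryptionKey;
+
 /**
 * New server instance.
 *
@@ -101,6 +108,16 @@ class AuthorizationServer implements EmitterAwareInterface
 $this->responseType = $responseType;
 }
 
+/**
+* Set the encryption key
+*
+* @param string $key
+*/
+public function setEncryptionKey($key)
+{
+$this->encryptionKey = $key;
+}
+
 /**
 * Enable a grant type on the server.
 *
@@ -120,6 +137,11 @@ class AuthorizationServer implements EmitterAwareInterface
 $grantType->setPublicKey($this->publicKey);
 $grantType->setEmitter($this->getEmitter());
 
+if ($this->encryptionKey === null) {
+error_log(self::ENCRYPTION_KEY_ERROR);
+}
+$grantType->setEncryptionKey($this->encryptionKey);
+
 $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
 $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
 }
@@ -135,6 +157,10 @@ class AuthorizationServer implements EmitterAwareInterface
 */
 public function validateAuthorizationRequest(ServerRequestInterface $request)
 {
+if ($this->encryptionKey === null) {
+error_log(self::ENCRYPTION_KEY_ERROR);
+}
+
 foreach ($this->enabledGrantTypes as $grantType) {
 if ($grantType->canRespondToAuthorizationRequest($request)) {
 return $grantType->validateAuthorizationRequest($request);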
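Review bot: `ENCRYPTION_KEY_ERROR` still carries the placeholder URL `https://xxxx/xxxx`, and both `enableGrantType` and `validateAuthorizationRequest` write it out with `error_log` — the latter on every authorization request handled without a key — so operators would be pointed at a dead link; the real documentation URL should replace it before this merges, or the message should drop the link. The warning is advisory only: `enableGrantType` still passes the null key down via `$grantType->setEncryptionKey($this->encryptionKey)`, so the OpenSSL key-pair path stays active and nothing fails closed, which the `setEncryptionKey` docblock should state, e.g. `* Until a key is set, CryptTrait falls back to the OpenSSL key-pair path and a warning is logged.` The same docblock says `@param string $key` while the `GrantTypeInterface` counterpart in this commit accepts `string|null`; the two should agree. An empty string is accepted silently and is not `null`, so `CryptTrait::encrypt` would use it as the password — worth rejecting with `if ($key === '') { throw new \InvalidArgumentException('Encryption key must not be empty'); }`.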
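--- a/PATH_NOT_SHOWN/CryptTrait.php
+++ b/PATH_NOT_SHOWN/CryptTrait.php
@@ -11,6 +11,8 @@
 
 namespace League\OAuth2\Server;
 
+use Defuse\Crypto\Crypto;
+
 trait CryptTrait
 {
 /**
@@ -23,6 +25,11 @@ trait CryptTrait
 */
 protected $publicKey;
 
+/**
+* @var string
+*/
+protected $encryptionKey;
+
 /**
 * Set path to private key.
 *
@@ -54,6 +61,10 @@ trait CryptTrait
 */
 protected function encrypt($unencryptedData)
 {
+if ($this->encryptionKey !== null) {
+return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
+}
+
 $privateKey = openssl_pkey_get_private($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
 $privateKeyDetails = @openssl_pkey_get_details($privateKey);
 if ($privateKeyDetails === null) {
@@ -91,6 +102,10 @@ trait CryptTrait
 */
 protected function decrypt($encryptedData)
 {
+if ($this->encryptionKey !== null) {
+return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
+}
+
 $publicKey = openssl_pkey_get_public($this->publicKey->getKeyPath());
 $publicKeyDetails = @openssl_pkey_get_details($publicKey);
 if ($publicKeyDetails === null) {
@@ -118,4 +133,14 @@ trait CryptTrait
 
 return $output;
 }
+
+/**
+* Set the encryption key
+*
+* @param string $key
+*/
+public function setEncryptionKey($key = null)
+{
+$this->encryptionKey = $key;
+}
 }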
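Review bot: `decrypt` returns from the `Crypto::decryptWithPassword` branch whenever `$this->encryptionKey` is set and never reaches the `openssl_pkey_get_public` path, so ciphertext produced before the key was configured (presumably auth codes and refresh tokens still in circulation) can no longer be decrypted once a deployment sets the key — the rollout invalidates outstanding tokens, and the `setEncryptionKey` docblock should say so: `* Setting a key invalidates anything encrypted under the key-pair path; set it before issuing tokens or expect outstanding tokens to be rejected.` `Crypto::decryptWithPassword` also throws on a wrong key or modified ciphertext rather than returning a value; whether the callers of `decrypt()` translate that into an OAuth error response is outside these hunks and should be checked. `encryptWithPassword`/`decryptWithPassword` run a password KDF on every call, which is meant for human-chosen passwords; for an application-generated random key the `Defuse\Crypto\Key` API with `Crypto::encrypt()`/`Crypto::decrypt()` avoids that cost and is the better follow-up. The docblock `@param string $key` should read `@param string|null $key` to match the `$key = null` default.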
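--- a/PATH_NOT_SHOWN/GrantTypeInterface.php
+++ b/PATH_NOT_SHOWN/GrantTypeInterface.php
@@ -132,4 +132,11 @@ interface GrantTypeInterface extends EmitterAwareInterface
 * @param CryptKey $publicKey
 */
 public function setPublicKey(CryptKey $publicKey);
+
+/**
+* Set the encryption key
+*
+* @param string|null $key
+*/
+public function setEncryptionKey($key = null);
 }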
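Review bot: Adding `setEncryptionKey` to `GrantTypeInterface` is a breaking change for any third-party grant that implements the interface directly, because `AuthorizationServer::enableGrantType` in this commit calls it unconditionally and an implementation without the method fails at enable time; the changelog should flag this. The docblock should also explain what `null` means, e.g. `* @param string|null $key Password used by CryptTrait::encrypt()/decrypt(); null keeps the OpenSSL key-pair path.` Whether the bundled grants pick the method up from `CryptTrait` through their base class is not visible in this hunk.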
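--- a/PATH_NOT_SHOWN/AuthorizationServerTest.php
+++ b/PATH_NOT_SHOWN/AuthorizationServerTest.php
@@ -36,6 +36,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/Stubs/public.key',
 new StubResponseType()
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 
 $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 
@@ -66,6 +67,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/Stubs/public.key',
 new StubResponseType()
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 
 $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 
@@ -87,6 +89,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/Stubs/private.key',
 'file://' . __DIR__ . '/Stubs/public.key'
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 
 $abstractGrantReflection = new \ReflectionClass($server);
 $method = $abstractGrantReflection->getMethod('getResponseType');
@@ -106,6 +109,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/Stubs/private.key',
 'file://' . __DIR__ . '/Stubs/public.key'
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 
 $authCodeRepository = $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock();
 $authCodeRepository->method('getNewAuthCode')->willReturn(new AuthCodeEntity());
@@ -152,6 +156,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/Stubs/private.key',
 'file://' . __DIR__ . '/Stubs/public.key'
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 $server->enableGrantType($grant);
 
 $request = new ServerRequest(
@@ -184,6 +189,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/Stubs/private.key',
 'file://' . __DIR__ . '/Stubs/public.key'
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 
 $request = new ServerRequest(
 [],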
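Review bot: Every test now calls `$server->setEncryptionKey(base64_encode(random_bytes(36)))` but nothing asserts on the result, and no hunk here exercises the `Crypto::encryptWithPassword`/`decryptWithPassword` branches added to `CryptTrait` or the `null`-key path that `enableGrantType` and `validateAuthorizationRequest` now log about; the two `AuthorizationServerMiddlewareTest` hunks below have the same gap. A round-trip test on `CryptTrait` — encrypt a string with a key set, decrypt it and assert equality, then assert that decrypting with a different key throws — would cover the new code, as would one test that leaves the key unset and checks the key-pair path is still taken. Whether such tests exist elsewhere in the suite is not visible here.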
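--- a/PATH_NOT_SHOWN/AuthorizationServerMiddlewareTest.php
+++ b/PATH_NOT_SHOWN/AuthorizationServerMiddlewareTest.php
@@ -36,6 +36,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/../Stubs/public.key',
 new StubResponseType()
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 
 $server->enableGrantType(new ClientCredentialsGrant());
 
@@ -69,6 +70,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
 'file://' . __DIR__ . '/../Stubs/public.key',
 new StubResponseType()
 );
+$server->setEncryptionKey(base64_encode(random_bytes(36)));
 
 $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 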