diff --git a/.gitignore b/.gitignore index e9100837..371a1385 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,6 @@ -/vendor/ +/vendor /composer.lock -/docs/build/ -/build/logs/ -/build/coverage/ -test -/docs/ -/testing/ \ No newline at end of file +/build/logs +/build/coverage +/docs +/testing \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 5034e99f..4f428b5f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,4 +5,4 @@ php: - 5.4 before_script: composer install --dev -script: phpunit -c build/phpunit.xml \ No newline at end of file +script: phpunit \ No newline at end of file diff --git a/README.md b/README.md index 67623f25..109279c8 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ The framework is provided as a Composer package which can be installed by adding ```javascript { "require": { - "lncd/OAuth2": "*" + "league/oauth2server": "2.*" } } ``` @@ -51,11 +51,8 @@ A tutorial on how to use the resource server to secure an API server can be foun --- -This code will be developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which has been funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme. +The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme. -This code was principally developed by [Alex Bilbie](http://alexbilbie.com/) ([Twitter](https://twitter.com/alexbilbie)|[Github](https://github.com/alexbilbie)). +This code is principally developed by [Alex Bilbie](http://alexbilbie.com/) ([Twitter](https://twitter.com/alexbilbie)|[Github](https://github.com/alexbilbie)). -Valuable contribtions have been made by the following: - -* [Dan Horrigan](http://dandoescode.com) ([Twitter](https://twitter.com/dandoescode)|[Github](https://github.com/dandoescode)) -* [Nick Jackson](http://nickjackson.me) ([Twitter](https://twitter.com/jacksonj04)|[Github](https://github.com/jacksonj04)) +A list of contributors can be found at [https://github.com/php-loep/oauth2-server/contributors](https://github.com/php-loep/oauth2-server/contributors). \ No newline at end of file diff --git a/build/phpcs.xml b/build/phpcs.xml deleted file mode 100644 index a6ee80da..00000000 --- a/build/phpcs.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - PHP_CodeSniffer configuration - - - - \ No newline at end of file diff --git a/build/phpmd.xml b/build/phpmd.xml deleted file mode 100644 index 11f54dc1..00000000 --- a/build/phpmd.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - Ruleset for OAuth 2.0 server - - - - - \ No newline at end of file diff --git a/build/phpunit.xml b/build/phpunit.xml deleted file mode 100644 index 3281974b..00000000 --- a/build/phpunit.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - ../tests/authorization - - - ../tests/resource - - - ../tests/util - - - - - PEAR_INSTALL_DIR - PHP_LIBDIR - ../vendor/composer - ../vendor/mockery - ../vendor/phpunit - ../tests - ../testing - - - - - - - - - \ No newline at end of file diff --git a/composer.json b/composer.json index e30a2b36..9bd64747 100644 --- a/composer.json +++ b/composer.json @@ -1,20 +1,20 @@ { - "name": "lncd/oauth2", - "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants", - "version": "1.0.8", - "homepage": "https://github.com/lncd/OAuth2", + "name": "league/oauth2server", + "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.", + "version": "2.0", + "homepage": "https://github.com/php-leop/oauth2-server", "license": "MIT", "require": { - "php": ">=5.3.0" + "php": ">=5.3.0", + "zetacomponents/database": "dev-master" }, "require-dev": { - "phpunit/phpunit": "*", - "mockery/mockery": ">=0.7.2" + "mockery/mockery": ">=0.7.2" }, "repositories": [ { "type": "git", - "url": "https://github.com/lncd/OAuth2" + "url": "https://github.com/php-leop/oauth2-server" } ], "keywords": [ @@ -34,6 +34,9 @@ "role": "Developer" } ], + "replace": { + "lncd/oauth2": "*" + }, "autoload": { "psr-0": { "OAuth2": "src/" diff --git a/phpunit.xml b/phpunit.xml new file mode 100644 index 00000000..219005bc --- /dev/null +++ b/phpunit.xml @@ -0,0 +1,31 @@ + + + + + tests/authorization + + + tests/resource + + + tests/util + + + + + PEAR_INSTALL_DIR + PHP_LIBDIR + vendor/composer + vendor/mockery + vendor/phpunit + tests + testing + + + + + + + + + \ No newline at end of file diff --git a/sql/mysql.sql b/sql/mysql.sql index a6e96d0c..9debe1a7 100644 --- a/sql/mysql.sql +++ b/sql/mysql.sql @@ -1,53 +1,80 @@ CREATE TABLE `oauth_clients` ( - `id` varchar(40) NOT NULL DEFAULT '', - `secret` varchar(40) NOT NULL DEFAULT '', - `name` varchar(255) NOT NULL DEFAULT '', - `auto_approve` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8; + `id` CHAR(40) NOT NULL, + `secret` CHAR(40) NOT NULL, + `name` VARCHAR(255) NOT NULL, + `auto_approve` TINYINT(1) NOT NULL DEFAULT '0', + PRIMARY KEY (`id`), + UNIQUE KEY `u_oacl_clse_clid` (`secret`,`id`) +) ENGINE=INNODB DEFAULT CHARSET=utf8; CREATE TABLE `oauth_client_endpoints` ( - `id` int(11) unsigned NOT NULL AUTO_INCREMENT, - `client_id` varchar(40) NOT NULL DEFAULT '', - `redirect_uri` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `client_id` (`client_id`), - CONSTRAINT `oauth_client_endpoints_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=utf8; + `endpoint_id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT, + `client_id` CHAR(40) NOT NULL, + `redirect_uri` VARCHAR(255) NOT NULL, + PRIMARY KEY (`endpoint_id`), + KEY `i_oaclen_clid` (`client_id`), + CONSTRAINT `f_oaclen_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE +) ENGINE=INNODB DEFAULT CHARSET=utf8; CREATE TABLE `oauth_sessions` ( - `id` int(11) unsigned NOT NULL AUTO_INCREMENT, - `client_id` varchar(40) NOT NULL DEFAULT '', - `redirect_uri` varchar(250) DEFAULT '', + `id` int(10) unsigned NOT NULL AUTO_INCREMENT, + `client_id` char(40) NOT NULL, `owner_type` enum('user','client') NOT NULL DEFAULT 'user', - `owner_id` varchar(255) DEFAULT '', - `auth_code` varchar(40) DEFAULT '', - `access_token` varchar(40) DEFAULT '', - `refresh_token` varchar(40) DEFAULT '', - `access_token_expires` int(10) DEFAULT NULL, - `stage` enum('requested','granted') NOT NULL DEFAULT 'requested', - `first_requested` int(10) unsigned NOT NULL, - `last_updated` int(10) unsigned NOT NULL, + `owner_id` varchar(255) NOT NULL, PRIMARY KEY (`id`), - KEY `client_id` (`client_id`) + KEY `i_uase_clid_owty_owid` (`client_id`,`owner_type`,`owner_id`), + CONSTRAINT `f_oase_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +CREATE TABLE `oauth_session_access_tokens` ( + `id` int(10) unsigned NOT NULL AUTO_INCREMENT, + `session_id` int(10) unsigned NOT NULL, + `access_token` char(40) NOT NULL DEFAULT '', + `access_token_expires` int(10) unsigned NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `u_oaseacto_acto_seid` (`access_token`,`session_id`), + KEY `f_oaseto_seid` (`session_id`), + CONSTRAINT `f_oaseto_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +CREATE TABLE `oauth_session_authcodes` ( + `session_id` int(10) unsigned NOT NULL, + `auth_code` char(40) NOT NULL DEFAULT '', + `auth_code_expires` int(10) unsigned NOT NULL, + PRIMARY KEY (`session_id`), + CONSTRAINT `f_oaseau_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +CREATE TABLE `oauth_session_redirects` ( + `session_id` int(10) unsigned NOT NULL, + `redirect_uri` varchar(255) NOT NULL DEFAULT '', + PRIMARY KEY (`session_id`), + CONSTRAINT `f_oasere_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +CREATE TABLE `oauth_session_refresh_tokens` ( + `session_access_token_id` int(10) unsigned NOT NULL, + `refresh_token` char(40) NOT NULL DEFAULT '', + PRIMARY KEY (`session_access_token_id`), + CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `oauth_scopes` ( - `id` int(11) unsigned NOT NULL AUTO_INCREMENT, - `scope` varchar(255) NOT NULL DEFAULT '', - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT '', + `id` SMALLINT(5) UNSIGNED NOT NULL AUTO_INCREMENT, + `key` VARCHAR(255) NOT NULL, + `name` VARCHAR(255) NOT NULL, + `description` VARCHAR(255) DEFAULT NULL, PRIMARY KEY (`id`), - UNIQUE KEY `scope` (`scope`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8; + UNIQUE KEY `u_oasc_sc` (`key`) +) ENGINE=INNODB DEFAULT CHARSET=utf8; -CREATE TABLE `oauth_session_scopes` ( - `id` int(11) unsigned NOT NULL AUTO_INCREMENT, - `session_id` int(11) unsigned NOT NULL, - `scope_id` int(11) unsigned NOT NULL, - PRIMARY KEY (`id`), - KEY `session_id` (`session_id`), - KEY `scope_id` (`scope_id`), - CONSTRAINT `oauth_session_scopes_ibfk_5` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_session_scopes_ibfk_4` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE +CREATE TABLE `oauth_session_token_scopes` ( + `session_token_scope_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT, + `session_access_token_id` int(10) unsigned DEFAULT NULL, + `scope_id` smallint(5) unsigned NOT NULL, + PRIMARY KEY (`session_token_scope_id`), + UNIQUE KEY `u_setosc_setoid_scid` (`session_access_token_id`,`scope_id`), + KEY `f_oasetosc_scid` (`scope_id`), + CONSTRAINT `f_oasetosc_scid` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION, + CONSTRAINT `f_oasetosc_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION ) ENGINE=InnoDB DEFAULT CHARSET=utf8; \ No newline at end of file diff --git a/src/OAuth2/AuthServer.php b/src/OAuth2/AuthServer.php index f72ff446..24787c6a 100644 --- a/src/OAuth2/AuthServer.php +++ b/src/OAuth2/AuthServer.php @@ -37,7 +37,7 @@ class AuthServer * The TTL (time to live) of an access token in seconds (default: 3600) * @var integer */ - static protected $expiresIn = 3600; + protected $expiresIn = 3600; /** * The registered grant response types @@ -49,13 +49,13 @@ class AuthServer * The client, scope and session storage classes * @var array */ - static protected $storages = array(); + protected $storages = array(); /** * The registered grant types * @var array */ - static protected $grantTypes = array(); + protected $grantTypes = array(); /** * Require the "scope" parameter to be in checkAuthoriseParams() @@ -63,6 +63,12 @@ class AuthServer */ protected $requireScopeParam = true; + /** + * Default scope to be used if none is provided and requireScopeParam is false + * @var string + */ + protected $defaultScope = null; + /** * Require the "state" parameter to be in checkAuthoriseParams() * @var boolean @@ -73,7 +79,7 @@ class AuthServer * The request object * @var Util\RequestInterface */ - static protected $request = null; + protected $request = null; /** * Exception error codes @@ -96,7 +102,7 @@ class AuthServer * Exception error messages * @var array */ - static protected $exceptionMessages = array( + protected static $exceptionMessages = array( 'invalid_request' => 'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.', 'unauthorized_client' => 'The client is not authorized to request an access token using this method.', 'access_denied' => 'The resource owner or authorization server denied the request.', @@ -111,6 +117,87 @@ class AuthServer 'invalid_refresh' => 'The refresh token is invalid.', ); + /** + * Exception error HTTP status codes + * @var array + * + * RFC 6749, section 4.1.2.1.: + * No 503 status code for 'temporarily_unavailable', because + * "a 503 Service Unavailable HTTP status code cannot be + * returned to the client via an HTTP redirect" + */ + protected static $exceptionHttpStatusCodes = array( + 'invalid_request' => 400, + 'unauthorized_client' => 400, + 'access_denied' => 401, + 'unsupported_response_type' => 400, + 'invalid_scope' => 400, + 'server_error' => 500, + 'temporarily_unavailable' => 400, + 'unsupported_grant_type' => 501, + 'invalid_client' => 401, + 'invalid_grant' => 400, + 'invalid_credentials' => 400, + 'invalid_refresh' => 400, + ); + + /** + * Get all headers that have to be send with the error response + * + * @param string $error The error message key + * @return array Array with header values + */ + public static function getExceptionHttpHeaders($error) + { + $headers = array(); + switch (self::$exceptionHttpStatusCodes[$error]) { + case 401: + $headers[] = 'HTTP/1.1 401 Unauthorized'; + break; + case 500: + $headers[] = 'HTTP/1.1 500 Internal Server Error'; + break; + case 501: + $headers[] = 'HTTP/1.1 501 Not Implemented'; + break; + case 400: + default: + $headers[] = 'HTTP/1.1 400 Bad Request'; + } + + // Add "WWW-Authenticate" header + // + // RFC 6749, section 5.2.: + // "If the client attempted to authenticate via the 'Authorization' + // request header field, the authorization server MUST + // respond with an HTTP 401 (Unauthorized) status code and + // include the "WWW-Authenticate" response header field + // matching the authentication scheme used by the client. + // @codeCoverageIgnoreStart + if ($error === 'invalid_client') { + $authScheme = null; + $request = new Request(); + if ($request->server('PHP_AUTH_USER') !== null) { + $authScheme = 'Basic'; + } else { + $authHeader = $request->header('Authorization'); + if ($authHeader !== null) { + if (strpos($authHeader, 'Bearer') === 0) { + $authScheme = 'Bearer'; + } elseif (strpos($authHeader, 'Basic') === 0) { + $authScheme = 'Basic'; + } + } + } + if ($authScheme !== null) { + $headers[] = 'WWW-Authenticate: '.$authScheme.' realm=""'; + } + } + // @codeCoverageIgnoreEnd + + return $headers; + } + /** * Get an exception message * @@ -142,7 +229,7 @@ class AuthServer */ public function __construct(ClientInterface $client, SessionInterface $session, ScopeInterface $scope) { - self::$storages = array( + $this->storages = array( 'client' => $client, 'session' => $session, 'scope' => $scope @@ -159,7 +246,7 @@ class AuthServer if (is_null($identifier)) { $identifier = $grantType->getIdentifier(); } - self::$grantTypes[$identifier] = $grantType; + $this->grantTypes[$identifier] = $grantType; if ( ! is_null($grantType->getResponseType())) { $this->responseTypes[] = $grantType->getResponseType(); @@ -171,9 +258,14 @@ class AuthServer * @param string $identifier The grant type identifier * @return boolean Returns "true" if enabled, "false" if not */ - public static function hasGrantType($identifier) + public function hasGrantType($identifier) { - return (array_key_exists($identifier, self::$grantTypes)); + return (array_key_exists($identifier, $this->grantTypes)); + } + + public function getResponseTypes() + { + return $this->responseTypes; } /** @@ -186,6 +278,43 @@ class AuthServer $this->requireScopeParam = $require; } + /** + * Is the scope parameter required? + * @return bool + */ + public function scopeParamRequired() + { + return $this->requireScopeParam; + } + + /** + * Default scope to be used if none is provided and requireScopeParam is false + * @var string + */ + public function setDefaultScope($default = null) + { + $this->defaultScope = $default; + } + + /** + * Default scope to be used if none is provided and requireScopeParam is false + * @return string|null + */ + public function getDefaultScope() + { + return $this->defaultScope; + } + + /** + * Require the "state" paremter in checkAuthoriseParams() + * @param boolean $require + * @return void + */ + public function stateParamRequired() + { + return $this->requireStateParam; + } + /** * Require the "state" paremter in checkAuthoriseParams() * @param boolean $require @@ -220,9 +349,9 @@ class AuthServer * Get the TTL for an access token * @return int The TTL */ - public static function getExpiresIn() + public function getExpiresIn() { - return self::$expiresIn; + return $this->expiresIn; } /** @@ -231,7 +360,7 @@ class AuthServer */ public function setExpiresIn($expiresIn) { - self::$expiresIn = $expiresIn; + $this->expiresIn = $expiresIn; } /** @@ -241,7 +370,7 @@ class AuthServer */ public function setRequest(Util\RequestInterface $request) { - self::$request = $request; + $this->request = $request; } /** @@ -249,16 +378,16 @@ class AuthServer * * @return Util\RequestInterface */ - public static function getRequest() + public function getRequest() { - if (self::$request === null) { + if ($this->request === null) { // @codeCoverageIgnoreStart - self::$request = Request::buildFromGlobals(); + $this->request = Request::buildFromGlobals(); } // @codeCoverageIgnoreEnd - return self::$request; + return $this->request; } /** @@ -266,106 +395,9 @@ class AuthServer * @param string $obj The class required * @return Storage\ClientInterface|Storage\ScopeInterface|Storage\SessionInterface */ - public static function getStorage($obj) + public function getStorage($obj) { - return self::$storages[$obj]; - } - - /** - * Check authorise parameters - * - * @param array $inputParams Optional array of parsed $_GET keys - * @throws \OAuth2\Exception\ClientException - * @return array Authorise request parameters - */ - public function checkAuthoriseParams($inputParams = array()) - { - // Auth params - $authParams = self::getParam(array('client_id', 'redirect_uri', 'response_type', 'scope', 'state'), 'get', $inputParams); - - if (is_null($authParams['client_id'])) { - throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'client_id'), 0); - } - - if (is_null($authParams['redirect_uri'])) { - throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'redirect_uri'), 0); - } - - if ($this->requireStateParam === true && is_null($authParams['state'])) { - throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'state'), 0); - } - - // Validate client ID and redirect URI - $clientDetails = self::getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']); - - if ($clientDetails === false) { - throw new Exception\ClientException(self::$exceptionMessages['invalid_client'], 8); - } - - $authParams['client_details'] = $clientDetails; - - if (is_null($authParams['response_type'])) { - throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'response_type'), 0); - } - - // Ensure response type is one that is recognised - if ( ! in_array($authParams['response_type'], $this->responseTypes)) { - throw new Exception\ClientException(self::$exceptionMessages['unsupported_response_type'], 3); - } - - // Validate scopes - $scopes = explode($this->scopeDelimeter, $authParams['scope']); - - for ($i = 0; $i < count($scopes); $i++) { - $scopes[$i] = trim($scopes[$i]); - if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes - } - - if ($this->requireScopeParam === true && count($scopes) === 0) { - throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'scope'), 0); - } - - $authParams['scopes'] = array(); - - foreach ($scopes as $scope) { - $scopeDetails = self::getStorage('scope')->getScope($scope); - - if ($scopeDetails === false) { - throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_scope'], $scope), 4); - } - - $authParams['scopes'][] = $scopeDetails; - } - - return $authParams; - } - - /** - * Parse a new authorise request - * - * @param string $type The session owner's type - * @param string $typeId The session owner's ID - * @param array $authParams The authorise request $_GET parameters - * @return string An authorisation code - */ - public function newAuthoriseRequest($type, $typeId, $authParams = array()) - { - // Generate an auth code - $authCode = SecureKey::make(); - - // Remove any old sessions the user might have - self::getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId); - - // Create a new session - $sessionId = self::getStorage('session')->createSession($authParams['client_id'], $authParams['redirect_uri'], $type, $typeId, $authCode); - - // Associate scopes with the new session - foreach ($authParams['scopes'] as $scope) - { - self::getStorage('session')->associateScope($sessionId, $scope['id']); - } - - return $authCode; + return $this->storages[$obj]; } /** @@ -376,14 +408,14 @@ class AuthServer */ public function issueAccessToken($inputParams = array()) { - $grantType = self::getParam('grant_type', 'post', $inputParams); + $grantType = $this->getParam('grant_type', 'post', $inputParams); if (is_null($grantType)) { throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'grant_type'), 0); } // Ensure grant type is one that is recognised and is enabled - if ( ! in_array($grantType, array_keys(self::$grantTypes))) { + if ( ! in_array($grantType, array_keys($this->grantTypes))) { throw new Exception\ClientException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 7); } @@ -396,26 +428,34 @@ class AuthServer * @param string $grantType The grant type identifer * @return class */ - protected function getGrantType($grantType) + public function getGrantType($grantType) { - return self::$grantTypes[$grantType]; + return $this->grantTypes[$grantType]; } /** * Get a parameter from passed input parameters or the Request class - * @param string|array $param Requried parameter + * @param string|array $param Required parameter * @param string $method Get/put/post/delete * @param array $inputParams Passed input parameters * @return mixed 'Null' if parameter is missing */ - public static function getParam($param = '', $method = 'get', $inputParams = array()) + public function getParam($param = '', $method = 'get', $inputParams = array(), $default = null) { if (is_string($param)) { - return (isset($inputParams[$param])) ? $inputParams[$param] : self::getRequest()->{$method}($param); + if (isset($inputParams[$param])) { + return $inputParams[$param]; + } elseif ($param === 'client_id' && ! is_null($client_id = $this->getRequest()->server('PHP_AUTH_USER'))) { + return $client_id; + } elseif ($param === 'client_secret' && ! is_null($client_secret = $this->getRequest()->server('PHP_AUTH_PW'))) { + return $client_secret; + } else { + return $this->getRequest()->{$method}($param, $default); + } } else { $response = array(); foreach ($param as $p) { - $response[$p] = self::getParam($p, $method, $inputParams); + $response[$p] = $this->getParam($p, $method, $inputParams); } return $response; } diff --git a/src/OAuth2/Grant/AuthCode.php b/src/OAuth2/Grant/AuthCode.php index 38c0316c..b0edc0b0 100644 --- a/src/OAuth2/Grant/AuthCode.php +++ b/src/OAuth2/Grant/AuthCode.php @@ -36,6 +36,22 @@ class AuthCode implements GrantTypeInterface { */ protected $responseType = 'code'; + /** + * AuthServer instance + * @var AuthServer + */ + protected $authServer = null; + + /** + * Constructor + * @param AuthServer $authServer AuthServer instance + * @return void + */ + public function __construct(AuthServer $authServer) + { + $this->authServer = $authServer; + } + /** * Return the identifier * @return string @@ -54,6 +70,112 @@ class AuthCode implements GrantTypeInterface { return $this->responseType; } + /** + * Check authorise parameters + * + * @param array $inputParams Optional array of parsed $_GET keys + * @throws \OAuth2\Exception\ClientException + * @return array Authorise request parameters + */ + public function checkAuthoriseParams($inputParams = array()) + { + // Auth params + $authParams = $this->authServer->getParam(array('client_id', 'redirect_uri', 'response_type', 'scope', 'state'), 'get', $inputParams); + + if (is_null($authParams['client_id'])) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); + } + + if (is_null($authParams['redirect_uri'])) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0); + } + + if ($this->authServer->stateParamRequired() === true && is_null($authParams['state'])) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'state'), 0); + } + + // Validate client ID and redirect URI + $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']); + + if ($clientDetails === false) { + throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8); + } + + $authParams['client_details'] = $clientDetails; + + if (is_null($authParams['response_type'])) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'response_type'), 0); + } + + // Ensure response type is one that is recognised + if ( ! in_array($authParams['response_type'], $this->authServer->getResponseTypes())) { + throw new Exception\ClientException($this->authServer->getExceptionMessage('unsupported_response_type'), 3); + } + + // Validate scopes + $scopes = explode($this->authServer->getScopeDelimeter(), $authParams['scope']); + + for ($i = 0; $i < count($scopes); $i++) { + $scopes[$i] = trim($scopes[$i]); + if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes + } + + if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0); + } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) { + $scopes = array($this->authServer->getDefaultScope()); + } + + $authParams['scopes'] = array(); + + foreach ($scopes as $scope) { + $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier); + + if ($scopeDetails === false) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4); + } + + $authParams['scopes'][] = $scopeDetails; + } + + return $authParams; + } + + /** + * Parse a new authorise request + * + * @param string $type The session owner's type + * @param string $typeId The session owner's ID + * @param array $authParams The authorise request $_GET parameters + * @return string An authorisation code + */ + public function newAuthoriseRequest($type, $typeId, $authParams = array()) + { + // Generate an auth code + $authCode = SecureKey::make(); + + // Remove any old sessions the user might have + $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId); + + // List of scopes IDs + $scopeIds = array(); + foreach ($authParams['scopes'] as $scope) + { + $scopeIds[] = $scope['id']; + } + + // Create a new session + $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], $type, $typeId); + + // Associate a redirect URI + $this->authServer->getStorage('session')->associateRedirectUri($sessionId, $authParams['redirect_uri']); + + // Associate the auth code + $this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time()+600, implode(',', $scopeIds)); + + return $authCode; + } + /** * Complete the auth code grant * @param null|array $inputParams @@ -62,58 +184,61 @@ class AuthCode implements GrantTypeInterface { public function completeFlow($inputParams = null) { // Get the required params - $authParams = AuthServer::getParam(array('client_id', 'client_secret', 'redirect_uri', 'code'), 'post', $inputParams); + $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'redirect_uri', 'code'), 'post', $inputParams); if (is_null($authParams['client_id'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); } if (is_null($authParams['client_secret'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0); } if (is_null($authParams['redirect_uri'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'redirect_uri'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0); } // Validate client ID and redirect URI - $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], $authParams['redirect_uri']); + $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], $authParams['redirect_uri'], $this->identifier); if ($clientDetails === false) { - throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8); + throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8); } $authParams['client_details'] = $clientDetails; // Validate the authorization code if (is_null($authParams['code'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'code'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'code'), 0); } // Verify the authorization code matches the client_id and the request_uri - $session = AuthServer::getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']); + $session = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']); if ( ! $session) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_grant'), 'code'), 9); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_grant'), 'code'), 9); } - // A session ID was returned so update it with an access token, - // remove the authorisation code, change the stage to 'granted' + // A session ID was returned so update it with an access token and remove the authorisation code $accessToken = SecureKey::make(); - $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null; + $accessTokenExpires = time() + $this->authServer->getExpiresIn(); + $accessTokenExpiresIn = $this->authServer->getExpiresIn(); - $accessTokenExpires = time() + AuthServer::getExpiresIn(); - $accessTokenExpiresIn = AuthServer::getExpiresIn(); + // Remove the auth code + $this->authServer->getStorage('session')->removeAuthCode($session['id']); - AuthServer::getStorage('session')->updateSession( - $session['id'], - null, - $accessToken, - $refreshToken, - $accessTokenExpires, - 'granted' - ); + // Create an access token + $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($session['id'], $accessToken, $accessTokenExpires); + + // Associate scopes with the access token + if ( ! is_null($session['scope_ids'])) { + $scopeIds = explode(',', $session['scope_ids']); + + foreach ($scopeIds as $scopeId) { + $this->authServer->getStorage('session')->associateScope($accessTokenId, $scopeId); + } + } $response = array( 'access_token' => $accessToken, @@ -122,7 +247,10 @@ class AuthCode implements GrantTypeInterface { 'expires_in' => $accessTokenExpiresIn ); - if (AuthServer::hasGrantType('refresh_token')) { + // Associate a refresh token if set + if ($this->authServer->hasGrantType('refresh_token')) { + $refreshToken = SecureKey::make(); + $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken); $response['refresh_token'] = $refreshToken; } diff --git a/src/OAuth2/Grant/ClientCredentials.php b/src/OAuth2/Grant/ClientCredentials.php index 3bb590bb..4a520ee7 100644 --- a/src/OAuth2/Grant/ClientCredentials.php +++ b/src/OAuth2/Grant/ClientCredentials.php @@ -1,6 +1,6 @@ @@ -36,6 +36,22 @@ class ClientCredentials implements GrantTypeInterface { */ protected $responseType = null; + /** + * AuthServer instance + * @var AuthServer + */ + protected $authServer = null; + + /** + * Constructor + * @param AuthServer $authServer AuthServer instance + * @return void + */ + public function __construct(AuthServer $authServer) + { + $this->authServer = $authServer; + } + /** * Return the identifier * @return string @@ -62,7 +78,7 @@ class ClientCredentials implements GrantTypeInterface { public function completeFlow($inputParams = null) { // Get the required params - $authParams = AuthServer::getParam(array('client_id', 'client_secret'), 'post', $inputParams); + $authParams = $this->authServer->getParam(array('client_id', 'client_secret'), 'post', $inputParams); if (is_null($authParams['client_id'])) { throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0); @@ -73,7 +89,7 @@ class ClientCredentials implements GrantTypeInterface { } // Validate client ID and client secret - $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret']); + $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier); if ($clientDetails === false) { throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8); @@ -81,28 +97,53 @@ class ClientCredentials implements GrantTypeInterface { $authParams['client_details'] = $clientDetails; + // Validate any scopes that are in the request + $scope = $this->authServer->getParam('scope', 'post', $inputParams, ''); + $scopes = explode($this->authServer->getScopeDelimeter(), $scope); + + for ($i = 0; $i < count($scopes); $i++) { + $scopes[$i] = trim($scopes[$i]); + if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes + } + + if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0); + } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) { + $scopes = array($this->authServer->getDefaultScope()); + } + + $authParams['scopes'] = array(); + + foreach ($scopes as $scope) { + $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier); + + if ($scopeDetails === false) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4); + } + + $authParams['scopes'][] = $scopeDetails; + } + // Generate an access token $accessToken = SecureKey::make(); - $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null; - $accessTokenExpires = time() + AuthServer::getExpiresIn(); - $accessTokenExpiresIn = AuthServer::getExpiresIn(); + $accessTokenExpires = time() + $this->authServer->getExpiresIn(); + $accessTokenExpiresIn = $this->authServer->getExpiresIn(); // Delete any existing sessions just to be sure - AuthServer::getStorage('session')->deleteSession($authParams['client_id'], 'client', $authParams['client_id']); + $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'client', $authParams['client_id']); // Create a new session - AuthServer::getStorage('session')->createSession( - $authParams['client_id'], - null, - 'client', - $authParams['client_id'], - null, - $accessToken, - $refreshToken, - $accessTokenExpires, - 'granted' - ); + $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'client', $authParams['client_id']); + + // Add the access token + $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires); + + // Associate scopes with the new session + foreach ($authParams['scopes'] as $scope) + { + $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']); + } $response = array( 'access_token' => $accessToken, @@ -111,11 +152,7 @@ class ClientCredentials implements GrantTypeInterface { 'expires_in' => $accessTokenExpiresIn ); - if (AuthServer::hasGrantType('refresh_token')) { - $response['refresh_token'] = $refreshToken; - } - return $response; } -} \ No newline at end of file +} diff --git a/src/OAuth2/Grant/GrantTypeInterface.php b/src/OAuth2/Grant/GrantTypeInterface.php index b05c959e..56e45cfd 100644 --- a/src/OAuth2/Grant/GrantTypeInterface.php +++ b/src/OAuth2/Grant/GrantTypeInterface.php @@ -21,10 +21,17 @@ use OAuth2\Storage\ScopeInterface; interface GrantTypeInterface { - /** - * Returns the grant identifier (used to validate grant_type in OAuth2\AuthServer\issueAccessToken()) - * @return string - */ + /** + * Constructor + * @param AuthServer $authServer AuthServer instance + * @return void + */ + public function __construct(AuthServer $authServer); + + /** + * Returns the grant identifier (used to validate grant_type in OAuth2\AuthServer\issueAccessToken()) + * @return string + */ public function getIdentifier(); /** diff --git a/src/OAuth2/Grant/Implicit.php b/src/OAuth2/Grant/Implicit.php new file mode 100644 index 00000000..9ca9d611 --- /dev/null +++ b/src/OAuth2/Grant/Implicit.php @@ -0,0 +1,107 @@ + + * @copyright Copyright (c) 2013 University of Lincoln + * @license http://mit-license.org/ + * @link http://github.com/lncd/oauth2 + */ + +namespace OAuth2\Grant; + +use OAuth2\Request; +use OAuth2\AuthServer; +use OAuth2\Exception; +use OAuth2\Util\SecureKey; +use OAuth2\Storage\SessionInterface; +use OAuth2\Storage\ClientInterface; +use OAuth2\Storage\ScopeInterface; + +/** + * Client credentials grant class + */ +class Implict implements GrantTypeInterface { + + /** + * Grant identifier + * @var string + */ + protected $identifier = 'implicit'; + + /** + * Response type + * @var string + */ + protected $responseType = 'token'; + + /** + * AuthServer instance + * @var AuthServer + */ + protected $authServer = null; + + /** + * Constructor + * @param AuthServer $authServer AuthServer instance + * @return void + */ + public function __construct(AuthServer $authServer) + { + $this->authServer = $authServer; + } + + /** + * Return the identifier + * @return string + */ + public function getIdentifier() + { + return $this->identifier; + } + + /** + * Return the response type + * @return string + */ + public function getResponseType() + { + return $this->responseType; + } + + /** + * Complete the client credentials grant + * @param null|array $inputParams + * @return array + */ + public function completeFlow($authParams = null) + { + // Remove any old sessions the user might have + $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $authParams['user_id']); + + // Generate a new access token + $accessToken = SecureKey::make(); + + // Compute expiry time + $accessTokenExpires = time() + $this->authServer->getExpiresIn(); + + // Create a new session + $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $authParams['user_id']); + + // Create an access token + $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires); + + // Associate scopes with the access token + foreach ($authParams['scopes'] as $scope) { + $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']); + } + + $response = array( + 'access_token' => $accessToken + ); + + return $response; + } + +} \ No newline at end of file diff --git a/src/OAuth2/Grant/Password.php b/src/OAuth2/Grant/Password.php index 582bf4da..b8d098db 100644 --- a/src/OAuth2/Grant/Password.php +++ b/src/OAuth2/Grant/Password.php @@ -42,6 +42,22 @@ class Password implements GrantTypeInterface { */ protected $callback = null; + /** + * AuthServer instance + * @var AuthServer + */ + protected $authServer = null; + + /** + * Constructor + * @param AuthServer $authServer AuthServer instance + * @return void + */ + public function __construct(AuthServer $authServer) + { + $this->authServer = $authServer; + } + /** * Return the identifier * @return string @@ -90,62 +106,85 @@ class Password implements GrantTypeInterface { public function completeFlow($inputParams = null) { // Get the required params - $authParams = AuthServer::getParam(array('client_id', 'client_secret', 'username', 'password'), 'post', $inputParams); + $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'username', 'password'), 'post', $inputParams); if (is_null($authParams['client_id'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); } if (is_null($authParams['client_secret'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0); } - // Validate client ID and redirect URI - $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret']); + // Validate client credentials + $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier); if ($clientDetails === false) { - throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8); + throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8); } $authParams['client_details'] = $clientDetails; if (is_null($authParams['username'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'username'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'username'), 0); } if (is_null($authParams['password'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'password'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'password'), 0); } // Check if user's username and password are correct $userId = call_user_func($this->getVerifyCredentialsCallback(), $authParams['username'], $authParams['password']); - if ($userId === false || $userId === null) { - throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_credentials'), 0); + if ($userId === false) { + throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_credentials'), 0); + } + + // Validate any scopes that are in the request + $scope = $this->authServer->getParam('scope', 'post', $inputParams, ''); + $scopes = explode($this->authServer->getScopeDelimeter(), $scope); + + for ($i = 0; $i < count($scopes); $i++) { + $scopes[$i] = trim($scopes[$i]); + if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes + } + + if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0); + } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) { + $scopes = array($this->authServer->getDefaultScope()); + } + + $authParams['scopes'] = array(); + + foreach ($scopes as $scope) { + $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier); + + if ($scopeDetails === false) { + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4); + } + + $authParams['scopes'][] = $scopeDetails; } // Generate an access token $accessToken = SecureKey::make(); - $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null; - - $accessTokenExpires = time() + AuthServer::getExpiresIn(); - $accessTokenExpiresIn = AuthServer::getExpiresIn(); + $accessTokenExpires = time() + $this->authServer->getExpiresIn(); + $accessTokenExpiresIn = $this->authServer->getExpiresIn(); // Delete any existing sessions just to be sure - AuthServer::getStorage('session')->deleteSession($authParams['client_id'], 'user', $userId); + $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $userId); // Create a new session - AuthServer::getStorage('session')->createSession( - $authParams['client_id'], - null, - 'user', - $userId, - null, - $accessToken, - $refreshToken, - $accessTokenExpires, - 'granted' - ); + $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $userId); + + // Associate an access token with the session + $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires); + + // Associate scopes with the access token + foreach ($authParams['scopes'] as $scope) { + $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']); + } $response = array( 'access_token' => $accessToken, @@ -154,7 +193,10 @@ class Password implements GrantTypeInterface { 'expires_in' => $accessTokenExpiresIn ); - if (AuthServer::hasGrantType('refresh_token')) { + // Associate a refresh token if set + if ($this->authServer->hasGrantType('refresh_token')) { + $refreshToken = SecureKey::make(); + $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken); $response['refresh_token'] = $refreshToken; } diff --git a/src/OAuth2/Grant/RefreshToken.php b/src/OAuth2/Grant/RefreshToken.php index bd7839ca..538d75bd 100644 --- a/src/OAuth2/Grant/RefreshToken.php +++ b/src/OAuth2/Grant/RefreshToken.php @@ -36,6 +36,22 @@ class RefreshToken implements GrantTypeInterface { */ protected $responseType = null; + /** + * AuthServer instance + * @var AuthServer + */ + protected $authServer = null; + + /** + * Constructor + * @param AuthServer $authServer AuthServer instance + * @return void + */ + public function __construct(AuthServer $authServer) + { + $this->authServer = $authServer; + } + /** * Return the identifier * @return string @@ -62,47 +78,55 @@ class RefreshToken implements GrantTypeInterface { public function completeFlow($inputParams = null) { // Get the required params - $authParams = AuthServer::getParam(array('client_id', 'client_secret', 'refresh_token'), 'post', $inputParams); + $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'refresh_token'), 'post', $inputParams); if (is_null($authParams['client_id'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0); } if (is_null($authParams['client_secret'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0); } // Validate client ID and client secret - $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret']); + $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier); if ($clientDetails === false) { - throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8); + throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8); } $authParams['client_details'] = $clientDetails; if (is_null($authParams['refresh_token'])) { - throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'refresh_token'), 0); + throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'refresh_token'), 0); } // Validate refresh token - $sessionId = AuthServer::getStorage('client')->validateRefreshToken( - $authParams['refresh_token'], - $authParams['client_id'] - ); + $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']); - if ($sessionId === false) { - throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_refresh'), 0); + if ($accessTokenId === false) { + throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0); } - // Generate new tokens + // Get the existing access token + $accessTokenDetails = $this->authServer->getStorage('session')->getAccessToken($accessTokenId); + + // Get the scopes for the existing access token + $scopes = $this->authServer->getStorage('session')->getScopes($accessTokenDetails['access_token']); + + // Generate new tokens and associate them to the session $accessToken = SecureKey::make(); - $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null; + $accessTokenExpires = time() + $this->authServer->getExpiresIn(); + $accessTokenExpiresIn = $this->authServer->getExpiresIn(); + $refreshToken = SecureKey::make(); - $accessTokenExpires = time() + AuthServer::getExpiresIn(); - $accessTokenExpiresIn = AuthServer::getExpiresIn(); + $newAccessTokenId = $this->authServer->getStorage('session')->associateAccessToken($accessTokenDetails['session_id'], $accessToken, $accessTokenExpires); - AuthServer::getStorage('session')->updateRefreshToken($sessionId, $accessToken, $refreshToken, $accessTokenExpires); + foreach ($scopes as $scope) { + $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']); + } + + $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken); return array( 'access_token' => $accessToken, @@ -113,4 +137,4 @@ class RefreshToken implements GrantTypeInterface { ); } -} \ No newline at end of file +} diff --git a/src/OAuth2/ResourceServer.php b/src/OAuth2/ResourceServer.php index e7cc7d2f..f9e51fc5 100644 --- a/src/OAuth2/ResourceServer.php +++ b/src/OAuth2/ResourceServer.php @@ -13,7 +13,6 @@ namespace OAuth2; use OutOfBoundsException; use OAuth2\Storage\SessionInterface; -use OAuth2\Storage\SessionScopeInterface; use OAuth2\Util\RequestInterface; use OAuth2\Util\Request; @@ -164,24 +163,37 @@ class ResourceServer */ public function isValid() { - $access_token = $this->determineAccessToken(); + $accessToken = $this->determineAccessToken(); - $result = $this->storages['session']->validateAccessToken($access_token); + $result = $this->storages['session']->validateAccessToken($accessToken); if ( ! $result) { throw new Exception\InvalidAccessTokenException('Access token is not valid'); } - $this->accessToken = $access_token; - $this->sessionId = $result['id']; + $this->accessToken = $accessToken; + $this->sessionId = $result['session_id']; + $this->clientId = $result['client_id']; $this->ownerType = $result['owner_type']; $this->ownerId = $result['owner_id']; - $this->sessionScopes = $this->storages['session']->getScopes($this->sessionId); + $sessionScopes = $this->storages['session']->getScopes($this->accessToken); + foreach ($sessionScopes as $scope) { + $this->sessionScopes[] = $scope['key']; + } return true; } + /** + * Get the session scopes + * @return [type] [description] + */ + public function getScopes() + { + return $this->sessionScopes; + } + /** * Checks if the presented access token has the given scope(s). * @@ -216,17 +228,17 @@ class ResourceServer protected function determineAccessToken() { if ($header = $this->getRequest()->header('Authorization')) { - $access_token = base64_decode(trim(str_replace('Bearer', '', $header))); + $accessToken = trim(str_replace('Bearer', '', $header)); } else { $method = $this->getRequest()->server('REQUEST_METHOD'); - $access_token = $this->getRequest()->{$method}($this->tokenKey); + $accessToken = $this->getRequest()->{$method}($this->tokenKey); } - if (empty($access_token)) { + if (empty($accessToken)) { throw new Exception\InvalidAccessTokenException('Access token is missing'); } - return $access_token; + return $accessToken; } } diff --git a/src/OAuth2/Storage/ClientInterface.php b/src/OAuth2/Storage/ClientInterface.php index 408ff959..ee4437b8 100644 --- a/src/OAuth2/Storage/ClientInterface.php +++ b/src/OAuth2/Storage/ClientInterface.php @@ -48,7 +48,8 @@ interface ClientInterface * @param string $clientId The client's ID * @param string $clientSecret The client's secret (default = "null") * @param string $redirectUri The client's redirect URI (default = "null") + * @param string $grantType The grant type used in the request * @return bool|array Returns false if the validation fails, array on success */ - public function getClient($clientId = null, $clientSecret = null, $redirectUri = null); + public function getClient($clientId = null, $clientSecret = null, $redirectUri = null, $grantType = null); } \ No newline at end of file diff --git a/src/OAuth2/Storage/PDO/Client.php b/src/OAuth2/Storage/PDO/Client.php new file mode 100644 index 00000000..a972aa15 --- /dev/null +++ b/src/OAuth2/Storage/PDO/Client.php @@ -0,0 +1,45 @@ +prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_client_endpoints.redirect_uri = :redirectUri'); + $stmt->bindValue(':redirectUri', $redirectUri); + } + + elseif ( ! is_null($clientSecret) && is_null($redirectUri)) { + $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name FROM oauth_clients WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret'); + $stmt->bindValue(':clientSecret', $clientSecret); + } + + elseif ( ! is_null($clientSecret) && ! is_null($redirectUri)) { + $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND oauth_client_endpoints.redirect_uri = :redirectUri'); + $stmt->bindValue(':redirectUri', $redirectUri); + $stmt->bindValue(':clientSecret', $clientSecret); + } + + $stmt->bindValue(':clientId', $clientId); + $stmt->execute(); + + $row = $stmt->fetchObject(); + + if ($row === false) { + return false; + } + + return array( + 'client_id' => $row->id, + 'client_secret' => $row->secret, + 'redirect_uri' => (isset($row->redirect_uri)) ? $row->redirect_uri : null, + 'name' => $row->name + ); + } +} \ No newline at end of file diff --git a/src/OAuth2/Storage/PDO/Db.php b/src/OAuth2/Storage/PDO/Db.php new file mode 100644 index 00000000..0d47642e --- /dev/null +++ b/src/OAuth2/Storage/PDO/Db.php @@ -0,0 +1,12 @@ +prepare('SELECT * FROM oauth_scopes WHERE oauth_scopes.key = :scope'); + $stmt->bindValue(':scope', $scope); + $stmt->execute(); + + $row = $stmt->fetchObject(); + + if ($row === false) { + return false; + } + + return array( + 'id' => $row->id, + 'scope' => $row->key, + 'name' => $row->name, + 'description' => $row->description + ); + + } +} \ No newline at end of file diff --git a/src/OAuth2/Storage/PDO/Session.php b/src/OAuth2/Storage/PDO/Session.php new file mode 100644 index 00000000..a5121074 --- /dev/null +++ b/src/OAuth2/Storage/PDO/Session.php @@ -0,0 +1,267 @@ +prepare('INSERT INTO oauth_sessions (client_id, owner_type, owner_id) VALUE + (:clientId, :ownerType, :ownerId)'); + $stmt->bindValue(':clientId', $clientId); + $stmt->bindValue(':ownerType', $ownerType); + $stmt->bindValue(':ownerId', $ownerId); + $stmt->execute(); + + return $db->lastInsertId(); + } + + /** + * Delete a session + * @param string $clientId The client ID + * @param string $ownerType The type of the session owner (e.g. "user") + * @param string $ownerId The ID of the session owner (e.g. "123") + * @return void + */ + public function deleteSession($clientId, $ownerType, $ownerId) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('DELETE FROM oauth_sessions WHERE client_id = :clientId AND + owner_type = :type AND owner_id = :typeId'); + $stmt->bindValue(':clientId', $clientId); + $stmt->bindValue(':type', $ownerType); + $stmt->bindValue(':typeId', $ownerId); + $stmt->execute(); + } + + /** + * Associate a redirect URI with a session + * @param int $sessionId The session ID + * @param string $redirectUri The redirect URI + * @return void + */ + public function associateRedirectUri($sessionId, $redirectUri) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('INSERT INTO oauth_session_redirects (session_id, redirect_uri) + VALUE (:sessionId, :redirectUri)'); + $stmt->bindValue(':sessionId', $sessionId); + $stmt->bindValue(':redirectUri', $redirectUri); + $stmt->execute(); + } + + /** + * Associate an access token with a session + * @param int $sessionId The session ID + * @param string $accessToken The access token + * @param int $expireTime Unix timestamp of the access token expiry time + * @return void + */ + public function associateAccessToken($sessionId, $accessToken, $expireTime) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('INSERT INTO oauth_session_access_tokens (session_id, access_token, access_token_expires) + VALUE (:sessionId, :accessToken, :accessTokenExpire)'); + $stmt->bindValue(':sessionId', $sessionId); + $stmt->bindValue(':accessToken', $accessToken); + $stmt->bindValue(':accessTokenExpire', $expireTime); + $stmt->execute(); + + return $db->lastInsertId(); + } + + /** + * Remove an associated access token from a session + * @param int $sessionId The session ID + * @return void + */ + public function removeAccessToken($sessionId) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token) VALUE + (:accessTokenId, :refreshToken)'); + $stmt->bindValue(':accessTokenId', $accessTokenId); + $stmt->bindValue(':refreshToken', $params['refresh_token']); + $stmt->execute(); + } + + /** + * Associate a refresh token with a session + * @param int $accessTokenId The access token ID + * @param string $refreshToken The refresh token + * @return void + */ + public function associateRefreshToken($accessTokenId, $refreshToken) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token) VALUE + (:accessTokenId, :refreshToken)'); + $stmt->bindValue(':accessTokenId', $accessTokenId); + $stmt->bindValue(':refreshToken', $refreshToken); + $stmt->execute(); + } + + /** + * Assocate an authorization code with a session + * @param int $sessionId The session ID + * @param string $authCode The authorization code + * @param int $expireTime Unix timestamp of the access token expiry time + * @param string $scopeIds Comma seperated list of scope IDs to be later associated (default = null) + * @return void + */ + public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids) + VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds)'); + $stmt->bindValue(':sessionId', $sessionId); + $stmt->bindValue(':authCode', $authCode); + $stmt->bindValue(':authCodeExpires', $expireTime); + $stmt->bindValue(':scopeIds', $scopeIds); + $stmt->execute(); + } + + /** + * Remove an associated authorization token from a session + * @param int $sessionId The session ID + * @return void + */ + public function removeAuthCode($sessionId) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('DELETE FROM oauth_session_authcodes WHERE session_id = :sessionId'); + $stmt->bindValue(':sessionId', $sessionId); + $stmt->execute(); + } + + /** + * Validate an authorization code + * @param string $clientId The client ID + * @param string $redirectUri The redirect URI + * @param string $authCode The authorization code + * @return void + */ + public function validateAuthCode($clientId, $redirectUri, $authCode) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions JOIN + oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id JOIN + oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE + oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode AND + `oauth_session_authcodes`.`auth_code_expires` >= :time AND `oauth_session_redirects`.`redirect_uri` + = :redirectUri'); + $stmt->bindValue(':clientId', $clientId); + $stmt->bindValue(':redirectUri', $redirectUri); + $stmt->bindValue(':authCode', $authCode); + $stmt->bindValue(':time', time()); + $stmt->execute(); + + $result = $stmt->fetchObject(); + + return ($result === false) ? false : (array) $result; + } + + /** + * Validate an access token + * @param string $accessToken The access token to be validated + * @return void + */ + public function validateAccessToken($accessToken) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('SELECT session_id, oauth_sessions.`client_id`, oauth_sessions.`owner_id`, oauth_sessions.`owner_type` FROM `oauth_session_access_tokens` JOIN oauth_sessions ON oauth_sessions.`id` = session_id WHERE access_token = :accessToken AND access_token_expires >= ' . time()); + $stmt->bindValue(':accessToken', $accessToken); + $stmt->execute(); + + $result = $stmt->fetchObject(); + return ($result === false) ? false : (array) $result; + } + + /** + * Validate a refresh token + * @param string $refreshToken The access token + * @return void + */ + public function validateRefreshToken($refreshToken) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE + refresh_token = :refreshToken'); + $stmt->bindValue(':refreshToken', $refreshToken); + $stmt->execute(); + + $result = $stmt->fetchObject(); + return ($result === false) ? false : $result->session_access_token_id; + } + + /** + * Get an access token by ID + * @param int $accessTokenId The access token ID + * @return array + */ + public function getAccessToken($accessTokenId) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('SELECT * FROM `oauth_session_access_tokens` WHERE `id` = :accessTokenId'); + $stmt->bindValue(':accessTokenId', $accessTokenId); + $stmt->execute(); + + $result = $stmt->fetchObject(); + return ($result === false) ? false : (array) $result; + } + + /** + * Associate a scope with an access token + * @param int $accessTokenId The ID of the access token + * @param int $scopeId The ID of the scope + * @return void + */ + public function associateScope($accessTokenId, $scopeId) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('INSERT INTO `oauth_session_token_scopes` (`session_access_token_id`, `scope_id`) + VALUE (:accessTokenId, :scopeId)'); + $stmt->bindValue(':accessTokenId', $accessTokenId); + $stmt->bindValue(':scopeId', $scopeId); + $stmt->execute(); + } + + /** + * Get all associated access tokens for an access token + * @param string $accessToken The access token + * @return array + */ + public function getScopes($accessToken) + { + $db = \ezcDbInstance::get(); + + $stmt = $db->prepare('SELECT oauth_scopes.* FROM oauth_session_token_scopes JOIN oauth_session_access_tokens ON oauth_session_access_tokens.`id` = `oauth_session_token_scopes`.`session_access_token_id` JOIN oauth_scopes ON oauth_scopes.id = `oauth_session_token_scopes`.`scope_id` WHERE access_token = :accessToken'); + $stmt->bindValue(':accessToken', $accessToken); + $stmt->execute(); + + return $stmt->fetchAll(); + } +} \ No newline at end of file diff --git a/src/OAuth2/Storage/ScopeInterface.php b/src/OAuth2/Storage/ScopeInterface.php index 99c6689a..f254facc 100644 --- a/src/OAuth2/Storage/ScopeInterface.php +++ b/src/OAuth2/Storage/ScopeInterface.php @@ -34,8 +34,9 @@ interface ScopeInterface * ) * * - * @param string $scope The scope + * @param string $scope The scope + * @param string $clientId The client ID * @return bool|array If the scope doesn't exist return false */ - public function getScope($scope); + public function getScope($scope, $clientId = null, $grantType = null); } diff --git a/src/OAuth2/Storage/SessionInterface.php b/src/OAuth2/Storage/SessionInterface.php index 84651909..2933af6c 100644 --- a/src/OAuth2/Storage/SessionInterface.php +++ b/src/OAuth2/Storage/SessionInterface.php @@ -13,224 +13,115 @@ namespace OAuth2\Storage; interface SessionInterface { - /** - * Create a new OAuth session - * - * Example SQL query: - * - * - * INSERT INTO oauth_sessions (client_id, redirect_uri, owner_type, - * owner_id, auth_code, access_token, refresh_token, stage, first_requested, - * last_updated) VALUES ($clientId, $redirectUri, $type, $typeId, $authCode, - * $accessToken, $stage, UNIX_TIMESTAMP(NOW()), UNIX_TIMESTAMP(NOW())) - * - * - * @param string $clientId The client ID - * @param string $redirectUri The redirect URI - * @param string $type The session owner's type (default = "user") - * @param string $typeId The session owner's ID (default = "null") - * @param string $authCode The authorisation code (default = "null") - * @param string $accessToken The access token (default = "null") - * @param string $refreshToken The refresh token (default = "null") - * @param int $accessTokenExpire The expiry time of an access token as a unix timestamp - * @param string $stage The stage of the session (default ="request") - * @return int The session ID + /** + * Create a new session + * @param string $clientId The client ID + * @param string $ownerType The type of the session owner (e.g. "user") + * @param string $ownerId The ID of the session owner (e.g. "123") + * @return int The session ID */ - public function createSession( - $clientId, - $redirectUri, - $type = 'user', - $typeId = null, - $authCode = null, - $accessToken = null, - $refreshToken = null, - $accessTokenExpire = null, - $stage = 'requested' - ); + public function createSession($clientId, $ownerType, $ownerId); /** - * Update an OAuth session - * - * Example SQL query: - * - * - * UPDATE oauth_sessions SET auth_code = $authCode, access_token = - * $accessToken, stage = $stage, last_updated = UNIX_TIMESTAMP(NOW()) WHERE - * id = $sessionId - * - * - * @param string $sessionId The session ID - * @param string $authCode The authorisation code (default = "null") - * @param string $accessToken The access token (default = "null") - * @param string $refreshToken The refresh token (default = "null") - * @param int $accessTokenExpire The expiry time of an access token as a unix timestamp - * @param string $stage The stage of the session (default ="request") - * @return void + * Delete a session + * @param string $clientId The client ID + * @param string $ownerType The type of the session owner (e.g. "user") + * @param string $ownerId The ID of the session owner (e.g. "123") + * @return void */ - public function updateSession( - $sessionId, - $authCode = null, - $accessToken = null, - $refreshToken = null, - $accessTokenExpire = null, - $stage = 'requested' - ); + public function deleteSession($clientId, $ownerType, $ownerId); /** - * Delete an OAuth session - * - * - * DELETE FROM oauth_sessions WHERE client_id = $clientId AND owner_type = - * $type AND owner_id = $typeId - * - * - * @param string $clientId The client ID - * @param string $type The session owner's type - * @param string $typeId The session owner's ID - * @return void + * Associate a redirect URI with a session + * @param int $sessionId The session ID + * @param string $redirectUri The redirect URI + * @return void */ - public function deleteSession( - $clientId, - $type, - $typeId - ); + public function associateRedirectUri($sessionId, $redirectUri); /** - * Validate that an authorisation code is valid - * - * Example SQL query: - * - * - * SELECT id FROM oauth_sessions WHERE client_id = $clientID AND - * redirect_uri = $redirectUri AND auth_code = $authCode - * - * - * @param string $clientId The client ID - * @param string $redirectUri The redirect URI - * @param string $authCode The authorisation code - * @return int|bool Returns the session ID if the auth code - * is valid otherwise returns false + * Associate an access token with a session + * @param int $sessionId The session ID + * @param string $accessToken The access token + * @param int $expireTime Unix timestamp of the access token expiry time + * @return void */ - public function validateAuthCode( - $clientId, - $redirectUri, - $authCode - ); + public function associateAccessToken($sessionId, $accessToken, $expireTime); + + /** + * Remove an associated access token from a session + * @param int $sessionId The session ID + * @return void + */ + public function removeAccessToken($sessionId); + + /** + * Associate a refresh token with a session + * @param int $accessTokenId The access token ID + * @param string $refreshToken The refresh token + * @return void + */ + public function associateRefreshToken($accessTokenId, $refreshToken); + + /** + * Assocate an authorization code with a session + * @param int $sessionId The session ID + * @param string $authCode The authorization code + * @param int $expireTime Unix timestamp of the access token expiry time + * @param string $scopeIds Comma seperated list of scope IDs to be later associated (default = null) + * @return void + */ + public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null); + + /** + * Remove an associated authorization token from a session + * @param int $sessionId The session ID + * @return void + */ + public function removeAuthCode($sessionId); + + /** + * Validate an authorization code + * @param string $clientId The client ID + * @param string $redirectUri The redirect URI + * @param string $authCode The authorization code + * @return void + */ + public function validateAuthCode($clientId, $redirectUri, $authCode); /** * Validate an access token - * - * Example SQL query: - * - * - * SELECT id, owner_id, owner_type FROM oauth_sessions WHERE access_token = $accessToken - * - * - * Response: - * - * - * Array - * ( - * [id] => (int) The session ID - * [owner_type] => (string) The owner type - * [owner_id] => (string) The owner ID - * ) - * - * - * @param [type] $accessToken [description] - * @return [type] [description] + * @param string $accessToken [description] + * @return void */ public function validateAccessToken($accessToken); - /** - * Return the access token for a given session - * - * Example SQL query: - * - * - * SELECT access_token FROM oauth_sessions WHERE id = $sessionId - * - * - * @param int $sessionId The OAuth session ID - * @return string|null Returns the access token as a string if - * found otherwise returns null - */ - public function getAccessToken($sessionId); - /** * Validate a refresh token - * @param string $refreshToken The refresh token - * @param string $clientId The client ID - * @return int The session ID - */ - public function validateRefreshToken($refreshToken, $clientId); - - /** - * Update the refresh token - * - * Example SQL query: - * - * - * UPDATE oauth_sessions SET access_token = $newAccessToken, refresh_token = - * $newRefreshToken, access_toke_expires = $accessTokenExpires, last_updated = UNIX_TIMESTAMP(NOW()) WHERE - * id = $sessionId - * - * - * @param string $sessionId The session ID - * @param string $newAccessToken The new access token for this session - * @param string $newRefreshToken The new refresh token for the session - * @param int $accessTokenExpires The UNIX timestamp of when the new token expires + * @param string $refreshToken The access token * @return void */ - public function updateRefreshToken( - $sessionId, - $newAccessToken, - $newRefreshToken, - $accessTokenExpires - ); + public function validateRefreshToken($refreshToken); /** - * Associates a session with a scope - * - * Example SQL query: - * - * - * INSERT INTO oauth_session_scopes (session_id, scope_id) VALUE ($sessionId, - * $scopeId) - * - * - * @param int $sessionId The session ID - * @param string $scopeId The scope ID - * @return void - */ - public function associateScope($sessionId, $scopeId); - - /** - * Return the scopes associated with an access token - * - * Example SQL query: - * - * - * SELECT oauth_scopes.scope FROM oauth_session_scopes JOIN oauth_scopes ON - * oauth_session_scopes.scope_id = oauth_scopes.id WHERE - * session_id = $sessionId - * - * - * Response: - * - * - * Array - * ( - * [0] => (string) The scope - * [1] => (string) The scope - * [2] => (string) The scope - * ... - * ... - * ) - * - * - * @param int $sessionId The session ID + * Get an access token by ID + * @param int $accessTokenId The access token ID * @return array */ - public function getScopes($sessionId); + public function getAccessToken($accessTokenId); + + /** + * Associate a scope with an access token + * @param int $accessTokenId The ID of the access token + * @param int $scopeId The ID of the scope + * @return void + */ + public function associateScope($accessTokenId, $scopeId); + + /** + * Get all associated access tokens for an access token + * @param string $accessToken The access token + * @return array + */ + public function getScopes($accessToken); } diff --git a/tests/authorization/AuthCodeGrantTest.php b/tests/authorization/AuthCodeGrantTest.php new file mode 100644 index 00000000..38a8e27c --- /dev/null +++ b/tests/authorization/AuthCodeGrantTest.php @@ -0,0 +1,361 @@ +client = M::mock('OAuth2\Storage\ClientInterface'); + $this->session = M::mock('OAuth2\Storage\SessionInterface'); + $this->scope = M::mock('OAuth2\Storage\ScopeInterface'); + } + + private function returnDefault() + { + return new OAuth2\AuthServer($this->client, $this->session, $this->scope); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_noClientId() + { + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $g->checkAuthoriseParams(); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_noRedirectUri() + { + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $g->checkAuthoriseParams(array( + 'client_id' => 1234 + )); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_noRequiredState() + { + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $a->requireStateParam(true); + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect' + )); + } + + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 8 + */ + public function test_checkAuthoriseParams_badClient() + { + $this->client->shouldReceive('getClient')->andReturn(false); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect' + )); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_missingResponseType() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect' + )); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 3 + */ + public function test_checkAuthoriseParams_badResponseType() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'response_type' => 'foo' + )); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_checkAuthoriseParams_missingScopes() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); + + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'response_type' => 'code', + 'scope' => '' + )); + } + + public function test_checkAuthoriseParams_defaultScope() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->scope->shouldReceive('getScope')->andReturn(array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + )); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); + $a->setDefaultScope('test.scope'); + $a->requireScopeParam(false); + + $params = $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'response_type' => 'code', + 'scope' => '' + )); + + $this->assertArrayHasKey('scopes', $params); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 4 + */ + public function test_checkAuthoriseParams_badScopes() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->scope->shouldReceive('getScope')->andReturn(false); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); + + $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'response_type' => 'code', + 'scope' => 'foo' + )); + } + + public function test_checkAuthoriseParams_passedInput() + { + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); + + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->scope->shouldReceive('getScope')->andReturn(array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + )); + + $v = $g->checkAuthoriseParams(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'response_type' => 'code', + 'scope' => 'foo', + 'state' => 'xyz' + )); + + $this->assertEquals(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'client_details' => array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + ), + 'response_type' => 'code', + 'scopes' => array( + array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + ) + ), + 'scope' => 'foo', + 'state' => 'xyz' + ), $v); + } + + public function test_checkAuthoriseParams() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->scope->shouldReceive('getScope')->andReturn(array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + )); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); + + $_GET['client_id'] = 1234; + $_GET['redirect_uri'] = 'http://foo/redirect'; + $_GET['response_type'] = 'code'; + $_GET['scope'] = 'foo'; + $_GET['state'] = 'xyz'; + + $request = new OAuth2\Util\Request($_GET); + $a->setRequest($request); + + $v = $g->checkAuthoriseParams(); + + $this->assertEquals(array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'client_details' => array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + ), + 'response_type' => 'code', + 'scopes' => array( + array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + ) + ), + 'scope' => 'foo', + 'state' => 'xyz' + ), $v); + } + + + function test_newAuthoriseRequest() + { + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('associateScope')->andReturn(null); + $this->session->shouldReceive('associateRedirectUri')->andReturn(null); + $this->session->shouldReceive('associateAuthCode')->andReturn(null); + + $a = $this->returnDefault(); + $g = new OAuth2\Grant\AuthCode($a); + $a->addGrantType($g); + + $params = array( + 'client_id' => 1234, + 'redirect_uri' => 'http://foo/redirect', + 'client_details' => array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + ), + 'response_type' => 'code', + 'scopes' => array( + array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + ) + ) + ); + + $v = $g->newAuthoriseRequest('user', 123, $params); + + $this->assertEquals(40, strlen($v)); + } + + +} \ No newline at end of file diff --git a/tests/authorization/AuthServerTest.php b/tests/authorization/AuthServerTest.php index 6ab843f3..5ffa92fb 100644 --- a/tests/authorization/AuthServerTest.php +++ b/tests/authorization/AuthServerTest.php @@ -50,9 +50,18 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->assertEquals('access_denied', OAuth2\AuthServer::getExceptionType(2)); } + public function test_getExceptionHttpHeaders() + { + $this->assertEquals(array('HTTP/1.1 401 Unauthorized'), OAuth2\AuthServer::getExceptionHttpHeaders('access_denied')); + $this->assertEquals(array('HTTP/1.1 500 Internal Server Error'), OAuth2\AuthServer::getExceptionHttpHeaders('server_error')); + $this->assertEquals(array('HTTP/1.1 501 Not Implemented'), OAuth2\AuthServer::getExceptionHttpHeaders('unsupported_grant_type')); + $this->assertEquals(array('HTTP/1.1 400 Bad Request'), OAuth2\AuthServer::getExceptionHttpHeaders('invalid_refresh')); + } + public function test_hasGrantType() { - $this->assertFalse(OAuth2\AuthServer::hasGrantType('test')); + $a = $this->returnDefault(); + $this->assertFalse($a->hasGrantType('test')); } public function test_addGrantType() @@ -62,7 +71,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $grant->shouldReceive('getResponseType')->andReturn('test'); $a->addGrantType($grant, 'test'); - $this->assertTrue(OAuth2\AuthServer::hasGrantType('test')); + $this->assertTrue($a->hasGrantType('test')); } public function test_addGrantType_noIdentifier() @@ -73,7 +82,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $grant->shouldReceive('getResponseType')->andReturn('test'); $a->addGrantType($grant); - $this->assertTrue(OAuth2\AuthServer::hasGrantType('test')); + $this->assertTrue($a->hasGrantType('test')); } public function test_getScopeDelimeter() @@ -102,6 +111,34 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->assertFalse($v); } + public function test_scopeParamRequired() + { + $a = $this->returnDefault(); + $a->requireScopeParam(false); + + $this->assertFalse($a->scopeParamRequired()); + } + + public function test_setDefaultScope() + { + $a = $this->returnDefault(); + $a->setDefaultScope('test.default'); + + $reflector = new ReflectionClass($a); + $requestProperty = $reflector->getProperty('defaultScope'); + $requestProperty->setAccessible(true); + $v = $requestProperty->getValue($a); + + $this->assertEquals('test.default', $v); + } + + public function test_getDefaultScope() + { + $a = $this->returnDefault(); + $a->setDefaultScope('test.default'); + $this->assertEquals('test.default', $a->getDefaultScope()); + } + public function test_requireStateParam() { $a = $this->returnDefault(); @@ -119,7 +156,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase { $a = $this->returnDefault(); $a->setExpiresIn(7200); - $this->assertEquals(7200, $a::getExpiresIn()); + $this->assertEquals(7200, $a->getExpiresIn()); } public function test_setExpiresIn() @@ -138,7 +175,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $reflector = new ReflectionClass($a); $requestProperty = $reflector->getProperty('request'); $requestProperty->setAccessible(true); - $v = $requestProperty->getValue(); + $v = $requestProperty->getValue($a); $this->assertTrue($v instanceof OAuth2\Util\RequestInterface); } @@ -148,7 +185,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $a = $this->returnDefault(); $request = new OAuth2\Util\Request(); $a->setRequest($request); - $v = $a::getRequest(); + $v = $a->getRequest(); $this->assertTrue($v instanceof OAuth2\Util\RequestInterface); } @@ -159,274 +196,10 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->assertTrue($a->getStorage('session') instanceof OAuth2\Storage\SessionInterface); } - /** - * @expectedException OAuth2\Exception\ClientException - * @expectedExceptionCode 0 - */ - public function test_checkAuthoriseParams_noClientId() - { - $a = $this->returnDefault(); - $a->checkAuthoriseParams(); - } - - /** - * @expectedException OAuth2\Exception\ClientException - * @expectedExceptionCode 0 - */ - public function test_checkAuthoriseParams_noRedirectUri() - { - $a = $this->returnDefault(); - $a->checkAuthoriseParams(array( - 'client_id' => 1234 - )); - } - - /** - * @expectedException OAuth2\Exception\ClientException - * @expectedExceptionCode 8 - */ - public function test_checkAuthoriseParams_badClient() - { - $this->client->shouldReceive('getClient')->andReturn(false); - - $a = $this->returnDefault(); - $a->checkAuthoriseParams(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect' - )); - } - - /** - * @expectedException OAuth2\Exception\ClientException - * @expectedExceptionCode 0 - */ - public function test_checkAuthoriseParams_missingResponseType() - { - $this->client->shouldReceive('getClient')->andReturn(array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - )); - - $a = $this->returnDefault(); - $a->checkAuthoriseParams(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect' - )); - } - - /** - * @expectedException OAuth2\Exception\ClientException - * @expectedExceptionCode 3 - */ - public function test_checkAuthoriseParams_badResponseType() - { - $this->client->shouldReceive('getClient')->andReturn(array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - )); - - $a = $this->returnDefault(); - $a->checkAuthoriseParams(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect', - 'response_type' => 'foo' - )); - } - - /** - * @expectedException OAuth2\Exception\ClientException - * @expectedExceptionCode 0 - */ - public function test_checkAuthoriseParams_missingScopes() - { - $this->client->shouldReceive('getClient')->andReturn(array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - )); - - $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); - - $a->checkAuthoriseParams(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect', - 'response_type' => 'code', - 'scope' => '' - )); - } - - /** - * @expectedException OAuth2\Exception\ClientException - * @expectedExceptionCode 4 - */ - public function test_checkAuthoriseParams_badScopes() - { - $this->client->shouldReceive('getClient')->andReturn(array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - )); - - $this->scope->shouldReceive('getScope')->andReturn(false); - - $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); - - $a->checkAuthoriseParams(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect', - 'response_type' => 'code', - 'scope' => 'foo' - )); - } - - public function test_checkAuthoriseParams_passedInput() - { - $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); - - $this->client->shouldReceive('getClient')->andReturn(array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - )); - - $this->scope->shouldReceive('getScope')->andReturn(array( - 'id' => 1, - 'scope' => 'foo', - 'name' => 'Foo Name', - 'description' => 'Foo Name Description' - )); - - $v = $a->checkAuthoriseParams(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect', - 'response_type' => 'code', - 'scope' => 'foo', - 'state' => 'xyz' - )); - - $this->assertEquals(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect', - 'client_details' => array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - ), - 'response_type' => 'code', - 'scopes' => array( - array( - 'id' => 1, - 'scope' => 'foo', - 'name' => 'Foo Name', - 'description' => 'Foo Name Description' - ) - ), - 'scope' => 'foo', - 'state' => 'xyz' - ), $v); - } - - public function test_checkAuthoriseParams() - { - $this->client->shouldReceive('getClient')->andReturn(array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - )); - - $this->scope->shouldReceive('getScope')->andReturn(array( - 'id' => 1, - 'scope' => 'foo', - 'name' => 'Foo Name', - 'description' => 'Foo Name Description' - )); - - $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); - - $_GET['client_id'] = 1234; - $_GET['redirect_uri'] = 'http://foo/redirect'; - $_GET['response_type'] = 'code'; - $_GET['scope'] = 'foo'; - $_GET['state'] = 'xyz'; - - $request = new OAuth2\Util\Request($_GET); - $a->setRequest($request); - - $v = $a->checkAuthoriseParams(); - - $this->assertEquals(array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect', - 'client_details' => array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - ), - 'response_type' => 'code', - 'scopes' => array( - array( - 'id' => 1, - 'scope' => 'foo', - 'name' => 'Foo Name', - 'description' => 'Foo Name Description' - ) - ), - 'scope' => 'foo', - 'state' => 'xyz' - ), $v); - } - - function test_newAuthoriseRequest() - { - $this->session->shouldReceive('deleteSession')->andReturn(null); - $this->session->shouldReceive('createSession')->andReturn(1); - $this->session->shouldReceive('associateScope')->andReturn(null); - - $a = $this->returnDefault(); - - $params = array( - 'client_id' => 1234, - 'redirect_uri' => 'http://foo/redirect', - 'client_details' => array( - 'client_id' => 1234, - 'client_secret' => 5678, - 'redirect_uri' => 'http://foo/redirect', - 'name' => 'Example Client' - ), - 'response_type' => 'code', - 'scopes' => array( - array( - 'id' => 1, - 'scope' => 'foo', - 'name' => 'Foo Name', - 'description' => 'Foo Name Description' - ) - ) - ); - - $v = $a->newAuthoriseRequest('user', 123, $params); - - $this->assertEquals(40, strlen($v)); - } - public function test_getGrantType() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $reflector = new ReflectionClass($a); $method = $reflector->getMethod('getGrantType'); @@ -444,7 +217,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_missingGrantType() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(); } @@ -456,7 +229,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_badGrantType() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array('grant_type' => 'foo')); } @@ -468,7 +241,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_missingClientId() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'authorization_code' @@ -482,7 +255,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_missingClientSecret() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'authorization_code', @@ -497,7 +270,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_missingRedirectUri() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'authorization_code', @@ -515,7 +288,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->client->shouldReceive('getClient')->andReturn(false); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'authorization_code', @@ -534,7 +307,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->client->shouldReceive('getClient')->andReturn(array()); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'authorization_code', @@ -554,7 +327,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('validateAuthCode')->andReturn(false); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'authorization_code', @@ -574,11 +347,17 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase 'name' => 'Example Client' )); - $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(array( + 'id' => 1, + 'scope_ids' => '1' + )); $this->session->shouldReceive('updateSession')->andReturn(null); + $this->session->shouldReceive('removeAuthCode')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + $this->session->shouldReceive('associateScope')->andReturn(null); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'authorization_code', @@ -593,8 +372,8 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires', $v); $this->assertArrayHasKey('expires_in', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } public function test_issueAccessToken() @@ -608,9 +387,11 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('updateSession')->andReturn(null); + $this->session->shouldReceive('removeAuthCode')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); $_POST['grant_type'] = 'authorization_code'; $_POST['client_id'] = 1234; @@ -628,8 +409,45 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires', $v); $this->assertArrayHasKey('expires_in', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); + } + + public function test_issueAccessToken_HTTP_auth() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('updateSession')->andReturn(null); + $this->session->shouldReceive('removeAuthCode')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + + $a = $this->returnDefault(); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); + + $_POST['grant_type'] = 'authorization_code'; + $_SERVER['PHP_AUTH_USER'] = 1234; + $_SERVER['PHP_AUTH_PW'] = 5678; + $_POST['redirect_uri'] = 'http://foo/redirect'; + $_POST['code'] = 'foobar'; + + $request = new OAuth2\Util\Request(array(), $_POST, array(), array(), $_SERVER); + $a->setRequest($request); + + $v = $a->issueAccessToken(); + + $this->assertArrayHasKey('access_token', $v); + $this->assertArrayHasKey('token_type', $v); + $this->assertArrayHasKey('expires', $v); + $this->assertArrayHasKey('expires_in', $v); + + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } public function tearDown() { diff --git a/tests/authorization/ClientCredentialsGrantTest.php b/tests/authorization/ClientCredentialsGrantTest.php index 72e68919..327030d9 100644 --- a/tests/authorization/ClientCredentialsGrantTest.php +++ b/tests/authorization/ClientCredentialsGrantTest.php @@ -27,7 +27,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_clientCredentialsGrant_missingClientId() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\ClientCredentials()); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -44,7 +44,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_clientCredentialsGrant_missingClientPassword() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\ClientCredentials()); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -64,7 +64,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase $this->client->shouldReceive('getClient')->andReturn(false); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\ClientCredentials()); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -76,6 +76,137 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase )); } + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_clientCredentialsGrant_missingScopes() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + + $a = $this->returnDefault(); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); + $a->requireScopeParam(true); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'client_credentials', + 'client_id' => 1234, + 'client_secret' => 5678 + )); + } + + public function test_issueAccessToken_clientCredentialsGrant_defaultScope() + { + $this->scope->shouldReceive('getScope')->andReturn(array( + 'id' => 1, + 'key' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + )); + + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('associateScope')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + + $a = $this->returnDefault(); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); + $a->requireScopeParam(false); + $a->setDefaultScope('foobar'); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'client_credentials', + 'client_id' => 1234, + 'client_secret' => 5678, + 'scope' => '' + )); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 4 + */ + public function test_issueAccessToken_clientCredentialsGrant_badScope() + { + $this->scope->shouldReceive('getScope')->andReturn(false); + + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('associateScope')->andReturn(null); + + $a = $this->returnDefault(); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'client_credentials', + 'client_id' => 1234, + 'client_secret' => 5678, + 'scope' => 'blah' + )); + } + + public function test_issueAccessToken_clientCredentialsGrant_goodScope() + { + $this->scope->shouldReceive('getScope')->andReturn(array( + 'id' => 1, + 'key' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + )); + + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('associateScope')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + + $a = $this->returnDefault(); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'client_credentials', + 'client_id' => 1234, + 'client_secret' => 5678, + 'scope' => 'blah' + )); + } + function test_issueAccessToken_clientCredentialsGrant_passedInput() { $this->client->shouldReceive('getClient')->andReturn(array( @@ -90,15 +221,16 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('createSession')->andReturn(1); $this->session->shouldReceive('deleteSession')->andReturn(null); - $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\ClientCredentials()); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); + $a->requireScopeParam(false); $v = $a->issueAccessToken(array( 'grant_type' => 'client_credentials', 'client_id' => 1234, - 'client_secret' => 5678 + 'client_secret' => 5678, )); $this->assertArrayHasKey('access_token', $v); @@ -106,8 +238,8 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires', $v); $this->assertArrayHasKey('expires_in', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } function test_issueAccessToken_clientCredentialsGrant() @@ -124,10 +256,11 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('createSession')->andReturn(1); $this->session->shouldReceive('deleteSession')->andReturn(null); - $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\ClientCredentials()); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); + $a->requireScopeParam(false); $_POST['grant_type'] = 'client_credentials'; $_POST['client_id'] = 1234; @@ -143,8 +276,8 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires', $v); $this->assertArrayHasKey('expires_in', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } function test_issueAccessToken_clientCredentialsGrant_withRefreshToken() @@ -161,11 +294,11 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('createSession')->andReturn(1); $this->session->shouldReceive('deleteSession')->andReturn(null); - $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\ClientCredentials()); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\ClientCredentials($a)); + $a->requireScopeParam(false); $_POST['grant_type'] = 'client_credentials'; $_POST['client_id'] = 1234; @@ -180,10 +313,9 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('token_type', $v); $this->assertArrayHasKey('expires', $v); $this->assertArrayHasKey('expires_in', $v); - $this->assertArrayHasKey('refresh_token', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } } \ No newline at end of file diff --git a/tests/authorization/PasswordGrantTest.php b/tests/authorization/PasswordGrantTest.php index ac6a7c83..bb54d808 100644 --- a/tests/authorization/PasswordGrantTest.php +++ b/tests/authorization/PasswordGrantTest.php @@ -27,7 +27,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_passwordGrant_missingClientId() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\Password()); + $a->addGrantType(new OAuth2\Grant\Password($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -44,7 +44,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_passwordGrant_missingClientPassword() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\Password()); + $a->addGrantType(new OAuth2\Grant\Password($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -64,7 +64,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $this->client->shouldReceive('getClient')->andReturn(false); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\Password()); + $a->addGrantType(new OAuth2\Grant\Password($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -98,7 +98,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $testCredentials = null; $a = $this->returnDefault(); - $pgrant = new OAuth2\Grant\Password(); + $pgrant = new OAuth2\Grant\Password($a); $pgrant->setVerifyCredentialsCallback($testCredentials); $a->addGrantType($pgrant); @@ -134,7 +134,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $testCredentials = function($u, $p) { return false; }; $a = $this->returnDefault(); - $pgrant = new OAuth2\Grant\Password(); + $pgrant = new OAuth2\Grant\Password($a); $pgrant->setVerifyCredentialsCallback($testCredentials); $a->addGrantType($pgrant); @@ -168,7 +168,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $testCredentials = function($u, $p) { return false; }; $a = $this->returnDefault(); - $pgrant = new OAuth2\Grant\Password(); + $pgrant = new OAuth2\Grant\Password($a); $pgrant->setVerifyCredentialsCallback($testCredentials); $a->addGrantType($pgrant); @@ -203,7 +203,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $testCredentials = function($u, $p) { return false; }; $a = $this->returnDefault(); - $pgrant = new OAuth2\Grant\Password(); + $pgrant = new OAuth2\Grant\Password($a); $pgrant->setVerifyCredentialsCallback($testCredentials); $a->addGrantType($pgrant); @@ -216,6 +216,164 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase )); } + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 4 + */ + public function test_issueAccessToken_passwordGrant_badScopes() + { + $this->scope->shouldReceive('getScope')->andReturn(false); + + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + + $testCredentials = function($u, $p) { return 1; }; + + $a = $this->returnDefault(); + $pgrant = new OAuth2\Grant\Password($a); + $pgrant->setVerifyCredentialsCallback($testCredentials); + $a->addGrantType($pgrant); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'password', + 'client_id' => 1234, + 'client_secret' => 5678, + 'username' => 'foo', + 'password' => 'bar', + 'scope' => 'blah' + )); + } + + /** + * @expectedException OAuth2\Exception\ClientException + * @expectedExceptionCode 0 + */ + public function test_issueAccessToken_passwordGrant_missingScopes() + { + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + + $testCredentials = function($u, $p) { return 1; }; + + $a = $this->returnDefault(); + $pgrant = new OAuth2\Grant\Password($a); + $pgrant->setVerifyCredentialsCallback($testCredentials); + $a->addGrantType($pgrant); + $a->requireScopeParam(true); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'password', + 'client_id' => 1234, + 'client_secret' => 5678, + 'username' => 'foo', + 'password' => 'bar' + )); + } + + public function test_issueAccessToken_passwordGrant_defaultScope() + { + $this->scope->shouldReceive('getScope')->andReturn(array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + )); + + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateScope')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + + $testCredentials = function($u, $p) { return 1; }; + + $a = $this->returnDefault(); + $pgrant = new OAuth2\Grant\Password($a); + $pgrant->setVerifyCredentialsCallback($testCredentials); + $a->addGrantType($pgrant); + $a->requireScopeParam(false); + $a->setDefaultScope('foobar'); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'password', + 'client_id' => 1234, + 'client_secret' => 5678, + 'username' => 'foo', + 'password' => 'bar', + 'scope' => '' + )); + } + + public function test_issueAccessToken_passwordGrant_goodScope() + { + $this->scope->shouldReceive('getScope')->andReturn(array( + 'id' => 1, + 'scope' => 'foo', + 'name' => 'Foo Name', + 'description' => 'Foo Name Description' + )); + + $this->client->shouldReceive('getClient')->andReturn(array( + 'client_id' => 1234, + 'client_secret' => 5678, + 'redirect_uri' => 'http://foo/redirect', + 'name' => 'Example Client' + )); + + $this->client->shouldReceive('validateRefreshToken')->andReturn(1); + $this->session->shouldReceive('validateAuthCode')->andReturn(1); + $this->session->shouldReceive('createSession')->andReturn(1); + $this->session->shouldReceive('deleteSession')->andReturn(null); + $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateScope')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + + $testCredentials = function($u, $p) { return 1; }; + + $a = $this->returnDefault(); + $pgrant = new OAuth2\Grant\Password($a); + $pgrant->setVerifyCredentialsCallback($testCredentials); + $a->addGrantType($pgrant); + + $v = $a->issueAccessToken(array( + 'grant_type' => 'password', + 'client_id' => 1234, + 'client_secret' => 5678, + 'username' => 'foo', + 'password' => 'bar', + 'scope' => 'blah' + )); + } + function test_issueAccessToken_passwordGrant_passedInput() { $this->client->shouldReceive('getClient')->andReturn(array( @@ -231,13 +389,15 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('createSession')->andReturn(1); $this->session->shouldReceive('deleteSession')->andReturn(null); $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); $testCredentials = function($u, $p) { return 1; }; $a = $this->returnDefault(); - $pgrant = new OAuth2\Grant\Password(); + $pgrant = new OAuth2\Grant\Password($a); $pgrant->setVerifyCredentialsCallback($testCredentials); $a->addGrantType($pgrant); + $a->requireScopeParam(false); $v = $a->issueAccessToken(array( 'grant_type' => 'password', @@ -252,8 +412,8 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires', $v); $this->assertArrayHasKey('expires_in', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } function test_issueAccessToken_passwordGrant() @@ -271,13 +431,15 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('createSession')->andReturn(1); $this->session->shouldReceive('deleteSession')->andReturn(null); $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); $testCredentials = function($u, $p) { return 1; }; $a = $this->returnDefault(); - $pgrant = new OAuth2\Grant\Password(); + $pgrant = new OAuth2\Grant\Password($a); $pgrant->setVerifyCredentialsCallback($testCredentials); $a->addGrantType($pgrant); + $a->requireScopeParam(false); $_POST['grant_type'] = 'password'; $_POST['client_id'] = 1234; @@ -295,8 +457,8 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires', $v); $this->assertArrayHasKey('expires_in', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } function test_issueAccessToken_passwordGrant_withRefreshToken() @@ -309,19 +471,21 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase )); $this->client->shouldReceive('validateRefreshToken')->andReturn(1); - $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('createSession')->andReturn(1); $this->session->shouldReceive('deleteSession')->andReturn(null); $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + $this->session->shouldReceive('associateRefreshToken')->andReturn(null); $testCredentials = function($u, $p) { return 1; }; $a = $this->returnDefault(); - $pgrant = new OAuth2\Grant\Password(); + $pgrant = new OAuth2\Grant\Password($a); $pgrant->setVerifyCredentialsCallback($testCredentials); $a->addGrantType($pgrant); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); + $a->requireScopeParam(false); $_POST['grant_type'] = 'password'; $_POST['client_id'] = 1234; @@ -340,8 +504,8 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires_in', $v); $this->assertArrayHasKey('refresh_token', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } } \ No newline at end of file diff --git a/tests/authorization/RefreshTokenTest.php b/tests/authorization/RefreshTokenTest.php index 556477b3..188eb6fb 100644 --- a/tests/authorization/RefreshTokenTest.php +++ b/tests/authorization/RefreshTokenTest.php @@ -31,10 +31,13 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('updateSession')->andReturn(null); + $this->session->shouldReceive('removeAuthCode')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + $this->session->shouldReceive('associateRefreshToken')->andReturn(1); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\AuthCode()); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\AuthCode($a)); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $_POST['grant_type'] = 'authorization_code'; $_POST['client_id'] = 1234; @@ -53,8 +56,8 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires_in', $v); $this->assertArrayHasKey('refresh_token', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } /** @@ -64,7 +67,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_refreshTokenGrant_missingClientId() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -81,7 +84,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_refreshTokenGrant_missingClientSecret() { $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -101,7 +104,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase $this->client->shouldReceive('getClient')->andReturn(false); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -122,7 +125,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase $this->client->shouldReceive('getClient')->andReturn(array()); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -142,10 +145,10 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase public function test_issueAccessToken_refreshTokenGrant_badRefreshToken() { $this->client->shouldReceive('getClient')->andReturn(array()); - $this->client->shouldReceive('validateRefreshToken')->andReturn(false); + $this->session->shouldReceive('validateRefreshToken')->andReturn(false); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $request = new OAuth2\Util\Request(array(), $_POST); $a->setRequest($request); @@ -167,14 +170,17 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase 'name' => 'Example Client' )); - $this->client->shouldReceive('validateRefreshToken')->andReturn(1); - + $this->session->shouldReceive('validateRefreshToken')->andReturn(1); $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('updateSession')->andReturn(null); $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + $this->session->shouldReceive('associateRefreshToken')->andReturn(1); + $this->session->shouldReceive('getAccessToken')->andReturn(null); + $this->session->shouldReceive('getScopes')->andReturn(array()); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $_POST['grant_type'] = 'refresh_token'; $_POST['client_id'] = 1234; @@ -192,8 +198,8 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires_in', $v); $this->assertArrayHasKey('refresh_token', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } public function test_issueAccessToken_refreshTokenGrant() @@ -205,14 +211,18 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase 'name' => 'Example Client' )); - $this->client->shouldReceive('validateRefreshToken')->andReturn(1); - + $this->session->shouldReceive('validateRefreshToken')->andReturn(1); $this->session->shouldReceive('validateAuthCode')->andReturn(1); $this->session->shouldReceive('updateSession')->andReturn(null); $this->session->shouldReceive('updateRefreshToken')->andReturn(null); + $this->session->shouldReceive('getAccessToken')->andReturn(null); + $this->session->shouldReceive('getScopes')->andReturn(array('id' => 1)); + $this->session->shouldReceive('associateAccessToken')->andReturn(1); + $this->session->shouldReceive('associateRefreshToken')->andReturn(1); + $this->session->shouldReceive('associateScope')->andReturn(null); $a = $this->returnDefault(); - $a->addGrantType(new OAuth2\Grant\RefreshToken()); + $a->addGrantType(new OAuth2\Grant\RefreshToken($a)); $v = $a->issueAccessToken(array( 'grant_type' => 'refresh_token', @@ -227,7 +237,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase $this->assertArrayHasKey('expires_in', $v); $this->assertArrayHasKey('refresh_token', $v); - $this->assertEquals($a::getExpiresIn(), $v['expires_in']); - $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']); + $this->assertEquals($a->getExpiresIn(), $v['expires_in']); + $this->assertEquals(time()+$a->getExpiresIn(), $v['expires']); } } \ No newline at end of file diff --git a/tests/resource/ResourceServerTest.php b/tests/resource/ResourceServerTest.php index c6bc058d..f4e16c16 100644 --- a/tests/resource/ResourceServerTest.php +++ b/tests/resource/ResourceServerTest.php @@ -59,6 +59,12 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase $this->assertEquals('oauth_token', $v); } + public function test_getScopes() + { + $s = $this->returnDefault(); + $this->assertEquals(array(), $s->getScopes()); + } + /** * @expectedException OAuth2\Exception\InvalidAccessTokenException */ @@ -85,7 +91,7 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase $param = $requestReflector->getProperty('headers'); $param->setAccessible(true); $param->setValue($request, array( - 'Authorization' => 'Bearer YWJjZGVm' + 'Authorization' => 'Bearer abcdef' )); $s = $this->returnDefault(); $s->setRequest($request); @@ -131,7 +137,7 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase $param = $requestReflector->getProperty('headers'); $param->setAccessible(true); $param->setValue($request, array( - 'Authorization' => 'Bearer YWJjZGVm' + 'Authorization' => 'Bearer abcdef' )); $s = $this->returnDefault(); $s->setRequest($request); @@ -142,19 +148,25 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase public function test_isValid_valid() { $this->session->shouldReceive('validateAccessToken')->andReturn(array( - 'id' => 1, - 'owner_type' => 'user', - 'owner_id' => 123 + 'session_id' => 1, + 'owner_type' => 'user', + 'owner_id' => 123, + 'client_id' => 'testapp' )); - $this->session->shouldReceive('getScopes')->andReturn(array('foo', 'bar')); + + $this->session->shouldReceive('getScopes')->andReturn(array( + array('key' => 'foo'), + array('key' => 'bar') + )); $request = new OAuth2\Util\Request(); $requestReflector = new ReflectionClass($request); $param = $requestReflector->getProperty('headers'); $param->setAccessible(true); $param->setValue($request, array( - 'Authorization' => 'Bearer YWJjZGVm' + 'Authorization' => 'Bearer abcdef' )); + $s = $this->returnDefault(); $s->setRequest($request);