123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599 |
- <?php
- /**
- * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
- namespace OCA\OAuth2\Tests\Controller;
- use OC\Authentication\Exceptions\ExpiredTokenException;
- use OC\Authentication\Exceptions\InvalidTokenException;
- use OC\Authentication\Token\IProvider as TokenProvider;
- use OC\Authentication\Token\PublicKeyToken;
- use OCA\OAuth2\Controller\OauthApiController;
- use OCA\OAuth2\Db\AccessToken;
- use OCA\OAuth2\Db\AccessTokenMapper;
- use OCA\OAuth2\Db\Client;
- use OCA\OAuth2\Db\ClientMapper;
- use OCA\OAuth2\Exceptions\AccessTokenNotFoundException;
- use OCA\OAuth2\Exceptions\ClientNotFoundException;
- use OCP\AppFramework\Http;
- use OCP\AppFramework\Http\JSONResponse;
- use OCP\AppFramework\Utility\ITimeFactory;
- use OCP\IRequest;
- use OCP\Security\Bruteforce\IThrottler;
- use OCP\Security\ICrypto;
- use OCP\Security\ISecureRandom;
- use Psr\Log\LoggerInterface;
- use Test\TestCase;
- /* We have to use this to add a property to the mocked request and avoid warnings about dynamic properties on PHP>=8.2 */
- abstract class RequestMock implements IRequest {
- public array $server = [];
- }
- class OauthApiControllerTest extends TestCase {
- /** @var IRequest|\PHPUnit\Framework\MockObject\MockObject */
- private $request;
- /** @var ICrypto|\PHPUnit\Framework\MockObject\MockObject */
- private $crypto;
- /** @var AccessTokenMapper|\PHPUnit\Framework\MockObject\MockObject */
- private $accessTokenMapper;
- /** @var ClientMapper|\PHPUnit\Framework\MockObject\MockObject */
- private $clientMapper;
- /** @var TokenProvider|\PHPUnit\Framework\MockObject\MockObject */
- private $tokenProvider;
- /** @var ISecureRandom|\PHPUnit\Framework\MockObject\MockObject */
- private $secureRandom;
- /** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
- private $time;
- /** @var IThrottler|\PHPUnit\Framework\MockObject\MockObject */
- private $throttler;
- /** @var LoggerInterface|\PHPUnit\Framework\MockObject\MockObject */
- private $logger;
- /** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
- private $timeFactory;
- /** @var OauthApiController */
- private $oauthApiController;
- protected function setUp(): void {
- parent::setUp();
- $this->request = $this->createMock(RequestMock::class);
- $this->crypto = $this->createMock(ICrypto::class);
- $this->accessTokenMapper = $this->createMock(AccessTokenMapper::class);
- $this->clientMapper = $this->createMock(ClientMapper::class);
- $this->tokenProvider = $this->createMock(TokenProvider::class);
- $this->secureRandom = $this->createMock(ISecureRandom::class);
- $this->time = $this->createMock(ITimeFactory::class);
- $this->throttler = $this->createMock(IThrottler::class);
- $this->logger = $this->createMock(LoggerInterface::class);
- $this->timeFactory = $this->createMock(ITimeFactory::class);
- $this->oauthApiController = new OauthApiController(
- 'oauth2',
- $this->request,
- $this->crypto,
- $this->accessTokenMapper,
- $this->clientMapper,
- $this->tokenProvider,
- $this->secureRandom,
- $this->time,
- $this->logger,
- $this->throttler,
- $this->timeFactory
- );
- }
- public function testGetTokenInvalidGrantType() {
- $expected = new JSONResponse([
- 'error' => 'invalid_grant',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_grant' => 'foo']);
- $this->assertEquals($expected, $this->oauthApiController->getToken('foo', null, null, null, null));
- }
- public function testGetTokenInvalidCode() {
- $expected = new JSONResponse([
- 'error' => 'invalid_request',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidcode']);
- $this->accessTokenMapper->method('getByCode')
- ->with('invalidcode')
- ->willThrowException(new AccessTokenNotFoundException());
- $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'invalidcode', null, null, null));
- }
- public function testGetTokenExpiredCode() {
- $codeCreatedAt = 100;
- $expiredSince = 123;
- $expected = new JSONResponse([
- 'error' => 'invalid_request',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'authorization_code_expired', 'expired_since' => $expiredSince]);
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $accessToken->setCodeCreatedAt($codeCreatedAt);
- $this->accessTokenMapper->method('getByCode')
- ->with('validcode')
- ->willReturn($accessToken);
- $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER + $expiredSince;
- $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow);
- $this->timeFactory->method('now')
- ->willReturn($dateNow);
- $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
- }
- public function testGetTokenWithCodeForActiveToken() {
- // if a token has already delivered oauth tokens,
- // it should not be possible to get a new oauth token from a valid authorization code
- $codeCreatedAt = 100;
- $expected = new JSONResponse([
- 'error' => 'invalid_request',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $accessToken->setCodeCreatedAt($codeCreatedAt);
- $accessToken->setTokenCount(1);
- $this->accessTokenMapper->method('getByCode')
- ->with('validcode')
- ->willReturn($accessToken);
- $tsNow = $codeCreatedAt + 1;
- $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow);
- $this->timeFactory->method('now')
- ->willReturn($dateNow);
- $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
- }
- public function testGetTokenClientDoesNotExist() {
- // In this test, the token's authorization code is valid and has not expired
- // and we check what happens when the associated Oauth client does not exist
- $codeCreatedAt = 100;
- $expected = new JSONResponse([
- 'error' => 'invalid_request',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'client not found', 'client_id' => 42]);
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $accessToken->setCodeCreatedAt($codeCreatedAt);
- $this->accessTokenMapper->method('getByCode')
- ->with('validcode')
- ->willReturn($accessToken);
- // 'now' is before the token's authorization code expiration
- $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER - 1;
- $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow);
- $this->timeFactory->method('now')
- ->willReturn($dateNow);
- $this->clientMapper->method('getByUid')
- ->with(42)
- ->willThrowException(new ClientNotFoundException());
- $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
- }
- public function testRefreshTokenInvalidRefreshToken() {
- $expected = new JSONResponse([
- 'error' => 'invalid_request',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidrefresh']);
- $this->accessTokenMapper->method('getByCode')
- ->with('invalidrefresh')
- ->willThrowException(new AccessTokenNotFoundException());
- $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'invalidrefresh', null, null));
- }
- public function testRefreshTokenClientDoesNotExist() {
- $expected = new JSONResponse([
- 'error' => 'invalid_request',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'client not found', 'client_id' => 42]);
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $this->accessTokenMapper->method('getByCode')
- ->with('validrefresh')
- ->willReturn($accessToken);
- $this->clientMapper->method('getByUid')
- ->with(42)
- ->willThrowException(new ClientNotFoundException());
- $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null));
- }
- public function invalidClientProvider() {
- return [
- ['invalidClientId', 'invalidClientSecret'],
- ['clientId', 'invalidClientSecret'],
- ['invalidClientId', 'clientSecret'],
- ];
- }
- /**
- * @dataProvider invalidClientProvider
- *
- * @param string $clientId
- * @param string $clientSecret
- */
- public function testRefreshTokenInvalidClient($clientId, $clientSecret) {
- $expected = new JSONResponse([
- 'error' => 'invalid_client',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_client' => 'client ID or secret does not match']);
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $this->accessTokenMapper->method('getByCode')
- ->with('validrefresh')
- ->willReturn($accessToken);
- $client = new Client();
- $client->setClientIdentifier('clientId');
- $client->setSecret('clientSecret');
- $this->clientMapper->method('getByUid')
- ->with(42)
- ->willReturn($client);
- $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', $clientId, $clientSecret));
- }
- public function testRefreshTokenInvalidAppToken() {
- $expected = new JSONResponse([
- 'error' => 'invalid_request',
- ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'token is invalid']);
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $accessToken->setTokenId(1337);
- $accessToken->setEncryptedToken('encryptedToken');
- $this->accessTokenMapper->method('getByCode')
- ->with('validrefresh')
- ->willReturn($accessToken);
- $client = new Client();
- $client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
- $this->clientMapper->method('getByUid')
- ->with(42)
- ->willReturn($client);
- $this->crypto
- ->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
- $this->tokenProvider->method('getTokenById')
- ->with(1337)
- ->willThrowException(new InvalidTokenException());
- $this->accessTokenMapper->expects($this->once())
- ->method('delete')
- ->with($accessToken);
- $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
- }
- public function testRefreshTokenValidAppToken() {
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $accessToken->setTokenId(1337);
- $accessToken->setEncryptedToken('encryptedToken');
- $this->accessTokenMapper->method('getByCode')
- ->with('validrefresh')
- ->willReturn($accessToken);
- $client = new Client();
- $client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
- $this->clientMapper->method('getByUid')
- ->with(42)
- ->willReturn($client);
- $this->crypto
- ->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
- $appToken = new PublicKeyToken();
- $appToken->setUid('userId');
- $this->tokenProvider->method('getTokenById')
- ->with(1337)
- ->willThrowException(new ExpiredTokenException($appToken));
- $this->accessTokenMapper->expects($this->never())
- ->method('delete')
- ->with($accessToken);
- $this->secureRandom->method('generate')
- ->willReturnCallback(function ($len) {
- return 'random'.$len;
- });
- $this->tokenProvider->expects($this->once())
- ->method('rotate')
- ->with(
- $appToken,
- 'decryptedToken',
- 'random72'
- )->willReturn($appToken);
- $this->time->method('getTime')
- ->willReturn(1000);
- $this->tokenProvider->expects($this->once())
- ->method('updateToken')
- ->with(
- $this->callback(function (PublicKeyToken $token) {
- return $token->getExpires() === 4600;
- })
- );
- $this->crypto->method('encrypt')
- ->with('random72', 'random128')
- ->willReturn('newEncryptedToken');
- $this->accessTokenMapper->expects($this->once())
- ->method('update')
- ->with(
- $this->callback(function (AccessToken $token) {
- return $token->getHashedCode() === hash('sha512', 'random128') &&
- $token->getEncryptedToken() === 'newEncryptedToken';
- })
- );
- $expected = new JSONResponse([
- 'access_token' => 'random72',
- 'token_type' => 'Bearer',
- 'expires_in' => 3600,
- 'refresh_token' => 'random128',
- 'user_id' => 'userId',
- ]);
- $this->request->method('getRemoteAddress')
- ->willReturn('1.2.3.4');
- $this->throttler->expects($this->once())
- ->method('resetDelay')
- ->with(
- '1.2.3.4',
- 'login',
- ['user' => 'userId']
- );
- $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
- }
- public function testRefreshTokenValidAppTokenBasicAuth() {
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $accessToken->setTokenId(1337);
- $accessToken->setEncryptedToken('encryptedToken');
- $this->accessTokenMapper->method('getByCode')
- ->with('validrefresh')
- ->willReturn($accessToken);
- $client = new Client();
- $client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
- $this->clientMapper->method('getByUid')
- ->with(42)
- ->willReturn($client);
- $this->crypto
- ->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
- $appToken = new PublicKeyToken();
- $appToken->setUid('userId');
- $this->tokenProvider->method('getTokenById')
- ->with(1337)
- ->willThrowException(new ExpiredTokenException($appToken));
- $this->accessTokenMapper->expects($this->never())
- ->method('delete')
- ->with($accessToken);
- $this->secureRandom->method('generate')
- ->willReturnCallback(function ($len) {
- return 'random'.$len;
- });
- $this->tokenProvider->expects($this->once())
- ->method('rotate')
- ->with(
- $appToken,
- 'decryptedToken',
- 'random72'
- )->willReturn($appToken);
- $this->time->method('getTime')
- ->willReturn(1000);
- $this->tokenProvider->expects($this->once())
- ->method('updateToken')
- ->with(
- $this->callback(function (PublicKeyToken $token) {
- return $token->getExpires() === 4600;
- })
- );
- $this->crypto->method('encrypt')
- ->with('random72', 'random128')
- ->willReturn('newEncryptedToken');
- $this->accessTokenMapper->expects($this->once())
- ->method('update')
- ->with(
- $this->callback(function (AccessToken $token) {
- return $token->getHashedCode() === hash('sha512', 'random128') &&
- $token->getEncryptedToken() === 'newEncryptedToken';
- })
- );
- $expected = new JSONResponse([
- 'access_token' => 'random72',
- 'token_type' => 'Bearer',
- 'expires_in' => 3600,
- 'refresh_token' => 'random128',
- 'user_id' => 'userId',
- ]);
- $this->request->server['PHP_AUTH_USER'] = 'clientId';
- $this->request->server['PHP_AUTH_PW'] = 'clientSecret';
- $this->request->method('getRemoteAddress')
- ->willReturn('1.2.3.4');
- $this->throttler->expects($this->once())
- ->method('resetDelay')
- ->with(
- '1.2.3.4',
- 'login',
- ['user' => 'userId']
- );
- $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null));
- }
- public function testRefreshTokenExpiredAppToken() {
- $accessToken = new AccessToken();
- $accessToken->setClientId(42);
- $accessToken->setTokenId(1337);
- $accessToken->setEncryptedToken('encryptedToken');
- $this->accessTokenMapper->method('getByCode')
- ->with('validrefresh')
- ->willReturn($accessToken);
- $client = new Client();
- $client->setClientIdentifier('clientId');
- $client->setSecret('encryptedClientSecret');
- $this->clientMapper->method('getByUid')
- ->with(42)
- ->willReturn($client);
- $this->crypto
- ->method('decrypt')
- ->with($this->callback(function (string $text) {
- return $text === 'encryptedClientSecret' || $text === 'encryptedToken';
- }))
- ->willReturnCallback(function (string $text) {
- return $text === 'encryptedClientSecret'
- ? 'clientSecret'
- : ($text === 'encryptedToken' ? 'decryptedToken' : '');
- });
- $appToken = new PublicKeyToken();
- $appToken->setUid('userId');
- $this->tokenProvider->method('getTokenById')
- ->with(1337)
- ->willReturn($appToken);
- $this->accessTokenMapper->expects($this->never())
- ->method('delete')
- ->with($accessToken);
- $this->secureRandom->method('generate')
- ->willReturnCallback(function ($len) {
- return 'random'.$len;
- });
- $this->tokenProvider->expects($this->once())
- ->method('rotate')
- ->with(
- $appToken,
- 'decryptedToken',
- 'random72'
- )->willReturn($appToken);
- $this->time->method('getTime')
- ->willReturn(1000);
- $this->tokenProvider->expects($this->once())
- ->method('updateToken')
- ->with(
- $this->callback(function (PublicKeyToken $token) {
- return $token->getExpires() === 4600;
- })
- );
- $this->crypto->method('encrypt')
- ->with('random72', 'random128')
- ->willReturn('newEncryptedToken');
- $this->accessTokenMapper->expects($this->once())
- ->method('update')
- ->with(
- $this->callback(function (AccessToken $token) {
- return $token->getHashedCode() === hash('sha512', 'random128') &&
- $token->getEncryptedToken() === 'newEncryptedToken';
- })
- );
- $expected = new JSONResponse([
- 'access_token' => 'random72',
- 'token_type' => 'Bearer',
- 'expires_in' => 3600,
- 'refresh_token' => 'random128',
- 'user_id' => 'userId',
- ]);
- $this->request->method('getRemoteAddress')
- ->willReturn('1.2.3.4');
- $this->throttler->expects($this->once())
- ->method('resetDelay')
- ->with(
- '1.2.3.4',
- 'login',
- ['user' => 'userId']
- );
- $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
- }
- }
|