From 1d90eca73917aa5d8ad5f3109813cec327d8104c Mon Sep 17 00:00:00 2001 From: GuntherDebrauwer <22586858+GuntherDebrauwer@users.noreply.github.com> Date: Thu, 7 Nov 2019 18:25:29 +0100 Subject: [PATCH 1/3] Update 'check client credentials (for any scopes)' middlewares Use 'oauth_scopes' and 'oauth_client_id' attributes in psr request --- src/Http/Middleware/CheckClientCredentials.php | 18 +++++++++--------- .../CheckClientCredentialsForAnyScope.php | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/src/Http/Middleware/CheckClientCredentials.php b/src/Http/Middleware/CheckClientCredentials.php index 6cf006dda..bc4ca722c 100644 --- a/src/Http/Middleware/CheckClientCredentials.php +++ b/src/Http/Middleware/CheckClientCredentials.php @@ -5,7 +5,7 @@ use Closure; use Illuminate\Auth\AuthenticationException; use Laravel\Passport\Exceptions\MissingScopeException; -use Laravel\Passport\TokenRepository; +use Laravel\Passport\ClientRepository; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory; @@ -24,9 +24,9 @@ class CheckClientCredentials protected $server; /** - * Token Repository. + * Client Repository. * - * @var \Laravel\Passport\TokenRepository + * @var \Laravel\Passport\ClientRepository */ protected $repository; @@ -34,10 +34,10 @@ class CheckClientCredentials * Create a new middleware instance. * * @param \League\OAuth2\Server\ResourceServer $server - * @param \Laravel\Passport\TokenRepository $repository + * @param \Laravel\Passport\ClientRepository $repository * @return void */ - public function __construct(ResourceServer $server, TokenRepository $repository) + public function __construct(ResourceServer $server, ClientRepository $repository) { $this->server = $server; $this->repository = $repository; 
@@ -82,18 +82,18 @@ public function handle($request, Closure $next, ...$scopes) */ protected function validate($psr, $scopes) { - $token = $this->repository->find($psr->getAttribute('oauth_access_token_id')); + $client = $this->repository->find($psr->getAttribute('oauth_client_id')); - if (! $token || $token->client->firstParty()) { + if (! $client || $client->firstParty()) { throw new AuthenticationException; } - if (in_array('*', $token->scopes)) { + if (in_array('*', $tokenScopes = $psr->getAttribute('oauth_scopes'))) { return; } foreach ($scopes as $scope) { - if ($token->cant($scope)) { + if (! in_array($scope, $tokenScopes)) { throw new MissingScopeException($scope); } } diff --git a/src/Http/Middleware/CheckClientCredentialsForAnyScope.php b/src/Http/Middleware/CheckClientCredentialsForAnyScope.php index 6c1337ce9..a8a7e50fc 100644 --- a/src/Http/Middleware/CheckClientCredentialsForAnyScope.php +++ b/src/Http/Middleware/CheckClientCredentialsForAnyScope.php @@ -5,7 +5,7 @@ use Closure; use Illuminate\Auth\AuthenticationException; use Laravel\Passport\Exceptions\MissingScopeException; -use Laravel\Passport\TokenRepository; +use Laravel\Passport\ClientRepository; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory; @@ -24,9 +24,9 @@ class CheckClientCredentialsForAnyScope protected $server; /** - * Token Repository. + * Client Repository. * - * @var \Laravel\Passport\TokenRepository + * @var \Laravel\Passport\ClientRepository */ protected $repository; 
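Review bot: Both `in_array` calls in the new `validate` body compare loosely, and the wildcard check additionally hides an assignment inside its condition; the same pattern appears in the `CheckClientCredentialsForAnyScope::validate` hunk below. Scope identifiers are presumably strings, so the practical exposure is small, but under PHP 7's loose comparison a non-string entry such as integer `0` in `oauth_scopes` would satisfy the `*` test, and an assignment-in-expression makes this authorization decision harder to audit. Suggested shape: `$tokenScopes = (array) $psr->getAttribute('oauth_scopes');` on its own line before the wildcard check, then `if (in_array('*', $tokenScopes, true)) {` and, inside the loop, `if (! in_array($scope, $tokenScopes, true)) {`. The `(array)` cast also turns a missing attribute into an explicit `MissingScopeException` instead of a warning (PHP 7) or `TypeError` (PHP 8) from passing `null` to `in_array`. The remainder of `validate` and the `handle` method lie outside the hunk.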
@@ -34,10 +34,10 @@ class CheckClientCredentialsForAnyScope * Create a new middleware instance. * * @param \League\OAuth2\Server\ResourceServer $server - * @param \Laravel\Passport\TokenRepository $repository + * @param \Laravel\Passport\ClientRepository $repository * @return void */ - public function __construct(ResourceServer $server, TokenRepository $repository) + public function __construct(ResourceServer $server, ClientRepository $repository) { $this->server = $server; $this->repository = $repository; @@ -84,18 +84,18 @@ public function handle($request, Closure $next, ...$scopes) */ protected function validate($psr, $scopes) { - $token = $this->repository->find($psr->getAttribute('oauth_access_token_id')); + $client = $this->repository->find($psr->getAttribute('oauth_client_id')); - if (! $token || $token->client->firstParty()) { + if (! $client || $client->firstParty()) { throw new AuthenticationException; } - if (in_array('*', $token->scopes)) { + if (in_array('*', $tokenScopes = $psr->getAttribute('oauth_scopes'))) { return true; } foreach ($scopes as $scope) { - if ($token->can($scope)) { + if (in_array($scope, $tokenScopes)) { return true; } } From 88a349a535b70a4135349967bde8c5567c78404b Mon Sep 17 00:00:00 2001 From: GuntherDebrauwer <22586858+GuntherDebrauwer@users.noreply.github.com> Date: Thu, 7 Nov 2019 18:25:55 +0100 Subject: [PATCH 2/3] Update tests of 'check client credentials (of any scope)' middlewares --- .../CheckClientCredentialsForAnyScopeTest.php | 58 ++++++------------- tests/CheckClientCredentialsTest.php | 55 ++++++------------ 2 files changed, 38 insertions(+), 75 deletions(-) diff --git a/tests/CheckClientCredentialsForAnyScopeTest.php b/tests/CheckClientCredentialsForAnyScopeTest.php index 96d9d646e..45bb7a4d6 100644 --- a/tests/CheckClientCredentialsForAnyScopeTest.php +++ b/tests/CheckClientCredentialsForAnyScopeTest.php 
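Review bot: The client lookup on the first changed line of `validate` uses `ClientRepository::find`, which as far as the hunk shows returns the client regardless of its revoked state, so a token issued to a since-revoked client passes this check as long as the client is not first-party; the `CheckClientCredentials::validate` hunk above makes the same call. The resource server's token validation presumably rejects revoked tokens and client revocation may cascade to them, but this middleware is the one place a client-level decision is made, so making it explicit is cheap. If this Passport version's repository offers the `findActive` lookup that excludes revoked clients, `$client = $this->repository->findActive($psr->getAttribute('oauth_client_id'));` would yield `null` for a revoked client and fall into the existing `AuthenticationException` branch. The `throw` after the loop is outside the hunk.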
@@ -5,8 +5,7 @@ use Illuminate\Http\Request; use Laravel\Passport\Client; use Laravel\Passport\Http\Middleware\CheckClientCredentialsForAnyScope; -use Laravel\Passport\Token; -use Laravel\Passport\TokenRepository; +use Laravel\Passport\ClientRepository; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Mockery as m; @@ -24,21 +23,17 @@ public function test_request_is_passed_along_if_token_is_valid() $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['*']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnFalse(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - $token->shouldReceive('getAttribute')->with('scopes')->andReturn(['*']); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); - - $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
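Review bot: The updated tests in this file, and the parallel ones in `tests/CheckClientCredentialsTest.php`, all stub `oauth_scopes` as a well-formed list of strings, so nothing pins how the middleware behaves now that it reads that attribute directly rather than the stored `Token` scopes, for example when the attribute is absent or `null`. A case such as `$psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(null);` that asserts the intended fail-closed outcome would guard the new code path. The `oauth_access_token_id` stub repeated in each test appears unused by the new `validate` body and could be dropped if `handle` does not read it either. The assertion half of each test method lies outside the hunk.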
@@ -55,23 +50,17 @@ public function test_request_is_passed_along_if_token_has_any_required_scope() $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['foo', 'bar', 'baz']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnFalse(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - $token->shouldReceive('getAttribute')->with('scopes')->andReturn(['foo', 'bar', 'baz']); - $token->shouldReceive('can')->with('notfoo')->andReturnFalse(); - $token->shouldReceive('can')->with('bar')->andReturnTrue(); - - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
@@ -88,13 +77,13 @@ public function test_request_is_passed_along_if_token_has_any_required_scope() */ public function test_exception_is_thrown_when_oauth_throws_exception() { - $tokenRepository = m::mock(TokenRepository::class); + $clientRepository = m::mock(ClientRepository::class); $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andThrow( new OAuthServerException('message', 500, 'error type') ); - $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
@@ -112,23 +101,17 @@ public function test_exception_is_thrown_if_token_does_not_have_required_scope() $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['foo', 'bar']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnFalse(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - $token->shouldReceive('getAttribute')->with('scopes')->andReturn(['foo', 'bar']); - $token->shouldReceive('can')->with('baz')->andReturnFalse(); - $token->shouldReceive('can')->with('notbar')->andReturnFalse(); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); - - $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
@@ -146,20 +129,17 @@ public function test_exception_is_thrown_if_token_belongs_to_first_party_client( $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['*']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnTrue(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentialsForAnyScope($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); diff --git a/tests/CheckClientCredentialsTest.php b/tests/CheckClientCredentialsTest.php index 435ae9f7a..5ac89bac9 100644 --- a/tests/CheckClientCredentialsTest.php +++ b/tests/CheckClientCredentialsTest.php @@ -7,6 +7,7 @@ use Laravel\Passport\Http\Middleware\CheckClientCredentials; use Laravel\Passport\Token; use Laravel\Passport\TokenRepository; +use Laravel\Passport\ClientRepository; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Mockery as m; 
@@ -24,21 +25,17 @@ public function test_request_is_passed_along_if_token_is_valid() $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['*']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnFalse(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - $token->shouldReceive('getAttribute')->with('scopes')->andReturn(['*']); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); - - $middleware = new CheckClientCredentials($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentials($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
@@ -55,22 +52,17 @@ public function test_request_is_passed_along_if_token_and_scope_are_valid() $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['see-profile']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnFalse(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - $token->shouldReceive('getAttribute')->with('scopes')->andReturn(['see-profile']); - $token->shouldReceive('cant')->with('see-profile')->andReturnFalse(); - - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $middleware = new CheckClientCredentials($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentials($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
@@ -87,13 +79,13 @@ public function test_request_is_passed_along_if_token_and_scope_are_valid() */ public function test_exception_is_thrown_when_oauth_throws_exception() { - $tokenRepository = m::mock(TokenRepository::class); + $clientRepository = m::mock(ClientRepository::class); $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andThrow( new OAuthServerException('message', 500, 'error type') ); - $middleware = new CheckClientCredentials($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentials($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
@@ -111,23 +103,17 @@ public function test_exception_is_thrown_if_token_does_not_have_required_scopes( $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['foo', 'notbar']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnFalse(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - $token->shouldReceive('getAttribute')->with('scopes')->andReturn(['foo', 'notbar']); - $token->shouldReceive('cant')->with('foo')->andReturnFalse(); - $token->shouldReceive('cant')->with('bar')->andReturnTrue(); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); - - $middleware = new CheckClientCredentials($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentials($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); 
@@ -145,20 +131,17 @@ public function test_exception_is_thrown_if_token_belongs_to_first_party_client( $resourceServer = m::mock(ResourceServer::class); $resourceServer->shouldReceive('validateAuthenticatedRequest')->andReturn($psr = m::mock()); $psr->shouldReceive('getAttribute')->with('oauth_user_id')->andReturn(1); - $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(1); + $psr->shouldReceive('getAttribute')->with('oauth_client_id')->andReturn(2); $psr->shouldReceive('getAttribute')->with('oauth_access_token_id')->andReturn('token'); $psr->shouldReceive('getAttribute')->with('oauth_scopes')->andReturn(['*']); $client = m::mock(Client::class); $client->shouldReceive('firstParty')->andReturnTrue(); - $token = m::mock(Token::class); - $token->shouldReceive('getAttribute')->with('client')->andReturn($client); - - $tokenRepository = m::mock(TokenRepository::class); - $tokenRepository->shouldReceive('find')->with('token')->andReturn($token); + $clientRepository = m::mock(ClientRepository::class); + $clientRepository->shouldReceive('find')->with(2)->andReturn($client); - $middleware = new CheckClientCredentials($resourceServer, $tokenRepository); + $middleware = new CheckClientCredentials($resourceServer, $clientRepository); $request = Request::create('/'); $request->headers->set('Authorization', 'Bearer token'); From c829d03c7fb240e966e66d63d2b1fae0db45d31f Mon Sep 17 00:00:00 2001 From: GuntherDebrauwer <22586858+GuntherDebrauwer@users.noreply.github.com> Date: Fri, 8 Nov 2019 17:59:15 +0100 Subject: [PATCH 3/3] Fix StyleCI issues --- src/Http/Middleware/CheckClientCredentials.php | 2 +- src/Http/Middleware/CheckClientCredentialsForAnyScope.php | 2 +- tests/CheckClientCredentialsForAnyScopeTest.php | 2 +- tests/CheckClientCredentialsTest.php | 4 +--- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/src/Http/Middleware/CheckClientCredentials.php b/src/Http/Middleware/CheckClientCredentials.php index bc4ca722c..1f667aa2e 100644 
--- a/src/Http/Middleware/CheckClientCredentials.php +++ b/src/Http/Middleware/CheckClientCredentials.php @@ -4,8 +4,8 @@ use Closure; use Illuminate\Auth\AuthenticationException; -use Laravel\Passport\Exceptions\MissingScopeException; use Laravel\Passport\ClientRepository; +use Laravel\Passport\Exceptions\MissingScopeException; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory; diff --git a/src/Http/Middleware/CheckClientCredentialsForAnyScope.php b/src/Http/Middleware/CheckClientCredentialsForAnyScope.php index a8a7e50fc..43e888426 100644 --- a/src/Http/Middleware/CheckClientCredentialsForAnyScope.php +++ b/src/Http/Middleware/CheckClientCredentialsForAnyScope.php @@ -4,8 +4,8 @@ use Closure; use Illuminate\Auth\AuthenticationException; -use Laravel\Passport\Exceptions\MissingScopeException; use Laravel\Passport\ClientRepository; +use Laravel\Passport\Exceptions\MissingScopeException; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory; diff --git a/tests/CheckClientCredentialsForAnyScopeTest.php b/tests/CheckClientCredentialsForAnyScopeTest.php index 45bb7a4d6..d14ccc4b7 100644 --- a/tests/CheckClientCredentialsForAnyScopeTest.php +++ b/tests/CheckClientCredentialsForAnyScopeTest.php @@ -4,8 +4,8 @@ use Illuminate\Http\Request; use Laravel\Passport\Client; -use Laravel\Passport\Http\Middleware\CheckClientCredentialsForAnyScope; use Laravel\Passport\ClientRepository; +use Laravel\Passport\Http\Middleware\CheckClientCredentialsForAnyScope; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Mockery as m; diff --git a/tests/CheckClientCredentialsTest.php b/tests/CheckClientCredentialsTest.php index 5ac89bac9..08edd8e4f 100644 --- a/tests/CheckClientCredentialsTest.php +++ b/tests/CheckClientCredentialsTest.php 
@@ -4,10 +4,8 @@ use Illuminate\Http\Request; use Laravel\Passport\Client; -use Laravel\Passport\Http\Middleware\CheckClientCredentials; -use Laravel\Passport\Token; -use Laravel\Passport\TokenRepository; use Laravel\Passport\ClientRepository; +use Laravel\Passport\Http\Middleware\CheckClientCredentials; use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\ResourceServer; use Mockery as m;