1 | <?php |
---|
2 | require __DIR__ . '/../lib/OAuth2.php'; |
---|
3 | require __DIR__ . '/../lib/IOAuth2Storage.php'; |
---|
4 | require __DIR__ . '/../lib/IOAuth2GrantCode.php'; |
---|
5 | |
---|
6 | /** |
---|
7 | * OAuth2 test case. |
---|
8 | */ |
---|
9 | class OAuth2Test extends PHPUnit_Framework_TestCase { |
---|
10 | |
---|
11 | /** |
---|
12 | * @var OAuth2 |
---|
13 | */ |
---|
14 | private $fixture; |
---|
15 | |
---|
16 | /** |
---|
17 | * The actual token ID is irrelevant, so choose one: |
---|
18 | * @var string |
---|
19 | */ |
---|
20 | private $tokenId = 'my_token'; |
---|
21 | |
---|
22 | /** |
---|
23 | * Tests OAuth2->verifyAccessToken() with a missing token |
---|
24 | */ |
---|
25 | public function testVerifyAccessTokenWithNoParam() { |
---|
26 | $mockStorage = $this->getMock('IOAuth2Storage'); |
---|
27 | $this->fixture = new OAuth2($mockStorage); |
---|
28 | |
---|
29 | $scope = null; |
---|
30 | $this->setExpectedException('OAuth2AuthenticateException'); |
---|
31 | $this->fixture->verifyAccessToken('', $scope); |
---|
32 | } |
---|
33 | |
---|
34 | /** |
---|
35 | * Tests OAuth2->verifyAccessToken() with a invalid token |
---|
36 | */ |
---|
37 | public function testVerifyAccessTokenInvalidToken() { |
---|
38 | |
---|
39 | // Set up the mock storage to say this token does not exist |
---|
40 | $mockStorage = $this->getMock('IOAuth2Storage'); |
---|
41 | $mockStorage->expects($this->once()) |
---|
42 | ->method('getAccessToken') |
---|
43 | ->will($this->returnValue(false)); |
---|
44 | |
---|
45 | $this->fixture = new OAuth2($mockStorage); |
---|
46 | |
---|
47 | $scope = null; |
---|
48 | $this->setExpectedException('OAuth2AuthenticateException'); |
---|
49 | $this->fixture->verifyAccessToken($this->tokenId, $scope); |
---|
50 | } |
---|
51 | |
---|
52 | /** |
---|
53 | * Tests OAuth2->verifyAccessToken() with a malformed token |
---|
54 | * |
---|
55 | * @dataProvider generateMalformedTokens |
---|
56 | */ |
---|
57 | public function testVerifyAccessTokenMalformedToken($token) { |
---|
58 | |
---|
59 | // Set up the mock storage to say this token does not exist |
---|
60 | $mockStorage = $this->getMock('IOAuth2Storage'); |
---|
61 | $mockStorage->expects($this->once()) |
---|
62 | ->method('getAccessToken') |
---|
63 | ->will($this->returnValue($token)); |
---|
64 | |
---|
65 | $this->fixture = new OAuth2($mockStorage); |
---|
66 | |
---|
67 | $scope = null; |
---|
68 | $this->setExpectedException('OAuth2AuthenticateException'); |
---|
69 | $this->fixture->verifyAccessToken($this->tokenId, $scope); |
---|
70 | } |
---|
71 | |
---|
72 | /** |
---|
73 | * Tests OAuth2->verifyAccessToken() with different expiry dates |
---|
74 | * |
---|
75 | * @dataProvider generateExpiryTokens |
---|
76 | */ |
---|
77 | public function testVerifyAccessTokenCheckExpiry($token, $expectedToPass) { |
---|
78 | |
---|
79 | // Set up the mock storage to say this token does not exist |
---|
80 | $mockStorage = $this->getMock('IOAuth2Storage'); |
---|
81 | $mockStorage->expects($this->once()) |
---|
82 | ->method('getAccessToken') |
---|
83 | ->will($this->returnValue($token)); |
---|
84 | |
---|
85 | $this->fixture = new OAuth2($mockStorage); |
---|
86 | |
---|
87 | $scope = null; |
---|
88 | |
---|
89 | |
---|
90 | // When valid, we just want any sort of token |
---|
91 | if ($expectedToPass) { |
---|
92 | $actual = $this->fixture->verifyAccessToken($this->tokenId, $scope); |
---|
93 | $this->assertNotEmpty($actual, "verifyAccessToken() was expected to PASS, but it failed"); |
---|
94 | $this->assertInternalType('array', $actual); |
---|
95 | } |
---|
96 | else { |
---|
97 | $this->setExpectedException('OAuth2AuthenticateException'); |
---|
98 | $this->fixture->verifyAccessToken($this->tokenId, $scope); |
---|
99 | } |
---|
100 | } |
---|
101 | |
---|
102 | /** |
---|
103 | * Tests OAuth2->verifyAccessToken() with different scopes |
---|
104 | * |
---|
105 | * @dataProvider generateScopes |
---|
106 | */ |
---|
107 | public function testVerifyAccessTokenCheckScope($scopeRequired, $token, $expectedToPass) { |
---|
108 | |
---|
109 | // Set up the mock storage to say this token does not exist |
---|
110 | $mockStorage = $this->getMock('IOAuth2Storage'); |
---|
111 | $mockStorage->expects($this->once()) |
---|
112 | ->method('getAccessToken') |
---|
113 | ->will($this->returnValue($token)); |
---|
114 | |
---|
115 | $this->fixture = new OAuth2($mockStorage); |
---|
116 | |
---|
117 | // When valid, we just want any sort of token |
---|
118 | if ($expectedToPass) { |
---|
119 | $actual = $this->fixture->verifyAccessToken($this->tokenId, $scopeRequired); |
---|
120 | $this->assertNotEmpty($actual, "verifyAccessToken() was expected to PASS, but it failed"); |
---|
121 | $this->assertInternalType('array', $actual); |
---|
122 | } |
---|
123 | else { |
---|
124 | $this->setExpectedException('OAuth2AuthenticateException'); |
---|
125 | $this->fixture->verifyAccessToken($this->tokenId, $scopeRequired); |
---|
126 | } |
---|
127 | } |
---|
128 | |
---|
129 | /** |
---|
130 | * Tests OAuth2->grantAccessToken() for missing data |
---|
131 | * |
---|
132 | * @dataProvider generateEmptyDataForGrant |
---|
133 | */ |
---|
134 | public function testGrantAccessTokenMissingData($inputData, $authHeaders) { |
---|
135 | $mockStorage = $this->getMock('IOAuth2Storage'); |
---|
136 | $this->fixture = new OAuth2($mockStorage); |
---|
137 | |
---|
138 | $this->setExpectedException('OAuth2ServerException'); |
---|
139 | $this->fixture->grantAccessToken($inputData, $authHeaders); |
---|
140 | } |
---|
141 | |
---|
142 | /** |
---|
143 | * Tests OAuth2->grantAccessToken() |
---|
144 | * |
---|
145 | * Tests the different ways client credentials can be provided. |
---|
146 | */ |
---|
147 | public function testGrantAccessTokenCheckClientCredentials() { |
---|
148 | $mockStorage = $this->getMock('IOAuth2Storage'); |
---|
149 | $mockStorage->expects($this->any()) |
---|
150 | ->method('checkClientCredentials') |
---|
151 | ->will($this->returnValue(TRUE)); // Always return true for any combination of user/pass |
---|
152 | $this->fixture = new OAuth2($mockStorage); |
---|
153 | |
---|
154 | $inputData = array('grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE); |
---|
155 | $authHeaders = array(); |
---|
156 | |
---|
157 | // First, confirm that an non-client related error is thrown: |
---|
158 | try { |
---|
159 | $this->fixture->grantAccessToken($inputData, $authHeaders); |
---|
160 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
161 | } catch ( OAuth2ServerException $e ) { |
---|
162 | $this->assertEquals(OAuth2::ERROR_INVALID_CLIENT, $e->getMessage()); |
---|
163 | } |
---|
164 | |
---|
165 | // Confirm Auth header |
---|
166 | $authHeaders = array('PHP_AUTH_USER' => 'dev-abc', 'PHP_AUTH_PW' => 'pass'); |
---|
167 | $inputData = array('grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE, 'client_id' => 'dev-abc'); // When using auth, client_id must match |
---|
168 | try { |
---|
169 | $this->fixture->grantAccessToken($inputData, $authHeaders); |
---|
170 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
171 | } catch ( OAuth2ServerException $e ) { |
---|
172 | $this->assertNotEquals(OAuth2::ERROR_INVALID_CLIENT, $e->getMessage()); |
---|
173 | } |
---|
174 | |
---|
175 | // Confirm GET/POST |
---|
176 | $authHeaders = array(); |
---|
177 | $inputData = array('grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE, 'client_id' => 'dev-abc', 'client_secret' => 'foo'); // When using auth, client_id must match |
---|
178 | try { |
---|
179 | $this->fixture->grantAccessToken($inputData, $authHeaders); |
---|
180 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
181 | } catch ( OAuth2ServerException $e ) { |
---|
182 | $this->assertNotEquals(OAuth2::ERROR_INVALID_CLIENT, $e->getMessage()); |
---|
183 | } |
---|
184 | } |
---|
185 | |
---|
186 | /** |
---|
187 | * Tests OAuth2->grantAccessToken() with Auth code grant |
---|
188 | * |
---|
189 | */ |
---|
190 | public function testGrantAccessTokenWithGrantAuthCodeMandatoryParams() { |
---|
191 | $mockStorage = $this->createBaseMock('IOAuth2GrantCode'); |
---|
192 | $inputData = array('grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE, 'client_id' => 'a', 'client_secret' => 'b'); |
---|
193 | $fakeAuthCode = array('client_id' => $inputData['client_id'], 'redirect_uri' => '/foo', 'expires' => time() + 60); |
---|
194 | $fakeAccessToken = array('access_token' => 'abcde'); |
---|
195 | |
---|
196 | // Ensure redirect URI and auth-code is mandatory |
---|
197 | try { |
---|
198 | $this->fixture = new OAuth2($mockStorage); |
---|
199 | $this->fixture->setVariable(OAuth2::CONFIG_ENFORCE_INPUT_REDIRECT, true); // Only required when this is set |
---|
200 | $this->fixture->grantAccessToken($inputData + array('code' => 'foo'), array()); |
---|
201 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
202 | } catch ( OAuth2ServerException $e ) { |
---|
203 | $this->assertEquals(OAuth2::ERROR_INVALID_REQUEST, $e->getMessage()); |
---|
204 | } |
---|
205 | try { |
---|
206 | $this->fixture = new OAuth2($mockStorage); |
---|
207 | $this->fixture->grantAccessToken($inputData + array('redirect_uri' => 'foo'), array()); |
---|
208 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
209 | } catch ( OAuth2ServerException $e ) { |
---|
210 | $this->assertEquals(OAuth2::ERROR_INVALID_REQUEST, $e->getMessage()); |
---|
211 | } |
---|
212 | } |
---|
213 | |
---|
214 | /** |
---|
215 | * Tests OAuth2->grantAccessToken() with Auth code grant |
---|
216 | * |
---|
217 | */ |
---|
218 | public function testGrantAccessTokenWithGrantAuthCodeNoToken() { |
---|
219 | $mockStorage = $this->createBaseMock('IOAuth2GrantCode'); |
---|
220 | $inputData = array('grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE, 'client_id' => 'a', 'client_secret' => 'b', 'redirect_uri' => 'foo', 'code'=> 'foo'); |
---|
221 | |
---|
222 | // Ensure missing auth code raises an error |
---|
223 | try { |
---|
224 | $this->fixture = new OAuth2($mockStorage); |
---|
225 | $this->fixture->grantAccessToken($inputData + array(), array()); |
---|
226 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
227 | } |
---|
228 | catch ( OAuth2ServerException $e ) { |
---|
229 | $this->assertEquals(OAuth2::ERROR_INVALID_GRANT, $e->getMessage()); |
---|
230 | } |
---|
231 | } |
---|
232 | |
---|
233 | /** |
---|
234 | * Tests OAuth2->grantAccessToken() with checks the redirect URI |
---|
235 | * |
---|
236 | */ |
---|
237 | public function testGrantAccessTokenWithGrantAuthCodeRedirectChecked() { |
---|
238 | $inputData = array('redirect_uri' => 'http://www.crossdomain.com/my/subdir', 'grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE, 'client_id' => 'my_little_app', 'client_secret' => 'b', 'code'=> 'foo'); |
---|
239 | $storedToken = array('redirect_uri' => 'http://www.example.com', 'client_id' => 'my_little_app', 'expires' => time() + 60); |
---|
240 | |
---|
241 | $mockStorage = $this->createBaseMock('IOAuth2GrantCode'); |
---|
242 | $mockStorage->expects($this->any()) |
---|
243 | ->method('getAuthCode') |
---|
244 | ->will($this->returnValue($storedToken)); |
---|
245 | |
---|
246 | // Ensure that the redirect_uri is checked |
---|
247 | try { |
---|
248 | $this->fixture = new OAuth2($mockStorage); |
---|
249 | $this->fixture->grantAccessToken($inputData, array()); |
---|
250 | |
---|
251 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
252 | } |
---|
253 | catch ( OAuth2ServerException $e ) { |
---|
254 | $this->assertEquals(OAuth2::ERROR_REDIRECT_URI_MISMATCH, $e->getMessage()); |
---|
255 | } |
---|
256 | } |
---|
257 | |
---|
258 | /** |
---|
259 | * Tests OAuth2->grantAccessToken() with checks the client ID is matched |
---|
260 | * |
---|
261 | */ |
---|
262 | public function testGrantAccessTokenWithGrantAuthCodeClientIdChecked() { |
---|
263 | $inputData = array('client_id' => 'another_app', 'grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE, 'redirect_uri' => 'http://www.example.com/my/subdir', 'client_secret' => 'b', 'code'=> 'foo'); |
---|
264 | $storedToken = array('client_id' => 'my_little_app', 'redirect_uri' => 'http://www.example.com', 'expires' => time() + 60); |
---|
265 | |
---|
266 | $mockStorage = $this->createBaseMock('IOAuth2GrantCode'); |
---|
267 | $mockStorage->expects($this->any()) |
---|
268 | ->method('getAuthCode') |
---|
269 | ->will($this->returnValue($storedToken)); |
---|
270 | |
---|
271 | // Ensure the client ID is checked |
---|
272 | try { |
---|
273 | $this->fixture = new OAuth2($mockStorage); |
---|
274 | $this->fixture->grantAccessToken($inputData, array()); |
---|
275 | |
---|
276 | $this->fail('The expected exception OAuth2ServerException was not thrown'); |
---|
277 | } |
---|
278 | catch ( OAuth2ServerException $e ) { |
---|
279 | $this->assertEquals(OAuth2::ERROR_INVALID_GRANT, $e->getMessage()); |
---|
280 | } |
---|
281 | } |
---|
282 | |
---|
283 | /** |
---|
284 | * Tests OAuth2->grantAccessToken() with implicit |
---|
285 | * |
---|
286 | */ |
---|
287 | public function testGrantAccessTokenWithGrantImplicit() { |
---|
288 | $this->markTestIncomplete ( "grantAccessToken test not implemented" ); |
---|
289 | |
---|
290 | $this->fixture->grantAccessToken(/* parameters */); |
---|
291 | } |
---|
292 | |
---|
293 | /** |
---|
294 | * Tests OAuth2->grantAccessToken() with user credentials |
---|
295 | * |
---|
296 | */ |
---|
297 | public function testGrantAccessTokenWithGrantUser() { |
---|
298 | $this->markTestIncomplete ( "grantAccessToken test not implemented" ); |
---|
299 | |
---|
300 | $this->fixture->grantAccessToken(/* parameters */); |
---|
301 | } |
---|
302 | |
---|
303 | |
---|
304 | /** |
---|
305 | * Tests OAuth2->grantAccessToken() with client credentials |
---|
306 | * |
---|
307 | */ |
---|
308 | public function testGrantAccessTokenWithGrantClient() { |
---|
309 | $this->markTestIncomplete ( "grantAccessToken test not implemented" ); |
---|
310 | |
---|
311 | $this->fixture->grantAccessToken(/* parameters */); |
---|
312 | } |
---|
313 | |
---|
314 | /** |
---|
315 | * Tests OAuth2->grantAccessToken() with refresh token |
---|
316 | * |
---|
317 | */ |
---|
318 | public function testGrantAccessTokenWithGrantRefresh() { |
---|
319 | $this->markTestIncomplete ( "grantAccessToken test not implemented" ); |
---|
320 | |
---|
321 | $this->fixture->grantAccessToken(/* parameters */); |
---|
322 | } |
---|
323 | |
---|
324 | /** |
---|
325 | * Tests OAuth2->grantAccessToken() with extension |
---|
326 | * |
---|
327 | */ |
---|
328 | public function testGrantAccessTokenWithGrantExtension() { |
---|
329 | $this->markTestIncomplete ( "grantAccessToken test not implemented" ); |
---|
330 | |
---|
331 | $this->fixture->grantAccessToken(/* parameters */); |
---|
332 | } |
---|
333 | |
---|
334 | /** |
---|
335 | * Tests OAuth2->getAuthorizeParams() |
---|
336 | */ |
---|
337 | public function testGetAuthorizeParams() { |
---|
338 | // TODO Auto-generated OAuth2Test->testGetAuthorizeParams() |
---|
339 | $this->markTestIncomplete ( "getAuthorizeParams test not implemented" ); |
---|
340 | |
---|
341 | $this->fixture->getAuthorizeParams(/* parameters */); |
---|
342 | |
---|
343 | } |
---|
344 | |
---|
345 | /** |
---|
346 | * Tests OAuth2->finishClientAuthorization() |
---|
347 | */ |
---|
348 | public function testFinishClientAuthorization() { |
---|
349 | // TODO Auto-generated OAuth2Test->testFinishClientAuthorization() |
---|
350 | $this->markTestIncomplete ( "finishClientAuthorization test not implemented" ); |
---|
351 | |
---|
352 | $this->fixture->finishClientAuthorization(/* parameters */); |
---|
353 | |
---|
354 | } |
---|
355 | |
---|
356 | // Utility methods |
---|
357 | |
---|
358 | /** |
---|
359 | * |
---|
360 | * @param string $interfaceName |
---|
361 | */ |
---|
362 | protected function createBaseMock($interfaceName) { |
---|
363 | $mockStorage = $this->getMock($interfaceName); |
---|
364 | $mockStorage->expects($this->any()) |
---|
365 | ->method('checkClientCredentials') |
---|
366 | ->will($this->returnValue(TRUE)); // Always return true for any combination of user/pass |
---|
367 | $mockStorage->expects($this->any()) |
---|
368 | ->method('checkRestrictedGrantType') |
---|
369 | ->will($this->returnValue(TRUE)); // Always return true for any combination of user/pass |
---|
370 | |
---|
371 | return $mockStorage; |
---|
372 | } |
---|
373 | |
---|
374 | // Data Providers below: |
---|
375 | |
---|
376 | /** |
---|
377 | * Dataprovider for testVerifyAccessTokenMalformedToken(). |
---|
378 | * |
---|
379 | * Produces malformed access tokens |
---|
380 | */ |
---|
381 | public function generateMalformedTokens() { |
---|
382 | return array( |
---|
383 | array(array()), // an empty array as a token |
---|
384 | array(array('expires' => 5)), // missing client_id |
---|
385 | array(array('client_id' => 6)), // missing expires |
---|
386 | array(array('something' => 6)), // missing both 'expires' and 'client_id' |
---|
387 | ); |
---|
388 | } |
---|
389 | |
---|
390 | /** |
---|
391 | * Dataprovider for testVerifyAccessTokenCheckExpiry(). |
---|
392 | * |
---|
393 | * Produces malformed access tokens |
---|
394 | */ |
---|
395 | public function generateExpiryTokens() { |
---|
396 | return array( |
---|
397 | array(array('client_id' => 'blah', 'expires' => time() - 30), FALSE), // 30 seconds ago should fail |
---|
398 | array(array('client_id' => 'blah', 'expires' => time() - 1), FALSE), // now-ish should fail |
---|
399 | array(array('client_id' => 'blah', 'expires' => 0), FALSE), // 1970 should fail |
---|
400 | array(array('client_id' => 'blah', 'expires' => time() + 30), TRUE), // 30 seconds in the future should be valid |
---|
401 | array(array('client_id' => 'blah', 'expires' => time() + 86400), TRUE), // 1 day in the future should be valid |
---|
402 | array(array('client_id' => 'blah', 'expires' => time() + (365 * 86400)), TRUE), // 1 year should be valid |
---|
403 | array(array('client_id' => 'blah', 'expires' => time() + (10 * 365 * 86400)), TRUE), // 10 years should be valid |
---|
404 | ); |
---|
405 | } |
---|
406 | |
---|
407 | /** |
---|
408 | * Dataprovider for testVerifyAccessTokenCheckExpiry(). |
---|
409 | * |
---|
410 | * Produces malformed access tokens |
---|
411 | */ |
---|
412 | public function generateScopes() { |
---|
413 | $baseToken = array('client_id' => 'blah', 'expires' => time() + 60); |
---|
414 | |
---|
415 | return array( |
---|
416 | array(null, $baseToken + array(), TRUE), // missing scope is valif |
---|
417 | array(null, $baseToken + array('scope' => null), TRUE), // null scope is valid |
---|
418 | array('', $baseToken + array('scope' => ''), TRUE), // empty scope is valid |
---|
419 | array('read', $baseToken + array('scope' => 'read'), TRUE), // exact same scope is valid |
---|
420 | array('read', $baseToken + array('scope' => ' read '), TRUE), // exact same scope is valid |
---|
421 | array(' read ', $baseToken + array('scope' => 'read'), TRUE), // exact same scope is valid |
---|
422 | array('read', $baseToken + array('scope' => 'read write delete'), TRUE), // contains scope |
---|
423 | array('read', $baseToken + array('scope' => 'write read delete'), TRUE), // contains scope |
---|
424 | array('read', $baseToken + array('scope' => 'delete write read'), TRUE), // contains scope |
---|
425 | |
---|
426 | // Invalid combinations |
---|
427 | array('read', $baseToken + array('scope' => 'write'), FALSE), |
---|
428 | array('read', $baseToken + array('scope' => 'apple banana'), FALSE), |
---|
429 | array('read', $baseToken + array('scope' => 'apple read-write'), FALSE), |
---|
430 | array('read', $baseToken + array('scope' => 'apple read,write'), FALSE), |
---|
431 | array('read', $baseToken + array('scope' => null), FALSE), |
---|
432 | array('read', $baseToken + array('scope' => ''), FALSE), |
---|
433 | ); |
---|
434 | } |
---|
435 | |
---|
436 | /** |
---|
437 | * Provider for OAuth2->grantAccessToken() |
---|
438 | */ |
---|
439 | public function generateEmptyDataForGrant() { |
---|
440 | return array( |
---|
441 | array( |
---|
442 | array(), array() |
---|
443 | ), |
---|
444 | array( |
---|
445 | array(), array('grant_type' => OAuth2::GRANT_TYPE_AUTH_CODE) // grant_type in auth headers should be ignored |
---|
446 | ), |
---|
447 | array( |
---|
448 | array('not_grant_type' => 5), array() |
---|
449 | ), |
---|
450 | ); |
---|
451 | } |
---|
452 | } |
---|
453 | |
---|