Melhoria nos testes do Token.php e Authorizator.php.

Author: fernando-scolari-bvc

src/Auth/Authorizator.php

@@ -11,7 +11,6 @@
 use Zend\Mvc\OIDC\Common\Parse\ConfigurationParser;
 use Zend\ServiceManager\ServiceLocatorInterface;
 use Zend\ServiceManager\ServiceManager;
-use Zend\Stdlib\RequestInterface;
 
 /**
  * Class Authorizator
@@ -79,11 +78,12 @@ public function authorize(Request $request): bool
 
     private function isAuthorized(Token $token, array $authorizeConfig): bool
     {
-        $result = true;
+        $result = false;
+        $claimName = $authorizeConfig['requireClaim'];
 
-        foreach ($authorizeConfig as $claim) {
-            if (!$token->hasClaim($claim)) {
-                $result = false;
+        foreach ($authorizeConfig['values'] as $claimValue) {
+            if ($token->hasClaim($claimName, $claimValue)) {
+                $result = true;
                 break;
             }
         }
@@ -95,14 +95,13 @@ private function getAuthorizeConfiguration(Request $request): array
     {
         $url = $request->getUriString();
 
-        if (isset($this->routesConfig[$url])) {
-            if (isset($this->routesConfig[$url]['options']['defaults']['authorize'])) {
-                return $this->routesConfig[$url]['options']['defaults']['authorize'];
-            }
+        if (isset($this->routesConfig[$url]) &&
+            isset($this->routesConfig[$url]['options']['defaults']['authorize'])) {
+            return $this->routesConfig[$url]['options']['defaults']['authorize'];
         }
 
         return [];
-   }
+    }
 
     /**
      * @param Request $request
@@ -115,8 +114,7 @@ private function getAuthorizationToken(Request $request): string
         $headers = $request->getHeaders('Authorization', null);
         $token = '';
 
-        if (!is_null($headers))
-        {
+        if (!is_null($headers)) {
             $token = $headers->toString();
             $token = str_replace('Authorization: Bearer', null, $token);
 

src/Common/Configuration.php

@@ -29,6 +29,12 @@ class Configuration
      */
     private $authServiceUrl;
 
+    /**
+     * @var string
+     */
+    private $audience;
+
+
     /**
      * @return string
      */
@@ -101,4 +107,22 @@ public function setAuthServiceUrl(string $authServiceUrl): void
     {
         $this->authServiceUrl = $authServiceUrl;
     }
+
+    /**
+     * @return string
+     */
+    public function getAudience(): string
+    {
+        return $this->audience;
+    }
+
+    /**
+     * @param string $audience
+     */
+    public function setAudience(string $audience): void
+    {
+        $this->audience = $audience;
+    }
+
+
 }

src/Common/Model/Token.php

@@ -58,15 +58,20 @@ public function validate(Configuration $configuration): int
         }
     }
 
-    public function hasClaim(string $value): bool
+    public function hasClaim(string $name, string $value): bool
     {
-        return $this->jwt->hasClaim($value);
+        if ($this->jwt->hasClaim($name)) {
+            return ($this->jwt->getClaim($name) === $value);
+        }
+
+        return false;
     }
 
     private function setValidationData(\DateTime $moment, Configuration $configuration): ValidationData
     {
         $data = new ValidationData($moment->getTimestamp());
         $data->setIssuer($configuration->getRealmUrl());
+        $data->setAudience($configuration->getAudience());
 
         return $data;
     }

tests/Auth/AuthorizatorTest.php

@@ -48,6 +48,11 @@ class AuthorizatorTest extends TestCase
      */
     private $issuer;
 
+    /**
+     * @var string
+     */
+    private $audience;
+
     /**
      * setUp
      */
@@ -79,6 +84,27 @@ public function testWhenAnUnauthorizedRequestIsMade(): void
         $module->onDispatch($this->mvcEvent);
     }
 
+    public function testWhenAnAuthorizedRequestIsMade(): void
+    {
+        $success = true;
+
+        try {
+            $this->request->setUri('/auth/login');
+
+            $token = $this->createJwt('SpecialPerson');
+
+            $this->request->getHeaders()->addHeaderLine('Authorization', 'Bearer ' . $token);
+            $this->mvcEvent->setRequest($this->request);
+
+            $module = new Module();
+            $module->onDispatch($this->mvcEvent);
+        } catch (AuthorizeException $ex) {
+            $success = false;
+        }
+
+        $this->assertTrue($success);
+    }
+
     private function createJwt(string $claim): \Lcobucci\JWT\Token
     {
         $this->now = new DateTime();
@@ -87,6 +113,7 @@ private function createJwt(string $claim): \Lcobucci\JWT\Token
 
         $this->publicKey = 'file://' . $path;
         $this->issuer = 'http://issuedby.com/auth/realms/teste';
+        $this->audience = 'pos-api.com';
 
         $signer = new Sha256();
         $privateKey = new Key('file://teste.key');
@@ -96,7 +123,8 @@ private function createJwt(string $claim): \Lcobucci\JWT\Token
             ->issuedAt($this->now->getTimestamp())
             ->canOnlyBeUsedAfter($this->now->getTimestamp())
             ->expiresAt($this->now->getTimestamp() + 60)
-            ->withClaim('user_role', $claim)
+            ->permittedFor($this->audience)
+            ->withClaim('user_roles', $claim)
             ->getToken($signer, $privateKey);
     }
 }

tests/Common/Model/TokenTest.php

@@ -18,10 +18,6 @@
  */
 class TokenTest extends TestCase
 {
-    /**
-     * @var Token
-     */
-    private $token;
 
     /**
      * @var string
@@ -46,10 +42,6 @@ public function setUp()
 
         $this->publicKey = 'file://' . $path;
         $this->issuer = 'http://issuedby.com/auth/realms/teste';
-
-        $jwt = $this->createJwt();
-
-        $this->token = new Token($jwt);
     }
 
     private function createJwt(): \Lcobucci\JWT\Token
@@ -62,6 +54,7 @@ private function createJwt(): \Lcobucci\JWT\Token
             ->issuedAt($this->now->getTimestamp())
             ->canOnlyBeUsedAfter($this->now->getTimestamp())
             ->expiresAt($this->now->getTimestamp() + 60)
+            ->permittedFor('pos-api.com')
             ->getToken($signer, $privateKey);
     }
 
@@ -72,9 +65,14 @@ public function testValidateWithCorrectIssuerClaimTokenShouldReturnValidResult()
         $configuration->setPublicKey($this->publicKey);
         $configuration->setRealmId('teste');
         $configuration->setAuthServiceUrl('http://issuedby.com');
+        $configuration->setAudience('pos-api.com');
+
+        $jwt = $this->createJwt();
+
+        $token = new Token($jwt);
 
         // act
-        $result = $this->token->validate($configuration);
+        $result = $token->validate($configuration);
 
         // assert
         $this->assertEquals(ValidationTokenResultEnum::VALID, $result);
@@ -87,9 +85,92 @@ public function testValidateWithIncorrectIssuerClaimShouldReturnInvalidResult()
         $configuration->setPublicKey($this->publicKey);
         $configuration->setRealmId('teste');
         $configuration->setAuthServiceUrl('http://issuedby.com/bla/bla');
+        $configuration->setAudience('pos-api.com');
+
+        $jwt = $this->createJwt();
+
+        $token = new Token($jwt);
+
+        // act
+        $result = $token->validate($configuration);
+
+        // assert
+        $this->assertEquals(ValidationTokenResultEnum::INVALID, $result);
+    }
+
+    public function testValidateWithIncorrectAudienceClaimShouldReturnInvalidResult()
+    {
+        // arrange
+        $configuration = new Configuration();
+        $configuration->setPublicKey($this->publicKey);
+        $configuration->setRealmId('teste');
+        $configuration->setAuthServiceUrl('http://issuedby.com');
+        $configuration->setAudience('wrong.pos-api.com');
+
+        $jwt = $this->createJwt();
+
+        $token = new Token($jwt);
+
+        // act
+        $result = $token->validate($configuration);
+
+        // assert
+        $this->assertEquals(ValidationTokenResultEnum::INVALID, $result);
+    }
+
+    public function testValidateWithExpiredTokenShouldReturnExpiredResult()
+    {
+        // arrange
+        $configuration = new Configuration();
+        $configuration->setPublicKey($this->publicKey);
+        $configuration->setRealmId('teste');
+        $configuration->setAuthServiceUrl('http://issuedby.com');
+        $configuration->setAudience('wrong.pos-api.com');
+
+        $signer = new Sha256();
+        $privateKey = new Key('file://teste.key');
+
+        $jwt = (new Builder())
+            ->issuedBy($this->issuer)
+            ->issuedAt($this->now->getTimestamp() - 10)
+            ->canOnlyBeUsedAfter($this->now->getTimestamp() - 9)
+            ->expiresAt($this->now->getTimestamp() - 9)
+            ->permittedFor('pos-api.com')
+            ->getToken($signer, $privateKey);
+
+        $token = new Token($jwt);
+
+        // act
+        $result = $token->validate($configuration);
+
+        // assert
+        $this->assertEquals(ValidationTokenResultEnum::EXPIRED, $result);
+    }
+
+    public function testValidateWithInvalidNotBeforeClaimShouldReturnInvalidResult()
+    {
+        // arrange
+        $configuration = new Configuration();
+        $configuration->setPublicKey($this->publicKey);
+        $configuration->setRealmId('teste');
+        $configuration->setAuthServiceUrl('http://issuedby.com');
+        $configuration->setAudience('wrong.pos-api.com');
+
+        $signer = new Sha256();
+        $privateKey = new Key('file://teste.key');
+
+        $jwt = (new Builder())
+            ->issuedBy($this->issuer)
+            ->issuedAt($this->now->getTimestamp())
+            ->canOnlyBeUsedAfter($this->now->getTimestamp() - 9)
+            ->expiresAt($this->now->getTimestamp() + 60)
+            ->permittedFor('pos-api.com')
+            ->getToken($signer, $privateKey);
+
+        $token = new Token($jwt);
 
         // act
-        $result = $this->token->validate($configuration);
+        $result = $token->validate($configuration);
 
         // assert
         $this->assertEquals(ValidationTokenResultEnum::INVALID, $result);

tests/Shared/module.config.php

@@ -5,27 +5,40 @@
 return [
     'auth_service' => [
         'auth_service_url' => 'http://34.95.175.142:8080',
-        'realmId' => 'bvcteste',
-        'client_id' => 'demo-app',
-        'public_key' => ''
+        'realmId'          => 'bvcteste',
+        'client_id'        => 'demo-app',
+        'public_key'       => '',
+        'audience'         => 'pos-api.com'
     ],
-    'router' => [
+    'router'       => [
         'routes' => [
             '/auth/login' => [
-                'type' => Literal::class,
+                'type'    => Literal::class,
                 'options' => [
-                    'route' => '/auth/login',
+                    'route'    => '/auth/login',
                     'defaults' => [
                         'controller' => 'SomeController::class',
-                        'action' => 'login',
-                        'authorize' => [
-                            'Administrator',
-                            'SpecialPerson'
+                        'action'     => 'login',
+                        'authorize'  => [
+                            'requireClaim' => 'user_roles',
+                            'values'       => [
+                                'Administrator',
+                                'SpecialPerson'
+                            ]
                         ]
                     ],
                 ],
             ],
-            'whitelist' => [
+            'policies'    => [
+                'Administrator' => [
+                    'requireClaim' => 'user_roles',
+                    'values'       => [
+                        'read:person',
+                        'write:person'
+                    ]
+                ]
+            ],
+            'whitelist'   => [
                 '/login'
             ]
         ]