mirror of
https://github.com/elyby/accounts.git
synced 2024-12-27 15:40:21 +05:30
Rewrite tests for OAuth2 validate and auth code complete steps [skip ci]
This commit is contained in:
parent
0b63dc2d84
commit
4dc2a3025b
16
api/components/OAuth2/Entities/UserEntity.php
Normal file
16
api/components/OAuth2/Entities/UserEntity.php
Normal file
@ -0,0 +1,16 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace api\components\OAuth2\Entities;
|
||||
|
||||
use League\OAuth2\Server\Entities\Traits\EntityTrait;
|
||||
use League\OAuth2\Server\Entities\UserEntityInterface;
|
||||
|
||||
class UserEntity implements UserEntityInterface {
|
||||
use EntityTrait;
|
||||
|
||||
public function __construct($id) {
|
||||
$this->identifier = $id;
|
||||
}
|
||||
|
||||
}
|
@ -3,6 +3,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace api\modules\oauth\models;
|
||||
|
||||
use api\components\OAuth2\Entities\UserEntity;
|
||||
use api\rbac\Permissions as P;
|
||||
use common\models\Account;
|
||||
use common\models\OauthClient;
|
||||
@ -105,6 +106,7 @@ class OauthProcess {
|
||||
}
|
||||
}
|
||||
|
||||
$authRequest->setUser(new UserEntity($account->id));
|
||||
$responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200));
|
||||
|
||||
$response = [
|
||||
|
@ -3,100 +3,19 @@ declare(strict_types=1);
|
||||
|
||||
namespace api\tests\functional\oauth;
|
||||
|
||||
use api\rbac\Permissions as P;
|
||||
use api\tests\_pages\OauthRoute;
|
||||
use api\tests\FunctionalTester;
|
||||
|
||||
class AuthCodeCest {
|
||||
|
||||
/**
|
||||
* @var OauthRoute
|
||||
*/
|
||||
private $route;
|
||||
|
||||
public function _before(FunctionalTester $I) {
|
||||
$this->route = new OauthRoute($I);
|
||||
}
|
||||
|
||||
public function testValidateRequest(FunctionalTester $I) {
|
||||
$this->testOauthParamsValidation($I, 'validate');
|
||||
}
|
||||
|
||||
public function testCompleteValidationAction(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('validate all oAuth params on complete request');
|
||||
$this->testOauthParamsValidation($I, 'complete');
|
||||
}
|
||||
|
||||
public function testCompleteActionOnWrongConditions(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
|
||||
$I->wantTo('get accept_required if I don\'t require any scope, but this is first time request');
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code'
|
||||
));
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'accept_required',
|
||||
'parameter' => '',
|
||||
'statusCode' => 401,
|
||||
]);
|
||||
|
||||
$I->wantTo('get accept_required if I require some scopes on first time');
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code',
|
||||
[P::MINECRAFT_SERVER_SESSION]
|
||||
));
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'accept_required',
|
||||
'parameter' => '',
|
||||
'statusCode' => 401,
|
||||
]);
|
||||
}
|
||||
|
||||
public function testCompleteActionSuccess(FunctionalTester $I) {
|
||||
public function completeSuccess(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('get auth code if I require some scope and pass accept field');
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code',
|
||||
[P::MINECRAFT_SERVER_SESSION]
|
||||
), ['accept' => true]);
|
||||
$I->canSeeResponseCodeIs(200);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => true,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
|
||||
$I->wantTo('get auth code if I don\'t require any scope and don\'t pass accept field, but previously have ' .
|
||||
'successful request');
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code'
|
||||
));
|
||||
$I->canSeeResponseCodeIs(200);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => true,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
|
||||
$I->wantTo('get auth code if I require some scopes and don\'t pass accept field, but previously have successful ' .
|
||||
'request with same scopes');
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code',
|
||||
[P::MINECRAFT_SERVER_SESSION]
|
||||
));
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session',
|
||||
]), ['accept' => true]);
|
||||
$I->canSeeResponseCodeIs(200);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => true,
|
||||
@ -104,21 +23,93 @@ class AuthCodeCest {
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
}
|
||||
|
||||
public function testAcceptRequiredOnNewScope(FunctionalTester $I) {
|
||||
/**
|
||||
* @before completeSuccess
|
||||
*/
|
||||
public function completeSuccessWithLessScopes(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('get auth code with less scopes as passed in the previous request without accept param');
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(200);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => true,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
}
|
||||
|
||||
/**
|
||||
* @before completeSuccess
|
||||
*/
|
||||
public function completeSuccessWithSameScopes(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('get auth code with the same scopes as passed in the previous request without accept param');
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(200);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => true,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
}
|
||||
|
||||
public function acceptRequiredOnFirstAuthRequest1(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('get accept_required if I don\'t require any scope, but this is first time request');
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'accept_required',
|
||||
'parameter' => '',
|
||||
'statusCode' => 401,
|
||||
]);
|
||||
}
|
||||
|
||||
public function acceptRequiredOnFirstAuthRequest2(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('get accept_required if I require some scopes on first time');
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'accept_required',
|
||||
'parameter' => '',
|
||||
'statusCode' => 401,
|
||||
]);
|
||||
}
|
||||
|
||||
public function acceptRequiredOnNewScope(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('get accept_required if I have previous successful request, but now require some new scope');
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code',
|
||||
[P::MINECRAFT_SERVER_SESSION]
|
||||
), ['accept' => true]);
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code',
|
||||
[P::MINECRAFT_SERVER_SESSION, 'account_info']
|
||||
));
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session',
|
||||
]), ['accept' => true]);
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session account_info',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
@ -131,12 +122,12 @@ class AuthCodeCest {
|
||||
public function testCompleteActionWithDismissState(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('get access_denied error if I pass accept in false state');
|
||||
$this->route->complete($this->buildQueryParams(
|
||||
'ely',
|
||||
'http://ely.by',
|
||||
'code',
|
||||
[P::MINECRAFT_SERVER_SESSION]
|
||||
), ['accept' => false]);
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session',
|
||||
]), ['accept' => false]);
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
@ -147,56 +138,14 @@ class AuthCodeCest {
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
}
|
||||
|
||||
private function buildQueryParams(
|
||||
$clientId = null,
|
||||
$redirectUri = null,
|
||||
$responseType = null,
|
||||
$scopes = [],
|
||||
$state = null,
|
||||
$customData = []
|
||||
) {
|
||||
$params = $customData;
|
||||
if ($clientId !== null) {
|
||||
$params['client_id'] = $clientId;
|
||||
}
|
||||
|
||||
if ($redirectUri !== null) {
|
||||
$params['redirect_uri'] = $redirectUri;
|
||||
}
|
||||
|
||||
if ($responseType !== null) {
|
||||
$params['response_type'] = $responseType;
|
||||
}
|
||||
|
||||
if ($state !== null) {
|
||||
$params['state'] = $state;
|
||||
}
|
||||
|
||||
if (!empty($scopes)) {
|
||||
if (is_array($scopes)) {
|
||||
$scopes = implode(',', $scopes);
|
||||
}
|
||||
|
||||
$params['scope'] = $scopes;
|
||||
}
|
||||
|
||||
return $params;
|
||||
}
|
||||
|
||||
private function testOauthParamsValidation(FunctionalTester $I, $action) {
|
||||
$I->wantTo('check behavior on invalid request without one or few params');
|
||||
$this->route->$action($this->buildQueryParams());
|
||||
$I->canSeeResponseCodeIs(400);
|
||||
$I->canSeeResponseIsJson();
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'invalid_request',
|
||||
'parameter' => 'client_id',
|
||||
'statusCode' => 400,
|
||||
]);
|
||||
|
||||
public function invalidClientId(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('check behavior on invalid client id');
|
||||
$this->route->$action($this->buildQueryParams('non-exists-client', 'http://some-resource.by', 'code'));
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'non-exists-client',
|
||||
'redirect_uri' => 'http://some-resource.by',
|
||||
'response_type' => 'code',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseIsJson();
|
||||
$I->canSeeResponseContainsJson([
|
||||
@ -204,23 +153,16 @@ class AuthCodeCest {
|
||||
'error' => 'invalid_client',
|
||||
'statusCode' => 401,
|
||||
]);
|
||||
}
|
||||
|
||||
$I->wantTo('check behavior on invalid response type');
|
||||
$this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'kitty'));
|
||||
$I->canSeeResponseCodeIs(400);
|
||||
$I->canSeeResponseIsJson();
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'unsupported_response_type',
|
||||
'parameter' => 'kitty',
|
||||
'statusCode' => 400,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
|
||||
public function invalidScopes(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('check behavior on some invalid scopes');
|
||||
$this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'code', [
|
||||
P::MINECRAFT_SERVER_SESSION,
|
||||
'some_wrong_scope',
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session some_wrong_scope',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(400);
|
||||
$I->canSeeResponseIsJson();
|
||||
@ -231,18 +173,23 @@ class AuthCodeCest {
|
||||
'statusCode' => 400,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
}
|
||||
|
||||
public function requestInternalScope(FunctionalTester $I) {
|
||||
$I->amAuthenticated();
|
||||
$I->wantTo('check behavior on request internal scope');
|
||||
$this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'code', [
|
||||
P::MINECRAFT_SERVER_SESSION,
|
||||
P::BLOCK_ACCOUNT,
|
||||
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session block_account',
|
||||
]));
|
||||
$I->canSeeResponseCodeIs(400);
|
||||
$I->canSeeResponseIsJson();
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'invalid_scope',
|
||||
'parameter' => P::BLOCK_ACCOUNT,
|
||||
'parameter' => 'block_account',
|
||||
'statusCode' => 400,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
|
@ -7,8 +7,6 @@ use api\tests\FunctionalTester;
|
||||
|
||||
class ValidateCest {
|
||||
|
||||
// TODO: validate case, when scopes are passed with commas
|
||||
|
||||
public function completelyValidateValidRequest(FunctionalTester $I) {
|
||||
$I->wantTo('validate and obtain information about new oauth request');
|
||||
$I->sendGET('/api/oauth2/v1/validate', [
|
||||
@ -59,4 +57,57 @@ class ValidateCest {
|
||||
]);
|
||||
}
|
||||
|
||||
public function unknownClientId(FunctionalTester $I) {
|
||||
$I->wantTo('check behavior on invalid client id');
|
||||
$I->sendGET('/api/oauth2/v1/validate', [
|
||||
'client_id' => 'non-exists-client',
|
||||
'redirect_uri' => 'http://some-resource.by',
|
||||
'response_type' => 'code',
|
||||
]);
|
||||
$I->canSeeResponseCodeIs(401);
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'invalid_client',
|
||||
'statusCode' => 401,
|
||||
]);
|
||||
}
|
||||
|
||||
public function invalidScopes(FunctionalTester $I) {
|
||||
$I->wantTo('check behavior on some invalid scopes');
|
||||
$I->sendGET('/api/oauth2/v1/validate', [
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session some_wrong_scope',
|
||||
]);
|
||||
$I->canSeeResponseCodeIs(400);
|
||||
$I->canSeeResponseIsJson();
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'invalid_scope',
|
||||
'parameter' => 'some_wrong_scope',
|
||||
'statusCode' => 400,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
}
|
||||
|
||||
public function requestInternalScope(FunctionalTester $I) {
|
||||
$I->wantTo('check behavior on request internal scope');
|
||||
$I->sendGET('/api/oauth2/v1/validate', [
|
||||
'client_id' => 'ely',
|
||||
'redirect_uri' => 'http://ely.by',
|
||||
'response_type' => 'code',
|
||||
'scope' => 'minecraft_server_session block_account',
|
||||
]);
|
||||
$I->canSeeResponseCodeIs(400);
|
||||
$I->canSeeResponseIsJson();
|
||||
$I->canSeeResponseContainsJson([
|
||||
'success' => false,
|
||||
'error' => 'invalid_scope',
|
||||
'parameter' => 'block_account',
|
||||
'statusCode' => 400,
|
||||
]);
|
||||
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
|
||||
}
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user