Rewrite tests for OAuth2 validate and auth code complete steps [skip ci]

This commit is contained in:
ErickSkrauch 2019-09-06 02:32:57 +03:00
parent 0b63dc2d84
commit 4dc2a3025b
4 changed files with 193 additions and 177 deletions

View File

@ -0,0 +1,16 @@
<?php
declare(strict_types=1);
namespace api\components\OAuth2\Entities;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\UserEntityInterface;
class UserEntity implements UserEntityInterface {
use EntityTrait;
public function __construct($id) {
$this->identifier = $id;
}
}

View File

@ -3,6 +3,7 @@ declare(strict_types=1);
namespace api\modules\oauth\models; namespace api\modules\oauth\models;
use api\components\OAuth2\Entities\UserEntity;
use api\rbac\Permissions as P; use api\rbac\Permissions as P;
use common\models\Account; use common\models\Account;
use common\models\OauthClient; use common\models\OauthClient;
@ -105,6 +106,7 @@ class OauthProcess {
} }
} }
$authRequest->setUser(new UserEntity($account->id));
$responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200)); $responseObj = $this->server->completeAuthorizationRequest($authRequest, new Response(200));
$response = [ $response = [

View File

@ -3,100 +3,19 @@ declare(strict_types=1);
namespace api\tests\functional\oauth; namespace api\tests\functional\oauth;
use api\rbac\Permissions as P;
use api\tests\_pages\OauthRoute;
use api\tests\FunctionalTester; use api\tests\FunctionalTester;
class AuthCodeCest { class AuthCodeCest {
/** public function completeSuccess(FunctionalTester $I) {
* @var OauthRoute
*/
private $route;
public function _before(FunctionalTester $I) {
$this->route = new OauthRoute($I);
}
public function testValidateRequest(FunctionalTester $I) {
$this->testOauthParamsValidation($I, 'validate');
}
public function testCompleteValidationAction(FunctionalTester $I) {
$I->amAuthenticated();
$I->wantTo('validate all oAuth params on complete request');
$this->testOauthParamsValidation($I, 'complete');
}
public function testCompleteActionOnWrongConditions(FunctionalTester $I) {
$I->amAuthenticated();
$I->wantTo('get accept_required if I don\'t require any scope, but this is first time request');
$this->route->complete($this->buildQueryParams(
'ely',
'http://ely.by',
'code'
));
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'accept_required',
'parameter' => '',
'statusCode' => 401,
]);
$I->wantTo('get accept_required if I require some scopes on first time');
$this->route->complete($this->buildQueryParams(
'ely',
'http://ely.by',
'code',
[P::MINECRAFT_SERVER_SESSION]
));
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'accept_required',
'parameter' => '',
'statusCode' => 401,
]);
}
public function testCompleteActionSuccess(FunctionalTester $I) {
$I->amAuthenticated(); $I->amAuthenticated();
$I->wantTo('get auth code if I require some scope and pass accept field'); $I->wantTo('get auth code if I require some scope and pass accept field');
$this->route->complete($this->buildQueryParams( $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'ely', 'client_id' => 'ely',
'http://ely.by', 'redirect_uri' => 'http://ely.by',
'code', 'response_type' => 'code',
[P::MINECRAFT_SERVER_SESSION] 'scope' => 'minecraft_server_session',
), ['accept' => true]); ]), ['accept' => true]);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => true,
]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
$I->wantTo('get auth code if I don\'t require any scope and don\'t pass accept field, but previously have ' .
'successful request');
$this->route->complete($this->buildQueryParams(
'ely',
'http://ely.by',
'code'
));
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => true,
]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
$I->wantTo('get auth code if I require some scopes and don\'t pass accept field, but previously have successful ' .
'request with same scopes');
$this->route->complete($this->buildQueryParams(
'ely',
'http://ely.by',
'code',
[P::MINECRAFT_SERVER_SESSION]
));
$I->canSeeResponseCodeIs(200); $I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([ $I->canSeeResponseContainsJson([
'success' => true, 'success' => true,
@ -104,21 +23,93 @@ class AuthCodeCest {
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
} }
public function testAcceptRequiredOnNewScope(FunctionalTester $I) { /**
* @before completeSuccess
*/
public function completeSuccessWithLessScopes(FunctionalTester $I) {
$I->amAuthenticated();
$I->wantTo('get auth code with less scopes as passed in the previous request without accept param');
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'client_id' => 'ely',
'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
]));
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => true,
]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
}
/**
* @before completeSuccess
*/
public function completeSuccessWithSameScopes(FunctionalTester $I) {
$I->amAuthenticated();
$I->wantTo('get auth code with the same scopes as passed in the previous request without accept param');
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'client_id' => 'ely',
'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
'scope' => 'minecraft_server_session',
]));
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => true,
]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
}
public function acceptRequiredOnFirstAuthRequest1(FunctionalTester $I) {
$I->amAuthenticated();
$I->wantTo('get accept_required if I don\'t require any scope, but this is first time request');
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'client_id' => 'ely',
'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
]));
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'accept_required',
'parameter' => '',
'statusCode' => 401,
]);
}
public function acceptRequiredOnFirstAuthRequest2(FunctionalTester $I) {
$I->amAuthenticated();
$I->wantTo('get accept_required if I require some scopes on first time');
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'client_id' => 'ely',
'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
'scope' => 'minecraft_server_session',
]));
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'accept_required',
'parameter' => '',
'statusCode' => 401,
]);
}
public function acceptRequiredOnNewScope(FunctionalTester $I) {
$I->amAuthenticated(); $I->amAuthenticated();
$I->wantTo('get accept_required if I have previous successful request, but now require some new scope'); $I->wantTo('get accept_required if I have previous successful request, but now require some new scope');
$this->route->complete($this->buildQueryParams( $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'ely', 'client_id' => 'ely',
'http://ely.by', 'redirect_uri' => 'http://ely.by',
'code', 'response_type' => 'code',
[P::MINECRAFT_SERVER_SESSION] 'scope' => 'minecraft_server_session',
), ['accept' => true]); ]), ['accept' => true]);
$this->route->complete($this->buildQueryParams( $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'ely', 'client_id' => 'ely',
'http://ely.by', 'redirect_uri' => 'http://ely.by',
'code', 'response_type' => 'code',
[P::MINECRAFT_SERVER_SESSION, 'account_info'] 'scope' => 'minecraft_server_session account_info',
)); ]));
$I->canSeeResponseCodeIs(401); $I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([ $I->canSeeResponseContainsJson([
'success' => false, 'success' => false,
@ -131,12 +122,12 @@ class AuthCodeCest {
public function testCompleteActionWithDismissState(FunctionalTester $I) { public function testCompleteActionWithDismissState(FunctionalTester $I) {
$I->amAuthenticated(); $I->amAuthenticated();
$I->wantTo('get access_denied error if I pass accept in false state'); $I->wantTo('get access_denied error if I pass accept in false state');
$this->route->complete($this->buildQueryParams( $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'ely', 'client_id' => 'ely',
'http://ely.by', 'redirect_uri' => 'http://ely.by',
'code', 'response_type' => 'code',
[P::MINECRAFT_SERVER_SESSION] 'scope' => 'minecraft_server_session',
), ['accept' => false]); ]), ['accept' => false]);
$I->canSeeResponseCodeIs(401); $I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([ $I->canSeeResponseContainsJson([
'success' => false, 'success' => false,
@ -147,56 +138,14 @@ class AuthCodeCest {
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
} }
private function buildQueryParams( public function invalidClientId(FunctionalTester $I) {
$clientId = null, $I->amAuthenticated();
$redirectUri = null,
$responseType = null,
$scopes = [],
$state = null,
$customData = []
) {
$params = $customData;
if ($clientId !== null) {
$params['client_id'] = $clientId;
}
if ($redirectUri !== null) {
$params['redirect_uri'] = $redirectUri;
}
if ($responseType !== null) {
$params['response_type'] = $responseType;
}
if ($state !== null) {
$params['state'] = $state;
}
if (!empty($scopes)) {
if (is_array($scopes)) {
$scopes = implode(',', $scopes);
}
$params['scope'] = $scopes;
}
return $params;
}
private function testOauthParamsValidation(FunctionalTester $I, $action) {
$I->wantTo('check behavior on invalid request without one or few params');
$this->route->$action($this->buildQueryParams());
$I->canSeeResponseCodeIs(400);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'invalid_request',
'parameter' => 'client_id',
'statusCode' => 400,
]);
$I->wantTo('check behavior on invalid client id'); $I->wantTo('check behavior on invalid client id');
$this->route->$action($this->buildQueryParams('non-exists-client', 'http://some-resource.by', 'code')); $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'client_id' => 'non-exists-client',
'redirect_uri' => 'http://some-resource.by',
'response_type' => 'code',
]));
$I->canSeeResponseCodeIs(401); $I->canSeeResponseCodeIs(401);
$I->canSeeResponseIsJson(); $I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([ $I->canSeeResponseContainsJson([
@ -204,23 +153,16 @@ class AuthCodeCest {
'error' => 'invalid_client', 'error' => 'invalid_client',
'statusCode' => 401, 'statusCode' => 401,
]); ]);
}
$I->wantTo('check behavior on invalid response type'); public function invalidScopes(FunctionalTester $I) {
$this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'kitty')); $I->amAuthenticated();
$I->canSeeResponseCodeIs(400);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'unsupported_response_type',
'parameter' => 'kitty',
'statusCode' => 400,
]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
$I->wantTo('check behavior on some invalid scopes'); $I->wantTo('check behavior on some invalid scopes');
$this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'code', [ $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
P::MINECRAFT_SERVER_SESSION, 'client_id' => 'ely',
'some_wrong_scope', 'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
'scope' => 'minecraft_server_session some_wrong_scope',
])); ]));
$I->canSeeResponseCodeIs(400); $I->canSeeResponseCodeIs(400);
$I->canSeeResponseIsJson(); $I->canSeeResponseIsJson();
@ -231,18 +173,23 @@ class AuthCodeCest {
'statusCode' => 400, 'statusCode' => 400,
]); ]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
}
public function requestInternalScope(FunctionalTester $I) {
$I->amAuthenticated();
$I->wantTo('check behavior on request internal scope'); $I->wantTo('check behavior on request internal scope');
$this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'code', [ $I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
P::MINECRAFT_SERVER_SESSION, 'client_id' => 'ely',
P::BLOCK_ACCOUNT, 'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
'scope' => 'minecraft_server_session block_account',
])); ]));
$I->canSeeResponseCodeIs(400); $I->canSeeResponseCodeIs(400);
$I->canSeeResponseIsJson(); $I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([ $I->canSeeResponseContainsJson([
'success' => false, 'success' => false,
'error' => 'invalid_scope', 'error' => 'invalid_scope',
'parameter' => P::BLOCK_ACCOUNT, 'parameter' => 'block_account',
'statusCode' => 400, 'statusCode' => 400,
]); ]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');

View File

@ -7,8 +7,6 @@ use api\tests\FunctionalTester;
class ValidateCest { class ValidateCest {
// TODO: validate case, when scopes are passed with commas
public function completelyValidateValidRequest(FunctionalTester $I) { public function completelyValidateValidRequest(FunctionalTester $I) {
$I->wantTo('validate and obtain information about new oauth request'); $I->wantTo('validate and obtain information about new oauth request');
$I->sendGET('/api/oauth2/v1/validate', [ $I->sendGET('/api/oauth2/v1/validate', [
@ -59,4 +57,57 @@ class ValidateCest {
]); ]);
} }
public function unknownClientId(FunctionalTester $I) {
$I->wantTo('check behavior on invalid client id');
$I->sendGET('/api/oauth2/v1/validate', [
'client_id' => 'non-exists-client',
'redirect_uri' => 'http://some-resource.by',
'response_type' => 'code',
]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'invalid_client',
'statusCode' => 401,
]);
}
public function invalidScopes(FunctionalTester $I) {
$I->wantTo('check behavior on some invalid scopes');
$I->sendGET('/api/oauth2/v1/validate', [
'client_id' => 'ely',
'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
'scope' => 'minecraft_server_session some_wrong_scope',
]);
$I->canSeeResponseCodeIs(400);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'invalid_scope',
'parameter' => 'some_wrong_scope',
'statusCode' => 400,
]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
}
public function requestInternalScope(FunctionalTester $I) {
$I->wantTo('check behavior on request internal scope');
$I->sendGET('/api/oauth2/v1/validate', [
'client_id' => 'ely',
'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
'scope' => 'minecraft_server_session block_account',
]);
$I->canSeeResponseCodeIs(400);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'success' => false,
'error' => 'invalid_scope',
'parameter' => 'block_account',
'statusCode' => 400,
]);
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
}
} }