Добавлен контроллер для блокировки аккаунта

Добавлен client_credentials grant для oAuth
Рефакторинг структуры OauthScopes чтобы можно было разделить владельца прав на пользовательские и общие (машинные)
Исправлена стилистика кода, внедряются фишки PHP 7.1
This commit is contained in:
ErickSkrauch 2016-12-18 02:20:53 +03:00
parent 1e7039c05c
commit 79bbc12206
21 changed files with 332 additions and 68 deletions

View File

@ -6,8 +6,8 @@ use yii\web\User as YiiUserComponent;
/**
* @property Identity|null $identity
*
* @method Identity|null getIdentity()
* @method Identity|null loginByAccessToken(string $token, $type = null)
* @method Identity|null getIdentity($autoRenew = true)
* @method Identity|null loginByAccessToken($token, $type = null)
*/
class Component extends YiiUserComponent {

View File

@ -26,7 +26,8 @@ class Identity implements IdentityInterface {
/**
* @inheritdoc
*/
public static function findIdentityByAccessToken($token, $type = null) {
public static function findIdentityByAccessToken($token, $type = null): self {
/** @var AccessTokenEntity|null $model */
$model = Yii::$app->oauth->getAuthServer()->getAccessTokenStorage()->get($token);
if ($model === null) {
throw new UnauthorizedHttpException('Incorrect token');
@ -62,7 +63,7 @@ class Identity implements IdentityInterface {
* У нас права привязываются к токенам, так что возвращаем именно его id.
* @inheritdoc
*/
public function getId() {
public function getId(): string {
return $this->_accessToken->getId();
}

View File

@ -3,6 +3,8 @@ namespace api\components\OAuth2\Entities;
class ClientEntity extends \League\OAuth2\Server\Entity\ClientEntity {
private $isTrusted;
public function setId(string $id) {
$this->id = $id;
}
@ -19,4 +21,12 @@ class ClientEntity extends \League\OAuth2\Server\Entity\ClientEntity {
$this->redirectUri = $redirectUri;
}
public function setIsTrusted(bool $isTrusted) {
$this->isTrusted = $isTrusted;
}
public function isTrusted(): bool {
return $this->isTrusted;
}
}

View File

@ -0,0 +1,20 @@
<?php
namespace api\components\OAuth2\Grants;
use api\components\OAuth2\Entities;
class ClientCredentialsGrant extends \League\OAuth2\Server\Grant\ClientCredentialsGrant {
protected function createAccessTokenEntity() {
return new Entities\AccessTokenEntity($this->server);
}
protected function createRefreshTokenEntity() {
return new Entities\RefreshTokenEntity($this->server);
}
protected function createSessionEntity() {
return new Entities\SessionEntity($this->server);
}
}

View File

@ -74,6 +74,7 @@ class ClientStorage extends AbstractStorage implements ClientInterface {
$entity->setId($model->id);
$entity->setName($model->name);
$entity->setSecret($model->secret);
$entity->setIsTrusted($model->is_trusted);
$entity->setRedirectUri($model->redirect_uri);
return $entity;

View File

@ -1,10 +1,12 @@
<?php
namespace api\components\OAuth2\Storage;
use api\components\OAuth2\Entities\ClientEntity;
use api\components\OAuth2\Entities\ScopeEntity;
use common\models\OauthScope;
use League\OAuth2\Server\Storage\AbstractStorage;
use League\OAuth2\Server\Storage\ScopeInterface;
use yii\base\ErrorException;
class ScopeStorage extends AbstractStorage implements ScopeInterface {
@ -12,7 +14,27 @@ class ScopeStorage extends AbstractStorage implements ScopeInterface {
* @inheritdoc
*/
public function get($scope, $grantType = null, $clientId = null) {
$scopes = $grantType === 'authorization_code' ? OauthScope::getPublicScopes() : OauthScope::getScopes();
$query = OauthScope::find();
if ($grantType === 'authorization_code') {
$query->onlyPublic()->usersScopes();
} elseif ($grantType === 'client_credentials') {
$query->machineScopes();
$isTrusted = false;
if ($clientId !== null) {
$client = $this->server->getClientStorage()->get($clientId);
if (!$client instanceof ClientEntity) {
throw new ErrorException('client storage must return instance of ' . ClientEntity::class);
}
$isTrusted = $client->isTrusted();
}
if (!$isTrusted) {
$query->onlyPublic();
}
}
$scopes = $query->all();
if (!in_array($scope, $scopes, true)) {
return null;
}

View File

@ -7,7 +7,7 @@ $params = array_merge(
return [
'id' => 'accounts-site-api',
'basePath' => dirname(__DIR__),
'bootstrap' => ['log', 'authserver'],
'bootstrap' => ['log', 'authserver', 'internal'],
'controllerNamespace' => 'api\controllers',
'params' => $params,
'components' => [
@ -75,10 +75,11 @@ return [
],
'oauth' => [
'class' => api\components\OAuth2\Component::class,
'grantTypes' => ['authorization_code'],
'grantTypes' => ['authorization_code', 'client_credentials'],
'grantMap' => [
'authorization_code' => api\components\OAuth2\Grants\AuthCodeGrant::class,
'refresh_token' => api\components\OAuth2\Grants\RefreshTokenGrant::class,
'client_credentials' => api\components\OAuth2\Grants\ClientCredentialsGrant::class,
],
],
'errorHandler' => [
@ -96,5 +97,8 @@ return [
'mojang' => [
'class' => api\modules\mojang\Module::class,
],
'internal' => [
'class' => api\modules\internal\Module::class,
],
],
];

View File

@ -7,7 +7,9 @@ use api\components\OAuth2\Exception\AccessDeniedException;
use common\models\Account;
use common\models\OauthClient;
use common\models\OauthScope;
use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\Exception\OAuthException;
use League\OAuth2\Server\Grant\AuthCodeGrant;
use Yii;
use yii\filters\AccessControl;
use yii\helpers\ArrayHelper;
@ -274,17 +276,12 @@ class OauthController extends Controller {
return $response;
}
/**
* @return \League\OAuth2\Server\AuthorizationServer
*/
private function getServer() {
private function getServer(): AuthorizationServer {
return Yii::$app->oauth->authServer;
}
/**
* @return \League\OAuth2\Server\Grant\AuthCodeGrant
*/
private function getGrantType() {
private function getGrantType(): AuthCodeGrant {
/** @noinspection PhpIncompatibleReturnTypeInspection */
return $this->getServer()->getGrantType('authorization_code');
}

View File

@ -0,0 +1,19 @@
<?php
namespace api\modules\internal;
use yii\base\BootstrapInterface;
class Module extends \yii\base\Module implements BootstrapInterface {
public $id = 'internal';
/**
* @param \yii\base\Application $app the application currently running
*/
public function bootstrap($app) {
$app->getUrlManager()->addRules([
'/internal/<controller>/<accountId>/<action>' => "{$this->id}/<controller>/<action>",
], false);
}
}

View File

@ -3,7 +3,7 @@ namespace api\modules\internal\controllers;
use api\components\ApiUser\AccessControl;
use api\controllers\Controller;
use api\modules\internal\models\BlockForm;
use api\modules\internal\models\BanForm;
use common\models\Account;
use common\models\OauthScope as S;
use Yii;
@ -14,11 +14,14 @@ class AccountsController extends Controller {
public function behaviors() {
return ArrayHelper::merge(parent::behaviors(), [
'authenticator' => [
'user' => Yii::$app->apiUser,
],
'access' => [
'class' => AccessControl::class,
'rules' => [
[
'actions' => ['block'],
'actions' => ['ban'],
'allow' => true,
'roles' => [S::ACCOUNT_BLOCK],
],
@ -27,9 +30,9 @@ class AccountsController extends Controller {
]);
}
public function actionBlock(int $accountId) {
public function actionBan(int $accountId) {
$account = $this->findAccount($accountId);
$model = new BlockForm($account);
$model = new BanForm($account);
$model->load(Yii::$app->request->post());
if (!$model->ban()) {
return [

View File

@ -0,0 +1,8 @@
<?php
namespace api\modules\internal\helpers;
final class Error {
public const ACCOUNT_ALREADY_BANNED = 'error.account_already_banned';
}

View File

@ -2,6 +2,7 @@
namespace api\modules\internal\models;
use api\models\base\ApiForm;
use api\modules\internal\helpers\Error as E;
use common\helpers\Amqp;
use common\models\Account;
use common\models\amqp\AccountBanned;
@ -9,14 +10,14 @@ use PhpAmqpLib\Message\AMQPMessage;
use Yii;
use yii\base\ErrorException;
class BlockForm extends ApiForm {
class BanForm extends ApiForm {
const DURATION_FOREVER = -1;
public const DURATION_FOREVER = -1;
/**
* Нереализованный функционал блокировки аккаунта на определённый период времени.
* Сейчас установка этого параметра ничего не даст, аккаунт будет заблокирован навечно,
* но по задумке, здесь необходимо передать количество секунд, на которое будет
* но, по задумке, здесь можно передать количество секунд, на которое будет
* заблокирован аккаунт пользователя.
*
* @var int
@ -35,10 +36,11 @@ class BlockForm extends ApiForm {
*/
private $account;
public function rules() {
public function rules(): array {
return [
[['duration'], 'integer', 'min' => self::DURATION_FOREVER],
[['message'], 'string'],
[['account'], 'validateAccountActivity'],
];
}
@ -46,7 +48,17 @@ class BlockForm extends ApiForm {
return $this->account;
}
public function validateAccountActivity() {
if ($this->account->status === Account::STATUS_BANNED) {
$this->addError('account', E::ACCOUNT_ALREADY_BANNED);
}
}
public function ban(): bool {
if (!$this->validate()) {
return false;
}
$transaction = Yii::$app->db->beginTransaction();
$account = $this->account;
@ -62,7 +74,7 @@ class BlockForm extends ApiForm {
return true;
}
public function createTask() {
public function createTask(): void {
$model = new AccountBanned();
$model->accountId = $this->account->id;
$model->duration = $this->duration;

View File

@ -4,32 +4,33 @@ namespace common\models;
use common\components\Annotations\Reader;
use ReflectionClass;
use Yii;
use yii\helpers\ArrayHelper;
class OauthScope {
/**
* @owner user
*/
const OFFLINE_ACCESS = 'offline_access';
/**
* @owner user
*/
const MINECRAFT_SERVER_SESSION = 'minecraft_server_session';
/**
* @owner user
*/
const ACCOUNT_INFO = 'account_info';
/**
* @owner user
*/
const ACCOUNT_EMAIL = 'account_email';
/** @internal */
/**
* @internal
* @owner machine
*/
const ACCOUNT_BLOCK = 'account_block';
public static function getScopes(): array {
return ArrayHelper::getColumn(static::queryScopes(), 'value');
}
public static function getPublicScopes(): array {
return ArrayHelper::getColumn(array_filter(static::queryScopes(), function($value) {
return !isset($value['internal']);
}), 'value');
}
public static function getInternalScopes(): array {
return ArrayHelper::getColumn(array_filter(static::queryScopes(), function($value) {
return isset($value['internal']);
}), 'value');
public static function find(): OauthScopeQuery {
return new OauthScopeQuery(static::queryScopes());
}
private static function queryScopes(): array {
@ -43,12 +44,12 @@ class OauthScope {
foreach ($constants as $constName => $value) {
$annotations = $reader->getConstantAnnotations(static::class, $constName);
$isInternal = $annotations->get('internal', false);
$owner = $annotations->get('owner', 'user');
$keyValue = [
'value' => $value,
'internal' => $isInternal,
'owner' => $owner,
];
if ($isInternal) {
$keyValue['internal'] = true;
}
$scopes[$constName] = $keyValue;
}

View File

@ -0,0 +1,50 @@
<?php
namespace common\models;
use yii\helpers\ArrayHelper;
class OauthScopeQuery {
private $scopes;
private $internal;
private $owner;
public function onlyPublic(): self {
$this->internal = false;
return $this;
}
public function onlyInternal(): self {
$this->internal = true;
return $this;
}
public function usersScopes(): self {
$this->owner = 'user';
return $this;
}
public function machineScopes(): self {
$this->owner = 'machine';
return $this;
}
public function all(): array {
return ArrayHelper::getColumn(array_filter($this->scopes, function($value) {
$shouldCheckInternal = $this->internal !== null;
$isInternalMatch = $value['internal'] === $this->internal;
$shouldCheckOwner = $this->owner !== null;
$isOwnerMatch = $value['owner'] === $this->owner;
return (!$shouldCheckInternal || $isInternalMatch)
&& (!$shouldCheckOwner || $isOwnerMatch);
}), 'value');
}
public function __construct(array $scopes) {
$this->scopes = $scopes;
}
}

View File

@ -0,0 +1,15 @@
<?php
use console\db\Migration;
class m161228_101022_oauth_clients_allow_null_redirect_uri extends Migration {
public function safeUp() {
$this->alterColumn('{{%oauth_clients}}', 'redirect_uri', $this->string());
}
public function safeDown() {
$this->alterColumn('{{%oauth_clients}}', 'redirect_uri', $this->string()->notNull());
}
}

View File

@ -0,0 +1,16 @@
<?php
namespace tests\codeception\api\_pages;
use yii\codeception\BasePage;
/**
* @property \tests\codeception\api\FunctionalTester $actor
*/
class InternalRoute extends BasePage {
public function ban($accountId) {
$this->route = '/internal/accounts/' . $accountId . '/ban';
$this->actor->sendPOST($this->getUrl());
}
}

View File

@ -3,11 +3,12 @@ namespace tests\codeception\api\functional\_steps;
use common\models\OauthScope as S;
use tests\codeception\api\_pages\OauthRoute;
use tests\codeception\api\FunctionalTester;
class OauthSteps extends \tests\codeception\api\FunctionalTester {
class OauthSteps extends FunctionalTester {
public function getAuthCode(array $permissions = []) {
// TODO: по идее можно напрямую сделать зпись в базу, что ускорит процесс тестирования
// TODO: по идее можно напрямую сделать запись в базу, что ускорит процесс тестирования
$this->loggedInAsActiveAccount();
$route = new OauthRoute($this);
$route->complete([
@ -31,7 +32,7 @@ class OauthSteps extends \tests\codeception\api\FunctionalTester {
}
public function getRefreshToken(array $permissions = []) {
// TODO: по идее можно напрямую сделать зпись в базу, что ускорит процесс тестирования
// TODO: по идее можно напрямую сделать запись в базу, что ускорит процесс тестирования
$authCode = $this->getAuthCode(array_merge([S::OFFLINE_ACCESS], $permissions));
$response = $this->issueToken($authCode);
@ -51,4 +52,18 @@ class OauthSteps extends \tests\codeception\api\FunctionalTester {
return json_decode($this->grabResponse(), true);
}
public function getAccessTokenByClientCredentialsGrant(array $permissions = [], $useTrusted = true) {
$route = new OauthRoute($this);
$route->issueToken([
'client_id' => $useTrusted ? 'trusted-client' : 'default-client',
'client_secret' => $useTrusted ? 'tXBbyvMcyaOgHMOAXBpN2EC7uFoJAaL9' : 'AzWRy7ZjS1yRQUk2vRBDic8fprOKDB1W',
'grant_type' => 'client_credentials',
'scope' => implode(',', $permissions),
]);
$response = json_decode($this->grabResponse(), true);
return $response['access_token'];
}
}

View File

@ -0,0 +1,47 @@
<?php
namespace tests\codeception\api\functional\internal;
use common\models\OauthScope as S;
use tests\codeception\api\_pages\InternalRoute;
use tests\codeception\api\functional\_steps\OauthSteps;
use tests\codeception\api\FunctionalTester;
class BanCest {
/**
* @var InternalRoute
*/
private $route;
public function _before(FunctionalTester $I) {
$this->route = new InternalRoute($I);
}
public function testBanAccount(OauthSteps $I) {
$accessToken = $I->getAccessTokenByClientCredentialsGrant([S::ACCOUNT_BLOCK]);
$I->amBearerAuthenticated($accessToken);
$this->route->ban(1);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'success' => true,
]);
}
public function testBanBannedAccount(OauthSteps $I) {
$accessToken = $I->getAccessTokenByClientCredentialsGrant([S::ACCOUNT_BLOCK]);
$I->amBearerAuthenticated($accessToken);
$this->route->ban(10);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'success' => false,
'errors' => [
'account' => 'error.account_already_banned',
],
]);
}
}

View File

@ -1,11 +1,26 @@
<?php
namespace tests\codeception\api\unit\modules\internal\models;
use api\modules\internal\models\BlockForm;
use api\modules\internal\helpers\Error as E;
use api\modules\internal\models\BanForm;
use common\models\Account;
use tests\codeception\api\unit\TestCase;
class BlockFormTest extends TestCase {
class BanFormTest extends TestCase {
public function testValidateAccountActivity() {
$account = new Account();
$account->status = Account::STATUS_ACTIVE;
$form = new BanForm($account);
$form->validateAccountActivity();
$this->assertEmpty($form->getErrors('account'));
$account = new Account();
$account->status = Account::STATUS_BANNED;
$form = new BanForm($account);
$form->validateAccountActivity();
$this->assertEquals([E::ACCOUNT_ALREADY_BANNED], $form->getErrors('account'));
}
public function testBan() {
/** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */
@ -17,7 +32,7 @@ class BlockFormTest extends TestCase {
->method('save')
->willReturn(true);
$model = new BlockForm($account);
$model = new BanForm($account);
$this->assertTrue($model->ban());
$this->assertEquals(Account::STATUS_BANNED, $account->status);
$this->tester->canSeeAmqpMessageIsCreated('events');
@ -27,14 +42,14 @@ class BlockFormTest extends TestCase {
$account = new Account();
$account->id = 3;
$model = new BlockForm($account);
$model = new BanForm($account);
$model->createTask();
$message = json_decode($this->tester->grabLastSentAmqpMessage('events')->body, true);
$this->assertSame(3, $message['accountId']);
$this->assertSame(-1, $message['duration']);
$this->assertSame('', $message['message']);
$model = new BlockForm($account);
$model = new BanForm($account);
$model->duration = 123;
$model->message = 'test';
$model->createTask();

View File

@ -30,4 +30,24 @@ return [
'is_trusted' => 0,
'created_at' => 1479937982,
],
'trustedClient' => [
'id' => 'trusted-client',
'secret' => 'tXBbyvMcyaOgHMOAXBpN2EC7uFoJAaL9',
'name' => 'Trusted client',
'description' => 'Это клиент, которому мы доверяем',
'redirect_uri' => null,
'account_id' => null,
'is_trusted' => 1,
'created_at' => 1482922663,
],
'defaultClient' => [
'id' => 'default-client',
'secret' => 'AzWRy7ZjS1yRQUk2vRBDic8fprOKDB1W',
'name' => 'Default client',
'description' => 'Это обычный клиент, каких может быть много',
'redirect_uri' => null,
'account_id' => null,
'is_trusted' => 0,
'created_at' => 1482922711,
],
];

View File

@ -1,12 +0,0 @@
<?php
namespace tests\codeception\common\unit\models;
use tests\codeception\common\unit\TestCase;
class OauthScopeTest extends TestCase {
public function testTest() {
$scopes = \common\models\OauthScope::getScopes();
}
}