New property on AuthorizationServer to receive an encryption key, which is used for future encryption/decryption instead of key-based encryption/decryption

This commit is contained in:
Alex Bilbie 2017-07-01 15:57:40 +01:00
parent 4a717104fa
commit 1af4012df4
6 changed files with 68 additions and 1 deletions


@ -9,7 +9,8 @@
"league/event": "^2.1", "league/event": "^2.1",
"lcobucci/jwt": "^3.1", "lcobucci/jwt": "^3.1",
"paragonie/random_compat": "^1.1 || ^2.0", "paragonie/random_compat": "^1.1 || ^2.0",
"psr/http-message": "^1.0" "psr/http-message": "^1.0",
"defuse/php-encryption": "^2.1"
}, },
"require-dev": { "require-dev": {
"phpunit/phpunit": "^4.8 || ^5.0", "phpunit/phpunit": "^4.8 || ^5.0",


@ -26,6 +26,8 @@ class AuthorizationServer implements EmitterAwareInterface
{ {
use EmitterAwareTrait; use EmitterAwareTrait;
const ENCRYPTION_KEY_ERROR = 'You must set the encryption key going forward to improve the security of this library - see this page for more information https://xxxx/xxxx';
/** /**
* @var GrantTypeInterface[] * @var GrantTypeInterface[]
*/ */
@ -66,6 +68,11 @@ class AuthorizationServer implements EmitterAwareInterface
*/ */
private $scopeRepository; private $scopeRepository;
/**
* @var string
*/
private $encryptionKey;
/** /**
* New server instance. * New server instance.
* *
@ -101,6 +108,16 @@ class AuthorizationServer implements EmitterAwareInterface
$this->responseType = $responseType; $this->responseType = $responseType;
} }
/**
* Set the encryption key
*
* @param string $key
*/
public function setEncryptionKey($key)
{
$this->encryptionKey = $key;
}
/** /**
* Enable a grant type on the server. * Enable a grant type on the server.
* *
@ -120,6 +137,11 @@ class AuthorizationServer implements EmitterAwareInterface
$grantType->setPublicKey($this->publicKey); $grantType->setPublicKey($this->publicKey);
$grantType->setEmitter($this->getEmitter()); $grantType->setEmitter($this->getEmitter());
if ($this->encryptionKey === null) {
error_log(self::ENCRYPTION_KEY_ERROR);
}
$grantType->setEncryptionKey($this->encryptionKey);
$this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType; $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
$this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL; $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
} }
@ -135,6 +157,10 @@ class AuthorizationServer implements EmitterAwareInterface
*/ */
public function validateAuthorizationRequest(ServerRequestInterface $request) public function validateAuthorizationRequest(ServerRequestInterface $request)
{ {
if ($this->encryptionKey === null) {
error_log(self::ENCRYPTION_KEY_ERROR);
}
foreach ($this->enabledGrantTypes as $grantType) { foreach ($this->enabledGrantTypes as $grantType) {
if ($grantType->canRespondToAuthorizationRequest($request)) { if ($grantType->canRespondToAuthorizationRequest($request)) {
return $grantType->validateAuthorizationRequest($request); return $grantType->validateAuthorizationRequest($request);
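Review bot: `setEncryptionKey` on the server only stores the key, while `enableGrantType` copies `$this->encryptionKey` into each grant at enable time, so a key set after a grant has already been enabled never reaches that grant and it silently keeps using the openssl key-pair path with no log line at all; the setter should forward the key to everything already in `$this->enabledGrantTypes`. The `ENCRYPTION_KEY_ERROR` message still contains the placeholder link `https://xxxx/xxxx`, which will land verbatim in production error logs; fill it in or drop the link before release. The trait and the interface give `setEncryptionKey` a `= null` default but the server's signature does not, so the three declarations should be aligned. The `enableGrantType` body starts outside the hunk.

```php
public function setEncryptionKey($key)
{
    $this->encryptionKey = $key;

    // Grants enabled before the key was set received null; hand them the key now.
    foreach ($this->enabledGrantTypes as $grantType) {
        $grantType->setEncryptionKey($key);
    }
}
```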


@ -11,6 +11,8 @@
namespace League\OAuth2\Server; namespace League\OAuth2\Server;
use Defuse\Crypto\Crypto;
trait CryptTrait trait CryptTrait
{ {
/** /**
@ -23,6 +25,11 @@ trait CryptTrait
*/ */
protected $publicKey; protected $publicKey;
/**
* @var string
*/
protected $encryptionKey;
/** /**
* Set path to private key. * Set path to private key.
* *
@ -54,6 +61,10 @@ trait CryptTrait
*/ */
protected function encrypt($unencryptedData) protected function encrypt($unencryptedData)
{ {
if ($this->encryptionKey !== null) {
return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
}
$privateKey = openssl_pkey_get_private($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase()); $privateKey = openssl_pkey_get_private($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
$privateKeyDetails = @openssl_pkey_get_details($privateKey); $privateKeyDetails = @openssl_pkey_get_details($privateKey);
if ($privateKeyDetails === null) { if ($privateKeyDetails === null) {
@ -91,6 +102,10 @@ trait CryptTrait
*/ */
protected function decrypt($encryptedData) protected function decrypt($encryptedData)
{ {
if ($this->encryptionKey !== null) {
return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
}
$publicKey = openssl_pkey_get_public($this->publicKey->getKeyPath()); $publicKey = openssl_pkey_get_public($this->publicKey->getKeyPath());
$publicKeyDetails = @openssl_pkey_get_details($publicKey); $publicKeyDetails = @openssl_pkey_get_details($publicKey);
if ($publicKeyDetails === null) { if ($publicKeyDetails === null) {
@ -118,4 +133,14 @@ trait CryptTrait
return $output; return $output;
} }
/**
* Set the encryption key
*
* @param string $key
*/
public function setEncryptionKey($key = null)
{
$this->encryptionKey = $key;
}
} }
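Review bot: The new early return in `decrypt` lets php-encryption's own exceptions (`WrongKeyOrModifiedCiphertextException`, `EnvironmentIsBrokenException`) escape on a tampered or wrong-key ciphertext, whereas the openssl path below keeps signalling failure the way it did before, so a caller that catches the old failure type around `decrypt` will no longer catch this one; the `Crypto::decryptWithPassword` call should be wrapped in a try/catch that rethrows the type the openssl branch already uses (that branch continues outside the hunk). Separately, `encryptWithPassword`/`decryptWithPassword` treat the key as a password and run a key-derivation function on every call (PBKDF2 in php-encryption 2.x, as far as I recall), a cost paid for every token issued or verified; if the key is already high-entropy, `Key::loadFromAsciiSafeString` with `Crypto::encrypt`/`Crypto::decrypt` avoids it. The `@var string` on `$encryptionKey` should read `@var string|null`, since null is exactly the case the new branches test for.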


@ -132,4 +132,11 @@ interface GrantTypeInterface extends EmitterAwareInterface
* @param CryptKey $publicKey * @param CryptKey $publicKey
*/ */
public function setPublicKey(CryptKey $publicKey); public function setPublicKey(CryptKey $publicKey);
/**
* Set the encryption key
*
* @param string|null $key
*/
public function setEncryptionKey($key = null);
} }
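Review bot: Adding `setEncryptionKey` to `GrantTypeInterface` is a breaking change for every grant implementation outside this repository, which now fails to load until it adds the method; the release notes should say so, or the method could stay off the interface and `enableGrantType` could probe for it with `method_exists` during the transition. The docblock should also say what the key is for rather than only its type, e.g. `Symmetric key used by CryptTrait::encrypt()/decrypt(); when null the public/private key pair is used instead.`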


@ -36,6 +36,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/Stubs/public.key', 'file://' . __DIR__ . '/Stubs/public.key',
new StubResponseType() new StubResponseType()
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M')); $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
@ -66,6 +67,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/Stubs/public.key', 'file://' . __DIR__ . '/Stubs/public.key',
new StubResponseType() new StubResponseType()
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M')); $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
@ -87,6 +89,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/Stubs/private.key', 'file://' . __DIR__ . '/Stubs/private.key',
'file://' . __DIR__ . '/Stubs/public.key' 'file://' . __DIR__ . '/Stubs/public.key'
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$abstractGrantReflection = new \ReflectionClass($server); $abstractGrantReflection = new \ReflectionClass($server);
$method = $abstractGrantReflection->getMethod('getResponseType'); $method = $abstractGrantReflection->getMethod('getResponseType');
@ -106,6 +109,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/Stubs/private.key', 'file://' . __DIR__ . '/Stubs/private.key',
'file://' . __DIR__ . '/Stubs/public.key' 'file://' . __DIR__ . '/Stubs/public.key'
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$authCodeRepository = $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(); $authCodeRepository = $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock();
$authCodeRepository->method('getNewAuthCode')->willReturn(new AuthCodeEntity()); $authCodeRepository->method('getNewAuthCode')->willReturn(new AuthCodeEntity());
@ -152,6 +156,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/Stubs/private.key', 'file://' . __DIR__ . '/Stubs/private.key',
'file://' . __DIR__ . '/Stubs/public.key' 'file://' . __DIR__ . '/Stubs/public.key'
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$server->enableGrantType($grant); $server->enableGrantType($grant);
$request = new ServerRequest( $request = new ServerRequest(
@ -184,6 +189,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/Stubs/private.key', 'file://' . __DIR__ . '/Stubs/private.key',
'file://' . __DIR__ . '/Stubs/public.key' 'file://' . __DIR__ . '/Stubs/public.key'
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$request = new ServerRequest( $request = new ServerRequest(
[], [],
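Review bot: Every updated test now calls `setEncryptionKey(base64_encode(random_bytes(36)))` before exercising the server, so the null-key path (the `error_log` call and the openssl fallback in `CryptTrait`) is not covered here and, as far as this diff shows, nowhere else; one test should build the server without setting a key and assert the legacy behaviour still holds, and another should call `setEncryptionKey` after `enableGrantType` to pin down which key the grant ends up with. The same key expression is pasted into six set-up blocks in this file and two more in AuthorizationServerMiddlewareTest; a `private function newServer()` helper or a single test constant would keep it in one place.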


@ -36,6 +36,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/../Stubs/public.key', 'file://' . __DIR__ . '/../Stubs/public.key',
new StubResponseType() new StubResponseType()
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$server->enableGrantType(new ClientCredentialsGrant()); $server->enableGrantType(new ClientCredentialsGrant());
@ -69,6 +70,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
'file://' . __DIR__ . '/../Stubs/public.key', 'file://' . __DIR__ . '/../Stubs/public.key',
new StubResponseType() new StubResponseType()
); );
$server->setEncryptionKey(base64_encode(random_bytes(36)));
$server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M')); $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));