Change Dpop to use the JtiValidator + unit-tests.

Author: Potherca

src/JtiStorageInterface.php

@@ -6,7 +6,7 @@
  * This interface defines methods that a storage layer need to implement
  * in order to allow the JTI Service to validate JTI tokens.
  *
- * Such a token is a string between 12 and [..] characters of length.
+ * Such a token is a string between 12 and 256 characters of length.
  */
 interface JtiStorageInterface
 {

src/Utils/DPop.php

@@ -18,6 +18,13 @@
  */
 class DPop {
 
+    private JtiValidator $jtiValidator;
+
+    public function __construct(JtiValidator $jtiValidator)
+    {
+        $this->jtiValidator = $jtiValidator;
+    }
+
 	/**
 	 * This method fetches the WebId from a request and verifies
 	 * that the request has a valid DPoP token that matches
@@ -223,13 +230,20 @@ public function validateDpop($dpop, $request) {
 
 		$leeway = new \DateInterval("PT60S"); // allow 60 seconds clock skew
 		$clock = SystemClock::fromUTC();
-		$validationsConstraints[] = new LooseValidAt($clock, $leeway); // It will use the current time to validate (iat, nbf and exp)
+		$validationConstraints[] = new LooseValidAt($clock, $leeway); // It will use the current time to validate (iat, nbf and exp)
 		if (!$jwtConfig->validator()->validate($dpop, ...$validationConstraints)) {
 			$jwtConfig->validator()->assert($dpop, ...$validationConstraints); // throws an explanatory exception
 		}
 
 		// 9.  that, within a reasonable consideration of accuracy and resource utilization, a JWT with the same "jti" value has not been received previously (see Section 9.1).
-		// TODO: Check if we know the jti;
+		$jti = $dpop->claims()->get("jti");
+		if ($jti === null) {
+			throw new \Exception("jti is missing");
+		}
+		$isJtiValid = $this->jtiValidator->validate($jti, (string) $request->getUri());
+		if (! $isJtiValid) {
+			throw new \Exception("jti is invalid");
+		}
 
 		// 10. that, if used with an access token, it also contains the 'ath' claim, with a hash of the access token
 		// TODO: implement
@@ -245,11 +259,10 @@ private function getSubjectFromJwt($jwt) {
 			throw new \Exception("Invalid JWT token", 409, $e);
 		}
 
-        // @FIXME: What happens when "sub" is not provided?
 		$sub = $jwt->claims()->get("sub");
-        if ($sub === null) {
-            throw new \Exception('Invalid token: Missing "SUB');
-        }
+		if ($sub === null) {
+			throw new \Exception('Invalid token: Missing "SUB');
+		}
 		return $sub;
 	}
 }

src/Utils/JtiValidator.php

@@ -73,7 +73,9 @@ public function validate($jti, $targetUri): bool
 
         return $isValid;
     }
+
     ////////////////////////////// UTILITY METHODS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+
     private function shouldRotate(): bool
     {
         $shouldRotate = false;

tests/unit/Utils/DPOPTest.php

@@ -10,8 +10,10 @@
 /**
  * @coversDefaultClass \Pdsinterop\Solid\Auth\Utils\DPop
  * @covers ::<!public>
+ * @covers ::__construct
  *
  * @uses \Pdsinterop\Solid\Auth\Utils\Base64Url
+ * @uses \Pdsinterop\Solid\Auth\Utils\JtiValidator
  */
 class DPOPTest extends AbstractTestCase
 {
@@ -74,11 +76,22 @@ private function getWrongKey()
     /////////////////////////////////// TESTS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
     /**
-     * @testdox Dpop SHOULD be created WHEN instantiated without parameters
+     * @testdox Dpop SHOULD complain WHEN instantiated without JtiValidator
+     */
+    final public function testInstantiationWithoutJtiValidator(): void
+    {
+        $this->expectArgumentCountError(1);
+
+        new DPop();
+    }
+
+    /**
+     * @testdox Dpop SHOULD be created WHEN instantiated with JtiValidator
      */
     final public function testInstantiation(): void
     {
-        $actual = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $actual = new DPop($mockJtiValidator);
         $expected = DPop::class;
 
         $this->assertInstanceOf($expected, $actual);
@@ -93,7 +106,8 @@ final public function testValidateDpopWithoutJwt(): void
     {
         $this->expectArgumentCountError(1);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $dpop->validateDpop();
     }
@@ -107,7 +121,8 @@ final public function testValidateDpopWithoutRequest(): void
     {
         $this->expectArgumentCountError(2);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $dpop->validateDpop('mock jwt');
     }
@@ -122,7 +137,9 @@ public function testValidateDpopWithWrongTyp(): void
         $this->dpop['header']['typ'] = 'jwt';
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
+
         $this->expectException(\Exception::class);
         $this->expectExceptionMessage('typ is not dpop+jwt');
 
@@ -139,7 +156,9 @@ public function testValidateDpopWithAlgNone(): void
         $this->dpop['header']['alg'] = 'none';
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
+
         $this->expectException(\Exception::class);
         $this->expectExceptionMessage('alg is none');
         $result = $dpop->validateDpop($token['token'], $this->serverRequest);
@@ -161,7 +180,9 @@ public function testValidateDpopWithWrongKey(): void
         ];
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
+
         try {
             $dpop->validateDpop($token['token'], $this->serverRequest);
         } catch(RequiredConstraintsViolated $e) {
@@ -177,10 +198,21 @@ public function testValidateDpopWithWrongKey(): void
      */
     public function testValidateDpopWithCorrectToken(): void
     {
+        $this->dpop['payload']['jti'] = 'mock jti';
+
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+
+        $mockJtiValidator->expects($this->once())
+            ->method('validate')
+            ->willReturn(true)
+        ;
+
+        $dpop = new DPop($mockJtiValidator);
+
         $result = $dpop->validateDpop($token['token'], $this->serverRequest);
+
         $this->assertTrue($result);
     }
 
@@ -191,7 +223,8 @@ public function testValidateDpopWithCorrectToken(): void
      */
     final public function testGetWebIdWithoutRequest(): void
     {
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $this->expectArgumentCountError(1);
 
@@ -205,8 +238,8 @@ final public function testGetWebIdWithoutRequest(): void
      */
     final public function testGetWebIdWithoutHttpAuthorizationHeader(): void
     {
-
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array(),array(), $this->url);
 
@@ -222,7 +255,8 @@ final public function testGetWebIdWithoutHttpAuthorizationHeader(): void
      */
     final public function testGetWebIdWithIncorrectAuthHeaderFormat(): void
     {
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array('HTTP_AUTHORIZATION' => 'IncorrectAuthorizationFormat'),array(), $this->url);
 
@@ -239,7 +273,8 @@ final public function testGetWebIdWithIncorrectAuthHeaderFormat(): void
      */
     final public function testGetWebIdWithInvalidJwt(): void
     {
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $this->expectException(\Exception::class);
         $this->expectExceptionMessage('Invalid JWT token');
@@ -256,7 +291,8 @@ final public function testGetWebIdWithInvalidJwt(): void
      */
     final public function testGetWebIdWithoutDpop(): void
     {
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array('HTTP_AUTHORIZATION' => "Basic YWxhZGRpbjpvcGVuc2VzYW1l"),array(), $this->url);
 
@@ -283,7 +319,8 @@ final public function testGetWebIdWithDpopWithoutKeyId(): void
 
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array(
             'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
@@ -311,7 +348,8 @@ final public function testGetWebIdWithDpopWithoutConfirmationClaim(): void
 
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array(
             'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
@@ -340,7 +378,8 @@ final public function testGetWebIdWithDpopWithoutThumbprint(): void
 
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array(
             'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
@@ -369,7 +408,8 @@ final public function testGetWebIdWithDpopWithMismatchingThumbprintAndKeyId(): v
 
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array(
             'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
@@ -397,7 +437,8 @@ final public function testGetWebIdWithDpopWithoutSub(): void
 
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array(
             'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
@@ -422,11 +463,19 @@ final public function testGetWebIdWithDpop(): void
     {
         $this->dpop['header']['jwk'][JwkParameter::KEY_ID] = self::MOCK_THUMBPRINT;
         $this->dpop['payload']['cnf'] = ['jkt' => self::MOCK_THUMBPRINT];
+        $this->dpop['payload']['jti'] = 'mock jti';
         $this->dpop['payload']['sub'] = self::MOCK_SUBJECT;
 
         $token = $this->sign($this->dpop);
 
-        $dpop = new DPop();
+        $mockJtiValidator = $this->createMockJtiValidator();
+
+        $mockJtiValidator->expects($this->once())
+            ->method('validate')
+            ->willReturn(true)
+        ;
+
+        $dpop = new DPop($mockJtiValidator);
 
         $request = new ServerRequest(array(
             'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
@@ -438,6 +487,17 @@ final public function testGetWebIdWithDpop(): void
         $this->assertEquals(self::MOCK_SUBJECT, $actual);
     }
 
+    ////////////////////////////// MOCKS AND STUBS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+
+    private function createMockJtiValidator()
+    {
+        $mockJtiValidator = $this->getMockBuilder(JtiValidator::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        return $mockJtiValidator;
+    }
+
     ///////////////////////////// HELPER FUNCTIONS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
     protected function sign($dpop, $privateKey = null)