Fix various bugs in DPop class + unit-tests

Potherca · Potherca · commit 8d2c8262d6da · 2022-09-18T19:40:56.000+02:00
- Add various checks for unset keys
- Change Exception message to state what makes a token invalid
-
diff --git a/src/Utils/DPop.php b/src/Utils/DPop.php
@@ -2,19 +2,15 @@
 
 namespace Pdsinterop\Solid\Auth\Utils;
 
-use Lcobucci\JWT\Configuration;
+use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\ECKey;
+use Jose\Component\Core\Util\RSAKey;
 use Lcobucci\Clock\SystemClock;
-use DateTimeImmutable;
-use DateInterval;
+use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Key\InMemory;
-use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
 
-use Jose\Component\Core\JWK;
-use Jose\Component\Core\Util\ECKey;
-use Jose\Component\Core\Util\RSAKey;
-
 /**
  * This class contains code to fetch the WebId from a request
  * It also verifies that the request has a valid DPoP token
@@ -44,12 +40,13 @@ public function getWebId($request) {
 			$dpop = $request->getServerParams()['HTTP_DPOP'];
 			//@FIXME: check that there is just one DPoP token in the request
 			if ($dpop) {
-				$dpopKey = $this->getDpopKey($dpop, $request);
 				try {
-                    // @FIXME: What happens when DPOP is not valid?
+					$dpopKey = $this->getDpopKey($dpop, $request);
 					$this->validateJwtDpop($jwt, $dpopKey);
-				} catch (Lcobucci\JWT\Validation\RequiredConstraintsViolated $e) {
-					throw new \Exception("Invalid token", $e);
+				} catch (\Lcobucci\JWT\Validation\RequiredConstraintsViolated $e) {
+					throw new \Exception("Invalid token: {$e->getMessage()}", 0, $e);
+				} catch (\Exception $e) {
+					throw new \Exception("Invalid token: {$e->getMessage()}", 0, $e);
 				}
 			} else {
 				throw new \Exception("Missing DPoP token");
@@ -84,19 +81,28 @@ public function getDpopKey($dpop, $request) {
 		$dpop = $jwtConfig->parser()->parse($dpop);
 		$jwk  = $dpop->headers()->get("jwk");
 
-        // @FIXME: What happens when 'kid' is not set? 'Undefined array key "kid"'
+		if (isset($jwk['kid']) === false) {
+			throw new \Exception('Key ID is missing from JWK header');
+		}
+
 		return $jwk['kid'];
 	}
 
 	private function validateJwtDpop($jwt, $dpopKey) {
 		$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
 		$jwt = $jwtConfig->parser()->parse($jwt);
-        // @FIXME: What happens if CNF is not set?
 		$cnf = $jwt->claims()->get("cnf");
 
-        // @FIXME: What happens if JKT is not set?
-		if ($cnf['jkt'] == $dpopKey) {
-			return true;
+		if ($cnf === null) {
+			throw new \Exception('JWT Confirmation claim (cnf) is missing');
+		}
+
+		if (isset($cnf['jkt']) === false) {
+			throw new \Exception('JWT Confirmation claim (cnf) is missing Thumbprint (jkt)');
+		}
+
+		if ($cnf['jkt'] !== $dpopKey) {
+			throw new \Exception('JWT Confirmation claim (cnf) provided Thumbprint (jkt) does not match Key ID from JWK header');
 		}
 
 		//@FIXME: add check for "ath" claim in DPoP token, per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-7
@@ -241,6 +247,9 @@ private function getSubjectFromJwt($jwt) {
 
         // @FIXME: What happens when "sub" is not provided?
 		$sub = $jwt->claims()->get("sub");
+        if ($sub === null) {
+            throw new \Exception('Invalid token: Missing "SUB');
+        }
 		return $sub;
 	}
 }
diff --git a/tests/unit/Utils/DPOPTest.php b/tests/unit/Utils/DPOPTest.php
@@ -3,8 +3,9 @@
 namespace Pdsinterop\Solid\Auth\Utils;
 
 use Laminas\Diactoros\ServerRequest;
-use Pdsinterop\Solid\Auth\AbstractTestCase;
 use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
+use Pdsinterop\Solid\Auth\AbstractTestCase;
+use Pdsinterop\Solid\Auth\Enum\Jwk\Parameter as JwkParameter;
 
 /**
  * @coversDefaultClass \Pdsinterop\Solid\Auth\Utils\DPop
@@ -16,6 +17,9 @@ class DPOPTest extends AbstractTestCase
 {
     ////////////////////////////////// FIXTURES \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
+    const MOCK_SUBJECT = 'mock sub';
+    const MOCK_THUMBPRINT = 'Mock Thumbprint';
+
     private $dpop;
     private $url;
     private $serverRequest;
@@ -81,7 +85,7 @@ final public function testInstantiation(): void
     }
 
     /**
-     * @testdox Dpop SHOULD complain WHEN ask to validate DPOP without JWT given
+     * @testdox Dpop SHOULD complain WHEN asked to validate DPOP without JWT given
      *
      * @covers ::validateDpop
      */
@@ -95,7 +99,7 @@ final public function testValidateDpopWithoutJwt(): void
     }
 
     /**
-     * @testdox Dpop SHOULD complain WHEN ask to validate DPOP without Request given
+     * @testdox Dpop SHOULD complain WHEN asked to validate DPOP without Request given
      *
      * @covers ::validateDpop
      */
@@ -180,6 +184,11 @@ public function testValidateDpopWithCorrectToken(): void
         $this->assertTrue($result);
     }
 
+    /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId without Request given
+     *
+     * @covers ::getWebId
+     */
     final public function testGetWebIdWithoutRequest(): void
     {
         $dpop = new DPop();
@@ -190,6 +199,8 @@ final public function testGetWebIdWithoutRequest(): void
     }
 
     /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request without Authorization Header
+     *
      * @covers ::getWebId
      */
     final public function testGetWebIdWithoutHttpAuthorizationHeader(): void
@@ -205,6 +216,25 @@ final public function testGetWebIdWithoutHttpAuthorizationHeader(): void
     }
 
     /**
+     * @testdox Dpop SHOULD  return "public" WHEN asked to get WebId from Request with incorrect Authorization Header format
+     *
+     * @covers ::getWebId
+     */
+    final public function testGetWebIdWithIncorrectAuthHeaderFormat(): void
+    {
+        $dpop = new DPop();
+
+        $request = new ServerRequest(array('HTTP_AUTHORIZATION' => 'IncorrectAuthorizationFormat'),array(), $this->url);
+
+        $actual = $dpop->getWebId($request);
+        $expected = 'public';
+
+        $this->assertEquals($expected, $actual);
+    }
+
+    /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request with invalid JWT
+     *
      * @covers ::getWebId
      */
     final public function testGetWebIdWithInvalidJwt(): void
@@ -219,27 +249,194 @@ final public function testGetWebIdWithInvalidJwt(): void
         $dpop->getWebId($request);
     }
 
-
     /**
+     * @testdox Dpop SHOULD return "public" WHEN asked to get WebId from Request with "Basic" authorization
+     *
      * @covers ::getWebId
      */
-    final public function testGetWebId(): void
+    final public function testGetWebIdWithoutDpop(): void
     {
         $dpop = new DPop();
 
-        $token = $this->sign($this->dpop)['token'];
+        $request = new ServerRequest(array('HTTP_AUTHORIZATION' => "Basic YWxhZGRpbjpvcGVuc2VzYW1l"),array(), $this->url);
+
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('Missing DPoP token');
 
-        $request = new ServerRequest(array('HTTP_AUTHORIZATION' => $token),array(), $this->url);
+        $this->markTestIncomplete('The current result is not testable (Undefined array key "HTTP_DPOP")');
 
         $actual = $dpop->getWebId($request);
-        $expected = 'public';
+    }
 
-        $this->assertEquals($expected, $actual);
+    /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request with valid DPOP without JWT Key Id
+     *
+     * @covers ::getWebId
+     *
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::getDpopKey
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
+     */
+    final public function testGetWebIdWithDpopWithoutKeyId(): void
+    {
+        $this->dpop['payload']['cnf'] = ['jkt' => self::MOCK_THUMBPRINT];
+        $this->dpop['payload']['sub'] = self::MOCK_SUBJECT;
+
+        $token = $this->sign($this->dpop);
+
+        $dpop = new DPop();
+
+        $request = new ServerRequest(array(
+            'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
+            'HTTP_DPOP' => $token['token'],
+        ),array(), $this->url);
+
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('Invalid token');
+
+        $dpop->getWebId($request);
     }
 
-    /////////////////////////////// DATAPROVIDERS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+    /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request with valid DPOP without Confirmation Claim
+     *
+     * @covers ::getWebId
+     *
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::getDpopKey
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
+     */
+    final public function testGetWebIdWithDpopWithoutConfirmationClaim(): void
+    {
+        $this->dpop['header']['jwk'][JwkParameter::KEY_ID] = self::MOCK_THUMBPRINT;
+        $this->dpop['payload']['sub'] = self::MOCK_SUBJECT;
+
+        $token = $this->sign($this->dpop);
+
+        $dpop = new DPop();
+
+        $request = new ServerRequest(array(
+            'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
+            'HTTP_DPOP' => $token['token'],
+        ),array(), $this->url);
 
-    ////////////////////////////// MOCKS AND STUBS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('Invalid token');
+
+        $dpop->getWebId($request);
+    }
+
+    /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request with valid DPOP without JWT Key Thumbprint
+     *
+     * @covers ::getWebId
+     *
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::getDpopKey
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
+     */
+    final public function testGetWebIdWithDpopWithoutThumbprint(): void
+    {
+        $this->dpop['header']['jwk'][JwkParameter::KEY_ID] = self::MOCK_THUMBPRINT;
+        $this->dpop['payload']['cnf'] = [];
+        $this->dpop['payload']['sub'] = self::MOCK_SUBJECT;
+
+        $token = $this->sign($this->dpop);
+
+        $dpop = new DPop();
+
+        $request = new ServerRequest(array(
+            'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
+            'HTTP_DPOP' => $token['token'],
+        ),array(), $this->url);
+
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('Invalid token');
+
+        $dpop->getWebId($request);
+    }
+
+    /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request with valid DPOP with Thumbprint not matching Key Id
+     *
+     * @covers ::getWebId
+     *
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::getDpopKey
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
+     */
+    final public function testGetWebIdWithDpopWithMismatchingThumbprintAndKeyId(): void
+    {
+        $this->dpop['header']['jwk'][JwkParameter::KEY_ID] = self::MOCK_THUMBPRINT . 'Mismatch';
+        $this->dpop['payload']['cnf'] = ['jkt' => self::MOCK_THUMBPRINT];
+        $this->dpop['payload']['sub'] = self::MOCK_SUBJECT;
+
+        $token = $this->sign($this->dpop);
+
+        $dpop = new DPop();
+
+        $request = new ServerRequest(array(
+            'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
+            'HTTP_DPOP' => $token['token'],
+        ),array(), $this->url);
+
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('Invalid token');
+
+        $dpop->getWebId($request);
+    }
+
+    /**
+     * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request with valid DPOP without "sub"
+     *
+     * @covers ::getWebId
+     *
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::getDpopKey
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
+     */
+    final public function testGetWebIdWithDpopWithoutSub(): void
+    {
+        $this->dpop['header']['jwk'][JwkParameter::KEY_ID] = self::MOCK_THUMBPRINT;
+        $this->dpop['payload']['cnf'] = ['jkt' => self::MOCK_THUMBPRINT];
+
+        $token = $this->sign($this->dpop);
+
+        $dpop = new DPop();
+
+        $request = new ServerRequest(array(
+            'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
+            'HTTP_DPOP' => $token['token'],
+        ),array(), $this->url);
+
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('Invalid token');
+
+        $dpop->getWebId($request);
+    }
+
+    /**
+     * @testdox Dpop SHOULD return given "sub" WHEN asked to get WebId from Request with complete DPOP
+     *
+     * @covers ::getWebId
+     *
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::getDpopKey
+     * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
+     */
+    final public function testGetWebIdWithDpop(): void
+    {
+        $this->dpop['header']['jwk'][JwkParameter::KEY_ID] = self::MOCK_THUMBPRINT;
+        $this->dpop['payload']['cnf'] = ['jkt' => self::MOCK_THUMBPRINT];
+        $this->dpop['payload']['sub'] = self::MOCK_SUBJECT;
+
+        $token = $this->sign($this->dpop);
+
+        $dpop = new DPop();
+
+        $request = new ServerRequest(array(
+            'HTTP_AUTHORIZATION' => "dpop {$token['token']}",
+            'HTTP_DPOP' => $token['token'],
+        ),array(), $this->url);
+
+        $actual = $dpop->getWebId($request);
+
+        $this->assertEquals(self::MOCK_SUBJECT, $actual);
+    }
 
     ///////////////////////////// HELPER FUNCTIONS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
