Change the ClientRepository::getClientEntity() implementation and re-write tests

thexpand · thexpand · commit d585429f8fde · 2019-10-07T23:25:50.000+03:00
diff --git a/src/Repository/Pdo/ClientRepository.php b/src/Repository/Pdo/ClientRepository.php
@@ -21,39 +21,69 @@ class ClientRepository extends AbstractRepository implements ClientRepositoryInt
     /**
      * {@inheritDoc}
      */
-    public function getClientEntity(
-        $clientIdentifier,
-        $grantType = null,
-        $clientSecret = null,
-        $mustValidateSecret = true
-    ) {
-        $sth = $this->pdo->prepare(
-            'SELECT * FROM oauth_clients WHERE name = :clientIdentifier'
-        );
-        $sth->bindParam(':clientIdentifier', $clientIdentifier);
+    public function getClientEntity($clientIdentifier) : ?ClientEntityInterface
+    {
+        $clientData = $this->getClientData($clientIdentifier);
 
-        if (false === $sth->execute()) {
+        if (empty($clientData)) {
             return null;
         }
-        $row = $sth->fetch();
-        if (empty($row) || ! $this->isGranted($row, $grantType)) {
+
+        return new ClientEntity(
+            $clientIdentifier,
+            $clientData['name'] ?? '',
+            $clientData['redirect'] ?? '',
+        );
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function validateClient($clientIdentifier, $clientSecret, $grantType) : bool
+    {
+        $clientData = $this->getClientData($clientIdentifier);
+
+        if (empty($clientData)) {
+            return false;
+        }
+
+        if (! $this->isGranted($clientData, $grantType)) {
+            return false;
+        }
+
+        if (empty($clientData['secret']) || ! password_verify((string) $clientSecret, $clientData['secret'])) {
+            return false;
+        }
+
+        return true;
+    }
+
+    protected function getClientData(string $clientIdentifier) : ?array
+    {
+        $statement = $this->pdo->prepare(
+            'SELECT * FROM oauth_clients WHERE name = :clientIdentifier'
+        );
+        $statement->bindParam(':clientIdentifier', $clientIdentifier);
+
+        if ($statement->execute() === false) {
             return null;
         }
 
-        if ($mustValidateSecret
-            && (empty($row['secret']) || ! password_verify((string) $clientSecret, $row['secret']))
-        ) {
+        $row = $statement->fetch();
+
+        if (empty($row)) {
             return null;
         }
 
-        return new ClientEntity($clientIdentifier, $row['name'], $row['redirect']);
+        return $row;
     }
 
     /**
      * Check the grantType for the client value, stored in $row
      *
-     * @param array $row
+     * @param array  $row
      * @param string $grantType
+     *
      * @return bool
      */
     protected function isGranted(array $row, string $grantType = null) : bool
@@ -69,18 +99,4 @@ protected function isGranted(array $row, string $grantType = null) : bool
                 return true;
         }
     }
-
-    /**
-     * {@inheritDoc}
-     */
-    public function validateClient($clientIdentifier, $clientSecret, $grantType) : bool
-    {
-        $client = $this->getClientEntity(
-            $clientIdentifier,
-            $grantType,
-            $clientSecret
-        );
-
-        return $client instanceof ClientEntityInterface;
-    }
 }
diff --git a/test/Pdo/OAuth2PdoMiddlewareTest.php b/test/Pdo/OAuth2PdoMiddlewareTest.php
@@ -12,6 +12,7 @@
 
 use DateInterval;
 use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
 use League\OAuth2\Server\Grant\ImplicitGrant;
@@ -64,6 +65,8 @@ class OAuth2PdoMiddlewareTest extends TestCase
     const PRIVATE_KEY    = __DIR__ .'/../TestAsset/private.key';
     const ENCRYPTION_KEY = 'T2x2+1OGrEzfS+01OUmwhOcJiGmE58UD1fllNn6CGcQ=';
 
+    const CODE_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
+
     /** @var AccessTokenRepository */
     private $accessTokenRepository;
 
@@ -269,6 +272,17 @@ public function testProcessGetAuthorizationCode()
             'scope'         => 'test',
             'state'         => $state
         ];
+
+        $codeVerifier = new S256Verifier();
+
+        $params['code_challenge_method'] = $codeVerifier->getMethod();
+        $params['code_verifier'] = self::CODE_VERIFIER;
+        $params['code_challenge'] = strtr(
+            rtrim(base64_encode(hash('sha256', self::CODE_VERIFIER, true)), '='),
+            '+/',
+            '-_'
+        );
+
         $request = $this->buildServerRequest(
             'GET',
             '/auth_code?' . http_build_query($params),
@@ -324,8 +338,10 @@ public function testProcessFromAuthorizationCode(string $code)
             'client_id'     => 'client_test2',
             'client_secret' => 'test',
             'redirect_uri'  => '/redirect',
-            'code'          => $code
+            'code'          => $code,
+            'code_verifier' => self::CODE_VERIFIER,
         ];
+
         $request = $this->buildServerRequest(
             'POST',
             '/access_token',
diff --git a/test/Repository/Pdo/ClientRepositoryTest.php b/test/Repository/Pdo/ClientRepositoryTest.php
@@ -36,10 +36,7 @@ public function testGetClientEntityReturnsNullIfStatementExecutionReturnsFalse()
             ->will([$statement, 'reveal']);
 
         $this->assertNull(
-            $this->repo ->getClientEntity(
-                'client_id',
-                'grant_type'
-            )
+            $this->repo ->getClientEntity('client_id')
         );
     }
 
@@ -59,10 +56,7 @@ public function testGetClientEntityReturnsNullIfNoRowReturned()
         $client = $this->prophesize(ClientEntityInterface::class);
 
         $this->assertNull(
-            $this->repo ->getClientEntity(
-                'client_id',
-                'grant_type'
-            )
+            $this->repo ->getClientEntity('client_id')
         );
     }
 
@@ -85,7 +79,7 @@ public function invalidGrants()
     /**
      * @dataProvider invalidGrants
      */
-    public function testGetClientEntityReturnsNullIfRowIndicatesNotGranted(string $grantType, array $rowReturned)
+    public function testValidateClientReturnsFalseIfRowIndicatesNotGranted(string $grantType, array $rowReturned)
     {
         $statement = $this->prophesize(PDOStatement::class);
         $statement->bindParam(':clientIdentifier', 'client_id')->shouldBeCalled();
@@ -100,22 +94,23 @@ public function testGetClientEntityReturnsNullIfRowIndicatesNotGranted(string $g
 
         $client = $this->prophesize(ClientEntityInterface::class);
 
-        $this->assertNull(
-            $this->repo ->getClientEntity(
+        $this->assertFalse(
+            $this->repo ->validateClient(
                 'client_id',
+                '',
                 $grantType
             )
         );
     }
 
-    public function testGetClientReturnsNullForNonMatchingClientSecret()
+    public function testValidateClientReturnsFalseForNonMatchingClientSecret()
     {
         $statement = $this->prophesize(PDOStatement::class);
         $statement->bindParam(':clientIdentifier', 'client_id')->shouldBeCalled();
         $statement->execute()->will(function () use ($statement) {
             $statement->fetch()->willReturn([
                 'password_client' => true,
-                'secret' => 'unknown password',
+                'secret' => 'bar',
             ]);
             return null;
         });
@@ -126,17 +121,16 @@ public function testGetClientReturnsNullForNonMatchingClientSecret()
 
         $client = $this->prophesize(ClientEntityInterface::class);
 
-        $this->assertNull(
-            $this->repo ->getClientEntity(
+        $this->assertFalse(
+            $this->repo ->validateClient(
                 'client_id',
-                'password_client',
-                'password',
-                true
+                'foo',
+                'password'
             )
         );
     }
 
-    public function testGetClientReturnsNullForEmptyClientSecret()
+    public function testValidateClientReturnsFalseForEmptyClientSecret()
     {
         $statement = $this->prophesize(PDOStatement::class);
         $statement->bindParam(':clientIdentifier', 'client_id')->shouldBeCalled();
@@ -154,12 +148,11 @@ public function testGetClientReturnsNullForEmptyClientSecret()
 
         $client = $this->prophesize(ClientEntityInterface::class);
 
-        $this->assertNull(
-            $this->repo ->getClientEntity(
+        $this->assertFalse(
+            $this->repo ->validateClient(
                 'client_id',
-                'password_client',
-                'password',
-                true
+                'foo',
+                'password'
             )
         );
     }
