(feat): Domain enforce; (test): Spec test

1155faab · Emiliano Balbuena · ef3d7433 · 1155faab · 1155faab
Commit 1155faab authored 16 minutes ago by Emiliano Balbuena
Hide whitespace changes
Inline Side-by-side

Showing with 207 additions and 0 deletions
--- a/Core/SSO/Manager.php
+++ b/Core/SSO/Manager.php
@@ -139,6 +139,10 @@ class Manager
                ->setKey($key)
                ->decode($jwt);

+            if ($this->domain !== $data['domain']) {
+                throw new Exception('Invalid domain');
+            }
+
            $ssoKey = $data['key'];

            $sessionToken = $this->cache

--- a/Spec/Core/SSO/ManagerSpec.php
+++ b/Spec/Core/SSO/ManagerSpec.php
+<?php
+
+namespace Spec\Minds\Core\SSO;
+
+use Minds\Common\Jwt;
+use Minds\Core\Config;
+use Minds\Core\Data\cache\abstractCacher;
+use Minds\Core\Sessions\Manager as SessionsManager;
+use Minds\Core\Sessions\Session;
+use Minds\Core\SSO\Delegates;
+use Minds\Core\SSO\Manager;
+use PhpSpec\ObjectBehavior;
+use Prophecy\Argument;
+
+class ManagerSpec extends ObjectBehavior
+{
+    /** @var Config */
+    protected $config;
+
+    /** @var abstractCacher */
+    protected $cache;
+
+    /** @var Jwt */
+    protected $jwt;
+
+    /** @var SessionsManager */
+    protected $sessions;
+
+    /** @var Delegates\ProDelegate */
+    protected $proDelegate;
+
+    public function let(
+        Config $config,
+        abstractCacher $cache,
+        Jwt $jwt,
+        SessionsManager $sessions,
+        Delegates\ProDelegate $proDelegate
+    ) {
+        $this->config = $config;
+        $this->cache = $cache;
+        $this->jwt = $jwt;
+        $this->sessions = $sessions;
+        $this->proDelegate = $proDelegate;
+
+        $this->config->get('oauth')
+            ->willReturn([
+                'encryption_key' => '~key~'
+            ]);
+
+        $this->beConstructedWith(
+            $config,
+            $cache,
+            $jwt,
+            $sessions,
+            $proDelegate
+        );
+    }
+
+    public function it_is_initializable()
+    {
+        $this->shouldHaveType(Manager::class);
+    }
+
+    public function it_should_check_if_allowed()
+    {
+        $this->proDelegate->isAllowed('phpspec.test')
+            ->shouldBeCalled()
+            ->willReturn(true);
+
+        $this
+            ->setDomain('phpspec.test')
+            ->isAllowed()
+            ->shouldReturn(true);
+    }
+
+    public function it_should_check_if_not_allowed()
+    {
+        $this->proDelegate->isAllowed('phpspec.test')
+            ->shouldBeCalled()
+            ->willReturn(false);
+
+        $this
+            ->setDomain('phpspec.test')
+            ->isAllowed()
+            ->shouldReturn(false);
+    }
+
+    public function it_should_generate_token(
+        Session $session
+    ) {
+        $this->sessions->getSession()
+            ->shouldBeCalled()
+            ->willReturn($session);
+
+        $session->getUserGuid()
+            ->shouldBeCalled()
+            ->willReturn(1000);
+
+        $session->getToken()
+            ->shouldBeCalled()
+            ->willReturn('~token~');
+
+        $this->jwt->randomString()
+            ->shouldBeCalled()
+            ->willReturn('~random~');
+
+        $this->jwt->setKey('~key~')
+            ->shouldBeCalled()
+            ->willReturn($this->jwt);
+
+        $ssoKey = sprintf(
+            "sso:%s:%s:%s",
+            'phpspec.test',
+            hash('sha256', '~key~~token~'),
+            '~random~'
+        );
+
+        $this->jwt->encode([
+            'key' => $ssoKey,
+            'domain' => 'phpspec.test'
+        ], Argument::type('int'), Argument::type('int'))
+            ->shouldBeCalled()
+            ->willReturn('~jwt~');
+
+        $this->cache->set($ssoKey, '~token~', Argument::type('int'))
+            ->shouldBeCalled()
+            ->willReturn(true);
+
+        $this
+            ->setDomain('phpspec.test')
+            ->generateToken()
+            ->shouldReturn('~jwt~');
+    }
+
+    public function it_should_not_generate_a_token_if_logged_out()
+    {
+        $this->sessions->getSession()
+            ->shouldBeCalled()
+            ->willReturn(null);
+
+        $this
+            ->setDomain('phpspec.test')
+            ->generateToken()
+            ->shouldReturn(null);
+    }
+
+    public function it_should_authorize()
+    {
+        $this->jwt->setKey('~key~')
+            ->shouldBeCalled()
+            ->willReturn($this->jwt);
+
+        $this->jwt->decode('~jwt~')
+            ->shouldBeCalled()
+            ->willReturn([
+                'key' => 'sso:key',
+                'domain' => 'phpspec.test'
+            ]);
+
+        $this->cache->get('sso:key')
+            ->shouldBeCalled()
+            ->willReturn('~token~');
+
+        $this->sessions->withString('~token~')
+            ->shouldBeCalled()
+            ->willReturn($this->sessions);
+
+        $this->sessions->save()
+            ->shouldBeCalled()
+            ->willReturn(true);
+
+        $this->cache->destroy('sso:key')
+            ->shouldBeCalled()
+            ->willReturn(true);
+
+        $this
+            ->setDomain('phpspec.test')
+            ->authorize('~jwt~')
+            ->shouldReturn(true);
+    }
+
+    public function it_should_not_authorize_if_domain_mismatches()
+    {
+        $this->jwt->setKey('~key~')
+            ->shouldBeCalled()
+            ->willReturn($this->jwt);
+
+        $this->jwt->decode('~jwt~')
+            ->shouldBeCalled()
+            ->willReturn([
+                'key' => 'sso:key',
+                'domain' => 'phpspec.test'
+            ]);
+
+        $this->sessions->withString(Argument::cetera())
+            ->shouldNotBeCalled();
+
+        $this
+            ->setDomain('phpspec-invalid.test')
+            ->authorize('~jwt~')
+            ->shouldReturn(false);
+    }
+}