AuthTest

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.

/vendor/google/apiclient/tests/general/AuthTest.php  
  1. class AuthTest extends BaseTest 
  // Test fixtures; each path is resolved relative to __DIR__ where it is used.
  // PKCS#12 bundle holding the signing key; setUp() opens it with the
  // password "notasecret", and testCantOpenP12() checks that a wrong
  // password or a corrupted bundle is rejected.
  const PRIVATE_KEY_FILE = "testdata/cert.p12";
  // Public certificate in JSON form (used by verifySignedJwt) and PEM form
  // (used to build the Google_Verifier_Pem in setUp()); presumably the same
  // certificate in two encodings.
  const PUBLIC_KEY_FILE_JSON = "testdata/cacert.json";
  const PUBLIC_KEY_FILE = "testdata/cacert.pem";
  // Subject placed in the signed JWTs and expected back from getUserId().
  const USER_ID = "102102479283111695822";

  /** @var Google_Signer_P12 signer built from PRIVATE_KEY_FILE in setUp() */
  private $signer;

  /** @var string contents of PUBLIC_KEY_FILE; also served as the "keyid" cert by getSignonCerts() */
  private $pem;

  /** @var Google_Verifier_Pem verifier built from $pem in setUp() */
  private $verifier;
  15.  
  /**
   * Builds the signer/verifier pair used by the signature and JWT tests.
   *
   * The PKCS#12 bundle is opened with its test password; the PEM certificate
   * is kept on $this->pem so getSignonCerts() can serve it as a cert map.
   */
  public function setUp()
  {
    $p12Path = __DIR__.'/'.self::PRIVATE_KEY_FILE;
    $pemPath = __DIR__.'/'.self::PUBLIC_KEY_FILE;

    $p12 = file_get_contents($p12Path, true);
    $this->signer = new Google_Signer_P12($p12, "notasecret");

    $this->pem = file_get_contents($pemPath, true);
    $this->verifier = new Google_Verifier_Pem($this->pem);
  }
  23.  
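  /**
   * A PEM-encoded RSA key (not a PKCS#12 bundle) with a null password must
   * be accepted by Google_Signer_P12 directly.
   *
   * The original test only relied on the constructor not throwing; the
   * assertInstanceOf below makes the expectation explicit so the test is
   * not silently assertion-free.
   */
  public function testDirectInject()
  {
    // Throw-away test key fixture (heredoc body must stay at column 0 so the
    // key text is reproduced exactly).
    $privateKeyString = <<<PK
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC8iqFTYTrSGxddW+Tsx6cdWbQxITdM2anRbMYcohnQpQuPG46B
HO3WbUA8suC6PXqeIi4JkDrAYbI2+TN6w1FE/fh2H7WczuDVKtosBcfsoL2C5loU
mOf+4jL1xx4EL6xy8wMntZhNgimVCO9LkWCix/Qh9mpqx2zbC3OV4QsSQQIDAQAB
AoGASAosRCClifxB/DENko9iwisxV4haiemtIlEOjYg+luNJPGAKHjlAgyrxXX/3
sBGnlV53+r16RWHO54RmcCTLGwpC6zzVc6C4Or9KItdMDMnqBjmqiYDz3Na7tIPv
vwzn8k8Uto26HZF8d1bTdoinxHrv7w1OVkDQWnHmWkQRjBUCQQDpNw8F1qiJJoYr
tkkBmlObmSQRYD3mlEvRwu348e4dFb01oN2cfw/YNhh+Lt2TPHFz2GNn6VwJf1Yb
qRKBqo/jAkEAzvY91ReYrkBm50pi2nqJc1Hcxm5CVP7MMnHbn8wExKrRG2rCDY9Y
zOdsw7pP/x6mesdUy3tTrPYVbeWP6YPmiwJANx41Jbsa7/cz5KbbUE6qDe8+sACg
AJvx42x/k8OR9DvMER2o4rDBDOeUGFZ5NbAmXCu7KrbjcrcuobDu18h44wJAQ2s5
x0HxjcoS+4Ni4nMKdZOUTNu8Jf3+vOwUNGD8qKhQiBLl9g7dSZqV9sipqJzudI6c
k9Cv+GcNoggnMlWycwJAHMVgaBmNc+RVCMar/gN6i5sENjN9Itu7U1V4Qj/mG6+4
MHOXhXSKhtTe0Bqm/MssVvCmc8AraKwBMs0rkMadsA==
-----END RSA PRIVATE KEY-----
PK;
    $sign = new Google_Signer_P12($privateKeyString, null);
    $this->assertInstanceOf('Google_Signer_P12', $sign);
  }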
  43.  
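  /**
   * Opening the PKCS#12 bundle must fail both for a wrong password and for
   * a corrupted bundle, and each failure must carry a recognisable message.
   *
   * The second case catches the generic Exception, so $this->fail() is kept
   * outside that try block: otherwise the assertion-failure exception thrown
   * by fail() would be swallowed by the catch and re-asserted against the
   * wrong message, hiding the real cause ("constructor did not throw").
   */
  public function testCantOpenP12()
  {
    $p12 = file_get_contents(__DIR__.'/'.self::PRIVATE_KEY_FILE, true);

    // Wrong password: the expected error mentions a MAC verify failure.
    try {
      new Google_Signer_P12($p12, "badpassword");
      $this->fail("Should have thrown");
    } catch (Google_Auth_Exception $e) {
      $this->assertContains("mac verify failure", $e->getMessage());
    }

    // Corrupted bundle (trailing garbage): must be rejected as unparseable.
    $threw = false;
    try {
      new Google_Signer_P12($p12 . "foo", "badpassword");
    } catch (Exception $e) {
      $threw = true;
      $this->assertContains("Unable to parse", $e->getMessage());
    }
    $this->assertTrue($threw, "Should have thrown");
  }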
  62.  
  /**
   * Signatures from the P12 signer must verify with the PEM verifier for
   * binary, empty and text inputs, and a signature over one input must be
   * rejected for a different input.
   */
  public function testVerifySignature()
  {
    $binary = "\x00\x01\x02\x66\x6f\x6f";
    $empty = "";
    $text = "foobar";

    $signature = null;
    foreach (array($binary, $empty, $text) as $input) {
      $signature = $this->signer->sign($input);
      $this->assertTrue($this->verifier->verify($input, $signature));
    }

    // $signature now covers "foobar"; it must not verify for the empty string.
    $this->assertFalse($this->verifier->verify($empty, $signature));
  }
  77.  
  /**
   * Creates a signed JWT similar to the one created by google authentication.
   *
   * @param array $payload claims to place in the JWT body
   * @return string header.payload.signature, each segment URL-safe base64
   */
  private function makeSignedJwt($payload)
  {
    $header = array("typ" => "JWT", "alg" => "RS256");

    // header.payload is the signing input; the signature becomes the third segment.
    $encodedHeader = Google_Utils::urlSafeB64Encode(json_encode($header));
    $encodedPayload = Google_Utils::urlSafeB64Encode(json_encode($payload));
    $signingInput = $encodedHeader . "." . $encodedPayload;

    $encodedSignature = Google_Utils::urlSafeB64Encode($this->signer->sign($signingInput));

    return $signingInput . "." . $encodedSignature;
  }
  90.  
  /**
   * Returns certificates similar to the ones used by google authentication:
   * a single key id mapped to the PEM certificate loaded in setUp().
   *
   * @return array key id => PEM certificate
   */
  private function getSignonCerts()
  {
    $certs = array();
    $certs["keyid"] = $this->pem;
    return $certs;
  }
  94.  
  /**
   * A well-formed, freshly issued token signed with our key must verify
   * against the test cert and yield a ticket carrying the subject plus the
   * parsed envelope and payload.
   */
  public function testVerifySignedJwtWithCerts()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "sub" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    );
    $idToken = $this->makeSignedJwt($payload);

    $certs = $this->getSignonCerts();
    $auth = new Google_Auth_OAuth2($this->getClient());
    $ticket = $auth->verifySignedJwtWithCerts($idToken, $certs, "client_id");

    $this->assertEquals(self::USER_ID, $ticket->getUserId());

    // Both the envelope (header) and the payload must be exposed on the ticket.
    $attributes = $ticket->getAttributes();
    $envelope = $attributes["envelope"];
    $claims = $attributes["payload"];
    $this->assertEquals("JWT", $envelope["typ"]);
    $this->assertEquals("client_id", $claims["aud"]);
  }
  112.  
  /**
   * Checks that the id token fails to verify with the expected message.
   *
   * @param string            $id_token token to verify
   * @param string            $msg      substring expected in the exception message
   * @param string|array|null $issuer   accepted issuer(s), forwarded as-is
   */
  private function checkIdTokenFailure($id_token, $msg, $issuer = null)
  {
    $certs = $this->getSignonCerts();
    $auth = new Google_Auth_OAuth2($this->getClient());

    try {
      $auth->verifySignedJwtWithCerts($id_token, $certs, "client_id", $issuer);
    } catch (Google_Auth_Exception $e) {
      $this->assertContains($msg, $e->getMessage());
      return;
    }

    // Only reached when verification unexpectedly succeeded.
    $this->fail("Should have thrown for $id_token");
  }
  122.  
  /**
   * When a list of accepted issuers is supplied, a token whose "iss" matches
   * one of them must verify and produce a fully populated ticket.
   */
  public function testVerifySignedJwtWithMultipleIssuers()
  {
    $payload = array(
        "iss" => "system.gserviceaccount.com",
        "aud" => "client_id",
        "sub" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    );
    $idToken = $this->makeSignedJwt($payload);

    $certs = $this->getSignonCerts();
    $auth = new Google_Auth_OAuth2($this->getClient());
    $issuers = array('system.gserviceaccount.com', 'https://system.gserviceaccount.com');
    $ticket = $auth->verifySignedJwtWithCerts($idToken, $certs, "client_id", $issuers);

    $this->assertEquals(self::USER_ID, $ticket->getUserId());

    // Both the envelope (header) and the payload must be exposed on the ticket.
    $attributes = $ticket->getAttributes();
    $envelope = $attributes["envelope"];
    $claims = $attributes["payload"];
    $this->assertEquals("JWT", $envelope["typ"]);
    $this->assertEquals("client_id", $claims["aud"]);
  }
  145.  
  /**
   * A token from an issuer outside the accepted set must be rejected with
   * "Invalid issuer", whether a single issuer or a list is supplied.
   */
  public function testVerifySignedJwtWithBadIssuer()
  {
    $payload = array(
        "iss" => "fake.gserviceaccount.com",
        "aud" => "client_id",
        "sub" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    );
    $idToken = $this->makeSignedJwt($payload);

    $accepted = array('system.gserviceaccount.com', 'https://system.gserviceaccount.com');
    $singleIssuer = $accepted[0];

    $this->checkIdTokenFailure($idToken, 'Invalid issuer', $singleIssuer);
    $this->checkIdTokenFailure($idToken, 'Invalid issuer', $accepted);
  }
  159.  
  /**
   * Structurally broken tokens must be rejected before any signature work:
   * too few segments, or a first segment that does not decode to a JSON envelope.
   */
  public function testVerifySignedJwtWithBadJwt()
  {
    $cases = array(
        "foo" => "Wrong number of segments",
        "foo.bar" => "Wrong number of segments",
        "foo.bar.baz" => "Can't parse token envelope: foo",
    );

    foreach ($cases as $token => $expectedMessage) {
      $this->checkIdTokenFailure($token, $expectedMessage);
    }
  }
  167.  
  /**
   * Tampering with the signature segment (here: one extra character appended
   * to the token) must be reported as an invalid signature.
   */
  public function testVerifySignedJwtWithBadSignature()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    );
    $tampered = $this->makeSignedJwt($payload) . "a";

    $this->checkIdTokenFailure($tampered, "Invalid token signature");
  }
  179.  
  /**
   * A token without an "iat" claim must be rejected with "No issue time".
   */
  public function testVerifySignedJwtWithNoIssueTime()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "exp" => time() + 3600,
    );
    $idToken = $this->makeSignedJwt($payload);

    $this->checkIdTokenFailure($idToken, "No issue time");
  }
  189.  
  /**
   * A token without an "exp" claim must be rejected with "No expiration time".
   */
  public function testVerifySignedJwtWithNoExpirationTime()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time(),
    );
    $idToken = $this->makeSignedJwt($payload);

    $this->checkIdTokenFailure($idToken, "No expiration time");
  }
  199.  
  /**
   * A token whose "iat" lies half an hour in the future must be rejected as
   * used too early.
   */
  public function testVerifySignedJwtWithTooEarly()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time() + 1800,
        "exp" => time() + 3600,
    );
    $idToken = $this->makeSignedJwt($payload);

    $this->checkIdTokenFailure($idToken, "Token used too early");
  }
  210.  
  /**
   * A token that expired half an hour ago must be rejected as used too late.
   */
  public function testVerifySignedJwtWithTooLate()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time() - 3600,
        "exp" => time() - 1800,
    );
    $idToken = $this->makeSignedJwt($payload);

    $this->checkIdTokenFailure($idToken, "Token used too late");
  }
  221.  
  /**
   * A token valid for 25 hours exceeds the accepted lifetime and must be
   * rejected even though it is neither expired nor used early.
   */
  public function testVerifySignedJwtWithLifetimeTooLong()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600 * 25,
    );
    $idToken = $this->makeSignedJwt($payload);

    $this->checkIdTokenFailure($idToken, "Expiration time too far in future");
  }
  232.  
  /**
   * A token addressed to a different client id ("aud") must be rejected with
   * "Wrong recipient" even though its signature and times are valid.
   */
  public function testVerifySignedJwtWithBadAudience()
  {
    $payload = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "wrong_client_id",
        "id" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    );
    $idToken = $this->makeSignedJwt($payload);

    $this->checkIdTokenFailure($idToken, "Wrong recipient");
  }
  243.  
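  /**
   * With Google_Auth_Simple installed and no developer key, signing a request
   * must leave its URL unchanged.
   *
   * The shared client's previous auth is restored even when an assertion
   * fails; the original only restored it on the success path, so a failure
   * here would leave the no-op auth installed for every later test.
   */
  public function testNoAuth()
  {
    /** @var $noAuth Google_Auth_Simple */
    $noAuth = new Google_Auth_Simple($this->getClient());
    $client = $this->getClient();
    $oldAuth = $client->getAuth();
    $client->setAuth($noAuth);
    $client->setDeveloperKey(null);
    $req = new Google_Http_Request("http://example.com");

    try {
      $resp = $noAuth->sign($req);
      $this->assertEquals("http://example.com", $resp->getUrl());
    } catch (Exception $e) {
      // Restore before surfacing the failure (catch/rethrow keeps this
      // compatible with PHP versions without finally).
      $client->setAuth($oldAuth);
      throw $e;
    }
    $client->setAuth($oldAuth);
  }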
  255.  
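  /**
   * generateAssertion() must produce a JWT whose header and claims reflect
   * the issuer/scope given to the credentials, and getCacheKey() must be
   * non-empty and differ between issuers.
   *
   * The cache-key check now uses assertNotEmpty() instead of the loose
   * `$key != false` comparison, which expressed the same truthiness test in
   * a form that is easy to misread.
   */
  public function testAssertionCredentials()
  {
    $p12 = file_get_contents(__DIR__.'/'.self::PRIVATE_KEY_FILE, true);
    $assertion = new Google_Auth_AssertionCredentials('name', 'scope', $p12);

    // NOTE(review): base64_decode() is applied to URL-safe base64 segments;
    // in non-strict mode it silently drops any '-' / '_' it meets, so this
    // presumably only works because these fixed fixtures do not produce
    // such characters. A URL-safe decoder would be more robust.
    $token = explode(".", $assertion->generateAssertion());
    $this->assertEquals('{"typ":"JWT", "alg":"RS256"}', base64_decode($token[0]));

    $jwt = json_decode(base64_decode($token[1]), true);
    $this->assertEquals('https://accounts.google.com/o/oauth2/token', $jwt['aud']);
    $this->assertEquals('scope', $jwt['scope']);
    $this->assertEquals('name', $jwt['iss']);

    // Cache key must exist and must change when the issuer changes.
    $key = $assertion->getCacheKey();
    $this->assertNotEmpty($key);
    $other = new Google_Auth_AssertionCredentials('name2', 'scope', $p12);
    $this->assertNotEquals($key, $other->getCacheKey());
  }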
  279.  
  280. public function testVerifySignedJWT() 
  281. $assertion = new Google_Auth_AssertionCredentials( 
  282. 'issuer',  
  283. 'scope',  
  284. file_get_contents(__DIR__.'/'.self::PRIVATE_KEY_FILE, true) 
  285. ); 
  286. $client = $this->getClient(); 
  287.  
  288. $this->assertInstanceOf( 
  289. 'Google_Auth_LoginTicket',  
  290. $client->verifySignedJwt( 
  291. $assertion->generateAssertion(),  
  292. __DIR__ . DIRECTORY_SEPARATOR . self::PUBLIC_KEY_FILE_JSON,  
  293. 'https://accounts.google.com/o/oauth2/token',  
  294. 'issuer' 
  295. );