AuthTest

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.


/lib/vendor/google/apiclient/tests/general/AuthTest.php  
  1. class AuthTest extends BaseTest { 
  2. const PRIVATE_KEY_FILE = "testdata/cert.p12"; 
  3. const PUBLIC_KEY_FILE_JSON = "testdata/cacert.json"; 
  4. const PUBLIC_KEY_FILE = "testdata/cacert.pem"; 
  5. const USER_ID = "102102479283111695822"; 
  6.  
  7. /** @var Google_Signer_P12 */ 
  8. private $signer; 
  9.  
  10. /** @var string */ 
  11. private $pem; 
  12.  
  13. /** @var Google_Verifier_Pem */ 
  14. private $verifier; 
  15.  
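  public function setUp() {
    // Load the P12 signing key and the matching PEM certificate from testdata.
    // file_get_contents() returns false on failure; fail here with the file
    // name instead of letting a `false` surface later as an opaque signer or
    // verifier error.
    $p12 = file_get_contents(__DIR__.'/'.self::PRIVATE_KEY_FILE, true);
    if ($p12 === false) {
      $this->fail("Could not read " . self::PRIVATE_KEY_FILE);
    }
    $this->signer = new Google_Signer_P12($p12, "notasecret");

    $pem = file_get_contents(__DIR__.'/'.self::PUBLIC_KEY_FILE, true);
    if ($pem === false) {
      $this->fail("Could not read " . self::PUBLIC_KEY_FILE);
    }
    $this->pem = $pem;
    $this->verifier = new Google_Verifier_Pem($this->pem);
  }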
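  public function testDirectInject() {
    // A PEM-encoded test key handed over directly (no P12 container, hence a
    // null password) must be accepted by Google_Signer_P12. The heredoc body
    // and its closing marker sit at column 0 so no whitespace leaks into the
    // PEM text.
    $privateKeyString = <<<PK
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC8iqFTYTrSGxddW+Tsx6cdWbQxITdM2anRbMYcohnQpQuPG46B
HO3WbUA8suC6PXqeIi4JkDrAYbI2+TN6w1FE/fh2H7WczuDVKtosBcfsoL2C5loU
mOf+4jL1xx4EL6xy8wMntZhNgimVCO9LkWCix/Qh9mpqx2zbC3OV4QsSQQIDAQAB
AoGASAosRCClifxB/DENko9iwisxV4haiemtIlEOjYg+luNJPGAKHjlAgyrxXX/3
sBGnlV53+r16RWHO54RmcCTLGwpC6zzVc6C4Or9KItdMDMnqBjmqiYDz3Na7tIPv
vwzn8k8Uto26HZF8d1bTdoinxHrv7w1OVkDQWnHmWkQRjBUCQQDpNw8F1qiJJoYr
tkkBmlObmSQRYD3mlEvRwu348e4dFb01oN2cfw/YNhh+Lt2TPHFz2GNn6VwJf1Yb
qRKBqo/jAkEAzvY91ReYrkBm50pi2nqJc1Hcxm5CVP7MMnHbn8wExKrRG2rCDY9Y
zOdsw7pP/x6mesdUy3tTrPYVbeWP6YPmiwJANx41Jbsa7/cz5KbbUE6qDe8+sACg
AJvx42x/k8OR9DvMER2o4rDBDOeUGFZ5NbAmXCu7KrbjcrcuobDu18h44wJAQ2s5
x0HxjcoS+4Ni4nMKdZOUTNu8Jf3+vOwUNGD8qKhQiBLl9g7dSZqV9sipqJzudI6c
k9Cv+GcNoggnMlWycwJAHMVgaBmNc+RVCMar/gN6i5sENjN9Itu7U1V4Qj/mG6+4
MHOXhXSKhtTe0Bqm/MssVvCmc8AraKwBMs0rkMadsA==
-----END RSA PRIVATE KEY-----
PK;
    $sign = new Google_Signer_P12($privateKeyString, null);
    // Constructing without an exception is the behaviour under test; assert
    // on the result so PHPUnit does not report the test as assertion-free.
    $this->assertInstanceOf('Google_Signer_P12', $sign);
  }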
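  public function testCantOpenP12() {
    $p12 = file_get_contents(__DIR__.'/'.self::PRIVATE_KEY_FILE, true);

    // Wrong password: the P12 MAC check must reject the container before any
    // key material is used. Google_Auth_Exception does not catch PHPUnit's
    // own assertion error, so fail() may safely sit inside the try.
    try {
      new Google_Signer_P12($p12, "badpassword");
      $this->fail("Should have thrown");
    } catch (Google_Auth_Exception $e) {
      $this->assertContains("mac verify failure", $e->getMessage());
    }

    // Corrupted container: must be rejected as unparseable. This catch is for
    // any Exception, which would also swallow the AssertionFailedError thrown
    // by fail() and turn a "did not throw" failure into a confusing
    // message-mismatch failure, so the "did throw" check is done afterwards.
    $threw = false;
    try {
      new Google_Signer_P12($p12 . "foo", "badpassword");
    } catch (Exception $e) {
      $threw = true;
      $this->assertContains("Unable to parse", $e->getMessage());
    }
    $this->assertTrue($threw, "Should have thrown");
  }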
  public function testVerifySignature() {
    // Sign/verify round-trips over binary, empty and plain-text messages,
    // then confirm a signature does not verify against a different message.
    $messages = array("\x00\x01\x02\x66\x6f\x6f", "", "foobar");
    $lastSignature = null;
    foreach ($messages as $message) {
      $lastSignature = $this->signer->sign($message);
      $this->assertTrue($this->verifier->verify($message, $lastSignature));
    }
    // $lastSignature now covers "foobar"; it must not verify the empty string.
    $this->assertFalse($this->verifier->verify("", $lastSignature));
  }
  // Creates a signed JWT similar to the one created by google authentication:
  // base64url(header).base64url(payload).base64url(signature), with the
  // header fixed to {"typ":"JWT","alg":"RS256"} and the signature produced by
  // the test's P12 signer over the first two segments.
  private function makeSignedJwt($payload) {
    $encodedHeader = Google_Utils::urlSafeB64Encode(
        json_encode(array("typ" => "JWT", "alg" => "RS256")));
    $encodedPayload = Google_Utils::urlSafeB64Encode(json_encode($payload));
    $signingInput = $encodedHeader . "." . $encodedPayload;

    $encodedSignature = Google_Utils::urlSafeB64Encode(
        $this->signer->sign($signingInput));
    return $signingInput . "." . $encodedSignature;
  }
  // Returns certificates similar to the ones used by google authentication:
  // a map of key id => PEM certificate holding only the test certificate.
  private function getSignonCerts() {
    $certs = array();
    $certs["keyid"] = $this->pem;
    return $certs;
  }
  public function testVerifySignedJwtWithCerts() {
    // A well-formed token for the expected audience must verify and yield a
    // ticket carrying the subject plus the decoded envelope and payload.
    $token = $this->makeSignedJwt(array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "sub" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    ));
    $oauth2 = new Google_Auth_OAuth2($this->getClient());
    $ticket = $oauth2->verifySignedJwtWithCerts(
        $token, $this->getSignonCerts(), "client_id");

    $this->assertEquals(self::USER_ID, $ticket->getUserId());
    // Check that payload and envelope got filled in.
    $attrs = $ticket->getAttributes();
    $this->assertEquals("JWT", $attrs["envelope"]["typ"]);
    $this->assertEquals("client_id", $attrs["payload"]["aud"]);
  }
  // Checks that the id token fails to verify with the expected message:
  // $msg must occur as a substring of the Google_Auth_Exception message.
  // Any other exception type propagates and fails the test on its own.
  private function checkIdTokenFailure($id_token, $msg) {
    $oauth2 = new Google_Auth_OAuth2($this->getClient());
    $certs = $this->getSignonCerts();
    try {
      $oauth2->verifySignedJwtWithCerts($id_token, $certs, "client_id");
    } catch (Google_Auth_Exception $e) {
      $this->assertContains($msg, $e->getMessage());
      return;
    }
    $this->fail("Should have thrown for $id_token");
  }
  public function testVerifySignedJwt_badJwt() {
    // Structurally invalid tokens: too few segments, then three segments
    // whose first part is not a decodable envelope.
    $expectedFailures = array(
        "foo" => "Wrong number of segments",
        "foo.bar" => "Wrong number of segments",
        "foo.bar.baz" => "Can't parse token envelope: foo",
    );
    foreach ($expectedFailures as $token => $message) {
      $this->checkIdTokenFailure($token, $message);
    }
  }
  public function testVerifySignedJwt_badSignature() {
    // Tamper with the signature segment of an otherwise valid token by
    // appending a byte; verification must reject it.
    $claims = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    );
    $tampered = $this->makeSignedJwt($claims) . "a";
    $this->checkIdTokenFailure($tampered, "Invalid token signature");
  }
  public function testVerifySignedJwt_noIssueTime() {
    // The "iat" claim is deliberately omitted; the verifier must refuse a
    // token without an issue time even though the signature is valid.
    $claims = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "exp" => time() + 3600,
    );
    $this->checkIdTokenFailure($this->makeSignedJwt($claims), "No issue time");
  }
  public function testVerifySignedJwt_noExpirationTime() {
    // The "exp" claim is deliberately omitted; a validly signed token with no
    // expiry must be rejected rather than treated as never expiring.
    $claims = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time(),
    );
    $this->checkIdTokenFailure(
        $this->makeSignedJwt($claims), "No expiration time");
  }
  public function testVerifySignedJwt_tooEarly() {
    // Issue time 30 minutes in the future: the token is not yet valid.
    $claims = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time() + 1800,
        "exp" => time() + 3600,
    );
    $this->checkIdTokenFailure(
        $this->makeSignedJwt($claims), "Token used too early");
  }
  public function testVerifySignedJwt_tooLate() {
    // Issued an hour ago and expired 30 minutes ago: the token is stale.
    $claims = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time() - 3600,
        "exp" => time() - 1800,
    );
    $this->checkIdTokenFailure(
        $this->makeSignedJwt($claims), "Token used too late");
  }
  public function testVerifySignedJwt_lifetimeTooLong() {
    // A 25-hour lifetime exceeds what the verifier accepts; even a correctly
    // signed, not-yet-expired token must be rejected.
    $claims = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "client_id",
        "id" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 25 * 3600,
    );
    $this->checkIdTokenFailure(
        $this->makeSignedJwt($claims), "Expiration time too far in future");
  }
  public function testVerifySignedJwt_badAudience() {
    // Audience does not match the "client_id" the verifier is told to expect,
    // so a token minted for another client must not be accepted here.
    $claims = array(
        "iss" => "federated-signon@system.gserviceaccount.com",
        "aud" => "wrong_client_id",
        "id" => self::USER_ID,
        "iat" => time(),
        "exp" => time() + 3600,
    );
    $this->checkIdTokenFailure(
        $this->makeSignedJwt($claims), "Wrong recipient");
  }
  public function testNoAuth() {
    // Google_Auth_Simple must leave a request's URL untouched when the client
    // has no developer key. The client's auth is swapped in and restored at
    // the end; note that the developer key is cleared here and not restored.
    /** @var $noAuth Google_Auth_Simple */
    $noAuth = new Google_Auth_Simple($this->getClient());
    $previousAuth = $this->getClient()->getAuth();
    $this->getClient()->setAuth($noAuth);
    $this->getClient()->setDeveloperKey(null);

    $signed = $noAuth->sign(new Google_Http_Request("http://example.com"));
    $this->assertEquals("http://example.com", $signed->getUrl());

    $this->getClient()->setAuth($previousAuth);
  }
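  public function testAssertionCredentials() {
    $privateKey = file_get_contents(__DIR__.'/'.self::PRIVATE_KEY_FILE, true);
    $assertion = new Google_Auth_AssertionCredentials('name', 'scope', $privateKey);

    // The generated assertion is a dot-separated JWT; guard the segment count
    // before indexing so a malformed value fails with a clear message.
    $segments = explode(".", $assertion->generateAssertion());
    $this->assertEquals(3, count($segments), "assertion should have 3 segments");
    $this->assertEquals('{"typ":"JWT", "alg":"RS256"}', base64_decode($segments[0]));

    $claims = json_decode(base64_decode($segments[1]), true);
    $this->assertEquals('https://accounts.google.com/o/oauth2/token', $claims['aud']);
    $this->assertEquals('scope', $claims['scope']);
    $this->assertEquals('name', $claims['iss']);

    // A cache key must exist and must differ for a different issuer, so one
    // service account's cached token can never be handed to another.
    // assertNotEmpty() replaces the loose `$key != false` check with the same
    // truthiness semantics and a readable failure message.
    $key = $assertion->getCacheKey();
    $this->assertNotEmpty($key);
    $other = new Google_Auth_AssertionCredentials('name2', 'scope', $privateKey);
    $this->assertNotEquals($key, $other->getCacheKey());
  }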
  public function testVerifySignedJWT() {
    // End-to-end: an assertion generated from the P12 key must verify against
    // the JSON certificate file for the token-endpoint audience and the
    // issuer it was generated with, producing a login ticket.
    $assertion = new Google_Auth_AssertionCredentials('issuer', 'scope',
        file_get_contents(__DIR__.'/'.self::PRIVATE_KEY_FILE, true));
    $certsPath = __DIR__ . DIRECTORY_SEPARATOR . self::PUBLIC_KEY_FILE_JSON;

    $ticket = $this->getClient()->verifySignedJwt(
        $assertion->generateAssertion(),
        $certsPath,
        'https://accounts.google.com/o/oauth2/token',
        'issuer'
    );
    $this->assertInstanceOf('Google_Auth_LoginTicket', $ticket);
  }