From 960d7b44aa8e4176b44d3c5b10051f3dca4c4439 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Karf=C3=ADk?= Date: Thu, 13 Jun 2024 21:09:42 +0200 Subject: [PATCH] fix: attempt verifier v0.5 support - requires more domain knowledge --- src/Client/Metadata/ClientMetadata.php | 11 ++++---- .../Metadata/ClientMetadataInterface.php | 13 ++++----- .../Metadata/MetadataFactoryInterface.php | 6 +++-- src/Issuer/IssuerBuilder.php | 2 +- src/Issuer/Metadata/IssuerMetadata.php | 9 ++++--- .../Metadata/IssuerMetadataInterface.php | 19 ++++++------- .../Provider/CachedProviderDecorator.php | 7 ++--- .../Metadata/Provider/DiscoveryProvider.php | 9 ++++--- .../Provider/DiscoveryProviderInterface.php | 6 +++-- .../Provider/RemoteProviderInterface.php | 6 +++-- .../Metadata/Provider/WebFingerProvider.php | 5 ++-- src/Token/AccessTokenVerifierBuilder.php | 27 +++---------------- src/Token/IdTokenVerifierBuilder.php | 14 +++------- src/Token/ResponseVerifierBuilder.php | 16 ++++------- src/Token/UserInfoVerifierBuilder.php | 17 +++++------- 15 files changed, 70 insertions(+), 97 deletions(-) diff --git a/src/Client/Metadata/ClientMetadata.php b/src/Client/Metadata/ClientMetadata.php index ddd781a..e608711 100644 --- a/src/Client/Metadata/ClientMetadata.php +++ b/src/Client/Metadata/ClientMetadata.php @@ -4,6 +4,7 @@ namespace Facile\OpenIDClient\Client\Metadata; +use Facile\JoseVerifier\TokenVerifierInterface; use function array_diff; use function array_key_exists; use function array_keys; @@ -13,14 +14,14 @@ use function implode; /** - * @psalm-import-type ClientMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type ClientMetadataType from TokenVerifierInterface */ final class ClientMetadata implements ClientMetadataInterface { /** * @var array * - * @psalm-var ClientMetadataObject + * @psalm-var ClientMetadataType */ private $metadata; 
@@ -37,7 +38,7 @@ final class ClientMetadata implements ClientMetadataInterface * * @param array $claims * - * @psalm-param ClientMetadataObject|array $claims + * @psalm-param ClientMetadataType|array $claims */ public function __construct(string $clientId, array $claims = []) { @@ -47,7 +48,7 @@ public function __construct(string $clientId, array $claims = []) $defaults = self::$defaults; - /** @var ClientMetadataObject $merged */ + /** @var ClientMetadataType $merged */ $merged = array_merge($defaults, $claims, $requiredClaims); $this->metadata = $merged; } @@ -57,7 +58,7 @@ public function __construct(string $clientId, array $claims = []) * * @return static * - * @psalm-param ClientMetadataObject $claims + * @psalm-param ClientMetadataType $claims */ public static function fromArray(array $claims): self { diff --git a/src/Client/Metadata/ClientMetadataInterface.php b/src/Client/Metadata/ClientMetadataInterface.php index 8f27268..fd9b46c 100644 --- a/src/Client/Metadata/ClientMetadataInterface.php +++ b/src/Client/Metadata/ClientMetadataInterface.php @@ -4,12 +4,13 @@ namespace Facile\OpenIDClient\Client\Metadata; +use Facile\JoseVerifier\TokenVerifierInterface; use JsonSerializable; /** - * @psalm-import-type ClientMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type JWKObject from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type JWKSetObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type ClientMetadataType from TokenVerifierInterface + * @psalm-import-type JWTPayloadType from TokenVerifierInterface + * @psalm-import-type JWKSetType from TokenVerifierInterface */ interface ClientMetadataInterface extends JsonSerializable { 
@@ -65,21 +66,21 @@ public function getIntrospectionEndpointAuthMethod(): string; public function getRevocationEndpointAuthMethod(): string; /** - * @psalm-return JWKSetObject|null + * @psalm-return JWKSetType|null */ public function getJwks(): ?array; /** * @return array * - * @psalm-return ClientMetadataObject + * @psalm-return ClientMetadataType */ public function jsonSerialize(): array; /** * @return array * - * @psalm-return ClientMetadataObject + * @psalm-return ClientMetadataType */ public function toArray(): array; } diff --git a/src/Client/Metadata/MetadataFactoryInterface.php b/src/Client/Metadata/MetadataFactoryInterface.php index ba7b93f..6557549 100644 --- a/src/Client/Metadata/MetadataFactoryInterface.php +++ b/src/Client/Metadata/MetadataFactoryInterface.php @@ -4,15 +4,17 @@ namespace Facile\OpenIDClient\Client\Metadata; +use Facile\JoseVerifier\TokenVerifierInterface; + /** - * @psalm-import-type ClientMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type ClientMetadataType from TokenVerifierInterface */ interface MetadataFactoryInterface { /** * @param array $metadata * - * @psalm-param ClientMetadataObject $metadata + * @psalm-param ClientMetadataType $metadata */ public function fromArray(array $metadata): ClientMetadataInterface; } diff --git a/src/Issuer/IssuerBuilder.php b/src/Issuer/IssuerBuilder.php index db6a66d..ab5930c 100644 --- a/src/Issuer/IssuerBuilder.php +++ b/src/Issuer/IssuerBuilder.php @@ -46,7 +46,7 @@ public function build(string $resource): IssuerInterface $metadata = IssuerMetadata::fromArray($metadataBuilder->build()->fetch($resource)); $jwksProviderBuilder = $this->buildJwksProviderBuilder(); - $jwksProviderBuilder->setJwksUri($metadata->getJwksUri()); + $jwksProviderBuilder->withJwksUri($metadata->getJwksUri()); $jwksProvider = $jwksProviderBuilder->build(); return new Issuer( 
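Review bot: The return value of `$jwksProviderBuilder->withJwksUri($metadata->getJwksUri())` is discarded; if the v0.5 `withJwksUri` follows the usual immutable `with*` convention and returns a new builder rather than mutating `$this`, the provider built on the next line carries no JWKS URI and the issuer's signing keys can never be fetched, so every signature check downstream fails (or, worse, falls back to whatever the provider does without a URI) — the builder's implementation is not in this hunk, so this needs confirming. Assign the result back before building: `$jwksProviderBuilder = $jwksProviderBuilder->withJwksUri($metadata->getJwksUri());` or `$jwksProvider = $jwksProviderBuilder->withJwksUri($metadata->getJwksUri())->build();`. The enclosing `build()` continues past the end of the hunk.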
diff --git a/src/Issuer/Metadata/IssuerMetadata.php b/src/Issuer/Metadata/IssuerMetadata.php index 1fea6be..89d7d64 100644 --- a/src/Issuer/Metadata/IssuerMetadata.php +++ b/src/Issuer/Metadata/IssuerMetadata.php @@ -4,6 +4,7 @@ namespace Facile\OpenIDClient\Issuer\Metadata; +use Facile\JoseVerifier\TokenVerifierInterface; use function array_diff; use function array_key_exists; use function array_keys; @@ -13,14 +14,14 @@ use function implode; /** - * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type IssuerMetadataType from TokenVerifierInterface */ final class IssuerMetadata implements IssuerMetadataInterface { /** * @var array * - * @psalm-var IssuerMetadataObject + * @psalm-var IssuerMetadataType */ private $metadata; @@ -48,7 +49,7 @@ public function __construct( 'jwks_uri' => $jwksUri, ]; - /** @var IssuerMetadataObject $merged */ + /** @var IssuerMetadataType $merged */ $merged = array_merge($claims, $requiredClaims); $this->metadata = $merged; } @@ -58,7 +59,7 @@ public function __construct( * * @return static * - * @psalm-param IssuerMetadataObject $claims + * @psalm-param IssuerMetadataType $claims */ public static function fromArray(array $claims): self { diff --git a/src/Issuer/Metadata/IssuerMetadataInterface.php b/src/Issuer/Metadata/IssuerMetadataInterface.php index b7991a8..8b14eaa 100644 --- a/src/Issuer/Metadata/IssuerMetadataInterface.php +++ b/src/Issuer/Metadata/IssuerMetadataInterface.php 
@@ -4,18 +4,15 @@ namespace Facile\OpenIDClient\Issuer\Metadata; +use Facile\JoseVerifier\TokenVerifierInterface; use JsonSerializable; /** - * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdDisplayType from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdClaimType from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdResponseType from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdResponseMode from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdGrantType from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdApplicationType from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdSubjectType from \Facile\JoseVerifier\Psalm\PsalmTypes - * @psalm-import-type OpenIdAuthMethod from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type IssuerMetadataType from TokenVerifierInterface + * @psalm-import-type OpenIdResponseMode from TokenVerifierInterface + * @psalm-import-type OpenIdGrantType from TokenVerifierInterface + * @psalm-import-type OpenIdClaimType from TokenVerifierInterface + * @psalm-import-type OpenIdSubjectType from TokenVerifierInterface */ interface IssuerMetadataInterface extends JsonSerializable { @@ -348,14 +345,14 @@ public function getMtlsEndpointAliases(): array; /** * @return array * - * @psalm-return IssuerMetadataObject + * @psalm-return IssuerMetadataType */ public function jsonSerialize(): array; /** * @return array * - * @psalm-return IssuerMetadataObject + * @psalm-return IssuerMetadataType */ public function toArray(): array; } diff --git a/src/Issuer/Metadata/Provider/CachedProviderDecorator.php b/src/Issuer/Metadata/Provider/CachedProviderDecorator.php index 479bb0e..203184c 100644 --- a/src/Issuer/Metadata/Provider/CachedProviderDecorator.php +++ b/src/Issuer/Metadata/Provider/CachedProviderDecorator.php 
@@ -4,6 +4,7 @@ namespace Facile\OpenIDClient\Issuer\Metadata\Provider; +use Facile\JoseVerifier\TokenVerifierInterface; use function is_array; use function json_decode; use function json_encode; @@ -13,7 +14,7 @@ use function substr; /** - * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type IssuerMetadataType from TokenVerifierInterface */ final class CachedProviderDecorator implements RemoteProviderInterface { @@ -51,7 +52,7 @@ public function __construct( /** * @return array * - * @psalm-return IssuerMetadataObject + * @psalm-return IssuerMetadataType * * @psalm-suppress MixedReturnTypeCoercion */ @@ -63,7 +64,7 @@ public function fetch(string $uri): array $cached = $this->cache->get($cacheId) ?? ''; try { - /** @psalm-var null|string|IssuerMetadataObject $data */ + /** @psalm-var null|string|IssuerMetadataType $data */ $data = json_decode($cached, true, 512, JSON_THROW_ON_ERROR); } catch (JsonException $e) { $data = null; diff --git a/src/Issuer/Metadata/Provider/DiscoveryProvider.php b/src/Issuer/Metadata/Provider/DiscoveryProvider.php index d92226b..b74488e 100644 --- a/src/Issuer/Metadata/Provider/DiscoveryProvider.php +++ b/src/Issuer/Metadata/Provider/DiscoveryProvider.php @@ -4,6 +4,7 @@ namespace Facile\OpenIDClient\Issuer\Metadata\Provider; +use Facile\JoseVerifier\TokenVerifierInterface; use function array_key_exists; use Facile\OpenIDClient\Exception\RuntimeException; use function Facile\OpenIDClient\parse_metadata_response; @@ -16,7 +17,7 @@ use function strpos; /** - * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type IssuerMetadataType from TokenVerifierInterface */ final class DiscoveryProvider implements DiscoveryProviderInterface { 
@@ -51,7 +52,7 @@ public function isAllowedUri(string $uri): bool /** * @return array * - * @psalm-return IssuerMetadataObject + * @psalm-return IssuerMetadataType * * @psalm-suppress MixedReturnTypeCoercion */ @@ -84,7 +85,7 @@ public function discovery(string $url): array /** * @return array * - * @psalm-return IssuerMetadataObject + * @psalm-return IssuerMetadataType */ private function fetchOpenIdConfiguration(string $uri): array { @@ -92,7 +93,7 @@ private function fetchOpenIdConfiguration(string $uri): array ->withHeader('accept', 'application/json'); try { - /** @psalm-var IssuerMetadataObject $data */ + /** @psalm-var IssuerMetadataType $data */ $data = parse_metadata_response($this->client->sendRequest($request)); } catch (ClientExceptionInterface $e) { throw new RuntimeException('Unable to fetch provider metadata', 0, $e); diff --git a/src/Issuer/Metadata/Provider/DiscoveryProviderInterface.php b/src/Issuer/Metadata/Provider/DiscoveryProviderInterface.php index 4b79ef3..1df5043 100644 --- a/src/Issuer/Metadata/Provider/DiscoveryProviderInterface.php +++ b/src/Issuer/Metadata/Provider/DiscoveryProviderInterface.php @@ -4,15 +4,17 @@ namespace Facile\OpenIDClient\Issuer\Metadata\Provider; +use Facile\JoseVerifier\TokenVerifierInterface; + /** - * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type IssuerMetadataType from TokenVerifierInterface */ interface DiscoveryProviderInterface extends RemoteProviderInterface { /** * @return array * - * @psalm-return IssuerMetadataObject + * @psalm-return IssuerMetadataType */ public function discovery(string $url): array; } diff --git a/src/Issuer/Metadata/Provider/RemoteProviderInterface.php b/src/Issuer/Metadata/Provider/RemoteProviderInterface.php index 4640a07..30bfefd 100644 --- a/src/Issuer/Metadata/Provider/RemoteProviderInterface.php +++ b/src/Issuer/Metadata/Provider/RemoteProviderInterface.php 
@@ -4,8 +4,10 @@ namespace Facile\OpenIDClient\Issuer\Metadata\Provider; +use Facile\JoseVerifier\TokenVerifierInterface; + /** - * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type IssuerMetadataType from TokenVerifierInterface */ interface RemoteProviderInterface { @@ -14,7 +16,7 @@ public function isAllowedUri(string $uri): bool; /** * @return array * - * @psalm-return IssuerMetadataObject + * @psalm-return IssuerMetadataType */ public function fetch(string $uri): array; } diff --git a/src/Issuer/Metadata/Provider/WebFingerProvider.php b/src/Issuer/Metadata/Provider/WebFingerProvider.php index 8ac3c29..117bc00 100644 --- a/src/Issuer/Metadata/Provider/WebFingerProvider.php +++ b/src/Issuer/Metadata/Provider/WebFingerProvider.php @@ -4,6 +4,7 @@ namespace Facile\OpenIDClient\Issuer\Metadata\Provider; +use Facile\JoseVerifier\TokenVerifierInterface; use function array_key_exists; use function array_pop; use function explode; @@ -24,7 +25,7 @@ use function substr; /** - * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes + * @psalm-import-type IssuerMetadataType from TokenVerifierInterface */ final class WebFingerProvider implements RemoteProviderInterface, WebFingerProviderInterface { @@ -128,7 +129,7 @@ public function fetch(string $uri): array throw new RuntimeException('Discovered issuer mismatch'); } - /** @var IssuerMetadataObject $metadata */ + /** @var IssuerMetadataType $metadata */ return $metadata; } diff --git a/src/Token/AccessTokenVerifierBuilder.php b/src/Token/AccessTokenVerifierBuilder.php index 31e459a..260b10b 100644 --- a/src/Token/AccessTokenVerifierBuilder.php +++ b/src/Token/AccessTokenVerifierBuilder.php @@ -4,7 +4,6 @@ namespace Facile\OpenIDClient\Token; -use Facile\JoseVerifier\TokenVerifierBuilderInterface; use Facile\JoseVerifier\TokenVerifierInterface; use Facile\OpenIDClient\Client\ClientInterface; 
@@ -16,9 +15,6 @@ final class AccessTokenVerifierBuilder implements AccessTokenVerifierBuilderInte /** @var int */ private $clockTolerance = 0; - /** @var null|TokenVerifierBuilderInterface */ - private $joseBuilder; - public function setAadIssValidation(bool $aadIssValidation): self { $this->aadIssValidation = $aadIssValidation; @@ -33,26 +29,11 @@ public function setClockTolerance(int $clockTolerance): self return $this; } - public function setJoseBuilder(?TokenVerifierBuilderInterface $joseBuilder): void - { - $this->joseBuilder = $joseBuilder; - } - - private function getJoseBuilder(): TokenVerifierBuilderInterface - { - return $this->joseBuilder ?? new \Facile\JoseVerifier\AccessTokenVerifierBuilder(); - } - public function build(ClientInterface $client): TokenVerifierInterface { - $builder = $this->getJoseBuilder(); - $builder->setJwksProvider($client->getIssuer()->getJwksProvider()); - $builder->setClientMetadata($client->getMetadata()->toArray()); - $builder->setClientJwksProvider($client->getJwksProvider()); - $builder->setIssuerMetadata($client->getIssuer()->getMetadata()->toArray()); - $builder->setClockTolerance($this->clockTolerance); - $builder->setAadIssValidation($this->aadIssValidation); - - return $builder->build(); + return \Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder::create( + $client->getIssuer()->getMetadata()->toArray(), + $client->getMetadata()->toArray(), + )->build(); } } diff --git a/src/Token/IdTokenVerifierBuilder.php b/src/Token/IdTokenVerifierBuilder.php index bd43380..78f4fd7 100644 --- a/src/Token/IdTokenVerifierBuilder.php +++ b/src/Token/IdTokenVerifierBuilder.php 
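Review bot: The new `build()` forwards neither `$this->clockTolerance` nor `$this->aadIssValidation` to the verifier, while `setClockTolerance` (context above, still storing the value and returning `$this`) and `setAadIssValidation` remain public, so a caller that configured them gets a verifier that silently ignores both — the opposite of what a fluent setter promises. The explicitly injected JWKS providers (`$client->getIssuer()->getJwksProvider()` and `$client->getJwksProvider()`) are also no longer passed, so any caching or fetch policy they carried is lost unless the v0.5 `create()` derives equivalent providers from the metadata arrays itself, which this hunk cannot show. Until the v0.5 builder's counterparts are wired in, make the gap loud rather than silent, e.g. `if ($this->aadIssValidation || $this->clockTolerance !== 0) { throw new \LogicException('clockTolerance/aadIssValidation are not forwarded to the v0.5 verifier builder yet'); }` before the `create(...)` call. Removing the public `setJoseBuilder()` is a BC break for anyone injecting a custom builder and deserves a changelog entry.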
@@ -31,15 +31,9 @@ public function setClockTolerance(int $clockTolerance): self public function build(ClientInterface $client): IdTokenVerifierInterface { - $builder = new \Facile\JoseVerifier\IdTokenVerifierBuilder(); - - $builder->setJwksProvider($client->getIssuer()->getJwksProvider()); - $builder->setClientMetadata($client->getMetadata()->toArray()); - $builder->setClientJwksProvider($client->getJwksProvider()); - $builder->setIssuerMetadata($client->getIssuer()->getMetadata()->toArray()); - $builder->setClockTolerance($this->clockTolerance); - $builder->setAadIssValidation($this->aadIssValidation); - - return $builder->build(); + return \Facile\JoseVerifier\Builder\IdTokenVerifierBuilder::create( + $client->getIssuer()->getMetadata()->toArray(), + $client->getMetadata()->toArray(), + )->build(); } } diff --git a/src/Token/ResponseVerifierBuilder.php b/src/Token/ResponseVerifierBuilder.php index 873cdfe..34a5db7 100644 --- a/src/Token/ResponseVerifierBuilder.php +++ b/src/Token/ResponseVerifierBuilder.php @@ -4,7 +4,7 @@ namespace Facile\OpenIDClient\Token; -use Facile\JoseVerifier\AuthorizationResponseVerifierBuilder; +use Facile\JoseVerifier\Builder\AuthorizationResponseVerifierBuilder; use Facile\OpenIDClient\Client\ClientInterface; final class ResponseVerifierBuilder implements TokenVerifierBuilderInterface 
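Review bot: ID token verification is the security-critical path and this `build()` drops both `$this->clockTolerance` and `$this->aadIssValidation` on the floor even though `setClockTolerance` (context line above) still accepts and stores them; for issuers that depend on the AAD-specific `iss` handling, verification will either reject every token or apply whatever default the v0.5 builder uses for `iss`, and the hunk does not show which. The issuer's JWKS provider is likewise no longer injected, so key fetching now depends entirely on what `create()` does with `jwks_uri` from the metadata array — presumably it resolves it itself, but that is an assumption worth confirming against the v0.5 library. At minimum guard the unsupported configuration: `if ($this->aadIssValidation) { throw new \LogicException('AAD iss validation is not supported by the v0.5 ID token verifier builder yet'); }`, and do the same for a non-zero clock tolerance, so callers cannot believe a tolerance is in effect when it is not.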
@@ -31,15 +31,9 @@ public function setClockTolerance(int $clockTolerance): self public function build(ClientInterface $client): \Facile\JoseVerifier\TokenVerifierInterface { - $builder = new AuthorizationResponseVerifierBuilder(); - - $builder->setJwksProvider($client->getIssuer()->getJwksProvider()); - $builder->setClientMetadata($client->getMetadata()->toArray()); - $builder->setClientJwksProvider($client->getJwksProvider()); - $builder->setIssuerMetadata($client->getIssuer()->getMetadata()->toArray()); - $builder->setClockTolerance($this->clockTolerance); - $builder->setAadIssValidation($this->aadIssValidation); - - return $builder->build(); + return AuthorizationResponseVerifierBuilder::create( + $client->getIssuer()->getMetadata()->toArray(), + $client->getMetadata()->toArray(), + )->build(); } } diff --git a/src/Token/UserInfoVerifierBuilder.php b/src/Token/UserInfoVerifierBuilder.php index 2bcb8f5..2ec98b1 100644 --- a/src/Token/UserInfoVerifierBuilder.php +++ b/src/Token/UserInfoVerifierBuilder.php @@ -4,6 +4,7 @@ namespace Facile\OpenIDClient\Token; +use Facile\JoseVerifier\TokenVerifierInterface; use Facile\OpenIDClient\Client\ClientInterface; final class UserInfoVerifierBuilder implements TokenVerifierBuilderInterface 
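Review bot: The client's own key material (`$client->getJwksProvider()`, removed here) is no longer handed to the authorization-response verifier, and nothing in the hunk shows that `create($issuerMetadata, $clientMetadata)` obtains the client's private keys from the metadata array alone; if the issuer encrypts response JWTs to the client, decryption would then fail — or, if the v0.5 builder reads keys from the `jwks` entry of the client metadata, that needs to be stated in a comment so the dependency is explicit. As in the sibling builders, `$this->clockTolerance` and `$this->aadIssValidation` are stored by the setters but never applied, which turns them into silent no-ops. Either forward both through the v0.5 builder's equivalents if it exposes them, or add `/** @todo clockTolerance and aadIssValidation are not forwarded to the v0.5 builder */` above `build()` and reject a non-default configuration with a `\LogicException` until they are.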
@@ -28,17 +29,11 @@ public function setClockTolerance(int $clockTolerance): self return $this; } - public function build(ClientInterface $client): \Facile\JoseVerifier\TokenVerifierInterface + public function build(ClientInterface $client): TokenVerifierInterface { - $builder = new \Facile\JoseVerifier\UserInfoVerifierBuilder(); - - $builder->setJwksProvider($client->getIssuer()->getJwksProvider()); - $builder->setClientMetadata($client->getMetadata()->toArray()); - $builder->setClientJwksProvider($client->getJwksProvider()); - $builder->setIssuerMetadata($client->getIssuer()->getMetadata()->toArray()); - $builder->setClockTolerance($this->clockTolerance); - $builder->setAadIssValidation($this->aadIssValidation); - - return $builder->build(); + return \Facile\JoseVerifier\Builder\UserInfoVerifierBuilder::create( + $client->getIssuer()->getMetadata()->toArray(), + $client->getMetadata()->toArray(), + )->build(); } }
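Review bot: This `build()` is now byte-for-byte identical to the three sibling builders except for the `\Facile\JoseVerifier\Builder\UserInfoVerifierBuilder` class name, and none of them document that `$this->clockTolerance` and `$this->aadIssValidation` — still accepted by `setClockTolerance` in the context lines above — are not forwarded, a gap the commit subject itself acknowledges. A reader of this class alone cannot tell whether that is intentional, so add a docblock on `build()` stating it, e.g. `/** @todo clockTolerance and aadIssValidation are not forwarded to the v0.5 verifier builder; the JWKS providers are now derived from the metadata arrays by create(). */` (the second clause hedged until confirmed against the v0.5 library). Consider also moving the shared body into one private helper or trait taking the builder class name, so the four copies cannot drift apart when the missing settings are eventually wired in.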