Refactor Authorization database model and state usage

Author: robertlemke

Classes/Authorization.php

@@ -25,6 +25,8 @@
  */
 class Authorization
 {
+    public const GRANT_AUTHORIZATION_CODE = 'authorization_code';
+
     /**
      * @ORM\Id
      * @var string
@@ -67,18 +69,30 @@ class Authorization
     /**
      * @param string $serviceName
      * @param string $clientId
-     * @param string $clientSecret
      * @param string $grantType
      * @param string $scope
      */
-    public function __construct(string $serviceName, string $clientId, string $clientSecret, string $grantType, string $scope)
+    public function __construct(string $serviceName, string $clientId, string $grantType, string $scope)
     {
+        $this->authorizationId = self::calculateAuthorizationId($serviceName, $clientId, $grantType, $scope);
         $this->serviceName = $serviceName;
         $this->clientId = $clientId;
-        $this->clientSecret = $clientSecret;
         $this->grantType = $grantType;
         $this->scope = $scope;
-        $this->authorizationId = sha1($serviceName . $clientId . $grantType . $scope);
+    }
+
+    /**
+     * Calculate an authorization identifier (for this model) from the given parameters.
+     *
+     * @param string $serviceName
+     * @param string $clientId
+     * @param string $grantType
+     * @param string $scope
+     * @return string
+     */
+    public static function calculateAuthorizationId(string $serviceName, string $clientId, string $grantType, string $scope): string
+    {
+        return sha1($serviceName . $clientId . $grantType . $scope);
     }
 
     /**
@@ -105,6 +119,14 @@ public function getClientId(): string
         return $this->clientId;
     }
 
+    /**
+     * @param string $clientSecret
+     */
+    public function setClientSecret(string $clientSecret): void
+    {
+        $this->clientSecret = $clientSecret;
+    }
+
     /**
      * @return string
      */

Classes/Controller/OAuthController.php

@@ -59,17 +59,12 @@ public function startAuthorizationAction(string $clientId, string $clientSecret,
      * @param string $serviceType
      * @param string $serviceName
      * @param string $scope
-     * @throws OAuthClientException
-     * @throws \Doctrine\ORM\ORMException
-     * @throws \Doctrine\ORM\OptimisticLockException
-     * @throws \Doctrine\ORM\TransactionRequiredException
-     * @throws \Neos\Flow\Mvc\Exception\StopActionException
-     * @throws \Neos\Flow\Mvc\Exception\UnsupportedRequestTypeException
+     * @throws
      */
     public function finishAuthorizationAction(string $code, string $state, string $serviceType, string $serviceName, string $scope = ''): void
     {
         if (!isset($this->serviceTypes[$serviceType])) {
-            throw new OAuthClientException(sprintf('Failed finishing OAuth2 authorization because the given service type "%s" is unknown.', $serviceName), 1511193117184);
+            throw new OAuthClientException(sprintf('OAuth: Failed finishing OAuth2 authorization because the given service type "%s" is unknown.', $serviceName), 1511193117184);
         }
 
         $client = new $this->serviceTypes[$serviceType]($serviceName);
@@ -85,12 +80,7 @@ public function finishAuthorizationAction(string $code, string $state, string $s
      * @param string $clientId
      * @param string $returnToUri
      * @param string $serviceName
-     * @throws OAuthClientException
-     * @throws \Doctrine\ORM\ORMException
-     * @throws \Doctrine\ORM\OptimisticLockException
-     * @throws \Doctrine\ORM\TransactionRequiredException
-     * @throws \Neos\Flow\Mvc\Exception\StopActionException
-     * @throws \Neos\Flow\Mvc\Exception\UnsupportedRequestTypeException
+     * @throws
      */
     public function refreshAuthorizationAction(string $clientId, string $returnToUri, string $serviceName): void
     {

Classes/OAuthClient.php

@@ -34,7 +34,12 @@
 
 abstract class OAuthClient
 {
-    public const STATE_QUERY_PARAMETER_NAME = 'flownative_oauth2_state';
+    /**
+     * Name of the HTTP query parameter used for passing around the authorization id
+     *
+     * @const string
+     */
+    public const AUTHORIZATION_ID_QUERY_PARAMETER_NAME = 'flownative_oauth2_authorization_id';
 
     /**
      * @var string
@@ -235,38 +240,52 @@ public function getAccessToken(string $grant, string $clientId, string $clientSe
      * @param string $clientId The client id, as provided by the OAuth server
      * @param string $clientSecret The client secret, provided by the OAuth server
      * @param Uri $returnToUri URI to return to when authorization is finished
-     * @param array $scopes Scopes to request for authorization
+     * @param string $scope Scope to request for authorization. Must be scope ids separated by space, e.g. "openid profile email"
      * @return Uri The URL the browser should redirect to, asking the user to authorize
      * @throws OAuthClientException
      */
-    public function startAuthorization(string $clientId, string $clientSecret, Uri $returnToUri, array $scopes = []): Uri
+    public function startAuthorization(string $clientId, string $clientSecret, Uri $returnToUri, string $scope): Uri
     {
+        $authorization = new Authorization($this->getServiceType(), $clientId, Authorization::GRANT_AUTHORIZATION_CODE, $scope);
+        $this->logger->info(sprintf('OAuth (%s): Starting authorization %s using client id "%s", a %s bytes long secret and scope "%s".', $this->getServiceType(), $authorization->getAuthorizationId(), $clientId, strlen($clientSecret), $scope));
+
+        try {
+            $oldAuthorization = $this->entityManager->find(Authorization::class, $authorization->getAuthorizationId());
+            if ($oldAuthorization !== null) {
+                $authorization = $oldAuthorization;
+            }
+            $authorization->setClientSecret($clientSecret);
+            $this->entityManager->persist($authorization);
+            $this->entityManager->flush();
+        } catch (ORMException $exception) {
+            throw new OAuthClientException(sprintf('OAuth (%s): Failed storing authorization in database: %s', $this->getServiceType(), $exception->getMessage()), 1568727133);
+        }
+
         $oAuthProvider = $this->createOAuthProvider($clientId, $clientSecret);
-        $authorizationUri = new Uri($oAuthProvider->getAuthorizationUrl(['scope' => implode(' ', $scopes)]));
-        $stateIdentifier = $oAuthProvider->getState();
+        $authorizationUri = new Uri($oAuthProvider->getAuthorizationUrl(['scope' => $scope]));
 
         try {
             $this->stateCache->set(
-                $stateIdentifier,
+                $oAuthProvider->getState(),
                 [
+                    'authorizationId' => $authorization->getAuthorizationId(),
                     'clientId' => $clientId,
                     'clientSecret' => $clientSecret,
                     'returnToUri' => (string)$returnToUri
                 ]
             );
         } catch (Exception $exception) {
-            throw new OAuthClientException(sprintf('Failed setting cache entry for OAuth authorization: %s', $exception->getMessage()), 1560178858);
+            throw new OAuthClientException(sprintf('OAuth (%s): Failed setting cache entry for authorization: %s', $this->getServiceType(), $exception->getMessage()), 1560178858);
         }
 
-        $this->logger->info(sprintf('OAuth (%s): Starting authorization %s using client id "%s" and a %s bytes long secret, returning to "%s".', $this->getServiceType(), $stateIdentifier, $clientId, strlen($clientSecret), $returnToUri), LogEnvironment::fromMethodName(__METHOD__));
         return $authorizationUri;
     }
 
     /**
      * Finish an OAuth authorization with the Authorization Code flow
      *
      * @param string $code The authorization code given by the OAuth server
-     * @param string $stateIdentifier The authorization identifier, passed back by the OAuth server as the "state" parameter
+     * @param string $stateIdentifier The state identifier, passed back by the OAuth server as the "state" parameter
      * @param string $scope The scope for the granted authorization (syntax varies depending on the service)
      * @return Uri The URI to return to
      * @throws OAuthClientException
@@ -278,36 +297,38 @@ public function finishAuthorization(string $code, string $stateIdentifier, strin
     {
         $stateFromCache = $this->stateCache->get($stateIdentifier);
         if (empty($stateFromCache)) {
-            throw new OAuthClientException(sprintf('OAuth2: Finishing authorization failed because oAuth state %s could not be retrieved from the state cache.', $stateIdentifier), 1558956494);
+            throw new OAuthClientException(sprintf('OAuth: Finishing authorization failed because oAuth state %s could not be retrieved from the state cache.', $stateIdentifier), 1558956494);
         }
 
+        $authorizationId = $stateFromCache['authorizationId'];
         $clientId = $stateFromCache['clientId'];
         $clientSecret = $stateFromCache['clientSecret'];
         $oAuthProvider = $this->createOAuthProvider($clientId, $clientSecret);
 
+        $this->logger->info(sprintf('OAuth (%s): Finishing authorization for client "%s", authorization id "%s", using state %s.', $this->getServiceType(), $clientId, $authorizationId, $stateIdentifier));
         try {
-            $this->logger->info(sprintf('OAuth (%s): Finishing authorization for client "%s", state "%s", using a %s bytes long secret.', $this->getServiceType(), $clientId, $stateIdentifier, strlen($clientSecret)), LogEnvironment::fromMethodName(__METHOD__));
-
-            $oldOAuthToken = $this->entityManager->find(Authorization::class, ['authorizationId' => $stateIdentifier]);
-            if ($oldOAuthToken !== null) {
-                $this->entityManager->remove($oldOAuthToken);
-                $this->entityManager->flush();
-
-                $this->logger->info(sprintf('OAuth (%s): Removed old OAuth token "%s".', $this->getServiceType(), $stateIdentifier), LogEnvironment::fromMethodName(__METHOD__));
+            $authorization = $this->entityManager->find(Authorization::class, $authorizationId);
+            if (!$authorization instanceof Authorization) {
+                throw new OAuthClientException(sprintf('OAuth2 (%s): Finishing authorization failed because authorization %s could not be retrieved from the database.', $this->getServiceType(), $authorizationId), 1568710771);
             }
+
             $accessToken = $oAuthProvider->getAccessToken('authorization_code', ['code' => $code]);
-            $authorization = $this->createNewAuthorization($clientId, $clientSecret, 'authorization_code', $accessToken, $scope);
+            $this->logger->info(sprintf('OAuth (%s): Persisting OAuth token for authorization "%s" with expiry time %s.', $this->getServiceType(), $authorizationId, $accessToken->getExpires()));
 
-            $this->logger->info(sprintf('OAuth (%s): Persisted new OAuth token for authorization "%s" with expiry time %s.', $this->getServiceType(), $stateIdentifier, $accessToken->getExpires()), LogEnvironment::fromMethodName(__METHOD__));
+            $authorization->setAccessToken($accessToken);
 
             $this->entityManager->persist($authorization);
             $this->entityManager->flush();
+
         } catch (IdentityProviderException $exception) {
             throw new OAuthClientException($exception->getMessage(), 1511187001671, $exception);
         }
 
         $returnToUri = new Uri($stateFromCache['returnToUri']);
-        return $returnToUri->withQuery(trim($returnToUri->getQuery() . '&' . self::STATE_QUERY_PARAMETER_NAME . '=' . $stateIdentifier, '&'));
+        $returnToUri = $returnToUri->withQuery(trim($returnToUri->getQuery() . '&' . self::AUTHORIZATION_ID_QUERY_PARAMETER_NAME . '=' . $authorizationId, '&'));
+
+        $this->logger->debug(sprintf('OAuth (%s): Finished authorization "%s", $returnToUri is %s.', $this->getServiceType(), $authorizationId, $returnToUri));
+        return $returnToUri;
     }
 
     /**

Tests/Unit/AuthorizationTest.php

@@ -48,7 +48,7 @@ public function correctConstructorArguments(): array
      */
     public function constructSetsAuthorizationIdentifier(string $expectedAuthorizationId, string $serviceName, string $clientId, string $clientSecret, string $grantType, string $scope): void
     {
-        $authorization = new Authorization($serviceName, $clientId, $clientSecret, $grantType, $scope);
+        $authorization = new Authorization($serviceName, $clientId, $grantType, $scope);
         self::assertSame($expectedAuthorizationId, $authorization->getAuthorizationId());
     }
 
@@ -59,7 +59,7 @@ public function getAccessTokenReturnsClonedObject(): void
     {
         $accessToken = $this->createValidAccessToken();
 
-        $authorization = new Authorization('service', 'clientId', 'clientSecret', 'authorization_code', '');
+        $authorization = new Authorization('service', 'clientId',Authorization::GRANT_AUTHORIZATION_CODE, 'profile');
         $authorization->setAccessToken($accessToken);
         $retrievedAccessToken = $authorization->getAccessToken();
 
@@ -74,7 +74,7 @@ public function getSerializedAccessTokenReturnsCorrectJsonString(): void
     {
         $accessToken = $this->createValidAccessToken();
 
-        $authorization = new Authorization('service', 'clientId', 'clientSecret', 'authorization_code', '');
+        $authorization = new Authorization('service', 'clientId',  Authorization::GRANT_AUTHORIZATION_CODE, '');
         $authorization->setAccessToken($accessToken);
 
         $secondAccessToken = new AccessToken($authorization->getSerializedAccessToken());
@@ -88,13 +88,27 @@ public function getAccessTokenReturnsPreviouslySetSerializedToken(): void
     {
         $accessToken = $this->createValidAccessToken();
 
-        $authorization = new Authorization('service', 'clientId', 'clientSecret', 'authorization_code', '');
+        $authorization = new Authorization('service', 'clientId', Authorization::GRANT_AUTHORIZATION_CODE, '');
         $authorization->setSerializedAccessToken($accessToken->jsonSerialize());
 
         $secondAccessToken = new AccessToken($authorization->getSerializedAccessToken());
         $this->assertEquals($accessToken, $secondAccessToken);
     }
 
+    /**
+     * @test
+     */
+    public function calculateAuthorizationIdReturnsSha1(): void
+    {
+        $authorizationId = Authorization::calculateAuthorizationId(
+            'oidc_test',
+            'ac36cGG4d2Cef1DeuevA7T1u7V4WOUI14',
+            'authorization_code',
+            'oidc profile'
+        );
+        self::assertSame('21de19f789834af6edff3346e8d9449fcd0d4dae', $authorizationId);
+    }
+
     /**
      * @return AccessToken
      */