Move to dedicated AuthCodeEntity Factory (#257)

* Move to dedicated AuthCodeEntity Factory

---------

Co-authored-by: Marko Ivančić <[email protected]>

Author: cicnavi

src/Entities/AuthCodeEntity.php

@@ -16,16 +16,14 @@
 namespace SimpleSAML\Module\oidc\Entities;
 
 use DateTimeImmutable;
+use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
 use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
 use PDO;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AuthCodeEntityInterface;
-use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\MementoInterface;
 use SimpleSAML\Module\oidc\Entities\Traits\OidcAuthCodeTrait;
 use SimpleSAML\Module\oidc\Entities\Traits\RevokeTokenTrait;
-use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
 
 class AuthCodeEntity implements AuthCodeEntityInterface, MementoInterface
 {
@@ -35,49 +33,26 @@ class AuthCodeEntity implements AuthCodeEntityInterface, MementoInterface
     use RevokeTokenTrait;
 
     /**
-     * @throws \Exception
-     * @throws \JsonException
-     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
      */
-    public static function fromState(array $state): self
-    {
-        $authCode = new self();
-
-        if (
-            !is_string($state['scopes']) ||
-            !is_string($state['id']) ||
-            !is_string($state['expires_at']) ||
-            !is_a($state['client'], ClientEntityInterface::class)
-        ) {
-            throw OidcServerException::serverError('Invalid Auth Code Entity state');
-        }
-
-        $stateScopes = json_decode($state['scopes'], true, 512, JSON_THROW_ON_ERROR);
-
-        if (!is_array($stateScopes)) {
-            throw OidcServerException::serverError('Invalid Auth Code Entity state: scopes');
-        }
-
-        $scopes = array_map(
-            /**
-             * @return ScopeEntity
-             */
-            fn(string $scope) => ScopeEntity::fromData($scope),
-            $stateScopes,
-        );
-
-        $authCode->identifier = $state['id'];
-        $authCode->scopes = $scopes;
-        $authCode->expiryDateTime = DateTimeImmutable::createFromMutable(
-            TimestampGenerator::utc($state['expires_at']),
-        );
-        $authCode->userIdentifier = empty($state['user_id']) ? null : (string)$state['user_id'];
-        $authCode->client = $state['client'];
-        $authCode->isRevoked = (bool) $state['is_revoked'];
-        $authCode->redirectUri = empty($state['redirect_uri']) ? null : (string)$state['redirect_uri'];
-        $authCode->nonce = empty($state['nonce']) ? null : (string)$state['nonce'];
-
-        return $authCode;
+    public function __construct(
+        string $id,
+        OAuth2ClientEntityInterface $client,
+        array $scopes,
+        DateTimeImmutable $expiryDateTime,
+        string $userIdentifier = null,
+        string $redirectUri = null,
+        string $nonce = null,
+        bool $isRevoked = false,
+    ) {
+        $this->identifier = $id;
+        $this->client = $client;
+        $this->scopes = $scopes;
+        $this->expiryDateTime = $expiryDateTime;
+        $this->userIdentifier = $userIdentifier;
+        $this->redirectUri = $redirectUri;
+        $this->nonce = $nonce;
+        $this->isRevoked = $isRevoked;
     }
 
     /**

src/Factories/Entities/AuthCodeEntityFactory.php

@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Factories\Entities;
+
+use DateTimeImmutable;
+use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
+use SimpleSAML\Module\oidc\Entities\AuthCodeEntity;
+use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
+use SimpleSAML\Module\oidc\Entities\ScopeEntity;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+
+class AuthCodeEntityFactory
+{
+    public function __construct(
+        protected readonly Helpers $helpers,
+    ) {
+    }
+
+    /**
+     * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
+     */
+    public function fromData(
+        string $id,
+        OAuth2ClientEntityInterface $client,
+        array $scopes,
+        DateTimeImmutable $expiryDateTime,
+        string $userIdentifier = null,
+        string $redirectUri = null,
+        string $nonce = null,
+        bool $isRevoked = false,
+    ): AuthCodeEntity {
+        return new AuthCodeEntity(
+            $id,
+            $client,
+            $scopes,
+            $expiryDateTime,
+            $userIdentifier,
+            $redirectUri,
+            $nonce,
+            $isRevoked,
+        );
+    }
+
+    /**
+     * @throws \Exception
+     * @throws \JsonException
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     */
+    public function fromState(array $state): AuthCodeEntity
+    {
+        if (
+            !is_string($state['scopes']) ||
+            !is_string($state['id']) ||
+            !is_string($state['expires_at']) ||
+            !is_a($state['client'], ClientEntityInterface::class)
+        ) {
+            throw OidcServerException::serverError('Invalid Auth Code Entity state');
+        }
+
+        $stateScopes = json_decode($state['scopes'], true, 512, JSON_THROW_ON_ERROR);
+
+        if (!is_array($stateScopes)) {
+            throw OidcServerException::serverError('Invalid Auth Code Entity state: scopes');
+        }
+
+        $scopes = array_map(
+            /**
+             * @return ScopeEntity
+             */
+            fn(string $scope) => ScopeEntity::fromData($scope),
+            $stateScopes,
+        );
+
+        $id = $state['id'];
+        $client = $state['client'];
+        $expiryDateTime = $this->helpers->dateTime()->getUtc($state['expires_at']);
+        $userIdentifier = empty($state['user_id']) ? null : (string)$state['user_id'];
+        $redirectUri = empty($state['redirect_uri']) ? null : (string)$state['redirect_uri'];
+        $nonce = empty($state['nonce']) ? null : (string)$state['nonce'];
+        $isRevoked = (bool) $state['is_revoked'];
+
+        return $this->fromData(
+            $id,
+            $client,
+            $scopes,
+            $expiryDateTime,
+            $userIdentifier,
+            $redirectUri,
+            $nonce,
+            $isRevoked,
+        );
+    }
+}

src/Factories/Grant/AuthCodeGrantFactory.php

@@ -17,6 +17,7 @@
 namespace SimpleSAML\Module\oidc\Factories\Grant;
 
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
@@ -35,6 +36,7 @@ public function __construct(
         private readonly RequestRulesManager $requestRulesManager,
         private readonly RequestParamsResolver $requestParamsResolver,
         private readonly AccessTokenEntityFactory $accessTokenEntityFactory,
+        private readonly AuthCodeEntityFactory $authCodeEntityFactory,
     ) {
     }
 
@@ -51,6 +53,7 @@ public function build(): AuthCodeGrant
             $this->requestRulesManager,
             $this->requestParamsResolver,
             $this->accessTokenEntityFactory,
+            $this->authCodeEntityFactory,
         );
         $authCodeGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 

src/Repositories/AuthCodeRepository.php

@@ -21,6 +21,7 @@
 use SimpleSAML\Error\Error;
 use SimpleSAML\Module\oidc\Entities\AuthCodeEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AuthCodeEntityInterface;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AuthCodeRepositoryInterface;
 use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
@@ -30,6 +31,7 @@ class AuthCodeRepository extends AbstractDatabaseRepository implements AuthCodeR
     public function __construct(
         ModuleConfig $moduleConfig,
         protected readonly ClientRepository $clientRepository,
+        protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
     ) {
         parent::__construct($moduleConfig);
     }
@@ -46,7 +48,7 @@ public function getTableName(): string
      */
     public function getNewAuthCode(): AuthCodeEntityInterface
     {
-        return new AuthCodeEntity();
+        throw new RuntimeException('Not implemented. Use AuthCodeEntityFactory instead.');
     }
 
     /**
@@ -93,7 +95,7 @@ public function findById(string $codeId): ?AuthCodeEntityInterface
         $data = current($rows);
         $data['client'] = $this->clientRepository->findById((string)$data['client_id']);
 
-        return AuthCodeEntity::fromState($data);
+        return $this->authCodeEntityFactory->fromState($data);
     }
 
     /**

src/Server/Grants/AuthCodeGrant.php

@@ -25,6 +25,7 @@
 use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\UserEntity;
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AccessTokenRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AuthCodeRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\RefreshTokenRepositoryInterface;
@@ -160,6 +161,7 @@ public function __construct(
         protected RequestRulesManager $requestRulesManager,
         protected RequestParamsResolver $requestParamsResolver,
         AccessTokenEntityFactory $accessTokenEntityFactory,
+        protected AuthCodeEntityFactory $authCodeEntityFactory,
     ) {
         parent::__construct($authCodeRepository, $refreshTokenRepository, $authCodeTTL);
 
@@ -317,27 +319,17 @@ protected function issueOidcAuthCode(
             throw OidcServerException::serverError('Unexpected auth code repository entity type.');
         }
 
-        $authCode = $this->authCodeRepository->getNewAuthCode();
-
-        if (!is_a($authCode, AuthCodeEntityInterface::class)) {
-            throw OidcServerException::serverError('Unexpected auth code entity type.');
-        }
-
-        $authCode->setExpiryDateTime((new DateTimeImmutable())->add($authCodeTTL));
-        $authCode->setClient($client);
-        $authCode->setUserIdentifier($userIdentifier);
-        $authCode->setRedirectUri($redirectUri);
-        if (null !== $nonce) {
-            $authCode->setNonce($nonce);
-        }
-
-        foreach ($scopes as $scope) {
-            $authCode->addScope($scope);
-        }
-
         while ($maxGenerationAttempts-- > 0) {
-            $authCode->setIdentifier($this->generateUniqueIdentifier());
             try {
+                $authCode = $this->authCodeEntityFactory->fromData(
+                    $this->generateUniqueIdentifier(),
+                    $client,
+                    $scopes,
+                    (new DateTimeImmutable())->add($authCodeTTL),
+                    $userIdentifier,
+                    $redirectUri,
+                    $nonce,
+                );
                 $this->authCodeRepository->persistNewAuthCode($authCode);
 
                 return $authCode;

src/Services/Container.php

@@ -39,6 +39,7 @@
 use SimpleSAML\Module\oidc\Factories\ClaimTranslatorExtractorFactory;
 use SimpleSAML\Module\oidc\Factories\CryptKeyFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
 use SimpleSAML\Module\oidc\Factories\FederationFactory;
 use SimpleSAML\Module\oidc\Factories\FormFactory;
@@ -200,7 +201,14 @@ public function __construct()
         $userRepository = new UserRepository($moduleConfig);
         $this->services[UserRepository::class] = $userRepository;
 
-        $authCodeRepository = new AuthCodeRepository($moduleConfig, $clientRepository);
+        $authCodeEntityFactory = new AuthCodeEntityFactory($helpers);
+        $this->services[AuthCodeEntityFactory::class] = $authCodeEntityFactory;
+
+        $authCodeRepository = new AuthCodeRepository(
+            $moduleConfig,
+            $clientRepository,
+            $authCodeEntityFactory,
+        );
         $this->services[AuthCodeRepository::class] = $authCodeRepository;
 
         $cryptKeyFactory = new CryptKeyFactory($moduleConfig);
@@ -341,6 +349,7 @@ public function __construct()
             $requestRuleManager,
             $requestParamsResolver,
             $accessTokenEntityFactory,
+            $authCodeEntityFactory,
         );
         $this->services[AuthCodeGrant::class] = $authCodeGrantFactory->build();
 

tests/integration/src/Repositories/Traits/RevokeTokenByAuthCodeIdTraitTest.php

@@ -107,10 +107,11 @@ public function setUp(): void
             'id' => self::ACCESS_TOKEN_ID,
             'scopes' => '{"openid":"openid","profile":"profile"}',
             'expires_at' => date('Y-m-d H:i:s', time() - 60), // expired...
-            'user_id' => 'user123',
+            'user_id' => self::USER_ID,
             'client_id' => self::CLIENT_ID,
-            'is_revoked' => false,
-            'auth_code_id' => 'authCode123',
+            'is_revoked' => [false, PDO::PARAM_BOOL],
+            'auth_code_id' => self::AUTH_CODE_ID,
+            'requested_claims' => '[]',
         ];
 
         $this->accessTokenEntityMock = $this->createMock(AccessTokenEntity::class);
@@ -264,8 +265,8 @@ public static function loadMySqlDatabase(): array
     public static function databaseToTest(): array
     {
         return [
-            //'PostgreSql' => ['pgConfig'],
-            //'MySql' => ['mysqlConfig'],
+            'PostgreSql' => ['pgConfig'],
+            'MySql' => ['mysqlConfig'],
             'Sqlite' => ['sqliteConfig'],
         ];
     }