Move to dedicated RefreshTokenEntity Factory

Author: cicnavi

src/Entities/RefreshTokenEntity.php

@@ -24,8 +24,6 @@
 use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Traits\AssociateWithAuthCodeTrait;
 use SimpleSAML\Module\oidc\Entities\Traits\RevokeTokenTrait;
-use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
 
 class RefreshTokenEntity implements RefreshTokenEntityInterface
 {
@@ -34,31 +32,18 @@ class RefreshTokenEntity implements RefreshTokenEntityInterface
     use RevokeTokenTrait;
     use AssociateWithAuthCodeTrait;
 
-    /**
-     * @throws \Exception
-     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
-     */
-    public static function fromState(array $state): RefreshTokenEntityInterface
-    {
-        $refreshToken = new self();
-
-        if (
-            !is_string($state['id']) ||
-            !is_string($state['expires_at']) ||
-            !is_a($state['access_token'], AccessTokenEntityInterface::class)
-        ) {
-            throw OidcServerException::serverError('Invalid Refresh Token state');
-        }
-
-        $refreshToken->identifier = $state['id'];
-        $refreshToken->expiryDateTime = DateTimeImmutable::createFromMutable(
-            TimestampGenerator::utc($state['expires_at']),
-        );
-        $refreshToken->accessToken = $state['access_token'];
-        $refreshToken->isRevoked = (bool) $state['is_revoked'];
-        $refreshToken->authCodeId = empty($state['auth_code_id']) ? null : (string)$state['auth_code_id'];
-
-        return $refreshToken;
+    public function __construct(
+        string $id,
+        DateTimeImmutable $expiryDateTime,
+        AccessTokenEntityInterface $accessTokenEntity,
+        ?string $authCodeId = null,
+        bool $isRevoked = false,
+    ) {
+        $this->setIdentifier($id);
+        $this->setExpiryDateTime($expiryDateTime);
+        $this->setAccessToken($accessTokenEntity);
+        $this->setAuthCodeId($authCodeId);
+        $this->isRevoked = $isRevoked;
     }
 
     public function getState(): array

src/Factories/Entities/RefreshTokenEntityFactory.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Factories\Entities;
+
+use DateTimeImmutable;
+use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
+use SimpleSAML\Module\oidc\Entities\RefreshTokenEntity;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+
+class RefreshTokenEntityFactory
+{
+    public function __construct(
+        protected Helpers $helpers,
+    ) {
+    }
+
+    public function fromData(
+        string $id,
+        DateTimeImmutable $expiryDateTime,
+        AccessTokenEntityInterface $accessTokenEntity,
+        ?string $authCodeId = null,
+        bool $isRevoked = false,
+    ): RefreshTokenEntity {
+        return new RefreshTokenEntity(
+            $id,
+            $expiryDateTime,
+            $accessTokenEntity,
+            $authCodeId,
+            $isRevoked,
+        );
+    }
+
+    /**
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     */
+    public function fromState(array $state): RefreshTokenEntity
+    {
+        if (
+            !is_string($state['id']) ||
+            !is_string($state['expires_at']) ||
+            !is_a($state['access_token'], AccessTokenEntityInterface::class)
+        ) {
+            throw OidcServerException::serverError('Invalid Refresh Token state');
+        }
+
+        $id = $state['id'];
+        $expiryDateTime = $this->helpers->dateTime()->getUtc($state['expires_at']);
+        $accessToken = $state['access_token'];
+        $isRevoked = (bool) $state['is_revoked'];
+        $authCodeId = empty($state['auth_code_id']) ? null : (string)$state['auth_code_id'];
+
+        return $this->fromData(
+            $id,
+            $expiryDateTime,
+            $accessToken,
+            $authCodeId,
+            $isRevoked,
+        );
+    }
+}

src/Repositories/RefreshTokenRepository.php

@@ -21,6 +21,7 @@
 use RuntimeException;
 use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\RefreshTokenEntity;
+use SimpleSAML\Module\oidc\Factories\Entities\RefreshTokenEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\RefreshTokenRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Traits\RevokeTokenByAuthCodeIdTrait;
@@ -35,6 +36,7 @@ class RefreshTokenRepository extends AbstractDatabaseRepository implements Refre
     public function __construct(
         ModuleConfig $moduleConfig,
         protected readonly AccessTokenRepository $accessTokenRepository,
+        protected readonly RefreshTokenEntityFactory $refreshTokenEntityFactory,
     ) {
         parent::__construct($moduleConfig);
     }
@@ -52,7 +54,7 @@ public function getTableName(): string
      */
     public function getNewRefreshToken(): RefreshTokenEntityInterface
     {
-        return new RefreshTokenEntity();
+        throw new RuntimeException('Not implemented. Use RefreshTokenEntityFactory instead.');
     }
 
     /**
@@ -99,7 +101,7 @@ public function findById(string $tokenId): ?RefreshTokenEntityInterface
         $data = current($rows);
         $data['access_token'] = $this->accessTokenRepository->findById((string)$data['access_token_id']);
 
-        return RefreshTokenEntity::fromState($data);
+        return $this->refreshTokenEntityFactory->fromState($data);
     }
 
     /**

src/Services/Container.php

@@ -42,6 +42,7 @@
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClaimSetEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\RefreshTokenEntityFactory;
 use SimpleSAML\Module\oidc\Factories\FederationFactory;
 use SimpleSAML\Module\oidc\Factories\FormFactory;
 use SimpleSAML\Module\oidc\Factories\Grant\AuthCodeGrantFactory;
@@ -238,7 +239,14 @@ public function __construct()
         );
         $this->services[AccessTokenRepository::class] = $accessTokenRepository;
 
-        $refreshTokenRepository = new RefreshTokenRepository($moduleConfig, $accessTokenRepository);
+        $refreshTokenEntityFactory = new RefreshTokenEntityFactory($helpers);
+        $this->services[RefreshTokenEntityFactory::class] = $refreshTokenEntityFactory;
+
+        $refreshTokenRepository = new RefreshTokenRepository(
+            $moduleConfig,
+            $accessTokenRepository,
+            $refreshTokenEntityFactory,
+        );
         $this->services[RefreshTokenRepository::class] = $refreshTokenRepository;
 
         $scopeRepository = new ScopeRepository($moduleConfig);

tests/unit/src/Entities/RefreshTokenEntityTest.php

@@ -4,6 +4,8 @@
 
 namespace SimpleSAML\Test\Module\oidc\unit\Entities;
 
+use DateTimeImmutable;
+use DateTimeZone;
 use PDO;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
@@ -16,33 +18,37 @@
  */
 class RefreshTokenEntityTest extends TestCase
 {
+    protected string $id;
+    protected DateTimeImmutable $expiryDateTime;
     protected MockObject $accessTokenEntityMock;
-    protected array $state;
+    protected false $isRevoked;
+    protected string $authCodeId;
 
     /**
      * @throws \Exception
      */
     protected function setUp(): void
     {
+        $this->id = 'id';
+        $this->expiryDateTime = new DateTimeImmutable('1970-01-01 00:00:00', new DateTimeZone('UTC'));
         $this->accessTokenEntityMock = $this->createMock(AccessTokenEntity::class);
         $this->accessTokenEntityMock->method('getIdentifier')->willReturn('access_token_id');
-
-        $this->state = [
-            'id' => 'id',
-            'expires_at' => '1970-01-01 00:00:00',
-            'access_token' => $this->accessTokenEntityMock,
-            'is_revoked' => false,
-            'auth_code_id' => '123',
-        ];
+        $this->isRevoked = false;
+        $this->authCodeId = 'auth_code_id';
     }
 
     /**
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
      */
-    protected function prepareMockedInstance(array $state = null): RefreshTokenEntityInterface
+    protected function mock(): RefreshTokenEntityInterface
     {
-        $state ??= $this->state;
-        return RefreshTokenEntity::fromState($state);
+        return new RefreshTokenEntity(
+            $this->id,
+            $this->expiryDateTime,
+            $this->accessTokenEntityMock,
+            $this->authCodeId,
+            $this->isRevoked,
+        );
     }
 
     /**
@@ -52,7 +58,7 @@ public function testItIsInitializable(): void
     {
         $this->assertInstanceOf(
             RefreshTokenEntity::class,
-            $this->prepareMockedInstance(),
+            $this->mock(),
         );
     }
 
@@ -62,13 +68,13 @@ public function testItIsInitializable(): void
     public function testCanGetState(): void
     {
         $this->assertSame(
-            $this->prepareMockedInstance()->getState(),
+            $this->mock()->getState(),
             [
-                'id' => 'id',
+                'id' => $this->id,
                 'expires_at' => '1970-01-01 00:00:00',
-                'access_token_id' => 'access_token_id',
-                'is_revoked' => [$this->state['is_revoked'], PDO::PARAM_BOOL],
-                'auth_code_id' => '123',
+                'access_token_id' => $this->accessTokenEntityMock->getIdentifier(),
+                'is_revoked' => [$this->isRevoked, PDO::PARAM_BOOL],
+                'auth_code_id' => $this->authCodeId,
             ],
         );
     }

tests/unit/src/Repositories/RefreshTokenRepositoryTest.php

@@ -16,16 +16,18 @@
 namespace SimpleSAML\Test\Module\oidc\unit\Repositories;
 
 use DateTimeImmutable;
+use DateTimeZone;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use RuntimeException;
 use SimpleSAML\Configuration;
 use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
+use SimpleSAML\Module\oidc\Entities\RefreshTokenEntity;
+use SimpleSAML\Module\oidc\Factories\Entities\RefreshTokenEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
 use SimpleSAML\Module\oidc\Services\DatabaseMigration;
-use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
 
 /**
  * @covers \SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository
@@ -40,6 +42,8 @@ class RefreshTokenRepositoryTest extends TestCase
     protected RefreshTokenRepository $repository;
     protected MockObject $accessTokenMock;
     protected MockObject $accessTokenRepositoryMock;
+    protected MockObject $refreshTokenEntityFactoryMock;
+    protected MockObject $refreshTokenEntityMock;
 
     /**
      * @throws \League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException
@@ -67,10 +71,14 @@ protected function setUp(): void
         $this->accessTokenMock = $this->createMock(AccessTokenEntity::class);
         $this->accessTokenMock->method('getIdentifier')->willReturn(self::ACCESS_TOKEN_ID);
         $this->accessTokenRepositoryMock = $this->createMock(AccessTokenRepository::class);
+        $this->refreshTokenEntityFactoryMock = $this->createMock(RefreshTokenEntityFactory::class);
+
+        $this->refreshTokenEntityMock = $this->createMock(RefreshTokenEntity::class);
 
         $this->repository = new RefreshTokenRepository(
             new ModuleConfig(),
             $this->accessTokenRepositoryMock,
+            $this->refreshTokenEntityFactoryMock,
         );
     }
 
@@ -87,13 +95,19 @@ public function testGetTableName(): void
      */
     public function testAddAndFound(): void
     {
-        $refreshToken = $this->repository->getNewRefreshToken();
-        $refreshToken->setIdentifier(self::REFRESH_TOKEN_ID);
-        $refreshToken->setExpiryDateTime(DateTimeImmutable::createFromMutable(TimestampGenerator::utc('yesterday')));
-        $refreshToken->setAccessToken($this->accessTokenMock);
-
+        $refreshToken = new RefreshTokenEntity(
+            self::REFRESH_TOKEN_ID,
+            new DateTimeImmutable('yesterday', new DateTimeZone('UTC')),
+            $this->accessTokenMock,
+        );
         $this->repository->persistNewRefreshToken($refreshToken);
 
+        $this->refreshTokenEntityFactoryMock->expects($this->once())
+            ->method('fromState')
+            ->with($this->callback(function (array $state): bool {
+                return $state['id'] === self::REFRESH_TOKEN_ID;
+            }))->willReturn($refreshToken);
+
         $this->accessTokenRepositoryMock->method('findById')->willReturn($this->accessTokenMock);
         $foundRefreshToken = $this->repository->findById(self::REFRESH_TOKEN_ID);
 
@@ -115,7 +129,17 @@ public function testAddAndNotFound(): void
      */
     public function testRevokeToken(): void
     {
+        $revokedRefreshTokenMock = $this->createMock(RefreshTokenEntity::class);
+        $revokedRefreshTokenMock->method('isRevoked')->willReturn(true);
         $this->accessTokenRepositoryMock->method('findById')->willReturn($this->accessTokenMock);
+        $this->refreshTokenEntityMock->expects($this->once())->method('revoke');
+        $this->refreshTokenEntityFactoryMock->expects($this->atLeastOnce())
+            ->method('fromState')
+            ->with($this->callback(function (array $state): bool {
+                return $state['id'] === self::REFRESH_TOKEN_ID;
+            }))
+            ->willReturnOnConsecutiveCalls($this->refreshTokenEntityMock, $revokedRefreshTokenMock);
+
         $this->repository->revokeRefreshToken(self::REFRESH_TOKEN_ID);
         $isRevoked = $this->repository->isRefreshTokenRevoked(self::REFRESH_TOKEN_ID);