Introduce RefreshTokenIssuer

cicnavi · cicnavi · commit c59a0365bae5 · 2024-10-21T10:57:15.000+02:00
diff --git a/routing/services/services.yml b/routing/services/services.yml
@@ -35,6 +35,9 @@ services:
   SimpleSAML\Module\oidc\Bridges\:
     resource: '../../src/Bridges/*'
 
+  SimpleSAML\Module\oidc\Server\TokenIssuers\:
+    resource: '../../src/Server/TokenIssuers/*'
+
   SimpleSAML\Module\oidc\ModuleConfig: ~
   SimpleSAML\Module\oidc\Helpers: ~
   SimpleSAML\Module\oidc\Forms\Controls\CsrfProtection: ~
diff --git a/src/Factories/Grant/AuthCodeGrantFactory.php b/src/Factories/Grant/AuthCodeGrantFactory.php
@@ -18,14 +18,13 @@
 
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\RefreshTokenEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
 use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
 use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
-use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 
 class AuthCodeGrantFactory
@@ -39,8 +38,7 @@ public function __construct(
         private readonly RequestParamsResolver $requestParamsResolver,
         private readonly AccessTokenEntityFactory $accessTokenEntityFactory,
         private readonly AuthCodeEntityFactory $authCodeEntityFactory,
-        private readonly RefreshTokenEntityFactory $refreshTokenEntityFactory,
-        private readonly LoggerService $logger,
+        private readonly RefreshTokenIssuer $refreshTokenIssuer,
     ) {
     }
 
@@ -58,8 +56,7 @@ public function build(): AuthCodeGrant
             $this->requestParamsResolver,
             $this->accessTokenEntityFactory,
             $this->authCodeEntityFactory,
-            $this->refreshTokenEntityFactory,
-            $this->logger,
+            $this->refreshTokenIssuer,
         );
         $authCodeGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 
diff --git a/src/Factories/Grant/RefreshTokenGrantFactory.php b/src/Factories/Grant/RefreshTokenGrantFactory.php
@@ -19,19 +19,26 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
 use SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant;
+use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
 
 class RefreshTokenGrantFactory
 {
     public function __construct(
         private readonly ModuleConfig $moduleConfig,
         private readonly RefreshTokenRepository $refreshTokenRepository,
         private readonly AccessTokenEntityFactory $accessTokenEntityFactory,
+        private readonly RefreshTokenIssuer $refreshTokenIssuer,
     ) {
     }
 
     public function build(): RefreshTokenGrant
     {
-        $refreshTokenGrant = new RefreshTokenGrant($this->refreshTokenRepository, $this->accessTokenEntityFactory);
+        $refreshTokenGrant = new RefreshTokenGrant(
+            $this->refreshTokenRepository,
+            $this->accessTokenEntityFactory,
+            $this->refreshTokenIssuer,
+        );
+
         $refreshTokenGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 
         return $refreshTokenGrant;
diff --git a/src/Helpers.php b/src/Helpers.php
@@ -8,6 +8,7 @@
 use SimpleSAML\Module\oidc\Helpers\Client;
 use SimpleSAML\Module\oidc\Helpers\DateTime;
 use SimpleSAML\Module\oidc\Helpers\Http;
+use SimpleSAML\Module\oidc\Helpers\Random;
 use SimpleSAML\Module\oidc\Helpers\Str;
 
 class Helpers
@@ -17,6 +18,7 @@ class Helpers
     protected static ?DateTime $dateTIme = null;
     protected static ?Str $str = null;
     protected static ?Arr $arr = null;
+    protected static ?Random $random = null;
 
     public function http(): Http
     {
@@ -44,4 +46,9 @@ public function arr(): Arr
     {
         return static::$arr ??= new Arr();
     }
+
+    public function random(): Random
+    {
+        return static::$random ??= new Random();
+    }
 }
diff --git a/src/Helpers/Random.php b/src/Helpers/Random.php
@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Helpers;
+
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use Throwable;
+
+class Random
+{
+    /**
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     */
+    public function getIdentifier(int $length = 40): string
+    {
+        if ($length < 1) {
+            throw OidcServerException::serverError('Random string length can not be less than 1');
+        }
+
+        try {
+            return bin2hex(random_bytes($length));
+        } catch (Throwable $e) {
+            throw OidcServerException::serverError('Could not generate a random string', $e);
+        }
+    }
+}
diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php
@@ -27,7 +27,6 @@
 use SimpleSAML\Module\oidc\Entities\UserEntity;
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\RefreshTokenEntityFactory;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AccessTokenRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AuthCodeRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\RefreshTokenRepositoryInterface;
@@ -58,7 +57,7 @@
 use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\AuthTimeResponseTypeInterface;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\NonceResponseTypeInterface;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\SessionIdResponseTypeInterface;
-use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
 use SimpleSAML\Module\oidc\Utils\Arr;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\Module\oidc\Utils\ScopeHelper;
@@ -165,8 +164,7 @@ public function __construct(
         protected RequestParamsResolver $requestParamsResolver,
         AccessTokenEntityFactory $accessTokenEntityFactory,
         protected AuthCodeEntityFactory $authCodeEntityFactory,
-        protected RefreshTokenEntityFactory $refreshTokenEntityFactory,
-        protected LoggerService $logger,
+        protected RefreshTokenIssuer $refreshTokenIssuer,
     ) {
         parent::__construct($authCodeRepository, $refreshTokenRepository, $authCodeTTL);
 
@@ -752,37 +750,15 @@ protected function issueRefreshToken(
         OAuth2AccessTokenEntityInterface $accessToken,
         string $authCodeId = null,
     ): ?RefreshTokenEntityInterface {
-        if (! is_a($this->refreshTokenRepository, RefreshTokenRepositoryInterface::class)) {
-            throw OidcServerException::serverError('Unexpected refresh token repository entity type.');
-        }
         if (! is_a($accessToken, AccessTokenEntityInterface::class)) {
             throw OidcServerException::serverError('Unexpected access token entity type.');
         }
 
-        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
-
-        while ($maxGenerationAttempts-- > 0) {
-            try {
-                $refreshToken = $this->refreshTokenEntityFactory->fromData(
-                    $this->generateUniqueIdentifier(),
-                    (new DateTimeImmutable())->add($this->refreshTokenTTL),
-                    $accessToken,
-                    $authCodeId,
-                );
-                $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
-                return $refreshToken;
-            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
-                if ($maxGenerationAttempts === 0) {
-                    throw $e;
-                }
-            }
-        }
-
-        $this->logger->error('Unable to issue refresh token.', [
-            'accessTokenId' => $accessToken->getIdentifier(),
-            'authCodeId' => $authCodeId,
-        ]);
-
-        return null;
+        return $this->refreshTokenIssuer->issue(
+            $accessToken,
+            $this->refreshTokenTTL,
+            $authCodeId,
+            self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS,
+        );
     }
 }
diff --git a/src/Server/Grants/RefreshTokenGrant.php b/src/Server/Grants/RefreshTokenGrant.php
@@ -5,13 +5,17 @@
 namespace SimpleSAML\Module\oidc\Server\Grants;
 
 use Exception;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface as OAuth2AccessTokenEntityInterface;
 use League\OAuth2\Server\Grant\RefreshTokenGrant as OAuth2RefreshTokenGrant;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\RequestEvent;
 use Psr\Http\Message\ServerRequestInterface;
+use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
+use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Server\Grants\Traits\IssueAccessTokenTrait;
+use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
 
 use function is_null;
 use function json_decode;
@@ -48,6 +52,7 @@ class RefreshTokenGrant extends OAuth2RefreshTokenGrant
     public function __construct(
         RefreshTokenRepositoryInterface $refreshTokenRepository,
         AccessTokenEntityFactory $accessTokenEntityFactory,
+        protected readonly RefreshTokenIssuer $refreshTokenIssuer,
     ) {
         parent::__construct($refreshTokenRepository);
         $this->accessTokenEntityFactory = $accessTokenEntityFactory;
@@ -95,4 +100,20 @@ protected function validateOldRefreshToken(ServerRequestInterface $request, $cli
 
         return $refreshTokenData;
     }
+
+    protected function issueRefreshToken(
+        OAuth2AccessTokenEntityInterface $accessToken,
+        string $authCodeId = null,
+    ): ?RefreshTokenEntityInterface {
+        if (! is_a($accessToken, AccessTokenEntityInterface::class)) {
+            throw OidcServerException::serverError('Unexpected access token entity type.');
+        }
+
+        return $this->refreshTokenIssuer->issue(
+            $accessToken,
+            $this->refreshTokenTTL,
+            $authCodeId,
+            self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS,
+        );
+    }
 }
diff --git a/src/Server/TokenIssuers/AbstractTokenIssuer.php b/src/Server/TokenIssuers/AbstractTokenIssuer.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Server\TokenIssuers;
+
+use SimpleSAML\Module\oidc\Helpers;
+
+abstract class AbstractTokenIssuer
+{
+    public const MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS = 5;
+
+    public function __construct(
+        protected readonly Helpers $helpers,
+    ) {
+    }
+}
diff --git a/src/Server/TokenIssuers/RefreshTokenIssuer.php b/src/Server/TokenIssuers/RefreshTokenIssuer.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Server\TokenIssuers;
+
+use DateInterval;
+use DateTimeImmutable;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface as Oauth2TokenEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
+use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
+use SimpleSAML\Module\oidc\Factories\Entities\RefreshTokenEntityFactory;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+
+class RefreshTokenIssuer extends AbstractTokenIssuer
+{
+    public function __construct(
+        Helpers $helpers,
+        protected readonly RefreshTokenRepository $refreshTokenRepository,
+        protected readonly RefreshTokenEntityFactory $refreshTokenEntityFactory,
+        protected readonly LoggerService $logger,
+    ) {
+        parent::__construct($helpers);
+    }
+
+    /**
+     * @throws \League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function issue(
+        Oauth2TokenEntityInterface $accessToken,
+        DateInterval $refreshTokenTtl,
+        string $authCodeId = null,
+        int $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS,
+    ): ?RefreshTokenEntityInterface {
+        if (! is_a($accessToken, AccessTokenEntityInterface::class)) {
+            throw OidcServerException::serverError('Unexpected access token entity type.');
+        }
+
+        while ($maxGenerationAttempts-- > 0) {
+            try {
+                $refreshToken = $this->refreshTokenEntityFactory->fromData(
+                    $this->helpers->random()->getIdentifier(),
+                    (new DateTimeImmutable())->add($refreshTokenTtl),
+                    $accessToken,
+                    $authCodeId,
+                );
+                $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
+                return $refreshToken;
+            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
+                if ($maxGenerationAttempts === 0) {
+                    $this->logger->error('Maximum generation attempts reached.', [
+                        'maxGenerationAttempts' => $maxGenerationAttempts,
+                        'accessTokenId' => $accessToken->getIdentifier(),
+                        'authCodeId' => $authCodeId,
+                    ]);
+                    throw $e;
+                }
+            }
+        }
+
+        $this->logger->error('Unable to issue refresh token.', [
+            'accessTokenId' => $accessToken->getIdentifier(),
+            'authCodeId' => $authCodeId,
+        ]);
+
+        return null;
+    }
+}
diff --git a/src/Services/Container.php b/src/Services/Container.php
@@ -93,6 +93,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\IdTokenResponse;
+use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
 use SimpleSAML\Module\oidc\Server\Validators\BearerTokenValidator;
 use SimpleSAML\Module\oidc\Stores\Session\LogoutTicketStoreBuilder;
 use SimpleSAML\Module\oidc\Stores\Session\LogoutTicketStoreDb;
@@ -354,6 +355,14 @@ public function __construct()
 
         $this->services[Helpers::class] = $helpers;
 
+        $refreshTokenIssuer = new RefreshTokenIssuer(
+            $helpers,
+            $refreshTokenRepository,
+            $refreshTokenEntityFactory,
+            $loggerService,
+        );
+        $this->services[RefreshTokenIssuer::class] = $refreshTokenIssuer;
+
         $authCodeGrantFactory = new AuthCodeGrantFactory(
             $moduleConfig,
             $authCodeRepository,
@@ -363,8 +372,7 @@ public function __construct()
             $requestParamsResolver,
             $accessTokenEntityFactory,
             $authCodeEntityFactory,
-            $refreshTokenEntityFactory,
-            $loggerService,
+            $refreshTokenIssuer,
         );
         $this->services[AuthCodeGrant::class] = $authCodeGrantFactory->build();
 
@@ -385,6 +393,7 @@ public function __construct()
             $moduleConfig,
             $refreshTokenRepository,
             $accessTokenEntityFactory,
+            $refreshTokenIssuer,
         );
         $this->services[RefreshTokenGrant::class] = $refreshTokenGrantFactory->build();
 
diff --git a/src/Utils/UniqueIdentifierGenerator.php b/src/Utils/UniqueIdentifierGenerator.php
@@ -7,6 +7,9 @@
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use Throwable;
 
+/**
+ * TODO mivanci Move to Helpers\Random
+ */
 class UniqueIdentifierGenerator
 {
     /**
diff --git a/tests/unit/src/Server/Grants/AuthCodeGrantTest.php b/tests/unit/src/Server/Grants/AuthCodeGrantTest.php

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`use SimpleSAML\Module\oidc\Helpers\Client;`
`9`	`9`	`use SimpleSAML\Module\oidc\Helpers\DateTime;`
`10`	`10`	`use SimpleSAML\Module\oidc\Helpers\Http;`
	`11`	`+use SimpleSAML\Module\oidc\Helpers\Random;`
`11`	`12`	`use SimpleSAML\Module\oidc\Helpers\Str;`
`12`	`13`
`13`	`14`	`class Helpers`
`@@ -17,6 +18,7 @@ class Helpers`
`17`	`18`	`protected static ?DateTime $dateTIme = null;`
`18`	`19`	`protected static ?Str $str = null;`
`19`	`20`	`protected static ?Arr $arr = null;`
	`21`	`+ protected static ?Random $random = null;`
`20`	`22`
`21`	`23`	`public function http(): Http`
`22`	`24`	`{`
`@@ -44,4 +46,9 @@ public function arr(): Arr`
`44`	`46`	`{`
`45`	`47`	`return static::$arr ??= new Arr();`
`46`	`48`	`}`
	`49`	`+`
	`50`	`+ public function random(): Random`
	`51`	`+ {`
	`52`	`+ return static::$random ??= new Random();`
	`53`	`+ }`
`47`	`54`	`}`