Add coverage

Author: cicnavi

UPGRADE.md

@@ -12,7 +12,11 @@
 # Version 5 to 6
 
 ## New features
-
+- Caching support for OIDC protocol artifacts like Access Tokens, Authorization Codes, Refresh Tokens, but also
+  client and user data. The cache layer stands in front of the database store, so it can improve performance, especially 
+  in cases of sudden surge of users trying to authenticate. Implementation is based on Symfony Cache component, so any 
+  compatible Symfony cache adapter can be used. Check the module config file for more information on how to set the
+  protocol cache. 
 - OpenID capabilities
   - New federation endpoints:
     - endpoint for issuing configuration entity statement (statement about itself)
@@ -40,7 +44,7 @@ https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
 
 - (optional) Issuer - you can now override the issuer (OP identifier). If not set, it falls back to current scheme, host
 and optionally a port (as in all previous module versions).
-- protocol caching adapter and its arguments
+- (optional) Protocol caching adapter and its arguments
 - (optional) OpenID Federation related options (needed if federation capabilities are to be used):
   - enabled or disabled federation capabilities
   - valid trust anchors

src/Helpers/Client.php

@@ -30,7 +30,7 @@ public function getFromRequest(
         $clientId = empty($params['client_id']) ? null : (string)$params['client_id'];
 
         if (!is_string($clientId)) {
-            throw new BadRequest('Client id is missing.');
+            throw new BadRequest('Client ID is missing.');
         }
 
         $client = $clientRepository->findById($clientId);

src/Helpers/Random.php

@@ -20,8 +20,10 @@ public function getIdentifier(int $length = 40): string
 
         try {
             return bin2hex(random_bytes($length));
+            // @codeCoverageIgnoreStart
         } catch (Throwable $e) {
             throw OidcServerException::serverError('Could not generate a random string', $e);
         }
+        // @codeCoverageIgnoreEnd
     }
 }

src/Repositories/ClientRepository.php

@@ -119,9 +119,11 @@ public function findById(string $clientIdentifier, ?string $owner = null): ?Clie
 
         $row = current($rows);
 
+        // @codeCoverageIgnoreStart
         if (!is_array($row)) {
             return null;
         }
+        // @codeCoverageIgnoreEnd
 
         $clientEntity = $this->clientEntityFactory->fromState($row);
 
@@ -171,9 +173,11 @@ public function findByEntityIdentifier(string $entityIdentifier, ?string $owner
 
         $row = current($rows);
 
+        // @codeCoverageIgnoreStart
         if (!is_array($row)) {
             return null;
         }
+        // @codeCoverageIgnoreEnd
 
         $clientEntity = $this->clientEntityFactory->fromState($row);
 

tests/config/module_oidc.php

@@ -23,8 +23,6 @@
     ModuleConfig::OPTION_TOKEN_REFRESH_TOKEN_TTL => 'P1M',
     ModuleConfig::OPTION_TOKEN_ACCESS_TOKEN_TTL => 'PT1H',
 
-    ModuleConfig::OPTION_CRON_TAG => 'hourly',
-
     ModuleConfig::OPTION_TOKEN_SIGNER => Sha256::class,
 
     ModuleConfig::OPTION_AUTH_SOURCE => 'default-sp',
@@ -44,15 +42,70 @@
 
     ModuleConfig::OPTION_AUTH_FORCED_ACR_VALUE_FOR_COOKIE_AUTHENTICATION => null,
 
-    ModuleConfig::OPTION_FEDERATION_TOKEN_SIGNER => Sha256::class,
+    ModuleConfig::OPTION_AUTH_PROCESSING_FILTERS => [
+    ],
+
+    ModuleConfig::OPTION_PROTOCOL_CACHE_ADAPTER => \Symfony\Component\Cache\Adapter\ArrayAdapter::class,
+    ModuleConfig::OPTION_PROTOCOL_CACHE_ADAPTER_ARGUMENTS => [],
+    ModuleConfig::OPTION_PROTOCOL_USER_ENTITY_CACHE_DURATION => null,
+    ModuleConfig::OPTION_PROTOCOL_CLIENT_ENTITY_CACHE_DURATION => 'PT10M',
+
+    ModuleConfig::OPTION_CRON_TAG => 'hourly',
+
+    ModuleConfig::OPTION_ADMIN_UI_PERMISSIONS => [
+        'attribute' => 'eduPersonEntitlement',
+        'client' => ['urn:example:oidc:manage:client'],
+    ],
+
+    ModuleConfig::OPTION_ADMIN_UI_PAGINATION_ITEMS_PER_PAGE => 20,
+
+    ModuleConfig::OPTION_FEDERATION_ENABLED => false,
+
+    ModuleConfig::OPTION_FEDERATION_TRUST_ANCHORS => [
+        // phpcs:ignore
+        'https://ta.example.org/' => '{"keys":[{"kty": "RSA","alg": "RS256","use": "sig","kid": "Nzb...9Xs","e": "AQAB","n": "pnXB...ub9J"}]}',
+        'https://ta2.example.org/' => null,
+    ],
+
+    ModuleConfig::OPTION_FEDERATION_AUTHORITY_HINTS => [
+        'https://intermediate.example.org/',
+    ],
+
+    ModuleConfig::OPTION_FEDERATION_TRUST_MARK_TOKENS => [
+        'eyJ...GHg',
+    ],
+
+    ModuleConfig::OPTION_FEDERATION_PARTICIPATION_LIMIT_BY_TRUST_MARKS => [
+        // We are limiting federation participation using Trust Marks for 'https://ta.example.org/'.
+        'https://ta.example.org/' => [
+            // Entities must have (at least) one Trust Mark from the list below.
+            \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::OneOf->value => [
+                'trust-mark-id',
+                'trust-mark-id-2',
+            ],
+            // Entities must have all Trust Marks from the list below.
+            \SimpleSAML\Module\oidc\Codebooks\LimitsEnum::AllOf->value => [
+                'trust-mark-id-3',
+                'trust-mark-id-4',
+            ],
+        ],
+    ],
+
+    ModuleConfig::OPTION_FEDERATION_CACHE_ADAPTER => \Symfony\Component\Cache\Adapter\ArrayAdapter::class,
+    ModuleConfig::OPTION_FEDERATION_CACHE_ADAPTER_ARGUMENTS => [],
+    ModuleConfig::OPTION_FEDERATION_ENTITY_STATEMENT_DURATION => 'P1D',
+    ModuleConfig::OPTION_FEDERATION_CACHE_DURATION_FOR_PRODUCED => 'PT2M',
+
+    ModuleConfig::OPTION_FEDERATION_CACHE_MAX_DURATION_FOR_FETCHED => 'PT6H',
+
     ModuleConfig::OPTION_PKI_FEDERATION_PRIVATE_KEY_FILENAME =>
         ModuleConfig::DEFAULT_PKI_FEDERATION_PRIVATE_KEY_FILENAME,
     ModuleConfig::OPTION_PKI_FEDERATION_PRIVATE_KEY_PASSPHRASE => 'abc123',
     ModuleConfig::OPTION_PKI_FEDERATION_CERTIFICATE_FILENAME =>
         ModuleConfig::DEFAULT_PKI_FEDERATION_CERTIFICATE_FILENAME,
-    ModuleConfig::OPTION_FEDERATION_AUTHORITY_HINTS => [
-        'abc123',
-    ],
+
+    ModuleConfig::OPTION_FEDERATION_TOKEN_SIGNER => Sha256::class,
+
     ModuleConfig::OPTION_ORGANIZATION_NAME => 'Foo corp',
     ModuleConfig::OPTION_CONTACTS => [
         'John Doe [email protected]',

tests/unit/src/Helpers/ArrTest.php

@@ -16,6 +16,14 @@ protected function sut(): Arr
         return new Arr();
     }
 
+    public function testEnsureStringValues(): void
+    {
+        $this->assertSame(
+            ['1', '2'],
+            $this->sut()->ensureStringValues([1, 2]),
+        );
+    }
+
     public function testIsValueOneOf(): void
     {
         $this->assertTrue($this->sut()->isValueOneOf('a', ['a']));

tests/unit/src/Helpers/ClientTest.php

@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\oidc\unit\Helpers;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ServerRequestInterface;
+use SimpleSAML\Error\BadRequest;
+use SimpleSAML\Error\NotFound;
+use SimpleSAML\Module\oidc\Entities\ClientEntity;
+use SimpleSAML\Module\oidc\Helpers\Client;
+use SimpleSAML\Module\oidc\Helpers\Http;
+use SimpleSAML\Module\oidc\Repositories\ClientRepository;
+
+#[CoversClass(Client::class)]
+class ClientTest extends TestCase
+{
+    protected MockObject $httpMock;
+    protected MockObject $requestMock;
+    protected MockObject $clientRepositoryMock;
+    protected MockObject $clientEntityMock;
+
+    protected function sut(
+        ?Http $http = null,
+    ): Client {
+        $http ??= $this->httpMock;
+
+        return new Client($http);
+    }
+
+    protected function setUp(): void
+    {
+        $this->httpMock = $this->createMock(Http::class);
+        $this->requestMock = $this->createMock(ServerRequestInterface::class);
+        $this->clientRepositoryMock = $this->createMock(ClientRepository::class);
+        $this->clientEntityMock = $this->createMock(ClientEntity::class);
+    }
+
+    public function testCanGetFromRequest(): void
+    {
+        $this->httpMock->expects($this->once())->method('getAllRequestParams')
+            ->willReturn(['client_id' => 'clientId']);
+
+        $this->clientRepositoryMock->expects($this->once())->method('findById')
+            ->with('clientId')
+            ->willReturn($this->clientEntityMock);
+
+        $this->assertInstanceOf(
+            ClientEntity::class,
+            $this->sut()->getFromRequest($this->requestMock, $this->clientRepositoryMock),
+        );
+    }
+
+    public function testGetFromRequestThrowsIfNoClientId(): void
+    {
+        $this->expectException(BadRequest::class);
+        $this->expectExceptionMessage('Client ID');
+
+        $this->sut()->getFromRequest($this->requestMock, $this->clientRepositoryMock);
+    }
+
+    public function testGetFromRequestThrowsIfClientNotFound(): void
+    {
+        $this->expectException(NotFound::class);
+        $this->expectExceptionMessage('Client not found');
+
+        $this->httpMock->expects($this->once())->method('getAllRequestParams')
+            ->willReturn(['client_id' => 'clientId']);
+        $this->clientRepositoryMock->expects($this->once())->method('findById')
+            ->with('clientId')
+            ->willReturn(null);
+
+        $this->sut()->getFromRequest($this->requestMock, $this->clientRepositoryMock);
+    }
+}

tests/unit/src/Helpers/DateTimeTest.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\oidc\unit\Helpers;
+
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Module\oidc\Helpers\DateTime;
+
+#[CoversClass(DateTime::class)]
+class DateTimeTest extends TestCase
+{
+    protected function sut(): DateTime
+    {
+        return new DateTime();
+    }
+
+    public function testCanGetUtc(): void
+    {
+        $this->assertInstanceOf(\DateTimeImmutable::class, $this->sut()->getUtc());
+        $this->assertSame(
+            'UTC',
+            $this->sut()->getUtc()->getTimezone()->getName(),
+        );
+    }
+
+    public function testCanGetFromTimestamp(): void
+    {
+        $timestamp = (new DateTimeImmutable())->getTimestamp();
+
+        $this->assertSame(
+            $timestamp,
+            $this->sut()->getFromTimestamp($timestamp)->getTimestamp(),
+        );
+    }
+
+    public function testCanGetSecondsToExpirationTime(): void
+    {
+        $expirationTime = (new DateTimeImmutable())->getTimestamp() + 60;
+
+        $this->assertSame(
+            60,
+            $this->sut()->getSecondsToExpirationTime($expirationTime),
+        );
+    }
+}

tests/unit/src/Helpers/HttpTest.php

@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\oidc\unit\Helpers;
+
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ServerRequestInterface;
+use SimpleSAML\Module\oidc\Helpers\Http;
+use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
+
+class HttpTest extends TestCase
+{
+    protected MockObject $serverRequestMock;
+
+    protected function setUp(): void
+    {
+        $this->serverRequestMock = $this->createMock(ServerRequestInterface::class);
+    }
+
+    protected function sut(): Http
+    {
+        return new Http();
+    }
+
+    public function testCanGetAllRequestParams(): void
+    {
+        $this->serverRequestMock->expects($this->once())->method('getQueryParams')
+            ->willReturn(['a' => 'b']);
+
+        $this->serverRequestMock->expects($this->once())->method('getParsedBody')
+            ->willReturn(['c' => 'd']);
+
+        $this->assertSame(
+            ['a' => 'b', 'c' => 'd'],
+            $this->sut()->getAllRequestParams($this->serverRequestMock),
+        );
+    }
+
+    public function testCanGetAllRequestParamsBasedOnAllowedMethodsForGet(): void
+    {
+        $this->serverRequestMock->expects($this->once())->method('getMethod')
+            ->willReturn(HttpMethodsEnum::GET->value);
+
+        $this->serverRequestMock->expects($this->once())->method('getQueryParams')
+            ->willReturn(['a' => 'b']);
+
+        $this->assertSame(
+            ['a' => 'b'],
+            $this->sut()->getAllRequestParamsBasedOnAllowedMethods(
+                $this->serverRequestMock,
+                [HttpMethodsEnum::GET, HttpMethodsEnum::POST],
+            ),
+        );
+    }
+
+    public function testCanGetAllRequestParamsBasedOnAllowedMethodsForPost(): void
+    {
+        $this->serverRequestMock->expects($this->once())->method('getMethod')
+            ->willReturn(HttpMethodsEnum::POST->value);
+
+        $this->serverRequestMock->expects($this->once())->method('getParsedBody')
+            ->willReturn(['c' => 'd']);
+
+        $this->assertSame(
+            ['c' => 'd'],
+            $this->sut()->getAllRequestParamsBasedOnAllowedMethods(
+                $this->serverRequestMock,
+                [HttpMethodsEnum::GET, HttpMethodsEnum::POST],
+            ),
+        );
+    }
+
+    public function testGerAllRequestParamsBasedOnAllowedMethodsReturnsNullForNonAllowedMethod(): void
+    {
+        $this->serverRequestMock->expects($this->once())->method('getMethod')
+            ->willReturn(HttpMethodsEnum::POST->value);
+
+        $this->assertNull(
+            $this->sut()->getAllRequestParamsBasedOnAllowedMethods(
+                $this->serverRequestMock,
+                [HttpMethodsEnum::GET],
+            ),
+        );
+    }
+}