Move to dedicated AccessTokenEntity Factory (#256)

* Add AccessTokenEntityFactory

---------

Co-authored-by: Marko Ivančić <[email protected]>

Author: cicnavi

routing/services/services.yml

@@ -70,6 +70,9 @@ services:
   SimpleSAML\Module\oidc\Factories\IdTokenResponseFactory:
     arguments:
       $privateKey: '@oidc.key.private'
+  SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory:
+    arguments:
+      $privateKey: '@oidc.key.private'
 
   SimpleSAML\Module\oidc\Server\Validators\BearerTokenValidator:
     arguments:

src/Entities/AccessTokenEntity.php

@@ -17,20 +17,19 @@
 namespace SimpleSAML\Module\oidc\Entities;
 
 use DateTimeImmutable;
+use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Token;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
 use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
 use PDO;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
-use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\EntityStringRepresentationInterface;
 use SimpleSAML\Module\oidc\Entities\Traits\AssociateWithAuthCodeTrait;
 use SimpleSAML\Module\oidc\Entities\Traits\RevokeTokenTrait;
-use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
-use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
 use Stringable;
 
 /**
@@ -57,86 +56,35 @@ class AccessTokenEntity implements AccessTokenEntityInterface, EntityStringRepre
     protected array $requestedClaims;
 
     /**
-     * Constructor.
-     */
-    private function __construct()
-    {
-    }
-
-    /**
-     * Create new Access Token from data.
-     *
      * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
      */
-    public static function fromData(
+    public function __construct(
+        string $id,
         OAuth2ClientEntityInterface $clientEntity,
         array $scopes,
+        DateTimeImmutable $expiryDateTime,
+        CryptKey $privateKey,
+        protected JsonWebTokenBuilderService $jsonWebTokenBuilderService,
         int|string $userIdentifier = null,
         string $authCodeId = null,
         array $requestedClaims = null,
-    ): self {
-        $accessToken = new self();
-
-        $accessToken->setClient($clientEntity);
-        $accessToken->setUserIdentifier($userIdentifier);
-        $accessToken->setAuthCodeId($authCodeId);
+        bool $isRevoked = false,
+        Configuration $jwtConfiguration = null,
+    ) {
+        $this->setIdentifier($id);
+        $this->setClient($clientEntity);
         foreach ($scopes as $scope) {
-            $accessToken->addScope($scope);
+            $this->addScope($scope);
         }
-        $accessToken->setRequestedClaims($requestedClaims ?? []);
-
-        return $accessToken;
-    }
-
-    /**
-     * @throws \Exception
-     * @throws \JsonException
-     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
-     */
-    public static function fromState(array $state): self
-    {
-        $accessToken = new self();
-
-        if (
-            !is_string($state['scopes']) ||
-            !is_string($state['id']) ||
-            !is_string($state['expires_at']) ||
-            !is_a($state['client'], ClientEntityInterface::class)
-        ) {
-            throw OidcServerException::serverError('Invalid Access Token Entity state');
-        }
-
-        $stateScopes = json_decode($state['scopes'], true, 512, JSON_THROW_ON_ERROR);
-        if (!is_array($stateScopes)) {
-            throw OidcServerException::serverError('Invalid Access Token Entity state: scopes');
+        $this->setExpiryDateTime($expiryDateTime);
+        $this->setPrivateKey($privateKey);
+        $this->setUserIdentifier($userIdentifier);
+        $this->setAuthCodeId($authCodeId);
+        $this->setRequestedClaims($requestedClaims ?? []);
+        if ($isRevoked) {
+            $this->revoke();
         }
-
-        /** @psalm-var string $scope */
-        $scopes = array_map(fn(string $scope) => ScopeEntity::fromData($scope), $stateScopes);
-
-        $accessToken->identifier = $state['id'];
-        $accessToken->scopes = $scopes;
-        // TODO mivanci move to new 'utcImmutable' method in TimestampGenerator.
-        $accessToken->expiryDateTime = DateTimeImmutable::createFromMutable(
-            TimestampGenerator::utc($state['expires_at']),
-        );
-        $accessToken->userIdentifier = empty($state['user_id']) ? null : (string)$state['user_id'];
-        $accessToken->client = $state['client'];
-        $accessToken->isRevoked = (bool) $state['is_revoked'];
-        $accessToken->authCodeId = empty($state['auth_code_id']) ? null : (string)$state['auth_code_id'];
-
-        $stateRequestedClaims = json_decode(
-            empty($state['requested_claims']) ? '[]' : (string)$state['requested_claims'],
-            true,
-            512,
-            JSON_THROW_ON_ERROR,
-        );
-        if (!is_array($stateRequestedClaims)) {
-            throw OidcServerException::serverError('Invalid Access Token Entity state: requested claims');
-        }
-        $accessToken->requestedClaims = $stateRequestedClaims;
-
-        return $accessToken;
+        $jwtConfiguration !== null ? $this->jwtConfiguration = $jwtConfiguration : $this->initJwtConfiguration();
     }
 
     /**
@@ -199,9 +147,8 @@ public function toString(): ?string
      */
     protected function convertToJWT(): Token
     {
-        $jwtBuilderService = new JsonWebTokenBuilderService();
         /** @psalm-suppress ArgumentTypeCoercion */
-        $jwtBuilder = $jwtBuilderService->getProtocolJwtBuilder()
+        $jwtBuilder = $this->jsonWebTokenBuilderService->getProtocolJwtBuilder()
             ->permittedFor($this->getClient()->getIdentifier())
             ->identifiedBy((string)$this->getIdentifier())
             ->issuedAt(new DateTimeImmutable())
@@ -210,6 +157,6 @@ protected function convertToJWT(): Token
             ->relatedTo((string) $this->getUserIdentifier())
             ->withClaim('scopes', $this->getScopes());
 
-        return $jwtBuilderService->getSignedProtocolJwt($jwtBuilder);
+        return $this->jsonWebTokenBuilderService->getSignedProtocolJwt($jwtBuilder);
     }
 }

src/Factories/Entities/AccessTokenEntityFactory.php

@@ -0,0 +1,104 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Factories\Entities;
+
+use DateTimeImmutable;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
+use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
+use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
+use SimpleSAML\Module\oidc\Entities\ScopeEntity;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
+
+class AccessTokenEntityFactory
+{
+    public function __construct(
+        protected readonly Helpers $helpers,
+        protected readonly CryptKey $privateKey,
+        protected readonly JsonWebTokenBuilderService $jsonWebTokenBuilderService,
+    ) {
+    }
+
+    /**
+     * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
+     */
+    public function fromData(
+        string $id,
+        OAuth2ClientEntityInterface $clientEntity,
+        array $scopes,
+        DateTimeImmutable $expiryDateTime,
+        int|string $userIdentifier = null,
+        string $authCodeId = null,
+        array $requestedClaims = null,
+        bool $isRevoked = false,
+    ): AccessTokenEntity {
+        return new AccessTokenEntity(
+            $id,
+            $clientEntity,
+            $scopes,
+            $expiryDateTime,
+            $this->privateKey,
+            $this->jsonWebTokenBuilderService,
+            $userIdentifier,
+            $authCodeId,
+            $requestedClaims,
+            $isRevoked,
+        );
+    }
+
+    /**
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     * @throws \JsonException
+     */
+    public function fromState(array $state): AccessTokenEntity
+    {
+        if (
+            !is_string($state['scopes']) ||
+            !is_string($state['id']) ||
+            !is_string($state['expires_at']) ||
+            !is_a($state['client'], ClientEntityInterface::class)
+        ) {
+            throw OidcServerException::serverError('Invalid Access Token Entity state');
+        }
+
+        $stateScopes = json_decode($state['scopes'], true, 512, JSON_THROW_ON_ERROR);
+        if (!is_array($stateScopes)) {
+            throw OidcServerException::serverError('Invalid Access Token Entity state: scopes');
+        }
+
+        /** @psalm-var string $scope */
+        $scopes = array_map(fn(string $scope) => ScopeEntity::fromData($scope), $stateScopes);
+
+        $id = $state['id'];
+        $expiryDateTime = $this->helpers->dateTime()->getUtc($state['expires_at']);
+        $userIdentifier = empty($state['user_id']) ? null : (string)$state['user_id'];
+        $client = $state['client'];
+        $isRevoked = (bool) $state['is_revoked'];
+        $authCodeId = empty($state['auth_code_id']) ? null : (string)$state['auth_code_id'];
+
+        $stateRequestedClaims = json_decode(
+            empty($state['requested_claims']) ? '[]' : (string)$state['requested_claims'],
+            true,
+            512,
+            JSON_THROW_ON_ERROR,
+        );
+        if (!is_array($stateRequestedClaims)) {
+            throw OidcServerException::serverError('Invalid Access Token Entity state: requested claims');
+        }
+
+        return $this->fromData(
+            $id,
+            $client,
+            $scopes,
+            $expiryDateTime,
+            $userIdentifier,
+            $authCodeId,
+            $stateRequestedClaims,
+            $isRevoked,
+        );
+    }
+}

src/Factories/Grant/AuthCodeGrantFactory.php

@@ -16,6 +16,7 @@
 
 namespace SimpleSAML\Module\oidc\Factories\Grant;
 
+use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
@@ -33,6 +34,7 @@ public function __construct(
         private readonly RefreshTokenRepository $refreshTokenRepository,
         private readonly RequestRulesManager $requestRulesManager,
         private readonly RequestParamsResolver $requestParamsResolver,
+        private readonly AccessTokenEntityFactory $accessTokenEntityFactory,
     ) {
     }
 
@@ -48,6 +50,7 @@ public function build(): AuthCodeGrant
             $this->moduleConfig->getAuthCodeDuration(),
             $this->requestRulesManager,
             $this->requestParamsResolver,
+            $this->accessTokenEntityFactory,
         );
         $authCodeGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 

src/Factories/Grant/ImplicitGrantFactory.php

@@ -15,6 +15,7 @@
  */
 namespace SimpleSAML\Module\oidc\Factories\Grant;
 
+use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Server\Grants\ImplicitGrant;
@@ -30,6 +31,7 @@ public function __construct(
         private readonly RequestRulesManager $requestRulesManager,
         private readonly AccessTokenRepository $accessTokenRepository,
         private readonly RequestParamsResolver $requestParamsResolver,
+        private readonly AccessTokenEntityFactory $accessTokenEntityFactory,
     ) {
     }
 
@@ -42,6 +44,7 @@ public function build(): ImplicitGrant
             $this->requestRulesManager,
             $this->requestParamsResolver,
             '#',
+            $this->accessTokenEntityFactory,
         );
     }
 }

src/Factories/Grant/RefreshTokenGrantFactory.php

@@ -15,6 +15,7 @@
  */
 namespace SimpleSAML\Module\oidc\Factories\Grant;
 
+use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
 use SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant;
@@ -24,12 +25,13 @@ class RefreshTokenGrantFactory
     public function __construct(
         private readonly ModuleConfig $moduleConfig,
         private readonly RefreshTokenRepository $refreshTokenRepository,
+        private readonly AccessTokenEntityFactory $accessTokenEntityFactory,
     ) {
     }
 
     public function build(): RefreshTokenGrant
     {
-        $refreshTokenGrant = new RefreshTokenGrant($this->refreshTokenRepository);
+        $refreshTokenGrant = new RefreshTokenGrant($this->refreshTokenRepository, $this->accessTokenEntityFactory);
         $refreshTokenGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 
         return $refreshTokenGrant;