Merge branch 'develop'

Author: Xerkus

.travis.yml

@@ -1,5 +1,3 @@
-sudo: false
-
 language: php
 
 cache:
@@ -54,6 +52,15 @@ matrix:
     - php: 7.2
       env:
         - DEPS=latest
+    - php: 7.3
+      env:
+        - DEPS=lowest
+    - php: 7.3
+      env:
+        - DEPS=locked
+    - php: 7.3
+      env:
+        - DEPS=latest
 
 before_install:
   - if [[ $TEST_COVERAGE != 'true' ]]; then phpenv config-rm xdebug.ini || return 0 ; fi

CHANGELOG.md

@@ -2,6 +2,33 @@
 
 All notable changes to this project will be documented in this file, in reverse chronological order by release.
 
+## 2.7.0 - TBD
+
+### Added
+
+- [#44](https://github.com/zendframework/zend-authentication/pull/44) adds support for PHP 7.3.
+- [#47](https://github.com/zendframework/zend-authentication/pull/47) adds
+  configuration option to `Zend\Authentication\Validator\Authentication` for
+  mapping custom authentication result codes to existing and new validation
+  message types.
+
+### Changed
+
+- [#42](https://github.com/zendframework/zend-authentication/pull/42) Changes authentication using Basic scheme
+  to re-challenge the client when credentials in Authorization header can not be base64 decoded.
+
+### Deprecated
+
+- Nothing.
+
+### Removed
+
+- [#44](https://github.com/zendframework/zend-authentication/pull/44) removes support for zend-stdlib v2 releases.
+
+### Fixed
+
+- Nothing.
+
 ## 2.6.1 - TBD
 
 ### Added

composer.json

@@ -17,7 +17,7 @@
     },
     "require": {
         "php": "^5.6 || ^7.0",
-        "zendframework/zend-stdlib": "^2.7.7 || ^3.1"
+        "zendframework/zend-stdlib": "^3.2.1"
     },
     "require-dev": {
         "phpunit/phpunit": "^5.7.27 || ^6.5.8 || ^7.1.2",

composer.lock

@@ -13,6 +13,7 @@ The available configuration options include:
 - `identity`: the identity or name of the identity field in the provided context.
 - `credential`: credential or the name of the credential field in the provided context.
 - `service`: an instance of `Zend\Authentication\AuthenticationService`.
+- `code_map`: map of `Zend\Authentication\Result` codes to validator message identifiers.
 
 ## Usage
 
@@ -33,3 +34,65 @@ $validator->isValid('myIdentity', [
      'myCredentialContext' => 'myCredential',
 ]);
 ```
+
+## Validation messages
+
+The authentication validator defines five failure message types; identifiers
+for them are available as constants for convenience.
+Common authentication failure codes, defined as constants in
+`Zend\Authentication\Result`, are mapped to validation messages
+using a map in `CODE_MAP` constant. Other authentication codes default to the
+`general` message type.
+
+```php
+namespace Zend\Authentication\Validator;
+
+use Zend\Authentication\Result;
+
+class Authentication
+{
+    const IDENTITY_NOT_FOUND = 'identityNotFound';
+    const IDENTITY_AMBIGUOUS = 'identityAmbiguous';
+    const CREDENTIAL_INVALID = 'credentialInvalid';
+    const UNCATEGORIZED      = 'uncategorized';
+    const GENERAL            = 'general';
+
+    const CODE_MAP = [
+        Result::FAILURE_IDENTITY_NOT_FOUND => self::IDENTITY_NOT_FOUND,
+        Result::FAILURE_CREDENTIAL_INVALID => self::CREDENTIAL_INVALID,
+        Result::FAILURE_IDENTITY_AMBIGUOUS => self::IDENTITY_AMBIGUOUS,
+        Result::FAILURE_UNCATEGORIZED      => self::UNCATEGORIZED,
+    ];
+}
+```
+
+The authentication validator extends `Zend\Validator\AbstractValidator`, providing
+a way common for all framework validators to access, change or translate message templates.  
+More information is available in the
+[zend-validator documentation](https://docs.zendframework.com/zend-validator/messages/)
+
+## Configure validation messages for custom authentication result codes
+
+The constructor configuration option `code_map` allows mapping custom codes
+from `Zend\Authentication\Result` to validation message identifiers.  
+`code_map` is an array of integer code => string message identifier pairs
+
+A new custom message identifier can be specified in `code_map` which will then
+be registered as a new message type with the template value set to the `general` message.
+Once registered, the message template for the new identifier can be changed
+as described in the [zend-validator documentation](https://docs.zendframework.com/zend-validator/messages/).
+
+```php
+use Zend\Authentication\Validator\Authentication as AuthenticationValidator;
+
+$validator = new AuthenticationValidator([
+    'code_map' => [
+        // map custom result code to existing message
+        -990 => AuthenticationValidator::IDENTITY_NOT_FOUND,
+        // map custom result code to a new message type
+        -991 => 'custom_failure_identifier',
+    ],
+]);
+
+$validator->setMessage('Custom Error Happened', 'custom_failure_identifier');
+```

docs/book/validator.md

@@ -348,7 +348,7 @@ protected function authenticateQuerySelect(Sql\Select $dbSelect)
      */
     protected function authenticateValidateResultSet(array $resultIdentities)
     {
-        if (count($resultIdentities) < 1) {
+        if (! $resultIdentities) {
             $this->authenticateResultInfo['code']       = AuthenticationResult::FAILURE_IDENTITY_NOT_FOUND;
             $this->authenticateResultInfo['messages'][] = 'A record with the supplied identity could not be found.';
             return $this->authenticateCreateAuthResult();

src/Adapter/DbTable/AbstractAdapter.php

@@ -162,7 +162,6 @@ public function authenticate()
         }
 
         $id       = "$this->identity:$this->realm";
-        $idLength = strlen($id);
 
         $result = [
             'code'  => AuthenticationResult::FAILURE,
@@ -178,7 +177,7 @@ public function authenticate()
             if (empty($line)) {
                 break;
             }
-            if (substr($line, 0, $idLength) === $id) {
+            if (0 === strpos($line, $id)) {
                 if (CryptUtils::compareStrings(
                     substr($line, -32),
                     md5("$this->identity:$this->realm:$this->credential")

src/Adapter/Digest.php

@@ -484,7 +484,7 @@ protected function _basicAuth($header)
         $auth = substr($header, strlen('Basic '));
         $auth = base64_decode($auth);
         if (! $auth) {
-            throw new Exception\RuntimeException('Unable to base64_decode Authorization header value');
+            return $this->challengeClient();
         }
 
         // See ZF-1253. Validate the credentials the same way the digest

src/Adapter/Http.php

@@ -1,7 +1,7 @@
 <?php
 /**
  * @see       https://github.com/zendframework/zend-authentication for the canonical source repository
- * @copyright Copyright (c) 2013-2018 Zend Technologies USA Inc. (https://www.zend.com)
+ * @copyright Copyright (c) 2013-2019 Zend Technologies USA Inc. (https://www.zend.com)
  * @license   https://github.com/zendframework/zend-authentication/blob/master/LICENSE.md New BSD License
  */
 
@@ -15,6 +15,9 @@
 use Zend\Stdlib\ArrayUtils;
 use Zend\Validator\AbstractValidator;
 
+use function is_array;
+use function is_string;
+
 /**
  * Authentication Validator
  */
@@ -41,6 +44,12 @@ class Authentication extends AbstractValidator
         Result::FAILURE_UNCATEGORIZED      => self::UNCATEGORIZED,
     ];
 
+    /**
+     * Authentication\Result codes mapping configurable overrides
+     * @var string[]
+     */
+    protected $codeMap = [];
+
     /**
      * Error Messages
      * @var array
@@ -89,18 +98,31 @@ public function __construct($options = null)
         }
 
         if (is_array($options)) {
-            if (array_key_exists('adapter', $options)) {
+            if (isset($options['adapter'])) {
                 $this->setAdapter($options['adapter']);
             }
-            if (array_key_exists('identity', $options)) {
+            if (isset($options['identity'])) {
                 $this->setIdentity($options['identity']);
             }
-            if (array_key_exists('credential', $options)) {
+            if (isset($options['credential'])) {
                 $this->setCredential($options['credential']);
             }
-            if (array_key_exists('service', $options)) {
+            if (isset($options['service'])) {
                 $this->setService($options['service']);
             }
+            if (isset($options['code_map'])) {
+                foreach ($options['code_map'] as $code => $template) {
+                    if (empty($template) || ! is_string($template)) {
+                        throw new Exception\InvalidArgumentException(
+                            'Message key in code_map option must be a non-empty string'
+                        );
+                    }
+                    if (! isset($this->messageTemplates[$template])) {
+                        $this->messageTemplates[$template] = $this->messageTemplates[static::GENERAL];
+                    }
+                    $this->codeMap[(int) $code] = $template;
+                }
+            }
         }
         parent::__construct($options);
     }
@@ -244,15 +266,27 @@ public function isValid($value = null, $context = null)
             return true;
         }
 
-        $code = self::GENERAL;
-        if (array_key_exists($result->getCode(), self::CODE_MAP)) {
-            $code = self::CODE_MAP[$result->getCode()];
-        }
-        $this->error($code);
+        $messageKey = $this->mapResultCodeToMessageKey($result->getCode());
+        $this->error($messageKey);
 
         return false;
     }
 
+    /**
+     * @param int $code Authentication result code
+     * @return string Message key that should be used for the code
+     */
+    protected function mapResultCodeToMessageKey($code)
+    {
+        if (isset($this->codeMap[$code])) {
+            return $this->codeMap[$code];
+        }
+        if (array_key_exists($code, static::CODE_MAP)) {
+            return static::CODE_MAP[$code];
+        }
+        return self::GENERAL;
+    }
+
     /**
      * @return ValidatableAdapterInterface
      * @throws Exception\RuntimeException if no adapter present in

src/Validator/Authentication.php

@@ -215,6 +215,21 @@ public function testBasicAuthBadPassword()
         $this->_checkUnauthorized($data, $basic);
     }
 
+    public function testBasicAuthTokenIsNotBase64()
+    {
+        // Attempt Basic Authentication with a valid username, but invalid
+        // password
+
+        // The expected Basic Www-Authenticate header value
+        $basic = [
+            'type'   => 'Basic ',
+            'realm'  => 'realm="' . $this->_basicConfig['realm'] . '"',
+        ];
+
+        $data = $this->_doAuth('Basic', 'basic');
+        $this->_checkUnauthorized($data, $basic);
+    }
+
     public function testDigestAuthValidCreds()
     {
         // Attempt Digest Authentication with a valid username and password