Viel neues

2026-04-30 12:06:00 +02:00
parent 118809bfae
commit fce31ebcd7
1274 changed files with 181255 additions and 0 deletions
--- a/qa-tool/htdocs/vendor/jumbojett/openid-connect-php/tests/OpenIDConnectClientTest.php
+++ b/qa-tool/htdocs/vendor/jumbojett/openid-connect-php/tests/OpenIDConnectClientTest.php
@@ -0,0 +1,240 @@
+<?php
+
+use Jumbojett\OpenIDConnectClient;
+use Jumbojett\OpenIDConnectClientException;
+use PHPUnit\Framework\MockObject\MockObject;
+use Yoast\PHPUnitPolyfills\TestCases\TestCase;
+
+class OpenIDConnectClientTest extends TestCase
+{
+    /**
+     * @return void
+     */
+    public function testGetRedirectURL()
+    {
+        $client = new OpenIDConnectClient();
+
+        self::assertSame('http:///', $client->getRedirectURL());
+
+        $_SERVER['SERVER_NAME'] = 'domain.test';
+        $_SERVER['REQUEST_URI'] = '/path/index.php?foo=bar&baz#fragment';
+        self::assertSame('http://domain.test/path/index.php', $client->getRedirectURL());
+    }
+
+    public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce()
+    {
+        $fakeClaims = new StdClass();
+        $fakeClaims->iss = 'fake-issuer';
+        $fakeClaims->aud = 'fake-client-id';
+        $fakeClaims->nonce = null;
+
+        $_REQUEST['id_token'] = 'abc.123.xyz';
+        $_REQUEST['state'] = false;
+        $_SESSION['openid_connect_state'] = false;
+
+        /** @var OpenIDConnectClient | MockObject $client */
+        $client = $this->getMockBuilder(OpenIDConnectClient::class)->setMethods(['decodeJWT', 'getProviderConfigValue', 'verifyJWTSignature'])->getMock();
+        $client->method('decodeJWT')->willReturn($fakeClaims);
+        $client->method('getProviderConfigValue')->with('jwks_uri')->willReturn(true);
+        $client->method('verifyJWTSignature')->willReturn(true);
+
+        $client->setClientID('fake-client-id');
+        $client->setIssuer('fake-issuer');
+        $client->setIssuerValidator(function() {
+            return true;
+        });
+        $client->setAllowImplicitFlow(true);
+        $client->setProviderURL('https://jwt.io/');
+
+        try {
+            $authenticated = $client->authenticate();
+            $this->assertTrue($authenticated);
+        } catch ( OpenIDConnectClientException $e ) {
+            if ( $e->getMessage() === 'Unable to verify JWT claims' ) {
+                self::fail( 'OpenIDConnectClientException was thrown when it should not have been.' );
+            }
+        }
+    }
+
+    public function testSerialize()
+    {
+        $client = new OpenIDConnectClient('https://example.com', 'foo', 'bar', 'baz');
+        $serialized = serialize($client);
+        $this->assertInstanceOf(OpenIDConnectClient::class, unserialize($serialized));
+    }
+
+    /**
+     * @dataProvider provider
+     */
+    public function testAuthMethodSupport($expected, $authMethod, $clientAuthMethods, $idpAuthMethods)
+    {
+        $client = new OpenIDConnectClient();
+        if ($clientAuthMethods !== null) {
+            $client->setTokenEndpointAuthMethodsSupported($clientAuthMethods);
+        }
+        $this->assertEquals($expected, $client->supportsAuthMethod($authMethod, $idpAuthMethods));
+    }
+
+    public function provider(): array
+    {
+        return [
+            'client_secret_basic - default config' => [true, 'client_secret_basic', null, ['client_secret_basic']],
+
+            'client_secret_jwt - default config' => [false, 'client_secret_jwt', null, ['client_secret_basic', 'client_secret_jwt']],
+            'client_secret_jwt - explicitly enabled' => [true, 'client_secret_jwt', ['client_secret_jwt'], ['client_secret_basic', 'client_secret_jwt']],
+
+            'private_key_jwt - default config' => [false, 'private_key_jwt', null, ['client_secret_basic', 'client_secret_jwt', 'private_key_jwt']],
+            'private_key_jwt - explicitly enabled' => [true, 'private_key_jwt', ['private_key_jwt'], ['client_secret_basic', 'client_secret_jwt', 'private_key_jwt']],
+
+        ];
+    }
+
+    /**
+     * @covers       Jumbojett\\OpenIDConnectClient::verifyLogoutTokenClaims
+     * @dataProvider provideTestVerifyLogoutTokenClaimsData
+     * @throws OpenIDConnectClientException
+     */
+    public function testVerifyLogoutTokenClaims( $claims, $expectedResult )
+    {
+        /** @var OpenIDConnectClient | MockObject $client */
+        $client = $this->getMockBuilder(OpenIDConnectClient::class)->setMethods(['decodeJWT'])->getMock();
+
+        $client->setClientID('fake-client-id');
+        $client->setIssuer('fake-issuer');
+        $client->setIssuerValidator(function() {
+            return true;
+        });
+        $client->setProviderURL('https://jwt.io/');
+
+        $actualResult = $client->verifyLogoutTokenClaims( $claims );
+
+        $this->assertEquals( $expectedResult, $actualResult );
+    }
+
+    /**
+     * @return array
+     */
+    public function provideTestVerifyLogoutTokenClaimsData(): array
+    {
+        return [
+            'valid-single-aud' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => 'fake-client-id',
+                    'sid' => 'fake-client-sid',
+                    'sub' => 'fake-client-sub',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                ],
+                true
+            ],
+            'valid-multiple-auds' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'sub' => 'fake-client-sub',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                ],
+                true
+            ],
+            'invalid-no-sid-and-no-sub' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                ],
+                false
+            ],
+            'valid-no-sid' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sub' => 'fake-client-sub',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                ],
+                true
+            ],
+            'valid-no-sub' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                ],
+                true
+            ],
+            'invalid-with-nonce' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                    'nonce' => 'must-not-be-set'
+                ],
+                false
+            ],
+            'invalid-no-events' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'iat' => time(),
+                    'nonce' => 'must-not-be-set'
+                ],
+                false
+            ],
+            'invalid-no-backchannel-event' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'iat' => time(),
+                    'events' => (object) [],
+                    'nonce' => 'must-not-be-set'
+                ],
+                false
+            ],
+            'invalid-no-iat' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ]
+                ],
+                false
+            ],
+            'invalid-bad-iat' => [
+                (object)[
+                    'iss' => 'fake-issuer',
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sid' => 'fake-client-sid',
+                    'iat' => time() + 301,
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ]
+                ],
+                false
+            ],
+        ];
+    }
+}
--- a/qa-tool/htdocs/vendor/jumbojett/openid-connect-php/tests/TokenVerificationTest.php
+++ b/qa-tool/htdocs/vendor/jumbojett/openid-connect-php/tests/TokenVerificationTest.php
@@ -0,0 +1,35 @@
+<?php
+
+
+use Jumbojett\OpenIDConnectClient;
+use Jumbojett\OpenIDConnectClientException;
+use PHPUnit\Framework\MockObject\MockObject;
+use Yoast\PHPUnitPolyfills\TestCases\TestCase;
+
+class TokenVerificationTest extends TestCase
+{
+    /**
+     * @param $alg
+     * @param $jwt
+     * @throws OpenIDConnectClientException
+     * @dataProvider providesTokens
+     */
+    public function testTokenVerification($alg, $jwt)
+    {
+        /** @var OpenIDConnectClient | MockObject $client */
+        $client = $this->getMockBuilder(OpenIDConnectClient::class)->setMethods(['fetchUrl'])->getMock();
+        $client->method('fetchUrl')->willReturn(file_get_contents(__DIR__ . "/data/jwks-$alg.json"));
+        $client->setProviderURL('https://jwt.io/');
+        $client->providerConfigParam(['jwks_uri' => 'https://jwt.io/.well-known/jwks.json']);
+        $verified = $client->verifyJWTSignature($jwt);
+        self::assertTrue($verified);
+        $client->setAccessToken($jwt);
+    }
+
+    public function providesTokens(): array
+    {
+        return [
+            'PS256' => ['ps256', 'eyJhbGciOiJQUzI1NiIsImtpZCI6Imtvbm5lY3RkLXRva2Vucy1zaWduaW5nLWtleSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJrcG9wLWh0dHBzOi8va29wYW5vLmRlbW8vbWVldC8iLCJleHAiOjE1NjgzNzE0NjEsImp0aSI6IkpkR0tDbEdOTXl2VXJpcmlRRUlWUXZCVmttT2FfQkRjIiwiaWF0IjoxNTY4MzcxMjIxLCJpc3MiOiJodHRwczovL2tvcGFuby5kZW1vIiwic3ViIjoiUHpUVWp3NHBlXzctWE5rWlBILXJxVHE0MTQ1Z3lDdlRvQmk4V1E5bFBrcW5rbEc1aktvRU5LM21Qb0I1WGY1ZTM5dFRMR2RKWXBMNEJubXFnelpaX0FAa29ubmVjdCIsImtjLmlzQWNjZXNzVG9rZW4iOnRydWUsImtjLmF1dGhvcml6ZWRTY29wZXMiOlsicHJvZmlsZSIsImVtYWlsIiwia29wYW5vL2t3bSIsImtvcGFuby9nYyIsImtvcGFuby9rdnMiLCJvcGVuaWQiXSwia2MuYXV0aG9yaXplZENsYWltcyI6eyJpZF90b2tlbiI6eyJuYW1lIjpudWxsfX0sImtjLmlkZW50aXR5Ijp7ImtjLmkuZG4iOiJKb25hcyBCcmVra2UiLCJrYy5pLmlkIjoiQUFBQUFLd2hxVkJBMCs1SXN4bjdwMU13UkNVQkFBQUFCZ0FBQUJzQUFBQk5VVDA5QUFBQUFBPT0iLCJrYy5pLnVuIjoidXNlcjEiLCJrYy5pLnVzIjoiTVEifSwia2MucHJvdmlkZXIiOiJpZGVudGlmaWVyLWtjIn0.hGRuXvul2kOiALHexwYp5MBEJVwz1YV3ehyM3AOuwCoK2w5sJxdciqqY_TfXCKyO6nAEbYLK3J0CBOjfup_IG0aCZcwzjto8khYlc4ezXkGnFsbJBNQdDGkpHtWnioWx-OJ3cXvY9F8aOvjaq0gw11ZDAcqQl0g7LTbJ9-J_yx0pmy3NGai2JB30Fh1OgSDzYfxWnE0RRgZG-x68e65RXfSBaEGW85OUh4wihxO2zdTGAHJ3Iq_-QAG4yRbXZtLx3ZspG7LNmqG-YE3huy3Rd8u3xrJNhmUOfEnz3x07q7VW0cj9NedX98BAbj3iNvksQsE0oG0J_f_Tu8Ai8VbWB72sJuXZWxANDKdz0BBYLzXhsjXkNByRq9x3zqDVsX-cVHei_XudxEOVRBjhkvW2MmIjcAHNKCKsdar865-gFG9McP4PCcBlY28tC0Cvnzyi83LBfpGRXdl6MJunnUsKQ1C79iCoVI1doK1erFN959Q-TGJfJA3Tr5LNpuGawB5rpe1nDGWvmYhg3uYfNl8uTTyvNgvvejcflEb2DURuXdqABuSiP7RkDWYtzx6mq49G0tRxelBbvyjQ2id2QjmRRdQ6dHEZ2NCJ51b8OFoDJBtxN1CD62TTxa3FUqCdZAPAUR3hHn_69vYq82MR514s-Gb67A6j2PbMPFATQP2UdK8']
+        ];
+    }
+}
--- a/qa-tool/htdocs/vendor/jumbojett/openid-connect-php/tests/data/jwks-ps256.json
+++ b/qa-tool/htdocs/vendor/jumbojett/openid-connect-php/tests/data/jwks-ps256.json
@@ -0,0 +1,12 @@
+{
+  "keys": [
+    {
+      "kty": "RSA",
+      "use": "sig",
+      "kid": "konnectd-tokens-signing-key",
+      "n": "10hb3pFUVcqJcS-d1pLCkFTyTqVD1GavlAai582CoRwFcyIQxCPJz0LJVgkUNwxSRkY0g0PcgFN_MmuuzpFXMkkiMIC9O_KwnuL34FrbijZvcGpnDn7kb9KAM883OVTr_w3wFeQIyh0ksSwVQ9CxVQ-ZeCXP73CCGk99uDb8SeF8_vncXJmaak99pK6HKJteSLkA-Ywxo9HOINZK2vW06UYcSkeoQnSI27Cd5-T6GVgqKH0Su4c5Ydou_w0tL_UkbZA4fIbMZC6dtWmBQf6tyYsCM9fbWNIVOj_7WlWcAOSTFNF2We2dxJrOzt6vDND3k1nCgg_EEM6cgBO3swUCktTFuQxo1sryYX5WXz9wnJb38b9mTXhOeF0bd9y_VQq8erSlcyRu8UGzX65tIf534hLL16KQaHbjROGSQvzqFrISmSBjBTjkPedTZSYOhiVJ95-em_Y6uLi-T7V4bs4dcg3oa0H_glXltoC9JxzS6gfMGGLgh-NpGEOdC_QosyzVVfzT70TurOGnsB1_VcAm_fK-T1Zv_ztpr5OZNfXWXC3Pfq_3sxP5HDKMk8luZ7LOWk7HVSYBdCFmOM1A3KmHNS2fEs-QHIr-XjYQ7QrXsRFP3dmoEPfiYlu03m8Xs3UMB70eGeGQx7OhZSuogxV_oCfApV5EJfuz97tVmOg8iMs",
+      "e": "AQAB"
+    }
+  ],
+  "kty": ""
+}