. namespace core; use core\oauth2\access_token; use core\oauth2\api; use core\oauth2\endpoint; use core\oauth2\issuer; use core\oauth2\system_account; /** * Tests for oauth2 apis (\core\oauth2\*). * * @package core * @copyright 2017 Damyon Wiese * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later. * @coversDefaultClass \core\oauth2\api */ class oauth2_test extends \advanced_testcase { /** * Tests the crud operations on oauth2 issuers. */ public function test_create_and_delete_standard_issuers() { $this->resetAfterTest(); $this->setAdminUser(); api::create_standard_issuer('google'); api::create_standard_issuer('facebook'); api::create_standard_issuer('microsoft'); api::create_standard_issuer('nextcloud', 'https://dummy.local/nextcloud/'); $issuers = api::get_all_issuers(); $this->assertEquals($issuers[0]->get('name'), 'Google'); $this->assertEquals($issuers[1]->get('name'), 'Facebook'); $this->assertEquals($issuers[2]->get('name'), 'Microsoft'); $this->assertEquals($issuers[3]->get('name'), 'Nextcloud'); api::move_down_issuer($issuers[0]->get('id')); $issuers = api::get_all_issuers(); $this->assertEquals($issuers[0]->get('name'), 'Facebook'); $this->assertEquals($issuers[1]->get('name'), 'Google'); $this->assertEquals($issuers[2]->get('name'), 'Microsoft'); $this->assertEquals($issuers[3]->get('name'), 'Nextcloud'); api::delete_issuer($issuers[1]->get('id')); $issuers = api::get_all_issuers(); $this->assertEquals($issuers[0]->get('name'), 'Facebook'); $this->assertEquals($issuers[1]->get('name'), 'Microsoft'); $this->assertEquals($issuers[2]->get('name'), 'Nextcloud'); } /** * Tests the crud operations on oauth2 issuers. */ public function test_create_nextcloud_without_url() { $this->resetAfterTest(); $this->setAdminUser(); $this->expectException(\moodle_exception::class); api::create_standard_issuer('nextcloud'); } /** * Tests we can list and delete each of the persistents related to an issuer. */ public function test_getters() { $this->resetAfterTest(); $this->setAdminUser(); $issuer = api::create_standard_issuer('microsoft'); $same = api::get_issuer($issuer->get('id')); foreach ($same->properties_definition() as $name => $def) { $this->assertTrue($issuer->get($name) == $same->get($name)); } $endpoints = api::get_endpoints($issuer); $same = api::get_endpoint($endpoints[0]->get('id')); $this->assertEquals($endpoints[0]->get('id'), $same->get('id')); $this->assertEquals($endpoints[0]->get('name'), $same->get('name')); $todelete = $endpoints[0]; api::delete_endpoint($todelete->get('id')); $endpoints = api::get_endpoints($issuer); $this->assertNotEquals($endpoints[0]->get('id'), $todelete->get('id')); $userfields = api::get_user_field_mappings($issuer); $same = api::get_user_field_mapping($userfields[0]->get('id')); $this->assertEquals($userfields[0]->get('id'), $same->get('id')); $todelete = $userfields[0]; api::delete_user_field_mapping($todelete->get('id')); $userfields = api::get_user_field_mappings($issuer); $this->assertNotEquals($userfields[0]->get('id'), $todelete->get('id')); } /** * Data provider for \core_oauth2_testcase::test_get_system_oauth_client(). * * @return array */ public function system_oauth_client_provider() { return [ [ (object) [ 'access_token' => 'fdas...', 'token_type' => 'Bearer', 'expires_in' => '3600', 'id_token' => 'llfsd..', ], HOURSECS - 10 ], [ (object) [ 'access_token' => 'fdas...', 'token_type' => 'Bearer', 'id_token' => 'llfsd..', ], WEEKSECS ], ]; } /** * Tests we can get a logged in oauth client for a system account. * * @dataProvider system_oauth_client_provider * @param \stdClass $responsedata The response data to be mocked. * @param int $expiresin The expected expiration time. */ public function test_get_system_oauth_client($responsedata, $expiresin) { $this->resetAfterTest(); $this->setAdminUser(); $issuer = api::create_standard_issuer('microsoft'); $requiredscopes = api::get_system_scopes_for_issuer($issuer); // Fake a system account. $data = (object) [ 'issuerid' => $issuer->get('id'), 'refreshtoken' => 'abc', 'grantedscopes' => $requiredscopes, 'email' => 'sys@example.com', 'username' => 'sys' ]; $sys = new system_account(0, $data); $sys->create(); // Fake a response with an access token. $response = json_encode($responsedata); \curl::mock_response($response); $client = api::get_system_oauth_client($issuer); $this->assertTrue($client->is_logged_in()); // Check token expiry. $accesstoken = access_token::get_record(['issuerid' => $issuer->get('id')]); // Get the difference between the actual and expected expiry times. // They might differ by a couple of seconds depending on the timing when the token gets actually processed. $expiresdifference = time() + $expiresin - $accesstoken->get('expires'); // Assert that the actual token expiration is more or less the same as the expected. $this->assertGreaterThanOrEqual(0, $expiresdifference); $this->assertLessThanOrEqual(3, $expiresdifference); } /** * Tests we can enable and disable an issuer. */ public function test_enable_disable_issuer() { $this->resetAfterTest(); $this->setAdminUser(); $issuer = api::create_standard_issuer('microsoft'); $issuerid = $issuer->get('id'); api::enable_issuer($issuerid); $check = api::get_issuer($issuer->get('id')); $this->assertTrue((boolean)$check->get('enabled')); api::enable_issuer($issuerid); $check = api::get_issuer($issuer->get('id')); $this->assertTrue((boolean)$check->get('enabled')); api::disable_issuer($issuerid); $check = api::get_issuer($issuer->get('id')); $this->assertFalse((boolean)$check->get('enabled')); api::enable_issuer($issuerid); $check = api::get_issuer($issuer->get('id')); $this->assertTrue((boolean)$check->get('enabled')); } /** * Test the alloweddomains for an issuer. */ public function test_issuer_alloweddomains() { $this->resetAfterTest(); $this->setAdminUser(); $issuer = api::create_standard_issuer('microsoft'); $issuer->set('alloweddomains', ''); // Anything is allowed when domain is empty. $this->assertTrue($issuer->is_valid_login_domain('')); $this->assertTrue($issuer->is_valid_login_domain('a@b')); $this->assertTrue($issuer->is_valid_login_domain('longer.example@example.com')); $issuer->set('alloweddomains', 'example.com'); // One domain - must match exactly - no substrings etc. $this->assertFalse($issuer->is_valid_login_domain('')); $this->assertFalse($issuer->is_valid_login_domain('a@b')); $this->assertFalse($issuer->is_valid_login_domain('longer.example@example')); $this->assertTrue($issuer->is_valid_login_domain('longer.example@example.com')); $issuer->set('alloweddomains', 'example.com,example.net'); // Multiple domains - must match any exactly - no substrings etc. $this->assertFalse($issuer->is_valid_login_domain('')); $this->assertFalse($issuer->is_valid_login_domain('a@b')); $this->assertFalse($issuer->is_valid_login_domain('longer.example@example')); $this->assertFalse($issuer->is_valid_login_domain('invalid@email@example.net')); $this->assertTrue($issuer->is_valid_login_domain('longer.example@example.net')); $this->assertTrue($issuer->is_valid_login_domain('longer.example@example.com')); $issuer->set('alloweddomains', '*.example.com'); // Wildcard. $this->assertFalse($issuer->is_valid_login_domain('')); $this->assertFalse($issuer->is_valid_login_domain('a@b')); $this->assertFalse($issuer->is_valid_login_domain('longer.example@example')); $this->assertFalse($issuer->is_valid_login_domain('longer.example@example.com')); $this->assertTrue($issuer->is_valid_login_domain('longer.example@sub.example.com')); } /** * Test endpoints creation for issuers. * @dataProvider create_endpoints_for_standard_issuer_provider * * @covers ::create_endpoints_for_standard_issuer * * @param string $type Issuer type to create. * @param string|null $discoveryurl Expected discovery URL or null if this endpoint doesn't exist. * @param bool $hasmappingfields True if it's expected the issuer to create has mapping fields. * @param string|null $baseurl The service URL (mandatory parameter for some issuers, such as NextCloud or IMS OBv2.1). * @param string|null $expectedexception Name of the expected expection or null if no exception will be thrown. */ public function test_create_endpoints_for_standard_issuer(string $type, ?string $discoveryurl = null, bool $hasmappingfields = true, ?string $baseurl = null, ?string $expectedexception = null): void { $this->resetAfterTest(); // Mark test as long because it connects with external services. if (!PHPUNIT_LONGTEST) { $this->markTestSkipped('PHPUNIT_LONGTEST is not defined'); } $this->setAdminUser(); // Method create_endpoints_for_standard_issuer is called internally from create_standard_issuer. if ($expectedexception) { $this->expectException($expectedexception); } $issuer = api::create_standard_issuer($type, $baseurl); // Check endpoints have been created. $endpoints = api::get_endpoints($issuer); $this->assertNotEmpty($endpoints); $this->assertNotEmpty($issuer->get('image')); // Check discovery URL. if ($discoveryurl) { $this->assertStringContainsString($discoveryurl, $issuer->get_endpoint_url('discovery')); } else { $this->assertFalse($issuer->get_endpoint_url('discovery')); } // Check userfield mappings. $userfieldmappings =api::get_user_field_mappings($issuer); if ($hasmappingfields) { $this->assertNotEmpty($userfieldmappings); } else { $this->assertEmpty($userfieldmappings); } } /** * Data provider for test_create_endpoints_for_standard_issuer. * * @return array */ public function create_endpoints_for_standard_issuer_provider(): array { return [ 'Google' => [ 'type' => 'google', 'discoveryurl' => '.well-known/openid-configuration', ], 'Google will work too with a valid baseurl parameter' => [ 'type' => 'google', 'discoveryurl' => '.well-known/openid-configuration', 'hasmappingfields' => true, 'baseurl' => 'https://accounts.google.com/', ], 'IMS OBv2.1' => [ 'type' => 'imsobv2p1', 'discoveryurl' => '.well-known/badgeconnect.json', 'hasmappingfields' => false, 'baseurl' => 'https://dc.imsglobal.org/', ], 'IMS OBv2.1 without slash in baseurl should work too' => [ 'type' => 'imsobv2p1', 'discoveryurl' => '.well-known/badgeconnect.json', 'hasmappingfields' => false, 'baseurl' => 'https://dc.imsglobal.org', ], 'IMS OBv2.1 with empty baseurl should return an exception' => [ 'type' => 'imsobv2p1', 'discoveryurl' => null, 'hasmappingfields' => false, 'baseurl' => null, 'expectedexception' => \moodle_exception::class, ], 'Microsoft' => [ 'type' => 'microsoft', ], 'Facebook' => [ 'type' => 'facebook', ], 'NextCloud' => [ 'type' => 'nextcloud', 'discoveryurl' => null, 'hasmappingfields' => true, 'baseurl' => 'https://dummy.local/nextcloud/', ], 'NextCloud with empty baseurl should return an exception' => [ 'type' => 'nextcloud', 'discoveryurl' => null, 'hasmappingfields' => true, 'baseurl' => null, 'expectedexception' => \moodle_exception::class, ], 'Invalid type should return an exception' => [ 'type' => 'fictitious', 'discoveryurl' => null, 'hasmappingfields' => true, 'baseurl' => null, 'expectedexception' => \moodle_exception::class, ], ]; } /** * Test for get all issuers. */ public function test_get_all_issuers() { $this->resetAfterTest(); $this->setAdminUser(); $googleissuer = api::create_standard_issuer('google'); api::create_standard_issuer('facebook'); api::create_standard_issuer('microsoft'); // Set Google issuer to be shown only on login page. $record = $googleissuer->to_record(); $record->showonloginpage = $googleissuer::LOGINONLY; api::update_issuer($record); $issuers = api::get_all_issuers(); $this->assertCount(2, $issuers); $expected = ['Microsoft', 'Facebook']; $this->assertEqualsCanonicalizing($expected, [$issuers[0]->get_display_name(), $issuers[1]->get_display_name()]); $issuers = api::get_all_issuers(true); $this->assertCount(3, $issuers); $expected = ['Google', 'Microsoft', 'Facebook']; $this->assertEqualsCanonicalizing($expected, [$issuers[0]->get_display_name(), $issuers[1]->get_display_name(), $issuers[2]->get_display_name()]); } /** * Test for is available for login. */ public function test_is_available_for_login() { $this->resetAfterTest(); $this->setAdminUser(); $googleissuer = api::create_standard_issuer('google'); // Set Google issuer to be shown only on login page. $record = $googleissuer->to_record(); $record->showonloginpage = $googleissuer::LOGINONLY; api::update_issuer($record); $this->assertFalse($googleissuer->is_available_for_login()); // Set a clientid and clientsecret. $googleissuer->set('clientid', 'clientid'); $googleissuer->set('clientsecret', 'secret'); $googleissuer->update(); $this->assertTrue($googleissuer->is_available_for_login()); // Set showonloginpage to service only. $googleissuer->set('showonloginpage', issuer::SERVICEONLY); $googleissuer->update(); $this->assertFalse($googleissuer->is_available_for_login()); // Set showonloginpage to everywhere (service and login) and disable issuer. $googleissuer->set('showonloginpage', issuer::EVERYWHERE); $googleissuer->set('enabled', 0); $googleissuer->update(); $this->assertFalse($googleissuer->is_available_for_login()); // Enable issuer. $googleissuer->set('enabled', 1); $googleissuer->update(); $this->assertTrue($googleissuer->is_available_for_login()); // Remove userinfo endpoint from issuer. $endpoint = endpoint::get_record([ 'issuerid' => $googleissuer->get('id'), 'name' => 'userinfo_endpoint' ]); api::delete_endpoint($endpoint->get('id')); $this->assertFalse($googleissuer->is_available_for_login()); } }