LICENSE 0000666 00000024020 13436751451 0005564 0 ustar 00 Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
README.md 0000666 00000012402 13436751451 0006037 0 ustar 00 # Google Auth Library for PHP
- Homepage
- http://www.github.com/google/google-auth-library-php
- Authors
- Tim Emiola
- Stanley Cheung
- Copyright
- Copyright © 2015 Google, Inc.
- License
- Apache 2.0
## Description
This is Google's officially supported PHP client library for using OAuth 2.0
authorization and authentication with Google APIs.
## Alpha
This library is in Alpha. We will make an effort to support the library, but
we reserve the right to make incompatible changes when necessary.
### Installing via Composer
The recommended way to install the google auth library is through
[Composer](http://getcomposer.org).
```bash
# Install Composer
curl -sS https://getcomposer.org/installer | php
```
Next, run the Composer command to install the latest stable version:
```bash
composer.phar require google/auth:dev-master
```
> As this project is in alpha, there is currently no "stable" composer version,
> so specifying `dev-master` is required.
## Application Default Credentials
This library provides an implementation of
[application default credentials][application default credentials] for PHP.
The Application Default Credentials provide a simple way to get authorization
credentials for use in calling Google APIs.
They are best suited for cases when the call needs to have the same identity
and authorization level for the application independent of the user. This is
the recommended approach to authorize calls to Cloud APIs, particularly when
you're building an application that uses Google Compute Engine.
#### Download your Service Account Credentials JSON file
To use `Application Default Credentials`, You first need to download a set of
JSON credentials for your project. Go to **APIs & Auth** > **Credentials** in
the [Google Developers Console](developer console) and select
**Service account** from the **Add credentials** dropdown.
> This file is your *only copy* of these credentials. It should never be
> committed with your source code, and should be stored securely.
Once downloaded, store the path to this file in the
`GOOGLE_APPLICATION_CREDENTIALS` environment variable.
```php
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');
```
> PHP's `putenv` function is just one way to set an environment variable.
> Consider using `.htaccess` or apache configuration files as well.
#### Enable the API you want to use
Before making your API call, you must be sure the API you're calling has been
enabled. Go to **APIs & Auth** > **APIs** in the
[Google Developers Console](developer console) and enable the APIs you'd like to
call. For the example below, you must enable the `Drive API`.
#### Call the APIs
As long as you update the environment variable below to point to *your* JSON
credentials file, the following code should output a list of your Drive files.
```php
use GuzzleHttp\Client;
use Google\Auth\ApplicationDefaultCredentials;
// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');
// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];
// create the HTTP client
$client = new Client([
'base_url' => 'https://www.googleapis.com',
'defaults' => ['auth' => 'google_auth'] // authorize all requests
]);
// attach this library's auth listener
$fetcher = ApplicationDefaultCredentials::getFetcher($scopes);
$client->getEmitter()->attach($fetcher);
// make the request
$response = $client->get('drive/v2/files');
// show the result!
print_r($response->json());
```
## What about auth in google-apis-php-client?
The goal is for auth done by
[google-apis-php-client][google-apis-php-client] to be be performed
by this library.
Eventually, google-apis-php-client should have a dependency on this library.
At the moment, there is no ETA for this, a key prequisite being for google-apis-php-client
itself take a dependency on [Guzzle][Guzzle] so that it can use the Guzzle
subscribers that this package provides. That's currently [being discussed](http://github.com/google/google-api-php-client#473).
This package's availability should make that transition simpler as there is one
less thing that need to be handled.
## License
This library is licensed under Apache 2.0. Full license text is
available in [COPYING][copying].
## Contributing
See [CONTRIBUTING][contributing].
## Support
Please
[report bugs at the project on Github](https://github.com/google/google-auth-library-php/issues). Don't
hesitate to
[ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-php)
about the client or APIs on [StackOverflow](http://stackoverflow.com).
[google-apis-php-client]: https://github.com/google/google-api-php-client
[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
[contributing]: https://github.com/google/google-auth-library-php/tree/master/CONTRIBUTING.md
[copying]: https://github.com/google/google-auth-library-php/tree/master/COPYING
[Guzzle]: https://github.com/guzzle/guzzle
[developer console]: https://console.developers.google.com
autoload.php 0000666 00000002074 13436751451 0007105 0 ustar 00 3) {
// Maximum class file path depth in this project is 3.
$classPath = array_slice($classPath, 0, 3);
}
$filePath = dirname(__FILE__) . '/src/' . implode('/', $classPath) . '.php';
if (file_exists($filePath)) {
require_once($filePath);
}
}
spl_autoload_register('oauth2client_php_autoload');
src/OAuth2.php 0000666 00000065253 13436751451 0007176 0 ustar 00 self::DEFAULT_EXPIRY_MINUTES,
'extensionParams' => []
], []);
$this->setAuthorizationUri($opts->get('authorizationUri'));
$this->setRedirectUri($opts->get('redirectUri'));
$this->setTokenCredentialUri($opts->get('tokenCredentialUri'));
$this->setState($opts->get('state'));
$this->setUsername($opts->get('username'));
$this->setPassword($opts->get('password'));
$this->setClientId($opts->get('clientId'));
$this->setClientSecret($opts->get('clientSecret'));
$this->setIssuer($opts->get('issuer'));
$this->setPrincipal($opts->get('principal'));
$this->setSub($opts->get('sub'));
$this->setExpiry($opts->get('expiry'));
$this->setAudience($opts->get('audience'));
$this->setSigningKey($opts->get('signingKey'));
$this->setSigningAlgorithm($opts->get('signingAlgorithm'));
$this->setScope($opts->get('scope'));
$this->setExtensionParams($opts->get('extensionParams'));
$this->updateToken($config);
}
/**
* Verifies the idToken if present.
*
* - if none is present, return null
* - if present, but invalid, raises DomainException.
* - otherwise returns the payload in the idtoken as a PHP object.
*
* if $publicKey is null, the key is decoded without being verified.
*
* @param $publicKey the publicKey to use to authenticate the token
* @param Array $allowed_algs List of supported verification algorithms
*/
public function verifyIdToken($publicKey = null, $allowed_algs = array())
{
$idToken = $this->getIdToken();
if (is_null($idToken)) {
return null;
}
$resp = JWT::decode($idToken, $publicKey, $allowed_algs);
if (!property_exists($resp, 'aud')) {
throw new \DomainException('No audience found the id token');
}
if ($resp->aud != $this->getAudience()) {
throw new \DomainException('Wrong audience present in the id token');
}
return $resp;
}
/**
* Obtains the encoded jwt from the instance data.
*
* @param $config array optional configuration parameters
*/
public function toJwt(array $config = null)
{
if (is_null($this->getSigningKey())) {
throw new \DomainException('No signing key available');
}
if (is_null($this->getSigningAlgorithm())) {
throw new \DomainException('No signing algorithm specified');
}
$now = time();
if (is_null($config)) {
$config = [];
}
$opts = Collection::fromConfig($config, [
'skew' => self::DEFAULT_SKEW,
], []);
$assertion = [
'iss' => $this->getIssuer(),
'aud' => $this->getAudience(),
'exp' => ($now + $this->getExpiry()),
'iat' => ($now - $opts->get('skew'))
];
foreach ($assertion as $k => $v) {
if (is_null($v)) {
throw new \DomainException($k . ' should not be null');
}
}
if (!(is_null($this->getScope()))) {
$assertion['scope'] = $this->getScope();
}
if (!(is_null($this->getPrincipal()))) {
$assertion['prn'] = $this->getPrincipal();
}
if (!(is_null($this->getSub()))) {
$assertion['sub'] = $this->getSub();
}
return JWT::encode($assertion, $this->getSigningKey(),
$this->getSigningAlgorithm());
}
/**
* Generates a request for token credentials.
*
* @param $client GuzzleHttp\ClientInterface the optional client.
* @return GuzzleHttp\RequestInterface the authorization Url.
*/
public function generateCredentialsRequest(ClientInterface $client = null)
{
$uri = $this->getTokenCredentialUri();
if (is_null($uri)) {
throw new \DomainException('No token credential URI was set.');
}
if (is_null($client)) {
$client = new Client();
}
$grantType = $this->getGrantType();
$params = array('grant_type' => $grantType);
switch($grantType) {
case 'authorization_code':
$params['code'] = $this->getCode();
$params['redirect_uri'] = $this->getRedirectUri();
$this->addClientCredentials($params);
break;
case 'password':
$params['username'] = $this->getUsername();
$params['password'] = $this->getPassword();
$this->addClientCredentials($params);
break;
case 'refresh_token':
$params['refresh_token'] = $this->getRefreshToken();
$this->addClientCredentials($params);
break;
case self::JWT_URN:
$params['assertion'] = $this->toJwt();
break;
default:
if (!is_null($this->getRedirectUri())) {
# Grant type was supposed to be 'authorization_code', as there
# is a redirect URI.
throw new \DomainException('Missing authorization code');
}
unset($params['grant_type']);
if (!is_null($grantType)) {
$params['grant_type'] = strval($grantType);
}
$params = array_merge($params, $this->getExtensionParams());
}
$request = $client->createRequest('POST', $uri);
$request->addHeader('Cache-Control', 'no-store');
$request->addHeader('Content-Type', 'application/x-www-form-urlencoded');
$request->getBody()->replaceFields($params);
return $request;
}
/**
* Fetchs the auth tokens based on the current state.
*
* @param $client GuzzleHttp\ClientInterface the optional client.
* @return array the response
*/
public function fetchAuthToken(ClientInterface $client = null)
{
if (is_null($client)) {
$client = new Client();
}
$resp = $client->send($this->generateCredentialsRequest($client));
$creds = $this->parseTokenResponse($resp);
$this->updateToken($creds);
return $creds;
}
/**
* Obtains a key that can used to cache the results of #fetchAuthToken.
*
* The key is derived from the scopes.
*
* @return string a key that may be used to cache the auth token.
*/
public function getCacheKey() {
if (is_string($this->scope)) {
return $this->scope;
} else if (is_array($this->scope)) {
return implode(":", $this->scope);
}
// If scope has not set, return null to indicate no caching.
return null;
}
/**
* Parses the fetched tokens.
*
* @param $resp GuzzleHttp\Message\ReponseInterface the response.
* @return array the tokens parsed from the response body.
*/
public function parseTokenResponse(ResponseInterface $resp)
{
$body = $resp->getBody()->getContents();
if ($resp->hasHeader('Content-Type') &&
$resp->getHeader('Content-Type') == 'application/x-www-form-urlencoded') {
$res = array();
parse_str($body, $res);
return $res;
} else {
// Assume it's JSON; if it's not there needs to be an exception, so
// we use the json decode exception instead of adding a new one.
return $resp->json();
}
}
/**
* Updates an OAuth 2.0 client.
*
* @example
* client.updateToken([
* 'refresh_token' => 'n4E9O119d',
* 'access_token' => 'FJQbwq9',
* 'expires_in' => 3600
* ])
*
* @param array options
* The configuration parameters related to the token.
*
* - refresh_token
* The refresh token associated with the access token
* to be refreshed.
*
* - access_token
* The current access token for this client.
*
* - id_token
* The current ID token for this client.
*
* - expires_in
* The time in seconds until access token expiration.
*
* - expires_at
* The time as an integer number of seconds since the Epoch
*
* - issued_at
* The timestamp that the token was issued at.
*/
public function updateToken(array $config)
{
$opts = Collection::fromConfig($config, [
'extensionParams' => []
], []);
$this->setExpiresAt($opts->get('expires'));
$this->setExpiresAt($opts->get('expires_at'));
$this->setExpiresIn($opts->get('expires_in'));
// By default, the token is issued at `Time.now` when `expiresIn` is set,
// but this can be used to supply a more precise time.
$this->setIssuedAt($opts->get('issued_at'));
$this->setAccessToken($opts->get('access_token'));
$this->setIdToken($opts->get('id_token'));
$this->setRefreshToken($opts->get('refresh_token'));
}
/**
* Builds the authorization Uri that the user should be redirected to.
*
* @param $config configuration options that customize the return url
* @return GuzzleHttp::Url the authorization Url.
*/
public function buildFullAuthorizationUri(array $config = null)
{
if (is_null($this->getAuthorizationUri())) {
throw new \InvalidArgumentException(
'requires an authorizationUri to have been set');
}
$defaults = [
'response_type' => 'code',
'access_type' => 'offline',
'client_id' => $this->clientId,
'redirect_uri' => $this->redirectUri,
'state' => $this->state,
'scope' => $this->getScope()
];
$params = new Collection($defaults);
if (!is_null($config)) {
$params = Collection::fromConfig($config, $defaults, []);
}
// Validate the auth_params
if (is_null($params->get('client_id'))) {
throw new \InvalidArgumentException(
'missing the required client identifier');
}
if (is_null($params->get('redirect_uri'))) {
throw new \InvalidArgumentException('missing the required redirect URI');
}
if ($params->hasKey('prompt') && $params->hasKey('approval_prompt')) {
throw new \InvalidArgumentException(
'prompt and approval_prompt are mutually exclusive');
}
// Construct the uri object; return it if it is valid.
$result = clone $this->authorizationUri;
if (is_string($result)) {
$result = Url::fromString($this->getAuthorizationUri());
}
$result->getQuery()->merge($params);
if ($result->getScheme() != 'https') {
throw new \InvalidArgumentException(
'Authorization endpoint must be protected by TLS');
}
return $result;
}
/**
* Sets the authorization server's HTTP endpoint capable of authenticating
* the end-user and obtaining authorization.
*/
public function setAuthorizationUri($uri)
{
$this->authorizationUri = $this->coerceUri($uri);
}
/**
* Gets the authorization server's HTTP endpoint capable of authenticating
* the end-user and obtaining authorization.
*/
public function getAuthorizationUri()
{
return $this->authorizationUri;
}
/**
* Gets the authorization server's HTTP endpoint capable of issuing tokens
* and refreshing expired tokens.
*/
public function getTokenCredentialUri()
{
return $this->tokenCredentialUri;
}
/**
* Sets the authorization server's HTTP endpoint capable of issuing tokens
* and refreshing expired tokens.
*/
public function setTokenCredentialUri($uri)
{
$this->tokenCredentialUri = $this->coerceUri($uri);
}
/**
* Gets the redirection URI used in the initial request.
*/
public function getRedirectUri()
{
return $this->redirectUri;
}
/**
* Sets the redirection URI used in the initial request.
*/
public function setRedirectUri($uri)
{
if (is_null($uri)) {
$this->redirectUri = null;
return;
}
$u = $this->coerceUri($uri);
if (!$this->isAbsoluteUri($u)) {
throw new \InvalidArgumentException(
'Redirect URI must be absolute');
}
$this->redirectUri = $u;
}
/**
* Gets the scope of the access requests as a space-delimited String.
*/
public function getScope()
{
if (is_null($this->scope)) {
return $this->scope;
}
return implode(' ', $this->scope);
}
/**
* Sets the scope of the access request, expressed either as an Array or as
* a space-delimited String.
*/
public function setScope($scope)
{
if (is_null($scope)) {
$this->scope = null;
} else if (is_string($scope)) {
$this->scope = explode(' ', $scope);
} else if (is_array($scope)) {
foreach ($scope as $s) {
$pos = strpos($s, ' ');
if ($pos !== false) {
throw new \InvalidArgumentException(
'array scope values should not contain spaces');
}
}
$this->scope = $scope;
} else {
throw new \InvalidArgumentException(
'scopes should be a string or array of strings');
}
}
/**
* Gets the current grant type.
*/
public function getGrantType()
{
if (!is_null($this->grantType)) {
return $this->grantType;
}
// Returns the inferred grant type, based on the current object instance
// state.
if (!is_null($this->code) && !is_null($this->redirectUri)) {
return 'authorization_code';
} else if (!is_null($this->refreshToken)) {
return 'refresh_token';
} else if (!is_null($this->username) && !is_null($this->password)) {
return 'password';
} else if (!is_null($this->issuer) && !is_null($this->signingKey)) {
return self::JWT_URN;
} else {
return null;
}
}
/**
* Sets the current grant type.
*/
public function setGrantType($gt)
{
if (in_array($gt, self::$knownGrantTypes)) {
$this->grantType = $gt;
} else {
$this->grantType = Url::fromString($gt);
}
}
/**
* Gets an arbitrary string designed to allow the client to maintain state.
*/
public function getState()
{
return $this->state;
}
/**
* Sets an arbitrary string designed to allow the client to maintain state.
*/
public function setState($state)
{
$this->state = $state;
}
/**
* Gets the authorization code issued to this client.
*/
public function getCode()
{
return $this->code;
}
/**
* Sets the authorization code issued to this client.
*/
public function setCode($code)
{
$this->code = $code;
}
/**
* Gets the resource owner's username.
*/
public function getUsername()
{
return $this->username;
}
/**
* Sets the resource owner's username.
*/
public function setUsername($username)
{
$this->username = $username;
}
/**
* Gets the resource owner's password.
*/
public function getPassword()
{
return $this->password;
}
/**
* Sets the resource owner's password.
*/
public function setPassword($password)
{
$this->password = $password;
}
/**
* Sets a unique identifier issued to the client to identify itself to the
* authorization server.
*/
public function getClientId()
{
return $this->clientId;
}
/**
* Sets a unique identifier issued to the client to identify itself to the
* authorization server.
*/
public function setClientId($clientId)
{
$this->clientId = $clientId;
}
/**
* Gets a shared symmetric secret issued by the authorization server, which
* is used to authenticate the client.
*/
public function getClientSecret()
{
return $this->clientSecret;
}
/**
* Sets a shared symmetric secret issued by the authorization server, which
* is used to authenticate the client.
*/
public function setClientSecret($clientSecret)
{
$this->clientSecret = $clientSecret;
}
/**
* Gets the Issuer ID when using assertion profile.
*/
public function getIssuer()
{
return $this->issuer;
}
/**
* Sets the Issuer ID when using assertion profile.
*/
public function setIssuer($issuer)
{
$this->issuer = $issuer;
}
/**
* Gets the target user for the assertions.
*/
public function getPrincipal()
{
return $this->principal;
}
/**
* Sets the target user for the assertions.
*/
public function setPrincipal($p)
{
$this->principal = $p;
}
/**
* Gets the target sub when issuing assertions.
*/
public function getSub()
{
return $this->sub;
}
/**
* Sets the target sub when issuing assertions.
*/
public function setSub($sub)
{
$this->sub = $sub;
}
/**
* Gets the target audience when issuing assertions.
*/
public function getAudience()
{
return $this->audience;
}
/**
* Sets the target audience when issuing assertions.
*/
public function setAudience($audience)
{
$this->audience = $audience;
}
/**
* Gets the signing key when using an assertion profile.
*/
public function getSigningKey()
{
return $this->signingKey;
}
/**
* Sets the signing key when using an assertion profile.
*/
public function setSigningKey($signingKey)
{
$this->signingKey = $signingKey;
}
/**
* Gets the signing algorithm when using an assertion profile.
*/
public function getSigningAlgorithm()
{
return $this->signingAlgorithm;
}
/**
* Sets the signing algorithm when using an assertion profile.
*/
public function setSigningAlgorithm($sa)
{
if (is_null($sa)) {
$this->signingAlgorithm = null;
} else if (!in_array($sa, self::$knownSigningAlgorithms)) {
throw new \InvalidArgumentException('unknown signing algorithm');
} else {
$this->signingAlgorithm = $sa;
}
}
/**
* Gets the set of parameters used by extension when using an extension
* grant type.
*/
public function getExtensionParams()
{
return $this->extensionParams;
}
/**
* Sets the set of parameters used by extension when using an extension
* grant type.
*/
public function setExtensionParams($extensionParams)
{
$this->extensionParams = $extensionParams;
}
/**
* Gets the number of seconds assertions are valid for.
*/
public function getExpiry()
{
return $this->expiry;
}
/**
* Sets the number of seconds assertions are valid for.
*/
public function setExpiry($expiry)
{
$this->expiry = $expiry;
}
/**
* Gets the lifetime of the access token in seconds.
*/
public function getExpiresIn()
{
return $this->expiresIn;
}
/**
* Sets the lifetime of the access token in seconds.
*/
public function setExpiresIn($expiresIn)
{
if (is_null($expiresIn)) {
$this->expiresIn = null;
$this->issuedAt = null;
} else {
$this->issuedAt = time();
$this->expiresIn = (int) $expiresIn;
}
}
/**
* Gets the time the current access token expires at.
*/
public function getExpiresAt()
{
if (!is_null($this->expiresAt)) {
return $this->expiresAt;
} else if (!is_null($this->issuedAt) && !is_null($this->expiresIn)) {
return $this->issuedAt + $this->expiresIn;
}
return null;
}
/**
* Returns true if the acccess token has expired.
*/
public function isExpired()
{
$expiration = $this->getExpiresAt();
$now = time();
return (!is_null($expiration) && $now >= $expiration);
}
/**
* Sets the time the current access token expires at.
*/
public function setExpiresAt($expiresAt)
{
$this->expiresAt = $expiresAt;
}
/**
* Gets the time the current access token was issued at.
*/
public function getIssuedAt()
{
return $this->issuedAt;
}
/**
* Sets the time the current access token was issued at.
*/
public function setIssuedAt($issuedAt)
{
$this->issuedAt = $issuedAt;
}
/**
* Gets the current access token.
*/
public function getAccessToken()
{
return $this->accessToken;
}
/**
* Sets the current access token.
*/
public function setAccessToken($accessToken)
{
$this->accessToken = $accessToken;
}
/**
* Gets the current ID token.
*/
public function getIdToken()
{
return $this->idToken;
}
/**
* Sets the current ID token.
*/
public function setIdToken($idToken)
{
$this->idToken = $idToken;
}
/**
* Gets the refresh token associated with the current access token.
*/
public function getRefreshToken()
{
return $this->refreshToken;
}
/**
* Sets the refresh token associated with the current access token.
*/
public function setRefreshToken($refreshToken)
{
$this->refreshToken = $refreshToken;
}
private function coerceUri($uri)
{
if (is_null($uri)) {
return null;
} else if (is_string($uri)) {
return Url::fromString($uri);
} else if (is_array($uri)) {
return Url::buildUrl($uri);
} else if (get_class($uri) == 'GuzzleHttp\Url') {
return $uri;
} else {
throw new \InvalidArgumentException(
'unexpected type for a uri: ' . get_class($uri));
}
}
/**
* Determines if the URI is absolute based on its scheme and host or path
* (RFC 3986)
*/
private function isAbsoluteUri($u)
{
return $u->getScheme() && ($u->getHost() || $u->getPath());
}
private function addClientCredentials(&$params)
{
$clientId = $this->getClientId();
$clientSecret = $this->getClientSecret();
if ($clientId && $clientSecret) {
$params['client_id'] = $clientId;
$params['client_secret'] = $clientSecret;
}
return $params;
}
}
src/CredentialsLoader.php 0000666 00000012426 13436751451 0011452 0 ustar 00 getContents(), true);
if (!array_key_exists('type', $jsonKey)) {
throw new \InvalidArgumentException(
'json key is missing the type field');
}
if ($jsonKey['type'] == 'service_account') {
return new ServiceAccountCredentials($scope, $jsonKey);
} else if ($jsonKey['type'] == 'authorized_user') {
return new UserRefreshCredentials($scope, $jsonKey);
} else {
throw new \InvalidArgumentException(
'invalid value in the type field');
}
}
/**
* export a callback function which updates runtime metadata
*
* @return an updateMetadata function
*/
public function getUpdateMetadataFunc()
{
return array($this, 'updateMetadata');
}
/**
* Updates metadata with the authorization token
*
* @param $metadata array metadata hashmap
* @param $authUri string optional auth uri
* @param $client optional client interface
*
* @return array updated metadata hashmap
*/
public function updateMetadata($metadata,
$authUri = null,
ClientInterface $client = null)
{
$result = $this->fetchAuthToken($client);
if (!isset($result['access_token'])) {
return $metadata;
}
$metadata_copy = $metadata;
$metadata_copy[self::AUTH_METADATA_KEY] = array('Bearer ' . $result['access_token']);
return $metadata_copy;
}
}
src/GCECredentials.php 0000666 00000011030 13436751451 0010630 0 ustar 00 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
* 'defaults' => ['auth' => 'google_auth']
* ]);
* $client->getEmitter()->attach($gce);
* $res = $client->get('myproject/taskqueues/myqueue');
*/
class GCECredentials extends CredentialsLoader
{
/**
* The metadata IP address on appengine instances.
*
* The IP is used instead of the domain 'metadata' to avoid slow responses
* when not on Compute Engine.
*/
const METADATA_IP = '169.254.169.254';
/**
* The metadata path of the default token.
*/
const TOKEN_URI_PATH = 'v1/instance/service-accounts/default/token';
/**
* The header whose presence indicates GCE presence.
*/
const FLAVOR_HEADER = 'Metadata-Flavor';
/**
* Flag used to ensure that the onGCE test is only done once;
*/
private $hasCheckedOnGce = false;
/**
* Flag that stores the value of the onGCE check.
*/
private $isOnGce = false;
/**
* The full uri for accessing the default token.
*/
public static function getTokenUri()
{
$base = 'http://' . self::METADATA_IP . '/computeMetadata/';
return $base . self::TOKEN_URI_PATH;
}
/**
* Determines if this a GCE instance, by accessing the expected metadata
* host.
* If $client is not specified a new GuzzleHttp\Client instance is used.
*
* @param $client GuzzleHttp\ClientInterface optional client.
* @return true if this a GCEInstance false otherwise
*/
public static function onGce(ClientInterface $client = null)
{
if (is_null($client)) {
$client = new Client();
}
$checkUri = 'http://' . self::METADATA_IP;
try {
// Comment from: oauth2client/client.py
//
// Note: the explicit `timeout` below is a workaround. The underlying
// issue is that resolving an unknown host on some networks will take
// 20-30 seconds; making this timeout short fixes the issue, but
// could lead to false negatives in the event that we are on GCE, but
// the metadata resolution was particularly slow. The latter case is
// "unlikely".
$resp = $client->get($checkUri, ['timeout' => 0.3]);
return $resp->getHeader(self::FLAVOR_HEADER) == 'Google';
} catch (ClientException $e) {
return false;
} catch (ServerException $e) {
return false;
} catch (RequestException $e) {
return false;
}
}
/**
* Implements FetchAuthTokenInterface#fetchAuthToken.
*
* Fetches the auth tokens from the GCE metadata host if it is available.
* If $client is not specified a new GuzzleHttp\Client instance is used.
*
* @param $client GuzzleHttp\ClientInterface optional client.
* @return array the response
*/
public function fetchAuthToken(ClientInterface $client = null)
{
if (is_null($client)) {
$client = new Client();
}
if (!$this->hasCheckedOnGce) {
$this->isOnGce = self::onGce($client);
}
if (!$this->isOnGce) {
return array(); // return an empty array with no access token
}
$resp = $client->get(self::getTokenUri(),
[ 'headers' => [self::FLAVOR_HEADER => 'Google']]);
return $resp->json();
}
/**
* Implements FetchAuthTokenInterface#getCacheKey.
*
* @return 'GOOGLE_AUTH_PHP_GCE'
*/
public function getCacheKey() {
return 'GOOGLE_AUTH_PHP_GCE';
}
}
src/ServiceAccountJwtAccessCredentials.php 0000666 00000005673 13436751451 0014776 0 ustar 00 auth = new OAuth2([
'issuer' => $jsonKey['client_email'],
'sub' => $jsonKey['client_email'],
'signingAlgorithm' => 'RS256',
'signingKey' => $jsonKey['private_key'],
]);
}
/**
* Updates metadata with the authorization token
*
* @param $metadata array metadata hashmap
* @param $authUri string optional auth uri
* @param $client optional client interface
*
* @return array updated metadata hashmap
*/
public function updateMetadata($metadata,
$authUri = null,
ClientInterface $client = null)
{
if (empty($authUri)) {
return $metadata;
}
$this->auth->setAudience($authUri);
return parent::updateMetadata($metadata, $authUri, $client);
}
/**
* Implements FetchAuthTokenInterface#fetchAuthToken.
*/
public function fetchAuthToken(ClientInterface $unusedClient = null)
{
$audience = $this->auth->getAudience();
if (empty($audience)) {
return null;
}
$access_token = $this->auth->toJwt();
return array('access_token' => $access_token);
}
/**
* Implements FetchAuthTokenInterface#getCacheKey.
*/
public function getCacheKey()
{
return $this->auth->getCacheKey();
}
}
src/ScopedAccessToken.php 0000666 00000011105 13436751451 0011417 0 ustar 00 '
*/
class ScopedAccessToken implements SubscriberInterface
{
const DEFAULT_CACHE_LIFETIME = 1500;
/** @var An implementation of CacheInterface */
private $cache;
/** @var The access token generator function */
private $tokenFunc;
/** @var The scopes used to generate the token */
private $scopes;
/** @var cache configuration */
private $cacheConfig;
/**
* Creates a new ScopedAccessToken plugin.
*
* @param object $tokenFunc a token generator function
* @param array|string scopes the token authentication scopes
* @param cacheConfig configuration for the cache when it's present
* @param object $cache an implementation of CacheInterface
*/
public function __construct(callable $tokenFunc, $scopes, array $cacheConfig,
CacheInterface $cache=NULL)
{
$this->tokenFunc = $tokenFunc;
if (!(is_string($scopes) || is_array($scopes))) {
throw new \InvalidArgumentException(
'wants scope should be string or array');
}
$this->scopes = $scopes;
if (!is_null($cache)) {
$this->cache = $cache;
$this->cacheConfig = Collection::fromConfig($cacheConfig, [
'lifetime' => self::DEFAULT_CACHE_LIFETIME,
'prefix' => ''
], []);
}
}
/* Implements SubscriberInterface */
public function getEvents()
{
return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]];
}
/**
* Updates the request with an Authorization header when auth is 'scoped'.
*
* E.g this could be used to authenticate using the AppEngine
* AppIdentityService.
*
* use google\appengine\api\app_identity\AppIdentityService;
* use GuzzleHttp\Client;
* use Google\Auth\ScopedAccessToken;
*
* $scope = 'https://www.googleapis.com/auth/taskqueue'
* $scoped = new ScopedAccessToken('AppIdentityService::getAccessToken',
* $scope,
* [ 'prefix' => 'Google\Auth\ScopedAccessToken::' ],
* $cache = new Memcache());
* $client = new Client([
* 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
* 'defaults' => ['auth' => 'scoped']
* ]);
*
* $res = $client->get('myproject/taskqueues/myqueue');
*/
public function onBefore(BeforeEvent $event)
{
// Requests using "auth"="scoped" will be authorized.
$request = $event->getRequest();
if ($request->getConfig()['auth'] != 'scoped') {
return;
}
$auth_header = 'Bearer ' . $this->fetchToken();
$request->setHeader('Authorization', $auth_header);
}
private function fetchToken()
{
// Determine if token is available in the cache, if not call tokenFunc to
// fetch it.
$token = false;
$hasCache = !is_null($this->cache);
if ($hasCache) {
$token = $this->cache->get($this->buildCacheKey(), $this->cacheConfig['lifetime']);
}
if (!$token) {
$token = call_user_func($this->tokenFunc, $this->scopes);
if ($hasCache) {
$this->cache->set($this->buildCacheKey(), $token);
}
}
return $token;
}
private function buildCacheKey() {
$cacheKey = $this->cacheConfig['prefix'];
if (is_string($this->scopes)) {
$cacheKey .= $this->scopes;
} else if (is_array($this->scopes)) {
$cacheKey .= implode(":", $this->scopes);
}
return $cacheKey;
}
}
src/Simple.php 0000666 00000004303 13436751451 0007312 0 ustar 00 config = Collection::fromConfig($config, [], ['key']);
}
/* Implements SubscriberInterface */
public function getEvents()
{
return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]];
}
/**
* Updates the request query with the developer key if auth is set to simple
*
* use GuzzleHttp\Client;
* use Google\Auth\Simple;
*
* $my_key = 'is not the same as yours';
* $simple = new Simple(['key' => $my_key]);
* $client = new Client([
* 'base_url' => 'https://www.googleapis.com/discovery/v1/',
* 'defaults' => ['auth' => 'simple']
* ]);
*
* $res = $client->get('drive/v2/rest');
*/
public function onBefore(BeforeEvent $event)
{
// Requests using "auth"="simple" with the developer key.
$request = $event->getRequest();
if ($request->getConfig()['auth'] != 'simple') {
return;
}
$request->getQuery()->overwriteWith($this->config);
}
}
src/FetchAuthTokenInterface.php 0000666 00000002360 13436751451 0012557 0 ustar 00 $value
*
* Implementations will serialize $value.
*
* @param string $key the cachke key
* @param string $value data
*/
public function set($key, $value);
/**
* Removes the key/data pair.
*
* @param String $key
*/
public function delete($key);
} src/ApplicationDefaultCredentials.php 0000666 00000010060 13436751451 0014004 0 ustar 00 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
* 'defaults' => ['auth' => 'google_auth'] // authorize all requests
* ]);
* $fetcher = ApplicationDefaultCredentials::getFetcher(
* 'https://www.googleapis.com/auth/taskqueue');
* $client->getEmitter()->attach($fetcher);
*
* $res = $client->get('myproject/taskqueues/myqueue');
*/
class ApplicationDefaultCredentials
{
/**
* Obtains an AuthTokenFetcher that uses the default FetchAuthTokenInterface
* implementation to use in this environment.
*
* If supplied, $scope is used to in creating the credentials instance if
* this does not fallback to the compute engine defaults.
*
* @param string|array scope the scope of the access request, expressed
* either as an Array or as a space-delimited String.
* @param $client GuzzleHttp\ClientInterface optional client.
* @param cacheConfig configuration for the cache when it's present
* @param object $cache an implementation of CacheInterface
*
* @throws DomainException if no implementation can be obtained.
*/
public static function getFetcher(
$scope = null,
ClientInterface $client = null,
array $cacheConfig = null,
CacheInterface $cache = null)
{
$creds = self::getCredentials($scope, $client);
return new AuthTokenFetcher($creds, $cacheConfig, $cache, $client);
}
/**
* Obtains the default FetchAuthTokenInterface implementation to use
* in this environment.
*
* If supplied, $scope is used to in creating the credentials instance if
* this does not fallback to the Compute Engine defaults.
*
* @param string|array scope the scope of the access request, expressed
* either as an Array or as a space-delimited String.
*
* @param $client GuzzleHttp\ClientInterface optional client.
* @throws DomainException if no implementation can be obtained.
*/
public static function getCredentials($scope = null, $client = null)
{
$creds = CredentialsLoader::fromEnv($scope);
if (!is_null($creds)) {
return $creds;
}
$creds = CredentialsLoader::fromWellKnownFile($scope);
if (!is_null($creds)) {
return $creds;
}
if (AppIdentityCredentials::onAppEngine()) {
return new AppIdentityCredentials($scope);
}
if (GCECredentials::onGce($client)) {
return new GCECredentials();
}
throw new \DomainException(self::notFound());
}
private static function notFound()
{
$msg = 'Could not load the default credentials. Browse to ';
$msg .= 'https://developers.google.com';
$msg .= '/accounts/docs/application-default-credentials';
$msg .= ' for more information' ;
return $msg;
}
}
src/UserRefreshCredentials.php 0000666 00000005660 13436751451 0012503 0 ustar 00 getContents(), true);
}
if (!array_key_exists('client_id', $jsonKey)) {
throw new \InvalidArgumentException(
'json key is missing the client_id field');
}
if (!array_key_exists('client_secret', $jsonKey)) {
throw new \InvalidArgumentException(
'json key is missing the client_secret field');
}
if (!array_key_exists('refresh_token', $jsonKey)) {
throw new \InvalidArgumentException(
'json key is missing the refresh_token field');
}
$this->auth = new OAuth2([
'clientId' => $jsonKey['client_id'],
'clientSecret' => $jsonKey['client_secret'],
'refresh_token' => $jsonKey['refresh_token'],
'scope' => $scope,
'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI
]);
}
/**
* Implements FetchAuthTokenInterface#fetchAuthToken.
*/
public function fetchAuthToken(ClientInterface $client = null)
{
return $this->auth->fetchAuthToken($client);
}
/**
* Implements FetchAuthTokenInterface#getCacheKey.
*/
public function getCacheKey()
{
return $this->auth->getClientId() . ':' . $this->auth->getCacheKey();
}
}
src/IAMCredentials.php 0000666 00000004372 13436751451 0010653 0 ustar 00 selector = $selector;
$this->token = $token;
}
/**
* export a callback function which updates runtime metadata
*
* @return an updateMetadata function
*/
public function getUpdateMetadataFunc()
{
return array($this, 'updateMetadata');
}
/**
* Updates metadata with the appropriate header metadata
*
* @param $metadata array metadata hashmap
* @param $unusedAuthUri optional auth uri
* @param $unusedClient optional client interface
* Note: this param is unused here, only included here for
* consistency with other credentials class
*
* @return array updated metadata hashmap
*/
public function updateMetadata($metadata,
$unusedAuthUri = null,
ClientInterface $unusedClient = null)
{
$metadata_copy = $metadata;
$metadata_copy[self::SELECTOR_KEY] = $this->selector;
$metadata_copy[self::TOKEN_KEY] = $this->token;
return $metadata_copy;
}
}
src/AppIdentityCredentials.php 0000666 00000007162 13436751451 0012477 0 ustar 00 'https://www.googleapis.com/books/v1',
* 'defaults' => ['auth' => 'google_auth']
* ]);
* $client->setDefaultOption('verify', '/etc/ca-certificates.crt');
* $client->getEmitter()->attach($subscriber);
* $res = $client->get('volumes?q=Henry+David+Thoreau&country=US');
*
* In Guzzle 5 and below, the App Engine certificates need to be set on the
* guzzle client in order for SSL requests to succeed.
*
* $client->setDefaultOption('verify', '/etc/ca-certificates.crt');
*/
class AppIdentityCredentials extends CredentialsLoader
{
private $scope;
public function __construct($scope = array())
{
$this->scope = $scope;
}
/**
* Determines if this an App Engine instance, by accessing the SERVER_SOFTWARE
* environment variable.
*
* @return true if this an App Engine Instance, false otherwise
*/
public static function onAppEngine()
{
return (isset($_SERVER['SERVER_SOFTWARE']) &&
strpos($_SERVER['SERVER_SOFTWARE'], 'Google App Engine') !== false);
}
/**
* Implements FetchAuthTokenInterface#fetchAuthToken.
*
* Fetches the auth tokens using the AppIdentityService if available.
* As the AppIdentityService uses protobufs to fetch the access token,
* the GuzzleHttp\ClientInterface instance passed in will not be used.
*
* @param $client GuzzleHttp\ClientInterface optional client.
* @return array the auth metadata:
* array(2) {
* ["access_token"]=>
* string(3) "xyz"
* ["expiration_time"]=>
* string(10) "1444339905"
* }
*/
public function fetchAuthToken(ClientInterface $unusedClient = null)
{
if (!self::onAppEngine()) {
return array();
}
if (!class_exists('google\appengine\api\app_identity\AppIdentityService')) {
throw new \Exception(
'This class must be run in App Engine, or you must include the AppIdentityService '
. 'mock class defined in tests/mocks/AppIdentityService.php'
);
}
$token = AppIdentityService::getAccessToken($this->scope);
return $token;
}
/**
* Implements FetchAuthTokenInterface#getCacheKey.
*
* @return 'GOOGLE_AUTH_PHP_APPIDENTITY'
*/
public function getCacheKey()
{
return 'GOOGLE_AUTH_PHP_APPIDENTITY';
}
}
src/ServiceAccountCredentials.php 0000666 00000011554 13436751451 0013162 0 ustar 00 ));
* $sa = new ServiceAccountCredentials(
* 'https://www.googleapis.com/auth/taskqueue',
* $stream);
* $client = new Client([
* 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
* 'defaults' => ['auth' => 'google_auth'] // authorize all requests
* ]);
* $client->getEmitter()->attach(new AuthTokenFetcher($sa));
*
* $res = $client->get('myproject/taskqueues/myqueue');
*/
class ServiceAccountCredentials extends CredentialsLoader
{
/**
* Create a new ServiceAccountCredentials.
*
* @param string|array scope the scope of the access request, expressed
* either as an Array or as a space-delimited String.
*
* @param array jsonKey JSON credentials.
*
* @param string jsonKeyPath the path to a file containing JSON credentials. If
* jsonKeyStream is set, it is ignored.
*
* @param string sub an email address account to impersonate, in situations when
* the service account has been delegated domain wide access.
*/
public function __construct($scope, $jsonKey,
$jsonKeyPath = null, $sub = null)
{
if (is_null($jsonKey)) {
$jsonKeyStream = Stream::factory(file_get_contents($jsonKeyPath));
$jsonKey = json_decode($jsonKeyStream->getContents(), true);
}
if (!array_key_exists('client_email', $jsonKey)) {
throw new \InvalidArgumentException(
'json key is missing the client_email field');
}
if (!array_key_exists('private_key', $jsonKey)) {
throw new \InvalidArgumentException(
'json key is missing the private_key field');
}
$this->auth = new OAuth2([
'audience' => self::TOKEN_CREDENTIAL_URI,
'issuer' => $jsonKey['client_email'],
'scope' => $scope,
'signingAlgorithm' => 'RS256',
'signingKey' => $jsonKey['private_key'],
'sub' => $sub,
'tokenCredentialUri' => self::TOKEN_CREDENTIAL_URI
]);
}
/**
* Implements FetchAuthTokenInterface#fetchAuthToken.
*/
public function fetchAuthToken(ClientInterface $client = null)
{
return $this->auth->fetchAuthToken($client);
}
/**
* Implements FetchAuthTokenInterface#getCacheKey.
*/
public function getCacheKey()
{
$key = $this->auth->getIssuer() . ':' . $this->auth->getCacheKey();
if ($sub = $this->auth->getSub()) {
$key .= ':' . $sub;
}
return $key;
}
/**
* Updates metadata with the authorization token
*
* @param $metadata array metadata hashmap
* @param $authUri string optional auth uri
* @param $client optional client interface
*
* @return array updated metadata hashmap
*/
public function updateMetadata($metadata,
$authUri = null,
ClientInterface $client = null)
{
// scope exists. use oauth implementation
$scope = $this->auth->getScope();
if (!is_null($scope)) {
return parent::updateMetadata($metadata, $authUri, $client);
}
// no scope found. create jwt with the auth uri
$credJson = array(
'private_key' => $this->auth->getSigningKey(),
'client_email' => $this->auth->getIssuer(),
);
$jwtCreds = new ServiceAccountJwtAccessCredentials($credJson);
return $jwtCreds->updateMetadata($metadata, $authUri, $client);
}
/**
* @param string sub an email address account to impersonate, in situations when
* the service account has been delegated domain wide access.
*/
public function setSub($sub)
{
$this->auth->setSub($sub);
}
}
src/AuthTokenFetcher.php 0000666 00000011674 13436751451 0011275 0 ustar 00 '
*/
class AuthTokenFetcher implements SubscriberInterface
{
const DEFAULT_CACHE_LIFETIME = 1500;
/** @var An implementation of CacheInterface */
private $cache;
/** @var An implementation of ClientInterface */
private $client;
/** @var An implementation of FetchAuthTokenInterface */
private $fetcher;
/** @var cache configuration */
private $cacheConfig;
/**
* Creates a new AuthTokenFetcher plugin.
*
* @param FetchAuthTokenInterface $fetcher is used to fetch the auth token
* @param array $cacheConfig configures the cache
* @param CacheInterface $cache (optional) caches the token.
* @param ClientInterface $client (optional) http client to fetch the token.
*/
public function __construct(FetchAuthTokenInterface $fetcher,
array $cacheConfig = null,
CacheInterface $cache = null,
ClientInterface $client = null)
{
$this->fetcher = $fetcher;
$this->client = $client;
if (!is_null($cache)) {
$this->cache = $cache;
$this->cacheConfig = Collection::fromConfig($cacheConfig, [
'lifetime' => self::DEFAULT_CACHE_LIFETIME,
'prefix' => ''
], []);
}
}
/* Implements SubscriberInterface */
public function getEvents()
{
return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]];
}
/**
* Updates the request with an Authorization header when auth is 'fetched_auth_token'.
*
* use GuzzleHttp\Client;
* use Google\Auth\OAuth2;
* use Google\Auth\AuthTokenFetcher;
*
* $config = [...];
* $oauth2 = new OAuth2($config)
* $scoped = new AuthTokenFetcher($oauth2,
* $cache = new Memcache(),
* [ 'prefix' => 'OAuth2::' ]);
* $client = new Client([
* 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
* 'defaults' => ['auth' => 'google_auth']
* ]);
*
* $res = $client->get('myproject/taskqueues/myqueue');
*/
public function onBefore(BeforeEvent $event)
{
// Requests using "auth"="google_auth" will be authorized.
$request = $event->getRequest();
if ($request->getConfig()['auth'] != 'google_auth') {
return;
}
// Use the cached value if its available.
//
// TODO: correct caching; update the call to setCachedValue to set the expiry
// to the value returned with the auth token.
//
// TODO: correct caching; enable the cache to be cleared.
$cached = $this->getCachedValue();
if (!empty($cached)) {
$request->setHeader('Authorization', 'Bearer ' . $cached);
return;
}
// Fetch the auth token.
$auth_tokens = $this->fetcher->fetchAuthToken($this->client);
if (array_key_exists('access_token', $auth_tokens)) {
$request->setHeader('Authorization', 'Bearer ' . $auth_tokens['access_token']);
$this->setCachedValue($auth_tokens['access_token']);
}
}
/**
* Gets the cached value if it is present in the cache when that is
* available.
*/
protected function getCachedValue()
{
if (is_null($this->cache)) {
return null;
}
$fetcherKey = $this->fetcher->getCacheKey();
if (is_null($fetcherKey)) {
return null;
}
$key = $this->cacheConfig['prefix'] . $fetcherKey;
return $this->cache->get($key, $this->cacheConfig['lifetime']);
}
/**
* Saves the value in the cache when that is available.
*/
protected function setCachedValue($v)
{
if (is_null($this->cache)) {
return;
}
$fetcherKey = $this->fetcher->getCacheKey();
if (is_null($fetcherKey)) {
return;
}
$key = $this->cacheConfig['prefix'] . $fetcherKey;
$this->cache->set($key, $v);
}
}
composer.json 0000666 00000001043 13436751451 0007301 0 ustar 00 {
"name": "google/auth",
"type": "library",
"description": "Google Auth Library for PHP",
"keywords": ["google", "oauth2", "authentication"],
"homepage": "http://github.com/google/google-auth-library-php",
"license": "Apache-2.0",
"require": {
"firebase/php-jwt": "2.0.0",
"guzzlehttp/guzzle": "5.2.*",
"php": ">=5.4"
},
"require-dev": {
"phpunit/phpunit": "3.7.*",
"phplint/phplint": "0.0.1"
},
"autoload": {
"classmap": [
"src/"
],
"psr-4": {
"Google\\Auth\\": "src"
}
}
}
.travis.yml 0000666 00000000301 13436751451 0006664 0 ustar 00 language: php
sudo: false
php:
- 5.4
- 5.5
- 5.6
- hhvm
before_script:
- composer install
script:
- vendor/bin/phpunit
- vendor/bin/phplint src/
- vendor/bin/phplint tests/
COPYING 0000666 00000026116 13436751451 0005622 0 ustar 00
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2015 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
phpunit.xml.dist 0000666 00000000673 13436751451 0007742 0 ustar 00
tests
src
src/
CHANGELOG.md 0000666 00000000355 13436751451 0006375 0 ustar 00 ## 0.4.0 (23/04/2015)
### Changes
* Export callback function to update auth metadata ([@stanley-cheung][])
* Adds an implementation of User Refresh Token auth ([@stanley-cheung][])
[@stanley-cheung]: https://github.com/stanley-cheung
tests/ScopedAccessTokenTest.php 0000666 00000015526 13436751451 0012645 0 ustar 00 assertArrayHasKey('before', $s->getEvents());
}
public function testAddsTheTokenAsAnAuthorizationHeader()
{
$fakeAuthFunc = function ($unused_scopes) {
return '1/abcdef1234567890';
};
$s = new ScopedAccessToken($fakeAuthFunc, self::TEST_SCOPE, array());
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'scoped']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 1/abcdef1234567890');
}
public function testUsesCachedAuthToken()
{
$cachedValue = '2/abcdef1234567890';
$fakeAuthFunc = function ($unused_scopes) {
return '';
};
$mockCache = $this
->getMockBuilder('Google\Auth\CacheInterface')
->getMock();
$mockCache
->expects($this->once())
->method('get')
->will($this->returnValue($cachedValue));
// Run the test
$s = new ScopedAccessToken($fakeAuthFunc, self::TEST_SCOPE, array(),
$mockCache);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'scoped']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 2/abcdef1234567890');
}
public function testGetsCachedAuthTokenUsingCacheOptions()
{
$prefix = 'test_prefix:';
$lifetime = '70707';
$cachedValue = '2/abcdef1234567890';
$fakeAuthFunc = function ($unused_scopes) {
return '';
};
$mockCache = $this
->getMockBuilder('Google\Auth\CacheInterface')
->getMock();
$mockCache
->expects($this->once())
->method('get')
->with($this->equalTo($prefix . self::TEST_SCOPE),
$this->equalTo($lifetime))
->will($this->returnValue($cachedValue));
// Run the test
$s = new ScopedAccessToken($fakeAuthFunc, self::TEST_SCOPE,
array('prefix' => $prefix,
'lifetime' => $lifetime),
$mockCache);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'scoped']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 2/abcdef1234567890');
}
public function testShouldSaveValueInCache()
{
$token = '2/abcdef1234567890';
$fakeAuthFunc = function ($unused_scopes) {
return '2/abcdef1234567890';
};
$mockCache = $this
->getMockBuilder('Google\Auth\CacheInterface')
->getMock();
$mockCache
->expects($this->once())
->method('get')
->will($this->returnValue(false));
$mockCache
->expects($this->once())
->method('set')
->with($this->equalTo(self::TEST_SCOPE), $this->equalTo($token))
->will($this->returnValue(false));
$s = new ScopedAccessToken($fakeAuthFunc, self::TEST_SCOPE, array(),
$mockCache);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'scoped']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 2/abcdef1234567890');
}
public function testShouldSaveValueInCacheWithSpecifiedPrefix()
{
$token = '2/abcdef1234567890';
$prefix = 'test_prefix:';
$fakeAuthFunc = function ($unused_scopes) {
return '2/abcdef1234567890';
};
$mockCache = $this
->getMockBuilder('Google\Auth\CacheInterface')
->getMock();
$mockCache
->expects($this->once())
->method('get')
->will($this->returnValue(false));
$mockCache
->expects($this->once())
->method('set')
->with($this->equalTo($prefix . self::TEST_SCOPE),
$this->equalTo($token))
->will($this->returnValue(false));
// Run the test
$s = new ScopedAccessToken($fakeAuthFunc, self::TEST_SCOPE,
array('prefix' => $prefix),
$mockCache);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'scoped']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 2/abcdef1234567890');
}
public function testOnlyTouchesWhenAuthConfigScoped()
{
$fakeAuthFunc = function ($unused_scopes) {
return '1/abcdef1234567890';
};
$s = new ScopedAccessToken($fakeAuthFunc, self::TEST_SCOPE, array());
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'notscoped']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertSame($request->getHeader('Authorization'), '');
}
}
tests/SimpleTest.php 0000666 00000004023 13436751451 0010524 0 ustar 00 'a test key']);
}
public function testSubscribesToEvents()
{
$events = (new Simple(['key' => 'a test key']))->getEvents();
$this->assertArrayHasKey('before', $events);
}
public function testAddsTheKeyToTheQuery()
{
$s = new Simple(['key' => 'test_key']);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'simple']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertCount(1, $request->getQuery());
$this->assertTrue($request->getQuery()->hasKey('key'));
$this->assertSame($request->getQuery()->get('key'), 'test_key');
}
public function testOnlyTouchesWhenAuthConfigIsSimple()
{
$s = new Simple(['key' => 'test_key']);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'notsimple']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertCount(0, $request->getQuery());
}
}
tests/UserRefreshCredentialsTest.php 0000666 00000013561 13436751451 0013715 0 ustar 00 'client123',
'client_secret' => 'clientSecret123',
'refresh_token' => 'refreshToken123',
'type' => 'authorized_user'
];
}
class URCGetCacheKeyTest extends \PHPUnit_Framework_TestCase
{
public function testShouldBeTheSameAsOAuth2WithTheSameScope()
{
$testJson = createURCTestJson();
$scope = ['scope/1', 'scope/2'];
$sa = new UserRefreshCredentials(
$scope,
$testJson);
$o = new OAuth2(['scope' => $scope]);
$this->assertSame(
$testJson['client_id'] . ':' . $o->getCacheKey(),
$sa->getCacheKey()
);
}
}
class URCConstructorTest extends \PHPUnit_Framework_TestCase
{
/**
* @expectedException InvalidArgumentException
*/
public function testShouldFailIfScopeIsNotAValidType()
{
$testJson = createURCTestJson();
$notAnArrayOrString = new \stdClass();
$sa = new UserRefreshCredentials(
$notAnArrayOrString,
$testJson
);
}
/**
* @expectedException InvalidArgumentException
*/
public function testShouldFailIfJsonDoesNotHaveClientSecret()
{
$testJson = createURCTestJson();
unset($testJson['client_secret']);
$scope = ['scope/1', 'scope/2'];
$sa = new UserRefreshCredentials(
$scope,
$testJson
);
}
/**
* @expectedException InvalidArgumentException
*/
public function testShouldFailIfJsonDoesNotHaveRefreshToken()
{
$testJson = createURCTestJson();
unset($testJson['refresh_token']);
$scope = ['scope/1', 'scope/2'];
$sa = new UserRefreshCredentials(
$scope,
$testJson
);
}
/**
* @expectedException PHPUnit_Framework_Error_Warning
*/
public function testFailsToInitalizeFromANonExistentFile()
{
$keyFile = __DIR__ . '/fixtures' . '/does-not-exist-private.json';
new UserRefreshCredentials('scope/1', null, $keyFile);
}
public function testInitalizeFromAFile()
{
$keyFile = __DIR__ . '/fixtures2' . '/private.json';
$this->assertNotNull(
new UserRefreshCredentials('scope/1', null, $keyFile)
);
}
}
class URCFromEnvTest extends \PHPUnit_Framework_TestCase
{
protected function tearDown()
{
putenv(UserRefreshCredentials::ENV_VAR); // removes it from
}
public function testIsNullIfEnvVarIsNotSet()
{
$this->assertNull(UserRefreshCredentials::fromEnv('a scope'));
}
/**
* @expectedException DomainException
*/
public function testFailsIfEnvSpecifiesNonExistentFile()
{
$keyFile = __DIR__ . '/fixtures' . '/does-not-exist-private.json';
putenv(UserRefreshCredentials::ENV_VAR . '=' . $keyFile);
UserRefreshCredentials::fromEnv('a scope');
}
public function testSucceedIfFileExists()
{
$keyFile = __DIR__ . '/fixtures2' . '/private.json';
putenv(UserRefreshCredentials::ENV_VAR . '=' . $keyFile);
$this->assertNotNull(ApplicationDefaultCredentials::getCredentials('a scope'));
}
}
class URCFromWellKnownFileTest extends \PHPUnit_Framework_TestCase
{
private $originalHome;
protected function setUp()
{
$this->originalHome = getenv('HOME');
}
protected function tearDown()
{
if ($this->originalHome != getenv('HOME')) {
putenv('HOME=' . $this->originalHome);
}
}
public function testIsNullIfFileDoesNotExist()
{
putenv('HOME=' . __DIR__ . '/not_exist_fixtures');
$this->assertNull(
UserRefreshCredentials::fromWellKnownFile('a scope')
);
}
public function testSucceedIfFileIsPresent()
{
putenv('HOME=' . __DIR__ . '/fixtures2');
$this->assertNotNull(
ApplicationDefaultCredentials::getCredentials('a scope')
);
}
}
class URCFetchAuthTokenTest extends \PHPUnit_Framework_TestCase
{
/**
* @expectedException GuzzleHttp\Exception\ClientException
*/
public function testFailsOnClientErrors()
{
$testJson = createURCTestJson();
$scope = ['scope/1', 'scope/2'];
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(400)]));
$sa = new UserRefreshCredentials(
$scope,
$testJson
);
$sa->fetchAuthToken($client);
}
/**
* @expectedException GuzzleHttp\Exception\ServerException
*/
public function testFailsOnServerErrors()
{
$testJson = createURCTestJson();
$scope = ['scope/1', 'scope/2'];
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(500)]));
$sa = new UserRefreshCredentials(
$scope,
$testJson
);
$sa->fetchAuthToken($client);
}
public function testCanFetchCredsOK()
{
$testJson = createURCTestJson();
$testJsonText = json_encode($testJson);
$scope = ['scope/1', 'scope/2'];
$client = new Client();
$testResponse = new Response(200, [], Stream::factory($testJsonText));
$client->getEmitter()->attach(new Mock([$testResponse]));
$sa = new UserRefreshCredentials(
$scope,
$testJson
);
$tokens = $sa->fetchAuthToken($client);
$this->assertEquals($testJson, $tokens);
}
}
tests/ServiceAccountCredentialsTest.php 0000666 00000034377 13436751451 0014405 0 ustar 00 'key123',
'private_key' => 'privatekey',
'client_email' => 'test@example.com',
'client_id' => 'client123',
'type' => 'service_account'
];
}
class SACGetCacheKeyTest extends \PHPUnit_Framework_TestCase
{
public function testShouldBeTheSameAsOAuth2WithTheSameScope()
{
$testJson = createTestJson();
$scope = ['scope/1', 'scope/2'];
$sa = new ServiceAccountCredentials(
$scope,
$testJson);
$o = new OAuth2(['scope' => $scope]);
$this->assertSame(
$testJson['client_email'] . ':' . $o->getCacheKey(),
$sa->getCacheKey()
);
}
public function testShouldBeTheSameAsOAuth2WithTheSameScopeWithSub()
{
$testJson = createTestJson();
$scope = ['scope/1', 'scope/2'];
$sub = 'sub123';
$sa = new ServiceAccountCredentials(
$scope,
$testJson,
null,
$sub);
$o = new OAuth2(['scope' => $scope]);
$this->assertSame(
$testJson['client_email'] . ':' . $o->getCacheKey() . ':' . $sub,
$sa->getCacheKey()
);
}
public function testShouldBeTheSameAsOAuth2WithTheSameScopeWithSubAddedLater()
{
$testJson = createTestJson();
$scope = ['scope/1', 'scope/2'];
$sub = 'sub123';
$sa = new ServiceAccountCredentials(
$scope,
$testJson,
null);
$sa->setSub($sub);
$o = new OAuth2(['scope' => $scope]);
$this->assertSame(
$testJson['client_email'] . ':' . $o->getCacheKey() . ':' . $sub,
$sa->getCacheKey()
);
}
}
class SACConstructorTest extends \PHPUnit_Framework_TestCase
{
/**
* @expectedException InvalidArgumentException
*/
public function testShouldFailIfScopeIsNotAValidType()
{
$testJson = createTestJson();
$notAnArrayOrString = new \stdClass();
$sa = new ServiceAccountCredentials(
$notAnArrayOrString,
$testJson
);
}
/**
* @expectedException InvalidArgumentException
*/
public function testShouldFailIfJsonDoesNotHaveClientEmail()
{
$testJson = createTestJson();
unset($testJson['client_email']);
$scope = ['scope/1', 'scope/2'];
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
}
/**
* @expectedException InvalidArgumentException
*/
public function testShouldFailIfJsonDoesNotHavePrivateKey()
{
$testJson = createTestJson();
unset($testJson['private_key']);
$scope = ['scope/1', 'scope/2'];
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
}
/**
* @expectedException PHPUnit_Framework_Error_Warning
*/
public function testFailsToInitalizeFromANonExistentFile()
{
$keyFile = __DIR__ . '/fixtures' . '/does-not-exist-private.json';
new ServiceAccountCredentials('scope/1', null, $keyFile);
}
public function testInitalizeFromAFile()
{
$keyFile = __DIR__ . '/fixtures' . '/private.json';
$this->assertNotNull(
new ServiceAccountCredentials('scope/1', null, $keyFile)
);
}
}
class SACFromEnvTest extends \PHPUnit_Framework_TestCase
{
protected function tearDown()
{
putenv(ServiceAccountCredentials::ENV_VAR); // removes it from
}
public function testIsNullIfEnvVarIsNotSet()
{
$this->assertNull(ServiceAccountCredentials::fromEnv('a scope'));
}
/**
* @expectedException DomainException
*/
public function testFailsIfEnvSpecifiesNonExistentFile()
{
$keyFile = __DIR__ . '/fixtures' . '/does-not-exist-private.json';
putenv(ServiceAccountCredentials::ENV_VAR . '=' . $keyFile);
ApplicationDefaultCredentials::getCredentials('a scope');
}
public function testSucceedIfFileExists()
{
$keyFile = __DIR__ . '/fixtures' . '/private.json';
putenv(ServiceAccountCredentials::ENV_VAR . '=' . $keyFile);
$this->assertNotNull(ApplicationDefaultCredentials::getCredentials('a scope'));
}
}
class SACFromWellKnownFileTest extends \PHPUnit_Framework_TestCase
{
private $originalHome;
protected function setUp()
{
$this->originalHome = getenv('HOME');
}
protected function tearDown()
{
if ($this->originalHome != getenv('HOME')) {
putenv('HOME=' . $this->originalHome);
}
}
public function testIsNullIfFileDoesNotExist()
{
putenv('HOME=' . __DIR__ . '/not_exists_fixtures');
$this->assertNull(
ServiceAccountCredentials::fromWellKnownFile('a scope')
);
}
public function testSucceedIfFileIsPresent()
{
putenv('HOME=' . __DIR__ . '/fixtures');
$this->assertNotNull(
ApplicationDefaultCredentials::getCredentials('a scope')
);
}
}
class SACFetchAuthTokenTest extends \PHPUnit_Framework_TestCase
{
private $privateKey;
public function setUp()
{
$this->privateKey =
file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
}
private function createTestJson()
{
$testJson = createTestJson();
$testJson['private_key'] = $this->privateKey;
return $testJson;
}
/**
* @expectedException GuzzleHttp\Exception\ClientException
*/
public function testFailsOnClientErrors()
{
$testJson = $this->createTestJson();
$scope = ['scope/1', 'scope/2'];
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(400)]));
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
$sa->fetchAuthToken($client);
}
/**
* @expectedException GuzzleHttp\Exception\ServerException
*/
public function testFailsOnServerErrors()
{
$testJson = $this->createTestJson();
$scope = ['scope/1', 'scope/2'];
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(500)]));
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
$sa->fetchAuthToken($client);
}
public function testCanFetchCredsOK()
{
$testJson = $this->createTestJson();
$testJsonText = json_encode($testJson);
$scope = ['scope/1', 'scope/2'];
$client = new Client();
$testResponse = new Response(200, [], Stream::factory($testJsonText));
$client->getEmitter()->attach(new Mock([$testResponse]));
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
$tokens = $sa->fetchAuthToken($client);
$this->assertEquals($testJson, $tokens);
}
public function testUpdateMetadataFunc()
{
$testJson = $this->createTestJson();
$scope = ['scope/1', 'scope/2'];
$client = new Client();
$access_token = 'accessToken123';
$responseText = json_encode(array('access_token' => $access_token));
$testResponse = new Response(200, [], Stream::factory($responseText));
$client->getEmitter()->attach(new Mock([$testResponse]));
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
$update_metadata = $sa->getUpdateMetadataFunc();
$this->assertTrue(is_callable($update_metadata));
$actual_metadata = call_user_func($update_metadata,
$metadata = array('foo' => 'bar'),
$authUri = null,
$client);
$this->assertTrue(
isset($actual_metadata[CredentialsLoader::AUTH_METADATA_KEY]));
$this->assertEquals(
$actual_metadata[CredentialsLoader::AUTH_METADATA_KEY],
array('Bearer ' . $access_token));
}
}
class SACJwtAccessTest extends \PHPUnit_Framework_TestCase
{
private $privateKey;
public function setUp()
{
$this->privateKey =
file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
}
private function createTestJson()
{
$testJson = createTestJson();
$testJson['private_key'] = $this->privateKey;
return $testJson;
}
/**
* @expectedException InvalidArgumentException
*/
public function testFailsOnMissingClientEmail()
{
$testJson = $this->createTestJson();
unset($testJson['client_email']);
$sa = new ServiceAccountJwtAccessCredentials(
$testJson
);
}
/**
* @expectedException InvalidArgumentException
*/
public function testFailsOnMissingPrivateKey()
{
$testJson = $this->createTestJson();
unset($testJson['private_key']);
$sa = new ServiceAccountJwtAccessCredentials(
$testJson
);
}
public function testCanInitializeFromJson()
{
$testJson = $this->createTestJson();
$sa = new ServiceAccountJwtAccessCredentials(
$testJson
);
$this->assertNotNull($sa);
}
public function testNoOpOnFetchAuthToken()
{
$testJson = $this->createTestJson();
$sa = new ServiceAccountJwtAccessCredentials(
$testJson
);
$this->assertNotNull($sa);
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(200)]));
$result = $sa->fetchAuthToken($client); // authUri has not been set
$this->assertNull($result);
}
public function testAuthUriIsNotSet()
{
$testJson = $this->createTestJson();
$sa = new ServiceAccountJwtAccessCredentials(
$testJson
);
$this->assertNotNull($sa);
$update_metadata = $sa->getUpdateMetadataFunc();
$this->assertTrue(is_callable($update_metadata));
$actual_metadata = call_user_func($update_metadata,
$metadata = array('foo' => 'bar'),
$authUri = null);
$this->assertTrue(
!isset($actual_metadata[CredentialsLoader::AUTH_METADATA_KEY]));
}
public function testUpdateMetadataFunc()
{
$testJson = $this->createTestJson();
$sa = new ServiceAccountJwtAccessCredentials(
$testJson
);
$this->assertNotNull($sa);
$update_metadata = $sa->getUpdateMetadataFunc();
$this->assertTrue(is_callable($update_metadata));
$actual_metadata = call_user_func($update_metadata,
$metadata = array('foo' => 'bar'),
$authUri = 'https://example.com/service');
$this->assertTrue(
isset($actual_metadata[CredentialsLoader::AUTH_METADATA_KEY]));
$authorization = $actual_metadata[CredentialsLoader::AUTH_METADATA_KEY];
$this->assertTrue(is_array($authorization));
$bearer_token = current($authorization);
$this->assertTrue(is_string($bearer_token));
$this->assertTrue(strpos($bearer_token, 'Bearer ') == 0);
$this->assertTrue(strlen($bearer_token) > 30);
$actual_metadata2 = call_user_func($update_metadata,
$metadata = array('foo' => 'bar'),
$authUri = 'https://example.com/anotherService');
$this->assertTrue(
isset($actual_metadata2[CredentialsLoader::AUTH_METADATA_KEY]));
$authorization2 = $actual_metadata2[CredentialsLoader::AUTH_METADATA_KEY];
$this->assertTrue(is_array($authorization2));
$bearer_token2 = current($authorization2);
$this->assertTrue(is_string($bearer_token2));
$this->assertTrue(strpos($bearer_token2, 'Bearer ') == 0);
$this->assertTrue(strlen($bearer_token2) > 30);
$this->assertTrue($bearer_token != $bearer_token2);
}
}
class SACJwtAccessComboTest extends \PHPUnit_Framework_TestCase
{
private $privateKey;
public function setUp()
{
$this->privateKey =
file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
}
private function createTestJson()
{
$testJson = createTestJson();
$testJson['private_key'] = $this->privateKey;
return $testJson;
}
public function testNoScopeUseJwtAccess()
{
$testJson = $this->createTestJson();
// no scope, jwt access should be used, no outbound
// call should be made
$scope = null;
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(500)]));
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
$this->assertNotNull($sa);
$update_metadata = $sa->getUpdateMetadataFunc();
$this->assertTrue(is_callable($update_metadata));
$actual_metadata = call_user_func($update_metadata,
$metadata = array('foo' => 'bar'),
$authUri = 'https://example.com/service');
$this->assertTrue(
isset($actual_metadata[CredentialsLoader::AUTH_METADATA_KEY]));
$authorization = $actual_metadata[CredentialsLoader::AUTH_METADATA_KEY];
$this->assertTrue(is_array($authorization));
$bearer_token = current($authorization);
$this->assertTrue(is_string($bearer_token));
$this->assertTrue(strpos($bearer_token, 'Bearer ') == 0);
$this->assertTrue(strlen($bearer_token) > 30);
}
public function testNoScopeAndNoAuthUri()
{
$testJson = $this->createTestJson();
// no scope, jwt access should be used, no outbound
// call should be made
$scope = null;
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(500)]));
$sa = new ServiceAccountCredentials(
$scope,
$testJson
);
$this->assertNotNull($sa);
$update_metadata = $sa->getUpdateMetadataFunc();
$this->assertTrue(is_callable($update_metadata));
$actual_metadata = call_user_func($update_metadata,
$metadata = array('foo' => 'bar'),
$authUri = null);
// no access_token is added to the metadata hash
// but also, no error should be thrown
$this->assertTrue(is_array($actual_metadata));
$this->assertTrue(
!isset($actual_metadata[CredentialsLoader::AUTH_METADATA_KEY]));
}
}
tests/mocks/AppIdentityService.php 0000666 00000000431 13436751451 0013321 0 ustar 00 'xyz',
'expiration_time' => '2147483646',
);
public static function getAccessToken($scope)
{
return self::$accessToken;
}
}
tests/IAMCredentialsTest.php 0000666 00000004220 13436751451 0012056 0 ustar 00 assertNotNull(
new IAMCredentials("iam-selector", "iam-token")
);
}
}
class IAMUpdateMetadataCallbackTest extends \PHPUnit_Framework_TestCase
{
public function testUpdateMetadataFunc()
{
$selector = 'iam-selector';
$token = 'iam-token';
$iam = new IAMCredentials(
$selector,
$token
);
$update_metadata = $iam->getUpdateMetadataFunc();
$this->assertTrue(is_callable($update_metadata));
$actual_metadata = call_user_func($update_metadata,
$metadata = array('foo' => 'bar'));
$this->assertTrue(
isset($actual_metadata[IAMCredentials::SELECTOR_KEY]));
$this->assertEquals(
$actual_metadata[IAMCredentials::SELECTOR_KEY],
$selector);
$this->assertTrue(
isset($actual_metadata[IAMCredentials::TOKEN_KEY]));
$this->assertEquals(
$actual_metadata[IAMCredentials::TOKEN_KEY],
$token);
}
} tests/ApplicationDefaultCredentialsTest.php 0000666 00000012213 13436751451 0015221 0 ustar 00 originalHome = getenv('HOME');
}
protected function tearDown()
{
if ($this->originalHome != getenv('HOME')) {
putenv('HOME=' . $this->originalHome);
}
putenv(ServiceAccountCredentials::ENV_VAR); // removes it from
}
/**
* @expectedException DomainException
*/
public function testIsFailsEnvSpecifiesNonExistentFile()
{
$keyFile = __DIR__ . '/fixtures' . '/does-not-exist-private.json';
putenv(ServiceAccountCredentials::ENV_VAR . '=' . $keyFile);
ApplicationDefaultCredentials::getCredentials('a scope');
}
public function testLoadsOKIfEnvSpecifiedIsValid()
{
$keyFile = __DIR__ . '/fixtures' . '/private.json';
putenv(ServiceAccountCredentials::ENV_VAR . '=' . $keyFile);
$this->assertNotNull(
ApplicationDefaultCredentials::getCredentials('a scope')
);
}
public function testLoadsDefaultFileIfPresentAndEnvVarIsNotSet()
{
putenv('HOME=' . __DIR__ . '/fixtures');
$this->assertNotNull(
ApplicationDefaultCredentials::getCredentials('a scope')
);
}
/**
* @expectedException DomainException
*/
public function testFailsIfNotOnGceAndNoDefaultFileFound()
{
putenv('HOME=' . __DIR__ . '/not_exist_fixtures');
$client = new Client();
// simulate not being GCE by return 500
$client->getEmitter()->attach(new Mock([new Response(500)]));
ApplicationDefaultCredentials::getCredentials('a scope', $client);
}
public function testSuccedsIfNoDefaultFilesButIsOnGCE()
{
$client = new Client();
// simulate the response from GCE.
$wantedTokens = [
'access_token' => '1/abdef1234567890',
'expires_in' => '57',
'token_type' => 'Bearer',
];
$jsonTokens = json_encode($wantedTokens);
$plugin = new Mock([
new Response(200, [GCECredentials::FLAVOR_HEADER => 'Google']),
new Response(200, [], Stream::factory($jsonTokens)),
]);
$client->getEmitter()->attach($plugin);
$this->assertNotNull(
ApplicationDefaultCredentials::getCredentials('a scope', $client)
);
}
}
class ADCGetFetcherTest extends \PHPUnit_Framework_TestCase
{
private $originalHome;
protected function setUp()
{
$this->originalHome = getenv('HOME');
}
protected function tearDown()
{
if ($this->originalHome != getenv('HOME')) {
putenv('HOME=' . $this->originalHome);
}
putenv(ServiceAccountCredentials::ENV_VAR); // removes it if assigned
}
/**
* @expectedException DomainException
*/
public function testIsFailsEnvSpecifiesNonExistentFile()
{
$keyFile = __DIR__ . '/fixtures' . '/does-not-exist-private.json';
putenv(ServiceAccountCredentials::ENV_VAR . '=' . $keyFile);
ApplicationDefaultCredentials::getFetcher('a scope');
}
public function testLoadsOKIfEnvSpecifiedIsValid()
{
$keyFile = __DIR__ . '/fixtures' . '/private.json';
putenv(ServiceAccountCredentials::ENV_VAR . '=' . $keyFile);
$this->assertNotNull(ApplicationDefaultCredentials::getFetcher('a scope'));
}
public function testLoadsDefaultFileIfPresentAndEnvVarIsNotSet()
{
putenv('HOME=' . __DIR__ . '/fixtures');
$this->assertNotNull(ApplicationDefaultCredentials::getFetcher('a scope'));
}
/**
* @expectedException DomainException
*/
public function testFailsIfNotOnGceAndNoDefaultFileFound()
{
putenv('HOME=' . __DIR__ . '/not_exist_fixtures');
$client = new Client();
// simulate not being GCE by return 500
$client->getEmitter()->attach(new Mock([new Response(500)]));
ApplicationDefaultCredentials::getFetcher('a scope', $client);
}
public function testSuccedsIfNoDefaultFilesButIsOnGCE()
{
$client = new Client();
// simulate the response from GCE.
$wantedTokens = [
'access_token' => '1/abdef1234567890',
'expires_in' => '57',
'token_type' => 'Bearer',
];
$jsonTokens = json_encode($wantedTokens);
$plugin = new Mock([
new Response(200, [GCECredentials::FLAVOR_HEADER => 'Google']),
new Response(200, [], Stream::factory($jsonTokens)),
]);
$client->getEmitter()->attach($plugin);
$this->assertNotNull(
ApplicationDefaultCredentials::getFetcher('a scope', $client));
}
}
tests/GCECredentialsTest.php 0000666 00000006517 13436751451 0012061 0 ustar 00 getEmitter()->attach(new Mock([new Response(400)]));
$this->assertFalse(GCECredentials::onGCE($client));
}
public function testIsFalseOnServerErrorStatus()
{
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(500)]));
$this->assertFalse(GCECredentials::onGCE($client));
}
public function testIsFalseOnOkStatusWithoutExpectedHeader()
{
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(200)]));
$this->assertFalse(GCECredentials::onGCE($client));
}
public function testIsOkIfGoogleIsTheFlavor()
{
$client = new Client();
$plugin = new Mock([new Response(200, [GCECredentials::FLAVOR_HEADER => 'Google'])]);
$client->getEmitter()->attach($plugin);
$this->assertTrue(GCECredentials::onGCE($client));
}
}
class GCECredentialsGetCacheKeyTest extends \PHPUnit_Framework_TestCase
{
public function testShouldNotBeEmpty()
{
$g = new GCECredentials();
$this->assertNotEmpty($g->getCacheKey());
}
}
class GCECredentialsFetchAuthTokenTest extends \PHPUnit_Framework_TestCase
{
public function testShouldBeEmptyIfNotOnGCE()
{
$client = new Client();
$client->getEmitter()->attach(new Mock([new Response(500)]));
$g = new GCECredentials();
$this->assertEquals(array(), $g->fetchAuthToken($client));
}
/**
* @expectedException GuzzleHttp\Exception\ParseException
*/
public function testShouldFailIfResponseIsNotJson()
{
$notJson = '{"foo": , this is cannot be passed as json" "bar"}';
$client = new Client();
$plugin = new Mock([
new Response(200, [GCECredentials::FLAVOR_HEADER => 'Google']),
new Response(200, [], Stream::factory($notJson)),
]);
$client->getEmitter()->attach($plugin);
$g = new GCECredentials();
$this->assertEquals(array(), $g->fetchAuthToken($client));
}
public function testShouldReturnTokenInfo()
{
$wantedTokens = [
'access_token' => '1/abdef1234567890',
'expires_in' => '57',
'token_type' => 'Bearer',
];
$jsonTokens = json_encode($wantedTokens);
$client = new Client();
$plugin = new Mock([
new Response(200, [GCECredentials::FLAVOR_HEADER => 'Google']),
new Response(200, [], Stream::factory($jsonTokens)),
]);
$client->getEmitter()->attach($plugin);
$g = new GCECredentials();
$this->assertEquals($wantedTokens, $g->fetchAuthToken($client));
}
}
tests/fixtures2/.config/gcloud/application_default_credentials.json 0000666 00000000210 13436751451 0021726 0 ustar 00 {
"client_id": "client123",
"client_secret": "clientSecret123",
"refresh_token": "refreshToken123",
"type": "authorized_user"
}
tests/fixtures2/private.json 0000666 00000000210 13436751451 0012214 0 ustar 00 {
"client_id": "client123",
"client_secret": "clientSecret123",
"refresh_token": "refreshToken123",
"type": "authorized_user"
}
tests/AuthTokenFetcherTest.php 0000666 00000015253 13436751451 0012505 0 ustar 00 mockFetcher =
$this
->getMockBuilder('Google\Auth\FetchAuthTokenInterface')
->getMock();
$this->mockCache =
$this
->getMockBuilder('Google\Auth\CacheInterface')
->getMock();
}
public function testSubscribesToEvents()
{
$a = new AuthTokenFetcher($this->mockFetcher, array());
$this->assertArrayHasKey('before', $a->getEvents());
}
public function testOnlyTouchesWhenAuthConfigScoped()
{
$s = new AuthTokenFetcher($this->mockFetcher, array());
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'not_google_auth']);
$before = new BeforeEvent(new Transaction($client, $request));
$s->onBefore($before);
$this->assertSame($request->getHeader('Authorization'), '');
}
public function testAddsTheTokenAsAnAuthorizationHeader()
{
$authResult = ['access_token' => '1/abcdef1234567890'];
$this->mockFetcher
->expects($this->once())
->method('fetchAuthToken')
->will($this->returnValue($authResult));
// Run the test.
$a = new AuthTokenFetcher($this->mockFetcher, array());
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'google_auth']);
$before = new BeforeEvent(new Transaction($client, $request));
$a->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 1/abcdef1234567890');
}
public function testDoesNotAddAnAuthorizationHeaderOnNoAccessToken()
{
$authResult = ['not_access_token' => '1/abcdef1234567890'];
$this->mockFetcher
->expects($this->once())
->method('fetchAuthToken')
->will($this->returnValue($authResult));
// Run the test.
$a = new AuthTokenFetcher($this->mockFetcher, array());
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'google_auth']);
$before = new BeforeEvent(new Transaction($client, $request));
$a->onBefore($before);
$this->assertSame($request->getHeader('Authorization'), '');
}
public function testUsesCachedAuthToken()
{
$cacheKey = 'myKey';
$cachedValue = '2/abcdef1234567890';
$this->mockCache
->expects($this->once())
->method('get')
->with($this->equalTo($cacheKey),
$this->equalTo(AuthTokenFetcher::DEFAULT_CACHE_LIFETIME))
->will($this->returnValue($cachedValue));
$this->mockFetcher
->expects($this->never())
->method('fetchAuthToken');
$this->mockFetcher
->expects($this->any())
->method('getCacheKey')
->will($this->returnValue($cacheKey));
// Run the test.
$a = new AuthTokenFetcher($this->mockFetcher, array(), $this->mockCache);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'google_auth']);
$before = new BeforeEvent(new Transaction($client, $request));
$a->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 2/abcdef1234567890');
}
public function testGetsCachedAuthTokenUsingCacheOptions()
{
$prefix = 'test_prefix:';
$lifetime = '70707';
$cacheKey = 'myKey';
$cachedValue = '2/abcdef1234567890';
$this->mockCache
->expects($this->once())
->method('get')
->with($this->equalTo($prefix . $cacheKey),
$this->equalTo($lifetime))
->will($this->returnValue($cachedValue));
$this->mockFetcher
->expects($this->never())
->method('fetchAuthToken');
$this->mockFetcher
->expects($this->any())
->method('getCacheKey')
->will($this->returnValue($cacheKey));
// Run the test
$a = new AuthTokenFetcher($this->mockFetcher,
array('prefix' => $prefix,
'lifetime' => $lifetime),
$this->mockCache);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'google_auth']);
$before = new BeforeEvent(new Transaction($client, $request));
$a->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 2/abcdef1234567890');
}
public function testShouldSaveValueInCacheWithSpecifiedPrefix()
{
$token = '1/abcdef1234567890';
$authResult = ['access_token' => $token];
$cacheKey = 'myKey';
$prefix = 'test_prefix:';
$this->mockCache
->expects($this->any())
->method('get')
->will($this->returnValue(null));
$this->mockCache
->expects($this->once())
->method('set')
->with($this->equalTo($prefix . $cacheKey),
$this->equalTo($token))
->will($this->returnValue(false));
$this->mockFetcher
->expects($this->any())
->method('getCacheKey')
->will($this->returnValue($cacheKey));
$this->mockFetcher
->expects($this->once())
->method('fetchAuthToken')
->will($this->returnValue($authResult));
// Run the test
$a = new AuthTokenFetcher($this->mockFetcher,
array('prefix' => $prefix),
$this->mockCache);
$client = new Client();
$request = $client->createRequest('GET', 'http://testing.org',
['auth' => 'google_auth']);
$before = new BeforeEvent(new Transaction($client, $request));
$a->onBefore($before);
$this->assertSame($request->getHeader('Authorization'),
'Bearer 1/abcdef1234567890');
}
}
tests/OAuth2Test.php 0000666 00000057602 13436751451 0010410 0 ustar 00 'https://accounts.test.org/insecure/url',
'redirectUri' => 'https://accounts.test.org/redirect/url',
'clientId' => 'aClientID'
];
/**
* @expectedException InvalidArgumentException
*/
public function testIsNullIfAuthorizationUriIsNull()
{
$o = new OAuth2([]);
$this->assertNull($o->buildFullAuthorizationUri());
}
/**
* @expectedException InvalidArgumentException
*/
public function testRequiresTheClientId()
{
$o = new OAuth2([
'authorizationUri' => 'https://accounts.test.org/auth/url',
'redirectUri' => 'https://accounts.test.org/redirect/url'
]);
$o->buildFullAuthorizationUri();
}
/**
* @expectedException InvalidArgumentException
*/
public function testRequiresTheRedirectUri()
{
$o = new OAuth2([
'authorizationUri' => 'https://accounts.test.org/auth/url',
'clientId' => 'aClientID'
]);
$o->buildFullAuthorizationUri();
}
/**
* @expectedException InvalidArgumentException
*/
public function testCannotHavePromptAndApprovalPrompt()
{
$o = new OAuth2([
'authorizationUri' => 'https://accounts.test.org/auth/url',
'clientId' => 'aClientID'
]);
$o->buildFullAuthorizationUri([
'approval_prompt' => 'an approval prompt',
'prompt' => 'a prompt',
]);
}
/**
* @expectedException InvalidArgumentException
*/
public function testCannotHaveInsecureAuthorizationUri()
{
$o = new OAuth2([
'authorizationUri' => 'http://accounts.test.org/insecure/url',
'redirectUri' => 'https://accounts.test.org/redirect/url',
'clientId' => 'aClientID'
]);
$o->buildFullAuthorizationUri();
}
/**
* @expectedException InvalidArgumentException
*/
public function testCannotHaveRelativeRedirectUri()
{
$o = new OAuth2([
'authorizationUri' => 'http://accounts.test.org/insecure/url',
'redirectUri' => '/redirect/url',
'clientId' => 'aClientID'
]);
$o->buildFullAuthorizationUri();
}
public function testHasDefaultXXXTypeParams()
{
$o = new OAuth2($this->minimal);
$q = $o->buildFullAuthorizationUri()->getQuery();
$this->assertEquals('code', $q->get('response_type'));
$this->assertEquals('offline', $q->get('access_type'));
}
public function testCanBeUrlObject()
{
$config = array_merge($this->minimal, [
'authorizationUri' => Url::fromString('https://another/uri')
]);
$o = new OAuth2($config);
$this->assertEquals('/uri', $o->buildFullAuthorizationUri()->getPath());
}
public function testCanOverrideParams()
{
$overrides = [
'access_type' => 'o_access_type',
'client_id' => 'o_client_id',
'redirect_uri' => 'o_redirect_uri',
'response_type' => 'o_response_type',
'state' => 'o_state',
];
$config = array_merge($this->minimal, ['state' => 'the_state']);
$o = new OAuth2($config);
$q = $o->buildFullAuthorizationUri($overrides)->getQuery();
$this->assertEquals('o_access_type', $q->get('access_type'));
$this->assertEquals('o_client_id', $q->get('client_id'));
$this->assertEquals('o_redirect_uri', $q->get('redirect_uri'));
$this->assertEquals('o_response_type', $q->get('response_type'));
$this->assertEquals('o_state', $q->get('state'));
}
public function testIncludesTheScope()
{
$with_strings = array_merge($this->minimal, ['scope' => 'scope1 scope2']);
$o = new OAuth2($with_strings);
$q = $o->buildFullAuthorizationUri()->getQuery();
$this->assertEquals('scope1 scope2', $q->get('scope'));
$with_array = array_merge($this->minimal, [
'scope' => ['scope1', 'scope2']
]);
$o = new OAuth2($with_array);
$q = $o->buildFullAuthorizationUri()->getQuery();
$this->assertEquals('scope1 scope2', $q->get('scope'));
}
}
class OAuth2GrantTypeTest extends \PHPUnit_Framework_TestCase
{
private $minimal = [
'authorizationUri' => 'https://accounts.test.org/insecure/url',
'redirectUri' => 'https://accounts.test.org/redirect/url',
'clientId' => 'aClientID'
];
public function testReturnsNullIfCannotBeInferred()
{
$o = new OAuth2($this->minimal);
$this->assertNull($o->getGrantType());
}
public function testInfersAuthorizationCode()
{
$o = new OAuth2($this->minimal);
$o->setCode('an auth code');
$this->assertEquals('authorization_code', $o->getGrantType());
}
public function testInfersRefreshToken()
{
$o = new OAuth2($this->minimal);
$o->setRefreshToken('a refresh token');
$this->assertEquals('refresh_token', $o->getGrantType());
}
public function testInfersPassword()
{
$o = new OAuth2($this->minimal);
$o->setPassword('a password');
$o->setUsername('a username');
$this->assertEquals('password', $o->getGrantType());
}
public function testInfersJwtBearer()
{
$o = new OAuth2($this->minimal);
$o->setIssuer('an issuer');
$o->setSigningKey('a key');
$this->assertEquals('urn:ietf:params:oauth:grant-type:jwt-bearer',
$o->getGrantType());
}
public function testSetsKnownTypes()
{
$o = new OAuth2($this->minimal);
foreach (OAuth2::$knownGrantTypes as $t) {
$o->setGrantType($t);
$this->assertEquals($t, $o->getGrantType());
}
}
public function testSetsUrlAsGrantType()
{
$o = new OAuth2($this->minimal);
$o->setGrantType('http://a/grant/url');
$this->assertInstanceOf('GuzzleHttp\Url', $o->getGrantType());
$this->assertEquals('http://a/grant/url', strval($o->getGrantType()));
}
}
class OAuth2GetCacheKeyTest extends \PHPUnit_Framework_TestCase
{
private $minimal = [
'clientID' => 'aClientID'
];
public function testIsNullWithNoScopes()
{
$o = new OAuth2($this->minimal);
$this->assertNull($o->getCacheKey());
}
public function testIsScopeIfSingleScope()
{
$o = new OAuth2($this->minimal);
$o->setScope('test/scope/1');
$this->assertEquals('test/scope/1', $o->getCacheKey());
}
public function testIsAllScopesWhenScopeIsArray()
{
$o = new OAuth2($this->minimal);
$o->setScope(['test/scope/1', 'test/scope/2']);
$this->assertEquals('test/scope/1:test/scope/2', $o->getCacheKey());
}
}
class OAuth2TimingTest extends \PHPUnit_Framework_TestCase
{
private $minimal = [
'authorizationUri' => 'https://accounts.test.org/insecure/url',
'redirectUri' => 'https://accounts.test.org/redirect/url',
'clientId' => 'aClientID'
];
public function testIssuedAtDefaultsToNull()
{
$o = new OAuth2($this->minimal);
$this->assertNull($o->getIssuedAt());
}
public function testExpiresAtDefaultsToNull()
{
$o = new OAuth2($this->minimal);
$this->assertNull($o->getExpiresAt());
}
public function testExpiresInDefaultsToNull()
{
$o = new OAuth2($this->minimal);
$this->assertNull($o->getExpiresIn());
}
public function testSettingExpiresInSetsIssuedAt()
{
$o = new OAuth2($this->minimal);
$this->assertNull($o->getIssuedAt());
$aShortWhile = 5;
$o->setExpiresIn($aShortWhile);
$this->assertEquals($aShortWhile, $o->getExpiresIn());
$this->assertNotNull($o->getIssuedAt());
}
public function testSettingExpiresInSetsExpireAt()
{
$o = new OAuth2($this->minimal);
$this->assertNull($o->getExpiresAt());
$aShortWhile = 5;
$o->setExpiresIn($aShortWhile);
$this->assertNotNull($o->getExpiresAt());
$this->assertEquals($aShortWhile, $o->getExpiresAt() - $o->getIssuedAt());
}
public function testIsNotExpiredByDefault()
{
$o = new OAuth2($this->minimal);
$this->assertFalse($o->isExpired());
}
public function testIsNotExpiredIfExpiresAtIsOld()
{
$o = new OAuth2($this->minimal);
$o->setExpiresAt(time() - 2);
$this->assertTrue($o->isExpired());
}
}
class OAuth2GeneralTest extends \PHPUnit_Framework_TestCase
{
private $minimal = [
'authorizationUri' => 'https://accounts.test.org/insecure/url',
'redirectUri' => 'https://accounts.test.org/redirect/url',
'clientId' => 'aClientID'
];
/**
* @expectedException InvalidArgumentException
*/
public function testFailsOnUnknownSigningAlgorithm()
{
$o = new OAuth2($this->minimal);
$o->setSigningAlgorithm('this is definitely not an algorithm name');
}
public function testAllowsKnownSigningAlgorithms()
{
$o = new OAuth2($this->minimal);
foreach (OAuth2::$knownSigningAlgorithms as $a) {
$o->setSigningAlgorithm($a);
$this->assertEquals($a, $o->getSigningAlgorithm());
}
}
/**
* @expectedException InvalidArgumentException
*/
public function testFailsOnRelativeRedirectUri()
{
$o = new OAuth2($this->minimal);
$o->setRedirectUri('/relative/url');
}
public function testAllowsUrnRedirectUri()
{
$urn = 'urn:ietf:wg:oauth:2.0:oob';
$o = new OAuth2($this->minimal);
$o->setRedirectUri($urn);
$this->assertEquals($urn, $o->getRedirectUri());
}
}
class OAuth2JwtTest extends \PHPUnit_Framework_TestCase
{
private $signingMinimal = [
'signingKey' => 'example_key',
'signingAlgorithm' => 'HS256',
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
'issuer' => 'app@example.com',
'audience' => 'accounts.google.com',
'clientId' => 'aClientID'
];
/**
* @expectedException DomainException
*/
public function testFailsWithMissingAudience()
{
$testConfig = $this->signingMinimal;
unset($testConfig['audience']);
$o = new OAuth2($testConfig);
$o->toJwt();
}
/**
* @expectedException DomainException
*/
public function testFailsWithMissingIssuer()
{
$testConfig = $this->signingMinimal;
unset($testConfig['issuer']);
$o = new OAuth2($testConfig);
$o->toJwt();
}
/**
*/
public function testCanHaveNoScope()
{
$testConfig = $this->signingMinimal;
unset($testConfig['scope']);
$o = new OAuth2($testConfig);
$o->toJwt();
}
/**
* @expectedException DomainException
*/
public function testFailsWithMissingSigningKey()
{
$testConfig = $this->signingMinimal;
unset($testConfig['signingKey']);
$o = new OAuth2($testConfig);
$o->toJwt();
}
/**
* @expectedException DomainException
*/
public function testFailsWithMissingSigningAlgorithm()
{
$testConfig = $this->signingMinimal;
unset($testConfig['signingAlgorithm']);
$o = new OAuth2($testConfig);
$o->toJwt();
}
public function testCanHS256EncodeAValidPayload()
{
$testConfig = $this->signingMinimal;
$o = new OAuth2($testConfig);
$payload = $o->toJwt();
$roundTrip = JWT::decode($payload, $testConfig['signingKey'], array('HS256')) ;
$this->assertEquals($roundTrip->iss, $testConfig['issuer']);
$this->assertEquals($roundTrip->aud, $testConfig['audience']);
$this->assertEquals($roundTrip->scope, $testConfig['scope']);
}
public function testCanRS256EncodeAValidPayload()
{
$publicKey = file_get_contents(__DIR__ . '/fixtures' . '/public.pem');
$privateKey = file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
$testConfig = $this->signingMinimal;
$o = new OAuth2($testConfig);
$o->setSigningAlgorithm('RS256');
$o->setSigningKey($privateKey);
$payload = $o->toJwt();
$roundTrip = JWT::decode($payload, $publicKey, array('RS256')) ;
$this->assertEquals($roundTrip->iss, $testConfig['issuer']);
$this->assertEquals($roundTrip->aud, $testConfig['audience']);
$this->assertEquals($roundTrip->scope, $testConfig['scope']);
}
}
class OAuth2GenerateAccessTokenRequestTest extends \PHPUnit_Framework_TestCase
{
private $tokenRequestMinimal = [
'tokenCredentialUri' => 'https://tokens_r_us/test',
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
'issuer' => 'app@example.com',
'audience' => 'accounts.google.com',
'clientId' => 'aClientID'
];
/**
* @expectedException DomainException
*/
public function testFailsIfNoTokenCredentialUri()
{
$testConfig = $this->tokenRequestMinimal;
unset($testConfig['tokenCredentialUri']);
$o = new OAuth2($testConfig);
$o->generateCredentialsRequest();
}
/**
* @expectedException DomainException
*/
public function testFailsIfAuthorizationCodeIsMissing()
{
$testConfig = $this->tokenRequestMinimal;
$testConfig['redirectUri'] = 'https://has/redirect/uri';
$o = new OAuth2($testConfig);
$o->generateCredentialsRequest();
}
public function testGeneratesAuthorizationCodeRequests()
{
$testConfig = $this->tokenRequestMinimal;
$testConfig['redirectUri'] = 'https://has/redirect/uri';
$o = new OAuth2($testConfig);
$o->setCode('an_auth_code');
// Generate the request and confirm that it's correct.
$req = $o->generateCredentialsRequest();
$this->assertInstanceOf('GuzzleHttp\Message\RequestInterface', $req);
$this->assertEquals('POST', $req->getMethod());
$fields = $req->getBody()->getFields();
$this->assertEquals('authorization_code', $fields['grant_type']);
$this->assertEquals('an_auth_code', $fields['code']);
}
public function testGeneratesPasswordRequests()
{
$testConfig = $this->tokenRequestMinimal;
$o = new OAuth2($testConfig);
$o->setUsername('a_username');
$o->setPassword('a_password');
// Generate the request and confirm that it's correct.
$req = $o->generateCredentialsRequest();
$this->assertInstanceOf('GuzzleHttp\Message\RequestInterface', $req);
$this->assertEquals('POST', $req->getMethod());
$fields = $req->getBody()->getFields();
$this->assertEquals('password', $fields['grant_type']);
$this->assertEquals('a_password', $fields['password']);
$this->assertEquals('a_username', $fields['username']);
}
public function testGeneratesRefreshTokenRequests()
{
$testConfig = $this->tokenRequestMinimal;
$o = new OAuth2($testConfig);
$o->setRefreshToken('a_refresh_token');
// Generate the request and confirm that it's correct.
$req = $o->generateCredentialsRequest();
$this->assertInstanceOf('GuzzleHttp\Message\RequestInterface', $req);
$this->assertEquals('POST', $req->getMethod());
$fields = $req->getBody()->getFields();
$this->assertEquals('refresh_token', $fields['grant_type']);
$this->assertEquals('a_refresh_token', $fields['refresh_token']);
}
public function testClientSecretAddedIfSetForAuthorizationCodeRequests()
{
$testConfig = $this->tokenRequestMinimal;
$testConfig['clientSecret'] = 'a_client_secret';
$testConfig['redirectUri'] = 'https://has/redirect/uri';
$o = new OAuth2($testConfig);
$o->setCode('an_auth_code');
$request = $o->generateCredentialsRequest();
$this->assertEquals('a_client_secret', $request->getBody()->getField('client_secret'));
}
public function testClientSecretAddedIfSetForRefreshTokenRequests()
{
$testConfig = $this->tokenRequestMinimal;
$testConfig['clientSecret'] = 'a_client_secret';
$o = new OAuth2($testConfig);
$o->setRefreshToken('a_refresh_token');
$request = $o->generateCredentialsRequest();
$this->assertEquals('a_client_secret', $request->getBody()->getField('client_secret'));
}
public function testClientSecretAddedIfSetForPasswordRequests()
{
$testConfig = $this->tokenRequestMinimal;
$testConfig['clientSecret'] = 'a_client_secret';
$o = new OAuth2($testConfig);
$o->setUsername('a_username');
$o->setPassword('a_password');
$request = $o->generateCredentialsRequest();
$this->assertEquals('a_client_secret', $request->getBody()->getField('client_secret'));
}
public function testGeneratesAssertionRequests()
{
$testConfig = $this->tokenRequestMinimal;
$o = new OAuth2($testConfig);
$o->setSigningKey('a_key');
$o->setSigningAlgorithm('HS256');
// Generate the request and confirm that it's correct.
$req = $o->generateCredentialsRequest();
$this->assertInstanceOf('GuzzleHttp\Message\RequestInterface', $req);
$this->assertEquals('POST', $req->getMethod());
$fields = $req->getBody()->getFields();
$this->assertEquals(OAuth2::JWT_URN, $fields['grant_type']);
$this->assertTrue(array_key_exists('assertion', $fields));
}
public function testGeneratesExtendedRequests()
{
$testConfig = $this->tokenRequestMinimal;
$o = new OAuth2($testConfig);
$o->setGrantType('urn:my_test_grant_type');
$o->setExtensionParams(['my_param' => 'my_value']);
// Generate the request and confirm that it's correct.
$req = $o->generateCredentialsRequest();
$this->assertInstanceOf('GuzzleHttp\Message\RequestInterface', $req);
$this->assertEquals('POST', $req->getMethod());
$fields = $req->getBody()->getFields();
$this->assertEquals('my_value', $fields['my_param']);
$this->assertEquals('urn:my_test_grant_type', $fields['grant_type']);
}
}
class OAuth2FetchAuthTokenTest extends \PHPUnit_Framework_TestCase
{
private $fetchAuthTokenMinimal = [
'tokenCredentialUri' => 'https://tokens_r_us/test',
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
'signingKey' => 'example_key',
'signingAlgorithm' => 'HS256',
'issuer' => 'app@example.com',
'audience' => 'accounts.google.com',
'clientId' => 'aClientID'
];
private function mockPluginWithCode($code)
{
$plugin = new Mock();
$plugin->addResponse(new Response($code));
return $plugin;
}
/**
* @expectedException GuzzleHttp\Exception\ClientException
*/
public function testFailsOn400()
{
$testConfig = $this->fetchAuthTokenMinimal;
$client = new Client();
$client->getEmitter()->attach($this->mockPluginWithCode(400));
$o = new OAuth2($testConfig);
$o->fetchAuthToken($client);
}
/**
* @expectedException GuzzleHttp\Exception\ServerException
*/
public function testFailsOn500()
{
$testConfig = $this->fetchAuthTokenMinimal;
$client = new Client();
$client->getEmitter()->attach($this->mockPluginWithCode(500));
$o = new OAuth2($testConfig);
$o->fetchAuthToken($client);
}
/**
* @expectedException GuzzleHttp\Exception\ParseException
*/
public function testFailsOnNoContentTypeIfResponseIsNotJSON()
{
$testConfig = $this->fetchAuthTokenMinimal;
$notJson = '{"foo": , this is cannot be passed as json" "bar"}';
$client = new Client();
$plugin = new Mock();
$plugin->addResponse(new Response(200, [], Stream::factory($notJson)));
$client->getEmitter()->attach($plugin);
$o = new OAuth2($testConfig);
$o->fetchAuthToken($client);
}
public function testFetchesJsonResponseOnNoContentTypeOK()
{
$testConfig = $this->fetchAuthTokenMinimal;
$json = '{"foo": "bar"}';
$client = new Client();
$plugin = new Mock();
$plugin->addResponse(new Response(200, [], Stream::factory($json)));
$client->getEmitter()->attach($plugin);
$o = new OAuth2($testConfig);
$tokens = $o->fetchAuthToken($client);
$this->assertEquals($tokens['foo'], 'bar');
}
public function testFetchesFromFormEncodedResponseOK()
{
$testConfig = $this->fetchAuthTokenMinimal;
$json = 'foo=bar&spice=nice';
$client = new Client();
$plugin = new Mock();
$plugin->addResponse(new Response(
200,
['Content-Type' => 'application/x-www-form-urlencoded'],
Stream::factory($json)));
$client->getEmitter()->attach($plugin);
$o = new OAuth2($testConfig);
$tokens = $o->fetchAuthToken($client);
$this->assertEquals($tokens['foo'], 'bar');
$this->assertEquals($tokens['spice'], 'nice');
}
public function testUpdatesTokenFieldsOnFetch()
{
$testConfig = $this->fetchAuthTokenMinimal;
$wanted_updates = [
'expires_at' => '1',
'expires_in' => '57',
'issued_at' => '2',
'access_token' => 'an_access_token',
'id_token' => 'an_id_token',
'refresh_token' => 'a_refresh_token',
];
$json = json_encode($wanted_updates);
$client = new Client();
$plugin = new Mock();
$plugin->addResponse(new Response(200, [], Stream::factory($json)));
$client->getEmitter()->attach($plugin);
$o = new OAuth2($testConfig);
$this->assertNull($o->getExpiresAt());
$this->assertNull($o->getExpiresIn());
$this->assertNull($o->getIssuedAt());
$this->assertNull($o->getAccessToken());
$this->assertNull($o->getIdToken());
$this->assertNull($o->getRefreshToken());
$tokens = $o->fetchAuthToken($client);
$this->assertEquals(1, $o->getExpiresAt());
$this->assertEquals(57, $o->getExpiresIn());
$this->assertEquals(2, $o->getIssuedAt());
$this->assertEquals('an_access_token', $o->getAccessToken());
$this->assertEquals('an_id_token', $o->getIdToken());
$this->assertEquals('a_refresh_token', $o->getRefreshToken());
}
}
class OAuth2VerifyIdTokenTest extends \PHPUnit_Framework_TestCase
{
private $publicKey;
private $privateKey;
private $verifyIdTokenMinimal = [
'scope' => 'https://www.googleapis.com/auth/userinfo.profile',
'audience' => 'myaccount.on.host.issuer.com',
'issuer' => 'an.issuer.com',
'clientId' => 'myaccount.on.host.issuer.com'
];
public function setUp()
{
$this->publicKey =
file_get_contents(__DIR__ . '/fixtures' . '/public.pem');
$this->privateKey =
file_get_contents(__DIR__ . '/fixtures' . '/private.pem');
}
/**
* @expectedException UnexpectedValueException
*/
public function testFailsIfIdTokenIsInvalid()
{
$testConfig = $this->verifyIdTokenMinimal;
$not_a_jwt = 'not a jot';
$o = new OAuth2($testConfig);
$o->setIdToken($not_a_jwt);
$o->verifyIdToken($this->publicKey);
}
/**
* @expectedException DomainException
*/
public function testFailsIfAudienceIsMissing()
{
$testConfig = $this->verifyIdTokenMinimal;
$now = time();
$origIdToken = [
'issuer' => $testConfig['issuer'],
'exp' => $now + 65, // arbitrary
'iat' => $now,
];
$o = new OAuth2($testConfig);
$jwtIdToken = JWT::encode($origIdToken, $this->privateKey, 'RS256');
$o->setIdToken($jwtIdToken);
$o->verifyIdToken($this->publicKey);
}
/**
* @expectedException DomainException
*/
public function testFailsIfAudienceIsWrong()
{
$now = time();
$testConfig = $this->verifyIdTokenMinimal;
$origIdToken = [
'aud' => 'a different audience',
'iss' => $testConfig['issuer'],
'exp' => $now + 65, // arbitrary
'iat' => $now,
];
$o = new OAuth2($testConfig);
$jwtIdToken = JWT::encode($origIdToken, $this->privateKey, 'RS256');
$o->setIdToken($jwtIdToken);
$o->verifyIdToken($this->publicKey);
}
public function testShouldReturnAValidIdToken()
{
$testConfig = $this->verifyIdTokenMinimal;
$now = time();
$origIdToken = [
'aud' => $testConfig['audience'],
'iss' => $testConfig['issuer'],
'exp' => $now + 65, // arbitrary
'iat' => $now,
];
$o = new OAuth2($testConfig);
$alg = 'RS256';
$jwtIdToken = JWT::encode($origIdToken, $this->privateKey, $alg);
$o->setIdToken($jwtIdToken);
$roundTrip = $o->verifyIdToken($this->publicKey, array($alg));
$this->assertEquals($origIdToken['aud'], $roundTrip->aud);
}
}
tests/bootstrap.php 0000666 00000001322 13436751451 0010447 0 ustar 00 assertFalse(AppIdentityCredentials::onAppEngine());
}
public function testIsTrueWhenServerSoftwareIsGoogleAppEngine()
{
$_SERVER['SERVER_SOFTWARE'] = 'Google App Engine';
$this->assertTrue(AppIdentityCredentials::onAppEngine());
}
}
class AppIdentityCredentialsGetCacheKeyTest extends \PHPUnit_Framework_TestCase
{
public function testShouldNotBeEmpty()
{
$g = new AppIdentityCredentials();
$this->assertNotEmpty($g->getCacheKey());
}
}
class AppIdentityCredentialsFetchAuthTokenTest extends \PHPUnit_Framework_TestCase
{
public function testShouldBeEmptyIfNotOnAppEngine()
{
$g = new AppIdentityCredentials();
$this->assertEquals(array(), $g->fetchAuthToken());
}
/* @expectedException */
public function testTHrowsExceptionIfClassDoesntExist()
{
$_SERVER['SERVER_SOFTWARE'] = 'Google App Engine';
$g = new AppIdentityCredentials();
}
public function testReturnsExpectedToken()
{
// include the mock AppIdentityService class
require_once __DIR__ . '/mocks/AppIdentityService.php';
$wantedToken = [
'access_token' => '1/abdef1234567890',
'expires_in' => '57',
'token_type' => 'Bearer',
];
AppIdentityService::$accessToken = $wantedToken;
// AppIdentityService::$accessToken = $wantedToken;
$_SERVER['SERVER_SOFTWARE'] = 'Google App Engine';
$g = new AppIdentityCredentials();
$this->assertEquals($wantedToken, $g->fetchAuthToken());
}
}
tests/fixtures/public.pem 0000666 00000000420 13436751451 0011551 0 ustar 00 -----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzU+jLTzW6154Joezxrd2+5pCN
YP0HcaMoYqEyXfNRpkNE7wrQUEG830o4Qcaae2BhqZoujwSW7RkR6h0Fkd0WTR8h
5J8rSGNHv/1jJoUUjP9iZ/5SFAyIIyEYfDPqtnA4iF1QWO2lXWlEFSuZjwM/8jBm
eGzoiw17akNThIw8NwIDAQAB
-----END PUBLIC KEY-----
tests/fixtures/.config/gcloud/application_default_credentials.json 0000666 00000000242 13436751451 0021651 0 ustar 00 {
"private_key_id": "key123",
"private_key": "privatekey",
"client_email": "hello@youarecool.com",
"client_id": "client123",
"type": "service_account"
} tests/fixtures/private.pem 0000666 00000001567 13436751451 0011762 0 ustar 00 -----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDzU+jLTzW6154Joezxrd2+5pCNYP0HcaMoYqEyXfNRpkNE7wrQ
UEG830o4Qcaae2BhqZoujwSW7RkR6h0Fkd0WTR8h5J8rSGNHv/1jJoUUjP9iZ/5S
FAyIIyEYfDPqtnA4iF1QWO2lXWlEFSuZjwM/8jBmeGzoiw17akNThIw8NwIDAQAB
AoGATpboVloEAY/IdFX/QGOmfhTb1T3hG3lheBa695iOkO2BRo9qT7PMN6NqxlbA
PX7ht0lfCfCZS+HSOg4CR50/6WXHMSmwlvcjGuDIDKWjviQTTYE77MlVBQHw9WzY
PfiRBbtouyPGQtO4rk42zkIILC6exBZ1vKpRPOmTAnxrjCECQQD+56r6hYcS6GNp
NOWyv0eVFMBX4iNWAsRf9JVVvGDz2rVuhnkNiN73vfffDWvSXkCydL1jFmalgdQD
gm77UZQHAkEA9F+CauU0aZsJ1SthQ6H0sDQ+eNRUgnz4itnkSC2C20fZ3DaSpCMC
0go81CcZOhftNO730ILqiS67C3d3rqLqUQJBAP10ROHMmz4Fq7MUUcClyPtHIuk/
hXskTTZL76DMKmrN8NDxDLSUf38+eJRkt+z4osPOp/E6eN3gdXr32nox50kCQCl8
hXGMU+eR0IuF/88xkY7Qb8KnmWlFuhQohZ7TSyHbAttl0GNZJkNuRYFm2duI8FZK
M3wMnbCIZGy/7WuScOECQQCV+0yrf5dL1M2GHjJfwuTb00wRKalKQEH1v/kvE5vS
FmdN7BPK5Ra50MaecMNoYqu9rmtyWRBn93dcvKrL57nY
-----END RSA PRIVATE KEY-----
tests/fixtures/private.json 0000666 00000000242 13436751451 0012137 0 ustar 00 {
"private_key_id": "key123",
"private_key": "privatekey",
"client_email": "hello@youarecool.com",
"client_id": "client123",
"type": "service_account"
} CONTRIBUTING.md 0000666 00000007107 13436751451 0007017 0 ustar 00 # How to become a contributor and submit your own code
## Contributor License Agreements
We'd love to accept your sample apps and patches! Before we can take them, we
have to jump a couple of legal hurdles.
Please fill out either the individual or corporate Contributor License Agreement
(CLA).
* If you are an individual writing original source code and you're sure you
own the intellectual property, then you'll need to sign an [individual CLA]
(http://code.google.com/legal/individual-cla-v1.0.html).
* If you work for a company that wants to allow you to contribute your work,
then you'll need to sign a [corporate CLA]
(http://code.google.com/legal/corporate-cla-v1.0.html).
Follow either of the two links above to access the appropriate CLA and
instructions for how to sign and return it. Once we receive it, we'll be able to
accept your pull requests.
## Issue reporting
* Check that the issue has not already been reported.
* Check that the issue has not already been fixed in the latest code
(a.k.a. `master`).
* Be clear, concise and precise in your description of the problem.
* Open an issue with a descriptive title and a summary in grammatically correct,
complete sentences.
* Include any relevant code to the issue summary.
## Pull requests
* Read [how to properly contribute to open source projects on Github][2].
* Fork the project.
* Use a topic/feature branch to easily amend a pull request later, if necessary.
* Write [good commit messages][3].
* Use the same coding conventions as the rest of the project.
* Commit and push until you are happy with your contribution.
* Make sure to add tests for it. This is important so I don't break it
in a future version unintentionally.
* Add an entry to the [Changelog](CHANGELOG.md) accordingly. See [changelog entry format](#changelog-entry-format).
* Please try not to mess with the Rakefile, version, or history. If you want to
have your own version, or is otherwise necessary, that is fine, but please
isolate to its own commit so I can cherry-pick around it.
* Make sure the test suite is passing and the code you wrote doesn't produce
phpunit or phplint offenses.
* [Squash related commits together][5].
* Open a [pull request][4] that relates to *only* one subject with a clear title
and description in grammatically correct, complete sentences.
### Changelog entry format
Here are a few examples:
```
* ADC Support for User Refresh Tokens (@tbetbetbe[])
* [#16](https://github.com/google/google-auth-library-php/issues/16): ADC Support for User Refresh Tokens ([@tbetbetbe][])
```
* Mark it up in [Markdown syntax][6].
* The entry line should start with `* ` (an asterisk and a space).
* If the change has a related GitHub issue (e.g. a bug fix for a reported issue), put a link to the issue as `[#16](https://github.com/google/google-auth-library-php/issues/16): `.
* Describe the brief of the change. The sentence should end with a punctuation.
* At the end of the entry, add an implicit link to your GitHub user page as `([@username][])`.
* If this is your first contribution to google-auth-library-php project, add a link definition for the implicit link to the bottom of the changelog as `[@username]: https://github.com/username`.
[1]: https://github.com/google/google-auth-php-library/issues
[2]: http://gun.io/blog/how-to-github-fork-branch-and-pull-request
[3]: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
[4]: https://help.github.com/articles/using-pull-requests
[5]: http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html
[6]: http://daringfireball.net/projects/markdown/syntax
.gitignore 0000666 00000000030 13436751451 0006542 0 ustar 00 *~
vendor
composer.lock