From 6c641b1834539c65edb35dd43a6afa7620e73e1c Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 14 Mar 2017 09:09:05 +1100 Subject: move oauth2 to vendor --- .../test/OAuth2/Encryption/FirebaseJwtTest.php | 102 --------------------- library/oauth2/test/OAuth2/Encryption/JwtTest.php | 102 --------------------- 2 files changed, 204 deletions(-) delete mode 100644 library/oauth2/test/OAuth2/Encryption/FirebaseJwtTest.php delete mode 100644 library/oauth2/test/OAuth2/Encryption/JwtTest.php (limited to 'library/oauth2/test/OAuth2/Encryption') diff --git a/library/oauth2/test/OAuth2/Encryption/FirebaseJwtTest.php b/library/oauth2/test/OAuth2/Encryption/FirebaseJwtTest.php deleted file mode 100644 index d34136767..000000000 --- a/library/oauth2/test/OAuth2/Encryption/FirebaseJwtTest.php +++ /dev/null @@ -1,102 +0,0 @@ -privateKey = << $client_id, - 'exp' => time() + 1000, - 'iat' => time(), - 'sub' => 'testuser@ourdomain.com', - 'aud' => 'http://myapp.com/oauth/auth', - 'scope' => null, - ); - - $encoded = $jwtUtil->encode($params, $this->privateKey, 'RS256'); - - // test BC behaviour of trusting the algorithm in the header - $payload = $jwtUtil->decode($encoded, $client_key, array('RS256')); - $this->assertEquals($params, $payload); - - // test BC behaviour of not verifying by passing false - $payload = $jwtUtil->decode($encoded, $client_key, false); - $this->assertEquals($params, $payload); - - // test the new restricted algorithms header - $payload = $jwtUtil->decode($encoded, $client_key, array('RS256')); - $this->assertEquals($params, $payload); - } - - public function testInvalidJwt() - { - $jwtUtil = new FirebaseJwt(); - - $this->assertFalse($jwtUtil->decode('goob')); - $this->assertFalse($jwtUtil->decode('go.o.b')); - } - - /** @dataProvider provideClientCredentials */ - public function testInvalidJwtHeader($client_id, $client_key) - { - $jwtUtil = new FirebaseJwt(); - - $params = array( - 'iss' => $client_id, - 'exp' => time() + 1000, - 'iat' => time(), - 'sub' => 'testuser@ourdomain.com', - 'aud' => 'http://myapp.com/oauth/auth', - 'scope' => null, - ); - - // testing for algorithm tampering when only RSA256 signing is allowed - // @see https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ - $tampered = $jwtUtil->encode($params, $client_key, 'HS256'); - - $payload = $jwtUtil->decode($tampered, $client_key, array('RS256')); - - $this->assertFalse($payload); - } - - public function provideClientCredentials() - { - $storage = Bootstrap::getInstance()->getMemoryStorage(); - $client_id = 'Test Client ID'; - $client_key = $storage->getClientKey($client_id, "testuser@ourdomain.com"); - - return array( - array($client_id, $client_key), - ); - } -} diff --git a/library/oauth2/test/OAuth2/Encryption/JwtTest.php b/library/oauth2/test/OAuth2/Encryption/JwtTest.php deleted file mode 100644 index 214eebac8..000000000 --- a/library/oauth2/test/OAuth2/Encryption/JwtTest.php +++ /dev/null @@ -1,102 +0,0 @@ -privateKey = << $client_id, - 'exp' => time() + 1000, - 'iat' => time(), - 'sub' => 'testuser@ourdomain.com', - 'aud' => 'http://myapp.com/oauth/auth', - 'scope' => null, - ); - - $encoded = $jwtUtil->encode($params, $this->privateKey, 'RS256'); - - // test BC behaviour of trusting the algorithm in the header - $payload = $jwtUtil->decode($encoded, $client_key); - $this->assertEquals($params, $payload); - - // test BC behaviour of not verifying by passing false - $payload = $jwtUtil->decode($encoded, $client_key, false); - $this->assertEquals($params, $payload); - - // test the new restricted algorithms header - $payload = $jwtUtil->decode($encoded, $client_key, array('RS256')); - $this->assertEquals($params, $payload); - } - - public function testInvalidJwt() - { - $jwtUtil = new Jwt(); - - $this->assertFalse($jwtUtil->decode('goob')); - $this->assertFalse($jwtUtil->decode('go.o.b')); - } - - /** @dataProvider provideClientCredentials */ - public function testInvalidJwtHeader($client_id, $client_key) - { - $jwtUtil = new Jwt(); - - $params = array( - 'iss' => $client_id, - 'exp' => time() + 1000, - 'iat' => time(), - 'sub' => 'testuser@ourdomain.com', - 'aud' => 'http://myapp.com/oauth/auth', - 'scope' => null, - ); - - // testing for algorithm tampering when only RSA256 signing is allowed - // @see https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ - $tampered = $jwtUtil->encode($params, $client_key, 'HS256'); - - $payload = $jwtUtil->decode($tampered, $client_key, array('RS256')); - - $this->assertFalse($payload); - } - - public function provideClientCredentials() - { - $storage = Bootstrap::getInstance()->getMemoryStorage(); - $client_id = 'Test Client ID'; - $client_key = $storage->getClientKey($client_id, "testuser@ourdomain.com"); - - return array( - array($client_id, $client_key), - ); - } -} -- cgit v1.2.3