Comments addressed

Spomky · Spomky · commit 33af1e024473 · 2023-05-14T10:13:00.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -65,11 +65,11 @@
 
         // OAuth2 Introspection (RFC 7662)
         ->set('security.access_token_handler.oauth2', Oauth2TokenHandler::class)
-        ->abstract()
-        ->args([
-            abstract_arg('http client'),
-            service('logger')->nullOnInvalid(),
-            'sub',
-        ])
+            ->abstract()
+            ->args([
+                abstract_arg('http client'),
+                service('logger')->nullOnInvalid(),
+                'sub',
+            ])
     ;
 };
diff --git a/src/Symfony/Component/Security/Core/Tests/User/OAuth2UserTest.php b/src/Symfony/Component/Security/Core/Tests/User/OAuth2UserTest.php
@@ -19,7 +19,7 @@ class OAuth2UserTest extends TestCase
     public function testCannotCreateUserWithoutSubProperty()
     {
         $this->expectException(\InvalidArgumentException::class);
-        $this->expectExceptionMessage('The "sub" and "username" claims cannot be empty.');
+        $this->expectExceptionMessage('The "sub" or "username" claims must be provided.');
 
         new OAuth2User();
     }
diff --git a/src/Symfony/Component/Security/Core/User/OAuth2User.php b/src/Symfony/Component/Security/Core/User/OAuth2User.php
@@ -18,22 +18,22 @@
  */
 class OAuth2User implements UserInterface
 {
-    private array $additionalClaims = [];
+    public readonly array $additionalClaims;
 
     public function __construct(
         private array $roles = ['ROLE_USER'],
         // Standard Claims (https://datatracker.ietf.org/doc/html/rfc7662#section-2.2)
-        private ?string $scope = null,
-        private ?string $clientId = null,
-        private ?string $username = null,
-        private ?string $tokenType = null,
-        private ?int $exp = null,
-        private ?int $iat = null,
-        private ?int $nbf = null,
-        private ?string $sub = null,
-        private ?string $aud = null,
-        private ?string $iss = null,
-        private ?string $jti = null,
+        public readonly ?string $scope = null,
+        public readonly ?string $clientId = null,
+        public readonly ?string $username = null,
+        public readonly ?string $tokenType = null,
+        public readonly ?int $exp = null,
+        public readonly ?int $iat = null,
+        public readonly ?int $nbf = null,
+        public readonly ?string $sub = null,
+        public readonly ?string $aud = null,
+        public readonly ?string $iss = null,
+        public readonly ?string $jti = null,
 
         // Additional Claims ("
         //    Specific implementations MAY extend this structure with
@@ -43,7 +43,7 @@ public function __construct(
         ...$additionalClaims
     ) {
         if ((null === $sub || '' === $sub) && (null === $username || '' === $username)) {
-            throw new \InvalidArgumentException('The "sub" and "username" claims cannot be empty.');
+            throw new \InvalidArgumentException('The "sub" or "username" claims must be provided.');
         }
 
         $this->additionalClaims = $additionalClaims['additionalClaims'] ?? $additionalClaims;
@@ -63,70 +63,10 @@ public function getRoles(): array
 
     public function getUserIdentifier(): string
     {
-        return (string) ($this->getSub() ?? $this->getUsername());
+        return (string) ($this->sub ?? $this->username);
     }
 
     public function eraseCredentials(): void
     {
     }
-
-    public function getScope(): ?string
-    {
-        return $this->scope;
-    }
-
-    public function getClientId(): ?string
-    {
-        return $this->clientId;
-    }
-
-    public function getUsername(): ?string
-    {
-        return $this->username;
-    }
-
-    public function getTokenType(): ?string
-    {
-        return $this->tokenType;
-    }
-
-    public function getExp(): ?int
-    {
-        return $this->exp;
-    }
-
-    public function getIat(): ?int
-    {
-        return $this->iat;
-    }
-
-    public function getNbf(): ?int
-    {
-        return $this->nbf;
-    }
-
-    public function getSub(): ?string
-    {
-        return $this->sub;
-    }
-
-    public function getAud(): ?string
-    {
-        return $this->aud;
-    }
-
-    public function getIss(): ?string
-    {
-        return $this->iss;
-    }
-
-    public function getJti(): ?string
-    {
-        return $this->jti;
-    }
-
-    public function getAdditionalClaims(): array
-    {
-        return $this->additionalClaims;
-    }
 }
diff --git a/src/Symfony/Component/Security/Http/AccessToken/OAuth2/OAuth2Trait.php b/src/Symfony/Component/Security/Http/AccessToken/OAuth2/OAuth2Trait.php
diff --git a/src/Symfony/Component/Security/Http/AccessToken/OAuth2/Oauth2TokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/OAuth2/Oauth2TokenHandler.php
@@ -13,28 +13,29 @@
 
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\User\OAuth2User;
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\OAuth2\Exception\InactiveAccessTokenException;
 use Symfony\Component\Security\Http\AccessToken\OAuth2\Exception\MissingClaimException;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
+use function Symfony\Component\String\u;
 
 /**
  * The token handler validates the token on the authorization server.
+ *
  * It uses the Introspection Endpoint as per the RFC7662
  *
  * @see https://tools.ietf.org/html/rfc7662
  *
- * @experimental
+ * @internal
  */
 final class Oauth2TokenHandler implements AccessTokenHandlerInterface
 {
-    use OAuth2Trait;
-
     public function __construct(
-        private HttpClientInterface $client,
-        private ?LoggerInterface $logger = null,
-        private string $claim = 'sub'
+        private readonly HttpClientInterface $client,
+        private readonly ?LoggerInterface $logger = null,
+        private readonly string $claim = 'sub'
     ) {
     }
 
@@ -43,7 +44,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
         try {
             // Call the Introspection Endpoint to retrieve the user info
             // If the token is invalid or expired, the Introspection Endpoint will return 'active' => false
-            $claims = $this->client->request('POST', '',[
+            $claims = $this->client->request('POST', '', [
                 'headers' => [
                     'Content-Type' => 'application/x-www-form-urlencoded',
                 ],
@@ -53,13 +54,10 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
                 ],
             ])->toArray();
 
-            if (empty($claims['active'])) {
-                throw new MissingClaimException(sprintf('"%s" claim not found on the authorization server response.', 'active'));
+            if (!($claims['active'] ?? false)) {
+                throw new InactiveAccessTokenException('The "active" claim was not found on the authorization server response or is set to false.');
             }
-            if ($claims['active'] !== true) {
-                throw new InactiveAccessTokenException('The access token is not active.');
-            }
-            if (empty($claims[$this->claim])) {
+            if (!($claims[$this->claim] ?? false)) {
                 throw new MissingClaimException(sprintf('"%s" claim not found on the authorization server response.', 'active'));
             }
 
@@ -73,4 +71,33 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
         }
     }
+
+    private function createUser(array $claims): OAuth2User
+    {
+        if (!\function_exists(\Symfony\Component\String\u::class)) {
+            throw new \LogicException('You cannot use the "OAuth2TokenHandler" since the String component is not installed. Try running "composer require symfony/string".');
+        }
+
+        foreach ($claims as $claim => $value) {
+            unset($claims[$claim]);
+            if ('' === $value || null === $value) {
+                continue;
+            }
+            $claims[u($claim)->camel()->toString()] = $value;
+        }
+
+        if ('' !== ($claims['updatedAt'] ?? '')) {
+            $claims['updatedAt'] = (new \DateTimeImmutable())->setTimestamp($claims['updatedAt']);
+        }
+
+        if ('' !== ($claims['emailVerified'] ?? '')) {
+            $claims['emailVerified'] = (bool) $claims['emailVerified'];
+        }
+
+        if ('' !== ($claims['phoneNumberVerified'] ?? '')) {
+            $claims['phoneNumberVerified'] = (bool) $claims['phoneNumberVerified'];
+        }
+
+        return new OAuth2User(...$claims);
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTrait.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTrait.php
@@ -36,15 +36,15 @@ private function createUser(array $claims): OidcUser
             $claims[u($claim)->camel()->toString()] = $value;
         }
 
-        if (isset($claims['updatedAt']) && '' !== $claims['updatedAt']) {
+        if ('' !== ($claims['updatedAt'] ?? '')) {
             $claims['updatedAt'] = (new \DateTimeImmutable())->setTimestamp($claims['updatedAt']);
         }
 
-        if (\array_key_exists('emailVerified', $claims) && null !== $claims['emailVerified'] && '' !== $claims['emailVerified']) {
+        if ('' !== ($claims['emailVerified'] ?? '')) {
             $claims['emailVerified'] = (bool) $claims['emailVerified'];
         }
 
-        if (\array_key_exists('phoneNumberVerified', $claims) && null !== $claims['phoneNumberVerified'] && '' !== $claims['phoneNumberVerified']) {
+        if ('' !== ($claims['phoneNumberVerified'] ?? '')) {
             $claims['phoneNumberVerified'] = (bool) $claims['phoneNumberVerified'];
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/OAuth2/OAuth2TokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/OAuth2/OAuth2TokenHandlerTest.php
@@ -63,11 +63,11 @@ public function testGetsUserIdentifierFromOAuth2ServerResponse(string $expected)
 
         $this->assertEquals(new UserBadge($expected, fn () => $expectedUser, $claims), $userBadge);
         $this->assertInstanceOf(OAuth2User::class, $actualUser);
-        $this->assertEquals($claims, $userBadge->getAttributes());
-        $this->assertEquals($claims['sub'], $actualUser->getUserIdentifier());
+        $this->assertSame($claims, $userBadge->getAttributes());
+        $this->assertSame($claims['sub'], $actualUser->getUserIdentifier());
     }
 
-    public function getClaims(): iterable
+    public static function getClaims(): iterable
     {
         yield ['Z5O3upPC88QrAjx00dis'];
     }

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ class OAuth2UserTest extends TestCase`
`19`	`19`	`public function testCannotCreateUserWithoutSubProperty()`
`20`	`20`	`{`
`21`	`21`	`$this->expectException(\InvalidArgumentException::class);`
`22`		`- $this->expectExceptionMessage('The "sub" and "username" claims cannot be empty.');`
	`22`	`+ $this->expectExceptionMessage('The "sub" or "username" claims must be provided.');`
`23`	`23`
`24`	`24`	`new OAuth2User();`
`25`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,15 +36,15 @@ private function createUser(array $claims): OidcUser`
`36`	`36`	`$claims[u($claim)->camel()->toString()] = $value;`
`37`	`37`	`}`
`38`	`38`
`39`		`- if (isset($claims['updatedAt']) && '' !== $claims['updatedAt']) {`
	`39`	`+ if ('' !== ($claims['updatedAt'] ?? '')) {`
`40`	`40`	`$claims['updatedAt'] = (new \DateTimeImmutable())->setTimestamp($claims['updatedAt']);`
`41`	`41`	`}`
`42`	`42`
`43`		`- if (\array_key_exists('emailVerified', $claims) && null !== $claims['emailVerified'] && '' !== $claims['emailVerified']) {`
	`43`	`+ if ('' !== ($claims['emailVerified'] ?? '')) {`
`44`	`44`	`$claims['emailVerified'] = (bool) $claims['emailVerified'];`
`45`	`45`	`}`
`46`	`46`
`47`		`- if (\array_key_exists('phoneNumberVerified', $claims) && null !== $claims['phoneNumberVerified'] && '' !== $claims['phoneNumberVerified']) {`
	`47`	`+ if ('' !== ($claims['phoneNumberVerified'] ?? '')) {`
`48`	`48`	`$claims['phoneNumberVerified'] = (bool) $claims['phoneNumberVerified'];`
`49`	`49`	`}`
`50`	`50`
Original file line number	Diff line number	Diff line change
`@@ -63,11 +63,11 @@ public function testGetsUserIdentifierFromOAuth2ServerResponse(string $expected)`
`63`	`63`
`64`	`64`	`$this->assertEquals(new UserBadge($expected, fn () => $expectedUser, $claims), $userBadge);`
`65`	`65`	`$this->assertInstanceOf(OAuth2User::class, $actualUser);`
`66`		`- $this->assertEquals($claims, $userBadge->getAttributes());`
`67`		`- $this->assertEquals($claims['sub'], $actualUser->getUserIdentifier());`
	`66`	`+ $this->assertSame($claims, $userBadge->getAttributes());`
	`67`	`+ $this->assertSame($claims['sub'], $actualUser->getUserIdentifier());`
`68`	`68`	`}`
`69`	`69`
`70`		`- public function getClaims(): iterable`
	`70`	`+ public static function getClaims(): iterable`
`71`	`71`	`{`
`72`	`72`	`yield ['Z5O3upPC88QrAjx00dis'];`
`73`	`73`	`}`