Merge pull request #22 from Staffbase/NFS-000-jwt-upgrade

Nfs 000 jwt upgrade

Author: Ninerian

.github/workflows/php.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       matrix:
         operating-system: ['ubuntu-latest']
-        php-versions: ['7.3', '7.4']
+        php-versions: ['7.4']
         phpunit-versions: ['latest']
     steps:
     - name: Checkout
@@ -24,12 +24,12 @@ jobs:
         php-version: ${{ matrix.php-versions }}
         extensions: mbstring, intl
         ini-values: post_max_size=256M, max_execution_time=180
-        coverage: none        
+        coverage: none
         tools: php-cs-fixer, phpunit:${{ matrix.phpunit-versions }}
-        
+
     - name: Install dependencies
       if: steps.composer-cache.outputs.cache-hit != 'true'
       run: composer update --prefer-dist --no-progress
 
     - name: Run test suite
-      run: composer test  
+      run: composer test

README.md

@@ -17,8 +17,8 @@ composer require staffbase/plugins-sdk-php
 
 Dependencies are also managed by Composer. When using this repository keep the following dependencies in mind (cf. [composer.json](composer.json)):
 
-* php: >=7.3
-* lcobucci/jwt: ^3.2
+* php: >=7.4.0
+* lcobucci/jwt: ^4.1
 
 ## API Reference
 

composer.json

@@ -1,6 +1,6 @@
 {
 	"name": "staffbase/plugins-sdk-php",
-	"version": "1.5.4",
+	"version": "2.0.0",
 	"type": "library",
 	"description": "Staffbase PHP SDK library for plugins.",
 	"keywords": ["staffbase", "plugins", "library", "php", "sdk"],
@@ -13,8 +13,8 @@
 		}
 	],
 	"require": {
-		"php": "^7.3",
-		"lcobucci/jwt": "^3.2"
+		"php": "^7.4",
+		"lcobucci/jwt": "^4.1"
 
 	},
 	"require-dev": {
@@ -29,6 +29,8 @@
 		}
 	},
 	"scripts": {
-        "test": "phpunit"
-    }
+		"test": "phpunit --colors='always' --debug $PHPUNIT_ARGS",
+		"lint": "phpcs --standard=PSR2 --extensions=php --ignore=*/vendor/* src test",
+		"fix": "phpcbf --standard=PSR2 --extensions=php --ignore=*/vendor/* src test"
+	}
 }

src/PluginSession.php

@@ -195,20 +195,6 @@ protected function closeSession() {
 		session_write_close();
 	}
 
-	/**
-	 * (DEPRECATED) Translate a base64 string to PEM encoded public key.
-	 *
-	 * @param string $data base64 encoded key
-	 * @deprecated
-	 * @return string PEM encoded key
-	 */
-	public static function base64ToPEMPublicKey($data) {
-
-		error_log("Warning: PluginSession::base64ToPEMPublicKey() is deprecated. Please switch over to	SSOToken::base64ToPEMPublicKey().");
-
-		return SSOToken::base64ToPEMPublicKey($data);
-	}
-
 	/**
 	 * Test if a claim is set.
 	 *

src/SSOData.php

@@ -14,6 +14,8 @@
 
 namespace Staffbase\plugins\sdk;
 
+use DateTimeImmutable;
+
 /**
  * A container for the data transmitted from Staffbase app to a plugin
  * using the Staffbase single-sign-on.
@@ -91,19 +93,22 @@ protected function getClaimSafe($name) {
     }
 
     /**
-     * Get targeted audience of the token.
+     * Get targeted audience of the token. Currently only
+     * one audience is supported.
      *
      * @return null|string
      */
     public function getAudience() {
 
-        return $this->getClaimSafe(self::CLAIM_AUDIENCE);
+       $audience = $this->getClaimSafe(self::CLAIM_AUDIENCE);
+
+       return !is_array($audience) ? $audience : $audience[0] ?? null;
     }
 
     /**
      * Get the time when the token expires.
      *
-     * @return int
+     * @return DateTimeImmutable
      */
     public function getExpireAtTime() {
 
@@ -113,7 +118,7 @@ public function getExpireAtTime() {
     /**
      * Get the time when the token starts to be valid.
      *
-     * @return int
+     * @return DateTimeImmutable
      */
     public function getNotBeforeTime() {
 
@@ -123,7 +128,7 @@ public function getNotBeforeTime() {
     /**
      * Get the time when the token was issued.
      *
-     * @return int
+     * @return DateTimeImmutable
      */
     public function getIssuedAtTime() {
 

src/SSOToken.php

@@ -14,14 +14,19 @@
 
 namespace Staffbase\plugins\sdk;
 
-use Lcobucci\JWT\Token;
-use Lcobucci\JWT\Parser;
+use DateInterval;
+use Lcobucci\Clock\SystemClock;
+use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\ValidationData;
-use Lcobucci\JWT\Claim\Validatable;
+use Lcobucci\JWT\Token;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Validation\Constraint\SignedWith;
+use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
+use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Staffbase\plugins\sdk\Exceptions\SSOException;
 use Staffbase\plugins\sdk\Exceptions\SSOAuthenticationException;
+use Staffbase\plugins\sdk\Validation\HasInstanceId;
 
 /**
  * A container which is able to decrypt and store the data transmitted
@@ -32,8 +37,17 @@ class SSOToken extends SSOData
 	/**
 	 * @var Token $token
 	 */
-	private $token = null;
+	private ?Token $token = null;
+
+	/**
+	 * @var Key $key
+	 */
+	private Key $key;
 
+	/**
+	 * @var Configuration $config
+	 */
+	private Configuration $config;
 	/**
 	 * Constructor
 	 *
@@ -43,55 +57,75 @@ class SSOToken extends SSOData
 	 *
 	 * @throws SSOException on invalid parameters.
 	 */
-	public function __construct($appSecret, $tokenData, $leeway = 0) {
+	public function __construct(string $appSecret, string $tokenData, ?int $leeway = 0) {
 
 		if (!trim($appSecret))
 			throw new SSOException('Parameter appSecret for SSOToken is empty.');
 
 		if (!trim($tokenData))
 			throw new SSOException('Parameter tokenData for SSOToken is empty.');
 
-		if (!is_numeric($leeway))
-			throw new SSOException('Parameter leeway has to be numeric.');
-
-		// convert secret to PEM if its a plain base64 string and does not yield an url
-		if(strpos(trim($appSecret),'-----') !== 0 && strpos(trim($appSecret), 'file://') !==0 )
-			$appSecret = self::base64ToPEMPublicKey($appSecret);
+		$this->key = $this->getKey(trim($appSecret));
+		$this->config = Configuration::forSymmetricSigner(new Sha256(), $this->key);
 
-		$this->parseToken($appSecret, $tokenData, $leeway);
+		$this->parseToken($tokenData, $leeway);
 	}
 
 	/**
 	 * Creates and validates an SSO token.
 	 *
-	 * @param string $appSecret Either a PEM formatted key or a file:// URL of the same.
 	 * @param string $tokenData The token text.
 	 * @param int $leeway count of seconds added to current timestamp
 	 *
 	 * @throws SSOAuthenticationException if the parsing/verification/validation of the token fails.
 	 */
-	protected function parseToken($appSecret, $tokenData, $leeway) {
-
+	protected function parseToken(string $tokenData, int $leeway) {
 		// parse text
-		$this->token = (new Parser())->parse((string) $tokenData);
-
-		// verify signature
-		$signer = new Sha256();
-		$key = new Key($appSecret);
+		$this->token = $this->config->parser()->parse($tokenData);
+
+		$constrains = [
+			new StrictValidAt(SystemClock::fromUTC(), $this->getLeewayInterval($leeway)),
+			new SignedWith(new Sha256(),$this->key),
+			new HasInstanceId()
+		];
+
+		try {
+			$this->config->validator()->assert($this->token, ...$constrains);
+		} catch (RequiredConstraintsViolated $violation) {
+			throw new SSOAuthenticationException($violation->getMessage());
+		}
+	}
 
-		if (!$this->token->verify($signer, $key))
-			throw new SSOAuthenticationException('Token verification failed.');
+	/**
+	 * Test if a claim is set.
+	 *
+	 * @param string $claim name.
+	 *
+	 * @return boolean
+	 */
+	protected function hasClaim($claim) {
+		return $this->token->claims()->has($claim);
+	}
 
-		// validate claims
-		$data = new ValidationData(time(), $leeway); // iat, nbf and exp are validated by default
+	/**
+	 * Get a claim without checking for existence.
+	 *
+	 * @param string $claim name.
+	 *
+	 * @return mixed
+	 */
+	protected function getClaim($claim) {
+		return $this->token->claims()->get($claim);
+	}
 
-		if (!$this->token->validate($data)) {
-			$this->throwVerboseException($data);
-		}
+	/**
+	 * Get an array of all available claims and their values.
+	 *
+	 * @return array
+	 */
+	protected function getAllClaims() {
 
-		// its a security risk to work with tokens lacking instance id
-		if (!trim($this->getInstanceId()))
-			throw new SSOAuthenticationException('Token lacks instance id.');
+		return $this->token->claims()->all();
 	}
 
 	/**
@@ -101,7 +135,7 @@ protected function parseToken($appSecret, $tokenData, $leeway) {
 	 *
 	 * @return string PEM encoded key
 	 */
-	public static function base64ToPEMPublicKey($data) {
+	public static function base64ToPEMPublicKey(string $data): string {
 
 		$data = strtr($data, array(
 			"\r" => "",
@@ -115,80 +149,39 @@ public static function base64ToPEMPublicKey($data) {
 	}
 
 	/**
-	 * Validate the token with more verbose exceptions
+	 * Decides between the new key methods, the JWT library offers
 	 *
-	 * Due to minor shortcomings of the library we have to redo the validation
-	 * manually to get the reason for the failure and propagate it.
-	 * We emulate the validation process for the v3.x of the library.
-	 *
-	 * This will most likely have to change on library upgrade either
-	 * by using then supported verbosity or reimplementing validation
-	 * as done in the new flow.
-	 *
-	 * @param ValidationData $data to validate against
-	 *
-	 * @throws SSOAuthenticationException always.
+	 * @param string $appSecret
+	 * @return Key
 	 */
-	protected function throwVerboseException(ValidationData $data) {
-
-		foreach ($this->token->getClaims() as $claim) {
-			if ($claim instanceof Validatable) {
-				if (!$claim->validate($data)) {
-
-					$claimName  = $claim->getName();
-					$claimValue = $claim->getValue();
-
-					// get the short class-name of the validatable claim
-					$segments = explode('\\', get_class($claim));
-					$operator = array_pop($segments);
-					$operand  = $data->get($claimName);
-
-					throw new SSOAuthenticationException("Token Validation failed on claim '$claimName' $claimValue $operator $operand.");
-				}
-			}
+	private function getKey(string $appSecret): Key {
+		if(strpos($appSecret,'-----') === 0 ) {
+			$key = InMemory::plainText($appSecret);
+		} else if (strpos($appSecret, 'file://') === 0 ) {
+			$key = InMemory::file($appSecret);
+		} else {
+			$key = InMemory::plainText($this->base64ToPEMPublicKey($appSecret));
 		}
-
-		// unknown reason, probably an addition to used library
-		throw new SSOAuthenticationException('Token Validation failed.');
+		return $key;
 	}
 
 	/**
-	 * Test if a claim is set.
+	 * Formats the leeway integer value into a DateInterval as this is
+	 * needed by the JWT library
 	 *
-	 * @param string $claim name.
-	 *
-	 * @return boolean
-	 */
-	protected function hasClaim($claim) {
-
-		return $this->token->hasClaim($claim);
-	}
-
-	/**
-	 * Get a claim without checking for existence.
-	 *
-	 * @param string $claim name.
-	 *
-	 * @return mixed
-	 */
-	protected function getClaim($claim) {
-
-		return $this->token->getClaim($claim);
-	}
-
-	/**
-	 * Get an array of all available claims and their values.
-	 *
-	 * @return array
+	 * @param int $leeway count of seconds added to current timestamp
+	 * @return DateInterval DateInterval
 	 */
-	protected function getAllClaims() {
-
-		$res = [];
-		$claims = $this->token->getClaims();
-
-		foreach($claims as $claim)
-			$res[$claim->getName()] = $claim->getValue();
+	private function getLeewayInterval (int $leeway): DateInterval {
+		$leewayInterval = "PT{$leeway}S";
+
+		try {
+			$interval = new DateInterval($leewayInterval);
+		} catch (\Exception $e) {
+			error_log("Wrong date interval $leewayInterval");
+			$interval = new DateInterval('PT0S');
+		}
 
-		return $res;
+		return $interval;
 	}
 }