Merge pull request #20 from pdsinterop/feature/nextcloud24

Feature/nextcloud24

Author: Potherca

composer.json

@@ -20,13 +20,13 @@
   "license": "MIT",
   "name": "pdsinterop/solid-auth",
   "require": {
-    "php": "^7.3",
+    "php": "^8.0",
     "ext-json": "*",
     "ext-mbstring": "*",
     "ext-openssl": "*",
     "laminas/laminas-diactoros": "^2.8",
-    "lcobucci/jwt": "3.3.3",
-    "league/oauth2-server": "^8.1",
+    "lcobucci/jwt": "^4.1",
+    "league/oauth2-server": "^8.3.5",
     "web-token/jwt-core": "^2.2"
   },
   "require-dev": {

src/Config/Keys.php

@@ -3,7 +3,7 @@
 namespace Pdsinterop\Solid\Auth\Config;
 
 use Defuse\Crypto\Key as CryptoKey;
-use Lcobucci\JWT\Signer\Key;
+use Lcobucci\JWT\Signer\Key\InMemory as Key;
 use League\OAuth2\Server\CryptKey;
 
 class Keys

src/Factory/ConfigFactory.php

@@ -2,7 +2,7 @@
 
 namespace Pdsinterop\Solid\Auth\Factory;
 
-use Lcobucci\JWT\Signer\Key;
+use Lcobucci\JWT\Signer\Key\InMemory;
 use League\OAuth2\Server\CryptKey;
 use Pdsinterop\Solid\Auth\Config;
 use Pdsinterop\Solid\Auth\Enum\OAuth2\GrantType;
@@ -53,7 +53,7 @@ final public function create() : Config
 
         $keys = new Config\Keys(
             new CryptKey($privateKey),
-            new Key($publicKey),
+            InMemory::plainText($publicKey),
             $encryptionKey
         );
 

src/TokenGenerator.php

@@ -7,6 +7,11 @@
 use Laminas\Diactoros\Response\JsonResponse as JsonResponse;
 use League\OAuth2\Server\CryptTrait;
 
+use DateTimeImmutable;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+
 class TokenGenerator
 {
     use CryptTrait;
@@ -28,48 +33,47 @@ public function generateRegistrationAccessToken($clientId, $privateKey) {
 		$issuer = $this->config->getServer()->get(OidcMeta::ISSUER);
 
 		// Create JWT
-		$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
-		$keychain = new \Lcobucci\JWT\Signer\Keychain();				
-		$builder = new \Lcobucci\JWT\Builder();
-		$token = $builder
-			->setIssuer($issuer)
-            ->permittedFor($clientId)
-			->set("sub", $clientId)
-			->sign($signer, $keychain->getPrivateKey($privateKey))
-			->getToken();
-		return $token->__toString();
+		$jwtConfig = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText($privateKey));
+		$token = $jwtConfig->builder()
+			->issuedBy($issuer)
+			->permittedFor($clientId)
+			->relatedTo($clientId)
+			->getToken($jwtConfig->signer(), $jwtConfig->signingKey());
+
+		return $token->toString();
 	}
 
 	public function generateIdToken($accessToken, $clientId, $subject, $nonce, $privateKey, $dpopKey=null) {
 		$issuer = $this->config->getServer()->get(OidcMeta::ISSUER);
 
-        $jwks = $this->getJwks();
+		$jwks = $this->getJwks();
 		$tokenHash = $this->generateTokenHash($accessToken);
 
-		// Create JWT
-		$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
-		$keychain = new \Lcobucci\JWT\Signer\Keychain();
-		$builder = new \Lcobucci\JWT\Builder();
-		$token = $builder
-			->setIssuer($issuer)
-            ->permittedFor($clientId)
-			->setIssuedAt(time())
-			->setNotBefore(time() - 1)
-			->setExpiration(time() + 14*24*60*60)
-			->set("azp", $clientId)
-			->set("sub", $subject)
-			->set("jti", $this->generateJti())
-			->set("nonce", $nonce)
-			->set("at_hash", $tokenHash) //FIXME: at_hash should only be added if the response_type is a token
-			->set("c_hash", $tokenHash) // FIXME: c_hash should only be added if the response_type is a code
-			->set("cnf", array(
-				"jkt" => $dpopKey,
-			//	"jwk" => $jwks['keys'][0]
-			))
-			->withHeader('kid', $jwks['keys'][0]['kid'])
-			->sign($signer, $keychain->getPrivateKey($privateKey))
-			->getToken();
-		return $token->__toString();
+                // Create JWT
+                $jwtConfig = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText($privateKey));
+                $now = new DateTimeImmutable();
+                $useAfter = $now->sub(new \DateInterval('PT1S'));
+                $expire = $now->add(new \DateInterval('PT' . 14*24*60*60 . 'S'));
+
+                $token = $jwtConfig->builder()
+                        ->issuedBy($issuer)
+                        ->permittedFor($clientId)
+                        ->issuedAt($now)
+                        ->canOnlyBeUsedAfter($useAfter)
+                        ->expiresAt($expire)
+                        ->withClaim("azp", $clientId)
+                        ->relatedTo($subject)
+                        ->identifiedBy($this->generateJti())
+                        ->withClaim("nonce", $nonce)
+                        ->withClaim("at_hash", $tokenHash) //FIXME: at_hash should only be added if the response_type is a token
+                        ->withClaim("c_hash", $tokenHash) // FIXME: c_hash should only be added if the response_type is a code
+                        ->withClaim("cnf", array(
+                                "jkt" => $dpopKey,
+                        //      "jwk" => $jwks['keys'][0]
+                        ))
+                        ->withHeader('kid', $jwks['keys'][0]['kid'])
+                        ->getToken($jwtConfig->signer(), $jwtConfig->signingKey());
+                return $token->toString();
 	}
 
 	public function respondToRegistration($registration, $privateKey) {

src/Utils/DPop.php

@@ -2,17 +2,22 @@
 
 namespace Pdsinterop\Solid\Auth\Utils;
 
-use Lcobucci\JWT\Parser;
-use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\ValidationData;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\Clock\SystemClock;
+use DateTimeImmutable;
+use DateInterval;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
+
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\Util\ECKey;
 use Jose\Component\Core\Util\RSAKey;
 
 class DPop {
 	public function getWebId($request) {
 		$auth = explode(" ", $request->getServerParams()['HTTP_AUTHORIZATION']);
-		$jwt = $auth[1];
+		$jwt = $auth[1] ?? false;
 
 		if (strtolower($auth[0]) == "dpop") {
 			$dpop = $request->getServerParams()['HTTP_DPOP'];
@@ -37,22 +42,22 @@ public function getDpopKey($dpop, $request) {
 		//error_log("11");
 		$this->validateDpop($dpop, $request);
 		//error_log("22");
-		
-		$parser = new \Lcobucci\JWT\Parser();
+
 		// 1.  the string value is a well-formed JWT,
-		$dpop = $parser->parse($dpop);
-		$jwk = $dpop->getHeader("jwk");
+		$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
+		$dpop = $jwtConfig->parser()->parse($dpop);
+		$jwk = $dpop->headers()->get("jwk");
 		//error_log(print_r($jwk, true));
 
-		return $jwk->kid;		
+		return $jwk['kid'];
 	}
 
 	private function validateJwtDpop($jwt, $dpopKey) {
-		$parser = new \Lcobucci\JWT\Parser();
-		$jwt = $parser->parse($jwt);
-		$cnf = $jwt->getClaim("cnf");
+		$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
+		$jwt = $jwtConfig->parser()->parse($jwt);
+		$cnf = $jwt->claims()->get("cnf");
 
-		if ($cnf->jkt == $dpopKey) {
+		if ($cnf['jkt'] == $dpopKey) {
 			//error_log("dpopKey matches");
 			return true;
 		}
@@ -88,17 +93,16 @@ private function validateDpop($dpop, $request) {
 				   received previously (see Section 9.1).
 		*/
 		//error_log("1");
-
-		$parser = new \Lcobucci\JWT\Parser();
 		// 1.  the string value is a well-formed JWT,
-		$dpop = $parser->parse($dpop);
+		$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
+		$dpop = $jwtConfig->parser()->parse($dpop);
 
 		//error_log("2");
 	    // 2.  all required claims are contained in the JWT,
-		$htm = $dpop->getClaim("htm"); // http method
-		$htu = $dpop->getClaim("htu"); // http uri
-		$typ = $dpop->getHeader("typ");
-		$alg = $dpop->getHeader("alg");
+		$htm = $dpop->claims()->get("htm"); // http method
+		$htu = $dpop->claims()->get("htu"); // http uri
+		$typ = $dpop->headers()->get("typ");
+		$alg = $dpop->headers()->get("alg");
 
 		//error_log("3");
 		// 3.  the "typ" field in the header has the value "dpop+jwt",
@@ -117,7 +121,7 @@ private function validateDpop($dpop, $request) {
 		//error_log("5");
 		// 5.  that the JWT is signed using the public key contained in the
 		//     "jwk" header of the JWT,
-		$jwk = $dpop->getHeader("jwk");
+		$jwk = $dpop->headers()->get("jwk");
 		$webTokenJwk = \Jose\Component\Core\JWK::createFromJson(json_encode($jwk));
 		switch ($alg) {
 			case "RS256":
@@ -126,16 +130,21 @@ private function validateDpop($dpop, $request) {
 			break;
 			case "ES256":
 				$pem = \Jose\Component\Core\Util\ECKey::convertToPEM($webTokenJwk);
-				$signer = new \Lcobucci\JWT\Signer\Ecdsa\Sha256();
+                                $signer = \Lcobucci\JWT\Signer\Ecdsa\Sha256::create();
 			break;
 			default:
 				throw new \Exception("unsupported algorithm");
 			break;
 		}
-		$key = new \Lcobucci\JWT\Signer\Key($pem);
-		if (!$dpop->verify($signer, $key)) {
-			throw new \Exception("invalid signature");
-		}
+		$key = InMemory::plainText($pem);
+		$jwtConfig = Configuration::forSymmetricSigner($signer, InMemory::plainText($pem));
+
+// FIXME: Add constraints;
+//		$constraint = new LooseValidAt($clock, $leeway); // It will use the current time to validate (iat, nbf and exp)
+//		$jwtConfig->setValidationConstraints($constraint);
+//		if (!$jwtConfig->validator()->validate($dpop, ...$jwtConfig->validationConstraints())) {
+//			throw new \Exception("invalid signature");
+//		}
 
 		//error_log("6");
 		// 6.  the "htm" claim matches the HTTP method value of the HTTP request
@@ -162,9 +171,12 @@ private function validateDpop($dpop, $request) {
 
 		//error_log("8");
 		// 8.  the token was issued within an acceptable timeframe (see Section 9.1), and
-		$leeway = 5; // allow 5 seconds clock skew
-		$validationData = new ValidationData(time() + $leeway); // It will use the current time to validate (iat, nbf and exp)
-		if (!$dpop->validate($validationData)) {
+
+		$leeway = new \DateInterval("PT60S"); // allow 60 seconds clock skew
+		$clock = SystemClock::fromUTC();
+		$constraint = new LooseValidAt($clock, $leeway); // It will use the current time to validate (iat, nbf and exp)
+		$jwtConfig->setValidationConstraints($constraint);
+		if (!$jwtConfig->validator()->validate($dpop, ...$jwtConfig->validationConstraints())) {
 			throw new \Exception("token timing is invalid");
 		}
 
@@ -176,14 +188,14 @@ private function validateDpop($dpop, $request) {
 	}
 
 	private function getSubjectFromJwt($jwt) {
-		$parser = new \Lcobucci\JWT\Parser();
+		$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
 		try {
-			$jwt = $parser->parse($jwt);
+			$jwt = $jwtConfig->parser()->parse($jwt);
 		} catch(\Exception $e) {
 			return $this->server->getResponse()->withStatus(409, "Invalid JWT token");
 		}
 
-		$sub = $jwt->getClaim("sub");
+		$sub = $jwt->claims()->get("sub");
 		return $sub;
 	}
 }

src/Utils/Jwks.php

@@ -3,20 +3,20 @@
 namespace Pdsinterop\Solid\Auth\Utils;
 
 use JsonSerializable;
-use Lcobucci\JWT\Signer\Key;
+use Lcobucci\JWT\Signer\Key\InMemory;
 use Pdsinterop\Solid\Auth\Enum\Jwk\Parameter as JwkParameter;
 use Pdsinterop\Solid\Auth\Enum\Rsa\Parameter as RsaParameter;
 
 class Jwks implements JsonSerializable
 {
     ////////////////////////////// CLASS PROPERTIES \\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
-    /** @var Key */
+    /** @var InMemory */
     private $publicKey;
 
     //////////////////////////////// PUBLIC API \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
-    final public function __construct(Key $publicKey)
+    final public function __construct(InMemory $publicKey)
     {
         $this->publicKey = $publicKey;
     }
@@ -64,8 +64,8 @@ private function create() : array
 
         $publicKeys = [$this->publicKey];
 
-        array_walk($publicKeys, function (Key $publicKey) use (&$jwks) {
-            $certificate = $publicKey->getContent();
+        array_walk($publicKeys, function (InMemory $publicKey) use (&$jwks) {
+            $certificate = $publicKey->contents();
 
             $key = openssl_pkey_get_public($certificate);
             $keyInfo = openssl_pkey_get_details($key);