Merge branch 'main' of https://github.com/pdsinterop/php-solid-auth into main

Conflicts:
	src/WAC.php

Author: ylebre

CHANGELOG.md

@@ -0,0 +1,98 @@
+# Changelog
+
+## [v0.6.3](https://github.com/pdsinterop/php-solid-auth/tree/v0.6.3) (2021-12-08)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.6.2...v0.6.3)
+
+## [v0.6.2](https://github.com/pdsinterop/php-solid-auth/tree/v0.6.2) (2021-11-25)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.6.1...v0.6.2)
+
+**Merged pull requests:**
+
+- Require write on parent for DELETE [\#18](https://github.com/pdsinterop/php-solid-auth/pull/18) ([michielbdejong](https://github.com/michielbdejong))
+- Fix for origin grants, allow registered clients [\#16](https://github.com/pdsinterop/php-solid-auth/pull/16) ([ylebre](https://github.com/ylebre))
+- replacing codercats jwk converter with web-token to support EC tokens [\#15](https://github.com/pdsinterop/php-solid-auth/pull/15) ([ylebre](https://github.com/ylebre))
+- remove debugging [\#14](https://github.com/pdsinterop/php-solid-auth/pull/14) ([ylebre](https://github.com/ylebre))
+- Set the base url to the url where the acl file was found [\#13](https://github.com/pdsinterop/php-solid-auth/pull/13) ([ylebre](https://github.com/ylebre))
+- add option to check Origin in acl [\#12](https://github.com/pdsinterop/php-solid-auth/pull/12) ([ylebre](https://github.com/ylebre))
+- Adding WAC / Dpop [\#11](https://github.com/pdsinterop/php-solid-auth/pull/11) ([ylebre](https://github.com/ylebre))
+- WIP: dpop handling [\#10](https://github.com/pdsinterop/php-solid-auth/pull/10) ([ylebre](https://github.com/ylebre))
+
+## [v0.6.1](https://github.com/pdsinterop/php-solid-auth/tree/v0.6.1) (2020-10-19)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/0.6...v0.6.1)
+
+**Merged pull requests:**
+
+- Add function to decrypt 'code' for ID token generation [\#9](https://github.com/pdsinterop/php-solid-auth/pull/9) ([ylebre](https://github.com/ylebre))
+
+## [0.6](https://github.com/pdsinterop/php-solid-auth/tree/0.6) (2020-10-03)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/0.5.1...0.6)
+
+**Merged pull requests:**
+
+- added id\_token option for token endpoint response [\#8](https://github.com/pdsinterop/php-solid-auth/pull/8) ([ylebre](https://github.com/ylebre))
+- typofix [\#7](https://github.com/pdsinterop/php-solid-auth/pull/7) ([ylebre](https://github.com/ylebre))
+- Added token generation code to support id\_token [\#6](https://github.com/pdsinterop/php-solid-auth/pull/6) ([ylebre](https://github.com/ylebre))
+
+## [0.5.1](https://github.com/pdsinterop/php-solid-auth/tree/0.5.1) (2020-09-21)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.5.0...0.5.1)
+
+## [v0.5.0](https://github.com/pdsinterop/php-solid-auth/tree/v0.5.0) (2020-09-21)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.4.0...v0.5.0)
+
+**Merged pull requests:**
+
+- Change Client config to support Redirect URIs and Name [\#4](https://github.com/pdsinterop/php-solid-auth/pull/4) ([Potherca](https://github.com/Potherca))
+
+## [v0.4.0](https://github.com/pdsinterop/php-solid-auth/tree/v0.4.0) (2020-09-21)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.3.0...v0.4.0)
+
+**Merged pull requests:**
+
+- Rename response methods [\#3](https://github.com/pdsinterop/php-solid-auth/pull/3) ([Potherca](https://github.com/Potherca))
+
+## [v0.3.0](https://github.com/pdsinterop/php-solid-auth/tree/v0.3.0) (2020-09-15)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.2.1...v0.3.0)
+
+**Closed issues:**
+
+- Log in to Slack  [\#1](https://github.com/pdsinterop/php-solid-auth/issues/1)
+
+**Merged pull requests:**
+
+- Add JWKs request response. [\#2](https://github.com/pdsinterop/php-solid-auth/pull/2) ([Potherca](https://github.com/Potherca))
+
+## [v0.2.1](https://github.com/pdsinterop/php-solid-auth/tree/v0.2.1) (2020-09-12)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.2.0...v0.2.1)
+
+## [v0.2.0](https://github.com/pdsinterop/php-solid-auth/tree/v0.2.0) (2020-09-12)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.1.2...v0.2.0)
+
+## [v0.1.2](https://github.com/pdsinterop/php-solid-auth/tree/v0.1.2) (2020-09-12)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.1.1...v0.1.2)
+
+## [v0.1.1](https://github.com/pdsinterop/php-solid-auth/tree/v0.1.1) (2020-09-11)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.1.0...v0.1.1)
+
+## [v0.1.0](https://github.com/pdsinterop/php-solid-auth/tree/v0.1.0) (2020-09-10)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/v0.0.0...v0.1.0)
+
+## [v0.0.0](https://github.com/pdsinterop/php-solid-auth/tree/v0.0.0) (2020-08-27)
+
+[Full Changelog](https://github.com/pdsinterop/php-solid-auth/compare/a408a4ae017c0c6aa36306cd98be22ff41805ecb...v0.0.0)
+
+
+
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# gem "rails"
+
+gem "jekyll", "~> 3.8"
+gem "github-pages"

README.md

@@ -1,8 +1,3 @@
-**@FIXME:** 
-
-- [ ] Generate a changelog
-      `github_changelog_generator -u pdsinterop -p {{project-slug}}`
-
 # Solid Auth
 
 [![Project stage: Development][project-stage-badge: Development]][project-stage-page]
@@ -98,7 +93,7 @@ All code created by PDS Interop is licensed under the [MIT License][license-link
 [keep-a-changelog-shield]: https://img.shields.io/badge/Keep%20a%20Changelog-f15d30.svg?logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9IiNmZmYiIHZpZXdCb3g9IjAgMCAxODcgMTg1Ij48cGF0aCBkPSJNNjIgN2MtMTUgMy0yOCAxMC0zNyAyMmExMjIgMTIyIDAgMDAtMTggOTEgNzQgNzQgMCAwMDE2IDM4YzYgOSAxNCAxNSAyNCAxOGE4OSA4OSAwIDAwMjQgNCA0NSA0NSAwIDAwNiAwbDMtMSAxMy0xYTE1OCAxNTggMCAwMDU1LTE3IDYzIDYzIDAgMDAzNS01MiAzNCAzNCAwIDAwLTEtNWMtMy0xOC05LTMzLTE5LTQ3LTEyLTE3LTI0LTI4LTM4LTM3QTg1IDg1IDAgMDA2MiA3em0zMCA4YzIwIDQgMzggMTQgNTMgMzEgMTcgMTggMjYgMzcgMjkgNTh2MTJjLTMgMTctMTMgMzAtMjggMzhhMTU1IDE1NSAwIDAxLTUzIDE2bC0xMyAyaC0xYTUxIDUxIDAgMDEtMTItMWwtMTctMmMtMTMtNC0yMy0xMi0yOS0yNy01LTEyLTgtMjQtOC0zOWExMzMgMTMzIDAgMDE4LTUwYzUtMTMgMTEtMjYgMjYtMzMgMTQtNyAyOS05IDQ1LTV6TTQwIDQ1YTk0IDk0IDAgMDAtMTcgNTQgNzUgNzUgMCAwMDYgMzJjOCAxOSAyMiAzMSA0MiAzMiAyMSAyIDQxLTIgNjAtMTRhNjAgNjAgMCAwMDIxLTE5IDUzIDUzIDAgMDA5LTI5YzAtMTYtOC0zMy0yMy01MWE0NyA0NyAwIDAwLTUtNWMtMjMtMjAtNDUtMjYtNjctMTgtMTIgNC0yMCA5LTI2IDE4em0xMDggNzZhNTAgNTAgMCAwMS0yMSAyMmMtMTcgOS0zMiAxMy00OCAxMy0xMSAwLTIxLTMtMzAtOS01LTMtOS05LTEzLTE2YTgxIDgxIDAgMDEtNi0zMiA5NCA5NCAwIDAxOC0zNSA5MCA5MCAwIDAxNi0xMmwxLTJjNS05IDEzLTEzIDIzLTE2IDE2LTUgMzItMyA1MCA5IDEzIDggMjMgMjAgMzAgMzYgNyAxNSA3IDI5IDAgNDJ6bS00My03M2MtMTctOC0zMy02LTQ2IDUtMTAgOC0xNiAyMC0xOSAzN2E1NCA1NCAwIDAwNSAzNGM3IDE1IDIwIDIzIDM3IDIyIDIyLTEgMzgtOSA0OC0yNGE0MSA0MSAwIDAwOC0yNCA0MyA0MyAwIDAwLTEtMTJjLTYtMTgtMTYtMzEtMzItMzh6bS0yMyA5MWgtMWMtNyAwLTE0LTItMjEtN2EyNyAyNyAwIDAxLTEwLTEzIDU3IDU3IDAgMDEtNC0yMCA2MyA2MyAwIDAxNi0yNWM1LTEyIDEyLTE5IDI0LTIxIDktMyAxOC0yIDI3IDIgMTQgNiAyMyAxOCAyNyAzM3MtMiAzMS0xNiA0MGMtMTEgOC0yMSAxMS0zMiAxMXptMS0zNHYxNGgtOFY2OGg4djI4bDEwLTEwaDExbC0xNCAxNSAxNyAxOEg5NnoiLz48L3N2Zz4K
 [license-link]: ./LICENSE
 [license-shield]: https://img.shields.io/github/license/pdsinterop/php-solid-auth.svg
-[maintained-shield]: https://img.shields.io/maintenance/yes/2020.svg
+[maintained-shield]: https://img.shields.io/maintenance/yes/2022.svg
 [pdsinterop-shield]: https://img.shields.io/badge/-PDS%20Interop-gray.svg?logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9Ii01IC01IDExMCAxMTAiIGZpbGw9IiNGRkYiIHN0cm9rZS13aWR0aD0iMCI+CiAgICA8cGF0aCBkPSJNLTEgNTJoMTdhMzcuNSAzNC41IDAgMDAyNS41IDMxLjE1di0xMy43NWEyMC43NSAyMSAwIDAxOC41LTQwLjI1IDIwLjc1IDIxIDAgMDE4LjUgNDAuMjV2MTMuNzVhMzcgMzQuNSAwIDAwMjUuNS0zMS4xNWgxN2EyMiAyMS4xNSAwIDAxLTEwMiAweiIvPgogICAgPHBhdGggZD0iTSAxMDEgNDhhMi43NyAyLjY3IDAgMDAtMTAyIDBoIDE3YTIuOTcgMi44IDAgMDE2OCAweiIvPgo8L3N2Zz4K
 [pdsinterop-site]: https://pdsinterop.org/
 [project-stage-badge: Development]: https://img.shields.io/badge/Project%20Stage-Development-yellowgreen.svg

_config.yml

@@ -12,11 +12,16 @@ exclude:
   - "bin/"
   - "src/"
   - "tests/"
+  - "vendor/"
+  - "Gemfile"
   - "*.json"
   - "*.lock"
 
 plugins:
   - github-pages
+  - jekyll-github-metadata
+  - jekyll-remote-theme
+  - jekyll-seo-tag
 
 # Extend the Docs settings (see https://pother.ca/extend-the-docs/)
 nav:
@@ -38,7 +43,7 @@ nav:
 aux_links:
   "PDS Interop on GitHub":
     - https://github.com/pdsinterop
-footer_content: Copyright © 2020 PDS Interop. Distributed under a <a href="https://pdsinterop.org/license/">MIT license.</a>
+footer_content: '<p xmlns:dct="http://purl.org/dc/terms/" property="dct:rights">Copyright © <span property="dct:dateCopyrighted">2020-2021</span> <span property="dct:publisher">PDS Interop</span>. Distributed under a <a rel="license" href="https://pdsinterop.org/license/">MIT license</a>.</p>'
 gh_edit_link: true
 gh_edit_repository: https://github.com/pdsinterop/php-solid-auth
 logo: https://avatars3.githubusercontent.com/u/65920341

composer.json

@@ -14,31 +14,25 @@
   },
   "config": {
     "bin-dir": "./bin",
-    "platform": {
-      "php": "7.2",
-      "ext-json": "1",
-      "ext-mbstring": "1",
-      "ext-openssl": "1"
-    },
     "sort-packages": true
   },
   "description": "OAuth2, OpenID and OIDC for Solid Server implementations.",
   "license": "MIT",
   "name": "pdsinterop/solid-auth",
   "require": {
-    "php": ">=7.2",
+    "php": "^7.3",
     "ext-json": "*",
     "ext-mbstring": "*",
     "ext-openssl": "*",
+    "laminas/laminas-diactoros": "^2.8",
+    "lcobucci/jwt": "3.3.3",
     "league/oauth2-server": "^8.1",
     "web-token/jwt-core": "^2.2"
   },
   "require-dev": {
     "ext-xdebug": "*",
     "ext-xml": "*",
-    "laminas/laminas-diactoros": "^2.3",
-    "lcobucci/jwt": "^3.3",
-    "phpunit/phpunit": "^8.5"
+    "phpunit/phpunit": "^8.5 | ^9.5"
   },
   "scripts": {
     "tests:example": "php -S localhost:8080 -t ./tests/ ./tests/example.php",

src/Utils/DPop.php

@@ -162,7 +162,8 @@ private function validateDpop($dpop, $request) {
 
 		//error_log("8");
 		// 8.  the token was issued within an acceptable timeframe (see Section 9.1), and
-		$validationData = new ValidationData(); // It will use the current time to validate (iat, nbf and exp)
+		$leeway = 5; // allow 5 seconds clock skew
+		$validationData = new ValidationData(time() + $leeway); // It will use the current time to validate (iat, nbf and exp)
 		if (!$dpop->validate($validationData)) {
 			throw new \Exception("token timing is invalid");
 		}

src/WAC.php

@@ -51,7 +51,10 @@ public function isAllowed($request, $webId, $origin=false, $allowedOrigins=[]) {
 		$uri = $request->getUri();
 		$parentUri = $this->getParentUri($uri);
 
-		foreach ($requestedGrants as $requestedGrant) {
+        // @FIXME: $origin can be anything at this point, null, string, array, bool
+        //         This causes trouble downstream where an unchecked `parse_url($origin)['host'];` occurs
+
+        foreach ($requestedGrants as $requestedGrant) {
 			switch ($requestedGrant['type']) {
 				case "resource":
 					if ($this->isPublicGranted($requestedGrant['grants'], $uri)) {
@@ -93,9 +96,9 @@ private function checkGrants($requestedGrants, $uri, $grants) {
 		}
 		if (is_array($grants)) {
 			foreach ($requestedGrants as $requestedGrant) {
-				if ($grants['accessTo'] && $grants['accessTo'][$requestedGrant] && $this->arePathsEqual($grants['accessTo'][$requestedGrant], $uri)) {
+				if (isset($grants['accessTo']) && isset($grants['accessTo'][$requestedGrant]) && $this->arePathsEqual($grants['accessTo'][$requestedGrant], $uri)) {
 					return true;
-				} else if ($grants['default'][$requestedGrant]) {
+				} else if (isset($grants['default']) && isset($grants['default'][$requestedGrant])) {
 					if ($this->arePathsEqual($grants['default'][$requestedGrant], $uri)) {
 						return false; // only use default for children, not for an exact match;
 					}
@@ -121,9 +124,14 @@ private function isUserGranted($requestedGrants, $uri, $webId) {
 	}
 
 	private function isOriginGranted($requestedGrants, $uri, $origin, $allowedOrigins) {
+        if (is_array($origin)) {
+            $origin = reset($origin);
+        }
+
 		if (!$origin) {
 			return true;
 		}
+
 		$parsedOrigin = parse_url($origin)['host'];
 		if (
 			in_array($parsedOrigin, $allowedOrigins, true) ||
@@ -298,6 +306,7 @@ private function getAclPath($path) {
 		foreach ($aclOptions as $aclPath) {
 			if (
 				$this->filesystem->has($aclPath)
+                && $this->filesystem->read($aclPath) !== false
 			) {
 				return $aclPath;
 			}
@@ -383,6 +392,10 @@ public function getRequestedGrants($request) {
 					array(
 						"type" => "resource",
 						"grants" => array('http://www.w3.org/ns/auth/acl#Write')
+					),
+					array(
+						"type" => "parent",
+						"grants" => array('http://www.w3.org/ns/auth/acl#Write')
 					)
 				);
 			break;
@@ -500,7 +513,12 @@ private function getParentUri($uri) {
 	}
 	private function getWACGrants($grants, $uri) {
 		$wacGrants = array();
-		
+                if (!isset($grants['accessTo'])) {
+                        $grants['accessTo'] = [];
+                }
+                if (!isset($grants['default'])) {
+                        $grants['default'] = [];
+                }		
 		foreach ((array)$grants['accessTo'] as $grant => $grantedUri) {
 			if ($this->arePathsEqual($grantedUri, $uri)) {
 				$wacGrants[] = $this->grantToWac($grant);