From 3ae19bb4725a97620afc74d8b7d1197ca117eb04 Mon Sep 17 00:00:00 2001
From: Brent Shaffer
Date: Fri, 16 Oct 2015 13:13:10 -0700
Subject: [PATCH] adds tests + fixes bugs for multiple issuers
---
 src/Google/Auth/OAuth2.php | 2 +-
 tests/general/AuthTest.php | 47 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/Google/Auth/OAuth2.php b/src/Google/Auth/OAuth2.php
index 0f556e14d..40f2076ba 100644
--- a/src/Google/Auth/OAuth2.php
+++ b/src/Google/Auth/OAuth2.php
@@ -609,7 +609,7 @@ public function verifySignedJwtWithCerts(
 sprintf(
 "Invalid issuer, %s not in %s: %s",
 $iss,
- "[".implode(",", $issuers)."]",
+ "[".implode(",", (array) $issuer)."]",
 $json_body
 )
 );
diff --git a/tests/general/AuthTest.php b/tests/general/AuthTest.php
index 9832a34dc..86cd8312f 100644
--- a/tests/general/AuthTest.php
+++ b/tests/general/AuthTest.php
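Review bot: The `(array) $issuer` normalization lives only inside the error message, so whichever check above decides that `$iss` is not an allowed issuer has to do its own normalization; doing it once before the check, e.g. `$issuers = (array) $issuer;`, and using `$issuers` in both places would also have made the `$issuers` reference on the removed line correct instead of undefined. The message additionally embeds `$json_body`, which from its name looks like the decoded token payload; if that is so, the full set of claims travels with this exception into whatever logs catch it, and reporting only the offending `$iss` value would be the more conservative choice. verifySignedJwtWithCerts starts before this hunk and continues after it.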
@@ -149,18 +149,61 @@ public function testVerifySignedJwtWithCerts()
 }
 
 // Checks that the id token fails to verify with the expected message.
- private function checkIdTokenFailure($id_token, $msg)
+ private function checkIdTokenFailure($id_token, $msg, $issuer = null)
 {
 $certs = $this->getSignonCerts();
 $oauth2 = new Google_Auth_OAuth2($this->getClient());
 try {
- $oauth2->verifySignedJwtWithCerts($id_token, $certs, "client_id");
+ $oauth2->verifySignedJwtWithCerts($id_token, $certs, "client_id", $issuer);
 $this->fail("Should have thrown for $id_token");
 } catch (Google_Auth_Exception $e) {
 $this->assertContains($msg, $e->getMessage());
 }
 }
 
+ public function testVerifySignedJwtWithMultipleIssuers()
+ {
+ $id_token = $this->makeSignedJwt(
+ array(
+ "iss" => "system.gserviceaccount.com",
+ "aud" => "client_id",
+ "sub" => self::USER_ID,
+ "iat" => time(),
+ "exp" => time() + 3600
+ )
+ );
+ $certs = $this->getSignonCerts();
+ $oauth2 = new Google_Auth_OAuth2($this->getClient());
+ $ticket = $oauth2->verifySignedJwtWithCerts(
+ $id_token,
+ $certs,
+ "client_id",
+ ['system.gserviceaccount.com', 'https://system.gserviceaccount.com']
+ );
+ $this->assertEquals(self::USER_ID, $ticket->getUserId());
+ // Check that payload and envelope got filled in.
+ $attributes = $ticket->getAttributes();
+ $this->assertEquals("JWT", $attributes["envelope"]["typ"]);
+ $this->assertEquals("client_id", $attributes["payload"]["aud"]);
+ }
+
+ public function testVerifySignedJwtWithBadIssuer()
+ {
+ $id_token = $this->makeSignedJwt(
+ array(
+ "iss" => "fake.gserviceaccount.com",
+ "aud" => "client_id",
+ "sub" => self::USER_ID,
+ "iat" => time(),
+ "exp" => time() + 3600
+ )
+ );
+
+ $issuers = ['system.gserviceaccount.com', 'https://system.gserviceaccount.com'];
+ $this->checkIdTokenFailure($id_token, 'Invalid issuer', $issuers[0]);
+ $this->checkIdTokenFailure($id_token, 'Invalid issuer', $issuers);
+ }
+
 public function testVerifySignedJwtWithBadJwt()
 {
 $this->checkIdTokenFailure("foo", "Wrong number of segments");
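Review bot: testVerifySignedJwtWithMultipleIssuers only presents a token whose `iss` equals the first entry of the allowed list, so an implementation that compared against `$issuer[0]` alone would still pass; a second positive case with `"iss" => "https://system.gserviceaccount.com"` verified against the same two-element list would pin that every listed issuer is accepted. testVerifySignedJwtWithBadIssuer does cover the negative side for both the string and the array form, which is the right pairing. The new tests mix `array(...)` and the short `[...]` syntax within the same hunk; if the suite still runs on PHP older than 5.4 the short form will not parse, and either way one form throughout reads more consistently. The enclosing test class starts before this hunk and continues after it.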