Moved OpenID token verification to separate class and added tests

Author: marickvantuil

src/OpenIdVerificator.php

@@ -17,11 +17,33 @@ class OpenIdVerificator
 
     private $guzzle;
     private $rsa;
+    private $jwt;
 
-    public function __construct(Client $guzzle, RSA $rsa)
+    public function __construct(Client $guzzle, RSA $rsa, JWT $jwt)
     {
         $this->guzzle = $guzzle;
         $this->rsa = $rsa;
+        $this->jwt = $jwt;
+    }
+
+    public function guardAgainstInvalidOpenIdToken($token)
+    {
+        $kid = $this->getKidFromOpenIdToken($token);
+        $publicKey = $this->getPublicKey($kid);
+
+        $decodedToken = $this->jwt->decode($token, $publicKey, ['RS256']);
+
+        /**
+         * https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
+         */
+
+        if (!in_array($decodedToken->iss, ['https://accounts.google.com', 'accounts.google.com'])) {
+            throw new CloudSchedulerException('The given OpenID token is not valid');
+        }
+
+        if ($decodedToken->exp < time()) {
+            throw new CloudSchedulerException('The given OpenID token has expired');
+        }
     }
 
     public function getPublicKey($kid = null)

src/TaskHandler.php

@@ -2,23 +2,21 @@
 
 namespace Stackkit\LaravelGoogleCloudScheduler;
 
-use Firebase\JWT\JWT;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Artisan;
+use Throwable;
 
 class TaskHandler
 {
     private $command;
     private $request;
     private $openId;
-    private $jwt;
 
-    public function __construct(Command $command, Request $request, OpenIdVerificator $openId, JWT $jwt)
+    public function __construct(Command $command, Request $request, OpenIdVerificator $openId)
     {
         $this->command = $command;
         $this->request = $request;
         $this->openId = $openId;
-        $this->jwt = $jwt;
     }
 
     /**
@@ -34,8 +32,6 @@ public function handle()
 
         $output = Artisan::output();
 
-        logger($output);
-
         return $this->cleanOutput($output);
     }
 
@@ -45,32 +41,15 @@ public function handle()
     private function authorizeRequest()
     {
         if (!$this->request->hasHeader('Authorization')) {
-            return;
+            throw new CloudSchedulerException('Unauthorized');
         }
 
         $openIdToken = $this->request->bearerToken();
-        $kid = $this->openId->getKidFromOpenIdToken($openIdToken);
-        $publicKey = $this->openId->getPublicKey($kid);
-
-        $decodedToken = $this->jwt->decode($openIdToken, $publicKey, ['RS256']);
-
-        $this->validateToken($decodedToken);
-    }
-
-    /**
-     * https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
-     *
-     * @param $openIdToken
-     * @throws CloudSchedulerException
-     */
-    protected function validateToken($openIdToken)
-    {
-        if (!in_array($openIdToken->iss, ['https://accounts.google.com', 'accounts.google.com'])) {
-            throw new CloudSchedulerException('The given OpenID token is not valid');
-        }
 
-        if ($openIdToken->exp < time()) {
-            throw new CloudSchedulerException('The given OpenID token has expired');
+        try {
+            $this->openId->guardAgainstInvalidOpenIdToken($openIdToken);
+        } catch (Throwable $e) {
+            throw new CloudSchedulerException('Unauthorized');
         }
     }
 

tests/TaskHandlerTest.php

@@ -4,7 +4,9 @@
 
 use Firebase\JWT\JWT;
 use Illuminate\Console\Scheduling\Schedule;
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Log;
+use Stackkit\LaravelGoogleCloudScheduler\CloudSchedulerException;
 use Stackkit\LaravelGoogleCloudScheduler\Command;
 use Stackkit\LaravelGoogleCloudScheduler\OpenIdVerificator;
 use Stackkit\LaravelGoogleCloudScheduler\TaskHandler;
@@ -13,17 +15,25 @@ class TaskHandlerTest extends TestCase
 {
     private $taskHandler;
     private $fakeCommand;
+    private $openId;
+    private $request;
 
     public function setUp(): void
     {
         parent::setUp();
 
         $this->fakeCommand = \Mockery::mock(Command::class)->makePartial();
 
+        // ensure we don't call Google services to validate the token
+        $this->openId = \Mockery::mock(app(OpenIdVerificator::class))->makePartial();
+
+        $this->request = new Request();
+        $this->request->headers->add(['Authorization' => 'test']);
+
         $this->taskHandler = new TaskHandler(
             $this->fakeCommand,
-            request(),
-            app(OpenIdVerificator::class),
+            $this->request,
+            $this->openId,
             app(JWT::class)
         );
     }
@@ -32,9 +42,38 @@ public function setUp(): void
     public function it_executes_the_incoming_command()
     {
         $this->fakeCommand->shouldReceive('capture')->andReturn('env');
+        $this->openId->shouldReceive('guardAgainstInvalidOpenIdToken')->andReturnNull();
 
         $output = $this->taskHandler->handle();
 
         $this->assertEquals('Current application environment: testing', $output);
     }
+
+    /** @test */
+    public function it_requires_a_jwt()
+    {
+        $this->fakeCommand->shouldReceive('capture')->andReturn('env');
+        $this->openId->shouldReceive('guardAgainstInvalidOpenIdToken')->andReturnNull();
+
+        $this->request->headers->remove('Authorization');
+
+        $this->expectException(CloudSchedulerException::class);
+
+        $this->taskHandler->handle();
+    }
+
+    /** @test */
+    public function it_requires_a_jwt_signed_by_google()
+    {
+        $this->fakeCommand->shouldReceive('capture')->andReturn('env');
+
+        $dummyJwt = JWT::encode('test', 'test');
+
+        $this->request->headers->add(['Authorization' => 'Bearer ' . $dummyJwt]);
+
+        $this->expectException(CloudSchedulerException::class);
+        $this->expectExceptionMessage('Unauthorized');
+
+        $this->taskHandler->handle();
+    }
 }