Merge pull request #5 from talis/asp_2543_account_for_client_id_on_login

Author: mikerudd

docker-compose.yml

@@ -1,35 +1,35 @@
 version: '3.7'
 services:
   composer:
-    image: composer:latest
+    image: composer:2.2
     environment:
       - COMPOSER_CACHE_DIR=/app/.cache/composer
     volumes:
       - .:/app
-    restart: never    
+    restart: never
   php55:
     image: php:5.5-cli
-    volumes: 
+    volumes:
       - .:/app
     working_dir: /app
     restart: never
   php70:
     image: php:7.0-cli
-    volumes: 
+    volumes:
       - .:/app
     working_dir: /app
-    restart: never    
+    restart: never
   phpunit55:
     image: php:5.5-cli
     restart: never
     volumes:
       - .:/app
     working_dir: /app
-    entrypoint: vendor/bin/phpunit    
+    entrypoint: vendor/bin/phpunit
   phpunit70:
     image: php:7.0-cli
     restart: never
     volumes:
       - .:/app
     working_dir: /app
-    entrypoint: vendor/bin/phpunit        
+    entrypoint: vendor/bin/phpunit

src/lti/LTI_OIDC_Login.php

@@ -1,4 +1,5 @@
 <?php
+
 namespace IMSGlobal\LTI;
 
 class LTI_OIDC_Login {
@@ -14,7 +15,8 @@ class LTI_OIDC_Login {
      * @param Cache    $cache    Instance of the Cache interface used to loading and storing launches. If non is provided launch data will be store in $_SESSION.
      * @param Cookie   $cookie   Instance of the Cookie interface used to set and read cookies. Will default to using $_COOKIE and setcookie.
      */
-    function __construct(Database $database, Cache $cache = null, Cookie $cookie = null) {
+    function __construct(Database $database, Cache $cache = null, Cookie $cookie = null)
+    {
         $this->db = $database;
         if ($cache === null) {
             $cache = new FileCache();
@@ -33,10 +35,11 @@ function __construct(Database $database, Cache $cache = null, Cookie $cookie = n
      * @param Database $database Instance of the database interface used for looking up registrations and deployments.
      * @param Cache    $cache    Instance of the Cache interface used to loading and storing launches. If non is provided launch data will be store in $_SESSION.
      * @param Cookie   $cookie   Instance of the Cookie interface used to set and read cookies. Will default to using $_COOKIE and setcookie.
-     * 
+     *
      * @return LTI_OIDC_Login
      */
-    public static function newInstance(Database $database, Cache $cache = null, Cookie $cookie = null) {
+    public static function newInstance(Database $database, Cache $cache = null, Cookie $cookie = null)
+    {
         return new LTI_OIDC_Login($database, $cache, $cookie);
     }
 
@@ -48,7 +51,8 @@ public static function newInstance(Database $database, Cache $cache = null, Cook
      *
      * @return Redirect Returns a redirect object containing the fully formed OIDC login URL.
      */
-    public function do_oidc_login_redirect($launch_url, array $request = null) {
+    public function do_oidc_login_redirect($launch_url, array $request = null)
+    {
 
         if ($request === null) {
             $request = $_REQUEST;
@@ -100,7 +104,8 @@ public function do_oidc_login_redirect($launch_url, array $request = null) {
 
     }
 
-    protected function validate_oidc_login($request) {
+    protected function validate_oidc_login($request)
+    {
 
         // Validate Issuer.
         if (empty($request['iss'])) {
@@ -112,7 +117,7 @@ protected function validate_oidc_login($request) {
             throw new OIDC_Exception("Could not find login hint", 1);
         }
 
-        $clientId = isset($request['aud']) ? $request['aud'] : null;
+        $clientId = $this->getClientIdFromRequest($request);
 
         // Fetch Registration Details.
         $registration = $this->db->find_registration_by_issuer($request['iss'], $clientId);
@@ -125,4 +130,24 @@ protected function validate_oidc_login($request) {
         // Return Registration.
         return $registration;
     }
+
+    /**
+     * Get the clientId from the request. If `client_id` and `aud` are present, then `client_id` has preference.
+     *
+     * @param array $request An array of request parameters.
+     *
+     * @return string|null
+     */
+    private function getClientIdFromRequest(array $request)
+    {
+        $clientId = null;
+
+        if (isset($request['client_id'])) {
+            $clientId = $request['client_id'];
+        } elseif (isset($request['aud'])) {
+            $clientId = $request['aud'];
+        }
+
+        return $clientId;
+    }
 }

tests/unit/LTI_OIDC_Login_Test.php

@@ -8,16 +8,17 @@
 use IMSGlobal\LTI\Tests\unit\helpers\DummyDatabase;
 use IMSGlobal\LTI\Tests\unit\helpers\InMemoryCache;
 
-class LTI_OIDC_Login_Test extends TestBase {
+class LTI_OIDC_Login_Test extends TestBase
+{
     private $launchUrl = 'https://example.com/lti1p3/launch';
 
     public function testNewInstance()
     {
         $this->assertInstanceOf(LTI_OIDC_Login::class, LTI_OIDC_Login::newInstance(
             new DummyDatabase()
         ));
-    }  
-    
+    }
+
     public function testDoOidcLoginRedirectEmptyLaunchUrl()
     {
         $this->setExpectedException('IMSGlobal\LTI\OIDC_Exception', 'No launch URL configured');
@@ -31,7 +32,7 @@ public function testValidateOidcLoginNoIssuer()
         LTI_OIDC_Login::newInstance(new DummyDatabase())->do_oidc_login_redirect(
             $this->launchUrl,
             []
-        );        
+        );
     }
 
     public function testValidateOidcLoginNoPasswordHint()
@@ -40,9 +41,9 @@ public function testValidateOidcLoginNoPasswordHint()
         LTI_OIDC_Login::newInstance(new DummyDatabase())->do_oidc_login_redirect(
             $this->launchUrl,
             ['iss' => 'aaa']
-        );        
-    }   
-    
+        );
+    }
+
     public function testValidateOidcLoginRegistrationNotFound()
     {
         $this->setExpectedException('IMSGlobal\LTI\OIDC_Exception', 'Could not find registration details');
@@ -51,7 +52,7 @@ public function testValidateOidcLoginRegistrationNotFound()
         $registrationDatabase = $this->getMockBuilder(DummyDatabase::class)
             ->setMethods(['find_registration_by_issuer'])
             ->getMock();
-        
+
         $registrationDatabase->expects($this->atLeastOnce())
             ->method('find_registration_by_issuer')
             ->with('xyz', null)
@@ -63,25 +64,25 @@ public function testValidateOidcLoginRegistrationNotFound()
                 'iss' => 'xyz',
                 'login_hint' => 'password123'
             ]
-        );        
-    }  
-    
+        );
+    }
+
     public function testDoOidcLoginRedirect()
     {
         /** @var InMemoryCache|\PHPUnit_Framework_MockObject_MockObject */
         $cache = $this->getMockBuilder(InMemoryCache::class)
             ->setMethods(['cache_nonce'])
             ->getMock();
-        
+
         $cache->expects($this->once())->method('cache_nonce')->with(
             $this->stringStartsWith('nonce-')
         );
-        
+
         /** @var Cookie|\PHPUnit_Framework_MockObject_MockObject $cookie */
         $cookie = $this->getMockBuilder(Cookie::class)
             ->setMethods(['set_cookie'])
             ->getMock();
-        
+
         $cookie->expects($this->once())->method('set_cookie')->with(
             $this->stringStartsWith('lti1p3_state-'),
             $this->stringStartsWith('state-')
@@ -98,14 +99,14 @@ public function testDoOidcLoginRedirect()
                 'login_hint' => 'password123',
                 'lti_message_hint' => 'my message hint'
             ]
-        );   
-        
+        );
+
         $this->assertInstanceOf(Redirect::class, $redirect);
 
         $redirectUrl = parse_url($redirect->get_redirect_url());
 
         $this->assertEquals('https', $redirectUrl['scheme']);
-        $this->assertEquals('example.com', $redirectUrl['host']);   
+        $this->assertEquals('example.com', $redirectUrl['host']);
         $this->assertEquals('/lti1p3/aaa/12345/auth_login_url', $redirectUrl['path']);
         parse_str($redirectUrl['query'], $query);
         $this->assertEquals('openid', $query['scope']);
@@ -119,4 +120,79 @@ public function testDoOidcLoginRedirect()
         $this->assertEquals('password123', $query['login_hint']);
         $this->assertEquals('my message hint', $query['lti_message_hint']);
     }
+
+    /**
+     * @dataProvider clientIdProvider
+     * @param array $request The request array to use for the test
+     */
+    public function testClientIdIsSetOnOidcLogin(array $request)
+    {
+        /** @var InMemoryCache|\PHPUnit_Framework_MockObject_MockObject */
+        $cache = $this->getMockBuilder(InMemoryCache::class)
+            ->setMethods(['cache_nonce'])
+            ->getMock();
+
+        $cache->expects($this->once())->method('cache_nonce')->with(
+            $this->stringStartsWith('nonce-')
+        );
+
+        /** @var Cookie|\PHPUnit_Framework_MockObject_MockObject $cookie */
+        $cookie = $this->getMockBuilder(Cookie::class)
+            ->setMethods(['set_cookie'])
+            ->getMock();
+
+        $cookie->expects($this->once())->method('set_cookie')->with(
+            $this->stringStartsWith('lti1p3_state-'),
+            $this->stringStartsWith('state-')
+        )->willReturn($cookie);
+
+        $redirect = LTI_OIDC_Login::newInstance(
+            new DummyDatabase(),
+            $cache,
+            $cookie
+        )->do_oidc_login_redirect(
+            $this->launchUrl,
+            $request
+        );
+
+        $expectedId = isset($request['client_id']) ? $request['client_id'] : $request['aud'];
+
+        $this->assertInstanceOf(Redirect::class, $redirect);
+
+        $redirectUrl = parse_url($redirect->get_redirect_url());
+
+        parse_str($redirectUrl['query'], $query);
+        $this->assertEquals($expectedId, $query['client_id']);
+    }
+
+    public function clientIdProvider()
+    {
+        return [
+            'clientId as client_id' => [
+                [
+                    'iss' => 'aaa',
+                    'login_hint' => 'password123',
+                    'lti_message_hint' => 'my message hint',
+                    'client_id' => '12345'
+                ]
+            ],
+            'clientId as aud' => [
+                [
+                    'iss' => 'bbb',
+                    'login_hint' => 'password123',
+                    'lti_message_hint' => 'my message hint',
+                    'aud' => 'aud_12345'
+                ]
+            ],
+            'clientId and aud present' => [
+                [
+                    'iss' => 'ccc',
+                    'login_hint' => 'password123',
+                    'lti_message_hint' => 'my message hint',
+                    'aud' => 'aud_12345',
+                    'client_id' => '12345'
+                ]
+            ]
+        ];
+    }
 }

tests/unit/fixtures/registration_db.json

@@ -5,6 +5,23 @@
         "deployment_id": "aaa-12345",
         "auth_login_url": "https://example.com/lti1p3/aaa/12345/auth_login_url",
         "auth_token_url": "https://example.com/lti1p3/aaa/12345/auth_token_url",
-        "key_set_url": "https://example.com/lti1p3/aaa/12345/key_set_url"                
+        "key_set_url": "https://example.com/lti1p3/aaa/12345/key_set_url"
+    },
+    {
+        "issuer": "bbb",
+        "aud": "aud_12345",
+        "deployment_id": "bbb-12345",
+        "auth_login_url": "https://example.com/lti1p3/bbb/aud_12345/auth_login_url",
+        "auth_token_url": "https://example.com/lti1p3/bbb/aud_12345/auth_token_url",
+        "key_set_url": "https://example.com/lti1p3/bbb/aud_12345/key_set_url"
+    },
+    {
+        "issuer": "ccc",
+        "aud": "aud_12345",
+        "client_id": "12345",
+        "deployment_id": "bbb-12345",
+        "auth_login_url": "https://example.com/lti1p3/bbb/aud_12345/auth_login_url",
+        "auth_token_url": "https://example.com/lti1p3/bbb/aud_12345/auth_token_url",
+        "key_set_url": "https://example.com/lti1p3/bbb/aud_12345/key_set_url"
     }
-]
+]

tests/unit/helpers/DummyDatabase.php

@@ -6,7 +6,8 @@
 use IMSGlobal\LTI\LTI_Registration;
 use IMSGlobal\LTI\LTI_Deployment;
 
-class DummyDatabase implements Database {
+class DummyDatabase implements Database
+{
     public function find_registration_by_issuer($iss, $clientId = null)
     {
         $privateKeyFileContents = file_get_contents(dirname(dirname(__FILE__)) . '/fixtures/private.key');
@@ -16,24 +17,27 @@ public function find_registration_by_issuer($iss, $clientId = null)
             $registrations = json_decode($registrationDBFile, true);
             foreach ($registrations as $registrationDetails) {
                 if ($registrationDetails['issuer'] === $iss) {
-                    if (empty($clientId) || $registrationDetails['client_id'] === $clientId) {
+                    if (empty($clientId)
+                        || $registrationDetails['client_id'] === $clientId
+                        || $registrationDetails['aud'] === $clientId
+                    ) {
                         $details = $registrationDetails;
                         break;
                     }
                 }
             }
             if (!empty($details)) {
                 if (empty($clientId)) {
-                    $clientId = $details['client_id'];                    
+                    $clientId = isset($details['client_id'])? $details['client_id'] : $details['aud'];
                 }
 
                 $registration = LTI_Registration::newInstance()
                     ->set_auth_login_url($details['auth_login_url'])
                     ->set_auth_token_url($details['auth_token_url'])
                     ->set_key_set_url($details['key_set_url'])
                     ->set_kid("key_{$iss}_{$clientId}")
-                    ->set_tool_private_key($privateKeyFileContents);                
-                
+                    ->set_tool_private_key($privateKeyFileContents);
+
 
                 $registration->set_client_id($clientId);
                 return $registration;