From d2316251d5c0cad1f83d5bfe6468684cacb6e74d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Jaussoin?= Date: Mon, 25 Mar 2024 11:08:41 +0000 Subject: [PATCH] Fix FLEXIAPI-143 Implement JWT authentification in the API --- .gitlab-ci-files/package.yml | 6 + .gitlab-ci-files/test.yml | 2 +- .gitlab-ci.yml | 2 +- CHANGELOG.md | 1 + Makefile | 1 + flexiapi/.env.example | 5 +- flexiapi/app/Http/Kernel.php | 1 + .../Middleware/AuthenticateDigestOrKey.php | 4 + .../app/Http/Middleware/AuthenticateJWT.php | 73 ++++++ flexiapi/composer.json | 1 + flexiapi/composer.lock | 222 ++++++++++++++++-- flexiapi/config/services.php | 4 + .../api/documentation_markdown.blade.php | 14 ++ .../documentation_markdown.blade.php | 4 + flexiapi/routes/api.php | 2 +- flexiapi/routes/web.php | 7 +- .../Feature/AccountJWTAuthenticationTest.php | 142 +++++++++++ flexisip-account-manager.spec | 2 +- 18 files changed, 465 insertions(+), 28 deletions(-) create mode 100644 flexiapi/app/Http/Middleware/AuthenticateJWT.php create mode 100644 flexiapi/tests/Feature/AccountJWTAuthenticationTest.php diff --git a/.gitlab-ci-files/package.yml b/.gitlab-ci-files/package.yml index a80d56a..6e5cc77 100644 --- a/.gitlab-ci-files/package.yml +++ b/.gitlab-ci-files/package.yml @@ -2,6 +2,12 @@ rocky8-package: extends: .package image: gitlab.linphone.org:4567/bc/public/docker/rocky8-php:$ROCKY_8_IMAGE_VERSION script: + # We install this dependency only for the pipeline + - dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm + - dnf -y module reset php + - dnf -y module enable php:remi-8.0 + - dnf -y update php\* + - dnf -y install php-sodium - make rpm-el8 rocky9-package: diff --git a/.gitlab-ci-files/test.yml b/.gitlab-ci-files/test.yml index 66642be..eb8a3e4 100644 --- a/.gitlab-ci-files/test.yml +++ b/.gitlab-ci-files/test.yml @@ -15,7 +15,7 @@ rocky9-test: script: - yum -y localinstall build/*.rpm - cd /opt/belledonne-communications/share/flexisip-account-manager/flexiapi - - composer install + - composer install --ignore-platform-req=ext-sodium # Rocky 8 use the external library - vendor/bin/phpcs - vendor/bin/phpmd . ansi phpmd.xml - php artisan key:generate diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3f06491..501208e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,6 +1,6 @@ variables: ROCKY_8_IMAGE_VERSION: 20230330_163028_remove_remi - ROCKY_9_IMAGE_VERSION: 20231019_170719_rocky9_php80_cleanup + ROCKY_9_IMAGE_VERSION: 20240314_163316_add_php_sodium DEBIAN_11_IMAGE_VERSION: 20240221_140459_package_upgrade_02_24 DEBIAN_12_IMAGE_VERSION: 20230925_143235_enable_debian12_packaging PHP_REDIS_REMI_VERSION: php-pecl-redis5-5.3.6-1 diff --git a/CHANGELOG.md b/CHANGELOG.md index e30ce57..c92b2ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ v1.5 - FIX FLEXIAPI-146 Allow users to manage their own devices - Fix FLEXIAPI-145 Put back the 'code' parameter as an alias for the 'confirmation_key' for the activateEmail and activatePhone endpoints - Fix FLEXIAPI-144 Introduce APP_FLEXISIP_PUSHER_FIREBASE_KEYSMAP as a replacement for APP_FLEXISIP_PUSHER_FIREBASE_KEY +- Fix FLEXIAPI-143 JWT Authentication layer on the API - Fix FLEXIAPI-142 PUT /accounts endpoint doesn't allow overiding values anymore - Fix FLEXIAPI-140 Fix the display_name attribute in the Vcard4 render - Fix FLEXIAPI-139 Refactor the email and phone API documentation diff --git a/Makefile b/Makefile index e491328..9a0c120 100644 --- a/Makefile +++ b/Makefile @@ -57,6 +57,7 @@ package-end-common: rm -rf $(OUTPUT_DIR)/rpmbuild/SPECS $(OUTPUT_DIR)/rpmbuild/SOURCES $(OUTPUT_DIR)/rpmbuild/SRPMS $(OUTPUT_DIR)/rpmbuild/BUILD $(OUTPUT_DIR)/rpmbuild/BUILDROOT rpm-el8-only: + sed -i 's/Requires:.*/Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring/g' $(OUTPUT_DIR)/rpmbuild/SPECS/flexisip-account-manager.spec rpmbuild -v -bb --define 'dist .el8' --define '_topdir $(OUTPUT_DIR)/rpmbuild' --define "_rpmdir $(OUTPUT_DIR)/rpmbuild" $(OUTPUT_DIR)/rpmbuild/SPECS/flexisip-account-manager.spec @echo "📦✅ RPM el8 Package Created" diff --git a/flexiapi/.env.example b/flexiapi/.env.example index 3086ea3..3e4a203 100644 --- a/flexiapi/.env.example +++ b/flexiapi/.env.example @@ -110,4 +110,7 @@ OVH_APP_SENDER= # HCaptcha HCAPTCHA_SECRET=secret-key -HCAPTCHA_SITEKEY=site-key \ No newline at end of file +HCAPTCHA_SITEKEY=site-key + +# JWT +JWT_RSA_PUBLIC_KEY_PEM= diff --git a/flexiapi/app/Http/Kernel.php b/flexiapi/app/Http/Kernel.php index 9530eed..7470fe9 100644 --- a/flexiapi/app/Http/Kernel.php +++ b/flexiapi/app/Http/Kernel.php @@ -72,6 +72,7 @@ class Kernel extends HttpKernel 'auth.admin' => \App\Http\Middleware\AuthenticateAdmin::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'auth.digest_or_key' => \App\Http\Middleware\AuthenticateDigestOrKey::class, + 'auth.jwt' => \App\Http\Middleware\AuthenticateJWT::class, 'auth.check_blocked' => \App\Http\Middleware\CheckBlocked::class, 'web_panel_enabled' => \App\Http\Middleware\IsWebPanelEnabled::class, 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class, diff --git a/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php b/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php index 26f6e09..32b27d4 100644 --- a/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php +++ b/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php @@ -39,6 +39,10 @@ class AuthenticateDigestOrKey */ public function handle($request, Closure $next) { + if ($request->bearerToken() && Auth::check()) { + return $next($request); + } + // Key authentication if ($request->header('x-api-key') || $request->cookie('x-api-key')) { diff --git a/flexiapi/app/Http/Middleware/AuthenticateJWT.php b/flexiapi/app/Http/Middleware/AuthenticateJWT.php new file mode 100644 index 0000000..6009c6c --- /dev/null +++ b/flexiapi/app/Http/Middleware/AuthenticateJWT.php @@ -0,0 +1,73 @@ +bearerToken() && config('services.jwt.rsa_public_key_pem')) { + if (!extension_loaded('sodium')) { + abort(403, "Your PHP setup doesn't have the Sodium extension loaded"); + } + + $publicKey = InMemory::plainText(config('services.jwt.rsa_public_key_pem')); + $token = (new Parser(new JoseEncoder()))->parse($request->bearerToken()); + + $signer = null; + + switch ($token->headers()->get('alg')) { + case 'RS256': + $signer = new Sha256; + break; + + case 'RS384': + $signer = new Sha384; + break; + + case 'RS512': + $signer = new Sha512; + break; + } + + if ($signer == null) { + abort(403, 'Unsupported RSA signature'); + } + + if (!(new Validator())->validate($token, new SignedWith($signer, $publicKey))) { + abort(403, 'Invalid JWT token signature'); + } + + if ($token->isExpired(new DateTimeImmutable())) { + abort(403, 'Expired JWT token'); + } + + $account = Account::withoutGlobalScopes() + ->where('email', $token->claims()->get('email')) + ->first(); + + if (!$account) { + abort(403, 'The JWT token is not related to someone in the system'); + } + + Auth::login($account); + } + + return $next($request); + } +} diff --git a/flexiapi/composer.json b/flexiapi/composer.json index 5120c28..687bcec 100644 --- a/flexiapi/composer.json +++ b/flexiapi/composer.json @@ -15,6 +15,7 @@ "fakerphp/faker": "^1.23", "laravel/framework": "^9.52", "laravel/tinker": "^2.8", + "lcobucci/jwt": "^4.3", "namoshek/laravel-redis-sentinel": "^0.1", "ovh/ovh": "^3.2", "parsedown/laravel": "^1.2", diff --git a/flexiapi/composer.lock b/flexiapi/composer.lock index be65384..831dbae 100644 --- a/flexiapi/composer.lock +++ b/flexiapi/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "255a77afa50eaa780b140f0b760339af", + "content-hash": "daf1c028cc9a6eb9b5d28ba1bd25cec5", "packages": [ { "name": "awobaz/compoships", @@ -2186,6 +2186,141 @@ }, "time": "2024-01-04T16:10:04+00:00" }, + { + "name": "lcobucci/clock", + "version": "2.2.0", + "source": { + "type": "git", + "url": "https://github.com/lcobucci/clock.git", + "reference": "fb533e093fd61321bfcbac08b131ce805fe183d3" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/lcobucci/clock/zipball/fb533e093fd61321bfcbac08b131ce805fe183d3", + "reference": "fb533e093fd61321bfcbac08b131ce805fe183d3", + "shasum": "" + }, + "require": { + "php": "^8.0", + "stella-maris/clock": "^0.1.4" + }, + "require-dev": { + "infection/infection": "^0.26", + "lcobucci/coding-standard": "^8.0", + "phpstan/extension-installer": "^1.1", + "phpstan/phpstan": "^0.12", + "phpstan/phpstan-deprecation-rules": "^0.12", + "phpstan/phpstan-phpunit": "^0.12", + "phpstan/phpstan-strict-rules": "^0.12", + "phpunit/phpunit": "^9.5" + }, + "type": "library", + "autoload": { + "psr-4": { + "Lcobucci\\Clock\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Luís Cobucci", + "email": "lcobucci@gmail.com" + } + ], + "description": "Yet another clock abstraction", + "support": { + "issues": "https://github.com/lcobucci/clock/issues", + "source": "https://github.com/lcobucci/clock/tree/2.2.0" + }, + "funding": [ + { + "url": "https://github.com/lcobucci", + "type": "github" + }, + { + "url": "https://www.patreon.com/lcobucci", + "type": "patreon" + } + ], + "time": "2022-04-19T19:34:17+00:00" + }, + { + "name": "lcobucci/jwt", + "version": "4.3.0", + "source": { + "type": "git", + "url": "https://github.com/lcobucci/jwt.git", + "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/lcobucci/jwt/zipball/4d7de2fe0d51a96418c0d04004986e410e87f6b4", + "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4", + "shasum": "" + }, + "require": { + "ext-hash": "*", + "ext-json": "*", + "ext-mbstring": "*", + "ext-openssl": "*", + "ext-sodium": "*", + "lcobucci/clock": "^2.0 || ^3.0", + "php": "^7.4 || ^8.0" + }, + "require-dev": { + "infection/infection": "^0.21", + "lcobucci/coding-standard": "^6.0", + "mikey179/vfsstream": "^1.6.7", + "phpbench/phpbench": "^1.2", + "phpstan/extension-installer": "^1.0", + "phpstan/phpstan": "^1.4", + "phpstan/phpstan-deprecation-rules": "^1.0", + "phpstan/phpstan-phpunit": "^1.0", + "phpstan/phpstan-strict-rules": "^1.0", + "phpunit/php-invoker": "^3.1", + "phpunit/phpunit": "^9.5" + }, + "type": "library", + "autoload": { + "psr-4": { + "Lcobucci\\JWT\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Luís Cobucci", + "email": "lcobucci@gmail.com", + "role": "Developer" + } + ], + "description": "A simple library to work with JSON Web Token and JSON Web Signature", + "keywords": [ + "JWS", + "jwt" + ], + "support": { + "issues": "https://github.com/lcobucci/jwt/issues", + "source": "https://github.com/lcobucci/jwt/tree/4.3.0" + }, + "funding": [ + { + "url": "https://github.com/lcobucci", + "type": "github" + }, + { + "url": "https://www.patreon.com/lcobucci", + "type": "patreon" + } + ], + "time": "2023-01-02T13:28:00+00:00" + }, { "name": "league/commonmark", "version": "2.4.2", @@ -3826,16 +3961,16 @@ }, { "name": "phpunit/phpunit", - "version": "9.6.17", + "version": "9.6.18", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "1a156980d78a6666721b7e8e8502fe210b587fcd" + "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/1a156980d78a6666721b7e8e8502fe210b587fcd", - "reference": "1a156980d78a6666721b7e8e8502fe210b587fcd", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04", + "reference": "32c2c2d6580b1d8ab3c10b1e9e4dc263cc69bb04", "shasum": "" }, "require": { @@ -3909,7 +4044,7 @@ "support": { "issues": "https://github.com/sebastianbergmann/phpunit/issues", "security": "https://github.com/sebastianbergmann/phpunit/security/policy", - "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.17" + "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.18" }, "funding": [ { @@ -3925,7 +4060,7 @@ "type": "tidelift" } ], - "time": "2024-02-23T13:14:51+00:00" + "time": "2024-03-21T12:07:32+00:00" }, { "name": "psr/cache", @@ -6287,6 +6422,53 @@ ], "time": "2020-09-28T06:39:44+00:00" }, + { + "name": "stella-maris/clock", + "version": "0.1.7", + "source": { + "type": "git", + "url": "https://github.com/stella-maris-solutions/clock.git", + "reference": "fa23ce16019289a18bb3446fdecd45befcdd94f8" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/stella-maris-solutions/clock/zipball/fa23ce16019289a18bb3446fdecd45befcdd94f8", + "reference": "fa23ce16019289a18bb3446fdecd45befcdd94f8", + "shasum": "" + }, + "require": { + "php": "^7.0|^8.0", + "psr/clock": "^1.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "StellaMaris\\Clock\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Andreas Heigl", + "role": "Maintainer" + } + ], + "description": "A pre-release of the proposed PSR-20 Clock-Interface", + "homepage": "https://gitlab.com/stella-maris/clock", + "keywords": [ + "clock", + "datetime", + "point in time", + "psr20" + ], + "support": { + "source": "https://github.com/stella-maris-solutions/clock/tree/0.1.7" + }, + "time": "2022-11-25T16:15:06+00:00" + }, { "name": "symfony/console", "version": "v6.0.19", @@ -8916,16 +9098,16 @@ }, { "name": "composer/pcre", - "version": "3.1.2", + "version": "3.1.3", "source": { "type": "git", "url": "https://github.com/composer/pcre.git", - "reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace" + "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/composer/pcre/zipball/4775f35b2d70865807c89d32c8e7385b86eb0ace", - "reference": "4775f35b2d70865807c89d32c8e7385b86eb0ace", + "url": "https://api.github.com/repos/composer/pcre/zipball/5b16e25a5355f1f3afdfc2f954a0a80aec4826a8", + "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8", "shasum": "" }, "require": { @@ -8967,7 +9149,7 @@ ], "support": { "issues": "https://github.com/composer/pcre/issues", - "source": "https://github.com/composer/pcre/tree/3.1.2" + "source": "https://github.com/composer/pcre/tree/3.1.3" }, "funding": [ { @@ -8983,7 +9165,7 @@ "type": "tidelift" } ], - "time": "2024-03-07T15:38:35+00:00" + "time": "2024-03-19T10:26:25+00:00" }, { "name": "composer/xdebug-handler", @@ -9241,16 +9423,16 @@ }, { "name": "mockery/mockery", - "version": "1.6.9", + "version": "1.6.10", "source": { "type": "git", "url": "https://github.com/mockery/mockery.git", - "reference": "0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06" + "reference": "47065d1be1fa05def58dc14c03cf831d3884ef0b" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/mockery/mockery/zipball/0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06", - "reference": "0cc058854b3195ba21dc6b1f7b1f60f4ef3a9c06", + "url": "https://api.github.com/repos/mockery/mockery/zipball/47065d1be1fa05def58dc14c03cf831d3884ef0b", + "reference": "47065d1be1fa05def58dc14c03cf831d3884ef0b", "shasum": "" }, "require": { @@ -9262,8 +9444,8 @@ "phpunit/phpunit": "<8.0" }, "require-dev": { - "phpunit/phpunit": "^8.5 || ^9.6.10", - "symplify/easy-coding-standard": "^12.0.8" + "phpunit/phpunit": "^8.5 || ^9.6.17", + "symplify/easy-coding-standard": "^12.1.14" }, "type": "library", "autoload": { @@ -9320,7 +9502,7 @@ "security": "https://github.com/mockery/mockery/security/advisories", "source": "https://github.com/mockery/mockery" }, - "time": "2023-12-10T02:24:34+00:00" + "time": "2024-03-19T16:15:45+00:00" }, { "name": "nunomaduro/collision", diff --git a/flexiapi/config/services.php b/flexiapi/config/services.php index 2a1d616..0750948 100644 --- a/flexiapi/config/services.php +++ b/flexiapi/config/services.php @@ -30,4 +30,8 @@ return [ 'region' => env('AWS_DEFAULT_REGION', 'us-east-1'), ], + 'jwt' => [ + 'rsa_public_key_pem' => env('JWT_RSA_PUBLIC_KEY_PEM'), + ], + ]; diff --git a/flexiapi/resources/views/api/documentation_markdown.blade.php b/flexiapi/resources/views/api/documentation_markdown.blade.php index cec7f03..fcd6a90 100644 --- a/flexiapi/resources/views/api/documentation_markdown.blade.php +++ b/flexiapi/resources/views/api/documentation_markdown.blade.php @@ -45,6 +45,20 @@ Or using a cookie: > … ``` +### Using a JWT token + +You can use a JWT token to authenticate on the API. + +To do so you MUST inject it as an `Authorization: Bearer` header and configure the API with the public key of the token emitter. + +``` +> GET /api/{endpoint} +> Authorization: Bearer {your-jwt-token} +> … +``` + +The API will then check if the token was signed properly, is still valid and authenticate a user that is actually available in the system. + ### Using DIGEST To discover the available hashing algorythm you MUST send an unauthenticated request to one of the restricted endpoints.
diff --git a/flexiapi/resources/views/provisioning/documentation_markdown.blade.php b/flexiapi/resources/views/provisioning/documentation_markdown.blade.php index 65f8514..41fe3e2 100644 --- a/flexiapi/resources/views/provisioning/documentation_markdown.blade.php +++ b/flexiapi/resources/views/provisioning/documentation_markdown.blade.php @@ -2,6 +2,10 @@ Provisioning is a core concept of the FlexiAPI - Linphone clients flow. +## Authentication + +Please check the About & Auth section of the API. + ## About To request the following URLs client MUST add a specific `x-linphone-provisioning` header. diff --git a/flexiapi/routes/api.php b/flexiapi/routes/api.php index 5656622..b94b363 100644 --- a/flexiapi/routes/api.php +++ b/flexiapi/routes/api.php @@ -56,7 +56,7 @@ Route::post('accounts/auth_token', 'Api\Account\AuthTokenController@store'); Route::get('accounts/me/api_key/{auth_token}', 'Api\Account\ApiKeyController@generateFromToken')->middleware('cookie', 'cookie.encrypt'); -Route::group(['middleware' => ['auth.digest_or_key', 'auth.check_blocked']], function () { +Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key', 'auth.check_blocked']], function () { Route::get('accounts/auth_token/{auth_token}/attach', 'Api\Account\AuthTokenController@attach'); Route::prefix('accounts/me')->group(function () { diff --git a/flexiapi/routes/web.php b/flexiapi/routes/web.php index 6367231..0157cef 100644 --- a/flexiapi/routes/web.php +++ b/flexiapi/routes/web.php @@ -39,13 +39,14 @@ use App\Http\Controllers\Admin\AccountStatisticsController; use App\Http\Controllers\Admin\ContactsListController; use App\Http\Controllers\Admin\ContactsListContactController; use App\Http\Controllers\Admin\StatisticsController; +use Laravel\Socialite\Facades\Socialite; use Illuminate\Support\Facades\Route; Route::redirect('/', 'login')->name('account.home'); Route::get('documentation', 'Account\AccountController@documentation')->name('account.documentation'); Route::get('about', 'AboutController@about')->name('about'); -Route::middleware(['web_panel_enabled'])->group(function () { +Route::group(['middleware' => 'web_panel_enabled'], function () { Route::get('login', 'Account\AuthenticateController@login')->name('account.login'); Route::post('authenticate', 'Account\AuthenticateController@authenticate')->name('account.authenticate'); Route::get('authenticate/qrcode/{token?}', 'Account\AuthenticateController@loginAuthToken')->name('account.authenticate.auth_token'); @@ -56,7 +57,7 @@ Route::middleware(['web_panel_enabled'])->group(function () { }); }); -Route::group(['middleware' => 'auth.digest_or_key'], function () { +Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key']], function () { Route::get('provisioning/me', 'Account\ProvisioningController@me')->name('provisioning.me'); // Vcard 4.0 @@ -72,7 +73,7 @@ Route::name('provisioning.')->prefix('provisioning')->controller(ProvisioningCon Route::get('/', 'show')->name('show'); }); -Route::middleware(['web_panel_enabled'])->group(function () { +Route::group(['middleware' => 'web_panel_enabled'], function () { if (config('app.public_registration')) { Route::redirect('register', 'register/email')->name('account.register'); diff --git a/flexiapi/tests/Feature/AccountJWTAuthenticationTest.php b/flexiapi/tests/Feature/AccountJWTAuthenticationTest.php new file mode 100644 index 0000000..2777c09 --- /dev/null +++ b/flexiapi/tests/Feature/AccountJWTAuthenticationTest.php @@ -0,0 +1,142 @@ + 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA)); + $this->serverPublicKeyPem = openssl_pkey_get_details($keys)['key']; + openssl_pkey_export($keys, $this->serverPrivateKeyPem); + } + + public function testBaseProvisioning() + { + # JWT is disabled if Sodium is not loaded + if (!extension_loaded('sodium')) return; + + $password = Password::factory()->create(); + + config()->set('services.jwt.rsa_public_key_pem', $this->serverPublicKeyPem); + + $this->get($this->route)->assertStatus(400); + + $clock = new FrozenClock(new DateTimeImmutable()); + + $token = (new JwtFacade(null, $clock))->issue( + new Sha256(), + InMemory::plainText($this->serverPrivateKeyPem), + static fn ( + Builder $builder, + DateTimeImmutable $issuedAt + ): Builder => $builder->withClaim('email', $password->account->email) + ); + + $this->withHeaders([ + 'Authorization' => 'Bearer ' . $token->toString(), + 'x-linphone-provisioning' => true, + ]) + ->get($this->accountRoute) + ->assertStatus(200) + ->assertHeader('Content-Type', 'application/xml') + ->assertSee('ha1'); + + // Sha512 + $token = (new JwtFacade(null, $clock))->issue( + new Sha512(), + InMemory::plainText($this->serverPrivateKeyPem), + static fn ( + Builder $builder, + DateTimeImmutable $issuedAt + ): Builder => $builder->withClaim('email', $password->account->email) + ); + + $this->withHeaders([ + 'Authorization' => 'Bearer ' . $token->toString(), + 'x-linphone-provisioning' => true, + ]) + ->get($this->accountRoute) + ->assertStatus(200) + ->assertHeader('Content-Type', 'application/xml') + ->assertSee('ha1'); + + // Expired token + + $oldClock = new FrozenClock(new DateTimeImmutable('2022-06-24 22:51:10')); + + $token = (new JwtFacade(null, $oldClock))->issue( + new Sha256(), + InMemory::plainText($this->serverPrivateKeyPem), + static fn ( + Builder $builder, + DateTimeImmutable $issuedAt + ): Builder => $builder->withClaim('email', $password->account->email) + ); + + $this->withHeaders([ + 'Authorization' => 'Bearer ' . $token->toString(), + 'x-linphone-provisioning' => true, + ]) + ->get($this->accountRoute) + ->assertStatus(403); + + // Expired token + + $token = (new JwtFacade(null, $clock))->issue( + new Sha256(), + InMemory::plainText($this->serverPrivateKeyPem), + static fn ( + Builder $builder, + DateTimeImmutable $issuedAt + ): Builder => $builder->withClaim('email', 'unknow@man.org') + ); + + $this->withHeaders([ + 'Authorization' => 'Bearer ' . $token->toString(), + 'x-linphone-provisioning' => true, + ]) + ->get($this->accountRoute) + ->assertStatus(403); + + // Wrong signature key + + $keys = openssl_pkey_new(array("private_key_bits" => 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA)); + openssl_pkey_export($keys, $wrongServerPrivateKeyPem); + + $wrongToken = (new JwtFacade(null, $clock))->issue( + new Sha256(), + InMemory::plainText($wrongServerPrivateKeyPem), + static fn ( + Builder $builder, + DateTimeImmutable $issuedAt + ): Builder => $builder->withClaim('email', $password->account->email) + ); + + $this->withHeaders([ + 'Authorization' => 'Bearer ' . $wrongToken->toString(), + 'x-linphone-provisioning' => true, + ]) + ->get($this->accountRoute) + ->assertStatus(403); + } +} diff --git a/flexisip-account-manager.spec b/flexisip-account-manager.spec index 4b518a6..9e2b274 100644 --- a/flexisip-account-manager.spec +++ b/flexisip-account-manager.spec @@ -33,7 +33,7 @@ License: GPL URL: http://www.linphone.org Source0: flexisip-account-manager.tar.gz -Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring +Requires: php >= 8.0, php-gd, php-pdo, php-redis, php-mysqlnd, php-mbstring, php-sodium %description PHP server for Linphone and Flexisip providing module for account creation.