mirror of
https://gitlab.linphone.org/BC/public/flexisip-account-manager.git
synced 2026-01-17 01:58:07 +00:00
247 lines
8.6 KiB
PHP
247 lines
8.6 KiB
PHP
<?php
|
|
/*
|
|
Flexisip Account Manager is a set of tools to manage SIP accounts.
|
|
Copyright (C) 2021 Belledonne Communications SARL, All rights reserved.
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as
|
|
published by the Free Software Foundation, either version 3 of the
|
|
License, or (at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
namespace Tests\Feature;
|
|
|
|
use App\Account;
|
|
use App\Password;
|
|
use DateTimeImmutable;
|
|
use Lcobucci\Clock\FrozenClock;
|
|
use Lcobucci\JWT\Builder;
|
|
use Lcobucci\JWT\JwtFacade;
|
|
use Lcobucci\JWT\UnencryptedToken;
|
|
use Lcobucci\JWT\Signer\Key\InMemory;
|
|
use Lcobucci\JWT\Signer\Rsa\Sha256;
|
|
use Lcobucci\JWT\Signer\Rsa\Sha512;
|
|
use Tests\TestCase;
|
|
|
|
class AccountJWTAuthenticationTest extends TestCase
|
|
{
|
|
protected $route = '/provisioning';
|
|
protected $accountRoute = '/provisioning/me';
|
|
protected $method = 'GET';
|
|
protected $serverPrivateKeyPem = null;
|
|
protected $serverPublicKeyPem = null;
|
|
|
|
protected $routeAccountMe = '/api/accounts/me';
|
|
|
|
public function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
|
|
$keys = openssl_pkey_new(array("private_key_bits" => 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA));
|
|
$this->serverPublicKeyPem = openssl_pkey_get_details($keys)['key'];
|
|
openssl_pkey_export($keys, $this->serverPrivateKeyPem);
|
|
}
|
|
|
|
public function testBaseProvisioning()
|
|
{
|
|
# JWT is disabled if Sodium is not loaded
|
|
if (!extension_loaded('sodium')) return;
|
|
|
|
$password = Password::factory()->create();
|
|
$domain = 'sip_provisioning.example.com';
|
|
$bearer = 'authz_server="https://sso.test/", realm="sip.test.org"';
|
|
|
|
\App\Space::where('domain', $password->account->domain)->update(['host' => $domain]);
|
|
config()->set('app.sip_domain', $domain);
|
|
config()->set('services.jwt.rsa_public_key_pem', $this->serverPublicKeyPem);
|
|
|
|
$this->get($this->route)->assertStatus(400);
|
|
|
|
$clock = new FrozenClock(new DateTimeImmutable());
|
|
|
|
$token = (new JwtFacade(null, $clock))->issue(
|
|
new Sha256(),
|
|
InMemory::plainText($this->serverPrivateKeyPem),
|
|
static fn (
|
|
Builder $builder,
|
|
DateTimeImmutable $issuedAt
|
|
): Builder => $builder->withClaim('email', $password->account->email)
|
|
);
|
|
|
|
$this->checkToken($token);
|
|
|
|
// SIP identifier
|
|
|
|
// This line shoudn't be required, but the pipeline doesn't get the default value somehow
|
|
config()->set('services.jwt.sip_identifier', 'sip_identity');
|
|
|
|
$token = (new JwtFacade(null, $clock))->issue(
|
|
new Sha256(),
|
|
InMemory::plainText($this->serverPrivateKeyPem),
|
|
static fn (
|
|
Builder $builder,
|
|
DateTimeImmutable $issuedAt
|
|
): Builder => $builder->withClaim('sip_identity', 'sip:' . $password->account->username . '@' . $password->account->domain)
|
|
);
|
|
|
|
$this->checkToken($token);
|
|
|
|
// Custom SIP identifier
|
|
$otherIdentifier = 'sip_other_identifier';
|
|
config()->set('services.jwt.sip_identifier', $otherIdentifier);
|
|
|
|
$token = (new JwtFacade(null, $clock))->issue(
|
|
new Sha256(),
|
|
InMemory::plainText($this->serverPrivateKeyPem),
|
|
static fn (
|
|
Builder $builder,
|
|
DateTimeImmutable $issuedAt
|
|
): Builder => $builder->withClaim($otherIdentifier, 'sip:' . $password->account->username . '@' . $password->account->domain)
|
|
);
|
|
|
|
$this->checkToken($token);
|
|
|
|
// Sha512
|
|
$token = (new JwtFacade(null, $clock))->issue(
|
|
new Sha512(),
|
|
InMemory::plainText($this->serverPrivateKeyPem),
|
|
static fn (
|
|
Builder $builder,
|
|
DateTimeImmutable $issuedAt
|
|
): Builder => $builder->withClaim('email', $password->account->email)
|
|
);
|
|
|
|
$this->checkToken($token);
|
|
|
|
// Expired token
|
|
$oldClock = new FrozenClock(new DateTimeImmutable('2022-06-24 22:51:10'));
|
|
|
|
$token = (new JwtFacade(null, $oldClock))->issue(
|
|
new Sha256(),
|
|
InMemory::plainText($this->serverPrivateKeyPem),
|
|
static fn (
|
|
Builder $builder,
|
|
DateTimeImmutable $issuedAt
|
|
): Builder => $builder->withClaim('email', $password->account->email)
|
|
);
|
|
|
|
$response = $this->withHeaders([
|
|
'Authorization' => 'Bearer ' . $token->toString(),
|
|
'x-linphone-provisioning' => true,
|
|
])
|
|
->get($this->accountRoute)
|
|
->assertStatus(401);
|
|
|
|
$this->assertStringContainsString('invalid_token', $response->headers->get('WWW-Authenticate'));
|
|
|
|
// ...with the bearer
|
|
config()->set('app.account_authentication_bearer', $bearer);
|
|
|
|
$response = $this->withHeaders([
|
|
'Authorization' => 'Bearer ' . $token->toString(),
|
|
'x-linphone-provisioning' => true,
|
|
])
|
|
->get($this->accountRoute)
|
|
->assertStatus(401);
|
|
|
|
$this->assertStringContainsString($bearer . ', ', $response->headers->get('WWW-Authenticate'));
|
|
$this->assertStringContainsString('invalid_token', $response->headers->get('WWW-Authenticate'));
|
|
|
|
// Wrong email
|
|
$token = (new JwtFacade(null, $clock))->issue(
|
|
new Sha256(),
|
|
InMemory::plainText($this->serverPrivateKeyPem),
|
|
static fn (
|
|
Builder $builder,
|
|
DateTimeImmutable $issuedAt
|
|
): Builder => $builder->withClaim('email', 'unknow@man.org')
|
|
);
|
|
|
|
$this->withHeaders([
|
|
'Authorization' => 'Bearer ' . $token->toString(),
|
|
'x-linphone-provisioning' => true,
|
|
])
|
|
->get($this->accountRoute)
|
|
->assertStatus(403);
|
|
|
|
// Wrong signature key
|
|
$keys = openssl_pkey_new(array("private_key_bits" => 4096,"private_key_type" => OPENSSL_KEYTYPE_RSA));
|
|
openssl_pkey_export($keys, $wrongServerPrivateKeyPem);
|
|
|
|
$wrongToken = (new JwtFacade(null, $clock))->issue(
|
|
new Sha256(),
|
|
InMemory::plainText($wrongServerPrivateKeyPem),
|
|
static fn (
|
|
Builder $builder,
|
|
DateTimeImmutable $issuedAt
|
|
): Builder => $builder->withClaim('email', $password->account->email)
|
|
);
|
|
|
|
$this->withHeaders([
|
|
'Authorization' => 'Bearer ' . $wrongToken->toString(),
|
|
'x-linphone-provisioning' => true,
|
|
])
|
|
->get($this->accountRoute)
|
|
->assertStatus(401);
|
|
}
|
|
|
|
public function testAuthBearerUrl()
|
|
{
|
|
$value = 'authz_server="https://auth_bearer.com/" realm="realm"';
|
|
config()->set('app.account_authentication_bearer', $value);
|
|
|
|
$password = Password::factory()->create();
|
|
|
|
$response = $this->json($this->method, $this->routeAccountMe)
|
|
->assertStatus(401);
|
|
|
|
$this->assertStringContainsString(
|
|
'Bearer ' . $value,
|
|
$response->headers->all()['www-authenticate'][0]
|
|
);
|
|
|
|
// Wrong From
|
|
$reponse = $this
|
|
->withHeaders(['From' => 'sip:missing@username'])
|
|
->json($this->method, $this->routeAccountMe)
|
|
->assertStatus(401);
|
|
|
|
$this->assertStringContainsString(
|
|
'Bearer ' . $value,
|
|
$response->headers->all()['www-authenticate'][0]
|
|
);
|
|
|
|
// Wrong bearer message
|
|
$reponse = $this
|
|
->withHeaders([
|
|
'Authorization' => 'Bearer 1234'
|
|
])
|
|
->json($this->method, $this->routeAccountMe)
|
|
->assertStatus(401);
|
|
|
|
$this->assertStringContainsString(
|
|
'Bearer ' . $value,
|
|
$response->headers->all()['www-authenticate'][0]
|
|
);
|
|
}
|
|
|
|
private function checkToken(UnencryptedToken $token): void
|
|
{
|
|
$this->withHeaders([
|
|
'Authorization' => 'Bearer ' . $token->toString(),
|
|
'x-linphone-provisioning' => true,
|
|
])
|
|
->get($this->accountRoute)
|
|
->assertStatus(200)
|
|
->assertHeader('Content-Type', 'application/xml')
|
|
->assertSee('ha1');
|
|
}
|
|
}
|