diff --git a/composer.json b/composer.json
index 7aeaa63..f4b7c00 100644
--- a/composer.json
+++ b/composer.json
@@ -25,7 +25,7 @@ "prefer-stable": true,
"require": {
"php": "^8.0",
- "minvws/puzi-php": "^1.1",
+ "minvws/puzi-php": "^2.0",
"laravel/framework": "^8.0|^9.0"
},
"require-dev": {
diff --git a/src/Middleware/AuthenticateWithUzi.php b/src/Middleware/AuthenticateWithUzi.php
index 8a37b9b..77bcf57 100644
--- a/src/Middleware/AuthenticateWithUzi.php
+++ b/src/Middleware/AuthenticateWithUzi.php
@@ -61,11 +61,14 @@ public function handle($request, Closure $next, $guard = null)
}
try {
- $uziUser = $this->uziReader->getDataFromRequest($request);
- if (!$this->uziValidator->isValid($uziUser)) {
+ if (!$this->uziValidator->isValid($request)) {
throw new AuthenticationException('Unauthenticated.');
}
+ $uziUser = $this->uziReader->getDataFromRequest($request);
+ if (! $uziUser) {
+ throw new AuthenticationException('Unauthenticated.');
+ }
$this->auth->guard($guard)->login(AuthenticatableUziUser::fromUziUser($uziUser), false);
return $next($request);
diff --git a/src/UziServiceProvider.php b/src/UziServiceProvider.php
index 3533c02..59125f8 100644
--- a/src/UziServiceProvider.php
+++ b/src/UziServiceProvider.php
@@ -3,6 +3,7 @@ namespace MinVWS\PUZI\Laravel;
use Illuminate\Support\ServiceProvider;
+use MinVWS\PUZI\UziReader;
use MinVWS\PUZI\UziValidator;
/**
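Review bot: The added guard `if (! $uziUser)` in AuthenticateWithUzi::handle is a truthiness test and is spaced differently from `!$this->uziValidator->isValid($request)` two lines above; since the new test stubs the reader with `andReturnNull()`, the reader presumably returns `null` for "no UZI data", so `if ($uziUser === null) {` says what is meant and matches the file's existing `!$...` style. Consider also that both throw sites raise the same `AuthenticationException('Unauthenticated.')`, which is fine for not leaking why authentication failed, but a debug-level log before the second throw would help operators tell "certificate rejected" from "no certificate data" without changing the response. The body of handle() starts and ends outside this hunk.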
@@ -26,10 +27,37 @@ public function boot()
public function register()
{
$this->app->bind(UziValidator::class, function () {
+
+ // Split certificates from file
+ $caCerts = [];
+ $path = config('uzi.ca_certs_path', null);
+ if ($path) {
+ $fileContent = @file_get_contents($path);
+ if ($fileContent === false) {
+ throw new \RuntimeException("Could not read CA certificates from $path");
+ }
+
+ $caCerts = preg_split('/-----BEGIN CERTIFICATE-----/', $fileContent);
+ if ($caCerts === false) {
+ $caCerts = [];
+ } else {
+ // remove empty first element
+ array_shift($caCerts);
+ }
+
+ foreach ($caCerts as &$cert) {
+ $cert = trim($cert);
+ $cert = str_replace('-----END CERTIFICATE-----', '', $cert);
+ $cert = str_replace("\n", '', $cert);
+ }
+ }
+
return new UziValidator(
+ new UziReader(),
config("uzi.strict_ca_check", true),
config("uzi.allowed_types", []),
- config("uzi.allowed_roles", [])
+ config("uzi.allowed_roles", []),
+ $caCerts
);
});
}
diff --git a/src/config/uzi.php b/src/config/uzi.php
index 49118e7..d3d5f65 100644
--- a/src/config/uzi.php
+++ b/src/config/uzi.php
@@ -9,4 +9,7 @@ // Which roles are allowed to log in
'allowed_roles' => [],
+
+ // The CA certificates to use for validating the UZI certificate. Must be concatenated in a single file.
+ 'ca_certs_path' => env('UZI_CA_CERTS_PATH', null),
];
diff --git a/tests/Middleware/AuthenticateWithUziTest.php b/tests/Middleware/AuthenticateWithUziTest.php
index 3e0b573..33593a4 100644
--- a/tests/Middleware/AuthenticateWithUziTest.php
+++ b/tests/Middleware/AuthenticateWithUziTest.php
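Review bot: The CA-bundle parsing in the `UziValidator::class` binding leaves `\r` in every entry on a CRLF-encoded file, because only `"\n"` is stripped, and a configured file that yields no certificates (a `preg_split` failure or a file with no BEGIN marker) silently degrades to `$caCerts = []`, which is indistinguishable from not configuring a CA bundle at all; whether an empty list weakens the check depends on how UziValidator consumes it, which is not visible here, but a trust anchor that is set yet unusable should fail at boot rather than at the first login. The `foreach ($caCerts as &$cert)` loop also leaves `$cert` bound by reference after it ends with no `unset($cert)`, which is harmless today but is the classic dangling-reference trap. A by-value rewrite that builds the list explicitly avoids all three, and the parsing should get a one-line comment stating that the input is a PEM concatenation and the output is bare base64 bodies. register() starts outside this hunk.
```php
                $parts = preg_split('/-----BEGIN CERTIFICATE-----/', $fileContent);
                // whatever precedes the first BEGIN marker is never a certificate
                $parts = $parts === false ? [] : array_slice($parts, 1);
                $caCerts = [];
                foreach ($parts as $part) {
                    $pem = str_replace(['-----END CERTIFICATE-----', "\r", "\n"], '', trim($part));
                    if ($pem !== '') {
                        $caCerts[] = $pem;
                    }
                }
                if ($caCerts === []) {
                    throw new \RuntimeException("No CA certificates found in $path");
                }
                // … unchanged: return new UziValidator(...) …
```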
@@ -76,7 +76,22 @@ public function testExceptionDuringValidation(): void
$middleware = $this->getMiddleware();
- $this->mockReader->shouldReceive('getDataFromRequest')->andThrow(new UziException());
+ $this->mockValidator->shouldReceive('isValid')->andReturnFalse();
+ $this->expectException(AuthenticationException::class);
+
+ $middleware->handle($request, function () {
+ });
+ }
+
+ public function testNoUziInfo(): void
+ {
+ $request = new Request();
+ $request->server->set('HTTPS', 'on');
+
+ $middleware = $this->getMiddleware();
+
+ $this->mockValidator->shouldReceive('isValid')->andReturnFalse();
+ $this->mockReader->shouldReceive('getDataFromRequest')->andReturnNull();
$this->expectException(AuthenticationException::class);
$middleware->handle($request, function () {
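Review bot: `testNoUziInfo` stubs `isValid` with `andReturnFalse()`, so the middleware throws on the validator check and never reaches `getDataFromRequest`; the `andReturnNull()` expectation is never exercised and the test is a duplicate of `testExceptionDuringValidation`, passing for the wrong reason. For the null-reader path to be covered the validator must accept the request: `$this->mockValidator->shouldReceive('isValid')->andReturnTrue();` and `$this->mockReader->shouldReceive('getDataFromRequest')->once()->andReturnNull();`, where `once()` makes the test fail if the reader is skipped. The rewritten tail of `testExceptionDuringValidation` belongs to a method that starts outside this hunk.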