Added more tests

Author: marickvantuil

src/GooglePublicKey.php

@@ -0,0 +1,79 @@
+<?php
+
+namespace Stackkit\LaravelGoogleCloudTasksQueue;
+
+use Firebase\JWT\JWT;
+use GuzzleHttp\Client;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Cache;
+use phpseclib\Crypt\RSA;
+use phpseclib\Math\BigInteger;
+
+class GooglePublicKey
+{
+    private const CACHE_KEY = 'GooglePublicKey';
+
+    private $guzzle;
+
+    public function __construct(Client $guzzle)
+    {
+        $this->guzzle = $guzzle;
+    }
+
+    public function get()
+    {
+        return Cache::rememberForever(self::CACHE_KEY, function () {
+            return $this->fetch();
+        });
+    }
+
+    private function fetch()
+    {
+        $jwksUri = $this->getJwksUri();
+
+        $keys = $this->getCertificateKeys($jwksUri);
+
+        $firstKey = $keys[1];
+
+        $modulus = $firstKey['n'];
+        $exponent = $firstKey['e'];
+
+        $rsa = app(RSA::class);
+
+        $modulus = new BigInteger(JWT::urlsafeB64Decode($modulus), 256);
+        $exponent = new BigInteger(JWT::urlsafeB64Decode($exponent), 256);
+
+        $rsa->loadKey([
+            'n' => $modulus,
+            'e' => $exponent
+        ]);
+        $rsa->setPublicKey();
+
+        return $rsa->getPublicKey();
+    }
+
+    private function getJwksUri()
+    {
+        $discoveryEndpoint = 'https://accounts.google.com/.well-known/openid-configuration';
+
+        $configurationJson = $this->guzzle->get($discoveryEndpoint);
+
+        $configurations = json_decode($configurationJson->getBody(), true);
+
+        return Arr::get($configurations, 'jwks_uri');
+    }
+
+    private function getCertificateKeys($jwksUri)
+    {
+        $json = $this->guzzle->get($jwksUri);
+
+        $certificates = json_decode($json->getBody(), true);
+
+        return Arr::get($certificates, 'keys');
+    }
+
+    public function isCached()
+    {
+        return Cache::has(self::CACHE_KEY);
+    }
+}

src/TaskHandler.php

@@ -3,29 +3,24 @@
 namespace Stackkit\LaravelGoogleCloudTasksQueue;
 
 use Google\Cloud\Tasks\V2\CloudTasksClient;
-use GuzzleHttp\Client;
 use Illuminate\Http\Request;
 use Illuminate\Queue\Worker;
 use Illuminate\Queue\WorkerOptions;
-use Illuminate\Support\Arr;
-use phpseclib\Crypt\RSA;
-use phpseclib\Math\BigInteger;
-use Throwable;
 use Firebase\JWT\JWT;
 
 class TaskHandler
 {
-    private $client;
     private $request;
     private $guzzle;
     private $jwt;
+    private $publicKey;
 
-    public function __construct(CloudTasksClient $client, Request $request, Client $guzzle, JWT $jwt)
+    public function __construct(CloudTasksClient $client, Request $request, JWT $jwt, GooglePublicKey $publicKey)
     {
         $this->client = $client;
         $this->request = $request;
-        $this->guzzle = $guzzle;
         $this->jwt = $jwt;
+        $this->publicKey = $publicKey;
     }
 
     /**
@@ -50,64 +45,14 @@ public function authorizeRequest()
             throw new CloudTasksException('Missing [Authorization] header');
         }
 
-        // @todo - kill this check with a Mock
-        if (app()->environment('testing')) {
-            return;
-        }
-
         $openIdToken = $this->request->bearerToken();
-        $pubKey = $this->getGooglePublicKey();
+        $publicKey = $this->publicKey->get();
 
-        $decodedToken = $this->jwt->decode($openIdToken, $pubKey, ['RS256']);
+        $decodedToken = $this->jwt->decode($openIdToken, $publicKey, ['RS256']);
 
         $this->validateToken($decodedToken);
     }
 
-    private function getGooglePublicKey()
-    {
-        $jwksUri = $this->getJwksUri();
-
-        $keys = $this->getCertificateKeys($jwksUri);
-
-        $firstKey = $keys[1];
-
-        $modulus = $firstKey['n'];
-        $exponent = $firstKey['e'];
-
-        $rsa = new RSA();
-
-        $modulus = new BigInteger(JWT::urlsafeB64Decode($modulus), 256);
-        $exponent = new BigInteger(JWT::urlsafeB64Decode($exponent), 256);
-
-        $rsa->loadKey([
-            'n' => $modulus,
-            'e' => $exponent
-        ]);
-        $rsa->setPublicKey();
-
-        return $rsa->getPublicKey();
-    }
-
-    private function getJwksUri()
-    {
-        $discoveryEndpoint = 'https://accounts.google.com/.well-known/openid-configuration';
-
-        $configurationJson = $this->guzzle->get($discoveryEndpoint);
-
-        $configurations = json_decode($configurationJson->getBody(), true);
-
-        return Arr::get($configurations, 'jwks_uri');
-    }
-
-    private function getCertificateKeys($jwksUri)
-    {
-        $json = $this->guzzle->get($jwksUri);
-
-        $certificates = json_decode($json->getBody(), true);
-
-        return Arr::get($certificates, 'keys');
-    }
-
     /**
      * https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
      *

tests/GooglePublicKeyTest.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace Tests;
+
+use Illuminate\Support\Facades\Cache;
+use Mockery;
+use phpseclib\Crypt\RSA;
+use Stackkit\LaravelGoogleCloudTasksQueue\GooglePublicKey;
+
+class GooglePublicKeyTest extends TestCase
+{
+    /**
+     * @var GooglePublicKey
+     */
+    private $publicKey;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->publicKey = app(GooglePublicKey::class);
+    }
+
+    /** @test */
+    public function it_fetches_the_gcloud_public_key()
+    {
+        $this->assertStringContainsString('-----BEGIN PUBLIC KEY-----', $this->publicKey->get());
+    }
+
+    /** @test */
+    public function it_caches_the_gcloud_public_key()
+    {
+        $this->assertFalse($this->publicKey->isCached());
+
+        $this->publicKey->get();
+
+        $this->assertTrue($this->publicKey->isCached());
+    }
+
+    /** @test */
+    public function it_will_return_the_cached_gcloud_public_key()
+    {
+        $this->app->instance(RSA::class, ($rsa = Mockery::mock(new RSA())->byDefault()));
+
+        $this->publicKey->get();
+
+        $this->publicKey->get();
+
+        $rsa->shouldHaveReceived('loadKey')->once();
+    }
+}

tests/TaskHandlerTest.php

@@ -5,8 +5,12 @@
 use Firebase\JWT\JWT;
 use Google\Cloud\Tasks\V2\CloudTasksClient;
 use GuzzleHttp\Client;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Mail;
+use Mockery;
+use phpseclib\Crypt\RSA;
 use Stackkit\LaravelGoogleCloudTasksQueue\CloudTasksException;
+use Stackkit\LaravelGoogleCloudTasksQueue\GooglePublicKey;
 use Stackkit\LaravelGoogleCloudTasksQueue\TaskHandler;
 use Tests\Support\TestMailable;
 
@@ -17,54 +21,116 @@ class TaskHandlerTest extends TestCase
      */
     private $handler;
 
-    private $client;
-
     private $jwt;
 
+    private $request;
+
     protected function setUp(): void
     {
         parent::setUp();
 
-        $this->client = \Mockery::mock(CloudTasksClient::class)->makePartial();
+        $this->request = request();
 
-        $this->jwt = \Mockery::mock(JWT::class)->makePartial();
+        // We don't have a valid token to test with, so for now act as if its always valid
+        $this->app->instance(JWT::class, ($this->jwt = Mockery::mock(new JWT())->byDefault()->makePartial()));
+        $this->jwt->shouldReceive('decode')->andReturn((object) [
+            'iss' => 'accounts.google.com',
+            'aud' => 'https://localhost/my-handler',
+            'exp' => time() + 10
+        ])->byDefault();
 
-        $this->handler = \Mockery::mock(new TaskHandler(
-            $this->client,
+        // Ensure we don't fetch the Google public key each test...
+        $googlePublicKey = Mockery::mock(app(GooglePublicKey::class));
+        $googlePublicKey->shouldReceive('get')->andReturnNull();
+
+        $this->handler = new TaskHandler(
+            new CloudTasksClient([
+                'credentials' => __DIR__ . '/Support/gcloud-key-valid.json'
+            ]),
             request(),
-            new Client(),
-            $this->jwt
-        ))->shouldAllowMockingProtectedMethods();
-        $this->app->instance(TaskHandler::class, $this->handler);
+            $this->jwt,
+            $googlePublicKey
+        );
 
-        $this->jwt->shouldReceive('decode')->andReturnNull();
-        $this->handler->shouldReceive('authorizeRequest')->andReturnNull();
+        $this->request->headers->add(['Authorization' => 'Bearer 123']);
     }
 
     /** @test */
     public function it_needs_an_authorization_header()
     {
+        $this->request->headers->remove('Authorization');
+
         $this->expectException(CloudTasksException::class);
         $this->expectExceptionMessage('Missing [Authorization] header');
 
-        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
-        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
         $this->handler->handle();
     }
 
+    /** @test */
+    public function the_authorization_header_must_contain_a_valid_gcloud_token()
+    {
+        request()->headers->add([
+            'Authorization' => 'Bearer 123',
+        ]);
+
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('Could not decode incoming task');
+
+        $this->handler->handle();
+
+        // @todo - test with a valid token, not sure how to do that right now
+    }
+
+    /** @test */
+    public function it_will_validate_the_token_iss()
+    {
+        $this->jwt->shouldReceive('decode')->andReturn((object) [
+            'iss' => 'test',
+        ]);
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('The given OpenID token is not valid');
+        $this->handler->handle($this->simpleJob());
+    }
+
+    /** @test */
+    public function it_will_validate_the_token_handler()
+    {
+        $this->jwt->shouldReceive('decode')->andReturn((object) [
+            'iss' => 'accounts.google.com',
+            'aud' => '__incorrect_aud__'
+        ]);
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('The given OpenID token is not valid');
+        $this->handler->handle($this->simpleJob());
+    }
+
+    /** @test */
+    public function it_will_validate_the_token_expiration()
+    {
+        $this->jwt->shouldReceive('decode')->andReturn((object) [
+            'iss' => 'accounts.google.com',
+            'aud' => 'https://localhost/my-handler',
+            'exp' => time() - 1
+        ]);
+        $this->expectException(CloudTasksException::class);
+        $this->expectExceptionMessage('The given OpenID token has expired');
+        $this->handler->handle($this->simpleJob());
+    }
+
     /** @test */
     public function it_runs_the_incoming_job()
     {
         Mail::fake();
 
-        request()->headers->add(['X-Cloudtasks-Taskname' => 'test']);
-        request()->headers->add(['X-Cloudtasks-Queuename' => 'test']);
         request()->headers->add(['Authorization' => 'Bearer 123']);
 
-        $this->client->shouldReceive('getTask')->andReturnNull();
-
-        $this->handler->handle(json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true));
+        $this->handler->handle($this->simpleJob());
 
         Mail::assertSent(TestMailable::class);
     }
+
+    private function simpleJob()
+    {
+        return json_decode(file_get_contents(__DIR__ . '/Support/test-job-payload.json'), true);
+    }
 }