Merge pull request #1180 from RunSignUp-Team/keyStr

Use key as string without a temporary file

Author: Sephster

src/AuthorizationValidators/BearerTokenValidator.php

@@ -13,7 +13,6 @@
 use Lcobucci\Clock\SystemClock;
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Key\InMemory;
-use Lcobucci\JWT\Signer\Key\LocalFileReference;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
@@ -78,7 +77,10 @@ private function initJwtConfiguration()
             \class_exists(StrictValidAt::class)
                 ? new StrictValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get())))
                 : new ValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get()))),
-            new SignedWith(new Sha256(), LocalFileReference::file($this->publicKey->getKeyPath()))
+            new SignedWith(
+                new Sha256(),
+                InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '')
+            )
         );
     }
 

src/CryptKey.php

@@ -12,7 +12,6 @@
 namespace League\OAuth2\Server;
 
 use LogicException;
-use RuntimeException;
 
 class CryptKey
 {
@@ -22,6 +21,11 @@ class CryptKey
 
     private const FILE_PREFIX = 'file://';
 
+    /**
+     * @var string Key contents
+     */
+    protected $keyContents;
+
     /**
      * @var string
      */
@@ -41,21 +45,26 @@ public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck =
     {
         $this->passPhrase = $passPhrase;
 
-        if (\is_file($keyPath)) {
+        if (\strpos($keyPath, self::FILE_PREFIX) !== 0 && $this->isValidKey($keyPath, $this->passPhrase ?? '')) {
+            $this->keyContents = $keyPath;
+            $this->keyPath = '';
+            // There's no file, so no need for permission check.
+            $keyPermissionsCheck = false;
+        } elseif (\is_file($keyPath)) {
             if (\strpos($keyPath, self::FILE_PREFIX) !== 0) {
                 $keyPath = self::FILE_PREFIX . $keyPath;
             }
 
             if (!\is_readable($keyPath)) {
                 throw new LogicException(\sprintf('Key path "%s" does not exist or is not readable', $keyPath));
             }
-            $isFileKey = true;
-            $contents = \file_get_contents($keyPath);
+            $this->keyContents = \file_get_contents($keyPath);
             $this->keyPath = $keyPath;
+            if (!$this->isValidKey($this->keyContents, $this->passPhrase ?? '')) {
+                throw new LogicException('Unable to read key from file ' . $keyPath);
+            }
         } else {
-            $isFileKey = false;
-            $contents = $keyPath;
-            $this->keyPath = $this->saveKeyToFile($keyPath);
+            throw new LogicException('Unable to read key from file ' . $keyPath);
         }
 
         if ($keyPermissionsCheck === true) {
@@ -72,41 +81,16 @@ public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck =
                 );
             }
         }
-
-        if (!$this->isValidKey($contents, $this->passPhrase ?? '')) {
-            throw new LogicException('Unable to read key' . ($isFileKey ? " from file $keyPath" : ''));
-        }
     }
 
     /**
-     * @param string $key
+     * Get key contents
      *
-     * @throws RuntimeException
-     *
-     * @return string
+     * @return string Key contents
      */
-    private function saveKeyToFile($key)
+    public function getKeyContents(): string
     {
-        $tmpDir = \sys_get_temp_dir();
-        $keyPath = $tmpDir . '/' . \sha1($key) . '.key';
-
-        if (\file_exists($keyPath)) {
-            return self::FILE_PREFIX . $keyPath;
-        }
-
-        if (\file_put_contents($keyPath, $key) === false) {
-            // @codeCoverageIgnoreStart
-            throw new RuntimeException(\sprintf('Unable to write key file to temporary directory "%s"', $tmpDir));
-            // @codeCoverageIgnoreEnd
-        }
-
-        if (\chmod($keyPath, 0600) === false) {
-            // @codeCoverageIgnoreStart
-            throw new RuntimeException(\sprintf('The key file "%s" file mode could not be changed with chmod to 600', $keyPath));
-            // @codeCoverageIgnoreEnd
-        }
-
-        return self::FILE_PREFIX . $keyPath;
+        return $this->keyContents;
     }
 
     /**

src/Entities/Traits/AccessTokenTrait.php

@@ -12,7 +12,6 @@
 use DateTimeImmutable;
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Key\InMemory;
-use Lcobucci\JWT\Signer\Key\LocalFileReference;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Token;
 use League\OAuth2\Server\CryptKey;
@@ -46,7 +45,7 @@ public function initJwtConfiguration()
     {
         $this->jwtConfiguration = Configuration::forAsymmetricSigner(
             new Sha256(),
-            LocalFileReference::file($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase() ?? ''),
+            InMemory::plainText($this->privateKey->getKeyContents(), $this->privateKey->getPassPhrase() ?? ''),
             InMemory::plainText('')
         );
     }

tests/Utils/CryptKeyTest.php

@@ -23,7 +23,7 @@ public function testKeyCreation()
         $this->assertEquals('secret', $key->getPassPhrase());
     }
 
-    public function testKeyFileCreation()
+    public function testKeyString()
     {
         $keyContent = \file_get_contents(__DIR__ . '/../Stubs/public.key');
 
@@ -33,7 +33,10 @@ public function testKeyFileCreation()
 
         $key = new CryptKey($keyContent);
 
-        $this->assertEquals(self::generateKeyPath($keyContent), $key->getKeyPath());
+        $this->assertEquals(
+            $keyContent,
+            $key->getKeyContents()
+        );
 
         $keyContent = \file_get_contents(__DIR__ . '/../Stubs/private.key.crlf');
 
@@ -43,7 +46,10 @@ public function testKeyFileCreation()
 
         $key = new CryptKey($keyContent);
 
-        $this->assertEquals(self::generateKeyPath($keyContent), $key->getKeyPath());
+        $this->assertEquals(
+            $keyContent,
+            $key->getKeyContents()
+        );
     }
 
     public function testUnsupportedKeyType()
@@ -83,9 +89,8 @@ public function testECKeyType()
             \openssl_pkey_export($res, $keyContent, 'mystrongpassword');
 
             $key = new CryptKey($keyContent, 'mystrongpassword');
-            $path = self::generateKeyPath($keyContent);
 
-            $this->assertEquals($path, $key->getKeyPath());
+            $this->assertEquals('', $key->getKeyPath());
             $this->assertEquals('mystrongpassword', $key->getPassPhrase());
         } catch (\Throwable $e) {
             $this->fail('The EC key was not created');
@@ -109,9 +114,8 @@ public function testRSAKeyType()
             \openssl_pkey_export($res, $keyContent, 'mystrongpassword');
 
             $key = new CryptKey($keyContent, 'mystrongpassword');
-            $path = self::generateKeyPath($keyContent);
 
-            $this->assertEquals($path, $key->getKeyPath());
+            $this->assertEquals('', $key->getKeyPath());
             $this->assertEquals('mystrongpassword', $key->getPassPhrase());
         } catch (\Throwable $e) {
             $this->fail('The RSA key was not created');