From 3ae19bb4725a97620afc74d8b7d1197ca117eb04 Mon Sep 17 00:00:00 2001
From: Brent Shaffer <betterbrent@google.com>
Date: Fri, 16 Oct 2015 13:13:10 -0700
Subject: [PATCH] adds tests + fixes bugs for multiple issuers

---
 src/Google/Auth/OAuth2.php |  2 +-
 tests/general/AuthTest.php | 47 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/src/Google/Auth/OAuth2.php b/src/Google/Auth/OAuth2.php
index 0f556e14d..40f2076ba 100644
--- a/src/Google/Auth/OAuth2.php
+++ b/src/Google/Auth/OAuth2.php
@@ -609,7 +609,7 @@ public function verifySignedJwtWithCerts(
           sprintf(
               "Invalid issuer, %s not in %s: %s",
               $iss,
-              "[".implode(",", $issuers)."]",
+              "[".implode(",", (array) $issuer)."]",
               $json_body
           )
       );
diff --git a/tests/general/AuthTest.php b/tests/general/AuthTest.php
index 9832a34dc..86cd8312f 100644
--- a/tests/general/AuthTest.php
+++ b/tests/general/AuthTest.php
@@ -149,18 +149,61 @@ public function testVerifySignedJwtWithCerts()
   }
 
   // Checks that the id token fails to verify with the expected message.
-  private function checkIdTokenFailure($id_token, $msg)
+  private function checkIdTokenFailure($id_token, $msg, $issuer = null)
   {
     $certs = $this->getSignonCerts();
     $oauth2 = new Google_Auth_OAuth2($this->getClient());
     try {
-      $oauth2->verifySignedJwtWithCerts($id_token, $certs, "client_id");
+      $oauth2->verifySignedJwtWithCerts($id_token, $certs, "client_id", $issuer);
       $this->fail("Should have thrown for $id_token");
     } catch (Google_Auth_Exception $e) {
       $this->assertContains($msg, $e->getMessage());
     }
   }
 
+  public function testVerifySignedJwtWithMultipleIssuers()
+  {
+    $id_token = $this->makeSignedJwt(
+        array(
+          "iss" => "system.gserviceaccount.com",
+          "aud" => "client_id",
+          "sub" => self::USER_ID,
+          "iat" => time(),
+          "exp" => time() + 3600
+        )
+    );
+    $certs = $this->getSignonCerts();
+    $oauth2 = new Google_Auth_OAuth2($this->getClient());
+    $ticket = $oauth2->verifySignedJwtWithCerts(
+      $id_token,
+      $certs,
+      "client_id",
+      ['system.gserviceaccount.com', 'https://system.gserviceaccount.com']
+    );
+    $this->assertEquals(self::USER_ID, $ticket->getUserId());
+    // Check that payload and envelope got filled in.
+    $attributes = $ticket->getAttributes();
+    $this->assertEquals("JWT", $attributes["envelope"]["typ"]);
+    $this->assertEquals("client_id", $attributes["payload"]["aud"]);
+  }
+
+  public function testVerifySignedJwtWithBadIssuer()
+  {
+    $id_token = $this->makeSignedJwt(
+        array(
+          "iss" => "fake.gserviceaccount.com",
+          "aud" => "client_id",
+          "sub" => self::USER_ID,
+          "iat" => time(),
+          "exp" => time() + 3600
+        )
+    );
+
+    $issuers = ['system.gserviceaccount.com', 'https://system.gserviceaccount.com'];
+    $this->checkIdTokenFailure($id_token, 'Invalid issuer', $issuers[0]);
+    $this->checkIdTokenFailure($id_token, 'Invalid issuer', $issuers);
+  }
+
   public function testVerifySignedJwtWithBadJwt()
   {
     $this->checkIdTokenFailure("foo", "Wrong number of segments");