diff --git a/lib/Controller/ConfigController.php b/lib/Controller/ConfigController.php index 2765eece9..129befd03 100755 --- a/lib/Controller/ConfigController.php +++ b/lib/Controller/ConfigController.php @@ -301,9 +301,7 @@ private function setIntegrationConfig(array $values): array { ); $runningOIDCReset = false; - if (array_key_exists('authorization_method', $values) && - $values['authorization_method'] === OpenProjectAPIService::AUTH_METHOD_OAUTH && - !$runningFullReset && + if ( array_key_exists('oidc_provider', $values) && array_key_exists('targeted_audience_client_id', $values) ) { @@ -361,11 +359,11 @@ private function setIntegrationConfig(array $values): array { $this->config->deleteAppValue(Application::APP_ID, 'oPOAuthTokenRevokeStatus'); if ( // when the OP client information has changed - !$runningFullResetWithOIDC && ((array_key_exists('openproject_client_id', $values) && $values['openproject_client_id'] !== $oldClientId) || - (array_key_exists('openproject_client_secret', $values) && $values['openproject_client_secret'] !== $oldClientSecret)) || - // when the OP client information is for reset - $runningFullResetWithOAuth2 || - $runningOauth2Reset + (!$runningFullResetWithOIDC && ((array_key_exists('openproject_client_id', $values) && $values['openproject_client_id'] !== $oldClientId) || + (array_key_exists('openproject_client_secret', $values) && $values['openproject_client_secret'] !== $oldClientSecret))) || + // when the OP client information is for reset + $runningFullResetWithOAuth2 || + $runningOauth2Reset ) { $this->userManager->callForAllUsers(function (IUser $user) use ( $oldOpenProjectOauthUrl, $oldClientId, $oldClientSecret diff --git a/tests/lib/Controller/ConfigControllerTest.php b/tests/lib/Controller/ConfigControllerTest.php index 2acfc196c..77dfbf335 100644 --- a/tests/lib/Controller/ConfigControllerTest.php +++ b/tests/lib/Controller/ConfigControllerTest.php @@ -643,6 +643,8 @@ public function testSetAdminConfigForDifferentAdminConfigStatusForOIDC($credsToU ->withConsecutive( ['integration_openproject', 'openproject_instance_url', ''], ['integration_openproject', 'authorization_method', ''], + ['integration_openproject', 'oidc_provider'], + ['integration_openproject', 'targeted_audience_client_id'], ['integration_openproject', 'nc_oauth_client_id', ''], ['integration_openproject', 'oPOAuthTokenRevokeStatus', ''], ['integration_openproject', 'authorization_method'], @@ -653,6 +655,8 @@ public function testSetAdminConfigForDifferentAdminConfigStatusForOIDC($credsToU ->willReturnOnConsecutiveCalls( 'http://localhost:3000', OpenProjectAPIService::AUTH_METHOD_OAUTH, + '', + '', '123', '', OpenProjectAPIService::AUTH_METHOD_OIDC, @@ -1602,4 +1606,268 @@ public function testSignTOSForUserOpenProjectError():void { $data = $result->getData(); $this->assertEquals("Database Error!", $data['error']); } + + /** + * @return array + */ + public function setAdminConfigForOIDCAuthSettingProvider() { + return [ + [ // set info if the authorization settings are changed + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'old-oidc_provider', + 'targeted_audience_client_id' => 'old-targeted_audience_client_id', + 'openproject_instance_url' => 'http://old-openproject.com', + ], + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'oidc_provider', + 'targeted_audience_client_id' => 'targeted_audience_client_id', + 'openproject_instance_url' => 'http://openproject.com', + ], + false, + 'change' + ], + [ // set info even if only 'targeted_audience_client_id' authorization settings are changed + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'old-oidc_provider', + 'targeted_audience_client_id' => 'old-targeted_audience_client_id', + 'openproject_instance_url' => 'http://old-openproject.com', + ], + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'old_oidc_provider', + 'targeted_audience_client_id' => 'new_targeted_audience_client_id', + 'openproject_instance_url' => 'http://openproject.com', + ], + false, + 'change' + ], + [ // setinfo even if only 'oidc_provider' authorization settings are changed + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'old-oidc_provider', + 'targeted_audience_client_id' => 'old-targeted_audience_client_id', + 'openproject_instance_url' => 'http://old-openproject.com', + ], + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'new_oidc_provider', + 'targeted_audience_client_id' => 'old-targeted_audience_client_id', + 'openproject_instance_url' => 'http://openproject.com', + ] + ], + [ // set if authorization settings are empty string + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'old-oidc_provider', + 'targeted_audience_client_id' => 'old-targeted_audience_client_id', + 'openproject_instance_url' => 'http://old-openproject.com', + ], + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => '', + 'targeted_audience_client_id' => '', + 'openproject_instance_url' => 'http://openproject.com', + ] + ], + [ // set if authorization settings are null + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => 'old-oidc_provider', + 'targeted_audience_client_id' => 'old-targeted_audience_client_id', + 'openproject_instance_url' => 'http://old-openproject.com', + ], + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'oidc_provider' => null, + 'targeted_audience_client_id' => null, + 'openproject_instance_url' => 'http://openproject.com', + ] + ], + ]; + } + + /** + * @group ignoreWithPHP8.0 + * @param array $oldCreds + * @param array $credsToUpdate + * @param bool $deleteUserValues + * @param bool|string $updateNCOAuthClient false => don't touch the client, 'change' => update it, 'delete' => remove it + * @return void + * @dataProvider setAdminConfigForOIDCAuthSettingProvider + */ + public function testSetAdminConfigOIDCAuthSetting( + $oldCreds, $credsToUpdate + ) { + $userManager = $this->checkForUsersCountBeforeTest(); + $configMock = $this->getMockBuilder(IConfig::class)->getMock(); + $oauthServiceMock = $this->createMock(OauthService::class); + $oauthSettingsControllerMock = $this->getMockBuilder(SettingsController::class) + ->disableOriginalConstructor() + ->getMock(); + $configMock + ->method('getAppValue') + ->withConsecutive( + ['integration_openproject', 'openproject_instance_url', ''], + ['integration_openproject', 'authorization_method', ''], + ['integration_openproject', 'oidc_provider'], + ['integration_openproject', 'targeted_audience_client_id'], + ['integration_openproject', 'nc_oauth_client_id', ''], + ['integration_openproject', 'oPOAuthTokenRevokeStatus', ''], + ['integration_openproject', 'authorization_method', ''], + ['integration_openproject', 'oidc_provider'], + ['integration_openproject', 'targeted_audience_client_id'], + ['integration_openproject', 'openproject_instance_url'], + ) + ->willReturnOnConsecutiveCalls( + $oldCreds['openproject_instance_url'], + $oldCreds['authorization_method'], + $oldCreds['oidc_provider'], + $oldCreds['targeted_audience_client_id'], + '123', + '', + OpenProjectAPIService::AUTH_METHOD_OAUTH, + $credsToUpdate['oidc_provider'], + $credsToUpdate['targeted_audience_client_id'], + $credsToUpdate['openproject_instance_url'] + ); + + $apiService = $this->getMockBuilder(OpenProjectAPIService::class) + ->disableOriginalConstructor() + ->getMock(); + $configController = new ConfigController( + 'integration_openproject', + $this->createMock(IRequest::class), + $configMock, + $this->createMock(IURLGenerator::class), + $userManager, + $this->l, + $apiService, + $this->createMock(LoggerInterface::class), + $oauthServiceMock, + $oauthSettingsControllerMock, + $this->createMock(IGroupManager::class), + $this->createMock(ISecureRandom::class), + $this->createMock(ISubAdmin::class), + 'test101' + ); + $configController->setAdminConfig($credsToUpdate); + } + + + /** + * @return array + */ + public function setAdminConfigSwitchFromOauth2ToOIDCAuthDataProvider() { + return [ + [ // when switching from oauth2 to oidc, userdata gets deleted along with the nc client information + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OAUTH, + 'openproject_client_id' => 'old-openproject_client_id', + 'openproject_client_secret' => 'old-openproject_client_secret', + 'openproject_instance_url' => 'http://old-openproject.com', + ], + [ + 'authorization_method' => OpenProjectAPIService::AUTH_METHOD_OIDC, + 'openproject_client_id' => '', + 'openproject_client_secret' => '', + 'openproject_instance_url' => 'http://openproject.com', + ] + ] + ]; + } + + /** + * @group ignoreWithPHP8.0 + * @param array $oldCreds + * @param array $credsToUpdate + * @return void + * @dataProvider setAdminConfigSwitchFromOauth2ToOIDCAuthDataProvider + */ + public function testSetAdminConfigSwitchFromOauth2ToOIDCAuth( + $oldCreds, $credsToUpdate + ) { + $userManager = $this->checkForUsersCountBeforeTest(); + $this->user1 = $userManager->createUser('test101', 'test101'); + + $configMock = $this->getMockBuilder(IConfig::class)->getMock(); + $oauthServiceMock = $this->createMock(OauthService::class); + $oauthSettingsControllerMock = $this->getMockBuilder(SettingsController::class) + ->disableOriginalConstructor() + ->getMock(); + $configMock + ->method('getAppValue') + ->withConsecutive( + ['integration_openproject', 'openproject_instance_url', ''], + ['integration_openproject', 'authorization_method', ''], + ['integration_openproject', 'openproject_client_id'], + ['integration_openproject', 'openproject_client_secret'], + ['integration_openproject', 'nc_oauth_client_id', ''], + ['integration_openproject', 'nc_oauth_client_id', ''], + ['integration_openproject', 'oPOAuthTokenRevokeStatus', ''], + ['integration_openproject', 'authorization_method', ''], + ['integration_openproject', 'openproject_client_id'], + ['integration_openproject', 'openproject_client_secret'], + ['integration_openproject', 'openproject_instance_url'], + ) + ->willReturnOnConsecutiveCalls( + $oldCreds['openproject_instance_url'], + $oldCreds['authorization_method'], + $oldCreds['openproject_client_id'], + $oldCreds['openproject_client_secret'], + '123', + '123', + '', + OpenProjectAPIService::AUTH_METHOD_OAUTH, + $credsToUpdate['openproject_client_id'], + $credsToUpdate['openproject_client_secret'], + $credsToUpdate['openproject_instance_url'] + ); + $oauthServiceMock + ->expects($this->once()) + ->method('setClientRedirectUri') + ->with(123, $credsToUpdate['openproject_instance_url']); + $oauthSettingsControllerMock + ->expects($this->once()) + ->method('deleteClient') + ->with(123); + $configMock + ->expects($this->exactly(10)) // 5 times for each user + ->method('deleteUserValue') + ->withConsecutive( + ['admin', 'integration_openproject', 'token'], + ['admin', 'integration_openproject', 'login'], + ['admin', 'integration_openproject', 'user_id'], + ['admin', 'integration_openproject', 'user_name'], + ['admin', 'integration_openproject', 'refresh_token'], + [$this->user1->getUID(), 'integration_openproject', 'token'], + [$this->user1->getUID(), 'integration_openproject', 'login'], + [$this->user1->getUID(), 'integration_openproject', 'user_id'], + [$this->user1->getUID(), 'integration_openproject', 'user_name'], + [$this->user1->getUID(), 'integration_openproject', 'refresh_token'], + ); + + $apiService = $this->getMockBuilder(OpenProjectAPIService::class) + ->disableOriginalConstructor() + ->getMock(); + $configController = new ConfigController( + 'integration_openproject', + $this->createMock(IRequest::class), + $configMock, + $this->createMock(IURLGenerator::class), + $userManager, + $this->l, + $apiService, + $this->createMock(LoggerInterface::class), + $oauthServiceMock, + $oauthSettingsControllerMock, + $this->createMock(IGroupManager::class), + $this->createMock(ISecureRandom::class), + $this->createMock(ISubAdmin::class), + 'test101' + ); + $configController->setAdminConfig($credsToUpdate); + } }