From af5414cce11670cbc0a8a8dc84dba9c79b936e1b Mon Sep 17 00:00:00 2001
From: Bojan Bogdanovic <info@bojanbogdanovic.nl>
Date: Tue, 18 Feb 2025 15:53:37 +0100
Subject: [PATCH 1/3] Issue #3507450: Introduce access policy + cache context
for oauth2 scopes
---
simple_oauth.services.yml | 13 ++-
.../SimpleOauthAuthenticationProvider.php | 79 ++++++-------------
src/Authentication/TokenAuthUser.php | 39 +++++----
src/Entity/Oauth2Scope.php | 9 +++
src/Oauth2AccessPolicy.php | 47 +++++++++++
src/Oauth2ScopeCacheContext.php | 57 +++++++++++++
src/Oauth2ScopeInterface.php | 8 ++
src/Oauth2ScopeProvider.php | 19 +++++
src/Oauth2ScopeProviderInterface.php | 8 ++
src/Plugin/ScopeGranularity/Permission.php | 7 ++
src/Plugin/ScopeGranularity/Role.php | 28 +++++++
src/Plugin/ScopeGranularityInterface.php | 8 ++
.../ScopeGranularity/TestGranularity.php | 7 ++
.../SimpleOauthAuthenticationTest.php | 6 ++
14 files changed, 263 insertions(+), 72 deletions(-)
create mode 100644 src/Oauth2AccessPolicy.php
create mode 100644 src/Oauth2ScopeCacheContext.php
diff --git a/simple_oauth.services.yml b/simple_oauth.services.yml
index 1ac7cda..81649e7 100644
--- a/simple_oauth.services.yml
+++ b/simple_oauth.services.yml
@@ -24,6 +24,8 @@ services:
- '@simple_oauth.page_cache_request_policy.disallow_oauth2_token_requests'
- '@psr7.http_message_factory'
- '@psr7.http_foundation_factory'
+ - '@request_stack'
+ - '@permission_checker'
tags:
- { name: authentication_provider, provider_id: oauth2, global: TRUE, priority: 35 }
simple_oauth.page_cache_request_policy.disallow_oauth2_token_requests:
@@ -36,7 +38,16 @@ services:
arguments:
- '@Drupal\simple_oauth\EventSubscriber\ExceptionLoggingSubscriber.inner'
- '@logger.channel.simple_oauth'
-
+ cache_context.oauth2_scopes:
+ class: Drupal\simple_oauth\Oauth2ScopeCacheContext
+ arguments: [ '@current_user' ]
+ tags:
+ - { name: cache.context }
+ access_policy.simple_oauth:
+ class: Drupal\simple_oauth\Oauth2AccessPolicy
+ arguments: [ '@simple_oauth.oauth2_scope.provider' ]
+ tags:
+ - { name: access_policy }
simple_oauth.normalizer.oauth2_token:
class: Drupal\simple_oauth\Normalizer\TokenEntityNormalizer
arguments: [ '@entity_type.manager' ]
diff --git a/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php b/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php
index fb03015..6187c6a 100644
--- a/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php
+++ b/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php
@@ -4,6 +4,7 @@ namespace Drupal\simple_oauth\Authentication\Provider;
use Drupal\Core\Authentication\AuthenticationProviderInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Session\PermissionCheckerInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Drupal\simple_oauth\Authentication\TokenAuthUser;
use Drupal\simple_oauth\Exception\OAuthUnauthorizedHttpException;
@@ -13,6 +14,7 @@ use League\OAuth2\Server\Exception\OAuthServerException;
use Symfony\Bridge\PsrHttpMessage\HttpFoundationFactoryInterface;
use Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface;
use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
/**
* OAuth2 authentication provider.
@@ -23,68 +25,33 @@ class SimpleOauthAuthenticationProvider implements AuthenticationProviderInterfa
use StringTranslationTrait;
- /**
- * The resource server factory.
- *
- * @var \Drupal\simple_oauth\Server\ResourceServerFactoryInterface
- */
- protected ResourceServerFactoryInterface $resourceServerFactory;
-
- /**
- * The entity type manager.
- *
- * @var \Drupal\Core\Entity\EntityTypeManagerInterface
- */
- protected EntityTypeManagerInterface $entityTypeManager;
-
- /**
- * The request policy.
- *
- * @var \Drupal\simple_oauth\PageCache\SimpleOauthRequestPolicyInterface
- */
- protected SimpleOauthRequestPolicyInterface $oauthPageCacheRequestPolicy;
-
- /**
- * The HTTP message factory.
- *
- * @var \Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface
- */
- protected HttpMessageFactoryInterface $httpMessageFactory;
-
- /**
- * The HTTP foundation factory.
- *
- * @var \Symfony\Bridge\PsrHttpMessage\HttpFoundationFactoryInterface
- */
- protected HttpFoundationFactoryInterface $httpFoundationFactory;
-
/**
* Constructs an HTTP basic authentication provider object.
*
- * @param \Drupal\simple_oauth\Server\ResourceServerFactoryInterface $resource_server_factory
+ * @param \Drupal\simple_oauth\Server\ResourceServerFactoryInterface $resourceServerFactory
* The resource server factory.
- * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
+ * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
* The entity type manager service.
- * @param \Drupal\simple_oauth\PageCache\SimpleOauthRequestPolicyInterface $page_cache_request_policy
+ * @param \Drupal\simple_oauth\PageCache\SimpleOauthRequestPolicyInterface $oauthPageCacheRequestPolicy
* The page cache request policy.
- * @param \Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface $http_message_factory
+ * @param \Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface $httpMessageFactory
* The HTTP message factory.
- * @param \Symfony\Bridge\PsrHttpMessage\HttpFoundationFactoryInterface $http_foundation_factory
+ * @param \Symfony\Bridge\PsrHttpMessage\HttpFoundationFactoryInterface $httpFoundationFactory
* The HTTP foundation factory.
+ * @param \Symfony\Component\HttpFoundation\RequestStack $requestStack
+ * The request stack.
+ * @param \Drupal\Core\Session\PermissionCheckerInterface $permissionChecker
+ * The permission checker service.
*/
public function __construct(
- ResourceServerFactoryInterface $resource_server_factory,
- EntityTypeManagerInterface $entity_type_manager,
- SimpleOauthRequestPolicyInterface $page_cache_request_policy,
- HttpMessageFactoryInterface $http_message_factory,
- HttpFoundationFactoryInterface $http_foundation_factory,
- ) {
- $this->resourceServerFactory = $resource_server_factory;
- $this->entityTypeManager = $entity_type_manager;
- $this->oauthPageCacheRequestPolicy = $page_cache_request_policy;
- $this->httpMessageFactory = $http_message_factory;
- $this->httpFoundationFactory = $http_foundation_factory;
- }
+ protected readonly ResourceServerFactoryInterface $resourceServerFactory,
+ protected readonly EntityTypeManagerInterface $entityTypeManager,
+ protected readonly SimpleOauthRequestPolicyInterface $oauthPageCacheRequestPolicy,
+ protected readonly HttpMessageFactoryInterface $httpMessageFactory,
+ protected readonly HttpFoundationFactoryInterface $httpFoundationFactory,
+ protected readonly RequestStack $requestStack,
+ protected readonly PermissionCheckerInterface $permissionChecker,
+ ) {}
/**
* {@inheritdoc}
@@ -129,8 +96,12 @@ class SimpleOauthAuthenticationProvider implements AuthenticationProviderInterfa
'value' => $auth_request->get('oauth_access_token_id'),
]);
$token = reset($tokens);
-
- $account = new TokenAuthUser($token);
+ $account = new TokenAuthUser(
+ $this->permissionChecker,
+ $token,
+ $this->httpMessageFactory,
+ $this->requestStack
+ );
// Revoke the access token for the blocked user.
if ($account->isBlocked() && $account->isAuthenticated()) {
diff --git a/src/Authentication/TokenAuthUser.php b/src/Authentication/TokenAuthUser.php
index 36853ea..f93f3a7 100644
--- a/src/Authentication/TokenAuthUser.php
+++ b/src/Authentication/TokenAuthUser.php
@@ -7,10 +7,13 @@ use Drupal\Core\Entity\EntityStorageInterface;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\consumers\Entity\Consumer;
+use Drupal\Core\Session\PermissionCheckerInterface;
use Drupal\simple_oauth\Entity\Oauth2TokenInterface;
use Drupal\user\Entity\User;
use Drupal\user\UserInterface;
use League\OAuth2\Server\Exception\OAuthServerException;
+use Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface;
+use Symfony\Component\HttpFoundation\RequestStack;
/**
* The decorated user class with token information.
@@ -26,13 +29,6 @@ class TokenAuthUser implements TokenAuthUserInterface {
*/
protected $subject;
- /**
- * The bearer token.
- *
- * @var \Drupal\simple_oauth\Entity\Oauth2TokenInterface
- */
- protected Oauth2TokenInterface $token;
-
/**
* The activated consumer instance.
*
@@ -43,24 +39,33 @@ class TokenAuthUser implements TokenAuthUserInterface {
/**
* Constructs a TokenAuthUser object.
*
+ * @param \Drupal\Core\Session\PermissionCheckerInterface $permissionChecker
+ * The permission checker service.
* @param \Drupal\simple_oauth\Entity\Oauth2TokenInterface $token
* The underlying token.
+ * @param \Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface $httpMessageFactory
+ * The HTTP message factory.
+ * @param \Symfony\Component\HttpFoundation\RequestStack $requestStack
+ * The request stack.
*
* @throws \League\OAuth2\Server\Exception\OAuthServerException
* When there is no user.
*/
- public function __construct(Oauth2TokenInterface $token) {
+ public function __construct(
+ protected readonly PermissionCheckerInterface $permissionChecker,
+ protected readonly Oauth2TokenInterface $token,
+ protected readonly HttpMessageFactoryInterface $httpMessageFactory,
+ protected readonly RequestStack $requestStack,
+ ) {
$this->consumer = $token->get('client')->entity;
if (!$this->subject = $token->get('auth_user_id')->entity) {
$this->subject = $this->consumer->get('user_id')->entity;
}
if (!$this->subject) {
- $server_request = \Drupal::service('psr7.http_message_factory')
- ->createRequest(\Drupal::request());
+ $server_request = $httpMessageFactory->createRequest($requestStack->getCurrentRequest());
throw OAuthServerException::invalidClient($server_request);
}
- $this->token = $token;
}
/**
@@ -81,18 +86,18 @@ class TokenAuthUser implements TokenAuthUserInterface {
* {@inheritdoc}
*/
public function hasPermission($permission) {
+ if (!is_string($permission)) {
+ @trigger_error('Calling ' . __METHOD__ . '() with a $permission parameter of type other than string is deprecated in drupal:10.3.0 and will cause an error in drupal:11.0.0. See https://www.drupal.org/node/3411485', E_USER_DEPRECATED);
+ return FALSE;
+ }
// When the 'auth_user_id' isn't available on the token (which can happen
// with the 'client credentials' grant type):
// has permission checks are then only performed on the scopes.
if ($this->token->get('auth_user_id')->isEmpty()) {
- return $this->token->hasPermission($permission);
- }
- // User #1 has all permissions.
- if ((int) $this->id() === 1) {
- return TRUE;
+ return $this->permissionChecker->hasPermission($permission, $this);
}
- return $this->token->hasPermission($permission) && $this->subject->hasPermission($permission);
+ return $this->permissionChecker->hasPermission($permission, $this) && $this->subject->hasPermission($permission);
}
/* ---------------------------------------------------------------------------
diff --git a/src/Entity/Oauth2Scope.php b/src/Entity/Oauth2Scope.php
index 618f318..7aeab01 100644
--- a/src/Entity/Oauth2Scope.php
+++ b/src/Entity/Oauth2Scope.php
@@ -257,6 +257,15 @@ class Oauth2Scope extends ConfigEntityBase implements Oauth2ScopeEntityInterface
return $granularityCollection->get($this->granularity_id);
}
+ /**
+ * {@inheritdoc}
+ */
+ public function getPermissions(): array {
+ $granularity = $this->getGranularity();
+ assert($granularity instanceof ScopeGranularityInterface);
+ return $granularity->getPermissions();
+ }
+
/**
* {@inheritdoc}
*/
diff --git a/src/Oauth2AccessPolicy.php b/src/Oauth2AccessPolicy.php
new file mode 100644
index 0000000..ec29edf
--- /dev/null
+++ b/src/Oauth2AccessPolicy.php
@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\simple_oauth;
+
+use Drupal\Core\Session\AccessPolicyBase;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Session\CalculatedPermissionsItem;
+use Drupal\Core\Session\RefinableCalculatedPermissionsInterface;
+use Drupal\simple_oauth\Authentication\TokenAuthUserInterface;
+
+/**
+ * Grants permissions based on OAuth2 scopes.
+ */
+final class Oauth2AccessPolicy extends AccessPolicyBase {
+
+ public function __construct(protected Oauth2ScopeProviderInterface $scopeProvider) {}
+
+ /**
+ * {@inheritdoc}
+ */
+ public function calculatePermissions(AccountInterface $account, string $scope): RefinableCalculatedPermissionsInterface {
+ $calculated_permissions = parent::calculatePermissions($account, $scope);
+
+ if (!$account instanceof TokenAuthUserInterface) {
+ return $calculated_permissions;
+ }
+
+ $token = $account->getToken();
+ foreach ($token->get('scopes')->getScopes() as $oauth2_scope) {
+ $calculated_permissions
+ ->addItem(new CalculatedPermissionsItem($this->scopeProvider->getPermissions($oauth2_scope)))
+ ->addCacheableDependency($oauth2_scope);
+ }
+
+ return $calculated_permissions;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getPersistentCacheContexts(): array {
+ return ['oauth2_scopes'];
+ }
+
+}
diff --git a/src/Oauth2ScopeCacheContext.php b/src/Oauth2ScopeCacheContext.php
new file mode 100644
index 0000000..d89ca2e
--- /dev/null
+++ b/src/Oauth2ScopeCacheContext.php
@@ -0,0 +1,57 @@
+<?php
+
+namespace Drupal\simple_oauth;
+
+use Drupal\Core\Cache\CacheableMetadata;
+use Drupal\Core\Cache\Context\CalculatedCacheContextInterface;
+use Drupal\Core\Session\AccountProxyInterface;
+use Drupal\simple_oauth\Authentication\TokenAuthUserInterface;
+
+/**
+ * Defines the Oauth2ScopeCacheContext service, for "per scope" caching.
+ */
+class Oauth2ScopeCacheContext implements CalculatedCacheContextInterface {
+
+ /**
+ * Constructs a new Oauth2ScopeCacheContext class.
+ *
+ * @param \Drupal\Core\Session\AccountProxyInterface $account
+ * The current user.
+ */
+ public function __construct(protected AccountProxyInterface $account) {}
+
+ /**
+ * {@inheritdoc}
+ */
+ public static function getLabel() {
+ return t("OAuth2 scopes");
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getContext($oauth2_scope = NULL) {
+ $account = $this->account->getAccount();
+ if (!$account instanceof TokenAuthUserInterface) {
+ return '';
+ }
+
+ $token = $account->getToken();
+ $scope_names = array_map(function (Oauth2ScopeInterface $scope) {
+ return $scope->getName();
+ }, $token->get('scopes')->getScopes());
+
+ if ($oauth2_scope === NULL) {
+ return implode(',', $scope_names);
+ }
+ return (in_array($oauth2_scope, $scope_names) ? 'true' : 'false');
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getCacheableMetadata($scope = NULL) {
+ return (new CacheableMetadata())->setCacheTags(['user:' . $this->account->id()]);
+ }
+
+}
diff --git a/src/Oauth2ScopeInterface.php b/src/Oauth2ScopeInterface.php
index 2c66196..d0e8125 100644
--- a/src/Oauth2ScopeInterface.php
+++ b/src/Oauth2ScopeInterface.php
@@ -99,4 +99,12 @@ interface Oauth2ScopeInterface {
*/
public function getGranularity(): ?ScopeGranularityInterface;
+ /**
+ * Get the referenced permissions.
+ *
+ * @return array
+ * Returns the permissions.
+ */
+ public function getPermissions(): array;
+
}
diff --git a/src/Oauth2ScopeProvider.php b/src/Oauth2ScopeProvider.php
index fb64182..4b8913e 100644
--- a/src/Oauth2ScopeProvider.php
+++ b/src/Oauth2ScopeProvider.php
@@ -94,6 +94,25 @@ class Oauth2ScopeProvider implements Oauth2ScopeProviderInterface {
return FALSE;
}
+ /**
+ * {@inheritdoc}
+ */
+ public function getPermissions(Oauth2ScopeInterface $scope): array {
+ if (!$scope->isUmbrella()) {
+ $granularity = $scope->getGranularity();
+ assert($granularity instanceof ScopeGranularityInterface);
+ return $granularity->getPermissions();
+ }
+
+ $permissions = [];
+ $children = $this->loadChildren($scope->id());
+ foreach ($children as $child) {
+ $permissions = array_unique(array_merge($permissions, $child->getPermissions()));
+ }
+
+ return $permissions;
+ }
+
/**
* Adds a permission to the flatten permission tree.
*
diff --git a/src/Oauth2ScopeProviderInterface.php b/src/Oauth2ScopeProviderInterface.php
index 2b09874..53adc01 100644
--- a/src/Oauth2ScopeProviderInterface.php
+++ b/src/Oauth2ScopeProviderInterface.php
@@ -20,4 +20,12 @@ interface Oauth2ScopeProviderInterface extends Oauth2ScopeAdapterInterface {
*/
public function scopeHasPermission(string $permission, Oauth2ScopeInterface $scope): bool;
+ /**
+ * Get the referenced permissions.
+ *
+ * @return array
+ * Returns the permissions.
+ */
+ public function getPermissions(Oauth2ScopeInterface $scope): array;
+
}
diff --git a/src/Plugin/ScopeGranularity/Permission.php b/src/Plugin/ScopeGranularity/Permission.php
index ba7c4e9..467cf1d 100644
--- a/src/Plugin/ScopeGranularity/Permission.php
+++ b/src/Plugin/ScopeGranularity/Permission.php
@@ -76,6 +76,13 @@ class Permission extends ScopeGranularityBase implements ContainerFactoryPluginI
return $this->getConfiguration()['permission'] === $permission;
}
+ /**
+ * {@inheritdoc}
+ */
+ public function getPermissions(): array {
+ return [$this->getConfiguration()['permission']];
+ }
+
/**
* {@inheritdoc}
*/
diff --git a/src/Plugin/ScopeGranularity/Role.php b/src/Plugin/ScopeGranularity/Role.php
index 924a736..805adc5 100644
--- a/src/Plugin/ScopeGranularity/Role.php
+++ b/src/Plugin/ScopeGranularity/Role.php
@@ -11,6 +11,7 @@ use Drupal\Core\StringTranslation\TranslatableMarkup;
use Drupal\simple_oauth\Attribute\ScopeGranularity;
use Drupal\simple_oauth\Oauth2ScopeInterface;
use Drupal\simple_oauth\Plugin\ScopeGranularityBase;
+use Drupal\user\RoleInterface;
use Drupal\user\RoleStorage;
use Symfony\Component\DependencyInjection\ContainerInterface;
@@ -87,6 +88,33 @@ class Role extends ScopeGranularityBase implements ContainerFactoryPluginInterfa
return $role_storage->isPermissionInRoles($permission, $rolesToCheck);
}
+ /**
+ * {@inheritdoc}
+ */
+ public function getPermissions(): array {
+ $role = $this->getConfiguration()['role'];
+
+ $lockedRoles = [
+ AccountInterface::AUTHENTICATED_ROLE,
+ AccountInterface::ANONYMOUS_ROLE,
+ ];
+ $rolesToCheck = !in_array($role, $lockedRoles)
+ ? [AccountInterface::AUTHENTICATED_ROLE, $role]
+ : [$role];
+
+ $role_storage = $this->entityTypeManager->getStorage('user_role');
+ assert($role_storage instanceof RoleStorage);
+
+ $permissions = [];
+ foreach ($rolesToCheck as $roleToCheck) {
+ $role = $role_storage->load($roleToCheck);
+ assert($role instanceof RoleInterface);
+ $permissions = array_unique(array_merge($permissions, $role->getPermissions()));
+ }
+
+ return $permissions;
+ }
+
/**
* {@inheritdoc}
*/
diff --git a/src/Plugin/ScopeGranularityInterface.php b/src/Plugin/ScopeGranularityInterface.php
index eb94b9b..36d6b3f 100644
--- a/src/Plugin/ScopeGranularityInterface.php
+++ b/src/Plugin/ScopeGranularityInterface.php
@@ -32,4 +32,12 @@ interface ScopeGranularityInterface extends ConfigurableInterface, PluginFormInt
*/
public function hasPermission(string $permission): bool;
+ /**
+ * Returns a list of permissions assigned to the scope.
+ *
+ * @return array
+ * The permissions assigned to the scope.
+ */
+ public function getPermissions(): array;
+
}
diff --git a/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php b/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php
index e483fdb..619c0d9 100644
--- a/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php
+++ b/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php
@@ -58,6 +58,13 @@ class TestGranularity extends ScopeGranularityBase {
return TRUE;
}
+ /**
+ * {@inheritdoc}
+ */
+ public function getPermissions(): array {
+
+ }
+
/**
* {@inheritdoc}
*/
diff --git a/tests/src/Unit/Authentication/Provider/SimpleOauthAuthenticationTest.php b/tests/src/Unit/Authentication/Provider/SimpleOauthAuthenticationTest.php
index 6671ac7..6f2762d 100644
--- a/tests/src/Unit/Authentication/Provider/SimpleOauthAuthenticationTest.php
+++ b/tests/src/Unit/Authentication/Provider/SimpleOauthAuthenticationTest.php
@@ -5,6 +5,7 @@ namespace Drupal\Tests\simple_oauth\Unit\Authentication\Provider;
use Drupal\Core\Authentication\AuthenticationProviderInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\PageCache\RequestPolicyInterface;
+use Drupal\Core\Session\PermissionCheckerInterface;
use Drupal\TestTools\Random;
use Drupal\Tests\UnitTestCase;
use Drupal\simple_oauth\Authentication\Provider\SimpleOauthAuthenticationProvider;
@@ -15,6 +16,7 @@ use Prophecy\PhpUnit\ProphecyTrait;
use Symfony\Bridge\PsrHttpMessage\HttpFoundationFactoryInterface;
use Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface;
use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
/**
* @coversDefaultClass \Drupal\simple_oauth\Authentication\Provider\SimpleOauthAuthenticationProvider
@@ -48,12 +50,16 @@ class SimpleOauthAuthenticationTest extends UnitTestCase {
$this->oauthPageCacheRequestPolicy = new DisallowSimpleOauthRequests();
$http_message_factory = $this->prophesize(HttpMessageFactoryInterface::class);
$http_foundation_factory = $this->prophesize(HttpFoundationFactoryInterface::class);
+ $request_stack = $this->prophesize(RequestStack::class);
+ $permission_checker = $this->prophesize(PermissionCheckerInterface::class);
$this->provider = new SimpleOauthAuthenticationProvider(
$resource_server_factory->reveal(),
$entity_type_manager->reveal(),
$this->oauthPageCacheRequestPolicy,
$http_message_factory->reveal(),
$http_foundation_factory->reveal(),
+ $request_stack->reveal(),
+ $permission_checker->reveal()
);
}
--
GitLab
From 7ef47e2517af1eb68d1ed2a5c0690fec8e469200 Mon Sep 17 00:00:00 2001
From: Bojan Bogdanovic <info@bojanbogdanovic.nl>
Date: Tue, 18 Feb 2025 16:01:17 +0100
Subject: [PATCH 2/3] Increase minimum core requirement
---
.../simple_oauth_static_scope.info.yml | 2 +-
simple_oauth.info.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/simple_oauth_static_scope/simple_oauth_static_scope.info.yml b/modules/simple_oauth_static_scope/simple_oauth_static_scope.info.yml
index 4442743..53f8553 100644
--- a/modules/simple_oauth_static_scope/simple_oauth_static_scope.info.yml
+++ b/modules/simple_oauth_static_scope/simple_oauth_static_scope.info.yml
@@ -1,7 +1,7 @@
name: Simple OAuth static scope
type: module
description: 'Makes static (YAML) defined scopes available.'
-core_version_requirement: ^10.2 || ^11
+core_version_requirement: ^10.3 || ^11
package: Authentication
dependencies:
- simple_oauth:simple_oauth
diff --git a/simple_oauth.info.yml b/simple_oauth.info.yml
index 346c0f0..4527812 100644
--- a/simple_oauth.info.yml
+++ b/simple_oauth.info.yml
@@ -1,7 +1,7 @@
name: Simple OAuth & OpenID Connect
type: module
description: 'The OAuth 2.0 Authorization Framework'
-core_version_requirement: ^10.2 || ^11
+core_version_requirement: ^10.3 || ^11
package: Authentication
configure: oauth2_token.settings
dependencies:
--
GitLab
From ee02eae7c6ea03703ff690865bb70d0dbc8d27c1 Mon Sep 17 00:00:00 2001
From: Bojan Bogdanovic <info@bojanbogdanovic.nl>
Date: Wed, 19 Feb 2025 10:21:54 +0100
Subject: [PATCH 3/3] Update static scope + granularity test plugin
---
.../simple_oauth_static_scope/src/Plugin/Oauth2Scope.php | 9 +++++++++
.../src/Plugin/ScopeGranularity/TestGranularity.php | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/simple_oauth_static_scope/src/Plugin/Oauth2Scope.php b/modules/simple_oauth_static_scope/src/Plugin/Oauth2Scope.php
index 1424a88..608ec31 100644
--- a/modules/simple_oauth_static_scope/src/Plugin/Oauth2Scope.php
+++ b/modules/simple_oauth_static_scope/src/Plugin/Oauth2Scope.php
@@ -108,4 +108,13 @@ class Oauth2Scope extends PluginBase implements Oauth2ScopePluginInterface, Cont
);
}
+ /**
+ * {@inheritdoc}
+ */
+ public function getPermissions(): array {
+ $granularity = $this->getGranularity();
+ assert($granularity instanceof ScopeGranularityInterface);
+ return $granularity->getPermissions();
+ }
+
}
diff --git a/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php b/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php
index 619c0d9..f6843ef 100644
--- a/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php
+++ b/tests/modules/simple_oauth_test/src/Plugin/ScopeGranularity/TestGranularity.php
@@ -62,7 +62,7 @@ class TestGranularity extends ScopeGranularityBase {
* {@inheritdoc}
*/
public function getPermissions(): array {
-
+ return [];
}
/**
--
GitLab