added required all option to routes to require all scopes for oauth2

pulkitjalan · pulkitjalan · commit 481c9ad3ff3a · 2015-11-03T05:46:11.000Z
diff --git a/src/Auth/Provider/OAuth2.php b/src/Auth/Provider/OAuth2.php
@@ -79,7 +79,13 @@ public function authenticate(Request $request, Route $route)
         try {
             $this->resource->isValidRequest($this->httpHeadersOnly);
 
-            $this->validateRouteScopes($token = $this->resource->getAccessToken(), $route);
+            $token = $this->resource->getAccessToken();
+
+            if ($route->requiresAllScopes()) {
+                $this->validateAllRouteScopes($token, $route);
+            } else {
+                $this->validateAnyRouteScopes($token, $route);
+            }
 
             return $this->resolveResourceOwner($token);
         } catch (OAuthException $exception) {
@@ -106,7 +112,7 @@ protected function resolveResourceOwner(AccessTokenEntity $token)
     }
 
     /**
-     * Validate a routes scopes.
+     * Validate a route has any scopes.
      *
      * @param \League\OAuth2\Server\Entity\AccessTokenEntity $token
      * @param \Dingo\Api\Routing\Route                       $route
@@ -115,7 +121,7 @@ protected function resolveResourceOwner(AccessTokenEntity $token)
      *
      * @return bool
      */
-    protected function validateRouteScopes(AccessTokenEntity $token, Route $route)
+    protected function validateAnyRouteScopes(AccessTokenEntity $token, Route $route)
     {
         $scopes = $route->scopes();
 
@@ -132,6 +138,29 @@ protected function validateRouteScopes(AccessTokenEntity $token, Route $route)
         throw new InvalidScopeException($scope);
     }
 
+    /**
+     * Validate a route has all scopes.
+     *
+     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $token
+     * @param \Dingo\Api\Routing\Route                       $route
+     *
+     * @throws \League\OAuth2\Server\Exception\InvalidScopeException
+     *
+     * @return bool
+     */
+    protected function validateAllRouteScopes(AccessTokenEntity $token, Route $route)
+    {
+        $scopes = $route->scopes();
+
+        foreach ($scopes as $scope) {
+            if (! $token->hasScope($scope)) {
+                throw new InvalidScopeException($scope);
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Set the resolver to fetch a user.
      *
diff --git a/src/Routing/Route.php b/src/Routing/Route.php
@@ -352,6 +352,16 @@ public function getScopes()
         return $this->scopes;
     }
 
+    /**
+     * Check if route requires any or all scopes
+     *
+     * @return bool
+     */
+    public function requiresAllScopes()
+    {
+        return array_get($this->action, 'requireAll', false);
+    }
+
     /**
      * Get the route authentication providers.
      *
diff --git a/tests/Auth/Provider/OAuth2Test.php b/tests/Auth/Provider/OAuth2Test.php
@@ -36,11 +36,12 @@ public function testExceptionThrownWhenNoScopesProvided()
 
         $route = m::mock('Dingo\Api\Routing\Route');
         $route->shouldReceive('scopes')->once()->andReturn(['foo']);
+        $route->shouldReceive('requiresAllScopes')->once()->andReturn(false);
 
         $this->provider->authenticate($request, $route);
     }
 
-    public function testOnlyOneScopeRequiredToValidateCorrectly()
+    public function testOnlyOneScopeRequiredToValidateCorrectlyIfRequiredAllSetToFalse()
     {
         $request = Request::create('GET', '/', [], [], [], ['HTTP_AUTHORIZATION' => 'Bearer 12345']);
 
@@ -62,10 +63,36 @@ public function testOnlyOneScopeRequiredToValidateCorrectly()
 
         $route = m::mock('Dingo\Api\Routing\Route');
         $route->shouldReceive('scopes')->once()->andReturn(['foo', 'bar']);
+        $route->shouldReceive('requiresAllScopes')->once()->andReturn(false);
 
         $this->assertNull($this->provider->authenticate($request, $route));
     }
 
+    /**
+     * @expectedException \Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException
+     */
+    public function testAllScopeRequiredToValidateCorrectlyIfRequiredAllSetToTrue()
+    {
+        $request = Request::create('GET', '/', [], [], [], ['HTTP_AUTHORIZATION' => 'Bearer 12345']);
+
+        $this->server->shouldReceive('isValidRequest')->once()->andReturn(true);
+        
+        $token = m::mock('League\OAuth2\Server\Entity\AccessTokenEntity');
+        $token->shouldReceive('hasScope')->once()->with('foo')->andReturn(true);
+        $token->shouldReceive('hasScope')->once()->with('bar')->andReturn(false);
+        $this->server->shouldReceive('getAccessToken')->once()->andReturn($token);
+        
+        $this->provider->setClientResolver(function ($id) {
+            //
+        });
+        
+        $route = m::mock('Dingo\Api\Routing\Route');
+        $route->shouldReceive('scopes')->once()->andReturn(['foo', 'bar']);
+        $route->shouldReceive('requiresAllScopes')->once()->andReturn(true);
+
+        $this->provider->authenticate($request, $route);
+    }
+
     public function testClientIsResolved()
     {
         $request = Request::create('GET', '/', [], [], [], ['HTTP_AUTHORIZATION' => 'Bearer 12345']);
@@ -87,6 +114,7 @@ public function testClientIsResolved()
 
         $route = m::mock('Dingo\Api\Routing\Route');
         $route->shouldReceive('scopes')->once()->andReturn([]);
+        $route->shouldReceive('requiresAllScopes')->once()->andReturn(false);
 
         $this->assertEquals('foo', $this->provider->authenticate($request, $route));
     }
@@ -112,6 +140,7 @@ public function testUserIsResolved()
 
         $route = m::mock('Dingo\Api\Routing\Route');
         $route->shouldReceive('scopes')->once()->andReturn([]);
+        $route->shouldReceive('requiresAllScopes')->once()->andReturn(false);
 
         $this->assertEquals('foo', $this->provider->authenticate($request, $route));
     }
