Merge pull request #675 from systemli/unify-access-token-handlers

Unify Api Access Token Handlers

.env.test

@@ -24,17 +24,16 @@ WEBMAIL_URL="https://webmail.example.org"
 WKD_DIRECTORY="/tmp/.well-known/openpgpkey"
 WKD_FORMAT="advanced"
 RETENTION_API_ENABLED=true
-RETENTION_API_ACCESS_TOKEN="insecure"
+RETENTION_API_ACCESS_TOKEN="retention"
 RETENTION_API_IP_ALLOWLIST="127.0.0.1, ::1"
 KEYCLOAK_API_ENABLED=true
-KEYCLOAK_API_ACCESS_TOKEN="insecure"
+KEYCLOAK_API_ACCESS_TOKEN="keycloak"
 KEYCLOAK_API_IP_ALLOWLIST="127.0.0.1, ::1"
 POSTFIX_API_ENABLED=true
-POSTFIX_API_ACCESS_TOKEN="insecure"
+POSTFIX_API_ACCESS_TOKEN="postfix"
 POSTFIX_API_IP_ALLOWLIST="127.0.0.1, ::1"
 ROUNDCUBE_API_ENABLED=true
-ROUNDCUBE_API_ACCESS_TOKEN="insecure"
 ROUNDCUBE_API_IP_ALLOWLIST="127.0.0.1, ::1"
 DOVECOT_API_ENABLED=true
-DOVECOT_API_ACCESS_TOKEN="insecure"
+DOVECOT_API_ACCESS_TOKEN="dovecot"
 DOVECOT_API_IP_ALLOWLIST="127.0.0.1, ::1"

config/packages/security.yaml

@@ -130,31 +130,31 @@ security:
             stateless: true
             provider: retention
             access_token:
-                token_handler: App\Security\RetentionAccessTokenHandler
+                token_handler: App\Security\ApiAccessTokenHandler
         keycloak:
             pattern: ^/api/keycloak
             stateless: true
             provider: keycloak
             access_token:
-                token_handler: App\Security\KeycloakAccessTokenHandler
+                token_handler: App\Security\ApiAccessTokenHandler
         postfix:
             pattern: ^/api/postfix
             stateless: true
             provider: postfix
             access_token:
-                token_handler: App\Security\PostfixAccessTokenHandler
+                token_handler: App\Security\ApiAccessTokenHandler
+        dovecot:
+            pattern: ^/api/dovecot
+            stateless: true
+            provider: dovecot
+            access_token:
+                token_handler: App\Security\ApiAccessTokenHandler
         roundcube:
             pattern: ^/api/roundcube
             stateless: true
             provider: user
             http_basic:
                 realm: Roundcube API
-        dovecot:
-            pattern: ^/api/dovecot
-            stateless: true
-            provider: dovecot
-            access_token:
-                token_handler: App\Security\DovecotAccessTokenHandler
         main:
             pattern: ^/
             provider: user

config/services.yaml

@@ -171,21 +171,12 @@ services:
             - '@Doctrine\ORM\EntityManagerInterface'
         public: true
 
-    App\Security\RetentionAccessTokenHandler:
+    App\Security\ApiAccessTokenHandler:
         arguments:
-            $retentionAccessToken: "%env(RETENTION_API_ACCESS_TOKEN)%"
-
-    App\Security\KeycloakAccessTokenHandler:
-        arguments:
-            $keycloakApiAccessToken: "%env(KEYCLOAK_API_ACCESS_TOKEN)%"
-
-    App\Security\PostfixAccessTokenHandler:
-        arguments:
-            $postfixApiAccessToken: "%env(POSTFIX_API_ACCESS_TOKEN)%"
-
-    App\Security\DovecotAccessTokenHandler:
-        arguments:
-            $dovecotApiAccessToken: "%env(DOVECOT_API_ACCESS_TOKEN)%"
+            $accessTokenDovecot: '%env(DOVECOT_API_ACCESS_TOKEN)%'
+            $accessTokenKeycloak: '%env(KEYCLOAK_API_ACCESS_TOKEN)%'
+            $accessTokenRetention: '%env(RETENTION_API_ACCESS_TOKEN)%'
+            $accessTokenPostfix: '%env(POSTFIX_API_ACCESS_TOKEN)%'
 
     App\Sender\WelcomeMessageSender:
         public: true

src/Security/ApiAccessTokenHandler.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace App\Security;
+
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+
+class ApiAccessTokenHandler implements AccessTokenHandlerInterface
+{
+    public function __construct(
+        private string $accessTokenDovecot,
+        private string $accessTokenKeycloak,
+        private string $accessTokenPostfix,
+        private string $accessTokenRetention,
+    ) {}
+
+    public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge
+    {
+        switch ($accessToken) {
+            case $this->accessTokenDovecot:
+                return new UserBadge('dovecot');
+            case $this->accessTokenKeycloak:
+                return new UserBadge('keycloak');
+            case $this->accessTokenRetention:
+                return new UserBadge('retention');
+            case $this->accessTokenPostfix:
+                return new UserBadge('postfix');
+            default:
+                throw new BadCredentialsException('Invalid access token');
+        }
+    }
+}

tests/Controller/DovecotControllerTest.php

@@ -9,7 +9,7 @@ class DovecotControllerTest extends WebTestCase
     public function testStatus(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('GET', '/api/dovecot/status');
 
@@ -29,7 +29,7 @@ public function testStatusWrongApiToken(): void
     public function testPassdbUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('POST', '/api/dovecot/[email protected]', ['password' => 'password']);
 
@@ -39,7 +39,7 @@ public function testPassdbUser(): void
     public function testPassdbUserWrongPassword(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('POST', '/api/dovecot/[email protected]', ['password' => 'wrong']);
 
@@ -49,7 +49,7 @@ public function testPassdbUserWrongPassword(): void
     public function testPassdbNonexistentUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('POST', '/api/dovecot/[email protected]', ['password' => 'password']);
 
@@ -59,7 +59,7 @@ public function testPassdbNonexistentUser(): void
     public function testPassdbSpamUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('POST', '/api/dovecot/[email protected]', ['password' => 'password']);
 
@@ -69,7 +69,7 @@ public function testPassdbSpamUser(): void
     public function testPassdbMailCrypt(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('POST', '/api/dovecot/[email protected]', ['password' => 'password']);
 
@@ -82,7 +82,7 @@ public function testPassdbMailCrypt(): void
     public function testUserdbUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('GET', '/api/dovecot/[email protected]');
 
@@ -96,13 +96,12 @@ public function testUserdbUser(): void
         self::assertIsInt($data['body']['gid']);
         self::assertIsInt($data['body']['uid']);
         self::assertNotEquals($data['body']['home'], '');
-
     }
 
     public function testUserdbMailcrypt(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('GET', '/api/dovecot/[email protected]');
 
@@ -119,7 +118,7 @@ public function testUserdbMailcrypt(): void
     public function testUserdbNonexistentUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('GET', '/api/dovecot/[email protected]');
 
@@ -130,7 +129,7 @@ public function testUserdbNonexistentUser(): void
     public function testUserdbSpamUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer dovecot',
         ]);
         $client->request('GET', '/api/dovecot/[email protected]');
 

tests/Controller/KeycloakControllerTest.php

@@ -20,7 +20,7 @@ public function testGetUsersSearchWrongApiToken(): void
     public function testGetUsersSearch(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('GET', '/api/keycloak/example.org?search=example&max=2');
 
@@ -37,7 +37,7 @@ public function testGetUsersSearch(): void
     public function testGetUsersSearchNonexistentDomain(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('GET', '/api/keycloak/nonexistent.org?search=example&max=2');
 
@@ -47,7 +47,7 @@ public function testGetUsersSearchNonexistentDomain(): void
     public function testGetUsersCount(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('GET', '/api/keycloak/example.org/count');
 
@@ -60,7 +60,7 @@ public function testGetUsersCount(): void
     public function testGetOneUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('GET', '/api/keycloak/example.org/user/[email protected]');
 
@@ -74,7 +74,7 @@ public function testGetOneUser(): void
     public function testGetOneNonexistentUser(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('GET', '/api/keycloak/example.org/user/[email protected]');
 
@@ -84,7 +84,7 @@ public function testGetOneNonexistentUser(): void
     public function testPostUserValidate(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('POST', '/api/keycloak/example.org/validate/[email protected]', ['credentialType' => 'password', 'password' => 'password']);
 
@@ -114,7 +114,7 @@ public function testPostUserValidate(): void
     public function testPostUserValidateOTP(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('POST', '/api/keycloak/example.org/validate/[email protected]', ['credentialType' => 'otp', 'password' => '123456']);
         self::assertResponseStatusCodeSame(403);
@@ -131,7 +131,7 @@ public function testPostUserValidateOTP(): void
     public function testGetIsConfiguredFor(): void
     {
         $client = static::createClient([], [
-            'HTTP_Authorization' => 'Bearer insecure',
+            'HTTP_Authorization' => 'Bearer keycloak',
         ]);
         $client->request('GET', '/api/keycloak/example.org/configured/otp/[email protected]');
         self::assertResponseStatusCodeSame(404);