use dedicated 'insecure' param

do not rely on the `debug=>true` setting in config php to avoid side effects Signed-off-by: Jörn Friedrich Dreyer <[email protected]> update tests Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
owncloud · Jul 27, 2020 · faea507 · faea507
1 parent f7476bc
commit faea507
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -8,9 +8,9 @@ For development purpose APCu is reasonable as well.
 Please follow the [documentation on how to set up caching](https://doc.owncloud.org/server/admin_manual/configuration/server/caching_configuration.html#supported-caching-backends).
 
 ### Setup config.php
-The OpenId integration is established by entering the parameters below to the 
+The OpenId integration is established by entering the parameters below to the
 ownCloud configuration file.
-_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId 
+_provider-url_, _client-id_ and _client-secret- are to be taken from the OpenId
 Provider setup.
 _loginButtonName_ can be chosen freely depending on the installation.
 
@@ -55,12 +55,12 @@ $CONFIG = [
 ### Setup within the OpenId Provider
 When registering ownCloud as OpenId Client use ```https://cloud.example.net/index.php/apps/openidconnect/redirect``` as redirect url .
 
-In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html) 
+In case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
 is supported please enter ```https://cloud.example.net/index.php/apps/openidconnect/logout``` as logout url within the client registration of the OpenId Provider.
 We require ```frontchannel_logout_session_required``` to be true.
 
 ### Setup service discovery
-In order to allow other clients to use OpenID Connect when talking to ownCloud please setup 
+In order to allow other clients to use OpenID Connect when talking to ownCloud please setup
 a redirect on the web server to point .well-known/openid-configuration to /index.php/apps/openidconnect/config
 
 This is an .htaccess example
@@ -104,14 +104,16 @@ To set it up locally do the following:
           'loginButtonName' => 'node-oidc-provider',
           'mode' => 'userid',
           'search-attribute' => 'sub',
-          'use-token-introspection-endpoint' => true
+          'use-token-introspection-endpoint' => true,
+          // do not verify tls host or peer
+          'insecure' => true
       ],
     ];
-    
+
     ```
 8. Clients can now use http://localhost:3000/.well-known/openid-configuration to obtain all information which is necessary
 to initiate the OpenId Connect flow. Use the granted access token in any request to ownCloud within a bearer authentication header.
-9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP.  
+9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP.
 Keep in mind that by default, oidc app will search for the `email` attribute - which is hardcoded to `[email protected]` [ref](https://github.com/panva/node-oidc-provider/blob/master/example/support/account.js#L32)
 If you wish to map the login name on the oidc-provider with owncloud user ids, you can configure it as following:
 ```

diff --git a/lib/Client.php b/lib/Client.php
@@ -66,7 +66,8 @@ public function __construct(IConfig $config,
 		$scopes = $openIdConfig['scopes'] ?? ['openid', 'profile', 'email'];
 		$this->addScope($scopes);
 
-		if ($this->config->getSystemValue('debug', false)) {
+		$insecure = $openIdConfig['insecure'] ?? false;
+		if ($insecure) {
 			$this->setVerifyHost(false);
 			$this->setVerifyPeer(false);
 		}

diff --git a/tests/unit/ClientTest.php b/tests/unit/ClientTest.php
@@ -75,21 +75,44 @@ public function testGetWellKnown(): void {
 
 	public function testCtor(): void {
 		$providerUrl = 'https://example.net';
-		$debug = true;
 
-		$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($debug, $providerUrl) {
+		$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) {
 			if ($key === 'openid-connect') {
 				return [
 					'provider-url' => $providerUrl,
 					'client-id' => 'client-id',
 					'client-secret' => 'secret',
 					'scopes' => ['openid', 'profile'],
 					'provider-params' => ['bar'],
-					'auth-params' => ['foo']
+					'auth-params' => ['foo'],
 				];
 			}
-			if ($key === 'debug') {
-				return $debug;
+			throw new \InvalidArgumentException("Unexpected key: $key");
+		});
+		$this->client = $this->getMockBuilder(Client::class)
+			->setConstructorArgs([$this->config, $this->urlGenerator, $this->session])
+			->setMethods(['fetchURL'])
+			->getMock();
+
+		self::assertEquals($providerUrl, $this->client->getProviderURL());
+		self::assertEquals(true, $this->client->getVerifyHost());
+		self::assertEquals(true, $this->client->getVerifyPeer());
+	}
+
+	public function testCtorInsecure(): void {
+		$providerUrl = 'https://example.net';
+
+		$this->config->method('getSystemValue')->willReturnCallback(static function ($key) use ($providerUrl) {
+			if ($key === 'openid-connect') {
+				return [
+					'provider-url' => $providerUrl,
+					'client-id' => 'client-id',
+					'client-secret' => 'secret',
+					'scopes' => ['openid', 'profile'],
+					'provider-params' => ['bar'],
+					'auth-params' => ['foo'],
+					'insecure' => true
+				];
 			}
 			throw new \InvalidArgumentException("Unexpected key: $key");
 		});