Merge pull request #788 from lcobucci/4.0.x-merge-up-into-4.1.x_7QZpeQfq

Merge release 4.0.4 into 4.1.x

composer.json

@@ -29,7 +29,7 @@
         "infection/infection": "^0.21",
         "lcobucci/coding-standard": "^6.0",
         "mikey179/vfsstream": "^1.6.7",
-        "phpbench/phpbench": "^1.0@alpha",
+        "phpbench/phpbench": "^1.0",
         "phpstan/extension-installer": "^1.0",
         "phpstan/phpstan": "^0.12",
         "phpstan/phpstan-deprecation-rules": "^0.12",

docs/configuration.md

@@ -41,10 +41,8 @@ Or provide a file path:
 
 ```php
 use Lcobucci\JWT\Signer\Key\InMemory;
-use Lcobucci\JWT\Signer\Key\LocalFileReference;
 
 $key = InMemory::file(__DIR__ . '/path-to-my-key-stored-in-a-file.pem'); // this reads the file and keeps its contents in memory
-$key = LocalFileReference::file(__DIR__ . '/path-to-my-key-stored-in-a-file.pem'); // this just keeps a reference to file
 ```
 
 #### For symmetric algorithms
@@ -78,13 +76,12 @@ This means that it's fine to distribute your **public key**. However, the **priv
 ```php
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer;
-use Lcobucci\JWT\Signer\Key\LocalFileReference;
 use Lcobucci\JWT\Signer\Key\InMemory;
 
 $configuration = Configuration::forAsymmetricSigner(
     // You may use RSA or ECDSA and all their variations (256, 384, and 512) and EdDSA over Curve25519
     new Signer\Rsa\Sha256(),
-    LocalFileReference::file(__DIR__ . '/my-private-key.pem'),
+    InMemory::file(__DIR__ . '/my-private-key.pem'),
     InMemory::base64Encoded('mBC5v1sOKVvbdEitdSBenu59nfNfhwkedkJVNabosTw=')
     // You may also override the JOSE encoder/decoder if needed by providing extra arguments here
 );

docs/upgrading.md

@@ -96,9 +96,8 @@ You can find more information on how to use the configuration object, [here](con
 ### Use new `Key` objects
 
 `Lcobucci\JWT\Signer\Key` has been converted to an interface in `v4.0`.
-We provide two new implementations: `Lcobucci\JWT\Signer\Key\InMemory` and `Lcobucci\JWT\Signer\Key\LocalFileReference`.
 
-`Lcobucci\JWT\Signer\Key\InMemory` is a drop-in replacement of the behaviour for `Lcobucci\JWT\Signer\Key` in `v3.x`.
+We provide `Lcobucci\JWT\Signer\Key\InMemory`, a drop-in replacement of the behaviour for `Lcobucci\JWT\Signer\Key` in `v3.x`.
 You will need to pick the appropriated named constructor to migrate your code:
 
 ```diff

phpbench.json

@@ -1,8 +1,4 @@
 {
-    "bootstrap": "vendor/autoload.php",
-    "path": "test/performance",
-
-    "extensions": [
-        "PhpBench\\Extensions\\XDebug\\XDebugExtension"
-    ]
+    "runner.bootstrap": "vendor/autoload.php",
+    "runner.path": "test/performance"
 }

phpstan.neon.dist

@@ -6,3 +6,4 @@ parameters:
 
     ignoreErrors:
         - '#.*OpenSSLAsymmetricKey.*#'
+        - '#Call to method .* of deprecated class Lcobucci\\JWT\\Signer\\Key\\LocalFileReference#'

src/Signer/Key/LocalFileReference.php

@@ -9,12 +9,14 @@
 use function strpos;
 use function substr;
 
+/** @deprecated please use {@see InMemory} instead */
 final class LocalFileReference implements Key
 {
     private const PATH_PREFIX = 'file://';
 
     private string $path;
     private string $passphrase;
+    private string $contents;
 
     private function __construct(string $path, string $passphrase)
     {
@@ -38,7 +40,11 @@ public static function file(string $path, string $passphrase = ''): self
 
     public function contents(): string
     {
-        return self::PATH_PREFIX . $this->path;
+        if (! isset($this->contents)) {
+            $this->contents = InMemory::file($this->path)->contents();
+        }
+
+        return $this->contents;
     }
 
     public function passphrase(): string

test/functional/HmacTokenTest.php

@@ -7,12 +7,17 @@
 use Lcobucci\JWT\Signer\Hmac\Sha256;
 use Lcobucci\JWT\Signer\Hmac\Sha512;
 use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Key\LocalFileReference;
 use Lcobucci\JWT\Token;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
 use PHPUnit\Framework\TestCase;
 
 use function assert;
+use function file_put_contents;
+use function is_string;
+use function sys_get_temp_dir;
+use function tempnam;
 
 /**
  * @covers \Lcobucci\JWT\Configuration
@@ -132,4 +137,39 @@ public function everythingShouldWorkWhenUsingATokenGeneratedByOtherLibs(): void
         self::assertTrue($this->config->validator()->validate($token, $constraint));
         self::assertEquals('world', $token->claims()->get('hello'));
     }
+
+    /** @test */
+    public function signatureValidationWithLocalFileKeyReferenceWillOperateWithKeyContents(): void
+    {
+        $key = tempnam(sys_get_temp_dir(), 'key');
+        assert(is_string($key));
+
+        file_put_contents($key, 'just a dummy key');
+
+        $validKey      = LocalFileReference::file($key);
+        $invalidKey    = InMemory::plainText('file://' . $key);
+        $signer        = new Sha256();
+        $configuration = Configuration::forSymmetricSigner($signer, $validKey);
+        $validator     = $configuration->validator();
+
+        $token = $configuration->builder()
+            ->withClaim('foo', 'bar')
+            ->getToken($configuration->signer(), $configuration->signingKey());
+
+        self::assertFalse(
+            $validator->validate(
+                $token,
+                new SignedWith($signer, $invalidKey)
+            ),
+            'Token cannot be validated against the **path** of the key'
+        );
+
+        self::assertTrue(
+            $validator->validate(
+                $token,
+                new SignedWith($signer, $validKey)
+            ),
+            'Token can be validated against the **contents** of the key'
+        );
+    }
 }

test/unit/Signer/EcdsaTest.php

@@ -56,6 +56,7 @@ private function getSigner(): Ecdsa
      *
      * @uses \Lcobucci\JWT\Signer\Ecdsa::__construct
      * @uses \Lcobucci\JWT\Signer\Key\LocalFileReference
+     * @uses \Lcobucci\JWT\Signer\Key\InMemory
      */
     public function signShouldReturnTheAHashBasedOnTheOpenSslSignature(): void
     {
@@ -88,6 +89,7 @@ public function signShouldReturnTheAHashBasedOnTheOpenSslSignature(): void
      *
      * @uses \Lcobucci\JWT\Signer\Ecdsa::__construct
      * @uses \Lcobucci\JWT\Signer\Key\LocalFileReference
+     * @uses \Lcobucci\JWT\Signer\Key\InMemory
      */
     public function verifyShouldDelegateToEcdsaSignerUsingPublicKey(): void
     {

test/unit/Signer/Key/LocalFileReferenceTest.php

@@ -6,7 +6,11 @@
 use org\bovigo\vfs\vfsStream;
 use PHPUnit\Framework\TestCase;
 
-/** @coversDefaultClass \Lcobucci\JWT\Signer\Key\LocalFileReference */
+/**
+ * @coversDefaultClass \Lcobucci\JWT\Signer\Key\LocalFileReference
+ *
+ * @uses \Lcobucci\JWT\Signer\Key\InMemory
+ */
 final class LocalFileReferenceTest extends TestCase
 {
     /** @before */
@@ -33,20 +37,6 @@ public function thereShouldBeNoReferenceToAFileThatDoesNotExist(): void
         LocalFileReference::file(vfsStream::url('root/test2.pem'));
     }
 
-    /**
-     * @test
-     *
-     * @covers ::file
-     * @covers ::__construct
-     * @covers ::contents
-     */
-    public function pathShouldBeNormalised(): void
-    {
-        $key = LocalFileReference::file('file://' . vfsStream::url('root/test.pem'));
-
-        self::assertSame('file://vfs://root/test.pem', $key->contents());
-    }
-
     /**
      * @test
      *
@@ -55,11 +45,11 @@ public function pathShouldBeNormalised(): void
      * @covers ::contents
      * @covers ::passphrase
      */
-    public function contentsShouldReturnOnlyTheReferenceToTheFile(): void
+    public function pathShouldBeNormalised(): void
     {
-        $key = LocalFileReference::file(vfsStream::url('root/test.pem'), 'test');
+        $key = LocalFileReference::file('file://' . vfsStream::url('root/test.pem'), 'test');
 
-        self::assertSame('file://vfs://root/test.pem', $key->contents());
+        self::assertSame('testing', $key->contents());
         self::assertSame('test', $key->passphrase());
     }
 }

test/unit/Signer/RsaTest.php

@@ -30,6 +30,7 @@ final class RsaTest extends TestCase
      * @covers \Lcobucci\JWT\Signer\OpenSSL
      *
      * @uses \Lcobucci\JWT\Signer\Key\LocalFileReference
+     * @uses \Lcobucci\JWT\Signer\Key\InMemory
      */
     public function signShouldReturnAValidOpensslSignature(): void
     {
@@ -100,6 +101,7 @@ public function signShouldRaiseAnExceptionWhenKeyIsNotParseable(): void
      * @covers \Lcobucci\JWT\Signer\InvalidKeyProvided
      *
      * @uses \Lcobucci\JWT\Signer\Key\LocalFileReference
+     * @uses \Lcobucci\JWT\Signer\Key\InMemory
      */
     public function signShouldRaiseAnExceptionWhenKeyTypeIsNotRsa(): void
     {
@@ -119,6 +121,7 @@ public function signShouldRaiseAnExceptionWhenKeyTypeIsNotRsa(): void
      * @covers \Lcobucci\JWT\Signer\OpenSSL
      *
      * @uses \Lcobucci\JWT\Signer\Key\LocalFileReference
+     * @uses \Lcobucci\JWT\Signer\Key\InMemory
      */
     public function verifyShouldReturnTrueWhenSignatureIsValid(): void
     {
@@ -161,6 +164,7 @@ public function verifyShouldRaiseAnExceptionWhenKeyIsNotParseable(): void
      * @covers \Lcobucci\JWT\Signer\InvalidKeyProvided
      *
      * @uses \Lcobucci\JWT\Signer\Key\LocalFileReference
+     * @uses \Lcobucci\JWT\Signer\Key\InMemory
      */
     public function verifyShouldRaiseAnExceptionWhenKeyTypeIsNotRsa(): void
     {