Reduced OpenID log noise

* added a base class for all openid exceptions
* moved invalid assoc exception from 500 to 400
* fixed bug on openid mememto request

Change-Id: I82d7c2077f1bd507b37ad3561fea924fb87d5353

app/Http/Controllers/OAuth2/OAuth2ProviderController.php

@@ -125,7 +125,7 @@ final class OAuth2ProviderController extends Controller
                 'errors.400',
                 array
                 (
-                    'error_code'        => "Generic Error",
+                    'error_code'        => "Bad Request",
                     'error_description' => "Generic Error"
                 ),
                 400

app/Http/Controllers/OpenId/OpenIdProviderController.php

@@ -15,7 +15,10 @@
 use App\Http\Controllers\Controller;
 use Exception;
 use Illuminate\Support\Facades\Input;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Response;
 use OpenId\Exceptions\InvalidOpenIdMessageException;
+use OpenId\Exceptions\OpenIdBaseException;
 use OpenId\Helpers\OpenIdErrorMessages;
 use OpenId\IOpenIdProtocol;
 use OpenId\OpenIdMessage;
@@ -55,22 +58,50 @@ class OpenIdProviderController extends Controller
      */
     public function endpoint()
     {
-        $msg = new OpenIdMessage(Input::all());
+        try {
+            $msg = new OpenIdMessage(Input::all());
 
-        if ($this->memento_service->exists()) {
-            $msg = OpenIdMessage::buildFromMemento($this->memento_service->load());
+            if (!$msg->isValid() && $this->memento_service->exists()) {
+                $msg = OpenIdMessage::buildFromMemento($this->memento_service->load());
+            }
+
+            if (!$msg->isValid())
+                throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdMessage);
+
+            //get response and manage it taking in consideration its type (direct or indirect)
+            $response = $this->openid_protocol->handleOpenIdMessage($msg);
+
+            if ($response instanceof OpenIdResponse) {
+                $strategy = OpenIdResponseStrategyFactoryMethod::buildStrategy($response);
+                return $strategy->handle($response);
+            }
+            return $response;
         }
-
-        if (!$msg->isValid())
-            throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdMessage);
-
-        //get response and manage it taking in consideration its type (direct or indirect)
-        $response = $this->openid_protocol->handleOpenIdMessage($msg);
-
-        if ($response instanceof OpenIdResponse) {
-            $strategy = OpenIdResponseStrategyFactoryMethod::buildStrategy($response);
-            return $strategy->handle($response);
+        catch(OpenIdBaseException $ex1){
+            Log::warning($ex1);
+            return Response::view
+            (
+                'errors.400',
+                array
+                (
+                    'error_code'        => "Bad Request",
+                    'error_description' => $ex1->getMessage()
+                ),
+                400
+            );
+        }
+        catch(Exception $ex){
+            Log::error($ex);
+            return Response::view
+            (
+                'errors.400',
+                array
+                (
+                    'error_code'        => "Bad Request",
+                    'error_description' => "Generic Error"
+                ),
+                400
+            );
         }
-        return $response;
     }
 }

app/libs/OpenId/Exceptions/InvalidAssociation.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidAssociation
  * @package OpenId\Exceptions
  */
-class InvalidAssociation extends Exception {
+class InvalidAssociation extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/InvalidAssociationTypeException.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidAssociationTypeException
  * @package OpenId\Exceptions
  */
-class InvalidAssociationTypeException extends Exception {
+class InvalidAssociationTypeException extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/InvalidDHParam.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidDHParam
  * @package OpenId\Exceptions
  */
-class InvalidDHParam extends Exception {
+class InvalidDHParam extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/InvalidKVFormat.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidKVFormat
  * @package OpenId\Exceptions
  */
-class InvalidKVFormat extends Exception {
+class InvalidKVFormat extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/InvalidNonce.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidNonce
  * @package OpenId\Exceptions
  */
-class InvalidNonce extends Exception {
+class InvalidNonce extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/InvalidOpenIdAuthenticationRequestMode.php

@@ -11,23 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
- * Copyright 2016 OpenStack Foundation
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- **//**
  * Class InvalidOpenIdAuthenticationRequestMode
  * @package OpenId\Exceptions
  */
-class InvalidOpenIdAuthenticationRequestMode extends Exception {
+class InvalidOpenIdAuthenticationRequestMode extends OpenIdBaseException {
     public function __construct($message = "")
     {
         $message = "Invalid OpenId Authentication Request Mode : " . $message;

app/libs/OpenId/Exceptions/InvalidOpenIdMessageException.php

@@ -21,6 +21,6 @@ class InvalidOpenIdMessageException extends Exception {
     public function __construct($message = "")
     {
         $message = "Invalid OpenId Message : " . $message;
-        parent::__construct($message, 0, null);
+        parent::__construct($message, 400, null);
     }
 }

app/libs/OpenId/Exceptions/InvalidOpenIdMessageMode.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidOpenIdMessageMode
  * @package OpenId\Exceptions
  */
-class InvalidOpenIdMessageMode extends Exception {
+class InvalidOpenIdMessageMode extends OpenIdBaseException {
     public function __construct($message = "")
     {
         $message = "Invalid OpenId Message Mode : " . $message;

app/libs/OpenId/Exceptions/InvalidRequestContextException.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidRequestContextException
  * @package OpenId\Exceptions
  */
-class InvalidRequestContextException extends Exception {
+class InvalidRequestContextException extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/InvalidSessionTypeException.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class InvalidSessionTypeException
  * @package OpenId\Exceptions
  */
-class InvalidSessionTypeException extends Exception {
+class InvalidSessionTypeException extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/OpenIdBaseException.php

@@ -0,0 +1,19 @@
+<?php namespace OpenId\Exceptions;
+/**
+ * Copyright 2017 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+use Exception;
+
+class OpenIdBaseException extends Exception
+{
+
+}

app/libs/OpenId/Exceptions/OpenIdCryptoException.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class OpenIdCryptoException
  * @package OpenId\Exceptions
  */
-class OpenIdCryptoException extends Exception {
+class OpenIdCryptoException extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/OpenIdInvalidRealmException.php

@@ -11,12 +11,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
 /**
  * Class OpenIdInvalidRealmException
  * @package OpenId\Exceptions
  */
-class OpenIdInvalidRealmException extends Exception {
+class OpenIdInvalidRealmException extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Exceptions/ReplayAttackException.php

@@ -11,12 +11,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
-use Exception;
+
 /**
  * Class ReplayAttackException
  * @package OpenId\Exceptions
  */
-class ReplayAttackException extends Exception {
+class ReplayAttackException extends OpenIdBaseException {
 
     public function __construct($message = "")
     {

app/libs/OpenId/Handlers/OpenIdAuthenticationRequestHandler.php

@@ -12,6 +12,7 @@
  * limitations under the License.
  **/
 use Exception;
+use OpenId\Exceptions\InvalidAssociation;
 use OpenId\Exceptions\InvalidAssociationTypeException;
 use OpenId\Exceptions\InvalidOpenIdAuthenticationRequestMode;
 use OpenId\Exceptions\InvalidOpenIdMessageException;
@@ -194,7 +195,16 @@ final class OpenIdAuthenticationRequestHandler extends OpenIdMessageHandler
                 $this->log_service->warning_msg("current request: ".$this->current_request);;
             }
             return new OpenIdIndirectGenericErrorResponse($inv_msg_ex->getMessage(), null, null, $this->current_request);
-        } catch (Exception $ex) {
+        }
+        catch(InvalidAssociation $inv_assoc_ex){
+            $this->checkpoint_service->trackException($inv_assoc_ex);
+            $this->log_service->warning($inv_assoc_ex);
+            if (!is_null($this->current_request)) {
+                $this->log_service->warning_msg("current request: ".$this->current_request);;
+            }
+            return new OpenIdIndirectGenericErrorResponse($inv_assoc_ex->getMessage(), null, null, $this->current_request);
+        }
+        catch (Exception $ex) {
             $this->checkpoint_service->trackException($ex);
             $this->log_service->error($ex);
             if (!is_null($this->current_request)) {

app/libs/OpenId/Handlers/OpenIdCheckAuthenticationRequestHandler.php

@@ -12,6 +12,7 @@
  * limitations under the License.
  **/
 use Exception;
+use OpenId\Exceptions\InvalidAssociation;
 use OpenId\Exceptions\InvalidAssociationTypeException;
 use OpenId\Exceptions\InvalidNonce;
 use OpenId\Exceptions\InvalidOpenIdMessageException;
@@ -169,19 +170,28 @@ final class OpenIdCheckAuthenticationRequestHandler extends OpenIdMessageHandler
             return $response;
         } catch (InvalidNonce $inv_nonce_ex) {
             $this->checkpoint_service->trackException($inv_nonce_ex);
-            $this->log_service->error($inv_nonce_ex);
+            $this->log_service->warning($inv_nonce_ex);
             $response = new OpenIdDirectGenericErrorResponse($inv_nonce_ex->getMessage());
             if(!is_null($this->current_request))
                 $this->log_service->warning_msg("current request: ".$this->current_request);
             return $response;
         } catch (InvalidOpenIdMessageException $inv_msg_ex) {
             $this->checkpoint_service->trackException($inv_msg_ex);
-            $this->log_service->error($inv_msg_ex);
+            $this->log_service->warning($inv_msg_ex);
             $response = new OpenIdDirectGenericErrorResponse($inv_msg_ex->getMessage());
             if(!is_null($this->current_request))
                 $this->log_service->warning_msg("current request: ".$this->current_request);
             return $response;
-        } catch (Exception $ex) {
+        }
+        catch(InvalidAssociation $inv_assoc_ex){
+            $this->checkpoint_service->trackException($inv_assoc_ex);
+            $this->log_service->warning($inv_assoc_ex);
+            $response = new OpenIdDirectGenericErrorResponse($inv_assoc_ex->getMessage());
+            if(!is_null($this->current_request))
+                $this->log_service->warning_msg("current request: ".$this->current_request);
+            return $response;
+        }
+        catch (Exception $ex) {
             $this->checkpoint_service->trackException($ex);
             $this->log_service->error($ex);
             if(!is_null($this->current_request))

tests/OpenIdProtocolTest.php

@@ -1199,4 +1199,65 @@ class OpenIdProtocolTest extends OpenStackIDBaseTest
         $this->assertTrue(strpos($content, 'http://specs.openid.net/auth/2.0/server') !== false);
     }
 
+    public function testInvalidRequestK()
+    {
+        $params = [];
+
+        $response = $this->action("POST", "OpenId\OpenIdProviderController@endpoint", $params);
+
+        $this->assertResponseStatus(400);
+
+    }
+
+    public function testInvalidAssociation()
+    {
+        //set login info
+
+        $params = array(
+            OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS)        => OpenIdProtocol::OpenID2MessageType,
+            OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode)      => OpenIdProtocol::SetupMode,
+            OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Realm)     => "https://www.newsite.com/",
+            OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo)  => "https://www.newsite.com/return_to/",
+            OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Identity)  => "http://specs.openid.net/auth/2.0/identifier_select",
+            OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ClaimedId) => "http://specs.openid.net/auth/2.0/identifier_select",
+        );
+
+        $response = $this->action("POST", "OpenId\OpenIdProviderController@endpoint", $params);
+
+        $this->assertResponseStatus(302);
+
+        $url = $response->getTargetUrl();
+
+        // post consent response ...
+
+        $consent_response = $this->call('POST', $url, array
+            (
+                'trust'  => array('AllowOnce'),
+                '_token' => Session::token()
+            )
+        );
+
+        $this->assertResponseStatus(302);
+
+        $auth_response = $this->action("GET", "OpenId\OpenIdProviderController@endpoint",
+            array(),
+            array(),
+            array(),
+            array());
+
+        $this->assertResponseStatus(302);
+
+        $openid_response = $this->parseOpenIdResponse($auth_response->getTargetUrl());
+
+        $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode)]));
+        $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS)]));
+        $this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo)]));
+
+        //http://openid.net/specs/openid-authentication-2_0.html#check_auth
+        $params   = $this->prepareCheckAuthenticationParams($openid_response);
+        $params['openid.assoc_handle'] = "FAKE";
+        $response = $this->action("POST", "OpenId\OpenIdProviderController@endpoint", $params);
+        $openid_response = $this->getOpenIdResponseLineBreak($response->getContent());
+        $this->assertResponseStatus(400);
+    }
 }