feat(auth/oidc): wider key algorithm support

.gitignore

@@ -8,10 +8,10 @@ Homestead.yaml
 .idea
 npm-debug.log
 yarn-error.log
-/public/dist/*.map
+/public/dist
 /public/plugins
-/public/css/*.map
-/public/js/*.map
+/public/css
+/public/js
 /public/bower
 /public/build/
 /public/favicon.ico

app/Access/Oidc/OidcJwtSigningKey.php

@@ -2,6 +2,7 @@
 
 namespace BookStack\Access\Oidc;
 
+use Illuminate\Support\Facades\Log;
 use phpseclib3\Crypt\Common\PublicKey;
 use phpseclib3\Crypt\PublicKeyLoader;
 use phpseclib3\Crypt\RSA;
@@ -63,8 +64,9 @@ class OidcJwtSigningKey
         // 'alg' is optional for a JWK, but we will still attempt to validate if
         // it exists otherwise presume it will be compatible.
         $alg = $jwk['alg'] ?? null;
-        if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
-            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
+        $algorithm = OidcJwtSigningKeyAlgorithm::tryFrom($alg ?? OidcJwtSigningKeyAlgorithm::RS256->value);
+        if ($jwk['kty'] !== 'RSA' || $algorithm === null) {
+            throw new OidcInvalidKeyException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " keys are currently supported. Found key using {$alg}");
         }
 
         // 'use' is optional for a JWK but we assume 'sig' where no value exists since that's what
@@ -97,7 +99,16 @@ class OidcJwtSigningKey
             throw new OidcInvalidKeyException('Key loaded from file path is not an RSA key as expected');
         }
 
-        $this->key = $key->withPadding(RSA::SIGNATURE_PKCS1);
+        // apply key-algorithm depending hash
+        $key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256 => $key->withHash('sha256'),
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withHash('sha512'),
+        };
+        // apply key-algorithm depending padding
+        $this->key = match ($algorithm) {
+            OidcJwtSigningKeyAlgorithm::RS256,
+            OidcJwtSigningKeyAlgorithm::RS512 => $key->withPadding(RSA::SIGNATURE_PKCS1),
+        };
     }
 
     /**

app/Access/Oidc/OidcJwtSigningKeyAlgorithm.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace BookStack\Access\Oidc;
+
+use UnitEnum;
+
+enum OidcJwtSigningKeyAlgorithm: string
+{
+    case RS256 = 'RS256';
+    case RS512 = 'RS512';
+
+    public static function getSupportedAlgorithms(): string
+    {
+        return join(',', array_map(static fn (UnitEnum $enum) => $enum->value, self::cases()));
+    }
+}

app/Access/Oidc/OidcJwtWithClaims.php

@@ -119,8 +119,8 @@ class OidcJwtWithClaims implements ProvidesClaims
      */
     protected function validateTokenSignature(): void
     {
-        if ($this->header['alg'] !== 'RS256') {
-            throw new OidcInvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
+        if (OidcJwtSigningKeyAlgorithm::tryFrom($this->header['alg']) === null) {
+            throw new OidcInvalidTokenException("Only " . OidcJwtSigningKeyAlgorithm::getSupportedAlgorithms() . " signature validation is supported. Token reports using {$this->header['alg']}");
         }
 
         $parsedKeys = array_map(function ($key) {

app/Access/Oidc/OidcProviderSettings.php

@@ -158,10 +158,10 @@ class OidcProviderSettings
     protected function filterKeys(array $keys): array
     {
         return array_filter($keys, function (array $key) {
-            $alg = $key['alg'] ?? 'RS256';
+            $alg = $key['alg'] ?? OidcJwtSigningKeyAlgorithm::RS256->value;
             $use = $key['use'] ?? 'sig';
 
-            return $key['kty'] === 'RSA' && $use === 'sig' && $alg === 'RS256';
+            return $key['kty'] === 'RSA' && $use === 'sig' && OidcJwtSigningKeyAlgorithm::tryFrom($alg) !== null;
         });
     }
 

app/Entities/Models/Book.php

@@ -67,7 +67,8 @@ class Book extends Entity implements HasDescriptionInterface, HasCoverInterface,
      */
     public function chapters(): HasMany
     {
-        return $this->hasMany(Chapter::class);
+        return $this->hasMany(Chapter::class)
+            ->where('type', '=', 'chapter');
     }
 
     /**

app/Entities/Models/EntityScope.php

@@ -15,12 +15,11 @@ class EntityScope implements Scope
     public function apply(Builder $builder, Model $model): void
     {
         $builder = $builder->where('type', '=', $model->getMorphClass());
-        $table = $model->getTable();
         if ($model instanceof Page) {
-            $builder->leftJoin('entity_page_data', 'entity_page_data.page_id', '=', "{$table}.id");
+            $builder->leftJoin('entity_page_data', 'entity_page_data.page_id', '=', 'entities.id');
         } else {
-            $builder->leftJoin('entity_container_data', function (JoinClause $join) use ($model, $table) {
-                $join->on('entity_container_data.entity_id', '=', "{$table}.id")
+            $builder->leftJoin('entity_container_data', function (JoinClause $join) use ($model) {
+                $join->on('entity_container_data.entity_id', '=', 'entities.id')
                     ->where('entity_container_data.entity_type', '=', $model->getMorphClass());
             });
         }

dev/checksums/vendor

@@ -1 +1 @@
-81365d3eef5263a8d55d49cab0077084dee6992a13714f6acdcb97aec5fd70c6
+22e02ee72d21ff719c1073abbec8302f8e2096ba6d072e133051064ed24b45b1

dev/docker/db-testing/Dockerfile

@@ -1,30 +0,0 @@
-FROM ubuntu:24.04
-
-# Install additional dependencies
-RUN apt-get update && \
-    apt-get install -y \
-        git \
-		wget \
-        zip \
-        unzip \
-		php \
-		php-bcmath php-curl php-mbstring php-gd php-xml php-zip php-mysql php-ldap \
-       && \
-    rm -rf /var/lib/apt/lists/*
-
-# Take branch as an argument so we can choose which BookStack
-# branch to test against
-ARG BRANCH=development
-
-# Download BookStack & install PHP deps
-RUN mkdir -p /var/www && \
-    git clone https://github.com/bookstackapp/bookstack.git --branch "$BRANCH" --single-branch /var/www/bookstack && \
-    cd /var/www/bookstack && \	
-   wget https://raw.githubusercontent.com/composer/getcomposer.org/f3108f64b4e1c1ce6eb462b159956461592b3e3e/web/installer -O - -q | php -- --quiet --filename=composer && \
-    php composer install
-
-# Set the BookStack dir as the default working dir
-WORKDIR /var/www/bookstack
-
-# Set the default action as running php
-ENTRYPOINT ["/bin/php"]

dev/docker/db-testing/run.sh

@@ -1,57 +0,0 @@
-#!/bin/bash
-
-BRANCH=${1:-development}
-
-# Build the container with a known name
-docker build --build-arg BRANCH="$BRANCH" -t bookstack:db-testing .
-if [ $? -eq 1 ]; then
-  echo "Failed to build app container for testing"
-  exit 1
-fi
-
-# List of database containers to test against
-containers=(
-  "mysql:5.7"
-  "mysql:8.0"
-  "mysql:8.4"
-  "mysql:9.5"
-  "mariadb:10.2"
-  "mariadb:10.6"
-  "mariadb:10.11"
-  "mariadb:11.4"
-  "mariadb:11.8"
-  "mariadb:12.0"
-)
-
-# Pre-clean-up from prior runs
-docker stop bs-dbtest-db
-docker network rm bs-dbtest-net
-
-# Cycle over each database image
-for img in "${containers[@]}"; do
-  echo "Starting tests with $img..."
-  docker network create bs-dbtest-net
-  docker run -d --rm --name "bs-dbtest-db" \
-    -e MYSQL_DATABASE=bookstack-test \
-    -e MYSQL_USER=bookstack \
-    -e MYSQL_PASSWORD=bookstack \
-    -e MYSQL_ROOT_PASSWORD=password \
-	  --network=bs-dbtest-net \
-    "$img"
-  sleep 20
-  APP_RUN='docker run -it --rm --network=bs-dbtest-net -e TEST_DATABASE_URL="mysql://bookstack:bookstack@bs-dbtest-db:3306" bookstack:db-testing'
-  $APP_RUN artisan migrate --force --database=mysql_testing
-  $APP_RUN artisan db:seed --force --class=DummyContentSeeder --database=mysql_testing
-  $APP_RUN vendor/bin/phpunit
-  if [ $? -eq 0 ]; then
-    echo "$img - Success"
-  else
-    echo "$img - Error"
-    read -p "Stop script? [y/N] " ans
-    [[ $ans == [yY] ]] && exit 0
-  fi
-
-  docker stop "bs-dbtest-db"
-  docker network rm bs-dbtest-net
-done
-

tests/Entity/EntityQueryTest.php

@@ -1,44 +0,0 @@
-<?php
-
-namespace Entity;
-
-use BookStack\Entities\Models\Book;
-use Illuminate\Database\Eloquent\Builder;
-use Tests\TestCase;
-
-class EntityQueryTest extends TestCase
-{
-    public function test_basic_entity_query_has_join_and_type_applied()
-    {
-        $query = Book::query();
-        $expected = 'select * from `entities` left join `entity_container_data` on `entity_container_data`.`entity_id` = `entities`.`id` and `entity_container_data`.`entity_type` = ? where `type` = ? and `entities`.`deleted_at` is null';
-        $this->assertEquals($expected, $query->toSql());
-        $this->assertEquals(['book', 'book'], $query->getBindings());
-    }
-
-    public function test_joins_in_sub_queries_use_alias_names()
-    {
-        $query = Book::query()->whereHas('chapters', function (Builder $query) {
-            $query->where('name', '=', 'a');
-        });
-
-        // Probably from type limits on relation where not needed?
-        $expected = 'select * from `entities` left join `entity_container_data` on `entity_container_data`.`entity_id` = `entities`.`id` and `entity_container_data`.`entity_type` = ? where exists (select * from `entities` as `laravel_reserved_%d` left join `entity_container_data` on `entity_container_data`.`entity_id` = `laravel_reserved_%d`.`id` and `entity_container_data`.`entity_type` = ? where `entities`.`id` = `laravel_reserved_%d`.`book_id` and `name` = ? and `type` = ? and `laravel_reserved_%d`.`deleted_at` is null) and `type` = ? and `entities`.`deleted_at` is null';
-        $this->assertStringMatchesFormat($expected, $query->toSql());
-        $this->assertEquals(['book', 'chapter', 'a', 'chapter', 'book'], $query->getBindings());
-    }
-
-    public function test_book_chapter_relation_applies_type_condition()
-    {
-        $book = $this->entities->book();
-        $query = $book->chapters();
-        $expected = 'select * from `entities` left join `entity_container_data` on `entity_container_data`.`entity_id` = `entities`.`id` and `entity_container_data`.`entity_type` = ? where `entities`.`book_id` = ? and `entities`.`book_id` is not null and `type` = ? and `entities`.`deleted_at` is null';
-        $this->assertEquals($expected, $query->toSql());
-        $this->assertEquals(['chapter', $book->id, 'chapter'], $query->getBindings());
-
-        $query = Book::query()->whereHas('chapters');
-        $expected = 'select * from `entities` left join `entity_container_data` on `entity_container_data`.`entity_id` = `entities`.`id` and `entity_container_data`.`entity_type` = ? where exists (select * from `entities` as `laravel_reserved_%d` left join `entity_container_data` on `entity_container_data`.`entity_id` = `laravel_reserved_%d`.`id` and `entity_container_data`.`entity_type` = ? where `entities`.`id` = `laravel_reserved_%d`.`book_id` and `type` = ? and `laravel_reserved_%d`.`deleted_at` is null) and `type` = ? and `entities`.`deleted_at` is null';
-        $this->assertStringMatchesFormat($expected, $query->toSql());
-        $this->assertEquals(['book', 'chapter', 'chapter', 'book'], $query->getBindings());
-    }
-}

tests/Uploads/ImageTest.php

@@ -73,10 +73,6 @@ class ImageTest extends TestCase
 
     public function test_image_display_thumbnail_generation_for_animated_avif_images_uses_original_file()
     {
-        if (! function_exists('imageavif')) {
-            $this->markTestSkipped('imageavif() is not available');
-        }
-
         $page = $this->entities->page();
         $admin = $this->users->admin();
         $this->actingAs($admin);

version

@@ -1 +1 @@
-v25.11.1
+v25.02-dev