Curl Resource Request Test

src/OAuth2Demo/Server/Controllers/Resource.php

@@ -26,7 +26,9 @@ public function resource(Application $app)
         // get the oauth response (configured in src/OAuth2Demo/Server/Server.php)
         $response = $app['oauth_response'];
 
-        if (!$server->verifyResourceRequest($app['request'], $response)) {
+        $requiredScope = $app['request']->get("required_scope");
+
+        if (!$server->verifyResourceRequest($app['request'], $response, $requiredScope)) {
             return $server->getResponse();
         } else {
             // return a fake API response - not that exciting

src/OAuth2Demo/Server/Server.php

@@ -9,6 +9,8 @@
 use OAuth2\Storage\Pdo;
 use OAuth2\GrantType\AuthorizationCode;
 use OAuth2\GrantType\UserCredentials;
+use OAuth2\Storage\Memory;
+use OAuth2\Scope;
 
 class Server implements ControllerProviderInterface
 {
@@ -32,7 +34,20 @@ public function setup(Application $app)
         );
 
         // instantiate the oauth server
-        $server = new OAuth2Server($storage, array('enforce_state' => true, 'allow_implicit' => true), $grantTypes);
+        $server = new OAuth2Server ($storage, array('enforce_state' => true, 'allow_implicit' => true), $grantTypes);
+
+        $defaultScope = 'basic';
+        $supportedScopes = array(
+            "HIGH_PRIVILEGED_SCOPE",
+            "LOW_PRIVILEGED_SCOPE"
+        );
+
+        $memory = new Memory(array(
+            'default_scope' => $defaultScope,
+            'supported_scopes' => $supportedScopes
+        ));
+        $scopeUtil = new Scope($memory);
+        $server->setScopeUtil($scopeUtil);
 
         // add the server to the silex "container" so we can use it in our controllers (see src/OAuth2Demo/Server/Controllers/.*)
         $app['oauth_server'] = $server;

test/ResourceRequestTest.php

@@ -0,0 +1,68 @@
+<?php
+
+/**
+ * @author Marovelo
+ */
+class ResourceRequestTest extends \PHPUnit_Framework_TestCase {
+
+    // adjust these adresses to your local oauth server
+    const TOKEN_REQUEST_URL = "http://oauth.demo.local/lockdin/token";
+    const RESOURCE_REQUEST_URL = "http://oauth.demo.local/lockdin/resource";
+
+    /** @test */
+    public function resourceRequestFails(){
+        /* ------------ obtain Access Token -------------------------- */
+        $url = self::TOKEN_REQUEST_URL;
+        $post = true;
+        $postfields = "grant_type=password&client_id=demoapp&client_secret=demopass&username=demouser&password=testpass" .
+            "&scope=LOW_PRIVILEGED_SCOPE";
+        $user="demoapp";
+        $password="demopass";
+        $https = false;
+
+        $response = $this->request ($url, $post, $postfields, $user, $password, $https);
+        $jsonResponse = json_decode($response["content"]);
+
+        /* ------------ Resource Request -------------------------- */
+        $url = self::RESOURCE_REQUEST_URL . "?access_token=" . $jsonResponse->access_token . "&required_scope=HIGH_PRIVILEGED_SCOPE";
+        $post = false;
+        $https = false;
+
+        $response = $this->request ($url, $post, null, null, null, $https);
+        $result = $response["httpCode"];
+
+        $expected = 403;
+        $this->assertEquals($expected, $result);
+    }
+
+    public function request($url, $post = false, $postFields = "", $user = null, $password = null, $https = true){
+        $ch = curl_init();
+
+        curl_setopt($ch, CURLOPT_URL, $url);
+
+        if ($post) {
+            curl_setopt($ch, CURLOPT_POST, 1);
+            curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
+        }
+
+        if (isset($user)){
+            curl_setopt($ch, CURLOPT_USERPWD, $user . ":" . $password);
+        }
+
+        if ($https) {
+            // HTTPS settings
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+        }
+
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+
+        $response = curl_exec($ch);
+
+        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+
+        curl_close($ch);
+
+        return array("httpCode" => $httpCode, "content" => $response);
+    }
+}