From db8a49333464b69db46ca8745d7312e9e29393be Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Tue, 27 Oct 2020 04:16:10 -0700
Subject: [PATCH] dev/core#2141 - APIv4 - Validate OAuthClient.provider property

---
 .../CRM/OAuth/BAO/OAuthClient.php | 23 ++++++++
 .../Civi/Api4/Action/OAuthClient/Create.php | 20 +++++++
 .../Civi/Api4/Action/OAuthClient/Update.php | 23 ++++++++
 ext/oauth-client/Civi/Api4/OAuthClient.php | 13 +++++
 .../tests/phpunit/api/v4/OAuthClientTest.php | 53 +++++++++++++++++++
 .../phpunit/api/v4/OAuthSysTokenTest.php | 2 +
 6 files changed, 134 insertions(+)
 create mode 100644 ext/oauth-client/Civi/Api4/Action/OAuthClient/Create.php
 create mode 100644 ext/oauth-client/Civi/Api4/Action/OAuthClient/Update.php

diff --git a/ext/oauth-client/CRM/OAuth/BAO/OAuthClient.php b/ext/oauth-client/CRM/OAuth/BAO/OAuthClient.php
index 2a70e189b5..cc96ff399f 100644
--- a/ext/oauth-client/CRM/OAuth/BAO/OAuthClient.php
+++ b/ext/oauth-client/CRM/OAuth/BAO/OAuthClient.php
@@ -36,4 +36,27 @@ class CRM_OAuth_BAO_OAuthClient extends CRM_OAuth_DAO_OAuthClient {
 * return $instance;
 * }
 */
+ /**
+ * @return array
+ * ~~Ex: ['my_provider' => 'My Provider']~~
+ * Ex: ['my_provider' => 'my_provider']
+ */
+ public static function getProviders() {
+ if (!isset(Civi::$statics[__FUNCTION__])) {
+ if (!class_exists('\Civi\Api4\OAuthProvider')) {
+ return [];
+ }
+ $ps = Civi\Api4\OAuthProvider::get(FALSE)
+ ->setSelect(['name', 'title'])
+ ->execute();
+ $titles = [];
+ foreach ($ps as $p) {
+ $titles[$p['name']] = $p['name'];
+ // $titles[$p['name']] = $p['title'];
+ }
+ Civi::$statics[__FUNCTION__] = $titles;
+ }
+ return Civi::$statics[__FUNCTION__];
+ }
+
 }
diff --git a/ext/oauth-client/Civi/Api4/Action/OAuthClient/Create.php b/ext/oauth-client/Civi/Api4/Action/OAuthClient/Create.php
new file mode 100644
index 0000000000..89175a75d0
--- /dev/null
+++ b/ext/oauth-client/Civi/Api4/Action/OAuthClient/Create.php
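Review bot: The new getProviders() doc block and body carry leftover alternatives — the struck-through `~~Ex: ['my_provider' => 'My Provider']~~` line and the commented-out `// $titles[$p['name']] = $p['title'];` — which read as unfinished rather than documenting the chosen name-keyed shape; drop them and tighten the doc to `@return array<string, string> Provider names keyed by provider name, e.g. ['my_provider' => 'my_provider'].` The early `return [];` taken when `\Civi\Api4\OAuthProvider` is absent also bypasses the `Civi::$statics` cache, so the `class_exists` probe is repeated on every call; storing `[]` in the cache instead would keep both paths symmetric. An empty map makes every `provider` value fail the checks in the new Create/Update actions, which is the fail-closed direction and fine to keep, but a one-line comment stating that intent would save the next reader from treating it as an oversight.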
@@ -0,0 +1,20 @@ + PC's by default.
+ if (isset($this->values['provider'])) {
+ $ps = \CRM_OAuth_BAO_OAuthClient::getProviders();
+ if (!isset($ps[$this->values['provider']])) {
+ throw new \API_Exception("Invalid provider name: " . $this->values['provider']);
+ }
+ }
+ parent::validateValues();
+ }
+
+}
diff --git a/ext/oauth-client/Civi/Api4/Action/OAuthClient/Update.php b/ext/oauth-client/Civi/Api4/Action/OAuthClient/Update.php
new file mode 100644
index 0000000000..8131f6f0c9
--- /dev/null
+++ b/ext/oauth-client/Civi/Api4/Action/OAuthClient/Update.php
@@ -0,0 +1,23 @@ + PC's by default.
+ if (isset($this->values['provider'])) {
+ $ps = \CRM_OAuth_BAO_OAuthClient::getProviders();
+ if (!isset($ps[$this->values['provider']])) {
+ throw new \API_Exception("Invalid provider name: " . $this->values['provider']);
+ }
+ }
+
+ return $result;
+ }
+
+ }
diff --git a/ext/oauth-client/Civi/Api4/OAuthClient.php b/ext/oauth-client/Civi/Api4/OAuthClient.php
index b79d1b9b9c..ab34267e4f 100644
--- a/ext/oauth-client/Civi/Api4/OAuthClient.php
+++ b/ext/oauth-client/Civi/Api4/OAuthClient.php
@@ -1,6 +1,9 @@ setCheckPermissions($checkPermissions);
+ }
+
+ public static function update($checkPermissions = TRUE) {
+ $action = new Update(static::class, __FUNCTION__);
+ return $action->setCheckPermissions($checkPermissions);
+ }
+
 public static function permissions() {
 return [
 'meta' => ['access CiviCRM'],
diff --git a/ext/oauth-client/tests/phpunit/api/v4/OAuthClientTest.php b/ext/oauth-client/tests/phpunit/api/v4/OAuthClientTest.php
index d9edf4041c..d4107ea386 100644
--- a/ext/oauth-client/tests/phpunit/api/v4/OAuthClientTest.php
+++ b/ext/oauth-client/tests/phpunit/api/v4/OAuthClientTest.php
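Review bot: The provider check in Create.php uses `$this->values['provider']` directly as an array key and then concatenates it into the exception message, so a non-string value arriving through the API (an array, for instance) surfaces as a PHP "Illegal offset type" error or an "Array to string conversion" notice rather than the intended `API_Exception`; the identical lines appear in Update.php. Guarding the type first keeps the failure on the API error path: `$provider = $this->values['provider'];` / `if (!is_string($provider) || !isset($ps[$provider])) {` / `throw new \API_Exception('Invalid provider name');` — if echoing the rejected value back is wanted, wrap it in `json_encode()` so a non-scalar cannot break the message, and either way the `;Invalid provider;` assertions in OAuthClientTest still pass. The opening of both new files (namespace, class and method signature) is not legible in this copy of the patch, so the enclosing method is only partly visible here.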
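Review bot: In Update.php the provider check sits just before `return $result;`, and the statement that assigns `$result` is not legible in this copy of the patch; if that assignment is the parent's update call, the validation runs after the write and the invalid provider is already persisted when the exception is thrown. The rejection should happen before any row is touched — either by moving the check ahead of the parent call or by overriding `validateValues()` the way Create.php does — so that a failed update leaves the record unchanged. testUpdateBadProvider only asserts on the exception, so it would not detect this; reading the record back after the failed update would.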
@@ -39,6 +39,7 @@ class api_v4_OAuthClientTest extends \PHPUnit\Framework\TestCase implements Head
 $usePerms(['manage OAuth client']);
 $create = Civi\Api4\OAuthClient::create()->setValues([
+ 'provider' => 'test_example_1',
 'guid' => "example-id-$random" ,
 'secret' => "example-secret-$random",
 ])->execute();
@@ -61,4 +62,56 @@ class api_v4_OAuthClientTest extends \PHPUnit\Framework\TestCase implements Head
 $this->assertEquals(0, $get->count());
 }
+ public function testCreateBadProvider() {
+ $random = CRM_Utils_String::createRandom(16, CRM_Utils_String::ALPHANUMERIC);
+ $usePerms = function($ps) {
+ $base = ['access CiviCRM'];
+ \CRM_Core_Config::singleton()->userPermissionClass->permissions = array_merge($base, $ps);
+ };
+
+ $usePerms(['manage OAuth client']);
+ try {
+ Civi\Api4\OAuthClient::create()->setValues([
+ 'provider' => 'test_example_does_not_exist',
+ 'guid' => "example-id-$random" ,
+ 'secret' => "example-secret-$random",
+ ])->execute();
+ $this->fail("Expected exception: invalid provider");
+ }
+ catch (API_Exception $e) {
+ $this->assertRegExp(';Invalid provider;', $e->getMessage());
+ }
+ }
+
+ public function testUpdateBadProvider() {
+ $random = CRM_Utils_String::createRandom(16, CRM_Utils_String::ALPHANUMERIC);
+ $usePerms = function($ps) {
+ $base = ['access CiviCRM'];
+ \CRM_Core_Config::singleton()->userPermissionClass->permissions = array_merge($base, $ps);
+ };
+
+ $usePerms(['manage OAuth client']);
+ $created = Civi\Api4\OAuthClient::create()->setValues([
+ 'provider' => 'test_example_1',
+ 'guid' => "example-id-$random" ,
+ 'secret' => "example-secret-$random",
+ ])->execute();
+
+ try {
+ Civi\Api4\OAuthClient::update()
+ ->addWhere('id', '=', $created->first()['id'])
+ ->setValues(['provider' => 'test_example_does_not_exist'])
+ ->execute();
+ $this->fail("Expected exception: invalid provider");
+ }
+ catch (API_Exception $e) {
+ $this->assertRegExp(';Invalid provider;', $e->getMessage());
+ }
+
+ Civi\Api4\OAuthClient::update()
+ ->addWhere('id', '=', $created->first()['id'])
+ ->setValues(['provider:name' => 'test_example_2'])
+ ->execute();
+ }
+
 }
diff --git a/ext/oauth-client/tests/phpunit/api/v4/OAuthSysTokenTest.php b/ext/oauth-client/tests/phpunit/api/v4/OAuthSysTokenTest.php
index 7bb058a11b..1904e4ae10 100644
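Review bot: The closing `Civi\Api4\OAuthClient::update()` in testUpdateBadProvider has no assertion after it, so it only proves that the `provider:name` form does not throw; reading the record back, e.g. `$this->assertEquals('test_example_2', Civi\Api4\OAuthClient::get()->addWhere('id', '=', $created->first()['id'])->execute()->first()['provider']);`, would also pin that the pseudoconstant path stores the expected value and that the rejected update just before it left the row untouched. The `$usePerms` closure is now copied verbatim into three tests; a small private helper on the test class would remove the duplication. `assertRegExp` is deprecated in newer PHPUnit releases in favour of `assertMatchesRegularExpression`, so it is worth confirming which version the extension targets. A case that passes a non-string `provider` (an array, say) would exercise how the new validation handles malformed input, which neither new test covers.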
--- a/ext/oauth-client/tests/phpunit/api/v4/OAuthSysTokenTest.php
+++ b/ext/oauth-client/tests/phpunit/api/v4/OAuthSysTokenTest.php
@@ -40,6 +40,7 @@ class api_v4_OAuthSysTokenTest extends \PHPUnit\Framework\TestCase implements He
 $usePerms(['manage OAuth client', 'manage OAuth client secrets']);
 $createClient = Civi\Api4\OAuthClient::create()->setValues([
+ 'provider' => 'test_example_1',
 'guid' => "example-id-$random" ,
 'secret' => "example-secret-$random",
 ])->execute();
@@ -94,6 +95,7 @@ class api_v4_OAuthSysTokenTest extends \PHPUnit\Framework\TestCase implements He
 $usePerms(['manage OAuth client']);
 $createClient = Civi\Api4\OAuthClient::create()->setValues([
+ 'provider' => 'test_example_1',
 'guid' => "example-id-$random" ,
 'secret' => "example-secret-$random",
 ])->execute();
--
2.25.1