From 57908586bdeb9f6840ff7493223a0aab933b1d19 Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor"
Date: Wed, 17 Jun 2020 19:00:11 +0100
Subject: [PATCH] more jsonmapper models for login
---
src/network/mcpe/auth/ProcessLoginTask.php | 36 ++++++++++++---
.../protocol/types/login/JwtBodyRfc7519.php | 45 +++++++++++++++++++
.../protocol/types/login/JwtChainLinkBody.php | 33 ++++++++++++++
.../mcpe/protocol/types/login/JwtHeader.php | 37 +++++++++++++++
4 files changed, 146 insertions(+), 5 deletions(-)
create mode 100644 src/network/mcpe/protocol/types/login/JwtBodyRfc7519.php
create mode 100644 src/network/mcpe/protocol/types/login/JwtChainLinkBody.php
create mode 100644 src/network/mcpe/protocol/types/login/JwtHeader.php
diff --git a/src/network/mcpe/auth/ProcessLoginTask.php b/src/network/mcpe/auth/ProcessLoginTask.php
index 9fd706582..b92015560 100644
--- a/src/network/mcpe/auth/ProcessLoginTask.php
+++ b/src/network/mcpe/auth/ProcessLoginTask.php
@@ -29,6 +29,8 @@ use Mdanter\Ecc\Serializer\PublicKey\DerPublicKeySerializer;
 use pocketmine\network\mcpe\JwtException;
 use pocketmine\network\mcpe\JwtUtils;
 use pocketmine\network\mcpe\protocol\LoginPacket;
+use pocketmine\network\mcpe\protocol\types\login\JwtChainLinkBody;
+use pocketmine\network\mcpe\protocol\types\login\JwtHeader;
 use pocketmine\scheduler\AsyncTask;
 use function base64_decode;
 use function time;
@@ -106,18 +108,30 @@ class ProcessLoginTask extends AsyncTask{ */ private function validateToken(string $jwt, ?string &$currentPublicKey, bool $first = false) : void{ try{ - [$headers, $claims, ] = JwtUtils::parse($jwt); + [$headersArray, $claimsArray, ] = JwtUtils::parse($jwt); }catch(JwtException $e){ throw new VerifyLoginException("Failed to parse JWT: " . $e->getMessage(), 0, $e); } + $mapper = new \JsonMapper(); + $mapper->bExceptionOnMissingData = true; + $mapper->bExceptionOnUndefinedProperty = true; + $mapper->bEnforceMapType = false; + + try{ + /** @var JwtHeader $headers */ + $headers = $mapper->map($headersArray, new JwtHeader()); + }catch(\JsonMapper_Exception $e){ + throw new VerifyLoginException("Invalid JWT header: " . $e->getMessage(), 0, $e); + } + if($currentPublicKey === null){ if(!$first){ throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.missingKey"); } //First link, check that it is self-signed - $currentPublicKey = $headers["x5u"]; + $currentPublicKey = $headers->x5u; } $derPublicKeySerializer = new DerPublicKeySerializer(); 
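Review bot: The header mapper sets `bExceptionOnUndefinedProperty = true` while the chain-link body mapper in the next hunk sets it to false, and nothing in the hunk says why the header must be closed-world; any header field that JwtHeader does not declare now ends the login with "Invalid JWT header" instead of being ignored. If that strictness is deliberate (the header appears to be consumed before any signature is checked, so refusing unexpected input early is a defensible choice), a one-line comment above the assignment would stop the next reader from "fixing" it, e.g. `//nothing in the header is verified yet, so reject any field we don't explicitly model`. `bEnforceMapType = false` looks like a weakening at first glance but seems to be what lets the array returned by JwtUtils::parse() be mapped at all; naming that reason in a comment would help too. validateToken's body continues into the next hunk and is not fully visible here.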
@@ -143,16 +157,28 @@ class ProcessLoginTask extends AsyncTask{ $this->authenticated = true; //we're signed into xbox live } + $mapper = new \JsonMapper(); + $mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case + $mapper->bExceptionOnMissingData = true; + $mapper->bEnforceMapType = false; + $mapper->bRemoveUndefinedAttributes = true; + try{ + /** @var JwtChainLinkBody $claims */ + $claims = $mapper->map($claimsArray, new JwtChainLinkBody()); + }catch(\JsonMapper_Exception $e){ + throw new VerifyLoginException("Invalid chain link body: " . $e->getMessage(), 0, $e); + } + $time = time(); - if(isset($claims["nbf"]) and $claims["nbf"] > $time + self::CLOCK_DRIFT_MAX){ + if(isset($claims->nbf) and $claims->nbf > $time + self::CLOCK_DRIFT_MAX){ throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.tooEarly"); } - if(isset($claims["exp"]) and $claims["exp"] < $time - self::CLOCK_DRIFT_MAX){ + if(isset($claims->exp) and $claims->exp < $time - self::CLOCK_DRIFT_MAX){ throw new VerifyLoginException("%pocketmine.disconnect.invalidSession.tooLate"); } - $currentPublicKey = $claims["identityPublicKey"] ?? null; //if there are further links, the next link should be signed with this + $currentPublicKey = $claims->identityPublicKey ?? null; //if there are further links, the next link should be signed with this } public function onCompletion() : void{ diff --git a/src/network/mcpe/protocol/types/login/JwtBodyRfc7519.php b/src/network/mcpe/protocol/types/login/JwtBodyRfc7519.php new file mode 100644 index 000000000..301779401 --- /dev/null +++ b/src/network/mcpe/protocol/types/login/JwtBodyRfc7519.php @@ -0,0 +1,45 @@ +
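Review bot: The `nbf`/`exp` checks keep their `isset()` guards after the move to a typed model, so a chain link that omits `exp` is still accepted with no validity window, and the commit does not say whether that is intentional. If JwtChainLinkBody (added by this commit, outside this chunk) declares those claims as required, `bExceptionOnMissingData = true` already rejects their absence and the guards are dead code; if it declares them optional, a comment making the trust decision explicit would help, e.g. `//nbf/exp are optional in chain links; a link without them carries no time bound`, and the `?? null` on `$claims->identityPublicKey` has the same question attached. The mapper setup here is a near-duplicate of the one in the previous hunk with different strictness flags and a different exception message; a small private helper taking the strictness as a parameter would keep the two configurations in step. validateToken's body begins in the previous hunk.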