Check for undefined variables.
1 | <?php |
||
2 | |||
3 | use ChamiloSession as Session; |
||
4 | |||
5 | /** |
||
6 | * Used to authenticate user with an access token. By default this method is disabled. |
||
7 | * Method used primarily to make API calls: Rss, file upload. |
||
8 | * |
||
9 | * Access is granted only for the services that are enabled. |
||
10 | * |
||
11 | * To be secured this method must |
||
12 | * |
||
13 | * 1) be called through httpS to avoid sniffing (note that this is the case anyway with other methods such as cookies) |
||
14 | * 2) the url/access token must be secured |
||
15 | * |
||
16 | * This authentication method is session less. This is to ensure that the navigator |
||
17 | * do not receive an access cookie that will grant it access to other parts of the |
||
18 | * application. |
||
19 | * |
||
20 | * |
||
21 | * Usage: |
||
22 | * |
||
23 | * Enable KeyAuth for a specific service. Add the following lines so that |
||
24 | * the key authentication method is enabled for a specific service before |
||
25 | * calling global.inc.php. |
||
26 | * |
||
27 | * include_once '.../main/inc/autoload.inc.php'; |
||
28 | * KeyAuth::enable_services('my_service'); |
||
29 | * include_once '.../main/inc/global.inc.php'; |
||
30 | * |
||
31 | * |
||
32 | * Enable url access for a short period of time: |
||
33 | * |
||
34 | * token = KeyAuth::create_temp_token(); |
||
35 | * url = '...?access_token=' . $token ; |
||
36 | * |
||
37 | * @see AccessToken |
||
38 | * |
||
39 | * @license see /license.txt |
||
40 | * @author Laurent Opprecht <[email protected]> for the Univesity of Geneva |
||
41 | */ |
||
42 | class KeyAuth |
||
43 | { |
||
44 | const PARAM_ACCESS_TOKEN = 'access_token'; |
||
45 | |||
46 | protected static $services = []; |
||
47 | |||
48 | protected function __construct() |
||
49 | { |
||
50 | } |
||
51 | |||
52 | public static function create_temp_token($service = null, $duration = 60, $user_id = null) |
||
53 | { |
||
54 | return UserApiKeyManager::create_temp_token($service, $duration, $user_id); |
||
55 | } |
||
56 | |||
57 | /** |
||
58 | * Returns enabled services. |
||
59 | * |
||
60 | * @return array |
||
61 | */ |
||
62 | public static function get_services() |
||
63 | { |
||
64 | return self::$services; |
||
65 | } |
||
66 | |||
67 | /** |
||
68 | * Name of the service for which we are goint to check the API Key. |
||
69 | * If empty it disables authentication. |
||
70 | * |
||
71 | * !! 10 chars max !! |
||
72 | * |
||
73 | * @param string $_ |
||
74 | */ |
||
75 | public static function enable_services($_) |
||
76 | { |
||
77 | $args = func_get_args(); |
||
78 | $names = []; |
||
79 | foreach ($args as $arg) { |
||
80 | if (is_object($arg)) { |
||
81 | $f = [$arg, 'get_service_name']; |
||
82 | $name = call_user_func($f); |
||
83 | } else { |
||
84 | $name = $arg; |
||
85 | } |
||
86 | $name = substr($name, 0, 10); |
||
87 | self::$services[$name] = $name; |
||
88 | } |
||
89 | } |
||
90 | |||
91 | public static function disable_services($_) |
||
92 | { |
||
93 | $args = func_get_args(); |
||
94 | $names = []; |
||
95 | foreach ($args as $name) { |
||
96 | $name = substr($name, 0, 10); |
||
97 | unset(self::$services[$name]); |
||
98 | } |
||
99 | } |
||
100 | |||
101 | public static function is_service_enabled($service) |
||
102 | { |
||
103 | $services = self::get_services(); |
||
104 | foreach ($services as $s) { |
||
105 | if ($s == $service) { |
||
106 | return true; |
||
107 | } |
||
108 | } |
||
109 | |||
110 | return false; |
||
111 | } |
||
112 | |||
113 | public static function clear_services() |
||
114 | { |
||
115 | self::$services[$name] = []; |
||
0 ignored issues
–
show
Comprehensibility
Best Practice
introduced
by
Loading history...
|
|||
116 | } |
||
117 | |||
118 | /** |
||
119 | * Enable key authentication for the default service - i.e. chamilo. |
||
120 | */ |
||
121 | public static function enable() |
||
122 | { |
||
123 | self::enable_services(UserApiKeyManager::default_service()); |
||
124 | } |
||
125 | |||
126 | public static function disable() |
||
127 | { |
||
128 | self::$services[$name] = []; |
||
0 ignored issues
–
show
Comprehensibility
Best Practice
introduced
by
|
|||
129 | } |
||
130 | |||
131 | /** |
||
132 | * Returns true if the key authentication method is enabled. False otherwise. |
||
133 | * Default to false. |
||
134 | * |
||
135 | * @return bool |
||
136 | */ |
||
137 | public static function is_enabled() |
||
138 | { |
||
139 | return !empty(self::$services); |
||
140 | } |
||
141 | |||
142 | /** |
||
143 | * @return KeyAuth |
||
144 | */ |
||
145 | public static function instance() |
||
146 | { |
||
147 | static $result = null; |
||
148 | if (empty($result)) { |
||
149 | $result = new self(); |
||
150 | } |
||
151 | |||
152 | return $result; |
||
153 | } |
||
154 | |||
155 | /** |
||
156 | * Returns true if authentication accepts to run otherwise returns false. |
||
157 | * |
||
158 | * @return bool |
||
159 | */ |
||
160 | public function accept() |
||
161 | { |
||
162 | /** |
||
163 | * Authentication method must be enabled. |
||
164 | */ |
||
165 | if (!self::is_enabled()) { |
||
166 | return false; |
||
167 | } |
||
168 | |||
169 | $token = $this->get_access_token(); |
||
170 | if ($token->is_empty()) { |
||
171 | return false; |
||
172 | } |
||
173 | |||
174 | $key = UserApiKeyManager::get_by_id($token->get_id()); |
||
175 | if (empty($key)) { |
||
176 | return false; |
||
177 | } |
||
178 | |||
179 | /** |
||
180 | * The service corresponding to the key must be enabled. |
||
181 | */ |
||
182 | $service = $key['api_service']; |
||
183 | if (!self::is_service_enabled($service)) { |
||
184 | return false; |
||
185 | } |
||
186 | |||
187 | /** |
||
188 | * User associated with the key must be active. |
||
189 | */ |
||
190 | $user = api_get_user_info($token->get_user_id()); |
||
191 | if (empty($user)) { |
||
192 | return false; |
||
193 | } |
||
194 | if (!$user['active']) { |
||
195 | return false; |
||
196 | } |
||
197 | |||
198 | /** |
||
199 | * Token must be valid. |
||
200 | */ |
||
201 | return $token->is_valid(); |
||
202 | } |
||
203 | |||
204 | /** |
||
205 | * If accepted tear down session, log in user and returns true. |
||
206 | * If not accepted do nothing and returns false. |
||
207 | * |
||
208 | * @return bool |
||
209 | */ |
||
210 | public function login() |
||
211 | { |
||
212 | if (!$this->accept()) { |
||
213 | return false; |
||
214 | } |
||
215 | /** |
||
216 | * ! important this is to ensure we don't grant access for other parts. |
||
217 | */ |
||
218 | Session::destroy(); |
||
219 | |||
220 | /** |
||
221 | * We don't allow redirection since access is granted only for this call. |
||
222 | */ |
||
223 | global $no_redirection, $noredirection; |
||
224 | $no_redirection = true; |
||
225 | $noredirection = true; |
||
226 | Session::write('noredirection', $noredirection); |
||
227 | |||
228 | $user_id = $this->get_user_id(); |
||
229 | $course_code = $this->get_course_code(); |
||
230 | $group_id = $this->get_group_id(); |
||
231 | |||
232 | Login::init_user($user_id, true); |
||
233 | Login::init_course($course_code, true); |
||
234 | Login::init_group($group_id, true); |
||
235 | |||
236 | return true; |
||
237 | } |
||
238 | |||
239 | /** |
||
240 | * Returns the request access token. |
||
241 | * |
||
242 | * @return AccessToken |
||
243 | */ |
||
244 | public function get_access_token() |
||
245 | { |
||
246 | $string = Request::get(self::PARAM_ACCESS_TOKEN); |
||
247 | |||
248 | return AccessToken::parse($string); |
||
249 | } |
||
250 | |||
251 | public function get_user_id() |
||
252 | { |
||
253 | return $this->get_access_token()->get_user_id(); |
||
254 | } |
||
255 | |||
256 | public function get_course_code() |
||
257 | { |
||
258 | return Request::get('cidReq', 0); |
||
259 | } |
||
260 | |||
261 | /** |
||
262 | * @return int |
||
263 | */ |
||
264 | public function get_group_id() |
||
265 | { |
||
266 | return Request::get('gidReq', 0); |
||
267 | } |
||
268 | } |
||
269 |