|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Copyright (C) 2016 SURFnet. |
|
4
|
|
|
* |
|
5
|
|
|
* This program is free software: you can redistribute it and/or modify |
|
6
|
|
|
* it under the terms of the GNU Affero General Public License as |
|
7
|
|
|
* published by the Free Software Foundation, either version 3 of the |
|
8
|
|
|
* License, or (at your option) any later version. |
|
9
|
|
|
* |
|
10
|
|
|
* This program is distributed in the hope that it will be useful, |
|
11
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
12
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
13
|
|
|
* GNU Affero General Public License for more details. |
|
14
|
|
|
* |
|
15
|
|
|
* You should have received a copy of the GNU Affero General Public License |
|
16
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
17
|
|
|
*/ |
|
18
|
|
|
|
|
19
|
|
|
namespace fkooman\RemoteStorage\OAuth; |
|
20
|
|
|
|
|
21
|
|
|
use fkooman\RemoteStorage\Http\Exception\HttpException; |
|
22
|
|
|
use fkooman\RemoteStorage\Http\HtmlResponse; |
|
23
|
|
|
use fkooman\RemoteStorage\Http\RedirectResponse; |
|
24
|
|
|
use fkooman\RemoteStorage\Http\Request; |
|
25
|
|
|
use fkooman\RemoteStorage\Http\Service; |
|
26
|
|
|
use fkooman\RemoteStorage\Http\ServiceModuleInterface; |
|
27
|
|
|
use fkooman\RemoteStorage\RandomInterface; |
|
28
|
|
|
use fkooman\RemoteStorage\TplInterface; |
|
29
|
|
|
|
|
30
|
|
|
class OAuthModule implements ServiceModuleInterface |
|
31
|
|
|
{ |
|
32
|
|
|
/** @var \fkooman\RemoteStorage\TplInterface */ |
|
33
|
|
|
private $tpl; |
|
34
|
|
|
|
|
35
|
|
|
/** @var \fkooman\RemoteStorage\RandomInterface */ |
|
36
|
|
|
private $random; |
|
37
|
|
|
|
|
38
|
|
|
/** @var TokenStorage */ |
|
39
|
|
|
private $tokenStorage; |
|
40
|
|
|
|
|
41
|
|
|
public function __construct(TplInterface $tpl, RandomInterface $random, TokenStorage $tokenStorage) |
|
42
|
|
|
{ |
|
43
|
|
|
$this->tpl = $tpl; |
|
44
|
|
|
$this->random = $random; |
|
45
|
|
|
$this->tokenStorage = $tokenStorage; |
|
46
|
|
|
} |
|
47
|
|
|
|
|
48
|
|
|
public function init(Service $service) |
|
49
|
|
|
{ |
|
50
|
|
|
$service->get( |
|
51
|
|
|
'/_oauth/authorize', |
|
52
|
|
|
function (Request $request) { |
|
53
|
|
|
$this->validateRequest($request); |
|
54
|
|
|
$this->validateClient($request); |
|
55
|
|
|
|
|
56
|
|
|
// ask for approving this client/scope |
|
57
|
|
|
return new HtmlResponse( |
|
58
|
|
|
$this->tpl->render( |
|
59
|
|
|
'authorizeOAuthClient', |
|
60
|
|
|
[ |
|
61
|
|
|
'client_id' => $request->getQueryParameter('client_id'), |
|
62
|
|
|
'scope' => $request->getQueryParameter('scope'), |
|
63
|
|
|
'redirect_uri' => $request->getQueryParameter('redirect_uri'), |
|
64
|
|
|
] |
|
65
|
|
|
) |
|
66
|
|
|
); |
|
67
|
|
|
} |
|
68
|
|
|
); |
|
69
|
|
|
|
|
70
|
|
|
$service->post( |
|
71
|
|
|
'/_oauth/authorize', |
|
72
|
|
|
function (Request $request, array $hookData) { |
|
73
|
|
|
$userId = $hookData['auth']; |
|
74
|
|
|
|
|
75
|
|
|
$this->validateRequest($request); |
|
76
|
|
|
$this->validateClient($request); |
|
77
|
|
|
|
|
78
|
|
|
// state is OPTIONAL in remoteStorage specification |
|
79
|
|
|
$state = $request->getQueryParameter('state', false, null); |
|
80
|
|
|
$returnUriPattern = '%s#%s'; |
|
81
|
|
|
|
|
82
|
|
|
if ('no' === $request->getPostParameter('approve')) { |
|
83
|
|
|
$redirectParameters = [ |
|
84
|
|
|
'error' => 'access_denied', |
|
85
|
|
|
'error_description' => 'user refused authorization', |
|
86
|
|
|
]; |
|
87
|
|
|
if (!is_null($state)) { |
|
88
|
|
|
$redirectParameters['state'] = $state; |
|
89
|
|
|
} |
|
90
|
|
|
$redirectQuery = http_build_query($redirectParameters); |
|
91
|
|
|
|
|
92
|
|
|
$redirectUri = sprintf($returnUriPattern, $request->getQueryParameter('redirect_uri'), $redirectQuery); |
|
93
|
|
|
|
|
94
|
|
|
return new RedirectResponse($redirectUri, 302); |
|
95
|
|
|
} |
|
96
|
|
|
|
|
97
|
|
|
$accessToken = $this->getAccessToken( |
|
98
|
|
|
$userId, |
|
99
|
|
|
$request->getQueryParameter('client_id'), |
|
100
|
|
|
$request->getQueryParameter('scope') |
|
101
|
|
|
); |
|
102
|
|
|
|
|
103
|
|
|
// add access_token (and optionally state) to redirect_uri |
|
104
|
|
|
$redirectParameters = [ |
|
105
|
|
|
'access_token' => $accessToken, |
|
106
|
|
|
]; |
|
107
|
|
|
if (!is_null($state)) { |
|
108
|
|
|
$redirectParameters['state'] = $state; |
|
109
|
|
|
} |
|
110
|
|
|
$redirectQuery = http_build_query($redirectParameters); |
|
111
|
|
|
$redirectUri = sprintf($returnUriPattern, $request->getQueryParameter('redirect_uri'), $redirectQuery); |
|
112
|
|
|
|
|
113
|
|
|
return new RedirectResponse($redirectUri, 302); |
|
114
|
|
|
} |
|
115
|
|
|
); |
|
116
|
|
|
} |
|
117
|
|
|
|
|
118
|
|
|
private function getAccessToken($userId, $clientId, $scope) |
|
119
|
|
|
{ |
|
120
|
|
|
$existingToken = $this->tokenStorage->getExistingToken( |
|
121
|
|
|
$userId, |
|
122
|
|
|
$clientId, |
|
123
|
|
|
$scope |
|
124
|
|
|
); |
|
125
|
|
|
|
|
126
|
|
|
if (false !== $existingToken) { |
|
127
|
|
|
// if the user already has an access_token for this client and |
|
128
|
|
|
// scope, reuse it |
|
129
|
|
|
$accessTokenKey = $existingToken['access_token_key']; |
|
130
|
|
|
$accessToken = $existingToken['access_token']; |
|
131
|
|
|
} else { |
|
132
|
|
|
// generate a new one |
|
133
|
|
|
$accessTokenKey = $this->random->get(8); |
|
134
|
|
|
$accessToken = $this->random->get(16); |
|
135
|
|
|
// store it |
|
136
|
|
|
$this->tokenStorage->store( |
|
137
|
|
|
$userId, |
|
138
|
|
|
$accessTokenKey, |
|
139
|
|
|
$accessToken, |
|
140
|
|
|
$clientId, |
|
141
|
|
|
$scope |
|
142
|
|
|
); |
|
143
|
|
|
} |
|
144
|
|
|
|
|
145
|
|
|
return sprintf('%s.%s', $accessTokenKey, $accessToken); |
|
146
|
|
|
} |
|
147
|
|
|
|
|
148
|
|
|
private function validateRequest(Request $request) |
|
149
|
|
|
{ |
|
150
|
|
|
// we enforce that all parameter are set, nothing is "OPTIONAL" |
|
151
|
|
|
$clientId = $request->getQueryParameter('client_id'); |
|
152
|
|
|
if (1 !== preg_match('/^[\x20-\x7E]+$/', $clientId)) { |
|
153
|
|
|
throw new HttpException('invalid client_id', 400); |
|
154
|
|
|
} |
|
155
|
|
|
|
|
156
|
|
|
// XXX we also should enforce HTTPS |
|
157
|
|
|
$redirectUri = $request->getQueryParameter('redirect_uri'); |
|
158
|
|
View Code Duplication |
if (false === filter_var($redirectUri, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED | FILTER_FLAG_PATH_REQUIRED)) { |
|
|
|
|
|
|
159
|
|
|
throw new HttpException('invalid redirect_uri', 400); |
|
160
|
|
|
} |
|
161
|
|
|
if (false !== strpos($redirectUri, '?')) { |
|
162
|
|
|
throw new HttpException('invalid redirect_uri', 400); |
|
163
|
|
|
} |
|
164
|
|
|
$responseType = $request->getQueryParameter('response_type'); |
|
165
|
|
|
if ('token' !== $responseType) { |
|
166
|
|
|
throw new HttpException('invalid response_type', 400); |
|
167
|
|
|
} |
|
168
|
|
|
// XXX make sure this regexp/code is actually correct! |
|
169
|
|
|
$scope = $request->getQueryParameter('scope'); |
|
170
|
|
|
$scopeTokens = explode(' ', $scope); |
|
171
|
|
|
foreach ($scopeTokens as $scopeToken) { |
|
172
|
|
|
if (1 !== preg_match('/^\x21|[\x23-\x5B]|[\x5D-\x7E]+$/', $scopeToken)) { |
|
173
|
|
|
throw new HttpException('invalid scope', 400); |
|
174
|
|
|
} |
|
175
|
|
|
} |
|
176
|
|
|
|
|
177
|
|
|
// state is OPTIONAL in remoteStorage |
|
178
|
|
|
$state = $request->getQueryParameter('state', false, null); |
|
179
|
|
|
if (!is_null($state)) { |
|
180
|
|
|
if (1 !== preg_match('/^[\x20-\x7E]+$/', $state)) { |
|
181
|
|
|
throw new HttpException('invalid state', 400); |
|
182
|
|
|
} |
|
183
|
|
|
} |
|
184
|
|
|
} |
|
185
|
|
|
|
|
186
|
|
|
private function validateClient(Request $request) |
|
187
|
|
|
{ |
|
188
|
|
|
$clientId = $request->getQueryParameter('client_id'); |
|
189
|
|
|
$redirectUri = $request->getQueryParameter('redirect_uri'); |
|
190
|
|
|
|
|
191
|
|
|
// redirectUri has to start with clientId (or be equal) |
|
192
|
|
|
if (0 !== strpos($redirectUri, $clientId)) { |
|
193
|
|
|
throw new HttpException('"redirect_uri" does not match "client_id"', 400); |
|
194
|
|
|
} |
|
195
|
|
|
} |
|
196
|
|
|
} |
|
197
|
|
|
|
fkooman /
php-remote-storage
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.