Completed
Push — master ( 276d5b...a0cabb )
by
unknown
33:04
created

AbstractGrant::validateScopes()   A

Complexity

Conditions 3
Paths 3

Size

Total Lines 20
Code Lines 10

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
dl 0
loc 20
rs 9.4285
c 0
b 0
f 0
cc 3
eloc 10
nc 3
nop 2
1
<?php
2
/**
3
 * OAuth 2.0 Abstract grant.
4
 *
5
 * @author      Alex Bilbie <[email protected]>
6
 * @copyright   Copyright (c) Alex Bilbie
7
 * @license     http://mit-license.org/
8
 *
9
 * @link        https://github.com/thephpleague/oauth2-server
10
 */
11
namespace League\OAuth2\Server\Grant;
12
13
use League\Event\EmitterAwareTrait;
14
use League\OAuth2\Server\CryptKey;
15
use League\OAuth2\Server\CryptTrait;
16
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
17
use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
18
use League\OAuth2\Server\Entities\ClientEntityInterface;
19
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
20
use League\OAuth2\Server\Entities\ScopeEntityInterface;
21
use League\OAuth2\Server\Exception\OAuthServerException;
22
use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
23
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
24
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
25
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
26
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
27
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
28
use League\OAuth2\Server\Repositories\UserRepositoryInterface;
29
use League\OAuth2\Server\RequestEvent;
30
use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
31
use Psr\Http\Message\ServerRequestInterface;
32
33
/**
34
 * Abstract grant class.
35
 */
36
abstract class AbstractGrant implements GrantTypeInterface
37
{
38
    use EmitterAwareTrait, CryptTrait;
39
40
    const SCOPE_DELIMITER_STRING = ' ';
41
42
    const MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS = 10;
43
44
    /**
45
     * @var ClientRepositoryInterface
46
     */
47
    protected $clientRepository;
48
49
    /**
50
     * @var AccessTokenRepositoryInterface
51
     */
52
    protected $accessTokenRepository;
53
54
    /**
55
     * @var ScopeRepositoryInterface
56
     */
57
    protected $scopeRepository;
58
59
    /**
60
     * @var AuthCodeRepositoryInterface
61
     */
62
    protected $authCodeRepository;
63
64
    /**
65
     * @var RefreshTokenRepositoryInterface
66
     */
67
    protected $refreshTokenRepository;
68
69
    /**
70
     * @var UserRepositoryInterface
71
     */
72
    protected $userRepository;
73
74
    /**
75
     * @var \DateInterval
76
     */
77
    protected $refreshTokenTTL;
78
79
    /**
80
     * @var \League\OAuth2\Server\CryptKey
81
     */
82
    protected $privateKey;
83
84
    /**
85
     * @string
86
     */
87
    protected $defaultScope;
88
89
    /**
90
     * @param ClientRepositoryInterface $clientRepository
91
     */
92
    public function setClientRepository(ClientRepositoryInterface $clientRepository)
93
    {
94
        $this->clientRepository = $clientRepository;
95
    }
96
97
    /**
98
     * @param AccessTokenRepositoryInterface $accessTokenRepository
99
     */
100
    public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessTokenRepository)
101
    {
102
        $this->accessTokenRepository = $accessTokenRepository;
103
    }
104
105
    /**
106
     * @param ScopeRepositoryInterface $scopeRepository
107
     */
108
    public function setScopeRepository(ScopeRepositoryInterface $scopeRepository)
109
    {
110
        $this->scopeRepository = $scopeRepository;
111
    }
112
113
    /**
114
     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
115
     */
116
    public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refreshTokenRepository)
117
    {
118
        $this->refreshTokenRepository = $refreshTokenRepository;
119
    }
120
121
    /**
122
     * @param AuthCodeRepositoryInterface $authCodeRepository
123
     */
124
    public function setAuthCodeRepository(AuthCodeRepositoryInterface $authCodeRepository)
125
    {
126
        $this->authCodeRepository = $authCodeRepository;
127
    }
128
129
    /**
130
     * @param UserRepositoryInterface $userRepository
131
     */
132
    public function setUserRepository(UserRepositoryInterface $userRepository)
133
    {
134
        $this->userRepository = $userRepository;
135
    }
136
137
    /**
138
     * {@inheritdoc}
139
     */
140
    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL)
141
    {
142
        $this->refreshTokenTTL = $refreshTokenTTL;
143
    }
144
145
    /**
146
     * Set the private key
147
     *
148
     * @param \League\OAuth2\Server\CryptKey $key
149
     */
150
    public function setPrivateKey(CryptKey $key)
151
    {
152
        $this->privateKey = $key;
153
    }
154
155
    /**
156
     * @param string $scope
157
     */
158
    public function setDefaultScope($scope)
159
    {
160
        $this->defaultScope = $scope;
161
    }
162
163
    /**
164
     * Validate the client.
165
     *
166
     * @param ServerRequestInterface $request
167
     *
168
     * @throws OAuthServerException
169
     *
170
     * @return ClientEntityInterface
171
     */
172
    protected function validateClient(ServerRequestInterface $request)
173
    {
174
        list($basicAuthUser, $basicAuthPassword) = $this->getBasicAuthCredentials($request);
175
176
        $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
177
        if (is_null($clientId)) {
178
            throw OAuthServerException::invalidRequest('client_id');
179
        }
180
181
        // If the client is confidential require the client secret
182
        $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
183
184
        $client = $this->clientRepository->getClientEntity(
185
            $clientId,
186
            $this->getIdentifier(),
187
            $clientSecret,
188
            true
189
        );
190
191
        if ($client instanceof ClientEntityInterface === false) {
192
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
193
            throw OAuthServerException::invalidClient();
194
        }
195
196
        // If a redirect URI is provided ensure it matches what is pre-registered
197
        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
198
        if ($redirectUri !== null) {
199
            if (
200
                is_string($client->getRedirectUri())
201
                && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
202
            ) {
203
                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
204
                throw OAuthServerException::invalidClient();
205
            } elseif (
206
                is_array($client->getRedirectUri())
207
                && in_array($redirectUri, $client->getRedirectUri()) === false
208
            ) {
209
                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
210
                throw OAuthServerException::invalidClient();
211
            }
212
        }
213
214
        return $client;
215
    }
216
217
    /**
218
     * Validate scopes in the request.
219
     *
220
     * @param string $scopes
221
     * @param string $redirectUri
222
     *
223
     * @throws OAuthServerException
224
     *
225
     * @return ScopeEntityInterface[]
226
     */
227
    public function validateScopes($scopes, $redirectUri = null)
228
    {
229
        $scopesList = array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
230
            return !empty($scope);
231
        });
232
233
        $validScopes = [];
234
235
        foreach ($scopesList as $scopeItem) {
236
            $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
237
238
            if ($scope instanceof ScopeEntityInterface === false) {
239
                throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
240
            }
241
242
            $validScopes[] = $scope;
243
        }
244
245
        return $validScopes;
246
    }
247
248
    /**
249
     * Retrieve request parameter.
250
     *
251
     * @param string                 $parameter
252
     * @param ServerRequestInterface $request
253
     * @param mixed                  $default
254
     *
255
     * @return null|string
256
     */
257
    protected function getRequestParameter($parameter, ServerRequestInterface $request, $default = null)
258
    {
259
        $requestParameters = (array) $request->getParsedBody();
260
261
        return isset($requestParameters[$parameter]) ? $requestParameters[$parameter] : $default;
262
    }
263
264
    /**
265
     * Retrieve HTTP Basic Auth credentials with the Authorization header
266
     * of a request. First index of the returned array is the username,
267
     * second is the password (so list() will work). If the header does
268
     * not exist, or is otherwise an invalid HTTP Basic header, return
269
     * [null, null].
270
     *
271
     * @param ServerRequestInterface $request
272
     *
273
     * @return string[]|null[]
274
     */
275
    protected function getBasicAuthCredentials(ServerRequestInterface $request)
276
    {
277
        if (!$request->hasHeader('Authorization')) {
278
            return [null, null];
279
        }
280
281
        $header = $request->getHeader('Authorization')[0];
282
        if (strpos($header, 'Basic ') !== 0) {
283
            return [null, null];
284
        }
285
286
        if (!($decoded = base64_decode(substr($header, 6)))) {
287
            return [null, null];
288
        }
289
290
        if (strpos($decoded, ':') === false) {
291
            return [null, null]; // HTTP Basic header without colon isn't valid
292
        }
293
294
        return explode(':', $decoded, 2);
295
    }
296
297
    /**
298
     * Retrieve query string parameter.
299
     *
300
     * @param string                 $parameter
301
     * @param ServerRequestInterface $request
302
     * @param mixed                  $default
303
     *
304
     * @return null|string
305
     */
306
    protected function getQueryStringParameter($parameter, ServerRequestInterface $request, $default = null)
307
    {
308
        return isset($request->getQueryParams()[$parameter]) ? $request->getQueryParams()[$parameter] : $default;
309
    }
310
311
    /**
312
     * Retrieve cookie parameter.
313
     *
314
     * @param string                 $parameter
315
     * @param ServerRequestInterface $request
316
     * @param mixed                  $default
317
     *
318
     * @return null|string
319
     */
320
    protected function getCookieParameter($parameter, ServerRequestInterface $request, $default = null)
321
    {
322
        return isset($request->getCookieParams()[$parameter]) ? $request->getCookieParams()[$parameter] : $default;
323
    }
324
325
    /**
326
     * Retrieve server parameter.
327
     *
328
     * @param string                 $parameter
329
     * @param ServerRequestInterface $request
330
     * @param mixed                  $default
331
     *
332
     * @return null|string
333
     */
334
    protected function getServerParameter($parameter, ServerRequestInterface $request, $default = null)
335
    {
336
        return isset($request->getServerParams()[$parameter]) ? $request->getServerParams()[$parameter] : $default;
337
    }
338
339
    /**
340
     * Issue an access token.
341
     *
342
     * @param \DateInterval          $accessTokenTTL
343
     * @param ClientEntityInterface  $client
344
     * @param string                 $userIdentifier
345
     * @param ScopeEntityInterface[] $scopes
346
     *
347
     * @throws OAuthServerException
348
     * @throws UniqueTokenIdentifierConstraintViolationException
349
     *
350
     * @return AccessTokenEntityInterface
351
     */
352
    protected function issueAccessToken(
353
        \DateInterval $accessTokenTTL,
354
        ClientEntityInterface $client,
355
        $userIdentifier,
356
        array $scopes = []
357
    ) {
358
        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
359
360
        $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
361
        $accessToken->setClient($client);
362
        $accessToken->setUserIdentifier($userIdentifier);
363
        $accessToken->setExpiryDateTime((new \DateTime())->add($accessTokenTTL));
364
365
        foreach ($scopes as $scope) {
366
            $accessToken->addScope($scope);
367
        }
368
369
        while ($maxGenerationAttempts-- > 0) {
370
            $accessToken->setIdentifier($this->generateUniqueIdentifier());
371
            try {
372
                $this->accessTokenRepository->persistNewAccessToken($accessToken);
373
374
                return $accessToken;
375
            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
376
                if ($maxGenerationAttempts === 0) {
377
                    throw $e;
378
                }
379
            }
380
        }
381
    }
382
383
    /**
384
     * Issue an auth code.
385
     *
386
     * @param \DateInterval          $authCodeTTL
387
     * @param ClientEntityInterface  $client
388
     * @param string                 $userIdentifier
389
     * @param string                 $redirectUri
390
     * @param ScopeEntityInterface[] $scopes
391
     *
392
     * @throws OAuthServerException
393
     * @throws UniqueTokenIdentifierConstraintViolationException
394
     *
395
     * @return AuthCodeEntityInterface
396
     */
397
    protected function issueAuthCode(
398
        \DateInterval $authCodeTTL,
399
        ClientEntityInterface $client,
400
        $userIdentifier,
401
        $redirectUri,
402
        array $scopes = []
403
    ) {
404
        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
405
406
        $authCode = $this->authCodeRepository->getNewAuthCode();
407
        $authCode->setExpiryDateTime((new \DateTime())->add($authCodeTTL));
408
        $authCode->setClient($client);
409
        $authCode->setUserIdentifier($userIdentifier);
410
        $authCode->setRedirectUri($redirectUri);
411
412
        foreach ($scopes as $scope) {
413
            $authCode->addScope($scope);
414
        }
415
416
        while ($maxGenerationAttempts-- > 0) {
417
            $authCode->setIdentifier($this->generateUniqueIdentifier());
418
            try {
419
                $this->authCodeRepository->persistNewAuthCode($authCode);
420
421
                return $authCode;
422
            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
423
                if ($maxGenerationAttempts === 0) {
424
                    throw $e;
425
                }
426
            }
427
        }
428
    }
429
430
    /**
431
     * @param AccessTokenEntityInterface $accessToken
432
     *
433
     * @throws OAuthServerException
434
     * @throws UniqueTokenIdentifierConstraintViolationException
435
     *
436
     * @return RefreshTokenEntityInterface
437
     */
438
    protected function issueRefreshToken(AccessTokenEntityInterface $accessToken)
439
    {
440
        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
441
442
        $refreshToken = $this->refreshTokenRepository->getNewRefreshToken();
443
        $refreshToken->setExpiryDateTime((new \DateTime())->add($this->refreshTokenTTL));
444
        $refreshToken->setAccessToken($accessToken);
445
446
        while ($maxGenerationAttempts-- > 0) {
447
            $refreshToken->setIdentifier($this->generateUniqueIdentifier());
448
            try {
449
                $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
450
451
                return $refreshToken;
452
            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
453
                if ($maxGenerationAttempts === 0) {
454
                    throw $e;
455
                }
456
            }
457
        }
458
    }
459
460
    /**
461
     * Generate a new unique identifier.
462
     *
463
     * @param int $length
464
     *
465
     * @throws OAuthServerException
466
     *
467
     * @return string
468
     */
469
    protected function generateUniqueIdentifier($length = 40)
470
    {
471
        try {
472
            return bin2hex(random_bytes($length));
473
            // @codeCoverageIgnoreStart
474
        } catch (\TypeError $e) {
475
            throw OAuthServerException::serverError('An unexpected error has occurred');
476
        } catch (\Error $e) {
477
            throw OAuthServerException::serverError('An unexpected error has occurred');
478
        } catch (\Exception $e) {
479
            // If you get this message, the CSPRNG failed hard.
480
            throw OAuthServerException::serverError('Could not generate a random string');
481
        }
482
        // @codeCoverageIgnoreEnd
483
    }
484
485
    /**
486
     * {@inheritdoc}
487
     */
488
    public function canRespondToAccessTokenRequest(ServerRequestInterface $request)
489
    {
490
        $requestParameters = (array) $request->getParsedBody();
491
492
        return (
493
            array_key_exists('grant_type', $requestParameters)
494
            && $requestParameters['grant_type'] === $this->getIdentifier()
495
        );
496
    }
497
498
    /**
499
     * {@inheritdoc}
500
     */
501
    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
502
    {
503
        return false;
504
    }
505
506
    /**
507
     * {@inheritdoc}
508
     */
509
    public function validateAuthorizationRequest(ServerRequestInterface $request)
510
    {
511
        throw new \LogicException('This grant cannot validate an authorization request');
512
    }
513
514
    /**
515
     * {@inheritdoc}
516
     */
517
    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
518
    {
519
        throw new \LogicException('This grant cannot complete an authorization request');
520
    }
521
}
522