openinfra
/
openstackid-resources
Code Issues Proposed changes
openstackid-resources/app/Http/Middleware/OAuth2BearerAccessTokenRequ...

276 lines
10 KiB
PHP
Raw Blame History

<?php namespace App\Http\Middleware;
/**
* Copyright 2015 OpenStack Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
use Closure;
use Illuminate\Support\Facades\Input;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Request;
use Illuminate\Support\Facades\Response;
use libs\oauth2\BearerAccessTokenAuthorizationHeaderParser;
use libs\oauth2\InvalidGrantTypeException;
use libs\oauth2\OAuth2Protocol;
use libs\oauth2\OAuth2ResourceServerException;
use libs\oauth2\OAuth2WWWAuthenticateErrorResponse;
use libs\utils\RequestUtils;
use models\oauth2\IResourceServerContext;
use App\Models\ResourceServer\IAccessTokenService;
use App\Models\ResourceServer\IApiEndpointRepository;
use URL\Normalizer;
/**
* Class OAuth2BearerAccessTokenRequestValidator
* http://tools.ietf.org/html/rfc6749#section-7
* @package App\Http\Middleware
*/
class OAuth2BearerAccessTokenRequestValidator
{
/**
* @var IResourceServerContext
*/
private $context;
/**
* @var array
*/
private $headers;
/**
* @var IApiEndpointRepository
*/
private $endpoint_repository;
/**
* @var IAccessTokenService
*/
private $token_service;
/**
* @param IResourceServerContext $context
* @param IApiEndpointRepository $endpoint_repository
* @param IAccessTokenService $token_service
*/
public function __construct(
IResourceServerContext $context,
IApiEndpointRepository $endpoint_repository,
IAccessTokenService $token_service
) {
$this->context = $context;
$this->headers = $this->getHeaders();
$this->endpoint_repository = $endpoint_repository;
$this->token_service = $token_service;
}
/**
* @param \Illuminate\Http\Request $request
* @param Closure $next
* @return OAuth2WWWAuthenticateErrorResponse
*/
public function handle($request, Closure $next)
{
$url = $request->getRequestUri();
$method = $request->getMethod();
$realm = $request->getHost();
try {
$route = RequestUtils::getCurrentRoutePath($request);
if (!$route) {
throw new OAuth2ResourceServerException(
400,
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
sprintf('API endpoint does not exits! (%s:%s)', $url, $method)
);
}
Log::debug($request->headers->__toString());
// http://tools.ietf.org/id/draft-abarth-origin-03.html
$origin = $request->headers->has('Origin') ? $request->headers->get('Origin') : null;
if (!empty($origin)) {
$nm = new Normalizer($origin);
$origin = $nm->normalize();
}
//check first http basic auth header
$auth_header = isset($this->headers['authorization']) ? $this->headers['authorization'] : null;
if (!is_null($auth_header) && !empty($auth_header)) {
$access_token_value = BearerAccessTokenAuthorizationHeaderParser::getInstance()->parse($auth_header);
} else {
// http://tools.ietf.org/html/rfc6750#section-2- 2
// if access token is not on authorization header check on POST/GET params
$access_token_value = Input::get(OAuth2Protocol::OAuth2Protocol_AccessToken, '');
}
if (is_null($access_token_value) || empty($access_token_value)) {
//if access token value is not set, then error
throw new OAuth2ResourceServerException(
400,
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
'missing access token'
);
}
$endpoint = $this->endpoint_repository->getApiEndpointByUrlAndMethod($route, $method);
//api endpoint must be registered on db and active
if (is_null($endpoint) || !$endpoint->isActive()) {
throw new OAuth2ResourceServerException(
400,
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
sprintf('API endpoint does not exits! (%s:%s)', $route, $method)
);
}
$token_info = $this->token_service->get($access_token_value);
if(!is_null($token_info))
Log::debug(sprintf("token lifetime %s", $token_info->getLifetime()));
//check lifetime
if (is_null($token_info)) {
throw new InvalidGrantTypeException(OAuth2Protocol::OAuth2Protocol_Error_InvalidToken);
}
//check token audience
Log::debug('checking token audience ...');
$audience = explode(' ', $token_info->getAudience());
if ((!in_array($realm, $audience))) {
throw new InvalidGrantTypeException(OAuth2Protocol::OAuth2Protocol_Error_InvalidToken);
}
if ($token_info->getApplicationType() === 'JS_CLIENT' && str_contains($token_info->getAllowedOrigins(),
$origin) === false
) {
//check origins
throw new OAuth2ResourceServerException(
403,
OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient,
sprintf('invalid origin %s - allowed ones (%s)', $origin, $token_info->getAllowedOrigins())
);
}
//check scopes
Log::debug('checking token scopes ...');
$endpoint_scopes = explode(' ', $endpoint->getScope());
$token_scopes = explode(' ', $token_info->getScope());
//check token available scopes vs. endpoint scopes
if (count(array_intersect($endpoint_scopes, $token_scopes)) == 0) {
Log::warning(
sprintf(
'access token scopes (%s) does not allow to access to api url %s , needed scopes %s',
$token_info->getScope(),
$url,
implode(' OR ', $endpoint_scopes)
)
);
throw new OAuth2ResourceServerException(
403,
OAuth2Protocol::OAuth2Protocol_Error_InsufficientScope,
'the request requires higher privileges than provided by the access token',
implode(' ', $endpoint_scopes)
);
}
Log::debug('setting resource server context ...');
//set context for api and continue processing
$context = array
(
'access_token' => $access_token_value,
'expires_in' => $token_info->getLifetime(),
'client_id' => $token_info->getClientId(),
'scope' => $token_info->getScope(),
'application_type' => $token_info->getApplicationType()
);
if (!is_null($token_info->getUserId()))
{
$context['user_id'] = $token_info->getUserId();
$context['user_external_id'] = $token_info->getUserExternalId();
}
$this->context->setAuthorizationContext($context);
}
catch (OAuth2ResourceServerException $ex1)
{
Log::warning($ex1);
$response = new OAuth2WWWAuthenticateErrorResponse(
$realm,
$ex1->getError(),
$ex1->getErrorDescription(),
$ex1->getScope(),
$ex1->getHttpCode()
);
$http_response = Response::json($response->getContent(), $response->getHttpCode());
$http_response->header('WWW-Authenticate', $response->getWWWAuthenticateHeaderValue());
return $http_response;
}
catch (InvalidGrantTypeException $ex2)
{
Log::warning($ex2);
$response = new OAuth2WWWAuthenticateErrorResponse(
$realm,
OAuth2Protocol::OAuth2Protocol_Error_InvalidToken,
'the access token provided is expired, revoked, malformed, or invalid for other reasons.',
null,
401
);
$http_response = Response::json($response->getContent(), $response->getHttpCode());
$http_response->header('WWW-Authenticate', $response->getWWWAuthenticateHeaderValue());
return $http_response;
} catch (\Exception $ex) {
Log::error($ex);
$response = new OAuth2WWWAuthenticateErrorResponse(
$realm,
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
'invalid request',
null,
400
);
$http_response = Response::json($response->getContent(), $response->getHttpCode());
$http_response->header('WWW-Authenticate', $response->getWWWAuthenticateHeaderValue());
return $http_response;
}
$response = $next($request);
return $response;
}
/**
* @return array
*/
protected function getHeaders()
{
$headers = array();
if (function_exists('getallheaders')) {
foreach (getallheaders() as $name => $value) {
$headers[strtolower($name)] = $value;
}
} else {
// @codeCoverageIgnoreEnd
foreach ($_SERVER as $name => $value) {
if (substr($name, 0, 5) == 'HTTP_') {
$name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
$headers[strtolower($name)] = $value;
}
}
foreach (Request::header() as $name => $value) {
if (!array_key_exists($name, $headers)) {
$headers[strtolower($name)] = $value[0];
}
}
}
return $headers;
}
}
View Git Blame Copy Permalink