Integration Testing

updated some classes' dependencies to allow xunit

added DI by constructor on some classes

Change-Id: I50e0043d1b2ceb845cd1803233a107e3186c1a59
Implements: blueprint openid-oauth2-integration-testing
This commit is contained in:
Sebastian Marcet 2014-02-17 11:27:13 -03:00
parent 7dae6fa886
commit cfb6ddbd41
59 changed files with 471 additions and 313 deletions


@ -106,8 +106,8 @@ return array(
'Illuminate\Workbench\WorkbenchServiceProvider', 'Illuminate\Workbench\WorkbenchServiceProvider',
'Illuminate\Redis\RedisServiceProvider', 'Illuminate\Redis\RedisServiceProvider',
'services\utils\UtilsProvider', 'services\utils\UtilsProvider',
'services\oauth2\OAuth2ServiceProvider',
'services\openid\OpenIdProvider', 'services\openid\OpenIdProvider',
'services\oauth2\OAuth2ServiceProvider',
'auth\AuthenticationServiceProvider', 'auth\AuthenticationServiceProvider',
'services\ServicesProvider', 'services\ServicesProvider',
'strategies\StrategyProvider', 'strategies\StrategyProvider',
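Review bot: The swap of `'services\oauth2\OAuth2ServiceProvider'` and `'services\openid\OpenIdProvider'` presumably exists because one provider's bindings must be registered before the other boots, but nothing in the array records that, so the next person who alphabetises the providers will undo it. A one-line comment above the moved entry, `// order matters: OpenIdProvider registers bindings OAuth2ServiceProvider resolves — do not re-sort`, would preserve the constraint (adjust the wording to the real dependency, which I cannot see from here). The second file section below carries the identical reorder and wants the same comment; if the order does not actually matter, both reorders are noise and could be dropped.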


@ -106,8 +106,8 @@ return array(
'Illuminate\Workbench\WorkbenchServiceProvider', 'Illuminate\Workbench\WorkbenchServiceProvider',
'Illuminate\Redis\RedisServiceProvider', 'Illuminate\Redis\RedisServiceProvider',
'services\utils\UtilsProvider', 'services\utils\UtilsProvider',
'services\oauth2\OAuth2ServiceProvider',
'services\openid\OpenIdProvider', 'services\openid\OpenIdProvider',
'services\oauth2\OAuth2ServiceProvider',
'auth\AuthenticationServiceProvider', 'auth\AuthenticationServiceProvider',
'services\ServicesProvider', 'services\ServicesProvider',
'strategies\StrategyProvider', 'strategies\StrategyProvider',


@ -5,21 +5,18 @@ use oauth2\services\IClientService;
use oauth2\services\IMementoOAuth2AuthenticationRequestService; use oauth2\services\IMementoOAuth2AuthenticationRequestService;
use oauth2\services\ITokenService; use oauth2\services\ITokenService;
use oauth2\services\IResourceServerService; use oauth2\services\IResourceServerService;
use openid\requests\OpenIdAuthenticationRequest;
use openid\services\IMementoOpenIdRequestService; use openid\services\IMementoOpenIdRequestService;
use openid\services\IServerConfigurationService;
use openid\services\ITrustedSitesService; use openid\services\ITrustedSitesService;
use openid\services\IUserService; use openid\services\IUserService;
use openid\services\IServerConfigurationService;
use openid\XRDS\XRDSDocumentBuilder; use openid\XRDS\XRDSDocumentBuilder;
use utils\IPHelper; use utils\IPHelper;
use services\IUserActionService; use services\IUserActionService;
use strategies\DefaultLoginStrategy; use strategies\DefaultLoginStrategy;
use strategies\OAuth2ConsentStrategy; use strategies\OAuth2ConsentStrategy;
use strategies\OAuth2LoginStrategy; use strategies\OAuth2LoginStrategy;
use strategies\OpenIdConsentStrategy;
use strategies\OpenIdLoginStrategy;
use utils\services\IAuthService; use utils\services\IAuthService;
use utils\services\IServerConfigurationService as IUtilsServerConfigurationService;
class UserController extends BaseController class UserController extends BaseController
{ {
@ -37,6 +34,7 @@ class UserController extends BaseController
private $scope_service; private $scope_service;
private $token_service; private $token_service;
private $resource_server_service; private $resource_server_service;
private $utils_configuration_service;
public function __construct(IMementoOpenIdRequestService $openid_memento_service, public function __construct(IMementoOpenIdRequestService $openid_memento_service,
IMementoOAuth2AuthenticationRequestService $oauth2_memento_service, IMementoOAuth2AuthenticationRequestService $oauth2_memento_service,
@ -49,7 +47,9 @@ class UserController extends BaseController
IClientService $client_service, IClientService $client_service,
IApiScopeService $scope_service, IApiScopeService $scope_service,
ITokenService $token_service, ITokenService $token_service,
IResourceServerService $resource_server_service) IResourceServerService $resource_server_service,
IUtilsServerConfigurationService $utils_configuration_service
)
{ {
$this->openid_memento_service = $openid_memento_service; $this->openid_memento_service = $openid_memento_service;
$this->oauth2_memento_service = $oauth2_memento_service; $this->oauth2_memento_service = $oauth2_memento_service;
@ -63,6 +63,7 @@ class UserController extends BaseController
$this->scope_service = $scope_service; $this->scope_service = $scope_service;
$this->token_service = $token_service; $this->token_service = $token_service;
$this->resource_server_service = $resource_server_service; $this->resource_server_service = $resource_server_service;
$this->utils_configuration_service = $utils_configuration_service;
//filters //filters
$this->beforeFilter('csrf', array('only' => array('postLogin', 'postConsent'))); $this->beforeFilter('csrf', array('only' => array('postLogin', 'postConsent')));
@ -183,6 +184,11 @@ class UserController extends BaseController
if ($current_user && $current_user->getIdentifier() != $user->getIdentifier()) { if ($current_user && $current_user->getIdentifier() != $user->getIdentifier()) {
$another_user = true; $another_user = true;
} }
$assets_url = $this->utils_configuration_service->getConfigValue("Assets.Url");
$pic_url = $user->getPic();
$pic_url = str_contains($pic_url,'http')?$pic_url:$assets_url.$pic_url;
$params = array( $params = array(
'show_fullname' => $user->getShowProfileFullName(), 'show_fullname' => $user->getShowProfileFullName(),
'username' => $user->getFullName(), 'username' => $user->getFullName(),
@ -190,7 +196,7 @@ class UserController extends BaseController
'email' => $user->getEmail(), 'email' => $user->getEmail(),
'identifier' => $user->getIdentifier(), 'identifier' => $user->getIdentifier(),
'show_pic' => $user->getShowProfilePic(), 'show_pic' => $user->getShowProfilePic(),
'pic' => $user->getPic(), 'pic' => $pic_url,
'another_user' => $another_user, 'another_user' => $another_user,
); );
return View::make("identity", $params); return View::make("identity", $params);
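Review bot: `str_contains($pic_url,'http')` on the third added line of the last hunk tests for the substring anywhere in the value, not for an absolute URL, so a stored filename such as `http_banner.png` (constructed example) is handed to the view unprefixed while a value like `//cdn/x.png` gets the assets prefix. Since `getPic()` now returns the raw `MemberPhoto` filename (see the User model section of this commit), a prefix test is what is meant: `$pic_url = starts_with($pic_url, 'http') ? $pic_url : $assets_url.$pic_url;` using Laravel's `starts_with` helper, or `preg_match('#^https?://#i', $pic_url)`. The result lands in the `'pic'` view parameter, so whichever branch is taken the template still has to escape it for the attribute context it is rendered in; the view is not in this diff. The enclosing method starts and ends outside the hunk.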


@ -819,7 +819,7 @@ class TestSeeder extends Seeder {
'name' => 'create-resource-server', 'name' => 'create-resource-server',
'active' => true, 'active' => true,
'api_id' => $resource_server->id, 'api_id' => $resource_server->id,
'route' => 'api/v1/resource-servers', 'route' => '/api/v1/resource-servers',
'http_method' => 'POST' 'http_method' => 'POST'
) )
); );
@ -829,7 +829,7 @@ class TestSeeder extends Seeder {
'name' => 'get-resource-server', 'name' => 'get-resource-server',
'active' => true, 'active' => true,
'api_id' => $resource_server->id, 'api_id' => $resource_server->id,
'route' => 'api/v1/resource-servers/{id}', 'route' => '/api/v1/resource-servers/{id}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -839,7 +839,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-regenerate-secret', 'name' => 'resource-server-regenerate-secret',
'active' => true, 'active' => true,
'api_id' => $resource_server->id, 'api_id' => $resource_server->id,
'route' => 'api/v1/resource-servers/{id}/client-secret', 'route' => '/api/v1/resource-servers/{id}/client-secret',
'http_method' => 'PUT' 'http_method' => 'PUT'
) )
); );
@ -849,7 +849,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-get-page', 'name' => 'resource-server-get-page',
'active' => true, 'active' => true,
'api_id' => $resource_server->id, 'api_id' => $resource_server->id,
'route' => 'api/v1/resource-servers', 'route' => '/api/v1/resource-servers',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -859,7 +859,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-delete', 'name' => 'resource-server-delete',
'active' => true, 'active' => true,
'api_id' => $resource_server->id, 'api_id' => $resource_server->id,
'route' => 'api/v1/resource-servers/{id}', 'route' => '/api/v1/resource-servers/{id}',
'http_method' => 'DELETE' 'http_method' => 'DELETE'
) )
); );
@ -869,7 +869,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-update', 'name' => 'resource-server-update',
'active' => true, 'active' => true,
'api_id' => $resource_server->id, 'api_id' => $resource_server->id,
'route' => 'api/v1/resource-servers', 'route' => '/api/v1/resource-servers',
'http_method' => 'PUT' 'http_method' => 'PUT'
) )
); );
@ -879,7 +879,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-update-status', 'name' => 'resource-server-update-status',
'active' => true, 'active' => true,
'api_id' => $resource_server->id, 'api_id' => $resource_server->id,
'route' => 'api/v1/resource-servers/{id}/status/{active}', 'route' => '/api/v1/resource-servers/{id}/status/{active}',
'http_method' => 'PUT' 'http_method' => 'PUT'
) )
); );
@ -941,7 +941,7 @@ class TestSeeder extends Seeder {
'name' => 'get-api', 'name' => 'get-api',
'active' => true, 'active' => true,
'api_id' => $api_api->id, 'api_id' => $api_api->id,
'route' => 'api/v1/api/{id}', 'route' => '/api/v1/api/{id}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -952,7 +952,7 @@ class TestSeeder extends Seeder {
'name' => 'delete-api', 'name' => 'delete-api',
'active' => true, 'active' => true,
'api_id' => $api_api->id, 'api_id' => $api_api->id,
'route' => 'api/v1/api/{id}', 'route' => '/api/v1/api/{id}',
'http_method' => 'DELETE' 'http_method' => 'DELETE'
) )
); );
@ -962,7 +962,7 @@ class TestSeeder extends Seeder {
'name' => 'create-api', 'name' => 'create-api',
'active' => true, 'active' => true,
'api_id' => $api_api->id, 'api_id' => $api_api->id,
'route' => 'api/v1/api', 'route' => '/api/v1/api',
'http_method' => 'POST' 'http_method' => 'POST'
) )
); );
@ -972,7 +972,7 @@ class TestSeeder extends Seeder {
'name' => 'update-api', 'name' => 'update-api',
'active' => true, 'active' => true,
'api_id' => $api_api->id, 'api_id' => $api_api->id,
'route' => 'api/v1/api', 'route' => '/api/v1/api',
'http_method' => 'PUT' 'http_method' => 'PUT'
) )
); );
@ -982,7 +982,7 @@ class TestSeeder extends Seeder {
'name' => 'update-api-status', 'name' => 'update-api-status',
'active' => true, 'active' => true,
'api_id' => $api_api->id, 'api_id' => $api_api->id,
'route' => 'api/v1/api/status/{id}/{active}', 'route' => '/api/v1/api/status/{id}/{active}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -992,7 +992,7 @@ class TestSeeder extends Seeder {
'name' => 'api-get-page', 'name' => 'api-get-page',
'active' => true, 'active' => true,
'api_id' => $api_api->id, 'api_id' => $api_api->id,
'route' => 'api/v1/api/{page_nbr}/{page_size}', 'route' => '/api/v1/api/{page_nbr}/{page_size}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1037,7 +1037,7 @@ class TestSeeder extends Seeder {
'name' => 'get-api-endpoint', 'name' => 'get-api-endpoint',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint/{id}', 'route' => '/api/v1/api-endpoint/{id}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1047,7 +1047,7 @@ class TestSeeder extends Seeder {
'name' => 'delete-api-endpoint', 'name' => 'delete-api-endpoint',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint/{id}', 'route' => '/api/v1/api-endpoint/{id}',
'http_method' => 'DELETE' 'http_method' => 'DELETE'
) )
); );
@ -1057,7 +1057,7 @@ class TestSeeder extends Seeder {
'name' => 'create-api-endpoint', 'name' => 'create-api-endpoint',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint', 'route' => '/api/v1/api-endpoint',
'http_method' => 'POST' 'http_method' => 'POST'
) )
); );
@ -1067,7 +1067,7 @@ class TestSeeder extends Seeder {
'name' => 'update-api-endpoint', 'name' => 'update-api-endpoint',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint', 'route' => '/api/v1/api-endpoint',
'http_method' => 'PUT' 'http_method' => 'PUT'
) )
); );
@ -1077,7 +1077,7 @@ class TestSeeder extends Seeder {
'name' => 'update-api-endpoint-status', 'name' => 'update-api-endpoint-status',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint/status/{id}/{active}', 'route' => '/api/v1/api-endpoint/status/{id}/{active}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1087,7 +1087,7 @@ class TestSeeder extends Seeder {
'name' => 'api-endpoint-get-page', 'name' => 'api-endpoint-get-page',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint/{page_nbr}/{page_size}', 'route' => '/api/v1/api-endpoint/{page_nbr}/{page_size}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1098,7 +1098,7 @@ class TestSeeder extends Seeder {
'name' => 'add-api-endpoint-scope', 'name' => 'add-api-endpoint-scope',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint/scope/add/{id}/{scope_id}', 'route' => '/api/v1/api-endpoint/scope/add/{id}/{scope_id}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1108,7 +1108,7 @@ class TestSeeder extends Seeder {
'name' => 'remove-api-endpoint-scope', 'name' => 'remove-api-endpoint-scope',
'active' => true, 'active' => true,
'api_id' => $api_api_endpoint->id, 'api_id' => $api_api_endpoint->id,
'route' => 'api/v1/api-endpoint/scope/remove/{id}/{scope_id}', 'route' => '/api/v1/api-endpoint/scope/remove/{id}/{scope_id}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1165,7 +1165,7 @@ class TestSeeder extends Seeder {
'name' => 'get-scope', 'name' => 'get-scope',
'active' => true, 'active' => true,
'api_id' => $api_scope->id, 'api_id' => $api_scope->id,
'route' => 'api/v1/api-scope/{id}', 'route' => '/api/v1/api-scope/{id}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1176,7 +1176,7 @@ class TestSeeder extends Seeder {
'name' => 'delete-scope', 'name' => 'delete-scope',
'active' => true, 'active' => true,
'api_id' => $api_scope->id, 'api_id' => $api_scope->id,
'route' => 'api/v1/api-scope/{id}', 'route' => '/api/v1/api-scope/{id}',
'http_method' => 'DELETE' 'http_method' => 'DELETE'
) )
); );
@ -1186,7 +1186,7 @@ class TestSeeder extends Seeder {
'name' => 'create-scope', 'name' => 'create-scope',
'active' => true, 'active' => true,
'api_id' => $api_scope->id, 'api_id' => $api_scope->id,
'route' => 'api/v1/api-scope', 'route' => '/api/v1/api-scope',
'http_method' => 'POST' 'http_method' => 'POST'
) )
); );
@ -1196,7 +1196,7 @@ class TestSeeder extends Seeder {
'name' => 'update-scope', 'name' => 'update-scope',
'active' => true, 'active' => true,
'api_id' => $api_scope->id, 'api_id' => $api_scope->id,
'route' => 'api/v1/api-scope', 'route' => '/api/v1/api-scope',
'http_method' => 'PUT' 'http_method' => 'PUT'
) )
); );
@ -1206,7 +1206,7 @@ class TestSeeder extends Seeder {
'name' => 'update-scope-status', 'name' => 'update-scope-status',
'active' => true, 'active' => true,
'api_id' => $api_scope->id, 'api_id' => $api_scope->id,
'route' => 'api/v1/api-scope/status/{id}/{active}', 'route' => '/api/v1/api-scope/status/{id}/{active}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1216,7 +1216,7 @@ class TestSeeder extends Seeder {
'name' => 'scope-get-page', 'name' => 'scope-get-page',
'active' => true, 'active' => true,
'api_id' => $api_scope->id, 'api_id' => $api_scope->id,
'route' => 'api/v1/api-scope/{page_nbr}/{page_size}', 'route' => '/api/v1/api-scope/{page_nbr}/{page_size}',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
@ -1260,7 +1260,7 @@ class TestSeeder extends Seeder {
'name' => 'get-user-info', 'name' => 'get-user-info',
'active' => true, 'active' => true,
'api_id' => $users->id, 'api_id' => $users->id,
'route' => 'api/v1/users/me', 'route' => '/api/v1/users/me',
'http_method' => 'GET' 'http_method' => 'GET'
) )
); );
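Review bot: Every seeded `'route'` gains a leading slash by hand, which suggests the endpoint lookup that authorises API calls relies on an exact string match between the stored route and the request path. If so, an endpoint row entered without the slash (by an administrator, or by an older seed) silently misses the lookup, and whether that denies or permits the call depends on code outside this diff. Normalising once where routes are stored or compared — e.g. `'/' . ltrim($route, '/')` in the endpoint service — is more robust than fixing each literal. The seed change itself is fine; the point is where the normalisation should live.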


@ -19,20 +19,28 @@ use oauth2\IResourceServerContext;
class OAuth2BearerAccessTokenRequestValidator { class OAuth2BearerAccessTokenRequestValidator {
protected function headers() protected function getHeaders()
{ {
$headers = array();
if (function_exists('getallheaders')) { if (function_exists('getallheaders')) {
// @codeCoverageIgnoreStart // @codeCoverageIgnoreStart
$headers = getallheaders(); foreach(getallheaders() as $name => $value){
$headers[strtolower($name)] = $value;
}
} else { } else {
// @codeCoverageIgnoreEnd // @codeCoverageIgnoreEnd
$headers = array(); foreach ($_SERVER as $name => $value) {
foreach ($this->server() as $name => $value) {
if (substr($name, 0, 5) == 'HTTP_') { if (substr($name, 0, 5) == 'HTTP_') {
$name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5))))); $name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
$headers[$name] = $value; $headers[strtolower($name)] = $value;
} }
} }
foreach(Request::header() as $name => $value){
if(!array_key_exists($name,$headers))
$headers[strtolower($name)] = $value[0];
}
} }
return $headers; return $headers;
} }
@ -50,7 +58,7 @@ class OAuth2BearerAccessTokenRequestValidator {
$this->log_service = $log_service; $this->log_service = $log_service;
$this->checkpoint_service = $checkpoint_service; $this->checkpoint_service = $checkpoint_service;
$this->resource_server_context = $resource_server_context; $this->resource_server_context = $resource_server_context;
$this->headers = $this->headers(); $this->headers = $this->getHeaders();
} }
/** /**
@ -76,7 +84,7 @@ class OAuth2BearerAccessTokenRequestValidator {
} }
//check first http basic auth header //check first http basic auth header
$auth_header = isset($this->headers['Authorization'])?$this->headers['Authorization']:null; $auth_header = isset($this->headers['authorization'])?$this->headers['authorization']:null;
if(!is_null($auth_header) && !empty($auth_header)) if(!is_null($auth_header) && !empty($auth_header))
$access_token_value = BearerAccessTokenAuthorizationHeaderParser::getInstance()->parse($auth_header); $access_token_value = BearerAccessTokenAuthorizationHeaderParser::getInstance()->parse($auth_header);
else{ else{
@ -103,7 +111,7 @@ class OAuth2BearerAccessTokenRequestValidator {
$endpoint_scopes = explode(' ',$endpoint->getScope()); $endpoint_scopes = explode(' ',$endpoint->getScope());
$token_scopes = explode(' ',$access_token->getScope()); $token_scopes = explode(' ',$access_token->getScope());
//check token available scopes vs. endpoint scopes //check token available scopes vs. endpoint scopes
if (count(array_intersect($endpoint_scopes, $token_scopes)) === 0) if (count(array_intersect($endpoint_scopes, $token_scopes)) == 0)
{ {
$this->log_service->error_msg(sprintf('access token scopes (%s) does not allow to access to api url %s , needed scopes %s',$access_token->getScope(),$url,implode(' OR ',$endpoint_scopes) )); $this->log_service->error_msg(sprintf('access token scopes (%s) does not allow to access to api url %s , needed scopes %s',$access_token->getScope(),$url,implode(' OR ',$endpoint_scopes) ));
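Review bot: In the `$_SERVER` fallback of `getHeaders()` the `Request::header()` merge tests `array_key_exists($name,$headers)` with the un-lowered `$name`, but every key written into `$headers` is lowercased, so the guard only holds when `Request::header()` already yields lowercase keys; it should read `if(!array_key_exists(strtolower($name),$headers))`. Because the `getallheaders()` branch never consults `Request::header()`, the two SAPI paths can also disagree about which value wins when a request carries the same header twice, and the `isset($this->headers['authorization'])` consumer only ever sees the last one written. A comment at the top of the method stating that keys are normalised to lowercase and which source takes precedence would make that contract explicit, since the later lookups depend on it. `getHeaders()` is fully inside the hunk; the constructor and the validation method continue outside their hunks.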


@ -35,6 +35,6 @@ class AuthHelper
{ {
// Due to flawed base_convert() floating poing precision, // Due to flawed base_convert() floating poing precision,
// only the first 10 characters are consistently useful for comparisons. // only the first 10 characters are consistently useful for comparisons.
return (substr($hash1, 0, 10) === substr($hash2, 0, 10)); return (substr($hash1, 0, 10) == substr($hash2, 0, 10));
} }
} }
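Review bot: Loosening `===` to `==` on the hash-prefix comparison reintroduces PHP's numeric-string juggling: two 10-character prefixes that both parse as numbers — digest prefixes of the form `0e` followed by digits are the classic case — compare equal under `==` even though the strings differ, so the check can pass without a matching hash. Keep `return (substr($hash1, 0, 10) === substr($hash2, 0, 10));`, or, where the runtime is PHP 5.6 or later, `return hash_equals(substr($hash1, 0, 10), substr($hash2, 0, 10));`, which is also constant-time. The 10-character truncation is pre-existing and explained by the comment, but it shrinks the compared material considerably; a note that the limit is deliberate would help. The method's signature is above the hunk.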


@ -6,8 +6,6 @@ use Illuminate\Auth\UserInterface;
use Member; use Member;
use MemberPhoto; use MemberPhoto;
use openid\model\IOpenIdUser; use openid\model\IOpenIdUser;
use openid\services\OpenIdServiceCatalog;
use utils\services\ServiceLocator;
use oauth2\models\IOAuth2User; use oauth2\models\IOAuth2User;
use Eloquent; use Eloquent;
use utils\model\BaseModelEloquent; use utils\model\BaseModelEloquent;
@ -214,8 +212,7 @@ class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAu
if (!is_null($photoId) && is_numeric($photoId) && $photoId > 0) { if (!is_null($photoId) && is_numeric($photoId) && $photoId > 0) {
$photo = MemberPhoto::where('ID', '=', $photoId)->first(); $photo = MemberPhoto::where('ID', '=', $photoId)->first();
if(!is_null($photo)){ if(!is_null($photo)){
$server_configuration_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::ServerConfigurationService); $url = $photo->Filename;
$url = $server_configuration_service->getConfigValue("Assets.Url").$photo->Filename;
} }
} }
return $url; return $url;
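Review bot: `getPic()` now returns the bare `MemberPhoto` filename instead of an absolute assets URL, so every caller that rendered the old value — not only the `UserController` hunk in this commit, which re-adds the `Assets.Url` prefix — needs checking; any other path that exposes the picture could now emit a relative filename. Dropping `ServiceLocator` from the model is the right direction, but the contract change should be recorded in the method's docblock, e.g. `@return the stored filename relative to the assets URL (not an absolute URL); callers must add the prefix`. The method signature and `$url`'s initial value are above the hunk.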


@ -22,7 +22,7 @@ class BearerAccessTokenAuthorizationHeaderParser
public static function getInstance() public static function getInstance()
{ {
if (self::$instance === null) { if (self::$instance == null) {
self::$instance = new BearerAccessTokenAuthorizationHeaderParser(); self::$instance = new BearerAccessTokenAuthorizationHeaderParser();
} }
return self::$instance; return self::$instance;
@ -49,7 +49,7 @@ class BearerAccessTokenAuthorizationHeaderParser
} else { } else {
$accessTokenValue = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $http_auth_header_value)); $accessTokenValue = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $http_auth_header_value));
} }
$accessTokenValue = ($accessTokenValue === 'Bearer') ? '' : $accessTokenValue; $accessTokenValue = ($accessTokenValue == 'Bearer') ? '' : $accessTokenValue;
} }
if (empty($accessTokenValue)) { if (empty($accessTokenValue)) {
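Review bot: `self::$instance == null` and `$accessTokenValue == 'Bearer'` behave the same as the strict forms here (`'Bearer'` is not a numeric string, and an object never loosely equals null), so the change is purely stylistic — but it moves a parser of client-supplied header text away from the strict comparisons the rest of the class uses, and the reason is not stated; if the motive is mock-friendliness in the new test suite, a comment saying so would stop the next reviewer from reverting it. Also in the hunk, unrelated to the diff: `empty($accessTokenValue)` treats a token value of `'0'` as absent; `$accessTokenValue === ''` is the precise test. The surrounding `parse` logic begins above the second hunk.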


@ -62,8 +62,8 @@ class AuthorizationCodeGrantType extends AbstractGrantType
$reflector = new ReflectionClass($request); $reflector = new ReflectionClass($request);
$class_name = $reflector->getName(); $class_name = $reflector->getName();
return return
($class_name == 'oauth2\requests\OAuth2AuthorizationRequest' && $request->isValid() && $request->getResponseType() === $this->getResponseType()) || ($class_name == 'oauth2\requests\OAuth2AuthorizationRequest' && $request->isValid() && $request->getResponseType() == $this->getResponseType()) ||
($class_name == 'oauth2\requests\OAuth2TokenRequest' && $request->isValid() && $request->getGrantType() === $this->getType()); ($class_name == 'oauth2\requests\OAuth2TokenRequest' && $request->isValid() && $request->getGrantType() == $this->getType());
} }
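Review bot: `$request->getResponseType() == $this->getResponseType()` and `$request->getGrantType() == $this->getType()` now compare protocol discriminators loosely; under `==` a missing value (`null`) equals `''` and numeric-looking strings compare as numbers, so a request whose type parameter is absent could match a grant whose type is empty — whether that can occur depends on the getters, which are outside the hunk, but the strict form cost nothing and I would restore `===`. The same `===`→`==` change appears in `ClientCredentialsGrantType`, `ImplicitGrantType`, `RefreshBearerTokenGrantType`, `RevokeBearerTokenGrantType` and `OAuth2IndirectErrorResponseFactoryMethod` further down; the same comment applies to each. The class-name checks built on `ReflectionClass` would be both stricter and clearer as `$request instanceof OAuth2AuthorizationRequest`. The enclosing method's signature is above the hunk.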
/** /**


@ -53,7 +53,7 @@ class ClientCredentialsGrantType extends AbstractGrantType
$reflector = new ReflectionClass($request); $reflector = new ReflectionClass($request);
$class_name = $reflector->getName(); $class_name = $reflector->getName();
return return
($class_name == 'oauth2\requests\OAuth2TokenRequest' && $request->isValid() && $request->getGrantType() === $this->getType()); ($class_name == 'oauth2\requests\OAuth2TokenRequest' && $request->isValid() && $request->getGrantType() == $this->getType());
} }


@ -76,7 +76,7 @@ class ImplicitGrantType extends AbstractGrantType
$reflector = new ReflectionClass($request); $reflector = new ReflectionClass($request);
$class_name = $reflector->getName(); $class_name = $reflector->getName();
return return
($class_name == 'oauth2\requests\OAuth2AuthorizationRequest' && $request->isValid() && $request->getResponseType() === $this->getResponseType()); ($class_name == 'oauth2\requests\OAuth2AuthorizationRequest' && $request->isValid() && $request->getResponseType() == $this->getResponseType());
} }
/** get grant type response type /** get grant type response type


@ -39,7 +39,7 @@ class RefreshBearerTokenGrantType extends AbstractGrantType {
{ {
$reflector = new ReflectionClass($request); $reflector = new ReflectionClass($request);
$class_name = $reflector->getName(); $class_name = $reflector->getName();
return $class_name == 'oauth2\requests\OAuth2TokenRequest' && $request->isValid() && $request->getGrantType() === $this->getType(); return $class_name == 'oauth2\requests\OAuth2TokenRequest' && $request->isValid() && $request->getGrantType() == $this->getType();
} }
/** Not implemented , there is no first process phase on this grant type /** Not implemented , there is no first process phase on this grant type


@ -82,7 +82,7 @@ class RevokeBearerTokenGrantType extends AbstractGrantType
$reflector = new ReflectionClass($request); $reflector = new ReflectionClass($request);
$class_name = $reflector->getName(); $class_name = $reflector->getName();
if ($class_name === 'oauth2\requests\OAuth2TokenRevocationRequest') { if ($class_name == 'oauth2\requests\OAuth2TokenRevocationRequest') {
parent::completeFlow($request); parent::completeFlow($request);
$token_value = $request->getToken(); $token_value = $request->getToken();


@ -27,7 +27,7 @@ class AccessToken extends Token {
$instance->client_id = $auth_code->getClientId(); $instance->client_id = $auth_code->getClientId();
$instance->auth_code = $auth_code->getValue(); $instance->auth_code = $auth_code->getValue();
$instance->audience = $auth_code->getAudience(); $instance->audience = $auth_code->getAudience();
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
$instance->is_hashed = false; $instance->is_hashed = false;
return $instance; return $instance;
} }
@ -41,7 +41,7 @@ class AccessToken extends Token {
$instance->auth_code = null; $instance->auth_code = null;
$instance->audience = $audience; $instance->audience = $audience;
$instance->refresh_token = null; $instance->refresh_token = null;
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
$instance->is_hashed = false; $instance->is_hashed = false;
return $instance; return $instance;
} }
@ -56,7 +56,7 @@ class AccessToken extends Token {
$instance->auth_code = null; $instance->auth_code = null;
$instance->refresh_token = $refresh_token; $instance->refresh_token = $refresh_token;
$instance->audience = $refresh_token->getAudience(); $instance->audience = $refresh_token->getAudience();
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
$instance->is_hashed = false; $instance->is_hashed = false;
return $instance; return $instance;
} }
@ -71,7 +71,7 @@ class AccessToken extends Token {
$instance->audience = $auth_code->getAudience(); $instance->audience = $auth_code->getAudience();
$instance->from_ip = $auth_code->getFromIp(); $instance->from_ip = $auth_code->getFromIp();
$instance->issued = $issued; $instance->issued = $issued;
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
$instance->is_hashed = $is_hashed; $instance->is_hashed = $is_hashed;
return $instance; return $instance;
} }
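Review bot: `intval($lifetime)` turns any non-numeric or malformed lifetime into `0`, and the `Token::getRemainingLifetime()` hunk later in this commit documents `0` as infinite lifetime — so a configuration value that fails to parse now silently yields access tokens, authorization codes and refresh tokens that never expire instead of raising an error. Validate before converting: `if (!is_numeric($lifetime)) { throw new \InvalidArgumentException('lifetime must be numeric'); }` ahead of each `$instance->lifetime = intval($lifetime);` (or once in the `Token` base with the factories delegating to it), keeping `intval` only for the string-typed numeric value the change is presumably accommodating. The same pattern appears in both `AuthorizationCode` factories (`load` and the one above it), both `RefreshToken` factories, and `Token::getLifetime()`/`getRemainingLifetime()`. Each factory method starts above its hunk.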


@ -38,10 +38,10 @@ class AuthorizationCode extends Token {
$instance = new self(); $instance = new self();
$instance->value = Rand::getString($instance->len, OAuth2Protocol::VsChar, true); $instance->value = Rand::getString($instance->len, OAuth2Protocol::VsChar, true);
$instance->scope = $scope; $instance->scope = $scope;
$instance->user_id = $user_id; $instance->user_id = $user_id;
$instance->redirect_uri = $redirect_uri; $instance->redirect_uri = $redirect_uri;
$instance->client_id = $client_id; $instance->client_id = $client_id;
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
$instance->audience = $audience; $instance->audience = $audience;
$instance->is_hashed = false; $instance->is_hashed = false;
$instance->from_ip = IPHelper::getUserIp(); $instance->from_ip = IPHelper::getUserIp();
@ -69,17 +69,17 @@ class AuthorizationCode extends Token {
*/ */
public static function load($value, $user_id, $client_id, $scope,$audience='', $redirect_uri = null, $issued = null, $lifetime = 600, $from_ip = '127.0.0.1',$access_type = OAuth2Protocol::OAuth2Protocol_AccessType_Online,$approval_prompt = OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto,$has_previous_user_consent=false,$is_hashed = false){ public static function load($value, $user_id, $client_id, $scope,$audience='', $redirect_uri = null, $issued = null, $lifetime = 600, $from_ip = '127.0.0.1',$access_type = OAuth2Protocol::OAuth2Protocol_AccessType_Online,$approval_prompt = OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto,$has_previous_user_consent=false,$is_hashed = false){
$instance = new self(); $instance = new self();
$instance->value = $value; $instance->value = $value;
$instance->user_id = $user_id; $instance->user_id = $user_id;
$instance->scope = $scope; $instance->scope = $scope;
$instance->redirect_uri = $redirect_uri; $instance->redirect_uri = $redirect_uri;
$instance->client_id = $client_id; $instance->client_id = $client_id;
$instance->audience = $audience; $instance->audience = $audience;
$instance->issued = $issued; $instance->issued = $issued;
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
$instance->from_ip = $from_ip; $instance->from_ip = $from_ip;
$instance->is_hashed = $is_hashed; $instance->is_hashed = $is_hashed;
$instance->access_type = $access_type; $instance->access_type = $access_type;
$instance->approval_prompt = $approval_prompt; $instance->approval_prompt = $approval_prompt;
$instance->has_previous_user_consent = $has_previous_user_consent; $instance->has_previous_user_consent = $has_previous_user_consent;
return $instance; return $instance;


@ -41,7 +41,7 @@ class RefreshToken extends Token {
$instance->client_id = $access_token->getClientId(); $instance->client_id = $access_token->getClientId();
$instance->audience = $access_token->getAudience(); $instance->audience = $access_token->getAudience();
$instance->from_ip = IPHelper::getUserIp(); $instance->from_ip = IPHelper::getUserIp();
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
$instance->is_hashed = false; $instance->is_hashed = false;
return $instance; return $instance;
} }
@ -56,7 +56,7 @@ class RefreshToken extends Token {
$instance->from_ip = $params['from_ip']; $instance->from_ip = $params['from_ip'];
$instance->issued = $params['issued']; $instance->issued = $params['issued'];
$instance->is_hashed = isset($params['is_hashed'])?$params['is_hashed']:false; $instance->is_hashed = isset($params['is_hashed'])?$params['is_hashed']:false;
$instance->lifetime = $lifetime; $instance->lifetime = intval($lifetime);
return $instance; return $instance;
} }


@ -45,7 +45,7 @@ abstract class Token
public function getLifetime() public function getLifetime()
{ {
return $this->lifetime; return intval($this->lifetime);
} }
public function getScope() public function getScope()
@ -75,9 +75,9 @@ abstract class Token
public function getRemainingLifetime() public function getRemainingLifetime()
{ {
//check is refresh token is stills alive... (ZERO is infinite lifetime) //check is refresh token is stills alive... (ZERO is infinite lifetime)
if ($this->lifetime === 0) return 0; if (intval($this->lifetime) == 0) return 0;
$created_at = new DateTime($this->issued); $created_at = new DateTime($this->issued);
$created_at->add(new DateInterval('PT' . $this->lifetime . 'S')); $created_at->add(new DateInterval('PT' . intval($this->lifetime) . 'S'));
$now = new DateTime(gmdate("Y-m-d H:i:s", time())); $now = new DateTime(gmdate("Y-m-d H:i:s", time()));
//check validity... //check validity...
if ($now > $created_at) if ($now > $created_at)


@ -22,7 +22,7 @@ class OAuth2IndirectErrorResponseFactoryMethod {
$response = null; $response = null;
$reflector = new ReflectionClass($request); $reflector = new ReflectionClass($request);
$class_name = $reflector->getName(); $class_name = $reflector->getName();
if($class_name ==='oauth2\requests\OAuth2AuthorizationRequest'){ if($class_name =='oauth2\requests\OAuth2AuthorizationRequest'){
$response_type = $request->getResponseType(); $response_type = $request->getResponseType();
switch($response_type){ switch($response_type){
case OAuth2Protocol::OAuth2Protocol_ResponseType_Token: case OAuth2Protocol::OAuth2Protocol_ResponseType_Token:


@ -19,6 +19,8 @@ use openid\services\IServerConfigurationService;
use openid\services\INonceService; use openid\services\INonceService;
use utils\services\IAuthService; use utils\services\IAuthService;
use utils\services\ICheckPointService; use utils\services\ICheckPointService;
use utils\services\IServerConfigurationService as IUtilsServerConfigurationService;
@ -139,10 +141,11 @@ class OpenIdProtocol implements IOpenIdProtocol
IServerConfigurationService $server_config_service, IServerConfigurationService $server_config_service,
INonceService $nonce_service, INonceService $nonce_service,
ILogService $log_service, ILogService $log_service,
ICheckPointService $checkpoint_service) ICheckPointService $checkpoint_service,
IUtilsServerConfigurationService $utils_configuration_service)
{ {
//create chain of responsibility //create chain of responsibility
$check_auth = new OpenIdCheckAuthenticationRequestHandler($association_service, $nonce_service, $log_service,$checkpoint_service, null); $check_auth = new OpenIdCheckAuthenticationRequestHandler($association_service, $nonce_service, $log_service,$checkpoint_service,$utils_configuration_service,$server_config_service, null);
$session_assoc = new OpenIdSessionAssociationRequestHandler($log_service,$checkpoint_service, $check_auth); $session_assoc = new OpenIdSessionAssociationRequestHandler($log_service,$checkpoint_service, $check_auth);
$this->request_handlers = new OpenIdAuthenticationRequestHandler($auth_service, $memento_request_service, $auth_strategy, $server_extension_service, $association_service, $trusted_sites_service, $server_config_service, $nonce_service, $log_service,$checkpoint_service, $session_assoc); $this->request_handlers = new OpenIdAuthenticationRequestHandler($auth_service, $memento_request_service, $auth_strategy, $server_extension_service, $association_service, $trusted_sites_service, $server_config_service, $nonce_service, $log_service,$checkpoint_service, $session_assoc);
$this->server_extension_service = $server_extension_service; $this->server_extension_service = $server_extension_service;


@ -21,19 +21,21 @@ abstract class OpenIdExtension
protected $name; protected $name;
protected $description; protected $description;
protected $view; protected $view;
protected $log_service; protected $log_service;
/** /**
* @param $name * @param $name
* @param $namespace * @param $namespace
* @param $view * @param $view_name
* @param $description * @param $description
*/ * @param ILogService $log_service
public function __construct($name, $namespace, $view, $description, ILogService $log_service) */
public function __construct($name, $namespace, $view_name, $description, ILogService $log_service)
{ {
$this->namespace = $namespace; $this->namespace = $namespace;
$this->name = $name; $this->name = $name;
$this->view = $view; $this->view = $view_name;
$this->description = $description; $this->description = $description;
$this->log_service = $log_service; $this->log_service = $log_service;
} }


@ -10,9 +10,8 @@ use openid\requests\contexts\RequestContext;
use openid\requests\OpenIdRequest; use openid\requests\OpenIdRequest;
use openid\responses\contexts\ResponseContext; use openid\responses\contexts\ResponseContext;
use openid\responses\OpenIdResponse; use openid\responses\OpenIdResponse;
use utils\services\ServiceLocator;
use utils\services\UtilsServiceCatalog;
use utils\services\ILogService; use utils\services\ILogService;
use utils\services\IAuthService;
/** /**
* Class OpenIdAXExtension * Class OpenIdAXExtension
* Implements * Implements
@ -36,9 +35,22 @@ class OpenIdAXExtension extends OpenIdExtension
const FetchRequest = "fetch_request"; const FetchRequest = "fetch_request";
public static $available_properties; public static $available_properties;
public function __construct($name, $namespace, $view, $description, ILogService $log_service) private $auth_service;
/**
* @param $name
* @param $namespace
* @param $view_name
* @param $description
* @param IAuthService $auth_service
* @param ILogService $log_service
*/
public function __construct($name, $namespace, $view_name, $description,
IAuthService $auth_service,
ILogService $log_service)
{ {
parent::__construct($name, $namespace, $view, $description, $log_service); parent::__construct($name, $namespace, $view_name, $description, $log_service);
$this->auth_service = $auth_service;
self::$available_properties[OpenIdAXExtension::Country] = "http://axschema.org/contact/country/home"; self::$available_properties[OpenIdAXExtension::Country] = "http://axschema.org/contact/country/home";
self::$available_properties[OpenIdAXExtension::Email] = "http://axschema.org/contact/email"; self::$available_properties[OpenIdAXExtension::Email] = "http://axschema.org/contact/email";
self::$available_properties[OpenIdAXExtension::FirstMame] = "http://axschema.org/namePerson/first"; self::$available_properties[OpenIdAXExtension::FirstMame] = "http://axschema.org/namePerson/first";
@ -74,8 +86,7 @@ class OpenIdAXExtension extends OpenIdExtension
$context->addSignParam(self::param(self::Mode)); $context->addSignParam(self::param(self::Mode));
$attributes = $ax_request->getRequiredAttributes(); $attributes = $ax_request->getRequiredAttributes();
$auth_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::AuthenticationService); $user = $this->auth_service->getCurrentUser();
$user = $auth_service->getCurrentUser();
foreach ($attributes as $attr) { foreach ($attributes as $attr) {
$response->addParam(self::param(self::Type) . "." . $attr, self::$available_properties[$attr]); $response->addParam(self::param(self::Type) . "." . $attr, self::$available_properties[$attr]);
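Review bot: `$user = $this->auth_service->getCurrentUser();` feeds the attribute loop, which continues outside the hunk, with no guard for a null result; if the auth service can return null when no user is logged in (not visible here), the loop would dereference null while building the response. An explicit null check on `$user` before the `foreach`, handled the way this extension treats an unauthenticated request, would make that failure mode deliberate rather than accidental. The same pattern is in the OpenIdSREGExtension section further down (`$user = $this->auth_service->getCurrentUser();`). The new `private $auth_service;` property would also benefit from a `/** @var IAuthService */` docblock.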


@ -2,8 +2,10 @@
namespace openid\extensions\implementations; namespace openid\extensions\implementations;
use oauth2\IOAuth2Protocol;
use oauth2\services\IApiScopeService;
use oauth2\services\IClientService;
use openid\requests\contexts\PartialView; use openid\requests\contexts\PartialView;
use oauth2\services\OAuth2ServiceCatalog;
use openid\extensions\OpenIdExtension; use openid\extensions\OpenIdExtension;
use openid\OpenIdProtocol; use openid\OpenIdProtocol;
use openid\requests\contexts\RequestContext; use openid\requests\contexts\RequestContext;
@ -12,8 +14,7 @@ use openid\responses\contexts\ResponseContext;
use openid\responses\OpenIdResponse; use openid\responses\OpenIdResponse;
use Exception; use Exception;
use utils\services\ServiceLocator; use utils\services\ICheckPointService;
use utils\services\UtilsServiceCatalog;
use utils\services\ILogService; use utils\services\ILogService;
use oauth2\requests\OAuth2AuthorizationRequest; use oauth2\requests\OAuth2AuthorizationRequest;
@ -48,20 +49,30 @@ class OpenIdOAuth2Extension extends OpenIdExtension
private $client_service; private $client_service;
private $scope_service; private $scope_service;
/** /**
* @param $name * @param $name
* @param $namespace * @param $namespace
* @param $view * @param $view_name
* @param $description * @param $description
*/ * @param IOAuth2Protocol $oauth2_protocol
public function __construct($name, $namespace, $view, $description, ILogService $log_service) * @param IClientService $client_service
* @param IApiScopeService $scope_service
* @param ICheckPointService $checkpoint_service
* @param ILogService $log_service
*/
public function __construct($name, $namespace, $view_name, $description,
IOAuth2Protocol $oauth2_protocol,
IClientService $client_service,
IApiScopeService $scope_service,
ICheckPointService $checkpoint_service,
ILogService $log_service)
{ {
parent::__construct($name, $namespace, $view, $description,$log_service); parent::__construct($name, $namespace, $view_name, $description,$log_service);
$this->oauth2_protocol = ServiceLocator::getInstance()->getService('oauth2\IOAuth2Protocol'); $this->oauth2_protocol = $oauth2_protocol;
$this->checkpoint_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::CheckPointService); $this->client_service = $client_service;
$this->client_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::ClientService); $this->scope_service = $scope_service;
$this->scope_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::ScopeService); $this->checkpoint_service = $checkpoint_service;
} }
/** /**


@ -9,11 +9,9 @@ use openid\requests\contexts\RequestContext;
use openid\requests\OpenIdRequest; use openid\requests\OpenIdRequest;
use openid\responses\contexts\ResponseContext; use openid\responses\contexts\ResponseContext;
use openid\responses\OpenIdResponse; use openid\responses\OpenIdResponse;
use utils\services\ServiceLocator; use utils\services\IAuthService;
use utils\services\UtilsServiceCatalog;
use Exception;
use utils\services\ILogService; use utils\services\ILogService;
use Exception;
/** /**
* Class OpenIdSREGExtension * Class OpenIdSREGExtension
* Implements http://openid.net/specs/openid-simple-registration-extension-1_0.html * Implements http://openid.net/specs/openid-simple-registration-extension-1_0.html
@ -42,9 +40,22 @@ class OpenIdSREGExtension extends OpenIdExtension
public static $available_properties; public static $available_properties;
public function __construct($name, $namespace, $view, $description, ILogService $log_service) private $auth_service;
/**
* @param $name
* @param $namespace
* @param $view_name
* @param $description
* @param IAuthService $auth_service
* @param ILogService $log_service
*/
public function __construct($name, $namespace, $view_name , $description,
IAuthService $auth_service,
ILogService $log_service)
{ {
parent::__construct($name, $namespace, $view, $description,$log_service); parent::__construct($name, $namespace, $view_name, $description,$log_service);
$this->auth_service = $auth_service;
self::$available_properties[OpenIdSREGExtension::Nickname] = OpenIdSREGExtension::Nickname; self::$available_properties[OpenIdSREGExtension::Nickname] = OpenIdSREGExtension::Nickname;
self::$available_properties[OpenIdSREGExtension::Email] = OpenIdSREGExtension::Email; self::$available_properties[OpenIdSREGExtension::Email] = OpenIdSREGExtension::Email;
self::$available_properties[OpenIdSREGExtension::FullName] = OpenIdSREGExtension::FullName; self::$available_properties[OpenIdSREGExtension::FullName] = OpenIdSREGExtension::FullName;
@ -91,8 +102,7 @@ class OpenIdSREGExtension extends OpenIdExtension
$opt_attributes = $simple_reg_request->getOptionalAttributes(); $opt_attributes = $simple_reg_request->getOptionalAttributes();
$attributes = array_merge($attributes, $opt_attributes); $attributes = array_merge($attributes, $opt_attributes);
$auth_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::AuthenticationService); $user = $this->auth_service->getCurrentUser();
$user = $auth_service->getCurrentUser();
foreach ($attributes as $attr => $value) { foreach ($attributes as $attr => $value) {
$context->addSignParam(self::param($attr)); $context->addSignParam(self::param($attr));


@ -86,7 +86,8 @@ class OpenIdAuthenticationRequestHandler extends OpenIdMessageHandler
{ {
$this->current_request = null; $this->current_request = null;
try { try {
$this->current_request = new OpenIdAuthenticationRequest($message);
$this->current_request = new OpenIdAuthenticationRequest($message,$this->server_configuration_service->getUserIdentityEndpointURL('@identifier'));
if (!$this->current_request->isValid()){ if (!$this->current_request->isValid()){
throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdAuthenticationRequestMessage); throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdAuthenticationRequestMessage);
@ -189,7 +190,7 @@ class OpenIdAuthenticationRequestHandler extends OpenIdMessageHandler
$requested_data = $this->current_request_context->getTrustedData(); $requested_data = $this->current_request_context->getTrustedData();
$sites = $this->trusted_sites_service->getTrustedSites($currentUser, $this->current_request->getRealm(), $requested_data); $sites = $this->trusted_sites_service->getTrustedSites($currentUser, $this->current_request->getRealm(), $requested_data);
//check trusted sites //check trusted sites
if (is_null($sites) || count($sites) === 0) if (is_null($sites) || count($sites) == 0)
return $this->doConsentProcess(); return $this->doConsentProcess();
//there are trusted sites ... check the former authorization decision //there are trusted sites ... check the former authorization decision
$site = $sites[0]; $site = $sites[0];


@ -17,8 +17,10 @@ use openid\responses\OpenIdCheckAuthenticationResponse;
use openid\responses\OpenIdDirectGenericErrorResponse; use openid\responses\OpenIdDirectGenericErrorResponse;
use openid\services\IAssociationService; use openid\services\IAssociationService;
use openid\services\INonceService; use openid\services\INonceService;
use openid\services\IServerConfigurationService as IOpenIdServerConfigurationService;
use utils\services\ILogService; use utils\services\ILogService;
use utils\services\ICheckPointService; use utils\services\ICheckPointService;
use utils\services\IServerConfigurationService;
/** /**
* Class OpenIdCheckAuthenticationRequestHandler * Class OpenIdCheckAuthenticationRequestHandler
@ -34,24 +36,40 @@ class OpenIdCheckAuthenticationRequestHandler extends OpenIdMessageHandler
private $association_service; private $association_service;
private $nonce_service; private $nonce_service;
private $configuration_service;
private $openid_configuration_service;
public function __construct(IAssociationService $association_service, /**
* @param IAssociationService $association_service
* @param INonceService $nonce_service
* @param ILogService $log_service
* @param ICheckPointService $checkpoint_service
* @param IServerConfigurationService $configuration_service
* @param IOpenIdServerConfigurationService $openid_configuration_service
* @param $successor
*/
public function __construct(IAssociationService $association_service,
INonceService $nonce_service, INonceService $nonce_service,
ILogService $log_service, ILogService $log_service,
ICheckPointService $checkpoint_service, ICheckPointService $checkpoint_service,
IServerConfigurationService $configuration_service,
IOpenIdServerConfigurationService $openid_configuration_service,
$successor) $successor)
{ {
parent::__construct($successor, $log_service, $checkpoint_service); parent::__construct($successor, $log_service, $checkpoint_service);
$this->association_service = $association_service;
$this->nonce_service = $nonce_service; $this->association_service = $association_service;
$this->nonce_service = $nonce_service;
$this->configuration_service = $configuration_service;
$this->openid_configuration_service = $openid_configuration_service;
} }
protected function internalHandle(OpenIdMessage $message) protected function internalHandle(OpenIdMessage $message)
{ {
$this->current_request = null; $this->current_request = null;
try { try {
$this->current_request = new OpenIdCheckAuthenticationRequest($message);
$this->current_request = new OpenIdCheckAuthenticationRequest($message,$this->openid_configuration_service->getOPEndpointURL());
if (!$this->current_request->isValid()) if (!$this->current_request->isValid())
throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdCheckAuthenticationRequestMessage); throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdCheckAuthenticationRequestMessage);
@ -76,6 +94,9 @@ class OpenIdCheckAuthenticationRequestHandler extends OpenIdMessageHandler
$claimed_nonce = new OpenIdNonce($this->current_request->getNonce()); $claimed_nonce = new OpenIdNonce($this->current_request->getNonce());
if(!$claimed_nonce->isValid(intval($this->configuration_service->getConfigValue('Nonce.Lifetime'))))
throw new InvalidNonce();
$this->nonce_service->lockNonce($claimed_nonce); $this->nonce_service->lockNonce($claimed_nonce);
$claimed_sig = $this->current_request->getSig(); $claimed_sig = $this->current_request->getSig();
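Review bot: The new skew check derives its window from `intval($this->configuration_service->getConfigValue('Nonce.Lifetime'))`, so a missing or non-numeric config value silently becomes `0`, which would most likely make the nonce window degenerate and reject legitimate nonces while hiding the real cause (misconfiguration) behind an `InvalidNonce` carrying no message. Consider failing fast when the configured lifetime is not a positive integer, and giving the exception a message, e.g. `throw new InvalidNonce('nonce timestamp outside the allowed window');` (constructed wording). `InvalidNonce` must also be imported in this file; it is not among the visible `use` lines, though earlier imports are outside the hunk. Performing the skew check before `lockNonce()` is the right order, since a stale nonce then never consumes nonce storage.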


@ -22,7 +22,9 @@ use utils\services\ICheckPointService;
class OpenIdSessionAssociationRequestHandler extends OpenIdMessageHandler class OpenIdSessionAssociationRequestHandler extends OpenIdMessageHandler
{ {
public function __construct(ILogService $log,ICheckPointService $checkpoint_service, $successor) public function __construct(ILogService $log,
ICheckPointService $checkpoint_service,
$successor)
{ {
parent::__construct($successor, $log,$checkpoint_service); parent::__construct($successor, $log,$checkpoint_service);
} }


@ -8,6 +8,9 @@ use openid\handlers\strategies\ISessionAssociationStrategy;
use openid\OpenIdMessage; use openid\OpenIdMessage;
use openid\requests\OpenIdAssociationSessionRequest; use openid\requests\OpenIdAssociationSessionRequest;
use openid\requests\OpenIdDHAssociationSessionRequest; use openid\requests\OpenIdDHAssociationSessionRequest;
use openid\services\OpenIdServiceCatalog;
use utils\services\ServiceLocator;
use utils\services\UtilsServiceCatalog;
class SessionAssociationRequestFactory class SessionAssociationRequestFactory
{ {
@ -25,10 +28,15 @@ class SessionAssociationRequestFactory
*/ */
public static function buildSessionAssociationStrategy(OpenIdMessage $message) public static function buildSessionAssociationStrategy(OpenIdMessage $message)
{ {
$association_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::AssociationService);
$configuration_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::ServerConfigurationService);
$log_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::LogService);
if (OpenIdDHAssociationSessionRequest::IsOpenIdDHAssociationSessionRequest($message)) if (OpenIdDHAssociationSessionRequest::IsOpenIdDHAssociationSessionRequest($message))
return new SessionAssociationDHStrategy(new OpenIdDHAssociationSessionRequest($message)); return new SessionAssociationDHStrategy(new OpenIdDHAssociationSessionRequest($message),$association_service,$configuration_service,$log_service);
if (OpenIdAssociationSessionRequest::IsOpenIdAssociationSessionRequest($message)) if (OpenIdAssociationSessionRequest::IsOpenIdAssociationSessionRequest($message))
return new SessionAssociationUnencryptedStrategy(new OpenIdAssociationSessionRequest($message)); return new SessionAssociationUnencryptedStrategy(new OpenIdAssociationSessionRequest($message),$association_service,$configuration_service,$log_service);
return null; return null;
} }
} }
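Review bot: `$configuration_service` is resolved here from `UtilsServiceCatalog::ServerConfigurationService` and passed to both strategies, whose new constructors (later on this page) type-hint `openid\services\IServerConfigurationService`, whereas the strategy code this replaces resolved `OpenIdServiceCatalog::ServerConfigurationService`. Unless the same implementation is registered under both catalog keys, the type hint will fail at construction; resolving `OpenIdServiceCatalog::ServerConfigurationService` here would match both the old behaviour and the declared parameter type. The three lookups also run before either `Is...Request` check, so the `return null` path pays for service resolution it never uses. Moving them below the checks — or, better, injecting the services into this factory so the ServiceLocator dependency does not merely move up one level — would be more in line with the commit's testability goal.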


@ -8,10 +8,11 @@ use openid\helpers\OpenIdCryptoHelper;
use openid\model\IAssociation; use openid\model\IAssociation;
use openid\requests\OpenIdDHAssociationSessionRequest; use openid\requests\OpenIdDHAssociationSessionRequest;
use openid\responses\OpenIdDiffieHellmanAssociationSessionResponse; use openid\responses\OpenIdDiffieHellmanAssociationSessionResponse;
use openid\services\OpenIdServiceCatalog;
use utils\services\ServiceLocator;
use utils\services\UtilsServiceCatalog;
use Zend\Crypt\PublicKey\DiffieHellman; use Zend\Crypt\PublicKey\DiffieHellman;
//services
use openid\services\IAssociationService;
use openid\services\IServerConfigurationService;
use utils\services\ILogService;
class SessionAssociationDHStrategy implements ISessionAssociationStrategy class SessionAssociationDHStrategy implements ISessionAssociationStrategy
{ {
@ -19,17 +20,23 @@ class SessionAssociationDHStrategy implements ISessionAssociationStrategy
private $association_service; private $association_service;
private $server_configuration_service; private $server_configuration_service;
private $current_request; private $current_request;
private $log; private $log_service;
/** /**
* @param OpenIdDHAssociationSessionRequest $request * @param OpenIdDHAssociationSessionRequest $request
*/ * @param IAssociationService $association_service
public function __construct(OpenIdDHAssociationSessionRequest $request) * @param IServerConfigurationService $server_configuration_service
* @param ILogService $log_service
*/
public function __construct(OpenIdDHAssociationSessionRequest $request,
IAssociationService $association_service,
IServerConfigurationService $server_configuration_service,
ILogService $log_service)
{ {
$this->current_request = $request; $this->current_request = $request;
$this->association_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::AssociationService); $this->association_service = $association_service;
$this->server_configuration_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog:: ServerConfigurationService); $this->server_configuration_service = $server_configuration_service;
$this->log = ServiceLocator::getInstance()->getService(UtilsServiceCatalog:: LogService); $this->log_service = $log_service;
} }
/** /**
@ -64,14 +71,14 @@ class SessionAssociationDHStrategy implements ISessionAssociationStrategy
} catch (InvalidDHParam $exDH) { } catch (InvalidDHParam $exDH) {
$response = new OpenIdDirectGenericErrorResponse($exDH->getMessage()); $response = new OpenIdDirectGenericErrorResponse($exDH->getMessage());
$this->log->error($exDH); $this->log_service->error($exDH);
} catch (InvalidArgumentException $exDH1) { } catch (InvalidArgumentException $exDH1) {
$response = new OpenIdDirectGenericErrorResponse($exDH1->getMessage()); $response = new OpenIdDirectGenericErrorResponse($exDH1->getMessage());
$this->log->error($exDH1); $this->log_service->error($exDH1);
} catch (RuntimeException $exDH2) { } catch (RuntimeException $exDH2) {
$response = new OpenIdDirectGenericErrorResponse($exDH2->getMessage()); $response = new OpenIdDirectGenericErrorResponse($exDH2->getMessage());
$this->log->error($exDH2); $this->log_service->error($exDH2);
} }
return $response; return $response;
} }


@ -10,12 +10,14 @@ use openid\model\IAssociation;
use openid\requests\OpenIdAssociationSessionRequest; use openid\requests\OpenIdAssociationSessionRequest;
use openid\responses\OpenIdAssociationSessionResponse; use openid\responses\OpenIdAssociationSessionResponse;
use openid\responses\OpenIdUnencryptedAssociationSessionResponse; use openid\responses\OpenIdUnencryptedAssociationSessionResponse;
use openid\services\OpenIdServiceCatalog;
use utils\services\ServiceLocator;
use utils\services\UtilsServiceCatalog;
use Zend\Crypt\Exception\InvalidArgumentException; use Zend\Crypt\Exception\InvalidArgumentException;
use Zend\Crypt\Exception\RuntimeException; use Zend\Crypt\Exception\RuntimeException;
//services
use openid\services\IAssociationService;
use openid\services\IServerConfigurationService;
use utils\services\ILogService;
class SessionAssociationUnencryptedStrategy implements ISessionAssociationStrategy { class SessionAssociationUnencryptedStrategy implements ISessionAssociationStrategy {
@ -24,12 +26,15 @@ class SessionAssociationUnencryptedStrategy implements ISessionAssociationStrate
private $current_request; private $current_request;
private $log_service; private $log_service;
public function __construct(OpenIdAssociationSessionRequest $request) public function __construct(OpenIdAssociationSessionRequest $request,
IAssociationService $association_service,
IServerConfigurationService $server_configuration_service,
ILogService $log_service)
{ {
$this->current_request = $request; $this->current_request = $request;
$this->association_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::AssociationService); $this->association_service = $association_service;
$this->server_configuration_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog:: ServerConfigurationService); $this->server_configuration_service = $server_configuration_service;
$this->log_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog:: LogService); $this->log_service = $log_service;
} }
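Review bot: The new constructor signature is undocumented, while the parallel SessionAssociationDHStrategy constructor in the preceding section received a docblock. Add the matching block above `public function __construct(...)` — `@param OpenIdAssociationSessionRequest $request`, `@param IAssociationService $association_service`, `@param IServerConfigurationService $server_configuration_service`, `@param ILogService $log_service` — so the two strategies read alike.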
/** /**


@ -143,9 +143,9 @@ class OpenIdCryptoHelper
return openssl_digest($data, $func, true); return openssl_digest($data, $func, true);
} else if (function_exists('hash')) { } else if (function_exists('hash')) {
return hash($func, $data, true); return hash($func, $data, true);
} else if ($func === 'sha1') { } else if ($func == 'sha1') {
return sha1($data, true); return sha1($data, true);
} else if ($func === 'sha256') { } else if ($func == 'sha256') {
if (function_exists('mhash')) { if (function_exists('mhash')) {
return mhash(MHASH_SHA256, $data); return mhash(MHASH_SHA256, $data);
} }


@ -56,7 +56,7 @@ class OpenIdSignatureBuilder
$params = $context->getSignParams(); $params = $context->getSignParams();
foreach ($params as $key) { foreach ($params as $key) {
if (strpos($key, 'openid.') === 0) { if (strpos($key, 'openid.') == 0) {
$val = $response[$key]; $val = $response[$key];
$key = substr($key, strlen('openid.')); $key = substr($key, strlen('openid.'));
if (!empty($signed)) { if (!empty($signed)) {
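Review bot: `strpos($key, 'openid.') == 0` on the new side is a correctness regression, not a style choice: `strpos()` returns `false` when the needle is absent, and `false == 0` is true under loose comparison, so any signed parameter name that does not start with `openid.` now enters the branch and has its first seven characters stripped by the `substr()` below. Restore `if (strpos($key, 'openid.') === 0) {`. The loop body continues outside the hunk.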


@ -4,8 +4,6 @@ namespace openid\model;
use openid\exceptions\InvalidNonce; use openid\exceptions\InvalidNonce;
use openid\helpers\OpenIdErrorMessages; use openid\helpers\OpenIdErrorMessages;
use utils\services\ServiceLocator;
use utils\services\UtilsServiceCatalog;
class OpenIdNonce class OpenIdNonce
{ {
@ -39,7 +37,7 @@ class OpenIdNonce
$timestamp = @gmmktime($tm_hour, $tm_min, $tm_sec, $tm_mon, $tm_mday, $tm_year); $timestamp = @gmmktime($tm_hour, $tm_min, $tm_sec, $tm_mon, $tm_mday, $tm_year);
if ($timestamp === false || $timestamp < 0) { if ($timestamp == false || $timestamp < 0) {
throw new InvalidNonce(sprintf(OpenIdErrorMessages::InvalidNonceTimestampMessage, $nonce_str)); throw new InvalidNonce(sprintf(OpenIdErrorMessages::InvalidNonceTimestampMessage, $nonce_str));
} }
@ -63,18 +61,18 @@ class OpenIdNonce
return $this->$unique_id; return $this->$unique_id;
} }
/** /**
* The time-stamp MAY be used to reject responses that are too far away from the current time, * The time-stamp MAY be used to reject responses that are too far away from the current time,
* limiting the amount of time that nonces must be stored to prevent attacks. * limiting the amount of time that nonces must be stored to prevent attacks.
* The acceptable range is out of the scope of this specification. * The acceptable range is out of the scope of this specification.
* A larger range requires storing more nonces for a longer time. * A larger range requires storing more nonces for a longer time.
* A shorter range increases the chance that clock-skew and transaction time will cause * A shorter range increases the chance that clock-skew and transaction time will cause
* a spurious rejection. * a spurious rejection.
*/ * @param $allowed_skew
public function isValid() * @return bool
*/
public function isValid($allowed_skew)
{ {
$server_configuration_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::ServerConfigurationService);
$allowed_skew = $server_configuration_service->getConfigValue("Nonce.Lifetime");
$now = time(); $now = time();
// Time after which we should not use the nonce // Time after which we should not use the nonce
$past = $now - $allowed_skew; $past = $now - $allowed_skew;
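Review bot: The new `@param $allowed_skew` line gives neither type nor unit, yet the body computes `$past = $now - $allowed_skew;` against `time()`, so the value is a number of seconds; document it as `@param int $allowed_skew Maximum accepted distance, in seconds, between the nonce timestamp and the current time`. It would also be worth rejecting a non-positive skew up front, since a zero value (which the caller's `intval()` produces from a missing config key) makes the window degenerate. isValid's body continues outside the hunk.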


@ -2,22 +2,32 @@
namespace openid\requests; namespace openid\requests;
use openid\exceptions\InvalidOpenIdMessageException;
use openid\helpers\OpenIdUriHelper; use openid\helpers\OpenIdUriHelper;
use openid\OpenIdMessage; use openid\OpenIdMessage;
use openid\OpenIdProtocol; use openid\OpenIdProtocol;
/**
use openid\services\OpenIdServiceCatalog; * Class OpenIdAuthenticationRequest
use utils\services\ServiceLocator; * @package openid\requests
use Exception; */
class OpenIdAuthenticationRequest extends OpenIdRequest class OpenIdAuthenticationRequest extends OpenIdRequest
{ {
private $user_identity_endpoint;
public function __construct(OpenIdMessage $message) /**
* @param OpenIdMessage $message
* @param null $user_identity_endpoint
*/
public function __construct(OpenIdMessage $message, $user_identity_endpoint = null)
{ {
parent::__construct($message); parent::__construct($message);
$this->user_identity_endpoint = $user_identity_endpoint;
if(!empty($this->user_identity_endpoint)){
if(!str_contains($this->user_identity_endpoint,'@identifier')){
throw new InvalidOpenIdMessageException("user_identity_endpoint value must contain @identifier placeholder!.");
}
}
} }
public static function IsOpenIdAuthenticationRequest(OpenIdMessage $message) public static function IsOpenIdAuthenticationRequest(OpenIdMessage $message)
@ -34,24 +44,24 @@ class OpenIdAuthenticationRequest extends OpenIdRequest
public function isValid() public function isValid()
{ {
$res = true;
try{
$return_to = $this->getReturnTo();
$claimed_id = $this->getClaimedId();
$identity = $this->getIdentity();
$mode = $this->getMode();
$realm = $this->getRealm();
$valid_realm = OpenIdUriHelper::checkRealm($realm, $return_to);
$valid_id = $this->isValidIdentifier($claimed_id, $identity);
$res = !empty($return_to) $return_to = $this->getReturnTo();
$claimed_id = $this->getClaimedId();
$identity = $this->getIdentity();
$mode = $this->getMode();
$realm = $this->getRealm();
$valid_id = $this->isValidIdentifier($claimed_id, $identity);
$valid_realm = OpenIdUriHelper::checkRealm($realm, $return_to);
$res = !empty($return_to)
&& !empty($realm) && !empty($realm)
&& $valid_realm && $valid_realm
&& !empty($claimed_id) && !empty($claimed_id)
&& !empty($identity) && !empty($identity)
&& $valid_id && $valid_id
&& !empty($mode) && ($mode == OpenIdProtocol::ImmediateMode || $mode == OpenIdProtocol::SetupMode); && !empty($mode) && ($mode == OpenIdProtocol::ImmediateMode || $mode == OpenIdProtocol::SetupMode);
if(!$res){
if(!$res){
$msg = sprintf("return_to is empty? %b.",empty($return_to)).PHP_EOL; $msg = sprintf("return_to is empty? %b.",empty($return_to)).PHP_EOL;
$msg = $msg.sprintf("realm is empty? %b.",empty($realm)).PHP_EOL; $msg = $msg.sprintf("realm is empty? %b.",empty($realm)).PHP_EOL;
$msg = $msg.sprintf("claimed_id is empty? %b.",empty($claimed_id)).PHP_EOL; $msg = $msg.sprintf("claimed_id is empty? %b.",empty($claimed_id)).PHP_EOL;
@ -59,13 +69,9 @@ class OpenIdAuthenticationRequest extends OpenIdRequest
$msg = $msg.sprintf("mode is empty? %b.",empty($mode)).PHP_EOL; $msg = $msg.sprintf("mode is empty? %b.",empty($mode)).PHP_EOL;
$msg = $msg.sprintf("is valid realm? %b.",$valid_realm).PHP_EOL; $msg = $msg.sprintf("is valid realm? %b.",$valid_realm).PHP_EOL;
$msg = $msg.sprintf("is valid identifier? %b.",$valid_id).PHP_EOL; $msg = $msg.sprintf("is valid identifier? %b.",$valid_id).PHP_EOL;
$this->log_service->warning_msg($msg); throw new InvalidOpenIdMessageException($msg);
}
}
catch(Exception $ex){
$this->log_service->error($ex);
$res = false;
} }
return $res; return $res;
} }
@ -100,12 +106,13 @@ class OpenIdAuthenticationRequest extends OpenIdRequest
return false; return false;
} }
/** /**
* @param $claimed_id The Claimed Identifier. * @param $claimed_id
* @param $identity The OP-Local Identifier. * @param $identity
* @return bool * @return bool
*/ * @throws \openid\exceptions\InvalidOpenIdMessageException
private function isValidIdentifier($claimed_id, $identity) */
private function isValidIdentifier($claimed_id, $identity)
{ {
/* /*
* openid.claimed_id" and "openid.identity" SHALL be either both present or both absent. * openid.claimed_id" and "openid.identity" SHALL be either both present or both absent.
@ -113,7 +120,9 @@ class OpenIdAuthenticationRequest extends OpenIdRequest
* other information in its payload, using extensions. * other information in its payload, using extensions.
*/ */
$server_configuration_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::ServerConfigurationService); if(empty($this->user_identity_endpoint))
throw new InvalidOpenIdMessageException("user_identity_endpoint is not set");
if (is_null($claimed_id) && is_null($identity)) if (is_null($claimed_id) && is_null($identity))
return false; return false;
//http://specs.openid.net/auth/2.0/identifier_select //http://specs.openid.net/auth/2.0/identifier_select
@ -121,7 +130,7 @@ class OpenIdAuthenticationRequest extends OpenIdRequest
return true; return true;
if (OpenIdUriHelper::isValidUrl($claimed_id) && OpenIdUriHelper::isValidUrl($identity)) { if (OpenIdUriHelper::isValidUrl($claimed_id) && OpenIdUriHelper::isValidUrl($identity)) {
$identity_url_pattern = $server_configuration_service->getUserIdentityEndpointURL("@identifier"); $identity_url_pattern = $this->user_identity_endpoint;
$url_parts = explode("@", $identity_url_pattern, 2); $url_parts = explode("@", $identity_url_pattern, 2);
$base_identity_url = $url_parts[0]; $base_identity_url = $url_parts[0];
if (strpos($identity, $base_identity_url) !== false) if (strpos($identity, $base_identity_url) !== false)


@ -5,15 +5,20 @@ namespace openid\requests;
use openid\helpers\OpenIdUriHelper; use openid\helpers\OpenIdUriHelper;
use openid\OpenIdMessage; use openid\OpenIdMessage;
use openid\OpenIdProtocol; use openid\OpenIdProtocol;
use openid\services\OpenIdServiceCatalog;
use utils\services\ServiceLocator;
class OpenIdCheckAuthenticationRequest extends OpenIdAuthenticationRequest class OpenIdCheckAuthenticationRequest extends OpenIdAuthenticationRequest
{ {
public function __construct(OpenIdMessage $message) private $op_endpoint_url;
/**
* @param OpenIdMessage $message
* @param $op_endpoint_url
*/
public function __construct(OpenIdMessage $message, $op_endpoint_url)
{ {
parent::__construct($message); parent::__construct($message);
$this->op_endpoint_url = $op_endpoint_url;
} }
public static function IsOpenIdCheckAuthenticationRequest(OpenIdMessage $message) public static function IsOpenIdCheckAuthenticationRequest(OpenIdMessage $message)
@ -35,22 +40,27 @@ class OpenIdCheckAuthenticationRequest extends OpenIdAuthenticationRequest
$claimed_returnTo = $this->getReturnTo(); $claimed_returnTo = $this->getReturnTo();
$signed = $this->getSigned(); $signed = $this->getSigned();
$server_configuration_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::ServerConfigurationService); $valid_realm = OpenIdUriHelper::checkRealm($claimed_realm, $claimed_returnTo);
if ( $res = !is_null($mode) && !empty($mode) && $mode == OpenIdProtocol::CheckAuthenticationMode
!is_null($mode) && !empty($mode) && $mode == OpenIdProtocol::CheckAuthenticationMode && !is_null($claimed_returnTo) && !empty($claimed_returnTo) && OpenIdUriHelper::checkReturnTo($claimed_returnTo)
&& !is_null($claimed_returnTo) && !empty($claimed_returnTo) && OpenIdUriHelper::checkReturnTo($claimed_returnTo) && !is_null($claimed_realm) && !empty($claimed_realm) && $valid_realm
&& !is_null($claimed_realm) && !empty($claimed_realm) && OpenIdUriHelper::checkRealm($claimed_realm, $claimed_returnTo) && !is_null($claimed_assoc) && !empty($claimed_assoc)
&& !is_null($claimed_assoc) && !empty($claimed_assoc) && !is_null($claimed_sig) && !empty($claimed_sig)
&& !is_null($claimed_sig) && !empty($claimed_sig) && !is_null($signed) && !empty($signed)
&& !is_null($signed) && !empty($signed) && !is_null($claimed_nonce) && !empty($claimed_nonce)
&& !is_null($claimed_nonce) && !empty($claimed_nonce) && !is_null($claimed_op_endpoint) && !empty($claimed_op_endpoint) && $claimed_op_endpoint == $this->op_endpoint_url
&& !is_null($claimed_op_endpoint) && !empty($claimed_op_endpoint) && $server_configuration_service->getOPEndpointURL() == $claimed_op_endpoint && !is_null($claimed_identity) && !empty($claimed_identity) && OpenIdUriHelper::isValidUrl($claimed_identity);
&& !is_null($claimed_identity) && !empty($claimed_identity) && OpenIdUriHelper::isValidUrl($claimed_identity) if (!$res) {
) { $msg = sprintf("return_to is empty? %b.",empty($claimed_returnTo)).PHP_EOL;
return true; $msg = $msg.sprintf("realm is empty? %b.",empty($claimed_realm)).PHP_EOL;
$msg = $msg.sprintf("claimed_id is empty? %b.",empty($claimed_id)).PHP_EOL;
$msg = $msg.sprintf("identity is empty? %b.",empty($claimed_identity)).PHP_EOL;
$msg = $msg.sprintf("mode is empty? %b.",empty($mode)).PHP_EOL;
$msg = $msg.sprintf("is valid realm? %b.",$valid_realm).PHP_EOL;
throw new InvalidOpenIdMessageException($msg);
} }
return false; return $res;
} }
public function getNonce() public function getNonce()
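Review bot: The message assembled when `$res` is false reads `$claimed_id`, which is not among the values this method gathers (`$claimed_identity`, `$claimed_realm`, `$claimed_returnTo`, …); unless it is assigned above the hunk, that line raises an undefined-variable notice and always reports "claimed_id is empty? 1". `InvalidOpenIdMessageException` is thrown unqualified inside `namespace openid\requests`, and the visible `use` block (lines 5–9) does not import it, so either `use openid\exceptions\InvalidOpenIdMessageException;` must be added or the throw resolves to a non-existent class in this namespace. The OP-endpoint check would also be better strict, since both sides are strings and the comparison gates signature verification: `&& !is_null($claimed_op_endpoint) && !empty($claimed_op_endpoint) && $claimed_op_endpoint === $this->op_endpoint_url`. The method's opening lines are outside the hunk.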


@ -3,19 +3,18 @@
namespace openid\requests; namespace openid\requests;
use openid\OpenIdMessage; use openid\OpenIdMessage;
use utils\services\ServiceLocator;
use utils\services\UtilsServiceCatalog;
/**
* Class OpenIdRequest
* @package openid\requests
*/
abstract class OpenIdRequest abstract class OpenIdRequest
{ {
protected $message; protected $message;
protected $log_service;
public function __construct(OpenIdMessage $message) public function __construct(OpenIdMessage $message)
{ {
$this->message = $message; $this->message = $message;
$this->log_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::LogService);
} }
public function getMessage() public function getMessage()


@ -13,7 +13,7 @@ class ServiceLocator {
public static function getInstance() public static function getInstance()
{ {
if (self::$instance === null) { if (self::$instance == null) {
self::$instance = new ServiceLocator(); self::$instance = new ServiceLocator();
} }
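Review bot: Loosening `self::$instance === null` to `== null` is a style regression rather than a fix: the strict form was already correct for a null check, and `==` also matches false, 0 and '' should the property ever hold one. The same `===`→`==` substitution recurs in Client (`$parts == false`, twice), AuthorizationCodeRedeemPolicy (`$exception_class == '...'`), CORSMiddleware, ApiEndpointService and the four MementoOAuth2AuthenticationRequestService hunks, where the original strict comparisons were also correct; I'd revert those to `===` and keep the change only where the operand types genuinely differ, which the `intval($this->lifetime) == 0` lines already handle by converting first. For the exception-class check, `$ex instanceof ReplayAttackException` reads better than comparing `get_class()` against a string.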


@ -27,7 +27,7 @@ class AccessToken extends Eloquent {
public function isVoid(){ public function isVoid(){
//check lifetime... //check lifetime...
$created_at = $this->created_at; $created_at = $this->created_at;
$created_at->add(new DateInterval('PT' . $this->lifetime . 'S')); $created_at->add(new DateInterval('PT' . intval($this->lifetime) . 'S'));
$now = new DateTime(gmdate("Y-m-d H:i:s", time())); $now = new DateTime(gmdate("Y-m-d H:i:s", time()));
return ($now > $created_at); return ($now > $created_at);
} }
@ -43,9 +43,9 @@ class AccessToken extends Eloquent {
public function getRemainingLifetime() public function getRemainingLifetime()
{ {
//check is refresh token is stills alive... (ZERO is infinite lifetime) //check is refresh token is stills alive... (ZERO is infinite lifetime)
if ($this->lifetime === 0) return 0; if (intval($this->lifetime) == 0) return 0;
$created_at = new DateTime($this->created_at); $created_at = new DateTime($this->created_at);
$created_at->add(new DateInterval('PT' . $this->lifetime . 'S')); $created_at->add(new DateInterval('PT' . intval($this->lifetime) . 'S'));
$now = new DateTime(gmdate("Y-m-d H:i:s", time())); $now = new DateTime(gmdate("Y-m-d H:i:s", time()));
//check validity... //check validity...
if ($now > $created_at) if ($now > $created_at)
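Review bot: `isVoid()` calls `->add()` on the object held in `$this->created_at` without copying it first, so if that attribute is a DateTime instance (the call implies it is) the model's own created_at is advanced by `lifetime` seconds on every call, and a second `isVoid()` in the same request compares against an already-shifted timestamp. Copy before mutating, e.g. `$created_at = clone $this->created_at;`. The two methods also disagree on the attribute's type — `getRemainingLifetime()` does `new DateTime($this->created_at)`, which treats it as a string — and one of them is wrong for whatever Eloquent actually returns here; a comment stating the expected type would settle it. RefreshToken::isVoid() has the same in-place mutation.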


@ -116,7 +116,7 @@ class Client extends BaseModelEloquent implements IClient {
{ {
if(!filter_var($uri, FILTER_VALIDATE_URL)) return false; if(!filter_var($uri, FILTER_VALIDATE_URL)) return false;
$parts = @parse_url($uri); $parts = @parse_url($uri);
if ($parts === false) { if ($parts == false) {
return false; return false;
} }
if($parts['scheme']!=='https') if($parts['scheme']!=='https')
@ -227,7 +227,7 @@ class Client extends BaseModelEloquent implements IClient {
{ {
if(!filter_var($origin, FILTER_VALIDATE_URL)) return false; if(!filter_var($origin, FILTER_VALIDATE_URL)) return false;
$parts = @parse_url($origin); $parts = @parse_url($origin);
if ($parts === false) { if ($parts == false) {
return false; return false;
} }
if($parts['scheme']!=='https') if($parts['scheme']!=='https')


@ -26,10 +26,10 @@ class RefreshToken extends Eloquent {
} }
public function isVoid(){ public function isVoid(){
if($this->lifetime === 0) return false; if(intval($this->lifetime) == 0) return false;
//check lifetime... //check lifetime...
$created_at = $this->created_at; $created_at = $this->created_at;
$created_at->add(new DateInterval('PT' . $this->lifetime . 'S')); $created_at->add(new DateInterval('PT' . intval($this->lifetime) . 'S'));
$now = new DateTime(gmdate("Y-m-d H:i:s", time())); $now = new DateTime(gmdate("Y-m-d H:i:s", time()));
return ($now > $created_at); return ($now > $created_at);
} }
@ -38,9 +38,9 @@ class RefreshToken extends Eloquent {
public function getRemainingLifetime() public function getRemainingLifetime()
{ {
//check is refresh token is stills alive... (ZERO is infinite lifetime) //check is refresh token is stills alive... (ZERO is infinite lifetime)
if ($this->lifetime === 0) return 0; if (intval($this->lifetime) == 0) return 0;
$created_at = new DateTime($this->created_at); $created_at = new DateTime($this->created_at);
$created_at->add(new DateInterval('PT' . $this->lifetime . 'S')); $created_at->add(new DateInterval('PT' . intval($this->lifetime) . 'S'));
$now = new DateTime(gmdate("Y-m-d H:i:s", time())); $now = new DateTime(gmdate("Y-m-d H:i:s", time()));
//check validity... //check validity...
if ($now > $created_at) if ($now > $created_at)


@ -30,7 +30,7 @@ class OpenIdAssociation extends Eloquent implements IAssociation
public function getLifetime() public function getLifetime()
{ {
return $this->lifetime; return intval($this->lifetime);
} }
public function setLifetime($lifetime) public function setLifetime($lifetime)
@ -76,7 +76,7 @@ class OpenIdAssociation extends Eloquent implements IAssociation
public function getRemainingLifetime() public function getRemainingLifetime()
{ {
$created_at = new DateTime($this->issued); $created_at = new DateTime($this->issued);
$created_at->add(new DateInterval('PT' . $this->lifetime . 'S')); $created_at->add(new DateInterval('PT' . intval($this->lifetime) . 'S'));
$now = new DateTime(gmdate("Y-m-d H:i:s", time())); $now = new DateTime(gmdate("Y-m-d H:i:s", time()));
//check validity... //check validity...
if ($now > $created_at) if ($now > $created_at)


@ -195,7 +195,7 @@ class ApiEndpointService implements IApiEndpointService {
$res = $api_endpoint->scopes()->where('id','=',$scope_id)->count(); $res = $api_endpoint->scopes()->where('id','=',$scope_id)->count();
if($res===0) if($res==0)
throw new InvalidApiScope(sprintf("api scope id %s does not belongs to endpoint id %s !.",$scope_id,$api_endpoint->id)); throw new InvalidApiScope(sprintf("api scope id %s does not belongs to endpoint id %s !.",$scope_id,$api_endpoint->id));
$api_endpoint->scopes()->detach($scope_id); $api_endpoint->scopes()->detach($scope_id);


@ -53,7 +53,7 @@ class ApiService implements IApiService {
{ {
$instance = null; $instance = null;
if(is_string($active)){ if(is_string($active)){
$active = $active==='true'?true:false; $active = strtoupper($active) == 'TRUE'?true:false;
} }
DB::transaction(function () use ($name, $description, $active, $resource_server_id, &$instance) { DB::transaction(function () use ($name, $description, $active, $resource_server_id, &$instance) {
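Review bot: The new parse `strtoupper($active) == 'TRUE' ? true : false` maps every other string to false, including `'1'`, which CustomValidator (later in this commit) explicitly accepts as a valid boolean, and it does not `trim()` the way the validator does; if `$active` comes from request input, `active=1` would pass validation and then be stored as inactive. `filter_var($active, FILTER_VALIDATE_BOOLEAN)` accepts the same spellings the validator does (`'1'`, `'true'`, `'on'`, `'yes'` and their negatives): `$active = filter_var($active, FILTER_VALIDATE_BOOLEAN);`. The identical parse appears in the ResourceServerService hunk at line 145. The `? true : false` is also redundant, since the comparison already yields a bool.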


@ -35,7 +35,7 @@ class AuthorizationCodeRedeemPolicy extends AbstractBlacklistSecurityPolicy {
{ {
try { try {
$exception_class = get_class($ex); $exception_class = get_class($ex);
if($exception_class === 'oauth2\exceptions\ReplayAttackException'){ if($exception_class == 'oauth2\exceptions\ReplayAttackException'){
$auth_code = $ex->getAuthCode(); $auth_code = $ex->getAuthCode();
$this->counter_measure->trigger(array('auth_code'=>$auth_code)); $this->counter_measure->trigger(array('auth_code'=>$auth_code));
} }


@ -185,7 +185,7 @@ class CORSMiddleware {
$preflight = false; $preflight = false;
//preflight checks //preflight checks
if ($method === 'OPTIONS') { if ($method == 'OPTIONS') {
$request_method = $request->headers->get('Access-Control-Request-Method'); $request_method = $request->headers->get('Access-Control-Request-Method');
if(!is_null($request_method)){ if(!is_null($request_method)){
// sets the original method on request in order to be able to find the // sets the original method on request in order to be able to find the


@ -19,11 +19,10 @@ use oauth2\services\IApiScopeService;
use oauth2\services\IApiScope; use oauth2\services\IApiScope;
use oauth2\services\IClientService; use oauth2\services\IClientService;
use oauth2\services\id; use oauth2\services\id;
use oauth2\services\OAuth2ServiceCatalog;
use Request; use Request;
use utils\services\IAuthService; use utils\services\IAuthService;
use utils\services\ServiceLocator;
use Zend\Math\Rand; use Zend\Math\Rand;
use Event;
/** /**
* Class ClientService * Class ClientService
@ -176,8 +175,7 @@ class ClientService implements IClientService
if (!is_null($client)) { if (!is_null($client)) {
$client->authorized_uris()->delete(); $client->authorized_uris()->delete();
$client->scopes()->detach(); $client->scopes()->detach();
$token_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::TokenService); Event::fire('oauth2.client.delete', array($client->client_id));
$token_service->revokeClientRelatedTokens($client->client_id);
$res = $client->delete(); $res = $client->delete();
} }
}); });
@ -205,8 +203,7 @@ class ClientService implements IClientService
$client_secret = Rand::getString(24, OAuth2Protocol::VsChar, true); $client_secret = Rand::getString(24, OAuth2Protocol::VsChar, true);
$client->client_secret = $client_secret; $client->client_secret = $client_secret;
$client->Save(); $client->Save();
$token_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::TokenService); Event::fire('oauth2.client.regenerate.secret', array($client->client_id));
$token_service->revokeClientRelatedTokens($client->client_id);
$new_secret = $client->client_secret; $new_secret = $client->client_secret;
}); });
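Review bot: Replacing the direct `revokeClientRelatedTokens()` call with `Event::fire('oauth2.client.delete', ...)` makes token revocation depend on a listener being registered, and the only registration is in TokenService's constructor (hunk further down); if no TokenService instance has been built in the current request — plausible with lazily resolved services — the event fires to nobody and the deleted client's tokens remain valid, with no error to notice. The `oauth2.client.regenerate.secret` path has the same exposure, and leaving old tokens alive after a secret rotation defeats the reason for rotating. I'd either keep `ITokenService` as a constructor dependency here or register both listeners in the service provider, which also avoids stacking a duplicate listener each time a TokenService is constructed. On the TokenService side, `use (&$this_var)` captures by reference for no reason; `use ($this_var)` is enough.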


@ -21,7 +21,7 @@ class MementoOAuth2AuthenticationRequestService implements IMementoOAuth2Authent
$input = Input::all(); $input = Input::all();
$oauth2_params = array(); $oauth2_params = array();
foreach ($input as $key => $value) { foreach ($input as $key => $value) {
if (array_key_exists($key, OAuth2AuthorizationRequest::$params) === true) { if (array_key_exists($key, OAuth2AuthorizationRequest::$params) == true) {
array_push($oauth2_params, $key); array_push($oauth2_params, $key);
} }
} }
@ -33,7 +33,7 @@ class MementoOAuth2AuthenticationRequestService implements IMementoOAuth2Authent
$old_data = Input::old(); $old_data = Input::old();
$oauth2_params = array(); $oauth2_params = array();
foreach ($old_data as $key => $value) { foreach ($old_data as $key => $value) {
if (array_key_exists($key, OAuth2AuthorizationRequest::$params) === true) { if (array_key_exists($key, OAuth2AuthorizationRequest::$params) == true) {
array_push($oauth2_params, $key); array_push($oauth2_params, $key);
} }
} }
@ -59,7 +59,7 @@ class MementoOAuth2AuthenticationRequestService implements IMementoOAuth2Authent
$old_data = Input::old(); $old_data = Input::old();
$oauth2_params = array(); $oauth2_params = array();
foreach ($old_data as $key => $value) { foreach ($old_data as $key => $value) {
if (array_key_exists($key, OAuth2AuthorizationRequest::$params) === true) { if (array_key_exists($key, OAuth2AuthorizationRequest::$params) == true) {
$oauth2_params[$key] = $value; $oauth2_params[$key] = $value;
} }
} }
@ -76,7 +76,7 @@ class MementoOAuth2AuthenticationRequestService implements IMementoOAuth2Authent
$oauth2_params = array(); $oauth2_params = array();
foreach ($old_data as $key => $value) { foreach ($old_data as $key => $value) {
if (array_key_exists($key, OAuth2AuthorizationRequest::$params) === true){ if (array_key_exists($key, OAuth2AuthorizationRequest::$params) == true){
array_push($oauth2_params, $key); array_push($oauth2_params, $key);
} }
} }


@ -145,7 +145,7 @@ class ResourceServerService implements IResourceServerService {
$client_service = $this->client_service; $client_service = $this->client_service;
if(is_string($active)){ if(is_string($active)){
$active = $active ==='true'?true:false; $active = strtoupper($active) =='TRUE' ?true:false;
} }
DB::transaction(function () use ($host, $ip, $friendly_name, $active, &$instance, &$client_service) { DB::transaction(function () use ($host, $ip, $friendly_name, $active, &$instance, &$client_service) {


@ -4,8 +4,7 @@ namespace services\oauth2;
use Exception; use Exception;
use Log; use Log;
use oauth2\services\OAuth2ServiceCatalog; use oauth2\services\ITokenService;
use utils\services\ServiceLocator;
use utils\services\ISecurityPolicyCounterMeasure; use utils\services\ISecurityPolicyCounterMeasure;
@ -22,23 +21,22 @@ use utils\services\ISecurityPolicyCounterMeasure;
*/ */
class RevokeAuthorizationCodeRelatedTokens implements ISecurityPolicyCounterMeasure { class RevokeAuthorizationCodeRelatedTokens implements ISecurityPolicyCounterMeasure {
private $token_service;
/**
* @param ITokenService $token_service
*/
public function __construct(ITokenService $token_service){
$this->token_service = $token_service;
}
public function trigger(array $params = array()) public function trigger(array $params = array())
{ {
try { try {
if (!isset($params["auth_code"])) return; if (!isset($params["auth_code"])) return;
//if (!isset($params["client_id"])) return;
$auth_code = $params["auth_code"]; $auth_code = $params["auth_code"];
//$client_id = $params["client_id"]; $this->token_service->revokeAuthCodeRelatedTokens($auth_code);
$token_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::TokenService);
//$client_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::ClientService);
$token_service->revokeAuthCodeRelatedTokens($auth_code);
//$client_service->lockClient($client_id);
} catch (Exception $ex) { } catch (Exception $ex) {
Log::error($ex); Log::error($ex);
} }


@ -32,6 +32,8 @@ use Zend\Crypt\Hash;
use utils\services\ICacheService; use utils\services\ICacheService;
use utils\services\IAuthService; use utils\services\IAuthService;
use Event;
/** /**
* Class TokenService * Class TokenService
* Provides all Tokens related operations (create, get and revoke) * Provides all Tokens related operations (create, get and revoke)
@ -68,6 +70,18 @@ class TokenService implements ITokenService
$this->cache_service = $cache_service; $this->cache_service = $cache_service;
$this->auth_service = $auth_service; $this->auth_service = $auth_service;
$this->user_consent_service = $user_consent_service; $this->user_consent_service = $user_consent_service;
$this_var = $this;
Event::listen('oauth2.client.delete', function($client_id) use (&$this_var)
{
$this_var->revokeClientRelatedTokens($client_id);
});
Event::listen('oauth2.client.regenerate.secret', function($client_id) use (&$this_var)
{
$this_var->revokeClientRelatedTokens($client_id);
});
} }
/** /**
@ -410,7 +424,7 @@ class TokenService implements ITokenService
'audience' => $access_token->audience, 'audience' => $access_token->audience,
'refresh_token' => $refresh_token_value 'refresh_token' => $refresh_token_value
) )
,$access_token->lifetime); ,intval($access_token->lifetime));
} }
@ -596,7 +610,7 @@ class TokenService implements ITokenService
'from_ip' => $refresh_token_db->from_ip, 'from_ip' => $refresh_token_db->from_ip,
'issued' => $refresh_token_db->created_at, 'issued' => $refresh_token_db->created_at,
'is_hashed' => $is_hashed 'is_hashed' => $is_hashed
), $refresh_token_db->lifetime); ), intval($refresh_token_db->lifetime));
return $refresh_token; return $refresh_token;
} }


@ -8,7 +8,7 @@ use oauth2\IResourceServerContext;
use utils\services\ILogService; use utils\services\ILogService;
use openid\services\IUserService as IAPIUserService; use openid\services\IUserService as IAPIUserService;
use Exception; use Exception;
use utils\services\IServerConfigurationService;
/** /**
* Class UserService * Class UserService
* OAUTH2 Protected Endpoint * OAUTH2 Protected Endpoint
@ -17,10 +17,15 @@ use Exception;
class UserService extends OAuth2ProtectedService implements IUserService { class UserService extends OAuth2ProtectedService implements IUserService {
private $user_service; private $user_service;
private $configuration_service;
public function __construct(IAPIUserService $user_service, IResourceServerContext $resource_server_context, ILogService $log_service){ public function __construct(IAPIUserService $user_service,
IResourceServerContext $resource_server_context,
IServerConfigurationService $configuration_service,
ILogService $log_service){
parent::__construct($resource_server_context,$log_service); parent::__construct($resource_server_context,$log_service);
$this->user_service = $user_service; $this->user_service = $user_service;
$this->configuration_service = $configuration_service;
} }
/** /**
@ -52,10 +57,13 @@ class UserService extends OAuth2ProtectedService implements IUserService {
} }
if(in_array(self::UserProfileScope_Profile, $scopes)){ if(in_array(self::UserProfileScope_Profile, $scopes)){
// Address Claim // Address Claim
$data['name'] = $current_user->getFirstName(); $assets_url = $this->configuration_service->getConfigValue('Assets.Url');
$pic_url = $current_user->getPic();
$pic_url = str_contains($pic_url,'http')?$pic_url:$assets_url.$pic_url;
$data['name'] = $current_user->getFirstName();
$data['family_name'] = $current_user->getLastName(); $data['family_name'] = $current_user->getLastName();
$data['nickname'] = $current_user->getNickName(); $data['nickname'] = $current_user->getNickName();
$data['picture'] = $current_user->getPic(); $data['picture'] = $pic_url;
$data['birthdate'] = $current_user->getDateOfBirth(); $data['birthdate'] = $current_user->getDateOfBirth();
$data['gender'] = $current_user->getGender(); $data['gender'] = $current_user->getGender();
} }
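Review bot: `str_contains($pic_url, 'http')` (the Laravel helper, not a prefix check) matches `http` anywhere in the value, so a relative picture path that merely contains that substring skips the `$assets_url` prefix, and an empty or null `getPic()` result yields the bare assets URL as the user's picture. A prefix test keeps the intent: `$pic_url = starts_with($pic_url, 'http') ? $pic_url : $assets_url.$pic_url;`, guarded by `if (!empty($pic_url))`. Since this value is presumably returned to OAuth2 clients as the `picture` claim, a one-line comment explaining the absolute-vs-relative decision would help the next reader.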


@ -67,8 +67,7 @@ class AssociationService implements IAssociationService
"mac_function" => $assoc->mac_function, "mac_function" => $assoc->mac_function,
"issued" => $assoc->issued, "issued" => $assoc->issued,
"lifetime" => $assoc->lifetime, "lifetime" => $assoc->lifetime,
//"secret" => \bin2hex($assoc->secret), "secret" => \unpack('H*',$secret_unpack ),
"secret" => \unpack('H*',$secret_unpack ),
"realm" => $assoc->realm), "realm" => $assoc->realm),
$remaining_lifetime); $remaining_lifetime);
} }
@ -96,8 +95,7 @@ class AssociationService implements IAssociationService
$assoc->type = $cache_values['type']; $assoc->type = $cache_values['type'];
$assoc->mac_function = $cache_values['mac_function']; $assoc->mac_function = $cache_values['mac_function'];
$assoc->issued = $cache_values['issued']; $assoc->issued = $cache_values['issued'];
$assoc->lifetime = $cache_values['lifetime']; $assoc->lifetime = intval($cache_values['lifetime']);
//$assoc->secret = \hex2bin($cache_values['secret']);
$assoc->secret = $secret; $assoc->secret = $secret;
$realm = $cache_values['realm']; $realm = $cache_values['realm'];
if (!empty($realm)) if (!empty($realm))
@ -146,7 +144,7 @@ class AssociationService implements IAssociationService
$assoc->secret = $secret; $assoc->secret = $secret;
$assoc->type = $type; $assoc->type = $type;
$assoc->mac_function = $mac_function; $assoc->mac_function = $mac_function;
$assoc->lifetime = $lifetime; $assoc->lifetime = intval($lifetime);
$assoc->issued = $issued; $assoc->issued = $issued;
if (!is_null($realm)) if (!is_null($realm))
@ -159,14 +157,14 @@ class AssociationService implements IAssociationService
if (is_null($realm)) if (is_null($realm))
$realm = ''; $realm = '';
$secret_unpack = \unpack('H*', $secret); $secret_unpack = \unpack('H*', $secret);
$secret_unpack = array_shift($secret_unpack); $secret_unpack = array_shift($secret_unpack);
$this->cache_service->storeHash($handle, array( $this->cache_service->storeHash($handle, array(
"type" => $type, "type" => $type,
"mac_function" => $mac_function, "mac_function" => $mac_function,
"issued" => $issued, "issued" => $issued,
"lifetime" => $lifetime, "lifetime" => $lifetime,
//"secret" => \bin2hex($secret),
"secret" => $secret_unpack, "secret" => $secret_unpack,
"realm" => $realm),$lifetime); "realm" => $realm),$lifetime);


@ -4,24 +4,47 @@ namespace services\openid;
use openid\services\IServerExtensionsService; use openid\services\IServerExtensionsService;
use utils\services\ServiceLocator; use utils\services\ServiceLocator;
use utils\services\UtilsServiceCatalog;
use ServerExtension; use ServerExtension;
use ReflectionClass;
/**
* Class ServerExtensionsService
* @package services\openid
*/
class ServerExtensionsService implements IServerExtensionsService class ServerExtensionsService implements IServerExtensionsService
{ {
public function getAllActiveExtensions() /**
* @return array
*/
public function getAllActiveExtensions()
{ {
$extensions = ServerExtension::where('active', '=', true)->get(); $extensions = ServerExtension::where('active', '=', true)->get();
$res = array(); $res = array();
foreach ($extensions as $extension) { foreach ($extensions as $extension) {
$class = $extension->extension_class; $class_name = $extension->extension_class;
if (empty($class) /*|| !class_exists($class)*/) continue; if (empty($class_name)) continue;
$implementation = new $class($extension->name,
$extension->namespace, $class = new ReflectionClass($class_name);
$extension->view_name, $constructor = $class->getConstructor();
$extension->description, $constructor_params = $constructor->getParameters();
ServiceLocator::getInstance()->getService(UtilsServiceCatalog::LogService));
$deps = array();
foreach($constructor_params as $constructor_param){
$param_class = $constructor_param->getClass();
$name = $constructor_param->getName();
if(is_null($param_class)){
array_push($deps,$extension->$name);
}
else{
$service = ServiceLocator::getInstance()->getService($param_class->getName());
array_push($deps,$service);
}
}
$implementation = $class->newInstanceArgs($deps);
array_push($res, $implementation); array_push($res, $implementation);
} }
return $res; return $res;


@ -5,12 +5,19 @@ namespace services;
use auth\User; use auth\User;
use Exception; use Exception;
use Log; use Log;
use openid\services\OpenIdServiceCatalog; use openid\services\IUserService;
use utils\services\ServiceLocator; use utils\services\IServerConfigurationService;
use utils\services\ISecurityPolicyCounterMeasure; use utils\services\ISecurityPolicyCounterMeasure;
class LockUserCounterMeasure implements ISecurityPolicyCounterMeasure class LockUserCounterMeasure implements ISecurityPolicyCounterMeasure
{ {
private $server_configuration;
private $user_service;
public function __construct(IUserService $user_service, IServerConfigurationService $server_configuration){
$this->user_service = $user_service;
$this->server_configuration = $server_configuration;
}
public function trigger(array $params = array()) public function trigger(array $params = array())
{ {
@ -18,17 +25,15 @@ class LockUserCounterMeasure implements ISecurityPolicyCounterMeasure
if (!isset($params["user_identifier"])) return; if (!isset($params["user_identifier"])) return;
$user_identifier = $params["user_identifier"]; $user_identifier = $params["user_identifier"];
$server_configuration = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::ServerConfigurationService);
$user_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::UserService);
$user = User::where('external_id', '=', $user_identifier)->first(); $user = User::where('external_id', '=', $user_identifier)->first();
if(is_null($user)) if(is_null($user))
return; return;
//apply lock policy //apply lock policy
if (intval($user->login_failed_attempt) < intval($server_configuration->getConfigValue("MaxFailed.Login.Attempts"))) if (intval($user->login_failed_attempt) < intval($this->server_configuration->getConfigValue("MaxFailed.Login.Attempts")))
$user_service->updateFailedLoginAttempts($user->id); $this->user_service->updateFailedLoginAttempts($user->id);
else { else {
$user_service->lockUser($user->id); $this->user_service->lockUser($user->id);
} }
} catch (Exception $ex) { } catch (Exception $ex) {
Log::error($ex); Log::error($ex);


@ -4,26 +4,29 @@ namespace services;
use Exception; use Exception;
use Log; use Log;
use oauth2\services\OAuth2ServiceCatalog; use oauth2\services\IClientService;
use utils\services\ServiceLocator;
use utils\services\ISecurityPolicyCounterMeasure; use utils\services\ISecurityPolicyCounterMeasure;
use Client as OAuth2Client;
class OAuth2LockClientCounterMeasure implements ISecurityPolicyCounterMeasure{ class OAuth2LockClientCounterMeasure implements ISecurityPolicyCounterMeasure{
private $client_service;
public function __construct(IClientService $client_service){
$this->client_service = $client_service;
}
public function trigger(array $params = array()) public function trigger(array $params = array())
{ {
try{ try{
if (!isset($params["client_id"])) return; if (!isset($params["client_id"])) return;
$client_id = $params['client_id']; $client_id = $params['client_id'];
$client = $this->client_service->getClientByIdentifier($client_id);
$client_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::ClientService);
$client = OAuth2Client::where('id', '=', client_id)->first();
if(is_null($client)) if(is_null($client))
return; return;
//apply lock policy //apply lock policy
$client_service->lockClient($client->id); $this->client_service->lockClient($client->id);
} }
catch(Exception $ex){ catch(Exception $ex){
Log::error($ex); Log::error($ex);


@ -5,6 +5,7 @@ namespace services;
use DB; use DB;
use Exception; use Exception;
use Log; use Log;
use oauth2\services\IClientService;
use oauth2\services\OAuth2ServiceCatalog; use oauth2\services\OAuth2ServiceCatalog;
use utils\services\ISecurityPolicy; use utils\services\ISecurityPolicy;
use utils\services\ISecurityPolicyCounterMeasure; use utils\services\ISecurityPolicyCounterMeasure;
@ -24,10 +25,11 @@ class OAuth2SecurityPolicy implements ISecurityPolicy{
private $server_configuration_service; private $server_configuration_service;
private $client_service; private $client_service;
public function __construct(IServerConfigurationService $server_configuration_service) public function __construct(IServerConfigurationService $server_configuration_service, IClientService $client_service)
{ {
$this->server_configuration_service = $server_configuration_service; $this->server_configuration_service = $server_configuration_service;
; $this->client_service = $client_service;
$this->exception_dictionary = array( $this->exception_dictionary = array(
'auth2\exceptions\BearerTokenDisclosureAttemptException' => array('OAuth2SecurityPolicy.MaxBearerTokenDisclosureAttempts'), 'auth2\exceptions\BearerTokenDisclosureAttemptException' => array('OAuth2SecurityPolicy.MaxBearerTokenDisclosureAttempts'),
'auth2\exceptions\InvalidClientException' => array('OAuth2SecurityPolicy.MaxInvalidClientExceptionAttempts'), 'auth2\exceptions\InvalidClientException' => array('OAuth2SecurityPolicy.MaxInvalidClientExceptionAttempts'),
@ -53,7 +55,6 @@ class OAuth2SecurityPolicy implements ISecurityPolicy{
{ {
try { try {
if(get_parent_class($ex)=='oauth2\\exceptions\\OAuth2ClientBaseException'){ if(get_parent_class($ex)=='oauth2\\exceptions\\OAuth2ClientBaseException'){
$this->client_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::ClientService);
$client_id = $ex->getClientId(); $client_id = $ex->getClientId();
//save oauth2 exception by client id //save oauth2 exception by client id
if (!is_null($client_id) && !empty($client_id)){ if (!is_null($client_id) && !empty($client_id)){
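Review bot: The `$this->exception_dictionary` keys in the constructor hunk begin with `auth2\exceptions\…`, while the parent-class comparison at line 57 spells the namespace `oauth2\\exceptions\\…`; if these keys are looked up by `get_class($ex)` elsewhere in the class (outside this hunk), they never match and the per-client attempt counters this policy exists for are never incremented. Those are context lines, but the commit is already editing the constructor, so it is a cheap moment to correct the prefix. With the ServiceLocator lookup removed, whichever `use` brought `ServiceLocator` into scope and `use oauth2\services\OAuth2ServiceCatalog;` look unused in this file now, unless referenced outside the hunks.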


@ -27,7 +27,7 @@ class IndirectResponseQueryStringStrategy implements IHttpResponseStrategy
if (is_null($return_to) || empty($return_to)) { if (is_null($return_to) || empty($return_to)) {
return \View::make('404'); return \View::make('404');
} }
$return_to = (strpos($return_to, "?") === false) ? $return_to . "?" . $query_string : $return_to . "&" . $query_string; $return_to = (strpos($return_to, "?") == false) ? $return_to . "?" . $query_string : $return_to . "&" . $query_string;
return Redirect::to($return_to); return Redirect::to($return_to);
} }
} }
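Review bot: `strpos($return_to, "?") == false` reintroduces the classic pitfall: `strpos` returns `0` when the needle sits at offset 0, and `0 == false` is true, so the original `=== false` was the correct form and the line should go back to `(strpos($return_to, "?") === false)`. The IndirectResponseUrlFragmentStrategy hunk makes the same change for `"#"`. Both results feed a `Redirect::to()`, so a mis-joined URL is handed straight to the relying party.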


@ -27,7 +27,7 @@ class IndirectResponseUrlFragmentStrategy implements IHttpResponseStrategy
return \View::make('404'); return \View::make('404');
} }
$return_to = (strpos($return_to, "#") === false) ? $return_to . "#" . $fragment : $return_to . "&" . $fragment; $return_to = (strpos($return_to, "#") == false) ? $return_to . "#" . $fragment : $return_to . "&" . $fragment;
return Redirect::to($return_to); return Redirect::to($return_to);
} }
} }
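Review bot: The `strpos($return_to, "#") == false` comparison has the same strictness regression as the query-string strategy: `strpos` returns `0` for a `#` at offset 0, and `0 == false` is true, so the fragment would be appended with a second `#` instead of `&`. Assuming the right-hand column is the new side, keep the identity check: `$return_to = (strpos($return_to, "#") === false) ? $return_to . "#" . $fragment : $return_to . "&" . $fragment;`. Since `$return_to` goes straight to `Redirect::to` after only a null/empty guard, the redirect-URI validation is presumably done upstream and should be confirmed. The enclosing method begins before this hunk.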


@ -22,6 +22,12 @@ class OAuth2UserServiceApiTest extends TestCase {
$this->current_realm = Config::get('app.url'); $this->current_realm = Config::get('app.url');
$user = User::where('external_id', '=', 'smarcet@gmail.com')->first();
$this->be($user);
Session::start();
$scope = array( $scope = array(
IUserService::UserProfileScope_Address, IUserService::UserProfileScope_Address,
IUserService::UserProfileScope_Email, IUserService::UserProfileScope_Email,
@ -39,9 +45,6 @@ class OAuth2UserServiceApiTest extends TestCase {
OAuth2Protocol::OAuth2Protocol_AccessType =>OAuth2Protocol::OAuth2Protocol_AccessType_Offline, OAuth2Protocol::OAuth2Protocol_AccessType =>OAuth2Protocol::OAuth2Protocol_AccessType_Offline,
); );
$user = User::where('external_id', '=', 'smarcet@gmail.com')->first();
Auth::login($user);
Session::set("openid.authorization.response", IAuthService::AuthorizationResponse_AllowOnce); Session::set("openid.authorization.response", IAuthService::AuthorizationResponse_AllowOnce);
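Review bot: The new setup lines call `$this->be($user)` with whatever `User::where('external_id', '=', 'smarcet@gmail.com')->first()` returns, so a missing or renamed seed record would authenticate `null` and the failure would surface later as an obscure authorization error rather than at the fixture. A guard right after the lookup makes the dependency explicit: `$this->assertNotNull($user, 'test user smarcet@gmail.com must be seeded');`. The fixture also pins a personal-looking address as the seeded identity; a neutral test account would be preferable if the seed data allows it. The method containing these lines starts before the hunk.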


@ -23,7 +23,7 @@ class CustomValidator extends Validator {
return true; return true;
if(is_int($value)) if(is_int($value))
return true; return true;
return strtoupper(trim($value))==='TRUE' || strtoupper(trim($value))==='FALSE' || strtoupper(trim($value))==='1' || strtoupper(trim($value))==='0' ; return strtoupper(trim($value)) =='TRUE' || strtoupper(trim($value))=='FALSE' || strtoupper(trim($value))=='1' || strtoupper(trim($value))=='0' ;
} }
public function validateText($attribute, $value, $parameters) public function validateText($attribute, $value, $parameters)
@ -81,11 +81,11 @@ class CustomValidator extends Validator {
if(filter_var($value, FILTER_VALIDATE_URL)){ if(filter_var($value, FILTER_VALIDATE_URL)){
$parts = @parse_url($value); $parts = @parse_url($value);
if ($parts === false) { if ($parts == false) {
return false; return false;
} }
if($parts['scheme']!=='https') if($parts['scheme']!= 'https')
return false; return false;
if(isset($parts['query'])) if(isset($parts['query']))