openinfra
/
openstackid
Code Issues Proposed changes

Implements: blueprint openid-oauth2-admin.backend-client-administration 

[smarcet] - #5033 - Client Administration

Change-Id: If87a611f5f25646480478d7799339a6d5186a37f
This commit is contained in:
smarcet 2014-02-03 20:40:31 -03:00
parent 1523ed3225
commit ebeb5d2dbf
170 changed files with 4007 additions and 1703 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

212
app/controllers/AdminController.php
View File

@ -6,11 +6,15 @@ use oauth2\services\IClientService;
use oauth2\services\ITokenService;
use oauth2\services\IResourceServerService;
use oauth2\services\IApiEndpointService;
use utils\services\IAuthService;;
use utils\services\IAuthService;
use openid\services\IUserService;
use utils\services\IServerConfigurationService;
use \utils\services\IBannedIPService;
/**
* Class AdminController
*/
class AdminController extends BaseController {
private $client_service;
private $scope_service;
private $token_service;
@ -18,6 +22,9 @@ class AdminController extends BaseController {
private $api_service;
private $endpoint_service;
private $auth_service;
private $user_service;
private $configuration_service;
private $banned_ips_service;
public function __construct( IClientService $client_service,
IApiScopeService $scope_service,
@ -25,7 +32,10 @@ class AdminController extends BaseController {
IResourceServerService $resource_server_service,
IApiService $api_service,
IApiEndpointService $endpoint_service,
IAuthService $auth_service){
IAuthService $auth_service,
IUserService $user_service,
IServerConfigurationService $configuration_service,
IBannedIPService $banned_ips_service){
$this->client_service = $client_service;
$this->scope_service = $scope_service;
@ -34,9 +44,12 @@ class AdminController extends BaseController {
$this->api_service = $api_service;
$this->endpoint_service = $endpoint_service;
$this->auth_service = $auth_service;
$this->user_service = $user_service;
$this->configuration_service = $configuration_service;
$this->banned_ips_service = $banned_ips_service;
}
public function getEditRegisteredClient($id)
public function editRegisteredClient($id)
{
$user = $this->auth_service->getCurrentUser();
$client = $this->client_service->getClientByIdentifier($id);
@ -54,7 +67,7 @@ class AdminController extends BaseController {
array_push($aux_scopes, $scope->id);
}
$scopes = $this->scope_service->getAvailableScopes($user->canUseSystemScopes());
$scopes = $this->scope_service->getAvailableScopes($user->canUseSystemScopes());
$access_tokens = $this->token_service->getAccessTokenByClient($client->client_id);
@ -77,47 +90,226 @@ class AdminController extends BaseController {
'selected_scopes' => $aux_scopes,
'scopes' => $scopes,
'access_tokens' => $access_tokens,
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
"use_system_scopes" => $user->canUseSystemScopes(),
'refresh_tokens' => $refresh_tokens,
));
}
public function listResourceServers() {
$user = $this->auth_service->getCurrentUser();
$resource_servers = $this->resource_server_service->getAll(1,1000);
return View::make("oauth2.profile.admin.resource-servers",array('resource_servers'=>$resource_servers));
return View::make("oauth2.profile.admin.resource-servers",array(
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'resource_servers'=>$resource_servers));
}
public function editResourceServer($id){
$resource_server = $this->resource_server_service->get($id);
if(is_null($resource_server))
return View::make('404');
return View::make("oauth2.profile.admin.edit-resource-server",array('resource_server'=>$resource_server));
$user = $this->auth_service->getCurrentUser();
return View::make("oauth2.profile.admin.edit-resource-server",array(
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'resource_server'=>$resource_server
));
}
public function editApi($id){
$api = $this->api_service->get($id);
if(is_null($api))
return View::make('404');
return View::make("oauth2.profile.admin.edit-api",array('api'=>$api));
$user = $this->auth_service->getCurrentUser();
return View::make("oauth2.profile.admin.edit-api",array(
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'api'=>$api));
}
public function editScope($id){
$scope = $this->scope_service->get($id);
if(is_null($scope))
return View::make('404');
return View::make("oauth2.profile.admin.edit-scope",array('scope'=>$scope));
$user = $this->auth_service->getCurrentUser();
return View::make("oauth2.profile.admin.edit-scope",array(
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'scope'=>$scope));
}
public function editEndpoint($id){
$endpoint = $this->endpoint_service->get($id);
if(is_null($endpoint))
return View::make('404');
$user = $this->auth_service->getCurrentUser();
$selected_scopes = array();
$list = $endpoint->scopes()->get(array('id'));
foreach($list as $selected_scope){
array_push($selected_scopes,$selected_scope->id);
}
return View::make("oauth2.profile.admin.edit-endpoint",array(
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'endpoint' => $endpoint ,
'selected_scopes' => $selected_scopes));
}
public function editIssuedGrants(){
$user = $this->auth_service->getCurrentUser();
$access_tokens = $this->token_service->getAccessTokenByUserId($user->getId());
$refresh_tokens = $this->token_service->getRefreshTokeByUserId($user->getId());
foreach($access_tokens as $access_token){
$friendly_scopes = $this->scope_service->getFriendlyScopesByName(explode(' ',$access_token->scope));
$access_token->setFriendlyScopes(implode(', ',$friendly_scopes));
}
foreach($refresh_tokens as $refresh_token){
$friendly_scopes = $this->scope_service->getFriendlyScopesByName(explode(' ',$refresh_token->scope));
$refresh_token->setFriendlyScopes(implode(', ',$friendly_scopes));
}
return View::make("oauth2.profile.edit-user-grants",array(
'user_id' => $user->getId(),
'access_tokens' => $access_tokens ,
'refresh_tokens' => $refresh_tokens ,
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
));
}
public function listOAuth2Clients(){
$user = $this->auth_service->getCurrentUser();
$clients = $user->getClients();
return View::make("oauth2.profile.clients", array(
"username" => $user->getFullName(),
"user_id" => $user->getId(),
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
"use_system_scopes" => $user->canUseSystemScopes(),
'clients' => $clients,
));
}
public function listLockedClients(){
$user = $this->auth_service->getCurrentUser();
$clients = $this->client_service->getAll(1,1000,array(
array(
'name'=>'locked',
'op' => '=',
'value'=> true
)
));
return View::make("oauth2.profile.admin.clients", array(
"username" => $user->getFullName(),
"user_id" => $user->getId(),
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'clients' => $clients,
));
}
public function listLockedUsers(){
$user = $this->auth_service->getCurrentUser();
$users = $this->user_service->getAll(1,1000,array(
array(
'name'=>'lock',
'op' => '=',
'value'=> true
)
));
return View::make("admin.users", array(
"username" => $user->getFullName(),
"user_id" => $user->getId(),
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'users' => $users,
));
}
public function listServerConfig(){
$user = $this->auth_service->getCurrentUser();
$config_values = array();
$config_values['MaxFailed.Login.Attempts'] = $this->configuration_service->getConfigValue('MaxFailed.Login.Attempts');
$config_values['MaxFailed.LoginAttempts.2ShowCaptcha'] = $this->configuration_service->getConfigValue('MaxFailed.LoginAttempts.2ShowCaptcha');
$config_values['OpenId.Private.Association.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Private.Association.Lifetime');
$config_values['OpenId.Session.Association.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Session.Association.Lifetime');
$config_values['OpenId.Nonce.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Nonce.Lifetime');
$config_values['OAuth2.AuthorizationCode.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.AuthorizationCode.Lifetime');
$config_values['OAuth2.AccessToken.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.AccessToken.Lifetime');
$config_values['OAuth2.RefreshToken.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.RefreshToken.Lifetime');
return View::make("admin.server-config", array(
"username" => $user->getFullName(),
"user_id" => $user->getId(),
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
'config_values' => $config_values,
));
}
public function saveServerConfig(){
$values = Input::all();
$rules = array(
'general-max-failed-login-attempts' => 'required|integer',
'general-max-failed-login-attempts-captcha' => 'required|integer',
'openid-private-association-lifetime' => 'required|integer',
'openid-session-association-lifetime' => 'required|integer',
'openid-nonce-lifetime' => 'required|integer',
'oauth2-auth-code-lifetime' => 'required|integer',
'oauth2-refresh-token-lifetime' => 'required|integer',
'oauth2-access-token-lifetime' => 'required|integer',
);
$dictionary = array(
'general-max-failed-login-attempts' => 'MaxFailed.Login.Attempts',
'general-max-failed-login-attempts-captcha' => 'MaxFailed.LoginAttempts.2ShowCaptcha',
'openid-private-association-lifetime' => 'OpenId.Private.Association.Lifetime',
'openid-session-association-lifetime' => 'OpenId.Session.Association.Lifetime',
'openid-nonce-lifetime' => 'OpenId.Nonce.Lifetime',
'oauth2-auth-code-lifetime' => 'OAuth2.AuthorizationCode.Lifetime',
'oauth2-access-token-lifetime' => 'OAuth2.AccessToken.Lifetime',
'oauth2-refresh-token-lifetime' => 'OAuth2.RefreshToken.Lifetime',
);
// Creates a Validator instance and validates the data.
$validation = Validator::make($values, $rules);
if ($validation->fails()) {
return Redirect::action("AdminController@listServerConfig")->withErrors($validation);
}
foreach($values as $field=>$value){
if(array_key_exists($field,$dictionary))
$this->configuration_service->saveConfigValue($dictionary[$field],$value);
}
return Redirect::action("AdminController@listServerConfig");
}
public function listBannedIPs(){
$user = $this->auth_service->getCurrentUser();
$ips = $this->banned_ips_service->getByPage(1,1000);
return View::make("admin.banned-ips", array(
"username" => $user->getFullName(),
"user_id" => $user->getId(),
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
"ips" =>$ips
));
}
}

2
app/controllers/OpenIdProviderController.php
View File

@ -17,7 +17,7 @@ class OpenIdProviderController extends BaseController
$this->memento_service = $memento_service;
}
public function op_endpoint()
public function endpoint()
{
$msg = $this->memento_service->getCurrentRequest();
if (is_null($msg) || !$msg->isValid())

5
app/controllers/UserController.php
View File

@ -212,12 +212,12 @@ class UserController extends BaseController
$user = $this->auth_service->getCurrentUser();
$sites = $this->trusted_sites_service->getAllTrustedSitesByUser($user);
$actions = $user->getActions();
$clients = $user->getClients();
return View::make("profile", array(
"username" => $user->getFullName(),
"user_id" => $user->getId(),
"is_server_admin" => $user->IsServerAdmin(),
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
"use_system_scopes" => $user->canUseSystemScopes(),
"openid_url" => $this->server_configuration_service->getUserIdentityEndpointURL($user->getIdentifier()),
"identifier " => $user->getIdentifier(),
@ -226,7 +226,6 @@ class UserController extends BaseController
"show_full_name" => $user->getShowProfileFullName(),
"show_email" => $user->getShowProfileEmail(),
'actions' => $actions,
'clients' => $clients,
));
}

52
app/controllers/apis/AbstractRESTController.php
View File

@ -5,43 +5,41 @@ use utils\services\ILogService;
abstract class AbstractRESTController extends JsonController {
protected $allowed_filter_fields;
protected $allowed_filter_op;
protected $allowed_filter_value;
protected $allowed_projection_fields;
private $filter_delimiter;
private $field_delimiter;
public function __construct(ILogService $log_service){
parent::__construct($log_service);
$this->filter_delimiter = '|';
$this->field_delimiter = ':';
$this->filter_delimiter = '+';
$this->field_delimiter = ',';
}
protected function getProjection($fields){
if(!is_string($fields)) return array('*');
if(empty($fields)) return array('*');
$fields_args = explode($this->field_delimiter,$fields);
$res = array();
foreach($fields_args as $exp){
if(in_array($exp,$this->allowed_projection_fields)){
array_push($res,$exp);
}
}
if(!count($res))
$res = array('*');
return $res;
}
/**
* @param $filters
* @return array
*/
protected function getFilters($filters){
if(!is_string($filters)) return array();
if(empty($filters)) return array();
$filter_args = explode($this->filter_delimiter,$filters);
if(!is_array($filters)) return array();
$res = array();
foreach($filter_args as $exp){
$exp = explode($this->field_delimiter,$exp);
if(!is_array($exp) || count($exp)!=3) continue;
if(!in_array($exp[0],$this->allowed_filter_fields)) continue;
if(!in_array($exp[1],$this->allowed_filter_op[$exp[0]])) continue;
if(preg_match($this->allowed_filter_value[$exp[0]],$exp[2])!=1) continue;
array_push($res,array(
'name' => $exp[0],
'op' => $exp[1],
'value' => $exp[2],
));
foreach($filters as $fieldname=>$value){
if(in_array($fieldname,$this->allowed_filter_fields)){
array_push($res,array('name'=>$fieldname,'op'=>'=','value'=>$value));
}
}
return $res;
}

95
app/controllers/apis/ApiBannedIPController.php Normal file
View File

@ -0,0 +1,95 @@
<?php
use utils\services\IBannedIPService;
use utils\services\ILogService;
class ApiBannedIPController extends AbstractRESTController implements ICRUDController
{
private $banned_ip_service;
public function __construct(IBannedIPService $banned_ip_service, ILogService $log_service)
{
parent::__construct($log_service);
$this->banned_ip_service = $banned_ip_service;
$this->allowed_filter_fields = array();
$this->allowed_projection_fields = array('*');
}
public function get($id)
{
try {
$ip = Input::get("ip", null);
if (!is_null($ip)) {
$banned_ip = $this->banned_ip_service->getByIP($ip);
} else {
$banned_ip = $this->banned_ip_service->get($id);
}
if (is_null($banned_ip)) {
return $this->error404(array('error' => 'banned ip not found'));
}
$data = $banned_ip->toArray();
return $this->ok($data);
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
public function create()
{
// TODO: Implement create() method.
}
public function getByPage()
{
try {
//check for optional filters param on querystring
$fields = $this->getProjection(Input::get('fields', null));
$filters = $this->getFilters(Input::except('fields', 'limit', 'offset'));
$page_nbr = intval(Input::get('offset', 1));
$page_size = intval(Input::get('limit', 10));
$list = $this->banned_ip_service->getByPage($page_nbr, $page_size, $filters, $fields);
$items = array();
foreach ($list->getItems() as $ip) {
array_push($items, $ip->toArray());
}
return $this->ok(array(
'page' => $items,
'total_items' => $list->getTotal()
));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
public function delete($id = null)
{
try {
if (is_null($id)) {
$ip = Input::get("ip", null);
} else {
$banned_ip = $this->banned_ip_service->get($id);
$ip = $banned_ip->ip;
}
if (is_null($ip))
return $this->error400('invalid request');
$res = $this->banned_ip_service->delete($ip);
return $res ? $this->deleted() : $this->error404(array('error' => 'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
public function update()
{
// TODO: Implement update() method.
}
}

30
app/controllers/apis/ApiController.php
View File

@ -1,28 +1,25 @@
<?php
use oauth2\IResourceServerContext;
use utils\services\ILogService;
use oauth2\services\IApiService;
use oauth2\exceptions\InvalidApi;
use oauth2\exceptions\InvalidApi;
/**
* Class ApiController
* REST controller for Api entity CRUD Ops
*/
class ApiController extends AbstractRESTController implements IRESTController
class ApiController extends AbstractRESTController implements ICRUDController
{
private $api_service;
public function __construct(IApiService $api_service, ILogService $log_service)
public function __construct(IApiService $api_service, ILogService $log_service)
{
parent::__construct($log_service);
$this->api_service = $api_service;
//set filters allowed values
$this->allowed_filter_fields = array('resource_server_id');
$this->allowed_filter_op = array('resource_server_id' => array('='));
$this->allowed_filter_value = array('resource_server_id' => '/^\d+$/');
$this->allowed_filter_fields = array('resource_server_id');
$this->allowed_projection_fields = array('*');
}
public function get($id)
@ -44,12 +41,15 @@ class ApiController extends AbstractRESTController implements IRESTController
}
}
public function getByPage($page_nbr, $page_size)
public function getByPage()
{
try {
//check for optional filters param on querystring
$filters = Input::get('filters',null);
$list = $this->api_service->getAll($page_nbr,$page_size, $this->getFilters($filters));
$fields = $this->getProjection(Input::get('fields',null));
$filters = $this->getFilters(Input::except('fields','limit','offset'));
$page_nbr = intval(Input::get('offset',1));
$page_size = intval(Input::get('limit',10));
$list = $this->api_service->getAll($page_nbr,$page_size, $filters,$fields);
$items = array();
foreach ($list->getItems() as $api) {
array_push($items, $api->toArray());
@ -91,7 +91,7 @@ class ApiController extends AbstractRESTController implements IRESTController
$new_api['resource_server_id']
);
return $this->ok(array('api_id' => $new_api_model->id));
return $this->created(array('api_id' => $new_api_model->id));
}
catch (InvalidApi $ex1) {
$this->log_service->error($ex1);
@ -107,7 +107,7 @@ class ApiController extends AbstractRESTController implements IRESTController
{
try {
$res = $this->api_service->delete($id);
return $res?Response::json('ok',200):$this->error404(array('error'=>'operation failed'));
return $res?$this->deleted():$this->error404(array('error'=>'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -136,7 +136,7 @@ class ApiController extends AbstractRESTController implements IRESTController
$res = $this->api_service->update(intval($values['id']),$values);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch(InvalidApi $ex1){
@ -153,7 +153,7 @@ class ApiController extends AbstractRESTController implements IRESTController
try {
$active = is_string($active)?( strtoupper(trim($active))==='TRUE'?true:false ):$active;
$res = $this->api_service->setStatus($id,$active);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch(InvalidApi $ex1){
$this->log_service->error($ex1);

30
app/controllers/apis/ApiEndpointController.php
View File

@ -1,9 +1,7 @@
<?php
use oauth2\IResourceServerContext;
use utils\services\ILogService;
use oauth2\services\IApiEndpointService;
use oauth2\exceptions\InvalidApi;
use oauth2\exceptions\InvalidApiEndpoint;
use oauth2\exceptions\InvalidApiScope;
@ -11,7 +9,7 @@ use oauth2\exceptions\InvalidApiScope;
* Class ApiEndpointController
* REST Controller for Api endpoint entity CRUD ops
*/
class ApiEndpointController extends AbstractRESTController implements IRESTController {
class ApiEndpointController extends AbstractRESTController implements ICRUDController {
private $api_endpoint_service;
@ -20,9 +18,8 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
parent::__construct($log_service);
$this->api_endpoint_service = $api_endpoint_service;
//set filters allowed values
$this->allowed_filter_fields = array('api_id');
$this->allowed_filter_op = array('api_id' => array('='));
$this->allowed_filter_value = array('api_id' => '/^\d+$/');
$this->allowed_filter_fields = array('api_id');
$this->allowed_projection_fields = array('*');
}
public function get($id)
@ -42,12 +39,15 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
}
}
public function getByPage($page_nbr, $page_size)
public function getByPage()
{
try {
//check for optional filters param on querystring
$filters = Input::get('filters',null);
$list = $this->api_endpoint_service->getAll($page_nbr, $page_size, $this->getFilters($filters));
$fields = $this->getProjection(Input::get('fields',null));
$filters = $this->getFilters(Input::except('fields','limit','offset'));
$page_nbr = intval(Input::get('offset',1));
$page_size = intval(Input::get('limit',10));
$list = $this->api_endpoint_service->getAll($page_nbr, $page_size, $filters,$fields);
$items = array();
foreach ($list->getItems() as $api_endpoint) {
array_push($items, $api_endpoint->toArray());
@ -92,7 +92,7 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
$new_api_endpoint['http_method'],
$new_api_endpoint['api_id']
);
return $this->ok(array('api_endpoint_id' => $new_api_endpoint_model->id));
return $this->created(array('api_endpoint_id' => $new_api_endpoint_model->id));
}
catch (InvalidApiEndpoint $ex1) {
$this->log_service->error($ex1);
@ -108,7 +108,7 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
{
try {
$res = $this->api_endpoint_service->delete($id);
return $res?Response::json('ok',200):$this->error404(array('error'=>'operation failed'));
return $res?$this->deleted():$this->error404(array('error'=>'operation failed'));
}
catch (InvalidApiEndpoint $ex1) {
$this->log_service->error($ex1);
@ -144,7 +144,7 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
$res = $this->api_endpoint_service->update(intval($values['id']),$values);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch(InvalidApiEndpoint $ex1){
$this->log_service->error($ex1);
@ -159,7 +159,7 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
public function updateStatus($id, $active){
try {
$res = $this->api_endpoint_service->setStatus($id,$active);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch (InvalidApiEndpoint $ex1) {
$this->log_service->error($ex1);
@ -174,7 +174,7 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
public function addRequiredScope($id, $scope_id){
try {
$res = $this->api_endpoint_service->addRequiredScope($id,$scope_id);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch (InvalidApiEndpoint $ex1) {
$this->log_service->error($ex1);
@ -193,7 +193,7 @@ class ApiEndpointController extends AbstractRESTController implements IRESTContr
public function removeRequiredScope($id, $scope_id){
try {
$res = $this->api_endpoint_service->removeRequiredScope($id,$scope_id);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch (InvalidApiEndpoint $ex1) {
$this->log_service->error($ex1);

33
app/controllers/apis/ApiResourceServerController.php
View File

@ -6,7 +6,7 @@ use oauth2\exceptions\InvalidResourceServer;
/**
* Class ApiResourceServerController
*/
class ApiResourceServerController extends JsonController implements IRESTController
class ApiResourceServerController extends AbstractRESTController implements ICRUDController
{
/**
* @var IResourceServerService $resource_service
@ -17,6 +17,8 @@ class ApiResourceServerController extends JsonController implements IRESTControl
{
parent::__construct($log_service);
$this->resource_server_service = $resource_server_service;
$this->allowed_filter_fields = array('');
$this->allowed_projection_fields = array('*');
}
public function get($id)
@ -43,10 +45,15 @@ class ApiResourceServerController extends JsonController implements IRESTControl
}
}
public function getByPage($page_nbr, $page_size)
public function getByPage()
{
try {
$list = $this->resource_server_service->getAll($page_nbr, $page_size);
$fields = $this->getProjection(Input::get('fields',null));
$filters = $this->getFilters(Input::except('fields','limit','offset'));
$page_nbr = intval(Input::get('offset',1));
$page_size = intval(Input::get('limit',10));
$list = $this->resource_server_service->getAll($page_nbr, $page_size,$filters,$fields);
$items = array();
foreach ($list->getItems() as $rs) {
array_push($items, $rs->toArray());
@ -86,7 +93,7 @@ class ApiResourceServerController extends JsonController implements IRESTControl
$values['friendly_name'],
$values['active']);
return $this->ok(array('resource_server_id' => $new_resource_server_model->id));
return $this->created(array('resource_server_id' => $new_resource_server_model->id));
}
catch(InvalidResourceServer $ex1){
$this->log_service->error($ex1);
@ -102,7 +109,7 @@ class ApiResourceServerController extends JsonController implements IRESTControl
{
try {
$res = $this->resource_server_service->delete($id);
return $res?Response::json('ok',200):$this->error404(array('error'=>'operation failed'));
return $res?$this->deleted():$this->error404(array('error'=>'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -113,7 +120,7 @@ class ApiResourceServerController extends JsonController implements IRESTControl
{
try {
$res = $this->resource_server_service->regenerateClientSecret($id);
return !is_null($res)?Response::json(array('new_secret'=>$res),200):$this->error404(array('error'=>'operation failed'));
return !is_null($res)?$this->ok(array('new_secret'=>$res)):$this->error404(array('error'=>'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -134,16 +141,12 @@ class ApiResourceServerController extends JsonController implements IRESTControl
);
// Creates a Validator instance and validates the data.
$validation = Validator::make($values, $rules);
if ($validation->fails()) {
$messages = $validation->messages()->toArray();
return $this->error400(array('error'=>'validation','messages' => $messages));
}
$res = $this->resource_server_service->update(intval($values['id']),$values);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch(InvalidResourceServer $ex1){
$this->log_service->error($ex1);
@ -155,10 +158,16 @@ class ApiResourceServerController extends JsonController implements IRESTControl
}
}
/**
* @param $id
* @param $active
* @return mixed
*/
public function updateStatus($id, $active){
try {
$active = is_string($active)?(strtoupper(trim($active))==='TRUE'?true:false ):$active;
$res = $this->resource_server_service->setStatus($id,$active);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);

30
app/controllers/apis/ApiScopeController.php
View File

@ -8,7 +8,7 @@ use oauth2\exceptions\InvalidApiScope;
/**
* Class ApiScopeController
*/
class ApiScopeController extends AbstractRESTController implements IRESTController {
class ApiScopeController extends AbstractRESTController implements ICRUDController {
private $api_scope_service;
@ -17,9 +17,8 @@ class ApiScopeController extends AbstractRESTController implements IRESTControll
parent::__construct($log_service);
$this->api_scope_service = $api_scope_service;
//set filters allowed values
$this->allowed_filter_fields = array('api_id');
$this->allowed_filter_op = array('api_id' => array('='));
$this->allowed_filter_value = array('api_id' => '/^\d+$/');
$this->allowed_filter_fields = array('api_id');
$this->allowed_projection_fields = array('*');
}
public function get($id)
@ -37,12 +36,16 @@ class ApiScopeController extends AbstractRESTController implements IRESTControll
}
}
public function getByPage($page_nbr, $page_size)
public function getByPage()
{
try {
//check for optional filters param on querystring
$filters = Input::get('filters',null);
$list = $this->api_scope_service->getAll($page_nbr, $page_size, $this->getFilters($filters));
$fields = $this->getProjection(Input::get('fields',null));
$filters = $this->getFilters(Input::except('fields','limit','offset'));
$page_nbr = intval(Input::get('offset',1));
$page_size = intval(Input::get('limit',10));
$list = $this->api_scope_service->getAll($page_nbr, $page_size, $filters,$fields);
$items = array();
foreach ($list->getItems() as $scope) {
array_push($items, $scope->toArray());
@ -91,7 +94,7 @@ class ApiScopeController extends AbstractRESTController implements IRESTControll
$values['api_id']
);
return $this->ok(array('scope_id' => $new_scope->id));
return $this->created(array('scope_id' => $new_scope->id));
}
catch(InvalidApi $ex1){
$this->log_service->error($ex1);
@ -111,7 +114,7 @@ class ApiScopeController extends AbstractRESTController implements IRESTControll
{
try {
$res = $this->api_scope_service->delete($id);
return $res?Response::json('ok',200):$this->error404(array('error'=>'operation failed'));
return $res?$this->deleted():$this->error404(array('error'=>'operation failed'));
}
catch(InvalidApiScope $ex1){
$this->log_service->error($ex1);
@ -149,7 +152,7 @@ class ApiScopeController extends AbstractRESTController implements IRESTControll
$res = $this->api_scope_service->update(intval($values['id']),$values);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
}
catch(InvalidApiScope $ex1){
@ -162,10 +165,15 @@ class ApiScopeController extends AbstractRESTController implements IRESTControll
}
}
/**
* @param $id
* @param $active
* @return mixed
*/
public function updateStatus($id, $active){
try {
$res = $this->api_scope_service->setStatus($id,$active);
return $res?Response::json('ok',200):$this->error400(array('error'=>'operation failed'));
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);

152
app/controllers/apis/ClientApiController.php
View File

@ -1,7 +1,7 @@
<?php
use oauth2\exceptions\AllowedClientUriAlreadyExistsException;
use oauth2\exceptions\InvalidClientException;
use oauth2\exceptions\AbsentClientException;
use oauth2\services\IApiScopeService;
use oauth2\services\IClientService;
use oauth2\services\ITokenService;
@ -11,13 +11,19 @@ use utils\services\ILogService;
* Class ClientApiController
* Client REST API
*/
class ClientApiController extends AbstractRESTController implements IRESTController
class ClientApiController extends AbstractRESTController implements ICRUDController
{
private $client_service;
private $scope_service;
private $token_service;
/**
* @param IApiScopeService $scope_service
* @param ITokenService $token_service
* @param IClientService $client_service
* @param ILogService $log_service
*/
public function __construct(IApiScopeService $scope_service, ITokenService $token_service, IClientService $client_service, ILogService $log_service)
{
parent::__construct($log_service);
@ -27,9 +33,8 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
$this->token_service = $token_service;
//set filters allowed values
$this->allowed_filter_fields = array('user_id');
$this->allowed_filter_op = array('user_id' => array('='));
$this->allowed_filter_value = array('user_id' => '/^\d+$/');
$this->allowed_filter_fields = array('user_id');
$this->allowed_projection_fields = array('*');
}
/**
@ -41,7 +46,7 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
{
try {
$res = $this->client_service->deleteClientByIdentifier($id);
return $res ? Response::json('ok', 200) : $this->error404(array('error' => 'operation failed'));
return $res ? $this->deleted() : $this->error404(array('error' => 'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -59,10 +64,10 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
// Build the validation constraint set.
$rules = array(
'user_id' => 'required|integer',
'app_name' => 'required|alpha_dash|max:255',
'app_desc' => 'required|text',
'app_type' => 'required|integer|applicationtype',
'user_id' => 'required|integer',
'application_name' => 'required|alpha_dash|max:255',
'application_description' => 'required|text',
'application_type' => 'required|applicationtype',
);
// Create a new validator instance.
@ -73,14 +78,13 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
return $this->error400(array('error'=>'validation','messages' => $messages));
}
if ($this->client_service->existClientAppName($values['app_name'])) {
if ($this->client_service->existClientAppName($values['application_name'])) {
return $this->error400(array('error' => 'application Name already exists!.'));
}
$new_client = $this->client_service->addClient(intval($values['app_type']), intval($values['user_id']), trim($values['app_name']), trim($values['app_desc']));
$new_client = $this->client_service->addClient($values['application_type'], intval($values['user_id']), trim($values['application_name']), trim($values['application_description']));
return $this->ok(array('client_id' => $new_client->id));
return $this->created(array('client_id' => $new_client->id));
} catch (Exception $ex) {
$this->log_service->error($ex);
@ -88,6 +92,10 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
}
}
/**
* @param $id
* @return mixed
*/
public function get($id)
{
try {
@ -103,15 +111,24 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
}
}
public function getByPage($page_nbr, $page_size)
/**
* @return mixed
*/
public function getByPage()
{
try {
//check for optional filters param on querystring
$filters = Input::get('filters',null);
$list = $this->client_service->getAll($page_nbr, $page_size,$this->getFilters($filters));
$fields = $this->getProjection(Input::get('fields',null));
$filters = $this->getFilters(Input::except('fields','limit','offset'));
$page_nbr = intval(Input::get('offset',1));
$page_size = intval(Input::get('limit',10));
$list = $this->client_service->getAll($page_nbr, $page_size,$filters,$fields);
$items = array();
foreach ($list->getItems() as $client) {
array_push($items, $client->toArray());
$data = $client->toArray();
$data['application_type'] = $client->getFriendlyApplicationType();
array_push($items, $data);
}
return $this->ok(array(
'page' => $items,
@ -123,6 +140,9 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
}
}
/**
* @return mixed
*/
public function update()
{
try {
@ -149,9 +169,9 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
$res = $this->client_service->update(intval($values['id']), $values);
return $res ? Response::json('ok', 200) : $this->error400(array('error' => 'operation failed'));
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
} catch (InvalidClientException $ex1) {
} catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error404(array('error' => $ex1->getMessage()));
} catch (Exception $ex) {
@ -193,13 +213,13 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
return $this->error400(array('error' => $messages));
}
$res = $this->client_service->addClientAllowedUri($id, $values['redirect_uri']);
return $res ? Response::json('ok', 200) : $this->error404(array('error' => 'operation failed'));
return $res ? $this->ok(): $this->error404(array('error' => 'operation failed'));
} catch (AllowedClientUriAlreadyExistsException $ex1) {
$this->log_service->error($ex1);
return $this->error400(array('error' => $ex1->getMessage()));
} catch (InvalidClientException $ex2) {
} catch (AbsentClientException $ex2) {
$this->log_service->error($ex2);
return $this->error400(array('error' => $ex2->getMessage()));
return $this->error404(array('error' => $ex2->getMessage()));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -210,54 +230,52 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
{
try {
$res = $this->client_service->deleteClientAllowedUri($id, $uri_id);
return $res ? Response::json('ok', 200) : $this->error404(array('error' => 'operation failed'));
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
public function addAllowedScope($id)
{
public function addAllowedScope($id,$scope_id){
try {
$values = Input::All();
// Build the validation constraint set.
$rules = array(
'scope_id' => 'required|integer',
'checked' => 'required|boolean',
);
// Creates a Validator instance and validates the data.
$validation = Validator::make($values, $rules);
if ($validation->fails()) {
$messages = $validation->messages()->toArray();
return $this->error400(array('error' => $messages));
}
$checked = $values['checked'];
$scope_id = $values['scope_id'];
$res = $checked ? $this->client_service->addClientScope($id, $scope_id) : $this->client_service->deleteClientScope($id, $scope_id);
return Response::json('ok', 200);
} catch (InvalidClientException $ex1) {
$this->client_service->addClientScope($id, $scope_id);
return $this->ok();
} catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error400(array('error' => $ex1->getMessage()));
return $this->error404(array('error' => $ex1->getMessage()));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
public function removeAllowedScope($id,$scope_id){
try {
$res = $this->client_service->deleteClientScope($id, $scope_id);
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
} catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error404(array('error' => $ex1->getMessage()));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
public function updateStatus($id,$active)
{
try {
$res = $this->client_service->activateClient($id, $active);
return $res ? Response::json('ok', 200) : $this->error404(array('error' => 'operation failed'));
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
} catch (InvalidClientException $ex1) {
} catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error400(array('error' => $ex1->getMessage()));
return $this->error404(array('error' => $ex1->getMessage()));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -268,7 +286,8 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
{
try {
$res = $this->client_service->regenerateClientSecret($id);
return !empty($res) ? Response::json(array('new_secret' => $res), 200) : $this->error404(array('error' => 'operation failed'));
return !empty($res) ?
$this->ok(array('new_secret' => $res)): $this->error404(array('error' => 'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -294,11 +313,11 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
$res = $this->client_service->setRefreshTokenUsage($id, $values['use_refresh_token']);
return $res ? Response::json('ok', 200) : $this->error404(array('error' => 'operation failed'));
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
} catch (InvalidClientException $ex1) {
} catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error400(array('error' => $ex1->getMessage()));
return $this->error404(array('error' => $ex1->getMessage()));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -322,11 +341,10 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
}
$res = $this->client_service->setRotateRefreshTokenPolicy($id, $values['rotate_refresh_token']);
return $res ? Response::json('ok', 200) : $this->error404(array('error' => 'operation failed'));
} catch (InvalidClientException $ex1) {
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
} catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error400(array('error' => $ex1->getMessage()));
return $this->error404(array('error' => $ex1->getMessage()));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -367,7 +385,7 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
break;
}
return $res ? Response::json('ok', 200) : $this->error404(array('error' => 'operation failed'));
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
} catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
@ -418,4 +436,22 @@ class ClientApiController extends AbstractRESTController implements IRESTControl
}
}
/**
* @param $id
* @return mixed
*/
public function unlock($id){
try {
$res = $this->client_service->unlockClient($id);
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
}
catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error404(array('error' => $ex1->getMessage()));
}
catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
}

6
app/controllers/apis/IRESTController.php → app/controllers/apis/ICRUDController.php
View File

@ -1,12 +1,12 @@
<?php
interface IRESTController {
interface ICRUDController {
public function get($id);
public function create();
public function getByPage($page_nbr, $page_size);
public function getByPage();
public function delete($id);
public function update();
}
}

10
app/controllers/apis/JsonController.php
View File

@ -19,7 +19,15 @@ class JsonController extends BaseController {
return Response::json(array('error' => 'server error'), 500);
}
protected function ok($data){
protected function created($data='ok'){
return Response::json($data, 201);
}
protected function deleted($data='ok'){
return Response::json($data, 204);
}
protected function ok($data='ok'){
return Response::json($data, 200);
}

94
app/controllers/apis/UserApiController.php
View File

@ -1,11 +1,97 @@
<?php
use utils\services\ILogService;
use openid\services\IUserService;
use oauth2\services\ITokenService;
class UserApiController extends AbstractRESTController implements ICRUDController {
class UserApiController extends JsonController{
private $user_service;
private $token_service;
public function __construct(ILogService $log_service)
{
public function __construct(ILogService $log_service, IUserService $user_service,ITokenService $token_service){
parent::__construct($log_service);
$this->user_service = $user_service;
$this->token_service = $token_service;
}
}
/**
* @param $id
* @return mixed
*/
public function unlock($id){
try {
$res = $this->user_service->unlockUser($id);
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
}
catch (AbsentClientException $ex1) {
$this->log_service->error($ex1);
return $this->error404(array('error' => $ex1->getMessage()));
}
catch (Exception $ex) {
$this->log_service->error($ex);
return $this->error500($ex);
}
}
/**
* @param $id
* @param $value
* @return mixed
*/
public function revokeToken($id,$value){
try{
$hint = Input::get('hint','none');
switch($hint){
case 'access_token':{
$token = $this->token_service->getAccessToken($value,true);
if(is_null($token->getUserId()) || intval($token->getUserId())!=intval($id))
throw new Exception(sprintf("access token %s does not belongs to user id %s!.",$value,$id));
$this->token_service->revokeAccessToken($value,true);
}
break;
case 'refresh_token':
$token = $this->token_service->getRefreshToken($value,true);
if(is_null($token->getUserId()) || intval($token->getUserId())!=intval($id))
throw new Exception(sprintf("refresh token %s does not belongs to user id %s!.",$value,$id));
$this->token_service->revokeRefreshToken($value,true);
break;
default:
throw new Exception(sprintf("hint %s not allowed",$hint));
break;
}
return $this->ok();
}
catch(Exception $ex){
$this->log_service->error($ex);
return $this->error500($ex);
}
}
public function get($id)
{
// TODO: Implement get() method.
}
public function create()
{
// TODO: Implement create() method.
}
public function getByPage()
{
// TODO: Implement getByPage() method.
}
public function delete($id)
{
// TODO: Implement delete() method.
}
public function update()
{
// TODO: Implement update() method.
}
}

54
app/controllers/apis/protected/OAuth2ProtectedApiController.php
View File

@ -1,54 +0,0 @@
<?php
use oauth2\IResourceServerContext;
use utils\services\ILogService;
/**
* Class OAuth2ProtectedApiController
* OAuth2 Protected API
*/
class OAuth2ProtectedApiController extends OAuth2ProtectedController {
private $controller;
public function __construct(ApiController $controller, IResourceServerContext $resource_server_context, ILogService $log_service)
{
parent::__construct($resource_server_context,$log_service);
$this->controller = $controller;
}
public function get($id)
{
return $this->controller->get($id);
}
public function getByPage($page_nbr, $page_size)
{
return $this->controller->getByPage($page_nbr, $page_size);
}
public function create()
{
return $this->controller->create();
}
public function delete($id)
{
return $this->controller->delete($id);
}
public function regenerateClientSecret($id)
{
return $this->controller->regenerateClientSecret($id);
}
public function update()
{
return $this->controller->update();
}
public function updateStatus($id, $active){
return $this->controller->updateStatus($id, $active);
}
}

56
app/controllers/apis/protected/OAuth2ProtectedApiEndpointController.php
View File

@ -1,56 +0,0 @@
<?php
use oauth2\IResourceServerContext;
use utils\services\ILogService;
/**
* Class OAuth2ProtectedApiEndpointController
* OAuth2 Protected API
*/
class OAuth2ProtectedApiEndpointController extends OAuth2ProtectedController
{
private $controller;
public function __construct(ApiEndpointController $controller, IResourceServerContext $resource_server_context, ILogService $log_service)
{
parent::__construct($resource_server_context,$log_service);
$this->controller = $controller;
}
public function get($id)
{
return $this->controller->get($id);
}
public function getByPage($page_nbr, $page_size)
{
return $this->controller->getByPage($page_nbr, $page_size);
}
public function create()
{
return $this->controller->create();
}
public function delete($id)
{
return $this->controller->delete($id);
}
public function update()
{
return $this->controller->update();
}
public function updateStatus($id, $active){
return $this->controller->updateStatus($id, $active);
}
public function addRequiredScope($id, $scope_id){
return $this->controller->addRequiredScope($id, $scope_id);
}
public function removeRequiredScope($id, $scope_id){
return $this->controller->removeRequiredScope($id, $scope_id);
}
}

54
app/controllers/apis/protected/OAuth2ProtectedApiResourceServerController.php
View File

@ -1,54 +0,0 @@
<?php
use oauth2\IResourceServerContext;
use utils\services\ILogService;
/**
* Class OAuth2ProtectedApiResourceServerController
* OAuth2 Protected API
*/
class OAuth2ProtectedApiResourceServerController extends OAuth2ProtectedController {
private $controller;
public function __construct(ApiResourceServerController $controller, IResourceServerContext $resource_server_context, ILogService $log_service)
{
parent::__construct($resource_server_context,$log_service);
$this->controller = $controller;
}
public function get($id)
{
return $this->controller->get($id);
}
public function getByPage($page_nbr, $page_size)
{
return $this->controller->getByPage($page_nbr, $page_size);
}
public function create()
{
return $this->controller->create();
}
public function delete($id)
{
return $this->controller->delete($id);
}
public function regenerateClientSecret($id)
{
return $this->controller->regenerateClientSecret($id);
}
public function update()
{
return $this->controller->update();
}
public function updateStatus($id, $active){
return $this->controller->updateStatus($id, $active);
}
}

48
app/controllers/apis/protected/OAuth2ProtectedApiScopeController.php
View File

@ -1,48 +0,0 @@
<?php
use oauth2\IResourceServerContext;
use utils\services\ILogService;
/**
* Class OAuth2ProtectedApiScopeController
* OAuth2 Protected API
*/
class OAuth2ProtectedApiScopeController extends OAuth2ProtectedController {
private $controller;
public function __construct(ApiScopeController $controller, IResourceServerContext $resource_server_context, ILogService $log_service)
{
parent::__construct($resource_server_context,$log_service);
$this->controller = $controller;
}
public function get($id)
{
return $this->controller->get($id);
}
public function getByPage($page_nbr, $page_size)
{
return $this->controller->getByPage($page_nbr, $page_size);
}
public function create()
{
return $this->controller->create();
}
public function delete($id)
{
return $this->controller->delete($id);
}
public function update()
{
return $this->controller->update();
}
public function updateStatus($id, $active){
return $this->controller->controller($id, $active);
}
}

4
app/database/migrations/2013_12_04_181145_create_oauth2_clients_table.php
View File

@ -19,7 +19,7 @@ class CreateOauth2ClientsTable extends Migration {
$table->string('app_logo',255)->nullable();
$table->string('client_id',255)->unique();
$table->string('client_secret',255)->nullable();
$table->smallInteger('client_type');
$table->enum('client_type', array('PUBLIC', 'CONFIDENTIAL'));
$table->boolean('active')->default(true);
$table->boolean('locked')->default(false);
@ -38,7 +38,7 @@ class CreateOauth2ClientsTable extends Migration {
$table->integer('max_refresh_token_issuance_qty')->default(0);
$table->smallInteger('max_refresh_token_issuance_basis');
$table->boolean('use_refresh_token')->default(true);
$table->boolean('use_refresh_token')->default(false);
$table->boolean('rotate_refresh_token')->default(false);
});
}

2
app/database/migrations/2014_01_22_191553_create_table_oauth2_api_endpoints.php
View File

@ -19,7 +19,7 @@ class CreateTableOauth2ApiEndpoints extends Migration {
$table->string('name',255)->unique();
$table->timestamps();
$table->text("route");
$table->enum('http_method', array('GET', 'HEAD','POST','PUT','DELETE','TRACE','CONNECT','OPTIONS'));
$table->enum('http_method', array('GET', 'HEAD','POST','PUT','DELETE','TRACE','CONNECT','OPTIONS','PATCH'));
$table->bigInteger("api_id")->unsigned();
$table->index('api_id');

40
app/database/migrations/2014_02_03_125954_alter_table_oauth2_access_token.php Normal file
View File

@ -0,0 +1,40 @@
<?php
use Illuminate\Database\Migrations\Migration;
class AlterTableOauth2AccessToken extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('oauth2_access_token', function($table)
{
$table->bigInteger("user_id")->unsigned()->nullable();
$table->index('user_id');
$table->foreign('user_id')
->references('id')
->on('openid_users')
->onDelete('cascade')
->onUpdate('no action');;
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('oauth2_access_token', function($table)
{
$table->dropForeign('user_id');
$table->dropColumn('user_id');
});
}
}

40
app/database/migrations/2014_02_03_130006_alter_refresh_oauth2_access_token.php Normal file
View File

@ -0,0 +1,40 @@
<?php
use Illuminate\Database\Migrations\Migration;
class AlterRefreshOauth2AccessToken extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('oauth2_refresh_token', function($table)
{
$table->bigInteger("user_id")->unsigned()->nullable();
$table->index('user_id');
$table->foreign('user_id')
->references('id')
->on('openid_users')
->onDelete('cascade')
->onUpdate('no action');;
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('oauth2_refresh_token', function($table)
{
$table->dropForeign('user_id');
$table->dropColumn('user_id');
});
}
}

40
app/database/migrations/2014_02_03_130027_alter_user_exceptions_trail.php Normal file
View File

@ -0,0 +1,40 @@
<?php
use Illuminate\Database\Migrations\Migration;
class AlterUserExceptionsTrail extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('user_exceptions_trail', function($table)
{
$table->bigInteger("user_id")->unsigned()->nullable();
$table->index('user_id');
$table->foreign('user_id')
->references('id')
->on('openid_users')
->onDelete('cascade')
->onUpdate('no action');
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('user_exceptions_trail', function($table)
{
$table->dropForeign('user_id');
$table->dropColumn('user_id');
});
}
}

40
app/database/migrations/2014_02_03_130043_alter_banned_ips.php Normal file
View File

@ -0,0 +1,40 @@
<?php
use Illuminate\Database\Migrations\Migration;
class AlterBannedIps extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('banned_ips', function($table)
{
$table->bigInteger("user_id")->unsigned()->nullable();
$table->index('user_id');
$table->foreign('user_id')
->references('id')
->on('openid_users')
->onDelete('cascade')
->onUpdate('no action');
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('banned_ips', function($table)
{
$table->dropForeign('user_id');
$table->dropColumn('user_id');
});
}
}

45
app/database/migrations/2014_02_03_130201_create_table_oauth2_exceptions_trail.php Normal file
View File

@ -0,0 +1,45 @@
<?php
use Illuminate\Database\Migrations\Migration;
class CreateTableOauth2ExceptionsTrail extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::create('oauth2_exception_trail', function($table)
{
$table->bigIncrements('id')->unsigned();
$table->string('from_ip',254);
$table->string('exception_type',1024);
$table->timestamps();
$table->bigInteger("client_id")->unsigned()->nullable();
$table->index('client_id');
$table->foreign('client_id')
->references('id')
->on('oauth2_client')
->onDelete('cascade')
->onUpdate('no action');
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('oauth2_exception_trail', function($table)
{
$table->dropForeign('client_id');
});
Schema::dropIfExists('oauth2_exception_trail');
}
}

35
app/database/migrations/2014_02_03_132103_update_oauth2_client.php Normal file
View File

@ -0,0 +1,35 @@
<?php
use Illuminate\Database\Migrations\Migration;
class UpdateOauth2Client extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('oauth2_client', function($table)
{
$table->enum('application_type', array('WEB_APPLICATION', 'JS_CLIENT','SERVICE'));
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('oauth2_client', function($table)
{
$table->dropColumn('application_type');
});
}
}

55
app/database/migrations/2014_02_04_000856_create_table_oauth2_user_consents.php Normal file
View File

@ -0,0 +1,55 @@
<?php
use Illuminate\Database\Migrations\Migration;
class CreateTableOauth2UserConsents extends Migration {
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::create('oauth2_user_consents', function($table)
{
$table->bigIncrements('id')->unsigned();
$table->text('scopes');
$table->bigInteger("client_id")->unsigned();
$table->index('client_id');
$table->foreign('client_id')
->references('id')
->on('oauth2_client')
->onDelete('cascade')
->onUpdate('no action');
$table->bigInteger("user_id")->unsigned();
$table->index('user_id');
$table->foreign('user_id')
->references('id')
->on('openid_users')
->onDelete('cascade')
->onUpdate('no action');
$table->timestamps();
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('oauth2_user_consents', function($table)
{
$table->dropForeign('client_id');
$table->dropForeign('openid_users');
});
Schema::dropIfExists('oauth2_user_consents');
}
}

42
app/database/seeds/TestSeeder.php
View File

@ -321,12 +321,31 @@ class TestSeeder extends Seeder {
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x.openstack.client',
'client_secret' => 'ITc/6Y5N7kOtGKhg',
'client_type' => IClient::ClientType_Confidential,
'application_type' => IClient::ApplicationType_Web_App,
'user_id' => $user->id,
'rotate_refresh_token' => true,
'use_refresh_token' => true
)
);
Client::create(
array(
'app_name' => 'oauth2.service',
'app_description' => 'oauth2.service',
'app_logo' => null,
'client_id' => '11z87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x.openstack.client',
'client_secret' => '11c/6Y5N7kOtGKhg',
'client_type' => IClient::ClientType_Confidential,
'application_type' => IClient::ApplicationType_Service,
'user_id' => $user->id,
'rotate_refresh_token' => true,
'use_refresh_token' => true
)
);
Client::create(
array(
'app_name' => 'oauth2_test_app_public',
@ -335,6 +354,7 @@ class TestSeeder extends Seeder {
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwKlfSyQ3x.openstack.client',
'client_secret' => null,
'client_type' => IClient::ClientType_Public,
'application_type' => IClient::ApplicationType_JS_Client,
'user_id' => $user->id,
'rotate_refresh_token' => false,
'use_refresh_token' => false
@ -349,6 +369,7 @@ class TestSeeder extends Seeder {
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwKlfSyQ2x.openstack.client',
'client_secret' => null,
'client_type' => IClient::ClientType_Public,
'application_type' => IClient::ApplicationType_JS_Client,
'user_id' => $user->id,
'rotate_refresh_token' => false,
'use_refresh_token' => false
@ -363,6 +384,7 @@ class TestSeeder extends Seeder {
'client_id' => 'resource.server.1.openstack.client',
'client_secret' => '123456789',
'client_type' => IClient::ClientType_Confidential,
'application_type' => IClient::ApplicationType_Service,
'resource_server_id' => $resource_server->id,
'rotate_refresh_token' => false,
'use_refresh_token' => false
@ -371,11 +393,13 @@ class TestSeeder extends Seeder {
$client_confidential = Client::where('app_name','=','oauth2_test_app')->first();
$client_public = Client::where('app_name','=','oauth2_test_app_public')->first();
$client_service = Client::where('app_name','=','oauth2.service')->first();
//attach scopes
$scopes = ApiScope::get();
foreach($scopes as $scope){
$client_confidential->scopes()->attach($scope->id);
$client_public->scopes()->attach($scope->id);
$client_service->scopes()->attach($scope->id);
}
//add uris
ClientAuthorizedUri::create(
@ -749,7 +773,7 @@ class TestSeeder extends Seeder {
'name' => 'create-resource-server',
'active' => true,
'api_id' => $resource_server->id,
'route' => 'api/v1/resource-server',
'route' => 'api/v1/resource-servers',
'http_method' => 'POST'
)
);
@ -759,7 +783,7 @@ class TestSeeder extends Seeder {
'name' => 'get-resource-server',
'active' => true,
'api_id' => $resource_server->id,
'route' => 'api/v1/resource-server/{id}',
'route' => 'api/v1/resource-servers/{id}',
'http_method' => 'GET'
)
);
@ -769,8 +793,8 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-regenerate-secret',
'active' => true,
'api_id' => $resource_server->id,
'route' => 'api/v1/resource-server/regenerate-client-secret/{id}',
'http_method' => 'GET'
'route' => 'api/v1/resource-servers/{id}/client-secret',
'http_method' => 'PUT'
)
);
@ -779,7 +803,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-get-page',
'active' => true,
'api_id' => $resource_server->id,
'route' => 'api/v1/resource-server/{page_nbr}/{page_size}',
'route' => 'api/v1/resource-servers',
'http_method' => 'GET'
)
);
@ -789,7 +813,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-delete',
'active' => true,
'api_id' => $resource_server->id,
'route' => 'api/v1/resource-server/{id}',
'route' => 'api/v1/resource-servers/{id}',
'http_method' => 'DELETE'
)
);
@ -799,7 +823,7 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-update',
'active' => true,
'api_id' => $resource_server->id,
'route' => 'api/v1/resource-server',
'route' => 'api/v1/resource-servers',
'http_method' => 'PUT'
)
);
@ -809,8 +833,8 @@ class TestSeeder extends Seeder {
'name' => 'resource-server-update-status',
'active' => true,
'api_id' => $resource_server->id,
'route' => 'api/v1/resource-server/status/{id}/{active}',
'http_method' => 'GET'
'route' => 'api/v1/resource-servers/{id}/status/{active}',
'http_method' => 'PUT'
)
);

78
app/filters.php
View File

@ -53,37 +53,17 @@ Route::filter('auth', function () {
Session::put('url.intended', URL::full());
return Redirect::action('HomeController@index');
}
if ($redirect = Session::get('url.intended')) {
$redirect = Session::get('url.intended');
if (!empty($redirect)) {
Session::forget('url.intended');
return Redirect::to($redirect);
}
});
Route::filter('auth.server.admin.json',function(){
if (Auth::guest()) {
return Response::json(array('error' => 'you are not allowed to perform this operation'));
}
if(!Auth::user()->IsServerAdmin()){
return Response::json(array('error' => 'you are not allowed to perform this operation'));
}
});
Route::filter('auth.server.admin',function(){
if (Auth::guest()) {
return View::make('404');
}
if(!Auth::user()->IsServerAdmin()){
return View::make('404');
}
});
Route::filter('auth.basic', function () {
return Auth::basic();
});
/*
|--------------------------------------------------------------------------
| Guest Filter
@ -191,8 +171,16 @@ Route::filter('is.current.user',function($route, $request){
try{
$authentication_service = App::make(UtilsServiceCatalog::AuthenticationService);
$used_id = Input::get('user_id',null);
if(is_null($used_id))
$used_id = Input::get('id',null);
if(is_null($used_id))
$used_id = $route->getParameter('user_id');
if(is_null($used_id))
$used_id = $route->getParameter('id');
$user = $authentication_service->getCurrentUser();
if (is_null($used_id) || intval($used_id) !== intval($user->getId()))
throw new Exception(sprintf('user id %s does not match with current user id %s',$used_id,$user->getId()));
@ -207,4 +195,48 @@ Route::filter('is.current.user',function($route, $request){
// filter to protect an api endpoint with oauth2
Route::filter('oauth2.protected.endpoint','OAuth2BearerAccessTokenRequestValidator');
Route::filter('oauth2.protected.endpoint','OAuth2BearerAccessTokenRequestValidator');
//oauth2 server admin filter
Route::filter('oauth2.server.admin.json',function(){
if (Auth::guest()) {
return Response::json(array('error' => 'you are not allowed to perform this operation'));
}
if(!Auth::user()->isOAuth2ServerAdmin()){
return Response::json(array('error' => 'you are not allowed to perform this operation'));
}
});
Route::filter('oauth2.server.admin',function(){
if (Auth::guest()) {
return View::make('404');
}
if(!Auth::user()->isOAuth2ServerAdmin()){
return View::make('404');
}
});
//openstackid server admin
Route::filter('openstackid.server.admin.json',function(){
if (Auth::guest()) {
return Response::json(array('error' => 'you are not allowed to perform this operation'));
}
if(!Auth::user()->isOpenstackIdAdmin()){
return Response::json(array('error' => 'you are not allowed to perform this operation'));
}
});
Route::filter('openstackid.server.admin',function(){
if (Auth::guest()) {
return View::make('404');
}
if(!Auth::user()->isOpenstackIdAdmin()){
return View::make('404');
}
});

16
app/filters/OAuth2RequestAccessTokenValidator.php
View File

@ -38,13 +38,12 @@ class OAuth2BearerAccessTokenRequestValidator {
*/
public function filter($route, $request)
{
$url = $route->getPath();
$method = $request->getMethod();
$realm = $request->getHost();
try{
$url = $route->getPath();
$method = $request->getMethod();
$endpoint = $this->api_endpoint_service->getApiEndpointByUrlAndMethod($url, $method);
$realm = $request->getHost();
//api endpoint must be registered on db and active
if(is_null($endpoint) || !$endpoint->isActive()){
@ -88,12 +87,17 @@ class OAuth2BearerAccessTokenRequestValidator {
implode(' ',$endpoint_scopes));
}
$this->resource_server_context->setAuthorizationContext(array(
$context = array(
'access_token' => $access_token_value,
'expires_in' => $access_token->getRemainingLifetime(),
'client_id' => $access_token->getClientId(),
'scope' => $access_token->getScope()
));
);
if(!is_null($access_token>getUserId()))
$context['user_id'] = $access_token>getUserId();
$this->resource_server_context->setAuthorizationContext($context);
}
catch(OAuth2ResourceServerException $ex1){

8
app/libs/auth/AuthHelper.php
View File

@ -16,9 +16,11 @@ class AuthHelper
);
/**
* @param $password user password
* @param $salt password salt
* @param string $algorithm Name of selected hashing algorithm (i.e. "md5", "sha256", "haval160,4", etc..)
* @param $password
* @param $salt
* @param string $algorithm
* @return string
* @throws \Exception
*/
public static function encrypt_password($password, $salt, $algorithm = "sha1")
{

1
app/libs/auth/AuthenticationServiceProvider.php
View File

@ -3,7 +3,6 @@
namespace auth;
use Illuminate\Support\ServiceProvider;
use openid\services\OpenIdServiceCatalog;
use utils\services\Registry;
use utils\services\UtilsServiceCatalog;

40
app/libs/auth/User.php
View File

@ -10,10 +10,13 @@ use openid\services\OpenIdServiceCatalog;
use utils\services\Registry;
use oauth2\models\IOAuth2User;
use Eloquent;
class User extends Eloquent implements UserInterface, IOpenIdUser, IOAuth2User
use utils\model\BaseModelEloquent;
/**
* Class User
* @package auth
*/
class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAuth2User
{
protected $table = 'openid_users';
private $member;
@ -23,6 +26,21 @@ class User extends Eloquent implements UserInterface, IOpenIdUser, IOAuth2User
return $this->hasMany("OpenIdTrustedSite", 'user_id');
}
public function access_tokens()
{
return $this->hasMany('AccessToken','user_id');
}
public function refresh_tokens()
{
return $this->hasMany('RefreshToken','user_id');
}
public function consents()
{
return $this->hasMany('UserConsent','user_id');
}
public function clients()
{
return $this->hasMany("Client", 'user_id');
@ -207,8 +225,6 @@ class User extends Eloquent implements UserInterface, IOpenIdUser, IOAuth2User
{
return $this->clients()->get();
}
/**
* Could use system scopes on registered clients
* @return bool
@ -226,7 +242,7 @@ class User extends Eloquent implements UserInterface, IOpenIdUser, IOAuth2User
* Is Server Administrator
* @return bool
*/
public function IsServerAdmin()
public function isOAuth2ServerAdmin()
{
if (is_null($this->member)) {
$this->member = Member::where('Email', '=', $this->external_id)->first();
@ -234,4 +250,16 @@ class User extends Eloquent implements UserInterface, IOpenIdUser, IOAuth2User
$group = $this->member->groups()->where('code','=',IOAuth2User::OAuth2ServerAdminGroup)->first();
return !is_null($group);
}
/**
* @return bool
*/
public function isOpenstackIdAdmin()
{
if (is_null($this->member)) {
$this->member = Member::where('Email', '=', $this->external_id)->first();
}
$group = $this->member->groups()->where('code','=',IOpenIdUser::OpenstackIdServerAdminGroup)->first();
return !is_null($group);
}
}

1
app/libs/oauth2/IOAuth2Protocol.php
View File

@ -2,7 +2,6 @@
namespace oauth2;
use oauth2\requests\OAuth2Request;
use oauth2\OAuth2Message;
interface IOAuth2Protocol {
/**

1
app/libs/oauth2/IResourceServerContext.php
View File

@ -10,4 +10,5 @@ interface IResourceServerContext {
public function getCurrentAccessTokenLifetime();
public function getCurrentClientId();
public function setAuthorizationContext($auth_context);
public function getCurrentUserId();
}

110
app/libs/oauth2/OAuth2Protocol.php
View File

@ -15,16 +15,22 @@ use oauth2\exceptions\AccessDeniedException;
use oauth2\exceptions\BearerTokenDisclosureAttemptException;
use oauth2\exceptions\ExpiredAuthorizationCodeException;
use oauth2\exceptions\InvalidAccessTokenException;
use oauth2\exceptions\InvalidApplicationType;
use oauth2\exceptions\InvalidAuthorizationCodeException;
use oauth2\exceptions\InvalidClientException;
use oauth2\exceptions\InvalidClientType;
use oauth2\exceptions\InvalidGrantTypeException;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\exceptions\LockedClientException;
use oauth2\exceptions\MissingClientIdParam;
use oauth2\exceptions\OAuth2GenericException;
use oauth2\exceptions\ReplayAttackException;
use oauth2\exceptions\ScopeNotAllowedException;
use oauth2\exceptions\UnAuthorizedClientException;
use oauth2\exceptions\UnsupportedResponseTypeException;
use oauth2\exceptions\UriNotAllowedException;
use oauth2\exceptions\MissingClientAuthorizationInfo;
use oauth2\exceptions\InvalidRedeemAuthCodeException;
//grant types
use oauth2\grant_types\AuthorizationCodeGrantType;
@ -44,6 +50,7 @@ use oauth2\services\IMementoOAuth2AuthenticationRequestService;
use oauth2\services\ITokenService;
use oauth2\strategies\IOAuth2AuthenticationStrategy;
use oauth2\strategies\OAuth2IndirectErrorResponseFactoryMethod;
use oauth2\services\IUserConsentService;
use utils\services\IAuthService;
use utils\services\ICheckPointService;
use utils\services\ILogService;
@ -65,6 +72,7 @@ class OAuth2Protocol implements IOAuth2Protocol
const OAuth2Protocol_ResponseType_Token = 'token';
const OAuth2Protocol_ResponseType = 'response_type';
const OAuth2Protocol_ClientId = 'client_id';
const OAuth2Protocol_UserId = 'user_id';
const OAuth2Protocol_ClientSecret = 'client_secret';
const OAuth2Protocol_Token = 'token';
const OAuth2Protocol_TokenType = 'token_type';
@ -77,6 +85,26 @@ class OAuth2Protocol implements IOAuth2Protocol
const OAuth2Protocol_Scope = 'scope';
const OAuth2Protocol_Audience = 'audience';
const OAuth2Protocol_State = 'state';
/**
* Indicates whether the user should be re-prompted for consent. The default is auto,
* so a given user should only see the consent page for a given set of scopes the first time
* through the sequence. If the value is force, then the user sees a consent page even if they
* previously gave consent to your application for a given set of scopes.
*/
const OAuth2Protocol_Approval_Prompt = 'approval_prompt';
const OAuth2Protocol_Approval_Prompt_Force = 'force';
const OAuth2Protocol_Approval_Prompt_Auto = 'auto';
/**
* Indicates whether your application needs to access an API when the user is not present at
* the browser. This parameter defaults to online. If your application needs to refresh access tokens
* when the user is not present at the browser, then use offline. This will result in your application
* obtaining a refresh token the first time your application exchanges an authorization code for a user.
*/
const OAuth2Protocol_AccessType = 'access_type';
const OAuth2Protocol_AccessType_Online = 'online';
const OAuth2Protocol_AccessType_Offline = 'offline';
const OAuth2Protocol_GrantType = 'grant_type';
const OAuth2Protocol_Error = 'error';
const OAuth2Protocol_ErrorDescription = 'error_description';
@ -138,11 +166,12 @@ class OAuth2Protocol implements IOAuth2Protocol
IMementoOAuth2AuthenticationRequestService $memento_service,
IOAuth2AuthenticationStrategy $auth_strategy,
ICheckPointService $checkpoint_service,
IApiScopeService $scope_service)
IApiScopeService $scope_service,
IUserConsentService $user_consent_service)
{
$authorization_code_grant_type = new AuthorizationCodeGrantType($scope_service, $client_service, $token_service, $auth_service, $memento_service, $auth_strategy, $log_service);
$implicit_grant_type = new ImplicitGrantType($scope_service, $client_service, $token_service, $auth_service, $memento_service, $auth_strategy, $log_service);
$authorization_code_grant_type = new AuthorizationCodeGrantType($scope_service, $client_service, $token_service, $auth_service, $memento_service, $auth_strategy, $log_service,$user_consent_service);
$implicit_grant_type = new ImplicitGrantType($scope_service, $client_service, $token_service, $auth_service, $memento_service, $auth_strategy, $log_service,$user_consent_service);
$refresh_bearer_token_grant_type = new RefreshBearerTokenGrantType($client_service, $token_service, $log_service);
$client_credential_grant_type = new ClientCredentialsGrantType($scope_service,$client_service, $token_service, $log_service);
@ -241,7 +270,48 @@ class OAuth2Protocol implements IOAuth2Protocol
throw $ex8;
return OAuth2IndirectErrorResponseFactoryMethod::buildResponse($request, OAuth2Protocol::OAuth2Protocol_Error_ServerError, $redirect_uri);
} catch (Exception $ex) {
}
catch(InvalidApplicationType $ex9){
$this->log_service->error($ex9);
$this->checkpoint_service->trackException($ex9);
$redirect_uri = $this->validateRedirectUri($request);
if (is_null($redirect_uri))
throw $ex9;
return OAuth2IndirectErrorResponseFactoryMethod::buildResponse($request, OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient, $redirect_uri);
}
catch(LockedClientException $ex10){
$this->log_service->error($ex10);
$this->checkpoint_service->trackException($ex10);
$redirect_uri = $this->validateRedirectUri($request);
if (is_null($redirect_uri))
throw $ex10;
return OAuth2IndirectErrorResponseFactoryMethod::buildResponse($request, OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient, $redirect_uri);
}
catch(MissingClientIdParam $ex11){
$this->log_service->error($ex11);
$this->checkpoint_service->trackException($ex11);
$redirect_uri = $this->validateRedirectUri($request);
if (is_null($redirect_uri))
throw $ex11;
return OAuth2IndirectErrorResponseFactoryMethod::buildResponse($request, OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient, $redirect_uri);
}
catch(InvalidClientType $ex12){
$this->log_service->error($ex12);
$this->checkpoint_service->trackException($ex12);
$redirect_uri = $this->validateRedirectUri($request);
if (is_null($redirect_uri))
throw $ex12;
return OAuth2IndirectErrorResponseFactoryMethod::buildResponse($request, OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient, $redirect_uri);
}
catch (Exception $ex) {
$this->log_service->error($ex);
$this->checkpoint_service->trackException($ex);
@ -325,7 +395,37 @@ class OAuth2Protocol implements IOAuth2Protocol
catch(ScopeNotAllowedException $ex11){
$this->log_service->error($ex11);
$this->checkpoint_service->trackException($ex11);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_InvalidScope);
}
catch(InvalidApplicationType $ex12){
$this->log_service->error($ex12);
$this->checkpoint_service->trackException($ex12);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient);
}
catch(LockedClientException $ex13){
$this->log_service->error($ex13);
$this->checkpoint_service->trackException($ex13);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient);
}
catch(MissingClientIdParam $ex14){
$this->log_service->error($ex14);
$this->checkpoint_service->trackException($ex14);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient);
}
catch(InvalidClientType $ex15){
$this->log_service->error($ex15);
$this->checkpoint_service->trackException($ex15);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient);
}
catch(MissingClientAuthorizationInfo $ex16){
$this->log_service->error($ex16);
$this->checkpoint_service->trackException($ex16);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient);
}
catch(InvalidRedeemAuthCodeException $ex17){
$this->log_service->error($ex17);
$this->checkpoint_service->trackException($ex17);
return new OAuth2DirectErrorResponse(OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient);
}
catch (Exception $ex) {
$this->log_service->error($ex);

1
app/libs/oauth2/endpoints/AuthorizationEndpoint.php
View File

@ -5,7 +5,6 @@ namespace oauth2\endpoints;
use oauth2\requests\OAuth2Request;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\IOAuth2Protocol;
use oauth2\exceptions\InvalidGrantTypeException;
/**
* Class AuthorizationEndpoint

2
app/libs/oauth2/endpoints/TokenIntrospectionEndpoint.php
View File

@ -2,8 +2,6 @@
namespace oauth2\endpoints;
use oauth2\exceptions\InvalidGrantTypeException;
use oauth2\requests\OAuth2Request;
use oauth2\IOAuth2Protocol;
use oauth2\services\IClientService;

2
app/libs/oauth2/endpoints/TokenRevocationEndpoint.php
View File

@ -2,8 +2,6 @@
namespace oauth2\endpoints;
use oauth2\exceptions\InvalidGrantTypeException;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\requests\OAuth2Request;
use oauth2\IOAuth2Protocol;

15
app/libs/oauth2/exceptions/AbsentClientException.php Normal file
View File

@ -0,0 +1,15 @@
<?php
namespace oauth2\exceptions;
use Exception;
class AbsentClientException extends Exception
{
public function __construct($message = "")
{
$message = "Absent Client Exception: " . $message;
parent::__construct($message, 0, null);
}
}

10
app/libs/oauth2/exceptions/BearerTokenDisclosureAttemptException.php
View File

@ -2,15 +2,11 @@
namespace oauth2\exceptions;
use Exception;
class BearerTokenDisclosureAttemptException extends Exception
class BearerTokenDisclosureAttemptException extends OAuth2ClientBaseException
{
public function __construct($message = "")
public function __construct($client_id,$message = "")
{
$message = "Bearer Token Disclosure Attempt Attack: " . $message;
parent::__construct($message, 0, null);
parent::__construct($client_id,$message);
}
}

13
app/libs/oauth2/exceptions/InvalidApplicationType.php Normal file
View File

@ -0,0 +1,13 @@
<?php
namespace oauth2\exceptions;
class InvalidApplicationType extends OAuth2ClientBaseException
{
public function __construct($client_id, $message = "")
{
$message = "Invalid Application Type: " . $message;
parent::__construct($client_id,$message);
}
}

8
app/libs/oauth2/exceptions/InvalidClientException.php
View File

@ -1,14 +1,12 @@
<?php
namespace oauth2\exceptions;
use Exception;
class InvalidClientException extends Exception
class InvalidClientException extends OAuth2ClientBaseException
{
public function __construct($message = "")
public function __construct($client_id, $message = "")
{
$message = "Invalid OAuth2 Client : " . $message;
parent::__construct($message, 0, null);
parent::__construct($client_id, $message);
}
}

13
app/libs/oauth2/exceptions/InvalidClientType.php Normal file
View File

@ -0,0 +1,13 @@
<?php
namespace oauth2\exceptions;
class InvalidClientType extends OAuth2ClientBaseException
{
public function __construct($client_id, $message = "")
{
$message = "Invalid Client Type: " . $message;
parent::__construct($client_id,$message);
}
}

12
app/libs/oauth2/exceptions/InvalidRedeemAuthCodeException.php Normal file
View File

@ -0,0 +1,12 @@
<?php
namespace oauth2\exceptions;
class InvalidRedeemAuthCodeException extends OAuth2ClientBaseException{
public function __construct($client_id, $message = "")
{
$message = "Invalid Redeem AuthCode Exception: " . $message;
parent::__construct($client_id,$message);
}
}

13
app/libs/oauth2/exceptions/LockedClientException.php Normal file
View File

@ -0,0 +1,13 @@
<?php
namespace oauth2\exceptions;
class LockedClientException extends OAuth2ClientBaseException
{
public function __construct($client_id, $message = "")
{
$message = "Locked Client Exception: " . $message;
parent::__construct($client_id,$message);
}
}

16
app/libs/oauth2/exceptions/MissingClientAuthorizationInfo.php Normal file
View File

@ -0,0 +1,16 @@
<?php
namespace oauth2\exceptions;
use Exception;
class MissingClientAuthorizationInfo extends Exception
{
public function __construct($message = "")
{
$message = "Missing Client Authorization Info: " . $message;
parent::__construct($message, 0, null);
}
}

15
app/libs/oauth2/exceptions/MissingClientIdParam.php Normal file
View File

@ -0,0 +1,15 @@
<?php
namespace oauth2\exceptions;
use Exception;
class MissingClientIdParam extends Exception
{
public function __construct($message = "")
{
$message = "Missing ClientId Param: " . $message;
parent::__construct($message, 0, null);
}
}

22
app/libs/oauth2/exceptions/OAuth2ClientBaseException.php Normal file
View File

@ -0,0 +1,22 @@
<?php
namespace oauth2\exceptions;
use Exception;
class OAuth2ClientBaseException extends Exception
{
protected $client_id;
public function __construct($client_id, $message = "")
{
$this->client_id = $client_id;
$message = "OAuth2 Client Base Exception : " . $message;
parent::__construct($message, 0, null);
}
public function getClientId(){
return $this->client_id;
}
}

2
app/libs/oauth2/exceptions/ReplayAttackException.php
View File

@ -6,7 +6,6 @@ use Exception;
class ReplayAttackException extends Exception
{
private $auth_code;
public function getAuthCode(){
@ -19,5 +18,4 @@ class ReplayAttackException extends Exception
$message = "Possible Replay Attack : " . $message;
parent::__construct($message, 0, null);
}
}

7
app/libs/oauth2/exceptions/UnAuthorizedClientException.php
View File

@ -1,13 +1,12 @@
<?php
namespace oauth2\exceptions;
use \Exception;
class UnAuthorizedClientException extends Exception
class UnAuthorizedClientException extends OAuth2ClientBaseException
{
public function __construct($message = "")
public function __construct($client_id, $message = "")
{
$message = "UnAuthorized Client: " . $message;
parent::__construct($message, 0, null);
parent::__construct($client_id,$message);
}
}

16
app/libs/oauth2/exceptions/UseRefreshTokenException.php Normal file
View File

@ -0,0 +1,16 @@
<?php
namespace oauth2\exceptions;
use Exception;
class UseRefreshTokenException extends Exception
{
public function __construct($message = "")
{
$message = "Use Refresh Token Exception: " . $message;
parent::__construct($message, 0, null);
}
}

18
app/libs/oauth2/grant_types/AbstractGrantType.php
View File

@ -3,7 +3,10 @@
namespace oauth2\grant_types;
use oauth2\exceptions\InvalidClientException;
use oauth2\exceptions\UnAuthorizedClientException;
use oauth2\exceptions\InvalidClientType;
use oauth2\exceptions\MissingClientIdParam;
use oauth2\exceptions\LockedClientException;
use oauth2\models\IClient;
use oauth2\requests\OAuth2Request;
use oauth2\services\IClientService;
@ -34,8 +37,11 @@ abstract class AbstractGrantType implements IGrantType
/**
* @param OAuth2Request $request
* @return mixed|void
* @throws \oauth2\exceptions\UnAuthorizedClientException
* @throws \oauth2\exceptions\MissingClientIdParam
* @throws \oauth2\exceptions\InvalidClientType
* @throws \oauth2\exceptions\InvalidClientException
* @throws \oauth2\exceptions\LockedClientException
* @throws \oauth2\exceptions\MissingClientAuthorizationInfo
*/
public function completeFlow(OAuth2Request $request)
{
@ -44,21 +50,21 @@ abstract class AbstractGrantType implements IGrantType
//check if we have at least a client id
if (empty($this->current_client_id))
throw new InvalidClientException;
throw new MissingClientIdParam();
//retrieve client from storage..
$this->current_client = $this->client_service->getClientById($this->current_client_id);
if (is_null($this->current_client))
throw new InvalidClientException;
throw new InvalidClientException($this->current_client_id,sprintf("client id %s does not exists!",$this->current_client_id));
if (!$this->current_client->isActive() || $this->current_client->isLocked()) {
throw new UnAuthorizedClientException(sprintf('client id %s',$this->current_client_id));
throw new LockedClientException($this->current_client_id, sprintf('client id %s',$this->current_client_id));
}
//verify client credentials (only for confidential clients )
if ($this->current_client->getClientType() == IClient::ClientType_Confidential && $this->current_client->getClientSecret() !== $this->current_client_secret)
throw new UnAuthorizedClientException(sprintf('client id %s',$this->current_client_id));
throw new InvalidClientType($this->current_client_id,sprintf('client id %s',$this->current_client_id));
}
}

185
app/libs/oauth2/grant_types/AuthorizationCodeGrantType.php
View File

@ -7,10 +7,12 @@ use oauth2\exceptions\AccessDeniedException;
use oauth2\exceptions\InvalidAuthorizationCodeException;
use oauth2\exceptions\InvalidClientException;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\exceptions\LockedClientException;
use oauth2\exceptions\OAuth2GenericException;
use oauth2\exceptions\ScopeNotAllowedException;
use oauth2\exceptions\UnAuthorizedClientException;
use oauth2\exceptions\InvalidRedeemAuthCodeException;
use oauth2\exceptions\UnsupportedResponseTypeException;
use oauth2\exceptions\InvalidApplicationType;
use oauth2\exceptions\UriNotAllowedException;
use oauth2\models\IClient;
@ -29,6 +31,7 @@ use oauth2\services\IApiScopeService;
use ReflectionClass;
use utils\services\IAuthService;
use utils\services\ILogService;
use oauth2\services\IUserConsentService;
/**
* Class AuthorizationCodeGrantType
@ -48,16 +51,12 @@ class AuthorizationCodeGrantType extends AbstractGrantType
private $auth_strategy;
private $memento_service;
private $scope_service;
private $user_consent_service;
public function __construct(IApiScopeService $scope_service ,IClientService $client_service, ITokenService $token_service, IAuthService $auth_service, IMementoOAuth2AuthenticationRequestService $memento_service, IOAuth2AuthenticationStrategy $auth_strategy, ILogService $log_service)
{
parent::__construct($client_service, $token_service,$log_service);
$this->scope_service = $scope_service;
$this->auth_service = $auth_service;
$this->memento_service = $memento_service;
$this->auth_strategy = $auth_strategy;
}
/**
* @param OAuth2Request $request
* @return bool
*/
public function canHandle(OAuth2Request $request)
{
$reflector = new ReflectionClass($request);
@ -67,22 +66,46 @@ class AuthorizationCodeGrantType extends AbstractGrantType
($class_name == 'oauth2\requests\OAuth2TokenRequest' && $request->isValid() && $request->getGrantType() === $this->getType());
}
/**
* @param IApiScopeService $scope_service
* @param IClientService $client_service
* @param ITokenService $token_service
* @param IAuthService $auth_service
* @param IMementoOAuth2AuthenticationRequestService $memento_service
* @param IOAuth2AuthenticationStrategy $auth_strategy
* @param ILogService $log_service
* @param IUserConsentService $user_consent_service
*/
public function __construct(IApiScopeService $scope_service ,IClientService $client_service, ITokenService $token_service, IAuthService $auth_service, IMementoOAuth2AuthenticationRequestService $memento_service, IOAuth2AuthenticationStrategy $auth_strategy, ILogService $log_service, IUserConsentService $user_consent_service)
{
parent::__construct($client_service, $token_service,$log_service);
$this->user_consent_service = $user_consent_service;
$this->scope_service = $scope_service;
$this->auth_service = $auth_service;
$this->memento_service = $memento_service;
$this->auth_strategy = $auth_strategy;
}
/**
* @return mixed|string
*/
public function getType()
{
return OAuth2Protocol::OAuth2Protocol_GrantType_AuthCode;
}
/** Implements first request processing for Authorization code (Authorization Request processing)
/** Implements first request processing for Authorization code (Authorization Request processing)
* http://tools.ietf.org/html/rfc6749#section-4.1.1 and
* http://tools.ietf.org/html/rfc6749#section-4.1.2
* @param OAuth2Request $request
* @return mixed|OAuth2AuthorizationResponse
* @throws \oauth2\exceptions\InvalidClientException
* @throws \oauth2\exceptions\UnsupportedResponseTypeException
* @throws \oauth2\exceptions\AccessDeniedException
* @throws \oauth2\exceptions\LockedClientException
* @throws \oauth2\exceptions\InvalidClientException
* @throws \oauth2\exceptions\ScopeNotAllowedException
* @throws \oauth2\exceptions\OAuth2GenericException
* @throws \oauth2\exceptions\UnAuthorizedClientException
* @throws \oauth2\exceptions\InvalidApplicationType
* @throws \oauth2\exceptions\AccessDeniedException
* @throws \oauth2\exceptions\UriNotAllowedException
* @throws \oauth2\exceptions\InvalidOAuth2Request
*/
@ -102,10 +125,15 @@ class AuthorizationCodeGrantType extends AbstractGrantType
$client = $this->client_service->getClientById($client_id);
if (is_null($client))
throw new InvalidClientException(sprintf("client_id %s", $client_id));
throw new InvalidClientException($client_id, sprintf("client_id %s does not exists!", $client_id));
if (!$client->isActive() || $client->isLocked()) {
throw new LockedClientException(sprintf($client,'client id %s is locked',$client));
}
if ($client->getApplicationType() != IClient::ApplicationType_Web_App)
throw new InvalidApplicationType($client_id,sprintf("client id %s - Application type must be WEB_APPLICATION",$client_id));
if ($client->getClientType() !== IClient::ClientType_Confidential)
throw new UnAuthorizedClientException();
//check redirect uri
$redirect_uri = $request->getRedirectUri();
if (!$client->isUriAllowed($redirect_uri))
@ -123,19 +151,34 @@ class AuthorizationCodeGrantType extends AbstractGrantType
return $this->auth_strategy->doLogin($this->memento_service->getCurrentAuthorizationRequest());
}
$approval_prompt = $request->getApprovalPrompt();
$access_type = $request->getAccessType();
$user = $this->auth_service->getCurrentUser();
if(is_null($user))
throw new OAuth2GenericException("Invalid Current User");
$authorization_response = $this->auth_service->getUserAuthorizationResponse();
if ($authorization_response === IAuthService::AuthorizationResponse_None) {
$this->memento_service->saveCurrentAuthorizationRequest();
return $this->auth_strategy->doConsent($this->memento_service->getCurrentAuthorizationRequest());
} else if ($authorization_response === IAuthService::AuthorizationResponse_DenyOnce) {
throw new AccessDeniedException;
}
//check for former user consents
$former_user_consent = $this->user_consent_service->get($user->getId(),$client->getId(),$scope);
if( !(!is_null($former_user_consent) && $approval_prompt == OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto)){
if ($authorization_response == IAuthService::AuthorizationResponse_None) {
$this->memento_service->saveCurrentAuthorizationRequest();
return $this->auth_strategy->doConsent($this->memento_service->getCurrentAuthorizationRequest());
}
else if ($authorization_response == IAuthService::AuthorizationResponse_DenyOnce) {
throw new AccessDeniedException;
}
//save possitive consent
if(is_null($former_user_consent)){
$this->user_consent_service->add($user->getId(),$client->getId(),$scope);
}
}
// build current audience ...
$audience = $this->scope_service->getStrAudienceByScopeNames(explode(' ',$scope));
$auth_code = $this->token_service->createAuthorizationCode($client_id, $scope, $audience, $redirect_uri);
$auth_code = $this->token_service->createAuthorizationCode($user->getId(), $client_id, $scope, $audience, $redirect_uri,$access_type,$approval_prompt,!is_null($former_user_consent));
if (is_null($auth_code))
throw new OAuth2GenericException("Invalid Auth Code");
@ -147,6 +190,9 @@ class AuthorizationCodeGrantType extends AbstractGrantType
throw new InvalidOAuth2Request;
}
/**
* @return mixed|string
*/
public function getResponseType()
{
return OAuth2Protocol::OAuth2Protocol_ResponseType_Code;
@ -167,61 +213,66 @@ class AuthorizationCodeGrantType extends AbstractGrantType
*/
public function completeFlow(OAuth2Request $request)
{
$reflector = new ReflectionClass($request);
$class_name = $reflector->getName();
if ($class_name == 'oauth2\requests\OAuth2AccessTokenRequestAuthCode') {
try{
if ($class_name == 'oauth2\requests\OAuth2AccessTokenRequestAuthCode') {
parent::completeFlow($request);
parent::completeFlow($request);
//only confidential clients could use this grant type
if ($this->current_client->getClientType() !== IClient::ClientType_Confidential)
throw new UnAuthorizedClientException();
//only confidential clients could use this grant type
if ($this->current_client->getApplicationType() != IClient::ApplicationType_Web_App)
throw new InvalidApplicationType($this->current_client_id,sprintf("client id %s - Application type must be WEB_APPLICATION",$this->current_client_id));
$current_redirect_uri = $request->getRedirectUri();
//verify redirect uri
if (!$this->current_client->isUriAllowed($current_redirect_uri))
throw new UriNotAllowedException();
$current_redirect_uri = $request->getRedirectUri();
//verify redirect uri
if (!$this->current_client->isUriAllowed($current_redirect_uri))
throw new UriNotAllowedException(sprintf('redirect url %s is not allowed for cliend id %s',$current_redirect_uri,$this->current_client_id));
$code = $request->getCode();
// verify that the authorization code is valid
// The client MUST NOT use the authorization code
// more than once. If an authorization code is used more than
// once, the authorization server MUST deny the request and SHOULD
// revoke (when possible) all tokens previously issued based on
// that authorization code. The authorization code is bound to
// the client identifier and redirection URI.
$auth_code = $this->token_service->getAuthorizationCode($code);
// verify that the authorization code is valid
if (is_null($auth_code)) {
throw new InvalidAuthorizationCodeException();
$code = $request->getCode();
// verify that the authorization code is valid
// The client MUST NOT use the authorization code
// more than once. If an authorization code is used more than
// once, the authorization server MUST deny the request and SHOULD
// revoke (when possible) all tokens previously issued based on
// that authorization code. The authorization code is bound to
// the client identifier and redirection URI.
$auth_code = $this->token_service->getAuthorizationCode($code);
$client_id = $auth_code->getClientId();
//ensure that the authorization code was issued to the authenticated
//confidential client, or if the client is public, ensure that the
//code was issued to "client_id" in the request
if ($client_id != $this->current_client_id)
throw new InvalidRedeemAuthCodeException($this->current_client_id,sprintf("auth code was issued for another client id!."));
// ensure that the "redirect_uri" parameter is present if the
// "redirect_uri" parameter was included in the initial authorization
// and if included ensure that their values are identical.
$redirect_uri = $auth_code->getRedirectUri();
if (!empty($redirect_uri) && $redirect_uri !== $current_redirect_uri)
throw new UriNotAllowedException();
$access_token = $this->token_service->createAccessToken($auth_code, $current_redirect_uri);
$refresh_token = $access_token->getRefreshToken();
$response = new OAuth2AccessTokenResponse($access_token->getValue(), $access_token->getLifetime(), !is_null($refresh_token) ? $refresh_token->getValue() : null);
return $response;
}
$client_id = $auth_code->getClientId();
//ensure that the authorization code was issued to the authenticated
//confidential client, or if the client is public, ensure that the
//code was issued to "client_id" in the request
if ($client_id !== $this->current_client_id)
throw new UnAuthorizedClientException;
// ensure that the "redirect_uri" parameter is present if the
// "redirect_uri" parameter was included in the initial authorization
// and if included ensure that their values are identical.
$redirect_uri = $auth_code->getRedirectUri();
if (!empty($redirect_uri) && $redirect_uri !== $current_redirect_uri)
throw new UriNotAllowedException();
$access_token = $this->token_service->createAccessToken($auth_code, $current_redirect_uri);
$refresh_token = $access_token->getRefreshToken();
$response = new OAuth2AccessTokenResponse($access_token->getValue(), $access_token->getLifetime(), !is_null($refresh_token) ? $refresh_token->getValue() : null);
return $response;
}
catch(InvalidAuthorizationCodeException $ex){
$this->log_service->error($ex);
throw new InvalidRedeemAuthCodeException($this->current_client_id,$ex->getMessage());
}
throw new InvalidOAuth2Request;
}
/**
* @param OAuth2Request $request
* @return mixed|null|OAuth2AccessTokenRequestAuthCode
*/
public function buildTokenRequest(OAuth2Request $request)
{
$reflector = new ReflectionClass($request);

13
app/libs/oauth2/grant_types/ClientCredentialsGrantType.php
View File

@ -6,8 +6,8 @@ namespace oauth2\grant_types;
use oauth2\exceptions\InvalidGrantTypeException;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\exceptions\ScopeNotAllowedException;
use oauth2\exceptions\InvalidApplicationType;
use oauth2\exceptions\UnAuthorizedClientException;
use oauth2\models\IClient;
use oauth2\OAuth2Protocol;
use oauth2\requests\OAuth2AccessTokenRequestClientCredentials;
@ -80,9 +80,10 @@ class ClientCredentialsGrantType extends AbstractGrantType
/**
* @param OAuth2Request $request
* @return mixed|OAuth2AccessTokenResponse|void
* @throws \oauth2\exceptions\UnAuthorizedClientException
* @throws \oauth2\exceptions\InvalidOAuth2Request
* @throws \oauth2\exceptions\ScopeNotAllowedException
* @throws \oauth2\exceptions\InvalidOAuth2Request
* @throws \oauth2\exceptions\InvalidApplicationType
* @throws \oauth2\exceptions\InvalidGrantTypeException
*/
public function completeFlow(OAuth2Request $request)
{
@ -96,8 +97,8 @@ class ClientCredentialsGrantType extends AbstractGrantType
parent::completeFlow($request);
//only confidential clients could use this grant type
if ($this->current_client->getClientType() !== IClient::ClientType_Confidential)
throw new UnAuthorizedClientException();
if ($this->current_client->getApplicationType() != IClient::ApplicationType_Service)
throw new InvalidApplicationType($this->current_client_id,sprintf('client id %s client type must be SERVICE',$this->current_client_id));
//check requested scope
$scope = $request->getScope();
@ -108,7 +109,7 @@ class ClientCredentialsGrantType extends AbstractGrantType
$audience = $this->scope_service->getStrAudienceByScopeNames(explode(' ', $scope));
//build access token
$access_token = $this->token_service->createAccessTokenFromParams($scope, $this->current_client_id, $audience);
$access_token = $this->token_service->createAccessTokenFromParams($this->current_client_id,$scope, $audience);
$response = new OAuth2AccessTokenResponse($access_token->getValue(), $access_token->getLifetime(), null);
return $response;

70
app/libs/oauth2/grant_types/ImplicitGrantType.php
View File

@ -6,7 +6,9 @@ use oauth2\exceptions\AccessDeniedException;
use oauth2\exceptions\InvalidClientException;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\exceptions\ScopeNotAllowedException;
use oauth2\exceptions\UnAuthorizedClientException;
use oauth2\exceptions\OAuth2GenericException;
use oauth2\exceptions\InvalidApplicationType;
use oauth2\exceptions\LockedClientException;
use oauth2\exceptions\UnsupportedResponseTypeException;
use oauth2\exceptions\UriNotAllowedException;
@ -24,7 +26,7 @@ use oauth2\strategies\IOAuth2AuthenticationStrategy;
use ReflectionClass;
use utils\services\IAuthService;
use utils\services\ILogService;
use oauth2\services\IUserConsentService;
/**
* Class ImplicitGrantType
* http://tools.ietf.org/html/rfc6749#section-4.2
@ -55,13 +57,14 @@ class ImplicitGrantType extends AbstractGrantType
private $auth_strategy;
private $scope_service;
public function __construct(IApiScopeService $scope_service, IClientService $client_service, ITokenService $token_service, IAuthService $auth_service, IMementoOAuth2AuthenticationRequestService $memento_service, IOAuth2AuthenticationStrategy $auth_strategy, ILogService $log_service)
public function __construct(IApiScopeService $scope_service, IClientService $client_service, ITokenService $token_service, IAuthService $auth_service, IMementoOAuth2AuthenticationRequestService $memento_service, IOAuth2AuthenticationStrategy $auth_strategy, ILogService $log_service, IUserConsentService $user_consent_service)
{
parent::__construct($client_service, $token_service, $log_service);
$this->scope_service = $scope_service;
$this->auth_service = $auth_service;
$this->memento_service = $memento_service;
$this->auth_strategy = $auth_strategy;
$this->user_consent_service = $user_consent_service;
$this->scope_service = $scope_service;
$this->auth_service = $auth_service;
$this->memento_service = $memento_service;
$this->auth_strategy = $auth_strategy;
}
/** Given an OAuth2Request, returns true if it can handle it, false otherwise
@ -87,13 +90,15 @@ class ImplicitGrantType extends AbstractGrantType
/**
* @param OAuth2Request $request
* @return mixed|OAuth2AccessTokenFragmentResponse
* @throws \oauth2\exceptions\InvalidClientException
* @throws \oauth2\exceptions\UnsupportedResponseTypeException
* @throws \oauth2\exceptions\AccessDeniedException
* @throws \oauth2\exceptions\LockedClientException
* @throws \oauth2\exceptions\InvalidClientException
* @throws \oauth2\exceptions\ScopeNotAllowedException
* @throws \oauth2\exceptions\InvalidOAuth2Request
* @throws \oauth2\exceptions\UnAuthorizedClientException
* @throws \oauth2\exceptions\OAuth2GenericException
* @throws \oauth2\exceptions\InvalidApplicationType
* @throws \oauth2\exceptions\AccessDeniedException
* @throws \oauth2\exceptions\UriNotAllowedException
* @throws \oauth2\exceptions\InvalidOAuth2Request
*/
public function handle(OAuth2Request $request)
{
@ -109,13 +114,18 @@ class ImplicitGrantType extends AbstractGrantType
throw new UnsupportedResponseTypeException(sprintf("response_type %s", $response_type));
$client = $this->client_service->getClientById($client_id);
if (is_null($client))
throw new InvalidClientException(sprintf("client_id %s", $client_id));
throw new InvalidClientException($client_id, sprintf("client_id %s", $client_id));
if (!$client->isActive() || $client->isLocked()) {
throw new LockedClientException($client,sprintf('client id %s',$client));
}
//check client type
// only public clients could use this grant type
if ($client->getClientType() !== IClient::ClientType_Public)
throw new UnAuthorizedClientException();
if ($client->getApplicationType() != IClient::ApplicationType_JS_Client)
throw new InvalidApplicationType($client_id,sprintf('client id %s client type must be JS CLIENT',$client_id));
//check redirect uri
$redirect_uri = $request->getRedirectUri();
@ -135,19 +145,34 @@ class ImplicitGrantType extends AbstractGrantType
return $this->auth_strategy->doLogin($this->memento_service->getCurrentAuthorizationRequest());
}
$approval_prompt = $request->getApprovalPrompt();
$user = $this->auth_service->getCurrentUser();
if(is_null($user))
throw new OAuth2GenericException("Invalid Current User");
//validate authorization
//check for former user consents
$authorization_response = $this->auth_service->getUserAuthorizationResponse();
if ($authorization_response === IAuthService::AuthorizationResponse_None) {
$this->memento_service->saveCurrentAuthorizationRequest();
return $this->auth_strategy->doConsent($this->memento_service->getCurrentAuthorizationRequest());
} else if ($authorization_response === IAuthService::AuthorizationResponse_DenyOnce) {
throw new AccessDeniedException;
$former_user_consent = $this->user_consent_service->get($user->getId(),$client->getId(),$scope);
if( !(!is_null($former_user_consent) && $approval_prompt == OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto)){
if ($authorization_response == IAuthService::AuthorizationResponse_None) {
$this->memento_service->saveCurrentAuthorizationRequest();
return $this->auth_strategy->doConsent($this->memento_service->getCurrentAuthorizationRequest());
}
else if ($authorization_response == IAuthService::AuthorizationResponse_DenyOnce) {
throw new AccessDeniedException;
}
//save possitive consent
if(is_null($former_user_consent))
$this->user_consent_service->add($user->getId(),$client->getId(),$scope);
}
// build current audience ...
$audience = $this->scope_service->getStrAudienceByScopeNames(explode(' ',$scope));
//build access token
$access_token = $this->token_service->createAccessTokenFromParams($scope, $client_id, $audience);
$access_token = $this->token_service->createAccessTokenFromParams($client_id,$scope, $audience,$user->getId());
//clear saved data ...
$this->memento_service->clearCurrentRequest();
$this->auth_service->clearUserAuthorizationResponse();
@ -169,9 +194,10 @@ class ImplicitGrantType extends AbstractGrantType
return OAuth2Protocol::OAuth2Protocol_GrantType_Implicit;
}
/** builds specific Token request
/**
* @param OAuth2Request $request
* @return mixed
* @return mixed|void
* @throws \oauth2\exceptions\InvalidOAuth2Request
*/
public function buildTokenRequest(OAuth2Request $request)
{

15
app/libs/oauth2/grant_types/RefreshBearerTokenGrantType.php
View File

@ -3,7 +3,7 @@
namespace oauth2\grant_types;
use Exception;
use oauth2\models\IClient;
use oauth2\requests\OAuth2Request;
use oauth2\OAuth2Protocol;
use oauth2\services\IClientService;
@ -13,7 +13,8 @@ use oauth2\requests\OAuth2RefreshAccessTokenRequest;
use ReflectionClass;
use oauth2\exceptions\UnAuthorizedClientException;
use oauth2\exceptions\InvalidApplicationType;
use oauth2\exceptions\UseRefreshTokenException;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\exceptions\InvalidGrantTypeException;
@ -66,9 +67,10 @@ class RefreshBearerTokenGrantType extends AbstractGrantType {
* o validate the refresh token.
*
* @param OAuth2Request $request
* @return OAuth2AccessTokenResponse|void
* @throws \oauth2\exceptions\UnAuthorizedClientException
* @return mixed|OAuth2AccessTokenResponse|void
* @throws \oauth2\exceptions\UseRefreshTokenException
* @throws \oauth2\exceptions\InvalidOAuth2Request
* @throws \oauth2\exceptions\InvalidApplicationType
* @throws \oauth2\exceptions\InvalidGrantTypeException
*/
public function completeFlow(OAuth2Request $request)
@ -79,8 +81,11 @@ class RefreshBearerTokenGrantType extends AbstractGrantType {
parent::completeFlow($request);
if($this->current_client->getApplicationType()!=IClient::ApplicationType_Web_App)
throw new InvalidApplicationType($this->current_client_id,sprintf('client id %s client type must be WEB_APPLICATION',$this->current_client_id));
if(!$this->current_client->use_refresh_token)
throw new UnAuthorizedClientException("current client could not use refresh tokens");
throw new UseRefreshTokenException("current client id %s could not use refresh tokens",$this->current_client_id);
$refresh_token_value = $request->getRefreshToken();
$scope = $request->getScope();

10
app/libs/oauth2/grant_types/RevokeBearerTokenGrantType.php
View File

@ -97,7 +97,7 @@ class RevokeBearerTokenGrantType extends AbstractGrantType
//check ownership
$access_token = $this->token_service->getAccessToken($token_value);
if ($access_token->getClientId() !== $this->current_client_id)
throw new BearerTokenDisclosureAttemptException(sprintf('access token %s does not belongs to client id %s',$token_value, $this->current_client_id));
throw new BearerTokenDisclosureAttemptException($this->current_client_id,sprintf('access token %s does not belongs to client id %s',$token_value, $this->current_client_id));
$this->token_service->revokeAccessToken($token_value, false);
}
@ -107,7 +107,7 @@ class RevokeBearerTokenGrantType extends AbstractGrantType
//check ownership
$refresh_token = $this->token_service->getRefreshToken($token_value);
if ($refresh_token->getClientId() !== $this->current_client_id)
throw new BearerTokenDisclosureAttemptException(sprintf('refresh token %s does not belongs to client id %s',$token_value, $this->current_client_id));
throw new BearerTokenDisclosureAttemptException($this->current_client_id,sprintf('refresh token %s does not belongs to client id %s',$token_value, $this->current_client_id));
$this->token_service->revokeRefreshToken($token_value, false);
}
@ -126,7 +126,7 @@ class RevokeBearerTokenGrantType extends AbstractGrantType
//check ownership
$access_token = $this->token_service->getAccessToken($token_value);
if ($access_token->getClientId() !== $this->current_client_id)
throw new BearerTokenDisclosureAttemptException(sprintf('access token %s does not belongs to client id %s',$token_value, $this->current_client_id));
throw new BearerTokenDisclosureAttemptException($this->current_client_id,sprintf('access token %s does not belongs to client id %s',$token_value, $this->current_client_id));
$this->token_service->revokeAccessToken($token_value, false);
}
catch(UnAuthorizedClientException $ex1){
@ -139,14 +139,14 @@ class RevokeBearerTokenGrantType extends AbstractGrantType
//check ownership
$refresh_token = $this->token_service->getRefreshToken($token_value);
if ($refresh_token->getClientId() !== $this->current_client_id)
throw new BearerTokenDisclosureAttemptException(sprintf('refresh token %s does not belongs to client id %s',$token_value, $this->current_client_id));
throw new BearerTokenDisclosureAttemptException($this->current_client_id,sprintf('refresh token %s does not belongs to client id %s',$token_value, $this->current_client_id));
$this->token_service->revokeRefreshToken($token_value, false);
}
}
return new OAuth2TokenRevocationResponse;
}
catch(InvalidGrantTypeException $ex){
throw new BearerTokenDisclosureAttemptException($ex->getMessage());
throw new BearerTokenDisclosureAttemptException($this->current_client_id,$ex->getMessage());
}
}
throw new InvalidOAuth2Request;

22
app/libs/oauth2/grant_types/ValidateBearerTokenGrantType.php
View File

@ -2,10 +2,11 @@
namespace oauth2\grant_types;
use oauth2\exceptions\InvalidApplicationType;
use oauth2\exceptions\InvalidOAuth2Request;
use oauth2\exceptions\InvalidAccessTokenException;
use oauth2\exceptions\BearerTokenDisclosureAttemptException;
use oauth2\exceptions\UnAuthorizedClientException;
use oauth2\exceptions\LockedClientException;
use oauth2\exceptions\InvalidGrantTypeException;
use oauth2\requests\OAuth2Request;
@ -83,8 +84,9 @@ class ValidateBearerTokenGrantType extends AbstractGrantType
/**
* @param OAuth2Request $request
* @return mixed|OAuth2AccessTokenValidationResponse|void
* @throws \oauth2\exceptions\UnAuthorizedClientException
* @throws \oauth2\exceptions\InvalidOAuth2Request
* @throws \oauth2\exceptions\LockedClientException
* @throws \oauth2\exceptions\InvalidApplicationType
* @throws \oauth2\exceptions\BearerTokenDisclosureAttemptException
*/
public function completeFlow(OAuth2Request $request)
@ -104,35 +106,35 @@ class ValidateBearerTokenGrantType extends AbstractGrantType
if(!$this->current_client->isResourceServerClient()){
// if current client is not a resource server, then we could only access to our own tokens
if($access_token->getClientId()!== $this->current_client_id)
throw new BearerTokenDisclosureAttemptException(sprintf('access token %s does not belongs to client id %s',$token_value, $this->current_client_id));
throw new BearerTokenDisclosureAttemptException($this->current_client_id,sprintf('access token %s does not belongs to client id %s',$token_value, $this->current_client_id));
}
else{
// current client is a resource server, validate client type (must be confidential)
if($this->current_client->getClientType()!== IClient::ClientType_Confidential)
throw new UnAuthorizedClientException('resource server client is not of confidential type!');
throw new InvalidApplicationType($this->current_client_id,'resource server client is not of confidential type!');
//validate resource server IP address
$current_ip = IPHelper::getUserIp();
$resource_server = $this->current_client->getResourceServer();
//check if resource server is active
if(!$resource_server->active)
throw new UnAuthorizedClientException('resource server is disabled!');
throw new LockedClientException($this->current_client_id,'resource server is disabled!');
//check resource server ip address
if($current_ip !== $resource_server->ip)
throw new BearerTokenDisclosureAttemptException(sprintf('resource server ip (%s) differs from current request ip %s',$resource_server->ip,$current_ip));
throw new BearerTokenDisclosureAttemptException($this->current_client_id,sprintf('resource server ip (%s) differs from current request ip %s',$resource_server->ip,$current_ip));
// check if current ip belongs to a registered resource server audience
if(!$this->token_service->checkAccessTokenAudience($access_token,$current_ip))
throw new BearerTokenDisclosureAttemptException(sprintf('access token current audience does not match with current request ip %s', $current_ip));
throw new BearerTokenDisclosureAttemptException($this->current_client_id,sprintf('access token current audience does not match with current request ip %s', $current_ip));
}
return new OAuth2AccessTokenValidationResponse($token_value, $access_token->getScope(), $access_token->getAudience(),$access_token->getClientId(),$access_token->getRemainingLifetime());
return new OAuth2AccessTokenValidationResponse($token_value, $access_token->getScope(), $access_token->getAudience(),$access_token->getClientId(),$access_token->getRemainingLifetime(),$access_token->getUserId());
}
catch(InvalidAccessTokenException $ex1){
$this->log_service->error($ex1);
throw new BearerTokenDisclosureAttemptException($ex1->getMessage());
throw new BearerTokenDisclosureAttemptException($this->current_client_id,$ex1->getMessage());
}
catch(InvalidGrantTypeException $ex2){
$this->log_service->error($ex2);
throw new BearerTokenDisclosureAttemptException($ex2->getMessage());
throw new BearerTokenDisclosureAttemptException($this->current_client_id,$ex2->getMessage());
}
}
throw new InvalidOAuth2Request;

6
app/libs/oauth2/models/AccessToken.php
View File

@ -22,6 +22,7 @@ class AccessToken extends Token {
public static function create(AuthorizationCode $auth_code, $lifetime = 3600){
$instance = new self();
$instance->value = Rand::getString($instance->len, OAuth2Protocol::VsChar, true);
$instance->user_id = $auth_code->getUserId();
$instance->scope = $auth_code->getScope();
$instance->client_id = $auth_code->getClientId();
$instance->auth_code = $auth_code->getValue();
@ -31,11 +32,12 @@ class AccessToken extends Token {
return $instance;
}
public static function createFromParams($scope, $client_id, $audience,$lifetime){
public static function createFromParams($scope, $client_id, $audience,$user_id,$lifetime){
$instance = new self();
$instance->value = Rand::getString($instance->len,OAuth2Protocol::VsChar,true);
$instance->scope = $scope;
$instance->client_id = $client_id;
$instance->user_id = $user_id;
$instance->auth_code = null;
$instance->audience = $audience;
$instance->refresh_token = null;
@ -49,6 +51,7 @@ class AccessToken extends Token {
$instance->value = Rand::getString($instance->len,OAuth2Protocol::VsChar,true);
$instance->scope = $scope;
$instance->from_ip = $refresh_token->getFromIp();
$instance->user_id = $refresh_token->getUserId();
$instance->client_id = $refresh_token->getClientId();
$instance->auth_code = null;
$instance->refresh_token = $refresh_token;
@ -63,6 +66,7 @@ class AccessToken extends Token {
$instance->value = $value;
$instance->scope = $auth_code->getScope();
$instance->client_id = $auth_code->getClientId();
$instance->user_id = $auth_code->getUserId();
$instance->auth_code = $auth_code->getValue();
$instance->audience = $auth_code->getAudience();
$instance->from_ip = $auth_code->getFromIp();

68
app/libs/oauth2/models/AuthorizationCode.php
View File

@ -13,35 +13,64 @@ use oauth2\OAuth2Protocol;
class AuthorizationCode extends Token {
private $redirect_uri;
private $access_type;
private $approval_prompt;
private $has_previous_user_consent;
public function __construct(){
parent::__construct(64);
}
/**
* @param $user_id
* @param $client_id
* @param $scope
* @param $redirect_uri
* @param string $audience
* @param null $redirect_uri
* @param string $access_type
* @param string $approval_prompt
* @param bool $has_previous_user_consent
* @param int $lifetime
* @return AuthorizationCode
*/
public static function create($client_id, $scope, $audience='' ,$redirect_uri = null, $lifetime = 600){
public static function create($user_id, $client_id, $scope, $audience='' ,$redirect_uri = null,$access_type = OAuth2Protocol::OAuth2Protocol_AccessType_Online,$approval_prompt =OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto,$has_previous_user_consent=false, $lifetime = 600){
$instance = new self();
$instance->value = Rand::getString($instance->len, OAuth2Protocol::VsChar, true);
$instance->scope = $scope;
$instance->user_id = $user_id;
$instance->redirect_uri = $redirect_uri;
$instance->client_id = $client_id;
$instance->lifetime = $lifetime;
$instance->audience = $audience;
$instance->is_hashed = false;
$instance->from_ip = IPHelper::getUserIp();
$instance->access_type = $access_type;
$instance->approval_prompt = $approval_prompt;
$instance->has_previous_user_consent = $has_previous_user_consent;
return $instance;
}
public static function load($value, $client_id, $scope,$audience='', $redirect_uri = null, $issued = null, $lifetime = 600, $from_ip = '127.0.0.1',$is_hashed = false){
/**
* @param $value
* @param $user_id
* @param $client_id
* @param $scope
* @param string $audience
* @param null $redirect_uri
* @param null $issued
* @param int $lifetime
* @param string $from_ip
* @param string $access_type
* @param string $approval_prompt
* @param bool $has_previous_user_consent
* @param bool $is_hashed
* @return AuthorizationCode
*/
public static function load($value, $user_id, $client_id, $scope,$audience='', $redirect_uri = null, $issued = null, $lifetime = 600, $from_ip = '127.0.0.1',$access_type = OAuth2Protocol::OAuth2Protocol_AccessType_Online,$approval_prompt = OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto,$has_previous_user_consent=false,$is_hashed = false){
$instance = new self();
$instance->value = $value;
$instance->user_id = $user_id;
$instance->scope = $scope;
$instance->redirect_uri = $redirect_uri;
$instance->client_id = $client_id;
@ -50,6 +79,9 @@ class AuthorizationCode extends Token {
$instance->lifetime = $lifetime;
$instance->from_ip = $from_ip;
$instance->is_hashed = $is_hashed;
$instance->access_type = $access_type;
$instance->approval_prompt = $approval_prompt;
$instance->has_previous_user_consent = $has_previous_user_consent;
return $instance;
}
@ -58,25 +90,25 @@ class AuthorizationCode extends Token {
return $this->redirect_uri;
}
public function getAccessType(){
return $this->access_type;
}
public function getApprovalPrompt(){
return $this->approval_prompt;
}
public function getHasPreviousUserConsent(){
return $this->has_previous_user_consent;
}
public function toJSON()
{
$o = array(
'value' => $this->value,
'redirect_uri' => $this->redirect_uri,
'client_id' => $this->client_id,
'scope' => $this->scope,
);
return json_encode($o);
return '{}';
}
public function fromJSON($json)
{
$o = json_decode($json);
$this->value = $o->value;
$this->scope = $o->scope;
$this->client_id = $o->client_id;
$this->scope = $o->redirect_uri;
}
}

19
app/libs/oauth2/models/IClient.php
View File

@ -2,17 +2,24 @@
namespace oauth2\models;
/**
* Interface IClient
* @package oauth2\models
*/
interface IClient {
const ClientType_Public = 1;
const ClientType_Confidential = 2;
const ClientType_Public = 'PUBLIC';
const ClientType_Confidential = 'CONFIDENTIAL';
const ApplicationType_Web_App = 'WEB_APPLICATION';
const ApplicationType_JS_Client = 'JS_CLIENT';
const ApplicationType_Service = 'SERVICE';
public function getId();
public function getClientId();
public function getClientSecret();
public function getClientType();
public function getFriendlyClientType();
public function getApplicationType();
public function getClientAuthorizedRealms();
public function getClientScopes();
public function getClientRegisteredUris();
@ -28,5 +35,5 @@ interface IClient {
public function isActive();
public function isResourceServerClient();
public function getResourceServer();
}
public function getFriendlyApplicationType();
}

2
app/libs/oauth2/models/IOAuth2User.php
View File

@ -34,5 +34,5 @@ interface IOAuth2User {
* Is Server Administrator
* @return bool
*/
public function IsServerAdmin();
public function isOAuth2ServerAdmin();
}

12
app/libs/oauth2/models/IUserConsent.php Normal file
View File

@ -0,0 +1,12 @@
<?php
namespace oauth2\models;
/**
* Interface IUserConsent
* @package oauth2\models
*/
interface IUserConsent {
public function getScope();
public function getClient();
public function getUser();
}

4
app/libs/oauth2/models/RefreshToken.php
View File

@ -37,6 +37,7 @@ class RefreshToken extends Token {
$instance = new self();
$instance->value = Rand::getString($instance->len,OAuth2Protocol::VsChar,true);
$instance->scope = $access_token->getScope();
$instance->user_id = $access_token->getUserId();
$instance->client_id = $access_token->getClientId();
$instance->audience = $access_token->getAudience();
$instance->from_ip = IPHelper::getUserIp();
@ -50,6 +51,7 @@ class RefreshToken extends Token {
$instance->value = $params['value'];
$instance->scope = $params['scope'];
$instance->client_id = $params['client_id'];
$instance->user_id = $params['user_id'];
$instance->audience = $params['audience'];
$instance->from_ip = $params['from_ip'];
$instance->issued = $params['issued'];
@ -60,7 +62,7 @@ class RefreshToken extends Token {
public function toJSON()
{
// TODO: Implement toJSON() method.
return '{}';
}
public function fromJSON($json)

6
app/libs/oauth2/models/Token.php
View File

@ -14,6 +14,7 @@ abstract class Token
{
const DefaultByteLength = 32;
protected $value;
protected $lifetime;
protected $issued;
@ -23,6 +24,7 @@ abstract class Token
protected $audience;
protected $from_ip;
protected $is_hashed;
protected $user_id;
public function __construct($len = self::DefaultByteLength)
{
@ -66,6 +68,10 @@ abstract class Token
return $this->from_ip;
}
public function getUserId(){
return $this->user_id;
}
public function getRemainingLifetime()
{
//check is refresh token is stills alive... (ZERO is infinite lifetime)

61
app/libs/oauth2/requests/OAuth2AuthorizationRequest.php
View File

@ -25,26 +25,81 @@ class OAuth2AuthorizationRequest extends OAuth2Request {
OAuth2Protocol::OAuth2Protocol_State => OAuth2Protocol::OAuth2Protocol_State
);
/**
* @return null|string
*/
public function getResponseType(){
return $this->getParam(OAuth2Protocol::OAuth2Protocol_ResponseType);
}
/**
* Identifies the client that is making the request.
* The value passed in this parameter must exactly match the value shown in the Admin Console.
* @return null|string
*/
public function getClientId(){
return $this->getParam(OAuth2Protocol::OAuth2Protocol_ClientId);
}
/**
* One of the redirect_uri values registered
* @return null|string
*/
public function getRedirectUri(){
return $this->getParam(OAuth2Protocol::OAuth2Protocol_RedirectUri);
}
/**
* Space-delimited set of permissions that the application requests.
* @return null|string
*/
public function getScope(){
return $this->getParam(OAuth2Protocol::OAuth2Protocol_Scope);
}
/**
* Provides any state that might be useful to your application upon receipt of the response.
* The Authorization Server roundtrips this parameter, so your application receives the same value it sent.
* Possible uses include redirecting the user to the correct resource in your site, nonces, and
* cross-site-request-forgery mitigations.
* @return null|string
*/
public function getState(){
return $this->getParam(OAuth2Protocol::OAuth2Protocol_State);
}
/**
* Indicates whether the user should be re-prompted for consent. The default is auto,
* so a given user should only see the consent page for a given set of scopes the first time
* through the sequence. If the value is force, then the user sees a consent page even if they
* previously gave consent to your application for a given set of scopes.
* @return null|string
*/
public function getApprovalPrompt(){
$approval = $this->getParam(OAuth2Protocol::OAuth2Protocol_Approval_Prompt);
if(is_null($approval))
$approval = OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto;
return $approval;
}
/**
* Indicates whether your application needs to access an API when the user is not present at the browser.
* This parameter defaults to online. If your application needs to refresh access tokens when the user is
* not present at the browser, then use offline. This will result in your application obtaining a refresh
* token the first time your application exchanges an authorization code for a user.
* @return null|string
*/
public function getAccessType(){
$access_type = $this->getParam(OAuth2Protocol::OAuth2Protocol_AccessType);
if(is_null($access_type))
$access_type = OAuth2Protocol::OAuth2Protocol_AccessType_Online;
return $access_type;
}
/**
* Validates current request
* @return bool
*/
public function isValid()
{
if(is_null($this->getResponseType()))
@ -55,7 +110,11 @@ class OAuth2AuthorizationRequest extends OAuth2Request {
if(is_null($this->getRedirectUri()))
return false;
//approval_prompt
$valid_approvals = array(OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto,OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Force);
if(!in_array($this->getApprovalPrompt(),$valid_approvals)){
return false;
}
return true;
}
}

5
app/libs/oauth2/responses/OAuth2AccessTokenValidationResponse.php
View File

@ -6,7 +6,7 @@ use oauth2\OAuth2Protocol;
class OAuth2AccessTokenValidationResponse extends OAuth2DirectResponse {
public function __construct($access_token,$scope, $audience,$client_id,$expires_in)
public function __construct($access_token,$scope, $audience,$client_id,$expires_in, $user_id = null)
{
// Successful Responses: A server receiving a valid request MUST send a
// response with an HTTP status code of 200.
@ -17,5 +17,8 @@ class OAuth2AccessTokenValidationResponse extends OAuth2DirectResponse {
$this[OAuth2Protocol::OAuth2Protocol_Scope] = $scope;
$this[OAuth2Protocol::OAuth2Protocol_Audience] = $audience;
$this[OAuth2Protocol::OAuth2Protocol_AccessToken_ExpiresIn] = $expires_in;
if(!is_null($user_id)){
$this[OAuth2Protocol::OAuth2Protocol_UserId] = $user_id;
}
}
}

1
app/libs/oauth2/responses/OAuth2IndirectErrorResponse.php
View File

@ -3,7 +3,6 @@
namespace oauth2\responses;
use oauth2\OAuth2Protocol;
use openid\responses\OpenIdIndirectResponse;
class OAuth2IndirectErrorResponse extends OAuth2IndirectResponse {

5
app/libs/oauth2/services/IApiEndpointService.php
View File

@ -20,12 +20,13 @@ interface IApiEndpointService {
public function get($id);
/**
* @param int $page_size
* @param int $page_nbr
* @param int $page_size
* @param array $filters
* @param array $fields
* @return mixed
*/
public function getAll($page_nbr=1,$page_size=10,array $filters);
public function getAll($page_nbr=1,$page_size=10,array $filters=array(),array $fields=array('*'));
/**

17
app/libs/oauth2/services/IApiScopeService.php
View File

@ -8,8 +8,6 @@ use oauth2\models\IApiScope;
* @package oauth2\services
*/
interface IApiScopeService {
/**
* gets an api scope by id
* @param $id id of api scope
@ -18,13 +16,13 @@ interface IApiScopeService {
public function get($id);
/**
* Gets a paginated list of api scopes
* @param int $page_size
* @param int $page_nbr
* @param int $page_size
* @param array $filters
* @param array $fields
* @return mixed
*/
public function getAll($page_nbr=1,$page_size=10, array $filters);
public function getAll($page_nbr=1,$page_size=10, array $filters=array(), array $fields=array('*'));
/**
* @param IApiScope $scope
@ -95,7 +93,16 @@ interface IApiScopeService {
*/
public function getAudienceByScopeNames(array $scopes_names);
/**
* gets audience string for a given scopes sets (resource servers)
* @param array $scopes_names
* @return mixed
*/
public function getStrAudienceByScopeNames(array $scopes_names);
/**
* gets a list of default scopes
* @return mixed
*/
public function getDefaultScopes();
}

3
app/libs/oauth2/services/IApiService.php
View File

@ -58,8 +58,9 @@ interface IApiService {
* @param int $page_nbr
* @param int $page_size
* @param array $filters
* @param array $fields
* @return mixed
*/
public function getAll($page_nbr=1,$page_size=10,array $filters);
public function getAll($page_nbr=1,$page_size=10,array $filters=array(),array $fields=array('*'));
}

17
app/libs/oauth2/services/IClientService.php
View File

@ -3,7 +3,6 @@
namespace oauth2\services;
use oauth2\models\IClient;
/**
* Interface IClientService
* @package oauth2\services
@ -32,14 +31,14 @@ interface IClientService {
/**
* Creates a new client
* @param $client_type
* @param $application_type
* @param $user_id
* @param $app_name
* @param $app_description
* @param string $app_logo
* @return IClient
*/
public function addClient($client_type, $user_id, $app_name, $app_description, $app_logo='');
public function addClient($application_type, $user_id, $app_name, $app_description, $app_logo='');
public function addClientScope($id,$scope_id);
public function deleteClientScope($id,$scope_id);
@ -74,6 +73,13 @@ interface IClientService {
*/
public function lockClient($client_id);
/**
* unLock a client application by client id
* @param $client_id client id
* @return mixed
*/
public function unlockClient($client_id);
/**
* Activate/Deactivate given client
* @param $id
@ -115,13 +121,13 @@ interface IClientService {
public function get($id);
/**
* Gets a paginated list of clients
* @param int $page_nbr
* @param int $page_size
* @param array $filters
* @param array $fields
* @return mixed
*/
public function getAll($page_nbr=1,$page_size=10,array $filters);
public function getAll($page_nbr=1,$page_size=10,array $filters=array(), array $fields=array('*'));
/**
* @param IClient $client
@ -136,4 +142,5 @@ interface IClientService {
* @throws \oauth2\exceptions\InvalidClientException
*/
public function update($id, array $params);
}

2
app/libs/oauth2/services/IResourceServerService.php
View File

@ -22,7 +22,7 @@ interface IResourceServerService {
* @param int $page_nbr
* @return mixed
*/
public function getAll($page_nbr=1,$page_size=10);
public function getAll($page_nbr=1,$page_size=10,array $filters = array(), array $fields=array('*'));
/**
* @param IResourceServer $resource_server

22
app/libs/oauth2/services/ITokenService.php
View File

@ -5,6 +5,7 @@ namespace oauth2\services;
use oauth2\models\AuthorizationCode;
use oauth2\models\AccessToken;
use oauth2\models\RefreshToken;
use oauth2\OAuth2Protocol;
/**
* Interface ITokenService
@ -14,14 +15,19 @@ use oauth2\models\RefreshToken;
*/
interface ITokenService {
/** Creates a brand new authorization code
/**
* Creates a brand new authorization code
* @param $user_id
* @param $client_id
* @param $scope
* @param string $audience
* @param null $redirect_uri
* @return mixed
* @param string $access_type
* @param string $approval_prompt
* @param bool $has_previous_user_consent
* @return AuthorizationCode
*/
public function createAuthorizationCode($client_id, $scope, $audience='' , $redirect_uri = null);
public function createAuthorizationCode($user_id, $client_id, $scope, $audience='' , $redirect_uri = null,$access_type = OAuth2Protocol::OAuth2Protocol_AccessType_Online,$approval_prompt = OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto, $has_previous_user_consent=false);
/**
@ -43,12 +49,13 @@ interface ITokenService {
/**
* Create a brand new Access Token by params
* @param $scope
* @param $client_id
* @param $scope
* @param $audience
* @return mixed
* @param null $user_id
* @return AccessToken
*/
public function createAccessTokenFromParams($scope, $client_id, $audience);
public function createAccessTokenFromParams($client_id,$scope, $audience,$user_id=null);
/** Creates a new Access Token from a given refresh token, and invalidate former associated
@ -113,6 +120,9 @@ interface ITokenService {
public function getRefreshTokenByClient($client_id);
public function getAccessTokenByUserId($user_id);
public function getRefreshTokeByUserId($user_id);
/**
* Revokes a given access token

27
app/libs/oauth2/services/IUserConsentService.php Normal file
View File

@ -0,0 +1,27 @@
<?php
namespace oauth2\services;
use oauth2\models\IUserConsent;
/**
* Interface IUserConsentService
* @package oauth2\services
*/
interface IUserConsentService {
/**
* @param $user_id
* @param $client_id
* @param $scopes
* @return IUserConsent
*/
public function get($user_id,$client_id,$scopes);
/**
* @param $user_id
* @param $client_id
* @param $scopes
* @return IUserConsent
*/
public function add($user_id,$client_id,$scopes);
}

1
app/libs/oauth2/services/OAuth2ServiceCatalog.php
View File

@ -11,4 +11,5 @@ class OAuth2ServiceCatalog {
const ResourceServerService = 'oauth2\\services\\IResourceServerService';
const ApiService = 'oauth2\\services\\IApiService';
const ApiEndpointService = 'oauth2\\services\\IApiEndpointService';
const UserConsentService = 'oauth2\\services\\IUserConsentService';
}

3
app/libs/oauth2/strategies/OAuth2IndirectErrorResponseFactoryMethod.php
View File

@ -15,7 +15,8 @@ class OAuth2IndirectErrorResponseFactoryMethod {
* @param OAuth2Request $request
* @param $error
* @param $return_url
* @return OAuth2IndirectResponse
* @return null|OAuth2IndirectErrorResponse|OAuth2IndirectFragmentErrorResponse
* @throws Exception
*/
public static function buildResponse(OAuth2Request $request = null,$error, $return_url){
$response = null;

2
app/libs/openid/IOpenIdProtocol.php
View File

@ -16,6 +16,8 @@ interface IOpenIdProtocol
* With OpenID 2.0, the relying party discovers the OpenID provider URL by requesting
* the XRDS document (also called the Yadis document) with the content type application/xrds+xml;
* this document may be available at the target URL and is always available for a target XRI.
* @param $mode
* @param null $canonical_id
* @return mixed
*/
public function getXRDSDiscovery($mode, $canonical_id = null);

1
app/libs/openid/extensions/OpenIdExtension.php
View File

@ -13,7 +13,6 @@ use openid\requests\contexts\RequestContext;
use openid\requests\OpenIdRequest;
use openid\responses\contexts\ResponseContext;
use openid\responses\OpenIdResponse;
use openid\services\OpenIdServiceCatalog;
use utils\services\Registry;
use utils\services\UtilsServiceCatalog;

63
app/libs/openid/extensions/implementations/OpenIdOAuth2Extension.php
View File

@ -47,6 +47,12 @@ class OpenIdOAuth2Extension extends OpenIdExtension
private $client_service;
private $scope_service;
/**
* @param $name
* @param $namespace
* @param $view
* @param $description
*/
public function __construct($name, $namespace, $view, $description)
{
parent::__construct($name, $namespace, $view, $description);
@ -57,36 +63,63 @@ class OpenIdOAuth2Extension extends OpenIdExtension
$this->scope_service = Registry::getInstance()->get(OAuth2ServiceCatalog::ScopeService);
}
/**
* @param $param
* @param string $separator
* @return string
*/
public static function param($param, $separator = '.')
{
return OpenIdProtocol::OpenIdPrefix . $separator . self::Prefix . $separator . $param;
}
/**
* @param string $separator
* @return string
*/
public static function paramNamespace($separator = '.')
{
return OpenIdProtocol::OpenIdPrefix . $separator . OpenIdProtocol::OpenIDProtocol_NS . $separator . self::Prefix;
}
/**
* @param OpenIdRequest $request
* @param RequestContext $context
* @return mixed|void
*/
public function parseRequest(OpenIdRequest $request, RequestContext $context)
{
try {
$oauth2_request = new OpenIdOAuth2Request($request->getMessage());
if (!$oauth2_request->isValid()) return;
if (!$oauth2_request->isValid()){
$this->log_service->warning_msg('OpenIdOAuth2Extension: Invalid OAuth2 Request');
return;
}
$scopes = $oauth2_request->getScope();
$client_id = $oauth2_request->getClientId();
$client = $this->client_service->getClientById($client_id);
// do some validations to allow show the oauth2 sub view...
if(is_null($client)) return;
if(is_null($client)){
$this->log_service->warning_msg(sprintf("OpenIdOAuth2Extension: client id %s not found!.",$client_id));
return;
}
//check is redirect uri is allowed for client
$redirect_uri = $request->getParam(OpenIdProtocol::OpenIDProtocol_ReturnTo);
if (!$client->isUriAllowed($redirect_uri)) return;
if (!$client->isUriAllowed($redirect_uri)){
$this->log_service->warning_msg(sprintf("OpenIdOAuth2Extension: url %s not allowed for client id %s ",$redirect_uri,$client_id));
return;
}
//check if requested client is allowed to use this scopes
if(!$client->isScopeAllowed($scopes)) return;
if(!$client->isScopeAllowed($scopes)){
$this->log_service->warning_msg(sprintf("OpenIdOAuth2Extension: scope %s not allowed for client id %s ",$scopes,$client_id));
return;
}
$scopes = explode(' ', $scopes);
//get scopes entities
@ -112,6 +145,12 @@ class OpenIdOAuth2Extension extends OpenIdExtension
}
}
/**
* @param OpenIdRequest $request
* @param OpenIdResponse $response
* @param ResponseContext $context
* @return mixed|void
*/
public function prepareResponse(OpenIdRequest $request, OpenIdResponse $response, ResponseContext $context)
{
try{
@ -120,11 +159,13 @@ class OpenIdOAuth2Extension extends OpenIdExtension
//get auth code
$oauth2_msg = new OAuth2Message(
array(
OAuth2Protocol::OAuth2Protocol_ClientId => $oauth2_request->getClientId(),
OAuth2Protocol::OAuth2Protocol_Scope => $oauth2_request->getScope(),
OAuth2Protocol::OAuth2Protocol_RedirectUri => $request->getParam(OpenIdProtocol::OpenIDProtocol_ReturnTo),
OAuth2Protocol::OAuth2Protocol_State => $oauth2_request->getState(),
OAuth2Protocol::OAuth2Protocol_ResponseType => OAuth2Protocol::OAuth2Protocol_ResponseType_Code
OAuth2Protocol::OAuth2Protocol_ClientId => $oauth2_request->getClientId(),
OAuth2Protocol::OAuth2Protocol_Scope => $oauth2_request->getScope(),
OAuth2Protocol::OAuth2Protocol_RedirectUri => $request->getParam(OpenIdProtocol::OpenIDProtocol_ReturnTo),
OAuth2Protocol::OAuth2Protocol_State => $oauth2_request->getState(),
OAuth2Protocol::OAuth2Protocol_Approval_Prompt => $oauth2_request->getApprovalPrompt(),
OAuth2Protocol::OAuth2Protocol_AccessType => $oauth2_request->getAccessType(),
OAuth2Protocol::OAuth2Protocol_ResponseType => OAuth2Protocol::OAuth2Protocol_ResponseType_Code
)
);
// do oauth2 Authorization Code Grant 1st step (get auth code to exchange for an access token)
@ -163,6 +204,10 @@ class OpenIdOAuth2Extension extends OpenIdExtension
}
}
/**
* @param OpenIdRequest $request
* @return array|mixed
*/
public function getTrustedData(OpenIdRequest $request)
{
$data = array();

44
app/libs/openid/extensions/implementations/OpenIdOAuth2Request.php
View File

@ -8,13 +8,24 @@ use openid\OpenIdMessage;
use openid\requests\OpenIdRequest;
use oauth2\OAuth2Protocol;
/**
* Class OpenIdOAuth2Request
* @package openid\extensions\implementations
*/
class OpenIdOAuth2Request extends OpenIdRequest {
/**
* @param OpenIdMessage $message
*/
public function __construct(OpenIdMessage $message)
{
parent::__construct($message);
}
/**
* @return bool
* @throws \openid\exceptions\InvalidOpenIdMessageException
*/
public function isValid()
{
//check identifier
@ -33,16 +44,49 @@ class OpenIdOAuth2Request extends OpenIdRequest {
return false;
}
/**
* Indicates whether the user should be re-prompted for consent. The default is auto,
* so a given user should only see the consent page for a given set of scopes the first time
* through the sequence. If the value is force, then the user sees a consent page even if they
* previously gave consent to your application for a given set of scopes.
* @return null|string
*/
public function getApprovalPrompt(){
return isset($this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_Approval_Prompt, '_')])?
$this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_Approval_Prompt, '_')]:OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto;
}
/**
* Indicates whether your application needs to access an API when the user is not present at the browser.
* This parameter defaults to online. If your application needs to refresh access tokens when the user is
* not present at the browser, then use offline. This will result in your application obtaining a refresh
* token the first time your application exchanges an authorization code for a user.
* @return null|string
*/
public function getAccessType(){
return isset($this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_AccessType, '_')])?
$this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_AccessType, '_')]:OAuth2Protocol::OAuth2Protocol_AccessType_Online;
}
/**
* @return null|string
*/
public function getClientId(){
return isset($this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_ClientId, '_')])?
$this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_ClientId, '_')]:null;
}
/**
* @return null|string
*/
public function getScope(){
return isset($this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_Scope, '_')])?
$this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_Scope, '_')]:null;
}
/**
* @return null|string
*/
public function getState(){
return isset($this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_State, '_')])?
$this->message[OpenIdOAuth2Extension::param(OAuth2Protocol::OAuth2Protocol_State, '_')]:null;

1
app/libs/openid/extensions/implementations/OpenIdSREGExtension.php
View File

@ -9,7 +9,6 @@ use openid\requests\contexts\RequestContext;
use openid\requests\OpenIdRequest;
use openid\responses\contexts\ResponseContext;
use openid\responses\OpenIdResponse;
use openid\services\OpenIdServiceCatalog;
use utils\services\Registry;
use utils\services\UtilsServiceCatalog;
use Exception;

1
app/libs/openid/extensions/implementations/OpenIdSREGRequest.php
View File

@ -11,7 +11,6 @@ namespace openid\extensions\implementations;
use Exception;
use openid\OpenIdMessage;
use openid\requests\OpenIdRequest;
use openid\services\OpenIdServiceCatalog;
use utils\services\Registry;
use utils\services\UtilsServiceCatalog;

4
app/libs/openid/handlers/factories/SessionAssociationRequestFactory.php
View File

@ -20,8 +20,8 @@ class SessionAssociationRequestFactory
}
/**
* @param OpenIdAssociationSessionRequest $message
* @return null|ISessionAssociationStrategy
* @param OpenIdMessage $message
* @return null|SessionAssociationDHStrategy|SessionAssociationUnencryptedStrategy
*/
public static function buildSessionAssociationStrategy(OpenIdMessage $message)
{

1
app/libs/openid/helpers/OpenIdUriHelper.php
View File

@ -323,6 +323,7 @@ class OpenIdUriHelper
*
* @static
* @param string $trust_root The trust root to check
* @throws \openid\exceptions\InvalidTLDException
* @return bool $sanity Whether the trust root looks OK
*/
private static function _isSane($trust_root)

15
app/libs/openid/model/IOpenIdUser.php
View File

@ -1,8 +1,21 @@
<?php
namespace openid\model;
/**
* Interface IOpenIdUser
* @package openid\model
*/
interface IOpenIdUser {
/**
*
*/
const OpenstackIdServerAdminGroup = 'openstackid-server-admin';
/**
* @return bool
*/
public function isOpenstackIdAdmin();
public function getId();
public function getIdentifier();
public function getEmail();

1
app/libs/openid/model/OpenIdNonce.php
View File

@ -17,6 +17,7 @@ class OpenIdNonce
/**
* @param $nonce_str
* @throws InvalidNonce
*/
public function __construct($nonce_str)
{

22
app/libs/openid/requests/OpenIdAuthenticationRequest.php
View File

@ -9,11 +9,12 @@ use openid\OpenIdProtocol;
use openid\services\OpenIdServiceCatalog;
use utils\services\Registry;
use Exception;
use utils\services\UtilsServiceCatalog;
class OpenIdAuthenticationRequest extends OpenIdRequest
{
public function __construct(OpenIdMessage $message)
{
parent::__construct($message);
@ -33,6 +34,7 @@ class OpenIdAuthenticationRequest extends OpenIdRequest
public function isValid()
{
$res = true;
try{
$return_to = $this->getReturnTo();
$claimed_id = $this->getClaimedId();
@ -42,19 +44,29 @@ class OpenIdAuthenticationRequest extends OpenIdRequest
$valid_realm = OpenIdUriHelper::checkRealm($realm, $return_to);
$valid_id = $this->isValidIdentifier($claimed_id, $identity);
return !empty($return_to)
$res = !empty($return_to)
&& !empty($realm)
&& $valid_realm
&& !empty($claimed_id)
&& !empty($identity)
&& $valid_id
&& !empty($mode) && ($mode == OpenIdProtocol::ImmediateMode || $mode == OpenIdProtocol::SetupMode);
if(!$res){
$msg = sprintf("return_to is empty? %b.",empty($return_to)).PHP_EOL;
$msg = $msg.sprintf("realm is empty? %b.",empty($realm)).PHP_EOL;
$msg = $msg.sprintf("claimed_id is empty? %b.",empty($claimed_id)).PHP_EOL;
$msg = $msg.sprintf("identity is empty? %b.",empty($identity)).PHP_EOL;
$msg = $msg.sprintf("mode is empty? %b.",empty($mode)).PHP_EOL;
$msg = $msg.sprintf("is valid realm? %b.",$valid_realm).PHP_EOL;
$msg = $msg.sprintf("is valid identifier? %b.",$valid_id).PHP_EOL;
$this->log_service->warning_msg($msg);
}
}
catch(Exception $ex){
$log = Registry::getInstance()->get(UtilsServiceCatalog::LogService);
$log->error($ex);
return false;
$this->log_service->error($ex);
$res = false;
}
return $res;
}
public function getReturnTo()

6
app/libs/openid/requests/OpenIdRequest.php
View File

@ -3,15 +3,19 @@
namespace openid\requests;
use openid\OpenIdMessage;
use utils\services\Registry;
use utils\services\UtilsServiceCatalog;
abstract class OpenIdRequest
{
protected $message;
protected $log_service;
public function __construct(OpenIdMessage $message)
{
$this->message = $message;
$this->message = $message;
$this->log_service = Registry::getInstance()->get(UtilsServiceCatalog::LogService);
}
public function getMessage()

4
app/libs/openid/services/INonceService.php
View File

@ -23,9 +23,9 @@ interface INonceService
* To prevent replay attacks, the OP MUST NOT issue more than one verification response
* for each authentication response it had previously issued. An authentication response
* and its matching verification request may be identified by their "openid.response_nonce" values.
* @param $nonce
* @param OpenIdNonce $nonce
* @param $signature
* @throws ReplayAttackException
* @param $realm
* @return mixed
*/
public function markNonceAsInvalid(OpenIdNonce $nonce, $signature, $realm);

4
app/libs/openid/services/IServerConfigurationService.php
View File

@ -13,11 +13,9 @@ interface IServerConfigurationService
public function getOPEndpointURL();
/**
*
* @param $identifier
* @return mixed
*/
public function getUserIdentityEndpointURL($identifier);
}

5
app/libs/openid/services/ITrustedSitesService.php
View File

@ -13,8 +13,9 @@ interface ITrustedSitesService
/**
* @param IOpenIdUser $user
* @param $return_to
* @return \array
* @param $realm
* @param array $data
* @return mixed
*/
public function getTrustedSites(IOpenIdUser $user, $realm, $data = array());

50
app/libs/openid/services/IUserService.php
View File

@ -2,23 +2,71 @@
namespace openid\services;
/**
* Interface IUserService
* @package openid\services
*/
interface IUserService
{
/**
* @param $id
* @param $proposed_username
* @return mixed
*/
public function associateUser($id, $proposed_username);
/**
* @param $identifier
* @return mixed
*/
public function updateLastLoginDate($identifier);
/**
* @param $identifier
* @return mixed
*/
public function updateFailedLoginAttempts($identifier);
/**
* @param $identifier
* @return mixed
*/
public function lockUser($identifier);
/**
* @param $identifier
* @return mixed
*/
public function unlockUser($identifier);
/**
* @param $identifier
* @return mixed
*/
public function activateUser($identifier);
/**
* @param $identifier
* @return mixed
*/
public function deActivateUser($identifier);
/**
* @param $identifier
* @param $show_pic
* @param $show_full_name
* @param $show_email
* @return mixed
*/
public function saveProfileInfo($identifier, $show_pic, $show_full_name, $show_email);
/**
* @param int $page_nbr
* @param int $page_size
* @param array $filters
* @param array $fields
* @return mixed
*/
public function getAll($page_nbr=1,$page_size=10,array $filters=array(), array $fields=array('*'));
}

11
app/models/BaseModelEloquent.php → app/libs/utils/model/BaseModelEloquent.php
View File

@ -1,8 +1,19 @@
<?php
namespace utils\model;
use Eloquent;
/**
* Class BaseModelEloquent
* @package utils\model
*/
abstract class BaseModelEloquent extends Eloquent {
/**
* @param $query
* @param array $filters
* @return mixed
*/
public function scopeFilter($query, array $filters){
foreach($filters as $filter){
$query = $query->where($filter['name'],$filter['op'], $filter['value']);

16
app/libs/utils/services/IBannedIPService.php Normal file
View File

@ -0,0 +1,16 @@
<?php
namespace utils\services;
/**
* Interface IBannedIPService
* @package utils\services
*/
interface IBannedIPService {
public function add($initial_hits, $exception_type);
public function delete($ip);
public function get($id);
public function getByIP($ip);
public function getByPage($page_nbr=1,$page_size=10,array $filters=array(),array $fields=array('*'));
}

4
app/libs/utils/services/IServerConfigurationService.php
View File

@ -10,4 +10,8 @@ interface IServerConfigurationService {
* @return mixed
*/
public function getConfigValue($key);
public function getAllConfigValues();
public function saveConfigValue($key,$value);
}

1
app/libs/utils/services/UtilsServiceCatalog.php
View File

@ -10,4 +10,5 @@ class UtilsServiceCatalog {
const LockManagerService = 'utils\\services\\ILockManagerService';
const ServerConfigurationService = 'utils\\services\\IServerConfigurationService';
const CacheService = 'utils\\services\\ICacheService';
const BannedIpService = 'utils\\services\\IBannedIPService';
}

8
app/models/BannedIP.php
View File

@ -1,6 +1,12 @@
<?php
use utils\model\BaseModelEloquent;
class BannedIP extends Eloquent
class BannedIP extends BaseModelEloquent
{
protected $table = 'banned_ips';
public function user()
{
return $this->belongsTo('auth\User');
}
}

3
app/models/Member.php
View File

@ -1,11 +1,12 @@
<?php
use auth\AuthHelper;
use utils\model\BaseModelEloquent;
/**
* Class Member
*/
class Member extends Eloquent
class Member extends BaseModelEloquent
{
protected $primaryKey ='ID';

4
app/models/MemberPhoto.php
View File

@ -1,6 +1,8 @@
<?php
class MemberPhoto extends Eloquent
use utils\model\BaseModelEloquent;
class MemberPhoto extends BaseModelEloquent
{
protected $table = 'File';
//external os members db (SS)

Some files were not shown because too many files have changed in this diff Show More