OIDC - OpenId Connect Implementation
DB refactoring Client Admin Rectoring upgraded layout to use latest bootstrap Added bower support Added Behat support OIDC Discovery suuport added OIDC JWKS endpoint added Refactored OpenId workflows Refactored OAuth2 workflows Server Keys Admin Added Authorization Code Flow refactored to support OIDC Allow native apps to use auth code grant Allow native apps to use "TokenEndpoint_AuthMethod_PrivateKeyJwt" Filter on UI public/private keys algs based on the key usage Set as default auth protocol for private clients "client_secret_basic" Added feature client_secret_expired Filtered content of Token Endpoint Authorization Signed Algorithm based on Token Endpoint Authorization Method Implemented OAuth 2.0 Multiple Response Type Encoding Practices Implemented OAuth 2.0 Form Post Response Mode Implicit Flow refactored to support OIDC UserInfo Endpoint (OIDC/Claims) Hybrid Flow OIDC Session Management Change-Id: If3d38666f3f7f56bd8c94b9df2e6340554512612
This commit is contained in:
parent
1ee300d9bb
commit
ea98eff8cf
4
.bowerrc
Normal file
4
.bowerrc
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
{
|
||||||
|
"directory": "public/bower_assets",
|
||||||
|
"interactive": false
|
||||||
|
}
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -21,3 +21,5 @@ ChangeLog
|
|||||||
doc/build
|
doc/build
|
||||||
*.egg
|
*.egg
|
||||||
*.egg-info
|
*.egg-info
|
||||||
|
public/bower_assets
|
||||||
|
public/bower_assets/*
|
@ -26,7 +26,7 @@ return array(
|
|||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'url' => 'http://localhost',
|
'url' => '',
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
@ -65,7 +65,7 @@ return array(
|
|||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'key' => '2mikPhsqqnw9qfEtp3XxHmtkZqoTTvWl',
|
'key' => '',
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
@ -1,124 +0,0 @@
|
|||||||
<?php
|
|
||||||
|
|
||||||
return array(
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Mail Driver
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Laravel supports both SMTP and PHP's "mail" function as drivers for the
|
|
||||||
| sending of e-mail. You may specify which one you're using throughout
|
|
||||||
| your application here. By default, Laravel is setup for SMTP mail.
|
|
||||||
|
|
|
||||||
| Supported: "smtp", "mail", "sendmail"
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'driver' => 'mail',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Host Address
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Here you may provide the host address of the SMTP server used by your
|
|
||||||
| applications. A default option is provided that is compatible with
|
|
||||||
| the Postmark mail service, which will provide reliable delivery.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'host' => 'smtp.mailgun.org',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Host Port
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| This is the SMTP port used by your application to delivery e-mails to
|
|
||||||
| users of your application. Like the host we have set this value to
|
|
||||||
| stay compatible with the Postmark e-mail application by default.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'port' => 587,
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Global "From" Address
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| You may wish for all e-mails sent by your application to be sent from
|
|
||||||
| the same address. Here, you may specify a name and address that is
|
|
||||||
| used globally for all e-mails that are sent by your application.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'from' => array('address' => null, 'name' => null),
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| E-Mail Encryption Protocol
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Here you may specify the encryption protocol that should be used when
|
|
||||||
| the application send e-mail messages. A sensible default using the
|
|
||||||
| transport layer security protocol should provide great security.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'encryption' => 'tls',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Server Username
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| If your SMTP server requires a username for authentication, you should
|
|
||||||
| set it here. This will get used to authenticate with your server on
|
|
||||||
| connection. You may also set the "password" value below this one.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'username' => null,
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Server Password
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Here you may set the password required by your SMTP server to send out
|
|
||||||
| messages from your application. This will be given to the server on
|
|
||||||
| connection so that the application will be able to send messages.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'password' => null,
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Sendmail System Path
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| When using the "sendmail" driver to send e-mails, we will need to know
|
|
||||||
| the path to where Sendmail lives on this server. A default path has
|
|
||||||
| been provided here, which will work well on most of your systems.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'sendmail' => '/usr/sbin/sendmail -bs',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Mail "Pretend"
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| When this option is enabled, e-mail will not actually be sent over the
|
|
||||||
| web and will instead be written to your application's logs files so
|
|
||||||
| you may inspect the message. This is great for local development.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'pretend' => true,
|
|
||||||
|
|
||||||
);
|
|
@ -1,187 +0,0 @@
|
|||||||
<?php
|
|
||||||
|
|
||||||
return array(
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Application Debug Mode
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| When your application is in debug mode, detailed error messages with
|
|
||||||
| stack traces will be shown on every error that occurs within your
|
|
||||||
| application. If disabled, a simple generic error page is shown.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'debug' => true,
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Application URL
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| This URL is used by the console to properly generate URLs when using
|
|
||||||
| the Artisan command line tool. You should set this to the root of
|
|
||||||
| your application so that it is used when running Artisan tasks.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'url' => 'https://local.openstackid.openstack.org',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Application Timezone
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Here you may specify the default timezone for your application, which
|
|
||||||
| will be used by the PHP date and date-time functions. We have gone
|
|
||||||
| ahead and set this to a sensible default for you out of the box.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'timezone' => 'UTC',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Application Locale Configuration
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| The application locale determines the default locale that will be used
|
|
||||||
| by the translation service provider. You are free to set this value
|
|
||||||
| to any of the locales which will be supported by the application.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'locale' => 'en',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Encryption Key
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| This key is used by the Illuminate encrypter service and should be set
|
|
||||||
| to a random, 32 character string, otherwise these encrypted strings
|
|
||||||
| will not be safe. Please do this before deploying an application!
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'key' => '2mikPhsqqnw9qfEtp3XxHmtkZqoTTvWl',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Autoloaded Service Providers
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| The service providers listed here will be automatically loaded on the
|
|
||||||
| request to your application. Feel free to add your own services to
|
|
||||||
| this array to grant expanded functionality to your applications.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'providers' => array(
|
|
||||||
'Illuminate\Foundation\Providers\ArtisanServiceProvider',
|
|
||||||
'Illuminate\Auth\AuthServiceProvider',
|
|
||||||
'Illuminate\Cache\CacheServiceProvider',
|
|
||||||
'Illuminate\Session\CommandsServiceProvider',
|
|
||||||
'Illuminate\Foundation\Providers\ConsoleSupportServiceProvider',
|
|
||||||
'Illuminate\Routing\ControllerServiceProvider',
|
|
||||||
'Illuminate\Cookie\CookieServiceProvider',
|
|
||||||
'Illuminate\Database\DatabaseServiceProvider',
|
|
||||||
'Illuminate\Encryption\EncryptionServiceProvider',
|
|
||||||
'Illuminate\Filesystem\FilesystemServiceProvider',
|
|
||||||
'Illuminate\Hashing\HashServiceProvider',
|
|
||||||
'Illuminate\Html\HtmlServiceProvider',
|
|
||||||
'Illuminate\Log\LogServiceProvider',
|
|
||||||
'Illuminate\Mail\MailServiceProvider',
|
|
||||||
'Illuminate\Database\MigrationServiceProvider',
|
|
||||||
'Illuminate\Pagination\PaginationServiceProvider',
|
|
||||||
'Illuminate\Queue\QueueServiceProvider',
|
|
||||||
'Illuminate\Remote\RemoteServiceProvider',
|
|
||||||
'Illuminate\Auth\Reminders\ReminderServiceProvider',
|
|
||||||
'Illuminate\Database\SeedServiceProvider',
|
|
||||||
'Illuminate\Session\SessionServiceProvider',
|
|
||||||
'Illuminate\Translation\TranslationServiceProvider',
|
|
||||||
'Illuminate\Validation\ValidationServiceProvider',
|
|
||||||
'Illuminate\View\ViewServiceProvider',
|
|
||||||
'Illuminate\Workbench\WorkbenchServiceProvider',
|
|
||||||
'Illuminate\Redis\RedisServiceProvider',
|
|
||||||
'services\utils\UtilsProvider',
|
|
||||||
'repositories\RepositoriesProvider',
|
|
||||||
'services\oauth2\OAuth2ServiceProvider',
|
|
||||||
'services\openid\OpenIdProvider',
|
|
||||||
'auth\AuthenticationServiceProvider',
|
|
||||||
'services\ServicesProvider',
|
|
||||||
'strategies\StrategyProvider',
|
|
||||||
'oauth2\OAuth2ServiceProvider',
|
|
||||||
'openid\OpenIdServiceProvider',
|
|
||||||
'Greggilbert\Recaptcha\RecaptchaServiceProvider',
|
|
||||||
'services\oauth2\CORS\CORSProvider',
|
|
||||||
),
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Service Provider Manifest
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| The service provider manifest is used by Laravel to lazy load service
|
|
||||||
| providers which are not needed for each request, as well to keep a
|
|
||||||
| list of all of the services. Here, you may set its storage spot.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'manifest' => storage_path().'/meta',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Class Aliases
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| This array of class aliases will be registered when this application
|
|
||||||
| is started. However, feel free to register as many as you wish as
|
|
||||||
| the aliases are "lazy" loaded so they don't hinder performance.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'aliases' => array(
|
|
||||||
|
|
||||||
'App' => 'Illuminate\Support\Facades\App',
|
|
||||||
'Artisan' => 'Illuminate\Support\Facades\Artisan',
|
|
||||||
'Auth' => 'Illuminate\Support\Facades\Auth',
|
|
||||||
'Blade' => 'Illuminate\Support\Facades\Blade',
|
|
||||||
'Cache' => 'Illuminate\Support\Facades\Cache',
|
|
||||||
'ClassLoader' => 'Illuminate\Support\ClassLoader',
|
|
||||||
'Config' => 'Illuminate\Support\Facades\Config',
|
|
||||||
'Controller' => 'Illuminate\Routing\Controller',
|
|
||||||
'Cookie' => 'Illuminate\Support\Facades\Cookie',
|
|
||||||
'Crypt' => 'Illuminate\Support\Facades\Crypt',
|
|
||||||
'DB' => 'Illuminate\Support\Facades\DB',
|
|
||||||
'Eloquent' => 'Illuminate\Database\Eloquent\Model',
|
|
||||||
'Event' => 'Illuminate\Support\Facades\Event',
|
|
||||||
'File' => 'Illuminate\Support\Facades\File',
|
|
||||||
'Form' => 'Illuminate\Support\Facades\Form',
|
|
||||||
'Hash' => 'Illuminate\Support\Facades\Hash',
|
|
||||||
'HTML' => 'Illuminate\Support\Facades\HTML',
|
|
||||||
'Input' => 'Illuminate\Support\Facades\Input',
|
|
||||||
'Lang' => 'Illuminate\Support\Facades\Lang',
|
|
||||||
'Log' => 'Illuminate\Support\Facades\Log',
|
|
||||||
'Mail' => 'Illuminate\Support\Facades\Mail',
|
|
||||||
'Paginator' => 'Illuminate\Support\Facades\Paginator',
|
|
||||||
'Password' => 'Illuminate\Support\Facades\Password',
|
|
||||||
'Queue' => 'Illuminate\Support\Facades\Queue',
|
|
||||||
'Redirect' => 'Illuminate\Support\Facades\Redirect',
|
|
||||||
'Request' => 'Illuminate\Support\Facades\Request',
|
|
||||||
'Response' => 'Illuminate\Support\Facades\Response',
|
|
||||||
'Route' => 'Illuminate\Support\Facades\Route',
|
|
||||||
'Schema' => 'Illuminate\Support\Facades\Schema',
|
|
||||||
'Seeder' => 'Illuminate\Database\Seeder',
|
|
||||||
'Session' => 'Illuminate\Support\Facades\Session',
|
|
||||||
'SSH' => 'Illuminate\Support\Facades\SSH',
|
|
||||||
'Str' => 'Illuminate\Support\Str',
|
|
||||||
'URL' => 'Illuminate\Support\Facades\URL',
|
|
||||||
'Validator' => 'Illuminate\Support\Facades\Validator',
|
|
||||||
'View' => 'Illuminate\Support\Facades\View',
|
|
||||||
'RedisLV4' => 'Illuminate\Support\Facades\Redis',
|
|
||||||
|
|
||||||
),
|
|
||||||
|
|
||||||
);
|
|
@ -1,124 +0,0 @@
|
|||||||
<?php
|
|
||||||
|
|
||||||
return array(
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Mail Driver
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Laravel supports both SMTP and PHP's "mail" function as drivers for the
|
|
||||||
| sending of e-mail. You may specify which one you're using throughout
|
|
||||||
| your application here. By default, Laravel is setup for SMTP mail.
|
|
||||||
|
|
|
||||||
| Supported: "smtp", "mail", "sendmail"
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'driver' => 'mail',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Host Address
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Here you may provide the host address of the SMTP server used by your
|
|
||||||
| applications. A default option is provided that is compatible with
|
|
||||||
| the Postmark mail service, which will provide reliable delivery.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'host' => 'smtp.mailgun.org',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Host Port
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| This is the SMTP port used by your application to delivery e-mails to
|
|
||||||
| users of your application. Like the host we have set this value to
|
|
||||||
| stay compatible with the Postmark e-mail application by default.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'port' => 587,
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Global "From" Address
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| You may wish for all e-mails sent by your application to be sent from
|
|
||||||
| the same address. Here, you may specify a name and address that is
|
|
||||||
| used globally for all e-mails that are sent by your application.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'from' => array('address' => null, 'name' => null),
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| E-Mail Encryption Protocol
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Here you may specify the encryption protocol that should be used when
|
|
||||||
| the application send e-mail messages. A sensible default using the
|
|
||||||
| transport layer security protocol should provide great security.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'encryption' => 'tls',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Server Username
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| If your SMTP server requires a username for authentication, you should
|
|
||||||
| set it here. This will get used to authenticate with your server on
|
|
||||||
| connection. You may also set the "password" value below this one.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'username' => null,
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| SMTP Server Password
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| Here you may set the password required by your SMTP server to send out
|
|
||||||
| messages from your application. This will be given to the server on
|
|
||||||
| connection so that the application will be able to send messages.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'password' => null,
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Sendmail System Path
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| When using the "sendmail" driver to send e-mails, we will need to know
|
|
||||||
| the path to where Sendmail lives on this server. A default path has
|
|
||||||
| been provided here, which will work well on most of your systems.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'sendmail' => '/usr/sbin/sendmail -bs',
|
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Mail "Pretend"
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| When this option is enabled, e-mail will not actually be sent over the
|
|
||||||
| web and will instead be written to your application's logs files so
|
|
||||||
| you may inspect the message. This is great for local development.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'pretend' => true,
|
|
||||||
|
|
||||||
);
|
|
@ -17,6 +17,7 @@ return array(
|
|||||||
*/
|
*/
|
||||||
'BlacklistSecurityPolicy_BannedIpLifeTimeSeconds' => 21600,
|
'BlacklistSecurityPolicy_BannedIpLifeTimeSeconds' => 21600,
|
||||||
'BlacklistSecurityPolicy_MinutesWithoutExceptions' => 5,
|
'BlacklistSecurityPolicy_MinutesWithoutExceptions' => 5,
|
||||||
|
'BlacklistSecurityPolicy_MaxReplayAttackExceptionAttempts' => 3,
|
||||||
'BlacklistSecurityPolicy_ReplayAttackExceptionInitialDelay' => 10,
|
'BlacklistSecurityPolicy_ReplayAttackExceptionInitialDelay' => 10,
|
||||||
'BlacklistSecurityPolicy_MaxInvalidNonceAttempts' => 10,
|
'BlacklistSecurityPolicy_MaxInvalidNonceAttempts' => 10,
|
||||||
'BlacklistSecurityPolicy_InvalidNonceInitialDelay' => 10,
|
'BlacklistSecurityPolicy_InvalidNonceInitialDelay' => 10,
|
||||||
@ -41,6 +42,8 @@ return array(
|
|||||||
//oauth2 default config values
|
//oauth2 default config values
|
||||||
'OAuth2_AuthorizationCode_Lifetime' => 240,
|
'OAuth2_AuthorizationCode_Lifetime' => 240,
|
||||||
'OAuth2_AccessToken_Lifetime' => 3600,
|
'OAuth2_AccessToken_Lifetime' => 3600,
|
||||||
|
// in seconds , should be equal to session.lifetime (120 minutes)
|
||||||
|
'OAuth2_IdToken_Lifetime' => 7200,
|
||||||
'OAuth2_RefreshToken_Lifetime' => 0,
|
'OAuth2_RefreshToken_Lifetime' => 0,
|
||||||
'OAuth2_Enable' => true,
|
'OAuth2_Enable' => true,
|
||||||
//oauth2 security policy configuration
|
//oauth2 security policy configuration
|
||||||
@ -49,4 +52,5 @@ return array(
|
|||||||
'OAuth2SecurityPolicy_MaxInvalidClientExceptionAttempts' => 10,
|
'OAuth2SecurityPolicy_MaxInvalidClientExceptionAttempts' => 10,
|
||||||
'OAuth2SecurityPolicy_MaxInvalidRedeemAuthCodeAttempts' => 10,
|
'OAuth2SecurityPolicy_MaxInvalidRedeemAuthCodeAttempts' => 10,
|
||||||
'OAuth2SecurityPolicy_MaxInvalidInvalidClientCredentialsAttempts' => 5,
|
'OAuth2SecurityPolicy_MaxInvalidInvalidClientCredentialsAttempts' => 5,
|
||||||
|
'Banning_Enable' => true,
|
||||||
);
|
);
|
@ -16,6 +16,6 @@ return array(
|
|||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'driver' => 'array',
|
'driver' => 'redis',
|
||||||
|
|
||||||
);
|
);
|
@ -9,23 +9,64 @@ use oauth2\services\IApiEndpointService;
|
|||||||
use utils\services\IAuthService;
|
use utils\services\IAuthService;
|
||||||
use openid\services\IUserService;
|
use openid\services\IUserService;
|
||||||
use utils\services\IServerConfigurationService;
|
use utils\services\IServerConfigurationService;
|
||||||
use \utils\services\IBannedIPService;
|
use utils\services\IBannedIPService;
|
||||||
|
use oauth2\repositories\IServerPrivateKeyRepository;
|
||||||
|
use oauth2\repositories\IApiScopeGroupRepository;
|
||||||
|
use auth\User;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class AdminController
|
* Class AdminController
|
||||||
*/
|
*/
|
||||||
class AdminController extends BaseController {
|
class AdminController extends BaseController {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IClientService
|
||||||
|
*/
|
||||||
private $client_service;
|
private $client_service;
|
||||||
|
/**
|
||||||
|
* @var IApiScopeService
|
||||||
|
*/
|
||||||
private $scope_service;
|
private $scope_service;
|
||||||
|
/**
|
||||||
|
* @var ITokenService
|
||||||
|
*/
|
||||||
private $token_service;
|
private $token_service;
|
||||||
|
/**
|
||||||
|
* @var IResourceServerService
|
||||||
|
*/
|
||||||
private $resource_server_service;
|
private $resource_server_service;
|
||||||
|
/**
|
||||||
|
* @var IApiService
|
||||||
|
*/
|
||||||
private $api_service;
|
private $api_service;
|
||||||
|
/**
|
||||||
|
* @var IApiEndpointService
|
||||||
|
*/
|
||||||
private $endpoint_service;
|
private $endpoint_service;
|
||||||
|
/**
|
||||||
|
* @var IAuthService
|
||||||
|
*/
|
||||||
private $auth_service;
|
private $auth_service;
|
||||||
|
/**
|
||||||
|
* @var IUserService
|
||||||
|
*/
|
||||||
private $user_service;
|
private $user_service;
|
||||||
|
/**
|
||||||
|
* @var IServerConfigurationService
|
||||||
|
*/
|
||||||
private $configuration_service;
|
private $configuration_service;
|
||||||
|
/**
|
||||||
|
* @var IBannedIPService
|
||||||
|
*/
|
||||||
private $banned_ips_service;
|
private $banned_ips_service;
|
||||||
|
|
||||||
|
private $private_keys_repository;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IApiScopeGroupRepository
|
||||||
|
*/
|
||||||
|
private $group_repository;
|
||||||
|
|
||||||
public function __construct( IClientService $client_service,
|
public function __construct( IClientService $client_service,
|
||||||
IApiScopeService $scope_service,
|
IApiScopeService $scope_service,
|
||||||
ITokenService $token_service,
|
ITokenService $token_service,
|
||||||
@ -35,7 +76,10 @@ class AdminController extends BaseController {
|
|||||||
IAuthService $auth_service,
|
IAuthService $auth_service,
|
||||||
IUserService $user_service,
|
IUserService $user_service,
|
||||||
IServerConfigurationService $configuration_service,
|
IServerConfigurationService $configuration_service,
|
||||||
IBannedIPService $banned_ips_service){
|
IBannedIPService $banned_ips_service,
|
||||||
|
IServerPrivateKeyRepository $private_keys_repository,
|
||||||
|
IApiScopeGroupRepository $group_repository)
|
||||||
|
{
|
||||||
|
|
||||||
$this->client_service = $client_service;
|
$this->client_service = $client_service;
|
||||||
$this->scope_service = $scope_service;
|
$this->scope_service = $scope_service;
|
||||||
@ -47,6 +91,8 @@ class AdminController extends BaseController {
|
|||||||
$this->user_service = $user_service;
|
$this->user_service = $user_service;
|
||||||
$this->configuration_service = $configuration_service;
|
$this->configuration_service = $configuration_service;
|
||||||
$this->banned_ips_service = $banned_ips_service;
|
$this->banned_ips_service = $banned_ips_service;
|
||||||
|
$this->private_keys_repository = $private_keys_repository;
|
||||||
|
$this->group_repository = $group_repository;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function editRegisteredClient($id)
|
public function editRegisteredClient($id)
|
||||||
@ -59,8 +105,6 @@ class AdminController extends BaseController {
|
|||||||
return View::make("404");
|
return View::make("404");
|
||||||
}
|
}
|
||||||
|
|
||||||
$allowed_uris = $client->getClientRegisteredUris();
|
|
||||||
$allowed_origins = $client->getClientAllowedOrigins();
|
|
||||||
$selected_scopes = $client->getClientScopes();
|
$selected_scopes = $client->getClientScopes();
|
||||||
$aux_scopes = array();
|
$aux_scopes = array();
|
||||||
|
|
||||||
@ -68,7 +112,8 @@ class AdminController extends BaseController {
|
|||||||
array_push($aux_scopes, $scope->id);
|
array_push($aux_scopes, $scope->id);
|
||||||
}
|
}
|
||||||
|
|
||||||
$scopes = $this->scope_service->getAvailableScopes($user->canUseSystemScopes());
|
$scopes = $this->scope_service->getAvailableScopes();
|
||||||
|
$group_scopes = $user->getGroupScopes();
|
||||||
|
|
||||||
$access_tokens = $this->token_service->getAccessTokenByClient($client->client_id);
|
$access_tokens = $this->token_service->getAccessTokenByClient($client->client_id);
|
||||||
|
|
||||||
@ -86,32 +131,69 @@ class AdminController extends BaseController {
|
|||||||
|
|
||||||
return View::make("oauth2.profile.edit-client",
|
return View::make("oauth2.profile.edit-client",
|
||||||
array(
|
array(
|
||||||
'client' => $client,
|
'client' => $client,
|
||||||
'allowed_uris' => $allowed_uris,
|
'selected_scopes' => $aux_scopes,
|
||||||
'allowed_origins' => $allowed_origins,
|
'scopes' => array_merge($scopes, $group_scopes),
|
||||||
'selected_scopes' => $aux_scopes,
|
'access_tokens' => $access_tokens,
|
||||||
'scopes' => $scopes,
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
'access_tokens' => $access_tokens,
|
|
||||||
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
|
||||||
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
||||||
"use_system_scopes" => $user->canUseSystemScopes(),
|
"use_system_scopes" => $user->canUseSystemScopes(),
|
||||||
'refresh_tokens' => $refresh_tokens,
|
'refresh_tokens' => $refresh_tokens,
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function listResourceServers() {
|
// Api Scope Groups
|
||||||
|
|
||||||
|
public function listApiScopeGroups()
|
||||||
|
{
|
||||||
|
$user = $this->auth_service->getCurrentUser();
|
||||||
|
$groups = $this->group_repository->getAll(1,1000);
|
||||||
|
$non_selected_scopes = $this->scope_service->getAssignedByGroups();
|
||||||
|
$non_selected_users = User::where('active', '=', true)->get();
|
||||||
|
return View::make("oauth2.profile.admin.api-scope-groups",array
|
||||||
|
(
|
||||||
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
|
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
||||||
|
'groups' => $groups,
|
||||||
|
'non_selected_scopes' => $non_selected_scopes,
|
||||||
|
'non_selected_users' => $non_selected_users,
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function editApiScopeGroup($id){
|
||||||
|
$group = $this->group_repository->get($id);
|
||||||
|
|
||||||
|
if(is_null($group))
|
||||||
|
return Response::view('404', array(), 404);
|
||||||
$user = $this->auth_service->getCurrentUser();
|
$user = $this->auth_service->getCurrentUser();
|
||||||
|
$non_selected_scopes = $this->scope_service->getAssignedByGroups();
|
||||||
|
$non_selected_users = User::where('active', '=', true)->get();
|
||||||
|
return View::make("oauth2.profile.admin.edit-api-scope-group",
|
||||||
|
array
|
||||||
|
(
|
||||||
|
'is_oauth2_admin' => $user->isOAuth2ServerAdmin(),
|
||||||
|
'is_openstackid_admin' => $user->isOpenstackIdAdmin(),
|
||||||
|
'group' => $group,
|
||||||
|
'non_selected_scopes' => $non_selected_scopes,
|
||||||
|
'non_selected_users' => $non_selected_users,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Resource servers
|
||||||
|
public function listResourceServers() {
|
||||||
|
$user = $this->auth_service->getCurrentUser();
|
||||||
$resource_servers = $this->resource_server_service->getAll(1,1000);
|
$resource_servers = $this->resource_server_service->getAll(1,1000);
|
||||||
return View::make("oauth2.profile.admin.resource-servers",array(
|
return View::make("oauth2.profile.admin.resource-servers",array(
|
||||||
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
||||||
'resource_servers'=>$resource_servers));
|
'resource_servers' => $resource_servers));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function editResourceServer($id){
|
public function editResourceServer($id){
|
||||||
$resource_server = $this->resource_server_service->get($id);
|
$resource_server = $this->resource_server_service->get($id);
|
||||||
if(is_null($resource_server))
|
if(is_null($resource_server))
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
$user = $this->auth_service->getCurrentUser();
|
$user = $this->auth_service->getCurrentUser();
|
||||||
return View::make("oauth2.profile.admin.edit-resource-server",array(
|
return View::make("oauth2.profile.admin.edit-resource-server",array(
|
||||||
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
@ -123,7 +205,7 @@ class AdminController extends BaseController {
|
|||||||
public function editApi($id){
|
public function editApi($id){
|
||||||
$api = $this->api_service->get($id);
|
$api = $this->api_service->get($id);
|
||||||
if(is_null($api))
|
if(is_null($api))
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
$user = $this->auth_service->getCurrentUser();
|
$user = $this->auth_service->getCurrentUser();
|
||||||
return View::make("oauth2.profile.admin.edit-api",array(
|
return View::make("oauth2.profile.admin.edit-api",array(
|
||||||
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
@ -134,7 +216,7 @@ class AdminController extends BaseController {
|
|||||||
public function editScope($id){
|
public function editScope($id){
|
||||||
$scope = $this->scope_service->get($id);
|
$scope = $this->scope_service->get($id);
|
||||||
if(is_null($scope))
|
if(is_null($scope))
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
$user = $this->auth_service->getCurrentUser();
|
$user = $this->auth_service->getCurrentUser();
|
||||||
return View::make("oauth2.profile.admin.edit-scope",array(
|
return View::make("oauth2.profile.admin.edit-scope",array(
|
||||||
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
@ -145,7 +227,7 @@ class AdminController extends BaseController {
|
|||||||
public function editEndpoint($id){
|
public function editEndpoint($id){
|
||||||
$endpoint = $this->endpoint_service->get($id);
|
$endpoint = $this->endpoint_service->get($id);
|
||||||
if(is_null($endpoint))
|
if(is_null($endpoint))
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
$user = $this->auth_service->getCurrentUser();
|
$user = $this->auth_service->getCurrentUser();
|
||||||
$selected_scopes = array();
|
$selected_scopes = array();
|
||||||
$list = $endpoint->scopes()->get(array('id'));
|
$list = $endpoint->scopes()->get(array('id'));
|
||||||
@ -235,31 +317,32 @@ class AdminController extends BaseController {
|
|||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
public function listServerConfig(){
|
public function listServerConfig(){
|
||||||
|
|
||||||
$user = $this->auth_service->getCurrentUser();
|
$user = $this->auth_service->getCurrentUser();
|
||||||
$config_values = array();
|
$config_values = array();
|
||||||
|
|
||||||
$config_values['MaxFailed.Login.Attempts'] = $this->configuration_service->getConfigValue('MaxFailed.Login.Attempts');
|
$config_values['MaxFailed.Login.Attempts'] = $this->configuration_service->getConfigValue('MaxFailed.Login.Attempts');
|
||||||
$config_values['MaxFailed.LoginAttempts.2ShowCaptcha'] = $this->configuration_service->getConfigValue('MaxFailed.LoginAttempts.2ShowCaptcha');
|
$config_values['MaxFailed.LoginAttempts.2ShowCaptcha'] = $this->configuration_service->getConfigValue('MaxFailed.LoginAttempts.2ShowCaptcha');
|
||||||
|
|
||||||
$config_values['OpenId.Private.Association.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Private.Association.Lifetime');
|
$config_values['OpenId.Private.Association.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Private.Association.Lifetime');
|
||||||
$config_values['OpenId.Session.Association.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Session.Association.Lifetime');
|
$config_values['OpenId.Session.Association.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Session.Association.Lifetime');
|
||||||
$config_values['OpenId.Nonce.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Nonce.Lifetime');
|
$config_values['OpenId.Nonce.Lifetime'] = $this->configuration_service->getConfigValue('OpenId.Nonce.Lifetime');
|
||||||
|
|
||||||
$config_values['OAuth2.AuthorizationCode.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.AuthorizationCode.Lifetime');
|
$config_values['OAuth2.AuthorizationCode.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.AuthorizationCode.Lifetime');
|
||||||
$config_values['OAuth2.AccessToken.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.AccessToken.Lifetime');
|
$config_values['OAuth2.AccessToken.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.AccessToken.Lifetime');
|
||||||
$config_values['OAuth2.RefreshToken.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.RefreshToken.Lifetime');
|
$config_values['OAuth2.IdToken.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.IdToken.Lifetime');
|
||||||
|
$config_values['OAuth2.RefreshToken.Lifetime'] = $this->configuration_service->getConfigValue('OAuth2.RefreshToken.Lifetime');
|
||||||
|
|
||||||
return View::make("admin.server-config", array(
|
return View::make("admin.server-config", array
|
||||||
"username" => $user->getFullName(),
|
(
|
||||||
"user_id" => $user->getId(),
|
"username" => $user->getFullName(),
|
||||||
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
"user_id" => $user->getId(),
|
||||||
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
'config_values' => $config_values,
|
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
||||||
));
|
'config_values' => $config_values,
|
||||||
|
)
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function saveServerConfig(){
|
public function saveServerConfig(){
|
||||||
@ -275,6 +358,7 @@ class AdminController extends BaseController {
|
|||||||
'oauth2-auth-code-lifetime' => 'required|integer',
|
'oauth2-auth-code-lifetime' => 'required|integer',
|
||||||
'oauth2-refresh-token-lifetime' => 'required|integer',
|
'oauth2-refresh-token-lifetime' => 'required|integer',
|
||||||
'oauth2-access-token-lifetime' => 'required|integer',
|
'oauth2-access-token-lifetime' => 'required|integer',
|
||||||
|
'oauth2-id-token-lifetime' => 'required|integer',
|
||||||
);
|
);
|
||||||
|
|
||||||
$dictionary = array(
|
$dictionary = array(
|
||||||
@ -285,6 +369,7 @@ class AdminController extends BaseController {
|
|||||||
'openid-nonce-lifetime' => 'OpenId.Nonce.Lifetime',
|
'openid-nonce-lifetime' => 'OpenId.Nonce.Lifetime',
|
||||||
'oauth2-auth-code-lifetime' => 'OAuth2.AuthorizationCode.Lifetime',
|
'oauth2-auth-code-lifetime' => 'OAuth2.AuthorizationCode.Lifetime',
|
||||||
'oauth2-access-token-lifetime' => 'OAuth2.AccessToken.Lifetime',
|
'oauth2-access-token-lifetime' => 'OAuth2.AccessToken.Lifetime',
|
||||||
|
'oauth2-id-token-lifetime' => 'OAuth2.IdToken.Lifetime',
|
||||||
'oauth2-refresh-token-lifetime' => 'OAuth2.RefreshToken.Lifetime',
|
'oauth2-refresh-token-lifetime' => 'OAuth2.RefreshToken.Lifetime',
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -314,4 +399,15 @@ class AdminController extends BaseController {
|
|||||||
"ips" =>$ips
|
"ips" =>$ips
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function listServerPrivateKeys(){
|
||||||
|
|
||||||
|
$user = $this->auth_service->getCurrentUser();
|
||||||
|
|
||||||
|
return View::make("oauth2.profile.admin.server-private-keys", array(
|
||||||
|
'private_keys' => $this->private_keys_repository->getAll(1,4294967296),
|
||||||
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
|
"is_openstackid_admin" => $user->isOpenstackIdAdmin(),
|
||||||
|
));
|
||||||
|
}
|
||||||
}
|
}
|
@ -2,23 +2,30 @@
|
|||||||
|
|
||||||
use utils\services\ILogService;
|
use utils\services\ILogService;
|
||||||
|
|
||||||
abstract class AbstractRESTController extends JsonController {
|
/**
|
||||||
|
* Class AbstractRESTController
|
||||||
|
*/
|
||||||
|
abstract class AbstractRESTController extends JsonController
|
||||||
|
{
|
||||||
|
|
||||||
|
|
||||||
protected $allowed_filter_fields;
|
protected $allowed_filter_fields;
|
||||||
protected $allowed_projection_fields;
|
protected $allowed_projection_fields;
|
||||||
|
|
||||||
private $filter_delimiter;
|
protected $filter_delimiter;
|
||||||
private $field_delimiter;
|
protected $field_delimiter;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
public function __construct(ILogService $log_service){
|
public function __construct(ILogService $log_service)
|
||||||
|
{
|
||||||
parent::__construct($log_service);
|
parent::__construct($log_service);
|
||||||
$this->filter_delimiter = '+';
|
$this->filter_delimiter = '+';
|
||||||
$this->field_delimiter = ',';
|
$this->field_delimiter = ',';
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function getProjection($fields){
|
protected function getProjection($fields)
|
||||||
|
{
|
||||||
if(!is_string($fields)) return array('*');
|
if(!is_string($fields)) return array('*');
|
||||||
if(empty($fields)) return array('*');
|
if(empty($fields)) return array('*');
|
||||||
$fields_args = explode($this->field_delimiter,$fields);
|
$fields_args = explode($this->field_delimiter,$fields);
|
||||||
@ -33,7 +40,8 @@ abstract class AbstractRESTController extends JsonController {
|
|||||||
return $res;
|
return $res;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function getFilters($filters){
|
protected function getFilters($filters)
|
||||||
|
{
|
||||||
if(!is_array($filters)) return array();
|
if(!is_array($filters)) return array();
|
||||||
$res = array();
|
$res = array();
|
||||||
foreach($filters as $fieldname=>$value){
|
foreach($filters as $fieldname=>$value){
|
||||||
|
@ -1,8 +1,9 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
use oauth2\exceptions\InvalidResourceServer;
|
||||||
use oauth2\services\IResourceServerService;
|
use oauth2\services\IResourceServerService;
|
||||||
use utils\services\ILogService;
|
use utils\services\ILogService;
|
||||||
use oauth2\exceptions\InvalidResourceServer;
|
|
||||||
/**
|
/**
|
||||||
* Class ApiResourceServerController
|
* Class ApiResourceServerController
|
||||||
*/
|
*/
|
||||||
@ -17,7 +18,7 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
{
|
{
|
||||||
parent::__construct($log_service);
|
parent::__construct($log_service);
|
||||||
$this->resource_server_service = $resource_server_service;
|
$this->resource_server_service = $resource_server_service;
|
||||||
$this->allowed_filter_fields = array('');
|
$this->allowed_filter_fields = array('');
|
||||||
$this->allowed_projection_fields = array('*');
|
$this->allowed_projection_fields = array('*');
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -29,18 +30,20 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
return $this->error404(array('error' => 'resource server not found'));
|
return $this->error404(array('error' => 'resource server not found'));
|
||||||
}
|
}
|
||||||
|
|
||||||
$data = $resource_server->toArray();
|
$data = $resource_server->toArray();
|
||||||
$apis = $resource_server->apis()->get(array('id','name'));
|
$apis = $resource_server->apis()->get(array('id', 'name'));
|
||||||
$data['apis'] = $apis->toArray();
|
$data['apis'] = $apis->toArray();
|
||||||
|
|
||||||
$client = $resource_server->getClient();
|
$client = $resource_server->getClient();
|
||||||
if(!is_null($client)){
|
if (!is_null($client)) {
|
||||||
$data['client_id'] = $client->getClientId();
|
$data['client_id'] = $client->getClientId();
|
||||||
$data['client_secret'] = $client->getClientSecret();
|
$data['client_secret'] = $client->getClientSecret();
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->ok($data);
|
return $this->ok($data);
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -48,22 +51,24 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
public function getByPage()
|
public function getByPage()
|
||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
$fields = $this->getProjection(Input::get('fields',null));
|
$fields = $this->getProjection(Input::get('fields', null));
|
||||||
$filters = $this->getFilters(Input::except('fields','limit','offset'));
|
$filters = $this->getFilters(Input::except('fields', 'limit', 'offset'));
|
||||||
$page_nbr = intval(Input::get('offset',1));
|
$page_nbr = intval(Input::get('offset', 1));
|
||||||
$page_size = intval(Input::get('limit',10));
|
$page_size = intval(Input::get('limit', 10));
|
||||||
|
|
||||||
$list = $this->resource_server_service->getAll($page_nbr, $page_size,$filters,$fields);
|
$list = $this->resource_server_service->getAll($page_nbr, $page_size, $filters, $fields);
|
||||||
$items = array();
|
$items = array();
|
||||||
foreach ($list->getItems() as $rs) {
|
foreach ($list->getItems() as $rs) {
|
||||||
array_push($items, $rs->toArray());
|
array_push($items, $rs->toArray());
|
||||||
}
|
}
|
||||||
return $this->ok( array(
|
|
||||||
|
return $this->ok(array(
|
||||||
'page' => $items,
|
'page' => $items,
|
||||||
'total_items' => $list->getTotal()
|
'total_items' => $list->getTotal()
|
||||||
));
|
));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -74,17 +79,18 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
$values = Input::all();
|
$values = Input::all();
|
||||||
|
|
||||||
$rules = array(
|
$rules = array(
|
||||||
'host' => 'required|host|max:255',
|
'host' => 'required|host|max:255',
|
||||||
'ip' => 'required|ip|max:16',
|
'ip' => 'required|ip|max:16',
|
||||||
'friendly_name' => 'required|text|max:512',
|
'friendly_name' => 'required|text|max:512',
|
||||||
'active' => 'required|boolean',
|
'active' => 'required|boolean',
|
||||||
);
|
);
|
||||||
// Creates a Validator instance and validates the data.
|
// Creates a Validator instance and validates the data.
|
||||||
$validation = Validator::make($values, $rules);
|
$validation = Validator::make($values, $rules);
|
||||||
|
|
||||||
if ($validation->fails()) {
|
if ($validation->fails()) {
|
||||||
$messages = $validation->messages()->toArray();
|
$messages = $validation->messages()->toArray();
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
}
|
}
|
||||||
|
|
||||||
$new_resource_server_model = $this->resource_server_service->add(
|
$new_resource_server_model = $this->resource_server_service->add(
|
||||||
@ -94,13 +100,13 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
$values['active']);
|
$values['active']);
|
||||||
|
|
||||||
return $this->created(array('resource_server_id' => $new_resource_server_model->id));
|
return $this->created(array('resource_server_id' => $new_resource_server_model->id));
|
||||||
}
|
} catch (InvalidResourceServer $ex1) {
|
||||||
catch(InvalidResourceServer $ex1){
|
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
return $this->error400(array('error'=>$ex1->getMessage()));
|
|
||||||
}
|
return $this->error400(array('error' => $ex1->getMessage()));
|
||||||
catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -109,9 +115,11 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
$res = $this->resource_server_service->delete($id);
|
$res = $this->resource_server_service->delete($id);
|
||||||
return $res?$this->deleted():$this->error404(array('error'=>'operation failed'));
|
|
||||||
|
return $res ? $this->deleted() : $this->error404(array('error' => 'operation failed'));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -120,9 +128,11 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
$res = $this->resource_server_service->regenerateClientSecret($id);
|
$res = $this->resource_server_service->regenerateClientSecret($id);
|
||||||
return !is_null($res)?$this->ok(array('new_secret'=>$res)):$this->error404(array('error'=>'operation failed'));
|
|
||||||
|
return !is_null($res) ? $this->ok(array('new_secret' => $res)) : $this->error404(array('error' => 'operation failed'));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -134,48 +144,55 @@ class ApiResourceServerController extends AbstractRESTController implements ICRU
|
|||||||
$values = Input::all();
|
$values = Input::all();
|
||||||
|
|
||||||
$rules = array(
|
$rules = array(
|
||||||
'id' => 'required|integer',
|
'id' => 'required|integer',
|
||||||
'host' => 'sometimes|required|host|max:255',
|
'host' => 'sometimes|required|host|max:255',
|
||||||
'ip' => 'sometimes|required|ip|max:16',
|
'ip' => 'sometimes|required|ip|max:16',
|
||||||
'friendly_name' => 'sometimes|required|text|max:512',
|
'friendly_name' => 'sometimes|required|text|max:512',
|
||||||
);
|
);
|
||||||
// Creates a Validator instance and validates the data.
|
// Creates a Validator instance and validates the data.
|
||||||
$validation = Validator::make($values, $rules);
|
$validation = Validator::make($values, $rules);
|
||||||
if ($validation->fails()) {
|
if ($validation->fails()) {
|
||||||
$messages = $validation->messages()->toArray();
|
$messages = $validation->messages()->toArray();
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
}
|
}
|
||||||
$res = $this->resource_server_service->update(intval($values['id']),$values);
|
$res = $this->resource_server_service->update(intval($values['id']), $values);
|
||||||
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
|
|
||||||
}
|
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
|
||||||
catch(InvalidResourceServer $ex1){
|
} catch (InvalidResourceServer $ex1) {
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
return $this->error404(array('error'=>$ex1->getMessage()));
|
|
||||||
}
|
|
||||||
catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
public function activate($id){
|
|
||||||
try {
|
|
||||||
$res = $this->resource_server_service->setStatus($id,true);
|
|
||||||
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
|
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function deactivate($id){
|
public function activate($id)
|
||||||
try {
|
{
|
||||||
$res = $this->resource_server_service->setStatus($id,false);
|
try {
|
||||||
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
|
$res = $this->resource_server_service->setStatus($id, true);
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
|
||||||
return $this->error500($ex);
|
} catch (Exception $ex) {
|
||||||
}
|
$this->log_service->error($ex);
|
||||||
}
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public function deactivate($id)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$res = $this->resource_server_service->setStatus($id, false);
|
||||||
|
|
||||||
|
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
@ -10,6 +10,9 @@ use oauth2\exceptions\InvalidApiScope;
|
|||||||
*/
|
*/
|
||||||
class ApiScopeController extends AbstractRESTController implements ICRUDController {
|
class ApiScopeController extends AbstractRESTController implements ICRUDController {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IApiScopeService
|
||||||
|
*/
|
||||||
private $api_scope_service;
|
private $api_scope_service;
|
||||||
|
|
||||||
public function __construct(IApiScopeService $api_scope_service, ILogService $log_service)
|
public function __construct(IApiScopeService $api_scope_service, ILogService $log_service)
|
||||||
@ -74,6 +77,7 @@ class ApiScopeController extends AbstractRESTController implements ICRUDControll
|
|||||||
'default' => 'required|boolean',
|
'default' => 'required|boolean',
|
||||||
'system' => 'required|boolean',
|
'system' => 'required|boolean',
|
||||||
'api_id' => 'required|integer',
|
'api_id' => 'required|integer',
|
||||||
|
'assigned_by_groups' => 'required|boolean',
|
||||||
);
|
);
|
||||||
|
|
||||||
// Creates a Validator instance and validates the data.
|
// Creates a Validator instance and validates the data.
|
||||||
@ -91,7 +95,8 @@ class ApiScopeController extends AbstractRESTController implements ICRUDControll
|
|||||||
$values['active'],
|
$values['active'],
|
||||||
$values['default'],
|
$values['default'],
|
||||||
$values['system'],
|
$values['system'],
|
||||||
$values['api_id']
|
$values['api_id'],
|
||||||
|
$values['assigned_by_groups']
|
||||||
);
|
);
|
||||||
|
|
||||||
return $this->created(array('scope_id' => $new_scope->id));
|
return $this->created(array('scope_id' => $new_scope->id));
|
||||||
@ -140,6 +145,7 @@ class ApiScopeController extends AbstractRESTController implements ICRUDControll
|
|||||||
'active' => 'sometimes|required|boolean',
|
'active' => 'sometimes|required|boolean',
|
||||||
'system' => 'sometimes|required|boolean',
|
'system' => 'sometimes|required|boolean',
|
||||||
'default' => 'sometimes|required|boolean',
|
'default' => 'sometimes|required|boolean',
|
||||||
|
'assigned_by_groups' => 'sometimes|boolean',
|
||||||
);
|
);
|
||||||
|
|
||||||
// Creates a Validator instance and validates the data.
|
// Creates a Validator instance and validates the data.
|
||||||
|
278
app/controllers/apis/ApiScopeGroupController.php
Normal file
278
app/controllers/apis/ApiScopeGroupController.php
Normal file
@ -0,0 +1,278 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
use utils\services\ILogService;
|
||||||
|
use oauth2\repositories\IApiScopeGroupRepository;
|
||||||
|
use oauth2\exceptions\InvalidApiScopeGroup;
|
||||||
|
use oauth2\services\IApiScopeGroupService;
|
||||||
|
use auth\IUserRepository;
|
||||||
|
use oauth2\services\IApiScopeService;
|
||||||
|
use utils\exceptions\EntityNotFoundException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class ApiScopeGroupController
|
||||||
|
*/
|
||||||
|
final class ApiScopeGroupController extends AbstractRESTController implements ICRUDController
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IApiScopeGroupRepository
|
||||||
|
*/
|
||||||
|
private $repository;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IApiScopeGroupService
|
||||||
|
*/
|
||||||
|
private $service;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IUserRepository
|
||||||
|
*/
|
||||||
|
private $user_repository;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IApiScopeService
|
||||||
|
*/
|
||||||
|
private $scope_service;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* ApiScopeGroupController constructor.
|
||||||
|
* @param IApiScopeGroupService $service
|
||||||
|
* @param IApiScopeGroupRepository $repository
|
||||||
|
* @param IUserRepository $user_repository
|
||||||
|
* @param IApiScopeService $scope_service
|
||||||
|
* @param ILogService $log_service
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IApiScopeGroupService $service,
|
||||||
|
IApiScopeGroupRepository $repository,
|
||||||
|
IUserRepository $user_repository,
|
||||||
|
IApiScopeService $scope_service,
|
||||||
|
ILogService $log_service
|
||||||
|
)
|
||||||
|
{
|
||||||
|
parent::__construct($log_service);
|
||||||
|
|
||||||
|
$this->repository = $repository;
|
||||||
|
$this->user_repository = $user_repository;
|
||||||
|
$this->scope_service = $scope_service;
|
||||||
|
$this->service = $service;
|
||||||
|
$this->allowed_filter_fields = array('');
|
||||||
|
$this->allowed_projection_fields = array('*');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function get($id)
|
||||||
|
{
|
||||||
|
// TODO: Implement get() method.
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function create()
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
$values = Input::all();
|
||||||
|
|
||||||
|
$rules = array
|
||||||
|
(
|
||||||
|
'name' => 'required|text|max:512',
|
||||||
|
'active' => 'required|boolean',
|
||||||
|
'scopes' => 'required',
|
||||||
|
'users' => 'required',
|
||||||
|
);
|
||||||
|
// Creates a Validator instance and validates the data.
|
||||||
|
$validation = Validator::make($values, $rules);
|
||||||
|
|
||||||
|
if ($validation->fails()) {
|
||||||
|
$messages = $validation->messages()->toArray();
|
||||||
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
|
}
|
||||||
|
|
||||||
|
$new_group = $this->service->register
|
||||||
|
(
|
||||||
|
$values['name'],
|
||||||
|
$values['active'],
|
||||||
|
$values['scopes'],
|
||||||
|
$values['users']
|
||||||
|
);
|
||||||
|
|
||||||
|
return $this->created(array('group_id' => $new_group->id));
|
||||||
|
} catch (InvalidApiScopeGroup $ex1) {
|
||||||
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
|
return $this->error400(array('error' => $ex1->getMessage()));
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function getByPage()
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
$fields = $this->getProjection(Input::get('fields', null));
|
||||||
|
$filters = $this->getFilters(Input::except('fields', 'limit', 'offset'));
|
||||||
|
$page_nbr = intval(Input::get('offset', 1));
|
||||||
|
$page_size = intval(Input::get('limit', 10));
|
||||||
|
|
||||||
|
$list = $this->repository->getAll($page_nbr, $page_size, $filters, $fields);
|
||||||
|
$items = array();
|
||||||
|
|
||||||
|
foreach ($list->getItems() as $g)
|
||||||
|
{
|
||||||
|
array_push($items, $g->toArray());
|
||||||
|
}
|
||||||
|
|
||||||
|
return $this->ok(
|
||||||
|
array
|
||||||
|
(
|
||||||
|
'page' => $items,
|
||||||
|
'total_items' => $list->getTotal()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function delete($id)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$group = $this->repository->get(intval($id));
|
||||||
|
if(is_null($group)) return $this->error404();
|
||||||
|
foreach($group->users()->get() as $user)
|
||||||
|
{
|
||||||
|
foreach($user->clients()->get() as $client)
|
||||||
|
{
|
||||||
|
foreach($group->scopes()->get() as $scope)
|
||||||
|
$client->scopes()->detach(intval($scope->id));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$this->repository->delete($group);
|
||||||
|
return $this->deleted();
|
||||||
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function update()
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
|
||||||
|
$values = Input::all();
|
||||||
|
|
||||||
|
$rules = array
|
||||||
|
(
|
||||||
|
'id' => 'required|integer',
|
||||||
|
'name' => 'required|text|max:512',
|
||||||
|
'active' => 'required|boolean',
|
||||||
|
'scopes' => 'required',
|
||||||
|
'users' => 'required',
|
||||||
|
);
|
||||||
|
// Creates a Validator instance and validates the data.
|
||||||
|
$validation = Validator::make($values, $rules);
|
||||||
|
if ($validation->fails()) {
|
||||||
|
$messages = $validation->messages()->toArray();
|
||||||
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
|
}
|
||||||
|
|
||||||
|
$res = $this->service->update(intval($values['id']), $values);
|
||||||
|
|
||||||
|
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
|
||||||
|
}
|
||||||
|
catch (InvalidApiScopeGroup $ex1)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex1);
|
||||||
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
|
}
|
||||||
|
catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public function activate($id){
|
||||||
|
try
|
||||||
|
{
|
||||||
|
$res = $this->service->setStatus($id, true);
|
||||||
|
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
|
||||||
|
}
|
||||||
|
catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public function deactivate($id){
|
||||||
|
try
|
||||||
|
{
|
||||||
|
$res = $this->service->setStatus($id, false);
|
||||||
|
return $res?$this->ok():$this->error400(array('error'=>'operation failed'));
|
||||||
|
}
|
||||||
|
catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public function fetchUsers()
|
||||||
|
{
|
||||||
|
$values = Input::all();
|
||||||
|
if(!isset($values['t'])) return $this->error404();
|
||||||
|
$term = $values['t'];
|
||||||
|
$users = $this->user_repository->getByEmailOrName($term);
|
||||||
|
if(count($users) > 0)
|
||||||
|
{
|
||||||
|
$list = array();
|
||||||
|
foreach($users as $u)
|
||||||
|
{
|
||||||
|
array_push($list, array
|
||||||
|
(
|
||||||
|
'id' => $u->id,
|
||||||
|
'value' => sprintf('%s (%s)', $u->getFullName(), $u->getEmail())
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
return $this->ok($list);
|
||||||
|
}
|
||||||
|
return $this->updated();
|
||||||
|
}
|
||||||
|
}
|
131
app/controllers/apis/AssymetricKeyApiController.php
Normal file
131
app/controllers/apis/AssymetricKeyApiController.php
Normal file
@ -0,0 +1,131 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
use oauth2\services\IAssymetricKeyService;
|
||||||
|
use utils\services\ILogService;
|
||||||
|
use oauth2\repositories\IAssymetricKeyRepository;
|
||||||
|
|
||||||
|
class AssymetricKeyApiController extends AbstractRESTController
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @var IAssymetricKeyService
|
||||||
|
*/
|
||||||
|
protected $service;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IAssymetricKeyRepository
|
||||||
|
*/
|
||||||
|
protected $repository;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param IAssymetricKeyRepository $repository
|
||||||
|
* @param IAssymetricKeyService $service
|
||||||
|
* @param ILogService $log_service
|
||||||
|
*/
|
||||||
|
public function __construct(
|
||||||
|
IAssymetricKeyRepository $repository,
|
||||||
|
IAssymetricKeyService $service,
|
||||||
|
ILogService $log_service
|
||||||
|
) {
|
||||||
|
parent::__construct($log_service);
|
||||||
|
$this->repository = $repository;
|
||||||
|
$this->service = $service;
|
||||||
|
//set filters allowed values
|
||||||
|
$this->allowed_filter_fields = array('*');
|
||||||
|
$this->allowed_projection_fields = array('*');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
protected function _delete($id)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$res = $this->service->delete($id);
|
||||||
|
|
||||||
|
return $res ? $this->deleted() : $this->error404(array('error' => 'operation failed'));
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
protected function _update($id)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
|
||||||
|
$values = Input::all();
|
||||||
|
|
||||||
|
$rules = array(
|
||||||
|
'id' => 'required|integer',
|
||||||
|
'active' => 'required|boolean',
|
||||||
|
);
|
||||||
|
|
||||||
|
// Creates a Validator instance and validates the data.
|
||||||
|
$validation = Validator::make($values, $rules);
|
||||||
|
|
||||||
|
if ($validation->fails()) {
|
||||||
|
$messages = $validation->messages()->toArray();
|
||||||
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
|
}
|
||||||
|
|
||||||
|
$res = $this->service->update(intval($id), $values);
|
||||||
|
|
||||||
|
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
|
||||||
|
|
||||||
|
} catch (AbsentClientException $ex1) {
|
||||||
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
protected function _getByPage()
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
//check for optional filters param on querystring
|
||||||
|
$fields = $this->getProjection(Input::get('fields', null));
|
||||||
|
$filters = $this->getFilters(Input::except('fields', 'limit', 'offset'));
|
||||||
|
$page_nbr = intval(Input::get('offset', 1));
|
||||||
|
$page_size = intval(Input::get('limit', 10));
|
||||||
|
|
||||||
|
$list = $this->repository->getAll($page_nbr, $page_size, $filters, $fields);
|
||||||
|
$items = array();
|
||||||
|
foreach ($list->getItems() as $private_key) {
|
||||||
|
$data = $private_key->toArray();
|
||||||
|
$data['sha_256'] = $private_key->getSHA_256_Thumbprint();
|
||||||
|
array_push($items, $data);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $this->ok(array(
|
||||||
|
'page' => $items,
|
||||||
|
'total_items' => $list->getTotal()
|
||||||
|
));
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -1,21 +1,32 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
use oauth2\exceptions\AllowedClientUriAlreadyExistsException;
|
|
||||||
use oauth2\exceptions\AbsentClientException;
|
use oauth2\exceptions\AbsentClientException;
|
||||||
|
use oauth2\exceptions\AllowedClientUriAlreadyExistsException;
|
||||||
use oauth2\services\IApiScopeService;
|
use oauth2\services\IApiScopeService;
|
||||||
use oauth2\services\IClientService;
|
use oauth2\services\IClientService;
|
||||||
use oauth2\services\ITokenService;
|
use oauth2\services\ITokenService;
|
||||||
use utils\services\ILogService;
|
use utils\services\ILogService;
|
||||||
|
use utils\exceptions\EntityNotFoundException;
|
||||||
|
use oauth2\exceptions\InvalidApiScope;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class ClientApiController
|
* Class ClientApiController
|
||||||
* Client REST API
|
* Client REST API
|
||||||
*/
|
*/
|
||||||
class ClientApiController extends AbstractRESTController implements ICRUDController
|
final class ClientApiController extends AbstractRESTController implements ICRUDController
|
||||||
{
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IClientService
|
||||||
|
*/
|
||||||
private $client_service;
|
private $client_service;
|
||||||
|
/**
|
||||||
|
* @var IApiScopeService
|
||||||
|
*/
|
||||||
private $scope_service;
|
private $scope_service;
|
||||||
|
/**
|
||||||
|
* @var ITokenService
|
||||||
|
*/
|
||||||
private $token_service;
|
private $token_service;
|
||||||
|
|
||||||
|
|
||||||
@ -25,31 +36,56 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
* @param IClientService $client_service
|
* @param IClientService $client_service
|
||||||
* @param ILogService $log_service
|
* @param ILogService $log_service
|
||||||
*/
|
*/
|
||||||
public function __construct(IApiScopeService $scope_service, ITokenService $token_service, IClientService $client_service, ILogService $log_service)
|
public function __construct
|
||||||
{
|
(
|
||||||
|
IApiScopeService $scope_service,
|
||||||
|
ITokenService $token_service,
|
||||||
|
IClientService $client_service,
|
||||||
|
ILogService $log_service
|
||||||
|
) {
|
||||||
parent::__construct($log_service);
|
parent::__construct($log_service);
|
||||||
|
|
||||||
$this->client_service = $client_service;
|
$this->client_service = $client_service;
|
||||||
$this->scope_service = $scope_service;
|
$this->scope_service = $scope_service;
|
||||||
$this->token_service = $token_service;
|
$this->token_service = $token_service;
|
||||||
|
|
||||||
//set filters allowed values
|
//set filters allowed values
|
||||||
$this->allowed_filter_fields = array('user_id');
|
$this->allowed_filter_fields = array('user_id');
|
||||||
$this->allowed_projection_fields = array('*');
|
$this->allowed_projection_fields = array('*');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function get($id)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$client = $this->client_service->get($id);
|
||||||
|
if (is_null($client))
|
||||||
|
{
|
||||||
|
return $this->error404(array('error' => 'client not found'));
|
||||||
|
}
|
||||||
|
$data = $client->toArray();
|
||||||
|
|
||||||
|
return $this->ok($data);
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Deletes an existing client
|
* Deletes an existing client
|
||||||
* @param $id client id
|
* @param $id
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function delete($id)
|
public function delete($id)
|
||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
$res = $this->client_service->deleteClientByIdentifier($id);
|
$res = $this->client_service->deleteClientByIdentifier($id);
|
||||||
|
|
||||||
return $res ? $this->deleted() : $this->error404(array('error' => 'operation failed'));
|
return $res ? $this->deleted() : $this->error404(array('error' => 'operation failed'));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -65,11 +101,11 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
|
|
||||||
// Build the validation constraint set.
|
// Build the validation constraint set.
|
||||||
$rules = array(
|
$rules = array(
|
||||||
'user_id' => 'required|integer',
|
'user_id' => 'required|integer',
|
||||||
'app_name' => 'required|alpha_dash|max:255',
|
'app_name' => 'required|alpha_dash|max:255',
|
||||||
'app_description' => 'required|freetext',
|
'app_description' => 'required|freetext',
|
||||||
'website' => 'required|url',
|
'website' => 'url',
|
||||||
'application_type' => 'required|applicationtype',
|
'application_type' => 'required|applicationtype',
|
||||||
);
|
);
|
||||||
|
|
||||||
// Create a new validator instance.
|
// Create a new validator instance.
|
||||||
@ -77,41 +113,26 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
|
|
||||||
if ($validation->fails()) {
|
if ($validation->fails()) {
|
||||||
$messages = $validation->messages()->toArray();
|
$messages = $validation->messages()->toArray();
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->client_service->existClientAppName($values['app_name'])) {
|
if ($this->client_service->existClientAppName($values['app_name'])) {
|
||||||
return $this->error400(array('error' => 'application Name already exists!.'));
|
return $this->error400(array('error' => 'application Name already exists!.'));
|
||||||
}
|
}
|
||||||
|
|
||||||
$new_client = $this->client_service->addClient($values['application_type'], intval($values['user_id']), trim($values['app_name']), trim($values['app_description']), trim($values['website']));
|
$new_client = $this->client_service->addClient($values['application_type'], intval($values['user_id']),
|
||||||
|
trim($values['app_name']), trim($values['app_description']), trim($values['website']));
|
||||||
|
|
||||||
return $this->created(array('client_id' => $new_client->id));
|
return $this->created(array('client_id' => $new_client->id));
|
||||||
|
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* @param $id
|
|
||||||
* @return mixed
|
|
||||||
*/
|
|
||||||
public function get($id)
|
|
||||||
{
|
|
||||||
try {
|
|
||||||
$client = $this->client_service->get($id);
|
|
||||||
if (is_null($client)) {
|
|
||||||
return $this->error404(array('error' => 'client not found'));
|
|
||||||
}
|
|
||||||
$data = $client->toArray();
|
|
||||||
return $this->ok($data);
|
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return mixed
|
* @return mixed
|
||||||
@ -120,24 +141,26 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
//check for optional filters param on querystring
|
//check for optional filters param on querystring
|
||||||
$fields = $this->getProjection(Input::get('fields',null));
|
$fields = $this->getProjection(Input::get('fields', null));
|
||||||
$filters = $this->getFilters(Input::except('fields','limit','offset'));
|
$filters = $this->getFilters(Input::except('fields', 'limit', 'offset'));
|
||||||
$page_nbr = intval(Input::get('offset',1));
|
$page_nbr = intval(Input::get('offset', 1));
|
||||||
$page_size = intval(Input::get('limit',10));
|
$page_size = intval(Input::get('limit', 10));
|
||||||
|
|
||||||
$list = $this->client_service->getAll($page_nbr, $page_size,$filters,$fields);
|
$list = $this->client_service->getAll($page_nbr, $page_size, $filters, $fields);
|
||||||
$items = array();
|
$items = array();
|
||||||
foreach ($list->getItems() as $client) {
|
foreach ($list->getItems() as $client) {
|
||||||
$data = $client->toArray();
|
$data = $client->toArray();
|
||||||
$data['application_type'] = $client->getFriendlyApplicationType();
|
$data['application_type'] = $client->getFriendlyApplicationType();
|
||||||
array_push($items, $data);
|
array_push($items, $data);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->ok(array(
|
return $this->ok(array(
|
||||||
'page' => $items,
|
'page' => $items,
|
||||||
'total_items' => $list->getTotal()
|
'total_items' => $list->getTotal()
|
||||||
));
|
));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -152,14 +175,38 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
$values = Input::all();
|
$values = Input::all();
|
||||||
|
|
||||||
$rules = array(
|
$rules = array(
|
||||||
'id' => 'required|integer',
|
'id' => 'required|integer',
|
||||||
'app_name' => 'sometimes|required|alpha_dash|max:255',
|
'application_type' =>'required|application_type',
|
||||||
'app_description' => 'sometimes|required|freetext',
|
'app_name' => 'sometimes|required|alpha_dash|max:255',
|
||||||
'website' => 'sometimes|required|url',
|
'app_description' => 'sometimes|required|freetext',
|
||||||
'active' => 'sometimes|required|boolean',
|
'website' => 'url',
|
||||||
'locked' => 'sometimes|required|boolean',
|
'active' => 'sometimes|required|boolean',
|
||||||
'use_refresh_token' => 'sometimes|required|boolean',
|
'locked' => 'sometimes|required|boolean',
|
||||||
|
'use_refresh_token' => 'sometimes|required|boolean',
|
||||||
'rotate_refresh_token' => 'sometimes|required|boolean',
|
'rotate_refresh_token' => 'sometimes|required|boolean',
|
||||||
|
'contacts' => 'email_set',
|
||||||
|
'logo_uri' => 'url',
|
||||||
|
'tos_uri' => 'url',
|
||||||
|
'redirect_uris' => 'custom_url_set:application_type',
|
||||||
|
'post_logout_redirect_uris' => 'ssl_url_set',
|
||||||
|
'allowed_origins' => 'ssl_url_set',
|
||||||
|
'logout_uri' => 'url',
|
||||||
|
'logout_session_required' => 'sometimes|required|boolean',
|
||||||
|
'logout_use_iframe' => 'sometimes|required|boolean',
|
||||||
|
'policy_uri' => 'url',
|
||||||
|
'jwks_uri' => 'url',
|
||||||
|
'default_max_age' => 'sometimes|required|integer',
|
||||||
|
'logout_use_iframe' => 'sometimes|required|boolean',
|
||||||
|
'require_auth_time' => 'sometimes|required|boolean',
|
||||||
|
'token_endpoint_auth_method' => 'sometimes|required|token_endpoint_auth_method',
|
||||||
|
'token_endpoint_auth_signing_alg' => 'sometimes|required|signing_alg',
|
||||||
|
'subject_type' => 'sometimes|required|subject_type',
|
||||||
|
'userinfo_signed_response_alg' => 'sometimes|required|signing_alg',
|
||||||
|
'userinfo_encrypted_response_alg' => 'sometimes|required|encrypted_alg',
|
||||||
|
'userinfo_encrypted_response_enc' => 'sometimes|required|encrypted_enc',
|
||||||
|
'id_token_signed_response_alg' => 'sometimes|required|signing_alg',
|
||||||
|
'id_token_encrypted_response_alg' => 'sometimes|required|encrypted_alg',
|
||||||
|
'id_token_encrypted_response_enc' => 'sometimes|required|encrypted_enc',
|
||||||
);
|
);
|
||||||
|
|
||||||
// Creates a Validator instance and validates the data.
|
// Creates a Validator instance and validates the data.
|
||||||
@ -167,115 +214,70 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
|
|
||||||
if ($validation->fails()) {
|
if ($validation->fails()) {
|
||||||
$messages = $validation->messages()->toArray();
|
$messages = $validation->messages()->toArray();
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
}
|
}
|
||||||
|
|
||||||
$res = $this->client_service->update(intval($values['id']), $values);
|
$res = $this->client_service->update(intval($values['id']), $values);
|
||||||
|
|
||||||
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
|
return $res ? $this->ok() : $this->error400(array('error' => 'operation failed'));
|
||||||
|
|
||||||
} catch (AbsentClientException $ex1) {
|
}
|
||||||
|
catch (AbsentClientException $ex1)
|
||||||
|
{
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
}
|
||||||
}
|
catch(ValidationException $ex2)
|
||||||
|
{
|
||||||
/**
|
|
||||||
* @param $id
|
|
||||||
* @return mixed
|
|
||||||
*/
|
|
||||||
public function getRegisteredUris($id)
|
|
||||||
{
|
|
||||||
try {
|
|
||||||
$client = $this->client_service->getClientByIdentifier($id);
|
|
||||||
$allowed_uris = $client->authorized_uris()->get(array('id', 'uri'));
|
|
||||||
|
|
||||||
$data = array();
|
|
||||||
foreach ($allowed_uris as $uri) {
|
|
||||||
array_push($data, $uri->toArray());
|
|
||||||
}
|
|
||||||
|
|
||||||
return $this->ok(array('allowed_uris' => $data));
|
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param $id
|
|
||||||
* @return mixed
|
|
||||||
*/
|
|
||||||
public function addAllowedRedirectUri($id)
|
|
||||||
{
|
|
||||||
try {
|
|
||||||
$values = Input::All();
|
|
||||||
// Build the validation constraint set.
|
|
||||||
$rules = array(
|
|
||||||
'redirect_uri' => 'sslurl|required',
|
|
||||||
);
|
|
||||||
// Creates a Validator instance and validates the data.
|
|
||||||
$validation = Validator::make($values, $rules);
|
|
||||||
if ($validation->fails()) {
|
|
||||||
$messages = $validation->messages()->toArray();
|
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
}
|
|
||||||
$res = $this->client_service->addClientAllowedUri($id, $values['redirect_uri']);
|
|
||||||
return $res ? $this->ok(): $this->error404(array('error' => 'operation failed'));
|
|
||||||
} catch (AllowedClientUriAlreadyExistsException $ex1) {
|
|
||||||
$this->log_service->error($ex1);
|
|
||||||
return $this->error400(array('error' => $ex1->getMessage()));
|
|
||||||
} catch (AbsentClientException $ex2) {
|
|
||||||
$this->log_service->error($ex2);
|
$this->log_service->error($ex2);
|
||||||
return $this->error404(array('error' => $ex2->getMessage()));
|
return $this->error412(array($ex2->getMessage()));
|
||||||
} catch (Exception $ex) {
|
}
|
||||||
|
catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* @param $id
|
public function addAllowedScope($id, $scope_id)
|
||||||
* @param $uri_id
|
|
||||||
* @return mixed
|
|
||||||
*/
|
|
||||||
public function deleteClientAllowedUri($id, $uri_id)
|
|
||||||
{
|
{
|
||||||
try {
|
try
|
||||||
$res = $this->client_service->deleteClientAllowedUri($id, $uri_id);
|
{
|
||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public function addAllowedScope($id,$scope_id){
|
|
||||||
try {
|
|
||||||
$this->client_service->addClientScope($id, $scope_id);
|
$this->client_service->addClientScope($id, $scope_id);
|
||||||
return $this->ok();
|
return $this->ok();
|
||||||
} catch (AbsentClientException $ex1) {
|
}
|
||||||
|
catch (EntityNotFoundException $ex1)
|
||||||
|
{
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
} catch (Exception $ex) {
|
}
|
||||||
|
catch (InvalidApiScope $ex2)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex2);
|
||||||
|
return $this->error412(array('messages' => $ex2->getMessage()));
|
||||||
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function removeAllowedScope($id,$scope_id){
|
public function removeAllowedScope($id, $scope_id)
|
||||||
try {
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
$res = $this->client_service->deleteClientScope($id, $scope_id);
|
$res = $this->client_service->deleteClientScope($id, $scope_id);
|
||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
||||||
} catch (AbsentClientException $ex1) {
|
} catch (AbsentClientException $ex1) {
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -285,39 +287,56 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
$res = $this->client_service->activateClient($id, true);
|
$res = $this->client_service->activateClient($id, true);
|
||||||
|
|
||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
||||||
} catch (AbsentClientException $ex1) {
|
} catch (AbsentClientException $ex1) {
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function deactivate($id)
|
public function deactivate($id)
|
||||||
{
|
|
||||||
try {
|
|
||||||
$res = $this->client_service->activateClient($id, false);
|
|
||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
|
||||||
} catch (AbsentClientException $ex1) {
|
|
||||||
$this->log_service->error($ex1);
|
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
public function regenerateClientSecret($id)
|
|
||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
$res = $this->client_service->regenerateClientSecret($id);
|
$res = $this->client_service->activateClient($id, false);
|
||||||
return !empty($res) ?
|
|
||||||
$this->ok(array('new_secret' => $res)): $this->error404(array('error' => 'operation failed'));
|
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
||||||
|
} catch (AbsentClientException $ex1) {
|
||||||
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public function regenerateClientSecret($id)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
$client = $this->client_service->regenerateClientSecret($id);
|
||||||
|
|
||||||
|
return !is_null($client) ?
|
||||||
|
$this->ok
|
||||||
|
(
|
||||||
|
array
|
||||||
|
(
|
||||||
|
'new_secret' => $client->getClientSecret(),
|
||||||
|
'new_expiration_date' => $client->getClientSecretExpiration(),
|
||||||
|
)
|
||||||
|
) : $this->error404(array('error' => 'operation failed'));
|
||||||
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex);
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -336,7 +355,8 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
$validation = Validator::make($values, $rules);
|
$validation = Validator::make($values, $rules);
|
||||||
if ($validation->fails()) {
|
if ($validation->fails()) {
|
||||||
$messages = $validation->messages()->toArray();
|
$messages = $validation->messages()->toArray();
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
}
|
}
|
||||||
|
|
||||||
$res = $this->client_service->setRefreshTokenUsage($id, $values['use_refresh_token']);
|
$res = $this->client_service->setRefreshTokenUsage($id, $values['use_refresh_token']);
|
||||||
@ -345,9 +365,11 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
|
|
||||||
} catch (AbsentClientException $ex1) {
|
} catch (AbsentClientException $ex1) {
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -365,16 +387,20 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
$validation = Validator::make($values, $rules);
|
$validation = Validator::make($values, $rules);
|
||||||
if ($validation->fails()) {
|
if ($validation->fails()) {
|
||||||
$messages = $validation->messages()->toArray();
|
$messages = $validation->messages()->toArray();
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
}
|
}
|
||||||
|
|
||||||
$res = $this->client_service->setRotateRefreshTokenPolicy($id, $values['rotate_refresh_token']);
|
$res = $this->client_service->setRotateRefreshTokenPolicy($id, $values['rotate_refresh_token']);
|
||||||
|
|
||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
||||||
} catch (AbsentClientException $ex1) {
|
} catch (AbsentClientException $ex1) {
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -385,26 +411,28 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
$res = false;
|
$res = false;
|
||||||
$client = $this->client_service->getClientByIdentifier($id);
|
$client = $this->client_service->getClientByIdentifier($id);
|
||||||
switch ($hint) {
|
switch ($hint) {
|
||||||
case 'access-token':
|
case 'access-token': {
|
||||||
{
|
$token = $this->token_service->getAccessToken($value, true);
|
||||||
$token = $this->token_service->getAccessToken($value,true);
|
|
||||||
if (is_null($token)) {
|
if (is_null($token)) {
|
||||||
return $this->error404(array('error' => sprintf('access token %s does not exists!', $value)));
|
return $this->error404(array('error' => sprintf('access token %s does not exists!', $value)));
|
||||||
}
|
}
|
||||||
if ($token->getClientId() !== $client->client_id) {
|
if ($token->getClientId() !== $client->client_id) {
|
||||||
return $this->error404(array('error' => sprintf('access token %s does not belongs to client id !', $value, $id)));
|
return $this->error404(array(
|
||||||
|
'error' => sprintf('access token %s does not belongs to client id !', $value, $id)
|
||||||
|
));
|
||||||
}
|
}
|
||||||
$res = $this->token_service->revokeAccessToken($value, true);
|
$res = $this->token_service->revokeAccessToken($value, true);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 'refresh-token':
|
case 'refresh-token': {
|
||||||
{
|
$token = $this->token_service->getRefreshToken($value, true);
|
||||||
$token = $this->token_service->getRefreshToken($value,true);
|
|
||||||
if (is_null($token)) {
|
if (is_null($token)) {
|
||||||
return $this->error404(array('error' => sprintf('refresh token %s does not exists!', $value)));
|
return $this->error404(array('error' => sprintf('refresh token %s does not exists!', $value)));
|
||||||
}
|
}
|
||||||
if ($token->getClientId() !== $client->client_id) {
|
if ($token->getClientId() !== $client->client_id) {
|
||||||
return $this->error404(array('error' => sprintf('refresh token %s does not belongs to client id !', $value, $id)));
|
return $this->error404(array(
|
||||||
|
'error' => sprintf('refresh token %s does not belongs to client id !', $value, $id)
|
||||||
|
));
|
||||||
}
|
}
|
||||||
$res = $this->token_service->revokeRefreshToken($value, true);
|
$res = $this->token_service->revokeRefreshToken($value, true);
|
||||||
}
|
}
|
||||||
@ -416,6 +444,7 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -427,17 +456,18 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
$access_tokens = $this->token_service->getAccessTokenByClient($client->client_id);
|
$access_tokens = $this->token_service->getAccessTokenByClient($client->client_id);
|
||||||
$res = array();
|
$res = array();
|
||||||
foreach ($access_tokens as $token) {
|
foreach ($access_tokens as $token) {
|
||||||
$friendly_scopes = $this->scope_service->getFriendlyScopesByName(explode(' ', $token->scope));
|
|
||||||
array_push($res, array(
|
array_push($res, array(
|
||||||
'value' => $token->value,
|
'value' => $token->value,
|
||||||
'scope' => implode(',', $friendly_scopes),
|
'scope' => $token->scope,
|
||||||
'lifetime' => $token->getRemainingLifetime(),
|
'lifetime' => $token->getRemainingLifetime(),
|
||||||
'issued' => $token->created_at->format('Y-m-d H:i:s')
|
'issued' => $token->created_at->format('Y-m-d H:i:s')
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->ok(array('access_tokens' => $res));
|
return $this->ok(array('access_tokens' => $res));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -449,17 +479,18 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
$refresh_tokens = $this->token_service->getRefreshTokenByClient($client->client_id);
|
$refresh_tokens = $this->token_service->getRefreshTokenByClient($client->client_id);
|
||||||
$res = array();
|
$res = array();
|
||||||
foreach ($refresh_tokens as $token) {
|
foreach ($refresh_tokens as $token) {
|
||||||
$friendly_scopes = $this->scope_service->getFriendlyScopesByName(explode(' ', $token->scope));
|
|
||||||
array_push($res, array(
|
array_push($res, array(
|
||||||
'value' => $token->value,
|
'value' => $token->value,
|
||||||
'scope' => implode(',', $friendly_scopes),
|
'scope' => $token->scope,
|
||||||
'lifetime' => $token->getRemainingLifetime(),
|
'lifetime' => $token->getRemainingLifetime(),
|
||||||
'issued' => $token->created_at->format('Y-m-d H:i:s')
|
'issued' => $token->created_at->format('Y-m-d H:i:s')
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->ok(array('refresh_tokens' => $res));
|
return $this->ok(array('refresh_tokens' => $res));
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -468,87 +499,19 @@ class ClientApiController extends AbstractRESTController implements ICRUDControl
|
|||||||
* @param $id
|
* @param $id
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function unlock($id){
|
public function unlock($id)
|
||||||
|
{
|
||||||
try {
|
try {
|
||||||
$res = $this->client_service->unlockClient($id);
|
$res = $this->client_service->unlockClient($id);
|
||||||
|
|
||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
||||||
}
|
} catch (AbsentClientException $ex1) {
|
||||||
catch (AbsentClientException $ex1) {
|
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
|
|
||||||
return $this->error404(array('error' => $ex1->getMessage()));
|
return $this->error404(array('error' => $ex1->getMessage()));
|
||||||
}
|
|
||||||
catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param $id
|
|
||||||
* @return mixed
|
|
||||||
*/
|
|
||||||
public function geAllowedOrigins($id)
|
|
||||||
{
|
|
||||||
try {
|
|
||||||
$client = $this->client_service->getClientByIdentifier($id);
|
|
||||||
$allowed_origins = $client->allowed_origins()->get(array('id', 'allowed_origin'));
|
|
||||||
$data = array();
|
|
||||||
foreach ($allowed_origins as $origin) {
|
|
||||||
array_push($data, $origin->toArray());
|
|
||||||
}
|
|
||||||
return $this->ok(array('allowed_origins' => $data));
|
|
||||||
} catch (Exception $ex) {
|
} catch (Exception $ex) {
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param $id
|
|
||||||
* @return mixed
|
|
||||||
*/
|
|
||||||
public function addAllowedOrigin($id)
|
|
||||||
{
|
|
||||||
try {
|
|
||||||
$values = Input::All();
|
|
||||||
// Build the validation constraint set.
|
|
||||||
$rules = array(
|
|
||||||
'origin' => 'sslorigin|required',
|
|
||||||
);
|
|
||||||
// Creates a Validator instance and validates the data.
|
|
||||||
$validation = Validator::make($values, $rules);
|
|
||||||
if ($validation->fails()) {
|
|
||||||
$messages = $validation->messages()->toArray();
|
|
||||||
return $this->error400(array('error'=>'validation','messages' => $messages));
|
|
||||||
}
|
|
||||||
$res = $this->client_service->addClientAllowedOrigin($id, $values['origin']);
|
|
||||||
return $res ? $this->ok(): $this->error404(array('error' => 'operation failed'));
|
|
||||||
} catch (AllowedClientUriAlreadyExistsException $ex1) {
|
|
||||||
$this->log_service->error($ex1);
|
|
||||||
return $this->error400(array('error' => $ex1->getMessage()));
|
|
||||||
} catch (AbsentClientException $ex2) {
|
|
||||||
$this->log_service->error($ex2);
|
|
||||||
return $this->error404(array('error' => $ex2->getMessage()));
|
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param $id
|
|
||||||
* @param $origin_id
|
|
||||||
* @return mixed
|
|
||||||
*/
|
|
||||||
public function deleteClientAllowedOrigin($id, $origin_id)
|
|
||||||
{
|
|
||||||
try {
|
|
||||||
$res = $this->client_service->deleteClientAllowedOrigin($id, $origin_id);
|
|
||||||
return $res ? $this->ok() : $this->error404(array('error' => 'operation failed'));
|
|
||||||
} catch (Exception $ex) {
|
|
||||||
$this->log_service->error($ex);
|
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
154
app/controllers/apis/ClientPublicKeyApiController.php
Normal file
154
app/controllers/apis/ClientPublicKeyApiController.php
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
use oauth2\services\IClienPublicKeyService;
|
||||||
|
use utils\services\ILogService;
|
||||||
|
use oauth2\repositories\IClientPublicKeyRepository;
|
||||||
|
/**
|
||||||
|
* Class ClientPublicKeyApiController
|
||||||
|
*/
|
||||||
|
final class ClientPublicKeyApiController extends AssymetricKeyApiController
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param IClientPublicKeyRepository $repository
|
||||||
|
* @param IClienPublicKeyService $service
|
||||||
|
* @param ILogService $log_service
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IClientPublicKeyRepository $repository,
|
||||||
|
IClienPublicKeyService $service,
|
||||||
|
ILogService $log_service
|
||||||
|
)
|
||||||
|
{
|
||||||
|
parent::__construct($repository, $service, $log_service);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function get($id)
|
||||||
|
{
|
||||||
|
return $this->error404();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $client_id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function create($client_id)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
|
||||||
|
$values = Input::All();
|
||||||
|
$values['client_id'] = $client_id;
|
||||||
|
// Build the validation constraint set.
|
||||||
|
$rules = array(
|
||||||
|
'client_id' => 'required|integer',
|
||||||
|
'kid' => 'required|text|max:255',
|
||||||
|
'active' => 'required|boolean',
|
||||||
|
'valid_from' => 'date_format:m/d/Y',
|
||||||
|
'valid_to' => 'date_format:m/d/Y|after:valid_from',
|
||||||
|
'pem_content' => 'required|public_key_pem|public_key_pem_length',
|
||||||
|
'usage' => 'required|public_key_usage',
|
||||||
|
'type' => 'required|public_key_type',
|
||||||
|
'alg' => 'required|key_alg:usage',
|
||||||
|
);
|
||||||
|
|
||||||
|
// Create a new validator instance.
|
||||||
|
$validation = Validator::make($values, $rules);
|
||||||
|
|
||||||
|
if ($validation->fails())
|
||||||
|
{
|
||||||
|
$messages = $validation->messages()->toArray();
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
|
}
|
||||||
|
|
||||||
|
$public_key = $this->service->register($values);
|
||||||
|
|
||||||
|
return $this->created(array('id' => $public_key->getId()));
|
||||||
|
|
||||||
|
}
|
||||||
|
catch(ValidationException $ex1)
|
||||||
|
{
|
||||||
|
return $this->error400(array('error' => $ex1->getMessage()));
|
||||||
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function getByPage($client_id)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
//check for optional filters param on querystring
|
||||||
|
$fields = $this->getProjection(Input::get('fields', null));
|
||||||
|
$filters = $this->getFilters(Input::except('fields', 'limit', 'offset'));
|
||||||
|
$page_nbr = intval(Input::get('offset', 1));
|
||||||
|
$page_size = intval(Input::get('limit', 10));
|
||||||
|
array_push($filters, array
|
||||||
|
(
|
||||||
|
'name' => 'oauth2_client_id',
|
||||||
|
'op' => '=',
|
||||||
|
'value' => $client_id
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$list = $this->repository->getAll($page_nbr, $page_size, $filters, $fields);
|
||||||
|
$items = array();
|
||||||
|
foreach ($list->getItems() as $private_key) {
|
||||||
|
$data = $private_key->toArray();
|
||||||
|
$data['sha_256'] = $private_key->getSHA_256_Thumbprint();
|
||||||
|
array_push($items, $data);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $this->ok(array(
|
||||||
|
'page' => $items,
|
||||||
|
'total_items' => $list->getTotal()
|
||||||
|
));
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $client_id
|
||||||
|
* @param int $public_key_id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function update($client_id, $public_key_id)
|
||||||
|
{
|
||||||
|
return $this->_update($public_key_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $client_id
|
||||||
|
* @param int $public_key_id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function delete($client_id, $public_key_id){
|
||||||
|
return $this->_delete($public_key_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -1,12 +1,35 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Interface ICRUDController
|
||||||
|
*/
|
||||||
interface ICRUDController {
|
interface ICRUDController {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
public function get($id);
|
public function get($id);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
public function create();
|
public function create();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
public function getByPage();
|
public function getByPage();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
public function delete($id);
|
public function delete($id);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
public function update();
|
public function update();
|
||||||
|
|
||||||
}
|
}
|
@ -16,7 +16,7 @@ abstract class JsonController extends BaseController {
|
|||||||
|
|
||||||
protected function error500(Exception $ex){
|
protected function error500(Exception $ex){
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
return Response::json(array('message' => 'server error'), 500);
|
return Response::json(array( 'error' => 'server error'), 500);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function created($data='ok'){
|
protected function created($data='ok'){
|
||||||
@ -27,6 +27,15 @@ abstract class JsonController extends BaseController {
|
|||||||
return $res;
|
return $res;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function updated()
|
||||||
|
{
|
||||||
|
$res = Response::json($data, 204);
|
||||||
|
//jsonp
|
||||||
|
if(Input::has('callback'))
|
||||||
|
$res->setCallback(Input::get('callback'));
|
||||||
|
return $res;
|
||||||
|
}
|
||||||
|
|
||||||
protected function deleted($data='ok'){
|
protected function deleted($data='ok'){
|
||||||
$res = Response::json($data, 204);
|
$res = Response::json($data, 204);
|
||||||
//jsonp
|
//jsonp
|
||||||
@ -35,7 +44,7 @@ abstract class JsonController extends BaseController {
|
|||||||
return $res;
|
return $res;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function ok($data='ok'){
|
protected function ok($data = 'ok'){
|
||||||
$res = Response::json($data, 200);
|
$res = Response::json($data, 200);
|
||||||
//jsonp
|
//jsonp
|
||||||
if(Input::has('callback'))
|
if(Input::has('callback'))
|
||||||
@ -67,6 +76,6 @@ abstract class JsonController extends BaseController {
|
|||||||
*/
|
*/
|
||||||
protected function error412($messages){
|
protected function error412($messages){
|
||||||
|
|
||||||
return Response::json(array('message' => 'Validation Failed', 'errors' => $messages), 412);
|
return Response::json(array('error'=>'validation' , 'messages' => $messages), 412);
|
||||||
}
|
}
|
||||||
}
|
}
|
110
app/controllers/apis/ServerPrivateKeyApiController.php
Normal file
110
app/controllers/apis/ServerPrivateKeyApiController.php
Normal file
@ -0,0 +1,110 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
use oauth2\services\IServerPrivateKeyService;
|
||||||
|
use oauth2\repositories\IServerPrivateKeyRepository;
|
||||||
|
use utils\services\ILogService;
|
||||||
|
/**
|
||||||
|
* Class ServerPrivateKeyApiController
|
||||||
|
*/
|
||||||
|
final class ServerPrivateKeyApiController extends AssymetricKeyApiController
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param IServerPrivateKeyRepository $repository
|
||||||
|
* @param IServerPrivateKeyService $service
|
||||||
|
* @param ILogService $log_service
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IServerPrivateKeyRepository $repository,
|
||||||
|
IServerPrivateKeyService $service,
|
||||||
|
ILogService $log_service
|
||||||
|
)
|
||||||
|
{
|
||||||
|
parent::__construct($repository, $service, $log_service);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function create()
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
|
||||||
|
$values = Input::All();
|
||||||
|
// Build the validation constraint set.
|
||||||
|
$rules = array(
|
||||||
|
'kid' => 'required|text|min:5|max:255',
|
||||||
|
'active' => 'required|boolean',
|
||||||
|
'valid_from' => 'date_format:m/d/Y',
|
||||||
|
'valid_to' => 'date_format:m/d/Y|after:valid_from',
|
||||||
|
'pem_content' => 'sometimes|required|private_key_pem:password|private_key_pem_length:password',
|
||||||
|
'usage' => 'required|public_key_usage',
|
||||||
|
'type' => 'required|public_key_type',
|
||||||
|
'alg' => 'required|key_alg:usage',
|
||||||
|
'password' => 'min:5|max:255|private_key_password:pem_content',
|
||||||
|
);
|
||||||
|
|
||||||
|
// Create a new validator instance.
|
||||||
|
$validation = Validator::make($values, $rules);
|
||||||
|
|
||||||
|
if ($validation->fails())
|
||||||
|
{
|
||||||
|
$messages = $validation->messages()->toArray();
|
||||||
|
return $this->error400(array('error' => 'validation', 'messages' => $messages));
|
||||||
|
}
|
||||||
|
|
||||||
|
$private_key = $this->service->register($values);
|
||||||
|
|
||||||
|
return $this->created(array('id' => $private_key->getId()));
|
||||||
|
|
||||||
|
}
|
||||||
|
catch(ValidationException $ex1)
|
||||||
|
{
|
||||||
|
return $this->error400(array('error' => $ex1->getMessage()));
|
||||||
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public function getByPage()
|
||||||
|
{
|
||||||
|
return $this->_getByPage();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function update($id)
|
||||||
|
{
|
||||||
|
return $this->_update($id);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $id
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function delete($id)
|
||||||
|
{
|
||||||
|
return $this->_delete($id);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -7,13 +7,24 @@ use utils\services\ILogService;
|
|||||||
* Class OAuth2ProtectedController
|
* Class OAuth2ProtectedController
|
||||||
* OAuth2 Protected Base API
|
* OAuth2 Protected Base API
|
||||||
*/
|
*/
|
||||||
abstract class OAuth2ProtectedController extends JsonController {
|
abstract class OAuth2ProtectedController extends JsonController
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IResourceServerContext
|
||||||
|
*/
|
||||||
protected $resource_server_context;
|
protected $resource_server_context;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var
|
||||||
|
*/
|
||||||
protected $repository;
|
protected $repository;
|
||||||
|
|
||||||
public function __construct(IResourceServerContext $resource_server_context, ILogService $log_service)
|
public function __construct
|
||||||
|
(
|
||||||
|
IResourceServerContext $resource_server_context,
|
||||||
|
ILogService $log_service
|
||||||
|
)
|
||||||
{
|
{
|
||||||
parent::__construct($log_service);
|
parent::__construct($log_service);
|
||||||
$this->resource_server_context = $resource_server_context;
|
$this->resource_server_context = $resource_server_context;
|
||||||
|
@ -3,30 +3,111 @@
|
|||||||
use oauth2\IResourceServerContext;
|
use oauth2\IResourceServerContext;
|
||||||
use utils\services\ILogService;
|
use utils\services\ILogService;
|
||||||
use oauth2\resource_server\IUserService;
|
use oauth2\resource_server\IUserService;
|
||||||
|
use oauth2\services\IClientService;
|
||||||
|
use oauth2\heuristics\SigningKeyFinder;
|
||||||
|
use oauth2\heuristics\EncryptionKeyFinder;
|
||||||
|
use oauth2\builders\IdTokenBuilder;
|
||||||
|
use utils\http\HttpContentType;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class OAuth2UserApiController
|
* Class OAuth2UserApiController
|
||||||
* OAUTH2 Protected User REST API
|
* OAUTH2 Protected User REST API
|
||||||
*/
|
*/
|
||||||
class OAuth2UserApiController extends OAuth2ProtectedController {
|
class OAuth2UserApiController extends OAuth2ProtectedController
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @var IUserService
|
||||||
|
*/
|
||||||
|
private $user_service;
|
||||||
|
|
||||||
public function __construct (IUserService $user_service, IResourceServerContext $resource_server_context, ILogService $log_service){
|
/**
|
||||||
|
* @var IClientService
|
||||||
|
*/
|
||||||
|
private $client_service;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IdTokenBuilder
|
||||||
|
*/
|
||||||
|
private $id_token_builder;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param IUserService $user_service
|
||||||
|
* @param IResourceServerContext $resource_server_context
|
||||||
|
* @param ILogService $log_service
|
||||||
|
* @param IClientService $client_service
|
||||||
|
* @param IdTokenBuilder $id_token_builder
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IUserService $user_service,
|
||||||
|
IResourceServerContext $resource_server_context,
|
||||||
|
ILogService $log_service,
|
||||||
|
IClientService $client_service,
|
||||||
|
IdTokenBuilder $id_token_builder
|
||||||
|
)
|
||||||
|
{
|
||||||
parent::__construct($resource_server_context,$log_service);
|
parent::__construct($resource_server_context,$log_service);
|
||||||
$this->user_service = $user_service;
|
|
||||||
|
$this->user_service = $user_service;
|
||||||
|
$this->client_service = $client_service;
|
||||||
|
$this->id_token_builder = $id_token_builder;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets User Basic Info
|
* Gets User Basic Info
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function me(){
|
public function me()
|
||||||
try{
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
$data = $this->user_service->getCurrentUserInfo();
|
$data = $this->user_service->getCurrentUserInfo();
|
||||||
return $this->ok($data);
|
return $this->ok($data);
|
||||||
}
|
}
|
||||||
catch(Exception $ex){
|
catch(Exception $ex)
|
||||||
|
{
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
return $this->error500($ex);
|
return $this->error500($ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function userInfo()
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
$claims = $this->user_service->getCurrentUserInfoClaims();
|
||||||
|
$client_id = $this->resource_server_context->getCurrentClientId();
|
||||||
|
$client = $this->client_service->getClientById($client_id);
|
||||||
|
|
||||||
|
// The UserInfo Claims MUST be returned as the members of a JSON object unless a signed or encrypted response
|
||||||
|
// was requested during Client Registration.
|
||||||
|
$user_info_response_info = $client->getUserInfoResponseInfo();
|
||||||
|
|
||||||
|
$sig_alg = $user_info_response_info->getSigningAlgorithm();
|
||||||
|
$enc_alg = $user_info_response_info->getEncryptionKeyAlgorithm();
|
||||||
|
$enc = $user_info_response_info->getEncryptionContentAlgorithm();
|
||||||
|
|
||||||
|
if($sig_alg || ($enc_alg && $enc) )
|
||||||
|
{
|
||||||
|
$jwt = $this->id_token_builder->buildJWT($claims, $user_info_response_info, $client);
|
||||||
|
$http_response = Response::make($jwt->toCompactSerialization(), 200);
|
||||||
|
$http_response->header('Content-Type', HttpContentType::JWT);
|
||||||
|
$http_response->header('Cache-Control','no-cache, no-store, max-age=0, must-revalidate');
|
||||||
|
$http_response->header('Pragma','no-cache');
|
||||||
|
return $http_response;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
// return plain json
|
||||||
|
return $this->ok( $claims->toArray() );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch(Exception $ex)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex);
|
||||||
|
return $this->error500($ex);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
@ -1,56 +1,132 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
use oauth2\IOAuth2Protocol;
|
use oauth2\IOAuth2Protocol;
|
||||||
use oauth2\services\IMementoOAuth2AuthenticationRequestService;
|
|
||||||
use oauth2\requests\OAuth2TokenRequest;
|
use oauth2\requests\OAuth2TokenRequest;
|
||||||
use oauth2\strategies\OAuth2ResponseStrategyFactoryMethod;
|
use oauth2\strategies\OAuth2ResponseStrategyFactoryMethod;
|
||||||
use oauth2\OAuth2Message;
|
use oauth2\OAuth2Message;
|
||||||
use oauth2\requests\OAuth2TokenRevocationRequest;
|
use oauth2\requests\OAuth2TokenRevocationRequest;
|
||||||
use oauth2\requests\OAuth2AccessTokenValidationRequest;
|
use oauth2\requests\OAuth2AccessTokenValidationRequest;
|
||||||
|
use oauth2\responses\OAuth2Response;
|
||||||
|
use oauth2\factories\OAuth2AuthorizationRequestFactory;
|
||||||
|
use oauth2\services\IMementoOAuth2SerializerService;
|
||||||
|
use oauth2\exceptions\InvalidAuthorizationRequestException;
|
||||||
|
use utils\services\IAuthService;
|
||||||
|
use utils\http\HttpContentType;
|
||||||
|
use oauth2\requests\OAuth2LogoutRequest;
|
||||||
|
use oauth2\exceptions\UriNotAllowedException;
|
||||||
|
use \oauth2\services\IClientService;
|
||||||
/**
|
/**
|
||||||
* Class OAuth2ProviderController
|
* Class OAuth2ProviderController
|
||||||
*/
|
*/
|
||||||
class OAuth2ProviderController extends BaseController {
|
final class OAuth2ProviderController extends BaseController
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @var IOAuth2Protocol
|
||||||
|
*/
|
||||||
private $oauth2_protocol;
|
private $oauth2_protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IMementoOAuth2SerializerService
|
||||||
|
*/
|
||||||
private $memento_service;
|
private $memento_service;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param IOAuth2Protocol $oauth2_protocol
|
* @var IAuthService
|
||||||
* @param IMementoOAuth2AuthenticationRequestService $memento_service
|
|
||||||
*/
|
*/
|
||||||
public function __construct(IOAuth2Protocol $oauth2_protocol, IMementoOAuth2AuthenticationRequestService $memento_service){
|
private $auth_service;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IClientService
|
||||||
|
*/
|
||||||
|
private $client_service;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param IOAuth2Protocol $oauth2_protocol
|
||||||
|
* @param IMementoOAuth2SerializerService $memento_service
|
||||||
|
* @param IClientService $client_service
|
||||||
|
* @param IAuthService $auth_service
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IOAuth2Protocol $oauth2_protocol,
|
||||||
|
IMementoOAuth2SerializerService $memento_service,
|
||||||
|
IClientService $client_service,
|
||||||
|
IAuthService $auth_service
|
||||||
|
)
|
||||||
|
{
|
||||||
$this->oauth2_protocol = $oauth2_protocol;
|
$this->oauth2_protocol = $oauth2_protocol;
|
||||||
$this->memento_service = $memento_service;
|
$this->memento_service = $memento_service;
|
||||||
|
$this->auth_service = $auth_service;
|
||||||
|
$this->client_service = $client_service;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Authorize HTTP Endpoint
|
* Authorize HTTP Endpoint
|
||||||
|
* The authorization server MUST support the use of the HTTP "GET"
|
||||||
|
* method [RFC2616] for the authorization endpoint and MAY support the
|
||||||
|
* use of the "POST" method as well.
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function authorize(){
|
public function authorize()
|
||||||
$request = $this->memento_service->getCurrentAuthorizationRequest();
|
{
|
||||||
$response = $this->oauth2_protocol->authorize($request);
|
try
|
||||||
$reflector = new ReflectionClass($response);
|
{
|
||||||
if ($reflector->isSubclassOf('oauth2\\responses\\OAuth2Response')) {
|
$msg = new OAuth2Message(Input::all());
|
||||||
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($response);
|
|
||||||
return $strategy->handle($response);
|
if ($this->memento_service->exists()) {
|
||||||
|
$msg = OAuth2Message::buildFromMemento($this->memento_service->load());
|
||||||
|
}
|
||||||
|
|
||||||
|
$request = OAuth2AuthorizationRequestFactory::getInstance()->build($msg);
|
||||||
|
|
||||||
|
$response = $this->oauth2_protocol->authorize($request);
|
||||||
|
|
||||||
|
if ($response instanceof OAuth2Response) {
|
||||||
|
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($request, $response);
|
||||||
|
|
||||||
|
return $strategy->handle($response);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $response;
|
||||||
|
}
|
||||||
|
catch(UriNotAllowedException $ex1)
|
||||||
|
{
|
||||||
|
return Response::view
|
||||||
|
(
|
||||||
|
'400',
|
||||||
|
array
|
||||||
|
(
|
||||||
|
'error_code' => $ex1->getError(),
|
||||||
|
'error_description' => $ex1->getMessage()
|
||||||
|
),
|
||||||
|
400
|
||||||
|
);
|
||||||
}
|
}
|
||||||
return $response;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Token HTTP Endpoint
|
* Token HTTP Endpoint
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function token(){
|
public function token()
|
||||||
$response = $this->oauth2_protocol->token(new OAuth2TokenRequest(new OAuth2Message(Input::all())));
|
{
|
||||||
$reflector = new ReflectionClass($response);
|
|
||||||
if ($reflector->isSubclassOf('oauth2\\responses\\OAuth2Response')) {
|
$request = new OAuth2TokenRequest
|
||||||
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($response);
|
(
|
||||||
|
new OAuth2Message
|
||||||
|
(
|
||||||
|
Input::all()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
$response = $this->oauth2_protocol->token($request);
|
||||||
|
|
||||||
|
if ($response instanceof OAuth2Response)
|
||||||
|
{
|
||||||
|
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($request, $response);
|
||||||
return $strategy->handle($response);
|
return $strategy->handle($response);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $response;
|
return $response;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -58,13 +134,24 @@ class OAuth2ProviderController extends BaseController {
|
|||||||
* Revoke Token HTTP Endpoint
|
* Revoke Token HTTP Endpoint
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function revoke(){
|
public function revoke()
|
||||||
$response = $this->oauth2_protocol->revoke(new OAuth2TokenRevocationRequest(new OAuth2Message(Input::all())));
|
{
|
||||||
$reflector = new ReflectionClass($response);
|
$request = new OAuth2TokenRevocationRequest
|
||||||
if ($reflector->isSubclassOf('oauth2\\responses\\OAuth2Response')) {
|
(
|
||||||
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($response);
|
new OAuth2Message
|
||||||
|
(
|
||||||
|
Input::all()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
$response = $this->oauth2_protocol->revoke($request);
|
||||||
|
|
||||||
|
if ($response instanceof OAuth2Response)
|
||||||
|
{
|
||||||
|
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($request, $response);
|
||||||
return $strategy->handle($response);
|
return $strategy->handle($response);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $response;
|
return $response;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -73,13 +160,124 @@ class OAuth2ProviderController extends BaseController {
|
|||||||
* Introspection Token HTTP Endpoint
|
* Introspection Token HTTP Endpoint
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function introspection(){
|
public function introspection()
|
||||||
$response = $this->oauth2_protocol->introspection(new OAuth2AccessTokenValidationRequest(new OAuth2Message(Input::all())));
|
{
|
||||||
$reflector = new ReflectionClass($response);
|
$request = new OAuth2AccessTokenValidationRequest
|
||||||
if ($reflector->isSubclassOf('oauth2\\responses\\OAuth2Response')) {
|
(
|
||||||
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($response);
|
new OAuth2Message
|
||||||
|
(
|
||||||
|
Input::all()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
$response = $this->oauth2_protocol->introspection($request);
|
||||||
|
|
||||||
|
if ($response instanceof OAuth2Response)
|
||||||
|
{
|
||||||
|
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($request, $response);
|
||||||
return $strategy->handle($response);
|
return $strategy->handle($response);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $response;
|
return $response;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OP's JSON Web Key Set [JWK] document.
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function certs()
|
||||||
|
{
|
||||||
|
|
||||||
|
$doc = $this->oauth2_protocol->getJWKSDocument();
|
||||||
|
$response = Response::make($doc, 200);
|
||||||
|
$response->header('Content-Type', HttpContentType::Json);
|
||||||
|
|
||||||
|
return $response;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function discovery()
|
||||||
|
{
|
||||||
|
|
||||||
|
$doc = $this->oauth2_protocol->getDiscoveryDocument();
|
||||||
|
$response = Response::make($doc, 200);
|
||||||
|
$response->header('Content-Type', HttpContentType::Json);
|
||||||
|
|
||||||
|
return $response;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* http://openid.net/specs/openid-connect-session-1_0.html#OPiframe
|
||||||
|
*/
|
||||||
|
public function checkSessionIFrame()
|
||||||
|
{
|
||||||
|
$data = array();
|
||||||
|
return View::make("oauth2.session.check-session", $data);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* http://openid.net/specs/openid-connect-session-1_0.html#RPLogout
|
||||||
|
*/
|
||||||
|
public function endSession()
|
||||||
|
{
|
||||||
|
if(!$this->auth_service->isUserLogged())
|
||||||
|
return Response::view('404', array(), 404);
|
||||||
|
|
||||||
|
$request = new OAuth2LogoutRequest
|
||||||
|
(
|
||||||
|
new OAuth2Message
|
||||||
|
(
|
||||||
|
Input::all()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
if(!$request->isValid())
|
||||||
|
{
|
||||||
|
Log::error('invalid OAuth2LogoutRequest!');
|
||||||
|
return Response::view('404', array(), 404);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(Request::isMethod('get') )
|
||||||
|
{
|
||||||
|
$rps = $this->auth_service->getLoggedRPs();
|
||||||
|
$clients = array();
|
||||||
|
foreach($this->auth_service->getLoggedRPs() as $client_id)
|
||||||
|
{
|
||||||
|
$client = $this->client_service->getClientById($client_id);
|
||||||
|
if(!is_null($client)) array_push($clients, $client);
|
||||||
|
}
|
||||||
|
|
||||||
|
// At the logout endpoint, the OP SHOULD ask the End-User whether he wants to log out of the OP as well.
|
||||||
|
// If the End-User says "yes", then the OP MUST log out the End-User.
|
||||||
|
return View::make('oauth2.session.session-logout', array
|
||||||
|
(
|
||||||
|
'clients' => $clients,
|
||||||
|
'id_token_hint' => $request->getIdTokenHint(),
|
||||||
|
'post_logout_redirect_uri' => $request->getPostLogoutRedirectUri(),
|
||||||
|
'state' => $request->getState(),
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
|
$consent = Input::get('oidc_endsession_consent');
|
||||||
|
|
||||||
|
if($consent === '1')
|
||||||
|
{
|
||||||
|
$response = $this->oauth2_protocol->endSession($request);
|
||||||
|
|
||||||
|
if (!is_null($response) && $response instanceof OAuth2Response) {
|
||||||
|
$strategy = OAuth2ResponseStrategyFactoryMethod::buildStrategy($request, $response);
|
||||||
|
|
||||||
|
return $strategy->handle($response);
|
||||||
|
}
|
||||||
|
|
||||||
|
return View::make('oauth2.session.session-ended');
|
||||||
|
}
|
||||||
|
|
||||||
|
Log::error('invalid consent response!');
|
||||||
|
return Response::view('404', array(), 404);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function cancelLogout()
|
||||||
|
{
|
||||||
|
return Redirect::action('HomeController@index');
|
||||||
|
}
|
||||||
}
|
}
|
@ -3,34 +3,54 @@
|
|||||||
use openid\exceptions\InvalidOpenIdMessageException;
|
use openid\exceptions\InvalidOpenIdMessageException;
|
||||||
use openid\helpers\OpenIdErrorMessages;
|
use openid\helpers\OpenIdErrorMessages;
|
||||||
use openid\IOpenIdProtocol;
|
use openid\IOpenIdProtocol;
|
||||||
use openid\services\IMementoOpenIdRequestService;
|
use openid\services\IMementoOpenIdSerializerService;
|
||||||
use openid\strategies\OpenIdResponseStrategyFactoryMethod;
|
use openid\strategies\OpenIdResponseStrategyFactoryMethod;
|
||||||
|
use openid\OpenIdMessage;
|
||||||
|
use openid\responses\OpenIdResponse;
|
||||||
/**
|
/**
|
||||||
* Class OpenIdProviderController
|
* Class OpenIdProviderController
|
||||||
*/
|
*/
|
||||||
class OpenIdProviderController extends BaseController
|
class OpenIdProviderController extends BaseController
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* @var IOpenIdProtocol
|
||||||
|
*/
|
||||||
private $openid_protocol;
|
private $openid_protocol;
|
||||||
|
/**
|
||||||
|
* @var IMementoOpenIdSerializerService
|
||||||
|
*/
|
||||||
private $memento_service;
|
private $memento_service;
|
||||||
|
|
||||||
public function __construct(IOpenIdProtocol $openid_protocol, IMementoOpenIdRequestService $memento_service)
|
/**
|
||||||
|
* @param IOpenIdProtocol $openid_protocol
|
||||||
|
* @param IMementoOpenIdSerializerService $memento_service
|
||||||
|
*/
|
||||||
|
public function __construct(IOpenIdProtocol $openid_protocol, IMementoOpenIdSerializerService $memento_service)
|
||||||
{
|
{
|
||||||
$this->openid_protocol = $openid_protocol;
|
$this->openid_protocol = $openid_protocol;
|
||||||
$this->memento_service = $memento_service;
|
$this->memento_service = $memento_service;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return OpenIdResponse
|
||||||
|
* @throws Exception
|
||||||
|
* @throws InvalidOpenIdMessageException
|
||||||
|
*/
|
||||||
public function endpoint()
|
public function endpoint()
|
||||||
{
|
{
|
||||||
$input = Input::all();
|
$msg = new OpenIdMessage( Input::all() );
|
||||||
Log::debug(print_r($input, true));
|
|
||||||
$msg = $this->memento_service->getCurrentRequest();
|
if($this->memento_service->exists()){
|
||||||
if (is_null($msg) || !$msg->isValid())
|
$msg = OpenIdMessage::buildFromMemento( $this->memento_service->load());
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$msg->isValid())
|
||||||
throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdMessage);
|
throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdMessage);
|
||||||
|
|
||||||
//get response and manage it taking in consideration its type (direct or indirect)
|
//get response and manage it taking in consideration its type (direct or indirect)
|
||||||
$response = $this->openid_protocol->handleOpenIdMessage($msg);
|
$response = $this->openid_protocol->handleOpenIdMessage($msg);
|
||||||
$reflector = new ReflectionClass($response);
|
|
||||||
if ($reflector->isSubclassOf('openid\\responses\\OpenIdResponse')) {
|
if ($response instanceof OpenIdResponse) {
|
||||||
$strategy = OpenIdResponseStrategyFactoryMethod::buildStrategy($response);
|
$strategy = OpenIdResponseStrategyFactoryMethod::buildStrategy($response);
|
||||||
return $strategy->handle($response);
|
return $strategy->handle($response);
|
||||||
}
|
}
|
||||||
|
@ -2,24 +2,24 @@
|
|||||||
|
|
||||||
use oauth2\services\IApiScopeService;
|
use oauth2\services\IApiScopeService;
|
||||||
use oauth2\services\IClientService;
|
use oauth2\services\IClientService;
|
||||||
use oauth2\services\IMementoOAuth2AuthenticationRequestService;
|
|
||||||
use oauth2\services\ITokenService;
|
|
||||||
use oauth2\services\IResourceServerService;
|
use oauth2\services\IResourceServerService;
|
||||||
use openid\services\IMementoOpenIdRequestService;
|
use oauth2\services\ITokenService;
|
||||||
|
use openid\requests\OpenIdAuthenticationRequest;
|
||||||
|
use openid\services\IMementoOpenIdSerializerService;
|
||||||
|
use openid\services\IServerConfigurationService;
|
||||||
use openid\services\ITrustedSitesService;
|
use openid\services\ITrustedSitesService;
|
||||||
use openid\services\IUserService;
|
use openid\services\IUserService;
|
||||||
use openid\services\IServerConfigurationService;
|
|
||||||
use openid\requests\OpenIdAuthenticationRequest;
|
|
||||||
use openid\XRDS\XRDSDocumentBuilder;
|
|
||||||
use strategies\OpenIdLoginStrategy;
|
|
||||||
use strategies\OpenIdConsentStrategy;
|
|
||||||
use utils\IPHelper;
|
|
||||||
use services\IUserActionService;
|
use services\IUserActionService;
|
||||||
use strategies\DefaultLoginStrategy;
|
use strategies\DefaultLoginStrategy;
|
||||||
use strategies\OAuth2ConsentStrategy;
|
use strategies\OAuth2ConsentStrategy;
|
||||||
use strategies\OAuth2LoginStrategy;
|
use strategies\OAuth2LoginStrategy;
|
||||||
|
use strategies\OpenIdConsentStrategy;
|
||||||
|
use strategies\OpenIdLoginStrategy;
|
||||||
|
use utils\IPHelper;
|
||||||
use utils\services\IAuthService;
|
use utils\services\IAuthService;
|
||||||
use utils\services\IServerConfigurationService as IUtilsServerConfigurationService;
|
use utils\services\IServerConfigurationService as IUtilsServerConfigurationService;
|
||||||
|
use oauth2\services\IMementoOAuth2SerializerService;
|
||||||
|
use oauth2\services\ISecurityContextService;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class UserController
|
* Class UserController
|
||||||
@ -27,36 +27,97 @@ use utils\services\IServerConfigurationService as IUtilsServerConfigurationServi
|
|||||||
class UserController extends OpenIdController
|
class UserController extends OpenIdController
|
||||||
{
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IMementoOpenIdSerializerService
|
||||||
|
*/
|
||||||
private $openid_memento_service;
|
private $openid_memento_service;
|
||||||
|
/**
|
||||||
|
* @var IMementoOAuth2SerializerService
|
||||||
|
*/
|
||||||
private $oauth2_memento_service;
|
private $oauth2_memento_service;
|
||||||
|
/**
|
||||||
|
* @var IAuthService
|
||||||
|
*/
|
||||||
private $auth_service;
|
private $auth_service;
|
||||||
|
/**
|
||||||
|
* @var IServerConfigurationService
|
||||||
|
*/
|
||||||
private $server_configuration_service;
|
private $server_configuration_service;
|
||||||
|
/**
|
||||||
|
* @var DiscoveryController
|
||||||
|
*/
|
||||||
private $discovery;
|
private $discovery;
|
||||||
|
/**
|
||||||
|
* @var IUserService
|
||||||
|
*/
|
||||||
private $user_service;
|
private $user_service;
|
||||||
|
/**
|
||||||
|
* @var IUserActionService
|
||||||
|
*/
|
||||||
private $user_action_service;
|
private $user_action_service;
|
||||||
|
/**
|
||||||
|
* @var DefaultLoginStrategy
|
||||||
|
*/
|
||||||
private $login_strategy;
|
private $login_strategy;
|
||||||
|
/**
|
||||||
|
* @var null
|
||||||
|
*/
|
||||||
private $consent_strategy;
|
private $consent_strategy;
|
||||||
|
/**
|
||||||
|
* @var IClientService
|
||||||
|
*/
|
||||||
private $client_service;
|
private $client_service;
|
||||||
|
/**
|
||||||
|
* @var IApiScopeService
|
||||||
|
*/
|
||||||
private $scope_service;
|
private $scope_service;
|
||||||
|
/**
|
||||||
|
* @var ITokenService
|
||||||
|
*/
|
||||||
private $token_service;
|
private $token_service;
|
||||||
|
/**
|
||||||
|
* @var IResourceServerService
|
||||||
|
*/
|
||||||
private $resource_server_service;
|
private $resource_server_service;
|
||||||
private $utils_configuration_service;
|
/**
|
||||||
|
* @var IUtilsServerConfigurationService
|
||||||
|
*/
|
||||||
|
private $utils_configuration_service;
|
||||||
|
|
||||||
public function __construct(IMementoOpenIdRequestService $openid_memento_service,
|
/**
|
||||||
IMementoOAuth2AuthenticationRequestService $oauth2_memento_service,
|
* @param IMementoOpenIdSerializerService $openid_memento_service
|
||||||
IAuthService $auth_service,
|
* @param IMementoOAuth2SerializerService $oauth2_memento_service
|
||||||
IServerConfigurationService $server_configuration_service,
|
* @param IAuthService $auth_service
|
||||||
ITrustedSitesService $trusted_sites_service,
|
* @param IServerConfigurationService $server_configuration_service
|
||||||
DiscoveryController $discovery,
|
* @param ITrustedSitesService $trusted_sites_service
|
||||||
IUserService $user_service,
|
* @param DiscoveryController $discovery
|
||||||
IUserActionService $user_action_service,
|
* @param IUserService $user_service
|
||||||
IClientService $client_service,
|
* @param IUserActionService $user_action_service
|
||||||
IApiScopeService $scope_service,
|
* @param IClientService $client_service
|
||||||
ITokenService $token_service,
|
* @param IApiScopeService $scope_service
|
||||||
IResourceServerService $resource_server_service,
|
* @param ITokenService $token_service
|
||||||
IUtilsServerConfigurationService $utils_configuration_service
|
* @param IResourceServerService $resource_server_service
|
||||||
)
|
* @param IUtilsServerConfigurationService $utils_configuration_service
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IMementoOpenIdSerializerService $openid_memento_service,
|
||||||
|
IMementoOAuth2SerializerService $oauth2_memento_service,
|
||||||
|
IAuthService $auth_service,
|
||||||
|
IServerConfigurationService $server_configuration_service,
|
||||||
|
ITrustedSitesService $trusted_sites_service,
|
||||||
|
DiscoveryController $discovery,
|
||||||
|
IUserService $user_service,
|
||||||
|
IUserActionService $user_action_service,
|
||||||
|
IClientService $client_service,
|
||||||
|
IApiScopeService $scope_service,
|
||||||
|
ITokenService $token_service,
|
||||||
|
IResourceServerService $resource_server_service,
|
||||||
|
IUtilsServerConfigurationService $utils_configuration_service,
|
||||||
|
ISecurityContextService $security_context_service
|
||||||
|
)
|
||||||
{
|
{
|
||||||
|
|
||||||
$this->openid_memento_service = $openid_memento_service;
|
$this->openid_memento_service = $openid_memento_service;
|
||||||
$this->oauth2_memento_service = $oauth2_memento_service;
|
$this->oauth2_memento_service = $oauth2_memento_service;
|
||||||
$this->auth_service = $auth_service;
|
$this->auth_service = $auth_service;
|
||||||
@ -69,25 +130,50 @@ class UserController extends OpenIdController
|
|||||||
$this->scope_service = $scope_service;
|
$this->scope_service = $scope_service;
|
||||||
$this->token_service = $token_service;
|
$this->token_service = $token_service;
|
||||||
$this->resource_server_service = $resource_server_service;
|
$this->resource_server_service = $resource_server_service;
|
||||||
$this->utils_configuration_service = $utils_configuration_service;
|
$this->utils_configuration_service = $utils_configuration_service;
|
||||||
//filters
|
//filters
|
||||||
$this->beforeFilter('csrf', array('only' => array('postLogin', 'postConsent')));
|
$this->beforeFilter('csrf', array('only' => array('postLogin', 'postConsent')));
|
||||||
|
|
||||||
$openid_msg = $this->openid_memento_service->getCurrentRequest();
|
if ($this->openid_memento_service->exists())
|
||||||
$oauth2_msg = $this->oauth2_memento_service->getCurrentAuthorizationRequest();
|
{
|
||||||
|
|
||||||
if (!is_null($openid_msg) && $openid_msg->isValid() && OpenIdAuthenticationRequest::IsOpenIdAuthenticationRequest($openid_msg)) {
|
|
||||||
//openid stuff
|
//openid stuff
|
||||||
$this->beforeFilter('openid.save.request');
|
$this->login_strategy = new OpenIdLoginStrategy
|
||||||
$this->beforeFilter('openid.needs.auth.request', array('only' => array('getConsent')));
|
(
|
||||||
$this->login_strategy = new OpenIdLoginStrategy($openid_memento_service, $user_action_service, $auth_service);
|
$openid_memento_service,
|
||||||
$this->consent_strategy = new OpenIdConsentStrategy($openid_memento_service, $auth_service, $server_configuration_service, $user_action_service);
|
$user_action_service,
|
||||||
} else if (!is_null($oauth2_msg) && $oauth2_msg->isValid()) {
|
$auth_service
|
||||||
$this->beforeFilter('oauth2.save.request');
|
);
|
||||||
$this->beforeFilter('oauth2.needs.auth.request', array('only' => array('getConsent')));
|
|
||||||
$this->login_strategy = new OAuth2LoginStrategy($auth_service, $oauth2_memento_service ,$user_action_service);
|
$this->consent_strategy = new OpenIdConsentStrategy
|
||||||
$this->consent_strategy = new OAuth2ConsentStrategy($auth_service, $oauth2_memento_service, $scope_service, $client_service);
|
(
|
||||||
} else {
|
$openid_memento_service,
|
||||||
|
$auth_service,
|
||||||
|
$server_configuration_service,
|
||||||
|
$user_action_service
|
||||||
|
);
|
||||||
|
|
||||||
|
}
|
||||||
|
else if ($this->oauth2_memento_service->exists())
|
||||||
|
{
|
||||||
|
|
||||||
|
$this->login_strategy = new OAuth2LoginStrategy
|
||||||
|
(
|
||||||
|
$auth_service,
|
||||||
|
$oauth2_memento_service,
|
||||||
|
$user_action_service,
|
||||||
|
$security_context_service
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->consent_strategy = new OAuth2ConsentStrategy
|
||||||
|
(
|
||||||
|
$auth_service,
|
||||||
|
$oauth2_memento_service,
|
||||||
|
$scope_service,
|
||||||
|
$client_service
|
||||||
|
);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
//default stuff
|
//default stuff
|
||||||
$this->login_strategy = new DefaultLoginStrategy($user_action_service, $auth_service);
|
$this->login_strategy = new DefaultLoginStrategy($user_action_service, $auth_service);
|
||||||
$this->consent_strategy = null;
|
$this->consent_strategy = null;
|
||||||
@ -106,46 +192,54 @@ class UserController extends OpenIdController
|
|||||||
|
|
||||||
public function postLogin()
|
public function postLogin()
|
||||||
{
|
{
|
||||||
try {
|
try
|
||||||
|
{
|
||||||
$max_login_attempts_2_show_captcha = $this->server_configuration_service->getConfigValue("MaxFailed.LoginAttempts.2ShowCaptcha");
|
$max_login_attempts_2_show_captcha = $this->server_configuration_service->getConfigValue("MaxFailed.LoginAttempts.2ShowCaptcha");
|
||||||
$data = Input::all();
|
$data = Input::all();
|
||||||
$login_attempts = intval(Input::get('login_attempts'));
|
$login_attempts = intval(Input::get('login_attempts'));
|
||||||
// Build the validation constraint set.
|
// Build the validation constraint set.
|
||||||
$rules = array(
|
$rules = array
|
||||||
|
(
|
||||||
'username' => 'required|email',
|
'username' => 'required|email',
|
||||||
'password' => 'required',
|
'password' => 'required',
|
||||||
);
|
);
|
||||||
if ($login_attempts >= $max_login_attempts_2_show_captcha) {
|
if ($login_attempts >= $max_login_attempts_2_show_captcha)
|
||||||
$rules['recaptcha_response_field'] = 'required|recaptcha';
|
{
|
||||||
|
$rules['g-recaptcha-response'] = 'required|recaptcha';
|
||||||
}
|
}
|
||||||
// Create a new validator instance.
|
// Create a new validator instance.
|
||||||
$validator = Validator::make($data, $rules);
|
$validator = Validator::make($data, $rules);
|
||||||
|
|
||||||
|
if ($validator->passes())
|
||||||
|
{
|
||||||
if ($validator->passes()) {
|
$username = Input::get("username");
|
||||||
$username = Input::get("username");
|
$password = Input::get("password");
|
||||||
$password = Input::get("password");
|
$remember = Input::get("remember");
|
||||||
$remember = Input::get("remember");
|
|
||||||
|
|
||||||
$remember = !is_null($remember);
|
$remember = !is_null($remember);
|
||||||
if ($this->auth_service->login($username, $password, $remember)) {
|
if ($this->auth_service->login($username, $password, $remember))
|
||||||
|
{
|
||||||
return $this->login_strategy->postLogin();
|
return $this->login_strategy->postLogin();
|
||||||
}
|
}
|
||||||
//failed login attempt...
|
//failed login attempt...
|
||||||
$user = $this->auth_service->getUserByUsername($username);
|
$user = $this->auth_service->getUserByUsername($username);
|
||||||
if ($user) {
|
if ($user)
|
||||||
|
{
|
||||||
$login_attempts = $user->login_failed_attempt;
|
$login_attempts = $user->login_failed_attempt;
|
||||||
}
|
}
|
||||||
|
|
||||||
return Redirect::action('UserController@getLogin')
|
return Redirect::action('UserController@getLogin')
|
||||||
->with('max_login_attempts_2_show_captcha', $max_login_attempts_2_show_captcha)
|
->with('max_login_attempts_2_show_captcha', $max_login_attempts_2_show_captcha)
|
||||||
->with('login_attempts', $login_attempts)
|
->with('login_attempts', $login_attempts)
|
||||||
->with('username',$username)
|
->with('username', $username)
|
||||||
->with('flash_notice', "We're sorry, your username or password does not match an existing record.");
|
->with('flash_notice', "We're sorry, your username or password does not match an existing record.");
|
||||||
}
|
}
|
||||||
|
|
||||||
return Redirect::action('UserController@getLogin')
|
return Redirect::action('UserController@getLogin')
|
||||||
->withErrors($validator);
|
->withErrors($validator);
|
||||||
} catch (Exception $ex) {
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
Log::error($ex);
|
Log::error($ex);
|
||||||
return Redirect::action('UserController@getLogin');
|
return Redirect::action('UserController@getLogin');
|
||||||
}
|
}
|
||||||
@ -154,19 +248,26 @@ class UserController extends OpenIdController
|
|||||||
public function getConsent()
|
public function getConsent()
|
||||||
{
|
{
|
||||||
if (is_null($this->consent_strategy))
|
if (is_null($this->consent_strategy))
|
||||||
|
{
|
||||||
return View::make("404");
|
return View::make("404");
|
||||||
|
}
|
||||||
|
|
||||||
return $this->consent_strategy->getConsent();
|
return $this->consent_strategy->getConsent();
|
||||||
}
|
}
|
||||||
|
|
||||||
public function postConsent()
|
public function postConsent()
|
||||||
{
|
{
|
||||||
try {
|
try
|
||||||
|
{
|
||||||
$trust_action = input::get("trust");
|
$trust_action = input::get("trust");
|
||||||
if (!is_null($trust_action) && !is_null($this->consent_strategy)) {
|
if (!is_null($trust_action) && !is_null($this->consent_strategy))
|
||||||
|
{
|
||||||
return $this->consent_strategy->postConsent($trust_action);
|
return $this->consent_strategy->postConsent($trust_action);
|
||||||
}
|
}
|
||||||
return Redirect::action('UserController@getConsent');
|
return Redirect::action('UserController@getConsent');
|
||||||
} catch (Exception $ex) {
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
Log::error($ex);
|
Log::error($ex);
|
||||||
return Redirect::action('UserController@getConsent');
|
return Redirect::action('UserController@getConsent');
|
||||||
}
|
}
|
||||||
@ -174,12 +275,16 @@ class UserController extends OpenIdController
|
|||||||
|
|
||||||
public function getIdentity($identifier)
|
public function getIdentity($identifier)
|
||||||
{
|
{
|
||||||
try {
|
try
|
||||||
|
{
|
||||||
$user = $this->auth_service->getUserByOpenId($identifier);
|
$user = $this->auth_service->getUserByOpenId($identifier);
|
||||||
if (is_null($user))
|
if (is_null($user))
|
||||||
|
{
|
||||||
return View::make("404");
|
return View::make("404");
|
||||||
|
}
|
||||||
|
|
||||||
if ($this->isDiscoveryRequest()) {
|
if ($this->isDiscoveryRequest())
|
||||||
|
{
|
||||||
/*
|
/*
|
||||||
* If the Claimed Identifier was not previously discovered by the Relying Party
|
* If the Claimed Identifier was not previously discovered by the Relying Party
|
||||||
* (the "openid.identity" in the request was "http://specs.openid.net/auth/2.0/identifier_select"
|
* (the "openid.identity" in the request was "http://specs.openid.net/auth/2.0/identifier_select"
|
||||||
@ -191,15 +296,17 @@ class UserController extends OpenIdController
|
|||||||
}
|
}
|
||||||
$current_user = $this->auth_service->getCurrentUser();
|
$current_user = $this->auth_service->getCurrentUser();
|
||||||
$another_user = false;
|
$another_user = false;
|
||||||
if ($current_user && $current_user->getIdentifier() != $user->getIdentifier()) {
|
if ($current_user && $current_user->getIdentifier() != $user->getIdentifier())
|
||||||
|
{
|
||||||
$another_user = true;
|
$another_user = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
$assets_url = $this->utils_configuration_service->getConfigValue("Assets.Url");
|
$assets_url = $this->utils_configuration_service->getConfigValue("Assets.Url");
|
||||||
$pic_url = $user->getPic();
|
$pic_url = $user->getPic();
|
||||||
$pic_url = str_contains($pic_url,'http')?$pic_url:$assets_url.$pic_url;
|
$pic_url = str_contains($pic_url, 'http') ? $pic_url : $assets_url . $pic_url;
|
||||||
|
|
||||||
$params = array(
|
$params = array
|
||||||
|
(
|
||||||
'show_fullname' => $user->getShowProfileFullName(),
|
'show_fullname' => $user->getShowProfileFullName(),
|
||||||
'username' => $user->getFullName(),
|
'username' => $user->getFullName(),
|
||||||
'show_email' => $user->getShowProfileEmail(),
|
'show_email' => $user->getShowProfileEmail(),
|
||||||
@ -209,8 +316,11 @@ class UserController extends OpenIdController
|
|||||||
'pic' => $pic_url,
|
'pic' => $pic_url,
|
||||||
'another_user' => $another_user,
|
'another_user' => $another_user,
|
||||||
);
|
);
|
||||||
|
|
||||||
return View::make("identity", $params);
|
return View::make("identity", $params);
|
||||||
} catch (Exception $ex) {
|
}
|
||||||
|
catch (Exception $ex)
|
||||||
|
{
|
||||||
Log::error($ex);
|
Log::error($ex);
|
||||||
return View::make("404");
|
return View::make("404");
|
||||||
}
|
}
|
||||||
@ -218,8 +328,15 @@ class UserController extends OpenIdController
|
|||||||
|
|
||||||
public function logout()
|
public function logout()
|
||||||
{
|
{
|
||||||
$this->user_action_service->addUserAction($this->auth_service->getCurrentUser(), IPHelper::getUserIp(), IUserActionService::LogoutAction);
|
$this->user_action_service->addUserAction
|
||||||
Auth::logout();
|
(
|
||||||
|
$this->auth_service->getCurrentUser(),
|
||||||
|
IPHelper::getUserIp(),
|
||||||
|
IUserActionService::LogoutAction
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->auth_service->logout();
|
||||||
|
|
||||||
return Redirect::action("UserController@getLogin");
|
return Redirect::action("UserController@getLogin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -229,7 +346,8 @@ class UserController extends OpenIdController
|
|||||||
$sites = $user->getTrustedSites();
|
$sites = $user->getTrustedSites();
|
||||||
$actions = $user->getActions();
|
$actions = $user->getActions();
|
||||||
|
|
||||||
return View::make("profile", array(
|
return View::make("profile", array
|
||||||
|
(
|
||||||
"username" => $user->getFullName(),
|
"username" => $user->getFullName(),
|
||||||
"user_id" => $user->getId(),
|
"user_id" => $user->getId(),
|
||||||
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
"is_oauth2_admin" => $user->isOAuth2ServerAdmin(),
|
||||||
@ -252,13 +370,15 @@ class UserController extends OpenIdController
|
|||||||
$show_pic = Input::get("show_pic");
|
$show_pic = Input::get("show_pic");
|
||||||
$user = $this->auth_service->getCurrentUser();
|
$user = $this->auth_service->getCurrentUser();
|
||||||
$this->user_service->saveProfileInfo($user->getId(), $show_pic, $show_full_name, $show_email);
|
$this->user_service->saveProfileInfo($user->getId(), $show_pic, $show_full_name, $show_email);
|
||||||
|
|
||||||
return Redirect::action("UserController@getProfile");
|
return Redirect::action("UserController@getProfile");
|
||||||
}
|
}
|
||||||
|
|
||||||
public function deleteTrustedSite($id)
|
public function deleteTrustedSite($id)
|
||||||
{
|
{
|
||||||
$this->trusted_sites_service->delTrustedSite($id);
|
$this->trusted_sites_service->delTrustedSite($id);
|
||||||
|
|
||||||
return Redirect::action("UserController@getProfile");
|
return Redirect::action("UserController@getProfile");
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -24,7 +24,7 @@ class InsertMarketplaceApiEndpointsScopes extends Migration {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Marketplace Public Clouds',
|
'Description' => 'Marketplace Public Clouds',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
// private clouds
|
// private clouds
|
||||||
@ -35,7 +35,7 @@ class InsertMarketplaceApiEndpointsScopes extends Migration {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Marketplace Private Clouds',
|
'Description' => 'Marketplace Private Clouds',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
// consultants
|
// consultants
|
||||||
@ -46,7 +46,7 @@ class InsertMarketplaceApiEndpointsScopes extends Migration {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Marketplace Consultants',
|
'Description' => 'Marketplace Consultants',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -0,0 +1,95 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
use oauth2\models\IClient;
|
||||||
|
use jwa\JSONWebSignatureAndEncryptionAlgorithms;
|
||||||
|
/**
|
||||||
|
* Class UpdateOauth2Client
|
||||||
|
*/
|
||||||
|
class UpdateOauth2ClientOIDC extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
|
||||||
|
Schema::table('oauth2_client', function($table) {
|
||||||
|
$table->dateTime('client_secret_expires_at')->nullable();
|
||||||
|
$table->text('contacts')->nullable();
|
||||||
|
$table->text('allowed_origins')->nullable();
|
||||||
|
$table->text('redirect_uris')->nullable();
|
||||||
|
$table->string('logo_uri')->nullable();
|
||||||
|
$table->string('tos_uri')->nullable();
|
||||||
|
// http://openid.net/specs/openid-connect-session-1_0.html#ClientMetadata
|
||||||
|
$table->text('post_logout_redirect_uris')->nullable();
|
||||||
|
|
||||||
|
$table->text('logout_uri')->nullable();
|
||||||
|
$table->boolean('logout_session_required')->default(false);
|
||||||
|
$table->boolean('logout_use_iframe')->default(false);
|
||||||
|
|
||||||
|
$table->string('policy_uri')->nullable();
|
||||||
|
$table->string('jwks_uri')->nullable();
|
||||||
|
$table->integer('default_max_age')->default(-1);
|
||||||
|
$table->boolean('require_auth_time')->default(false);
|
||||||
|
// http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
|
||||||
|
$table->enum('token_endpoint_auth_method', array_merge(OAuth2Protocol::$token_endpoint_auth_methods, array (
|
||||||
|
OAuth2Protocol::TokenEndpoint_AuthMethod_None)))->default(OAuth2Protocol::TokenEndpoint_AuthMethod_None);
|
||||||
|
$table->enum("token_endpoint_auth_signing_alg", OAuth2Protocol::$supported_signing_algorithms)->default(JSONWebSignatureAndEncryptionAlgorithms::None);
|
||||||
|
$table->enum('subject_type', Client::$valid_subject_types)->default(IClient::SubjectType_Public);
|
||||||
|
|
||||||
|
$table->enum("userinfo_signed_response_alg", OAuth2Protocol::$supported_signing_algorithms)->default(JSONWebSignatureAndEncryptionAlgorithms::None);
|
||||||
|
// encryption
|
||||||
|
$table->enum("userinfo_encrypted_response_alg", OAuth2Protocol::$supported_key_management_algorithms)->default(JSONWebSignatureAndEncryptionAlgorithms::None);
|
||||||
|
$table->enum("userinfo_encrypted_response_enc", OAuth2Protocol::$supported_content_encryption_algorithms)->default(JSONWebSignatureAndEncryptionAlgorithms::None);
|
||||||
|
|
||||||
|
$table->enum("id_token_signed_response_alg", OAuth2Protocol::$supported_signing_algorithms)->default(JSONWebSignatureAndEncryptionAlgorithms::None);
|
||||||
|
// encryption
|
||||||
|
$table->enum("id_token_encrypted_response_alg", OAuth2Protocol::$supported_key_management_algorithms)->default(JSONWebSignatureAndEncryptionAlgorithms::None);
|
||||||
|
$table->enum("id_token_encrypted_response_enc", OAuth2Protocol::$supported_content_encryption_algorithms)->default(JSONWebSignatureAndEncryptionAlgorithms::None);
|
||||||
|
|
||||||
|
});
|
||||||
|
|
||||||
|
DB::statement("ALTER TABLE oauth2_client MODIFY COLUMN client_type ENUM('PUBLIC','CONFIDENTIAL') default 'CONFIDENTIAL';");
|
||||||
|
DB::statement("ALTER TABLE oauth2_client MODIFY COLUMN application_type ENUM('WEB_APPLICATION','JS_CLIENT','SERVICE', 'NATIVE') default 'WEB_APPLICATION';");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
Schema::table('oauth2_client', function($table) {
|
||||||
|
$table->dropColumn('client_secret_expires_at');
|
||||||
|
$table->dropColumn('contacts');
|
||||||
|
$table->dropColumn('allowed_origins');
|
||||||
|
$table->dropColumn('redirect_uris');
|
||||||
|
$table->dropColumn('logo_uri');
|
||||||
|
$table->dropColumn('tos_uri');
|
||||||
|
$table->dropColumn('post_logout_redirect_uris');
|
||||||
|
$table->dropColumn('logout_uri');
|
||||||
|
$table->dropColumn('logout_session_required');
|
||||||
|
$table->dropColumn('logout_use_iframe');
|
||||||
|
$table->dropColumn('policy_uri');
|
||||||
|
$table->dropColumn('jwks_uri');
|
||||||
|
$table->dropColumn('default_max_age');
|
||||||
|
$table->dropColumn('require_auth_time');
|
||||||
|
$table->dropColumn('token_endpoint_auth_method');
|
||||||
|
$table->dropColumn('token_endpoint_auth_signing_alg');
|
||||||
|
$table->dropColumn('subject_type');
|
||||||
|
$table->dropColumn('userinfo_signed_response_alg');
|
||||||
|
$table->dropColumn('userinfo_encrypted_response_alg');
|
||||||
|
$table->dropColumn('userinfo_encrypted_response_enc');
|
||||||
|
$table->dropColumn('id_token_signed_response_alg');
|
||||||
|
$table->dropColumn('id_token_encrypted_response_alg');
|
||||||
|
$table->dropColumn('id_token_encrypted_response_enc');
|
||||||
|
});
|
||||||
|
|
||||||
|
DB::statement("ALTER TABLE oauth2_client MODIFY COLUMN application_type ENUM('WEB_APPLICATION','JS_CLIENT','SERVICE') default 'WEB_APPLICATION';");
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,87 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use jwk\JSONWebKeyPublicKeyUseValues;
|
||||||
|
use jwk\JSONWebKeyTypes;
|
||||||
|
use jwa\JSONWebSignatureAndEncryptionAlgorithms;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class CreateAssymetricKeys
|
||||||
|
*/
|
||||||
|
final class CreateAssymetricKeys extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
Schema::create('oauth2_assymetric_keys', function ($table) {
|
||||||
|
$table->bigIncrements('id');
|
||||||
|
$table->timestamps();
|
||||||
|
$table->text('pem_content');
|
||||||
|
$table->string('kid');
|
||||||
|
$table->boolean('active')->default(true);
|
||||||
|
|
||||||
|
$table->enum
|
||||||
|
(
|
||||||
|
'usage',
|
||||||
|
JSONWebKeyPublicKeyUseValues::$valid_uses
|
||||||
|
)->default(JSONWebKeyPublicKeyUseValues::Signature);
|
||||||
|
|
||||||
|
$table->enum('class_name', array('ClientPublicKey', 'ServerPrivateKey'))->default('ClientPublicKey');
|
||||||
|
|
||||||
|
$table->enum(
|
||||||
|
'type',
|
||||||
|
array
|
||||||
|
(
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyTypes::EllipticCurve
|
||||||
|
)
|
||||||
|
)->default(JSONWebKeyTypes::RSA);
|
||||||
|
|
||||||
|
$table->dateTime('last_use')->nullable();
|
||||||
|
$table->text('password')->nullable();
|
||||||
|
$table->dateTime('valid_from');
|
||||||
|
$table->dateTime('valid_to');
|
||||||
|
|
||||||
|
$table->enum
|
||||||
|
(
|
||||||
|
'alg',
|
||||||
|
array_merge
|
||||||
|
(
|
||||||
|
OAuth2Protocol::$supported_signing_algorithms_rsa,
|
||||||
|
OAuth2Protocol::$supported_key_management_algorithms
|
||||||
|
)
|
||||||
|
)
|
||||||
|
->default
|
||||||
|
(
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::None
|
||||||
|
);
|
||||||
|
|
||||||
|
// FK
|
||||||
|
$table->bigInteger("oauth2_client_id")->unsigned()->nullable();
|
||||||
|
$table->index('oauth2_client_id');
|
||||||
|
$table->foreign('oauth2_client_id')
|
||||||
|
->references('id')
|
||||||
|
->on('oauth2_client')
|
||||||
|
->onDelete('cascade')
|
||||||
|
->onUpdate('no action');
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
Schema::table('oauth2_assymetric_keys', function ($table) {
|
||||||
|
$table->dropForeign('oauth2_client_id');
|
||||||
|
});
|
||||||
|
Schema::dropIfExists('oauth2_assymetric_keys');
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,54 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
|
||||||
|
class MigrateRedirectUris extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
$uris = DB::table('oauth2_client_authorized_uri')->orderBy('client_id', 'desc')->get();
|
||||||
|
foreach($uris as $uri)
|
||||||
|
{
|
||||||
|
$client = Client::find($uri->client_id);
|
||||||
|
$redirect_uris = $client->redirect_uris;
|
||||||
|
if(!empty($redirect_uris))
|
||||||
|
$redirect_uris = $redirect_uris.','.$uri->uri;
|
||||||
|
else
|
||||||
|
$redirect_uris = $uri->uri;
|
||||||
|
|
||||||
|
$client->redirect_uris = $redirect_uris;
|
||||||
|
|
||||||
|
$client->save();
|
||||||
|
}
|
||||||
|
|
||||||
|
$uris = DB::table('oauth2_client_allowed_origin')->orderBy('client_id', 'desc')->get();
|
||||||
|
foreach($uris as $uri)
|
||||||
|
{
|
||||||
|
$client = Client::find($uri->client_id);
|
||||||
|
$allowed_origins = $client->allowed_origins;
|
||||||
|
if(!empty($allowed_origins))
|
||||||
|
$allowed_origins = $redirect_uris.','.$uri->allowed_origin;
|
||||||
|
else
|
||||||
|
$allowed_origins = $uri->allowed_origin;
|
||||||
|
|
||||||
|
$client->allowed_origins = $allowed_origins;
|
||||||
|
|
||||||
|
$client->save();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
//
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,50 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
class AddNewDefaultScopes extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
ApiScope::create(
|
||||||
|
array(
|
||||||
|
'name' => OAuth2Protocol::OpenIdConnect_Scope,
|
||||||
|
'short_description' => 'OpenId Connect Protocol',
|
||||||
|
'description' => 'OpenId Connect Protocol',
|
||||||
|
'api_id' => null,
|
||||||
|
'system' => true,
|
||||||
|
'default' => true,
|
||||||
|
'active' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
ApiScope::create(
|
||||||
|
array(
|
||||||
|
'name' => OAuth2Protocol::OfflineAccess_Scope,
|
||||||
|
'short_description' => 'allow to emit refresh tokens (offline access without user presence)',
|
||||||
|
'description' => 'allow to emit refresh tokens (offline access without user presence)',
|
||||||
|
'api_id' => null,
|
||||||
|
'system' => true,
|
||||||
|
'default' => true,
|
||||||
|
'active' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
ApiScope::where('name', '=', OAuth2Protocol::OpenIdConnect_Scope)->first()-delete();
|
||||||
|
ApiScope::where('name', '=', OAuth2Protocol::OfflineAccess_Scope)->first()-delete();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,43 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
use oauth2\models\IClient;
|
||||||
|
|
||||||
|
class UpdateOauth2ClientScopes extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
$clients = Client::get();
|
||||||
|
$scope_openid = ApiScope::where('name', '=', OAuth2Protocol::OpenIdConnect_Scope)->first();
|
||||||
|
$scope_offline = ApiScope::where('name', '=', OAuth2Protocol::OfflineAccess_Scope)->first();
|
||||||
|
|
||||||
|
foreach($clients as $client)
|
||||||
|
{
|
||||||
|
$client->scopes()->attach($scope_openid->id);
|
||||||
|
if($client->application_type === IClient::ApplicationType_Native || $client->application_type === IClient::ApplicationType_Web_App)
|
||||||
|
$client->scopes()->attach($scope_offline->id);
|
||||||
|
|
||||||
|
if ($client->client_type === IClient::ClientType_Confidential)
|
||||||
|
{
|
||||||
|
$client->token_endpoint_auth_method = OAuth2Protocol::TokenEndpoint_AuthMethod_ClientSecretBasic;
|
||||||
|
$client->save();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
//
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,36 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use oauth2\models\IClient;
|
||||||
|
|
||||||
|
class Oauth2ClientsUpdateSecretExpirationDate extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
$clients = Client::get();
|
||||||
|
$now = new \DateTime();
|
||||||
|
|
||||||
|
foreach ($clients as $client)
|
||||||
|
{
|
||||||
|
if ($client->client_type !== IClient::ClientType_Confidential) continue;
|
||||||
|
// default 6 months
|
||||||
|
$client->client_secret_expires_at = $now->add(new \DateInterval('P6M'));
|
||||||
|
$client->save();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
//
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,66 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
|
||||||
|
class AddUserInfoOIDCEndpoint extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
|
||||||
|
$users = Api::where('name', '=', 'users')->first();
|
||||||
|
|
||||||
|
if(is_null($users)) return;
|
||||||
|
|
||||||
|
ApiEndpoint::create(
|
||||||
|
array(
|
||||||
|
'name' => 'get-user-claims-get',
|
||||||
|
'active' => true,
|
||||||
|
'api_id' => $users->id,
|
||||||
|
'route' => '/api/v1/users/info',
|
||||||
|
'http_method' => 'GET',
|
||||||
|
'allow_cors' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
ApiEndpoint::create(
|
||||||
|
array(
|
||||||
|
'name' => 'get-user-claims-post',
|
||||||
|
'active' => true,
|
||||||
|
'api_id' => $users->id,
|
||||||
|
'route' => '/api/v1/users/info',
|
||||||
|
'http_method' => 'POST',
|
||||||
|
'allow_cors' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
$profile_scope = ApiScope::where('name', '=', 'profile')->first();
|
||||||
|
$email_scope = ApiScope::where('name', '=', 'email')->first();
|
||||||
|
$address_scope = ApiScope::where('name', '=', 'address')->first();
|
||||||
|
|
||||||
|
|
||||||
|
$get_user_info_endpoint = ApiEndpoint::where('name', '=', 'get-user-claims-get')->first();
|
||||||
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
|
|
||||||
|
$get_user_info_endpoint = ApiEndpoint::where('name', '=', 'get-user-claims-post')->first();
|
||||||
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
//
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,75 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
|
||||||
|
class AddApiScopesGroups extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
Schema::create('oauth2_api_scope_group', function ($table) {
|
||||||
|
$table->bigIncrements('id')->unsigned();
|
||||||
|
$table->string('name', 512);
|
||||||
|
$table->text('description');
|
||||||
|
$table->boolean('active')->default(true);
|
||||||
|
$table->timestamps();
|
||||||
|
});
|
||||||
|
|
||||||
|
Schema::create('oauth2_api_scope_group_scope', function($table)
|
||||||
|
{
|
||||||
|
$table->timestamps();
|
||||||
|
|
||||||
|
$table->bigInteger("group_id")->unsigned();
|
||||||
|
$table->index('group_id');
|
||||||
|
$table->foreign('group_id')
|
||||||
|
->references('id')
|
||||||
|
->on('oauth2_api_scope_group')
|
||||||
|
->onDelete('cascade')
|
||||||
|
->onUpdate('no action'); ;
|
||||||
|
|
||||||
|
$table->bigInteger("scope_id")->unsigned();
|
||||||
|
$table->index('scope_id');
|
||||||
|
$table->foreign('scope_id')
|
||||||
|
->references('id')
|
||||||
|
->on('oauth2_api_scope')
|
||||||
|
->onDelete('cascade')
|
||||||
|
->onUpdate('no action');
|
||||||
|
});
|
||||||
|
|
||||||
|
Schema::create('oauth2_api_scope_group_users', function($table)
|
||||||
|
{
|
||||||
|
$table->timestamps();
|
||||||
|
|
||||||
|
$table->bigInteger("group_id")->unsigned();
|
||||||
|
$table->index('group_id');
|
||||||
|
$table->foreign('group_id')
|
||||||
|
->references('id')
|
||||||
|
->on('oauth2_api_scope_group')
|
||||||
|
->onDelete('cascade')
|
||||||
|
->onUpdate('no action'); ;
|
||||||
|
|
||||||
|
$table->bigInteger("user_id")->unsigned();
|
||||||
|
$table->index('user_id');
|
||||||
|
$table->foreign('user_id')
|
||||||
|
->references('id')
|
||||||
|
->on('openid_users')
|
||||||
|
->onDelete('cascade')
|
||||||
|
->onUpdate('no action');
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
Schema::dropIfExists('oauth2_api_scope_group');
|
||||||
|
Schema::dropIfExists('oauth2_api_scope_group_scope');
|
||||||
|
Schema::dropIfExists('oauth2_api_scope_group_users');
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,26 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
|
||||||
|
class UpdateApiScope extends Migration
|
||||||
|
{
|
||||||
|
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
Schema::table('oauth2_api_scope', function ($table) {
|
||||||
|
$table->boolean('assigned_by_groups')->default(false);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
Schema::table('oauth2_api_scope', function ($table) {
|
||||||
|
$table->dropColumn('assigned_by_groups');
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -37,6 +37,36 @@ class ApiEndpointSeeder extends Seeder
|
|||||||
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
|
|
||||||
|
ApiEndpoint::create(
|
||||||
|
array(
|
||||||
|
'name' => 'get-user-claims-get',
|
||||||
|
'active' => true,
|
||||||
|
'api_id' => $users->id,
|
||||||
|
'route' => '/api/v1/users/info',
|
||||||
|
'http_method' => 'GET'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
ApiEndpoint::create(
|
||||||
|
array(
|
||||||
|
'name' => 'get-user-claims-post',
|
||||||
|
'active' => true,
|
||||||
|
'api_id' => $users->id,
|
||||||
|
'route' => '/api/v1/users/info',
|
||||||
|
'http_method' => 'POST'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
$get_user_info_endpoint = ApiEndpoint::where('name','=','get-user-claims-get')->first();
|
||||||
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
|
|
||||||
|
$get_user_info_endpoint = ApiEndpoint::where('name','=','get-user-claims-post')->first();
|
||||||
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -1,5 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class ApiScopeSeeder
|
* Class ApiScopeSeeder
|
||||||
*/
|
*/
|
||||||
@ -47,6 +49,31 @@ class ApiScopeSeeder extends Seeder {
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
|
||||||
|
ApiScope::create(
|
||||||
|
array(
|
||||||
|
'name' => OAuth2Protocol::OpenIdConnect_Scope,
|
||||||
|
'short_description' => 'OpenId Connect Protocol',
|
||||||
|
'description' => 'OpenId Connect Protocol',
|
||||||
|
'api_id' => null,
|
||||||
|
'system' => true,
|
||||||
|
'default' => true,
|
||||||
|
'active' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
ApiScope::create(
|
||||||
|
array(
|
||||||
|
'name' => OAuth2Protocol::OfflineAccess_Scope,
|
||||||
|
'short_description' => 'allow to emit refresh tokens (offline access without user presence)',
|
||||||
|
'description' => 'allow to emit refresh tokens (offline access without user presence)',
|
||||||
|
'api_id' => null,
|
||||||
|
'system' => true,
|
||||||
|
'default' => true,
|
||||||
|
'active' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -22,7 +22,7 @@ class ApiSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'User Info',
|
'Description' => 'User Info',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
@ -3,17 +3,248 @@
|
|||||||
use oauth2\models\IClient;
|
use oauth2\models\IClient;
|
||||||
use auth\User;
|
use auth\User;
|
||||||
use utils\services\IAuthService;
|
use utils\services\IAuthService;
|
||||||
|
use \jwk\JSONWebKeyPublicKeyUseValues;
|
||||||
|
use \jwk\JSONWebKeyTypes;
|
||||||
|
use \oauth2\OAuth2Protocol;
|
||||||
|
use \jwa\JSONWebSignatureAndEncryptionAlgorithms;
|
||||||
/**
|
/**
|
||||||
* Class OAuth2ApplicationSeeder
|
* Class OAuth2ApplicationSeeder
|
||||||
* This seeder is only for testing purposes
|
* This seeder is only for testing purposes
|
||||||
*/
|
*/
|
||||||
class TestSeeder extends Seeder {
|
class TestSeeder extends Seeder {
|
||||||
|
|
||||||
|
static $client_private_key_1 = <<<PPK
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIJJwIBAAKCAgEAkjiUI6n3Fq140AipaLxNIPCzEItQFcY8G5Xd17u7InM3H542
|
||||||
|
+34PdBpwR66miQUgJK+rtfaot/v4QPj4/0BnYc78BhI0Mp3tVEH95jjIrhDMZoRF
|
||||||
|
fSQsAhiom5NTP1B5XiiyRjzkO1+7a29JST5tIQUIS2U345DMWyf3GNlC1cBAfgI+
|
||||||
|
PrRo3gLby/iW5EF/Mqq0ZUIOuggZ7r8kU2aUhXILFx2w9V/y90DwruJdzZ0Tesbs
|
||||||
|
Fit2nM3Axie7HX2wIpbl2hyvvhX/AxZ0NPudVh58wNogsKOMUN6guU+RzL5L6vF+
|
||||||
|
QjfzBCtOE+CRmUD60E0LdQHzElBcF0tbc2cj2YelZ0Dp+4NEBDjCNsSv//5hHacU
|
||||||
|
xxXQdwwotLUV85iErEZgcGyMNnTMsw7JIh39UBgOEmQgfpfOUlH+/5WmRO+kskvP
|
||||||
|
CACz1SR8gzAKz9Nu9r3UyE+gWaZzM2+CpQ1szEd94MIapHxJw9vHogL7sNkjmZ34
|
||||||
|
Y9eQmoCVevqDVpYEdTtLsg9H49+pEndQHI6lGAB7QlsPLN8A17L2l3p68BFcYkSZ
|
||||||
|
R4GuXAyQguq3KzWYDZ9PjWAV5lhVg6K3GaV7fvn2pKCk4P5Y5hZt08fholt3k/5G
|
||||||
|
c82CP6rfgQFi7HnpBJKRauoIdsvUPvXZYTLlTaE5jLBAwxm+wF6Ue/nRPJMCAwEA
|
||||||
|
AQKCAgBj6pOX9zmn3mwyw+h3cEzIGJJT2M6lwmsqcnNASsEqXk6ppWRu4ApRTQuy
|
||||||
|
f+6+rKj1SLFuSxmpd12BkGAdk/XRCS6AO4o9mFsne1yzJ9RB1arG1tXhGImV+SGm
|
||||||
|
BbsaBbSZmfeQNWXECLu6QzZx/V129chgNM9HCpgKJjocWcHo7FFlicTc9ky+gHeP
|
||||||
|
XtRFL1hq1+kjVEtZ5dVKpoR9FRiiQ3a+mgRk9+a//Dk7V+W/bfl0qV+EGrkXlyWG
|
||||||
|
gnnDQjLMwA5ax8Vzf/ZdNse7uMAfq/+VjLhP28IzNJ3hYzT/En4wEkszlqXSEIFu
|
||||||
|
5cK4VYXONweAMg/WUOFM7aqVJkKBAifM2panOPW0cQX+dd9dJp0xT/7+7EvHkpYj
|
||||||
|
Pm0giGv9ktvYHm7loYowAqpDdZzcd9WMd4O/7XlG+ZM275mOLBjrV/xi7FPT7daI
|
||||||
|
RCsAOf2GbVC71q90UaNuotSKqojAGhmkYl89jCvxuaEE1bCAlqVaTyCRH2gGH+fX
|
||||||
|
Q4LW6nCONgkkWGqBG/yCU3bezaRnGedaSyqWBawA8w8MP8c20Jo83mnbEczjDf5o
|
||||||
|
p6UYAAfWgF1TdBCBCaVWEKjzNl1NIA7PwKOB89a/nXyecNkr6CFf8FwXbXvuYpHA
|
||||||
|
l52whE1W6ZRrtViSqV8RdA91yICM1sDVVeictHhl8ZC1hOg7aQKCAQEA691dZ469
|
||||||
|
d5E19yv/eQMxcRWHNheUzHrQPN1YLligaP/F3Uia4r8tiiL04YcMzbzT9wa4ON3p
|
||||||
|
VIwKcqn8/NXOOp0UUT759H/AImGC16yIK3KdUeYwBZ6sDYcKj5DG3K8EOHSFuTIB
|
||||||
|
RUe0qgJGGA3Qjx7hoEudVBis18kF7LvLSvwJeySnGh82qNdkXov5YyPVA/iuKOhJ
|
||||||
|
+m3b1OQ00ZtnxW2zO/8v68ABV1EYP9w2qpsShOw5kx1vTorYlKlDu597AzRvJWke
|
||||||
|
E7yznoorl8GFQgrb4K9lKCaKzfpO4wlJCq9xGAjF3rCBvjWF/2dMpoleCK8A9Xz5
|
||||||
|
DHMJcWIXyKPhpQKCAQEAnrQfTnAdPb2f6KLhgnCOJoXbHK/NQ3uNbTUXUdfToCFc
|
||||||
|
BBkdYBlq8J7iWfKkFp9azcem7GgL0hsx3WkGuDTOUcwbNa2ZGKqvg7TQO0On95JX
|
||||||
|
SlAH7damfE03wNLKWpbQgi3Ip0kHZLVSfyZ8FIO1YuQcwIs5YVFJrXO5t8ZaR1Nw
|
||||||
|
n5QAgTlttQ1P9VQn/eAAfxx/wDq3Md81kDPI7ZOb2RJCn366/J2yK6ICp/ywqMiG
|
||||||
|
DUIfGqnEFuinE4ZMl04f4wC/fb3RnIlY7tjteAAqcg0NzogEuAgmWsDyYjnJGyAP
|
||||||
|
9HVIC21/LiMCC/xYVY8tIETT0jyjKB3lEepl2iDf1wKCAQBivpk1Gqgtn4h1Q2FA
|
||||||
|
G1semcGynqq39I6rfItHU+lMLBB9NMFLPnhlRX85z91HYM9ostJ7VEQ0FjDlkk8M
|
||||||
|
1sHw/gQcg34Ho1gfzK0Hd/7GGcTNHc5q++PSAgAk3Jq0lzzwGbBGOS4ZAA0dw7fu
|
||||||
|
qBHxaR9SiXWDWJU7/bfSRUi1ytB5Un32zKyIgSxO/NDadYzfjcPz8lPOWSHYffWy
|
||||||
|
7xnBqMyJyKsaSpcFJDk/uwTT5foZ1f/AnGkV+8Dyc+6cZQcN72y8v8ZMwwp7zCK1
|
||||||
|
9NnCLWOiLCvwZDpmQ221VRTUOWDijAGy2jhnFmdT5r5LVmUcw49mNvzY/mwsoMGO
|
||||||
|
STXVAoIBAClpXOXt0WOD8I8WuXt8/UrGEOfKY+hg/AVsHhqoE7usGMOk/gpOd540
|
||||||
|
B2JrMzAIAvzBRShY+gSoPfnFZxB4DwI/HTaDhvhtyYC3lMJyJAkw8YAdpAQGx8iV
|
||||||
|
qZ+yIUVEJ0JgygQExV4dBlrRYv1DZPhaB7qiWaWwPWZ6VRLEOlh0SGYLi5osrxjY
|
||||||
|
UW31uL3BTr/cYuV5LMZhtStcp+h+ZONepW3S9t3mFFDYZJMLF9njAT/CajVd6SIF
|
||||||
|
MVuh5qhwpVdpoY4hEuoi2MbyafyvJmQ+TcT/ryOKVN/HizfgVj6yvhcO52678rzK
|
||||||
|
O8V+4lnpE2BhNVidpAFa06Q6Irupal8CggEAVnyezf7hb0MK2zlKYc9FeRnt8iqe
|
||||||
|
+LTzTn9dCpKap7+dh2kKefx55+zY4SzmPRD7p0mofUlMUPAfuXZQcHux8QpV8qOj
|
||||||
|
iSAuUYqr7wOlQa7ok0AEc6+OuSwrdS5ztpx9H8S1ulh8Sk+FyEjfR9+9lSuE8Zwx
|
||||||
|
65EGSILsE/YBtdfO4UVl/6V3ZI8kBAUSKOGJr7qNwIPUUPEO/uo3zSp1ZKR87O5I
|
||||||
|
sMxkIDGm1b1YX3BHbuF55yApF6w9hBrkHx3s6J8DrbYjML/R31dZaBMzPXd/fdZl
|
||||||
|
6mWz6D9w9b62peOJ7hhZqMWWhvPzM6tw9UGBpb/XeCVA4udl6lrDgXZFcA==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
PPK;
|
||||||
|
|
||||||
|
static $client_public_key_1 = <<<PPK
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkjiUI6n3Fq140AipaLxN
|
||||||
|
IPCzEItQFcY8G5Xd17u7InM3H542+34PdBpwR66miQUgJK+rtfaot/v4QPj4/0Bn
|
||||||
|
Yc78BhI0Mp3tVEH95jjIrhDMZoRFfSQsAhiom5NTP1B5XiiyRjzkO1+7a29JST5t
|
||||||
|
IQUIS2U345DMWyf3GNlC1cBAfgI+PrRo3gLby/iW5EF/Mqq0ZUIOuggZ7r8kU2aU
|
||||||
|
hXILFx2w9V/y90DwruJdzZ0TesbsFit2nM3Axie7HX2wIpbl2hyvvhX/AxZ0NPud
|
||||||
|
Vh58wNogsKOMUN6guU+RzL5L6vF+QjfzBCtOE+CRmUD60E0LdQHzElBcF0tbc2cj
|
||||||
|
2YelZ0Dp+4NEBDjCNsSv//5hHacUxxXQdwwotLUV85iErEZgcGyMNnTMsw7JIh39
|
||||||
|
UBgOEmQgfpfOUlH+/5WmRO+kskvPCACz1SR8gzAKz9Nu9r3UyE+gWaZzM2+CpQ1s
|
||||||
|
zEd94MIapHxJw9vHogL7sNkjmZ34Y9eQmoCVevqDVpYEdTtLsg9H49+pEndQHI6l
|
||||||
|
GAB7QlsPLN8A17L2l3p68BFcYkSZR4GuXAyQguq3KzWYDZ9PjWAV5lhVg6K3GaV7
|
||||||
|
fvn2pKCk4P5Y5hZt08fholt3k/5Gc82CP6rfgQFi7HnpBJKRauoIdsvUPvXZYTLl
|
||||||
|
TaE5jLBAwxm+wF6Ue/nRPJMCAwEAAQ==
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
|
PPK;
|
||||||
|
|
||||||
|
|
||||||
|
static $client_private_key_2 = <<<PPK
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIJJwIBAAKCAgBHhlSRoBMo9uYJyHPr0g54EzzKrpjNBUDqnTztggsIfXR3A73T
|
||||||
|
olGmeXTECu+QIAyEtGGDylp4cJhyworIwzdAfMCY9Xux5B+Vo0Kyte2JMvwzanNL
|
||||||
|
hiT21rVw56ZfyxkCJKUxz3wba0kIWQyW+kvwLhvbQzmexHnQs15qsfP4o2MEFVTC
|
||||||
|
H2ohQ57OJ8BOSU8XfddCWommmFAQcQwGXYh9woky4NOpGBqbnGBXgWF2rnbD0GYL
|
||||||
|
1Sd3OSrgTHG3WrG95UizOcV9uijI8vWxczVlP7sriaY7Xetcbh+Z5AbAf9TMOucc
|
||||||
|
RFaM/KlovR7sOcQDO1NzqlL/PRzCfzcNId22Q6uV3QE2hzRKfd+lKI1YmFrVJ0Sn
|
||||||
|
WlSdeX7kkWn/+eQ4WfkK9hmv4/0bzQYo1XCopEpjefZoWiErCAt4nEt2wr6f6BmS
|
||||||
|
jTGVajGlhn7q8wwBBHfjAUfCgIAk8uGNGWkegvytTYywLnyNEF8tHcdg+We+W6it
|
||||||
|
qJ5bQNFHa9uxX+haURoTOcGqxN8n2LPcLoLU7xqZY23wpeXO7anzqheGSQUHb56r
|
||||||
|
WqcCRQ9jF/1RLCyyVd9eOEZF6Ke53qpLQxibhqnZfba0zOKqhbxod6RSOswSF3ww
|
||||||
|
HoIj+6SRNKgui4DDcMMc+bsndr/KUDxaYpiuIn2KVE6kd5a0t8BHgdu/yQIDAQAB
|
||||||
|
AoICADyfO3COZ47x7Tnff3kh+geF7qGvaG1lBYeVK/32mdlhU+RH9I2650+dY/2B
|
||||||
|
c1kKAPI9XOVyDkpEzMF/6FePNnZfBnLepi+5tZeD39VO43zFDQObNwuNMClTBEgk
|
||||||
|
31wT7Sdm3ekg/gTTYvxDVatljBWPTycBjIXn64Obc+wk1i8odJUSa1t5et+ky6Xa
|
||||||
|
BWGVOwcjLt7blA3yzPGSj2mZv0UwLE9GRb/tYSgBW5rvWydXaew/5y4iRSgE+TVR
|
||||||
|
NZT9tubHvl3CGoSc01K2ss3rYxdk9ARLz+xDh2g5Immx3pMsBbXwOtA3j9BBmmje
|
||||||
|
2qXHtD40+19uvpf9OTIU1xk3Wg3rXIWzi8cE8uSo9L9JiiSNyTb7XA3wLUAYWFtO
|
||||||
|
g5UU3OeHLBtxhBa/gEn71RKZ6gUNUiwk7eygCbO/N71NZNY9L2NDOLLsBUjVTdei
|
||||||
|
ggnmsg7HIi9ydHKjCQPg+DdbqmZFWNXearNDdqWHumUvRt2xkB/t4N4znd8LAsqV
|
||||||
|
R2Cfr/pr9VMCbWUHdgq0AnyaFr8oRxXkNhekg1jR/INz3UwCfAa9OIyPYdIEm4zy
|
||||||
|
/a2n0ZcM4IcGlc/KZSE1R5MxQgP5T2cn+LFZ1XiAWl8ToMcqZQ/o00PlVE7LScZS
|
||||||
|
yrYul1UKwQCyHursJegnJveK8dR/Mh24bubYi2S0Gg2l4ILxAoIBAQCIGDm/zupU
|
||||||
|
5r+V7uccuL4r5NNdMr3Bmo9dZElbrjI5/5VuqQUhfUbDpSJ3B8aXA30ZQO/utW/u
|
||||||
|
Q9cpvdcsx+66qfBdeCAKlebeDNvZtWCVJ786MVsJgVpyNBwd9KwJ7vDqp6cXQsgb
|
||||||
|
7cjDbWVXB+uY1MWFnsmUxGM++wWlxE8Jc9h/ssYgi8kl6HdgC3INJdWHlOQhZhGp
|
||||||
|
5LADaEiNlSailH5aNkinxRYTmQkoiKbde1vpHisHu+PKZkezrTpfySfsVfZlCdOx
|
||||||
|
GdfMj7eOmWTjXEToWAW9DP4obY86pYkLHQxAvRjFj/U5C8X/ndwQJZa+nO7obwxq
|
||||||
|
5jeVuSyuY1rlAoIBAQCGionYkOOIsY2sBB3DX/5DMhW7sfsXFmc3aJBwn8xm24Xv
|
||||||
|
Re1G7EdDcFVX+HbUvcNDzusobvsvzpSqzaPFh7Vj8E/MITt6l7bi8Oc5cSXuLTvV
|
||||||
|
tbtkvT5yOYMymfxByqo3OeMexJBv5yS45jL3nSIKYzD2AD/Hh+cuavHrGXaOSp0J
|
||||||
|
jXdOYkePyW0ri0e0iUSO1oxzd+xbJ+Wb3F8d2f/mjkie1pElSZDpQBvc3toAKe4A
|
||||||
|
zV4OAO5vG0rTerc1M5meW8siTIq/g6nNrLlAiPxJa6uyoa4xELIchxFBqDzQM2ZJ
|
||||||
|
MQN7+DgYAmQkv42ZsHV7P/rqefYdqrL5ZNVRXG8VAoIBACqdu2euuX5Ai3m9x60c
|
||||||
|
xKAmFXG3s+fuKDqMbtRApgW3XOm8D5k/C2u0SCiRzMP5GbFQvlE3i4dGwxeVFM43
|
||||||
|
BTB6ioQaW5409ohN6oIv48CRI7ZrQiCl2tasLqnKthyeL96rBQ2podPtD9LybKtm
|
||||||
|
FYZUCk4fPOxS2ukb3dbctAs3tXG3X4dNfn1aYBc5PkuTr1u3agBzX9CdhehrPVzo
|
||||||
|
eaKrcS16liHC+3jDkTSaJfZw7IUBJ2RSl7AHeyhudDsOWGwPNwrImvt4JjUuQ8Jp
|
||||||
|
kkgH2qQO/C0I5oVuWU16DIHoZK/ZBurGe3mTkDrNCd4chynFJqKuM2s+D+XYiH9L
|
||||||
|
KWkCggEBAIKYcau9IJAsQSerKzTdthKFyGDUJ7XGclRvdF1OT/u7tOuIhgTlD1uf
|
||||||
|
68ejj717odHtRYiPCdXjAZ42VHVGAMXMm7i6vWCHaegqDVhNw5LJZ55PdGIZ7Ea2
|
||||||
|
GusAW8OFNOq8jwDrroRg6t1r3idK6KMKm5j+rupAuh/tgXxC0DjYpkyCfD+i2HHz
|
||||||
|
BLxSyzysTdcU3WqsCsqFFLTRGacBWAv1Kvq7rlJycW5oY2NnElc8XCF9N4ICV2+U
|
||||||
|
H3LeWH4U41W7JpfZkojKBgZ2VbAWCEZAdH7FwC8yVKGqXg7MfpNegTgkkoxAajqr
|
||||||
|
/4dIROvdRHxpo2b9EfDEJEw/G22Jeu0CggEAY5RvSLR91s+QR8sg8/y3GEUPfdEB
|
||||||
|
bUzdAf7TaJAzER4rhlWliC//aNHEC9JO+wCNMbCdV56F6ajDbrGXYiSDfZrB2nnA
|
||||||
|
XgPCIPgyy92NDMzSKGvCHwNXvJRrG5OmK02qLP4akmz2ZyAw+xWaudNxoZR5aqlN
|
||||||
|
bgZP149ecpJTiQVkfT4U2IID2Lj7nSaAn0BS9c6dKfh28yFO+wB8a1A5YFKWRgf0
|
||||||
|
SzdaPvasTSwmstL2Q7fm2d+PsRchnc+u8B+TlDVkHPI0K2ALC92Mhl7Tw4KwENds
|
||||||
|
pedgcMaklTsqGgEkbCKQ9VlJUWQuhkSRGhYzg4qucl1uoU2VU2d2X/qOWg==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
PPK;
|
||||||
|
|
||||||
|
static $client_public_key_2 = <<<PPK
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MIICITANBgkqhkiG9w0BAQEFAAOCAg4AMIICCQKCAgBHhlSRoBMo9uYJyHPr0g54
|
||||||
|
EzzKrpjNBUDqnTztggsIfXR3A73TolGmeXTECu+QIAyEtGGDylp4cJhyworIwzdA
|
||||||
|
fMCY9Xux5B+Vo0Kyte2JMvwzanNLhiT21rVw56ZfyxkCJKUxz3wba0kIWQyW+kvw
|
||||||
|
LhvbQzmexHnQs15qsfP4o2MEFVTCH2ohQ57OJ8BOSU8XfddCWommmFAQcQwGXYh9
|
||||||
|
woky4NOpGBqbnGBXgWF2rnbD0GYL1Sd3OSrgTHG3WrG95UizOcV9uijI8vWxczVl
|
||||||
|
P7sriaY7Xetcbh+Z5AbAf9TMOuccRFaM/KlovR7sOcQDO1NzqlL/PRzCfzcNId22
|
||||||
|
Q6uV3QE2hzRKfd+lKI1YmFrVJ0SnWlSdeX7kkWn/+eQ4WfkK9hmv4/0bzQYo1XCo
|
||||||
|
pEpjefZoWiErCAt4nEt2wr6f6BmSjTGVajGlhn7q8wwBBHfjAUfCgIAk8uGNGWke
|
||||||
|
gvytTYywLnyNEF8tHcdg+We+W6itqJ5bQNFHa9uxX+haURoTOcGqxN8n2LPcLoLU
|
||||||
|
7xqZY23wpeXO7anzqheGSQUHb56rWqcCRQ9jF/1RLCyyVd9eOEZF6Ke53qpLQxib
|
||||||
|
hqnZfba0zOKqhbxod6RSOswSF3wwHoIj+6SRNKgui4DDcMMc+bsndr/KUDxaYpiu
|
||||||
|
In2KVE6kd5a0t8BHgdu/yQIDAQAB
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
|
PPK;
|
||||||
|
|
||||||
|
|
||||||
public function run()
|
public function run()
|
||||||
{
|
{
|
||||||
|
|
||||||
Eloquent::unguard();
|
Eloquent::unguard();
|
||||||
|
|
||||||
|
$member_table = <<<SQL
|
||||||
|
CREATE TABLE Member
|
||||||
|
(
|
||||||
|
ID integer primary key,
|
||||||
|
FirstName varchar(50),
|
||||||
|
Surname varchar(50),
|
||||||
|
Email varchar(254),
|
||||||
|
Password varchar(254),
|
||||||
|
PasswordEncryption varchar(50),
|
||||||
|
Salt varchar(50),
|
||||||
|
Locale varchar(6),
|
||||||
|
Address varchar(255),
|
||||||
|
City varchar(64),
|
||||||
|
Suburb varchar(64),
|
||||||
|
State varchar(64),
|
||||||
|
Postcode varchar(64),
|
||||||
|
Country varchar(2),
|
||||||
|
Gender varchar(32)
|
||||||
|
);
|
||||||
|
SQL;
|
||||||
|
|
||||||
|
DB::connection('os_members')->statement($member_table);
|
||||||
|
|
||||||
|
Member::create(
|
||||||
|
array(
|
||||||
|
'ID' => 1,
|
||||||
|
'FirstName' => 'Sebastian',
|
||||||
|
'Surname' => 'Marcet',
|
||||||
|
'Email' => 'sebastian@tipit.net',
|
||||||
|
'Password' => '1qaz2wsx',
|
||||||
|
'PasswordEncryption' => 'none',
|
||||||
|
'Salt' => 'none',
|
||||||
|
'Gender' => 'male',
|
||||||
|
'Address' => 'Av. Siempre Viva 111',
|
||||||
|
'Suburb' => 'Lanus Este',
|
||||||
|
'State' => 'Buenos Aires',
|
||||||
|
'City' => 'Lanus',
|
||||||
|
'Postcode' => '1824',
|
||||||
|
'Country' => 'AR',
|
||||||
|
'Locale' => 'ESP',
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
Member::create(
|
||||||
|
array(
|
||||||
|
'ID' => 2,
|
||||||
|
'FirstName' => 'Sebastian',
|
||||||
|
'Surname' => 'Marcet',
|
||||||
|
'Email' => 'sebastian+1@tipit.net',
|
||||||
|
'Password' => '1qaz2wsx',
|
||||||
|
'PasswordEncryption' => 'none',
|
||||||
|
'Salt' => 'none',
|
||||||
|
'Gender' => 'male',
|
||||||
|
'Address' => 'Av. Siempre Viva 111',
|
||||||
|
'Suburb' => 'Lanus Este',
|
||||||
|
'State' => 'Buenos Aires',
|
||||||
|
'City' => 'Lanus',
|
||||||
|
'Postcode' => '1824',
|
||||||
|
'Country' => 'AR',
|
||||||
|
'Locale' => 'ESP',
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
Member::create(
|
||||||
|
array(
|
||||||
|
'ID' => 3,
|
||||||
|
'FirstName' => 'Sebastian',
|
||||||
|
'Surname' => 'Marcet',
|
||||||
|
'Email' => 'sebastian+2@tipit.net',
|
||||||
|
'Password' => '1qaz2wsx',
|
||||||
|
'PasswordEncryption' => 'none',
|
||||||
|
'Salt' => 'none',
|
||||||
|
'Gender' => 'male',
|
||||||
|
'Address' => 'Av. Siempre Viva 111',
|
||||||
|
'Suburb' => 'Lanus Este',
|
||||||
|
'State' => 'Buenos Aires',
|
||||||
|
'City' => 'Lanus',
|
||||||
|
'Postcode' => '1824',
|
||||||
|
'Country' => 'AR',
|
||||||
|
'Locale' => 'ESP',
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
DB::table('banned_ips')->delete();
|
DB::table('banned_ips')->delete();
|
||||||
DB::table('user_exceptions_trail')->delete();
|
DB::table('user_exceptions_trail')->delete();
|
||||||
DB::table('server_configuration')->delete();
|
DB::table('server_configuration')->delete();
|
||||||
@ -23,10 +254,12 @@ class TestSeeder extends Seeder {
|
|||||||
DB::table('oauth2_client_authorized_uri')->delete();
|
DB::table('oauth2_client_authorized_uri')->delete();
|
||||||
DB::table('oauth2_access_token')->delete();
|
DB::table('oauth2_access_token')->delete();
|
||||||
DB::table('oauth2_refresh_token')->delete();
|
DB::table('oauth2_refresh_token')->delete();
|
||||||
|
DB::table('oauth2_assymetric_keys')->delete();
|
||||||
DB::table('oauth2_client')->delete();
|
DB::table('oauth2_client')->delete();
|
||||||
|
|
||||||
DB::table('openid_trusted_sites')->delete();
|
DB::table('openid_trusted_sites')->delete();
|
||||||
DB::table('openid_associations')->delete();
|
DB::table('openid_associations')->delete();
|
||||||
|
DB::table('user_actions')->delete();
|
||||||
DB::table('openid_users')->delete();
|
DB::table('openid_users')->delete();
|
||||||
|
|
||||||
DB::table('oauth2_api_endpoint_api_scope')->delete();
|
DB::table('oauth2_api_endpoint_api_scope')->delete();
|
||||||
@ -53,6 +286,31 @@ class TestSeeder extends Seeder {
|
|||||||
|
|
||||||
$this->seedApis();
|
$this->seedApis();
|
||||||
//scopes
|
//scopes
|
||||||
|
|
||||||
|
ApiScope::create(
|
||||||
|
array(
|
||||||
|
'name' => OAuth2Protocol::OpenIdConnect_Scope,
|
||||||
|
'short_description' => 'OIDC',
|
||||||
|
'description' => 'OIDC',
|
||||||
|
'api_id' => null,
|
||||||
|
'system' => true,
|
||||||
|
'default' => true,
|
||||||
|
'active' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
ApiScope::create(
|
||||||
|
array(
|
||||||
|
'name' => OAuth2Protocol::OfflineAccess_Scope,
|
||||||
|
'short_description' => 'allow to emit refresh tokens (offline access without user presence)',
|
||||||
|
'description' => 'allow to emit refresh tokens (offline access without user presence)',
|
||||||
|
'api_id' => null,
|
||||||
|
'system' => true,
|
||||||
|
'default' => true,
|
||||||
|
'active' => true,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
$this->seedResourceServerScopes();
|
$this->seedResourceServerScopes();
|
||||||
$this->seedApiScopes();
|
$this->seedApiScopes();
|
||||||
$this->seedApiEndpointScopes();
|
$this->seedApiEndpointScopes();
|
||||||
@ -308,7 +566,7 @@ class TestSeeder extends Seeder {
|
|||||||
User::create(
|
User::create(
|
||||||
array(
|
array(
|
||||||
'identifier' => 'sebastian.marcet',
|
'identifier' => 'sebastian.marcet',
|
||||||
'external_identifier' => 13867,
|
'external_identifier' => 1,
|
||||||
'last_login_date' => gmdate("Y-m-d H:i:s", time())
|
'last_login_date' => gmdate("Y-m-d H:i:s", time())
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
@ -323,18 +581,72 @@ class TestSeeder extends Seeder {
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
$now = new \DateTime();
|
||||||
|
|
||||||
Client::create(
|
Client::create(
|
||||||
array(
|
array(
|
||||||
'app_name' => 'oauth2_test_app',
|
'app_name' => 'oauth2_test_app',
|
||||||
'app_description' => 'oauth2_test_app',
|
'app_description' => 'oauth2_test_app',
|
||||||
'app_logo' => null,
|
'app_logo' => null,
|
||||||
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x.openstack.client',
|
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x.openstack.client',
|
||||||
'client_secret' => 'ITc/6Y5N7kOtGKhg',
|
'client_secret' => 'ITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhg',
|
||||||
'client_type' => IClient::ClientType_Confidential,
|
'client_type' => IClient::ClientType_Confidential,
|
||||||
'application_type' => IClient::ApplicationType_Web_App,
|
'application_type' => IClient::ApplicationType_Web_App,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_ClientSecretBasic,
|
||||||
'user_id' => $user->id,
|
'user_id' => $user->id,
|
||||||
'rotate_refresh_token' => true,
|
'rotate_refresh_token' => true,
|
||||||
'use_refresh_token' => true
|
'use_refresh_token' => true,
|
||||||
|
'redirect_uris' => 'https://www.test.com/oauth2,https://op.certification.openid.net:60393/authz_cb',
|
||||||
|
'id_token_signed_response_alg' => JSONWebSignatureAndEncryptionAlgorithms::HS512,
|
||||||
|
'id_token_encrypted_response_alg' => JSONWebSignatureAndEncryptionAlgorithms::RSA_OAEP_256,
|
||||||
|
'id_token_encrypted_response_enc' => JSONWebSignatureAndEncryptionAlgorithms::A256CBC_HS512,
|
||||||
|
'client_secret_expires_at' => $now->add(new \DateInterval('P6M')),
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
Client::create(
|
||||||
|
array
|
||||||
|
(
|
||||||
|
'app_name' => 'oauth2_test_app2',
|
||||||
|
'app_description' => 'oauth2_test_app2',
|
||||||
|
'app_logo' => null,
|
||||||
|
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x2.openstack.client',
|
||||||
|
'client_secret' => 'ITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhg',
|
||||||
|
'client_type' => IClient::ClientType_Confidential,
|
||||||
|
'application_type' => IClient::ApplicationType_Web_App,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_ClientSecretJwt,
|
||||||
|
'token_endpoint_auth_signing_alg' => JSONWebSignatureAndEncryptionAlgorithms::HS512,
|
||||||
|
'subject_type' => IClient::SubjectType_Pairwise,
|
||||||
|
'user_id' => $user->id,
|
||||||
|
'rotate_refresh_token' => true,
|
||||||
|
'use_refresh_token' => true,
|
||||||
|
'redirect_uris' => 'https://www.test.com/oauth2',
|
||||||
|
'id_token_signed_response_alg' => JSONWebSignatureAndEncryptionAlgorithms::HS512,
|
||||||
|
'id_token_encrypted_response_alg' => JSONWebSignatureAndEncryptionAlgorithms::RSA_OAEP_256,
|
||||||
|
'id_token_encrypted_response_enc' => JSONWebSignatureAndEncryptionAlgorithms::A256CBC_HS512,
|
||||||
|
|
||||||
|
'client_secret_expires_at' => $now->add(new \DateInterval('P6M')),
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
Client::create
|
||||||
|
(
|
||||||
|
array(
|
||||||
|
'app_name' => 'oauth2_test_app3',
|
||||||
|
'app_description' => 'oauth2_test_app3',
|
||||||
|
'app_logo' => null,
|
||||||
|
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwTlfSyQ33.openstack.client',
|
||||||
|
'client_secret' => 'ITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhgITc/6Y5N7kOtGKhgITc/6Y5N585OtGKhg55',
|
||||||
|
'client_type' => IClient::ClientType_Confidential,
|
||||||
|
'application_type' => IClient::ApplicationType_Web_App,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_ClientSecretBasic,
|
||||||
|
'user_id' => $user->id,
|
||||||
|
'rotate_refresh_token' => true,
|
||||||
|
'use_refresh_token' => true,
|
||||||
|
'redirect_uris' => 'https://www.test.com/oauth2',
|
||||||
|
'id_token_signed_response_alg' => JSONWebSignatureAndEncryptionAlgorithms::HS512,
|
||||||
|
'userinfo_signed_response_alg' => JSONWebSignatureAndEncryptionAlgorithms::RS512,
|
||||||
|
'client_secret_expires_at' => $now->add(new \DateInterval('P6M')),
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -344,12 +656,15 @@ class TestSeeder extends Seeder {
|
|||||||
'app_description' => 'oauth2.service',
|
'app_description' => 'oauth2.service',
|
||||||
'app_logo' => null,
|
'app_logo' => null,
|
||||||
'client_id' => '11z87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x.openstack.client',
|
'client_id' => '11z87D8/Vcvr6fvQbH4HyNgwTlfSyQ3x.openstack.client',
|
||||||
'client_secret' => '11c/6Y5N7kOtGKhg',
|
'client_secret' => '11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhg',
|
||||||
'client_type' => IClient::ClientType_Confidential,
|
'client_type' => IClient::ClientType_Confidential,
|
||||||
'application_type' => IClient::ApplicationType_Service,
|
'application_type' => IClient::ApplicationType_Service,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_ClientSecretBasic,
|
||||||
'user_id' => $user->id,
|
'user_id' => $user->id,
|
||||||
'rotate_refresh_token' => true,
|
'rotate_refresh_token' => true,
|
||||||
'use_refresh_token' => true
|
'use_refresh_token' => true,
|
||||||
|
'redirect_uris' => 'https://www.test.com/oauth2',
|
||||||
|
'client_secret_expires_at' => $now->add(new \DateInterval('P6M')),
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -360,11 +675,49 @@ class TestSeeder extends Seeder {
|
|||||||
'app_logo' => null,
|
'app_logo' => null,
|
||||||
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwKlfSyQ3x.openstack.client',
|
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwKlfSyQ3x.openstack.client',
|
||||||
'client_secret' => null,
|
'client_secret' => null,
|
||||||
'client_type' => IClient::ClientType_Public,
|
|
||||||
'application_type' => IClient::ApplicationType_JS_Client,
|
'application_type' => IClient::ApplicationType_JS_Client,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_PrivateKeyJwt,
|
||||||
|
'token_endpoint_auth_signing_alg' => JSONWebSignatureAndEncryptionAlgorithms::RS512,
|
||||||
'user_id' => $user->id,
|
'user_id' => $user->id,
|
||||||
'rotate_refresh_token' => false,
|
'rotate_refresh_token' => false,
|
||||||
'use_refresh_token' => false
|
'use_refresh_token' => false,
|
||||||
|
'redirect_uris' => 'https://www.test.com/oauth2',
|
||||||
|
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
Client::create(
|
||||||
|
array(
|
||||||
|
'app_name' => 'oauth2_native_app',
|
||||||
|
'app_description' => 'oauth2_native_app',
|
||||||
|
'app_logo' => null,
|
||||||
|
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwKlfSyQ3x.android.openstack.client',
|
||||||
|
'client_secret' => '11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhgfdfdfdf',
|
||||||
|
'client_type' => IClient::ClientType_Confidential,
|
||||||
|
'application_type' => IClient::ApplicationType_Native,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_ClientSecretBasic,
|
||||||
|
'user_id' => $user->id,
|
||||||
|
'rotate_refresh_token' => true,
|
||||||
|
'use_refresh_token' => true,
|
||||||
|
'redirect_uris' => 'androipapp://oidc_endpoint_callback',
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
Client::create(
|
||||||
|
array(
|
||||||
|
'app_name' => 'oauth2_native_app2',
|
||||||
|
'app_description' => 'oauth2_native_app2',
|
||||||
|
'app_logo' => null,
|
||||||
|
'client_id' => 'Jiz87D8/Vcvr6fvQbH4HyNgwKlfSyQ3x.android2.openstack.client',
|
||||||
|
'client_secret' => '11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhg11c/6Y5N7kOtGKhgfdfdfdf',
|
||||||
|
'client_type' => IClient::ClientType_Confidential,
|
||||||
|
'application_type' => IClient::ApplicationType_Native,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_PrivateKeyJwt,
|
||||||
|
'token_endpoint_auth_signing_alg' => JSONWebSignatureAndEncryptionAlgorithms::RS512,
|
||||||
|
'user_id' => $user->id,
|
||||||
|
'rotate_refresh_token' => true,
|
||||||
|
'use_refresh_token' => true,
|
||||||
|
'redirect_uris' => 'androipapp://oidc_endpoint_callback2',
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -379,7 +732,8 @@ class TestSeeder extends Seeder {
|
|||||||
'application_type' => IClient::ApplicationType_JS_Client,
|
'application_type' => IClient::ApplicationType_JS_Client,
|
||||||
'user_id' => $user->id,
|
'user_id' => $user->id,
|
||||||
'rotate_refresh_token' => false,
|
'rotate_refresh_token' => false,
|
||||||
'use_refresh_token' => false
|
'use_refresh_token' => false,
|
||||||
|
'redirect_uris' => 'https://www.test.com/oauth2'
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -389,47 +743,158 @@ class TestSeeder extends Seeder {
|
|||||||
'app_description' => 'resource_server_client',
|
'app_description' => 'resource_server_client',
|
||||||
'app_logo' => null,
|
'app_logo' => null,
|
||||||
'client_id' => 'resource.server.1.openstack.client',
|
'client_id' => 'resource.server.1.openstack.client',
|
||||||
'client_secret' => '123456789',
|
'client_secret' => '123456789123456789123456789123456789123456789',
|
||||||
'client_type' => IClient::ClientType_Confidential,
|
'client_type' => IClient::ClientType_Confidential,
|
||||||
'application_type' => IClient::ApplicationType_Service,
|
'application_type' => IClient::ApplicationType_Service,
|
||||||
|
'token_endpoint_auth_method' => OAuth2Protocol::TokenEndpoint_AuthMethod_ClientSecretBasic,
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'rotate_refresh_token' => false,
|
'rotate_refresh_token' => false,
|
||||||
'use_refresh_token' => false
|
'use_refresh_token' => false,
|
||||||
|
'client_secret_expires_at' => $now->add(new \DateInterval('P6M')),
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
$client_confidential = Client::where('app_name','=','oauth2_test_app')->first();
|
$client_confidential = Client::where('app_name','=','oauth2_test_app')->first();
|
||||||
$client_public = Client::where('app_name','=','oauth2_test_app_public')->first();
|
$client_confidential2 = Client::where('app_name','=','oauth2_test_app2')->first();
|
||||||
$client_service = Client::where('app_name','=','oauth2.service')->first();
|
$client_confidential3 = Client::where('app_name','=','oauth2_test_app3')->first();
|
||||||
//attach scopes
|
$client_public = Client::where('app_name','=','oauth2_test_app_public')->first();
|
||||||
|
$client_service = Client::where('app_name','=','oauth2.service')->first();
|
||||||
|
$client_native = Client::where('app_name','=','oauth2_native_app')->first();
|
||||||
|
$client_native2 = Client::where('app_name','=','oauth2_native_app2')->first();
|
||||||
|
|
||||||
|
//attach all scopes
|
||||||
$scopes = ApiScope::get();
|
$scopes = ApiScope::get();
|
||||||
foreach($scopes as $scope){
|
foreach($scopes as $scope)
|
||||||
|
{
|
||||||
$client_confidential->scopes()->attach($scope->id);
|
$client_confidential->scopes()->attach($scope->id);
|
||||||
|
$client_confidential2->scopes()->attach($scope->id);
|
||||||
|
$client_confidential3->scopes()->attach($scope->id);
|
||||||
$client_public->scopes()->attach($scope->id);
|
$client_public->scopes()->attach($scope->id);
|
||||||
$client_service->scopes()->attach($scope->id);
|
$client_service->scopes()->attach($scope->id);
|
||||||
|
$client_native->scopes()->attach($scope->id);
|
||||||
|
$client_native2->scopes()->attach($scope->id);
|
||||||
}
|
}
|
||||||
//add uris
|
|
||||||
ClientAuthorizedUri::create(
|
$now = new \DateTime('now');
|
||||||
array(
|
$to = new \DateTime('now');
|
||||||
'uri' => 'https://www.test.com/oauth2',
|
$to->add(new \DateInterval('P31D'));
|
||||||
'client_id' => $client_confidential->id
|
|
||||||
)
|
$public_key_1 = ClientPublicKey::buildFromPEM(
|
||||||
|
'public_key_1',
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Encryption,
|
||||||
|
self::$client_public_key_1,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RSA_OAEP_256,
|
||||||
|
true,
|
||||||
|
$now,
|
||||||
|
$to
|
||||||
);
|
);
|
||||||
|
|
||||||
//add uris
|
$public_key_1->oauth2_client_id = $client_confidential->id;
|
||||||
ClientAllowedOrigin::create(
|
$public_key_1->save();
|
||||||
array(
|
|
||||||
'allowed_origin' => 'https://www.test.com/oauth2',
|
$public_key_2 = ClientPublicKey::buildFromPEM(
|
||||||
'client_id' => $client_confidential->id
|
'public_key_2',
|
||||||
)
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Signature,
|
||||||
|
self::$client_public_key_2,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RS512,
|
||||||
|
true,
|
||||||
|
$now,
|
||||||
|
$to
|
||||||
);
|
);
|
||||||
|
|
||||||
ClientAuthorizedUri::create(
|
$public_key_2->oauth2_client_id = $client_confidential->id;
|
||||||
array(
|
$public_key_2->save();
|
||||||
'uri'=>'https://www.test.com/oauth2',
|
|
||||||
'client_id'=>$client_public->id
|
// confidential client 2
|
||||||
)
|
$public_key_11 = ClientPublicKey::buildFromPEM(
|
||||||
|
'public_key_1',
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Encryption,
|
||||||
|
self::$client_public_key_1,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RSA_OAEP_256,
|
||||||
|
true,
|
||||||
|
$now,
|
||||||
|
$to
|
||||||
);
|
);
|
||||||
|
|
||||||
|
$public_key_11->oauth2_client_id = $client_confidential2->id;
|
||||||
|
$public_key_11->save();
|
||||||
|
|
||||||
|
$public_key_22 = ClientPublicKey::buildFromPEM(
|
||||||
|
'public_key_2',
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Signature,
|
||||||
|
self::$client_public_key_2,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RS512,
|
||||||
|
true,
|
||||||
|
$now,
|
||||||
|
$to
|
||||||
|
);
|
||||||
|
|
||||||
|
$public_key_22->oauth2_client_id = $client_confidential2->id;
|
||||||
|
$public_key_22->save();
|
||||||
|
|
||||||
|
// public native client
|
||||||
|
$public_key_33 = ClientPublicKey::buildFromPEM(
|
||||||
|
'public_key_33',
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Encryption,
|
||||||
|
self::$client_public_key_1,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RSA_OAEP_256,
|
||||||
|
true,
|
||||||
|
$now,
|
||||||
|
$to
|
||||||
|
);
|
||||||
|
|
||||||
|
$public_key_33->oauth2_client_id = $client_native2->id;
|
||||||
|
$public_key_33->save();
|
||||||
|
|
||||||
|
$public_key_44 = ClientPublicKey::buildFromPEM(
|
||||||
|
'public_key_44',
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Signature,
|
||||||
|
self::$client_public_key_2,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RS512,
|
||||||
|
true,
|
||||||
|
$now,
|
||||||
|
$to
|
||||||
|
);
|
||||||
|
|
||||||
|
$public_key_44->oauth2_client_id = $client_native2->id;
|
||||||
|
$public_key_44->save();
|
||||||
|
|
||||||
|
// server private keys
|
||||||
|
|
||||||
|
$pkey_1 = ServerPrivateKey::build
|
||||||
|
(
|
||||||
|
'server_key_enc',
|
||||||
|
$now,
|
||||||
|
$to,
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Encryption,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RSA1_5,
|
||||||
|
true,
|
||||||
|
TestKeys::$private_key_pem
|
||||||
|
);
|
||||||
|
|
||||||
|
$pkey_1->save();
|
||||||
|
|
||||||
|
|
||||||
|
$pkey_2 = ServerPrivateKey::build
|
||||||
|
(
|
||||||
|
'server_key_sig',
|
||||||
|
$now,
|
||||||
|
$to,
|
||||||
|
JSONWebKeyTypes::RSA,
|
||||||
|
JSONWebKeyPublicKeyUseValues::Signature,
|
||||||
|
JSONWebSignatureAndEncryptionAlgorithms::RS512,
|
||||||
|
true,
|
||||||
|
TestKeys::$private_key_pem
|
||||||
|
);
|
||||||
|
|
||||||
|
$pkey_2->save();
|
||||||
}
|
}
|
||||||
|
|
||||||
private function seedApis(){
|
private function seedApis(){
|
||||||
@ -442,7 +907,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Resource Server CRUD operations',
|
'Description' => 'Resource Server CRUD operations',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -453,7 +918,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Api CRUD operations',
|
'Description' => 'Api CRUD operations',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -465,7 +930,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Api Endpoints CRUD operations',
|
'Description' => 'Api Endpoints CRUD operations',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -476,7 +941,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Api Scopes CRUD operations',
|
'Description' => 'Api Scopes CRUD operations',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -487,7 +952,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'User Info',
|
'Description' => 'User Info',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -498,7 +963,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Marketplace Public Clouds',
|
'Description' => 'Marketplace Public Clouds',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -509,7 +974,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Marketplace Private Clouds',
|
'Description' => 'Marketplace Private Clouds',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -520,7 +985,7 @@ class TestSeeder extends Seeder {
|
|||||||
'active' => true,
|
'active' => true,
|
||||||
'Description' => 'Marketplace Consultants',
|
'Description' => 'Marketplace Consultants',
|
||||||
'resource_server_id' => $resource_server->id,
|
'resource_server_id' => $resource_server->id,
|
||||||
'logo' => asset('img/apis/server.png')
|
'logo' => asset('/assets/img/apis/server.png')
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -667,6 +1132,7 @@ class TestSeeder extends Seeder {
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private function seedApiEndpointScopes(){
|
private function seedApiEndpointScopes(){
|
||||||
@ -1363,6 +1829,27 @@ class TestSeeder extends Seeder {
|
|||||||
'http_method' => 'GET'
|
'http_method' => 'GET'
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
ApiEndpoint::create(
|
||||||
|
array(
|
||||||
|
'name' => 'get-user-claims-get',
|
||||||
|
'active' => true,
|
||||||
|
'api_id' => $users->id,
|
||||||
|
'route' => '/api/v1/users/info',
|
||||||
|
'http_method' => 'GET'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
ApiEndpoint::create(
|
||||||
|
array(
|
||||||
|
'name' => 'get-user-claims-post',
|
||||||
|
'active' => true,
|
||||||
|
'api_id' => $users->id,
|
||||||
|
'route' => '/api/v1/users/info',
|
||||||
|
'http_method' => 'POST'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
$profile_scope = ApiScope::where('name','=','profile')->first();
|
$profile_scope = ApiScope::where('name','=','profile')->first();
|
||||||
$email_scope = ApiScope::where('name','=','email')->first();
|
$email_scope = ApiScope::where('name','=','email')->first();
|
||||||
$address_scope = ApiScope::where('name','=','address')->first();
|
$address_scope = ApiScope::where('name','=','address')->first();
|
||||||
@ -1371,6 +1858,16 @@ class TestSeeder extends Seeder {
|
|||||||
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
|
|
||||||
|
$get_user_info_endpoint = ApiEndpoint::where('name','=','get-user-claims-get')->first();
|
||||||
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
|
|
||||||
|
$get_user_info_endpoint = ApiEndpoint::where('name','=','get-user-claims-post')->first();
|
||||||
|
$get_user_info_endpoint->scopes()->attach($profile_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($email_scope->id);
|
||||||
|
$get_user_info_endpoint->scopes()->attach($address_scope->id);
|
||||||
}
|
}
|
||||||
|
|
||||||
private function seedPublicCloudsEndpoints(){
|
private function seedPublicCloudsEndpoints(){
|
||||||
|
109
app/filters.php
109
app/filters.php
@ -1,4 +1,5 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
use openid\exceptions\InvalidOpenIdMessageException;
|
use openid\exceptions\InvalidOpenIdMessageException;
|
||||||
use openid\requests\OpenIdAuthenticationRequest;
|
use openid\requests\OpenIdAuthenticationRequest;
|
||||||
use openid\services\OpenIdServiceCatalog;
|
use openid\services\OpenIdServiceCatalog;
|
||||||
@ -6,6 +7,9 @@ use utils\services\ServiceLocator;
|
|||||||
use utils\services\UtilsServiceCatalog;
|
use utils\services\UtilsServiceCatalog;
|
||||||
use oauth2\services\OAuth2ServiceCatalog;
|
use oauth2\services\OAuth2ServiceCatalog;
|
||||||
use oauth2\exceptions\InvalidAuthorizationRequestException;
|
use oauth2\exceptions\InvalidAuthorizationRequestException;
|
||||||
|
use oauth2\strategies\ClientAuthContextValidatorFactory;
|
||||||
|
use services\oauth2\HttpIClientJWKSetReader;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Application & Route Filters
|
| Application & Route Filters
|
||||||
@ -19,15 +23,30 @@ use oauth2\exceptions\InvalidAuthorizationRequestException;
|
|||||||
|
|
||||||
//SAP (single access point)
|
//SAP (single access point)
|
||||||
App::before(function($request){
|
App::before(function($request){
|
||||||
try {
|
|
||||||
//checkpoint security pattern entry point
|
ClientAuthContextValidatorFactory::setTokenEndpointUrl
|
||||||
$checkpoint_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::CheckPointService);
|
(
|
||||||
if (!$checkpoint_service->check()) {
|
URL::action("OAuth2ProviderController@token")
|
||||||
return View::make('404');
|
);
|
||||||
|
|
||||||
|
ClientAuthContextValidatorFactory::setJWKSetReader
|
||||||
|
(
|
||||||
|
App::make('oauth2\services\IClientJWKSetReader')
|
||||||
|
);
|
||||||
|
|
||||||
|
if(Config::get('server.Banning_Enable', true))
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
//checkpoint security pattern entry point
|
||||||
|
$checkpoint_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::CheckPointService);
|
||||||
|
if (!$checkpoint_service->check()) {
|
||||||
|
return Response::view('404', array(), 404);
|
||||||
|
}
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
Log::error($ex);
|
||||||
|
|
||||||
|
return Response::view('404', array(), 404);
|
||||||
}
|
}
|
||||||
} catch (Exception $ex) {
|
|
||||||
Log::error($ex);
|
|
||||||
return View::make('404');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$cors = ServiceLocator::getInstance()->getService('CORSMiddleware');
|
$cors = ServiceLocator::getInstance()->getService('CORSMiddleware');
|
||||||
@ -39,15 +58,6 @@ App::after(function($request, $response){
|
|||||||
// https://www.owasp.org/index.php/List_of_useful_HTTP_headers
|
// https://www.owasp.org/index.php/List_of_useful_HTTP_headers
|
||||||
$response->headers->set('X-content-type-options','nosniff');
|
$response->headers->set('X-content-type-options','nosniff');
|
||||||
$response->headers->set('X-xss-protection','1; mode=block');
|
$response->headers->set('X-xss-protection','1; mode=block');
|
||||||
// http://tools.ietf.org/html/rfc6797
|
|
||||||
/**
|
|
||||||
* The HSTS header field below stipulates that the HSTS Policy is to
|
|
||||||
* remain in effect for one year (there are approximately 31536000
|
|
||||||
* seconds in a year)
|
|
||||||
* applies to the domain of the issuing HSTS Host and all of its
|
|
||||||
* subdomains:
|
|
||||||
*/
|
|
||||||
$response->headers->set('Strict-Transport-Security','max-age=31536000; includeSubDomains');
|
|
||||||
//cache
|
//cache
|
||||||
$response->headers->set('pragma','no-cache');
|
$response->headers->set('pragma','no-cache');
|
||||||
$response->headers->set('Expires','-1');
|
$response->headers->set('Expires','-1');
|
||||||
@ -70,11 +80,13 @@ App::after(function($request, $response){
|
|||||||
Route::filter('auth', function () {
|
Route::filter('auth', function () {
|
||||||
if (Auth::guest()) {
|
if (Auth::guest()) {
|
||||||
Session::put('url.intended', URL::full());
|
Session::put('url.intended', URL::full());
|
||||||
|
Session::save();
|
||||||
return Redirect::action('HomeController@index');
|
return Redirect::action('HomeController@index');
|
||||||
}
|
}
|
||||||
$redirect = Session::get('url.intended');
|
$redirect = Session::get('url.intended');
|
||||||
if (!empty($redirect)) {
|
if (!empty($redirect)) {
|
||||||
Session::forget('url.intended');
|
Session::forget('url.intended');
|
||||||
|
Session::save();
|
||||||
return Redirect::to($redirect);
|
return Redirect::to($redirect);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
@ -120,57 +132,15 @@ Route::filter('ajax', function()
|
|||||||
if (!Request::ajax()) App::abort(404);
|
if (!Request::ajax()) App::abort(404);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
||||||
Route::filter("openid.needs.auth.request", function () {
|
|
||||||
|
|
||||||
$memento_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::MementoService);
|
|
||||||
$openid_message = $memento_service->getCurrentRequest();
|
|
||||||
|
|
||||||
if ($openid_message == null || !$openid_message->isValid())
|
|
||||||
throw new InvalidOpenIdMessageException();
|
|
||||||
$configuration_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::ServerConfigurationService);
|
|
||||||
$auth_request = new OpenIdAuthenticationRequest($openid_message, $configuration_service->getUserIdentityEndpointURL('@identifier'));
|
|
||||||
if (!$auth_request->isValid())
|
|
||||||
throw new InvalidOpenIdMessageException();
|
|
||||||
});
|
|
||||||
|
|
||||||
Route::filter("openid.save.request", function () {
|
|
||||||
|
|
||||||
$memento_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::MementoService);
|
|
||||||
$memento_service->saveCurrentRequest();
|
|
||||||
|
|
||||||
});
|
|
||||||
|
|
||||||
Route::filter("oauth2.save.request", function () {
|
|
||||||
|
|
||||||
$memento_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::MementoService);
|
|
||||||
$memento_service->saveCurrentAuthorizationRequest();
|
|
||||||
});
|
|
||||||
|
|
||||||
Route::filter("oauth2.needs.auth.request", function () {
|
|
||||||
|
|
||||||
$memento_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::MementoService);
|
|
||||||
$oauth2_message = $memento_service->getCurrentAuthorizationRequest();
|
|
||||||
|
|
||||||
if ($oauth2_message == null || !$oauth2_message->isValid())
|
|
||||||
throw new InvalidAuthorizationRequestException();
|
|
||||||
});
|
|
||||||
|
|
||||||
Route::filter("ssl", function () {
|
Route::filter("ssl", function () {
|
||||||
if ((!Request::secure()) && (ServerConfigurationService::getConfigValue("SSL.Enable"))) {
|
if ((!Request::secure()) && (ServerConfigurationService::getConfigValue("SSL.Enable"))) {
|
||||||
$openid_memento_service = ServiceLocator::getInstance()->getService(OpenIdServiceCatalog::MementoService);
|
|
||||||
$openid_memento_service->saveCurrentRequest();
|
|
||||||
|
|
||||||
$oauth2_memento_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::MementoService);
|
|
||||||
$oauth2_memento_service->saveCurrentAuthorizationRequest();
|
|
||||||
|
|
||||||
return Redirect::secure(Request::getRequestUri());
|
return Redirect::secure(Request::getRequestUri());
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
Route::filter("oauth2.enabled",function(){
|
Route::filter("oauth2.enabled",function(){
|
||||||
if(!ServerConfigurationService::getConfigValue("OAuth2.Enable")){
|
if(!ServerConfigurationService::getConfigValue("OAuth2.Enable")){
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -179,6 +149,13 @@ Route::filter('user.owns.client.policy',function($route, $request){
|
|||||||
$authentication_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::AuthenticationService);
|
$authentication_service = ServiceLocator::getInstance()->getService(UtilsServiceCatalog::AuthenticationService);
|
||||||
$client_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::ClientService);
|
$client_service = ServiceLocator::getInstance()->getService(OAuth2ServiceCatalog::ClientService);
|
||||||
$client_id = $route->getParameter('id');
|
$client_id = $route->getParameter('id');
|
||||||
|
|
||||||
|
if(is_null($client_id))
|
||||||
|
$client_id = $route->getParameter('client_id');
|
||||||
|
|
||||||
|
if(is_null($client_id))
|
||||||
|
$client_id =Input::get('client_id',null);;
|
||||||
|
|
||||||
$client = $client_service->getClientByIdentifier($client_id);
|
$client = $client_service->getClientByIdentifier($client_id);
|
||||||
$user = $authentication_service->getCurrentUser();
|
$user = $authentication_service->getCurrentUser();
|
||||||
if (is_null($client) || intval($client->getUserId()) !== intval($user->getId()))
|
if (is_null($client) || intval($client->getUserId()) !== intval($user->getId()))
|
||||||
@ -215,8 +192,6 @@ Route::filter('is.current.user',function($route, $request){
|
|||||||
});
|
});
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
// filter to protect an api endpoint with oauth2
|
// filter to protect an api endpoint with oauth2
|
||||||
|
|
||||||
Route::filter('oauth2.protected.endpoint','OAuth2BearerAccessTokenRequestValidator');
|
Route::filter('oauth2.protected.endpoint','OAuth2BearerAccessTokenRequestValidator');
|
||||||
@ -235,10 +210,10 @@ Route::filter('oauth2.server.admin.json',function(){
|
|||||||
|
|
||||||
Route::filter('oauth2.server.admin',function(){
|
Route::filter('oauth2.server.admin',function(){
|
||||||
if (Auth::guest()) {
|
if (Auth::guest()) {
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
}
|
}
|
||||||
if(!Auth::user()->isOAuth2ServerAdmin()){
|
if(!Auth::user()->isOAuth2ServerAdmin()){
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -257,9 +232,9 @@ Route::filter('openstackid.server.admin.json',function(){
|
|||||||
|
|
||||||
Route::filter('openstackid.server.admin',function(){
|
Route::filter('openstackid.server.admin',function(){
|
||||||
if (Auth::guest()) {
|
if (Auth::guest()) {
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
}
|
}
|
||||||
if(!Auth::user()->isOpenstackIdAdmin()){
|
if(!Auth::user()->isOpenstackIdAdmin()){
|
||||||
return View::make('404');
|
return Response::view('404', array(), 404);
|
||||||
}
|
}
|
||||||
});
|
});
|
@ -13,6 +13,8 @@ use utils\services\ICheckPointService;
|
|||||||
use oauth2\IResourceServerContext;
|
use oauth2\IResourceServerContext;
|
||||||
use oauth2\services\IClientService;
|
use oauth2\services\IClientService;
|
||||||
use oauth2\models\IClient;
|
use oauth2\models\IClient;
|
||||||
|
use utils\http\HttpContentType;
|
||||||
|
use oauth2\exceptions\RevokedAccessTokenException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class OAuth2BearerAccessTokenRequestValidator
|
* Class OAuth2BearerAccessTokenRequestValidator
|
||||||
@ -20,8 +22,7 @@ use oauth2\models\IClient;
|
|||||||
* http://tools.ietf.org/html/rfc6750
|
* http://tools.ietf.org/html/rfc6750
|
||||||
* http://tools.ietf.org/html/rfc6749#section-7
|
* http://tools.ietf.org/html/rfc6749#section-7
|
||||||
*/
|
*/
|
||||||
class OAuth2BearerAccessTokenRequestValidator {
|
final class OAuth2BearerAccessTokenRequestValidator {
|
||||||
|
|
||||||
|
|
||||||
protected function getHeaders()
|
protected function getHeaders()
|
||||||
{
|
{
|
||||||
@ -49,15 +50,53 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
return $headers;
|
return $headers;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IApiEndpointService
|
||||||
|
*/
|
||||||
private $api_endpoint_service;
|
private $api_endpoint_service;
|
||||||
|
/**
|
||||||
|
* @var ITokenService
|
||||||
|
*/
|
||||||
private $token_service;
|
private $token_service;
|
||||||
|
/**
|
||||||
|
* @var ILogService
|
||||||
|
*/
|
||||||
private $log_service;
|
private $log_service;
|
||||||
|
/**
|
||||||
|
* @var ICheckPointService
|
||||||
|
*/
|
||||||
private $checkpoint_service;
|
private $checkpoint_service;
|
||||||
|
/**
|
||||||
|
* @var IResourceServerContext
|
||||||
|
*/
|
||||||
private $resource_server_context;
|
private $resource_server_context;
|
||||||
|
/**
|
||||||
|
* @var array
|
||||||
|
*/
|
||||||
private $headers;
|
private $headers;
|
||||||
|
/**
|
||||||
|
* @var IClientService
|
||||||
|
*/
|
||||||
private $client_service;
|
private $client_service;
|
||||||
|
|
||||||
public function __construct(IResourceServerContext $resource_server_context, IApiEndpointService $api_endpoint_service, ITokenService $token_service, ILogService $log_service, ICheckPointService $checkpoint_service, IClientService $client_service){
|
/**
|
||||||
|
* @param IResourceServerContext $resource_server_context
|
||||||
|
* @param IApiEndpointService $api_endpoint_service
|
||||||
|
* @param ITokenService $token_service
|
||||||
|
* @param ILogService $log_service
|
||||||
|
* @param ICheckPointService $checkpoint_service
|
||||||
|
* @param IClientService $client_service
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IResourceServerContext $resource_server_context,
|
||||||
|
IApiEndpointService $api_endpoint_service,
|
||||||
|
ITokenService $token_service,
|
||||||
|
ILogService $log_service,
|
||||||
|
ICheckPointService $checkpoint_service,
|
||||||
|
IClientService $client_service
|
||||||
|
)
|
||||||
|
{
|
||||||
$this->api_endpoint_service = $api_endpoint_service;
|
$this->api_endpoint_service = $api_endpoint_service;
|
||||||
$this->token_service = $token_service;
|
$this->token_service = $token_service;
|
||||||
$this->log_service = $log_service;
|
$this->log_service = $log_service;
|
||||||
@ -75,7 +114,8 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
{
|
{
|
||||||
$url = $route->getPath();
|
$url = $route->getPath();
|
||||||
|
|
||||||
if(strpos($url, '/') != 0){
|
if(strpos($url, '/') != 0)
|
||||||
|
{
|
||||||
$url = '/'.$url;
|
$url = '/'.$url;
|
||||||
}
|
}
|
||||||
$method = $request->getMethod();
|
$method = $request->getMethod();
|
||||||
@ -83,28 +123,54 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
// http://tools.ietf.org/id/draft-abarth-origin-03.html
|
// http://tools.ietf.org/id/draft-abarth-origin-03.html
|
||||||
$origin = $request->headers->has('Origin') ? $request->headers->get('Origin') : null;
|
$origin = $request->headers->has('Origin') ? $request->headers->get('Origin') : null;
|
||||||
|
|
||||||
try{
|
try
|
||||||
|
{
|
||||||
$endpoint = $this->api_endpoint_service->getApiEndpointByUrlAndMethod($url, $method);
|
$endpoint = $this->api_endpoint_service->getApiEndpointByUrlAndMethod($url, $method);
|
||||||
|
|
||||||
//api endpoint must be registered on db and active
|
//api endpoint must be registered on db and active
|
||||||
if(is_null($endpoint) || !$endpoint->isActive()){
|
if(is_null($endpoint) || !$endpoint->isActive())
|
||||||
throw new OAuth2ResourceServerException(400,OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,sprintf('API endpoint does not exits! (%s:%s)',$url,$method));
|
{
|
||||||
|
throw new OAuth2ResourceServerException
|
||||||
|
(
|
||||||
|
400,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
|
||||||
|
sprintf
|
||||||
|
(
|
||||||
|
'API endpoint does not exits! (%s:%s)',
|
||||||
|
$url,
|
||||||
|
$method
|
||||||
|
)
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
//check first http basic auth header
|
//check first http basic auth header
|
||||||
$auth_header = isset($this->headers['authorization'])?$this->headers['authorization']:null;
|
$auth_header = isset($this->headers['authorization'])?$this->headers['authorization']:null;
|
||||||
|
|
||||||
if(!is_null($auth_header) && !empty($auth_header))
|
if(!is_null($auth_header) && !empty($auth_header))
|
||||||
$access_token_value = BearerAccessTokenAuthorizationHeaderParser::getInstance()->parse($auth_header);
|
$access_token_value = BearerAccessTokenAuthorizationHeaderParser::getInstance()->parse($auth_header);
|
||||||
else{
|
else
|
||||||
|
{
|
||||||
// http://tools.ietf.org/html/rfc6750#section-2- 2
|
// http://tools.ietf.org/html/rfc6750#section-2- 2
|
||||||
// if access token is not on authorization header check on POST/GET params
|
// if access token is not on authorization header check on POST/GET params
|
||||||
|
if($request->headers->get('content-type') !== HttpContentType::Form)
|
||||||
|
throw new OAuth2ResourceServerException
|
||||||
|
(
|
||||||
|
400,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
|
||||||
|
'invalid content-type'
|
||||||
|
);
|
||||||
$access_token_value = Input::get(OAuth2Protocol::OAuth2Protocol_AccessToken, '');
|
$access_token_value = Input::get(OAuth2Protocol::OAuth2Protocol_AccessToken, '');
|
||||||
}
|
}
|
||||||
|
|
||||||
if(is_null($access_token_value) || empty($access_token_value))
|
if(is_null($access_token_value) || empty($access_token_value))
|
||||||
{
|
{
|
||||||
//if access token value is not set, then error
|
//if access token value is not set, then error
|
||||||
throw new OAuth2ResourceServerException(400,OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,'missing access token');
|
throw new OAuth2ResourceServerException
|
||||||
|
(
|
||||||
|
400,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
|
||||||
|
'missing access token'
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
// get access token from service
|
// get access token from service
|
||||||
@ -112,36 +178,68 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
if(is_null($access_token))
|
if(is_null($access_token))
|
||||||
throw new ExpiredAccessTokenException(sprintf('Access token %s is expired!', $access_token_value));
|
throw new ExpiredAccessTokenException(sprintf('Access token %s is expired!', $access_token_value));
|
||||||
//check token audience
|
//check token audience
|
||||||
$audience = explode(' ',$access_token->getAudience());
|
$audience = explode(' ', $access_token->getAudience());
|
||||||
if((!in_array($realm,$audience)))
|
|
||||||
throw new OAuth2ResourceServerException(401,OAuth2Protocol::OAuth2Protocol_Error_InvalidToken,'access token audience does not match');
|
if((!in_array($realm , $audience)))
|
||||||
|
throw new OAuth2ResourceServerException
|
||||||
|
(
|
||||||
|
401,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_InvalidToken,
|
||||||
|
sprintf('access token audience does not match - current_realm %s - access token audience %s',$realm, $access_token->getAudience())
|
||||||
|
);
|
||||||
|
|
||||||
//check client existence
|
//check client existence
|
||||||
$client_id = $access_token->getClientId();
|
$client_id = $access_token->getClientId();
|
||||||
$client = $this->client_service->getClientById($client_id);
|
$client = $this->client_service->getClientById($client_id);
|
||||||
|
|
||||||
if(is_null($client))
|
if(is_null($client))
|
||||||
throw new OAuth2ResourceServerException(400,OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest, 'invalid client');
|
throw new OAuth2ResourceServerException
|
||||||
|
(
|
||||||
|
400,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest,
|
||||||
|
'invalid client'
|
||||||
|
);
|
||||||
|
|
||||||
//if js client , then check if the origin is allowed ....
|
//if js client , then check if the origin is allowed ....
|
||||||
if($client->getApplicationType() == IClient::ApplicationType_JS_Client){
|
if($client->getApplicationType() == IClient::ApplicationType_JS_Client)
|
||||||
|
{
|
||||||
if(!$client->isOriginAllowed($origin))
|
if(!$client->isOriginAllowed($origin))
|
||||||
throw new OAuth2ResourceServerException(403,OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient, 'invalid origin');
|
throw new OAuth2ResourceServerException
|
||||||
|
(
|
||||||
|
403,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient,
|
||||||
|
'invalid origin'
|
||||||
|
);
|
||||||
}
|
}
|
||||||
//check scopes
|
//check scopes
|
||||||
$endpoint_scopes = explode(' ',$endpoint->getScope());
|
$endpoint_scopes = explode(' ',$endpoint->getScope());
|
||||||
$token_scopes = explode(' ',$access_token->getScope());
|
$token_scopes = explode(' ',$access_token->getScope());
|
||||||
|
|
||||||
//check token available scopes vs. endpoint scopes
|
//check token available scopes vs. endpoint scopes
|
||||||
if (count(array_intersect($endpoint_scopes, $token_scopes)) == 0)
|
if (count(array_intersect($endpoint_scopes, $token_scopes)) == 0)
|
||||||
{
|
{
|
||||||
$this->log_service->error_msg(sprintf('access token scopes (%s) does not allow to access to api url %s , needed scopes %s',$access_token->getScope(),$url,implode(' OR ',$endpoint_scopes) ));
|
$this->log_service->error_msg
|
||||||
|
(
|
||||||
|
sprintf
|
||||||
|
(
|
||||||
|
'access token scopes (%s) does not allow to access to api url %s , needed scopes %s',
|
||||||
|
$access_token->getScope(),
|
||||||
|
$url,
|
||||||
|
implode(' OR ',$endpoint_scopes)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
throw new OAuth2ResourceServerException(403,OAuth2Protocol::OAuth2Protocol_Error_InsufficientScope,
|
throw new OAuth2ResourceServerException
|
||||||
|
(
|
||||||
|
403,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_InsufficientScope,
|
||||||
'the request requires higher privileges than provided by the access token',
|
'the request requires higher privileges than provided by the access token',
|
||||||
implode(' ',$endpoint_scopes));
|
implode(' ',$endpoint_scopes)
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
$context = array(
|
$context = array
|
||||||
|
(
|
||||||
'access_token' => $access_token_value,
|
'access_token' => $access_token_value,
|
||||||
'expires_in' => $access_token->getRemainingLifetime(),
|
'expires_in' => $access_token->getRemainingLifetime(),
|
||||||
'client_id' => $client_id,
|
'client_id' => $client_id,
|
||||||
@ -154,7 +252,8 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
$this->resource_server_context->setAuthorizationContext($context);
|
$this->resource_server_context->setAuthorizationContext($context);
|
||||||
|
|
||||||
}
|
}
|
||||||
catch(OAuth2ResourceServerException $ex1){
|
catch(OAuth2ResourceServerException $ex1)
|
||||||
|
{
|
||||||
$this->log_service->error($ex1);
|
$this->log_service->error($ex1);
|
||||||
$this->checkpoint_service->trackException($ex1);
|
$this->checkpoint_service->trackException($ex1);
|
||||||
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
||||||
@ -167,7 +266,8 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
$http_response->header('WWW-Authenticate',$response->getWWWAuthenticateHeaderValue());
|
$http_response->header('WWW-Authenticate',$response->getWWWAuthenticateHeaderValue());
|
||||||
return $http_response;
|
return $http_response;
|
||||||
}
|
}
|
||||||
catch(InvalidGrantTypeException $ex2){
|
catch(InvalidGrantTypeException $ex2)
|
||||||
|
{
|
||||||
$this->log_service->error($ex2);
|
$this->log_service->error($ex2);
|
||||||
$this->checkpoint_service->trackException($ex2);
|
$this->checkpoint_service->trackException($ex2);
|
||||||
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
||||||
@ -180,7 +280,8 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
$http_response->header('WWW-Authenticate',$response->getWWWAuthenticateHeaderValue());
|
$http_response->header('WWW-Authenticate',$response->getWWWAuthenticateHeaderValue());
|
||||||
return $http_response;
|
return $http_response;
|
||||||
}
|
}
|
||||||
catch(ExpiredAccessTokenException $ex3){
|
catch(ExpiredAccessTokenException $ex3)
|
||||||
|
{
|
||||||
$this->log_service->error($ex3);
|
$this->log_service->error($ex3);
|
||||||
$this->checkpoint_service->trackException($ex3);
|
$this->checkpoint_service->trackException($ex3);
|
||||||
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
||||||
@ -193,7 +294,22 @@ class OAuth2BearerAccessTokenRequestValidator {
|
|||||||
$http_response->header('WWW-Authenticate',$response->getWWWAuthenticateHeaderValue());
|
$http_response->header('WWW-Authenticate',$response->getWWWAuthenticateHeaderValue());
|
||||||
return $http_response;
|
return $http_response;
|
||||||
}
|
}
|
||||||
catch(Exception $ex){
|
catch(RevokedAccessTokenException $ex4)
|
||||||
|
{
|
||||||
|
$this->log_service->error($ex4);
|
||||||
|
$this->checkpoint_service->trackException($ex4);
|
||||||
|
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
||||||
|
OAuth2Protocol::OAuth2Protocol_Error_InvalidToken,
|
||||||
|
'the access token provided is expired, revoked, malformed, or invalid for other reasons.',
|
||||||
|
null,
|
||||||
|
401
|
||||||
|
);
|
||||||
|
$http_response = Response::json($response->getContent(), $response->getHttpCode());
|
||||||
|
$http_response->header('WWW-Authenticate',$response->getWWWAuthenticateHeaderValue());
|
||||||
|
return $http_response;
|
||||||
|
}
|
||||||
|
catch(Exception $ex)
|
||||||
|
{
|
||||||
$this->log_service->error($ex);
|
$this->log_service->error($ex);
|
||||||
$this->checkpoint_service->trackException($ex);
|
$this->checkpoint_service->trackException($ex);
|
||||||
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
$response = new OAuth2WWWAuthenticateErrorResponse($realm,
|
||||||
|
@ -2,107 +2,113 @@
|
|||||||
|
|
||||||
return array(
|
return array(
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Validation Language Lines
|
| Validation Language Lines
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
|
||||||
| The following language lines contain the default error messages used by
|
| The following language lines contain the default error messages used by
|
||||||
| the validator class. Some of these rules have multiple versions such
|
| the validator class. Some of these rules have multiple versions such
|
||||||
| such as the size rules. Feel free to tweak each of these messages.
|
| such as the size rules. Feel free to tweak each of these messages.
|
||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
"accepted" => "The :attribute must be accepted.",
|
"accepted" => "The :attribute must be accepted.",
|
||||||
"active_url" => "The :attribute is not a valid URL.",
|
"active_url" => "The :attribute is not a valid URL.",
|
||||||
"after" => "The :attribute must be a date after :date.",
|
"after" => "The :attribute must be a date after :date.",
|
||||||
"alpha" => "The :attribute may only contain letters.",
|
"alpha" => "The :attribute may only contain letters.",
|
||||||
"alpha_dash" => "The :attribute may only contain letters, numbers, and dashes.",
|
"alpha_dash" => "The :attribute may only contain letters, numbers, and dashes.",
|
||||||
"alpha_num" => "The :attribute may only contain letters and numbers.",
|
"alpha_num" => "The :attribute may only contain letters and numbers.",
|
||||||
"array" => "The :attribute must be an array.",
|
"array" => "The :attribute must be an array.",
|
||||||
"before" => "The :attribute must be a date before :date.",
|
"before" => "The :attribute must be a date before :date.",
|
||||||
"between" => array(
|
"between" => array(
|
||||||
"numeric" => "The :attribute must be between :min - :max.",
|
"numeric" => "The :attribute must be between :min - :max.",
|
||||||
"file" => "The :attribute must be between :min - :max kilobytes.",
|
"file" => "The :attribute must be between :min - :max kilobytes.",
|
||||||
"string" => "The :attribute must be between :min - :max characters.",
|
"string" => "The :attribute must be between :min - :max characters.",
|
||||||
"array" => "The :attribute must have between :min - :max items.",
|
"array" => "The :attribute must have between :min - :max items.",
|
||||||
),
|
),
|
||||||
"confirmed" => "The :attribute confirmation does not match.",
|
"confirmed" => "The :attribute confirmation does not match.",
|
||||||
"date" => "The :attribute is not a valid date.",
|
"date" => "The :attribute is not a valid date.",
|
||||||
"date_format" => "The :attribute does not match the format :format.",
|
"date_format" => "The :attribute does not match the format :format.",
|
||||||
"different" => "The :attribute and :other must be different.",
|
"different" => "The :attribute and :other must be different.",
|
||||||
"digits" => "The :attribute must be :digits digits.",
|
"digits" => "The :attribute must be :digits digits.",
|
||||||
"digits_between" => "The :attribute must be between :min and :max digits.",
|
"digits_between" => "The :attribute must be between :min and :max digits.",
|
||||||
"email" => "The :attribute format is invalid.",
|
"email" => "The :attribute format is invalid.",
|
||||||
"exists" => "The selected :attribute is invalid.",
|
"exists" => "The selected :attribute is invalid.",
|
||||||
"image" => "The :attribute must be an image.",
|
"image" => "The :attribute must be an image.",
|
||||||
"in" => "The selected :attribute is invalid.",
|
"in" => "The selected :attribute is invalid.",
|
||||||
"integer" => "The :attribute must be an integer.",
|
"integer" => "The :attribute must be an integer.",
|
||||||
"ip" => "The :attribute must be a valid IP address.",
|
"ip" => "The :attribute must be a valid IP address.",
|
||||||
"max" => array(
|
"max" => array(
|
||||||
"numeric" => "The :attribute may not be greater than :max.",
|
"numeric" => "The :attribute may not be greater than :max.",
|
||||||
"file" => "The :attribute may not be greater than :max kilobytes.",
|
"file" => "The :attribute may not be greater than :max kilobytes.",
|
||||||
"string" => "The :attribute may not be greater than :max characters.",
|
"string" => "The :attribute may not be greater than :max characters.",
|
||||||
"array" => "The :attribute may not have more than :max items.",
|
"array" => "The :attribute may not have more than :max items.",
|
||||||
),
|
),
|
||||||
"mimes" => "The :attribute must be a file of type: :values.",
|
"mimes" => "The :attribute must be a file of type: :values.",
|
||||||
"min" => array(
|
"min" => array(
|
||||||
"numeric" => "The :attribute must be at least :min.",
|
"numeric" => "The :attribute must be at least :min.",
|
||||||
"file" => "The :attribute must be at least :min kilobytes.",
|
"file" => "The :attribute must be at least :min kilobytes.",
|
||||||
"string" => "The :attribute must be at least :min characters.",
|
"string" => "The :attribute must be at least :min characters.",
|
||||||
"array" => "The :attribute must have at least :min items.",
|
"array" => "The :attribute must have at least :min items.",
|
||||||
),
|
),
|
||||||
"not_in" => "The selected :attribute is invalid.",
|
"not_in" => "The selected :attribute is invalid.",
|
||||||
"numeric" => "The :attribute must be a number.",
|
"numeric" => "The :attribute must be a number.",
|
||||||
"regex" => "The :attribute format is invalid.",
|
"regex" => "The :attribute format is invalid.",
|
||||||
"required" => "The :attribute field is required.",
|
"required" => "The :attribute field is required.",
|
||||||
"required_if" => "The :attribute field is required when :other is :value.",
|
"required_if" => "The :attribute field is required when :other is :value.",
|
||||||
"required_with" => "The :attribute field is required when :values is present.",
|
"required_with" => "The :attribute field is required when :values is present.",
|
||||||
"required_without" => "The :attribute field is required when :values is not present.",
|
"required_without" => "The :attribute field is required when :values is not present.",
|
||||||
"same" => "The :attribute and :other must match.",
|
"same" => "The :attribute and :other must match.",
|
||||||
"size" => array(
|
"size" => array(
|
||||||
"numeric" => "The :attribute must be :size.",
|
"numeric" => "The :attribute must be :size.",
|
||||||
"file" => "The :attribute must be :size kilobytes.",
|
"file" => "The :attribute must be :size kilobytes.",
|
||||||
"string" => "The :attribute must be :size characters.",
|
"string" => "The :attribute must be :size characters.",
|
||||||
"array" => "The :attribute must contain :size items.",
|
"array" => "The :attribute must contain :size items.",
|
||||||
),
|
),
|
||||||
"unique" => "The :attribute has already been taken.",
|
"unique" => "The :attribute has already been taken.",
|
||||||
"url" => "The :attribute format is invalid.",
|
"url" => "The :attribute format is invalid.",
|
||||||
|
/*
|
||||||
|
|--------------------------------------------------------------------------
|
||||||
|
| Custom Validation Language Lines
|
||||||
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
||||||
|
| Here you may specify custom validation messages for attributes using the
|
||||||
|
| convention "attribute.rule" to name the lines. This makes it quick to
|
||||||
|
| specify a specific custom language line for a given attribute rule.
|
||||||
|
|
|
||||||
|
*/
|
||||||
|
|
||||||
/*
|
'custom' => array(),
|
||||||
|--------------------------------------------------------------------------
|
/*
|
||||||
| Custom Validation Language Lines
|
|--------------------------------------------------------------------------
|
||||||
|--------------------------------------------------------------------------
|
| Custom Validation Attributes
|
||||||
|
|
|--------------------------------------------------------------------------
|
||||||
| Here you may specify custom validation messages for attributes using the
|
|
|
||||||
| convention "attribute.rule" to name the lines. This makes it quick to
|
| The following language lines are used to swap attribute place-holders
|
||||||
| specify a specific custom language line for a given attribute rule.
|
| with something more reader friendly such as E-Mail Address instead
|
||||||
|
|
| of "email". This simply helps us make messages a little cleaner.
|
||||||
*/
|
|
|
||||||
|
*/
|
||||||
|
|
||||||
'custom' => array(),
|
'attributes' => array(),
|
||||||
|
|
||||||
/*
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
| Custom Validation Attributes
|
|
||||||
|--------------------------------------------------------------------------
|
|
||||||
|
|
|
||||||
| The following language lines are used to swap attribute place-holders
|
|
||||||
| with something more reader friendly such as E-Mail Address instead
|
|
||||||
| of "email". This simply helps us make messages a little cleaner.
|
|
||||||
|
|
|
||||||
*/
|
|
||||||
|
|
||||||
'attributes' => array(),
|
|
||||||
//custom messages
|
//custom messages
|
||||||
'boolean' => "The :attribute must be a boolean.",
|
'boolean' => "The :attribute must be a boolean.",
|
||||||
'text' => "The :attribute may only contain text.",
|
'text' => "The :attribute may only contain text.",
|
||||||
'httpmethod' => "The :attribute must be one of the following values 'GET', 'HEAD','POST','PUT','DELETE','TRACE','CONNECT' OR 'OPTIONS'.",
|
'httpmethod' => "The :attribute must be one of the following values 'GET', 'HEAD','POST','PUT','DELETE','TRACE','CONNECT' OR 'OPTIONS'.",
|
||||||
'route' => "The :attribute may be a valid http route.",
|
'route' => "The :attribute may be a valid http route.",
|
||||||
'host' => "The :attribute may be a valid host name.",
|
'host' => "The :attribute may be a valid host name.",
|
||||||
'scopename' => "The :attribute may be a valid scope name.",
|
'scopename' => "The :attribute may be a valid scope name.",
|
||||||
'applicationtype' => "The :attribute may be a valid application type.",
|
'applicationtype' => "The :attribute may be a valid application type.",
|
||||||
'sslurl' => "The :attribute may be a valid URL under ssl schema.",
|
'sslurl' => "The :attribute may be a valid URL under ssl schema.",
|
||||||
'sslorigin' => "The :attribute may be a valid HTTP origin under ssl schema.",
|
'sslorigin' => "The :attribute may be a valid HTTP origin under ssl schema.",
|
||||||
'freetext' => "The :attribute may only contain text."
|
'freetext' => "The :attribute may only contain text.",
|
||||||
|
'public_key_pem' => "The :attribute has not a valid PCK#1/PCK#8 public key format.",
|
||||||
|
'private_key_pem' => "The :attribute has not a valid PCK#1/PCK#8 private key format.",
|
||||||
|
'public_key_usage' => "The :attribute has not a valid key usage (enc, sig).",
|
||||||
|
'public_key_type'=> "The :attribute has not a valid key type (RSA).",
|
||||||
|
'private_key_password' => "The :attribute is not the right password of the PEM private key.",
|
||||||
|
'private_key_pem_length'=> "The :attribute has not a valid private key length ( at least 2048 bits ).",
|
||||||
|
'public_key_pem_length'=> "The :attribute has not a valid public key length ( at least 2048 bits ).",
|
||||||
|
'key_alg' => "The :attribute has not a valid alg parameter for the key usage.",
|
||||||
);
|
);
|
||||||
|
@ -3,42 +3,69 @@
|
|||||||
namespace auth;
|
namespace auth;
|
||||||
|
|
||||||
use Auth;
|
use Auth;
|
||||||
|
use Config;
|
||||||
|
use Crypt;
|
||||||
|
use Cookie;
|
||||||
|
use jwe\compression_algorithms\CompressionAlgorithms_Registry;
|
||||||
|
use jwe\compression_algorithms\CompressionAlgorithmsNames;
|
||||||
use Member;
|
use Member;
|
||||||
|
use oauth2\models\IClient;
|
||||||
|
use oauth2\services\IPrincipalService;
|
||||||
|
use openid\model\IOpenIdUser;
|
||||||
|
use openid\services\IUserService;
|
||||||
use Session;
|
use Session;
|
||||||
|
use utils\Base64UrlRepresentation;
|
||||||
use utils\services\IAuthService;
|
use utils\services\IAuthService;
|
||||||
|
use utils\services\ICacheService;
|
||||||
|
|
||||||
class AuthService implements IAuthService
|
/**
|
||||||
|
* Class AuthService
|
||||||
|
* @package auth
|
||||||
|
*/
|
||||||
|
final class AuthService implements IAuthService
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* @var IPrincipalService
|
||||||
|
*/
|
||||||
|
private $principal_service;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IUserService
|
||||||
|
*/
|
||||||
|
private $user_service;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var ICacheService
|
||||||
|
*/
|
||||||
|
private $cache_service;
|
||||||
|
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IPrincipalService $principal_service,
|
||||||
|
IUserService $user_service,
|
||||||
|
ICacheService $cache_service
|
||||||
|
)
|
||||||
|
{
|
||||||
|
$this->principal_service = $principal_service;
|
||||||
|
$this->user_service = $user_service;
|
||||||
|
$this->cache_service = $cache_service;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function isUserLogged()
|
public function isUserLogged()
|
||||||
{
|
{
|
||||||
$res = Auth::check();
|
return Auth::check();
|
||||||
if ($res) {
|
|
||||||
$user = $this->getCurrentUser();
|
|
||||||
if (!$user->hasAssociatedMember()) {
|
|
||||||
$this->logout();
|
|
||||||
$res = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return $res;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return mixed
|
* @return IOpenIdUser
|
||||||
*/
|
*/
|
||||||
public function getCurrentUser()
|
public function getCurrentUser()
|
||||||
{
|
{
|
||||||
$user = Auth::user();
|
return Auth::user();
|
||||||
if (!is_null($user) && !$user->hasAssociatedMember()) {
|
|
||||||
$this->logout();
|
|
||||||
$user = null;
|
|
||||||
}
|
|
||||||
|
|
||||||
return $user;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -49,12 +76,26 @@ class AuthService implements IAuthService
|
|||||||
*/
|
*/
|
||||||
public function login($username, $password, $remember_me)
|
public function login($username, $password, $remember_me)
|
||||||
{
|
{
|
||||||
return Auth::attempt(array('username' => $username, 'password' => $password), $remember_me);
|
$res = Auth::attempt(array('username' => $username, 'password' => $password), $remember_me);
|
||||||
|
|
||||||
|
if ($res)
|
||||||
|
{
|
||||||
|
$this->principal_service->clear();
|
||||||
|
$this->principal_service->register
|
||||||
|
(
|
||||||
|
$this->getCurrentUser()->getId(),
|
||||||
|
time()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $res;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function logout()
|
public function logout()
|
||||||
{
|
{
|
||||||
Auth::logout();
|
Auth::logout();
|
||||||
|
$this->principal_service->clear();
|
||||||
|
Cookie::queue('rps', null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -62,7 +103,8 @@ class AuthService implements IAuthService
|
|||||||
*/
|
*/
|
||||||
public function getUserAuthorizationResponse()
|
public function getUserAuthorizationResponse()
|
||||||
{
|
{
|
||||||
if (Session::has("openid.authorization.response")) {
|
if (Session::has("openid.authorization.response"))
|
||||||
|
{
|
||||||
$value = Session::get("openid.authorization.response");
|
$value = Session::get("openid.authorization.response");
|
||||||
|
|
||||||
return $value;
|
return $value;
|
||||||
@ -73,16 +115,23 @@ class AuthService implements IAuthService
|
|||||||
|
|
||||||
public function clearUserAuthorizationResponse()
|
public function clearUserAuthorizationResponse()
|
||||||
{
|
{
|
||||||
if (Session::has("openid.authorization.response")) {
|
if (Session::has("openid.authorization.response"))
|
||||||
|
{
|
||||||
Session::remove("openid.authorization.response");
|
Session::remove("openid.authorization.response");
|
||||||
|
Session::save();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function setUserAuthorizationResponse($auth_response)
|
public function setUserAuthorizationResponse($auth_response)
|
||||||
{
|
{
|
||||||
Session::set("openid.authorization.response", $auth_response);
|
Session::set("openid.authorization.response", $auth_response);
|
||||||
|
Session::save();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $openid
|
||||||
|
* @return IOpenIdUser
|
||||||
|
*/
|
||||||
public function getUserByOpenId($openid)
|
public function getUserByOpenId($openid)
|
||||||
{
|
{
|
||||||
$user = User::where('identifier', '=', $openid)->first();
|
$user = User::where('identifier', '=', $openid)->first();
|
||||||
@ -90,16 +139,32 @@ class AuthService implements IAuthService
|
|||||||
return $user;
|
return $user;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $username
|
||||||
|
* @return bool|IOpenIdUser
|
||||||
|
*/
|
||||||
public function getUserByUsername($username)
|
public function getUserByUsername($username)
|
||||||
{
|
{
|
||||||
$member = Member::where('Email', '=', $username)->first();
|
$member = Member::where('Email', '=', $username)->first();
|
||||||
if (!is_null($member)) {
|
if (!is_null($member))
|
||||||
return User::where('external_identifier', '=', $member->ID)->first();
|
{
|
||||||
|
$user = User::where('external_identifier', '=', $member->ID)->first();
|
||||||
|
|
||||||
|
if(!$user)
|
||||||
|
{
|
||||||
|
$user = $this->user_service->buildUser($member);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $user;
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $id
|
||||||
|
* @return IOpenIdUser
|
||||||
|
*/
|
||||||
public function getUserById($id)
|
public function getUserById($id)
|
||||||
{
|
{
|
||||||
return User::find($id);
|
return User::find($id);
|
||||||
@ -111,22 +176,164 @@ class AuthService implements IAuthService
|
|||||||
{
|
{
|
||||||
if (Session::has("openstackid.authentication.response")) {
|
if (Session::has("openstackid.authentication.response")) {
|
||||||
$value = Session::get("openstackid.authentication.response");
|
$value = Session::get("openstackid.authentication.response");
|
||||||
|
|
||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
|
|
||||||
return IAuthService::AuthenticationResponse_None;
|
return IAuthService::AuthenticationResponse_None;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function setUserAuthenticationResponse($auth_response)
|
public function setUserAuthenticationResponse($auth_response)
|
||||||
{
|
{
|
||||||
Session::set("openstackid.authentication.response", $auth_response);
|
Session::set("openstackid.authentication.response", $auth_response);
|
||||||
|
Session::save();
|
||||||
}
|
}
|
||||||
|
|
||||||
public function clearUserAuthenticationResponse()
|
public function clearUserAuthenticationResponse()
|
||||||
{
|
{
|
||||||
if (Session::has("openstackid.authentication.response")) {
|
if (Session::has("openstackid.authentication.response"))
|
||||||
|
{
|
||||||
Session::remove("openstackid.authentication.response");
|
Session::remove("openstackid.authentication.response");
|
||||||
|
Session::save();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $user_id
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function unwrapUserId($user_id)
|
||||||
|
{
|
||||||
|
$user = $this->getUserByExternaldId($user_id);
|
||||||
|
if(!is_null($user))
|
||||||
|
return $user_id;
|
||||||
|
|
||||||
|
$unwrapped_name = $this->decrypt($user_id);
|
||||||
|
$parts = explode(':', $unwrapped_name);
|
||||||
|
return intval($parts[1]);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $user_id
|
||||||
|
* @param IClient $client
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function wrapUserId($user_id, IClient $client)
|
||||||
|
{
|
||||||
|
if($client->getSubjectType() === IClient::SubjectType_Public)
|
||||||
|
return $user_id;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$wrapped_name = sprintf('%s:%s', $client->getClientId(), $user_id);
|
||||||
|
return $this->encrypt($wrapped_name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $value
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
private function encrypt($value)
|
||||||
|
{
|
||||||
|
return base64_encode(Crypt::encrypt($value));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $value
|
||||||
|
* @return String
|
||||||
|
*/
|
||||||
|
private function decrypt($value)
|
||||||
|
{
|
||||||
|
$value = base64_decode($value);
|
||||||
|
return Crypt::decrypt($value);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param int $external_id
|
||||||
|
* @return IOpenIdUser
|
||||||
|
*/
|
||||||
|
public function getUserByExternaldId($external_id)
|
||||||
|
{
|
||||||
|
$member = Member::where('ID', '=', $external_id)->first();
|
||||||
|
if (!is_null($member))
|
||||||
|
{
|
||||||
|
$user = User::where('external_identifier', '=', $member->ID)->first();
|
||||||
|
|
||||||
|
if(!$user)
|
||||||
|
{
|
||||||
|
$user = $this->user_service->buildUser($member);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $user;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getSessionId()
|
||||||
|
{
|
||||||
|
return Session::getId();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $client_id
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function registerRPLogin($client_id)
|
||||||
|
{
|
||||||
|
$rps = Cookie::get('rps');
|
||||||
|
$zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
|
||||||
|
|
||||||
|
if(!empty($rps))
|
||||||
|
{
|
||||||
|
$rps = $this->decrypt($rps);
|
||||||
|
$rps = $zlib->uncompress($rps);
|
||||||
|
$rps .= '|';
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!str_contains($rps, $client_id))
|
||||||
|
$rps .= $client_id;
|
||||||
|
|
||||||
|
$rps = $zlib->compress($rps);
|
||||||
|
$rps = $this->encrypt($rps);
|
||||||
|
|
||||||
|
Cookie::queue('rps', $rps, $minutes = 2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string[]
|
||||||
|
*/
|
||||||
|
public function getLoggedRPs()
|
||||||
|
{
|
||||||
|
$rps = Cookie::get('rps');
|
||||||
|
$zlib = CompressionAlgorithms_Registry::getInstance()->get(CompressionAlgorithmsNames::ZLib);
|
||||||
|
|
||||||
|
if(!empty($rps))
|
||||||
|
{
|
||||||
|
$rps = $this->decrypt($rps);
|
||||||
|
$rps = $zlib->uncompress($rps);
|
||||||
|
return explode('|', $rps);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $jti
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function reloadSession($jti)
|
||||||
|
{
|
||||||
|
$session_id = $this->cache_service->getSingleValue($jti);
|
||||||
|
if(empty($session_id)) throw new \Exception('session not found!');
|
||||||
|
Session::setId(Crypt::decrypt($session_id));
|
||||||
|
Session::start();
|
||||||
|
if(!Auth::check())
|
||||||
|
{
|
||||||
|
$user_id = $this->principal_service->get()->getUserId();
|
||||||
|
$user = $this->getUserById($user_id);
|
||||||
|
if(is_null($user)) throw new \Exception('user not found!');
|
||||||
|
Auth::login($user);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -2,9 +2,9 @@
|
|||||||
|
|
||||||
namespace auth;
|
namespace auth;
|
||||||
|
|
||||||
|
use App;
|
||||||
use Illuminate\Support\ServiceProvider;
|
use Illuminate\Support\ServiceProvider;
|
||||||
use utils\services\UtilsServiceCatalog;
|
use utils\services\UtilsServiceCatalog;
|
||||||
use App;
|
|
||||||
|
|
||||||
class AuthenticationServiceProvider extends ServiceProvider
|
class AuthenticationServiceProvider extends ServiceProvider
|
||||||
{
|
{
|
||||||
@ -16,7 +16,7 @@ class AuthenticationServiceProvider extends ServiceProvider
|
|||||||
public function register()
|
public function register()
|
||||||
{
|
{
|
||||||
App::singleton(UtilsServiceCatalog::AuthenticationService, 'auth\\AuthService');
|
App::singleton(UtilsServiceCatalog::AuthenticationService, 'auth\\AuthService');
|
||||||
App::singleton('auth\\IAuthenticationExtensionService', 'auth\\AuthenticationExtensionService');
|
App::singleton('auth\\IAuthenticationExtensionService', 'auth\\AuthenticationExtensionService');
|
||||||
}
|
}
|
||||||
|
|
||||||
public function provides()
|
public function provides()
|
||||||
|
@ -86,11 +86,10 @@ class CustomAuthProvider implements UserProviderInterface
|
|||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
//here we do the manuel join between 2 DB, (openid and SS db)
|
//here we do the manuel join between 2 DB, (openid and SS db)
|
||||||
$user = $this->user_repository->getByExternalId($identifier);
|
$user = $this->user_repository->getByExternalId($identifier);
|
||||||
$member = $this->member_repository->get($identifier);
|
$member = $this->member_repository->get($identifier);
|
||||||
if (!is_null($member) && !is_null($user)) {
|
if (!is_null($member) && $member->canLogin() && !is_null($user)) {
|
||||||
$user->setMember($member);
|
$user->setMember($member);
|
||||||
|
|
||||||
return $user;
|
return $user;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -110,27 +109,35 @@ class CustomAuthProvider implements UserProviderInterface
|
|||||||
*/
|
*/
|
||||||
public function retrieveByCredentials(array $credentials)
|
public function retrieveByCredentials(array $credentials)
|
||||||
{
|
{
|
||||||
$user_service = $this->user_service;
|
$user_service = $this->user_service;
|
||||||
$auth_extension_service = $this->auth_extension_service;
|
$auth_extension_service = $this->auth_extension_service;
|
||||||
$user_repository = $this->user_repository;
|
$user_repository = $this->user_repository;
|
||||||
$member_repository = $this->member_repository;
|
$member_repository = $this->member_repository;
|
||||||
|
$log_service = $this->log_service;
|
||||||
try {
|
$checkpoint_service = $this->checkpoint_service;
|
||||||
|
|
||||||
|
|
||||||
$user = $this->tx_service->transaction(function () use (
|
return $this->tx_service->transaction(function () use (
|
||||||
$credentials,
|
$credentials,
|
||||||
$user_repository,
|
$user_repository,
|
||||||
$member_repository,
|
$member_repository,
|
||||||
$user_service,
|
$user_service,
|
||||||
$auth_extension_service
|
$auth_extension_service,
|
||||||
) {
|
$log_service,
|
||||||
|
$checkpoint_service
|
||||||
|
) {
|
||||||
|
|
||||||
if (!isset($credentials['username']) || !isset($credentials['password'])) {
|
$user = null;
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
|
||||||
|
if (!isset($credentials['username']) || !isset($credentials['password']))
|
||||||
|
{
|
||||||
throw new AuthenticationException("invalid crendentials");
|
throw new AuthenticationException("invalid crendentials");
|
||||||
}
|
}
|
||||||
|
|
||||||
$email = $credentials['username'];
|
$email = $credentials['username'];
|
||||||
$password = $credentials['password'];
|
$password = $credentials['password'];
|
||||||
|
|
||||||
//get SS member
|
//get SS member
|
||||||
@ -142,10 +149,15 @@ class CustomAuthProvider implements UserProviderInterface
|
|||||||
throw new AuthenticationException(sprintf("member %s does not exists!", $email));
|
throw new AuthenticationException(sprintf("member %s does not exists!", $email));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(!$member->canLogin())
|
||||||
|
{
|
||||||
|
throw new AuthenticationException(sprintf("member %s does not exists!", $email));
|
||||||
|
}
|
||||||
|
|
||||||
$valid_password = $member->checkPassword($password);
|
$valid_password = $member->checkPassword($password);
|
||||||
|
|
||||||
if (!$valid_password) {
|
if (!$valid_password)
|
||||||
|
{
|
||||||
throw new AuthenticationInvalidPasswordAttemptException($email,
|
throw new AuthenticationInvalidPasswordAttemptException($email,
|
||||||
sprintf("invalid login attempt for user %s ", $email));
|
sprintf("invalid login attempt for user %s ", $email));
|
||||||
}
|
}
|
||||||
@ -153,54 +165,44 @@ class CustomAuthProvider implements UserProviderInterface
|
|||||||
|
|
||||||
$user = $user_repository->getByExternalId($member->ID);
|
$user = $user_repository->getByExternalId($member->ID);
|
||||||
|
|
||||||
//if user does not exists, then create it
|
if (!$user) {
|
||||||
if (is_null($user)) {
|
$user = $user_service->buildUser($member);
|
||||||
//create user
|
|
||||||
$user = new User();
|
|
||||||
$user->external_identifier = $member->ID;
|
|
||||||
$user->identifier = $member->ID;
|
|
||||||
$user->last_login_date = gmdate("Y-m-d H:i:s", time());
|
|
||||||
$user->active = true;
|
|
||||||
$user->lock = false;
|
|
||||||
$user->login_failed_attempt = 0;
|
|
||||||
$user_repository->add($user);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//check user status...
|
//check user status...
|
||||||
if ($user->lock || !$user->active) {
|
if ($user->lock || !$user->active) {
|
||||||
Log::warning(sprintf("user %s is on lock state", $email));
|
Log::warning(sprintf("user %s is on lock state", $email));
|
||||||
throw new AuthenticationLockedUserLoginAttempt($email, sprintf("user %s is on lock state", $email));
|
throw new AuthenticationLockedUserLoginAttempt($email,
|
||||||
|
sprintf("user %s is on lock state", $email));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
$user_name = strtolower($member->FirstName . "." . $member->Surname);
|
|
||||||
//do association between user and member
|
|
||||||
$user_service->associateUser($user, $user_name);
|
|
||||||
|
|
||||||
//update user fields
|
//update user fields
|
||||||
$user->last_login_date = gmdate("Y-m-d H:i:s", time());
|
$user->last_login_date = gmdate("Y-m-d H:i:s", time());
|
||||||
$user->login_failed_attempt = 0;
|
$user->login_failed_attempt = 0;
|
||||||
$user->active = true;
|
$user->active = true;
|
||||||
$user->lock = false;
|
$user->lock = false;
|
||||||
$user_repository->update($user);
|
$user_repository->update($user);
|
||||||
$user->setMember($member);
|
$user->setMember($member);
|
||||||
|
|
||||||
$auth_extensions = $auth_extension_service->getExtensions();
|
$auth_extensions = $auth_extension_service->getExtensions();
|
||||||
|
|
||||||
foreach ($auth_extensions as $auth_extension) {
|
foreach ($auth_extensions as $auth_extension)
|
||||||
|
{
|
||||||
$auth_extension->process($user);
|
$auth_extension->process($user);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $user;
|
|
||||||
|
|
||||||
});
|
}
|
||||||
} catch (Exception $ex) {
|
catch (Exception $ex)
|
||||||
$this->checkpoint_service->trackException($ex);
|
{
|
||||||
$this->log_service->error($ex);
|
$checkpoint_service->trackException($ex);
|
||||||
$user = null;
|
$log_service->error($ex);
|
||||||
}
|
$user = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $user;
|
||||||
|
});
|
||||||
|
|
||||||
return $user;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -217,12 +219,12 @@ class CustomAuthProvider implements UserProviderInterface
|
|||||||
throw new AuthenticationException("invalid crendentials");
|
throw new AuthenticationException("invalid crendentials");
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
$email = $credentials['username'];
|
$email = $credentials['username'];
|
||||||
$password = $credentials['password'];
|
$password = $credentials['password'];
|
||||||
|
|
||||||
$member = $this->member_repository->getByEmail($email);
|
$member = $this->member_repository->getByEmail($email);
|
||||||
|
|
||||||
if (!$member || !$member->checkPassword($password)) {
|
if (!$member || !$member->canLogin() || !$member->checkPassword($password)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -248,7 +250,6 @@ class CustomAuthProvider implements UserProviderInterface
|
|||||||
*/
|
*/
|
||||||
public function retrieveByToken($identifier, $token)
|
public function retrieveByToken($identifier, $token)
|
||||||
{
|
{
|
||||||
|
|
||||||
return $this->user_repository->getByToken($identifier, $token);
|
return $this->user_repository->getByToken($identifier, $token);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -263,5 +264,5 @@ class CustomAuthProvider implements UserProviderInterface
|
|||||||
$user->setAttribute($user->getRememberTokenName(), $token);
|
$user->setAttribute($user->getRememberTokenName(), $token);
|
||||||
|
|
||||||
$user->save();
|
$user->save();
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -1,17 +1,24 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
namespace auth;
|
namespace auth;
|
||||||
|
|
||||||
use Member;
|
use Member;
|
||||||
|
|
||||||
interface IMemberRepository {
|
/**
|
||||||
/**
|
* Interface IMemberRepository
|
||||||
* @param $id
|
* @package auth
|
||||||
* @return Member
|
*/
|
||||||
*/
|
interface IMemberRepository
|
||||||
public function get($id);
|
{
|
||||||
|
/**
|
||||||
|
* @param $id
|
||||||
|
* @return Member
|
||||||
|
*/
|
||||||
|
public function get($id);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param $email
|
* @param $email
|
||||||
* @return Member
|
* @return Member
|
||||||
*/
|
*/
|
||||||
public function getByEmail($email);
|
public function getByEmail($email);
|
||||||
}
|
}
|
@ -2,69 +2,51 @@
|
|||||||
|
|
||||||
namespace auth;
|
namespace auth;
|
||||||
|
|
||||||
|
use utils\db\IBaseRepository;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Interface IUserRepository
|
* Interface IUserRepository
|
||||||
* @package auth
|
* @package auth
|
||||||
*/
|
*/
|
||||||
interface IUserRepository {
|
interface IUserRepository extends IBaseRepository
|
||||||
/**
|
{
|
||||||
* @param $id
|
|
||||||
* @return User
|
/**
|
||||||
*/
|
* @param $external_id
|
||||||
public function get($id);
|
* @return User
|
||||||
|
*/
|
||||||
|
public function getByExternalId($external_id);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $filters
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
public function getByCriteria($filters);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param $filters
|
||||||
|
* @return User
|
||||||
|
*/
|
||||||
|
public function getOneByCriteria($filters);
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param $external_id
|
* @param array $filters
|
||||||
* @return User
|
* @return int
|
||||||
*/
|
*/
|
||||||
public function getByExternalId($external_id);
|
public function getCount(array $filters = array());
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param $filters
|
* @param mixed $identifier
|
||||||
* @return array
|
* @param string $token
|
||||||
*/
|
* @return User
|
||||||
public function getByCriteria($filters);
|
*/
|
||||||
|
public function getByToken($identifier, $token);
|
||||||
/**
|
|
||||||
* @param $filters
|
|
||||||
* @return User
|
|
||||||
*/
|
|
||||||
public function getOneByCriteria($filters);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param User $u
|
|
||||||
* @return bool
|
|
||||||
*/
|
|
||||||
public function update(User $u);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param User $u
|
|
||||||
* @return bool
|
|
||||||
*/
|
|
||||||
public function add(User $u);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param int $page_nbr
|
|
||||||
* @param int $page_size
|
|
||||||
* @param array $filters
|
|
||||||
* @param array $fields
|
|
||||||
* @return array
|
|
||||||
*/
|
|
||||||
public function getByPage($page_nbr = 1, $page_size = 10, array $filters = array(), array $fields = array('*'));
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param array $filters
|
* @param string $term
|
||||||
* @return int
|
* @return array
|
||||||
*/
|
*/
|
||||||
public function getCount(array $filters = array());
|
public function getByEmailOrName($term);
|
||||||
|
|
||||||
/**
|
|
||||||
* @param mixed $identifier
|
|
||||||
* @param string $token
|
|
||||||
* @return User
|
|
||||||
*/
|
|
||||||
public function getByToken($identifier, $token);
|
|
||||||
|
|
||||||
}
|
}
|
@ -6,15 +6,18 @@ use Eloquent;
|
|||||||
use Illuminate\Auth\UserInterface;
|
use Illuminate\Auth\UserInterface;
|
||||||
use Member;
|
use Member;
|
||||||
use MemberPhoto;
|
use MemberPhoto;
|
||||||
|
use oauth2\models\IApiScope;
|
||||||
|
use oauth2\models\IApiScopeGroup;
|
||||||
use oauth2\models\IOAuth2User;
|
use oauth2\models\IOAuth2User;
|
||||||
use openid\model\IOpenIdUser;
|
use openid\model\IOpenIdUser;
|
||||||
use utils\model\BaseModelEloquent;
|
use utils\model\BaseModelEloquent;
|
||||||
|
use utils\model\IEntity;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class User
|
* Class User
|
||||||
* @package auth
|
* @package auth
|
||||||
*/
|
*/
|
||||||
class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAuth2User
|
class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAuth2User, IEntity
|
||||||
{
|
{
|
||||||
protected $table = 'openid_users';
|
protected $table = 'openid_users';
|
||||||
|
|
||||||
@ -60,7 +63,6 @@ class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAu
|
|||||||
$this->member = $member;
|
$this->member = $member;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function getAssociatedMember()
|
private function getAssociatedMember()
|
||||||
{
|
{
|
||||||
if (is_null($this->member)) {
|
if (is_null($this->member)) {
|
||||||
@ -70,15 +72,6 @@ class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAu
|
|||||||
return $this->member;
|
return $this->member;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* @return bool
|
|
||||||
*/
|
|
||||||
public function hasAssociatedMember()
|
|
||||||
{
|
|
||||||
$this->getAssociatedMember();
|
|
||||||
return !is_null($this->member);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the unique identifier for the user.
|
* Get the unique identifier for the user.
|
||||||
* the one that is saved as session id on vendor/laravel/framework/src/Illuminate/Auth/Guard.php
|
* the one that is saved as session id on vendor/laravel/framework/src/Illuminate/Auth/Guard.php
|
||||||
@ -110,10 +103,18 @@ class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAu
|
|||||||
public function getEmail()
|
public function getEmail()
|
||||||
{
|
{
|
||||||
$this->getAssociatedMember();
|
$this->getAssociatedMember();
|
||||||
|
if(is_null($this->member)) return false;
|
||||||
return $this->member->Email;
|
return $this->member->Email;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getEmailAttribute()
|
||||||
|
{
|
||||||
|
return $this->getEmail();
|
||||||
|
}
|
||||||
|
|
||||||
public function getFullName()
|
public function getFullName()
|
||||||
{
|
{
|
||||||
return $this->getFirstName() . " " . $this->getLastName();
|
return $this->getFirstName() . " " . $this->getLastName();
|
||||||
@ -175,7 +176,7 @@ class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAu
|
|||||||
|
|
||||||
public function getId()
|
public function getId()
|
||||||
{
|
{
|
||||||
return $this->id;
|
return (int)$this->id;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getShowProfileFullName()
|
public function getShowProfileFullName()
|
||||||
@ -264,7 +265,11 @@ class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAu
|
|||||||
{
|
{
|
||||||
$this->getAssociatedMember();
|
$this->getAssociatedMember();
|
||||||
|
|
||||||
return sprintf("%s, %s ", $this->member->Address, $this->member->Suburb);
|
$street_address = $this->member->Address;
|
||||||
|
$suburb = $this->member->Suburb;
|
||||||
|
if(!empty($suburb))
|
||||||
|
$street_address .= ', '.$suburb;
|
||||||
|
return $street_address;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getRegion()
|
public function getRegion()
|
||||||
@ -307,4 +312,73 @@ class User extends BaseModelEloquent implements UserInterface, IOpenIdUser, IOAu
|
|||||||
{
|
{
|
||||||
return 'remember_token';
|
return 'remember_token';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return int
|
||||||
|
*/
|
||||||
|
public function getExternalIdentifier()
|
||||||
|
{
|
||||||
|
return $this->getAuthIdentifier();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getFormattedAddress()
|
||||||
|
{
|
||||||
|
$street = $this->getStreetAddress();
|
||||||
|
$region = $this->getRegion();
|
||||||
|
$city = $this->getLocality();
|
||||||
|
$zip_code = $this->getPostalCode();
|
||||||
|
$country = $this->getCountry();
|
||||||
|
|
||||||
|
$complete = $street;
|
||||||
|
|
||||||
|
if(!empty($city))
|
||||||
|
$complete .= ', '.$city;
|
||||||
|
|
||||||
|
if(!empty($region))
|
||||||
|
$complete .= ', '.$region;
|
||||||
|
|
||||||
|
if(!empty($zip_code))
|
||||||
|
$complete .= ', '.$zip_code;
|
||||||
|
|
||||||
|
if(!empty($country))
|
||||||
|
$complete .= ', '.$country;
|
||||||
|
|
||||||
|
return $complete;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return IApiScopeGroup[]
|
||||||
|
*/
|
||||||
|
public function getGroups()
|
||||||
|
{
|
||||||
|
return $this->groups()->where('active','=',true)->get();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
public function groups()
|
||||||
|
{
|
||||||
|
return $this->belongsToMany('ApiScopeGroup','oauth2_api_scope_group_users','user_id', 'group_id');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return IApiScope[]
|
||||||
|
*/
|
||||||
|
public function getGroupScopes()
|
||||||
|
{
|
||||||
|
$scopes = array();
|
||||||
|
$map = array();
|
||||||
|
foreach($this->groups()->where('active','=',true)->get() as $group){
|
||||||
|
foreach($group->scopes()->get() as $scope)
|
||||||
|
{
|
||||||
|
if(!isset($map[$scope->id]))
|
||||||
|
array_push($scopes, $scope);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $scopes;
|
||||||
|
}
|
||||||
}
|
}
|
66
app/libs/oauth2/AddressClaim.php
Normal file
66
app/libs/oauth2/AddressClaim.php
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class AddressClaim
|
||||||
|
* @package oauth2
|
||||||
|
* http://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
|
||||||
|
*
|
||||||
|
* The Address Claim represents a physical mailing address. Implementations MAY return only a subset of the fields of an
|
||||||
|
* address, depending upon the information available and the End-User's privacy preferences. For example, the country
|
||||||
|
* and region might be returned without returning more fine-grained address information.
|
||||||
|
* Implementations MAY return just the full address as a single string in the formatted sub-field, or they MAY return
|
||||||
|
* just the individual component fields using the other sub-fields, or they MAY return both. If both variants are
|
||||||
|
* returned, they SHOULD be describing the same address, with the formatted address indicating how the component fields
|
||||||
|
* are combined.
|
||||||
|
*/
|
||||||
|
abstract class AddressClaim
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines,
|
||||||
|
* separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a
|
||||||
|
* single line feed character ("\n").
|
||||||
|
*/
|
||||||
|
const Formatted = 'formatted';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Full street address component, which MAY include house number, street name, Post Office Box, and multi-line
|
||||||
|
* extended street address information. This field MAY contain multiple lines, separated by newlines. Newlines
|
||||||
|
* can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
|
||||||
|
*/
|
||||||
|
const StreetAddress = 'street_address';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* City or locality component.
|
||||||
|
*/
|
||||||
|
const Locality = 'locality';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* State, province, prefecture, or region component.
|
||||||
|
*/
|
||||||
|
const Region = 'region';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Zip code or postal code component.
|
||||||
|
*/
|
||||||
|
const PostalCode = 'postal_code';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Country name component.
|
||||||
|
*/
|
||||||
|
const Country = 'country';
|
||||||
|
|
||||||
|
}
|
@ -41,11 +41,27 @@ interface IOAuth2Protocol {
|
|||||||
*/
|
*/
|
||||||
public function introspection(OAuth2Request $request = null);
|
public function introspection(OAuth2Request $request = null);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get all available grant types set on the protocol
|
* Get all available grant types set on the protocol
|
||||||
* @return mixed
|
* @return mixed
|
||||||
*/
|
*/
|
||||||
public function getAvailableGrants();
|
public function getAvailableGrants();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getJWKSDocument();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* http://openid.net/specs/openid-connect-discovery-1_0.html
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getDiscoveryDocument();
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* http://openid.net/specs/openid-connect-session-1_0.html#RPLogout
|
||||||
|
*/
|
||||||
|
public function endSession(OAuth2Request $request = null);
|
||||||
|
|
||||||
}
|
}
|
@ -3,6 +3,7 @@
|
|||||||
namespace oauth2;
|
namespace oauth2;
|
||||||
|
|
||||||
use utils\http\HttpMessage;
|
use utils\http\HttpMessage;
|
||||||
|
use oauth2\requests\OAuth2RequestMemento;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class OAuth2Message
|
* Class OAuth2Message
|
||||||
@ -10,7 +11,7 @@ use utils\http\HttpMessage;
|
|||||||
*/
|
*/
|
||||||
class OAuth2Message extends HttpMessage
|
class OAuth2Message extends HttpMessage
|
||||||
{
|
{
|
||||||
public function __construct(array $values)
|
public function __construct(array $values = array())
|
||||||
{
|
{
|
||||||
parent::__construct($values);
|
parent::__construct($values);
|
||||||
}
|
}
|
||||||
@ -23,7 +24,44 @@ class OAuth2Message extends HttpMessage
|
|||||||
|
|
||||||
public function getParam($param)
|
public function getParam($param)
|
||||||
{
|
{
|
||||||
return isset($this->container[$param])?$this->container[$param]:null;
|
return isset($this->container[$param])? $this->container[$param] : null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $param
|
||||||
|
* @param mixed $value
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setParam($param, $value)
|
||||||
|
{
|
||||||
|
$this->container[$param] = $value;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return OAuth2RequestMemento
|
||||||
|
*/
|
||||||
|
public function createMemento(){
|
||||||
|
return OAuth2RequestMemento::buildFromRequest($this);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param OAuth2RequestMemento $memento
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setMemento(OAuth2RequestMemento $memento){
|
||||||
|
$this->container = $memento->getState();
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param OAuth2RequestMemento $memento
|
||||||
|
* @return OAuth2Message
|
||||||
|
*/
|
||||||
|
static public function buildFromMemento(OAuth2RequestMemento $memento){
|
||||||
|
$msg = new self;
|
||||||
|
$msg->setMemento($memento);
|
||||||
|
return $msg;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
File diff suppressed because it is too large
Load Diff
157
app/libs/oauth2/StandardClaims.php
Normal file
157
app/libs/oauth2/StandardClaims.php
Normal file
@ -0,0 +1,157 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class StandardClaims
|
||||||
|
* @package oauth2
|
||||||
|
* http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
|
||||||
|
*/
|
||||||
|
abstract class StandardClaims
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Subject - Identifier for the End-User at the Issuer.
|
||||||
|
*/
|
||||||
|
const SubjectIdentifier = 'sub';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* End-User's full name in displayable form including all name parts, possibly including titles and suffixes,
|
||||||
|
* ordered according to the End-User's locale and preferences.
|
||||||
|
*/
|
||||||
|
const Name = 'name';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names;
|
||||||
|
* all can be present, with the names being separated by space characters.
|
||||||
|
*/
|
||||||
|
const GivenName = 'given_name';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or
|
||||||
|
* no family name; all can be present, with the names being separated by space characters.
|
||||||
|
*/
|
||||||
|
const FamilyName = 'family_name';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can
|
||||||
|
* be present, with the names being separated by space characters. Also note that in some cultures, middle names are
|
||||||
|
* not used.
|
||||||
|
*/
|
||||||
|
const MiddleName = 'middle_name';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of
|
||||||
|
* Mike might be returned alongside a given_name value of Michael.
|
||||||
|
*/
|
||||||
|
const NickName = 'nickname';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* string Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe.
|
||||||
|
* This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST
|
||||||
|
* NOT rely upon this value being unique, as discussed in Section 5.7.
|
||||||
|
*/
|
||||||
|
const PreferredUserName = 'preferred_username';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
|
||||||
|
*/
|
||||||
|
const Profile = 'profile';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF
|
||||||
|
* image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a
|
||||||
|
* profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary
|
||||||
|
* photo taken by the End-User.
|
||||||
|
*/
|
||||||
|
const Picture = 'picture';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an
|
||||||
|
* organization that the End-User is affiliated with.
|
||||||
|
*/
|
||||||
|
const Website = 'website';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The RP
|
||||||
|
* MUST NOT rely upon this value being unique, as discussed in Section 5.7.
|
||||||
|
*/
|
||||||
|
const Email = 'email';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this
|
||||||
|
* means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at
|
||||||
|
* the time the verification was performed. The means by which an e-mail address is verified is context-specific,
|
||||||
|
* and dependent upon the trust framework or contractual agreements within which the parties are operating.
|
||||||
|
*/
|
||||||
|
const EmailVerified = 'email_verified';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* End-User's gender. Values defined by this specification are female and male. Other values MAY be used when
|
||||||
|
* neither of the defined values are applicable.
|
||||||
|
*/
|
||||||
|
const Gender = 'gender';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000,
|
||||||
|
* indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the
|
||||||
|
* underlying platform's date related function, providing just year can result in varying month and day, so the
|
||||||
|
* implementers need to take this factor into account to correctly process the dates.
|
||||||
|
*/
|
||||||
|
const Birthdate = 'birthdate';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example,
|
||||||
|
* Europe/Paris or America/Los_Angeles.
|
||||||
|
*/
|
||||||
|
const ZoneInfo = 'zoneinfo';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2
|
||||||
|
* [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated
|
||||||
|
* by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as
|
||||||
|
* the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as
|
||||||
|
* well.
|
||||||
|
*/
|
||||||
|
const Locale = 'locale';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example,
|
||||||
|
* +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the
|
||||||
|
* extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
|
||||||
|
*/
|
||||||
|
const PhoneNumber = 'phone_number';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this
|
||||||
|
* means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the
|
||||||
|
* time the verification was performed. The means by which a phone number is verified is context-specific, and
|
||||||
|
* dependent upon the trust framework or contractual agreements within which the parties are operating. When true,
|
||||||
|
* the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
|
||||||
|
*/
|
||||||
|
const PhoneNumberVerified = 'phone_number_verified';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* JSON object
|
||||||
|
* End-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing
|
||||||
|
* some or all of the members defined in Section 5.1.1.
|
||||||
|
*/
|
||||||
|
const Address = 'address';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Time the End-User's information was last updated. Its value is a JSON number representing the number of
|
||||||
|
* seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
|
||||||
|
*/
|
||||||
|
const UpdatedAt = 'updated_at';
|
||||||
|
}
|
35
app/libs/oauth2/builders/IdTokenBuilder.php
Normal file
35
app/libs/oauth2/builders/IdTokenBuilder.php
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\builders;
|
||||||
|
|
||||||
|
use jwt\IBasicJWT;
|
||||||
|
use jwt\impl\JWTClaimSet;
|
||||||
|
use oauth2\models\IClient;
|
||||||
|
use oauth2\models\JWTResponseInfo;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Interface IdTokenBuilder
|
||||||
|
* @package oauth2\builders
|
||||||
|
*/
|
||||||
|
interface IdTokenBuilder
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param JWTClaimSet $claim_set
|
||||||
|
* @param JWTResponseInfo $info
|
||||||
|
* @param IClient $client
|
||||||
|
* @return IBasicJWT
|
||||||
|
*/
|
||||||
|
public function buildJWT(JWTClaimSet $claim_set, JWTResponseInfo $info, IClient $client);
|
||||||
|
}
|
260
app/libs/oauth2/discovery/DiscoveryDocumentBuilder.php
Normal file
260
app/libs/oauth2/discovery/DiscoveryDocumentBuilder.php
Normal file
@ -0,0 +1,260 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\discovery;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class DiscoveryDocumentBuilder
|
||||||
|
* @package oauth2\discovery
|
||||||
|
*/
|
||||||
|
final class DiscoveryDocumentBuilder
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @var array
|
||||||
|
*/
|
||||||
|
private $set = array();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $issuer
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setIssuer($issuer)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::Issuer] = $issuer;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $auth_endpoint
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setAuthEndpoint($auth_endpoint)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::AuthEndpoint] = $auth_endpoint;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $token_endpoint
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setTokenEndpoint($token_endpoint)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::TokenEndpoint] = $token_endpoint;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $user_info_endpoint
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setUserInfoEndpoint($user_info_endpoint)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::UserInfoEndpoint] = $user_info_endpoint;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $end_session_endpoint
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setEndSessionEndpoint($end_session_endpoint)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::EndSessionEndPoint] = $end_session_endpoint;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $check_session_iframe
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setCheckSessionIframe($check_session_iframe)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::CheckSessionIFrame] = $check_session_iframe;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $jwks_url
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setJWKSUrl($jwks_url)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::JWKSUrl] = $jwks_url;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $revocation_endpoint
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setRevocationEndpoint($revocation_endpoint)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::RevocationEndpoint] = $revocation_endpoint;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $introspection_endpoint
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setIntrospectionEndpoint($introspection_endpoint)
|
||||||
|
{
|
||||||
|
$this->set[OpenIDProviderMetadata::IntrospectionEndpoint] = $introspection_endpoint;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $key
|
||||||
|
* @param string $value
|
||||||
|
*/
|
||||||
|
private function addArrayValue($key, $value)
|
||||||
|
{
|
||||||
|
|
||||||
|
if( !isset($this->set[$key]))
|
||||||
|
$this->set[$key] = array();
|
||||||
|
|
||||||
|
array_push($this->set[$key], $value);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $response_type
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addResponseTypeSupported($response_type)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::ResponseTypesSupported, $response_type);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $response_mode
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addResponseModeSupported($response_mode)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::ResponseModesSupported, $response_mode);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $subject_type
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addSubjectTypeSupported($subject_type)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::SubjectTypesSupported, $subject_type);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $scope
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addScopeSupported($scope){
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::ScopesSupported, $scope);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $claim
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addClaimSupported($claim)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::ClaimsSupported, $claim);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $auth_method
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addTokenEndpointAuthMethodSupported($auth_method)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::TokenEndpointAuthMethodsSupported, $auth_method);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $alg
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addIdTokenSigningAlgSupported($alg)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::IdTokenSigningAlgValuesSupported, $alg);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $alg
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addIdTokenEncryptionAlgSupported($alg)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::IdTokenEncryptionAlgValuesSupported, $alg);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $enc
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addIdTokenEncryptionEncSupported($enc)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::IdTokenEncryptionEncValuesSupported, $enc);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $alg
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addUserInfoSigningAlgSupported($alg)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::UserInfoSigningAlgValuesSupported, $alg);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $alg
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addUserInfoEncryptionAlgSupported($alg)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::UserInfoEncryptionAlgValuesSupported, $alg);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $enc
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function addUserInfoEncryptionEncSupported($enc)
|
||||||
|
{
|
||||||
|
$this->addArrayValue(OpenIDProviderMetadata::UserInfoEncryptionEncValuesSupported, $enc);
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function render()
|
||||||
|
{
|
||||||
|
$json = json_encode($this->set);
|
||||||
|
$json = str_replace('\/','/', $json);
|
||||||
|
return $json;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,67 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\discovery;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Interface IOpenIDProviderConfigurationService
|
||||||
|
* @package oauth2\discovery
|
||||||
|
*/
|
||||||
|
interface IOpenIDProviderConfigurationService
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getIssuerUrl();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getAuthEndpoint();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getTokenEndpoint();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getUserInfoEndpoint();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getJWKSUrl();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getRevocationEndpoint();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getIntrospectionEndpoint();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getCheckSessionIFrame();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getEndSessionEndpoint();
|
||||||
|
}
|
276
app/libs/oauth2/discovery/OpenIDProviderMetadata.php
Normal file
276
app/libs/oauth2/discovery/OpenIDProviderMetadata.php
Normal file
@ -0,0 +1,276 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\discovery;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class OpenIDProviderMetadata
|
||||||
|
* @package oauth2\discovery
|
||||||
|
* http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
|
||||||
|
*/
|
||||||
|
abstract class OpenIDProviderMetadata
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer
|
||||||
|
* Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value
|
||||||
|
* returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
|
||||||
|
*/
|
||||||
|
const Issuer = 'issuer';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
|
||||||
|
*/
|
||||||
|
const AuthEndpoint = 'authorization_endpoint';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used.
|
||||||
|
*/
|
||||||
|
const TokenEndpoint = 'token_endpoint';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain
|
||||||
|
* port, path, and query parameter components.
|
||||||
|
*/
|
||||||
|
const UserInfoEndpoint = 'userinfo_endpoint';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to
|
||||||
|
* validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by
|
||||||
|
* RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
|
||||||
|
* parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
|
||||||
|
* Although some algorithms allow the same key to be used for both signatures and encryption,
|
||||||
|
* doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509
|
||||||
|
* representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
|
||||||
|
*/
|
||||||
|
const JWKSUrl = 'jwks_uri';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint [OpenID.Registration].
|
||||||
|
*/
|
||||||
|
const RegistrationEndpoint = 'registration_endpoint';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
|
||||||
|
* The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values
|
||||||
|
* even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
|
||||||
|
*/
|
||||||
|
const ScopesSupported = 'scopes_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic
|
||||||
|
* OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
|
||||||
|
*/
|
||||||
|
const ResponseTypesSupported = 'response_types_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified
|
||||||
|
* in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
|
||||||
|
* OpenID Providers is ["query", "fragment"].
|
||||||
|
*/
|
||||||
|
const ResponseModesSupported = 'response_modes_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
|
||||||
|
* Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types.
|
||||||
|
* If omitted, the default value is ["authorization_code", "implicit"].
|
||||||
|
*/
|
||||||
|
const GrantTypesSupported = 'grant_types_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.
|
||||||
|
*/
|
||||||
|
const AcrValuesSupported = 'acr_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports.
|
||||||
|
* Valid types include pairwise and public.
|
||||||
|
*/
|
||||||
|
const SubjectTypesSupported = 'subject_types_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the
|
||||||
|
* ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be
|
||||||
|
* supported, but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint
|
||||||
|
* (such as when using the Authorization Code Flow).
|
||||||
|
*/
|
||||||
|
const IdTokenSigningAlgValuesSupported = 'id_token_signing_alg_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the
|
||||||
|
* ID Token to encode the Claims in a JWT [JWT].
|
||||||
|
*/
|
||||||
|
const IdTokenEncryptionAlgValuesSupported = 'id_token_encryption_alg_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the
|
||||||
|
* ID Token to encode the Claims in a JWT [JWT].
|
||||||
|
*/
|
||||||
|
const IdTokenEncryptionEncValuesSupported = 'id_token_encryption_enc_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
|
||||||
|
* UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included.
|
||||||
|
*/
|
||||||
|
const UserInfoSigningAlgValuesSupported = 'userinfo_signing_alg_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by
|
||||||
|
* the UserInfo Endpoint to encode the Claims in a JWT [JWT].
|
||||||
|
*/
|
||||||
|
const UserInfoEncryptionAlgValuesSupported = 'userinfo_encryption_alg_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the
|
||||||
|
* UserInfo Endpoint to encode the Claims in a JWT [JWT].
|
||||||
|
*/
|
||||||
|
const UserInfoEncryptionEncValuesSupported = 'userinfo_encryption_enc_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
|
||||||
|
* Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used
|
||||||
|
* both when the Request Object is passed by value (using the request parameter) and when it is passed by reference
|
||||||
|
* (using the request_uri parameter). Servers SHOULD support none and RS256.
|
||||||
|
*/
|
||||||
|
const RequestObjectSigningAlgValuesSupported = 'request_object_signing_alg_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for
|
||||||
|
* Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed
|
||||||
|
* by reference.
|
||||||
|
*/
|
||||||
|
const RequestObjectEncryptionAlgValuesSupported = 'request_object_encryption_alg_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for
|
||||||
|
* Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed
|
||||||
|
* by reference.
|
||||||
|
*/
|
||||||
|
const RequestObjectEncryptionEncValuesSupported = 'request_object_encryption_enc_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
|
||||||
|
* The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described
|
||||||
|
* in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions.
|
||||||
|
* If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1
|
||||||
|
* of OAuth 2.0 [RFC6749].
|
||||||
|
*/
|
||||||
|
const TokenEndpointAuthMethodsSupported = 'token_endpoint_auth_methods_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
|
||||||
|
* for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
|
||||||
|
* and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
|
||||||
|
*/
|
||||||
|
const TokenEndpointAuthSigningAlgValuesSupported = 'token_endpoint_auth_signing_alg_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These
|
||||||
|
* values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core].
|
||||||
|
*/
|
||||||
|
const DisplayValuesSupported = 'display_values_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types
|
||||||
|
* are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
|
||||||
|
* normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims.
|
||||||
|
*/
|
||||||
|
const ClaimTypesSupported = 'claim_types_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able
|
||||||
|
* to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
|
||||||
|
*/
|
||||||
|
const ClaimsSupported = 'claims_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when
|
||||||
|
* using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
|
||||||
|
* then information on how to register Clients needs to be provided in this documentation.
|
||||||
|
*/
|
||||||
|
const ServiceDocumentation = 'service_documentation';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of
|
||||||
|
* BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
|
||||||
|
*/
|
||||||
|
const ClaimsLocalesSupported = 'claims_locales_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
|
||||||
|
* language tag values.
|
||||||
|
*/
|
||||||
|
const UILocalesSupported = 'ui_locales_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating
|
||||||
|
* support. If omitted, the default value is false.
|
||||||
|
*/
|
||||||
|
const ClaimsParameterSupported = 'claims_parameter_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating
|
||||||
|
* support. If omitted, the default value is false.
|
||||||
|
*/
|
||||||
|
const RequestParameterSupported = 'request_parameter_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
|
||||||
|
* support. If omitted, the default value is true.
|
||||||
|
*/
|
||||||
|
const RequestUrlParameterSupported = 'request_uri_parameter_supported';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using
|
||||||
|
* the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
|
||||||
|
* default value is false.
|
||||||
|
*/
|
||||||
|
const RequireRequestUrlRegistration = 'require_request_uri_registration';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about the OP's
|
||||||
|
* requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
|
||||||
|
* display this URL to the person registering the Client if it is given.
|
||||||
|
*/
|
||||||
|
const PolicyUrl = 'op_policy_uri';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about
|
||||||
|
* OpenID Provider's terms of service. The registration process SHOULD display this URL to the person registering
|
||||||
|
* the Client if it is given.
|
||||||
|
*/
|
||||||
|
const TOSUrl = 'op_tos_uri';
|
||||||
|
|
||||||
|
// http://openid.net/specs/openid-connect-session-1_0.html#OPMetadata
|
||||||
|
|
||||||
|
/**
|
||||||
|
* REQUIRED. URL of an OP iframe that supports cross-origin communications for session state information with the
|
||||||
|
* RP Client, using the HTML5 postMessage API. The page is loaded from an invisible iframe embedded in an RP page
|
||||||
|
* so that it can run in the OP's security context. It accepts postMessage requests from the relevant RP iframe and
|
||||||
|
* uses postMessage to post back the login status of the End-User at the OP.
|
||||||
|
*/
|
||||||
|
const CheckSessionIFrame = 'check_session_iframe';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* REQUIRED. URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
|
||||||
|
*/
|
||||||
|
const EndSessionEndPoint = 'end_session_endpoint';
|
||||||
|
|
||||||
|
// extensions
|
||||||
|
|
||||||
|
|
||||||
|
const RevocationEndpoint = 'revocation_endpoint';
|
||||||
|
|
||||||
|
|
||||||
|
const IntrospectionEndpoint = 'introspection_endpoint';
|
||||||
|
}
|
@ -18,11 +18,19 @@ use oauth2\IOAuth2Protocol;
|
|||||||
* http://tools.ietf.org/html/rfc6749#section-3.1
|
* http://tools.ietf.org/html/rfc6749#section-3.1
|
||||||
* @package oauth2\endpoints
|
* @package oauth2\endpoints
|
||||||
*/
|
*/
|
||||||
class AuthorizationEndpoint implements IOAuth2Endpoint {
|
class AuthorizationEndpoint implements IOAuth2Endpoint
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IOAuth2Protocol
|
||||||
|
*/
|
||||||
private $protocol;
|
private $protocol;
|
||||||
public function __construct(IOAuth2Protocol $protocol){
|
|
||||||
|
/**
|
||||||
|
* @param IOAuth2Protocol $protocol
|
||||||
|
*/
|
||||||
|
public function __construct(IOAuth2Protocol $protocol)
|
||||||
|
{
|
||||||
$this->protocol = $protocol;
|
$this->protocol = $protocol;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -8,6 +8,11 @@ use oauth2\requests\OAuth2Request;
|
|||||||
* Interface IOAuth2Endpoint
|
* Interface IOAuth2Endpoint
|
||||||
* @package oauth2\endpoints
|
* @package oauth2\endpoints
|
||||||
*/
|
*/
|
||||||
interface IOAuth2Endpoint {
|
interface IOAuth2Endpoint
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param OAuth2Request $request
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
public function handle(OAuth2Request $request);
|
public function handle(OAuth2Request $request);
|
||||||
}
|
}
|
@ -20,13 +20,24 @@ use oauth2\requests\OAuth2Request;
|
|||||||
class TokenEndpoint implements IOAuth2Endpoint
|
class TokenEndpoint implements IOAuth2Endpoint
|
||||||
{
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IOAuth2Protocol
|
||||||
|
*/
|
||||||
private $protocol;
|
private $protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param IOAuth2Protocol $protocol
|
||||||
|
*/
|
||||||
public function __construct(IOAuth2Protocol $protocol)
|
public function __construct(IOAuth2Protocol $protocol)
|
||||||
{
|
{
|
||||||
$this->protocol = $protocol;
|
$this->protocol = $protocol;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param OAuth2Request $request
|
||||||
|
* @return mixed
|
||||||
|
* @throws InvalidGrantTypeException
|
||||||
|
*/
|
||||||
public function handle(OAuth2Request $request)
|
public function handle(OAuth2Request $request)
|
||||||
{
|
{
|
||||||
foreach ($this->protocol->getAvailableGrants() as $key => $grant) {
|
foreach ($this->protocol->getAvailableGrants() as $key => $grant) {
|
||||||
|
@ -6,22 +6,58 @@ use oauth2\requests\OAuth2Request;
|
|||||||
use oauth2\IOAuth2Protocol;
|
use oauth2\IOAuth2Protocol;
|
||||||
use oauth2\services\IClientService;
|
use oauth2\services\IClientService;
|
||||||
use oauth2\services\ITokenService;
|
use oauth2\services\ITokenService;
|
||||||
|
use utils\services\IAuthService;
|
||||||
use utils\services\ILogService;
|
use utils\services\ILogService;
|
||||||
use oauth2\grant_types\ValidateBearerTokenGrantType;
|
use oauth2\grant_types\ValidateBearerTokenGrantType;
|
||||||
|
use oauth2\exceptions\InvalidOAuth2Request;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class TokenIntrospectionEndpoint
|
||||||
|
* @package oauth2\endpoints
|
||||||
|
*/
|
||||||
|
class TokenIntrospectionEndpoint implements IOAuth2Endpoint
|
||||||
|
{
|
||||||
|
|
||||||
class TokenIntrospectionEndpoint implements IOAuth2Endpoint {
|
/**
|
||||||
|
* @var IOAuth2Protocol
|
||||||
|
*/
|
||||||
private $protocol;
|
private $protocol;
|
||||||
|
/**
|
||||||
|
* @var ValidateBearerTokenGrantType
|
||||||
|
*/
|
||||||
private $grant_type;
|
private $grant_type;
|
||||||
|
|
||||||
public function __construct(IOAuth2Protocol $protocol, IClientService $client_service, ITokenService $token_service, ILogService $log_service)
|
/**
|
||||||
|
* @param IOAuth2Protocol $protocol
|
||||||
|
* @param IClientService $client_service
|
||||||
|
* @param ITokenService $token_service
|
||||||
|
* @param IAuthService $auth_service
|
||||||
|
* @param ILogService $log_service
|
||||||
|
*/
|
||||||
|
public function __construct
|
||||||
|
(
|
||||||
|
IOAuth2Protocol $protocol,
|
||||||
|
IClientService $client_service,
|
||||||
|
ITokenService $token_service,
|
||||||
|
IAuthService $auth_service,
|
||||||
|
ILogService $log_service
|
||||||
|
)
|
||||||
{
|
{
|
||||||
$this->protocol = $protocol;
|
$this->protocol = $protocol;
|
||||||
$this->grant_type = new ValidateBearerTokenGrantType($client_service, $token_service, $log_service);
|
$this->grant_type = new ValidateBearerTokenGrantType($client_service, $token_service, $auth_service, $log_service);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param OAuth2Request $request
|
||||||
|
* @return mixed|\oauth2\responses\OAuth2AccessTokenValidationResponse|void
|
||||||
|
* @throws InvalidOAuth2Request
|
||||||
|
* @throws \oauth2\exceptions\BearerTokenDisclosureAttemptException
|
||||||
|
* @throws \oauth2\exceptions\ExpiredAccessTokenException
|
||||||
|
* @throws \oauth2\exceptions\InvalidApplicationType
|
||||||
|
* @throws \oauth2\exceptions\InvalidOAuth2Request
|
||||||
|
* @throws \oauth2\exceptions\LockedClientException
|
||||||
|
*/
|
||||||
public function handle(OAuth2Request $request)
|
public function handle(OAuth2Request $request)
|
||||||
{
|
{
|
||||||
if($this->grant_type->canHandle($request))
|
if($this->grant_type->canHandle($request))
|
||||||
|
@ -10,18 +10,48 @@ use oauth2\services\ITokenService;
|
|||||||
use utils\services\ILogService;
|
use utils\services\ILogService;
|
||||||
use oauth2\grant_types\RevokeBearerTokenGrantType;
|
use oauth2\grant_types\RevokeBearerTokenGrantType;
|
||||||
|
|
||||||
class TokenRevocationEndpoint implements IOAuth2Endpoint {
|
/**
|
||||||
|
* Class TokenRevocationEndpoint
|
||||||
|
* @package oauth2\endpoints
|
||||||
|
*/
|
||||||
|
class TokenRevocationEndpoint implements IOAuth2Endpoint
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var IOAuth2Protocol
|
||||||
|
*/
|
||||||
private $protocol;
|
private $protocol;
|
||||||
|
/**
|
||||||
|
* @var RevokeBearerTokenGrantType
|
||||||
|
*/
|
||||||
private $grant_type;
|
private $grant_type;
|
||||||
|
|
||||||
public function __construct(IOAuth2Protocol $protocol, IClientService $client_service, ITokenService $token_service, ILogService $log_service)
|
/**
|
||||||
|
* @param IOAuth2Protocol $protocol
|
||||||
|
* @param IClientService $client_service
|
||||||
|
* @param ITokenService $token_service
|
||||||
|
* @param ILogService $log_service
|
||||||
|
*/
|
||||||
|
public function __construct(
|
||||||
|
IOAuth2Protocol $protocol,
|
||||||
|
IClientService $client_service,
|
||||||
|
ITokenService $token_service,
|
||||||
|
ILogService $log_service
|
||||||
|
)
|
||||||
{
|
{
|
||||||
$this->protocol = $protocol;
|
$this->protocol = $protocol;
|
||||||
$this->grant_type = new RevokeBearerTokenGrantType($client_service, $token_service, $log_service);
|
$this->grant_type = new RevokeBearerTokenGrantType($client_service, $token_service, $log_service);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param OAuth2Request $request
|
||||||
|
* @return \oauth2\responses\OAuth2TokenRevocationResponse
|
||||||
|
* @throws InvalidOAuth2Request
|
||||||
|
* @throws \Exception
|
||||||
|
* @throws \oauth2\exceptions\BearerTokenDisclosureAttemptException
|
||||||
|
* @throws \oauth2\exceptions\ExpiredAccessTokenException
|
||||||
|
* @throws \oauth2\exceptions\UnAuthorizedClientException
|
||||||
|
*/
|
||||||
public function handle(OAuth2Request $request)
|
public function handle(OAuth2Request $request)
|
||||||
{
|
{
|
||||||
if($this->grant_type->canHandle($request))
|
if($this->grant_type->canHandle($request))
|
||||||
|
32
app/libs/oauth2/exceptions/AbsentCurrentUserException.php
Normal file
32
app/libs/oauth2/exceptions/AbsentCurrentUserException.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class AbsentCurrentUserException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
class AbsentCurrentUserException extends Exception
|
||||||
|
{
|
||||||
|
|
||||||
|
public function __construct($message = "")
|
||||||
|
{
|
||||||
|
$message = "Absent Current User Exception: " . $message;
|
||||||
|
parent::__construct($message, 0, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -2,15 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class AccessDeniedException extends Exception
|
/**
|
||||||
|
* Class AccessDeniedException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class AccessDeniedException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
public function __construct($message = "")
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Access Denied : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_AccessDenied;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -2,11 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class BearerTokenDisclosureAttemptException extends OAuth2ClientBaseException
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class BearerTokenDisclosureAttemptException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class BearerTokenDisclosureAttemptException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($client_id,$message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Bearer Token Disclosure Attempt Attack: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidGrant;
|
||||||
parent::__construct($client_id,$message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
33
app/libs/oauth2/exceptions/ConsentRequiredException.php
Normal file
33
app/libs/oauth2/exceptions/ConsentRequiredException.php
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InteractionRequiredException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class ConsentRequiredException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_Consent_Required;
|
||||||
|
}
|
||||||
|
}
|
@ -14,19 +14,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class ExpiredAccessTokenException
|
* Class ExpiredAccessTokenException
|
||||||
* @package oauth2\exceptions
|
* @package oauth2\exceptions
|
||||||
*/
|
*/
|
||||||
class ExpiredAccessTokenException extends Exception
|
final class ExpiredAccessTokenException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
public function __construct($message = "")
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Expired Access Token: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidToken;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -3,14 +3,20 @@
|
|||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class ExpiredAuthorizationCodeException extends Exception
|
/**
|
||||||
|
* Class ExpiredAuthorizationCodeException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class ExpiredAuthorizationCodeException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
|
||||||
public function __construct($message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Expired Authorization Code : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
32
app/libs/oauth2/exceptions/InteractionRequiredException.php
Normal file
32
app/libs/oauth2/exceptions/InteractionRequiredException.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InteractionRequiredException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InteractionRequiredException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_Interaction_Required;
|
||||||
|
}
|
||||||
|
}
|
@ -2,15 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class InvalidAccessTokenException extends Exception
|
/**
|
||||||
|
* Class InvalidAccessTokenException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidAccessTokenException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
public function __construct($message = "")
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid Access Token : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidGrant;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -1,6 +1,6 @@
|
|||||||
<?php
|
<?php
|
||||||
/**
|
/**
|
||||||
* Copyright 2015 Openstack Foundation
|
* Copyright 2015 OpenStack Foundation
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
* You may obtain a copy of the License at
|
* You may obtain a copy of the License at
|
||||||
@ -12,13 +12,13 @@
|
|||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
**/
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Interface IBaseRepository
|
* Class InvalidApiScopeGroup
|
||||||
|
* @package oauth2\exceptions
|
||||||
*/
|
*/
|
||||||
interface IBaseRepository {
|
final class InvalidApiScopeGroup extends \Exception
|
||||||
/**
|
{
|
||||||
* @param int $id
|
|
||||||
* @return IEntity
|
|
||||||
*/
|
|
||||||
public function getById($id);
|
|
||||||
}
|
}
|
@ -2,11 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class InvalidApplicationType extends OAuth2ClientBaseException
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidApplicationType
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidApplicationType extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($client_id, $message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid Application Type: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($client_id,$message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidAuthenticationRequestException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidAuthenticationRequestException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest;
|
||||||
|
}
|
||||||
|
}
|
@ -2,15 +2,20 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class InvalidAuthorizationCodeException extends Exception
|
/**
|
||||||
|
* Class InvalidAuthorizationCodeException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidAuthorizationCodeException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
|
||||||
public function __construct($message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid Authorization Code : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidGrant;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientAssertionAlgorithmException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientAssertionAlgorithmException extends Exception
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param string $message
|
||||||
|
*/
|
||||||
|
public function __construct($message = "")
|
||||||
|
{
|
||||||
|
$message = "Invalid Client Assertion Algorithm : " . $message;
|
||||||
|
parent::__construct($message, 0, null);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientAssertionException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientAssertionException extends Exception
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param string $message
|
||||||
|
*/
|
||||||
|
public function __construct($message = "")
|
||||||
|
{
|
||||||
|
$message = "Invalid Client Assertion : " . $message;
|
||||||
|
parent::__construct($message, 0, null);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientAssertionTypeException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientAssertionTypeException extends Exception
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param string $message
|
||||||
|
*/
|
||||||
|
public function __construct($message = "")
|
||||||
|
{
|
||||||
|
$message = "Invalid Client Assertion Type : " . $message;
|
||||||
|
parent::__construct($message, 0, null);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientAuthMethodException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientAuthMethodException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientAuthenticationContextException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientAuthenticationContextException extends Exception
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @param string $message
|
||||||
|
*/
|
||||||
|
public function __construct($message = "")
|
||||||
|
{
|
||||||
|
$message = "Invalid Client Authentication Context : " . $message;
|
||||||
|
parent::__construct($message, 0, null);
|
||||||
|
}
|
||||||
|
}
|
@ -2,11 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class InvalidClientCredentials extends OAuth2ClientBaseException
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientCredentials
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientCredentials extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($client_id, $message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid Client Credentials : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($client_id, $message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -2,11 +2,20 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class InvalidClientException extends OAuth2ClientBaseException
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($client_id, $message = "")
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid OAuth2 Client : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($client_id, $message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -2,11 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class InvalidClientType extends OAuth2ClientBaseException
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidClientType
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidClientType extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($client_id, $message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid Client Type: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($client_id,$message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -1,15 +1,20 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
use Exception;
|
|
||||||
|
|
||||||
class InvalidGrantTypeException extends Exception
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidGrantTypeException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidGrantTypeException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
public function __construct($message = "")
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid Grant Type : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidGrant;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
32
app/libs/oauth2/exceptions/InvalidLoginHint.php
Normal file
32
app/libs/oauth2/exceptions/InvalidLoginHint.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/***
|
||||||
|
* Class InvalidLoginHint
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidLoginHint extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest;
|
||||||
|
}
|
||||||
|
}
|
@ -2,15 +2,21 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class InvalidOAuth2Request extends Exception
|
/**
|
||||||
|
* Class InvalidOAuth2Request
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidOAuth2Request extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
|
||||||
public function __construct($message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid OAuth2 Request : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidRequest;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -2,11 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class InvalidRedeemAuthCodeException extends OAuth2ClientBaseException{
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
public function __construct($client_id, $message = "")
|
/**
|
||||||
|
* Class InvalidRedeemAuthCodeException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidRedeemAuthCodeException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Invalid Redeem AuthCode Exception: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidGrant;
|
||||||
parent::__construct($client_id,$message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -0,0 +1,30 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InvalidTokenEndpointAuthMethodException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class InvalidTokenEndpointAuthMethodException extends Exception
|
||||||
|
{
|
||||||
|
public function __construct($message = "")
|
||||||
|
{
|
||||||
|
$message = "Invalid Token Endpoint Auth Method : " . $message;
|
||||||
|
parent::__construct($message, 0, null);
|
||||||
|
}
|
||||||
|
}
|
@ -2,11 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class LockedClientException extends OAuth2ClientBaseException
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class LockedClientException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class LockedClientException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($client_id, $message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Locked Client Exception: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($client_id,$message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
32
app/libs/oauth2/exceptions/LoginRequiredException.php
Normal file
32
app/libs/oauth2/exceptions/LoginRequiredException.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class InteractionRequiredException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class LoginRequiredException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_Login_Required;
|
||||||
|
}
|
||||||
|
}
|
@ -3,14 +3,19 @@
|
|||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class MissingClientAuthorizationInfo extends Exception
|
/**
|
||||||
|
* Class MissingClientAuthorizationInfo
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class MissingClientAuthorizationInfo extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
public function __construct($message = "")
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Missing Client Authorization Info: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -3,14 +3,19 @@
|
|||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class MissingClientIdParam extends Exception
|
/**
|
||||||
|
* Class MissingClientIdParam
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class MissingClientIdParam extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
public function __construct($message = "")
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Missing ClientId Param: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
39
app/libs/oauth2/exceptions/OAuth2BaseException.php
Normal file
39
app/libs/oauth2/exceptions/OAuth2BaseException.php
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use Exception;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class OAuth2BaseException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
abstract class OAuth2BaseException extends Exception
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $description
|
||||||
|
*/
|
||||||
|
public function __construct($description = null)
|
||||||
|
{
|
||||||
|
parent::__construct($description);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
abstract public function getError();
|
||||||
|
|
||||||
|
}
|
@ -2,15 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class OAuth2GenericException extends Exception
|
/**
|
||||||
|
* Class OAuth2GenericException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class OAuth2GenericException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
public function __construct($message = "")
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "OAuth2 Generic Exception : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_ServerError;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -4,13 +4,36 @@ namespace oauth2\exceptions;
|
|||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
|
|
||||||
class OAuth2ResourceServerException extends Exception{
|
/**
|
||||||
|
* Class OAuth2ResourceServerException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
class OAuth2ResourceServerException extends Exception
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
private $http_code;
|
private $http_code;
|
||||||
|
/**
|
||||||
|
* @var int
|
||||||
|
*/
|
||||||
private $error;
|
private $error;
|
||||||
|
/**
|
||||||
|
* @var Exception
|
||||||
|
*/
|
||||||
private $error_description;
|
private $error_description;
|
||||||
|
/**
|
||||||
|
* @var null
|
||||||
|
*/
|
||||||
private $scope;
|
private $scope;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $http_code
|
||||||
|
* @param int $error
|
||||||
|
* @param Exception $error_description
|
||||||
|
* @param null $scope
|
||||||
|
*/
|
||||||
public function __construct($http_code,$error,$error_description,$scope = null)
|
public function __construct($http_code,$error,$error_description,$scope = null)
|
||||||
{
|
{
|
||||||
$this->http_code = $http_code;
|
$this->http_code = $http_code;
|
||||||
@ -21,19 +44,23 @@ class OAuth2ResourceServerException extends Exception{
|
|||||||
parent::__construct($message, 0, null);
|
parent::__construct($message, 0, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getError(){
|
public function getError()
|
||||||
|
{
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getErrorDescription(){
|
public function getErrorDescription()
|
||||||
|
{
|
||||||
return $this->error_description;
|
return $this->error_description;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getScope(){
|
public function getScope()
|
||||||
|
{
|
||||||
return $this->scope;
|
return $this->scope;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getHttpCode(){
|
public function getHttpCode()
|
||||||
|
{
|
||||||
return $this->http_code;
|
return $this->http_code;
|
||||||
}
|
}
|
||||||
}
|
}
|
32
app/libs/oauth2/exceptions/RecipientKeyNotFoundException.php
Normal file
32
app/libs/oauth2/exceptions/RecipientKeyNotFoundException.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class RecipientKeyNotFoundException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class RecipientKeyNotFoundException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_Invalid_Recipient_Keys;
|
||||||
|
}
|
||||||
|
}
|
@ -2,20 +2,41 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class ReplayAttackException extends Exception
|
/**
|
||||||
|
* Class ReplayAttackException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class ReplayAttackException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
private $auth_code;
|
|
||||||
|
|
||||||
public function getAuthCode(){
|
/**
|
||||||
return $this->auth_code;
|
* @param null|string $code
|
||||||
}
|
* @param null $description
|
||||||
|
*/
|
||||||
public function __construct($auth_code,$message = "")
|
public function __construct($token, $description = null)
|
||||||
{
|
{
|
||||||
$this->auth_code = $auth_code;
|
$this->token = $token;
|
||||||
$message = "Possible Replay Attack : " . $message;
|
parent::__construct($description);
|
||||||
parent::__construct($message, 0, null);
|
}
|
||||||
|
/**
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
private $token;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getToken()
|
||||||
|
{
|
||||||
|
return $this->token;
|
||||||
|
}
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidGrant;
|
||||||
}
|
}
|
||||||
}
|
}
|
32
app/libs/oauth2/exceptions/RevokedAccessTokenException.php
Normal file
32
app/libs/oauth2/exceptions/RevokedAccessTokenException.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class RevokedAccessTokenException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class RevokedAccessTokenException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidToken;
|
||||||
|
}
|
||||||
|
}
|
32
app/libs/oauth2/exceptions/RevokedRefreshTokenException.php
Normal file
32
app/libs/oauth2/exceptions/RevokedRefreshTokenException.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class RevokedRefreshTokenException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
class RevokedRefreshTokenException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidToken;
|
||||||
|
}
|
||||||
|
}
|
@ -2,13 +2,20 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
use Exception;
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
class ScopeNotAllowedException extends Exception
|
/**
|
||||||
|
* Class ScopeNotAllowedException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class ScopeNotAllowedException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($message = "")
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "Scope Not Allowed : " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_InvalidScope;
|
||||||
parent::__construct($message, 0, null);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
32
app/libs/oauth2/exceptions/ServerKeyNotFoundException.php
Normal file
32
app/libs/oauth2/exceptions/ServerKeyNotFoundException.php
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Copyright 2015 OpenStack Foundation
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
**/
|
||||||
|
|
||||||
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class ServerKeyNotFoundException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class ServerKeyNotFoundException extends OAuth2BaseException
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
|
{
|
||||||
|
return OAuth2Protocol::OAuth2Protocol_Error_Invalid_Server_Keys;
|
||||||
|
}
|
||||||
|
}
|
@ -2,11 +2,19 @@
|
|||||||
|
|
||||||
namespace oauth2\exceptions;
|
namespace oauth2\exceptions;
|
||||||
|
|
||||||
class UnAuthorizedClientException extends OAuth2ClientBaseException
|
use oauth2\OAuth2Protocol;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class UnAuthorizedClientException
|
||||||
|
* @package oauth2\exceptions
|
||||||
|
*/
|
||||||
|
final class UnAuthorizedClientException extends OAuth2BaseException
|
||||||
{
|
{
|
||||||
public function __construct($client_id, $message = "")
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getError()
|
||||||
{
|
{
|
||||||
$message = "UnAuthorized Client: " . $message;
|
return OAuth2Protocol::OAuth2Protocol_Error_UnauthorizedClient;
|
||||||
parent::__construct($client_id,$message);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user