
github.com/nextcloud/apps.git - Unnamed repository; edit this file 'description' to name the repository.
authorFrançois Kooman <fkooman@tuxed.net>2013-08-18 17:11:35 +0400
committerFrançois Kooman <fkooman@tuxed.net>2013-08-18 17:11:35 +0400
commit9f2c060be0272c9b511131e6383a7f24016dab0f (patch)
treeaf5aca976e4078ee16ac9ccde6f47e6781ea8242 /user_oauth
parent7ce7436f82f9312bd85e7ce64f9da5d02a7c0030 (diff)
update user_oauth to use composer for dependencies, update php-oauth-lib-rs to latest version
Diffstat (limited to 'user_oauth')
-rw-r--r--user_oauth/3rdparty/autoload.php7
-rw-r--r--user_oauth/3rdparty/composer/ClassLoader.php246
-rw-r--r--user_oauth/3rdparty/composer/autoload_classmap.php10
-rw-r--r--user_oauth/3rdparty/composer/autoload_namespaces.php10
-rw-r--r--user_oauth/3rdparty/composer/autoload_real.php43
-rw-r--r--user_oauth/3rdparty/composer/installed.json41
-rw-r--r--user_oauth/3rdparty/fetch_3rdparty_libs.sh4
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/.gitignore1
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/CHANGES.md4
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/README.md (renamed from user_oauth/3rdparty/php-oauth-lib-rs/README.md)13
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/composer.json20
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/docs/specifications/draft-richer-oauth-introspection-03.txt (renamed from user_oauth/3rdparty/php-oauth-lib-rs/docs/specifications/draft-richer-oauth-introspection-03.txt)0
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/docs/specifications/rfc6750.txt (renamed from user_oauth/3rdparty/php-oauth-lib-rs/docs/specifications/rfc6750.txt)0
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServer.php204
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServerException.php89
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/TokenIntrospection.php214
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/001.json (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/data/001.json)2
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/002.json (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/data/002.json)2
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/003.json (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/data/003.json)0
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/004.json (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/data/004.json)2
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/100.json (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/data/100.json)0
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/101.json (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/data/101.json)0
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/fkooman/oauth/rs/RemoteResourceServerTest.php (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/OAuth/RemoteResourceServerTest.php)13
-rw-r--r--user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/fkooman/oauth/rs/TokenIntrospectionTest.php (renamed from user_oauth/3rdparty/php-oauth-lib-rs/tests/OAuth/TokenIntrospectionTest.php)7
-rw-r--r--user_oauth/3rdparty/php-oauth-lib-rs/lib/OAuth/RemoteResourceServer.php467
-rw-r--r--user_oauth/README.md13
-rw-r--r--user_oauth/composer.json13
-rw-r--r--user_oauth/composer.lock62
-rw-r--r--user_oauth/remote.php2
-rw-r--r--user_oauth/src/OC_Connector_Sabre_OAuth.php (renamed from user_oauth/oauth.php)6
30 files changed, 993 insertions, 502 deletions
diff --git a/user_oauth/3rdparty/autoload.php b/user_oauth/3rdparty/autoload.php
new file mode 100644
index 000000000..d0bb84212
--- /dev/null
+++ b/user_oauth/3rdparty/autoload.php
@@ -0,0 +1,7 @@
+<?php
+
+// autoload.php generated by Composer
+
+require_once __DIR__ . '/composer' . '/autoload_real.php';
+
+return ComposerAutoloaderInita5069f942a5e5c655ec0afb42faf74f6::getLoader();
diff --git a/user_oauth/3rdparty/composer/ClassLoader.php b/user_oauth/3rdparty/composer/ClassLoader.php
new file mode 100644
index 000000000..1db8d9a0b
--- /dev/null
+++ b/user_oauth/3rdparty/composer/ClassLoader.php
@@ -0,0 +1,246 @@
+<?php
+
+/*
+ * This file is part of Composer.
+ *
+ * (c) Nils Adermann <naderman@naderman.de>
+ * Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Composer\Autoload;
+
+/**
+ * ClassLoader implements a PSR-0 class loader
+ *
+ * See https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md
+ *
+ * $loader = new \Composer\Autoload\ClassLoader();
+ *
+ * // register classes with namespaces
+ * $loader->add('Symfony\Component', __DIR__.'/component');
+ * $loader->add('Symfony', __DIR__.'/framework');
+ *
+ * // activate the autoloader
+ * $loader->register();
+ *
+ * // to enable searching the include path (eg. for PEAR packages)
+ * $loader->setUseIncludePath(true);
+ *
+ * In this example, if you try to use a class in the Symfony\Component
+ * namespace or one of its children (Symfony\Component\Console for instance),
+ * the autoloader will first look for the class under the component/
+ * directory, and it will then fallback to the framework/ directory if not
+ * found before giving up.
+ *
+ * This class is loosely based on the Symfony UniversalClassLoader.
+ *
+ * @author Fabien Potencier <fabien@symfony.com>
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ */
+class ClassLoader
+{
+ private $prefixes = array();
+ private $fallbackDirs = array();
+ private $useIncludePath = false;
+ private $classMap = array();
+
+ public function getPrefixes()
+ {
+ return call_user_func_array('array_merge', $this->prefixes);
+ }
+
+ public function getFallbackDirs()
+ {
+ return $this->fallbackDirs;
+ }
+
+ public function getClassMap()
+ {
+ return $this->classMap;
+ }
+
+ /**
+ * @param array $classMap Class to filename map
+ */
+ public function addClassMap(array $classMap)
+ {
+ if ($this->classMap) {
+ $this->classMap = array_merge($this->classMap, $classMap);
+ } else {
+ $this->classMap = $classMap;
+ }
+ }
+
+ /**
+ * Registers a set of classes, merging with any others previously set.
+ *
+ * @param string $prefix The classes prefix
+ * @param array|string $paths The location(s) of the classes
+ * @param bool $prepend Prepend the location(s)
+ */
+ public function add($prefix, $paths, $prepend = false)
+ {
+ if (!$prefix) {
+ if ($prepend) {
+ $this->fallbackDirs = array_merge(
+ (array) $paths,
+ $this->fallbackDirs
+ );
+ } else {
+ $this->fallbackDirs = array_merge(
+ $this->fallbackDirs,
+ (array) $paths
+ );
+ }
+
+ return;
+ }
+
+ $first = $prefix[0];
+ if (!isset($this->prefixes[$first][$prefix])) {
+ $this->prefixes[$first][$prefix] = (array) $paths;
+
+ return;
+ }
+ if ($prepend) {
+ $this->prefixes[$first][$prefix] = array_merge(
+ (array) $paths,
+ $this->prefixes[$first][$prefix]
+ );
+ } else {
+ $this->prefixes[$first][$prefix] = array_merge(
+ $this->prefixes[$first][$prefix],
+ (array) $paths
+ );
+ }
+ }
+
+ /**
+ * Registers a set of classes, replacing any others previously set.
+ *
+ * @param string $prefix The classes prefix
+ * @param array|string $paths The location(s) of the classes
+ */
+ public function set($prefix, $paths)
+ {
+ if (!$prefix) {
+ $this->fallbackDirs = (array) $paths;
+
+ return;
+ }
+ $this->prefixes[substr($prefix, 0, 1)][$prefix] = (array) $paths;
+ }
+
+ /**
+ * Turns on searching the include path for class files.
+ *
+ * @param bool $useIncludePath
+ */
+ public function setUseIncludePath($useIncludePath)
+ {
+ $this->useIncludePath = $useIncludePath;
+ }
+
+ /**
+ * Can be used to check if the autoloader uses the include path to check
+ * for classes.
+ *
+ * @return bool
+ */
+ public function getUseIncludePath()
+ {
+ return $this->useIncludePath;
+ }
+
+ /**
+ * Registers this instance as an autoloader.
+ *
+ * @param bool $prepend Whether to prepend the autoloader or not
+ */
+ public function register($prepend = false)
+ {
+ spl_autoload_register(array($this, 'loadClass'), true, $prepend);
+ }
+
+ /**
+ * Unregisters this instance as an autoloader.
+ */
+ public function unregister()
+ {
+ spl_autoload_unregister(array($this, 'loadClass'));
+ }
+
+ /**
+ * Loads the given class or interface.
+ *
+ * @param string $class The name of the class
+ * @return bool|null True if loaded, null otherwise
+ */
+ public function loadClass($class)
+ {
+ if ($file = $this->findFile($class)) {
+ include $file;
+
+ return true;
+ }
+ }
+
+ /**
+ * Finds the path to the file where the class is defined.
+ *
+ * @param string $class The name of the class
+ *
+ * @return string|false The path if found, false otherwise
+ */
+ public function findFile($class)
+ {
+ // work around for PHP 5.3.0 - 5.3.2 https://bugs.php.net/50731
+ if ('\\' == $class[0]) {
+ $class = substr($class, 1);
+ }
+
+ if (isset($this->classMap[$class])) {
+ return $this->classMap[$class];
+ }
+
+ if (false !== $pos = strrpos($class, '\\')) {
+ // namespaced class name
+ $classPath = strtr(substr($class, 0, $pos), '\\', DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
+ $className = substr($class, $pos + 1);
+ } else {
+ // PEAR-like class name
+ $classPath = null;
+ $className = $class;
+ }
+
+ $classPath .= strtr($className, '_', DIRECTORY_SEPARATOR) . '.php';
+
+ $first = $class[0];
+ if (isset($this->prefixes[$first])) {
+ foreach ($this->prefixes[$first] as $prefix => $dirs) {
+ if (0 === strpos($class, $prefix)) {
+ foreach ($dirs as $dir) {
+ if (file_exists($dir . DIRECTORY_SEPARATOR . $classPath)) {
+ return $dir . DIRECTORY_SEPARATOR . $classPath;
+ }
+ }
+ }
+ }
+ }
+
+ foreach ($this->fallbackDirs as $dir) {
+ if (file_exists($dir . DIRECTORY_SEPARATOR . $classPath)) {
+ return $dir . DIRECTORY_SEPARATOR . $classPath;
+ }
+ }
+
+ if ($this->useIncludePath && $file = stream_resolve_include_path($classPath)) {
+ return $file;
+ }
+
+ return $this->classMap[$class] = false;
+ }
+}
diff --git a/user_oauth/3rdparty/composer/autoload_classmap.php b/user_oauth/3rdparty/composer/autoload_classmap.php
new file mode 100644
index 000000000..391fccb4c
--- /dev/null
+++ b/user_oauth/3rdparty/composer/autoload_classmap.php
@@ -0,0 +1,10 @@
+<?php
+
+// autoload_classmap.php generated by Composer
+
+$vendorDir = dirname(dirname(__FILE__));
+$baseDir = dirname($vendorDir);
+
+return array(
+ 'OC_Connector_Sabre_OAuth' => $baseDir . '/src/OC_Connector_Sabre_OAuth.php',
+);
diff --git a/user_oauth/3rdparty/composer/autoload_namespaces.php b/user_oauth/3rdparty/composer/autoload_namespaces.php
new file mode 100644
index 000000000..b17cc08d2
--- /dev/null
+++ b/user_oauth/3rdparty/composer/autoload_namespaces.php
@@ -0,0 +1,10 @@
+<?php
+
+// autoload_namespaces.php generated by Composer
+
+$vendorDir = dirname(dirname(__FILE__));
+$baseDir = dirname($vendorDir);
+
+return array(
+ 'fkooman\\oauth\\rs\\' => array($vendorDir . '/fkooman/php-oauth-lib-rs/src'),
+);
diff --git a/user_oauth/3rdparty/composer/autoload_real.php b/user_oauth/3rdparty/composer/autoload_real.php
new file mode 100644
index 000000000..d2de900f7
--- /dev/null
+++ b/user_oauth/3rdparty/composer/autoload_real.php
@@ -0,0 +1,43 @@
+<?php
+
+// autoload_real.php generated by Composer
+
+class ComposerAutoloaderInita5069f942a5e5c655ec0afb42faf74f6
+{
+ private static $loader;
+
+ public static function loadClassLoader($class)
+ {
+ if ('Composer\Autoload\ClassLoader' === $class) {
+ require __DIR__ . '/ClassLoader.php';
+ }
+ }
+
+ public static function getLoader()
+ {
+ if (null !== self::$loader) {
+ return self::$loader;
+ }
+
+ spl_autoload_register(array('ComposerAutoloaderInita5069f942a5e5c655ec0afb42faf74f6', 'loadClassLoader'), true, true);
+ self::$loader = $loader = new \Composer\Autoload\ClassLoader();
+ spl_autoload_unregister(array('ComposerAutoloaderInita5069f942a5e5c655ec0afb42faf74f6', 'loadClassLoader'));
+
+ $vendorDir = dirname(__DIR__);
+ $baseDir = dirname($vendorDir);
+
+ $map = require __DIR__ . '/autoload_namespaces.php';
+ foreach ($map as $namespace => $path) {
+ $loader->set($namespace, $path);
+ }
+
+ $classMap = require __DIR__ . '/autoload_classmap.php';
+ if ($classMap) {
+ $loader->addClassMap($classMap);
+ }
+
+ $loader->register(true);
+
+ return $loader;
+ }
+}
diff --git a/user_oauth/3rdparty/composer/installed.json b/user_oauth/3rdparty/composer/installed.json
new file mode 100644
index 000000000..45bb5a380
--- /dev/null
+++ b/user_oauth/3rdparty/composer/installed.json
@@ -0,0 +1,41 @@
+[
+ {
+ "name": "fkooman/php-oauth-lib-rs",
+ "version": "0.1.0",
+ "version_normalized": "0.1.0.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/fkooman/php-oauth-lib-rs.git",
+ "reference": "0.1.0"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/fkooman/php-oauth-lib-rs/zipball/0.1.0",
+ "reference": "0.1.0",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">=5.3.3"
+ },
+ "time": "2013-08-18 12:09:22",
+ "type": "library",
+ "installation-source": "dist",
+ "autoload": {
+ "psr-0": {
+ "fkooman\\oauth\\rs\\": "src/"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "Apache-2.0"
+ ],
+ "authors": [
+ {
+ "name": "François Kooman",
+ "email": "fkooman@tuxed.net",
+ "role": "Developer"
+ }
+ ],
+ "description": "Library for implementing OAuth 2.0 resource servers"
+ }
+]
diff --git a/user_oauth/3rdparty/fetch_3rdparty_libs.sh b/user_oauth/3rdparty/fetch_3rdparty_libs.sh
deleted file mode 100644
index 5b97c8033..000000000
--- a/user_oauth/3rdparty/fetch_3rdparty_libs.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-rm -rf php-oauth-lib-rs/
-git clone https://github.com/fkooman/php-oauth-lib-rs.git
-rm -rf php-oauth-lib-rs/.git
diff --git a/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/.gitignore b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/.gitignore
new file mode 100644
index 000000000..61ead8666
--- /dev/null
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/.gitignore
@@ -0,0 +1 @@
+/vendor
diff --git a/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/CHANGES.md b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/CHANGES.md
new file mode 100644
index 000000000..3f3bcc575
--- /dev/null
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/CHANGES.md
@@ -0,0 +1,4 @@
+# Release History
+
+## 0.1.0
+* Initial release
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/README.md b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/README.md
index 584255ac1..842957504 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/README.md
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/README.md
@@ -11,12 +11,13 @@ Licensed under the Apache License, Version 2.0;
http://www.apache.org/licenses/LICENSE-2.0
# API
-Using the library is straightforward:
+Using the library is straightforward, you can install it in your project using
+[Composer](http://www.getcomposer.org).
<?php
- require_once 'lib/OAuth/RemoteResourceServer.php';
+ require_once 'vendor/autoload.php';
- use \OAuth\RemoteResourceServer as RemoteResourceServer;
+ use fkooman\oauth\rs\RemoteResourceServer;
$config = array(
"introspectionEndpoint" => "http://localhost/php-oauth/introspect.php",
@@ -100,10 +101,10 @@ a `JSON` formatted response you can send back to the client, this is OPTIONAL.
Here is an example on how to use this library with your own exception handling:
<?php
- require_once 'lib/OAuth/RemoteResourceServer.php';
+ require_once 'vendor/autoload.php';
- use \OAuth\RemoteResourceServer as RemoteResourceServer;
- use \OAuth\RemoteResourceServerException as RemoteResourceServerException;
+ use fkooman\oauth\rs\RemoteResourceServer;
+ use fkooman\oauth\rs\RemoteResourceServerException;
$config = array(
"introspectionEndpoint" => "http://localhost/php-oauth/introspect.php",
diff --git a/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/composer.json b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/composer.json
new file mode 100644
index 000000000..dbe50ebec
--- /dev/null
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/composer.json
@@ -0,0 +1,20 @@
+{
+ "authors": [
+ {
+ "email": "fkooman@tuxed.net",
+ "name": "Fran\u00e7ois Kooman",
+ "role": "Developer"
+ }
+ ],
+ "autoload": {
+ "psr-0": {
+ "fkooman\\oauth\\rs\\": "src/"
+ }
+ },
+ "description": "Library for implementing OAuth 2.0 resource servers",
+ "license": "Apache-2.0",
+ "name": "fkooman/php-oauth-lib-rs",
+ "require": {
+ "php": ">=5.3.3"
+ }
+}
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/docs/specifications/draft-richer-oauth-introspection-03.txt b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/docs/specifications/draft-richer-oauth-introspection-03.txt
index 8cad751e9..8cad751e9 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/docs/specifications/draft-richer-oauth-introspection-03.txt
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/docs/specifications/draft-richer-oauth-introspection-03.txt
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/docs/specifications/rfc6750.txt b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/docs/specifications/rfc6750.txt
index b433c72a2..b433c72a2 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/docs/specifications/rfc6750.txt
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/docs/specifications/rfc6750.txt
diff --git a/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServer.php b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServer.php
new file mode 100644
index 000000000..d326b2320
--- /dev/null
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServer.php
@@ -0,0 +1,204 @@
+<?php
+
+/**
+ * Copyright 2013 François Kooman <fkooman@tuxed.net>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace fkooman\oauth\rs;
+
+class RemoteResourceServer
+{
+ private $_config;
+
+ public function __construct(array $c)
+ {
+ $this->_config = $c;
+ }
+
+ public function verifyAndHandleRequest()
+ {
+ try {
+ $headerBearerToken = NULL;
+ $queryBearerToken = NULL;
+
+ // look for headers
+ if (function_exists("apache_request_headers")) {
+ $headers = apache_request_headers();
+ } elseif (isset($_SERVER)) {
+ $headers = $_SERVER;
+ } else {
+ $headers = array();
+ }
+
+ // look for query parameters
+ $query = (isset($_GET) && is_array($_GET)) ? $_GET : array();
+
+ return $this->verifyRequest($headers, $query);
+
+ } catch (RemoteResourceServerException $e) {
+ // send response directly to client, halt execution of calling script as well
+ $e->setRealm($this->_getConfigParameter("realm", FALSE, "Resource Server"));
+ header("HTTP/1.1 " . $e->getResponseCode());
+ if (NULL !== $e->getAuthenticateHeader()) {
+ // for "internal_server_error" responses no WWW-Authenticate header is set
+ header("WWW-Authenticate: " . $e->getAuthenticateHeader());
+ }
+ header("Content-Type: application/json");
+ die($e->getContent());
+ }
+ }
+
+ public function verifyRequest(array $headers, array $query)
+ {
+ // extract token from authorization header
+ $authorizationHeader = self::_getAuthorizationHeader($headers);
+ $ah = FALSE !== $authorizationHeader ? self::_getTokenFromHeader($authorizationHeader) : FALSE;
+
+ // extract token from query parameters
+ $aq = self::_getTokenFromQuery($query);
+
+ if (FALSE === $ah && FALSE === $aq) {
+ // no token at all provided
+ throw new RemoteResourceServerException("no_token", "missing token");
+ }
+ if (FALSE !== $ah && FALSE !== $aq) {
+ // two tokens provided
+ throw new RemoteResourceServerException("invalid_request", "more than one method for including an access token used");
+ }
+ if (FALSE !== $ah) {
+ return $this->verifyBearerToken($ah);
+ }
+ if (FALSE !== $aq) {
+ return $this->verifyBearerToken($aq);
+ }
+ }
+
+ private static function _getAuthorizationHeader(array $headers)
+ {
+ $headerKeys = array_keys($headers);
+ foreach (array("X-Authorization", "Authorization") as $h) {
+ $keyPositionInArray = array_search(strtolower($h), array_map('strtolower', $headerKeys));
+ if (FALSE === $keyPositionInArray) {
+ continue;
+ }
+
+ return $headers[$headerKeys[$keyPositionInArray]];
+ }
+
+ return FALSE;
+ }
+
+ private static function _getTokenFromHeader($authorizationHeader)
+ {
+ if (0 !== strpos($authorizationHeader, "Bearer ")) {
+ return FALSE;
+ }
+
+ return substr($authorizationHeader, 7);
+ }
+
+ private static function _getTokenFromQuery(array $queryParameters)
+ {
+ if (!isset($queryParameters) || empty($queryParameters['access_token'])) {
+ return FALSE;
+ }
+
+ return $queryParameters['access_token'];
+ }
+
+ public function verifyBearerToken($token)
+ {
+ // b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
+ if ( 1 !== preg_match('|^[[:alpha:][:digit:]-._~+/]+=*$|', $token)) {
+ throw new RemoteResourceServerException("invalid_token", "the access token is not a valid b64token");
+ }
+
+ $introspectionEndpoint = $this->_getConfigParameter("introspectionEndpoint");
+ $get = array("token" => $token);
+
+ if (!function_exists("curl_init")) {
+ throw new RemoteResourceServerException("internal_server_error", "php curl module not available");
+ }
+
+ $curlChannel = curl_init();
+ if (FALSE === $curlChannel) {
+ throw new RemoteResourceServerException("internal_server_error", "unable to initialize curl");
+ }
+
+ if (0 !== strpos($introspectionEndpoint, "file://")) {
+ $separator = (FALSE === strpos($introspectionEndpoint, "?")) ? "?" : "&";
+ $introspectionEndpoint .= $separator . http_build_query($get, null, "&");
+ } else {
+ // file cannot have query parameter, use accesstoken as JSON file instead
+ $introspectionEndpoint .= $token . ".json";
+ }
+
+ $disableCertCheck = $this->_getConfigParameter("disableCertCheck", false, false);
+ if (FALSE === curl_setopt_array($curlChannel, array (
+ CURLOPT_URL => $introspectionEndpoint,
+ //CURLOPT_FOLLOWLOCATION => 1,
+ CURLOPT_RETURNTRANSFER => 1,
+ CURLOPT_SSL_VERIFYPEER => $disableCertCheck ? 0 : 1,
+ CURLOPT_SSL_VERIFYHOST => $disableCertCheck ? 0 : 2,
+ ))) {
+ throw new RemoteResourceServerException("internal_server_error", "unable to set curl options");
+ }
+
+ $output = curl_exec($curlChannel);
+
+ if (FALSE === $output) {
+ $error = curl_error($curlChannel);
+ throw new RemoteResourceServerException("internal_server_error", sprintf("unable to contact introspection endpoint [%s]", $error));
+ }
+
+ $httpCode = curl_getinfo($curlChannel, CURLINFO_HTTP_CODE);
+ curl_close($curlChannel);
+
+ if (0 !== strpos($introspectionEndpoint, "file://")) {
+ // not a file
+ if (200 !== $httpCode) {
+ throw new RemoteResourceServerException("internal_server_error", "unexpected response code from introspection endpoint");
+ }
+ }
+
+ $data = json_decode($output, TRUE);
+ $jsonError = json_last_error();
+ if (JSON_ERROR_NONE !== $jsonError) {
+ throw new RemoteResourceServerException("internal_server_error", "unable to decode response from introspection endpoint");
+ }
+ if (!is_array($data) || !isset($data['active']) || !is_bool($data['active'])) {
+ throw new RemoteResourceServerException("internal_server_error", "unexpected response from introspection endpoint");
+ }
+
+ if (!$data['active']) {
+ throw new RemoteResourceServerException("invalid_token", "the token is not active");
+ }
+
+ return new TokenIntrospection($data);
+ }
+
+ private function _getConfigParameter($key, $required = TRUE, $default = NULL)
+ {
+ if (!array_key_exists($key, $this->_config)) {
+ if ($required) {
+ throw new RemoteResourceServerException("internal_server_error", "missing required configuration parameter");
+ } else {
+ return $default;
+ }
+ }
+
+ return $this->_config[$key];
+ }
+}
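Review bot: In verifyBearerToken the `file://` branch appends the client-supplied token to the configured path, and the b64token pattern checked just above permits both `.` and `/`, so the token can select a `.json` file outside the intended directory. The branch looks like a test aid (an inference from the numbered fixtures under tests/data); if it stays in shipped code, reject such tokens before building the path, e.g. `if (FALSE !== strpos($token, "/")) { throw new RemoteResourceServerException("invalid_token", "the access token is not usable as a file name"); }`. For HTTP endpoints, adding `CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS` to the option array would restrict the schemes the handle accepts. `disableCertCheck` switches off both peer and host verification for the introspection call, so a comment marking it as development-only would help. This is a vendored copy, so the change belongs upstream in php-oauth-lib-rs.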
diff --git a/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServerException.php b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServerException.php
new file mode 100644
index 000000000..13cb5b618
--- /dev/null
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/RemoteResourceServerException.php
@@ -0,0 +1,89 @@
+<?php
+
+/**
+ * Copyright 2013 François Kooman <fkooman@tuxed.net>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace fkooman\oauth\rs;
+
+class RemoteResourceServerException extends \Exception
+{
+ private $description;
+ private $responseCode;
+ private $realm;
+
+ public function __construct($message, $description, $code = 0, Exception $previous = null)
+ {
+ switch ($message) {
+ case "no_token":
+ case "invalid_token":
+ $this->responseCode = 401;
+ break;
+ case "insufficient_scope":
+ case "insufficient_entitlement":
+ $this->responseCode = 403;
+ break;
+ case "internal_server_error":
+ $this->responseCode = 500;
+ break;
+ case "invalid_request":
+ default:
+ $this->responseCode = 400;
+ break;
+ }
+
+ $this->description = $description;
+ $this->realm = "Resource Server";
+
+ parent::__construct($message, $code, $previous);
+ }
+
+ public function getDescription()
+ {
+ return $this->description;
+ }
+
+ public function setRealm($resourceServerRealm)
+ {
+ $this->realm = (is_string($resourceServerRealm) && !empty($resourceServerRealm)) ? $resourceServerRealm : "Resource Server";
+ }
+
+ public function getResponseCode()
+ {
+ return $this->responseCode;
+ }
+
+ public function getAuthenticateHeader()
+ {
+ $authenticateHeader = NULL;
+ if (500 !== $this->responseCode) {
+ if ("no_token" === $this->message) {
+ // no authorization header is a special case, the client did not know
+ // authentication was required, so tell it now without giving error message
+ $authenticateHeader = sprintf('Bearer realm="%s"', $this->realm);
+ } else {
+ $authenticateHeader = sprintf('Bearer realm="%s",error="%s",error_description="%s"', $this->realm, $this->message, $this->description);
+ }
+ }
+
+ return $authenticateHeader;
+ }
+
+ public function getContent()
+ {
+ return json_encode(array("error" => $this->message, "error_description" => $this->description));
+ }
+
+}
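Review bot: The constructor's `Exception $previous = null` type hint is unqualified inside `namespace fkooman\oauth\rs`, so it resolves to `fkooman\oauth\rs\Exception` rather than the global class this exception extends, and passing a real previous exception would fail the type check. It should read `\Exception $previous = null`. In getAuthenticateHeader the realm and description are placed inside quoted-string parameters without escaping `"` or `\`; the realm comes from configuration via setRealm, so either escape both values before the `sprintf` or add a comment stating that they must not contain those characters, to keep the WWW-Authenticate header well-formed.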
diff --git a/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/TokenIntrospection.php b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/TokenIntrospection.php
new file mode 100644
index 000000000..1d1e54411
--- /dev/null
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/src/fkooman/oauth/rs/TokenIntrospection.php
@@ -0,0 +1,214 @@
+<?php
+
+/**
+ * Copyright 2013 François Kooman <fkooman@tuxed.net>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace fkooman\oauth\rs;
+
+class TokenIntrospection
+{
+ private $_response;
+
+ public function __construct(array $response)
+ {
+ if (!isset($response['active']) || !is_bool($response['active'])) {
+ throw new RemoteResourceServerException("internal_server_error", "active key should be set and its value a boolean");
+ }
+
+ if (isset($response['exp']) && (!is_int($response['exp']) || 0 > $response['exp'])) {
+ throw new RemoteResourceServerException("internal_server_error", "exp value must be positive integer");
+ }
+
+ if (isset($response['exp']) && (!is_int($response['iat']) || 0 > $response['iat'])) {
+ throw new RemoteResourceServerException("internal_server_error", "iat value must be positive integer");
+ }
+
+ if (isset($response['iat'])) {
+ if (time() < $response['iat']) {
+ throw new RemoteResourceServerException("internal_server_error", "token issued in the future");
+ }
+ }
+
+ if (isset($response['exp']) && isset($response['iat'])) {
+ if ($response['exp'] < $response['iat']) {
+ throw new RemoteResourceServerException("internal_server_error", "token expired before it was issued");
+ }
+ }
+
+ if (isset($response['exp'])) {
+ if (time() > $response['exp']) {
+ throw new RemoteResourceServerException("invalid_token", "the token expired");
+ }
+ }
+
+ if (isset($response['x-entitlement']) && !is_array($response['x-entitlement'])) {
+ throw new RemoteResourceServerException("internal_server_error", "x-entitlement value must be array");
+ }
+
+ $this->_response = $response;
+ }
+
+ /**
+ * REQUIRED. Boolean indicator of whether or not the presented
+ * token is currently active.
+ */
+ public function getActive()
+ {
+ return $this->_response['active'];
+ }
+
+ /**
+ * OPTIONAL. Integer timestamp, measured in the number of
+ * seconds since January 1 1970 UTC, indicating when this token will
+ * expire.
+ */
+ public function getExpiresAt()
+ {
+ return $this->_getKeyValue('exp');
+ }
+
+ /**
+ * OPTIONAL. Integer timestamp, measured in the number of
+ * seconds since January 1 1970 UTC, indicating when this token was
+ * originally issued.
+ */
+ public function getIssuedAt()
+ {
+ return $this->_getKeyValue('iat');
+ }
+
+ /**
+ * OPTIONAL. A space-separated list of strings representing the
+ * scopes associated with this token, in the format described in
+ * Section 3.3 of OAuth 2.0 [RFC6749].
+ */
+ public function getScope()
+ {
+ return $this->_getKeyValue('scope');
+ }
+
+ /**
+ * OPTIONAL. Client Identifier for the OAuth Client that
+ * requested this token.
+ */
+ public function getClientId()
+ {
+ return $this->_getKeyValue('client_id');
+ }
+
+ /**
+ * OPTIONAL. Local identifier of the Resource Owner who authorized
+ * this token.
+ */
+ public function getSub()
+ {
+ return $this->_getKeyValue('sub');
+ }
+
+ /**
+ * OPTIONAL. Service-specific string identifier or list of string
+ * identifiers representing the intended audience for this token.
+ */
+ public function getAud()
+ {
+ return $this->_getKeyValue('aud');
+ }
+
+ /**
+ * OPTIONAL. Type of the token as defined in OAuth 2.0
+ * section 5.1.
+ */
+ public function getTokenType()
+ {
+ return $this->_getKeyValue('token_type');
+ }
+
+ private function _getKeyValue($key)
+ {
+ return isset($this->_response[$key]) ? $this->_response[$key] : FALSE;
+ }
+
+ /* ADDITIONAL HELPER METHODS */
+ public function getResourceOwnerId()
+ {
+ return $this->getSub();
+ }
+
+ public function getScopeAsArray()
+ {
+ return FALSE !== $this->getScope() ? explode(" ", $this->getScope()) : FALSE;
+ }
+
+ public function hasScope($scope)
+ {
+ return FALSE !== $this->getScopeAsArray() ? in_array($scope, $this->getScopeAsArray()) : FALSE;
+ }
+
+ public function requireScope($scope)
+ {
+ if (FALSE === $this->hasScope($scope)) {
+ throw new RemoteResourceServerException("insufficient_scope", "no permission for this call with granted scope");
+ }
+ }
+
+ public function requireAnyScope(array $scope)
+ {
+ if (FALSE === $this->hasAnyScope($scope)) {
+ throw new RemoteResourceServerException("insufficient_scope", "no permission for this call with granted scope");
+ }
+ }
+
+ /**
+ * At least one of the scopes should be granted.
+ *
+ * @param array $scope the list of scopes of which one should be granted
+ * @return TRUE when at least one of the requested scopes was granted,
+ * FALSE when none were granted.
+ */
+ public function hasAnyScope(array $scope)
+ {
+ foreach ($scope as $s) {
+ if ($this->hasScope($s)) {
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+ }
+
+ public function getEntitlement()
+ {
+ return $this->_getKeyValue('x-entitlement');
+ }
+
+ public function hasEntitlement($entitlement)
+ {
+ return FALSE !== $this->getEntitlement() ? in_array($entitlement, $this->getEntitlement()) : FALSE;
+ }
+
+ public function requireEntitlement($entitlement)
+ {
+ if (FALSE === $this->hasEntitlement($entitlement)) {
+ throw new RemoteResourceServerException("insufficient_entitlement", "no permission for this call with granted entitlement");
+ }
+ }
+
+ public function getExt()
+ {
+ return $this->_getKeyValue('x-ext');
+ }
+
+}
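Review bot: The `iat` validation in the constructor is guarded by `isset($response['exp'])` instead of `isset($response['iat'])`, so a response carrying `exp` but no `iat` reads an undefined index and is rejected with "iat value must be positive integer", while a response carrying only `iat` skips the type check and reaches the `time() < $response['iat']` comparison unvalidated. The guard should be `if (isset($response['iat']) && (!is_int($response['iat']) || 0 > $response['iat'])) {`. hasEntitlement and hasScope call `in_array` without the strict flag; since the entitlement list is decoded from the introspection response and only checked to be an array, passing `true` as the third argument avoids loose matches against non-string members.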
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/001.json b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/001.json
index f844946a5..c67ec1d0b 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/001.json
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/001.json
@@ -1,7 +1,7 @@
{
"active": true,
"client_id": "testclient",
- "exp": 2366377846,
+ "exp": 1766377846,
"iat": 1366376612,
"scope": "foo bar",
"sub": "fkooman",
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/002.json b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/002.json
index a45f9ccee..c71abe464 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/002.json
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/002.json
@@ -1,7 +1,7 @@
{
"active": true,
"client_id": "testclient",
- "exp": 2366377846,
+ "exp": 1766377846,
"iat": 1366376612,
"scope": "a b c",
"sub": "frko"
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/003.json b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/003.json
index bba306789..bba306789 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/003.json
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/003.json
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/004.json b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/004.json
index a1b9abf4f..2680ce21d 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/004.json
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/004.json
@@ -1,7 +1,7 @@
{
"active": true,
"client_id": "html-manage-authorizations",
- "exp": 2366844432,
+ "exp": 1766844432,
"iat": 1366815632,
"scope": "authorizations",
"sub": "48a5788a56b3dc9035e981aa9c8924360c1906e4",
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/100.json b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/100.json
index 357d63809..357d63809 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/100.json
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/100.json
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/101.json b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/101.json
index 6089c5d95..6089c5d95 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/data/101.json
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/data/101.json
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/OAuth/RemoteResourceServerTest.php b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/fkooman/oauth/rs/RemoteResourceServerTest.php
index b4041abaa..4b4ca0ff1 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/OAuth/RemoteResourceServerTest.php
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/fkooman/oauth/rs/RemoteResourceServerTest.php
@@ -15,19 +15,18 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-require_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . "lib" . DIRECTORY_SEPARATOR . "OAuth" . DIRECTORY_SEPARATOR . "RemoteResourceServer.php";
+require_once 'vendor/autoload.php';
-use \OAuth\RemoteResourceServer as RemoteResourceServer;
-use \OAuth\RemoteResourceServerException as RemoteResourceServerException;
+use fkooman\oauth\rs\RemoteResourceServer;
+use fkooman\oauth\rs\RemoteResourceServerException;
class RemoteResourceServerTest extends PHPUnit_Framework_TestCase
{
-
private $_dataPath;
public function setUp()
{
- $this->_dataPath = "file://" . dirname(__DIR__) . DIRECTORY_SEPARATOR . "data/";
+ $this->_dataPath = "file://" . dirname(dirname(dirname(__DIR__))) . DIRECTORY_SEPARATOR . "data/";
}
public function testBasicToken()
@@ -39,7 +38,7 @@ class RemoteResourceServerTest extends PHPUnit_Framework_TestCase
$introspection = $rs->verifyRequest(array("Authorization" => "Bearer 001"), array());
$this->assertEquals("fkooman", $introspection->getSub());
$this->assertEquals("testclient", $introspection->getClientId());
- $this->assertEquals(2366377846, $introspection->getExpiresAt());
+ $this->assertEquals(1766377846, $introspection->getExpiresAt());
$this->assertEquals(1366376612, $introspection->getIssuedAt());
$this->assertEquals("foo bar", $introspection->getScope());
$this->assertEquals(array("urn:x-foo:service:access","urn:x-bar:privilege:admin"), $introspection->getEntitlement());
@@ -55,7 +54,7 @@ class RemoteResourceServerTest extends PHPUnit_Framework_TestCase
$introspection = $rs->verifyRequest(array(), array("access_token" => "002"));
$this->assertEquals("frko", $introspection->getSub());
$this->assertEquals("testclient", $introspection->getClientId());
- $this->assertEquals(2366377846, $introspection->getExpiresAt());
+ $this->assertEquals(1766377846, $introspection->getExpiresAt());
$this->assertEquals(1366376612, $introspection->getIssuedAt());
$this->assertEquals("a b c", $introspection->getScope());
$this->assertFalse($introspection->getEntitlement());
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/tests/OAuth/TokenIntrospectionTest.php b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/fkooman/oauth/rs/TokenIntrospectionTest.php
index e0e274eb0..1072efe7f 100644
--- a/user_oauth/3rdparty/php-oauth-lib-rs/tests/OAuth/TokenIntrospectionTest.php
+++ b/user_oauth/3rdparty/fkooman/php-oauth-lib-rs/tests/fkooman/oauth/rs/TokenIntrospectionTest.php
@@ -15,14 +15,13 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-require_once dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . "lib" . DIRECTORY_SEPARATOR . "OAuth" . DIRECTORY_SEPARATOR . "RemoteResourceServer.php";
+require_once 'vendor/autoload.php';
-use \OAuth\TokenIntrospection as TokenIntrospection;
-use \OAuth\RemoteResourceServerException as RemoteResourceServerException;
+use fkooman\oauth\rs\TokenIntrospection;
+use fkooman\oauth\rs\RemoteResourceServerException;
class TokenIntrospectionTest extends PHPUnit_Framework_TestCase
{
-
/**
* @dataProvider validTokenProvider
*/
diff --git a/user_oauth/3rdparty/php-oauth-lib-rs/lib/OAuth/RemoteResourceServer.php b/user_oauth/3rdparty/php-oauth-lib-rs/lib/OAuth/RemoteResourceServer.php
deleted file mode 100644
index acb8c46b5..000000000
--- a/user_oauth/3rdparty/php-oauth-lib-rs/lib/OAuth/RemoteResourceServer.php
+++ /dev/null
@@ -1,467 +0,0 @@
-<?php
-
-/**
- * Copyright 2013 François Kooman <fkooman@tuxed.net>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-namespace OAuth;
-
-class RemoteResourceServer
-{
- private $_config;
-
- public function __construct(array $c)
- {
- $this->_config = $c;
- }
-
- public function verifyAndHandleRequest()
- {
- try {
- $headerBearerToken = NULL;
- $queryBearerToken = NULL;
-
- // look for headers
- if (function_exists("apache_request_headers")) {
- $headers = apache_request_headers();
- } elseif (isset($_SERVER)) {
- $headers = $_SERVER;
- } else {
- $headers = array();
- }
-
- // look for query parameters
- $query = (isset($_GET) && is_array($_GET)) ? $_GET : array();
-
- return $this->verifyRequest($headers, $query);
-
- } catch (RemoteResourceServerException $e) {
- // send response directly to client, halt execution of calling script as well
- $e->setRealm($this->_getConfigParameter("realm", FALSE, "Resource Server"));
- header("HTTP/1.1 " . $e->getResponseCode());
- if (NULL !== $e->getAuthenticateHeader()) {
- // for "internal_server_error" responses no WWW-Authenticate header is set
- header("WWW-Authenticate: " . $e->getAuthenticateHeader());
- }
- header("Content-Type: application/json");
- die($e->getContent());
- }
- }
-
- public function verifyRequest(array $headers, array $query)
- {
- // extract token from authorization header
- $authorizationHeader = self::_getAuthorizationHeader($headers);
- $ah = FALSE !== $authorizationHeader ? self::_getTokenFromHeader($authorizationHeader) : FALSE;
-
- // extract token from query parameters
- $aq = self::_getTokenFromQuery($query);
-
- if (FALSE === $ah && FALSE === $aq) {
- // no token at all provided
- throw new RemoteResourceServerException("no_token", "missing token");
- }
- if (FALSE !== $ah && FALSE !== $aq) {
- // two tokens provided
- throw new RemoteResourceServerException("invalid_request", "more than one method for including an access token used");
- }
- if (FALSE !== $ah) {
- return $this->verifyBearerToken($ah);
- }
- if (FALSE !== $aq) {
- return $this->verifyBearerToken($aq);
- }
- }
-
- private static function _getAuthorizationHeader(array $headers)
- {
- $headerKeys = array_keys($headers);
- foreach (array("X-Authorization", "Authorization") as $h) {
- $keyPositionInArray = array_search(strtolower($h), array_map('strtolower', $headerKeys));
- if (FALSE === $keyPositionInArray) {
- continue;
- }
-
- return $headers[$headerKeys[$keyPositionInArray]];
- }
-
- return FALSE;
- }
-
- private static function _getTokenFromHeader($authorizationHeader)
- {
- if (0 !== strpos($authorizationHeader, "Bearer ")) {
- return FALSE;
- }
-
- return substr($authorizationHeader, 7);
- }
-
- private static function _getTokenFromQuery(array $queryParameters)
- {
- if (!isset($queryParameters) || empty($queryParameters['access_token'])) {
- return FALSE;
- }
-
- return $queryParameters['access_token'];
- }
-
- public function verifyBearerToken($token)
- {
- // b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
- if ( 1 !== preg_match('|^[[:alpha:][:digit:]-._~+/]+=*$|', $token)) {
- throw new RemoteResourceServerException("invalid_token", "the access token is not a valid b64token");
- }
-
- $introspectionEndpoint = $this->_getConfigParameter("introspectionEndpoint");
- $get = array("token" => $token);
-
- if (!function_exists("curl_init")) {
- throw new RemoteResourceServerException("internal_server_error", "php curl module not available");
- }
-
- $curlChannel = curl_init();
- if (FALSE === $curlChannel) {
- throw new RemoteResourceServerException("internal_server_error", "unable to initialize curl");
- }
-
- if (0 !== strpos($introspectionEndpoint, "file://")) {
- $separator = (FALSE === strpos($introspectionEndpoint, "?")) ? "?" : "&";
- $introspectionEndpoint .= $separator . http_build_query($get);
- } else {
- // file cannot have query parameter, use accesstoken as JSON file instead
- $introspectionEndpoint .= $token . ".json";
- }
- if (FALSE === curl_setopt_array($curlChannel, array (
- CURLOPT_URL => $introspectionEndpoint,
- //CURLOPT_FOLLOWLOCATION => 1,
- CURLOPT_RETURNTRANSFER => 1,
- CURLOPT_SSL_VERIFYPEER => 1,
- CURLOPT_SSL_VERIFYHOST => 2,
- ))) {
- throw new RemoteResourceServerException("internal_server_error", "unable to set curl options");
- }
-
- $output = curl_exec($curlChannel);
-
- if (FALSE === $output) {
- $error = curl_error($curlChannel);
- throw new RemoteResourceServerException("internal_server_error", "unable to contact introspection endpoint");
- }
-
- $httpCode = curl_getinfo($curlChannel, CURLINFO_HTTP_CODE);
- curl_close($curlChannel);
-
- if (0 !== strpos($introspectionEndpoint, "file://")) {
- // not a file
- if (200 !== $httpCode) {
- throw new RemoteResourceServerException("internal_server_error", "unexpected response code from introspection endpoint");
- }
- }
-
- $data = json_decode($output, TRUE);
- $jsonError = json_last_error();
- if (JSON_ERROR_NONE !== $jsonError) {
- throw new RemoteResourceServerException("internal_server_error", "unable to decode response from introspection endpoint");
- }
- if (!is_array($data) || !isset($data['active']) || !is_bool($data['active'])) {
- throw new RemoteResourceServerException("internal_server_error", "unexpected response from introspection endpoint");
- }
-
- if (!$data['active']) {
- throw new RemoteResourceServerException("invalid_token", "the token is not active");
- }
-
- return new TokenIntrospection($data);
- }
-
- private function _getConfigParameter($key, $required = TRUE, $default = NULL)
- {
- if (!array_key_exists($key, $this->_config)) {
- if ($required) {
- throw new RemoteResourceServerException("internal_server_error", "missing required configuration parameter");
- } else {
- return $default;
- }
- }
-
- return $this->_config[$key];
- }
-}
-
-class TokenIntrospection
-{
- private $_response;
-
- public function __construct(array $response)
- {
- if (!isset($response['active']) || !is_bool($response['active'])) {
- throw new RemoteResourceServerException("internal_server_error", "active key should be set and its value a boolean");
- }
-
- if (isset($response['exp']) && (!is_int($response['exp']) || 0 > $response['exp'])) {
- throw new RemoteResourceServerException("internal_server_error", "exp value must be positive integer");
- }
-
- if (isset($response['exp']) && (!is_int($response['iat']) || 0 > $response['iat'])) {
- throw new RemoteResourceServerException("internal_server_error", "iat value must be positive integer");
- }
-
- if (isset($response['iat'])) {
- if (time() < $response['iat']) {
- throw new RemoteResourceServerException("internal_server_error", "token issued in the future");
- }
- }
-
- if (isset($response['exp']) && isset($response['iat'])) {
- if ($response['exp'] < $response['iat']) {
- throw new RemoteResourceServerException("internal_server_error", "token expired before it was issued");
- }
- }
-
- if (isset($response['exp'])) {
- if (time() > $response['exp']) {
- throw new RemoteResourceServerException("invalid_token", "the token expired");
- }
- }
-
- if (isset($response['x-entitlement']) && !is_array($response['x-entitlement'])) {
- throw new RemoteResourceServerException("internal_server_error", "x-entitlement value must be array");
- }
-
- $this->_response = $response;
- }
-
- /**
- * REQUIRED. Boolean indicator of whether or not the presented
- * token is currently active.
- */
- public function getActive()
- {
- return $this->_response['active'];
- }
-
- /**
- * OPTIONAL. Integer timestamp, measured in the number of
- * seconds since January 1 1970 UTC, indicating when this token will
- * expire.
- */
- public function getExpiresAt()
- {
- return $this->_getKeyValue('exp');
- }
-
- /**
- * OPTIONAL. Integer timestamp, measured in the number of
- * seconds since January 1 1970 UTC, indicating when this token was
- * originally issued.
- */
- public function getIssuedAt()
- {
- return $this->_getKeyValue('iat');
- }
-
- /**
- * OPTIONAL. A space-separated list of strings representing the
- * scopes associated with this token, in the format described in
- * Section 3.3 of OAuth 2.0 [RFC6749].
- */
- public function getScope()
- {
- return $this->_getKeyValue('scope');
- }
-
- /**
- * OPTIONAL. Client Identifier for the OAuth Client that
- * requested this token.
- */
- public function getClientId()
- {
- return $this->_getKeyValue('client_id');
- }
-
- /**
- * OPTIONAL. Local identifier of the Resource Owner who authorized
- * this token.
- */
- public function getSub()
- {
- return $this->_getKeyValue('sub');
- }
-
- /**
- * OPTIONAL. Service-specific string identifier or list of string
- * identifiers representing the intended audience for this token.
- */
- public function getAud()
- {
- return $this->_getKeyValue('aud');
- }
-
- /**
- * OPTIONAL. Type of the token as defined in OAuth 2.0
- * section 5.1.
- */
- public function getTokenType()
- {
- return $this->_getKeyValue('token_type');
- }
-
- private function _getKeyValue($key)
- {
- return isset($this->_response[$key]) ? $this->_response[$key] : FALSE;
- }
-
- /* ADDITIONAL HELPER METHODS */
- public function getResourceOwnerId()
- {
- return $this->getSub();
- }
-
- public function getScopeAsArray()
- {
- return FALSE !== $this->getScope() ? explode(" ", $this->getScope()) : FALSE;
- }
-
- public function hasScope($scope)
- {
- return FALSE !== $this->getScopeAsArray() ? in_array($scope, $this->getScopeAsArray()) : FALSE;
- }
-
- public function requireScope($scope)
- {
- if (FALSE === $this->hasScope($scope)) {
- throw new RemoteResourceServerException("insufficient_scope", "no permission for this call with granted scope");
- }
- }
-
- public function requireAnyScope(array $scope)
- {
- if (FALSE === $this->hasAnyScope($scope)) {
- throw new RemoteResourceServerException("insufficient_scope", "no permission for this call with granted scope");
- }
- }
-
- /**
- * At least one of the scopes should be granted.
- *
- * @param array $scope the list of scopes of which one should be granted
- * @return TRUE when at least one of the requested scopes was granted,
- * FALSE when none were granted.
- */
- public function hasAnyScope(array $scope)
- {
- foreach ($scope as $s) {
- if ($this->hasScope($s)) {
- return TRUE;
- }
- }
-
- return FALSE;
- }
-
- public function getEntitlement()
- {
- return $this->_getKeyValue('x-entitlement');
- }
-
- public function hasEntitlement($entitlement)
- {
- return FALSE !== $this->getEntitlement() ? in_array($entitlement, $this->getEntitlement()) : FALSE;
- }
-
- public function requireEntitlement($entitlement)
- {
- if (FALSE === $this->hasEntitlement($entitlement)) {
- throw new RemoteResourceServerException("insufficient_entitlement", "no permission for this call with granted entitlement");
- }
- }
-
- public function getExt()
- {
- return $this->_getKeyValue('x-ext');
- }
-
-}
-
-class RemoteResourceServerException extends \Exception
-{
- private $description;
- private $responseCode;
- private $realm;
-
- public function __construct($message, $description, $code = 0, Exception $previous = null)
- {
- switch ($message) {
- case "no_token":
- case "invalid_token":
- $this->responseCode = 401;
- break;
- case "insufficient_scope":
- case "insufficient_entitlement":
- $this->responseCode = 403;
- break;
- case "internal_server_error":
- $this->responseCode = 500;
- break;
- case "invalid_request":
- default:
- $this->responseCode = 400;
- break;
- }
-
- $this->description = $description;
- $this->realm = "Resource Server";
-
- parent::__construct($message, $code, $previous);
- }
-
- public function getDescription()
- {
- return $this->description;
- }
-
- public function setRealm($resourceServerRealm)
- {
- $this->realm = (is_string($resourceServerRealm) && !empty($resourceServerRealm)) ? $resourceServerRealm : "Resource Server";
- }
-
- public function getResponseCode()
- {
- return $this->responseCode;
- }
-
- public function getAuthenticateHeader()
- {
- $authenticateHeader = NULL;
- if (500 !== $this->responseCode) {
- if ("no_token" === $this->message) {
- // no authorization header is a special case, the client did not know
- // authentication was required, so tell it now without giving error message
- $authenticateHeader = sprintf('Bearer realm="%s"', $this->realm);
- } else {
- $authenticateHeader = sprintf('Bearer realm="%s",error="%s",error_description="%s"', $this->realm, $this->message, $this->description);
- }
- }
-
- return $authenticateHeader;
- }
-
- public function getContent()
- {
- return json_encode(array("error" => $this->message, "error_description" => $this->description));
- }
-
-}
diff --git a/user_oauth/README.md b/user_oauth/README.md
index 43b007fa4..17285baf3 100644
--- a/user_oauth/README.md
+++ b/user_oauth/README.md
@@ -13,15 +13,16 @@ Install this code in the directory `user_oauth` in the `apps` directory of your
ownCloud installation.
This module needs an external library to verify the OAuth tokens at the OAuth
-authorization server. A script can be used to install this dependency, by
-default is in included in the `3rdparty` directory. So you only need this if
-you want to download the library again or update it.
+authorization server. [Composer](http://www.getcomposer.org) can be used to
+install this dependency, by default is in included in the `3rdparty` directory.
+So you only need this if you want to download the library again or update it.
$ cd /path/to/owncloud/apps/user_oauth
- $ cd 3rdparty
- $ sh fetch_3rdparty_libs.sh
+ $ php composer.phar install
-You need Git installed on your server to fetch the 3rd party dependency.
+Or to update:
+
+ $ php composer.phar update
You can enable the `user_oauth` app after login with the `admin` account. Go to
`Settings`, then `Apps` and finally select the `OAuth` module from the list of
diff --git a/user_oauth/composer.json b/user_oauth/composer.json
new file mode 100644
index 000000000..dfadebc9c
--- /dev/null
+++ b/user_oauth/composer.json
@@ -0,0 +1,13 @@
+{
+ "autoload": {
+ "classmap": [
+ "src/"
+ ]
+ },
+ "config": {
+ "vendor-dir": "3rdparty"
+ },
+ "require": {
+ "fkooman/php-oauth-lib-rs": "0.1.*"
+ }
+}
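Review bot: The constraint `"fkooman/php-oauth-lib-rs": "0.1.*"` lets `php composer.phar update`, which the README hunk in this commit recommends, replace the library that validates bearer tokens with any later 0.1.x release without review. The accompanying composer.lock does not close that gap: its `reference` is the tag name `0.1.0` rather than a commit hash, and `shasum` is empty, so neither the git source nor the zipball is bound to fixed content. Since the library is also committed under `3rdparty`, consider pinning it exactly with `"fkooman/php-oauth-lib-rs": "0.1.0"` and treating an upgrade as a reviewed change to the vendored tree.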
diff --git a/user_oauth/composer.lock b/user_oauth/composer.lock
new file mode 100644
index 000000000..ad10bbe20
--- /dev/null
+++ b/user_oauth/composer.lock
@@ -0,0 +1,62 @@
+{
+ "_readme": [
+ "This file locks the dependencies of your project to a known state",
+ "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file"
+ ],
+ "hash": "73e094aca03053aa630f0870a1c53abc",
+ "packages": [
+ {
+ "name": "fkooman/php-oauth-lib-rs",
+ "version": "0.1.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/fkooman/php-oauth-lib-rs.git",
+ "reference": "0.1.0"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/fkooman/php-oauth-lib-rs/zipball/0.1.0",
+ "reference": "0.1.0",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">=5.3.3"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-0": {
+ "fkooman\\oauth\\rs\\": "src/"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "Apache-2.0"
+ ],
+ "authors": [
+ {
+ "name": "François Kooman",
+ "email": "fkooman@tuxed.net",
+ "role": "Developer"
+ }
+ ],
+ "description": "Library for implementing OAuth 2.0 resource servers",
+ "time": "2013-08-18 12:09:22"
+ }
+ ],
+ "packages-dev": [
+
+ ],
+ "aliases": [
+
+ ],
+ "minimum-stability": "stable",
+ "stability-flags": [
+
+ ],
+ "platform": [
+
+ ],
+ "platform-dev": [
+
+ ]
+}
diff --git a/user_oauth/remote.php b/user_oauth/remote.php
index 3cbba7f1c..92083fdea 100644
--- a/user_oauth/remote.php
+++ b/user_oauth/remote.php
@@ -28,7 +28,7 @@ OC_App::loadApps($RUNTIME_APPTYPES);
$introspectionEndpoint = \OCP\Config::getSystemValue( "introspectionEndpoint", "https://frko.surfnetlabs.nl/workshop/php-oauth/introspect.php" );
-require_once 'oauth.php';
+require_once '3rdparty/autoload.php';
// Backends
$authBackend = new OC_Connector_Sabre_OAuth($introspectionEndpoint);
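Review bot: `require_once '3rdparty/autoload.php';` is a bare relative path, so PHP resolves it through include_path first, then the calling script's directory and the current working directory, not against this app's directory. If another `3rdparty/autoload.php` is reachable that way (ownCloud core appears to ship its own `3rdparty` directory, which is worth confirming), a different autoloader is loaded and the OAuth backend classes either fail to load or come from an unexpected location. Anchor the include to this file instead: `require_once __DIR__ . '/3rdparty/autoload.php';`. The rest of remote.php lies outside the hunk.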
diff --git a/user_oauth/oauth.php b/user_oauth/src/OC_Connector_Sabre_OAuth.php
index f5f0133d9..e8baafa29 100644
--- a/user_oauth/oauth.php
+++ b/user_oauth/src/OC_Connector_Sabre_OAuth.php
@@ -1,9 +1,7 @@
<?php
-require_once '3rdparty/php-oauth-lib-rs/lib/OAuth/RemoteResourceServer.php';
-
-use \OAuth\RemoteResourceServer as RemoteResourceServer;
-use \OAuth\RemoteResourceServerException as RemoteResourceServerException;
+use fkooman\oauth\rs\RemoteResourceServer;
+use fkooman\oauth\rs\RemoteResourceServerException;
class OC_Connector_Sabre_OAuth implements Sabre_DAV_Auth_IBackend
{