harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'oauth2' of https://github.com/anaqreon/hubzilla into oauth2

Browse Source
This commit is contained in:
zotlabs 2018-03-31 14:00:09 -07:00
commit 3bd3686acf
8 changed files with 373 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
Zotlabs/Module/Authorize.php
View File

@ -4,59 +4,90 @@ namespace Zotlabs\Module;
use Zotlabs\Identity\OAuth2Storage; use Zotlabs\Identity\OAuth2Storage;
class Authorize extends \Zotlabs\Web\Controller { class Authorize extends \Zotlabs\Web\Controller {
function init() { function get() {
if (!local_channel()) {
return login();
} else {
// TODO: Fully implement the dynamic client registration protocol:
// OpenID Connect Dynamic Client Registration 1.0 Client Metadata
// http://openid.net/specs/openid-connect-registration-1_0.html
$app = array(
'name' => (x($_REQUEST, 'client_name') ? urldecode($_REQUEST['client_name']) : 'Unknown App'),
'icon' => (x($_REQUEST, 'logo_uri') ? urldecode($_REQUEST['logo_uri']) : z_root() . '/images/icons/plugin.png'),
'url' => (x($_REQUEST, 'client_uri') ? urldecode($_REQUEST['client_uri']) : ''),
);
$o .= replace_macros(get_markup_template('oauth_authorize.tpl'), array(
'$title' => '',
'$authorize' => 'Do you authorize the app <a style="float: none;" href="' . $app['url'] . '">' . $app['name'] . '</a> to access your channel data?',
'$app' => $app,
'$yes' => t('Allow'),
'$no' => t('Deny'),
'$client_id' => (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : ''),
'$redirect_uri' => (x($_REQUEST, 'redirect_uri') ? $_REQUEST['redirect_uri'] : ''),
'$state' => (x($_REQUEST, 'state') ? $_REQUEST['state'] : ''),
));
return $o;
}
}
// workaround for HTTP-auth in CGI mode function post() {
if (x($_SERVER, 'REDIRECT_REMOTE_USER')) { if (!local_channel()) {
$userpass = base64_decode(substr($_SERVER["REDIRECT_REMOTE_USER"], 6)) ; return $this->get();
if(strlen($userpass)) {
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
} }
if (x($_SERVER, 'HTTP_AUTHORIZATION')) { $storage = new OAuth2Storage(\DBA::$dba->db);
$userpass = base64_decode(substr($_SERVER["HTTP_AUTHORIZATION"], 6)) ; $s = new \Zotlabs\Identity\OAuth2Server($storage);
if(strlen($userpass)) {
list($name, $password) = explode(':', $userpass);
$_SERVER['PHP_AUTH_USER'] = $name;
$_SERVER['PHP_AUTH_PW'] = $password;
}
}
$s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db)); // TODO: The automatic client registration protocol below should adhere more
// closely to "OAuth 2.0 Dynamic Client Registration Protocol" defined
// at https://tools.ietf.org/html/rfc7591
// If no client_id was provided, generate a new one.
if (x($_POST, 'client_id')) {
$client_id = $_POST['client_id'];
} else {
$client_id = $_POST['client_id'] = random_string(16);
}
// If no redirect_uri was provided, generate a fake one.
if (x($_POST, 'redirect_uri')) {
$redirect_uri = $_POST['redirect_uri'];
} else {
$redirect_uri = $_POST['redirect_uri'] = 'https://fake.example.com/oauth';
}
$request = \OAuth2\Request::createFromGlobals(); $request = \OAuth2\Request::createFromGlobals();
$response = new \OAuth2\Response(); $response = new \OAuth2\Response();
// If the client is not registered, add to the database
if (!$client = $storage->getClientDetails($client_id)) {
$client_secret = random_string(16);
// Client apps are registered per channel
$user_id = local_channel();
$storage->setClientDetails($client_id, $client_secret, $redirect_uri, 'authorization_code', null, $user_id);
}
if (!$client = $storage->getClientDetails($client_id)) {
// There was an error registering the client.
$response->send();
killme();
}
$response->setParameter('client_secret', $client['client_secret']);
// validate the authorize request // validate the authorize request
if (! $s->validateAuthorizeRequest($request, $response)) { if (!$s->validateAuthorizeRequest($request, $response)) {
$response->send(); $response->send();
killme(); killme();
} }
// display an authorization form
if (empty($_POST)) {
return '
<form method="post">
<label>Do You Authorize TestClient?</label><br />
<input type="submit" name="authorized" value="yes">
<input type="submit" name="authorized" value="no">
</form>';
}
// print the authorization code if the user has authorized your client // print the authorization code if the user has authorized your client
$is_authorized = ($_POST['authorized'] === 'yes'); $is_authorized = ($_POST['authorize'] === 'allow');
$s->handleAuthorizeRequest($request, $response, $is_authorized, local_channel()); $s->handleAuthorizeRequest($request, $response, $is_authorized, local_channel());
if ($is_authorized) { if ($is_authorized) {
// this is only here so that you get to see your code in the cURL request. Otherwise, // this is only here so that you get to see your code in the cURL request. Otherwise,
// we'd redirect back to the client // we'd redirect back to the client
$code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40); $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=') + 5, 40);
echo("SUCCESS! Authorization Code: $code"); echo("SUCCESS! Authorization Code: $code");
} }

215
Zotlabs/Module/Oauth2testvehicle.php Normal file
View File

@ -0,0 +1,215 @@
<?php
namespace Zotlabs\Module;
/**
* The OAuth2TestVehicle class is a way to test the registration of an OAuth2
* client app. It allows you to walk through the steps of registering a client,
* requesting an authorization code for that client, and then requesting an
* access token for use in authentication against the Hubzilla API endpoints.
*/
class OAuth2TestVehicle extends \Zotlabs\Web\Controller {
function init() {
// If there is a 'code' and 'state' parameter then this is a client app
// callback issued after the authorization code request
// TODO: Check state value and compare to original sent value
// "You should first compare this state value to ensure it matches the
// one you started with. You can typically store the state value in a
// cookie, and compare it when the user comes back. This ensures your
// redirection endpoint isn't able to be tricked into attempting to
// exchange arbitrary authorization codes."
$_SESSION['redirect_uri'] = 'http://hub.localhost/oauth2testvehicle';
$_SESSION['authorization_code'] = (x($_REQUEST, 'code') ? $_REQUEST['code'] : $_SESSION['authorization_code']);
$_SESSION['state'] = (x($_REQUEST, 'state') ? $_REQUEST['state'] : $_SESSION['state'] );
$_SESSION['client_id'] = (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : $_SESSION['client_id'] );
$_SESSION['client_secret'] = (x($_REQUEST, 'client_secret') ? $_REQUEST['client_secret'] : $_SESSION['client_secret']);
$_SESSION['access_token'] = (x($_REQUEST, 'access_token') ? $_REQUEST['access_token'] : $_SESSION['access_token'] );
$_SESSION['api_response'] = (x($_SESSION, 'api_response') ? $_SESSION['api_response'] : '');
}
function get() {
$o .= replace_macros(get_markup_template('oauth2testvehicle.tpl'), array(
'$baseurl' => z_root(),
'$api_response' => $_SESSION['api_response'],
/*
endpoints => array(
array(
'path_to_endpoint',
array(
array('field_name_1', 'value'),
array('field_name_2', 'value'),
...
),
'submit_button_name',
'Description of API action'
)
)
*/
'$endpoints' => array(
array(
'oauth2testvehicle',
array(
array(
'action', 'delete_db'
)
),
'oauth2test_delete_db',
'Delete the OAuth2 database tables',
'POST',
($_SESSION['success'] === 'delete_db'),
),
array(
'oauth2testvehicle',
array(
array(
'action', 'create_db'
)
),
'oauth2test_create_db',
'Create the OAuth2 database tables',
'POST',
($_SESSION['success'] === 'create_db'),
),
array(
'authorize',
array(
array('response_type', 'code'),
array('client_id', (x($_REQUEST, 'client_id') ? $_REQUEST['client_id'] : 'oauth2_test_app')),
array('redirect_uri', $_SESSION['redirect_uri']),
array('state', 'xyz'),
// OpenID Connect Dynamic Client Registration 1.0 Client Metadata
// http://openid.net/specs/openid-connect-registration-1_0.html
array('client_name', 'OAuth2 Test App'),
array('logo_uri', urlencode(z_root() . '/images/icons/plugin.png')),
array('client_uri', urlencode('https://client.example.com/website')),
array('application_type', 'web'), // would be 'native' for mobile app
),
'oauth_authorize',
'Authorize a test client app',
'GET',
(($_REQUEST['code'] && $_REQUEST['state']) ? true : false),
),
array(
'oauth2testvehicle',
array(
array('action', 'request_token'),
array('grant_type', 'authorization_code'),
array('code', $_SESSION['authorization_code']),
array('redirect_uri', $_SESSION['redirect_uri']),
array('client_id', ($_SESSION['client_id'] ? $_SESSION['client_id'] : 'oauth2_test_app')),
array('client_secret', $_SESSION['client_secret']),
),
'oauth_token_request',
'Request a token',
'POST',
($_SESSION['success'] === 'request_token'),
),
array(
'oauth2testvehicle',
array(
array('action', 'api_files'),
array('access_token', $_SESSION['access_token']),
),
'oauth_api_files',
'API: Get channel files',
'POST',
($_SESSION['success'] === 'api_files'),
)
)
));
$_SESSION['success'] = '';
return $o;
}
function post() {
switch ($_POST['action']) {
case 'api_files':
$access_token = $_SESSION['access_token'];
$url = z_root() . '/api/z/1.0/files/';
$headers = [];
$headers[] = 'Authorization: Bearer ' . $access_token;
$post = z_fetch_url($url, false, 0, array(
'custom' => 'GET',
'headers' => $headers,
));
logger(json_encode($post, JSON_PRETTY_PRINT), LOGGER_DEBUG);
$response = json_decode($post['body'], true);
$_SESSION['api_response'] = json_encode($response, JSON_PRETTY_PRINT);
break;
case 'request_token':
$grant_type = (x($_POST, 'grant_type') ? $_POST['grant_type'] : '');
$redirect_uri = (x($_POST, 'redirect_uri') ? $_POST['redirect_uri'] : '');
$client_id = (x($_POST, 'client_id') ? $_POST['client_id'] : '');
$code = (x($_POST, 'code') ? $_POST['code'] : '');
$client_secret = (x($_POST, 'client_secret') ? $_POST['client_secret'] : '');
$url = z_root() . '/token/';
$params = http_build_query(array(
'grant_type' => $grant_type,
'redirect_uri' => urlencode($redirect_uri),
'client_id' => $client_id,
'code' => $code,
));
$post = z_post_url($url, $params, 0, array(
'http_auth' => $client_id . ':' . $client_secret,
));
logger(json_encode($post, JSON_PRETTY_PRINT), LOGGER_DEBUG);
$response = json_decode($post['body'], true);
logger(json_encode($response, JSON_PRETTY_PRINT), LOGGER_DEBUG);
if($response['access_token']) {
info('Access token received: ' . $response['access_token'] . EOL);
$_SESSION['success'] = 'request_token';
$_SESSION['access_token'] = $response['access_token'];
}
break;
case 'delete_db':
$status = true;
// Use the \OAuth2\Storage\Pdo class to create the OAuth2 tables
// by passing it the database connection
$pdo = \DBA::$dba->db;
$storage = new \Zotlabs\Storage\ZotOauth2Pdo($pdo);
foreach ($storage->getConfig() as $key => $table) {
$r = q("DROP TABLE %s;", dbesc($table));
if (!$r) {
$status = false;
}
}
if (!$status) {
notice('Errors encountered deleting database tables.' . EOL);
$_SESSION['success'] = '';
} else {
info('Database tables deleted successfully.' . EOL);
$_SESSION['success'] = 'delete_db';
}
break;
case 'create_db':
$status = true;
@include('.htconfig.php');
$pdo = \DBA::$dba->db;
$storage = new \Zotlabs\Storage\ZotOauth2Pdo($pdo);
foreach (explode(';', $storage->getBuildSql($db_data)) as $statement) {
try {
$result = $pdo->exec($statement);
} catch (\PDOException $e) {
$status = false;
}
}
if (!$status) {
notice('Errors encountered creating database tables.' . EOL);
$_SESSION['success'] = '';
} else {
info('Database tables created successfully.' . EOL);
$_SESSION['success'] = 'create_db';
}
break;
default:
break;
}
}
}

3
Zotlabs/Module/Token.php
View File

@ -29,7 +29,8 @@ class Token extends \Zotlabs\Web\Controller {
} }
$s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db)); $s = new \Zotlabs\Identity\OAuth2Server(new OAuth2Storage(\DBA::$dba->db));
$s->handleTokenRequest(\OAuth2\Request::createFromGlobals())->send(); $request = \OAuth2\Request::createFromGlobals();
$s->handleTokenRequest($request)->send();
killme(); killme();
} }

10
Zotlabs/Storage/ZotOauth2Pdo.php Normal file
View File

@ -0,0 +1,10 @@
<?php
namespace Zotlabs\Storage;
class ZotOauth2Pdo extends \OAuth2\Storage\Pdo {
public function getConfig()
{
return $this->config;
}
}

57
include/api_auth.php
View File

@ -14,25 +14,58 @@ function api_login(&$a){
// login with oauth // login with oauth
try { try {
$oauth = new ZotOAuth1(); // OAuth 2.0
$req = OAuth1Request::from_request(); $storage = new \Zotlabs\Identity\OAuth2Storage(\DBA::$dba->db);
$server = new \Zotlabs\Identity\OAuth2Server($storage);
$request = \OAuth2\Request::createFromGlobals();
if ($server->verifyResourceRequest($request)) {
$token = $server->getAccessTokenData($request);
$uid = $token['user_id'];
$r = q("SELECT * FROM channel WHERE channel_id = %d LIMIT 1",
intval($uid)
);
if (count($r)) {
$record = $r[0];
} else {
header('HTTP/1.0 401 Unauthorized');
echo('This api requires login');
killme();
}
list($consumer,$token) = $oauth->verify_request($req); $_SESSION['uid'] = $record['channel_id'];
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
if (!is_null($token)){ $x = q("select * from account where account_id = %d LIMIT 1",
$oauth->loginUser($token->uid); intval($record['channel_account_id'])
);
if ($x) {
require_once('include/security.php');
authenticate_success($x[0], null, true, false, true, true);
$_SESSION['allow_api'] = true;
call_hooks('logged_in', App::$user);
return;
}
} else {
// OAuth 1.0
$oauth = new ZotOAuth1();
$req = OAuth1Request::from_request();
App::set_oauth_key($consumer->key); list($consumer, $token) = $oauth->verify_request($req);
call_hooks('logged_in', App::$user); if (!is_null($token)) {
return; $oauth->loginUser($token->uid);
App::set_oauth_key($consumer->key);
call_hooks('logged_in', App::$user);
return;
}
killme();
} }
killme(); } catch (Exception $e) {
}
catch(Exception $e) {
logger($e->getMessage()); logger($e->getMessage());
} }
// workarounds for HTTP-auth in CGI mode // workarounds for HTTP-auth in CGI mode
foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) { foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {

4
view/css/mod_oauth2testvehicle.css Normal file
View File

@ -0,0 +1,4 @@
.oath2test-form-box {
border: #ccc thin solid;
padding: 1em;
}

21
view/tpl/oauth2testvehicle.tpl Normal file
View File

@ -0,0 +1,21 @@
<h1>OAuth 2.0 Test Vehicle</h1>
{{foreach $endpoints as $ept}}
<div class="oath2test-form-box">
<form action="{{$baseurl}}/{{$ept.0}}/" method="{{$ept.4}}">
<h3>{{$ept.3}}</h3>
{{$baseurl}}/{{$ept.0}}/?{{foreach $ept.1 as $field}}{{$field.0}}={{$field.1}}&<input type="hidden" name="{{$field.0}}" value="{{$field.1}}" />{{/foreach}}
<br>
<button type="submit" name="{{$ept.2}}_submit" value="submit" class="btn btn-med" title="">Submit</button>
<span style="display: {{if $ept.5}}inline{{else}}none{{/if}}; font-size: 2em;">&nbsp;<i class="fa fa-check"></i></span>
</form>
</div>
{{/foreach}}
<div>
<h3>API response</h3>
<pre style="display: inline-block; overflow-x: auto; white-space: nowrap; width: 100%;">
<code>
{{$api_response}}
</code>
</pre>
</div>

18
view/tpl/oauth_authorize.tpl
View File

@ -2,9 +2,15 @@
<div class='oauthapp'> <div class='oauthapp'>
<img src='{{$app.icon}}'> <img src='{{$app.icon}}'>
<h4>{{$app.name}}</h4> <h3>{{$app.name}}</h3>
</div> <p class="descriptive-paragraph">{{$authorize}}</p>
<h3>{{$authorize}}</h3> <form method="POST">
<form method="POST"> <div class="settings-submit-wrapper">
<div class="settings-submit-wrapper"><input class="settings-submit" type="submit" name="oauth_yes" value="{{$yes}}" /></div> <input type="hidden" name="client_id" value="{{$client_id}}" />
</form> <input type="hidden" name="redirect_uri" value="{{$redirect_uri}}" />
<input type="hidden" name="state" value="{{$state}}" />
<button class="btn btn-lg btn-danger" name="authorize" value="deny" type="submit">{{$no}}</button>
<button class="btn btn-lg btn-success" name="authorize" value="allow" type="submit">{{$yes}}</button>
</div>
</form>
</div>