vendor/hwi/oauth-bundle/Security/OAuthUtils.php line 101

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the HWIOAuthBundle package.
  5.  *
  6.  * (c) Hardware Info <opensource@hardware.info>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace HWI\Bundle\OAuthBundle\Security;
  14. use HWI\Bundle\OAuthBundle\OAuth\ResourceOwnerInterface;
  15. use HWI\Bundle\OAuthBundle\OAuth\State\State;
  16. use HWI\Bundle\OAuthBundle\Security\Http\ResourceOwnerMapInterface;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  19. use Symfony\Component\Security\Http\HttpUtils;
  21. /**
  22.  * @author Alexander <iam.asm89@gmail.com>
  23.  * @author Joseph Bielawski <stloyd@gmail.com>
  24.  * @author Francisco Facioni <fran6co@gmail.com>
  25.  *
  26.  * @final since 1.4
  27.  */
  28. class OAuthUtils
  29. {
  30.     public const SIGNATURE_METHOD_HMAC 'HMAC-SHA1';
  31.     public const SIGNATURE_METHOD_RSA 'RSA-SHA1';
  32.     public const SIGNATURE_METHOD_PLAINTEXT 'PLAINTEXT';
  34.     /**
  35.      * @var bool
  36.      */
  37.     protected $connect;
  39.     /**
  40.      * @var string
  41.      */
  42.     protected $grantRule;
  44.     /**
  45.      * @var HttpUtils
  46.      */
  47.     protected $httpUtils;
  49.     /**
  50.      * @var ResourceOwnerMapInterface[]
  51.      */
  52.     protected $ownerMaps = [];
  54.     /**
  55.      * @var AuthorizationCheckerInterface
  56.      */
  57.     protected $authorizationChecker;
  59.     /**
  60.      * @param bool   $connect
  61.      * @param string $grantRule
  62.      */
  63.     public function __construct(
  64.         HttpUtils $httpUtils,
  65.         AuthorizationCheckerInterface $authorizationChecker,
  66.         $connect,
  67.         $grantRule
  68.     ) {
  69.         $this->httpUtils $httpUtils;
  70.         $this->authorizationChecker $authorizationChecker;
  71.         $this->connect $connect;
  72.         $this->grantRule $grantRule;
  73.     }
  75.     public function addResourceOwnerMap(ResourceOwnerMapInterface $ownerMap)
  76.     {
  77.         $this->ownerMaps[] = $ownerMap;
  78.     }
  80.     /**
  81.      * @return array
  82.      */
  83.     public function getResourceOwners()
  84.     {
  85.         $resourceOwners = [];
  87.         foreach ($this->ownerMaps as $ownerMap) {
  88.             $resourceOwners array_merge($resourceOwners$ownerMap->getResourceOwners());
  89.         }
  91.         return array_keys($resourceOwners);
  92.     }
  94.     /**
  95.      * @param string $name
  96.      * @param string $redirectUrl     Optional
  97.      * @param array  $extraParameters Optional
  98.      *
  99.      * @return string
  100.      */
  101.     public function getAuthorizationUrl(Request $request$name$redirectUrl null, array $extraParameters = [])
  102.     {
  103.         $resourceOwner $this->getResourceOwner($name);
  105.         if (null === $redirectUrl) {
  106.             if (!$this->connect || !$this->authorizationChecker->isGranted($this->grantRule)) {
  107.                 $redirectUrl $this->httpUtils->generateUri($request$this->getResourceOwnerCheckPath($name));
  108.             } else {
  109.                 $redirectUrl $this->getServiceAuthUrl($request$resourceOwner);
  110.             }
  111.         }
  113.         if ($request->query->has('state')) {
  114.             $this->addQueryParameterToState($request->query->get('state'), $resourceOwner);
  115.         }
  117.         return $resourceOwner->getAuthorizationUrl($redirectUrl$extraParameters);
  118.     }
  120.     /**
  121.      * @return string
  122.      */
  123.     public function getServiceAuthUrl(Request $requestResourceOwnerInterface $resourceOwner)
  124.     {
  125.         if ($resourceOwner->getOption('auth_with_one_url')) {
  126.             return $this->httpUtils->generateUri($request$this->getResourceOwnerCheckPath($resourceOwner->getName()));
  127.         }
  129.         $request->attributes->set('service'$resourceOwner->getName());
  130.         if ($request->query->has('state')) {
  131.             $this->addQueryParameterToState($request->query->get('state'), $resourceOwner);
  132.         }
  134.         return $this->httpUtils->generateUri($request'hwi_oauth_connect_service');
  135.     }
  137.     /**
  138.      * @param string $name
  139.      *
  140.      * @return string
  141.      */
  142.     public function getLoginUrl(Request $request$name)
  143.     {
  144.         // Just to check that this resource owner exists
  145.         $this->getResourceOwner($name);
  147.         $request->attributes->set('service'$name);
  149.         $url $this->httpUtils->generateUri($request'hwi_oauth_service_redirect');
  151.         if ($request->query->has('state')) {
  152.             $data = ['state' => $request->query->all()['state']];
  153.             $url .= '?'.http_build_query($data);
  154.         }
  156.         return $url;
  157.     }
  159.     /**
  160.      * Sign the request parameters.
  161.      *
  162.      * @param string $method          Request method
  163.      * @param string $url             Request url
  164.      * @param array  $parameters      Parameters for the request
  165.      * @param string $clientSecret    Client secret to use as key part of signing
  166.      * @param string $tokenSecret     Optional token secret to use with signing
  167.      * @param string $signatureMethod Optional signature method used to sign token
  168.      *
  169.      * @return string
  170.      *
  171.      * @throws \RuntimeException
  172.      */
  173.     public static function signRequest($method$url$parameters$clientSecret$tokenSecret ''$signatureMethod self::SIGNATURE_METHOD_HMAC)
  174.     {
  175.         // Validate required parameters
  176.         foreach (['oauth_consumer_key''oauth_timestamp''oauth_nonce''oauth_version''oauth_signature_method'] as $parameter) {
  177.             if (!isset($parameters[$parameter])) {
  178.                 throw new \RuntimeException(sprintf('Parameter "%s" must be set.'$parameter));
  179.             }
  180.         }
  182.         // Remove oauth_signature if present
  183.         // Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")
  184.         if (isset($parameters['oauth_signature'])) {
  185.             unset($parameters['oauth_signature']);
  186.         }
  188.         // Parse & add query params as base string parameters if they exists
  189.         $url parse_url($url);
  190.         if (isset($url['query'])) {
  191.             parse_str($url['query'], $queryParams);
  192.             $parameters += $queryParams;
  193.         }
  195.         // Remove default ports
  196.         // Ref: Spec: 9.1.2
  197.         $explicitPort $url['port'] ?? null;
  198.         if (('https' === $url['scheme'] && 443 === $explicitPort) || ('http' === $url['scheme'] && 80 === $explicitPort)) {
  199.             $explicitPort null;
  200.         }
  202.         // Remove query params from URL
  203.         // Ref: Spec: 9.1.2
  204.         $url sprintf('%s://%s%s%s'$url['scheme'], $url['host'], ($explicitPort ':'.$explicitPort ''), $url['path'] ?? '');
  206.         // Parameters are sorted by name, using lexicographical byte value ordering.
  207.         // Ref: Spec: 9.1.1 (1)
  208.         uksort($parameters'strcmp');
  210.         // http_build_query should use RFC3986
  211.         $parts = [
  212.             // HTTP method name must be uppercase
  213.             // Ref: Spec: 9.1.3 (1)
  214.             strtoupper($method),
  215.             rawurlencode($url),
  216.             rawurlencode(str_replace(['%7E''+'], ['~''%20'], http_build_query($parameters'''&'))),
  217.         ];
  219.         $baseString implode('&'$parts);
  221.         switch ($signatureMethod) {
  222.             case self::SIGNATURE_METHOD_HMAC:
  223.                 $keyParts = [
  224.                     rawurlencode($clientSecret),
  225.                     rawurlencode($tokenSecret),
  226.                 ];
  228.                 $signature hash_hmac('sha1'$baseStringimplode('&'$keyParts), true);
  229.                 break;
  231.             case self::SIGNATURE_METHOD_RSA:
  232.                 if (!\function_exists('openssl_pkey_get_private')) {
  233.                     throw new \RuntimeException('RSA-SHA1 signature method requires the OpenSSL extension.');
  234.                 }
  236.                 if (=== strpos($clientSecret'-----BEGIN')) {
  237.                     $privateKey openssl_pkey_get_private($clientSecret$tokenSecret);
  238.                 } else {
  239.                     $privateKey openssl_pkey_get_private(file_get_contents($clientSecret), $tokenSecret);
  240.                 }
  242.                 $signature false;
  244.                 openssl_sign($baseString$signature$privateKey);
  245.                 openssl_free_key($privateKey);
  246.                 break;
  248.             case self::SIGNATURE_METHOD_PLAINTEXT:
  249.                 $signature $baseString;
  250.                 break;
  252.             default:
  253.                 throw new \RuntimeException(sprintf('Unknown signature method selected %s.'$signatureMethod));
  254.         }
  256.         return base64_encode($signature);
  257.     }
  259.     /**
  260.      * @param string $name
  261.      *
  262.      * @return ResourceOwnerInterface
  263.      *
  264.      * @throws \RuntimeException
  265.      */
  266.     protected function getResourceOwner($name)
  267.     {
  268.         foreach ($this->ownerMaps as $ownerMap) {
  269.             $resourceOwner $ownerMap->getResourceOwnerByName($name);
  270.             if ($resourceOwner instanceof ResourceOwnerInterface) {
  271.                 return $resourceOwner;
  272.             }
  273.         }
  275.         throw new \RuntimeException(sprintf("No resource owner with name '%s'."$name));
  276.     }
  278.     /**
  279.      * @param string $name
  280.      *
  281.      * @return string|null
  282.      */
  283.     protected function getResourceOwnerCheckPath($name)
  284.     {
  285.         foreach ($this->ownerMaps as $ownerMap) {
  286.             if ($potentialResourceOwnerCheckPath $ownerMap->getResourceOwnerCheckPath($name)) {
  287.                 return $potentialResourceOwnerCheckPath;
  288.             }
  289.         }
  291.         return null;
  292.     }
  294.     /**
  295.      * @param string|array<string, string>|null $queryParameter The query parameter to parse and add to the State
  296.      * @param ResourceOwnerInterface            $resourceOwner  The resource owner holding the state to be added to
  297.      */
  298.     private function addQueryParameterToState($queryParameterResourceOwnerInterface $resourceOwner): void
  299.     {
  300.         if (null === $queryParameter) {
  301.             return;
  302.         }
  304.         $additionalState = new State($queryParameter);
  305.         foreach ($additionalState->getAll() as $key => $value) {
  306.             $resourceOwner->addStateParameter($key$value);
  307.         }
  308.     }
  309. }