Commit 1ff5e0c5 authored by Steve Johnson's avatar Steve Johnson

added generic service provider (our mockup oauth service)

parent 6653ea7f
<?php
/*
Here to get an access token. This communicates with our mockup oauth2 service.
User must have previously authenticated with oauth2 service through the MSE user portal. The access
token is valid until revoked (no refresh token)
Called from xxxxxx/php/login_token.php
This also provides a remote login method for login service types.
*/
function auth_generic($uid, $appid) {
// Token is static, no refresh required.
$auth = load_userapp($uid, $appid);
if (!$auth) {
header('HTTP/1.0 404 Not Found');
dbg_log("auth_generic - userapp not found for user/app: ".$uid." - ".$appid);
echo "<h4>404 Not Found.</h4>";
echo "<p>uid: ".$uid." appid: ".$appid;
exit(1);
}
dbg_log("auth record: ".$auth);
// Add our application identifier (informational)
$auth['appid'] = $appid;
// Return token to caller
$auth_json = json_encode($auth);
// Return token to caller
header('HTTP/1.0 200 OK');
header('Content-type: application/json');
echo $auth_json;
}
function login_generic($uid, $appid, $ccode) {
dbg_log("login_generic: ".$uid." - ".$appid." - ".$ccode);
$realm = 'MSE User Authentication';
// Token is static, no refresh required.
$auth = load_userapp($uid, $appid);
if (!$auth) {
header("WWW-Authenticate: Basic/MSE realm=$realm");
header("HTTP/1.0 401 Unauthorized");
dbg_log("login_generic - user not authorized for service: ".$uid." - ".$appid);
echo "<h4>login_generic - user not authorized for service: ".$uid." - ".$appid."</h4>";
exit(1);
}
$app = load_application($appid);
$relative_uri = "../../../".$app['remoteLoginUrl'];
$url = full_uri_from_relative($relative_uri);
//$url = base_uri().$app['remoteLoginUrl'];
$fields = array('token' => $auth['access_token'], 'code' => $ccode);
dbg_log(" - ".$url." - fields: ".json_encode($fields));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 1);
$response = exec_curl_log($ch);
//$response = curl_exec($ch);
$message = parse_response($ch, $response);
curl_close($ch);
dbg_log(" - response: ".json_encode($message));
}
// Don't think this is needed.
/*
function logout_generic() {
unset($_SESSION['access_token']);
}
*/
// Here to generate a generic access token.
function authurl_generic($appid, $redirect_uri) {
$app = load_application($appid);
$client_id = $app['clientId'];
// Example of relative url in config file: mse/qrc/php/oauth2/authorize
$relative_uri = "../../../".$app['authorizeUrl'];
$url = full_uri_from_relative($relative_uri)."?response_type=code&client_id=".$client_id."&redirect_uri=".$redirect_uri;
//$url = "../../../".$app['authorizeUrl']."?response_type=code&client_id=".$client_id."&redirect_uri=".$redirect_uri;
dbg_log("authurl_generic: ".$url);
return $url;
}
// Here to redeem an access code for an access token. We pass the redirect_uri only
// for validation - no redirect occurs.
function access_token_generic($appid, $code, $redirect_uri) {
dbg_log("access_token_generic(".$appid.", ".$code.", ".$redirect_uri);
global $client_id, $client_secret;
$app = load_application($appid);
$client_id = $app['clientId'];
$client_secret = $app['clientSecret'];
// Example of relative url in config file: mse/qrc/php/oauth2/token
$relative_uri = "../../../".$app['tokenUrl'];
$url = full_uri_from_relative($relative_uri)."?code=".$code."&grant_type=authorization_code";
$fields = array('client_id' => $client_id, 'client_secret' => $client_secret, 'redirect_uri' => $redirect_uri);
dbg_log(" - uri: ".$url);
dbg_log(" - fields: ".json_encode($fields));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 1);
$response = exec_curl_log($ch);
//$response = curl_exec($ch);
$message = parse_response($ch, $response);
curl_close($ch);
dbg_log("access_token_generic - POST (token) response: ".$message['http_status']);
dbg_log("body: ".$message['body']);
if ($message['http_status'] == 200) {
$token = json_decode($message['body'], true);
// TODO: add any additional fields here.
$token_json = json_encode($token);
dbg_log("token: ".$token_json);
return $token_json;
}
else {
dbg_log("error: ".$response);
}
return NULL;
}
?>
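Review bot: access_token_generic writes the client secret to the debug log — `dbg_log(" - fields: ".json_encode($fields));` serialises `$fields` including `client_secret`, and the function's opening `dbg_log` also records the authorization code — so the secret should be omitted or masked before logging, e.g. `dbg_log(" - fields: ".json_encode(['client_id' => $client_id, 'redirect_uri' => $redirect_uri]));`. The query strings built in authurl_generic and access_token_generic concatenate `$client_id`, `$redirect_uri` and `$code` raw; a redirect URI containing `?` or `&` corrupts the request, so build them with `http_build_query([...])` or `rawurlencode()` each value. In auth_generic, `dbg_log("auth record: ".$auth);` string-concatenates a value the next line indexes as an array, which prints the literal `Array` with a notice; `json_encode($auth)`, as used a few lines further down, gives the intended output. The `$uid` and `$appid` values echoed into HTML in the 404 and 401 branches are not escaped — if they originate from the request, pass them through `htmlspecialchars()`. The usps listing that follows has the same logging, concatenation and `Array` points.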
<?php
/*
Here to get an access token. This communicates with our mockup oauth2 service.
User must have previously authenticated with oauth2 service through the MSE user portal. The access
token is valid until revoked (no refresh token)
Called from xxxxxx/php/login_token.php
*/
function auth_generic($uid, $appid) {
// Token is static, no refresh required.
$auth = load_userapp($uid, $appid);
if (!$auth) {
header('HTTP/1.0 404 Not Found');
dbg_log("auth_usps - userapp not found for user/app: ".$uid." - ".$appid);
echo "<h4>404 Not Found.</h4>";
echo "<p>uid: ".$uid." appid: ".$appid;
exit(1);
}
dbg_log("auth record: ".$auth);
// Add our application identifier (informational)
$auth['appid'] = $appid;
// Return token to caller
$auth_json = json_encode($auth);
// Return token to caller
header('HTTP/1.0 200 OK');
header('Content-type: application/json');
echo $auth_json;
}
function login_generic($uid, $appid, $ccode) {
dbg_log("login_generic: ".$uid." - ".$appid." - ".$ccode);
$realm = 'MSE User Authentication';
// Token is static, no refresh required.
$auth = load_userapp($uid, $appid);
if (!$auth) {
header("WWW-Authenticate: Basic/MSE realm=$realm");
header("HTTP/1.0 401 Unauthorized");
dbg_log("login_generic - user not authorized for service: ".$uid." - ".$appid);
echo "<h4>login_generic - user not authorized for service: ".$uid." - ".$appid."</h4>";
exit(1);
}
$app = load_application($appid);
$url = base_uri().$app['remoteLoginUrl'];
$fields = array('token' => $auth['access_token'], 'code' => $ccode);
dbg_log(" - ".$url." - fields: ".json_encode($fields));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 1);
$response = exec_curl_log($ch);
//$response = curl_exec($ch);
$message = parse_response($ch, $response);
curl_close($ch);
dbg_log(" - response: ".json_encode($message));
}
// Don't think this is needed.
/*
function logout_usps() {
unset($_SESSION['access_token']);
}
*/
// Here to generate a USPS access token.
function authurl_usps($appid, $redirect_uri) {
$app = load_application($appid);
$client_id = $app['clientId'];
// FIX THIS - Make Relative
//$url = base_uri()."/mse/test/usps/php/oauth2/authorize?response_type=code&client_id=".$client_id."&redirect_uri=".$redirect_uri;
$url = base_uri()."/atg/mse/usps/php/oauth2/authorize?response_type=code&client_id=".$client_id."&redirect_uri=".$redirect_uri;
dbg_log("authurl_usps: ".$url);
return $url;
}
/*
function parse_response($ch,$response) {
$result = array();
$header_size = curl_getinfo($ch,CURLINFO_HEADER_SIZE);
$result['header'] = substr($response, 0, $header_size);
$result['body'] = substr( $response, $header_size );
$result['http_status'] = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$result['last_url'] = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
return $result;
}
*/
/*
// This is only used for debugging (commented out below)
function exec_curl_log($ch) {
if (!isset($_SESSION['request_num'])) {
$_SESSION['request_num'] = 0;
}
$log_dir = dirname(__FILE__).'/log';
if (!file_exists($log_dir)) {
mkdir($log_dir, 0777, true);
}
$f = fopen($log_dir.'/request_'.$_SESSION['request_num'].'.txt', 'w');
curl_setopt_array($ch, array(
//CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_FOLLOWLOCATION => 1,
CURLOPT_VERBOSE => 1,
CURLOPT_STDERR => $f,
));
$response = curl_exec($ch);
fclose($f);
$_SESSION['request_num'] = $_SESSION['request_num']+1;
return $response;
}
*/
// Here to redeem an access code for an access token. We pass the redirect_uri only
// for validation - no redirect occurs.
function access_token_usps($appid, $code, $redirect_uri) {
dbg_log("access_token_usps(".$appid.", ".$code.", ".$redirect_uri);
global $client_id, $client_secret;
$app = load_application($appid);
$client_id = $app['clientId'];
$client_secret = $app['clientSecret'];
// FIX THIS - Make relative
$url = base_uri()."/atg/mse/usps/php/oauth2/token?code=".$code."&grant_type=authorization_code";
$fields = array('client_id' => $client_id, 'client_secret' => $client_secret, 'redirect_uri' => $redirect_uri);
dbg_log(" - uri: ".$url);
dbg_log(" - fields: ".json_encode($fields));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 1);
$response = exec_curl_log($ch);
//$response = curl_exec($ch);
$message = parse_response($ch, $response);
curl_close($ch);
dbg_log("access_token_usps - POST (token) response: ".$message['http_status']);
dbg_log("body: ".$message['body']);
if ($message['http_status'] == 200) {
$token = json_decode($message['body'], true);
// TODO: add any additional fields here.
$token_json = json_encode($token);
dbg_log("token: ".$token_json);
return $token_json;
}
else {
dbg_log("error: ".$response);
}
return NULL;
}
/*
function base_uri() {
$protocol = 'http://';
if (isset($_SERVER['HTTPS'])
&& ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1)
|| isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
{
$protocol = 'https://';
}
return $protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
}
*/
?>
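Review bot: This listing defines `auth_generic` and `login_generic` next to the `*_usps` functions; if it is auth_usps.php, as the usps-named functions and the `require 'auth_usps.php'` line suggest, loading it together with auth_generic.php (which defines the same two functions) fails with a fatal "Cannot redeclare function" error. Those two functions appear to belong only in auth_generic.php, and the usps file should keep its own `auth_usps` / `login_usps` names. The message inside this `auth_generic` still reads `auth_usps - userapp not found`, which looks like a partial rename. The `// FIX THIS - Make Relative` URLs in authurl_usps and access_token_usps are still absolute while auth_generic.php already uses `full_uri_from_relative`, so the two files now build their endpoint URLs differently.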
......@@ -23,7 +23,7 @@
// Ensure directory exists for user cookies
if (!file_exists($mse_cookie_dir)) {
mkdir($mse_cookie_dir, 0777, true);
create_dir($mse_cookie_dir);
}
// required by all subsequent time() calls
......@@ -278,6 +278,11 @@
function login($username, $password) {
$user = fetch_user($username, $password);
if ($user) {
create_dir(dirname(__FILE__).'/log');
create_dir(dirname(__FILE__).'/cookies');
create_dir(dirname(__FILE__).'/userapps/'.$username);
$token = array();
//set_user_cookie($username, $user['duration'], $token);
set_user_cookie($user, $token);
......@@ -286,7 +291,7 @@
purge_aged_cookies();
return true;
}
auth_log("Login Failed");
auth_log("Login Failed: ".$username."/".$password);
return false;
}
......@@ -481,10 +486,7 @@
else {
$dir = dirname(__FILE__).'/userapps/'.$uid;
// 2014/10/9
if (!file_exists($dir)) {
mkdir($dir, 0777, true);
}
//create_dir($dir);
$file = $dir.'/'.$appid.'_auth.json'; // eg. ./userapps/fred/drive_auth.json
$json = json_encode($auth);
......@@ -553,4 +555,17 @@
return $response;
}
function create_dir($dir) {
try {
if (!file_exists($dir)) {
dbg_log("create_dir: ".$dir);
$oldmask = umask(0);
mkdir($dir, 0777, true);
umask($oldmask);
}
}
catch(Exception $e) {}
}
?>
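Review bot: The changed line in `login`, `auth_log("Login Failed: ".$username."/".$password);`, writes the submitted password in clear text to the auth log, where it persists for every mistyped attempt; log the username only, `auth_log("Login Failed: ".$username);`. In the new `create_dir`, `catch(Exception $e) {}` never triggers because `mkdir` reports failure by returning false with a warning rather than by throwing, so a failed creation goes unnoticed — check the return value and log it instead. The `umask(0)` plus `0777` makes every directory created this way (cookies, userapps, log) world-writable, where a mode restricted to the web-server user is enough; the same try/catch and umask pattern is repeated inline around `$log_dir` in the utility-file hunk later in this commit. The userapps hunk keeps its inline `mkdir` with `//create_dir($dir);` commented out, so that path does not go through the new helper.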
......@@ -20,6 +20,7 @@
require 'auth_google.php';
require 'auth_dropbox.php';
require 'auth_usps.php';
require 'auth_generic.php';
if (isset($_GET['reset'])) {
......@@ -50,7 +51,7 @@
auth_init_portal();
// Only a prototype - a real app would have a DB with SP records..
$spLabels = array("google" => "Google", "dropbox" => "DropBox", "youtube" => "YouTube", "cablelabs" => "CableLabs", "usps" => "USPS");
$spLabels = array("generic" => "Generic", "google" => "Google", "dropbox" => "DropBox", "youtube" => "YouTube", "cablelabs" => "CableLabs", "usps" => "USPS");
// Constants
$realm = 'MSE User Portal Authentication';
......@@ -241,6 +242,9 @@
else if ($_SESSION['serviceProvider'] == 'usps') {
$access_token = access_token_usps($_SESSION['appid'], $_GET['code'], location_uri());
}
else if ($_SESSION['serviceProvider'] == 'generic') {
$access_token = access_token_generic($_SESSION['appid'], $_GET['code'], location_uri());
}
dbg_log("access_token: ".$access_token);
......@@ -286,7 +290,7 @@
<script type="text/javascript" src="https://code.jquery.com/jquery-1.8.2.min.js"></script>
<script type="text/javascript" src="../../../sdom/js/xhr.js" ></script>
<script type="text/javascript" src="../../html/js/url.js" ></script>
<script type="text/javascript" src="../../js/url.js" ></script>
<script type="text/javascript" src="user_portal.js" ></script>
<link href='https://fonts.googleapis.com/css?family=Paprika' rel='stylesheet' type='text/css'>
......@@ -702,6 +706,14 @@ function enable_app($appid) {
header('HTTP/1.0 200 OK'); // should this be here?
header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
}
else if ($app['serviceProvider'] == 'generic') {
// Generate authorization url
$auth_url = authurl_generic($appid, location_uri());
// And redirect user to generic service provider
dbg_log("200 - enable_app - redirecting to (generic): ".$appid);
header('HTTP/1.0 200 OK'); // should this be here?
header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
}
exit(0);
}
else if ($app['authType'] == 'saml') {
......@@ -765,6 +777,8 @@ function app_logout_url($appid) {
if (isset($applist[$appid])) {
$app = $applist[$appid];
$sp = $app['serviceProvider'];
// TODO: These urls should come from the auth_xxxx.php. In the case of auth_generic, should come from config (.json) file.
if ($sp == 'dropbox') {
// TODO: check auth type and handle SAML differently.
$url = "https://dropbox.com/logout";
......@@ -775,6 +789,9 @@ function app_logout_url($appid) {
else if ($sp == 'usps') {
$url = "/atg/mse/usps/php/logout.php";
}
else if ($sp == 'generic') {
//$url = "/atg/mse/usps/php/logout.php";
}
else {
// add other service provider logouts
}
......
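Review bot: The new `generic` branch in `app_logout_url` assigns nothing (its only statement is commented out), so `$url` keeps whatever value it held before the chain — possibly none — and the caller receives an undefined value; the TODO says it should come from the app's config entry, e.g. `$url = $app['<logout-url-key>'];` (placeholder; the key name is not on the page). `app_logout_url` ends outside the hunk. In `enable_app`, the generic branch is a verbatim copy of the usps branch above it except for the `authurl_*` call; selecting the `authurl_` function by service provider would avoid a third copy. The `$_SESSION['serviceProvider'] == 'generic'` comparison uses `==`; `===` keeps the string comparison predictable.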
......@@ -2,6 +2,7 @@
if [ ! -f ../mse/tools/upload_config ]; then
echo " - Please clone mse repository into sibling directory of $PWD"
echo " - Then edit mse/tools/upload_config for your site settings"
exit 0
fi
......@@ -11,15 +12,18 @@ echo " "
echo " * Uploading ${PWD##*/} repository contents to: $REPO_HOST:$REPO_DEST"
echo " "
rsync --recursive \
chmod a+w .
chmod a+w ./auth
rsync --recursive --perms \
--exclude '*~*' \
--exclude '*.log' \
--exclude '*_auth.json' \
--exclude 'userapps' \
--exclude 'cookies' \
--exclude 'log' \
--exclude 'auth/userapps' \
--exclude 'auth/cookies' \
--exclude 'auth/log' \
--exclude 'upload' \
--exclude 'MSE_AUTHORIZED*' \
* $REPO_USERHOST:$REPO_DEST
* $REPO_USERHOST$REPO_SEP$REPO_DEST
check_rcode $?
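Review bot: `chmod a+w .` and `chmod a+w ./auth`, combined with the new `--perms` flag, push world-writable permissions for the whole tree and the auth directory to the deployment host, which lets any local account there alter the PHP that handles credentials and tokens. The directories PHP actually writes to (`auth/userapps`, `auth/cookies`, `auth/log`) are excluded from the upload anyway, so write access is better granted on the server to the web-server user for just those paths and the two `chmod` lines dropped. The `exit 0` added for the missing `upload_config` case reports success to any calling script; `exit 1` is the conventional failure code.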
......@@ -8,9 +8,15 @@
//$log_dir = base_uri().'/log';
// Ensure directory exists for user cookies
if (!file_exists($log_dir)) {
mkdir($log_dir, 0777, true);
try {
if (!file_exists($log_dir)) {
$oldmask = umask(0);
mkdir($log_dir, 0777, true);
umask($oldmask);
}
}
catch(Exception $e) {}
$log_file = $log_dir."/php.log";
$time = @date('Y-M-d H:i:s - ');
......@@ -43,6 +49,12 @@
return $protocol.$_SERVER['HTTP_HOST'];
}
// Gag this is awful. Just need to generate a full url knowing the current request uri and the relative suffix.
function full_uri_from_relative($relative_uri) {
$parent_dir = dirname(dirname(base_uri().$_SERVER['REQUEST_URI']));
return $parent_dir.$relative_uri;
}
function remote_ipaddress() {
$ip = getenv('HTTP_CLIENT_IP')?:
getenv('HTTP_X_FORWARDED_FOR')?:
......
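Review bot: `full_uri_from_relative` joins `$parent_dir` and `$relative_uri` with no separator, and both callers in auth_generic.php pass `"../../../".$app[...]` without a leading slash, so the result reads like `http://host/a/b../../../mse/...` and only resolves because cURL squashes dot segments; `return $parent_dir.'/'.$relative_uri;` at least makes the intent explicit. The base is also derived from `HTTP_HOST` (via `base_uri`) and `REQUEST_URI`, both taken from the incoming request, so the host that the token and remote-login POSTs are sent to is not pinned by configuration; a configured base URL for the OAuth endpoints would remove that dependency. The `// Gag this is awful.` comment could then go with it.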