dj_discourse_sso/Classes/Controller/SsoController.php

176 lines
7.4 KiB
PHP
Raw Permalink Normal View History

<?php
2016-10-04 15:39:48 +00:00
namespace Jahnke\DjDiscourseSso\Controller;
/***************************************************************
* Copyright notice
*
* (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>
*
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
use TYPO3\CMS\Core\Utility\GeneralUtility;
2016-10-04 14:25:18 +00:00
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility;
/**
* Controller for the Member object
*/
2016-10-04 14:25:18 +00:00
class SsoController extends ActionController
{
2016-10-04 14:25:18 +00:00
/**
* Compare if signed data matches given signature.
*
* @param string $data Signed data to be compared with.
* @param string $sig Signature to be compared with.
*
* @return boolean
*/
private function _hashsAreEqual($data, $sig)
{
if ($data === null || $sig === null || is_string($data) === false || is_string($sig) === false) {
return false;
2016-10-04 14:25:18 +00:00
}
if (strlen($data) !== strlen($sig)) {
return false;
2016-10-04 14:25:18 +00:00
}
if (strcmp($data, $sig) === 0) {
return true;
2016-10-04 14:25:18 +00:00
}
return false;
2016-10-04 14:25:18 +00:00
}//end _hashsAreEqual()
/**
2016-10-04 14:25:18 +00:00
* Authenticate action.
*
* @return string
*/
2016-10-04 14:25:18 +00:00
public function authenticateAction()
{
$extKey = 'dj_discourse_sso';
2016-10-04 14:25:18 +00:00
/** @var \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility $configurationUtility */
$configurationUtility = $this->objectManager->get(ConfigurationUtility::class);
$extensionConfiguration = $configurationUtility->getCurrentConfiguration($extKey);
2016-10-04 14:25:18 +00:00
// GeneralUtility::devLog('authenticateAction-0', $extKey, 0, array('extKey' => $extKey));
// GeneralUtility::devLog('authenticateAction-1', $extKey, 0, array('config' => $extensionConfiguration));
2016-10-04 14:25:18 +00:00
// Check mandatory settings.
if (is_array($extensionConfiguration['redirect_url']) === false) {
2016-10-04 14:25:18 +00:00
$errorText = '<div><b>ERROR!</b> '
.'You should not see this message!<br />'
2016-10-04 18:27:33 +00:00
.'Could not find extension configuration for parameter redirect_url! '
2016-10-04 14:25:18 +00:00
.'Please configure the plugin.';
return $errorText;
} else {
$redirectUrlRoot = $extensionConfiguration['redirect_url']['value'];
}
2016-10-04 14:25:18 +00:00
if (is_array($extensionConfiguration['shared_key']) === false) {
2016-10-04 14:25:18 +00:00
$errorText = '<div><b>ERROR!</b> '
.'You should not see this message!<br />'
2016-10-04 18:27:33 +00:00
.'Could not find extension configuration for parameter shared_key! '
2016-10-04 14:25:18 +00:00
.'Please configure the plugin.';
return $errorText;
} else {
$sharedKey = $extensionConfiguration['shared_key']['value'];
2016-10-04 14:25:18 +00:00
}
// Set redirect status.
$redirectStatus = false;
if (is_array($extensionConfiguration['redirect_status']) === true) {
$redirectStatus = intval($extensionConfiguration['redirect_status']['value']);
2016-10-04 14:25:18 +00:00
}
if ($redirectStatus === false || ($redirectStatus < 300 || $redirectStatus > 308)) {
// Set default.
$redirectStatus = 303;
}
2016-10-04 14:25:18 +00:00
$sso = urldecode(GeneralUtility::_GP('sso'));
$sig = GeneralUtility::_GP('sig');
$hmac = hash_hmac('sha256', $sso, $sharedKey);
2016-10-04 14:25:18 +00:00
if ($this->_hashsAreEqual($hmac, $sig) === false) {
GeneralUtility::devLog('authenticateAction bad request', $extKey, 2, array('sso' => $sso, 'sig' => $sig, 'expected sig' => $hmac));
2016-10-04 14:25:18 +00:00
header('HTTP/1.1 403 Forbidden');
$this->throwStatus(403, 'Bad SSO request');
} else {
// Valid $sso string available, convert it.
parse_str(base64_decode($sso), $receivedPayload);
// Identify server entry in configuration.
$returnSsoUrl = $receivedPayload['return_sso_url'];
// GeneralUtility::devLog('authenticateAction valid sso request', $extKey, 0, array('payload' => $receivedPayload));
2016-10-04 14:25:18 +00:00
$user = null;
if (isset($GLOBALS['TSFE']) === true
&& isset($GLOBALS['TSFE']->fe_user) === true
&& isset($GLOBALS['TSFE']->fe_user->user) === true
) {
$user = $GLOBALS['TSFE']->fe_user->user;
}
if (is_array($user) === true) {
if (is_null($user['email']) || strlen($user['email']) < 4) {
$errorText = '<div><b>ERROR!</b><br>' .
'You did not enter your email address to your personal properties.<br>' .
'The forum cannot be used without a valid email address.<br>';
GeneralUtility::devLog('authenticateAction: email address not available', $extKey, 2, array('error' => $errorText));
return $errorText;
}
2016-10-04 14:25:18 +00:00
$userId = $user['uid'];
$userEmail = $user['email'];
$userName = $user['username'];
$name = $user['name'];
$nonce = $receivedPayload['nonce'];
$parameters = array(
'nonce' => $nonce,
'external_id' => $userId,
'email' => $userEmail,
'username' => $userName,
'name' => $name,
);
$payload = base64_encode(http_build_query($parameters));
$signature = hash_hmac('sha256', $payload, $sharedKey);
2016-10-04 14:25:18 +00:00
$query = http_build_query(array('sso' => $payload, 'sig' => $signature));
$redirectUrl = $returnSsoUrl.'?'.$query;
// GeneralUtility::devLog('authenticateAction successful, redirecting', $extKey, 0, array('redirectUrl' => $redirectUrl, 'status' => $redirectStatus, 'payload' => $payload, 'parameter' => $parameters));
2016-10-04 14:25:18 +00:00
$this->redirectToUri($redirectUrl, 0, $redirectStatus);
} else {
// No user logged in.
// Wrong setup! This plugin should be enabled only, if a user login exists.
$errorText = '<div><b>ERROR!</b> '
.'You should not see this message!<br />'
.'This plugin should be made available only, if a Frontend User is logged in.<br />'
.'Please change this in the setup of this content element.';
GeneralUtility::devLog('authenticateAction: bad configuration', $extKey, 2, array('error' => $errorText));
2016-10-04 14:25:18 +00:00
return $errorText;
}//end if
}//end if
return '<div><b>Internal Error!</b><br>Unreachable code.</div>';
2016-10-04 14:25:18 +00:00
}//end authenticateAction()
}