dj_discourse_sso/Classes/Controller/SsoController.php

<?php
namespace Jahnke\DjDiscourseSso\Controller;

/***************************************************************
 *  Copyright notice
 *
 *  (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>
 *
 *  All rights reserved
 *
 *  This script is part of the TYPO3 project. The TYPO3 project is
 *  free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  The GNU General Public License can be found at
 *  http://www.gnu.org/copyleft/gpl.html.
 *
 *  This script is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  This copyright notice MUST APPEAR in all copies of the script!
 ***************************************************************/

use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility;

/**
 * Controller for the Member object
 */
class SsoController extends ActionController
{


    /**
     * Compare if signed data matches given signature.
     *
     * @param string $data Signed data to be compared with.
     * @param string $sig  Signature to be compared with.
     *
     * @return boolean
     */
    private function _hashsAreEqual($data, $sig)
    {
        if ($data === null || $sig === null || is_string($data) === false || is_string($sig) === false) {
            return false;
        }

        if (strlen($data) !== strlen($sig)) {
            return false;
        }

        if (strcmp($data, $sig) === 0) {
            return true;
        }

        return false;

    }//end _hashsAreEqual()


    /**
     * Authenticate action.
     *
     * @return string
     */
    public function authenticateAction()
    {
        $extKey = $_EXTKEY; //'dj_discourse_sso';

        /** @var \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility $configurationUtility */
        $configurationUtility   = $this->objectManager->get(ConfigurationUtility::class);
        $extensionConfiguration = $configurationUtility->getCurrentConfiguration($extKey);

        GeneralUtility::devLog('authenticateAction-0', $extKey, 0, array('extKey' => $extKey));
        GeneralUtility::devLog('authenticateAction-1', $extKey, 0, array('config' => $extensionConfiguration));
        // Check mandatory settings.
        if (isset($extensionConfiguration['redirect_url']) === false) {
            $errorText = '<div><b>ERROR!</b> '
                .'You should not see this message!<br />'
                .'Could not find extension configuration for parameter redirect_url! '
                .'Please configure the plugin.';
            return $errorText;
        } else {
            $redirectUrlRoot = $extensionConfiguration['redirect_url'];
        }

        if (isset($extensionConfiguration['shared_key']) === false) {
            $errorText = '<div><b>ERROR!</b> '
                .'You should not see this message!<br />'
                .'Could not find extension configuration for parameter shared_key! '
                .'Please configure the plugin.';
            return $errorText;
        } else {
            $sharedKey = $extensionConfiguration['shared_key'];
        }

        // Set some defaults.
        if (isset($extensionConfiguration['redirect_status']) === true) {
            $redirectStatus = $extensionConfiguration['redirect_status'];
        }

        if ($redirectStatus === false || ($redirectStatus < 300 || $redirectStatus > 308)) {
            // Set default.
            $redirectStatus = 303;
        }

        $sso  = urldecode(GeneralUtility::_GP('sso'));
        $sig  = GeneralUtility::_GP('sig');
        $hmac = hash_hmac('sha256', $sso, $sharedKey);
        if ($this->_hashsAreEqual($hmac, $sig) === false) {
            GeneralUtility::devLog('authenticateAction bad request', $extKey, 0, array('sso' => $sso, 'sig' => $sig, 'hmac' => $hmac));
            header('HTTP/1.1 403 Forbidden');
            $this->throwStatus(403, 'Bad SSO request');
        } else {
            // Valid $sso string available, convert it.
            parse_str(base64_decode($sso), $receivedPayload);
            $user = null;
            if (isset($GLOBALS['TSFE']) === true
                && isset($GLOBALS['TSFE']->fe_user) === true
                && isset($GLOBALS['TSFE']->fe_user->user) === true
            ) {
                $user = $GLOBALS['TSFE']->fe_user->user;
            }

            if (isset($user) === true) {
                $userId      = $user['uid'];
                $userEmail   = $user['email'];
                $userName    = $user['username'];
                $name        = $user['name'];
                $nonce       = $receivedPayload['nonce'];
                $parameters  = array(
                                'nonce'       => $nonce,
                                'external_id' => $userId,
                                'email'       => $userEmail,
                                'username'    => $userName,
                                'name'        => $name,
                               );
                $payload     = base64_encode(http_build_query($parameters));
                $signature   = hash_hmac('sha256', $payload, $this->settings['discourse_sso_shared_key']);
                $query       = http_build_query(array('sso' => $payload, 'sig' => $signature));
                $redirectUrl = $redirectUrlRoot.'/session/sso_login?'.$query;
                GeneralUtility::devLog('authenticateAction successful, redirecting', $extKey, 0, array('redirectUrl' => $redirectUrl, 'status' => $redirectStatus));
                $this->redirectToUri($redirectUrl, 0, $redirectStatus);
            } else {
                // No user logged in.
                // Wrong setup! This plugin should be enabled only, if a user login exists.
                $errorText = '<div><b>ERROR!</b> '
                    .'You should not see this message!<br />'
                    .'This plugin should be made available only, if a Frontend User is logged in.<br />'
                    .'Please change this in the setup of this content element.';
                GeneralUtility::devLog('authenticateAction bad configuration', $extKey, 0, array('error' => $errorText));
                return $errorText;
            }//end if
        }//end if

    }//end authenticateAction()


}
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`<?php`
Fixed namespace. 2016-10-04 15:39:48 +00:00			`namespace Jahnke\DjDiscourseSso\Controller;`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00
			`/***************************************************************`
			`* Copyright notice`
			`*`
			`* (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>`
			`*`
			`* All rights reserved`
			`*`
			`* This script is part of the TYPO3 project. The TYPO3 project is`
			`* free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* The GNU General Public License can be found at`
			`* http://www.gnu.org/copyleft/gpl.html.`
			`*`
			`* This script is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* This copyright notice MUST APPEAR in all copies of the script!`
			`***************************************************************/`

			`use TYPO3\CMS\Core\Utility\GeneralUtility;`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;`
			`use \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility;`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00
			`/**`
			`* Controller for the Member object`
			`*/`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`class SsoController extends ActionController`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`{`
First version, ready for tests. 2016-10-04 14:25:18 +00:00

			`/**`
			`* Compare if signed data matches given signature.`
			`*`
			`* @param string $data Signed data to be compared with.`
			`* @param string $sig Signature to be compared with.`
			`*`
			`* @return boolean`
			`*/`
			`private function _hashsAreEqual($data, $sig)`
			`{`
			`if ($data === null \|\| $sig === null \|\| is_string($data) === false \|\| is_string($sig) === false) {`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`return false;`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`}`

			`if (strlen($data) !== strlen($sig)) {`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`return false;`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`}`

			`if (strcmp($data, $sig) === 0) {`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`return true;`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`}`

First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`return false;`
First version, ready for tests. 2016-10-04 14:25:18 +00:00
			`}//end _hashsAreEqual()`

First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00
			`/**`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`* Authenticate action.`
			`*`
			`* @return string`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`*/`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`public function authenticateAction()`
			`{`
Fixed namespace. 2016-10-04 15:39:48 +00:00			`$extKey = $_EXTKEY; //'dj_discourse_sso';`
Added some debugging output to debugLog. 2016-10-04 15:04:52 +00:00
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`/** @var \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility $configurationUtility */`
Changed configuration utility to be accessed in method instead by automatic dependency injection (as this seems not to be possible) 2016-10-04 15:45:37 +00:00			`$configurationUtility = $this->objectManager->get(ConfigurationUtility::class);`
			`$extensionConfiguration = $configurationUtility->getCurrentConfiguration($extKey);`
First version, ready for tests. 2016-10-04 14:25:18 +00:00
Added debug statement. 2016-10-04 18:27:33 +00:00			`GeneralUtility::devLog('authenticateAction-0', $extKey, 0, array('extKey' => $extKey));`
			`GeneralUtility::devLog('authenticateAction-1', $extKey, 0, array('config' => $extensionConfiguration));`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`// Check mandatory settings.`
			`if (isset($extensionConfiguration['redirect_url']) === false) {`
			`$errorText = '<div><b>ERROR!</b> '`
			`.'You should not see this message!<br />'`
Added debug statement. 2016-10-04 18:27:33 +00:00			`.'Could not find extension configuration for parameter redirect_url! '`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`.'Please configure the plugin.';`
			`return $errorText;`
			`} else {`
			`$redirectUrlRoot = $extensionConfiguration['redirect_url'];`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`}`
First version, ready for tests. 2016-10-04 14:25:18 +00:00
			`if (isset($extensionConfiguration['shared_key']) === false) {`
			`$errorText = '<div><b>ERROR!</b> '`
			`.'You should not see this message!<br />'`
Added debug statement. 2016-10-04 18:27:33 +00:00			`.'Could not find extension configuration for parameter shared_key! '`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`.'Please configure the plugin.';`
			`return $errorText;`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`} else {`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`$sharedKey = $extensionConfiguration['shared_key'];`
			`}`

			`// Set some defaults.`
			`if (isset($extensionConfiguration['redirect_status']) === true) {`
			`$redirectStatus = $extensionConfiguration['redirect_status'];`
			`}`

			`if ($redirectStatus === false \|\| ($redirectStatus < 300 \|\| $redirectStatus > 308)) {`
			`// Set default.`
			`$redirectStatus = 303;`
First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`}`
First version, ready for tests. 2016-10-04 14:25:18 +00:00
Added some debugging output to debugLog. 2016-10-04 15:04:52 +00:00			`$sso = urldecode(GeneralUtility::_GP('sso'));`
			`$sig = GeneralUtility::_GP('sig');`
			`$hmac = hash_hmac('sha256', $sso, $sharedKey);`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`if ($this->_hashsAreEqual($hmac, $sig) === false) {`
Added some debugging output to debugLog. 2016-10-04 15:04:52 +00:00			`GeneralUtility::devLog('authenticateAction bad request', $extKey, 0, array('sso' => $sso, 'sig' => $sig, 'hmac' => $hmac));`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`header('HTTP/1.1 403 Forbidden');`
			`$this->throwStatus(403, 'Bad SSO request');`
			`} else {`
			`// Valid $sso string available, convert it.`
			`parse_str(base64_decode($sso), $receivedPayload);`
			`$user = null;`
			`if (isset($GLOBALS['TSFE']) === true`
			`&& isset($GLOBALS['TSFE']->fe_user) === true`
			`&& isset($GLOBALS['TSFE']->fe_user->user) === true`
			`) {`
			`$user = $GLOBALS['TSFE']->fe_user->user;`
			`}`

			`if (isset($user) === true) {`
			`$userId = $user['uid'];`
			`$userEmail = $user['email'];`
			`$userName = $user['username'];`
			`$name = $user['name'];`
			`$nonce = $receivedPayload['nonce'];`
			`$parameters = array(`
			`'nonce' => $nonce,`
			`'external_id' => $userId,`
			`'email' => $userEmail,`
			`'username' => $userName,`
			`'name' => $name,`
			`);`
			`$payload = base64_encode(http_build_query($parameters));`
			`$signature = hash_hmac('sha256', $payload, $this->settings['discourse_sso_shared_key']);`
			`$query = http_build_query(array('sso' => $payload, 'sig' => $signature));`
			`$redirectUrl = $redirectUrlRoot.'/session/sso_login?'.$query;`
Added some debugging output to debugLog. 2016-10-04 15:04:52 +00:00			`GeneralUtility::devLog('authenticateAction successful, redirecting', $extKey, 0, array('redirectUrl' => $redirectUrl, 'status' => $redirectStatus));`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`$this->redirectToUri($redirectUrl, 0, $redirectStatus);`
			`} else {`
			`// No user logged in.`
			`// Wrong setup! This plugin should be enabled only, if a user login exists.`
			`$errorText = '<div><b>ERROR!</b> '`
			`.'You should not see this message!<br />'`
			`.'This plugin should be made available only, if a Frontend User is logged in.<br />'`
			`.'Please change this in the setup of this content element.';`
Added some debugging output to debugLog. 2016-10-04 15:04:52 +00:00			`GeneralUtility::devLog('authenticateAction bad configuration', $extKey, 0, array('error' => $errorText));`
First version, ready for tests. 2016-10-04 14:25:18 +00:00			`return $errorText;`
			`}//end if`
			`}//end if`

			`}//end authenticateAction()`


First revision of purse SSO without additional features 2016-09-22 18:41:57 +00:00			`}`