* * All rights reserved * * This script is part of the TYPO3 project. The TYPO3 project is * free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * The GNU General Public License can be found at * http://www.gnu.org/copyleft/gpl.html. * * This script is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * This copyright notice MUST APPEAR in all copies of the script! ***************************************************************/ use TYPO3\CMS\Core\Utility\GeneralUtility; use TYPO3\CMS\Extbase\Mvc\Controller\ActionController; use \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility; /** * Controller for the Member object */ class SsoController extends ActionController { /** * Compare if signed data matches given signature. * * @param string $data Signed data to be compared with. * @param string $sig Signature to be compared with. * * @return boolean */ private function _hashsAreEqual($data, $sig) { if ($data === null || $sig === null || is_string($data) === false || is_string($sig) === false) { return false; } if (strlen($data) !== strlen($sig)) { return false; } if (strcmp($data, $sig) === 0) { return true; } return false; }//end _hashsAreEqual() /** * Authenticate action. * * @return string */ public function authenticateAction() { $extKey = 'dj_discourse_sso'; /** @var \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility $configurationUtility */ $configurationUtility = $this->objectManager->get(ConfigurationUtility::class); $extensionConfiguration = $configurationUtility->getCurrentConfiguration($extKey); // GeneralUtility::devLog('authenticateAction-0', $extKey, 0, array('extKey' => $extKey)); // GeneralUtility::devLog('authenticateAction-1', $extKey, 0, array('config' => $extensionConfiguration)); // Check mandatory settings. if (is_array($extensionConfiguration['redirect_url']) === false) { $errorText = '
ERROR! ' .'You should not see this message!
' .'Could not find extension configuration for parameter redirect_url! ' .'Please configure the plugin.'; return $errorText; } else { $redirectUrlRoot = $extensionConfiguration['redirect_url']['value']; } if (is_array($extensionConfiguration['shared_key']) === false) { $errorText = '
ERROR! ' .'You should not see this message!
' .'Could not find extension configuration for parameter shared_key! ' .'Please configure the plugin.'; return $errorText; } else { $sharedKey = $extensionConfiguration['shared_key']['value']; } // Set redirect status. $redirectStatus = false; if (is_array($extensionConfiguration['redirect_status']) === true) { $redirectStatus = intval($extensionConfiguration['redirect_status']['value']); } if ($redirectStatus === false || ($redirectStatus < 300 || $redirectStatus > 308)) { // Set default. $redirectStatus = 303; } $sso = urldecode(GeneralUtility::_GP('sso')); $sig = GeneralUtility::_GP('sig'); $hmac = hash_hmac('sha256', $sso, $sharedKey); if ($this->_hashsAreEqual($hmac, $sig) === false) { GeneralUtility::devLog('authenticateAction bad request', $extKey, 2, array('sso' => $sso, 'sig' => $sig, 'expected sig' => $hmac)); header('HTTP/1.1 403 Forbidden'); $this->throwStatus(403, 'Bad SSO request'); } else { // Valid $sso string available, convert it. parse_str(base64_decode($sso), $receivedPayload); // GeneralUtility::devLog('authenticateAction valid sso request', $extKey, 0, array('payload' => $receivedPayload)); $user = null; if (isset($GLOBALS['TSFE']) === true && isset($GLOBALS['TSFE']->fe_user) === true && isset($GLOBALS['TSFE']->fe_user->user) === true ) { $user = $GLOBALS['TSFE']->fe_user->user; } if (is_array($user) === true) { $userId = $user['uid']; $userEmail = $user['email']; $userName = $user['username']; $name = $user['name']; $nonce = $receivedPayload['nonce']; $parameters = array( 'nonce' => $nonce, 'external_id' => $userId, 'email' => $userEmail, 'username' => $userName, 'name' => $name, ); $payload = base64_encode(http_build_query($parameters)); $signature = hash_hmac('sha256', $payload, $sharedKey); $query = http_build_query(array('sso' => $payload, 'sig' => $signature)); $redirectUrl = $redirectUrlRoot.'/session/sso_login?'.$query; // GeneralUtility::devLog('authenticateAction successful, redirecting', $extKey, 0, array('redirectUrl' => $redirectUrl, 'status' => $redirectStatus, 'payload' => $payload, 'parameter' => $parameters)); $this->redirectToUri($redirectUrl, 0, $redirectStatus); } else { // No user logged in. // Wrong setup! This plugin should be enabled only, if a user login exists. $errorText = '
ERROR! ' .'You should not see this message!
' .'This plugin should be made available only, if a Frontend User is logged in.
' .'Please change this in the setup of this content element.'; GeneralUtility::devLog('authenticateAction bad configuration', $extKey, 2, array('error' => $errorText)); return $errorText; }//end if }//end if }//end authenticateAction() }