<?php
namespace Jahnke\DjDiscourseSso\Controller;
/***************************************************************
* Copyright notice
*
* (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>
*
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility;
/**
* Controller for the Member object
*/
class SsoController extends ActionController
{
/**
* Compare if signed data matches given signature.
*
* @param string $data Signed data to be compared with.
* @param string $sig Signature to be compared with.
*
* @return boolean
*/
private function _hashsAreEqual($data, $sig)
{
if ($data === null || $sig === null || is_string($data) === false || is_string($sig) === false) {
return false;
}
if (strlen($data) !== strlen($sig)) {
return false;
}
if (strcmp($data, $sig) === 0) {
return true;
}
return false;
}//end _hashsAreEqual()
/**
* Authenticate action.
*
* @return string
*/
public function authenticateAction()
{
$extKey = $_EXTKEY; //'dj_discourse_sso';
/** @var \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility $configurationUtility */
$configurationUtility = $this->objectManager->get(ConfigurationUtility::class);
$extensionConfiguration = $configurationUtility->getCurrentConfiguration($extKey);
GeneralUtility::devLog('authenticateAction', $extKey, 0, array('config' => $extensionConfiguration));
// Check mandatory settings.
if (isset($extensionConfiguration['redirect_url']) === false) {
$errorText = '<div><b>ERROR!</b> '
.'You should not see this message!<br />'
.'Could not find typoscript setting plugins.tx_dj_discourse_sso.redirect_url! '
.'Please configure the plugin.';
return $errorText;
} else {
$redirectUrlRoot = $extensionConfiguration['redirect_url'];
}
if (isset($extensionConfiguration['shared_key']) === false) {
$errorText = '<div><b>ERROR!</b> '
.'You should not see this message!<br />'
.'Could not find typoscript setting plugins.tx_dj_discourse_sso.shared_key! '
.'Please configure the plugin.';
return $errorText;
} else {
$sharedKey = $extensionConfiguration['shared_key'];
}
// Set some defaults.
if (isset($extensionConfiguration['redirect_status']) === true) {
$redirectStatus = $extensionConfiguration['redirect_status'];
}
if ($redirectStatus === false || ($redirectStatus < 300 || $redirectStatus > 308)) {
// Set default.
$redirectStatus = 303;
}
$sso = urldecode(GeneralUtility::_GP('sso'));
$sig = GeneralUtility::_GP('sig');
$hmac = hash_hmac('sha256', $sso, $sharedKey);
if ($this->_hashsAreEqual($hmac, $sig) === false) {
GeneralUtility::devLog('authenticateAction bad request', $extKey, 0, array('sso' => $sso, 'sig' => $sig, 'hmac' => $hmac));
header('HTTP/1.1 403 Forbidden');
$this->throwStatus(403, 'Bad SSO request');
} else {
// Valid $sso string available, convert it.
parse_str(base64_decode($sso), $receivedPayload);
$user = null;
if (isset($GLOBALS['TSFE']) === true
&& isset($GLOBALS['TSFE']->fe_user) === true
&& isset($GLOBALS['TSFE']->fe_user->user) === true
) {
$user = $GLOBALS['TSFE']->fe_user->user;
}
if (isset($user) === true) {
$userId = $user['uid'];
$userEmail = $user['email'];
$userName = $user['username'];
$name = $user['name'];
$nonce = $receivedPayload['nonce'];
$parameters = array(
'nonce' => $nonce,
'external_id' => $userId,
'email' => $userEmail,
'username' => $userName,
'name' => $name,
);
$payload = base64_encode(http_build_query($parameters));
$signature = hash_hmac('sha256', $payload, $this->settings['discourse_sso_shared_key']);
$query = http_build_query(array('sso' => $payload, 'sig' => $signature));
$redirectUrl = $redirectUrlRoot.'/session/sso_login?'.$query;
GeneralUtility::devLog('authenticateAction successful, redirecting', $extKey, 0, array('redirectUrl' => $redirectUrl, 'status' => $redirectStatus));
$this->redirectToUri($redirectUrl, 0, $redirectStatus);
} else {
// No user logged in.
// Wrong setup! This plugin should be enabled only, if a user login exists.
$errorText = '<div><b>ERROR!</b> '
.'You should not see this message!<br />'
.'This plugin should be made available only, if a Frontend User is logged in.<br />'
.'Please change this in the setup of this content element.';
GeneralUtility::devLog('authenticateAction bad configuration', $extKey, 0, array('error' => $errorText));
return $errorText;
}//end if
}//end if
}//end authenticateAction()
}