158 lines
5.9 KiB
PHP
158 lines
5.9 KiB
PHP
<?php
|
|
namespace Jahnke\DiscourseSso\Controller;
|
|
|
|
/***************************************************************
|
|
* Copyright notice
|
|
*
|
|
* (c) 2016 Dirk Jahnke <dirk.jahnke@mailbox.org>
|
|
*
|
|
* All rights reserved
|
|
*
|
|
* This script is part of the TYPO3 project. The TYPO3 project is
|
|
* free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* The GNU General Public License can be found at
|
|
* http://www.gnu.org/copyleft/gpl.html.
|
|
*
|
|
* This script is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* This copyright notice MUST APPEAR in all copies of the script!
|
|
***************************************************************/
|
|
|
|
use TYPO3\CMS\Core\Utility\GeneralUtility;
|
|
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
|
|
use \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility;
|
|
|
|
/**
|
|
* Controller for the Member object
|
|
*/
|
|
class SsoController extends ActionController
|
|
{
|
|
|
|
|
|
/**
|
|
* Compare if signed data matches given signature.
|
|
*
|
|
* @param string $data Signed data to be compared with.
|
|
* @param string $sig Signature to be compared with.
|
|
*
|
|
* @return boolean
|
|
*/
|
|
private function _hashsAreEqual($data, $sig)
|
|
{
|
|
if ($data === null || $sig === null || is_string($data) === false || is_string($sig) === false) {
|
|
return false;
|
|
}
|
|
|
|
if (strlen($data) !== strlen($sig)) {
|
|
return false;
|
|
}
|
|
|
|
if (strcmp($data, $sig) === 0) {
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
|
|
}//end _hashsAreEqual()
|
|
|
|
|
|
/**
|
|
* Authenticate action.
|
|
*
|
|
* @return string
|
|
*/
|
|
public function authenticateAction()
|
|
{
|
|
/** @var \TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility $configurationUtility */
|
|
$configurationUtility = $this->objectManager->get(\TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility::class);
|
|
$extensionConfiguration = $configurationUtility->getCurrentConfiguration('tx_dj_discourse_sso');
|
|
|
|
// Check mandatory settings.
|
|
if (isset($extensionConfiguration['redirect_url']) === false) {
|
|
$errorText = '<div><b>ERROR!</b> '
|
|
.'You should not see this message!<br />'
|
|
.'Could not find typoscript setting plugins.tx_dj_discourse_sso.redirect_url! '
|
|
.'Please configure the plugin.';
|
|
return $errorText;
|
|
} else {
|
|
$redirectUrlRoot = $extensionConfiguration['redirect_url'];
|
|
}
|
|
|
|
if (isset($extensionConfiguration['shared_key']) === false) {
|
|
$errorText = '<div><b>ERROR!</b> '
|
|
.'You should not see this message!<br />'
|
|
.'Could not find typoscript setting plugins.tx_dj_discourse_sso.shared_key! '
|
|
.'Please configure the plugin.';
|
|
return $errorText;
|
|
} else {
|
|
$sharedKey = $extensionConfiguration['shared_key'];
|
|
}
|
|
|
|
// Set some defaults.
|
|
if (isset($extensionConfiguration['redirect_status']) === true) {
|
|
$redirectStatus = $extensionConfiguration['redirect_status'];
|
|
}
|
|
|
|
if ($redirectStatus === false || ($redirectStatus < 300 || $redirectStatus > 308)) {
|
|
// Set default.
|
|
$redirectStatus = 303;
|
|
}
|
|
|
|
$hmac = hash_hmac('sha256', $sso, $this->settings['discourse_sso_shared_key']);
|
|
if ($this->_hashsAreEqual($hmac, $sig) === false) {
|
|
header('HTTP/1.1 403 Forbidden');
|
|
$this->throwStatus(403, 'Bad SSO request');
|
|
} else {
|
|
// Valid $sso string available, convert it.
|
|
parse_str(base64_decode($sso), $receivedPayload);
|
|
$user = null;
|
|
if (isset($GLOBALS['TSFE']) === true
|
|
&& isset($GLOBALS['TSFE']->fe_user) === true
|
|
&& isset($GLOBALS['TSFE']->fe_user->user) === true
|
|
) {
|
|
$user = $GLOBALS['TSFE']->fe_user->user;
|
|
}
|
|
|
|
if (isset($user) === true) {
|
|
$sso = urldecode(GeneralUtility::_GP('sso'));
|
|
$sig = GeneralUtility::_GP('sig');
|
|
$userId = $user['uid'];
|
|
$userEmail = $user['email'];
|
|
$userName = $user['username'];
|
|
$name = $user['name'];
|
|
$nonce = $receivedPayload['nonce'];
|
|
$parameters = array(
|
|
'nonce' => $nonce,
|
|
'external_id' => $userId,
|
|
'email' => $userEmail,
|
|
'username' => $userName,
|
|
'name' => $name,
|
|
);
|
|
$payload = base64_encode(http_build_query($parameters));
|
|
$signature = hash_hmac('sha256', $payload, $this->settings['discourse_sso_shared_key']);
|
|
$query = http_build_query(array('sso' => $payload, 'sig' => $signature));
|
|
$redirectUrl = $redirectUrlRoot.'/session/sso_login?'.$query;
|
|
$this->redirectToUri($redirectUrl, 0, $redirectStatus);
|
|
} else {
|
|
// No user logged in.
|
|
// Wrong setup! This plugin should be enabled only, if a user login exists.
|
|
$errorText = '<div><b>ERROR!</b> '
|
|
.'You should not see this message!<br />'
|
|
.'This plugin should be made available only, if a Frontend User is logged in.<br />'
|
|
.'Please change this in the setup of this content element.';
|
|
return $errorText;
|
|
}//end if
|
|
}//end if
|
|
|
|
}//end authenticateAction()
|
|
|
|
|
|
}
|