/**
* @return string
* @throws \TYPO3\Flow\Security\Exception\InvalidArgumentForHashGenerationException
*/
public function getJWTToken()
{
/** @var \TYPO3\Flow\Security\Account $account */
$account = $this->securityContext->getAccount();
$this->apiToken = $this->securityContext->getAuthenticationTokensOfType('RFY\\JWT\\Security\\Authentication\\Token\\JwtToken')[0];
if ($account->getAuthenticationProviderName() !== $this->apiToken->getAuthenticationProviderName()) {
// TODO: Currently you can get only 1 tokenAccount because of the duplication restraint based on accountIdentifier & AuthenticationProviderName
$account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($account->getAccountIdentifier(), $this->apiToken->getAuthenticationProviderName());
if ($account === NULL) {
$account = $this->generateTokenAccount();
}
}
$payload = array();
$payload['identifier'] = $account->getAccountIdentifier();
$payload['partyIdentifier'] = $this->persistenceManager->getIdentifierByObject($account->getParty());
$payload['user_agent'] = $this->request->getHeader('User-Agent');
$payload['ip_address'] = $this->request->getClientIpAddress();
if ($account->getCreationDate() instanceof \DateTime) {
$payload['creationDate'] = $account->getCreationDate()->getTimestamp();
}
if ($account->getExpirationDate() instanceof \DateTime) {
$payload['expirationDate'] = $account->getExpirationDate()->getTimestamp();
}
// Add hmac
$hmac = $this->hashService->generateHmac($this->signature);
return JWT::encode($payload, $hmac);
}
/**
* This returns the (first) *authenticated* OAuth token which doesn't have a party attached.
*
*@return AbstractClientToken
*/
public function getChargedAuthenticatedTokenHavingNoPartyAttached()
{
/** @var $token AbstractClientToken */
foreach ((array) $this->securityContext->getAuthenticationTokensOfType($this->getTokenClassName()) as $token) {
if ($token->getAuthenticationStatus() === TokenInterface::AUTHENTICATION_SUCCESSFUL && ($token->getAccount() === NULL || $token->getAccount()->getParty() === NULL)) {
return $token;
}
}
return NULL;
}
/**
* Notify SSO servers about the logged out client
*
* All active authentication tokens of type SingleSignOnToken will be
* used to get the registered global session id and send a request
* to the session service on the SSO server.
*
* @return void
*/
public function logout()
{
$allConfiguration = $this->configurationManager->getConfiguration(\TYPO3\Flow\Configuration\ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, 'TYPO3.Flow');
$tokens = $this->securityContext->getAuthenticationTokensOfType('Flowpack\\SingleSignOn\\Client\\Security\\SingleSignOnToken');
foreach ($tokens as $token) {
$providerName = $token->getAuthenticationProviderName();
$serverIdentifier = \TYPO3\Flow\Utility\Arrays::getValueByPath($allConfiguration, 'security.authentication.providers.' . $providerName . '.providerOptions.server');
if ($serverIdentifier !== NULL) {
$ssoClient = $this->ssoClientFactory->create();
$ssoServer = $this->ssoServerFactory->create($serverIdentifier);
$ssoServer->destroySession($ssoClient, $token->getGlobalSessionId());
}
}
}
/**
* Description.
*
* @param string $providerName
*
* @return void
*/
public function finalizeAuthenticationByNewUser($providerName)
{
$casTokens = $this->securityContext->getAuthenticationTokensOfType(\RafaelKa\JasigPhpCas\Service\CasManager::DEFAULT_CAS_TOKEN);
/* @var $casToken \RafaelKa\JasigPhpCas\Security\Authentication\Token\PhpCasToken */
foreach ($casTokens as $casToken) {
if ($casToken->getAuthenticationProviderName() === $providerName && !empty($this->miscellaneous[$providerName]['Account'])) {
$casToken->setAccount($this->miscellaneous[$providerName]['Account']);
$casToken->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_SUCCESSFUL);
$mapper = $this->getMapperByProviderName($providerName);
$mapper->finalizePersistingNewUser($this->miscellaneous[$providerName]['Account']);
}
}
}
/**
* Executes this finisher
* @see AbstractFinisher::execute()
*
* @return void
* @throws \TYPO3\Flow\Mvc\Exception\StopActionException();
*/
protected function executeInternal()
{
/** @var \TYPO3\Form\Core\Runtime\FormRuntime $formRuntime */
$formRuntime = $this->finisherContext->getFormRuntime();
$formValueArray = $formRuntime->getFormState()->getFormValues();
if ($formRuntime->getRequest()->getParentRequest()->getControllerActionName() == 'editDataSheet') {
// we need to update the data sheet, we assume that the person is authenticated because a data sheet can only be edited by a authenticated user
/** @var \GIB\GradingTool\Domain\Model\Project $project */
$project = $this->projectRepository->findByIdentifier($formRuntime->getRequest()->getParentRequest()->getArgument('project'));
// make a HTML representation of a diff of the old and new data
$diffContent = DiffUtility::arrayDiffRecursive($project->getDataSheetContentArray(), $formValueArray);
// store changes to project
$project->setDataSheetContent($formValueArray);
$project->setLastUpdated(new \TYPO3\Flow\Utility\Now());
// update e-mail address (could have changed in the data sheet)
$projectManagerElectronicAddress = new \TYPO3\Party\Domain\Model\ElectronicAddress();
$projectManagerElectronicAddress->setIdentifier($formValueArray['projectManagerEmail']);
$projectManagerElectronicAddress->setType(\TYPO3\Party\Domain\Model\ElectronicAddress::TYPE_EMAIL);
$project->getProjectManager()->setPrimaryElectronicAddress($projectManagerElectronicAddress);
$this->partyRepository->update($project->getProjectManager());
$this->projectRepository->update($project);
$this->persistenceManager->persistAll();
// send a notification mail to the Administrator containing the changes
$templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('editDataSheetNotification', $project);
$this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, NULL, '', '', $diffContent);
// add a flash message
$message = new \TYPO3\Flow\Error\Message('Your data sheet for project "%s" was successfully edited.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($project->getProjectTitle()));
$this->flashMessageContainer->addMessage($message);
} else {
// we need to add a new data sheet
/** @var \GIB\GradingTool\Domain\Model\Project $project */
$project = new \GIB\GradingTool\Domain\Model\Project();
$project->setProjectTitle($formValueArray['projectTitle']);
$project->setDataSheetFormIdentifier($this->settings['forms']['dataSheet']['default']);
$project->setSubmissionFormIdentifier($this->settings['forms']['submission']['default']);
// store identifier=userName and password for later usage
$identifier = $formValueArray['userName'];
$password = $formValueArray['password'];
// remove userName and password from data array so it doesn't get saved unencrypted
unset($formValueArray['userName']);
unset($formValueArray['password']);
$project->setDataSheetContent($formValueArray);
$project->setCreated(new \TYPO3\Flow\Utility\Now());
$this->projectRepository->add($project);
// add a flash message
$message = new \TYPO3\Flow\Error\Message('Your data sheet for project "%s" was successfully submitted.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($formValueArray['projectTitle']));
$this->flashMessageContainer->addMessage($message);
if (!$this->authenticationManager->isAuthenticated() || $this->authenticationManager->isAuthenticated() && $this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) {
// the product manager (supposedly) doesn't have an account yet, so we create one
$projectManager = new \GIB\GradingTool\Domain\Model\ProjectManager();
$projectManagerName = new \TYPO3\Party\Domain\Model\PersonName('', $formValueArray['projectManagerFirstName'], '', $formValueArray['projectManagerLastName']);
$projectManager->setName($projectManagerName);
$projectManagerElectronicAddress = new \TYPO3\Party\Domain\Model\ElectronicAddress();
$projectManagerElectronicAddress->setIdentifier($formValueArray['projectManagerEmail']);
$projectManagerElectronicAddress->setType(\TYPO3\Party\Domain\Model\ElectronicAddress::TYPE_EMAIL);
$projectManager->addElectronicAddress($projectManagerElectronicAddress);
$projectManager->setPrimaryElectronicAddress($projectManagerElectronicAddress);
// add account
$roles = array('GIB.GradingTool:ProjectManager');
$authenticationProviderName = 'DefaultProvider';
$account = $this->accountFactory->createAccountWithPassword($identifier, $password, $roles, $authenticationProviderName);
$this->accountRepository->add($account);
// add account to ProjectManager
$projectManager->addAccount($account);
// add project to ProjectManager
$projectManager->addProject($project);
// finally add the complete ProjectManager
$this->partyRepository->add($projectManager);
if (!$this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) {
// authenticate user if no Administrator is authenticated
$authenticationTokens = $this->securityContext->getAuthenticationTokensOfType('TYPO3\\Flow\\Security\\Authentication\\Token\\UsernamePassword');
if (count($authenticationTokens) === 1) {
$authenticationTokens[0]->setAccount($account);
$authenticationTokens[0]->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_SUCCESSFUL);
}
// add a flash message
$message = new \TYPO3\Flow\Error\Message('The account "%s" was created and you were successfully logged in.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($identifier));
$this->flashMessageContainer->addMessage($message);
}
} elseif ($this->authenticationManager->isAuthenticated() && $this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:ProjectManager')) {
// a productManager is adding a new project to his account
/** @var \GIB\GradingTool\Domain\Model\ProjectManager $projectManager */
$projectManager = $this->authenticationManager->getSecurityContext()->getParty();
$projectManager->addProject($project);
$this->partyRepository->update($projectManager);
}
$this->persistenceManager->persistAll();
// send notification mail to project manager (bcc to team)
$templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('newDataSheetProjectManagerNotification', $project);
$this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, $projectManager, $formValueArray['projectManagerFirstName'] . ' ' . $formValueArray['projectManagerLastName'], $formValueArray['projectManagerEmail']);
// send notification mail to the GIB team
$templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('newDataSheetTeamNotification', $project);
$dataSheetArray = $this->dataSheetService->getProcessedDataSheet($project);
$this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, $projectManager, '', '', $dataSheetArray);
}
$this->persistenceManager->persistAll();
// redirect to dashboard
$formRuntime = $this->finisherContext->getFormRuntime();
$request = $formRuntime->getRequest()->getMainRequest();
$uriBuilder = new \TYPO3\Flow\Mvc\Routing\UriBuilder();
$uriBuilder->setRequest($request);
$uriBuilder->reset();
$uri = $uriBuilder->uriFor('editDatasheet', array('project' => $project), 'Project');
$response = $formRuntime->getResponse();
$mainResponse = $response;
while ($response = $response->getParentResponse()) {
$mainResponse = $response;
}
$mainResponse->setStatus(303);
$mainResponse->setHeader('Location', (string) $uri);
throw new \TYPO3\Flow\Mvc\Exception\StopActionException();
}
/**
* If authentication status is set to AUTHENTICATION_NEEDED by some token, then each action that calls some security method returns blank/white screen.
*
* This method sets authentication status to NO_CREDENTIALS_GIVEN by tokens, where authentication status was set to AUTHENTICATION_NEEDED by aborting authenticaion.
*
* @param string $providerName
*
* @return void
*/
private function fixWhiteScreenByAbortingAuthentication($providerName)
{
$casTokens = $this->securityContext->getAuthenticationTokensOfType(CasManager::DEFAULT_CAS_TOKEN);
/* @var $casToken \RafaelKa\JasigPhpCas\Security\Authentication\Token\PhpCasToken */
foreach ($casTokens as $casToken) {
if ($casToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_NEEDED || $casToken->getAuthenticationProviderName() !== $providerName) {
continue;
}
$casToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
