/**
 * Returns a Person for the given (Facebook) user id, decorated with profile data.
 *
 * The local row is read through db_get_user(); when there is none yet, a row is
 * created from the Facebook profile name via $this->createPerson() and read
 * again. The Facebook profile is fetched through the global $facebook client
 * (fields id, name, first_name, link, gender, location); when a location is
 * present a second API call resolves its coordinates.
 *
 * @param mixed $id user id understood by both db_get_user() and the Facebook API
 * @return Person|null null when no local row exists even after creation
 */
public function getPerson($id)
 {
     global $facebook;
     $row = db_get_user($id);
     $profile = $facebook->api('/' . $id . '?fields=id,name,first_name,link,gender,location');
     if (!$row) {
         // No local record yet: create one from the Facebook name and re-read it.
         $this->createPerson($id, $profile['name']);
         $row = db_get_user($id);
     }
     if (!$row) {
         return null;
     }
     $person = new Person($row);
     $person->fb_link = $profile['link'];
     // Logout URL sends the browser back to this site's logout page afterwards.
     $person->fb_logoutURL = $facebook->getLogoutUrl(array('next' => getAbsoluteBaseURL() . '/logout.php'));
     $person->gender = $profile['gender'];
     $person->first_name = $profile['first_name'];
     if (array_key_exists('location', $profile)) {
         $person->location = $profile['location']['name'];
         // Second call: the location object carries the coordinates.
         $place = $facebook->api('/' . $profile['location']['id']);
         $person->geo_location = array(
             "lat" => $place['location']['latitude'],
             "long" => $place['location']['longitude'],
         );
     }
     return $person;
 }
 public function getPerson($id)
 {
     // we use the previous function to get all the books and then we return the requested one.
     // in a real life scenario this will be done through a db select command
     //$allBooks = $this->getBookList();
     //return $allBooks[$title];
     $person_row = db_get_user($id);
     if ($person_row == False) {
         return Null;
     }
     // get facebook data
     global $facebook;
     $fb_userdata = $facebook->api('/' . $id);
     // create person object and fill its data
     $person = new Person($person_row);
     $person->fb_link = $fb_userdata['link'];
     $person->gender = $fb_userdata['gender'];
     $person->first_name = $fb_userdata['first_name'];
     /*
     		$fb_feed_response = $facebook->api('/'.$id.'/feed?limit=1&access_token='.$person_row['access_code']);
     		try {
     			$person->status = $fb_feed_response['data'][0]['message'];
     		} catch (Exception $e) {
     			echo 'Caught exception: ',  $e->getMessage(), "\n";
     		}*/
     return $person;
 }
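/**
 * Completes an OpenID Connect authorization request once the user has been
 * authenticated and has granted (or denied) access.
 *
 * The original request is read back from the session: $_SESSION['get'] holds
 * the query parameters, $_SESSION['rpfA'] the processed request data (claims,
 * ...). Depending on response_type the function issues an authorization code,
 * an access token and/or an ID token; a refresh token is added only for a pure
 * code flow that asked for prompt=consent and scope offline_access. Issued
 * tokens are persisted with db_save_user_token(), the session_state value is
 * computed from client_id, redirect origin and $_SESSION['ops'], the OP session
 * is kept (persist=on) or destroyed, and the parameters are delivered to the
 * client's redirect_uri via send_auth_response(). Any OidcException, or any
 * other exception, becomes an OAuth error response sent by send_error() to the
 * redirect_uri (OP_INDEX_PAGE when the request had none).
 *
 * @param string $username  account the tokens are issued for
 * @param bool   $authorize false when the user denied access; an access_denied
 *                          error is sent instead of any token
 * @return void  output is produced by send_auth_response()/send_error()
 */
function send_response($username, $authorize = false)
{
    $GET = $_SESSION['get'];
    $rpfA = $_SESSION['rpfA'];
    $rpep = isset($GET['redirect_uri']) ? $GET['redirect_uri'] : null;
    $state = isset($GET['state']) ? $GET['state'] : NULL;
    $error_page = isset($GET['redirect_uri']) ? $GET['redirect_uri'] : OP_INDEX_PAGE;
    $response_mode = get_response_mode($GET);
    try {
        $client_id = $GET['client_id'];
        // Space-separated request parameters; an absent one behaves like an empty string.
        $response_types = explode(' ', isset($GET['response_type']) ? $GET['response_type'] : '');
        $scopes = explode(' ', isset($GET['scope']) ? $GET['scope'] : '');
        $prompts = explode(' ', isset($GET['prompt']) ? $GET['prompt'] : '');
        $is_code_flow = in_array('code', $response_types, true);
        $is_token_flow = in_array('token', $response_types, true);
        $is_id_token = in_array('id_token', $response_types, true);
        // Refresh tokens only for a pure code flow with explicit consent and the offline_access scope.
        $offline_access = $is_code_flow && !$is_token_flow && in_array('consent', $prompts, true) && in_array('offline_access', $scopes, true);
        // %Y is the calendar year; %G (ISO-8601 week-based year) differs from it
        // around New Year and shifted the stored timestamps by a year there.
        $issue_at = strftime('%Y-%m-%d %T');
        $expiration_at = strftime('%Y-%m-%d %T', time() + 2 * 60);
        $response_params = array();
        // Read by later branches regardless of flow; null until the matching flow issues them.
        $code = null;
        $token = null;
        $refresh_token_name = null;
        if (!$authorize) {
            throw new OidcException('access_denied', 'User denied access');
        }
        $rpfA['session_id'] = session_id();
        $rpfA['auth_time'] = $_SESSION['auth_time'];
        $confirmed_attribute_list = get_all_requested_claims($rpfA, $GET['scope']);
        if ($is_code_flow) {
            // create_token_info() returns the token value under 'name'; the rest is stored as JSON 'info'.
            $code_info = create_token_info($username, $confirmed_attribute_list, $GET, $rpfA);
            $code = $code_info['name'];
            unset($code_info['name']);
            $fields = array('client' => $GET['client_id'], 'issued_at' => $issue_at, 'expiration_at' => $expiration_at, 'token' => $code, 'details' => '', 'token_type' => TOKEN_TYPE_AUTH_CODE, 'info' => json_encode($code_info));
            db_save_user_token($username, $code, $fields);
        }
        if ($is_token_flow) {
            $code_info = create_token_info($username, $confirmed_attribute_list, $GET, $rpfA);
            $token = $code_info['name'];
            unset($code_info['name']);
            $issue_at = strftime('%Y-%m-%d %T');
            $expiration_at = strftime('%Y-%m-%d %T', time() + 2 * 60);
            $fields = array('client' => $GET['client_id'], 'issued_at' => $issue_at, 'expiration_at' => $expiration_at, 'token' => $token, 'details' => '', 'token_type' => TOKEN_TYPE_ACCESS, 'info' => json_encode($code_info));
            db_save_user_token($username, $token, $fields);
        }
        if ($offline_access) {
            // Draw random refresh token names until one is unused in the token table.
            // NOTE(review): mcrypt was removed from PHP core in 7.2; random_bytes(32)
            // is the equivalent source of entropy on PHP >= 7.
            while (true) {
                $refresh_token_name = base64url_encode(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
                if (!db_find_token($refresh_token_name)) {
                    break;
                }
            }
            // Refresh tokens live 24 hours; $code_info is the code's info (offline_access implies the code flow).
            $fields = array('client' => $GET['client_id'], 'issued_at' => $issue_at, 'expiration_at' => $expiration_at, 'token' => $refresh_token_name, 'details' => '', 'token_type' => TOKEN_TYPE_REFRESH, 'info' => json_encode($code_info));
            $fields['expiration_at'] = strftime('%Y-%m-%d %T', time() + 24 * 60 * 60);
            db_save_user_token($username, $refresh_token_name, $fields);
        }
        // Handle response_type for code or token
        if (isset($GET['state'])) {
            $response_params['state'] = $GET['state'];
        }
        if ($is_token_flow || $is_id_token) {
            if (isset($token)) {
                $response_params['access_token'] = $token;
                $response_params['token_type'] = 'Bearer';
                if ($offline_access) {
                    $response_params['refresh_token'] = $refresh_token_name;
                }
                // NOTE(review): the stored expiration_at is 2 minutes after issue
                // while expires_in tells the client 3600 s — confirm which is intended.
                $response_params['expires_in'] = '3600';
            }
        }
        if ($is_id_token) {
            $nonce = isset($GET['nonce']) ? $GET['nonce'] : null;
            $c_hash = null;
            $at_hash = null;
            $ops = null;
            $auth_time = null;
            $acr = null;
            $idt_claims = array();
            $sig = null;
            $alg = null;
            $enc = null;
            $client_secret = null;
            $jwk_uri = null;
            $jwks = null;
            // The client registration decides how the ID token is signed/encrypted; RS256 when unspecified.
            $db_client = db_get_client($client_id);
            if ($db_client) {
                $sig = $db_client['id_token_signed_response_alg'];
                if (!isset($sig)) {
                    $sig = 'RS256';
                }
                $alg = $db_client['id_token_encrypted_response_alg'];
                $enc = $db_client['id_token_encrypted_response_enc'];
                $client_secret = $db_client['client_secret'];
                $jwk_uri = $db_client['jwks_uri'];
                $jwks = $db_client['jwks'];
            }
            // auth_time / acr are only included when the request's claims.id_token asked for them.
            if (isset($rpfA['claims']) && isset($rpfA['claims']['id_token'])) {
                if (array_key_exists('auth_time', $rpfA['claims']['id_token'])) {
                    $auth_time = (int) $_SESSION['auth_time'];
                }
                if (array_key_exists('acr', $rpfA['claims']['id_token'])) {
                    if (array_key_exists('values', $rpfA['claims']['id_token']['acr'])) {
                        if (is_array($rpfA['claims']['id_token']['acr']['values']) && count($rpfA['claims']['id_token']['acr']['values'])) {
                            $acr = $rpfA['claims']['id_token']['acr']['values'][0];
                        }
                    } else {
                        $acr = '0';
                    }
                }
            }
            if ($sig) {
                // c_hash / at_hash: left-most half of the hash whose bit length matches
                // the signing algorithm (e.g. RS256 -> sha256, 16 bytes), base64url encoded.
                // NOTE(review): for an alg name without a numeric suffix (e.g. 'none')
                // $bit_length becomes 0 and the hashes come out empty — confirm intended.
                $bit_length = substr($sig, 2);
                switch ($bit_length) {
                    case '384':
                        $hash_alg = 'sha384';
                        break;
                    case '512':
                        $hash_alg = 'sha512';
                        break;
                    case '256':
                    default:
                        $hash_alg = 'sha256';
                        break;
                }
                $hash_length = (int) ((int) $bit_length / 2) / 8;
                if ($code) {
                    $c_hash = base64url_encode(substr(hash($hash_alg, $code, true), 0, $hash_length));
                }
                if ($token) {
                    $at_hash = base64url_encode(substr(hash($hash_alg, $token, true), 0, $hash_length));
                }
            }
            $requested_id_token_claims = get_id_token_claims($rpfA);
            if ($requested_id_token_claims) {
                $db_user = db_get_user($username);
                if ($db_user) {
                    $idt_claims = get_account_claims($db_user, $requested_id_token_claims);
                } else {
                    throw new OidcException('access_denied', 'no such user');
                }
            }
            $id_token_obj = make_id_token(wrap_userid($db_client, $username), SERVER_ID, $client_id, $idt_claims, $nonce, $c_hash, $at_hash, $auth_time, $ops, $acr);
            log_debug('sen_response id_token_obj = %s', print_r($id_token_obj, true));
            $cryptoError = null;
            $id_token = sign_encrypt($id_token_obj, $sig, $alg, $enc, $jwk_uri, $jwks, $client_secret, $cryptoError);
            if (!$id_token) {
                log_error("Unable to sign encrypt response for ID Token %s", $cryptoError);
                throw new OidcException('invalid_request', "idtoken crypto error {$cryptoError}");
            }
            $response_params['id_token'] = $id_token;
        }
        // session_state = sha256(client_id + redirect origin + OP browser state + salt) "." salt
        $url_parts = parse_url($rpep);
        $origin = sprintf("%s://%s%s", $url_parts['scheme'], $url_parts['host'], isset($url_parts['port']) ? ':' . $url_parts['port'] : '');
        $salt = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
        log_debug("ss = sha256(%s%s%s%s).%s", $client_id, $origin, $_SESSION['ops'], $salt, $salt);
        $session_state = hash('sha256', "{$client_id}{$origin}{$_SESSION['ops']}{$salt}") . '.' . $salt;
        $response_params['session_state'] = $session_state;
        if ($is_code_flow) {
            $response_params['code'] = $code;
        }
        if (isset($_SESSION['persist']) && $_SESSION['persist'] == 'on') {
            // Keep the login across requests: carry the login state over a cleaned session.
            $username = $_SESSION['username'];
            $auth_time = $_SESSION['auth_time'];
            $ops = $_SESSION['ops'];
            $login = $_SESSION['login'];
            clean_session();
            $_SESSION['lastlogin'] = time();
            $_SESSION['username'] = $username;
            $_SESSION['auth_time'] = $auth_time;
            $_SESSION['ops'] = $ops;
            $_SESSION['login'] = $login;
            $_SESSION['persist'] = 'on';
        } else {
            session_destroy();
        }
        send_auth_response($rpep, $response_params, $response_mode);
    } catch (OidcException $e) {
        log_error("handle_auth exception : %s", $e->getTraceAsString());
        send_error($error_page, $e->error_code, $e->desc, NULL, $state, $response_mode);
    } catch (Exception $e) {
        // Anything unexpected is reported to the client as a generic invalid_request.
        log_error("handle_auth exception : %s", $e->getTraceAsString());
        send_error($error_page, 'invalid_request', $e->getMessage(), NULL, $state, $response_mode);
    }
}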
/**
 * Authenticates a reviewer account and returns its user row, or null.
 *
 * The row is loaded with db_get_user(). A 'LOCAL' account is accepted when its
 * stored password is non-empty and identical to $password; an 'LDAP' account
 * is accepted when auth_ldap_user() confirms the credentials. Everything else
 * (unknown user, other scope, mismatch) yields null.
 *
 * NOTE(review): the LOCAL check is a plain equality against the stored value,
 * so it only works if the database holds the password itself rather than a
 * hash — confirm against the code that writes the row.
 *
 * @param mixed  $dbh      database handle passed through to db_get_user()
 * @param string $username
 * @param string $password
 * @return array|null the user row on success
 */
function authenticate_reviewer($dbh, $username, $password)
{
    $account = db_get_user($dbh, $username);
    if (!$account) {
        return null;
    }
    $localMatch = $account['scope'] === 'LOCAL'
        && !empty($account['password'])
        && $account['password'] === $password;
    if ($localMatch) {
        return $account;
    }
    if ($account['scope'] === 'LDAP' && auth_ldap_user($username, $password)) {
        return $account;
    }
    return null;
}
/**
 * Looks up an account by username.
 *
 * Thin alias over db_get_user() for callers that use the "account" vocabulary;
 * returns exactly what db_get_user() returns.
 *
 * @param string $username
 * @return mixed result of db_get_user()
 */
function db_get_account($username)
{
    $account = db_get_user($username);
    return $account;
}
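/**
 * Serves a WebFinger discovery request for this OpenID Provider.
 *
 * Reads $_REQUEST['resource'] (the principal) and $_REQUEST['rel'] (the
 * requested relation) and answers with send_webfinger_discovery() when the
 * principal is either one of this server's host identifiers (OP_SERVER_NAME
 * with/without OP_PROTOCOL and OP_PORT, plus every issuer from
 * db_get_providers()) or a locally known user (db_get_user()). Any other case
 * — missing resource and rel, a relation other than the OpenID Connect issuer
 * relation, an XRI principal, an e-mail domain that does not match
 * OP_SERVER_NAME, an unparseable URL, or an unknown principal — is answered
 * with HTTP 400 and the script exits.
 *
 * Principal forms handled: "acct:" prefix is stripped; user@host is split and
 * the host compared with OP_SERVER_NAME; otherwise the value is treated as a
 * URL whose host(:port) becomes the issuer and whose path (without the
 * leading "/") becomes the principal.
 *
 * @return void
 */
function handle_webfinger_discovery()
{
    $resource = isset($_REQUEST['resource']) ? $_REQUEST['resource'] : null;
    $service = isset($_REQUEST['rel']) ? $_REQUEST['rel'] : null;
    if (!$resource && !$service) {
        log_error('Discovery : no principal or service');
        header('HTTP/1.0 400 Bad Request');
        exit;
    }
    // Only the OpenID Connect issuer relation is served.
    if ($service && $service !== 'http://openid.net/specs/connect/1.0/issuer') {
        log_error('Discovery : invalid service');
        header('HTTP/1.0 400 Bad Request');
        exit;
    }
    // A non-string resource (e.g. resource[]=...) cannot be a principal; the
    // string functions below would otherwise error on it.
    if ($resource !== null && !is_string($resource)) {
        log_error('Discovery : invalid resource');
        header('HTTP/1.0 400 Bad Request');
        exit;
    }
    $principal = (string) $resource;
    $hosts = array(OP_SERVER_NAME, OP_PROTOCOL . OP_SERVER_NAME, OP_PROTOCOL . OP_SERVER_NAME . OP_PORT);
    $providers = db_get_providers();
    if ($providers) {
        foreach ($providers as $provider) {
            array_push($hosts, $provider['issuer']);
        }
    }
    if ($principal !== '' && substr($principal, 0, 5) === 'acct:') {
        $principal = substr($principal, 5);
    }
    $at = strpos($principal, '@');
    if ($at !== false) {
        if ($at === 0) {
            // XRI
            header('HTTP/1.0 400 Bad Request');
            log_error('Discovery : principal is a XRI');
            exit;
        }
        // process email address
        list($principal, $domain) = explode('@', $principal);
        $port_pos = strpos($domain, ':');
        if ($port_pos !== false) {
            $domain = substr($domain, 0, $port_pos);
        }
        $domain_parts = explode('.', $domain);
        $server_parts = explode('.', OP_SERVER_NAME);
        // check to see domain matches: labels are compared from the right for as
        // long as both names have labels.
        // NOTE(review): this is a common-suffix test, not equality — a subdomain
        // of OP_SERVER_NAME (or a parent domain of it) passes as well; the
        // principal must still be a known user below, which limits the impact.
        $domain_start = count($domain_parts) - 1;
        $server_start = count($server_parts) - 1;
        for ($i = $domain_start, $j = $server_start; $i >= 0 && $j >= 0; $i--, $j--) {
            if (strcasecmp($domain_parts[$i], $server_parts[$j]) != 0) {
                header('HTTP/1.0 400 Bad Request');
                log_error('Discovery : email domains do not match');
                exit;
            }
        }
    } else {
        // process URL
        $pos = strpos($principal, '#');
        if ($pos !== false) {
            $principal = substr($principal, 0, $pos);
        }
        $parts = parse_url($principal);
        if (!$parts) {
            log_error('Discovery : unparseable URL');
            header('HTTP/1.0 400 Bad Request');
            exit;
        }
        // parse_url() omits 'host' for relative references; treat that as an empty host.
        $host = isset($parts['host']) ? $parts['host'] : '';
        $port = isset($parts['port']) && $parts['port'] ? ':' . $parts['port'] : '';
        $issuer = OP_PROTOCOL . "{$host}{$port}";
        if (isset($parts['path'])) {
            if ($parts['path'] === '/') {
                $principal = $issuer;
            } else {
                $principal = substr($parts['path'], 1);
                log_debug("principal = %s", $principal);
            }
        } else {
            $principal = $issuer;
        }
    }
    if (!in_array($principal, $hosts, true) && !db_get_user($principal)) {
        log_error("Discovery : no such user or host\nprincipal = %s hosts = %s", $principal, print_r($hosts, true));
        header('HTTP/1.0 400 Bad Request');
        exit;
    }
    send_webfinger_discovery($resource);
}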
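/**
 * Continues the Bronto login flow once the API login attempt has returned.
 *
 * $login_info is the result of that attempt: an array (binding, sessionID,
 * accountID, isAgency, accounts) on success, false when Bronto rejected the
 * username/password/sitename, and null when the Bronto API could not be
 * reached. Agency logins are sent to the account-selection form; regular
 * logins are recorded locally (db_save_user, db_save_session,
 * db_update_user_last_login) and the user is shown either the profile form,
 * when first name, last name or e-mail is missing, or the message-selection
 * form. Every failure path re-displays the login form with the submitted
 * credentials.
 *
 * @param array|false|null $login_info see above
 * @param string $username
 * @param string $password  submitted password; it is handed to db_save_user()
 *                          (whether that hashes it is not visible here) and
 *                          passed back into the login forms for a retry
 * @param string $sitename
 * @return void output is produced by the print_* / display_* helpers
 */
function process_login($login_info, $username, $password, $sitename)
{
    if (!is_array($login_info)) {
        if ($login_info === false) {
            // false: incorrect username, password, or sitename
            display_errorbox("Invalid username, password, or sitename.");
        } else {
            // otherwise (null): no connectivity to the Bronto API
            display_errorbox("Unable to connect to the Bronto API server.");
        }
        print_request_login_form($username, $password, $sitename);
        return;
    }
    // An array means the login was successful.
    $bapi = $login_info['binding'];
    $sessionID = $login_info['sessionID'];
    $accountID = $login_info['accountID'];
    $isAgency = $login_info['isAgency'];
    if ($isAgency) {
        // Agency accounts first choose which customer account to work on.
        print_agency_login_form($username, $password, $sitename, "", $sessionID, $login_info['accounts']);
        return;
    }
    $dbh = open_db();
    if (!$dbh) {
        display_errorbox("Unable to connect to database.");
        print_request_login_form($username, $password, $sitename);
        return;
    }
    // The two warning messages below were garbled in the source (a "******"
    // placeholder where the user value was); they are reconstructed to show the
    // username — the password must never appear in a message.
    if (!db_save_user($dbh, $username, $password, 'BRONTO', 'REQUESTER', $sitename)) {
        display_warnbox("Unable to save user information (user=" . $username . ",sitename=" . $sitename . ")");
    }
    if (!db_save_session($dbh, $sessionID, $username, $accountID)) {
        display_warnbox("Unable to save session information (id=" . $sessionID . ",user=" . $username . ")");
    }
    if (!db_update_user_last_login($dbh, $username)) {
        echo "Unable to record login date/time.";
    }
    // Confirm that user information is available.
    $userinfo = db_get_user($dbh, $username);
    if (empty($userinfo['firstname']) || empty($userinfo['lastname']) || empty($userinfo['email'])) {
        print_user_info_form($sessionID, $userinfo);
    } elseif (!print_message_select_form($bapi, $sessionID)) {
        display_errorbox("Unable to connect to Bronto API.");
        print_request_login_form($username, $password, $sitename);
    }
}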
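/**
 * Authenticates a locally-scoped user against the stored credential.
 *
 * Returns the user row from db_get_user() when the account exists, has a
 * non-empty stored password, that value is identical to $password and the
 * account scope is 'LOCAL'; null otherwise.
 *
 * NOTE(review): the check is a direct equality against the stored value, i.e.
 * it only works if the database holds the password itself rather than a hash
 * — confirm what the writer stores; password_verify() would be the expected
 * check for a hash.
 *
 * @param mixed  $dbh      database handle passed through to db_get_user()
 * @param string $username
 * @param string $password
 * @return array|null the user row on success
 */
function db_auth_local_user($dbh, $username, $password)
{
    $uinfo = db_get_user($dbh, $username);
    // `&&` replaces a bitwise `&` in the original condition, which only gave
    // the right answer by accident (bool & bool -> 0/1) and evaluated both sides.
    if ($uinfo && !empty($uinfo['password']) && $uinfo['password'] === $password && $uinfo['scope'] === 'LOCAL') {
        return $uinfo;
    }
    return null;
}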