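/**
 * Build a Person for a Facebook user id, creating the local row on first sight.
 *
 * The local row comes from db_get_user(); profile fields (name, link, gender,
 * first name, optional location) come from the Graph API via the global
 * $facebook client. Every Graph field is read defensively, so a profile that
 * omits a field yields null on the Person instead of a PHP notice.
 *
 * @param string $id Facebook user id. It is concatenated into the API path
 *                   verbatim, so callers must not pass raw request input here.
 * @return Person|null null when the row cannot be created/loaded.
 */
public function getPerson($id) {
    $person_row = db_get_user($id);

    // Graph API lookup; $facebook->api() is left to throw on failure.
    global $facebook;
    $fb_userdata = $facebook->api('/' . $id . '?fields=id,name,first_name,link,gender,location');

    if (empty($person_row)) {
        $this->createPerson($id, isset($fb_userdata['name']) ? $fb_userdata['name'] : null);
        $person_row = db_get_user($id);
        if (empty($person_row)) {
            return null;
        }
    }

    $person = new Person($person_row);
    $person->fb_link = isset($fb_userdata['link']) ? $fb_userdata['link'] : null;
    $person->fb_logoutURL = $facebook->getLogoutUrl(array('next' => getAbsoluteBaseURL() . '/logout.php'));
    $person->gender = isset($fb_userdata['gender']) ? $fb_userdata['gender'] : null;
    $person->first_name = isset($fb_userdata['first_name']) ? $fb_userdata['first_name'] : null;

    // Location is optional in the Graph response; its coordinates need a second call.
    if (isset($fb_userdata['location']) && is_array($fb_userdata['location'])) {
        $location = $fb_userdata['location'];
        $person->location = isset($location['name']) ? $location['name'] : null;
        if (isset($location['id'])) {
            $location_data = $facebook->api('/' . $location['id']);
            if (isset($location_data['location']['latitude'], $location_data['location']['longitude'])) {
                $person->geo_location = array(
                    "lat" => $location_data['location']['latitude'],
                    "long" => $location_data['location']['longitude'],
                );
            }
        }
    }

    // A feed lookup that was commented out upstream appended the stored
    // access_code to the request URL as a query parameter. If it is ever
    // revived, avoid building the token into a URL string by hand.
    return $person;
}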
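/**
 * Build a Person for a stored user id, enriched with Facebook profile fields.
 *
 * Unknown ids yield null; this variant does not create rows. Graph fields are
 * read defensively so a profile missing a field yields null instead of a notice.
 *
 * @param string $id user id; concatenated into the Graph API path verbatim,
 *                   so callers must not pass raw request input here.
 * @return Person|null
 */
public function getPerson($id) {
    $person_row = db_get_user($id);
    if (empty($person_row)) {
        return null;
    }

    // Graph API lookup via the global client; api() is left to throw on failure.
    global $facebook;
    $fb_userdata = $facebook->api('/' . $id);

    $person = new Person($person_row);
    $person->fb_link = isset($fb_userdata['link']) ? $fb_userdata['link'] : null;
    $person->gender = isset($fb_userdata['gender']) ? $fb_userdata['gender'] : null;
    $person->first_name = isset($fb_userdata['first_name']) ? $fb_userdata['first_name'] : null;

    // A feed lookup that was commented out upstream appended the stored
    // access_code to the request URL as a query parameter. If it is ever
    // revived, avoid building the token into a URL string by hand.
    return $person;
}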
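/**
 * Finish an OpenID Connect authorization request once the user has answered it.
 *
 * The original request is read back from $_SESSION['get'] / $_SESSION['rpfA'].
 * Depending on response_type the function mints an authorization code, an
 * access token, an optional refresh token (only for code flow with
 * prompt=consent and scope offline_access) and an ID token, stores them with
 * db_save_user_token(), computes session_state and hands everything to
 * send_auth_response(). Any OidcException / Exception becomes an error
 * redirect through send_error().
 *
 * @param string $username  account the user authenticated as
 * @param bool   $authorize true if the user approved; false yields access_denied
 * @return void  responds via send_auth_response() / send_error()
 */
function send_response($username, $authorize = false) {
    $GET = $_SESSION['get'];
    $rpfA = $_SESSION['rpfA'];
    $rpep = $GET['redirect_uri'];
    $state = isset($GET['state']) ? $GET['state'] : null;
    // NOTE(review): both the success and the error redirect go to redirect_uri;
    // this assumes it was checked against the client's registration before the
    // request was stored in the session — confirm upstream, otherwise send_error
    // is an open redirect.
    $error_page = isset($GET['redirect_uri']) ? $GET['redirect_uri'] : OP_INDEX_PAGE;
    $response_mode = get_response_mode($GET);

    try {
        $client_id = $GET['client_id'];
        $response_types = explode(' ', $GET['response_type']);
        $scopes = explode(' ', $GET['scope']);
        $prompts = explode(' ', isset($GET['prompt']) ? $GET['prompt'] : '');
        $is_code_flow = in_array('code', $response_types, true);
        $is_token_flow = in_array('token', $response_types, true);
        $is_id_token = in_array('id_token', $response_types, true);
        $offline_access = $is_code_flow && !$is_token_flow
            && in_array('consent', $prompts, true)
            && in_array('offline_access', $scopes, true);

        // Lifetimes in seconds. The advertised expires_in is derived from the
        // same value as the stored expiration_at so the client is not told
        // 3600 s for a token the database expires after 120 s.
        $access_token_lifetime = 2 * 60;
        $refresh_token_lifetime = 24 * 60 * 60;
        // %Y is the calendar year. The previous %G is the ISO-8601 week-based
        // year, which differs around New Year (e.g. 30 Dec 2024 -> "2025"),
        // so tokens issued in that window got timestamps a year off.
        $ts_format = '%Y-%m-%d %T';
        $issue_at = strftime($ts_format);
        $expiration_at = strftime($ts_format, time() + $access_token_lifetime);

        $response_params = array();
        $code = null;
        $token = null;
        $refresh_token_name = null;

        if (!$authorize) {
            throw new OidcException('access_denied', 'User denied access');
        }

        $rpfA['session_id'] = session_id();
        $rpfA['auth_time'] = $_SESSION['auth_time'];
        $confirmed_attribute_list = get_all_requested_claims($rpfA, $GET['scope']);

        if ($is_code_flow) {
            $code_info = create_token_info($username, $confirmed_attribute_list, $GET, $rpfA);
            $code = $code_info['name'];
            unset($code_info['name']);
            $fields = array(
                'client' => $GET['client_id'],
                'issued_at' => $issue_at,
                'expiration_at' => $expiration_at,
                'token' => $code,
                'details' => '',
                'token_type' => TOKEN_TYPE_AUTH_CODE,
                'info' => json_encode($code_info),
            );
            db_save_user_token($username, $code, $fields);
        }

        if ($is_token_flow) {
            $code_info = create_token_info($username, $confirmed_attribute_list, $GET, $rpfA);
            $token = $code_info['name'];
            unset($code_info['name']);
            $fields = array(
                'client' => $GET['client_id'],
                'issued_at' => $issue_at,
                'expiration_at' => $expiration_at,
                'token' => $token,
                'details' => '',
                'token_type' => TOKEN_TYPE_ACCESS,
                'info' => json_encode($code_info),
            );
            db_save_user_token($username, $token, $fields);
        }

        if ($offline_access) {
            // 256 bits from the OS CSPRNG; loop only guards against a stored collision.
            do {
                $refresh_token_name = base64url_encode(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
            } while (db_find_token($refresh_token_name));
            $fields = array(
                'client' => $GET['client_id'],
                'issued_at' => $issue_at,
                'expiration_at' => strftime($ts_format, time() + $refresh_token_lifetime),
                'token' => $refresh_token_name,
                'details' => '',
                'token_type' => TOKEN_TYPE_REFRESH,
                'info' => json_encode($code_info),
            );
            db_save_user_token($username, $refresh_token_name, $fields);
        }

        // Echo state back untouched so the client can bind the response to its request.
        if (isset($GET['state'])) {
            $response_params['state'] = $GET['state'];
        }
        if (($is_token_flow || $is_id_token) && isset($token)) {
            $response_params['access_token'] = $token;
            $response_params['token_type'] = 'Bearer';
            if ($offline_access) {
                $response_params['refresh_token'] = $refresh_token_name;
            }
            $response_params['expires_in'] = (string) $access_token_lifetime;
        }

        if ($is_id_token) {
            $nonce = isset($GET['nonce']) ? $GET['nonce'] : null;
            $c_hash = null;
            $at_hash = null;
            $ops = null;
            $auth_time = null;
            $acr = null;
            $idt_claims = array();
            $sig = null;
            $alg = null;
            $enc = null;
            $client_secret = null;
            $jwk_uri = null;
            $jwks = null;

            // NOTE(review): with no registered client $sig stays null and the
            // token is still handed to sign_encrypt(); confirm that helper refuses
            // to emit an unsigned ID token rather than falling through.
            $db_client = db_get_client($client_id);
            if ($db_client) {
                $sig = $db_client['id_token_signed_response_alg'];
                if (!isset($sig)) {
                    $sig = 'RS256';
                }
                $alg = $db_client['id_token_encrypted_response_alg'];
                $enc = $db_client['id_token_encrypted_response_enc'];
                $client_secret = $db_client['client_secret'];
                $jwk_uri = $db_client['jwks_uri'];
                $jwks = $db_client['jwks'];
            }

            // Requested id_token claims: auth_time and acr are honoured here;
            // the remaining ones are resolved through get_id_token_claims() below.
            if (isset($rpfA['claims']['id_token'])) {
                $idt_request = $rpfA['claims']['id_token'];
                if (array_key_exists('auth_time', $idt_request)) {
                    $auth_time = (int) $_SESSION['auth_time'];
                }
                if (array_key_exists('acr', $idt_request)) {
                    if (array_key_exists('values', $idt_request['acr'])) {
                        if (is_array($idt_request['acr']['values']) && count($idt_request['acr']['values'])) {
                            $acr = $idt_request['acr']['values'][0];
                        }
                    } else {
                        $acr = '0';
                    }
                }
            }

            // c_hash / at_hash: left-most half of the hash whose size matches the
            // signing algorithm (xx256 -> sha256, xx384 -> sha384, xx512 -> sha512).
            // alg "none" has no hash size, so no hashes are produced for it.
            if ($sig && $sig !== 'none') {
                $bit_length = substr($sig, 2);
                switch ($bit_length) {
                    case '384':
                        $hash_alg = 'sha384';
                        break;
                    case '512':
                        $hash_alg = 'sha512';
                        break;
                    case '256':
                    default:
                        $hash_alg = 'sha256';
                        break;
                }
                $hash_length = (int) ((int) $bit_length / 2) / 8;
                if ($code) {
                    $c_hash = base64url_encode(substr(hash($hash_alg, $code, true), 0, $hash_length));
                }
                if ($token) {
                    $at_hash = base64url_encode(substr(hash($hash_alg, $token, true), 0, $hash_length));
                }
            }

            $requested_id_token_claims = get_id_token_claims($rpfA);
            if ($requested_id_token_claims) {
                $db_user = db_get_user($username);
                if ($db_user) {
                    $idt_claims = get_account_claims($db_user, $requested_id_token_claims);
                } else {
                    throw new OidcException('access_denied', 'no such user');
                }
            }

            $id_token_obj = make_id_token(wrap_userid($db_client, $username), SERVER_ID, $client_id, $idt_claims, $nonce, $c_hash, $at_hash, $auth_time, $ops, $acr);
            // NOTE(review): this dumps every ID token claim (user identity data) into
            // the debug log; make sure log_debug is off, or redacted, in production.
            log_debug('sen_response id_token_obj = %s', print_r($id_token_obj, true));
            $cryptoError = null;
            $id_token = sign_encrypt($id_token_obj, $sig, $alg, $enc, $jwk_uri, $jwks, $client_secret, $cryptoError);
            if (!$id_token) {
                log_error("Unable to sign encrypt response for ID Token %s", $cryptoError);
                throw new OidcException('invalid_request', "idtoken crypto error {$cryptoError}");
            }
            $response_params['id_token'] = $id_token;
        }

        // session_state = sha256(client_id + RP origin + OP browser state + salt) "." salt
        $url_parts = parse_url($rpep);
        $origin = sprintf("%s://%s%s", $url_parts['scheme'], $url_parts['host'], isset($url_parts['port']) ? ':' . $url_parts['port'] : '');
        $salt = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
        log_debug("ss = sha256(%s%s%s%s).%s", $client_id, $origin, $_SESSION['ops'], $salt, $salt);
        $session_state = hash('sha256', "{$client_id}{$origin}{$_SESSION['ops']}{$salt}") . '.' . $salt;
        $response_params['session_state'] = $session_state;

        if ($is_code_flow) {
            $response_params['code'] = $code;
        }

        // Persistent login keeps only the identity-related keys across clean_session();
        // otherwise the whole session is dropped now that the request is answered.
        if ($_SESSION['persist'] == 'on') {
            $username = $_SESSION['username'];
            $auth_time = $_SESSION['auth_time'];
            $ops = $_SESSION['ops'];
            $login = $_SESSION['login'];
            clean_session();
            $_SESSION['lastlogin'] = time();
            $_SESSION['username'] = $username;
            $_SESSION['auth_time'] = $auth_time;
            $_SESSION['ops'] = $ops;
            $_SESSION['login'] = $login;
            $_SESSION['persist'] = 'on';
        } else {
            session_destroy();
        }

        send_auth_response($rpep, $response_params, $response_mode);
    } catch (OidcException $e) {
        log_error("handle_auth exception : %s", $e->getTraceAsString());
        send_error($error_page, $e->error_code, $e->desc, null, $state, $response_mode);
    } catch (Exception $e) {
        log_error("handle_auth exception : %s", $e->getTraceAsString());
        send_error($error_page, 'invalid_request', $e->getMessage(), null, $state, $response_mode);
    }
}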
/**
 * Authenticate a reviewer against the user table, by local password or by LDAP.
 *
 * A LOCAL user must have a non-empty stored password equal to $password;
 * an LDAP user is checked through auth_ldap_user(). Any other outcome is null.
 *
 * NOTE(review): for LOCAL accounts the stored value is compared directly with
 * the submitted password, which only works if the column holds it in clear.
 * If that is the case, migrate to password_hash()/password_verify(); the
 * string comparison is also not constant-time.
 *
 * @param mixed  $dbh      database handle passed through to db_get_user
 * @param string $username
 * @param string $password submitted credential
 * @return array|null the user record on success, null otherwise
 */
function authenticate_reviewer($dbh, $username, $password) {
    $record = db_get_user($dbh, $username);
    if (!$record) {
        return null;
    }

    $scope = $record['scope'];
    if ($scope === 'LOCAL') {
        $stored = $record['password'];
        return (!empty($stored) && $stored === $password) ? $record : null;
    }

    if ($scope === 'LDAP' && auth_ldap_user($username, $password)) {
        return $record;
    }

    return null;
}
/**
 * Account lookup by username; a thin alias over db_get_user().
 *
 * @param string $username
 * @return mixed whatever db_get_user() returns for that name
 */
function db_get_account($username) {
    $account = db_get_user($username);
    return $account;
}
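/**
 * Answer a WebFinger discovery request for this OpenID Provider.
 *
 * Reads `resource` and `rel` from the request. `rel`, when given, must be the
 * OIDC issuer relation. `resource` is either an acct:/email form, whose domain
 * is checked against OP_SERVER_NAME, or a URL whose host:port is turned into an
 * issuer and whose path (if any) becomes the principal. The principal must be a
 * known host/issuer or an existing user; otherwise the request is answered 400.
 *
 * Every failure path logs, sends 400 and exits; success delegates to
 * send_webfinger_discovery().
 *
 * NOTE(review): unknown users get 400 while known ones get a document, so the
 * endpoint discloses which usernames exist. That is inherent to WebFinger but
 * worth keeping in mind for rate limiting.
 *
 * @return void
 */
function handle_webfinger_discovery() {
    $principal = isset($_REQUEST['resource']) ? $_REQUEST['resource'] : null;
    $service = isset($_REQUEST['rel']) ? $_REQUEST['rel'] : null;

    if (!$principal && !$service) {
        log_error('Discovery : no principal or service');
        header('HTTP/1.0 400 Bad Request');
        exit;
    }
    if ($service && $service !== 'http://openid.net/specs/connect/1.0/issuer') {
        log_error('Discovery : invalid service');
        header('HTTP/1.0 400 Bad Request');
        exit;
    }

    // Identifiers this OP answers for: itself in several spellings plus configured providers.
    $hosts = array(OP_SERVER_NAME, OP_PROTOCOL . OP_SERVER_NAME, OP_PROTOCOL . OP_SERVER_NAME . OP_PORT);
    $providers = db_get_providers();
    if ($providers) {
        foreach ($providers as $provider) {
            $hosts[] = $provider['issuer'];
        }
    }

    if ($principal && substr($principal, 0, 5) === 'acct:') {
        $principal = substr($principal, 5);
    }

    $at = strpos($principal, '@');
    if ($at !== false) {
        if ($at === 0) {
            // A leading '@' is an XRI-style identifier, which is not supported.
            header('HTTP/1.0 400 Bad Request');
            log_error('Discovery : principal is a XRI');
            exit;
        }
        // user@domain[:port]: the local part becomes the principal, the domain is checked.
        list($principal, $domain) = explode('@', $principal);
        $port_pos = strpos($domain, ':');
        if ($port_pos !== false) {
            $domain = substr($domain, 0, $port_pos);
        }
        // Labels are compared from the right for as many labels as the shorter
        // name has. NOTE(review): that makes this a suffix match in both
        // directions — alice@example.com is accepted by an OP at
        // op.example.com, and so is any subdomain of the OP. Confirm that is intended.
        $domain_parts = explode('.', $domain);
        $server_parts = explode('.', OP_SERVER_NAME);
        $i = count($domain_parts) - 1;
        $j = count($server_parts) - 1;
        for (; $i >= 0 && $j >= 0; $i--, $j--) {
            if (strcasecmp($domain_parts[$i], $server_parts[$j]) != 0) {
                header('HTTP/1.0 400 Bad Request');
                log_error('Discovery : email domains do not match');
                exit;
            }
        }
    } else {
        // URL form: drop any fragment, derive the issuer from host[:port],
        // and take the path (without its leading slash) as the principal.
        $pos = strpos($principal, '#');
        if ($pos !== false) {
            $principal = substr($principal, 0, $pos);
        }
        $parts = parse_url($principal);
        if (!$parts) {
            log_error('Discovery : unparseable URL');
            header('HTTP/1.0 400 Bad Request');
            exit;
        }
        $host = isset($parts['host']) ? $parts['host'] : '';
        $port = isset($parts['port']) ? ':' . $parts['port'] : '';
        $issuer = OP_PROTOCOL . "{$host}{$port}";
        if (isset($parts['path']) && $parts['path'] !== '/') {
            // ltrim rather than substr(…, 1): a scheme-less resource such as
            // "alice" parses as a bare path and must not lose its first character.
            $principal = ltrim($parts['path'], '/');
            log_debug("principal = %s", $principal);
        } else {
            $principal = $issuer;
        }
    }

    if (!in_array($principal, $hosts, true) && !db_get_user($principal)) {
        log_error("Discovery : no such user or host\nprincipal = %s hosts = %s", $principal, print_r($hosts, true));
        header('HTTP/1.0 400 Bad Request');
        exit;
    }

    send_webfinger_discovery($_REQUEST['resource']);
}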
/**
 * Continue after a Bronto login attempt: persist the user/session and show the next form.
 *
 * $login_info carries the outcome of the login call made by the caller:
 *   - array  -> success; holds 'binding', 'sessionID', 'accountID', 'isAgency'
 *               and, for agencies, 'accounts'
 *   - false  -> rejected credentials
 *   - null   -> the Bronto API could not be reached
 *
 * NOTE(review): the submitted $password is written through db_save_user() and
 * handed back into print_agency_login_form()/print_request_login_form(). If
 * those store or render it in clear, that is a credential exposure — confirm
 * what the helpers do with it. (The two display_warnbox() messages below carry
 * redacted text in this listing and are kept as found.)
 *
 * @param array|false|null $login_info  login outcome, see above
 * @param string           $username
 * @param string           $password
 * @param string           $sitename
 * @return void  emits HTML through the print_*/display_* helpers
 */
function process_login($login_info, $username, $password, $sitename) { if (is_array($login_info)) { // if an array is returned, then login was successful
$bapi = $login_info['binding']; $sessionID = $login_info['sessionID']; $accountID = $login_info['accountID']; $isAgency = $login_info['isAgency'];
// Agency logins first pick one of their accounts before anything is saved.
if ($isAgency == true) { print_agency_login_form($username, $password, $sitename, "", $sessionID, $login_info['accounts']); } else { $dbh = open_db(); if ($dbh) {
// Save failures are reported as warnings but do not stop the flow.
$rc = db_save_user($dbh, $username, $password, 'BRONTO', 'REQUESTER', $sitename); if ($rc == false) { display_warnbox("Unable to save user information (user="******",sitename=" . $sitename . ")"); } $rc = db_save_session($dbh, $sessionID, $username, $accountID); if ($rc == false) { display_warnbox("Unable to save session information (id=" . $sessionID . ",user="******")"); } if (db_update_user_last_login($dbh, $username) == false) { echo "Unable to record login date/time."; }
// Confirm that user information is available.
// Missing profile fields send the user to the profile form before message selection.
$userinfo = db_get_user($dbh, $username); if (empty($userinfo['firstname']) || empty($userinfo['lastname']) || empty($userinfo['email'])) { print_user_info_form($sessionID, $userinfo); } else { if (print_message_select_form($bapi, $sessionID) == false) { display_errorbox("Unable to connect to Bronto API."); print_request_login_form($username, $password, $sitename); } } } else { display_errorbox("Unable to connect to database."); print_request_login_form($username, $password, $sitename); } } } else { if ($login_info === false) { // if "false" was returned, then login was unsuccessful (incorrect username, password, or sitename)
display_errorbox("Invalid username, password, or sitename."); } else { // otherwise, "null" is returned, meaning no connectivity to Bronto API
display_errorbox("Unable to connect to the Bronto API server."); } print_request_login_form($username, $password, $sitename); } }
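/**
 * Authenticate a LOCAL-scope user by comparing the stored password.
 *
 * Returns the user record when the user exists, has scope 'LOCAL', has a
 * non-empty stored password and that value equals $password; null otherwise.
 *
 * Fix: the original combined the last two checks with a bitwise `&`. It only
 * worked because `===` binds tighter and the bitwise AND of two booleans is
 * truthy exactly when both are; the intended operator is `&&`.
 *
 * NOTE(review): the stored value is compared directly with the submitted
 * password, which only works if the column holds it in clear. If so, migrate to
 * password_hash()/password_verify(); the comparison is also not constant-time.
 *
 * @param mixed  $dbh      database handle passed through to db_get_user
 * @param string $username
 * @param string $password submitted credential
 * @return array|null
 */
function db_auth_local_user($dbh, $username, $password) {
    $uinfo = db_get_user($dbh, $username);
    if (!$uinfo || $uinfo['scope'] !== 'LOCAL' || empty($uinfo['password'])) {
        return null;
    }
    if ($uinfo['password'] === $password) {
        return $uinfo;
    }
    return null;
}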