public function handleRequest(HttpRequest $request)
{
$response = new HttpResponse(200, "application/json");
try {
if ("POST" !== $request->getRequestMethod()) {
// method not allowed
$response->setStatusCode(405);
$response->setHeader("Allow", "POST");
} else {
$response->setHeader('Content-Type', 'application/json');
$response->setHeader('Cache-Control', 'no-store');
$response->setHeader('Pragma', 'no-cache');
$response->setContent(Json::enc($this->_handleToken($request->getPostParameters(), $request->getBasicAuthUser(), $request->getBasicAuthPass())));
}
} catch (TokenException $e) {
if ($e->getResponseCode() === 401) {
$response->setHeader("WWW-Authenticate", 'Basic realm="OAuth Server"');
}
$response->setStatusCode($e->getResponseCode());
$response->setHeader('Cache-Control', 'no-store');
$response->setHeader('Pragma', 'no-cache');
$response->setContent(Json::enc(array("error" => $e->getMessage(), "error_description" => $e->getDescription())));
if (NULL !== $this->_logger) {
$this->_logger->logFatal($e->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
}
}
return $response;
}
public function handleRequest(HttpRequest $request)
{
$response = NULL;
try {
$requestMethod = $request->getRequestMethod();
if ("GET" !== $requestMethod && "POST" !== $requestMethod) {
throw new TokenIntrospectionException("method_not_allowed", "invalid request method");
}
$parameters = "GET" === $requestMethod ? $request->getQueryParameters() : $request->getPostParameters();
$response = new HttpResponse(200, "application/json");
$response->setHeader('Cache-Control', 'no-store');
$response->setHeader('Pragma', 'no-cache');
$response->setContent(Json::enc($this->_introspectToken($parameters)));
} catch (TokenIntrospectionException $e) {
$response = new HttpResponse($e->getResponseCode(), "application/json");
$response->setContent(Json::enc(array("error" => $e->getMessage(), "error_description" => $e->getDescription())));
if ("method_not_allowed" === $e->getMessage()) {
$response->setHeader("Allow", "GET,POST");
}
if (NULL !== $this->_logger) {
$this->_logger->logFatal($e->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
}
}
return $response;
}
public function testAddAuthorizationsUnsupportedScope()
{
$h = new HttpRequest("http://www.example.org/api.php");
$h->setRequestMethod("POST");
$h->setPathInfo("/authorizations/");
$h->setHeader("Authorization", "Bearer 12345abc");
$h->setContent(Json::enc(array("client_id" => "testcodeclient", "scope" => "UNSUPPORTED SCOPE")));
$response = $this->_api->handleRequest($h);
$this->assertEquals(400, $response->getStatusCode());
$this->assertEquals('{"error":"invalid_request","error_description":"invalid scope for this client"}', $response->getContent());
}
$request->matchRest("POST", "/hello/:str", function ($str) use(&$response) {
if ("foo" === $str) {
// it would make more sense to create something like an ApiException
// class that would return the code 400 "Bad Request" instead of
// internal server error as this is a 'mistake' by the client...
throw new Exception("you cannot say 'foo'!'");
}
$response = new HttpResponse(200, "application/json");
$response->setContent(Json::enc(array("type" => "POST", "response" => "hello " . $str)));
});
$request->matchRestDefault(function ($methodMatch, $patternMatch) use($request, &$response) {
// methodMatch contains all the used request methods 'registrered'
// through the matchRest method calls above, in this case GET and POST
//
// patternMatch indicates (boolean) whether or not the request URL
// matches any of the patterns 'registered' through the matchRest
// methods above...
if (!in_array($request->getRequestMethod(), $methodMatch)) {
$response = new HttpResponse(405, "application/json");
$response->setHeader("Allow", implode(",", $methodMatch));
$response->setContent(Json::enc(array("error" => "method_not_allowed", "error_description" => "request method not allowed")));
} elseif (!$patternMatch) {
$response = new HttpResponse(404, "application/json");
$response->setContent(Json::enc(array("error" => "not_found", "error_description" => "resource not found")));
}
});
} catch (Exception $e) {
$response = new HttpResponse(500, "application/json");
$response->setContent(Json::enc(array("error" => "internal_server_error", "error_description" => $e->getMessage())));
}
$response->sendResponse();
public function handleRequest(HttpRequest $request)
{
$response = new HttpResponse(200, "application/json");
try {
if (!$this->_config->getSectionValue("Api", "enableApi")) {
throw new ApiException("forbidden", "api disabled");
}
$this->_rs->verifyAuthorizationHeader($request->getHeader("Authorization"));
$storage = $this->_storage;
// FIXME: can this be avoided??
$rs = $this->_rs;
// FIXME: can this be avoided??
$request->matchRest("POST", "/authorizations/", function () use($request, $response, $storage, $rs) {
$rs->requireScope("authorizations");
$data = Json::dec($request->getContent());
if (NULL === $data || !is_array($data) || !array_key_exists("client_id", $data) || !array_key_exists("scope", $data)) {
throw new ApiException("invalid_request", "missing required parameters");
}
// client needs to exist
$clientId = $data['client_id'];
$client = $storage->getClient($clientId);
if (FALSE === $client) {
throw new ApiException("invalid_request", "client is not registered");
}
// scope should be part of "allowed_scope" of client registration
$clientAllowedScope = new Scope($client['allowed_scope']);
$requestedScope = new Scope($data['scope']);
if (!$requestedScope->isSubSetOf($clientAllowedScope)) {
throw new ApiException("invalid_request", "invalid scope for this client");
}
$refreshToken = array_key_exists("refresh_token", $data) && $data['refresh_token'] ? Utils::randomHex(16) : NULL;
// check to see if an authorization for this client/resource_owner already exists
if (FALSE === $storage->getApprovalByResourceOwnerId($clientId, $rs->getResourceOwnerId())) {
if (FALSE === $storage->addApproval($clientId, $rs->getResourceOwnerId(), $data['scope'], $refreshToken)) {
throw new ApiException("invalid_request", "unable to add authorization");
}
} else {
throw new ApiException("invalid_request", "authorization already exists for this client and resource owner");
}
$response->setStatusCode(201);
$response->setContent(Json::enc(array("ok" => true)));
});
$request->matchRest("GET", "/authorizations/:id", function ($id) use($request, $response, $storage, $rs) {
$rs->requireScope("authorizations");
$data = $storage->getApprovalByResourceOwnerId($id, $rs->getResourceOwnerId());
if (FALSE === $data) {
throw new ApiException("not_found", "the resource you are trying to retrieve does not exist");
}
$response->setContent(Json::enc($data));
});
$request->matchRest("GET", "/authorizations/:id", function ($id) use($request, $response, $storage, $rs) {
$rs->requireScope("authorizations");
$data = $storage->getApprovalByResourceOwnerId($id, $rs->getResourceOwnerId());
if (FALSE === $data) {
throw new ApiException("not_found", "the resource you are trying to retrieve does not exist");
}
$response->setContent(Json::enc($data));
});
$request->matchRest("DELETE", "/authorizations/:id", function ($id) use($request, $response, $storage, $rs) {
$rs->requireScope("authorizations");
if (FALSE === $storage->deleteApproval($id, $rs->getResourceOwnerId())) {
throw new ApiException("not_found", "the resource you are trying to delete does not exist");
}
$response->setContent(Json::enc(array("ok" => true)));
});
$request->matchRest("GET", "/authorizations/", function () use($request, $response, $storage, $rs) {
$rs->requireScope("authorizations");
$data = $storage->getApprovals($rs->getResourceOwnerId());
$response->setContent(Json::enc($data));
});
$request->matchRest("GET", "/applications/", function () use($request, $response, $storage, $rs) {
$rs->requireScope("applications");
// $rs->requireEntitlement("urn:x-oauth:entitlement:applications"); // do not require entitlement to list clients...
$data = $storage->getClients();
$response->setContent(Json::enc($data));
});
$request->matchRest("DELETE", "/applications/:id", function ($id) use($request, $response, $storage, $rs) {
$rs->requireScope("applications");
$rs->requireEntitlement("urn:x-oauth:entitlement:applications");
if (FALSE === $storage->deleteClient($id)) {
throw new ApiException("not_found", "the resource you are trying to delete does not exist");
}
$response->setContent(Json::enc(array("ok" => true)));
});
$request->matchRest("GET", "/applications/:id", function ($id) use($request, $response, $storage, $rs) {
$rs->requireScope("applications");
$rs->requireEntitlement("urn:x-oauth:entitlement:applications");
// FIXME: for now require entitlement as long as password hashing is not
// implemented...
$data = $storage->getClient($id);
if (FALSE === $data) {
throw new ApiException("not_found", "the resource you are trying to retrieve does not exist");
}
$response->setContent(Json::enc($data));
});
$request->matchRest("POST", "/applications/", function () use($request, $response, $storage, $rs) {
$rs->requireScope("applications");
$rs->requireEntitlement("urn:x-oauth:entitlement:applications");
try {
$client = ClientRegistration::fromArray(Json::dec($request->getContent()));
$data = $client->getClientAsArray();
// check to see if an application with this id already exists
if (FALSE === $storage->getClient($data['id'])) {
if (FALSE === $storage->addClient($data)) {
throw new ApiException("invalid_request", "unable to add application");
}
} else {
throw new ApiException("invalid_request", "application already exists");
}
$response->setStatusCode(201);
$response->setContent(Json::enc(array("ok" => true)));
} catch (ClientRegistrationException $e) {
throw new ApiException("invalid_request", $e->getMessage());
}
});
$request->matchRest("GET", "/stats/", function () use($request, $response, $storage, $rs) {
$rs->requireScope("applications");
$rs->requireEntitlement("urn:x-oauth:entitlement:applications");
$data = $storage->getStats();
$response->setContent(Json::enc($data));
});
$request->matchRest("PUT", "/applications/:id", function ($id) use($request, $response, $storage, $rs) {
$rs->requireScope("applications");
$rs->requireEntitlement("urn:x-oauth:entitlement:applications");
try {
$client = ClientRegistration::fromArray(Json::dec($request->getContent()));
$data = $client->getClientAsArray();
if ($data['id'] !== $id) {
throw new ApiException("invalid_request", "resource does not match client id value");
}
if (FALSE === $storage->updateClient($id, $data)) {
throw new ApiException("invalid_request", "unable to update application");
}
} catch (ClientRegistrationException $e) {
throw new ApiException("invalid_request", $e->getMessage());
}
$response->setContent(Json::enc(array("ok" => true)));
});
$request->matchRestDefault(function ($methodMatch, $patternMatch) use($request, $response) {
if (in_array($request->getRequestMethod(), $methodMatch)) {
if (!$patternMatch) {
throw new ApiException("not_found", "resource not found");
}
} else {
$response->setStatusCode(405);
$response->setHeader("Allow", implode(",", $methodMatch));
}
});
} catch (ResourceServerException $e) {
$response->setStatusCode($e->getResponseCode());
if ("no_token" === $e->getMessage()) {
// no authorization header is a special case, the client did not know
// authentication was required, so tell it now without giving error message
$hdr = 'Bearer realm="Resource Server"';
} else {
$hdr = sprintf('Bearer realm="Resource Server",error="%s",error_description="%s"', $e->getMessage(), $e->getDescription());
}
$response->setHeader("WWW-Authenticate", $hdr);
$response->setContent(Json::enc(array("error" => $e->getMessage(), "error_description" => $e->getDescription())));
if (NULL !== $this->_logger) {
$this->_logger->logFatal($e->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
}
} catch (ApiException $e) {
$response->setStatusCode($e->getResponseCode());
$response->setContent(Json::enc(array("error" => $e->getMessage(), "error_description" => $e->getDescription())));
if (NULL !== $this->_logger) {
$this->_logger->logFatal($e->getLogMessage(TRUE) . PHP_EOL . $request . PHP_EOL . $response);
}
}
return $response;
}
use RestService\Utils\Config;
use RestService\Http\IncomingHttpRequest;
use RestService\Http\HttpRequest;
use OAuth\Token;
use RestService\Utils\Logger;
use RestService\Utils\Json;
$logger = NULL;
$request = NULL;
$response = NULL;
try {
$config = new Config(dirname(__DIR__) . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "oauth.ini");
$logger = new Logger($config->getSectionValue('Log', 'logLevel'), $config->getValue('serviceName'), $config->getSectionValue('Log', 'logFile'), $config->getSectionValue('Log', 'logMail', FALSE));
$t = new Token($config, $logger);
$request = HttpRequest::fromIncomingHttpRequest(new IncomingHttpRequest());
$response = $t->handleRequest($request);
} catch (Exception $e) {
$response = new HttpResponse(500, "application/json");
$response->setContent(Json::enc(array("error" => $e->getMessage())));
if (NULL !== $logger) {
$logger->logFatal($e->getMessage() . PHP_EOL . $request . PHP_EOL . $response);
}
}
if (NULL !== $logger) {
$logger->logDebug($request);
}
if (NULL !== $logger) {
$logger->logDebug($response);
}
if (NULL !== $response) {
$response->sendResponse();
}
/**
* @expectedException \RestService\Utils\JsonException
* @expectedExceptionMessage Malformed UTF-8 characters, possibly incorrectly encoded
*/
public function testBrokenEncode()
{
$e = Json::enc(array(iconv("UTF-8", "ISO-8859-1", "îïêëì")));
}
public function updateResourceOwner(IResourceOwner $resourceOwner)
{
$result = $this->getResourceOwner($resourceOwner->getId());
if (FALSE === $result) {
$stmt = $this->_pdo->prepare("INSERT INTO resource_owner (id, entitlement, ext) VALUES(:id, :entitlement, :ext)");
$stmt->bindValue(":id", $resourceOwner->getId(), PDO::PARAM_STR);
$stmt->bindValue(":entitlement", Json::enc($resourceOwner->getEntitlement()), PDO::PARAM_STR);
$stmt->bindValue(":ext", Json::enc($resourceOwner->getExt()), PDO::PARAM_STR);
$stmt->execute();
return 1 === $stmt->rowCount();
} else {
$stmt = $this->_pdo->prepare("UPDATE resource_owner SET entitlement = :entitlement, ext = :ext WHERE id = :id");
$stmt->bindValue(":id", $resourceOwner->getId(), PDO::PARAM_STR);
$stmt->bindValue(":entitlement", Json::enc($resourceOwner->getEntitlement()), PDO::PARAM_STR);
$stmt->bindValue(":ext", Json::enc($resourceOwner->getExt()), PDO::PARAM_STR);
$stmt->execute();
return 1 === $stmt->rowCount();
}
}
