/**
* Ensure the current connection with the user agent is secure with HTTPS.
*
* This function uses {@link isHttps()} to determine whether the connection
* is via HTTPS. If it is, this function will return successfully.
*
* If it is not, what happens next is determined by the following steps.
*
* 1. If $allow_override is true and allow_plaintext is also true,
* then the function will return successfully
* 2. Otherwise, then it will either redirect (if $action is
* redirect) or return an error (if $action is error)
*
* @param string $action what to do if connection is not secure - either
* 'redirect' or 'error'
* @param boolean $allow_override whether allow_plaintext is checked
* to see if an unencrypted connection is allowed
* @param string $redirect_url if $action is redirect, what URL to redirect to.
* If null, this will redirect to the same page (albeit with an HTTPS connection)
* @param boolean $strict whether HTTP Strict Transport Security is active
*/
protected function checkHttps($action = 'redirect', $allow_override = false, $redirect_url = null, $strict = true)
{
if ($this->isHttps()) {
if ($strict) {
header('Strict-Transport-Security: max-age=3600');
}
return;
}
$config = $this->f3->get('config');
if ($allow_override && $config['allow_plaintext']) {
return;
}
if ($action == 'error') {
$this->f3->status(426);
header('Upgrade: TLS/1.2, HTTP/1.1');
header('Connection: Upgrade');
$this->fatalError($this->t('An encrypted connection (HTTPS) is required for this page.'));
exit;
return;
}
if ($redirect_url == null) {
$redirect_url = $this->getCanonicalURL($this->f3->get('PATH'), $this->f3->get('SERVER.QUERY_STRING'), 'https');
}
$this->f3->status(301);
header('Location: ' . $redirect_url);
exit;
}
/**
* redirect user to CCP SSO page and request authorization
* -> cf. Controller->getCookieCharacters() ( equivalent cookie based login)
* @param \Base $f3
*/
public function requestAuthorization($f3)
{
if (!empty($ssoCcpClientId = Controller\Controller::getEnvironmentData('SSO_CCP_CLIENT_ID'))) {
$params = $f3->get('GET');
if (isset($params['characterId']) && ($activeCharacter = $this->getCharacter(0))) {
// authentication restricted to a characterId -----------------------------------------------
// restrict login to this characterId e.g. for character switch on map page
$characterId = (int) trim($params['characterId']);
/**
* @var Model\CharacterModel $character
*/
$character = Model\BasicModel::getNew('CharacterModel');
$character->getById($characterId, 0);
// check if character is valid and exists
if (!$character->dry() && $character->hasUserCharacter() && $activeCharacter->getUser()->_id === $character->getUser()->_id) {
// requested character belongs to current user
// -> update character vom CREST (e.g. corp changed,..)
$updateStatus = $character->updateFromCrest();
if (empty($updateStatus)) {
// make sure character data is up2date!
// -> this is not the case if e.g. userCharacters was removed "ownerHash" changed...
$character->getById($character->_id);
if ($character->hasUserCharacter() && $character->isAuthorized()) {
$loginCheck = $this->loginByCharacter($character);
if ($loginCheck) {
// set "login" cookie
$this->setLoginCookie($character);
// route to "map"
$f3->reroute('@map');
}
}
}
}
// redirect to map map page on successful login
$f3->set(self::SESSION_KEY_SSO_FROM_MAP, true);
}
// redirect to CCP SSO ----------------------------------------------------------------------
// used for "state" check between request and callback
$state = bin2hex(mcrypt_create_iv(12, MCRYPT_DEV_URANDOM));
$f3->set(self::SESSION_KEY_SSO_STATE, $state);
$urlParams = ['response_type' => 'code', 'redirect_uri' => Controller\Controller::getEnvironmentData('URL') . $f3->build('/sso/callbackAuthorization'), 'client_id' => Controller\Controller::getEnvironmentData('SSO_CCP_CLIENT_ID'), 'scope' => implode(' ', $this->requestScopes), 'state' => $state];
$ssoAuthUrl = self::getAuthorizationEndpoint() . '?' . http_build_query($urlParams, '', '&', PHP_QUERY_RFC3986);
$f3->status(302);
$f3->reroute($ssoAuthUrl);
} else {
// SSO clientId missing
$f3->set(self::SESSION_KEY_SSO_ERROR, self::ERROR_CCP_CLIENT_ID);
self::getCrestLogger()->write(self::ERROR_CCP_CLIENT_ID);
$f3->reroute('@login');
}
}
