/**
* The 3 legged oauth class needs a way to store the access key and token
* it uses the apiCache class to do so.
*
* Constructing this class will initiate the 3 legged oauth work flow, including redirecting
* to the OAuth provider's site if required(!)
*
* @param string $consumerKey
* @param string $consumerSecret
* @param apiCache $cache cache class to use (file,apc,memcache)
* @return apiOAuth3Legged the logged-in provider instance
*/
public function authenticate(apiCache $cache, apiIO $io, $service)
{
global $apiConfig;
$this->service = $service;
$this->io = $io;
$this->cache = $cache;
$this->service['authorization_token_url'] .= '?scope=' . OAuthUtil::urlencodeRFC3986($service['scope']) . '&domain=' . OAuthUtil::urlencodeRFC3986($apiConfig['site_name']) . '&oauth_token=';
if (isset($_GET['oauth_verifier']) && isset($_GET['oauth_token']) && isset($_GET['uid'])) {
$uid = $_GET['uid'];
$secret = $this->cache->get($this->cacheKey . ":nonce:" . $uid);
$this->cache->delete($this->cacheKey . ":nonce:" . $uid);
$token = $this->upgradeRequestToken($_GET['oauth_token'], $secret, $_GET['oauth_verifier']);
return json_encode($token, true);
} else {
// Initialize the OAuth dance, first request a request token, then kick the client to the authorize URL
// First we store the current URL in our cache, so that when the oauth dance is completed we can return there
$callbackUrl = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
$uid = uniqid();
$token = $this->obtainRequestToken($callbackUrl, $uid);
$this->cache->set($this->cacheKey . ":nonce:" . $uid, $token->secret);
$this->redirectToAuthorization($token);
}
}
/**
* builds the Authorization: header
*/
public function to_header()
{
/*{{{*/
$out = '"Authorization: OAuth realm="",';
$total = array();
foreach ($this->parameters as $k => $v) {
if (substr($k, 0, 5) != "oauth") {
continue;
}
$total[] = OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"';
}
$out = implode(",", $total);
return $out;
}
/**
* creates an url encoded param array from an associative array
* -use for OAuth query parameters
* -use for OAuth application/x-www-form-urlencoded body contents that are signed
*
* @param array $params
* @return string an url encoded key value string
*/
public static function encodeUrlEncodedArray($params){
$paramsArr = array();
$paramsStr = '';
if(!is_array($params)){
return $paramStr;
}
foreach($params as $key => $value){
//push new key value pair to array
$paramsArr[] = OAuthUtil::urlencodeRFC3986($key) . '=' . OAuthUtil::urlencodeRFC3986($value);
}
$paramsStr = implode("&", $paramsArr);
return $paramsStr;
}
/**
* builds the Authorization: header
*/
function to_header()
{
/*{{{*/
$headerParams = array();
foreach ($this->parameters as $k => $v) {
if (substr($k, 0, 5) != "oauth") {
continue;
}
$headerParams[] = OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"';
}
return sprintf("Authorization: OAuth %s", implode(",", $headerParams));
}
/**
* Parse the parameters from an OAuth Authorization or WWW-Authenticate
* header. The realm is included as a parameter. If the given header doesn't
* start with "OAuth ", return an empty list.
*/
public static function decodeAuthorization($authorization)
{
$into = array();
if ($authorization != null) {
$m = ereg(self::$AUTHORIZATION, $authorization);
if ($m !== false) {
if (strpos($authorization, OAuthUtil::$AUTH_SCHEME) == 0) {
$authorization = str_replace("OAuth ", "", $authorization);
$authParams = explode(", ", $authorization);
foreach ($authParams as $params) {
$m = ereg(OAuthUtil::$NVP, $params);
if ($m == 1) {
$keyValue = explode("=", $params);
$name = OAuthUtil::urlencodeRFC3986($keyValue[0]);
$value = OAuthUtil::urlencodeRFC3986(str_replace("\"", "", $keyValue[1]));
$into[$name] = $value;
}
}
}
}
}
return $into;
}
/**
* builds the Authorization: header
*/
public function to_header($realm = "")
{
$out = 'Authorization: OAuth realm="' . $realm . '"';
$total = array();
foreach ($this->parameters as $k => $v) {
if (substr($k, 0, 5) != "oauth") {
continue;
}
$out .= ',' . OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"';
}
return $out;
}
/**
* Builds the URL the client needs to visit to approve access.
*/
private function buildAznUrl()
{
// At some point we can be clever and use a callback URL to improve
// the user experience, but that's too complex for now.
$accessor = $this->accessorInfo->getAccessor();
$azn = $accessor->consumer->callback_url->userAuthorizationURL;
$authUrl = $azn->url;
if (strstr($authUrl, "?") != -1) {
$authUrl .= "?";
} else {
$authUrl .= "&";
}
$authUrl .= OAuth::$OAUTH_TOKEN;
$authUrl .= "=";
$authUrl .= OAuthUtil::urlencodeRFC3986($accessor->requestToken);
$this->aznUrl = $authUrl;
}
private function _generate_authorization_header($http_method, $realm, $base_url, $args)
{
$authorization_header = 'OAuth realm="' . $realm . '",';
$params = array();
foreach ($this->_generate_oauth_parameters($http_method, $base_url, $args) as $k => $v) {
if (substr($k, 0, 5) == 'oauth' || substr($k, 0, 6) == 'xoauth') {
$params[] = OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"';
}
}
$authorization_header .= implode(',', $params);
return $authorization_header;
}
public function signRequest($url, $method)
{
try {
// Parse the request into parameters for OAuth signing, stripping out
// any OAuth or OpenSocial parameters injected by the client
$parsedUri = parse_url($url);
$resource = $url;
$queryParams = $this->sanitize($_GET);
$postParams = $this->sanitize($_POST);
// The data that is supposed to be posted to the target page is contained in the postData field
// in the $_POST to the Shindig proxy server
// Here we parse it and put it into the $postDataParams array which then is merged into the postParams
// to be used for the GET/POST request and the building of the signature
$postDataParams = array();
if (isset($_POST['postData']) && count($postDataParts = split('&', urldecode($_POST['postData']))) > 0) {
foreach ($postDataParts as $postDataPart) {
$position = strpos($postDataPart, '=');
$key = substr($postDataPart, 0, $position);
$value = substr($postDataPart, $position + 1);
$postDataParams[$key] = $value;
}
}
$postParams = array_merge($postParams, $this->sanitize($postDataParams));
$msgParams = array();
$msgParams = array_merge($msgParams, $queryParams);
$msgParams = array_merge($msgParams, $postParams);
$this->addOpenSocialParams($msgParams);
$this->addOAuthParams($msgParams);
$consumer = new OAuthConsumer(NULL, NULL, NULL);
$consumer->setProperty(OAuthSignatureMethod_RSA_SHA1::$PRIVATE_KEY, $this->privateKeyObject);
$signatureMethod = new OAuthSignatureMethod_RSA_SHA1();
$req_req = OAuthRequest::from_consumer_and_token($consumer, NULL, $method, $resource, $msgParams);
$req_req->sign_request($signatureMethod, $consumer, NULL);
// Rebuild the query string, including all of the parameters we added.
// We have to be careful not to copy POST parameters into the query.
// If post and query parameters share a name, they end up being removed
// from the query.
$forPost = array();
$postData = false;
if ($method == 'POST') {
foreach ($postParams as $key => $param) {
$forPost[$key] = $param;
if ($postData === false) {
$postData = array();
}
$postData[] = OAuthUtil::urlencodeRFC3986($key) . "=" . OAuthUtil::urlencodeRFC3986($param);
}
if ($postData !== false) {
$postData = implode("&", $postData);
}
}
$newQuery = '';
foreach ($req_req->get_parameters() as $key => $param) {
if (!isset($forPost[$key])) {
$newQuery .= urlencode($key) . '=' . urlencode($param) . '&';
}
}
// and stick on the original query params too
if (isset($parsedUri['query']) && !empty($parsedUri['query'])) {
$oldQuery = array();
parse_str($parsedUri['query'], $oldQuery);
foreach ($oldQuery as $key => $val) {
$newQuery .= urlencode($key) . '=' . urlencode($val) . '&';
}
}
// Careful here; the OAuth form encoding scheme is slightly different than
// the normal form encoding scheme, so we have to use the OAuth library
// formEncode method.
$url = $parsedUri['scheme'] . '://' . $parsedUri['host'] . (isset($parsedUri['port']) ? ':' . $parsedUri['port'] : '') . $parsedUri['path'] . '?' . $newQuery;
// The headers are transmitted in the POST-data array in the field 'headers'
// if no post should be made, the value should be false for this parameter
$postHeaders = isset($_POST['headers']) && $method == 'POST' ? $_POST['headers'] : false;
return new RemoteContentRequest($url, $postHeaders, $postData);
} catch (Exception $e) {
throw new GadgetException($e);
}
}
/**
* builds the Authorization: header
*/
public function to_header()
{
/*{{{*/
$out = 'Authorization: OAuth ';
$total = array();
/*
$sig = $this->parameters['oauth_signature'];
unset($this->parameters['oauth_signature']);
uksort($this->parameters, 'strnatcmp');
$this->parameters['oauth_signature'] = $sig;
*/
foreach ($this->parameters as $k => $v) {
if (substr($k, 0, 5) != "oauth") {
continue;
}
$out .= OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '", ';
}
$out = substr_replace($out, '', strlen($out) - 2);
return $out;
}
private function signRequest(RemoteContentRequest $request)
{
$url = $request->getUrl();
$method = $request->getMethod();
try {
// Parse the request into parameters for OAuth signing, stripping out
// any OAuth or OpenSocial parameters injected by the client
$parsedUri = parse_url($url);
$resource = $url;
$queryParams = array();
if (isset($parsedUri['query'])) {
parse_str($parsedUri['query'], $queryParams);
// strip out all opensocial_* and oauth_* params so they can't be spoofed by the client
foreach ($queryParams as $key => $val) {
if (strtolower(substr($key, 0, strlen('opensocial_'))) == 'opensocial_' || strtolower(substr($key, 0, strlen('oauth_'))) == 'oauth_') {
unset($queryParams[$key]);
}
}
$queryParams = $this->sanitize($queryParams);
}
$contentType = $request->getHeader('Content-Type');
$signBody = stripos($contentType, 'application/x-www-form-urlencoded') !== false || $contentType == null;
if ($request->getPostBody()) {
if ($signBody) {
$postParams = array();
// on normal application/x-www-form-urlencoded type post's encode and parse the post vars
parse_str($request->getPostBody(), $postParams);
$postParams = $this->sanitize($postParams);
} else {
// on any other content-type of post (application/{json,xml,xml+atom}) use the body signing hash
// see http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html for details
$queryParams['oauth_body_hash'] = base64_encode(sha1($request->getPostBody(), true));
}
}
$msgParams = array();
$msgParams = array_merge($msgParams, $queryParams);
if ($signBody && isset($postParams)) {
$msgParams = array_merge($msgParams, $postParams);
}
$this->addOpenSocialParams($msgParams, $request->getToken(), $request->getOptions()->ownerSigned, $request->getOptions()->viewerSigned);
$this->addOAuthParams($msgParams, $request->getToken());
$consumer = new OAuthConsumer(NULL, NULL, NULL);
$consumer->setProperty(OAuthSignatureMethod_RSA_SHA1::$PRIVATE_KEY, $this->privateKeyObject);
$signatureMethod = new OAuthSignatureMethod_RSA_SHA1();
$req_req = OAuthRequest::from_consumer_and_token($consumer, NULL, $method, $resource, $msgParams);
$req_req->sign_request($signatureMethod, $consumer, NULL);
// Rebuild the query string, including all of the parameters we added.
// We have to be careful not to copy POST parameters into the query.
// If post and query parameters share a name, they end up being removed
// from the query.
$forPost = array();
$postData = false;
if ($method == 'POST' && $signBody) {
foreach ($postParams as $key => $param) {
$forPost[$key] = $param;
if ($postData === false) {
$postData = array();
}
$postData[] = OAuthUtil::urlencodeRFC3986($key) . "=" . OAuthUtil::urlencodeRFC3986($param);
}
if ($postData !== false) {
$postData = implode("&", $postData);
}
}
$newQuery = '';
foreach ($req_req->get_parameters() as $key => $param) {
if (!isset($forPost[$key])) {
$newQuery .= urlencode($key) . '=' . urlencode($param) . '&';
}
}
// and stick on the original query params too
if (isset($parsedUri['query']) && !empty($parsedUri['query'])) {
$oldQuery = array();
parse_str($parsedUri['query'], $oldQuery);
foreach ($oldQuery as $key => $val) {
$newQuery .= urlencode($key) . '=' . urlencode($val) . '&';
}
}
// Careful here; the OAuth form encoding scheme is slightly different than
// the normal form encoding scheme, so we have to use the OAuth library
// formEncode method.
$url = $parsedUri['scheme'] . '://' . $parsedUri['host'] . (isset($parsedUri['port']) ? ':' . $parsedUri['port'] : '') . (isset($parsedUri['path']) ? $parsedUri['path'] : '') . '?' . $newQuery;
$request->setUri($url);
if ($signBody) {
$request->setPostBody($postData);
}
} catch (Exception $e) {
throw new GadgetException($e);
}
}
