Example #1
 /**
  * Issue a session key (KS) for another partner on behalf of the calling partner.
  *
  * The caller first proves control of $partnerId by presenting that partner's
  * secret. Only then is the partner-to-partner access rule checked and the new
  * KS created with the impersonated partner's own secret of the requested type.
  * Every failure path raises the same START_SESSION_ERROR carrying the caller's
  * partner id, so the response does not tell the caller which check failed.
  *
  * @action impersonate
  * @param string $secret Secret of the calling partner; it must be the one matching the requested session type
  * @param int $impersonatedPartnerId Partner the new KS is issued for
  * @param string $userId User id placed in the new KS
  * @param KalturaSessionType $type Regular session or Admin session
  * @param int $partnerId Calling partner, i.e. the owner of $secret
  * @param int $expiry KS expiry time in seconds
  * @param string $privileges Privileges handed to the new KS as given
  * @return string The new KS
  *
  * @throws APIErrors::START_SESSION_ERROR
  */
 function impersonateAction($secret, $impersonatedPartnerId, $userId = "", $type = 0, $partnerId = null, $expiry = 86400, $privileges = null)
 {
     KalturaResponseCacher::disableCache();

     // Step 1: the secret must be valid for the calling partner and session type.
     $secretIsValid = myPartnerUtils::isValidSecret($partnerId, $secret, "", $expiry, $type);
     if ($secretIsValid !== true) {
         throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
     }

     // Step 2: the calling partner must be allowed to act for the target partner.
     $mayImpersonate = myPartnerUtils::allowPartnerAccessPartner($partnerId, $this->partnerGroup(), $impersonatedPartnerId);
     if (!$mayImpersonate) {
         throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
     }

     // Step 3: the target partner must exist in the DB.
     $targetPartner = PartnerPeer::retrieveByPK($impersonatedPartnerId);
     if (!$targetPartner) {
         throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
     }

     // Admin sessions use the target's admin secret, every other type its regular secret.
     // NOTE(review): loose == on $type; presumably the API layer has already cast it
     // to the enum's value - confirm, since this comparison selects the secret.
     $targetSecret = ($type == KalturaSessionType::ADMIN)
         ? $targetPartner->getAdminSecret()
         : $targetPartner->getSecret();

     // startKSession fills $ks and reports success with a non-negative result.
     $ks = "";
     $startStatus = kSessionUtils::startKSession($targetPartner->getId(), $targetSecret, $userId, $ks, $expiry, $type, "", $privileges, $partnerId);
     if ($startStatus >= 0) {
         return $ks;
     }

     throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
 }
 /**
  * Resolve the partner and user for the current request, fill kCurrentContext,
  * and check that the service may be used with the supplied ticket (KS), or
  * without one when no KS was sent.
  *
  * Failures are reported through $this->addException(). Whether that call stops
  * execution is not visible in this method; the notes below assume it may not.
  *
  * @param int $partner_id Requested partner; taken from the KS when empty and a KS is given
  * @param int $subp_id Returned unchanged
  * @param string $puser_id Requested user; taken from the KS when empty and a KS is given
  * @param string $ks_str The KS string, or an empty value when the request carries no KS
  * @return array array($partner_id, $subp_id, $puser_id, $allow_private_partner_data)
  */
 private function validateTicketSetPartner($partner_id, $subp_id, $puser_id, $ks_str)
 {
     if ($ks_str) {
         // 1. crack the ks
         // NOTE(review): every field read from $ks below is used before
         // validateKSession2() runs; whether crackKs() itself verifies the KS
         // signature is not visible here - confirm.
         $ks = kSessionUtils::crackKs($ks_str);
         // 2. extract partner_id
         $ks_partner_id = $ks->partner_id;
         $master_partner_id = $ks->master_partner_id;
         // without a master partner in the KS, the KS partner is its own master
         if (!$master_partner_id) {
             $master_partner_id = $ks_partner_id;
         }
         // caller-supplied partner_id wins; the KS partner is only the fallback
         if (!$partner_id) {
             $partner_id = $ks_partner_id;
         }
         // use the user from the ks if not explicitly set
         if (!$puser_id) {
             $puser_id = $ks->user;
         }
         // The request-wide context is populated here, ahead of ticket validation
         // (step 4) and ahead of the partner access check (step 5).
         kCurrentContext::$ks = $ks_str;
         kCurrentContext::$partner_id = $partner_id;
         kCurrentContext::$ks_partner_id = $ks_partner_id;
         kCurrentContext::$master_partner_id = $master_partner_id;
         kCurrentContext::$uid = $puser_id;
         kCurrentContext::$ks_uid = $ks->user;
         // 3. retrieve partner
         $ks_partner = PartnerPeer::retrieveByPK($ks_partner_id);
         // the service config is assumed to be the one of the operating_partner == ks_partner
         if (!$ks_partner) {
             $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $ks_partner_id);
         }
         // NOTE(review): reached with a null $ks_partner if addException() returns
         $this->setServiceConfigFromPartner($ks_partner);
         // a falsy status is reported as a deleted partner
         if ($ks_partner && !$ks_partner->getStatus()) {
             $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
         }
         // 4. validate ticket per service for the ticket's partner
         $ticket_type = $this->ticketType2();
         if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
             // partner cannot access this service
             $this->addException(APIErrors::SERVICE_FORBIDDEN);
         }
         // NOTE(review): when force_ticket_check is off and the service needs a
         // ticket (type is not REQUIED_TICKET_NONE), neither branch below runs,
         // so validateKSession2() is never called on this path.
         if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
             // TODO - which user is this ? from the ks ? from the puser_id ?
             $ks_puser_id = $ks->user;
             //$ks = null;
             $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
             if (0 >= $res) {
                 // changed this to be an exception rather than an error
                 $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
             }
             $this->ks = $ks;
         } elseif ($ticket_type == kSessionUtils::REQUIED_TICKET_NONE && $ks_str) {
             // Service needs no ticket but one was sent: validate it on a
             // best-effort basis. ($ks_str is always truthy inside this branch.)
             // NOTE(review): a failed validation is ignored here - $this->ks stays
             // unset, but kCurrentContext keeps the values taken from the cracked
             // KS and the method can still return true for private partner data.
             $ks_puser_id = $ks->user;
             $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
             if ($res > 0) {
                 $this->ks = $ks;
             }
         }
         // 5. see partner is allowed to access the desired partner (if himself - easy, else - should appear in the partnerGroup)
         $allow_access = myPartnerUtils::allowPartnerAccessPartner($ks_partner_id, $this->partnerGroup2(), $partner_id);
         if (!$allow_access) {
             $this->addException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $ks_partner_id, $partner_id);
         }
         // 6. set the partner to be the desired partner and the operating_partner to be the one from the ks
         $this->partner = PartnerPeer::retrieveByPK($partner_id);
         $this->operating_partner = $ks_partner;
         // the config is that of the ks_partner NOT of the partner
         // $this->setServiceConfigFromPartner( $ks_partner ); - was already set above to extract the ks
         // TODO - should change  service_config to be the one of the partner_id ??
         // 7. if ok - return the partner_id to be used from this point onwards
         return array($partner_id, $subp_id, $puser_id, true);
         // allow private_partner_data
     } else {
         // no ks_str
         // 1. extract partner by partner_id +
         // 2. retrieve partner
         $this->partner = PartnerPeer::retrieveByPK($partner_id);
         if (!$this->partner) {
             $this->partner = null;
             // go to the default config
             $this->setServiceConfigFromPartner(null);
             // an unknown partner is an error only for services that require one
             if ($this->requirePartner2()) {
                 $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $partner_id);
             }
         }
         if ($this->partner && !$this->partner->getStatus()) {
             $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
         }
         // NOTE(review): kCurrentContext::$master_partner_id is not reset on this
         // path, unlike the other KS-derived fields - confirm nothing stale can
         // be left in it.
         kCurrentContext::$ks = null;
         kCurrentContext::$partner_id = $partner_id;
         kCurrentContext::$ks_partner_id = null;
         kCurrentContext::$uid = $puser_id;
         kCurrentContext::$ks_uid = null;
         // 3. make sure the service can be accessed with no ticket
         $this->setServiceConfigFromPartner($this->partner);
         $ticket_type = $this->ticketType2();
         if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
             // partner cannot access this service
             $this->addException(APIErrors::SERVICE_FORBIDDEN);
         }
         if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
             // NEW: 2008-12-28
             // Instead of throwing an exception, see if the service allows KN.
             // If so - a relatively weak partner access
             if ($this->kalturaNetwork2()) {
                 // if the service supports KN - continue without private data
                 return array($partner_id, $subp_id, $puser_id, false);
                 // DONT allow private_partner_data
             }
             // changed this to be an exception rather than an error
             $this->addException(APIErrors::MISSING_KS);
         }
         // 4. set the partner & operating_partner to be the one-and-only partner of this session
         // NOTE(review): with no KS, $partner_id is whatever the request supplied;
         // this path returns true for private partner data whenever the service
         // needs no ticket or force_ticket_check is off.
         $this->operating_partner = $this->partner;
         return array($partner_id, $subp_id, $puser_id, true);
         // allow private_partner_data
     }
 }
Example #3
 /**
  * Tell whether the operating partner may act on the requested partner for
  * the given service and action.
  *
  * The check is skipped, and access reported as allowed, whenever either
  * partner id is still null. A denial is written to the debug log.
  *
  * @param string $service Service name, used to look up the partner group
  * @param string $action Action name, used to look up the partner group
  * @return bool|mixed true when skipped, otherwise the result of allowPartnerAccessPartner()
  */
 private static function isPartnerAccessAllowed($service, $action)
 {
     // Fail-open: with no operating or no requested partner there is nothing to compare.
     // NOTE(review): confirm every caller sets both ids before relying on this gate.
     if (self::$operatingPartnerId === null || self::$requestedPartnerId === null) {
         return true;
     }

     $group = self::getPartnerGroup($service, $action);
     $allowed = myPartnerUtils::allowPartnerAccessPartner(self::$operatingPartnerId, $group, self::$requestedPartnerId);
     if ($allowed) {
         return $allowed;
     }

     // Record who was refused access to whom, and under which partner group.
     KalturaLog::debug("Operating partner [" . self::$operatingPartnerId . "] not allowed using requested partner [" . self::$requestedPartnerId . "] with partner group [" . $group . "]");
     return $allowed;
 }
 /**
  * Start an impersonated session from an existing KS of the impersonated partner.
  *
  * Partner and user are always taken from the supplied KS. Type, expiry and
  * privileges are taken from it too unless the caller overrides them.
  *
  * Review notes:
  *  - Nothing in this method limits the overrides to what the old KS held, so the
  *    new KS may carry a different type or other privileges than the old one.
  *  - When the partner access rule refuses the caller, the request is not rejected
  *    at that point; the partner is looked up through PartnerPeer's default
  *    criteria instead. Denial therefore rests on that criteria not returning the
  *    partner - presumably it filters by the caller's scope; confirm.
  *  - The inherited expiry is valid_until minus the current time and is not
  *    checked for being zero or negative here.
  *
  * @action impersonateByKs
  * @param string $session The old KS of the impersonated partner
  * @param KalturaSessionType $type Type of the new KS
  * @param int $expiry Expiry time in seconds of the new KS
  * @param string $privileges Privileges of the new KS
  * @return KalturaSessionInfo
  *
  * @throws APIErrors::START_SESSION_ERROR
  */
 function impersonateByKsAction($session, $type = null, $expiry = null, $privileges = null)
 {
     KalturaResponseCacher::disableCache();

     // A KS that cannot be read is logged and reported as a generic start-session failure.
     try {
         $sourceKs = ks::fromSecureString($session);
     } catch (Exception $e) {
         KalturaLog::err($e->getMessage());
         throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $this->getPartnerId());
     }

     // Identity comes from the old KS; the remaining fields fall back to it.
     $impersonatedPartnerId = $sourceKs->partner_id;
     $newUserId = $sourceKs->user;
     $newType = is_null($type) ? $sourceKs->type : $type;
     $newExpiry = is_null($expiry) ? $sourceKs->valid_until - time() : $expiry;
     // Any falsy $privileges (not only null) keeps the old privileges.
     $newPrivileges = $privileges ? $privileges : $sourceKs->privileges;

     // Allowed callers fetch the partner by primary key, all others through the default criteria.
     $callerMayAccess = myPartnerUtils::allowPartnerAccessPartner($this->getPartnerId(), $this->partnerGroup(), $impersonatedPartnerId);
     if ($callerMayAccess) {
         $impersonatedPartner = PartnerPeer::retrieveByPK($impersonatedPartnerId);
     } else {
         $criteria = PartnerPeer::getDefaultCriteria();
         $criteria->addAnd(PartnerPeer::ID, $impersonatedPartnerId);
         $impersonatedPartner = PartnerPeer::doSelectOne($criteria);
     }

     if (!$impersonatedPartner) {
         KalturaLog::err("Impersonated partner [{$impersonatedPartnerId} ]could not be fetched from the DB");
         throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $this->getPartnerId());
     }

     // Admin sessions use the partner's admin secret, every other type its regular secret.
     $newSecret = ($newType == KalturaSessionType::ADMIN)
         ? $impersonatedPartner->getAdminSecret()
         : $impersonatedPartner->getSecret();

     // startKSession writes the new KS into $sessionInfo->ks; a negative result means failure.
     $sessionInfo = new KalturaSessionInfo();
     $result = kSessionUtils::startKSession($impersonatedPartnerId, $newSecret, $newUserId, $sessionInfo->ks, $newExpiry, $newType, '', $newPrivileges, $this->getPartnerId());
     if ($result < 0) {
         KalturaLog::err("Failed starting a session with result [{$result}]");
         throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $this->getPartnerId());
     }

     $sessionInfo->partnerId = $impersonatedPartnerId;
     $sessionInfo->userId = $newUserId;
     $sessionInfo->expiry = $newExpiry;
     $sessionInfo->sessionType = $newType;
     $sessionInfo->privileges = $newPrivileges;

     return $sessionInfo;
 }
Example #5
 /**
  * Tell whether the operating partner may act on the requested partner for
  * the given service and action.
  *
  * The check is skipped, and access reported as allowed, whenever either
  * partner id is still null.
  *
  * @param string $service Service name, used to look up the partner group
  * @param string $action Action name, used to look up the partner group
  * @return bool|mixed true when skipped, otherwise the result of allowPartnerAccessPartner()
  */
 private static function isPartnerAccessAllowed($service, $action)
 {
     // Fail-open: with no operating or no requested partner there is nothing to compare.
     // NOTE(review): confirm every caller sets both ids before relying on this gate.
     if (self::$operatingPartnerId === null || self::$requestedPartnerId === null) {
         return true;
     }

     return myPartnerUtils::allowPartnerAccessPartner(
         self::$operatingPartnerId,
         self::getPartnerGroup($service, $action),
         self::$requestedPartnerId
     );
 }
Example #6
 /**
  * Parse a session key and return its info.
  *
  * The KS is decoded first; its contents are returned only if the calling
  * partner is allowed to access the partner named inside it. Exceptions raised
  * by ks::fromSecureString() are not caught here and reach the caller as they are.
  *
  * @action get
  * @param string $session The KS to be parsed, keep it empty to use current session.
  * @return KalturaSessionInfo Partner id, user id, valid_until, type and privileges of the KS
  *
  * @throws APIErrors::PARTNER_ACCESS_FORBIDDEN
  */
 function getAction($session = null)
 {
     KalturaResponseCacher::disableCache();

     // Any falsy $session means "describe the KS of the current request".
     $ksString = $session ? $session : kCurrentContext::$ks;
     $parsedKs = ks::fromSecureString($ksString);

     // Refuse to describe a KS that belongs to a partner outside the caller's reach.
     $mayInspect = myPartnerUtils::allowPartnerAccessPartner($this->getPartnerId(), $this->partnerGroup(), $parsedKs->partner_id);
     if (!$mayInspect) {
         throw new KalturaAPIException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $this->getPartnerId(), $parsedKs->partner_id);
     }

     $info = new KalturaSessionInfo();
     $info->partnerId = $parsedKs->partner_id;
     $info->userId = $parsedKs->user;
     $info->sessionType = $parsedKs->type;
     $info->privileges = $parsedKs->privileges;
     // expiry is reported as the KS's valid_until value, unchanged
     $info->expiry = $parsedKs->valid_until;

     return $info;
 }