/**
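  * Authenticates a Typo3OrgSsoToken: looks up the active account for the given username and accepts the token only if the RSA signature over the SSO credentials verifies and the credentials have not expired.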
  *
  * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
  * @return void
  * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
  */
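 public function authenticate(TokenInterface $authenticationToken)
 {
     // This provider only handles its own SSO token type; anything else is rejected up front.
     if (!$authenticationToken instanceof Typo3OrgSsoToken) {
         throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
     }

     /** @var $account \TYPO3\Flow\Security\Account */
     $account = null;
     $credentials = $authenticationToken->getCredentials();
     if (is_array($credentials) && isset($credentials['username'])) {
         $providerName = $this->name;
         // The repository lookup is wrapped in withoutAuthorizationChecks(); $account is filled by reference.
         $this->securityContext->withoutAuthorizationChecks(function () use ($credentials, $providerName, &$account) {
             $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
         });
     }

     if (is_object($account)) {
         // Fail closed when a signed field or the signature itself is absent or is not a plain value,
         // rather than concatenating undefined or array values into the data that gets verified.
         $requiredFields = array('version', 'username', 'tpaId', 'expires', 'action', 'flags', 'userdata', 'signature');
         foreach ($requiredFields as $field) {
             if (!array_key_exists($field, $credentials) || is_array($credentials[$field]) || is_object($credentials[$field])) {
                 $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
                 return;
             }
         }

         // Field names and their order must match exactly the string the SSO issuer signed.
         $authenticationData = 'version=' . $credentials['version']
             . '&user=' . $credentials['username']
             . '&tpa_id=' . $credentials['tpaId']
             . '&expires=' . $credentials['expires']
             . '&action=' . $credentials['action']
             . '&flags=' . $credentials['flags']
             . '&userdata=' . $credentials['userdata'];

         $signatureIsValid = $this->rsaWalletService->verifySignature($authenticationData, $credentials['signature'], $this->options['rsaKeyUuid']);
         // Compare the expiry as an integer: under PHP 8 a non-numeric string compared with an int
         // is compared as a string, which could make a malformed value look like a future timestamp.
         $isNotExpired = (int)$credentials['expires'] > time();

         if ($signatureIsValid && $isNotExpired) {
             $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
             $authenticationToken->setAccount($account);
         } else {
             $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
         }
     } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
         // No matching active account was found; a token that is already authenticated keeps its status.
         $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
     }
 }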
 /**
  * Matches the current request for an unverified signed request.
  *
  * This pattern will return TRUE if the request is not signed or
  * the signature of the request is invalid.
  *
  * @param \TYPO3\Flow\Mvc\RequestInterface $request The request that should be matched
  * @return boolean TRUE if the pattern matched, FALSE otherwise
  */
 public function matchRequest(\TYPO3\Flow\Mvc\RequestInterface $request)
 {
     /** @var \TYPO3\Flow\Http\Request $httpRequest */
     $httpRequest = $request->getHttpRequest();

     // Unsigned request: report it and let the pattern match (TRUE means "not verified").
     if (!$httpRequest->hasHeader('X-Request-Signature')) {
         $this->emitSignatureHeaderMissing($request);
         return TRUE;
     }

     // Header layout is "identifier:base64(signature)"; split on the first colon only.
     $headerParts = explode(':', $httpRequest->getHeader('X-Request-Signature'), 2);
     if (count($headerParts) !== 2) {
         throw new \TYPO3\Flow\Exception('Invalid signature header format, expected "identifier:base64(signature)"', 1354287886);
     }
     list($identifier, $encodedSignature) = $headerParts;

     // base64_decode() runs in non-strict mode here, so malformed input is not rejected at this
     // step; the accept/reject decision rests entirely on verifySignature() below.
     $signature = base64_decode($encodedSignature);
     $signData = $this->requestSigner->getSignatureContent($httpRequest);

     $publicKeyFingerprint = $this->publicKeyResolver->resolveFingerprintByIdentifier($identifier);
     if ($publicKeyFingerprint === NULL) {
         // NOTE(review): $identifier comes straight from the request header and is embedded
         // verbatim in this message; confirm it is escaped wherever the exception is rendered or logged.
         throw new \TYPO3\Flow\Exception('Cannot resolve identifier "' . $identifier . '"', 1354288898);
     }

     // The only path that returns FALSE (pattern does not match) is a signature that verifies.
     $verified = $this->rsaWalletService->verifySignature($signData, $signature, $publicKeyFingerprint);
     if ($verified) {
         return FALSE;
     }

     $this->emitSignatureNotVerified($request, $identifier, $signData, $signature, $publicKeyFingerprint);
     return TRUE;
 }
 /**
  * @param \TYPO3\Flow\Http\Request $request
  * @param string $identifier
  * @param string $publicKeyFingerprint
  * @return \TYPO3\Flow\Http\Request
  */
 public function signRequest(\TYPO3\Flow\Http\Request $request, $identifier, $publicKeyFingerprint)
 {
     // All changes are made on a clone of the request that was passed in.
     $requestCopy = clone $request;

     // The Date header is set before the signature content is computed
     // (presumably so the timestamp is covered by the signature; confirm in getSignatureContent()).
     $requestCopy->setHeader('Date', gmdate(DATE_RFC2822));

     // Sign with the key identified by the fingerprint and publish the result as
     // "identifier:base64(signature)" in the X-Request-Signature header.
     $rawSignature = $this->rsaWalletService->sign($this->getSignatureContent($requestCopy), $publicKeyFingerprint);
     $headerValue = $identifier . ':' . base64_encode($rawSignature);
     $requestCopy->setHeader('X-Request-Signature', $headerValue);

     return $requestCopy;
 }
 /**
  * Export a public key
  *
  * @param string $publicKeyFingerprint
  * @return void
  */
 public function exportPublicKeyCommand($publicKeyFingerprint)
 {
     // Look up the public key by its fingerprint and write its string form to the command output.
     $keyString = $this->rsaWalletService->getPublicKey($publicKeyFingerprint)->getKeyString();
     $this->output($keyString);
 }
 /**
  * Verify the signature of a callback redirect to the client
  *
  * @param string $accessTokenCipher
  * @param string $signature
  * @return boolean
  */
 public function verifyCallbackSignature($accessTokenCipher, $signature)
 {
     // The signature is checked over the ciphertext as received, before any decryption.
     // NOTE(review): presumably $this->publicKey holds the fingerprint of the server's public key; confirm.
     $isValid = $this->rsaWalletService->verifySignature($accessTokenCipher, $signature, $this->publicKey);

     return $isValid;
 }
 /**
  * Decrypt the access token cipher on callback to the client
  *
  * @param string $accessTokenCipher The access token ciphertext from the callback URI arguments
  * @return string The decrypted access token or an empty string if the access token could not be decrypted
  */
 public function decryptCallbackAccessToken($accessTokenCipher)
 {
     // This method only decrypts; it does not verify the signature of the ciphertext itself.
     // NOTE(review): decrypt() is given a public key fingerprint; presumably the wallet uses it
     // to locate the matching private key. Confirm against RsaWalletService.
     $accessToken = $this->rsaWalletService->decrypt($accessTokenCipher, $this->publicKeyFingerprint);

     return $accessToken;
 }