/**
* Sets isAuthenticated to TRUE for all tokens.
*
* @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof Typo3OrgSsoToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
/** @var $account \TYPO3\Flow\Security\Account */
$account = null;
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['username'])) {
$providerName = $this->name;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, &$account) {
$account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
}
if (is_object($account)) {
$authenticationData = 'version=' . $credentials['version'] . '&user='******'username'] . '&tpa_id=' . $credentials['tpaId'] . '&expires=' . $credentials['expires'] . '&action=' . $credentials['action'] . '&flags=' . $credentials['flags'] . '&userdata=' . $credentials['userdata'];
if ($this->rsaWalletService->verifySignature($authenticationData, $credentials['signature'], $this->options['rsaKeyUuid']) && $credentials['expires'] > time()) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* Matches the current request for an unverified signed request.
*
* This pattern will return TRUE if the request is not signed or
* the signature of the request is invalid.
*
* @param \TYPO3\Flow\Mvc\RequestInterface $request The request that should be matched
* @return boolean TRUE if the pattern matched, FALSE otherwise
*/
public function matchRequest(\TYPO3\Flow\Mvc\RequestInterface $request)
{
/** @var \TYPO3\Flow\Http\Request $httpRequest */
$httpRequest = $request->getHttpRequest();
if ($httpRequest->hasHeader('X-Request-Signature')) {
$identifierAndSignature = explode(':', $httpRequest->getHeader('X-Request-Signature'), 2);
if (count($identifierAndSignature) !== 2) {
throw new \TYPO3\Flow\Exception('Invalid signature header format, expected "identifier:base64(signature)"', 1354287886);
}
$identifier = $identifierAndSignature[0];
$signature = base64_decode($identifierAndSignature[1]);
$signData = $this->requestSigner->getSignatureContent($httpRequest);
$publicKeyFingerprint = $this->publicKeyResolver->resolveFingerprintByIdentifier($identifier);
if ($publicKeyFingerprint === NULL) {
throw new \TYPO3\Flow\Exception('Cannot resolve identifier "' . $identifier . '"', 1354288898);
}
if ($this->rsaWalletService->verifySignature($signData, $signature, $publicKeyFingerprint)) {
return FALSE;
} else {
$this->emitSignatureNotVerified($request, $identifier, $signData, $signature, $publicKeyFingerprint);
}
} else {
$this->emitSignatureHeaderMissing($request);
}
return TRUE;
}
/**
* @param \TYPO3\Flow\Http\Request $request
* @param string $identifier
* @param string $publicKeyFingerprint
* @return \TYPO3\Flow\Http\Request
*/
public function signRequest(\TYPO3\Flow\Http\Request $request, $identifier, $publicKeyFingerprint)
{
$signedRequest = clone $request;
$signedRequest->setHeader('Date', gmdate(DATE_RFC2822));
$signData = $this->getSignatureContent($signedRequest);
$signature = $this->rsaWalletService->sign($signData, $publicKeyFingerprint);
$signedRequest->setHeader('X-Request-Signature', $identifier . ':' . base64_encode($signature));
return $signedRequest;
}
/**
* Export a public key
*
* @param string $publicKeyFingerprint
* @return void
*/
public function exportPublicKeyCommand($publicKeyFingerprint)
{
$publicKey = $this->rsaWalletService->getPublicKey($publicKeyFingerprint);
$this->output($publicKey->getKeyString());
}
/**
* Verify the signature of a callback redirect to the client
*
* @param string $accessTokenCipher
* @param string $signature
* @return boolean
*/
public function verifyCallbackSignature($accessTokenCipher, $signature)
{
return $this->rsaWalletService->verifySignature($accessTokenCipher, $signature, $this->publicKey);
}
/**
* Decrypt the access token cipher on callback to the client
*
* @param string $accessTokenCipher The access token ciphertext from the callback URI arguments
* @return string The decrypted access token or an empty string if the access token could not be decrypted
*/
public function decryptCallbackAccessToken($accessTokenCipher)
{
return $this->rsaWalletService->decrypt($accessTokenCipher, $this->publicKeyFingerprint);
}