public static function validateDeleteApprovalRequest(Request $request)
{
// REQUIRED client_id
$clientId = $request->getUrl()->getQueryParameter('client_id');
if (is_null($clientId)) {
throw new BadRequestException('missing client_id');
}
if (false === InputValidation::clientId($clientId)) {
throw new BadRequestException('invalid client_id');
}
// REQUIRED response_type
$responseType = $request->getUrl()->getQueryParameter('response_type');
if (is_null($responseType)) {
throw new BadRequestException('missing response_type');
}
if (false === InputValidation::responseType($responseType)) {
throw new BadRequestException('invalid response_type');
}
// REQUIRED scope
$scope = $request->getUrl()->getQueryParameter('scope');
if (is_null($scope)) {
throw new BadRequestException('missing scope');
}
if (false === InputValidation::scope($scope)) {
throw new BadRequestException('invalid scope');
}
return array('client_id' => $clientId, 'response_type' => $responseType, 'scope' => $scope);
}
public function __construct(ClientData $clientData, Request $request, $redirectUri, array $urlParams)
{
$clientType = $clientData->getType();
$urlParams['state'] = $request->getUrl()->getQueryParameter('state');
// remove empty parameters
foreach ($urlParams as $key => $value) {
if (empty($value)) {
unset($urlParams[$key]);
}
}
if ('token' === $clientType) {
$separator = '#';
} else {
$separator = false === strpos($redirectUri, '?') ? '?' : '&';
}
parent::__construct(sprintf('%s%s%s', $redirectUri, $separator, http_build_query($urlParams)), 302);
}
public function execute(Request $request, array $routeConfig)
{
// only relevant if the request comes from a browser
if (false === mb_strpos($request->getHeader('Accept'), 'text/html')) {
return;
}
// these methods do not require CSRF protection as they are not
// supposed to have side effects on the server
$safeMethods = ['GET', 'HEAD', 'OPTIONS'];
if (!in_array($request->getMethod(), $safeMethods)) {
$referrer = $request->getHeader('HTTP_REFERER');
$rootUrl = $request->getUrl()->getRootUrl();
if (null === $referrer) {
throw new BadRequestException('HTTP_REFERER header missing');
}
if (0 !== mb_strpos($referrer, $rootUrl)) {
throw new BadRequestException('HTTP_REFERER has unexpected value');
}
}
}
public function __construct(Request $request)
{
$this->setClientId($request->getUrl()->getQueryParameter('client_id'));
$this->setResponseType($request->getUrl()->getQueryParameter('response_type'));
$this->setRedirectUri($request->getUrl()->getQueryParameter('redirect_uri'));
$this->setScope($request->getUrl()->getQueryParameter('scope'));
$this->setState($request->getUrl()->getQueryParameter('state'));
}
public function getTokenIntrospection(Request $request, $tokenValue)
{
if (null === $tokenValue) {
throw new BadRequestException('invalid_token', 'the token parameter is missing');
}
// FIXME: validate token format
$accessToken = $this->db->getAccessToken($tokenValue);
if (false === $accessToken) {
// token does not exist
$tokenInfo = array('active' => false);
} elseif ($this->io->getTime() > $accessToken['issue_time'] + $accessToken['expires_in']) {
// token expired
$tokenInfo = array('active' => false);
} else {
// token exists and did not expire
$tokenInfo = array('active' => true, 'exp' => intval($accessToken['issue_time'] + $accessToken['expires_in']), 'iat' => intval($accessToken['issue_time']), 'scope' => $accessToken['scope'], 'iss' => $request->getUrl()->getHost(), 'client_id' => $accessToken['client_id'], 'sub' => $accessToken['resource_owner_id'], 'user_id' => $accessToken['resource_owner_id'], 'token_type' => 'bearer');
// as long as we have no RS registration we cannot set the audience...
// $tokenInfo['aud'] => 'foo';
}
$response = new JsonResponse();
$response->setHeaders(array('Cache-Control' => 'no-store', 'Pragma' => 'no-cache'));
$response->setBody($tokenInfo);
return $response;
}
public function __construct(Request $request)
{
$this->setGrantType($request->getPostParameter('grant_type'));
$this->setCode($request->getPostParameter('code'));
$this->setRedirectUri($request->getPostParameter('redirect_uri'));
$this->setClientId($request->getPostParameter('client_id'));
$this->setRefreshToken($request->getPostParameter('refresh_token'));
$this->setScope($request->getPostParameter('scope'));
// some additional validation
if ('authorization_code' === $this->getGrantType() && null === $this->getCode()) {
throw new BadRequestException('invalid_requst', 'for authorization_code grant type a code must be provided');
}
if ('refresh_token' === $this->getGrantType() && null === $this->getRefreshToken()) {
throw new BadRequestException('invalid_request', 'for refresh_token grant type a refresh_token must be provided');
}
}
use fkooman\OAuth\Storage\PdoAuthorizationCodeStorage;
use fkooman\OAuth\Storage\PdoApprovalStorage;
use fkooman\RemoteStorage\RemoteStorageClientStorage;
use fkooman\RemoteStorage\DbTokenValidator;
use fkooman\RemoteStorage\DocumentStorage;
use fkooman\RemoteStorage\MetadataStorage;
use fkooman\RemoteStorage\RemoteStorage;
use fkooman\RemoteStorage\RemoteStorageResourceServer;
use fkooman\RemoteStorage\RemoteStorageService;
use fkooman\RemoteStorage\ApprovalManagementStorage;
use fkooman\Rest\Plugin\Authentication\AuthenticationPlugin;
use fkooman\Rest\Plugin\Authentication\Bearer\BearerAuthentication;
use fkooman\Rest\Plugin\Authentication\Form\FormAuthentication;
use fkooman\Tpl\Twig\TwigTemplateManager;
try {
$request = new Request($_SERVER);
$configReader = new Reader(new YamlFile(dirname(__DIR__) . '/config/server.yaml'));
$serverMode = $configReader->v('serverMode', false, 'production');
$document = new DocumentStorage($configReader->v('storageDir', false, sprintf('%s/data/storage', dirname(__DIR__))));
$dbDsn = $configReader->v('Db', 'dsn', false, sprintf('sqlite:%s/data/rs.sqlite', dirname(__DIR__)));
// if we use sqlite, and database is not initialized we will initialize
// all tables here. No need to manually initialize the database then!
$initDb = false;
if (0 === strpos($dbDsn, 'sqlite:')) {
// sqlite
if (!file_exists(substr($dbDsn, 7))) {
// sqlite file does not exist
$initDb = true;
}
}
$db = new PDO($dbDsn, $configReader->v('Db', 'username', false), $configReader->v('Db', 'password', false));
public function deleteDocument(Request $request, TokenInfo $tokenInfo)
{
$path = new Path($request->getUrl()->getPathInfo());
if ($path->getUserId() !== $tokenInfo->getUserId()) {
throw new ForbiddenException('path does not match authorized subject');
}
if (!$this->hasWriteScope($tokenInfo->getScope(), $path->getModuleName())) {
throw new ForbiddenException('path does not match authorized scope');
}
// need to get the version before the delete
$documentVersion = $this->remoteStorage->getVersion($path);
$ifMatch = $this->stripQuotes($request->getHeader('If-Match'));
// if document does not exist, and we have If-Match header set we should
// return a 412 instead of a 404
if (null !== $ifMatch && !in_array($documentVersion, $ifMatch)) {
throw new PreconditionFailedException('version mismatch');
}
if (null === $documentVersion) {
throw new NotFoundException(sprintf('document "%s" not found', $path->getPath()));
}
$ifMatch = $this->stripQuotes($request->getHeader('If-Match'));
if (null !== $ifMatch && !in_array($documentVersion, $ifMatch)) {
throw new PreconditionFailedException('version mismatch');
}
$x = $this->remoteStorage->deleteDocument($path, $ifMatch);
$rsr = new Response();
$rsr->setHeader('ETag', '"' . $documentVersion . '"');
$rsr->setBody($x);
return $rsr;
}
* See the License for the specific language governing permissions and
* limitations under the License.
*/
require_once dirname(__DIR__) . "/vendor/autoload.php";
use fkooman\Config\Config;
use fkooman\Http\JsonResponse;
use fkooman\Http\Request;
use fkooman\Http\IncomingRequest;
use fkooman\Rest\Service;
use fkooman\Rest\Plugin\BasicAuthentication;
use fkooman\VootProvider\VootStorageException;
try {
$config = Config::fromIniFile(dirname(__DIR__) . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "voot.ini");
$vootStorageBackend = sprintf('fkooman\\VootProvider\\%s', $config->getValue('storageBackend'));
$vootStorage = new $vootStorageBackend($config);
$request = Request::fromIncomingRequest(new IncomingRequest());
$service = new Service($request);
// require authentication?
if (null !== $config->getValue('basicUser')) {
$basicAuthPlugin = new BasicAuthentication($config->getValue('basicUser'), $config->getValue('basicPass'), $config->getValue('serviceName'));
$service->registerBeforeMatchingPlugin($basicAuthPlugin);
}
// GROUPS
$service->match("GET", "/groups/:uid", function ($uid) use($request, $vootStorage) {
$groups = $vootStorage->isMemberOf($uid, $request->getQueryParameter("startIndex"), $request->getQueryParameter("count"));
$response = new JsonResponse(200);
$response->setContent($groups);
return $response;
});
// PEOPLE IN GROUP
$service->match("GET", "/people/:uid/:gid", function ($uid, $gid) use($request, $vootStorage) {
public function postAuthorization(Request $request, UserInfoInterface $userInfo)
{
$authorizeRequest = new AuthorizeRequest($request);
$clientId = $authorizeRequest->getClientId();
$responseType = $authorizeRequest->getResponseType();
$redirectUri = $authorizeRequest->getRedirectUri();
$scope = $authorizeRequest->getScope();
$state = $authorizeRequest->getState();
$clientData = $this->storage->getClient($clientId);
if (false === $clientData) {
throw new BadRequestException('client not registered');
}
// if no redirect_uri is part of the query parameter, use the one from
// the client registration
if (null === $redirectUri) {
$redirectUri = $clientData->getRedirectUri();
}
if ('approve' !== $request->getPostParameter('approval')) {
return new ClientResponse($clientData, $request, $redirectUri, array('error' => 'access_denied', 'error_description' => 'not authorized by resource owner'));
}
$this->addApproval($clientData, $userInfo->getUserId(), $scope);
// redirect to self
return new RedirectResponse($request->getUrl()->toString(), 302);
}
public function deleteApproval(Request $request, UserInfoInterface $userInfo)
{
$id = $request->getUrl()->getQueryParameter('id');
$this->db->deleteApproval($id, $userInfo->getUserId());
return new RedirectResponse($request->getUrl()->getRootUrl() . 'approvals.php', 302);
}
private function runService(Request $request)
{
// support method override when _METHOD is set in a form POST
if ('POST' === $request->getMethod()) {
$methodOverride = $request->getPostParameter('_METHOD');
if (null !== $methodOverride) {
$request->setMethod($methodOverride);
}
}
foreach ($this->routes as $route) {
if (false !== ($availableRouteCallbackParameters = $route->isMatch($request->getMethod(), $request->getUrl()->getPathInfo()))) {
return $this->executeCallback($request, $route, $availableRouteCallbackParameters);
}
}
// figure out all supported methods by all routes
$supportedMethods = [];
foreach ($this->routes as $route) {
$routeMethods = $route->getMethods();
foreach ($routeMethods as $method) {
if (!in_array($method, $supportedMethods)) {
$supportedMethods[] = $method;
}
}
}
// requested method supported, document is just not available
if (in_array($request->getMethod(), $supportedMethods)) {
throw new NotFoundException('url not found', $request->getUrl()->getRoot() . mb_substr($request->getUrl()->getPathInfo(), 1));
}
// requested method net supported...
throw new MethodNotAllowedException($request->getMethod(), $supportedMethods);
}
