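/**
 * Issues a signed JWT for the currently authenticated account.
 *
 * The payload is built from the account that belongs to the JwtToken's
 * authentication provider. If the authenticated account was issued by a
 * different provider, the matching token account is looked up by account
 * identifier, or generated when none exists yet.
 *
 * @return string The encoded JWT
 * @throws \RuntimeException if no account is authenticated or no JwtToken is active
 * @throws \TYPO3\Flow\Security\Exception\InvalidArgumentForHashGenerationException
 */
public function getJWTToken()
{
    /** @var \TYPO3\Flow\Security\Account $account */
    $account = $this->securityContext->getAccount();
    if ($account === NULL) {
        // Without an authenticated account every getter below would be called on NULL
        throw new \RuntimeException('No authenticated account available; cannot issue a JWT.');
    }

    $jwtTokens = $this->securityContext->getAuthenticationTokensOfType('RFY\\JWT\\Security\\Authentication\\Token\\JwtToken');
    if (empty($jwtTokens)) {
        // Indexing [0] unconditionally turned a missing token into a fatal method call on NULL
        throw new \RuntimeException('No JwtToken is active in the security context; cannot issue a JWT.');
    }
    $this->apiToken = $jwtTokens[0];

    if ($account->getAuthenticationProviderName() !== $this->apiToken->getAuthenticationProviderName()) {
        // TODO: Currently you can get only 1 tokenAccount because of the duplication restraint based on accountIdentifier & AuthenticationProviderName
        $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName(
            $account->getAccountIdentifier(),
            $this->apiToken->getAuthenticationProviderName()
        );
        if ($account === NULL) {
            $account = $this->generateTokenAccount();
        }
    }

    $payload = array();
    $payload['identifier'] = $account->getAccountIdentifier();
    // NOTE(review): getParty() is passed through as-is; confirm every token account has a party attached
    $payload['partyIdentifier'] = $this->persistenceManager->getIdentifierByObject($account->getParty());
    // Client-supplied request attributes; they are bound into the signed token, not validated here
    $payload['user_agent'] = $this->request->getHeader('User-Agent');
    $payload['ip_address'] = $this->request->getClientIpAddress();

    $creationDate = $account->getCreationDate();
    if ($creationDate instanceof \DateTime) {
        $payload['creationDate'] = $creationDate->getTimestamp();
    }
    $expirationDate = $account->getExpirationDate();
    if ($expirationDate instanceof \DateTime) {
        $payload['expirationDate'] = $expirationDate->getTimestamp();
    }

    // The signing key is an HMAC that Flow's HashService derives from the configured signature
    $hmac = $this->hashService->generateHmac($this->signature);
    // NOTE(review): no algorithm is passed to JWT::encode(); confirm the library default is a keyed MAC
    // and that the verifying side pins the same algorithm rather than trusting the token header.
    return JWT::encode($payload, $hmac);
}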
/**
 * Returns the first successfully authenticated token of this client's token
 * class whose account is missing or has no party assigned.
 *
 * This is how a fresh OAuth login that still has to be connected to a party
 * is located.
 *
 * @return AbstractClientToken|NULL The matching token, or NULL when none qualifies
 */
public function getChargedAuthenticatedTokenHavingNoPartyAttached()
{
    $candidates = (array) $this->securityContext->getAuthenticationTokensOfType($this->getTokenClassName());

    /** @var $candidate AbstractClientToken */
    foreach ($candidates as $candidate) {
        if ($candidate->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
            continue;
        }
        $account = $candidate->getAccount();
        if ($account === NULL || $account->getParty() === NULL) {
            return $candidate;
        }
    }

    return NULL;
}
/**
 * Tells every SSO server that this client's session has ended.
 *
 * Each active SingleSignOnToken is mapped to its provider's configured
 * server (setting path security.authentication.providers.<provider>.providerOptions.server)
 * and that server's session service is asked to destroy the global session.
 * Tokens whose provider has no server configured are skipped.
 *
 * @return void
 */
public function logout()
{
    $flowSettings = $this->configurationManager->getConfiguration(
        \TYPO3\Flow\Configuration\ConfigurationManager::CONFIGURATION_TYPE_SETTINGS,
        'TYPO3.Flow'
    );
    $ssoTokens = $this->securityContext->getAuthenticationTokensOfType('Flowpack\\SingleSignOn\\Client\\Security\\SingleSignOnToken');

    foreach ($ssoTokens as $ssoToken) {
        $settingsPath = 'security.authentication.providers.' . $ssoToken->getAuthenticationProviderName() . '.providerOptions.server';
        $serverIdentifier = \TYPO3\Flow\Utility\Arrays::getValueByPath($flowSettings, $settingsPath);
        if ($serverIdentifier === NULL) {
            // No server configured for this provider: nothing to notify
            continue;
        }
        $ssoClient = $this->ssoClientFactory->create();
        $ssoServer = $this->ssoServerFactory->create($serverIdentifier);
        $ssoServer->destroySession($ssoClient, $ssoToken->getGlobalSessionId());
    }
}
/**
 * Marks the CAS token of the given provider as authenticated for a user that
 * was just created and lets the provider's mapper finish persisting that user.
 *
 * Only tokens of $providerName are touched, and only when a new account has
 * been staged in $this->miscellaneous[$providerName]['Account'].
 *
 * @param string $providerName
 *
 * @return void
 */
public function finalizeAuthenticationByNewUser($providerName)
{
    $tokens = $this->securityContext->getAuthenticationTokensOfType(\RafaelKa\JasigPhpCas\Service\CasManager::DEFAULT_CAS_TOKEN);

    /* @var $token \RafaelKa\JasigPhpCas\Security\Authentication\Token\PhpCasToken */
    foreach ($tokens as $token) {
        if ($token->getAuthenticationProviderName() !== $providerName) {
            continue;
        }
        if (empty($this->miscellaneous[$providerName]['Account'])) {
            continue;
        }
        $newAccount = $this->miscellaneous[$providerName]['Account'];
        $token->setAccount($newAccount);
        // Setting the status here is what makes the security context treat the new user as logged in
        $token->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_SUCCESSFUL);
        $this->getMapperByProviderName($providerName)->finalizePersistingNewUser($newAccount);
    }
}
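/**
 * Executes this finisher.
 *
 * Two flows are handled, selected by the parent request's action name:
 *  - 'editDataSheet': the submitted values replace the data sheet of the
 *    project named by the 'project' request argument, the project manager's
 *    e-mail address is refreshed, and an administrator notification with a
 *    diff of the changes is sent.
 *  - anything else: a new project is created from the submitted values; the
 *    userName/password fields are stripped from the stored sheet and used to
 *    create a ProjectManager account (when no one or an administrator is
 *    logged in), or the project is attached to the logged-in ProjectManager.
 *    Notification mails go to the project manager and the team.
 * Both flows end with a 303 redirect to the project's edit page.
 *
 * @see AbstractFinisher::execute()
 *
 * @return void
 * @throws \TYPO3\Flow\Mvc\Exception\StopActionException always, to stop the action after the redirect is set
 */
protected function executeInternal()
{
    /** @var \TYPO3\Form\Core\Runtime\FormRuntime $formRuntime */
    $formRuntime = $this->finisherContext->getFormRuntime();
    $formValueArray = $formRuntime->getFormState()->getFormValues();

    // Strict comparison: the action name is a string, '==' added nothing but loose-comparison surprises
    if ($formRuntime->getRequest()->getParentRequest()->getControllerActionName() === 'editDataSheet') {
        // Update an existing data sheet. The author assumed the submitter is authenticated because a
        // data sheet can only be edited by an authenticated user.
        // NOTE(review): the project is loaded purely from the 'project' request argument; no check that the
        // submitter owns it is visible here — confirm the security policy for editDataSheet enforces that.
        /** @var \GIB\GradingTool\Domain\Model\Project $project */
        $project = $this->projectRepository->findByIdentifier($formRuntime->getRequest()->getParentRequest()->getArgument('project'));
        // HTML representation of the diff between the stored and the submitted data
        $diffContent = DiffUtility::arrayDiffRecursive($project->getDataSheetContentArray(), $formValueArray);
        // store changes to project
        $project->setDataSheetContent($formValueArray);
        $project->setLastUpdated(new \TYPO3\Flow\Utility\Now());
        // update e-mail address (could have changed in the data sheet)
        $projectManagerElectronicAddress = new \TYPO3\Party\Domain\Model\ElectronicAddress();
        $projectManagerElectronicAddress->setIdentifier($formValueArray['projectManagerEmail']);
        $projectManagerElectronicAddress->setType(\TYPO3\Party\Domain\Model\ElectronicAddress::TYPE_EMAIL);
        // NOTE(review): unlike the create branch below, the address is not also passed to addElectronicAddress();
        // confirm setPrimaryElectronicAddress() registers it on the party.
        $project->getProjectManager()->setPrimaryElectronicAddress($projectManagerElectronicAddress);
        $this->partyRepository->update($project->getProjectManager());
        $this->projectRepository->update($project);
        $this->persistenceManager->persistAll();
        // send a notification mail to the Administrator containing the changes
        $templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('editDataSheetNotification', $project);
        $this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, NULL, '', '', $diffContent);
        // add a flash message
        $message = new \TYPO3\Flow\Error\Message('Your data sheet for project "%s" was successfully edited.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($project->getProjectTitle()));
        $this->flashMessageContainer->addMessage($message);
    } else {
        // Create a new data sheet (and a new project around it)
        /** @var \GIB\GradingTool\Domain\Model\Project $project */
        $project = new \GIB\GradingTool\Domain\Model\Project();
        $project->setProjectTitle($formValueArray['projectTitle']);
        $project->setDataSheetFormIdentifier($this->settings['forms']['dataSheet']['default']);
        $project->setSubmissionFormIdentifier($this->settings['forms']['submission']['default']);
        // keep identifier (= userName) and password for the account creation below
        $identifier = $formValueArray['userName'];
        $password = $formValueArray['password'];
        // remove userName and password from the data array so the password is never stored unencrypted in the sheet
        unset($formValueArray['userName']);
        unset($formValueArray['password']);
        $project->setDataSheetContent($formValueArray);
        $project->setCreated(new \TYPO3\Flow\Utility\Now());
        $this->projectRepository->add($project);
        // add a flash message
        $message = new \TYPO3\Flow\Error\Message('Your data sheet for project "%s" was successfully submitted.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($formValueArray['projectTitle']));
        $this->flashMessageContainer->addMessage($message);

        if (!$this->authenticationManager->isAuthenticated() || $this->authenticationManager->isAuthenticated() && $this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) {
            // Nobody (or an administrator) is logged in: the project manager presumably has no account yet, so create one
            $projectManager = new \GIB\GradingTool\Domain\Model\ProjectManager();
            $projectManagerName = new \TYPO3\Party\Domain\Model\PersonName('', $formValueArray['projectManagerFirstName'], '', $formValueArray['projectManagerLastName']);
            $projectManager->setName($projectManagerName);
            $projectManagerElectronicAddress = new \TYPO3\Party\Domain\Model\ElectronicAddress();
            $projectManagerElectronicAddress->setIdentifier($formValueArray['projectManagerEmail']);
            $projectManagerElectronicAddress->setType(\TYPO3\Party\Domain\Model\ElectronicAddress::TYPE_EMAIL);
            $projectManager->addElectronicAddress($projectManagerElectronicAddress);
            $projectManager->setPrimaryElectronicAddress($projectManagerElectronicAddress);
            // add account
            // NOTE(review): the account identifier and password are taken straight from the (possibly anonymous) form
            // submission and no duplicate-identifier check is visible here; confirm createAccountWithPassword() or the
            // repository enforces uniqueness, and that the form validators cover password strength.
            $roles = array('GIB.GradingTool:ProjectManager');
            $authenticationProviderName = 'DefaultProvider';
            $account = $this->accountFactory->createAccountWithPassword($identifier, $password, $roles, $authenticationProviderName);
            $this->accountRepository->add($account);
            // add account to ProjectManager
            $projectManager->addAccount($account);
            // add project to ProjectManager
            $projectManager->addProject($project);
            // finally add the complete ProjectManager
            $this->partyRepository->add($projectManager);
            if (!$this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:Administrator')) {
                // No administrator is logged in, so log the new account in directly by charging the UsernamePassword token.
                // Only done when exactly one such token exists, so an ambiguous token set is left untouched.
                $authenticationTokens = $this->securityContext->getAuthenticationTokensOfType('TYPO3\\Flow\\Security\\Authentication\\Token\\UsernamePassword');
                if (count($authenticationTokens) === 1) {
                    $authenticationTokens[0]->setAccount($account);
                    $authenticationTokens[0]->setAuthenticationStatus(\TYPO3\Flow\Security\Authentication\TokenInterface::AUTHENTICATION_SUCCESSFUL);
                }
                // add a flash message
                $message = new \TYPO3\Flow\Error\Message('The account "%s" was created and you were successfully logged in.', \TYPO3\Flow\Error\Message::SEVERITY_OK, array($identifier));
                $this->flashMessageContainer->addMessage($message);
            }
        } elseif ($this->authenticationManager->isAuthenticated() && $this->authenticationManager->getSecurityContext()->hasRole('GIB.GradingTool:ProjectManager')) {
            // A logged-in project manager is adding a new project to their own account
            /** @var \GIB\GradingTool\Domain\Model\ProjectManager $projectManager */
            $projectManager = $this->authenticationManager->getSecurityContext()->getParty();
            $projectManager->addProject($project);
            $this->partyRepository->update($projectManager);
        }
        // NOTE(review): a submitter authenticated with neither role reaches this point with $projectManager unassigned,
        // so the mails below are sent with a NULL project manager — decide whether that case should be rejected instead.
        $this->persistenceManager->persistAll();
        // send notification mail to project manager (bcc to team)
        $templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('newDataSheetProjectManagerNotification', $project);
        $this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, $projectManager, $formValueArray['projectManagerFirstName'] . ' ' . $formValueArray['projectManagerLastName'], $formValueArray['projectManagerEmail']);
        // send notification mail to the GIB team
        $templateIdentifierOverlay = $this->templateService->getTemplateIdentifierOverlay('newDataSheetTeamNotification', $project);
        $dataSheetArray = $this->dataSheetService->getProcessedDataSheet($project);
        $this->notificationMailService->sendNotificationMail($templateIdentifierOverlay, $project, $projectManager, '', '', $dataSheetArray);
    }
    $this->persistenceManager->persistAll();

    // Redirect to the project's edit page by rewriting the main (outermost) response
    $formRuntime = $this->finisherContext->getFormRuntime();
    $request = $formRuntime->getRequest()->getMainRequest();
    $uriBuilder = new \TYPO3\Flow\Mvc\Routing\UriBuilder();
    $uriBuilder->setRequest($request);
    $uriBuilder->reset();
    $uri = $uriBuilder->uriFor('editDatasheet', array('project' => $project), 'Project');
    $response = $formRuntime->getResponse();
    $mainResponse = $response;
    // Walk up to the outermost response; the redirect headers must be set there, not on a sub-response
    while ($response = $response->getParentResponse()) {
        $mainResponse = $response;
    }
    $mainResponse->setStatus(303);
    $mainResponse->setHeader('Location', (string) $uri);
    throw new \TYPO3\Flow\Mvc\Exception\StopActionException();
}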
/**
 * Resets CAS tokens that are stuck in AUTHENTICATION_NEEDED back to NO_CREDENTIALS_GIVEN.
 *
 * When an authentication attempt is aborted, a token left in AUTHENTICATION_NEEDED
 * makes every action that touches the security framework render a blank page;
 * clearing the status restores normal behaviour. Only tokens belonging to
 * $providerName are affected; all other tokens are left untouched.
 *
 * @param string $providerName
 *
 * @return void
 */
private function fixWhiteScreenByAbortingAuthentication($providerName)
{
    $tokens = $this->securityContext->getAuthenticationTokensOfType(CasManager::DEFAULT_CAS_TOKEN);

    /* @var $token \RafaelKa\JasigPhpCas\Security\Authentication\Token\PhpCasToken */
    foreach ($tokens as $token) {
        $isStuck = $token->getAuthenticationStatus() === TokenInterface::AUTHENTICATION_NEEDED;
        if ($isStuck && $token->getAuthenticationProviderName() === $providerName) {
            $token->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
        }
    }
}