/**
 * Start an impersonated session with Kaltura's server.
 * The result KS is the session key that you should pass to all services that requires a ticket.
 *
 * The caller's own credentials ($partnerId + $secret) are checked first, then the caller's
 * partner group must allow access to $impersonatedPartnerId; only after both pass is the
 * impersonated partner's secret read from the DB and used to build the new KS.
 *
 * @action impersonate
 * @param string $secret Remember to provide the correct secret according to the sessionType you want
 * @param int $impersonatedPartnerId
 * @param string $userId
 * @param KalturaSessionType $type Regular session or Admin session
 * @param int $partnerId
 * @param int $expiry KS expiry time in seconds
 * @param string $privileges
 * @return string
 *
 * @throws APIErrors::START_SESSION_ERROR
 */
function impersonateAction($secret, $impersonatedPartnerId, $userId = "", $type = 0, $partnerId = null, $expiry = 86400, $privileges = null)
{
    KalturaResponseCacher::disableCache();

    // The caller must prove ownership of $partnerId with a secret matching the requested session type.
    $secretCheck = myPartnerUtils::isValidSecret($partnerId, $secret, "", $expiry, $type);
    if ($secretCheck !== true) {
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
    }

    // The caller's partner group decides which partners it may impersonate.
    $mayImpersonate = myPartnerUtils::allowPartnerAccessPartner($partnerId, $this->partnerGroup(), $impersonatedPartnerId);
    if (!$mayImpersonate) {
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
    }

    // Load the target partner; an unknown id is reported with the same generic error.
    $targetPartner = PartnerPeer::retrieveByPK($impersonatedPartnerId);
    if (!$targetPartner) {
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
    }

    // The new KS is signed with the target's secret for the requested session type.
    $targetSecret = ($type == KalturaSessionType::ADMIN)
        ? $targetPartner->getAdminSecret()
        : $targetPartner->getSecret();

    // startKSession fills $sessionKey by reference and reports failure with a negative result.
    $sessionKey = "";
    $startResult = kSessionUtils::startKSession($targetPartner->getId(), $targetSecret, $userId, $sessionKey, $expiry, $type, "", $privileges, $partnerId);
    if ($startResult < 0) {
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $partnerId);
    }

    return $sessionKey;
}
/**
 * Resolve the partner / user context of the current request, with or without a KS.
 *
 * With a KS: the ticket is parsed, kCurrentContext is populated from it, the ticket's
 * partner is loaded, the ticket is validated according to the service's ticket
 * requirement, and the ticket's partner must be allowed to act on the requested partner.
 * Without a KS: the requested partner is loaded and the service must be usable
 * ticket-less (or, failing that, accept Kaltura Network access without private data).
 *
 * NOTE(review): whether $this->addException() throws immediately or collects the error
 * is not visible here; the code after each call is written as if execution may continue.
 *
 * @param int|null    $partner_id requested partner; an empty value falls back to the KS partner
 * @param mixed       $subp_id    passed through unchanged
 * @param string|null $puser_id   requested user; an empty value falls back to the KS user
 * @param string|null $ks_str     raw KS string, empty for a ticket-less call
 * @return array [partner_id, subp_id, puser_id, allow_private_partner_data]
 */
private function validateTicketSetPartner($partner_id, $subp_id, $puser_id, $ks_str)
{
    if ($ks_str) {
        // 1. parse the ks
        // NOTE(review): crackKs looks like a parse only; the signature check appears to
        // happen in validateKSession2 (step 4) and only on the branches that reach it - confirm.
        $ks = kSessionUtils::crackKs($ks_str);
        // 2. extract partner_id (falsy values - including 0 - are treated as "not given")
        $ks_partner_id = $ks->partner_id;
        $master_partner_id = $ks->master_partner_id;
        if (!$master_partner_id) {
            $master_partner_id = $ks_partner_id;
        }
        if (!$partner_id) {
            $partner_id = $ks_partner_id;
        }
        // use the user from the ks if not explicitly set
        if (!$puser_id) {
            $puser_id = $ks->user;
        }
        // publish the request context before any validation so later code (and logging) can see it
        kCurrentContext::$ks = $ks_str;
        kCurrentContext::$partner_id = $partner_id;
        kCurrentContext::$ks_partner_id = $ks_partner_id;
        kCurrentContext::$master_partner_id = $master_partner_id;
        kCurrentContext::$uid = $puser_id;
        kCurrentContext::$ks_uid = $ks->user;
        // 3. retrieve the ticket's partner
        $ks_partner = PartnerPeer::retrieveByPK($ks_partner_id);
        // the service_config is assumed to be the one of the operating_partner == ks_partner
        if (!$ks_partner) {
            $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $ks_partner_id);
        }
        // called with null when the partner was not found (see the NOTE on addException above)
        $this->setServiceConfigFromPartner($ks_partner);
        if ($ks_partner && !$ks_partner->getStatus()) {
            $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
        }
        // 4. validate ticket per service for the ticket's partner
        $ticket_type = $this->ticketType2();
        if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
            // partner cannot access this service
            $this->addException(APIErrors::SERVICE_FORBIDDEN);
        }
        if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
            // TODO - which user is this ? from the ks ? from the puser_id ?
            $ks_puser_id = $ks->user;
            $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
            if (0 >= $res) {
                // an invalid ticket is reported as an exception rather than an error
                $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
            }
            // $this->ks is set regardless of $res; relies on addException stopping the request on failure
            $this->ks = $ks;
        } elseif ($ticket_type == kSessionUtils::REQUIED_TICKET_NONE && $ks_str) {
            // the service needs no ticket, but a valid one is still kept on the request when given
            $ks_puser_id = $ks->user;
            $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
            if ($res > 0) {
                $this->ks = $ks;
            }
        }
        // NOTE(review): when force_ticket_check is off and the service requires a ticket,
        // neither branch above validates the ks; it is only parsed - confirm this is intended.
        // 5. see partner is allowed to access the desired partner (if himself - easy, else - should appear in the partnerGroup)
        $allow_access = myPartnerUtils::allowPartnerAccessPartner($ks_partner_id, $this->partnerGroup2(), $partner_id);
        if (!$allow_access) {
            $this->addException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $ks_partner_id, $partner_id);
        }
        // 6. set the partner to be the desired partner and the operating_partner to be the one from the ks
        $this->partner = PartnerPeer::retrieveByPK($partner_id);
        $this->operating_partner = $ks_partner;
        // the config is that of the ks_partner NOT of the partner
        // (setServiceConfigFromPartner($ks_partner) was already called above, before the ks validation)
        // TODO - should change service_config to be the one of the partner_id ??
        // 7. if ok - return the partner_id to be used from this point onwards
        return array($partner_id, $subp_id, $puser_id, true); // allow private_partner_data
    } else {
        // no ks_str
        // 1. the partner is identified by partner_id only
        // 2. retrieve partner
        $this->partner = PartnerPeer::retrieveByPK($partner_id);
        if (!$this->partner) {
            $this->partner = null;
            // go to the default config
            $this->setServiceConfigFromPartner(null);
            if ($this->requirePartner2()) {
                $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $partner_id);
            }
        }
        if ($this->partner && !$this->partner->getStatus()) {
            $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
        }
        // ticket-less request: no ks, no ks partner, no ks user in the context
        kCurrentContext::$ks = null;
        kCurrentContext::$partner_id = $partner_id;
        kCurrentContext::$ks_partner_id = null;
        kCurrentContext::$uid = $puser_id;
        kCurrentContext::$ks_uid = null;
        // 3. make sure the service can be accessed with no ticket
        $this->setServiceConfigFromPartner($this->partner);
        $ticket_type = $this->ticketType2();
        if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
            // partner cannot access this service
            $this->addException(APIErrors::SERVICE_FORBIDDEN);
        }
        if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
            // NEW: 2008-12-28
            // Instead of throwing an exception, see if the service allows KN.
            // If so - a relatively weak partner access
            if ($this->kalturaNetwork2()) {
                // if the service supports KN - continue without private data
                return array($partner_id, $subp_id, $puser_id, false); // DONT allow private_partner_data
            }
            // a missing ticket is reported as an exception rather than an error
            $this->addException(APIErrors::MISSING_KS);
        }
        // 4. set the partner & operating_partner to be the one-and-only partner of this session
        $this->operating_partner = $this->partner;
        return array($partner_id, $subp_id, $puser_id, true); // allow private_partner_data
    }
}
/**
 * Check whether the operating partner may act on the requested partner for this service/action.
 *
 * When either partner id is not set there is nothing to enforce and access is granted.
 * A denied check is logged at debug level before being returned.
 *
 * @param string $service
 * @param string $action
 * @return bool|mixed the value returned by myPartnerUtils::allowPartnerAccessPartner (true when no check applies)
 */
private static function isPartnerAccessAllowed($service, $action)
{
    // Nothing to enforce without both sides of the relation.
    if (self::$operatingPartnerId === null || self::$requestedPartnerId === null) {
        return true;
    }

    $group = self::getPartnerGroup($service, $action);
    $allowed = myPartnerUtils::allowPartnerAccessPartner(self::$operatingPartnerId, $group, self::$requestedPartnerId);
    if ($allowed) {
        return $allowed;
    }

    // Denials are logged so access problems can be traced per service/action.
    KalturaLog::debug("Operating partner [" . self::$operatingPartnerId . "] not allowed using requested partner [" . self::$requestedPartnerId . "] with partner group [{$group}]");
    return $allowed;
}
/**
 * Start an impersonated session with Kaltura's server.
 * The result KS info contains the session key that you should pass to all services that requires a ticket.
 * Type, expiry and privileges won't be changed if they're not set
 *
 * The partner, user and (by default) type/expiry/privileges of the new KS are taken from
 * the given KS; the caller's partner group must allow access to that partner, otherwise
 * the partner is looked up through the default criteria only.
 *
 * @action impersonateByKs
 * @param string $session The old KS of the impersonated partner
 * @param KalturaSessionType $type Type of the new KS
 * @param int $expiry Expiry time in seconds of the new KS
 * @param string $privileges Privileges of the new KS
 * @return KalturaSessionInfo
 *
 * @throws APIErrors::START_SESSION_ERROR
 */
function impersonateByKsAction($session, $type = null, $expiry = null, $privileges = null)
{
    KalturaResponseCacher::disableCache();

    // The old KS must parse (and verify) before anything is read from it.
    try {
        $oldKS = ks::fromSecureString($session);
    } catch (Exception $e) {
        KalturaLog::err($e->getMessage());
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $this->getPartnerId());
    }

    $impersonatedPartnerId = $oldKS->partner_id;
    $impersonatedUserId = $oldKS->user;
    // Explicit arguments override the old KS; note that privileges use truthiness, type/expiry null-ness.
    $impersonatedType = $type ?? $oldKS->type;
    $impersonatedExpiry = $expiry ?? ($oldKS->valid_until - time());
    $impersonatedPrivileges = $privileges ?: $oldKS->privileges;

    $callerPartnerId = $this->getPartnerId();

    // The partner group decides which partners the caller may impersonate; outside the
    // group the partner is only reachable through the default criteria.
    if (myPartnerUtils::allowPartnerAccessPartner($callerPartnerId, $this->partnerGroup(), $impersonatedPartnerId)) {
        $impersonatedPartner = PartnerPeer::retrieveByPK($impersonatedPartnerId);
    } else {
        $criteria = PartnerPeer::getDefaultCriteria();
        $criteria->addAnd(PartnerPeer::ID, $impersonatedPartnerId);
        $impersonatedPartner = PartnerPeer::doSelectOne($criteria);
    }
    if (!$impersonatedPartner) {
        KalturaLog::err("Impersonated partner [{$impersonatedPartnerId} ]could not be fetched from the DB");
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $callerPartnerId);
    }

    // The new KS is signed with the secret matching the requested session type.
    $impersonatedSecret = ($impersonatedType == KalturaSessionType::ADMIN)
        ? $impersonatedPartner->getAdminSecret()
        : $impersonatedPartner->getSecret();

    // startKSession writes the new KS into $sessionInfo->ks by reference.
    $sessionInfo = new KalturaSessionInfo();
    $startResult = kSessionUtils::startKSession($impersonatedPartnerId, $impersonatedSecret, $impersonatedUserId, $sessionInfo->ks, $impersonatedExpiry, $impersonatedType, '', $impersonatedPrivileges, $callerPartnerId);
    if ($startResult < 0) {
        KalturaLog::err("Failed starting a session with result [{$startResult}]");
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $callerPartnerId);
    }

    $sessionInfo->partnerId = $impersonatedPartnerId;
    $sessionInfo->userId = $impersonatedUserId;
    $sessionInfo->expiry = $impersonatedExpiry;
    $sessionInfo->sessionType = $impersonatedType;
    $sessionInfo->privileges = $impersonatedPrivileges;

    return $sessionInfo;
}
/**
 * Check whether the operating partner may act on the requested partner for this service/action.
 *
 * Access is granted outright when either partner id is not set.
 *
 * @param string $service
 * @param string $action
 * @return bool|mixed the value returned by myPartnerUtils::allowPartnerAccessPartner (true when no check applies)
 */
private static function isPartnerAccessAllowed($service, $action)
{
    // Without both partner ids there is no relation to check.
    if (self::$operatingPartnerId === null) {
        return true;
    }
    if (self::$requestedPartnerId === null) {
        return true;
    }

    $operating = self::$operatingPartnerId;
    $group = self::getPartnerGroup($service, $action);
    return myPartnerUtils::allowPartnerAccessPartner($operating, $group, self::$requestedPartnerId);
}
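/**
 * Parse session key and return its info
 *
 * The caller's partner group must allow access to the partner the KS belongs to.
 * An unparsable or tampered KS is reported as START_SESSION_ERROR, consistent with
 * impersonateByKsAction, instead of leaking the parser's own exception.
 *
 * @action get
 * @param string $session The KS to be parsed, keep it empty to use current session.
 * @return KalturaSessionInfo
 *
 * @throws APIErrors::START_SESSION_ERROR
 * @throws APIErrors::PARTNER_ACCESS_FORBIDDEN
 */
function getAction($session = null)
{
    KalturaResponseCacher::disableCache();

    // An empty argument means "the KS of the current request".
    if (!$session) {
        $session = kCurrentContext::$ks;
    }

    // Map parse/verification failures to the documented error; API exceptions pass through unchanged.
    try {
        $ks = ks::fromSecureString($session);
    } catch (KalturaAPIException $e) {
        throw $e;
    } catch (Exception $e) {
        KalturaLog::err($e->getMessage());
        throw new KalturaAPIException(APIErrors::START_SESSION_ERROR, $this->getPartnerId());
    }

    // Only partners the caller may act on can have their session details read.
    if (!myPartnerUtils::allowPartnerAccessPartner($this->getPartnerId(), $this->partnerGroup(), $ks->partner_id)) {
        throw new KalturaAPIException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $this->getPartnerId(), $ks->partner_id);
    }

    $sessionInfo = new KalturaSessionInfo();
    $sessionInfo->partnerId = $ks->partner_id;
    $sessionInfo->userId = $ks->user;
    // Unlike impersonateByKsAction, expiry here is the absolute valid_until of the parsed KS.
    $sessionInfo->expiry = $ks->valid_until;
    $sessionInfo->sessionType = $ks->type;
    $sessionInfo->privileges = $ks->privileges;

    return $sessionInfo;
}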