/**
* Creates an association for OpenID versions 1 and 2.
*
* This function calls {@link DiffieHellman::associateAsServer()} where required, to
* generate the cryptographic values required for an association response.
*
* @param int $mode either ASSOCIATION_SHARED or ASSOCIATION_PRIVATE
* @param string $assoc_type a valid OpenID association type
* @link http://openid.net/specs/openid-authentication-1_1.html#anchor14, http://openid.net/specs/openid-authentication-2_0.html#anchor20
*/
function __construct($mode = self::ASSOCIATION_SHARED, $assoc_type = 'HMAC-SHA1')
{
$rand = new Random();
$assoc_types = self::getAssociationTypes();
$this->assoc_handle = $rand->id();
$this->assoc_type = $assoc_type;
$mac_size = $assoc_types[$assoc_type]['mac_size'];
$this->mac_key = base64_encode($rand->bytes($mac_size));
$this->created = time();
if ($mode == self::ASSOCIATION_PRIVATE) {
$this->private = true;
}
}
/**
* Creates a auto login cookie. The login cookie will be based on the
* current log in user.
*
* @param string $id the ID of the series of auto login cookies, Cookies
* belonging to the same user and computer have the same ID. If none is specified,
* one will be generated
* @param int $expires the time at which the cookie will expire. If none is specified
* the time specified in {@link SIMPLEID_REMEMBERME_EXPIRES_IN} will be
* used
*
*/
protected function createCookie($id = NULL, $expires = NULL)
{
$user = $this->auth->getUser();
$rand = new Random();
if ($expires == NULL) {
$this->logger->log(LogLevel::DEBUG, 'Automatic login token created for ' . $user['uid']);
} else {
$this->logger->log(LogLevel::DEBUG, 'Automatic login token renewed for ' . $user['uid']);
}
if ($id == NULL) {
$id = $rand->id();
}
if ($expires == NULL) {
$expires = time() + SIMPLEID_LONG_TOKEN_EXPIRES_IN;
}
$data = array('typ' => 'rememberme', 'id' => $id, 'uid' => $user['uid'], 'exp' => $expires, 'uaid' => $this->auth->assignUAID());
$token = new SecurityToken();
$cookie = $token->generate($data);
$this->f3->set('COOKIE.' . $this->cookie_name, $cookie, SIMPLEID_LONG_TOKEN_EXPIRES_IN);
}
/**
* Detects the current installed version of SimpleID, selects the individual upgrade
* functions applicable to this upgrade and displays the upgrade
* selection page.
*/
function select()
{
global $upgrade_access_check;
$token = new SecurityToken();
if ($this->f3->exists('POST.tk') === false || !$token->verify($this->f3->get('POST.tk'), 'upgrade_info')) {
$this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.'));
$this->info();
return;
}
$tpl = new \Template();
$cache = \Cache::instance();
$cache->reset('.upgrade');
$list = $this->getUpgradeList();
if (count($list) == 0) {
$this->f3->set('script_complete', $this->t('Your SimpleID installation is up-to-date. This script is complete.'));
} else {
$rand = new Random();
$upgid = $rand->id();
$cache->set($upgid . '.upgrade', array('list' => $list, 'results' => ''));
$this->f3->set('upgid', $upgid);
$this->f3->set('tk', $token->generate('upgrade_selection', SecurityToken::OPTION_BIND_SESSION));
$this->f3->set('click_continue', $this->t('Click <strong>Continue</strong> to proceed with the upgrade.'));
$this->f3->set('continue_button', $this->t('Continue'));
}
$this->f3->set('original_version', $this->getVersion());
$this->f3->set('this_version', SIMPLEID_VERSION);
$this->f3->set('version_detected', $this->t('The version of SimpleID you are updating from has been automatically detected.'));
$this->f3->set('original_version_label', $this->t('Original version'));
$this->f3->set('this_version_label', $this->t('Upgrade version'));
$this->f3->set('edit_upgrade_php', $this->t('Remember to edit upgrade.php to check <code>$upgrade_access_check</code> back to <code>FALSE</code>.'));
$this->f3->set('title', $this->t('Upgrade'));
$this->f3->set('page_class', 'dialog-page');
$this->f3->set('layout', 'upgrade_selection.html');
print $tpl->render('page.html');
}
public function __construct($data = array())
{
parent::__construct($data);
$rand = new Random();
$this->cid = '_' . $rand->id() . '.oauth';
}
/**
* Initialises a token.
*
* @param Authorization $authorization the underlying authorisation
* @param array|string $scope the scope of the token
* @param int $expires_in the validity of the token, in seconds, or
* {@link TTL_PERPETUAL}
* @param TokenSource $source the token source
* @param array $additional additional data to be stored on the
* server
*/
protected function init($authorization, $scope = array(), $expires_in = self::TTL_PERPETUAL, $source = NULL, $additional = array())
{
$rand = new Random();
$this->id = $rand->id();
$this->authorization = $authorization;
if (count($scope) == 0) {
$this->scope = $authorization->getScope();
} else {
$this->scope = $authorization->filterScope($scope);
}
if ($source != null) {
$this->source_ref = $source->getSourceRef();
}
if ($expires_in > 0) {
$this->expire = time() + $expires_in;
}
$this->additional = $additional;
}
/**
* Creates an authorization code.
*
* Once the authorization code object has been created, the code can be retrieved using
* the {@link getCode()} method.
*
* @param Authorization $authorization the authorization that wishes to generate
* this code
* @param string|null $redirect_uri the redirect_uri parameter in the authorisation request, if
* present
* @param array $scope the allowed scope - this should be a subset of the scope provided by the
* authorization
* @param array $additional additional data to be stored in the authorization code
* @return Code the authorization code object
*/
public static function create($authorization, $redirect_uri, $scope, $additional = array())
{
$code = new Code();
$rand = new Random();
$cache = \Cache::instance();
$code->cid = $rand->id();
$code->aid = $authorization->getStoreID();
$code->auth_state = $authorization->getAuthState();
$code->redirect_uri = $redirect_uri;
$code->scope = !is_array($scope) ? explode(' ', $scope) : $scope;
$code->additional = $additional;
$code->expires = time() + SIMPLEID_INSTANT_TOKEN_EXPIRES_IN;
$cache->set($code->getCode() . '.code', $code, SIMPLEID_INSTANT_TOKEN_EXPIRES_IN);
$code->is_valid = true;
return $code;
}
/**
* Resets the current authorisation state
*
* @param string the new authorisation state
*/
public function resetAuthState()
{
$rand = new Random();
$this->auth_state = substr($rand->id(), -9);
return $this->auth_state;
}
/**
* Generates a token
*
* @param mixed $payload the payload to include in the token
* @param int $options the options for generating the token
* @return string the token string
*/
public function generate($payload, $options = self::OPTION_DEFAULT)
{
$rand = new Random();
$this->data = array('i' => $rand->id(), 'o' => $options, 'p' => $payload);
if (($options & self::OPTION_BIND_SESSION) == self::OPTION_BIND_SESSION) {
$this->data['s'] = session_id();
}
$token = $this->fernet->encode(gzcompress(serialize($this->data)));
if (($options & self::OPTION_NONCE) == self::OPTION_NONCE) {
$cache = \Cache::instance();
$cache->set($this->data['i'] . '.token', $token, SIMPLEID_HUMAN_TOKEN_EXPIRES_IN);
}
return $token;
}
/**
* Builds the JOSE response. This will return one of the following:
*
* - A JSON encoded string, if {@link $signed_response_alg} and
* {@link $encrypted_response_alg} are both null
* - A signed JWT (JWS), if {@link $signed_response_alg} is set
* - A JWE containing a nested JWT, if both {@link $signed_response_alg}
* and {@link $encrypted_response_alg} are set
*
* @param SimpleJWT\Keys\KeySet $set the key set used to sign and/or
* encrypt the token. If set to null, the default set of keys
* configured for the client and the server are loaded
* @return string the response body
*/
function buildJOSE($set = null)
{
$rand = new Random();
$typ = $this->getType();
if ($typ == 'json') {
return json_encode($this->container);
}
if ($set == null) {
$builder = new KeySetBuilder($client);
$set = $builder->addClientSecret()->addClientPublicKeys()->addServerPrivateKeys()->toKeySet();
}
$headers = array_merge($this->headers, array('alg' => $this->signed_response_alg));
$claims = array_merge($this->container, array('iss' => $this->issuer, 'aud' => $this->client->getStoreID(), 'jti' => $rand->id()));
$jwt = new JWT($headers, $claims);
try {
$token = $jwt->encode($set);
} catch (CryptException $e) {
return null;
}
if ($typ == 'jwt') {
return $token;
}
$headers = array('alg' => $this->encrypted_response_alg, 'enc' => $this->encrypted_response_enc, 'cty' => 'JWT');
$jwe = new JWE($headers, $token);
try {
return $jwe->encrypt($set);
} catch (CryptException $e) {
return null;
}
}
/**
* Assigns and returns a unique login state for the current
* authenticated session with user agent (UALS).
*
* A UALS uniquely identifies the current authenticated session with
* the user agent (e.g. browser). It is reset with each successful
* login and logout. The cookie associated with a UALS is only
* valid for the current session.
*
* This function will look for a cookie sent by the user agent with
* the name returned by {@link getCookieName()} with a suffix
* of uals. If the cookie does not exist, it will generate a
* UALS and return it to the user agent with a Set-Cookie
* response header.
*
* @param bool $reset true to reset the UALS
* @return string the UALS
*/
public function assignUALoginState($reset = false)
{
$name = $this->getCookieName('uals');
if ($this->f3->exists('COOKIE.' . $name) === true && !$reset) {
$this->ua_login_state = $this->f3->get('COOKIE.' . $name);
} else {
$rand = new Random();
$opaque = new OpaqueIdentifier();
$this->ua_login_state = $opaque->generate($this->assignUAID() . ':' . $rand->id());
// We don't use f3->set->COOKIE, as this automatically sets the cookie to be httponly
// We want this to be script readable.
setcookie($this->getCookieName('uals'), $this->ua_login_state, 0, $this->f3->get('BASE'), '', true, false);
}
return $this->ua_login_state;
}
