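/**
 * VAR (reseller) console: lists the sub-partners of the logged-in VAR partner
 * and prepares a KMC login link for each of them.
 *
 * Reads partner_id and ks from the request (plus the optional email and
 * screen_name display values from $_GET). Redirects to the VAR login page
 * when partner_id is missing, when the KS cannot be cracked, or when it does
 * not validate as an admin ticket for that partner; dies with a message when
 * the partner is not a VAR_GROUP partner.
 *
 * Sets $this->me, $this->varKmcUrl and $this->partners for the view.
 *
 * @return string sfView::SUCCESS
 */
public function execute()
{
    // Optional display values; they are only echoed back into the KMC URL below.
    $email = isset($_GET['email']) ? $_GET['email'] : null;
    $screenName = isset($_GET['screen_name']) ? $_GET['screen_name'] : null;

    $partner_id = $this->getP('partner_id', null);
    if ($partner_id === null) {
        $this->redirectToVarLogin();
    }

    $this->me = PartnerPeer::retrieveByPK($partner_id);
    if (!$this->me || $this->me->getPartnerGroupType() != PartnerGroupType::VAR_GROUP) {
        die('You are not an authorized VAR. If you are a VAR, Please contact us at support@kaltura.com');
    }

    // The KS must be an admin ticket for the requested partner. A missing or
    // malformed KS is handled like an invalid one (redirect to login) instead
    // of letting crackKs' exception surface as an error page.
    $ksStr = $this->getP('ks');
    if (!$ksStr) {
        $this->redirectToVarLogin();
    }
    try {
        $ks = kSessionUtils::crackKs($ksStr);
    } catch (Exception $e) {
        $this->redirectToVarLogin();
    }
    $res = kSessionUtils::validateKSession2(kSessionUtils::REQUIED_TICKET_ADMIN, $partner_id, $ks->user, $ksStr, $ks);
    if ($res != ks::OK) {
        $this->redirectToVarLogin();
    }

    // All partners whose parent is the VAR partner.
    $c = new Criteria();
    $c->addAnd(PartnerPeer::PARTNER_PARENT_ID, $this->me->getId());
    // add extra filtering if required
    //$c->addAnd(PartnerPeer::STATUS, 1);
    $partners = PartnerPeer::doSelect($c);

    // KMC v1 and later versions use different query parameter names for the partner ids.
    $partner_id_param_name = 'pid';
    $subpid_param_name = 'subpid';
    if ($this->me->getKmcVersion() == 1) {
        $partner_id_param_name = 'partner_id';
        $subpid_param_name = 'subp_id';
    }
    // Every request-supplied value is URL-encoded before being placed in the
    // query string, and the KS that was validated above is the one echoed
    // back (rather than a second, unvalidated read of $_GET['ks']).
    $kmc2Query = '?' . $partner_id_param_name . '=' . $this->me->getId()
        . '&' . $subpid_param_name . '=' . ($this->me->getId() * 100)
        . '&ks=' . urlencode($ksStr)
        . '&email=' . urlencode((string) $email)
        . '&screen_name=' . urlencode((string) $screenName);
    // NOTE(review): the scheme is hard-coded to http here and in the loop below.
    $this->varKmcUrl = 'http://' . kConf::get('www_host') . '/index.php/kmc/kmc' . $this->me->getKmcVersion() . $kmc2Query;

    $this->partners = array();
    foreach ($partners as $partner) {
        // A 30-day KS for the sub-partner's admin user with all privileges ("*")
        // is minted and embedded in the link, so the rendered page carries full
        // access to every sub-partner. Ticket type 2 appears to be the admin
        // ticket type (REQUIED_TICKET_ADMIN) — confirm before relying on it.
        $ks = null;
        kSessionUtils::createKSessionNoValidations($partner->getId(), $partner->getAdminUserId(), $ks, 30 * 86400, 2, "", "*");
        $kmcLink = 'http://' . kConf::get('www_host') . '/index.php/kmc/extlogin?ks=' . urlencode((string) $ks) . '&partner_id=' . $partner->getId();
        $this->partners[$partner->getId()] = array('name' => $partner->getPartnerName(), 'kmcLink' => $kmcLink);
    }

    // The original had a bare `sfView::SUCCESS;` statement mid-function, which
    // looks like it was meant as the return value.
    return sfView::SUCCESS;
}

/**
 * Sends the browser to the VAR login page and stops the request.
 */
private function redirectToVarLogin()
{
    header("Location: /index.php/kmc/varlogin");
    die;
}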
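/**
 * Starts a widget session: answers with a KS bound to the widget's partner.
 *
 * Request parameters read here: widget_id (mandatory), expiry (optional,
 * default 86400 seconds) and, for FORCE_KS widgets, ks.
 *
 * For a widget of type WIDGET_SECURITY_TYPE_FORCE_KS the caller's own KS is
 * validated against the widget's partner and echoed back; for any other
 * widget a fresh non-admin KS with "view:*,widget:1" privileges is minted
 * for user 0.
 *
 * On success addMsg() receives ks, partner_id, subp_id and uid; on failure
 * addError()/addException() is called with the matching APIErrors code.
 *
 * @param mixed $partner_id     ignored as input; replaced by the widget's partner id
 * @param mixed $subp_id        not used by this action
 * @param mixed $puser_id       user the KS is validated for in the FORCE_KS case
 * @param mixed $partner_prefix not used by this action
 * @param mixed $puser_kuser    not used by this action
 */
public function executeImpl($partner_id, $subp_id, $puser_id, $partner_prefix, $puser_kuser)
{
    // make sure the secret fits the one in the partner's table
    $ks_str = "";
    // NOTE(review): expiry comes straight from the request with no upper bound,
    // so the client decides how long the issued KS stays valid — confirm
    // whether a server-side cap is intended.
    $expiry = $this->getP("expiry", 86400);
    $widget_id = $this->getPM("widget_id");
    $widget = widgetPeer::retrieveByPK($widget_id);
    if (!$widget) {
        $this->addError(APIErrors::INVALID_WIDGET_ID, $widget_id);
        return;
    }
    // The session is always issued for the widget's partner, never for the
    // partner_id the caller passed in.
    $partner_id = $widget->getPartnerId();

    // TODO - see how to decide if the partner has a URL to redirect to
    // according to the partner's policy and the widget's policy - define the privileges of the ks
    // TODO - decide !! - for now only view - any kshow
    $privileges = "view:*,widget:1";

    if ($widget->getSecurityType() == widget::WIDGET_SECURITY_TYPE_FORCE_KS) {
        if (!$this->ks) {
            // the one from the defPartnerservices2Action
            $this->addException(APIErrors::MISSING_KS);
        }
        $ks_str = $this->getP("ks");
        // Ticket type 1 — presumably the non-admin ticket type; confirm.
        $res = kSessionUtils::validateKSession2(1, $partner_id, $puser_id, $ks_str, $this->ks);
        if (0 >= $res) {
            // chaned this to be an exception rather than an error
            $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
        }
        // Carry the validation result forward so a KS that failed validation
        // cannot reach the success branch below; previously $result was left
        // unset on this path and the success branch ran regardless.
        $result = $res;
    } else {
        // the session will be for NON admins and privileges of view only
        $puser_id = 0;
        $result = kSessionUtils::createKSessionNoValidations($partner_id, $puser_id, $ks_str, $expiry, false, "", $privileges);
    }

    if ($result >= 0) {
        $this->addMsg("ks", $ks_str);
        $this->addMsg("partner_id", $partner_id);
        $this->addMsg("subp_id", $widget->getSubpId());
        $this->addMsg("uid", "0");
    } else {
        // TODO - see that there is a good error for when the invalid login count exceeds the max
        $this->addError(APIErrors::START_WIDGET_SESSION_ERROR, $widget_id);
    }
}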
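/**
 * Cracks a KS string, validates it for its own partner, and returns that partner id.
 *
 * crackKs is not wrapped here: a malformed KS propagates whatever it throws,
 * while an empty KS or a KS that fails validation yields null.
 *
 * @param string|null $ks_str the raw KS from the request
 * @return mixed the partner id carried by the KS, or null when absent/invalid
 */
private static function validateKs($ks_str)
{
    if (!$ks_str) {
        return null;
    }

    $ks = kSessionUtils::crackKs($ks_str);
    $ks_partner_id = $ks->partner_id;

    // Ticket type 2 appears to be the admin ticket type used elsewhere
    // (kSessionUtils::REQUIED_TICKET_ADMIN) — confirm before relying on it.
    $ticket_type = 2;
    // The ticket is checked against the partner and user it names itself;
    // a non-positive result means the KS is not valid.
    $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks->user, $ks_str, $ks);
    if ($res <= 0) {
        return null;
    }

    return $ks_partner_id;
}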
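/**
 * Will forward to the regular swf player according to the widget_id
 *
 * Resolves the entry, widget and uiconf from the request (entry_id,
 * widget_id, uiconf_id and, for FORCE_KS widgets, ks), applies the widget's
 * security type, and redirects to the HTML5 mwEmbedFrame URL on the
 * partner's host (or CDN host when the uiconf asks for it). Any failure ends
 * the request through KExternalErrors::dieError().
 *
 * The computed redirect is cached for 10 minutes keyed by the request URI,
 * except for MATCH_IP widgets whose answer depends on the caller's address.
 */
public function execute()
{
    $entry_id = $this->getRequestParameter("entry_id");
    $entry = null;
    $widget_id = null;
    $partner_id = null;

    // With an explicit entry_id the default widget is the partner's "_<id>" widget.
    if ($entry_id) {
        $entry = entryPeer::retrieveByPK($entry_id);
        if (!$entry) {
            KExternalErrors::dieError(KExternalErrors::ENTRY_NOT_FOUND);
        }
        $partner_id = $entry->getPartnerId();
        $widget_id = '_' . $partner_id;
    }

    $widget_id = $this->getRequestParameter("widget_id", $widget_id);
    $widget = widgetPeer::retrieveByPK($widget_id);
    if (!$widget) {
        KExternalErrors::dieError(KExternalErrors::WIDGET_NOT_FOUND);
    }

    // Without an entry_id the widget's own entry is used.
    if (!$entry_id) {
        $entry_id = $widget->getEntryId();
        if (!$entry_id) {
            KExternalErrors::dieError(KExternalErrors::MISSING_PARAMETER, 'entry_id');
        }
        $entry = entryPeer::retrieveByPK($entry_id);
        if (!$entry) {
            KExternalErrors::dieError(KExternalErrors::ENTRY_NOT_FOUND);
        }
        // $partner_id was never set on this path, which left the FORCE_KS
        // validation and the host lookup below running against a null partner.
        $partner_id = $entry->getPartnerId();
    }

    $allowCache = true;
    switch ($widget->getSecurityType()) {
        case widget::WIDGET_SECURITY_TYPE_TIMEHASH:
            // TODO - I don't know what should be validated here
            // Nothing is checked for this type, so it currently behaves like an
            // unrestricted widget.
            break;

        case widget::WIDGET_SECURITY_TYPE_MATCH_IP:
            // The outcome depends on the caller's address, so it must not be cached.
            $allowCache = false;
            // here we'll attemp to match the ip of the request with that from the customData of the widget
            // custom_data format: valid_county_1,valid_country_2,...,valid_country_n;fallback_entry_id;fallback_kshow_id
            // An empty custom_data means no country restriction is applied.
            $custom_data = $widget->getCustomData();
            if ($custom_data) {
                $arr = explode(";", $custom_data);
                $countries_str = $arr[0];
                $fallback_entry_id = isset($arr[1]) ? $arr[1] : null;
                $fallback_kshow_id = isset($arr[2]) ? $arr[2] : null;
                $current_country = "";
                if (!requestUtils::matchIpCountry($countries_str, $current_country)) {
                    KalturaLog::log("Attempting to access widget [{$widget_id}] and entry [{$entry_id}] from country [{$current_country}]. 
Retrning entry_id: [{$fallback_entry_id}] kshow_id [{$fallback_kshow_id}]");
                    // NOTE(review): with no fallback configured this leaves $entry_id
                    // null and the redirect URL is built with an empty entry_id —
                    // confirm that is the intended behaviour.
                    $entry_id = $fallback_entry_id;
                }
            }
            break;

        case widget::WIDGET_SECURITY_TYPE_FORCE_KS:
            $ks_str = $this->getRequestParameter('ks');
            // A missing or malformed KS is rejected the same way as an invalid one.
            if (!$ks_str) {
                KExternalErrors::dieError(KExternalErrors::INVALID_KS);
            }
            try {
                $ks = kSessionUtils::crackKs($ks_str);
            } catch (Exception $e) {
                KExternalErrors::dieError(KExternalErrors::INVALID_KS);
            }
            $res = kSessionUtils::validateKSession2(1, $partner_id, 0, $ks_str, $ks);
            if ($res <= 0) {
                KExternalErrors::dieError(KExternalErrors::INVALID_KS);
            }
            break;

        default:
            break;
    }

    // check if we cached the redirect url
    $requestKey = $_SERVER["REQUEST_URI"];
    $cache = new myCache("embedIframe", 10 * 60); // 10 minutes
    $cachedResponse = $cache->get($requestKey);
    if ($allowCache && $cachedResponse) {
        header("X-Kaltura: cached-action");
        header("Expires: Sun, 19 Nov 2000 08:52:00 GMT");
        header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
        header("Pragma: no-cache");
        header("Location:{$cachedResponse}");
        die;
    }

    $uiconf_id = $this->getRequestParameter('uiconf_id');
    if (!$uiconf_id) {
        $uiconf_id = $widget->getUiConfId();
    }
    if (!$uiconf_id) {
        KExternalErrors::dieError(KExternalErrors::MISSING_PARAMETER, 'uiconf_id');
    }
    $uiConf = uiConfPeer::retrieveByPK($uiconf_id);
    if (!$uiConf) {
        KExternalErrors::dieError(KExternalErrors::UI_CONF_NOT_FOUND);
    }

    // Host lookups happen once (the original computed them twice).
    $partner_host = myPartnerUtils::getHost($partner_id);
    $partner_cdnHost = myPartnerUtils::getCdnHost($partner_id);
    $host = $uiConf->getUseCdn() ? $partner_cdnHost : $partner_host;
    $html5_version = kConf::get('html5_version');

    // The path segments are ids of records that were looked up above.
    $url = $host
        . "/html5/html5lib/v{$html5_version}/mwEmbedFrame.php"
        . "/entry_id/{$entry_id}/wid/{$widget_id}/uiconf_id/{$uiconf_id}";

    if ($allowCache) {
        $cache->put($requestKey, $url);
    }
    $this->redirect($url);
}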
/**
 * Establishes the partner / operating-partner context for a service call,
 * validating the KS when one was supplied.
 *
 * With a KS: the KS is cracked, kCurrentContext is populated from it, the
 * KS partner is loaded and used for the service config, the ticket is
 * validated when the service requires one, and the KS partner is checked for
 * permission to act on the desired partner.
 *
 * Without a KS: the partner is loaded by id (falling back to the default
 * config when unknown) and the service must either require no ticket or be
 * reachable through Kaltura Network.
 *
 * Side effects: writes kCurrentContext::$ks/$partner_id/$ks_partner_id/
 * $master_partner_id/$uid/$ks_uid, sets $this->partner, $this->operating_partner
 * and (when a ticket validates) $this->ks, and calls setServiceConfigFromPartner().
 * Failures are reported through addException() with an APIErrors code.
 *
 * @param mixed $partner_id desired partner; defaults to the KS partner when empty
 * @param mixed $subp_id    passed through unchanged
 * @param mixed $puser_id   user id; defaults to the KS user when empty
 * @param mixed $ks_str     raw KS string, may be empty
 * @return array [partner_id, subp_id, puser_id, allow_private_partner_data]
 */
private function validateTicketSetPartner($partner_id, $subp_id, $puser_id, $ks_str) {
    if ($ks_str) {
        // 1. crack the ks (no try/catch here — a malformed KS propagates crackKs' exception)
        $ks = kSessionUtils::crackKs($ks_str);
        // 2. extract partner ids from the ks; master_partner_id defaults to the ks partner
        $ks_partner_id = $ks->partner_id;
        $master_partner_id = $ks->master_partner_id;
        if (!$master_partner_id) {
            $master_partner_id = $ks_partner_id;
        }
        if (!$partner_id) {
            $partner_id = $ks_partner_id;
        }
        // use the user from the ks if not explicitly set
        if (!$puser_id) {
            $puser_id = $ks->user;
        }
        // NOTE(review): the request context is populated from the KS before the
        // ticket has been validated (step 4 below) — confirm nothing downstream
        // treats these values as authenticated when force_ticket_check is off.
        kCurrentContext::$ks = $ks_str;
        kCurrentContext::$partner_id = $partner_id;
        kCurrentContext::$ks_partner_id = $ks_partner_id;
        kCurrentContext::$master_partner_id = $master_partner_id;
        kCurrentContext::$uid = $puser_id;
        kCurrentContext::$ks_uid = $ks->user;
        // 3. retrieve the ks partner
        $ks_partner = PartnerPeer::retrieveByPK($ks_partner_id);
        // the service_config is assumed to be the one of the operating_partner == ks_partner
        // addException is assumed to throw; if it ever returns, a null $ks_partner
        // reaches setServiceConfigFromPartner below — TODO confirm
        if (!$ks_partner) {
            $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $ks_partner_id);
        }
        $this->setServiceConfigFromPartner($ks_partner);
        if ($ks_partner && !$ks_partner->getStatus()) {
            $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
        }
        // 4. validate ticket per service for the ticket's partner
        $ticket_type = $this->ticketType2();
        if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
            // partner cannot access this service
            $this->addException(APIErrors::SERVICE_FORBIDDEN);
        }
        if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
            // TODO - which user is this ? from the ks ? from the puser_id ?
            // The ks user is used for validation, not the (possibly caller-supplied) $puser_id.
            $ks_puser_id = $ks->user;
            //$ks = null;
            $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
            if (0 >= $res) {
                // changed this to be an exception rather than an error
                $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
            }
            $this->ks = $ks;
        } elseif ($ticket_type == kSessionUtils::REQUIED_TICKET_NONE && $ks_str) {
            // No ticket is required: validate opportunistically and keep the ks
            // only when it checks out; an invalid ks is not an error here.
            $ks_puser_id = $ks->user;
            $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
            if ($res > 0) {
                $this->ks = $ks;
            }
        }
        // 5. see partner is allowed to access the desired partner (if himself - easy, else - should appear in the partnerGroup)
        $allow_access = myPartnerUtils::allowPartnerAccessPartner($ks_partner_id, $this->partnerGroup2(), $partner_id);
        if (!$allow_access) {
            $this->addException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $ks_partner_id, $partner_id);
        }
        // 6. set the partner to be the desired partner and the operating_partner to be the one from the ks
        // ($this->partner is not checked for null here — TODO confirm callers cope with an unknown desired partner)
        $this->partner = PartnerPeer::retrieveByPK($partner_id);
        $this->operating_partner = $ks_partner;
        // the config is that of the ks_partner NOT of the partner
        // $this->setServiceConfigFromPartner( $ks_partner ); - was already set above to extract the ks
        // TODO - should change service_config to be the one of the partner_id ??
        // 7. if ok - return the partner_id to be used from this point onwards
        return array($partner_id, $subp_id, $puser_id, true); // allow private_partner_data
    } else {
        // no ks_str
        // 1. extract partner by partner_id
        // 2. retrieve partner
        $this->partner = PartnerPeer::retrieveByPK($partner_id);
        if (!$this->partner) {
            $this->partner = null;
            // go to the default config
            $this->setServiceConfigFromPartner(null);
            if ($this->requirePartner2()) {
                $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $partner_id);
            }
        }
        if ($this->partner && !$this->partner->getStatus()) {
            $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
        }
        // No ks on this path: the ks-related context fields are cleared.
        // kCurrentContext::$master_partner_id is not reset here (it is only set
        // in the ks branch) — TODO confirm a stale value cannot carry over.
        kCurrentContext::$ks = null;
        kCurrentContext::$partner_id = $partner_id;
        kCurrentContext::$ks_partner_id = null;
        kCurrentContext::$uid = $puser_id;
        kCurrentContext::$ks_uid = null;
        // 3. make sure the service can be accessed with no ticket
        $this->setServiceConfigFromPartner($this->partner);
        $ticket_type = $this->ticketType2();
        if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
            // partner cannot access this service
            $this->addException(APIErrors::SERVICE_FORBIDDEN);
        }
        if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
            // NEW: 2008-12-28
            // Instead of throwing an exception, see if the service allows KN.
            // If so - a relatively weak partner access
            if ($this->kalturaNetwork2()) {
                // if the service supports KN - continue without private data
                return array($partner_id, $subp_id, $puser_id, false); // DONT allow private_partner_data
            }
            // changed this to be an exception rather than an error
            $this->addException(APIErrors::MISSING_KS);
        }
        // 4. set the partner & operating_partner to be the one-and-only partner of this session
        $this->operating_partner = $this->partner;
        return array($partner_id, $subp_id, $puser_id, true); // allow private_partner_data
    }
}