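/**
 * Creates a signed JWT.
 *
 * The header is fixed to RS256. The payload is JSON-encoded, both segments
 * are base64url-encoded and joined with ".", and the result is signed with
 * the configured P12 private key; the signature becomes the third segment.
 *
 * @param array $payload Claim set to sign.
 * @return string The signed JWT (header.payload.signature).
 * @throws Exception If the payload cannot be JSON-encoded. Previously a
 *   failed json_encode (returns false) silently produced a token whose
 *   payload segment was empty.
 */
private function makeSignedJwt($payload)
{
    $header = array('typ' => 'JWT', 'alg' => 'RS256');

    $encodedPayload = json_encode($payload);
    if ($encodedPayload === false) {
        // e.g. invalid UTF-8 in a claim value; refuse to sign a bogus token.
        throw new Exception('Unable to JSON-encode JWT payload (json error ' . json_last_error() . ')');
    }
    // json_encode escapes "/" as "\/" by default, which the original author
    // found broke claimsets downstream; undo it. Equivalent to
    // JSON_UNESCAPED_SLASHES, which needs PHP >= 5.4.
    $encodedPayload = str_replace('\\/', '/', $encodedPayload);

    $segments = array(
        Utils::urlSafeB64Encode(json_encode($header)),
        Utils::urlSafeB64Encode($encodedPayload),
    );
    $signingInput = implode('.', $segments);

    $signer = new P12($this->privateKey, $this->privateKeyPassword);
    $segments[] = Utils::urlSafeB64Encode($signer->sign($signingInput));

    return implode('.', $segments);
}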
/**
 * Sets the request headers, normalizing them first and merging over any
 * headers already present (a new value wins when a key already exists).
 *
 * @param array $headers The HTTP request headers to be set and normalized.
 */
public function setRequestHeaders($headers)
{
    $normalized = Utils::normalize($headers);

    if (!$this->requestHeaders) {
        $this->requestHeaders = $normalized;
        return;
    }

    // array_merge: values from $normalized overwrite existing string keys.
    $this->requestHeaders = array_merge($this->requestHeaders, $normalized);
}
/**
 * Starts a resumable upload session and returns its resume URI.
 *
 * If the request has a post body it is sent as JSON metadata together with
 * the x-upload-content-* headers describing the media that will follow.
 * A 200 response carrying a Location header yields that location; any other
 * outcome is logged and thrown.
 *
 * @return string The resume URI taken from the Location response header.
 * @throws Exception If the server does not answer 200 with a Location header.
 */
private function getResumeUri()
{
    $postBody = $this->request->getPostBody();
    if ($postBody) {
        $this->request->setRequestHeaders(array(
            'content-type' => 'application/json; charset=UTF-8',
            'content-length' => Utils::getStrLen($postBody),
            'x-upload-content-type' => $this->mimeType,
            'x-upload-content-length' => $this->size,
            'expect' => '',
        ));
    }

    $response = $this->client->getIo()->makeRequest($this->request);
    $httpCode = $response->getResponseHttpCode();
    $location = $response->getResponseHeader('location');
    if (200 == $httpCode && true == $location) {
        return $location;
    }

    // Build "<code>: <domain>, <message>;<domain>, <message>" from the error
    // body when one is present. Note the domain/message text is supplied by
    // the remote server and is logged verbatim.
    $detail = $httpCode;
    $decoded = @json_decode($response->getResponseBody());
    if (!empty($decoded->error->errors)) {
        $detail .= ': ';
        foreach ($decoded->error->errors as $err) {
            $detail .= "{$err->domain}, {$err->message};";
        }
        $detail = rtrim($detail, ';');
    }

    $errorText = "Failed to start the resumable upload (HTTP {$detail})";
    $this->client->getLogger()->error($errorText);
    throw new Exception($errorText);
}
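/**
 * Verifies a signed ID token (three-segment JWS) and returns its contents.
 *
 * Check order: segment count, envelope/payload parse, signature against any
 * key in $certs, iat/exp window (CLOCK_SKEW_SECS tolerance, lifetime capped
 * at $max_expiry), then issuer (only when $issuer is given) and audience.
 * The signature is verified before any claim is trusted.
 *
 * NOTE(review): the envelope's "alg" value is never consulted; the signature
 * check relies entirely on whatever algorithm Pem::verify implements, so
 * confirm Pem::verify does not derive its algorithm from the token.
 * Exception messages embed the raw token/payload; callers that log them
 * should be aware tokens will land in logs.
 *
 * Fixes vs. the previous revision: the "Wrong recipient" sprintf had three
 * arguments but two placeholders (payload was dropped); "iss"/"aud" were read
 * without a key check (E_NOTICE on absence); audience was compared with "!=",
 * under which numeric-looking strings compare numerically ("1e3" == "1000").
 *
 * @param string $jwt The token.
 * @param array $certs Map of key name => PEM-encoded public key.
 * @param string $required_audience The expected "aud" claim.
 * @param string|null $issuer Expected "iss" claim; when null/empty the issuer is NOT checked.
 * @param int|null $max_expiry Maximum accepted lifetime in seconds; defaults to MAX_TOKEN_LIFETIME_SECS.
 * @throws Exception On any structural, signature, time, issuer or audience failure.
 * @return LoginTicket The verified envelope and payload.
 */
public function verifySignedJwtWithCerts($jwt, $certs, $required_audience, $issuer = null, $max_expiry = null)
{
    if (!$max_expiry) {
        // Set the maximum time we will accept a token for.
        $max_expiry = self::MAX_TOKEN_LIFETIME_SECS;
    }

    $segments = explode('.', $jwt);
    if (count($segments) != 3) {
        throw new Exception("Wrong number of segments in token: {$jwt}");
    }
    $signed = $segments[0] . '.' . $segments[1];
    $signature = Utils::urlSafeB64Decode($segments[2]);

    // Parse envelope.
    $envelope = json_decode(Utils::urlSafeB64Decode($segments[0]), true);
    if (!$envelope) {
        throw new Exception("Can't parse token envelope: " . $segments[0]);
    }

    // Parse token.
    $json_body = Utils::urlSafeB64Decode($segments[1]);
    $payload = json_decode($json_body, true);
    if (!$payload) {
        throw new Exception("Can't parse token payload: " . $segments[1]);
    }

    // Check signature first: nothing in the payload is trusted until this passes.
    $verified = false;
    foreach ($certs as $keyName => $pem) {
        $public_key = new Pem($pem);
        if ($public_key->verify($signed, $signature)) {
            $verified = true;
            break;
        }
    }
    if (!$verified) {
        throw new Exception("Invalid token signature: {$jwt}");
    }

    // Check issued-at timestamp (0 / missing is rejected).
    $iat = array_key_exists('iat', $payload) ? $payload['iat'] : 0;
    if (!$iat) {
        throw new Exception("No issue time in token: {$json_body}");
    }
    $earliest = $iat - self::CLOCK_SKEW_SECS;

    // Check expiration timestamp.
    $now = time();
    $exp = array_key_exists('exp', $payload) ? $payload['exp'] : 0;
    if (!$exp) {
        throw new Exception("No expiration time in token: {$json_body}");
    }
    if ($exp >= $now + $max_expiry) {
        throw new Exception(sprintf("Expiration time too far in future: %s", $json_body));
    }
    $latest = $exp + self::CLOCK_SKEW_SECS;
    if ($now < $earliest) {
        throw new Exception(sprintf("Token used too early, %s < %s: %s", $now, $earliest, $json_body));
    }
    if ($now > $latest) {
        throw new Exception(sprintf("Token used too late, %s > %s: %s", $now, $latest, $json_body));
    }

    // Check issuer, only when the caller asked for one. A missing "iss"
    // claim fails the comparison rather than raising a notice.
    $iss = array_key_exists('iss', $payload) ? $payload['iss'] : null;
    if ($issuer && $iss !== $issuer) {
        throw new Exception(sprintf("Invalid issuer, %s != %s: %s", $iss, $issuer, $json_body));
    }

    // Check audience with a strict string comparison; a non-string "aud"
    // (absent, numeric, or an array) is rejected.
    $aud = array_key_exists('aud', $payload) ? $payload['aud'] : null;
    if (!is_string($aud) || $aud !== (string) $required_audience) {
        $audText = is_string($aud) ? $aud : json_encode($aud);
        throw new Exception(sprintf("Wrong recipient, %s != %s: %s", $audText, $required_audience, $json_body));
    }

    // All good.
    return new LoginTicket($envelope, $payload);
}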
/**
 * Seeds this object's properties from an array.
 *
 * For each key: when a property named after the key exists and no property
 * named after keyType(key) exists, the value is assigned directly and the key
 * is removed from the array. Otherwise, when the camelCase form of the key is
 * a property, the value is assigned there but the key is left in the array
 * under its original (snake_case) name. Whatever remains is stored in
 * $this->modelData.
 *
 * @param array $array Used to seed this object's properties.
 * @return void
 */
protected function mapTypes($array)
{
    // Simple types are initialised eagerly; keys left in $array are loaded later.
    foreach ($array as $name => $value) {
        // Same evaluation order as before: keyType() is consulted first.
        $isSimple = !property_exists($this, $this->keyType($name))
            && property_exists($this, $name);
        if ($isSimple) {
            $this->{$name} = $value;
            unset($array[$name]);
            continue;
        }

        $camelName = Utils::camelCase($name);
        if (property_exists($this, $camelName)) {
            // Kept in $array as snake_case for backwards compatibility.
            $this->{$camelName} = $value;
        }
    }

    $this->modelData = $array;
}