/**
 * {@inheritdoc}
 *
 * Ensures the Office plugin OAuth2 client exists. The client is looked up by
 * its fixed client id; only when that lookup throws NotFoundHttpException is
 * it created from the OfficePlugin class constants (name, client id, client
 * secret) as an activated desktop client with the password grant enabled and
 * the native-app redirect URI. Any other exception from the lookup propagates.
 *
 * @param base        $appbox Unused by this step
 * @param Application $app    Application used for the lookup / creation
 * @return bool Always true
 */
public function apply(base $appbox, Application $app)
{
    try {
        \API_OAuth2_Application::load_from_client_id($app, \API_OAuth2_Application_OfficePlugin::CLIENT_ID);

        // Already registered: nothing to do.
        return true;
    } catch (NotFoundHttpException $e) {
        // Not registered yet: fall through and create it.
    }

    $officeClient = \API_OAuth2_Application::create($app, null, \API_OAuth2_Application_OfficePlugin::CLIENT_NAME);
    $officeClient->set_activated(true);
    // Resource-owner password grant is enabled for this desktop client.
    $officeClient->set_grant_password(true);
    $officeClient->set_website("http://www.phraseanet.com");
    // NOTE(review): id and secret are class constants, i.e. identical on every
    // installation rather than generated per deployment.
    $officeClient->set_client_id(\API_OAuth2_Application_OfficePlugin::CLIENT_ID);
    $officeClient->set_client_secret(\API_OAuth2_Application_OfficePlugin::CLIENT_SECRET);
    $officeClient->set_type(\API_OAuth2_Application::DESKTOP_TYPE);
    $officeClient->set_redirect_uri(\API_OAuth2_Application::NATIVE_APP_REDIRECT_URI);

    return true;
}
/**
 * load_app_by_user() must return a non-empty array made only of
 * API_OAuth2_Application instances, and that array must contain the
 * fixture application owned by the test user.
 */
public function testLoad_app_by_user()
{
    $applications = API_OAuth2_Application::load_app_by_user(self::$DI['app'], self::$DI['user']);
    $this->assertTrue(is_array($applications));
    $this->assertTrue(count($applications) > 0);

    $fixtureSeen = false;
    foreach ($applications as $application) {
        if ($application->get_id() === self::$DI['oauth2-app-user']->get_id()) {
            $fixtureSeen = true;
        }
        $this->assertInstanceOf('API_OAuth2_Application', $application);
    }

    if (!$fixtureSeen) {
        $this->fail();
    }
}
/**
 * Password-grant hook: verifies a resource owner's credentials on behalf of
 * the given client.
 *
 * On success the client is stored via setClient(), the account is refreshed
 * with updateAccount() and an array with redirect_uri, client_id and
 * account_id is returned. Every failure path — unknown client, rejected
 * credentials, user not found, AccountLockedException, RequireCaptchaException
 * or any other \Exception — collapses to false, so the caller cannot tell the
 * reasons apart (nothing is logged here either).
 *
 * @param string $client_id
 * @param string $username
 * @param string $password
 * @return array|false
 */
protected function checkUserCredentials($client_id, $username, $password)
{
    try {
        $application = API_OAuth2_Application::load_from_client_id($this->app, $client_id);
        $this->setClient($application);

        // NOTE(review): a request built from globals is passed to the native
        // authenticator rather than an injected request object — confirm intended.
        $usrId = $this->app['auth.native']->getUsrId($username, $password, Request::createFromGlobals());
        if (!$usrId) {
            return false;
        }

        $user = $this->app['manipulator.user']->getRepository()->find($usrId);
        if ($user === null) {
            return false;
        }

        $account = $this->updateAccount($user);

        return [
            'redirect_uri' => $this->client->get_redirect_uri(),
            'client_id' => $this->client->get_client_id(),
            'account_id' => $account->get_id(),
        ];
    } catch (AccountLockedException $e) {
        return false;
    } catch (RequireCaptchaException $e) {
        return false;
    } catch (\Exception $e) {
        return false;
    }
}
/**
 * Registers the two OAuth2 fixture applications in the DI container: one
 * owned by $DI['user'] (key 'app-user') and one owned by
 * $DI['user_notAdmin'] (key 'app-user_notAdmin'). Both are WEB_TYPE clients
 * sharing the same redirect URI and website.
 *
 * @param \Pimple $DI Fixture container the applications are stored in
 */
private function insertOauthApps(\Pimple $DI)
{
    // key => [owner key in $DI, application name]; insertion order is kept.
    $fixtures = [
        'app-user' => ['user', 'test application for user'],
        'app-user_notAdmin' => ['user_notAdmin', 'test application for user not admin'],
    ];

    foreach ($fixtures as $key => $fixture) {
        list($ownerKey, $name) = $fixture;

        $DI[$key] = \API_OAuth2_Application::create($this->container, $DI[$ownerKey], $name);
        $DI[$key]->set_redirect_uri('http://callback.com/callback/');
        $DI[$key]->set_website('http://website.com/');
        $DI[$key]->set_type(\API_OAuth2_Application::WEB_TYPE);
    }
}
/**
 * Walks the applications already authorised by the test user and, when the
 * fixture application is among them, switches the test client to follow
 * redirects.
 *
 * NOTE(review): this method performs no assertion and `$authorize` is never
 * read, so it passes whatever load_authorized_app_by_user() returns.
 */
public function testAuthorizeRedirect()
{
    //session off
    $authorizedApps = \API_OAuth2_Application::load_authorized_app_by_user(self::$DI['app'], self::$DI['user']);

    foreach ($authorizedApps as $authorizedApp) {
        // loose comparison of client ids, as written originally
        if ($authorizedApp->get_client_id() == self::$DI['oauth2-app-user']->get_client_id()) {
            $authorize = true;
            self::$DI['client']->followRedirects();
        }
    }
}
/**
 * Mounts the OAuth2 controller collection.
 *
 * Registers this controller as `$app['controller.oauth2']`, shares an
 * `\API_OAuth2_Adapter` as `$app['oauth']`, and binds two routes:
 * `/authorize` (GET|POST, route name `oauth2_authorize`) and `/token` (POST).
 *
 * @param Application $app The Silex application the routes are mounted on
 * @return mixed The collection obtained from `$app['controllers_factory']`
 */
public function connect(Application $app)
{
    $app['controller.oauth2'] = $this;
    $controllers = $app['controllers_factory'];

    // Shared adapter instance; the closure parameter shadows the outer $app.
    $app['oauth'] = $app->share(function ($app) {
        return new \API_OAuth2_Adapter($app);
    });

    /**
     * AUTHORIZE ENDPOINT
     *
     * Authorization endpoint - used to obtain authorization from the
     * resource owner via user-agent redirection.
     *
     * Flow as implemented below:
     *  1. dispatch PRE_AUTHENTICATE, parse the authorization request, load the client;
     *  2. with nobody logged in: render the template, or when `action_login` is
     *     present authenticate with the `login` / `password` request values;
     *  3. once logged in: grant automatically if this client is already authorised
     *     by the user, otherwise render the consent template or record `action_accept`;
     *  4. finish through the native-app template, or let the OAuth2 library write
     *     the response itself and return an empty string.
     *
     * NOTE(review): the route accepts GET as well as POST and the credentials are
     * read with `$request->get()`; if that also resolves query parameters, a GET
     * submission would carry login/password in the URL — confirm the form posts.
     * NOTE(review): unlike `/token` below, this route has no `isSecure()` check.
     */
    $authorize_func = function () use($app) {
        $request = $app['request'];
        $oauth2_adapter = $app['oauth'];

        $context = new Context(Context::CONTEXT_OAUTH2_NATIVE);
        $app['dispatcher']->dispatch(PhraseaEvents::PRE_AUTHENTICATE, new PreAuthenticate($request, $context));

        //Check for auth params, send error or redirect if not valid
        $params = $oauth2_adapter->getAuthorizationRequestParameters($request);

        $app_authorized = false;
        // Never reassigned in this closure: the consent template always receives false.
        $errorMessage = false;

        // client_id comes from the request; an unknown id propagates whatever
        // load_from_client_id() throws (presumably NotFoundHttpException, as it
        // is caught elsewhere in the project).
        $client = \API_OAuth2_Application::load_from_client_id($app, $params['client_id']);
        $oauth2_adapter->setClient($client);

        $action_accept = $request->get("action_accept");
        $action_login = $request->get("action_login");

        // Optional per-client template, keyed on the id of the client loaded above
        // (a stored value, not the raw request parameter); used only if the file exists.
        $template = "api/auth/end_user_authorization.html.twig";
        $custom_template = sprintf("%s/config/templates/web/api/auth/end_user_authorization/%s.html.twig", $app['root.path'], $client->get_id());
        if (file_exists($custom_template)) {
            $template = sprintf('api/auth/end_user_authorization/%s.html.twig', $client->get_id());
        }

        if (!$app['authentication']->isAuthenticated()) {
            if ($action_login !== null) {
                try {
                    $usr_id = $app['auth.native']->getUsrId($request->get("login"), $request->get("password"), $request);
                    // NOTE(review): only null counts as a failed login here; if getUsrId()
                    // can also return false, that value would reach find() below — confirm
                    // (the adapter's password-grant path guards with `!$usr_id`).
                    if (null === $usr_id) {
                        $app['session']->getFlashBag()->set('error', $app->trans('login::erreur: Erreur d\'authentification'));

                        return $app->redirectPath('oauth2_authorize');
                    }
                } catch (RequireCaptchaException $e) {
                    return $app->redirectPath('oauth2_authorize', ['error' => 'captcha']);
                } catch (AccountLockedException $e) {
                    return $app->redirectPath('oauth2_authorize', ['error' => 'account-locked']);
                }

                $app['authentication']->openAccount($app['manipulator.user']->getRepository()->find($usr_id));
            }

            return new Response($app['twig']->render($template, ["auth" => $oauth2_adapter]));
        }

        //check if current client is already authorized by current user
        $user_auth_clients = \API_OAuth2_Application::load_authorized_app_by_user($app, $app['authentication']->getUser());
        foreach ($user_auth_clients as $auth_client) {
            // loose comparison (==) of client ids, as written originally
            if ($client->get_client_id() == $auth_client->get_client_id()) {
                $app_authorized = true;
            }
        }

        $account = $oauth2_adapter->updateAccount($app['authentication']->getUser());
        $params['account_id'] = $account->get_id();

        if (!$app_authorized && $action_accept === null) {
            // No decision yet: show the consent page. $params is replaced for the
            // template only; this branch returns, so the request params are not needed.
            $params = ["auth" => $oauth2_adapter, "errorMessage" => $errorMessage];

            return new Response($app['twig']->render($template, $params));
        } elseif (!$app_authorized && $action_accept !== null) {
            // Any truthy action_accept value is consent ("0" and "" are refusals);
            // a refusal marks the account as revoked.
            $app_authorized = (bool) $action_accept;
            $account->set_revoked(!$app_authorized);
        }

        //if native app show template
        if ($oauth2_adapter->isNativeApp($params['redirect_uri'])) {
            $params = $oauth2_adapter->finishNativeClientAuthorization($app_authorized, $params);

            return new Response($app['twig']->render("api/auth/native_app_access_token.html.twig", $params));
        }

        $oauth2_adapter->finishClientAuthorization($app_authorized, $params);

        // As OAuth2 library already outputs response content, we need to send an empty
        // response to avoid breaking silex controller
        return '';
    };

    $controllers->match('/authorize', $authorize_func)->method('GET|POST')->bind('oauth2_authorize');

    /**
     * TOKEN ENDPOINT
     * Token endpoint - used to exchange an authorization grant for an access token.
     *
     * Rejects non-https requests with a 400 before delegating to the adapter,
     * which writes the token response itself; the output buffer is flushed
     * (ob_flush/flush) before the empty string is returned to Silex.
     */
    $controllers->post('/token', function (\Silex\Application $app, Request $request) {
        if (!$request->isSecure()) {
            throw new HttpException(400, 'This route requires the use of the https scheme', null, ['content-type' => 'application/json']);
        }

        $app['oauth']->grantAccessToken($request);
        ob_flush();
        flush();

        // As OAuth2 library already outputs response content, we need to send an empty
        // response to avoid breaking silex controller
        return '';
    });

    return $controllers;
}
/**
 * @covers \Alchemy\Phrasea\Controller\Root\Developers::authorizeGrantpassword
 *
 * Granting the password flow through the developers endpoint must answer OK
 * with a JSON body whose `success` is true, and the application re-read from
 * the database must report is_password_granted().
 */
public function testAuthorizeGrantpasswordToken()
{
    $applicationId = self::$DI['oauth2-app-user']->get_id();
    $route = '/developers/application/' . $applicationId . '/authorize_grant_password/';

    $this->XMLHTTPRequest('POST', $route, ['grant' => '1']);

    $response = self::$DI['client']->getResponse();
    $this->assertTrue($response->isOk());

    $body = json_decode($response->getContent());
    $this->assertTrue($body->success);

    $reloaded = new \API_OAuth2_Application(self::$DI['app'], $applicationId);
    $this->assertTrue($reloaded->is_password_granted());
}
/**
 * Display authorized applications that can access user informations
 *
 * Renders account/authorized_apps.html.twig with every application that
 * load_app_by_user() returns for the authenticated user.
 *
 * @param Application $app     A Silex application where the controller is mounted on
 * @param Request     $request The current request (not read here)
 * @return string The rendered template, as returned by twig render()
 */
public function accountAuthorizedApps(Application $app, Request $request)
{
    $currentUser = $app['authentication']->getUser();
    $applications = \API_OAuth2_Application::load_app_by_user($app, $currentUser);

    return $app['twig']->render('account/authorized_apps.html.twig', [
        "applications" => $applications,
    ]);
}
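/**
 * Loads the API account linking $user to $application.
 *
 * The lookup is a prepared statement with bound parameters (:usr_id,
 * :application_id) on api_accounts; the cursor is closed before the result
 * is inspected so no statement is left open on the throwing path.
 *
 * @param Application            $app
 * @param API_OAuth2_Application $application
 * @param User                   $user
 * @return self
 * @throws NotFoundHttpException when no account row matches
 */
public static function load_with_user(Application $app, API_OAuth2_Application $application, User $user)
{
    $sql = 'SELECT api_account_id FROM api_accounts WHERE usr_id = :usr_id AND application_id = :application_id';
    $params = [
        ":usr_id" => $user->getId(),
        ":application_id" => $application->get_id(),
    ];

    $stmt = $app['phraseanet.appbox']->get_connection()->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stmt->closeCursor();

    if (!$row) {
        // message typo fixed ("nof found")
        throw new NotFoundHttpException('Account not found.');
    }

    return new self($app, $row['api_account_id']);
}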
/**
 * Get application information
 *
 * Loads the application by id — an unknown id is turned into a 404 through
 * $app->abort() — and renders developers/application.html.twig with the
 * application, the current user and the value of that user's access token
 * for it (the token is displayed to the developer on this page).
 *
 * @param Application $app     A Silex application where the controller is mounted on
 * @param Request     $request The current request
 * @param integer     $id      The application id
 * @return string The rendered template, as returned by twig render()
 */
public function getApp(Application $app, Request $request, $id)
{
    try {
        $application = new \API_OAuth2_Application($app, $id);
    } catch (NotFoundHttpException $e) {
        $app->abort(404);
    }

    $currentUser = $app['authentication']->getUser();
    $tokenValue = $application->get_user_account($currentUser)->get_token()->get_value();

    return $app['twig']->render('developers/application.html.twig', [
        "application" => $application,
        "user" => $currentUser,
        "token" => $tokenValue,
    ]);
}
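/**
 * With the Navigator client disabled in configuration, a token issued for
 * that client must be rejected: /api/v1/databoxes/list/ has to answer 403.
 *
 * The configuration value is captured first and written back at the end
 * regardless of the outcome, so the toggle does not leak into other tests.
 * (Previously `false` was written back instead of the saved value, leaving
 * the client disabled for the rest of the run.)
 */
public function testCheckNativeApp()
{
    $configPath = ['registry', 'api-clients', 'navigator-enabled'];
    $value = self::$DI['app']['conf']->get($configPath);
    self::$DI['app']['conf']->set($configPath, false);

    $fail = null;
    try {
        $nativeApp = \API_OAuth2_Application::load_from_client_id(self::$DI['app'], \API_OAuth2_Application_Navigator::CLIENT_ID);
        $account = \API_OAuth2_Account::create(self::$DI['app'], self::$DI['user'], $nativeApp);
        $token = $account->get_token()->get_value();
        $this->setToken($token);

        self::$DI['client']->request('GET', '/api/v1/databoxes/list/', $this->getParameters(), [], ['HTTP_Accept' => $this->getAcceptMimeType()]);
        $content = $this->unserialize(self::$DI['client']->getResponse()->getContent());

        if (403 != $content['meta']['http_code']) {
            $fail = new \Exception('Result does not match expected 403, returns ' . $content['meta']['http_code']);
        }
    } catch (\Exception $e) {
        // deferred so the configuration is restored before the failure surfaces
        $fail = $e;
    }

    // restore the original value, not a hard-coded false
    self::$DI['app']['conf']->set($configPath, $value);

    if ($fail) {
        throw $fail;
    }
}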