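/**
 * Builds the VAR (reseller) console: the partners whose parent is the requesting
 * partner, each with a login link into its own management console.
 *
 * Flow, as visible in this method:
 *  1. `partner_id` must be present, otherwise the caller is sent to the VAR login page.
 *  2. The partner must exist and be of group type VAR_GROUP.
 *  3. The `ks` request parameter must validate as an admin ticket for that partner.
 *  4. For each child partner a fresh session is created and embedded in its login link.
 *
 * Sets $this->me, $this->varKmcUrl and $this->partners for the view.
 */
public function execute()
 {
     // Request-supplied values that are echoed back inside a URL. Anything that is not a
     // plain string is dropped, and every value is URL-encoded where it is used, so a caller
     // cannot smuggle extra query parameters or markup into the generated link.
     $email = (isset($_GET['email']) && is_string($_GET['email'])) ? $_GET['email'] : '';
     $screenName = (isset($_GET['screen_name']) && is_string($_GET['screen_name'])) ? $_GET['screen_name'] : '';
     $ksParam = (isset($_GET['ks']) && is_string($_GET['ks'])) ? $_GET['ks'] : '';
     $partner_id = $this->getP('partner_id', null);
     if ($partner_id === null) {
         header("Location: /index.php/kmc/varlogin");
         die;
     }
     // NOTE(review): the VAR check runs before the session is validated, so the response
     // (message vs. redirect) tells an unauthenticated caller whether an id is a VAR.
     // Consider validating the ks first.
     $this->me = PartnerPeer::retrieveByPK($partner_id);
     if (!$this->me || $this->me->getPartnerGroupType() != PartnerGroupType::VAR_GROUP) {
         die('You are not an wuthorized VAR. If you are a VAR, Please contact us at support@kaltura.com');
     }
     $ks_str = $this->getP('ks');
     $ks = kSessionUtils::crackKs($ks_str);
     if (!$ks) {
         // Nothing usable came back from crackKs: treat it like a failed validation.
         header("Location: /index.php/kmc/varlogin");
         die;
     }
     // The user is taken from the ks itself; what is verified here is that the ks is an
     // admin ticket for the requested partner.
     $user = $ks->user;
     $res = kSessionUtils::validateKSession2(kSessionUtils::REQUIED_TICKET_ADMIN, $partner_id, $user, $ks_str, $ks);
     if ($res != ks::OK) {
         header("Location: /index.php/kmc/varlogin");
         die;
     }
     // Child partners are selected by parent id only; no status filter is applied.
     $c = new Criteria();
     $c->addAnd(PartnerPeer::PARTNER_PARENT_ID, $this->me->getId());
     $partners = PartnerPeer::doSelect($c);
     $this->partners = array();
     // KMC version 1 uses different query parameter names than later versions.
     $partner_id_param_name = 'pid';
     $subpid_param_name = 'subpid';
     if ($this->me->getKmcVersion() == 1) {
         $partner_id_param_name = 'partner_id';
         $subpid_param_name = 'subp_id';
     }
     $kmc2Query = '?' . $partner_id_param_name . '=' . $this->me->getId()
         . '&' . $subpid_param_name . '=' . ($this->me->getId() * 100)
         . '&ks=' . urlencode($ksParam)
         . '&email=' . urlencode($email)
         . '&screen_name=' . urlencode($screenName);
     // NOTE(review): the link is plain http:// and carries the session in the query string,
     // where it can end up in logs, history and Referer headers.
     $this->varKmcUrl = 'http://' . kConf::get('www_host') . '/index.php/kmc/kmc' . $this->me->getKmcVersion() . $kmc2Query;
     foreach ($partners as $partner) {
         $ks = null;
         // NOTE(review): every page load creates, for each child partner, a 30-day session
         // with "*" privileges through the no-validation path and places it in a URL.
         // A short-lived, single-purpose session created on click would expose far less.
         kSessionUtils::createKSessionNoValidations($partner->getId(), $partner->getAdminUserId(), $ks, 30 * 86400, 2, "", "*");
         $kmcLink = 'http://' . kConf::get('www_host') . "/index.php/kmc/extlogin?ks={$ks}&partner_id=" . $partner->getId();
         $this->partners[$partner->getId()] = array('name' => $partner->getPartnerName(), 'kmcLink' => $kmcLink);
     }
 }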
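 /**
  * Starts a session for a widget and reports it back to the caller.
  *
  * The partner is always taken from the widget row, never from the $partner_id argument.
  * For widgets of security type FORCE_KS the caller's own ks is validated and returned;
  * for every other widget a new session with view-only privileges is created for user 0.
  *
  * On success adds the messages "ks", "partner_id", "subp_id" and "uid"; on failure adds
  * START_WIDGET_SESSION_ERROR. Returns nothing.
  */
 public function executeImpl($partner_id, $subp_id, $puser_id, $partner_prefix, $puser_kuser)
 {
     $ks_str = "";
     // Fail closed. Previously $result was never assigned on the FORCE_KS path, so the
     // success check below compared null >= 0 (true) regardless of the validation outcome.
     $result = -1;
     // NOTE(review): expiry is caller-supplied and not bounded here; on the non-FORCE_KS
     // path it becomes the lifetime of a session handed to an unauthenticated caller.
     $expiry = $this->getP("expiry", 86400);
     $widget_id = $this->getPM("widget_id");
     $widget = widgetPeer::retrieveByPK($widget_id);
     if (!$widget) {
         $this->addError(APIErrors::INVALID_WIDGET_ID, $widget_id);
         return;
     }
     // NOTE(review): the partner row is not loaded or checked (e.g. for status) here;
     // the original fetched it into an unused variable.
     $partner_id = $widget->getPartnerId();
     // TODO - see how to decide if the partner has a URL to redirect to
     // according to the partner's policy and the widget's policy - define the privileges of the ks
     // TODO - decide !! - for now only view - any kshow
     $privileges = "view:*,widget:1";
     if ($widget->getSecurityType() == widget::WIDGET_SECURITY_TYPE_FORCE_KS) {
         if (!$this->ks) {
             // $this->ks is expected to have been set by the base action
             $this->addException(APIErrors::MISSING_KS);
         }
         $ks_str = $this->getP("ks");
         $res = kSessionUtils::validateKSession2(1, $partner_id, $puser_id, $ks_str, $this->ks);
         if (0 >= $res) {
             // reported as an exception rather than an error
             $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
         } else {
             $result = $res;
         }
     } else {
         // the session will be for NON admins, with view-only privileges
         $puser_id = 0;
         $result = kSessionUtils::createKSessionNoValidations($partner_id, $puser_id, $ks_str, $expiry, false, "", $privileges);
     }
     if ($result >= 0) {
         $this->addMsg("ks", $ks_str);
         $this->addMsg("partner_id", $partner_id);
         $this->addMsg("subp_id", $widget->getSubpId());
         $this->addMsg("uid", "0");
     } else {
         // TODO - see that there is a good error for when the invalid login count exceeds the max
         $this->addError(APIErrors::START_WIDGET_SESSION_ERROR, $widget_id);
     }
 }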
Пример #3
 /**
  * Returns the partner id carried by a ks string, or null when the string is empty or
  * does not validate.
  *
  * The ks is validated against its own partner and user with ticket type 2, so the
  * returned id is only as trustworthy as kSessionUtils::validateKSession2 makes it.
  */
 private static function validateKs($ks_str)
 {
     if ($ks_str) {
         // NOTE(review): the result of crackKs is dereferenced without a check; confirm it
         // always yields an object (or throws) for malformed input.
         $session = kSessionUtils::crackKs($ks_str);
         $sessionPartnerId = $session->partner_id;
         $sessionUser = $session->user;
         $status = kSessionUtils::validateKSession2(2, $sessionPartnerId, $sessionUser, $ks_str, $session);
         if ($status > 0) {
             return $sessionPartnerId;
         }
     }
     // empty input or failed validation
     return null;
 }
Пример #4
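 /**
  * Redirects to the HTML5 iframe player for an entry/widget pair.
  *
  * The entry comes from the `entry_id` request parameter, or from the widget when that is
  * absent. The widget comes from the `widget_id` parameter, or defaults to '_' followed by
  * the entry's partner id. The widget's security type decides which checks run before
  * the redirect URL is built, and the URL is cached per request URI for 10 minutes
  * (except for MATCH_IP widgets).
  *
  * Every failure goes through KExternalErrors::dieError, which is presumably terminal.
  */
 public function execute()
 {
     $entry_id = $this->getRequestParameter("entry_id");
     $entry = null;
     $widget_id = null;
     $partner_id = null;
     if ($entry_id) {
         $entry = entryPeer::retrieveByPK($entry_id);
         if (!$entry) {
             KExternalErrors::dieError(KExternalErrors::ENTRY_NOT_FOUND);
         }
         $partner_id = $entry->getPartnerId();
         $widget_id = '_' . $partner_id;
     }
     // NOTE(review): an explicit widget_id overrides the default, and nothing here checks
     // that the widget and the entry belong to the same partner. The security policy is
     // read from the widget, so the caller effectively chooses which policy applies.
     $widget_id = $this->getRequestParameter("widget_id", $widget_id);
     $widget = widgetPeer::retrieveByPK($widget_id);
     if (!$widget) {
         KExternalErrors::dieError(KExternalErrors::WIDGET_NOT_FOUND);
     }
     if (!$entry_id) {
         $entry_id = $widget->getEntryId();
         if (!$entry_id) {
             KExternalErrors::dieError(KExternalErrors::MISSING_PARAMETER, 'entry_id');
         }
         $entry = entryPeer::retrieveByPK($entry_id);
         if (!$entry) {
             KExternalErrors::dieError(KExternalErrors::ENTRY_NOT_FOUND);
         }
         // Derive the partner the same way as when entry_id is passed in. Without this the
         // ks validation and the host lookups below ran with a null partner id.
         $partner_id = $entry->getPartnerId();
     }
     $allowCache = true;
     $securityType = $widget->getSecurityType();
     switch ($securityType) {
         case widget::WIDGET_SECURITY_TYPE_TIMEHASH:
             // NOTE(review): no validation is implemented for this security type.
             break;
         case widget::WIDGET_SECURITY_TYPE_MATCH_IP:
             // The outcome depends on the requester, so it must not be served from cache.
             $allowCache = false;
             // match the country of the request against the widget's customData, format:
             //  valid_country_1,valid_country_2,...,valid_country_n;fallback_entry_id
             // NOTE(review): when customData is empty no restriction is applied at all, and
             // a missing fallback leaves $entry_id null for the redirect URL.
             $custom_data = $widget->getCustomData();
             $valid_country = false;
             if ($custom_data) {
                 $arr = explode(";", $custom_data);
                 $countries_str = $arr[0];
                 $fallback_entry_id = isset($arr[1]) ? $arr[1] : null;
                 $fallback_kshow_id = isset($arr[2]) ? $arr[2] : null;
                 $current_country = "";
                 $valid_country = requestUtils::matchIpCountry($countries_str, $current_country);
                 if (!$valid_country) {
                     KalturaLog::log("Attempting to access widget [{$widget_id}] and entry [{$entry_id}] from country [{$current_country}]. Retrning entry_id: [{$fallback_entry_id}] kshow_id [{$fallback_kshow_id}]");
                     $entry_id = $fallback_entry_id;
                 }
             }
             break;
         case widget::WIDGET_SECURITY_TYPE_FORCE_KS:
             $ks_str = $this->getRequestParameter('ks');
             try {
                 $ks = kSessionUtils::crackKs($ks_str);
             } catch (Exception $e) {
                 KExternalErrors::dieError(KExternalErrors::INVALID_KS);
             }
             // The ks is validated against the entry's partner, for user 0.
             $res = kSessionUtils::validateKSession2(1, $partner_id, 0, $ks_str, $ks);
             if ($res <= 0) {
                 KExternalErrors::dieError(KExternalErrors::INVALID_KS);
             }
             break;
         default:
             break;
     }
     // The cache lookup happens only after the security checks above have passed. The key
     // is the full request URI, so a request carrying a ks is cached under that ks.
     $requestKey = $_SERVER["REQUEST_URI"];
     $cache = new myCache("embedIframe", 10 * 60);
     // 10 minutes
     $cachedResponse = $cache->get($requestKey);
     if ($allowCache && $cachedResponse) {
         header("X-Kaltura: cached-action");
         header("Expires: Sun, 19 Nov 2000 08:52:00 GMT");
         header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
         header("Pragma: no-cache");
         header("Location:{$cachedResponse}");
         die;
     }
     $uiconf_id = $this->getRequestParameter('uiconf_id');
     if (!$uiconf_id) {
         $uiconf_id = $widget->getUiConfId();
     }
     if (!$uiconf_id) {
         KExternalErrors::dieError(KExternalErrors::MISSING_PARAMETER, 'uiconf_id');
     }
     $uiConf = uiConfPeer::retrieveByPK($uiconf_id);
     if (!$uiConf) {
         KExternalErrors::dieError(KExternalErrors::UI_CONF_NOT_FOUND);
     }
     $partner_host = myPartnerUtils::getHost($partner_id);
     $partner_cdnHost = myPartnerUtils::getCdnHost($partner_id);
     $html5_version = kConf::get('html5_version');
     $host = $uiConf->getUseCdn() ? $partner_cdnHost : $partner_host;
     // The ids below can come straight from the request. A successful lookup does not
     // guarantee the raw string is URL-safe, so each one is encoded as a path segment.
     $url = $host;
     $url .= "/html5/html5lib/v{$html5_version}/mwEmbedFrame.php";
     $url .= '/entry_id/' . rawurlencode((string) $entry_id)
         . '/wid/' . rawurlencode((string) $widget_id)
         . '/uiconf_id/' . rawurlencode((string) $uiconf_id);
     if ($allowCache) {
         $cache->put($requestKey, $url);
     }
     $this->redirect($url);
 }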
 /**
  * Resolves the partner, operating partner and user for the current request and
  * enforces the service's ticket requirements.
  *
  * With a ks string: the ks is cracked, kCurrentContext is filled from it, the ks
  * partner's service config is loaded, the ticket is validated according to
  * ticketType2(), and access from the ks partner to the requested partner is checked.
  * Without a ks string: the partner is loaded by id and the service must either need
  * no ticket or support the Kaltura-Network mode.
  *
  * Returns array($partner_id, $subp_id, $puser_id, $allow_private) where, per the inline
  * comments, the last element says whether private partner data may be exposed.
  * Failures are reported through $this->addException(); whether that call returns is
  * not visible here, so the code after each call should be read with both cases in mind.
  *
  * NOTE(review): kCurrentContext is populated from the cracked ks BEFORE
  * validateKSession2 runs, so any code reading the context in between sees identity
  * values that have not been validated yet.
  */
 private function validateTicketSetPartner($partner_id, $subp_id, $puser_id, $ks_str)
 {
     if ($ks_str) {
         // 1. crack the ks
         // NOTE(review): the result is dereferenced without a check; confirm crackKs always
         // yields an object (or throws) for malformed input.
         $ks = kSessionUtils::crackKs($ks_str);
         // 2. extract partner_id
         $ks_partner_id = $ks->partner_id;
         $master_partner_id = $ks->master_partner_id;
         if (!$master_partner_id) {
             $master_partner_id = $ks_partner_id;
         }
         // the partner from the ks is used only when the caller gave none
         if (!$partner_id) {
             $partner_id = $ks_partner_id;
         }
         // use the user from the ks if not explicitly set
         if (!$puser_id) {
             $puser_id = $ks->user;
         }
         // request-wide context, written from the still-unvalidated ks
         kCurrentContext::$ks = $ks_str;
         kCurrentContext::$partner_id = $partner_id;
         kCurrentContext::$ks_partner_id = $ks_partner_id;
         kCurrentContext::$master_partner_id = $master_partner_id;
         kCurrentContext::$uid = $puser_id;
         kCurrentContext::$ks_uid = $ks->user;
         // 3. retrieve partner
         $ks_partner = PartnerPeer::retrieveByPK($ks_partner_id);
         // the service config is assumed to be the one of the operating_partner == ks_partner
         if (!$ks_partner) {
             $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $ks_partner_id);
         }
         // reached with a null $ks_partner if addException returned above
         $this->setServiceConfigFromPartner($ks_partner);
         if ($ks_partner && !$ks_partner->getStatus()) {
             $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
         }
         // 4. validate ticket per service for the ticket's partner
         $ticket_type = $this->ticketType2();
         if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
             // partner cannot access this service
             $this->addException(APIErrors::SERVICE_FORBIDDEN);
         }
         if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
             // TODO - which user is this ? from the ks ? from the puser_id ?
             // the ks is validated against its own user, not against $puser_id
             $ks_puser_id = $ks->user;
             $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
             if (0 >= $res) {
                 // changed this to be an exception rather than an error
                 $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
             }
             // NOTE(review): also assigned after a failed validation if addException returns
             $this->ks = $ks;
         } elseif ($ticket_type == kSessionUtils::REQUIED_TICKET_NONE && $ks_str) {
             // the service needs no ticket: the ks is kept only if it happens to validate.
             // NOTE(review): on failure nothing is reported and kCurrentContext keeps the
             // values taken from the invalid ks above.
             $ks_puser_id = $ks->user;
             $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
             if ($res > 0) {
                 $this->ks = $ks;
             }
         }
         // when force_ticket_check is off and the service requires a ticket, neither branch
         // above runs, so the ks is not validated in this method
         // 5. see partner is allowed to access the desired partner (if himself - easy, else - should appear in the partnerGroup)
         $allow_access = myPartnerUtils::allowPartnerAccessPartner($ks_partner_id, $this->partnerGroup2(), $partner_id);
         if (!$allow_access) {
             $this->addException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $ks_partner_id, $partner_id);
         }
         // 6. set the partner to be the desired partner and the operating_partner to be the one from the ks
         $this->partner = PartnerPeer::retrieveByPK($partner_id);
         $this->operating_partner = $ks_partner;
         // the config is that of the ks_partner NOT of the partner
         // (setServiceConfigFromPartner($ks_partner) was already called above)
         // TODO - should change  service_config to be the one of the partner_id ??
         // 7. if ok - return the partner_id to be used from this point onwards
         return array($partner_id, $subp_id, $puser_id, true);
         // allow private_partner_data
     } else {
         // no ks_str
         // 1. extract partner by partner_id +
         // 2. retrieve partner
         $this->partner = PartnerPeer::retrieveByPK($partner_id);
         if (!$this->partner) {
             $this->partner = null;
             // go to the default config
             $this->setServiceConfigFromPartner(null);
             if ($this->requirePartner2()) {
                 $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $partner_id);
             }
         }
         if ($this->partner && !$this->partner->getStatus()) {
             $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
         }
         // request-wide context for an anonymous call; $master_partner_id is not reset here
         kCurrentContext::$ks = null;
         kCurrentContext::$partner_id = $partner_id;
         kCurrentContext::$ks_partner_id = null;
         kCurrentContext::$uid = $puser_id;
         kCurrentContext::$ks_uid = null;
         // 3. make sure the service can be accessed with no ticket
         $this->setServiceConfigFromPartner($this->partner);
         $ticket_type = $this->ticketType2();
         if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
             // partner cannot access this service
             $this->addException(APIErrors::SERVICE_FORBIDDEN);
         }
         if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
             // NEW: 2008-12-28
             // Instead of throwing an exception, see if the service allows KN.
             // If so - a relatively weak partner access
             if ($this->kalturaNetwork2()) {
                 // if the service supports KN - continue without private data
                 return array($partner_id, $subp_id, $puser_id, false);
                 // DONT allow private_partner_data
             }
             // changed this to be an exception rather than an error
             $this->addException(APIErrors::MISSING_KS);
         }
         // 4. set the partner & operating_partner to be the one-and-only partner of this session
         // NOTE(review): this path returns true (private data allowed) with no ks whenever
         // the ticket check did not apply; the partner id then comes from the caller alone.
         $this->operating_partner = $this->partner;
         return array($partner_id, $subp_id, $puser_id, true);
         // allow private_partner_data
     }
 }