示例#1
0
function IAuthVerify($pTmp)
{
    $ip = getAndCheck($pTmp, 'ip');
    $sig = getAndCheck($pTmp, 'sig');
    $url = getAndCheck($pTmp, 'url');
    $client = array('appid' => getAndCheck($pTmp, 'appid'), 'hash' => getAndCheck($pTmp, 'hash'), 'hashmethod' => getAndCheck($pTmp, 'hashmethod'), 'time' => getAndCheck($pTmp, 'time'), 'nonce' => getAndCheck($pTmp, 'nonce'), 'version' => getAndCheck($pTmp, 'version'), 'sigmethod' => getAndCheck($pTmp, 'sigmethod'), 'token' => getAndCheck($pTmp, 'token'));
    $apiInfo = GetAPI($url);
    $rpid = $apiInfo['owner_id'];
    $api_id = $apiInfo['api_id'];
    $rpSecret = GetAppInfo($rpid, 'app_secret');
    $accessInfo = GetAccessInfo($client['appid'], $client['token']);
    $accessSecret = $accessInfo['access_secret'];
    $faile_t = $accessInfo['faile_t'];
    $rights = $accessInfo['rights'];
    $uid = $accessInfo['user_id'];
    $appSecret = GetAppInfo($client['appid'], 'app_secret');
    $secret = $appSecret . '&' . $accessSecret;
    $base_str = 'POST&' . $url . '&' . CoString($client);
    if ($sig != signature($base_str, $secret, $client['sigmethod'])) {
        throw new IAuthException('sig not match', $base_str);
    }
    $client['limit_seconds'] = $apiInfo['limit_seconds'];
    $client['limit_counts'] = $apiInfo['limit_counts'];
    CheckReplayAttack($client, 'verify');
    VerifyAccessRight($api_id, $rights);
    newVerifier('verify', $client['appid'], $uid, $client['token'], date('Y-m-d H:i:s', $client['time']), $client['nonce'], $ip, $api_id);
    $rpRequest = $pTmp;
    $rpRequest['uid'] = $uid;
    $rpSig = signature(CoString($rpRequest), $rpid . '&' . $rpSecret, 'MD5');
    echo 'uid=' . $uid . '&sig=' . $rpSig;
    /* echo '<br />'; */
    /* echo CoString($rpRequest); */
}
示例#2
0
function GetLoginToken($pTmp)
{
    $sig = getAndCheck($pTmp, 'sig');
    $params = array('state' => getAndCheck($pTmp, 'state'), 'appid' => getAndCheck($pTmp, 'appid'), 'time' => getAndCheck($pTmp, 'time'), 'sigmethod' => getAndCheck($pTmp, 'sigmethod'), 'version' => getAndCheck($pTmp, 'version'), 'verifier' => getAndCheck($pTmp, 'verifier'));
    if (GetAppInfo($params['appid'], 'ip_check') == 'enable') {
        $params['ip'] = getAndCheck($pTmp, 'ip');
    }
    $appSecret = GetAppInfo($params['appid'], 'app_secret');
    VerifySignature($params, $appSecret, $sig);
    /* 确保对参数的签名是有效的 */
    $uid = CheckReplayAttack($params, 'login');
    /* 检查重放攻击并记录 */
    $accessToken = GetAccessToken($params['appid'], $uid);
    echo 'uid=' . $uid . '&access_token=' . $accessToken;
    exit;
}
示例#3
0
function SSOlogin($appid, $state, $uid)
{
    Check($appid, 'appid');
    if (!empty($state)) {
        Check($state, 'state');
        Check($uid, 'uid');
        $authed = CheckUserAuthed($appid, $uid);
        $appType = GetAppInfo($appid, 'app_type');
        $autoAuth = GetAppInfo($appid, 'auto_auth');
        if ($appType == 'WSC') {
            if ($authed == FALSE && $autoAuth == FALSE) {
                //用户没有授权,且应用不是自动授权,跳转到应用大厅
                if (!empty($_GET['s']) && $_GET['s'] == '1') {
                    /* 加参数跳转到精简版界面 */
                    return IAUTH_SIMPLE_AUTH_CONFIRM_PAGE . '&appsid=' . $appid . '&state=' . $state;
                }
                return URL(IAUTH_APP_INFO_PAGE) . 'appsid=' . $appid . '&state=' . $state . '&showconfirm=yes#confirm';
            }
            if ($authed == FALSE && $autoAuth == TRUE) {
                //用户没有授权,但是应用是自动授权,直接跳回应用的auth_call_back
                $authCallBack = GetAppInfo($appid, 'call_back');
                $rights = Check('2:3:7:11', 'rights');
                /* 由于没有应用大厅,权限被写死 */
                $faile_t = '2036-12-31 23:59:59';
                $verifier = newVerifier('auth', $appid, $uid, $rights, $faile_t, '', '', $state);
                accessLog('AUTH ' . $appid . ' ' . $uid . ' 2:3:7:11 ' . $faile_t . ' ' . $state);
                return URL($authCallBack) . 'verifier=' . $verifier . '&state=' . $state;
            }
            if ($authed == TRUE) {
                /* 用户已经授权,直接跳转回login_call_back */
                $loginCallBack = GetAppInfo($appid, 'login_url');
                $verifier = newVerifier('login', $appid, $uid, 'FROM_CLIENT', '', '', '', $state);
                return URL($loginCallBack) . 'verifier=' . $verifier . '&state=' . $state;
            }
        }
        /* END WSC */
    }
    /* END !EMPTY state */
    /* 其他情况,跳到应用大厅 */
    return URL(IAUTH_APP_INFO_PAGE) . 'appsid=' . $appid;
}
示例#4
0
function NewAuthToken($pTmp)
{
    $sig = getAndCheck($pTmp, 'sig');
    $params = array('state' => getAndCheck($pTmp, 'state'), 'appid' => getAndCheck($pTmp, 'appid'), 'time' => getAndCheck($pTmp, 'time'), 'sigmethod' => getAndCheck($pTmp, 'sigmethod'), 'version' => getAndCheck($pTmp, 'version'), 'verifier' => getAndCheck($pTmp, 'verifier'));
    if (GetAppInfo($params['appid'], 'ip_check') == 'enable') {
        $params['ip'] = getAndCheck($pTmp, 'ip');
    }
    /* print_r($params); */
    /* echo $params['appid'];exit(); */
    $appSecret = GetAppInfo($params['appid'], 'app_secret');
    VerifySignature($params, $appSecret, $sig);
    /* 确保对参数的签名是有效的 */
    $authInfo = CheckReplayAttack($params, 'auth');
    /* 检查重放攻击并记录 */
    /* print_r($pTmp); */
    $uid = $authInfo['uid'];
    $rights = $authInfo['rights'];
    $faile_t = $authInfo['faile_t'];
    $accessInfo = newAccessToken($uid, $params['appid'], $rights, $faile_t);
    echo 'uid=' . $uid . '&access_token=' . $accessInfo['accessToken'] . '&' . 'access_secret=' . $accessInfo['accessSecret'];
    exit;
}
示例#5
0
function autoAuth($iauth_id)
{
    define("IAUTH_DB_USER", "root");
    define("IAUTH_DB_HOST", "211.71.14.65");
    define("IAUTH_DB_PASSWD", "devihome");
    define("IAUTH_DB_DB", "iauthServer2");
    define("IAUTH_VERSION", 2.0);
    define("IAUTH_TIME_OFFSET", 120);
    define("IAUTH_UAC_AUTH_DELAY_TIME", 120);
    define("IAUTH_WSC_AUTH_DELAY_TIME", 60);
    define("IAUTH_WSC_LOGIN_DELAY_TIME", 60);
    define("IAUTH_ERROR_LOG_FILE", dirname(__FILE__) . "/debug/IAuthErrorLog");
    define("IAUTH_ACCESS_LOG_FILE", dirname(__FILE__) . "/debug/IAuthAccessLog");
    //define("IAUTH_APP_INFO_PAGE",'http://211.71.14.65/plugin/iauth/debug/appcenter.php?ac=auth');
    define("IAUTH_APP_INFO_PAGE", 'http://i.buaa.edu.cn/plugin.php?pluginid=apps&ac=detail');
    define("IAUTH_SIMPLE_AUTH_CONFIRM_PAGE", 'http://i.buaa.edu.cn/plugin.php?pluginid=apps&ac=detail&isConfirm=1');
    if (!@(include_once S_ROOT . './plugin/iauth/IAuthCommon.php')) {
        header("Location:plugin.php?pluginid=apps&ac=detail&appsid={$appsid}");
        exit;
    }
    $autoAuth = 0;
    if ($iauth_id) {
        try {
            $autoAuth = GetAppInfo($iauth_id . '', 'auto_auth');
            // showmessage($autoAuth);
        } catch (IAuthException $e) {
            $autoAuth = 0;
            // echo $e->getMessage();
            // exit();
        }
    }
    return $autoAuth;
}
示例#6
0
function IAUTH_new_API($rpid, $name, $url)
{
    Check($rpid, 'appid');
    Check($url, 'url');
    Check($name, 'name');
    if (GetAppInfo($rpid, 'app_type') != 'RP') {
        throw new IAuthException('only RP can add API!');
    }
    $hash = sha1($url);
    $sql = mysql_fetch_assoc(SQL("SELECT api_url,api_id FROM api_info WHERE owner_id='{$rpid}' AND hash='{$hash}'"));
    if (!$sql) {
        $status = 'disable';
        SQL("INSERT INTO api_info (hash,api_url,owner_id,status,api_name)\n                     values ('{$hash}','{$url}','{$rpid}','disable','{$name}')");
        accessLog('API(new) ' . $rpid . ' ' . $url . ' ' . $status);
        return mysql_insert_id();
    } else {
        if ($sql['api_url'] == $url) {
            throw new IAuthException('already has a same API as ' . $sql['api_name']);
        }
        if ($sql['api_name'] == $name) {
            throw new IAuthException('api name conflict');
        } else {
            throw new IAuthException('FATAL! hash conflict!!!');
        }
    }
}
示例#7
0
function CheckReplayAttack($params, $type = 'verify')
{
    switch ($type) {
        case 'verify':
            /* 这个是正常数据访问校验使用 */
            $time = $params['time'];
            $appid = $params['appid'];
            $verifier = $params['nonce'];
            $accessToken = $params['token'];
            if ($params['limit_counts'] > 0 && $params['limit_seconds'] > 0) {
                $limit_counts = $params['limit_counts'];
                $last_access_time = date('Y-m-d H:i:s', $params['time'] - $params['limit_seconds']);
                $sqlResult = mysql_fetch_assoc(SQL("SELECT count(target_id) FROM request_nonce WHERE client_id='{$appid}' AND rtype='verify' AND faile_t>'{$last_access_time}' AND content='{$accessToken}'"));
                if (!empty($sqlResult) && $sqlResult['count(target_id)'] >= $limit_counts) {
                    throw new IAuthException('too frequently, please wait ' . $params['limit_seconds'] . ' seconds', $appid, $accessToken);
                }
            }
            $sqlTmp = SQL("SELECT target_id FROM request_nonce WHERE client_id='{$appid}' AND rtype='verify' AND nonce='{$verifier}'AND faile_t='{$time}' AND content='{$accessToken}'");
            $sqlResult = mysql_fetch_assoc($sqlTmp);
            if ($sqlResult == '') {
                return true;
            } else {
                throw new IAuthException('replay request', $appid, $accessToken, $verifier, $time);
            }
            break;
        case 'auth':
            /* 这个是授权时使用的 */
            $appid = $params['appid'];
            if (GetAppInfo($appid, 'app_type') == 'WSC') {
                $time = date('Y-m-d H:i:s', $params['time'] - IAUTH_WSC_AUTH_DELAY_TIME);
            } else {
                $time = date('Y-m-d H:i:s', $params['time'] - IAUTH_UAC_AUTH_DELAY_TIME);
            }
            $verifier = $params['verifier'];
            $sqlTmp = SQL("SELECT id,content,status,create_t,target_id,faile_t,ip FROM request_nonce WHERE client_id='{$appid}' AND rtype='auth' AND nonce='{$verifier}' LIMIT 1");
            $sqlResult = mysql_fetch_assoc($sqlTmp);
            if ($sqlResult == '') {
                throw new IAuthException('verifier not exist', $verifier);
            }
            if ($sqlResult['create_t'] < $time || strstr($sqlResult['content'], 'forbidden')) {
                throw new IAuthException('verifier expired', $verifier, 'create_t=', $sqlResult['create_t']);
            }
            if (GetAppInfo($appid, 'ip_check') == 'enable') {
                if ($sqlResult['ip'] != $params['ip']) {
                    throw new IAuthException('ip not match', $sqlResult['ip'], $params['ip']);
                }
            }
            if ($sqlResult['status'] == 'exchanged') {
                throw new IAuthException('replay request', $appid, $verifier, $time);
            }
            if ($sqlResult['status'] == 'failed') {
                throw new IAuthException('verifier failed', $appid, $verifier, $rqTime);
            } else {
                $uid = $sqlResult['target_id'];
                $rights = $sqlResult['content'];
                $time = date('Y-m-d H:i:s', $params['time']);
                SQL("UPDATE request_nonce SET status='exchanged',faile_t='{$time}' WHERE id=" . $sqlResult['id']);
                /* $content = substr('exchanged='.$rights,0,255); */
                /* SQL("UPDATE request_nonce SET content='$content' WHERE client_id='$appid' AND rtype='auth' AND nonce='$verifier'"); */
                return array('uid' => $uid, 'rights' => $rights, 'faile_t' => $sqlResult['faile_t']);
            }
            break;
        case 'login':
            /* 这个是登录时使用的 */
            $appid = $params['appid'];
            $verifier = $params['verifier'];
            $sqlTmp = SQL("SELECT id,status,create_t,ip,target_id FROM request_nonce WHERE client_id='{$appid}' AND rtype='login' AND nonce='{$verifier}' LIMIT 1");
            $sqlResult = mysql_fetch_assoc($sqlTmp);
            if ($sqlResult == '') {
                throw new IAuthException('verifier not exist ', $verifier);
            }
            $rqTime = $params['time'];
            $faileTime = date('Y-m-d H:i:s', $rqTime - IAUTH_WSC_LOGIN_DELAY_TIME);
            if ($sqlResult['create_t'] < $faileTime) {
                throw new IAuthException('verifier expired', $verifier, 'create_t=', $sqlResult['create_t']);
            }
            if (GetAppInfo($appid, 'ip_check') == 'enable') {
                if ($sqlResult['ip'] != $params['ip']) {
                    throw new IAuthException('ip not match', $sqlResult['ip'], $params['ip']);
                }
            }
            if ($sqlResult['status'] == 'exchanged') {
                throw new IAuthException('replay request', $appid, $verifier, $rqTime);
            }
            if ($sqlResult['status'] == 'failed') {
                throw new IAuthException('verifier failed', $appid, $verifier, $rqTime);
            } else {
                $uid = $sqlResult['target_id'];
                $time = date('Y-m-d H:i:s', $rqTime);
                /* SQL("UPDATE request_nonce SET content='$content',faile_t='$time' WHERE client_id='$appid' AND rtype='login' AND nonce='$verifier'"); */
                SQL("UPDATE request_nonce SET status='exchanged',faile_t='{$time}' WHERE id=" . $sqlResult['id']);
                return $uid;
            }
            break;
        default:
            throw new IAuthException('invalid type');
    }
}