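/**
 * Authenticates a typo3.org SSO token.
 *
 * The token's credentials carry a set of fields plus an RSA signature over
 * their canonical "key=value&..." concatenation. The token only becomes
 * AUTHENTICATION_SUCCESSFUL when an active account exists for the username,
 * the signature verifies against the configured key and the signed expiry
 * lies in the future; otherwise it is marked WRONG_CREDENTIALS. A token
 * without a resolvable account (and not already authenticated) is marked
 * NO_CREDENTIALS_GIVEN.
 *
 * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated
 * @return void
 * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException
 */
public function authenticate(TokenInterface $authenticationToken)
{
    if (!$authenticationToken instanceof Typo3OrgSsoToken) {
        throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
    }

    /** @var $account \TYPO3\Flow\Security\Account */
    $account = null;
    $credentials = $authenticationToken->getCredentials();
    if (is_array($credentials) && isset($credentials['username'])) {
        $providerName = $this->name;
        // The account lookup is done without authorization checks so the
        // repository query does not itself require an authenticated context.
        $this->securityContext->withoutAuthorizationChecks(function () use ($credentials, $providerName, &$account) {
            $account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
        });
    }

    if (!is_object($account)) {
        if ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
            $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
        }
        return;
    }

    // Every field of the signed payload plus the signature itself must be
    // present; a partial credential set cannot verify and previously only
    // produced undefined-index warnings while being concatenated.
    $signedFields = ['version', 'username', 'tpaId', 'expires', 'action', 'flags', 'userdata'];
    $isComplete = isset($credentials['signature']);
    foreach ($signedFields as $field) {
        if (!isset($credentials[$field])) {
            $isComplete = false;
            break;
        }
    }

    $isValid = false;
    if ($isComplete) {
        // Canonical form the SSO server signed; field order must match exactly.
        // NOTE(review): the 'user' field was garbled in the listing this was
        // taken from and is reconstructed as the username — confirm upstream.
        $authenticationData = 'version=' . $credentials['version']
            . '&user=' . $credentials['username']
            . '&tpa_id=' . $credentials['tpaId']
            . '&expires=' . $credentials['expires']
            . '&action=' . $credentials['action']
            . '&flags=' . $credentials['flags']
            . '&userdata=' . $credentials['userdata'];
        // The signature is checked before any field is trusted; the signed
        // expiry is then enforced as an integer timestamp so a non-numeric
        // value can never compare as "later than now".
        $isValid = $this->rsaWalletService->verifySignature($authenticationData, $credentials['signature'], $this->options['rsaKeyUuid'])
            && (int)$credentials['expires'] > time();
    }

    if ($isValid) {
        $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
        $authenticationToken->setAccount($account);
    } else {
        $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
    }
}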
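/**
 * Matches the current request for an unverified signed request.
 *
 * This pattern will return true if the request is not signed or the
 * signature of the request is invalid, i.e. it matches exactly those
 * requests that must not be treated as coming from a known signer.
 *
 * @param \TYPO3\Flow\Mvc\RequestInterface $request The request that should be matched
 * @return boolean true if the pattern matched, false otherwise
 * @throws \TYPO3\Flow\Exception if the signature header is malformed or the identifier cannot be resolved
 */
public function matchRequest(\TYPO3\Flow\Mvc\RequestInterface $request)
{
    /** @var \TYPO3\Flow\Http\Request $httpRequest */
    $httpRequest = $request->getHttpRequest();
    if (!$httpRequest->hasHeader('X-Request-Signature')) {
        $this->emitSignatureHeaderMissing($request);
        return true;
    }

    $identifierAndSignature = explode(':', $httpRequest->getHeader('X-Request-Signature'), 2);
    if (count($identifierAndSignature) !== 2) {
        throw new \TYPO3\Flow\Exception('Invalid signature header format, expected "identifier:base64(signature)"', 1354287886);
    }
    $identifier = $identifierAndSignature[0];
    // Strict decoding rejects characters outside the base64 alphabet instead
    // of silently dropping them; a rejected value is treated as an empty
    // (unverifiable) signature rather than as a partially decoded one.
    $signature = base64_decode($identifierAndSignature[1], true);
    if ($signature === false) {
        $signature = '';
    }

    $signData = $this->requestSigner->getSignatureContent($httpRequest);
    $publicKeyFingerprint = $this->publicKeyResolver->resolveFingerprintByIdentifier($identifier);
    if ($publicKeyFingerprint === null) {
        throw new \TYPO3\Flow\Exception('Cannot resolve identifier "' . $identifier . '"', 1354288898);
    }

    if ($this->rsaWalletService->verifySignature($signData, $signature, $publicKeyFingerprint)) {
        // A verified signature means this "unverified" pattern does not match.
        return false;
    }
    $this->emitSignatureNotVerified($request, $identifier, $signData, $signature, $publicKeyFingerprint);
    return true;
}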
/**
 * Returns a signed copy of the given request.
 *
 * A fresh Date header is set on the clone before the signature content is
 * computed (presumably so the signed content includes the timestamp —
 * getSignatureContent() is not shown here). The signature travels in the
 * X-Request-Signature header as "identifier:base64(signature)".
 *
 * @param \TYPO3\Flow\Http\Request $request The request to sign; it is left unmodified, a clone is returned
 * @param string $identifier Identifier the verifying side uses to look up the matching public key
 * @param string $publicKeyFingerprint Fingerprint of the wallet key used for signing
 * @return \TYPO3\Flow\Http\Request The signed clone of the request
 */
public function signRequest(\TYPO3\Flow\Http\Request $request, $identifier, $publicKeyFingerprint)
{
    $outgoingRequest = clone $request;
    $outgoingRequest->setHeader('Date', gmdate(DATE_RFC2822));

    $payload = $this->getSignatureContent($outgoingRequest);
    $rawSignature = $this->rsaWalletService->sign($payload, $publicKeyFingerprint);
    $headerValue = sprintf('%s:%s', $identifier, base64_encode($rawSignature));
    $outgoingRequest->setHeader('X-Request-Signature', $headerValue);

    return $outgoingRequest;
}
/**
 * Export a public key
 *
 * Looks the key up in the RSA wallet by fingerprint and writes its
 * serialized key string to the command output.
 *
 * @param string $publicKeyFingerprint Fingerprint of the key to export
 * @return void
 */
public function exportPublicKeyCommand($publicKeyFingerprint)
{
    $key = $this->rsaWalletService->getPublicKey($publicKeyFingerprint);
    $keyString = $key->getKeyString();
    $this->output($keyString);
}
/**
 * Verify the signature of a callback redirect to the client
 *
 * Delegates to the RSA wallet service; the ciphertext is verified as-is,
 * before any decryption.
 * NOTE(review): this passes $this->publicKey where the wallet API is
 * otherwise called with a fingerprint — confirm the property holds a
 * fingerprint.
 *
 * @param string $accessTokenCipher The access token ciphertext that was signed
 * @param string $signature The signature to check against the ciphertext
 * @return boolean true if the signature verifies, false otherwise
 */
public function verifyCallbackSignature($accessTokenCipher, $signature)
{
    $wallet = $this->rsaWalletService;
    $isVerified = $wallet->verifySignature($accessTokenCipher, $signature, $this->publicKey);

    return $isVerified;
}
/**
 * Decrypt the access token cipher on callback to the client
 *
 * Delegates to the RSA wallet service using the configured key fingerprint.
 *
 * @param string $accessTokenCipher The access token ciphertext from the callback URI arguments
 * @return string The decrypted access token or an empty string if the access token could not be decrypted
 */
public function decryptCallbackAccessToken($accessTokenCipher)
{
    $fingerprint = $this->publicKeyFingerprint;
    $plaintext = $this->rsaWalletService->decrypt($accessTokenCipher, $fingerprint);

    return $plaintext;
}