<?php
include_once __DIR__ . '/OAuth.php'; // reference php library from oauth.net
/**
 * Debug-logging hook that the bundled OAuth.php library calls.
 *
 * Deliberately a no-op. To trace what the library is doing, uncomment the
 * echo below — but never ship it that way: it writes signed request details
 * (nonces, signatures, token keys) straight into the response body.
 *
 * @param string $method name of the calling method
 * @param string $msg    message to log
 * @return void
 */
function wfDebugLog( $method, $msg ) {
	// echo "[$method] $msg\n";
	return;
}
/**
 * Connection settings for MWOAuthClient.
 *
 * The constructor only takes the endpoint and the two TLS flags;
 * $canonicalServerUrl and $redirURL are plain public properties that the
 * caller assigns afterwards when it needs them.
 */
class MWOAuthClientConfig {
	// Url to the OAuth special page. The client appends strings such as
	// "/initiate&format=json" to it, so it must already carry its query part.
	public $endpointURL;
	// Expected "iss" claim of the /identify JWT (the wiki's $wgCanonicalServer).
	// Has no default: set it before calling MWOAuthClient::identify().
	public $canonicalServerUrl;
	// Where the user is sent to authorize. Overrides "$endpointURL/authorize&"
	// (e.g. to play nice with MobileFrontend). The oauth_token parameters are
	// appended directly, so a custom value must end in '?' or '&'.
	public $redirURL = null;
	// Force port 443 on outgoing calls. Note that this only picks the port;
	// whether TLS is used still follows the scheme of $endpointURL.
	// TODO: detect this from $endpointURL
	public $useSSL = true;
	// Verify the server certificate and hostname. Only disable this against
	// a self-signed test server; never in production.
	public $verifySSL = true;

	/**
	 * @param string $url       OAuth special page URL (see $endpointURL)
	 * @param bool   $useSSL    force port 443
	 * @param bool   $verifySSL verify the server certificate
	 */
	function __construct( $url, $useSSL, $verifySSL ) {
		$this->verifySSL = $verifySSL;
		$this->useSSL = $useSSL;
		$this->endpointURL = $url;
	}
}
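/**
 * Minimal OAuth 1.0a client for MediaWiki's OAuth extension.
 *
 * Drives the three-legged handshake (initiate() -> user authorizes ->
 * complete()), signs API calls with the consumer token plus an access token
 * (makeOAuthCall()), and optionally fetches and verifies the signed identity
 * statement from /identify.
 *
 * Security notes:
 *  - Every request is signed with HMAC-SHA1 over the consumer secret (and the
 *    token secret when a token is supplied); secrets are never sent.
 *  - Request and access token secrets do travel in the /initiate and /token
 *    response bodies, so the endpoint must be https and verifySSL must stay on
 *    in production.
 *  - The /identify JWT is authenticated with HMAC-SHA256 under the consumer
 *    secret with the algorithm pinned to HS256; issuer, audience, validity
 *    window and nonce are then checked before the identity is returned.
 */
class MWOAuthClient {
	// MWOAuthClientConfig
	private $config;
	// TODO: move this to $config
	private $consumerToken;
	// Any extra params in the call that need to be signed
	private $extraParams = array();
	// url, defaults to oob
	private $callbackUrl = 'oob';
	// Track the last random nonce generated by the OAuth lib, used to
	// verify /identity response isn't a replay
	private $lastNonce;
	// Reason recorded by validateJWT() when it returns false; identify()
	// puts it in the exception it throws instead of printing it.
	private $lastValidationError = '';

	/**
	 * @param MWOAuthClientConfig $config
	 * @param OAuthToken $cmrToken consumer key/secret issued by the wiki
	 */
	public function __construct( MWOAuthClientConfig $config, OAuthToken $cmrToken ) {
		$this->consumerToken = $cmrToken;
		$this->config = $config;
	}

	/**
	 * Convenience constructor with a default config (https, certificate
	 * verification on).
	 *
	 * Note: the config built here has no canonicalServerUrl, so identify()
	 * will reject every token ("Expected issuer not configured"). Build an
	 * MWOAuthClientConfig yourself and use the constructor if you need it.
	 *
	 * @param string $url OAuth special page URL
	 * @param string $key consumer key
	 * @param string $secret consumer secret
	 * @return MWOAuthClient
	 */
	public static function newFromKeyAndSecret( $url, $key, $secret ) {
		$cmrToken = new OAuthToken( $key, $secret );
		$config = new MWOAuthClientConfig( $url, true, true );
		return new self( $config, $cmrToken );
	}

	/**
	 * Add one parameter that will be included in the signature of every
	 * subsequent call.
	 */
	public function setExtraParam( $key, $value ) {
		$this->extraParams[$key] = $value;
	}

	/**
	 * Replace the whole set of extra signed parameters.
	 *
	 * @param array $params
	 */
	public function setExtraParams( $params ) {
		$this->extraParams = $params;
	}

	/**
	 * Set the oauth_callback sent with /initiate ('oob' by default).
	 */
	public function setCallback( $url ) {
		$this->callbackUrl = $url;
	}

	/**
	 * First part of 3-legged OAuth, get the request Token.
	 * Redirect your authorizing users to the redirect url, and keep
	 * track of the request token since you need to pass it into complete()
	 *
	 * @return array (redirect, request/temp token)
	 * @throws Exception on transport errors, a non-JSON or error response,
	 *         or when the server does not confirm the callback
	 */
	public function initiate() {
		$initUrl = $this->config->endpointURL . '/initiate&format=json&oauth_callback=' . urlencode( $this->callbackUrl );
		$data = $this->makeOAuthCall( null, $initUrl );
		$return = $this->decodeJsonResponse( $data, '/initiate' );
		// OAuth 1.0a: the server has to acknowledge oauth_callback, otherwise
		// the verifier round-trip that stops session fixation is not in place.
		if ( !isset( $return->oauth_callback_confirmed ) || $return->oauth_callback_confirmed !== 'true' ) {
			throw new Exception( "Callback wasn't confirmed" );
		}
		if ( !isset( $return->key, $return->secret ) ) {
			throw new Exception( "/initiate response is missing the request token" );
		}
		$requestToken = new OAuthToken( $return->key, $return->secret );
		// redirURL, when set, must already end in '?' or '&' because the
		// parameters are appended directly (as with the default below).
		$url = $this->config->redirURL ?: $this->config->endpointURL . "/authorize&";
		$url .= "oauth_token=" . urlencode( $requestToken->key )
			. "&oauth_consumer_key=" . urlencode( $this->consumerToken->key );
		return array( $url, $requestToken );
	}

	/**
	 * The final leg of the OAuth handshake. Exchange the request Token from
	 * initiate() and the verification code that the user submitted back to you
	 * for an access token, which you'll use for all API calls.
	 *
	 * @param OAuthToken $requestToken the temp/request token obtained from initiate()
	 * @param string $verifyCode the authorization code sent to the callback url
	 * @return OAuthToken The access token
	 * @throws Exception on a missing verifier, transport errors, or a
	 *         non-JSON / error response
	 */
	public function complete( OAuthToken $requestToken, $verifyCode ) {
		if ( $verifyCode === null || $verifyCode === '' ) {
			throw new Exception( "Missing oauth_verifier" );
		}
		$tokenUrl = $this->config->endpointURL . '/token&format=json';
		// oauth_verifier must be signed into this one call only. Remember the
		// caller's extras and put them back afterwards (the old code assigned
		// to a property named setExtraParams, so the verifier leaked into every
		// later signed request).
		$savedExtras = $this->extraParams;
		$this->setExtraParam( 'oauth_verifier', $verifyCode );
		try {
			$data = $this->makeOAuthCall( $requestToken, $tokenUrl );
		} catch ( Exception $e ) {
			$this->extraParams = $savedExtras;
			throw $e;
		}
		$this->extraParams = $savedExtras;
		$return = $this->decodeJsonResponse( $data, '/token' );
		if ( !isset( $return->key, $return->secret ) ) {
			throw new Exception( "/token response is missing the access token" );
		}
		return new OAuthToken( $return->key, $return->secret );
	}

	/**
	 * Optional step. This call the MediaWiki specific /identify method, which
	 * returns a signed statement of the authorizing user's identity. Use this
	 * if you are authenticating users in your application, and you need to
	 * know their username, groups, rights, etc in MediaWiki.
	 *
	 * Requires MWOAuthClientConfig::$canonicalServerUrl to be set.
	 *
	 * @param OAuthToken $accessToken access token from complete()
	 * @return object containing attributes of the user
	 * @throws Exception when the JWT fails signature or claim validation
	 */
	public function identify( OAuthToken $accessToken ) {
		$identifyUrl = $this->config->endpointURL . '/identify';
		$data = $this->makeOAuthCall( $accessToken, $identifyUrl );
		// decodeJWT() authenticates the statement; validateJWT() checks that
		// its claims are the ones we expect for this consumer and request.
		$identity = $this->decodeJWT( $data, $this->consumerToken->secret );
		if ( !$this->validateJWT(
			$identity,
			$this->consumerToken->key,
			$this->config->canonicalServerUrl,
			$this->lastNonce
		) ) {
			throw new Exception( "JWT didn't validate: " . $this->lastValidationError );
		}
		return $identity;
	}

	/**
	 * Make a signed request to MediaWiki
	 *
	 * @param OAuthToken $token additional token to use in signature, besides the consumer token.
	 * In most cases, this will be the access token you got from complete(), but we set it
	 * to the request token when finishing the handshake.
	 * @param $url string url to call
	 * @param $isPost bool true if this should be a POST request
	 * @param $postFields array of POST parameters, only if $isPost is also true
	 * @return body from the curl request
	 */
	public function makeOAuthCall( $token, $url, $isPost = false, $postFields = false ) {
		$params = array();
		// Query-string parameters are part of the signature base string,
		// so pull them out of the URL.
		if ( strpos( $url, '?' ) !== false ) {
			$parsed = parse_url( $url );
			if ( is_array( $parsed ) && isset( $parsed['query'] ) ) {
				parse_str( $parsed['query'], $params );
			}
		}
		// '+' keeps the left operand on a key clash: URL params win over
		// extras, extras win over POST fields.
		$params += $this->extraParams;
		if ( $isPost && $postFields ) {
			$params += $postFields;
		}
		$method = $isPost ? 'POST' : 'GET';
		$req = OAuthRequest::from_consumer_and_token(
			$this->consumerToken,
			$token,
			$method,
			$url,
			$params
		);
		$req->sign_request(
			new OAuthSignatureMethod_HMAC_SHA1(),
			$this->consumerToken,
			$token
		);
		// Remember the nonce we sent: /identify echoes it inside the JWT and
		// validateJWT() compares the two.
		$this->lastNonce = $req->get_parameter( 'oauth_nonce' );
		return $this->makeCurlCall(
			$url,
			$req->to_header(),
			$isPost,
			$postFields,
			$this->config
		);
	}

	/**
	 * Perform the HTTP request.
	 *
	 * @param string $url
	 * @param string $headers the single "Authorization: OAuth ..." line from OAuthRequest::to_header()
	 * @param bool $isPost
	 * @param array|false $postFields
	 * @param MWOAuthClientConfig $config
	 * @return string response body
	 * @throws Exception when curl reports a failure
	 */
	private function makeCurlCall( $url, $headers, $isPost, $postFields, MWOAuthClientConfig $config ) {
		$ch = curl_init();
		curl_setopt( $ch, CURLOPT_URL, (string) $url );
		curl_setopt( $ch, CURLOPT_HEADER, 0 );
		curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
		curl_setopt( $ch, CURLOPT_HTTPHEADER, array( $headers ) );
		if ( $isPost ) {
			curl_setopt( $ch, CURLOPT_POST, true );
			// http_build_query() rejects false on PHP 8; send an empty body then.
			curl_setopt( $ch, CURLOPT_POSTFIELDS, $postFields ? http_build_query( $postFields ) : '' );
		}
		if ( $config->useSSL ) {
			// Only the port is forced here; whether TLS is actually spoken is
			// decided by the scheme of $url, so endpointURL must be https://.
			curl_setopt( $ch, CURLOPT_PORT , 443 );
		}
		if ( $config->verifySSL ) {
			curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, true );
			curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 2 );
		} else {
			// Accepts any certificate: the token secrets returned by /initiate
			// and /token are then readable by a man-in-the-middle. Test only.
			curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false );
			curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 0 );
		}
		$data = curl_exec( $ch );
		// Compare against false: a legitimate body such as "0" is falsy.
		if ( $data === false ) {
			$error = curl_error( $ch );
			curl_close( $ch );
			throw new Exception( 'Curl error: ' . $error );
		}
		curl_close( $ch );
		return $data;
	}

	/**
	 * Decode a JSON reply from the OAuth special page, turning a non-JSON
	 * body or a server-reported error into an exception.
	 *
	 * @param string $data raw response body
	 * @param string $what endpoint name for the error message
	 * @return object decoded response
	 * @throws Exception
	 */
	private function decodeJsonResponse( $data, $what ) {
		$decoded = json_decode( $data );
		if ( !is_object( $decoded ) ) {
			throw new Exception( "Unexpected non-JSON response from $what" );
		}
		if ( isset( $decoded->error ) ) {
			// NOTE(review): MediaWiki appears to report failures as an object
			// with "error" (and usually "message") members — confirm the shape;
			// whatever is there is serialised so no detail is lost.
			$msg = isset( $decoded->message ) ? $decoded->message : $decoded->error;
			throw new Exception( "Error from $what: " . ( is_string( $msg ) ? $msg : json_encode( $msg ) ) );
		}
		return $decoded;
	}

	/**
	 * Decode a base64url segment (RFC 4648 §5, unpadded) of the JWT.
	 *
	 * @param string $data
	 * @return string decoded bytes
	 * @throws Exception when the segment is not valid base64url
	 */
	private function base64UrlDecode( $data ) {
		$data = strtr( $data, '-_', '+/' );
		$rem = strlen( $data ) % 4;
		if ( $rem ) {
			$data .= str_repeat( '=', 4 - $rem );
		}
		$decoded = base64_decode( $data, true );
		if ( $decoded === false ) {
			throw new Exception( "Invalid base64url segment in JWT from /identify." );
		}
		return $decoded;
	}

	/**
	 * Verify the HS256 signature of the /identify JWT and return its payload.
	 *
	 * @param string $JWT compact-serialised JWT (header.payload.signature)
	 * @param string $secret consumer secret used as the HMAC key
	 * @return object decoded payload (claims)
	 * @throws Exception when the token is malformed, uses any algorithm other
	 *         than HS256, or its signature does not verify
	 */
	private function decodeJWT( $JWT, $secret ) {
		$parts = explode( '.', $JWT );
		if ( count( $parts ) !== 3 ) {
			// Probably an error object rather than a token; surface it if so.
			$err = json_decode( $JWT );
			$detail = ( is_object( $err ) && isset( $err->error ) ) ? ': ' . json_encode( $err->error ) : '';
			throw new Exception( "Response from /identify is not a JWT" . $detail );
		}
		list( $headb64, $bodyb64, $sigb64 ) = $parts;
		// RFC 7515: the signing input is the base64url text exactly as
		// transmitted. Compute the MAC before any translation — the old code
		// translated -_ to +/ first, which breaks verification whenever a
		// segment contains those characters.
		$expectSig = hash_hmac( 'sha256', "$headb64.$bodyb64", $secret, true );
		$header = json_decode( $this->base64UrlDecode( $headb64 ) );
		$sig = $this->base64UrlDecode( $sigb64 );
		// MediaWiki will only use sha256 hmac (HS256) for now. Pinning the
		// algorithm (instead of trusting the header) makes sure an attacker
		// can't return a JWT with 'none' signature type or swap in another
		// algorithm.
		if ( !is_object( $header ) || !isset( $header->alg ) || $header->alg !== 'HS256'
			|| !$this->compareHash( $sig, $expectSig )
		) {
			throw new Exception( "Invalid JWT signature from /identify." );
		}
		$payload = json_decode( $this->base64UrlDecode( $bodyb64 ) );
		if ( !is_object( $payload ) ) {
			throw new Exception( "Invalid JWT payload from /identify." );
		}
		return $payload;
	}

	/**
	 * Check the claims of an already-authenticated identity statement.
	 *
	 * On failure the reason is stored in $this->lastValidationError (it used
	 * to be print()ed into the response body) and false is returned.
	 *
	 * @param object $identity decoded JWT payload
	 * @param string $consumerKey expected "aud"
	 * @param string $expectedConnonicalServer expected "iss" ($wgCanonicalServer)
	 * @param string $nonce oauth_nonce of the /identify request, expected "nonce"
	 * @return bool
	 */
	protected function validateJWT( $identity, $consumerKey, $expectedConnonicalServer, $nonce ) {
		$this->lastValidationError = '';
		// Each expectation must itself be present: comparing a missing claim
		// against a missing expectation (null === null) would pass vacuously.
		if ( $expectedConnonicalServer === null || $expectedConnonicalServer === '' ) {
			return $this->failValidation( 'Expected issuer not configured (MWOAuthClientConfig::$canonicalServerUrl)' );
		}
		if ( $consumerKey === null || $consumerKey === '' ) {
			return $this->failValidation( 'Consumer key not set' );
		}
		if ( $nonce === null || $nonce === '' ) {
			return $this->failValidation( 'No nonce recorded for this request' );
		}
		// Verify the issuer is who we expect (server sends $wgCanonicalServer)
		if ( !isset( $identity->iss ) || $identity->iss !== $expectedConnonicalServer ) {
			return $this->failValidation( 'Invalid Issuer' );
		}
		// Verify we are the intended audience
		if ( !isset( $identity->aud ) || $identity->aud !== $consumerKey ) {
			return $this->failValidation( 'Invalid Audience' );
		}
		// Verify we are within the time limits of the token. Issued at (iat) should be
		// in the past, Expiration (exp) should be in the future.
		$now = time();
		if ( !isset( $identity->iat, $identity->exp ) || $identity->iat > $now || $identity->exp < $now ) {
			return $this->failValidation( 'Invalid Time' );
		}
		// Verify the nonce is the one we just sent, which rules out a replayed statement
		if ( !isset( $identity->nonce ) || $identity->nonce !== $nonce ) {
			return $this->failValidation( 'Invalid Nonce' );
		}
		return true;
	}

	/**
	 * Record why validateJWT() failed and return false for it.
	 *
	 * @param string $reason
	 * @return bool always false
	 */
	private function failValidation( $reason ) {
		$this->lastValidationError = $reason;
		return false;
	}

	/**
	 * Constant time comparison of two byte strings.
	 *
	 * Uses hash_equals() when available; the manual loop is for older PHP.
	 * (The previous loop stopped one byte short and so never compared the
	 * last byte of the MAC.)
	 *
	 * @param string $hash1
	 * @param string $hash2
	 * @return bool
	 */
	private function compareHash( $hash1, $hash2 ) {
		$hash1 = (string) $hash1;
		$hash2 = (string) $hash2;
		if ( function_exists( 'hash_equals' ) ) {
			return hash_equals( $hash1, $hash2 );
		}
		$len1 = strlen( $hash1 );
		$len2 = strlen( $hash2 );
		$result = $len1 ^ $len2;
		$len = min( $len1, $len2 );
		for ( $i = 0; $i < $len; $i++ ) {
			$result |= ord( $hash1[$i] ) ^ ord( $hash2[$i] );
		}
		return $result === 0;
	}
}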