mirror of
https://github.com/salesagility/SuiteCRM.git
synced 2024-11-22 07:52:36 +00:00
273 lines
9.1 KiB
PHP
273 lines
9.1 KiB
PHP
<?php
|
|
|
|
/**
|
|
*
|
|
* SugarCRM Community Edition is a customer relationship management program developed by
|
|
* SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
|
|
*
|
|
* SuiteCRM is an extension to SugarCRM Community Edition developed by SalesAgility Ltd.
|
|
* Copyright (C) 2011 - 2018 SalesAgility Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under
|
|
* the terms of the GNU Affero General Public License version 3 as published by the
|
|
* Free Software Foundation with the addition of the following permission added
|
|
* to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
|
|
* IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
|
|
* OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
|
|
* details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License along with
|
|
* this program; if not, see http://www.gnu.org/licenses or write to the Free
|
|
* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301 USA.
|
|
*
|
|
* You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
|
|
* SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
|
|
*
|
|
* The interactive user interfaces in modified source and object code versions
|
|
* of this program must display Appropriate Legal Notices, as required under
|
|
* Section 5 of the GNU Affero General Public License version 3.
|
|
*
|
|
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
|
|
* these Appropriate Legal Notices must retain the display of the "Powered by
|
|
* SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
|
|
* reasonably feasible for technical reasons, the Appropriate Legal Notices must
|
|
* display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
|
|
*/
|
|
|
|
namespace SuiteCRM\API\OAuth2\Middleware;
|
|
|
|
use League\Event\EmitterAwareInterface;
|
|
use League\Event\EmitterAwareTrait;
|
|
use League\OAuth2\Server\CryptKey;
|
|
use League\OAuth2\Server\Exception\OAuthServerException;
|
|
use League\OAuth2\Server\Grant\GrantTypeInterface;
|
|
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
|
|
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
|
|
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
|
|
use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
|
|
use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
|
|
use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
|
|
use Psr\Http\Message\ResponseInterface;
|
|
use Psr\Http\Message\ServerRequestInterface;
|
|
|
|
#[\AllowDynamicProperties]
|
|
class AuthorizationServer implements EmitterAwareInterface
|
|
{
|
|
use EmitterAwareTrait;
|
|
|
|
public const ENCRYPTION_KEY_ERROR = 'You must set the encryption key going forward to improve the security of this library - see this page for more information https://oauth2.thephpleague.com/v5-security-improvements/';
|
|
|
|
/**
|
|
* @var GrantTypeInterface[]
|
|
*/
|
|
protected $enabledGrantTypes = [];
|
|
|
|
/**
|
|
* @var \DateInterval[]
|
|
*/
|
|
protected $grantTypeAccessTokenTTL = [];
|
|
|
|
/**
|
|
* @var CryptKey
|
|
*/
|
|
protected $privateKey;
|
|
|
|
/**
|
|
* @var CryptKey
|
|
*/
|
|
protected $publicKey;
|
|
|
|
/**
|
|
* @var null|ResponseTypeInterface
|
|
*/
|
|
protected $responseType;
|
|
|
|
/**
|
|
* @var ClientRepositoryInterface
|
|
*/
|
|
private $clientRepository;
|
|
|
|
/**
|
|
* @var AccessTokenRepositoryInterface
|
|
*/
|
|
private $accessTokenRepository;
|
|
|
|
/**
|
|
* @var ScopeRepositoryInterface
|
|
*/
|
|
private $scopeRepository;
|
|
|
|
/**
|
|
* @var string
|
|
*/
|
|
private $encryptionKey;
|
|
|
|
/**
|
|
* New server instance.
|
|
*
|
|
* @param ClientRepositoryInterface $clientRepository
|
|
* @param AccessTokenRepositoryInterface $accessTokenRepository
|
|
* @param ScopeRepositoryInterface $scopeRepository
|
|
* @param CryptKey|string $privateKey
|
|
* @param CryptKey|string $publicKey
|
|
* @param null|ResponseTypeInterface $responseType
|
|
*/
|
|
public function __construct(
|
|
ClientRepositoryInterface $clientRepository,
|
|
AccessTokenRepositoryInterface $accessTokenRepository,
|
|
ScopeRepositoryInterface $scopeRepository,
|
|
$privateKey,
|
|
$publicKey,
|
|
ResponseTypeInterface $responseType = null
|
|
) {
|
|
$this->clientRepository = $clientRepository;
|
|
$this->accessTokenRepository = $accessTokenRepository;
|
|
$this->scopeRepository = $scopeRepository;
|
|
|
|
if ($privateKey instanceof CryptKey === false) {
|
|
$privateKey = new CryptKey($privateKey);
|
|
}
|
|
$this->privateKey = $privateKey;
|
|
|
|
if ($publicKey instanceof CryptKey === false) {
|
|
$publicKey = new CryptKey($publicKey);
|
|
}
|
|
$this->publicKey = $publicKey;
|
|
|
|
$this->responseType = $responseType;
|
|
}
|
|
|
|
/**
|
|
* Set the encryption key
|
|
*
|
|
* @param string $key
|
|
*/
|
|
public function setEncryptionKey($key)
|
|
{
|
|
$this->encryptionKey = $key;
|
|
}
|
|
|
|
/**
|
|
* Enable a grant type on the server.
|
|
*
|
|
* @param GrantTypeInterface $grantType
|
|
* @param null|\DateInterval $accessTokenTTL
|
|
* @throws \Exception
|
|
*/
|
|
public function enableGrantType(GrantTypeInterface $grantType, \DateInterval $accessTokenTTL = null)
|
|
{
|
|
if ($accessTokenTTL instanceof \DateInterval === false) {
|
|
$accessTokenTTL = new \DateInterval('PT1H');
|
|
}
|
|
|
|
$grantType->setAccessTokenRepository($this->accessTokenRepository);
|
|
$grantType->setClientRepository($this->clientRepository);
|
|
$grantType->setScopeRepository($this->scopeRepository);
|
|
$grantType->setPrivateKey($this->privateKey);
|
|
$grantType->setPublicKey($this->publicKey);
|
|
$grantType->setEmitter($this->getEmitter());
|
|
|
|
if ($this->encryptionKey === null) {
|
|
// @codeCoverageIgnoreStart
|
|
trigger_error(self::ENCRYPTION_KEY_ERROR, E_USER_DEPRECATED);
|
|
// @codeCoverageIgnoreEnd
|
|
}
|
|
$grantType->setEncryptionKey($this->encryptionKey);
|
|
|
|
$this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
|
|
$this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
|
|
}
|
|
|
|
/**
|
|
* Validate an authorization request
|
|
*
|
|
* @param ServerRequestInterface $request
|
|
*
|
|
* @throws OAuthServerException
|
|
*
|
|
* @return AuthorizationRequest
|
|
*/
|
|
public function validateAuthorizationRequest(ServerRequestInterface $request)
|
|
{
|
|
if ($this->encryptionKey === null) {
|
|
// @codeCoverageIgnoreStart
|
|
trigger_error(self::ENCRYPTION_KEY_ERROR, E_USER_DEPRECATED);
|
|
// @codeCoverageIgnoreEnd
|
|
}
|
|
|
|
foreach ($this->enabledGrantTypes as $grantType) {
|
|
if ($grantType->canRespondToAuthorizationRequest($request)) {
|
|
return $grantType->validateAuthorizationRequest($request);
|
|
}
|
|
}
|
|
|
|
throw OAuthServerException::unsupportedGrantType();
|
|
}
|
|
|
|
/**
|
|
* Complete an authorization request
|
|
*
|
|
* @param AuthorizationRequest $authRequest
|
|
* @param ResponseInterface $response
|
|
*
|
|
* @return ResponseInterface
|
|
*/
|
|
public function completeAuthorizationRequest(AuthorizationRequest $authRequest, ResponseInterface $response)
|
|
{
|
|
return $this->enabledGrantTypes[$authRequest->getGrantTypeId()]
|
|
->completeAuthorizationRequest($authRequest)
|
|
->generateHttpResponse($response);
|
|
}
|
|
|
|
/**
|
|
* Return an access token response.
|
|
*
|
|
* @param ServerRequestInterface $request
|
|
* @param ResponseInterface $response
|
|
*
|
|
* @throws OAuthServerException
|
|
*
|
|
* @return ResponseInterface
|
|
*/
|
|
public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseInterface $response)
|
|
{
|
|
foreach ($this->enabledGrantTypes as $grantType) {
|
|
if ($grantType->canRespondToAccessTokenRequest($request)) {
|
|
$tokenResponse = $grantType->respondToAccessTokenRequest(
|
|
$request,
|
|
$this->getResponseType(),
|
|
$this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
|
|
);
|
|
|
|
if ($tokenResponse instanceof ResponseTypeInterface) {
|
|
return $tokenResponse->generateHttpResponse($response);
|
|
}
|
|
}
|
|
}
|
|
|
|
throw OAuthServerException::unsupportedGrantType();
|
|
}
|
|
|
|
/**
|
|
* Get the token type that grants will return in the HTTP response.
|
|
*
|
|
* @return ResponseTypeInterface
|
|
*/
|
|
protected function getResponseType()
|
|
{
|
|
if ($this->responseType instanceof ResponseTypeInterface === false) {
|
|
$this->responseType = new BearerTokenResponse();
|
|
}
|
|
|
|
$this->responseType->setPrivateKey($this->privateKey);
|
|
$this->responseType->setEncryptionKey($this->encryptionKey);
|
|
|
|
return $this->responseType;
|
|
}
|
|
}
|