174 lines
5.7 KiB
PHP
174 lines
5.7 KiB
PHP
<?php
|
|
/*
|
|
* Copyright (C) 2023 Xibo Signage Ltd
|
|
*
|
|
* Xibo - Digital Signage - https://xibosignage.com
|
|
*
|
|
* This file is part of Xibo.
|
|
*
|
|
* Xibo is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* any later version.
|
|
*
|
|
* Xibo is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
* along with Xibo. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
namespace Xibo\OAuth;
|
|
|
|
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
|
|
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
|
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
|
|
use Stash\Interfaces\PoolInterface;
|
|
use Xibo\Factory\ApplicationFactory;
|
|
|
|
/**
|
|
* Class AccessTokenRepository
|
|
* @package Xibo\Storage
|
|
*/
|
|
class AccessTokenRepository implements AccessTokenRepositoryInterface
|
|
{
|
|
/** @var \Xibo\Service\LogServiceInterface*/
|
|
private $logger;
|
|
/**
|
|
* @var ApplicationFactory
|
|
*/
|
|
private $applicationFactory;
|
|
/**
|
|
* @var PoolInterface
|
|
*/
|
|
private $pool;
|
|
|
|
/**
|
|
* AccessTokenRepository constructor.
|
|
* @param \Xibo\Service\LogServiceInterface $logger
|
|
*/
|
|
public function __construct($logger, PoolInterface $pool, ApplicationFactory $applicationFactory)
|
|
{
|
|
$this->logger = $logger;
|
|
$this->pool = $pool;
|
|
$this->applicationFactory = $applicationFactory;
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null)
|
|
{
|
|
$this->logger->debug('Getting new Access Token');
|
|
|
|
$accessToken = new AccessTokenEntity();
|
|
$accessToken->setClient($clientEntity);
|
|
|
|
foreach ($scopes as $scope) {
|
|
$accessToken->addScope($scope);
|
|
}
|
|
|
|
// client credentials, we take user from the client entity
|
|
// authentication code, we have userIdentifier already
|
|
$userIdentifier = $userIdentifier ?? $clientEntity->userId;
|
|
|
|
$accessToken->setUserIdentifier($userIdentifier);
|
|
|
|
// set user and log to audit
|
|
$this->logger->setUserId($userIdentifier);
|
|
$this->logger->audit(
|
|
'Auth',
|
|
0,
|
|
'Access Token issued',
|
|
[
|
|
'Application identifier ends with' => substr($clientEntity->getIdentifier(), -8),
|
|
'Application Name' => $clientEntity->getName()
|
|
]
|
|
);
|
|
|
|
return $accessToken;
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
public function isAccessTokenRevoked($tokenId)
|
|
{
|
|
$cache = $this->pool->getItem('C_' . $tokenId);
|
|
$data = $cache->get();
|
|
|
|
// if cache is expired
|
|
if ($cache->isMiss() || empty($data)) {
|
|
return true;
|
|
}
|
|
|
|
$cache2 = $this->pool->getItem('C_' . $data['client'] . '/' . $data['userIdentifier']);
|
|
$data2 = $cache2->get();
|
|
|
|
// cache manually removed (revoke access, changed secret)
|
|
if ($cache2->isMiss() || empty($data2)) {
|
|
return true;
|
|
}
|
|
|
|
if ($data['client'] !== $data2['client'] || $data['userIdentifier'] !== $data2['userIdentifier']) {
|
|
return true;
|
|
}
|
|
|
|
// if it is correctly cached, double check that it is still authorized at the request time
|
|
// edge case being new access code requested with not yet expired code,
|
|
// otherwise one of the previous conditions will be met.
|
|
// Note: we can only do this if one grant type is selected on the client.
|
|
$client = $this->applicationFactory->getClientEntity($data['client']);
|
|
if ($client->clientCredentials === 0
|
|
&& $client->authCode === 1
|
|
&& !$this->applicationFactory->checkAuthorised($data['client'], $data['userIdentifier'])
|
|
) {
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity)
|
|
{
|
|
$date = clone $accessTokenEntity->getExpiryDateTime();
|
|
// since stash cache sets expiresAt at up to provided date
|
|
// with up to 15% less than the provided date
|
|
// add more time to normal token expire, to ensure cache does not expire before the token.
|
|
$date = $date->add(new \DateInterval('PT30M'));
|
|
|
|
// cache with token identifier
|
|
$cache = $this->pool->getItem('C_' . $accessTokenEntity->getIdentifier());
|
|
|
|
$cache->set(
|
|
[
|
|
'userIdentifier' => $accessTokenEntity->getUserIdentifier(),
|
|
'client' => $accessTokenEntity->getClient()->getIdentifier()
|
|
]
|
|
);
|
|
$cache->expiresAt($date);
|
|
$this->pool->saveDeferred($cache);
|
|
|
|
// double cache with client identifier and user identifier
|
|
// this will allow us to revoke access to client or for specific client/user combination in the backend
|
|
$cache2 = $this->pool->getItem(
|
|
'C_' . $accessTokenEntity->getClient()->getIdentifier() . '/' . $accessTokenEntity->getUserIdentifier()
|
|
);
|
|
|
|
$cache2->set(
|
|
[
|
|
'userIdentifier' => $accessTokenEntity->getUserIdentifier(),
|
|
'client' => $accessTokenEntity->getClient()->getIdentifier()
|
|
]
|
|
);
|
|
|
|
$cache2->expiresAt($date);
|
|
$this->pool->saveDeferred($cache2);
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
public function revokeAccessToken($tokenId)
|
|
{
|
|
$this->pool->getItem('C_' . $tokenId)->clear();
|
|
}
|
|
}
|