|
|
@@ -0,0 +1,166 @@
|
|
|
+<?php
|
|
|
+
|
|
|
+namespace AuthBundle\Security;
|
|
|
+
|
|
|
+use Buzz\Listener\BasicAuthListener;
|
|
|
+use Symfony\Component\HttpFoundation\Request;
|
|
|
+use Symfony\Component\HttpFoundation\Response;
|
|
|
+use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
|
|
|
+use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken;
|
|
|
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
|
|
|
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
|
|
+use Symfony\Component\Security\Core\User\UserProviderInterface;
|
|
|
+use Symfony\Component\Security\Http\Authentication\SimplePreAuthenticatorInterface;
|
|
|
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
|
|
|
+
|
|
|
+class OAuthProxyAuthenticator implements SimplePreAuthenticatorInterface, AuthenticationFailureHandlerInterface
|
|
|
+{
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @var string
|
|
|
+ */
|
|
|
+ private $client_id;
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @var string
|
|
|
+ */
|
|
|
+ private $client_secret;
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @var string
|
|
|
+ */
|
|
|
+ private $access_token_url;
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @var string
|
|
|
+ */
|
|
|
+ private $user_info_url;
|
|
|
+
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @param string $client_id
|
|
|
+ * @param string $client_secret
|
|
|
+ * @param string $access_token_url
|
|
|
+ * @param string $user_info_url
|
|
|
+ */
|
|
|
+ public function __construct($client_id, $client_secret, $access_token_url, $user_info_url)
|
|
|
+ {
|
|
|
+ $this->client_id = $client_id;
|
|
|
+ $this->client_secret = $client_secret;
|
|
|
+ $this->access_token_url = $access_token_url;
|
|
|
+ $this->user_info_url = $user_info_url;
|
|
|
+ }
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @param Request $request
|
|
|
+ * @param string $providerKey
|
|
|
+ *
|
|
|
+ * @return AnonymousToken|PreAuthenticatedToken
|
|
|
+ */
|
|
|
+ public function createToken(Request $request, $providerKey)
|
|
|
+ {
|
|
|
+ if ($request->headers->has("php-auth-user") and $request->headers->has("php-auth-pw")) {
|
|
|
+ return new PreAuthenticatedToken($request->headers->get("php-auth-user"), $request->headers->get("php-auth-pw"), $providerKey);
|
|
|
+ }
|
|
|
+
|
|
|
+ return new AnonymousToken("anon.", "anon.");
|
|
|
+ }
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @param TokenInterface $token
|
|
|
+ * @param string $providerKey
|
|
|
+ *
|
|
|
+ * @return boolean
|
|
|
+ */
|
|
|
+ public function supportsToken(TokenInterface $token, $providerKey)
|
|
|
+ {
|
|
|
+ return $token instanceof PreAuthenticatedToken && $token->getProviderKey() === $providerKey;
|
|
|
+ }
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @param TokenInterface $token
|
|
|
+ * @param UserProviderInterface $userProvider
|
|
|
+ * @param string $providerKey
|
|
|
+ *
|
|
|
+ * @return PreAuthenticatedToken
|
|
|
+ */
|
|
|
+ public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
|
|
|
+ {
|
|
|
+ $password = $token->getCredentials();
|
|
|
+ $username = $token->getUsername();
|
|
|
+
|
|
|
+ $browser = new \Buzz\Browser();
|
|
|
+ $token = @json_decode(file_get_contents("/tmp/." . base64_encode($username . ":" . $password)), true);
|
|
|
+ if (!isset($token["access_token"])) {
|
|
|
+ $listener = new BasicAuthListener($this->client_id, $this->client_secret);
|
|
|
+ $browser->addListener($listener);
|
|
|
+ $body = ['grant_type' => 'password',
|
|
|
+ 'username' => $username,
|
|
|
+ 'password' => $password,
|
|
|
+ ];
|
|
|
+
|
|
|
+ $response = $browser->post($this->access_token_url, ['Content-Type' => 'application/x-www-form-urlencoded'], http_build_query($body));
|
|
|
+ $token = json_decode($response->getContent(), true);
|
|
|
+ if ($token['expires_in']) {
|
|
|
+ $token["expires_at"] = time() + $token['expires_in'];
|
|
|
+ } else {
|
|
|
+ $token["expires_at"] = time() + 3600;
|
|
|
+ }
|
|
|
+
|
|
|
+ file_put_contents("/tmp/." . base64_encode($username . ":" . $password), json_encode($token));
|
|
|
+ }
|
|
|
+
|
|
|
+ if (isset($token["expires_at"]) and $token["expires_at"] >= time()) {
|
|
|
+ $listener = new BasicAuthListener($this->client_id, $this->client_secret);
|
|
|
+ $browser->addListener($listener);
|
|
|
+ $body = [
|
|
|
+ 'grant_type' => 'refresh_token',
|
|
|
+ 'refresh_token' => $token['refresh_token'],
|
|
|
+ ];
|
|
|
+
|
|
|
+ $response = $browser->post($this->access_token_url, ['Content-Type' => 'application/x-www-form-urlencoded'], http_build_query($body));
|
|
|
+ $token = json_decode($response->getContent(), true);
|
|
|
+ if ($token['expires_in']) {
|
|
|
+ $token["expires_at"] = time() + $token['expires_in'];
|
|
|
+ } else {
|
|
|
+ $token["expires_at"] = time() + 3600;
|
|
|
+ }
|
|
|
+
|
|
|
+ file_put_contents("/tmp/." . base64_encode($username . ":" . $password), json_encode($token));
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!isset($token["user_info"])) {
|
|
|
+ $oauth_headers = [
|
|
|
+ "Authorization" => ucfirst($token["token_type"]) . " " . $token["access_token"],
|
|
|
+ ];
|
|
|
+ $response = $browser->get($this->user_info_url, $oauth_headers);
|
|
|
+ $auth_info = json_decode($response->getContent(), true);
|
|
|
+ $token["user_info"] = $auth_info;
|
|
|
+
|
|
|
+ file_put_contents("/tmp/." . base64_encode($username . ":" . $password), json_encode($token));
|
|
|
+ } else {
|
|
|
+ $auth_info = $token["user_info"];
|
|
|
+ }
|
|
|
+
|
|
|
+ $user = $userProvider->loadUserByUsername($auth_info["username"]);
|
|
|
+ $user->setRoles($auth_info["roles"]);
|
|
|
+ $user->setTenancyCurrent($auth_info["tenancyCurrent"]);
|
|
|
+
|
|
|
+ return new PreAuthenticatedToken($user, array(), $providerKey, $user->getRoles());
|
|
|
+ }
|
|
|
+
|
|
|
+ /**
|
|
|
+ * @param Request $request
|
|
|
+ * @param AuthenticationException $exception
|
|
|
+ *
|
|
|
+ * @return Response
|
|
|
+ */
|
|
|
+ public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
|
|
|
+ {
|
|
|
+ return new Response(
|
|
|
+ // this contains information about *why* authentication failed
|
|
|
+ // use it, or return your own message
|
|
|
+ strtr($exception->getMessageKey(), $exception->getMessageData()), 401);
|
|
|
+ }
|
|
|
+
|
|
|
+}
|
Guillermo Espinoza