From 5933d4390107224071f8265afd81222b69f98de7 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Mon, 30 Jul 2012 10:25:41 +0000 Subject: Basic template for authorising exernal apps with OAuth --- settings/oauth.php | 41 +++++++++++++++++++++++++++++++++++++++++ settings/templates/oauth.php | 19 +++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 settings/oauth.php create mode 100644 settings/templates/oauth.php (limited to 'settings') diff --git a/settings/oauth.php b/settings/oauth.php new file mode 100644 index 00000000000..bcf34b04af6 --- /dev/null +++ b/settings/oauth.php @@ -0,0 +1,41 @@ + + * This file is licensed under the Affero General Public License version 3 or later. + * See the COPYING-README file. + */ + +require_once('../lib/base.php'); + +// Logic +$operation = isset($_GET['operation']) ? $_GET['operation'] : ''; +switch($operation){ + + case 'register': + + break; + + case 'request_token': + break; + + case 'authorise'; + // Example + $consumer = array( + 'name' => 'Firefox Bookmark Sync', + 'scopes' => array('bookmarks'), + ); + + $t = new OC_Template('settings', 'oauth', 'guest'); + $t->assign('consumer', $consumer); + $t->printPage(); + break; + + case 'access_token'; + break; + + default: + // Something went wrong + header('Location: /'); + break; + +} diff --git a/settings/templates/oauth.php b/settings/templates/oauth.php new file mode 100644 index 00000000000..ce2584365b9 --- /dev/null +++ b/settings/templates/oauth.php @@ -0,0 +1,19 @@ + + * This file is licensed under the Affero General Public License version 3 or later. + * See the COPYING-README file. + */ +?> + +

is requesting permission to read, write, modify and delete data from the following apps:

+ + + \ No newline at end of file -- cgit v1.2.3 From 138c66a2ba1fdc7b44297bfe8498c200d6d2f250 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Mon, 30 Jul 2012 10:51:00 +0000 Subject: Improve styling of permission request page --- settings/css/oauth.css | 2 ++ settings/templates/oauth.php | 25 +++++++++++++------------ 2 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 settings/css/oauth.css (limited to 'settings') diff --git a/settings/css/oauth.css b/settings/css/oauth.css new file mode 100644 index 00000000000..8bc8c8d428b --- /dev/null +++ b/settings/css/oauth.css @@ -0,0 +1,2 @@ +.guest-container{ width:35%; margin: 2em auto 0 auto; } +#oauth-request button{ float: right; } \ No newline at end of file diff --git a/settings/templates/oauth.php b/settings/templates/oauth.php index ce2584365b9..b9fa67d8a35 100644 --- a/settings/templates/oauth.php +++ b/settings/templates/oauth.php @@ -5,15 +5,16 @@ * See the COPYING-README file. */ ?> - -

is requesting permission to read, write, modify and delete data from the following apps:

- - - \ No newline at end of file +
+

is requesting permission to read, write, modify and delete data from the following apps:

+
    + '.$app.''; + } + ?> +
+ + +
-- cgit v1.2.3 From cbc0f0c1c5c5ad9ecc1b20c0f0aee7b4ea564579 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Mon, 30 Jul 2012 10:51:48 +0000 Subject: Include the css for the OAuth page --- settings/oauth.php | 1 + 1 file changed, 1 insertion(+) (limited to 'settings') diff --git a/settings/oauth.php b/settings/oauth.php index bcf34b04af6..fc158afe26e 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -26,6 +26,7 @@ switch($operation){ ); $t = new OC_Template('settings', 'oauth', 'guest'); + OC_Util::addStyle('settings', 'oauth'); $t->assign('consumer', $consumer); $t->printPage(); break; -- cgit v1.2.3 From e47a8a9f0937051c17d5f95652098b53610f8cb6 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Mon, 30 Jul 2012 13:14:29 +0000 Subject: Authorisation requires you to be logged in --- settings/oauth.php | 1 + 1 file changed, 1 insertion(+) (limited to 'settings') diff --git a/settings/oauth.php b/settings/oauth.php index fc158afe26e..5fe21940b04 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -19,6 +19,7 @@ switch($operation){ break; case 'authorise'; + OC_Util::checkLoggedIn(); // Example $consumer = array( 'name' => 'Firefox Bookmark Sync', -- cgit v1.2.3 From 91daf54d7c1ad009843d28a7791e67f4dc37f56d Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Mon, 30 Jul 2012 16:41:07 +0000 Subject: Check if required apps are installed --- settings/css/oauth.css | 4 +++- settings/oauth.php | 33 +++++++++++++++++++++++++----- settings/templates/oauth-required-apps.php | 19 +++++++++++++++++ settings/templates/oauth.php | 6 +++--- 4 files changed, 53 insertions(+), 9 deletions(-) create mode 100644 settings/templates/oauth-required-apps.php (limited to 'settings') diff --git a/settings/css/oauth.css b/settings/css/oauth.css index 8bc8c8d428b..ccdb98cfa39 100644 --- a/settings/css/oauth.css +++ b/settings/css/oauth.css @@ -1,2 +1,4 @@ .guest-container{ width:35%; margin: 2em auto 0 auto; } -#oauth-request button{ float: right; } \ No newline at end of file +#oauth-request a.button{ float: right; } +#oauth-request ul li{ list-style: disc; } +#oauth-request ul { margin-left: 2em; margin-top: 1em; } diff --git a/settings/oauth.php b/settings/oauth.php index 5fe21940b04..2592b926d17 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -23,13 +23,36 @@ switch($operation){ // Example $consumer = array( 'name' => 'Firefox Bookmark Sync', - 'scopes' => array('bookmarks'), + 'scopes' => array('ookmarks'), ); - $t = new OC_Template('settings', 'oauth', 'guest'); - OC_Util::addStyle('settings', 'oauth'); - $t->assign('consumer', $consumer); - $t->printPage(); + // Check that the scopes are real and installed + $apps = OC_App::getEnabledApps(); + $notfound = array(); + foreach($consumer['scopes'] as $requiredapp){ + if(!in_array($requiredapp, $apps)){ + $notfound[] = $requiredapp; + } + } + if(!empty($notfound)){ + // We need more apps :( Show error + if(count($notfound)==1){ + $message = 'requires that you have an extra app installed on your ownCloud. Please contact your ownCloud administrator and ask them to install the app below.'; + } else { + $message = 'requires that you have some extra apps installed on your ownCloud. Please contract your ownCloud administrator and ask them to install the apps below.'; + } + $t = new OC_Template('settings', 'oauth-required-apps', 'guest'); + OC_Util::addStyle('settings', 'oauth'); + $t->assign('requiredapps', $notfound); + $t->assign('consumer', $consumer); + $t->assign('message', $message); + $t->printPage(); + } else { + $t = new OC_Template('settings', 'oauth', 'guest'); + OC_Util::addStyle('settings', 'oauth'); + $t->assign('consumer', $consumer); + $t->printPage(); + } break; case 'access_token'; diff --git a/settings/templates/oauth-required-apps.php b/settings/templates/oauth-required-apps.php new file mode 100644 index 00000000000..d4fce54c59c --- /dev/null +++ b/settings/templates/oauth-required-apps.php @@ -0,0 +1,19 @@ + + * This file is licensed under the Affero General Public License version 3 or later. + * See the COPYING-README file. + */ +?> +
+

'.$_['message']; ?>

+
    + '.$requiredapp.''; + } + ?> +
+ Back to ownCloud +
diff --git a/settings/templates/oauth.php b/settings/templates/oauth.php index b9fa67d8a35..053a8aee6d3 100644 --- a/settings/templates/oauth.php +++ b/settings/templates/oauth.php @@ -6,7 +6,7 @@ */ ?>
-

is requesting permission to read, write, modify and delete data from the following apps:

+

is requesting your permission to read, write, modify and delete data from the following apps:

- - + Allow + Disallow
-- cgit v1.2.3 From e3d88270cc0fcdfc667f0a120040864818b3b2a1 Mon Sep 17 00:00:00 2001 From: Michael Gapczynski Date: Thu, 2 Aug 2012 20:02:31 -0400 Subject: OAuth server implementation using oauth library --- 3rdparty/OAuth/LICENSE.TXT | 21 ++ 3rdparty/OAuth/OAuth.php | 895 +++++++++++++++++++++++++++++++++++++++++++++ lib/api.php | 11 +- lib/oauth.php | 136 ++----- settings/oauth.php | 23 +- 5 files changed, 980 insertions(+), 106 deletions(-) create mode 100644 3rdparty/OAuth/LICENSE.TXT create mode 100644 3rdparty/OAuth/OAuth.php (limited to 'settings') diff --git a/3rdparty/OAuth/LICENSE.TXT b/3rdparty/OAuth/LICENSE.TXT new file mode 100644 index 00000000000..8891c7ddc90 --- /dev/null +++ b/3rdparty/OAuth/LICENSE.TXT @@ -0,0 +1,21 @@ +The MIT License + +Copyright (c) 2007 Andy Smith + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/3rdparty/OAuth/OAuth.php b/3rdparty/OAuth/OAuth.php new file mode 100644 index 00000000000..64b7007ab9d --- /dev/null +++ b/3rdparty/OAuth/OAuth.php @@ -0,0 +1,895 @@ +key = $key; + $this->secret = $secret; + $this->callback_url = $callback_url; + } + + function __toString() { + return "OAuthConsumer[key=$this->key,secret=$this->secret]"; + } +} + +class OAuthToken { + // access tokens and request tokens + public $key; + public $secret; + + /** + * key = the token + * secret = the token secret + */ + function __construct($key, $secret) { + $this->key = $key; + $this->secret = $secret; + } + + /** + * generates the basic string serialization of a token that a server + * would respond to request_token and access_token calls with + */ + function to_string() { + return "oauth_token=" . + OAuthUtil::urlencode_rfc3986($this->key) . + "&oauth_token_secret=" . + OAuthUtil::urlencode_rfc3986($this->secret); + } + + function __toString() { + return $this->to_string(); + } +} + +/** + * A class for implementing a Signature Method + * See section 9 ("Signing Requests") in the spec + */ +abstract class OAuthSignatureMethod { + /** + * Needs to return the name of the Signature Method (ie HMAC-SHA1) + * @return string + */ + abstract public function get_name(); + + /** + * Build up the signature + * NOTE: The output of this function MUST NOT be urlencoded. + * the encoding is handled in OAuthRequest when the final + * request is serialized + * @param OAuthRequest $request + * @param OAuthConsumer $consumer + * @param OAuthToken $token + * @return string + */ + abstract public function build_signature($request, $consumer, $token); + + /** + * Verifies that a given signature is correct + * @param OAuthRequest $request + * @param OAuthConsumer $consumer + * @param OAuthToken $token + * @param string $signature + * @return bool + */ + public function check_signature($request, $consumer, $token, $signature) { + $built = $this->build_signature($request, $consumer, $token); + + // Check for zero length, although unlikely here + if (strlen($built) == 0 || strlen($signature) == 0) { + return false; + } + + if (strlen($built) != strlen($signature)) { + return false; + } + + // Avoid a timing leak with a (hopefully) time insensitive compare + $result = 0; + for ($i = 0; $i < strlen($signature); $i++) { + $result |= ord($built{$i}) ^ ord($signature{$i}); + } + + return $result == 0; + } +} + +/** + * The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104] + * where the Signature Base String is the text and the key is the concatenated values (each first + * encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&' + * character (ASCII code 38) even if empty. + * - Chapter 9.2 ("HMAC-SHA1") + */ +class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod { + function get_name() { + return "HMAC-SHA1"; + } + + public function build_signature($request, $consumer, $token) { + $base_string = $request->get_signature_base_string(); + $request->base_string = $base_string; + + $key_parts = array( + $consumer->secret, + ($token) ? $token->secret : "" + ); + + $key_parts = OAuthUtil::urlencode_rfc3986($key_parts); + $key = implode('&', $key_parts); + + return base64_encode(hash_hmac('sha1', $base_string, $key, true)); + } +} + +/** + * The PLAINTEXT method does not provide any security protection and SHOULD only be used + * over a secure channel such as HTTPS. It does not use the Signature Base String. + * - Chapter 9.4 ("PLAINTEXT") + */ +class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod { + public function get_name() { + return "PLAINTEXT"; + } + + /** + * oauth_signature is set to the concatenated encoded values of the Consumer Secret and + * Token Secret, separated by a '&' character (ASCII code 38), even if either secret is + * empty. The result MUST be encoded again. + * - Chapter 9.4.1 ("Generating Signatures") + * + * Please note that the second encoding MUST NOT happen in the SignatureMethod, as + * OAuthRequest handles this! + */ + public function build_signature($request, $consumer, $token) { + $key_parts = array( + $consumer->secret, + ($token) ? $token->secret : "" + ); + + $key_parts = OAuthUtil::urlencode_rfc3986($key_parts); + $key = implode('&', $key_parts); + $request->base_string = $key; + + return $key; + } +} + +/** + * The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in + * [RFC3447] section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for + * EMSA-PKCS1-v1_5. It is assumed that the Consumer has provided its RSA public key in a + * verified way to the Service Provider, in a manner which is beyond the scope of this + * specification. + * - Chapter 9.3 ("RSA-SHA1") + */ +abstract class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod { + public function get_name() { + return "RSA-SHA1"; + } + + // Up to the SP to implement this lookup of keys. Possible ideas are: + // (1) do a lookup in a table of trusted certs keyed off of consumer + // (2) fetch via http using a url provided by the requester + // (3) some sort of specific discovery code based on request + // + // Either way should return a string representation of the certificate + protected abstract function fetch_public_cert(&$request); + + // Up to the SP to implement this lookup of keys. Possible ideas are: + // (1) do a lookup in a table of trusted certs keyed off of consumer + // + // Either way should return a string representation of the certificate + protected abstract function fetch_private_cert(&$request); + + public function build_signature($request, $consumer, $token) { + $base_string = $request->get_signature_base_string(); + $request->base_string = $base_string; + + // Fetch the private key cert based on the request + $cert = $this->fetch_private_cert($request); + + // Pull the private key ID from the certificate + $privatekeyid = openssl_get_privatekey($cert); + + // Sign using the key + $ok = openssl_sign($base_string, $signature, $privatekeyid); + + // Release the key resource + openssl_free_key($privatekeyid); + + return base64_encode($signature); + } + + public function check_signature($request, $consumer, $token, $signature) { + $decoded_sig = base64_decode($signature); + + $base_string = $request->get_signature_base_string(); + + // Fetch the public key cert based on the request + $cert = $this->fetch_public_cert($request); + + // Pull the public key ID from the certificate + $publickeyid = openssl_get_publickey($cert); + + // Check the computed signature against the one passed in the query + $ok = openssl_verify($base_string, $decoded_sig, $publickeyid); + + // Release the key resource + openssl_free_key($publickeyid); + + return $ok == 1; + } +} + +class OAuthRequest { + protected $parameters; + protected $http_method; + protected $http_url; + // for debug purposes + public $base_string; + public static $version = '1.0'; + public static $POST_INPUT = 'php://input'; + + function __construct($http_method, $http_url, $parameters=NULL) { + $parameters = ($parameters) ? $parameters : array(); + $parameters = array_merge( OAuthUtil::parse_parameters(parse_url($http_url, PHP_URL_QUERY)), $parameters); + $this->parameters = $parameters; + $this->http_method = $http_method; + $this->http_url = $http_url; + } + + + /** + * attempt to build up a request from what was passed to the server + */ + public static function from_request($http_method=NULL, $http_url=NULL, $parameters=NULL) { + $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") + ? 'http' + : 'https'; + $http_url = ($http_url) ? $http_url : $scheme . + '://' . $_SERVER['SERVER_NAME'] . + ':' . + $_SERVER['SERVER_PORT'] . + $_SERVER['REQUEST_URI']; + $http_method = ($http_method) ? $http_method : $_SERVER['REQUEST_METHOD']; + + // We weren't handed any parameters, so let's find the ones relevant to + // this request. + // If you run XML-RPC or similar you should use this to provide your own + // parsed parameter-list + if (!$parameters) { + // Find request headers + $request_headers = OAuthUtil::get_headers(); + + // Parse the query-string to find GET parameters + $parameters = OAuthUtil::parse_parameters($_SERVER['QUERY_STRING']); + + // It's a POST request of the proper content-type, so parse POST + // parameters and add those overriding any duplicates from GET + if ($http_method == "POST" + && isset($request_headers['Content-Type']) + && strstr($request_headers['Content-Type'], + 'application/x-www-form-urlencoded') + ) { + $post_data = OAuthUtil::parse_parameters( + file_get_contents(self::$POST_INPUT) + ); + $parameters = array_merge($parameters, $post_data); + } + + // We have a Authorization-header with OAuth data. Parse the header + // and add those overriding any duplicates from GET or POST + if (isset($request_headers['Authorization']) && substr($request_headers['Authorization'], 0, 6) == 'OAuth ') { + $header_parameters = OAuthUtil::split_header( + $request_headers['Authorization'] + ); + $parameters = array_merge($parameters, $header_parameters); + } + + } + + return new OAuthRequest($http_method, $http_url, $parameters); + } + + /** + * pretty much a helper function to set up the request + */ + public static function from_consumer_and_token($consumer, $token, $http_method, $http_url, $parameters=NULL) { + $parameters = ($parameters) ? $parameters : array(); + $defaults = array("oauth_version" => OAuthRequest::$version, + "oauth_nonce" => OAuthRequest::generate_nonce(), + "oauth_timestamp" => OAuthRequest::generate_timestamp(), + "oauth_consumer_key" => $consumer->key); + if ($token) + $defaults['oauth_token'] = $token->key; + + $parameters = array_merge($defaults, $parameters); + + return new OAuthRequest($http_method, $http_url, $parameters); + } + + public function set_parameter($name, $value, $allow_duplicates = true) { + if ($allow_duplicates && isset($this->parameters[$name])) { + // We have already added parameter(s) with this name, so add to the list + if (is_scalar($this->parameters[$name])) { + // This is the first duplicate, so transform scalar (string) + // into an array so we can add the duplicates + $this->parameters[$name] = array($this->parameters[$name]); + } + + $this->parameters[$name][] = $value; + } else { + $this->parameters[$name] = $value; + } + } + + public function get_parameter($name) { + return isset($this->parameters[$name]) ? $this->parameters[$name] : null; + } + + public function get_parameters() { + return $this->parameters; + } + + public function unset_parameter($name) { + unset($this->parameters[$name]); + } + + /** + * The request parameters, sorted and concatenated into a normalized string. + * @return string + */ + public function get_signable_parameters() { + // Grab all parameters + $params = $this->parameters; + + // Remove oauth_signature if present + // Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.") + if (isset($params['oauth_signature'])) { + unset($params['oauth_signature']); + } + + return OAuthUtil::build_http_query($params); + } + + /** + * Returns the base string of this request + * + * The base string defined as the method, the url + * and the parameters (normalized), each urlencoded + * and the concated with &. + */ + public function get_signature_base_string() { + $parts = array( + $this->get_normalized_http_method(), + $this->get_normalized_http_url(), + $this->get_signable_parameters() + ); + + $parts = OAuthUtil::urlencode_rfc3986($parts); + + return implode('&', $parts); + } + + /** + * just uppercases the http method + */ + public function get_normalized_http_method() { + return strtoupper($this->http_method); + } + + /** + * parses the url and rebuilds it to be + * scheme://host/path + */ + public function get_normalized_http_url() { + $parts = parse_url($this->http_url); + + $scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http'; + $port = (isset($parts['port'])) ? $parts['port'] : (($scheme == 'https') ? '443' : '80'); + $host = (isset($parts['host'])) ? strtolower($parts['host']) : ''; + $path = (isset($parts['path'])) ? $parts['path'] : ''; + + if (($scheme == 'https' && $port != '443') + || ($scheme == 'http' && $port != '80')) { + $host = "$host:$port"; + } + return "$scheme://$host$path"; + } + + /** + * builds a url usable for a GET request + */ + public function to_url() { + $post_data = $this->to_postdata(); + $out = $this->get_normalized_http_url(); + if ($post_data) { + $out .= '?'.$post_data; + } + return $out; + } + + /** + * builds the data one would send in a POST request + */ + public function to_postdata() { + return OAuthUtil::build_http_query($this->parameters); + } + + /** + * builds the Authorization: header + */ + public function to_header($realm=null) { + $first = true; + if($realm) { + $out = 'Authorization: OAuth realm="' . OAuthUtil::urlencode_rfc3986($realm) . '"'; + $first = false; + } else + $out = 'Authorization: OAuth'; + + $total = array(); + foreach ($this->parameters as $k => $v) { + if (substr($k, 0, 5) != "oauth") continue; + if (is_array($v)) { + throw new OAuthException('Arrays not supported in headers'); + } + $out .= ($first) ? ' ' : ','; + $out .= OAuthUtil::urlencode_rfc3986($k) . + '="' . + OAuthUtil::urlencode_rfc3986($v) . + '"'; + $first = false; + } + return $out; + } + + public function __toString() { + return $this->to_url(); + } + + + public function sign_request($signature_method, $consumer, $token) { + $this->set_parameter( + "oauth_signature_method", + $signature_method->get_name(), + false + ); + $signature = $this->build_signature($signature_method, $consumer, $token); + $this->set_parameter("oauth_signature", $signature, false); + } + + public function build_signature($signature_method, $consumer, $token) { + $signature = $signature_method->build_signature($this, $consumer, $token); + return $signature; + } + + /** + * util function: current timestamp + */ + private static function generate_timestamp() { + return time(); + } + + /** + * util function: current nonce + */ + private static function generate_nonce() { + $mt = microtime(); + $rand = mt_rand(); + + return md5($mt . $rand); // md5s look nicer than numbers + } +} + +class OAuthServer { + protected $timestamp_threshold = 300; // in seconds, five minutes + protected $version = '1.0'; // hi blaine + protected $signature_methods = array(); + + protected $data_store; + + function __construct($data_store) { + $this->data_store = $data_store; + } + + public function add_signature_method($signature_method) { + $this->signature_methods[$signature_method->get_name()] = + $signature_method; + } + + // high level functions + + /** + * process a request_token request + * returns the request token on success + */ + public function fetch_request_token(&$request) { + $this->get_version($request); + + $consumer = $this->get_consumer($request); + + // no token required for the initial token request + $token = NULL; + + $this->check_signature($request, $consumer, $token); + + // Rev A change + $callback = $request->get_parameter('oauth_callback'); + $new_token = $this->data_store->new_request_token($consumer, $callback); + + return $new_token; + } + + /** + * process an access_token request + * returns the access token on success + */ + public function fetch_access_token(&$request) { + $this->get_version($request); + + $consumer = $this->get_consumer($request); + + // requires authorized request token + $token = $this->get_token($request, $consumer, "request"); + + $this->check_signature($request, $consumer, $token); + + // Rev A change + $verifier = $request->get_parameter('oauth_verifier'); + $new_token = $this->data_store->new_access_token($token, $consumer, $verifier); + + return $new_token; + } + + /** + * verify an api call, checks all the parameters + */ + public function verify_request(&$request) { + $this->get_version($request); + $consumer = $this->get_consumer($request); + $token = $this->get_token($request, $consumer, "access"); + $this->check_signature($request, $consumer, $token); + return array($consumer, $token); + } + + // Internals from here + /** + * version 1 + */ + private function get_version(&$request) { + $version = $request->get_parameter("oauth_version"); + if (!$version) { + // Service Providers MUST assume the protocol version to be 1.0 if this parameter is not present. + // Chapter 7.0 ("Accessing Protected Ressources") + $version = '1.0'; + } + if ($version !== $this->version) { + throw new OAuthException("OAuth version '$version' not supported"); + } + return $version; + } + + /** + * figure out the signature with some defaults + */ + private function get_signature_method($request) { + $signature_method = $request instanceof OAuthRequest + ? $request->get_parameter("oauth_signature_method") + : NULL; + + if (!$signature_method) { + // According to chapter 7 ("Accessing Protected Ressources") the signature-method + // parameter is required, and we can't just fallback to PLAINTEXT + throw new OAuthException('No signature method parameter. This parameter is required'); + } + + if (!in_array($signature_method, + array_keys($this->signature_methods))) { + throw new OAuthException( + "Signature method '$signature_method' not supported " . + "try one of the following: " . + implode(", ", array_keys($this->signature_methods)) + ); + } + return $this->signature_methods[$signature_method]; + } + + /** + * try to find the consumer for the provided request's consumer key + */ + private function get_consumer($request) { + $consumer_key = $request instanceof OAuthRequest + ? $request->get_parameter("oauth_consumer_key") + : NULL; + + if (!$consumer_key) { + throw new OAuthException("Invalid consumer key"); + } + + $consumer = $this->data_store->lookup_consumer($consumer_key); + if (!$consumer) { + throw new OAuthException("Invalid consumer"); + } + + return $consumer; + } + + /** + * try to find the token for the provided request's token key + */ + private function get_token($request, $consumer, $token_type="access") { + $token_field = $request instanceof OAuthRequest + ? $request->get_parameter('oauth_token') + : NULL; + + $token = $this->data_store->lookup_token( + $consumer, $token_type, $token_field + ); + if (!$token) { + throw new OAuthException("Invalid $token_type token: $token_field"); + } + return $token; + } + + /** + * all-in-one function to check the signature on a request + * should guess the signature method appropriately + */ + private function check_signature($request, $consumer, $token) { + // this should probably be in a different method + $timestamp = $request instanceof OAuthRequest + ? $request->get_parameter('oauth_timestamp') + : NULL; + $nonce = $request instanceof OAuthRequest + ? $request->get_parameter('oauth_nonce') + : NULL; + + $this->check_timestamp($timestamp); + $this->check_nonce($consumer, $token, $nonce, $timestamp); + + $signature_method = $this->get_signature_method($request); + + $signature = $request->get_parameter('oauth_signature'); + $valid_sig = $signature_method->check_signature( + $request, + $consumer, + $token, + $signature + ); + + if (!$valid_sig) { + throw new OAuthException("Invalid signature"); + } + } + + /** + * check that the timestamp is new enough + */ + private function check_timestamp($timestamp) { + if( ! $timestamp ) + throw new OAuthException( + 'Missing timestamp parameter. The parameter is required' + ); + + // verify that timestamp is recentish + $now = time(); + if (abs($now - $timestamp) > $this->timestamp_threshold) { + throw new OAuthException( + "Expired timestamp, yours $timestamp, ours $now" + ); + } + } + + /** + * check that the nonce is not repeated + */ + private function check_nonce($consumer, $token, $nonce, $timestamp) { + if( ! $nonce ) + throw new OAuthException( + 'Missing nonce parameter. The parameter is required' + ); + + // verify that the nonce is uniqueish + $found = $this->data_store->lookup_nonce( + $consumer, + $token, + $nonce, + $timestamp + ); + if ($found) { + throw new OAuthException("Nonce already used: $nonce"); + } + } + +} + +class OAuthDataStore { + function lookup_consumer($consumer_key) { + // implement me + } + + function lookup_token($consumer, $token_type, $token) { + // implement me + } + + function lookup_nonce($consumer, $token, $nonce, $timestamp) { + // implement me + } + + function new_request_token($consumer, $callback = null) { + // return a new token attached to this consumer + } + + function new_access_token($token, $consumer, $verifier = null) { + // return a new access token attached to this consumer + // for the user associated with this token if the request token + // is authorized + // should also invalidate the request token + } + +} + +class OAuthUtil { + public static function urlencode_rfc3986($input) { + if (is_array($input)) { + return array_map(array('OAuthUtil', 'urlencode_rfc3986'), $input); + } else if (is_scalar($input)) { + return str_replace( + '+', + ' ', + str_replace('%7E', '~', rawurlencode($input)) + ); + } else { + return ''; + } +} + + + // This decode function isn't taking into consideration the above + // modifications to the encoding process. However, this method doesn't + // seem to be used anywhere so leaving it as is. + public static function urldecode_rfc3986($string) { + return urldecode($string); + } + + // Utility function for turning the Authorization: header into + // parameters, has to do some unescaping + // Can filter out any non-oauth parameters if needed (default behaviour) + // May 28th, 2010 - method updated to tjerk.meesters for a speed improvement. + // see http://code.google.com/p/oauth/issues/detail?id=163 + public static function split_header($header, $only_allow_oauth_parameters = true) { + $params = array(); + if (preg_match_all('/('.($only_allow_oauth_parameters ? 'oauth_' : '').'[a-z_-]*)=(:?"([^"]*)"|([^,]*))/', $header, $matches)) { + foreach ($matches[1] as $i => $h) { + $params[$h] = OAuthUtil::urldecode_rfc3986(empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i]); + } + if (isset($params['realm'])) { + unset($params['realm']); + } + } + return $params; + } + + // helper to try to sort out headers for people who aren't running apache + public static function get_headers() { + if (function_exists('apache_request_headers')) { + // we need this to get the actual Authorization: header + // because apache tends to tell us it doesn't exist + $headers = apache_request_headers(); + + // sanitize the output of apache_request_headers because + // we always want the keys to be Cased-Like-This and arh() + // returns the headers in the same case as they are in the + // request + $out = array(); + foreach ($headers AS $key => $value) { + $key = str_replace( + " ", + "-", + ucwords(strtolower(str_replace("-", " ", $key))) + ); + $out[$key] = $value; + } + } else { + // otherwise we don't have apache and are just going to have to hope + // that $_SERVER actually contains what we need + $out = array(); + if( isset($_SERVER['CONTENT_TYPE']) ) + $out['Content-Type'] = $_SERVER['CONTENT_TYPE']; + if( isset($_ENV['CONTENT_TYPE']) ) + $out['Content-Type'] = $_ENV['CONTENT_TYPE']; + + foreach ($_SERVER as $key => $value) { + if (substr($key, 0, 5) == "HTTP_") { + // this is chaos, basically it is just there to capitalize the first + // letter of every word that is not an initial HTTP and strip HTTP + // code from przemek + $key = str_replace( + " ", + "-", + ucwords(strtolower(str_replace("_", " ", substr($key, 5)))) + ); + $out[$key] = $value; + } + } + } + return $out; + } + + // This function takes a input like a=b&a=c&d=e and returns the parsed + // parameters like this + // array('a' => array('b','c'), 'd' => 'e') + public static function parse_parameters( $input ) { + if (!isset($input) || !$input) return array(); + + $pairs = explode('&', $input); + + $parsed_parameters = array(); + foreach ($pairs as $pair) { + $split = explode('=', $pair, 2); + $parameter = OAuthUtil::urldecode_rfc3986($split[0]); + $value = isset($split[1]) ? OAuthUtil::urldecode_rfc3986($split[1]) : ''; + + if (isset($parsed_parameters[$parameter])) { + // We have already recieved parameter(s) with this name, so add to the list + // of parameters with this name + + if (is_scalar($parsed_parameters[$parameter])) { + // This is the first duplicate, so transform scalar (string) into an array + // so we can add the duplicates + $parsed_parameters[$parameter] = array($parsed_parameters[$parameter]); + } + + $parsed_parameters[$parameter][] = $value; + } else { + $parsed_parameters[$parameter] = $value; + } + } + return $parsed_parameters; + } + + public static function build_http_query($params) { + if (!$params) return ''; + + // Urlencode both keys and values + $keys = OAuthUtil::urlencode_rfc3986(array_keys($params)); + $values = OAuthUtil::urlencode_rfc3986(array_values($params)); + $params = array_combine($keys, $values); + + // Parameters are sorted by name, using lexicographical byte value ordering. + // Ref: Spec: 9.1.1 (1) + uksort($params, 'strcmp'); + + $pairs = array(); + foreach ($params as $parameter => $value) { + if (is_array($value)) { + // If two or more parameters share the same name, they are sorted by their value + // Ref: Spec: 9.1.1 (1) + // June 12th, 2010 - changed to sort because of issue 164 by hidetaka + sort($value, SORT_STRING); + foreach ($value as $duplicate_value) { + $pairs[] = $parameter . '=' . $duplicate_value; + } + } else { + $pairs[] = $parameter . '=' . $value; + } + } + // For each parameter, the name is separated from the corresponding value by an '=' character (ASCII code 61) + // Each name-value pair is separated by an '&' character (ASCII code 38) + return implode('&', $pairs); + } +} + +?> \ No newline at end of file diff --git a/lib/api.php b/lib/api.php index 05d34ffe870..c8bd0aec2fa 100644 --- a/lib/api.php +++ b/lib/api.php @@ -25,6 +25,15 @@ */ class OC_API { + + private static $server; + + /** + * initialises the OAuth store and server + */ + private static function init() { + self::$server = new OC_OAuthServer(new OC_OAuthStore()); + } /** * api actions @@ -151,7 +160,7 @@ class OC_API { */ public static function checkLoggedIn(){ // Check OAuth - if(!OC_OAuth::isAuthorised()){ + if(!OC_OAuthServer::isAuthorised()){ OC_Response::setStatus(401); die(); } diff --git a/lib/oauth.php b/lib/oauth.php index 0621a72a72b..b72d9aab446 100644 --- a/lib/oauth.php +++ b/lib/oauth.php @@ -2,8 +2,10 @@ /** * ownCloud * -* @author Tom Needham -* @copyright 2012 Tom Needham tom@owncloud.com +* @author Tom Needham +* @author Michael Gapczynski +* @copyright 2012 Tom Needham tom@owncloud.com +* @copyright 2012 Michael Gapczynski mtgap@owncloud.com * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE @@ -20,87 +22,25 @@ * */ -class OC_OAuth { - - /** - * the oauth-php server object - */ - private static $server; - - /** - * the oauth-php oauthstore object - */ - private static $store; - - /** - * initialises the OAuth store and server - */ - private static function init(){ - // Include the libraries - require_once(OC::$THIRDPARTYROOT.'/3rdparty/oauth-php/library/OAuthServer.php'); - require_once(OC::$THIRDPARTYROOT.'/3rdparty/oauth-php/library/OAuthStore.php'); - // Initialise the OAuth store - self::$store = OAuthStore::instance('Session'); - // Create the server object - self::$server = new OAuthServer(); - } - - /** - * gets a request token - * TODO save the scopes in the database with this token - */ - public static function getRequestToken(){ - self::init(); - self::$server->requestToken(); - } - - /** - * get the scopes requested by this token - * @param string $requesttoken - * @return array scopes - */ - public static function getScopes($requesttoken){ - // TODO - } - - /** - * exchanges authorised request token for access token - */ - public static function getAccessToken(){ - self::init(); - self::$server->accessToken(); - } - - /** - * registers a new consumer - * @param array $details consumer details, keys requester_name and requester_email required - * @param string $user the owncloud user adding the consumer - * @return array the consumers details including secret and key - */ - public static function registerConsumer($details, $user){ - self::init(); - $consumer = self::$store->updateConsumer($details, $user, OC_Group::inGroup($user, 'admin')); - return $consumer; - } - - /** - * gets a list of consumers - * @param string $user - */ - public static function getConsumers($user=null){ - $user = is_null($user) ? OC_User::getUser() : $user; - return self::$store->listConsumers($user); +class OC_OAuthServer extends OAuthServer { + + public function fetch_request_token(&$request) { + $this->get_version($request); + $consumer = $this->get_consumer($request); + $this->check_signature($request, $consumer, null); + $callback = $request->get_parameter('oauth_callback'); + $scope = $request->get_parameter('scope'); + // TODO Validate scopes + return $this->data_store->new_request_token($consumer, $scope, $callback); } - /** - * authorises a request token - redirects to callback - * @param string $user - * @param bool $authorised - */ - public static function authoriseToken($user=null){ - $user = is_null($user) ? OC_User::getUser() : $user; - self::$server->authorizeVerify(); - self::$server->authorize($authorised, $user); + public function authoriseRequestToken(&$request) { + $this->get_version($request); + $consumer = $this->get_consumer($request); + $this->check_signature($request, $consumer, null); + $token = $this->get_token($request, $consumer, 'request'); + $this->check_signature($request, $consumer, $token); + return $this->data_store->authorise_request_token($token, $consumer, OC_User::getUser()); } /** @@ -108,28 +48,22 @@ class OC_OAuth { * TODO distinguish between failures as one is a 400 error and other is 401 * @return string|int */ - public static function isAuthorised(){ - self::init(); - if(OAuthRequestVerifier::requestIsSigned()){ - try{ - $req = new OAuthRequestVerifier(); - $user = $req->verify(); - $run = true; - OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $user )); - if(!$run){ - return false; - } - OC_User::setUserId($user); - OC_Hook::emit( "OC_User", "post_login", array( "uid" => $user )); - return $user; - } catch(OAuthException $e) { - // 401 Unauthorised - return false; - } - } else { - // Bad request + public static function isAuthorised($scope) { + try { + $request = OAuthRequest::from_request(); + $this->verify_request(); + } catch (OAuthException $exception) { return false; } + // TODO Get user out of token? May have to write own verify_request() +// $run = true; +// OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $user )); +// if(!$run){ +// return false; +// } +// OC_User::setUserId($user); +// OC_Hook::emit( "OC_User", "post_login", array( "uid" => $user )); +// return $user; } } \ No newline at end of file diff --git a/settings/oauth.php b/settings/oauth.php index 2592b926d17..9e7a3c04935 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -9,6 +9,7 @@ require_once('../lib/base.php'); // Logic $operation = isset($_GET['operation']) ? $_GET['operation'] : ''; +$server = new OC_OAuthServer(new OC_OAuthStore()); switch($operation){ case 'register': @@ -16,8 +17,15 @@ switch($operation){ break; case 'request_token': - break; - + try { + $request = OAuthRequest::from_request(); + $token = $server->fetch_request_token($request); + echo $token; + } catch (OAuthException $exception) { + OC_Log::write('OC_OAuthServer', $exception->getMessage(), OC_LOG::ERROR); + echo $exception->getMessage(); + } + break; case 'authorise'; OC_Util::checkLoggedIn(); // Example @@ -56,8 +64,15 @@ switch($operation){ break; case 'access_token'; - break; - + try { + $request = OAuthRequest::from_request(); + $token = $server->fetch_access_token($request); + echo $token; + } catch (OAuthException $exception) { + OC_Log::write('OC_OAuthServer', $exception->getMessage(), OC_LOG::ERROR); + echo $exception->getMessage(); + } + break; default: // Something went wrong header('Location: /'); -- cgit v1.2.3 From 88c6928bade99676ab44dd43519dd40d470515c6 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Fri, 3 Aug 2012 11:36:01 +0000 Subject: API: Use OC_API::checkLoggedIn() and OAuth scopes are app_$appname --- settings/oauth.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'settings') diff --git a/settings/oauth.php b/settings/oauth.php index 9e7a3c04935..b04c798b1b0 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -27,7 +27,7 @@ switch($operation){ } break; case 'authorise'; - OC_Util::checkLoggedIn(); + OC_API::checkLoggedIn(); // Example $consumer = array( 'name' => 'Firefox Bookmark Sync', @@ -38,6 +38,8 @@ switch($operation){ $apps = OC_App::getEnabledApps(); $notfound = array(); foreach($consumer['scopes'] as $requiredapp){ + // App scopes are in this format: app_$appname + $requiredapp = end(explode('_', $requiredapp)); if(!in_array($requiredapp, $apps)){ $notfound[] = $requiredapp; } -- cgit v1.2.3 From a7906d813ad342f06d4834c10c1200002f7342d2 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Fri, 3 Aug 2012 11:47:05 +0000 Subject: Move OAuth classes into lib/oauth --- lib/api.php | 4 +-- lib/oauth.php | 69 ----------------------------------------------- lib/oauth/server.php | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/oauth/store.php | 29 ++++++++++++++++++++ settings/oauth.php | 2 +- 5 files changed, 108 insertions(+), 72 deletions(-) delete mode 100644 lib/oauth.php create mode 100644 lib/oauth/server.php create mode 100644 lib/oauth/store.php (limited to 'settings') diff --git a/lib/api.php b/lib/api.php index c8bd0aec2fa..8fdfc63070b 100644 --- a/lib/api.php +++ b/lib/api.php @@ -23,7 +23,7 @@ * License along with this library. If not, see . * */ - + class OC_API { private static $server; @@ -32,7 +32,7 @@ class OC_API { * initialises the OAuth store and server */ private static function init() { - self::$server = new OC_OAuthServer(new OC_OAuthStore()); + self::$server = new OC_OAuth_Server(new OC_OAuth_Store()); } /** diff --git a/lib/oauth.php b/lib/oauth.php deleted file mode 100644 index b72d9aab446..00000000000 --- a/lib/oauth.php +++ /dev/null @@ -1,69 +0,0 @@ -. -* -*/ - -class OC_OAuthServer extends OAuthServer { - - public function fetch_request_token(&$request) { - $this->get_version($request); - $consumer = $this->get_consumer($request); - $this->check_signature($request, $consumer, null); - $callback = $request->get_parameter('oauth_callback'); - $scope = $request->get_parameter('scope'); - // TODO Validate scopes - return $this->data_store->new_request_token($consumer, $scope, $callback); - } - - public function authoriseRequestToken(&$request) { - $this->get_version($request); - $consumer = $this->get_consumer($request); - $this->check_signature($request, $consumer, null); - $token = $this->get_token($request, $consumer, 'request'); - $this->check_signature($request, $consumer, $token); - return $this->data_store->authorise_request_token($token, $consumer, OC_User::getUser()); - } - - /** - * checks if request is authorised - * TODO distinguish between failures as one is a 400 error and other is 401 - * @return string|int - */ - public static function isAuthorised($scope) { - try { - $request = OAuthRequest::from_request(); - $this->verify_request(); - } catch (OAuthException $exception) { - return false; - } - // TODO Get user out of token? May have to write own verify_request() -// $run = true; -// OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $user )); -// if(!$run){ -// return false; -// } -// OC_User::setUserId($user); -// OC_Hook::emit( "OC_User", "post_login", array( "uid" => $user )); -// return $user; - } - -} \ No newline at end of file diff --git a/lib/oauth/server.php b/lib/oauth/server.php new file mode 100644 index 00000000000..c563c527601 --- /dev/null +++ b/lib/oauth/server.php @@ -0,0 +1,76 @@ +. +* +*/ + +require_once(OC::$THIRDPARTYROOT.'/3rdparty/OAuth/OAuth.php'); + +class OC_OAuth_Server extends OAuthServer { + + public function fetch_request_token(&$request) { + $this->get_version($request); + $consumer = $this->get_consumer($request); + $this->check_signature($request, $consumer, null); + $callback = $request->get_parameter('oauth_callback'); + $scope = $request->get_parameter('scope'); + // TODO Validate scopes + return $this->data_store->new_request_token($consumer, $scope, $callback); + } + + /** + * authorises a request token + * @param string $request the request token to authorise + * @return What does it return? + */ + public function authoriseRequestToken(&$request) { + $this->get_version($request); + $consumer = $this->get_consumer($request); + $this->check_signature($request, $consumer, null); + $token = $this->get_token($request, $consumer, 'request'); + $this->check_signature($request, $consumer, $token); + return $this->data_store->authorise_request_token($token, $consumer, OC_User::getUser()); + } + + /** + * checks if request is authorised + * TODO distinguish between failures as one is a 400 error and other is 401 + * @return string|int + */ + public static function isAuthorised($scope) { + try { + $request = OAuthRequest::from_request(); + $this->verify_request(); + } catch (OAuthException $exception) { + return false; + } + // TODO Get user out of token? May have to write own verify_request() +// $run = true; +// OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $user )); +// if(!$run){ +// return false; +// } +// OC_User::setUserId($user); +// OC_Hook::emit( "OC_User", "post_login", array( "uid" => $user )); +// return $user; + } + +} \ No newline at end of file diff --git a/lib/oauth/store.php b/lib/oauth/store.php new file mode 100644 index 00000000000..2f58e46b5b0 --- /dev/null +++ b/lib/oauth/store.php @@ -0,0 +1,29 @@ +. +* +*/ + +class OC_OAuth_Store extends OAuthDataStore { + + // To follow. + +} \ No newline at end of file diff --git a/settings/oauth.php b/settings/oauth.php index b04c798b1b0..7f30161d852 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -9,7 +9,7 @@ require_once('../lib/base.php'); // Logic $operation = isset($_GET['operation']) ? $_GET['operation'] : ''; -$server = new OC_OAuthServer(new OC_OAuthStore()); +$server = new OC_OAuth_Server(new OC_OAuth_Store()); switch($operation){ case 'register': -- cgit v1.2.3 From 21f8646ffc9057bd15fe8a30b781ee20766b5656 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Fri, 3 Aug 2012 15:20:01 +0000 Subject: API: Fix merging of responses. Return 400 error when no OAuth operation sent. --- lib/api.php | 10 +++++----- settings/oauth.php | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'settings') diff --git a/lib/api.php b/lib/api.php index 90f36aefbcd..c91216179e2 100644 --- a/lib/api.php +++ b/lib/api.php @@ -107,16 +107,16 @@ class OC_API { $numresponses = count($responses); foreach($responses as $response){ - if(is_int($response) && empty($finalresponse)){ - $finalresponse = $response; + if(is_int($response['response']) && empty($finalresponse)){ + $finalresponse = $response['response']; continue; } - if(is_array($response)){ + if(is_array($response['response'])){ // Shipped apps win if(OC_App::isShipped($response['app'])){ - $finalresponse = array_merge_recursive($finalresponse, $response); + $finalresponse = array_merge_recursive($finalresponse, $response['response']); } else { - $finalresponse = array_merge_recursive($response, $finalresponse); + $finalresponse = array_merge_recursive($response['response'], $finalresponse); } } } diff --git a/settings/oauth.php b/settings/oauth.php index 7f30161d852..f088453a26a 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -76,8 +76,8 @@ switch($operation){ } break; default: - // Something went wrong - header('Location: /'); + // Something went wrong, we need an operation! + OC_Response::setStatus(400); break; } -- cgit v1.2.3 From 0d1d2c0b61a4a0bcbc4b08a927fa815f4673d31e Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Thu, 30 Aug 2012 14:01:27 +0000 Subject: Fix class name --- lib/api.php | 2 +- settings/oauth.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'settings') diff --git a/lib/api.php b/lib/api.php index c91216179e2..55de438f429 100644 --- a/lib/api.php +++ b/lib/api.php @@ -166,7 +166,7 @@ class OC_API { */ public static function checkLoggedIn(){ // Check OAuth - if(!OC_OAuthServer::isAuthorised()){ + if(!OC_OAuth_Server::isAuthorised()){ OC_Response::setStatus(401); die(); } diff --git a/settings/oauth.php b/settings/oauth.php index f088453a26a..c6c9be515bf 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -22,7 +22,7 @@ switch($operation){ $token = $server->fetch_request_token($request); echo $token; } catch (OAuthException $exception) { - OC_Log::write('OC_OAuthServer', $exception->getMessage(), OC_LOG::ERROR); + OC_Log::write('OC_OAuth_Server', $exception->getMessage(), OC_LOG::ERROR); echo $exception->getMessage(); } break; @@ -71,7 +71,7 @@ switch($operation){ $token = $server->fetch_access_token($request); echo $token; } catch (OAuthException $exception) { - OC_Log::write('OC_OAuthServer', $exception->getMessage(), OC_LOG::ERROR); + OC_Log::write('OC_OAuth_Server', $exception->getMessage(), OC_LOG::ERROR); echo $exception->getMessage(); } break; -- cgit v1.2.3 From 37bb16becb11caf80fd2e4f608e16f7642c76137 Mon Sep 17 00:00:00 2001 From: Tom Needham Date: Tue, 4 Sep 2012 11:10:42 +0000 Subject: API: Add callback_fail, add OC_OAuth::init and bespoke request token method --- lib/oauth/server.php | 50 ++++++++++++++++++++++++++++++++++++++++++-------- lib/oauth/store.php | 22 ++++++++++++---------- settings/oauth.php | 27 +++++++++++++++++++++------ 3 files changed, 75 insertions(+), 24 deletions(-) (limited to 'settings') diff --git a/lib/oauth/server.php b/lib/oauth/server.php index b14277afea1..a82a1e2fb0e 100644 --- a/lib/oauth/server.php +++ b/lib/oauth/server.php @@ -26,16 +26,31 @@ require_once(OC::$THIRDPARTYROOT.'/3rdparty/OAuth/OAuth.php'); class OC_OAuth_Server extends OAuthServer { - public function fetch_request_token(&$request) { - $this->get_version($request); - $consumer = $this->get_consumer($request); - $this->check_signature($request, $consumer, null); - $callback = $request->get_parameter('oauth_callback'); - $scope = $request->get_parameter('scope'); - // TODO Validate scopes - return $this->data_store->new_request_token($consumer, $scope, $callback); + /** + * sets up the server object + */ + public static function init(){ + $server = new OC_OAuth_Server(new OC_OAuth_Store()); + $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1()); + return $server; + } + + public function get_request_token(&$request){ + // Check the signature + $token = $this->fetch_request_token($request); + $scopes = $request->get_parameter('scopes'); + // Add scopes to request token + $this->saveScopes($token, $scopes); + + return $token; } + public function saveScopes($token, $scopes){ + $query = OC_DB::prepare("INSERT INTO `*PREFIX*oauth_scopes` (`key`, `scopes`) VALUES (?, ?)"); + $result = $query->execute(array($token->key, $scopes)); + } + + /** * authorises a request token * @param string $request the request token to authorise @@ -74,4 +89,23 @@ class OC_OAuth_Server extends OAuthServer { // return $user; } + /** + * registers a consumer with the ownCloud Instance + * @param string $name the name of the external app + * @param string $url the url to find out more info on the external app + * @param string $callbacksuccess the url to redirect to after autorisation success + * @param string $callbackfail the url to redirect to if the user does not authorise the application + * @return false|OAuthConsumer object + */ + static function register_consumer($name, $url, $callbacksuccess=null, $callbackfail=null){ + // TODO validation + // Check callback url is outside of ownCloud for security + // Generate key and secret + $key = sha1(md5(uniqid(rand(), true))); + $secret = sha1(md5(uniqid(rand(), true))); + $query = OC_DB::prepare("INSERT INTO `*PREFIX*oauth_consumers` (`key`, `secret`, `name`, `url`, `callback_success`, `callback_fail`) VALUES (?, ?, ?, ?, ?, ?)"); + $result = $query->execute(array($key, $secret, $name, $url, $callbacksuccess, $callbackfail)); + return new OAuthConsumer($key, $secret, $callbacksuccess); + } + } \ No newline at end of file diff --git a/lib/oauth/store.php b/lib/oauth/store.php index f1df7d49b93..aa68d38957d 100644 --- a/lib/oauth/store.php +++ b/lib/oauth/store.php @@ -22,16 +22,18 @@ * */ -class OC_OAuth_Store { +class OC_OAuth_Store extends OAuthDataStore { + + static private $MAX_TIMESTAMP_DIFFERENCE = 300; function lookup_consumer($consumer_key) { - $query = OC_DB::prepare("SELECT `key`, `secret`, `callback` FROM `*PREFIX*oauth_consumers` WHERE `key` = ?"); + $query = OC_DB::prepare("SELECT `key`, `secret`, `callback_success` FROM `*PREFIX*oauth_consumers` WHERE `key` = ?"); $results = $query->execute(array($consumer_key)); if($results->numRows()==0){ return NULL; } else { $details = $results->fetchRow(); - $callback = !empty($details['callback']) ? $details['callback'] : NULL; + $callback = !empty($details['callback_success']) ? $details['callback_success'] : NULL; return new OAuthConsumer($details['key'], $details['secret'], $callback); } } @@ -49,24 +51,24 @@ class OC_OAuth_Store { function lookup_nonce($consumer, $token, $nonce, $timestamp) { $query = OC_DB::prepare("INSERT INTO `*PREFIX*oauth_nonce` (`consumer_key`, `token`, `timestamp`, `nonce`) VALUES (?, ?, ?, ?)"); - $affectedrows = $query->exec(array($consumer->key, $token->key, $timestamp, $nonce)); + $affectedrows = $query->execute(array($consumer->key, $token, $timestamp, $nonce)); // Delete all timestamps older than the one passed $query = OC_DB::prepare("DELETE FROM `*PREFIX*oauth_nonce` WHERE `consumer_key` = ? AND `token` = ? AND `timestamp` < ?"); - $query->execute(array($consumer->key, $token->key, $timestamp - self::MAX_TIMESTAMP_DIFFERENCE)); + $result = $query->exec(array($consumer->key, $token, $timestamp - self::$MAX_TIMESTAMP_DIFFERENCE)); return $result; } - function new_token($consumer, $token_type, $scope = null) { + function new_token($consumer, $token_type) { $key = md5(time()); $secret = time() + time(); $token = new OAuthToken($key, md5(md5($secret))); - $query = OC_DB::prepare("INSERT INTO `*PREFIX*oauth_tokens` (`consumer_key`, `key`, `secret`, `type`, `scope`, `timestamp`) VALUES (?, ?, ?, ?, ?, ?)"); - $result = $query->execute(array($consumer->key, $key, $secret, $token_type, $scope, time())); + $query = OC_DB::prepare("INSERT INTO `*PREFIX*oauth_tokens` (`consumer_key`, `key`, `secret`, `type`, `timestamp`) VALUES (?, ?, ?, ?, ?, ?)"); + $result = $query->execute(array($consumer->key, $key, $secret, $token_type, time())); return $token; } - function new_request_token($consumer, $scope, $callback = null) { - return $this->new_token($consumer, 'request', $scope); + function new_request_token($consumer, $callback = null) { + return $this->new_token($consumer, 'request'); } function authorise_request_token($token, $consumer, $uid) { diff --git a/settings/oauth.php b/settings/oauth.php index c6c9be515bf..8dba9b33a53 100644 --- a/settings/oauth.php +++ b/settings/oauth.php @@ -6,27 +6,41 @@ */ require_once('../lib/base.php'); - // Logic $operation = isset($_GET['operation']) ? $_GET['operation'] : ''; -$server = new OC_OAuth_Server(new OC_OAuth_Store()); +$server = OC_OAuth_server::init(); + switch($operation){ case 'register': - + + // Here external apps can register with an ownCloud + if(empty($_GET['name']) || empty($_GET['url'])){ + // Invalid request + echo 401; + } else { + $callbacksuccess = empty($_GET['callback_success']) ? null : $_GET['callback_success']; + $callbackfail = empty($_GET['callback_fail']) ? null : $_GET['callback_fail']; + $consumer = OC_OAuth_Server::register_consumer($_GET['name'], $_GET['url'], $callbacksuccess, $callbackfail); + + echo 'Registered consumer successfully!

Key: ' . $consumer->key . '
Secret: ' . $consumer->secret; + } break; case 'request_token': + try { $request = OAuthRequest::from_request(); - $token = $server->fetch_request_token($request); + $token = $server->get_request_token($request); echo $token; } catch (OAuthException $exception) { OC_Log::write('OC_OAuth_Server', $exception->getMessage(), OC_LOG::ERROR); echo $exception->getMessage(); } - break; + + break; case 'authorise'; + OC_API::checkLoggedIn(); // Example $consumer = array( @@ -74,7 +88,8 @@ switch($operation){ OC_Log::write('OC_OAuth_Server', $exception->getMessage(), OC_LOG::ERROR); echo $exception->getMessage(); } - break; + + break; default: // Something went wrong, we need an operation! OC_Response::setStatus(400); -- cgit v1.2.3