Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
P
php-client
Manage
Activity
Members
Labels
Plan
Jira
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Model registry
Analyze
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Perun
Perun ProxyIdP
php-client
Commits
b0465701
Commit
b0465701
authored
3 years ago
by
lukasmatusiewicz
Browse files
Options
Downloads
Patches
Plain Diff
formatting
parent
6bee3f6b
No related branches found
No related tags found
No related merge requests found
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
src/PIResponse.php
+44
-22
44 additions, 22 deletions
src/PIResponse.php
src/PrivacyIDEA.php
+80
-40
80 additions, 40 deletions
src/PrivacyIDEA.php
src/SDK-Autoloader.php
+4
-2
4 additions, 2 deletions
src/SDK-Autoloader.php
with
128 additions
and
64 deletions
src/PIResponse.php
+
44
−
22
View file @
b0465701
...
...
@@ -31,7 +31,8 @@ class PIResponse
{
assert
(
'string'
===
gettype
(
$json
));
if
(
$json
==
null
||
$json
==
""
)
{
if
(
$json
==
null
||
$json
==
""
)
{
$privacyIDEA
->
errorLog
(
"PrivacyIDEA - PIResponse: No response from PI."
);
return
null
;
}
...
...
@@ -41,7 +42,8 @@ class PIResponse
$map
=
json_decode
(
$json
,
true
);
// If wrong response format - throw error
if
(
$map
==
null
)
{
if
(
$map
==
null
)
{
$privacyIDEA
->
errorLog
(
"PrivacyIDEA - PIResponse: Response from PI was in wrong format. JSON expected."
);
return
null
;
}
...
...
@@ -50,28 +52,33 @@ class PIResponse
$ret
->
raw
=
$json
;
// Possibility to show an error message from PI server if no value
if
(
!
isset
(
$map
[
'result'
][
'value'
]))
{
if
(
!
isset
(
$map
[
'result'
][
'value'
]))
{
$ret
->
errorCode
=
$map
[
'result'
][
'error'
][
'code'
];
$ret
->
errorMessage
=
$map
[
'result'
][
'error'
][
'message'
];
return
$ret
;
}
// Set information from PI response to property
if
(
isset
(
$map
[
'detail'
][
'messages'
]))
{
if
(
isset
(
$map
[
'detail'
][
'messages'
]))
{
$ret
->
messages
=
implode
(
", "
,
array_unique
(
$map
[
'detail'
][
'messages'
]))
?:
""
;
}
if
(
isset
(
$map
[
'detail'
][
'transaction_id'
]))
{
if
(
isset
(
$map
[
'detail'
][
'transaction_id'
]))
{
$ret
->
transactionID
=
$map
[
'detail'
][
'transaction_id'
];
}
$ret
->
status
=
$map
[
'result'
][
'status'
]
?:
false
;
$ret
->
value
=
$map
[
'result'
][
'value'
]
?:
false
;
// Prepare attributes and detail
if
(
!
empty
(
$map
[
'detail'
][
'user'
]))
{
if
(
!
empty
(
$map
[
'detail'
][
'user'
]))
{
$attributes
=
$map
[
'detail'
][
'user'
];
$detail
=
$map
[
'detail'
];
if
(
isset
(
$attributes
[
'username'
]))
{
if
(
isset
(
$attributes
[
'username'
]))
{
$attributes
[
'realm'
]
=
$map
[
'detail'
][
'user-realm'
]
?:
""
;
$attributes
[
'resolver'
]
=
$map
[
'detail'
][
'user-resolver'
]
?:
""
;
}
...
...
@@ -79,9 +86,11 @@ class PIResponse
}
// Set all challenges to objects and set it all to one array
if
(
isset
(
$map
[
'detail'
][
'multi_challenge'
]))
{
if
(
isset
(
$map
[
'detail'
][
'multi_challenge'
]))
{
$mc
=
$map
[
'detail'
][
'multi_challenge'
];
foreach
(
$mc
as
$challenge
)
{
foreach
(
$mc
as
$challenge
)
{
$tmp
=
new
PIChallenge
();
$tmp
->
transactionID
=
$challenge
[
'transaction_id'
];
$tmp
->
message
=
$challenge
[
'message'
];
...
...
@@ -89,12 +98,14 @@ class PIResponse
$tmp
->
type
=
$challenge
[
'type'
];
$tmp
->
attributes
=
$challenge
[
'attributes'
];
if
(
$tmp
->
type
===
"webauthn"
)
{
if
(
$tmp
->
type
===
"webauthn"
)
{
$t
=
$challenge
[
'attributes'
][
'webAuthnSignRequest'
];
$tmp
->
webAuthnSignRequest
=
json_encode
(
$t
);
}
if
(
$tmp
->
type
===
"u2f"
)
{
if
(
$tmp
->
type
===
"u2f"
)
{
$t
=
$challenge
[
'attributes'
][
'u2fSignRequest'
];
$tmp
->
u2fSignRequest
=
json_encode
(
$t
);
}
...
...
@@ -112,7 +123,8 @@ class PIResponse
public
function
triggeredTokenTypes
()
{
$ret
=
array
();
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
array_push
(
$ret
,
$challenge
->
type
);
}
return
array_unique
(
$ret
);
...
...
@@ -124,8 +136,10 @@ class PIResponse
*/
public
function
otpMessage
()
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
!==
"push"
&&
$challenge
->
type
!==
"webauthn"
)
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
!==
"push"
&&
$challenge
->
type
!==
"webauthn"
)
{
return
$challenge
->
message
;
}
}
...
...
@@ -138,8 +152,10 @@ class PIResponse
*/
public
function
pushMessage
()
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"push"
)
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"push"
)
{
return
$challenge
->
message
;
}
}
...
...
@@ -152,8 +168,10 @@ class PIResponse
*/
public
function
webauthnMessage
()
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"webauthn"
)
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"webauthn"
)
{
return
$challenge
->
message
;
}
}
...
...
@@ -167,8 +185,10 @@ class PIResponse
public
function
webAuthnSignRequest
()
{
$ret
=
""
;
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"webauthn"
)
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"webauthn"
)
{
$ret
=
$challenge
->
webAuthnSignRequest
;
break
;
}
...
...
@@ -179,8 +199,10 @@ class PIResponse
public
function
u2fSignRequest
()
{
$ret
=
""
;
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"u2f"
)
{
foreach
(
$this
->
multiChallenge
as
$challenge
)
{
if
(
$challenge
->
type
===
"u2f"
)
{
$ret
=
$challenge
->
u2fSignRequest
;
break
;
}
...
...
This diff is collapsed.
Click to expand it.
src/PrivacyIDEA.php
+
80
−
40
View file @
b0465701
...
...
@@ -51,7 +51,8 @@ class PrivacyIDEA
*/
function
debugLog
(
$message
)
{
if
(
$this
->
logger
!=
null
)
{
if
(
$this
->
logger
!=
null
)
{
$this
->
logger
->
piDebug
(
$message
);
}
}
...
...
@@ -62,7 +63,8 @@ class PrivacyIDEA
*/
function
errorLog
(
$message
)
{
if
(
$this
->
logger
!=
null
)
{
if
(
$this
->
logger
!=
null
)
{
$this
->
logger
->
piError
(
$message
);
}
}
...
...
@@ -85,14 +87,17 @@ class PrivacyIDEA
$this
->
debugLog
(
"validateCheck() with user="
.
$username
.
", pass="
.
$pass
.
" and if is set transactionID "
.
$transactionID
);
//Check if parameters are set
if
(
!
empty
(
$username
)
||
!
empty
(
$pass
))
{
if
(
!
empty
(
$username
)
||
!
empty
(
$pass
))
{
$params
[
"user"
]
=
$username
;
$params
[
"pass"
]
=
$pass
;
if
(
!
empty
(
$transactionID
))
{
if
(
!
empty
(
$transactionID
))
{
//Add transaction ID in case of challenge response
$params
[
"transaction_id"
]
=
$transactionID
;
}
if
(
$this
->
realm
)
{
if
(
$this
->
realm
)
{
$params
[
"realm"
]
=
$this
->
realm
;
}
...
...
@@ -101,11 +106,13 @@ class PrivacyIDEA
//Return the response from /validate/check as PIResponse object
$ret
=
PIResponse
::
fromJSON
(
$response
,
$this
);
if
(
$ret
==
null
)
{
if
(
$ret
==
null
)
{
$this
->
debugLog
(
"privacyIDEA - Validate Check: no response from PI-server"
);
}
return
$ret
;
}
else
{
}
else
{
//Handle debug message if $username is empty
$this
->
debugLog
(
"privacyIDEA - Validate Check: params incomplete!"
);
}
...
...
@@ -127,7 +134,8 @@ class PrivacyIDEA
// Log entry of the pollTransaction()
$this
->
debugLog
(
"triggerChallenge() with username="
.
$username
);
if
(
$username
)
{
if
(
$username
)
{
$authToken
=
$this
->
getAuthToken
();
// If error occurred in getAuthToken() - return this error in PIResponse object
$header
=
array
(
"authorization:"
.
$authToken
);
...
...
@@ -140,12 +148,14 @@ class PrivacyIDEA
//Return the response from /validate/triggerchallenge as PIResponse object
$ret
=
PIResponse
::
fromJSON
(
$response
,
$this
);
if
(
$ret
==
null
)
{
if
(
$ret
==
null
)
{
$this
->
debugLog
(
"privacyIDEA - Trigger Challenge: no response from PI-server"
);
}
return
$ret
;
}
else
{
}
else
{
//Handle debug message if empty $username
$this
->
debugLog
(
"privacyIDEA - Trigger Challenge: no username"
);
}
...
...
@@ -166,7 +176,8 @@ class PrivacyIDEA
// Log entry of the pollTransaction()
$this
->
debugLog
(
"pollTransaction() with transaction ID="
.
$transactionID
);
if
(
!
empty
(
$transactionID
))
{
if
(
!
empty
(
$transactionID
))
{
$params
=
array
(
"transaction_id"
=>
$transactionID
);
// Call /validate/polltransaction using transactionID and decode it from JSON
$responseJSON
=
$this
->
sendRequest
(
$params
,
array
(
''
),
'GET'
,
'/validate/polltransaction'
);
...
...
@@ -174,7 +185,8 @@ class PrivacyIDEA
//Return the response from /validate/polltransaction
return
$response
[
'result'
][
'value'
];
}
else
{
}
else
{
//Handle debug message if $transactionID is empty
$this
->
debugLog
(
"privacyIDEA - Poll Transaction: No transaction ID"
);
}
...
...
@@ -197,7 +209,8 @@ class PrivacyIDEA
assert
(
'string'
===
gettype
(
$username
));
assert
(
'string'
===
gettype
(
$type
));
assert
(
'string'
===
gettype
(
$genkey
));
if
(
isset
(
$description
))
{
if
(
isset
(
$description
))
{
assert
(
'string'
===
gettype
(
$description
));
}
...
...
@@ -205,7 +218,8 @@ class PrivacyIDEA
$this
->
debugLog
(
"privacyIDEA - enrollToken() with user="
.
$username
.
", genkey="
.
$genkey
.
", type="
.
$type
.
", description="
.
$description
);
// Check if parameters contain the required keys
if
(
empty
(
$username
)
||
empty
(
$type
))
{
if
(
empty
(
$username
)
||
empty
(
$type
))
{
$this
->
debugLog
(
"privacyIDEA - Enroll Token: Token enrollment not possible because params are not complete"
);
return
array
();
}
...
...
@@ -223,11 +237,13 @@ class PrivacyIDEA
// Check if user has token
$tokenInfo
=
json_decode
(
$this
->
sendRequest
(
array
(
"user"
=>
$params
[
'user'
]),
$header
,
'GET'
,
'/token/'
));
if
(
!
empty
(
$tokenInfo
->
result
->
value
->
tokens
))
{
if
(
!
empty
(
$tokenInfo
->
result
->
value
->
tokens
))
{
$this
->
debugLog
(
"privacyIDEA - Enroll Token: User already has a token. No need to enroll a new one."
);
return
array
();
}
else
{
}
else
{
// Call /token/init endpoint and return the PI response
return
json_decode
(
$this
->
sendRequest
(
$params
,
$header
,
'POST'
,
'/token/init'
));
}
...
...
@@ -254,14 +270,16 @@ class PrivacyIDEA
$this
->
debugLog
(
"ValidateCheckWebAuthn with user="
.
$username
.
", transactionID="
.
$transactionID
.
", WebAuthnSignResponse="
.
$webAuthnSignResponse
.
", origin="
.
$origin
);
// Check if parameters are set
if
(
!
empty
(
$username
)
||
!
empty
(
$transactionID
))
{
if
(
!
empty
(
$username
)
||
!
empty
(
$transactionID
))
{
// Compose standard validate/check params
$params
[
"user"
]
=
$username
;
$params
[
"pass"
]
=
""
;
$params
[
"transaction_id"
]
=
$transactionID
;
if
(
$this
->
realm
)
{
if
(
$this
->
realm
)
{
$params
[
"realm"
]
=
$this
->
realm
;
}
...
...
@@ -273,10 +291,12 @@ class PrivacyIDEA
$params
[
SIGNATUREDATA
]
=
$tmp
[
SIGNATUREDATA
];
$params
[
AUTHENTICATORDATA
]
=
$tmp
[
AUTHENTICATORDATA
];
if
(
!
empty
(
$tmp
[
USERHANDLE
]))
{
if
(
!
empty
(
$tmp
[
USERHANDLE
]))
{
$params
[
USERHANDLE
]
=
$tmp
[
USERHANDLE
];
}
if
(
!
empty
(
$tmp
[
ASSERTIONCLIENTEXTENSIONS
]))
{
if
(
!
empty
(
$tmp
[
ASSERTIONCLIENTEXTENSIONS
]))
{
$params
[
ASSERTIONCLIENTEXTENSIONS
]
=
$tmp
[
ASSERTIONCLIENTEXTENSIONS
];
}
...
...
@@ -287,12 +307,14 @@ class PrivacyIDEA
//Return the response from /validate/check as PIResponse object
$ret
=
PIResponse
::
fromJSON
(
$response
,
$this
);
if
(
$ret
==
null
)
{
if
(
$ret
==
null
)
{
$this
->
debugLog
(
"privacyIDEA - WebAuthn: no response from PI-server"
);
}
return
$ret
;
}
else
{
}
else
{
//Handle debug message if $username is empty
$this
->
debugLog
(
"privacyIDEA - WebAuthn: params incomplete!"
);
}
...
...
@@ -318,14 +340,16 @@ class PrivacyIDEA
$this
->
debugLog
(
"ValidateCheckU2F with user="
.
$username
.
", transactionID="
.
$transactionID
.
", u2fSignResponse="
.
$u2fSignResponse
);
// Check if parameters are set
if
(
!
empty
(
$username
)
||
!
empty
(
$transactionID
)
||
!
empty
(
$u2fSignResponse
))
{
if
(
!
empty
(
$username
)
||
!
empty
(
$transactionID
)
||
!
empty
(
$u2fSignResponse
))
{
// Compose standard validate/check params
$params
[
"user"
]
=
$username
;
$params
[
"pass"
]
=
""
;
$params
[
"transaction_id"
]
=
$transactionID
;
if
(
$this
->
realm
)
{
if
(
$this
->
realm
)
{
$params
[
"realm"
]
=
$this
->
realm
;
}
...
...
@@ -339,12 +363,14 @@ class PrivacyIDEA
//Return the response from /validate/check as PIResponse object
$ret
=
PIResponse
::
fromJSON
(
$response
,
$this
);
if
(
$ret
==
null
)
{
if
(
$ret
==
null
)
{
$this
->
debugLog
(
"privacyIDEA - U2F: no response from PI-server"
);
}
return
$ret
;
}
else
{
}
else
{
//Handle debug message if $username is empty
$this
->
debugLog
(
"privacyIDEA - U2F: params incomplete!"
);
}
...
...
@@ -369,7 +395,8 @@ class PrivacyIDEA
*/
public
function
getAuthToken
()
{
if
(
!
$this
->
serviceAccountAvailable
())
{
if
(
!
$this
->
serviceAccountAvailable
())
{
$this
->
errorLog
(
"Cannot retrieve auth token without service account"
);
return
false
;
}
...
...
@@ -380,14 +407,16 @@ class PrivacyIDEA
"password"
=>
$this
->
serviceAccountPass
);
if
(
$this
->
serviceAccountRealm
!=
null
&&
$this
->
serviceAccountRealm
!=
""
)
{
if
(
$this
->
serviceAccountRealm
!=
null
&&
$this
->
serviceAccountRealm
!=
""
)
{
$params
[
"realm"
]
=
$this
->
serviceAccountRealm
;
}
// Call /auth endpoint and decode the response from JSON to PHP
$response
=
json_decode
(
$this
->
sendRequest
(
$params
,
array
(
''
),
'POST'
,
'/auth'
),
true
);
if
(
!
empty
(
$response
[
'result'
][
'value'
]))
{
if
(
!
empty
(
$response
[
'result'
][
'value'
]))
{
// Get auth token from response->result->value->token and return the token
return
$response
[
'result'
][
'value'
][
'token'
];
}
...
...
@@ -424,19 +453,24 @@ class PrivacyIDEA
curl_setopt
(
$curlInstance
,
CURLOPT_URL
,
$completeUrl
);
curl_setopt
(
$curlInstance
,
CURLOPT_HEADER
,
true
);
if
(
$headers
)
{
if
(
$headers
)
{
curl_setopt
(
$curlInstance
,
CURLOPT_HTTPHEADER
,
$headers
);
}
curl_setopt
(
$curlInstance
,
CURLOPT_RETURNTRANSFER
,
true
);
curl_setopt
(
$curlInstance
,
CURLOPT_USERAGENT
,
$this
->
userAgent
);
if
(
$httpMethod
===
"POST"
)
{
if
(
$httpMethod
===
"POST"
)
{
curl_setopt
(
$curlInstance
,
CURLOPT_POST
,
true
);
curl_setopt
(
$curlInstance
,
CURLOPT_POSTFIELDS
,
$params
);
}
elseif
(
$httpMethod
===
"GET"
)
{
}
elseif
(
$httpMethod
===
"GET"
)
{
$paramsStr
=
'?'
;
if
(
!
empty
(
$params
))
{
foreach
(
$params
as
$key
=>
$value
)
{
if
(
!
empty
(
$params
))
{
foreach
(
$params
as
$key
=>
$value
)
{
$paramsStr
.
=
$key
.
"="
.
$value
.
"&"
;
}
}
...
...
@@ -445,22 +479,27 @@ class PrivacyIDEA
// Check if you should to verify privacyIDEA's SSL certificate in your config
// If true - do it, if false - don't verify
if
(
$this
->
sslVerifyHost
===
true
)
{
if
(
$this
->
sslVerifyHost
===
true
)
{
curl_setopt
(
$curlInstance
,
CURLOPT_SSL_VERIFYHOST
,
2
);
}
else
{
}
else
{
curl_setopt
(
$curlInstance
,
CURLOPT_SSL_VERIFYHOST
,
0
);
}
if
(
$this
->
sslVerifyPeer
===
true
)
{
if
(
$this
->
sslVerifyPeer
===
true
)
{
curl_setopt
(
$curlInstance
,
CURLOPT_SSL_VERIFYPEER
,
2
);
}
else
{
}
else
{
curl_setopt
(
$curlInstance
,
CURLOPT_SSL_VERIFYPEER
,
0
);
}
//Store response in the variable
$response
=
curl_exec
(
$curlInstance
);
if
(
!
$response
)
{
if
(
!
$response
)
{
//Handle error if no response and return an empty string
$curlErrno
=
curl_errno
(
$curlInstance
);
$this
->
errorLog
(
"privacyIDEA-SDK: Bad request to PI server. "
.
curl_error
(
$curlInstance
)
.
" errno: "
.
$curlErrno
);
...
...
@@ -471,7 +510,8 @@ class PrivacyIDEA
$ret
=
substr
(
$response
,
$headerSize
);
// Log the response
if
(
$endpoint
!=
"/auth"
)
{
if
(
$endpoint
!=
"/auth"
)
{
$retJson
=
json_decode
(
$ret
,
true
);
$this
->
debugLog
(
$endpoint
.
" returned "
.
json_encode
(
$retJson
,
JSON_PRETTY_PRINT
));
}
...
...
This diff is collapsed.
Click to expand it.
src/SDK-Autoloader.php
+
4
−
2
View file @
b0465701
...
...
@@ -10,10 +10,12 @@ spl_autoload_register('autoLoader');
function
autoLoader
(
$className
)
{
$fullPath
=
dirname
(
__FILE__
)
.
"/"
.
$className
.
".php"
;
if
(
file_exists
(
$fullPath
))
{
if
(
file_exists
(
$fullPath
))
{
require_once
$fullPath
;
return
true
;
}
else
{
}
else
{
return
false
;
}
}
\ No newline at end of file
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment