diff --git a/lib/Auth/Logger.php b/lib/Auth/Logger.php
index ad8d3973ea889bc444cdeb18f9a910ebb24bb133..0de89a15f8fad73b7b604b34a020422974688d20 100644
--- a/lib/Auth/Logger.php
+++ b/lib/Auth/Logger.php
@@ -1,5 +1,8 @@
<?php
+requre_once((dirname(__FILE__, 3)) . '/php-client/src/Client-Autoloader.php');
+
+
class Logger implements PILog
{
/**
diff --git a/lib/Auth/Process/PrivacyideaAuthProc.php b/lib/Auth/Process/PrivacyideaAuthProc.php
index 7529f79018b9f08a1916719a9528e6119fb2cd4b..0e350f3a620d675b534f0b5603ea5c24ca2185d9 100644
--- a/lib/Auth/Process/PrivacyideaAuthProc.php
+++ b/lib/Auth/Process/PrivacyideaAuthProc.php
@@ -1,6 +1,6 @@
<?php
-require_once((dirname(__FILE__, 3)) . '/php-client/src/SDK-Autoloader.php');
+require_once((dirname(__FILE__, 3)) . '/php-client/src/Client-Autoloader.php');
/**
* This authentication processing filter allows you to add a second step
@@ -255,7 +255,7 @@ class sspmod_privacyidea_Auth_Process_PrivacyideaAuthProc extends SimpleSAML_Aut
* and we can't implement separate SSO for different IdP, SP etc.
* So we delete single SSO data.
*/
- Session::getSessionFromRequest()->deleteData('privacyidea:privacyidea:sso', 'data');
+ SimpleSAML_Session::getSessionFromRequest()->deleteData('privacyidea:privacyidea:sso', 'data');
}
/**
diff --git a/lib/Auth/Source/AuthSourceLoginHandler.php b/lib/Auth/Source/AuthSourceLoginHandler.php
index a3dea55c482928acd5a3230e4f9c7cbf2325d984..d2a00dfb572a593bb09adca84c604f9e18984eca 100644
--- a/lib/Auth/Source/AuthSourceLoginHandler.php
+++ b/lib/Auth/Source/AuthSourceLoginHandler.php
@@ -1,6 +1,6 @@
<?php
-require_once((dirname(__FILE__, 3)) . '/php-client/src/SDK-Autoloader.php');
+require_once((dirname(__FILE__, 3)) . '/php-client/src/Client-Autoloader.php');
/**
* This is the helper class for PrivacyideaAuthSource.php
diff --git a/lib/Auth/Source/PrivacyideaAuthSource.php b/lib/Auth/Source/PrivacyideaAuthSource.php
index ab27fd456ee1a62b07a2230f166e7f4cf8a4d68d..96c3276432a316939ca78a4050aa14d142a99222 100644
--- a/lib/Auth/Source/PrivacyideaAuthSource.php
+++ b/lib/Auth/Source/PrivacyideaAuthSource.php
@@ -1,6 +1,6 @@
<?php
-require_once((dirname(__FILE__, 3)) . '/php-client/src/SDK-Autoloader.php');
+require_once((dirname(__FILE__, 3)) . '/php-client/src/Client-Autoloader.php');
const DEFAULT_UID_KEYS = array("username", "surname", "email", "givenname", "mobile", "phone", "realm", "resolver");
diff --git a/lib/Auth/utils.php b/lib/Auth/utils.php
index 05c799d85bc657cbf0e8a571c6616b04d8d5477e..8d639345dd0e5386622280624a359ada15cd1bff 100644
--- a/lib/Auth/utils.php
+++ b/lib/Auth/utils.php
@@ -1,6 +1,6 @@
<?php
-require_once((dirname(__FILE__, 2)) . '/php-client/src/SDK-Autoloader.php');
+require_once((dirname(__FILE__, 2)) . '/php-client/src/Client-Autoloader.php');
class sspmod_privacyidea_Auth_utils
{
diff --git a/lib/php-client/.gitignore b/lib/php-client/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..e7e2eeb14a565d508ce9c2d02145eb012e224d9b
--- /dev/null
+++ b/lib/php-client/.gitignore
@@ -0,0 +1,4 @@
+/.idea/
+/vendor/
+/composer.lock
+/.phpunit.result.cache
\ No newline at end of file
diff --git a/lib/php-client/Changelog.md b/lib/php-client/Changelog.md
new file mode 100644
index 0000000000000000000000000000000000000000..ca229777041a03e45776e9e47f63b1b687cfe9d9
--- /dev/null
+++ b/lib/php-client/Changelog.md
@@ -0,0 +1,2 @@
+## Version 0.9.0 16-06-2021
+* First Version supporting /validate/check and /validate/triggerchallenge endpoints
diff --git a/lib/php-client/LICENSE b/lib/php-client/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..0ad25db4bd1d86c452db3f9602ccdbe172438f52
--- /dev/null
+++ b/lib/php-client/LICENSE
@@ -0,0 +1,661 @@
+ GNU AFFERO GENERAL PUBLIC LICENSE
+ Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+ A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate. Many developers of free software are heartened and
+encouraged by the resulting cooperation. However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+ The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community. It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server. Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+ An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals. This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU Affero General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Remote Network Interaction; Use with the GNU General Public License.
+
+ Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software. This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published
+ by the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source. For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code. There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.
diff --git a/lib/php-client/README.md b/lib/php-client/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..d560c1a4c1a1cd96a6e3029c78e1e24120268866
--- /dev/null
+++ b/lib/php-client/README.md
@@ -0,0 +1,29 @@
+## This is the privacyIDEA PHP Client
+
+This library will help you to connect your plugin to the privacyIDEA server using REST APIs.
+
+## Requirements
+
+To use our client lib you have to install curl on your machine. If you have installed our client
+with Composer you don't need to think about it, because Composer will do it for you automatically.
+To avoid bugs we also advise you to install PHP >=7.3.
+
+## Connecting & Composer
+
+You can add our library to your repository as a submodule or install it using Composer.
+
+To install our repository with Composer, run this command in Terminal:
+
+`composer require privacyidea/privacyidea-php-client`
+
+Next, you have to run:
+
+`composer update`
+
+You can also decide which version of our package you want to install.
+For more information read the Composer documentation.
+
+To install Composer follow this link:
+https://getcomposer.org/doc/00-intro.md
+
+Required Composer version is >=2.0.
diff --git a/lib/php-client/composer.json b/lib/php-client/composer.json
new file mode 100644
index 0000000000000000000000000000000000000000..d200a9e4ab9c96f4c644235d88f6a56784afe20e
--- /dev/null
+++ b/lib/php-client/composer.json
@@ -0,0 +1,31 @@
+{
+ "name": "privacyidea/privacyidea-php-client",
+ "description": "This is the privacyIDEA-PHP-Client. The library that will help you to connect your plugin to the privacyIDEA server using REST APIs.",
+ "license": "AGPL-3.0-or-later",
+ "minimum-stability": "stable",
+ "authors": [
+ {
+ "name": "Lukas Matusiewicz",
+ "email": "lukas.matusiewicz@netknights.it"
+ }
+ ],
+ "autoload": {
+ "psr-4": {
+ "": "src"
+ }
+ },
+ "repositories": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/privacyidea/sdk-client"
+ }
+ ],
+ "require": {
+ "php": ">=5.6",
+ "phpunit/phpunit": "^9.5",
+ "internations/http-mock": ">=0.14.0",
+ "curl/curl": "*",
+ "ext-json": "*",
+ "ext-curl": "*"
+ }
+}
diff --git a/lib/php-client/src/Client-Autoloader.php b/lib/php-client/src/Client-Autoloader.php
new file mode 100644
index 0000000000000000000000000000000000000000..d727a6f02ec1057135e05417e05ea4f39c4118e5
--- /dev/null
+++ b/lib/php-client/src/Client-Autoloader.php
@@ -0,0 +1,22 @@
+<?php
+
+/**
+ * Include all files you need to authenticate against privacyIDEA
+ * All that files are placed in privacyIDEA-PHP-SDK direction
+ */
+
+spl_autoload_register('autoLoader');
+
+function autoLoader($className)
+{
+ $fullPath = dirname(__FILE__) . "/" . $className . ".php";
+ if (file_exists($fullPath))
+ {
+ require_once $fullPath;
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+}
\ No newline at end of file
diff --git a/lib/php-client/src/PIBadRequestException.php b/lib/php-client/src/PIBadRequestException.php
new file mode 100644
index 0000000000000000000000000000000000000000..f042d16e2f2422a903e0793da75a9420a341d552
--- /dev/null
+++ b/lib/php-client/src/PIBadRequestException.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace PrivacyIdea\PHPClient;
+
+class PIBadRequestException extends \Exception {}
+{
+
+}
\ No newline at end of file
diff --git a/lib/php-client/src/PIChallenge.php b/lib/php-client/src/PIChallenge.php
new file mode 100644
index 0000000000000000000000000000000000000000..14f294ebeb71220bfe82a984337f57e7ae2c2d3f
--- /dev/null
+++ b/lib/php-client/src/PIChallenge.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace PrivacyIdea\PHPClient;
+
+class PIChallenge
+{
+ /* @var string Token's type. */
+ public $type = "";
+ /* @var string Message from single challenge. */
+ public $message = "";
+ /* @var string */
+ public $transactionID = "";
+ /* @var string Token's serial. */
+ public $serial = "";
+ /* @var string */
+ public $attributes = "";
+ /* @var string JSON format */
+ public $webAuthnSignRequest = "";
+ /* @var string JSON format */
+ public $u2fSignRequest = "";
+}
\ No newline at end of file
diff --git a/lib/php-client/src/PILog.php b/lib/php-client/src/PILog.php
new file mode 100644
index 0000000000000000000000000000000000000000..1809fb2fa0aa379dddfa0c471e32a1a7fdbc4896
--- /dev/null
+++ b/lib/php-client/src/PILog.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace PrivacyIdea\PHPClient;
+
+/**
+ * Interface PILog
+ * Call the functions that collect debug and error messages
+ */
+interface PILog
+{
+ public function piDebug($message);
+
+ public function piError($message);
+}
\ No newline at end of file
diff --git a/lib/php-client/src/PIResponse.php b/lib/php-client/src/PIResponse.php
new file mode 100644
index 0000000000000000000000000000000000000000..39f4728ce2ccea6e9d58ae24f01d92dd0c09ba45
--- /dev/null
+++ b/lib/php-client/src/PIResponse.php
@@ -0,0 +1,224 @@
+<?php
+
+namespace PrivacyIdea\PHPClient;
+
+class PIResponse
+{
+ /* @var string All tokens messages which are sent by PI and can be used in UI to help user interact with service. */
+ public $messages = "";
+ /* @var string Transaction ID which is needed by some PI API requests. */
+ public $transactionID = "";
+ /* @var string This is the raw PI response in JSON format. */
+ public $raw = "";
+ /* @var array Here are all triggered challenges delivered as object of PIChallenge class. */
+ public $multiChallenge = array();
+ /* @var bool The status indicates if the request was processed correctly by the server. */
+ public $status = false;
+ /* @var bool The value tell us if authentication was successful. */
+ public $value = false;
+ /* @var array All interesting details about user which can be shown in the UI at the end of the authentication. */
+ public $detailAndAttributes = array();
+ /* @var string PI error code will be delivered here. */
+ public $errorCode;
+ /* @var string PI error message will be delivered here. */
+ public $errorMessage;
+
+ /**
+ * Prepare a good readable PI response and return it as an object
+ * @param $json
+ * @param PrivacyIDEA $privacyIDEA
+ * @return PIResponse|null
+ */
+ public static function fromJSON($json, PrivacyIDEA $privacyIDEA)
+ {
+ assert('string' === gettype($json));
+
+ if ($json == null || $json == "")
+ {
+ $privacyIDEA->errorLog("PrivacyIDEA - PIResponse: No response from PI.");
+ return null;
+ }
+
+ // Build an PIResponse object and decode the response from JSON to PHP
+ $ret = new PIResponse();
+ $map = json_decode($json, true);
+
+ // If wrong response format - throw error
+ if ($map == null)
+ {
+ $privacyIDEA->errorLog("PrivacyIDEA - PIResponse: Response from PI was in wrong format. JSON expected.");
+ return null;
+ }
+
+ // Prepare raw JSON Response if needed
+ $ret->raw = $json;
+
+ // Possibility to show an error message from PI server if no value
+ if (!isset($map['result']['value']))
+ {
+ $ret->errorCode = $map['result']['error']['code'];
+ $ret->errorMessage = $map['result']['error']['message'];
+ return $ret;
+ }
+
+ // Set information from PI response to property
+ if (isset($map['detail']['messages']))
+ {
+ $ret->messages = implode(", ", array_unique($map['detail']['messages'])) ?: "";
+ }
+ if (isset($map['detail']['transaction_id']))
+ {
+ $ret->transactionID = $map['detail']['transaction_id'];
+ }
+ $ret->status = $map['result']['status'] ?: false;
+ $ret->value = $map['result']['value'] ?: false;
+
+ // Prepare attributes and detail
+ if (!empty($map['detail']['user']))
+ {
+ $attributes = $map['detail']['user'];
+ $detail = $map['detail'];
+
+ if (isset($attributes['username']))
+ {
+ $attributes['realm'] = $map['detail']['user-realm'] ?: "";
+ $attributes['resolver'] = $map['detail']['user-resolver'] ?: "";
+ }
+ $ret->detailAndAttributes = array("detail" => $detail, "attributes" => $attributes);
+ }
+
+ // Set all challenges to objects and set it all to one array
+ if (isset($map['detail']['multi_challenge']))
+ {
+ $mc = $map['detail']['multi_challenge'];
+ foreach ($mc as $challenge)
+ {
+ $tmp = new PIChallenge();
+ $tmp->transactionID = $challenge['transaction_id'];
+ $tmp->message = $challenge['message'];
+ $tmp->serial = $challenge['serial'];
+ $tmp->type = $challenge['type'];
+ if (isset($challenge['attributes']))
+ {
+ $tmp->attributes = $challenge['attributes'];
+ }
+
+ if ($tmp->type === "webauthn")
+ {
+ $t = $challenge['attributes']['webAuthnSignRequest'];
+ $tmp->webAuthnSignRequest = json_encode($t);
+ }
+
+ if ($tmp->type === "u2f")
+ {
+ $t = $challenge['attributes']['u2fSignRequest'];
+ $tmp->u2fSignRequest = json_encode($t);
+ }
+
+ array_push($ret->multiChallenge, $tmp);
+ }
+ }
+ return $ret;
+ }
+
+ /**
+ * Get array with all triggered token types.
+ * @return array
+ */
+ public function triggeredTokenTypes()
+ {
+ $ret = array();
+ foreach ($this->multiChallenge as $challenge)
+ {
+ array_push($ret, $challenge->type);
+ }
+ return array_unique($ret);
+ }
+
+ /**
+ * Get OTP message if OTP token(s) triggered.
+ * @return string
+ */
+ public function otpMessage()
+ {
+ foreach ($this->multiChallenge as $challenge)
+ {
+ if ($challenge->type !== "push" && $challenge->type !== "webauthn")
+ {
+ return $challenge->message;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Get push message if push token triggered.
+ * @return string
+ */
+ public function pushMessage()
+ {
+ foreach ($this->multiChallenge as $challenge)
+ {
+ if ($challenge->type === "push")
+ {
+ return $challenge->message;
+ }
+ }
+ return "";
+ }
+
+ /**
+ * Get WebAuthn message if that kind of token triggered.
+ * @return string
+ */
+ public function webauthnMessage()
+ {
+ foreach ($this->multiChallenge as $challenge)
+ {
+ if ($challenge->type === "webauthn")
+ {
+ return $challenge->message;
+ }
+ }
+ return "";
+ }
+
+ /**
+ * Get WebAuthn Sign Request which comes in PIResponse if WebAuthn token is triggered.
+ * @return string
+ */
+ public function webAuthnSignRequest()
+ {
+ $arr = [];
+ $webauthn = "";
+ foreach ($this->multiChallenge as $challenge)
+ {
+ if ($challenge->type === "webauthn")
+ {
+ $t = json_decode($challenge->webAuthnSignRequest);
+ if (empty($webauthn))
+ {
+ $webauthn = $t;
+ }
+ $arr[] = $challenge->attributes['webAuthnSignRequest']['allowCredentials'][0];
+ }
+ }
+ $webauthn->allowCredentials = $arr;
+
+ return json_encode($webauthn);
+ }
+
+ public function u2fSignRequest()
+ {
+ $ret = "";
+ foreach ($this->multiChallenge as $challenge)
+ {
+ if ($challenge->type === "u2f")
+ {
+ $ret = $challenge->u2fSignRequest;
+ break;
+ }
+ }
+ return $ret;
+ }
+}
diff --git a/lib/php-client/src/PrivacyIDEA.php b/lib/php-client/src/PrivacyIDEA.php
new file mode 100644
index 0000000000000000000000000000000000000000..6c4b868198ce0d7c44a3aa74a248653c3ed3493d
--- /dev/null
+++ b/lib/php-client/src/PrivacyIDEA.php
@@ -0,0 +1,527 @@
+<?php
+
+namespace PrivacyIdea\PHPClient;
+
+const AUTHENTICATORDATA = "authenticatordata";
+const CLIENTDATA = "clientdata";
+const SIGNATUREDATA = "signaturedata";
+const CREDENTIALID = "credentialid";
+const USERHANDLE = "userhandle";
+const ASSERTIONCLIENTEXTENSIONS = "assertionclientextensions";
+
+/**
+ * All the API requests which you need are already done and set to methods in this class.
+ * All you have to do is include the SDK-Autoloader to your PHP file
+ * and call the methods adding the needed parameters.
+ *
+ * @author Lukas Matusiewicz <lukas.matusiewicz@netknights.it>
+ */
+class PrivacyIDEA
+{
+ /* @var string Plugins name which must to be verified in privacyIDEA. */
+ public $userAgent = "";
+ /* @var string This is the URL to your privacyIDEA server. */
+ public $serverURL = "";
+ /* @var string Here is realm of users account. */
+ public $realm = "";
+ /* @var bool You can decide if you want to verify your ssl certificate. */
+ public $sslVerifyHost = true;
+ /* @var bool You can decide if you want to verify your ssl certificate. */
+ public $sslVerifyPeer = true;
+ /* @var string Username to your service account. You need it to get auth token which is needed by some PI API requests. */
+ public $serviceAccountName = "";
+ /* @var string Password to your service account. You need it to get auth token which is needed by some PI API requests. */
+ public $serviceAccountPass = "";
+ /* @var string If needed you can add it too. */
+ public $serviceAccountRealm = "";
+ /* @var object This object will deliver PI debug and error messages to your plugin so you can log it wherever you want. */
+ public $logger = null;
+
+ /**
+ * PrivacyIDEA constructor.
+ * @param $userAgent string the user agent that should set in the http header
+ * @param $serverURL string the url of the privacyIDEA server
+ */
+ public function __construct($userAgent, $serverURL)
+ {
+ $this->userAgent = $userAgent;
+ $this->serverURL = $serverURL;
+ }
+
+ /**
+ * This function collect the debug messages and send it to PILog.php
+ * @param $message
+ */
+ function debugLog($message)
+ {
+ if ($this->logger != null)
+ {
+ $this->logger->piDebug($message);
+ }
+ }
+
+ /**
+ * This function collect the error messages and send it to PILog.php
+ * @param $message
+ */
+ function errorLog($message)
+ {
+ if ($this->logger != null)
+ {
+ $this->logger->piError($message);
+ }
+ }
+
+ /**
+ * Handle validateCheck using user's username, password and if challenge response - transaction_id.
+ *
+ * @param $username string Must be set
+ * @param $pass string Must be set
+ * @param null $transactionID Optional transaction ID. Used to reference a challenge that was triggered beforehand.
+ * @return PIResponse|null This method returns an PIResponse object which contains all the useful information from the PI server. In case of error returns null.
+ * @throws PIBadRequestException
+ */
+ public function validateCheck($username, $pass, $transactionID = null)
+ {
+ assert('string' === gettype($username));
+ assert('string' === gettype($pass));
+
+ // Log entry of the validateCheck()
+ $this->debugLog("validateCheck() with user=" . $username . ", pass=" . $pass . " and if is set transactionID " . $transactionID);
+
+ //Check if parameters are set
+ if (!empty($username) || !empty($pass))
+ {
+ $params["user"] = $username;
+ $params["pass"] = $pass;
+ if (!empty($transactionID))
+ {
+ //Add transaction ID in case of challenge response
+ $params["transaction_id"] = $transactionID;
+ }
+ if ($this->realm)
+ {
+ $params["realm"] = $this->realm;
+ }
+
+ //Call send_request function to handle an API Request using $parameters and return it.
+ $response = $this->sendRequest($params, array(''), 'POST', '/validate/check');
+
+ //Return the response from /validate/check as PIResponse object
+ $ret = PIResponse::fromJSON($response, $this);
+ if ($ret == null)
+ {
+ $this->debugLog("privacyIDEA - Validate Check: no response from PI-server");
+ }
+ return $ret;
+ } else
+ {
+ //Handle debug message if $username is empty
+ $this->debugLog("privacyIDEA - Validate Check: params incomplete!");
+ }
+ return null;
+ }
+
+ /**
+ * Trigger all challenges for the given username.
+ * This function requires a service account to be set.
+ *
+ * @param string $username
+ * @return PIResponse|null This method returns an PIResponse object which contains all the useful information from the PI server.
+ * @throws PIBadRequestException
+ */
+ public function triggerChallenge($username)
+ {
+ assert('string' === gettype($username));
+
+ // Log entry of the pollTransaction()
+ $this->debugLog("triggerChallenge() with username=" . $username);
+
+ if ($username)
+ {
+ $authToken = $this->getAuthToken();
+ // If error occurred in getAuthToken() - return this error in PIResponse object
+ $header = array("authorization:" . $authToken);
+
+ $parameter = array("user" => $username);
+
+ //Call /validate/triggerchallenge with username as parameter and return it.
+ $response = $this->sendRequest($parameter, $header, 'POST', '/validate/triggerchallenge');
+
+ //Return the response from /validate/triggerchallenge as PIResponse object
+ $ret = PIResponse::fromJSON($response, $this);
+
+ if ($ret == null)
+ {
+ $this->debugLog("privacyIDEA - Trigger Challenge: no response from PI-server");
+ }
+ return $ret;
+
+ } else
+ {
+ //Handle debug message if empty $username
+ $this->debugLog("privacyIDEA - Trigger Challenge: no username");
+ }
+ return null;
+ }
+
+ /**
+ * Call /validate/polltransaction using transaction_id
+ *
+ * @param $transactionID string An unique ID which is needed by some API requests.
+ * @return bool Returns true if PUSH is accepted, false otherwise.
+ * @throws PIBadRequestException
+ */
+ public function pollTransaction($transactionID)
+ {
+ assert('string' === gettype($transactionID));
+
+ // Log entry of the pollTransaction()
+ $this->debugLog("pollTransaction() with transaction ID=" . $transactionID);
+
+ if (!empty($transactionID))
+ {
+ $params = array("transaction_id" => $transactionID);
+ // Call /validate/polltransaction using transactionID and decode it from JSON
+ $responseJSON = $this->sendRequest($params, array(''), 'GET', '/validate/polltransaction');
+ $response = json_decode($responseJSON, true);
+ //Return the response from /validate/polltransaction
+ return $response['result']['value'];
+
+ } else
+ {
+ //Handle debug message if $transactionID is empty
+ $this->debugLog("privacyIDEA - Poll Transaction: No transaction ID");
+ }
+ return false;
+ }
+
+ /**
+ * Check if user already has token
+ * Enroll a new token
+ *
+ * @param string $username
+ * @param string $genkey
+ * @param string $type
+ * @param string $description
+ * @return mixed
+ * @throws PIBadRequestException
+ */
+ public function enrollToken($username, $genkey, $type, $description = "") // No return type because mixed not allowed yet
+ {
+ assert('string' === gettype($username));
+ assert('string' === gettype($type));
+ assert('string' === gettype($genkey));
+ if (isset($description))
+ {
+ assert('string' === gettype($description));
+ }
+
+ // Log entry of the enrollToken()
+ $this->debugLog("privacyIDEA - enrollToken() with user=" . $username . ", genkey=" . $genkey . ", type=" . $type . ", description=" . $description);
+
+ // Check if parameters contain the required keys
+ if (empty($username) || empty($type))
+ {
+ $this->debugLog("privacyIDEA - Enroll Token: Token enrollment not possible because params are not complete");
+ return array();
+ }
+
+ $params["user"] = $username;
+ $params["genkey"] = $genkey;
+ $params["type"] = $type;
+ $params["description"] = in_array("description", $params) ? $description : "";
+
+ $authToken = $this->getAuthToken();
+
+ // If error occurred in getAuthToken() - return this error in PIResponse object
+ $header = array("authorization:" . $authToken);
+
+ // Check if user has token
+ $tokenInfo = json_decode($this->sendRequest(array("user" => $params['user']), $header, 'GET', '/token/'));
+
+ if (!empty($tokenInfo->result->value->tokens))
+ {
+ $this->debugLog("privacyIDEA - Enroll Token: User already has a token. No need to enroll a new one.");
+ return array();
+
+ } else
+ {
+ // Call /token/init endpoint and return the PI response
+ return json_decode($this->sendRequest($params, $header, 'POST', '/token/init'));
+ }
+ }
+
+ /**
+ * Sends a request to /validate/check with the data required to authenticate a WebAuthn token.
+ *
+ * @param string $username
+ * @param string $transactionID
+ * @param string $webAuthnSignResponse
+ * @param string $origin
+ * @return PIResponse|null
+ * @throws PIBadRequestException
+ */
+ public function validateCheckWebAuthn($username, $transactionID, $webAuthnSignResponse, $origin)
+ {
+ assert('string' === gettype($username));
+ assert('string' === gettype($transactionID));
+ assert('string' === gettype($webAuthnSignResponse));
+ assert('string' === gettype($origin));
+
+ // Log entry of the validateCheckWebAuthn()
+ $this->debugLog("ValidateCheckWebAuthn with user=" . $username . ", transactionID=" . $transactionID . ", WebAuthnSignResponse=" . $webAuthnSignResponse . ", origin=" . $origin);
+
+ // Check if parameters are set
+ if (!empty($username) || !empty($transactionID))
+ {
+
+ // Compose standard validate/check params
+ $params["user"] = $username;
+ $params["pass"] = "";
+ $params["transaction_id"] = $transactionID;
+
+ if ($this->realm)
+ {
+ $params["realm"] = $this->realm;
+ }
+
+ // Additional WebAuthn params
+ $tmp = json_decode($webAuthnSignResponse, true);
+
+ $params[CREDENTIALID] = $tmp[CREDENTIALID];
+ $params[CLIENTDATA] = $tmp[CLIENTDATA];
+ $params[SIGNATUREDATA] = $tmp[SIGNATUREDATA];
+ $params[AUTHENTICATORDATA] = $tmp[AUTHENTICATORDATA];
+
+ if (!empty($tmp[USERHANDLE]))
+ {
+ $params[USERHANDLE] = $tmp[USERHANDLE];
+ }
+ if (!empty($tmp[ASSERTIONCLIENTEXTENSIONS]))
+ {
+ $params[ASSERTIONCLIENTEXTENSIONS] = $tmp[ASSERTIONCLIENTEXTENSIONS];
+ }
+
+ $header = array("Origin:" . $origin);
+
+ $response = $this->sendRequest($params, $header, 'POST', '/validate/check');
+
+ //Return the response from /validate/check as PIResponse object
+ $ret = PIResponse::fromJSON($response, $this);
+
+ if ($ret == null)
+ {
+ $this->debugLog("privacyIDEA - WebAuthn: no response from PI-server");
+ }
+ return $ret;
+
+ } else
+ {
+ //Handle debug message if $username is empty
+ $this->debugLog("privacyIDEA - WebAuthn: params incomplete!");
+ }
+ return null;
+ }
+
+ /**
+ * Sends a request to /validate/check with the data required to authenticate a U2F token.
+ *
+ * @param string $username
+ * @param string $transactionID
+ * @param string $u2fSignResponse
+ * @return PIResponse|null
+ * @throws PIBadRequestException
+ */
+ public function validateCheckU2F($username, $transactionID, $u2fSignResponse)
+ {
+ assert('string' === gettype($username));
+ assert('string' === gettype($transactionID));
+ assert('string' === gettype($u2fSignResponse));
+
+ // Log entry of validateCheckU2F
+ $this->debugLog("ValidateCheckU2F with user=" . $username . ", transactionID=" . $transactionID . ", u2fSignResponse=" . $u2fSignResponse);
+
+ // Check if parameters are set
+ if (!empty($username) || !empty($transactionID) || !empty($u2fSignResponse))
+ {
+
+ // Compose standard validate/check params
+ $params["user"] = $username;
+ $params["pass"] = "";
+ $params["transaction_id"] = $transactionID;
+
+ if ($this->realm)
+ {
+ $params["realm"] = $this->realm;
+ }
+
+ // Additional U2F params from $u2fSignResponse
+ $tmp = json_decode($u2fSignResponse, true);
+ $params[CLIENTDATA] = $tmp["clientData"];
+ $params[SIGNATUREDATA] = $tmp["signatureData"];
+
+ $response = $this->sendRequest($params, array(), 'POST', '/validate/check');
+
+ //Return the response from /validate/check as PIResponse object
+ $ret = PIResponse::fromJSON($response, $this);
+
+ if ($ret == null)
+ {
+ $this->debugLog("privacyIDEA - U2F: no response from PI-server");
+ }
+ return $ret;
+
+ } else
+ {
+ //Handle debug message if $username is empty
+ $this->debugLog("privacyIDEA - U2F: params incomplete!");
+ }
+ return null;
+ }
+
+ /**
+ * Check if service account and pass are set
+ * @return bool
+ */
+ public function serviceAccountAvailable()
+ {
+ return (!empty($this->serviceAccountName) && !empty($this->serviceAccountPass));
+ }
+
+ /**
+ * Retrieves an auth token from the server using the service account. The auth token is required to make certain requests to privacyIDEA.
+ * If no service account is set or an error occurred, this function returns false.
+ *
+ * @return string|bool|PIResponse the auth token or false.
+ * @throws PIBadRequestException
+ */
+ public function getAuthToken()
+ {
+ if (!$this->serviceAccountAvailable())
+ {
+ $this->errorLog("Cannot retrieve auth token without service account");
+ return false;
+ }
+
+ // To get auth token from server use API Request: /auth with added service account and service pass
+ $params = array(
+ "username" => $this->serviceAccountName,
+ "password" => $this->serviceAccountPass
+ );
+
+ if ($this->serviceAccountRealm != null && $this->serviceAccountRealm != "")
+ {
+ $params["realm"] = $this->serviceAccountRealm;
+ }
+
+ // Call /auth endpoint and decode the response from JSON to PHP
+ $response = json_decode($this->sendRequest($params, array(''), 'POST', '/auth'), true);
+
+ if (!empty($response['result']['value']))
+ {
+ // Get auth token from response->result->value->token and return the token
+ return $response['result']['value']['token'];
+ }
+
+ // If no response return false
+ $this->debugLog("privacyIDEA - getAuthToken: No response from PI-Server");
+ return false;
+ }
+
+ /**
+ * Prepare send_request and make curl_init.
+ *
+ * @param $params array request parameters in an array
+ * @param $headers array headers fields in array
+ * @param $httpMethod string
+ * @param $endpoint string endpoint of the privacyIDEA API (e.g. /validate/check)
+ * @return string returns string with response from server or an empty string if error occurs
+ * @throws PIBadRequestException
+ */
+ public function sendRequest(array $params, array $headers, $httpMethod, $endpoint)
+ {
+ assert('array' === gettype($params));
+ assert('array' === gettype($headers));
+ assert('string' === gettype($httpMethod));
+ assert('string' === gettype($endpoint));
+
+ $this->debugLog("Sending HEADER: " . http_build_query($headers, '', ', ') . ", with " . $httpMethod . " to " . $endpoint);
+ $this->debugLog("And PARAMS: " . http_build_query($params, '', ', '));
+
+ $curlInstance = curl_init();
+
+ // Compose an API Request using privacyIDEA's URL from config and endpoint created in function
+ $completeUrl = $this->serverURL . $endpoint;
+
+ curl_setopt($curlInstance, CURLOPT_URL, $completeUrl);
+ curl_setopt($curlInstance, CURLOPT_HEADER, true);
+ if ($headers)
+ {
+ curl_setopt($curlInstance, CURLOPT_HTTPHEADER, $headers);
+ }
+ curl_setopt($curlInstance, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($curlInstance, CURLOPT_USERAGENT, $this->userAgent);
+ if ($httpMethod === "POST")
+ {
+ curl_setopt($curlInstance, CURLOPT_POST, true);
+ curl_setopt($curlInstance, CURLOPT_POSTFIELDS, $params);
+
+ } elseif ($httpMethod === "GET")
+ {
+ $paramsStr = '?';
+ if (!empty($params))
+ {
+ foreach ($params as $key => $value)
+ {
+ $paramsStr .= $key . "=" . $value . "&";
+ }
+ }
+ curl_setopt($curlInstance, CURLOPT_URL, $completeUrl . $paramsStr);
+ }
+
+ // Check if you should to verify privacyIDEA's SSL certificate in your config
+ // If true - do it, if false - don't verify
+ if ($this->sslVerifyHost === true)
+ {
+ curl_setopt($curlInstance, CURLOPT_SSL_VERIFYHOST, 2);
+ } else
+ {
+ curl_setopt($curlInstance, CURLOPT_SSL_VERIFYHOST, 0);
+ }
+
+ if ($this->sslVerifyPeer === true)
+ {
+ curl_setopt($curlInstance, CURLOPT_SSL_VERIFYPEER, 2);
+ } else
+ {
+ curl_setopt($curlInstance, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
+ //Store response in the variable
+ $response = curl_exec($curlInstance);
+
+ if (!$response)
+ {
+ //Handle error if no response and return an empty string
+ $curlErrno = curl_errno($curlInstance);
+ $this->errorLog("privacyIDEA-SDK: Bad request to PI server. " . curl_error($curlInstance) . " errno: " . $curlErrno);
+ throw new PIBadRequestException("Unable to reach the authentication server (" . $curlErrno . ")");
+ }
+
+ $headerSize = curl_getinfo($curlInstance, CURLINFO_HEADER_SIZE);
+ $ret = substr($response, $headerSize);
+
+ // Log the response
+ if ($endpoint != "/auth")
+ {
+ $retJson = json_decode($ret, true);
+ $this->debugLog($endpoint . " returned " . json_encode($retJson, JSON_PRETTY_PRINT));
+ }
+
+ curl_close($curlInstance);
+
+ //Return decoded response from API Request
+ return $ret;
+ }
+}
\ No newline at end of file
diff --git a/lib/php-client/test/privacyidea-php-client/TestEnrollToken.php b/lib/php-client/test/privacyidea-php-client/TestEnrollToken.php
new file mode 100644
index 0000000000000000000000000000000000000000..802e5f8f6105de4850218137ef2441a85604b611
--- /dev/null
+++ b/lib/php-client/test/privacyidea-php-client/TestEnrollToken.php
@@ -0,0 +1,205 @@
+<?php
+
+require_once('../../src/Client-Autoloader.php');
+require_once('../../vendor/autoload.php');
+
+use PHPUnit\Framework\TestCase;
+use InterNations\Component\HttpMock\PHPUnit\HttpMockTrait;
+
+class PrivacyIDEATest extends TestCase
+{
+ private $pi;
+
+ use HttpMockTrait;
+
+ public static function setUpBeforeClass()
+ {
+ static::setUpHttpMockBeforeClass('8082', 'localhost');
+ }
+
+ public static function tearDownAfterClass()
+ {
+ static::tearDownHttpMockAfterClass();
+ }
+
+ public function setUp()
+ {
+ $this->setUpHttpMock();
+ $this->pi = new PrivacyIDEA('testUserAgent', "http://127.0.0.1:8082");
+ }
+
+ public function tearDown()
+ {
+ $this->tearDownHttpMock();
+ }
+
+ public function testEnrollToken()
+ {
+ // Test case if user already have a token
+ $respAuthToken = '{
+ "id": 1,
+ "jsonrpc": "2.0",
+ "result": {
+ "status": true,
+ "value": {
+ "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
+ }
+ },
+ "version": "privacyIDEA unknown"
+ }';
+
+ $respTokenInfo = '{
+ "id":1,
+ "jsonrpc":"2.0",
+ "result":{
+ "status":true,
+ "value":{
+ "count":3,
+ "current":1,
+ "tokens":[
+ {
+ "active":true,
+ "count":37,
+ "info":{
+ "count_auth":"126",
+ "tokenkind":"software"
+ },
+ "locked":false,
+ "realms":[
+ "testRealm"
+ ],
+ "resolver":"testResolver",
+ "revoked":false
+ }
+ ]
+ }
+ },
+ "version":"privacyIDEA 3.5.2",
+ "versionnumber":"3.5.2",
+ "signature":"rsa_sha256_pss:12345"
+ }';
+
+ $respTokenInit = '{
+ "detail":{
+ "googleurl":{
+ "description":"URL for google Authenticator",
+ "img":"data:image/png;base64,iVBORw0",
+ "value":"otpauth://totp/TOTP0002A944?secret=Y5D5IM4H274ZI6NRO347QGQ4NPTIOHKL&period=30&digits=6&issuer=privacyIDEA"
+ },
+ "oathurl":{
+ "description":"URL for OATH token",
+ "img":"data:image/png;base64,iVBORw0",
+ "value":"oathtoken:///addToken?name=TOTP0002A944&lockdown=true&key=c747d43387d7f99479b176f9f81a1c6be6871d4b&timeBased=true"
+ },
+ "otpkey":{
+ "description":"OTP seed",
+ "img":"data:image/png;base64,iVBORw0",
+ "value":"seed://c747d43387d7f99479b176f9f81a1c6be6871d4b",
+ "value_b32":"Y5D5IM4H274ZI6NRO347QGQ4NPTIOHKL"
+ },
+ "rollout_state":"",
+ "serial":"TOTP0002A944",
+ "threadid":140286414018304
+ },
+ "id":1,
+ "jsonrpc":"2.0",
+ "result":{
+ "status":true,
+ "value":true
+ },
+ "version":"privacyIDEA 3.5.2",
+ "versionnumber":"3.5.2",
+ "signature":"rsa_sha256_pss:12345"
+ }';
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/auth')
+ ->then()
+ ->body($respAuthToken)
+ ->end();
+ $this->http->setUp();
+
+ $this->http->mock
+ ->when()
+ ->methodIs('GET')
+ ->pathIs('/token/')
+ ->then()
+ ->body($respTokenInfo)
+ ->end();
+ $this->http->setUp();
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/token/init')
+ ->then()
+ ->body($respTokenInit)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->enrollToken([
+ "user" => "testUser",
+ "genkey" => "1",
+ "type" => "totp",
+ "description" => "Enrolled for Test"]);
+ $this->assertNotNull($response, "Response is NULL.");
+ $this->assertEmpty($response);
+
+ // Test case if user have no token and we should enroll a new one
+ $respTokenInfo = '{
+ "id":1,
+ "jsonrpc":"2.0",
+ "result":{
+ "status":true,
+ "value":{
+ "count":3,
+ "current":1,
+ "tokens":[]
+ }
+ },
+ "version":"privacyIDEA 3.5.2",
+ "versionnumber":"3.5.2",
+ "signature":"rsa_sha256_pss:12345"
+ }';
+
+ $this->http->mock
+ ->when()
+ ->methodIs('GET')
+ ->pathIs('/token/')
+ ->then()
+ ->body($respTokenInfo)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->enrollToken([
+ "user" => "",
+ "genkey" => "1",
+ "type" => "totp",
+ "description" => "Enrolled for Test"]);
+ $this->assertEmpty($response, "Without user given enrollToken() should return an empty array.");
+
+ $response = $this->pi->enrollToken([
+ "user" => "testUser",
+ "genkey" => "",
+ "type" => "totp"]);
+ $this->assertEmpty($response, "Without genkey given enrollToken() should return an empty array.");
+
+ $response = $this->pi->enrollToken([
+ "user" => "testUser",
+ "genkey" => "1",
+ "type" => ""]);
+ $this->assertEmpty($response, "Without type given enrollToken() should return an empty array.");
+
+ $response = $this->pi->enrollToken([
+ "user" => "testUser",
+ "genkey" => "1",
+ "type" => "totp",
+ "description" => "Enrolled for Test"]);
+ $this->assertNotNull($response, "Response is NULL.");
+ $this->assertIsObject($response);
+ $this->assertObjectHasAttribute('detail', $response, "Object have no detail attribute.");
+ $this->assertEquals("data:image/png;base64,iVBORw0", $response->detail->googleurl->img, "Object have no image data.");
+ }
+}
diff --git a/lib/php-client/test/privacyidea-php-client/TestGetAuthToken.php b/lib/php-client/test/privacyidea-php-client/TestGetAuthToken.php
new file mode 100644
index 0000000000000000000000000000000000000000..3ea6e1e9a3b75fb8773dfddf8ffa2c58341928f7
--- /dev/null
+++ b/lib/php-client/test/privacyidea-php-client/TestGetAuthToken.php
@@ -0,0 +1,80 @@
+<?php
+
+require_once('../../src/Client-Autoloader.php');
+require_once('../../vendor/autoload.php');
+
+use PHPUnit\Framework\TestCase;
+use InterNations\Component\HttpMock\PHPUnit\HttpMockTrait;
+
+class PrivacyIDEATest extends TestCase
+{
+ private $pi;
+
+ use HttpMockTrait;
+
+ public static function setUpBeforeClass()
+ {
+ static::setUpHttpMockBeforeClass('8082', 'localhost');
+ }
+
+ public static function tearDownAfterClass()
+ {
+ static::tearDownHttpMockAfterClass();
+ }
+
+ public function setUp()
+ {
+ $this->setUpHttpMock();
+ $this->pi = new PrivacyIDEA('testUserAgent', "http://127.0.0.1:8082");
+ }
+
+ public function tearDown()
+ {
+ $this->tearDownHttpMock();
+ }
+
+ public function testGetAuthToken()
+ {
+ $respAuthToken = '{
+ "id": 1,
+ "jsonrpc": "2.0",
+ "result": {
+ "status": true,
+ "value": {
+ "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
+ }
+ },
+ "version": "privacyIDEA unknown"
+ }';
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/auth')
+ ->then()
+ ->body($respAuthToken)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->getAuthToken();
+ $this->assertFalse($response, "Response is not false.");
+
+ $this->pi->serviceAccountPass = "testPass";
+ $this->pi->serviceAccountName = "testAdmin";
+ $this->pi->serviceAccountRealm = "testRealm";
+
+ $response = $this->pi->getAuthToken();
+ $this->assertEquals('eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM', $response, "Auth token did not match.");
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/auth')
+ ->then()
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->getAuthToken();
+ $this->assertFalse($response);
+ }
+}
diff --git a/lib/php-client/test/privacyidea-php-client/TestPollTransaction.php b/lib/php-client/test/privacyidea-php-client/TestPollTransaction.php
new file mode 100644
index 0000000000000000000000000000000000000000..4e46d0a4bc09723c1ac71bef5d7f6a2ea89c32e0
--- /dev/null
+++ b/lib/php-client/test/privacyidea-php-client/TestPollTransaction.php
@@ -0,0 +1,67 @@
+<?php
+
+require_once('../../src/Client-Autoloader.php');
+require_once('../../vendor/autoload.php');
+
+use PHPUnit\Framework\TestCase;
+use InterNations\Component\HttpMock\PHPUnit\HttpMockTrait;
+
+class PrivacyIDEATest extends TestCase
+{
+ private $pi;
+
+ use HttpMockTrait;
+
+ public static function setUpBeforeClass()
+ {
+ static::setUpHttpMockBeforeClass('8082', 'localhost');
+ }
+
+ public static function tearDownAfterClass()
+ {
+ static::tearDownHttpMockAfterClass();
+ }
+
+ public function setUp()
+ {
+ $this->setUpHttpMock();
+ $this->pi = new PrivacyIDEA('testUserAgent', "http://127.0.0.1:8082");
+ }
+
+ public function tearDown()
+ {
+ $this->tearDownHttpMock();
+ }
+
+ public function testPollTransaction()
+ {
+ $respPolling = '{
+ "id": 1,
+ "jsonrpc": "2.0",
+ "result": {
+ "status": true,
+ "value": true
+ },
+ "version": "privacyIDEA 3.5.2",
+ "versionnumber": "3.5.2",
+ "signature": "rsa_sha256_pss:12345"
+ }';
+
+ $this->http->mock
+ ->when()
+ ->methodIs('GET')
+ ->pathIs('/validate/polltransaction')
+ ->then()
+ ->body($respPolling)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->pollTransaction("");
+ $this->assertNotNull($response, "Response is not NULL without transaction_id given.");
+
+ $response = $this->pi->pollTransaction("1234567890");
+ $this->assertNotNull($response, "Response is NULL.");
+
+ $this->assertTrue($response, "Value is not true as expected.");
+ }
+}
diff --git a/lib/php-client/test/privacyidea-php-client/TestTriggerChallenge.php b/lib/php-client/test/privacyidea-php-client/TestTriggerChallenge.php
new file mode 100644
index 0000000000000000000000000000000000000000..a880a9ff102bbe19616fead8cfa373a00b62e615
--- /dev/null
+++ b/lib/php-client/test/privacyidea-php-client/TestTriggerChallenge.php
@@ -0,0 +1,142 @@
+<?php
+
+require_once('../../src/Client-Autoloader.php');
+require_once('../../vendor/autoload.php');
+
+use PHPUnit\Framework\TestCase;
+use InterNations\Component\HttpMock\PHPUnit\HttpMockTrait;
+
+class PrivacyIDEATest extends TestCase
+{
+ private $pi;
+
+ use HttpMockTrait;
+
+ public static function setUpBeforeClass()
+ {
+ static::setUpHttpMockBeforeClass('8082', 'localhost');
+ }
+
+ public static function tearDownAfterClass()
+ {
+ static::tearDownHttpMockAfterClass();
+ }
+
+ public function setUp()
+ {
+ $this->setUpHttpMock();
+ $this->pi = new PrivacyIDEA('testUserAgent', "http://127.0.0.1:8082");
+ }
+
+ public function tearDown()
+ {
+ $this->tearDownHttpMock();
+ }
+
+ public function testTriggerChallenge()
+ {
+ $respAuthToken = '{
+ "id": 1,
+ "jsonrpc": "2.0",
+ "result": {
+ "status": true,
+ "value": {
+ "token": "eyJhbGciOiJIUz....jdpn9kIjuGRnGejmbFbM"
+ }
+ },
+ "version": "privacyIDEA unknown"
+ }';
+
+ $respTriggerChallenge = '{
+ "detail":{
+ "attributes":null,
+ "messages":[
+ "Please confirm the authentication on your mobile device!"
+ ],
+ "multi_challenge":[
+ {
+ "attributes":null,
+ "message":"please enter otp: ",
+ "serial":"OATH00016327",
+ "transaction_id":"08282050332563531714",
+ "type":"hotp"
+ },
+ {
+ "attributes":null,
+ "message":"please verify push",
+ "serial":"PIPU1092340Ăź1231",
+ "transaction_id":"08282050332563531714",
+ "type":"push"
+ }
+ ],
+ "serial":"TOTP0002A944",
+ "transaction_id":"08282050332563531714",
+ "type":"totp"
+ },
+ "result":{
+ "status":true,
+ "value":1
+ },
+ "version":"privacyIDEA 3.5.2",
+ "versionnumber":"3.5.2",
+ "signature":"rsa_sha256_pss:12345"
+ }';
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/auth')
+ ->then()
+ ->body($respAuthToken)
+ ->end();
+ $this->http->setUp();
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/validate/triggerchallenge')
+ ->then()
+ ->body(null)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->triggerChallenge("testUser");
+ $this->assertNull($response, "Response is not NULL.");
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/validate/triggerchallenge')
+ ->then()
+ ->body($respTriggerChallenge)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->triggerChallenge("");
+ $this->assertNull($response, "Response not NULL even if the username not given.");
+
+ $response = $this->pi->triggerChallenge("testUser");
+ $this->assertNotNull($response, "Response is NULL.");
+
+ $this->assertEquals("Please confirm the authentication on your mobile device!", $response->messages, "Message did not match.");
+ $this->assertEquals("08282050332563531714", $response->transaction_id, "Transaction id did not match.");
+ $this->assertEquals($respTriggerChallenge, $response->raw, "Cannot to get the raw response in JSON format!");
+ $this->assertTrue($response->status, "Status is not true as expected.");
+ $this->assertEquals("1", $response->value, "Value is not false as expected.");
+ $this->assertEmpty($response->detailAndAttributes, "detailAndAttributes is not empty as expected.");
+ $this->assertNull($response->error, "Error is not null as expected.");
+
+ $this->assertEquals("08282050332563531714", $response->multi_challenge[0]->transaction_id, "Transaction id did not match.");
+ $this->assertEquals("please enter otp: ", $response->multi_challenge[0]->message, "Message did not match.");
+ $this->assertEquals("OATH00016327", $response->multi_challenge[0]->serial, "Serial did not match.");
+ $this->assertEquals("hotp", $response->multi_challenge[0]->type, "Type did not match.");
+ $this->assertNull($response->multi_challenge[0]->attributes, "attributes did not match.");
+
+ // Test PIResponse methods: triggeredTokenTypes, pushAvailability, pushMessage, otpMessage
+ $this->assertIsArray($response->triggeredTokenTypes());
+ $this->assertEquals(["hotp","push"], $response->triggeredTokenTypes());
+ $this->assertTrue($response->pushAvailability());
+ $this->assertEquals("please verify push", $response->pushMessage());
+ $this->assertEquals("please enter otp: ", $response->otpMessage());
+ }
+}
diff --git a/lib/php-client/test/privacyidea-php-client/TestValidateCheck.php b/lib/php-client/test/privacyidea-php-client/TestValidateCheck.php
new file mode 100644
index 0000000000000000000000000000000000000000..6e0b4e743565f1afa9ebaa44d67d431a163492c6
--- /dev/null
+++ b/lib/php-client/test/privacyidea-php-client/TestValidateCheck.php
@@ -0,0 +1,169 @@
+<?php
+
+require_once('../../src/Client-Autoloader.php');
+require_once('../../vendor/autoload.php');
+
+use PHPUnit\Framework\TestCase;
+use InterNations\Component\HttpMock\PHPUnit\HttpMockTrait;
+
+class PrivacyIDEATest extends TestCase
+{
+ private $pi;
+
+ use HttpMockTrait;
+
+ public static function setUpBeforeClass()
+ {
+ static::setUpHttpMockBeforeClass('8082', 'localhost');
+ }
+
+ public static function tearDownAfterClass()
+ {
+ static::tearDownHttpMockAfterClass();
+ }
+
+ public function setUp()
+ {
+ $this->setUpHttpMock();
+ $this->pi = new PrivacyIDEA('testUserAgent', "http://127.0.0.1:8082");
+ }
+
+ public function tearDown()
+ {
+ $this->tearDownHttpMock();
+ }
+
+ public function testValidateCheck()
+ {
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/validate/check')
+ ->then()
+ ->body(null)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->validateCheck(['user' => 'testUser', 'pass' => 'testPass'], "1234567890");
+ $this->assertNull($response, "Response is not NULL.");
+
+ $respValidateCheck = '{
+ "detail": {
+ "attributes": null,
+ "message": "Please enter OTP: ",
+ "messages": [
+ "Please enter OTP: "
+ ],
+ "multi_challenge": [
+ {
+ "attributes": null,
+ "message": "Please enter OTP: ",
+ "serial": "OATH00016327",
+ "transaction_id": "10254108800156191660",
+ "type": "hotp"
+ }
+ ],
+ "serial": "OATH00016327",
+ "threadid": 139868461995776,
+ "transaction_id": "10254108800156191660",
+ "transaction_ids": [
+ "10254108800156191660"
+ ],
+ "type": "hotp"
+ },
+ "id": 1,
+ "jsonrpc": "2.0",
+ "result": {
+ "status": true,
+ "value": false
+ },
+ "version": "privacyIDEA 3.5.2",
+ "versionnumber": "3.5.2",
+ "signature": "rsa_sha256_pss:12345"
+ }';
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/validate/check')
+ ->then()
+ ->body($respValidateCheck)
+ ->end();
+ $this->http->setUp();
+
+ $this->pi->sslVerifyHost = false;
+ $this->pi->sslVerifyPeer = false;
+
+ $response = $this->pi->validateCheck(array());
+ $this->assertNull($response, "No user or pass added to params.");
+
+ $this->pi->realm = "testRealm";
+ $response = $this->pi->validateCheck(['user' => 'testUser', 'pass' => 'testPass'], "1234567890");
+ $this->assertNotNull($response, "Response is NULL.");
+
+ $this->assertEquals('Please enter OTP: ', $response->messages, "Message did not match.");
+ $this->assertEquals("10254108800156191660", $response->transaction_id, "Transaction id did not match.");
+ $this->assertEquals($respValidateCheck, $response->raw, "Cannot to get the raw response in JSON format!");
+ $this->assertTrue($response->status, "Status is not true as expected.");
+ $this->assertFalse($response->value, "Value is not false as expected.");
+ $this->assertEmpty($response->detailAndAttributes, "detailAndAttributes is not empty as expected.");
+ $this->assertNull($response->error, "Error is not null as expected.");
+
+ $this->assertEquals("10254108800156191660", $response->multi_challenge[0]->transaction_id, "Transaction id did not match.");
+ $this->assertEquals("Please enter OTP: ", $response->multi_challenge[0]->message, "Message did not match.");
+ $this->assertEquals("OATH00016327", $response->multi_challenge[0]->serial, "Serial did not match.");
+ $this->assertEquals("hotp", $response->multi_challenge[0]->type, "Type did not match.");
+ $this->assertNull($response->multi_challenge[0]->attributes, "attributes did not match.");
+
+ // Test PIResponse methods: pushAvailability, pushMessage, otpMessage
+ $this->assertFalse($response->pushAvailability());
+ $this->assertFalse($response->pushMessage());
+
+ $respValidateCheck = '{
+ "detail": {
+ "attributes": null,
+ "message": "Please enter OTP: ",
+ "messages": [
+ "Please enter OTP: "
+ ],
+ "multi_challenge": [
+ {
+ "attributes":null,
+ "message":"please verify push",
+ "serial":"PIPU1092340Ăź1231",
+ "transaction_id":"08282050332563531714",
+ "type":"push"
+ }
+ ],
+ "serial": "OATH00016327",
+ "threadid": 139868461995776,
+ "transaction_id": "10254108800156191660",
+ "transaction_ids": [
+ "10254108800156191660"
+ ],
+ "type": "hotp"
+ },
+ "id": 1,
+ "jsonrpc": "2.0",
+ "result": {
+ "status": true,
+ "value": false
+ },
+ "version": "privacyIDEA 3.5.2",
+ "versionnumber": "3.5.2",
+ "signature": "rsa_sha256_pss:12345"
+ }';
+
+ $this->http->mock
+ ->when()
+ ->methodIs('POST')
+ ->pathIs('/validate/check')
+ ->then()
+ ->body($respValidateCheck)
+ ->end();
+ $this->http->setUp();
+
+ $response = $this->pi->validateCheck(['user' => 'testUser', 'pass' => 'testPass'], "1234567890");
+ $this->assertFalse($response->otpMessage());
+ }
+}