src/applications/oauthserver/PhabricatorOAuthServer.php

   1 <?php
   2
   3 /**
   4  * Implements core OAuth 2.0 Server logic.
   5  *
   6  * This class should be used behind business logic that parses input to
   7  * determine pertinent @{class:PhabricatorUser} $user,
   8  * @{class:PhabricatorOAuthServerClient} $client(s),
   9  * @{class:PhabricatorOAuthServerAuthorizationCode} $code(s), and.
  10  * @{class:PhabricatorOAuthServerAccessToken} $token(s).
  11  *
  12  * For an OAuth 2.0 server, there are two main steps:
  13  *
  14  * 1) Authorization - the user authorizes a given client to access the data
  15  * the OAuth 2.0 server protects. Once this is achieved / if it has
  16  * been achived already, the OAuth server sends the client an authorization
  17  * code.
  18  * 2) Access Token - the client should send the authorization code received in
  19  * step 1 along with its id and secret to the OAuth server to receive an
  20  * access token. This access token can later be used to access Phabricator
  21  * data on behalf of the user.
  22  *
  23  * @task auth Authorizing @{class:PhabricatorOAuthServerClient}s and
  24  *            generating @{class:PhabricatorOAuthServerAuthorizationCode}s
  25  * @task token Validating @{class:PhabricatorOAuthServerAuthorizationCode}s
  26  *             and generating @{class:PhabricatorOAuthServerAccessToken}s
  27  * @task internal Internals
  28  */
  29 final class PhabricatorOAuthServer extends Phobject {
  30
  31   const AUTHORIZATION_CODE_TIMEOUT = 300;
  32
  33   private $user;
  34   private $client;
  35
  36   private function getUser() {
  37     if (!$this->user) {
  38       throw new PhutilInvalidStateException('setUser');
  39     }
  40     return $this->user;
  41   }
  42
  43   public function setUser(PhabricatorUser $user) {
  44     $this->user = $user;
  45     return $this;
  46   }
  47
  48   private function getClient() {
  49     if (!$this->client) {
  50       throw new PhutilInvalidStateException('setClient');
  51     }
  52     return $this->client;
  53   }
  54
  55   public function setClient(PhabricatorOAuthServerClient $client) {
  56     $this->client = $client;
  57     return $this;
  58   }
  59
  60   /**
  61    * @task auth
  62    * @return tuple <bool hasAuthorized, ClientAuthorization or null>
  63    */
  64   public function userHasAuthorizedClient(array $scope) {
  65
  66     $authorization = id(new PhabricatorOAuthClientAuthorization())
  67       ->loadOneWhere(
  68         'userPHID = %s AND clientPHID = %s',
  69         $this->getUser()->getPHID(),
  70         $this->getClient()->getPHID());
  71     if (empty($authorization)) {
  72       return array(false, null);
  73     }
  74
  75     if ($scope) {
  76       $missing_scope = array_diff_key($scope, $authorization->getScope());
  77     } else {
  78       $missing_scope = false;
  79     }
  80
  81     if ($missing_scope) {
  82       return array(false, $authorization);
  83     }
  84
  85     return array(true, $authorization);
  86   }
  87
  88   /**
  89    * @task auth
  90    */
  91   public function authorizeClient(array $scope) {
  92     $authorization = new PhabricatorOAuthClientAuthorization();
  93     $authorization->setUserPHID($this->getUser()->getPHID());
  94     $authorization->setClientPHID($this->getClient()->getPHID());
  95     $authorization->setScope($scope);
  96     $authorization->save();
  97
  98     return $authorization;
  99   }
 100
 101   /**
 102    * @task auth
 103    */
 104   public function generateAuthorizationCode(PhutilURI $redirect_uri) {
 105
 106     $code   = Filesystem::readRandomCharacters(32);
 107     $client = $this->getClient();
 108
 109     $authorization_code = new PhabricatorOAuthServerAuthorizationCode();
 110     $authorization_code->setCode($code);
 111     $authorization_code->setClientPHID($client->getPHID());
 112     $authorization_code->setClientSecret($client->getSecret());
 113     $authorization_code->setUserPHID($this->getUser()->getPHID());
 114     $authorization_code->setRedirectURI((string)$redirect_uri);
 115     $authorization_code->save();
 116
 117     return $authorization_code;
 118   }
 119
 120   /**
 121    * @task token
 122    */
 123   public function generateAccessToken() {
 124
 125     $token = Filesystem::readRandomCharacters(32);
 126
 127     $access_token = new PhabricatorOAuthServerAccessToken();
 128     $access_token->setToken($token);
 129     $access_token->setUserPHID($this->getUser()->getPHID());
 130     $access_token->setClientPHID($this->getClient()->getPHID());
 131     $access_token->save();
 132
 133     return $access_token;
 134   }
 135
 136   /**
 137    * @task token
 138    */
 139   public function validateAuthorizationCode(
 140     PhabricatorOAuthServerAuthorizationCode $test_code,
 141     PhabricatorOAuthServerAuthorizationCode $valid_code) {
 142
 143     // check that all the meta data matches
 144     if ($test_code->getClientPHID() != $valid_code->getClientPHID()) {
 145       return false;
 146     }
 147     if ($test_code->getClientSecret() != $valid_code->getClientSecret()) {
 148       return false;
 149     }
 150
 151     // check that the authorization code hasn't timed out
 152     $created_time = $test_code->getDateCreated();
 153     $must_be_used_by = $created_time + self::AUTHORIZATION_CODE_TIMEOUT;
 154     return (time() < $must_be_used_by);
 155   }
 156
 157   /**
 158    * @task token
 159    */
 160   public function authorizeToken(
 161     PhabricatorOAuthServerAccessToken $token) {
 162
 163     $user_phid = $token->getUserPHID();
 164     $client_phid = $token->getClientPHID();
 165
 166     $authorization = id(new PhabricatorOAuthClientAuthorizationQuery())
 167       ->setViewer(PhabricatorUser::getOmnipotentUser())
 168       ->withUserPHIDs(array($user_phid))
 169       ->withClientPHIDs(array($client_phid))
 170       ->executeOne();
 171     if (!$authorization) {
 172       return null;
 173     }
 174
 175     $application = $authorization->getClient();
 176     if ($application->getIsDisabled()) {
 177       return null;
 178     }
 179
 180     return $authorization;
 181   }
 182
 183   public function validateRedirectURI($uri) {
 184     try {
 185       $this->assertValidRedirectURI($uri);
 186       return true;
 187     } catch (Exception $ex) {
 188       return false;
 189     }
 190   }
 191
 192   /**
 193    * See http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2
 194    * for details on what makes a given redirect URI "valid".
 195    */
 196   public function assertValidRedirectURI($raw_uri) {
 197     // This covers basics like reasonable formatting and the existence of a
 198     // protocol.
 199     PhabricatorEnv::requireValidRemoteURIForLink($raw_uri);
 200
 201     $uri = new PhutilURI($raw_uri);
 202
 203     $fragment = $uri->getFragment();
 204     if (strlen($fragment)) {
 205       throw new Exception(
 206         pht(
 207           'OAuth application redirect URIs must not contain URI '.
 208           'fragments, but the URI "%s" has a fragment ("%s").',
 209           $raw_uri,
 210           $fragment));
 211     }
 212
 213     $protocol = $uri->getProtocol();
 214     switch ($protocol) {
 215       case 'http':
 216       case 'https':
 217         break;
 218       default:
 219         throw new Exception(
 220           pht(
 221             'OAuth application redirect URIs must only use the "http" or '.
 222             '"https" protocols, but the URI "%s" uses the "%s" protocol.',
 223             $raw_uri,
 224             $protocol));
 225     }
 226   }
 227
 228   /**
 229    * If there's a URI specified in an OAuth request, it must be validated in
 230    * its own right. Further, it must have the same domain, the same path, the
 231    * same port, and (at least) the same query parameters as the primary URI.
 232    */
 233   public function validateSecondaryRedirectURI(
 234     PhutilURI $secondary_uri,
 235     PhutilURI $primary_uri) {
 236
 237     // The secondary URI must be valid.
 238     if (!$this->validateRedirectURI($secondary_uri)) {
 239       return false;
 240     }
 241
 242     // Both URIs must point at the same domain.
 243     if ($secondary_uri->getDomain() != $primary_uri->getDomain()) {
 244       return false;
 245     }
 246
 247     // Both URIs must have the same path
 248     if ($secondary_uri->getPath() != $primary_uri->getPath()) {
 249       return false;
 250     }
 251
 252     // Both URIs must have the same port
 253     if ($secondary_uri->getPort() != $primary_uri->getPort()) {
 254       return false;
 255     }
 256
 257     // Any query parameters present in the first URI must be exactly present
 258     // in the second URI.
 259     $need_params = $primary_uri->getQueryParamsAsMap();
 260     $have_params = $secondary_uri->getQueryParamsAsMap();
 261
 262     foreach ($need_params as $key => $value) {
 263       if (!array_key_exists($key, $have_params)) {
 264         return false;
 265       }
 266       if ((string)$have_params[$key] != (string)$value) {
 267         return false;
 268       }
 269     }
 270
 271     // If the first URI is HTTPS, the second URI must also be HTTPS. This
 272     // defuses an attack where a third party with control over the network
 273     // tricks you into using HTTP to authenticate over a link which is supposed
 274     // to be HTTPS only and sniffs all your token cookies.
 275     if (strtolower($primary_uri->getProtocol()) == 'https') {
 276       if (strtolower($secondary_uri->getProtocol()) != 'https') {
 277         return false;
 278       }
 279     }
 280
 281     return true;
 282   }
 283
 284 }