233 lines
8.3 KiB
PHP
233 lines
8.3 KiB
PHP
<?php namespace App\Models\ResourceServer;
|
|
|
|
/**
|
|
* Copyright 2015 OpenStack Foundation
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
**/
|
|
|
|
use GuzzleHttp\Client;
|
|
use GuzzleHttp\Exception\RequestException;
|
|
use Illuminate\Support\Facades\Config;
|
|
use libs\oauth2\InvalidGrantTypeException;
|
|
use libs\oauth2\OAuth2InvalidIntrospectionResponse;
|
|
use libs\oauth2\OAuth2Protocol;
|
|
use libs\utils\ConfigurationException;
|
|
use libs\utils\ICacheService;
|
|
use models\oauth2\AccessToken;
|
|
use Illuminate\Support\Facades\Log;
|
|
|
|
/**
|
|
* Class AccessTokenService
|
|
* @package App\Models\ResourceServer
|
|
*/
|
|
final class AccessTokenService implements IAccessTokenService
|
|
{
|
|
|
|
/**
|
|
* @var ICacheService
|
|
*/
|
|
private $cache_service;
|
|
|
|
/**
|
|
* @param ICacheService $cache_service
|
|
*/
|
|
public function __construct(ICacheService $cache_service)
|
|
{
|
|
$this->cache_service = $cache_service;
|
|
}
|
|
|
|
/**
|
|
* @param string $token_value
|
|
* @return AccessToken
|
|
* @throws \Exception
|
|
*/
|
|
public function get($token_value)
|
|
{
|
|
$token = null;
|
|
$cache_lifetime = intval(Config::get('server.access_token_cache_lifetime', 300));
|
|
|
|
if($this->cache_service->exists(md5($token_value).'.revoked'))
|
|
{
|
|
Log::debug(sprintf('token marked as revoked on cache (%s)',md5($token_value) ));
|
|
throw new InvalidGrantTypeException(OAuth2Protocol::OAuth2Protocol_Error_InvalidToken);
|
|
}
|
|
|
|
$token_info = $this->cache_service->getHash(md5($token_value),[
|
|
'access_token',
|
|
'scope',
|
|
'client_id',
|
|
'audience',
|
|
'user_id',
|
|
'user_external_id',
|
|
'expires_in',
|
|
'application_type',
|
|
'allowed_return_uris',
|
|
'allowed_origins'
|
|
]);
|
|
|
|
if (count($token_info) === 0)
|
|
{
|
|
$token_info = $this->doIntrospection($token_value);
|
|
}
|
|
else
|
|
{
|
|
$cache_remaining_lifetime = intval($this->cache_service->ttl(md5($token_value)));
|
|
$expires_in = intval($token_info['expires_in']);
|
|
$token_info['expires_in'] = $expires_in - ( $cache_lifetime - $cache_remaining_lifetime);
|
|
Log::debug
|
|
(
|
|
sprintf
|
|
(
|
|
"original token life time %s - current token life time %s - token cache remaining lifetime %s",
|
|
$expires_in,
|
|
$token_info['expires_in'],
|
|
$cache_remaining_lifetime
|
|
)
|
|
);
|
|
}
|
|
|
|
$token = $this->unSerializeToken($token_info);
|
|
|
|
if($token->getLifetime() <= 0)
|
|
{
|
|
Log::debug("token lifetime is <= 0 ... retrieving from IDP");
|
|
$this->cache_service->delete(md5($token_value));
|
|
$token_info = $this->doIntrospection($token_value);
|
|
$token = $this->unSerializeToken($token_info);
|
|
}
|
|
return $token;
|
|
}
|
|
|
|
/**
|
|
* @param array $token_info
|
|
* @return AccessToken
|
|
*/
|
|
private function unSerializeToken(array $token_info){
|
|
$token = AccessToken::createFromParams
|
|
(
|
|
$token_info['access_token'],
|
|
$token_info['scope'],
|
|
$token_info['client_id'],
|
|
$token_info['audience'],
|
|
isset($token_info['user_id'])? intval($token_info['user_id']):null,
|
|
isset($token_info['user_external_id'])? intval($token_info['user_external_id']) : null,
|
|
(int)$token_info['expires_in'],
|
|
$token_info['application_type'],
|
|
isset($token_info['allowed_return_uris']) ? $token_info['allowed_return_uris'] : null,
|
|
isset($token_info['allowed_origins']) ? $token_info['allowed_origins'] : null
|
|
);
|
|
|
|
$str_token_info = "";
|
|
foreach($token_info as $k => $v){
|
|
$str_token_info .= sprintf("-%s=%s-", $k, $v);
|
|
}
|
|
|
|
Log::debug("token info : ". $str_token_info);
|
|
|
|
return $token;
|
|
}
|
|
/**
|
|
* @param string $token_value
|
|
* @return array
|
|
*/
|
|
private function doIntrospection($token_value){
|
|
Log::debug("getting token from remote call ...");
|
|
$cache_lifetime = intval(Config::get('server.access_token_cache_lifetime', 300));
|
|
$token_info = $this->doIntrospectionRequest($token_value);
|
|
$this->cache_service->storeHash(md5($token_value), $token_info, $cache_lifetime );
|
|
return $token_info;
|
|
}
|
|
|
|
/**
|
|
* @param $token_value
|
|
* @return mixed
|
|
* @throws ConfigurationException
|
|
* @throws InvalidGrantTypeException
|
|
* @throws OAuth2InvalidIntrospectionResponse
|
|
* @throws \Exception
|
|
*/
|
|
private function doIntrospectionRequest($token_value)
|
|
{
|
|
|
|
try {
|
|
$client = new Client([
|
|
'defaults' => [
|
|
'timeout' => Config::get('curl.timeout', 60),
|
|
'allow_redirects' => Config::get('curl.allow_redirects', false),
|
|
'verify' => Config::get('curl.verify_ssl_cert', true)
|
|
]
|
|
]);
|
|
|
|
$client_id = Config::get('app.openstackid_client_id', '');
|
|
$client_secret = Config::get('app.openstackid_client_secret', '');
|
|
$auth_server_url = Config::get('app.openstackid_base_url', '');
|
|
|
|
if (empty($client_id)) {
|
|
throw new ConfigurationException('app.openstackid_client_id param is missing!');
|
|
}
|
|
|
|
if (empty($client_secret)) {
|
|
throw new ConfigurationException('app.openstackid_client_secret param is missing!');
|
|
}
|
|
|
|
if (empty($auth_server_url)) {
|
|
throw new ConfigurationException('app.openstackid_base_url param is missing!');
|
|
}
|
|
|
|
$response = $client->post(
|
|
$auth_server_url . '/oauth2/token/introspection',
|
|
[
|
|
'body' => ['token' => $token_value],
|
|
'headers' => ['Authorization' => " Basic " . base64_encode($client_id . ':' . $client_secret)]
|
|
]
|
|
);
|
|
|
|
$content_type = $response->getHeader('content-type');
|
|
if(!str_contains($content_type, 'application/json'))
|
|
{
|
|
// invalid content type
|
|
throw new \Exception($response->getBody());
|
|
}
|
|
$token_info = $response->json();
|
|
|
|
return $token_info;
|
|
|
|
}
|
|
catch (RequestException $ex)
|
|
{
|
|
Log::warning($ex->getMessage());
|
|
$response = $ex->getResponse();
|
|
if(is_null($response))
|
|
throw new OAuth2InvalidIntrospectionResponse(sprintf('http code %s', $ex->getCode()));
|
|
|
|
$content_type = $response->getHeader('content-type');
|
|
$is_json = str_contains($content_type, 'application/json');
|
|
$body = ($is_json) ? $response->json(): $response->getBody();
|
|
|
|
$code = $response->getStatusCode();
|
|
if ($code === 400 && $is_json && isset($body['error'])
|
|
&& (
|
|
$body['error'] === OAuth2Protocol::OAuth2Protocol_Error_InvalidToken ||
|
|
$body['error'] === OAuth2Protocol::OAuth2Protocol_Error_InvalidGrant
|
|
))
|
|
{
|
|
$this->cache_service->setSingleValue(md5($token_value).'.revoked', md5($token_value));
|
|
throw new InvalidGrantTypeException($body['error']);
|
|
}
|
|
if($code == 503 ){
|
|
// service went online temporally ... revoke token
|
|
$this->cache_service->setSingleValue(md5($token_value).'.revoked', md5($token_value));
|
|
throw new InvalidGrantTypeException(OAuth2Protocol::OAuth2Protocol_Error_InvalidToken);
|
|
}
|
|
throw new OAuth2InvalidIntrospectionResponse(sprintf('http code %s - body %s', $ex->getCode(), $response->getBody()));
|
|
}
|
|
}
|
|
} |