529 lines
17 KiB
PHP
529 lines
17 KiB
PHP
<?php
|
|
|
|
namespace OAuth2\Storage;
|
|
|
|
use Aws\DynamoDb\DynamoDbClient;
|
|
|
|
use OAuth2\OpenID\Storage\UserClaimsInterface;
|
|
use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
|
|
/**
|
|
* DynamoDB storage for all storage types
|
|
*
|
|
* To use, install "aws/aws-sdk-php" via composer
|
|
* <code>
|
|
* composer require aws/aws-sdk-php:dev-master
|
|
* </code>
|
|
*
|
|
* Once this is done, instantiate the DynamoDB client
|
|
* <code>
|
|
* $storage = new OAuth2\Storage\Dynamodb(array("key" => "YOURKEY", "secret" => "YOURSECRET", "region" => "YOURREGION"));
|
|
* </code>
|
|
*
|
|
* Table :
|
|
* - oauth_access_tokens (primary hash key : access_token)
|
|
* - oauth_authorization_codes (primary hash key : authorization_code)
|
|
* - oauth_clients (primary hash key : client_id)
|
|
* - oauth_jwt (primary hash key : client_id, primary range key : subject)
|
|
* - oauth_public_keys (primary hash key : client_id)
|
|
* - oauth_refresh_tokens (primary hash key : refresh_token)
|
|
* - oauth_scopes (primary hash key : scope, secondary index : is_default-index hash key is_default)
|
|
* - oauth_users (primary hash key : username)
|
|
*
|
|
* @author Frederic AUGUSTE <frederic.auguste at gmail dot com>
|
|
*/
|
|
class DynamoDB implements
|
|
AuthorizationCodeInterface,
|
|
AccessTokenInterface,
|
|
ClientCredentialsInterface,
|
|
UserCredentialsInterface,
|
|
RefreshTokenInterface,
|
|
JwtBearerInterface,
|
|
ScopeInterface,
|
|
PublicKeyInterface,
|
|
UserClaimsInterface,
|
|
OpenIDAuthorizationCodeInterface
|
|
{
|
|
protected $client;
|
|
protected $config;
|
|
|
|
public function __construct($connection, $config = array())
|
|
{
|
|
if (!($connection instanceof DynamoDbClient)) {
|
|
if (!is_array($connection)) {
|
|
throw new \InvalidArgumentException('First argument to OAuth2\Storage\Dynamodb must be an instance a configuration array containt key, secret, region');
|
|
}
|
|
if (!array_key_exists("key",$connection) || !array_key_exists("secret",$connection) || !array_key_exists("region",$connection) ) {
|
|
throw new \InvalidArgumentException('First argument to OAuth2\Storage\Dynamodb must be an instance a configuration array containt key, secret, region');
|
|
}
|
|
$this->client = DynamoDbClient::factory(array(
|
|
'key' => $connection["key"],
|
|
'secret' => $connection["secret"],
|
|
'region' =>$connection["region"]
|
|
));
|
|
} else {
|
|
$this->client = $connection;
|
|
}
|
|
|
|
$this->config = array_merge(array(
|
|
'client_table' => 'oauth_clients',
|
|
'access_token_table' => 'oauth_access_tokens',
|
|
'refresh_token_table' => 'oauth_refresh_tokens',
|
|
'code_table' => 'oauth_authorization_codes',
|
|
'user_table' => 'oauth_users',
|
|
'jwt_table' => 'oauth_jwt',
|
|
'scope_table' => 'oauth_scopes',
|
|
'public_key_table' => 'oauth_public_keys',
|
|
), $config);
|
|
}
|
|
|
|
/* OAuth2\Storage\ClientCredentialsInterface */
|
|
public function checkClientCredentials($client_id, $client_secret = null)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['client_table'],
|
|
"Key" => array('client_id' => array('S' => $client_id))
|
|
));
|
|
|
|
return $result->count()==1 && $result["Item"]["client_secret"]["S"] == $client_secret;
|
|
}
|
|
|
|
public function isPublicClient($client_id)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['client_table'],
|
|
"Key" => array('client_id' => array('S' => $client_id))
|
|
));
|
|
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
|
|
return empty($result["Item"]["client_secret"]);
|
|
}
|
|
|
|
/* OAuth2\Storage\ClientInterface */
|
|
public function getClientDetails($client_id)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['client_table'],
|
|
"Key" => array('client_id' => array('S' => $client_id))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$result = $this->dynamo2array($result);
|
|
foreach (array('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id') as $key => $val) {
|
|
if (!array_key_exists ($val, $result)) {
|
|
$result[$val] = null;
|
|
}
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
|
|
{
|
|
$clientData = compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id');
|
|
$clientData = array_filter($clientData, function ($value) { return !is_null($value); });
|
|
|
|
$result = $this->client->putItem(array(
|
|
'TableName' => $this->config['client_table'],
|
|
'Item' => $this->client->formatAttributes($clientData)
|
|
));
|
|
|
|
return true;
|
|
}
|
|
|
|
public function checkRestrictedGrantType($client_id, $grant_type)
|
|
{
|
|
$details = $this->getClientDetails($client_id);
|
|
if (isset($details['grant_types'])) {
|
|
$grant_types = explode(' ', $details['grant_types']);
|
|
|
|
return in_array($grant_type, (array) $grant_types);
|
|
}
|
|
|
|
// if grant_types are not defined, then none are restricted
|
|
return true;
|
|
}
|
|
|
|
/* OAuth2\Storage\AccessTokenInterface */
|
|
public function getAccessToken($access_token)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['access_token_table'],
|
|
"Key" => array('access_token' => array('S' => $access_token))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
if (array_key_exists ('expires', $token)) {
|
|
$token['expires'] = strtotime($token['expires']);
|
|
}
|
|
|
|
return $token;
|
|
}
|
|
|
|
public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
|
|
{
|
|
// convert expires to datestring
|
|
$expires = date('Y-m-d H:i:s', $expires);
|
|
|
|
$clientData = compact('access_token', 'client_id', 'user_id', 'expires', 'scope');
|
|
$clientData = array_filter($clientData, function ($value) { return !empty($value); });
|
|
|
|
$result = $this->client->putItem(array(
|
|
'TableName' => $this->config['access_token_table'],
|
|
'Item' => $this->client->formatAttributes($clientData)
|
|
));
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
public function unsetAccessToken($access_token)
|
|
{
|
|
$result = $this->client->deleteItem(array(
|
|
'TableName' => $this->config['access_token_table'],
|
|
'Key' => $this->client->formatAttributes(array("access_token" => $access_token))
|
|
));
|
|
|
|
return true;
|
|
}
|
|
|
|
/* OAuth2\Storage\AuthorizationCodeInterface */
|
|
public function getAuthorizationCode($code)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['code_table'],
|
|
"Key" => array('authorization_code' => array('S' => $code))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
if (!array_key_exists("id_token", $token )) {
|
|
$token['id_token'] = null;
|
|
}
|
|
$token['expires'] = strtotime($token['expires']);
|
|
|
|
return $token;
|
|
|
|
}
|
|
|
|
public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
|
|
{
|
|
// convert expires to datestring
|
|
$expires = date('Y-m-d H:i:s', $expires);
|
|
|
|
$clientData = compact('authorization_code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'id_token', 'scope');
|
|
$clientData = array_filter($clientData, function ($value) { return !empty($value); });
|
|
|
|
$result = $this->client->putItem(array(
|
|
'TableName' => $this->config['code_table'],
|
|
'Item' => $this->client->formatAttributes($clientData)
|
|
));
|
|
|
|
return true;
|
|
}
|
|
|
|
public function expireAuthorizationCode($code)
|
|
{
|
|
|
|
$result = $this->client->deleteItem(array(
|
|
'TableName' => $this->config['code_table'],
|
|
'Key' => $this->client->formatAttributes(array("authorization_code" => $code))
|
|
));
|
|
|
|
return true;
|
|
}
|
|
|
|
/* OAuth2\Storage\UserCredentialsInterface */
|
|
public function checkUserCredentials($username, $password)
|
|
{
|
|
if ($user = $this->getUser($username)) {
|
|
return $this->checkPassword($user, $password);
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
public function getUserDetails($username)
|
|
{
|
|
return $this->getUser($username);
|
|
}
|
|
|
|
/* UserClaimsInterface */
|
|
public function getUserClaims($user_id, $claims)
|
|
{
|
|
if (!$userDetails = $this->getUserDetails($user_id)) {
|
|
return false;
|
|
}
|
|
|
|
$claims = explode(' ', trim($claims));
|
|
$userClaims = array();
|
|
|
|
// for each requested claim, if the user has the claim, set it in the response
|
|
$validClaims = explode(' ', self::VALID_CLAIMS);
|
|
foreach ($validClaims as $validClaim) {
|
|
if (in_array($validClaim, $claims)) {
|
|
if ($validClaim == 'address') {
|
|
// address is an object with subfields
|
|
$userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails);
|
|
} else {
|
|
$userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails));
|
|
}
|
|
}
|
|
}
|
|
|
|
return $userClaims;
|
|
}
|
|
|
|
protected function getUserClaim($claim, $userDetails)
|
|
{
|
|
$userClaims = array();
|
|
$claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim)));
|
|
$claimValues = explode(' ', $claimValuesString);
|
|
|
|
foreach ($claimValues as $value) {
|
|
if ($value == 'email_verified') {
|
|
$userClaims[$value] = $userDetails[$value]=='true' ? true : false;
|
|
} else {
|
|
$userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null;
|
|
}
|
|
}
|
|
|
|
return $userClaims;
|
|
}
|
|
|
|
/* OAuth2\Storage\RefreshTokenInterface */
|
|
public function getRefreshToken($refresh_token)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['refresh_token_table'],
|
|
"Key" => array('refresh_token' => array('S' => $refresh_token))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
$token['expires'] = strtotime($token['expires']);
|
|
|
|
return $token;
|
|
}
|
|
|
|
public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
|
|
{
|
|
// convert expires to datestring
|
|
$expires = date('Y-m-d H:i:s', $expires);
|
|
|
|
$clientData = compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope');
|
|
$clientData = array_filter($clientData, function ($value) { return !empty($value); });
|
|
|
|
$result = $this->client->putItem(array(
|
|
'TableName' => $this->config['refresh_token_table'],
|
|
'Item' => $this->client->formatAttributes($clientData)
|
|
));
|
|
|
|
return true;
|
|
}
|
|
|
|
public function unsetRefreshToken($refresh_token)
|
|
{
|
|
$result = $this->client->deleteItem(array(
|
|
'TableName' => $this->config['refresh_token_table'],
|
|
'Key' => $this->client->formatAttributes(array("refresh_token" => $refresh_token))
|
|
));
|
|
|
|
return true;
|
|
}
|
|
|
|
// plaintext passwords are bad! Override this for your application
|
|
protected function checkPassword($user, $password)
|
|
{
|
|
return $user['password'] == sha1($password);
|
|
}
|
|
|
|
public function getUser($username)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['user_table'],
|
|
"Key" => array('username' => array('S' => $username))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
$token['user_id'] = $username;
|
|
|
|
return $token;
|
|
}
|
|
|
|
public function setUser($username, $password, $first_name = null, $last_name = null)
|
|
{
|
|
// do not store in plaintext
|
|
$password = sha1($password);
|
|
|
|
$clientData = compact('username', 'password', 'first_name', 'last_name');
|
|
$clientData = array_filter($clientData, function ($value) { return !is_null($value); });
|
|
|
|
$result = $this->client->putItem(array(
|
|
'TableName' => $this->config['user_table'],
|
|
'Item' => $this->client->formatAttributes($clientData)
|
|
));
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
/* ScopeInterface */
|
|
public function scopeExists($scope)
|
|
{
|
|
$scope = explode(' ', $scope);
|
|
$scope_query = array();
|
|
$count = 0;
|
|
foreach ($scope as $key => $val) {
|
|
$result = $this->client->query(array(
|
|
'TableName' => $this->config['scope_table'],
|
|
'Select' => 'COUNT',
|
|
'KeyConditions' => array(
|
|
'scope' => array(
|
|
'AttributeValueList' => array(array('S' => $val)),
|
|
'ComparisonOperator' => 'EQ'
|
|
)
|
|
)
|
|
));
|
|
$count += $result['Count'];
|
|
}
|
|
|
|
return $count == count($scope);
|
|
}
|
|
|
|
public function getDefaultScope($client_id = null)
|
|
{
|
|
|
|
$result = $this->client->query(array(
|
|
'TableName' => $this->config['scope_table'],
|
|
'IndexName' => 'is_default-index',
|
|
'Select' => 'ALL_ATTRIBUTES',
|
|
'KeyConditions' => array(
|
|
'is_default' => array(
|
|
'AttributeValueList' => array(array('S' => 'true')),
|
|
'ComparisonOperator' => 'EQ',
|
|
),
|
|
)
|
|
));
|
|
$defaultScope = array();
|
|
if ($result->count() > 0) {
|
|
$array = $result->toArray();
|
|
foreach ($array["Items"] as $item) {
|
|
$defaultScope[] = $item['scope']['S'];
|
|
}
|
|
|
|
return empty($defaultScope) ? null : implode(' ', $defaultScope);
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
/* JWTBearerInterface */
|
|
public function getClientKey($client_id, $subject)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['jwt_table'],
|
|
"Key" => array('client_id' => array('S' => $client_id), 'subject' => array('S' => $subject))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
|
|
return $token['public_key'];
|
|
}
|
|
|
|
public function getClientScope($client_id)
|
|
{
|
|
if (!$clientDetails = $this->getClientDetails($client_id)) {
|
|
return false;
|
|
}
|
|
|
|
if (isset($clientDetails['scope'])) {
|
|
return $clientDetails['scope'];
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
public function getJti($client_id, $subject, $audience, $expires, $jti)
|
|
{
|
|
//TODO not use.
|
|
}
|
|
|
|
public function setJti($client_id, $subject, $audience, $expires, $jti)
|
|
{
|
|
//TODO not use.
|
|
}
|
|
|
|
/* PublicKeyInterface */
|
|
public function getPublicKey($client_id = '0')
|
|
{
|
|
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['public_key_table'],
|
|
"Key" => array('client_id' => array('S' => $client_id))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
|
|
return $token['public_key'];
|
|
|
|
}
|
|
|
|
public function getPrivateKey($client_id = '0')
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['public_key_table'],
|
|
"Key" => array('client_id' => array('S' => $client_id))
|
|
));
|
|
if ($result->count()==0) {
|
|
return false ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
|
|
return $token['private_key'];
|
|
}
|
|
|
|
public function getEncryptionAlgorithm($client_id = null)
|
|
{
|
|
$result = $this->client->getItem(array(
|
|
"TableName"=> $this->config['public_key_table'],
|
|
"Key" => array('client_id' => array('S' => $client_id))
|
|
));
|
|
if ($result->count()==0) {
|
|
return 'RS256' ;
|
|
}
|
|
$token = $this->dynamo2array($result);
|
|
|
|
return $token['encryption_algorithm'];
|
|
}
|
|
|
|
/**
|
|
* Transform dynamodb resultset to an array.
|
|
* @param $dynamodbResult
|
|
* @return $array
|
|
*/
|
|
private function dynamo2array($dynamodbResult)
|
|
{
|
|
$result = array();
|
|
foreach ($dynamodbResult["Item"] as $key => $val) {
|
|
$result[$key] = $val["S"];
|
|
$result[] = $val["S"];
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
}
|