Initial import
This commit is contained in:
Admin Nasledstvo
@@ -0,0 +1,154 @@
|
||||
<?php
|
||||
|
||||
namespace app\services\openid;
|
||||
|
||||
use app\models\CmsRoles;
|
||||
use app\models\UserAdminGlobal;
|
||||
use app\models\UserPartner;
|
||||
use app\models\UserSession;
|
||||
use app\services\Auth;
|
||||
|
||||
class OpenIdService
|
||||
{
|
||||
|
||||
private $client_id;
|
||||
private $client_secret;
|
||||
private $redirect_uri;
|
||||
private $metadata_url;
|
||||
private $locale_from_portal;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->locale_from_portal = !empty($_GET['lg']) ? '?lg=' . $_GET['lg'] : '' ;
|
||||
$this->redirect_uri = \Yii::$app->params['cms'] . '/partner-register-login/'.$this->locale_from_portal;
|
||||
$this->metadata_url = \Yii::$app->params['id_server'] . '/realms/nasledstvo.bg/.well-known/openid-configuration';
|
||||
$this->client_id = \Yii::$app->params['id_server_client_id'];
|
||||
$this->client_secret = \Yii::$app->params['id_server_client_secret'];
|
||||
}
|
||||
|
||||
public function authenticationServerCheckout($isAdmin = false)
|
||||
{
|
||||
if ($isAdmin) {
|
||||
$this->redirect_uri = \Yii::$app->params['cms'] . '/admin-register-login/'.$this->locale_from_portal;
|
||||
}
|
||||
$metadata = $this->http($this->metadata_url);
|
||||
if (!isset($_GET['code'])) {
|
||||
$_SESSION['state'] = bin2hex(random_bytes(5));
|
||||
$_SESSION['code_verifier'] = bin2hex(random_bytes(50));
|
||||
$code_challenge = $this->base64_urlencode(hash('sha256', $_SESSION['code_verifier'], true));
|
||||
$authorize_url = $metadata->authorization_endpoint . '?' . http_build_query([
|
||||
'response_type' => 'code',
|
||||
'client_id' => $this->client_id,
|
||||
'redirect_uri' => $this->redirect_uri,
|
||||
'state' => $_SESSION['state'],
|
||||
'scope' => 'openid profile',
|
||||
'code_challenge' => $code_challenge,
|
||||
'code_challenge_method' => 'S256',
|
||||
]);
|
||||
header("Location: $authorize_url");
|
||||
exit;
|
||||
} else {
|
||||
|
||||
if ($_SESSION['state'] != $_GET['state']) {
|
||||
die('Authorization server returned an invalid state parameter');
|
||||
}
|
||||
|
||||
if (isset($_GET['error'])) {
|
||||
die('Authorization server returned an error: ' . htmlspecialchars($_GET['error']));
|
||||
}
|
||||
|
||||
$response = $this->http($metadata->token_endpoint, [
|
||||
'grant_type' => 'authorization_code',
|
||||
'code' => $_GET['code'],
|
||||
'redirect_uri' => $this->redirect_uri,
|
||||
'client_id' => $this->client_id,
|
||||
'client_secret' => $this->client_secret,
|
||||
'code_verifier' => $_SESSION['code_verifier'],
|
||||
]);
|
||||
|
||||
if (!isset($response->access_token)) {
|
||||
die('Error fetching access token');
|
||||
}
|
||||
|
||||
$userinfo = $this->http($metadata->userinfo_endpoint, [
|
||||
'access_token' => $response->access_token,
|
||||
]);
|
||||
|
||||
if (!empty($userinfo->groups_user) && in_array('public_user', $userinfo->groups_user)) {
|
||||
header('Location: ' . \Yii::$app->params['portal'] . '/bg/user/wrong-user/');
|
||||
exit;
|
||||
}
|
||||
if(!empty($_GET['lg'])) {
|
||||
setcookie('cookie_lg', $_GET['lg'], time() + (86400 * 30), "/");
|
||||
} else {
|
||||
if (!empty($userinfo->locale)) {
|
||||
if ($userinfo->locale == 'bg' || $userinfo->locale == 'en') {
|
||||
setcookie('cookie_lg', $userinfo->locale, time() + (86400 * 30), "/");
|
||||
}
|
||||
} else {
|
||||
setcookie('cookie_lg', 'bg', time() + (86400 * 30), "/");
|
||||
}
|
||||
}
|
||||
//echo json_encode($userinfo);
|
||||
// exit;
|
||||
|
||||
|
||||
if (empty($userinfo->sub))
|
||||
die('sub is empty');
|
||||
|
||||
//echo json_encode($response);
|
||||
//exit;
|
||||
|
||||
if (!empty($userinfo->sub)) {
|
||||
|
||||
if (!empty($userinfo->realm_access)) {
|
||||
if (!empty($userinfo->realm_access->roles)) {
|
||||
if (in_array('cms-partner-admin', $userinfo->realm_access->roles)) {
|
||||
//exit;
|
||||
if (empty($userinfo->partner_id))
|
||||
die('missing parameter: partner_id');
|
||||
$_SESSION['id_token_hint'] = $response->id_token;
|
||||
//Login as partner user
|
||||
UserSession::log('partner-admin', 2, $userinfo->sub);
|
||||
UserPartner::prepareRegisterUser($userinfo, 1);
|
||||
} else if (in_array('cms-partner-editor', $userinfo->realm_access->roles)) {
|
||||
//exit;
|
||||
if (empty($userinfo->partner_id))
|
||||
die('missing parameter: partner_id');
|
||||
$_SESSION['id_token_hint'] = $response->id_token;
|
||||
//Login as partner user
|
||||
UserSession::log('partner-editor', 2, $userinfo->sub);
|
||||
UserPartner::prepareRegisterUser($userinfo, 2);
|
||||
} else if (in_array('cms-super-admin', $userinfo->realm_access->roles)) {
|
||||
|
||||
$_SESSION['id_token_hint'] = $response->id_token;
|
||||
//Login as global administrator
|
||||
UserSession::log('admin', 2, $userinfo->sub);
|
||||
UserAdminGlobal::prepareRegisterUser($userinfo);
|
||||
} else {
|
||||
require_once __DIR__ . '/access_denied_page.php';
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
echo 'Error: Some parameters are missing';
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private function http($url, $params = false)
|
||||
{
|
||||
$ch = curl_init($url);
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
||||
if ($params)
|
||||
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
|
||||
return json_decode(curl_exec($ch));
|
||||
}
|
||||
|
||||
private function base64_urlencode($string)
|
||||
{
|
||||
return rtrim(strtr(base64_encode($string), '+/', '-_'), '=');
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user