| 1 | <?php |
|---|
| 2 | |
|---|
| 3 | /** |
|---|
| 4 | * @file |
|---|
| 5 | * Include file for services_oauth module. |
|---|
| 6 | */ |
|---|
| 7 | |
|---|
| 8 | /** |
|---|
| 9 | * Authenticates a call using OAuth to verify the request. |
|---|
| 10 | * |
|---|
| 11 | * @param array $settings |
|---|
| 12 | * The settings for the authentication module. |
|---|
| 13 | * @param array $method |
|---|
| 14 | * The method that's being called |
|---|
| 15 | * @param array $args |
|---|
| 16 | * The arguments that are being used to call the method |
|---|
| 17 | * @return void|string |
|---|
| 18 | * Returns nothing, or a error message if authentication fails |
|---|
| 19 | */ |
|---|
| 20 | function _services_oauth_authenticate_call($settings, $method, $args) { |
|---|
| 21 | $endpoint = $method['endpoint']['services_oauth']; |
|---|
| 22 | $cred = isset($endpoint['credentials']) ? $endpoint['credentials'] : 'token'; |
|---|
| 23 | $auth_level = isset($endpoint['authorization']) ? $endpoint['authorization'] : '*'; |
|---|
| 24 | |
|---|
| 25 | // If no credentials are needed we'll pass this one through |
|---|
| 26 | if ($cred == 'none') { |
|---|
| 27 | return FALSE; |
|---|
| 28 | } |
|---|
| 29 | |
|---|
| 30 | try { |
|---|
| 31 | module_load_include('inc', 'oauth_common'); |
|---|
| 32 | |
|---|
| 33 | list($signed, $consumer, $token) = oauth_common_verify_request(); |
|---|
| 34 | |
|---|
| 35 | if (!$signed && ($cred == 'consumer' || $cred == 'token')) { |
|---|
| 36 | throw new OAuthException('The request must be signed'); |
|---|
| 37 | } |
|---|
| 38 | if ($consumer == NULL) { |
|---|
| 39 | throw new OAuthException('Missing consumer token'); |
|---|
| 40 | } |
|---|
| 41 | if ($consumer->context !== $settings['oauth_context']) { |
|---|
| 42 | throw new OAuthException('The consumer is not valid in the current context'); |
|---|
| 43 | } |
|---|
| 44 | |
|---|
| 45 | // Validate the token, if it's required by the method |
|---|
| 46 | if ($cred == 'token') { |
|---|
| 47 | if (empty($token->key)) { |
|---|
| 48 | throw new OAuthException('Missing access token'); |
|---|
| 49 | } |
|---|
| 50 | if (!$token->authorized) { |
|---|
| 51 | throw new OAuthException('The access token is not authorized'); |
|---|
| 52 | } |
|---|
| 53 | // Check that the consumer has been granted the required authorization level |
|---|
| 54 | if (!in_array('*', $token->services) && !in_array($auth_level, $token->services)) { |
|---|
| 55 | throw new OAuthException('The consumer is not authorized to access this service'); |
|---|
| 56 | } |
|---|
| 57 | } |
|---|
| 58 | |
|---|
| 59 | // Add the oauth authentication info to server info |
|---|
| 60 | services_set_server_info('oauth_consumer', $consumer); |
|---|
| 61 | services_set_server_info('oauth_token', $token); |
|---|
| 62 | |
|---|
| 63 | // Load the user if the request was authenticated using a token |
|---|
| 64 | // that's associated with a account. |
|---|
| 65 | if ($token->uid) { |
|---|
| 66 | global $user; |
|---|
| 67 | $user = user_load($token->uid); |
|---|
| 68 | } |
|---|
| 69 | } |
|---|
| 70 | catch (OAuthException $e) { |
|---|
| 71 | drupal_set_header(sprintf('WWW-Authenticate: OAuth realm="%s"', url('', array('absolute' => TRUE)))); |
|---|
| 72 | return $e->getMessage(); |
|---|
| 73 | } |
|---|
| 74 | } |
|---|
| 75 | |
|---|
| 76 | function _services_oauth_security_settings($settings) { |
|---|
| 77 | $form = array(); |
|---|
| 78 | $form['oauth_context'] = array( |
|---|
| 79 | '#type' => 'select', |
|---|
| 80 | '#options' => array('' => t('-- Select an OAuth context')), |
|---|
| 81 | '#default_value' => isset($settings['oauth_context']) ? $settings['oauth_context'] : '', |
|---|
| 82 | '#title' => t('OAuth context'), |
|---|
| 83 | '#required' => TRUE, |
|---|
| 84 | '#description' => t('The OAuth contexts provides a scope for consumers and authorizations and have their own authorization levels. Different services endpoints may share OAuth contexts and thereby allow the use of consumers and tokens across the services endpoint boundraries.'), |
|---|
| 85 | ); |
|---|
| 86 | |
|---|
| 87 | $contexts = oauth_common_context_load_all(); |
|---|
| 88 | foreach ($contexts as $context) { |
|---|
| 89 | $form['oauth_context']['#options'][$context->name] = $context->title; |
|---|
| 90 | } |
|---|
| 91 | |
|---|
| 92 | return $form; |
|---|
| 93 | } |
|---|
| 94 | |
|---|
| 95 | function _services_oauth_controller_settings($settings, $controller, $endpoint, $class, $name) { |
|---|
| 96 | $form = array(); |
|---|
| 97 | |
|---|
| 98 | $cc = $controller['endpoint']['services_oauth']; |
|---|
| 99 | $auth_levels = array(); |
|---|
| 100 | $context = oauth_common_context_load($settings['oauth_context']); |
|---|
| 101 | foreach ($context->authorization_levels as $name => $level) { |
|---|
| 102 | $auth_levels[$name] = t($level['title']); |
|---|
| 103 | } |
|---|
| 104 | |
|---|
| 105 | $form['credentials'] = array( |
|---|
| 106 | '#type' => 'select', |
|---|
| 107 | '#options' => array( |
|---|
| 108 | 'none' => t('None'), |
|---|
| 109 | 'unsigned_consumer' => t('Unsigned with consumer key'), |
|---|
| 110 | 'consumer' => t('Consumer key'), |
|---|
| 111 | 'token' => t('Consumer key and access token'), |
|---|
| 112 | ), |
|---|
| 113 | '#default_value' => !empty($cc['credentials']) ? $cc['credentials'] : 'token', |
|---|
| 114 | '#title' => t('Required authentication'), |
|---|
| 115 | '#description' => t('Authorization levels will <em>not</em> be applied if the consumer isn\'t required to supply a access token.'), |
|---|
| 116 | ); |
|---|
| 117 | |
|---|
| 118 | $form['authorization'] = array( |
|---|
| 119 | '#type' => 'select', |
|---|
| 120 | '#options' => $auth_levels, |
|---|
| 121 | '#default_value' => !empty($cc['authorization']) ? $cc['authorization'] : '*', |
|---|
| 122 | '#title' => t('Required authorization'), |
|---|
| 123 | ); |
|---|
| 124 | |
|---|
| 125 | return $form; |
|---|
| 126 | } |
|---|
