AuthHelper.php

Go to the documentation of this file.

<?php
/***************************************************************
 * Copyright (C) 2018 Siemens AG
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 ***************************************************************/

namespace Fossology\UI\Api\Helper;

use Symfony\Component\HttpFoundation\Session\Session;
use Fossology\Lib\Dao\UserDao;
use Firebase\JWT\JWT;
use Fossology\UI\Api\Models\Info;
use Fossology\UI\Api\Models\InfoType;

class AuthHelper
{
  private $session;
  private $userDao;
  private $dbHelper;

  public function __construct(UserDao $userDao, Session $session,
    DbHelper $dbhelper)
  {
    $this->userDao = $userDao;
    $this->session = $session;
    $this->dbHelper = $dbhelper;
    if (!$this->session->isStarted()) {
      $this->session->setName('Login');
      $this->session->start();
    }
  }

  public function checkUsernameAndPassword($userName, $password)
  {
    $authPlugin = $GLOBALS["container"]->get("helper.restHelper")->getPlugin('auth');
    return $authPlugin->checkUsernameAndPassword($userName, $password);
  }

  public function verifyAuthToken($authHeader, &$userId, &$tokenScope)
  {
    $jwtTokenMatch = null;
    $headerValid = preg_match(
      "/^bearer (([a-zA-Z0-9\-\_\+\/\=]+)\.([a-zA-Z0-9\-\_\+\/\=]+)\.([a-zA-Z0-9\-\_\+\/\=]+))$/i",
      $authHeader, $jwtTokenMatch);
    $returnValue = true;
    if (! $headerValid) {
      $returnValue = new Info(400, "Authorization header is malformed or empty.",
        InfoType::ERROR);
    } else {
      $jwtToken           = $jwtTokenMatch[1];
      $jwtTokenPayload    = $jwtTokenMatch[3];
      $jwtTokenPayloadDecoded = JWT::jsonDecode(
        JWT::urlsafeB64Decode($jwtTokenPayload));

      if ($jwtTokenPayloadDecoded->{'jti'} === null) {
        return new Info(403, "Invalid token sent.", InfoType::ERROR);
      }
      $jwtJti = $jwtTokenPayloadDecoded->{'jti'};
      $jwtJti = base64_decode($jwtJti, true);
      list ($tokenId, $userId) = explode(".", $jwtJti);

      $dbRows = $this->dbHelper->getTokenKey($tokenId);
      $isTokenActive = $this->isTokenActive($dbRows, $tokenId);
      if (empty($dbRows)) {
        $returnValue = new Info(403, "Invalid token sent.", InfoType::ERROR);
      } elseif ($isTokenActive !== true) {
        $returnValue = $isTokenActive;
      } else {
        try {
          $jwtTokenDecoded = JWT::decode($jwtToken, $dbRows["token_key"], ['HS256']);
          $tokenScope = $jwtTokenDecoded->{'scope'};
        } catch (\UnexpectedValueException $e) {
          $returnValue = new Info(403, $e->getMessage(), InfoType::ERROR);
        }
      }
    }
    return $returnValue;
  }

  private function isDateExpired($date)
  {
    return strtotime("today") > strtotime($date);
  }

  public function isTokenActive($valuesFromDb, $tokenId)
  {
    $isPayloadValid = true;
    if ($valuesFromDb['active'] == "f") {
      $isPayloadValid = new Info(403, "Token expired.", InfoType::ERROR);
    } elseif ($this->isDateExpired($valuesFromDb['expire_on']) &&
      $valuesFromDb['active'] == "t") {
      $this->dbHelper->invalidateToken($tokenId);
      $isPayloadValid = new Info(403, "Token expired.", InfoType::ERROR);
    }
    return $isPayloadValid;
  }

  public function getSession()
  {
    return $this->session;
  }

  public function updateUserSession($userId, $scope, $groupName = null)
  {
    $authPlugin = $GLOBALS["container"]->get("helper.restHelper")->getPlugin('auth');
    $user = $this->userDao->getUserByPk($userId);
    $row = $this->userDao->getUserAndDefaultGroupByUserName($user["user_name"]);
    if ($groupName !== null) {
      $row['group_fk'] = $this->userDao->getGroupIdByName($groupName);
      $row['group_name'] = $groupName;
    }
    $authPlugin->updateSession($row);
    $this->getSession()->set('token_scope', $scope);
  }

  public function generateJwtToken($expire, $created, $jti, $scope, $key)
  {
    $newJwtToken = [
      "exp" => strtotime($expire . " +1 day -1 second"),  // To allow day level granularity
      "nbf" => strtotime($created),
      "jti" => base64_encode($jti),
      "scope" => $scope
    ];
    return JWT::encode($newJwtToken, $key, 'HS256');
  }

  public function getMaxTokenValidity()
  {
    return $this->dbHelper->getMaxTokenValidity();
  }

  public function userHasGroupAccess($userId, $groupName)
  {
    $isGroupExisting = $this->isGroupExisting($groupName);
    if ($isGroupExisting === true) {
      $groupMap = $this->userDao->getUserGroupMap($userId);
      $userHasGroupAccess = in_array($groupName, $groupMap, true);
    } else {
      return $isGroupExisting;
    }

    if (!$userHasGroupAccess) {
        $userHasGroupAccess = new Info(403, "User has no access to " . $groupName . " group", InfoType::ERROR);
    }
    return $userHasGroupAccess;
  }

  public function isGroupExisting($groupName)
  {
    if (! empty($this->userDao->getGroupIdByName($groupName))) {
      return true;
    } else {
      return new Info(403, "Provided group:" . $groupName . " does not exist", InfoType::ERROR);
    }
  }
}