PMCORE-1181 Is possible to get an access token without send a valid 'client_id' and 'client_secret'

This commit is contained in:
Roly Rudy Gutierrez Pinto
2020-04-15 02:33:51 -04:00
parent 349f4be85a
commit 85e3f191b1
7 changed files with 722 additions and 17 deletions


@@ -0,0 +1,18 @@
<?php
use Faker\Generator as Faker;
$factory->define(\ProcessMaker\Model\LicenseManager::class, function(Faker $faker) {
return [
"LICENSE_UID" => $faker->regexify("/[a-zA-Z]{32}/"),
"LICENSE_USER" => $faker->name,
"LICENSE_START" => 0,
"LICENSE_END" => 0,
"LICENSE_SPAN" => 0,
"LICENSE_STATUS" => 'ACTIVE',
"LICENSE_DATA" => '',
"LICENSE_PATH" => '',
"LICENSE_WORKSPACE" => '',
"LICENSE_TYPE" => 'ONPREMISE'
];
});


@@ -0,0 +1,17 @@
<?php
use Faker\Generator as Faker;
$factory->define(\ProcessMaker\Model\OauthClients::class, function(Faker $faker) {
return [
"CLIENT_ID" => $faker->word,
"CLIENT_SECRET" => $faker->regexify("/[a-zA-Z]{6}/"),
"CLIENT_NAME" => $faker->regexify("/[a-zA-Z]{6}/"),
"CLIENT_DESCRIPTION" => $faker->text,
"CLIENT_WEBSITE" => $faker->url,
"REDIRECT_URI" => $faker->url,
"USR_UID" => function() {
return factory(\ProcessMaker\Model\User::class)->create()->USR_UID;
}
];
});
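Review bot: `CLIENT_ID` is drawn from `$faker->word`, whose vocabulary is small, while the `OauthClients` model in this same commit declares `CLIENT_ID` as a non-incrementing primary key, so a test that creates more than one client through this factory can fail on a duplicate key instead of on what it is actually testing. Use a unique, wider value, e.g. `"CLIENT_ID" => $faker->unique()->regexify("/[a-zA-Z0-9]{32}/"),` (or at least `$faker->unique()->word`). The six-letter `CLIENT_SECRET` is acceptable as a fixture, but if any test asserts on secret length or format it should say so here in a short comment so the regex is not "tightened" by accident later.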

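--- a/tests/MockPhpStream.php
+++ b/tests/MockPhpStream.php
@@ -0,0 +1,121 @@
+<?php
+namespace Tests;
+class MockPhpStream
+{
+protected $index = 0;
+protected $length = null;
+protected $data = '';
+public $context;
+/**
+* Constructor of the class.
+*/
+function __construct()
+{
+if (file_exists($this->buffer_filename())) {
+$this->data = file_get_contents($this->buffer_filename());
+} else {
+$this->data = '';
+}
+$this->index = 0;
+$this->length = strlen($this->data);
+}
+/**
+* Override buffer filename.
+* @return string
+*/
+protected function buffer_filename()
+{
+return sys_get_temp_dir() . '/php_input';
+}
+/**
+* Override stream open.
+* @param string $path
+* @param string $mode
+* @param string $options
+* @param string $opened_path
+* @return boolean
+*/
+public function stream_open($path, $mode, $options, &$opened_path)
+{
+return true;
+}
+/**
+* Override stream close.
+*/
+public function stream_close()
+{
+}
+/**
+* Override stream stat.
+* @return array
+*/
+public function stream_stat()
+{
+return [];
+}
+/**
+* Override stream flush.
+* @return boolean
+*/
+public function stream_flush()
+{
+return true;
+}
+/**
+* Override stream read.
+* @param integer $count
+* @return integer
+*/
+public function stream_read($count)
+{
+if (is_null($this->length) === true) {
+$this->length = strlen($this->data);
+}
+$length = min($count, $this->length - $this->index);
+$data = substr($this->data, $this->index);
+$this->index = $this->index + $length;
+return $data;
+}
+/**
+* Override stream eof.
+* @return boolean
+*/
+public function stream_eof()
+{
+return ($this->index >= $this->length ? true : false);
+}
+/**
+* Override stream write.
+* @param string $data
+* @return string
+*/
+public function stream_write($data)
+{
+return file_put_contents($this->buffer_filename(), $data);
+}
+/**
+* Override unlink method.
+*/
+public function unlink()
+{
+if (file_exists($this->buffer_filename())) {
+unlink($this->buffer_filename());
+}
+$this->data = '';
+$this->index = 0;
+$this->length = 0;
+}
+}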
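Review bot: `stream_read()` ignores `$count` when it slices: it computes `$length = min($count, $this->length - $this->index)` but then returns `substr($this->data, $this->index)`, the whole remainder, while advancing `$this->index` by only `$length`, so a consumer that reads in small chunks receives the same bytes again on the next call. The return should be `return substr($this->data, $this->index, $length);`, and the docblock's `@return integer` should read `@return string`, which is what the method actually returns. Separately, `buffer_filename()` is a fixed, predictable path under the shared temp directory (`sys_get_temp_dir() . '/php_input'`), so parallel test runs share one buffer and, on a multi-user host, another local user could pre-create or symlink that file before the test writes it; if the suite can run concurrently or on shared CI hosts, derive the name per process (e.g. with `tempnam()` or by appending `getmypid()`).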



@@ -0,0 +1,14 @@
<?php
namespace ProcessMaker\Model;
use Illuminate\Database\Eloquent\Model;
class LicenseManager extends Model
{
protected $table = "LICENSE_MANAGER";
protected $primaryKey = "LICENSE_UID";
public $incrementing = false;
public $timestamps = false;
}


@@ -0,0 +1,14 @@
<?php
namespace ProcessMaker\Model;
use Illuminate\Database\Eloquent\Model;
class OauthClients extends Model
{
protected $table = "OAUTH_CLIENTS";
protected $primaryKey = "CLIENT_ID";
public $incrementing = false;
public $timestamps = false;
}


@@ -4,10 +4,13 @@ namespace ProcessMaker\Services\OAuth2;
use Luracast\Restler\iAuthenticate;
use Luracast\Restler\RestException;
use OAuth2\Request;
use OAuth2\Response;
use PmoauthUserAccessTokens;
/*----------------------------------********---------------------------------*/
use ProcessMaker\ChangeLog\ChangeLog;
/*----------------------------------********---------------------------------*/
use ProcessMaker\Core\System;
use ProcessMaker\Policies\ControlUnderUpdating;
class Server implements iAuthenticate
{
@@ -271,30 +274,41 @@ class Server implements iAuthenticate
}
}
/**
* Stage 3: Client directly calls this api to exchange access token
*
* It can then use this access token to make calls to protected api
*
* It can then use this access token to make calls to protected api.
* @format JsonFormat,UploadFormat
* @param object $request
* @param boolean $returnResponse
* @return mixed
*/
public function postToken($request = null, $returnResponse = false)
{
\ProcessMaker\Policies\ControlUnderUpdating::verifyUnderUpgrading();
ControlUnderUpdating::verifyUnderUpgrading();
// Handle a request for an OAuth2.0 Access Token and send the response to the client
if ($request == null) {
$request = \OAuth2\Request::createFromGlobals();
$request = Request::createFromGlobals();
}
$grantTypeIdentifier = $request->request('grant_type');
if ($grantTypeIdentifier === 'password') {
$clientId = $request->request('client_id');
$clientSecret = $request->request('client_secret');
if (empty($clientId) || empty($clientSecret)) {
$message = "Invalid REST API credentials, please send a valid client_id and client_secret.";
$res = new Response();
$res->setError(400, 'invalid_client', $message);
$res->send();
return;
}
}
$response = $this->server->handleTokenRequest($request); //Set/Get token //PmPdo->setAccessToken()
$token = $response->getParameters();
if (array_key_exists('access_token', $token)
&& array_key_exists('refresh_token', $token)
) {
if (array_key_exists('access_token', $token) && array_key_exists('refresh_token', $token)) {
if ($request == null) {
session_start();
}
@@ -302,16 +316,12 @@ class Server implements iAuthenticate
// verify if the client is our local PM Designer client
if ($data['client_id'] == self::getPmClientId()) {
//error_log('do stuff - is a request from local pm client');
//require_once "classes/model/PmoauthUserAccessTokens.php";
$userToken = new \PmoauthUserAccessTokens();
$userToken = new PmoauthUserAccessTokens();
$userToken->setAccessToken($token['access_token']);
$userToken->setRefreshToken($token['refresh_token']);
$userToken->setUserId($data['user_id']);
$userToken->setSessionId(session_id());
$userToken->setSessionName(session_name());
$userToken->save();
}
}
@@ -320,8 +330,7 @@ class Server implements iAuthenticate
return $response;
} else {
$response->send();
exit(0);
return;
}
}
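Review bot: The new early-exit branch ending in `$res->send(); return;` ignores `$returnResponse`, while the normal path at the bottom of the method hands the Response object back to the caller when that flag is set (`return $response;`), so a caller that asked for the response gets output written straight to the client and `null` instead; add `if ($returnResponse) { return $res; }` before `$res->send();`. The guard also runs only for `grant_type === 'password'` and only checks that the two fields are non-empty, so the actual rejection of a wrong or absent secret still has to happen inside `handleTokenRequest()` via the configured storage, which this hunk does not show — if that storage accepted an empty secret before (as the commit title suggests), `refresh_token`, `client_credentials` and `authorization_code` requests still reach it without the new guard and should be covered by the same fix or at least by a test. Because `$request->request()` reads only the request body, a client that sends its credentials with HTTP Basic authentication (which RFC 6749 requires servers to support for clients with a secret) would now be refused with 400 even if the library would have accepted it; either also read the Basic credentials here or document that only body parameters are supported. Note too that `empty()` treats the string `"0"` as empty, so a literal client id of `0` is rejected. `postToken()` starts inside this section and its `if ($returnResponse)` line lies outside the last hunk.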