babolivier
/
moodle_macaroons
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
Moodle authentication plugin for Macaroons
3 提交
1 分支
目录树: 429555b62d
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '429555b62d'
${ noResults }
moodle_macaroons/Macaroons/Verifier.php

Verifier.php 7.0KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226 
  1. <?php

  2. 

  3. namespace Macaroons;

  4. 

  5. use Macaroons\Exceptions\SignatureMismatchException;

  6. use Macaroons\Exceptions\CaveatUnsatisfiedException;

  7. 

  8. class Verifier

  9. {

  10.   private $predicates = array();

  11.   private $callbacks = array();

  12.   private $calculatedSignature;

  13. 

  14.   /**

  15.    * return predicates to verify

  16.    * @return Array|array

  17.    */

  18.   public function getPredicates()

  19.   {

  20.     return $this->predicates;

  21.   }

  22. 

  23.   /**

  24.    * returns verifier callbacks

  25.    * @return Array|array

  26.    */

  27.   public function getCallbacks()

  28.   {

  29.     return $this->callbacks;

  30.   }

  31. 

  32.   /**

  33.    * sets array of predicates

  34.    * @param Array $predicates

  35.    */

  36.   public function setPredicates(Array $predicates)

  37.   {

  38.     $this->predicates = $predicates;

  39.   }

  40. 

  41.   /**

  42.    * set array of callbacks

  43.    * @param Array $callbacks

  44.    */

  45.   public function setCallbacks(Array $callbacks)

  46.   {

  47.     $this->callbacks = $callbacks;

  48.   }

  49. 

  50.   /**

  51.    * adds a predicate to the verifier

  52.    * @param string

  53.    */

  54.   public function satisfyExact($predicate)

  55.   {

  56.     if (!isset($predicate))

  57.       throw new \InvalidArgumentException('Must provide predicate');

  58.     array_push($this->predicates, $predicate);

  59.   }

  60. 

  61.   /**

  62.    * adds a callback to array of callbacks

  63.    * $callback can be anything that is callable including objects

  64.    * that implement __invoke

  65.    * See http://php.net/manual/en/language.types.callable.php for more details

  66.    * @param function|object|array

  67.    */

  68.   public function satisfyGeneral($callback)

  69.   {

  70.     if (!isset($callback))

  71.       throw new \InvalidArgumentException('Must provide a callback function');

  72.     if (!is_callable($callback))

  73.       throw new \InvalidArgumentException('Callback must be a function');

  74.     array_push($this->callbacks, $callback);

  75.   }

  76. 

  77.   /**

  78.    * [verify description]

  79.    * @param  Macaroon $macaroon

  80.    * @param  string   $key

  81.    * @param  Array    $dischargeMacaroons

  82.    * @return boolean

  83.    */

  84.   public function verify(Macaroon $macaroon, $key, Array $dischargeMacaroons = array())

  85.   {

  86.     $key = Utils::generateDerivedKey($key);

  87.     return $this->verifyDischarge(

  88.                                   $macaroon,

  89.                                   $macaroon,

  90.                                   $key,

  91.                                   $dischargeMacaroons

  92.                                   );

  93.   }

  94. 

  95.   /**

  96.    * [verifyDischarge description]

  97.    * @param  Macaroon    $rootMacaroon

  98.    * @param  Macaroon    $macaroon

  99.    * @param  string      $key

  100.    * @param  Array|array $dischargeMacaroons

  101.    * @return boolean|throws SignatureMismatchException

  102.    */

  103.   public function verifyDischarge(Macaroon $rootMacaroon, Macaroon $macaroon, $key, Array $dischargeMacaroons = array())

  104.   {

  105.     $this->calculatedSignature = Utils::hmac($key, $macaroon->getIdentifier());

  106.     $this->verifyCaveats($macaroon, $dischargeMacaroons);

  107. 

  108.     if ($rootMacaroon != $macaroon)

  109.     {

  110.       $this->calculatedSignature = $rootMacaroon->bindSignature(strtolower(Utils::hexlify($this->calculatedSignature)));

  111.     }

  112. 

  113.     $signature = Utils::unhexlify($macaroon->getSignature());

  114.     if ($this->signaturesMatch($this->calculatedSignature, $signature) === FALSE)

  115.     {

  116.       throw new SignatureMismatchException('Signatures do not match.');

  117.     }

  118.     return true;

  119.   }

  120. 

  121.   /**

  122.    * verifies all first and third party caveats of macaroon are valid

  123.    * @param  Macaroon

  124.    * @param  Array

  125.    */

  126.   private function verifyCaveats(Macaroon $macaroon, Array $dischargeMacaroons = array())

  127.   {

  128.     foreach ($macaroon->getCaveats() as $caveat)

  129.     {

  130.       $caveatMet = false;

  131.       if ($caveat->isFirstParty())

  132.         $caveatMet = $this->verifyFirstPartyCaveat($caveat);

  133.       else if ($caveat->isThirdParty())

  134.         $caveatMet = $this->verifyThirdPartyCaveat($caveat, $macaroon, $dischargeMacaroons);

  135.       if (!$caveatMet)

  136.         throw new CaveatUnsatisfiedException("Caveat not met. Unable to satisfy: {$caveat->getCaveatId()}");

  137.     }

  138.   }

  139. 

  140.   private function verifyFirstPartyCaveat(Caveat $caveat)

  141.   {

  142.     $caveatMet = false;

  143.     if (in_array($caveat->getCaveatId(), $this->predicates))

  144.       $caveatMet = true;

  145.     else

  146.     {

  147.       foreach ($this->callbacks as $callback)

  148.       {

  149.         if ($callback($caveat->getCaveatId()))

  150.           $caveatMet = true;

  151.       }

  152.     }

  153.     if ($caveatMet)

  154.       $this->calculatedSignature = Utils::signFirstPartyCaveat($this->calculatedSignature, $caveat->getCaveatId());

  155. 

  156.     return $caveatMet;

  157.   }

  158. 

  159.   private function verifyThirdPartyCaveat(Caveat $caveat, Macaroon $rootMacaroon, Array $dischargeMacaroons)

  160.   {

  161.     $caveatMet = false;

  162. 

  163.     $dischargesMatchingCaveat = array_filter($dischargeMacaroons, function($discharge) use ($rootMacaroon, $caveat) {

  164.       return $discharge->getIdentifier() === $caveat->getCaveatId();

  165.     });

  166. 

  167.     $caveatMacaroon = array_shift($dischargesMatchingCaveat);

  168. 

  169.     if (!$caveatMacaroon)

  170.       throw new CaveatUnsatisfiedException("Caveat not met. No discharge macaroon found for identifier: {$caveat->getCaveatId()}");

  171. 

  172.     $caveatKey = $this->extractCaveatKey($this->calculatedSignature, $caveat);

  173.     $caveatMacaroonVerifier = new Verifier();

  174.     $caveatMacaroonVerifier->setPredicates($this->predicates);

  175.     $caveatMacaroonVerifier->setCallbacks($this->callbacks);

  176. 

  177.     $caveatMet = $caveatMacaroonVerifier->verifyDischarge(

  178.                                                           $rootMacaroon,

  179.                                                           $caveatMacaroon,

  180.                                                           $caveatKey,

  181.                                                           $dischargeMacaroons

  182.                                                           );

  183.     if ($caveatMet)

  184.     {

  185.       $this->calculatedSignature = Utils::signThirdPartyCaveat(

  186.                                                                 $this->calculatedSignature,

  187.                                                                 $caveat->getVerificationId(),

  188.                                                                 $caveat->getCaveatId()

  189.                                                               );

  190.     }

  191. 

  192.     return $caveatMet;

  193.   }

  194. 

  195.   /**

  196.    * returns the derived key from the caveat verification id

  197.    * @param  string $signature

  198.    * @param  Caveat $caveat

  199.    * @return string

  200.    */

  201.   private function extractCaveatKey($signature, Caveat $caveat)

  202.   {

  203.     $verificationHash = $caveat->getVerificationId();

  204.     $nonce            = substr($verificationHash, 0, \Sodium\CRYPTO_SECRETBOX_NONCEBYTES);

  205.     $verificationId   = substr($verificationHash, \Sodium\CRYPTO_SECRETBOX_NONCEBYTES);

  206.     $key              = Utils::truncateOrPad($signature);

  207.     return \Sodium\crypto_secretbox_open($verificationId, $nonce, $key);

  208.   }

  209. 

  210.   /**

  211.    * compares the calculated signature of a macaroon and the macaroon supplied

  212.    * by the client

  213.    * The user supplied string MUST be the second argument or this will leak

  214.    * the length of the actual signature

  215.    * @param  string $a known signature from our key and macaroon metadata

  216.    * @param  string $b signature from macaroon we are verifying (from the client)

  217.    * @return boolean

  218.    */

  219.   private function signaturesMatch($a, $b)

  220.   {

  221.     $ret = strlen($a) ^ strlen($b);

  222.     $ret |= array_sum(unpack("C*", $a^$b));

  223. 

  224.     return !$ret;

  225.   }

  226. }