<?php
namespace Cake\Http\Client\Auth;
use Cake\Core\Exception\Exception;
use Cake\Http\Client\Request;
use Cake\Utility\Security;
use RuntimeException;
class Oauth
{
public function authentication(Request $request, array $credentials)
{
if (!isset($credentials['consumerKey'])) {
return $request;
}
if (empty($credentials['method'])) {
$credentials['method'] = 'hmac-sha1';
}
$credentials['method'] = strtoupper($credentials['method']);
switch ($credentials['method']) {
case 'HMAC-SHA1':
$hasKeys = isset(
$credentials['consumerSecret'],
$credentials['token'],
$credentials['tokenSecret']
);
if (!$hasKeys) {
return $request;
}
$value = $this->_hmacSha1($request, $credentials);
break;
case 'RSA-SHA1':
if (!isset($credentials['privateKey'])) {
return $request;
}
$value = $this->_rsaSha1($request, $credentials);
break;
case 'PLAINTEXT':
$hasKeys = isset(
$credentials['consumerSecret'],
$credentials['token'],
$credentials['tokenSecret']
);
if (!$hasKeys) {
return $request;
}
$value = $this->_plaintext($request, $credentials);
break;
default:
throw new Exception(sprintf('Unknown Oauth signature method %s', $credentials['method']));
}
return $request->withHeader('Authorization', $value);
}
protected function _plaintext($request, $credentials)
{
$values = [
'oauth_version' => '1.0',
'oauth_nonce' => uniqid(),
'oauth_timestamp' => time(),
'oauth_signature_method' => 'PLAINTEXT',
'oauth_token' => $credentials['token'],
'oauth_consumer_key' => $credentials['consumerKey'],
];
if (isset($credentials['realm'])) {
$values['oauth_realm'] = $credentials['realm'];
}
$key = [$credentials['consumerSecret'], $credentials['tokenSecret']];
$key = implode('&', $key);
$values['oauth_signature'] = $key;
return $this->_buildAuth($values);
}
protected function _hmacSha1($request, $credentials)
{
$nonce = isset($credentials['nonce']) ? $credentials['nonce'] : uniqid();
$timestamp = isset($credentials['timestamp']) ? $credentials['timestamp'] : time();
$values = [
'oauth_version' => '1.0',
'oauth_nonce' => $nonce,
'oauth_timestamp' => $timestamp,
'oauth_signature_method' => 'HMAC-SHA1',
'oauth_token' => $credentials['token'],
'oauth_consumer_key' => $credentials['consumerKey'],
];
$baseString = $this->baseString($request, $values);
if (isset($credentials['realm'])) {
$values['oauth_realm'] = $credentials['realm'];
}
$key = [$credentials['consumerSecret'], $credentials['tokenSecret']];
$key = array_map([$this, '_encode'], $key);
$key = implode('&', $key);
$values['oauth_signature'] = base64_encode(
hash_hmac('sha1', $baseString, $key, true)
);
return $this->_buildAuth($values);
}
protected function _rsaSha1($request, $credentials)
{
if (!function_exists('openssl_pkey_get_private')) {
throw new RuntimeException('RSA-SHA1 signature method requires the OpenSSL extension.');
}
$nonce = isset($credentials['nonce']) ? $credentials['nonce'] : bin2hex(Security::randomBytes(16));
$timestamp = isset($credentials['timestamp']) ? $credentials['timestamp'] : time();
$values = [
'oauth_version' => '1.0',
'oauth_nonce' => $nonce,
'oauth_timestamp' => $timestamp,
'oauth_signature_method' => 'RSA-SHA1',
'oauth_consumer_key' => $credentials['consumerKey'],
];
if (isset($credentials['consumerSecret'])) {
$values['oauth_consumer_secret'] = $credentials['consumerSecret'];
}
if (isset($credentials['token'])) {
$values['oauth_token'] = $credentials['token'];
}
if (isset($credentials['tokenSecret'])) {
$values['oauth_token_secret'] = $credentials['tokenSecret'];
}
$baseString = $this->baseString($request, $values);
if (isset($credentials['realm'])) {
$values['oauth_realm'] = $credentials['realm'];
}
if (is_resource($credentials['privateKey'])) {
$resource = $credentials['privateKey'];
$privateKey = stream_get_contents($resource);
rewind($resource);
$credentials['privateKey'] = $privateKey;
}
$credentials += [
'privateKeyPassphrase' => null,
];
if (is_resource($credentials['privateKeyPassphrase'])) {
$resource = $credentials['privateKeyPassphrase'];
$passphrase = stream_get_line($resource, 0, PHP_EOL);
rewind($resource);
$credentials['privateKeyPassphrase'] = $passphrase;
}
$privateKey = openssl_pkey_get_private($credentials['privateKey'], $credentials['privateKeyPassphrase']);
$signature = '';
openssl_sign($baseString, $signature, $privateKey);
openssl_free_key($privateKey);
$values['oauth_signature'] = base64_encode($signature);
return $this->_buildAuth($values);
}
public function baseString($request, $oauthValues)
{
$parts = [
$request->getMethod(),
$this->_normalizedUrl($request->getUri()),
$this->_normalizedParams($request, $oauthValues),
];
$parts = array_map([$this, '_encode'], $parts);
return implode('&', $parts);
}
protected function _normalizedUrl($uri)
{
$out = $uri->getScheme() . '://';
$out .= strtolower($uri->getHost());
$out .= $uri->getPath();
return $out;
}
protected function _normalizedParams($request, $oauthValues)
{
$query = parse_url($request->getUri(), PHP_URL_QUERY);
parse_str($query, $queryArgs);
$post = [];
$body = $request->body();
if (is_string($body) && $request->getHeaderLine('content-type') === 'application/x-www-form-urlencoded') {
parse_str($body, $post);
}
if (is_array($body)) {
$post = $body;
}
$args = array_merge($queryArgs, $oauthValues, $post);
$pairs = $this->_normalizeData($args);
$data = [];
foreach ($pairs as $pair) {
$data[] = implode('=', $pair);
}
sort($data, SORT_STRING);
return implode('&', $data);
}
protected function _normalizeData($args, $path = '')
{
$data = [];
foreach ($args as $key => $value) {
if ($path) {
if (!is_numeric($key)) {
$key = "{$path}[{$key}]";
} else {
$key = $path;
}
}
if (is_array($value)) {
uksort($value, 'strcmp');
$data = array_merge($data, $this->_normalizeData($value, $key));
} else {
$data[] = [$key, $value];
}
}
return $data;
}
protected function _buildAuth($data)
{
$out = 'OAuth ';
$params = [];
foreach ($data as $key => $value) {
$params[] = $key . '="' . $this->_encode($value) . '"';
}
$out .= implode(',', $params);
return $out;
}
protected function _encode($value)
{
return str_replace(['%7E', '+'], ['~', ' '], rawurlencode($value));
}
}
class_alias('Cake\Http\Client\Auth\Oauth', 'Cake\Network\Http\Auth\Oauth');