PageRenderTime 68ms CodeModel.GetById 31ms RepoModel.GetById 0ms app.codeStats 0ms

/chapter_9/oauth1-php-3legged/OAuth.php

https://github.com/AramZS/programming-social-applications
PHP | 819 lines | 489 code | 130 blank | 200 comment | 58 complexity | 255da61230daf678522bba9341749cff MD5 | raw file
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * The MIT License
    4. 

  4.  * 
    5. 

  5.  * Copyright (c) 2008 OAuth.net
    6. 

  6.  * 
    7. 

  7.  * Permission is hereby granted, free of charge, to any person obtaining a copy
    8. 

  8.  * of this software and associated documentation files (the "Software"), to deal
    9. 

  9.  * in the Software without restriction, including without limitation the rights
    10. 

  10.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    11. 

  11.  * copies of the Software, and to permit persons to whom the Software is
    12. 

  12.  * furnished to do so, subject to the following conditions:
    13. 

  13.  * 
    14. 

  14.  * The above copyright notice and this permission notice shall be included in
    15. 

  15.  * all copies or substantial portions of the Software.
    16. 

  16.  * 
    17. 

  17.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    18. 

  18.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    19. 

  19.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    20. 

  20.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    21. 

  21.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    22. 

  22.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    23. 

  23.  * THE SOFTWARE.
    24. 

  24.  * 
    25. 

  25.  */
    26. 

  26. 

  27. /**
    28. 

  28.  * Branched from version 587 of OAuth.php from the OAuth.net project. Major 
    29. 

  29.  * changes are limited to adding PHP 4 compatibility.
    30. 

  30.  *
    31. 

  31.  * Ryan Kennedy (rckenned@yahoo-inc.com)
    32. 

  32.  */
    33. 

  33. 

  34. class OAuthConsumer {/*{{{*/
    35. 

  35.   var $key;
    36. 

  36.   var $secret;
    37. 

  37. 

  38.   function OAuthConsumer($key, $secret, $callback_url=NULL) {/*{{{*/
    39. 

  39.     $this->key = $key;
    40. 

  40.     $this->secret = $secret;
    41. 

  41.     $this->callback_url = $callback_url;
    42. 

  42.   }/*}}}*/
    43. 

  43. }/*}}}*/
    44. 

  44. 

  45. class OAuthToken {/*{{{*/
    46. 

  46.   // access tokens and request tokens
    47. 

  47.   var $key;
    48. 

  48.   var $secret;
    49. 

  49. 

  50.   /**
    51. 

  51.    * key = the token
    52. 

  52.    * secret = the token secret
    53. 

  53.    */
    54. 

  54.   function OAuthToken($key, $secret) {/*{{{*/
    55. 

  55.     $this->key = $key;
    56. 

  56.     $this->secret = $secret;
    57. 

  57.   }/*}}}*/
    58. 

  58. 

  59.   /**
    60. 

  60.    * generates the basic string serialization of a token that a server
    61. 

  61.    * would respond to request_token and access_token calls with
    62. 

  62.    */
    63. 

  63.   function to_string() {/*{{{*/
    64. 

  64.     return "oauth_token=" . OAuthUtil::urlencodeRFC3986($this->key) . 
    65. 

  65.         "&oauth_token_secret=" . OAuthUtil::urlencodeRFC3986($this->secret);
    66. 

  66.   }/*}}}*/
    67. 

  67. 

  68.   function __toString() {/*{{{*/
    69. 

  69.     return $this->to_string();
    70. 

  70.   }/*}}}*/
    71. 

  71. }/*}}}*/
    72. 

  72. 

  73. class OAuthSignatureMethod {/*{{{*/
    74. 

  74.   function check_signature(&$request, $consumer, $token, $signature) {
    75. 

  75.     $built = $this->build_signature($request, $consumer, $token);
    76. 

  76.     return $built == $signature;
    77. 

  77.   }
    78. 

  78. }/*}}}*/
    79. 

  79. 

  80. class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod {/*{{{*/
    81. 

  81.   function get_name() {/*{{{*/
    82. 

  82.     return "HMAC-SHA1";
    83. 

  83.   }/*}}}*/
    84. 

  84. 

  85.   function build_signature($request, $consumer, $token) {/*{{{*/
    86. 

  86.     $base_string = $request->get_signature_base_string();
    87. 

  87.     $request->base_string = $base_string;
    88. 

  88. 

  89.     $key_parts = array(
    90. 

  90.       $consumer->secret,
    91. 

  91.       ($token) ? $token->secret : ""
    92. 

  92.     );
    93. 

  93. 

  94.     $key_parts = array_map(array('OAuthUtil','urlencodeRFC3986'), $key_parts);
    95. 

  95.     $key = implode('&', $key_parts);
    96. 

  96. 

  97.     return base64_encode(hash_hmac('sha1', $base_string, $key, true));
    98. 

  98.   }/*}}}*/
    99. 

  99. }/*}}}*/
    100. 

  100. 

  101. class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod {/*{{{*/
    102. 

  102.   function get_name() {/*{{{*/
    103. 

  103.     return "PLAINTEXT";
    104. 

  104.   }/*}}}*/
    105. 

  105. 

  106.   function build_signature($request, $consumer, $token) {/*{{{*/
    107. 

  107.     $sig = array(
    108. 

  108.       OAuthUtil::urlencodeRFC3986($consumer->secret)
    109. 

  109.     );
    110. 

  110. 

  111.     if ($token) {
    112. 

  112.       array_push($sig, OAuthUtil::urlencodeRFC3986($token->secret));
    113. 

  113.     } else {
    114. 

  114.       array_push($sig, '');
    115. 

  115.     }
    116. 

  116. 

  117.     $raw = implode("&", $sig);
    118. 

  118.     // for debug purposes
    119. 

  119.     $request->base_string = $raw;
    120. 

  120. 

  121.     return $raw;
    122. 

  122.   }/*}}}*/
    123. 

  123. }/*}}}*/
    124. 

  124. 

  125. class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod {/*{{{*/
    126. 

  126.   function get_name() {/*{{{*/
    127. 

  127.     return "RSA-SHA1";
    128. 

  128.   }/*}}}*/
    129. 

  129. 

  130.   function fetch_public_cert(&$request) {/*{{{*/
    131. 

  131.     // not implemented yet, ideas are:
    132. 

  132.     // (1) do a lookup in a table of trusted certs keyed off of consumer
    133. 

  133.     // (2) fetch via http using a url provided by the requester
    134. 

  134.     // (3) some sort of specific discovery code based on request
    135. 

  135.     //
    136. 

  136.     // either way should return a string representation of the certificate
    137. 

  137.     trigger_error("fetch_public_cert not implemented", E_USER_ERROR);
    138. 

  138.     return NULL;
    139. 

  139.   }/*}}}*/
    140. 

  140. 

  141.   function fetch_private_cert(&$request) {/*{{{*/
    142. 

  142.     // not implemented yet, ideas are:
    143. 

  143.     // (1) do a lookup in a table of trusted certs keyed off of consumer
    144. 

  144.     //
    145. 

  145.     // either way should return a string representation of the certificate
    146. 

  146.     trigger_error("fetch_private_cert not implemented", E_USER_ERROR);
    147. 

  147.     return NULL;
    148. 

  148.   }/*}}}*/
    149. 

  149. 

  150.   function build_signature(&$request, $consumer, $token) {/*{{{*/
    151. 

  151.     $base_string = $request->get_signature_base_string();
    152. 

  152.   
    153. 

  153.     // Fetch the private key cert based on the request
    154. 

  154.     $cert = $this->fetch_private_cert($request);
    155. 

  155. 

  156.     // Pull the private key ID from the certificate
    157. 

  157.     $privatekeyid = openssl_get_privatekey($cert);
    158. 

  158. 

  159.     // Sign using the key
    160. 

  160.     $ok = openssl_sign($base_string, $signature, $privatekeyid);   
    161. 

  161. 

  162.     // Release the key resource
    163. 

  163.     openssl_free_key($privatekeyid);
    164. 

  164.   
    165. 

  165.     return base64_encode($signature);
    166. 

  166.   } /*}}}*/
    167. 

  167. 

  168.   function check_signature(&$request, $consumer, $token, $signature) {/*{{{*/
    169. 

  169.     $decoded_sig = base64_decode($signature);
    170. 

  170. 

  171.     $base_string = $request->get_signature_base_string();
    172. 

  172.   
    173. 

  173.     // Fetch the public key cert based on the request
    174. 

  174.     $cert = $this->fetch_public_cert($request);
    175. 

  175. 

  176.     // Pull the public key ID from the certificate
    177. 

  177.     $publickeyid = openssl_get_publickey($cert);
    178. 

  178. 

  179.     // Check the computed signature against the one passed in the query
    180. 

  180.     $ok = openssl_verify($base_string, $decoded_sig, $publickeyid);   
    181. 

  181. 

  182.     // Release the key resource
    183. 

  183.     openssl_free_key($publickeyid);
    184. 

  184.   
    185. 

  185.     return $ok == 1;
    186. 

  186.   } /*}}}*/
    187. 

  187. }/*}}}*/
    188. 

  188. 

  189. class OAuthRequest {/*{{{*/
    190. 

  190.   var $parameters;
    191. 

  191.   var $http_method;
    192. 

  192.   var $http_url;
    193. 

  193.   // for debug purposes
    194. 

  194.   var $base_string;
    195. 

  195. 

  196.   function OAuthRequest($http_method, $http_url, $parameters=array()) {/*{{{*/
    197. 

  197.     $this->parameters = $parameters;
    198. 

  198.     $this->http_method = $http_method;
    199. 

  199.     $this->http_url = $http_url;
    200. 

  200.   }/*}}}*/
    201. 

  201. 

  202. 

  203.   /**
    204. 

  204.    * attempt to build up a request from what was passed to the server
    205. 

  205.    */
    206. 

  206.   function from_request($http_method=NULL, $http_url=NULL, $parameters=NULL) {/*{{{*/
    207. 

  207.     $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") ? 'http' : 'https';
    208. 

  208.     @$http_url or $http_url = $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    209. 

  209.     @$http_method or $http_method = $_SERVER['REQUEST_METHOD'];
    210. 

  210.     
    211. 

  211.     $request_headers = OAuthRequest::get_headers();
    212. 

  212. 

  213.     // let the library user override things however they'd like, if they know
    214. 

  214.     // which parameters to use then go for it, for example XMLRPC might want to
    215. 

  215.     // do this
    216. 

  216.     if ($parameters) {
    217. 

  217.       $req = new OAuthRequest($http_method, $http_url, $parameters);
    218. 

  218.     }
    219. 

  219.     // next check for the auth header, we need to do some extra stuff
    220. 

  220.     // if that is the case, namely suck in the parameters from GET or POST
    221. 

  221.     // so that we can include them in the signature
    222. 

  222.     else if (@substr($request_headers['Authorization'], 0, 5) == "OAuth") {
    223. 

  223.       $header_parameters = OAuthRequest::split_header($request_headers['Authorization']);
    224. 

  224.       if ($http_method == "GET") {
    225. 

  225.         $req_parameters = $_GET;
    226. 

  226.       } 
    227. 

  227.       else if ($http_method = "POST") {
    228. 

  228.         $req_parameters = $_POST;
    229. 

  229.       } 
    230. 

  230.       $parameters = array_merge($header_parameters, $req_parameters);
    231. 

  231.       $req = new OAuthRequest($http_method, $http_url, $parameters);
    232. 

  232.     }
    233. 

  233.     else if ($http_method == "GET") {
    234. 

  234.       $req = new OAuthRequest($http_method, $http_url, $_GET);
    235. 

  235.     }
    236. 

  236.     else if ($http_method == "POST") {
    237. 

  237.       $req = new OAuthRequest($http_method, $http_url, $_POST);
    238. 

  238.     }
    239. 

  239.     return $req;
    240. 

  240.   }/*}}}*/
    241. 

  241. 

  242.   /**
    243. 

  243.    * pretty much a helper function to set up the request
    244. 

  244.    */
    245. 

  245.   function from_consumer_and_token($consumer, $token, $http_method, $http_url, $parameters=array()) {/*{{{*/
    246. 

  246.     static $version = '1.0';
    247. 

  247.     $defaults = array("oauth_version" => $version,
    248. 

  248.                       "oauth_nonce" => OAuthRequest::generate_nonce(),
    249. 

  249.                       "oauth_timestamp" => OAuthRequest::generate_timestamp(),
    250. 

  250.                       "oauth_consumer_key" => $consumer->key);
    251. 

  251.     $parameters = array_merge($defaults, $parameters);
    252. 

  252. 

  253.     if ($token) {
    254. 

  254.       $parameters['oauth_token'] = $token->key;
    255. 

  255.     }
    256. 

  256.     $req = new OAuthRequest($http_method, $http_url, $parameters);
    257. 

  257.     return $req;
    258. 

  258.   }/*}}}*/
    259. 

  259. 

  260.   function set_parameter($name, $value) {/*{{{*/
    261. 

  261.     $this->parameters[$name] = $value;
    262. 

  262.   }/*}}}*/
    263. 

  263. 

  264.   function get_parameter($name) {/*{{{*/
    265. 

  265.     return $this->parameters[$name];
    266. 

  266.   }/*}}}*/
    267. 

  267. 

  268.   function get_parameters() {/*{{{*/
    269. 

  269.     return $this->parameters;
    270. 

  270.   }/*}}}*/
    271. 

  271. 

  272.   /**
    273. 

  273.    * Returns the normalized parameters of the request
    274. 

  274.    * 
    275. 

  275.    * This will be all (except oauth_signature) parameters,
    276. 

  276.    * sorted first by key, and if duplicate keys, then by
    277. 

  277.    * value.
    278. 

  278.    *
    279. 

  279.    * The returned string will be all the key=value pairs
    280. 

  280.    * concated by &.
    281. 

  281.    * 
    282. 

  282.    * @return string
    283. 

  283.    */
    284. 

  284.   function get_signable_parameters() {/*{{{*/
    285. 

  285.     // Include query parameters
    286. 

  286.     $url = parse_url($this->http_url);
    287. 

  287.     if(array_key_exists("query", $url)) {
    288. 

  288.         parse_str($url["query"], $query);
    289. 

  289. 

  290.         foreach($query as $key => $value) {
    291. 

  291.             $this->set_parameter($key, $value);
    292. 

  292.         }
    293. 

  293.     }
    294. 

  294. 

  295.     // Grab all parameters
    296. 

  296.     $params = $this->parameters;
    297. 

  297. 		
    298. 

  298.     // Remove oauth_signature if present
    299. 

  299.     if (isset($params['oauth_signature'])) {
    300. 

  300.       unset($params['oauth_signature']);
    301. 

  301.     }
    302. 

  302. 		
    303. 

  303.     // Urlencode both keys and values
    304. 

  304.     $keys = array_map(array('OAuthUtil', 'urlencodeRFC3986'), array_keys($params));
    305. 

  305.     $values = array_map(array('OAuthUtil', 'urlencodeRFC3986'), array_values($params));
    306. 

  306.     $params = array();
    307. 

  307.     for($i = 0; $i < count($keys); $i++) {
    308. 

  308.         $params[$keys[$i]] = $values[$i];
    309. 

  309.     }
    310. 

  310. 

  311.     // Sort by keys (natsort)
    312. 

  312.     uksort($params, 'strnatcmp');
    313. 

  313. 

  314.     // Generate key=value pairs
    315. 

  315.     $pairs = array();
    316. 

  316.     foreach ($params as $key=>$value ) {
    317. 

  317.       if (is_array($value)) {
    318. 

  318.         // If the value is an array, it's because there are multiple 
    319. 

  319.         // with the same key, sort them, then add all the pairs
    320. 

  320.         natsort($value);
    321. 

  321.         foreach ($value as $v2) {
    322. 

  322.           $pairs[] = $key . '=' . $v2;
    323. 

  323.         }
    324. 

  324.       } else {
    325. 

  325.         $pairs[] = $key . '=' . $value;
    326. 

  326.       }
    327. 

  327.     }
    328. 

  328. 		
    329. 

  329.     // Return the pairs, concated with &
    330. 

  330.     return implode('&', $pairs);
    331. 

  331.   }/*}}}*/
    332. 

  332. 

  333.   /**
    334. 

  334.    * Returns the base string of this request
    335. 

  335.    *
    336. 

  336.    * The base string defined as the method, the url
    337. 

  337.    * and the parameters (normalized), each urlencoded
    338. 

  338.    * and the concated with &.
    339. 

  339.    */
    340. 

  340.   function get_signature_base_string() {/*{{{*/
    341. 

  341.     $parts = array(
    342. 

  342.       $this->get_normalized_http_method(),
    343. 

  343.       $this->get_normalized_http_url(),
    344. 

  344.       $this->get_signable_parameters()
    345. 

  345.     );
    346. 

  346. 

  347.     $parts = array_map(array('OAuthUtil', 'urlencodeRFC3986'), $parts);
    348. 

  348. 

  349.     return implode('&', $parts);
    350. 

  350.   }/*}}}*/
    351. 

  351. 

  352.   /**
    353. 

  353.    * just uppercases the http method
    354. 

  354.    */
    355. 

  355.   function get_normalized_http_method() {/*{{{*/
    356. 

  356.     return strtoupper($this->http_method);
    357. 

  357.   }/*}}}*/
    358. 

  358. 

  359.   /**
    360. 

  360.    * parses the url and rebuilds it to be
    361. 

  361.    * scheme://host/path
    362. 

  362.    */
    363. 

  363.   function get_normalized_http_url() {/*{{{*/
    364. 

  364.     $parts = parse_url($this->http_url);
    365. 

  365. 

  366.     // FIXME: port should handle according to http://groups.google.com/group/oauth/browse_thread/thread/1b203a51d9590226
    367. 

  367.     $port = (isset($parts['port']) && $parts['port'] != '80') ? ':' . $parts['port'] : '';
    368. 

  368.     $path = (isset($parts['path'])) ? $parts['path'] : '';
    369. 

  369. 

  370.     return $parts['scheme'] . '://' . $parts['host'] . $port . $path;
    371. 

  371.   }/*}}}*/
    372. 

  372. 

  373.   /**
    374. 

  374.    * builds a url usable for a GET request
    375. 

  375.    */
    376. 

  376.   function to_url() {/*{{{*/
    377. 

  377.     $out = $this->get_normalized_http_url() . "?";
    378. 

  378.     $out .= $this->to_postdata();
    379. 

  379.     return $out;
    380. 

  380.   }/*}}}*/
    381. 

  381. 

  382.   /**
    383. 

  383.    * builds the data one would send in a POST request
    384. 

  384.    */
    385. 

  385.   function to_postdata() {/*{{{*/
    386. 

  386.     $total = array();
    387. 

  387.     foreach ($this->parameters as $k => $v) {
    388. 

  388.       $total[] = OAuthUtil::urlencodeRFC3986($k) . "=" . OAuthUtil::urlencodeRFC3986($v);
    389. 

  389.     }
    390. 

  390.     $out = implode("&", $total);
    391. 

  391.     return $out;
    392. 

  392.   }/*}}}*/
    393. 

  393. 

  394.   /**
    395. 

  395.    * builds the Authorization: header
    396. 

  396.    */
    397. 

  397.   function to_header() {/*{{{*/
    398. 

  398.     $headerParams = array();
    399. 

  399.     foreach ($this->parameters as $k => $v) {
    400. 

  400.       if (substr($k, 0, 5) != "oauth") continue;
    401. 

  401.       $headerParams[] = OAuthUtil::urlencodeRFC3986($k) . '="' . OAuthUtil::urlencodeRFC3986($v) . '"';
    402. 

  402.     }
    403. 

  403.     return sprintf("Authorization: OAuth %s", implode(",", $headerParams));
    404. 

  404.   }/*}}}*/
    405. 

  405. 

  406.   function __toString() {/*{{{*/
    407. 

  407.     return $this->to_url();
    408. 

  408.   }/*}}}*/
    409. 

  409. 

  410. 

  411.   function sign_request($signature_method, $consumer, $token) {/*{{{*/
    412. 

  412.     $this->set_parameter("oauth_signature_method", $signature_method->get_name());
    413. 

  413.     $signature = $this->build_signature($signature_method, $consumer, $token);
    414. 

  414.     $this->set_parameter("oauth_signature", $signature);
    415. 

  415.   }/*}}}*/
    416. 

  416. 

  417.   function build_signature($signature_method, $consumer, $token) {/*{{{*/
    418. 

  418.     $signature = $signature_method->build_signature($this, $consumer, $token);
    419. 

  419.     return $signature;
    420. 

  420.   }/*}}}*/
    421. 

  421. 

  422.   /**
    423. 

  423.    * util function: current timestamp
    424. 

  424.    */
    425. 

  425.   function generate_timestamp() {/*{{{*/
    426. 

  426.     return time();
    427. 

  427.   }/*}}}*/
    428. 

  428. 

  429.   /**
    430. 

  430.    * util function: current nonce
    431. 

  431.    */
    432. 

  432.   function generate_nonce() {/*{{{*/
    433. 

  433.     $mt = microtime();
    434. 

  434.     $rand = mt_rand();
    435. 

  435. 

  436.     return md5($mt . $rand); // md5s look nicer than numbers
    437. 

  437.   }/*}}}*/
    438. 

  438. 

  439.   /**
    440. 

  440.    * util function for turning the Authorization: header into
    441. 

  441.    * parameters, has to do some unescaping
    442. 

  442.    */
    443. 

  443.   function split_header($header) {/*{{{*/
    444. 

  444.     // this should be a regex
    445. 

  445.     // error cases: commas in parameter values
    446. 

  446.     $parts = explode(",", $header);
    447. 

  447.     $out = array();
    448. 

  448.     foreach ($parts as $param) {
    449. 

  449.       $param = ltrim($param);
    450. 

  450.       // skip the "realm" param, nobody ever uses it anyway
    451. 

  451.       if (substr($param, 0, 5) != "oauth") continue;
    452. 

  452. 

  453.       $param_parts = explode("=", $param);
    454. 

  454. 

  455.       // rawurldecode() used because urldecode() will turn a "+" in the
    456. 

  456.       // value into a space
    457. 

  457.       $out[$param_parts[0]] = rawurldecode(substr($param_parts[1], 1, -1));
    458. 

  458.     }
    459. 

  459.     return $out;
    460. 

  460.   }/*}}}*/
    461. 

  461. 

  462.   /**
    463. 

  463.    * helper to try to sort out headers for people who aren't running apache
    464. 

  464.    */
    465. 

  465.   function get_headers() {/*{{{*/
    466. 

  466.     if (function_exists('apache_request_headers')) {
    467. 

  467.       // we need this to get the actual Authorization: header
    468. 

  468.       // because apache tends to tell us it doesn't exist
    469. 

  469.       return apache_request_headers();
    470. 

  470.     }
    471. 

  471.     // otherwise we don't have apache and are just going to have to hope
    472. 

  472.     // that $_SERVER actually contains what we need
    473. 

  473.     $out = array();
    474. 

  474.     foreach ($_SERVER as $key => $value) {
    475. 

  475.       if (substr($key, 0, 5) == "HTTP_") {
    476. 

  476.         // this is chaos, basically it is just there to capitalize the first
    477. 

  477.         // letter of every word that is not an initial HTTP and strip HTTP
    478. 

  478.         // code from przemek
    479. 

  479.         $key = str_replace(" ", "-", ucwords(strtolower(str_replace("_", " ", substr($key, 5)))));
    480. 

  480.         $out[$key] = $value;
    481. 

  481.       }
    482. 

  482.     }
    483. 

  483.     return $out;
    484. 

  484.   }/*}}}*/
    485. 

  485. }/*}}}*/
    486. 

  486. 

  487. class OAuthServer {/*{{{*/
    488. 

  488.   var $timestamp_threshold = 300; // in seconds, five minutes
    489. 

  489.   var $version = 1.0;             // hi blaine
    490. 

  490.   var $signature_methods = array();
    491. 

  491. 

  492.   var $data_store;
    493. 

  493. 

  494.   function OAuthServer($data_store) {/*{{{*/
    495. 

  495.     $this->data_store = $data_store;
    496. 

  496.   }/*}}}*/
    497. 

  497. 

  498.   function add_signature_method($signature_method) {/*{{{*/
    499. 

  499.     $this->signature_methods[$signature_method->get_name()] = 
    500. 

  500.         $signature_method;
    501. 

  501.   }/*}}}*/
    502. 

  502.   
    503. 

  503.   // high level functions
    504. 

  504. 

  505.   /**
    506. 

  506.    * process a request_token request
    507. 

  507.    * returns the request token on success
    508. 

  508.    */
    509. 

  509.   function fetch_request_token(&$request) {/*{{{*/
    510. 

  510.     $this->get_version($request);
    511. 

  511. 

  512.     $consumer = $this->get_consumer($request);
    513. 

  513. 

  514.     // no token required for the initial token request
    515. 

  515.     $token = NULL;
    516. 

  516. 

  517.     $this->check_signature($request, $consumer, $token);
    518. 

  518. 

  519.     $new_token = $this->data_store->new_request_token($consumer);
    520. 

  520. 

  521.     return $new_token;
    522. 

  522.   }/*}}}*/
    523. 

  523. 

  524.   /**
    525. 

  525.    * process an access_token request
    526. 

  526.    * returns the access token on success
    527. 

  527.    */
    528. 

  528.   function fetch_access_token(&$request) {/*{{{*/
    529. 

  529.     $this->get_version($request);
    530. 

  530. 

  531.     $consumer = $this->get_consumer($request);
    532. 

  532. 

  533.     // requires authorized request token
    534. 

  534.     $token = $this->get_token($request, $consumer, "request");
    535. 

  535. 

  536.     $this->check_signature($request, $consumer, $token);
    537. 

  537. 

  538.     $new_token = $this->data_store->new_access_token($token, $consumer);
    539. 

  539. 

  540.     return $new_token;
    541. 

  541.   }/*}}}*/
    542. 

  542. 

  543.   /**
    544. 

  544.    * verify an api call, checks all the parameters
    545. 

  545.    */
    546. 

  546.   function verify_request(&$request) {/*{{{*/
    547. 

  547.     $this->get_version($request);
    548. 

  548.     $consumer = $this->get_consumer($request);
    549. 

  549.     $token = $this->get_token($request, $consumer, "access");
    550. 

  550.     $this->check_signature($request, $consumer, $token);
    551. 

  551.     return array($consumer, $token);
    552. 

  552.   }/*}}}*/
    553. 

  553. 

  554.   // Internals from here
    555. 

  555.   /**
    556. 

  556.    * version 1
    557. 

  557.    */
    558. 

  558.   function get_version(&$request) {/*{{{*/
    559. 

  559.     $version = $request->get_parameter("oauth_version");
    560. 

  560.     if (!$version) {
    561. 

  561.       $version = 1.0;
    562. 

  562.     }
    563. 

  563.     if ($version && $version != $this->version) {
    564. 

  564.       trigger_error("OAuth version '$version' not supported", E_USER_WARNING);
    565. 

  565.       return NULL;
    566. 

  566.     }
    567. 

  567.     return $version;
    568. 

  568.   }/*}}}*/
    569. 

  569. 

  570.   /**
    571. 

  571.    * figure out the signature with some defaults
    572. 

  572.    */
    573. 

  573.   function get_signature_method(&$request) {/*{{{*/
    574. 

  574.     $signature_method =  
    575. 

  575.         @$request->get_parameter("oauth_signature_method");
    576. 

  576.     if (!$signature_method) {
    577. 

  577.       $signature_method = "PLAINTEXT";
    578. 

  578.     }
    579. 

  579.     if (!in_array($signature_method, 
    580. 

  580.                   array_keys($this->signature_methods))) {
    581. 

  581.       trigger_error("Signature method '$signature_method' not supported try one of the following: " . implode(", ", array_keys($this->signature_methods)), E_USER_WARNING);      
    582. 

  582.       return NULL;
    583. 

  583.     }
    584. 

  584.     return $this->signature_methods[$signature_method];
    585. 

  585.   }/*}}}*/
    586. 

  586. 

  587.   /**
    588. 

  588.    * try to find the consumer for the provided request's consumer key
    589. 

  589.    */
    590. 

  590.   function get_consumer(&$request) {/*{{{*/
    591. 

  591.     $consumer_key = @$request->get_parameter("oauth_consumer_key");
    592. 

  592.     if (!$consumer_key) {
    593. 

  593.       trigger_error("Invalid consumer key", E_USER_WARNING);
    594. 

  594.       return NULL;
    595. 

  595.     }
    596. 

  596. 

  597.     $consumer = $this->data_store->lookup_consumer($consumer_key);
    598. 

  598.     if (!$consumer) {
    599. 

  599.       trigger_error("Invalid consumer", E_USER_WARNING);
    600. 

  600.       return NULL;
    601. 

  601.     }
    602. 

  602. 

  603.     return $consumer;
    604. 

  604.   }/*}}}*/
    605. 

  605. 

  606.   /**
    607. 

  607.    * try to find the token for the provided request's token key
    608. 

  608.    */
    609. 

  609.   function get_token(&$request, $consumer, $token_type="access") {/*{{{*/
    610. 

  610.     $token_field = @$request->get_parameter('oauth_token');
    611. 

  611.     $token = $this->data_store->lookup_token(
    612. 

  612.       $consumer, $token_type, $token_field
    613. 

  613.     );
    614. 

  614.     if (!$token) {
    615. 

  615.       trigger_error("Invalid $token_type token: $token_field", E_USER_WARNING);
    616. 

  616.       return NULL;
    617. 

  617.     }
    618. 

  618.     return $token;
    619. 

  619.   }/*}}}*/
    620. 

  620. 

  621.   /**
    622. 

  622.    * all-in-one function to check the signature on a request
    623. 

  623.    * should guess the signature method appropriately
    624. 

  624.    */
    625. 

  625.   function check_signature(&$request, $consumer, $token) {/*{{{*/
    626. 

  626.     // this should probably be in a different method
    627. 

  627.     $timestamp = @$request->get_parameter('oauth_timestamp');
    628. 

  628.     $nonce = @$request->get_parameter('oauth_nonce');
    629. 

  629. 

  630.     $this->check_timestamp($timestamp);
    631. 

  631.     $this->check_nonce($consumer, $token, $nonce, $timestamp);
    632. 

  632. 

  633.     $signature_method = $this->get_signature_method($request);
    634. 

  634. 

  635.     $signature = $request->get_parameter('oauth_signature');    
    636. 

  636.     $valid_sig = $signature_method->check_signature(
    637. 

  637.       $request, 
    638. 

  638.       $consumer, 
    639. 

  639.       $token, 
    640. 

  640.       $signature
    641. 

  641.     );
    642. 

  642. 

  643.     if (!$valid_sig) {
    644. 

  644.       trigger_error("Invalid signature", E_USER_WARNING);
    645. 

  645.       return NULL;
    646. 

  646.     }
    647. 

  647.   }/*}}}*/
    648. 

  648. 

  649.   /**
    650. 

  650.    * check that the timestamp is new enough
    651. 

  651.    */
    652. 

  652.   function check_timestamp($timestamp) {/*{{{*/
    653. 

  653.     // verify that timestamp is recentish
    654. 

  654.     $now = time();
    655. 

  655.     if ($now - $timestamp > $this->timestamp_threshold) {
    656. 

  656.       trigger_error("Expired timestamp, yours $timestamp, ours $now", E_USER_WARNING);
    657. 

  657.       return NULL;
    658. 

  658.     }
    659. 

  659.   }/*}}}*/
    660. 

  660. 

  661.   /**
    662. 

  662.    * check that the nonce is not repeated
    663. 

  663.    */
    664. 

  664.   function check_nonce($consumer, $token, $nonce, $timestamp) {/*{{{*/
    665. 

  665.     // verify that the nonce is uniqueish
    666. 

  666.     $found = $this->data_store->lookup_nonce($consumer, $token, $nonce, $timestamp);
    667. 

  667.     if ($found) {
    668. 

  668.       trigger_error("Nonce already used: $nonce", E_USER_WARNING);
    669. 

  669.       return NULL;
    670. 

  670.     }
    671. 

  671.   }/*}}}*/
    672. 

  672. 

  673. 

  674. 

  675. }/*}}}*/
    676. 

  676. 

  677. class OAuthDataStore {/*{{{*/
    678. 

  678.   function lookup_consumer($consumer_key) {/*{{{*/
    679. 

  679.     // implement me
    680. 

  680.   }/*}}}*/
    681. 

  681. 

  682.   function lookup_token($consumer, $token_type, $token) {/*{{{*/
    683. 

  683.     // implement me
    684. 

  684.   }/*}}}*/
    685. 

  685. 

  686.   function lookup_nonce($consumer, $token, $nonce, $timestamp) {/*{{{*/
    687. 

  687.     // implement me
    688. 

  688.   }/*}}}*/
    689. 

  689. 

  690.   function fetch_request_token($consumer) {/*{{{*/
    691. 

  691.     // return a new token attached to this consumer
    692. 

  692.   }/*}}}*/
    693. 

  693. 

  694.   function fetch_access_token($token, $consumer) {/*{{{*/
    695. 

  695.     // return a new access token attached to this consumer
    696. 

  696.     // for the user associated with this token if the request token
    697. 

  697.     // is authorized
    698. 

  698.     // should also invalidate the request token
    699. 

  699.   }/*}}}*/
    700. 

  700. 

  701. }/*}}}*/
    702. 

  702. 

  703. 

  704. /*  A very naive dbm-based oauth storage
    705. 

  705.  */
    706. 

  706. class SimpleOAuthDataStore extends OAuthDataStore {/*{{{*/
    707. 

  707.   var $dbh;
    708. 

  708. 

  709.   function SimpleOAuthDataStore($path = "oauth.gdbm") {/*{{{*/
    710. 

  710.     $this->dbh = dba_popen($path, 'c', 'gdbm');
    711. 

  711.   }/*}}}*/
    712. 

  712. 

  713.   function __destruct() {/*{{{*/
    714. 

  714.     dba_close($this->dbh);
    715. 

  715.   }/*}}}*/
    716. 

  716. 

  717.   function lookup_consumer($consumer_key) {/*{{{*/
    718. 

  718.     $rv = dba_fetch("consumer_$consumer_key", $this->dbh);
    719. 

  719.     if ($rv === FALSE) {
    720. 

  720.       return NULL;
    721. 

  721.     }
    722. 

  722.     $obj = unserialize($rv);
    723. 

  723.     if (!is_a($obj, "OAuthConsumer")) {
    724. 

  724.       return NULL;
    725. 

  725.     }
    726. 

  726.     return $obj;
    727. 

  727.   }/*}}}*/
    728. 

  728. 

  729.   function lookup_token($consumer, $token_type, $token) {/*{{{*/
    730. 

  730.     $rv = dba_fetch("${token_type}_${token}", $this->dbh);
    731. 

  731.     if ($rv === FALSE) {
    732. 

  732.       return NULL;
    733. 

  733.     }
    734. 

  734.     $obj = unserialize($rv);
    735. 

  735.     if (!is_a($obj, "OAuthToken")) {
    736. 

  736.       return NULL;
    737. 

  737.     }
    738. 

  738.     return $obj;
    739. 

  739.   }/*}}}*/
    740. 

  740. 

  741.   function lookup_nonce($consumer, $token, $nonce, $timestamp) {/*{{{*/
    742. 

  742.     if (dba_exists("nonce_$nonce", $this->dbh)) {
    743. 

  743.       return TRUE;
    744. 

  744.     } else {
    745. 

  745.       dba_insert("nonce_$nonce", "1", $this->dbh);
    746. 

  746.       return FALSE;
    747. 

  747.     }
    748. 

  748.   }/*}}}*/
    749. 

  749. 

  750.   function new_token($consumer, $type="request") {/*{{{*/
    751. 

  751.     $key = md5(time());
    752. 

  752.     $secret = time() + time();
    753. 

  753.     $token = new OAuthToken($key, md5(md5($secret)));
    754. 

  754.     if (!dba_insert("${type}_$key", serialize($token), $this->dbh)) {
    755. 

  755.       trigger_error("doooom!", E_USER_WARNING);
    756. 

  756.       return NULL;
    757. 

  757.     }
    758. 

  758.     return $token;
    759. 

  759.   }/*}}}*/
    760. 

  760. 

  761.   function new_request_token($consumer) {/*{{{*/
    762. 

  762.     return $this->new_token($consumer, "request");
    763. 

  763.   }/*}}}*/
    764. 

  764. 

  765.   function new_access_token($token, $consumer) {/*{{{*/
    766. 

  766. 

  767.     $token = $this->new_token($consumer, 'access');
    768. 

  768.     dba_delete("request_" . $token->key, $this->dbh);
    769. 

  769.     return $token;
    770. 

  770.   }/*}}}*/
    771. 

  771. }/*}}}*/
    772. 

  772. 

  773. class OAuthUtil {/*{{{*/
    774. 

  774.   function urlencodeRFC3986($string) {/*{{{*/
    775. 

  775.     return str_replace('%7E', '~', rawurlencode($string));
    776. 

  776.   }/*}}}*/
    777. 

  777.     
    778. 

  778.   function urldecodeRFC3986($string) {/*{{{*/
    779. 

  779.     return rawurldecode($string);
    780. 

  780.   }/*}}}*/
    781. 

  781. }/*}}}*/
    782. 

  782. 

  783. /**
    784. 

  784.  * Crib'd native implementation of hash_hmac() for SHA1 from the 
    785. 

  785.  * Fire Eagle PHP code:
    786. 

  786.  *
    787. 

  787.  * http://fireeagle.yahoo.net/developer/code/php
    788. 

  788.  */
    789. 

  789. if (!function_exists("hash_hmac")) {
    790. 

  790.     // Earlier versions of PHP5 are missing hash_hmac().  Here's a
    791. 

  791.     // pure-PHP version in case you're using one of them.
    792. 

  792.     function hash_hmac($algo, $data, $key) {
    793. 

  793.         // Thanks, Kellan: http://laughingmeme.org/code/hmacsha1.php.txt
    794. 

  794.         if ($algo != 'sha1') {
    795. 

  795.             error_log("Internal hash_hmac() can only do sha1, sorry");
    796. 

  796.             return NULL;
    797. 

  797.         }
    798. 

  798. 

  799.         $blocksize = 64;
    800. 

  800.         $hashfunc = 'sha1';
    801. 

  801.         if (strlen($key)>$blocksize)
    802. 

  802.             $key = pack('H*', $hashfunc($key));
    803. 

  803.         $key = str_pad($key,$blocksize,chr(0x00));
    804. 

  804.         $ipad = str_repeat(chr(0x36),$blocksize);
    805. 

  805.         $opad = str_repeat(chr(0x5c),$blocksize);
    806. 

  806.         $hmac = pack(
    807. 

  807.                 'H*',$hashfunc(
    808. 

  808.                     ($key^$opad).pack(
    809. 

  809.                                       'H*',$hashfunc(
    810. 

  810.                                           ($key^$ipad).$data
    811. 

  811.                                           )
    812. 

  812.                                      )
    813. 

  813.                     )
    814. 

  814.                 );
    815. 

  815.         return $hmac;
    816. 

  816.     }
    817. 

  817. }
    818. 

  818. 

  819. ?>
    820. 

  820.