TomaHost/Chamilo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

upgrade

Browse Source
This commit is contained in:
Xes
2025-08-14 22:41:49 +02:00
parent 2de81ccc46
commit 8ce45119b6
39774 changed files with 4309466 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
vendor/thenetworg/oauth2-azure/src/Grant/JwtBearer.php vendored Normal file
View File

@@ -0,0 +1,19 @@
<?php
namespace TheNetworg\OAuth2\Client\Grant;
class JwtBearer extends \League\OAuth2\Client\Grant\AbstractGrant
{
protected function getName()
{
return 'urn:ietf:params:oauth:grant-type:jwt-bearer';
}
protected function getRequiredRequestParameters()
{
return [
'requested_token_use',
'assertion',
];
}
}

353
vendor/thenetworg/oauth2-azure/src/Provider/Azure.php vendored Normal file
View File

@@ -0,0 +1,353 @@
<?php
namespace TheNetworg\OAuth2\Client\Provider;
use Firebase\JWT\JWT;
use League\OAuth2\Client\Grant\AbstractGrant;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
use Psr\Http\Message\ResponseInterface;
use TheNetworg\OAuth2\Client\Grant\JwtBearer;
use TheNetworg\OAuth2\Client\Token\AccessToken;
class Azure extends AbstractProvider
{
use BearerAuthorizationTrait;
public $urlLogin = 'https://login.microsoftonline.com/';
public $pathAuthorize = '/oauth2/authorize';
public $pathToken = '/oauth2/token';
public $scope = [];
public $scopeSeparator = ' ';
public $tenant = 'common';
public $urlAPI = 'https://graph.windows.net/';
public $resource = '';
public $API_VERSION = '1.6';
public $authWithResource = true;
public function __construct(array $options = [], array $collaborators = [])
{
parent::__construct($options, $collaborators);
$this->grantFactory->setGrant('jwt_bearer', new JwtBearer());
}
public function getBaseAuthorizationUrl()
{
return $this->urlLogin . $this->tenant . $this->pathAuthorize;
}
public function getBaseAccessTokenUrl(array $params)
{
return $this->urlLogin . $this->tenant . $this->pathToken;
}
public function getAccessToken($grant, array $options = [])
{
if ($this->authWithResource) {
$options['resource'] = $this->resource ? $this->resource : $this->urlAPI;
}
return parent::getAccessToken($grant, $options);
}
public function getResourceOwner(\League\OAuth2\Client\Token\AccessToken $token)
{
$data = $token->getIdTokenClaims();
return $this->createResourceOwner($data, $token);
}
public function getResourceOwnerDetailsUrl(\League\OAuth2\Client\Token\AccessToken $token)
{
}
public function getObjects($tenant, $ref, &$accessToken, $headers = [])
{
$objects = [];
$response = null;
do {
if (false === filter_var($ref, FILTER_VALIDATE_URL)) {
$ref = $tenant . '/' . $ref;
}
$response = $this->request('get', $ref, $accessToken, ['headers' => $headers]);
$values = $response;
if (isset($response['value'])) {
$values = $response['value'];
}
foreach ($values as $value) {
$objects[] = $value;
}
if (isset($response['odata.nextLink'])) {
$ref = $response['odata.nextLink'];
} elseif (isset($response['@odata.nextLink'])) {
$ref = $response['@odata.nextLink'];
} else {
$ref = null;
}
} while (null != $ref);
return $objects;
}
public function get($ref, &$accessToken, $headers = [])
{
$response = $this->request('get', $ref, $accessToken, ['headers' => $headers]);
return $this->wrapResponse($response);
}
public function post($ref, $body, &$accessToken, $headers = [])
{
$response = $this->request('post', $ref, $accessToken, ['body' => $body, 'headers' => $headers]);
return $this->wrapResponse($response);
}
public function put($ref, $body, &$accessToken, $headers = [])
{
$response = $this->request('put', $ref, $accessToken, ['body' => $body, 'headers' => $headers]);
return $this->wrapResponse($response);
}
public function delete($ref, &$accessToken, $headers = [])
{
$response = $this->request('delete', $ref, $accessToken, ['headers' => $headers]);
return $this->wrapResponse($response);
}
public function patch($ref, $body, &$accessToken, $headers = [])
{
$response = $this->request('patch', $ref, $accessToken, ['body' => $body, 'headers' => $headers]);
return $this->wrapResponse($response);
}
public function request($method, $ref, &$accessToken, $options = [])
{
if ($accessToken->hasExpired()) {
$accessToken = $this->getAccessToken('refresh_token', [
'refresh_token' => $accessToken->getRefreshToken(),
]);
}
$url = null;
if (false !== filter_var($ref, FILTER_VALIDATE_URL)) {
$url = $ref;
} else {
if (false !== strpos($this->urlAPI, 'graph.windows.net')) {
$tenant = 'common';
if (property_exists($this, 'tenant')) {
$tenant = $this->tenant;
}
$ref = "$tenant/$ref";
$url = $this->urlAPI . $ref;
$url .= (false === strrpos($url, '?')) ? '?' : '&';
$url .= 'api-version=' . $this->API_VERSION;
} else {
$url = $this->urlAPI . $ref;
}
}
if (isset($options['body']) && ('array' == gettype($options['body']) || 'object' == gettype($options['body']))) {
$options['body'] = json_encode($options['body']);
}
if (!isset($options['headers']['Content-Type']) && isset($options['body'])) {
$options['headers']['Content-Type'] = 'application/json';
}
$request = $this->getAuthenticatedRequest($method, $url, $accessToken, $options);
$response = $this->getParsedResponse($request);
return $response;
}
public function getClientId()
{
return $this->clientId;
}
/**
* Obtain URL for logging out the user.
*
* @param $post_logout_redirect_uri string The URL which the user should be redirected to after logout
*
* @return string
*/
public function getLogoutUrl($post_logout_redirect_uri)
{
return 'https://login.microsoftonline.com/' . $this->tenant . '/oauth2/logout?post_logout_redirect_uri=' . rawurlencode($post_logout_redirect_uri);
}
/**
* Validate the access token you received in your application.
*
* @param $accessToken string The access token you received in the authorization header.
*
* @return array
*/
public function validateAccessToken($accessToken)
{
$keys = $this->getJwtVerificationKeys();
$tokenClaims = (array)JWT::decode($accessToken, $keys, ['RS256']);
if ($this->getClientId() != $tokenClaims['aud'] && $this->getClientId() != $tokenClaims['appid']) {
throw new \RuntimeException('The client_id / audience is invalid!');
}
if ($tokenClaims['nbf'] > time() || $tokenClaims['exp'] < time()) {
// Additional validation is being performed in firebase/JWT itself
throw new \RuntimeException('The id_token is invalid!');
}
if ('common' == $this->tenant) {
$this->tenant = $tokenClaims['tid'];
$tenant = $this->getTenantDetails($this->tenant);
if ($tokenClaims['iss'] != $tenant['issuer']) {
throw new \RuntimeException('Invalid token issuer!');
}
} else {
$tenant = $this->getTenantDetails($this->tenant);
if ($tokenClaims['iss'] != $tenant['issuer']) {
throw new \RuntimeException('Invalid token issuer!');
}
}
return $tokenClaims;
}
/**
* Get JWT verification keys from Azure Active Directory.
*
* @return array
*/
public function getJwtVerificationKeys()
{
$factory = $this->getRequestFactory();
$request = $factory->getRequestWithOptions('get', 'https://login.windows.net/common/discovery/keys', []);
$response = $this->getParsedResponse($request);
$keys = [];
foreach ($response['keys'] as $i => $keyinfo) {
if (isset($keyinfo['x5c']) && is_array($keyinfo['x5c'])) {
foreach ($keyinfo['x5c'] as $encodedkey) {
$cert =
'-----BEGIN CERTIFICATE-----' . PHP_EOL
. chunk_split($encodedkey, 64, PHP_EOL)
. '-----END CERTIFICATE-----' . PHP_EOL;
$cert_object = openssl_x509_read($cert);
if ($cert_object === false) {
throw new \RuntimeException('An attempt to read ' . $encodedkey . ' as a certificate failed.');
}
$pkey_object = openssl_pkey_get_public($cert_object);
if ($pkey_object === false) {
throw new \RuntimeException('An attempt to read a public key from a ' . $encodedkey . ' certificate failed.');
}
$pkey_array = openssl_pkey_get_details($pkey_object);
if ($pkey_array === false) {
throw new \RuntimeException('An attempt to get a public key as an array from a ' . $encodedkey . ' certificate failed.');
}
$publicKey = $pkey_array ['key'];
$keys[$keyinfo['kid']] = $publicKey;
}
}
}
return $keys;
}
/**
* Get the specified tenant's details.
*
* @param string $tenant
*
* @return array
*/
public function getTenantDetails($tenant)
{
$factory = $this->getRequestFactory();
$request = $factory->getRequestWithOptions(
'get',
'https://login.windows.net/' . $tenant . '/.well-known/openid-configuration',
[]
);
$response = $this->getParsedResponse($request);
return $response;
}
protected function checkResponse(ResponseInterface $response, $data)
{
if (isset($data['odata.error']) || isset($data['error'])) {
if (isset($data['odata.error']['message']['value'])) {
$message = $data['odata.error']['message']['value'];
} elseif (isset($data['error']['message'])) {
$message = $data['error']['message'];
} elseif (isset($data['error']) && !is_array($data['error'])) {
$message = $data['error'];
} else {
$message = $response->getReasonPhrase();
}
throw new IdentityProviderException(
$message,
$response->getStatusCode(),
$response
);
}
}
protected function getDefaultScopes()
{
return $this->scope;
}
protected function getScopeSeparator()
{
return $this->scopeSeparator;
}
protected function createAccessToken(array $response, AbstractGrant $grant)
{
return new AccessToken($response, $this);
}
protected function createResourceOwner(array $response, \League\OAuth2\Client\Token\AccessToken $token)
{
return new AzureResourceOwner($response);
}
private function wrapResponse($response)
{
if (empty($response)) {
return;
} elseif (isset($response['value'])) {
return $response['value'];
}
return $response;
}
}

97
vendor/thenetworg/oauth2-azure/src/Provider/AzureResourceOwner.php vendored Normal file
View File

@@ -0,0 +1,97 @@
<?php
namespace TheNetworg\OAuth2\Client\Provider;
use League\OAuth2\Client\Provider\ResourceOwnerInterface;
class AzureResourceOwner implements ResourceOwnerInterface
{
/**
* Response payload
*
* @var array
*/
protected $data;
/**
* Creates new azure resource owner.
*
* @param array $data
*/
public function __construct($data = [])
{
$this->data = $data;
}
/**
* Retrieves id of resource owner.
*
* @return string|null
*/
public function getId()
{
return $this->claim('oid');
}
/**
* Retrieves first name of resource owner.
*
* @return string|null
*/
public function getFirstName()
{
return $this->claim('given_name');
}
/**
* Retrieves last name of resource owner.
*
* @return string|null
*/
public function getLastName()
{
return $this->claim('family_name');
}
/**
* Retrieves user principal name of resource owner.
*
* @return string|null
*/
public function getUpn()
{
return $this->claim('upn');
}
/**
* Retrieves tenant id of resource owner.
*
* @return string|null
*/
public function getTenantId()
{
return $this->claim('tid');
}
/**
* Returns a field from the parsed JWT data.
*
* @param string $name
*
* @return mixed|null
*/
public function claim($name)
{
return isset($this->data[$name]) ? $this->data[$name] : null;
}
/**
* Returns all the data obtained about the user.
*
* @return array
*/
public function toArray()
{
return $this->data;
}
}

71
vendor/thenetworg/oauth2-azure/src/Token/AccessToken.php vendored Normal file
View File

@@ -0,0 +1,71 @@
<?php
namespace TheNetworg\OAuth2\Client\Token;
use Firebase\JWT\JWT;
use InvalidArgumentException;
use League\OAuth2\Client\Tool\RequestFactory;
use RuntimeException;
class AccessToken extends \League\OAuth2\Client\Token\AccessToken
{
protected $idToken;
protected $idTokenClaims;
public function __construct(array $options, $provider)
{
parent::__construct($options);
if (!empty($options['id_token'])) {
$this->idToken = $options['id_token'];
$keys = $provider->getJwtVerificationKeys();
$idTokenClaims = null;
try {
$tks = explode('.', $this->idToken);
// Check if the id_token contains signature
if (3 == count($tks) && !empty($tks[2])) {
$idTokenClaims = (array)JWT::decode($this->idToken, $keys, ['RS256']);
} else {
// The id_token is unsigned (coming from v1.0 endpoint) - https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
// Since idToken is not signed, we just do OAuth2 flow without validating the id_token
// // Validate the access_token signature first by parsing it as JWT into claims
// $accessTokenClaims = (array)JWT::decode($options['access_token'], $keys, ['RS256']);
// Then parse the idToken claims only without validating the signature
$idTokenClaims = (array)JWT::jsonDecode(JWT::urlsafeB64Decode($tks[1]));
}
} catch (JWT_Exception $e) {
throw new RuntimeException('Unable to parse the id_token!');
}
if ($provider->getClientId() != $idTokenClaims['aud']) {
throw new RuntimeException('The audience is invalid!');
}
if ($idTokenClaims['nbf'] > time() || $idTokenClaims['exp'] < time()) {
// Additional validation is being performed in firebase/JWT itself
throw new RuntimeException('The id_token is invalid!');
}
if ('common' == $provider->tenant) {
$provider->tenant = $idTokenClaims['tid'];
$tenant = $provider->getTenantDetails($provider->tenant);
if ($idTokenClaims['iss'] != $tenant['issuer']) {
throw new RuntimeException('Invalid token issuer!');
}
} else {
$tenant = $provider->getTenantDetails($provider->tenant);
if ($idTokenClaims['iss'] != $tenant['issuer']) {
throw new RuntimeException('Invalid token issuer!');
}
}
$this->idTokenClaims = $idTokenClaims;
}
}
public function getIdTokenClaims()
{
return $this->idTokenClaims;
}
}