This repository has been archived on 2022-06-23. You can view files and clone it, but cannot push or open issues or pull requests.
divi/core/components/lib/OAuth.php
2021-12-07 11:08:05 +00:00

504 lines
14 KiB
PHP

<?php
/**
* ET Core OAuth Library
*
* Copyright © 2016-2017 Elegant Themes, Inc.
*
* Based on code from the TwitterOAuth Library:
* - Copyright © 2009-2016 Abraham Williams
* - Copyright © 2007-2009 Andy Smith
*
* @license
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
* documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial
* portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
* WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
* OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
class ET_Core_LIB_OAuthBase {
/**
* Writes a message to the PHP error log.
*
* @since 1.1.0
*
* @param mixed $msg
*/
public static function write_log( $msg, $level = 'DEBUG', $_this = null ) {
$name = ( null !== $_this ) ? get_class( $_this ) : 'ET_Core_LIB_OAuthBase';
if ( ! is_string( $msg ) ) {
$msg = print_r( $msg, true );
}
error_log( "{$name} [{$level}]: $msg" );
}
}
class ET_Core_LIB_OAuthUtil {
public static function build_http_query( $params, $return_json=false ) {
if ( ! $params ) {
return '';
}
if ( $return_json ) {
// return json string without further processing if needed
return json_encode( $params );
}
// Url encode both the keys and the values
$keys = ET_Core_LIB_OAuthUtil::urlencode_rfc3986( array_keys( $params ) );
$values = ET_Core_LIB_OAuthUtil::urlencode_rfc3986( array_values( $params ) );
$params = array_combine( $keys, $values );
// Parameters are sorted by name, using lexicographical byte value ordering.
// Ref: Spec: 9.1.1 (1)
uksort( $params, 'strcmp' );
$pairs = array();
foreach ( $params as $parameter => $value ) {
if ( is_array( $value ) ) {
// When two or more parameters share the same name, they are sorted by their value
// Ref: Spec: 9.1.1 (1)
// June 12th, 2010 - changed to sort because of issue 164 by hidetaka
sort( $value, SORT_STRING );
foreach ( $value as $duplicate_value ) {
$pairs[] = "{$parameter}={$duplicate_value}";
}
} else {
$pairs[] = "{$parameter}={$value}";
}
}
// For each parameter, the name is separated from the corresponding value by an '=' character (ASCII code 61)
// Each name-value pair is separated by an '&' character (ASCII code 38)
return implode( '&', $pairs );
}
public static function parse_parameters( $input = '' ) {
if ( '' === $input ) {
return array();
}
$pairs = explode( '&', $input );
$parsed_parameters = array();
foreach ( $pairs as $pair ) {
$split = explode( '=', $pair, 2 );
$parameter = ET_Core_LIB_OAuthUtil::urldecode_rfc3986( $split[0] );
$value = isset( $split[1] ) ? ET_Core_LIB_OAuthUtil::urldecode_rfc3986( $split[1] ) : '';
if ( isset( $parsed_parameters[ $parameter ] ) ) {
// We have already received parameter(s) with this name, so add to the list
// of parameters with this name
if ( is_scalar( $parsed_parameters[ $parameter ] ) ) {
// This is the first duplicate, so transform scalar (string) into an array
// so we can add the duplicates
$parsed_parameters[ $parameter ] = array( $parsed_parameters[ $parameter ] );
}
$parsed_parameters[ $parameter ][] = $value;
} else {
$parsed_parameters[ $parameter ] = $value;
}
}
return $parsed_parameters;
}
public static function urldecode_rfc3986( $string ) {
return rawurldecode( $string );
}
public static function urlencode_rfc3986( $input ) {
$output = '';
if ( is_array( $input ) ) {
$output = array_map( array( 'ET_Core_LIB_OAuthUtil', 'urlencode_rfc3986' ), $input );
} else if ( is_scalar( $input ) ) {
$output = rawurlencode( utf8_encode( $input ) );
}
return $output;
}
}
/**
* A base class for implementing a Signature Method
* See section 9 ("Signing Requests") in the spec
*/
abstract class ET_Core_LIB_OAuthSignatureMethod {
/**
* Build the signature
* NOTE: The output of this function MUST NOT be urlencoded. The encoding is handled in
* {@link ET_Core_OAuth_Request} when the final request is serialized.
*
* @param ET_Core_LIB_OAuthRequest $request
* @param ET_Core_LIB_OAuthConsumer $consumer
* @param ET_Core_LIB_OAuthToken|null $token
*
* @return string
*/
abstract public function build_signature( $request, $consumer, $token = null );
/**
* Verifies that a given signature is correct
*
* @param ET_Core_LIB_OAuthRequest $request
* @param ET_Core_LIB_OAuthConsumer $consumer
* @param ET_Core_LIB_OAuthToken $token
* @param string $signature
*
* @return bool
*/
public function check_signature( $request, $consumer, $token, $signature ) {
$built = $this->build_signature( $request, $consumer, $token );
// Check for zero length, although its unlikely here
if ( empty( $built ) || empty( $signature ) ) {
return false;
}
if ( strlen( $built ) !== strlen( $signature ) ) {
return false;
}
// Avoid a timing leak with a (hopefully) time insensitive compare
$result = 0;
for ( $i = 0; $i < strlen( $signature ); $i ++ ) {
$result |= ord( $built[ $i ] ) ^ ord( $signature[ $i ] );
}
return 0 === $result;
}
/**
* Returns the name of this Signature Method (ie HMAC-SHA1)
*
* @return string
*/
abstract public function get_name();
}
/**
* The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104] where
* the Signature Base String is the text and the key is the concatenated values of the Consumer Secret and
* Token Secret (each encoded per Parameter Encoding first), separated by an '&' character (ASCII code 38)
* even if empty. As per Chapter 9.2 of the HMAC-SHA1 spec.
*/
class ET_Core_LIB_OAuthHMACSHA1 extends ET_Core_LIB_OAuthSignatureMethod {
/**
* @inheritDoc
*/
public function build_signature( $request, $consumer, $token = null ) {
$base_string = $request->get_signature_base_string();
$token = $token ? $token->secret : '';
$request->base_string = $base_string;
$key_parts = array( $consumer->secret, $token );
$key = implode( '&', $key_parts );
return base64_encode( hash_hmac( 'sha1', $base_string, $key, true ) );
}
/**
* @inheritDoc
*/
public function get_name() {
return 'HMAC-SHA1';
}
}
class ET_Core_LIB_OAuthConsumer {
public $callback_url;
public $id;
public $key;
public $secret;
public function __construct( $id, $secret, $callback_url = '' ) {
$this->id = $this->key = $id;
$this->secret = $secret;
$this->callback_url = $callback_url;
}
function __toString() {
$name = get_class( $this );
$key = 'ET_Core_LIB_OAuthConsumer' === $name ? 'key' : 'id';
return "{$name}[{$key}={$this->key}, secret={$this->secret}]";
}
}
class ET_Core_LIB_OAuthToken {
public $key;
public $secret;
public $refresh_token;
/**
* @param string $key The OAuth Token
* @param string $secret The OAuth Token Secret
*/
public function __construct( $key, $secret ) {
$this->key = $key;
$this->secret = $secret;
}
/**
* Generates the basic string serialization of a token that a server
* would respond to 'request_token' and 'access_token' calls with
*
* @return string
*/
public function __toString() {
return sprintf( "oauth_token=%s&oauth_token_secret=%s",
ET_Core_LIB_OAuthUtil::urlencode_rfc3986( $this->key ),
ET_Core_LIB_OAuthUtil::urlencode_rfc3986( $this->secret )
);
}
}
class ET_Core_LIB_OAuthRequest extends ET_Core_LIB_OAuthBase {
protected $parameters;
protected $http_method;
protected $http_url;
public static $version = '1.0';
public $base_string;
/**
* ET_Core_OAuth_Request Constructor
*
* @param string $http_method
* @param string $http_url
* @param array|null $parameters
*/
public function __construct( $http_method, $http_url, $parameters = array() ) {
$this->parameters = $parameters;
$this->http_method = $http_method;
$this->http_url = $http_url;
}
/**
* pretty much a helper function to set up the request
*
* @param ET_Core_LIB_OAuthConsumer $consumer
* @param ET_Core_LIB_OAuthToken $token
* @param string $http_method
* @param string $http_url
* @param array $parameters
*
* @return ET_Core_LIB_OAuthRequest
*/
public static function from_consumer_and_token( $consumer, $token, $http_method, $http_url, $parameters = array() ) {
$defaults = array(
"oauth_version" => ET_Core_LIB_OAuthRequest::$version,
"oauth_nonce" => ET_Core_LIB_OAuthRequest::generate_nonce(),
"oauth_timestamp" => time(),
"oauth_consumer_key" => $consumer->key
);
if ( $token ) {
$defaults['oauth_token'] = $token->key;
}
$parameters = wp_parse_args( $parameters, $defaults );
return new ET_Core_LIB_OAuthRequest( $http_method, $http_url, $parameters );
}
/**
* Returns the HTTP Method in uppercase
*
* @return string
*/
public function get_normalized_http_method() {
return strtoupper( $this->http_method );
}
/**
* parses the url and rebuilds it to be
* scheme://host/path
*
* @return string
*/
public function get_normalized_http_url() {
$parts = parse_url( $this->http_url );
$scheme = $parts['scheme'];
$host = strtolower( $parts['host'] );
$path = $parts['path'];
return "{$scheme}://{$host}{$path}";
}
/**
* @param $name
*
* @return string|null
*/
public function get_parameter( $name ) {
return isset( $this->parameters[ $name ] ) ? $this->parameters[ $name ] : null;
}
/**
* @return array
*/
public function get_parameters() {
return $this->parameters;
}
/**
* The request parameters, sorted and concatenated into a normalized string.
*
* @return string
*/
public function get_signable_parameters() {
// Grab a copy of all parameters
$params = $this->parameters;
// Remove oauth_signature if present
// Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")
if ( isset( $params['oauth_signature'] ) ) {
unset( $params['oauth_signature'] );
}
return ET_Core_LIB_OAuthUtil::build_http_query( $params );
}
/**
* Returns the base string of this request
*
* The base string defined as the method, the url, and the parameters (normalized),
* each urlencoded and then concatenated with '&'.
*
* @return string
*/
public function get_signature_base_string() {
$parts = array(
$this->get_normalized_http_method(),
$this->get_normalized_http_url(),
$this->get_signable_parameters()
);
$parts = ET_Core_LIB_OAuthUtil::urlencode_rfc3986( $parts );
return implode( '&', $parts );
}
/**
* @param $name
*/
public function remove_parameter( $name ) {
unset( $this->parameters[ $name ] );
}
/**
* @param string $name
* @param string $value
*/
public function set_parameter( $name, $value ) {
$this->parameters[ $name ] = $value;
}
/**
* Builds the data one would send in a POST request
* @param bool $need_json indicates the query data format ( http query string or json string )
*
* @return string
*/
public function to_post_data( $need_json = false ) {
return ET_Core_LIB_OAuthUtil::build_http_query( $this->parameters, $need_json );
}
/**
* Builds a url usable for a GET request
*
* @return string
*/
public function to_url() {
$postData = $this->to_post_data();
$out = $this->get_normalized_http_url();
if ( $postData ) {
$out .= '?' . $postData;
}
return $out;
}
/**
* Builds the HTTP Authorization Header
*
* @return string
*/
public function to_header() {
$out = '';
foreach ( $this->parameters as $parameter => $value ) {
if ( 0 !== strpos( 'oauth', $parameter ) ) {
continue;
}
if ( is_array( $value ) ) {
self::write_log( 'Arrays not supported in headers!', 'ERROR' );
continue;
}
$out .= ( '' === $out ) ? 'OAuth ' : ', ';
$out .= ET_Core_LIB_OAuthUtil::urlencode_rfc3986( $parameter );
$out .= '="' . ET_Core_LIB_OAuthUtil::urlencode_rfc3986( $value ) . '"';
}
return $out;
}
/**
* @return string
*/
public function __toString() {
return $this->to_url();
}
/**
* @param ET_Core_LIB_OAuthSignatureMethod $signature_method
* @param ET_Core_LIB_OAuthConsumer $consumer
* @param ET_Core_LIB_OAuthToken $token
*/
public function sign_request( $signature_method, $consumer, $token = null ) {
$this->set_parameter( 'oauth_signature_method', $signature_method->get_name() );
$signature = $this->build_signature( $signature_method, $consumer, $token );
$this->set_parameter( 'oauth_signature', $signature );
}
/**
* @param ET_Core_LIB_OAuthSignatureMethod $signatureMethod
* @param ET_Core_LIB_OAuthConsumer $consumer
* @param ET_Core_LIB_OAuthToken $token
*
* @return string
*/
public function build_signature( $signatureMethod, $consumer, $token = null ) {
return $signatureMethod->build_signature( $this, $consumer, $token );
}
/**
* @return string
*/
public static function generate_nonce() {
return md5( microtime() . mt_rand() );
}
}