diff --git a/classes/JWKSHandler.php b/classes/JWKSHandler.php index 4c2ca9b645ba17b53bc51f32c717a060adda1af0..feffd906d1ac26d6c27e3ae528ffcf8461773efb 100644 --- a/classes/JWKSHandler.php +++ b/classes/JWKSHandler.php @@ -5,7 +5,7 @@ namespace RAP; use phpseclib\Crypt\RSA; /** - * Manages the JWT Key Sets (currently only RSA . + * Manages the JWT Key Sets (currently only RSA). */ class JWKSHandler { diff --git a/classes/UserSearchResult.php b/classes/UserSearchResult.php deleted file mode 100644 index c1d49d90c8284a12229685fddb6ba6e704b10f86..0000000000000000000000000000000000000000 --- a/classes/UserSearchResult.php +++ /dev/null @@ -1,88 +0,0 @@ -user = $user; - - $nameAndSurname = null; - $email = null; - $identityTypes = []; - foreach ($user->identities as $identity) { - array_push($identityTypes, $identity->getUIType()); - if ($nameAndSurname === null && $identity->name !== null && $identity->surname !== null) { - $nameAndSurname = $identity->name . ' ' . $identity->surname; - } - if ($email === null) { - $email = $identity->email; - } - } - - // Building display text string - $displayText = ""; - - if ($nameAndSurname !== null) { - $displayText .= $nameAndSurname; - } else { - $displayText .= $email; - } - - $displayText .= ' ('; - $firstIdentity = true; - foreach ($identityTypes as $type) { - if (!$firstIdentity) { - $displayText .= '+'; - } - $displayText .= $type; - $firstIdentity = false; - } - $displayText .= ')'; - - $usr->userDisplayText = $displayText; - - return $usr; - } - - public function getUser() { - return $this->user; - } - -} diff --git a/classes/Util.php b/classes/Util.php deleted file mode 100644 index 4879b9b08d3005625644a1736b2202b030093860..0000000000000000000000000000000000000000 --- a/classes/Util.php +++ /dev/null @@ -1,40 +0,0 @@ -getDBHandler(); // Load clients info - $queryClient = "SELECT id, title, icon, client, secret, redirect_url, scope FROM oauth2_client"; + $queryClient = "SELECT id, title, icon, client, secret, redirect_url, scope, home_page, show_in_home FROM oauth2_client"; $stmtClients = $dbh->prepare($queryClient); $stmtClients->execute(); @@ -27,6 +27,8 @@ class MySQLOAuth2ClientDAO extends BaseMySQLDAO implements OAuth2ClientDAO { $client->secret = $row['secret']; $client->redirectUrl = $row['redirect_url']; $client->scope = $row['scope']; + $client->homePage = $row['home_page']; + $client->showInHome = boolval($row['show_in_home']); $clientsMap[$client->id] = $client; } @@ -49,14 +51,14 @@ class MySQLOAuth2ClientDAO extends BaseMySQLDAO implements OAuth2ClientDAO { return $clients; } - function createOAuth2Client($client): OAuth2Client { + function createOAuth2Client(OAuth2Client $client): OAuth2Client { $dbh = $this->getDBHandler(); try { $dbh->beginTransaction(); - $stmt = $dbh->prepare("INSERT INTO `oauth2_client`(`title`, `icon`, `client`, `secret`, `redirect_url`, `scope`)" - . " VALUES(:title, :icon, :client, :secret, :redirect_url, :scope)"); + $stmt = $dbh->prepare("INSERT INTO `oauth2_client`(`title`, `icon`, `client`, `secret`, `redirect_url`, `scope`, home_page, show_in_home)" + . " VALUES(:title, :icon, :client, :secret, :redirect_url, :scope, :home_page, :show_in_home)"); $stmt->bindParam(':title', $client->title); $stmt->bindParam(':icon', $client->icon); @@ -64,6 +66,8 @@ class MySQLOAuth2ClientDAO extends BaseMySQLDAO implements OAuth2ClientDAO { $stmt->bindParam(':secret', $client->secret); $stmt->bindParam(':redirect_url', $client->redirectUrl); $stmt->bindParam(':scope', $client->scope); + $stmt->bindParam(':home_page', $client->homePage); + $stmt->bindParam(':show_in_home', $client->showInHome, \PDO::PARAM_INT); $stmt->execute(); @@ -88,14 +92,15 @@ class MySQLOAuth2ClientDAO extends BaseMySQLDAO implements OAuth2ClientDAO { return $client; } - function updateOAuth2Client($client): OAuth2Client { + function updateOAuth2Client(OAuth2Client $client): OAuth2Client { $dbh = $this->getDBHandler(); try { $dbh->beginTransaction(); $stmt = $dbh->prepare("UPDATE `oauth2_client` SET `title` = :title, `icon` = :icon, " - . " `client` = :client, `secret` = :secret, `redirect_url` = :redirect_url, `scope` = :scope " + . " `client` = :client, `secret` = :secret, `redirect_url` = :redirect_url, `scope` = :scope, " + . " `home_page` = :home_page, `show_in_home` = :show_in_home" . " WHERE id = :id"); $stmt->bindParam(':title', $client->title); @@ -104,6 +109,8 @@ class MySQLOAuth2ClientDAO extends BaseMySQLDAO implements OAuth2ClientDAO { $stmt->bindParam(':secret', $client->secret); $stmt->bindParam(':redirect_url', $client->redirectUrl); $stmt->bindParam(':scope', $client->scope); + $stmt->bindParam(':home_page', $client->homePage); + $stmt->bindParam(':show_in_home', $client->showInHome, \PDO::PARAM_INT); $stmt->bindParam(':id', $client->id); $stmt->execute(); @@ -158,7 +165,7 @@ class MySQLOAuth2ClientDAO extends BaseMySQLDAO implements OAuth2ClientDAO { $dbh = $this->getDBHandler(); // Load clients info - $queryClient = "SELECT id, title, icon, client, secret, redirect_url, scope FROM oauth2_client WHERE client = :client"; + $queryClient = "SELECT id, title, icon, client, secret, redirect_url, scope, home_page, show_in_home FROM oauth2_client WHERE client = :client"; $stmtClient = $dbh->prepare($queryClient); $stmtClient->bindParam(':client', $clientId); $stmtClient->execute(); @@ -182,6 +189,8 @@ class MySQLOAuth2ClientDAO extends BaseMySQLDAO implements OAuth2ClientDAO { $client->secret = $row['secret']; $client->redirectUrl = $row['redirect_url']; $client->scope = $row['scope']; + $client->homePage = $row['home_page']; + $client->showInHome = $row['show_in_home']; // Load authentication methods info $queryAuthNMethods = "SELECT auth_method FROM oauth2_client_auth_methods WHERE client_id = :id"; diff --git a/classes/datalayer/mysql/MySQLUserDAO.php b/classes/datalayer/mysql/MySQLUserDAO.php index cc1adaa0fd3aacee871859c5eb4516e333cbdb04..14f8c0d283e118c7046821c260c7375f2a8fcbdf 100644 --- a/classes/datalayer/mysql/MySQLUserDAO.php +++ b/classes/datalayer/mysql/MySQLUserDAO.php @@ -266,4 +266,19 @@ class MySQLUserDAO extends BaseMySQLDAO implements UserDAO { } } + function isAdmin($userId): bool { + + $dbh = $this->getDBHandler(); + + $query = "SELECT user_id FROM rap_permissions WHERE permission = 'ADMIN' AND user_id = :userId"; + + $stmt = $dbh->prepare($query); + $stmt->bindParam(':userId', $userId); + $stmt->execute(); + + $result = $stmt->fetchAll(); + + return count($result) === 1; + } + } diff --git a/classes/model/InternalClient.php b/classes/model/InternalClient.php index 36a81aa85f08e73f0844591ace4ae368964afc65..f91f7d0077244fca781c50469a6dcdbdc64e66d6 100644 --- a/classes/model/InternalClient.php +++ b/classes/model/InternalClient.php @@ -2,6 +2,10 @@ namespace RAP; +/** + * Represents a client that connects to parts of RAP itself (e.g. Account Manager). + * It doesn't use OAuth2, instead stores data directly into the PHP session. + */ class InternalClient extends RAPClient { public $action; diff --git a/classes/model/OAuth2Client.php b/classes/model/OAuth2Client.php index ba6f43f851a8f0732b3c690cba3571a54b36cbe7..254fefed6efde4f8d78f921a79ae5257a59323ae 100644 --- a/classes/model/OAuth2Client.php +++ b/classes/model/OAuth2Client.php @@ -34,6 +34,8 @@ class OAuth2Client extends RAPClient { public $secret; public $redirectUrl; public $scope; + public $homePage; + public $showInHome; public function getIconBasePath() { return 'client-icons/'; diff --git a/include/admin.php b/include/admin.php index 2c344df4e6de47016091e119e7b7e88d06ef3647..3e3b7fafade74e09d1f090f98b17811460ff1711 100644 --- a/include/admin.php +++ b/include/admin.php @@ -16,7 +16,10 @@ function checkUser() { die("You must be registered to perform this action"); } - // TODO: check is admin + $dao = $locator->getUserDAO(); + if (!$dao->isAdmin($session->getUser()->id)) { + die("You must be an admin to perform this action"); + } } Flight::route('GET /admin', function() { @@ -94,6 +97,8 @@ function buildOAuth2ClientFromData() { $client->secret = $data['secret']; $client->redirectUrl = $data['redirectUrl']; $client->scope = $data['scope']; + $client->homePage = $data['homePage']; + $client->showInHome = $data['showInHome']; } if (isset($data['authMethods'])) { foreach ($data['authMethods'] as $method) { diff --git a/include/front-controller.php b/include/front-controller.php index 90a9da3af63c52dd2c07dae286e0b3a39bd8b779..fc172e27eebb57d8445a0ad556654a4814605924 100644 --- a/include/front-controller.php +++ b/include/front-controller.php @@ -56,8 +56,10 @@ Flight::route('/', function() { break; default: session_destroy(); + $clients = $locator->getOAuth2ClientDAO()->getOAuth2Clients(); Flight::render('services-list.php', array('title' => 'RAP', 'version' => $locator->getVersion(), + 'clients' => $clients, 'action' => $locator->getBasePath() . '/')); break; } @@ -308,11 +310,14 @@ Flight::route('GET /account', function () { session_start(); global $locator; - if ($locator->getSession()->getUser() === null) { + $user = $locator->getSession()->getUser(); + if ($user === null) { Flight::redirect('/'); } else { + $admin = $locator->getUserDAO()->isAdmin($user->id); Flight::render('account-management.php', array('title' => 'RAP Account Management', 'version' => $locator->getVersion(), 'session' => $locator->getSession(), + 'admin' => $admin, 'contextRoot' => $locator->config->contextRoot)); } }); diff --git a/js/admin.js b/js/admin.js index fd34841bdcbdf9432db04207a2d7bb23ff1f168b..d07d56d68abcf2289a87b6b2596b925b886032fa 100644 --- a/js/admin.js +++ b/js/admin.js @@ -54,6 +54,8 @@ secret: null, redirectUrl: null, scope: null, + homePage: null, + showInHome: false, authMethods: {}, edit: true }; diff --git a/sql/setup-database.sql b/sql/setup-database.sql index f561c33d17affd003e7698451a6573c086986e05..af10551eb6282a8ef44a99598693c718b373d2f2 100644 --- a/sql/setup-database.sql +++ b/sql/setup-database.sql @@ -6,6 +6,8 @@ CREATE TABLE `oauth2_client` ( `secret` varchar(255) NOT NULL, `redirect_url` text NOT NULL, `scope` varchar(255) NOT NULL, + `home_page` varchar(255), + `show_in_home` boolean DEFAULT FALSE, PRIMARY KEY (`id`), UNIQUE(client) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; @@ -64,6 +66,12 @@ CREATE TABLE `rsa_keypairs` ( PRIMARY KEY (`id`) ); +CREATE TABLE `rap_permissions` ( + `user_id` bigint NOT NULL, + `permission` varchar(255) NOT NULL, + PRIMARY KEY (`user_id`, `permission`) +); + CREATE EVENT login_tokens_cleanup ON SCHEDULE EVERY 1 MINUTE diff --git a/views/account-management.php b/views/account-management.php index 372bab592caf6e4a522542b1fbf259cf342d81d4..5cb798c9a1285bccc9cb2f7bb5a7f5ab968029fa 100644 --- a/views/account-management.php +++ b/views/account-management.php @@ -25,6 +25,15 @@ include 'include/header.php';
Logout
+ +
+

+ + + Admin + +
+ Add client -

OAuth2 clients

+

OAuth2/OIDC clients


@@ -39,6 +39,7 @@ include 'include/header.php';

{{client.icon}}

+
@@ -69,6 +70,26 @@ include 'include/header.php';
+
+ +
+

{{client.homePage}}

+ +
+
+
+ +
+

+ +

+
+ +
+
+
diff --git a/views/services-list.php b/views/services-list.php index bc441d1b58de1d346b41defcf4591ce24f6e872b..5929fd778417a487bec07c55f2e284f54e1bcc40 100644 --- a/views/services-list.php +++ b/views/services-list.php @@ -1,37 +1,27 @@

Please choose the service where you want to login: