dcovington
/
KCI-CAMPAIGN-TRACKER
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
1 Revize
1 Větev
177KB
Strom: af50885a19
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „af50885a19“
${ noResults }
KCI-CAMPAIGN-TRACKER/core/Auth/KeycloakAuth.php

196 řádky
7.3KB
Surový Blame Historie 

  1. <?php

  2. 

  3. declare(strict_types=1);

  4. 

  5. namespace Core\Auth;

  6. 

  7. use Core\Http\Session;

  8. use Stevenmaguire\OAuth2\Client\Provider\Keycloak;

  9. 

  10. class KeycloakAuth

  11. {

  12.     private Session $session;

  13.     private PermissionService $permissions;

  14.     private ?Keycloak $provider = null;

  15. 

  16.     /** Keycloak service-account roles to exclude from the app role list. */

  17.     private const SYSTEM_ROLES = ['uma_authorization', 'offline_access', 'account', 'view-profile', 'manage-account', 'manage-account-links'];

  18. 

  19.     public function __construct(Session $session, PermissionService $permissions)

  20.     {

  21.         $this->session     = $session;

  22.         $this->permissions = $permissions;

  23.     }

  24. 

  25.     // ── Auth state ────────────────────────────────────────────────────────────

  26. 

  27.     public function check(): bool

  28.     {

  29.         return ($this->session->get('auth', [])['is_authenticated'] ?? false) === true;

  30.     }

  31. 

  32.     public function user(): ?AuthUser

  33.     {

  34.         return $this->check() ? AuthUser::fromSession($this->session->get('auth', [])) : null;

  35.     }

  36. 

  37.     public function id(): ?string

  38.     {

  39.         return $this->user()?->keycloakId;

  40.     }

  41. 

  42.     public function roles(): array

  43.     {

  44.         return $this->user()?->roles ?? [];

  45.     }

  46. 

  47.     public function permissions(): array

  48.     {

  49.         return $this->user()?->permissions ?? [];

  50.     }

  51. 

  52.     public function hasRole(string $role): bool

  53.     {

  54.         return in_array($role, $this->roles(), true);

  55.     }

  56. 

  57.     public function can(string $permission): bool

  58.     {

  59.         return in_array($permission, $this->permissions(), true);

  60.     }

  61. 

  62.     // ── Login flow ────────────────────────────────────────────────────────────

  63. 

  64.     /**

  65.      * Build the Keycloak authorization URL and store the state for CSRF validation.

  66.      */

  67.     public function beginLogin(): string

  68.     {

  69.         $provider = $this->getProvider();

  70. 

  71.         $authUrl = $provider->getAuthorizationUrl([

  72.             'scope' => 'openid email profile',

  73.         ]);

  74. 

  75.         $this->session->set('oauth_state', $provider->getState());

  76. 

  77.         return $authUrl;

  78.     }

  79. 

  80.     /**

  81.      * Exchange the authorization code for tokens, populate the session.

  82.      *

  83.      * @throws \RuntimeException on state mismatch or token exchange failure

  84.      */

  85.     public function handleCallback(string $code, string $returnedState): void

  86.     {

  87.         $storedState = $this->session->get('oauth_state');

  88.         $this->session->forget('oauth_state');

  89. 

  90.         if ($storedState === null || !hash_equals((string) $storedState, $returnedState)) {

  91.             throw new \RuntimeException('OAuth state mismatch — possible CSRF attempt.');

  92.         }

  93. 

  94.         $provider = $this->getProvider();

  95.         $token    = $provider->getAccessToken('authorization_code', ['code' => $code]);

  96. 

  97.         // Decode the access-token JWT to extract realm/client role claims.

  98.         // Signature verification is not needed here: the token arrived directly

  99.         // from Keycloak over an authenticated server-to-server HTTPS exchange.

  100.         $accessClaims = $this->decodeJwtPayload($token->getToken());

  101.         $idTokenRaw   = (string) ($token->getValues()['id_token'] ?? '');

  102. 

  103.         $realmRoles  = (array) ($accessClaims['realm_access']['roles'] ?? []);

  104.         $clientId    = (string) env('KEYCLOAK_CLIENT_ID', '');

  105.         $clientRoles = (array) ($accessClaims['resource_access'][$clientId]['roles'] ?? []);

  106. 

  107.         $appRoles = array_values(array_filter(

  108.             array_unique(array_merge($realmRoles, $clientRoles)),

  109.             static fn(string $r): bool => !in_array($r, self::SYSTEM_ROLES, true)

  110.         ));

  111. 

  112.         // Fetch the user-profile claims from the userinfo endpoint.

  113.         $ownerData   = $provider->getResourceOwner($token)->toArray();

  114.         $displayName = trim(($ownerData['given_name'] ?? '') . ' ' . ($ownerData['family_name'] ?? ''));

  115. 

  116.         if ($displayName === '') {

  117.             $displayName = (string) ($ownerData['preferred_username'] ?? $ownerData['sub'] ?? '');

  118.         }

  119. 

  120.         // Prevent session fixation: regenerate ID before writing auth data.

  121.         $this->session->regenerate();

  122. 

  123.         $this->session->set('auth', [

  124.             'is_authenticated' => true,

  125.             'user' => [

  126.                 'keycloak_id'  => (string) ($ownerData['sub']                ?? $accessClaims['sub'] ?? ''),

  127.                 'username'     => (string) ($ownerData['preferred_username'] ?? ''),

  128.                 'email'        => (string) ($ownerData['email']              ?? ''),

  129.                 'display_name' => $displayName,

  130.                 'roles'        => $appRoles,

  131.                 'permissions'  => $this->permissions->permissionsForRoles($appRoles),

  132.             ],

  133.             // id_token is stored solely to support Keycloak RP-initiated logout

  134.             // (id_token_hint parameter). It is never used to derive identity or

  135.             // resolve permissions. Do not pass it to the browser or log it.

  136.             'id_token'                => $idTokenRaw !== '' ? $idTokenRaw : null,

  137.             'login_time'              => time(),

  138.             'last_permission_refresh' => time(),

  139.         ]);

  140.     }

  141. 

  142.     // ── Logout ────────────────────────────────────────────────────────────────

  143. 

  144.     /**

  145.      * Destroy the local session and return the Keycloak RP-initiated logout URL.

  146.      */

  147.     public function logout(): string

  148.     {

  149.         $idToken      = $this->session->get('auth')['id_token'] ?? null;

  150.         $redirectUri  = (string) env('KEYCLOAK_LOGOUT_REDIRECT_URI', '/');

  151.         $base         = rtrim((string) env('KEYCLOAK_BASE_URL', ''), '/');

  152.         $realm        = (string) env('KEYCLOAK_REALM', '');

  153. 

  154.         $this->session->destroy();

  155. 

  156.         $params = ['post_logout_redirect_uri' => $redirectUri];

  157. 

  158.         if ($idToken !== null) {

  159.             $params['id_token_hint'] = $idToken;

  160.         }

  161. 

  162.         return "{$base}/realms/{$realm}/protocol/openid-connect/logout?" . http_build_query($params);

  163.     }

  164. 

  165.     // ── Internal ──────────────────────────────────────────────────────────────

  166. 

  167.     private function getProvider(): Keycloak

  168.     {

  169.         if ($this->provider === null) {

  170.             $this->provider = new Keycloak([

  171.                 'authServerUrl' => rtrim((string) env('KEYCLOAK_BASE_URL', ''), '/'),

  172.                 'realm'         => (string) env('KEYCLOAK_REALM', ''),

  173.                 'clientId'      => (string) env('KEYCLOAK_CLIENT_ID', ''),

  174.                 'clientSecret'  => (string) env('KEYCLOAK_CLIENT_SECRET', ''),

  175.                 'redirectUri'   => (string) env('KEYCLOAK_REDIRECT_URI', ''),

  176.             ]);

  177.         }

  178. 

  179.         return $this->provider;

  180.     }

  181. 

  182.     private function decodeJwtPayload(string $jwt): array

  183.     {

  184.         $parts = explode('.', $jwt);

  185. 

  186.         if (count($parts) !== 3) {

  187.             return [];

  188.         }

  189. 

  190.         $padded  = str_pad(strtr($parts[1], '-_', '+/'), (int) ceil(strlen($parts[1]) / 4) * 4, '=');

  191.         $decoded = base64_decode($padded, true);

  192. 

  193.         return $decoded !== false ? (json_decode($decoded, true) ?? []) : [];

  194.     }

  195. }

Powered by TurnKey Linux.