Implementing extensions presenter that handles 3rd party tools handshake and authentication.

Author: krulis-martin

app/V1Module/presenters/EmailsPresenter.php

@@ -14,7 +14,6 @@
 
 class EmailsPresenter extends BasePresenter
 {
-
     /**
      * @var EmailLocalizationHelper
      * @inject
@@ -57,7 +56,8 @@ public function checkDefault()
      * Sends an email with provided subject and message to all ReCodEx users.
      * @POST
      * @Param(type="post", name="subject", validation="string:1..", description="Subject for the soon to be sent email")
-     * @Param(type="post", name="message", validation="string:1..", description="Message which will be sent, can be html code")
+     * @Param(type="post", name="message", validation="string:1..",
+     *        description="Message which will be sent, can be html code")
      */
     public function actionDefault()
     {
@@ -87,7 +87,8 @@ public function checkSendToSupervisors()
      * Sends an email with provided subject and message to all supervisors and superadmins.
      * @POST
      * @Param(type="post", name="subject", validation="string:1..", description="Subject for the soon to be sent email")
-     * @Param(type="post", name="message", validation="string:1..", description="Message which will be sent, can be html code")
+     * @Param(type="post", name="message", validation="string:1..",
+     *        description="Message which will be sent, can be html code")
      */
     public function actionSendToSupervisors()
     {
@@ -123,7 +124,8 @@ public function checkSendToRegularUsers()
      * Sends an email with provided subject and message to all regular users.
      * @POST
      * @Param(type="post", name="subject", validation="string:1..", description="Subject for the soon to be sent email")
-     * @Param(type="post", name="message", validation="string:1..", description="Message which will be sent, can be html code")
+     * @Param(type="post", name="message", validation="string:1..",
+     *        description="Message which will be sent, can be html code")
      */
     public function actionSendToRegularUsers()
     {

app/V1Module/presenters/ExtensionsPresenter.php

@@ -0,0 +1,135 @@
+<?php
+
+namespace App\V1Module\Presenters;
+
+use App\Exceptions\ForbiddenRequestException;
+use App\Exceptions\BadRequestException;
+use App\Model\Repository\Instances;
+use App\Model\Repository\Users;
+use App\Model\View\UserViewFactory;
+use App\Helpers\Extensions;
+use App\Security\AccessManager;
+use App\Security\TokenScope;
+
+/**
+ * Endpoints handling 3rd party extensions communication.
+ */
+class ExtensionsPresenter extends BasePresenter
+{
+    /**
+     * @var Extensions
+     * @inject
+     */
+    public $extensions;
+
+    /**
+     * @var Instances
+     * @inject
+     */
+    public $instances;
+
+    /**
+     * @var Users
+     * @inject
+     */
+    public $users;
+
+    /**
+     * @var AccessManager
+     * @inject
+     */
+    public $accessManager;
+
+    /**
+     * @var UserViewFactory
+     * @inject
+     */
+    public $userViewFactory;
+
+    public function checkUrl(string $extId, string $instanceId)
+    {
+        $user = $this->getCurrentUser();
+        $extension = $this->extensions->getExtension($extId);
+        $instance = $this->instances->findOrThrow($instanceId);
+        if (!$extension || !$extension->isAccessible($instance, $user)) {
+            throw new ForbiddenRequestException();
+        }
+    }
+
+    /**
+     * Return URL refering to the extension with properly injected temporary JWT token.
+     * @GET
+     * @Param(type="query", name="locale", required=false, validation="string:2")
+     */
+    public function actionUrl(string $extId, string $instanceId, ?string $locale)
+    {
+        $user = $this->getCurrentUser();
+        $extension = $this->extensions->getExtension($extId);
+
+        $token = $this->accessManager->issueToken(
+            $user,
+            null,
+            [TokenScope::EXTENSIONS],
+            $extension->getUrlTokenExpiration(),
+            ["instance" => $instanceId, "extension" => $extId]
+        );
+
+        if (!$locale) {
+            $locale = $this->getCurrentUserLocale();
+        }
+
+        $this->sendSuccessResponse($extension->getUrl($token, $locale));
+    }
+
+    public function checkToken(string $extId)
+    {
+        /*
+         * This checker does not employ traditional ACLs for permission checks since it is trvial and it is better
+         * to keep everything here (in one place). However, this may change in the future should the presenter get
+         * more complex.
+         * This action expects to be authenticated by temporary token generated in 'url' action.
+         */
+
+        // All users within this scope are allowed the operation...
+        $this->isInScope(TokenScope::EXTENSIONS);
+
+        // ...but the token must be also valid...
+        $token = $this->getAccessToken();
+        $instanceId = $token->getPayload('instance');
+        if ($token->getPayload('extension') !== $extId || !$instanceId) {
+            throw new BadRequestException();
+        }
+
+        // ...and the extension must be accessible by the user.
+        $user = $this->getCurrentUser();
+        $extension = $this->extensions->getExtension($extId);
+        $instance = $this->instances->findOrThrow($instanceId);
+        if (!$extension || !$extension->isAccessible($instance, $user)) {
+            throw new ForbiddenRequestException();
+        }
+    }
+
+    /**
+     * This endpoint is used by a backend of an extension to get a proper access token
+     * (from a temp token passed via URL). It also returns details about authenticated user.
+     * @POST
+     */
+    public function actionToken(string $extId)
+    {
+        $user = $this->getCurrentUser();
+        $extension = $this->extensions->getExtension($extId);
+        $authUser = $extension->getTokenUserId() ? $this->users->findOrThrow($extension->getTokenUserId()) : $user;
+
+        $token = $this->accessManager->issueToken(
+            $authUser,
+            null,
+            $extension->getTokenScopes(),
+            $extension->getTokenExpiration(),
+        );
+
+        $this->sendSuccessResponse([
+            "accessToken" => $token,
+            "user" => $this->userViewFactory->getFullUser($user, false /* do not show really everything */),
+        ]);
+    }
+}

app/V1Module/presenters/InstancesPresenter.php

@@ -4,9 +4,7 @@
 
 use App\Exceptions\ForbiddenRequestException;
 use App\Exceptions\NotFoundException;
-use App\Model\Entity\Group;
 use App\Model\Entity\LocalizedGroup;
-use App\Model\Entity\User;
 use App\Model\View\GroupViewFactory;
 use App\Model\View\InstanceViewFactory;
 use App\Model\View\UserViewFactory;

app/V1Module/presenters/LoginPresenter.php

@@ -15,7 +15,6 @@
 use App\Model\Repository\SecurityEvents;
 use App\Model\Repository\Users;
 use App\Model\View\UserViewFactory;
-use App\Security\AccessToken;
 use App\Security\AccessManager;
 use App\Security\ACL\IUserPermissions;
 use App\Security\CredentialsAuthenticator;
@@ -257,7 +256,7 @@ public function actionIssueRestrictedToken()
         $this->sendSuccessResponse(
             [
                 "accessToken" => $this->accessManager->issueToken($user, $effectiveRole, $scopes, $expiration),
-                "user" => $this->userViewFactory->getFullUser($user)
+                "user" => $this->userViewFactory->getFullUser($user),
             ]
         );
     }

app/V1Module/presenters/base/BasePresenter.php

@@ -137,19 +137,26 @@ protected function isRequestJson(): bool
     }
 
     /**
-     * @return User
-     * @throws ForbiddenRequestException
+     * @return User|null (null if no user is authenticated)
      */
-    protected function getCurrentUser(): User
+    protected function getCurrentUserOrNull(): ?User
     {
         /** @var ?Identity $identity */
         $identity = $this->getUser()->getIdentity();
+        return $identity?->getUserData();
+    }
 
-        if ($identity === null || $identity->getUserData() === null) {
+    /**
+     * @return User
+     * @throws ForbiddenRequestException
+     */
+    protected function getCurrentUser(): User
+    {
+        $user = $this->getCurrentUserOrNull();
+        if ($user === null) {
             throw new ForbiddenRequestException();
         }
-
-        return $identity->getUserData();
+        return $user;
     }
 
     /**

app/V1Module/router/RouterFactory.php

@@ -58,6 +58,7 @@ public static function createRouter()
         $router[] = self::createWorkerFilesRoutes("$prefix/worker-files");
         $router[] = self::createAsyncJobsRoutes("$prefix/async-jobs");
         $router[] = self::createPlagiarismRoutes("$prefix/plagiarism");
+        $router[] = self::createExtensionsRoutes("$prefix/extensions");
 
         return $router;
     }
@@ -664,4 +665,12 @@ private static function createPlagiarismRoutes(string $prefix): RouteList
         $router[] = new PostRoute("$prefix/<id>/<solutionId>", "Plagiarism:addSimilarities");
         return $router;
     }
+
+    private static function createExtensionsRoutes(string $prefix): RouteList
+    {
+        $router = new RouteList();
+        $router[] = new GetRoute("$prefix/<extId>/<instanceId>", "Extensions:url");
+        $router[] = new PostRoute("$prefix/<extId>", "Extensions:token");
+        return $router;
+    }
 }

app/V1Module/security/TokenScope.php

@@ -56,4 +56,9 @@ class TokenScope
      * Usually used in combination with other scopes. Allows refreshing the token.
      */
     public const REFRESH = "refresh";
+
+    /**
+     * Scope for handling handshake and auth-exchange with 3rd party extensions. Temp tokens must use this scope.
+     */
+    public const EXTENSIONS = "extensions";
 }

app/config/config.local.neon.example

@@ -81,7 +81,9 @@ parameters:
         cs: "Český popisek"
         en: "English Caption"
       url: "https://extetrnal.domain.com/recodex/extension?token={token}&locale={locale}"  # '{token}' and '{locale}' are placeholders
+      urlTokenExpiration: 60  # [s] how long a temporary url token lasts
       token:  # generated from tmp tokens passed via URL so the ext. tool can access ReCodEx API
+        expiration: 86400  # [s] how long a full token lasts
         scopes: [ 'master', 'refresh' ]  # list of scopes for generated tokens (to be used by the extension)
         user: null  # user override (ID) for generating tokens (if null, the token will be generated for logged-in user)
       instances: []  # array of instances where this extension is enabled (empty array = all)

app/helpers/Emails/EmailVerificationHelper/EmailVerificationHelper.php

@@ -12,7 +12,6 @@
 use App\Helpers\WebappLinks;
 use App\Security\TokenScope;
 use Exception;
-use Latte;
 use Nette\Utils\Arrays;
 use App\Model\Entity\User;
 use App\Security\AccessToken;

app/helpers/Extensions/ExtensionConfig.php

@@ -34,6 +34,16 @@ class ExtensionConfig
      */
     private string $url;
 
+    /**
+     * Expiration time (in seconds) for temporary tokens.
+     */
+    private int $urlTokenExpiration;
+
+    /**
+     * Expiration time (in seconds) for full tokens.
+     */
+    private int $tokenExpiration;
+
     /**
      * List of scopes that will be set to (full) access tokens generated after tmp-token verification.
      * @var string[]
@@ -81,6 +91,8 @@ public function __construct(array $config)
         }
 
         $this->url = Arrays::get($config, "url");
+        $this->urlTokenExpiration = Arrays::get($config, "urlTokenExpiration", 60);
+        $this->tokenExpiration = Arrays::get($config, ["token", "expiration"], 86400 /* one day */);
         $this->tokenScopes = Arrays::get(
             $config,
             ["token", "scopes"],
@@ -97,6 +109,9 @@ public function getId(): string
         return $this->id;
     }
 
+    /**
+     * @return string|array Either a universal caption or an array [ locale => localized-caption ]
+     */
     public function getCaption(): string|array
     {
         return $this->caption;
@@ -116,6 +131,39 @@ public function getUrl(string $token, string $locale): string
         return $url;
     }
 
+    /**
+     * @return int expiration in seconds
+     */
+    public function getUrlTokenExpiration(): int
+    {
+        return $this->urlTokenExpiration;
+    }
+
+    /**
+     * @return int expiration in seconds
+     */
+    public function getTokenExpiration(): int
+    {
+        return $this->tokenExpiration;
+    }
+
+    /**
+     * @return string[] list of scopes assigned to a full token
+     */
+    public function getTokenScopes(): array
+    {
+        return $this->tokenScopes;
+    }
+
+    /**
+     * Get ID of a user who should be used as an authority for full tokens.
+     * @return string|null either user ID (for auth override) or null (current user)
+     */
+    public function getTokenUserId(): ?string
+    {
+        return $this->tokenUserId;
+    }
+
     /**
      * Check whether this extension is accessible by given user in given instance.
      * @param Instance $instance