From e8b6d7c946da5fb2ce5397bccfd332de8ca1f9dd Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Tue, 19 Oct 2010 20:54:53 -0700 Subject: [PATCH] Add support for an anonymous OAuth consumer. Note: this requires a small DB tweak. Oauth_application_user needs to have the primary compound key: (profile_id, application_id, token). http://status.net/open-source/issues/2761 This should also make it possible to have multiple access tokens per application. http://status.net/open-source/issues/2788 --- actions/apioauthaccesstoken.php | 4 +- actions/apioauthauthorize.php | 15 -- actions/apistatusesupdate.php | 1 - actions/oauthconnectionssettings.php | 95 +++++----- classes/Oauth_application_user.php | 41 ++++- classes/Profile.php | 10 +- classes/statusnet.ini | 3 +- db/statusnet.sql | 4 +- lib/apiauth.php | 4 +- lib/apioauthstore.php | 53 ++++-- lib/applicationlist.php | 250 +++++++++++++++++++++------ 11 files changed, 338 insertions(+), 142 deletions(-) diff --git a/actions/apioauthaccesstoken.php b/actions/apioauthaccesstoken.php index 6b36d1919e..21e0049cec 100644 --- a/actions/apioauthaccesstoken.php +++ b/actions/apioauthaccesstoken.php @@ -81,7 +81,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction $app = $datastore->getAppByRequestToken($this->reqToken); $atok = $server->fetch_access_token($req); - } catch (OAuthException $e) { + } catch (Exception $e) { common_log(LOG_WARNING, 'API OAuthException - ' . $e->getMessage()); common_debug(var_export($req, true)); $code = $e->getCode(); @@ -99,7 +99,7 @@ class ApiOauthAccessTokenAction extends ApiOauthAction $this->verifier ); - common_log(LOG_WARNIGN, $msg); + common_log(LOG_WARNING, $msg); $this->clientError(_("Invalid request token or verifier.", 400, 'text')); } else { diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php index eb1000e252..01cbca18f7 100644 --- a/actions/apioauthauthorize.php +++ b/actions/apioauthauthorize.php @@ -177,21 +177,6 @@ class ApiOauthAuthorizeAction extends Action $this->serverError($e->getMessage()); } - // Check to see if there was a previous token associated - // with this user/app and kill it. If the user is doing this she - // probably doesn't want any old tokens anyway. - - $appUser = Oauth_application_user::getByKeys($user, $this->app); - - if (!empty($appUser)) { - $result = $appUser->delete(); - - if (!$result) { - common_log_db_error($appUser, 'DELETE', __FILE__); - $this->serverError(_('Database error deleting OAuth application user.')); - } - } - // associated the authorized req token with the user and the app $appUser = new Oauth_application_user(); diff --git a/actions/apistatusesupdate.php b/actions/apistatusesupdate.php index 4715f70027..91dcdd10fc 100644 --- a/actions/apistatusesupdate.php +++ b/actions/apistatusesupdate.php @@ -150,7 +150,6 @@ require_once INSTALLDIR . '/lib/mediafile.php'; class ApiStatusesUpdateAction extends ApiAuthAction { - var $source = null; var $status = null; var $in_reply_to_status_id = null; var $lat = null; diff --git a/actions/oauthconnectionssettings.php b/actions/oauthconnectionssettings.php index 1fa70662fc..72624de84d 100644 --- a/actions/oauthconnectionssettings.php +++ b/actions/oauthconnectionssettings.php @@ -22,7 +22,7 @@ * @category Settings * @package StatusNet * @author Zach Copley - * @copyright 2008-2009 StatusNet, Inc. + * @copyright 2008-2010 StatusNet, Inc. * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ @@ -50,13 +50,13 @@ require_once INSTALLDIR . '/lib/apioauthstore.php'; class OauthconnectionssettingsAction extends ConnectSettingsAction { - var $page = null; - var $id = null; + var $page = null; + var $oauth_token = null; function prepare($args) { parent::prepare($args); - $this->id = (int)$this->arg('id'); + $this->oauth_token = $this->arg('oauth_token'); $this->page = ($this->arg('page')) ? ($this->arg('page') + 0) : 1; return true; } @@ -80,7 +80,7 @@ class OauthconnectionssettingsAction extends ConnectSettingsAction function getInstructions() { - return _('You have allowed the following applications to access your account.'); + return _('The following connections exist for your account.'); } /** @@ -97,22 +97,26 @@ class OauthconnectionssettingsAction extends ConnectSettingsAction $offset = ($this->page - 1) * APPS_PER_PAGE; $limit = APPS_PER_PAGE + 1; - $application = $profile->getApplications($offset, $limit); + $connection = $profile->getConnectedApps($offset, $limit); $cnt = 0; - if (!empty($application)) { - $al = new ApplicationList($application, $user, $this, true); - $cnt = $al->show(); + if (!empty($connection)) { + $cal = new ConnectedAppsList($connection, $user, $this); + $cnt = $cal->show(); } if ($cnt == 0) { $this->showEmptyListMessage(); } - $this->pagination($this->page > 1, $cnt > APPS_PER_PAGE, - $this->page, 'connectionssettings', - array('nickname' => $user->nickname)); + $this->pagination( + $this->page > 1, + $cnt > APPS_PER_PAGE, + $this->page, + 'connectionssettings', + array('nickname' => $user->nickname) + ); } /** @@ -138,11 +142,7 @@ class OauthconnectionssettingsAction extends ConnectSettingsAction } if ($this->arg('revoke')) { - $this->revokeAccess($this->id); - - // XXX: Show some indicator to the user of what's been done. - - $this->showPage(); + $this->revokeAccess($this->oauth_token); } else { $this->clientError(_('Unexpected form submission.'), 401); return false; @@ -150,32 +150,27 @@ class OauthconnectionssettingsAction extends ConnectSettingsAction } /** - * Revoke access to an authorized OAuth application + * Revoke an access token + * + * XXX: Confirm revoke before doing it * * @param int $appId the ID of the application * */ - function revokeAccess($appId) + function revokeAccess($token) { $cur = common_current_user(); - $app = Oauth_application::staticGet('id', $appId); - - if (empty($app)) { - $this->clientError(_('No such application.'), 404); - return false; - } - - // XXX: Transaction here? - - $appUser = Oauth_application_user::getByKeys($cur, $app); + $appUser = Oauth_application_user::getByUserAndToken($cur, $token); if (empty($appUser)) { $this->clientError(_('You are not a user of that application.'), 401); return false; } + $app = Oauth_application::staticGet('id', $appUser->application_id); + $datastore = new ApiStatusNetOAuthDataStore(); $datastore->revoke_token($appUser->token, 1); @@ -187,10 +182,25 @@ class OauthconnectionssettingsAction extends ConnectSettingsAction return false; } - $msg = 'User %s (id: %d) revoked access to app %s (id: %d)'; - common_log(LOG_INFO, sprintf($msg, $cur->nickname, - $cur->id, $app->name, $app->id)); + $msg = 'API OAuth - user %s (id: %d) revoked access token %s for app id %d'; + common_log( + LOG_INFO, + sprintf( + $msg, + $cur->nickname, + $cur->id, + $appUser->token, + $appUser->application_id + ) + ); + $msg = sprintf( + _('You have successfully revoked access for %s and the access token starting with %s'), + $app->name, + substr($appUser->token, 0, 7) + ); + + $this->showForm($msg, true); } function showEmptyListMessage() @@ -204,15 +214,20 @@ class OauthconnectionssettingsAction extends ConnectSettingsAction function showSections() { - $cur = common_current_user(); + $cur = common_current_user(); - $this->element('h2', null, 'Developers'); - $this->elementStart('p'); - $this->raw(_('Developers can edit the registration settings for their applications ')); - $this->element('a', - array('href' => common_local_url('oauthappssettings')), - 'here.'); - $this->elementEnd('p'); + $this->element('h2', null, 'Developers'); + $this->elementStart('p'); + + $devMsg = sprintf( + _('Are you a developer? [Register an OAuth client application](%s) to use with this instance of StatusNet.'), + common_local_url('oauthappssettings') + ); + + $output = common_markup_to_html($devMsg); + + $this->raw($output); + $this->elementEnd('p'); } } diff --git a/classes/Oauth_application_user.php b/classes/Oauth_application_user.php index 3d4238d640..fcf6553ffe 100644 --- a/classes/Oauth_application_user.php +++ b/classes/Oauth_application_user.php @@ -13,7 +13,7 @@ class Oauth_application_user extends Memcached_DataObject public $profile_id; // int(4) primary_key not_null public $application_id; // int(4) primary_key not_null public $access_type; // tinyint(1) - public $token; // varchar(255) + public $token; // varchar(255) primary_key not_null public $created; // datetime not_null public $modified; // timestamp not_null default_CURRENT_TIMESTAMP @@ -24,20 +24,51 @@ class Oauth_application_user extends Memcached_DataObject /* the code above is auto generated do not remove the tag below */ ###END_AUTOCODE - static function getByKeys($user, $app) + static function getByUserAndToken($user, $token) { - if (empty($user) || empty($app)) { + if (empty($user) || empty($token)) { return null; } $oau = new Oauth_application_user(); - $oau->profile_id = $user->id; - $oau->application_id = $app->id; + $oau->profile_id = $user->id; + $oau->token = $token; $oau->limit(1); $result = $oau->find(true); return empty($result) ? null : $oau; } + + function updateKeys(&$orig) + { + $this->_connect(); + $parts = array(); + foreach (array('profile_id', 'application_id', 'token', 'access_type') as $k) { + if (strcmp($this->$k, $orig->$k) != 0) { + $parts[] = $k . ' = ' . $this->_quote($this->$k); + } + } + if (count($parts) == 0) { + # No changes + return true; + } + $toupdate = implode(', ', $parts); + + $table = $this->tableName(); + if(common_config('db','quote_identifiers')) { + $table = '"' . $table . '"'; + } + $qry = 'UPDATE ' . $table . ' SET ' . $toupdate . + ' WHERE profile_id = ' . $orig->profile_id + . ' AND application_id = ' . $orig->application_id + . " AND token = '$orig->token'"; + $orig->decache(); + $result = $this->query($qry); + if ($result) { + $this->encache(); + } + return $result; + } } diff --git a/classes/Profile.php b/classes/Profile.php index 12ce5d9b6c..a32051d07d 100644 --- a/classes/Profile.php +++ b/classes/Profile.php @@ -401,10 +401,10 @@ class Profile extends Memcached_DataObject return $profile; } - function getApplications($offset = 0, $limit = null) + function getConnectedApps($offset = 0, $limit = null) { $qry = - 'SELECT a.* ' . + 'SELECT u.* ' . 'FROM oauth_application_user u, oauth_application a ' . 'WHERE u.profile_id = %d ' . 'AND a.id = u.application_id ' . @@ -419,11 +419,11 @@ class Profile extends Memcached_DataObject } } - $application = new Oauth_application(); + $apps = new Oauth_application_user(); - $cnt = $application->query(sprintf($qry, $this->id)); + $cnt = $apps->query(sprintf($qry, $this->id)); - return $application; + return $apps; } function subscriptionCount() diff --git a/classes/statusnet.ini b/classes/statusnet.ini index 3fb8ee208b..7aa115fecd 100644 --- a/classes/statusnet.ini +++ b/classes/statusnet.ini @@ -393,13 +393,14 @@ name = U profile_id = 129 application_id = 129 access_type = 17 -token = 2 +token = 130 created = 142 modified = 384 [oauth_application_user__keys] profile_id = K application_id = K +token = K [profile] id = 129 diff --git a/db/statusnet.sql b/db/statusnet.sql index 3f95948e1e..4ae7e56841 100644 --- a/db/statusnet.sql +++ b/db/statusnet.sql @@ -231,10 +231,10 @@ create table oauth_application_user ( profile_id integer not null comment 'user of the application' references profile (id), application_id integer not null comment 'id of the application' references oauth_application (id), access_type tinyint default 0 comment 'access type, bit 1 = read, bit 2 = write', - token varchar(255) comment 'request or access token', + token varchar(255) not null comment 'request or access token', created datetime not null comment 'date this record was created', modified timestamp comment 'date this record was modified', - constraint primary key (profile_id, application_id) + constraint primary key (profile_id, application_id, token) ) ENGINE=InnoDB CHARACTER SET utf8 COLLATE utf8_bin; /* These are used by JanRain OpenID library */ diff --git a/lib/apiauth.php b/lib/apiauth.php index a1c698bba9..0ebd7aa105 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -178,8 +178,10 @@ class ApiAuthAction extends ApiAction } // set the source attr + if ($app->name != 'anonymous') { + $this->source = $app->name; + } - $this->source = $app->name; $appUser = Oauth_application_user::staticGet('token', $access_token); diff --git a/lib/apioauthstore.php b/lib/apioauthstore.php index 6e0039bdd9..e30eea129f 100644 --- a/lib/apioauthstore.php +++ b/lib/apioauthstore.php @@ -23,16 +23,43 @@ require_once INSTALLDIR . '/lib/oauthstore.php'; class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore { - function lookup_consumer($consumer_key) + function lookup_consumer($consumerKey) { - $con = Consumer::staticGet('consumer_key', $consumer_key); + $con = Consumer::staticGet('consumer_key', $consumerKey); if (!$con) { - return null; + + // Create an anon consumer and anon application if one + // doesn't exist already + if ($consumerKey == 'anonymous') { + $con = new Consumer(); + $con->consumer_key = $consumerKey; + $con->consumer_secret = $consumerKey; + $result = $con->insert(); + if (!$result) { + $this->serverError(_("Could not create anonymous consumer.")); + } + $app = new OAuth_application(); + $app->consumer_key = $con->consumer_key; + $app->name = 'anonymous'; + + // XXX: allow the user to set the access type when + // authorizing? Currently we default to r+w for anonymous + // OAuth client applications + $app->access_type = 3; // read + write + $id = $app->insert(); + if (!$id) { + $this->serverError(_("Could not create anonymous OAuth application.")); + } + } else { + return null; + } } - return new OAuthConsumer($con->consumer_key, - $con->consumer_secret); + return new OAuthConsumer( + $con->consumer_key, + $con->consumer_secret + ); } function getAppByRequestToken($token_key) @@ -94,7 +121,7 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore if ($rt->find(true) && $rt->state == 1 && $rt->verifier == $verifier) { // authorized - common_debug('request token found.', __FILE__); + common_debug('request token found.'); // find the associated user of the app @@ -140,6 +167,7 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore // update the token from req to access for the user $orig = clone($appUser); + $appUser->token = $at->tok; // It's at this point that we change the access type @@ -150,11 +178,10 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore $appUser->access_type = $app->access_type; - $result = $appUser->update($orig); + $result = $appUser->updateKeys($orig); - if (empty($result)) { - common_debug('couldn\'t update OAuth app user.'); - return null; + if (!$result) { + throw new Exception('Couldn\'t update OAuth app user.'); } // Okay, good @@ -179,9 +206,9 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore * @return void */ public function revoke_token($token_key, $type = 0) { - $rt = new Token(); - $rt->tok = $token_key; - $rt->type = $type; + $rt = new Token(); + $rt->tok = $token_key; + $rt->type = $type; $rt->state = 0; if (!$rt->find(true)) { diff --git a/lib/applicationlist.php b/lib/applicationlist.php index 8b6e3a8add..6801fb6cf1 100644 --- a/lib/applicationlist.php +++ b/lib/applicationlist.php @@ -22,7 +22,7 @@ * @category Application * @package StatusNet * @author Zach Copley - * @copyright 2008-2009 StatusNet, Inc. + * @copyright 2008-2010 StatusNet, Inc. * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ @@ -55,14 +55,13 @@ class ApplicationList extends Widget /** Action object using us. */ var $action = null; - function __construct($application, $owner=null, $action=null, $connections = false) + function __construct($application, $owner=null, $action=null) { parent::__construct($action); $this->application = $application; $this->owner = $owner; $this->action = $action; - $this->connections = $connections; } function show() @@ -88,24 +87,34 @@ class ApplicationList extends Widget { $user = common_current_user(); - $this->out->elementStart('li', array('class' => 'application', - 'id' => 'oauthclient-' . $this->application->id)); + $this->out->elementStart( + 'li', + array( + 'class' => 'application', + 'id' => 'oauthclient-' . $this->application->id + ) + ); $this->out->elementStart('span', 'vcard author'); - if (!$this->connections) { - $this->out->elementStart('a', - array('href' => common_local_url('showapplication', - array('id' => $this->application->id)), - 'class' => 'url')); - } else { - $this->out->elementStart('a', array('href' => $this->application->source_url, - 'class' => 'url')); - } + $this->out->elementStart( + 'a', + array( + 'href' => common_local_url( + 'showapplication', + array('id' => $this->application->id)), + 'class' => 'url' + ) + ); if (!empty($this->application->icon)) { - $this->out->element('img', array('src' => $this->application->icon, - 'class' => 'photo avatar')); + $this->out->element( + 'img', + array( + 'src' => $this->application->icon, + 'class' => 'photo avatar' + ) + ); } $this->out->element('span', 'fn', $this->application->name); @@ -114,51 +123,18 @@ class ApplicationList extends Widget $this->out->raw(' by '); - $this->out->element('a', array('href' => $this->application->homepage, - 'class' => 'url'), - $this->application->organization); + $this->out->element( + 'a', + array( + 'href' => $this->application->homepage, + 'class' => 'url' + ), + $this->application->organization + ); $this->out->element('p', 'note', $this->application->description); $this->out->elementEnd('li'); - if ($this->connections) { - $appUser = Oauth_application_user::getByKeys($this->owner, $this->application); - - if (empty($appUser)) { - common_debug("empty appUser!"); - } - - $this->out->elementStart('li'); - - // TRANS: Application access type - $readWriteText = _('read-write'); - // TRANS: Application access type - $readOnlyText = _('read-only'); - - $access = ($this->application->access_type & Oauth_application::$writeAccess) - ? $readWriteText : $readOnlyText; - $modifiedDate = common_date_string($appUser->modified); - // TRANS: Used in application list. %1$s is a modified date, %2$s is access type ("read-write" or "read-only") - $txt = sprintf(_('Approved %1$s - "%2$s" access.'),$modifiedDate,$access); - - $this->out->raw($txt); - $this->out->elementEnd('li'); - - $this->out->elementStart('li', 'entity_revoke'); - $this->out->elementStart('form', array('id' => 'form_revoke_app', - 'class' => 'form_revoke_app', - 'method' => 'POST', - 'action' => - common_local_url('oauthconnectionssettings'))); - $this->out->elementStart('fieldset'); - $this->out->hidden('id', $this->application->id); - $this->out->hidden('token', common_session_token()); - // TRANS: Button label - $this->out->submit('revoke', _m('BUTTON','Revoke')); - $this->out->elementEnd('fieldset'); - $this->out->elementEnd('form'); - $this->out->elementEnd('li'); - } } /* Override this in subclasses. */ @@ -166,4 +142,164 @@ class ApplicationList extends Widget { return; } + +} + + +/** + * Widget to show a list of connected OAuth clients + * + * @category Application + * @package StatusNet + * @author Zach Copley + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 + * @link http://status.net/ + */ +class ConnectedAppsList extends Widget +{ + /** Current connected application query */ + var $connection = null; + + /** Owner of this list */ + var $owner = null; + + /** Action object using us. */ + var $action = null; + + function __construct($connection, $owner=null, $action=null) + { + parent::__construct($action); + + common_debug("ConnectedAppsList constructor"); + + $this->connection = $connection; + $this->owner = $owner; + $this->action = $action; + } + + /* Override this in subclasses. */ + function showOwnerControls() + { + return; + } + + function show() + { + $this->out->elementStart('ul', 'applications'); + + $cnt = 0; + + while ($this->connection->fetch()) { + $cnt++; + if($cnt > APPS_PER_PAGE) { + break; + } + $this->showConnection(); + } + + $this->out->elementEnd('ul'); + + return $cnt; + } + + function showConnection() + { + $app = Oauth_application::staticGet('id', $this->connection->application_id); + + $this->out->elementStart( + 'li', + array( + 'class' => 'application', + 'id' => 'oauthclient-' . $app->id + ) + ); + + $this->out->elementStart('span', 'vcard author'); + + $this->out->elementStart( + 'a', + array( + 'href' => $app->source_url, + 'class' => 'url' + ) + ); + + if (!empty($app->icon)) { + $this->out->element( + 'img', + array( + 'src' => $app->icon, + 'class' => 'photo avatar' + ) + ); + } + if ($app->name != 'anonymous') { + $this->out->element('span', 'fn', $app->name); + } + $this->out->elementEnd('a'); + + if ($app->name == 'anonymous') { + $this->out->element('span', 'fn', "Unknown application"); + } + + $this->out->elementEnd('span'); + + if ($app->name != 'anonymous') { + + $this->out->raw(_(' by ')); + + $this->out->element( + 'a', + array( + 'href' => $app->homepage, + 'class' => 'url' + ), + $app->organization + ); + } + + // TRANS: Application access type + $readWriteText = _('read-write'); + // TRANS: Application access type + $readOnlyText = _('read-only'); + + $access = ($this->connection->access_type & Oauth_application::$writeAccess) + ? $readWriteText : $readOnlyText; + $modifiedDate = common_date_string($this->connection->modified); + // TRANS: Used in application list. %1$s is a modified date, %2$s is access type ("read-write" or "read-only") + $txt = sprintf(_('Approved %1$s - "%2$s" access.'), $modifiedDate, $access); + + $this->out->raw(" - $txt"); + if (!empty($app->description)) { + $this->out->element( + 'p', array('class' => 'application_description'), + $app->description + ); + } + $this->out->element( + 'p', array( + 'class' => 'access_token'), + _('Access token starting with: ') . substr($this->connection->token, 0, 7) + ); + + $this->out->elementStart( + 'form', + array( + 'id' => 'form_revoke_app', + 'class' => 'form_revoke_app', + 'method' => 'POST', + 'action' => common_local_url('oauthconnectionssettings') + ) + ); + $this->out->elementStart('fieldset'); + $this->out->hidden('oauth_token', $this->connection->token); + $this->out->hidden('token', common_session_token()); + // TRANS: Button label + $this->out->submit('revoke', _('Revoke')); + $this->out->elementEnd('fieldset'); + $this->out->elementEnd('form'); + + $this->out->elementEnd('li'); + + } }