* Copyright (C) 2014-2024 Frédéric France
* Copyright (C) 2020 Nicolas ZABOURI
* Copyright (C) 2024 MDW
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/

/**
 * \file htdocs/admin/oauthlogintokens.php
 * \ingroup oauth
 * \brief Setup page to configure oauth access to login information
 *
 * Admin-only page. It handles three POST/GET actions (setconst, setvalue,
 * refreshtoken) and then renders one of three views selected by 'mode':
 *   - setup    : one table per configured OAuth provider (OAUTH_*_ID constants),
 *                showing token state, the raw access/refresh token values and
 *                links to obtain, refresh or delete a token;
 *   - test     : loads a printing driver named by 'driver' and lists its printers;
 *   - userconf : lists rows of the printing table joined with user logins.
 */

// Load Dolibarr environment
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/oauth.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';

use OAuth\Common\Storage\DoliStorage;
use OAuth\Common\Consumer\Credentials;

// Map of supported providers, keyed by 'OAUTH_<PROVIDER>_NAME'; entries read below are
// 'callbackfile', 'returnurl', 'picto' and 'name'.
$supportedoauth2array = getSupportedOauth2Array();

/**
 * @var Conf $conf
 * @var DoliDB $db
 * @var HookManager $hookmanager
 * @var Translate $langs
 * @var User $user
 *
 * @var string $dolibarr_main_url_root
 */

// Load translation files required by the page
$langs->loadLangs(array('admin', 'printing', 'oauth'));

// Request parameters. 'driver' is later used to build an include path and a class name
// (see the 'test' mode), so its GETPOST filter is the only input sanitisation visible here.
$action = GETPOST('action', 'aZ09');
$mode = GETPOST('mode', 'alpha');
$value = GETPOST('value', 'alpha');
$varname = GETPOST('varname', 'alpha');
$driver = GETPOST('driver', 'alpha');

if (!empty($driver)) {
	$langs->load($driver);
}

if (!$mode) {
	$mode = 'setup';
}

// Everything below (actions and views) is reachable only by an admin user.
if (!$user->admin) {
	accessforbidden();
}

/*
 * Action
 */

$error = 0;

/*if (($mode == 'test' || $mode == 'setup') && empty($driver)) {
	setEventMessages($langs->trans('PleaseSelectaDriverfromList'), null);
	header("Location: ".$_SERVER['PHP_SELF'].'?mode=config');
	exit;
}*/

// Save a batch of constants posted as setupdriver[][varname|value|type|note].
// Each field is HTML-escaped *before* it is stored, so the stored value is the escaped form.
// NOTE(review): no anti-CSRF token check is visible in this file; presumably enforced
// globally by main.inc.php for actions — confirm.
if ($action == 'setconst' && $user->admin) {
	$db->begin();
	$setupconstarray = GETPOST('setupdriver', 'array');
	foreach ($setupconstarray as $setupconst) {
		$constname = dol_escape_htmltag($setupconst['varname']);
		$constvalue = dol_escape_htmltag($setupconst['value']);
		$consttype = dol_escape_htmltag($setupconst['type']);
		$constnote = dol_escape_htmltag($setupconst['note']);
		$result = dolibarr_set_const($db, $constname, $constvalue, $consttype, 0, $constnote, $conf->entity);
		if (!($result > 0)) {
			$error++;
		}
	}
	// All-or-nothing: one failed constant rolls back the whole batch.
	if (!$error) {
		$db->commit();
		setEventMessages($langs->trans("SetupSaved"), null);
	} else {
		$db->rollback();
		dol_print_error($db);
	}
	$action = '';
}

// Save a single constant. The constant *name* comes from the request ('varname'), so an
// admin can write any constant of the current entity through this action; nothing here
// restricts it to OAuth-related names.
if ($action == 'setvalue' && $user->admin) {
	$db->begin();
	$result = dolibarr_set_const($db, $varname, $value, 'chaine', 0, '', $conf->entity);
	if (!($result > 0)) {
		$error++;
	}
	if (!$error) {
		$db->commit();
		setEventMessages($langs->trans("SetupSaved"), null);
	} else {
		$db->rollback();
		dol_print_error($db);
	}
	$action = '';
}

// Test a refresh of a token using the refresh token
// The refresh is always performed, whether or not the current token is expired.
if ($action == 'refreshtoken' && $user->admin) {
	// 'keyforprovider' is read without a filter but overwritten a few lines below from 'service'.
	// 'service' is read without a filter and flows into log messages, the storage key and
	// the service factory (after splitting on '-').
	$keyforprovider = GETPOST('keyforprovider');
	$OAUTH_SERVICENAME = GETPOST('service');

	// Show value of token
	$tokenobj = null;

	// Load OAUth libraries
	require_once DOL_DOCUMENT_ROOT.'/includes/OAuth/bootstrap.php';

	// Split 'Provider-keyforprovider' into the provider part (upper-cased into the
	// OAUTH_<PROVIDER>_NAME key) and the optional suffix after the first '-'.
	$keyforsupportedoauth2array = $OAUTH_SERVICENAME;
	if (preg_match('/^.*-/', $keyforsupportedoauth2array)) {
		$keyforprovider = preg_replace('/^.*-/', '', $keyforsupportedoauth2array);
	} else {
		$keyforprovider = '';
	}
	$keyforsupportedoauth2array = preg_replace('/-.*$/', '', strtoupper($keyforsupportedoauth2array));
	$keyforsupportedoauth2array = 'OAUTH_'.$keyforsupportedoauth2array.'_NAME';

	// Name of the constant holding the tenant for this provider/suffix, e.g. OAUTH_<CALLBACKFILE>-<suffix>_TENANT.
	$keyforparamtenant = 'OAUTH_'.strtoupper(empty($supportedoauth2array[$keyforsupportedoauth2array]['callbackfile']) ? 'Unknown' : $supportedoauth2array[$keyforsupportedoauth2array]['callbackfile']).($keyforprovider ? '-'.$keyforprovider : '').'_TENANT';

	// Dolibarr storage
	$storage = new DoliStorage($db, $conf, $keyforprovider, getDolGlobalString($keyforparamtenant));
	try {
		// $OAUTH_SERVICENAME is for example 'Google-keyforprovider'
		print ''."\n";
		dol_syslog("oauthlogintokens.php: Read token for service ".$OAUTH_SERVICENAME);
		$tokenobj = $storage->retrieveAccessToken($OAUTH_SERVICENAME);
		// Expired, or expiring within 30 seconds. The two literal sentinels are presumably the
		// same values as $tokenobj::EOL_NEVER_EXPIRES / EOL_UNKNOWN used in the setup view — confirm.
		$expire = ($tokenobj->getEndOfLife() !== -9002 && $tokenobj->getEndOfLife() !== -9001 && time() > ($tokenobj->getEndOfLife() - 30));
		// We have to save the refresh token in a memory variable because Google give it only once
		$refreshtoken = $tokenobj->getRefreshToken();
		print '';
		//print $tokenobj->getExtraParams()['id_token'];
		//print $tokenobj->getAccessToken();
		//print $tokenobj->getRefreshToken();
		//var_dump($expire);

		// We do the refresh even if not expired, this is the goal of action.
		// Client id/secret/callback are read from the OAUTH_<PROVIDER>[-<suffix>]_* constants.
		$oauthname = explode('-', $OAUTH_SERVICENAME);
		$keyforoauthservice = strtoupper($oauthname[0]).(empty($oauthname[1]) ? '' : '-'.$oauthname[1]);
		$credentials = new Credentials(
			getDolGlobalString('OAUTH_'.$keyforoauthservice.'_ID'),
			getDolGlobalString('OAUTH_'.$keyforoauthservice.'_SECRET'),
			getDolGlobalString('OAUTH_'.$keyforoauthservice.'_URLCALLBACK')
		);
		$serviceFactory = new \OAuth\ServiceFactory();
		$httpClient = new \OAuth\Common\Http\Client\CurlClient();
		// TODO Set options for proxy and timeout
		// $params=array('CURLXXX'=>value, ...)
		//$httpClient->setCurlParameters($params);
		$serviceFactory->setHttpClient($httpClient);

		// Only Microsoft services get their scope list here (comma-separated constant); others pass none.
		$scopes = array();
		if (preg_match('/^Microsoft/', $OAUTH_SERVICENAME)) {
			//$extraparams = $tokenobj->getExtraParams();
			$tmp = explode('-', $OAUTH_SERVICENAME);
			$scopes = explode(',', getDolGlobalString('OAUTH_'.strtoupper($tmp[0]).(empty($tmp[1]) ? '' : '-'.$tmp[1]).'_SCOPE'));
		}

		// ex service is Google-Emails we need only the first part Google
		$apiService = $serviceFactory->createService($oauthname[0], $credentials, $storage, $scopes);

		if ($apiService instanceof OAuth\OAuth2\Service\AbstractService || $apiService instanceof OAuth\OAuth1\Service\AbstractService) {
			// ServiceInterface does not provide refreshAccessToekn, AbstractService does
			dol_syslog("oauthlogintokens.php: call refreshAccessToken to get the new access token");
			$tokenobj = $apiService->refreshAccessToken($tokenobj); // This call refresh and store the new token (but does not include the refresh token)
			dol_syslog("oauthlogintokens.php: call setRefreshToken");
			$tokenobj->setRefreshToken($refreshtoken); // Restore the refresh token
			dol_syslog("oauthlogintokens.php: call storeAccessToken to save the new access token + the old refresh token");
			$storage->storeAccessToken($OAUTH_SERVICENAME, $tokenobj); // This save the new token including the refresh token

			if ($expire) {
				setEventMessages($langs->trans("OldTokenWasExpiredItHasBeenRefresh"), null, 'mesgs');
			} else {
				setEventMessages($langs->trans("OldTokenWasNotExpiredButItHasBeenRefresh"), null, 'mesgs');
			}
		} else {
			dol_print_error($db, 'apiService is not a correct OAUTH2 Abstract service');
		}

		dol_syslog("oauthlogintokens.php: Read token again for service ".$OAUTH_SERVICENAME);
		$tokenobj = $storage->retrieveAccessToken($OAUTH_SERVICENAME);
	} catch (Exception $e) {
		// Return an error if token not found
		// NOTE(review): the raw exception message is written to the response without escaping;
		// it may carry provider/library detail (admin-only page, but worth keeping in mind).
		print $e->getMessage();
	}
}

/*
 * View
 */

// Define $urlwithroot
$urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
$urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
//$urlwithroot=DOL_MAIN_URL_ROOT; // This is to use same domain name than current

$form = new Form($db);

$title = $langs->trans("TokenManager");
$help_url = 'EN:Module_OAuth|FR:Module_OAuth_FR|ES:Módulo_OAuth_ES';
llxHeader('', $title, $help_url, '', 0, 0, '', '', '', 'mod-admin page-oauthlogintokens');

$linkback = ''.$langs->trans("BackToModuleList").'';
print load_fiche_titre($langs->trans('ConfigOAuth'), $linkback, 'title_setup');

$head = oauthadmin_prepare_head();

print dol_get_fiche_head($head, 'tokengeneration', '', -1, '');

// 'error' comes straight from the query string (e.g. set by an OAuth callback redirect);
// escaping of the message is left to setEventMessages — presumably it does so, confirm.
if (GETPOST('error')) {
	setEventMessages(GETPOST('error'), null, 'errors');
}

if ($mode == 'setup' && $user->admin) {
	print ''.$langs->trans("OAuthSetupForLogin")."

\n";

	// Define $listinsetup
	// One entry per non-empty OAUTH_*_ID constant: [NAME, ID, SECRET, URL, SCOPE] constant names.
	$listinsetup = array();
	foreach ($conf->global as $key => $val) {
		if (!empty($val) && preg_match('/^OAUTH_.*_ID$/', $key)) {
			$provider = preg_replace('/_ID$/', '', $key);
			$listinsetup[] = array(
				$provider.'_NAME',
				$provider.'_ID',
				$provider.'_SECRET',
				$provider.'_URL', // For custom oauth links
				$provider.'_SCOPE' // For custom oauth links
			);
		}
	}

	// 16 random bytes, hex-encoded, generated once per page render. It is only appended to the
	// OAuth 'state' for the Google branch below (see the per-provider URL construction).
	$oauthstateanticsrf = bin2hex(random_bytes(128 / 8));

	// $list is defined into oauth.lib.php to the list of supported OAuth providers.
	if (!empty($listinsetup)) {
		foreach ($listinsetup as $key) {
			$supported = 0;
			// Derive 'OAUTH_<PROVIDER>_NAME' and the optional '-suffix' from the configured constant name.
			// These values come from $conf->global constant names, not from the request.
			$keyforsupportedoauth2array = $key[0]; // May be OAUTH_GOOGLE_NAME or OAUTH_GOOGLE_xxx_NAME
			$keyforsupportedoauth2array = preg_replace('/^OAUTH_/', '', $keyforsupportedoauth2array);
			$keyforsupportedoauth2array = preg_replace('/_NAME$/', '', $keyforsupportedoauth2array);
			if (preg_match('/^.*-/', $keyforsupportedoauth2array)) {
				$keybeforeprovider = preg_replace('/-.*$/', '', $keyforsupportedoauth2array);
				$keyforprovider = preg_replace('/^.*-/', '', $keyforsupportedoauth2array);
			} else {
				$keybeforeprovider = $keyforsupportedoauth2array;
				$keyforprovider = '';
			}
			$keyforsupportedoauth2array = preg_replace('/-.*$/', '', strtoupper($keyforsupportedoauth2array));
			$keyforsupportedoauth2array = 'OAUTH_'.$keyforsupportedoauth2array.'_NAME';

			// Service name as used by the storage, e.g. 'Google' or 'Google-suffix' ('Unknown' if the provider is not in the supported map).
			$nameofservice = ucfirst(strtolower(empty($supportedoauth2array[$keyforsupportedoauth2array]['callbackfile']) ? 'Unknown' : $supportedoauth2array[$keyforsupportedoauth2array]['callbackfile']));
			$nameofservice .= ($keyforprovider ? '-'.$keyforprovider : '');
			$OAUTH_SERVICENAME = $nameofservice;

			$keyforparamtenant = 'OAUTH_'.strtoupper(empty($supportedoauth2array[$keyforsupportedoauth2array]['callbackfile']) ? 'Unknown' : $supportedoauth2array[$keyforsupportedoauth2array]['callbackfile']).($keyforprovider ? '-'.$keyforprovider : '').'_TENANT';

			$shortscope = '';
			if (getDolGlobalString($key[4])) {
				$shortscope = getDolGlobalString($key[4]);
			}
			// NOTE(review): 'state' is the configured scope string, i.e. a predictable value. Only the
			// Google URL below appends $oauthstateanticsrf; the GitHub and generic branches send the
			// scope alone. Whether the callback validates 'state' is not visible in this file.
			$state = $shortscope; // TODO USe a better state

			// Refresh goes through this page's own 'refreshtoken' action, protected by a request token.
			$urltorefresh = $_SERVER["PHP_SELF"].'?action=refreshtoken&token='.newToken();

			// Define $urltorenew, $urltodelete, $urltocheckperms
			if ($keyforsupportedoauth2array == 'OAUTH_GITHUB_NAME') {
				// List of keys that will be converted into scopes (from constants 'SCOPE_state_in_uppercase' in file of service).
				// We pass this param list in to 'state' because we need it before and after the redirect.
				// Note: github does not accept csrf key inside the state parameter (only known values)
				$urltorenew = $urlwithroot.'/core/modules/oauth/github_oauthcallback.php?shortscope='.urlencode($shortscope).'&state='.urlencode($shortscope).'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
				$urltodelete = $urlwithroot.'/core/modules/oauth/github_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
				$urltocheckperms = 'https://github.com/settings/applications/';
			} elseif ($keyforsupportedoauth2array == 'OAUTH_GOOGLE_NAME') {
				// List of keys that will be converted into scopes (from constants 'SCOPE_state_in_uppercase' in file of service).
				// List of scopes for Google are here: https://developers.google.com/identity/protocols/oauth2/scopes
				// We pass this key list into the param 'state' because we need it before and after the redirect.
				// The random nonce is appended after a '-' so the callback can separate it from the scope list.
				$urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.urlencode($shortscope).'&state='.urlencode($state).'-'.$oauthstateanticsrf.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
				$urltodelete = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
				$urltocheckperms = 'https://security.google.com/settings/security/permissions';
			} elseif (!empty($supportedoauth2array[$keyforsupportedoauth2array]['returnurl'])) {
				// Generic provider: callback path taken from the supported-provider map; no nonce in 'state'.
				$urltorenew = $urlwithroot.$supportedoauth2array[$keyforsupportedoauth2array]['returnurl'].'?shortscope='.urlencode($shortscope).'&state='.urlencode($state).'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
				$urltodelete = $urlwithroot.$supportedoauth2array[$keyforsupportedoauth2array]['returnurl'].'?action=delete&token='.newToken().'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php');
				$urltocheckperms = '';
			} else {
				$urltorenew = '';
				$urltodelete = '';
				$urltocheckperms = '';
			}

			if ($urltorenew) {
				$urltorenew .= '&keyforprovider='.urlencode($keyforprovider);
			}
			if ($urltorefresh) {
				$urltorefresh .= '&keyforprovider='.urlencode($keyforprovider).'&service='.urlencode($OAUTH_SERVICENAME);
			}
			if ($urltodelete) {
				$urltodelete .= '&keyforprovider='.urlencode($keyforprovider);
			}

			// Show value of token
			$tokenobj = null;

			// Token
			require_once DOL_DOCUMENT_ROOT.'/includes/OAuth/bootstrap.php';

			// Dolibarr storage
			$storage = new DoliStorage($db, $conf, $keyforprovider, getDolGlobalString($keyforparamtenant));
			try {
				// $OAUTH_SERVICENAME is for example 'Google-keyforprovider'
				print ''."\n";
				$tokenobj = $storage->retrieveAccessToken($OAUTH_SERVICENAME);
				print '';
				//print $tokenobj->getExtraParams()['id_token'];
				//print $tokenobj->getAccessToken();
			} catch (Exception $e) {
				// Return an error if token not found
				// Deliberately silent: a missing token is the normal "not generated yet" case and is reported below.
				//print $e->getMessage();
			}

			// Set other properties
			$refreshtoken = false;
			$expiredat = '';
			$expire = false;

			// Is token expired or will token expire in the next 30 seconds
			if (is_object($tokenobj)) {
				$expire = ($tokenobj->getEndOfLife() !== $tokenobj::EOL_NEVER_EXPIRES && $tokenobj->getEndOfLife() !== $tokenobj::EOL_UNKNOWN && time() > ($tokenobj->getEndOfLife() - 30));
			}

			// Only providers with both an ID and a SECRET constant name get expiry/refresh details.
			if ($key[1] != '' && $key[2] != '') {
				if (is_object($tokenobj)) {
					$refreshtoken = $tokenobj->getRefreshToken();

					$endoflife = $tokenobj->getEndOfLife();
					if ($endoflife == $tokenobj::EOL_NEVER_EXPIRES) {
						$expiredat = $langs->trans("Never");
					} elseif ($endoflife == $tokenobj::EOL_UNKNOWN) {
						$expiredat = $langs->trans("Unknown");
					} else {
						$expiredat = dol_print_date($endoflife, "dayhour", 'tzuserrel');
					}
				}
			}

			// Never set to 1 anywhere on this page, so the save/cancel buttons below are never rendered.
			$submit_enabled = 0;

			print '
';
			print '';
			print '';
			print '';
			print '
';
			print ''."\n";

			// Api Name
			// $langs->trans() presumably returns the key itself when no translation exists; the
			// comparison further down relies on that to fall back to the provider's display name.
			$label = $langs->trans($keyforsupportedoauth2array);
			print '';
			print '';
			print '';
			print '';
			print "\n";

			print '';
			print '';
			print '';
			print '';
			print ''."\n";

			// Scopes
			print '';
			print '';
			print '';
			print '';
			print '';
			print '';
			print '';
			print '';

			if (is_object($tokenobj)) {
				print '';
				print '';
				print '';
				print ''."\n";
				print '';
				print '';
				print '';
				print ''."\n";

				// Token refresh
				print '';
				print '';
				print '';
				print '';
			}

			print '
';
			print img_picto('', $supportedoauth2array[$keyforsupportedoauth2array]['picto'], 'class="pictofixedwidth"');
			if ($label == $keyforsupportedoauth2array) {
				print $supportedoauth2array[$keyforsupportedoauth2array]['name'];
			} else {
				print $label;
			}
			// $keyforprovider is printed as-is; it derives from a constant name, not from the request.
			if ($keyforprovider) {
				print ' ('.$keyforprovider.')';
			} else {
				print ' ('.$langs->trans("NoName").')';
			}
			print '
';
			//var_dump($key);
			print $langs->trans("OAuthIDSecret").'';
			print ''.$langs->trans("SeePreviousTab").'';
			print '';
			print '
'.$langs->trans("Scopes").'';
			$currentscopes = getDolGlobalString($key[4]);
			print $currentscopes;
			print '
';
			//var_dump($key);
			print $langs->trans("IsTokenGenerated");
			print '';
			// The 'Login' suffix marks the OAuth-login use case, which needs no stored token.
			if ($keyforprovider != 'Login') {
				if (is_object($tokenobj)) {
					// $storage->state is escaped here; date_modification goes through dol_print_date.
					print $form->textwithpicto(yn(1), $langs->trans("HasAccessToken").' : '.dol_print_date($storage->date_modification, 'dayhour').' state='.dol_escape_htmltag($storage->state));
				} else {
					print ''.$langs->trans("NoAccessToken").'';
				}
			} else {
				print ''.$langs->trans("TokenNotRequiredForOAuthLogin").'';
			}
			print '';
			if ($keyforprovider != 'Login') {
				// Links to delete/checks token
				if (is_object($tokenobj)) {
					//test on $storage->hasAccessToken($OAUTH_SERVICENAME) ?
					if ($urltodelete) {
						print ''.$langs->trans('DeleteAccess').'';
					} else {
						print ''.$langs->trans('GoOnTokenProviderToDeleteToken').'';
					}
				}
				// Request remote token
				if ($urltorenew) {
					print ''.$langs->trans('GetAccess').'';
				}
				// Request remote token
				// Refresh link only when a refresh token is actually held.
				if ($urltorefresh && $refreshtoken) {
					print ''.$langs->trans('RefreshToken').'';
				}
				// Check remote access
				if ($urltocheckperms) {
					print '
'.$langs->trans("ToCheckDeleteTokenOnProvider", $OAUTH_SERVICENAME).': '.$urltocheckperms.'';
				}
			}
			print '
';
			//var_dump($key);
			print $langs->trans("TokenRawValue").'';
			if (is_object($tokenobj)) {
				print '
'."\n";
			}
			print '
';
			//var_dump($key);
			print $langs->trans("AccessToken").'';
			// NOTE(review): the full access token (and the refresh token below) is rendered into the
			// page behind a truncated preview with a copy button — these are bearer secrets, so the
			// page output is as sensitive as the stored token itself.
			$tokentoshow = $tokenobj->getAccessToken();
			print ''.showValueWithClipboardCPButton($tokentoshow, 1, dol_trunc($tokentoshow, 32)).'';
			//print 'Refresh: '.$tokenobj->getRefreshToken();
			//print 'EndOfLife: '.$tokenobj->getEndOfLife();
			//var_dump($tokenobj->getExtraParams());
			/*print 'Extra:';*/
			print '   -   ';
			print $langs->trans("ExpirationDate").': ';
			print '';
			print $expiredat;
			print $expire ? ' ('.$langs->trans("TokenExpired").')' : ' ('.$langs->trans("TokenNotExpired").')';
			print '
';
			//var_dump($key);
			print $langs->trans("TOKEN_REFRESH");
			print '';
			print ''.showValueWithClipboardCPButton($refreshtoken, 1, dol_trunc($refreshtoken, 32)).'';
			print '
';
			print '
';
			if (!empty($driver)) {
				if ($submit_enabled) {
					print $form->buttonsSaveCancel("Modify", '');
				}
			}
			print '
';
			print '
';
		}
	}
}

// Printing-driver test: loads the driver module named by the request parameter 'driver'.
if ($mode == 'test' && $user->admin) {
	print $langs->trans('PrintTestDesc'.$driver)."

\n";
	print '
';
	print '';
	if (!empty($driver)) {
		// NOTE(review): both the include path and the instantiated class name are built from the
		// request-supplied 'driver'. The only sanitisation visible in this file is GETPOST's 'alpha'
		// filter — confirm it strips path separators/traversal sequences before relying on it.
		require_once DOL_DOCUMENT_ROOT.'/core/modules/printing/'.$driver.'.modules.php';
		$classname = 'printing_'.$driver;
		$langs->load($driver);
		$printer = new $classname($db);
		'@phan-var-force PrintingDriver $printer';
		//print print_r($printer, true);
		// listAvailablePrinters() returning 0 means success here; $printer->resprint then holds the rendered list.
		if (count($printer->getlistAvailablePrinters())) {
			if ($printer->listAvailablePrinters() == 0) {
				print $printer->resprint;
			} else {
				setEventMessages($printer->error, $printer->errors, 'errors');
			}
		} else {
			print $langs->trans('PleaseConfigureDriverfromList');
		}
	}
	print '
';
	print '
';
}

// Per-user printing configuration list. The query uses only constants (no request input).
if ($mode == 'userconf' && $user->admin) {
	print $langs->trans('PrintUserConfDesc'.$driver)."

\n";
	print '
';
	print '';
	print '';
	print '';
	print '';
	print '';
	print '';
	print '';
	print '';
	print '';
	print '';
	print "\n";
	$sql = "SELECT p.rowid, p.printer_name, p.printer_location, p.printer_id, p.copy, p.module, p.driver, p.userid, u.login";
	$sql .= " FROM ".MAIN_DB_PREFIX."printing as p, ".MAIN_DB_PREFIX."user as u WHERE p.userid = u.rowid";
	// NOTE(review): $resql is not checked for failure before fetch_object().
	$resql = $db->query($sql);
	while ($obj = $db->fetch_object($resql)) {
		print '';
		print '';
		print '';
		print '';
		print '';
		print '';
		print '';
		print '';
		print '';
		print "\n";
	}
	// NOTE(review): as shown on this page, the row fields ($obj->login, ...) are printed after the
	// loop, when $obj holds the last fetch_object() result, and without HTML escaping. This ordering
	// looks like an artefact of how the page was captured — verify against the actual file.
	print '
'.$langs->trans("User").''.$langs->trans("PrintModule").''.$langs->trans("PrintDriver").''.$langs->trans("Printer").''.$langs->trans("PrinterLocation").''.$langs->trans("PrinterId").''.$langs->trans("NumberOfCopy").''.$langs->trans("Delete").'
'.$obj->login.''.$obj->module.''.$obj->driver.''.$obj->printer_name.''.$obj->printer_location.''.$obj->printer_id.''.$obj->copy.''.img_picto($langs->trans("Delete"), 'delete').'
';
	print '
';
}

print dol_get_fiche_end();

// End of page
llxFooter();
$db->close();