Plugin: OnlyOffice: Bump plugin to version 1.2.0 (adds support for Fo…
…rms and JWT) - refs #4639
ywarnier committed Jun 2, 2023
1 parent d0f9f5f commit aecd5c7
Showing 62 changed files with 711 additions and 395 deletions.
2 changes: 1 addition & 1 deletion plugin/onlyoffice/3rdparty/jwt/BeforeValidException.php
@@ -1,7 +1,7 @@
<?php

namespace Firebase\JWT;

class BeforeValidException extends \UnexpectedValueException
{

}
2 changes: 1 addition & 1 deletion plugin/onlyoffice/3rdparty/jwt/ExpiredException.php
@@ -1,7 +1,7 @@
<?php

namespace Firebase\JWT;

class ExpiredException extends \UnexpectedValueException
{

}
213 changes: 107 additions & 106 deletions plugin/onlyoffice/3rdparty/jwt/JWT.php
@@ -1,29 +1,27 @@
<?php

namespace Firebase\JWT;

use DateTime;
use DomainException;
use InvalidArgumentException;
use UnexpectedValueException;
use \DomainException;
use \InvalidArgumentException;
use \UnexpectedValueException;
use \DateTime;

/**
* JSON Web Token implementation, based on this spec:
* http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06.
* http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06
*
* PHP version 5
*
* @category Authentication
* @package Authentication_JWT
*
* @author Neuman Vong <neuman@twilio.com>
* @author Anant Narayanan <anant@php.net>
* @license http://opensource.org/licenses/BSD-3-Clause 3-clause BSD
*
* @see https://github.com/firebase/php-jwt
* @link https://github.com/firebase/php-jwt
*/
class JWT
{

/**
* When checking nbf, iat or expiration times,
* we want to provide some extra leeway time to
@@ -39,34 +37,34 @@ class JWT
*/
public static $timestamp = null;

public static $supported_algs = [
'HS256' => ['hash_hmac', 'SHA256'],
'HS512' => ['hash_hmac', 'SHA512'],
'HS384' => ['hash_hmac', 'SHA384'],
'RS256' => ['openssl', 'SHA256'],
];
public static $supported_algs = array(
'HS256' => array('hash_hmac', 'SHA256'),
'HS512' => array('hash_hmac', 'SHA512'),
'HS384' => array('hash_hmac', 'SHA384'),
'RS256' => array('openssl', 'SHA256'),
);

/**
* Decodes a JWT string into a PHP object.
*
* @param string $jwt The JWT
* @param string|array $key The key, or map of keys.
* If the algorithm used is asymmetric, this is the public key
* @param array $allowed_algs List of supported verification algorithms
* Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
*
* @throws UnexpectedValueException Provided JWT was invalid
* @throws SignatureInvalidException Provided JWT was invalid because the signature verification failed
* @throws BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf'
* @throws BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat'
* @throws ExpiredException Provided JWT has since expired, as defined by the 'exp' claim
* @param string $jwt The JWT
* @param string|array $key The key, or map of keys.
* If the algorithm used is asymmetric, this is the public key
* @param array $allowed_algs List of supported verification algorithms
* Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
*
* @return object The JWT's payload as a PHP object
*
* @throws UnexpectedValueException Provided JWT was invalid
* @throws SignatureInvalidException Provided JWT was invalid because the signature verification failed
* @throws BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf'
* @throws BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat'
* @throws ExpiredException Provided JWT has since expired, as defined by the 'exp' claim
*
* @uses jsonDecode
* @uses urlsafeB64Decode
*/
public static function decode($jwt, $key, $allowed_algs = [])
public static function decode($jwt, $key, $allowed_algs = array())
{
$timestamp = is_null(static::$timestamp) ? time() : static::$timestamp;

@@ -88,7 +86,7 @@ public static function decode($jwt, $key, $allowed_algs = [])
throw new UnexpectedValueException('Invalid claims encoding');
}
$sig = static::urlsafeB64Decode($cryptob64);

if (empty($header->alg)) {
throw new UnexpectedValueException('Empty algorithm');
}
@@ -114,14 +112,18 @@ public static function decode($jwt, $key, $allowed_algs = [])
// Check if the nbf if it is defined. This is the time that the
// token can actually be used. If it's not yet that time, abort.
if (isset($payload->nbf) && $payload->nbf > ($timestamp + static::$leeway)) {
throw new BeforeValidException('Cannot handle token prior to '.date(DateTime::ISO8601, $payload->nbf));
throw new BeforeValidException(
'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
);
}

// Check that this token has been created before 'now'. This prevents
// using tokens that have been created for later use (and haven't
// correctly used the nbf claim).
if (isset($payload->iat) && $payload->iat > ($timestamp + static::$leeway)) {
throw new BeforeValidException('Cannot handle token prior to '.date(DateTime::ISO8601, $payload->iat));
throw new BeforeValidException(
'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)
);
}

// Check if this token has expired.
@@ -135,13 +137,13 @@ public static function decode($jwt, $key, $allowed_algs = [])
/**
* Converts and signs a PHP object or array into a JWT string.
*
* @param object|array $payload PHP object or array
* @param string $key The secret key.
* If the algorithm used is asymmetric, this is the private key
* @param string $alg The signing algorithm.
* Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
* @param mixed $keyId
* @param array $head An array with header elements to attach
* @param object|array $payload PHP object or array
* @param string $key The secret key.
* If the algorithm used is asymmetric, this is the private key
* @param string $alg The signing algorithm.
* Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
* @param mixed $keyId
* @param array $head An array with header elements to attach
*
* @return string A signed JWT
*
@@ -150,14 +152,14 @@ public static function decode($jwt, $key, $allowed_algs = [])
*/
public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $head = null)
{
$header = ['typ' => 'JWT', 'alg' => $alg];
$header = array('typ' => 'JWT', 'alg' => $alg);
if ($keyId !== null) {
$header['kid'] = $keyId;
}
if (isset($head) && is_array($head)) {
if ( isset($head) && is_array($head) ) {
$header = array_merge($head, $header);
}
$segments = [];
$segments = array();
$segments[] = static::urlsafeB64Encode(static::jsonEncode($header));
$segments[] = static::urlsafeB64Encode(static::jsonEncode($payload));
$signing_input = implode('.', $segments);
@@ -171,22 +173,22 @@ public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $he
/**
* Sign a string with a given key and algorithm.
*
* @param string $msg The message to sign
* @param string|resource $key The secret key
* @param string $alg The signing algorithm.
* Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
*
* @throws DomainException Unsupported algorithm was specified
* @param string $msg The message to sign
* @param string|resource $key The secret key
* @param string $alg The signing algorithm.
* Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
*
* @return string An encrypted message
*
* @throws DomainException Unsupported algorithm was specified
*/
public static function sign($msg, $key, $alg = 'HS256')
{
if (empty(static::$supported_algs[$alg])) {
throw new DomainException('Algorithm not supported');
}
list($function, $algorithm) = static::$supported_algs[$alg];
switch ($function) {
switch($function) {
case 'hash_hmac':
return hash_hmac($algorithm, $msg, $key, true);
case 'openssl':
@@ -200,14 +202,60 @@ public static function sign($msg, $key, $alg = 'HS256')
}
}

/**
* Verify a signature with the message, key and method. Not all methods
* are symmetric, so we must have a separate verify and sign method.
*
* @param string $msg The original message (header and body)
* @param string $signature The original signature
* @param string|resource $key For HS*, a string key works. for RS*, must be a resource of an openssl public key
* @param string $alg The algorithm
*
* @return bool
*
* @throws DomainException Invalid Algorithm or OpenSSL failure
*/
private static function verify($msg, $signature, $key, $alg)
{
if (empty(static::$supported_algs[$alg])) {
throw new DomainException('Algorithm not supported');
}

list($function, $algorithm) = static::$supported_algs[$alg];
switch($function) {
case 'openssl':
$success = openssl_verify($msg, $signature, $key, $algorithm);
if (!$success) {
throw new DomainException("OpenSSL unable to verify data: " . openssl_error_string());
} else {
return $signature;
}
case 'hash_hmac':
default:
$hash = hash_hmac($algorithm, $msg, $key, true);
if (function_exists('hash_equals')) {
return hash_equals($signature, $hash);
}
$len = min(static::safeStrlen($signature), static::safeStrlen($hash));

$status = 0;
for ($i = 0; $i < $len; $i++) {
$status |= (ord($signature[$i]) ^ ord($hash[$i]));
}
$status |= (static::safeStrlen($signature) ^ static::safeStrlen($hash));

return ($status === 0);
}
}

/**
* Decode a JSON string into a PHP object.
*
* @param string $input JSON string
*
* @throws DomainException Provided string was invalid JSON
*
* @return object Object representation of JSON string
*
* @throws DomainException Provided string was invalid JSON
*/
public static function jsonDecode($input)
{
@@ -232,7 +280,6 @@ public static function jsonDecode($input)
} elseif ($obj === null && $input !== 'null') {
throw new DomainException('Null result with non-null input');
}

return $obj;
}

@@ -241,9 +288,9 @@ public static function jsonDecode($input)
*
* @param object|array $input A PHP object or array
*
* @throws DomainException Provided object could not be encoded to valid JSON
*
* @return string JSON representation of the PHP object or array
*
* @throws DomainException Provided object could not be encoded to valid JSON
*/
public static function jsonEncode($input)
{
@@ -253,7 +300,6 @@ public static function jsonEncode($input)
} elseif ($json === 'null' && $input !== null) {
throw new DomainException('Null result with non-null input');
}

return $json;
}

@@ -271,7 +317,6 @@ public static function urlsafeB64Decode($input)
$padlen = 4 - $remainder;
$input .= str_repeat('=', $padlen);
}

return base64_decode(strtr($input, '-_', '+/'));
}

@@ -287,53 +332,6 @@ public static function urlsafeB64Encode($input)
return str_replace('=', '', strtr(base64_encode($input), '+/', '-_'));
}

/**
* Verify a signature with the message, key and method. Not all methods
* are symmetric, so we must have a separate verify and sign method.
*
* @param string $msg The original message (header and body)
* @param string $signature The original signature
* @param string|resource $key For HS*, a string key works. for RS*, must be a resource of an openssl public key
* @param string $alg The algorithm
*
* @throws DomainException Invalid Algorithm or OpenSSL failure
*
* @return bool
*/
private static function verify($msg, $signature, $key, $alg)
{
if (empty(static::$supported_algs[$alg])) {
throw new DomainException('Algorithm not supported');
}

list($function, $algorithm) = static::$supported_algs[$alg];
switch ($function) {
case 'openssl':
$success = openssl_verify($msg, $signature, $key, $algorithm);
if (!$success) {
throw new DomainException("OpenSSL unable to verify data: ".openssl_error_string());
} else {
return $signature;
}
// no break
case 'hash_hmac':
default:
$hash = hash_hmac($algorithm, $msg, $key, true);
if (function_exists('hash_equals')) {
return hash_equals($signature, $hash);
}
$len = min(static::safeStrlen($signature), static::safeStrlen($hash));

$status = 0;
for ($i = 0; $i < $len; $i++) {
$status |= (ord($signature[$i]) ^ ord($hash[$i]));
}
$status |= (static::safeStrlen($signature) ^ static::safeStrlen($hash));

return $status === 0;
}
}

/**
* Helper method to create a JSON error.
*
@@ -343,12 +341,16 @@ private static function verify($msg, $signature, $key, $alg)
*/
private static function handleJsonError($errno)
{
$messages = [
$messages = array(
JSON_ERROR_DEPTH => 'Maximum stack depth exceeded',
JSON_ERROR_CTRL_CHAR => 'Unexpected control character found',
JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON',
];
throw new DomainException(isset($messages[$errno]) ? $messages[$errno] : 'Unknown JSON error: '.$errno);
JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON'
);
throw new DomainException(
isset($messages[$errno])
? $messages[$errno]
: 'Unknown JSON error: ' . $errno
);
}

/**
@@ -363,7 +365,6 @@ private static function safeStrlen($str)
if (function_exists('mb_strlen')) {
return mb_strlen($str, '8bit');
}

return strlen($str);
}
}
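Review bot: The `openssl` case of the relocated `verify()` (the hunk after `sign()`) accepts any non-zero result from `openssl_verify()` as a valid signature. That function returns 1 for a match, 0 for a mismatch and -1 when verification itself fails; `if (!$success)` only catches 0, so -1 reaches `return $signature;`, a truthy value where the docblock promises `bool`. Compare the result strictly instead, `if ($success === 1) { return true; }` and `if ($success === 0) { return false; }`, and keep the `throw new DomainException(...)` for every other value. The call site in `decode()` is outside the visible hunks, so how the -1 case surfaces to callers should be confirmed there. Because this file is a bundled copy under `3rdparty/jwt`, the correction is better taken by updating the vendored library than by patching it locally.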
@@ -1,7 +1,7 @@
<?php

namespace Firebase\JWT;

class SignatureInvalidException extends \UnexpectedValueException
{

}
