From ca2efb7b85bfe68bac821631975f085ed91091d5 Mon Sep 17 00:00:00 2001
From: gotlieb <gotlieb.erez@gmail.com>
Date: Wed, 13 May 2020 11:10:31 +0300
Subject: [PATCH 1/4] PLAT-10806 authenticate uri

---
 .../kaltura/lib/request/kNetworkUtils.php     | 48 +++++++++++++++++++
 .../actions/serveFlavorAction.class.php       |  4 +-
 configurations/local.template.ini             |  1 +
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 alpha/apps/kaltura/lib/request/kNetworkUtils.php

diff --git a/alpha/apps/kaltura/lib/request/kNetworkUtils.php b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
new file mode 100644
index 00000000000..5a878016ac8
--- /dev/null
+++ b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
@@ -0,0 +1,48 @@
+<?php
+/**
+ * @package server-infra
+ * @subpackage request
+ */
+class kNetworkUtils
+{
+	/**
+	 * @return bool
+	 * @throws Exception
+	 */
+	public static function isAuthenticatedURI()
+	{
+		if (!isset($_SERVER['HTTP_X_KALTURA_AUTH']))
+		{
+			KalturaLog::warning("Missing Header Parameter - X-Kaltura-Auth");
+			return false;
+		}
+		$xKalturaAuth = $_SERVER['HTTP_X_KALTURA_AUTH'];
+		$parts = explode(',', $xKalturaAuth);
+		if (count($parts) != 3)
+		{
+			KalturaLog::warning("Invalid X-Kaltura-Auth Format");
+			return false;
+		}
+
+		$version = $parts[0];
+		$timestamp = $parts[1];
+		$expectedSignature = $parts[2];
+		$url = $_SERVER['REQUEST_URI'];
+		$secret = kConf::get('authentication_secret','local', null);
+		if (!$secret)
+		{
+			KalturaLog::warning("Missing authentication_secret in configuration");
+			return false;
+		}
+
+		$actualSignature = base64_encode(hash_hmac('sha256', "$version,$timestamp,$url", $secret, true));
+		KalturaLog::debug("Actual Signature [$actualSignature] - Expected Signature [$expectedSignature]" );
+		if ( $actualSignature !== $expectedSignature)
+		{
+			KalturaLog::warning("Could not authenticate X-Kaltura-Auth");
+			return false;
+		}
+
+		return true;
+	}
+}
\ No newline at end of file
diff --git a/alpha/apps/kaltura/modules/extwidget/actions/serveFlavorAction.class.php b/alpha/apps/kaltura/modules/extwidget/actions/serveFlavorAction.class.php
index 2b7d39465bf..f5dbea38143 100644
--- a/alpha/apps/kaltura/modules/extwidget/actions/serveFlavorAction.class.php
+++ b/alpha/apps/kaltura/modules/extwidget/actions/serveFlavorAction.class.php
@@ -26,7 +26,7 @@ protected static function jsonEncode($obj)
 		}
 		return json_encode($obj, $options);
 	}
-	
+
 	public function getFileSyncFullPath(FileSync $fileSync, $local = true)
 	{
 		if(!$local)
@@ -482,7 +482,7 @@ public function execute()
 		
 		$syncKey = $flavorAsset->getSyncKey(flavorAsset::FILE_SYNC_FLAVOR_ASSET_SUB_TYPE_ASSET, $version);
 
-		if ($this->pathOnly && kIpAddressUtils::isInternalIp($_SERVER['REMOTE_ADDR']))
+		if ($this->pathOnly && (kIpAddressUtils::isInternalIp($_SERVER['REMOTE_ADDR'])) || kNetworkUtils::isAuthenticatedURI())
 		{
 			$path = '';
 			$parent_file_sync = null;
diff --git a/configurations/local.template.ini b/configurations/local.template.ini
index 4dc3176938b..38b433d25b9 100644
--- a/configurations/local.template.ini
+++ b/configurations/local.template.ini
@@ -17,6 +17,7 @@ push_server_secret = @TOKEN@
 push_server_secret_iv = @TOKEN_IV@
 push_server_exchange = @EXCHANGE_NAME@
 live_packager_secure_token = @LIVE_PACKAGER_TOKEN@
+authentication_secret = @AUTHENTICATION_SECRET@
 
 ; Define a packager url for thumbs and volume_map (https://kaltura.atlassian.net/browse/PLAT-10835).
 ; The value set in the below directive will be concatenated to that set in packager_url

From 048e1d97a9865500c76a4e9dba8a4bb2888a5079 Mon Sep 17 00:00:00 2001
From: gotlieb <gotlieb.erez@gmail.com>
Date: Mon, 18 May 2020 12:10:03 +0300
Subject: [PATCH 2/4] PLAT-10806

---
 alpha/apps/kaltura/lib/request/kNetworkUtils.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/alpha/apps/kaltura/lib/request/kNetworkUtils.php b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
index 5a878016ac8..b190c13cc4b 100644
--- a/alpha/apps/kaltura/lib/request/kNetworkUtils.php
+++ b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
@@ -5,22 +5,23 @@
  */
 class kNetworkUtils
 {
+	const KALTURA_AUTH_HEADER = 'HTTP_X_KALTURA_AUTH';
 	/**
 	 * @return bool
 	 * @throws Exception
 	 */
 	public static function isAuthenticatedURI()
 	{
-		if (!isset($_SERVER['HTTP_X_KALTURA_AUTH']))
+		if (!isset($_SERVER[self::KALTURA_AUTH_HEADER]))
 		{
-			KalturaLog::warning("Missing Header Parameter - X-Kaltura-Auth");
+			KalturaLog::warning("Missing Header Parameter - ". self::KALTURA_AUTH_HEADER);
 			return false;
 		}
-		$xKalturaAuth = $_SERVER['HTTP_X_KALTURA_AUTH'];
+		$xKalturaAuth = $_SERVER[self::KALTURA_AUTH_HEADER];
 		$parts = explode(',', $xKalturaAuth);
 		if (count($parts) != 3)
 		{
-			KalturaLog::warning("Invalid X-Kaltura-Auth Format");
+			KalturaLog::warning('Invalid Fromat for ' . self::KALTURA_AUTH_HEADER);
 			return false;
 		}
 

From b78c49a352502cc5a0b702c92023d9532f1e3cec Mon Sep 17 00:00:00 2001
From: gotlieb <gotlieb.erez@gmail.com>
Date: Mon, 18 May 2020 12:19:10 +0300
Subject: [PATCH 3/4] PLAT-10806

---
 alpha/apps/kaltura/lib/request/kNetworkUtils.php | 2 +-
 configurations/local.template.ini                | 1 -
 release-notes.md                                 | 9 +++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/alpha/apps/kaltura/lib/request/kNetworkUtils.php b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
index b190c13cc4b..9f49e5bdf35 100644
--- a/alpha/apps/kaltura/lib/request/kNetworkUtils.php
+++ b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
@@ -29,7 +29,7 @@ public static function isAuthenticatedURI()
 		$timestamp = $parts[1];
 		$expectedSignature = $parts[2];
 		$url = $_SERVER['REQUEST_URI'];
-		$secret = kConf::get('authentication_secret','local', null);
+		$secret = kConf::get('authentication_secret','secrets', null);
 		if (!$secret)
 		{
 			KalturaLog::warning("Missing authentication_secret in configuration");
diff --git a/configurations/local.template.ini b/configurations/local.template.ini
index 38b433d25b9..4dc3176938b 100644
--- a/configurations/local.template.ini
+++ b/configurations/local.template.ini
@@ -17,7 +17,6 @@ push_server_secret = @TOKEN@
 push_server_secret_iv = @TOKEN_IV@
 push_server_exchange = @EXCHANGE_NAME@
 live_packager_secure_token = @LIVE_PACKAGER_TOKEN@
-authentication_secret = @AUTHENTICATION_SECRET@
 
 ; Define a packager url for thumbs and volume_map (https://kaltura.atlassian.net/browse/PLAT-10835).
 ; The value set in the below directive will be concatenated to that set in packager_url
diff --git a/release-notes.md b/release-notes.md
index 776933ae522..c0e0efea04f 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -1,3 +1,12 @@
+# Propus 16.3.0  #
+
+## Authenticate uris ##
+- Issue Type: Task
+- Issue ID: PLAT-10806
+
+### Configuration ###
+Add the appropriate secret to 'authentication_secret' param in 'secrets' map
+
 # Propus 16.2.0  #
 
 ## Support export captions to remote storage ##

From 53f37a5169ec6a503e9812b211d52d7480f574c1 Mon Sep 17 00:00:00 2001
From: gotlieb <gotlieb.erez@gmail.com>
Date: Mon, 18 May 2020 12:26:03 +0300
Subject: [PATCH 4/4] PLAT-10806

---
 alpha/apps/kaltura/lib/request/kNetworkUtils.php | 2 +-
 configurations/local.template.ini                | 1 +
 release-notes.md                                 | 9 ---------
 3 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/alpha/apps/kaltura/lib/request/kNetworkUtils.php b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
index 9f49e5bdf35..b190c13cc4b 100644
--- a/alpha/apps/kaltura/lib/request/kNetworkUtils.php
+++ b/alpha/apps/kaltura/lib/request/kNetworkUtils.php
@@ -29,7 +29,7 @@ public static function isAuthenticatedURI()
 		$timestamp = $parts[1];
 		$expectedSignature = $parts[2];
 		$url = $_SERVER['REQUEST_URI'];
-		$secret = kConf::get('authentication_secret','secrets', null);
+		$secret = kConf::get('authentication_secret','local', null);
 		if (!$secret)
 		{
 			KalturaLog::warning("Missing authentication_secret in configuration");
diff --git a/configurations/local.template.ini b/configurations/local.template.ini
index 4dc3176938b..38b433d25b9 100644
--- a/configurations/local.template.ini
+++ b/configurations/local.template.ini
@@ -17,6 +17,7 @@ push_server_secret = @TOKEN@
 push_server_secret_iv = @TOKEN_IV@
 push_server_exchange = @EXCHANGE_NAME@
 live_packager_secure_token = @LIVE_PACKAGER_TOKEN@
+authentication_secret = @AUTHENTICATION_SECRET@
 
 ; Define a packager url for thumbs and volume_map (https://kaltura.atlassian.net/browse/PLAT-10835).
 ; The value set in the below directive will be concatenated to that set in packager_url
diff --git a/release-notes.md b/release-notes.md
index c0e0efea04f..776933ae522 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -1,12 +1,3 @@
-# Propus 16.3.0  #
-
-## Authenticate uris ##
-- Issue Type: Task
-- Issue ID: PLAT-10806
-
-### Configuration ###
-Add the appropriate secret to 'authentication_secret' param in 'secrets' map
-
 # Propus 16.2.0  #
 
 ## Support export captions to remote storage ##