From 2f74619552fd8ab55eeac95fb89955326ccf04ac Mon Sep 17 00:00:00 2001
From: juan-cortizas-ponte <juan.cortizas@ivorysoluciones.com>
Date: Fri, 31 Jul 2020 12:09:17 +0200
Subject: [PATCH] sso with HMAC token validation

---
 main/auth/hmac/login.php          | 107 ++++++++++++++++++++++++++++++
 main/auth/hmac/settings.dist..php |   7 ++
 2 files changed, 114 insertions(+)
 create mode 100644 main/auth/hmac/login.php
 create mode 100644 main/auth/hmac/settings.dist..php

diff --git a/main/auth/hmac/login.php b/main/auth/hmac/login.php
new file mode 100644
index 0000000000..31a0610f8e
--- /dev/null
+++ b/main/auth/hmac/login.php
@@ -0,0 +1,107 @@
+<?php
+
+use ChamiloSession as Session;
+
+/**
+ * This file contains the necessary elements to allow a Single Sign On
+ * based on a validation of a hmac computed hash
+ * 
+ * To allow the SSO access /main/auth/hmac/login.php must receive as
+ * query string parameters the following parameters:
+ * 
+ * 'N': user email.
+ * 
+ * 'H': time of the request, as HH:mm.
+ * 
+ * 'S': System name, a control value.
+ * 
+ * 'Token': a HMAC computed SHA256 algorithm based on the concatenation of
+ * the 'H' and 'N' value.
+ * 
+ * Example:
+ * 
+ * https://campus.chamilo/main/auth/hmac/login.php?N=user@domain.com&H=10:48&S=SystemName&Token=0407ae5cf5f80525800eaf4276a48c5ce293dd766be4c5edb0a87ecd082f20bd
+ * 
+ * Also a settings.php file must be configured the set the following values:
+ * 
+ * 'secret': secret key used to generate a HMAC computed hash to validate the
+ * received 'Token' parameter on the query string.
+ * 
+ * 'secret': secret key used to generate a HMAC computed hash to validate the 'Token' parameter on the query string.
+ * 
+ * 'expiration_time': integer value, maximum time in minutes of the request lifetime.
+ * 
+ */
+
+require_once '../../../main/inc/global.inc.php';
+
+// Create a settings.dist.php
+if (file_exists('settings.php')) {
+    require_once 'settings.php';
+} else {
+    $message = '';
+    if (api_is_platform_admin()) {
+        $message = 'Create a settings.php';
+    }
+    api_not_allowed(true, $message);
+}
+
+// Check if we have all the parameters from the query string
+if (isset($_GET['N']) && isset($_GET['H']) && isset($_GET['S']) && isset($_GET['Token'])) {
+    $email = $_GET['N'];
+    $time = $_GET['H'];
+    $system = $_GET['S'];
+    $token =  $_GET['Token'];
+
+    // Generate the token
+    $validToken = hash_hmac('sha256', $time.$email, $settingsInfo['secret'], false);
+
+    // Compare the received token & the valid token
+    if ($token !== $validToken) {
+        Display::addFlash(Display::return_message('Incorrect token', 'error'));
+        header('Location: '.api_get_path(WEB_PATH));
+        exit;
+    }
+
+    // Check the system is correct
+    if ($settingsInfo['system'] !== $system) {
+        Display::addFlash(Display::return_message('Incorrect client', 'error'));
+        header('Location: '.api_get_path(WEB_PATH));
+        exit;
+    }
+
+    // Check if the request expired with a diff between the query string parameter & the actual time
+    if ($settingsInfo['expiration_time'] && $settingsInfo['expiration_time'] > 0) {
+        $tokenTime = strtotime($time);
+        $diff = abs($tokenTime - time()) / 60;
+        if ($diff > $settingsInfo['expiration_time']) {
+            Display::addFlash(Display::return_message('Token expired', 'error'));
+            header('Location: '.api_get_path(WEB_PATH));
+            exit;
+        }
+    }
+
+    // Get the user info
+    $userInfo = api_get_user_info_from_email($email);
+
+    // Log-in user if exists or a show error message
+    if (!empty($userInfo)) {        
+        Session::write('_user', $userInfo);
+        Session::write('is_platformAdmin', false);
+        Session::write('is_allowedCreateCourse', false);
+
+        Event::eventLogin($userId);
+
+        Session::write('flash_messages', '');
+    } else {
+        Display::addFlash(Display::return_message('User not found', 'error'));
+        header('Location: '.api_get_path(WEB_PATH));
+        exit;
+    }
+
+    header('Location: '.api_get_path(WEB_PATH).'user_portal.php');
+} else {
+    Display::addFlash(Display::return_message('Invalid request', 'error'));
+    header('Location: '.api_get_path(WEB_PATH));
+    exit;
+}
\ No newline at end of file
diff --git a/main/auth/hmac/settings.dist..php b/main/auth/hmac/settings.dist..php
new file mode 100644
index 0000000000..f46e7ebf6e
--- /dev/null
+++ b/main/auth/hmac/settings.dist..php
@@ -0,0 +1,7 @@
+<?php
+
+$settingsInfo = [
+    'secret' => '',
+    'system' => '',
+    'expiration_time' => 0,
+];
\ No newline at end of file