From 2f74619552fd8ab55eeac95fb89955326ccf04ac Mon Sep 17 00:00:00 2001
From: juan-cortizas-ponte
Date: Fri, 31 Jul 2020 12:09:17 +0200
Subject: [PATCH 1/4] sso with HMAC token validation

---
 main/auth/hmac/login.php | 107 ++++++++++++++++++++++++++++++
 main/auth/hmac/settings.dist..php | 7 ++
 2 files changed, 114 insertions(+)
 create mode 100644 main/auth/hmac/login.php
 create mode 100644 main/auth/hmac/settings.dist..php

diff --git a/main/auth/hmac/login.php b/main/auth/hmac/login.php
new file mode 100644
index 0000000000..31a0610f8e
--- /dev/null
+++ b/main/auth/hmac/login.php
@@ -0,0 +1,107 @@
+ 0) {
+ $tokenTime = strtotime($time);
+ $diff = abs($tokenTime - time()) / 60;
+ if ($diff > $settingsInfo['expiration_time']) {
+ Display::addFlash(Display::return_message('Token expired', 'error'));
+ header('Location: '.api_get_path(WEB_PATH));
+ exit;
+ }
+ }
+
+ // Get the user info
+ $userInfo = api_get_user_info_from_email($email);
+
+ // Log-in user if exists or a show error message
+ if (!empty($userInfo)) {
+ Session::write('_user', $userInfo);
+ Session::write('is_platformAdmin', false);
+ Session::write('is_allowedCreateCourse', false);
+
+ Event::eventLogin($userId);
+
+ Session::write('flash_messages', '');
+ } else {
+ Display::addFlash(Display::return_message('User not found', 'error'));
+ header('Location: '.api_get_path(WEB_PATH));
+ exit;
+ }
+
+ header('Location: '.api_get_path(WEB_PATH).'user_portal.php');
+} else {
+ Display::addFlash(Display::return_message('Invalid request', 'error'));
+ header('Location: '.api_get_path(WEB_PATH));
+ exit;
+}
\ No newline at end of file
diff --git a/main/auth/hmac/settings.dist..php b/main/auth/hmac/settings.dist..php
new file mode 100644
index 0000000000..f46e7ebf6e
--- /dev/null
+++ b/main/auth/hmac/settings.dist..php
@@ -0,0 +1,7 @@
+ '',
+ 'system' => '',
+ 'expiration_time' => 0,
+];
\ No newline at end of file
From 79197dd34898590718df28daf59bc9a8af0d6138 Mon Sep 17 00:00:00 2001
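Review bot: `Event::eventLogin($userId)` in the successful-login branch of the new file uses `$userId`, which is not assigned anywhere in the readable part of this hunk — the only user data fetched is `$userInfo` from `api_get_user_info_from_email($email)` — so the login event is recorded without a user id unless the assignment sits in the leading part of the hunk that is garbled in this copy of the patch. The expected form is the id taken from the user-info array, presumably `Event::eventLogin($userInfo['user_id']);` (confirm the key name against Chamilo's user-info array). The expiration check runs only `if ($settingsInfo['expiration_time'] > 0)`, so the default of `0` shipped in settings.dist..php disables expiry entirely and a captured link stays valid indefinitely; a non-positive value should be treated as a configuration error that rejects the request rather than skips the check, and a `false` result from `strtotime($time)` should be rejected explicitly instead of flowing into `abs($tokenTime - time())`. The token comparison itself falls in the unreadable part of the hunk; if it is a plain `==`/`===`, it should be `hash_equals($validToken, $token)`.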
From: juan-cortizas-ponte
Date: Fri, 31 Jul 2020 13:18:26 +0200
Subject: [PATCH 2/4] fix lint errors & refactoring

---
 main/auth/hmac/login.php | 48 +++++++++++++++----------------
 main/auth/hmac/settings.dist..php | 2 +-
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/main/auth/hmac/login.php b/main/auth/hmac/login.php
index 31a0610f8e..74b91d6361 100644
--- a/main/auth/hmac/login.php
+++ b/main/auth/hmac/login.php
@@ -5,32 +5,32 @@ use ChamiloSession as Session;
 /**
 * This file contains the necessary elements to allow a Single Sign On
 * based on a validation of a hmac computed hash
- *
+ *
 * To allow the SSO access /main/auth/hmac/login.php must receive as
 * query string parameters the following parameters:
- *
- * 'N': user email.
- *
- * 'H': time of the request, as HH:mm.
- *
- * 'S': System name, a control value.
- *
+ *
+ * 'email': user email.
+ *
+ * 'time': time of the request, as HH:mm.
+ *
+ * 'system': System name, a control value.
+ *
 * 'Token': a HMAC computed SHA256 algorithm based on the concatenation of
- * the 'H' and 'N' value.
- *
+ * the 'time' and 'email' value.
+ *
 * Example:
- *
- * https://campus.chamilo/main/auth/hmac/login.php?N=user@domain.com&H=10:48&S=SystemName&Token=0407ae5cf5f80525800eaf4276a48c5ce293dd766be4c5edb0a87ecd082f20bd
- *
+ *
+ * https://campus.chamilo/main/auth/hmac/login.php?email=user@domain.com&time=10:48&system=SystemName&Token=0407ae5cf5f80525800eaf4276a48c5ce293dd766be4c5edb0a87ecd082f20bd
+ *
 * Also a settings.php file must be configured the set the following values:
- *
+ *
 * 'secret': secret key used to generate a HMAC computed hash to validate the
 * received 'Token' parameter on the query string.
- *
+ *
 * 'secret': secret key used to generate a HMAC computed hash to validate the 'Token' parameter on the query string.
- *
+ *
 * 'expiration_time': integer value, maximum time in minutes of the request lifetime.
- *
+ *
 */
 
 require_once '../../../main/inc/global.inc.php';
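Review bot: The rewritten header comment documents `'secret'` twice (the `'secret': secret key used to generate a HMAC computed hash to validate the 'Token' parameter on the query string.` entry repeats the one two lines above it) and never documents `'system'`, although settings.dist..php defines that key and the same comment calls the `system` query parameter "a control value" without saying what it is checked against. Replace the duplicate with an entry for the settings key, e.g. `* 'system': expected value of the 'system' query string parameter.`, and have the `'Token'` entry say that `system` is not part of the MAC input (the next hunk computes `hash_hmac('sha256', $time.$email, ...)`), so integrators know what the token does and does not bind. The same block is edited again by patch 4 (the `@@ -30,9 +30,7 @@` hunk), which keeps the duplicate. `must be configured the set the following values` should read `must be configured to set the following values`. The template file created by patch 1 is named `settings.dist..php` (two dots) while the file's own `// Create a settings.dist.php` comment refers to `settings.dist.php`; one of the two is a typo.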
@@ -47,11 +47,11 @@ if (file_exists('settings.php')) {
 }
 
 // Check if we have all the parameters from the query string
-if (isset($_GET['N']) && isset($_GET['H']) && isset($_GET['S']) && isset($_GET['Token'])) {
- $email = $_GET['N'];
- $time = $_GET['H'];
- $system = $_GET['S'];
- $token = $_GET['Token'];
+if (isset($_GET['email']) && isset($_GET['time']) && isset($_GET['system']) && isset($_GET['Token'])) {
+ $email = $_GET['email'];
+ $time = $_GET['time'];
+ $system = $_GET['system'];
+ $token = $_GET['Token'];
 
 // Generate the token
 $validToken = hash_hmac('sha256', $time.$email, $settingsInfo['secret'], false);
@@ -85,7 +85,7 @@ if (isset($_GET['N']) && isset($_GET['H']) && isset($_GET['S']) && isset($_GET['
 $userInfo = api_get_user_info_from_email($email);
 
 // Log-in user if exists or a show error message
- if (!empty($userInfo)) {
+ if (!empty($userInfo)) {
 Session::write('_user', $userInfo);
 Session::write('is_platformAdmin', false);
 Session::write('is_allowedCreateCourse', false);
@@ -104,4 +104,4 @@ if (isset($_GET['N']) && isset($_GET['H']) && isset($_GET['S']) && isset($_GET['
 Display::addFlash(Display::return_message('Invalid request', 'error'));
 header('Location: '.api_get_path(WEB_PATH));
 exit;
-}
\ No newline at end of file
+}
diff --git a/main/auth/hmac/settings.dist..php b/main/auth/hmac/settings.dist..php
index f46e7ebf6e..97ac4af106 100644
--- a/main/auth/hmac/settings.dist..php
+++ b/main/auth/hmac/settings.dist..php
@@ -4,4 +4,4 @@ $settingsInfo = [
 'secret' => '',
 'system' => '',
 'expiration_time' => 0,
-];
\ No newline at end of file
+];
From 8b3203e593a23f4a1e77c4dea413f209a2578633 Mon Sep 17 00:00:00 2001
From: juan-cortizas-ponte
Date: Fri, 31 Jul 2020 13:23:54 +0200
Subject: [PATCH 3/4] fix lint errors on comments

---
 main/auth/hmac/login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main/auth/hmac/login.php b/main/auth/hmac/login.php
index 74b91d6361..6163125847 100644
--- a/main/auth/hmac/login.php
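Review bot: The `$_GET` values assigned at `$email = $_GET['email'];` through `$token = $_GET['Token'];` are never checked to be strings before they reach `hash_hmac('sha256', $time.$email, $settingsInfo['secret'], false)` (a query such as `email[]=` yields an array, which string-concatenates as `Array` with a notice), and an empty `$settingsInfo['secret']` — the value shipped in settings.dist..php — still produces a computable MAC, so a deployment that forgot to fill in settings.php accepts tokens anyone can compute. Reject non-string parameters and an empty secret up front with the same `Invalid request` redirect the file already uses, as sketched below. Separately, `$time.$email` is concatenated with no delimiter and `$system` is not part of the MAC input at all, so the token neither binds the request to the system it names nor has an unambiguous boundary between the two fields; moving to a delimited input such as `$system."\n".$time."\n".$email` is a protocol change that must be coordinated with the issuing side, so it is better decided now than after deployment. The enclosing `if` continues past the hunk (token comparison and expiration check are outside it); the `@@ -85,7 +85,7 @@` and `@@ -104,4 +104,4 @@` hunks below are whitespace-only.
```php
// … unchanged: settings.php loading …
if (isset($_GET['email'], $_GET['time'], $_GET['system'], $_GET['Token'])) {
    $email = $_GET['email'];
    $time = $_GET['time'];
    $system = $_GET['system'];
    $token = $_GET['Token'];

    // Refuse non-scalar query values and an unconfigured secret before computing anything
    if (!is_string($email) || !is_string($time) || !is_string($system) || !is_string($token)
        || !isset($settingsInfo['secret']) || $settingsInfo['secret'] === ''
    ) {
        Display::addFlash(Display::return_message('Invalid request', 'error'));
        header('Location: '.api_get_path(WEB_PATH));
        exit;
    }

    // Generate the token
    $validToken = hash_hmac('sha256', $time.$email, $settingsInfo['secret'], false);
    // … unchanged: token comparison and expiration check (outside this hunk) …
```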
+++ b/main/auth/hmac/login.php
@@ -4,7 +4,7 @@
 use ChamiloSession as Session;
 /**
 * This file contains the necessary elements to allow a Single Sign On
- * based on a validation of a hmac computed hash
+ * based on a validation of a hmac computed hash.
 *
 * To allow the SSO access /main/auth/hmac/login.php must receive as
 * query string parameters the following parameters:
From 769dd15b7cc77a873963b125bc2357d2355f13f0 Mon Sep 17 00:00:00 2001
From: juan-cortizas-ponte
Date: Fri, 31 Jul 2020 13:32:28 +0200
Subject: [PATCH 4/4] Remove line break and an extra asterisk on comments

---
 main/auth/hmac/login.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/main/auth/hmac/login.php b/main/auth/hmac/login.php
index 6163125847..c4eedc9384 100644
--- a/main/auth/hmac/login.php
+++ b/main/auth/hmac/login.php
@@ -30,9 +30,7 @@ use ChamiloSession as Session;
 * 'secret': secret key used to generate a HMAC computed hash to validate the 'Token' parameter on the query string.
 *
 * 'expiration_time': integer value, maximum time in minutes of the request lifetime.
- *
 */
-
 require_once '../../../main/inc/global.inc.php';
 
 // Create a settings.dist.php