I have set up a Zend SOAP client and server:
See partial code below. In the client I set a username and password in the headers.
But I cannot find any information on how to extract this in the server so that I can authenticate the incoming message, ideally through the Zend_Auth stuff I already use for the rest of the system
Cient:
$username = "user";
$password = "pass";
// initialize SOAP client
$options = array(
'location' => 'http://dev.local/api/soap/index',
'uri' => 'http://dev.local/api/soap/index',
'soap_version' => SOAP_1_2,
'login' => $username,
'password' => $password
);
try {
$client = new Zend_Soap_Client(null, $options);
Server:
$options = array('uri' => 'http://dev.local/api/soap');
$server = new Zend\Soap\Server(null, $options);
$manager = new Manager_Api_Soap();
$server->setClass($manager);
You're able to get header values of variables like this within zend:
$this->getRequest()->getHeader('login')
For further details have a look at a prior answer from me regarding Zend and REST:
Zend Framework 1.12 plugin for checking "Authorization" header
Related
I am trying to obtain the authentication token from the Processmaker to use the APIs. I have used the same API call which works perfectly fine in the test environment, with production urls and respective client id and client secret. But, I am getting below error, although the username and password of the account is correct.
Request:
{
"grant_type": "password",
"scope": "*",
"client_id": "xxxxxx",
"client_secret":"7777777",
"username": "username",
"password": "password"
}
Response:
{
"error": "invalid_client",
"error_description": "The client credentials are invalid"
}
I have tried below steps. But still the same error.
Create a new account without AD user account as the account used in test environment is not a domain account
Change the role of account to 'System Administrator' which is similar to the account in test
**While registering the client to use the APIs, we didn't use the Callback URL as it is optional (we did not configure it in the test environment as well)
Some help is really appreciated, as I have no clue what else to check between the environment to resolve this issue.
I am not sure if you are trying to call API from ProcessMaker to RPA or RPA to ProcessMaker.
For ProcessMaker to RPA:
Using Script: I have built a ProcessMaker script in PHP and with appropriate script configuration, you will be able to run the RPA bot from ProcessMaker.
<?php
/*
* Yo. This script is developed by Abhishek Kadam.
* This script is sufficient to run all the Microbots.
* The Script Configuration contains "release_key" which is the Process ID,
* "robot_id" which is to identify where to run the Bot, "orch_unit_id" which is the folder name
* and "orch_url" which stands for Orchestrator URL. To Run the bot, All the configurations are required.
*/
//******ASSIGNING VARIABLES*****
$client_id = $config['client_id']; // $config to get data from Script Configuration
$refresh_token = $config['refresh_token'];
$release_key = $config['release_key'];
$robot_id = $config['robot_id'];
$orch_url = $config['orch_url'];
$orch_unit_id = $config["orch_unit_id"];
//****** GET ACCESS TOKENS USING CLIENT ID AND REFRESH TOKENS******
$access_token = getAccessToken($client_id,$refresh_token);
$output_response = runBot($access_token,$release_key,$robot_id,$orch_url,$orch_unit_id);
//pass the Access token to runbot() and run the bot ez-pz!
function getAccessToken($client_id,$refresh_token){
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => "https://account.uipath.com/oauth/token",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS =>"{\r\n \"grant_type\": \"refresh_token\",\r\n \"client_id\": \"".$client_id."\",\r\n \"refresh_token\": \"".$refresh_token."\"\r\n}",
CURLOPT_HTTPHEADER => array(
"Content-Type: application/json"
),
));
$response = curl_exec($curl);
curl_close($curl);
$responseDecode = json_decode($response);
$accessToken= $responseDecode -> access_token; //get the access token
return $accessToken;
}
function runBot($access_token,$release_key,$robot_id,$orch_url,$orch_unit_id){
$curl = curl_init(); //Not sure if it's the right way to initialize or not but meh, it works :P
curl_setopt_array($curl, array(
CURLOPT_URL => $orch_url."/odata/Jobs/UiPath.Server.Configuration.OData.StartJobs",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS =>"{ \"startInfo\":\r\n { \"ReleaseKey\": \"".$release_key."\",\r\n \"Strategy\": \"Specific\",\r\n \"RobotIds\": [ ".$robot_id."],\r\n \"JobsCount\": 0,\r\n \"Source\": \"Manual\" \r\n } \r\n}",
// Release key and Robot ID can be concatenated and passed as an argument(once I figure out how to get arguments in PM 4 scripts)
CURLOPT_HTTPHEADER => array(
"Content-Type: application/json",
"Authorization: Bearer ".$access_token,
"X-UIPATH-OrganizationUnitId: ".$orch_unit_id
//There's another way to use the Access token. For now, I found this more helpful.
//As the document is TL;DR. https://www.php.net/manual/en/function.curl-setopt.php
),
));
$response = curl_exec($curl);
curl_close($curl);
return $response;
//echo $response; //Print Response cuz why not? ;)
}
return [$access_token];
?>
I had used the UiPath RPA tool for this without mentioning any callback URL.
Using Data Connectors: Create Data Connectors in ProcessMaker. I prefer to using the Postman application before creating DC. Refer: Postman to UiPath Bot
For RPA Bot to ProcessMaker
In ProcessMaker documentation you can see the Swagger Link for your particular instance. The Swagger Documentation for ProcessMaker was not really helpful. There are few mistakes in the documentation provided.
For ease, I did import the API collection in Postman and proceeded with creating variables: baseURL & accessToken
baseURL: Your URL (https://something.processmaker.net)
ADD /api/1.0
/api/1.0 (https://something.processmaker.net/api/1.0)
Now the URL is correct. Also while sending the request make sure Params are not empty.
Note: For Access Token, Admin --> Users --> Edit --> API Tokens --> Create new Token --> Copy Token.
In Processmaker 4, API tokens are available for individual Users.
I hope this will help you in a way. Thanks!
Trouble with authentication in vk.com with zend_oauth
Message:
Error in HTTP request: Unable to enable crypto on TCP connection oauth.vk.com: make sure the "sslcafile" or "sslcapath" option are properly set for the environment.
Help me please
You need to use curl as adapter and turn off ssl certificate checks:
$adapter = new \Zend\Http\Client\Adapter\Curl();
$adapter = $adapter->setCurlOption(CURLOPT_SSL_VERIFYHOST, false);
$adapter = $adapter->setCurlOption(CURLOPT_SSL_VERIFYPEER, false);
$config = array(
'siteUrl' => 'https://url',
'consumerKey' => 'login',
'consumerSecret' => 'pass'
);
$consumer = new \ZendOAuth\Consumer($config);
/** #var \Zend\Http\Client $httpClient */
$httpClient = $consumer->getHttpClient();
$httpClient->setAdapter($adapter);
I'm trying to implement HTTP-based authentication through a Zend\Authentication\Adapter\Http as explained in the ZF2 documentation about the HTTP Authentication Adapter.
I want to block every incoming request until the user agent is authenticated, however I'm unsure about how to implement this in my module.
How would I setup my Zend\Mvc application to deny access to my controllers?
What you are looking for is probably a listener attached to the Zend\Mvc\MvcEvent::EVENT_DISPATCH event of your application.
In order, here's what you have to do to block access to any action through an authentication adapter. First of all, define a factory that is responsible for producing your authentication adapter:
namespace MyApp\ServiceFactory;
use Zend\ServiceManager\FactoryInterface;
use Zend\ServiceManager\ServiceLocatorInterface;
use Zend\Authentication\Adapter\Http as HttpAdapter;
use Zend\Authentication\Adapter\Http\FileResolver;
class AuthenticationAdapterFactory implements FactoryInterface
{
public function createService(ServiceLocatorInterface $serviceLocator)
{
$config = $serviceLocator->get('Config');
$authConfig = $config['my_app']['auth_adapter'];
$authAdapter = new HttpAdapter($authConfig['config']);
$basicResolver = new FileResolver();
$digestResolver = new FileResolver();
$basicResolver->setFile($authConfig['basic_passwd_file']);
$digestResolver->setFile($authConfig['digest_passwd_file']);
$adapter->setBasicResolver($basicResolver);
$adapter->setDigestResolver($digestResolver);
return $adapter;
}
}
This factory will basically give you a configured auth adapter, and abstract its instantiation logic away.
Let's move on and attach a listener to our application's dispatch event so that we can block any request with invalid authentication headers:
namespace MyApp;
use Zend\ModuleManager\Feature\ConfigProviderInterface;
use Zend\ModuleManager\Feature\BootstrapListenerInterface;
use Zend\EventManager\EventInterface;
use Zend\Mvc\MvcEvent;
use Zend\Http\Request as HttpRequest;
use Zend\Http\Response as HttpResponse;
class MyModule implements ConfigProviderInterface, BootstrapListenerInterface
{
public function getConfig()
{
// moved out for readability on SO, since config is pretty short anyway
return require __DIR__ . '/config/module.config.php';
}
public function onBootstrap(EventInterface $event)
{
/* #var $application \Zend\Mvc\ApplicationInterface */
$application = $event->getTarget();
$serviceManager = $application->getServiceManager();
// delaying instantiation of everything to the latest possible moment
$application
->getEventManager()
->attach(function (MvcEvent $event) use ($serviceManager) {
$request = $event->getRequest();
$response = $event->getResponse();
if ( ! (
$request instanceof HttpRequest
&& $response instanceof HttpResponse
)) {
return; // we're not in HTTP context - CLI application?
}
/* #var $authAdapter \Zend\Authentication\Adapter\Http */
$authAdapter = $serviceManager->get('MyApp\AuthenticationAdapter');
$authAdapter->setRequest($request);
$authAdapter->setResponse($response);
$result = $adapter->authenticate();
if ($result->isValid()) {
return; // everything OK
}
$response->setBody('Access denied');
$response->setStatusCode(HttpResponse::STATUS_CODE_401);
$event->setResult($response); // short-circuit to application end
return false; // stop event propagation
}, MvcEvent::EVENT_DISPATCH);
}
}
And then the module default configuration, which in this case was moved to MyModule/config/module.config.php:
return array(
'my_app' => array(
'auth_adapter' => array(
'config' => array(
'accept_schemes' => 'basic digest',
'realm' => 'MyApp Site',
'digest_domains' => '/my_app /my_site',
'nonce_timeout' => 3600,
),
'basic_passwd_file' => __DIR__ . '/dummy/basic.txt',
'digest_passwd_file' => __DIR__ . '/dummy/digest.txt',
),
),
'service_manager' => array(
'factories' => array(
'MyApp\AuthenticationAdapter'
=> 'MyApp\ServiceFactory\AuthenticationAdapterFactory',
),
),
);
This is the essence of how you can get it done.
Obviously, you need to place something like an my_app.auth.local.php file in your config/autoload/ directory, with the settings specific to your current environment (please note that this file should NOT be committed to your SCM):
<?php
return array(
'my_app' => array(
'auth_adapter' => array(
'basic_passwd_file' => __DIR__ . '/real/basic_passwd.txt',
'digest_passwd_file' => __DIR__ . '/real/digest_passwd.txt',
),
),
);
Eventually, if you also want to have better testable code, you may want to move the listener defined as a closure to an own class implementing the Zend\EventManager\ListenerAggregateInterface.
You can achieve the same results by using ZfcUser backed by a Zend\Authentication\Adapter\Http, combined with BjyAuthorize, which handles the listener logic on unauthorized actions.
Answer of #ocramius is accept answer But you forget to describe How to write two files basic_password.txt and digest_passwd.txt
According to Zend 2 Official Doc about Basic Http Authentication:
basic_passwd.txt file contains username, realm(the same realm into your configuration) and plain password -> <username>:<realm>:<credentials>\n
digest_passwd.txt file contains username, realm(the same realm into your configuration) and password hashing Using MD5 hash -> <username>:<realm>:<credentials hashed>\n
Example:
if basic_passwd.txt file:
user:MyApp Site:password\n
Then digest_passwd.txt file:
user:MyApp Site:5f4dcc3b5aa765d61d8327deb882cf99\n
Alternatively you can use Apache Resolver for HTTP Adapter
use Zend\Authentication\Adapter\Http\ApacheResolver;
$path = 'data/htpasswd';
// Inject at instantiation:
$resolver = new ApacheResolver($path);
// Or afterwards:
$resolver = new ApacheResolver();
$resolver->setFile($path);
According to https://zendframework.github.io/zend-authentication/adapter/http/#resolvers
Trying to do a simple read via PHP cURL. I can read my data successfully if my security rules let everyone in e.g.
{
"rules": {
".read": true,
".write": true
}
}
However if I restrict read/write to a specific username e.g.
{
"rules": {
".read": "auth.username == 'admin'",
".write": "auth.username == 'admin'"
}
}
I get permission denied.
The code is as follows...
require('JWT.php');
$secret = 'MY_FIREBASE_SECRET';
$data = array('username' => 'admin');
$token = JWT::encode($data, $secret);
$url = "https://MY_FIREBASE.firebaseio.com/messages.json?auth=$token";
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => $url
));
$response = curl_exec($curl);
Its worth noting, if I just use my FB secret instead of a token in the URL I am able to successfully read the data (auth=$secret). I have also successfully tested reading the data in the Forge simulator using "custom auth" e.g. {'username': 'admin'}
I'm using the PHP JWT library: https://github.com/luciferous/jwt/blob/master/JWT.php
Not sure if I'm getting permission denied because my cURL call is not correct or I'm not constructing the token properly. I have tried using POST and GET via cURL but I'm getting the same result.
Any suggestions would be much appreciated...
Thanks for the super quick response Andrew. I tried your suggestion. Unfortunately, I'm still getting 'permission denied'. Here is my updated code...
require('JWT.php');
$secret = 'my-secret';
$user = array( 'v' => 0, 'iat' => time(), 'd' => array('username' => 'admin', 'type' => 'admin', 'fullname' => 'Administrator'));
$token = JWT::encode($user, $secret);
$curl = curl_init();
$url = "https://myfirebase.firebaseio.com/messages.json?auth=$token";
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => $url
));
$response = curl_exec($curl);
curl_close($curl);
I did get this working by changing the .read rule for our data to
"auth != null" - but that doesn't seem to quite as secure...
For reference our data structure is simply
+ myfirebase
+ messages
- 000001 = "this is the 1st test message"
- 000002 = "this is the 2nd test message"
BTW: Our application will only have 1 user reading/writing data. If I can not get the token to work... Is there a better way to authenticate calls via the REST API without resorting to passing our secret key in the URL? e.g. &auth='my-secret'
The Firebase JWT has some structure to it that is missing here. There's a detailed explanation of what should be in these auth tokens here:
https://www.firebase.com/docs/security/jwt-auth-token-format.html
Here is a snippet with the appropriate structure.
require_once('JWT.php');
$fbSecret = 'your-secret';
$user = array( 'v' => 0, 'iat' => <timestamp>,
'd' => array('username' => 'jimbob', 'type' => 'admin',\
'fullname' => 'Jim Bob')
);
$token = JWT::encode($user, $fbSecret);
Note that the "d" field contains the actual payload. "v", and "iat" are also required. "iat" should be the number of seconds since the epoch (it's the number that (new Date()).getTime() returns in Javascript).
Looking for a ColdFusion version of the following PHP API wrapper for CapsuleCRM:
<?php
// The data you want to send to Capsule CRM in xml format
// SEE http://capsulecrm.com/help/page/javelin_api_party
I'm understanding that this variable contains the XML string...
$myxml="<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n
<person>\n
<title>Mr</title>\n
<firstName>Test12</firstName>\n
<lastName>Tester12</lastName>\n
<jobTitle>Chairman</jobTitle>\n
<organisationName>Big Company</organisationName>\n
<about>Testing</about>\n
</person>";
// The URL to connect with (note the /api/ that's needed and note it's person rather than party)
// SEE: http://capsulecrm.com/help/page/api_gettingstarted/
$capsulepage = 'https://sample.capsulecrm.com/api/person';
However, I don't know how to initiate cURL in ColdFusion.
// Initialise the session and return a cURL handle to pass to other cURL functions.
$ch = curl_init($capsulepage);
What does the 'curl_setopt_array' function do exactly? Is there a CF equivalent?
// set appropriate options NB these are the minimum necessary to achieve a post with a useful response
// ...can and should add more in a real application such as
// timeout CURLOPT_CONNECTTIMEOUT
// and useragent CURLOPT_USERAGENT
// replace 1234567890123456789 with your own API token from your user preferences page
$options = array(CURLOPT_USERPWD => '1234567890123456789:x',
CURLOPT_HTTPHEADER => array('Content-Type: text/xml'),
CURLOPT_HEADER => true,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $myxml
);
curl_setopt_array($ch, $options);
// Do the POST and collect the response for future printing etc then close the session
$response = curl_exec($ch);
$responseInfo = curl_getinfo($ch);
curl_close($ch);
?>
I could be wrong, but that looks like a basic http post. The equivalent in CF is cfhttp. To pass parameters/headers (ie curl_setopt_array) use cfhttpparam.