DataSet: Add oauth2 client_credentials support for access_token auth

db/migrations/20232402024000_add_auth_url_for_oauth2_to_dataset_table.php

@@ -0,0 +1,50 @@
+<?php
+/*
+ * Copyright (C) 2022 Xibo Signage Ltd
+ *
+ * Xibo - Digital Signage - http://www.xibo.org.uk
+ *
+ * This file is part of Xibo.
+ *
+ * Xibo is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * any later version.
+ *
+ * Xibo is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Xibo.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+use Phinx\Migration\AbstractMigration;
+
+/**
+ * Add display venue metadata
+ * @phpcs:disable PSR1.Classes.ClassDeclaration.MissingNamespace
+ */
+
+class AddAuthUrlForOauth2ToDatasetTable extends AbstractMigration
+{
+    /** @inheritDoc */
+    public function change()
+    {
+        // Add new column
+        $this->table('dataset')
+            ->addColumn('oauth2Url', 'string', ['after' => 'authentication', 'limit' => 1024, 'default' => null, 'null' => true])
+            ->addColumn('oauth2Client', 'string', ['after' => 'oauth2Url', 'limit' => 1024, 'default' => null, 'null' => true])
+            ->addColumn('oauth2ClientSecret', 'string', ['after' => 'oauth2Client', 'limit' => 1024, 'default' => null, 'null' => true])
+            ->addColumn('oauth2GrantType', 'enum', ['values' => ['client_credentials', 'authorization_code'], 'default' => null, 'null' => true])
+            ->save();
+
+        // Modify the existing 'authentication' column to add the 'oauth2' value
+        $tableName = 'dataset';
+        $columnName = 'authentication';
+        $newValues = "'none', 'plain', 'basic', 'digest', 'bearer', 'ntlm', 'oauth2'";
+
+        $this->execute("ALTER TABLE `$tableName` CHANGE `$columnName` `$columnName` ENUM($newValues) DEFAULT NULL");
+    }
+}

db/migrations/20232902024000_extend_dataset_password_column_length.php

@@ -0,0 +1,32 @@
+<?php
+/*
+ * Copyright (C) 2022 Xibo Signage Ltd
+ *
+ * Xibo - Digital Signage - http://www.xibo.org.uk
+ *
+ * This file is part of Xibo.
+ *
+ * Xibo is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * any later version.
+ *
+ * Xibo is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Xibo.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+use Phinx\Migration\AbstractMigration;
+
+class ExtendDatasetPasswordColumnLength extends AbstractMigration
+{
+    public function change(): void
+    {
+        // Updating the password column to accept much longer tokens for the Bearer method
+        $this->execute("ALTER TABLE `dataset` MODIFY `password` VARCHAR(1024)");
+    }
+}

lib/Controller/DataSet.php

@@ -88,6 +88,9 @@ public function getDataSetFactory()
     public function displayPage(Request $request, Response $response)
     {
         $this->getState()->template = 'dataset-page';
+        $this->getState()->setData([
+            'users' => $this->userFactory->query(),
+        ]);
 
         return $this->render($request, $response);
     }
@@ -423,6 +426,34 @@ public function addForm(Request $request, Response $response)
      *      required=false
      *   ),
      *  @SWG\Parameter(
+     *      name="oauth2Url",
+     *      in="formData",
+     *      description="Oauth2.0 Authorization Token Endpoint",
+     *      type="string",
+     *      required=false
+     *   ),
+     *   @SWG\Parameter(
+     *      name="oauth2Client",
+     *      in="formData",
+     *      description="Oauth2.0 Client ID",
+     *      type="string",
+     *      required=false
+     *   ),
+     *   @SWG\Parameter(
+     *      name="oauth2ClientSecret",
+     *      in="formData",
+     *      description="Oauth2.0 Client Secret",
+     *      type="string",
+     *      required=false
+     *   ),
+     *  @SWG\Parameter(
+     *      name="oauth2GrantType",
+     *      in="formData",
+     *      description="Oauth2.0 Grant Type Requested client_credentials|authorization_code",
+     *      type="string",
+     *      required=false
+     *   ),
+     *  @SWG\Parameter(
      *      name="customHeaders",
      *      in="formData",
      *      description="Comma separated string of custom HTTP headers",
@@ -581,6 +612,10 @@ public function add(Request $request, Response $response)
             $dataSet->username = $sanitizedParams->getString('username');
             $dataSet->password = $sanitizedParams->getString('password');
             $dataSet->customHeaders = $sanitizedParams->getString('customHeaders');
+            $dataSet->oauth2Url = $sanitizedParams->getString('oauth2Url');
+            $dataSet->oauth2Client = $sanitizedParams->getString('oauth2Client');
+            $dataSet->oauth2ClientSecret = $sanitizedParams->getString('oauth2ClientSecret');
+            $dataSet->oauth2GrantType = $sanitizedParams->getString('oauth2GrantType');
             $dataSet->userAgent = $sanitizedParams->getString('userAgent');
             $dataSet->refreshRate = $sanitizedParams->getInt('refreshRate');
             $dataSet->clearRate = $sanitizedParams->getInt('clearRate');
@@ -748,6 +783,34 @@ public function editForm(Request $request, Response $response, $id)
      *      required=false
      *   ),
      *  @SWG\Parameter(
+     *      name="oauth2Url",
+     *      in="formData",
+     *      description="Oauth2.0 Authorization Token Endpoint",
+     *      type="string",
+     *      required=false
+     *   ),
+     *   @SWG\Parameter(
+     *      name="oauth2Client",
+     *      in="formData",
+     *      description="Oauth2.0 Client ID",
+     *      type="string",
+     *      required=false
+     *   ),
+     *   @SWG\Parameter(
+     *      name="oauth2ClientSecret",
+     *      in="formData",
+     *      description="Oauth2.0 Client Secret",
+     *      type="string",
+     *      required=false
+     *   ),
+     *  @SWG\Parameter(
+     *      name="oauth2GrantType",
+     *      in="formData",
+     *      description="Oauth2.0 Grant Type Requested client_credentials|authorization_code",
+     *      type="string",
+     *      required=false
+     *   ),
+     *  @SWG\Parameter(
      *      name="customHeaders",
      *      in="formData",
      *      description="Comma separated string of custom HTTP headers",
@@ -890,6 +953,10 @@ public function edit(Request $request, Response $response, $id)
             $dataSet->username = $sanitizedParams->getString('username');
             $dataSet->password = $sanitizedParams->getString('password');
             $dataSet->customHeaders = $sanitizedParams->getString('customHeaders');
+            $dataSet->oauth2Url = $sanitizedParams->getString('oauth2Url');
+            $dataSet->oauth2Client = $sanitizedParams->getString('oauth2Client');
+            $dataSet->oauth2ClientSecret = $sanitizedParams->getString('oauth2ClientSecret');
+            $dataSet->oauth2GrantType = $sanitizedParams->getString('oauth2GrantType');
             $dataSet->userAgent = $sanitizedParams->getString('userAgent');
             $dataSet->refreshRate = $sanitizedParams->getInt('refreshRate');
             $dataSet->clearRate = $sanitizedParams->getInt('clearRate');
@@ -1420,9 +1487,24 @@ public function testRemoteRequest(Request $request, Response $response)
         $dataSet->authentication = $sanitizedParams->getString('authentication');
         $dataSet->username = $sanitizedParams->getString('username');
         $dataSet->password = $sanitizedParams->getString('password');
+        $dataSet->customHeaders = $sanitizedParams->getString('customHeaders');
+        $dataSet->oauth2Url = $sanitizedParams->getString('oauth2Url');
+        $dataSet->oauth2Client = $sanitizedParams->getString('oauth2Client');
+        $dataSet->oauth2ClientSecret = $sanitizedParams->getString('oauth2ClientSecret');
+        $dataSet->oauth2GrantType = $sanitizedParams->getString('oauth2GrantType');
+        $dataSet->userAgent = $sanitizedParams->getString('userAgent');
+        $dataSet->refreshRate = $sanitizedParams->getInt('refreshRate');
+        $dataSet->clearRate = $sanitizedParams->getInt('clearRate');
+        $dataSet->truncateOnEmpty = $sanitizedParams->getCheckbox('truncateOnEmpty');
+        $dataSet->runsAfter = $sanitizedParams->getInt('runsAfter');
         $dataSet->dataRoot = $sanitizedParams->getString('dataRoot');
+        $dataSet->summarize = $sanitizedParams->getString('summarize');
+        $dataSet->summarizeField = $sanitizedParams->getString('summarizeField');
         $dataSet->sourceId = $sanitizedParams->getInt('sourceId');
         $dataSet->ignoreFirstRow = $sanitizedParams->getCheckbox('ignoreFirstRow');
+        $dataSet->rowLimit = $sanitizedParams->getInt('rowLimit');
+        $dataSet->limitPolicy = $sanitizedParams->getString('limitPolicy') ?? 'stop';
+        $dataSet->csvSeparator = ($dataSet->sourceId === 2) ? $sanitizedParams->getString('csvSeparator') ?? ',' : null;
 
         // Set this DataSet as active.
         $dataSet->setActive();
@@ -1571,3 +1653,4 @@ public function clearCache(Request $request, Response $response, $id)
         return $this->render($request, $response);
     }
 }
+

lib/Entity/DataSet.php

@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2024 Xibo Signage Ltd
+ * Copyright (C) 2023 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - https://xibosignage.com
  *
@@ -40,7 +40,6 @@
 use Xibo\Support\Exception\GeneralException;
 use Xibo\Support\Exception\InvalidArgumentException;
 use Xibo\Support\Exception\NotFoundException;
-use Xibo\Widget\Definition\Sql;
 
 /**
  * Class DataSet
@@ -148,6 +147,30 @@ class DataSet implements \JsonSerializable
      */
     public $password;
 
+    /**
+     * @SWG\Property(description="Oauth2.0 Authorization URL")
+     * @var string
+     */
+    public $oauth2Url;
+
+    /**
+     * @SWG\Property(description="Oauth2.0 Client ID")
+     * @var string
+     */
+    public $oauth2Client;
+
+    /**
+     * @SWG\Property(description="Oauth2.0 Client Secret")
+     * @var string
+     */
+    public $oauth2ClientSecret;
+
+    /**
+     * @SWG\Property(description="Oauth2.0 Grant Type")
+     * @var string
+     */
+    public $oauth2GrantType;
+
     /**
      * @SWG\Property(description="Comma separated string of custom HTTP headers")
      * @var string
@@ -266,6 +289,9 @@ class DataSet implements \JsonSerializable
 
     private $countLast = 0;
 
+    /** @var array Blacklist for SQL */
+    private $blackList = array(';', 'INSERT', 'UPDATE', 'SELECT', 'DELETE', 'TRUNCATE', 'TABLE', 'FROM', 'WHERE');
+
     /** @var  \Xibo\Helper\SanitizerService */
     private $sanitizerService;
 
@@ -440,12 +466,9 @@ public function getUniqueColumnValues($columns)
                 if ($column->heading == $heading) {
                     // Formula column?
                     if ($column->dataSetColumnTypeId == 2) {
-                        $select .= str_replace(
-                            Sql::DISALLOWED_KEYWORDS,
-                            '',
-                            htmlspecialchars_decode($column->formula, ENT_QUOTES)
-                        ) . ' AS `' . $column->heading . '`,';
-                    } else {
+                        $select .= str_replace($this->blackList, '', htmlspecialchars_decode($column->formula, ENT_QUOTES)) . ' AS `' . $column->heading . '`,';
+                    }
+                    else {
                         $select .= '`' . $column->heading . '`,';
                     }
                     $found = true;
@@ -521,20 +544,15 @@ public function getData($filterBy = [], $options = [])
             // Formula column?
             if ($column->dataSetColumnTypeId == 2) {
                 // Is this a client side column?
-                if (str_starts_with($column->formula, '$')) {
+                if (substr($column->formula, 0, 1) === '$') {
                     $clientSideFormula[] = $column;
                     continue;
                 }
 
-                $formula = str_ireplace(
-                    Sql::DISALLOWED_KEYWORDS,
-                    '',
-                    htmlspecialchars_decode($column->formula, ENT_QUOTES)
-                );
+                $formula = str_ireplace($this->blackList, '', htmlspecialchars_decode($column->formula, ENT_QUOTES));
                 $formula = str_replace('[DisplayId]', $displayId, $formula);
 
-                $heading = str_replace('[DisplayGeoLocation]', $displayGeoLocation, $formula)
-                    . ' AS `' . $column->heading . '`';
+                $heading = str_replace('[DisplayGeoLocation]', $displayGeoLocation, $formula) . ' AS `' . $column->heading . '`';
             } else {
                 $heading = '`' . $column->heading . '`';
             }
@@ -550,7 +568,7 @@ public function getData($filterBy = [], $options = [])
         if ($filter != '') {
             // Support display filtering.
             $filter = str_replace('[DisplayId]', $displayId, $filter);
-            $filter = str_ireplace(Sql::DISALLOWED_KEYWORDS, '', $filter);
+            $filter = str_ireplace($this->blackList, '', $filter);
 
             $body .= ' AND ' . $filter;
         }
@@ -1008,15 +1026,19 @@ private function add()
 
         // Insert the extra columns we expect for a remote DataSet
         if ($this->isRemote === 1) {
-            $columns .= ', `method`, `uri`, `postData`, `authentication`, `username`, `password`, `customHeaders`, `userAgent`, `refreshRate`, `clearRate`, `truncateOnEmpty`, `runsAfter`, `dataRoot`, `lastSync`, `summarize`, `summarizeField`, `sourceId`, `ignoreFirstRow`, `rowLimit`, `limitPolicy`, `csvSeparator`';
-            $values .= ', :method, :uri, :postData, :authentication, :username, :password, :customHeaders, :userAgent, :refreshRate, :clearRate, :truncateOnEmpty, :runsAfter, :dataRoot, :lastSync, :summarize, :summarizeField, :sourceId, :ignoreFirstRow, :rowLimit, :limitPolicy, :csvSeparator';
+            $columns .= ', `method`, `uri`, `postData`, `authentication`, `username`, `password`, `oauth2Url`, `oauth2Client`, `oauth2ClientSecret`, `oauth2GrantType`, `customHeaders`, `userAgent`, `refreshRate`, `clearRate`, `truncateOnEmpty`, `runsAfter`, `dataRoot`, `lastSync`, `summarize`, `summarizeField`, `sourceId`, `ignoreFirstRow`, `rowLimit`, `limitPolicy`, `csvSeparator`';
+            $values .= ', :method, :uri, :postData, :authentication, :username, :password, :oauth2Url, :oauth2Client, :oauth2ClientSecret, :oauth2GrantType, :customHeaders, :userAgent, :refreshRate, :clearRate, :truncateOnEmpty, :runsAfter, :dataRoot, :lastSync, :summarize, :summarizeField, :sourceId, :ignoreFirstRow, :rowLimit, :limitPolicy, :csvSeparator';
 
             $params['method'] = $this->method;
             $params['uri'] = $this->uri;
             $params['postData'] = $this->postData;
             $params['authentication'] = $this->authentication;
             $params['username'] = $this->username;
             $params['password'] = $this->password;
+            $params['oauth2Url'] = $this->oauth2Url;
+            $params['oauth2Client'] = $this->oauth2Client;
+            $params['oauth2ClientSecret'] = $this->oauth2ClientSecret;
+            $params['oauth2GrantType'] = $this->oauth2GrantType;
             $params['customHeaders'] = $this->customHeaders;
             $params['userAgent'] = $this->userAgent;
             $params['refreshRate'] = $this->refreshRate;
@@ -1061,14 +1083,18 @@ private function edit()
         ];
 
         if ($this->isRemote) {
-            $sql .= ', method = :method, uri = :uri, postData = :postData, authentication = :authentication, `username` = :username, `password` = :password, `customHeaders` = :customHeaders, `userAgent` = :userAgent, refreshRate = :refreshRate, clearRate = :clearRate, truncateOnEmpty = :truncateOnEmpty, runsAfter = :runsAfter, `dataRoot` = :dataRoot, `summarize` = :summarize, `summarizeField` = :summarizeField, `sourceId` = :sourceId, `ignoreFirstRow` = :ignoreFirstRow , `rowLimit` = :rowLimit, `limitPolicy` = :limitPolicy, `csvSeparator` = :csvSeparator ';
+            $sql .= ', method = :method, uri = :uri, postData = :postData, authentication = :authentication, `username` = :username, `password` = :password, `oauth2Url` = :oauth2Url, `oauth2Client` = :oauth2Client, `oauth2ClientSecret` = :oauth2ClientSecret, `oauth2GrantType` = :oauth2GrantType, `customHeaders` = :customHeaders, `userAgent` = :userAgent, refreshRate = :refreshRate, clearRate = :clearRate, truncateOnEmpty = :truncateOnEmpty, runsAfter = :runsAfter, `dataRoot` = :dataRoot, `summarize` = :summarize, `summarizeField` = :summarizeField, `sourceId` = :sourceId, `ignoreFirstRow` = :ignoreFirstRow , `rowLimit` = :rowLimit, `limitPolicy` = :limitPolicy, `csvSeparator` = :csvSeparator ';
 
             $params['method'] = $this->method;
             $params['uri'] = $this->uri;
             $params['postData'] = $this->postData;
             $params['authentication'] = $this->authentication;
             $params['username'] = $this->username;
             $params['password'] = $this->password;
+            $params['oauth2Url'] = $this->oauth2Url;
+            $params['oauth2Client'] = $this->oauth2Client;
+            $params['oauth2ClientSecret'] = $this->oauth2ClientSecret;
+            $params['oauth2GrantType'] = $this->oauth2GrantType;
             $params['customHeaders'] = $this->customHeaders;
             $params['userAgent'] = $this->userAgent;
             $params['refreshRate'] = $this->refreshRate;
@@ -1228,3 +1254,4 @@ public function clearCache()
         $this->pool->deleteItem('/dataset/cache/' . $this->dataSetId);
     }
 }
+