
@derhansen
Created September 9, 2014 08:17
TYPO3 Formhandler HashService Interceptor
<?php
/* *
* This script is part of the TYPO3 project - inspiring people to share! *
* *
* TYPO3 is free software; you can redistribute it and/or modify it under *
* the terms of the GNU General Public License version 2 as published by *
* the Free Software Foundation. *
* *
* This script is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHAN- *
* TABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General *
* Public License for more details. *
* */
/**
* An interceptor which is able to validate GET/POST variables with the
* TYPO3 Extbase HashService.
*
* NOTE: Make sure you use PreProcessor_LoadGetPost before using this interceptor!
*
* Example:
* <code>
* initInterceptors.1.class = Tx_Formhandler_Interceptor_HashService
*
* initInterceptors.1.config.redirectPage = 17
*
* initInterceptors.1.config.validateHmac.fields.uid1 = hmacForUid1
* initInterceptors.1.config.validateHmac.fields.uid2 = hmacForUid2
*
* initInterceptors.1.config.validateAndStripHmac.fields.1 = appendedHmacString1
* initInterceptors.1.config.validateAndStripHmac.fields.2 = appendedHmacString2
*
* </code>
*
* The validateHmac configuration checks whether the GP var hmacForUid1 is the
* correct HMAC for the GP var uid1
*
* The validateAndStripHmac configuration checks whether the GP var appendedHmacString1
* is an HMAC string that can be validated
*
* @author Torben Hansen <derhansen@gmail.com>
*/
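class Tx_Formhandler_Interceptor_HashService extends Tx_Formhandler_AbstractInterceptor {

    /**
     * The main method called by the controller.
     *
     * When HMAC validation fails, the session is reset and, if a redirectPage
     * is configured, a redirect is issued. In both failure cases an error
     * message string is returned instead of the GET/POST array.
     *
     * @return array|string The GET/POST parameters, or an error message if validation failed
     */
    public function process() {
        if (!$this->validateGPVars()) {
            // Drop the session in both failure paths, before any redirect.
            $this->globals->getSession()->reset();
            // !empty() keeps the original truthiness test without raising a
            // notice when redirectPage is not configured at all.
            if (!empty($this->settings['redirectPage'])) {
                $this->utilityFuncs->doRedirectBasedOnSettings($this->settings, $this->gp);
            }
            return 'Given GET/POST vars could not be validated';
        }
        return $this->gp;
    }

    /**
     * Performs HMAC validation for the configured GET/POST variables.
     *
     * Validation fails closed: a missing value, a non-string value (for
     * example an array submitted as "field[]=x") or an exception raised by
     * the HashService all result in FALSE.
     *
     * Notes for integrators:
     * - Only the submitted value and its HMAC are passed to the HashService;
     *   the field name is not part of the check. Presumably any value/HMAC
     *   pair that is valid for this installation is therefore accepted for
     *   any configured field - confirm against the HashService in use and
     *   sign a context-specific string if that matters.
     * - For validateAndStripHmac the stripped result is discarded, so
     *   $this->gp keeps the value with the HMAC still appended. Consumers
     *   must strip it themselves.
     * - A validateHmac./validateAndStripHmac. section without a "fields."
     *   array validates nothing and passes, as before.
     *
     * @return bool TRUE if all configured fields validate, else FALSE
     */
    public function validateGPVars() {
        $hashService = new \TYPO3\CMS\Extbase\Security\Cryptography\HashService();

        // validateHmac: the value and its HMAC arrive in two separate GP vars.
        foreach ($this->getHashServiceFieldMap('validateHmac.') as $fieldName => $hmacName) {
            $value = $this->getStringGPVar($fieldName);
            $hmac = $this->getStringGPVar($hmacName);
            if ($value === NULL || $hmac === NULL) {
                return FALSE;
            }
            try {
                if (!$hashService->validateHmac($value, $hmac)) {
                    return FALSE;
                }
            } catch (\Exception $e) {
                // Treat any HashService failure as a failed validation, in
                // line with the validateAndStripHmac handling below.
                return FALSE;
            }
        }

        // validateAndStripHmac: a single GP var carries the value with the HMAC appended.
        foreach ($this->getHashServiceFieldMap('validateAndStripHmac.') as $appendedHmacName) {
            $appended = $this->getStringGPVar($appendedHmacName);
            if ($appended === NULL) {
                return FALSE;
            }
            try {
                // Return value (the stripped string) is intentionally unused here.
                $hashService->validateAndStripHmac($appended);
            } catch (\Exception $e) {
                return FALSE;
            }
        }

        return TRUE;
    }

    /**
     * Returns the "fields." map of the given settings section.
     *
     * @param string $sectionKey Settings key including the trailing dot, e.g. "validateHmac."
     * @return array The configured fields, or an empty array if the section or its fields are missing
     */
    private function getHashServiceFieldMap($sectionKey) {
        if (!isset($this->settings[$sectionKey]) || !is_array($this->settings[$sectionKey])) {
            return array();
        }
        $section = $this->settings[$sectionKey];
        if (!isset($section['fields.']) || !is_array($section['fields.'])) {
            return array();
        }
        return $section['fields.'];
    }

    /**
     * Returns a GET/POST variable only if it is present and a string.
     *
     * Request parameters can be arrays; those can never be a valid value or
     * HMAC and must not reach the HashService.
     *
     * @param string $name Name of the GP var
     * @return string|NULL The value, or NULL if it is missing or not a string
     */
    private function getStringGPVar($name) {
        if (!isset($this->gp[$name]) || !is_string($this->gp[$name])) {
            return NULL;
        }
        return $this->gp[$name];
    }
}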
?>