function api_auth_oauth2_has_auth(&$method, $key_row = null)
{
    # Authenticate an API call carrying an OAuth2 access token.
    #
    # Checks run in a fixed order - token present, token known, not
    # disabled, not expired, owning API key valid, token perms sufficient
    # for the method, and finally (unless waived below) a live user - and
    # the first failure is returned as
    #   array('ok' => 0, 'error' => ..., 'error_code' => ...)
    # On success returns array('ok' => 1, 'access_token' => $token_row,
    # 'api_key' => $key_row, 'user' => $user); 'user' is null only when
    # the null-user feature below skipped the user lookup.
    #
    # $method  - API method definition; only 'requires_perms' is read here.
    # $key_row - NOTE(review): this argument is never read. It is
    #            overwritten unconditionally by api_keys_get_by_id() below,
    #            so a caller-supplied key row has no effect.
    $access_token = api_auth_oauth2_get_access_token($method);
    if (!$access_token) {
        return array('ok' => 0, 'error' => 'Required access token missing', 'error_code' => 400);
    }
    $token_row = api_oauth2_access_tokens_get_by_token($access_token);
    if (!$token_row) {
        return array('ok' => 0, 'error' => 'Invalid access token', 'error_code' => 400);
    }
    if ($token_row['disabled']) {
        # NOTE(review): 502 is out of step with the 400/403 used for every
        # other token failure in this function - confirm it is intentional.
        return array('ok' => 0, 'error' => 'Access token is disabled', 'error_code' => 502);
    }
    # A falsy 'expires' skips the expiry check entirely (non-expiring token).
    if ($token_row['expires'] && $token_row['expires'] < time()) {
        return array('ok' => 0, 'error' => 'Access token has expired', 'error_code' => 400);
    }
    # I find it singularly annoying that we have to do this here
    # but OAuth gets what [redacted] wants. See also: notes in
    # lib_api.php around ln 65 (20121026/straup)
    #
    # The key row is always re-read from the token's own api_key_id rather
    # than trusted from the caller, and a token is only usable while its
    # key passes api_keys_utils_is_valid_key(); that helper's failure
    # response is passed through unchanged.
    $key_row = api_keys_get_by_id($token_row['api_key_id']);
    $rsp = api_keys_utils_is_valid_key($key_row);
    if (!$rsp['ok']) {
        return $rsp;
    }
    if (isset($method['requires_perms'])) {
        # Perms are compared numerically (lower value = less access); the
        # permissions map is consulted only to name the required level in
        # the error. NOTE(review): a 'requires_perms' value absent from the
        # map yields an undefined-index notice and an empty name here.
        if ($token_row['perms'] < $method['requires_perms']) {
            $perms_map = api_oauth2_access_tokens_permissions_map();
            $required = $perms_map[$method['requires_perms']];
            return array('ok' => 0, 'error' => "Insufficient permissions, method requires a token with '{$required}' permissions", 'error_code' => 403);
        }
    }
    # Ensure user-iness - this may seem like a no-brainer until you think
    # about how the site itself uses the API in the absence of a logged-in
    # user (20130508/straup)
    #
    # The user check is waived only when all three hold: the token has no
    # user_id, the api_oauth2_tokens_null_users feature is on, and the
    # key's role_id is one of the role names listed in
    # $GLOBALS['cfg']['api_oauth2_tokens_null_users_allowed_roles']
    # (resolved to ids through the 'string keys' roles map).
    $ensure_user = 1;
    $user = null;
    if (!$token_row['user_id'] && $key_row && features_is_enabled("api_oauth2_tokens_null_users")) {
        $key_role_id = $key_row['role_id'];
        $roles_map = api_keys_roles_map('string keys');
        # NOTE(review): assumed to be an array of role-name strings; a
        # missing or non-array config value would make the foreach warn and
        # leave $valid_roles_ids empty (so the user check still applies).
        $valid_roles = $GLOBALS['cfg']['api_oauth2_tokens_null_users_allowed_roles'];
        $valid_roles_ids = array();
        foreach ($valid_roles as $role) {
            # A role name not present in the map appends null here.
            $valid_roles_ids[] = $roles_map[$role];
        }
        # NOTE(review): in_array() is loose here; $key_role_id is guarded
        # against falsy values, but if role ids on both sides are the same
        # scalar type a strict (third-argument true) check would be safer.
        $ensure_user = $key_role_id && in_array($key_role_id, $valid_roles_ids) ? 0 : 1;
    }
    if ($ensure_user) {
        # A token with an empty user_id ends up here as "Not a valid user"
        # unless the null-user branch above waived the check.
        $user = users_get_by_id($token_row['user_id']);
        if (!$user || $user['deleted']) {
            return array('ok' => 0, 'error' => 'Not a valid user', 'error_code' => 400);
        }
    }
    #
    return array('ok' => 1, 'access_token' => $token_row, 'api_key' => $key_row, 'user' => $user);
}
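function api_keys_is_infrastructure_key(&$key)
{
    # Return 1 when the key's role_id maps to the "infrastructure" role,
    # 0 otherwise. A missing role_id, or one unknown to the roles map,
    # now yields 0 instead of an undefined-index notice. The comparison is
    # strict: the map value is compared against a string literal, so loose
    # == could only widen what counts as a match.
    $map = api_keys_roles_map();
    $role = isset($key['role_id']) ? $key['role_id'] : null;
    if ($role === null || !isset($map[$role])) {
        return 0;
    }
    return $map[$role] === "infrastructure" ? 1 : 0;
}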
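function api_keys_create($user_id, $title, $description, $callback = '')
{
    # Create a new API key owned by $user_id and insert it into ApiKeys.
    #
    # Returns the db_insert() response; on success it also carries the
    # unescaped row under 'key'. That row includes 'app_secret', so the
    # return value must be treated as sensitive by callers. When $user_id
    # does not resolve to a live user, returns
    #   array('ok' => 0, 'error' => ..., 'error_code' => 400)
    # instead of inserting a key with a null owner (previously the lookup
    # result was used without a check).
    $user = users_get_by_id($user_id);
    if (!$user || $user['deleted']) {
        return array('ok' => 0, 'error' => 'Not a valid user', 'error_code' => 400);
    }
    $id = dbtickets_create(64);
    $role_map = api_keys_roles_map('string keys');
    # TO DO(review): $role_id is computed but never stored in $key_row;
    # confirm whether ApiKeys.role_id has a DB default or whether
    # 'role_id' => $role_id should be added to the insert.
    $role_id = $role_map['general'];
    $key = api_keys_generate_key();
    # NOTE(review): app_secret must come from a CSPRNG - confirm that
    # random_string() is not built on rand()/mt_rand().
    $secret = random_string(64);
    $now = time();
    $key_row = array(
        'id' => $id,
        'user_id' => $user['id'],
        'api_key' => $key,
        'app_secret' => $secret,
        'created' => $now,
        'last_modified' => $now,
        'app_title' => $title,
        'app_description' => $description,
        'app_callback' => $callback,
    );
    # TO DO: callbacks and other stuff (what?)
    #
    # Escaping follows the db_insert() convention used across this code
    # base (addslashes per value); keys are preserved by array_map().
    $insert = array_map('addslashes', $key_row);
    $rsp = db_insert('ApiKeys', $insert);
    if ($rsp['ok']) {
        $rsp['key'] = $key_row;
    }
    return $rsp;
}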
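function api_oauth2_access_tokens_is_infrastructure_token(&$token)
{
    # Return 1 when the token's api_key_role_id maps to the
    # "infrastructure" role, 0 otherwise. A missing or unknown role id
    # yields 0 rather than an undefined-index notice, and the comparison
    # is strict for the same reason as in api_keys_is_infrastructure_key():
    # the map value is matched against a string literal.
    $map = api_keys_roles_map();
    $role = isset($token['api_key_role_id']) ? $token['api_key_role_id'] : null;
    if ($role === null || !isset($map[$role])) {
        return 0;
    }
    return $map[$role] === "infrastructure" ? 1 : 0;
}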
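function api_config_ensure_role(&$method, &$key, &$token)
{
    # Enforce $method['requires_role'] against the role of the calling
    # API key.
    #
    # Returns 1 when the method declares no role requirement or when the
    # key's role name is one of the required names. Otherwise emits a 403
    # through api_output_error(), which is assumed to end the request (the
    # sibling api_config_ensure_roles() relies on the same); 0 is returned
    # after it only as a fail-closed fallback.
    #
    # The previous implementation compared the required role names against
    # the list of *all* role names known to api_keys_roles_map() and never
    # looked at $key, so any correctly spelled requirement passed for every
    # key. The lookup below mirrors api_config_ensure_roles().
    if (!isset($method['requires_role'])) {
        return 1;
    }
    if (!is_array($method['requires_role'])) {
        # A requirement that is set but not a list is a config error; fail
        # closed rather than open, matching api_config_ensure_roles().
        api_output_error(403, "Insufficient permissions for API key (because the server is misconfigured)");
        return 0;
    }
    $roles_map = api_keys_roles_map();
    $role_id = isset($key['role_id']) ? $key['role_id'] : null;
    $role = ($role_id !== null && isset($roles_map[$role_id])) ? $roles_map[$role_id] : null;
    # Strict membership: role names are strings on both sides, and an
    # unknown role (null) must never match.
    if ($role !== null && in_array($role, $method['requires_role'], true)) {
        return 1;
    }
    api_output_error(403, "Insufficient permissions for API key");
    return 0;
}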
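function api_config_ensure_roles(&$method, &$key, &$token)
{
    # Enforce the method's API-key role and user role requirements.
    #
    # 'requires_key_role' - list of role names; the calling key's role_id
    #   (resolved through api_keys_roles_map()) must be one of them.
    # 'requires_user_role' - list of roles passed to auth_has_role_any()
    #   together with the token's user_id.
    # Either key may be absent (no requirement). A value that is present
    # but not an array is treated as a server misconfiguration and fails
    # closed with a 403, as before.
    #
    # Returns 1 when every declared requirement holds. Failures go through
    # api_output_error(), assumed to end the request; the 0 returned after
    # it is only a fail-closed fallback. Compared with the previous version
    # this checks isset() before is_array() (no notice on an absent key),
    # tolerates a role_id unknown to the map (treated as no role), uses a
    # strict in_array(), and drops the empty else branches.
    $roles_map = api_keys_roles_map();
    if (isset($method['requires_key_role'])) {
        if (!is_array($method['requires_key_role'])) {
            api_output_error(403, "Insufficient permissions for API key (because the server is misconfigured)");
            return 0;
        }
        $role_id = isset($key['role_id']) ? $key['role_id'] : null;
        $role = ($role_id !== null && isset($roles_map[$role_id])) ? $roles_map[$role_id] : null;
        # Strict membership: role names are strings, and an unknown role
        # (null) must never satisfy the requirement.
        if ($role === null || !in_array($role, $method['requires_key_role'], true)) {
            api_output_error(403, "Insufficient permissions for API key");
            return 0;
        }
    }
    if (isset($method['requires_user_role'])) {
        if (!is_array($method['requires_user_role'])) {
            api_output_error(403, "Insufficient permissions for API key (because the server is misconfigured)");
            return 0;
        }
        if (!auth_has_role_any($method['requires_user_role'], $token['user_id'])) {
            api_output_error(403, "Insufficient permissions for API key");
            return 0;
        }
    }
    return 1;
}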