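/**
 * Revoke an api user key.
 *
 * Looks up the keypair behind the given public key and deletes its row from
 * the api_users table. The row id is cast to int before it is interpolated
 * into the statement, so nothing but digits can ever reach the SQL string.
 *
 * @param string $api_key   The API Key (public).
 *
 * @return bool false when no keypair matches the public key; otherwise
 *              whatever delete_data() returns for the DELETE statement.
 */
function remove_api_user($api_key)
{
    $dbprefix = elgg_get_config('dbprefix');
    $keypair = get_api_user($api_key);
    if (!$keypair) {
        return false;
    }

    // Never interpolate an unvalidated value into SQL: the id column is
    // numeric, so an int cast is a cheap guarantee against injection here.
    $id = (int) $keypair->id;

    return delete_data("DELETE from {$dbprefix}api_users where id={$id}");
}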
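/**
 * Revoke an api user key.
 *
 * Looks up the keypair for the site/public-key pair and deletes its row from
 * the api_users table. The row id is cast to int before it is interpolated
 * into the statement, so nothing but digits can ever reach the SQL string.
 *
 * @param int    $site_guid The GUID of the site.
 * @param string $api_key   The API Key (public).
 *
 * @return bool false when no keypair matches; otherwise whatever
 *              delete_data() returns for the DELETE statement.
 */
function remove_api_user($site_guid, $api_key)
{
    global $CONFIG;

    $keypair = get_api_user($site_guid, $api_key);
    if (!$keypair) {
        return false;
    }

    // Never interpolate an unvalidated value into SQL: the id column is
    // numeric, so an int cast is a cheap guarantee against injection here.
    $id = (int) $keypair->id;

    return delete_data("DELETE from {$CONFIG->dbprefix}api_users where id={$id}");
}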
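/**
 * Hook handler: verify the pleio_api license before an API key is accepted.
 *
 * The stored license key is expected to equal an HMAC-SHA256 of the site URL
 * keyed with the site GUID. When the stored key is missing, does not match,
 * or has not been re-checked for 24 hours, a fresh key is requested from the
 * license server — but only for requests made with the "pleio_app" API
 * application. Sites with GUID 1 are never checked.
 *
 * NOTE(review): the HMAC key is the site GUID, which is not secret, and the
 * license server is reached over plain http. Neither is changed here because
 * the remote service defines that scheme — confirm before hardening either.
 *
 * @param string $hook        name of the hook
 * @param string $type        type of the hook
 * @param mixed  $returnvalue current return value
 * @param mixed  $params      hook parameters (the public API key as a string)
 *
 * @return bool|void false to reject the API key when no license key is
 *                   available; nothing otherwise, leaving the hook result as is
 */
function pleio_api_use_api_key($hook, $type, $returnvalue, $params)
{
    $site = elgg_get_site_entity();
    if (!$site || (int) $site->guid === 1) {
        return;
    }

    $license_key = elgg_get_plugin_setting("license_key", "pleio_api");
    $last_check = intval(elgg_get_plugin_setting("last_license_check", "pleio_api"));
    $expected = hash_hmac("SHA256", $site->url, (string) $site->guid);

    // Strict, constant-time comparison; a non-string setting simply does not match.
    $key_matches = is_string($license_key) && hash_equals($expected, $license_key);
    $is_stale = !$last_check || $last_check < time() - 86400;

    if (!$license_key || !$key_matches || $is_stale) {
        // Recorded before the fetch, so a failed fetch is not retried for 24h.
        elgg_set_plugin_setting("last_license_check", time(), "pleio_api");

        if (!empty($params) && is_string($params)) {
            $api_user = get_api_user($site->getGUID(), $params);
            $app = $api_user ? ws_pack_get_application_from_api_user_id($api_user->id) : null;
            if ($app && $app->application_id == "pleio_app") {
                $fetched = _pleio_api_fetch_license_key($site);
                // false means "no reply at all"; a reply without a key still
                // overwrites the stored key (with null), as before.
                if ($fetched !== false) {
                    $license_key = $fetched;
                    elgg_set_plugin_setting("license_key", $license_key, "pleio_api");
                }
            }
        }
    }

    if (!$license_key) {
        return false;
    }
}

/**
 * Ask the license server for this site's license key.
 *
 * file_get_contents() reports failure with a warning and a false return, not
 * an exception, so the explicit `false` check is the real failure path; the
 * catch stays for setups whose error handler turns warnings into exceptions.
 *
 * @param object $site the current site entity (as returned by elgg_get_site_entity)
 *
 * @return mixed the "key" member of the JSON reply (null when the reply is
 *               not a JSON object or has no key), or false when no reply
 *               was received
 */
function _pleio_api_fetch_license_key($site)
{
    $data = array(
        "id" => $site->guid,
        "name" => $site->name,
        "url" => $site->url,
        "email" => $site->email,
        "members" => $site->member_count,
    );
    $url = "http://appstaat.funil.nl/overheidsplein-app/license.php?" . http_build_query($data);

    try {
        $response = file_get_contents($url);
    } catch (Exception $ex) {
        return false;
    }
    if (!$response) {
        return false;
    }

    $decoded = json_decode($response);
    // Reading ->key on null or a scalar only produces a warning and null;
    // make that outcome explicit instead.
    if (!is_object($decoded) || !isset($decoded->key)) {
        return null;
    }

    return $decoded->key;
}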
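/**
 * PAM: Confirm the HMAC signature
 *
 * Looks up the API user named by the request headers, recomputes the HMAC
 * over the header fields and the query string, then rejects replays and, for
 * POST, a body whose hash does not match the signed posthash.
 *
 * Failure messages deliberately do not echo the server-side HMAC: a rejected
 * request is never recorded by cache_hmac_check_replay(), so returning the
 * expected value for the caller's own headers would hand a client without
 * the secret exactly the signature it needs to resend.
 *
 * @return true if success - otherwise throws exception
 *
 * @throws SecurityException on an unknown API key, a mismatching HMAC, a
 *                           replayed packet, or a POST body/posthash mismatch
 * @since 1.7.0
 * @access private
 */
function api_auth_hmac()
{
    // Get api header
    $api_header = get_and_validate_api_headers();

    // Pull API user details
    $api_user = get_api_user(elgg_get_site_entity()->guid, $api_header->api_key);
    if (!$api_user) {
        throw new SecurityException(elgg_echo('SecurityException:InvalidAPIKey'), ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
    }

    // Get the secret key
    $secret_key = $api_user->secret;

    // Query string: everything after the first '?'. Without a '?' the signed
    // query is empty (strpos() returning false must not become offset 1).
    $uri = _elgg_services()->request->server->get('REQUEST_URI');
    $pos = strpos($uri, '?');
    $query = $pos === false ? '' : substr($uri, $pos + 1);

    // calculate expected HMAC
    $hmac = calculate_hmac(
        $api_header->hmac_algo,
        $api_header->time,
        $api_header->nonce,
        $api_header->api_key,
        $secret_key,
        $query,
        $api_header->method == 'POST' ? $api_header->posthash : ""
    );

    // Constant-time comparison; the casts keep hash_equals() happy when the
    // header value is missing rather than a string.
    if (!hash_equals((string) $hmac, (string) $api_header->hmac)) {
        throw new SecurityException("HMAC is invalid.");
    }

    // Now make sure this is not a replay
    if (cache_hmac_check_replay($hmac)) {
        throw new SecurityException(elgg_echo('SecurityException:DupePacket'));
    }

    // Validate post data
    if ($api_header->method == "POST") {
        $postdata = get_post_data();
        $calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);
        if (!hash_equals((string) $calculated_posthash, (string) $api_header->posthash)) {
            $msg = elgg_echo('SecurityException:InvalidPostHash', array($calculated_posthash, $api_header->posthash));
            throw new SecurityException($msg);
        }
    }

    return true;
}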
/**
 * Store the used API application for future use
 *
 * Resolves the API user for the public key passed as $params and, when that
 * user belongs to one of our API applications, remembers the application for
 * the rest of the request.
 *
 * @param string $hook        name of the hook
 * @param string $type        type of the hook
 * @param string $returnvalue current return value
 * @param mixed  $params      hook parameters (the public API key as a string)
 *
 * @return void
 */
function ws_pack_api_key_use_hook_handler($hook, $type, $returnvalue, $params)
{
    // only a non-empty string can be a public API key
    if (empty($params) || !is_string($params)) {
        return;
    }

    $site = elgg_get_site_entity();

    // get the current api user
    $current_user = get_api_user($site->getGUID(), $params);
    if (!$current_user) {
        return;
    }

    // check if we're using our API application
    $application = ws_pack_get_application_from_api_user_id($current_user->id);
    if ($application) {
        // store the API application for later use
        ws_pack_set_current_api_application($application);
    }
}
 = function() {
		if ( confirm(elgg.echo('apiadmin:regenerate_prompt')) ) {
			document.location.href = '<?php 
echo "{$CONFIG->url}action/apiadmin/regenerate?keyid={$entity->guid}&__elgg_token={$token}&__elgg_ts={$ts}";
?>
';
		}
	};
</script>
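<?php 
// Image block for one API key: icon on the left, title/actions/key material on the right.
$icon = elgg_view('graphics/icon', array('entity' => $entity, 'size' => 'small'));

$public_label = elgg_echo('apiadmin:public');
$private_label = elgg_echo('apiadmin:private');
$revoke_label = elgg_echo('apiadmin:revoke');
$rename_label = elgg_echo('apiadmin:rename');
$regenerate_label = elgg_echo('apiadmin:regenerate');

// Entity fields are data, not markup: escape them for the HTML context.
// double_encode=false keeps anything already entity-encoded on input from
// being encoded a second time.
$title = htmlspecialchars((string) $entity->title, ENT_QUOTES, 'UTF-8', false);
$public_key = htmlspecialchars((string) $entity->public, ENT_QUOTES, 'UTF-8', false);
// The guid becomes part of a JS function name inside onclick; an int cast
// guarantees it contains nothing but digits.
$guid = (int) $entity->guid;

$info = "<div class=\"contentWrapper\">";
$info .= "<p><b>{$title}</b>";
$info .= " &nbsp; [<a href=\"#\" onclick=\"elgg.apiadmin_revoke{$guid}();\">{$revoke_label}</a>]";
$info .= " &nbsp; [<a href=\"#\" onclick=\"elgg.apiadmin_rename{$guid}();\">{$rename_label}</a>]";
$info .= " &nbsp; [<a href=\"#\" onclick=\"elgg.apiadmin_regen{$guid}();\">{$regenerate_label}</a>]";
$info .= "</p></div>";
$info .= "<div><p><b>{$public_label}:</b> {$public_key}<br />";

// Only show secret portion to admins
if (elgg_is_admin_logged_in()) {
    // Fetch key; an unknown public key yields an empty secret rather than a warning.
    $keypair = get_api_user($CONFIG->site_id, $entity->public);
    $secret = $keypair ? htmlspecialchars((string) $keypair->secret, ENT_QUOTES, 'UTF-8', false) : '';
    $info .= "<b>{$private_label}:</b> {$secret}";
}
$info .= "</p></div>";

echo elgg_view_image_block($icon, $info);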
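/**
 * Secure authentication through headers and HMAC.
 *
 * Looks up the API user named by the request headers, recomputes the HMAC
 * over the header fields and the re-encoded GET variables, then rejects
 * replays and, for POST, a body whose hash does not match the signed posthash.
 *
 * Failure messages deliberately do not echo the server-side HMAC or the
 * inputs it was computed from: a rejected request is never recorded by
 * cache_hmac_check_replay(), so returning the expected value for the caller's
 * own headers would hand a client without the secret the signature it needs
 * to resend.
 *
 * @param mixed $credentials unused; kept for the PAM handler signature
 *
 * @return bool true when the request is authentic
 *
 * @throws SecurityException on an unknown API key, a missing or mismatching
 *                           HMAC, a replayed packet, or a POST body/posthash mismatch
 */
function pam_auth_hmac($credentials = NULL)
{
    global $CONFIG;

    // Get api header
    $api_header = get_and_validate_api_headers();

    // Pull API user details
    $api_user = get_api_user($CONFIG->site_id, $api_header->api_key);
    if (!$api_user) {
        throw new SecurityException(elgg_echo('SecurityException:InvalidAPIKey'), ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
    }

    // Get the secret key
    $secret_key = $api_user->secret;

    // Serialise parameters
    $encoded_params = array();
    foreach ($api_header->get_variables as $k => $v) {
        $encoded_params[] = urlencode($k) . '=' . urlencode($v);
    }
    $params = implode('&', $encoded_params);

    // Validate HMAC: both values must be present and byte-identical;
    // hash_equals() keeps the comparison constant-time.
    $hmac = calculate_hmac(
        $api_header->hmac_algo,
        $api_header->time,
        $api_header->api_key,
        $secret_key,
        $params,
        $api_header->method == 'POST' ? $api_header->posthash : ""
    );
    if (!$api_header->hmac || !$hmac || !hash_equals((string) $hmac, (string) $api_header->hmac)) {
        throw new SecurityException("HMAC is invalid.");
    }

    // Now make sure this is not a replay
    if (cache_hmac_check_replay($hmac)) {
        throw new SecurityException(elgg_echo('SecurityException:DupePacket'));
    }

    // Validate post data
    if ($api_header->method == "POST") {
        $postdata = get_post_data();
        $calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);
        if (!hash_equals((string) $calculated_posthash, (string) $api_header->posthash)) {
            throw new SecurityException(sprintf(elgg_echo('SecurityException:InvalidPostHash'), $calculated_posthash, $api_header->posthash));
        }
    }

    // Every check passed: tell the PAM engine the request is authentic.
    return true;
}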