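/**
 * Revoke an api user key.
 *
 * Looks the key pair up by its public key and deletes the matching
 * api_users row.
 *
 * @param string $api_key The API Key (public).
 *
 * @return bool Result of delete_data(), or false when no such key exists.
 */
function remove_api_user($api_key) {
	$dbprefix = elgg_get_config('dbprefix');

	$keypair = get_api_user($api_key);
	if (!$keypair) {
		return false;
	}

	// The id is interpolated straight into the SQL string, so pin it to an
	// integer: whatever the row object holds, the query can only carry a number.
	$id = (int) $keypair->id;

	return delete_data("DELETE from {$dbprefix}api_users where id={$id}");
}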
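/**
 * Revoke an api user key.
 *
 * Looks the key pair up by site and public key and deletes the matching
 * api_users row.
 *
 * @param int    $site_guid The GUID of the site.
 * @param string $api_key   The API Key (public).
 *
 * @return bool Result of delete_data(), or false when no such key exists.
 */
function remove_api_user($site_guid, $api_key) {
	global $CONFIG;

	$keypair = get_api_user($site_guid, $api_key);
	if (!$keypair) {
		return false;
	}

	// The id is interpolated straight into the SQL string, so pin it to an
	// integer: whatever the row object holds, the query can only carry a number.
	$id = (int) $keypair->id;

	return delete_data("DELETE from {$CONFIG->dbprefix}api_users where id={$id}");
}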
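/**
 * API-key-use hook handler for the Pleio API plugin.
 *
 * Checks that this site holds a license key. When the stored key does not
 * match the expected value, or the last check is missing or older than 24h,
 * the last-check timestamp is bumped and — if the request comes from the
 * "pleio_app" ws_pack application — a fresh key is requested from the
 * license server and stored. Vetoes the API key (returns false) when no
 * license key is available afterwards; otherwise returns nothing so the hook
 * chain continues. The site with GUID 1 is never checked.
 *
 * @param string $hook        name of the hook
 * @param string $type        type of the hook
 * @param mixed  $returnvalue current return value
 * @param mixed  $params      hook parameters; expected to be the public API key (string)
 *
 * @return bool|void false when the site has no license key
 */
function pleio_api_use_api_key($hook, $type, $returnvalue, $params) {
	$site = elgg_get_site_entity();
	if (!$site || $site->guid == 1) {
		return;
	}

	$license_key = elgg_get_plugin_setting("license_key", "pleio_api");
	$last_check = intval(elgg_get_plugin_setting("last_license_check", "pleio_api"));

	// NOTE(review): the HMAC "key" is the site GUID, which is not a secret, so
	// this value can be recomputed by anyone who knows the site URL and GUID.
	// Treat it as a consistency check on the stored setting, not as proof of
	// anything.
	$expected = hash_hmac("SHA256", $site->url, $site->guid);

	// hash_equals() instead of != : constant-time, and no loose-comparison
	// surprises for hex strings that look numeric.
	$key_matches = is_string($license_key) && $license_key !== ''
		&& hash_equals($expected, $license_key);
	$check_is_fresh = $last_check && $last_check >= time() - 86400;

	if (!$key_matches || !$check_is_fresh) {
		elgg_set_plugin_setting("last_license_check", time(), "pleio_api");

		$fetched = pleio_api_fetch_license_key($site, $params);
		if ($fetched !== null) {
			$license_key = $fetched;
			elgg_set_plugin_setting("license_key", $license_key, "pleio_api");
		}
	}

	if (!$license_key) {
		return false;
	}
}

/**
 * Ask the license server for a key for $site, provided $api_key belongs to
 * the "pleio_app" ws_pack application.
 *
 * @param ElggSite $site    the current site
 * @param mixed    $api_key public API key as passed in the hook params
 *
 * @return string|null the key returned by the server; null when the request is
 *                     not from pleio_app, the server could not be reached, or
 *                     the response carried no string "key"
 */
function pleio_api_fetch_license_key($site, $api_key) {
	if (empty($api_key) || !is_string($api_key)) {
		return null;
	}

	$api_user = get_api_user($site->getGUID(), $api_key);
	if (!$api_user) {
		return null;
	}

	$app = ws_pack_get_application_from_api_user_id($api_user->id);
	if (!$app || $app->application_id != "pleio_app") {
		return null;
	}

	$data = array(
		"id" => $site->guid,
		"name" => $site->name,
		"url" => $site->url,
		"email" => $site->email,
		"members" => $site->member_count,
	);

	// NOTE(review): plain http — the key comes back unauthenticated over the
	// wire, so anyone on the network path can hand this site an arbitrary
	// license key. Move to https as soon as the license server supports it.
	$url = "http://appstaat.funil.nl/overheidsplein-app/license.php?" . http_build_query($data);

	// Bound the wait: this runs inside API request handling, and
	// file_get_contents() otherwise blocks for default_socket_timeout.
	$context = stream_context_create(array("http" => array("timeout" => 5)));

	try {
		$response = file_get_contents($url, false, $context);
	} catch (Exception $ex) {
		return null;
	}
	if (!$response) {
		return null;
	}

	// Only accept a well-formed object with a string "key"; never store a
	// null or garbage value as the license key.
	$decoded = json_decode($response);
	if (!is_object($decoded) || !isset($decoded->key) || !is_string($decoded->key)) {
		return null;
	}

	return $decoded->key;
}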
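/**
 * PAM: Confirm the HMAC signature
 *
 * Looks up the API user named in the request headers, recomputes the HMAC
 * over the request, compares it with the supplied one, rejects replayed
 * packets, and for POST requests also verifies the body hash.
 *
 * @return true if success - otherwise throws exception
 *
 * @throws SecurityException when the API key is unknown, the HMAC does not
 *                           match, the packet was already seen, or the POST
 *                           body hash does not match
 * @since 1.7.0
 * @access private
 */
function api_auth_hmac() {
	// Get api header
	$api_header = get_and_validate_api_headers();

	// Pull API user details
	$api_user = get_api_user(elgg_get_site_entity()->guid, $api_header->api_key);
	if (!$api_user) {
		throw new SecurityException(elgg_echo('SecurityException:InvalidAPIKey'),
			ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
	}

	// Get the secret key
	$secret_key = $api_user->secret;

	// The signed material is everything after the '?' of the request URI.
	// NOTE(review): when the URI has no '?', strpos() returns false and
	// substr($query, 1) drops the first character of the path instead of
	// yielding ''. Left as-is because existing clients sign the same way —
	// confirm before changing.
	$query = _elgg_services()->request->server->get('REQUEST_URI');
	$query = substr($query, strpos($query, '?') + 1);

	// calculate expected HMAC
	$posthash = $api_header->method == 'POST' ? $api_header->posthash : "";
	$hmac = calculate_hmac($api_header->hmac_algo, $api_header->time, $api_header->nonce,
		$api_header->api_key, $secret_key, $query, $posthash);

	// Constant-time comparison so the check does not leak how much of the
	// HMAC was right. The calculated value is deliberately NOT put in the
	// message: if the message reaches the caller (as API error responses
	// typically do), it hands an attacker a valid signature for the very
	// request they just sent, which is not yet in the replay cache.
	if (!hash_equals((string) $hmac, (string) $api_header->hmac)) {
		throw new SecurityException("HMAC is invalid.");
	}

	// Now make sure this is not a replay. Only reached with a valid HMAC, so
	// only genuine packets ever enter the cache.
	if (cache_hmac_check_replay($hmac)) {
		throw new SecurityException(elgg_echo('SecurityException:DupePacket'));
	}

	// Validate post data
	if ($api_header->method == "POST") {
		$postdata = get_post_data();
		$calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);

		if (!hash_equals((string) $calculated_posthash, (string) $api_header->posthash)) {
			$msg = elgg_echo('SecurityException:InvalidPostHash',
				array($calculated_posthash, $api_header->posthash));
			throw new SecurityException($msg);
		}
	}

	return true;
}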
/**
 * Store the used API application for future use
 *
 * Resolves the API user behind the public key passed as $params and, when a
 * ws_pack application is registered for that user, records it as the current
 * API application. Does nothing when $params is not a non-empty string, the
 * key is unknown, or no application is attached to it.
 *
 * @param string $hook        name of the hook
 * @param string $type        type of the hook
 * @param string $returnvalue current return value
 * @param array  $params      hook parameters (the public API key as a string)
 *
 * @return void
 */
function ws_pack_api_key_use_hook_handler($hook, $type, $returnvalue, $params) {
	// Nothing to look up unless we were handed a public key.
	if (empty($params) || !is_string($params)) {
		return;
	}

	$site = elgg_get_site_entity();

	// get the current api user
	$current_user = get_api_user($site->getGUID(), $params);
	if (!$current_user) {
		return;
	}

	// check if we're using our API application; remember it if so
	$application = ws_pack_get_application_from_api_user_id($current_user->id);
	if ($application) {
		ws_pack_set_current_api_application($application);
	}
}
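= function() {
	if ( confirm(elgg.echo('apiadmin:regenerate_prompt')) ) {
		document.location.href = '<?php echo "{$CONFIG->url}action/apiadmin/regenerate?keyid={$entity->guid}&__elgg_token={$token}&__elgg_ts={$ts}"; ?> ';
	}
};
</script>
<?php
// One row of the API key admin listing: icon, title, the revoke / rename /
// regenerate links (which call the per-entity JS handlers defined above),
// the public key, and — for admins only — the secret.
$icon = elgg_view('graphics/icon', array('entity' => $entity, 'size' => 'small'));

$public_label = elgg_echo('apiadmin:public');
$private_label = elgg_echo('apiadmin:private');
$revoke_label = elgg_echo('apiadmin:revoke');
$rename_label = elgg_echo('apiadmin:rename');
$regenerate_label = elgg_echo('apiadmin:regenerate');

// NOTE(review): $entity->title and $entity->public are written into the
// markup unescaped. If the title can be set by anyone other than an admin,
// pass it through htmlspecialchars() here.
$info = "<div class=\"contentWrapper\">";
$info .= "<p><b>{$entity->title}</b>";
$info .= " [<a href=\"#\" onclick=\"elgg.apiadmin_revoke{$entity->guid}();\">{$revoke_label}</a>]";
$info .= " [<a href=\"#\" onclick=\"elgg.apiadmin_rename{$entity->guid}();\">{$rename_label}</a>]";
$info .= " [<a href=\"#\" onclick=\"elgg.apiadmin_regen{$entity->guid}();\">{$regenerate_label}</a>]";
$info .= "</p></div>";
$info .= "<div><p><b>{$public_label}:</b> {$entity->public}<br />";

// Only show secret portion to admins. get_api_user() returns a falsy value
// when there is no row for this public key; skip the secret rather than
// dereference that.
if (elgg_is_admin_logged_in()) {
	// Fetch key
	$keypair = get_api_user($CONFIG->site_id, $entity->public);
	if ($keypair) {
		$info .= "<b>{$private_label}:</b> {$keypair->secret}";
	}
}
$info .= "</p></div>";

echo elgg_view_image_block($icon, $info);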
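/**
 * Secure authentication through headers and HMAC.
 *
 * Looks up the API user from the request headers, recomputes the HMAC over
 * the url-encoded GET variables (plus the post hash for POST requests),
 * compares it in constant time with the supplied HMAC, rejects replays, and
 * for POST requests verifies the body hash.
 *
 * @param mixed $credentials unused; present for PAM handler signature compatibility
 *
 * @return bool true when every check passes (all failures throw)
 *
 * @throws SecurityException when the API key is unknown, the HMAC is missing
 *                           or does not match, the packet was already seen,
 *                           or the POST body hash does not match
 */
function pam_auth_hmac($credentials = NULL) {
	global $CONFIG;

	$api_header = get_and_validate_api_headers(); // Get api header

	$api_user = get_api_user($CONFIG->site_id, $api_header->api_key); // Pull API user details
	if (!$api_user) {
		throw new SecurityException(elgg_echo('SecurityException:InvalidAPIKey'),
			ErrorResult::$RESULT_FAIL_APIKEY_INVALID);
	}

	// Get the secret key
	$secret_key = $api_user->secret;

	// Serialise parameters
	$encoded_params = array();
	foreach ($api_header->get_variables as $k => $v) {
		$encoded_params[] = urlencode($k) . '=' . urlencode($v);
	}
	$params = implode('&', $encoded_params);

	// Calculate expected HMAC
	$posthash = $api_header->method == 'POST' ? $api_header->posthash : "";
	$hmac = (string) calculate_hmac($api_header->hmac_algo, $api_header->time,
		$api_header->api_key, $secret_key, $params, $posthash);
	$supplied = (string) $api_header->hmac;

	// Both sides must be non-empty, then compared in constant time so the
	// check does not leak how much of the HMAC was right. The calculated
	// value is deliberately NOT included in the message: if the message
	// reaches the caller (as API error responses typically do), it hands an
	// attacker a valid signature for the request they just sent, which is not
	// yet in the replay cache. The request inputs are still echoed for debugging.
	if ($supplied === '' || $hmac === '' || !hash_equals($hmac, $supplied)) {
		throw new SecurityException("HMAC is invalid. {$api_header->hmac} = {$api_header->hmac_algo}(**SECRET KEY**, time:{$api_header->time}, apikey:{$api_header->api_key}, get_vars:{$params}"
			. ($api_header->method == "POST" ? ", posthash:{$api_header->posthash})" : ")"));
	}

	// Now make sure this is not a replay. Only reached with a valid HMAC, so
	// only genuine packets ever enter the cache.
	if (cache_hmac_check_replay($hmac)) {
		throw new SecurityException(elgg_echo('SecurityException:DupePacket'));
	}

	// Validate post data
	if ($api_header->method == "POST") {
		$postdata = get_post_data();
		$calculated_posthash = calculate_posthash($postdata, $api_header->posthash_algo);

		if (!hash_equals((string) $calculated_posthash, (string) $api_header->posthash)) {
			throw new SecurityException(sprintf(elgg_echo('SecurityException:InvalidPostHash'),
				$calculated_posthash, $api_header->posthash));
		}
	}

	// If we've passed all the checks so far then we can be reasonably certain
	// that the request is authentic, so return this fact to the PAM engine.
	return true;
}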