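/**
 * Looks up the first REST API token of a user who proves knowledge of their
 * password over an unauthenticated channel.
 *
 * The client sends hash('sha256', password . nonce) together with the nonce;
 * the nonce is the client's unix time and must lie within +/-5 minutes of this
 * server's clock, so a captured request cannot be replayed indefinitely.
 *
 * @param array $params expects keys 'user', 'hash' and 'nonce'
 * @return array|false token record from restapi_tokens_get(); an
 *                     array('status' => 'error', 'msg' => ...) for a malformed
 *                     request or a user without tokens; false when the
 *                     password proof or nonce does not check out
 */
function get_restapi_tokens_search($params) {
    if (!isset($params['user'], $params['hash'], $params['nonce'])) {
        return array('status' => 'error', 'msg' => 'Invalid params');
    }
    $user = core_users_get($params['user']);
    //a user with no password set can never authenticate this way (also covers
    //core_users_get() returning nothing for an unknown user)
    if (empty($user['password'])) {
        return false;
    }
    //the nonce is the client's time and must match the server's time within a
    //10 minute frame (5 minutes either side)
    $nonce = $params['nonce'];
    if (!is_numeric($nonce)) {
        return false;
    }
    $time = time();
    $time_frame = 5 * 60;
    if ($nonce < $time - $time_frame || $nonce > $time + $time_frame) {
        return false;
    }
    //password must match. The client sends sha256(password . nonce) so the
    //password itself never crosses the wire. hash_equals() is used instead of
    //'!=' so the hex digests are not compared as numeric strings and the
    //comparison does not leak timing information.
    $hash = $params['hash'];
    if (!is_string($hash)) {
        return false;
    }
    $expected = hash('sha256', $user['password'] . $nonce);
    if (!hash_equals($expected, $hash)) {
        return false;
    }
    //seems this request is legit. Lets see if we have any tokens for this user
    $t = restapi_user_get_user_tokens($params['user']);
    if (!isset($t[0])) {
        return array('status' => 'error', 'msg' => 'No tokens found!');
    }
    return restapi_tokens_get($t[0]);
}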
<?php
// Renders the "Tokens" section of the userman page: one block per token that
// belongs to the current user, each with a status dropdown, wrapped in a form
// that posts back to this page with f=action, m=restapi, action=save.
// Expects $tokens (list of token ids) from the including script.
//
// NOTE(review): $_SERVER['PHP_SELF'] and $_SERVER['QUERY_STRING'] are
// client-controlled and are handed to form_open() unescaped; confirm that
// form_open() escapes the action attribute. Likewise the token name/desc reach
// fpbx_label() and the token values reach CI_Table as-is — confirm those
// helpers escape for HTML, or escape here.
$html = '';
$html .= heading(_('Tokens'), 2);
$html .= '<div id="line"><div class="spacer"></div><div class="spacer"></div></div>';

if ($tokens) {
    $html .= form_open($_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']);
    $html .= form_hidden('f', 'action');
    $html .= form_hidden('m', 'restapi');
    $html .= form_hidden('action', 'save');

    $table = new CI_Table();
    foreach ($tokens as $token_id) {
        $details = restapi_tokens_get($token_id);
        //fall back to a generic label when the token was saved without a name
        $name = $details['name'] ? $details['name'] : _('Token') . ' ' . $token_id;
        $label = fpbx_label($name, $details['desc']);
        $status_opts = array('enabled' => _('Enabled'), 'disabled' => _('Disabled'));
        $status = form_dropdown('token_status[' . $token_id . ']', $status_opts, $details['token_status']);

        $table->add_row(array('data' => heading($label, 5) . '<hr>', 'colspan' => 2));
        $table->add_row(_('Token'), $details['token']);
        $table->add_row(_('Token Key'), $details['tokenkey']);
        $table->add_row(_('Status'), $status);
    }
    $table->add_row(form_submit('save', _('Save')));

    $html .= $table->generate();
    $html .= form_close() . br();
} else {
    $html .= _('No tokens associated with this user');
}

echo $html;
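/**
 * Creates or updates a REST API token and its detail rows.
 *
 * Writes the header row to restapi_tokens, then deletes and re-inserts every
 * restapi_token_details row for the token from the recognised keys of $vars
 * (allow, deny, users, modules, token, tokenkey, token_status, rate). Other
 * keys in $vars are ignored.
 *
 * @param array $vars token fields. An empty/missing 'id' creates a new token
 *                    using the 'token'/'tokenkey' values in $vars; otherwise
 *                    the stored token/tokenkey pair is kept regardless of what
 *                    $vars carries. Optional 'assoc_user' links the token to a
 *                    userman user.
 * @return int|string id of the created or updated token
 */
function restapi_tokens_put($vars) {
    global $db, $amp_conf;

    $id = isset($vars['id']) ? $vars['id'] : null;

    //reuse old token/key on non-new tokens so a save from the UI never rotates
    //a credential behind the client's back
    if ($id) {
        $orig = restapi_tokens_get($id);
        $vars['token'] = $orig['token'];
        $vars['tokenkey'] = $orig['tokenkey'];
    }

    //insert headers
    $sql = 'REPLACE INTO restapi_tokens (id, name, `desc`) VALUES (?, ?, ?)';
    $ret = $db->query($sql, array(
        $id,
        isset($vars['name']) ? $vars['name'] : null,
        isset($vars['desc']) ? $vars['desc'] : null,
    ));
    db_e($ret);

    //get an id if we dont already have one
    if (empty($id)) {
        $id = $db->getOne($amp_conf['AMPDBENGINE'] === 'sqlite3' ? 'SELECT last_insert_rowid()' : 'SELECT LAST_INSERT_ID()');
        $vars['id'] = $id;
    }

    //clear stale data
    $sql = 'DELETE FROM restapi_token_details WHERE token_id = ?';
    $ret = $db->query($sql, array($id));
    db_e($ret);

    //collect fresh values; $data is always an array so executeMultiple() is
    //never handed null when $vars carries none of the recognised keys
    $data = array();
    foreach ($vars as $k => $v) {
        switch ($k) {
            case 'allow':
            case 'deny':
                //TODO: validate ip's
                $data[] = array($id, $k, json_encode($v));
                break;
            case 'users':
                //TODO: validate that users really exist
                $data[] = array($id, $k, json_encode($v));
                break;
            case 'modules':
                //TODO: validate that modules really exist
                //'*' means every module, so it replaces any explicit list
                $modules = is_array($v) ? $v : array();
                if (in_array('*', $modules, true)) {
                    $modules = array('*');
                }
                $data[] = array($id, $k, json_encode($modules));
                break;
            case 'token':
            case 'tokenkey':
            case 'token_status':
            case 'rate':
                $data[] = array($id, $k, $v);
                break;
            default:
                break;
        }
    }

    //insert fresh data
    if ($data) {
        $sql = $db->prepare('INSERT INTO restapi_token_details (token_id, `key`, value) VALUES (?, ?, ?)');
        $ret = $db->executeMultiple($sql, $data);
        db_e($ret);
    }

    //update user mappings
    if (!empty($vars['assoc_user'])) {
        restapi_user_set_token($vars['assoc_user'], $id);
    }

    return $id;
}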
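/**
 * Builds $this->req from the current HTTP request.
 *
 * Copies the headers the API cares about out of $_SERVER into
 * $this->req->headers, loads the options of the token named in the Token
 * header into $this->req->token_opts (falling back to the module-wide token
 * from $this->opts, or to a 'not_found' record), computes the request body
 * hash used for signature checking, and logs the request when logging is
 * enabled.
 *
 * @return void
 */
function _get_req() {
    $this->req = isset($this->req) ? $this->req : new stdClass();

    $h = array(
        'address' => '',
        'content_type' => '',
        'host' => '',
        'ip' => '',
        'nonce' => '',
        'port' => '',
        'token' => '',
        'tokenkey' => '',
        'timestamp' => '',
        'user_agent' => '',
        'uri' => '',
        'signature' => '',
    );
    //$_SERVER keys we read, and the slot in $h each one lands in; anything
    //else in $_SERVER is ignored
    $server_map = array(
        'HTTP_HOST' => 'host',
        'CONTENT_TYPE' => 'content_type',
        'SERVER_NAME' => 'address',
        'SERVER_PORT' => 'port',
        'REMOTE_ADDR' => 'ip',
        'REQUEST_URI' => 'uri',
        'HTTP_TOKEN' => 'token',
        'HTTP_NONCE' => 'nonce',
        'HTTP_SIGNATURE' => 'signature',
        'HTTP_USER_AGENT' => 'user_agent',
    );
    foreach ($server_map as $server_key => $slot) {
        if (array_key_exists($server_key, $_SERVER)) {
            $h[$slot] = $_SERVER[$server_key];
        }
    }

    //always add fake data if none is set, otherwise the auth test would never
    //fail when no token/nonce is passed
    $this->req->token = $h['token'] ? $h['token'] : md5(time());
    $this->req->nonce = $h['nonce'] ? $h['nonce'] : md5(time());
    $h['protocol'] = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === "on" ? "https" : "http";
    $h['url'] = $h['host'] . $h['uri'];

    //get data associated with this token
    $opts = restapi_tokens_get($this->req->token, 'token');
    if ($opts) {
        //make sure token_opts exists before assigning into it; assigning a
        //property on null is a warning on PHP 7 and an Error on PHP 8
        if (!isset($this->req->token_opts)) {
            $this->req->token_opts = new stdClass();
        }
        foreach ($opts as $k => $v) {
            $this->req->token_opts->{$k} = $v;
        }
    } else {
        //add defaults
        $token_opts = new stdClass();
        $token_opts->token_status = 'not_found';
        $token_opts->users = array();
        $token_opts->modules = array();
        $token_opts->allow = array();
        $token_opts->deny = array();
        $token_opts->name = '';
        $token_opts->rate = '';
        $token_opts->token = '';
        $token_opts->tokenkey = '';
        $token_opts->assoc_user = '';
        //fall back to the module-wide token configured in the module's own
        //settings (loose comparison kept on purpose: an unset token reads as '')
        if ($this->opts['token'] != '') {
            $token_opts->token_status = $this->opts['status'] === 'normal' ? 'enabled' : 'disabled';
            $token_opts->token = $this->opts['token'];
            $token_opts->tokenkey = $this->opts['tokenkey'];
            $token_opts->name = 'general';
            $token_opts->users = array('*');
            $token_opts->modules = array('*');
            $token_opts->rate = -1;
        }
        $this->req->token_opts = $token_opts;
    }

    //headers
    $this->req->headers = $h;

    //build request body hash used when verifying the request signature
    $this->req->body_hash = $this->auth->get_data_hash(
        $this->req->token,
        $this->req->headers['url'],
        $this->router->verb,
        $this->req->nonce,
        $this->router->body
    );

    $this->req->files = $_FILES;

    if ($this->log) {
        $this->log->event('Request', $this->req);
    }
}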
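/**
 * Userman hook: renders the "Rest API" tab on the user/group add/edit pages.
 *
 * Reads the current action from $_REQUEST and, for showuser/adduser/
 * showgroup/addgroup, builds the view variables for views/hook_userman.php:
 * the user list, the list of API-enabled modules, and one entry per existing
 * token (or a single pre-filled template when the user/group has none yet).
 *
 * @return array|null one-element list of array{title,rawname,content} for
 *                    the userman tab, or null when the action is not handled
 */
public function usermanShowPage() {
    //NOTE(review): $_REQUEST also merges cookie values; action/user/group are
    //expected to arrive in the query string or form body
    if (!isset($_REQUEST['action'])) {
        return null;
    }
    $action = $_REQUEST['action'];
    if (!in_array($action, array('showgroup', 'addgroup', 'adduser', 'showuser'), true)) {
        return null;
    }
    $is_group = in_array($action, array('showgroup', 'addgroup'), true);
    $user_id = isset($_REQUEST['user']) ? $_REQUEST['user'] : null;
    $group_id = isset($_REQUEST['group']) ? $_REQUEST['group'] : null;

    //only an existing user can already have tokens / an enabled flag
    $enabled = null;
    $tokens = array();
    if ($action === 'showuser') {
        $enabled = $this->userman->getModuleSettingByID($user_id, 'restapi', 'restapi_token_status', true);
        $tokens = restapi_user_get_user_tokens($user_id);
        if (empty($tokens)) {
            $tokens = array();
        }
    }

    $displayvars = array(
        'mode' => $is_group ? 'group' : 'user',
        'enabled' => $enabled,
    );
    $displayvars['user_list_all'] = array();
    if ($is_group) {
        $displayvars['user_list_all']['self'] = _("User Primary Extension");
    }
    foreach (core_users_list() as $list) {
        $displayvars['user_list_all'][$list[0]] = $list[1] . " <" . $list[0] . ">";
    }
    $displayvars['module_list'] = $this->restapiUsermanModuleList();

    //everything else: one entry per existing token, otherwise a single
    //pre-filled template with freshly generated credentials
    $rest_template = $displayvars;
    if (!empty($tokens)) {
        foreach ($tokens as $token) {
            $displayvars['tokens'][] = array_merge($rest_template, restapi_tokens_get($token));
        }
    } else {
        $displayvars['tokens'][0] = array_merge($rest_template, restapi_tokens_get());
        $displayvars['tokens'][0]['token'] = \restapi_tokens_generate();
        $displayvars['tokens'][0]['tokenkey'] = \restapi_tokens_generate();
        $displayvars['tokens'][0]['id'] = 0;
        $displayvars['tokens'][0]['users'] = array("self");
        $displayvars['tokens'][0]['rate'] = 1000;
    }

    if ($is_group) {
        //group mode: settings come from the group rather than a stored token,
        //and the template built above is replaced wholesale
        $enabled = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_token_status');
        $users = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_users');
        $modules = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_modules');
        $rate = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_rate');
        $displayvars['tokens'][0] = array_merge($rest_template, restapi_tokens_get());
        $displayvars['tokens'][0]['token'] = 1;
        $displayvars['tokens'][0]['tokenkey'] = 1;
        $displayvars['tokens'][0]['id'] = 0;
        $displayvars['tokens'][0]['users'] = is_array($users) ? $users : array("self");
        if ($enabled) {
            //rate and module list are only shown for an enabled group
            $displayvars['tokens'][0]['rate'] = !empty($rate) ? $rate : "1000";
            $displayvars['tokens'][0]['modules'] = is_array($modules) ? $modules : array();
        }
        $displayvars['enabled'] = $enabled;
    }

    return array(array(
        "title" => _("Rest API"),
        "rawname" => "restapi",
        "content" => load_view(__DIR__ . '/views/hook_userman.php', $displayvars),
    ));
}

/**
 * Lists the installed modules that expose REST API routes, keyed by rawname
 * and sorted by display name, with a '*' ("All") entry first.
 *
 * @return array<string, string> rawname => display name
 */
private function restapiUsermanModuleList() {
    // Get list of modules that have been API enabled.
    $api = new \Api();
    $api_mods = array();
    foreach ($api->maps as $verb => $urls) {
        foreach ($urls as $url => $maps) {
            foreach ($maps as $map => $details) {
                $api_mods[$details["module"]] = 1;
            }
        }
    }
    unset($api);

    //modules
    global $db;
    $mods = \modulelist::create($db);
    $module_list = array();
    foreach ($mods->module_array as $mod) {
        if (isset($mod['rawname']) && isset($api_mods[$mod['rawname']])) {
            $module_list[$mod['rawname']] = $mod['name'];
        }
    }
    asort($module_list);
    //'+' keeps '*' first and never lets a real module key overwrite it
    return array('*' => _('All')) + $module_list;
}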