private function getAccessControlScope()
{
$scope = new accessControlScope();
if ($this->referrer) {
$scope->setReferrer($this->referrer);
}
$scope->setKs($this->ks);
$scope->setEntryId($this->entry->getId());
$scope->setContexts($this->contexts);
return $scope;
}
public function validateApiAccessControl()
{
if (kIpAddressUtils::isInternalIp()) {
return true;
}
if ($this->getEnforceHttpsApi() && infraRequestUtils::getProtocol() != infraRequestUtils::PROTOCOL_HTTPS) {
KalturaLog::err('Action was accessed over HTTP while the partner is configured for HTTPS access only');
return false;
}
$accessControl = $this->getApiAccessControl();
if (is_null($accessControl)) {
return true;
}
$context = new kEntryContextDataResult();
$scope = new accessControlScope();
$scope->setKs(kCurrentContext::$ks);
$scope->setContexts(array(ContextType::PLAY));
$disableCache = $accessControl->applyContext($context, $scope);
if ($disableCache) {
kApiCache::disableCache();
}
if (count($context->getMessages())) {
header("X-Kaltura-API-Access-Control: " . implode(', ', $context->getMessages()));
}
if (count($context->getActions())) {
$actions = $context->getActions();
foreach ($actions as $action) {
/* @var $action kAccessControlAction */
if ($action->getType() == RuleActionType::BLOCK) {
KalturaLog::err('Action was blocked by API access control');
return false;
}
}
}
return true;
}
/**
* @return accessControlScope
*/
public static function partialInit()
{
$scope = new accessControlScope();
$scope->setIp(requestUtils::getRemoteAddress());
$scope->setReferrer(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : null);
return $scope;
}
/**
* Validate all the restrictions using the accessControlScope
*
* @return bool
*/
public function isValid()
{
if (!$this->scope instanceof accessControlScope) {
throw new Exception("Scope was not set");
}
// if we have ks
if ($this->scope->getKs() && $this->scope->getKs() instanceof ks) {
// not need to validate if we have an admin ks
if ($this->scope->getKs()->isAdmin()) {
return true;
}
}
$restrictions = $this->getRestrictions();
foreach ($restrictions as $restriction) {
if ($restriction->isValid() === false) {
// if one is not valid, all access control considered not valid
return false;
}
}
return true;
}
private function applyAccessControlOnContextData(accessControlScope $accessControlScope)
{
if ($this->isAdmin) {
return;
}
$accessControl = $this->entry->getAccessControl();
/* @var $accessControl accessControl */
if ($accessControl && $accessControl->hasRules()) {
$this->isSecured = true;
if (kConf::hasMap("optimized_playback")) {
$partnerId = $accessControl->getPartnerId();
$optimizedPlayback = kConf::getMap("optimized_playback");
if (array_key_exists($partnerId, $optimizedPlayback)) {
$params = $optimizedPlayback[$partnerId];
if (array_key_exists('cache_kdp_access_control', $params) && $params['cache_kdp_access_control'] && (strpos(strtolower(kCurrentContext::$client_lang), "kdp") !== false || strpos(strtolower(kCurrentContext::$client_lang), "html") !== false)) {
return;
}
}
}
$accessControlScope->setEntryId($this->entry->getId());
$this->isAdmin = $accessControlScope->getKs() && $accessControlScope->getKs()->isAdmin();
$this->disableCache = $accessControl->applyContext($this->contextDataResult);
}
}
private function getApiAccessControlScope()
{
$scope = new accessControlScope();
$scope->setKs(kCurrentContext::$ks);
$scope->setContexts(array(accessControlContextType::PLAY));
return $scope;
}
private function getAccessControlScope()
{
$accessControlScope = accessControlScope::partialInit();
if ($this->_referrer) {
$accessControlScope->setReferrer($this->_referrer);
}
$accessControlScope->setKs($this->_ks);
$accessControlScope->setEntryId($this->_entry->getId());
return $accessControlScope;
}
/**
* @action getContextData
* @param string $entryId
* @param KalturaEntryContextDataParams $contextDataParams
* @return KalturaEntryContextDataResult
*/
public function getContextData($entryId, KalturaEntryContextDataParams $contextDataParams)
{
$dbEntry = entryPeer::retrieveByPK($entryId);
if (!$dbEntry) {
throw new KalturaAPIException(KalturaErrors::ENTRY_ID_NOT_FOUND, $entryId);
}
$ks = $this->getKs();
$isAdmin = false;
if ($ks) {
$isAdmin = $ks->isAdmin();
}
$accessControl = $dbEntry->getAccessControl();
$result = new KalturaEntryContextDataResult();
$result->isAdmin = $isAdmin;
$result->isScheduledNow = $dbEntry->isScheduledNow();
// defaults
$result->isSiteRestricted = false;
$result->isCountryRestricted = false;
$result->isSessionRestricted = false;
$result->isIpAddressRestricted = false;
$result->previewLength = -1;
if ($accessControl && $accessControl->hasRestrictions()) {
KalturaResponseCacher::disableCache();
$accessControlScope = accessControlScope::partialInit();
$accessControlScope->setReferrer($contextDataParams->referrer);
$accessControlScope->setKs($this->getKs());
$accessControlScope->setEntryId($entryId);
$accessControl->setScope($accessControlScope);
if ($accessControl->hasSiteRestriction()) {
$result->isSiteRestricted = !$accessControl->getSiteRestriction()->isValid();
}
if ($accessControl->hasCountryRestriction()) {
$result->isCountryRestricted = !$accessControl->getCountryRestriction()->isValid();
}
if ($accessControl->hasSessionRestriction()) {
$result->isSessionRestricted = !$accessControl->getSessionRestriction()->isValid();
}
if ($accessControl->hasPreviewRestriction()) {
$result->isSessionRestricted = !$accessControl->getPreviewRestriction()->isValid();
$result->previewLength = $accessControl->getPreviewRestriction()->getPreviewLength();
}
if ($accessControl->hasIpAddressRestriction()) {
$result->isIpAddressRestricted = !$accessControl->getIpAddressRestriction()->isValid();
}
}
return $result;
}
