function osTicketSession($ttl = 0)
{
$this->ttl = $ttl ?: ini_get('session.gc_maxlifetime') ?: SESSION_TTL;
// Set osTicket specific session name.
session_name('OSTSESSID');
// Forced cleanup on shutdown
register_shutdown_function('session_write_close');
// Set session cleanup time to match TTL
ini_set('session.gc_maxlifetime', $ttl);
if (OsticketConfig::getDBVersion()) {
return session_start();
}
# Cookies
// Avoid setting a cookie domain without a dot, thanks
// http://stackoverflow.com/a/1188145
$domain = null;
if (isset($_SERVER['HTTP_HOST']) && strpos($_SERVER['HTTP_HOST'], '.') !== false && !Validator::is_ip($_SERVER['HTTP_HOST'])) {
// Remote port specification, as it will make an invalid domain
list($domain) = explode(':', $_SERVER['HTTP_HOST']);
}
session_set_cookie_params($ttl, ROOT_PATH, $domain, osTicket::is_https());
//Set handlers.
session_set_save_handler(array(&$this, 'open'), array(&$this, 'close'), array(&$this, 'read'), array(&$this, 'write'), array(&$this, 'destroy'), array(&$this, 'gc'));
//Start the session.
session_start();
}
function osTicketSession($ttl = 0)
{
$this->ttl = $ttl ?: ini_get('session.gc_maxlifetime') ?: SESSION_TTL;
// Set osTicket specific session name.
session_name('OSTSESSID');
// Forced cleanup on shutdown
register_shutdown_function('session_write_close');
// Set session cleanup time to match TTL
ini_set('session.gc_maxlifetime', $ttl);
if (OsticketConfig::getDBVersion()) {
return session_start();
}
# Cookies
// Avoid setting a cookie domain without a dot, thanks
// http://stackoverflow.com/a/1188145
$domain = null;
if (isset($_SERVER['HTTP_HOST']) && strpos($_SERVER['HTTP_HOST'], '.') !== false && !Validator::is_ip($_SERVER['HTTP_HOST'])) {
// Remote port specification, as it will make an invalid domain
list($domain) = explode(':', $_SERVER['HTTP_HOST']);
}
session_set_cookie_params($ttl, ROOT_PATH, $domain, osTicket::is_https());
if (!defined('SESSION_BACKEND')) {
define('SESSION_BACKEND', 'db');
}
try {
$bk = SESSION_BACKEND;
if (!class_exists(self::$backends[$bk])) {
$bk = 'db';
}
$this->backend = new self::$backends[$bk]($this->ttl);
} catch (Exception $x) {
// Use the database for sessions
trigger_error($x->getMessage(), E_USER_WARNING);
$this->backend = new self::$backends['db']($this->ttl);
}
if ($this->backend instanceof SessionBackend) {
// Set handlers.
session_set_save_handler(array($this->backend, 'open'), array($this->backend, 'close'), array($this->backend, 'read'), array($this->backend, 'write'), array($this->backend, 'destroy'), array($this->backend, 'gc'));
}
// Start the session.
session_start();
}
function add($ip, &$errors)
{
global $cfg;
$passphrase = $cfg->getAPIPassphrase();
if (!$passphrase) {
$errors['err'] = 'Senha API faltando.';
}
if (!$ip || !Validator::is_ip($ip)) {
$errors['ip'] = 'IP válido obrigatório';
} elseif (Api::getKey($ip)) {
$errors['ip'] = 'Chave API para o IP já existe';
}
$id = 0;
if (!$errors) {
$sql = 'INSERT INTO ' . API_KEY_TABLE . ' SET created=NOW(), updated=NOW(), isactive=1' . ',ipaddr=' . db_input($ip) . ',apikey=' . db_input(strtoupper(md5($ip . md5($passphrase))));
//Security of the apikey is not as critical at the moment
if (db_query($sql)) {
$id = db_insert_id();
}
}
return $id;
}
function add($ip, &$errors)
{
global $cfg;
$passphrase = $cfg->getAPIPassphrase();
if (!$passphrase) {
$errors['err'] = 'API passphrase missing.';
}
if (!$ip || !Validator::is_ip($ip)) {
$errors['ip'] = 'Valid IP required';
} elseif (Api::getKey($ip)) {
$errors['ip'] = 'API key for the IP already exists';
}
$id = 0;
if (!$errors) {
$sql = 'INSERT INTO ' . API_KEY_TABLE . ' SET created=NOW(), updated=NOW(), isactive=1' . ',ipaddr=' . db_input($ip) . ',apikey=' . db_input(strtoupper(md5($ip . md5($passphrase))));
//Security of the apikey is not as critical at the moment
if (db_query($sql)) {
$id = db_insert_id();
}
}
return $id;
}
function add($ip, &$errors)
{
global $cfg;
$passphrase = $cfg->getAPIPassphrase();
if (!$passphrase) {
$errors['err'] = 'Falta la frase secreta de la API.';
}
if (!$ip || !Validator::is_ip($ip)) {
$errors['ip'] = 'Se requiere una IP válida';
} elseif (Api::getKey($ip)) {
$errors['ip'] = 'Clave API para esta IP ya existe';
}
$id = 0;
if (!$errors) {
$sql = 'INSERT INTO ' . API_KEY_TABLE . ' SET created=NOW(), updated=NOW(), isactive=1' . ',ipaddr=' . db_input($ip) . ',apikey=' . db_input(strtoupper(md5($ip . md5($passphrase))));
//Security of the apikey is not as critical at the moment
if (db_query($sql)) {
$id = db_insert_id();
}
}
return $id;
}
case EX_NOINPUT:
default:
Http::response(416, $code, 'text/plain');
}
}
exit($code);
}
//Remote hosts need authorization.
if ($remotehost) {
//Upto 10 consecutive errors allowed...before a 5 minute timeout.
//One more error during timeout and timeout starts a new clock
if ($_SESSION['api']['errors'] > 10 && time() - $_SESSION['api']['time'] <= 5 * 50) {
// timeout!
api_exit(EX_NOPERM, 'Host in Timeout');
}
//Check IP
$ip = $_SERVER['REMOTE_ADDR'];
if (!Validator::is_ip($ip) || !$cfg->isKnownHost($ip)) {
//unknown IP
api_exit(EX_NOPERM, 'Unknown remote host [' . $ip . ']');
}
//For added security...check API pass phrase.
$key = $_SERVER['HTTP_USER_AGENT'];
//pulling all tricks.
if (empty($key) || strcasecmp($key, md5($cfg->getAPIKey()))) {
api_exit(EX_NOPERM, 'Invalid API Key [' . $key . ']');
}
//At this point we know the remote host/IP is allowed.
$_SESSION['api']['errors'] = 0;
//clear errors for the session.
}
break;
case EX_NOPERM:
Http::response(403, $code, 'text/plain');
break;
case EX_DATAERR:
case EX_NOINPUT:
default:
Http::response(416, $code, 'text/plain');
}
}
exit($code);
}
//Remote hosts need authorization.
if ($remotehost) {
$ip = $_SERVER['REMOTE_ADDR'];
$key = $_SERVER['HTTP_USER_AGENT'];
//pulling all tricks.
//Upto 10 consecutive errors allowed...before a 5 minute timeout.
//One more error during timeout and timeout starts a new clock
if ($_SESSION['api']['errors'] > 10 && time() - $_SESSION['api']['time'] <= 5 * 60) {
// timeout!
api_exit(EX_NOPERM, "Remote host [{$ip}] in timeout - error #" . $_SESSION['api']['errors']);
}
//Check API key & ip
if (!Validator::is_ip($ip) || !Api::validate($key, $ip)) {
api_exit(EX_NOPERM, 'Unknown remote host [' . $ip . '] or invalid API key [' . $key . ']');
}
//At this point we know the remote host/IP is allowed.
$_SESSION['api']['errors'] = 0;
//clear errors for the session.
}
function save($id, $vars, &$errors)
{
if (!$id && (!$vars['ipaddr'] || !Validator::is_ip($vars['ipaddr']))) {
$errors['ipaddr'] = 'Valid IP required';
}
if ($errors) {
return false;
}
$sql = ' updated=NOW() ' . ',isactive=' . db_input($vars['isactive']) . ',can_create_tickets=' . db_input($vars['can_create_tickets']) . ',can_exec_cron=' . db_input($vars['can_exec_cron']) . ',notes=' . db_input($vars['notes']);
if ($id) {
$sql = 'UPDATE ' . API_KEY_TABLE . ' SET ' . $sql . ' WHERE id=' . db_input($id);
if (db_query($sql)) {
return true;
}
$errors['err'] = 'Unable to update API key. Internal error occurred';
} else {
$sql = 'INSERT INTO ' . API_KEY_TABLE . ' SET ' . $sql . ',created=NOW() ' . ',ipaddr=' . db_input($vars['ipaddr']) . ',apikey=' . db_input(strtoupper(md5(time() . $vars['ipaddr'] . md5(Misc::randCode(16)))));
if (db_query($sql) && ($id = db_insert_id())) {
return $id;
}
$errors['err'] = 'Unable to add API key. Try again!';
}
return false;
}
function save($id, $vars, &$errors)
{
if (!$id && (!$vars['ipaddr'] || !Validator::is_ip($vars['ipaddr']))) {
$errors['ipaddr'] = __('Valid IP is required');
}
if ($errors) {
return false;
}
$sql = ' updated=NOW() ' . ',isactive=' . db_input($vars['isactive']) . ',can_create_tickets=' . db_input($vars['can_create_tickets']) . ',can_exec_cron=' . db_input($vars['can_exec_cron']) . ',notes=' . db_input(Format::sanitize($vars['notes']));
if ($id) {
$sql = 'UPDATE ' . API_KEY_TABLE . ' SET ' . $sql . ' WHERE id=' . db_input($id);
if (db_query($sql)) {
return true;
}
$errors['err'] = sprintf(__('Unable to update %s.'), __('this API key')) . ' ' . __('Internal error occurred');
} else {
$sql = 'INSERT INTO ' . API_KEY_TABLE . ' SET ' . $sql . ',created=NOW() ' . ',ipaddr=' . db_input($vars['ipaddr']) . ',apikey=' . db_input(strtoupper(md5(time() . $vars['ipaddr'] . md5(Misc::randCode(16)))));
if (db_query($sql) && ($id = db_insert_id())) {
return $id;
}
$errors['err'] = sprintf(__('Unable to add %s. Correct error(s) below and try again.'), __('this API key'));
}
return false;
}
function save($id, $vars, &$errors)
{
if (!$id) {
if (!$vars['ipaddr'] || !Validator::is_ip($vars['ipaddr'])) {
$errors['ipaddr'] = 'Valid IP required';
} elseif (API::getKeyByIPAddr($vars['ipaddr'])) {
$errors['ipaddr'] = 'API key for the IP already exists';
}
}
if ($errors) {
return false;
}
$sql = ' updated=NOW() ' . ',isactive=' . db_input($vars['isactive']) . ',notes=' . db_input($vars['notes']);
if ($id) {
$sql = 'UPDATE ' . API_KEY_TABLE . ' SET ' . $sql . ' WHERE id=' . db_input($id);
if (db_query($sql)) {
return true;
}
$errors['err'] = 'Unable to update API key. Internal error occurred';
} else {
$sql = 'INSERT INTO ' . API_KEY_TABLE . ' SET ' . $sql . ',created=NOW() ' . ',ipaddr=' . db_input($vars['ipaddr']) . ',apikey=' . db_input(strtoupper(md5(time() . $vars['ipaddr'] . md5(Misc::randcode(16)))));
if (db_query($sql) && ($id = db_insert_id())) {
return $id;
}
$errors['err'] = 'Unable to add API key. Internal error';
}
return false;
}
