Exemplo n.º 1
0
 /**
  * Process the request
  * 
  * @throws lots of various exceptions
  */
 public static function process()
 {
     try {
         @session_start();
         // If undergoing maintenance report it as an error
         if (Config::get('maintenance')) {
             throw new RestUndergoingMaintenanceException();
         }
         // Split request path to get tokens
         $path = array();
         if (array_key_exists('PATH_INFO', $_SERVER)) {
             $path = array_filter(explode('/', $_SERVER['PATH_INFO']));
         }
         // Get method from possible headers
         $method = null;
         foreach (array('X_HTTP_METHOD_OVERRIDE', 'REQUEST_METHOD') as $k) {
             if (!array_key_exists($k, $_SERVER)) {
                 continue;
             }
             $method = strtolower($_SERVER[$k]);
         }
         // Record called method (for log), fail if unknown
         if (!in_array($method, array('get', 'post', 'put', 'delete'))) {
             throw new RestMethodNotAllowedException();
         }
         // Get endpoint (first token), fail if none
         $endpoint = array_shift($path);
         if (!$endpoint) {
             throw RestEndpointNotFound();
         }
         // Request data accessor
         self::$request = new RestRequest($method, $endpoint, $path);
         // Because php://input can only be read once for PUT requests we rely on a shared getter
         $input = Request::body();
         // Get request content type from possible headers
         $type = array_key_exists('CONTENT_TYPE', $_SERVER) ? $_SERVER['CONTENT_TYPE'] : null;
         if (!$type && array_key_exists('HTTP_CONTENT_TYPE', $_SERVER)) {
             $type = $_SERVER['HTTP_CONTENT_TYPE'];
         }
         // Parse content type
         $type_parts = array_map('trim', explode(';', $type));
         $type = array_shift($type_parts);
         self::$request->properties['type'] = $type;
         $type_properties = array();
         foreach ($type_parts as $part) {
             $part = array_map('trim', explode('=', $part));
             if (count($part) == 2) {
                 self::$request->properties[$part[0]] = $part[1];
             }
         }
         Logger::debug('Got "' . $method . '" request for endpoint "' . $endpoint . '/' . implode('/', $path) . '" with ' . strlen($input) . ' bytes payload');
         // Parse body
         switch ($type) {
             case 'text/plain':
                 self::$request->rawinput = trim(Utilities::sanitizeInput($input));
                 break;
             case 'application/octet-stream':
                 // Don't sanitize binary input !
                 self::$request->rawinput = $input;
                 break;
             case 'application/x-www-form-urlencoded':
                 $data = array();
                 parse_str($input, $data);
                 self::$request->input = (object) Utilities::sanitizeInput($data);
                 break;
             case 'application/json':
             default:
                 self::$request->input = json_decode(trim(Utilities::sanitizeInput($input)));
         }
         // Get authentication state (fills auth data in relevant classes)
         Auth::isAuthenticated();
         if (Auth::isRemoteApplication()) {
             // Remote applications must honor ACLs
             $application = AuthRemote::application();
             if (!$application->allowedTo($method, $endpoint)) {
                 throw new RestNotAllowedException();
             }
         } else {
             if (Auth::isRemoteUser()) {
                 // Nothing peculiar to do
             } else {
                 if (in_array($method, array('post', 'put', 'delete'))) {
                     // SP or Guest, lets do XSRF check
                     $token_name = 'HTTP_X_SECURITY_TOKEN';
                     $token = array_key_exists($token_name, $_SERVER) ? $_SERVER[$token_name] : '';
                     if ($method == 'post' && array_key_exists('security-token', $_POST)) {
                         $token = $_POST['security-token'];
                     }
                     if (!$token || !Utilities::checkSecurityToken($token)) {
                         throw new RestXSRFTokenInvalidException($token);
                     }
                 }
             }
         }
         // JSONP specifics
         if (array_key_exists('callback', $_GET) && $method != 'get') {
             throw new RestJSONPonlyGETException();
         }
         // Get response filters
         foreach ($_GET as $k => $v) {
             switch ($k) {
                 case 'count':
                 case 'startIndex':
                     if (preg_match('`^[0-9]+$`', $v)) {
                         self::$request->{$k} = (int) $v;
                     }
                     break;
                 case 'format':
                     break;
                 case 'filterOp':
                     if (is_array($v)) {
                         foreach ($v as $p => $f) {
                             self::$request->filterOp[$p] = array();
                             foreach (array('equals', 'startWith', 'contains', 'present') as $k) {
                                 if (array_key_exists($k, $f)) {
                                     self::$request->filterOp[$p][$k] = $f[$k];
                                 }
                             }
                         }
                     }
                     break;
                 case 'sortOrder':
                     if (in_array($v, array('ascending', 'descending'))) {
                         self::$request->sortOrder = $v;
                     }
                     break;
                 case 'updatedSince':
                     // updatedSince takes ISO date, relative N days|weeks|months|years format and epoch timestamp (UTC)
                     $updatedSince = null;
                     if (preg_match('`^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(Z|[+-][0-9]{2}:[0-9]{2})$`', $v)) {
                         // ISO date
                         $localetz = new DateTimeZone(Config::get('default_timezone'));
                         $offset = $localetz->getOffset(new DateTime($v));
                         $updatedSince = strtotime($v) + $offset;
                     } else {
                         if (preg_match('`^([0-9]+)\\s*(hour|day|week|month|year)s?$`', $v, $m)) {
                             // Relative N day|days|week|weeks|month|months|year|years format
                             $updatedSince = strtotime('-' . $m[1] . ' ' . $m[2]);
                         } else {
                             if (preg_match('`^[0-9]+$`', $v)) {
                                 $updatedSince = (int) $v;
                             }
                         }
                     }
                     // Epoch timestamp
                     if (!$updatedSince || !is_numeric($updatedSince)) {
                         throw new RestUpdatedSinceBadFormatException($updatedSince);
                     }
                     self::$request->updatedSince = $updatedSince;
                     break;
             }
         }
         $event = new Event('rest_request', self::$request);
         $data = $event->trigger(function () {
             $request = RestServer::getRequest();
             // Forward to handler, fail if unknown or method not implemented
             $class = ucfirst($request->endpoint) . 'Endpoint';
             if (!file_exists(APPLICATION_BASE . '/classes/endpoints/' . $class . '.class.php') && !file_exists(APPLICATION_BASE . '/classes/core/endpoints/' . $class . '.class.php')) {
                 throw new RestEndpointNotFoundException();
             }
             if (!method_exists($class, $request->method)) {
                 throw new RestMethodNotImplementedException();
             }
             Logger::debug('Forwarding call to ' . $class . '::' . $request->method . '() handler');
             return call_user_func_array($class . '::' . $request->method, $request->path);
         });
         Logger::debug('Got data to send back');
         // Output data
         if (array_key_exists('callback', $_GET)) {
             header('Content-Type: text/javascript');
             $callback = preg_replace('`[^a-z0-9_\\.-]`i', '', $_GET['callback']);
             echo $callback . '(' . json_encode($data) . ');';
             exit;
         }
         if (array_key_exists('iframe_callback', $_GET)) {
             header('Content-Type: text/html');
             $callback = preg_replace('`[^a-z0-9_\\.-]`i', '', $_GET['iframe_callback']);
             echo '<html><body><script type="text/javascript">window.parent.' . $callback . '(' . json_encode($data) . ');</script></body></html>';
             exit;
         }
         header('Content-Type: application/json');
         if ($method == 'post' && $data) {
             RestUtilities::sendResponseCode(201);
             if (substr($data['path'], 0, 1) != '/') {
                 $data['path'] = '/' . $data['path'];
             }
             header('Location: ' . Config::get('application_url') . 'rest.php' . $data['path']);
             $data = $data['data'];
         }
         echo json_encode($data);
     } catch (Exception $e) {
         // Return exceptions as HTTP errors
         $code = $e->getCode();
         if ($code < 400 || $code >= 600) {
             $code = 500;
         }
         RestUtilities::sendResponseCode($code);
         header('Content-Type: application/json');
         echo json_encode(array('message' => $e->getMessage(), 'uid' => method_exists($e, 'getUid') ? $e->getUid() : null, 'details' => method_exists($e, 'getDetails') ? $e->getDetails() : null));
     }
 }
Exemplo n.º 2
0
 /**
  * Authentication check.
  * 
  * @return bool
  */
 public static function isAuthenticated()
 {
     if (is_null(self::$isAuthenticated)) {
         self::$isAuthenticated = false;
         // Do we have remote authentication data in the request ?
         if (!array_key_exists('signature', $_GET)) {
             return false;
         }
         if (!array_key_exists('timestamp', $_GET)) {
             return false;
         }
         $application = array_key_exists('remote_application', $_GET) ? $_GET['remote_application'] : null;
         $uid = array_key_exists('remote_user', $_GET) ? $_GET['remote_user'] : null;
         if (!$application && !$uid) {
             return false;
         }
         self::$attributes = array();
         // Get data
         $received_signature = $_GET['signature'];
         $timestamp = (int) $_GET['timestamp'];
         if ($application) {
             // Check that application is known
             $applications = Config::get('auth_remote_applications');
             if (!is_array($applications) || !array_key_exists($application, $applications)) {
                 throw new AuthRemoteUknownApplicationException($application);
             }
             $application = new RemoteApplication($application, $applications[$application]);
         }
         // Check request time to avoid replays
         $late = time() - $timestamp - 15;
         if ($late > 0) {
             throw new AuthRemoteTooLateException($late);
         }
         // Get method from headers
         $method = null;
         foreach (array('X_HTTP_METHOD_OVERRIDE', 'REQUEST_METHOD') as $k) {
             if (!array_key_exists($k, $_SERVER)) {
                 continue;
             }
             $method = strtolower($_SERVER[$k]);
         }
         // Build signed data
         $signed = $method . '&' . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'] . (array_key_exists('PATH_INFO', $_SERVER) ? $_SERVER['PATH_INFO'] : '');
         $args = $_GET;
         unset($args['signature']);
         if (count($args)) {
             $signed .= '?' . implode('&', RestUtilities::flatten($args));
         }
         $input = Request::body();
         if ($input) {
             $signed .= '&' . $input;
         }
         // Check signature
         if ($application) {
             $secret = $application->secret;
         } else {
             // Get user, fail if unknown or no user secret
             try {
                 $user = User::fromId($uid);
             } catch (UserNotFoundException $e) {
                 throw new AuthRemoteUserRejectedException($uid, 'user not found');
             }
             if (!$user->auth_secret) {
                 throw new AuthRemoteUserRejectedException($user->id, 'no secret set');
             }
             $secret = $user->auth_secret;
         }
         $algorithm = Config::get('auth_remote_signature_algorithm');
         if (!$algorithm) {
             $algorithm = 'sha1';
         }
         $signature = hash_hmac($algorithm, $signed, $secret);
         if ($received_signature !== $signature) {
             throw new AuthRemoteSignatureCheckFailedException($signed, $secret, $received_signature, $signature);
         }
         // Register user id if given
         if ($uid) {
             self::$attributes['uid'] = $uid;
         }
         // Register admin level if asked for and enabled
         if ($application) {
             self::$isAdmin = $application->isAdmin;
             self::$application = $application;
             self::$attributes['remote_application'] = $application->name;
         }
         self::$isAuthenticated = true;
     }
     return self::$isAuthenticated;
 }
Exemplo n.º 3
0
 /**
  * Tells if the user authenticated in a remote fashion.
  * 
  * @return bool
  */
 public static function isRemoteUser()
 {
     return self::isRemote() && !AuthRemote::application();
 }