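 /**
  * Looks up the first REST API token mapped to a user, after authenticating
  * the request with a nonce-bound password hash.
  *
  * Expected $params keys: 'user' (core user id), 'nonce' (a unix timestamp
  * chosen by the caller) and 'hash' (hex sha256 of the stored password
  * concatenated with the nonce, exactly as sent).
  *
  * @param array $params request parameters, see above
  * @return array|false the record from restapi_tokens_get() on success, an
  *                     array with 'status' => 'error' for malformed input or
  *                     a user without tokens, or false when authentication
  *                     fails (missing password, nonce out of window, bad hash)
  */
 function get_restapi_tokens_search($params)
 {
     if (!isset($params['user'], $params['hash'], $params['nonce'])) {
         return array('status' => 'error', 'msg' => 'Invalid params');
     }
     // hash_equals() below needs two strings; anything else is malformed input
     if (!is_string($params['hash'])) {
         return array('status' => 'error', 'msg' => 'Invalid params');
     }
     $user = core_users_get($params['user']);
     // password MUST be set; empty() also covers an unknown user (false/null
     // from core_users_get) without raising a notice
     if (empty($user['password'])) {
         return false;
     }
     // The nonce is the caller's clock and must be within +/- 5 minutes
     // (a 10 minute window) of the server's; this bounds how long a captured
     // hash can be replayed. Cast before comparing so a non-numeric nonce is
     // rejected on the window check rather than by string/number comparison rules.
     $time = time();
     $time_frame = 5 * 60;
     $nonce = (int) $params['nonce'];
     if ($nonce < $time - $time_frame || $nonce > $time + $time_frame) {
         return false;
     }
     // The hash binds the stored password to the nonce so the password itself
     // is never sent. Compare in constant time instead of with != so the check
     // does not leak how many leading characters matched.
     // NOTE(review): the scheme is only as strong as whatever core_users_get()
     // returns in 'password'; the hash covers the raw nonce string as received.
     $expected = hash('sha256', $user['password'] . $params['nonce']);
     if (!hash_equals($expected, $params['hash'])) {
         return false;
     }
     // request is authenticated; hand back the first token mapped to this user
     $t = restapi_user_get_user_tokens($params['user']);
     if (!isset($t[0])) {
         return array('status' => 'error', 'msg' => 'No tokens found!');
     }
     return restapi_tokens_get($t[0]);
 }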
<?php

/*
 * View: lists every REST API token mapped to the current user and lets the
 * admin set each token's status. Expects $tokens (array of token ids) to be
 * provided by the including script.
 */
$out = '';
$out .= heading(_('Tokens'), 2);
$out .= '<div id="line"><div class="spacer"></div><div class="spacer"></div></div>';
if (!$tokens) {
    $out .= _('No tokens associated with this user');
} else {
    // NOTE(review): the form action is built from PHP_SELF and QUERY_STRING,
    // which reflect the incoming request; this relies on form_open() escaping
    // its argument for the HTML attribute context.
    $out .= form_open($_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']);
    foreach (array('f' => 'action', 'm' => 'restapi', 'action' => 'save') as $field => $value) {
        $out .= form_hidden($field, $value);
    }
    $table = new CI_Table();
    $statusOptions = array('enabled' => _('Enabled'), 'disabled' => _('Disabled'));
    foreach ($tokens as $tokenId) {
        $record = restapi_tokens_get($tokenId);
        // fall back to a generic label when the token has no name
        $displayName = $record['name'] ?: _('Token') . ' ' . $tokenId;
        $sectionHeading = heading(fpbx_label($displayName, $record['desc']), 5) . '<hr>';
        $statusField = form_dropdown('token_status[' . $tokenId . ']', $statusOptions, $record['token_status']);
        $table->add_row(array('data' => $sectionHeading, 'colspan' => 2));
        $table->add_row(_('Token'), $record['token']);
        $table->add_row(_('Token Key'), $record['tokenkey']);
        $table->add_row(_('Status'), $statusField);
    }
    $table->add_row(form_submit('save', _('Save')));
    $out .= $table->generate();
    $out .= form_close() . br();
}
echo $out;
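/**
 * Creates or updates a REST API token and rewrites its detail rows.
 *
 * Existing tokens (non-empty 'id') keep their current token/tokenkey; the
 * values passed in $vars for those two keys are ignored. The detail rows of
 * the token are deleted and re-inserted from $vars on every call.
 *
 * @param array $vars token fields: optional 'id' (empty for a new token),
 *                    'name', 'desc', 'assoc_user', and any of 'allow', 'deny',
 *                    'users', 'modules', 'token', 'tokenkey', 'token_status',
 *                    'rate'. Keys not listed here are not stored.
 * @return mixed the token id, as passed in or as assigned by the database
 */
function restapi_tokens_put($vars)
{
    global $db, $amp_conf;
    if (!isset($vars['id'])) {
        $vars['id'] = null;
    }
    //reuse old token/key on non-new tokens so a save never rotates credentials
    if ($vars['id']) {
        $orig = restapi_tokens_get($vars['id']);
        $vars['token'] = $orig['token'];
        $vars['tokenkey'] = $orig['tokenkey'];
    }
    //insert headers
    $sql = 'REPLACE INTO restapi_tokens (id, name, `desc`) VALUES (?, ?, ?)';
    $ret = $db->query($sql, array(
        $vars['id'],
        isset($vars['name']) ? $vars['name'] : null,
        isset($vars['desc']) ? $vars['desc'] : null,
    ));
    db_e($ret);
    //get an id if we don't already have one
    if (empty($vars['id'])) {
        $vars['id'] = $db->getOne($amp_conf["AMPDBENGINE"] == "sqlite3" ? 'SELECT last_insert_rowid()' : 'SELECT LAST_INSERT_ID()');
    }
    //clear stale data
    $sql = 'DELETE FROM restapi_token_details WHERE token_id = ?';
    $ret = $db->query($sql, array($vars['id']));
    db_e($ret);
    //collect fresh values; $data must exist even when no detail key was passed
    $json_keys = array('allow', 'deny', 'users');
    $raw_keys = array('token', 'tokenkey', 'token_status', 'rate');
    $data = array();
    foreach ($vars as $k => $v) {
        if ($k === 'modules') {
            //TODO: validate that modules really exist
            $modules = is_array($v) ? $v : array();
            //a wildcard entry makes any explicit module list redundant
            if (in_array('*', $modules, true)) {
                $modules = array('*');
            }
            $data[] = array($vars['id'], $k, json_encode($modules));
        } elseif (in_array($k, $json_keys, true)) {
            //TODO: validate ip's (allow/deny) and that users really exist
            $data[] = array($vars['id'], $k, json_encode($v));
        } elseif (in_array($k, $raw_keys, true)) {
            $data[] = array($vars['id'], $k, $v);
        }
        //every other key ('id', 'name', 'desc', 'assoc_user', ...) has no detail row
    }
    //insert fresh data
    $sql = $db->prepare('INSERT INTO restapi_token_details (token_id, `key`, value) VALUES (?, ?, ?)');
    $ret = $db->executeMultiple($sql, $data);
    db_e($ret);
    //update user mappings
    if (!empty($vars['assoc_user'])) {
        restapi_user_set_token($vars['assoc_user'], $vars['id']);
    }
    return $vars['id'];
}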
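 /**
  * Collects the request metadata used for authentication into $this->req.
  *
  * Reads selected $_SERVER entries into $this->req->headers (with '' for
  * anything not sent), takes the token and nonce from them, loads the
  * token's stored options into $this->req->token_opts (or a 'not_found' /
  * general-token default set when the token is unknown), computes the body
  * hash through $this->auth->get_data_hash() and captures $_FILES. The
  * assembled request is logged when a logger is configured.
  */
 function _get_req()
 {
     $this->req = isset($this->req) ? $this->req : new stdClass();
     $h = array('address' => '', 'content_type' => '', 'host' => '', 'ip' => '', 'nonce' => '', 'port' => '', 'token' => '', 'tokenkey' => '', 'timestamp' => '', 'user_agent' => '', 'uri' => '', 'signature' => '');
     // $_SERVER entry => header slot it fills; every other entry is ignored
     $server_map = array(
         'HTTP_HOST' => 'host',
         'CONTENT_TYPE' => 'content_type',
         'SERVER_NAME' => 'address',
         'SERVER_PORT' => 'port',
         'REMOTE_ADDR' => 'ip',
         'REQUEST_URI' => 'uri',
         'HTTP_TOKEN' => 'token',
         'HTTP_NONCE' => 'nonce',
         'HTTP_SIGNATURE' => 'signature',
         'HTTP_USER_AGENT' => 'user_agent',
     );
     foreach ($server_map as $server_key => $slot) {
         if (array_key_exists($server_key, $_SERVER)) {
             $h[$slot] = $_SERVER[$server_key];
         }
     }
     // Always substitute a placeholder when no token/nonce was sent so the
     // signature check still runs and fails instead of being skipped on empty
     // input. NOTE(review): md5(time()) is predictable; it only serves as a
     // lookup key that is not expected to match any stored token.
     $this->req->token = $h['token'] ? $h['token'] : md5(time());
     $this->req->nonce = $h['nonce'] ? $h['nonce'] : md5(time());
     $h['protocol'] = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on" ? "https" : "http";
     $h['url'] = $h['host'] . $h['uri'];
     //get data associated with this token
     $opts = restapi_tokens_get($this->req->token, 'token');
     if ($opts) {
         // token_opts must exist before properties are assigned on it: on
         // PHP 8 assigning a property on null is an Error (a warning earlier)
         if (!isset($this->req->token_opts)) {
             $this->req->token_opts = new stdClass();
         }
         foreach ($opts as $k => $v) {
             $this->req->token_opts->{$k} = $v;
         }
     } else {
         //add defaults
         $this->req->token_opts = new stdClass();
         $this->req->token_opts->token_status = 'not_found';
         $this->req->token_opts->users = array();
         $this->req->token_opts->modules = array();
         $this->req->token_opts->allow = array();
         $this->req->token_opts->deny = array();
         $this->req->token_opts->name = '';
         $this->req->token_opts->rate = '';
         $this->req->token_opts->token = '';
         $this->req->token_opts->tokenkey = '';
         $this->req->token_opts->assoc_user = '';
         // a configured general token stands in for an unknown per-user token
         if ($this->opts['token'] != '') {
             $this->req->token_opts->token_status = $this->opts['status'] === 'normal' ? 'enabled' : 'disabled';
             $this->req->token_opts->token = $this->opts['token'];
             $this->req->token_opts->tokenkey = $this->opts['tokenkey'];
             $this->req->token_opts->name = 'general';
             $this->req->token_opts->users = array('*');
             $this->req->token_opts->modules = array('*');
             $this->req->token_opts->rate = -1;
         }
     }
     //headers
     $this->req->headers = $h;
     //build request body hash
     $this->req->body_hash = $this->auth->get_data_hash($this->req->token, $this->req->headers['url'], $this->router->verb, $this->req->nonce, $this->router->body);
     $this->req->files = $_FILES;
     if ($this->log) {
         $this->log->event('Request', $this->req);
     }
 }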
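 /**
  * Userman hook: renders the "Rest API" tab on the user/group add/show pages.
  *
  * Builds the $displayvars consumed by views/hook_userman.php: the mode
  * ('user' or 'group'), the enabled flag, the selectable user and module
  * lists, and one entry per token (the user's existing tokens, otherwise a
  * single template entry with freshly generated credentials; in group mode
  * the group's stored defaults).
  *
  * @return array|null a single-element list with 'title', 'rawname' and
  *                    'content' keys, or null when the request action is not
  *                    one this hook handles
  */
 public function usermanShowPage()
 {
     if (!isset($_REQUEST['action'])) {
         return null;
     }
     $action = $_REQUEST['action'];
     if (!in_array($action, array('showgroup', 'addgroup', 'adduser', 'showuser'), true)) {
         return null;
     }
     $is_group = in_array($action, array('showgroup', 'addgroup'), true);
     $user_id = isset($_REQUEST['user']) ? $_REQUEST['user'] : null;
     $group_id = isset($_REQUEST['group']) ? $_REQUEST['group'] : null;
     $enabled = null;
     $tokens = array();
     if ($action === 'showuser') {
         $enabled = $this->userman->getModuleSettingByID($user_id, 'restapi', 'restapi_token_status', true);
         $tokens = restapi_user_get_user_tokens($user_id);
     }
     $tokens = !empty($tokens) ? $tokens : array();
     $displayvars = array('mode' => $is_group ? 'group' : 'user', 'enabled' => $enabled);
     $displayvars['user_list_all'] = array();
     if ($is_group) {
         $displayvars['user_list_all']['self'] = _("User Primary Extension");
     }
     // NOTE(review): $list[1] is the extension's display name and is inserted
     // as-is; this relies on the view escaping option labels for HTML.
     foreach (core_users_list() as $list) {
         $displayvars['user_list_all'][$list[0]] = $list[1] . " &#60;" . $list[0] . "&#62;";
     }
     // Get list of modules that have been API enabled.
     $api = new \Api();
     $api_mods = array();
     foreach ($api->maps as $verb => $urls) {
         foreach ($urls as $url => $maps) {
             foreach ($maps as $map => $details) {
                 $api_mods[$details["module"]] = 1;
             }
         }
     }
     unset($api);
     //modules: only installed modules that expose an API are selectable
     global $db;
     $mods = \modulelist::create($db);
     $displayvars['module_list'] = array();
     foreach ($mods->module_array as $mod) {
         if (isset($mod['rawname']) && isset($api_mods[$mod['rawname']])) {
             $displayvars['module_list'][$mod['rawname']] = $mod['name'];
         }
     }
     asort($displayvars['module_list']);
     $displayvars['module_list'] = array('*' => _('All')) + $displayvars['module_list'];
     //everything else
     $rest_template = $displayvars;
     if ($is_group) {
         //group mode: a single placeholder entry filled from the group settings
         $enabled = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_token_status');
         $users = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_users');
         $modules = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_modules');
         $rate = $this->userman->getModuleSettingByGID($group_id, 'restapi', 'restapi_rate');
         $displayvars['tokens'][0] = array_merge($rest_template, restapi_tokens_get());
         $displayvars['tokens'][0]['token'] = 1;
         $displayvars['tokens'][0]['tokenkey'] = 1;
         $displayvars['tokens'][0]['id'] = 0;
         $displayvars['tokens'][0]['users'] = is_array($users) ? $users : array("self");
         if ($enabled) {
             $displayvars['tokens'][0]['rate'] = !empty($rate) ? $rate : "1000";
             $displayvars['tokens'][0]['modules'] = is_array($modules) ? $modules : array();
         }
         $displayvars['enabled'] = $enabled;
     } elseif (!empty($tokens)) {
         foreach ($tokens as $token) {
             $displayvars['tokens'][] = array_merge($rest_template, restapi_tokens_get($token));
         }
     } else {
         //no tokens yet: offer a template with freshly generated credentials
         $displayvars['tokens'][0] = array_merge($rest_template, restapi_tokens_get());
         $displayvars['tokens'][0]['token'] = \restapi_tokens_generate();
         $displayvars['tokens'][0]['tokenkey'] = \restapi_tokens_generate();
         $displayvars['tokens'][0]['id'] = 0;
         $displayvars['tokens'][0]['users'] = array("self");
         $displayvars['tokens'][0]['rate'] = 1000;
     }
     return array(array("title" => _("Rest API"), "rawname" => "restapi", "content" => load_view(__DIR__ . '/views/hook_userman.php', $displayvars)));
 }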