]> git.defcon.no Git - hermes/blob - api/auth.php
Added general framework for API-key authentication. From this point, the API requires...
[hermes] / api / auth.php
1 <?php
2 require_once('config.php');
3 require_once('lib/auth_base.php');
4 require_once('lib/common_functions.php');
5 require_once('lib/db_functions.php');
6 require_once('lib/domain_functions.php');
7
8 $config = get_config();
9
10 $config['sql_link'] = @mysql_connect(
11 $config['sql_server'],
12 $config['sql_username'],
13 $config['sql_password']
14 );
15 if ( !$config['sql_link'] )
16 {
17 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.'));
18 exit;
19 }
20
21 //*************************************************************************************
22 if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logout" ) )
23 {
24 switch ( $_SERVER['PATH_INFO'] )
25 {
26 case "/login":
27 // Allow login using username and password, or API key.
28 // On successful login, a named session should be started,
29 // some data related to the session should be stored,
30 // and the name of the session provided to the user
31 // in the result.
32 $type = false;
33 $authid = false;
34
35 if ( array_key_exists('username', $_GET)
36 && array_key_exists('password', $_GET) )
37 {
38 if ( 1 == authuser_verify( sql_clean($_GET['username']), sql_clean($_GET['password'])))
39 {
40 $type = "user";
41 $authid = $_GET['username'];
42 }
43 else
44 {
45 print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
46 exit;
47 }
48 }
49 else if ( array_key_exists('api_key', $_GET) )
50 {
51 if ( verify_apikey( sql_clean( $_GET['api_key'] ) ) == 1 )
52 {
53 $type = "key";
54 $authid = $_GET['api_key'];
55 }
56 else
57 {
58 print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
59 exit;
60 }
61 }
62 else
63 {
64 print json_encode ( array( 'response' => 'invalid') );
65 break;
66 }
67 $session_name = set_credentials( $authid, $type );
68 $auth_key = update_authkey( $session_name, $authid );
69 print json_encode( array( 'response' => 'ok', 'session' => $session_name, 'auth_key' => $auth_key ));
70 break;
71 case "/logout":
72 // De-authenticate/deauthorize the ongoing session.
73 // I.e. destroy session data, remove session cookies.
74 $session_name = "";
75 if ( array_key_exists('session', $_GET ) )
76 $session_name = $_GET['session'];
77 session_name($session_name);
78 session_start();
79 clear_credentials($session_name);
80
81 if ( $_SESSION )
82 print json_encode ( array( 'response' => 'wtffailed?') );
83 else
84 print json_encode ( array( 'response' => 'ok') );
85 break;
86 default:
87 print json_encode ( array( 'response' => 'invalid') );
88 }
89 }
90 else
91 {
92 token_auth();
93
94 switch ( $_SERVER['PATH_INFO'] )
95 {
96 case "/ping":
97 // API clients are required to periodically ping the server
98 // The time between pings (interval) is 5 minutes?
99 // A ping call refreshes cookie lifetimes, then
100 // generates and stores a new auth_key
101 // The ping required a valid session...
102 // A successful ping returns a 'response' => 'pong'
103 // along with the new auth_key.
104 $session_name = $_GET['session'];
105 $authid = $_SESSION['authid'];
106 $auth_key = update_authkey( $session_name, $authid );
107 print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key ));
108 break;
109 case "/new_apikey":
110 // If the current authorization has write access, create
111 // a new API key with requested access (ro/rw).
112 if ( ! can_write() )
113 simple_authfail();
114
115 if ( array_key_exists('host_ip', $_GET )
116 && array_key_exists('access', $_GET ))
117 {
118 $host = $_GET['host_ip'];
119 $access = $_GET['access'];
120
121 if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) )
122 {
123 print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) );
124 break;
125 }
126 $level = authlevel_value( $access );
127 $key = add_apikey( $host, $level );
128 if ( ! $key )
129 {
130 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
131 break;
132 }
133 print json_encode( array( 'response' => 'ok', 'key' => $key, 'host' => $host, 'access' => authlevel_name( $level ) ) );
134 break;
135 }
136 else print json_encode ( array( 'response' => 'invalid') );
137 break;
138 case "/remove_apikey":
139 // If the current authorization has write access,
140 // remove the given API key.
141 if ( ! can_write() )
142 simple_authfail();
143
144 if ( array_key_exists('api_key', $_GET ) )
145 {
146 $key = sql_clean( $_GET['api_key'] );
147 // Perform a key-verification, skipping host/remote-address check.
148 if ( ! verify_apikey( $key, true ) )
149 {
150 print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
151 break;
152 }
153 if ( ! remove_apikey( $key ) )
154 {
155 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
156 break;
157 }
158 print json_encode( array( 'response' => 'ok', 'key' => $key ) );
159 break;
160 }
161 else print json_encode ( array( 'response' => 'invalid') );
162 break;
163 case "/list_apikeys":
164 // List valid API keys.
165 // Fail is current authorization does not have write access.
166 if ( ! can_write() )
167 simple_authfail();
168 $list = list_apikeys();
169 print json_encode( array( 'response' => 'ok', 'list' => $list ) );
170 break;
171 case "/authorize_user":
172 // Add or update a valid back-end user in authorization
173 // if the current authentication has write access.
174 // Since the user exists in backend, the only
175 // needed parameters should be username and access level
176 // If the authorization does not exist, add it.
177 // If the user is already authorized, replace access level.
178 case "/remove_user":
179 // If the current authentication has write access:
180 // Remove authorization for the given users.
181 // Delete user from backend if backend is read-write.
182 case "/list_users":
183 // List valid API user-acounts.
184 // Fail with notauthorized if current authentication
185 // does not have write access.
186 // Should not return users from backend,
187 // but should only return users with authorization.
188 case "/add_user":
189 // Add user to backend if backend is read-write and
190 // the current authentication has write access.
191 // The created user should be added to authorizations
192 // with an access level of "limited_read (1)"
193 case "/update_user":
194 // Update the given user in the backend, if the backend
195 // is read-write, and the current authentication has
196 // write access.
197 print json_encode ( array( 'response' => 'notimplemented') );
198 break;
199 default:
200 print json_encode ( array( 'response' => 'invalid') );
201 }
202 }
203 //*************************************************************************************
204 mysql_close( $config['sql_link'] );
205 ?>