]> git.defcon.no Git - hermes/blob - api/auth.php
ad8650f0ac70426fa88d4f1226f426cf121d4b46
[hermes] / api / auth.php
1 <?php
2 require_once('config.php');
3 require_once('lib/auth_base.php');
4 require_once('lib/common_functions.php');
5 require_once('lib/db_functions.php');
6 require_once('lib/domain_functions.php');
7
8 $config = get_config();
9
10 $config['sql_link'] = @mysql_connect(
11 $config['sql_server'],
12 $config['sql_username'],
13 $config['sql_password']
14 );
15 if ( !$config['sql_link'] )
16 {
17 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.'));
18 exit;
19 }
20
21 //*************************************************************************************
22 if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logout" ) )
23 {
24 switch ( $_SERVER['PATH_INFO'] )
25 {
26 case "/login":
27 // Allow login using username and password, or API key.
28 // On successful login, a named session should be started,
29 // some data related to the session should be stored,
30 // and the name of the session provided to the user
31 // in the result.
32 $type = false;
33 $authid = false;
34
35 if ( array_key_exists('username', $_POST)
36 && array_key_exists('password', $_POST) )
37 {
38 if ( 1 == authuser_verify( sql_clean($_POST['username']), sql_clean($_POST['password'])))
39 {
40 $type = "user";
41 $authid = $_POST['username'];
42 }
43 else
44 {
45 print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
46 exit;
47 }
48 }
49 else if ( array_key_exists('api_key', $_POST) )
50 {
51 if ( verify_apikey( sql_clean( $_POST['api_key'] ) ) == 1 )
52 {
53 $type = "key";
54 $authid = $_POST['api_key'];
55 }
56 else
57 {
58 print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Login failed') );
59 exit;
60 }
61 }
62 else
63 {
64 print json_encode ( array( 'response' => 'invalid') );
65 break;
66 }
67 $session_name = set_credentials( $authid, $type );
68 $auth_key = update_authkey( $session_name, $authid );
69 print json_encode( array( 'response' => 'ok', 'session' => $session_name, 'auth_key' => $auth_key ));
70 break;
71 case "/logout":
72 // De-authenticate/deauthorize the ongoing session.
73 // I.e. destroy session data, remove session cookies.
74 $session_name = "";
75 if ( array_key_exists('session', $_POST ) )
76 $session_name = $_POST['session'];
77 session_name($session_name);
78 session_start();
79 clear_credentials($session_name);
80
81 if ( $_SESSION )
82 print json_encode ( array( 'response' => 'wtffailed?') );
83 else
84 print json_encode ( array( 'response' => 'ok') );
85 break;
86 default:
87 print json_encode ( array( 'response' => 'invalid') );
88 }
89 }
90 else
91 {
92 token_auth();
93
94 switch ( $_SERVER['PATH_INFO'] )
95 {
96 case "/ping":
97 // API clients are required to periodically ping the server
98 // The time between pings (interval) is 5 minutes?
99 // A ping call refreshes cookie lifetimes, then
100 // generates and stores a new auth_key
101 // The ping required a valid session...
102 // A successful ping returns a 'response' => 'pong'
103 // along with the new auth_key.
104 $session_name = $_POST['session'];
105 $authid = $_SESSION['authid'];
106 $auth_key = update_authkey( $session_name, $authid );
107 print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key ));
108 break;
109 case "/new_apikey":
110 // If the current authorization has write access, create
111 // a new API key with requested access (ro/rw).
112 if ( ! can_write() )
113 simple_authfail();
114
115 if ( array_key_exists('host_ip', $_POST )
116 && array_key_exists('access', $_POST ))
117 {
118 $host = $_POST['host_ip'];
119 $access = $_POST['access'];
120
121 if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) )
122 {
123 print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) );
124 break;
125 }
126 $level = authlevel_value( $access );
127 $key = add_apikey( $host, $level );
128 if ( ! $key )
129 {
130 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
131 break;
132 }
133 print json_encode( array( 'response' => 'ok', 'key' => $key, 'host' => $host, 'access' => authlevel_name( get_authorization( "key", $key ) ) ) );
134 break;
135 }
136 else print json_encode ( array( 'response' => 'invalid') );
137 break;
138 case "/remove_apikey":
139 // If the current authorization has write access,
140 // remove the given API key.
141 if ( ! can_write() )
142 simple_authfail();
143
144 if ( array_key_exists('api_key', $_POST ) )
145 {
146 $key = sql_clean( $_POST['api_key'] );
147 // Perform a key-verification, skipping host/remote-address check.
148 if ( ! verify_apikey( $key, true ) )
149 {
150 print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
151 break;
152 }
153 if ( ! remove_apikey( $key ) )
154 {
155 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
156 break;
157 }
158 print json_encode( array( 'response' => 'ok', 'key' => $key ) );
159 break;
160 }
161 else print json_encode ( array( 'response' => 'invalid') );
162 break;
163 case "/list_apikeys":
164 // List valid API keys.
165 // Fail is current authorization does not have write access.
166 if ( ! can_write() )
167 simple_authfail();
168 $list = list_apikeys();
169 print json_encode( array( 'response' => 'ok', 'list' => $list ) );
170 break;
171 case "/authorize_user":
172 // Add or update a valid back-end user in authorization
173 // if the current authentication has write access.
174 // Since the user exists in backend, the only
175 // needed parameters should be username and access level
176 // If the authorization does not exist, add it.
177 // If the user is already authorized, replace access level.
178 if ( ! can_write() )
179 simple_authfail();
180
181 if ( array_key_exists('username', $_POST )
182 && array_key_exists('access', $_POST ))
183 {
184 $user = $_POST['username'];
185 $access = $_POST['access'];
186 $level = authlevel_value( $access );
187
188 if ( ! $level )
189 {
190 print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) );
191 break;
192 }
193 if ( ! authuser_getinfo( $user ) )
194 {
195 print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
196 break;
197 }
198
199 if ( ! update_authorization( "user", $user, $level ) )
200 {
201 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
202 break;
203 }
204
205 print json_encode( array( 'response' => 'ok', 'user' => $user, 'access' => authlevel_name( get_authorization( "user", $user ) ) ) );
206 break;
207 }
208 else print json_encode ( array( 'response' => 'invalid') );
209 break;
210
211 case "/remove_user":
212 // If the current authentication has write access:
213 // Remove authorization for the given users.
214 // Delete user from backend if backend is read-write.
215 if ( ! can_write() )
216 simple_authfail();
217
218 if ( array_key_exists('username', $_POST ))
219 {
220 $user = $_POST['username'];
221
222 $t_level = get_authorization( "user", $user );
223
224 if ( $t_level && ! remove_authorization( $user ) )
225 {
226 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
227 break;
228 }
229 if ( ! authmethod_readonly() )
230 {
231 if ( !authuser_getinfo( $user ) )
232 {
233 print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
234 break;
235 }
236 if ( !authuser_delete( $user ) )
237 {
238 print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
239 break;
240 }
241 }
242
243 print json_encode( array( 'response' => 'ok', 'user' => $user ) );
244 break;
245 }
246 else print json_encode ( array( 'response' => 'invalid') );
247 break;
248
249 case "/list_users":
250 // List valid API user-acounts.
251 // Fail with notauthorized if current authentication
252 // does not have write access.
253 // Should not return users from backend,
254 // but should only return users with authorization.
255 if ( ! can_write() )
256 simple_authfail();
257 $list = list_authusers();
258 print json_encode( array( 'response' => 'ok', 'list' => $list ) );
259 break;
260
261 case "/add_user":
262 // Add user to backend if backend is read-write and
263 // the current authentication has write access.
264 // The created user should be added to authorizations
265 // with an access level of "limited_read (1)"
266 case "/update_user":
267 // Update the given user in the backend, if the backend
268 // is read-write, and the current authentication has
269 // write access.
270 print json_encode ( array( 'response' => 'notimplemented') );
271 break;
272 default:
273 print json_encode ( array( 'response' => 'invalid') );
274 }
275 }
276 //*************************************************************************************
277 mysql_close( $config['sql_link'] );
278 ?>