X-Git-Url: https://git.defcon.no/?a=blobdiff_plain;f=api%2Fauth.php;h=1513aae2d7585dd948c387f439e1a240abca605a;hb=6496a650839b71ea7bfaab1b3b461886de4475a8;hp=6a8188ecc12ac859c217db5b933223b3fd08c696;hpb=7fd48bae862f9eb34c3100995a58c01f3ab9deb4;p=hermes diff --git a/api/auth.php b/api/auth.php index 6a8188e..1513aae 100644 --- a/api/auth.php +++ b/api/auth.php @@ -19,6 +19,8 @@ if ( !$config['sql_link'] ) } //************************************************************************************* +if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logout" ) ) +{ switch ( $_SERVER['PATH_INFO'] ) { case "/login": @@ -46,7 +48,7 @@ if ( !$config['sql_link'] ) } else if ( array_key_exists('api_key', $_GET) ) { - if ( apikey_verify( sql_clean( $_GET['api_key'] ) ) == 1 ) + if ( verify_apikey( sql_clean( $_GET['api_key'] ) ) == 1 ) { $type = "key"; $authid = $_GET['api_key']; @@ -66,20 +68,6 @@ if ( !$config['sql_link'] ) $auth_key = update_authkey( $session_name, $authid ); print json_encode( array( 'response' => 'ok', 'session' => $session_name, 'auth_key' => $auth_key )); break; - case "/ping": - // API clients are required to periodically ping the server - // The time between pings (interval) is 5 minutes? - // A ping call refreshes cookie lifetimes, then - // generates and stores a new auth_key - // The ping required a valid session... - // A successful ping returns a 'response' => 'pong' - // along with the new auth_key. - token_auth(); - $session_name = $_GET['session']; - $authid = $_SESSION['authid']; - $auth_key = update_authkey( $session_name, $authid ); - print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key )); - break; case "/logout": // De-authenticate/deauthorize the ongoing session. // I.e. destroy session data, remove session cookies. 
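Review bot: The new condition reads `$_SERVER['PATH_INFO']` twice with `==` and without checking that it is set, and the set of unauthenticated routes is now written both here and in the `case` labels of the switch that follows. A request with no path info raises an undefined-index notice and then takes the `token_auth()` branch, which fails closed but adds log noise. Reading the value once with `$path = isset( $_SERVER['PATH_INFO'] ) ? $_SERVER['PATH_INFO'] : '';` and testing `in_array( $path, array( '/login', '/logout' ), true )` keeps the allowlist in one place. The `default:` arm added to this switch in a later hunk cannot be reached while the outer test admits only those two values. The body of the `if` continues past this hunk.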
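Review bot: In the `api_key` branch the key is verified as `sql_clean( $_GET['api_key'] )`, but the following context line stores the raw `$_GET['api_key']` in `$authid`, so the value that was checked and the value that is kept can differ whenever `sql_clean()` alters its input. Cleaning once and reusing the result keeps them identical: `$key = sql_clean( $_GET['api_key'] );`, then `verify_apikey( $key )` and `$authid = $key;`. This matters if `update_authkey()`, which is defined outside this diff, places `$authid` in a query. The `== 1` test is also loose, so if `verify_apikey()` returns a boolean or an integer, a strict comparison against that type would state the contract. The enclosing `else if` chain starts and ends outside this hunk.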
@@ -95,12 +83,91 @@ if ( !$config['sql_link'] ) else print json_encode ( array( 'response' => 'ok') ); break; - case "/list_users": - // List valid API user-acounts. - // Fail with notauthorized if current authentication - // does not have write access. - // Should not return users from backend, - // but should only return users with authorization. + default: + print json_encode ( array( 'response' => 'invalid') ); + } +} +else +{ + token_auth(); + + switch ( $_SERVER['PATH_INFO'] ) + { + case "/ping": + // API clients are required to periodically ping the server + // The time between pings (interval) is 5 minutes? + // A ping call refreshes cookie lifetimes, then + // generates and stores a new auth_key + // The ping required a valid session... + // A successful ping returns a 'response' => 'pong' + // along with the new auth_key. + $session_name = $_GET['session']; + $authid = $_SESSION['authid']; + $auth_key = update_authkey( $session_name, $authid ); + print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key )); + break; + case "/new_apikey": + // If the current authorization has write access, create + // a new API key with requested access (ro/rw). + if ( ! can_write() ) + simple_authfail(); + + if ( array_key_exists('host_ip', $_GET ) + && array_key_exists('access', $_GET )) + { + $host = $_GET['host_ip']; + $access = $_GET['access']; + + if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) ) + { + print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) ); + break; + } + $level = authlevel_value( $access ); + $key = add_apikey( $host, $level ); + if ( ! 
$key ) + { + print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.')); + break; + } + print json_encode( array( 'response' => 'ok', 'key' => $key, 'host' => $host, 'access' => authlevel_name( $level ) ) ); + break; + } + else print json_encode ( array( 'response' => 'invalid') ); + break; + case "/remove_apikey": + // If the current authorization has write access, + // remove the given API key. + if ( ! can_write() ) + simple_authfail(); + + if ( array_key_exists('api_key', $_GET ) ) + { + $key = sql_clean( $_GET['api_key'] ); + // Perform a key-verification, skipping host/remote-address check. + if ( ! verify_apikey( $key, true ) ) + { + print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant')); + break; + } + if ( ! remove_apikey( $key ) ) + { + print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.')); + break; + } + print json_encode( array( 'response' => 'ok', 'key' => $key ) ); + break; + } + else print json_encode ( array( 'response' => 'invalid') ); + break; + case "/list_apikeys": + // List valid API keys. + // Fail is current authorization does not have write access. + if ( ! can_write() ) + simple_authfail(); + $list = list_apikeys(); + print json_encode( array( 'response' => 'ok', 'list' => $list ) ); + break; case "/authorize_user": // Add or update a valid back-end user in authorization // if the current authentication has write access. 
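Review bot: The `host_ip` check in `/new_apikey` accepts values that are not IPv4 addresses: each octet may be as large as 999, and because `$` also matches before a final newline, a value ending in a line feed passes and is handed to `add_apikey()`. Using `filter_var( $host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) === false` as the rejection test closes both gaps. Separately, the three `if ( ! can_write() ) simple_authfail();` guards protect key creation, removal and listing only if `simple_authfail()` ends the request. Its definition is not in this diff, so confirm that it exits, or move the privileged code into an `else` so that a returning helper cannot fall through. The same applies to the single `token_auth()` call that now gates every case in this switch.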
@@ -108,30 +175,31 @@ if ( !$config['sql_link'] ) // needed parameters should be username and access level // If the authorization does not exist, add it. // If the user is already authorized, replace access level. + case "/remove_user": + // If the current authentication has write access: + // Remove authorization for the given users. + // Delete user from backend if backend is read-write. + case "/list_users": + // List valid API user-acounts. + // Fail with notauthorized if current authentication + // does not have write access. + // Should not return users from backend, + // but should only return users with authorization. case "/add_user": // Add user to backend if backend is read-write and // the current authentication has write access. + // The created user should be added to authorizations + // with an access level of "limited_read (1)" case "/update_user": // Update the given user in the backend, if the backend // is read-write, and the current authentication has // write access. - case "/remove_user": - // Delete user from backend if backend is read-write - // and the current authentication has write access. - case "/list_apikeys": - // List valid API keys. - // Fail is current authorization does not have write access. - case "/new_apikey": - // If the current authorization has write access, create - // a new API key with requested access (ro/rw). - case "/remove_apikey": - // If the current authorization has write access, - // remove the given API key. print json_encode ( array( 'response' => 'notimplemented') ); break; default: print json_encode ( array( 'response' => 'invalid') ); } +} //************************************************************************************* mysql_close( $config['sql_link'] ); ?>