dolibarr  17.0.2
api_access.class.php
1 <?php
2 /* Copyright (C) 2015 Jean-Fran├žois Ferry <jfefe@aternatik.fr>
3  * Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net>
4  * Copyright (C) 2023 Ferran Marcet <fmarcet@2byte.es>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program. If not, see <https://www.gnu.org/licenses/>.
18  */
19 
20 // Create the autoloader for Luracast
21 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/AutoLoader.php';
22 call_user_func(function () {
23  $loader = Luracast\Restler\AutoLoader::instance();
24  spl_autoload_register($loader);
25  return $loader;
26 });
27 
28 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iAuthenticate.php';
29 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/iUseAuthentication.php';
30 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Resources.php';
31 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/Defaults.php';
32 require_once DOL_DOCUMENT_ROOT.'/includes/restler/framework/Luracast/Restler/RestException.php';
33 use \Luracast\Restler\iAuthenticate;
34 use \Luracast\Restler\iUseAuthentication;
35 use \Luracast\Restler\Resources;
36 use \Luracast\Restler\Defaults;
37 use \Luracast\Restler\RestException;
38 
43 class DolibarrApiAccess implements iAuthenticate
44 {
45  const REALM = 'Restricted Dolibarr API';
46 
50  public static $requires = array('user', 'external', 'admin');
51 
55  public static $role = 'user';
56 
60  public static $user = '';
61 
62 
66  public function __construct()
67  {
68  global $db;
69  $this->db = $db;
70  }
71 
72  // phpcs:disable PEAR.NamingConventions.ValidFunctionName
81  public function __isAllowed()
82  {
83  // phpcs:enable
84  global $conf, $db, $user;
85 
86  $login = '';
87  $stored_key = '';
88 
89  $userClass = Defaults::$userIdentifierClass;
90 
91  /*foreach ($_SERVER as $key => $val)
92  {
93  dol_syslog($key.' - '.$val);
94  }*/
95 
96  // api key can be provided in url with parameter api_key=xxx or ni header with header DOLAPIKEY:xxx
97  $api_key = '';
98  if (isset($_GET['api_key'])) { // For backward compatibility
99  // TODO Add option to disable use of api key on url. Return errors if used.
100  $api_key = $_GET['api_key'];
101  }
102  if (isset($_GET['DOLAPIKEY'])) {
103  // TODO Add option to disable use of api key on url. Return errors if used.
104  $api_key = $_GET['DOLAPIKEY']; // With GET method
105  }
106  if (isset($_SERVER['HTTP_DOLAPIKEY'])) { // Param DOLAPIKEY in header can be read with HTTP_DOLAPIKEY
107  $api_key = $_SERVER['HTTP_DOLAPIKEY']; // With header method (recommanded)
108  }
109 
110  if ($api_key) {
111  $userentity = 0;
112 
113  $sql = "SELECT u.login, u.datec, u.api_key, ";
114  $sql .= " u.tms as date_modification, u.entity";
115  $sql .= " FROM ".MAIN_DB_PREFIX."user as u";
116  $sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."' OR u.api_key = '".$this->db->escape(dolEncrypt($api_key, '', '', 'dolibarr'))."'";
117 
118  $result = $this->db->query($sql);
119  if ($result) {
120  $nbrows = $this->db->num_rows($result);
121  if ($nbrows == 1) {
122  $obj = $this->db->fetch_object($result);
123  $login = $obj->login;
124  $stored_key = dolDecrypt($obj->api_key);
125  $userentity = $obj->entity;
126 
127  if (!defined("DOLENTITY") && $conf->entity != ($obj->entity ? $obj->entity : 1)) { // If API was not forced with HTTP_DOLENTITY, and user is on another entity, so we reset entity to entity of user
128  $conf->entity = ($obj->entity ? $obj->entity : 1);
129  // We must also reload global conf to get params from the entity
130  dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity.") and we have to reload configuration.", LOG_WARNING);
131  $conf->setValues($this->db);
132  }
133  } elseif ($nbrows > 1) {
134  throw new RestException(503, 'Error when fetching user api_key : More than 1 user with this apikey');
135  }
136  } else {
137  throw new RestException(503, 'Error when fetching user api_key :'.$this->db->error_msg);
138  }
139 
140  if ($stored_key != $api_key) { // This should not happen since we did a search on api_key
141  $userClass::setCacheIdentifier($api_key);
142  return false;
143  }
144 
145  if (!$login) {
146  throw new RestException(503, 'Error when searching login user from api key');
147  }
148  $fuser = new User($this->db);
149  $result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity)
150  if ($result <= 0) {
151  throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')');
152  }
153  if ($fuser->statut == 0) {
154  throw new RestException(503, 'Error when fetching user. This user has been locked or disabled');
155  }
156 
157  $fuser->getrights();
158 
159  // Set the property $user to the $user of API
160  static::$user = $fuser;
161 
162  // Set also the global variable $user to the $user of API
163  $user = $fuser;
164 
165  if ($fuser->socid) {
166  static::$role = 'external';
167  }
168 
169  if ($fuser->admin) {
170  static::$role = 'admin';
171  }
172  } else {
173  throw new RestException(401, "Failed to login to API. No parameter 'HTTP_DOLAPIKEY' on HTTP header (and no parameter DOLAPIKEY in URL).");
174  }
175 
176  $userClass::setCacheIdentifier(static::$role);
177  Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
178  $requirefortest = static::$requires;
179  if (!is_array($requirefortest)) {
180  $requirefortest = explode(',', $requirefortest);
181  }
182  return in_array(static::$role, (array) $requirefortest) || static::$role == 'admin';
183  }
184 
185  // phpcs:disable PEAR.NamingConventions.ValidFunctionName
189  public function __getWWWAuthenticateString()
190  {
191  // phpcs:enable
192  return '';
193  }
194 
203  public static function verifyAccess(array $m)
204  {
205  $requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])
206  ? $m['class']['DolibarrApiAccess']['properties']['requires']
207  : false;
208 
209 
210  return $requires
211  ? static::$role == 'admin' || in_array(static::$role, (array) $requires)
212  : true;
213  }
214 }
db
$conf db
API class for accounts.
Definition: inc.php:41
DolibarrApiAccess\__construct
__construct()
Constructor.
Definition: api_access.class.php:66
DolibarrApiAccess\verifyAccess
static verifyAccess(array $m)
Verify access.
Definition: api_access.class.php:203
DolibarrApiAccess
Dolibarr API access class.
Definition: api_access.class.php:43
DolibarrApiAccess\__isAllowed
__isAllowed()
Check access.
Definition: api_access.class.php:81
DolibarrApiAccess\__getWWWAuthenticateString
__getWWWAuthenticateString()
Definition: api_access.class.php:189
dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
Definition: functions.lib.php:1628
dolEncrypt
dolEncrypt($chain, $key='', $ciphering='AES-256-CTR', $forceseed='')
Encode a string with a symetric encryption.
Definition: security.lib.php:120
User
Class to manage Dolibarr users.
Definition: user.class.php:46
dolDecrypt
dolDecrypt($chain, $key='')
Decode a string with a symetric encryption.
Definition: security.lib.php:174