git.sur5r.net Git - bacula/bacula/blob - gui/baculum/protected/API/Class/BaculumAPIServer.php

   1 <?php
   2 /*
   3  * Bacula(R) - The Network Backup Solution
   4  * Baculum   - Bacula web interface
   5  *
   6  * Copyright (C) 2013-2017 Kern Sibbald
   7  *
   8  * The main author of Baculum is Marcin Haba.
   9  * The original author of Bacula is Kern Sibbald, with contributions
  10  * from many others, a complete list can be found in the file AUTHORS.
  11  *
  12  * You may use this file and others of this release according to the
  13  * license defined in the LICENSE file, which includes the Affero General
  14  * Public License, v3.0 ("AGPLv3") and some additional permissions and
  15  * terms pursuant to its AGPLv3 Section 7.
  16  *
  17  * This notice must be preserved when any source code is
  18  * conveyed and/or propagated.
  19  *
  20  * Bacula(R) is a registered trademark of Kern Sibbald.
  21  */
  22
  23 Prado::using('System.Web.UI.TPage');
  24 Prado::using('System.Exceptions.TException');
  25 Prado::using('Application.Common.Class.Errors');
  26 Prado::using('Application.Common.Class.OAuth2');
  27 Prado::using('Application.Common.Class.Logging');
  28 Prado::using('Application.API.Class.BException');
  29 Prado::using('Application.API.Class.APIDbModule');
  30 Prado::using('Application.API.Class.Bconsole');
  31 Prado::using('Application.API.Class.OAuth2.TokenRecord');
  32
  33 /**
  34  * Abstract module from which inherits each of API module.
  35  * The module contains methods that are common for all API pages.
  36  *
  37  * @author Marcin Haba <marcin.haba@bacula.pl>
  38  */
  39 abstract class BaculumAPIServer extends TPage {
  40
  41         /**
  42          * API server version (used in HTTP header)
  43          */
  44         const API_SERVER_VERSION = 0.1;
  45
  46         /**
  47          * Storing output from API commands in numeric array.
  48          */
  49         protected $output;
  50
  51         /**
  52          * Storing error from API commands as integer value.
  53          */
  54         protected $error;
  55
  56         /**
  57          * Storing currently used Director name for bconsole commands.
  58          */
  59         protected $director;
  60
  61         /**
  62          * Web interface User name that sent request to API.
  63          * Null value means administrator, any other value means normal user
  64          * (non-admin user).
  65          */
  66         protected $user;
  67
  68         private $public_endpoints = array('auth', 'token', 'welcome', 'catalog', 'dbsize', 'directors');
  69
  70         /**
  71          * Action methods.
  72          */
  73
  74         // get elements
  75         const GET_METHOD = 'GET';
  76
  77         // create new elemenet
  78         const POST_METHOD = 'POST';
  79
  80         // update elements
  81         const PUT_METHOD = 'PUT';
  82
  83         // delete element
  84         const DELETE_METHOD = 'DELETE';
  85
  86         /**
  87          * Get request, login user and do request action.
  88          *
  89          * @access public
  90          * @param mixed $params onInit action params
  91          * @return none
  92          */
  93         public function onInit($params) {
  94                 parent::onInit($params);
  95                 /*
  96                  * Workaround to bug in PHP 5.6 by FastCGI that caused general protection error.
  97                  * @TODO: Check on newer PHP if it is already fixed.
  98                  */
  99                 // @TODO: Move it to API module.
 100                 //$db_params = $this->getModule('api_config')->getConfig('db');
 101                 //APIDbModule::getAPIDbConnection($db_params);
 102
 103                 // set Director to bconsole execution
 104                 $this->director = $this->Request->contains('director') ? $this->Request['director'] : null;
 105
 106                 $is_auth = false;
 107                 $config = $this->getModule('api_config')->getConfig('api');
 108                 Logging::$debug_enabled = (array_key_exists('debug', $config) && $config['debug'] == 1);
 109                 $headers = $this->getRequest()->getHeaders(CASE_LOWER);
 110                 if (array_key_exists('auth_type', $config) && array_key_exists('authorization', $headers) && preg_match('/^\w+ [\w=]+$/', $headers['authorization']) === 1) {
 111                         list($type, $token) = explode(' ', $headers['authorization'], 2);
 112                         if ($config['auth_type'] === 'oauth2' && $type === 'Bearer') {
 113                                 // deleting expired tokens
 114                                 $this->getModule('oauth2_token')->deleteExpiredTokens();
 115
 116                                 $auth = TokenRecord::findByPk($token);
 117                                 if (is_array($auth)) {
 118                                         if ($this->isScopeValid($auth['scope'])) {
 119                                                 // AUTH OK
 120                                                 $is_auth = true;
 121                                                 $this->init_auth($auth);
 122                                         } else {
 123                                                 // Scopes error. Access to not allowed resource
 124                                                 header(OAuth2::HEADER_UNAUTHORIZED);
 125                                                 $url = $this->getRequest()->getUrl()->getPath();
 126                                                 $this->output = AuthorizationError::MSG_ERROR_ACCESS_ATTEMPT_TO_NOT_ALLOWED_RESOURCE .' Endpoint: ' .  $url;
 127                                                 $this->error = AuthorizationError::ERROR_ACCESS_ATTEMPT_TO_NOT_ALLOWED_RESOURCE;
 128                                                 return;
 129
 130                                         }
 131                                 }
 132                         } elseif ($config['auth_type'] === 'basic' && $type === 'Basic') {
 133                                 // AUTH OK
 134                                 $is_auth = true;
 135                         }
 136
 137                 }
 138
 139                 if ($is_auth === false) {
 140                         // Authorization error.
 141                         header(OAuth2::HEADER_UNAUTHORIZED);
 142                         $this->output = AuthorizationError::MSG_ERROR_AUTHORIZATION_TO_API_PROBLEM;
 143                         $this->error = AuthorizationError::ERROR_AUTHORIZATION_TO_API_PROBLEM;
 144                         return;
 145                 }
 146                 try {
 147                         switch($_SERVER['REQUEST_METHOD']) {
 148                                 case self::GET_METHOD: {
 149                                         $this->get();
 150                                         break;
 151                                 }
 152                                 case self::POST_METHOD: {
 153                                         $this->post();
 154                                         break;
 155                                 }
 156                                 case self::PUT_METHOD: {
 157                                         $this->put();
 158                                         break;
 159                                 }
 160                                 case self::DELETE_METHOD: {
 161                                         $this->delete();
 162                                         break;
 163                                 }
 164                         }
 165                 } catch(TException $e) {
 166                         $this->getModule('logging')->log(
 167                                 __FUNCTION__,
 168                                 "Method: {$_SERVER['REQUEST_METHOD']} $e",
 169                                 Logging::CATEGORY_APPLICATION,
 170                                 __FILE__,
 171                                 __LINE__
 172                         );
 173                         if ($e instanceof BException) {
 174                                 $this->output = $e->getErrorMessage();
 175                                 $this->error = $e->getErrorCode();
 176                         } else {
 177                                 $this->output = GenericError::MSG_ERROR_INTERNAL_ERROR . ' ' . $e->getErrorMessage();
 178                                 $this->error = GenericError::ERROR_INTERNAL_ERROR;
 179                         }
 180                 }
 181         }
 182
 183         /**
 184          * Initialize auth parameters.
 185          *
 186          * @param array $auth token params stored in TokenRecord session
 187          * @return none
 188          */
 189         private function init_auth(array $auth) {
 190                 // if client has own bconsole config, assign it here
 191                 if (array_key_exists('bconsole_cfg_path', $auth) && !empty($auth['bconsole_cfg_path'])) {
 192                         Bconsole::setCfgPath($auth['bconsole_cfg_path'], true);
 193                 }
 194         }
 195
 196         /**
 197          * Get request result data and pack it in JSON format.
 198          * JSON values are: {
 199          * "output": (list) output values
 200          * "error" : (integer) result exit code (0 - OK, non-zero - error)
 201          *
 202          * @access private
 203          * @return string JSON value with output and error values
 204          */
 205         private function getOutput() {
 206                 $output = array('output' => $this->output, 'error' => $this->error);
 207                 $this->setOutputHeaders();
 208                 $json = json_encode($output);
 209                 return $json;
 210         }
 211
 212         /**
 213          * Set output headers to send in response.
 214          */
 215         private function setOutputHeaders() {
 216                 $response = $this->getResponse();
 217                 $response->setContentType('application/json');
 218                 $response->appendHeader('Baculum-API-Version: ' . strval(self::API_SERVER_VERSION));
 219         }
 220
 221         /**
 222          * Return action result which was realized in onInit() method.
 223          * On standard output is printed JSON value with request results.
 224          *
 225          * @access public
 226          * @param mixed $params onInit action params
 227          * @return none
 228          */
 229         public function onLoad($params) {
 230                 parent::onLoad($params);
 231                 echo $this->getOutput();
 232         }
 233
 234         /**
 235          * Changing/updating values via API.
 236          *
 237          * @access private
 238          * @return none
 239          */
 240         private function put() {
 241                 $id = $this->Request->contains('id') ? $this->Request['id'] : null;
 242
 243                 /**
 244                  * Check if it is possible to read PUT method data.
 245                  * Note that some clients sends data in PUT request as PHP input stream which
 246                  * is not possible to read by $_REQUEST data. From this reason, when is
 247                  * not possible to ready by superglobal $_REQUEST variable, then is try to
 248                  * read PUT data by PHP input stream.
 249                  */
 250                 if ($this->Request->contains('update') && is_array($this->Request['update']) && count($this->Request['update']) > 0) {
 251                         // $_REQUEST available to read
 252                         $params = (object)$this->Request['update'];
 253                         $this->set($id, $params);
 254                 } else {
 255                         // no possibility to read data from $_REQUEST. Try to load from input stream.
 256                         $inputstr = file_get_contents("php://input");
 257
 258                         /**
 259                          * Read using chunks for case large updates (over 1000 values).
 260                          * Otherwise max_input_vars limitation in php.ini can be reached (usually
 261                          * set to 1000 variables)
 262                          * @see http://php.net/manual/en/info.configuration.php#ini.max-input-vars
 263                          */
 264                         $chunks = explode('&', $inputstr);
 265
 266                         $response_data = array();
 267                         for($i = 0; $i<count($chunks); $i++) {
 268                                 // if chunks would not be used, then here occurs reach max_input_vars limit
 269                                 parse_str($chunks[$i], $response_el);
 270                                 if (is_array($response_el) && array_key_exists('update', $response_el) && is_array($response_el['update'])) {
 271                                         $key = key($response_el['update']);
 272                                         $response_data['update'][$key] = $response_el['update'][$key];
 273                                 }
 274                         }
 275                         if (is_array($response_data) && array_key_exists('update', $response_data)) {
 276                                 $params = (object)$response_data['update'];
 277                                 $this->set($id, $params);
 278                         } else {
 279                                 /**
 280                                  * This case should never occur because it means that there is
 281                                  * given nothing to update.
 282                                  */
 283                                 $params = new stdClass;
 284                                 $this->set($id, $params);
 285                         }
 286                 }
 287         }
 288
 289         /**
 290          * Creating new elements.
 291          *
 292          * @access private
 293          * @return none
 294          */
 295         private function post() {
 296                 $params = new stdClass;
 297                 if ($this->Request->contains('create') && is_array($this->Request['create']) && count($this->Request['create']) > 0) {
 298                         $params = (object)$this->Request['create'];
 299                 }
 300                 $this->create($params);
 301         }
 302
 303         /**
 304          * Deleting element by element ID.
 305          *
 306          * @access private
 307          * @return none
 308          */
 309         private function delete() {
 310                 $id = null;
 311                 if ($this->Request->contains('id')) {
 312                         $id = intval($this->Request['id']);
 313                 }
 314                 $this->remove($id);
 315         }
 316
 317         /**
 318          * Check if request is allowed to access basing on OAuth2 scope.
 319          *
 320          * @access private
 321          * @param string scopes assigned with token
 322          * @return bool true if scope in url and from token are valid, otherwise false
 323          */
 324         private function isScopeValid($scope) {
 325                 $is_valid = false;
 326                 $scopes = explode(' ', $scope);
 327                 $url = $this->getRequest()->getUrl()->getPath();
 328                 $params = explode('/', $url);
 329                 if (count($params) >= 3 && $params[1] === 'api') {
 330                         if (in_array($params[2], $this->public_endpoints)) {
 331                                 $is_valid = true;
 332                         } else {
 333                                 for ($i = 0; $i < count($scopes); $i++) {
 334                                         if ($params[2] === $scopes[$i]) {
 335                                                 $is_valid = true;
 336                                                 break;
 337                                         }
 338                                 }
 339                         }
 340                 }
 341                 return $is_valid;
 342         }
 343
 344         /**
 345          * Shortcut method for getting application modules instances by
 346          * module name.
 347          *
 348          * @access public
 349          * @param string $name application module name
 350          * @return object module class instance
 351          */
 352         public function getModule($name) {
 353                 return $this->Application->getModule($name);
 354         }
 355
 356         /**
 357          * Get Baculum web client version.
 358          *
 359          * @return float client version
 360          */
 361         public function getClientVersion() {
 362                 $version = 0;
 363                 $headers = $this->getRequest()->getHeaders(CASE_LOWER);
 364                 if (array_key_exists('x-baculum-api', $headers)) {
 365                         $version = floatval($headers['x-baculum-api']);
 366                 }
 367                 return $version;
 368         }
 369 }
 370 ?>