Bitrix-D7 23.9
 
Загрузка...
Поиск...
Не найдено
auth.php
1<?php
9namespace Bitrix\Rest\APAuth;
10
11use Bitrix\Main\Authentication\ApplicationManager;
12use Bitrix\Main\Authentication\ApplicationPasswordTable;
13use Bitrix\Main\Context;
14use Bitrix\Main\Localization\Loc;
15use Bitrix\Main\Type\DateTime;
16use Bitrix\Main\UserTable;
17use Bitrix\Rest\Engine\Access;
18use Bitrix\Rest\Engine\Access\HoldEntity;
19
20class Auth
21{
22 const AUTH_TYPE = 'apauth';
23
24 protected static $authQueryParams = array(
25 'UID' => 'aplogin', 'PASSWORD' => 'ap',
26 );
27
28 protected static $integrationScope = array('crm', 'telephony', 'imopenlines');
29
30 protected static $scopeCache = array();
31
32 public static function onRestCheckAuth(array $query, $scope, &$res)
33 {
34 $auth = array();
35 foreach(static::$authQueryParams as $key)
36 {
37 if(array_key_exists($key, $query))
38 {
39 $auth[$key] = $query[$key];
40 }
41 }
42
43 if(count($auth) === count(static::$authQueryParams))
44 {
45
46 if(!defined('REST_APAUTH_ALLOW_HTTP') && !Context::getCurrent()->getRequest()->isHttps())
47 {
48 $res = array('error' => 'INVALID_REQUEST', 'error_description' => 'Https required.');
49 return false;
50 }
51
52 $tokenInfo = static::check($auth, $scope);
53
54 if(is_array($tokenInfo))
55 {
56 $error = array_key_exists('error', $tokenInfo);
57
58 if (!$error && HoldEntity::is(HoldEntity::TYPE_WEBHOOK, $auth[static::$authQueryParams['PASSWORD']]))
59 {
60 $tokenInfo = [
61 'error' => 'OVERLOAD_LIMIT',
62 'error_description' => 'REST API is blocked due to overload.'
63 ];
64 $error = true;
65 }
66
67 if (
68 !$error
69 && (
70 !Access::isAvailable()
71 || (
72 Access::needCheckCount()
73 && !Access::isAvailableCount(Access::ENTITY_TYPE_WEBHOOK, $tokenInfo['password_id'])
74 )
75 )
76 )
77 {
78 $tokenInfo = [
79 'error' => 'ACCESS_DENIED',
80 'error_description' => 'REST is available only on commercial plans.'
81 ];
82 $error = true;
83 }
84
85 if(!$error && $tokenInfo['user_id'] > 0)
86 {
87 $tokenInfo['scope'] = implode(',', static::getPasswordScope($tokenInfo['password_id']));
88
89 global $USER;
90 if ($USER instanceof \CUser && $USER->isAuthorized())
91 {
92 if ((int)$USER->GetID() !== (int)$tokenInfo['user_id'])
93 {
94 $tokenInfo = [
95 'error' => 'authorization_error',
96 'error_description' => Loc::getMessage('REST_AP_AUTH_ERROR_LOGOUT_BEFORE'),
97 ];
98 $error = true;
99 }
100 }
101 elseif (!\CRestUtil::makeAuth($tokenInfo))
102 {
103 $tokenInfo = array('error' => 'authorization_error', 'error_description' => 'Unable to authorize user');
104 $error = true;
105 }
106 else
107 {
108 PasswordTable::update($tokenInfo['password_id'], array(
109 'DATE_LOGIN' => new DateTime(),
110 'LAST_IP' => Context::getCurrent()->getRequest()->getRemoteAddress(),
111 ));
112
113 unset($tokenInfo['application_id']);
114 }
115 }
116
117 $res = $tokenInfo;
118
119 $res['parameters_clear'] = static::$authQueryParams;
120 $res['auth_type'] = static::AUTH_TYPE;
121
122 return !$error;
123 }
124
125 return false;
126 }
127
128 return null;
129 }
130
131 protected static function check($auth, $scope)
132 {
133 $result = array('error' => 'INVALID_CREDENTIALS', 'error_description' => 'Invalid request credentials');
134
135 $uid = $auth[static::$authQueryParams['UID']];
136
137 if(strval(intval($uid)) === $uid)
138 {
139 $userInfo = array('ID' => intval($uid));
140 }
141 else
142 {
143 $dbRes = UserTable::getList(array(
144 'filter' => array(
145 '=LOGIN' => $uid,
146 '=ACTIVE' => 'Y',
147 ),
148 'select' => array('ID'),
149 ));
150 $userInfo = $dbRes->fetch();
151 }
152
153 if($userInfo)
154 {
155 $dbRes = PasswordTable::getList(array(
156 'filter' => array(
157 '=USER_ID' => $userInfo['ID'],
158 '=PASSWORD' => $auth[static::$authQueryParams['PASSWORD']],
159 '=ACTIVE' => PasswordTable::ACTIVE,
160 ),
161 'select' => array('ID')
162 ));
163 $passwordInfo = $dbRes->fetch();
164
165 if(!$passwordInfo)
166 {
167 $passwordInfo = static::checkOldPassword($userInfo['ID'], $auth[static::$authQueryParams['PASSWORD']]);
168 }
169
170 if($passwordInfo)
171 {
172 if(static::checkPermission($passwordInfo["ID"], $scope) === true)
173 {
174 $result = array(
175 'user_id' => $userInfo["ID"],
176 'password_id' => $passwordInfo["ID"],
177 );
178 }
179 else
180 {
181 $result = array('error' => 'insufficient_scope', 'error_description' => 'The request requires higher privileges than provided by the webhook token');
182 }
183 }
184 }
185
186 return $result;
187 }
188
189 protected static function checkOldPassword($userId, $password)
190 {
191 $appPassword = ApplicationPasswordTable::findPassword($userId, $password);
192 if($appPassword !== false)
193 {
194 if($appPassword["APPLICATION_ID"] === Application::ID)
195 {
196 $appManager = ApplicationManager::getInstance();
197 if($appManager->checkScope($appPassword["APPLICATION_ID"]) === true)
198 {
199 return static::convertOldPassword($appPassword, $password);
200 }
201 }
202 }
203
204 return false;
205 }
206
207 protected static function convertOldPassword($appPassword, $password)
208 {
209 $dbRes = ApplicationPasswordTable::getById($appPassword['ID']);
210 $oldPassword = $dbRes->fetch();
211 if($oldPassword)
212 {
213 ApplicationPasswordTable::delete($appPassword['ID']);
214 $result = PasswordTable::add(array(
215 'USER_ID' => $oldPassword['USER_ID'],
216 'PASSWORD' => $password,
217 'ACTIVE' => PasswordTable::ACTIVE,
218 'TITLE' => $oldPassword['SYSCOMMENT'],
219 'COMMENT' => $oldPassword['COMMENT'],
220 'DATE_CREATE' => $oldPassword['DATE_CREATE'],
221 'DATE_LOGIN' => $oldPassword['DATE_LOGIN'],
222 'LAST_IP' => $oldPassword['LAST_IP'],
223 ));
224 if($result->isSuccess())
225 {
226 $passwordId = $result->getId();
227
228 foreach(static::$integrationScope as $scope)
229 {
230 PermissionTable::add(array(
231 'PASSWORD_ID' => $passwordId,
232 'PERM' => $scope,
233 ));
234 }
235
236 return array(
237 'ID' => $passwordId,
238 );
239 }
240 }
241
242 return false;
243 }
244
245 protected static function checkPermission($passwordId, $scope)
246 {
247 if($scope === \CRestUtil::GLOBAL_SCOPE)
248 {
249 return true;
250 }
251
252 $scopeList = static::getPasswordScope($passwordId);
253 $scopeList = \Bitrix\Rest\Engine\RestManager::fillAlternativeScope($scope, $scopeList);
254 return in_array($scope, $scopeList);
255 }
256
257 protected static function getPasswordScope($passwordId)
258 {
259 if(!array_key_exists($passwordId, static::$scopeCache))
260 {
261 static::$scopeCache[$passwordId] = array();
262
263 $dbRes = PermissionTable::getList(array(
264 'filter' => array(
265 '=PASSWORD_ID' => $passwordId,
266 ),
267 'select' => array('PERM')
268 ));
269 while($perm = $dbRes->fetch())
270 {
271 static::$scopeCache[$passwordId][] = $perm['PERM'];
272 }
273 }
274
275 return static::$scopeCache[$passwordId];
276 }
277}
Bitrix\Main\Context\getCurrent
static getCurrent()
Definition context.php:241
Bitrix\Main\Localization\Loc\getMessage
static getMessage($code, $replace=null, $language=null)
Definition loc.php:29
Bitrix\Rest\APAuth\Auth\checkOldPassword
static checkOldPassword($userId, $password)
Definition auth.php:189
Bitrix\Rest\APAuth\Auth\check
static check($auth, $scope)
Definition auth.php:131
Bitrix\Rest\APAuth\Auth\$authQueryParams
static $authQueryParams
Definition auth.php:24
Bitrix\Rest\APAuth\Auth\getPasswordScope
static getPasswordScope($passwordId)
Definition auth.php:257
Bitrix\Rest\APAuth\Auth\$integrationScope
static $integrationScope
Definition auth.php:28
Bitrix\Rest\APAuth\Auth\convertOldPassword
static convertOldPassword($appPassword, $password)
Definition auth.php:207
Bitrix\Rest\APAuth\Auth\checkPermission
static checkPermission($passwordId, $scope)
Definition auth.php:245
Bitrix\Rest\APAuth\Auth\onRestCheckAuth
static onRestCheckAuth(array $query, $scope, &$res)
Definition auth.php:32
Bitrix\Rest\Engine\Access\HoldEntity\is
static is(string $type, string $code)
Definition holdentity.php:150
Bitrix\Rest\Engine\Access\isAvailableCount
static isAvailableCount(string $entityType, $entity=0)
Definition access.php:110
Bitrix\Rest\Engine\Access\isAvailable
static isAvailable($app='')
Definition access.php:65