API.php 5.94 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93
<?php
/**
 *    Copyright (C) 2015 Deciso B.V.
 *
 *    All rights reserved.
 *
 *    Redistribution and use in source and binary forms, with or without
 *    modification, are permitted provided that the following conditions are met:
 *
 *    1. Redistributions of source code must retain the above copyright notice,
 *       this list of conditions and the following disclaimer.
 *
 *    2. Redistributions in binary form must reproduce the above copyright
 *       notice, this list of conditions and the following disclaimer in the
 *       documentation and/or other materials provided with the distribution.
 *
 *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
 *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 *    POSSIBILITY OF SUCH DAMAGE.
 *
 */

namespace OPNsense\Auth;

use OPNsense\Core\Config;

/**
 * Class API key/secret database connector (connect to legacy xml structure).
 * @package OPNsense\Auth
 */
class API implements IAuthConnector
{
    /**
     * @var array internal list of authentication properties
     */
    private $lastAuthProperties = array();

    /**
     * set connector properties
     * @param array $config connection properties
     */
    public function setProperties($config)
    {
        // local api authenticator doesn't use any additional settings.
    }

    /**
     * unused
     * @return array mixed named list of authentication properties
     */
    public function getLastAuthProperties()
    {
        return $this->lastAuthProperties;
    }


    /**
     * generate a new api key for an existing user
     * @param $username username
     * @return array|null apikey/secret pair
     */
    public function createKey($username)
    {
        $configObj = Config::getInstance()->object();
        foreach ($configObj->system->children() as $key => $value) {
            if ($key == 'user' && (string)$username == (string)$value->name) {
                if (!isset($value->apikeys)) {
                    $apikeys = $value->addChild('apikeys');
                } else {
                    $apikeys = $value->apikeys;
                }
                $item = $apikeys->addChild('item');

                $newKey = base64_encode(openssl_random_pseudo_bytes(60));
                $newSecret = base64_encode(openssl_random_pseudo_bytes(60));

                $item->addChild('key', $newKey);
                $item->addChild('secret', crypt($newSecret, '$6$'));
                Config::getInstance()->save();
                $response = array('key' => $newKey, 'secret' => $newSecret);
                return $response;
            }
        }
        return null;
    }

94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120
    /**
     * remove user api key
     * @param string $username username
     * @param string $apikey api key
     * @return bool key found
     */
    public function dropKey($username, $apikey)
    {
        $configObj = Config::getInstance()->object();
        foreach ($configObj->system->children() as $key => $value) {
            if ($key == 'user' && (string)$username == (string)$value->name) {
                if (isset($value->apikeys)) {
                    $indx=0;
                    foreach ($value->apikeys->children() as $apiNodeId => $apiNode) {
                        if ($apiNodeId == 'item' && (string)$apiNode->key == $apikey) {
                            unset($value->apikeys->item[$indx]);
                            Config::getInstance()->save();
                            return true;
                        }
                        $indx++;
                    }
                }
            }
        }
        return false;
    }

121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172
    /**
     * authenticate user against local database (in config.xml)
     * @param string $username username to authenticate
     * @param string $password user password
     * @return bool authentication status
     */
    public function authenticate($username, $password)
    {
        // reset auth properties
        $this->lastAuthProperties = array();

        // search local user in database
        $configObj = Config::getInstance()->object();
        $userObject = null;
        $apiKey = null;
        $apiSecret = null;
        foreach ($configObj->system->children() as $key => $value) {
            if ($key == 'user') {
                if (!empty($value->apikeys)) {
                    foreach ($value->apikeys->children() as $apikey) {
                        if (!empty($apikey->key) &&  (string)$apikey->key == $username) {
                            // api key found, stop search
                            $userObject = $value;
                            $apiSecret = (string)$apikey->secret;
                            break;
                        }
                    }
                }
            }
        }

        if ($userObject != null) {
            if (isset($userObject->disabled)) {
                // disabled user
                return false;
            }
            if (!empty($userObject->expires)
                && strtotime("-1 day") > strtotime(date("m/d/Y", strtotime((string)$userObject->expires)))) {
                // expired user
                return false;
            }
            $passwd = crypt($password, $apiSecret);
            if ($passwd == $apiSecret) {
                // password ok, return successfully authentication
                $this->lastAuthProperties['username'] = (string)$userObject->name;
                return true;
            }
        }

        return false;
    }
}