Commit | Line | Data |
---|---|---|
66ea2662 TO |
1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
fee14197 | 4 | | CiviCRM version 5 | |
66ea2662 | 5 | +--------------------------------------------------------------------+ |
f299f7db | 6 | | Copyright CiviCRM LLC (c) 2004-2020 | |
66ea2662 TO |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | namespace Civi\API\Subscriber; | |
28 | ||
29 | use Civi\API\Events; | |
30 | use Civi\API\Event\AuthorizeEvent; | |
31 | use Civi\API\Event\RespondEvent; | |
66ea2662 TO |
32 | use Symfony\Component\EventDispatcher\EventSubscriberInterface; |
33 | ||
34 | /** | |
35 | * The WhitelistSubscriber listens to API requests and matches them against | |
36 | * a whitelist of allowed API calls. If an API call does NOT appear in the | |
37 | * whitelist, then it generates an error. | |
38 | * | |
39 | * @package Civi | |
ca5cec67 | 40 | * @copyright CiviCRM LLC https://civicrm.org/licensing |
66ea2662 TO |
41 | */ |
42 | class WhitelistSubscriber implements EventSubscriberInterface { | |
43 | ||
44 | /** | |
45 | * @return array | |
46 | */ | |
47 | public static function getSubscribedEvents() { | |
c64f69d9 CW |
48 | return [ |
49 | Events::AUTHORIZE => ['onApiAuthorize', Events::W_EARLY], | |
50 | Events::RESPOND => ['onApiRespond', Events::W_MIDDLE], | |
51 | ]; | |
66ea2662 TO |
52 | } |
53 | ||
54 | /** | |
55 | * Array(WhitelistRule). | |
56 | * | |
57 | * @var array | |
58 | */ | |
59 | protected $rules; | |
60 | ||
61 | /** | |
62 | * Array (scalar $reqId => WhitelistRule $rule). | |
63 | * | |
64 | * @var array | |
65 | */ | |
66 | protected $activeRules; | |
67 | ||
68 | /** | |
69 | * @param array $rules | |
70 | * Array of WhitelistRule. | |
71 | * @see WhitelistRule | |
066c4638 | 72 | * @throws \CRM_Core_Exception |
66ea2662 TO |
73 | */ |
74 | public function __construct($rules) { | |
c64f69d9 | 75 | $this->rules = []; |
66ea2662 | 76 | foreach ($rules as $rule) { |
34f3bbd9 | 77 | /** @var \Civi\API\WhitelistRule $rule */ |
66ea2662 TO |
78 | if ($rule->isValid()) { |
79 | $this->rules[] = $rule; | |
80 | } | |
81 | else { | |
82 | throw new \CRM_Core_Exception("Invalid rule"); | |
83 | } | |
84 | } | |
85 | } | |
86 | ||
87 | /** | |
88 | * Determine which, if any, whitelist rules apply this request. | |
89 | * Reject unauthorized requests. | |
90 | * | |
34f3bbd9 | 91 | * @param \Civi\API\Event\AuthorizeEvent $event |
66ea2662 TO |
92 | * @throws \CRM_Core_Exception |
93 | */ | |
94 | public function onApiAuthorize(AuthorizeEvent $event) { | |
95 | $apiRequest = $event->getApiRequest(); | |
96 | if (empty($apiRequest['params']['check_permissions']) || $apiRequest['params']['check_permissions'] !== 'whitelist') { | |
97 | return; | |
98 | } | |
99 | foreach ($this->rules as $rule) { | |
100 | if (TRUE === $rule->matches($apiRequest)) { | |
101 | $this->activeRules[$apiRequest['id']] = $rule; | |
102 | return; | |
103 | } | |
104 | } | |
105 | throw new \CRM_Core_Exception('The request does not match any active API authorizations.'); | |
106 | } | |
107 | ||
108 | /** | |
109 | * Apply any filtering rules based on the chosen whitelist rule. | |
34f3bbd9 | 110 | * @param \Civi\API\Event\RespondEvent $event |
66ea2662 TO |
111 | */ |
112 | public function onApiRespond(RespondEvent $event) { | |
113 | $apiRequest = $event->getApiRequest(); | |
114 | $id = $apiRequest['id']; | |
115 | if (isset($this->activeRules[$id])) { | |
116 | $event->setResponse($this->activeRules[$id]->filter($apiRequest, $event->getResponse())); | |
117 | unset($this->activeRules[$id]); | |
118 | } | |
119 | } | |
120 | ||
121 | } |