Commit | Line | Data |
---|---|---|
7946d659 TO |
1 | <?php |
2 | ||
3 | require_once 'authx.civix.php'; | |
4 | // phpcs:disable | |
5 | use CRM_Authx_ExtensionUtil as E; | |
6 | // phpcs:enable | |
7 | ||
3a429e3f | 8 | Civi::dispatcher()->addListener('civi.invoke.auth', function($e) { |
476ba2b9 TO |
9 | $params = ($_SERVER['REQUEST_METHOD'] === 'GET') ? $_GET : $_POST; |
10 | $siteKey = $_SERVER['HTTP_X_CIVI_KEY'] ?? $params['_authxSiteKey'] ?? NULL; | |
11 | ||
3a429e3f | 12 | if (!empty($_SERVER['HTTP_X_CIVI_AUTH'])) { |
476ba2b9 | 13 | return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'xheader', 'cred' => $_SERVER['HTTP_X_CIVI_AUTH'], 'siteKey' => $siteKey]); |
3a429e3f TO |
14 | } |
15 | ||
19a3491b | 16 | if (!empty($_SERVER['HTTP_AUTHORIZATION']) && !empty(Civi::settings()->get('authx_header_cred'))) { |
476ba2b9 | 17 | return (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'header', 'cred' => $_SERVER['HTTP_AUTHORIZATION'], 'siteKey' => $siteKey]); |
3a429e3f TO |
18 | } |
19 | ||
3a429e3f TO |
20 | if (!empty($params['_authx'])) { |
21 | if ((implode('/', $e->args) === 'civicrm/authx/login')) { | |
476ba2b9 | 22 | (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'login', 'cred' => $params['_authx'], 'useSession' => TRUE, 'siteKey' => $siteKey]); |
3a429e3f TO |
23 | _authx_redact(['_authx']); |
24 | } | |
25 | elseif (!empty($params['_authxSes'])) { | |
476ba2b9 | 26 | (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'auto', 'cred' => $params['_authx'], 'useSession' => TRUE, 'siteKey' => $siteKey]); |
a196e838 TO |
27 | if ($_SERVER['REQUEST_METHOD'] === 'GET') { |
28 | _authx_reload(implode('/', $e->args), $_SERVER['QUERY_STRING']); | |
29 | } | |
30 | else { | |
31 | _authx_redact(['_authx', '_authxSes']); | |
32 | } | |
3a429e3f TO |
33 | } |
34 | else { | |
476ba2b9 | 35 | (new \Civi\Authx\Authenticator())->auth($e, ['flow' => 'param', 'cred' => $params['_authx'], 'siteKey' => $siteKey]); |
3a429e3f TO |
36 | _authx_redact(['_authx']); |
37 | } | |
38 | } | |
df9b24b2 | 39 | |
8d5feabb TO |
40 | // Accept legacy auth (?key=...&api_key=...) for 'civicrm/ajax/rest' and 'civicrm/ajax/api4/*'. |
41 | // The use of `?key=` could clash on some endpoints. Only accept on a small list of endpoints that are compatible with it. | |
42 | if (count($e->args) > 2 && $e->args[1] === 'ajax' && in_array($e->args[2], ['rest', 'api4'])) { | |
43 | if ((!empty($_REQUEST['api_key']) || !empty($_REQUEST['key']))) { | |
44 | return (new \Civi\Authx\LegacyRestAuthenticator())->auth($e, ['flow' => 'legacyrest', 'cred' => 'Bearer ' . $_REQUEST['api_key'] ?? '', 'siteKey' => $_REQUEST['key'] ?? NULL]); | |
45 | } | |
df9b24b2 | 46 | } |
3a429e3f TO |
47 | }); |
48 | ||
97209e61 TO |
49 | /** |
50 | * Perform a system login. | |
51 | * | |
52 | * This is useful for backend scripts that need to switch to a specific user. | |
53 | * | |
54 | * As needed, this will update the Civi session and CMS data. | |
55 | * | |
56 | * @param array{flow: ?string, useSession: ?bool, principal: ?array, cred: ?string,} $details | |
57 | * Describe the authentication process with these properties: | |
58 | * | |
59 | * - string $flow (default 'script'); | |
60 | * The type of authentication flow being used | |
61 | * Ex: 'param', 'header', 'auto' | |
62 | * - bool $useSession (default FALSE) | |
63 | * If TRUE, then the authentication should be persistent (in a session variable). | |
64 | * If FALSE, then the authentication should be ephemeral (single page-request). | |
65 | * | |
66 | * And then ONE of these properties to describe the user/principal: | |
67 | * | |
68 | * - string $cred | |
69 | * The credential, as formatted in the 'Authorization' header. | |
70 | * Ex: 'Bearer 12345', 'Basic ASDFFDSA==' | |
71 | * - array $principal | |
72 | * Description of a validated principal. | |
73 | * Must include 'contactId', 'userId', xor 'user' | |
74 | * @return array{contactId: int, userId: ?int, flow: string, credType: string, useSession: bool} | |
75 | * An array describing the authenticated session. | |
76 | * @throws \Civi\Authx\AuthxException | |
77 | */ | |
78 | function authx_login(array $details): array { | |
79 | $defaults = ['flow' => 'script', 'useSession' => FALSE]; | |
80 | $details = array_merge($defaults, $details); | |
81 | $auth = new \Civi\Authx\Authenticator(); | |
82 | $auth->setRejectMode('exception'); | |
83 | $auth->auth(NULL, array_merge($defaults, $details)); | |
84 | return \CRM_Core_Session::singleton()->get("authx"); | |
85 | } | |
86 | ||
3a429e3f TO |
87 | /** |
88 | * @return \Civi\Authx\AuthxInterface | |
89 | */ | |
90 | function _authx_uf() { | |
91 | $class = 'Civi\\Authx\\' . CIVICRM_UF; | |
92 | return class_exists($class) ? new $class() : new \Civi\Authx\None(); | |
93 | } | |
94 | ||
95 | /** | |
96 | * For parameter-based authentication, this option will hide parameters. | |
97 | * This is mostly a precaution, hedging against the possibility that some routes | |
98 | * make broad use of $_GET or $_PARAMS. | |
99 | * | |
100 | * @param array $keys | |
101 | */ | |
102 | function _authx_redact(array $keys) { | |
103 | foreach ($keys as $key) { | |
104 | unset($_POST[$key], $_GET[$key], $_REQUEST[$key]); | |
105 | } | |
106 | } | |
107 | ||
a196e838 TO |
108 | /** |
109 | * Reload the current page-view. | |
110 | * | |
111 | * @param string $route | |
112 | * @param string $queryString | |
113 | */ | |
114 | function _authx_reload($route, $queryString) { | |
115 | parse_str($queryString, $query); | |
116 | foreach (array_keys($query) as $key) { | |
117 | if (CRM_Utils_String::startsWith($key, '_authx')) { | |
118 | unset($query[$key]); | |
119 | } | |
120 | } | |
121 | $url = CRM_Utils_System::url($route, $query, TRUE, NULL, FALSE, CRM_Core_Config::singleton()->userSystem->isFrontEndPage()); | |
122 | CRM_Utils_System::redirect($url); | |
123 | } | |
124 | ||
7946d659 TO |
125 | /** |
126 | * Implements hook_civicrm_config(). | |
127 | * | |
128 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config/ | |
129 | */ | |
130 | function authx_civicrm_config(&$config) { | |
131 | _authx_civix_civicrm_config($config); | |
132 | } | |
133 | ||
7946d659 TO |
134 | /** |
135 | * Implements hook_civicrm_install(). | |
136 | * | |
137 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_install | |
138 | */ | |
139 | function authx_civicrm_install() { | |
140 | _authx_civix_civicrm_install(); | |
2a62e03c | 141 | |
7946d659 TO |
142 | } |
143 | ||
144 | /** | |
145 | * Implements hook_civicrm_postInstall(). | |
146 | * | |
147 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_postInstall | |
148 | */ | |
149 | function authx_civicrm_postInstall() { | |
150 | _authx_civix_civicrm_postInstall(); | |
151 | } | |
152 | ||
153 | /** | |
154 | * Implements hook_civicrm_uninstall(). | |
155 | * | |
156 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_uninstall | |
157 | */ | |
158 | function authx_civicrm_uninstall() { | |
159 | _authx_civix_civicrm_uninstall(); | |
160 | } | |
161 | ||
162 | /** | |
163 | * Implements hook_civicrm_enable(). | |
164 | * | |
165 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable | |
166 | */ | |
167 | function authx_civicrm_enable() { | |
168 | _authx_civix_civicrm_enable(); | |
2a62e03c TO |
169 | // If the system is already using HTTP `Authorization:` headers before installation/re-activation, then |
170 | // it's probably an extra/independent layer of security. | |
171 | // Only activate support for `Authorization:` if this looks like a clean/amenable environment. | |
172 | // @link https://github.com/civicrm/civicrm-core/pull/22837 | |
173 | if (empty($_SERVER['HTTP_AUTHORIZATION']) && NULL === Civi::settings()->getExplicit('authx_header_cred')) { | |
174 | Civi::settings()->set('authx_header_cred', ['jwt', 'api_key']); | |
175 | } | |
7946d659 TO |
176 | } |
177 | ||
178 | /** | |
179 | * Implements hook_civicrm_disable(). | |
180 | * | |
181 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_disable | |
182 | */ | |
183 | function authx_civicrm_disable() { | |
184 | _authx_civix_civicrm_disable(); | |
185 | } | |
186 | ||
187 | /** | |
188 | * Implements hook_civicrm_upgrade(). | |
189 | * | |
190 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_upgrade | |
191 | */ | |
192 | function authx_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) { | |
193 | return _authx_civix_civicrm_upgrade($op, $queue); | |
194 | } | |
195 | ||
7946d659 TO |
196 | /** |
197 | * Implements hook_civicrm_entityTypes(). | |
198 | * | |
199 | * Declare entity types provided by this module. | |
200 | * | |
201 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_entityTypes | |
202 | */ | |
203 | function authx_civicrm_entityTypes(&$entityTypes) { | |
204 | _authx_civix_civicrm_entityTypes($entityTypes); | |
205 | } | |
206 | ||
476ba2b9 TO |
207 | /** |
208 | * Implements hook_civicrm_permission(). | |
209 | * | |
210 | * @see CRM_Utils_Hook::permission() | |
211 | */ | |
212 | function authx_civicrm_permission(&$permissions) { | |
27212330 | 213 | $permissions['authenticate with password'] = E::ts('AuthX: Authenticate to services with password'); |
214 | $permissions['authenticate with api key'] = E::ts('AuthX: Authenticate to services with API key'); | |
476ba2b9 TO |
215 | } |
216 | ||
7946d659 TO |
217 | // --- Functions below this ship commented out. Uncomment as required. --- |
218 | ||
219 | /** | |
220 | * Implements hook_civicrm_preProcess(). | |
221 | * | |
222 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_preProcess | |
223 | */ | |
224 | //function authx_civicrm_preProcess($formName, &$form) { | |
225 | // | |
226 | //} | |
227 | ||
228 | /** | |
229 | * Implements hook_civicrm_navigationMenu(). | |
230 | * | |
231 | * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_navigationMenu | |
232 | */ | |
233 | //function authx_civicrm_navigationMenu(&$menu) { | |
234 | // _authx_civix_insert_navigation_menu($menu, 'Mailings', array( | |
235 | // 'label' => E::ts('New subliminal message'), | |
236 | // 'name' => 'mailing_subliminal_message', | |
237 | // 'url' => 'civicrm/mailing/subliminal', | |
238 | // 'permission' => 'access CiviMail', | |
239 | // 'operator' => 'OR', | |
240 | // 'separator' => 0, | |
241 | // )); | |
242 | // _authx_civix_navigationMenu($menu); | |
243 | //} |