| 1 | <?php |
| 2 | /* |
| 3 | +--------------------------------------------------------------------+ |
| 4 | | CiviCRM version 4.7 | |
| 5 | +--------------------------------------------------------------------+ |
| 6 | | Copyright CiviCRM LLC (c) 2004-2015 | |
| 7 | +--------------------------------------------------------------------+ |
| 8 | | This file is a part of CiviCRM. | |
| 9 | | | |
| 10 | | CiviCRM is free software; you can copy, modify, and distribute it | |
| 11 | | under the terms of the GNU Affero General Public License | |
| 12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | |
| 13 | | | |
| 14 | | CiviCRM is distributed in the hope that it will be useful, but | |
| 15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | |
| 17 | | See the GNU Affero General Public License for more details. | |
| 18 | | | |
| 19 | | You should have received a copy of the GNU Affero General Public | |
| 20 | | License and the CiviCRM Licensing Exception along | |
| 21 | | with this program; if not, contact CiviCRM LLC | |
| 22 | | at info[AT]civicrm[DOT]org. If you have questions about the | |
| 23 | | GNU Affero General Public License or the licensing of CiviCRM, | |
| 24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | |
| 25 | +--------------------------------------------------------------------+ |
| 26 | */ |
| 27 | namespace Civi\API\Subscriber; |
| 28 | |
| 29 | use Civi\API\Events; |
| 30 | use Civi\API\Event\AuthorizeEvent; |
| 31 | use Civi\API\Event\RespondEvent; |
| 32 | use Civi\API\WhitelistRule; |
| 33 | use Symfony\Component\EventDispatcher\EventSubscriberInterface; |
| 34 | |
| 35 | /** |
| 36 | * The WhitelistSubscriber listens to API requests and matches them against |
| 37 | * a whitelist of allowed API calls. If an API call does NOT appear in the |
| 38 | * whitelist, then it generates an error. |
| 39 | * |
| 40 | * @package Civi |
| 41 | * @copyright CiviCRM LLC (c) 2004-2015 |
| 42 | */ |
| 43 | class WhitelistSubscriber implements EventSubscriberInterface { |
| 44 | |
| 45 | /** |
| 46 | * @return array |
| 47 | */ |
| 48 | public static function getSubscribedEvents() { |
| 49 | return array( |
| 50 | Events::AUTHORIZE => array('onApiAuthorize', Events::W_EARLY), |
| 51 | Events::RESPOND => array('onApiRespond', Events::W_MIDDLE), |
| 52 | ); |
| 53 | } |
| 54 | |
| 55 | /** |
| 56 | * Array(WhitelistRule). |
| 57 | * |
| 58 | * @var array |
| 59 | */ |
| 60 | protected $rules; |
| 61 | |
| 62 | /** |
| 63 | * Array (scalar $reqId => WhitelistRule $rule). |
| 64 | * |
| 65 | * @var array |
| 66 | */ |
| 67 | protected $activeRules; |
| 68 | |
| 69 | /** |
| 70 | * @param array $rules |
| 71 | * Array of WhitelistRule. |
| 72 | * @see WhitelistRule |
| 73 | */ |
| 74 | public function __construct($rules) { |
| 75 | $this->rules = array(); |
| 76 | foreach ($rules as $rule) { |
| 77 | /** @var WhitelistRule $rule */ |
| 78 | if ($rule->isValid()) { |
| 79 | $this->rules[] = $rule; |
| 80 | } |
| 81 | else { |
| 82 | throw new \CRM_Core_Exception("Invalid rule"); |
| 83 | } |
| 84 | } |
| 85 | } |
| 86 | |
| 87 | /** |
| 88 | * Determine which, if any, whitelist rules apply this request. |
| 89 | * Reject unauthorized requests. |
| 90 | * |
| 91 | * @param AuthorizeEvent $event |
| 92 | * @throws \CRM_Core_Exception |
| 93 | */ |
| 94 | public function onApiAuthorize(AuthorizeEvent $event) { |
| 95 | $apiRequest = $event->getApiRequest(); |
| 96 | if (empty($apiRequest['params']['check_permissions']) || $apiRequest['params']['check_permissions'] !== 'whitelist') { |
| 97 | return; |
| 98 | } |
| 99 | foreach ($this->rules as $rule) { |
| 100 | if (TRUE === $rule->matches($apiRequest)) { |
| 101 | $this->activeRules[$apiRequest['id']] = $rule; |
| 102 | return; |
| 103 | } |
| 104 | } |
| 105 | throw new \CRM_Core_Exception('The request does not match any active API authorizations.'); |
| 106 | } |
| 107 | |
| 108 | /** |
| 109 | * Apply any filtering rules based on the chosen whitelist rule. |
| 110 | * @param RespondEvent $event |
| 111 | */ |
| 112 | public function onApiRespond(RespondEvent $event) { |
| 113 | $apiRequest = $event->getApiRequest(); |
| 114 | $id = $apiRequest['id']; |
| 115 | if (isset($this->activeRules[$id])) { |
| 116 | $event->setResponse($this->activeRules[$id]->filter($apiRequest, $event->getResponse())); |
| 117 | unset($this->activeRules[$id]); |
| 118 | } |
| 119 | } |
| 120 | |
| 121 | } |