From df9b24b2fcf2c2603380834b289e8460e80a7e5c Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Thu, 4 Mar 2021 01:25:20 -0800
Subject: [PATCH] authx - Allow `civicrm/ajax/rest` to accept auth params akin to `extern/rest.php`
---
 .../Civi/Authx/LegacyRestAuthenticator.php | 42 +++++++++++++++++
 ext/authx/authx.php | 4 ++
 ext/authx/settings/authx.setting.php | 5 ++-
 tests/phpunit/E2E/Extern/AuthxRestTest.php | 45 +++++++++++++++++++
 4 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 ext/authx/Civi/Authx/LegacyRestAuthenticator.php
 create mode 100644 tests/phpunit/E2E/Extern/AuthxRestTest.php
diff --git a/ext/authx/Civi/Authx/LegacyRestAuthenticator.php b/ext/authx/Civi/Authx/LegacyRestAuthenticator.php
new file mode 100644
index 0000000000..aaf37892ca
--- /dev/null
+++ b/ext/authx/Civi/Authx/LegacyRestAuthenticator.php
@@ -0,0 +1,42 @@
+ "FATAL: $message", "is_error" => 1];
+ $r = new Response(200, ['Content-Type' => 'text/javascript'], json_encode($data));
+ \CRM_Utils_System::sendResponse($r);
+ }
+
+ protected function login(AuthenticatorTarget $tgt) {
+ parent::login($tgt);
+ \Civi::dispatcher()->addListener('hook_civicrm_permission_check', function ($e) {
+ if ($e->permission === 'access AJAX API') {
+ $e->granted = TRUE;
+ }
+ });
+ }
+
+}
diff --git a/ext/authx/authx.php b/ext/authx/authx.php
index 25fe959f4c..81b25c11df 100644
--- a/ext/authx/authx.php
+++ b/ext/authx/authx.php
@@ -36,6 +36,10 @@ Civi::dispatcher()->addListener('civi.invoke.auth', function($e) {
 _authx_redact(['_authx']);
 }
 }
+
+ if (count($e->args) > 2 && $e->args[1] === 'ajax' && $e->args[2] === 'rest' && (!empty($_REQUEST['api_key']) || !empty($_REQUEST['key']))) {
+ return (new \Civi\Authx\LegacyRestAuthenticator())->auth($e, ['flow' => 'legacyrest', 'cred' => 'Bearer ' . $_REQUEST['api_key'] ?? '', 'siteKey' => $_REQUEST['key'] ?? NULL]);
+ }
 });
 /**
diff --git a/ext/authx/settings/authx.setting.php b/ext/authx/settings/authx.setting.php
index 81ed26587c..4745d06e45 100644
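Review bot: In ext/authx/Civi/Authx/LegacyRestAuthenticator.php, `login()` registers a `hook_civicrm_permission_check` listener that grants 'access AJAX API' without any comment explaining why, and the closure does not look at `$tgt`: once it is added, every later check for that permission in the request is granted regardless of which contact the check is about. If the intent is parity with `extern/rest.php` (presumably that entry point never required the permission), state it above the listener, e.g. `// Legacy REST clients authenticate with site key + api_key and were never required to hold 'access AJAX API'; grant it for the rest of this request only.` The top of the file, including the start of `reject()`, is missing from the visible hunk, so a class docblock may already cover part of this.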
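Review bot: In the ext/authx/authx.php hunk, `'Bearer ' . $_REQUEST['api_key'] ?? ''` does not behave as it reads, because `.` binds tighter than `??`: the fallback applies to the already-concatenated string and never fires. A request to `civicrm/ajax/rest` that carries only `key` still satisfies the `!empty(...)` condition, reads an undefined `$_REQUEST['api_key']` (raising a PHP notice or warning) and hands the authenticator the credential `Bearer ` with nothing after it. Parenthesise the fallback, `'cred' => 'Bearer ' . ($_REQUEST['api_key'] ?? ''),`, or require both parameters in the condition. The listener closure starts above the hunk, where the existing flow calls `_authx_redact(['_authx'])`; whether `api_key` and `key` receive the same redaction is not visible here and is worth confirming.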
--- a/ext/authx/settings/authx.setting.php
+++ b/ext/authx/settings/authx.setting.php
@@ -17,7 +17,7 @@ use CRM_Authx_ExtensionUtil as E;
 * @copyright CiviCRM LLC https://civicrm.org/licensing
 */
 $_authx_settings = function() {
- $flows = ['param', 'header', 'xheader', 'login', 'auto', 'script', 'pipe'];
+ $flows = ['param', 'header', 'xheader', 'login', 'auto', 'script', 'pipe', 'legacyrest'];
 $basic = [
 'group_name' => 'CiviCRM Preferences',
 'group' => 'authx',
@@ -77,6 +77,9 @@ $_authx_settings = function() {
 ];
 }
+ // Override defaults for a few specific elements
+ $s['authx_legacyrest_cred']['default'] = ['jwt', 'api_key'];
+ $s['authx_legacyrest_user']['default'] = 'require';
 $s['authx_param_cred']['default'] = ['jwt', 'api_key'];
 $s['authx_header_cred']['default'] = ['jwt', 'api_key'];
 $s['authx_xheader_cred']['default'] = ['jwt', 'api_key'];
diff --git a/tests/phpunit/E2E/Extern/AuthxRestTest.php b/tests/phpunit/E2E/Extern/AuthxRestTest.php
new file mode 100644
index 0000000000..ef38cad1fd
--- /dev/null
+++ b/tests/phpunit/E2E/Extern/AuthxRestTest.php
@@ -0,0 +1,45 @@
+install(['authx'])
+ ->callback(
+ function() {
+ \CRM_Utils_System::synchronizeUsers();
+ },
+ 'synchronizeUsers'
+ )
+ ->apply();
+ }
+
+ protected function getRestUrl() {
+ return CRM_Utils_System::url('civicrm/ajax/rest', NULL, TRUE, NULL, FALSE, TRUE);
+ }
+
+ public function apiTestCases() {
+ $r = parent::apiTestCases();
+ $r = array_filter($r, function($case) {
+ // The 'civicrm/ajax/rest' end-point does not support '?q' inputs.
+ return !isset($case[0]['q']);
+ });
+ return $r;
+ }
+
+}
--
2.25.1
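Review bot: In the second hunk of ext/authx/settings/authx.setting.php, the new `legacyrest` flow is given a non-empty credential default (`['jwt', 'api_key']`), yet the comment above it only says that defaults are overridden. Someone reading the settings file cannot tell that this appears to make `civicrm/ajax/rest` accept `api_key`/`key` request parameters out of the box wherever authx is enabled, or why `authx_legacyrest_user` is set to `'require'`. A comment such as `// legacyrest mirrors extern/rest.php and is enabled by default for backward compatibility; the credential must resolve to a user account` (wording to be confirmed against the setting's documented values) would make the exposure explicit. The closure body continues outside the hunk.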
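Review bot: In tests/phpunit/E2E/Extern/AuthxRestTest.php, the visible part of the class only reuses the parent's cases minus the `?q` ones and adds no case of its own for the request shapes the new listener in authx.php accepts. A request with `key` but no `api_key`, and one with a wrong `key`, are the inputs most likely to reach `LegacyRestAuthenticator::reject()`, and the first of them also exercises the `'Bearer ' . $_REQUEST['api_key'] ?? ''` expression. The class header and the parent's cases were lost from the visible text, so these may already be covered there; if they are not, add a case asserting that both requests return `is_error` = 1 and run no API call.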