<?php
 
/*
 * OIDplus 2.0
 * Copyright 2019 Daniel Marschall, ViaThinkSoft
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 
// ATTENTION: If you change something, please make sure that the changes
//            are synchronous with OIDplusPageAdminAutomatedAJAXCalls
 
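class OIDplusPageRaAutomatedAJAXCalls extends OIDplusPagePluginRa {

        /**
         * Derives the per-user "unlock key" a batch caller has to present
         * in addition to the RA password.
         *
         * The key is a digest over a fixed label, the user name and the
         * SERVER_SECRET base-config value, so only someone who knows the
         * server secret can compute it. It is shown to the RA on the
         * "Automated AJAX calls" page (see gui()) and must be presented before
         * the password is even checked, which limits online password guessing
         * against ajax.php.
         *
         * NOTE(review): when SERVER_SECRET is not configured the fallback is
         * '' and the key depends on the user name alone; the base config has
         * to provide a strong random secret for this check to add anything.
         *
         * @param string $user RA user name (e-mail address)
         * @return string digest as returned by sha3_512() (presumably hex;
         *                gui() embeds it in HTML unescaped)
         */
        private static function getUnlockKey($user) {
                // Do not change the derivation: every key already handed out
                // to RAs would become invalid.
                return sha3_512('ANTI-BRUTEFORCE-AJAX/'.$user.'/'.OIDplus::baseConfig()->getValue('SERVER_SECRET',''));
        }

        // RA user names that init() logged in for the current request only;
        // shutdownLogout() logs them out again when the script ends.
        private $autoLoginList = array();

        /**
         * Logs out every RA that init() logged in for this request.
         *
         * Registered via register_shutdown_function() in init().
         * Attention: Needs to be public, because otherwise register_shutdown_function() won't work
         */
        public function shutdownLogout() {
                foreach ($this->autoLoginList as $username) {
                        OIDplus::authUtils()::raLogout($username);
                }
        }

        /**
         * Performs the one-time batch login when ajax.php is called with the
         * batch_* fields.
         *
         * Order of checks: the caller must present the unlock key for the
         * given user name (compared in constant time), then the RA password.
         * On success the RA is logged in for this request only (session
         * handler in simulate mode) and logged out again at shutdown. Requests
         * for the user name 'admin' are left to
         * OIDplusPageAdminAutomatedAJAXCalls, which has to mirror this logic.
         *
         * @param bool $html not used here; part of the plugin interface
         * @throws OIDplusException if the unlock key or the credentials are wrong
         */
        public function init($html=true) {
                if (!isset($_SERVER['SCRIPT_FILENAME']) || (basename($_SERVER['SCRIPT_FILENAME']) !== 'ajax.php')) return;

                // GET overrides POST here. Credentials sent via GET end up in
                // web server logs, so callers should POST them.
                $input = array_merge($_POST,$_GET);

                if (!isset($input['batch_ajax_unlock_key']) || !isset($input['batch_login_username']) || !isset($input['batch_login_password'])) return;

                // NOTE(review): CSRF protection is switched off before the key
                // and the password are verified. Every failed check below
                // throws, so the request does not proceed, but both calls would
                // fail closed more obviously if they were made after the checks;
                // left in place because the admin case is handled by the sibling
                // plugin and both must stay synchronous.
                originHeaders(); // Allows queries from other domains
                OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token

                $username = $input['batch_login_username'];

                // The admin account is handled by OIDplusPageAdminAutomatedAJAXCalls
                if ($username === 'admin') return;

                $unlockKey = $input['batch_ajax_unlock_key'];
                $password  = $input['batch_login_password'];

                // Request fields may arrive as arrays ("batch_login_username[]=x");
                // such values can never match, so reject them explicitly instead
                // of letting them reach hash_equals() or the password check.
                // hash_equals() gives a constant-time comparison and avoids the
                // numeric-string semantics of a loose != on digest strings.
                if (!is_string($username) || !is_string($unlockKey) || !hash_equals(self::getUnlockKey($username), $unlockKey)) {
                        throw new OIDplusException(_L('Invalid AJAX unlock key'));
                }

                if (!is_string($password) || !OIDplus::authUtils()::raCheckPassword($username, $password)) {
                        throw new OIDplusException(_L('Wrong RA username or password'));
                }

                OIDplus::sesHandler()->simulate = true; // do not change the user session
                OIDplus::authUtils()::raLogin($username);
                $this->autoLoginList[] = $username;
                register_shutdown_function(array($this,'shutdownLogout'));
        }

        /**
         * Loads an example file from ./examples and fills in the placeholders
         * <url>, <username>, <password> and <unlock key>.
         *
         * The password placeholder is never filled with a real value, the
         * unlock key is; the returned text is therefore as confidential as the
         * page itself and has to be HTML-escaped by the caller before output.
         * Placeholders are substituted left to right, in the order listed
         * above.
         *
         * @param string $filename file name below ./examples
         * @param string $ra_email RA user name to insert
         * @return string example text, or '' if the file could not be read
         */
        private static function renderExample($filename, $ra_email) {
                $cont = file_get_contents(__DIR__.'/examples/'.$filename);
                if ($cont === false) return '';

                return str_replace(
                        array('<url>', '<username>', '<password>', '<unlock key>'),
                        array(OIDplus::webpath(null,false).'ajax.php', $ra_email, '.........', self::getUnlockKey($ra_email)),
                        $cont
                );
        }

        /**
         * Renders the "Automated AJAX calls" page for the RA named in $id.
         *
         * $id has the form 'oidplus:automated_ajax_information_ra$<ra-email>'.
         * Only the RA itself or an admin may see the page, because it
         * discloses the RA's unlock key.
         *
         * @param string $id      page id
         * @param array  $out     receives 'title', 'icon' and 'text' (HTML)
         * @param bool   $handled set to true when this plugin handled $id
         */
        public function gui($id, &$out, &$handled) {
                $parts = explode('$',$id);
                if ($parts[0] !== 'oidplus:automated_ajax_information_ra') return;

                $handled = true;

                $ra_email = isset($parts[1]) ? $parts[1] : '';

                $out['title'] = _L('Automated AJAX calls');
                $out['icon'] = file_exists(__DIR__.'/icon_big.png') ? OIDplus::webpath(__DIR__).'icon_big.png' : '';

                if (!OIDplus::authUtils()::isRaLoggedIn($ra_email) && !OIDplus::authUtils()::isAdminLoggedIn()) {
                        $out['icon'] = 'img/error_big.png';
                        $out['text'] = '<p>'._L('You need to <a %1>log in</a> as the requested RA %2 or as admin.',OIDplus::gui()->link('oidplus:login'),'<b>'.htmlentities($ra_email).'</b>').'</p>';
                        return;
                }

                // The caller is expected to pre-fill $out['text']; make sure the
                // appends below do not operate on an undefined index.
                if (!isset($out['text'])) $out['text'] = '';

                $ajaxUrl = OIDplus::webpath(null,false).'ajax.php';

                $out['text'] .= '<p>'._L('You can make automated calls to your OIDplus account by calling the AJAX API.').'</p>';
                $out['text'] .= '<p>'._L('The URL for the AJAX script is:').':</p>';
                $out['text'] .= '<p><b>'.$ajaxUrl.'</b></p>';
                $out['text'] .= '<p>'._L('You must at least provide following fields').':</p>';
                $out['text'] .= '<p><pre>';
                $out['text'] .= 'batch_login_username  = "'.htmlentities($ra_email).'"'."\n";
                $out['text'] .= 'batch_login_password  = "........."'."\n";
                $out['text'] .= 'batch_ajax_unlock_key = "'.self::getUnlockKey($ra_email).'"'."\n";
                $out['text'] .= '</pre></p>';
                $out['text'] .= '<p>'._L('Please keep this information confidential!').'</p>';
                $out['text'] .= '<p>'._L('The batch-fields will automatically perform a one-time-login to fulfill the request. The other fields are the normal fields which are called during the usual operation of OIDplus.').'</p>';
                $out['text'] .= '<p>'._L('Currently, there is no documentation for the AJAX calls. However, you can look at the <b>script.js</b> files of the plugins to see the field names being used. You can also enable network analysis in your web browser debugger (F12) to see the request headers sent to the server during the operation of OIDplus.').'</p>';

                $out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using JavaScript').'</h2>';
                $out['text'] .= '<pre>'.htmlentities(self::renderExample('example_js.html', $ra_email)).'</pre>';

                $out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using PHP (located at a foreign server)').'</h2>';
                // highlight_string() HTML-escapes the source; the <br> tags it
                // emits are stripped because the output is placed inside <pre>.
                $out['text'] .= '<pre>'.preg_replace("@<br.*>@ismU","",highlight_string(self::renderExample('example_php.phps', $ra_email),true)).'</pre>';

                $out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using VBScript').'</h2>';
                $out['text'] .= '<pre>'.htmlentities(self::renderExample('example_vbs.vbs', $ra_email)).'</pre>';
        }

        /**
         * Adds the "Automated AJAX calls" node to the RA's tree.
         *
         * The node is only added when an RA e-mail is given and the viewer is
         * that RA or an admin.
         *
         * @param array       $json     receives the tree node
         * @param string|null $ra_email RA the tree is rendered for
         * @param bool        $nonjs    unused here; part of the plugin interface
         * @param string      $req_goto unused here; part of the plugin interface
         * @return bool true if a node was added
         */
        public function tree(&$json, $ra_email=null, $nonjs=false, $req_goto='') {
                if (!$ra_email) return false;
                if (!OIDplus::authUtils()::isRaLoggedIn($ra_email) && !OIDplus::authUtils()::isAdminLoggedIn()) return false;

                // null selects the default (folder) icon
                $tree_icon = file_exists(__DIR__.'/treeicon.png') ? OIDplus::webpath(__DIR__).'treeicon.png' : null;

                $json[] = array(
                        'id' => 'oidplus:automated_ajax_information_ra$'.$ra_email,
                        'icon' => $tree_icon,
                        'text' => _L('Automated AJAX calls')
                );

                return true;
        }

        /**
         * This plugin contributes nothing to the tree search.
         *
         * @param mixed $request search request (ignored)
         * @return false
         */
        public function tree_search($request) {
                return false;
        }
}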