WebSVN – oidplus – Blame – /trunk/plugins/raPages/910_automated_ajax_calls/OIDplusPageRaAutomatedAJAXCalls.class.php

Rev	Author	Line No.	Line
329	daniel-mar	1	<?php
		2
		3	/*
		4	* OIDplus 2.0
511	daniel-mar	5	* Copyright 2019 - 2021 Daniel Marschall, ViaThinkSoft
329	daniel-mar	6	*
		7	* Licensed under the Apache License, Version 2.0 (the "License");
		8	* you may not use this file except in compliance with the License.
		9	* You may obtain a copy of the License at
		10	*
		11	* http://www.apache.org/licenses/LICENSE-2.0
		12	*
		13	* Unless required by applicable law or agreed to in writing, software
		14	* distributed under the License is distributed on an "AS IS" BASIS,
		15	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		16	* See the License for the specific language governing permissions and
		17	* limitations under the License.
		18	*/
		19
		20	// ATTENTION: If you change something, please make sure that the changes
		21	// are synchronous with OIDplusPageAdminAutomatedAJAXCalls
		22
511	daniel-mar	23	if (!defined('INSIDE_OIDPLUS')) die();
		24
329	daniel-mar	25	class OIDplusPageRaAutomatedAJAXCalls extends OIDplusPagePluginRa {
		26
		27	private static function getUnlockKey($user) {
		28	// This key prevents that the system gets hacked with brute
		29	// force of the user passwords.
392	daniel-mar	30	return sha3_512('ANTI-BRUTEFORCE-AJAX/'.$user.'/'.OIDplus::baseConfig()->getValue('SERVER_SECRET',''));
329	daniel-mar	31	}
		32
		33	private $autoLoginList = array();
		34
424	daniel-mar	35	// Attention: Needs to be public, because otherwise register_shutdown_function() won't work
		36	public function shutdownLogout() {
329	daniel-mar	37	foreach ($this->autoLoginList as $username) {
		38	OIDplus::authUtils()::raLogout($username);
		39	}
		40	}
		41
		42	public function init($html=true) {
		43	if (isset($_SERVER['SCRIPT_FILENAME']) && (basename($_SERVER['SCRIPT_FILENAME']) == 'ajax.php')) {
		44	$input = array_merge($_POST,$_GET);
		45
426	daniel-mar	46	if (isset($input['batch_ajax_unlock_key']) && isset($input['batch_login_username']) && isset($input['batch_login_password'])) {
		47	originHeaders(); // Allows queries from other domains
		48	OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token
329	daniel-mar	49
426	daniel-mar	50	if ($input['batch_login_username'] != 'admin') {
		51	if ($input['batch_ajax_unlock_key'] != self::getUnlockKey($input['batch_login_username'])) {
		52	throw new OIDplusException(_L('Invalid AJAX unlock key'));
		53	}
424	daniel-mar	54
426	daniel-mar	55	if (OIDplus::authUtils()::raCheckPassword($input['batch_login_username'], $input['batch_login_password'])) {
		56	OIDplus::sesHandler()->simulate = true; // do not change the user session
		57	OIDplus::authUtils()::raLogin($input['batch_login_username']);
		58	$this->autoLoginList[] = $input['batch_login_username'];
		59	register_shutdown_function(array($this,'shutdownLogout'));
		60	} else {
		61	throw new OIDplusException(_L('Wrong RA username or password'));
		62	}
		63	}
329	daniel-mar	64	}
		65	}
		66	}
		67
		68	public function gui($id, &$out, &$handled) {
		69	if (explode('$',$id)[0] == 'oidplus:automated_ajax_information_ra') {
		70	$handled = true;
		71
		72	$ra_email = explode('$',$id)[1];
		73
360	daniel-mar	74	$out['title'] = _L('Automated AJAX calls');
329	daniel-mar	75	$out['icon'] = file_exists(__DIR__.'/icon_big.png') ? OIDplus::webpath(__DIR__).'icon_big.png' : '';
		76
		77	if (!OIDplus::authUtils()::isRaLoggedIn($ra_email) && !OIDplus::authUtils()::isAdminLoggedIn()) {
		78	$out['icon'] = 'img/error_big.png';
360	daniel-mar	79	$out['text'] = '<p>'._L('You need to <a %1>log in</a> as the requested RA %2 or as admin.',OIDplus::gui()->link('oidplus:login'),'<b>'.htmlentities($ra_email).'</b>').'</p>';
329	daniel-mar	80	return;
		81	}
		82
360	daniel-mar	83	$out['text'] .= '<p>'._L('You can make automated calls to your OIDplus account by calling the AJAX API.').'</p>';
		84	$out['text'] .= '<p>'._L('The URL for the AJAX script is:').':</p>';
496	daniel-mar	85	$out['text'] .= '<p><b>'.OIDplus::webpath(null,false).'ajax.php</b></p>';
360	daniel-mar	86	$out['text'] .= '<p>'._L('You must at least provide following fields').':</p>';
329	daniel-mar	87	$out['text'] .= '<p><pre>';
		88	$out['text'] .= 'batch_login_username = "'.htmlentities($ra_email).'"'."\n";
		89	$out['text'] .= 'batch_login_password = "........."'."\n";
		90	$out['text'] .= 'batch_ajax_unlock_key = "'.$this->getUnlockKey($ra_email).'"'."\n";
		91	$out['text'] .= '</pre></p>';
360	daniel-mar	92	$out['text'] .= '<p>'._L('Please keep this information confidential!').'</p>';
		93	$out['text'] .= '<p>'._L('The batch-fields will automatically perform a one-time-login to fulfill the request. The other fields are the normal fields which are called during the usual operation of OIDplus.').'</p>';
		94	$out['text'] .= '<p>'._L('Currently, there is no documentation for the AJAX calls. However, you can look at the <b>script.js</b> files of the plugins to see the field names being used. You can also enable network analysis in your web browser debugger (F12) to see the request headers sent to the server during the operation of OIDplus.').'</p>';
425	daniel-mar	95
360	daniel-mar	96	$out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using JavaScript').'</h2>';
424	daniel-mar	97	$cont = file_get_contents(__DIR__.'/examples/example_js.html');
496	daniel-mar	98	$cont = str_replace('<url>', OIDplus::webpath(null,false).'ajax.php', $cont);
424	daniel-mar	99	$cont = str_replace('<username>', $ra_email, $cont);
		100	$cont = str_replace('<password>', '.........', $cont);
425	daniel-mar	101	$cont = str_replace('<unlock key>', $this->getUnlockKey($ra_email), $cont);
424	daniel-mar	102	$out['text'] .= '<pre>'.htmlentities($cont).'</pre>';
425	daniel-mar	103
360	daniel-mar	104	$out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using PHP (located at a foreign server)').'</h2>';
424	daniel-mar	105	$cont = file_get_contents(__DIR__.'/examples/example_php.phps');
496	daniel-mar	106	$cont = str_replace('<url>', OIDplus::webpath(null,false).'ajax.php', $cont);
424	daniel-mar	107	$cont = str_replace('<username>', $ra_email, $cont);
		108	$cont = str_replace('<password>', '.........', $cont);
425	daniel-mar	109	$cont = str_replace('<unlock key>', $this->getUnlockKey($ra_email), $cont);
424	daniel-mar	110	$out['text'] .= '<pre>'.preg_replace("@<br.*>@ismU","",highlight_string($cont,true)).'</pre>';
		111
425	daniel-mar	112	$out['text'] .= '<h2>'._L('Example for adding OID 2.999.123 using VBScript').'</h2>';
		113	$cont = file_get_contents(__DIR__.'/examples/example_vbs.vbs');
496	daniel-mar	114	$cont = str_replace('<url>', OIDplus::webpath(null,false).'ajax.php', $cont);
425	daniel-mar	115	$cont = str_replace('<username>', $ra_email, $cont);
		116	$cont = str_replace('<password>', '.........', $cont);
		117	$cont = str_replace('<unlock key>', $this->getUnlockKey($ra_email), $cont);
		118	$out['text'] .= '<pre>'.htmlentities($cont).'</pre>';
329	daniel-mar	119	}
		120	}
		121
		122	public function tree(&$json, $ra_email=null, $nonjs=false, $req_goto='') {
		123	if (!$ra_email) return false;
		124	if (!OIDplus::authUtils()::isRaLoggedIn($ra_email) && !OIDplus::authUtils()::isAdminLoggedIn()) return false;
		125
		126	if (file_exists(__DIR__.'/treeicon.png')) {
		127	$tree_icon = OIDplus::webpath(__DIR__).'treeicon.png';
		128	} else {
		129	$tree_icon = null; // default icon (folder)
		130	}
		131
		132	$json[] = array(
		133	'id' => 'oidplus:automated_ajax_information_ra$'.$ra_email,
		134	'icon' => $tree_icon,
360	daniel-mar	135	'text' => _L('Automated AJAX calls')
329	daniel-mar	136	);
		137
		138	return true;
		139	}
		140
		141	public function tree_search($request) {
		142	return false;
		143	}
426	daniel-mar	144	}

Subversion Repositories oidplus

oidplus/trunk/plugins/raPages/910_automated_ajax_calls/OIDplusPageRaAutomatedAJAXCalls.class.php – Rev 511