-
Notifications
You must be signed in to change notification settings - Fork 0
/
islandora_rest_authen.module
252 lines (231 loc) · 8.81 KB
/
islandora_rest_authen.module
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
<?php
/**
* @file
* Module file.
*/
/**
* Implements hook_menu().
*/
function islandora_rest_authen_menu() {
$items = array();
$items['admin/islandora/tools/rest_authen'] = array(
'title' => 'Islandora REST Authen',
'description' => 'Configure the Islandora REST Authen module.',
'page callback' => 'drupal_get_form',
'page arguments' => array('islandora_rest_authen_admin_settings'),
'access arguments' => array('administer site configuration'),
'type' => MENU_NORMAL_ITEM,
);
return $items;
}
/**
* Implements hook_init().
*/
function islandora_rest_authen_init() {
islandora_rest_authen_authenticate();
}
/**
* Admin settings form builder.
*/
function islandora_rest_authen_admin_settings($form, &$form_state) {
$form['islandora_rest_authen_users'] = array(
'#type' => 'textarea',
'#title' => t('REST users'),
'#default_value' => variable_get('islandora_rest_authen_users', ''),
'#description' => t('A list of REST username/encrypted key pairs, one per line. Separate usernames and keys with a pipe ("|"). Each username/plaintext key pair must be included in a "X-Authorization-User" HTTP request header. If you want to restrict access to the REST interface to a specific IP address, add it to the end of the username/key string, separated from it by a pipe. Ranges are allowed in the format 111.111.111.111:222.222.222.222. Multiple addresses and ranges can be separated with a comma. If you want access to the REST interface to expire at a specific date, add it to the end of the userename/key/IP address string, separated from it by a pipe and in the ISO 8601 date format (e.g. 2017-03-06T19:23:48-08:00). See this module\'s README for examples.'),
);
$form['islandora_rest_authen_key'] = array(
'#type' => 'textfield',
'#prefix' => '<div id="islandora_rest_authen_key">',
'#suffix' => '</div>',
'#size' => 100,
'#default_value' => '',
'#description' => t('Enter a plaintext key here to encrypt it, then enter the encrypted version into the key position in the "REST users" entry above.'),
'#attributes' => array(
'placeholder' => t('Plaintext key to encrypt'),
),
);
if (!empty($form_state['values']['islandora_rest_authen_hash_key_submit'])) {
$form['islandora_rest_authen_key']['#value'] = islandora_rest_authen_get_hash($form_state['values']['islandora_rest_authen_key']);
$form['islandora_rest_authen_key']['#description'] = t('After clicking on the "Encrypt key" button, copy the new value into the key position in the username|key entry above.');
}
$form['islandora_rest_authen_hash_key_submit'] = array(
'#type' => 'submit',
'#value' => t('Encrypt key'),
"#executes_submit_callback" => FALSE,
'#ajax' => array(
'callback' => 'islandora_rest_authen_hash_key',
'wrapper' => 'islandora_rest_authen_key',
),
);
$form['islandora_rest_authen_log_api_key_logins'] = array(
'#type' => 'checkbox',
'#title' => t('Log API key authentication attempts'),
'#default_value' => variable_get('islandora_rest_authen_log_api_key_logins', 1),
'#description' => t('Log attempts (success and failure) at authenticating using an REST API key.'),
);
return system_settings_form($form);
}
/**
* Form widget Ajax callback function.
*/
function islandora_rest_authen_hash_key($form, $form_state) {
return $form['islandora_rest_authen_key'];
}
/**
* Authenticates the REST user.
*/
function islandora_rest_authen_authenticate() {
if (preg_match('#^islandora/rest/#', current_path())) {
$request_headers = getallheaders();
if (isset($request_headers['X-Authorization-User'])) {
list($request_username, $request_key) = explode(':', $request_headers['X-Authorization-User']);
$authorized_users = preg_split("/\\r\\n|\\r|\\n/", trim(variable_get('islandora_rest_authen_users', '')));
$rest_users = array();
foreach ($authorized_users as $authorized_user_details) {
$entry = explode('|', trim($authorized_user_details));
$local_username = isset($entry[0]) ? $entry[0] : '';
$local_key = isset($entry[1]) ? $entry[1] : '';
$ip_whitelist = isset($entry[2]) ? $entry[2] : '';
$expiry = isset($entry[3]) ? $entry[3] : '';
$rest_users[$local_username] = array(
'key' => $local_key,
'ip_whitelist' => $ip_whitelist,
'expiry' => $expiry,
);
}
if (array_key_exists($request_username, $rest_users)) {
// Get the hashed version of the key supplied in the request.
$hashed_request_key = islandora_rest_authen_get_hash($request_key);
// Condition: Request is from outside IP address whitelist.
if (strlen($rest_users[$request_username]['ip_whitelist'])) {
if (!islandora_rest_authen_check_ip($request_username, $rest_users[$request_username]['ip_whitelist'])) {
header('HTTP/1.0 401 Unauthorized', TRUE);
exit;
}
}
// Condition: Request is from outside allow time range.
if (strlen($rest_users[$request_username]['expiry'])) {
if (!islandora_rest_authen_check_expiry($rest_users[$request_username], $rest_users[$request_username]['expiry'])) {
header('HTTP/1.0 401 Unauthorized', TRUE);
exit;
}
}
// Check the request key against local users's keys.
if ($hashed_request_key == $rest_users[$request_username]['key']) {
islandora_rest_authen_log_in($request_username);
}
}
else {
// Condition: User is not registered to use the REST interface.
header('HTTP/1.0 401 Unauthorized', TRUE);
exit;
}
}
}
}
/**
* Logs in the REST user.
*
* @param string $username
* The user's username.
*/
function islandora_rest_authen_log_in($username) {
$account = user_load_by_name($username);
$form_state['uid'] = $account->uid;
user_login_submit(array(), $form_state);
if (variable_get('islandora_rest_authen_log_api_key_logins', 1)) {
watchdog('islandora_rest_authen', "Login attempt using REST API key successful for user !user.", array('!user' => $username));
}
}
/**
* Compares the client's IP address against a list of allowed addresses.
*
* @param string $username
* The username from the REST credentials.
* @param string $ip_ranges
* The string containing the IP ranges to check.
*
* @return bool
* TRUE if the client address is in the ranges, FALSE if not.
*/
function islandora_rest_authen_check_ip($username, $ip_ranges) {
if (!strlen($ip_ranges)) {
return FALSE;
}
$is_allowed = FALSE;
// Get client's IP address and convert it to a long integer for
// comparison with the registered ranges.
$comparable_address = ip2long(ip_address());
$ranges = explode(',', $ip_ranges);
foreach ($ranges as $range) {
$range = preg_replace('/\s+/', '', $range);
if (!strlen($range)) {
continue;
}
list($low, $high) = array_pad(explode(':', $range, 2), 2, NULL);
// Check ranges of IP addresses.
if (!is_null($low) && !is_null($high)) {
$comparable_low = ip2long($low);
$comparable_high = ip2long($high);
if ($comparable_address >= $comparable_low && $comparable_address <= $comparable_high) {
$is_allowed = TRUE;
}
}
// Check individual IP addresses.
if (!is_null($low) && is_null($high)) {
if (ip_address() == $low) {
$is_allowed = TRUE;
}
}
}
if (!$is_allowed && variable_get('islandora_rest_authen_log_api_key_logins', 1)) {
watchdog('islandora_rest_authen', "Login attempt using REST API key failed for user !user from disallowed IP address !ip_address.", array('!user' => $username, '!ip_address' => ip_address()));
}
return $is_allowed;
}
/**
* Compares the current time to the API key's expiry date, if one is present.
*
* @param string $username
* The username supplied in the REST request.
* @param string $expiry
* The expiry date supplied in the REST request.
*
* @return bool
* TRUE if the entry does not contain an expiry date or if the
* date is in the future; FALSE if the date is present and in
* the past.
*/
function islandora_rest_authen_check_expiry($username, $expiry) {
if (strlen($expiry)) {
$now = time();
if (strtotime($expiry) > $now) {
// Expiry date is in the future.
return TRUE;
}
else {
if (variable_get('islandora_rest_authen_log_api_key_logins', 1)) {
watchdog('islandora_rest_authen', "Login attempt using expired REST API key failed for user !user.", array('!user' => $username));
}
// Expiry data is in the past.
return FALSE;
}
}
else {
// There is no expiry date.
return TRUE;
}
}
/**
* Hashes a string.
*
* @param string $string
* The string to hash.
*
* @return string
* The hashed string.
*/
function islandora_rest_authen_get_hash($string) {
return hash('sha256', $string);
}