<?php
/*
** Zabbix
** Copyright (C) 2001-2022 Zabbix SIA
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
**/
/**
* This class should be used to call API services locally using the CApiService classes.
*/
class CLocalApiClient extends CApiClient {
/**
* Factory for creating API services.
*
* @var CRegistryFactory
*/
protected $serviceFactory;
/**
* Whether debug mode is enabled.
*
* @var bool
*/
protected $debug = false;
/**
* Set service factory.
*
* @param CRegistryFactory $factory
*/
public function setServiceFactory(CRegistryFactory $factory) {
$this->serviceFactory = $factory;
}
/**
* Call the given API service method and return the response.
*
* @param string $requestApi API name
* @param string $requestMethod API method
* @param array $params API parameters
* @param string $auth Authentication token
*
* @return CApiClientResponse
*/
public function callMethod($requestApi, $requestMethod, array $params, $auth) {
global $DB;
$api = strtolower($requestApi);
$method = strtolower($requestMethod);
$response = new CApiClientResponse();
// check API
if (!$this->isValidApi($api)) {
$response->errorCode = ZBX_API_ERROR_NO_METHOD;
$response->errorMessage = _s('Incorrect API "%1$s".', $requestApi);
return $response;
}
// check method
if (!$this->isValidMethod($api, $method)) {
$response->errorCode = ZBX_API_ERROR_NO_METHOD;
$response->errorMessage = _s('Incorrect method "%1$s.%2$s".', $requestApi, $requestMethod);
return $response;
}
$requiresAuthentication = $this->requiresAuthentication($api, $method);
// check that no authentication token is passed to methods that don't require it
if (!$requiresAuthentication && $auth !== null) {
$response->errorCode = ZBX_API_ERROR_PARAMETERS;
$response->errorMessage = _s('The "%1$s.%2$s" method must be called without the "auth" parameter.',
$requestApi, $requestMethod
);
return $response;
}
$newTransaction = false;
try {
// authenticate
if ($requiresAuthentication) {
$this->authenticate($auth);
// check permissions
if (APP::getMode() === APP::EXEC_MODE_API && !$this->isAllowedMethod($api, $method)) {
$response->errorCode = ZBX_API_ERROR_PARAMETERS;
$response->errorMessage = _s('No permissions to call "%1$s.%2$s".', $requestApi, $requestMethod);
return $response;
}
}
// the nopermission parameter must not be available for external API calls.
unset($params['nopermissions']);
// if no transaction has been started yet - start one
if ($DB['TRANSACTIONS'] == 0) {
DBstart();
$newTransaction = true;
}
// call API method
$result = call_user_func_array([$this->serviceFactory->getObject($api), $method], [$params]);
// if the method was called successfully - commit the transaction
if ($newTransaction) {
DBend(true);
}
$response->data = $result;
}
catch (Exception $e) {
if ($newTransaction) {
// if we're calling user.login and authentication failed - commit the transaction to save the
// failed attempt data
if ($api === 'user' && $method === 'login') {
DBend(true);
}
// otherwise - revert the transaction
else {
DBend(false);
}
}
$response->errorCode = ($e instanceof APIException) ? $e->getCode() : ZBX_API_ERROR_INTERNAL;
$response->errorMessage = $e->getMessage();
// add debug data
if ($this->debug) {
$response->debug = $e->getTrace();
}
}
return $response;
}
/**
* Checks if the authentication token is valid.
*
* @param string $auth
*
* @throws APIException
*/
protected function authenticate($auth) {
if (zbx_empty($auth)) {
throw new APIException(ZBX_API_ERROR_NO_AUTH, _('Not authorized.'));
}
if (strlen($auth) == 64) {
return $this->tokenAuthentication($auth);
}
$user = $this->serviceFactory->getObject('user')->checkAuthentication(['sessionid' => $auth]);
if (array_key_exists('debug_mode', $user)) {
$this->debug = $user['debug_mode'];
}
}
/**
* Authenticates user based on token.
*
* @param string $auth_token
*
* @throws APIException
*/
protected function tokenAuthentication(string $auth_token) {
$api_tokens = DB::select('token', [
'output' => ['userid', 'expires_at', 'tokenid'],
'filter' => ['token' => hash('sha512', $auth_token), 'status' => ZBX_AUTH_TOKEN_ENABLED]
]);
if (!$api_tokens) {
usleep(10000);
throw new APIException(ZBX_API_ERROR_NO_AUTH, _('Not authorized.'));
}
[['expires_at' => $expires_at, 'userid' => $userid, 'tokenid' => $tokenid]] = $api_tokens;
if ($expires_at != 0 && $expires_at < time()) {
throw new APIException(ZBX_API_ERROR_PERMISSIONS, _('API token expired.'));
}
[['roleid' => $roleid, 'username' => $username]] = DB::select('users', [
'output' => ['roleid', 'username'],
'userids' => $userid
]);
[$type] = DBfetchColumn(DBselect('SELECT type FROM role WHERE roleid='.zbx_dbstr($roleid)), 'type');
$db_usrgrps = DBselect(
'SELECT g.debug_mode,g.users_status'.
' FROM usrgrp g,users_groups ug'.
' WHERE g.usrgrpid=ug.usrgrpid'.
' AND ug.userid='.$userid
);
$debug_mode = GROUP_DEBUG_MODE_DISABLED;
while ($db_usrgrp = DBfetch($db_usrgrps)) {
if ($db_usrgrp['users_status'] == GROUP_STATUS_DISABLED) {
throw new APIException(ZBX_API_ERROR_NO_AUTH, _('Not authorized.'));
}
if ($db_usrgrp['debug_mode'] == GROUP_DEBUG_MODE_ENABLED) {
$debug_mode = GROUP_DEBUG_MODE_ENABLED;
break;
}
}
CApiService::$userData = [
'userid' => $userid,
'username' => $username,
'type' => $type,
'roleid' => $roleid,
'userip' => CWebUser::getIp(),
'sessionid' => $auth_token,
'debug_mode' => $debug_mode
];
$this->debug = ($debug_mode == GROUP_DEBUG_MODE_ENABLED);
DB::update('token', [
'values' => ['lastaccess' => time()],
'where' => ['tokenid' => $tokenid]
]);
}
/**
* Returns true if the given API is valid.
*
* @param string $api
*
* @return bool
*/
protected function isValidApi($api) {
return $this->serviceFactory->hasObject($api);
}
/**
* Returns true if the given method is valid.
*
* @param string $api
* @param string $method
*
* @return bool
*/
protected function isValidMethod(string $api, string $method): bool {
$api_service = $this->serviceFactory->getObject($api);
return array_key_exists($method, $api_service::ACCESS_RULES);
}
/**
* Returns true if calling the given method requires a valid authentication token.
*
* @param $api
* @param $method
*
* @return bool
*/
protected function requiresAuthentication($api, $method) {
return !(($api === 'user' && $method === 'login')
|| ($api === 'user' && $method === 'checkauthentication')
|| ($api === 'apiinfo' && $method === 'version')
|| ($api === 'settings' && $method === 'getglobal'));
}
/**
* Returns true if the current user is permitted to call the given API method, and false otherwise.
*
* @param string $api
* @param string $method
*
* @return bool
*/
protected function isAllowedMethod(string $api, string $method): bool {
$api_service = $this->serviceFactory->getObject($api);
$user_data = $api_service::$userData;
$method_rules = $api_service::ACCESS_RULES[$method];
if (!array_key_exists('min_user_type', $method_rules)
|| !in_array($user_data['type'], [USER_TYPE_ZABBIX_USER, USER_TYPE_ZABBIX_ADMIN, USER_TYPE_SUPER_ADMIN])
|| $user_data['type'] < $method_rules['min_user_type']) {
return false;
}
$exists_action_rule = array_key_exists('action', $method_rules);
$name_conditions = 'name LIKE '.zbx_dbstr('api%');
if ($exists_action_rule) {
$name_conditions = '('.
$name_conditions.
' OR name='.zbx_dbstr($method_rules['action']).
' OR name='.zbx_dbstr('actions.default_access').
')';
}
$db_rules = DBselect(
'SELECT type,name,value_str,value_int'.
' FROM role_rule'.
' WHERE roleid='.zbx_dbstr($user_data['roleid']).
' AND '.$name_conditions.
' ORDER by name'
);
$api_access_mode = false;
$api_methods = [];
$actions_default_access = true;
$is_action_allowed = null;
while ($db_rule = DBfetch($db_rules)) {
$rule_value = $db_rule[CRole::RULE_TYPE_FIELDS[$db_rule['type']]];
switch ($db_rule['name']) {
case 'api.access':
if ($rule_value == 0) {
return false;
}
break;
case 'api.mode':
$api_access_mode = (bool) $rule_value;
break;
case 'actions.default_access':
$actions_default_access = (bool) $rule_value;
break;
default:
if (strpos($db_rule['name'], 'api.method.') === 0) {
$api_methods[] = $rule_value;
}
elseif ($exists_action_rule && $db_rule['name'] === $method_rules['action']) {
$is_action_allowed = (bool) $rule_value;
}
}
}
if ($exists_action_rule) {
$is_action_allowed = ($is_action_allowed !== null) ? $is_action_allowed : $actions_default_access;
if (!$is_action_allowed) {
return false;
}
}
if (!$api_methods) {
return true;
}
$api_method_masks = [
ZBX_ROLE_RULE_API_WILDCARD, ZBX_ROLE_RULE_API_WILDCARD_ALIAS, CRoleHelper::API_ANY_SERVICE.$method,
$api.CRoleHelper::API_ANY_METHOD
];
foreach ($api_methods as $api_method) {
if ($api_method === $api.'.'.$method || in_array($api_method, $api_method_masks)) {
return $api_access_mode;
}
}
return !$api_access_mode;
}
}