Commit 842d3ff8 authored by Dominik František Bučík's avatar Dominik František Bučík

chore: merge branch 'apiWritemulticreds' into 'main'

feat: :guitar: Support multiple credentials write API

See merge request !94
parents 56b0c169 9055805c
...@@ -104,6 +104,16 @@ $config = [ ...@@ -104,6 +104,16 @@ $config = [
*/ */
//'apiWritePasswordHash' => password_hash('ap1Wr1T3rP@S$'), //'apiWritePasswordHash' => password_hash('ap1Wr1T3rP@S$'),
/*
* Map of credentials for API writer (has no effect if write is disabled).
* Either apiWriteUsername and apiWritePasswordHash or this array has to contain valid credentials pair.
*/
//'apiWriters' => [
// 'api_writer' => password_hash('ap1Wr1T3rP@S$'),
// 'api_writer2' => password_hash('ap1Wr1T3rP@S$'),
//],
/* /*
* List of IDP and/or SP EntityIDs for which the login statistic will be ignored even * List of IDP and/or SP EntityIDs for which the login statistic will be ignored even
* when requested to be instered into the storage. By default lists are empty * when requested to be instered into the storage. By default lists are empty
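Review bot: The example key in the new template block is `'apiWriters'` (the `//'apiWriters' => [` line), but the Config class introduced in this same commit reads the option as `'apiWriteCredentials'`, so an operator who uncomments this example gets a silently ignored setting and no writers configured from the map. Rename the example to `//'apiWriteCredentials' => [` or change the constant in Config to match. The example values also call `password_hash()` with a single argument, as the pre-existing `apiWritePasswordHash` example does; the function's algorithm parameter has no default, so `password_hash('ap1Wr1T3rP@S$', PASSWORD_DEFAULT)` would be the runnable form.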
...@@ -41,6 +41,8 @@ class Config ...@@ -41,6 +41,8 @@ class Config
private const API_WRITE_PASSWORD_HASH = 'apiWritePasswordHash'; private const API_WRITE_PASSWORD_HASH = 'apiWritePasswordHash';
private const API_WRITERS_CREDENTIALS = 'apiWriteCredentials';
private const IGNORED_IDS = 'ignoredIds'; private const IGNORED_IDS = 'ignoredIds';
private const CRON_ENABLED = 'cronEnabled'; private const CRON_ENABLED = 'cronEnabled';
...@@ -63,9 +65,7 @@ class Config ...@@ -63,9 +65,7 @@ class Config
private $apiWriteEnabled; private $apiWriteEnabled;
private $apiWriteUsername; private $apiWriters;
private $apiWritePasswordHash;
private $ignoredIds; private $ignoredIds;
...@@ -87,13 +87,20 @@ class Config ...@@ -87,13 +87,20 @@ class Config
$this->apiWriteEnabled = $this->config->getBoolean(self::API_WRITE_ENABLED, false); $this->apiWriteEnabled = $this->config->getBoolean(self::API_WRITE_ENABLED, false);
$this->ignoredIds = $this->config->getArray(self::IGNORED_IDS, []); $this->ignoredIds = $this->config->getArray(self::IGNORED_IDS, []);
if ($this->apiWriteEnabled) { if ($this->apiWriteEnabled) {
$this->apiWriteUsername = $this->config->getString(self::API_WRITE_USERNAME); $apiWriteUsername = $this->config->getString(self::API_WRITE_USERNAME, null);
if (empty(trim($this->apiWriteUsername))) { $apiWritePasswordHash = $this->config->getString(self::API_WRITE_PASSWORD_HASH, null);
throw new Exception('Username for API write cannot be empty'); $this->apiWriters = $this->config->getArray(self::API_WRITERS_CREDENTIALS, []);
if (!empty(trim($apiWriteUsername)) && !empty(trim($apiWritePasswordHash))) {
$this->apiWriters[$apiWriteUsername] = $apiWritePasswordHash;
} }
$this->apiWritePasswordHash = $this->config->getString(self::API_WRITE_PASSWORD_HASH);
if (empty(trim($this->apiWritePasswordHash))) { foreach ($this->apiWriters as $username => $passwordHash) {
throw new Exception('Password for API write cannot be empty'); if (empty(trim($username))) {
throw new Exception('Username for API write cannot be empty');
}
if (empty(trim($passwordHash))) {
throw new Exception('Password for API write (' . $username . ') cannot be empty');
}
} }
} }
} }
...@@ -163,14 +170,9 @@ class Config ...@@ -163,14 +170,9 @@ class Config
return $this->apiWriteEnabled; return $this->apiWriteEnabled;
} }
public function getApiWriteUsername() public function getApiWriteCredentials()
{
return $this->apiWriteUsername;
}
public function getApiWritePasswordHash()
{ {
return $this->apiWritePasswordHash; return $this->apiWriters;
} }
public function getIgnoredIds() public function getIgnoredIds()
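Review bot: The constructor no longer fails when API write is enabled but no credentials are configured: with neither `apiWriteUsername`/`apiWritePasswordHash` nor the credentials array set, `$this->apiWriters` stays `[]`, the validation `foreach` runs zero times and the object is built without error, whereas the removed code threw at config load. The endpoint then rejects every request at runtime, which is safe but hides the misconfiguration; after the `foreach` add `if (empty($this->apiWriters)) { throw new Exception('API write is enabled but no credentials are configured'); }`. Two smaller points in the same loop: `empty(trim($username))` also rejects the legitimate username `'0'`, and if `getString(..., null)` hands back its default for an unset option, `trim($apiWriteUsername)` receives null, which is deprecated from PHP 8.1 — a `(string)` cast or `?? ''` on both values avoids that. The constructor begins before this hunk.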
...@@ -26,11 +26,17 @@ if (!$config->isApiWriteEnabled()) { ...@@ -26,11 +26,17 @@ if (!$config->isApiWriteEnabled()) {
$authUsername = $_SERVER['PHP_AUTH_USER'] ?? ''; $authUsername = $_SERVER['PHP_AUTH_USER'] ?? '';
$authPass = $_SERVER['PHP_AUTH_PW'] ?? ''; $authPass = $_SERVER['PHP_AUTH_PW'] ?? '';
$username = $config->getApiWriteUsername(); $apiCredentials = $config->getApiWriteCredentials();
$passwordHash = $config->getApiWritePasswordHash();
$validCreds = false;
foreach ($apiCredentials as $username => $passwordHash) {
if ($authUsername === $username && password_verify($authPass, $passwordHash)) {
$validCreds = true;
break;
}
}
// If we get here, username was provided. Check password. // If we get here, username was provided. Check password.
if ($authUsername !== $username || !password_verify($authPass, $passwordHash)) { if (!$validCreds) {
Logger::info( Logger::info(
sprintf( sprintf(
"%s - API write called with bad credentials (%s:%s) returning 401 response code", "%s - API write called with bad credentials (%s:%s) returning 401 response code",
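Review bot: The lookup loop compares `$authUsername === $username` where `$username` is an array key, and PHP stores a numeric-string key such as `'123'` as the integer 123, so a writer configured with such a username can never match the string taken from `$_SERVER['PHP_AUTH_USER']`. A direct lookup handles this (array access normalizes the key the same way) and replaces the seven-line loop: `$validCreds = isset($apiCredentials[$authUsername]) && password_verify($authPass, $apiCredentials[$authUsername]);`. The comment `// If we get here, username was provided. Check password.` is no longer accurate either, since the new check covers username and password in one step. The bad-credentials log line still carries two `%s` placeholders; its arguments are outside the hunk, but if the second one is the supplied password that value should not be written to the log. The script continues past the hunk.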