Allow API authentication using the `auth` query parameter containing an auth. hash. (#1845)

* Allow API authentication using the `auth` query parameter containing an auth. hash.

Fixes #1827

The same auth. hash for zms is used here. This allows consumers to use the API without sending the password in the query string and not require forging logins via the login form.

* Move logger.php's global Debug function to Logger::Debug to avoid polluting globals

This avoids a conflict with CakePHP when logger.php gets included indirectly from API code.

* Protect action=login when ZM_ENABLE_CSRF_MAGIC is enabled
Matt N 2017-05-15 18:51:49 -07:00 committed by Isaac Connor
parent 1e45146db8
commit 33092e4022
7 changed files with 45 additions and 17 deletions


@ -21,23 +21,23 @@ if ( !@socket_bind( $socket, $locSockFile ) )
switch ( $_REQUEST['command'] ) switch ( $_REQUEST['command'] )
{ {
case CMD_VARPLAY : case CMD_VARPLAY :
Debug( "Varplaying to ".$_REQUEST['rate'] ); Logger::Debug( "Varplaying to ".$_REQUEST['rate'] );
$msg = pack( "lcn", MSG_CMD, $_REQUEST['command'], $_REQUEST['rate']+32768 ); $msg = pack( "lcn", MSG_CMD, $_REQUEST['command'], $_REQUEST['rate']+32768 );
break; break;
case CMD_ZOOMIN : case CMD_ZOOMIN :
Debug( "Zooming to ".$_REQUEST['x'].",".$_REQUEST['y'] ); Logger::Debug( "Zooming to ".$_REQUEST['x'].",".$_REQUEST['y'] );
$msg = pack( "lcnn", MSG_CMD, $_REQUEST['command'], $_REQUEST['x'], $_REQUEST['y'] ); $msg = pack( "lcnn", MSG_CMD, $_REQUEST['command'], $_REQUEST['x'], $_REQUEST['y'] );
break; break;
case CMD_PAN : case CMD_PAN :
Debug( "Panning to ".$_REQUEST['x'].",".$_REQUEST['y'] ); Logger::Debug( "Panning to ".$_REQUEST['x'].",".$_REQUEST['y'] );
$msg = pack( "lcnn", MSG_CMD, $_REQUEST['command'], $_REQUEST['x'], $_REQUEST['y'] ); $msg = pack( "lcnn", MSG_CMD, $_REQUEST['command'], $_REQUEST['x'], $_REQUEST['y'] );
break; break;
case CMD_SCALE : case CMD_SCALE :
Debug( "Scaling to ".$_REQUEST['scale'] ); Logger::Debug( "Scaling to ".$_REQUEST['scale'] );
$msg = pack( "lcn", MSG_CMD, $_REQUEST['command'], $_REQUEST['scale'] ); $msg = pack( "lcn", MSG_CMD, $_REQUEST['command'], $_REQUEST['scale'] );
break; break;
case CMD_SEEK : case CMD_SEEK :
Debug( "Seeking to ".$_REQUEST['offset'] ); Logger::Debug( "Seeking to ".$_REQUEST['offset'] );
$msg = pack( "lcN", MSG_CMD, $_REQUEST['command'], $_REQUEST['offset'] ); $msg = pack( "lcN", MSG_CMD, $_REQUEST['command'], $_REQUEST['offset'] );
break; break;
default : default :


@ -88,6 +88,31 @@ class AppController extends Controller {
} }
} }
if ( isset($_REQUEST['auth']) ) {
require_once "../../../includes/functions.php";
// Define some defines required by getAuthUser in functions.php
$defines = array('ZM_AUTH_HASH_IPS', 'ZM_AUTH_HASH_SECRET', 'ZM_AUTH_RELAY', 'ZM_OPT_USE_AUTH');
$configQuery = array(
'conditions' => array('OR' => array('Name' => $defines)),
'fields' => array('Name', 'Value')
);
$config = $this->Config->find('list', $configQuery);
foreach ($defines as $define) {
define($define, $config[$define]);
}
$user = getAuthUser($_REQUEST['auth']);
if ( ! $user ) {
throw new UnauthorizedException(__('User not found'));
return;
} else {
$this->Session->Write( 'user.Username', $user['Username'] );
$this->Session->Write( 'user.Enabled', $user['Enabled'] );
}
}
if( ! $this->Session->Read('user.Username') ) { if( ! $this->Session->Read('user.Username') ) {
throw new UnauthorizedException(__('Not Authenticated')); throw new UnauthorizedException(__('Not Authenticated'));
return; return;
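Review bot: `define($define, $config[$define])` in the foreach of this hunk assumes every one of the four names has a row in Config and that none is defined yet; a missing row yields an undefined-index notice and a null constant, and a prior definition (for instance if the just-required functions.php or something it includes already defines them) raises a "constant already defined" warning, so guard it with `if ( !defined($define) ) define($define, isset($config[$define]) ? $config[$define] : '');` or fail explicitly with an exception. The hash is read from `$_REQUEST`, so it is honored from a cookie or POST body as well as the `auth` query parameter, and a query-string hash will be recorded in web-server access logs and Referer headers; a short comment on this block stating that, and that the session values written on success presumably persist into later requests, would help API consumers and future maintainers. The `return;` after the `throw` is unreachable and can be dropped. The enclosing method starts before the hunk.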


@ -218,11 +218,11 @@ class Event {
} }
$command ='ffmpeg -v 0 -i '.$videoPath.' -vf "select=gte(n\\,'.$frame['FrameId'].'),setpts=PTS-STARTPTS" '.$eventPath.'/'.$captImage; $command ='ffmpeg -v 0 -i '.$videoPath.' -vf "select=gte(n\\,'.$frame['FrameId'].'),setpts=PTS-STARTPTS" '.$eventPath.'/'.$captImage;
Debug( "Running $command" ); Logger::Debug( "Running $command" );
$output = array(); $output = array();
$retval = 0; $retval = 0;
exec( $command, $output, $retval ); exec( $command, $output, $retval );
Debug("Retval: $retval, output: " . implode("\n", $output)); Logger::Debug("Retval: $retval, output: " . implode("\n", $output));
} else { } else {
Error("Can't create frame images from video becuase there is no video file for this event (".$Event->DefaultVideo() ); Error("Can't create frame images from video becuase there is no video file for this event (".$Event->DefaultVideo() );
} }


@ -88,7 +88,7 @@ function dbLog( $sql, $update=false )
global $dbLogLevel; global $dbLogLevel;
$noExecute = $update && ($dbLogLevel >= DB_LOG_DEBUG); $noExecute = $update && ($dbLogLevel >= DB_LOG_DEBUG);
if ( $dbLogLevel > DB_LOG_OFF ) if ( $dbLogLevel > DB_LOG_OFF )
Debug( "SQL-LOG: $sql".($noExecute?" (not executed)":"") ); Logger::Debug( "SQL-LOG: $sql".($noExecute?" (not executed)":"") );
return( $noExecute ); return( $noExecute );
} }


@ -27,6 +27,9 @@ if ( version_compare( phpversion(), "4.3.0", "<") ) {
} }
} }
require_once( 'logger.php' );
require_once( 'database.php' );
function userLogin( $username, $password="", $passwordHashed=false ) { function userLogin( $username, $password="", $passwordHashed=false ) {
global $user, $cookies; global $user, $cookies;


@ -165,7 +165,7 @@ class Logger
$this->initialised = true; $this->initialised = true;
Debug( "LogOpts: level=".self::$codes[$this->level]."/".self::$codes[$this->effectiveLevel].", screen=".self::$codes[$this->termLevel].", database=".self::$codes[$this->databaseLevel].", logfile=".self::$codes[$this->fileLevel]."->".$this->logFile.", weblog=".self::$codes[$this->weblogLevel].", syslog=".self::$codes[$this->syslogLevel] ); Logger::Debug( "LogOpts: level=".self::$codes[$this->level]."/".self::$codes[$this->effectiveLevel].", screen=".self::$codes[$this->termLevel].", database=".self::$codes[$this->databaseLevel].", logfile=".self::$codes[$this->fileLevel]."->".$this->logFile.", weblog=".self::$codes[$this->weblogLevel].", syslog=".self::$codes[$this->syslogLevel] );
} }
private function terminate() private function terminate()
@ -212,6 +212,11 @@ class Logger
return self::$instance; return self::$instance;
} }
public static function Debug( $string )
{
Logger::fetch()->logPrint( Logger::DEBUG, $string );
}
public function id( $id=NULL ) public function id( $id=NULL )
{ {
if ( isset($id) && $this->id != $id ) if ( isset($id) && $this->id != $id )
@ -505,11 +510,6 @@ function Dump( &$var, $label="VAR" )
Logger::fetch()->logPrint( Logger::DEBUG, ob_get_clean() ); Logger::fetch()->logPrint( Logger::DEBUG, ob_get_clean() );
} }
function Debug( $string )
{
Logger::fetch()->logPrint( Logger::DEBUG, $string );
}
function Info( $string ) function Info( $string )
{ {
Logger::fetch()->logPrint( Logger::INFO, $string ); Logger::fetch()->logPrint( Logger::INFO, $string );
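Review bot: the new `Logger::Debug` at the top of the second hunk refers to its own class by name (`Logger::fetch()`, `Logger::DEBUG`) from inside the class body; `self::fetch()->logPrint( self::DEBUG, $string );` is the usual form and matches how the class already writes `self::$codes` in the first hunk. A one-line docblock such as `/** Log $string at DEBUG level through the shared Logger instance. */` would also help, since the method replaces a global function that existing callers will now search for. The sibling global `Info` (and presumably the other level helpers after the removed `Debug`) keep their global form, so the hunk leaves the logging API half-migrated; if that is intentional it is worth saying so in the method's comment. The class body extends well beyond these hunks.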


@ -114,7 +114,7 @@ if ( !file_exists( ZM_SKIN_PATH ) )
$skinBase[] = $skin; $skinBase[] = $skin;
$currentCookieParams = session_get_cookie_params(); $currentCookieParams = session_get_cookie_params();
Debug('Setting cookie parameters to lifetime('.$currentCookieParams['lifetime'].') path('.$currentCookieParams['path'].') domain ('.$currentCookieParams['domain'].') secure('.$currentCookieParams['secure'].') httpOnly(1)'); Logger::Debug('Setting cookie parameters to lifetime('.$currentCookieParams['lifetime'].') path('.$currentCookieParams['path'].') domain ('.$currentCookieParams['domain'].') secure('.$currentCookieParams['secure'].') httpOnly(1)');
session_set_cookie_params( session_set_cookie_params(
$currentCookieParams["lifetime"], $currentCookieParams["lifetime"],
$currentCookieParams["path"], $currentCookieParams["path"],
@ -176,8 +176,8 @@ isset($view) || $view = NULL;
isset($request) || $request = NULL; isset($request) || $request = NULL;
isset($action) || $action = NULL; isset($action) || $action = NULL;
if ( ZM_ENABLE_CSRF_MAGIC && $action != 'login' ) { if ( ZM_ENABLE_CSRF_MAGIC ) {
Debug("Calling csrf_check with the following values: \$request = \"$request\", \$view = \"$view\", \$action = \"$action\""); Logger::Debug("Calling csrf_check with the following values: \$request = \"$request\", \$view = \"$view\", \$action = \"$action\"");
csrf_check(); csrf_check();
} }
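Review bot: dropping the `$action != 'login'` exemption at the `if ( ZM_ENABLE_CSRF_MAGIC )` line means `csrf_check()` now rejects a login submission that does not carry the csrf token, so the login form must emit that token for logins to keep working; nothing in this hunk or the description shows that side, so it should be confirmed. A comment on the condition, e.g. `// login is no longer exempt: the login form must carry the csrf token`, would record the intent for the next reader. The code that assigns `$action` lies outside the hunk.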