123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692 |
- # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
- require 'exceptions'
- class ApplicationController < ActionController::Base
- include ErrorHandling
- helper_method :current_user,
- :authentication_check,
- :config_frontend,
- :http_log_config,
- :model_create_render,
- :model_update_render,
- :model_restory_render,
- :mode_show_rendeder,
- :model_index_render
- skip_before_action :verify_authenticity_token
- before_action :verify_csrf_token, :transaction_begin, :set_user, :session_update, :user_device_check, :cors_preflight_check
- after_action :transaction_end, :http_log, :set_access_control_headers, :set_csrf_token_headers
- # For all responses in this controller, return the CORS access control headers.
- def set_access_control_headers
- return if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
- set_access_control_headers_execute
- end
- def set_access_control_headers_execute
- headers['Access-Control-Allow-Origin'] = '*'
- headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
- headers['Access-Control-Max-Age'] = '1728000'
- headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
- end
- # If this is a preflight OPTIONS request, then short-circuit the
- # request, return only the necessary headers and return an empty
- # text/plain.
- def cors_preflight_check
- return true if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
- cors_preflight_check_execute
- end
- def cors_preflight_check_execute
- return true if request.method != 'OPTIONS'
- headers['Access-Control-Allow-Origin'] = '*'
- headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
- headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
- headers['Access-Control-Max-Age'] = '1728000'
- render text: '', content_type: 'text/plain'
- false
- end
- def set_csrf_token_headers
- return true if @_auth_type.present? && @_auth_type != 'session'
- headers['CSRF-TOKEN'] = form_authenticity_token
- end
- def verify_csrf_token
- return true if request.method != 'POST' && request.method != 'PUT' && request.method != 'DELETE' && request.method != 'PATCH'
- return true if @_auth_type == 'token_auth' || @_auth_type == 'basic_auth'
- return true if valid_authenticity_token?(session, params[:authenticity_token] || request.headers['X-CSRF-Token'])
- logger.info 'CSRF token verification failed'
- raise Exceptions::NotAuthorized, 'CSRF token verification failed!'
- end
- def http_log_config(config)
- @http_log_support = config
- end
- private
- def transaction_begin
- ApplicationHandleInfo.current = 'application_server'
- PushMessages.init
- end
- def transaction_end
- Observer::Transaction.commit
- PushMessages.finish
- ActiveSupport::Dependencies::Reference.clear!
- end
- # Finds the User with the ID stored in the session with the key
- # :current_user_id This is a common way to handle user login in
- # a Rails application; logging in sets the session value and
- # logging out removes it.
- def current_user
- return @_current_user if @_current_user
- return if !session[:user_id]
- @_current_user = User.lookup(id: session[:user_id])
- end
- def current_user_set(user, auth_type = 'session')
- session[:user_id] = user.id
- @_auth_type = auth_type
- @_current_user = user
- set_user
- end
- # Sets the current user into a named Thread location so that it can be accessed
- # by models and observers
- def set_user
- if !current_user
- UserInfo.current_user_id = 1
- return
- end
- UserInfo.current_user_id = current_user.id
- end
- # update session updated_at
- def session_update
- #sleep 0.6
- session[:ping] = Time.zone.now.iso8601
- # check if remote ip need to be updated
- if !session[:remote_ip] || session[:remote_ip] != request.remote_ip
- session[:remote_ip] = request.remote_ip
- session[:geo] = Service::GeoIp.location(request.remote_ip)
- end
- # fill user agent
- return if session[:user_agent]
- session[:user_agent] = request.env['HTTP_USER_AGENT']
- end
- # log http access
- def http_log
- return if !@http_log_support
- # request
- request_data = {
- content: '',
- content_type: request.headers['Content-Type'],
- content_encoding: request.headers['Content-Encoding'],
- source: request.headers['User-Agent'] || request.headers['Server'],
- }
- request.headers.each { |key, value|
- next if key[0, 5] != 'HTTP_'
- request_data[:content] += if key == 'HTTP_COOKIE'
- "#{key}: xxxxx\n"
- else
- "#{key}: #{value}\n"
- end
- }
- body = request.body.read
- if body
- request_data[:content] += "\n" + body
- end
- request_data[:content] = request_data[:content].slice(0, 8000)
- # response
- response_data = {
- code: response.status = response.code,
- content: '',
- content_type: nil,
- content_encoding: nil,
- source: nil,
- }
- response.headers.each { |key, value|
- response_data[:content] += "#{key}: #{value}\n"
- }
- body = response.body
- if body
- response_data[:content] += "\n" + body
- end
- response_data[:content] = response_data[:content].slice(0, 8000)
- record = {
- direction: 'in',
- facility: @http_log_support[:facility],
- url: url_for(only_path: false, overwrite_params: {}),
- status: response.status,
- ip: request.remote_ip,
- request: request_data,
- response: response_data,
- method: request.method,
- }
- HttpLog.create(record)
- end
- def user_device_check
- return false if !user_device_log(current_user, 'session')
- true
- end
- def user_device_log(user, type)
- switched_from_user_id = ENV['SWITCHED_FROM_USER_ID'] || session[:switched_from_user_id]
- return true if params[:controller] == 'init' # do no device logging on static inital page
- return true if switched_from_user_id
- return true if !user
- return true if !user.permissions?('user_preferences.device')
- time_to_check = true
- user_device_updated_at = session[:user_device_updated_at]
- if ENV['USER_DEVICE_UPDATED_AT']
- user_device_updated_at = Time.zone.parse(ENV['USER_DEVICE_UPDATED_AT'])
- end
- if user_device_updated_at
- # check if entry exists / only if write action
- diff = Time.zone.now - 10.minutes
- method = request.method
- if method == 'GET' || method == 'OPTIONS' || method == 'HEAD'
- diff = Time.zone.now - 30.minutes
- end
- # only update if needed
- if user_device_updated_at > diff
- time_to_check = false
- end
- end
- # if ip has not changed and ttl in still valid
- remote_ip = ENV['TEST_REMOTE_IP'] || request.remote_ip
- return true if time_to_check == false && session[:user_device_remote_ip] == remote_ip
- session[:user_device_remote_ip] = remote_ip
- # for sessions we need the fingperprint
- if type == 'session'
- if !session[:user_device_updated_at] && !params[:fingerprint] && !session[:user_device_fingerprint]
- raise Exceptions::UnprocessableEntity, 'Need fingerprint param!'
- end
- if params[:fingerprint]
- session[:user_device_fingerprint] = params[:fingerprint]
- end
- end
- session[:user_device_updated_at] = Time.zone.now
- # add device if needed
- http_user_agent = ENV['HTTP_USER_AGENT'] || request.env['HTTP_USER_AGENT']
- Delayed::Job.enqueue(
- Observer::UserDeviceLogJob.new(
- http_user_agent,
- remote_ip,
- user.id,
- session[:user_device_fingerprint],
- type,
- )
- )
- end
- def authentication_check_only(auth_param = {})
- #logger.debug 'authentication_check'
- #logger.debug params.inspect
- #logger.debug session.inspect
- #logger.debug cookies.inspect
- # already logged in, early exit
- if session.id && session[:user_id]
- logger.debug 'session based auth check'
- user = User.lookup(id: session[:user_id])
- return authentication_check_prerequesits(user, 'session', auth_param) if user
- end
- # check sso based authentication
- sso_user = User.sso(params)
- if sso_user
- if authentication_check_prerequesits(sso_user, 'session', auth_param)
- session[:persistent] = true
- return sso_user
- end
- end
- # check http basic based authentication
- authenticate_with_http_basic do |username, password|
- request.session_options[:skip] = true # do not send a session cookie
- logger.debug "http basic auth check '#{username}'"
- if Setting.get('api_password_access') == false
- raise Exceptions::NotAuthorized, 'API password access disabled!'
- end
- user = User.authenticate(username, password)
- return authentication_check_prerequesits(user, 'basic_auth', auth_param) if user
- end
- # check http token based authentication
- authenticate_with_http_token do |token_string, _options|
- logger.debug "http token auth check '#{token_string}'"
- request.session_options[:skip] = true # do not send a session cookie
- if Setting.get('api_token_access') == false
- raise Exceptions::NotAuthorized, 'API token access disabled!'
- end
- user = Token.check(
- action: 'api',
- name: token_string,
- inactive_user: true,
- )
- if user && auth_param[:permission]
- user = Token.check(
- action: 'api',
- name: token_string,
- permission: auth_param[:permission],
- inactive_user: true,
- )
- raise Exceptions::NotAuthorized, 'Not authorized (token)!' if !user
- end
- if user
- token = Token.find_by(name: token_string)
- token.last_used_at = Time.zone.now
- token.save!
- if token.expires_at &&
- Time.zone.today >= token.expires_at
- raise Exceptions::NotAuthorized, 'Not authorized (token expired)!'
- end
- end
- @_token_auth = token_string # remember for permission_check
- return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
- end
- # check oauth2 token based authentication
- token = Doorkeeper::OAuth::Token.from_bearer_authorization(request)
- if token
- request.session_options[:skip] = true # do not send a session cookie
- logger.debug "oauth2 token auth check '#{token}'"
- access_token = Doorkeeper::AccessToken.by_token(token)
- if !access_token
- raise Exceptions::NotAuthorized, 'Invalid token!'
- end
- # check expire
- if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
- raise Exceptions::NotAuthorized, 'OAuth2 token is expired!'
- end
- # if access_token.scopes.empty?
- # raise Exceptions::NotAuthorized, 'OAuth2 scope missing for token!'
- # end
- user = User.find(access_token.resource_owner_id)
- return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
- end
- false
- end
- def authentication_check_prerequesits(user, auth_type, auth_param)
- if check_maintenance_only(user)
- raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
- end
- if user.active == false
- raise Exceptions::NotAuthorized, 'User is inactive!'
- end
- # check scopes / permission check
- if auth_param[:permission] && !user.permissions?(auth_param[:permission])
- raise Exceptions::NotAuthorized, 'Not authorized (user)!'
- end
- current_user_set(user, auth_type)
- user_device_log(user, auth_type)
- logger.debug "#{auth_type} for '#{user.login}'"
- true
- end
- def authentication_check(auth_param = {})
- user = authentication_check_only(auth_param)
- # check if basic_auth fallback is possible
- if auth_param[:basic_auth_promt] && !user
- return request_http_basic_authentication
- end
- # return auth not ok
- if !user
- raise Exceptions::NotAuthorized, 'authentication failed'
- end
- # return auth ok
- true
- end
- def ticket_permission(ticket)
- return true if ticket.permission(current_user: current_user)
- raise Exceptions::NotAuthorized
- end
- def article_permission(article)
- ticket = Ticket.lookup(id: article.ticket_id)
- return true if ticket.permission(current_user: current_user)
- raise Exceptions::NotAuthorized
- end
- def article_create(ticket, params)
- # create article if given
- form_id = params[:form_id]
- params.delete(:form_id)
- # check min. params
- raise Exceptions::UnprocessableEntity, 'Need at least article: { body: "some text" }' if !params[:body]
- # fill default values
- if params[:type_id].empty? && params[:type].empty?
- params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
- end
- if params[:sender_id].empty? && params[:sender].empty?
- sender = 'Customer'
- if current_user.permissions?('ticket.agent')
- sender = 'Agent'
- end
- params[:sender_id] = Ticket::Article::Sender.lookup(name: sender).id
- end
- # remember time accounting
- time_unit = params[:time_unit]
- clean_params = Ticket::Article.association_name_to_id_convert(params)
- clean_params = Ticket::Article.param_cleanup(clean_params, true)
- # overwrite params
- if !current_user.permissions?('ticket.agent')
- clean_params[:sender_id] = Ticket::Article::Sender.lookup(name: 'Customer').id
- clean_params.delete(:sender)
- type = Ticket::Article::Type.lookup(id: clean_params[:type_id])
- if type.name !~ /^(note|web)$/
- clean_params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
- end
- clean_params.delete(:type)
- clean_params[:internal] = false
- end
- article = Ticket::Article.new(clean_params)
- article.ticket_id = ticket.id
- # store dataurl images to store
- if form_id && article.body && article.content_type =~ %r{text/html}i
- article.body.gsub!( %r{(<img\s.+?src=")(data:image/(jpeg|png);base64,.+?)">}i ) { |_item|
- file_attributes = StaticAssets.data_url_attributes($2)
- cid = "#{ticket.id}.#{form_id}.#{rand(999_999)}@#{Setting.get('fqdn')}"
- headers_store = {
- 'Content-Type' => file_attributes[:mime_type],
- 'Mime-Type' => file_attributes[:mime_type],
- 'Content-ID' => cid,
- 'Content-Disposition' => 'inline',
- }
- store = Store.add(
- object: 'UploadCache',
- o_id: form_id,
- data: file_attributes[:content],
- filename: cid,
- preferences: headers_store
- )
- "#{$1}cid:#{cid}\">"
- }
- end
- # find attachments in upload cache
- if form_id
- article.attachments = Store.list(
- object: 'UploadCache',
- o_id: form_id,
- )
- end
- article.save!
- # account time
- if time_unit.present?
- Ticket::TimeAccounting.create!(
- ticket_id: article.ticket_id,
- ticket_article_id: article.id,
- time_unit: time_unit
- )
- end
- # remove attachments from upload cache
- return article if !form_id
- Store.remove(
- object: 'UploadCache',
- o_id: form_id,
- )
- article
- end
- def permission_check(key)
- if @_token_auth
- user = Token.check(
- action: 'api',
- name: @_token_auth,
- permission: key,
- )
- return false if user
- raise Exceptions::NotAuthorized, 'Not authorized (token)!'
- end
- return false if current_user && current_user.permissions?(key)
- raise Exceptions::NotAuthorized, 'Not authorized (user)!'
- end
- def valid_session_with_user
- return true if current_user
- raise Exceptions::UnprocessableEntity, 'No session user!'
- end
- def response_access_deny
- raise Exceptions::NotAuthorized
- end
- def config_frontend
- # config
- config = {}
- Setting.select('name, preferences').where(frontend: true).each { |setting|
- next if setting.preferences[:authentication] == true && !current_user
- value = Setting.get(setting.name)
- next if !current_user && (value == false || value.nil?)
- config[setting.name] = value
- }
- # remember if we can to swich back to user
- if session[:switched_from_user_id]
- config['switch_back_to_possible'] = true
- end
- # remember session_id for websocket logon
- if current_user
- config['session_id'] = session.id
- end
- config
- end
- # model helper
- def model_create_render(object, params)
- clean_params = object.association_name_to_id_convert(params)
- clean_params = object.param_cleanup(clean_params, true)
- # create object
- generic_object = object.new(clean_params)
- # save object
- generic_object.save!
- # set relations
- generic_object.associations_from_param(params)
- if params[:expand]
- render json: generic_object.attributes_with_association_names, status: :created
- return
- end
- model_create_render_item(generic_object)
- end
- def model_create_render_item(generic_object)
- render json: generic_object.attributes_with_association_ids, status: :created
- end
- def model_update_render(object, params)
- # find object
- generic_object = object.find(params[:id])
- clean_params = object.association_name_to_id_convert(params)
- clean_params = object.param_cleanup(clean_params, true)
- generic_object.with_lock do
- # set attributes
- generic_object.update_attributes!(clean_params)
- # set relations
- generic_object.associations_from_param(params)
- end
- if params[:expand]
- render json: generic_object.attributes_with_association_names, status: :ok
- return
- end
- model_update_render_item(generic_object)
- end
- def model_update_render_item(generic_object)
- render json: generic_object.attributes_with_association_ids, status: :ok
- end
- def model_destroy_render(object, params)
- generic_object = object.find(params[:id])
- generic_object.destroy!
- model_destroy_render_item()
- end
- def model_destroy_render_item ()
- render json: {}, status: :ok
- end
- def model_show_render(object, params)
- if params[:expand]
- generic_object = object.find(params[:id])
- render json: generic_object.attributes_with_association_names, status: :ok
- return
- end
- if params[:full]
- generic_object_full = object.full(params[:id])
- render json: generic_object_full, status: :ok
- return
- end
- generic_object = object.find(params[:id])
- model_show_render_item(generic_object)
- end
- def model_show_render_item(generic_object)
- render json: generic_object.attributes_with_association_ids, status: :ok
- end
- def model_index_render(object, params)
- offset = 0
- per_page = 500
- if params[:page] && params[:per_page]
- offset = (params[:page].to_i - 1) * params[:per_page].to_i
- limit = params[:per_page].to_i
- end
- if per_page > 500
- per_page = 500
- end
- generic_objects = if offset.positive?
- object.limit(params[:per_page]).order(id: 'ASC').offset(offset).limit(limit)
- else
- object.all.order(id: 'ASC').offset(offset).limit(limit)
- end
- if params[:expand]
- list = []
- generic_objects.each { |generic_object|
- list.push generic_object.attributes_with_association_names
- }
- render json: list, status: :ok
- return
- end
- if params[:full]
- assets = {}
- item_ids = []
- generic_objects.each { |item|
- item_ids.push item.id
- assets = item.assets(assets)
- }
- render json: {
- record_ids: item_ids,
- assets: assets,
- }, status: :ok
- return
- end
- generic_objects_with_associations = []
- generic_objects.each { |item|
- generic_objects_with_associations.push item.attributes_with_association_ids
- }
- model_index_render_result(generic_objects_with_associations)
- end
- def model_index_render_result(generic_objects)
- render json: generic_objects, status: :ok
- end
- def model_references_check(object, params)
- generic_object = object.find(params[:id])
- result = Models.references(object, generic_object.id)
- return false if result.empty?
- raise Exceptions::UnprocessableEntity, 'Can\'t delete, object has references.'
- rescue => e
- raise Exceptions::UnprocessableEntity, e
- end
- # check maintenance mode
- def check_maintenance_only(user)
- return false if Setting.get('maintenance_mode') != true
- return false if user.permissions?('admin.maintenance')
- Rails.logger.info "Maintenance mode enabled, denied login for user #{user.login}, it's no admin user."
- true
- end
- def check_maintenance(user)
- return false if !check_maintenance_only(user)
- raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
- end
- end
|