application_controller.rb 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692
  1. # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
  2. require 'exceptions'
  3. class ApplicationController < ActionController::Base
  4. include ErrorHandling
  5. helper_method :current_user,
  6. :authentication_check,
  7. :config_frontend,
  8. :http_log_config,
  9. :model_create_render,
  10. :model_update_render,
  11. :model_restory_render,
  12. :mode_show_rendeder,
  13. :model_index_render
  14. skip_before_action :verify_authenticity_token
  15. before_action :verify_csrf_token, :transaction_begin, :set_user, :session_update, :user_device_check, :cors_preflight_check
  16. after_action :transaction_end, :http_log, :set_access_control_headers, :set_csrf_token_headers
  17. # For all responses in this controller, return the CORS access control headers.
  18. def set_access_control_headers
  19. return if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
  20. set_access_control_headers_execute
  21. end
  22. def set_access_control_headers_execute
  23. headers['Access-Control-Allow-Origin'] = '*'
  24. headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
  25. headers['Access-Control-Max-Age'] = '1728000'
  26. headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
  27. end
  28. # If this is a preflight OPTIONS request, then short-circuit the
  29. # request, return only the necessary headers and return an empty
  30. # text/plain.
  31. def cors_preflight_check
  32. return true if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
  33. cors_preflight_check_execute
  34. end
  35. def cors_preflight_check_execute
  36. return true if request.method != 'OPTIONS'
  37. headers['Access-Control-Allow-Origin'] = '*'
  38. headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
  39. headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
  40. headers['Access-Control-Max-Age'] = '1728000'
  41. render text: '', content_type: 'text/plain'
  42. false
  43. end
  44. def set_csrf_token_headers
  45. return true if @_auth_type.present? && @_auth_type != 'session'
  46. headers['CSRF-TOKEN'] = form_authenticity_token
  47. end
  48. def verify_csrf_token
  49. return true if request.method != 'POST' && request.method != 'PUT' && request.method != 'DELETE' && request.method != 'PATCH'
  50. return true if @_auth_type == 'token_auth' || @_auth_type == 'basic_auth'
  51. return true if valid_authenticity_token?(session, params[:authenticity_token] || request.headers['X-CSRF-Token'])
  52. logger.info 'CSRF token verification failed'
  53. raise Exceptions::NotAuthorized, 'CSRF token verification failed!'
  54. end
  55. def http_log_config(config)
  56. @http_log_support = config
  57. end
  58. private
  59. def transaction_begin
  60. ApplicationHandleInfo.current = 'application_server'
  61. PushMessages.init
  62. end
  63. def transaction_end
  64. Observer::Transaction.commit
  65. PushMessages.finish
  66. ActiveSupport::Dependencies::Reference.clear!
  67. end
  68. # Finds the User with the ID stored in the session with the key
  69. # :current_user_id This is a common way to handle user login in
  70. # a Rails application; logging in sets the session value and
  71. # logging out removes it.
  72. def current_user
  73. return @_current_user if @_current_user
  74. return if !session[:user_id]
  75. @_current_user = User.lookup(id: session[:user_id])
  76. end
  77. def current_user_set(user, auth_type = 'session')
  78. session[:user_id] = user.id
  79. @_auth_type = auth_type
  80. @_current_user = user
  81. set_user
  82. end
  83. # Sets the current user into a named Thread location so that it can be accessed
  84. # by models and observers
  85. def set_user
  86. if !current_user
  87. UserInfo.current_user_id = 1
  88. return
  89. end
  90. UserInfo.current_user_id = current_user.id
  91. end
  92. # update session updated_at
  93. def session_update
  94. #sleep 0.6
  95. session[:ping] = Time.zone.now.iso8601
  96. # check if remote ip need to be updated
  97. if !session[:remote_ip] || session[:remote_ip] != request.remote_ip
  98. session[:remote_ip] = request.remote_ip
  99. session[:geo] = Service::GeoIp.location(request.remote_ip)
  100. end
  101. # fill user agent
  102. return if session[:user_agent]
  103. session[:user_agent] = request.env['HTTP_USER_AGENT']
  104. end
  105. # log http access
  106. def http_log
  107. return if !@http_log_support
  108. # request
  109. request_data = {
  110. content: '',
  111. content_type: request.headers['Content-Type'],
  112. content_encoding: request.headers['Content-Encoding'],
  113. source: request.headers['User-Agent'] || request.headers['Server'],
  114. }
  115. request.headers.each { |key, value|
  116. next if key[0, 5] != 'HTTP_'
  117. request_data[:content] += if key == 'HTTP_COOKIE'
  118. "#{key}: xxxxx\n"
  119. else
  120. "#{key}: #{value}\n"
  121. end
  122. }
  123. body = request.body.read
  124. if body
  125. request_data[:content] += "\n" + body
  126. end
  127. request_data[:content] = request_data[:content].slice(0, 8000)
  128. # response
  129. response_data = {
  130. code: response.status = response.code,
  131. content: '',
  132. content_type: nil,
  133. content_encoding: nil,
  134. source: nil,
  135. }
  136. response.headers.each { |key, value|
  137. response_data[:content] += "#{key}: #{value}\n"
  138. }
  139. body = response.body
  140. if body
  141. response_data[:content] += "\n" + body
  142. end
  143. response_data[:content] = response_data[:content].slice(0, 8000)
  144. record = {
  145. direction: 'in',
  146. facility: @http_log_support[:facility],
  147. url: url_for(only_path: false, overwrite_params: {}),
  148. status: response.status,
  149. ip: request.remote_ip,
  150. request: request_data,
  151. response: response_data,
  152. method: request.method,
  153. }
  154. HttpLog.create(record)
  155. end
  156. def user_device_check
  157. return false if !user_device_log(current_user, 'session')
  158. true
  159. end
  160. def user_device_log(user, type)
  161. switched_from_user_id = ENV['SWITCHED_FROM_USER_ID'] || session[:switched_from_user_id]
  162. return true if params[:controller] == 'init' # do no device logging on static inital page
  163. return true if switched_from_user_id
  164. return true if !user
  165. return true if !user.permissions?('user_preferences.device')
  166. time_to_check = true
  167. user_device_updated_at = session[:user_device_updated_at]
  168. if ENV['USER_DEVICE_UPDATED_AT']
  169. user_device_updated_at = Time.zone.parse(ENV['USER_DEVICE_UPDATED_AT'])
  170. end
  171. if user_device_updated_at
  172. # check if entry exists / only if write action
  173. diff = Time.zone.now - 10.minutes
  174. method = request.method
  175. if method == 'GET' || method == 'OPTIONS' || method == 'HEAD'
  176. diff = Time.zone.now - 30.minutes
  177. end
  178. # only update if needed
  179. if user_device_updated_at > diff
  180. time_to_check = false
  181. end
  182. end
  183. # if ip has not changed and ttl in still valid
  184. remote_ip = ENV['TEST_REMOTE_IP'] || request.remote_ip
  185. return true if time_to_check == false && session[:user_device_remote_ip] == remote_ip
  186. session[:user_device_remote_ip] = remote_ip
  187. # for sessions we need the fingperprint
  188. if type == 'session'
  189. if !session[:user_device_updated_at] && !params[:fingerprint] && !session[:user_device_fingerprint]
  190. raise Exceptions::UnprocessableEntity, 'Need fingerprint param!'
  191. end
  192. if params[:fingerprint]
  193. session[:user_device_fingerprint] = params[:fingerprint]
  194. end
  195. end
  196. session[:user_device_updated_at] = Time.zone.now
  197. # add device if needed
  198. http_user_agent = ENV['HTTP_USER_AGENT'] || request.env['HTTP_USER_AGENT']
  199. Delayed::Job.enqueue(
  200. Observer::UserDeviceLogJob.new(
  201. http_user_agent,
  202. remote_ip,
  203. user.id,
  204. session[:user_device_fingerprint],
  205. type,
  206. )
  207. )
  208. end
  209. def authentication_check_only(auth_param = {})
  210. #logger.debug 'authentication_check'
  211. #logger.debug params.inspect
  212. #logger.debug session.inspect
  213. #logger.debug cookies.inspect
  214. # already logged in, early exit
  215. if session.id && session[:user_id]
  216. logger.debug 'session based auth check'
  217. user = User.lookup(id: session[:user_id])
  218. return authentication_check_prerequesits(user, 'session', auth_param) if user
  219. end
  220. # check sso based authentication
  221. sso_user = User.sso(params)
  222. if sso_user
  223. if authentication_check_prerequesits(sso_user, 'session', auth_param)
  224. session[:persistent] = true
  225. return sso_user
  226. end
  227. end
  228. # check http basic based authentication
  229. authenticate_with_http_basic do |username, password|
  230. request.session_options[:skip] = true # do not send a session cookie
  231. logger.debug "http basic auth check '#{username}'"
  232. if Setting.get('api_password_access') == false
  233. raise Exceptions::NotAuthorized, 'API password access disabled!'
  234. end
  235. user = User.authenticate(username, password)
  236. return authentication_check_prerequesits(user, 'basic_auth', auth_param) if user
  237. end
  238. # check http token based authentication
  239. authenticate_with_http_token do |token_string, _options|
  240. logger.debug "http token auth check '#{token_string}'"
  241. request.session_options[:skip] = true # do not send a session cookie
  242. if Setting.get('api_token_access') == false
  243. raise Exceptions::NotAuthorized, 'API token access disabled!'
  244. end
  245. user = Token.check(
  246. action: 'api',
  247. name: token_string,
  248. inactive_user: true,
  249. )
  250. if user && auth_param[:permission]
  251. user = Token.check(
  252. action: 'api',
  253. name: token_string,
  254. permission: auth_param[:permission],
  255. inactive_user: true,
  256. )
  257. raise Exceptions::NotAuthorized, 'Not authorized (token)!' if !user
  258. end
  259. if user
  260. token = Token.find_by(name: token_string)
  261. token.last_used_at = Time.zone.now
  262. token.save!
  263. if token.expires_at &&
  264. Time.zone.today >= token.expires_at
  265. raise Exceptions::NotAuthorized, 'Not authorized (token expired)!'
  266. end
  267. end
  268. @_token_auth = token_string # remember for permission_check
  269. return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
  270. end
  271. # check oauth2 token based authentication
  272. token = Doorkeeper::OAuth::Token.from_bearer_authorization(request)
  273. if token
  274. request.session_options[:skip] = true # do not send a session cookie
  275. logger.debug "oauth2 token auth check '#{token}'"
  276. access_token = Doorkeeper::AccessToken.by_token(token)
  277. if !access_token
  278. raise Exceptions::NotAuthorized, 'Invalid token!'
  279. end
  280. # check expire
  281. if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
  282. raise Exceptions::NotAuthorized, 'OAuth2 token is expired!'
  283. end
  284. # if access_token.scopes.empty?
  285. # raise Exceptions::NotAuthorized, 'OAuth2 scope missing for token!'
  286. # end
  287. user = User.find(access_token.resource_owner_id)
  288. return authentication_check_prerequesits(user, 'token_auth', auth_param) if user
  289. end
  290. false
  291. end
  292. def authentication_check_prerequesits(user, auth_type, auth_param)
  293. if check_maintenance_only(user)
  294. raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
  295. end
  296. if user.active == false
  297. raise Exceptions::NotAuthorized, 'User is inactive!'
  298. end
  299. # check scopes / permission check
  300. if auth_param[:permission] && !user.permissions?(auth_param[:permission])
  301. raise Exceptions::NotAuthorized, 'Not authorized (user)!'
  302. end
  303. current_user_set(user, auth_type)
  304. user_device_log(user, auth_type)
  305. logger.debug "#{auth_type} for '#{user.login}'"
  306. true
  307. end
  308. def authentication_check(auth_param = {})
  309. user = authentication_check_only(auth_param)
  310. # check if basic_auth fallback is possible
  311. if auth_param[:basic_auth_promt] && !user
  312. return request_http_basic_authentication
  313. end
  314. # return auth not ok
  315. if !user
  316. raise Exceptions::NotAuthorized, 'authentication failed'
  317. end
  318. # return auth ok
  319. true
  320. end
  321. def ticket_permission(ticket)
  322. return true if ticket.permission(current_user: current_user)
  323. raise Exceptions::NotAuthorized
  324. end
  325. def article_permission(article)
  326. ticket = Ticket.lookup(id: article.ticket_id)
  327. return true if ticket.permission(current_user: current_user)
  328. raise Exceptions::NotAuthorized
  329. end
  330. def article_create(ticket, params)
  331. # create article if given
  332. form_id = params[:form_id]
  333. params.delete(:form_id)
  334. # check min. params
  335. raise Exceptions::UnprocessableEntity, 'Need at least article: { body: "some text" }' if !params[:body]
  336. # fill default values
  337. if params[:type_id].empty? && params[:type].empty?
  338. params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
  339. end
  340. if params[:sender_id].empty? && params[:sender].empty?
  341. sender = 'Customer'
  342. if current_user.permissions?('ticket.agent')
  343. sender = 'Agent'
  344. end
  345. params[:sender_id] = Ticket::Article::Sender.lookup(name: sender).id
  346. end
  347. # remember time accounting
  348. time_unit = params[:time_unit]
  349. clean_params = Ticket::Article.association_name_to_id_convert(params)
  350. clean_params = Ticket::Article.param_cleanup(clean_params, true)
  351. # overwrite params
  352. if !current_user.permissions?('ticket.agent')
  353. clean_params[:sender_id] = Ticket::Article::Sender.lookup(name: 'Customer').id
  354. clean_params.delete(:sender)
  355. type = Ticket::Article::Type.lookup(id: clean_params[:type_id])
  356. if type.name !~ /^(note|web)$/
  357. clean_params[:type_id] = Ticket::Article::Type.lookup(name: 'note').id
  358. end
  359. clean_params.delete(:type)
  360. clean_params[:internal] = false
  361. end
  362. article = Ticket::Article.new(clean_params)
  363. article.ticket_id = ticket.id
  364. # store dataurl images to store
  365. if form_id && article.body && article.content_type =~ %r{text/html}i
  366. article.body.gsub!( %r{(<img\s.+?src=")(data:image/(jpeg|png);base64,.+?)">}i ) { |_item|
  367. file_attributes = StaticAssets.data_url_attributes($2)
  368. cid = "#{ticket.id}.#{form_id}.#{rand(999_999)}@#{Setting.get('fqdn')}"
  369. headers_store = {
  370. 'Content-Type' => file_attributes[:mime_type],
  371. 'Mime-Type' => file_attributes[:mime_type],
  372. 'Content-ID' => cid,
  373. 'Content-Disposition' => 'inline',
  374. }
  375. store = Store.add(
  376. object: 'UploadCache',
  377. o_id: form_id,
  378. data: file_attributes[:content],
  379. filename: cid,
  380. preferences: headers_store
  381. )
  382. "#{$1}cid:#{cid}\">"
  383. }
  384. end
  385. # find attachments in upload cache
  386. if form_id
  387. article.attachments = Store.list(
  388. object: 'UploadCache',
  389. o_id: form_id,
  390. )
  391. end
  392. article.save!
  393. # account time
  394. if time_unit.present?
  395. Ticket::TimeAccounting.create!(
  396. ticket_id: article.ticket_id,
  397. ticket_article_id: article.id,
  398. time_unit: time_unit
  399. )
  400. end
  401. # remove attachments from upload cache
  402. return article if !form_id
  403. Store.remove(
  404. object: 'UploadCache',
  405. o_id: form_id,
  406. )
  407. article
  408. end
  409. def permission_check(key)
  410. if @_token_auth
  411. user = Token.check(
  412. action: 'api',
  413. name: @_token_auth,
  414. permission: key,
  415. )
  416. return false if user
  417. raise Exceptions::NotAuthorized, 'Not authorized (token)!'
  418. end
  419. return false if current_user && current_user.permissions?(key)
  420. raise Exceptions::NotAuthorized, 'Not authorized (user)!'
  421. end
  422. def valid_session_with_user
  423. return true if current_user
  424. raise Exceptions::UnprocessableEntity, 'No session user!'
  425. end
  426. def response_access_deny
  427. raise Exceptions::NotAuthorized
  428. end
  429. def config_frontend
  430. # config
  431. config = {}
  432. Setting.select('name, preferences').where(frontend: true).each { |setting|
  433. next if setting.preferences[:authentication] == true && !current_user
  434. value = Setting.get(setting.name)
  435. next if !current_user && (value == false || value.nil?)
  436. config[setting.name] = value
  437. }
  438. # remember if we can to swich back to user
  439. if session[:switched_from_user_id]
  440. config['switch_back_to_possible'] = true
  441. end
  442. # remember session_id for websocket logon
  443. if current_user
  444. config['session_id'] = session.id
  445. end
  446. config
  447. end
  448. # model helper
  449. def model_create_render(object, params)
  450. clean_params = object.association_name_to_id_convert(params)
  451. clean_params = object.param_cleanup(clean_params, true)
  452. # create object
  453. generic_object = object.new(clean_params)
  454. # save object
  455. generic_object.save!
  456. # set relations
  457. generic_object.associations_from_param(params)
  458. if params[:expand]
  459. render json: generic_object.attributes_with_association_names, status: :created
  460. return
  461. end
  462. model_create_render_item(generic_object)
  463. end
  464. def model_create_render_item(generic_object)
  465. render json: generic_object.attributes_with_association_ids, status: :created
  466. end
  467. def model_update_render(object, params)
  468. # find object
  469. generic_object = object.find(params[:id])
  470. clean_params = object.association_name_to_id_convert(params)
  471. clean_params = object.param_cleanup(clean_params, true)
  472. generic_object.with_lock do
  473. # set attributes
  474. generic_object.update_attributes!(clean_params)
  475. # set relations
  476. generic_object.associations_from_param(params)
  477. end
  478. if params[:expand]
  479. render json: generic_object.attributes_with_association_names, status: :ok
  480. return
  481. end
  482. model_update_render_item(generic_object)
  483. end
  484. def model_update_render_item(generic_object)
  485. render json: generic_object.attributes_with_association_ids, status: :ok
  486. end
  487. def model_destroy_render(object, params)
  488. generic_object = object.find(params[:id])
  489. generic_object.destroy!
  490. model_destroy_render_item()
  491. end
  492. def model_destroy_render_item ()
  493. render json: {}, status: :ok
  494. end
  495. def model_show_render(object, params)
  496. if params[:expand]
  497. generic_object = object.find(params[:id])
  498. render json: generic_object.attributes_with_association_names, status: :ok
  499. return
  500. end
  501. if params[:full]
  502. generic_object_full = object.full(params[:id])
  503. render json: generic_object_full, status: :ok
  504. return
  505. end
  506. generic_object = object.find(params[:id])
  507. model_show_render_item(generic_object)
  508. end
  509. def model_show_render_item(generic_object)
  510. render json: generic_object.attributes_with_association_ids, status: :ok
  511. end
  512. def model_index_render(object, params)
  513. offset = 0
  514. per_page = 500
  515. if params[:page] && params[:per_page]
  516. offset = (params[:page].to_i - 1) * params[:per_page].to_i
  517. limit = params[:per_page].to_i
  518. end
  519. if per_page > 500
  520. per_page = 500
  521. end
  522. generic_objects = if offset.positive?
  523. object.limit(params[:per_page]).order(id: 'ASC').offset(offset).limit(limit)
  524. else
  525. object.all.order(id: 'ASC').offset(offset).limit(limit)
  526. end
  527. if params[:expand]
  528. list = []
  529. generic_objects.each { |generic_object|
  530. list.push generic_object.attributes_with_association_names
  531. }
  532. render json: list, status: :ok
  533. return
  534. end
  535. if params[:full]
  536. assets = {}
  537. item_ids = []
  538. generic_objects.each { |item|
  539. item_ids.push item.id
  540. assets = item.assets(assets)
  541. }
  542. render json: {
  543. record_ids: item_ids,
  544. assets: assets,
  545. }, status: :ok
  546. return
  547. end
  548. generic_objects_with_associations = []
  549. generic_objects.each { |item|
  550. generic_objects_with_associations.push item.attributes_with_association_ids
  551. }
  552. model_index_render_result(generic_objects_with_associations)
  553. end
  554. def model_index_render_result(generic_objects)
  555. render json: generic_objects, status: :ok
  556. end
  557. def model_references_check(object, params)
  558. generic_object = object.find(params[:id])
  559. result = Models.references(object, generic_object.id)
  560. return false if result.empty?
  561. raise Exceptions::UnprocessableEntity, 'Can\'t delete, object has references.'
  562. rescue => e
  563. raise Exceptions::UnprocessableEntity, e
  564. end
  565. # check maintenance mode
  566. def check_maintenance_only(user)
  567. return false if Setting.get('maintenance_mode') != true
  568. return false if user.permissions?('admin.maintenance')
  569. Rails.logger.info "Maintenance mode enabled, denied login for user #{user.login}, it's no admin user."
  570. true
  571. end
  572. def check_maintenance(user)
  573. return false if !check_maintenance_only(user)
  574. raise Exceptions::NotAuthorized, 'Maintenance mode enabled!'
  575. end
  576. end