Koha/REST/V1/Auth.pm

   1 package Koha::REST::V1::Auth;
   2
   3 # Copyright Koha-Suomi Oy 2017
   4 #
   5 # This file is part of Koha.
   6 #
   7 # Koha is free software; you can redistribute it and/or modify it
   8 # under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation; either version 3 of the License, or
  10 # (at your option) any later version.
  11 #
  12 # Koha is distributed in the hope that it will be useful, but
  13 # WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15 # GNU General Public License for more details.
  16 #
  17 # You should have received a copy of the GNU General Public License
  18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
  19
  20 use Modern::Perl;
  21
  22 use Mojo::Base 'Mojolicious::Controller';
  23
  24 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
  25 use C4::Context;
  26
  27 use Koha::ApiKeys;
  28 use Koha::Account::Lines;
  29 use Koha::Checkouts;
  30 use Koha::Holds;
  31 use Koha::OAuth;
  32 use Koha::OAuthAccessTokens;
  33 use Koha::Old::Checkouts;
  34 use Koha::Patrons;
  35
  36 use Koha::Exceptions;
  37 use Koha::Exceptions::Authentication;
  38 use Koha::Exceptions::Authorization;
  39
  40 use MIME::Base64;
  41 use Module::Load::Conditional;
  42 use Scalar::Util qw( blessed );
  43 use Try::Tiny;
  44
  45 =head1 NAME
  46
  47 Koha::REST::V1::Auth
  48
  49 =head2 Operations
  50
  51 =head3 under
  52
  53 This subroutine is called before every request to API.
  54
  55 =cut
  56
  57 sub under {
  58     my ( $c ) = @_;
  59
  60     my $status = 0;
  61
  62     try {
  63
  64         # /api/v1/{namespace}
  65         my $namespace = $c->req->url->to_abs->path->[2] // '';
  66
  67         my $is_public = 0; # By default routes are not public
  68         my $is_plugin = 0;
  69
  70         if ( $namespace eq 'public' ) {
  71             $is_public = 1;
  72         } elsif ( $namespace eq 'contrib' ) {
  73             $is_plugin = 1;
  74         }
  75
  76         if ( $is_public
  77             and !C4::Context->preference('RESTPublicAPI') )
  78         {
  79             Koha::Exceptions::Authorization->throw(
  80                 "Configuration prevents the usage of this endpoint by unprivileged users");
  81         }
  82
  83         if ( $c->req->url->to_abs->path eq '/api/v1/oauth/token' ) {
  84             # Requesting a token shouldn't go through the API authenticaction chain
  85             $status = 1;
  86         }
  87         elsif ( $namespace eq '' or $namespace eq '.html' ) {
  88             $status = 1;
  89         }
  90         else {
  91             $status = authenticate_api_request($c, { is_public => $is_public, is_plugin => $is_plugin });
  92         }
  93
  94     } catch {
  95         unless (blessed($_)) {
  96             return $c->render(
  97                 status => 500,
  98                 json => { error => 'Something went wrong, check the logs.' }
  99             );
 100         }
 101         if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
 102             return $c->render(status => 503, json => { error => $_->error });
 103         }
 104         elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
 105             return $c->render(status => 401, json => { error => $_->error });
 106         }
 107         elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
 108             return $c->render(status => 401, json => { error => $_->error });
 109         }
 110         elsif ($_->isa('Koha::Exceptions::Authentication')) {
 111             return $c->render(status => 401, json => { error => $_->error });
 112         }
 113         elsif ($_->isa('Koha::Exceptions::BadParameter')) {
 114             return $c->render(status => 400, json => $_->error );
 115         }
 116         elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
 117             return $c->render(status => 403, json => {
 118                 error => $_->error,
 119                 required_permissions => $_->required_permissions,
 120             });
 121         }
 122         elsif ($_->isa('Koha::Exceptions::Authorization')) {
 123             return $c->render(status => 403, json => { error => $_->error });
 124         }
 125         elsif ($_->isa('Koha::Exceptions')) {
 126             return $c->render(status => 500, json => { error => $_->error });
 127         }
 128         else {
 129             return $c->render(
 130                 status => 500,
 131                 json => { error => 'Something went wrong, check the logs.' }
 132             );
 133         }
 134     };
 135
 136     return $status;
 137 }
 138
 139 =head3 authenticate_api_request
 140
 141 Validates authentication and allows access if authorization is not required or
 142 if authorization is required and user has required permissions to access.
 143
 144 =cut
 145
 146 sub authenticate_api_request {
 147     my ( $c, $params ) = @_;
 148
 149     my $user;
 150
 151     # The following supports retrieval of spec with Mojolicious::Plugin::OpenAPI@1.17 and later (first one)
 152     # and older versions (second one).
 153     # TODO: remove the latter 'openapi.op_spec' if minimum version is bumped to at least 1.17.
 154     my $spec = $c->openapi->spec || $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
 155
 156     $c->stash_embed({ spec => $spec });
 157
 158     my $authorization = $spec->{'x-koha-authorization'};
 159
 160     my $authorization_header = $c->req->headers->authorization;
 161
 162     if ($authorization_header and $authorization_header =~ /^Bearer /) {
 163         # attempt to use OAuth2 authentication
 164         if ( ! Module::Load::Conditional::can_load(
 165                     modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
 166             Koha::Exceptions::Authorization::Unauthorized->throw(
 167                 error => 'Authentication failure.'
 168             );
 169         }
 170         else {
 171             require Net::OAuth2::AuthorizationServer;
 172         }
 173
 174         my $server = Net::OAuth2::AuthorizationServer->new;
 175         my $grant = $server->client_credentials_grant(Koha::OAuth::config);
 176         my ($type, $token) = split / /, $authorization_header;
 177         my ($valid_token, $error) = $grant->verify_access_token(
 178             access_token => $token,
 179         );
 180
 181         if ($valid_token) {
 182             my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
 183             $user         = Koha::Patrons->find($patron_id);
 184             C4::Context->interface('api');
 185         }
 186         else {
 187             # If we have "Authorization: Bearer" header and oauth authentication
 188             # failed, do not try other authentication means
 189             Koha::Exceptions::Authentication::Required->throw(
 190                 error => 'Authentication failure.'
 191             );
 192         }
 193     }
 194     elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
 195         unless ( C4::Context->preference('RESTBasicAuth') ) {
 196             Koha::Exceptions::Authentication::Required->throw(
 197                 error => 'Basic authentication disabled'
 198             );
 199         }
 200         $user = $c->_basic_auth( $authorization_header );
 201         C4::Context->interface('api');
 202         unless ( $user ) {
 203             # If we have "Authorization: Basic" header and authentication
 204             # failed, do not try other authentication means
 205             Koha::Exceptions::Authentication::Required->throw(
 206                 error => 'Authentication failure.'
 207             );
 208         }
 209     }
 210     else {
 211
 212         my $cookie = $c->cookie('CGISESSID');
 213
 214         # Mojo doesn't use %ENV the way CGI apps do
 215         # Manually pass the remote_address to check_auth_cookie
 216         my $remote_addr = $c->tx->remote_address;
 217         my ($status, $sessionID) = check_cookie_auth(
 218                                                 $cookie, undef,
 219                                                 { remote_addr => $remote_addr });
 220         if ($status eq "ok") {
 221             my $session = get_session($sessionID);
 222             $user = Koha::Patrons->find( $session->param('number') )
 223               unless $session->param('sessiontype')
 224                  and $session->param('sessiontype') eq 'anon';
 225         }
 226         elsif ($status eq "maintenance") {
 227             Koha::Exceptions::UnderMaintenance->throw(
 228                 error => 'System is under maintenance.'
 229             );
 230         }
 231         elsif ($status eq "expired" and $authorization) {
 232             Koha::Exceptions::Authentication::SessionExpired->throw(
 233                 error => 'Session has been expired.'
 234             );
 235         }
 236         elsif ($status eq "failed" and $authorization) {
 237             Koha::Exceptions::Authentication::Required->throw(
 238                 error => 'Authentication failure.'
 239             );
 240         }
 241         elsif ($authorization) {
 242             Koha::Exceptions::Authentication->throw(
 243                 error => 'Unexpected authentication status.'
 244             );
 245         }
 246     }
 247
 248     $c->stash('koha.user' => $user);
 249
 250     if ( !$authorization and
 251          ( $params->{is_public} and
 252           ( C4::Context->preference('RESTPublicAnonymousRequests') or
 253             $user) ) or $params->{is_plugin} ) {
 254         # We do not need any authorization
 255         # Check the parameters
 256         validate_query_parameters( $c, $spec );
 257         return 1;
 258     }
 259     else {
 260         # We are required authorizarion, there needs
 261         # to be an identified user
 262         Koha::Exceptions::Authentication::Required->throw(
 263             error => 'Authentication failure.' )
 264           unless $user;
 265     }
 266
 267
 268     my $permissions = $authorization->{'permissions'};
 269     # Check if the user is authorized
 270     if ( ( defined($permissions) and haspermission($user->userid, $permissions) )
 271         or allow_owner($c, $authorization, $user)
 272         or allow_guarantor($c, $authorization, $user) ) {
 273
 274         validate_query_parameters( $c, $spec );
 275
 276         # Everything is ok
 277         return 1;
 278     }
 279
 280     Koha::Exceptions::Authorization::Unauthorized->throw(
 281         error => "Authorization failure. Missing required permission(s).",
 282         required_permissions => $permissions,
 283     );
 284 }
 285
 286 =head3 validate_query_parameters
 287
 288 Validates the query parameters against the spec.
 289
 290 =cut
 291
 292 sub validate_query_parameters {
 293     my ( $c, $action_spec ) = @_;
 294
 295     # Check for malformed query parameters
 296     my @errors;
 297     my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
 298     my $existing_params = $c->req->query_params->to_hash;
 299     for my $param ( keys %{$existing_params} ) {
 300         push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
 301     }
 302
 303     Koha::Exceptions::BadParameter->throw(
 304         error => \@errors
 305     ) if @errors;
 306 }
 307
 308
 309 =head3 allow_owner
 310
 311 Allows access to object for its owner.
 312
 313 There are endpoints that should allow access for the object owner even if they
 314 do not have the required permission, e.g. access an own reserve. This can be
 315 achieved by defining the operation as follows:
 316
 317 "/holds/{reserve_id}": {
 318     "get": {
 319         ...,
 320         "x-koha-authorization": {
 321             "allow-owner": true,
 322             "permissions": {
 323                 "borrowers": "1"
 324             }
 325         }
 326     }
 327 }
 328
 329 =cut
 330
 331 sub allow_owner {
 332     my ($c, $authorization, $user) = @_;
 333
 334     return unless $authorization->{'allow-owner'};
 335
 336     return check_object_ownership($c, $user) if $user and $c;
 337 }
 338
 339 =head3 allow_guarantor
 340
 341 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
 342 guarantees.
 343
 344 =cut
 345
 346 sub allow_guarantor {
 347     my ($c, $authorization, $user) = @_;
 348
 349     if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
 350         return;
 351     }
 352
 353     my $guarantees = $user->guarantee_relationships->guarantees->as_list;
 354     foreach my $guarantee (@{$guarantees}) {
 355         return 1 if check_object_ownership($c, $guarantee);
 356     }
 357 }
 358
 359 =head3 check_object_ownership
 360
 361 Determines ownership of an object from request parameters.
 362
 363 As introducing an endpoint that allows access for object's owner; if the
 364 parameter that will be used to determine ownership is not already inside
 365 $parameters, add a new subroutine that checks the ownership and extend
 366 $parameters to contain a key with parameter_name and a value of a subref to
 367 the subroutine that you created.
 368
 369 =cut
 370
 371 sub check_object_ownership {
 372     my ($c, $user) = @_;
 373
 374     return if not $c or not $user;
 375
 376     my $parameters = {
 377         accountlines_id => \&_object_ownership_by_accountlines_id,
 378         borrowernumber  => \&_object_ownership_by_patron_id,
 379         patron_id       => \&_object_ownership_by_patron_id,
 380         checkout_id     => \&_object_ownership_by_checkout_id,
 381         reserve_id      => \&_object_ownership_by_reserve_id,
 382     };
 383
 384     foreach my $param ( keys %{ $parameters } ) {
 385         my $check_ownership = $parameters->{$param};
 386         if ($c->stash($param)) {
 387             return &$check_ownership($c, $user, $c->stash($param));
 388         }
 389         elsif ($c->param($param)) {
 390             return &$check_ownership($c, $user, $c->param($param));
 391         }
 392         elsif ($c->match->stack->[-1]->{$param}) {
 393             return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
 394         }
 395         elsif ($c->req->json && $c->req->json->{$param}) {
 396             return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
 397         }
 398     }
 399 }
 400
 401 =head3 _object_ownership_by_accountlines_id
 402
 403 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
 404 belongs to C<$user>.
 405
 406 =cut
 407
 408 sub _object_ownership_by_accountlines_id {
 409     my ($c, $user, $accountlines_id) = @_;
 410
 411     my $accountline = Koha::Account::Lines->find($accountlines_id);
 412     return $accountline && $user->borrowernumber == $accountline->borrowernumber;
 413 }
 414
 415 =head3 _object_ownership_by_borrowernumber
 416
 417 Compares C<$borrowernumber> to currently logged in C<$user>.
 418
 419 =cut
 420
 421 sub _object_ownership_by_patron_id {
 422     my ($c, $user, $patron_id) = @_;
 423
 424     return $user->borrowernumber == $patron_id;
 425 }
 426
 427 =head3 _object_ownership_by_checkout_id
 428
 429 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
 430 compare its borrowernumber to currently logged in C<$user>. However, if an issue
 431 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
 432 borrowernumber to currently logged in C<$user>.
 433
 434 =cut
 435
 436 sub _object_ownership_by_checkout_id {
 437     my ($c, $user, $issue_id) = @_;
 438
 439     my $issue = Koha::Checkouts->find($issue_id);
 440     $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
 441     return $issue && $issue->borrowernumber
 442             && $user->borrowernumber == $issue->borrowernumber;
 443 }
 444
 445 =head3 _object_ownership_by_reserve_id
 446
 447 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
 448 belongs to C<$user>.
 449
 450 TODO: Also compare against old_reserves
 451
 452 =cut
 453
 454 sub _object_ownership_by_reserve_id {
 455     my ($c, $user, $reserve_id) = @_;
 456
 457     my $reserve = Koha::Holds->find($reserve_id);
 458     return $reserve && $user->borrowernumber == $reserve->borrowernumber;
 459 }
 460
 461 =head3 _basic_auth
 462
 463 Internal method that performs Basic authentication.
 464
 465 =cut
 466
 467 sub _basic_auth {
 468     my ( $c, $authorization_header ) = @_;
 469
 470     my ( $type, $credentials ) = split / /, $authorization_header;
 471
 472     unless ($credentials) {
 473         Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
 474     }
 475
 476     my $decoded_credentials = decode_base64( $credentials );
 477     my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
 478
 479     my $dbh = C4::Context->dbh;
 480     unless ( checkpw_internal($dbh, $user_id, $password ) ) {
 481         Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
 482     }
 483
 484     return Koha::Patrons->find({ userid => $user_id });
 485 }
 486
 487 1;