_rest_config.php

   1 <?php
   2
   3 /**
   4  * Useful globals class for Rest
   5  *
   6  * @package   OpenEMR
   7  * @link      http://www.open-emr.org
   8  * @author    Jerry Padgett <sjpadgett@gmail.com>
   9  * @author    Brady Miller <brady.g.miller@gmail.com>
  10  * @copyright Copyright (c) 2018 Jerry Padgett <sjpadgett@gmail.com>
  11  * @copyright Copyright (c) 2019 Brady Miller <brady.g.miller@gmail.com>
  12  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  13  */
  14
  15 require_once(dirname(__FILE__) . "/src/Common/Session/SessionUtil.php");
  16
  17 use OpenEMR\Common\Acl\AclMain;
  18 use OpenEMR\Common\Crypto\CryptoGen;
  19 use OpenEMR\Common\Logging\EventAuditLogger;
  20 use OpenEMR\RestControllers\AuthRestController;
  21
  22 // also a handy place to add utility methods
  23 //
  24 class RestConfig
  25 {
  26     /** @var set to true to send debug info to the browser */
  27     public static $DEBUG_MODE = false;
  28
  29     /** @var default action is the controller.method fired when no route is specified */
  30     public static $DEFAULT_ACTION = "";
  31
  32     /** @var routemap is an array of patterns and routes */
  33     public static $ROUTE_MAP;
  34
  35     /** @var fhir routemap is an array of patterns and routes */
  36     public static $FHIR_ROUTE_MAP;
  37
  38     /** @var portal routemap is an array of patterns and routes */
  39     public static $PORTAL_ROUTE_MAP;
  40
  41     /** @var portal fhir routemap is an array of patterns and routes */
  42     public static $PORTAL_FHIR_ROUTE_MAP;
  43
  44     /** @var app root is the root directory of the application */
  45     public static $APP_ROOT;
  46
  47     /** @var root url of the application */
  48     public static $ROOT_URL;
  49     public static $REST_FULL_URL;
  50     public static $VENDOR_DIR;
  51     public static $webserver_root;
  52     public static $web_root;
  53     public static $server_document_root;
  54     public static $SITE;
  55
  56     private static $INSTANCE;
  57     private static $IS_INITIALIZED = false;
  58
  59     /**  @var set to true if local api call */
  60     private static $localCall = false;
  61
  62     /**  @var set to true if not rest call */
  63     private static $notRestCall = false;
  64
  65     /** prevents external construction */
  66     private function __construct()
  67     {
  68     }
  69
  70     /** prevents external cloning */
  71     private function __clone()
  72     {
  73     }
  74
  75     /**
  76      * Initialize the RestConfig object
  77      */
  78     static function Init()
  79     {
  80         if (!self::$IS_INITIALIZED) {
  81             self::setPaths();
  82             self::$REST_FULL_URL = $_SERVER['REQUEST_SCHEME'] . "//" . $_SERVER['SERVER_NAME'] . $_SERVER['REDIRECT_URL']; // @todo unsure here!
  83             self::$ROOT_URL = self::$web_root . "/apis";
  84             self::$VENDOR_DIR = self::$webserver_root . "/vendor";
  85             self::$IS_INITIALIZED = true;
  86         }
  87     }
  88
  89     /**
  90      * Returns an instance of the RestConfig singleton
  91      * @return RestConfig
  92      */
  93     static function GetInstance()
  94     {
  95         if (!self::$IS_INITIALIZED) {
  96             self::Init();
  97         }
  98
  99         if (!self::$INSTANCE instanceof self) {
 100             self::$INSTANCE = new self();
 101         }
 102
 103         return self::$INSTANCE;
 104     }
 105
 106
 107     /**
 108      * Basic paths when GLOBALS are not yet available.
 109      * @return none
 110      */
 111     static function SetPaths()
 112     {
 113         $isWindows = stripos(PHP_OS, 'WIN') === 0;
 114         self::$webserver_root = dirname(__FILE__);
 115         if ($isWindows) {
 116             //convert windows path separators
 117             self::$webserver_root = str_replace("\\", "/", self::$webserver_root);
 118         }
 119         // Collect the apache server document root (and convert to windows slashes, if needed)
 120         self::$server_document_root = realpath($_SERVER['DOCUMENT_ROOT']);
 121         if ($isWindows) {
 122             //convert windows path separators
 123             self::$server_document_root = str_replace("\\", "/", self::$server_document_root);
 124         }
 125         self::$web_root = substr(self::$webserver_root, strspn(self::$webserver_root ^ self::$server_document_root, "\0"));
 126         // Ensure web_root starts with a path separator
 127         if (preg_match("/^[^\/]/", self::$web_root)) {
 128             self::$web_root = "/" . self::$web_root;
 129         }
 130     }
 131
 132     static function destroySession()
 133     {
 134         OpenEMR\Common\Session\SessionUtil::apiSessionCookieDestroy();
 135     }
 136
 137     static function getPostData($data)
 138     {
 139         if (count($_POST)) {
 140             return $_POST;
 141         } elseif ($post_data = file_get_contents('php://input')) {
 142             if ($post_json = json_decode($post_data, true)) {
 143                 return $post_json;
 144             } else {
 145                 parse_str($post_data, $post_variables);
 146                 if (count($post_variables)) {
 147                     return $post_variables;
 148                 }
 149             }
 150         }
 151
 152         return false;
 153     }
 154
 155     static function authorization_check($section, $value)
 156     {
 157         $result = AclMain::aclCheckCore($section, $value);
 158         if (!$result) {
 159             if (!self::$notRestCall) {
 160                 http_response_code(401);
 161             }
 162             exit();
 163         }
 164     }
 165
 166     static function setLocalCall()
 167     {
 168         self::$localCall = true;
 169     }
 170
 171     static function setNotRestCall()
 172     {
 173         self::$notRestCall = true;
 174     }
 175
 176     static function is_skip_auth($resource)
 177     {
 178         return ($resource === "/api/auth" || $resource === "/fhir/auth" || $resource === "/portal/auth" || $resource === "/portalfhir/auth" || $resource === "/fhir/metadata");
 179     }
 180
 181     static function get_bearer_token()
 182     {
 183         $parse = preg_split("/[\s,]+/", $_SERVER["HTTP_AUTHORIZATION"]);
 184         if (strtoupper(trim($parse[0])) !== 'BEARER') {
 185             return false;
 186         }
 187
 188         return trim($parse[1]);
 189     }
 190
 191     static function is_api_request($resource)
 192     {
 193         return (stripos(strtolower($resource), "/api/") !== false) ? true : false;
 194     }
 195
 196     static function is_fhir_request($resource)
 197     {
 198         return (stripos(strtolower($resource), "/fhir/") !== false) ? true : false;
 199     }
 200
 201     static function is_portal_request($resource)
 202     {
 203         return (stripos(strtolower($resource), "/portal/") !== false) ? true : false;
 204     }
 205
 206     static function is_portal_fhir_request($resource)
 207     {
 208         return (stripos(strtolower($resource), "/portalfhir/") !== false) ? true : false;
 209     }
 210
 211     static function verify_api_request($resource, $api)
 212     {
 213         $api = strtolower(trim($api));
 214         if (self::is_fhir_request($resource)) {
 215             if ($api !== 'fhir') {
 216                 http_response_code(401);
 217                 exit();
 218             }
 219         } elseif (self::is_portal_request($resource)) {
 220             if ($api !== 'port') {
 221                 http_response_code(401);
 222                 exit();
 223             }
 224         } elseif (self::is_portal_fhir_request($resource)) {
 225             if ($api !== 'pofh') {
 226                 http_response_code(401);
 227                 exit();
 228             }
 229         } elseif (self::is_api_request($resource)) {
 230             if ($api !== 'oemr') {
 231                 http_response_code(401);
 232                 exit();
 233             }
 234         } else {
 235             // somebody is up to no good
 236             http_response_code(401);
 237             exit();
 238         }
 239
 240         return;
 241     }
 242
 243     static function authentication_check($resource)
 244     {
 245         if (!self::is_skip_auth($resource)) {
 246             $token = $_SERVER["HTTP_X_API_TOKEN"];
 247             $authRestController = new AuthRestController();
 248             if (!$authRestController->isValidToken($token)) {
 249                 self::destroySession();
 250                 http_response_code(401);
 251                 exit();
 252             }
 253         }
 254     }
 255
 256     static function apiLog($response = '', $requestBody = '')
 257     {
 258         // only log when using standard api calls (skip when using local api calls from within OpenEMR)
 259         //  and when api log option is set
 260         if (!$GLOBALS['is_local_api'] && $GLOBALS['api_log_option']) {
 261             if ($GLOBALS['api_log_option'] == 1) {
 262                 // Do not log the response and requestBody
 263                 $response = '';
 264                 $requestBody = '';
 265             }
 266
 267             // convert pertinent elements to json
 268             $requestBody = (!empty($requestBody)) ? json_encode($requestBody) : '';
 269             $response = (!empty($response)) ? json_encode($response) : '';
 270
 271             // prepare values and call the log function
 272             $event = 'api';
 273             $category = 'api';
 274             $method = $_SERVER['REQUEST_METHOD'];
 275             $url = $_SERVER['REQUEST_URI'];
 276             $patientId = $_SESSION['pid'] ?? 0;
 277             $userId = $_SESSION['authUserID'] ?? 0;
 278             $api = [
 279                 'user_id' => $userId,
 280                 'patient_id' => $patientId,
 281                 'method' => $method,
 282                 'request' => $GLOBALS['resource'],
 283                 'request_url' => $url,
 284                 'request_body' => $requestBody,
 285                 'response' => $response
 286             ];
 287             if ($patientId == 0) {
 288                 $patientId = null; //entries in log table are blank for no patient_id, whereas in api_log are 0, which is why above $api value uses 0 when empty
 289             }
 290             EventAuditLogger::instance()->recordLogItem(1, $event, ($_SESSION['authUser'] ?? ''), ($_SESSION['authProvider'] ?? ''), 'api log', $patientId, $category, 'open-emr', null, null, '', $api);
 291         }
 292     }
 293 }
 294
 295 // Include our routes and init routes global
 296 //
 297 require_once(dirname(__FILE__) . "/_rest_routes.inc.php");