_rest_config.php

   1 <?php
   2
   3 /**
   4  * Useful globals class for Rest
   5  *
   6  * @package   OpenEMR
   7  * @link      http://www.open-emr.org
   8  * @author    Jerry Padgett <sjpadgett@gmail.com>
   9  * @author    Brady Miller <brady.g.miller@gmail.com>
  10  * @copyright Copyright (c) 2018-2020 Jerry Padgett <sjpadgett@gmail.com>
  11  * @copyright Copyright (c) 2019 Brady Miller <brady.g.miller@gmail.com>
  12  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  13  */
  14
  15 require_once __DIR__ . '/vendor/autoload.php';
  16 require_once(__DIR__ . "/src/Common/Session/SessionUtil.php");
  17
  18 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
  19 use League\OAuth2\Server\Exception\OAuthServerException;
  20 use League\OAuth2\Server\ResourceServer;
  21 use Nyholm\Psr7\Factory\Psr17Factory;
  22 use Nyholm\Psr7Server\ServerRequestCreator;
  23 use OpenEMR\Common\Acl\AclMain;
  24 use OpenEMR\Common\Auth\OpenIDConnect\Repositories\AccessTokenRepository;
  25 use OpenEMR\Common\Logging\EventAuditLogger;
  26 use OpenEMR\Common\Logging\SystemLogger;
  27 use OpenEMR\Common\Uuid\UuidRegistry;
  28 use Psr\Http\Message\ResponseInterface;
  29 use Psr\Http\Message\ServerRequestInterface;
  30
  31 // also a handy place to add utility methods
  32 // TODO before v6 release: refactor http_response_code(); for psr responses.
  33 //
  34 class RestConfig
  35 {
  36     /** @var routemap is an array of patterns and routes */
  37     public static $ROUTE_MAP;
  38
  39     /** @var fhir routemap is an  of patterns and routes */
  40     public static $FHIR_ROUTE_MAP;
  41
  42     /** @var portal routemap is an  of patterns and routes */
  43     public static $PORTAL_ROUTE_MAP;
  44
  45     /** @var portal fhir routemap is an  of patterns and routes */
  46     public static $PORTAL_FHIR_ROUTE_MAP;
  47
  48     /** @var app root is the root directory of the application */
  49     public static $APP_ROOT;
  50
  51     /** @var root url of the application */
  52     public static $ROOT_URL;
  53     // you can guess what the rest are!
  54     public static $VENDOR_DIR;
  55     public static $SITE;
  56     public static $apisBaseFullUrl;
  57     public static $webserver_root;
  58     public static $web_root;
  59     public static $server_document_root;
  60     public static $publicKey;
  61     private static $INSTANCE;
  62     private static $IS_INITIALIZED = false;
  63     /**  @var set to true if local api call */
  64     private static $localCall = false;
  65     /**  @var set to true if not rest call */
  66     private static $notRestCall = false;
  67
  68     /** prevents external construction */
  69     private function __construct()
  70     {
  71     }
  72
  73     /**
  74      * Returns an instance of the RestConfig singleton
  75      *
  76      * @return RestConfig
  77      */
  78     public static function GetInstance(): \RestConfig
  79     {
  80         if (!self::$IS_INITIALIZED) {
  81             self::Init();
  82         }
  83
  84         if (!self::$INSTANCE instanceof self) {
  85             self::$INSTANCE = new self();
  86         }
  87
  88         return self::$INSTANCE;
  89     }
  90
  91     /**
  92      * Initialize the RestConfig object
  93      */
  94     public static function Init(): void
  95     {
  96         if (self::$IS_INITIALIZED) {
  97             return;
  98         }
  99         // The busy stuff.
 100         self::setPaths();
 101         self::setSiteFromEndpoint();
 102         self::$ROOT_URL = self::$web_root . "/apis";
 103         self::$VENDOR_DIR = self::$webserver_root . "/vendor";
 104         self::$publicKey = self::$webserver_root . "/sites/" . self::$SITE . "/documents/certificates/oapublic.key";
 105         self::$IS_INITIALIZED = true;
 106     }
 107
 108     /**
 109      * Basic paths when GLOBALS are not yet available.
 110      *
 111      * @return void
 112      */
 113     private static function SetPaths(): void
 114     {
 115         $isWindows = (stripos(PHP_OS_FAMILY, 'WIN') === 0);
 116         // careful if moving this class to modify where's root.
 117         self::$webserver_root = __DIR__;
 118         if ($isWindows) {
 119             //convert windows path separators
 120             self::$webserver_root = str_replace("\\", "/", self::$webserver_root);
 121         }
 122         // Collect the apache server document root (and convert to windows slashes, if needed)
 123         self::$server_document_root = realpath($_SERVER['DOCUMENT_ROOT']);
 124         if ($isWindows) {
 125             //convert windows path separators
 126             self::$server_document_root = str_replace("\\", "/", self::$server_document_root);
 127         }
 128         self::$web_root = substr(self::$webserver_root, strspn(self::$webserver_root ^ self::$server_document_root, "\0"));
 129         // Ensure web_root starts with a path separator
 130         if (preg_match("/^[^\/]/", self::$web_root)) {
 131             self::$web_root = "/" . self::$web_root;
 132         }
 133         // Will need these occasionally. sql init comes to mind!
 134         $GLOBALS['rootdir'] = self::$web_root . "/interface";
 135         // Absolute path to the source code include and headers file directory (Full path):
 136         $GLOBALS['srcdir'] = self::$webserver_root . "/library";
 137         // Absolute path to the location of documentroot directory for use with include statements:
 138         $GLOBALS['fileroot'] = self::$webserver_root;
 139         // Absolute path to the location of interface directory for use with include statements:
 140         $GLOBALS['incdir'] = self::$webserver_root . "/interface";
 141         // Absolute path to the location of documentroot directory for use with include statements:
 142         $GLOBALS['webroot'] = self::$web_root;
 143         // Static assets directory, relative to the webserver root.
 144         $GLOBALS['assets_static_relative'] = self::$web_root . "/public/assets";
 145         // Relative themes directory, relative to the webserver root.
 146         $GLOBALS['themes_static_relative'] = self::$web_root . "/public/themes";
 147         // Relative images directory, relative to the webserver root.
 148         $GLOBALS['images_static_relative'] = self::$web_root . "/public/images";
 149         // Static images directory, absolute to the webserver root.
 150         $GLOBALS['images_static_absolute'] = self::$webserver_root . "/public/images";
 151         //Composer vendor directory, absolute to the webserver root.
 152         $GLOBALS['vendor_dir'] = self::$webserver_root . "/vendor";
 153     }
 154
 155     private static function setSiteFromEndpoint(): void
 156     {
 157         // Get site from endpoint if available. Unsure about this though!
 158         // Will fail during sql init otherwise.
 159         $endPointParts = self::parseEndPoint(self::getRequestEndPoint());
 160         if (count($endPointParts) > 1) {
 161             $site_id = $endPointParts[0] ?? '';
 162             if ($site_id) {
 163                 self::$SITE = $site_id;
 164             }
 165         }
 166     }
 167
 168     public static function parseEndPoint($resource): array
 169     {
 170         if ($resource[0] === '/') {
 171             $resource = substr($resource, 1);
 172         }
 173         return explode('/', $resource);
 174     }
 175
 176     public static function getRequestEndPoint(): string
 177     {
 178         $resource = null;
 179         if (!empty($_REQUEST['_REWRITE_COMMAND'])) {
 180             $resource = "/" . $_REQUEST['_REWRITE_COMMAND'];
 181         } elseif (!empty($_SERVER['REDIRECT_QUERY_STRING'])) {
 182             $resource = str_replace('_REWRITE_COMMAND=', '/', $_SERVER['REDIRECT_QUERY_STRING']);
 183         } else {
 184             if (!empty($_SERVER['REQUEST_URI'])) {
 185                 if (strpos($_SERVER['REQUEST_URI'], '?') > 0) {
 186                     $resource = strstr($_SERVER['REQUEST_URI'], '?', true);
 187                 } else {
 188                     $resource = str_replace(self::$ROOT_URL, '', $_SERVER['REQUEST_URI']);
 189                 }
 190             }
 191         }
 192
 193         return $resource;
 194     }
 195
 196     public static function verifyAccessToken()
 197     {
 198         $logger = SystemLogger::instance();
 199         $response = self::createServerResponse();
 200         $request = self::createServerRequest();
 201         $server = new ResourceServer(
 202             new AccessTokenRepository(),
 203             self::$publicKey
 204         );
 205         try {
 206             $raw = $server->validateAuthenticatedRequest($request);
 207         } catch (OAuthServerException $exception) {
 208             $logger->error("RestConfig->verifyAccessToken() OAuthServerException", ["message" => $exception->getMessage()]);
 209             return $exception->generateHttpResponse($response);
 210         } catch (\Exception $exception) {
 211             $logger->error("RestConfig->verifyAccessToken() Exception", ["message" => $exception->getMessage()]);
 212             return (new OAuthServerException($exception->getMessage(), 0, 'unknown_error', 500))
 213                 ->generateHttpResponse($response);
 214         }
 215
 216         return $raw;
 217     }
 218
 219     public static function isTrustedUser($clientId, $userId)
 220     {
 221         $response = self::createServerResponse();
 222         try {
 223             $trusted = sqlQueryNoLog("SELECT * FROM `oauth_trusted_user` WHERE `client_id`= ? AND `user_id`= ?", array($clientId, $userId));
 224             if (empty($trusted['session_cache'])) {
 225                 throw new OAuthServerException('Refresh Token revoked or logged out', 0, 'invalid _request', 400);
 226             }
 227         } catch (OAuthServerException $exception) {
 228             return $exception->generateHttpResponse($response);
 229         } catch (\Exception $exception) {
 230             return (new OAuthServerException($exception->getMessage(), 0, 'unknown_error', 500))
 231                 ->generateHttpResponse($response);
 232         }
 233
 234         return $trusted;
 235     }
 236
 237     public static function createServerResponse(): ResponseInterface
 238     {
 239         $psr17Factory = new Psr17Factory();
 240
 241         return $psr17Factory->createResponse();
 242     }
 243
 244     public static function createServerRequest(): ServerRequestInterface
 245     {
 246         $psr17Factory = new Psr17Factory();
 247         $creator = new ServerRequestCreator(
 248             $psr17Factory, // ServerRequestFactory
 249             $psr17Factory, // UriFactory
 250             $psr17Factory, // UploadedFileFactory
 251             $psr17Factory  // StreamFactory
 252         );
 253
 254         return $creator->fromGlobals();
 255     }
 256
 257     public static function destroySession(): void
 258     {
 259         OpenEMR\Common\Session\SessionUtil::apiSessionCookieDestroy();
 260     }
 261
 262     public static function getPostData($data)
 263     {
 264         if (count($_POST)) {
 265             return $_POST;
 266         }
 267
 268         if ($post_data = file_get_contents('php://input')) {
 269             if ($post_json = json_decode($post_data, true)) {
 270                 return $post_json;
 271             }
 272             parse_str($post_data, $post_variables);
 273             if (count($post_variables)) {
 274                 return $post_variables;
 275             }
 276         }
 277
 278         return null;
 279     }
 280
 281     public static function authorization_check($section, $value): void
 282     {
 283         $result = AclMain::aclCheckCore($section, $value);
 284         if (!$result) {
 285             if (!self::$notRestCall) {
 286                 http_response_code(401);
 287             }
 288             exit();
 289         }
 290     }
 291
 292     public static function setLocalCall(): void
 293     {
 294         self::$localCall = true;
 295     }
 296
 297     public static function setNotRestCall(): void
 298     {
 299         self::$notRestCall = true;
 300     }
 301
 302     public static function is_fhir_request($resource): bool
 303     {
 304         return stripos(strtolower($resource), "/fhir/") !== false;
 305     }
 306
 307     public static function is_portal_request($resource): bool
 308     {
 309         return stripos(strtolower($resource), "/portal/") !== false;
 310     }
 311
 312     public static function is_portal_fhir_request($resource): bool
 313     {
 314         return stripos(strtolower($resource), "/portalfhir/") !== false;
 315     }
 316
 317     public static function is_api_request($resource): bool
 318     {
 319         return stripos(strtolower($resource), "/api/") !== false;
 320     }
 321
 322     public static function skipApiAuth($resource): bool
 323     {
 324         if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
 325             // we don't authenticate OPTIONS requests
 326             return true;
 327         }
 328
 329         // ensure 1) sane site and 2) ensure the site exists on filesystem before even considering for skip api auth
 330         if (empty(self::$SITE) || preg_match('/[^A-Za-z0-9\\-.]/', self::$SITE) || !file_exists(__DIR__ . '/sites/' . self::$SITE)) {
 331             error_log("OpenEMR Error - api site error, so forced exit");
 332             http_response_code(400);
 333             exit();
 334         }
 335         // let the capability statement for FHIR or the SMART-on-FHIR through
 336         if (
 337             $resource === ("/" . self::$SITE . "/fhir/metadata") ||
 338             $resource === ("/" . self::$SITE . "/fhir/.well-known/smart-configuration")
 339         ) {
 340             return true;
 341         } else {
 342             return false;
 343         }
 344     }
 345
 346     public static function apiLog($response = '', $requestBody = ''): void
 347     {
 348         // only log when using standard api calls (skip when using local api calls from within OpenEMR)
 349         //  and when api log option is set
 350         if (!$GLOBALS['is_local_api'] && !self::$notRestCall && $GLOBALS['api_log_option']) {
 351             if ($GLOBALS['api_log_option'] == 1) {
 352                 // Do not log the response and requestBody
 353                 $response = '';
 354                 $requestBody = '';
 355             }
 356
 357             // convert pertinent elements to json
 358             $requestBody = (!empty($requestBody)) ? json_encode($requestBody) : '';
 359             $response = (!empty($response)) ? json_encode($response) : '';
 360
 361             // prepare values and call the log function
 362             $event = 'api';
 363             $category = 'api';
 364             $method = $_SERVER['REQUEST_METHOD'];
 365             $url = $_SERVER['REQUEST_URI'];
 366             $patientId = (int)($_SESSION['pid'] ?? 0);
 367             $userId = (int)($_SESSION['authUserID'] ?? 0);
 368             $api = [
 369                 'user_id' => $userId,
 370                 'patient_id' => $patientId,
 371                 'method' => $method,
 372                 'request' => $GLOBALS['resource'],
 373                 'request_url' => $url,
 374                 'request_body' => $requestBody,
 375                 'response' => $response
 376             ];
 377             if ($patientId === 0) {
 378                 $patientId = null; //entries in log table are blank for no patient_id, whereas in api_log are 0, which is why above $api value uses 0 when empty
 379             }
 380             EventAuditLogger::instance()->recordLogItem(1, $event, ($_SESSION['authUser'] ?? ''), ($_SESSION['authProvider'] ?? ''), 'api log', $patientId, $category, 'open-emr', null, null, '', $api);
 381         }
 382     }
 383
 384     public static function emitResponse($response, $build = false): void
 385     {
 386         if (headers_sent()) {
 387             throw new RuntimeException('Headers already sent.');
 388         }
 389         $statusLine = sprintf(
 390             'HTTP/%s %s %s',
 391             $response->getProtocolVersion(),
 392             $response->getStatusCode(),
 393             $response->getReasonPhrase()
 394         );
 395         header($statusLine, true);
 396         foreach ($response->getHeaders() as $name => $values) {
 397             $responseHeader = sprintf('%s: %s', $name, $response->getHeaderLine($name));
 398             header($responseHeader, false);
 399         }
 400         echo $response->getBody();
 401     }
 402
 403     public function authenticateUserToken($tokenId, $userId): bool
 404     {
 405         $ip = collectIpAddresses();
 406
 407         // check for token
 408         $authToken = sqlQueryNoLog("SELECT `expiry` FROM `api_token` WHERE `token` = ? AND `user_id` = ?", [$tokenId, $userId]);
 409         if (empty($authToken) || empty($authToken['expiry'])) {
 410             EventAuditLogger::instance()->newEvent('api', '', '', 0, "API failure: " . $ip['ip_string'] . ". Token not found for " . $userId . ".");
 411             return false;
 412         }
 413
 414         // Ensure token not expired (note an expired token should have already been caught by oauth2, however will also check here)
 415         $currentDateTime = date("Y-m-d H:i:s");
 416         $expiryDateTime = date("Y-m-d H:i:s", strtotime($authToken['expiry']));
 417         if ($expiryDateTime <= $currentDateTime) {
 418             EventAuditLogger::instance()->newEvent('api', '', '', 0, "API failure: " . $ip['ip_string'] . ". Token expired for " . $userId . ".");
 419             return false;
 420         }
 421
 422         // Token authentication passed
 423         EventAuditLogger::instance()->newEvent('api', '', '', 1, "API success: " . $ip['ip_string'] . ". Token successfully used for " . $userId . ".");
 424         return true;
 425     }
 426
 427     /** prevents external cloning */
 428     private function __clone()
 429     {
 430     }
 431 }
 432
 433 // Include our routes and init routes global
 434 //
 435 require_once(__DIR__ . "/_rest_routes.inc.php");