1 <?php
3 /**
4 * Authorization Server Member
6 * @package OpenEMR
7 * @link http://www.open-emr.org
8 * @author Jerry Padgett <sjpadgett@gmail.com>
9 * @copyright Copyright (c) 2020 Jerry Padgett <sjpadgett@gmail.com>
10 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
13 // below brings in autoloader
14 require_once(__DIR__ . "/../_rest_config.php");
16 use OpenEMR\Common\Csrf\CsrfUtils;
17 use OpenEMR\Common\Logging\SystemLogger;
18 use OpenEMR\Common\Session\SessionUtil;
19 use OpenEMR\RestControllers\AuthorizationController;
$gbl = RestConfig::GetInstance();

// No site could be resolved for this request, so there is nothing to bind a
// session to yet: answer 401 and stop before any cookie is issued.
if (empty($gbl::$SITE)) {
    http_response_code(401);
    exit;
}

// Starts the dedicated oauth OpenEMR session/cookie, scoped to the web root.
SessionUtil::oauthSessionStart($gbl::$web_root);

// Presumably tells globals.php to skip its interactive login check, since this
// script runs inside the oauth session rather than the normal one — confirm.
// No need for sessionAllowWrite since using oauth session.
$ignoreAuth = true;
// Hand globals.php the site RestConfig already resolved (presumably read from
// $_GET['site'] there) so both sides agree; the sanity check further down
// compares the two.
$_GET['site'] = $gbl::$SITE;
require_once __DIR__ . '/../interface/globals.php';
$logger = new SystemLogger();

// The authorization server is only reachable when at least one API surface
// (standard REST, FHIR or portal) is switched on in globals. Otherwise tear
// down the oauth cookie that was just created and answer 404 so the server
// does not advertise itself on a site that has the APIs off.
if (
    empty($GLOBALS['rest_api'])
    && empty($GLOBALS['rest_fhir_api'])
    && empty($GLOBALS['rest_portal_api'])
) {
    $logger->debug("api disabled exiting call");
    SessionUtil::oauthSessionCookieDestroy();
    http_response_code(404);
    exit;
}
// Sanity-check the site before anything is done with it:
//   1) the site resolved by RestConfig is non-empty and limited to [A-Za-z0-9.-],
//   2) it is the same site_id the oauth session was bound to, and
//   3) a directory of that name exists under OE_SITES_BASE.
// NOTE(review): the character class admits '.', so the pattern alone does not
// reject dotted segments; the equality with the session's site_id and the
// directory test are what bind the value — confirm site_id is validated where
// the oauth session is populated.
if (
    empty($gbl::$SITE)                                                       // 1) non-empty
    || empty($_SESSION['site_id'])                                           // 2) session has a site
    || preg_match('/[^A-Za-z0-9\\-.]/', $gbl::$SITE)                         // 1) restricted charset
    || ($gbl::$SITE != $_SESSION['site_id'])                                 // 2) both sides agree
    || !file_exists($GLOBALS['OE_SITES_BASE'] . '/' . $_SESSION['site_id'])  // 3) exists on disk
) {
    // Could not collect a trustworthy site: drop the oauth cookie and bail out.
    $logger->error("OpenEMR error - oauth2 error since unable to properly collect site, so forced exit");
    SessionUtil::oauthSessionCookieDestroy();
    http_response_code(400);
    exit;
}
// A per-session CSRF key guards the two submission paths handled by
// oauth2/provider/login.php; create it once per oauth session.
if (empty($_SESSION['csrf_private_key'])) {
    CsrfUtils::setupCsrfKey();
}

$end_point = $gbl::getRequestEndPoint();
$logger->debug("oauth2 request received", ["endpoint" => $end_point]);

// CORS is enabled here at the PHP level rather than in the web server.
// NOTE(review): browsers do not honour Allow-Credentials together with a
// wildcard Allow-Origin, so cookie-bearing cross-origin calls are effectively
// not permitted by this combination; if that is ever needed, reflect only
// origins from an allow-list rather than the request's Origin. TRACE in
// Allow-Methods merely advertises the method; consider dropping it.
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Headers: origin, authorization, accept, content-type, x-requested-with");
header("Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS");
header("Access-Control-Allow-Origin: *");

$authServer = new AuthorizationController();
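// Dispatch on the request path. Every matcher is a case-insensitive substring
// test (stripos), so ordering matters and the first fragment found wins; a
// longer path that merely contains one of these fragments is routed by it.
// All branches except the SMART one end the request here. Where a comment
// says the session is destroyed, the callee does that itself.

if (stripos($end_point, '/token') !== false) {
    // session is destroyed within below function
    $authServer->oauthAuthorizeToken();
    exit;
}

if (stripos($end_point, '/openid-configuration') !== false) {
    // $oauthdisc and $base_url are global-scope inputs for the included
    // discovery document (presumably an include guard and the absolute base
    // URL it embeds — confirm in discovery.php).
    $oauthdisc = true;
    $base_url = $authServer->authBaseFullUrl;
    // Anchored to __DIR__ so resolution does not depend on include_path or the
    // working directory; matches how the jwk include below is written.
    require_once __DIR__ . "/provider/.well-known/discovery.php";
    exit;
}

if (stripos($end_point, '/authorize') !== false) {
    // session is destroyed (when throws exception) within below function
    $authServer->oauthAuthorizationFlow();
    exit;
}

if (stripos($end_point, '/device/code') !== false) {
    // session is destroyed within below function
    $authServer->authorizeUser();
    exit;
}

if (stripos($end_point, '/jwk') !== false) {
    // $oauthjwk is a global-scope input for the included jwk.php (presumably
    // an include guard — confirm there).
    $oauthjwk = true;
    require_once __DIR__ . "/provider/jwk.php";
    exit;
}

if (stripos($end_point, '/login') !== false) {
    // session is maintained
    $authServer->userLogin();
    exit;
}

if ($authServer->isSMARTAuthorizationEndPoint($end_point)) {
    // NOTE(review): unlike every other branch this does not exit; presumably
    // the dispatcher ends the request itself, otherwise a SMART request that
    // returns here falls through to the matchers below — confirm.
    $authServer->dispatchSMARTAuthorizationEndpoint($end_point);
}

if (stripos($end_point, '/scope-authorize-confirm') !== false) {
    // session is maintained
    $authServer->scopeAuthorizeConfirm();
    exit;
}

if (stripos($end_point, '/registration') !== false) {
    // session is destroyed within below function
    $authServer->clientRegistration();
    exit;
}

if (stripos($end_point, '/client') !== false) {
    // session is destroyed within below function
    $authServer->clientRegisteredDetails();
    exit;
}

if (stripos($end_point, '/logout') !== false) {
    // session is destroyed within below function
    $authServer->userSessionLogout();
    exit;
}

if (stripos($end_point, '/introspect') !== false) {
    // session is destroyed within below function
    $authServer->tokenIntrospection();
    exit;
}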