1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it under the
8 # terms of the GNU General Public License as published by the Free Software
9 # Foundation; either version 3 of the License, or (at your option) any later
12 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
13 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
14 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License along
17 # with Koha; if not, write to the Free Software Foundation, Inc.,
18 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 use Mojo::Base 'Mojolicious::Controller';
24 use Net::OAuth2::AuthorizationServer;
26 use C4::Auth qw( check_cookie_auth get_session haspermission );
30 use Koha::Account::Lines;
34 use Koha::OAuthAccessTokens;
35 use Koha::Old::Checkouts;
39 use Koha::Exceptions::Authentication;
40 use Koha::Exceptions::Authorization;
42 use Scalar::Util qw( blessed );
53 This subroutine is called before every request to API.
58 my $c = shift->openapi->valid_input or return;;
63 $status = authenticate_api_request($c);
66 unless (blessed($_)) {
69 json => { error => 'Something went wrong, check the logs.' }
72 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
73 return $c->render(status => 503, json => { error => $_->error });
75 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
76 return $c->render(status => 401, json => { error => $_->error });
78 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
79 return $c->render(status => 401, json => { error => $_->error });
81 elsif ($_->isa('Koha::Exceptions::Authentication')) {
82 return $c->render(status => 500, json => { error => $_->error });
84 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
85 return $c->render(status => 400, json => $_->error );
87 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
88 return $c->render(status => 403, json => {
90 required_permissions => $_->required_permissions,
93 elsif ($_->isa('Koha::Exceptions')) {
94 return $c->render(status => 500, json => { error => $_->error });
99 json => { error => 'Something went wrong, check the logs.' }
107 =head3 authenticate_api_request
109 Validates authentication and allows access if authorization is not required or
110 if authorization is required and user has required permissions to access.
114 sub authenticate_api_request {
117 my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
118 my $authorization = $spec->{'x-koha-authorization'};
120 my $authorization_header = $c->req->headers->authorization;
121 if ($authorization_header and $authorization_header =~ /^Bearer /) {
122 my $server = Net::OAuth2::AuthorizationServer->new;
123 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
124 my ($type, $token) = split / /, $authorization_header;
125 my ($valid_token, $error) = $grant->verify_access_token(
126 access_token => $token,
130 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
131 my $patron = Koha::Patrons->find($patron_id);
132 my $permissions = $authorization->{'permissions'};
133 # Check if the patron is authorized
134 if ( haspermission($patron->userid, $permissions)
135 or allow_owner($c, $authorization, $patron)
136 or allow_guarantor($c, $authorization, $patron) ) {
138 validate_query_parameters( $c, $spec );
144 Koha::Exceptions::Authorization::Unauthorized->throw(
145 error => "Authorization failure. Missing required permission(s).",
146 required_permissions => $permissions,
150 # If we have "Authorization: Bearer" header and oauth authentication
151 # failed, do not try other authentication means
152 Koha::Exceptions::Authentication::Required->throw(
153 error => 'Authentication failure.'
157 my $cookie = $c->cookie('CGISESSID');
158 my ($session, $user);
159 # Mojo doesn't use %ENV the way CGI apps do
160 # Manually pass the remote_address to check_auth_cookie
161 my $remote_addr = $c->tx->remote_address;
162 my ($status, $sessionID) = check_cookie_auth(
164 { remote_addr => $remote_addr });
165 if ($status eq "ok") {
166 $session = get_session($sessionID);
167 $user = Koha::Patrons->find($session->param('number'));
168 $c->stash('koha.user' => $user);
170 elsif ($status eq "maintenance") {
171 Koha::Exceptions::UnderMaintenance->throw(
172 error => 'System is under maintenance.'
175 elsif ($status eq "expired" and $authorization) {
176 Koha::Exceptions::Authentication::SessionExpired->throw(
177 error => 'Session has been expired.'
180 elsif ($status eq "failed" and $authorization) {
181 Koha::Exceptions::Authentication::Required->throw(
182 error => 'Authentication failure.'
185 elsif ($authorization) {
186 Koha::Exceptions::Authentication->throw(
187 error => 'Unexpected authentication status.'
191 # We do not need any authorization
192 unless ($authorization) {
193 # Check the parameters
194 validate_query_parameters( $c, $spec );
198 my $permissions = $authorization->{'permissions'};
199 # Check if the user is authorized
200 if ( haspermission($user->userid, $permissions)
201 or allow_owner($c, $authorization, $user)
202 or allow_guarantor($c, $authorization, $user) ) {
204 validate_query_parameters( $c, $spec );
210 Koha::Exceptions::Authorization::Unauthorized->throw(
211 error => "Authorization failure. Missing required permission(s).",
212 required_permissions => $permissions,
215 sub validate_query_parameters {
216 my ( $c, $action_spec ) = @_;
218 # Check for malformed query parameters
220 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
221 my $existing_params = $c->req->query_params->to_hash;
222 for my $param ( keys %{$existing_params} ) {
223 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
226 Koha::Exceptions::BadParameter->throw(
234 Allows access to object for its owner.
236 There are endpoints that should allow access for the object owner even if they
237 do not have the required permission, e.g. access an own reserve. This can be
238 achieved by defining the operation as follows:
240 "/holds/{reserve_id}": {
243 "x-koha-authorization": {
255 my ($c, $authorization, $user) = @_;
257 return unless $authorization->{'allow-owner'};
259 return check_object_ownership($c, $user) if $user and $c;
262 =head3 allow_guarantor
264 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
269 sub allow_guarantor {
270 my ($c, $authorization, $user) = @_;
272 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
276 my $guarantees = $user->guarantees->as_list;
277 foreach my $guarantee (@{$guarantees}) {
278 return 1 if check_object_ownership($c, $guarantee);
282 =head3 check_object_ownership
284 Determines ownership of an object from request parameters.
286 As introducing an endpoint that allows access for object's owner; if the
287 parameter that will be used to determine ownership is not already inside
288 $parameters, add a new subroutine that checks the ownership and extend
289 $parameters to contain a key with parameter_name and a value of a subref to
290 the subroutine that you created.
294 sub check_object_ownership {
297 return if not $c or not $user;
300 accountlines_id => \&_object_ownership_by_accountlines_id,
301 borrowernumber => \&_object_ownership_by_patron_id,
302 patron_id => \&_object_ownership_by_patron_id,
303 checkout_id => \&_object_ownership_by_checkout_id,
304 reserve_id => \&_object_ownership_by_reserve_id,
307 foreach my $param ( keys %{ $parameters } ) {
308 my $check_ownership = $parameters->{$param};
309 if ($c->stash($param)) {
310 return &$check_ownership($c, $user, $c->stash($param));
312 elsif ($c->param($param)) {
313 return &$check_ownership($c, $user, $c->param($param));
315 elsif ($c->match->stack->[-1]->{$param}) {
316 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
318 elsif ($c->req->json && $c->req->json->{$param}) {
319 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
324 =head3 _object_ownership_by_accountlines_id
326 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
331 sub _object_ownership_by_accountlines_id {
332 my ($c, $user, $accountlines_id) = @_;
334 my $accountline = Koha::Account::Lines->find($accountlines_id);
335 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
338 =head3 _object_ownership_by_borrowernumber
340 Compares C<$borrowernumber> to currently logged in C<$user>.
344 sub _object_ownership_by_patron_id {
345 my ($c, $user, $patron_id) = @_;
347 return $user->borrowernumber == $patron_id;
350 =head3 _object_ownership_by_checkout_id
352 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
353 compare its borrowernumber to currently logged in C<$user>. However, if an issue
354 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
355 borrowernumber to currently logged in C<$user>.
359 sub _object_ownership_by_checkout_id {
360 my ($c, $user, $issue_id) = @_;
362 my $issue = Koha::Checkouts->find($issue_id);
363 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
364 return $issue && $issue->borrowernumber
365 && $user->borrowernumber == $issue->borrowernumber;
368 =head3 _object_ownership_by_reserve_id
370 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
373 TODO: Also compare against old_reserves
377 sub _object_ownership_by_reserve_id {
378 my ($c, $user, $reserve_id) = @_;
380 my $reserve = Koha::Holds->find($reserve_id);
381 return $reserve && $user->borrowernumber == $reserve->borrowernumber;