(mvc) refactor base/api controllers and move shared functionality one level up

2026-03-14 08:34:39 +00:00 · 2015-06-12 16:14:13 +02:00 · 2015-06-12 16:14:13 +02:00 · f23c25a0a9
commit f23c25a0a9
parent 9d12fd35fa
3 changed files with 102 additions and 57 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
@ -28,15 +28,12 @@
 */
 namespace OPNsense\Base;

-use OPNsense\Core\ACL;
-use Phalcon\Mvc\Controller;
-use Phalcon\Logger\Adapter\Syslog;

 /**
 * Class ApiControllerBase, inherit this class to implement API calls
 * @package OPNsense\Base
 */
-class ApiControllerBase extends Controller
+class ApiControllerBase extends ControllerRoot
 {
    /**
     * Initialize API controller
@ -47,29 +44,6 @@ class ApiControllerBase extends Controller
        $this->view->disable();
    }

-    /**
-     * Wrap close session, for long running operations.
-     */
-    protected function sessionClose()
-    {
-        session_write_close();
-    }
-
-    /**
-     * get system logger
-     * @param string $ident syslog identifier
-     * @return Syslog log handler
-     */
-    protected function getLogger($ident = "api")
-    {
-        $logger = new Syslog($ident, array(
-            'option' => LOG_PID,
-            'facility' => LOG_LOCAL4
-        ));
-
-        return $logger;
-    }
-

    /**
     * before routing event
@ -81,17 +55,8 @@ class ApiControllerBase extends Controller
        // TODO: implement authentication for api calls, at this moment you need a valid session on the web interface

        // use authentication of legacy OPNsense to validate user.
-        if ($this->session->has("Username") == false) {
-            $this->getLogger()->error("no active session, user not found");
-            $this->response->redirect("/", true);
-        }
-
-        // Authorization using legacy acl structure
-        $acl = new ACL();
-        if (!$acl->isPageAccessible($this->session->get("Username"), $_SERVER['REQUEST_URI'])) {
-            $this->getLogger()->error("uri ".$_SERVER['REQUEST_URI'].
-                " not accessible for user ".$this->session->get("Username"));
-            $this->response->redirect("/", true);
+        if (!$this->doAuth()) {
+            return false;
        }

        // check for valid csrf on post requests
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@ -29,7 +29,6 @@
 namespace OPNsense\Base;

 use OPNsense\Core\Config;
-use OPNsense\Core\ACL;
 use Phalcon\Mvc\Controller;
 use Phalcon\Translate\Adapter\Gettext;
 use Phalcon\Translate\Adapter\NativeArray;
@ -38,7 +37,7 @@ use Phalcon\Translate\Adapter\NativeArray;
 * Class ControllerBase implements core controller for OPNsense framework
 * @package OPNsense\Base
 */
-class ControllerBase extends Controller
+class ControllerBase extends ControllerRoot
 {
    /**
     * translate a text
@ -161,17 +160,10 @@ class ControllerBase extends Controller
        if (!$dispatcher->wasForwarded()) {
            // Authentication
            // - use authentication of legacy OPNsense.
-            if ($this->session->has("Username") == false) {
-                $this->response->redirect("/", true);
+            if (!$this->doAuth()) {
+                return false;
            }

-            // Authorization using legacy acl structure
-            $acl = new ACL();
-            if (!$acl->isPageAccessible($this->session->get("Username"), $_SERVER['REQUEST_URI'])) {
-                $this->response->redirect("/", true);
-            }
-
-
            // check for valid csrf on post requests
            if ($this->request->isPost() && !$this->security->checkToken()) {
                // post without csrf, exit.
@ -215,12 +207,4 @@ class ControllerBase extends Controller
        $this->view->acl = new \OPNsense\Core\ACL();
    }

-    /**
-     * @param $dispatcher
-     */
-    public function afterExecuteRoute($dispatcher)
-    {
-        // Executed after every found action
-        // TODO: implement default behavior
-    }
 }
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
@ -0,0 +1,96 @@
+<?php
+/**
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Base;
+
+use Phalcon\Mvc\Controller;
+use Phalcon\Logger\Adapter\Syslog;
+use OPNsense\Core\ACL;
+
+/**
+ * Class ControllerRoot wrap shared OPNsense controller features (auth, logging)
+ * @package OPNsense\Base
+ */
+class ControllerRoot extends Controller
+{
+    /**
+     * Wrap close session, for long running operations.
+     */
+    protected function sessionClose()
+    {
+        session_write_close();
+    }
+
+    /**
+     * get system logger
+     * @param string $ident syslog identifier
+     * @return Syslog log handler
+     */
+    protected function getLogger($ident = "api")
+    {
+        $logger = new Syslog($ident, array(
+            'option' => LOG_PID,
+            'facility' => LOG_LOCAL4
+        ));
+
+        return $logger;
+    }
+
+    /**
+     * perform authentication, redirect user on non successful auth
+     * @return bool
+     */
+    public function doAuth()
+    {
+        if ($this->session->has("Username") == false) {
+            // user unknown
+            $this->getLogger()->error("no active session, user not found");
+            $this->response->redirect("/", true);
+            return false;
+        } elseif ($this->session->has("last_access")
+            && $this->session->get("last_access") < (time() - 14400)) {
+            // session expired (todo, use config timeout)
+            $this->getLogger()->error("session expired");
+            $this->response->redirect("/", true);
+            return false;
+        }
+        $this->session->set("last_access", time());
+
+        // Authorization using legacy acl structure
+        $acl = new ACL();
+        if (!$acl->isPageAccessible($this->session->get("Username"), $_SERVER['REQUEST_URI'])) {
+            $this->getLogger()->error("uri ".$_SERVER['REQUEST_URI'].
+                " not accessible for user ".$this->session->get("Username"));
+            $this->response->redirect("/", true);
+            return false;
+        }
+
+        return true;
+    }
+}