Proxy requests to API4, support authx flows

In order to use the .htaccess rewrite rules you'll need to inlcude
the appropriate AllowOverride in your apache site config.

Introduces new configuration options $target_rest4 (URL to API4
endpoint), authx_internal_flow, and authx_external_flow
(both of which are explained in config.dist.php). Note that this
commit only supports authx flows on API4 requests.

Fixes #66

proxy/.htaccess

@@ -0,0 +1,6 @@
+# Serve
+<IfModule mod_rewrite.c>
+  RewriteEngine on
+  RewriteCond %{REQUEST_URI} ^/civicrm/ajax/api4
+  RewriteRule ^civicrm/ajax/api4/([^/]*)/([^/]*) rest4.php?entity=$1&action=$2 [QSA,B]
+</IfModule>

proxy/checks.php

@@ -0,0 +1,82 @@
+<?php
+
+/**
+ * generates a CiviCRM REST API compliant error
+ * and ends processing
+ */
+function civiproxy_rest_error($message) {
+  $error = array( 'is_error'      => 1,
+                  'error_message' => $message);
+  // TODO: Implement header();
+  print json_encode($error);
+  exit();
+}
+
+/**
+ * Updates $credentials['api_key'] in-place, or displays an error if api key
+ * is missing or does not correspond to an entry in $api_key_map (which should
+ * be set in config.php).
+ * @param array $credentials
+ * @param array $api_key_map
+ */
+function civiproxy_map_api_key(array &$credentials, array $api_key_map) {
+  if (empty($credentials['api_key'])) {
+    civiproxy_rest_error("No API key given");
+  }
+  else {
+    if (isset($api_key_map[$credentials['api_key']])) {
+      $credentials['api_key'] = $api_key_map[$credentials['api_key']];
+    }
+    else {
+      civiproxy_rest_error("Invalid api key");
+    }
+  }
+}
+
+/**
+ * Updates $credentials['key'] in-place, or displays an error if site key
+ * is missing or does not correspond to an entry in $sys_key_map (which should
+ * be set in config.php).
+ * @param array $credentials
+ * @param array $sys_key_map
+ */
+function civiproxy_map_site_key(array &$credentials, array $sys_key_map) {
+  if (empty($credentials['key'])) {
+    civiproxy_rest_error("No site key given");
+  }
+  else {
+    if (isset($sys_key_map[$credentials['key']])) {
+      $credentials['key'] = $sys_key_map[$credentials['key']];
+    }
+	else {
+      civiproxy_rest_error("Invalid site key");
+    }
+  }
+}
+
+/**
+ * @param array $action should have both 'entity' and 'action' keys set
+ * @param array $rest_allowed_actions from config.php
+ * @return array
+ */
+function civiproxy_get_valid_parameters(array $action, array $rest_allowed_actions) {
+  // in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
+  // the previous test is still used when no 'all' key is found in the array
+  if (isset($rest_allowed_actions['all'])) {
+    // get valid key for the rest_allowed_actions
+    $valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions);
+    $valid_parameters = civiproxy_retrieve_api_parameters($valid_allowed_key, $action['entity'], $action['action'], $rest_allowed_actions);
+    if (!$valid_parameters) {
+      civiproxy_rest_error("Invalid entity/action.");
+    }
+  }
+  else {
+    if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
+      $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
+    }
+    else {
+      civiproxy_rest_error("Invalid entity/action.");
+    }
+  }
+  return $valid_parameters;
+}

proxy/config.dist.php

@@ -41,6 +41,8 @@ $target_civicrm = 'https://your.civicrm.installation.org';
 
 // default paths, override if you want. Set to NULL to disable
 $target_rest      = $target_civicrm . '/sites/all/modules/civicrm/extern/rest.php';
+// base URL for api4 calls. Will append entity and action path segments
+$target_rest4     = $target_civicrm . '/civicrm/ajax/api4/';
 $target_file      = $target_civicrm . '/sites/default/files/civicrm/persist/';
 $target_mosaico   = NULL; // (disabled by default): $target_civicrm . '/civicrm/mosaico/img?src=';
 $target_mosaico_template_url = NULL; // (disabled by default): $target_civicrm . '/wp-content/uploads/civicrm/ext/uk.co.vedaconsulting.mosaico/packages/mosaico/templates/';
@@ -75,6 +77,10 @@ $debug                      = NULL; //'LUXFbiaoz4dVWuAHEcuBAe7YQ4YP96rN4MCDmKj89
 // This is useful in some VPN configurations (see CURLOPT_INTERFACE)
 $target_interface           = NULL;
 
+
+/***************************************************************
+ **                Authentication Options                     **
+ ***************************************************************/
 // API and SITE keys (you may add keys here)
 $api_key_map = [
   'my_api_key'   => 'my_api_key',   // use this to allow API key
@@ -91,6 +97,19 @@ if (file_exists(dirname(__FILE__)."/secrets.php")) {
   require "secrets.php";
 }
 
+// CiviCRM's API can authenticate with different flows
+// https://docs.civicrm.org/dev/en/latest/framework/authx/#flows
+// CiviProxy supports 'header', 'xheader', 'legacyrest', and 'param'.
+// These flows are supported for API4 but could be extended to API3.
+// $authx_internal_flow controls how CiviProxy sends credentials to CiviCRM, and
+// $authx_external_flow where CiviProxy looks for credentials on incoming requests.
+// The internal setting needs to have a single scalar value, but the
+// external setting can be an array of accepted flows.
+// There is no standard header for site key, so in both header and xheader
+// flows it uses X-Civi-Key
+$authx_internal_flow = 'header';
+$authx_external_flow = ['legacyrest'];
+
 
 /****************************************************************
  **                   File Caching Options                     **

proxy/proxy.php

@@ -90,6 +90,148 @@ function civiproxy_redirect($url_requested, $parameters) {
   curl_close ($curlSession);
 }
 
+/**
+ * this will redirect the request to an API4 URL,
+ *  i.e. will pass the reply on to this request
+ *
+ * @see losely based on https://code.google.com/p/php-proxy/
+ *
+ * @param $url_requested string the URL to which the request should be sent
+ * @param $parameters array
+ * @param $credentials array
+ */
+function civiproxy_redirect4($url_requested, $parameters, $credentials) {
+  global $target_interface, $authx_internal_flow;
+  $url = $url_requested;
+  $curlSession = curl_init();
+  $credential_params = civiproxy_build_credential_params($credentials, $authx_internal_flow);
+  $credential_headers = civiproxy_build_credential_headers($credentials, $authx_internal_flow);
+
+  if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+    // POST requests should be passed on as POST
+    curl_setopt($curlSession, CURLOPT_POST, 1);
+    $urlparams = 'params=' . urlencode(json_encode($parameters)) . $credential_params;
+    curl_setopt($curlSession, CURLOPT_POSTFIELDS, $urlparams);
+  } else {
+    // GET requests will get the parameters as url params
+    if (!empty($parameters)) {
+      $url .= '?params=' . urlencode(json_encode($parameters)) . $credential_params;
+    }
+  }
+
+  curl_setopt($curlSession, CURLOPT_HTTPHEADER, array_merge([
+    'Content-Type: application/x-www-form-urlencoded'
+  ], $credential_headers));
+  curl_setopt($curlSession, CURLOPT_URL, $url);
+  curl_setopt($curlSession, CURLOPT_HEADER, 1);
+  curl_setopt($curlSession, CURLOPT_RETURNTRANSFER,1);
+  curl_setopt($curlSession, CURLOPT_TIMEOUT, 30);
+  curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, 2);
+  if (!empty($target_interface)) {
+    curl_setopt($curlSession, CURLOPT_INTERFACE, $target_interface);
+  }
+  if (file_exists(dirname(__FILE__).'/target.pem')) {
+    curl_setopt($curlSession, CURLOPT_CAINFO, dirname(__FILE__).'/target.pem');
+  }
+
+  //Send the request and store the result in an array
+  $response = curl_exec($curlSession);
+
+  // Check that a connection was made
+  if (curl_error($curlSession)){
+    civiproxy_http_error(curl_error($curlSession), curl_errno($curlSession));
+
+  } else {
+    //clean duplicate header that seems to appear on fastcgi with output buffer on some servers!!
+    $response = str_replace("HTTP/1.1 100 Continue\r\n\r\n","",$response);
+
+    // split header / content
+    $content = explode("\r\n\r\n", $response, 2);
+    $header = $content[0];
+    $body = $content[1];
+
+    // handle headers - simply re-outputing them
+    $header_ar = explode(chr(10), $header);
+    foreach ($header_ar as $header_line){
+      if (!preg_match("/^Transfer-Encoding/", $header_line)){
+        civiproxy_mend_URLs($header_line);
+        header(trim($header_line));
+      }
+    }
+
+    //rewrite all hard coded urls to ensure the links still work!
+    civiproxy_mend_URLs($body);
+
+    print $body;
+  }
+
+  curl_close($curlSession);
+}
+
+/**
+ * Creates a string with the API credentials to be appended to an API4 GET or POST request.
+ * When $api4_internal_auth_flow is 'header' or 'xheader', returns a blank string
+ *
+ * @param array $credentials
+ * @param string $authx_internal_flow
+ * @return string credential string, including leading '&'
+ */
+function civiproxy_build_credential_params(array $credentials, string $authx_internal_flow): string {
+  switch($authx_internal_flow) {
+    case 'legacyrest':
+      $map = ['api_key' => 'api_key', 'key' => 'key'];
+      break;
+    case 'param':
+      $map = ['api_key' => '_authx', 'key' => '_authxSiteKey'];
+      break;
+    default:
+      return '';
+  }
+  $params = [];
+  foreach($map as $credential_key => $param_name) {
+    if (isset($credentials[$credential_key])) {
+      $credential_value = $credentials[$credential_key];
+      if ($param_name === '_authx') {
+        $credential_value = 'Bearer ' . $credential_value;
+      }
+      $params[$param_name] = $credential_value;
+    }
+  }
+
+  $param_string = http_build_query($params);
+  if (!empty($param_string)) {
+    $param_string = '&' . $param_string;
+  }
+  return $param_string;
+}
+
+/**
+ * Builds an array of headers to send on an API4 request. When $api4_internal_auth_flow
+ * is 'param' or 'legacyrest', will always return an empty array.
+ *
+ * @param array $credentials
+ * @param string $authx_internal_flow
+ * @return array
+ */
+function civiproxy_build_credential_headers(array $credentials, string $authx_internal_flow): array {
+  switch($authx_internal_flow) {
+    case 'header':
+      $map = ['api_key' => 'Authorization: Bearer', 'key' => 'X-Civi-Key:'];
+      break;
+    case 'xheader':
+      $map = ['api_key' => 'X-Civi-Auth: Bearer', 'key' => 'X-Civi-Key:'];
+      break;
+    default:
+      return [];
+  }
+  $headers = [];
+  foreach($map as $credential_key => $header_prefix) {
+    if (isset($credentials[$credential_key])) {
+      $headers[] = $header_prefix . ' ' . $credentials[$credential_key];
+    }
+  }
+  return $headers;
+}
 
 /**
  * Will mend all the URLs in the string that point to the target,
@@ -131,11 +273,12 @@ function civiproxy_mend_URLs(&$string) {
  * unauthorized access quantities, etc.
  *
  * @param $target
- * @param $quit    if TRUE, quit immediately if access denied
+ * @param $quit bool if TRUE, quit immediately if access denied
+ * @param $log_headers array add these headers (sanitized) to log data
  *
  * @return TRUE if allowed, FALSE if not (or quits if $quit is set)
  */
-function civiproxy_security_check($target, $quit=TRUE) {
+function civiproxy_security_check($target, $quit=TRUE, $log_headers = []) {
   // verify that we're SSL encrypted
   if ($_SERVER['HTTPS'] != "on") {
     civiproxy_http_error("This CiviProxy installation requires SSL encryption.", 400);
@@ -145,11 +288,16 @@ function civiproxy_security_check($target, $quit=TRUE) {
   if (!empty($debug)) {
     // filter log data
     $log_data = $_REQUEST;
-    if (isset($log_data['api_key'])) {
-      $log_data['api_key'] = substr($log_data['api_key'], 0, 4) . '...';
+    $sanitize_params = ['api_key', 'key', '_authxSiteKey', '_authx'];
+    foreach ($sanitize_params as $param) {
+      if (isset($log_data[$param])) {
+        $log_data[$param] = substr($log_data[$param], 0, 4) . '...';
       }
-    if (isset($log_data['key'])) {
-      $log_data['key'] = substr($log_data['key'], 0, 4) . '...';
+    }
+
+    foreach($log_headers as $header) {
+      if (!empty($_SERVER[$header]))
+      $log_data[$header] = substr($_SERVER[$header], 0, 4) . '...';
     }
 
     // log
@@ -205,7 +353,7 @@ function civiproxy_get_parameters($valid_parameters, $request = NULL) {
   // process wildcard elements
   if ($default_sanitation !== NULL) {
     // i.e. we want the others too
-    $remove_parameters = array('key', 'api_key', 'version', 'entity', 'action');
+    $remove_parameters = array('key', 'api_key', '_authx', '_authxSiteKey', 'version', 'entity', 'action');
     foreach ($request as $name => $value) {
       if (!in_array($name, $remove_parameters) && !isset($valid_parameters[$name])) {
         $result[$name] = civiproxy_sanitise($value, $default_sanitation);
@@ -216,6 +364,26 @@ function civiproxy_get_parameters($valid_parameters, $request = NULL) {
   return $result;
 }
 
+/**
+ * Get the value of a header on the incoming request
+ *
+ * @param string $header name of the header, in all uppercase
+ * @param string $prefix to be stripped off the value of the header
+ * @return string|null value of the header, or null if not found.
+ */
+function civiproxy_get_header($header, $prefix = ''): ?string {
+  if (!empty($_SERVER['HTTP_' . $header])) {
+    $value = $_SERVER['HTTP_' . $header];
+    if ($prefix === '') {
+      return $value;
+    }
+    if (strpos($value, $prefix) === 0) {
+      return trim(substr($value, strlen($prefix)));
+    }
+  }
+  return NULL;
+}
+
 /**
  * sanitise the given value with the given sanitiation type
  */

proxy/rest.php

@@ -9,11 +9,11 @@
 
 require_once "config.php";
 require_once "proxy.php";
+require_once "checks.php";
 
 // see if REST API is enabled
 if (!$target_rest) civiproxy_http_error("Feature disabled", 405);
 
-
 // basic check
 if (!civiproxy_security_check('rest')) {
   civiproxy_rest_error("Access denied.");
@@ -21,25 +21,9 @@ if (!civiproxy_security_check('rest')) {
 
 // check credentials
 $credentials = civiproxy_get_parameters(array('key' => 'string', 'api_key' => 'string'));
-if (empty($credentials['key'])) {
-  civiproxy_rest_error("No site key given");
-} else {
-  if (isset($sys_key_map[$credentials['key']])) {
-    $credentials['key'] = $sys_key_map[$credentials['key']];
-  } else {
-    civiproxy_rest_error("Invalid site key");
-  }
-}
 
-if (empty($credentials['api_key'])) {
-  civiproxy_rest_error("No API key given");
-} else {
-  if (isset($api_key_map[$credentials['api_key']])) {
-    $credentials['api_key'] = $api_key_map[$credentials['api_key']];
-  } else {
-    civiproxy_rest_error("Invalid api key");
-  }
-}
+civiproxy_map_site_key($credentials, $sys_key_map);
+civiproxy_map_api_key($credentials, $api_key_map);
 
 // check if the call itself is allowed
 $action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int', 'json' => 'int', 'sequential' => 'int'));
@@ -47,22 +31,7 @@ if (!isset($action['version']) || $action['version'] != 3) {
   civiproxy_rest_error("API 'version' information missing.");
 }
 
-// in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
-// the previous test is still used when no 'all' key is found in the array
-if (isset($rest_allowed_actions['all'])) {
-	// get valid key for the rest_allowed_actions
-	$valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions);
-  $valid_parameters = civiproxy_retrieve_api_parameters($valid_allowed_key, $action['entity'], $action['action'], $rest_allowed_actions);
-	if (!$valid_parameters) {
-		civiproxy_rest_error("Invalid entity/action.");
-	}
-} else {
-	if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
-		$valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
-	} else {
-		civiproxy_rest_error("Invalid entity/action.");
-	}
-}
+$valid_parameters= civiproxy_get_valid_parameters($action, $rest_allowed_actions);
 
 // extract parameters and add credentials and action data
 $parameters = civiproxy_get_parameters($valid_parameters);
@@ -88,17 +57,3 @@ if ($rest_evaluate_json_parameter) {
 // finally execute query
 civiproxy_log($target_rest);
 civiproxy_redirect($target_rest, $parameters);
-
-
-/**
- * generates a CiviCRM REST API compliant error
- * and ends processing
- */
-function civiproxy_rest_error($message) {
-  $error = array( 'is_error'      => 1,
-                  'error_message' => $message);
-  // TODO: Implement
-  //header();
-  print json_encode($error);
-  exit();
-}

proxy/rest4.php

@@ -0,0 +1,89 @@
+<?php
+/*--------------------------------------------------------+
+| SYSTOPIA CiviProxy                                      |
+|  a simple proxy solution for external access to CiviCRM |
+| Copyright (C) 2015-2021 SYSTOPIA                        |
+| Author: B. Endres (endres -at- systopia.de)             |
+| http://www.systopia.de/                                 |
++---------------------------------------------------------*/
+
+require_once "config.php";
+require_once "proxy.php";
+require_once "checks.php";
+
+// see if REST API is enabled
+if (!$target_rest4) {
+  civiproxy_http_error("Feature disabled");
+}
+$valid_flows = ['header', 'xheader', 'legacyrest', 'param'];
+$headers_by_flow = [
+ 'header' => ['HTTP_AUTHORIZATION', 'HTTP_X_CIVI_KEY'],
+ 'xheader' => ['HTTP_X_CIVI_AUTH', 'HTTP_X_CIVI_KEY'],
+ 'legacyrest' => [],
+ 'param' => [],
+];
+if (!in_array($authx_internal_flow, $valid_flows)) {
+  civiproxy_http_error("Invalid internal auth flow '$authx_internal_flow'", 500);
+}
+$headers_to_log = [];
+foreach ($authx_external_flow as $external_flow) {
+  if (!in_array($external_flow, $valid_flows)) {
+    civiproxy_http_error("Invalid external auth flow '$external_flow'", 500);
+  }
+  $headers_to_log = array_merge($headers_to_log, $headers_by_flow[$external_flow]);
+}
+
+// basic check
+if (!civiproxy_security_check('rest', TRUE, $headers_to_log)) {
+  civiproxy_rest_error("Access denied.");
+}
+
+$credentials = [];
+// Find credentials on the incoming request
+foreach ($authx_external_flow as $external_flow) {
+  switch($external_flow) {
+    case 'header':
+      $credentials['api_key'] = civiproxy_get_header('AUTHORIZATION', 'Bearer ');
+      $credentials['key'] = civiproxy_get_header('HTTP_X_CIVI_KEY');
+      break;
+    case 'xheader':
+      $credentials['api_key'] = civiproxy_get_header('X_CIVI_AUTH', 'Bearer ');
+      $credentials['key'] = civiproxy_get_header('HTTP_X_CIVI_KEY');
+      break;
+    case 'legacyrest':
+      $credentials = civiproxy_get_parameters(array('api_key' => 'string', 'key' => 'string'));
+      break;
+    case 'param':
+      $authx_credentials = civiproxy_get_parameters(array('_authx' => 'string', '_authxSiteKey' => 'string'));
+      if (!empty($authx_credentials['_authx'])) {
+        // Snip off leading 'Bearer ' or 'Bearer+'
+        if (substr($authx_credentials['_authx'], 0, 6) === 'Bearer') {
+          $credentials['api_key'] = substr($authx_credentials['_authx'], 7);
+        }
+      }
+      if (!empty($authx_credentials['_authxSiteKey'])) {
+        $credentials['key'] = $authx_credentials['_authxSiteKey'];
+      }
+      break;
+  }
+  if (!empty($credentials['api_key'])) {
+    break;
+  }
+}
+
+civiproxy_map_api_key($credentials, $api_key_map);
+if (!empty($credentials['key'])) {
+  civiproxy_map_site_key( $credentials, $sys_key_map);
+}
+
+// check if the call itself is allowed
+$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string'));
+
+$valid_parameters = civiproxy_get_valid_parameters($action, $rest_allowed_actions);
+
+// extract parameters and add action data
+$parameters = civiproxy_get_parameters($valid_parameters, json_decode($_REQUEST['params'], true));
+
+// finally execute query
+civiproxy_log($target_rest4);
+civiproxy_redirect4($target_rest4 . $action['entity'] . '/' . $action['action'] , $parameters, $credentials);