Compare commits


No commits in common. "master" and "0.6-beta2" have entirely different histories.

27 changed files with 538 additions and 779 deletions


@ -1,8 +1 @@
## About Documentation on CiviProxy can be found here: https://docs.civicrm.org/civiproxy/en/latest/
CiviProxy is a tool to set up a security proxy server specifically for your CiviCRM instance. It uses whitelisting and parameter sanitation to allow only legitimate requests to pass through.
## Documentation
The documentation on CiviProxy can be found here: https://docs.civicrm.org/civiproxy/en/latest/
## We need your support
This software is provided as Free and Open Source Software, and we are happy if you find it useful. However, we have put a lot of work into it (and continue to do so), much of it unpaid for. So if you benefit from our software, please consider making a financial contribution so we can continue to maintain and develop it further.
If you are willing to support us in developing this tool, please send an email to info@systopia.de to get an invoice or agree a different payment method. Thank you!


@ -17,23 +17,12 @@ class CRM_Civiproxy_Mailer {
* this is the orginal, wrapped mailer * this is the orginal, wrapped mailer
*/ */
protected $mailer = NULL; protected $mailer = NULL;
/**
* @var Mail Driver
*/
protected $driver = NULL;
/**
* @var array Mail Params, currently not used
*/
protected $params = [];
/** /**
* construct this mailer wrapping another one * construct this mailer wrapping another one
*/ */
public function __construct($mailer, $driver, $params) { public function __construct($mailer) {
$this->mailer = $mailer; $this->mailer = $mailer;
$this->driver = $driver;
$this->params = $params;
} }
/** /**
@ -58,8 +47,6 @@ class CRM_Civiproxy_Mailer {
$enabled = CRM_Core_BAO_Setting::getItem('CiviProxy Settings', 'proxy_enabled'); $enabled = CRM_Core_BAO_Setting::getItem('CiviProxy Settings', 'proxy_enabled');
if (!$enabled) return; if (!$enabled) return;
$mosaico = CRM_Civiproxy_Mosaico::singleton();
// get the URLs // get the URLs
$config = CRM_Core_Config::singleton(); $config = CRM_Core_Config::singleton();
$system_base = $config->userFrameworkBaseURL; $system_base = $config->userFrameworkBaseURL;
@ -72,12 +59,6 @@ class CRM_Civiproxy_Mailer {
$value = preg_replace("#{$system_base}sites/all/modules/civicrm/extern/open.php#i", $proxy_base.'/open.php', $value); $value = preg_replace("#{$system_base}sites/all/modules/civicrm/extern/open.php#i", $proxy_base.'/open.php', $value);
$value = preg_replace("#{$system_base}sites/default/files/civicrm/persist/#i", $proxy_base.'/file.php?id=', $value); $value = preg_replace("#{$system_base}sites/default/files/civicrm/persist/#i", $proxy_base.'/file.php?id=', $value);
$value = preg_replace("#{$system_base}civicrm/mosaico/img\?src=#i", $proxy_base.'/mosaico.php?id=', $value); $value = preg_replace("#{$system_base}civicrm/mosaico/img\?src=#i", $proxy_base.'/mosaico.php?id=', $value);
$value = preg_replace("#{$system_base}civicrm/mosaico/img/\?src=#i", $proxy_base.'/mosaico.php?id=', $value);
if ($mosaico->isMosaicoInstalled()) {
$value = preg_replace_callback("#({$mosaico->getMosaicoExtensionUrl()}/packages/mosaico/templates/)(\S*)([\"'])#i", function($matches) use ($proxy_base) {
return $proxy_base . '/mosaico.php?template_url=' . urlencode($matches[2]) . $matches[3];
}, $value);
}
// Mailing related functions // Mailing related functions
$value = preg_replace("#{$system_base}civicrm/mailing/view#i", $proxy_base.'/mailing/mail.php', $value); $value = preg_replace("#{$system_base}civicrm/mailing/view#i", $proxy_base.'/mailing/mail.php', $value);
@ -92,11 +73,4 @@ class CRM_Civiproxy_Mailer {
$value = preg_replace("#{$system_base}civicrm/mailing/{$function}#i", $new_url, $value); $value = preg_replace("#{$system_base}civicrm/mailing/{$function}#i", $new_url, $value);
} }
} }
/**
* @return Mail|null
*/
public function getDriver() {
return $this->driver;
}
} }
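Review bot: `$system_base` is interpolated into every `#...#i` pattern of the hunk at `-72,12 +59,6` without `preg_quote`, so the dots in the base URL's hostname match any character and a `#` or other metacharacter in the configured base URL would break the pattern entirely; build the prefix once where the URL is read, `$base = preg_quote($system_base, '#');`, and use `{$base}` in the patterns. The method containing these replacements starts and ends outside the hunk, so that assignment belongs next to the `$config->userFrameworkBaseURL` read in the hunk at `-58,8 +47,6`. The constructor hunk drops `$driver` and `$params` while `civiproxy_civicrm_alterMailer` still receives them, which is consistent on the new side and needs no further change.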


@ -1,70 +0,0 @@
<?php
/**
* Copyright (C) 2021 Jaap Jansma (jaap.jansma@civicoop.org)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
class CRM_Civiproxy_Mosaico {
/**
* @var CRM_Civiproxy_Mosaico
*/
private static $singleton;
/**
* @var String
*/
private $mosiacoExtenionUrl;
/**
* @var bool
*/
private $isMosaicoInstalled = false;
private function __construct() {
try {
$mosaicoExt = civicrm_api3('Extension', 'getsingle', ['full_name' => "uk.co.vedaconsulting.mosaico"]);
$this->isMosaicoInstalled = true;
$this->mosiacoExtenionUrl = CRM_Mosaico_ExtensionUtil::url();
} catch (\Exception $ex) {
// Do nothing
}
}
/**
* @return CRM_Civiproxy_Mosaico
*/
public static function singleton() {
if (!self::$singleton) {
self::$singleton = new CRM_Civiproxy_Mosaico();
}
return self::$singleton;
}
/**
* @return bool
*/
public function isMosaicoInstalled() {
return $this->isMosaicoInstalled;
}
/**
* @return string
*/
public function getMosaicoExtensionUrl() {
return $this->mosiacoExtenionUrl;
}
}


@ -7,9 +7,9 @@
* extension. * extension.
*/ */
class CRM_Civiproxy_ExtensionUtil { class CRM_Civiproxy_ExtensionUtil {
const SHORT_NAME = 'civiproxy'; const SHORT_NAME = "civiproxy";
const LONG_NAME = 'de.systopia.civiproxy'; const LONG_NAME = "de.systopia.civiproxy";
const CLASS_PREFIX = 'CRM_Civiproxy'; const CLASS_PREFIX = "CRM_Civiproxy";
/** /**
* Translate a string using the extension's domain. * Translate a string using the extension's domain.
@ -24,7 +24,7 @@ class CRM_Civiproxy_ExtensionUtil {
* Translated text. * Translated text.
* @see ts * @see ts
*/ */
public static function ts($text, $params = []): string { public static function ts($text, $params = []) {
if (!array_key_exists('domain', $params)) { if (!array_key_exists('domain', $params)) {
$params['domain'] = [self::LONG_NAME, NULL]; $params['domain'] = [self::LONG_NAME, NULL];
} }
@ -41,7 +41,7 @@ class CRM_Civiproxy_ExtensionUtil {
* Ex: 'http://example.org/sites/default/ext/org.example.foo'. * Ex: 'http://example.org/sites/default/ext/org.example.foo'.
* Ex: 'http://example.org/sites/default/ext/org.example.foo/css/foo.css'. * Ex: 'http://example.org/sites/default/ext/org.example.foo/css/foo.css'.
*/ */
public static function url($file = NULL): string { public static function url($file = NULL) {
if ($file === NULL) { if ($file === NULL) {
return rtrim(CRM_Core_Resources::singleton()->getUrl(self::LONG_NAME), '/'); return rtrim(CRM_Core_Resources::singleton()->getUrl(self::LONG_NAME), '/');
} }
@ -75,7 +75,6 @@ class CRM_Civiproxy_ExtensionUtil {
return self::CLASS_PREFIX . '_' . str_replace('\\', '_', $suffix); return self::CLASS_PREFIX . '_' . str_replace('\\', '_', $suffix);
} }
} }
use CRM_Civiproxy_ExtensionUtil as E; use CRM_Civiproxy_ExtensionUtil as E;
@ -85,17 +84,40 @@ use CRM_Civiproxy_ExtensionUtil as E;
* *
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_config
*/ */
function _civiproxy_civix_civicrm_config($config = NULL) { function _civiproxy_civix_civicrm_config(&$config = NULL) {
static $configured = FALSE; static $configured = FALSE;
if ($configured) { if ($configured) {
return; return;
} }
$configured = TRUE; $configured = TRUE;
$extRoot = __DIR__ . DIRECTORY_SEPARATOR; $template =& CRM_Core_Smarty::singleton();
$extRoot = dirname(__FILE__) . DIRECTORY_SEPARATOR;
$extDir = $extRoot . 'templates';
if (is_array($template->template_dir)) {
array_unshift($template->template_dir, $extDir);
}
else {
$template->template_dir = [$extDir, $template->template_dir];
}
$include_path = $extRoot . PATH_SEPARATOR . get_include_path(); $include_path = $extRoot . PATH_SEPARATOR . get_include_path();
set_include_path($include_path); set_include_path($include_path);
// Based on <compatibility>, this does not currently require mixin/polyfill.php. }
/**
* (Delegated) Implements hook_civicrm_xmlMenu().
*
* @param $files array(string)
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_xmlMenu
*/
function _civiproxy_civix_civicrm_xmlMenu(&$files) {
foreach (_civiproxy_civix_glob(__DIR__ . '/xml/Menu/*.xml') as $file) {
$files[] = $file;
}
} }
/** /**
@ -105,7 +127,35 @@ function _civiproxy_civix_civicrm_config($config = NULL) {
*/ */
function _civiproxy_civix_civicrm_install() { function _civiproxy_civix_civicrm_install() {
_civiproxy_civix_civicrm_config(); _civiproxy_civix_civicrm_config();
// Based on <compatibility>, this does not currently require mixin/polyfill.php. if ($upgrader = _civiproxy_civix_upgrader()) {
$upgrader->onInstall();
}
}
/**
* Implements hook_civicrm_postInstall().
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_postInstall
*/
function _civiproxy_civix_civicrm_postInstall() {
_civiproxy_civix_civicrm_config();
if ($upgrader = _civiproxy_civix_upgrader()) {
if (is_callable([$upgrader, 'onPostInstall'])) {
$upgrader->onPostInstall();
}
}
}
/**
* Implements hook_civicrm_uninstall().
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_uninstall
*/
function _civiproxy_civix_civicrm_uninstall() {
_civiproxy_civix_civicrm_config();
if ($upgrader = _civiproxy_civix_upgrader()) {
$upgrader->onUninstall();
}
} }
/** /**
@ -113,9 +163,212 @@ function _civiproxy_civix_civicrm_install() {
* *
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable * @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_enable
*/ */
function _civiproxy_civix_civicrm_enable(): void { function _civiproxy_civix_civicrm_enable() {
_civiproxy_civix_civicrm_config(); _civiproxy_civix_civicrm_config();
// Based on <compatibility>, this does not currently require mixin/polyfill.php. if ($upgrader = _civiproxy_civix_upgrader()) {
if (is_callable([$upgrader, 'onEnable'])) {
$upgrader->onEnable();
}
}
}
/**
* (Delegated) Implements hook_civicrm_disable().
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_disable
* @return mixed
*/
function _civiproxy_civix_civicrm_disable() {
_civiproxy_civix_civicrm_config();
if ($upgrader = _civiproxy_civix_upgrader()) {
if (is_callable([$upgrader, 'onDisable'])) {
$upgrader->onDisable();
}
}
}
/**
* (Delegated) Implements hook_civicrm_upgrade().
*
* @param $op string, the type of operation being performed; 'check' or 'enqueue'
* @param $queue CRM_Queue_Queue, (for 'enqueue') the modifiable list of pending up upgrade tasks
*
* @return mixed
* based on op. for 'check', returns array(boolean) (TRUE if upgrades are pending)
* for 'enqueue', returns void
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_upgrade
*/
function _civiproxy_civix_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) {
if ($upgrader = _civiproxy_civix_upgrader()) {
return $upgrader->onUpgrade($op, $queue);
}
}
/**
* @return CRM_Civiproxy_Upgrader
*/
function _civiproxy_civix_upgrader() {
if (!file_exists(__DIR__ . '/CRM/Civiproxy/Upgrader.php')) {
return NULL;
}
else {
return CRM_Civiproxy_Upgrader_Base::instance();
}
}
/**
* Search directory tree for files which match a glob pattern.
*
* Note: Dot-directories (like "..", ".git", or ".svn") will be ignored.
* Note: In Civi 4.3+, delegate to CRM_Utils_File::findFiles()
*
* @param string $dir base dir
* @param string $pattern , glob pattern, eg "*.txt"
*
* @return array
*/
function _civiproxy_civix_find_files($dir, $pattern) {
if (is_callable(['CRM_Utils_File', 'findFiles'])) {
return CRM_Utils_File::findFiles($dir, $pattern);
}
$todos = [$dir];
$result = [];
while (!empty($todos)) {
$subdir = array_shift($todos);
foreach (_civiproxy_civix_glob("$subdir/$pattern") as $match) {
if (!is_dir($match)) {
$result[] = $match;
}
}
if ($dh = opendir($subdir)) {
while (FALSE !== ($entry = readdir($dh))) {
$path = $subdir . DIRECTORY_SEPARATOR . $entry;
if ($entry[0] == '.') {
}
elseif (is_dir($path)) {
$todos[] = $path;
}
}
closedir($dh);
}
}
return $result;
}
/**
* (Delegated) Implements hook_civicrm_managed().
*
* Find any *.mgd.php files, merge their content, and return.
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_managed
*/
function _civiproxy_civix_civicrm_managed(&$entities) {
$mgdFiles = _civiproxy_civix_find_files(__DIR__, '*.mgd.php');
sort($mgdFiles);
foreach ($mgdFiles as $file) {
$es = include $file;
foreach ($es as $e) {
if (empty($e['module'])) {
$e['module'] = E::LONG_NAME;
}
if (empty($e['params']['version'])) {
$e['params']['version'] = '3';
}
$entities[] = $e;
}
}
}
/**
* (Delegated) Implements hook_civicrm_caseTypes().
*
* Find any and return any files matching "xml/case/*.xml"
*
* Note: This hook only runs in CiviCRM 4.4+.
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_caseTypes
*/
function _civiproxy_civix_civicrm_caseTypes(&$caseTypes) {
if (!is_dir(__DIR__ . '/xml/case')) {
return;
}
foreach (_civiproxy_civix_glob(__DIR__ . '/xml/case/*.xml') as $file) {
$name = preg_replace('/\.xml$/', '', basename($file));
if ($name != CRM_Case_XMLProcessor::mungeCaseType($name)) {
$errorMessage = sprintf("Case-type file name is malformed (%s vs %s)", $name, CRM_Case_XMLProcessor::mungeCaseType($name));
throw new CRM_Core_Exception($errorMessage);
}
$caseTypes[$name] = [
'module' => E::LONG_NAME,
'name' => $name,
'file' => $file,
];
}
}
/**
* (Delegated) Implements hook_civicrm_angularModules().
*
* Find any and return any files matching "ang/*.ang.php"
*
* Note: This hook only runs in CiviCRM 4.5+.
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_angularModules
*/
function _civiproxy_civix_civicrm_angularModules(&$angularModules) {
if (!is_dir(__DIR__ . '/ang')) {
return;
}
$files = _civiproxy_civix_glob(__DIR__ . '/ang/*.ang.php');
foreach ($files as $file) {
$name = preg_replace(':\.ang\.php$:', '', basename($file));
$module = include $file;
if (empty($module['ext'])) {
$module['ext'] = E::LONG_NAME;
}
$angularModules[$name] = $module;
}
}
/**
* (Delegated) Implements hook_civicrm_themes().
*
* Find any and return any files matching "*.theme.php"
*/
function _civiproxy_civix_civicrm_themes(&$themes) {
$files = _civiproxy_civix_glob(__DIR__ . '/*.theme.php');
foreach ($files as $file) {
$themeMeta = include $file;
if (empty($themeMeta['name'])) {
$themeMeta['name'] = preg_replace(':\.theme\.php$:', '', basename($file));
}
if (empty($themeMeta['ext'])) {
$themeMeta['ext'] = E::LONG_NAME;
}
$themes[$themeMeta['name']] = $themeMeta;
}
}
/**
* Glob wrapper which is guaranteed to return an array.
*
* The documentation for glob() says, "On some systems it is impossible to
* distinguish between empty match and an error." Anecdotally, the return
* result for an empty match is sometimes array() and sometimes FALSE.
* This wrapper provides consistency.
*
* @link http://php.net/glob
* @param string $pattern
*
* @return array
*/
function _civiproxy_civix_glob($pattern) {
$result = glob($pattern);
return is_array($result) ? $result : [];
} }
/** /**
@ -134,7 +387,7 @@ function _civiproxy_civix_insert_navigation_menu(&$menu, $path, $item) {
if (empty($path)) { if (empty($path)) {
$menu[] = [ $menu[] = [
'attributes' => array_merge([ 'attributes' => array_merge([
'label' => $item['name'] ?? NULL, 'label' => CRM_Utils_Array::value('name', $item),
'active' => 1, 'active' => 1,
], $item), ], $item),
]; ];
@ -199,3 +452,26 @@ function _civiproxy_civix_fixNavigationMenuItems(&$nodes, &$maxNavID, $parentID)
} }
} }
} }
/**
* (Delegated) Implements hook_civicrm_alterSettingsFolders().
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_alterSettingsFolders
*/
function _civiproxy_civix_civicrm_alterSettingsFolders(&$metaDataFolders = NULL) {
$settingsDir = __DIR__ . DIRECTORY_SEPARATOR . 'settings';
if (!in_array($settingsDir, $metaDataFolders) && is_dir($settingsDir)) {
$metaDataFolders[] = $settingsDir;
}
}
/**
* (Delegated) Implements hook_civicrm_entityTypes().
*
* Find any *.entityType.php files, merge their content, and return.
*
* @link https://docs.civicrm.org/dev/en/latest/hooks/hook_civicrm_entityTypes
*/
function _civiproxy_civix_civicrm_entityTypes(&$entityTypes) {
$entityTypes = array_merge($entityTypes, []);
}


@ -15,7 +15,7 @@ require_once 'civiproxy.civix.php';
* so we can mend all the URLs in outgoing emails * so we can mend all the URLs in outgoing emails
*/ */
function civiproxy_civicrm_alterMailer(&$mailer, $driver, $params) { function civiproxy_civicrm_alterMailer(&$mailer, $driver, $params) {
$mailer = new CRM_Civiproxy_Mailer($mailer, $driver, $params); $mailer = new CRM_Civiproxy_Mailer($mailer);
} }
/** /**
@ -25,6 +25,15 @@ function civiproxy_civicrm_config(&$config) {
_civiproxy_civix_civicrm_config($config); _civiproxy_civix_civicrm_config($config);
} }
/**
* Implementation of hook_civicrm_xmlMenu
*
* @param $files array(string)
*/
function civiproxy_civicrm_xmlMenu(&$files) {
_civiproxy_civix_civicrm_xmlMenu($files);
}
/** /**
* Implementation of hook_civicrm_install * Implementation of hook_civicrm_install
*/ */
@ -32,6 +41,13 @@ function civiproxy_civicrm_install() {
return _civiproxy_civix_civicrm_install(); return _civiproxy_civix_civicrm_install();
} }
/**
* Implementation of hook_civicrm_uninstall
*/
function civiproxy_civicrm_uninstall() {
return _civiproxy_civix_civicrm_uninstall();
}
/** /**
* Implementation of hook_civicrm_enable * Implementation of hook_civicrm_enable
*/ */
@ -39,9 +55,61 @@ function civiproxy_civicrm_enable() {
return _civiproxy_civix_civicrm_enable(); return _civiproxy_civix_civicrm_enable();
} }
/**
* Implementation of hook_civicrm_disable
*/
function civiproxy_civicrm_disable() {
return _civiproxy_civix_civicrm_disable();
}
/**
* Implementation of hook_civicrm_upgrade
*
* @param $op string, the type of operation being performed; 'check' or 'enqueue'
* @param $queue CRM_Queue_Queue, (for 'enqueue') the modifiable list of pending up upgrade tasks
*
* @return mixed based on op. for 'check', returns array(boolean) (TRUE if upgrades are pending)
* for 'enqueue', returns void
*/
function civiproxy_civicrm_upgrade($op, CRM_Queue_Queue $queue = NULL) {
return _civiproxy_civix_civicrm_upgrade($op, $queue);
}
/**
* Implementation of hook_civicrm_managed
*
* Generate a list of entities to create/deactivate/delete when this module
* is installed, disabled, uninstalled.
*/
function civiproxy_civicrm_managed(&$entities) {
return _civiproxy_civix_civicrm_managed($entities);
}
/**
* Implementation of hook_civicrm_caseTypes
*
* Generate a list of case-types
*
* Note: This hook only runs in CiviCRM 4.4+.
*/
function civiproxy_civicrm_caseTypes(&$caseTypes) {
_civiproxy_civix_civicrm_caseTypes($caseTypes);
}
/** /**
* Implementation of hook_civicrm_alterSettingsFolders * Implementation of hook_civicrm_alterSettingsFolders
* *
* Scan for settings in custom folder and import them * Scan for settings in custom folder and import them
* *
*/ */
function civiproxy_civicrm_alterSettingsFolders(&$metaDataFolders = NULL){
static $configured = FALSE;
if ($configured) return;
$configured = TRUE;
$extRoot = dirname( __FILE__ ) . DIRECTORY_SEPARATOR;
$extDir = $extRoot . 'settings';
if(!in_array($extDir, $metaDataFolders)){
$metaDataFolders[] = $extDir;
}
}
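Review bot: `civiproxy_civicrm_alterSettingsFolders` defaults `$metaDataFolders` to `NULL` but passes it straight to `in_array`, which is a TypeError on PHP 8 (a warning before that) whenever the hook is invoked without an array; coerce first and compare strictly, `if (!in_array($extDir, (array) $metaDataFolders, true)) {`. The `static $configured` guard also means the settings directory is only appended to the first `$metaDataFolders` array the hook ever sees in a request; if CiviCRM invokes the hook again with a fresh array (I cannot confirm that from here) later callers miss the directory, and the `in_array` check already prevents duplicates, so the guard looks unnecessary. The `){` and `if(` spacing differs from the rest of the file.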


@ -3,36 +3,20 @@
<file>civiproxy</file> <file>civiproxy</file>
<name>CiviProxy</name> <name>CiviProxy</name>
<description>This will enable CiviProxy support for mailings</description> <description>This will enable CiviProxy support for mailings</description>
<license>AGPL</license> <license></license>
<maintainer> <maintainer>
<author>B. Endres</author> <author>B. Endres</author>
<email>endres@systopia.de</email> <email>endres@systopia.de</email>
</maintainer> </maintainer>
<urls> <releaseDate>2021-06-14</releaseDate>
<url desc="Main Extension Page">https://github.com/systopia/CiviProxy</url> <version>0.6-beta2</version>
<url desc="Documentation">https://docs.civicrm.org/civiproxy/en/latest/</url>
<url desc="Support">https://github.com/systopia/CiviProxy/issues</url>
<url desc="Licensing">http://www.gnu.org/licenses/agpl-3.0.html</url>
</urls>
<releaseDate>2024-01-07</releaseDate>
<version>1.0.0-beta</version>
<develStage>beta</develStage> <develStage>beta</develStage>
<compatibility> <compatibility>
<ver>5.45</ver> <ver>4.7</ver>
<ver>5.0</ver>
</compatibility> </compatibility>
<comments>This is the companion extension to SYSTOPIA's CiviProxy security system</comments> <comments>This is an addition to SYSTOPIA's CiviProxy security system</comments>
<civix> <civix>
<namespace>CRM/Civiproxy</namespace> <namespace>CRM/Civiproxy</namespace>
<format>24.09.1</format>
</civix> </civix>
<mixins>
<mixin>menu-xml@1.0.0</mixin>
<mixin>setting-php@1.0.0</mixin>
<mixin>smarty-v2@1.0.3</mixin>
<mixin>entity-types-php@2.0.0</mixin>
</mixins>
<classloader>
<psr0 prefix="CRM_" path="."/>
<psr4 prefix="Civi\" path="Civi"/>
</classloader>
</extension> </extension>


@ -1,40 +0,0 @@
<?php
/**
* Auto-register entity declarations from `schema/*.entityType.php`.
*
* @mixinName entity-types-php
* @mixinVersion 2.0.0
* @since 5.73
*
* Changelog:
* - v2.0 scans /schema directory instead of /xml/schema/*
* - v2.0 supports only one entity per file
* - v2.0 adds 'module' key to each entity
*
* @param CRM_Extension_MixInfo $mixInfo
* On newer deployments, this will be an instance of MixInfo. On older deployments, Civix may polyfill with a work-a-like.
* @param \CRM_Extension_BootCache $bootCache
* On newer deployments, this will be an instance of BootCache. On older deployments, Civix may polyfill with a work-a-like.
*/
return function ($mixInfo, $bootCache) {
/**
* @param \Civi\Core\Event\GenericHookEvent $e
* @see CRM_Utils_Hook::entityTypes()
*/
Civi::dispatcher()->addListener('hook_civicrm_entityTypes', function ($e) use ($mixInfo) {
// When deactivating on a polyfill/pre-mixin system, listeners may not cleanup automatically.
if (!$mixInfo->isActive() || !is_dir($mixInfo->getPath('schema'))) {
return;
}
$files = (array) glob($mixInfo->getPath('schema/*.entityType.php'));
foreach ($files as $file) {
$entity = include $file;
$entity['module'] = $mixInfo->longName;
$e->entityTypes[$entity['name']] = $entity;
}
});
};


@ -1,78 +0,0 @@
<?php
/**
* Auto-register "templates/" folder.
*
* @mixinName smarty-v2
* @mixinVersion 1.0.3
* @since 5.59
*
* @deprecated - it turns out that the mixin is not version specific so the 'smarty'
* mixin is preferred over smarty-v2 (they are the same but not having the version
* in the name is less misleading.)
*
* @param CRM_Extension_MixInfo $mixInfo
* On newer deployments, this will be an instance of MixInfo. On older deployments, Civix may polyfill with a work-a-like.
* @param \CRM_Extension_BootCache $bootCache
* On newer deployments, this will be an instance of MixInfo. On older deployments, Civix may polyfill with a work-a-like.
*/
return function ($mixInfo, $bootCache) {
$dir = $mixInfo->getPath('templates');
if (!file_exists($dir)) {
return;
}
$register = function($newDirs) {
$smarty = CRM_Core_Smarty::singleton();
$v2 = isset($smarty->_version) && version_compare($smarty->_version, 3, '<');
$templateDirs = (array) ($v2 ? $smarty->template_dir : $smarty->getTemplateDir());
$templateDirs = array_merge($newDirs, $templateDirs);
$templateDirs = array_unique(array_map(function($v) {
$v = str_replace(DIRECTORY_SEPARATOR, '/', $v);
$v = rtrim($v, '/') . '/';
return $v;
}, $templateDirs));
if ($v2) {
$smarty->template_dir = $templateDirs;
}
else {
$smarty->setTemplateDir($templateDirs);
}
};
// Let's figure out what environment we're in -- so that we know the best way to call $register().
if (!empty($GLOBALS['_CIVIX_MIXIN_POLYFILL'])) {
// Polyfill Loader (v<=5.45): We're already in the middle of firing `hook_config`.
if ($mixInfo->isActive()) {
$register([$dir]);
}
return;
}
if (CRM_Extension_System::singleton()->getManager()->extensionIsBeingInstalledOrEnabled($mixInfo->longName)) {
// New Install, Standard Loader: The extension has just been enabled, and we're now setting it up.
// System has already booted. New templates may be needed for upcoming installation steps.
$register([$dir]);
return;
}
// Typical Pageview, Standard Loader: Defer the actual registration for a moment -- to ensure that Smarty is online.
// We need to bundle-up all dirs -- Smarty 3/4/5 is inefficient with processing repeated calls to `getTemplateDir()`+`setTemplateDir()`
if (!isset(Civi::$statics[__FILE__]['event'])) {
Civi::$statics[__FILE__]['event'] = 'civi.smarty-v2.addPaths.' . md5(__FILE__);
Civi::dispatcher()->addListener('hook_civicrm_config', function() use ($register) {
$dirs = [];
$event = \Civi\Core\Event\GenericHookEvent::create(['dirs' => &$dirs]);
Civi::dispatcher()->dispatch(Civi::$statics[__FILE__]['event'], $event);
$register($dirs);
});
}
Civi::dispatcher()->addListener(Civi::$statics[__FILE__]['event'], function($event) use ($mixInfo, $dir) {
if ($mixInfo->isActive()) {
array_unshift($event->dirs, $dir);
}
});
};


@ -3,7 +3,7 @@
There shouldn't be any requirements that any web hoster wouldn't comply with, but here they are: There shouldn't be any requirements that any web hoster wouldn't comply with, but here they are:
1. PHP 5.3+ 1. PHP 5.3+
2. PHP PEAR (to install on Debian/Ubuntu, run `apt-get install php-pear`) 2. PHP PEAR (to install on Debian/Ubunto, run `apt-get install php-pear`)
3. The `php-curl` module 3. The `php-curl` module
4. Read/write permissions on your webspace 4. Read/write permissions on your webspace
5. Reasonable amount of protection, i.e. only authorised users (you) can upload/download the files 5. Reasonable amount of protection, i.e. only authorised users (you) can upload/download the files


@ -1,6 +0,0 @@
# Serve
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/civicrm/ajax/api4
RewriteRule ^civicrm/ajax/api4/([^/]*)/([^/]*) rest4.php?entity=$1&action=$2 [QSA,B]
</IfModule>


@ -1,82 +0,0 @@
<?php
/**
* generates a CiviCRM REST API compliant error
* and ends processing
*/
function civiproxy_rest_error($message) {
$error = array( 'is_error' => 1,
'error_message' => $message);
// TODO: Implement header();
print json_encode($error);
exit();
}
/**
* Updates $credentials['api_key'] in-place, or displays an error if api key
* is missing or does not correspond to an entry in $api_key_map (which should
* be set in config.php).
* @param array $credentials
* @param array $api_key_map
*/
function civiproxy_map_api_key(array &$credentials, array $api_key_map) {
if (empty($credentials['api_key'])) {
civiproxy_rest_error("No API key given");
}
else {
if (isset($api_key_map[$credentials['api_key']])) {
$credentials['api_key'] = $api_key_map[$credentials['api_key']];
}
else {
civiproxy_rest_error("Invalid api key");
}
}
}
/**
* Updates $credentials['key'] in-place, or displays an error if site key
* is missing or does not correspond to an entry in $sys_key_map (which should
* be set in config.php).
* @param array $credentials
* @param array $sys_key_map
*/
function civiproxy_map_site_key(array &$credentials, array $sys_key_map) {
if (empty($credentials['key'])) {
civiproxy_rest_error("No site key given");
}
else {
if (isset($sys_key_map[$credentials['key']])) {
$credentials['key'] = $sys_key_map[$credentials['key']];
}
else {
civiproxy_rest_error("Invalid site key");
}
}
}
/**
* @param array $action should have both 'entity' and 'action' keys set
* @param array $rest_allowed_actions from config.php
* @return array
*/
function civiproxy_get_valid_parameters(array $action, array $rest_allowed_actions) {
// in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
// the previous test is still used when no 'all' key is found in the array
if (isset($rest_allowed_actions['all'])) {
// get valid key for the rest_allowed_actions
$valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions);
$valid_parameters = civiproxy_retrieve_api_parameters($valid_allowed_key, $action['entity'], $action['action'], $rest_allowed_actions);
if (!$valid_parameters) {
civiproxy_rest_error("Invalid entity/action.");
}
}
else {
if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
$valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
}
else {
civiproxy_rest_error("Invalid entity/action.");
}
}
return $valid_parameters;
}


@ -41,18 +41,16 @@ $target_civicrm = 'https://your.civicrm.installation.org';
// default paths, override if you want. Set to NULL to disable // default paths, override if you want. Set to NULL to disable
$target_rest = $target_civicrm . '/sites/all/modules/civicrm/extern/rest.php'; $target_rest = $target_civicrm . '/sites/all/modules/civicrm/extern/rest.php';
// base URL for api4 calls. Will append entity and action path segments
$target_rest4 = $target_civicrm . '/civicrm/ajax/api4/';
$target_file = $target_civicrm . '/sites/default/files/civicrm/persist/'; $target_file = $target_civicrm . '/sites/default/files/civicrm/persist/';
$target_mosaico = NULL; // (disabled by default): $target_civicrm . '/civicrm/mosaico/img?src='; $target_mosaico = NULL; // (disabled by default): $target_civicrm . '/civicrm/mosaico/img?src=';
$target_mosaico_template_url = NULL; // (disabled by default): $target_civicrm . '/wp-content/uploads/civicrm/ext/uk.co.vedaconsulting.mosaico/packages/mosaico/templates/';
$target_mail_view = $target_civicrm . '/civicrm/mailing/view'; $target_mail_view = $target_civicrm . '/civicrm/mailing/view';
$target_url = $target_civicrm . '/civicrm/mailing/url'; $target_url = $target_civicrm . '/civicrm/mailing/url';
$target_open = $target_civicrm . '/civicrm/mailing/open'; $target_open = $target_civicrm . '/civicrm/mailing/open';
// CAUTION: use the following for CiviCRM < 5.27 or "Extern URL Style" = "Standalone Scripts" // CAUTION: use the following for CiviCRM < 5.27 or "Extern URL Style" = "Standalone Scripts"
//$target_url = $target_civicrm . '/sites/all/modules/civicrm/extern/url.php'; #$target_url = $target_civicrm . '/sites/all/modules/civicrm/extern/url.php';
//$target_open = $target_civicrm . '/sites/all/modules/civicrm/extern/open.php'; #$target_open = $target_civicrm . '/sites/all/modules/civicrm/extern/open.php';
/**************************************************************** /****************************************************************
** GENERAL OPTIONS ** ** GENERAL OPTIONS **
@ -76,10 +74,6 @@ $debug = NULL; //'LUXFbiaoz4dVWuAHEcuBAe7YQ4YP96rN4MCDmKj89
// This is useful in some VPN configurations (see CURLOPT_INTERFACE) // This is useful in some VPN configurations (see CURLOPT_INTERFACE)
$target_interface = NULL; $target_interface = NULL;
/***************************************************************
** Authentication Options **
***************************************************************/
// API and SITE keys (you may add keys here) // API and SITE keys (you may add keys here)
$api_key_map = [ $api_key_map = [
'my_api_key' => 'my_api_key', // use this to allow API key 'my_api_key' => 'my_api_key', // use this to allow API key
@ -96,36 +90,6 @@ if (file_exists(dirname(__FILE__)."/secrets.php")) {
require "secrets.php"; require "secrets.php";
} }
// Parameter whitelisting for open tracking and URL tracking
// basic civicrm URL/open parameter are u, q and qid (as int)
// If additional parameters are needed, best practise would be to whitelist each one as needed in
// $valid_url_parameters and/or $valid_open_parameters.
// Alternatively it is also possible to allow all parameters with the wildcard parameter '*' => 'string'
$valid_url_parameters = [
'u' => 'int',
'q' => 'int',
'qid' => 'int',
// '*' => 'string' // whildcard, whitelist all url parameters
];
$valid_open_parameters = [
'u' => 'int',
'q' => 'int',
'qid' => 'int',
// '*' => 'string' // wildcard, whitelist *all* open parameters
];
// CiviCRM's API can authenticate with different flows
// https://docs.civicrm.org/dev/en/latest/framework/authx/#flows
// CiviProxy supports 'header', 'xheader', 'legacyrest', and 'param'.
// These flows are supported for API4 but could be extended to API3.
// $authx_internal_flow controls how CiviProxy sends credentials to CiviCRM, and
// $authx_external_flow where CiviProxy looks for credentials on incoming requests.
// The internal setting needs to have a single scalar value, but the
// external setting can be an array of accepted flows.
// There is no standard header for site key, so in both header and xheader
// flows it uses X-Civi-Key
$authx_internal_flow = 'header';
$authx_external_flow = ['legacyrest'];
/**************************************************************** /****************************************************************
** File Caching Options ** ** File Caching Options **


@ -15,6 +15,7 @@ require_once "proxy.php";
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<title>CiviProxy Error</title> <title>CiviProxy Error</title>
<link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
<style type="text/css"> <style type="text/css">
body { body {
margin: 0; margin: 0;
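Review bot: The `<link>` added on the fourth line of the hunk loads the Open Sans stylesheet over plain `http://`, but the proxy only serves pages over TLS (proxy.php's security check rejects any request where `$_SERVER['HTTPS']` is not `on`), so browsers will treat the stylesheet as mixed content and block or downgrade it, and every page view is disclosed to a third party. Use `https://fonts.googleapis.com/css?family=Open+Sans` at minimum, or ship the font with the proxy so the error and status pages have no external dependency at all. The identical line is added in the five later file sections of this compare that carry the same `<head>` block; the same fix applies there.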


@ -16,6 +16,7 @@ require_once "proxy.php";
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<title>CiviProxy Version <?php echo $civiproxy_version;?></title> <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
<link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
<style type="text/css"> <style type="text/css">
body { body {
margin: 0; margin: 0;


@ -564,7 +564,7 @@ class Cache_Lite
*/ */
function raiseError($msg, $code) function raiseError($msg, $code)
{ {
return PEAR::raiseError($msg, $code, $this->_pearErrorMode); error_log("[code] $msg");
} }
/** /**
@ -638,7 +638,7 @@ class Cache_Lite
return true; return true;
} }
} }
if (!($dh = @opendir($dir))) { if (!($dh = opendir($dir))) {
return $this->raiseError('Cache_Lite : Unable to open cache directory !', -4); return $this->raiseError('Cache_Lite : Unable to open cache directory !', -4);
} }
$result = true; $result = true;
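Review bot: In the new raiseError body, `"[code] $msg"` never interpolates the `$code` parameter — `code` is a literal — so every log line reads `[code] ...` and the numeric code callers pass (for example the `-4` on the opendir failure in the second hunk) is lost; it should be `error_log("[$code] $msg");`. The method also no longer returns anything, so call sites written as `return $this->raiseError(...)` now yield NULL where a PEAR_Error object was returned before; if any caller tests that result (PEAR::isError or a truthiness check) it will now read as success, which is worth confirming before the PEAR dependency is dropped. Removing the `@` from opendir in the second hunk is fine, but note the warning it suppressed will now also reach the error log next to this message.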


@ -19,7 +19,7 @@ civiproxy_security_check('mail-confirm');
// basic restraints // basic restraints
$valid_parameters = array( 'sid' => 'int', $valid_parameters = array( 'sid' => 'int',
'cid' => 'int', 'cid' => 'int',
'h' => 'string'); 'h' => 'hex');
$parameters = civiproxy_get_parameters($valid_parameters); $parameters = civiproxy_get_parameters($valid_parameters);
// check if parameters specified // check if parameters specified
@ -45,6 +45,7 @@ if (!empty($group_query['is_error'])) {
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<title>CiviProxy Version <?php echo $civiproxy_version;?></title> <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
<link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
<style type="text/css"> <style type="text/css">
body { body {
margin: 0; margin: 0;


@ -17,7 +17,7 @@ if (!$target_mail_view) civiproxy_http_error("Feature disabled", 405);
civiproxy_security_check('mail-view'); civiproxy_security_check('mail-view');
// basic restraints // basic restraints
$valid_parameters = array( 'id' => 'int', 'cid' => 'int', 'cs' => 'string' ); $valid_parameters = array( 'id' => 'int' );
$parameters = civiproxy_get_parameters($valid_parameters); $parameters = civiproxy_get_parameters($valid_parameters);
// check if id specified // check if id specified


@ -19,7 +19,7 @@ civiproxy_security_check('mail-resubscribe');
// basic restraints // basic restraints
$valid_parameters = array( 'jid' => 'int', $valid_parameters = array( 'jid' => 'int',
'qid' => 'int', 'qid' => 'int',
'h' => 'string'); 'h' => 'hex');
$parameters = civiproxy_get_parameters($valid_parameters); $parameters = civiproxy_get_parameters($valid_parameters);
// check if parameters specified // check if parameters specified
@ -45,6 +45,7 @@ if (!empty($group_query['is_error'])) {
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<title>CiviProxy Version <?php echo $civiproxy_version;?></title> <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
<link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
<style type="text/css"> <style type="text/css">
body { body {
margin: 0; margin: 0;


@ -83,6 +83,7 @@ if (!empty($_REQUEST['email'])) {
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<title>CiviProxy Version <?php echo $civiproxy_version;?></title> <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
<link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
<style type="text/css"> <style type="text/css">
body { body {
margin: 0; margin: 0;


@ -19,7 +19,7 @@ civiproxy_security_check('mail-unsubscribe');
// basic restraints // basic restraints
$valid_parameters = array( 'jid' => 'int', $valid_parameters = array( 'jid' => 'int',
'qid' => 'int', 'qid' => 'int',
'h' => 'string'); 'h' => 'hex');
$parameters = civiproxy_get_parameters($valid_parameters); $parameters = civiproxy_get_parameters($valid_parameters);
// check if parameters specified // check if parameters specified
@ -45,6 +45,7 @@ if (!empty($group_query['is_error'])) {
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<title>CiviProxy Version <?php echo $civiproxy_version;?></title> <title>CiviProxy Version <?php echo $civiproxy_version;?></title>
<link href="http://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" type="text/css">
<style type="text/css"> <style type="text/css">
body { body {
margin: 0; margin: 0;


@ -17,19 +17,21 @@ if (!$target_mosaico) civiproxy_http_error("Feature disabled", 405);
civiproxy_security_check('file'); civiproxy_security_check('file');
// basic restraints // basic restraints
$valid_parameters = array( 'id' => 'string', 'template_url' => 'string' ); $valid_parameters = array( 'id' => 'string' );
$parameters = civiproxy_get_parameters($valid_parameters); $parameters = civiproxy_get_parameters($valid_parameters);
if (!empty($parameters['id'])) { // check if id specified
// check restrictions if (empty($parameters['id'])) civiproxy_http_error("Resource not found");
if (!empty($file_cache_exclude)) {
// check restrictions
if (!empty($file_cache_exclude)) {
foreach ($file_cache_exclude as $pattern) { foreach ($file_cache_exclude as $pattern) {
if (preg_match($pattern, $parameters['id'])) { if (preg_match($pattern, $parameters['id'])) {
civiproxy_http_error("Invalid Resource", 403); civiproxy_http_error("Invalid Resource", 403);
} }
} }
} }
if (!empty($file_cache_include)) { if (!empty($file_cache_include)) {
$accept_id = FALSE; $accept_id = FALSE;
foreach ($file_cache_include as $pattern) { foreach ($file_cache_include as $pattern) {
if (preg_match($pattern, $parameters['id'])) { if (preg_match($pattern, $parameters['id'])) {
@ -39,39 +41,6 @@ if (!empty($parameters['id'])) {
if (!$accept_id) { if (!$accept_id) {
civiproxy_http_error("Invalid Resource", 403); civiproxy_http_error("Invalid Resource", 403);
} }
}
// look up the required resource
$header_key = 'header&' . $parameters['id'];
$data_key = 'data&' . $parameters['id'];
$url = $target_mosaico . $parameters['id'];
} elseif (!empty($parameters['template_url'])) {
// check restrictions
if (!empty($file_cache_exclude)) {
foreach ($file_cache_exclude as $pattern) {
if (preg_match($pattern, $parameters['template_url'])) {
civiproxy_http_error("Invalid Resource", 403);
}
}
}
if (!empty($file_cache_include)) {
$accept_id = FALSE;
foreach ($file_cache_include as $pattern) {
if (preg_match($pattern, $parameters['template_url'])) {
$accept_id = TRUE;
}
}
if (!$accept_id) {
civiproxy_http_error("Invalid Resource", 403);
}
}
// look up the required resource
$header_key = 'header&' . $parameters['template_url'];
$data_key = 'data&' . $parameters['template_url'];
$url = $target_mosaico_template_url . $parameters['template_url'];
} else {
civiproxy_http_error("Resource not found");
} }
// load PEAR file cache // load PEAR file cache
@ -80,6 +49,9 @@ if (!file_exists($file_cache_options['cacheDir'])) mkdir($file_cache_options['ca
require_once('Cache/Lite.php'); require_once('Cache/Lite.php');
$file_cache = new Cache_Lite($file_cache_options); $file_cache = new Cache_Lite($file_cache_options);
// look up the required resource
$header_key = 'header&' . $parameters['id'];
$data_key = 'data&' . $parameters['id'];
$header = $file_cache->get($header_key); $header = $file_cache->get($header_key);
$data = $file_cache->get($data_key); $data = $file_cache->get($data_key);
@ -96,6 +68,8 @@ if ($header && $data) {
} }
// if we get here, we have a cache miss => load // if we get here, we have a cache miss => load
$url = $target_mosaico . $parameters['id'];
$curlSession = curl_init(); $curlSession = curl_init();
curl_setopt($curlSession, CURLOPT_URL, $url); curl_setopt($curlSession, CURLOPT_URL, $url);
curl_setopt($curlSession, CURLOPT_HEADER, 1); curl_setopt($curlSession, CURLOPT_HEADER, 1);
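Review bot: The upstream URL in the last hunk is built as `$url = $target_mosaico . $parameters['id'];` from a `'string'`-sanitised request value, and the only thing standing between that value and the target host is the `$file_cache_include` list, which the first hunk treats as optional (`if (!empty($file_cache_include))`). With no include patterns configured, whatever path the client supplies is fetched from the target and stored under cache keys (`'header&' . $parameters['id']`) derived from the same string, so the endpoint behaves as a generic fetch-through rather than an asset cache. Either fail closed by requiring at least one include pattern when `$target_mosaico` is set, or normalise `$parameters['id']` before concatenation (reject values containing `..`, a leading `/`, or a `:` scheme separator) so only relative asset paths can reach the target. Separately, the `civiproxy_http_error("Resource not found")` early exit in the first hunk passes no status code, unlike the 403/405 calls around it; pass 404 explicitly unless the helper already defaults to it.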


@ -16,5 +16,8 @@ if (!$target_open) civiproxy_http_error("Feature disabled", 405);
// basic check // basic check
civiproxy_security_check('open'); civiproxy_security_check('open');
$parameters = civiproxy_get_parameters($valid_open_parameters); // basic restraints
$valid_parameters = array( 'q' => 'int' );
$parameters = civiproxy_get_parameters($valid_parameters);
civiproxy_redirect($target_open, $parameters); civiproxy_redirect($target_open, $parameters);


@ -8,7 +8,7 @@
+---------------------------------------------------------*/ +---------------------------------------------------------*/
require_once "config.php"; require_once "config.php";
$civiproxy_version = '1.0.0-beta'; $civiproxy_version = '0.6-beta2';
/** /**
* this will redirect the request to another URL, * this will redirect the request to another URL,
@ -90,148 +90,6 @@ function civiproxy_redirect($url_requested, $parameters) {
curl_close ($curlSession); curl_close ($curlSession);
} }
/**
* this will redirect the request to an API4 URL,
* i.e. will pass the reply on to this request
*
* @see losely based on https://code.google.com/p/php-proxy/
*
* @param $url_requested string the URL to which the request should be sent
* @param $parameters array
* @param $credentials array
*/
function civiproxy_redirect4($url_requested, $parameters, $credentials) {
global $target_interface, $authx_internal_flow;
$url = $url_requested;
$curlSession = curl_init();
$credential_params = civiproxy_build_credential_params($credentials, $authx_internal_flow);
$credential_headers = civiproxy_build_credential_headers($credentials, $authx_internal_flow);
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
// POST requests should be passed on as POST
curl_setopt($curlSession, CURLOPT_POST, 1);
$urlparams = 'params=' . urlencode(json_encode($parameters)) . $credential_params;
curl_setopt($curlSession, CURLOPT_POSTFIELDS, $urlparams);
} else {
// GET requests will get the parameters as url params
if (!empty($parameters)) {
$url .= '?params=' . urlencode(json_encode($parameters)) . $credential_params;
}
}
curl_setopt($curlSession, CURLOPT_HTTPHEADER, array_merge([
'Content-Type: application/x-www-form-urlencoded'
], $credential_headers));
curl_setopt($curlSession, CURLOPT_URL, $url);
curl_setopt($curlSession, CURLOPT_HEADER, 1);
curl_setopt($curlSession, CURLOPT_RETURNTRANSFER,1);
curl_setopt($curlSession, CURLOPT_TIMEOUT, 30);
curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, 2);
if (!empty($target_interface)) {
curl_setopt($curlSession, CURLOPT_INTERFACE, $target_interface);
}
if (file_exists(dirname(__FILE__).'/target.pem')) {
curl_setopt($curlSession, CURLOPT_CAINFO, dirname(__FILE__).'/target.pem');
}
//Send the request and store the result in an array
$response = curl_exec($curlSession);
// Check that a connection was made
if (curl_error($curlSession)){
civiproxy_http_error(curl_error($curlSession), curl_errno($curlSession));
} else {
//clean duplicate header that seems to appear on fastcgi with output buffer on some servers!!
$response = str_replace("HTTP/1.1 100 Continue\r\n\r\n","",$response);
// split header / content
$content = explode("\r\n\r\n", $response, 2);
$header = $content[0];
$body = $content[1];
// handle headers - simply re-outputing them
$header_ar = explode(chr(10), $header);
foreach ($header_ar as $header_line){
if (!preg_match("/^Transfer-Encoding/", $header_line)){
civiproxy_mend_URLs($header_line);
header(trim($header_line));
}
}
//rewrite all hard coded urls to ensure the links still work!
civiproxy_mend_URLs($body);
print $body;
}
curl_close($curlSession);
}
/**
* Creates a string with the API credentials to be appended to an API4 GET or POST request.
* When $api4_internal_auth_flow is 'header' or 'xheader', returns a blank string
*
* @param array $credentials
* @param string $authx_internal_flow
* @return string credential string, including leading '&'
*/
function civiproxy_build_credential_params(array $credentials, string $authx_internal_flow): string {
switch($authx_internal_flow) {
case 'legacyrest':
$map = ['api_key' => 'api_key', 'key' => 'key'];
break;
case 'param':
$map = ['api_key' => '_authx', 'key' => '_authxSiteKey'];
break;
default:
return '';
}
$params = [];
foreach($map as $credential_key => $param_name) {
if (isset($credentials[$credential_key])) {
$credential_value = $credentials[$credential_key];
if ($param_name === '_authx') {
$credential_value = 'Bearer ' . $credential_value;
}
$params[$param_name] = $credential_value;
}
}
$param_string = http_build_query($params);
if (!empty($param_string)) {
$param_string = '&' . $param_string;
}
return $param_string;
}
/**
* Builds an array of headers to send on an API4 request. When $api4_internal_auth_flow
* is 'param' or 'legacyrest', will always return an empty array.
*
* @param array $credentials
* @param string $authx_internal_flow
* @return array
*/
function civiproxy_build_credential_headers(array $credentials, string $authx_internal_flow): array {
switch($authx_internal_flow) {
case 'header':
$map = ['api_key' => 'Authorization: Bearer', 'key' => 'X-Civi-Key:'];
break;
case 'xheader':
$map = ['api_key' => 'X-Civi-Auth: Bearer', 'key' => 'X-Civi-Key:'];
break;
default:
return [];
}
$headers = [];
foreach($map as $credential_key => $header_prefix) {
if (isset($credentials[$credential_key])) {
$headers[] = $header_prefix . ' ' . $credentials[$credential_key];
}
}
return $headers;
}
/** /**
* Will mend all the URLs in the string that point to the target, * Will mend all the URLs in the string that point to the target,
@ -273,12 +131,11 @@ function civiproxy_mend_URLs(&$string) {
* unauthorized access quantities, etc. * unauthorized access quantities, etc.
* *
* @param $target * @param $target
* @param $quit bool if TRUE, quit immediately if access denied * @param $quit if TRUE, quit immediately if access denied
* @param $log_headers array add these headers (sanitized) to log data
* *
* @return TRUE if allowed, FALSE if not (or quits if $quit is set) * @return TRUE if allowed, FALSE if not (or quits if $quit is set)
*/ */
function civiproxy_security_check($target, $quit=TRUE, $log_headers = []) { function civiproxy_security_check($target, $quit=TRUE) {
// verify that we're SSL encrypted // verify that we're SSL encrypted
if ($_SERVER['HTTPS'] != "on") { if ($_SERVER['HTTPS'] != "on") {
civiproxy_http_error("This CiviProxy installation requires SSL encryption.", 400); civiproxy_http_error("This CiviProxy installation requires SSL encryption.", 400);
@ -288,16 +145,11 @@ function civiproxy_security_check($target, $quit=TRUE, $log_headers = []) {
if (!empty($debug)) { if (!empty($debug)) {
// filter log data // filter log data
$log_data = $_REQUEST; $log_data = $_REQUEST;
$sanitize_params = ['api_key', 'key', '_authxSiteKey', '_authx']; if (isset($log_data['api_key'])) {
foreach ($sanitize_params as $param) { $log_data['api_key'] = substr($log_data['api_key'], 0, 4) . '...';
if (isset($log_data[$param])) {
$log_data[$param] = substr($log_data[$param], 0, 4) . '...';
} }
} if (isset($log_data['key'])) {
$log_data['key'] = substr($log_data['key'], 0, 4) . '...';
foreach($log_headers as $header) {
if (!empty($_SERVER[$header]))
$log_data[$header] = substr($_SERVER[$header], 0, 4) . '...';
} }
// log // log
@ -353,7 +205,7 @@ function civiproxy_get_parameters($valid_parameters, $request = NULL) {
// process wildcard elements // process wildcard elements
if ($default_sanitation !== NULL) { if ($default_sanitation !== NULL) {
// i.e. we want the others too // i.e. we want the others too
$remove_parameters = array('key', 'api_key', '_authx', '_authxSiteKey', 'version', 'entity', 'action'); $remove_parameters = array('key', 'api_key', 'version', 'entity', 'action');
foreach ($request as $name => $value) { foreach ($request as $name => $value) {
if (!in_array($name, $remove_parameters) && !isset($valid_parameters[$name])) { if (!in_array($name, $remove_parameters) && !isset($valid_parameters[$name])) {
$result[$name] = civiproxy_sanitise($value, $default_sanitation); $result[$name] = civiproxy_sanitise($value, $default_sanitation);
@ -364,26 +216,6 @@ function civiproxy_get_parameters($valid_parameters, $request = NULL) {
return $result; return $result;
} }
/**
* Get the value of a header on the incoming request
*
* @param string $header name of the header, in all uppercase
* @param string $prefix to be stripped off the value of the header
* @return string|null value of the header, or null if not found.
*/
function civiproxy_get_header($header, $prefix = ''): ?string {
if (!empty($_SERVER['HTTP_' . $header])) {
$value = $_SERVER['HTTP_' . $header];
if ($prefix === '') {
return $value;
}
if (strpos($value, $prefix) === 0) {
return trim(substr($value, strlen($prefix)));
}
}
return NULL;
}
/** /**
* sanitise the given value with the given sanitiation type * sanitise the given value with the given sanitiation type
*/ */
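Review bot: In the debug-logging hunk of civiproxy_security_check, `substr($log_data['api_key'], 0, 4)` and the matching line for `key` assume the request values are strings, but `$_REQUEST` entries can arrive as arrays, and on PHP 8 substr() then throws a TypeError inside the debug path instead of logging; guard each with `is_string($log_data['api_key'])` (or cast) before truncating. The masking also still writes the first four characters of each credential to the log; a fixed mask such as `'***'`, or a short hash of the value, preserves the ability to correlate log lines without retaining credential material. The sanitisation covers only the `api_key` and `key` parameter names, which matches what rest.php reads in this version, so any later parameter that carries a secret must be added here too. civiproxy_security_check starts and ends outside this hunk.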


@ -9,11 +9,11 @@
require_once "config.php"; require_once "config.php";
require_once "proxy.php"; require_once "proxy.php";
require_once "checks.php";
// see if REST API is enabled // see if REST API is enabled
if (!$target_rest) civiproxy_http_error("Feature disabled", 405); if (!$target_rest) civiproxy_http_error("Feature disabled", 405);
// basic check // basic check
if (!civiproxy_security_check('rest')) { if (!civiproxy_security_check('rest')) {
civiproxy_rest_error("Access denied."); civiproxy_rest_error("Access denied.");
@ -21,9 +21,25 @@ if (!civiproxy_security_check('rest')) {
// check credentials // check credentials
$credentials = civiproxy_get_parameters(array('key' => 'string', 'api_key' => 'string')); $credentials = civiproxy_get_parameters(array('key' => 'string', 'api_key' => 'string'));
if (empty($credentials['key'])) {
civiproxy_rest_error("No site key given");
} else {
if (isset($sys_key_map[$credentials['key']])) {
$credentials['key'] = $sys_key_map[$credentials['key']];
} else {
civiproxy_rest_error("Invalid site key");
}
}
civiproxy_map_site_key($credentials, $sys_key_map); if (empty($credentials['api_key'])) {
civiproxy_map_api_key($credentials, $api_key_map); civiproxy_rest_error("No API key given");
} else {
if (isset($api_key_map[$credentials['api_key']])) {
$credentials['api_key'] = $api_key_map[$credentials['api_key']];
} else {
civiproxy_rest_error("Invalid api key");
}
}
// check if the call itself is allowed // check if the call itself is allowed
$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int', 'json' => 'int', 'sequential' => 'int')); $action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int', 'json' => 'int', 'sequential' => 'int'));
@ -31,7 +47,22 @@ if (!isset($action['version']) || $action['version'] != 3) {
civiproxy_rest_error("API 'version' information missing."); civiproxy_rest_error("API 'version' information missing.");
} }
$valid_parameters= civiproxy_get_valid_parameters($action, $rest_allowed_actions); // in release 0.4, allowed entity/actions per IP were introduced. To introduce backward compatibility,
// the previous test is still used when no 'all' key is found in the array
if (isset($rest_allowed_actions['all'])) {
// get valid key for the rest_allowed_actions
$valid_allowed_key = civiproxy_get_valid_allowed_actions_key($action, $rest_allowed_actions);
$valid_parameters = civiproxy_retrieve_api_parameters($valid_allowed_key, $action['entity'], $action['action'], $rest_allowed_actions);
if (!$valid_parameters) {
civiproxy_rest_error("Invalid entity/action.");
}
} else {
if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
$valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
} else {
civiproxy_rest_error("Invalid entity/action.");
}
}
// extract parameters and add credentials and action data // extract parameters and add credentials and action data
$parameters = civiproxy_get_parameters($valid_parameters); $parameters = civiproxy_get_parameters($valid_parameters);
@ -57,3 +88,17 @@ if ($rest_evaluate_json_parameter) {
// finally execute query // finally execute query
civiproxy_log($target_rest); civiproxy_log($target_rest);
civiproxy_redirect($target_rest, $parameters); civiproxy_redirect($target_rest, $parameters);
/**
* generates a CiviCRM REST API compliant error
* and ends processing
*/
function civiproxy_rest_error($message) {
$error = array( 'is_error' => 1,
'error_message' => $message);
// TODO: Implement
//header();
print json_encode($error);
exit();
}
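Review bot: In the hunk that selects `$valid_parameters`, the new `if (!$valid_parameters)` branch rejects the call whenever civiproxy_retrieve_api_parameters returns an empty array, so an entity/action whitelisted with no parameters under the `'all'`-style configuration is reported as "Invalid entity/action.", while the legacy branch directly below accepts the same empty array from `$rest_allowed_actions[$action['entity']][$action['action']]`. If the helper signals "not allowed" with FALSE or NULL, the test should be `if (!is_array($valid_parameters)) {` so an empty whitelist stays meaningful and both branches behave alike; the current form fails closed, so this is a consistency rather than a safety issue. civiproxy_retrieve_api_parameters is not visible here, so confirm its failure return before changing the test.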


@ -1,89 +0,0 @@
<?php
/*--------------------------------------------------------+
| SYSTOPIA CiviProxy |
| a simple proxy solution for external access to CiviCRM |
| Copyright (C) 2015-2021 SYSTOPIA |
| Author: B. Endres (endres -at- systopia.de) |
| http://www.systopia.de/ |
+---------------------------------------------------------*/
require_once "config.php";
require_once "proxy.php";
require_once "checks.php";
// see if REST API is enabled
if (!$target_rest4) {
civiproxy_http_error("Feature disabled");
}
$valid_flows = ['header', 'xheader', 'legacyrest', 'param'];
$headers_by_flow = [
'header' => ['HTTP_AUTHORIZATION', 'HTTP_X_CIVI_KEY'],
'xheader' => ['HTTP_X_CIVI_AUTH', 'HTTP_X_CIVI_KEY'],
'legacyrest' => [],
'param' => [],
];
if (!in_array($authx_internal_flow, $valid_flows)) {
civiproxy_http_error("Invalid internal auth flow '$authx_internal_flow'", 500);
}
$headers_to_log = [];
foreach ($authx_external_flow as $external_flow) {
if (!in_array($external_flow, $valid_flows)) {
civiproxy_http_error("Invalid external auth flow '$external_flow'", 500);
}
$headers_to_log = array_merge($headers_to_log, $headers_by_flow[$external_flow]);
}
// basic check
if (!civiproxy_security_check('rest', TRUE, $headers_to_log)) {
civiproxy_rest_error("Access denied.");
}
$credentials = [];
// Find credentials on the incoming request
foreach ($authx_external_flow as $external_flow) {
switch($external_flow) {
case 'header':
$credentials['api_key'] = civiproxy_get_header('AUTHORIZATION', 'Bearer ');
$credentials['key'] = civiproxy_get_header('HTTP_X_CIVI_KEY');
break;
case 'xheader':
$credentials['api_key'] = civiproxy_get_header('X_CIVI_AUTH', 'Bearer ');
$credentials['key'] = civiproxy_get_header('HTTP_X_CIVI_KEY');
break;
case 'legacyrest':
$credentials = civiproxy_get_parameters(array('api_key' => 'string', 'key' => 'string'));
break;
case 'param':
$authx_credentials = civiproxy_get_parameters(array('_authx' => 'string', '_authxSiteKey' => 'string'));
if (!empty($authx_credentials['_authx'])) {
// Snip off leading 'Bearer ' or 'Bearer+'
if (substr($authx_credentials['_authx'], 0, 6) === 'Bearer') {
$credentials['api_key'] = substr($authx_credentials['_authx'], 7);
}
}
if (!empty($authx_credentials['_authxSiteKey'])) {
$credentials['key'] = $authx_credentials['_authxSiteKey'];
}
break;
}
if (!empty($credentials['api_key'])) {
break;
}
}
civiproxy_map_api_key($credentials, $api_key_map);
if (!empty($credentials['key'])) {
civiproxy_map_site_key( $credentials, $sys_key_map);
}
// check if the call itself is allowed
$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string'));
$valid_parameters = civiproxy_get_valid_parameters($action, $rest_allowed_actions);
// extract parameters and add action data
$parameters = civiproxy_get_parameters($valid_parameters, json_decode($_REQUEST['params'], true));
// finally execute query
civiproxy_log($target_rest4);
civiproxy_redirect4($target_rest4 . $action['entity'] . '/' . $action['action'] , $parameters, $credentials);


@ -16,5 +16,10 @@ if (!$target_url) civiproxy_http_error("Feature disabled", 405);
// basic check // basic check
civiproxy_security_check('url'); civiproxy_security_check('url');
$parameters = civiproxy_get_parameters($valid_url_parameters); // basic restraints
$valid_parameters = array( 'u' => 'int',
'q' => 'int',
'qid' => 'int');
$parameters = civiproxy_get_parameters($valid_parameters);
civiproxy_redirect($target_url, $parameters); civiproxy_redirect($target_url, $parameters);


@ -126,7 +126,7 @@ function webhook2api_processConfiguration($configuration, $post_input) {
} }
if (!empty($result['values']['http_code'])) { if (!empty($result['values']['http_code'])) {
$http_code = $result['values']['http_code']; $http_code = $result['values']['http_code'];
} elseif ($result['is_error'] != 0) { } else {
$http_code = 403; $http_code = 403;
} }
} }
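Review bot: The new `else` on the fourth line of the hunk assigns `$http_code = 403` whenever the API result carries no `values.http_code`, regardless of whether the call succeeded, so a successful response that simply omits an explicit code is reported to the webhook caller as forbidden. The branch should consult the error flag the result already carries, `} elseif (!empty($result['is_error'])) {`, and otherwise leave `$http_code` at its success default. webhook2api_processConfiguration starts and ends outside this hunk, so I cannot see where `$http_code` is initialised; confirm a success default is set before this block.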