xNightR00T File Manager

<?php

namespace Users\Controller;

use Zend\Http\PhpEnvironment\Response;
use Zend\Authentication\Adapter\Ldap;
use ZendServer\Exception;
use ZendServer\FS\FS;
use Zend\Config\Config;
use Application\Module;
use Zend\Config\Writer\Ini;
use Zend\Config\Factory;
use ZendServer\Log\Log;
use Audit\Db\ProgressMapper;
use Audit\Db\Mapper;
use Users\Forms\ChangePassword;
use ZendServer\Mvc\Controller\WebAPIActionController;
use Zend\Ldap\Exception\LdapException;

class WebAPIController extends WebAPIActionController
{

    /**
     * Get current mapped groups (LDAP) for roles and applications
     * 
     * @api
     * @method GET
     * @section Administration
     * @response "responseData": {
      "groups": []
      }
     */
    public function usersGetMappedGroupsAction()
    {
        $this->isMethodGet();

        $mappedData  = array();
        $mappedRoles = $this->getLocator('Acl\Db\MapperGroups')->findAllMappedRoles();
        foreach ($mappedRoles as $key => $group) {
            $mappedData['role_groups'][$key] = $group;
        }
        $mappedApplications = $this->getLocator('Acl\Db\MapperGroups')->findAllMappedApplications();
        foreach ($mappedApplications as $key => $group) {
            $mappedData['app_groups'][$key] = $group;
        }

        return array('mappedGroups' => $mappedData);
    }

    /**
     * RGet users and roles in Zend Server. The data will provided accordingly to the users who request this method,
     * not admin user will get his user only, the received roles will be only his role + parent roles
     * 
     * @api
     * @method GET
     * @section Administration
     * @response "responseData": {
      "users": [
      {
      "id": 1,
      "name": "admin",
      "role": "administrator"
      },
      {
      "id": 2,
      "name": "developer",
      "role": "developer"
      }
      ],
      "roles": [
      {
      "role_id": "1",
      "role_name": "guest",
      "role_parent": null
      },
      {
      "role_id": "3",
      "role_name": "developerLimited",
      "role_parent": "1",
      "parent_name": "guest"
      },
      {
      "role_id": "4",
      "role_name": "developer",
      "role_parent": "3",
      "parent_name": "developerLimited"
      },
      {
      "role_id": "5",
      "role_name": "administrator",
      "role_parent": "4",
      "parent_name": "developer"
      }
      ]
      }
     */
    public function usersGetListAction()
    {
        $this->isMethodGet();
        $acl = $this->getLocator('ZendServerAcl');

        $aclMapper = $this->getLocator('Acl\Db\Mapper'); /* @var $aclMapper Acl\Db\Mapper */
        $rolesDB   = $aclMapper->getRoles()->toArray();

        $identityAcl = $this->getLocator('ZendServerIdentityAcl');

        $allowedRoles = array($acl->getIdentity()->getRole());
        foreach ($identityAcl->getRoles() as $inherit) {
            if ($identityAcl->inheritsRole($acl->getIdentity()->getRole(), $inherit)) {
                $allowedRoles[] = $inherit;
            }
        }

        $roles = array();
        foreach ($rolesDB as $role) {
            //Now we take care that user will get only inherited roles (inc. his role)
            if (in_array($role['role_name'], $allowedRoles)) {
                $roles[] = $role;
            }
        }


        $usersMapper = $this->getLocator('Users\Db\Mapper'); /* @var $usersMapper \Users\Db\Mapper */
        $usersDB     = $usersMapper->getUsers()->toArray();
        $users       = array();
        foreach ($usersDB as $user) {
            if ($acl->isAllowed('route:UsersWebAPI', 'userSetPassword') || $user['NAME'] == $acl->getIdentity()->getUsername()) {
                $users[] = array(
                    'id' => intval($user['ID']),
                    'name' => $user['NAME'],
                    'role' => $user['ROLE']
                );
            }
        }

        return array('users' => $users, 'roles' => $roles);
    }

    /**
     * Get current authentication settings, allowing the user to switch between simple and extended authentication and authorization schemes.
     *
     * @api
     * @method GET
     * @section Administration
     * @response "responseData": {
      "ldap": {
      "host": "",
      "port": "",
      "useSsl": "",
      "useStartTls": "",
      "username": "",
      "password": "",
      "baseDn": "",
      "accountCanonicalForm": "",
      "accountDomainName": "",
      "accountDomainNameShort": "",
      "bindRequiresDn": "",
      "adminRoleGroup": "",
      "groupsAttribute": "",
      "encryption": "none"
      },
      "type": "simple"
      }
     */
    public function userGetAuthenticationSettingsAction()
    {
        $this->isMethodGet();

        $authConfig = Module::config('authentication');

        $authSource = $authConfig->simple ? 'simple' : 'extended';
        $data       = Module::config('zend_server_authentication')->toArray();

        $mapper      = $this->getLocator('Acl\Db\MapperGroups'); /* @var $mapper \Acl\Db\MapperGroups */
        $mappedRoles = $mapper->findAllMappedRoles();
        if ($authConfig->simple) {
            $data['adminRoleGroup']  = isset($mappedRoles[Module::ACL_ROLE_ADMINISTRATOR]) ? $mappedRoles[Module::ACL_ROLE_ADMINISTRATOR]
                    : '';
            $data['groupsAttribute'] = $authConfig->groupsAttribute;
            if ($data['useSsl']) {
                $data['encryption'] = 'ssl';
            } elseif ($data['useStartTls']) {
                $data['encryption'] = 'tls';
            } else {
                $data['encryption'] = 'none';
            }
        }

        return array('data' => array('ldap' => $data, 'type' => $authConfig->simple ? 'simple' : 'extended'));
    }

    /**
     * Modify current authentication settings, allowing the user to switch
     * between simple and extended authentication and authorization schemes.
     * 
     * @api
     * @method POST
     * @version 1.3
     * @section Administration
     * @name userAuthenticationSettings
     * @url https://docs.roguewave.com/en/zend/Zend-Server/content/the_userauthenticatesettings_method.htm
     * @permissions Full
     * @editions All
     * @param Enum type Required. One of : simple, extended
     * @param Array ldap Required. Array of ldap properties: host: host, ip or location of the active
     * 	directory port: port part of the URL above encryption: ssl - use SSL
     * 	to secure communications tls - start TLS to secure communications
     * 	none - no encryption is used username: directory username, broken to
     * 	CN and DC parts for use in querying the active directory password:
     * 	matching password for the above username baseDn: DN broken down to CN
     * 	and DC parts for using during user authentication bindRequiresDn: 0
     * 	for use with Active Directory, 1 for use with other LDAP services
     * 	groupsAttribute: Name for a list of user groups membership
     * @param String password Required. Current users password for authentication
     * @param String confirmNewPassword Required. Confirmation of new password
     * @response 
     *
     * @return \WebAPI\View\WebApiResponseContainer|\Zend\View\Model\ViewModel|array
     */
    public function userAuthenticationSettingsAction()
    {
        $this->isMethodPost();

        $params = $this->getParameters(array('ldap' => array()));
        $this->validateMandatoryParameters($params, array('type', 'ldap', 'password'));

        $this->validateAllowedValues($params['type'], 'type', array('simple', 'extended'));
        $ldap = $this->validateArray($params['ldap'], 'ldap');

        $encryption = 'none';
        if (isset($ldap['encryption'])) {
            $encryption = $ldap['encryption'];
            unset($ldap['encryption']);
        }

        switch ($encryption) {
            case 'ssl':
                $ldap['useSsl']      = '1';
                $ldap['useStartTls'] = '0';
                break;
            case 'tls':
                $ldap['useSsl']      = '0';
                $ldap['useStartTls'] = '1';
                break;
            default :
                $ldap['useSsl']      = '0';
                $ldap['useStartTls'] = '0';
        }

        $this->validateString($params['password'], 'password');

        try {
            $identity = $this->Authentication()->getIdentity()->getUsername();
            if (!$this->Authentication()->authenticateOnly($identity, $params['password'])) {
                throw new \WebAPI\Exception("Validation for '{$identity}' failed", \WebAPI\Exception::WRONG_PASSWORD);
            }
        } catch (\WebAPI\Exception $e) {
            $this->auditMessage(Mapper::AUDIT_GUI_CHANGE_AUTHENTICATION_SETTINGS,
                ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED, array(array('errorMessage' => $e->getMessage())));
            throw $e;
        } catch (\Exception $e) {
            $errorMsg = _t("%s failed: %s", array($this->getCmdName(), $e->getMessage()));
            $this->auditMessage(Mapper::AUDIT_GUI_CHANGE_AUTHENTICATION_SETTINGS,
                ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED, array(array('errorMessage' => $errorMsg)));
            throw new \WebAPI\Exception($errorMsg, \WebAPI\Exception::INTERNAL_SERVER_ERROR, $e);
        }

        $ldapConfig = Module::config('zend_server_authentication');
        $authConfig = Module::config('authentication');

        $ldapSettings = array();

        if ($params['type'] == 'simple') {
            $authConfig->merge(new Config(array('simple' => '1')));
        } else {
            $newAuthConfig = new Config(array('simple' => '0'));
            if (isset($ldap['groupsAttribute'])) {
                $newAuthConfig->merge(new Config(array('groupsAttribute' => $ldap['groupsAttribute'])));
                unset($ldap['groupsAttribute']);
            }
            $authConfig->merge($newAuthConfig);

            $ldapSettings  = array_intersect_key($ldap, $ldapConfig->toArray());
            $newLdapConfig = new Config($ldapSettings, true);
            $ldapConfig->merge($newLdapConfig);

            $bindname = isset($ldap['username']) && $ldap['username'] ? $ldap['username'] : null;
            $password = isset($ldap['password']) && $ldap['password'] ? $ldap['password'] : null;

            if ($bindname) {
                //// test new settings
                $authAdapter = new Ldap(array('test' => $ldapConfig->toArray()), $bindname, $password);
                $result      = $authAdapter->authenticate();
                $auditExtraDataArray = array_merge(
                    $this->filterAuthConfigForMessage($newLdapConfig->toArray()), 
                    array('messages' => implode(', ', $result->getMessages()))
                );
                
                if (!$result->isValid()) {
                    $this->auditMessage(
                        Mapper::AUDIT_GUI_CHANGE_AUTHENTICATION_SETTINGS,
                        ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED,
                        array($auditExtraDataArray)
                    );
                    
                    Log::err('Could not connect to Ldap server:'.$result->getMessages());
                    throw new \WebAPI\Exception(_t('Could not connect to Ldap server: %s',
                        array(current($result->getMessages()))), \WebAPI\Exception::AUTH_ERROR);
                }
            } else {
                /// anonymous bind
                $ldapTest = new \Zend\Ldap\Ldap($ldapConfig->toArray());
                try {
                    $ldapTest->bind($bindname, $password);
                } catch (LdapException $ex) {
                    $this->auditMessage(Mapper::AUDIT_GUI_CHANGE_AUTHENTICATION_SETTINGS,
                        ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED,
                        array(
                            array_merge(
                                $this->filterAuthConfigForMessage($newLdapConfig->toArray()),
                                array('messages' => $ex->getMessage())
                            )
                        )
                    );
                    Log::err('Could not connect to Ldap server:'.$ex->getMessage());
                    throw new \WebAPI\Exception(_t('Could not connect to Ldap server: %s', array($ex->getMessage())),
                    \WebAPI\Exception::AUTH_ERROR);
                }
            }


            try {
                $adminRoleGroup = $ldap['adminRoleGroup'];
                $groupsMapper   = $this->getLocator('Acl\Db\MapperGroups'); /* @var $groupsMapper \Acl\Db\MapperGroups */
                $groupsMapper->setRoleMapping(Module::ACL_ROLE_ADMINISTRATOR, $adminRoleGroup);
            } catch (Exception $ex) {
                $this->auditMessage(
                    Mapper::AUDIT_GUI_CHANGE_AUTHENTICATION_SETTINGS,
                    ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED,
                    array(
                        array_merge(
                            $this->filterAuthConfigForMessage($newLdapConfig->toArray()), 
                            array('messages' => $ex->getMessage())
                        )
                    )
                );
                Log::err('Could not connect to Ldap server:'.$ex->getMessage());
                Log::debug($ex);
                throw new \WebAPI\Exception($ex->getMessage(), \WebAPI\Exception::INTERNAL_SERVER_ERROR, $ex);
            }
        }

        $this->getGuiConfigurationMapper()->setGuiDirectives($authConfig->toArray() + $ldapConfig->toArray());
        $this->getResponse()->setStatusCode(Response::STATUS_CODE_202);
        $this->auditMessage(
            Mapper::AUDIT_GUI_CHANGE_AUTHENTICATION_SETTINGS,
            ProgressMapper::AUDIT_PROGRESS_ENDED_SUCCESFULLY,
            array(
                !empty($newLdapConfig) ? $this->filterAuthConfigForMessage($newLdapConfig->toArray()) : array()
            )
        );
        
        return array('authConfig' => $authConfig->toArray());
    }

    /**
     * Modify a current user password.
     * 
     * @api
     * @method POST
     * @version 1.3
     * @section Administration
     * @name setPassword
     * @url https://docs.roguewave.com/en/zend/Zend-Server/content/the_setpassword_method.htm
     * @permissions Full
     * @editions All
     * @param String password Required. Current password.
     * @param String newPassword Required. New password.
     * @param String confirmNewPassword Required. Confirmation of new password.
     * @response 
     *
     * @return \WebAPI\View\WebApiResponseContainer|\Zend\View\Model\ViewModel|array
     */
    public function setPasswordAction()
    {
        $this->isMethodPost();
        $params             = $this->getParameters();
        $this->validateMandatoryParameters($params, array('password', 'newPassword', 'confirmNewPassword'));
        $authService        = $this->getLocator('Zend\Authentication\AuthenticationService');
        $params['username'] = $authService->getIdentity()->getUsername();
        return $this->changePassword($params);
    }

    /**
     * Modify a specific user password. This action changes any user
     * password and is an administrative action. Note that a separate action
     * exists for the user to modify his own password and has a lower
     * permission level.
     * 
     * @api
     * @method POST
     * @version 1.3
     * @section Administration
     * @name userSetPassword
     * @url https://docs.roguewave.com/en/zend/Zend-Server/content/the_usersetpassword_method.htm
     * @permissions Full
     * @editions All
     * @param string username Required. This username will have his password modified.
     * @param string password Required. Password of the user executing this command.
     * @param string newPassword Required. New password.
     * @param string confirmNewPassword Required. Confirmation of new password.
     * @response 
     *
     * @return \WebAPI\View\WebApiResponseContainer|\Zend\View\Model\ViewModel|array
     */
    public function userSetPasswordAction()
    {
        $this->isMethodPost();

        $params = $this->getParameters();
        $this->validateMandatoryParameters($params, array('username', 'password', 'newPassword', 'confirmNewPassword'));
        return $this->changePassword($params);
    }

    protected function changePassword($params)
    {
        $changePasswordForm = $this->getLocator('Users\Forms\ChangePassword');
        $changePasswordForm->setData($params);
        if (!$changePasswordForm->isValid()) {
            $nonValidElements = '';
            foreach ($changePasswordForm->getMessages() as $field => $errors) {
                if (!$errors) continue;
                if (is_array($errors)) {
                    foreach ($errors as $type => $error) {
                        $nonValidElements .= $field.': '.$error;
                    }
                }
            }
            $errorMsg = _t("Invalid parameters: ".$nonValidElements);
            $this->auditMessage(Mapper::AUDIT_GUI_CHANGE_PASSWORD, ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED,
                array(array('username' => $params['username'], 'errorMessage' => $errorMsg)));
            throw new \WebAPI\Exception($errorMsg, \WebAPI\Exception::INVALID_PARAMETER);
        }

        if ($params['confirmNewPassword'] != $params['newPassword']) {
            $errorMsg = _t('New password should be identical to the confirmation password');
            $this->auditMessage(Mapper::AUDIT_GUI_CHANGE_PASSWORD, ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED,
                array(array('username' => $params['username'], 'errorMessage' => $errorMsg)));
            throw new \WebAPI\Exception($errorMsg, \WebAPI\Exception::WRONG_PASSWORD);
        }

        try {
            $identity = $this->Authentication()->getIdentity(); /* @var $identity \Users\Identity */
            if (!$this->Authentication()->authenticateOnly($identity->getUsername(), $params['password'])) {
                throw new \WebAPI\Exception("The current password for user '{$identity->getUsername()}' is incorrect",
                \WebAPI\Exception::WRONG_PASSWORD);
            }

            $usersMapper = $this->getLocator()->get('Users\Db\Mapper'); /* @var $usersMapper \Users\Db\Mapper */
            $user        = $usersMapper->findUserByName($params['username']);
            if (!$this->isAclAllowed('data:useMultipleUsers') && $user['ROLE'] != Module::ACL_ROLE_ADMINISTRATOR) {
                throw new Exception(_t('User %s is disabled', array($params['username'])));
            }

            $usersMapper->setUser($params['username'], $params['newPassword']);
        } catch (\Exception $e) {
            Log::err('error in changePassword'.$e->getMessage());
            Log::debug($e);
            $errorMsg = _t("%s failed: %s", array($this->getCmdName(), $e->getMessage()));
            $this->auditMessage(Mapper::AUDIT_GUI_CHANGE_PASSWORD, ProgressMapper::AUDIT_PROGRESS_ENDED_FAILED,
                array(array('username' => $params['username'], 'errorMessage' => $errorMsg)));
            throw new \WebAPI\Exception($e->getMessage(), \WebAPI\Exception::INTERNAL_SERVER_ERROR);
        }
        $this->auditMessage(Mapper::AUDIT_GUI_CHANGE_PASSWORD, ProgressMapper::AUDIT_PROGRESS_ENDED_SUCCESFULLY,
            array(array('username' => $params['username'])));

        return array('userName' => $params['username']);
    }

    /**
     * @param array $authConfig
     * @return array
     */
    private function filterAuthConfigForMessage($authConfig)
    {
        return array_diff_key($authConfig, array('password' => false));
    }
}