software-admin-panel/api.php

172 lines
5.9 KiB
PHP
Raw Normal View History

2018-07-20 18:33:59 -05:00
<?php
//@error_reporting(E_ALL | E_NOTICE);
//@ini_set('display_errors', 1);
require('./include/config.php');
require('./include/functions.php');
require('./include/apiresponse.class.php');
require('./include/authmanager.class.php');
$action = isset($_POST['action']) ? $_POST['action'] : '';
$format = isset($_REQUEST['format']) ? $_REQUEST['format'] : 'xml';
if($format == 'json') {
$response = new ApiResponseJson();
} else {
$response = new ApiResponseXml();
}
$db = new mysqli($config['db_host'], $config['db_user'], $config['db_pass'], $config['db_name']);
if ($db->connect_error) {
$response->error(900, 'Database connection failure.');
exit;
}
$auth = new AuthManager($db);
/****************** GLOBAL SESSION HANDLING ********************/
$session = array();
if( isset($_POST['sessionId']) ) {
$session_id = clean($db, $_POST['sessionId']);
if(($session = $auth->getSession($session_id)) == NULL) {
$response->error(201, 'Expired or nonexistent session!');
exit;
}
if($session['terminated'] == 1) {
$response->error(202, 'Session terminated!');
exit;
}
} else {
// only create session can be called without a session id.
if($action != 'createSession') {
$response->error(100, 'Session ID required to call this command.');
exit;
}
}
/***************************************************************/
switch($action) {
case 'createSession':
if(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['programId'])) {
$username = clean($db, $_POST['username']);
$password = clean($db, $_POST['password']);
$program_id = (int)clean($db, $_POST['programId']);
if(($userdata = $auth->getUser($username, $password)) != NULL) {
if(($programdata = $auth->getProgram($program_id)) != NULL) {
$result = $db->query(sprintf("SELECT * FROM `permissions`
WHERE (`permissions`.`program_id` = %d OR `permissions`.`program_id` = -1) AND `permissions`.`user_id` = %d;", $program_id, $userdata['id']));
if($permission = $result->fetch_assoc()) {
$session_id = $auth->generateSessionId();
$auth->createSession($session_id, $programdata['id'], $permission['user_id'], $_SERVER['REMOTE_ADDR']);
$auth->logActivity($session_id, $programdata['id'], $permission['user_id'], $_SERVER['REMOTE_ADDR'], 'create_session');
$response->appendSection('AuthorizationResponse', array(
'ResponseCode' => 'OK',
'ProgramID' => $programdata['id'],
'LatestMajorVersion' => $programdata['major_version'],
'LatestMinorVersion' => $programdata['minor_version'],
'LatestRevisionVersion' => $programdata['revision_version'],
'SessionID' => $session_id,
'KeepAlive' => 900
));
$response->display();
} else {
$auth->logActivity('', $program_id, 0, $_SERVER['REMOTE_ADDR'], 'denied_access');
$response->error(102, 'Access denied.');
}
} else {
$auth->logActivity('', $program_id, 0, $_SERVER['REMOTE_ADDR'], 'bad_pid');
$response->error(101, 'Invalid or deactivated program.');
}
} else {
$auth->logActivity('', $program_id, 0, $_SERVER['REMOTE_ADDR'], 'login_error');
$response->error(101, 'Account deactivated or login invalid.');
}
} else {
$auth->logActivity('', 0, 0, $_SERVER['REMOTE_ADDR'], 'bad_request');
$response->error(100, 'Missing required variable.');
}
break;
case 'destroySession':
// set the last ping time to 0 so it expires instantly
$db->query('UPDATE `sessions` SET `last_ping_time` = 0 WHERE `session_id` = \''.$session['session_id'].'\';');
$auth->logActivity($session['session_id'], $session['program_id'], $session['user_id'], $_SERVER['REMOTE_ADDR'], 'destroy_session');
$response->appendSection('AuthorizationResponse', array(
'ResponseCode' => 'OK',
'Message' => 'Session has been destroyed.',
'LastPingTime' => 0,
'ProgramID' => $session['program_id'],
'SessionID' => $session['session_id']
));
$response->display();
break;
case 'ping':
$os_username = clean($db, $_POST['os_username']);
$db->query('UPDATE `sessions` SET `last_ping_time` = UNIX_TIMESTAMP(), `os_username` = \''.$os_username.'\' WHERE `session_id` = \''.$session['session_id'].'\';');
$auth->logActivity($session['session_id'], $session['program_id'], $session['user_id'], $_SERVER['REMOTE_ADDR'], 'ping');
$response->appendSection('AuthorizationResponse', array(
'ResponseCode' => 'OK',
'LastPingTime' => $session['last_ping_time'],
'ProgramID' => $session['program_id'],
'SessionID' => $session['session_id']
));
$response->display();
break;
case 'link':
if( isset( $_POST['url'] ) ) {
$url = clean($db, $_POST['url']);
$auth->logActivity($session['session_id'], $session['program_id'], $session['user_id'], $_SERVER['REMOTE_ADDR'], 'link');
// insert all the id's for the link log
$db->query( sprintf("INSERT INTO `link_logs` (`session_id`, `user_id`, `program_id`, `server_time`, `url`) VALUES ('%s', %d, %d, UNIX_TIMESTAMP(), '%s')",
$session['session_id'], $session['user_id'], $session['program_id'], $url) );
$response->appendSection('AuthorizationResponse', array(
'ResponseCode' => 'OK',
'ProgramID' => $session['program_id'],
'SessionID' => $session['session_id']
));
$response->display();
} else {
$response->error(100, 'Missing required variable.');
}
break;
case 'update':
$auth->logActivity($session['session_id'], $session['program_id'], $session['user_id'], $_SERVER['REMOTE_ADDR'], 'update');
$program_file = get_program_filename($session['program_id']);
if($zp = gzopen('./update/'.$program_file, 'r')) {
header('Content-Disposition: attachment; filename=update.exe');
header('Content-Type: application/octet-stream');
while (!gzeof($zp)) {
echo gzread($zp, 8192);
}
gzclose($zp);
} else {
$response->error(300, 'No update file found.');
}
break;
default:
$response->error(100, 'Missing required action.');
break;
}
?>