src/Core/Framework/Routing/ApiRequestContextResolver.php line 342

  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Routing;
  5. use Doctrine\DBAL\Connection;
  6. use Shopware\Core\Checkout\Cart\Price\Struct\CartPrice;
  7. use Shopware\Core\Defaults;
  8. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  9. use Shopware\Core\Framework\Api\Context\ContextSource;
  10. use Shopware\Core\Framework\Api\Context\SalesChannelApiSource;
  11. use Shopware\Core\Framework\Api\Context\SystemSource;
  12. use Shopware\Core\Framework\Api\Exception\MissingPrivilegeException;
  13. use Shopware\Core\Framework\Api\Util\AccessKeyHelper;
  14. use Shopware\Core\Framework\App\Exception\AppNotFoundException;
  15. use Shopware\Core\Framework\Context;
  16. use Shopware\Core\Framework\DataAbstractionLayer\Pricing\CashRoundingConfig;
  17. use Shopware\Core\Framework\Log\Package;
  18. use Shopware\Core\Framework\Routing\Exception\LanguageNotFoundException;
  19. use Shopware\Core\Framework\Uuid\Uuid;
  20. use Shopware\Core\PlatformRequest;
  21. use Symfony\Component\HttpFoundation\Request;
  23. #[Package('core')]
  24. class ApiRequestContextResolver implements RequestContextResolverInterface
  25. {
  26.     use RouteScopeCheckTrait;
  28.     /**
  29.      * @internal
  30.      */
  31.     public function __construct(private readonly Connection $connection, private readonly RouteScopeRegistry $routeScopeRegistry)
  32.     {
  33.     }
  35.     public function resolve(Request $request): void
  36.     {
  37.         if ($request->attributes->has(PlatformRequest::ATTRIBUTE_CONTEXT_OBJECT)) {
  38.             return;
  39.         }
  41.         if (!$this->isRequestScoped($requestApiContextRouteScopeDependant::class)) {
  42.             return;
  43.         }
  45.         $params $this->getContextParameters($request);
  46.         $languageIdChain $this->getLanguageIdChain($params);
  48.         $rounding $this->getCashRounding($params['currencyId']);
  50.         $context = new Context(
  51.             $this->resolveContextSource($request),
  52.             [],
  53.             $params['currencyId'],
  54.             $languageIdChain,
  55.             $params['versionId'] ?? Defaults::LIVE_VERSION,
  56.             $params['currencyFactory'],
  57.             $params['considerInheritance'],
  58.             CartPrice::TAX_STATE_GROSS,
  59.             $rounding
  60.         );
  62.         if ($request->headers->has(PlatformRequest::HEADER_SKIP_TRIGGER_FLOW)) {
  63.             $skipTriggerFlow filter_var($request->headers->get(PlatformRequest::HEADER_SKIP_TRIGGER_FLOW'false'), \FILTER_VALIDATE_BOOLEAN);
  65.             if ($skipTriggerFlow) {
  66.                 $context->addState(Context::SKIP_TRIGGER_FLOW);
  67.             }
  68.         }
  70.         $request->attributes->set(PlatformRequest::ATTRIBUTE_CONTEXT_OBJECT$context);
  71.     }
  73.     protected function getScopeRegistry(): RouteScopeRegistry
  74.     {
  75.         return $this->routeScopeRegistry;
  76.     }
  78.     /**
  79.      * @return array{currencyId: string, languageId: string, systemFallbackLanguageId: string, currencyFactory: float, currencyPrecision: int, versionId: ?string, considerInheritance: bool}
  80.      */
  81.     private function getContextParameters(Request $request): array
  82.     {
  83.         $params = [
  84.             'currencyId' => Defaults::CURRENCY,
  85.             'languageId' => Defaults::LANGUAGE_SYSTEM,
  86.             'systemFallbackLanguageId' => Defaults::LANGUAGE_SYSTEM,
  87.             'currencyFactory' => 1.0,
  88.             'currencyPrecision' => 2,
  89.             'versionId' => $request->headers->get(PlatformRequest::HEADER_VERSION_ID),
  90.             'considerInheritance' => false,
  91.         ];
  93.         $runtimeParams $this->getRuntimeParameters($request);
  95.         /** @var array{currencyId: string, languageId: string, systemFallbackLanguageId: string, currencyFactory: float, currencyPrecision: int, versionId: ?string, considerInheritance: bool} $params */
  96.         $params array_replace_recursive($params$runtimeParams);
  98.         return $params;
  99.     }
  101.     private function getRuntimeParameters(Request $request): array
  102.     {
  103.         $parameters = [];
  105.         if ($request->headers->has(PlatformRequest::HEADER_LANGUAGE_ID)) {
  106.             $langHeader $request->headers->get(PlatformRequest::HEADER_LANGUAGE_ID);
  108.             if ($langHeader !== null) {
  109.                 $parameters['languageId'] = $langHeader;
  110.             }
  111.         }
  113.         if ($request->headers->has(PlatformRequest::HEADER_CURRENCY_ID)) {
  114.             $currencyHeader $request->headers->get(PlatformRequest::HEADER_CURRENCY_ID);
  116.             if ($currencyHeader !== null) {
  117.                 $parameters['currencyId'] = $currencyHeader;
  118.             }
  119.         }
  121.         if ($request->headers->has(PlatformRequest::HEADER_INHERITANCE)) {
  122.             $parameters['considerInheritance'] = true;
  123.         }
  125.         return $parameters;
  126.     }
  128.     private function resolveContextSource(Request $request): ContextSource
  129.     {
  130.         if ($userId $request->attributes->get(PlatformRequest::ATTRIBUTE_OAUTH_USER_ID)) {
  131.             $appIntegrationId $request->headers->get(PlatformRequest::HEADER_APP_INTEGRATION_ID);
  133.             // The app integration id header is only to be used by a privileged user
  134.             if ($this->userAppIntegrationHeaderPrivileged($userId$appIntegrationId)) {
  135.                 $userId null;
  136.             } else {
  137.                 $appIntegrationId null;
  138.             }
  140.             return $this->getAdminApiSource($userId$appIntegrationId);
  141.         }
  143.         if (!$request->attributes->has(PlatformRequest::ATTRIBUTE_OAUTH_ACCESS_TOKEN_ID)) {
  144.             return new SystemSource();
  145.         }
  147.         $clientId $request->attributes->get(PlatformRequest::ATTRIBUTE_OAUTH_CLIENT_ID);
  148.         $keyOrigin AccessKeyHelper::getOrigin($clientId);
  150.         if ($keyOrigin === 'user') {
  151.             $userId $this->getUserIdByAccessKey($clientId);
  153.             return $this->getAdminApiSource($userId);
  154.         }
  156.         if ($keyOrigin === 'integration') {
  157.             $integrationId $this->getIntegrationIdByAccessKey($clientId);
  159.             return $this->getAdminApiSource(null$integrationId);
  160.         }
  162.         if ($keyOrigin === 'sales-channel') {
  163.             $salesChannelId $this->getSalesChannelIdByAccessKey($clientId);
  165.             return new SalesChannelApiSource($salesChannelId);
  166.         }
  168.         return new SystemSource();
  169.     }
  171.     /**
  172.      * @param array{languageId: string, systemFallbackLanguageId: string} $params
  173.      *
  174.      * @return non-empty-array<string>
  175.      */
  176.     private function getLanguageIdChain(array $params): array
  177.     {
  178.         $chain = [$params['languageId']];
  179.         if ($chain[0] === Defaults::LANGUAGE_SYSTEM) {
  180.             return $chain// no query needed
  181.         }
  182.         // `Context` ignores nulls and duplicates
  183.         $chain[] = $this->getParentLanguageId($chain[0]);
  184.         $chain[] = $params['systemFallbackLanguageId'];
  186.         /** @var non-empty-array<string> $filtered */
  187.         $filtered array_filter($chain);
  189.         return $filtered;
  190.     }
  192.     private function getParentLanguageId(?string $languageId): ?string
  193.     {
  194.         if ($languageId === null || !Uuid::isValid($languageId)) {
  195.             throw new LanguageNotFoundException($languageId);
  196.         }
  197.         $data $this->connection->createQueryBuilder()
  198.             ->select(['LOWER(HEX(language.parent_id))'])
  199.             ->from('language')
  200.             ->where('language.id = :id')
  201.             ->setParameter('id'Uuid::fromHexToBytes($languageId))
  202.             ->executeQuery()
  203.             ->fetchFirstColumn();
  205.         if (empty($data)) {
  206.             throw new LanguageNotFoundException($languageId);
  207.         }
  209.         return $data[0];
  210.     }
  212.     private function getUserIdByAccessKey(string $clientId): string
  213.     {
  214.         $id $this->connection->createQueryBuilder()
  215.             ->select(['user_id'])
  216.             ->from('user_access_key')
  217.             ->where('access_key = :accessKey')
  218.             ->setParameter('accessKey'$clientId)
  219.             ->executeQuery()
  220.             ->fetchOne();
  222.         return Uuid::fromBytesToHex($id);
  223.     }
  225.     private function getSalesChannelIdByAccessKey(string $clientId): string
  226.     {
  227.         $id $this->connection->createQueryBuilder()
  228.             ->select(['id'])
  229.             ->from('sales_channel')
  230.             ->where('access_key = :accessKey')
  231.             ->setParameter('accessKey'$clientId)
  232.             ->executeQuery()
  233.             ->fetchOne();
  235.         return Uuid::fromBytesToHex($id);
  236.     }
  238.     private function getIntegrationIdByAccessKey(string $clientId): string
  239.     {
  240.         $id $this->connection->createQueryBuilder()
  241.             ->select(['id'])
  242.             ->from('integration')
  243.             ->where('access_key = :accessKey')
  244.             ->setParameter('accessKey'$clientId)
  245.             ->executeQuery()
  246.             ->fetchOne();
  248.         return Uuid::fromBytesToHex($id);
  249.     }
  251.     private function getAdminApiSource(?string $userId, ?string $integrationId null): AdminApiSource
  252.     {
  253.         $source = new AdminApiSource($userId$integrationId);
  255.         // Use the permissions associated to that app, if the request is made by an integration associated to an app
  256.         $appPermissions $this->fetchPermissionsIntegrationByApp($integrationId);
  257.         if ($appPermissions !== null) {
  258.             $source->setIsAdmin(false);
  259.             $source->setPermissions($appPermissions);
  261.             return $source;
  262.         }
  264.         if ($userId !== null) {
  265.             $source->setPermissions($this->fetchPermissions($userId));
  266.             $source->setIsAdmin($this->isAdmin($userId));
  268.             return $source;
  269.         }
  271.         if ($integrationId !== null) {
  272.             $source->setIsAdmin($this->isAdminIntegration($integrationId));
  273.             $source->setPermissions($this->fetchIntegrationPermissions($integrationId));
  275.             return $source;
  276.         }
  278.         return $source;
  279.     }
  281.     private function isAdmin(string $userId): bool
  282.     {
  283.         return (bool) $this->connection->fetchOne(
  284.             'SELECT admin FROM `user` WHERE id = :id',
  285.             ['id' => Uuid::fromHexToBytes($userId)]
  286.         );
  287.     }
  289.     private function isAdminIntegration(string $integrationId): bool
  290.     {
  291.         return (bool) $this->connection->fetchOne(
  292.             'SELECT admin FROM `integration` WHERE id = :id',
  293.             ['id' => Uuid::fromHexToBytes($integrationId)]
  294.         );
  295.     }
  297.     private function fetchPermissions(string $userId): array
  298.     {
  299.         $permissions $this->connection->createQueryBuilder()
  300.             ->select(['role.privileges'])
  301.             ->from('acl_user_role''mapping')
  302.             ->innerJoin('mapping''acl_role''role''mapping.acl_role_id = role.id')
  303.             ->where('mapping.user_id = :userId')
  304.             ->setParameter('userId'Uuid::fromHexToBytes($userId))
  305.             ->executeQuery()
  306.             ->fetchFirstColumn();
  308.         $list = [];
  309.         foreach ($permissions as $privileges) {
  310.             $privileges json_decode((string) $privilegestrue512\JSON_THROW_ON_ERROR);
  311.             $list array_merge($list$privileges);
  312.         }
  314.         return array_unique(array_filter($list));
  315.     }
  317.     private function getCashRounding(string $currencyId): CashRoundingConfig
  318.     {
  319.         $rounding $this->connection->fetchAssociative(
  320.             'SELECT item_rounding FROM currency WHERE id = :id',
  321.             ['id' => Uuid::fromHexToBytes($currencyId)]
  322.         );
  323.         if ($rounding === false) {
  324.             throw new \RuntimeException(sprintf('No cash rounding for currency "%s" found'$currencyId));
  325.         }
  327.         $rounding json_decode((string) $rounding['item_rounding'], true512\JSON_THROW_ON_ERROR);
  329.         return new CashRoundingConfig(
  330.             (int) $rounding['decimals'],
  331.             (float) $rounding['interval'],
  332.             (bool) $rounding['roundForNet']
  333.         );
  334.     }
  336.     private function fetchPermissionsIntegrationByApp(?string $integrationId): ?array
  337.     {
  338.         if (!$integrationId) {
  339.             return null;
  340.         }
  342.         $privileges $this->connection->fetchOne('
  343.             SELECT `acl_role`.`privileges`
  344.             FROM `acl_role`
  345.             INNER JOIN `app` ON `app`.`acl_role_id` = `acl_role`.`id`
  346.             WHERE `app`.`integration_id` = :integrationId
  347.         ', ['integrationId' => Uuid::fromHexToBytes($integrationId)]);
  349.         if ($privileges === false) {
  350.             return null;
  351.         }
  353.         return json_decode((string) $privilegestrue512\JSON_THROW_ON_ERROR);
  354.     }
  356.     private function fetchIntegrationPermissions(string $integrationId): array
  357.     {
  358.         $permissions $this->connection->createQueryBuilder()
  359.             ->select(['role.privileges'])
  360.             ->from('integration_role''mapping')
  361.             ->innerJoin('mapping''acl_role''role''mapping.acl_role_id = role.id')
  362.             ->where('mapping.integration_id = :integrationId')
  363.             ->setParameter('integrationId'Uuid::fromHexToBytes($integrationId))
  364.             ->executeQuery()
  365.             ->fetchFirstColumn();
  367.         $list = [];
  368.         foreach ($permissions as $privileges) {
  369.             $privileges json_decode((string) $privilegestrue512\JSON_THROW_ON_ERROR);
  370.             $list array_merge($list$privileges);
  371.         }
  373.         return array_unique(array_filter($list));
  374.     }
  376.     private function fetchAppNameByIntegrationId(string $integrationId): ?string
  377.     {
  378.         $name $this->connection->createQueryBuilder()
  379.             ->select(['app.name'])
  380.             ->from('app''app')
  381.             ->innerJoin('app''integration''integration''integration.id = app.integration_id')
  382.             ->where('integration.id = :integrationId')
  383.             ->andWhere('app.active = 1')
  384.             ->setParameter('integrationId'Uuid::fromHexToBytes($integrationId))
  385.             ->executeQuery()
  386.             ->fetchOne();
  388.         if ($name === false) {
  389.             return null;
  390.         }
  392.         return $name;
  393.     }
  395.     /**
  396.      * @throws MissingPrivilegeException
  397.      * @throws AppNotFoundException
  398.      */
  399.     private function userAppIntegrationHeaderPrivileged(string $userId, ?string $appIntegrationId): bool
  400.     {
  401.         if ($appIntegrationId === null) {
  402.             return false;
  403.         }
  405.         $appName $this->fetchAppNameByIntegrationId($appIntegrationId);
  406.         if ($appName === null) {
  407.             throw new AppNotFoundException($appIntegrationId);
  408.         }
  410.         $isAdmin $this->isAdmin($userId);
  411.         if ($isAdmin) {
  412.             return true;
  413.         }
  415.         $permissions $this->fetchPermissions($userId);
  416.         $allAppsPrivileged \in_array('app.all'$permissionstrue);
  417.         $appPrivilegeName \sprintf('app.%s'$appName);
  418.         $specificAppPrivileged \in_array($appPrivilegeName$permissionstrue);
  420.         if (!($specificAppPrivileged || $allAppsPrivileged)) {
  421.             throw new MissingPrivilegeException([$appPrivilegeName]);
  422.         }
  424.         return true;
  425.     }
  426. }