vendor/shopware/core/Framework/Routing/ApiRequestContextResolver.php line 323

  1. <?php declare(strict_types=1);
  3. namespace Shopware\Core\Framework\Routing;
  5. use Doctrine\DBAL\Connection;
  6. use Shopware\Core\Checkout\Cart\Price\Struct\CartPrice;
  7. use Shopware\Core\Defaults;
  8. use Shopware\Core\Framework\Api\Context\AdminApiSource;
  9. use Shopware\Core\Framework\Api\Context\ContextSource;
  10. use Shopware\Core\Framework\Api\Context\SalesChannelApiSource;
  11. use Shopware\Core\Framework\Api\Context\SystemSource;
  12. use Shopware\Core\Framework\Api\Exception\MissingPrivilegeException;
  13. use Shopware\Core\Framework\Api\Util\AccessKeyHelper;
  14. use Shopware\Core\Framework\App\Exception\AppNotFoundException;
  15. use Shopware\Core\Framework\Context;
  16. use Shopware\Core\Framework\DataAbstractionLayer\Pricing\CashRoundingConfig;
  17. use Shopware\Core\Framework\Log\Package;
  18. use Shopware\Core\Framework\Routing\Exception\LanguageNotFoundException;
  19. use Shopware\Core\Framework\Uuid\Uuid;
  20. use Shopware\Core\PlatformRequest;
  21. use Symfony\Component\HttpFoundation\Request;
  23. #[Package('core')]
  24. class ApiRequestContextResolver implements RequestContextResolverInterface
  25. {
  26.     use RouteScopeCheckTrait;
  28.     /**
  29.      * @internal
  30.      */
  31.     public function __construct(
  32.         private readonly Connection $connection,
  33.         private readonly RouteScopeRegistry $routeScopeRegistry
  34.     ) {
  35.     }
  37.     public function resolve(Request $request): void
  38.     {
  39.         if ($request->attributes->has(PlatformRequest::ATTRIBUTE_CONTEXT_OBJECT)) {
  40.             return;
  41.         }
  43.         if (!$this->isRequestScoped($requestApiContextRouteScopeDependant::class)) {
  44.             return;
  45.         }
  47.         $params $this->getContextParameters($request);
  48.         $languageIdChain $this->getLanguageIdChain($params);
  50.         $rounding $this->getCashRounding($params['currencyId']);
  52.         $context = new Context(
  53.             $this->resolveContextSource($request),
  54.             [],
  55.             $params['currencyId'],
  56.             $languageIdChain,
  57.             $params['versionId'] ?? Defaults::LIVE_VERSION,
  58.             $params['currencyFactory'],
  59.             $params['considerInheritance'],
  60.             CartPrice::TAX_STATE_GROSS,
  61.             $rounding
  62.         );
  64.         if ($request->headers->has(PlatformRequest::HEADER_SKIP_TRIGGER_FLOW)) {
  65.             $skipTriggerFlow filter_var($request->headers->get(PlatformRequest::HEADER_SKIP_TRIGGER_FLOW'false'), \FILTER_VALIDATE_BOOLEAN);
  67.             if ($skipTriggerFlow) {
  68.                 $context->addState(Context::SKIP_TRIGGER_FLOW);
  69.             }
  70.         }
  72.         $request->attributes->set(PlatformRequest::ATTRIBUTE_CONTEXT_OBJECT$context);
  73.     }
  75.     protected function getScopeRegistry(): RouteScopeRegistry
  76.     {
  77.         return $this->routeScopeRegistry;
  78.     }
  80.     /**
  81.      * @return array{currencyId: string, languageId: string, systemFallbackLanguageId: string, currencyFactory: float, currencyPrecision: int, versionId: ?string, considerInheritance: bool}
  82.      */
  83.     private function getContextParameters(Request $request): array
  84.     {
  85.         $params = [
  86.             'currencyId' => Defaults::CURRENCY,
  87.             'languageId' => Defaults::LANGUAGE_SYSTEM,
  88.             'systemFallbackLanguageId' => Defaults::LANGUAGE_SYSTEM,
  89.             'currencyFactory' => 1.0,
  90.             'currencyPrecision' => 2,
  91.             'versionId' => $request->headers->get(PlatformRequest::HEADER_VERSION_ID),
  92.             'considerInheritance' => false,
  93.         ];
  95.         $runtimeParams $this->getRuntimeParameters($request);
  97.         /** @var array{currencyId: string, languageId: string, systemFallbackLanguageId: string, currencyFactory: float, currencyPrecision: int, versionId: ?string, considerInheritance: bool} $params */
  98.         $params array_replace_recursive($params$runtimeParams);
  100.         return $params;
  101.     }
  103.     private function getRuntimeParameters(Request $request): array
  104.     {
  105.         $parameters = [];
  107.         if ($request->headers->has(PlatformRequest::HEADER_LANGUAGE_ID)) {
  108.             $langHeader $request->headers->get(PlatformRequest::HEADER_LANGUAGE_ID);
  110.             if ($langHeader !== null) {
  111.                 $parameters['languageId'] = $langHeader;
  112.             }
  113.         }
  115.         if ($request->headers->has(PlatformRequest::HEADER_CURRENCY_ID)) {
  116.             $currencyHeader $request->headers->get(PlatformRequest::HEADER_CURRENCY_ID);
  118.             if ($currencyHeader !== null) {
  119.                 $parameters['currencyId'] = $currencyHeader;
  120.             }
  121.         }
  123.         if ($request->headers->has(PlatformRequest::HEADER_INHERITANCE)) {
  124.             $parameters['considerInheritance'] = true;
  125.         }
  127.         return $parameters;
  128.     }
  130.     private function resolveContextSource(Request $request): ContextSource
  131.     {
  132.         if ($userId $request->attributes->get(PlatformRequest::ATTRIBUTE_OAUTH_USER_ID)) {
  133.             $appIntegrationId $request->headers->get(PlatformRequest::HEADER_APP_INTEGRATION_ID);
  135.             // The app integration id header is only to be used by a privileged user
  136.             if ($this->userAppIntegrationHeaderPrivileged($userId$appIntegrationId)) {
  137.                 $userId null;
  138.             } else {
  139.                 $appIntegrationId null;
  140.             }
  142.             return $this->getAdminApiSource($userId$appIntegrationId);
  143.         }
  145.         if (!$request->attributes->has(PlatformRequest::ATTRIBUTE_OAUTH_ACCESS_TOKEN_ID)) {
  146.             return new SystemSource();
  147.         }
  149.         $clientId $request->attributes->get(PlatformRequest::ATTRIBUTE_OAUTH_CLIENT_ID);
  150.         $keyOrigin AccessKeyHelper::getOrigin($clientId);
  152.         if ($keyOrigin === 'user') {
  153.             $userId $this->getUserIdByAccessKey($clientId);
  155.             return $this->getAdminApiSource($userId);
  156.         }
  158.         if ($keyOrigin === 'integration') {
  159.             $integrationId $this->getIntegrationIdByAccessKey($clientId);
  161.             return $this->getAdminApiSource(null$integrationId);
  162.         }
  164.         if ($keyOrigin === 'sales-channel') {
  165.             $salesChannelId $this->getSalesChannelIdByAccessKey($clientId);
  167.             return new SalesChannelApiSource($salesChannelId);
  168.         }
  170.         return new SystemSource();
  171.     }
  173.     /**
  174.      * @param array{languageId: string, systemFallbackLanguageId: string} $params
  175.      *
  176.      * @return non-empty-array<string>
  177.      */
  178.     private function getLanguageIdChain(array $params): array
  179.     {
  180.         $chain = [$params['languageId']];
  181.         if ($chain[0] === Defaults::LANGUAGE_SYSTEM) {
  182.             return $chain// no query needed
  183.         }
  184.         // `Context` ignores nulls and duplicates
  185.         $chain[] = $this->getParentLanguageId($chain[0]);
  186.         $chain[] = $params['systemFallbackLanguageId'];
  188.         /** @var non-empty-array<string> $filtered */
  189.         $filtered array_filter($chain);
  191.         return $filtered;
  192.     }
  194.     private function getParentLanguageId(?string $languageId): ?string
  195.     {
  196.         if ($languageId === null || !Uuid::isValid($languageId)) {
  197.             throw new LanguageNotFoundException($languageId);
  198.         }
  199.         $data $this->connection->createQueryBuilder()
  200.             ->select(['LOWER(HEX(language.parent_id))'])
  201.             ->from('language')
  202.             ->where('language.id = :id')
  203.             ->setParameter('id'Uuid::fromHexToBytes($languageId))
  204.             ->executeQuery()
  205.             ->fetchFirstColumn();
  207.         if (empty($data)) {
  208.             throw new LanguageNotFoundException($languageId);
  209.         }
  211.         return $data[0];
  212.     }
  214.     private function getUserIdByAccessKey(string $clientId): string
  215.     {
  216.         $id $this->connection->createQueryBuilder()
  217.             ->select(['user_id'])
  218.             ->from('user_access_key')
  219.             ->where('access_key = :accessKey')
  220.             ->setParameter('accessKey'$clientId)
  221.             ->executeQuery()
  222.             ->fetchOne();
  224.         return Uuid::fromBytesToHex($id);
  225.     }
  227.     private function getSalesChannelIdByAccessKey(string $clientId): string
  228.     {
  229.         $id $this->connection->createQueryBuilder()
  230.             ->select(['id'])
  231.             ->from('sales_channel')
  232.             ->where('access_key = :accessKey')
  233.             ->setParameter('accessKey'$clientId)
  234.             ->executeQuery()
  235.             ->fetchOne();
  237.         return Uuid::fromBytesToHex($id);
  238.     }
  240.     private function getIntegrationIdByAccessKey(string $clientId): string
  241.     {
  242.         $id $this->connection->createQueryBuilder()
  243.             ->select(['id'])
  244.             ->from('integration')
  245.             ->where('access_key = :accessKey')
  246.             ->setParameter('accessKey'$clientId)
  247.             ->executeQuery()
  248.             ->fetchOne();
  250.         return Uuid::fromBytesToHex($id);
  251.     }
  253.     private function getAdminApiSource(?string $userId, ?string $integrationId null): AdminApiSource
  254.     {
  255.         $source = new AdminApiSource($userId$integrationId);
  257.         // Use the permissions associated to that app, if the request is made by an integration associated to an app
  258.         $appPermissions $this->fetchPermissionsIntegrationByApp($integrationId);
  259.         if ($appPermissions !== null) {
  260.             $source->setIsAdmin(false);
  261.             $source->setPermissions($appPermissions);
  263.             return $source;
  264.         }
  266.         if ($userId !== null) {
  267.             $source->setPermissions($this->fetchPermissions($userId));
  268.             $source->setIsAdmin($this->isAdmin($userId));
  270.             return $source;
  271.         }
  273.         if ($integrationId !== null) {
  274.             $source->setIsAdmin($this->isAdminIntegration($integrationId));
  275.             $source->setPermissions($this->fetchIntegrationPermissions($integrationId));
  277.             return $source;
  278.         }
  280.         return $source;
  281.     }
  283.     private function isAdmin(string $userId): bool
  284.     {
  285.         return (bool) $this->connection->fetchOne(
  286.             'SELECT admin FROM `user` WHERE id = :id',
  287.             ['id' => Uuid::fromHexToBytes($userId)]
  288.         );
  289.     }
  291.     private function isAdminIntegration(string $integrationId): bool
  292.     {
  293.         return (bool) $this->connection->fetchOne(
  294.             'SELECT admin FROM `integration` WHERE id = :id',
  295.             ['id' => Uuid::fromHexToBytes($integrationId)]
  296.         );
  297.     }
  299.     private function fetchPermissions(string $userId): array
  300.     {
  301.         $permissions $this->connection->createQueryBuilder()
  302.             ->select(['role.privileges'])
  303.             ->from('acl_user_role''mapping')
  304.             ->innerJoin('mapping''acl_role''role''mapping.acl_role_id = role.id')
  305.             ->where('mapping.user_id = :userId')
  306.             ->setParameter('userId'Uuid::fromHexToBytes($userId))
  307.             ->executeQuery()
  308.             ->fetchFirstColumn();
  310.         $list = [];
  311.         foreach ($permissions as $privileges) {
  312.             $privileges json_decode((string) $privilegestrue512\JSON_THROW_ON_ERROR);
  313.             $list array_merge($list$privileges);
  314.         }
  316.         return array_unique(array_filter($list));
  317.     }
  319.     private function getCashRounding(string $currencyId): CashRoundingConfig
  320.     {
  321.         $rounding $this->connection->fetchAssociative(
  322.             'SELECT item_rounding FROM currency WHERE id = :id',
  323.             ['id' => Uuid::fromHexToBytes($currencyId)]
  324.         );
  325.         if ($rounding === false) {
  326.             throw new \RuntimeException(sprintf('No cash rounding for currency "%s" found'$currencyId));
  327.         }
  329.         $rounding json_decode((string) $rounding['item_rounding'], true512\JSON_THROW_ON_ERROR);
  331.         return new CashRoundingConfig(
  332.             (int) $rounding['decimals'],
  333.             (float) $rounding['interval'],
  334.             (bool) $rounding['roundForNet']
  335.         );
  336.     }
  338.     private function fetchPermissionsIntegrationByApp(?string $integrationId): ?array
  339.     {
  340.         if (!$integrationId) {
  341.             return null;
  342.         }
  344.         $privileges $this->connection->fetchOne('
  345.             SELECT `acl_role`.`privileges`
  346.             FROM `acl_role`
  347.             INNER JOIN `app` ON `app`.`acl_role_id` = `acl_role`.`id`
  348.             WHERE `app`.`integration_id` = :integrationId
  349.         ', ['integrationId' => Uuid::fromHexToBytes($integrationId)]);
  351.         if ($privileges === false) {
  352.             return null;
  353.         }
  355.         return json_decode((string) $privilegestrue512\JSON_THROW_ON_ERROR);
  356.     }
  358.     private function fetchIntegrationPermissions(string $integrationId): array
  359.     {
  360.         $permissions $this->connection->createQueryBuilder()
  361.             ->select(['role.privileges'])
  362.             ->from('integration_role''mapping')
  363.             ->innerJoin('mapping''acl_role''role''mapping.acl_role_id = role.id')
  364.             ->where('mapping.integration_id = :integrationId')
  365.             ->setParameter('integrationId'Uuid::fromHexToBytes($integrationId))
  366.             ->executeQuery()
  367.             ->fetchFirstColumn();
  369.         $list = [];
  370.         foreach ($permissions as $privileges) {
  371.             $privileges json_decode((string) $privilegestrue512\JSON_THROW_ON_ERROR);
  372.             $list array_merge($list$privileges);
  373.         }
  375.         return array_unique(array_filter($list));
  376.     }
  378.     private function fetchAppNameByIntegrationId(string $integrationId): ?string
  379.     {
  380.         $name $this->connection->createQueryBuilder()
  381.             ->select(['app.name'])
  382.             ->from('app''app')
  383.             ->innerJoin('app''integration''integration''integration.id = app.integration_id')
  384.             ->where('integration.id = :integrationId')
  385.             ->andWhere('app.active = 1')
  386.             ->setParameter('integrationId'Uuid::fromHexToBytes($integrationId))
  387.             ->executeQuery()
  388.             ->fetchOne();
  390.         if ($name === false) {
  391.             return null;
  392.         }
  394.         return $name;
  395.     }
  397.     /**
  398.      * @throws MissingPrivilegeException
  399.      * @throws AppNotFoundException
  400.      */
  401.     private function userAppIntegrationHeaderPrivileged(string $userId, ?string $appIntegrationId): bool
  402.     {
  403.         if ($appIntegrationId === null) {
  404.             return false;
  405.         }
  407.         $appName $this->fetchAppNameByIntegrationId($appIntegrationId);
  408.         if ($appName === null) {
  409.             throw new AppNotFoundException($appIntegrationId);
  410.         }
  412.         $isAdmin $this->isAdmin($userId);
  413.         if ($isAdmin) {
  414.             return true;
  415.         }
  417.         $permissions $this->fetchPermissions($userId);
  418.         $allAppsPrivileged \in_array('app.all'$permissionstrue);
  419.         $appPrivilegeName \sprintf('app.%s'$appName);
  420.         $specificAppPrivileged \in_array($appPrivilegeName$permissionstrue);
  422.         if (!($specificAppPrivileged || $allAppsPrivileged)) {
  423.             throw new MissingPrivilegeException([$appPrivilegeName]);
  424.         }
  426.         return true;
  427.     }
  428. }