<?php

final class PhabricatorConduitAPIController
  extends PhabricatorConduitController {

  /**
   * The web login gate is disabled for this controller: Conduit does its own
   * per-call authentication in handleRequest() / authenticateUser() using
   * tokens, signatures, OAuth or session keys carried in the call metadata.
   *
   * @return bool Always false.
   */
  public function shouldRequireLogin() {
    $require_web_login = false;
    return $require_web_login;
  }

  /**
   * Controller entry point for a Conduit API call.
   *
   * The flow is: decode parameters and metadata, build the ConduitCall,
   * authenticate the caller if the method requires it, run the method inside
   * an unguarded-write scope, persist a PhabricatorConduitMethodCallLog row
   * (always, even on failure), then render the ConduitAPIResponse as JSON or
   * as a human-readable page when "output=human" is requested.
   *
   * Every failure path is mapped onto an (error code, error info) pair so the
   * caller always receives a well-formed response.
   *
   * @param AphrontRequest $request Incoming request; the method name is
   *   taken from the "method" URI component.
   * @return AphrontResponse JSON response (default) or the human-readable
   *   page.
   */
  public function handleRequest(AphrontRequest $request) {
    $method = $request->getURIData('method');
    $time_start = microtime(true);

    $api_request = null;
    $method_implementation = null;

    // The log row is created up front so that it is written even when
    // parameter decoding or authentication fails.
    $log = new PhabricatorConduitMethodCallLog();
    $log->setMethod($method);
    $metadata = array();

    $multimeter = MultimeterControl::getInstance();
    if ($multimeter) {
      $multimeter->setEventContext('api.'.$method);
    }

    try {

      list($metadata, $params) = $this->decodeConduitParams($request, $method);

      $call = new ConduitCall($method, $params);
      $method_implementation = $call->getMethodImplementation();

      $result = null;

      // TODO: The relationship between ConduitAPIRequest and ConduitCall is a
      // little odd here and could probably be improved. Specifically, the
      // APIRequest is a sub-object of the Call, which does not parallel the
      // role of AphrontRequest (which is an independent object).
      // In particular, the setUser() and getUser() existing independently on
      // the Call and APIRequest is very awkward.

      $api_request = $call->getAPIRequest();

      $allow_unguarded_writes = false;
      $auth_error = null;
      $conduit_username = '-';
      if ($call->shouldRequireAuthentication()) {
        $auth_error = $this->authenticateUser($api_request, $metadata, $method);
        // If we've explicitly authenticated the user here and either done
        // CSRF validation or are using a non-web authentication mechanism.
        // This flag is raised even when authentication failed; that is only
        // safe because execution below is gated on $auth_error === null.
        $allow_unguarded_writes = true;

        if ($auth_error === null) {
          $conduit_user = $api_request->getUser();
          // An anonymous/public user (no PHID) is recorded as "-".
          if ($conduit_user && $conduit_user->getPHID()) {
            $conduit_username = $conduit_user->getUsername();
          }
          $call->setUser($api_request->getUser());
        }
      }

      $access_log = PhabricatorAccessLog::getLog();
      if ($access_log) {
        $access_log->setData(
          array(
            'u' => $conduit_username,
            'm' => $method,
          ));
      }

      // Methods that opt out of authentication may still declare that they
      // write; honor that without requiring a login.
      if ($call->shouldAllowUnguardedWrites()) {
        $allow_unguarded_writes = true;
      }

      if ($auth_error === null) {
        if ($allow_unguarded_writes) {
          $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
        }

        try {
          $result = $call->execute();
          $error_code = null;
          $error_info = null;
        } catch (ConduitException $ex) {
          // ConduitException messages are error codes, not free text; the
          // human-readable description comes from the exception or the call.
          $result = null;
          $error_code = $ex->getMessage();
          if ($ex->getErrorDescription()) {
            $error_info = $ex->getErrorDescription();
          } else {
            $error_info = $call->getErrorDescription($error_code);
          }
        }
        if ($allow_unguarded_writes) {
          unset($unguarded);
        }
      } else {
        list($error_code, $error_info) = $auth_error;
      }
    } catch (Exception $ex) {
      // Unknown-method failures are presumably common (typos, probing) and
      // are deliberately not logged.
      if (!($ex instanceof ConduitMethodNotFoundException)) {
        phlog($ex);
      }
      $result = null;
      $error_code = ($ex instanceof ConduitException
        ? 'ERR-CONDUIT-CALL'
        : 'ERR-CONDUIT-CORE');
      // NOTE(review): the raw exception message is returned to the caller as
      // the error info even when the caller never authenticated; confirm
      // that lower layers do not put internal detail into it. Also note that
      // on PHP 7+ an Error (e.g. TypeError) is not an Exception and bypasses
      // this handler entirely, so no call-log row is written for it.
      $error_info = $ex->getMessage();
    }

    $time_end = microtime(true);

    // $conduit_user is only defined when authentication was required and
    // succeeded, hence the isset().
    $log
      ->setCallerPHID(
        isset($conduit_user)
          ? $conduit_user->getPHID()
          : null)
      ->setError((string)$error_code)
      ->setDuration(1000000 * ($time_end - $time_start));

    // The log row is written for every call, including failed logins; the
    // write guard is lifted here because any scope opened above has already
    // been released.
    $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
    $log->save();
    unset($unguarded);

    $response = id(new ConduitAPIResponse())
      ->setResult($result)
      ->setErrorCode($error_code)
      ->setErrorInfo($error_info);

    switch ($request->getStr('output')) {
      case 'human':
        return $this->buildHumanReadableResponse(
          $method,
          $api_request,
          $response->toDictionary(),
          $method_implementation);
      case 'json':
      default:
        // The JSON shield (an anti-JSON-hijacking prefix) is disabled so API
        // clients receive plain JSON. NOTE(review): cross-site reads through
        // a browser session therefore rely on the validateCSRF() call in
        // authenticateUser(); keep that check in place.
        return id(new AphrontJSONResponse())
          ->setAddJSONShield(false)
          ->setContent($response->toDictionary());
    }
  }

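  /**
   * Authenticate the client making the request to a Phabricator user account.
   *
   * Mechanisms are tried in this order; the first one that applies decides
   * the outcome:
   *
   *   1. An existing web session on the request (CSRF-validated).
   *   2. An asymmetrically signed request ("auth.type", "auth.host",
   *      "auth.key") matched against a stored user key or trusted device key.
   *   3. An API token ("token").
   *   4. An OAuth access token ("access_token"), subject to method scope.
   *   5. For callers inside the cluster address range with
   *      "policy.allow-public" enabled, an anonymous public user.
   *   6. Legacy certificate-based "sessionless" auth ("authUser",
   *      "authToken", "authSignature").
   *   7. A Conduit session key ("sessionKey").
   *
   * All metadata values are caller-controlled and, for JSON-encoded requests,
   * may be of any type. They are type-checked here so malformed input yields
   * an "ERR-INVALID-AUTH" pair instead of a PHP error that would surface as
   * "ERR-CONDUIT-CORE" (or escape handleRequest() entirely on PHP 7+).
   *
   * @param   ConduitAPIRequest Request being executed.
   * @param   dict              Request metadata.
   * @param   string            Name of the method being called; it is part
   *                            of the signed data for asymmetric auth and
   *                            selects the OAuth scope to check.
   * @return  null|pair         Null to indicate successful authentication, or
   *                            an error code and error message pair.
   */
  private function authenticateUser(
    ConduitAPIRequest $api_request,
    array $metadata,
    $method) {

    $request = $this->getRequest();

    // A browser with a live web session identifies the user by itself, but a
    // CSRF token is still required so that a third-party page can not drive
    // the API through the victim's cookies.
    if ($request->getUser()->getPHID()) {
      $request->validateCSRF();
      return $this->validateAuthenticatedUser(
        $api_request,
        $request->getUser());
    }

    $auth_type = idx($metadata, 'auth.type');
    if ($auth_type === ConduitClient::AUTH_ASYMMETRIC) {
      $host = idx($metadata, 'auth.host');
      if (!$host) {
        return array(
          'ERR-INVALID-AUTH',
          pht(
            'Request is missing required "%s" parameter.',
            'auth.host'),
        );
      }

      // TODO: Validate that we are the host!
      // NOTE(review): "auth.host" is part of $protocol_data and so is
      // presumably covered by the signature, but nothing compares it with
      // this install's own host. Until that is done, a signed request
      // captured for one install can be replayed against another install
      // that trusts the same key.

      // The key is caller-supplied at this point; it only becomes meaningful
      // once it is matched against a stored key below. Reject a missing or
      // non-string key up front so the failure is reported as an auth error
      // rather than as an internal error from the key parser.
      $raw_key = idx($metadata, 'auth.key');
      if (!is_string($raw_key) || !strlen($raw_key)) {
        return array(
          'ERR-INVALID-AUTH',
          pht(
            'Request is missing required "%s" parameter.',
            'auth.key'),
        );
      }

      // First, verify the signature. Key parsing is inside the try so that a
      // malformed key is reported the same way as a bad signature.
      try {
        $public_key = PhabricatorAuthSSHPublicKey::newFromRawKey($raw_key);
        $ssl_public_key = $public_key->toPKCS8();

        $protocol_data = $metadata;
        ConduitClient::verifySignature(
          $method,
          $api_request->getAllParameters(),
          $protocol_data,
          $ssl_public_key);
      } catch (Exception $ex) {
        return array(
          'ERR-INVALID-AUTH',
          pht(
            'Signature verification failure. %s',
            $ex->getMessage()),
        );
      }

      // If the signature is valid, find the user or device which is
      // associated with this public key. The lookup uses the omnipotent
      // viewer because no user has been established yet.
      $stored_key = id(new PhabricatorAuthSSHKeyQuery())
        ->setViewer(PhabricatorUser::getOmnipotentUser())
        ->withKeys(array($public_key))
        ->executeOne();
      if (!$stored_key) {
        return array(
          'ERR-INVALID-AUTH',
          pht('No user or device is associated with that public key.'),
        );
      }

      $object = $stored_key->getObject();

      if ($object instanceof PhabricatorUser) {
        $user = $object;
      } else {
        // Device keys act with omnipotent privileges, so they must be both
        // explicitly trusted and calling from inside the cluster.
        if (!$stored_key->getIsTrusted()) {
          return array(
            'ERR-INVALID-AUTH',
            pht(
              'The key which signed this request is not trusted. Only '.
              'trusted keys can be used to sign API calls.'),
          );
        }

        if (!PhabricatorEnv::isClusterRemoteAddress()) {
          return array(
            'ERR-INVALID-AUTH',
            pht(
              'This request originates from outside of the Phabricator '.
              'cluster address range. Requests signed with trusted '.
              'device keys must originate from within the cluster.'),
          );
        }

        $user = PhabricatorUser::getOmnipotentUser();

        // Flag this as an intracluster request.
        $api_request->setIsClusterRequest(true);
      }

      return $this->validateAuthenticatedUser(
        $api_request,
        $user);
    } else if ($auth_type === null) {
      // No specified authentication type, continue with other authentication
      // methods below.
    } else {
      return array(
        'ERR-INVALID-AUTH',
        pht(
          'Provided "%s" ("%s") is not recognized.',
          'auth.type',
          $auth_type),
      );
    }

    // API token authentication. strlen()/explode() below need a string;
    // JSON-encoded requests can carry any type here.
    $token_string = idx($metadata, 'token');
    if ($token_string !== null && !is_string($token_string)) {
      return array(
        'ERR-INVALID-AUTH',
        pht('API token must be a string.'),
      );
    }
    if ($token_string !== null && strlen($token_string)) {

      // NOTE(review): the messages below echo the submitted token back to
      // the caller; it is the caller's own secret, but it will also appear
      // in anything that records the error info.
      if (strlen($token_string) != 32) {
        return array(
          'ERR-INVALID-AUTH',
          pht(
            'API token "%s" has the wrong length. API tokens should be '.
            '32 characters long.',
            $token_string),
        );
      }

      $type = head(explode('-', $token_string));
      $valid_types = PhabricatorConduitToken::getAllTokenTypes();
      $valid_types = array_fuse($valid_types);
      if (empty($valid_types[$type])) {
        return array(
          'ERR-INVALID-AUTH',
          pht(
            'API token "%s" has the wrong format. API tokens should be '.
            '32 characters long and begin with one of these prefixes: %s.',
            $token_string,
            implode(', ', $valid_types)),
          );
      }

      // Look the token up twice so an expired token gets a distinct message
      // from an unknown one.
      $token = id(new PhabricatorConduitTokenQuery())
        ->setViewer(PhabricatorUser::getOmnipotentUser())
        ->withTokens(array($token_string))
        ->withExpired(false)
        ->executeOne();
      if (!$token) {
        $token = id(new PhabricatorConduitTokenQuery())
          ->setViewer(PhabricatorUser::getOmnipotentUser())
          ->withTokens(array($token_string))
          ->withExpired(true)
          ->executeOne();
        if ($token) {
          return array(
            'ERR-INVALID-AUTH',
            pht(
              'API token "%s" was previously valid, but has expired.',
              $token_string),
          );
        } else {
          return array(
            'ERR-INVALID-AUTH',
            pht(
              'API token "%s" is not valid.',
              $token_string),
          );
        }
      }

      // If this is a "cli-" token, it expires shortly after it is generated
      // by default. Once it is actually used, we extend its lifetime and make
      // it permanent. This allows stray tokens to get cleaned up automatically
      // if they aren't being used.
      if ($token->getTokenType() == PhabricatorConduitToken::TYPE_COMMANDLINE) {
        if ($token->getExpires()) {
          $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
            $token->setExpires(null);
            $token->save();
          unset($unguarded);
        }
      }

      // If this is a "clr-" token, Phabricator must be configured in cluster
      // mode and the remote address must be a cluster node.
      if ($token->getTokenType() == PhabricatorConduitToken::TYPE_CLUSTER) {
        if (!PhabricatorEnv::isClusterRemoteAddress()) {
          return array(
            'ERR-INVALID-AUTH',
            pht(
              'This request originates from outside of the Phabricator '.
              'cluster address range. Requests signed with cluster API '.
              'tokens must originate from within the cluster.'),
          );
        }

        // Flag this as an intracluster request.
        $api_request->setIsClusterRequest(true);
      }

      $user = $token->getObject();
      if (!($user instanceof PhabricatorUser)) {
        return array(
          'ERR-INVALID-AUTH',
          pht('API token is not associated with a valid user.'),
        );
      }

      return $this->validateAuthenticatedUser(
        $api_request,
        $user);
    }

    // OAuth access token authentication.
    $access_token = idx($metadata, 'access_token');
    if ($access_token !== null && !is_string($access_token)) {
      return array(
        'ERR-INVALID-AUTH',
        pht('Access token must be a string.'),
      );
    }
    if ($access_token) {
      $token = id(new PhabricatorOAuthServerAccessToken())
        ->loadOneWhere('token = %s', $access_token);
      if (!$token) {
        return array(
          'ERR-INVALID-AUTH',
          pht('Access token does not exist.'),
        );
      }

      $oauth_server = new PhabricatorOAuthServer();
      $authorization = $oauth_server->authorizeToken($token);
      if (!$authorization) {
        return array(
          'ERR-INVALID-AUTH',
          pht('Access token is invalid or expired.'),
        );
      }

      $user = id(new PhabricatorPeopleQuery())
        ->setViewer(PhabricatorUser::getOmnipotentUser())
        ->withPHIDs(array($token->getUserPHID()))
        ->executeOne();
      if (!$user) {
        return array(
          'ERR-INVALID-AUTH',
          pht('Access token is for invalid user.'),
        );
      }

      // An OAuth client only gets the methods its granted scopes allow.
      $ok = $this->authorizeOAuthMethodAccess($authorization, $method);
      if (!$ok) {
        return array(
          'ERR-OAUTH-ACCESS',
          pht('You do not have authorization to call this method.'),
        );
      }

      $api_request->setOAuthToken($token);

      return $this->validateAuthenticatedUser(
        $api_request,
        $user);
    }

    // For intracluster requests, use a public user if no authentication
    // information is provided. We could do this safely for any request,
    // but making the API fully public means there's no way to disable badly
    // behaved clients.
    if (PhabricatorEnv::isClusterRemoteAddress()) {
      if (PhabricatorEnv::getEnvConfig('policy.allow-public')) {
        $api_request->setIsClusterRequest(true);

        $user = new PhabricatorUser();
        return $this->validateAuthenticatedUser(
          $api_request,
          $user);
      }
    }

    // Handle sessionless auth.
    // TODO: This is super messy.
    // TODO: Remove this in favor of token-based auth.
    //
    // NOTE(review): nothing here bounds "authToken" to a time window, so a
    // captured (authToken, authSignature) pair stays valid for as long as
    // the user's certificate does. Confirm whether freshness is enforced
    // elsewhere in the certificate flow before relying on this path.

    if (isset($metadata['authUser'])) {
      $auth_user = $metadata['authUser'];
      $token = idx($metadata, 'authToken');
      $signature = idx($metadata, 'authSignature');

      // All three values are caller-controlled; make sure they are the
      // primitive types the query, sha1() and the constant-time compare
      // expect before using them. A wrong type is simply invalid auth.
      if (!is_string($auth_user) || !is_string($signature) || is_array($token)) {
        return array(
          'ERR-INVALID-AUTH',
          pht('Authentication is invalid.'),
        );
      }

      $user = id(new PhabricatorUser())->loadOneWhere(
        'userName = %s',
        $auth_user);
      if (!$user) {
        // Same message as a bad signature, so usernames are not enumerable
        // through this path.
        return array(
          'ERR-INVALID-AUTH',
          pht('Authentication is invalid.'),
        );
      }

      $certificate = $user->getConduitCertificate();
      $hash = sha1($token.$certificate);
      if (!phutil_hashes_are_identical($hash, $signature)) {
        return array(
          'ERR-INVALID-AUTH',
          pht('Authentication is invalid.'),
        );
      }
      return $this->validateAuthenticatedUser(
        $api_request,
        $user);
    }

    // Handle session-based auth.
    // TODO: Remove this in favor of token-based auth.

    $session_key = idx($metadata, 'sessionKey');
    if (!$session_key) {
      return array(
        'ERR-INVALID-SESSION',
        pht('Session key is not present.'),
      );
    }
    if (!is_string($session_key)) {
      return array(
        'ERR-INVALID-SESSION',
        pht('Session key is invalid.'),
      );
    }

    $user = id(new PhabricatorAuthSessionEngine())
      ->loadUserForSession(PhabricatorAuthSession::TYPE_CONDUIT, $session_key);

    if (!$user) {
      return array(
        'ERR-INVALID-SESSION',
        pht('Session key is invalid.'),
      );
    }

    return $this->validateAuthenticatedUser(
      $api_request,
      $user);
  }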

  /**
   * Final gate for every authentication mechanism: bind the user to the API
   * request, unless the account is not allowed to use the API at all.
   *
   * @param ConduitAPIRequest $request Request the user is bound to on success.
   * @param PhabricatorUser $user The authenticated (or public) user.
   * @return null|pair Null on success, otherwise an error code and message
   *   pair in the same shape authenticateUser() returns.
   */
  private function validateAuthenticatedUser(
    ConduitAPIRequest $request,
    PhabricatorUser $user) {

    $permitted = $user->canEstablishAPISessions();
    if ($permitted) {
      $request->setUser($user);
      return null;
    }

    return array(
      'ERR-INVALID-AUTH',
      pht('User account is not permitted to use the API.'),
    );
  }

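  /**
   * Render the outcome of a call as an HTML page (the "output=human" mode)
   * instead of JSON.
   *
   * Three panels are shown: the method parameters (method name plus every
   * parameter on the API request), the result dictionary, and an example
   * box for the method implementation when one is known.
   *
   * @param string $method Method name; also used to build the breadcrumb URI.
   * @param ConduitAPIRequest $request The executed request, or null if the
   *   call failed before one was built.
   * @param array|null $result The response dictionary to display; null is
   *   shown as an empty result.
   * @param ConduitAPIMethod $method_implementation Implementation used for
   *   the example box, or null when the method could not be resolved.
   * @return AphrontResponse The rendered page.
   */
  private function buildHumanReadableResponse(
    $method,
    ConduitAPIRequest $request = null,
    $result = null,
    ConduitAPIMethod $method_implementation = null) {

    // Both tables use the same two-column layout: a header cell and a wide
    // value cell.
    $column_classes = array(
      'header',
      'wide',
    );

    // Everything rendered here is caller-controlled text; renderAPIValue()
    // wraps it with phutil_tag(), which is relied on to escape it. Do not
    // concatenate these values into raw markup.
    $param_rows = array();
    $param_rows[] = array('Method', $this->renderAPIValue($method));
    if ($request) {
      foreach ($request->getAllParameters() as $key => $value) {
        $param_rows[] = array(
          $key,
          $this->renderAPIValue($value),
        );
      }
    }

    $param_table = new AphrontTableView($param_rows);
    $param_table->setColumnClasses($column_classes);

    // A null $result (the parameter default) used to reach foreach() with a
    // non-array and raise a warning; render an empty table instead.
    $result_rows = array();
    if (is_array($result)) {
      foreach ($result as $key => $value) {
        $result_rows[] = array(
          $key,
          $this->renderAPIValue($value),
        );
      }
    }

    $result_table = new AphrontTableView($result_rows);
    $result_table->setColumnClasses($column_classes);

    $param_panel = id(new PHUIObjectBoxView())
      ->setHeaderText(pht('Method Parameters'))
      ->setBackground(PHUIObjectBoxView::BLUE_PROPERTY)
      ->setTable($param_table);

    $result_panel = id(new PHUIObjectBoxView())
      ->setHeaderText(pht('Method Result'))
      ->setBackground(PHUIObjectBoxView::BLUE_PROPERTY)
      ->setTable($result_table);

    // NOTE(review): $method comes from the request URI; it is assumed that
    // routing already constrains it to a method-name shape before it is
    // spliced into this application URI.
    $method_uri = $this->getApplicationURI('method/'.$method.'/');

    $crumbs = $this->buildApplicationCrumbs()
      ->addTextCrumb($method, $method_uri)
      ->addTextCrumb(pht('Call'))
      ->setBorder(true);

    $example_panel = null;
    if ($request && $method_implementation) {
      $example_panel = $this->renderExampleBox(
        $method_implementation,
        $request->getAllParameters());
    }

    $title = pht('Method Call Result');
    $header = id(new PHUIHeaderView())
      ->setHeader($title)
      ->setHeaderIcon('fa-exchange');

    $view = id(new PHUITwoColumnView())
      ->setHeader($header)
      ->setFooter(array(
        $param_panel,
        $result_panel,
        $example_panel,
      ));

    return $this->newPage()
      ->setTitle($title)
      ->setCrumbs($crumbs)
      ->appendChild($view);
  }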

  /**
   * Render one parameter or result value for the human-readable page.
   *
   * Arrays are pretty-printed as JSON; everything else is shown as-is. The
   * value is emitted as the text child of a <pre> built with phutil_tag(),
   * which is relied on to escape caller-controlled content.
   *
   * @param mixed $value Parameter or result value.
   * @return mixed Tag object wrapping the rendered value.
   */
  private function renderAPIValue($value) {
    $text = $value;
    if (is_array($text)) {
      $text = id(new PhutilJSON())->encodeFormatted($text);
    }

    return phutil_tag(
      'pre',
      array('style' => 'white-space: pre-wrap;'),
      $text);
  }

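  /**
   * Decode the call parameters and Conduit metadata from the HTTP request.
   *
   * Three encodings are accepted, tried in this order:
   *
   *   - "params[name]=<json>" (the API console): each value is individually
   *     JSON-decoded.
   *   - "params=<json>": one JSON object holding every parameter.
   *   - otherwise, every passthrough request field is used as-is, with
   *     metadata keys routed via ConduitAPIMethod::getParameterMetadataKey().
   *
   * In the two JSON forms the reserved "__conduit__" key carries the
   * metadata (tokens, signatures, ...) and is stripped from the parameters.
   * The metadata is checked to be a dictionary here because the caller
   * (authenticateUser()) declares an `array` parameter; a scalar there
   * would otherwise become a TypeError / recoverable fatal that the
   * `catch (Exception)` in handleRequest() does not handle.
   *
   * @param AphrontRequest $request Incoming HTTP request.
   * @param string $method Method name, used only in error messages.
   * @return pair<dict, dict> The metadata dictionary and the parameter
   *   dictionary, in that order.
   * @throws Exception When a console value is not a JSON-encoded string,
   *   when the "params" blob can not be decoded into a dictionary, or when
   *   "__conduit__" is present but is not a dictionary.
   */
  private function decodeConduitParams(
    AphrontRequest $request,
    $method) {

    // Look for parameters from the Conduit API Console, which are encoded
    // as HTTP POST parameters in an array, e.g.:
    //
    //   params[name]=value&params[name2]=value2
    //
    // The fields are individually JSON encoded, since we require users to
    // enter JSON so that we avoid type ambiguity.

    $params = $request->getArr('params', null);
    if ($params !== null) {
      foreach ($params as $key => $value) {
        if (!is_string($value)) {
          // Nested arrays ("params[a][b]=c") can not be JSON-decoded; reject
          // them explicitly rather than handing an array to json_decode().
          throw new Exception(
            pht(
              "The value for parameter '%s' must be a JSON-encoded string.",
              $key));
        }
        if ($value === '') {
          // Interpret empty string null (e.g., the user didn't type anything
          // into the box).
          $value = 'null';
        }
        $decoded_value = json_decode($value, true);
        if ($decoded_value === null && strtolower($value) != 'null') {
          // When json_decode() fails, it returns null. This almost certainly
          // indicates that a user was using the web UI and didn't put quotes
          // around a string value. We can either do what we think they meant
          // (treat it as a string) or fail. For now, err on the side of
          // caution and fail. In the future, if we make the Conduit API
          // actually do type checking, it might be reasonable to treat it as
          // a string if the parameter type is string.
          throw new Exception(
            pht(
              "The value for parameter '%s' is not valid JSON. All ".
              "parameters must be encoded as JSON values, including strings ".
              "(which means you need to surround them in double quotes). ".
              "Check your syntax. Value was: %s.",
              $key,
              $value));
        }
        $params[$key] = $decoded_value;
      }

      $metadata = idx($params, '__conduit__', array());
      if (!is_array($metadata)) {
        throw new Exception(
          pht(
            'Parameter "%s" must be a dictionary of request metadata.',
            '__conduit__'));
      }
      unset($params['__conduit__']);

      return array($metadata, $params);
    }

    // Otherwise, look for a single parameter called 'params' which has the
    // entire param dictionary JSON encoded.
    $params_json = $request->getStr('params');
    if (strlen($params_json)) {
      $params = null;
      try {
        $params = phutil_json_decode($params_json);
      } catch (PhutilJSONParserException $ex) {
        throw new PhutilProxyException(
          pht(
            "Invalid parameter information was passed to method '%s'.",
            $method),
          $ex);
      }

      // A valid JSON document that is not an object/array (e.g. "5") is not
      // a usable parameter dictionary either.
      if (!is_array($params)) {
        throw new Exception(
          pht(
            "Invalid parameter information was passed to method '%s'.",
            $method));
      }

      $metadata = idx($params, '__conduit__', array());
      if (!is_array($metadata)) {
        throw new Exception(
          pht(
            'Parameter "%s" must be a dictionary of request metadata.',
            '__conduit__'));
      }
      unset($params['__conduit__']);

      return array($metadata, $params);
    }

    // If we do not have `params`, assume this is a simple HTTP request with
    // HTTP key-value pairs. Values arrive as plain strings (or arrays for
    // "a[b]=c" style fields) and are passed through undecoded.
    $params = array();
    $metadata = array();
    foreach ($request->getPassthroughRequestData() as $key => $value) {
      $meta_key = ConduitAPIMethod::getParameterMetadataKey($key);
      if ($meta_key !== null) {
        $metadata[$meta_key] = $value;
      } else {
        $params[$key] = $value;
      }
    }

    return array($metadata, $params);
  }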
  /**
   * Decide whether an OAuth authorization may call the named method.
   *
   * Unknown methods are denied. Methods whose required scope is
   * SCOPE_ALWAYS are always allowed and SCOPE_NEVER ones never; otherwise
   * the authorization must have been granted the method's required scope.
   *
   * @param PhabricatorOAuthClientAuthorization $authorization Grant attached
   *   to the access token.
   * @param string $method_name Conduit method being called.
   * @return bool True if the call is permitted.
   */
  private function authorizeOAuthMethodAccess(
    PhabricatorOAuthClientAuthorization $authorization,
    $method_name) {

    $implementation = ConduitAPIMethod::getConduitMethod($method_name);
    if (!$implementation) {
      // Unknown method: deny rather than guess.
      return false;
    }

    $scope = $implementation->getRequiredScope();
    if ($scope == ConduitAPIMethod::SCOPE_ALWAYS) {
      return true;
    }
    if ($scope == ConduitAPIMethod::SCOPE_NEVER) {
      return false;
    }

    $granted = $authorization->getScope();
    return !empty($granted[$scope]);
  }


}