src/Controller/ApiController.php line 50

Open in your IDE?
  1. <?php
  2. // src/Controller/ApiController.php
  4. namespace App\Controller;
  6. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  7. use Symfony\Component\HttpFoundation\JsonResponse;
  8. use Symfony\Component\HttpFoundation\Request;
  9. use Symfony\Component\Routing\Annotation\Route;
  10. use Symfony\Component\Validator\Validator\ValidatorInterface;
  11. use Symfony\Component\Validator\Constraints as Assert;
  12. use Psr\Log\LoggerInterface;
  13. use Doctrine\ORM\EntityManagerInterface;
  15. /**
  16. * API Controller for DS-C4RGO device registration and activation.
  17. *
  18. * Endpoints:
  19. * POST /api/v1/reg - Device activation (new Rust client: client_code/email/license)
  20. * POST /api/v1/reg/reset - Remove machine key (reset for re-registration)
  21. * GET /api/v1/ping - Connectivity check
  22. * POST /api/v1/reg/legacy - Legacy C++ activation (hkey only) - deprecated
  23. *
  24. * @Route("/api/v1", name="api_")
  25. */
  26. class ApiController extends AbstractController
  27. {
  28. /** Max registration attempts per IP within the rate limit window. */
  29. private const RATE_LIMIT_MAX_ATTEMPTS = 10;
  31. /** Rate limit window in seconds. */
  32. private const RATE_LIMIT_WINDOW_SECS = 300;
  34. private LoggerInterface $logger;
  35. private EntityManagerInterface $em;
  37. public function __construct(LoggerInterface $logger, EntityManagerInterface $em)
  38. {
  39. $this->logger = $logger;
  40. $this->em = $em;
  41. }
  43. // ─── Ping ────────────────────────────────────────────────────────
  45. /**
  46. * Connectivity check used by c4rgo-reg-ui before starting registration.
  47. *
  48. * @Route("/ping", name="ping", methods={"GET"})
  49. */
  50. public function ping(Request $request): JsonResponse
  51. {
  52. $serviceUp = $this->checkServiceStatus();
  54. $this->logger->info('Ping', [
  55. 'ip' => $request->getClientIp(),
  56. 'status' => $serviceUp ? 'ok' : 'degraded',
  57. ]);
  59. return new JsonResponse([
  60. 'status' => $serviceUp ? 'ok' : 'degraded',
  61. 'message' => 'DS-C4RGO API is running',
  62. 'timestamp' => time(),
  63. 'service_available' => $serviceUp,
  64. 'version' => '1.0.0',
  65. ]);
  66. }
  68. // ─── Registration (new Rust client) ──────────────────────────────
  70. /**
  71. * Device activation endpoint.
  72. *
  73. * Called by c4rgo-activate init with:
  74. * { "client_code", "email", "license", "cpu_serial", "mac_address" }
  75. *
  76. * Returns the passepartout key on success.
  77. *
  78. * @Route("/reg", name="register", methods={"POST"})
  79. */
  80. public function register(Request $request, ValidatorInterface $validator): JsonResponse
  81. {
  82. $data = $this->parseJsonBody($request);
  83. if ($data instanceof JsonResponse) {
  84. return $data;
  85. }
  87. // --- Input validation ---
  88. $constraints = new Assert\Collection([
  89. 'fields' => [
  90. 'client_code' => [
  91. new Assert\NotBlank(),
  92. new Assert\Type('string'),
  93. new Assert\Length(['max' => 64]),
  94. ],
  95. 'email' => [
  96. new Assert\NotBlank(),
  97. new Assert\Email(),
  98. new Assert\Length(['max' => 255]),
  99. ],
  100. 'license' => [
  101. new Assert\NotBlank(),
  102. new Assert\Type('string'),
  103. new Assert\Length(['max' => 255]),
  104. ],
  105. 'cpu_serial' => [
  106. new Assert\NotBlank(),
  107. new Assert\Regex([
  108. 'pattern' => '/^[0-9a-fA-F]{8,32}$/',
  109. 'message' => 'cpu_serial must be a hex string (8-32 chars)',
  110. ]),
  111. ],
  112. 'mac_address' => [
  113. new Assert\NotBlank(),
  114. new Assert\Regex([
  115. 'pattern' => '/^[0-9a-fA-F]{12}$/',
  116. 'message' => 'mac_address must be 12 hex chars without separators',
  117. ]),
  118. ],
  119. ],
  120. 'allowExtraFields' => false,
  121. ]);
  123. $validationError = $this->validateData($data, $constraints, $validator);
  124. if ($validationError !== null) {
  125. return $validationError;
  126. }
  128. // --- Rate limiting ---
  129. // NOTE: Current implementation uses audit_log table for rate limiting.
  130. // For better performance at scale, consider migrating to Symfony RateLimiter
  131. // component with a Redis backend.
  132. $rateLimitResponse = $this->checkRateLimit($request, 'reg');
  133. if ($rateLimitResponse !== null) {
  134. return $rateLimitResponse;
  135. }
  137. // --- Business logic ---
  138. try {
  139. // 1. Find machine by client_code + license
  140. $machine = $this->findMachine($data['client_code'], $data['license']);
  141. if ($machine === null) {
  142. $this->logAudit('register', $data, $request, 'INVALID_KEY');
  143. return $this->errorResponse('INVALID_KEY',
  144. 'License not found or does not match client code', 403);
  145. }
  147. // 2. Verify email
  148. if (!$this->emailMatches($machine, $data['email'])) {
  149. $this->logAudit('register', $data, $request, 'INVALID_EMAIL');
  150. return $this->errorResponse('INVALID_EMAIL',
  151. 'Email does not match license registration', 403);
  152. }
  154. // 3. Verify hardware identity (cpu_serial + mac_address)
  155. $hwCheck = $this->verifyHardware($machine, $data['cpu_serial'], $data['mac_address']);
  156. if ($hwCheck !== null) {
  157. $this->logAudit('register', $data, $request, $hwCheck);
  158. return $this->errorResponse($hwCheck,
  159. 'Device hardware does not match registered machine', 403);
  160. }
  162. // 4. Retrieve passepartout (skey)
  163. $passepartout = $machine->getSkey();
  164. if (empty($passepartout)) {
  165. $this->logger->error('Passepartout (skey) is empty for machine', [
  166. 'machine_id' => $machine->getId(),
  167. ]);
  168. return $this->errorResponse('SERVER_ERROR',
  169. 'Passepartout not available for this machine', 500);
  170. }
  172. // 5. Mark license as used and record activation
  173. $this->recordActivation($machine, $data, $request);
  175. // 6. Audit log
  176. $this->logAudit('register', $data, $request, 'OK');
  178. return new JsonResponse([
  179. 'success' => true,
  180. 'key' => $passepartout,
  181. ]);
  183. } catch (\Exception $e) {
  184. $this->logger->error('Registration failed unexpectedly', [
  185. 'error' => $e->getMessage(),
  186. 'client_code' => $data['client_code'] ?? '?',
  187. ]);
  189. return $this->errorResponse('SERVER_ERROR',
  190. 'Registration failed due to internal error', 500);
  191. }
  192. }
  194. // ─── Reset ───────────────────────────────────────────────────────
  196. /**
  197. * Reset endpoint: returns the passepartout so c4rgo-activate can remove
  198. * the machine key (slot 2) and allow re-initialization.
  199. *
  200. * Called by c4rgo-activate reset with:
  201. * { "cpu_serial", "mac_address", "operation": "reset" }
  202. *
  203. * @Route("/reg/reset", name="register_reset", methods={"POST"})
  204. */
  205. public function reset(Request $request, ValidatorInterface $validator): JsonResponse
  206. {
  207. $data = $this->parseJsonBody($request);
  208. if ($data instanceof JsonResponse) {
  209. return $data;
  210. }
  212. $constraints = new Assert\Collection([
  213. 'fields' => [
  214. 'cpu_serial' => [
  215. new Assert\NotBlank(),
  216. new Assert\Regex(['pattern' => '/^[0-9a-fA-F]{8,32}$/']),
  217. ],
  218. 'mac_address' => [
  219. new Assert\NotBlank(),
  220. new Assert\Regex(['pattern' => '/^[0-9a-fA-F]{12}$/']),
  221. ],
  222. 'operation' => [
  223. new Assert\NotBlank(),
  224. new Assert\EqualTo(['value' => 'reset']),
  225. ],
  226. ],
  227. 'allowExtraFields' => false,
  228. ]);
  230. $validationError = $this->validateData($data, $constraints, $validator);
  231. if ($validationError !== null) {
  232. return $validationError;
  233. }
  235. $rateLimitResponse = $this->checkRateLimit($request, 'reset');
  236. if ($rateLimitResponse !== null) {
  237. return $rateLimitResponse;
  238. }
  240. try {
  241. // Find machine by hardware parameters
  242. $machine = $this->findMachineByHardware(
  243. $data['cpu_serial'],
  244. $data['mac_address']
  245. );
  247. if ($machine === null) {
  248. $this->logAudit('reset', $data, $request, 'DEVICE_NOT_FOUND');
  249. return $this->errorResponse('DEVICE_NOT_FOUND',
  250. 'No registered machine matches the provided hardware parameters', 403);
  251. }
  253. $passepartout = $machine->getSkey();
  254. if (empty($passepartout)) {
  255. return $this->errorResponse('SERVER_ERROR',
  256. 'Passepartout not available for this machine', 500);
  257. }
  259. $this->logAudit('reset', $data, $request, 'OK');
  261. return new JsonResponse([
  262. 'success' => true,
  263. 'key' => $passepartout,
  264. ]);
  266. } catch (\Exception $e) {
  267. $this->logger->error('Reset failed unexpectedly', [
  268. 'error' => $e->getMessage(),
  269. ]);
  271. return $this->errorResponse('SERVER_ERROR',
  272. 'Reset failed due to internal error', 500);
  273. }
  274. }
  276. // ─── Legacy endpoint (C++ compatibility) ─────────────────────────
  278. /**
  279. * Legacy registration used by the old C++ c4rgoinit.
  280. * Accepts { "hkey": "..." } and returns { "success": true, "key": "<passepartout>" }.
  281. *
  282. * @deprecated Use /reg with full credentials instead.
  283. * @Route("/reg/legacy", name="register_legacy", methods={"POST"})
  284. */
  285. public function registerLegacy(Request $request, ValidatorInterface $validator): JsonResponse
  286. {
  287. $data = $this->parseJsonBody($request);
  288. if ($data instanceof JsonResponse) {
  289. return $data;
  290. }
  292. $constraints = new Assert\Collection([
  293. 'fields' => [
  294. 'hkey' => [new Assert\NotBlank()],
  295. ],
  296. 'allowExtraFields' => false,
  297. ]);
  299. $validationError = $this->validateData($data, $constraints, $validator);
  300. if ($validationError !== null) {
  301. return $validationError;
  302. }
  304. try {
  305. $machine = $this->em->getRepository('App:Macchine')->findOneBy([
  306. 'HKey' => $data['hkey'],
  307. ]);
  309. if (!$machine) {
  310. return $this->errorResponse('DEVICE_NOT_FOUND',
  311. 'No machine matches the provided hardware key', 403);
  312. }
  314. $passepartout = $machine->getSkey();
  315. if (empty($passepartout)) {
  316. return $this->errorResponse('SERVER_ERROR',
  317. 'Passepartout not available', 500);
  318. }
  320. $this->logAudit('register_legacy', ['hkey' => '***'], $request, 'OK');
  322. return new JsonResponse([
  323. 'success' => true,
  324. 'key' => $passepartout,
  325. ]);
  327. } catch (\Exception $e) {
  328. $this->logger->error('Legacy registration failed', [
  329. 'error' => $e->getMessage(),
  330. ]);
  332. return $this->errorResponse('SERVER_ERROR',
  333. 'Registration failed due to internal error', 500);
  334. }
  335. }
  337. // ─── Private helpers ─────────────────────────────────────────────
  339. /**
  340. * Parse and validate JSON body from the request.
  341. *
  342. * @return array|JsonResponse Parsed data or error response.
  343. */
  344. private function parseJsonBody(Request $request)
  345. {
  346. $content = $request->getContent();
  347. if (empty($content)) {
  348. return $this->errorResponse('INVALID_JSON', 'Request body is empty', 400);
  349. }
  351. $data = json_decode($content, true);
  352. if (!is_array($data)) {
  353. return $this->errorResponse('INVALID_JSON', 'Invalid JSON data', 400);
  354. }
  356. return $data;
  357. }
  359. /**
  360. * Validate request data against constraints.
  361. *
  362. * @return JsonResponse|null Error response or null if valid.
  363. */
  364. private function validateData(array $data, Assert\Collection $constraints, ValidatorInterface $validator): ?JsonResponse
  365. {
  366. $violations = $validator->validate($data, $constraints);
  368. if (count($violations) === 0) {
  369. return null;
  370. }
  372. $errors = [];
  373. foreach ($violations as $violation) {
  374. $errors[] = $violation->getPropertyPath() . ': ' . $violation->getMessage();
  375. }
  377. return new JsonResponse([
  378. 'success' => false,
  379. 'error' => 'VALIDATION_ERROR',
  380. 'message' => 'Validation failed: ' . implode('; ', $errors),
  381. ], 400);
  382. }
  384. /**
  385. * Build a standardized error JSON response (PRD-compliant).
  386. */
  387. private function errorResponse(string $errorCode, string $message, int $httpStatus = 403): JsonResponse
  388. {
  389. return new JsonResponse([
  390. 'success' => false,
  391. 'error' => $errorCode,
  392. 'message' => $message,
  393. ], $httpStatus);
  394. }
  396. /**
  397. * Find machine by client code and license (registration key).
  398. */
  399. private function findMachine(string $clientCode, string $license): ?object
  400. {
  401. return $this->em->getRepository('App:Macchine')->findOneBy([
  402. 'CodCliente' => $clientCode,
  403. 'Chiave' => $license,
  404. ]);
  405. }
  407. /**
  408. * Find machine by hardware parameters (for reset).
  409. */
  410. private function findMachineByHardware(string $cpuSerial, string $macAddress): ?object
  411. {
  412. return $this->em->getRepository('App:Macchine')->findOneBy([
  413. 'CpuSerial' => strtolower($cpuSerial),
  414. 'MacAddress' => strtolower($macAddress),
  415. ]);
  416. }
  418. /**
  419. * Verify that the provided email matches the machine record.
  420. * Case-insensitive comparison.
  421. */
  422. private function emailMatches(object $machine, string $email): bool
  423. {
  424. $registered = $machine->getEmail();
  425. if (empty($registered)) {
  426. return false;
  427. }
  429. return mb_strtolower($registered) === mb_strtolower($email);
  430. }
  432. /**
  433. * Verify hardware identity of the device against the machine record.
  434. *
  435. * If the machine has no HW data stored yet (first activation), we accept
  436. * any hardware and store it. On subsequent activations, we verify the match.
  437. *
  438. * @return string|null Error code on mismatch, null on success.
  439. */
  440. private function verifyHardware(object $machine, string $cpuSerial, string $macAddress): ?string
  441. {
  442. $storedSerial = $machine->getCpuSerial();
  443. $storedMac = $machine->getMacAddress();
  445. // First activation: no HW data stored yet — accept and store
  446. if (empty($storedSerial) && empty($storedMac)) {
  447. $machine->setCpuSerial(strtolower($cpuSerial));
  448. $machine->setMacAddress(strtolower($macAddress));
  449. $this->em->flush();
  451. $this->logger->info('Hardware parameters stored for first activation', [
  452. 'machine_id' => $machine->getId(),
  453. 'cpu_serial' => strtolower($cpuSerial),
  454. 'mac_address' => strtolower($macAddress),
  455. ]);
  457. return null;
  458. }
  460. // Subsequent activation: verify match
  461. if (strtolower($storedSerial) !== strtolower($cpuSerial)
  462. || strtolower($storedMac) !== strtolower($macAddress)
  463. ) {
  464. $this->logger->warning('Hardware mismatch during activation', [
  465. 'machine_id' => $machine->getId(),
  466. 'expected_serial' => $storedSerial,
  467. 'got_serial' => strtolower($cpuSerial),
  468. 'expected_mac' => $storedMac,
  469. 'got_mac' => strtolower($macAddress),
  470. ]);
  472. return 'DEVICE_MISMATCH';
  473. }
  475. return null;
  476. }
  478. /**
  479. * Record a successful activation (update machine state).
  480. */
  481. private function recordActivation(object $machine, array $data, Request $request): void
  482. {
  483. if (method_exists($machine, 'setLastActivation')) {
  484. $machine->setLastActivation(new \DateTime());
  485. }
  486. if (method_exists($machine, 'setLastActivationIp')) {
  487. $machine->setLastActivationIp($request->getClientIp());
  488. }
  490. $this->em->flush();
  491. }
  493. /**
  494. * Simple IP-based rate limiting using audit_log table.
  495. *
  496. * NOTE: For better performance at scale, consider migrating to
  497. * Symfony RateLimiter component with a Redis backend.
  498. *
  499. * @return JsonResponse|null Error response if rate limited, null otherwise.
  500. */
  501. private function checkRateLimit(Request $request, string $operation): ?JsonResponse
  502. {
  503. $ip = $request->getClientIp();
  504. $windowStart = time() - self::RATE_LIMIT_WINDOW_SECS;
  506. try {
  507. $conn = $this->em->getConnection();
  508. $count = (int) $conn->fetchOne(
  509. 'SELECT COUNT(*) FROM audit_log WHERE ip_address = ? AND operation = ? AND created_at > ?',
  510. [$ip, $operation, date('Y-m-d H:i:s', $windowStart)]
  511. );
  513. if ($count >= self::RATE_LIMIT_MAX_ATTEMPTS) {
  514. $this->logger->warning('Rate limit exceeded', [
  515. 'ip' => $ip,
  516. 'operation' => $operation,
  517. 'count' => $count,
  518. ]);
  520. return $this->errorResponse('RATE_LIMITED',
  521. 'Too many attempts, please try again later', 429);
  522. }
  523. } catch (\Exception $e) {
  524. // If audit_log table doesn't exist yet, skip rate limiting
  525. $this->logger->debug('Rate limit check skipped (table may not exist)', [
  526. 'error' => $e->getMessage(),
  527. ]);
  528. }
  530. return null;
  531. }
  533. /**
  534. * Write an audit trail entry for registration/reset operations.
  535. * Sensitive data (license, keys) is never stored in the audit log.
  536. */
  537. private function logAudit(string $operation, array $data, Request $request, string $result): void
  538. {
  539. $this->logger->info('Audit: ' . $operation, [
  540. 'result' => $result,
  541. 'ip' => $request->getClientIp(),
  542. 'client_code' => $data['client_code'] ?? null,
  543. 'cpu_serial' => $data['cpu_serial'] ?? null,
  544. 'mac_address' => $data['mac_address'] ?? null,
  545. ]);
  547. try {
  548. $conn = $this->em->getConnection();
  549. $conn->executeStatement(
  550. 'INSERT INTO audit_log (operation, result, ip_address, client_code, cpu_serial, mac_address, created_at)
  551. VALUES (?, ?, ?, ?, ?, ?, NOW())',
  552. [
  553. $operation,
  554. $result,
  555. $request->getClientIp(),
  556. $data['client_code'] ?? null,
  557. $data['cpu_serial'] ?? null,
  558. $data['mac_address'] ?? null,
  559. ]
  560. );
  561. } catch (\Exception $e) {
  562. // Audit failure must not break the operation
  563. $this->logger->warning('Audit log write failed', ['error' => $e->getMessage()]);
  564. }
  565. }
  567. /**
  568. * Check if the database connection is alive.
  569. */
  570. private function checkServiceStatus(): bool
  571. {
  572. try {
  573. $this->em->getConnection()->executeQuery('SELECT 1');
  574. return true;
  575. } catch (\Exception $e) {
  576. $this->logger->error('Service check failed', ['error' => $e->getMessage()]);
  577. return false;
  578. }
  579. }
  580. }