From 3875e0fb8b2b31d82809bd20880f1d206db4cb2c Mon Sep 17 00:00:00 2001 From: Robert Kaiser Date: Thu, 15 Dec 2016 23:06:10 +0100 Subject: [PATCH] move settings sanitation to utils, move whitelist for client registration to settings --- app/api.php | 2 +- app/authsystem.inc.php | 13 ------------- app/authutils.php-class | 23 ++++++++++++++++++++++- app/index.php | 2 +- etc/kairo/auth_settings.json | 1 + 5 files changed, 25 insertions(+), 16 deletions(-) diff --git a/app/api.php b/app/api.php index 4cdbe24..10d43ed 100644 --- a/app/api.php +++ b/app/api.php @@ -67,7 +67,7 @@ if (!count($errors)) { 'error_description' => 'The user the access token is connected to was not recognized.'))); } else { - if (in_array($user['email'], $utils->client_reg_email_whitelist)) { + if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) { if (strlen(@$_GET['client_id']) >= 5) { $result = $db->prepare('SELECT `client_id`,`user_id` FROM `oauth_clients` WHERE `client_id` = :clientid;'); $result->execute(array(':clientid' => $_GET['client_id'])); diff --git a/app/authsystem.inc.php b/app/authsystem.inc.php index 0cf7db2..7f3b783 100644 --- a/app/authsystem.inc.php +++ b/app/authsystem.inc.php @@ -3,13 +3,6 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* - Some resources for how to store passwords: - - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/ - - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines - oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook -*/ - // error reporting (for testing) ini_set('display_errors', 1); error_reporting(E_ALL); @@ -35,12 +28,6 @@ catch (Exception $e) { $utils->setUpL10n(); -// Sanitize settings. -$settings['piwik_enabled'] = (@$settings['piwik_enabled']) ? true : false; -$settings['piwik_site_id'] = intval(@$settings['piwik_site_id']); -$settings['piwik_url'] = strlen(@$settings['piwik_url']) ? $settings['piwik_url'] : '/piwik/'; -$settings['piwik_tracker_path'] = strlen(@$settings['piwik_tracker_path']) ? $settings['piwik_tracker_path'] : '../vendor/piwik/piwik-php-tracker/'; - // Set up our OAuth2 Server object $server = $utils->getOAuthServer(); ?> diff --git a/app/authutils.php-class b/app/authutils.php-class index f809365..4690bf2 100755 --- a/app/authutils.php-class +++ b/app/authutils.php-class @@ -117,6 +117,14 @@ class AuthUtils { // *** constructor *** $this->settings = json_decode(@file_get_contents('/etc/kairo/auth_settings.json'), true); if (!is_array($this->settings)) { throw new ErrorException('Authentication system settings not found', 0); } + + // Sanitize settings. + $this->settings['piwik_enabled'] = (@$this->settings['piwik_enabled']) ? true : false; + $this->settings['piwik_site_id'] = intval(@$this->settings['piwik_site_id']); + $this->settings['piwik_url'] = strlen(@$this->settings['piwik_url']) ? $this->settings['piwik_url'] : '/piwik/'; + $this->settings['piwik_tracker_path'] = strlen(@$this->settings['piwik_tracker_path']) ? $this->settings['piwik_tracker_path'] : '../vendor/piwik/piwik-php-tracker/'; + + // Initialize database. $config = new \Doctrine\DBAL\Configuration(); $connectionParams = array( 'dbname' => $this->settings['db_name'], @@ -127,6 +135,7 @@ class AuthUtils { ); $this->db = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config); $this->db->executeQuery('SET time_zone = "+00:00";'); // Make sure the DB runs on UTC for this connection. + // Update DB schema if needed (if the utils PHP file has been changed since we last checked the DB, we trigger the update functionality). try { $last_log = $this->db->fetchColumn('SELECT time_logged FROM fs_log WHERE code = \'db_checked\' ORDER BY id DESC LIMIT 1', array(1), 0); $utils_mtime = filemtime(__FILE__); @@ -137,6 +146,8 @@ class AuthUtils { if (!$last_log || strtotime($last_log) < $utils_mtime) { $this->updateDBSchema(); } + + // Set local variables. // For debugging, potentially add |robert\.box\.kairo\.at to that regex temporarily. $this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']); if (array_key_exists('pwd_cost', $this->settings)) { @@ -145,12 +156,16 @@ class AuthUtils { if (array_key_exists('pwd_nonces', $this->settings)) { $this->pwd_nonces = $this->settings['pwd_nonces']; } + if (array_key_exists('client_reg_email_whitelist', $this->settings) && is_array($this->settings['client_reg_email_whitelist'])) { + // If the config lists any emails, set whitelist to them, otherwise there is no whitelist and any user can add OAuth2 clients. + $this->client_reg_email_whitelist = $this->settings['client_reg_email_whitelist']; + } } public $settings = null; public $db = null; public $running_on_localhost = false; - public $client_reg_email_whitelist = array('kairo@kairo.at', 'com@kairo.at'); + public $client_reg_email_whitelist = false; private $pwd_cost = 10; private $pwd_nonces = array(); @@ -365,6 +380,12 @@ class AuthUtils { return false; } + /* + Some resources for how to store passwords: + - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/ + - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines + oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook + */ function pwdHash($new_password) { $hash_prefix = ''; if (count($this->pwd_nonces)) { diff --git a/app/index.php b/app/index.php index 8ce0012..ba0d024 100644 --- a/app/index.php +++ b/app/index.php @@ -462,7 +462,7 @@ if (!count($errors)) { $link = $litem->appendLink('./?logout', _('Log out')); $litem = $ulist->appendElement('li'); $link = $litem->appendLink('./?addemail', _('Add another email address')); - if (in_array($user['email'], $utils->client_reg_email_whitelist)) { + if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) { $litem = $ulist->appendElement('li'); $link = $litem->appendLink('./?clients', _('Manage OAuth2 clients')); } diff --git a/etc/kairo/auth_settings.json b/etc/kairo/auth_settings.json index 6294f26..fa4b58b 100644 --- a/etc/kairo/auth_settings.json +++ b/etc/kairo/auth_settings.json @@ -7,6 +7,7 @@ "pwd_nonces": [ "" ], +"client_reg_email_whitelist": ["you@example.com"], "piwik_enabled": false, "piwik_url": "/piwik/", "piwik_site_id": 1, -- 2.43.0