X-Git-Url: https://git-public.kairo.at/?p=authserver.git;a=blobdiff_plain;f=app%2Fauthutils.php-class;h=440a153140b3c92fb594492cfe5c5a4b5450e9d6;hp=db5dd891a27754f1bf906ed8f6464f031c575d41;hb=55648bcf1a3d50e77d2077de5d2c9f2ad0631bfd;hpb=7be13777491767920a76f854c8e8160fe04c4851
diff --git a/app/authutils.php-class b/app/authutils.php-class
index db5dd89..440a153 100755
--- a/app/authutils.php-class
+++ b/app/authutils.php-class
@@ -7,10 +7,11 @@ class AuthUtils {
// KaiRo.at authentication utilities PHP class
// This class contains helper functions for the authentication system.
//
- // function __construct($settings, $db)
+ // function __construct()
// CONSTRUCTOR
- // Settings are an associative array with a numeric pwd_cost field and an array pwd_nonces field.
- // The DB is a PDO object.
+ //
+ // public $settings
+ // An array of settings for the auth server website.
//
// public $db
// A PDO database object for interaction.
@@ -34,6 +35,9 @@ class AuthUtils {
// function checkForSecureConnection()
// Check is the connection is secure and return an array of error messages (empty if it's secure).
//
+ // function sendSecurityHeaders()
+ // Rend HTTP headers for improving security.
+ //
// function initSession()
// Initialize a session. Returns an associative array of all the DB fields of the session.
//
@@ -82,12 +86,18 @@ class AuthUtils {
// function pwdNeedsRehash($user)
// Return true if the pwdhash field of the user uses an outdated standard and needs to be rehashed.
//
+ // function setUpL10n()
+ // Set up the localization stack (gettext).
+ //
// function negotiateLocale($supportedLanguages)
// Return the language to use out of the given array of supported locales, via netotiation based on the HTTP Accept-Language header.
//
// function getGroupedEmails($group_id, [$exclude_email])
// Return all emails grouped in the specified group ID, optionally exclude a specific email (e.g. because you only want non-current entries)
//
+ // function getOAuthServer()
+ // Return an OAuth2 server object to use for all our actual OAuth2 interaction.
+ //
// function initHTMLDocument($titletext, [$headlinetext]) {
// initialize the HTML document for the auth system, with some elements we always use, esp. all the scripts and stylesheet.
// Sets the title of the document to the given title, the main headline will be the same as the title if not set explicitly.
@@ -96,24 +106,70 @@ class AuthUtils {
// function appendLoginForm($dom_element, $session, $user, [$addfields])
// Append a login form for the given session to the given DOM element, possibly prefilling the email from the given user info array.
// The optional $addfields parameter is an array of name=>value pairs of hidden fields to add to the form.
+ //
+ // function updateDBSchema()
+ // update DB Schema to current requirements as specified by getDBSchema().
+ //
+ // function getDBSchema()
+ // Return a DB schema with all tables, fields, etc. that the app requires.
- function __construct($settings, $db) {
+ function __construct() {
// *** constructor ***
- $this->db = $db;
- $this->db->exec("SET time_zone='+00:00';"); // Execute directly on PDO object, set session to UTC to make our gmdate() values match correctly.
+ $this->settings = json_decode(@file_get_contents('/etc/kairo/auth_settings.json'), true);
+ if (!is_array($this->settings)) { throw new ErrorException('Authentication system settings not found', 0); }
+
+ // Sanitize settings.
+ $this->settings['piwik_enabled'] = (@$this->settings['piwik_enabled']) ? true : false;
+ $this->settings['piwik_site_id'] = intval(@$this->settings['piwik_site_id']);
+ $this->settings['piwik_url'] = strlen(@$this->settings['piwik_url']) ? $this->settings['piwik_url'] : '/piwik/';
+ $this->settings['piwik_tracker_path'] = strlen(@$this->settings['piwik_tracker_path']) ? $this->settings['piwik_tracker_path'] : '../vendor/piwik/piwik-php-tracker/';
+ $this->settings['skin'] = (@$this->settings['skin'] && is_dir('skin/'.$this->settings['skin'])) ? $this->settings['skin'] : 'default';
+ $this->settings['operator_name'] = (@$this->settings['operator_name']) ? $this->settings['operator_name'] : 'Example';
+ $this->settings['operator_contact_url'] = (@$this->settings['operator_contact_url']) ? $this->settings['operator_contact_url'] : 'https://github.com/KaiRo_at/authserver/';
+ $this->settings['info_from_email'] = (@$this->settings['info_from_email']) ? $this->settings['info_from_email'] : 'noreply@example.com';
+
+ // Initialize database.
+ $config = new \Doctrine\DBAL\Configuration();
+ $connectionParams = array(
+ 'dbname' => $this->settings['db_name'],
+ 'user' => $this->settings['db_username'],
+ 'password' => $this->settings['db_password'],
+ 'host' => $this->settings['db_host'],
+ 'driver' => 'pdo_mysql',
+ );
+ $this->db = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config);
+ $this->db->executeQuery('SET time_zone = "+00:00";'); // Make sure the DB runs on UTC for this connection.
+ // Update DB schema if needed (if the utils PHP file has been changed since we last checked the DB, we trigger the update functionality).
+ try {
+ $last_log = $this->db->fetchColumn('SELECT time_logged FROM auth_log WHERE code = \'db_checked\' ORDER BY id DESC LIMIT 1', array(1), 0);
+ $utils_mtime = filemtime(__FILE__);
+ }
+ catch (Exception $e) {
+ $last_log = false;
+ }
+ if (!$last_log || strtotime($last_log) < $utils_mtime) {
+ $this->updateDBSchema();
+ }
+
+ // Set local variables.
// For debugging, potentially add |robert\.box\.kairo\.at to that regex temporarily.
$this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']);
- if (array_key_exists('pwd_cost', $settings)) {
- $this->pwd_cost = $settings['pwd_cost'];
+ if (array_key_exists('pwd_cost', $this->settings)) {
+ $this->pwd_cost = $this->settings['pwd_cost'];
}
- if (array_key_exists('pwd_nonces', $settings)) {
- $this->pwd_nonces = $settings['pwd_nonces'];
+ if (array_key_exists('pwd_nonces', $this->settings)) {
+ $this->pwd_nonces = $this->settings['pwd_nonces'];
+ }
+ if (array_key_exists('client_reg_email_whitelist', $this->settings) && is_array($this->settings['client_reg_email_whitelist'])) {
+ // If the config lists any emails, set whitelist to them, otherwise there is no whitelist and any user can add OAuth2 clients.
+ $this->client_reg_email_whitelist = $this->settings['client_reg_email_whitelist'];
}
}
+ public $settings = null;
public $db = null;
public $running_on_localhost = false;
- public $client_reg_email_whitelist = array('kairo@kairo.at', 'com@kairo.at');
+ public $client_reg_email_whitelist = false;
private $pwd_cost = 10;
private $pwd_nonces = array();
@@ -200,14 +256,16 @@ class AuthUtils {
}
else {
$utils->log('create_session_failure', 'at login, prev session: '.$session['id'].', new user: '.$userid);
- $errors[] = _('The session system is not working.').' '._('Please contact KaiRo.at and tell the team about this.');
+ $errors[] = _('The session system is not working.').' '
+ .sprintf(_('Please contact %s and tell the team about this.'), $this->settings['operator_contact_url'], $this->settings['operator_name']);
}
}
else {
$result = $this->db->prepare('UPDATE `auth_sessions` SET `sesskey` = :sesskey, `user` = :userid, `logged_in` = TRUE, `time_expire` = :expire WHERE `id` = :sessid;');
if (!$result->execute(array(':sesskey' => $sesskey, ':userid' => $userid, ':expire' => gmdate('Y-m-d H:i:s', strtotime('+1 day')), ':sessid' => $session['id']))) {
$utils->log('login_failure', 'session: '.$session['id'].', user: '.$userid);
- $errors[] = _('Login failed unexpectedly.').' '._('Please contact KaiRo.at and tell the team about this.');
+ $errors[] = _('Login failed unexpectedly.').' '
+ .sprintf(_('Please contact %s and tell the team about this.'), $this->settings['operator_contact_url'], $this->settings['operator_name']);
}
else {
// After update, actually fetch the session row from the DB so we have all values.
@@ -328,6 +386,12 @@ class AuthUtils {
return false;
}
+ /*
+ Some resources for how to store passwords:
+ - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
+ - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
+ oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook
+ */
function pwdHash($new_password) {
$hash_prefix = '';
if (count($this->pwd_nonces)) {
@@ -361,6 +425,22 @@ class AuthUtils {
}
}
+ function setUpL10n() {
+ // This is an array of locale tags in browser style mapping to unix system locale codes to use with gettext.
+ $supported_locales = array(
+ 'en-US' => 'en_US',
+ 'de' => 'de_DE',
+ );
+
+ $textdomain = 'kairo_auth';
+ $textlocale = $this->negotiateLocale(array_keys($supported_locales));
+ putenv('LC_ALL='.$supported_locales[$textlocale]);
+ $selectedlocale = setlocale(LC_ALL, $supported_locales[$textlocale]);
+ bindtextdomain($textdomain, '../locale');
+ bind_textdomain_codeset($textdomain, 'utf-8');
+ textdomain($textdomain);
+ }
+
function negotiateLocale($supportedLanguages) {
$nlocale = $supportedLanguages[0];
$headers = getAllHeaders();
@@ -397,6 +477,41 @@ class AuthUtils {
return $emails;
}
+ function getOAuthServer() {
+ // Simple server based on https://bshaffer.github.io/oauth2-server-php-docs/cookbook
+ $dbdata = array('dsn' => 'mysql:dbname='.$this->settings['db_name'].';host='.$this->settings['db_host'],
+ 'username' => $this->settings['db_username'],
+ 'password' => $this->settings['db_password']);
+ $oauth2_storage = new OAuth2\Storage\Pdo($dbdata);
+
+ // Set configuration
+ $oauth2_config = array(
+ 'require_exact_redirect_uri' => false,
+ 'always_issue_new_refresh_token' => true, // Needs to be handed below as well as there it's not constructed from within the server object.
+ 'refresh_token_lifetime' => 90*24*3600,
+ );
+
+ // Pass a storage object or array of storage objects to the OAuth2 server class
+ $server = new OAuth2\Server($oauth2_storage, $oauth2_config);
+
+ // Add the "Client Credentials" grant type (it is the simplest of the grant types)
+ //$server->addGrantType(new OAuth2\GrantType\ClientCredentials($storage));
+
+ // Add the "Authorization Code" grant type (this is where the oauth magic happens)
+ $server->addGrantType(new OAuth2\GrantType\AuthorizationCode($oauth2_storage));
+
+ // Add the "Refresh Token" grant type (required to get longer-living resource access by generating new access tokens)
+ $server->addGrantType(new OAuth2\GrantType\RefreshToken($oauth2_storage, array('always_issue_new_refresh_token' => true)));
+
+ // Add 'token' response type (mirroring what getDefaultResponseTypes is doing).
+ $server->addResponseType(new OAuth2\ResponseType\AccessToken($oauth2_storage, $oauth2_storage, $oauth2_config));
+
+ // Add 'code' response type (mirroring what getDefaultResponseTypes is doing).
+ $server->addResponseType(new OAuth2\ResponseType\AuthorizationCode($oauth2_storage));
+
+ return $server;
+ }
+
function initHTMLDocument($titletext, $headlinetext = null) {
global $settings;
if (is_null($headlinetext)) { $headlinetext = $titletext; }
@@ -407,12 +522,19 @@ class AuthUtils {
$style = $head->appendElement('link');
$style->setAttribute('rel', 'stylesheet');
$style->setAttribute('href', 'authsystem.css');
+ $style = $head->appendElement('link');
+ $style->setAttribute('rel', 'stylesheet');
+ $style->setAttribute('href', 'skin/'.$settings['skin'].'/authskin.css');
$head->appendJSFile('authsystem.js');
if ($settings['piwik_enabled']) {
$head->setAttribute('data-piwiksite', $settings['piwik_site_id']);
$head->setAttribute('data-piwikurl', $settings['piwik_url']);
$head->appendJSFile('piwik.js', true, true);
}
+ $icon = $head->appendElement('link');
+ $icon->setAttribute('rel', 'shortcut icon');
+ $icon->setAttribute('href', 'skin/'.$settings['skin'].'/icon32.png');
+ $icon->setAttribute('type', 'image/png');
$title->appendText($titletext);
$h1 = $body->appendElement('h1', $headlinetext);
@@ -475,5 +597,102 @@ class AuthUtils {
$submit = $litem->appendInputSubmit(_('Log in / Register'));
$submit->setAttribute('class', 'loginbutton');
}
+
+ function updateDBSchema() {
+ $newSchema = $this->getDBSchema();
+ $synchronizer = new \Doctrine\DBAL\Schema\Synchronizer\SingleDatabaseSynchronizer($this->db);
+ $up_sql = $synchronizer->getUpdateSchema($newSchema); // for logging only
+ $synchronizer->updateSchema($newSchema);
+ $this->log('db_checked', implode("\n", $up_sql));
+ }
+
+ function getDBSchema() {
+ $schema = new \Doctrine\DBAL\Schema\Schema();
+
+ $table = $schema->createTable('auth_sessions');
+ $table->addColumn('id', 'bigint', array('unsigned' => true, 'notnull' => true, 'autoincrement' => true));
+ $table->addColumn('sesskey', 'string', array('length' => 150, 'notnull' => true, 'default' => ''));
+ $table->addColumn('user', 'integer', array('unsigned' => true, 'notnull' => false, 'default' => null));
+ $table->addColumn('logged_in', 'boolean', array('notnull' => true, 'default' => false));
+ $table->addColumn('time_created', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
+ $table->addColumn('time_expire', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
+ $table->addColumn('saved_redirect', 'string', array('length' => 2000, 'notnull' => true, 'default' => ''));
+ $table->setPrimaryKey(array('id'), 'id');
+ $table->addIndex(array('sesskey'), 'sesskey');
+ $table->addIndex(array('time_expire'), 'time_expire');
+
+ $table = $schema->createTable('auth_users');
+ $table->addColumn('id', 'integer', array('unsigned' => true, 'notnull' => true, 'autoincrement' => true));
+ $table->addColumn('email', 'string', array('length' => 255, 'notnull' => true, 'default' => ''));
+ $table->addColumn('pwdhash', 'string', array('length' => 255, 'notnull' => true, 'default' => ''));
+ $table->addColumn('status', 'string', array('length' => 20, 'notnull' => true, 'default' => 'unverified'));
+ $table->addColumn('verify_hash', 'string', array('length' => 150, 'notnull' => false, 'default' => null));
+ $table->addColumn('group_id', 'integer', array('unsigned' => true, 'notnull' => true, 'default' => 0));
+ $table->setPrimaryKey(array('id'), 'id');
+ $table->addUniqueIndex(array('email'), 'email');
+
+ $table = $schema->createTable('auth_log');
+ $table->addColumn('id', 'bigint', array('unsigned' => true, 'notnull' => true, 'autoincrement' => true));
+ $table->addColumn('code', 'string', array('length' => 100, 'notnull' => true, 'default' => ''));
+ $table->addColumn('info', 'text', array('notnull' => false, 'default' => null));
+ $table->addColumn('ip_addr', 'string', array('length' => 50, 'notnull' => false, 'default' => null));
+ $table->addColumn('time_logged', 'datetime', array('notnull' => true, 'default' => 'CURRENT_TIMESTAMP'));
+ $table->setPrimaryKey(array('id'), 'id');
+ $table->addIndex(array('time_logged'), 'time_logged');
+
+ /* Doctrine DBAL variant of http://bshaffer.github.io/oauth2-server-php-docs/cookbook/#define-your-schema */
+ $table = $schema->createTable('oauth_clients');
+ $table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
+ $table->addColumn('client_secret', 'string', array('length' => 80, 'notnull' => false));
+ $table->addColumn('redirect_uri', 'string', array('length' => 2000, 'notnull' => true));
+ $table->addColumn('grant_types', 'string', array('length' => 80, 'notnull' => false));
+ $table->addColumn('scope', 'string', array('length' => 100, 'notnull' => false));
+ $table->addColumn('user_id', 'string', array('length' => 80, 'notnull' => false));
+ $table->setPrimaryKey(array('client_id'), 'clients_client_id_pk');
+
+ $table = $schema->createTable('oauth_access_tokens');
+ $table->addColumn('access_token', 'string', array('length' => 40, 'notnull' => true));
+ $table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
+ $table->addColumn('user_id', 'string', array('length' => 255, 'notnull' => false));
+ $table->addColumn('expires', 'datetime', array('notnull' => true));
+ $table->addColumn('scope', 'string', array('length' => 2000, 'notnull' => false));
+ $table->setPrimaryKey(array('access_token'), 'access_token_pk');
+
+ $table = $schema->createTable('oauth_authorization_codes');
+ $table->addColumn('authorization_code', 'string', array('length' => 40, 'notnull' => true));
+ $table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
+ $table->addColumn('user_id', 'string', array('length' => 255, 'notnull' => false));
+ $table->addColumn('redirect_uri', 'string', array('length' => 2000, 'notnull' => false));
+ $table->addColumn('expires', 'datetime', array('notnull' => true));
+ $table->addColumn('scope', 'string', array('length' => 2000, 'notnull' => false));
+ $table->setPrimaryKey(array('authorization_code'), 'auth_code_pk');
+
+ $table = $schema->createTable('oauth_refresh_tokens');
+ $table->addColumn('refresh_token', 'string', array('length' => 40, 'notnull' => true));
+ $table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
+ $table->addColumn('user_id', 'string', array('length' => 255, 'notnull' => false));
+ $table->addColumn('expires', 'datetime', array('notnull' => true));
+ $table->addColumn('scope', 'string', array('length' => 2000, 'notnull' => false));
+ $table->setPrimaryKey(array('refresh_token'), 'refresh_token_pk');
+
+ $table = $schema->createTable('oauth_users');
+ $table->addColumn('username', 'string', array('length' => 255, 'notnull' => true));
+ $table->addColumn('password', 'string', array('length' => 2000, 'notnull' => false));
+ $table->addColumn('first_name', 'string', array('length' => 255, 'notnull' => false));
+ $table->addColumn('last_name', 'string', array('length' => 255, 'notnull' => false));
+ $table->setPrimaryKey(array('username'), 'username_pk');
+
+ $table = $schema->createTable('oauth_scopes');
+ $table->addColumn('scope', 'text', array('notnull' => false));
+ $table->addColumn('is_default', 'boolean', array('notnull' => false));
+
+ $table = $schema->createTable('oauth_jwt');
+ $table->addColumn('client_id', 'string', array('length' => 80, 'notnull' => true));
+ $table->addColumn('subject', 'string', array('length' => 80, 'notnull' => false));
+ $table->addColumn('public_key', 'string', array('length' => 2000, 'notnull' => false));
+ $table->setPrimaryKey(array('client_id'), 'client_id_pk');
+
+ return $schema;
+ }
}
?>