move settings sanitation to utils, move whitelist for client registration to settings

diff --git a/app/api.php b/app/api.php
index 4cdbe24e2416d0be92d516b197dd0425ad4abdc0..10d43edd0d1461cb9119f1b08616642e245124b5 100644 (file)
--- a/app/api.php
+++ b/app/api.php
@@ -67,7 +67,7 @@ if (!count($errors)) {
                                   'error_description' => 'The user the access token is connected to was not recognized.')));
         }
         else {
                                   'error_description' => 'The user the access token is connected to was not recognized.')));
         }
         else {

-          if (in_array($user['email'], $utils->client_reg_email_whitelist)) {
+          if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) {

             if (strlen(@$_GET['client_id']) >= 5) {
               $result = $db->prepare('SELECT `client_id`,`user_id` FROM `oauth_clients` WHERE `client_id` = :clientid;');
               $result->execute(array(':clientid' => $_GET['client_id']));
             if (strlen(@$_GET['client_id']) >= 5) {
               $result = $db->prepare('SELECT `client_id`,`user_id` FROM `oauth_clients` WHERE `client_id` = :clientid;');
               $result->execute(array(':clientid' => $_GET['client_id']));

diff --git a/app/authsystem.inc.php b/app/authsystem.inc.php
index 0cf7db2c41ab0d90a79e865f1b750d16e606fa23..7f3b783c07a6a9a900cc9fb6925d7351a5d6cd0c 100644 (file)
--- a/app/authsystem.inc.php
+++ b/app/authsystem.inc.php
@@ -3,13 +3,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 

-/*
-  Some resources for how to store passwords:
-  - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
-  - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
-  oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook
-*/
-

 // error reporting (for testing)
 ini_set('display_errors', 1); error_reporting(E_ALL);
 
 // error reporting (for testing)
 ini_set('display_errors', 1); error_reporting(E_ALL);
 


@@ -35,12 +28,6 @@ catch (Exception $e) {
 
 $utils->setUpL10n();
 
 
 $utils->setUpL10n();
 

-// Sanitize settings.
-$settings['piwik_enabled'] = (@$settings['piwik_enabled']) ? true : false;
-$settings['piwik_site_id'] = intval(@$settings['piwik_site_id']);
-$settings['piwik_url'] = strlen(@$settings['piwik_url']) ? $settings['piwik_url'] : '/piwik/';
-$settings['piwik_tracker_path'] = strlen(@$settings['piwik_tracker_path']) ? $settings['piwik_tracker_path'] : '../vendor/piwik/piwik-php-tracker/';
-

 // Set up our OAuth2 Server object
 $server = $utils->getOAuthServer();
 ?>
 // Set up our OAuth2 Server object
 $server = $utils->getOAuthServer();
 ?>

diff --git a/app/authutils.php-class b/app/authutils.php-class
index f80936558335e2193641c50eed01760f6dbba366..4690bf2cd7566c87458da51fc9c105b7232de15d 100755 (executable)
--- a/app/authutils.php-class
+++ b/app/authutils.php-class
@@ -117,6 +117,14 @@ class AuthUtils {
     // *** constructor ***
     $this->settings = json_decode(@file_get_contents('/etc/kairo/auth_settings.json'), true);
     if (!is_array($this->settings)) { throw new ErrorException('Authentication system settings not found', 0); }
     // *** constructor ***
     $this->settings = json_decode(@file_get_contents('/etc/kairo/auth_settings.json'), true);
     if (!is_array($this->settings)) { throw new ErrorException('Authentication system settings not found', 0); }

+
+    // Sanitize settings.
+    $this->settings['piwik_enabled'] = (@$this->settings['piwik_enabled']) ? true : false;
+    $this->settings['piwik_site_id'] = intval(@$this->settings['piwik_site_id']);
+    $this->settings['piwik_url'] = strlen(@$this->settings['piwik_url']) ? $this->settings['piwik_url'] : '/piwik/';
+    $this->settings['piwik_tracker_path'] = strlen(@$this->settings['piwik_tracker_path']) ? $this->settings['piwik_tracker_path'] : '../vendor/piwik/piwik-php-tracker/';
+
+    // Initialize database.

     $config = new \Doctrine\DBAL\Configuration();
     $connectionParams = array(
         'dbname' => $this->settings['db_name'],
     $config = new \Doctrine\DBAL\Configuration();
     $connectionParams = array(
         'dbname' => $this->settings['db_name'],


@@ -127,6 +135,7 @@ class AuthUtils {
     );
     $this->db = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config);
     $this->db->executeQuery('SET time_zone = "+00:00";'); // Make sure the DB runs on UTC for this connection.
     );
     $this->db = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config);
     $this->db->executeQuery('SET time_zone = "+00:00";'); // Make sure the DB runs on UTC for this connection.

+    // Update DB schema if needed (if the utils PHP file has been changed since we last checked the DB, we trigger the update functionality).

     try {
       $last_log = $this->db->fetchColumn('SELECT time_logged FROM fs_log WHERE code = \'db_checked\' ORDER BY id DESC LIMIT 1', array(1), 0);
       $utils_mtime = filemtime(__FILE__);
     try {
       $last_log = $this->db->fetchColumn('SELECT time_logged FROM fs_log WHERE code = \'db_checked\' ORDER BY id DESC LIMIT 1', array(1), 0);
       $utils_mtime = filemtime(__FILE__);


@@ -137,6 +146,8 @@ class AuthUtils {
     if (!$last_log || strtotime($last_log) < $utils_mtime) {
       $this->updateDBSchema();
     }
     if (!$last_log || strtotime($last_log) < $utils_mtime) {
       $this->updateDBSchema();
     }

+
+    // Set local variables.

     // For debugging, potentially add |robert\.box\.kairo\.at to that regex temporarily.
     $this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']);
     if (array_key_exists('pwd_cost', $this->settings)) {
     // For debugging, potentially add |robert\.box\.kairo\.at to that regex temporarily.
     $this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']);
     if (array_key_exists('pwd_cost', $this->settings)) {


@@ -145,12 +156,16 @@ class AuthUtils {
     if (array_key_exists('pwd_nonces', $this->settings)) {
       $this->pwd_nonces = $this->settings['pwd_nonces'];
     }
     if (array_key_exists('pwd_nonces', $this->settings)) {
       $this->pwd_nonces = $this->settings['pwd_nonces'];
     }

+    if (array_key_exists('client_reg_email_whitelist', $this->settings) && is_array($this->settings['client_reg_email_whitelist'])) {
+      // If the config lists any emails, set whitelist to them, otherwise there is no whitelist and any user can add OAuth2 clients.
+      $this->client_reg_email_whitelist = $this->settings['client_reg_email_whitelist'];
+    }

   }
 
   public $settings = null;
   public $db = null;
   public $running_on_localhost = false;
   }
 
   public $settings = null;
   public $db = null;
   public $running_on_localhost = false;

-  public $client_reg_email_whitelist = array('kairo@kairo.at', 'com@kairo.at');
+  public $client_reg_email_whitelist = false;

   private $pwd_cost = 10;
   private $pwd_nonces = array();
 
   private $pwd_cost = 10;
   private $pwd_nonces = array();
 


@@ -365,6 +380,12 @@ class AuthUtils {
     return false;
   }
 
     return false;
   }
 

+  /*
+    Some resources for how to store passwords:
+    - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
+    - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
+    oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook
+  */

   function pwdHash($new_password) {
     $hash_prefix = '';
     if (count($this->pwd_nonces)) {
   function pwdHash($new_password) {
     $hash_prefix = '';
     if (count($this->pwd_nonces)) {

diff --git a/app/index.php b/app/index.php
index 8ce0012d177119b7d4d4cb814a09986bfae3d69c..ba0d0247e7e42bc500b84eb6181b717661e0c8f7 100644 (file)
--- a/app/index.php
+++ b/app/index.php
@@ -462,7 +462,7 @@ if (!count($errors)) {
     $link = $litem->appendLink('./?logout', _('Log out'));
     $litem = $ulist->appendElement('li');
     $link = $litem->appendLink('./?addemail', _('Add another email address'));
     $link = $litem->appendLink('./?logout', _('Log out'));
     $litem = $ulist->appendElement('li');
     $link = $litem->appendLink('./?addemail', _('Add another email address'));

-    if (in_array($user['email'], $utils->client_reg_email_whitelist)) {
+    if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) {

       $litem = $ulist->appendElement('li');
       $link = $litem->appendLink('./?clients', _('Manage OAuth2 clients'));
     }
       $litem = $ulist->appendElement('li');
       $link = $litem->appendLink('./?clients', _('Manage OAuth2 clients'));
     }

diff --git a/etc/kairo/auth_settings.json b/etc/kairo/auth_settings.json
index 6294f26e634947210426089af58fda705e3c3833..fa4b58b09ef4a79b01102ec73f8427ca2c7f65f0 100644 (file)
--- a/etc/kairo/auth_settings.json
+++ b/etc/kairo/auth_settings.json
@@ -7,6 +7,7 @@
 "pwd_nonces": [
  ""
 ],
 "pwd_nonces": [
  ""
 ],

+"client_reg_email_whitelist": ["you@example.com"],

 "piwik_enabled": false,
 "piwik_url": "/piwik/",
 "piwik_site_id": 1,
 "piwik_enabled": false,
 "piwik_url": "/piwik/",
 "piwik_site_id": 1,