From 3875e0fb8b2b31d82809bd20880f1d206db4cb2c Mon Sep 17 00:00:00 2001
From: Robert Kaiser <kairo@kairo.at>
Date: Thu, 15 Dec 2016 23:06:10 +0100
Subject: [PATCH] move settings sanitation to utils, move whitelist for client
 registration to settings

---
 app/api.php                  |  2 +-
 app/authsystem.inc.php       | 13 -------------
 app/authutils.php-class      | 23 ++++++++++++++++++++++-
 app/index.php                |  2 +-
 etc/kairo/auth_settings.json |  1 +
 5 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/app/api.php b/app/api.php
index 4cdbe24..10d43ed 100644
--- a/app/api.php
+++ b/app/api.php
@@ -67,7 +67,7 @@ if (!count($errors)) {
                                   'error_description' => 'The user the access token is connected to was not recognized.')));
         }
         else {
-          if (in_array($user['email'], $utils->client_reg_email_whitelist)) {
+          if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) {
             if (strlen(@$_GET['client_id']) >= 5) {
               $result = $db->prepare('SELECT `client_id`,`user_id` FROM `oauth_clients` WHERE `client_id` = :clientid;');
               $result->execute(array(':clientid' => $_GET['client_id']));
diff --git a/app/authsystem.inc.php b/app/authsystem.inc.php
index 0cf7db2..7f3b783 100644
--- a/app/authsystem.inc.php
+++ b/app/authsystem.inc.php
@@ -3,13 +3,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-/*
-  Some resources for how to store passwords:
-  - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
-  - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
-  oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook
-*/
-
 // error reporting (for testing)
 ini_set('display_errors', 1); error_reporting(E_ALL);
 
@@ -35,12 +28,6 @@ catch (Exception $e) {
 
 $utils->setUpL10n();
 
-// Sanitize settings.
-$settings['piwik_enabled'] = (@$settings['piwik_enabled']) ? true : false;
-$settings['piwik_site_id'] = intval(@$settings['piwik_site_id']);
-$settings['piwik_url'] = strlen(@$settings['piwik_url']) ? $settings['piwik_url'] : '/piwik/';
-$settings['piwik_tracker_path'] = strlen(@$settings['piwik_tracker_path']) ? $settings['piwik_tracker_path'] : '../vendor/piwik/piwik-php-tracker/';
-
 // Set up our OAuth2 Server object
 $server = $utils->getOAuthServer();
 ?>
diff --git a/app/authutils.php-class b/app/authutils.php-class
index f809365..4690bf2 100755
--- a/app/authutils.php-class
+++ b/app/authutils.php-class
@@ -117,6 +117,14 @@ class AuthUtils {
     // *** constructor ***
     $this->settings = json_decode(@file_get_contents('/etc/kairo/auth_settings.json'), true);
     if (!is_array($this->settings)) { throw new ErrorException('Authentication system settings not found', 0); }
+
+    // Sanitize settings.
+    $this->settings['piwik_enabled'] = (@$this->settings['piwik_enabled']) ? true : false;
+    $this->settings['piwik_site_id'] = intval(@$this->settings['piwik_site_id']);
+    $this->settings['piwik_url'] = strlen(@$this->settings['piwik_url']) ? $this->settings['piwik_url'] : '/piwik/';
+    $this->settings['piwik_tracker_path'] = strlen(@$this->settings['piwik_tracker_path']) ? $this->settings['piwik_tracker_path'] : '../vendor/piwik/piwik-php-tracker/';
+
+    // Initialize database.
     $config = new \Doctrine\DBAL\Configuration();
     $connectionParams = array(
         'dbname' => $this->settings['db_name'],
@@ -127,6 +135,7 @@ class AuthUtils {
     );
     $this->db = \Doctrine\DBAL\DriverManager::getConnection($connectionParams, $config);
     $this->db->executeQuery('SET time_zone = "+00:00";'); // Make sure the DB runs on UTC for this connection.
+    // Update DB schema if needed (if the utils PHP file has been changed since we last checked the DB, we trigger the update functionality).
     try {
       $last_log = $this->db->fetchColumn('SELECT time_logged FROM fs_log WHERE code = \'db_checked\' ORDER BY id DESC LIMIT 1', array(1), 0);
       $utils_mtime = filemtime(__FILE__);
@@ -137,6 +146,8 @@ class AuthUtils {
     if (!$last_log || strtotime($last_log) < $utils_mtime) {
       $this->updateDBSchema();
     }
+
+    // Set local variables.
     // For debugging, potentially add |robert\.box\.kairo\.at to that regex temporarily.
     $this->running_on_localhost = preg_match('/^((.+\.)?localhost|127\.0\.0\.\d+)$/', $_SERVER['SERVER_NAME']);
     if (array_key_exists('pwd_cost', $this->settings)) {
@@ -145,12 +156,16 @@ class AuthUtils {
     if (array_key_exists('pwd_nonces', $this->settings)) {
       $this->pwd_nonces = $this->settings['pwd_nonces'];
     }
+    if (array_key_exists('client_reg_email_whitelist', $this->settings) && is_array($this->settings['client_reg_email_whitelist'])) {
+      // If the config lists any emails, set whitelist to them, otherwise there is no whitelist and any user can add OAuth2 clients.
+      $this->client_reg_email_whitelist = $this->settings['client_reg_email_whitelist'];
+    }
   }
 
   public $settings = null;
   public $db = null;
   public $running_on_localhost = false;
-  public $client_reg_email_whitelist = array('kairo@kairo.at', 'com@kairo.at');
+  public $client_reg_email_whitelist = false;
   private $pwd_cost = 10;
   private $pwd_nonces = array();
 
@@ -365,6 +380,12 @@ class AuthUtils {
     return false;
   }
 
+  /*
+    Some resources for how to store passwords:
+    - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
+    - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
+    oauth-server-php: https://bshaffer.github.io/oauth2-server-php-docs/cookbook
+  */
   function pwdHash($new_password) {
     $hash_prefix = '';
     if (count($this->pwd_nonces)) {
diff --git a/app/index.php b/app/index.php
index 8ce0012..ba0d024 100644
--- a/app/index.php
+++ b/app/index.php
@@ -462,7 +462,7 @@ if (!count($errors)) {
     $link = $litem->appendLink('./?logout', _('Log out'));
     $litem = $ulist->appendElement('li');
     $link = $litem->appendLink('./?addemail', _('Add another email address'));
-    if (in_array($user['email'], $utils->client_reg_email_whitelist)) {
+    if (($utils->client_reg_email_whitelist === false) || (in_array($user['email'], $utils->client_reg_email_whitelist))) {
       $litem = $ulist->appendElement('li');
       $link = $litem->appendLink('./?clients', _('Manage OAuth2 clients'));
     }
diff --git a/etc/kairo/auth_settings.json b/etc/kairo/auth_settings.json
index 6294f26..fa4b58b 100644
--- a/etc/kairo/auth_settings.json
+++ b/etc/kairo/auth_settings.json
@@ -7,6 +7,7 @@
 "pwd_nonces": [
  ""
 ],
+"client_reg_email_whitelist": ["you@example.com"],
 "piwik_enabled": false,
 "piwik_url": "/piwik/",
 "piwik_site_id": 1,
-- 
2.35.3