Completed
Push — master ( 8f67cd...1f0011 )
by Terrence
16:32 queued 01:33
created

index-site.php ➔ validateP12()   A

Complexity

Conditions 6
Paths 4

Size

Total Lines 18

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
cc 6
nc 4
nop 0
dl 0
loc 18
rs 9.0444
c 0
b 0
f 0
1
<?php
2
3
// error_reporting(E_ALL); ini_set('display_errors',1);
4
5
require_once __DIR__ . '/vendor/autoload.php';
6
7
use CILogon\Service\Util;
8
use CILogon\Service\Content;
9
use CILogon\Service\ShibError;
10
use CILogon\Service\Loggit;
11
12
Util::startPHPSession();
13
14
// Util::startTiming();
15
// Util::$timeit->printTime('MAIN Program START...');
16
17
// Check for a Shibboleth error and handle it
18
$shiberror = new ShibError();
19
20
// Check the csrf cookie against either a hidden <form> element or a
21
// PHP session variable, and get the value of the 'submit' element.
22
// Note: replace CR/LF with space for 'Show/Hide Help' buttons.
23
$retchars = array("\r\n","\n","\r");
24
$submit = str_replace(
25
    $retchars,
26
    " ",
27
    Util::getCsrf()->verifyCookieAndGetSubmit()
28
);
29
Util::unsetSessionVar('submit');
30
31
$log = new Loggit();
32
$log->info('submit="' . $submit . '"');
33
34
// Depending on the value of the clicked 'submit' button or the
35
// equivalent PHP session variable, take action or print out HTML.
36
switch ($submit) {
37
    case 'Log On': // Check for OpenID or InCommon usage.
38
    case 'Continue': // For OOI
39
        Content::handleLogOnButtonClicked();
40
        break; // End case 'Log On'
41
42
    case 'Log Off':   // Click the 'Log Off' button
43
        printLogonPage(true);
0 ignored issues
show
Unused Code introduced by
The call to printLogonPage() has too many arguments starting with true.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Loading history...
44
        break; // End case 'Log Off'
45
46
    case 'gotuser': // Return from the getuser script
47
        Content::handleGotUser();
48
        break; // End case 'gotuser'
49
50
    case 'Go Back': // Return to the Main page
51
    case 'Proceed': // Proceed after 'User Changed' or Error page
52
    case 'Done with Two-Factor':
53
        Util::verifySessionAndCall('printMainPage');
0 ignored issues
show
Documentation introduced by
'printMainPage' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
54
        break; // End case 'Go Back' / 'Proceed'
55
56
    case 'Cancel': // Cancel button on WAYF page - go to Google
57
        header('Location: https://www.google.com/');
58
        exit; // No further processing necessary
59
        break;
60
61
    case 'Get New Certificate':
62
        if (Util::verifySessionAndCall(
63
            'CILogon\\Service\\Content::generateP12'
0 ignored issues
show
Documentation introduced by
'CILogon\\Service\\Content::generateP12' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
64
        )) {
65
            printMainPage();
66
        }
67
        break; // End case 'Get New Certificate'
68
69
    case 'Get New Activation Code':
70
        if (Util::verifySessionAndCall('generateActivationCode')) {
0 ignored issues
show
Documentation introduced by
'generateActivationCode' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
71
            printMainPage();
72
        }
73
        break; // End case 'Get New Activation Code'
74
75
    case 'Manage Two-Factor':
76
        Util::verifySessionAndCall(
77
            'CILogon\\Service\\Content::printTwoFactorPage'
0 ignored issues
show
Documentation introduced by
'CILogon\\Service\\Content::printTwoFactorPage' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
78
        );
79
        break; // End case 'Manage Two-Factor'
80
81
    case 'Enable':   // Enable / Disable two-factor authentication
82
    case 'Disable':
83
    case 'Verify':   // Log in with Google Authenticator
84
    case 'Disable Two-Factor':
85
        $enable = !preg_match('/^Disable/', $submit);
86
        Util::verifySessionAndCall(
87
            'CILogon\\Service\\Content::handleEnableDisableTwoFactor',
0 ignored issues
show
Documentation introduced by
'CILogon\\Service\\Conte...EnableDisableTwoFactor' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
88
            array($enable)
89
        );
90
        break; // End case 'Enable' / 'Disable'
91
92
    case 'I Lost My Phone':
93
        Util::verifySessionAndCall(
94
            'CILogon\\Service\\Content::handleILostMyPhone'
0 ignored issues
show
Documentation introduced by
'CILogon\\Service\\Content::handleILostMyPhone' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
95
        );
96
        break; // End case 'I Lost My Phone'
97
98
    case 'Enter': // Verify Google Authenticator one time password
99
        Util::verifySessionAndCall(
100
            'CILogon\\Service\\Content::handleGoogleAuthenticatorLogin'
0 ignored issues
show
Documentation introduced by
'CILogon\\Service\\Conte...ogleAuthenticatorLogin' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
101
        );
102
        break; // End case 'Enter'
103
104
    case 'EnterDuo': // Verify Duo Security login
105
        Util::verifySessionAndCall(
106
            'CILogon\\Service\\Content::handleDuoSecurityLogin'
0 ignored issues
show
Documentation introduced by
'CILogon\\Service\\Conte...handleDuoSecurityLogin' is of type string, but the function expects a object<CILogon\Service\function>.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
107
        );
108
        break; // End case 'EnterDuo'
109
110
    case 'Show  Help ': // Toggle showing of help text on and off
111
    case 'Hide  Help ':
112
        Content::handleHelpButtonClicked();
113
        break; // End case 'Show Help' / 'Hide Help'
114
115
    default: // No submit button clicked nor PHP session submit variable set
116
        Content::handleNoSubmitButtonClicked();
117
        break; // End default case
118
} // End switch($submit)
119
120
121
/**
122
 * printLogonPage
123
 *
124
 * This function prints out the HTML for the main cilogon.org page.
125
 * Explanatory text is shown as well as a button to log in to an IdP
126
 * and get rerouted to the Shibboleth protected service script, or the
127
 * OpenID script.
128
 *
129
 * @param bool $clearcookies True if the Shibboleth cookies and session
130
 *        variables  should be cleared out before displaying the page.
131
 *        Defaults to false.
132
 */
133
function printLogonPage($clearcookies = false)
0 ignored issues
show
Best Practice introduced by
The function printLogonPage() has been defined more than once; this definition is ignored, only the first definition in authorize/index-site.php (L143-235) is considered.

This check looks for functions that have already been defined in other files.

Some Codebases, like WordPress, make a practice of defining functions multiple times. This may lead to problems with the detection of function parameters and types. If you really need to do this, you can mark the duplicate definition with the @ignore annotation.

/**
 * @ignore
 */
function getUser() {

}

function getUser($id, $realm) {

}

See also the PhpDoc documentation for @ignore.

Loading history...
134
{
135
    if ($clearcookies) {
136
        Util::removeShibCookies();
137
        Util::unsetAllUserSessionVars();
138
        Util::getSkin()->init(true);  // Clear cilogon_skin var; check for forced skin
139
    }
140
141
    $log = new Loggit();
142
    $log->info('Welcome page hit.');
143
144
    Util::setSessionVar('stage', 'logon'); // For Show/Hide Help button clicks
145
146
    Content::printHeader('Welcome To The CILogon Service');
147
148
    echo '
149
    <div class="boxed">
150
    ';
151
152
    Content::printHelpButton();
153
    Content::printWAYF();
154
155
    echo '
156
    </div> <!-- End boxed -->
157
    ';
158
    Content::printFooter();
159
}
160
161
/**
162
 * printMainPage
163
 *
164
 * This function prints out the HTML for the main page where the user
165
 * can download a certificate or generate an Activation Code.
166
 */
167
function printMainPage()
0 ignored issues
show
Best Practice introduced by
The function printMainPage() has been defined more than once; this definition is ignored, only the first definition in authorize/index-site.php (L306-401) is considered.

This check looks for functions that have already been defined in other files.

Some Codebases, like WordPress, make a practice of defining functions multiple times. This may lead to problems with the detection of function parameters and types. If you really need to do this, you can mark the duplicate definition with the @ignore annotation.

/**
 * @ignore
 */
function getUser() {

}

function getUser($id, $realm) {

}

See also the PhpDoc documentation for @ignore.

Loading history...
168
{
169
    $log = new Loggit();
170
    $log->info('Get And Use Certificate page hit.');
171
172
    Util::setSessionVar('stage', 'main'); // For Show/Hide Help button clicks
173
174
    Content::printHeader('Get Your Certificate');
175
176
    echo '
177
    <div class="boxed">
178
    ';
179
180
    Content::printHelpButton();
181
    printCertInfo();
182
    printGetCertificate();
183
    printDownloadCertificate();
184
    printGetActivationCode();
185
    Content::printTwoFactorBox();
186
    printLogOff();
187
188
    echo '
189
    </div> <!-- boxed -->
190
    ';
191
    Content::printFooter();
192
}
193
194
/**
195
 * printCertInfo
196
 *
197
 * This function prints the certificate information table at the top
198
 * of the main page.
199
 */
200
function printCertInfo()
201
{
202
    $dn = Util::getSessionVar('dn');
203
    $dn = Content::reformatDN(preg_replace('/\s+email=.+$/', '', $dn));
204
205
    echo '
206
    <table class="certinfo">
207
      <tr>
208
        <th>Certificate&nbsp;Subject:</th>
209
        <td>' , Util::htmlent($dn) , '</td>
210
      </tr>
211
      <tr>
212
        <th>Identity&nbsp;Provider:</th>
213
        <td>' , Util::getSessionVar('idpname') , '</td>
214
      </tr>
215
      <tr>
216
        <th><a target="_blank"
217
        href="http://ca.cilogon.org/loa">Level&nbsp;of&nbsp;Assurance:</a></th>
218
        <td>
219
    ';
220
221
    $loa = Util::getSessionVar('loa');
222
    if ($loa == 'openid') {
223
        echo '<a href="http://ca.cilogon.org/policy/openid"
224
              target="_blank">OpenID</a>';
225
    } elseif ($loa == 'http://incommonfederation.org/assurance/silver') {
226
        echo '<a href="http://ca.cilogon.org/policy/silver"
227
              target="_blank">Silver</a>';
228
    } else {
229
        echo '<a href="http://ca.cilogon.org/policy/basic"
230
              target="_blank">Basic</a>';
231
    }
232
    echo '
233
        </td>
234
      </tr>
235
    </table>
236
    ';
237
}
238
239
/**
240
 * printGetCertificate
241
 *
242
 * This function prints the 'Get New Certificate' box on the main page.
243
 * If the 'p12' PHP session variable is valid, it is read and a link for the
244
 * usercred.p12 file is presented to the user.
245
 */
246
function printGetCertificate()
247
{
248
    // Check if PKCS12 downloading is disabled. If so, print out message.
249
    $skin = Util::getSkin();
250
    $disabled = $skin->getConfigOption('pkcs12', 'disabled');
251
    if ((!is_null($disabled)) && ((int)$disabled == 1)) {
252
        $disabledmsg = $skin->getConfigOption(
253
            'pkcs12',
254
            'disabledmessage'
255
        );
256
        if (!is_null($disabledmsg)) {
257
            $disabledmsg = trim(html_entity_decode($disabledmsg));
258
        }
259
        if (strlen($disabledmsg) == 0) {
260
            $disabledmsg = "Downloading PKCS12 certificates is " .
261
                "restricted. Please try another method or log on " .
262
                "with a different Identity Provider.";
263
        }
264
265
        echo '<div class="p12actionbox"><p>
266
             ', $disabledmsg , '
267
             </p></div> <!-- p12actionbox -->';
268
    } else { // PKCS12 downloading is okay
269
        $downloadcerttext = "Clicking this button will generate a link " .
270
            "to a new certificate, which you can download to your local " .
271
            "computer. The certificate is valid for up to 13 months.";
272
        $p12linktext = "Left-click this link to import the certificate " .
273
            "into your broswer / operating system. (Firefox users see " .
274
            "the FAQ.) Right-click this link and select 'Save As...' to " .
275
            "save the certificate to your desktop.";
276
        $passwordtext1 = 'Enter a password of at least 12 characters to " .
277
            "protect your certificate.';
278
        $passwordtext2 = 'Re-enter your password to verify.';
279
280
        validateP12();
281
        $p12expire = '';
282
        $p12link = '';
283
        $p12 = Util::getSessionVar('p12');
284
        if (preg_match('/([^\s]*)\s(.*)/', $p12, $match)) {
285
            $p12expire = $match[1];
286
            $p12link = $match[2];
287
        }
288
289
        if ((strlen($p12link) > 0) && (strlen($p12expire) > 0)) {
290
            $p12link = '<a href="' . $p12link .
291
                '">&raquo; Click Here To Download Your Certificate &laquo;</a>';
292
        }
293
        if ((strlen($p12expire) > 0) && ($p12expire > 0)) {
294
            $expire = $p12expire - time();
295
            $minutes = floor($expire % 3600 / 60);
296
            $seconds = $expire % 60;
297
            $p12expire = 'Link Expires: ' .
298
                sprintf("%02dm:%02ds", $minutes, $seconds);
299
        } else {
300
            $p12expire = '';
301
        }
302
303
        $p12lifetime = Util::getSessionVar('p12lifetime');
304
        if ((strlen($p12lifetime) == 0) || ($p12lifetime == 0)) {
305
            $p12lifetime = Util::getCookieVar('p12lifetime');
306
        }
307
        $p12multiplier = Util::getSessionVar('p12multiplier');
308
        if ((strlen($p12multiplier) == 0) || ($p12multiplier == 0)) {
309
            $p12multiplier = Util::getCookieVar('p12multiplier');
310
        }
311
312
        // Try to read the skin's intiallifetime if not yet set
313
        if ((strlen($p12lifetime) == 0) || ($p12lifetime <= 0)) {
314
            // See if the skin specified an initial value
315
            $skinlife = $skin->getConfigOption('pkcs12', 'initiallifetime', 'number');
316
            $skinmult = $skin->getConfigOption('pkcs12', 'initiallifetime', 'multiplier');
317
            if ((!is_null($skinlife)) && (!is_null($skinmult)) &&
318
                ((int)$skinlife > 0) && ((int)$skinmult > 0)) {
319
                $p12lifetime = (int)$skinlife;
320
                $p12multiplier = (int)$skinmult;
321
            } else {
322
                $p12lifetime = 13;      // Default to 13 months
323
                $p12multiplier = 732;
324
            }
325
        }
326
        if ((strlen($p12multiplier) == 0) || ($p12multiplier <= 0)) {
327
            $p12multiplier = 732;   // Default to months
328
            if ($p12lifetime > 13) {
329
                $p12lifetime = 13;
330
            }
331
        }
332
333
        // Make sure lifetime is within [minlifetime,maxlifetime]
334
        list($minlifetime, $maxlifetime) =
335
            Content::getMinMaxLifetimes('pkcs12', 9516);
336
        if (($p12lifetime * $p12multiplier) < $minlifetime) {
337
            $p12lifetime = $minlifetime;
338
            $p12multiplier = 1; // In hours
339
        } elseif (($p12lifetime * $p12multiplier) > $maxlifetime) {
340
            $p12lifetime = $maxlifetime;
341
            $p12multiplier = 1; // In hours
342
        }
343
344
        $lifetimetext = "Specify the certificate lifetime. Acceptable range " .
345
                        "is between $minlifetime and $maxlifetime hours" .
346
                        (($maxlifetime > 732) ?
347
                            " ( = " . round(($maxlifetime/732), 2) . " months)." :
348
                            "."
349
                        );
350
351
        echo '
352
        <div class="p12actionbox"';
353
354
        if (Util::getSessionVar('showhelp') == 'on') {
355
            echo ' style="width:92%;"';
356
        }
357
358
        echo '>
359
        <table class="helptable">
360
        <tr>
361
        <td class="actioncell">
362
        ';
363
364
        Content::printFormHead();
365
366
        echo '
367
          <fieldset>
368
          ';
369
370
        $p12error = Util::getSessionVar('p12error');
371
        if (strlen($p12error) > 0) {
372
            echo "<p class=\"logonerror\">$p12error</p>";
373
            Util::unsetSessionVar('p12error');
374
        }
375
376
        echo '
377
          <p>
378
          Password Protect Your New Certificate:
379
          </p>
380
381
          <p>
382
          <label for="password1" class="helpcursor" title="' ,
383
          $passwordtext1 , '">Enter A Password:</label>
384
          <input type="password" name="password1" id="password1"
385
          size="22" title="' , $passwordtext1 , '" onkeyup="checkPassword()"/>
386
          <img src="/images/blankIcon.png" width="14" height="14" alt=""
387
          id="pw1icon"/>
388
          </p>
389
390
          <p>
391
          <label for="password2" class="helpcursor" title="' ,
392
          $passwordtext2 , '">Confirm Password:</label>
393
          <input type="password" name="password2" id="password2"
394
          size="22" title="' , $passwordtext2 , '" onkeyup="checkPassword()"/>
395
          <img src="/images/blankIcon.png" width="14" height="14" alt=""
396
          id="pw2icon"/>
397
          </p>
398
399
          <p class="p12certificatelifetime">
400
          <label for="p12lifetime" title="' , $lifetimetext ,
401
          '" class="helpcursor">Certificate Lifetime:</label>
402
          <input type="text" name="p12lifetime" id="p12lifetime"
403
          title="', $lifetimetext ,
404
          '" class="helpcursor" value="' , $p12lifetime ,
405
          '" size="8" maxlength="8"/>
406
          <select title="' , $lifetimetext ,
407
          '" class="helpcursor" id="p12multiplier" name="p12multiplier">
408
          <option value="1"' ,
409
              (($p12multiplier==1) ? ' selected="selected"' : '') ,
410
              '>hours</option>
411
          <option value="24"' ,
412
              (($p12multiplier==24) ? ' selected="selected"' : '') ,
413
              '>days</option>
414
          <option value="732"' ,
415
              (($p12multiplier==732) ? ' selected="selected"' : '') ,
416
              '>months</option>
417
          </select>
418
          <img src="/images/blankIcon.png" width="14" height="14" alt=""/>
419
          </p>
420
421
          <p>
422
          <input type="submit" name="submit" class="submit helpcursor"
423
          title="' , $downloadcerttext , '" value="Get New Certificate"
424
          onclick="showHourglass(\'p12\')"/>
425
          <img src="/images/hourglass.gif" width="32" height="32" alt=""
426
          class="hourglass" id="p12hourglass"/>
427
          </p>
428
429
          <p id="p12value" class="helpcursor" title="' ,
430
              $p12linktext , '">' , $p12link , '</p>
431
          <p id="p12expire">' , $p12expire , '</p>
432
433
          </fieldset>
434
          </form>
435
        </td>
436
        ';
437
438
        if (Util::getSessionVar('showhelp') == 'on') {
439
            echo '
440
            <td class="helpcell">
441
            <div>
442
            <p>
443
            In order to get a new certificate, please enter a password of at
444
            least 12 characters in length.  This password protects the private
445
            key of the certificate and is different from your identity provider
446
            password.  You must enter the password twice for verification.
447
            </p>
448
            <p>
449
            After entering a password, click the "Get New Certificate" button to
450
            generate a new link.  Right-click on this link to download the
451
            certificate to your computer.  The certificate is valid for up to 13
452
            months.
453
            </p>
454
            </div>
455
            </td>
456
            ';
457
        }
458
459
        echo '
460
        </tr>
461
        </table>
462
        </div> <!-- p12actionbox -->
463
        ';
464
    }
465
}
466
467
/**
468
 * printDownlaodCertificate
469
 *
470
 * This function prints the 'Download Certificate' box, which uses the
471
 * GridShib-CA JWS client to download a certificate for the user.
472
 */
473
function printDownloadCertificate()
474
{
475
    $gridshibconf = Util::parseGridShibConf();
476
    $idpname = Util::getSessionVar('idpname');
0 ignored issues
show
Unused Code introduced by
$idpname is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
477
478
    $downloadcerttext = "Download a certificate to your local computer. " .
479
        "Clicking this button should launch a Java Web Start (JWS) " .
480
        "application, which requires Java to be installed on your " .
481
        "computer and enabled in your web browser.";
482
483
    echo '
484
    <div class="certactionbox"';
485
486
    if (Util::getSessionVar('showhelp') == 'on') {
487
        echo ' style="width:92%;"';
488
    }
489
490
    echo '>
491
    <table class="helptable">
492
    <tr>
493
    <td class="actioncell">
494
    ';
495
496
    Content::printFormHead(
497
        preg_replace(
498
            '/^\s*=\s*/',
499
            '',
500
            $gridshibconf['root']['GridShibCAURL']
501
        ) . 'shibCILaunchGSCA.jnlp',
502
        'post',
503
        true
504
    );
505
506
    $certlifetime   = Util::getCookieVar('certlifetime');
507
    $certmultiplier = Util::getCookieVar('certmultiplier');
508
509
    // Try to read the skin's initiallifetime if not yet set
510
    if ((strlen($certlifetime) == 0) || ($certlifetime <= 0)) {
511
        $skin = Util::getSkin();
512
        $skinlife = $skin->getConfigOption('gsca', 'initiallifetime', 'number');
513
        $skinmult = $skin->getConfigOption('gsca', 'initiallifetime', 'multiplier');
514
        if ((!is_null($skinlife)) && (!is_null($skinmult)) &&
515
            ((int)$skinlife > 0) && ((int)$skinmult > 0)) {
516
            $certlifetime = (int)$skinlife;
517
            $certmultiplier = (int)$skinmult;
518
        } else { // Use gridshib-ca.conf default value
519
            $certlifetime = round(preg_replace(
520
                '/^\s*=\s*/',
521
                '',
522
                $gridshibconf['root']['CA']['DefaultCredLifetime']
523
            ) / 3600);
524
            $certmultiplier = 3600;
525
        }
526
    }
527
    if ((strlen($certmultiplier) == 0) || ($certmultiplier <= 0)) {
528
        $certmultiplier = 3600;   // Default to hours
529
    }
530
531
    // Make sure lifetime is within [minlifetime,maxlifetime]
532
    $defaultmaxlifetime = preg_replace(
533
        '/^\s*=\s*/',
534
        '',
535
        $gridshibconf['root']['CA']['MaximumCredLifetime']
536
    ) / 3600;
537
    list($minlifetime, $maxlifetime) =
538
        Content::getMinMaxLifetimes('gsca', $defaultmaxlifetime);
539
    if (($certlifetime * $certmultiplier / 3600) < $minlifetime) {
540
        $certlifetime = $minlifetime;
541
        $certmultiplier = 3600; // In hours
542
    } elseif (($certlifetime * $certmultiplier / 3600) > $maxlifetime) {
543
        $certlifetime = $maxlifetime;
544
        $certmultiplier = 3600; // In hours
545
    }
546
547
    $lifetimetext = "Specify the certificate lifetime. Acceptable range " .
548
                    "is between $minlifetime and $maxlifetime hours" .
549
                    (($maxlifetime > 732) ?
550
                        " ( = " . round(($maxlifetime/732), 2) . " months)." :
551
                        "."
552
                    );
553
554
    $maxcleartextlifetime = preg_replace(
555
        '/^\s*=\s*/',
556
        '',
557
        $gridshibconf['root']['LaunchClient']['MaxCleartextLifetime']
558
    ) / 3600;
559
    if (($maxcleartextlifetime > 0) &&
560
        ($maxlifetime >= $maxcleartextlifetime)) {
561
        $lifetimetext .= " Lifetimes greater than " .
562
            round(($maxcleartextlifetime/24), 2) .
563
            " days will require you to specify a passphrase.";
564
    }
565
566
    echo '
567
      <fieldset>
568
      <p class="jwscertificatelifetime">
569
      <label for="certlifetime" title="' , $lifetimetext ,
570
      '" class="helpcursor">Lifetime:</label>
571
      <input type="text" name="certlifetime" id="certlifetime"
572
      title="', $lifetimetext ,
573
      '" class="helpcursor" value="' , $certlifetime ,
574
      '" size="8" maxlength="8" disabled="disabled"/>
575
      <select title="' , $lifetimetext ,
576
      '" class="helpcursor" id="certmultiplier" name="certmultiplier"
577
      disabled="disabled">
578
      <option value="3600"' ,
579
          (($certmultiplier==3600) ? ' selected="selected"' : '') ,
580
          '>hours</option>
581
      <option value="86400"' ,
582
          (($certmultiplier==86400) ? ' selected="selected"' : '') ,
583
          '>days</option>
584
      <option value="2635200"' ,
585
          (($certmultiplier==2635200) ? ' selected="selected"' : '') ,
586
          '>months</option>
587
      </select>
588
      <input type="hidden" name="minlifetime" id="minlifetime" value="' ,
589
      $minlifetime*3600 , '" />
590
      <input type="hidden" name="maxlifetime" id="maxlifetime" value="' ,
591
      $maxlifetime*3600 , '" />
592
      <input type="hidden" name="RequestedLifetime" id="RequestedLifetime"
593
      value="' , ($certlifetime * $certmultiplier) , '" />
594
      </p>
595
      <p>
596
      <input type="submit" name="submit" class="submit helpcursor"
597
      title="' , $downloadcerttext ,
598
      '" value="Download Certificate" onclick="handleLifetime();" />
599
      </p>
600
      <p class="smaller zeroheight" id="mayneedjava">
601
      You may need to install <a target="_blank"
602
      href="http://www.javatester.org/version.html">Java</a>.
603
      </p>
604
      </fieldset>
605
606
      <noscript>
607
      <div class="nojs smaller">
608
      JavaScript must be enabled to specify Lifetime.
609
      </div>
610
      </noscript>
611
612
      </form>
613
    </td>
614
    ';
615
616
    if (Util::getSessionVar('showhelp') == 'on') {
617
        echo '
618
        <td class="helpcell">
619
        <div>
620
        <p>
621
        When you click on the "Download Certificate" button, a JNLP file is
622
        downloaded to your computer which will launch Java Web Start
623
        (assuming <a target="_blank"
624
        href="http://java.com/getjava/">Java</a> is correctly installed on
625
        your machine).  This will run the CILogon Certificate Retriever
626
        program to download a certificate.  The program may prompt you to
627
        enter a password of at least 12 characters to protect the private
628
        key of the certificate.  This password is different from your
629
        identity provider password.
630
        </p>
631
        </div>
632
        </td>
633
        ';
634
    }
635
636
    echo '
637
    </tr>
638
    </table>
639
    </div> <!-- certactionbox -->
640
    ';
641
}
642
643
/**
644
 * printGetActivationCode
645
 *
646
 * This function prints the 'Get New Activation Code' box on the main
647
 * page.  If the 'activation' PHP session variable is valid, it is
648
 * shown at the bottom of the box.  The Activation Code can be used by
649
 * the GridShib-CA python client to fetch a certificate.
650
 */
651
function printGetActivationCode()
652
{
653
    $generatecodetext = "Get a new one-time-use activation code for " .
654
        "CILogon-enabled applications.";
655
    $tokenhelptext = "Click the button below to display a one-time-use " .
656
        "activation code for CILogon-enabled applications. You can copy " .
657
        "and paste this code into the application to download a " .
658
        "certificate. See FAQ for more information.";
659
    $tokenvaluetext = 'Copy and paste the one-time-use activation code " .
660
        "into your CILogon-enabled application to download a certificate.';
661
662
    echo '
663
    <div class="tokenactionbox"';
664
665
    if (Util::getSessionVar('showhelp') == 'on') {
666
        echo ' style="width:92%;"';
667
    }
668
669
    echo '>
670
    <table class="helptable">
671
    <tr>
672
    <td class="actioncell">
673
    ';
674
675
    Content::printFormHead();
676
677
    validateActivationCode();
678
    $tokenvalue = '';
679
    $tokenexpire = '';
680
    $activation = Util::getSessionVar('activation');
681
    if (preg_match('/([^\s]*)\s(.*)/', $activation, $match)) {
682
        $tokenexpire = $match[1];
683
        $tokenvalue = $match[2];
684
    }
685
    if ((strlen($tokenvalue) > 0) && (strlen($tokenexpire) > 0)) {
686
        $tokenvalue = 'Activation&nbsp;Code: ' . $tokenvalue;
687
    }
688
    if ((strlen($tokenexpire) > 0) && ($tokenexpire > 0)) {
689
        $expire = $tokenexpire - time();
690
        $minutes = floor($expire % 3600 / 60);
691
        $seconds = $expire % 60;
692
        $tokenexpire = 'Code Expires: ' .
693
            sprintf("%02dm:%02ds", $minutes, $seconds);
694
    } else {
695
        $tokenexpire = '';
696
    }
697
698
    echo '
699
      <p class="helpcursor" title="' ,
700
          $tokenhelptext , '">For CILogon-enabled Applications:</p>
701
      <p>
702
703
      <input type="submit" name="submit" class="submit helpcursor"
704
      title="' , $generatecodetext , '" value="Get New Activation Code"
705
      onclick="showHourglass(\'token\')"/>
706
      <img src="/images/hourglass.gif" width="32" height="32" alt=""
707
      class="hourglass" id="tokenhourglass"/>
708
      </p>
709
      <p id="tokenvalue" class="helpcursor" title="' ,
710
          $tokenvaluetext , '">' , $tokenvalue , '</p>
711
      <p id="tokenexpire">' , $tokenexpire , '</p>
712
713
      </form>
714
    </td>
715
    ';
716
717
    if (Util::getSessionVar('showhelp') == 'on') {
718
        echo '
719
        <td class="helpcell">
720
        <div>
721
        <p>
722
        An Activation Code can be used by a <a target="_blank"
723
        href="http://www.cilogon.org/enabled">CILogon-enabled
724
        Application</a> to download a certificate. Click the "Get New
725
        Activation Code" button to generate a random sequence of letters and
726
        numbers.  Highlight the activation code (e.g. double-click it), copy
727
        the code from your browser, and paste it into the CILogon-enabled
728
        application.
729
        </p>
730
        </div>
731
        </td>
732
        ';
733
    }
734
735
    echo '
736
    </tr>
737
    </table>
738
    </div> <!-- tokenactionbox -->
739
    ';
740
}
741
742
/**
743
 * printLogOff
744
 *
745
 * This function prints the Log Off boxes at the bottom of the main page.
746
 */
747
function printLogOff()
748
{
749
    $logofftext = 'End your CILogon session and return to the welcome page. ' .
750
                  'Note that this will not log you out at ' .
751
                  Util::getSessionVar('idpname') . '.';
752
753
    $showhelp = Util::getSessionVar('showhelp');
754
755
    echo '
756
    <div class="logoffactionbox"';
757
758
    if ($showhelp == 'on') {
759
        echo ' style="width:92%;"';
760
    }
761
762
    echo '>
763
    <table class="helptable">
764
    <tr>
765
    <td class="actioncell">
766
    ';
767
768
    Content::printFormHead();
769
770
    echo '
771
      <p>
772
      <input type="submit" name="submit" class="submit helpcursor"
773
      title="' , $logofftext , '" value="Log Off" />
774
      </p>
775
    </form>
776
    </td>
777
    ';
778
779
    if ($showhelp == 'on') {
780
        echo '
781
        <td class="helpcell">
782
        <div>
783
        <p>
784
        This button will log you off of the CILogon Service. In order to log
785
        out from your identity provider, you must either quit your browser
786
        or manually clear your browser\'s cookies.
787
        </p>
788
        </div>
789
        </td>
790
        ';
791
    }
792
793
    echo '
794
    </tr>
795
    </table>
796
    </div> <!-- logoffactionbox -->
797
798
    <div class="logofftextbox"';
799
800
    if ($showhelp == 'on') {
801
        echo ' style="width:92%;"';
802
    }
803
804
    echo '>
805
    <table class="helptable">
806
    <tr>
807
    <td class="actioncell">
808
      <p>To log off, please quit your browser.<p>
809
    </td>
810
    ';
811
812
    if ($showhelp == 'on') {
813
        echo '
814
        <td class="helpcell">
815
        <div>
816
        <p>
817
        Quitting your browser clears all session cookies which logs you out
818
        from your identity provider.  Alternatively, you can manually clear
819
        your browser\'s cookies.
820
        </p>
821
        </div>
822
        </td>
823
        ';
824
    }
825
826
    echo '
827
    </tr>
828
    </table>
829
    </div> <!-- logofftextbox -->
830
    ';
831
}
832
833
/**
834
 * generateActivationCode
835
 *
836
 * This function is called when the user clicks the 'Get New Activation
837
 * Code' button.  It calls the GridShib CA functionality to create a
838
 * .jnlp file, uses 'curl' to slurp in the resulting .jnlp file, and
839
 * scans for the AuthenticationToken in the file.  This is stored in
840
 * the 'activation' PHP session value to be output to the user when
841
 * the Main Page is redrawn. The token can be used by the GridShib-CA
842
 * python client to fetch a certificate.
843
 */
844
function generateActivationCode()
845
{
846
    $tokenvalue = '';
847
    $gridshibconf = Util::parseGridShibConf();
848
849
    $ch = curl_init();
850
    if ($ch !== false) {
851
        $csrf = Util::getCsrf();
852
        $url = 'https://' . Util::getHN() . preg_replace(
853
            '/^\s*=\s*/',
854
            '',
855
            $gridshibconf['root']['GridShibCAURL']
856
        ) . 'shibCILaunchGSCA.jnlp';
857
        curl_setopt($ch, CURLOPT_URL, $url);
858
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
859
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
860
        curl_setopt($ch, CURLOPT_POST, true);
861
        curl_setopt($ch, CURLOPT_HEADER, false);
862
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
863
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
864
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
865
        curl_setopt($ch, CURLOPT_POSTFIELDS, 'CSRFProtection=' .
866
            $csrf->getTokenValue());
867
        curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID=' .
868
            Util::getCookieVar('PHPSESSID') . '; CSRFProtection=' .
869
            $csrf->getTokenValue() . ';');
870
871
        // Must close PHP session file so GridShib-CA can read it.
872
        session_write_close();
873
        $output = curl_exec($ch);
874
        if (curl_errno($ch)) { // Send alert on curl errors
875
            Util::sendErrorAlert(
876
                'cUrl Error',
877
                'cUrl Error    = ' . curl_error($ch) . "\n" .
878
                "URL Accessed  = $url"
879
            );
880
        }
881
        if (!empty($output)) {
882
            $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
883
            if ($httpcode == 200) {
884
                if (preg_match(
885
                    '/AuthenticationToken = ([^<]+)/',
886
                    $output,
887
                    $match
888
                )) {
889
                    $tokenvalue = $match[1];
890
                }
891
            }
892
        }
893
        curl_close($ch);
894
895
        // If we got a valid AuthenticationToken, store it in the session.
896
        Util::startPHPSession();
897
        if (strlen($tokenvalue) > 0) {
898
            $tokenlifetime = preg_replace(
899
                '/^\s*=\s*/',
900
                '',
901
                $gridshibconf['root']['Session']['CredentialRetrieverClientLifetime']
902
            );
903
            if ((strlen($tokenlifetime) == 0) || ($tokenlifetime == 0)) {
904
                $tokenlifetime = 300;
905
            }
906
            $activation = (time()+$tokenlifetime) . " " . $tokenvalue;
907
            Util::setSessionVar('activation', $activation);
908
            $log = new Loggit();
909
            $log->info('Generated New Activation Code="'.$tokenvalue.'"');
910
        }
911
    }
912
}
913
914
/**
915
 * validateP12
916
 *
917
 * This function is called just before the 'Download your certificate'
918
 * link is printed out to HTML. It checks to see if the p12 is still
919
 * valid time-wise. If not, then it unsets the PHP session variable
920
 * 'p12'.
921
 */
922
function validateP12()
923
{
924
    $p12link = '';
925
    $p12expire = '';
926
    $p12 = Util::getSessionVar('p12');
927
    if (preg_match('/([^\s]*)\s(.*)/', $p12, $match)) {
928
        $p12expire = $match[1];
929
        $p12link = $match[2];
930
    }
931
932
    // Verify that the p12expire and p12link values are valid.
933
    if ((strlen($p12expire) == 0) ||
934
        ($p12expire == 0) ||
935
        (time() > $p12expire) ||
936
        (strlen($p12link) == 0)) {
937
        Util::unsetSessionVar('p12');
938
    }
939
}
940
941
/**
942
 * validateActivationCode
943
 *
944
 * This function is called just before the certificate token is printed
945
 * out to HTML.  It checks to see if the activation token value is
946
 * expired. If so, it unsets the PHP session variable 'activation'.
947
 */
948
function validateActivationCode()
949
{
950
    $tokenvalue = '';
0 ignored issues
show
Unused Code introduced by
$tokenvalue is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
951
    $tokenexpire = '';
952
    $activation = Util::getSessionVar('activation');
953
    if (preg_match('/([^\s]*)\s(.*)/', $activation, $match)) {
954
        $tokenexpire = $match[1];
955
        $tokenvalue = $match[2];
0 ignored issues
show
Unused Code introduced by
$tokenvalue is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
956
    }
957
958
    // If there is a tokenexpire value, check against current time.
959
    if ((strlen($tokenexpire) == 0) ||
960
        ($tokenexpire == 0) ||
961
        (time() > $tokenexpire)) {
962
        Util::unsetSessionVar('activation');
963
    }
964
}
965
966
// Util::$timeit->printTime('MAIN Program END...  ');
967