enwikipedia-acc /
waca
@@ -32,7 +32,7 @@ |
||
| 32 | 32 | { |
| 33 | 33 | parent::__construct($database, $configuration, 'u2f'); |
| 34 | 34 | |
| 35 | - $appId = 'https://' . WebRequest::httpHost(); |
|
| 35 | + $appId = 'https://'.WebRequest::httpHost(); |
|
| 36 | 36 | $this->u2f = new U2F($appId); |
| 37 | 37 | } |
| 38 | 38 | |
@@ -9,14 +9,14 @@ |
||
| 9 | 9 | namespace Waca\Security\CredentialProviders; |
| 10 | 10 | |
| 11 | 11 | use DateTimeImmutable; |
| 12 | -use u2flib_server\Error; |
|
| 13 | -use u2flib_server\U2F; |
|
| 14 | 12 | use Waca\DataObjects\User; |
| 15 | 13 | use Waca\Exceptions\ApplicationLogicException; |
| 16 | 14 | use Waca\Exceptions\OptimisticLockFailedException; |
| 17 | 15 | use Waca\PdoDatabase; |
| 18 | 16 | use Waca\SiteConfiguration; |
| 19 | 17 | use Waca\WebRequest; |
| 18 | +use u2flib_server\Error; |
|
| 19 | +use u2flib_server\U2F; |
|
| 20 | 20 | |
| 21 | 21 | class U2FCredentialProvider extends CredentialProviderBase |
| 22 | 22 | { |
@@ -20,131 +20,131 @@ |
||
| 20 | 20 | |
| 21 | 21 | class U2FCredentialProvider extends CredentialProviderBase |
| 22 | 22 | { |
| 23 | - /** @var U2F */ |
|
| 24 | - private $u2f; |
|
| 25 | - |
|
| 26 | - /** |
|
| 27 | - * U2FCredentialProvider constructor. |
|
| 28 | - * |
|
| 29 | - * @param PdoDatabase $database |
|
| 30 | - * @param SiteConfiguration $configuration |
|
| 31 | - */ |
|
| 32 | - public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 33 | - { |
|
| 34 | - parent::__construct($database, $configuration, 'u2f'); |
|
| 35 | - |
|
| 36 | - $appId = 'https://' . WebRequest::httpHost(); |
|
| 37 | - $this->u2f = new U2F($appId); |
|
| 38 | - } |
|
| 39 | - |
|
| 40 | - /** |
|
| 41 | - * Validates a user-provided credential |
|
| 42 | - * |
|
| 43 | - * @param User $user The user to test the authentication against |
|
| 44 | - * @param string $data The raw credential data to be validated |
|
| 45 | - * |
|
| 46 | - * @return bool |
|
| 47 | - * @throws OptimisticLockFailedException |
|
| 48 | - */ |
|
| 49 | - public function authenticate(User $user, $data) |
|
| 50 | - { |
|
| 51 | - if (!is_array($data)) { |
|
| 52 | - return false; |
|
| 53 | - } |
|
| 54 | - |
|
| 55 | - list($authenticate, $request, $isU2F) = $data; |
|
| 56 | - |
|
| 57 | - if ($isU2F !== 'u2f') { |
|
| 58 | - return false; |
|
| 59 | - } |
|
| 60 | - |
|
| 61 | - $storedData = $this->getCredentialData($user->getId(), false); |
|
| 62 | - $registrations = json_decode($storedData->getData()); |
|
| 63 | - |
|
| 64 | - try { |
|
| 65 | - $updatedRegistration = $this->u2f->doAuthenticate($request, array($registrations), $authenticate); |
|
| 66 | - $storedData->setData(json_encode($updatedRegistration)); |
|
| 67 | - $storedData->save(); |
|
| 68 | - } |
|
| 69 | - catch (Error $ex) { |
|
| 70 | - return false; |
|
| 71 | - } |
|
| 72 | - |
|
| 73 | - return true; |
|
| 74 | - } |
|
| 75 | - |
|
| 76 | - public function enable(User $user, $request, $u2fData) |
|
| 77 | - { |
|
| 78 | - $registrationData = $this->u2f->doRegister($request, $u2fData); |
|
| 79 | - |
|
| 80 | - $storedData = $this->getCredentialData($user->getId(), true); |
|
| 81 | - |
|
| 82 | - if ($storedData === null) { |
|
| 83 | - throw new ApplicationLogicException('Credential data not found'); |
|
| 84 | - } |
|
| 85 | - |
|
| 86 | - if ($storedData->getTimeout() > new DateTimeImmutable()) { |
|
| 87 | - $storedData->setData(json_encode($registrationData)); |
|
| 88 | - $storedData->setDisabled(0); |
|
| 89 | - $storedData->setTimeout(null); |
|
| 90 | - $storedData->save(); |
|
| 91 | - } |
|
| 92 | - } |
|
| 93 | - |
|
| 94 | - /** |
|
| 95 | - * @param User $user The user the credential belongs to |
|
| 96 | - * @param int $factor The factor this credential provides |
|
| 97 | - * @param string $data Unused here, due to multi-stage enrollment |
|
| 98 | - */ |
|
| 99 | - public function setCredential(User $user, $factor, $data) |
|
| 100 | - { |
|
| 101 | - $storedData = $this->getCredentialData($user->getId(), null); |
|
| 102 | - |
|
| 103 | - if ($storedData !== null) { |
|
| 104 | - $storedData->delete(); |
|
| 105 | - } |
|
| 106 | - |
|
| 107 | - $storedData = $this->createNewCredential($user); |
|
| 108 | - |
|
| 109 | - $storedData->setData(null); |
|
| 110 | - $storedData->setFactor($factor); |
|
| 111 | - $storedData->setTimeout(new DateTimeImmutable('+ 1 hour')); |
|
| 112 | - $storedData->setDisabled(1); |
|
| 113 | - $storedData->setPriority(4); |
|
| 114 | - $storedData->setVersion(1); |
|
| 115 | - |
|
| 116 | - $storedData->save(); |
|
| 117 | - } |
|
| 118 | - |
|
| 119 | - public function isPartiallyEnrolled(User $user) |
|
| 120 | - { |
|
| 121 | - $storedData = $this->getCredentialData($user->getId(), true); |
|
| 122 | - |
|
| 123 | - if ($storedData->getTimeout() < new DateTimeImmutable()) { |
|
| 124 | - $storedData->delete(); |
|
| 125 | - |
|
| 126 | - return false; |
|
| 127 | - } |
|
| 128 | - |
|
| 129 | - if ($storedData === null) { |
|
| 130 | - return false; |
|
| 131 | - } |
|
| 132 | - |
|
| 133 | - return true; |
|
| 134 | - } |
|
| 135 | - |
|
| 136 | - public function getRegistrationData() |
|
| 137 | - { |
|
| 138 | - return $this->u2f->getRegisterData(); |
|
| 139 | - } |
|
| 140 | - |
|
| 141 | - public function getAuthenticationData(User $user) |
|
| 142 | - { |
|
| 143 | - $storedData = $this->getCredentialData($user->getId(), false); |
|
| 144 | - $registrations = json_decode($storedData->getData()); |
|
| 145 | - |
|
| 146 | - $authenticateData = $this->u2f->getAuthenticateData(array($registrations)); |
|
| 147 | - |
|
| 148 | - return $authenticateData; |
|
| 149 | - } |
|
| 23 | + /** @var U2F */ |
|
| 24 | + private $u2f; |
|
| 25 | + |
|
| 26 | + /** |
|
| 27 | + * U2FCredentialProvider constructor. |
|
| 28 | + * |
|
| 29 | + * @param PdoDatabase $database |
|
| 30 | + * @param SiteConfiguration $configuration |
|
| 31 | + */ |
|
| 32 | + public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 33 | + { |
|
| 34 | + parent::__construct($database, $configuration, 'u2f'); |
|
| 35 | + |
|
| 36 | + $appId = 'https://' . WebRequest::httpHost(); |
|
| 37 | + $this->u2f = new U2F($appId); |
|
| 38 | + } |
|
| 39 | + |
|
| 40 | + /** |
|
| 41 | + * Validates a user-provided credential |
|
| 42 | + * |
|
| 43 | + * @param User $user The user to test the authentication against |
|
| 44 | + * @param string $data The raw credential data to be validated |
|
| 45 | + * |
|
| 46 | + * @return bool |
|
| 47 | + * @throws OptimisticLockFailedException |
|
| 48 | + */ |
|
| 49 | + public function authenticate(User $user, $data) |
|
| 50 | + { |
|
| 51 | + if (!is_array($data)) { |
|
| 52 | + return false; |
|
| 53 | + } |
|
| 54 | + |
|
| 55 | + list($authenticate, $request, $isU2F) = $data; |
|
| 56 | + |
|
| 57 | + if ($isU2F !== 'u2f') { |
|
| 58 | + return false; |
|
| 59 | + } |
|
| 60 | + |
|
| 61 | + $storedData = $this->getCredentialData($user->getId(), false); |
|
| 62 | + $registrations = json_decode($storedData->getData()); |
|
| 63 | + |
|
| 64 | + try { |
|
| 65 | + $updatedRegistration = $this->u2f->doAuthenticate($request, array($registrations), $authenticate); |
|
| 66 | + $storedData->setData(json_encode($updatedRegistration)); |
|
| 67 | + $storedData->save(); |
|
| 68 | + } |
|
| 69 | + catch (Error $ex) { |
|
| 70 | + return false; |
|
| 71 | + } |
|
| 72 | + |
|
| 73 | + return true; |
|
| 74 | + } |
|
| 75 | + |
|
| 76 | + public function enable(User $user, $request, $u2fData) |
|
| 77 | + { |
|
| 78 | + $registrationData = $this->u2f->doRegister($request, $u2fData); |
|
| 79 | + |
|
| 80 | + $storedData = $this->getCredentialData($user->getId(), true); |
|
| 81 | + |
|
| 82 | + if ($storedData === null) { |
|
| 83 | + throw new ApplicationLogicException('Credential data not found'); |
|
| 84 | + } |
|
| 85 | + |
|
| 86 | + if ($storedData->getTimeout() > new DateTimeImmutable()) { |
|
| 87 | + $storedData->setData(json_encode($registrationData)); |
|
| 88 | + $storedData->setDisabled(0); |
|
| 89 | + $storedData->setTimeout(null); |
|
| 90 | + $storedData->save(); |
|
| 91 | + } |
|
| 92 | + } |
|
| 93 | + |
|
| 94 | + /** |
|
| 95 | + * @param User $user The user the credential belongs to |
|
| 96 | + * @param int $factor The factor this credential provides |
|
| 97 | + * @param string $data Unused here, due to multi-stage enrollment |
|
| 98 | + */ |
|
| 99 | + public function setCredential(User $user, $factor, $data) |
|
| 100 | + { |
|
| 101 | + $storedData = $this->getCredentialData($user->getId(), null); |
|
| 102 | + |
|
| 103 | + if ($storedData !== null) { |
|
| 104 | + $storedData->delete(); |
|
| 105 | + } |
|
| 106 | + |
|
| 107 | + $storedData = $this->createNewCredential($user); |
|
| 108 | + |
|
| 109 | + $storedData->setData(null); |
|
| 110 | + $storedData->setFactor($factor); |
|
| 111 | + $storedData->setTimeout(new DateTimeImmutable('+ 1 hour')); |
|
| 112 | + $storedData->setDisabled(1); |
|
| 113 | + $storedData->setPriority(4); |
|
| 114 | + $storedData->setVersion(1); |
|
| 115 | + |
|
| 116 | + $storedData->save(); |
|
| 117 | + } |
|
| 118 | + |
|
| 119 | + public function isPartiallyEnrolled(User $user) |
|
| 120 | + { |
|
| 121 | + $storedData = $this->getCredentialData($user->getId(), true); |
|
| 122 | + |
|
| 123 | + if ($storedData->getTimeout() < new DateTimeImmutable()) { |
|
| 124 | + $storedData->delete(); |
|
| 125 | + |
|
| 126 | + return false; |
|
| 127 | + } |
|
| 128 | + |
|
| 129 | + if ($storedData === null) { |
|
| 130 | + return false; |
|
| 131 | + } |
|
| 132 | + |
|
| 133 | + return true; |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + public function getRegistrationData() |
|
| 137 | + { |
|
| 138 | + return $this->u2f->getRegisterData(); |
|
| 139 | + } |
|
| 140 | + |
|
| 141 | + public function getAuthenticationData(User $user) |
|
| 142 | + { |
|
| 143 | + $storedData = $this->getCredentialData($user->getId(), false); |
|
| 144 | + $registrations = json_decode($storedData->getData()); |
|
| 145 | + |
|
| 146 | + $authenticateData = $this->u2f->getAuthenticateData(array($registrations)); |
|
| 147 | + |
|
| 148 | + return $authenticateData; |
|
| 149 | + } |
|
| 150 | 150 | } |
@@ -15,137 +15,137 @@ |
||
| 15 | 15 | |
| 16 | 16 | abstract class CredentialProviderBase implements ICredentialProvider |
| 17 | 17 | { |
| 18 | - /** |
|
| 19 | - * @var PdoDatabase |
|
| 20 | - */ |
|
| 21 | - private $database; |
|
| 22 | - /** |
|
| 23 | - * @var SiteConfiguration |
|
| 24 | - */ |
|
| 25 | - private $configuration; |
|
| 26 | - /** @var string */ |
|
| 27 | - private $type; |
|
| 28 | - |
|
| 29 | - /** |
|
| 30 | - * CredentialProviderBase constructor. |
|
| 31 | - * |
|
| 32 | - * @param PdoDatabase $database |
|
| 33 | - * @param SiteConfiguration $configuration |
|
| 34 | - * @param string $type |
|
| 35 | - */ |
|
| 36 | - public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type) |
|
| 37 | - { |
|
| 38 | - $this->database = $database; |
|
| 39 | - $this->configuration = $configuration; |
|
| 40 | - $this->type = $type; |
|
| 41 | - } |
|
| 42 | - |
|
| 43 | - /** |
|
| 44 | - * @param int $userId |
|
| 45 | - * |
|
| 46 | - * @param bool $disabled |
|
| 47 | - * |
|
| 48 | - * @return Credential |
|
| 49 | - */ |
|
| 50 | - protected function getCredentialData($userId, $disabled = false) |
|
| 51 | - { |
|
| 52 | - $sql = 'SELECT * FROM credential WHERE type = :t AND user = :u'; |
|
| 53 | - $parameters = array( |
|
| 54 | - ':u' => $userId, |
|
| 55 | - ':t' => $this->type |
|
| 56 | - ); |
|
| 57 | - |
|
| 58 | - if($disabled !== null) { |
|
| 59 | - $sql .= ' AND disabled = :d'; |
|
| 60 | - $parameters[':d'] = $disabled ? 1 : 0; |
|
| 61 | - } |
|
| 62 | - |
|
| 63 | - $statement = $this->database->prepare($sql); |
|
| 64 | - $statement->execute($parameters); |
|
| 65 | - |
|
| 66 | - /** @var Credential $obj */ |
|
| 67 | - $obj = $statement->fetchObject(Credential::class); |
|
| 68 | - |
|
| 69 | - if ($obj === false) { |
|
| 70 | - return null; |
|
| 71 | - } |
|
| 72 | - |
|
| 73 | - $obj->setDatabase($this->database); |
|
| 74 | - |
|
| 75 | - $statement->closeCursor(); |
|
| 76 | - |
|
| 77 | - return $obj; |
|
| 78 | - } |
|
| 79 | - |
|
| 80 | - /** |
|
| 81 | - * @return PdoDatabase |
|
| 82 | - */ |
|
| 83 | - public function getDatabase() |
|
| 84 | - { |
|
| 85 | - return $this->database; |
|
| 86 | - } |
|
| 87 | - |
|
| 88 | - /** |
|
| 89 | - * @return SiteConfiguration |
|
| 90 | - */ |
|
| 91 | - public function getConfiguration() |
|
| 92 | - { |
|
| 93 | - return $this->configuration; |
|
| 94 | - } |
|
| 95 | - |
|
| 96 | - public function deleteCredential(User $user) { |
|
| 97 | - // get this factor |
|
| 98 | - $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type'); |
|
| 99 | - $statement->execute(array(':user' => $user->getId(), ':type' => $this->type)); |
|
| 100 | - /** @var Credential $credential */ |
|
| 101 | - $credential = $statement->fetchObject(Credential::class); |
|
| 102 | - $credential->setDatabase($this->database); |
|
| 103 | - $statement->closeCursor(); |
|
| 104 | - |
|
| 105 | - $stage = $credential->getFactor(); |
|
| 106 | - |
|
| 107 | - $statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor'); |
|
| 108 | - $statement->execute(array(':user' => $user->getId(), ':factor' => $stage)); |
|
| 109 | - $alternates = $statement->fetchColumn(); |
|
| 110 | - $statement->closeCursor(); |
|
| 111 | - |
|
| 112 | - if($alternates <= 1) { |
|
| 113 | - // decrement the factor for every stage above this |
|
| 114 | - $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor'; |
|
| 115 | - $statement = $this->database->prepare($sql); |
|
| 116 | - $statement->execute(array(':user' => $user->getId(), ':factor' => $stage)); |
|
| 117 | - } |
|
| 118 | - else { |
|
| 119 | - // There are other auth factors at this point. Don't renumber the factors just yet. |
|
| 120 | - } |
|
| 121 | - |
|
| 122 | - // delete this credential. |
|
| 123 | - $credential->delete(); |
|
| 124 | - } |
|
| 125 | - |
|
| 126 | - /** |
|
| 127 | - * @param User $user |
|
| 128 | - * |
|
| 129 | - * @return Credential |
|
| 130 | - */ |
|
| 131 | - protected function createNewCredential(User $user) |
|
| 132 | - { |
|
| 133 | - $credential = new Credential(); |
|
| 134 | - $credential->setDatabase($this->getDatabase()); |
|
| 135 | - $credential->setUserId($user->getId()); |
|
| 136 | - $credential->setType($this->type); |
|
| 137 | - |
|
| 138 | - return $credential; |
|
| 139 | - } |
|
| 140 | - |
|
| 141 | - /** |
|
| 142 | - * @param int $userId |
|
| 143 | - * |
|
| 144 | - * @return bool |
|
| 145 | - */ |
|
| 146 | - public function userIsEnrolled($userId) { |
|
| 147 | - $cred = $this->getCredentialData($userId); |
|
| 148 | - |
|
| 149 | - return $cred !== null; |
|
| 150 | - } |
|
| 18 | + /** |
|
| 19 | + * @var PdoDatabase |
|
| 20 | + */ |
|
| 21 | + private $database; |
|
| 22 | + /** |
|
| 23 | + * @var SiteConfiguration |
|
| 24 | + */ |
|
| 25 | + private $configuration; |
|
| 26 | + /** @var string */ |
|
| 27 | + private $type; |
|
| 28 | + |
|
| 29 | + /** |
|
| 30 | + * CredentialProviderBase constructor. |
|
| 31 | + * |
|
| 32 | + * @param PdoDatabase $database |
|
| 33 | + * @param SiteConfiguration $configuration |
|
| 34 | + * @param string $type |
|
| 35 | + */ |
|
| 36 | + public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type) |
|
| 37 | + { |
|
| 38 | + $this->database = $database; |
|
| 39 | + $this->configuration = $configuration; |
|
| 40 | + $this->type = $type; |
|
| 41 | + } |
|
| 42 | + |
|
| 43 | + /** |
|
| 44 | + * @param int $userId |
|
| 45 | + * |
|
| 46 | + * @param bool $disabled |
|
| 47 | + * |
|
| 48 | + * @return Credential |
|
| 49 | + */ |
|
| 50 | + protected function getCredentialData($userId, $disabled = false) |
|
| 51 | + { |
|
| 52 | + $sql = 'SELECT * FROM credential WHERE type = :t AND user = :u'; |
|
| 53 | + $parameters = array( |
|
| 54 | + ':u' => $userId, |
|
| 55 | + ':t' => $this->type |
|
| 56 | + ); |
|
| 57 | + |
|
| 58 | + if($disabled !== null) { |
|
| 59 | + $sql .= ' AND disabled = :d'; |
|
| 60 | + $parameters[':d'] = $disabled ? 1 : 0; |
|
| 61 | + } |
|
| 62 | + |
|
| 63 | + $statement = $this->database->prepare($sql); |
|
| 64 | + $statement->execute($parameters); |
|
| 65 | + |
|
| 66 | + /** @var Credential $obj */ |
|
| 67 | + $obj = $statement->fetchObject(Credential::class); |
|
| 68 | + |
|
| 69 | + if ($obj === false) { |
|
| 70 | + return null; |
|
| 71 | + } |
|
| 72 | + |
|
| 73 | + $obj->setDatabase($this->database); |
|
| 74 | + |
|
| 75 | + $statement->closeCursor(); |
|
| 76 | + |
|
| 77 | + return $obj; |
|
| 78 | + } |
|
| 79 | + |
|
| 80 | + /** |
|
| 81 | + * @return PdoDatabase |
|
| 82 | + */ |
|
| 83 | + public function getDatabase() |
|
| 84 | + { |
|
| 85 | + return $this->database; |
|
| 86 | + } |
|
| 87 | + |
|
| 88 | + /** |
|
| 89 | + * @return SiteConfiguration |
|
| 90 | + */ |
|
| 91 | + public function getConfiguration() |
|
| 92 | + { |
|
| 93 | + return $this->configuration; |
|
| 94 | + } |
|
| 95 | + |
|
| 96 | + public function deleteCredential(User $user) { |
|
| 97 | + // get this factor |
|
| 98 | + $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type'); |
|
| 99 | + $statement->execute(array(':user' => $user->getId(), ':type' => $this->type)); |
|
| 100 | + /** @var Credential $credential */ |
|
| 101 | + $credential = $statement->fetchObject(Credential::class); |
|
| 102 | + $credential->setDatabase($this->database); |
|
| 103 | + $statement->closeCursor(); |
|
| 104 | + |
|
| 105 | + $stage = $credential->getFactor(); |
|
| 106 | + |
|
| 107 | + $statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor'); |
|
| 108 | + $statement->execute(array(':user' => $user->getId(), ':factor' => $stage)); |
|
| 109 | + $alternates = $statement->fetchColumn(); |
|
| 110 | + $statement->closeCursor(); |
|
| 111 | + |
|
| 112 | + if($alternates <= 1) { |
|
| 113 | + // decrement the factor for every stage above this |
|
| 114 | + $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor'; |
|
| 115 | + $statement = $this->database->prepare($sql); |
|
| 116 | + $statement->execute(array(':user' => $user->getId(), ':factor' => $stage)); |
|
| 117 | + } |
|
| 118 | + else { |
|
| 119 | + // There are other auth factors at this point. Don't renumber the factors just yet. |
|
| 120 | + } |
|
| 121 | + |
|
| 122 | + // delete this credential. |
|
| 123 | + $credential->delete(); |
|
| 124 | + } |
|
| 125 | + |
|
| 126 | + /** |
|
| 127 | + * @param User $user |
|
| 128 | + * |
|
| 129 | + * @return Credential |
|
| 130 | + */ |
|
| 131 | + protected function createNewCredential(User $user) |
|
| 132 | + { |
|
| 133 | + $credential = new Credential(); |
|
| 134 | + $credential->setDatabase($this->getDatabase()); |
|
| 135 | + $credential->setUserId($user->getId()); |
|
| 136 | + $credential->setType($this->type); |
|
| 137 | + |
|
| 138 | + return $credential; |
|
| 139 | + } |
|
| 140 | + |
|
| 141 | + /** |
|
| 142 | + * @param int $userId |
|
| 143 | + * |
|
| 144 | + * @return bool |
|
| 145 | + */ |
|
| 146 | + public function userIsEnrolled($userId) { |
|
| 147 | + $cred = $this->getCredentialData($userId); |
|
| 148 | + |
|
| 149 | + return $cred !== null; |
|
| 150 | + } |
|
| 151 | 151 | } |
| 152 | 152 | \ No newline at end of file |
@@ -55,7 +55,7 @@ discard block |
||
| 55 | 55 | ':t' => $this->type |
| 56 | 56 | ); |
| 57 | 57 | |
| 58 | - if($disabled !== null) { |
|
| 58 | + if ($disabled !== null) { |
|
| 59 | 59 | $sql .= ' AND disabled = :d'; |
| 60 | 60 | $parameters[':d'] = $disabled ? 1 : 0; |
| 61 | 61 | } |
@@ -109,7 +109,7 @@ discard block |
||
| 109 | 109 | $alternates = $statement->fetchColumn(); |
| 110 | 110 | $statement->closeCursor(); |
| 111 | 111 | |
| 112 | - if($alternates <= 1) { |
|
| 112 | + if ($alternates <= 1) { |
|
| 113 | 113 | // decrement the factor for every stage above this |
| 114 | 114 | $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor'; |
| 115 | 115 | $statement = $this->database->prepare($sql); |
@@ -93,7 +93,8 @@ discard block |
||
| 93 | 93 | return $this->configuration; |
| 94 | 94 | } |
| 95 | 95 | |
| 96 | - public function deleteCredential(User $user) { |
|
| 96 | + public function deleteCredential(User $user) |
|
| 97 | + { |
|
| 97 | 98 | // get this factor |
| 98 | 99 | $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type'); |
| 99 | 100 | $statement->execute(array(':user' => $user->getId(), ':type' => $this->type)); |
@@ -143,7 +144,8 @@ discard block |
||
| 143 | 144 | * |
| 144 | 145 | * @return bool |
| 145 | 146 | */ |
| 146 | - public function userIsEnrolled($userId) { |
|
| 147 | + public function userIsEnrolled($userId) |
|
| 148 | + { |
|
| 147 | 149 | $cred = $this->getCredentialData($userId); |
| 148 | 150 | |
| 149 | 151 | return $cred !== null; |
@@ -12,48 +12,48 @@ |
||
| 12 | 12 | |
| 13 | 13 | class EncryptionHelper |
| 14 | 14 | { |
| 15 | - /** |
|
| 16 | - * @var SiteConfiguration |
|
| 17 | - */ |
|
| 18 | - private $configuration; |
|
| 19 | - |
|
| 20 | - /** |
|
| 21 | - * EncryptionHelper constructor. |
|
| 22 | - * |
|
| 23 | - * @param SiteConfiguration $configuration |
|
| 24 | - */ |
|
| 25 | - public function __construct(SiteConfiguration $configuration) |
|
| 26 | - { |
|
| 27 | - $this->configuration = $configuration; |
|
| 28 | - } |
|
| 29 | - |
|
| 30 | - public function encryptData($secret) |
|
| 31 | - { |
|
| 32 | - $iv = openssl_random_pseudo_bytes(16); |
|
| 33 | - $password = $this->getEncryptionKey(); |
|
| 34 | - $encryptedKey = openssl_encrypt($secret, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 35 | - |
|
| 36 | - $data = base64_encode($iv) . '|' . base64_encode($encryptedKey); |
|
| 37 | - |
|
| 38 | - return $data; |
|
| 39 | - } |
|
| 40 | - |
|
| 41 | - public function decryptData($data) |
|
| 42 | - { |
|
| 43 | - list($iv, $encryptedKey) = array_map('base64_decode', explode('|', $data)); |
|
| 44 | - |
|
| 45 | - $password = $this->getEncryptionKey(); |
|
| 46 | - |
|
| 47 | - $secret = openssl_decrypt($encryptedKey, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 48 | - |
|
| 49 | - return $secret; |
|
| 50 | - } |
|
| 51 | - |
|
| 52 | - /** |
|
| 53 | - * @return string |
|
| 54 | - */ |
|
| 55 | - private function getEncryptionKey() |
|
| 56 | - { |
|
| 57 | - return openssl_digest($this->configuration->getTotpEncryptionKey(), 'sha256'); |
|
| 58 | - } |
|
| 15 | + /** |
|
| 16 | + * @var SiteConfiguration |
|
| 17 | + */ |
|
| 18 | + private $configuration; |
|
| 19 | + |
|
| 20 | + /** |
|
| 21 | + * EncryptionHelper constructor. |
|
| 22 | + * |
|
| 23 | + * @param SiteConfiguration $configuration |
|
| 24 | + */ |
|
| 25 | + public function __construct(SiteConfiguration $configuration) |
|
| 26 | + { |
|
| 27 | + $this->configuration = $configuration; |
|
| 28 | + } |
|
| 29 | + |
|
| 30 | + public function encryptData($secret) |
|
| 31 | + { |
|
| 32 | + $iv = openssl_random_pseudo_bytes(16); |
|
| 33 | + $password = $this->getEncryptionKey(); |
|
| 34 | + $encryptedKey = openssl_encrypt($secret, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 35 | + |
|
| 36 | + $data = base64_encode($iv) . '|' . base64_encode($encryptedKey); |
|
| 37 | + |
|
| 38 | + return $data; |
|
| 39 | + } |
|
| 40 | + |
|
| 41 | + public function decryptData($data) |
|
| 42 | + { |
|
| 43 | + list($iv, $encryptedKey) = array_map('base64_decode', explode('|', $data)); |
|
| 44 | + |
|
| 45 | + $password = $this->getEncryptionKey(); |
|
| 46 | + |
|
| 47 | + $secret = openssl_decrypt($encryptedKey, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 48 | + |
|
| 49 | + return $secret; |
|
| 50 | + } |
|
| 51 | + |
|
| 52 | + /** |
|
| 53 | + * @return string |
|
| 54 | + */ |
|
| 55 | + private function getEncryptionKey() |
|
| 56 | + { |
|
| 57 | + return openssl_digest($this->configuration->getTotpEncryptionKey(), 'sha256'); |
|
| 58 | + } |
|
| 59 | 59 | } |
| 60 | 60 | \ No newline at end of file |
@@ -33,7 +33,7 @@ |
||
| 33 | 33 | $password = $this->getEncryptionKey(); |
| 34 | 34 | $encryptedKey = openssl_encrypt($secret, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
| 35 | 35 | |
| 36 | - $data = base64_encode($iv) . '|' . base64_encode($encryptedKey); |
|
| 36 | + $data = base64_encode($iv).'|'.base64_encode($encryptedKey); |
|
| 37 | 37 | |
| 38 | 38 | return $data; |
| 39 | 39 | } |
@@ -22,67 +22,67 @@ |
||
| 22 | 22 | |
| 23 | 23 | class AuthenticationManager |
| 24 | 24 | { |
| 25 | - const AUTH_OK = 1; |
|
| 26 | - const AUTH_FAIL = 2; |
|
| 27 | - const AUTH_REQUIRE_NEXT_STAGE = 3; |
|
| 28 | - private $typeMap = array(); |
|
| 29 | - /** |
|
| 30 | - * @var PdoDatabase |
|
| 31 | - */ |
|
| 32 | - private $database; |
|
| 25 | + const AUTH_OK = 1; |
|
| 26 | + const AUTH_FAIL = 2; |
|
| 27 | + const AUTH_REQUIRE_NEXT_STAGE = 3; |
|
| 28 | + private $typeMap = array(); |
|
| 29 | + /** |
|
| 30 | + * @var PdoDatabase |
|
| 31 | + */ |
|
| 32 | + private $database; |
|
| 33 | 33 | |
| 34 | - /** |
|
| 35 | - * AuthenticationManager constructor. |
|
| 36 | - * |
|
| 37 | - * @param PdoDatabase $database |
|
| 38 | - * @param SiteConfiguration $siteConfiguration |
|
| 39 | - * @param HttpHelper $httpHelper |
|
| 40 | - */ |
|
| 41 | - public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper) |
|
| 42 | - { |
|
| 43 | - // setup providers |
|
| 44 | - // note on type map: this *must* be the value in the database, as this is what it maps. |
|
| 45 | - $this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration); |
|
| 46 | - $this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper); |
|
| 47 | - $this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration); |
|
| 48 | - $this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration); |
|
| 49 | - $this->typeMap['u2f'] = new U2FCredentialProvider($database, $siteConfiguration); |
|
| 50 | - $this->database = $database; |
|
| 51 | - } |
|
| 34 | + /** |
|
| 35 | + * AuthenticationManager constructor. |
|
| 36 | + * |
|
| 37 | + * @param PdoDatabase $database |
|
| 38 | + * @param SiteConfiguration $siteConfiguration |
|
| 39 | + * @param HttpHelper $httpHelper |
|
| 40 | + */ |
|
| 41 | + public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper) |
|
| 42 | + { |
|
| 43 | + // setup providers |
|
| 44 | + // note on type map: this *must* be the value in the database, as this is what it maps. |
|
| 45 | + $this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration); |
|
| 46 | + $this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper); |
|
| 47 | + $this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration); |
|
| 48 | + $this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration); |
|
| 49 | + $this->typeMap['u2f'] = new U2FCredentialProvider($database, $siteConfiguration); |
|
| 50 | + $this->database = $database; |
|
| 51 | + } |
|
| 52 | 52 | |
| 53 | - public function authenticate(User $user, $data, $stage) |
|
| 54 | - { |
|
| 55 | - $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC'; |
|
| 56 | - $statement = $this->database->prepare($sql); |
|
| 57 | - $statement->execute(array(':user' => $user->getId(), ':stage' => $stage)); |
|
| 58 | - $options = $statement->fetchAll(PDO::FETCH_COLUMN); |
|
| 53 | + public function authenticate(User $user, $data, $stage) |
|
| 54 | + { |
|
| 55 | + $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC'; |
|
| 56 | + $statement = $this->database->prepare($sql); |
|
| 57 | + $statement->execute(array(':user' => $user->getId(), ':stage' => $stage)); |
|
| 58 | + $options = $statement->fetchAll(PDO::FETCH_COLUMN); |
|
| 59 | 59 | |
| 60 | - $sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch'; |
|
| 61 | - $statement = $this->database->prepare($sql); |
|
| 62 | - $statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch')); |
|
| 63 | - $requiredFactors = $statement->fetchColumn(); |
|
| 60 | + $sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch'; |
|
| 61 | + $statement = $this->database->prepare($sql); |
|
| 62 | + $statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch')); |
|
| 63 | + $requiredFactors = $statement->fetchColumn(); |
|
| 64 | 64 | |
| 65 | - // prep the correct OK response based on how many factors are ahead of this one |
|
| 66 | - $success = self::AUTH_OK; |
|
| 67 | - if ($requiredFactors > 0) { |
|
| 68 | - $success = self::AUTH_REQUIRE_NEXT_STAGE; |
|
| 69 | - } |
|
| 65 | + // prep the correct OK response based on how many factors are ahead of this one |
|
| 66 | + $success = self::AUTH_OK; |
|
| 67 | + if ($requiredFactors > 0) { |
|
| 68 | + $success = self::AUTH_REQUIRE_NEXT_STAGE; |
|
| 69 | + } |
|
| 70 | 70 | |
| 71 | - foreach ($options as $type) { |
|
| 72 | - if (!isset($this->typeMap[$type])) { |
|
| 73 | - // does this type have a credentialProvider registered? |
|
| 74 | - continue; |
|
| 75 | - } |
|
| 71 | + foreach ($options as $type) { |
|
| 72 | + if (!isset($this->typeMap[$type])) { |
|
| 73 | + // does this type have a credentialProvider registered? |
|
| 74 | + continue; |
|
| 75 | + } |
|
| 76 | 76 | |
| 77 | - /** @var ICredentialProvider $credentialProvider */ |
|
| 78 | - $credentialProvider = $this->typeMap[$type]; |
|
| 79 | - if ($credentialProvider->authenticate($user, $data)) { |
|
| 80 | - return $success; |
|
| 81 | - } |
|
| 82 | - } |
|
| 77 | + /** @var ICredentialProvider $credentialProvider */ |
|
| 78 | + $credentialProvider = $this->typeMap[$type]; |
|
| 79 | + if ($credentialProvider->authenticate($user, $data)) { |
|
| 80 | + return $success; |
|
| 81 | + } |
|
| 82 | + } |
|
| 83 | 83 | |
| 84 | - // We've iterated over all the available providers for this stage. |
|
| 85 | - // They all hate you. |
|
| 86 | - return self::AUTH_FAIL; |
|
| 87 | - } |
|
| 84 | + // We've iterated over all the available providers for this stage. |
|
| 85 | + // They all hate you. |
|
| 86 | + return self::AUTH_FAIL; |
|
| 87 | + } |
|
| 88 | 88 | } |
| 89 | 89 | \ No newline at end of file |
@@ -14,9 +14,9 @@ |
||
| 14 | 14 | |
| 15 | 15 | function smarty_modifier_nlimplode($list, $conjunction = 'or') |
| 16 | 16 | { |
| 17 | - $last = array_pop($list); |
|
| 18 | - if ($list) { |
|
| 19 | - return implode(', ', $list) . ', ' . $conjunction . ' ' . $last; |
|
| 20 | - } |
|
| 21 | - return $last; |
|
| 17 | + $last = array_pop($list); |
|
| 18 | + if ($list) { |
|
| 19 | + return implode(', ', $list) . ', ' . $conjunction . ' ' . $last; |
|
| 20 | + } |
|
| 21 | + return $last; |
|
| 22 | 22 | } |
| 23 | 23 | \ No newline at end of file |
@@ -16,7 +16,7 @@ |
||
| 16 | 16 | { |
| 17 | 17 | $last = array_pop($list); |
| 18 | 18 | if ($list) { |
| 19 | - return implode(', ', $list) . ', ' . $conjunction . ' ' . $last; |
|
| 19 | + return implode(', ', $list).', '.$conjunction.' '.$last; |
|
| 20 | 20 | } |
| 21 | 21 | return $last; |
| 22 | 22 | } |
| 23 | 23 | \ No newline at end of file |
@@ -8,10 +8,10 @@ |
||
| 8 | 8 | |
| 9 | 9 | function smarty_modifier_demodhex($input) |
| 10 | 10 | { |
| 11 | - $hex = preg_replace( |
|
| 12 | - array('/c/', '/b/', '/d/', '/e/', '/f/', '/g/', '/h/', '/i/', '/j/', '/k/', '/l/', '/n/', '/r/', '/t/', '/u/', '/v/'), |
|
| 13 | - array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'), |
|
| 14 | - $input); |
|
| 11 | + $hex = preg_replace( |
|
| 12 | + array('/c/', '/b/', '/d/', '/e/', '/f/', '/g/', '/h/', '/i/', '/j/', '/k/', '/l/', '/n/', '/r/', '/t/', '/u/', '/v/'), |
|
| 13 | + array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'), |
|
| 14 | + $input); |
|
| 15 | 15 | |
| 16 | - return hexdec($hex); |
|
| 16 | + return hexdec($hex); |
|
| 17 | 17 | } |
| 18 | 18 | \ No newline at end of file |
@@ -18,134 +18,134 @@ |
||
| 18 | 18 | |
| 19 | 19 | class ScratchTokenCredentialProvider extends CredentialProviderBase |
| 20 | 20 | { |
| 21 | - /** @var EncryptionHelper */ |
|
| 22 | - private $encryptionHelper; |
|
| 23 | - /** @var array the tokens generated in the last generation round. */ |
|
| 24 | - private $generatedTokens; |
|
| 25 | - |
|
| 26 | - /** |
|
| 27 | - * ScratchTokenCredentialProvider constructor. |
|
| 28 | - * |
|
| 29 | - * @param PdoDatabase $database |
|
| 30 | - * @param SiteConfiguration $configuration |
|
| 31 | - */ |
|
| 32 | - public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 33 | - { |
|
| 34 | - parent::__construct($database, $configuration, 'scratch'); |
|
| 35 | - $this->encryptionHelper = new EncryptionHelper($configuration); |
|
| 36 | - } |
|
| 37 | - |
|
| 38 | - /** |
|
| 39 | - * Validates a user-provided credential |
|
| 40 | - * |
|
| 41 | - * @param User $user The user to test the authentication against |
|
| 42 | - * @param string $data The raw credential data to be validated |
|
| 43 | - * |
|
| 44 | - * @return bool |
|
| 45 | - * @throws ApplicationLogicException|OptimisticLockFailedException |
|
| 46 | - */ |
|
| 47 | - public function authenticate(User $user, $data) |
|
| 48 | - { |
|
| 49 | - if (is_array($data)) { |
|
| 50 | - return false; |
|
| 51 | - } |
|
| 52 | - |
|
| 53 | - $storedData = $this->getCredentialData($user->getId()); |
|
| 54 | - |
|
| 55 | - if ($storedData === null) { |
|
| 56 | - throw new ApplicationLogicException('Credential data not found'); |
|
| 57 | - } |
|
| 58 | - |
|
| 59 | - $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 60 | - |
|
| 61 | - $usedToken = null; |
|
| 62 | - foreach ($scratchTokens as $scratchToken) { |
|
| 63 | - if (password_verify($data, $scratchToken)){ |
|
| 64 | - $usedToken = $scratchToken; |
|
| 65 | - break; |
|
| 66 | - } |
|
| 67 | - } |
|
| 68 | - |
|
| 69 | - if($usedToken === null) { |
|
| 70 | - return false; |
|
| 71 | - } |
|
| 72 | - |
|
| 73 | - $scratchTokens = array_diff($scratchTokens, [$usedToken]); |
|
| 74 | - |
|
| 75 | - $storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens))); |
|
| 76 | - $storedData->save(); |
|
| 77 | - |
|
| 78 | - return true; |
|
| 79 | - } |
|
| 80 | - |
|
| 81 | - /** |
|
| 82 | - * @param User $user The user the credential belongs to |
|
| 83 | - * @param int $factor The factor this credential provides |
|
| 84 | - * @param string $data Unused. |
|
| 85 | - * |
|
| 86 | - * @throws OptimisticLockFailedException |
|
| 87 | - */ |
|
| 88 | - public function setCredential(User $user, $factor, $data) |
|
| 89 | - { |
|
| 90 | - $plaintextScratch = array(); |
|
| 91 | - $storedScratch = array(); |
|
| 92 | - for ($i = 0; $i < 5; $i++) { |
|
| 93 | - $token = Base32::encode(openssl_random_pseudo_bytes(10)); |
|
| 94 | - $plaintextScratch[] = $token; |
|
| 95 | - |
|
| 96 | - $storedScratch[] = password_hash( |
|
| 97 | - $token, |
|
| 98 | - PasswordCredentialProvider::PASSWORD_ALGO, |
|
| 99 | - array('cost' => PasswordCredentialProvider::PASSWORD_COST) |
|
| 100 | - ); |
|
| 101 | - } |
|
| 102 | - |
|
| 103 | - $storedData = $this->getCredentialData($user->getId(), null); |
|
| 104 | - |
|
| 105 | - if ($storedData !== null) { |
|
| 106 | - $storedData->delete(); |
|
| 107 | - } |
|
| 108 | - |
|
| 109 | - $storedData = $this->createNewCredential($user); |
|
| 110 | - |
|
| 111 | - $storedData->setData($this->encryptionHelper->encryptData(serialize($storedScratch))); |
|
| 112 | - $storedData->setFactor($factor); |
|
| 113 | - $storedData->setVersion(1); |
|
| 114 | - $storedData->setPriority(9); |
|
| 115 | - |
|
| 116 | - $storedData->save(); |
|
| 117 | - $this->generatedTokens = $plaintextScratch; |
|
| 118 | - } |
|
| 119 | - |
|
| 120 | - /** |
|
| 121 | - * Gets the count of remaining valid tokens |
|
| 122 | - * |
|
| 123 | - * @param int $userId |
|
| 124 | - * |
|
| 125 | - * @return int |
|
| 126 | - */ |
|
| 127 | - public function getRemaining($userId) |
|
| 128 | - { |
|
| 129 | - $storedData = $this->getCredentialData($userId); |
|
| 130 | - |
|
| 131 | - if ($storedData === null) { |
|
| 132 | - return 0; |
|
| 133 | - } |
|
| 134 | - |
|
| 135 | - $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 136 | - |
|
| 137 | - return count($scratchTokens); |
|
| 138 | - } |
|
| 139 | - |
|
| 140 | - /** |
|
| 141 | - * @return array |
|
| 142 | - */ |
|
| 143 | - public function getTokens() |
|
| 144 | - { |
|
| 145 | - if ($this->generatedTokens != null) { |
|
| 146 | - return $this->generatedTokens; |
|
| 147 | - } |
|
| 148 | - |
|
| 149 | - return array(); |
|
| 150 | - } |
|
| 21 | + /** @var EncryptionHelper */ |
|
| 22 | + private $encryptionHelper; |
|
| 23 | + /** @var array the tokens generated in the last generation round. */ |
|
| 24 | + private $generatedTokens; |
|
| 25 | + |
|
| 26 | + /** |
|
| 27 | + * ScratchTokenCredentialProvider constructor. |
|
| 28 | + * |
|
| 29 | + * @param PdoDatabase $database |
|
| 30 | + * @param SiteConfiguration $configuration |
|
| 31 | + */ |
|
| 32 | + public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 33 | + { |
|
| 34 | + parent::__construct($database, $configuration, 'scratch'); |
|
| 35 | + $this->encryptionHelper = new EncryptionHelper($configuration); |
|
| 36 | + } |
|
| 37 | + |
|
| 38 | + /** |
|
| 39 | + * Validates a user-provided credential |
|
| 40 | + * |
|
| 41 | + * @param User $user The user to test the authentication against |
|
| 42 | + * @param string $data The raw credential data to be validated |
|
| 43 | + * |
|
| 44 | + * @return bool |
|
| 45 | + * @throws ApplicationLogicException|OptimisticLockFailedException |
|
| 46 | + */ |
|
| 47 | + public function authenticate(User $user, $data) |
|
| 48 | + { |
|
| 49 | + if (is_array($data)) { |
|
| 50 | + return false; |
|
| 51 | + } |
|
| 52 | + |
|
| 53 | + $storedData = $this->getCredentialData($user->getId()); |
|
| 54 | + |
|
| 55 | + if ($storedData === null) { |
|
| 56 | + throw new ApplicationLogicException('Credential data not found'); |
|
| 57 | + } |
|
| 58 | + |
|
| 59 | + $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 60 | + |
|
| 61 | + $usedToken = null; |
|
| 62 | + foreach ($scratchTokens as $scratchToken) { |
|
| 63 | + if (password_verify($data, $scratchToken)){ |
|
| 64 | + $usedToken = $scratchToken; |
|
| 65 | + break; |
|
| 66 | + } |
|
| 67 | + } |
|
| 68 | + |
|
| 69 | + if($usedToken === null) { |
|
| 70 | + return false; |
|
| 71 | + } |
|
| 72 | + |
|
| 73 | + $scratchTokens = array_diff($scratchTokens, [$usedToken]); |
|
| 74 | + |
|
| 75 | + $storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens))); |
|
| 76 | + $storedData->save(); |
|
| 77 | + |
|
| 78 | + return true; |
|
| 79 | + } |
|
| 80 | + |
|
| 81 | + /** |
|
| 82 | + * @param User $user The user the credential belongs to |
|
| 83 | + * @param int $factor The factor this credential provides |
|
| 84 | + * @param string $data Unused. |
|
| 85 | + * |
|
| 86 | + * @throws OptimisticLockFailedException |
|
| 87 | + */ |
|
| 88 | + public function setCredential(User $user, $factor, $data) |
|
| 89 | + { |
|
| 90 | + $plaintextScratch = array(); |
|
| 91 | + $storedScratch = array(); |
|
| 92 | + for ($i = 0; $i < 5; $i++) { |
|
| 93 | + $token = Base32::encode(openssl_random_pseudo_bytes(10)); |
|
| 94 | + $plaintextScratch[] = $token; |
|
| 95 | + |
|
| 96 | + $storedScratch[] = password_hash( |
|
| 97 | + $token, |
|
| 98 | + PasswordCredentialProvider::PASSWORD_ALGO, |
|
| 99 | + array('cost' => PasswordCredentialProvider::PASSWORD_COST) |
|
| 100 | + ); |
|
| 101 | + } |
|
| 102 | + |
|
| 103 | + $storedData = $this->getCredentialData($user->getId(), null); |
|
| 104 | + |
|
| 105 | + if ($storedData !== null) { |
|
| 106 | + $storedData->delete(); |
|
| 107 | + } |
|
| 108 | + |
|
| 109 | + $storedData = $this->createNewCredential($user); |
|
| 110 | + |
|
| 111 | + $storedData->setData($this->encryptionHelper->encryptData(serialize($storedScratch))); |
|
| 112 | + $storedData->setFactor($factor); |
|
| 113 | + $storedData->setVersion(1); |
|
| 114 | + $storedData->setPriority(9); |
|
| 115 | + |
|
| 116 | + $storedData->save(); |
|
| 117 | + $this->generatedTokens = $plaintextScratch; |
|
| 118 | + } |
|
| 119 | + |
|
| 120 | + /** |
|
| 121 | + * Gets the count of remaining valid tokens |
|
| 122 | + * |
|
| 123 | + * @param int $userId |
|
| 124 | + * |
|
| 125 | + * @return int |
|
| 126 | + */ |
|
| 127 | + public function getRemaining($userId) |
|
| 128 | + { |
|
| 129 | + $storedData = $this->getCredentialData($userId); |
|
| 130 | + |
|
| 131 | + if ($storedData === null) { |
|
| 132 | + return 0; |
|
| 133 | + } |
|
| 134 | + |
|
| 135 | + $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 136 | + |
|
| 137 | + return count($scratchTokens); |
|
| 138 | + } |
|
| 139 | + |
|
| 140 | + /** |
|
| 141 | + * @return array |
|
| 142 | + */ |
|
| 143 | + public function getTokens() |
|
| 144 | + { |
|
| 145 | + if ($this->generatedTokens != null) { |
|
| 146 | + return $this->generatedTokens; |
|
| 147 | + } |
|
| 148 | + |
|
| 149 | + return array(); |
|
| 150 | + } |
|
| 151 | 151 | } |
@@ -60,13 +60,13 @@ |
||
| 60 | 60 | |
| 61 | 61 | $usedToken = null; |
| 62 | 62 | foreach ($scratchTokens as $scratchToken) { |
| 63 | - if (password_verify($data, $scratchToken)){ |
|
| 63 | + if (password_verify($data, $scratchToken)) { |
|
| 64 | 64 | $usedToken = $scratchToken; |
| 65 | 65 | break; |
| 66 | 66 | } |
| 67 | 67 | } |
| 68 | 68 | |
| 69 | - if($usedToken === null) { |
|
| 69 | + if ($usedToken === null) { |
|
| 70 | 70 | return false; |
| 71 | 71 | } |
| 72 | 72 | |
@@ -60,7 +60,7 @@ |
||
| 60 | 60 | |
| 61 | 61 | $usedToken = null; |
| 62 | 62 | foreach ($scratchTokens as $scratchToken) { |
| 63 | - if (password_verify($data, $scratchToken)){ |
|
| 63 | + if (password_verify($data, $scratchToken)) { |
|
| 64 | 64 | $usedToken = $scratchToken; |
| 65 | 65 | break; |
| 66 | 66 | } |
@@ -15,56 +15,56 @@ |
||
| 15 | 15 | |
| 16 | 16 | class PasswordCredentialProvider extends CredentialProviderBase |
| 17 | 17 | { |
| 18 | - const PASSWORD_COST = 10; |
|
| 19 | - const PASSWORD_ALGO = PASSWORD_BCRYPT; |
|
| 18 | + const PASSWORD_COST = 10; |
|
| 19 | + const PASSWORD_ALGO = PASSWORD_BCRYPT; |
|
| 20 | 20 | |
| 21 | - public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 22 | - { |
|
| 23 | - parent::__construct($database, $configuration, 'password'); |
|
| 24 | - } |
|
| 21 | + public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 22 | + { |
|
| 23 | + parent::__construct($database, $configuration, 'password'); |
|
| 24 | + } |
|
| 25 | 25 | |
| 26 | - public function authenticate(User $user, $data) |
|
| 27 | - { |
|
| 28 | - $storedData = $this->getCredentialData($user->getId()); |
|
| 29 | - if($storedData === null) |
|
| 30 | - { |
|
| 31 | - // No available credential matching these parameters |
|
| 32 | - return false; |
|
| 33 | - } |
|
| 26 | + public function authenticate(User $user, $data) |
|
| 27 | + { |
|
| 28 | + $storedData = $this->getCredentialData($user->getId()); |
|
| 29 | + if($storedData === null) |
|
| 30 | + { |
|
| 31 | + // No available credential matching these parameters |
|
| 32 | + return false; |
|
| 33 | + } |
|
| 34 | 34 | |
| 35 | - if($storedData->getVersion() !== 2) { |
|
| 36 | - // Non-2 versions are not supported. |
|
| 37 | - return false; |
|
| 38 | - } |
|
| 35 | + if($storedData->getVersion() !== 2) { |
|
| 36 | + // Non-2 versions are not supported. |
|
| 37 | + return false; |
|
| 38 | + } |
|
| 39 | 39 | |
| 40 | - if(password_verify($data, $storedData->getData())) { |
|
| 41 | - if(password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))){ |
|
| 42 | - $this->setCredential($user, $storedData->getFactor(), $data); |
|
| 43 | - } |
|
| 40 | + if(password_verify($data, $storedData->getData())) { |
|
| 41 | + if(password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))){ |
|
| 42 | + $this->setCredential($user, $storedData->getFactor(), $data); |
|
| 43 | + } |
|
| 44 | 44 | |
| 45 | - return true; |
|
| 46 | - } |
|
| 45 | + return true; |
|
| 46 | + } |
|
| 47 | 47 | |
| 48 | - return false; |
|
| 49 | - } |
|
| 48 | + return false; |
|
| 49 | + } |
|
| 50 | 50 | |
| 51 | - public function setCredential(User $user, $factor, $password) |
|
| 52 | - { |
|
| 53 | - $storedData = $this->getCredentialData($user->getId()); |
|
| 51 | + public function setCredential(User $user, $factor, $password) |
|
| 52 | + { |
|
| 53 | + $storedData = $this->getCredentialData($user->getId()); |
|
| 54 | 54 | |
| 55 | - if($storedData === null){ |
|
| 56 | - $storedData = $this->createNewCredential($user); |
|
| 57 | - } |
|
| 55 | + if($storedData === null){ |
|
| 56 | + $storedData = $this->createNewCredential($user); |
|
| 57 | + } |
|
| 58 | 58 | |
| 59 | - $storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))); |
|
| 60 | - $storedData->setFactor($factor); |
|
| 61 | - $storedData->setVersion(2); |
|
| 59 | + $storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))); |
|
| 60 | + $storedData->setFactor($factor); |
|
| 61 | + $storedData->setVersion(2); |
|
| 62 | 62 | |
| 63 | - $storedData->save(); |
|
| 64 | - } |
|
| 63 | + $storedData->save(); |
|
| 64 | + } |
|
| 65 | 65 | |
| 66 | - public function deleteCredential(User $user) |
|
| 67 | - { |
|
| 68 | - throw new ApplicationLogicException('Deletion of password credential is not allowed.'); |
|
| 69 | - } |
|
| 66 | + public function deleteCredential(User $user) |
|
| 67 | + { |
|
| 68 | + throw new ApplicationLogicException('Deletion of password credential is not allowed.'); |
|
| 69 | + } |
|
| 70 | 70 | } |
@@ -26,19 +26,19 @@ discard block |
||
| 26 | 26 | public function authenticate(User $user, $data) |
| 27 | 27 | { |
| 28 | 28 | $storedData = $this->getCredentialData($user->getId()); |
| 29 | - if($storedData === null) |
|
| 29 | + if ($storedData === null) |
|
| 30 | 30 | { |
| 31 | 31 | // No available credential matching these parameters |
| 32 | 32 | return false; |
| 33 | 33 | } |
| 34 | 34 | |
| 35 | - if($storedData->getVersion() !== 2) { |
|
| 35 | + if ($storedData->getVersion() !== 2) { |
|
| 36 | 36 | // Non-2 versions are not supported. |
| 37 | 37 | return false; |
| 38 | 38 | } |
| 39 | 39 | |
| 40 | - if(password_verify($data, $storedData->getData())) { |
|
| 41 | - if(password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))){ |
|
| 40 | + if (password_verify($data, $storedData->getData())) { |
|
| 41 | + if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))) { |
|
| 42 | 42 | $this->setCredential($user, $storedData->getFactor(), $data); |
| 43 | 43 | } |
| 44 | 44 | |
@@ -52,7 +52,7 @@ discard block |
||
| 52 | 52 | { |
| 53 | 53 | $storedData = $this->getCredentialData($user->getId()); |
| 54 | 54 | |
| 55 | - if($storedData === null){ |
|
| 55 | + if ($storedData === null) { |
|
| 56 | 56 | $storedData = $this->createNewCredential($user); |
| 57 | 57 | } |
| 58 | 58 | |
@@ -26,8 +26,7 @@ discard block |
||
| 26 | 26 | public function authenticate(User $user, $data) |
| 27 | 27 | { |
| 28 | 28 | $storedData = $this->getCredentialData($user->getId()); |
| 29 | - if($storedData === null) |
|
| 30 | - { |
|
| 29 | + if($storedData === null) { |
|
| 31 | 30 | // No available credential matching these parameters |
| 32 | 31 | return false; |
| 33 | 32 | } |
@@ -38,7 +37,7 @@ discard block |
||
| 38 | 37 | } |
| 39 | 38 | |
| 40 | 39 | if(password_verify($data, $storedData->getData())) { |
| 41 | - if(password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))){ |
|
| 40 | + if(password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST))) { |
|
| 42 | 41 | $this->setCredential($user, $storedData->getFactor(), $data); |
| 43 | 42 | } |
| 44 | 43 | |
@@ -52,7 +51,7 @@ discard block |
||
| 52 | 51 | { |
| 53 | 52 | $storedData = $this->getCredentialData($user->getId()); |
| 54 | 53 | |
| 55 | - if($storedData === null){ |
|
| 54 | + if($storedData === null) { |
|
| 56 | 55 | $storedData = $this->createNewCredential($user); |
| 57 | 56 | } |
| 58 | 57 | |
