mdaniels5757 / waca

includes/Security/CredentialProviders/PasswordCredentialProvider.php

Spacing +2 added lines, -2 removed lines

@@ -30,13 +30,13 @@
     public function authenticate(User $user, $data)
     {
         $storedData = $this->getCredentialData($user->getId());
-        if($storedData === null)
+        if ($storedData === null)
         {
             // No available credential matching these parameters
             return false;
         }
 
-        if($storedData->getVersion() !== 2) {
+        if ($storedData->getVersion() !== 2) {
             // Non-2 versions are not supported.
             return false;
         }

Braces +1 added lines, -2 removed lines

@@ -30,8 +30,7 @@
     public function authenticate(User $user, $data)
     {
         $storedData = $this->getCredentialData($user->getId());
-        if($storedData === null)
-        {
+        if($storedData === null) {
             // No available credential matching these parameters
             return false;
         }

Indentation +109 added lines, -109 removed lines

@@ -19,123 +19,123 @@
 
 class PasswordCredentialProvider extends CredentialProviderBase
 {
-    const PASSWORD_COST = 10;
-    const PASSWORD_ALGO = PASSWORD_BCRYPT;
-
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
-    {
-        parent::__construct($database, $configuration, 'password');
-    }
-
-    public function authenticate(User $user, $data)
-    {
-        $storedData = $this->getCredentialData($user->getId());
-        if($storedData === null)
-        {
-            // No available credential matching these parameters
-            return false;
-        }
-
-        if($storedData->getVersion() !== 2) {
-            // Non-2 versions are not supported.
-            return false;
-        }
-
-        if (!password_verify($data, $storedData->getData())) {
-            return false;
-        }
-
-        if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
-            array('cost' => self::PASSWORD_COST))) {
-            try {
-                $this->reallySetCredential($user, $storedData->getFactor(), $data);
-            }
-            catch (OptimisticLockFailedException $e) {
-                // optimistic lock failed, but no biggie. We'll catch it on the next login.
-            }
-        }
-
-        $strengthTester = new Zxcvbn();
-        $strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
-
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
+	const PASSWORD_COST = 10;
+	const PASSWORD_ALGO = PASSWORD_BCRYPT;
+
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
+	{
+		parent::__construct($database, $configuration, 'password');
+	}
+
+	public function authenticate(User $user, $data)
+	{
+		$storedData = $this->getCredentialData($user->getId());
+		if($storedData === null)
+		{
+			// No available credential matching these parameters
+			return false;
+		}
+
+		if($storedData->getVersion() !== 2) {
+			// Non-2 versions are not supported.
+			return false;
+		}
+
+		if (!password_verify($data, $storedData->getData())) {
+			return false;
+		}
+
+		if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
+			array('cost' => self::PASSWORD_COST))) {
+			try {
+				$this->reallySetCredential($user, $storedData->getFactor(), $data);
+			}
+			catch (OptimisticLockFailedException $e) {
+				// optimistic lock failed, but no biggie. We'll catch it on the next login.
+			}
+		}
+
+		$strengthTester = new Zxcvbn();
+		$strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
+
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
 
-        if ($strength['score'] <= 1 || CommonPasswords::isCommon($data) || mb_strlen($data) < 8) {
-            // prevent login for extremely weak passwords
-            // at this point the user has authenticated via password, so they *know* it's weak.
-            SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
-            return false;
-        }
-
-        return true;
-    }
-
-    /**
-     * @param User   $user
-     * @param int    $factor
-     * @param string $password
-     *
-     * @throws OptimisticLockFailedException
-     */
-    private function reallySetCredential(User $user, int $factor, string $password) : void {
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            $storedData = $this->createNewCredential($user);
-        }
-
-        $storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
-        $storedData->setFactor($factor);
-        $storedData->setVersion(2);
-
-        $storedData->save();
-    }
-
-    /**
-     * @param User   $user
-     * @param int    $factor
-     * @param string $password
-     *
-     * @throws ApplicationLogicException
-     * @throws OptimisticLockFailedException
-     */
-    public function setCredential(User $user, $factor, $password)
-    {
-        if (CommonPasswords::isCommon($password)) {
-            throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
-        }
-
-        $strengthTester = new Zxcvbn();
-        $strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
-
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
+		if ($strength['score'] <= 1 || CommonPasswords::isCommon($data) || mb_strlen($data) < 8) {
+			// prevent login for extremely weak passwords
+			// at this point the user has authenticated via password, so they *know* it's weak.
+			SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * @param User   $user
+	 * @param int    $factor
+	 * @param string $password
+	 *
+	 * @throws OptimisticLockFailedException
+	 */
+	private function reallySetCredential(User $user, int $factor, string $password) : void {
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			$storedData = $this->createNewCredential($user);
+		}
+
+		$storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
+		$storedData->setFactor($factor);
+		$storedData->setVersion(2);
+
+		$storedData->save();
+	}
+
+	/**
+	 * @param User   $user
+	 * @param int    $factor
+	 * @param string $password
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws OptimisticLockFailedException
+	 */
+	public function setCredential(User $user, $factor, $password)
+	{
+		if (CommonPasswords::isCommon($password)) {
+			throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
+		}
+
+		$strengthTester = new Zxcvbn();
+		$strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
+
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
 
-        if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
-            throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
-        }
-
-        if ($strength['score'] <= 3) {
-            SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
-        }
-
-        $this->reallySetCredential($user, $factor, $password);
-    }
-
-    /**
-     * @param User $user
-     *
-     * @throws ApplicationLogicException
-     */
-    public function deleteCredential(User $user)
-    {
-        throw new ApplicationLogicException('Deletion of password credential is not allowed.');
-    }
+		if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
+			throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
+		}
+
+		if ($strength['score'] <= 3) {
+			SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
+		}
+
+		$this->reallySetCredential($user, $factor, $password);
+	}
+
+	/**
+	 * @param User $user
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	public function deleteCredential(User $user)
+	{
+		throw new ApplicationLogicException('Deletion of password credential is not allowed.');
+	}
 }

includes/Security/CredentialProviders/ICredentialProvider.php

Indentation +25 added lines, -25 removed lines

@@ -12,32 +12,32 @@
 
 interface ICredentialProvider
 {
-    /**
-     * Validates a user-provided credential
-     *
-     * @param User $user The user to test the authentication against
-     * @param string $data The raw credential data to be validated
-     *
-     * @return bool
-     */
-    public function authenticate(User $user, $data);
+	/**
+	 * Validates a user-provided credential
+	 *
+	 * @param User $user The user to test the authentication against
+	 * @param string $data The raw credential data to be validated
+	 *
+	 * @return bool
+	 */
+	public function authenticate(User $user, $data);
 
-    /**
-     * @param User $user The user the credential belongs to
-     * @param int $factor The factor this credential provides
-     * @param string $data
-     */
-    public function setCredential(User $user, $factor, $data);
+	/**
+	 * @param User $user The user the credential belongs to
+	 * @param int $factor The factor this credential provides
+	 * @param string $data
+	 */
+	public function setCredential(User $user, $factor, $data);
 
-    /**
-     * @param User $user
-     */
-    public function deleteCredential(User $user);
+	/**
+	 * @param User $user
+	 */
+	public function deleteCredential(User $user);
 
-    /**
-     * @param int $userId
-     *
-     * @return bool
-     */
-    public function userIsEnrolled($userId);
+	/**
+	 * @param int $userId
+	 *
+	 * @return bool
+	 */
+	public function userIsEnrolled($userId);
 }
\ No newline at end of file

includes/Security/CredentialProviders/YubikeyOtpCredentialProvider.php

Indentation +150 added lines, -150 removed lines

@@ -16,154 +16,154 @@
 
 class YubikeyOtpCredentialProvider extends CredentialProviderBase
 {
-    /** @var HttpHelper */
-    private $httpHelper;
-    /**
-     * @var SiteConfiguration
-     */
-    private $configuration;
-
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
-    {
-        parent::__construct($database, $configuration, 'yubikeyotp');
-        $this->httpHelper = $httpHelper;
-        $this->configuration = $configuration;
-    }
-
-    public function authenticate(User $user, $data)
-    {
-        if (is_array($data)) {
-            return false;
-        }
-
-        $credentialData = $this->getCredentialData($user->getId());
-
-        if ($credentialData === null) {
-            return false;
-        }
-
-        if ($credentialData->getData() !== $this->getYubikeyId($data)) {
-            // different device
-            return false;
-        }
-
-        return $this->verifyToken($data);
-    }
-
-    public function setCredential(User $user, $factor, $data)
-    {
-        $keyId = $this->getYubikeyId($data);
-        $valid = $this->verifyToken($data);
-
-        if (!$valid) {
-            throw new ApplicationLogicException("Provided token is not valid.");
-        }
-
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            $storedData = $this->createNewCredential($user);
-        }
-
-        $storedData->setData($keyId);
-        $storedData->setFactor($factor);
-        $storedData->setVersion(1);
-        $storedData->setPriority(8);
-
-        $storedData->save();
-    }
-
-    /**
-     * Get the Yubikey ID.
-     *
-     * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
-     *
-     * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
-     * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
-     * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
-     *
-     * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
-     * the device, and that will change the serial number too.
-     *
-     * More information about the structure of OTPs can be found here:
-     * https://developers.yubico.com/OTP/OTPs_Explained.html
-     *
-     * @param int $userId
-     *
-     * @return null|string
-     */
-    public function getYubikeyData($userId)
-    {
-        $credential = $this->getCredentialData($userId);
-
-        if ($credential === null) {
-            return null;
-        }
-
-        return $credential->getData();
-    }
-
-    /**
-     * @param $result
-     *
-     * @return array
-     */
-    private function parseYubicoApiResult($result)
-    {
-        $data = array();
-        foreach (explode("\r\n", $result) as $line) {
-            $pos = strpos($line, '=');
-            if ($pos === false) {
-                continue;
-            }
-
-            $data[substr($line, 0, $pos)] = substr($line, $pos + 1);
-        }
-
-        return $data;
-    }
-
-    private function getYubikeyId($data)
-    {
-        return substr($data, 0, -32);
-    }
-
-    private function verifyHmac($apiResponse, $apiKey)
-    {
-        ksort($apiResponse);
-        $signature = $apiResponse['h'];
-        unset($apiResponse['h']);
-
-        $data = array();
-        foreach ($apiResponse as $key => $value) {
-            $data[] = $key . "=" . $value;
-        }
-        $dataString = implode('&', $data);
-
-        $hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
-
-        return $hmac === $signature;
-    }
-
-    /**
-     * @param $data
-     *
-     * @return bool
-     */
-    private function verifyToken($data)
-    {
-        $result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
-            'id'    => $this->configuration->getYubicoApiId(),
-            'otp'   => $data,
-            'nonce' => md5(openssl_random_pseudo_bytes(64)),
-        ));
-
-        $apiResponse = $this->parseYubicoApiResult($result);
-
-        if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
-            return false;
-        }
-
-        return $apiResponse['status'] == 'OK';
-    }
+	/** @var HttpHelper */
+	private $httpHelper;
+	/**
+	 * @var SiteConfiguration
+	 */
+	private $configuration;
+
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
+	{
+		parent::__construct($database, $configuration, 'yubikeyotp');
+		$this->httpHelper = $httpHelper;
+		$this->configuration = $configuration;
+	}
+
+	public function authenticate(User $user, $data)
+	{
+		if (is_array($data)) {
+			return false;
+		}
+
+		$credentialData = $this->getCredentialData($user->getId());
+
+		if ($credentialData === null) {
+			return false;
+		}
+
+		if ($credentialData->getData() !== $this->getYubikeyId($data)) {
+			// different device
+			return false;
+		}
+
+		return $this->verifyToken($data);
+	}
+
+	public function setCredential(User $user, $factor, $data)
+	{
+		$keyId = $this->getYubikeyId($data);
+		$valid = $this->verifyToken($data);
+
+		if (!$valid) {
+			throw new ApplicationLogicException("Provided token is not valid.");
+		}
+
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			$storedData = $this->createNewCredential($user);
+		}
+
+		$storedData->setData($keyId);
+		$storedData->setFactor($factor);
+		$storedData->setVersion(1);
+		$storedData->setPriority(8);
+
+		$storedData->save();
+	}
+
+	/**
+	 * Get the Yubikey ID.
+	 *
+	 * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
+	 *
+	 * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
+	 * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
+	 * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
+	 *
+	 * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
+	 * the device, and that will change the serial number too.
+	 *
+	 * More information about the structure of OTPs can be found here:
+	 * https://developers.yubico.com/OTP/OTPs_Explained.html
+	 *
+	 * @param int $userId
+	 *
+	 * @return null|string
+	 */
+	public function getYubikeyData($userId)
+	{
+		$credential = $this->getCredentialData($userId);
+
+		if ($credential === null) {
+			return null;
+		}
+
+		return $credential->getData();
+	}
+
+	/**
+	 * @param $result
+	 *
+	 * @return array
+	 */
+	private function parseYubicoApiResult($result)
+	{
+		$data = array();
+		foreach (explode("\r\n", $result) as $line) {
+			$pos = strpos($line, '=');
+			if ($pos === false) {
+				continue;
+			}
+
+			$data[substr($line, 0, $pos)] = substr($line, $pos + 1);
+		}
+
+		return $data;
+	}
+
+	private function getYubikeyId($data)
+	{
+		return substr($data, 0, -32);
+	}
+
+	private function verifyHmac($apiResponse, $apiKey)
+	{
+		ksort($apiResponse);
+		$signature = $apiResponse['h'];
+		unset($apiResponse['h']);
+
+		$data = array();
+		foreach ($apiResponse as $key => $value) {
+			$data[] = $key . "=" . $value;
+		}
+		$dataString = implode('&', $data);
+
+		$hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
+
+		return $hmac === $signature;
+	}
+
+	/**
+	 * @param $data
+	 *
+	 * @return bool
+	 */
+	private function verifyToken($data)
+	{
+		$result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
+			'id'    => $this->configuration->getYubicoApiId(),
+			'otp'   => $data,
+			'nonce' => md5(openssl_random_pseudo_bytes(64)),
+		));
+
+		$apiResponse = $this->parseYubicoApiResult($result);
+
+		if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
+			return false;
+		}
+
+		return $apiResponse['status'] == 'OK';
+	}
 }

includes/Security/AuthenticationManager.php

Indentation +56 added lines, -56 removed lines

@@ -22,67 +22,67 @@
 
 class AuthenticationManager
 {
-    const AUTH_OK = 1;
-    const AUTH_FAIL = 2;
-    const AUTH_REQUIRE_NEXT_STAGE = 3;
-    private $typeMap = array();
-    /**
-     * @var PdoDatabase
-     */
-    private $database;
+	const AUTH_OK = 1;
+	const AUTH_FAIL = 2;
+	const AUTH_REQUIRE_NEXT_STAGE = 3;
+	private $typeMap = array();
+	/**
+	 * @var PdoDatabase
+	 */
+	private $database;
 
-    /**
-     * AuthenticationManager constructor.
-     *
-     * @param PdoDatabase       $database
-     * @param SiteConfiguration $siteConfiguration
-     * @param HttpHelper        $httpHelper
-     */
-    public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper)
-    {
-        // setup providers
-        // note on type map: this *must* be the value in the database, as this is what it maps.
-        $this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper);
-        $this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration);
-        $this->typeMap['u2f'] = new U2FCredentialProvider($database, $siteConfiguration);
-        $this->database = $database;
-    }
+	/**
+	 * AuthenticationManager constructor.
+	 *
+	 * @param PdoDatabase       $database
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param HttpHelper        $httpHelper
+	 */
+	public function __construct(PdoDatabase $database, SiteConfiguration $siteConfiguration, HttpHelper $httpHelper)
+	{
+		// setup providers
+		// note on type map: this *must* be the value in the database, as this is what it maps.
+		$this->typeMap['password'] = new PasswordCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['yubikeyotp'] = new YubikeyOtpCredentialProvider($database, $siteConfiguration, $httpHelper);
+		$this->typeMap['totp'] = new TotpCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['scratch'] = new ScratchTokenCredentialProvider($database, $siteConfiguration);
+		$this->typeMap['u2f'] = new U2FCredentialProvider($database, $siteConfiguration);
+		$this->database = $database;
+	}
 
-    public function authenticate(User $user, $data, $stage)
-    {
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC';
-        $statement = $this->database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $stage));
-        $options = $statement->fetchAll(PDO::FETCH_COLUMN);
+	public function authenticate(User $user, $data, $stage)
+	{
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority ASC';
+		$statement = $this->database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $stage));
+		$options = $statement->fetchAll(PDO::FETCH_COLUMN);
 
-        $sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch';
-        $statement = $this->database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch'));
-        $requiredFactors = $statement->fetchColumn();
+		$sql = 'SELECT count(DISTINCT factor) FROM credential WHERE user = :user AND factor > :stage AND disabled = 0 AND type <> :scratch';
+		$statement = $this->database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $stage, ':scratch' => 'scratch'));
+		$requiredFactors = $statement->fetchColumn();
 
-        // prep the correct OK response based on how many factors are ahead of this one
-        $success = self::AUTH_OK;
-        if ($requiredFactors > 0) {
-            $success = self::AUTH_REQUIRE_NEXT_STAGE;
-        }
+		// prep the correct OK response based on how many factors are ahead of this one
+		$success = self::AUTH_OK;
+		if ($requiredFactors > 0) {
+			$success = self::AUTH_REQUIRE_NEXT_STAGE;
+		}
 
-        foreach ($options as $type) {
-            if (!isset($this->typeMap[$type])) {
-                // does this type have a credentialProvider registered?
-                continue;
-            }
+		foreach ($options as $type) {
+			if (!isset($this->typeMap[$type])) {
+				// does this type have a credentialProvider registered?
+				continue;
+			}
 
-            /** @var ICredentialProvider $credentialProvider */
-            $credentialProvider = $this->typeMap[$type];
-            if ($credentialProvider->authenticate($user, $data)) {
-                return $success;
-            }
-        }
+			/** @var ICredentialProvider $credentialProvider */
+			$credentialProvider = $this->typeMap[$type];
+			if ($credentialProvider->authenticate($user, $data)) {
+				return $success;
+			}
+		}
 
-        // We've iterated over all the available providers for this stage.
-        // They all hate you.
-        return self::AUTH_FAIL;
-    }
+		// We've iterated over all the available providers for this stage.
+		// They all hate you.
+		return self::AUTH_FAIL;
+	}
 }
\ No newline at end of file

includes/Providers/GlobalState/GlobalStateProvider.php

Indentation +35 added lines, -35 removed lines

@@ -18,43 +18,43 @@
  */
 class GlobalStateProvider implements IGlobalStateProvider
 {
-    /**
-     * @return array
-     */
-    public function &getServerSuperGlobal()
-    {
-        return $_SERVER;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getServerSuperGlobal()
+	{
+		return $_SERVER;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getGetSuperGlobal()
-    {
-        return $_GET;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getGetSuperGlobal()
+	{
+		return $_GET;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getPostSuperGlobal()
-    {
-        return $_POST;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getPostSuperGlobal()
+	{
+		return $_POST;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getSessionSuperGlobal()
-    {
-        return $_SESSION;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getSessionSuperGlobal()
+	{
+		return $_SESSION;
+	}
 
-    /**
-     * @return array
-     */
-    public function &getCookieSuperGlobal()
-    {
-        return $_COOKIE;
-    }
+	/**
+	 * @return array
+	 */
+	public function &getCookieSuperGlobal()
+	{
+		return $_COOKIE;
+	}
 }
\ No newline at end of file

includes/Providers/GlobalState/IGlobalStateProvider.php

Indentation +20 added lines, -20 removed lines

@@ -14,28 +14,28 @@
  */
 interface IGlobalStateProvider
 {
-    /**
-     * @return array
-     */
-    public function getServerSuperGlobal();
+	/**
+	 * @return array
+	 */
+	public function getServerSuperGlobal();
 
-    /**
-     * @return array
-     */
-    public function getGetSuperGlobal();
+	/**
+	 * @return array
+	 */
+	public function getGetSuperGlobal();
 
-    /**
-     * @return array
-     */
-    public function getPostSuperGlobal();
+	/**
+	 * @return array
+	 */
+	public function getPostSuperGlobal();
 
-    /**
-     * @return array
-     */
-    public function getSessionSuperGlobal();
+	/**
+	 * @return array
+	 */
+	public function getSessionSuperGlobal();
 
-    /**
-     * @return array
-     */
-    public function getCookieSuperGlobal();
+	/**
+	 * @return array
+	 */
+	public function getCookieSuperGlobal();
 }
\ No newline at end of file

includes/Providers/GlobalState/FakeGlobalStateProvider.php

Indentation +25 added lines, -25 removed lines

@@ -18,34 +18,34 @@
  */
 class FakeGlobalStateProvider extends GlobalStateProvider implements IGlobalStateProvider
 {
-    var $server = array();
-    var $get = array();
-    var $post = array();
-    var $session = array();
-    var $cookie = array();
+	var $server = array();
+	var $get = array();
+	var $post = array();
+	var $session = array();
+	var $cookie = array();
 
-    public function &getServerSuperGlobal()
-    {
-        return $this->server;
-    }
+	public function &getServerSuperGlobal()
+	{
+		return $this->server;
+	}
 
-    public function &getGetSuperGlobal()
-    {
-        return $this->get;
-    }
+	public function &getGetSuperGlobal()
+	{
+		return $this->get;
+	}
 
-    public function &getPostSuperGlobal()
-    {
-        return $this->post;
-    }
+	public function &getPostSuperGlobal()
+	{
+		return $this->post;
+	}
 
-    public function &getSessionSuperGlobal()
-    {
-        return $this->session;
-    }
+	public function &getSessionSuperGlobal()
+	{
+		return $this->session;
+	}
 
-    public function &getCookieSuperGlobal()
-    {
-        return $this->cookie;
-    }
+	public function &getCookieSuperGlobal()
+	{
+		return $this->cookie;
+	}
 }
\ No newline at end of file

includes/Providers/IpLocationProvider.php

Indentation +103 added lines, -103 removed lines

@@ -21,107 +21,107 @@
  */
 class IpLocationProvider implements ILocationProvider
 {
-    /** @var string */
-    private $apiKey;
-    /** @var PdoDatabase */
-    private $database;
-    /** @var HttpHelper */
-    private $httpHelper;
-
-    /**
-     * IpLocationProvider constructor.
-     *
-     * @param PdoDatabase $database
-     * @param string      $apiKey
-     * @param HttpHelper  $httpHelper
-     */
-    public function __construct(PdoDatabase $database, $apiKey, HttpHelper $httpHelper)
-    {
-        $this->database = $database;
-        $this->apiKey = $apiKey;
-        $this->httpHelper = $httpHelper;
-    }
-
-    /**
-     * @param string $address
-     *
-     * @return array|null
-     * @throws Exception
-     * @throws OptimisticLockFailedException
-     */
-    public function getIpLocation($address)
-    {
-        $address = trim($address);
-
-        // lets look in our database first.
-        $location = GeoLocation::getByAddress($address, $this->database, true);
-
-        if ($location != null) {
-            // touch cache timer
-            $location->save();
-
-            return $location->getData();
-        }
-
-        // OK, it's not there, let's do an IP2Location lookup.
-        $result = $this->getResult($address);
-
-        if ($result != null) {
-            $location = new GeoLocation();
-            $location->setDatabase($this->database);
-            $location->setAddress($address);
-            $location->setData($result);
-            $location->save();
-
-            return $result;
-        }
-
-        return null;
-    }
-
-    // adapted from http://www.ipinfodb.com/ip_location_api.php
-
-    /**
-     * @param string $ip
-     *
-     * @return array|null
-     */
-    private function getResult($ip)
-    {
-        try {
-            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
-                $xml = $this->httpHelper->get($this->getApiBase(), array(
-                    'key'    => $this->apiKey,
-                    'ip'     => $ip,
-                    'format' => 'xml',
-                ));
-
-                $response = @new SimpleXMLElement($xml);
-
-                $result = array();
-
-                foreach ($response as $field => $value) {
-                    $result[(string)$field] = (string)$value;
-                }
-
-                return $result;
-            }
-        }
-        catch (Exception $ex) {
-            return null;
-
-            // LOGME: do something smart here, or wherever we use this value.
-            // This is just a temp hack to squash errors on the UI for now.
-        }
-
-        return null;
-    }
-
-    /**
-     * @return string
-     */
-    protected function getApiBase()
-    {
-        return "http://api.ipinfodb.com/v3/ip-city/";
-    }
+	/** @var string */
+	private $apiKey;
+	/** @var PdoDatabase */
+	private $database;
+	/** @var HttpHelper */
+	private $httpHelper;
+
+	/**
+	 * IpLocationProvider constructor.
+	 *
+	 * @param PdoDatabase $database
+	 * @param string      $apiKey
+	 * @param HttpHelper  $httpHelper
+	 */
+	public function __construct(PdoDatabase $database, $apiKey, HttpHelper $httpHelper)
+	{
+		$this->database = $database;
+		$this->apiKey = $apiKey;
+		$this->httpHelper = $httpHelper;
+	}
+
+	/**
+	 * @param string $address
+	 *
+	 * @return array|null
+	 * @throws Exception
+	 * @throws OptimisticLockFailedException
+	 */
+	public function getIpLocation($address)
+	{
+		$address = trim($address);
+
+		// lets look in our database first.
+		$location = GeoLocation::getByAddress($address, $this->database, true);
+
+		if ($location != null) {
+			// touch cache timer
+			$location->save();
+
+			return $location->getData();
+		}
+
+		// OK, it's not there, let's do an IP2Location lookup.
+		$result = $this->getResult($address);
+
+		if ($result != null) {
+			$location = new GeoLocation();
+			$location->setDatabase($this->database);
+			$location->setAddress($address);
+			$location->setData($result);
+			$location->save();
+
+			return $result;
+		}
+
+		return null;
+	}
+
+	// adapted from http://www.ipinfodb.com/ip_location_api.php
+
+	/**
+	 * @param string $ip
+	 *
+	 * @return array|null
+	 */
+	private function getResult($ip)
+	{
+		try {
+			if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+				$xml = $this->httpHelper->get($this->getApiBase(), array(
+					'key'    => $this->apiKey,
+					'ip'     => $ip,
+					'format' => 'xml',
+				));
+
+				$response = @new SimpleXMLElement($xml);
+
+				$result = array();
+
+				foreach ($response as $field => $value) {
+					$result[(string)$field] = (string)$value;
+				}
+
+				return $result;
+			}
+		}
+		catch (Exception $ex) {
+			return null;
+
+			// LOGME: do something smart here, or wherever we use this value.
+			// This is just a temp hack to squash errors on the UI for now.
+		}
+
+		return null;
+	}
+
+	/**
+	 * @return string
+	 */
+	protected function getApiBase()
+	{
+		return "http://api.ipinfodb.com/v3/ip-city/";
+	}
 }

includes/IdentificationVerifier.php

Indentation +160 added lines, -160 removed lines

@@ -26,133 +26,133 @@ 
  */
 class IdentificationVerifier
 {
-    /**
-     * This field is an array of parameters, in key => value format, that should be appended to the Meta Wikimedia
-     * Web Service Endpoint URL to query if a user is listed on the Identification Noticeboard.  Note that URL encoding
-     * of these values is *not* necessary; this is done automatically.
-     *
-     * @var string[]
-     * @category Security-Critical
-     */
-    private static $apiQueryParameters = array(
-        'action'   => 'query',
-        'format'   => 'json',
-        'prop'     => 'links',
-        // Populated from SiteConfiguration->getIdentificationNoticeboardPage
-        'titles'   => '',
-        // Username of the user to be checked, with User: prefix, goes here!  Set in isIdentifiedOnWiki()
-        'pltitles' => '',
-    );
-    /** @var HttpHelper */
-    private $httpHelper;
-    /** @var SiteConfiguration */
-    private $siteConfiguration;
-    /** @var PdoDatabase */
-    private $dbObject;
-
-    /**
-     * IdentificationVerifier constructor.
-     *
-     * @param HttpHelper        $httpHelper
-     * @param SiteConfiguration $siteConfiguration
-     * @param PdoDatabase       $dbObject
-     */
-    public function __construct(HttpHelper $httpHelper, SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
-    {
-        $this->httpHelper = $httpHelper;
-        $this->siteConfiguration = $siteConfiguration;
-        $this->dbObject = $dbObject;
-    }
-
-    /**
-     * Checks if the given user is identified to the Wikimedia Foundation.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @category Security-Critical
-     * @throws EnvironmentException
-     */
-    public function isUserIdentified($onWikiName)
-    {
-        if ($this->checkIdentificationCache($onWikiName)) {
-            return true;
-        }
-        else {
-            if ($this->isIdentifiedOnWiki($onWikiName)) {
-                $this->cacheIdentificationStatus($onWikiName);
-
-                return true;
-            }
-            else {
-                return false;
-            }
-        }
-    }
-
-    /**
-     * Checks if the given user has a valid entry in the idcache table.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    private function checkIdentificationCache($onWikiName)
-    {
-        $interval = $this->siteConfiguration->getIdentificationCacheExpiry();
-
-        $query = <<<SQL
+	/**
+	 * This field is an array of parameters, in key => value format, that should be appended to the Meta Wikimedia
+	 * Web Service Endpoint URL to query if a user is listed on the Identification Noticeboard.  Note that URL encoding
+	 * of these values is *not* necessary; this is done automatically.
+	 *
+	 * @var string[]
+	 * @category Security-Critical
+	 */
+	private static $apiQueryParameters = array(
+		'action'   => 'query',
+		'format'   => 'json',
+		'prop'     => 'links',
+		// Populated from SiteConfiguration->getIdentificationNoticeboardPage
+		'titles'   => '',
+		// Username of the user to be checked, with User: prefix, goes here!  Set in isIdentifiedOnWiki()
+		'pltitles' => '',
+	);
+	/** @var HttpHelper */
+	private $httpHelper;
+	/** @var SiteConfiguration */
+	private $siteConfiguration;
+	/** @var PdoDatabase */
+	private $dbObject;
+
+	/**
+	 * IdentificationVerifier constructor.
+	 *
+	 * @param HttpHelper        $httpHelper
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param PdoDatabase       $dbObject
+	 */
+	public function __construct(HttpHelper $httpHelper, SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
+	{
+		$this->httpHelper = $httpHelper;
+		$this->siteConfiguration = $siteConfiguration;
+		$this->dbObject = $dbObject;
+	}
+
+	/**
+	 * Checks if the given user is identified to the Wikimedia Foundation.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 * @throws EnvironmentException
+	 */
+	public function isUserIdentified($onWikiName)
+	{
+		if ($this->checkIdentificationCache($onWikiName)) {
+			return true;
+		}
+		else {
+			if ($this->isIdentifiedOnWiki($onWikiName)) {
+				$this->cacheIdentificationStatus($onWikiName);
+
+				return true;
+			}
+			else {
+				return false;
+			}
+		}
+	}
+
+	/**
+	 * Checks if the given user has a valid entry in the idcache table.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	private function checkIdentificationCache($onWikiName)
+	{
+		$interval = $this->siteConfiguration->getIdentificationCacheExpiry();
+
+		$query = <<<SQL
 			SELECT COUNT(`id`)
 			FROM `idcache`
 			WHERE `onwikiusername` = :onwikiname
 				AND DATE_ADD(`checktime`, INTERVAL {$interval}) >= NOW();
 SQL;
-        $stmt = $this->dbObject->prepare($query);
-        $stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
-        $stmt->execute();
-
-        // Guaranteed by the query to only return a single row with a single column
-        $results = $stmt->fetch(PDO::FETCH_NUM);
-
-        // I don't expect this to ever be a value other than 0 or 1 since the `onwikiusername` column is declared as a
-        // unique key - but meh.
-        return $results[0] != 0;
-    }
-
-    /**
-     * Does pretty much exactly what it says on the label - this method will clear all expired idcache entries from the
-     * idcache table.  Meant to be called periodically by a maintenance script.
-     *
-     * @param SiteConfiguration $siteConfiguration
-     * @param PdoDatabase       $dbObject
-     *
-     * @return void
-     */
-    public static function clearExpiredCacheEntries(SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
-    {
-        $interval = $siteConfiguration->getIdentificationCacheExpiry();
-
-        $query = <<<SQL
+		$stmt = $this->dbObject->prepare($query);
+		$stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
+		$stmt->execute();
+
+		// Guaranteed by the query to only return a single row with a single column
+		$results = $stmt->fetch(PDO::FETCH_NUM);
+
+		// I don't expect this to ever be a value other than 0 or 1 since the `onwikiusername` column is declared as a
+		// unique key - but meh.
+		return $results[0] != 0;
+	}
+
+	/**
+	 * Does pretty much exactly what it says on the label - this method will clear all expired idcache entries from the
+	 * idcache table.  Meant to be called periodically by a maintenance script.
+	 *
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param PdoDatabase       $dbObject
+	 *
+	 * @return void
+	 */
+	public static function clearExpiredCacheEntries(SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
+	{
+		$interval = $siteConfiguration->getIdentificationCacheExpiry();
+
+		$query = <<<SQL
 			DELETE FROM `idcache`
 			WHERE DATE_ADD(`checktime`, INTERVAL {$interval}) < NOW();
 SQL;
-        $dbObject->prepare($query)->execute();
-    }
-
-    /**
-     * This method will add an entry to the idcache that the given Wikipedia user has been verified as identified.  This
-     * is so we don't have to hit the API every single time we check.  The cache entry is valid for as long as specified
-     * in the ACC configuration (validity enforced by checkIdentificationCache() and clearExpiredCacheEntries()).
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return void
-     * @category Security-Critical
-     */
-    private function cacheIdentificationStatus($onWikiName)
-    {
-        $query = <<<SQL
+		$dbObject->prepare($query)->execute();
+	}
+
+	/**
+	 * This method will add an entry to the idcache that the given Wikipedia user has been verified as identified.  This
+	 * is so we don't have to hit the API every single time we check.  The cache entry is valid for as long as specified
+	 * in the ACC configuration (validity enforced by checkIdentificationCache() and clearExpiredCacheEntries()).
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return void
+	 * @category Security-Critical
+	 */
+	private function cacheIdentificationStatus($onWikiName)
+	{
+		$query = <<<SQL
 			INSERT INTO `idcache`
 				(`onwikiusername`)
 			VALUES
@@ -161,45 +161,45 @@ 
 				`onwikiusername` = VALUES(`onwikiusername`),
 				`checktime` = CURRENT_TIMESTAMP;
 SQL;
-        $stmt = $this->dbObject->prepare($query);
-        $stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
-        $stmt->execute();
-    }
-
-    /**
-     * Queries the Wikimedia API to determine if the specified user is listed on the identification noticeboard.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @throws EnvironmentException
-     * @category Security-Critical
-     */
-    private function isIdentifiedOnWiki($onWikiName)
-    {
-        $strings = new StringFunctions();
-
-        // First character of Wikipedia usernames is always capitalized.
-        $onWikiName = $strings->upperCaseFirst($onWikiName);
-
-        $parameters = self::$apiQueryParameters;
-        $parameters['pltitles'] = "User:" . $onWikiName;
-        $parameters['titles'] = $this->siteConfiguration->getIdentificationNoticeboardPage();
-
-        try {
-            $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
-            $response = $this->httpHelper->get($endpoint, $parameters);
-            $response = json_decode($response, true);
-        } catch (CurlException $ex) {
-            // failed getting identification status, so throw a nicer error.
-            $message = 'Could not contact metawiki API to determine user\' identification status. '
-                . 'This is probably a transient error, so please try again.';
-
-            throw new EnvironmentException($message);
-        }
-
-        $page = @array_pop($response['query']['pages']);
-
-        return @$page['links'][0]['title'] === "User:" . $onWikiName;
-    }
+		$stmt = $this->dbObject->prepare($query);
+		$stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
+		$stmt->execute();
+	}
+
+	/**
+	 * Queries the Wikimedia API to determine if the specified user is listed on the identification noticeboard.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @throws EnvironmentException
+	 * @category Security-Critical
+	 */
+	private function isIdentifiedOnWiki($onWikiName)
+	{
+		$strings = new StringFunctions();
+
+		// First character of Wikipedia usernames is always capitalized.
+		$onWikiName = $strings->upperCaseFirst($onWikiName);
+
+		$parameters = self::$apiQueryParameters;
+		$parameters['pltitles'] = "User:" . $onWikiName;
+		$parameters['titles'] = $this->siteConfiguration->getIdentificationNoticeboardPage();
+
+		try {
+			$endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
+			$response = $this->httpHelper->get($endpoint, $parameters);
+			$response = json_decode($response, true);
+		} catch (CurlException $ex) {
+			// failed getting identification status, so throw a nicer error.
+			$message = 'Could not contact metawiki API to determine user\' identification status. '
+				. 'This is probably a transient error, so please try again.';
+
+			throw new EnvironmentException($message);
+		}
+
+		$page = @array_pop($response['query']['pages']);
+
+		return @$page['links'][0]['title'] === "User:" . $onWikiName;
+	}
 }

Braces +4 added lines, -5 removed lines

@@ -77,14 +77,12 @@ 
     {
         if ($this->checkIdentificationCache($onWikiName)) {
             return true;
-        }
-        else {
+        } else {
             if ($this->isIdentifiedOnWiki($onWikiName)) {
                 $this->cacheIdentificationStatus($onWikiName);
 
                 return true;
-            }
-            else {
+            } else {
                 return false;
             }
         }
@@ -190,7 +188,8 @@ 
             $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
             $response = $this->httpHelper->get($endpoint, $parameters);
             $response = json_decode($response, true);
-        } catch (CurlException $ex) {
+        }
+        catch (CurlException $ex) {
             // failed getting identification status, so throw a nicer error.
             $message = 'Could not contact metawiki API to determine user\' identification status. '
                 . 'This is probably a transient error, so please try again.';