mdaniels5757 /
waca
@@ -7,46 +7,46 @@ |
||
| 7 | 7 | ******************************************************************************/ |
| 8 | 8 | |
| 9 | 9 | $toolList = array( |
| 10 | - 'tparis-pcount' => '//tools.wmflabs.org/supercount/index.php?user=%DATA%&project=en.wikipedia', |
|
| 11 | - 'guc' => '//tools.wmflabs.org/guc/?by=date&user=%DATA%', |
|
| 12 | - 'oq-whois' => 'https://whois.domaintools.com/%DATA%', |
|
| 13 | - 'tl-whois' => 'https://tools.wmflabs.org/whois/gateway.py?lookup=true&ip=%DATA%', |
|
| 14 | - 'honeypot' => 'https://www.projecthoneypot.org/ip_%DATA%', |
|
| 15 | - 'stopforumspam' => 'https://www.stopforumspam.com/ipcheck/%DATA%', |
|
| 16 | - 'google' => 'https://www.google.com/search?q=%DATA%', |
|
| 17 | - 'domain' => 'http://%DATA%/', |
|
| 18 | - 'rangefinder' => 'https://tools.wmflabs.org/rangeblockfinder/?ip=%DATA%', |
|
| 10 | + 'tparis-pcount' => '//tools.wmflabs.org/supercount/index.php?user=%DATA%&project=en.wikipedia', |
|
| 11 | + 'guc' => '//tools.wmflabs.org/guc/?by=date&user=%DATA%', |
|
| 12 | + 'oq-whois' => 'https://whois.domaintools.com/%DATA%', |
|
| 13 | + 'tl-whois' => 'https://tools.wmflabs.org/whois/gateway.py?lookup=true&ip=%DATA%', |
|
| 14 | + 'honeypot' => 'https://www.projecthoneypot.org/ip_%DATA%', |
|
| 15 | + 'stopforumspam' => 'https://www.stopforumspam.com/ipcheck/%DATA%', |
|
| 16 | + 'google' => 'https://www.google.com/search?q=%DATA%', |
|
| 17 | + 'domain' => 'http://%DATA%/', |
|
| 18 | + 'rangefinder' => 'https://tools.wmflabs.org/rangeblockfinder/?ip=%DATA%', |
|
| 19 | 19 | 'ipcheck' => 'https://ipcheck.toolforge.org/index.php?ip=%DATA%', |
| 20 | 20 | 'bgpview' => 'https://bgpview.io/ip/%DATA%' |
| 21 | 21 | ); |
| 22 | 22 | |
| 23 | 23 | if (!isset($_GET['tool']) |
| 24 | - || !isset($toolList[$_GET['tool']]) |
|
| 25 | - || !isset($_GET['data']) |
|
| 24 | + || !isset($toolList[$_GET['tool']]) |
|
| 25 | + || !isset($_GET['data']) |
|
| 26 | 26 | ) { |
| 27 | - header("HTTP/1.1 403 Forbidden"); |
|
| 27 | + header("HTTP/1.1 403 Forbidden"); |
|
| 28 | 28 | |
| 29 | - return; |
|
| 29 | + return; |
|
| 30 | 30 | } |
| 31 | 31 | |
| 32 | 32 | if (isset($_GET['round2'])) { |
| 33 | - $data = $_GET['data']; |
|
| 34 | - $tool = $_GET['tool']; |
|
| 33 | + $data = $_GET['data']; |
|
| 34 | + $tool = $_GET['tool']; |
|
| 35 | 35 | |
| 36 | - if ($tool === 'domain') { |
|
| 37 | - // quick security check - if you want to exploit something, you better be sure your exploit resolves via dns. |
|
| 38 | - // this is not intended to catch everything, just as a quick sanity check. |
|
| 39 | - if (gethostbyname($data) == $data) { |
|
| 40 | - echo 'Error resolving hostname, it doesn\'t look like this domain exists.'; |
|
| 41 | - die(); |
|
| 42 | - } |
|
| 43 | - } |
|
| 44 | - else { |
|
| 45 | - $data = urlencode($data); |
|
| 46 | - } |
|
| 36 | + if ($tool === 'domain') { |
|
| 37 | + // quick security check - if you want to exploit something, you better be sure your exploit resolves via dns. |
|
| 38 | + // this is not intended to catch everything, just as a quick sanity check. |
|
| 39 | + if (gethostbyname($data) == $data) { |
|
| 40 | + echo 'Error resolving hostname, it doesn\'t look like this domain exists.'; |
|
| 41 | + die(); |
|
| 42 | + } |
|
| 43 | + } |
|
| 44 | + else { |
|
| 45 | + $data = urlencode($data); |
|
| 46 | + } |
|
| 47 | 47 | |
| 48 | - echo '<script>window.location.href=' . json_encode(str_replace("%DATA%", $data, $toolList[$tool])) . '</script>'; |
|
| 48 | + echo '<script>window.location.href=' . json_encode(str_replace("%DATA%", $data, $toolList[$tool])) . '</script>'; |
|
| 49 | 49 | } |
| 50 | 50 | else { |
| 51 | - header("Location: " . $_SERVER["REQUEST_URI"] . "&round2=true"); |
|
| 51 | + header("Location: " . $_SERVER["REQUEST_URI"] . "&round2=true"); |
|
| 52 | 52 | } |
@@ -40,13 +40,11 @@ |
||
| 40 | 40 | echo 'Error resolving hostname, it doesn\'t look like this domain exists.'; |
| 41 | 41 | die(); |
| 42 | 42 | } |
| 43 | - } |
|
| 44 | - else { |
|
| 43 | + } else { |
|
| 45 | 44 | $data = urlencode($data); |
| 46 | 45 | } |
| 47 | 46 | |
| 48 | 47 | echo '<script>window.location.href=' . json_encode(str_replace("%DATA%", $data, $toolList[$tool])) . '</script>'; |
| 49 | -} |
|
| 50 | -else { |
|
| 48 | +} else { |
|
| 51 | 49 | header("Location: " . $_SERVER["REQUEST_URI"] . "&round2=true"); |
| 52 | 50 | } |
@@ -13,17 +13,17 @@ |
||
| 13 | 13 | */ |
| 14 | 14 | function smarty_modifier_iphex($input) |
| 15 | 15 | { |
| 16 | - $output = $input; |
|
| 16 | + $output = $input; |
|
| 17 | 17 | |
| 18 | - if (filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) { |
|
| 19 | - $octets = explode('.', $input); |
|
| 20 | - $output = ''; |
|
| 21 | - foreach ($octets as $octet) { |
|
| 22 | - $output .= str_pad(dechex($octet), 2, '0', STR_PAD_LEFT); |
|
| 23 | - } |
|
| 18 | + if (filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) { |
|
| 19 | + $octets = explode('.', $input); |
|
| 20 | + $output = ''; |
|
| 21 | + foreach ($octets as $octet) { |
|
| 22 | + $output .= str_pad(dechex($octet), 2, '0', STR_PAD_LEFT); |
|
| 23 | + } |
|
| 24 | 24 | |
| 25 | - $output = str_pad($output, 32, '0', STR_PAD_LEFT); |
|
| 26 | - } |
|
| 25 | + $output = str_pad($output, 32, '0', STR_PAD_LEFT); |
|
| 26 | + } |
|
| 27 | 27 | |
| 28 | - return $output; |
|
| 28 | + return $output; |
|
| 29 | 29 | } |
@@ -14,9 +14,9 @@ |
||
| 14 | 14 | |
| 15 | 15 | function smarty_modifier_nlimplode($list, $conjunction = 'or') |
| 16 | 16 | { |
| 17 | - $last = array_pop($list); |
|
| 18 | - if ($list) { |
|
| 19 | - return implode(', ', $list) . ', ' . $conjunction . ' ' . $last; |
|
| 20 | - } |
|
| 21 | - return $last; |
|
| 17 | + $last = array_pop($list); |
|
| 18 | + if ($list) { |
|
| 19 | + return implode(', ', $list) . ', ' . $conjunction . ' ' . $last; |
|
| 20 | + } |
|
| 21 | + return $last; |
|
| 22 | 22 | } |
| 23 | 23 | \ No newline at end of file |
@@ -16,73 +16,73 @@ |
||
| 16 | 16 | */ |
| 17 | 17 | function smarty_modifier_relativedate($input) |
| 18 | 18 | { |
| 19 | - $now = new DateTime(); |
|
| 19 | + $now = new DateTime(); |
|
| 20 | 20 | |
| 21 | - if (gettype($input) === 'object' |
|
| 22 | - && (get_class($input) === DateTime::class || get_class($input) === DateTimeImmutable::class) |
|
| 23 | - ) { |
|
| 24 | - $then = $input; |
|
| 25 | - } |
|
| 26 | - else { |
|
| 27 | - try { |
|
| 28 | - $then = new DateTime($input); |
|
| 29 | - } |
|
| 30 | - catch(Exception $ex) { |
|
| 31 | - return $input; |
|
| 32 | - } |
|
| 33 | - } |
|
| 21 | + if (gettype($input) === 'object' |
|
| 22 | + && (get_class($input) === DateTime::class || get_class($input) === DateTimeImmutable::class) |
|
| 23 | + ) { |
|
| 24 | + $then = $input; |
|
| 25 | + } |
|
| 26 | + else { |
|
| 27 | + try { |
|
| 28 | + $then = new DateTime($input); |
|
| 29 | + } |
|
| 30 | + catch(Exception $ex) { |
|
| 31 | + return $input; |
|
| 32 | + } |
|
| 33 | + } |
|
| 34 | 34 | |
| 35 | - $secs = $now->getTimestamp() - $then->getTimestamp(); |
|
| 35 | + $secs = $now->getTimestamp() - $then->getTimestamp(); |
|
| 36 | 36 | |
| 37 | - $second = 1; |
|
| 38 | - $minute = 60 * $second; |
|
| 39 | - $minuteCut = 60 * $second; |
|
| 40 | - $hour = 60 * $minute; |
|
| 41 | - $hourCut = 90 * $minute; |
|
| 42 | - $day = 24 * $hour; |
|
| 43 | - $dayCut = 48 * $hour; |
|
| 44 | - $week = 7 * $day; |
|
| 45 | - $weekCut = 14 * $day; |
|
| 46 | - $month = 30 * $day; |
|
| 47 | - $monthCut = 60 * $day; |
|
| 48 | - $year = 365 * $day; |
|
| 49 | - $yearCut = $year * 2; |
|
| 37 | + $second = 1; |
|
| 38 | + $minute = 60 * $second; |
|
| 39 | + $minuteCut = 60 * $second; |
|
| 40 | + $hour = 60 * $minute; |
|
| 41 | + $hourCut = 90 * $minute; |
|
| 42 | + $day = 24 * $hour; |
|
| 43 | + $dayCut = 48 * $hour; |
|
| 44 | + $week = 7 * $day; |
|
| 45 | + $weekCut = 14 * $day; |
|
| 46 | + $month = 30 * $day; |
|
| 47 | + $monthCut = 60 * $day; |
|
| 48 | + $year = 365 * $day; |
|
| 49 | + $yearCut = $year * 2; |
|
| 50 | 50 | |
| 51 | - $pluralise = true; |
|
| 51 | + $pluralise = true; |
|
| 52 | 52 | |
| 53 | - if ($secs <= 10) { |
|
| 54 | - $output = "just now"; |
|
| 55 | - $pluralise = false; |
|
| 56 | - } |
|
| 57 | - elseif ($secs > 10 && $secs < $minuteCut) { |
|
| 58 | - $output = round($secs / $second) . " second"; |
|
| 59 | - } |
|
| 60 | - elseif ($secs >= $minuteCut && $secs < $hourCut) { |
|
| 61 | - $output = round($secs / $minute) . " minute"; |
|
| 62 | - } |
|
| 63 | - elseif ($secs >= $hourCut && $secs < $dayCut) { |
|
| 64 | - $output = round($secs / $hour) . " hour"; |
|
| 65 | - } |
|
| 66 | - elseif ($secs >= $dayCut && $secs < $weekCut) { |
|
| 67 | - $output = round($secs / $day) . " day"; |
|
| 68 | - } |
|
| 69 | - elseif ($secs >= $weekCut && $secs < $monthCut) { |
|
| 70 | - $output = round($secs / $week) . " week"; |
|
| 71 | - } |
|
| 72 | - elseif ($secs >= $monthCut && $secs < $yearCut) { |
|
| 73 | - $output = round($secs / $month) . " month"; |
|
| 74 | - } |
|
| 75 | - elseif ($secs >= $yearCut && $secs < $year * 10) { |
|
| 76 | - $output = round($secs / $year) . " year"; |
|
| 77 | - } |
|
| 78 | - else { |
|
| 79 | - $output = "a long time ago"; |
|
| 80 | - $pluralise = false; |
|
| 81 | - } |
|
| 53 | + if ($secs <= 10) { |
|
| 54 | + $output = "just now"; |
|
| 55 | + $pluralise = false; |
|
| 56 | + } |
|
| 57 | + elseif ($secs > 10 && $secs < $minuteCut) { |
|
| 58 | + $output = round($secs / $second) . " second"; |
|
| 59 | + } |
|
| 60 | + elseif ($secs >= $minuteCut && $secs < $hourCut) { |
|
| 61 | + $output = round($secs / $minute) . " minute"; |
|
| 62 | + } |
|
| 63 | + elseif ($secs >= $hourCut && $secs < $dayCut) { |
|
| 64 | + $output = round($secs / $hour) . " hour"; |
|
| 65 | + } |
|
| 66 | + elseif ($secs >= $dayCut && $secs < $weekCut) { |
|
| 67 | + $output = round($secs / $day) . " day"; |
|
| 68 | + } |
|
| 69 | + elseif ($secs >= $weekCut && $secs < $monthCut) { |
|
| 70 | + $output = round($secs / $week) . " week"; |
|
| 71 | + } |
|
| 72 | + elseif ($secs >= $monthCut && $secs < $yearCut) { |
|
| 73 | + $output = round($secs / $month) . " month"; |
|
| 74 | + } |
|
| 75 | + elseif ($secs >= $yearCut && $secs < $year * 10) { |
|
| 76 | + $output = round($secs / $year) . " year"; |
|
| 77 | + } |
|
| 78 | + else { |
|
| 79 | + $output = "a long time ago"; |
|
| 80 | + $pluralise = false; |
|
| 81 | + } |
|
| 82 | 82 | |
| 83 | - if ($pluralise) { |
|
| 84 | - $output = (substr($output, 0, 2) <> "1 ") ? $output . "s ago" : $output . " ago"; |
|
| 85 | - } |
|
| 83 | + if ($pluralise) { |
|
| 84 | + $output = (substr($output, 0, 2) <> "1 ") ? $output . "s ago" : $output . " ago"; |
|
| 85 | + } |
|
| 86 | 86 | |
| 87 | - return $output; |
|
| 87 | + return $output; |
|
| 88 | 88 | } |
@@ -27,7 +27,7 @@ |
||
| 27 | 27 | try { |
| 28 | 28 | $then = new DateTime($input); |
| 29 | 29 | } |
| 30 | - catch(Exception $ex) { |
|
| 30 | + catch (Exception $ex) { |
|
| 31 | 31 | return $input; |
| 32 | 32 | } |
| 33 | 33 | } |
@@ -22,8 +22,7 @@ discard block |
||
| 22 | 22 | && (get_class($input) === DateTime::class || get_class($input) === DateTimeImmutable::class) |
| 23 | 23 | ) { |
| 24 | 24 | $then = $input; |
| 25 | - } |
|
| 26 | - else { |
|
| 25 | + } else { |
|
| 27 | 26 | try { |
| 28 | 27 | $then = new DateTime($input); |
| 29 | 28 | } |
@@ -53,29 +52,21 @@ discard block |
||
| 53 | 52 | if ($secs <= 10) { |
| 54 | 53 | $output = "just now"; |
| 55 | 54 | $pluralise = false; |
| 56 | - } |
|
| 57 | - elseif ($secs > 10 && $secs < $minuteCut) { |
|
| 55 | + } elseif ($secs > 10 && $secs < $minuteCut) { |
|
| 58 | 56 | $output = round($secs / $second) . " second"; |
| 59 | - } |
|
| 60 | - elseif ($secs >= $minuteCut && $secs < $hourCut) { |
|
| 57 | + } elseif ($secs >= $minuteCut && $secs < $hourCut) { |
|
| 61 | 58 | $output = round($secs / $minute) . " minute"; |
| 62 | - } |
|
| 63 | - elseif ($secs >= $hourCut && $secs < $dayCut) { |
|
| 59 | + } elseif ($secs >= $hourCut && $secs < $dayCut) { |
|
| 64 | 60 | $output = round($secs / $hour) . " hour"; |
| 65 | - } |
|
| 66 | - elseif ($secs >= $dayCut && $secs < $weekCut) { |
|
| 61 | + } elseif ($secs >= $dayCut && $secs < $weekCut) { |
|
| 67 | 62 | $output = round($secs / $day) . " day"; |
| 68 | - } |
|
| 69 | - elseif ($secs >= $weekCut && $secs < $monthCut) { |
|
| 63 | + } elseif ($secs >= $weekCut && $secs < $monthCut) { |
|
| 70 | 64 | $output = round($secs / $week) . " week"; |
| 71 | - } |
|
| 72 | - elseif ($secs >= $monthCut && $secs < $yearCut) { |
|
| 65 | + } elseif ($secs >= $monthCut && $secs < $yearCut) { |
|
| 73 | 66 | $output = round($secs / $month) . " month"; |
| 74 | - } |
|
| 75 | - elseif ($secs >= $yearCut && $secs < $year * 10) { |
|
| 67 | + } elseif ($secs >= $yearCut && $secs < $year * 10) { |
|
| 76 | 68 | $output = round($secs / $year) . " year"; |
| 77 | - } |
|
| 78 | - else { |
|
| 69 | + } else { |
|
| 79 | 70 | $output = "a long time ago"; |
| 80 | 71 | $pluralise = false; |
| 81 | 72 | } |
@@ -13,10 +13,10 @@ |
||
| 13 | 13 | */ |
| 14 | 14 | function smarty_modifier_demodhex($input) |
| 15 | 15 | { |
| 16 | - $hex = preg_replace( |
|
| 17 | - array('/c/', '/b/', '/d/', '/e/', '/f/', '/g/', '/h/', '/i/', '/j/', '/k/', '/l/', '/n/', '/r/', '/t/', '/u/', '/v/'), |
|
| 18 | - array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'), |
|
| 19 | - $input); |
|
| 16 | + $hex = preg_replace( |
|
| 17 | + array('/c/', '/b/', '/d/', '/e/', '/f/', '/g/', '/h/', '/i/', '/j/', '/k/', '/l/', '/n/', '/r/', '/t/', '/u/', '/v/'), |
|
| 18 | + array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'), |
|
| 19 | + $input); |
|
| 20 | 20 | |
| 21 | - return hexdec($hex); |
|
| 21 | + return hexdec($hex); |
|
| 22 | 22 | } |
| 23 | 23 | \ No newline at end of file |
@@ -12,48 +12,48 @@ |
||
| 12 | 12 | |
| 13 | 13 | class EncryptionHelper |
| 14 | 14 | { |
| 15 | - /** |
|
| 16 | - * @var SiteConfiguration |
|
| 17 | - */ |
|
| 18 | - private $configuration; |
|
| 19 | - |
|
| 20 | - /** |
|
| 21 | - * EncryptionHelper constructor. |
|
| 22 | - * |
|
| 23 | - * @param SiteConfiguration $configuration |
|
| 24 | - */ |
|
| 25 | - public function __construct(SiteConfiguration $configuration) |
|
| 26 | - { |
|
| 27 | - $this->configuration = $configuration; |
|
| 28 | - } |
|
| 29 | - |
|
| 30 | - public function encryptData($secret) |
|
| 31 | - { |
|
| 32 | - $iv = openssl_random_pseudo_bytes(16); |
|
| 33 | - $password = $this->getEncryptionKey(); |
|
| 34 | - $encryptedKey = openssl_encrypt($secret, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 35 | - |
|
| 36 | - $data = base64_encode($iv) . '|' . base64_encode($encryptedKey); |
|
| 37 | - |
|
| 38 | - return $data; |
|
| 39 | - } |
|
| 40 | - |
|
| 41 | - public function decryptData($data) |
|
| 42 | - { |
|
| 43 | - list($iv, $encryptedKey) = array_map('base64_decode', explode('|', $data)); |
|
| 44 | - |
|
| 45 | - $password = $this->getEncryptionKey(); |
|
| 46 | - |
|
| 47 | - $secret = openssl_decrypt($encryptedKey, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 48 | - |
|
| 49 | - return $secret; |
|
| 50 | - } |
|
| 51 | - |
|
| 52 | - /** |
|
| 53 | - * @return string |
|
| 54 | - */ |
|
| 55 | - private function getEncryptionKey() |
|
| 56 | - { |
|
| 57 | - return openssl_digest($this->configuration->getTotpEncryptionKey(), 'sha256'); |
|
| 58 | - } |
|
| 15 | + /** |
|
| 16 | + * @var SiteConfiguration |
|
| 17 | + */ |
|
| 18 | + private $configuration; |
|
| 19 | + |
|
| 20 | + /** |
|
| 21 | + * EncryptionHelper constructor. |
|
| 22 | + * |
|
| 23 | + * @param SiteConfiguration $configuration |
|
| 24 | + */ |
|
| 25 | + public function __construct(SiteConfiguration $configuration) |
|
| 26 | + { |
|
| 27 | + $this->configuration = $configuration; |
|
| 28 | + } |
|
| 29 | + |
|
| 30 | + public function encryptData($secret) |
|
| 31 | + { |
|
| 32 | + $iv = openssl_random_pseudo_bytes(16); |
|
| 33 | + $password = $this->getEncryptionKey(); |
|
| 34 | + $encryptedKey = openssl_encrypt($secret, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 35 | + |
|
| 36 | + $data = base64_encode($iv) . '|' . base64_encode($encryptedKey); |
|
| 37 | + |
|
| 38 | + return $data; |
|
| 39 | + } |
|
| 40 | + |
|
| 41 | + public function decryptData($data) |
|
| 42 | + { |
|
| 43 | + list($iv, $encryptedKey) = array_map('base64_decode', explode('|', $data)); |
|
| 44 | + |
|
| 45 | + $password = $this->getEncryptionKey(); |
|
| 46 | + |
|
| 47 | + $secret = openssl_decrypt($encryptedKey, 'aes-256-ctr', $password, OPENSSL_RAW_DATA, $iv); |
|
| 48 | + |
|
| 49 | + return $secret; |
|
| 50 | + } |
|
| 51 | + |
|
| 52 | + /** |
|
| 53 | + * @return string |
|
| 54 | + */ |
|
| 55 | + private function getEncryptionKey() |
|
| 56 | + { |
|
| 57 | + return openssl_digest($this->configuration->getTotpEncryptionKey(), 'sha256'); |
|
| 58 | + } |
|
| 59 | 59 | } |
| 60 | 60 | \ No newline at end of file |
@@ -12,100 +12,100 @@ |
||
| 12 | 12 | |
| 13 | 13 | class ContentSecurityPolicyManager |
| 14 | 14 | { |
| 15 | - private $policy = [ |
|
| 16 | - 'default-src' => [], |
|
| 17 | - 'script-src' => ['self', 'nonce'], |
|
| 18 | - 'script-src-elem' => ['self', 'nonce'], |
|
| 19 | - 'script-src-attr' => [], |
|
| 20 | - 'connect-src' => ['self'], |
|
| 21 | - 'style-src' => ['self'], |
|
| 22 | - 'style-src-elem' => ['self'], |
|
| 23 | - 'style-src-attr' => [], |
|
| 24 | - 'img-src' => ['self', 'data:', 'https://upload.wikimedia.org', 'https://accounts-dev.wmflabs.org/'], |
|
| 25 | - 'font-src' => ['self'], |
|
| 26 | - 'form-action' => ['self', 'oauth'], |
|
| 27 | - 'frame-ancestors' => [], |
|
| 28 | - ]; |
|
| 29 | - private $nonce = null; |
|
| 30 | - private $reportOnly = false; |
|
| 31 | - /** |
|
| 32 | - * @var SiteConfiguration |
|
| 33 | - */ |
|
| 34 | - private $configuration; |
|
| 15 | + private $policy = [ |
|
| 16 | + 'default-src' => [], |
|
| 17 | + 'script-src' => ['self', 'nonce'], |
|
| 18 | + 'script-src-elem' => ['self', 'nonce'], |
|
| 19 | + 'script-src-attr' => [], |
|
| 20 | + 'connect-src' => ['self'], |
|
| 21 | + 'style-src' => ['self'], |
|
| 22 | + 'style-src-elem' => ['self'], |
|
| 23 | + 'style-src-attr' => [], |
|
| 24 | + 'img-src' => ['self', 'data:', 'https://upload.wikimedia.org', 'https://accounts-dev.wmflabs.org/'], |
|
| 25 | + 'font-src' => ['self'], |
|
| 26 | + 'form-action' => ['self', 'oauth'], |
|
| 27 | + 'frame-ancestors' => [], |
|
| 28 | + ]; |
|
| 29 | + private $nonce = null; |
|
| 30 | + private $reportOnly = false; |
|
| 31 | + /** |
|
| 32 | + * @var SiteConfiguration |
|
| 33 | + */ |
|
| 34 | + private $configuration; |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * ContentSecurityPolicyManager constructor. |
|
| 38 | - * |
|
| 39 | - * @param SiteConfiguration $configuration |
|
| 40 | - */ |
|
| 41 | - public function __construct(SiteConfiguration $configuration) |
|
| 42 | - { |
|
| 43 | - $this->configuration = $configuration; |
|
| 44 | - } |
|
| 36 | + /** |
|
| 37 | + * ContentSecurityPolicyManager constructor. |
|
| 38 | + * |
|
| 39 | + * @param SiteConfiguration $configuration |
|
| 40 | + */ |
|
| 41 | + public function __construct(SiteConfiguration $configuration) |
|
| 42 | + { |
|
| 43 | + $this->configuration = $configuration; |
|
| 44 | + } |
|
| 45 | 45 | |
| 46 | - public function getNonce() |
|
| 47 | - { |
|
| 48 | - if ($this->nonce === null) { |
|
| 49 | - $this->nonce = base64_encode(openssl_random_pseudo_bytes(32)); |
|
| 50 | - } |
|
| 46 | + public function getNonce() |
|
| 47 | + { |
|
| 48 | + if ($this->nonce === null) { |
|
| 49 | + $this->nonce = base64_encode(openssl_random_pseudo_bytes(32)); |
|
| 50 | + } |
|
| 51 | 51 | |
| 52 | - return $this->nonce; |
|
| 53 | - } |
|
| 52 | + return $this->nonce; |
|
| 53 | + } |
|
| 54 | 54 | |
| 55 | - public function getHeader(): string |
|
| 56 | - { |
|
| 57 | - $reportOnly = ''; |
|
| 58 | - if ($this->reportOnly) { |
|
| 59 | - $reportOnly = '-Report-Only'; |
|
| 60 | - } |
|
| 55 | + public function getHeader(): string |
|
| 56 | + { |
|
| 57 | + $reportOnly = ''; |
|
| 58 | + if ($this->reportOnly) { |
|
| 59 | + $reportOnly = '-Report-Only'; |
|
| 60 | + } |
|
| 61 | 61 | |
| 62 | - $constructedPolicy = "Content-Security-Policy{$reportOnly}: "; |
|
| 62 | + $constructedPolicy = "Content-Security-Policy{$reportOnly}: "; |
|
| 63 | 63 | |
| 64 | - foreach ($this->policy as $item => $values) { |
|
| 65 | - $constructedPolicy .= $item . ' '; |
|
| 66 | - $policyIsSet = false; |
|
| 64 | + foreach ($this->policy as $item => $values) { |
|
| 65 | + $constructedPolicy .= $item . ' '; |
|
| 66 | + $policyIsSet = false; |
|
| 67 | 67 | |
| 68 | - if (count($values) > 0) { |
|
| 69 | - foreach ($values as $value) { |
|
| 70 | - switch ($value) { |
|
| 71 | - case 'none': |
|
| 72 | - case 'self': |
|
| 73 | - case 'strict-dynamic': |
|
| 74 | - $policyIsSet = true; |
|
| 75 | - $constructedPolicy .= "'{$value}' "; |
|
| 76 | - break; |
|
| 77 | - case 'nonce': |
|
| 78 | - if ($this->nonce !== null) { |
|
| 79 | - $policyIsSet = true; |
|
| 80 | - $constructedPolicy .= "'nonce-{$this->nonce}' "; |
|
| 81 | - } |
|
| 82 | - break; |
|
| 83 | - case 'oauth': |
|
| 84 | - $policyIsSet = true; |
|
| 85 | - $constructedPolicy .= "{$this->configuration->getOauthMediaWikiCanonicalServer()} "; |
|
| 86 | - break; |
|
| 87 | - default: |
|
| 88 | - $policyIsSet = true; |
|
| 89 | - $constructedPolicy .= $value . ' '; |
|
| 90 | - break; |
|
| 91 | - } |
|
| 92 | - } |
|
| 68 | + if (count($values) > 0) { |
|
| 69 | + foreach ($values as $value) { |
|
| 70 | + switch ($value) { |
|
| 71 | + case 'none': |
|
| 72 | + case 'self': |
|
| 73 | + case 'strict-dynamic': |
|
| 74 | + $policyIsSet = true; |
|
| 75 | + $constructedPolicy .= "'{$value}' "; |
|
| 76 | + break; |
|
| 77 | + case 'nonce': |
|
| 78 | + if ($this->nonce !== null) { |
|
| 79 | + $policyIsSet = true; |
|
| 80 | + $constructedPolicy .= "'nonce-{$this->nonce}' "; |
|
| 81 | + } |
|
| 82 | + break; |
|
| 83 | + case 'oauth': |
|
| 84 | + $policyIsSet = true; |
|
| 85 | + $constructedPolicy .= "{$this->configuration->getOauthMediaWikiCanonicalServer()} "; |
|
| 86 | + break; |
|
| 87 | + default: |
|
| 88 | + $policyIsSet = true; |
|
| 89 | + $constructedPolicy .= $value . ' '; |
|
| 90 | + break; |
|
| 91 | + } |
|
| 92 | + } |
|
| 93 | 93 | |
| 94 | - if (!$policyIsSet) { |
|
| 95 | - $constructedPolicy .= "'none' "; |
|
| 96 | - } |
|
| 97 | - } |
|
| 98 | - else { |
|
| 99 | - $constructedPolicy .= "'none' "; |
|
| 100 | - } |
|
| 94 | + if (!$policyIsSet) { |
|
| 95 | + $constructedPolicy .= "'none' "; |
|
| 96 | + } |
|
| 97 | + } |
|
| 98 | + else { |
|
| 99 | + $constructedPolicy .= "'none' "; |
|
| 100 | + } |
|
| 101 | 101 | |
| 102 | - $constructedPolicy .= '; '; |
|
| 103 | - } |
|
| 102 | + $constructedPolicy .= '; '; |
|
| 103 | + } |
|
| 104 | 104 | |
| 105 | - if ($this->configuration->getCspReportUri() !== null) { |
|
| 106 | - $constructedPolicy .= 'report-uri ' . $this->configuration->getCspReportUri(); |
|
| 107 | - } |
|
| 105 | + if ($this->configuration->getCspReportUri() !== null) { |
|
| 106 | + $constructedPolicy .= 'report-uri ' . $this->configuration->getCspReportUri(); |
|
| 107 | + } |
|
| 108 | 108 | |
| 109 | - return $constructedPolicy; |
|
| 110 | - } |
|
| 109 | + return $constructedPolicy; |
|
| 110 | + } |
|
| 111 | 111 | } |
@@ -94,8 +94,7 @@ |
||
| 94 | 94 | if (!$policyIsSet) { |
| 95 | 95 | $constructedPolicy .= "'none' "; |
| 96 | 96 | } |
| 97 | - } |
|
| 98 | - else { |
|
| 97 | + } else { |
|
| 99 | 98 | $constructedPolicy .= "'none' "; |
| 100 | 99 | } |
| 101 | 100 | |
@@ -20,136 +20,136 @@ |
||
| 20 | 20 | |
| 21 | 21 | class ScratchTokenCredentialProvider extends CredentialProviderBase |
| 22 | 22 | { |
| 23 | - /** @var EncryptionHelper */ |
|
| 24 | - private $encryptionHelper; |
|
| 25 | - /** @var array the tokens generated in the last generation round. */ |
|
| 26 | - private $generatedTokens; |
|
| 27 | - |
|
| 28 | - /** |
|
| 29 | - * ScratchTokenCredentialProvider constructor. |
|
| 30 | - * |
|
| 31 | - * @param PdoDatabase $database |
|
| 32 | - * @param SiteConfiguration $configuration |
|
| 33 | - */ |
|
| 34 | - public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 35 | - { |
|
| 36 | - parent::__construct($database, $configuration, 'scratch'); |
|
| 37 | - $this->encryptionHelper = new EncryptionHelper($configuration); |
|
| 38 | - } |
|
| 39 | - |
|
| 40 | - /** |
|
| 41 | - * Validates a user-provided credential |
|
| 42 | - * |
|
| 43 | - * @param User $user The user to test the authentication against |
|
| 44 | - * @param string $data The raw credential data to be validated |
|
| 45 | - * |
|
| 46 | - * @return bool |
|
| 47 | - * @throws ApplicationLogicException|OptimisticLockFailedException |
|
| 48 | - */ |
|
| 49 | - public function authenticate(User $user, $data) |
|
| 50 | - { |
|
| 51 | - if (is_array($data)) { |
|
| 52 | - return false; |
|
| 53 | - } |
|
| 54 | - |
|
| 55 | - $storedData = $this->getCredentialData($user->getId()); |
|
| 56 | - |
|
| 57 | - if ($storedData === null) { |
|
| 58 | - throw new ApplicationLogicException('Credential data not found'); |
|
| 59 | - } |
|
| 60 | - |
|
| 61 | - $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 62 | - |
|
| 63 | - $usedToken = null; |
|
| 64 | - foreach ($scratchTokens as $scratchToken) { |
|
| 65 | - if (password_verify($data, $scratchToken)){ |
|
| 66 | - $usedToken = $scratchToken; |
|
| 67 | - SessionAlert::quick("Hey, it looks like you used a scratch token to log in. Would you like to change your multi-factor authentication configuration?", 'alert-warning'); |
|
| 68 | - WebRequest::setPostLoginRedirect($this->getConfiguration()->getBaseUrl() . "/internal.php/multiFactor"); |
|
| 69 | - break; |
|
| 70 | - } |
|
| 71 | - } |
|
| 72 | - |
|
| 73 | - if($usedToken === null) { |
|
| 74 | - return false; |
|
| 75 | - } |
|
| 76 | - |
|
| 77 | - $scratchTokens = array_diff($scratchTokens, [$usedToken]); |
|
| 78 | - |
|
| 79 | - $storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens))); |
|
| 80 | - $storedData->save(); |
|
| 81 | - |
|
| 82 | - return true; |
|
| 83 | - } |
|
| 84 | - |
|
| 85 | - /** |
|
| 86 | - * @param User $user The user the credential belongs to |
|
| 87 | - * @param int $factor The factor this credential provides |
|
| 88 | - * @param string $data Unused. |
|
| 89 | - * |
|
| 90 | - * @throws OptimisticLockFailedException |
|
| 91 | - */ |
|
| 92 | - public function setCredential(User $user, $factor, $data) |
|
| 93 | - { |
|
| 94 | - $plaintextScratch = array(); |
|
| 95 | - $storedScratch = array(); |
|
| 96 | - for ($i = 0; $i < 5; $i++) { |
|
| 97 | - $token = Base32::encodeUpper(openssl_random_pseudo_bytes(10)); |
|
| 98 | - $plaintextScratch[] = $token; |
|
| 99 | - |
|
| 100 | - $storedScratch[] = password_hash( |
|
| 101 | - $token, |
|
| 102 | - PasswordCredentialProvider::PASSWORD_ALGO, |
|
| 103 | - array('cost' => PasswordCredentialProvider::PASSWORD_COST) |
|
| 104 | - ); |
|
| 105 | - } |
|
| 106 | - |
|
| 107 | - $storedData = $this->getCredentialData($user->getId(), null); |
|
| 108 | - |
|
| 109 | - if ($storedData !== null) { |
|
| 110 | - $storedData->delete(); |
|
| 111 | - } |
|
| 112 | - |
|
| 113 | - $storedData = $this->createNewCredential($user); |
|
| 114 | - |
|
| 115 | - $storedData->setData($this->encryptionHelper->encryptData(serialize($storedScratch))); |
|
| 116 | - $storedData->setFactor($factor); |
|
| 117 | - $storedData->setVersion(1); |
|
| 118 | - $storedData->setPriority(9); |
|
| 119 | - |
|
| 120 | - $storedData->save(); |
|
| 121 | - $this->generatedTokens = $plaintextScratch; |
|
| 122 | - } |
|
| 123 | - |
|
| 124 | - /** |
|
| 125 | - * Gets the count of remaining valid tokens |
|
| 126 | - * |
|
| 127 | - * @param int $userId |
|
| 128 | - * |
|
| 129 | - * @return int |
|
| 130 | - */ |
|
| 131 | - public function getRemaining($userId) |
|
| 132 | - { |
|
| 133 | - $storedData = $this->getCredentialData($userId); |
|
| 134 | - |
|
| 135 | - if ($storedData === null) { |
|
| 136 | - return 0; |
|
| 137 | - } |
|
| 138 | - |
|
| 139 | - $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 140 | - |
|
| 141 | - return count($scratchTokens); |
|
| 142 | - } |
|
| 143 | - |
|
| 144 | - /** |
|
| 145 | - * @return array |
|
| 146 | - */ |
|
| 147 | - public function getTokens() |
|
| 148 | - { |
|
| 149 | - if ($this->generatedTokens != null) { |
|
| 150 | - return $this->generatedTokens; |
|
| 151 | - } |
|
| 152 | - |
|
| 153 | - return array(); |
|
| 154 | - } |
|
| 23 | + /** @var EncryptionHelper */ |
|
| 24 | + private $encryptionHelper; |
|
| 25 | + /** @var array the tokens generated in the last generation round. */ |
|
| 26 | + private $generatedTokens; |
|
| 27 | + |
|
| 28 | + /** |
|
| 29 | + * ScratchTokenCredentialProvider constructor. |
|
| 30 | + * |
|
| 31 | + * @param PdoDatabase $database |
|
| 32 | + * @param SiteConfiguration $configuration |
|
| 33 | + */ |
|
| 34 | + public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 35 | + { |
|
| 36 | + parent::__construct($database, $configuration, 'scratch'); |
|
| 37 | + $this->encryptionHelper = new EncryptionHelper($configuration); |
|
| 38 | + } |
|
| 39 | + |
|
| 40 | + /** |
|
| 41 | + * Validates a user-provided credential |
|
| 42 | + * |
|
| 43 | + * @param User $user The user to test the authentication against |
|
| 44 | + * @param string $data The raw credential data to be validated |
|
| 45 | + * |
|
| 46 | + * @return bool |
|
| 47 | + * @throws ApplicationLogicException|OptimisticLockFailedException |
|
| 48 | + */ |
|
| 49 | + public function authenticate(User $user, $data) |
|
| 50 | + { |
|
| 51 | + if (is_array($data)) { |
|
| 52 | + return false; |
|
| 53 | + } |
|
| 54 | + |
|
| 55 | + $storedData = $this->getCredentialData($user->getId()); |
|
| 56 | + |
|
| 57 | + if ($storedData === null) { |
|
| 58 | + throw new ApplicationLogicException('Credential data not found'); |
|
| 59 | + } |
|
| 60 | + |
|
| 61 | + $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 62 | + |
|
| 63 | + $usedToken = null; |
|
| 64 | + foreach ($scratchTokens as $scratchToken) { |
|
| 65 | + if (password_verify($data, $scratchToken)){ |
|
| 66 | + $usedToken = $scratchToken; |
|
| 67 | + SessionAlert::quick("Hey, it looks like you used a scratch token to log in. Would you like to change your multi-factor authentication configuration?", 'alert-warning'); |
|
| 68 | + WebRequest::setPostLoginRedirect($this->getConfiguration()->getBaseUrl() . "/internal.php/multiFactor"); |
|
| 69 | + break; |
|
| 70 | + } |
|
| 71 | + } |
|
| 72 | + |
|
| 73 | + if($usedToken === null) { |
|
| 74 | + return false; |
|
| 75 | + } |
|
| 76 | + |
|
| 77 | + $scratchTokens = array_diff($scratchTokens, [$usedToken]); |
|
| 78 | + |
|
| 79 | + $storedData->setData($this->encryptionHelper->encryptData(serialize($scratchTokens))); |
|
| 80 | + $storedData->save(); |
|
| 81 | + |
|
| 82 | + return true; |
|
| 83 | + } |
|
| 84 | + |
|
| 85 | + /** |
|
| 86 | + * @param User $user The user the credential belongs to |
|
| 87 | + * @param int $factor The factor this credential provides |
|
| 88 | + * @param string $data Unused. |
|
| 89 | + * |
|
| 90 | + * @throws OptimisticLockFailedException |
|
| 91 | + */ |
|
| 92 | + public function setCredential(User $user, $factor, $data) |
|
| 93 | + { |
|
| 94 | + $plaintextScratch = array(); |
|
| 95 | + $storedScratch = array(); |
|
| 96 | + for ($i = 0; $i < 5; $i++) { |
|
| 97 | + $token = Base32::encodeUpper(openssl_random_pseudo_bytes(10)); |
|
| 98 | + $plaintextScratch[] = $token; |
|
| 99 | + |
|
| 100 | + $storedScratch[] = password_hash( |
|
| 101 | + $token, |
|
| 102 | + PasswordCredentialProvider::PASSWORD_ALGO, |
|
| 103 | + array('cost' => PasswordCredentialProvider::PASSWORD_COST) |
|
| 104 | + ); |
|
| 105 | + } |
|
| 106 | + |
|
| 107 | + $storedData = $this->getCredentialData($user->getId(), null); |
|
| 108 | + |
|
| 109 | + if ($storedData !== null) { |
|
| 110 | + $storedData->delete(); |
|
| 111 | + } |
|
| 112 | + |
|
| 113 | + $storedData = $this->createNewCredential($user); |
|
| 114 | + |
|
| 115 | + $storedData->setData($this->encryptionHelper->encryptData(serialize($storedScratch))); |
|
| 116 | + $storedData->setFactor($factor); |
|
| 117 | + $storedData->setVersion(1); |
|
| 118 | + $storedData->setPriority(9); |
|
| 119 | + |
|
| 120 | + $storedData->save(); |
|
| 121 | + $this->generatedTokens = $plaintextScratch; |
|
| 122 | + } |
|
| 123 | + |
|
| 124 | + /** |
|
| 125 | + * Gets the count of remaining valid tokens |
|
| 126 | + * |
|
| 127 | + * @param int $userId |
|
| 128 | + * |
|
| 129 | + * @return int |
|
| 130 | + */ |
|
| 131 | + public function getRemaining($userId) |
|
| 132 | + { |
|
| 133 | + $storedData = $this->getCredentialData($userId); |
|
| 134 | + |
|
| 135 | + if ($storedData === null) { |
|
| 136 | + return 0; |
|
| 137 | + } |
|
| 138 | + |
|
| 139 | + $scratchTokens = unserialize($this->encryptionHelper->decryptData($storedData->getData())); |
|
| 140 | + |
|
| 141 | + return count($scratchTokens); |
|
| 142 | + } |
|
| 143 | + |
|
| 144 | + /** |
|
| 145 | + * @return array |
|
| 146 | + */ |
|
| 147 | + public function getTokens() |
|
| 148 | + { |
|
| 149 | + if ($this->generatedTokens != null) { |
|
| 150 | + return $this->generatedTokens; |
|
| 151 | + } |
|
| 152 | + |
|
| 153 | + return array(); |
|
| 154 | + } |
|
| 155 | 155 | } |
@@ -62,7 +62,7 @@ discard block |
||
| 62 | 62 | |
| 63 | 63 | $usedToken = null; |
| 64 | 64 | foreach ($scratchTokens as $scratchToken) { |
| 65 | - if (password_verify($data, $scratchToken)){ |
|
| 65 | + if (password_verify($data, $scratchToken)) { |
|
| 66 | 66 | $usedToken = $scratchToken; |
| 67 | 67 | SessionAlert::quick("Hey, it looks like you used a scratch token to log in. Would you like to change your multi-factor authentication configuration?", 'alert-warning'); |
| 68 | 68 | WebRequest::setPostLoginRedirect($this->getConfiguration()->getBaseUrl() . "/internal.php/multiFactor"); |
@@ -70,7 +70,7 @@ discard block |
||
| 70 | 70 | } |
| 71 | 71 | } |
| 72 | 72 | |
| 73 | - if($usedToken === null) { |
|
| 73 | + if ($usedToken === null) { |
|
| 74 | 74 | return false; |
| 75 | 75 | } |
| 76 | 76 | |
@@ -62,7 +62,7 @@ |
||
| 62 | 62 | |
| 63 | 63 | $usedToken = null; |
| 64 | 64 | foreach ($scratchTokens as $scratchToken) { |
| 65 | - if (password_verify($data, $scratchToken)){ |
|
| 65 | + if (password_verify($data, $scratchToken)) { |
|
| 66 | 66 | $usedToken = $scratchToken; |
| 67 | 67 | SessionAlert::quick("Hey, it looks like you used a scratch token to log in. Would you like to change your multi-factor authentication configuration?", 'alert-warning'); |
| 68 | 68 | WebRequest::setPostLoginRedirect($this->getConfiguration()->getBaseUrl() . "/internal.php/multiFactor"); |
@@ -20,131 +20,131 @@ |
||
| 20 | 20 | |
| 21 | 21 | class U2FCredentialProvider extends CredentialProviderBase |
| 22 | 22 | { |
| 23 | - /** @var U2F */ |
|
| 24 | - private $u2f; |
|
| 25 | - |
|
| 26 | - /** |
|
| 27 | - * U2FCredentialProvider constructor. |
|
| 28 | - * |
|
| 29 | - * @param PdoDatabase $database |
|
| 30 | - * @param SiteConfiguration $configuration |
|
| 31 | - */ |
|
| 32 | - public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 33 | - { |
|
| 34 | - parent::__construct($database, $configuration, 'u2f'); |
|
| 35 | - |
|
| 36 | - $appId = 'https://' . WebRequest::httpHost(); |
|
| 37 | - $this->u2f = new U2F($appId); |
|
| 38 | - } |
|
| 39 | - |
|
| 40 | - /** |
|
| 41 | - * Validates a user-provided credential |
|
| 42 | - * |
|
| 43 | - * @param User $user The user to test the authentication against |
|
| 44 | - * @param string $data The raw credential data to be validated |
|
| 45 | - * |
|
| 46 | - * @return bool |
|
| 47 | - * @throws OptimisticLockFailedException |
|
| 48 | - */ |
|
| 49 | - public function authenticate(User $user, $data) |
|
| 50 | - { |
|
| 51 | - if (!is_array($data)) { |
|
| 52 | - return false; |
|
| 53 | - } |
|
| 54 | - |
|
| 55 | - list($authenticate, $request, $isU2F) = $data; |
|
| 56 | - |
|
| 57 | - if ($isU2F !== 'u2f') { |
|
| 58 | - return false; |
|
| 59 | - } |
|
| 60 | - |
|
| 61 | - $storedData = $this->getCredentialData($user->getId(), false); |
|
| 62 | - $registrations = json_decode($storedData->getData()); |
|
| 63 | - |
|
| 64 | - try { |
|
| 65 | - $updatedRegistration = $this->u2f->doAuthenticate($request, array($registrations), $authenticate); |
|
| 66 | - $storedData->setData(json_encode($updatedRegistration)); |
|
| 67 | - $storedData->save(); |
|
| 68 | - } |
|
| 69 | - catch (Error $ex) { |
|
| 70 | - return false; |
|
| 71 | - } |
|
| 72 | - |
|
| 73 | - return true; |
|
| 74 | - } |
|
| 75 | - |
|
| 76 | - public function enable(User $user, $request, $u2fData) |
|
| 77 | - { |
|
| 78 | - $registrationData = $this->u2f->doRegister($request, $u2fData); |
|
| 79 | - |
|
| 80 | - $storedData = $this->getCredentialData($user->getId(), true); |
|
| 81 | - |
|
| 82 | - if ($storedData === null) { |
|
| 83 | - throw new ApplicationLogicException('Credential data not found'); |
|
| 84 | - } |
|
| 85 | - |
|
| 86 | - if ($storedData->getTimeout() > new DateTimeImmutable()) { |
|
| 87 | - $storedData->setData(json_encode($registrationData)); |
|
| 88 | - $storedData->setDisabled(0); |
|
| 89 | - $storedData->setTimeout(null); |
|
| 90 | - $storedData->save(); |
|
| 91 | - } |
|
| 92 | - } |
|
| 93 | - |
|
| 94 | - /** |
|
| 95 | - * @param User $user The user the credential belongs to |
|
| 96 | - * @param int $factor The factor this credential provides |
|
| 97 | - * @param string $data Unused here, due to multi-stage enrollment |
|
| 98 | - */ |
|
| 99 | - public function setCredential(User $user, $factor, $data) |
|
| 100 | - { |
|
| 101 | - $storedData = $this->getCredentialData($user->getId(), null); |
|
| 102 | - |
|
| 103 | - if ($storedData !== null) { |
|
| 104 | - $storedData->delete(); |
|
| 105 | - } |
|
| 106 | - |
|
| 107 | - $storedData = $this->createNewCredential($user); |
|
| 108 | - |
|
| 109 | - $storedData->setData(null); |
|
| 110 | - $storedData->setFactor($factor); |
|
| 111 | - $storedData->setTimeout(new DateTimeImmutable('+ 1 hour')); |
|
| 112 | - $storedData->setDisabled(1); |
|
| 113 | - $storedData->setPriority(4); |
|
| 114 | - $storedData->setVersion(1); |
|
| 115 | - |
|
| 116 | - $storedData->save(); |
|
| 117 | - } |
|
| 118 | - |
|
| 119 | - public function isPartiallyEnrolled(User $user) |
|
| 120 | - { |
|
| 121 | - $storedData = $this->getCredentialData($user->getId(), true); |
|
| 122 | - |
|
| 123 | - if ($storedData->getTimeout() < new DateTimeImmutable()) { |
|
| 124 | - $storedData->delete(); |
|
| 125 | - |
|
| 126 | - return false; |
|
| 127 | - } |
|
| 128 | - |
|
| 129 | - if ($storedData === null) { |
|
| 130 | - return false; |
|
| 131 | - } |
|
| 132 | - |
|
| 133 | - return true; |
|
| 134 | - } |
|
| 135 | - |
|
| 136 | - public function getRegistrationData() |
|
| 137 | - { |
|
| 138 | - return $this->u2f->getRegisterData(); |
|
| 139 | - } |
|
| 140 | - |
|
| 141 | - public function getAuthenticationData(User $user) |
|
| 142 | - { |
|
| 143 | - $storedData = $this->getCredentialData($user->getId(), false); |
|
| 144 | - $registrations = json_decode($storedData->getData()); |
|
| 145 | - |
|
| 146 | - $authenticateData = $this->u2f->getAuthenticateData(array($registrations)); |
|
| 147 | - |
|
| 148 | - return $authenticateData; |
|
| 149 | - } |
|
| 23 | + /** @var U2F */ |
|
| 24 | + private $u2f; |
|
| 25 | + |
|
| 26 | + /** |
|
| 27 | + * U2FCredentialProvider constructor. |
|
| 28 | + * |
|
| 29 | + * @param PdoDatabase $database |
|
| 30 | + * @param SiteConfiguration $configuration |
|
| 31 | + */ |
|
| 32 | + public function __construct(PdoDatabase $database, SiteConfiguration $configuration) |
|
| 33 | + { |
|
| 34 | + parent::__construct($database, $configuration, 'u2f'); |
|
| 35 | + |
|
| 36 | + $appId = 'https://' . WebRequest::httpHost(); |
|
| 37 | + $this->u2f = new U2F($appId); |
|
| 38 | + } |
|
| 39 | + |
|
| 40 | + /** |
|
| 41 | + * Validates a user-provided credential |
|
| 42 | + * |
|
| 43 | + * @param User $user The user to test the authentication against |
|
| 44 | + * @param string $data The raw credential data to be validated |
|
| 45 | + * |
|
| 46 | + * @return bool |
|
| 47 | + * @throws OptimisticLockFailedException |
|
| 48 | + */ |
|
| 49 | + public function authenticate(User $user, $data) |
|
| 50 | + { |
|
| 51 | + if (!is_array($data)) { |
|
| 52 | + return false; |
|
| 53 | + } |
|
| 54 | + |
|
| 55 | + list($authenticate, $request, $isU2F) = $data; |
|
| 56 | + |
|
| 57 | + if ($isU2F !== 'u2f') { |
|
| 58 | + return false; |
|
| 59 | + } |
|
| 60 | + |
|
| 61 | + $storedData = $this->getCredentialData($user->getId(), false); |
|
| 62 | + $registrations = json_decode($storedData->getData()); |
|
| 63 | + |
|
| 64 | + try { |
|
| 65 | + $updatedRegistration = $this->u2f->doAuthenticate($request, array($registrations), $authenticate); |
|
| 66 | + $storedData->setData(json_encode($updatedRegistration)); |
|
| 67 | + $storedData->save(); |
|
| 68 | + } |
|
| 69 | + catch (Error $ex) { |
|
| 70 | + return false; |
|
| 71 | + } |
|
| 72 | + |
|
| 73 | + return true; |
|
| 74 | + } |
|
| 75 | + |
|
| 76 | + public function enable(User $user, $request, $u2fData) |
|
| 77 | + { |
|
| 78 | + $registrationData = $this->u2f->doRegister($request, $u2fData); |
|
| 79 | + |
|
| 80 | + $storedData = $this->getCredentialData($user->getId(), true); |
|
| 81 | + |
|
| 82 | + if ($storedData === null) { |
|
| 83 | + throw new ApplicationLogicException('Credential data not found'); |
|
| 84 | + } |
|
| 85 | + |
|
| 86 | + if ($storedData->getTimeout() > new DateTimeImmutable()) { |
|
| 87 | + $storedData->setData(json_encode($registrationData)); |
|
| 88 | + $storedData->setDisabled(0); |
|
| 89 | + $storedData->setTimeout(null); |
|
| 90 | + $storedData->save(); |
|
| 91 | + } |
|
| 92 | + } |
|
| 93 | + |
|
| 94 | + /** |
|
| 95 | + * @param User $user The user the credential belongs to |
|
| 96 | + * @param int $factor The factor this credential provides |
|
| 97 | + * @param string $data Unused here, due to multi-stage enrollment |
|
| 98 | + */ |
|
| 99 | + public function setCredential(User $user, $factor, $data) |
|
| 100 | + { |
|
| 101 | + $storedData = $this->getCredentialData($user->getId(), null); |
|
| 102 | + |
|
| 103 | + if ($storedData !== null) { |
|
| 104 | + $storedData->delete(); |
|
| 105 | + } |
|
| 106 | + |
|
| 107 | + $storedData = $this->createNewCredential($user); |
|
| 108 | + |
|
| 109 | + $storedData->setData(null); |
|
| 110 | + $storedData->setFactor($factor); |
|
| 111 | + $storedData->setTimeout(new DateTimeImmutable('+ 1 hour')); |
|
| 112 | + $storedData->setDisabled(1); |
|
| 113 | + $storedData->setPriority(4); |
|
| 114 | + $storedData->setVersion(1); |
|
| 115 | + |
|
| 116 | + $storedData->save(); |
|
| 117 | + } |
|
| 118 | + |
|
| 119 | + public function isPartiallyEnrolled(User $user) |
|
| 120 | + { |
|
| 121 | + $storedData = $this->getCredentialData($user->getId(), true); |
|
| 122 | + |
|
| 123 | + if ($storedData->getTimeout() < new DateTimeImmutable()) { |
|
| 124 | + $storedData->delete(); |
|
| 125 | + |
|
| 126 | + return false; |
|
| 127 | + } |
|
| 128 | + |
|
| 129 | + if ($storedData === null) { |
|
| 130 | + return false; |
|
| 131 | + } |
|
| 132 | + |
|
| 133 | + return true; |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + public function getRegistrationData() |
|
| 137 | + { |
|
| 138 | + return $this->u2f->getRegisterData(); |
|
| 139 | + } |
|
| 140 | + |
|
| 141 | + public function getAuthenticationData(User $user) |
|
| 142 | + { |
|
| 143 | + $storedData = $this->getCredentialData($user->getId(), false); |
|
| 144 | + $registrations = json_decode($storedData->getData()); |
|
| 145 | + |
|
| 146 | + $authenticateData = $this->u2f->getAuthenticateData(array($registrations)); |
|
| 147 | + |
|
| 148 | + return $authenticateData; |
|
| 149 | + } |
|
| 150 | 150 | } |
