From 6f56e082e2656ebca864ce2c83d8e24971f959de Mon Sep 17 00:00:00 2001 From: Dario Rekowski on RockPI Date: Tue, 17 Sep 2019 11:49:42 +0000 Subject: [PATCH] check signature by Operator ajax save --- composer.json | 3 +- composer.lock | 129 ++++++++++++++++++++++++- mithril_client | 2 +- src/Controller/OperatorsController.php | 33 ++++++- src/Model/Entity/Operator.php | 3 +- src/Model/Table/OperatorsTable.php | 12 ++- src/Template/Operators/add.ctp | 3 +- src/Template/Operators/edit.ctp | 3 +- src/Template/Operators/index.ctp | 6 +- src/Template/Operators/view.ctp | 8 +- 10 files changed, 184 insertions(+), 18 deletions(-) diff --git a/composer.json b/composer.json index ed454e64b..a85d42c51 100644 --- a/composer.json +++ b/composer.json @@ -9,7 +9,8 @@ "cakephp/cakephp": "3.8.*", "cakephp/migrations": "^2.0.0", "cakephp/plugin-installer": "^1.0", - "mobiledetect/mobiledetectlib": "2.*" + "mobiledetect/mobiledetectlib": "2.*", + "paragonie/sodium_compat": "^1.11" }, "require-dev": { "cakephp/bake": "^1.9.0", diff --git a/composer.lock b/composer.lock index 22a90f998..ae70ee26a 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "bae3f640a631a993a49129d353eefbf9", + "content-hash": "67bc2c5a0445873e8399d5b549a7076a", "packages": [ { "name": "aura/intl", @@ -344,6 +344,133 @@ ], "time": "2018-09-01T15:05:15+00:00" }, + { + "name": "paragonie/random_compat", + "version": "v9.99.99", + "source": { + "type": "git", + "url": "https://github.com/paragonie/random_compat.git", + "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95", + "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95", + "shasum": "" + }, + "require": { + "php": "^7" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*", + "vimeo/psalm": "^1" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "type": "library", + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "polyfill", + "pseudorandom", + "random" + ], + "time": "2018-07-02T15:55:56+00:00" + }, + { + "name": "paragonie/sodium_compat", + "version": "v1.11.1", + "source": { + "type": "git", + "url": "https://github.com/paragonie/sodium_compat.git", + "reference": "a9f968bc99485f85f9303a8524c3485a7e87bc15" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/sodium_compat/zipball/a9f968bc99485f85f9303a8524c3485a7e87bc15", + "reference": "a9f968bc99485f85f9303a8524c3485a7e87bc15", + "shasum": "" + }, + "require": { + "paragonie/random_compat": ">=1", + "php": "^5.2.4|^5.3|^5.4|^5.5|^5.6|^7|^8" + }, + "require-dev": { + "phpunit/phpunit": "^3|^4|^5" + }, + "suggest": { + "ext-libsodium": "PHP < 7.0: Better performance, password hashing (Argon2i), secure memory management (memzero), and better security.", + "ext-sodium": "PHP >= 7.0: Better performance, password hashing (Argon2i), secure memory management (memzero), and better security." + }, + "type": "library", + "autoload": { + "files": [ + "autoload.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "ISC" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com" + }, + { + "name": "Frank Denis", + "email": "jedisct1@pureftpd.org" + } + ], + "description": "Pure PHP implementation of libsodium; uses the PHP extension if it exists", + "keywords": [ + "Authentication", + "BLAKE2b", + "ChaCha20", + "ChaCha20-Poly1305", + "Chapoly", + "Curve25519", + "Ed25519", + "EdDSA", + "Edwards-curve Digital Signature Algorithm", + "Elliptic Curve Diffie-Hellman", + "Poly1305", + "Pure-PHP cryptography", + "RFC 7748", + "RFC 8032", + "Salpoly", + "Salsa20", + "X25519", + "XChaCha20-Poly1305", + "XSalsa20-Poly1305", + "Xchacha20", + "Xsalsa20", + "aead", + "cryptography", + "ecdh", + "elliptic curve", + "elliptic curve cryptography", + "encryption", + "libsodium", + "php", + "public-key cryptography", + "secret-key cryptography", + "side-channel resistant" + ], + "time": "2019-09-12T12:05:58+00:00" + }, { "name": "psr/container", "version": "1.0.0", diff --git a/mithril_client b/mithril_client index a4af9311f..116e2b660 160000 --- a/mithril_client +++ b/mithril_client @@ -1 +1 @@ -Subproject commit a4af9311f84e31d1b4682ea6de953c3a018b5343 +Subproject commit 116e2b660676334a593658b46ead01f03a057f1e diff --git a/src/Controller/OperatorsController.php b/src/Controller/OperatorsController.php index ff7874578..523df13a3 100644 --- a/src/Controller/OperatorsController.php +++ b/src/Controller/OperatorsController.php @@ -3,6 +3,8 @@ namespace App\Controller; use App\Controller\AppController; +//require_once "../../vendor/paragonie/sodium_compat/autoload.php"; + /** * Operators Controller * @@ -37,10 +39,27 @@ class OperatorsController extends AppController { if ($this->request->is('post')) { - - $operatorTypeName = $this->request->getData('operator_type_name'); - $usernamePasswordHash = $this->request->getData('usernamePasswordHash'); + $username = $this->request->getData('username'); + $pubkey_bin = base64_decode($this->request->getData('user_pubkey')); + $data = base64_decode($this->request->getData('data_base64')); + $sign = base64_decode($this->request->getData('sign')); + + //$publicKey_hex = bin2hex($pubkey_bin); + //$signature_hex = bin2hex($sign); + + if(!sodium_crypto_sign_verify_detached($sign, $data, $pubkey_bin)) { + return $this->returnJson([ + 'state' => 'wrong signature', + /* 'details' => [ + 'pubkey' => $publicKey_hex, + 'sign' => $signature_hex, + 'data' => bin2hex($data) + ] +*/ + ]); + } + $operatorTypeId = $this->Operators->OperatorTypes-> find() ->where(['name' => $operatorTypeName]) @@ -52,14 +71,19 @@ class OperatorsController extends AppController ->find() ->where([ 'operator_type_id' => $operatorTypeId->id, - 'usernamePasswordHash' => $usernamePasswordHash]) + 'username' => $username, + 'user_pubkey' => $pubkey_bin]) ->first(); if(!$operator) { // create new entity $operator = $this->Operators->newEntity(); + } else { + // check if request has valid signature + } $operator = $this->Operators->patchEntity($operator, $this->request->getData()); + $operator->user_pubkey = $pubkey_bin; $operator->operator_type_id = $operatorTypeId->id; if ($this->Operators->save($operator)) { return $this->returnJson(['state' => 'success']); @@ -77,6 +101,7 @@ class OperatorsController extends AppController ->find() ->where(['usernamePasswordHash' => $usernamePasswordHash]) ->contain(['OperatorTypes']) + ->select(['data_base64', 'OperatorTypes.name']) ->toArray(); ; if($operators) { diff --git a/src/Model/Entity/Operator.php b/src/Model/Entity/Operator.php index 2342897bd..9d5ddd3ca 100644 --- a/src/Model/Entity/Operator.php +++ b/src/Model/Entity/Operator.php @@ -23,7 +23,8 @@ class Operator extends Entity * @var array */ protected $_accessible = [ - 'usernamePasswordHash' => true, + 'username' => true, + 'user_pubkey' => true, 'operator_type_id' => true, 'data_base64' => true, 'modified' => true diff --git a/src/Model/Table/OperatorsTable.php b/src/Model/Table/OperatorsTable.php index 044f89799..7ae272767 100644 --- a/src/Model/Table/OperatorsTable.php +++ b/src/Model/Table/OperatorsTable.php @@ -57,12 +57,16 @@ class OperatorsTable extends Table ->allowEmptyString('id', null, 'create'); $validator - ->scalar('usernamePasswordHash') - ->maxLength('usernamePasswordHash', 255) - ->requirePresence('usernamePasswordHash', 'create') - ->notEmptyString('usernamePasswordHash'); + ->scalar('username') + ->maxLength('username', 50) + ->requirePresence('username', 'create') + ->notEmptyString('username'); //->add('usernamePasswordHash', 'unique', ['rule' => 'validateUnique', 'provider' => 'table']); + $validator + ->requirePresence('user_pubkey', 'create') + ->notEmptyString('user_pubkey'); + $validator ->scalar('data_base64') ->maxLength('data_base64', 255) diff --git a/src/Template/Operators/add.ctp b/src/Template/Operators/add.ctp index 4d714f806..88cf2fef8 100644 --- a/src/Template/Operators/add.ctp +++ b/src/Template/Operators/add.ctp @@ -15,7 +15,8 @@
Form->control('usernamePasswordHash'); + echo $this->Form->control('username'); + echo $this->Form->control('user_pubkey'); echo $this->Form->control('operator_type_id'); echo $this->Form->control('data_base64'); ?> diff --git a/src/Template/Operators/edit.ctp b/src/Template/Operators/edit.ctp index 4e99f921f..6d8f577fa 100644 --- a/src/Template/Operators/edit.ctp +++ b/src/Template/Operators/edit.ctp @@ -21,7 +21,8 @@
Form->control('usernamePasswordHash'); + echo $this->Form->control('username'); + echo $this->Form->control('user_pubkey'); echo $this->Form->control('operator_type_id'); echo $this->Form->control('data_base64'); ?> diff --git a/src/Template/Operators/index.ctp b/src/Template/Operators/index.ctp index 9b506d61e..cb23c148f 100644 --- a/src/Template/Operators/index.ctp +++ b/src/Template/Operators/index.ctp @@ -16,7 +16,8 @@ Paginator->sort('id') ?> - Paginator->sort('usernamePasswordHash') ?> + Paginator->sort('username') ?> + Paginator->sort('user_pubkey') ?> Paginator->sort('operator_type_id') ?> Paginator->sort('data_base64') ?> Paginator->sort('modified') ?> @@ -28,7 +29,8 @@ //echo $operator->operator_type->name ?> Number->format($operator->id) ?> - usernamePasswordHash) ?> + username) ?> + user_pubkey)) ?> Html->link(__($operator->operator_type->name), ['controller' => 'OperatorTypes', 'action' => 'view', $operator->operator_type_id]) ?> data_base64) ?> modified) ?> diff --git a/src/Template/Operators/view.ctp b/src/Template/Operators/view.ctp index c3d745a5b..34ab36969 100644 --- a/src/Template/Operators/view.ctp +++ b/src/Template/Operators/view.ctp @@ -17,8 +17,12 @@

id) ?>

- - + + + + + +
usernamePasswordHash) ?>username) ?>
user_pubkey)) ?>