Revert "DataObjects/Core_person.php"

author Alan Knowles <alan@roojs.com>

Fri, 12 Oct 2018 02:28:33 +0000 (10:28 +0800)

committer Alan Knowles <alan@roojs.com>

Fri, 12 Oct 2018 02:28:33 +0000 (10:28 +0800)
author Alan Knowles <alan@roojs.com>
Fri, 12 Oct 2018 02:28:33 +0000 (10:28 +0800)
committer Alan Knowles <alan@roojs.com>
Fri, 12 Oct 2018 02:28:33 +0000 (10:28 +0800)
diff --git a/DataObjects/Core_person.php b/DataObjects/Core_person.php

index 02d42ea..db086dd 100644 (file)
--- a/DataObjects/Core_person.php
+++ b/DataObjects/Core_person.php
@@ -172,18 +172,13 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
              // h embeds images here..
              $body = $mime->get();
              $headers = $mime->headers($headers);
              // h embeds images here..
              $body = $mime->get();
              $headers = $mime->headers($headers);
-            
          }
          
          }
          
-         
-        
          return array(
              'recipients' => $recipents,
              'headers'    => $headers,
              'body'      => $body
          );
          return array(
              'recipients' => $recipents,
              'headers'    => $headers,
              'body'      => $body
          );
-        
-        
      }
      
      
      }
      
      
@@ -195,10 +190,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
       */
      function sendTemplate($templateFile, $args)
      {
       */
      function sendTemplate($templateFile, $args)
      {
-        
          $ar = $this->buildMail($templateFile, $args);
        
          $ar = $this->buildMail($templateFile, $args);
        
-        
          //print_r($recipents);exit;
          $mailOptions = PEAR::getStaticProperty('Mail','options');
          $mail = Mail::factory("SMTP",$mailOptions);
          //print_r($recipents);exit;
          $mailOptions = PEAR::getStaticProperty('Mail','options');
          $mail = Mail::factory("SMTP",$mailOptions);
@@ -211,7 +204,6 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
          error_reporting($oe);
         
          return $ret;
          error_reporting($oe);
         
          return $ret;
-    
      }
      
    
      }
      
    
@@ -298,7 +290,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
              return false;
          }
          
              return false;
          }
          
-         // local auth - 
+        
+        // local auth - 
          $default_admin = false;
          if (!empty($ff->Pman['local_autoauth']) && 
              ($ff->Pman['local_autoauth'] === true) &&
          $default_admin = false;
          if (!empty($ff->Pman['local_autoauth']) && 
              ($ff->Pman['local_autoauth'] === true) &&
@@ -315,7 +308,6 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
                  )
              )
          ) {
                  )
              )
          ) {
-            
              $group = DB_DataObject::factory('core_group');
              $group->get('name', 'Administrators');
              
              $group = DB_DataObject::factory('core_group');
              $group->get('name', 'Administrators');
              
@@ -528,19 +520,23 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
      
      function checkTwoFactorAuthentication($val)
      {
      
      function checkTwoFactorAuthentication($val)
      {
+        // also used in login
          require_once 'System.php';
          
          require_once 'System.php';
          
+        if(
+            empty($this->id) ||
+            empty($this->oath_key)
+        ) {
+            return false;
+        }
+        
          $oathtool = System::which('oathtool');
          
          if (!$oathtool) {
              return false;
          }
          
          $oathtool = System::which('oathtool');
          
          if (!$oathtool) {
              return false;
          }
          
-        if(empty($this->oath_key)) {
-            return true;
-        }
-        
-        $cmd = "{$oathtool} --totp --base32 " . escapeshellarg($this->oath_key);
+        $cmd = "{$oathtool} --totp --base32 {$this->oath_key}";
          
          $password = exec($cmd);
          
          
          $password = exec($cmd);
          
@@ -675,6 +671,16 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
          $aur['oath_key'] = '';
          
          $aur['oath_key_enable'] = !empty($this->oath_key);
          $aur['oath_key'] = '';
          
          $aur['oath_key_enable'] = !empty($this->oath_key);
+        $aur['require_oath'] = 1;
+        
+        $s = DB_DataObject::Factory('core_setting');
+        $oath_require = $s->lookup('core', 'two_factor_authentication_requirement');
+        
+        if(!empty($oath_require)) {
+            if($oath_require->val == 0) {
+                $aur['require_oath'] = 0;
+            }
+        } 
          
          return $aur;
      }
          
          return $aur;
      }
@@ -766,30 +772,26 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
      function applyFilters($q, $au, $roo)
      {
          //DB_DataObject::DebugLevel(1);
      function applyFilters($q, $au, $roo)
      {
          //DB_DataObject::DebugLevel(1);
-        if(!empty($q['_generate_oath_key'])){
-            $o = clone($this);
-            $this->generateOathKey();
-            $this->update($o);
-            $roo->jok('OK');
-        }
-        
-        // missing id for core_person mgmt
          if(!empty($q['_to_qr_code'])){
          if(!empty($q['_to_qr_code'])){
+            $person = DB_DataObject::factory('Core_person');
+            $person->id = $q['id']; 
              
              
-            if($q['id'] == 'is_auth') {
-                $person = $this->getAuthUser();
-            } else {
-                $person = DB_DataObject::factory('Core_person');
-                $person->get($q['id']);
+            if(!$person->find(true)) {
+                $roo->jerr('_invalid_person');
              }
              
              }
              
-            $o = clone($person);
-            
-            $person->generateOathKey();
+            $hash = $this->generateOathKey();
              
              
-            $person->update($o);
-            
-            $qrcode = $person->generateQRCode();
+            $_SESSION[__CLASS__] = 
+                isset($_SESSION[__CLASS__]) ? 
+                    $_SESSION[__CLASS__] : array();
+            $_SESSION[__CLASS__]['oath'] = 
+                isset($_SESSION[__CLASS__]['oath']) ? 
+                    $_SESSION[__CLASS__]['oath'] : array();
+                
+            $_SESSION[__CLASS__]['oath'][$person->id] = $hash;
+
+            $qrcode = $person->generateQRCode($hash);
              
              if(empty($qrcode)){
                  $roo->jerr('Fail to generate QR Code');
              
              if(empty($qrcode)){
                  $roo->jerr('Fail to generate QR Code');
@@ -799,15 +801,14 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
          }
          
          if(!empty($q['two_factor_auth_code'])) {
          }
          
          if(!empty($q['two_factor_auth_code'])) {
-            
-            $person = $this;
-            
-            if(isset($q['id'])) {
-                $person = DB_DataObject::factory('core_person');
-                $person->get($q['id']);
-            }
+            $person = DB_DataObject::factory('core_person');
+            $person->get($q['id']);
+            $o = clone($person);
+            $person->oath_key = $_SESSION[__CLASS__]['oath'][$person->id];
              
              if($person->checkTwoFactorAuthentication($q['two_factor_auth_code'])) {
              
              if($person->checkTwoFactorAuthentication($q['two_factor_auth_code'])) {
+                $person->update($o);
+                unset($_SESSION[__CLASS__]['oath'][$person->id]);
                  $roo->jok('DONE');
              }
              
                  $roo->jok('DONE');
              }
              
@@ -815,22 +816,12 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
          }
          
          if(!empty($q['oath_key_disable'])) {
          }
          
          if(!empty($q['oath_key_disable'])) {
-            
-            $person = $this->getAuthUser();
-            
-            if(!empty($q['id'])) {
-                $person = DB_DataObject::factory('core_person');
-                $person->get($q['id']);
-            }
-            
-            if(empty($person)) {
-                $roo->jerr('Please login to the system');
-            }
+            $person = DB_DataObject::factory('core_person');
+            $person->get($q['id']);
              
              $o = clone($person);
              
              $person->oath_key = '';
              
              $o = clone($person);
              
              $person->oath_key = '';
-            
              $person->update($o);
              
              $roo->jok('DONE');
              $person->update($o);
              
              $roo->jok('DONE');
@@ -1125,7 +1116,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
          $this->setFrom($ar);
          
          if(!empty($ar['_enable_oath_key'])){
          $this->setFrom($ar);
          
          if(!empty($ar['_enable_oath_key'])){
-            $this->generateOathKey();
+            $oath_key = $this->generateOathKey();
          }
          
          if (!empty($ar['passwd1'])) {
          }
          
          if (!empty($ar['passwd1'])) {
@@ -1449,22 +1440,18 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
      
      function generateOathKey()
      {
      
      function generateOathKey()
      {
-        $hex = bin2hex(openssl_random_pseudo_bytes(10));
-        
          require 'Base32.php';
          
          $base32 = new Base32();
          
          require 'Base32.php';
          
          $base32 = new Base32();
          
-        $this->oath_key = $base32->base32_encode($hex);
-        
-        return $this->oath_key;
+        return $base32->base32_encode(bin2hex(openssl_random_pseudo_bytes(10)));
      }
      
      }
      
-    function generateQRCode()
+    function generateQRCode($hash)
      {
          if(
              empty($this->email) &&
      {
          if(
              empty($this->email) &&
-            empty($this->oath_key)
+            empty($hash)
          ){
              return false;
          }
          ){
              return false;
          }
@@ -1472,7 +1459,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject
          $issuer = (empty($this->name)) ? 
              rawurlencode('ROOJS') : rawurlencode($this->name);
          
          $issuer = (empty($this->name)) ? 
              rawurlencode('ROOJS') : rawurlencode($this->name);
          
-        $uri = "otpauth://totp/{$issuer}:{$this->email}?secret={$this->oath_key}&issuer={$issuer}&algorithm=SHA1&digits=6&period=30";
+        $uri = "otpauth://totp/{$issuer}:{$this->email}?secret={$hash}&issuer={$issuer}&algorithm=SHA1&digits=6&period=30";
          
          require_once 'Image/QRCode.php';
          
          
          require_once 'Image/QRCode.php';
author	Alan Knowles <alan@roojs.com>
	Fri, 12 Oct 2018 02:28:33 +0000 (10:28 +0800)
committer	Alan Knowles <alan@roojs.com>
	Fri, 12 Oct 2018 02:28:33 +0000 (10:28 +0800)