From cbfdcff2615e901bdc434d06f38a3da8eecbdf8b Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Sun, 31 Jul 2016 10:46:17 +0200 Subject: Prepare settings for the API in the admin page and during the install API settings: - api.enabled - api.secret The API settings will be initialized (and the secret generated) with an update method. --- application/Updater.php | 23 +++++++++++++++++++++++ application/Utils.php | 26 ++++++++++++++++++++++++++ index.php | 12 ++++++++++++ tests/Updater/UpdaterTest.php | 40 ++++++++++++++++++++++++++++++++++++++-- tests/UtilsTest.php | 17 +++++++++++++++++ tpl/configure.html | 14 ++++++++++++++ tpl/install.html | 12 ++++++++++++ 7 files changed, 142 insertions(+), 2 deletions(-) diff --git a/application/Updater.php b/application/Updater.php index f0d02814..38de3350 100644 --- a/application/Updater.php +++ b/application/Updater.php @@ -256,6 +256,29 @@ class Updater return true; } + + /** + * Initialize API settings: + * - api.enabled: true + * - api.secret: generated secret + */ + public function updateMethodApiSettings() + { + if ($this->conf->exists('api.secret')) { + return true; + } + + $this->conf->set('api.enabled', true); + $this->conf->set( + 'api.secret', + generate_api_secret( + $this->conf->get('credentials.login'), + $this->conf->get('credentials.salt') + ) + ); + $this->conf->write($this->isLoggedIn); + return true; + } } /** diff --git a/application/Utils.php b/application/Utils.php index 0a5b476e..62902341 100644 --- a/application/Utils.php +++ b/application/Utils.php @@ -231,3 +231,29 @@ function autoLocale($headerLocale) } setlocale(LC_ALL, $attempts); } + +/** + * Generates a default API secret. + * + * Note that the random-ish methods used in this function are predictable, + * which makes them NOT suitable for crypto. + * BUT the random string is salted with the salt and hashed with the username. + * It makes the generated API secret secured enough for Shaarli. + * + * PHP 7 provides random_int(), designed for cryptography. + * More info: http://stackoverflow.com/questions/4356289/php-random-string-generator + + * @param string $username Shaarli login username + * @param string $salt Shaarli password hash salt + * + * @return string|bool Generated API secret, 12 char length. + * Or false if invalid parameters are provided (which will make the API unusable). + */ +function generate_api_secret($username, $salt) +{ + if (empty($username) || empty($salt)) { + return false; + } + + return str_shuffle(substr(hash_hmac('sha512', uniqid($salt), $username), 10, 12)); +} diff --git a/index.php b/index.php index cc448352..25e37b32 100644 --- a/index.php +++ b/index.php @@ -1142,6 +1142,8 @@ function renderPage($conf, $pluginManager) $conf->set('feed.rss_permalinks', !empty($_POST['enableRssPermalinks'])); $conf->set('updates.check_updates', !empty($_POST['updateCheck'])); $conf->set('privacy.hide_public_links', !empty($_POST['hidePublicLinks'])); + $conf->set('api.enabled', !empty($_POST['apiEnabled'])); + $conf->set('api.secret', escape($_POST['apiSecret'])); try { $conf->write(isLoggedIn()); } @@ -1170,6 +1172,8 @@ function renderPage($conf, $pluginManager) $PAGE->assign('enable_rss_permalinks', $conf->get('feed.rss_permalinks', false)); $PAGE->assign('enable_update_check', $conf->get('updates.check_updates', true)); $PAGE->assign('hide_public_links', $conf->get('privacy.hide_public_links', false)); + $PAGE->assign('api_enabled', $conf->get('api.enabled', true)); + $PAGE->assign('api_secret', $conf->get('api.secret')); $PAGE->renderPage('configure'); exit; } @@ -1952,6 +1956,14 @@ function install($conf) $conf->set('general.title', 'Shared links on '.escape(index_url($_SERVER))); } $conf->set('updates.check_updates', !empty($_POST['updateCheck'])); + $conf->set('api.enabled', !empty($_POST['enableApi'])); + $conf->set( + 'api.secret', + generate_api_secret( + $this->conf->get('credentials.login'), + $this->conf->get('credentials.salt') + ) + ); try { // Everything is ok, let's create config file. $conf->write(isLoggedIn()); diff --git a/tests/Updater/UpdaterTest.php b/tests/Updater/UpdaterTest.php index 4948fe52..0171daad 100644 --- a/tests/Updater/UpdaterTest.php +++ b/tests/Updater/UpdaterTest.php @@ -271,7 +271,7 @@ $GLOBALS[\'privateLinkByDefault\'] = true;'; public function testEscapeConfig() { $sandbox = 'sandbox/config'; - copy(self::$configFile .'.json.php', $sandbox .'.json.php'); + copy(self::$configFile . '.json.php', $sandbox . '.json.php'); $this->conf = new ConfigManager($sandbox); $title = ''; $headerLink = ''; @@ -286,7 +286,43 @@ $GLOBALS[\'privateLinkByDefault\'] = true;'; $this->assertEquals(escape($title), $this->conf->get('general.title')); $this->assertEquals(escape($headerLink), $this->conf->get('general.header_link')); $this->assertEquals(escape($redirectorUrl), $this->conf->get('redirector.url')); - unlink($sandbox .'.json.php'); + unlink($sandbox . '.json.php'); + } + + /** + * Test updateMethodApiSettings(): create default settings for the API (enabled + secret). + */ + public function testUpdateApiSettings() + { + $confFile = 'sandbox/config'; + copy(self::$configFile .'.json.php', $confFile .'.json.php'); + $conf = new ConfigManager($confFile); + $updater = new Updater(array(), array(), $conf, true); + + $this->assertFalse($conf->exists('api.enabled')); + $this->assertFalse($conf->exists('api.secret')); + $updater->updateMethodApiSettings(); + $conf->reload(); + $this->assertTrue($conf->get('api.enabled')); + $this->assertTrue($conf->exists('api.secret')); + unlink($confFile .'.json.php'); + } + + /** + * Test updateMethodApiSettings(): already set, do nothing. + */ + public function testUpdateApiSettingsNothingToDo() + { + $confFile = 'sandbox/config'; + copy(self::$configFile .'.json.php', $confFile .'.json.php'); + $conf = new ConfigManager($confFile); + $conf->set('api.enabled', false); + $conf->set('api.secret', ''); + $updater = new Updater(array(), array(), $conf, true); + $updater->updateMethodApiSettings(); + $this->assertFalse($conf->get('api.enabled')); + $this->assertEmpty($conf->get('api.secret')); + unlink($confFile .'.json.php'); } /** diff --git a/tests/UtilsTest.php b/tests/UtilsTest.php index 6a7870c4..0cf9a921 100644 --- a/tests/UtilsTest.php +++ b/tests/UtilsTest.php @@ -253,4 +253,21 @@ class UtilsTest extends PHPUnit_Framework_TestCase is_session_id_valid('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=') ); } + + /** + * Test generateSecretApi. + */ + public function testGenerateSecretApi() + { + $this->assertEquals(12, strlen(generate_api_secret('foo', 'bar'))); + } + + /** + * Test generateSecretApi with invalid parameters. + */ + public function testGenerateSecretApiInvalid() + { + $this->assertFalse(generate_api_secret('', '')); + $this->assertFalse(generate_api_secret(false, false)); + } } diff --git a/tpl/configure.html b/tpl/configure.html index 983bcd08..a015770e 100644 --- a/tpl/configure.html +++ b/tpl/configure.html @@ -80,6 +80,20 @@ + + Enable API + + + + + + + API secret + + + + diff --git a/tpl/install.html b/tpl/install.html index 88eb540e..eda4c54d 100644 --- a/tpl/install.html +++ b/tpl/install.html @@ -14,6 +14,18 @@ Update: + + + API: + + + + + + -- cgit v1.2.3