From c4ad3d4f061d05a01db25aa54dda830ba776792d Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Tue, 7 Jul 2020 10:15:56 +0200 Subject: Process Shaarli install through Slim controller --- application/bookmark/BookmarkFileService.php | 26 +++- application/bookmark/BookmarkInitializer.php | 12 +- application/bookmark/BookmarkServiceInterface.php | 13 ++ application/container/ContainerBuilder.php | 7 + application/container/ShaarliContainer.php | 3 + application/front/ShaarliMiddleware.php | 6 + .../front/controller/admin/LogoutController.php | 10 +- .../front/controller/visitor/InstallController.php | 173 +++++++++++++++++++++ .../front/exceptions/AlreadyInstalledException.php | 15 ++ .../exceptions/ResourcePermissionException.php | 13 ++ application/security/CookieManager.php | 33 ++++ application/security/LoginManager.php | 16 +- application/security/SessionManager.php | 16 +- application/updater/Updater.php | 30 ++-- 14 files changed, 340 insertions(+), 33 deletions(-) create mode 100644 application/front/controller/visitor/InstallController.php create mode 100644 application/front/exceptions/AlreadyInstalledException.php create mode 100644 application/front/exceptions/ResourcePermissionException.php create mode 100644 application/security/CookieManager.php (limited to 'application') diff --git a/application/bookmark/BookmarkFileService.php b/application/bookmark/BookmarkFileService.php index 3d15d4c9..6e04f3b7 100644 --- a/application/bookmark/BookmarkFileService.php +++ b/application/bookmark/BookmarkFileService.php @@ -46,6 +46,9 @@ class BookmarkFileService implements BookmarkServiceInterface /** @var bool true for logged in users. Default value to retrieve private bookmarks. */ protected $isLoggedIn; + /** @var bool Allow datastore alteration from not logged in users. */ + protected $anonymousPermission = false; + /** * @inheritDoc */ @@ -64,7 +67,7 @@ class BookmarkFileService implements BookmarkServiceInterface $this->bookmarks = $this->bookmarksIO->read(); } catch (EmptyDataStoreException $e) { $this->bookmarks = new BookmarkArray(); - if ($isLoggedIn) { + if ($this->isLoggedIn) { $this->save(); } } @@ -154,7 +157,7 @@ class BookmarkFileService implements BookmarkServiceInterface */ public function set($bookmark, $save = true) { - if ($this->isLoggedIn !== true) { + if (true !== $this->isLoggedIn && true !== $this->anonymousPermission) { throw new Exception(t('You\'re not authorized to alter the datastore')); } if (! $bookmark instanceof Bookmark) { @@ -179,7 +182,7 @@ class BookmarkFileService implements BookmarkServiceInterface */ public function add($bookmark, $save = true) { - if ($this->isLoggedIn !== true) { + if (true !== $this->isLoggedIn && true !== $this->anonymousPermission) { throw new Exception(t('You\'re not authorized to alter the datastore')); } if (! $bookmark instanceof Bookmark) { @@ -204,7 +207,7 @@ class BookmarkFileService implements BookmarkServiceInterface */ public function addOrSet($bookmark, $save = true) { - if ($this->isLoggedIn !== true) { + if (true !== $this->isLoggedIn && true !== $this->anonymousPermission) { throw new Exception(t('You\'re not authorized to alter the datastore')); } if (! $bookmark instanceof Bookmark) { @@ -221,7 +224,7 @@ class BookmarkFileService implements BookmarkServiceInterface */ public function remove($bookmark, $save = true) { - if ($this->isLoggedIn !== true) { + if (true !== $this->isLoggedIn && true !== $this->anonymousPermission) { throw new Exception(t('You\'re not authorized to alter the datastore')); } if (! $bookmark instanceof Bookmark) { @@ -274,10 +277,11 @@ class BookmarkFileService implements BookmarkServiceInterface */ public function save() { - if (!$this->isLoggedIn) { + if (true !== $this->isLoggedIn && true !== $this->anonymousPermission) { // TODO: raise an Exception instead die('You are not authorized to change the database.'); } + $this->bookmarks->reorder(); $this->bookmarksIO->write($this->bookmarks); $this->pageCacheManager->invalidateCaches(); @@ -357,6 +361,16 @@ class BookmarkFileService implements BookmarkServiceInterface $initializer->initialize(); } + public function enableAnonymousPermission(): void + { + $this->anonymousPermission = true; + } + + public function disableAnonymousPermission(): void + { + $this->anonymousPermission = false; + } + /** * Handles migration to the new database format (BookmarksArray). */ diff --git a/application/bookmark/BookmarkInitializer.php b/application/bookmark/BookmarkInitializer.php index 9eee9a35..479ee9a9 100644 --- a/application/bookmark/BookmarkInitializer.php +++ b/application/bookmark/BookmarkInitializer.php @@ -34,13 +34,15 @@ class BookmarkInitializer */ public function initialize() { + $this->bookmarkService->enableAnonymousPermission(); + $bookmark = new Bookmark(); $bookmark->setTitle(t('My secret stuff... - Pastebin.com')); - $bookmark->setUrl('http://sebsauvage.net/paste/?8434b27936c09649#bR7XsXhoTiLcqCpQbmOpBi3rq2zzQUC5hBI7ZT1O3x8=', []); + $bookmark->setUrl('http://sebsauvage.net/paste/?8434b27936c09649#bR7XsXhoTiLcqCpQbmOpBi3rq2zzQUC5hBI7ZT1O3x8='); $bookmark->setDescription(t('Shhhh! I\'m a private link only YOU can see. You can delete me too.')); $bookmark->setTagsString('secretstuff'); $bookmark->setPrivate(true); - $this->bookmarkService->add($bookmark); + $this->bookmarkService->add($bookmark, false); $bookmark = new Bookmark(); $bookmark->setTitle(t('The personal, minimalist, super-fast, database free, bookmarking service')); @@ -54,6 +56,10 @@ To learn how to use Shaarli, consult the link "Documentation" at the bottom of t You use the community supported version of the original Shaarli project, by Sebastien Sauvage.' )); $bookmark->setTagsString('opensource software'); - $this->bookmarkService->add($bookmark); + $this->bookmarkService->add($bookmark, false); + + $this->bookmarkService->save(); + + $this->bookmarkService->disableAnonymousPermission(); } } diff --git a/application/bookmark/BookmarkServiceInterface.php b/application/bookmark/BookmarkServiceInterface.php index 7b7a4f09..37fbda89 100644 --- a/application/bookmark/BookmarkServiceInterface.php +++ b/application/bookmark/BookmarkServiceInterface.php @@ -177,4 +177,17 @@ interface BookmarkServiceInterface * Creates the default database after a fresh install. */ public function initialize(); + + /** + * Allow to write the datastore from anonymous session (not logged in). + * + * This covers a few specific use cases, such as datastore initialization, + * but it should be used carefully as it can lead to security issues. + */ + public function enableAnonymousPermission(); + + /** + * Disable anonymous permission. + */ + public function disableAnonymousPermission(); } diff --git a/application/container/ContainerBuilder.php b/application/container/ContainerBuilder.php index ccb87c3a..593aafb7 100644 --- a/application/container/ContainerBuilder.php +++ b/application/container/ContainerBuilder.php @@ -15,6 +15,7 @@ use Shaarli\Netscape\NetscapeBookmarkUtils; use Shaarli\Plugin\PluginManager; use Shaarli\Render\PageBuilder; use Shaarli\Render\PageCacheManager; +use Shaarli\Security\CookieManager; use Shaarli\Security\LoginManager; use Shaarli\Security\SessionManager; use Shaarli\Thumbnailer; @@ -38,6 +39,9 @@ class ContainerBuilder /** @var SessionManager */ protected $session; + /** @var CookieManager */ + protected $cookieManager; + /** @var LoginManager */ protected $login; @@ -47,11 +51,13 @@ class ContainerBuilder public function __construct( ConfigManager $conf, SessionManager $session, + CookieManager $cookieManager, LoginManager $login ) { $this->conf = $conf; $this->session = $session; $this->login = $login; + $this->cookieManager = $cookieManager; } public function build(): ShaarliContainer @@ -60,6 +66,7 @@ class ContainerBuilder $container['conf'] = $this->conf; $container['sessionManager'] = $this->session; + $container['cookieManager'] = $this->cookieManager; $container['loginManager'] = $this->login; $container['basePath'] = $this->basePath; diff --git a/application/container/ShaarliContainer.php b/application/container/ShaarliContainer.php index 09e7d5b1..c4fe753e 100644 --- a/application/container/ShaarliContainer.php +++ b/application/container/ShaarliContainer.php @@ -4,6 +4,7 @@ declare(strict_types=1); namespace Shaarli\Container; +use http\Cookie; use Shaarli\Bookmark\BookmarkServiceInterface; use Shaarli\Config\ConfigManager; use Shaarli\Feed\FeedBuilder; @@ -14,6 +15,7 @@ use Shaarli\Netscape\NetscapeBookmarkUtils; use Shaarli\Plugin\PluginManager; use Shaarli\Render\PageBuilder; use Shaarli\Render\PageCacheManager; +use Shaarli\Security\CookieManager; use Shaarli\Security\LoginManager; use Shaarli\Security\SessionManager; use Shaarli\Thumbnailer; @@ -25,6 +27,7 @@ use Slim\Container; * * @property string $basePath Shaarli's instance base path (e.g. `/shaarli/`) * @property BookmarkServiceInterface $bookmarkService + * @property CookieManager $cookieManager * @property ConfigManager $conf * @property mixed[] $environment $_SERVER automatically injected by Slim * @property callable $errorHandler Overrides default Slim error display diff --git a/application/front/ShaarliMiddleware.php b/application/front/ShaarliMiddleware.php index baea6ef2..595182ac 100644 --- a/application/front/ShaarliMiddleware.php +++ b/application/front/ShaarliMiddleware.php @@ -43,6 +43,12 @@ class ShaarliMiddleware $this->container->basePath = rtrim($request->getUri()->getBasePath(), '/'); try { + if (!is_file($this->container->conf->getConfigFileExt()) + && !in_array($next->getName(), ['displayInstall', 'saveInstall'], true) + ) { + return $response->withRedirect($this->container->basePath . '/install'); + } + $this->runUpdates(); $this->checkOpenShaarli($request, $response, $next); diff --git a/application/front/controller/admin/LogoutController.php b/application/front/controller/admin/LogoutController.php index c5984814..28165129 100644 --- a/application/front/controller/admin/LogoutController.php +++ b/application/front/controller/admin/LogoutController.php @@ -4,6 +4,7 @@ declare(strict_types=1); namespace Shaarli\Front\Controller\Admin; +use Shaarli\Security\CookieManager; use Shaarli\Security\LoginManager; use Slim\Http\Request; use Slim\Http\Response; @@ -20,9 +21,12 @@ class LogoutController extends ShaarliAdminController { $this->container->pageCacheManager->invalidateCaches(); $this->container->sessionManager->logout(); - - // TODO: switch to a simple Cookie manager allowing to check the session, and create mocks. - setcookie(LoginManager::$STAY_SIGNED_IN_COOKIE, 'false', 0, $this->container->basePath . '/'); + $this->container->cookieManager->setCookieParameter( + CookieManager::STAY_SIGNED_IN, + 'false', + 0, + $this->container->basePath . '/' + ); return $this->redirect($response, '/'); } diff --git a/application/front/controller/visitor/InstallController.php b/application/front/controller/visitor/InstallController.php new file mode 100644 index 00000000..aa032860 --- /dev/null +++ b/application/front/controller/visitor/InstallController.php @@ -0,0 +1,173 @@ +container->conf->getConfigFileExt())) { + throw new AlreadyInstalledException(); + } + } + + /** + * Display the install template page. + * Also test file permissions and sessions beforehand. + */ + public function index(Request $request, Response $response): Response + { + // Before installation, we'll make sure that permissions are set properly, and sessions are working. + $this->checkPermissions(); + + if (static::SESSION_TEST_VALUE + !== $this->container->sessionManager->getSessionParameter(static::SESSION_TEST_KEY) + ) { + $this->container->sessionManager->setSessionParameter(static::SESSION_TEST_KEY, static::SESSION_TEST_VALUE); + + return $this->redirect($response, '/install/session-test'); + } + + [$continents, $cities] = generateTimeZoneData(timezone_identifiers_list(), date_default_timezone_get()); + + $this->assignView('continents', $continents); + $this->assignView('cities', $cities); + $this->assignView('languages', Languages::getAvailableLanguages()); + + return $response->write($this->render('install')); + } + + /** + * Route checking that the session parameter has been properly saved between two distinct requests. + * If the session parameter is preserved, redirect to install template page, otherwise displays error. + */ + public function sessionTest(Request $request, Response $response): Response + { + // This part makes sure sessions works correctly. + // (Because on some hosts, session.save_path may not be set correctly, + // or we may not have write access to it.) + if (static::SESSION_TEST_VALUE + !== $this->container->sessionManager->getSessionParameter(static::SESSION_TEST_KEY) + ) { + // Step 2: Check if data in session is correct. + $msg = t( + '
Sessions do not seem to work correctly on your server.
'.
+                'Make sure the variable "session.save_path" is set correctly in your PHP config, '.
+                'and that you have write access to it.
'.
+                'It currently points to %s.
'.
+                'On some browsers, accessing your server via a hostname like \'localhost\' '.
+                'or any custom hostname without a dot causes cookie storage to fail. '.
+                'We recommend accessing your server via it\'s IP address or Fully Qualified Domain Name.
'
+            );
+            $msg = sprintf($msg, $this->container->sessionManager->getSavePath());
+
+            $this->assignView('message', $msg);
+
+            return $response->write($this->render('error'));
+        }
+
+        return $this->redirect($response, '/install');
+    }
+
+    /**
+     * Save installation form and initialize config file and datastore if necessary.
+     */
+    public function save(Request $request, Response $response): Response
+    {
+        $timezone = 'UTC';
+        if (!empty($request->getParam('continent'))
+            && !empty($request->getParam('city'))
+            && isTimeZoneValid($request->getParam('continent'), $request->getParam('city'))
+        ) {
+            $timezone = $request->getParam('continent') . '/' . $request->getParam('city');
+        }
+        $this->container->conf->set('general.timezone', $timezone);
+
+        $login = $request->getParam('setlogin');
+        $this->container->conf->set('credentials.login', $login);
+        $salt = sha1(uniqid('', true) .'_'. mt_rand());
+        $this->container->conf->set('credentials.salt', $salt);
+        $this->container->conf->set('credentials.hash', sha1($request->getParam('setpassword') . $login . $salt));
+
+        if (!empty($request->getParam('title'))) {
+            $this->container->conf->set('general.title', escape($request->getParam('title')));
+        } else {
+            $this->container->conf->set(
+                'general.title',
+                'Shared bookmarks on '.escape(index_url($this->container->environment))
+            );
+        }
+
+        $this->container->conf->set('translation.language', escape($request->getParam('language')));
+        $this->container->conf->set('updates.check_updates', !empty($request->getParam('updateCheck')));
+        $this->container->conf->set('api.enabled', !empty($request->getParam('enableApi')));
+        $this->container->conf->set(
+            'api.secret',
+            generate_api_secret(
+                $this->container->conf->get('credentials.login'),
+                $this->container->conf->get('credentials.salt')
+            )
+        );
+
+        try {
+            // Everything is ok, let's create config file.
+            $this->container->conf->write($this->container->loginManager->isLoggedIn());
+        } catch (\Exception $e) {
+            $this->assignView('message', $e->getMessage());
+            $this->assignView('stacktrace', $e->getTraceAsString());
+
+            return $response->write($this->render('error'));
+        }
+
+        if ($this->container->bookmarkService->count(BookmarkFilter::$ALL) === 0) {
+            $this->container->bookmarkService->initialize();
+        }
+
+        $this->container->sessionManager->setSessionParameter(
+            SessionManager::KEY_SUCCESS_MESSAGES,
+            [t('Shaarli is now configured. Please login and start shaaring your bookmarks!')]
+        );
+
+        return $this->redirect($response, '/');
+    }
+
+    protected function checkPermissions(): bool
+    {
+        // Ensure Shaarli has proper access to its resources
+        $errors = ApplicationUtils::checkResourcePermissions($this->container->conf);
+
+        if (empty($errors)) {
+            return true;
+        }
+
+        // FIXME! Do not insert HTML here.
+        $message = '
'. t('Insufficient permissions:') .'
';
+
+        throw new ResourcePermissionException($message);
+    }
+}
diff --git a/application/front/exceptions/AlreadyInstalledException.php b/application/front/exceptions/AlreadyInstalledException.php
new file mode 100644
index 00000000..4add86cf
--- /dev/null
+++ b/application/front/exceptions/AlreadyInstalledException.php
@@ -0,0 +1,15 @@
+cookies = $cookies;
+    }
+
+    public function setCookieParameter(string $key, string $value, int $expires, string $path): self
+    {
+        $this->cookies[$key] = $value;
+
+        setcookie($key, $value, $expires, $path);
+
+        return $this;
+    }
+
+    public function getCookieParameter(string $key, string $default = null): ?string
+    {
+        return $this->cookies[$key] ?? $default;
+    }
+}
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 39ec9b2e..d74c3118 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -9,9 +9,6 @@ use Shaarli\Config\ConfigManager;
  */
 class LoginManager
 {
-    /** @var string Name of the cookie set after logging in **/
-    public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn';
-
     /** @var array A reference to the $_GLOBALS array */
     protected $globals = [];
 
@@ -32,17 +29,21 @@ class LoginManager
 
     /** @var string User sign-in token depending on remote IP and credentials */
     protected $staySignedInToken = '';
+    /** @var CookieManager */
+    protected $cookieManager;
 
     /**
      * Constructor
      *
      * @param ConfigManager  $configManager  Configuration Manager instance
      * @param SessionManager $sessionManager SessionManager instance
+     * @param CookieManager  $cookieManager  CookieManager instance
      */
-    public function __construct($configManager, $sessionManager)
+    public function __construct($configManager, $sessionManager, $cookieManager)
     {
         $this->configManager = $configManager;
         $this->sessionManager = $sessionManager;
+        $this->cookieManager = $cookieManager;
         $this->banManager = new BanManager(
             $this->configManager->get('security.trusted_proxies', []),
             $this->configManager->get('security.ban_after'),
@@ -86,10 +87,9 @@ class LoginManager
     /**
      * Check user session state and validity (expiration)
      *
-     * @param array  $cookie     The $_COOKIE array
      * @param string $clientIpId Client IP address identifier
      */
-    public function checkLoginState($cookie, $clientIpId)
+    public function checkLoginState($clientIpId)
     {
         if (! $this->configManager->exists('credentials.login')) {
             // Shaarli is not configured yet
@@ -97,9 +97,7 @@ class LoginManager
             return;
         }
 
-        if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
-            && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
-        ) {
+        if ($this->staySignedInToken === $this->cookieManager->getCookieParameter(CookieManager::STAY_SIGNED_IN)) {
             // The user client has a valid stay-signed-in cookie
             // Session information is updated with the current client information
             $this->sessionManager->storeLoginInfo($clientIpId);
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
index 0ac17d9a..82771c24 100644
--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -31,16 +31,21 @@ class SessionManager
     /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */
     protected $staySignedIn = false;
 
+    /** @var string */
+    protected $savePath;
+
     /**
      * Constructor
      *
-     * @param array         $session The $_SESSION array (reference)
-     * @param ConfigManager $conf    ConfigManager instance
+     * @param array         $session  The $_SESSION array (reference)
+     * @param ConfigManager $conf     ConfigManager instance
+     * @param string        $savePath Session save path returned by builtin function session_save_path()
      */
-    public function __construct(& $session, $conf)
+    public function __construct(&$session, $conf, string $savePath)
     {
         $this->session = &$session;
         $this->conf = $conf;
+        $this->savePath = $savePath;
     }
 
     /**
@@ -249,4 +254,9 @@ class SessionManager
 
         return $this;
     }
+
+    public function getSavePath(): string
+    {
+        return $this->savePath;
+    }
 }
diff --git a/application/updater/Updater.php b/application/updater/Updater.php
index f73a7452..4c578528 100644
--- a/application/updater/Updater.php
+++ b/application/updater/Updater.php
@@ -38,6 +38,11 @@ class Updater
      */
     protected $methods;
 
+    /**
+     * @var string $basePath Shaarli root directory (from HTTP Request)
+     */
+    protected $basePath = null;
+
     /**
      * Object constructor.
      *
@@ -62,11 +67,13 @@ class Updater
      * Run all new updates.
      * Update methods have to start with 'updateMethod' and return true (on success).
      *
+     * @param string $basePath Shaarli root directory (from HTTP Request)
+     *
      * @return array An array containing ran updates.
      *
      * @throws UpdaterException If something went wrong.
      */
-    public function update()
+    public function update(string $basePath = null)
     {
         $updatesRan = [];
 
@@ -123,16 +130,14 @@ class Updater
     }
 
     /**
-     * With the Slim routing system, default header link should be `./` instead of `?`.
-     * Otherwise you can not go back to the home page. Example: `/picture-wall` -> `/picture-wall?` instead of `/`.
+     * With the Slim routing system, default header link should be `/subfolder/` instead of `?`.
+     * Otherwise you can not go back to the home page.
+     * Example: `/subfolder/picture-wall` -> `/subfolder/picture-wall?` instead of `/subfolder/`.
      */
     public function updateMethodRelativeHomeLink(): bool
     {
-        $link = trim($this->conf->get('general.header_link'));
-        if ($link[0] === '?') {
-            $link = './'. ltrim($link, '?');
-
-            $this->conf->set('general.header_link', $link, true, true);
+        if ('?' === trim($this->conf->get('general.header_link'))) {
+            $this->conf->set('general.header_link', $this->basePath . '/', true, true);
         }
 
         return true;
@@ -152,7 +157,7 @@ class Updater
                 && 1 === preg_match('/^\?([a-zA-Z0-9-_@]{6})($|&|#)/', $bookmark->getUrl(), $match)
             ) {
                 $updated = true;
-                $bookmark = $bookmark->setUrl('/shaare/' . $match[1]);
+                $bookmark = $bookmark->setUrl($this->basePath . '/shaare/' . $match[1]);
 
                 $this->bookmarkService->set($bookmark, false);
             }
@@ -164,4 +169,11 @@ class Updater
 
         return true;
     }
+
+    public function setBasePath(string $basePath): self
+    {
+        $this->basePath = $basePath;
+
+        return $this;
+    }
 }
-- 
cgit v1.2.3