9 files changed, 209 insertions, 34 deletions
diff --git a/mayor-orig/www/include/base/log.php b/mayor-orig/www/include/base/log.php
index 0b8f6fd1..14e214a9 100644
--- a/mayor-orig/www/include/base/log.php
+++ b/mayor-orig/www/include/base/log.php
@@ -5,7 +5,7 @@
     function naploz($aCode)
     function szamlal($policy,$page)
 */
-
+    define('CLIENTIPADDRESS',_clientIp());
     function _clientIp() {
         return ($_SERVER['HTTP_X_FORWARDED_FOR']!='')?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];
     }
diff --git a/mayor-orig/www/include/base/login.php b/mayor-orig/www/include/base/login.php
index da3217a9..4624a92a 100644
--- a/mayor-orig/www/include/base/login.php
+++ b/mayor-orig/www/include/base/login.php
@@ -1,6 +1,6 @@
 <?php
 
-    if ($action == 'mayorGlobalLogin' || $action == 'facebooklogin' || $action== 'googleapilogin') {
+    if ($sessionMode===2 || $action == 'mayorGlobalLogin' || $action == 'facebooklogin' || $action== 'googleapilogin') {
 
         $toPolicy = readVariable($_REQUEST['toPolicy'], 'enum', 'private', $POLICIES);
         $policyOrderIndex = readVariable($_POST['policyOrderIndex'], 'id', 0);
@@ -46,6 +46,15 @@
 		$userAccount = $GOOGLEAPIDATA['userAccount'];
 		$googleapiAuth = true;
 	    }
+	} elseif ($sessionMode===2) {
+	    $MAYORAPIDATA = mayorApiAuth();
+	    if ($MAYORAPIDATA!==false && $MAYORAPIDATA['userAccount']!="") {
+		$userAccount = $MAYORAPIDATA['userAccount'];
+		$toPolicy = $MAYORAPIDATA['toPolicy'];
+		$mayorapiAuth = true;
+	    } else {
+		unsetTokenCookies(); // + unregister token
+	    }
 	} else {
 	    $userPassword = readVariable($_POST['userPassword'], 'string');
 	    // $userAccount = readVariable($_POST['userAccount'], 'regexp', null, array("^([a-z]|[A-Z]|[0-9]| |\.|,|_|[űáéúőóüöíŰÁÉÚŐÓÜÖÍäÄ]|-|@)*$"));
@@ -56,7 +65,7 @@
 	if (is_array($AUTH[$toPolicy]['allowOnly']) && !in_array($userAccount,$AUTH[$toPolicy]['allowOnly'])) $userAccount='';
 
 	if ($sessionID != '') $accountInformation['sessionID'] = $sessionID;
-	if ($userAccount != '' and ($userPassword != '' or $fbAuth===true or $googleapiAuth===true)) {
+	if ($userAccount != '' and ($userPassword != '' or $fbAuth===true or $googleapiAuth===true or $mayorapiAuth === true)) {
 
 	  for ($i=0; $i<count($__POLICYORDER[$policyOrderIndex]); $i++) {
 	    $toPolicy=$__POLICYORDER[$policyOrderIndex][$i];
@@ -84,6 +93,15 @@
 		    $_SESSION['alert'][] = 'info:A google azonosító nincs még összekötve! Először lépj be a MaYoR-ba, és kezdeményezd!';
 		    continue;;
 		}
+	    } elseif ($mayorapiAuth===true) {
+		if ($MAYORAPIDATA['toPolicy'] == $toPolicy) {
+		    $result = _AUTH_SUCCESS; // az authentikációt a mayorApiAuth() csinálta
+		    $accountInformation['cn'] = $MAYORAPIDATA['userCn'];
+		    // $accountInformation['mail'] = $MAYORAPIDATA['userEmail'];
+        	    $accountInformation['studyId'] = $MAYORAPIDATA['studyId'];	
+		} else {
+		    continue;;
+		}
 	    } else {
 		$result = userAuthentication($userAccount, $userPassword, $accountInformation, $toPolicy); // ??? toPolicy benne van az AccountInformation-ben!!! Ldap backend only?
 	    }
@@ -93,6 +111,7 @@
 	    if ($result === _AUTH_SUCCESS) {
 		$_SESSION['alert'] = array();
 		$sessionID = newSession($accountInformation, $toPolicy);
+		if ($mayorapiAuth!==true) generateAuthToken(array('userAccount'=>$userAccount, 'policy'=>$toPolicy, 'userCn'=>$accountInformation['cn'], 'studyId'=>$accountInformation['studyId'])); // --TODO untrusted clients
 		if ($toSkin == '') $toSkin = $skin;
 		header('Location: '.location("index.php?page=$toPage&sub=$toSub&f=$toF&sessionID=$sessionID&policy=$toPolicy&lang=$lang&skin=$toSkin", array('alertOLD')));
 		break;
diff --git a/mayor-orig/www/include/base/rights.php b/mayor-orig/www/include/base/rights.php
index 1f3eed0f..dc6b7aa7 100644
--- a/mayor-orig/www/include/base/rights.php
+++ b/mayor-orig/www/include/base/rights.php
@@ -1,4 +1,9 @@
 <?php
+
+// --TODO-- ez nem ide való!
+require_once('include/modules/auth/base/token.php');
+
+
 /*
     Module: base
 
@@ -43,16 +48,14 @@ function sessionCookieEncode($sessionID,$now,$extra='')
 {
     if ($extra=='') $extra = uniqid(rand(), true);
     $extraHash=sessionHash('ripemd160',$extra);
-// pwHash added
-//  $value = base64_encode(strtotime($now).'g'.$extraHash);
     $pwHash = sessionHash('ripemd160',uniqid(rand(), true));
     $value = base64_encode(strtotime($now).'g'.$extraHash.'g'.$pwHash);
-    return array('name'=>md5($sessionID), 'value'=>$value, 'store'=> $extraHash, 'pwHash'=>$pwHash);
+    return array('name'=>($sessionID), 'value'=>$value, 'store'=> $extraHash, 'pwHash'=>$pwHash);
 }
 
 function sessionCookieDecode($sessionID) 
 {
-    return explode('g',base64_decode($_COOKIE[md5($sessionID)]));
+    return explode('g',base64_decode($_COOKIE[($sessionID)]));
 }
 
 function pseudoTokenGenerator() {
@@ -68,10 +71,8 @@ function pseudoTokenGenerator() {
 # Azonosított user ellenőrzése a session tábla alapján
 ######################################################################
 
-
-
 function validUser($sessionID,$policy,$skin='',$lang='') {
-
+    global $page;
     if (_RUNLEVEL === 'cron') {
     	    define('_USERPASSWORD','MaYoR-cron');
     	    define('_USERACCOUNT','MaYoR-cron');
@@ -82,31 +83,25 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
 	    return true;
     }
 
+//    if ($sessionID == '' || $MAYORAPIAUTH['valid']!==true) {
     if ($sessionID == '') {
-
-	if ($policy == _POLICY) {
+	$MAYORAPIAUTH = mayorApiAuth(); // van-e hosszulejáratu session-je
+	if ($policy == _POLICY && $MAYORAPIAUTH['valid']!==true) {
     	    define('_USERPASSWORD','');
     	    define('_USERACCOUNT','');
     	    define('_USERCN','');
     	    define('_STUDYID','');
-//    	    define('_SKIN',$skin);
     	    define('_LANG',$lang);
     	    define('_SESSIONID','');
 	}
         return false;
-
     } else {
 
        $lr = db_connect('login', array('fv' => 'validUser'));
 
         if ($lr === false) die('A keretrendeszer adatbázisa nem érhető el! (validUser)');
 	// ha nem tudta beállítani a sütit, akkor az $_sc üres lesz így a dt feltétel 1970-01-01, ami nem gond.
-// pwHash
-//	list($_sessionDt,$_sessionCookie) = sessionCookieDecode($sessionID);
 	list($_sessionDt,$_sessionCookie,$_sessionPwHash) = sessionCookieDecode($sessionID);
-// pwHash
-//        $query = "SELECT userAccount, userCn, studyId, decode(userPassword, '"._MYSQL_ENCODE_STR."'), skin, lang, activity, dt
-//                    FROM session WHERE sessionID='%s' AND policy='%s'";
         $query = "SELECT userAccount, userCn, studyId, aes_decrypt(userPassword, '%s'), skin, lang, activity, dt
 		    FROM session WHERE sessionID='%s' AND policy='%s'"; // [SECURITY-002] quickfix from marton.drotos@sztaki.hu
 
@@ -116,12 +111,30 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
 	$query .= " AND sessionCookie='%s'";
 
 	$ret = db_query($query, array('fv' => 'validUser', 'modul' => 'login', 'result' => 'indexed', 'values' => array($_sessionPwHash, $sessionID, $policy, $_sessionCookie)), $lr);
-
 	$num = count($ret);
+	$sessionMode = 1;
+
+	// ha nincs találat, nézzük meg, van-e a kliensnek hosszú lejáratú tokenje, kivéve, ha ...
+	if ($num !== 1 && $page!='password') {
+	    $MAYORAPIAUTH = mayorApiAuth();
+	    if ($MAYORAPIAUTH['valid'] === true) {
+		global $sessionMode;
+		$sessionMode = 2;
+		// reauth AS:
+        	$toPolicy = $MAYORAPIAUTH['policy'];
+        	$userAccount = $MAYORAPIAUTH['userAccount'];
+		$userCn = $MAYORAPIAUTH['userCn'];
+		$studyId = $MAYORAPIAUTH['studyId'];
+		$userPassword = '';
+		$lang = _DEFAULT_LANG;
+	    } else {
+		unsetTokenCookies();
+	    }
+	} // --token vizsgálat vége
+
         if ($num == 1) {
 
-            list($userAccount, $userCn, $studyId, $userPassword, $savedSkin, $lang, $activity, $dt) = array_values($ret[0]);
-	    /* PDA */
+	    if ($sessionMode == 1) list($userAccount, $userCn, $studyId, $userPassword, $savedSkin, $lang, $activity, $dt) = array_values($ret[0]);
 	    global $SKINS;
 	    if (_USER_AGENT!=='ppc' && @in_array($savedSkin,$SKINS) ) $skin=$savedSkin;
 	    if ($policy == _POLICY) {
@@ -133,7 +146,8 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
                 define('_LANG',$lang);
         	define('_SESSIONID',$sessionID);
 	    }
-	    // Aktivitás figyelése!
+
+	    // Aktivitás figyelése! // hopp, nem biztos, hogy van session!
 	    $query = "UPDATE session SET activity = NOW() WHERE sessionID = '%s'";
 	    db_query($query, array('fv' => 'validUser', 'modul' => 'login', 'values' => array($sessionID)), $lr);
     	    db_close($lr);
@@ -247,7 +261,10 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
 		unset($_POST['action']);
 		unset($action);
 	    }
-	} else { // klasszikus ellenőrzés, fallback // TODO BEGIN DEPRECATED BLOCK
+	} else { // klasszikus ellenőrzés, fallback
+	    echo 'FATAL ERROR 696';
+	    die();
+	    /*
 	    // $_JSON['result'] = false; // ITT gátolhatjuk a működést
 	    if ($_COOKIE[__SALTNAME]=='') { // a session átállásig - ez semmitől nem véd, adott nevű sütit generálni bárki tud
 		$_SESSION['alert'][] = 'message:not_valid_form:no cookie'.$_SESSION[__SALTNAME]; 
@@ -264,13 +281,17 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
 		unset($_POST['action']);
 		unset($action);
 	    }
+	    */
 	} // END DEPRECATED BLOCK
     }
     // eredeti post kezelés + ETAG prevent cache
     if (($_SERVER['HTTPS']!=='on') || (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']!='' && substr($_SERVER['HTTP_REFERER'],4,1)!=='s')) $_ssl = false; else $_ssl=true;
-    if (@setcookie(__SALTNAME,__SALTVALUE,time()+60*60*_SESSION_MAX_IDLE_TIME,'/','',$_ssl, true) == false) {
-        $_SESSION['alert'][] = 'message:no_cookie:unabletoset';
-    }
+
+//4400    if (@setcookie('xxxDEPRECATEDxxx_'.__SALTNAME,__SALTVALUE,time()+60*60*_SESSION_MAX_IDLE_TIME,'/','',$_ssl, true) == false) {
+//4400        $_SESSION['alert'][] = 'message:no_cookie:unabletoset';
+//4400    }
+
+
     /* /XSRF2 previous revision: r4138 */
 
     // betöltjük az össes config-ot... (lásd még widgets)
diff --git a/mayor-orig/www/include/modules/auth/base/token.php b/mayor-orig/www/include/modules/auth/base/token.php
new file mode 100644
index 00000000..72cbcffb
--- /dev/null
+++ b/mayor-orig/www/include/modules/auth/base/token.php
@@ -0,0 +1,116 @@
+<?php
+
+    function generateAuthToken($accountData) {
+
+	if (!defined('AUTHTOKENENABLED') || AUTHTOKENENABLED!==true) return false;
+
+	if (version_compare(PHP_VERSION,'5.3.0')>=0) {
+	    $selector = bin2hex(openssl_random_pseudo_bytes(8));
+	    $token = openssl_random_pseudo_bytes(32);
+	} elseif (version_compare(PHP_VERSION,'7.0.0')>=0) {
+	    $selector = bin2hex(random_bytes(8));
+	    $token = random_bytes(32);
+	} else {
+	    return false; // nem támogatjuk
+	}
+
+	if (isset($_COOKIE['t_selector'])===true && isset($_COOKIE['t_validator'])===true) return true; // már van selector/validator elmentve 
+
+	$lr = db_connect('login');
+	db_start_trans($lr);
+
+	$q = "DELETE FROM authToken WHERE expires <= NOW() - INTERVAL 10 DAY";
+	db_query($q, array('debug'=>false,'fv' => 'na', 'modul'=>'login', 'result'=>'delete'),$lr);
+
+	$q = "INSERT INTO authToken (policy, userAccount, 
+	    userCn, studyId,
+	    selector, token, expires, activity, ipAddress) VALUES ('%s', '%s', '%s', '%s', '%s','%s',NOW() + INTERVAL 30 DAY,NOW(),'%s')";
+	$v = array($accountData['policy'], $accountData['userAccount'], 
+		$accountData['userCn'], $accountData['studyId'],
+		$selector, 
+		hash('sha256', $token),
+		CLIENTIPADDRESS
+	);
+	$Id = db_query($q, array('debug'=>false,'fv' => 'na', 'modul'=>'login', 'result'=>'insert', 'values'=>$v),$lr);
+	db_commit($lr);
+	db_close($lr);
+
+	if ($Id !== false) {
+	    setcookie('t_selector',$selector,time()+604800*5,'/','',TRUE,TRUE);
+	    setcookie('t_validator',bin2hex($token),time()+604800*5,'/','',TRUE,TRUE);
+	    $_SESSION['mayorapiauth'] = true;
+	    return true;
+	} else {
+	    return false;
+	}
+    }
+
+    function unsetTokenCookies() { // + MS_*
+	$selector = readVariable($_COOKIE['t_selector'], 'string', readVariable($_GET['t_selector'], 'hexa', null));
+	if ($selector!='') {
+	    $q = "DELETE FROM authToken WHERE selector='%s'";
+	    $values = array($selector);
+	    db_query($q, array('debug'=>false,'fv' => 'na', 'modul'=>'login', 'result'=>'delete', 'values'=>$values),$lr);
+	}
+        setcookie('t_selector','',time() - 3600,'/','',TRUE,TRUE);
+        setcookie('t_validator','',time() - 3600,'/','',TRUE,TRUE);
+	if (is_array($_COOKIE)) {
+	    foreach($_COOKIE as $key => $value) {
+		if (substr($key,0,3) == 'MS_') {
+    		    setcookie($key,'',time() - 3600,'/','',TRUE,TRUE);
+		}
+	    }
+	}
+	$_SESSION['mayorapiauth'] = false;
+    }
+
+    function mayorApiAuth() {
+
+	// $MAYORAPIDATA tömb feltöltése
+            $selector = readVariable($_COOKIE['t_selector'], 'string', readVariable($_GET['t_selector'], 'hexa', null));
+            $validator = readVariable($_COOKIE['t_validator'], 'string', readVariable($_GET['t_validator'], 'hexa', null));
+            if ($selector!='' && $validator!='') {
+                $q = "SELECT * FROM authToken WHERE selector = '%s' AND expires >= NOW()";
+                $r = db_query($q, array('fv'=>'rights/xltoken','modul'=>'login','result'=>'record','values'=>array($selector)));
+            }
+            if (is_array($r)) {
+                $calc = hash('sha256', hex2bin($validator));
+                if (hash_equals($calc, $r['token'])) { // valid token
+                        global $sessionMode;
+                        $sessionMode = 2;
+                        // reauth AS:
+                        $toPolicy = $r['policy'];
+                        $userAccount = $r['userAccount'];
+                        $userCn = $r['userCn'];
+                        $studyId = $r['studyId'];
+                        $userPassword = ''; // ???
+                        $lang = _DEFAULT_LANG;
+			$data = $r;
+		    $_SESSION['mayorapiauth'] = true;
+            	    $q = "UPDATE authToken SET activity=NOW(), ipAddress='%s' WHERE selector = '%s'";
+		    $v = array(CLIENTIPADDRESS,$selector);
+            	    db_query($q, array('fv'=>'rights/xltoken','modul'=>'login','result'=>'update','values'=>$v));
+		    return array('userAccount'=>$data['userAccount'],'toPolicy'=>$data['policy'],'studyId'=>$data['studyId'],'userCn'=>$data['userCn'],'valid'=>true);
+                } else {
+                    unsetTokenCookies();
+                }
+	    } else {
+                unsetTokenCookies();
+	    }
+	return false;
+    }
+
+    function getMyActivity() {
+	$q = "SELECT ipAddress,activity FROM authToken WHERE userAccount ='%s' AND policy='%s'";
+	$v = array(_USERACCOUNT,_POLICY);
+        return db_query($q, array('fv'=>'rights/getMyActivity','modul'=>'login','result'=>'indexed','values'=>$v));
+    }
+
+    function revokeTokens() {
+	unsetTokenCookies();
+	$q = "DELETE FROM authToken WHERE userAccount ='%s' AND policy='%s'";
+	$v = array(_USERACCOUNT,_POLICY);
+        return db_query($q, array('fv'=>'rights/revokeTokens','modul'=>'login','result'=>'delete','values'=>$v));
+    }
+
+?>
diff --git a/mayor-orig/www/include/modules/portal/share/hirek.php b/mayor-orig/www/include/modules/portal/share/hirek.php
index f9a64f62..5aa3bdc9 100644
--- a/mayor-orig/www/include/modules/portal/share/hirek.php
+++ b/mayor-orig/www/include/modules/portal/share/hirek.php
@@ -14,6 +14,7 @@
     }
 
     function getHirek($SET = array('all'=>true,'tolDt'=>'', 'igDt'=>'', 'id' => '', 'flag'=>array(), 'class'=>array(), 'cid'=>array(), 'limit'=>'', 'lang'=>'hu_HU') ) {
+
 	$tolDt = $SET['tolDt']; $igDt = $SET['igDt'];
 	if ($tolDt!='') $W[] = "kdt<='$tolDt'";
 	if ($igDt!='')  $W[] = "vdt>='$igDt'";
diff --git a/mayor-orig/www/include/modules/session/accountInfo.php b/mayor-orig/www/include/modules/session/accountInfo.php
index b670312f..b14a8edb 100644
--- a/mayor-orig/www/include/modules/session/accountInfo.php
+++ b/mayor-orig/www/include/modules/session/accountInfo.php
@@ -56,6 +56,22 @@
 
     }
 
+    function createEduroamSettings($ADAT) {
+
+	    $q = "INSERT INTO eduroam (userAccount,policy,eduroamUID,eduroamPASSWORD,eduroamAFFILIATION,eduroamDOMAIN)
+	    VALUES ('%s','%s','%s','%s','%s','%s')";
+	    $values = array(
+		$ADAT['userAccount'],
+		$ADAT['policy'],
+		$ADAT['eduroamUID'],
+		$ADAT['eduroamPASSWORD'],
+		$ADAT['eduroamAFFILIATION'],
+		$ADAT['eduroamDOMAIN'],
+	    );
+	    $res = db_query($q, array('modul'=>'login','values'=>$values));
+	    return $res;
+    }
+
     function getEduroamSettings($userAccount,$toPolicy,$ADAT) {
 
 	$res = false;
diff --git a/mayor-orig/www/include/share/auth/base.php b/mayor-orig/www/include/share/auth/base.php
index 9b4fa21a..8ff27f5e 100644
--- a/mayor-orig/www/include/share/auth/base.php
+++ b/mayor-orig/www/include/share/auth/base.php
@@ -93,7 +93,7 @@
 	    db_query($query, array('fv' => 'newSession', 'modul' => 'login', 'values' => array($sessionID, $policy)), $lr);
 	} 
 	$now = date('Y-m-d H:i:s');
-	$_SC = sessionCookieEncode($sessionID, $now);
+	$_SC = sessionCookieEncode($sessionID, $now); // TODO
 	$_studyId = ($studyId=='') ? 'NULL' : $studyId;
 	if ($studyId=='') {
     	    $query="INSERT INTO session
@@ -109,9 +109,7 @@
         db_query($query, array('fv' => 'newSession', 'modul' => 'login', 'values' => $v), $lr);
         db_close($lr);
 
-	// Megjegyzés: a sessionID elhashelése nem jelent semmiféle védelmet, így tökéletesen megfelelő az md5 is
-	// értékénél viszont a $now alkalmazása tökéletesen hibás, hiszen a lejárati dátumból 1:1-ben reprodukálható
-	
+	// Megjegyzés: a sessionID elhashelése nem jelent semmiféle védelmet, így tökéletesen megfelelő a gyenge hash is, de now alkalmazása hibás
 	setcookie($_SC['name'],$_SC['value'],time()+60*60*_SESSION_MAX_TIME,'/','',_SECURECOOKIE);
 
         return $sessionID;
diff --git a/mayor-orig/www/include/share/session/base.php b/mayor-orig/www/include/share/session/base.php
index 706a9ef9..337c72df 100644
--- a/mayor-orig/www/include/share/session/base.php
+++ b/mayor-orig/www/include/share/session/base.php
@@ -115,9 +115,11 @@
 	db_query($q, array('fv' => 'cache', 'modul' => 'login', 'result' => 'indexed', 'values'=>$v));
     }
 
-
-
-
+    function _clearSessionCache($sessionID) {
+	$q = "DELETE FROM `cache` WHERE sessionID  IN ('%s','%s')";
+	$v = array(_SESSIONID,$sessionID);
+	db_query($q, array('debug'=>false,'fv' => 'cache', 'modul' => 'login', 'result' => 'indexed', 'values'=>$v));
+    }
 
 ######################################################
 # getBackendAttrs - az adott policy backend-jéhez tartozó attribútumok - session modul
diff --git a/mayor-orig/www/include/share/session/close.php b/mayor-orig/www/include/share/session/close.php
index 146a038e..2c321ef0 100644
--- a/mayor-orig/www/include/share/session/close.php
+++ b/mayor-orig/www/include/share/session/close.php
@@ -30,6 +30,8 @@
     function closeSession($sessionID = '') {
 	// _SESSIONID csak validUser esetén van, de mi lehet, hogy másik policy-ből jöttünk!
 	if ($sessionID == '') $sessionID = $_REQUEST['sessionID'];
+	_clearSessionCache($sessionID);
+	unsetTokenCookies();
 	$q = "DELETE FROM session WHERE sessionID='%s'";
 	return db_query($q, array('fv' => 'closeSession', 'modul' => 'login', 'result' => 'affected rows', 'values' => array($sessionID)));
     }