Point808/LobbySIO
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rough encrypt

Browse Source
This commit is contained in:
Josh North 2021-09-02 11:23:35 -04:00
parent 65a34f5b65
commit f8f37fe6e2
15 changed files with 566 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
classes/index.php Executable file
View File

@ -0,0 +1,26 @@
<?php
/*
* Copyright (C) 2018 josh.north@point808.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
ini_set('session.gc_probability', 1); // GC RATES
ini_set('session.gc_divisor', 100); // TIMES
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_lifetime', '0');
ini_set('session.cookie_secure', '0');
ini_set('session.cookie_httponly', '0');
ini_set('session.cookie_samesite', 'Lax');

189
classes/misc/csrf.php Normal file
View File

@ -0,0 +1,189 @@
<?php
/*
* Copyright (C) 2018 josh.north@point808.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
namespace classes\misc;
class csrf {
/**
* Generates a new token
* @return [object] token
*/
protected static function setNewToken(string $page, int $expiry) {
$token = new \stdClass();
$token->page = $page;
$token->expiry = time() + $expiry;
$token->sessiontoken = base64_encode(random_bytes(32));
$token->cookietoken = md5(base64_encode(random_bytes(32)));
setcookie ( self::makeCookieName($page), $token->cookietoken, [
'expires' => $token->expiry,
'secure' => false,
'httponly' => false,
'samesite' => 'Lax',
]);
return $_SESSION['csrftokens'][$page] = $token;
}
/**
* Returns a session token for a page
* @param [string] page name
* @return [object] token
*/
protected static function getSessionToken(string $page) {
return !empty($_SESSION['csrftokens'][$page]) ? $_SESSION['csrftokens'][$page] : null;
}
/**
* [getCookieToken description]
* @param [string] page name
* @return [string] token string / empty string
*/
protected static function getCookieToken(string $page) : string {
$value = self::makeCookieName($page);
return !empty($_COOKIE[$value]) ? $_COOKIE[$value] : '';
}
/**
* Centralised method to make the cookie name
* @param [string] page name
* @return [string] cookie token name / empty string
*/
protected static function makeCookieName(string $page) : string {
if (empty($page)) {
return '';
}
return 'csrftoken-' . substr(md5($page), 0, 10);
}
/**
* Confirms that the superglobal $_SESSION exists
* @return [bool] Whether the session exists or not
*/
protected static function confirmSessionStarted() : bool {
if (!isset($_SESSION)) {
trigger_error('Session has not been started.', E_USER_ERROR);
return false;
}
return true;
}
/**
* Returns a page's token.
* - Page name is required so that users can browse to multiple pages and allows for each
* page to have its own unique token
*
* @param [string] page name
* @param [int] expiry time
* @return [mixed] markup to be used in the form, false on data missing
*/
public static function getInputToken(string $page, int $expiry = 1800) {
self::confirmSessionStarted();
if (empty($page)) {
trigger_error('Page is missing.', E_USER_ERROR);
return false;
}
$token = (self::getSessionToken($page) ?? self::setNewToken($page, $expiry));
return '<input type="hidden" id="csrftoken" name="csrftoken" value="'. $token->sessiontoken .'">';
}
/**
* Verify's a request token against a session token
* @param [string] page name
* @param [string] token from the request
* @return [bool] whether the request submission is valid or not
*/
public static function verifyToken(string $page, $removeToken = false, $requestToken = null) : bool {
self::confirmSessionStarted();
// if the request token has not been passed, check POST
$requestToken = ($requestToken ?? $_POST['csrftoken'] ?? null);
if (empty($page)) {
trigger_error('Page alias is missing', E_USER_WARNING);
return false;
}
else if (empty($requestToken)) {
trigger_error('Token is missing', E_USER_WARNING);
return false;
}
$token = self::getSessionToken($page);
// if the time is greater than the expiry form submission window
if (empty($token) || time() > (int) $token->expiry) {
self::removeToken($page);
return false;
}
// check the hash matches the Session / Cookie
$sessionConfirm = hash_equals($token->sessiontoken, $requestToken);
$cookieConfirm = hash_equals($token->cookietoken, self::getCookieToken($page));
// remove the token
if ($removeToken) {
self::removeToken($page);
}
// both session and cookie match
if ($sessionConfirm && $cookieConfirm) {
return true;
}
return false;
}
/**
* Removes a token from the session
* @param [string] $page page name
* @return [bool] successfully removed or not
*/
public static function removeToken(string $page) : bool {
self::confirmSessionStarted();
if (empty($page)) {
return false;
}
unset($_COOKIE[self::makeCookieName($page)], $_SESSION['csrftokens'][$page]);
return true;
}
} // Csrf

20
classes/misc/date.php Normal file
View File

@ -0,0 +1,20 @@
<?php
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
namespace classes\misc;
class date {
public function getUTC () {
return gmdate('Y-m-d H:i:s');
}
}

26
classes/misc/index.php Executable file
View File

@ -0,0 +1,26 @@
<?php
/*
* Copyright (C) 2018 josh.north@point808.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
ini_set('session.gc_probability', 1); // GC RATES
ini_set('session.gc_divisor', 100); // TIMES
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_lifetime', '0');
ini_set('session.cookie_secure', '0');
ini_set('session.cookie_httponly', '0');
ini_set('session.cookie_samesite', 'Lax');

21
classes/misc/simple.php Normal file
View File

@ -0,0 +1,21 @@
<?php
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
namespace classes\misc;
use App\LobbySIO\Config\Registry;
class simple {
public function getHideFooter () {
return Registry::HIDEFOOTER;
}
}

114
encrypt-test.php Normal file
View File

@ -0,0 +1,114 @@
<?php
/*
* Copyright (C) 2018 josh.north@point808.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
ini_set('session.gc_probability', 1); // GC RATES
ini_set('session.gc_divisor', 100); // TIMES
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '0');
ini_set('session.cookie_lifetime', '0');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '0');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
require_once __DIR__ . '/src/Misc/defuse-crypto.phar';
use App\LobbySIO\Config\Registry;
use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
$Users = new \App\LobbySIO\Database\Users();
if (Registry::AUTHMETHOD == 'SAML') {
//simplesaml
require_once('../simplesamlphp/lib/_autoload.php');
$auth = new \SimpleSAML\Auth\Simple(Registry::AUTHIDP);
//$auth->requireAuth();
$auth->isAuthenticated();
if (!$auth->isAuthenticated()) {
$attributes = 'none';
} else {
$attributes = $auth->getAttributes();
$saml_user_email = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0];
$saml_user_info = $Users->getUserInfoByEmail($saml_user_email, "1", "0");
$saml_user_id = $saml_user_info["0"]["users_id"];
}
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();
}
$StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES
$encKey = $StaticFunctions->loadEncryptionKeyFromConfig();
$SiteInfo = new \App\LobbySIO\Database\SiteInfo();
if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT
if (isset($saml_user_id)) {
$sessuserid=$saml_user_id;
} else {
$sessuserid=$_SESSION['user_id'];
}
} elseif (!isset($_SESSION['user_id'])) {
if (isset($saml_user_id)) {
$sessuserid=$saml_user_id;
} else {
$sessuserid='2';
}
$session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
if (isset($session_user)) { // GET UID OR SET TO KIOSK
$uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
$app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP LANGUAGE
if(!isset($app_disp_lang)) {
$app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
$siteidcookie = filter_input(INPUT_COOKIE, 'app_site', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP SITE
foreach($SiteInfo->getSite("0", $uid, "0", "0") as $arr) {
$lookup_array[$arr['sites_id']]=1; }
if(isset($lookup_array[$siteidcookie])) {
$siteid = $siteidcookie; } else { $siteid = "1"; }
if(!isset($siteid)) { $siteid="1"; }
$Translate = new \App\LobbySIO\Language\Translate($app_disp_lang); // SETUP TRANSLATOR
$transLang = $Translate->userLanguage();
$VisitTypeInfo = new \App\LobbySIO\Database\VisitTypeInfo(); // ADDITIONAL CLASSES
$IDTypeInfo = new \App\LobbySIO\Database\IDTypeInfo();
$VisitInfo = new \App\LobbySIO\Database\VisitInfo();
$VisitActions = new \App\LobbySIO\Database\VisitActions();
$app_current_pagename = $transLang['STR_COMMON_HOME']; // PAGE SETUP
$app_current_pageicon = '<i class="fas fa-home"></i> ';
require_once("inc/header.inc.php");
$urlsrc=basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL));
//header("X-Frame-Options: SAMEORIGIN");
//header("X-Content-Type-Options: nosniff");
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
}
?>
<?php if ($StaticFunctions->getUserSessionStatus() == false) {
die; //do not run if not authenticated
} else {
$samplekey = Key::createNewRandomKey();
$samplekeysafe = $samplekey->saveToAsciiSafeString();
echo "Sample Keys (Reload page for more...)<br />";
for ($i=0; $i < 10; $i++) {
$samplekey = Key::createNewRandomKey();
$samplekeysafe = $samplekey->saveToAsciiSafeString();
$samplekeysafelength=strlen($samplekeysafe);
print $samplekeysafe." (".$samplekeysafelength.")<br/>";
}
}

133
encrypt.php.example Normal file
View File

@ -0,0 +1,133 @@
<?php
/*
* Copyright (C) 2018 josh.north@point808.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
ini_set('session.gc_probability', 1); // GC RATES
ini_set('session.gc_divisor', 100); // TIMES
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '0');
ini_set('session.cookie_lifetime', '0');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '0');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
require_once __DIR__ . '/src/Misc/defuse-crypto.phar';
use App\LobbySIO\Config\Registry;
use Defuse\Crypto\Crypto;
$Users = new \App\LobbySIO\Database\Users();
if (Registry::AUTHMETHOD == 'SAML') {
//simplesaml
require_once('../simplesamlphp/lib/_autoload.php');
$auth = new \SimpleSAML\Auth\Simple(Registry::AUTHIDP);
//$auth->requireAuth();
$auth->isAuthenticated();
if (!$auth->isAuthenticated()) {
$attributes = 'none';
} else {
$attributes = $auth->getAttributes();
$saml_user_email = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0];
$saml_user_info = $Users->getUserInfoByEmail($saml_user_email, "1", "0");
$saml_user_id = $saml_user_info["0"]["users_id"];
}
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();
}
$StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES
$encKey = $StaticFunctions->loadEncryptionKeyFromConfig();
$SiteInfo = new \App\LobbySIO\Database\SiteInfo();
if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT
if (isset($saml_user_id)) {
$sessuserid=$saml_user_id;
} else {
$sessuserid=$_SESSION['user_id'];
}
} elseif (!isset($_SESSION['user_id'])) {
if (isset($saml_user_id)) {
$sessuserid=$saml_user_id;
} else {
$sessuserid='2';
}
$session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
if (isset($session_user)) { // GET UID OR SET TO KIOSK
$uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
$app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP LANGUAGE
if(!isset($app_disp_lang)) {
$app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
$siteidcookie = filter_input(INPUT_COOKIE, 'app_site', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP SITE
foreach($SiteInfo->getSite("0", $uid, "0", "0") as $arr) {
$lookup_array[$arr['sites_id']]=1; }
if(isset($lookup_array[$siteidcookie])) {
$siteid = $siteidcookie; } else { $siteid = "1"; }
if(!isset($siteid)) { $siteid="1"; }
$Translate = new \App\LobbySIO\Language\Translate($app_disp_lang); // SETUP TRANSLATOR
$transLang = $Translate->userLanguage();
$VisitTypeInfo = new \App\LobbySIO\Database\VisitTypeInfo(); // ADDITIONAL CLASSES
$IDTypeInfo = new \App\LobbySIO\Database\IDTypeInfo();
$VisitInfo = new \App\LobbySIO\Database\VisitInfo();
$VisitActions = new \App\LobbySIO\Database\VisitActions();
$app_current_pagename = $transLang['STR_COMMON_HOME']; // PAGE SETUP
$app_current_pageicon = '<i class="fas fa-home"></i> ';
require_once("inc/header.inc.php");
$urlsrc=basename(filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL));
//header("X-Frame-Options: SAMEORIGIN");
//header("X-Content-Type-Options: nosniff");
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
}
?>
<?php if ($StaticFunctions->getUserSessionStatus() == false) {
die;
} else {
$query = "
SELECT
" . Registry::DB_PRFX . "visits.id as visits_id,
" . Registry::DB_PRFX . "visits.firstname as visits_firstname,
" . Registry::DB_PRFX . "visits.lastname as visits_lastname,
" . Registry::DB_PRFX . "visits.company as visits_company,
" . Registry::DB_PRFX . "visits.escort as visits_escort,
" . Registry::DB_PRFX . "visits.carnum as visits_carnum
FROM " . Registry::DB_PRFX . "visits";
$database = new \App\LobbySIO\Database\Connect();
$rows = $database->getQuery($query);
foreach ($rows as $tr) {
$visits_id = $tr['visits_id'];
$visits_firstname_e = Crypto::encrypt($tr['visits_firstname'], $encKey);
$visits_lastname_e = Crypto::encrypt($tr['visits_lastname'], $encKey);
$visits_company_e = Crypto::encrypt($tr['visits_company'], $encKey);
$visits_escort_e = Crypto::encrypt($tr['visits_escort'], $encKey);
$visits_carnum_e = Crypto::encrypt($tr['visits_carnum'], $encKey);
$query = "
UPDATE " . Registry::DB_PRFX . "visits
SET " . Registry::DB_PRFX . "visits.firstname = \"$visits_firstname_e\",
" . Registry::DB_PRFX . "visits.lastname = \"$visits_lastname_e\",
" . Registry::DB_PRFX . "visits.company = \"$visits_company_e\",
" . Registry::DB_PRFX . "visits.escort = \"$visits_escort_e\",
" . Registry::DB_PRFX . "visits.carnum = \"$visits_carnum_e\"
WHERE " . Registry::DB_PRFX . "visits.id = \"$visits_id\"
";
$database = new \App\LobbySIO\Database\Connect();
$count = $database->runQuery($query);
}
}

2
inc/footer.inc.php
View File

@ -22,7 +22,7 @@
<div class="container-fluid"> <div class="container-fluid">
<div class="row">&nbsp;</div> <div class="row">&nbsp;</div>
<div class="row row-cols-3"> <div class="row row-cols-3">
<?php if($StaticFunctions->getHideFooter()=='false' || $app_current_pagename == $transLang['LOGIN']){ ?> <?php if(Classes\Misc\Simple::GetHideFooter()=='false' || $app_current_pagename == $transLang['LOGIN']){ ?>
<div class="col-sm text-muted text-start"><?php echo $transLang['SERVER_TIME'] . ": " . $StaticFunctions->getUTC(); ?></div> <div class="col-sm text-muted text-start"><?php echo $transLang['SERVER_TIME'] . ": " . $StaticFunctions->getUTC(); ?></div>
<div class="col-sm text-muted text-center"><?php echo $transLang['LOCAL_TIME'] . ": " . $timenow; ?></div> <div class="col-sm text-muted text-center"><?php echo $transLang['LOCAL_TIME'] . ": " . $timenow; ?></div>
<div class="col-sm text-muted text-end"> <div class="col-sm text-muted text-end">

16
index.php
View File

@ -25,9 +25,12 @@
ini_set('session.cookie_httponly', '0'); ini_set('session.cookie_httponly', '0');
ini_set('session.cookie_samesite', 'Lax'); ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP session_save_path('.tmp'); // TEMP
spl_autoload_register();
session_start(); // START session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD require_once __DIR__ . '/autoload.php'; // AUTOLOAD
require_once __DIR__ . '/src/Misc/defuse-crypto.phar';
use App\LobbySIO\Config\Registry; use App\LobbySIO\Config\Registry;
use Defuse\Crypto\Crypto;
$Users = new \App\LobbySIO\Database\Users(); $Users = new \App\LobbySIO\Database\Users();
if (Registry::AUTHMETHOD == 'SAML') { if (Registry::AUTHMETHOD == 'SAML') {
//simplesaml //simplesaml
@ -47,6 +50,7 @@
$session->cleanup(); $session->cleanup();
} }
$StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES $StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES
$encKey = $StaticFunctions->loadEncryptionKeyFromConfig();
$SiteInfo = new \App\LobbySIO\Database\SiteInfo(); $SiteInfo = new \App\LobbySIO\Database\SiteInfo();
if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT
if (isset($saml_user_id)) { if (isset($saml_user_id)) {
@ -87,9 +91,9 @@
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false); //header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) { if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>'; echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful'); echo 'Verification has been : ' . (Classes\Misc\Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
} }
?> ?>
@ -249,9 +253,9 @@ $form_data = filter_input_array(INPUT_POST, [
$form_data['fd_manualTimeDate'] = $StaticFunctions->getUTC(); // OTHERWISE USE NOW()UTC $form_data['fd_manualTimeDate'] = $StaticFunctions->getUTC(); // OTHERWISE USE NOW()UTC
} }
$visitid = $VisitActions->newVisit( // ADD VISIT RECORD $visitid = $VisitActions->newVisit( // ADD VISIT RECORD
$form_data['fd_firstName'], Crypto::encrypt($form_data['fd_firstName'], $encKey),
$form_data['fd_lastName'], Crypto::encrypt($form_data['fd_lastName'], $encKey),
$form_data['fd_visitorCompany'], Crypto::encrypt($form_data['fd_visitorCompany'], $encKey),
$form_data['fd_visitType'], $form_data['fd_visitType'],
$form_data['fd_manualTimeDate'], $form_data['fd_manualTimeDate'],
$form_data['fd_visitorSignature'], $form_data['fd_visitorSignature'],
@ -946,7 +950,7 @@ if ($db_vendorinfo_workcompleted === 1 && $db_vendorinfo_sitecleanup === 1) { $f
<span class="badge bg-light text-dark"><?php echo $transLang[$VisitTypeInfo->getInfoVisitType("%", $row['visits_reason'])[0]["visittypes_name"]]; ?></span> <span class="badge bg-light text-dark"><?php echo $transLang[$VisitTypeInfo->getInfoVisitType("%", $row['visits_reason'])[0]["visittypes_name"]]; ?></span>
</div> </div>
</td> </td>
<td class="small"><?php echo $row['visits_lastname'] . ", " . $row['visits_firstname']; ?><br><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" nonce="<?=$_SESSION['nonceStr']?>"></img></td> <td class="small"><?php echo Crypto::decrypt($row['visits_lastname'], $encKey) . ", " . Crypto::decrypt($row['visits_firstname'], $encKey); ?><br><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" nonce="<?=$_SESSION['nonceStr']?>"></img></td>
<td class="small"><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" nonce="'.$_SESSION['nonceStr'].'"></img>'; } ?></td> <td class="small"><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" nonce="'.$_SESSION['nonceStr'].'"></img>'; } ?></td>
<td class="small"> <td class="small">
<?php if($row['visits_approved'] === 2) { ?> <?php if($row['visits_approved'] === 2) { ?>

17
reports.php
View File

@ -27,7 +27,9 @@
session_save_path('.tmp'); // TEMP session_save_path('.tmp'); // TEMP
session_start(); // START session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD require_once __DIR__ . '/autoload.php'; // AUTOLOAD
require_once __DIR__ . '/src/Misc/defuse-crypto.phar';
use App\LobbySIO\Config\Registry; use App\LobbySIO\Config\Registry;
use Defuse\Crypto\Crypto;
$Users = new \App\LobbySIO\Database\Users(); $Users = new \App\LobbySIO\Database\Users();
if (Registry::AUTHMETHOD == 'SAML') { if (Registry::AUTHMETHOD == 'SAML') {
//simplesaml //simplesaml
@ -47,6 +49,7 @@
$session->cleanup(); $session->cleanup();
} }
$StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES $StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES
$encKey = $StaticFunctions->loadEncryptionKeyFromConfig();
$SiteInfo = new \App\LobbySIO\Database\SiteInfo(); $SiteInfo = new \App\LobbySIO\Database\SiteInfo();
if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT
if (isset($saml_user_id)) { if (isset($saml_user_id)) {
@ -221,9 +224,9 @@ $form_data = filter_input_array(INPUT_POST, [
<td><?php echo $timein_disp; ?></td> <td><?php echo $timein_disp; ?></td>
<td><?php if (!empty($row['visits_outtime'])) {echo $timeout_disp; } else {echo $transLang['IN'];} ?></td> <td><?php if (!empty($row['visits_outtime'])) {echo $timeout_disp; } else {echo $transLang['IN'];} ?></td>
<td><?php echo $SiteInfo->getSite($row['visits_site_id'], $uid, "0", "0")[0]["sites_name"]; ?></td> <td><?php echo $SiteInfo->getSite($row['visits_site_id'], $uid, "0", "0")[0]["sites_name"]; ?></td>
<td><?php echo $row['visits_company']; ?></td> <td><?php echo Crypto::decrypt($row['visits_company'], $encKey); ?></td>
<td><?php echo $transLang[$VisitTypeInfo->getInfoVisitType("%", $row['visits_reason'])[0]['visittypes_name']]; ?></td> <td><?php echo $transLang[$VisitTypeInfo->getInfoVisitType("%", $row['visits_reason'])[0]['visittypes_name']]; ?></td>
<td><?php echo $row['visits_lastname'] . ", " . $row['visits_firstname']; ?><br /><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" alt="Signature" /></td> <td><?php echo Crypto::decrypt($row['visits_lastname'], $encKey) . ", " . Crypto::decrypt($row['visits_firstname'], $encKey); ?><br /><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" alt="Signature" /></td>
<td><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" alt="Escort Signature" />'; } ?></td> <td><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" alt="Escort Signature" />'; } ?></td>
<td><?php echo $row['visits_badge']; ?></td> <td><?php echo $row['visits_badge']; ?></td>
<td><?php if(!empty($Users->readUserFirstAndLast($row['visits_initials']))){ echo $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_firstname"] . " " . $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_lastname"]; } ?></td> <td><?php if(!empty($Users->readUserFirstAndLast($row['visits_initials']))){ echo $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_firstname"] . " " . $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_lastname"]; } ?></td>
@ -293,9 +296,9 @@ $form_data = filter_input_array(INPUT_POST, [
<td><?php echo $timein_disp; ?></td> <td><?php echo $timein_disp; ?></td>
<td><?php if (!empty($row['visits_outtime'])) {echo $timeout_disp; } else {echo $transLang['IN'];} ?></td> <td><?php if (!empty($row['visits_outtime'])) {echo $timeout_disp; } else {echo $transLang['IN'];} ?></td>
<td><?php echo $SiteInfo->getSite($row['visits_site_id'], $uid, "0", "0")[0]["sites_name"]; ?></td> <td><?php echo $SiteInfo->getSite($row['visits_site_id'], $uid, "0", "0")[0]["sites_name"]; ?></td>
<td><?php echo $row['visits_company']; ?></td> <td><?php echo Crypto::decrypt($row['visits_company'], $encKey); ?></td>
<td><?php echo $transLang[$VisitTypeInfo->getInfoVisitType("%", $row['visits_reason'])[0]['visittypes_name']]; ?></td> <td><?php echo $transLang[$VisitTypeInfo->getInfoVisitType("%", $row['visits_reason'])[0]['visittypes_name']]; ?></td>
<td><?php echo $row['visits_lastname'] . ", " . $row['visits_firstname']; ?><br /><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" alt="Signature" /></td> <td><?php echo Crypto::decrypt($row['visits_lastname'], $encKey) . ", " . Crypto::decrypt($row['visits_firstname'], $encKey); ?><br /><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" alt="Signature" /></td>
<td><?php echo $row['visits_badge']; ?></td> <td><?php echo $row['visits_badge']; ?></td>
<td><?php if(!empty($Users->readUserFirstAndLast($row['visits_initials']))){ echo $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_firstname"] . " " . $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_lastname"]; } ?></td> <td><?php if(!empty($Users->readUserFirstAndLast($row['visits_initials']))){ echo $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_firstname"] . " " . $Users->readUserFirstAndLast($row['visits_initials'])[0]["users_lastname"]; } ?></td>
<?php if($selsite=="%" || $SiteInfo->getSite($siteid, $uid, "0", "0")[0]["sites_region"] == "EMEA") { ?> <?php if($selsite=="%" || $SiteInfo->getSite($siteid, $uid, "0", "0")[0]["sites_region"] == "EMEA") { ?>
@ -332,11 +335,11 @@ $form_data = filter_input_array(INPUT_POST, [
<input type="hidden" name="form_data_timein" id="form_data_timein" value="<?php echo $timein_disp; ?>" /> <input type="hidden" name="form_data_timein" id="form_data_timein" value="<?php echo $timein_disp; ?>" />
<input type="hidden" name="form_data_timeout" id="form_data_timeout" value="<?php if (!empty($row['visits_outtime'])) {echo $timeout_disp; } else {echo $transLang['IN'];} ?>" /> <input type="hidden" name="form_data_timeout" id="form_data_timeout" value="<?php if (!empty($row['visits_outtime'])) {echo $timeout_disp; } else {echo $transLang['IN'];} ?>" />
<input type="hidden" name="form_data_sitename" id="form_data_sitename" value="<?php echo $SiteInfo->getSite($row['visits_site_id'], $uid, "0", "0")[0]["sites_name"]; ?>" /> <input type="hidden" name="form_data_sitename" id="form_data_sitename" value="<?php echo $SiteInfo->getSite($row['visits_site_id'], $uid, "0", "0")[0]["sites_name"]; ?>" />
<input type="hidden" name="form_data_firstname" id="form_data_firstname" value="<?php echo $row['visits_firstname']; ?>" /> <input type="hidden" name="form_data_firstname" id="form_data_firstname" value="<?php echo Crypto::decrypt($row['visits_firstname'], $encKey); ?>" />
<input type="hidden" name="form_data_lastname" id="form_data_lastname" value="<?php echo $row['visits_lastname']; ?>" /> <input type="hidden" name="form_data_lastname" id="form_data_lastname" value="<?php echo Crypto::decrypt($row['visits_lastname'], $encKey); ?>" />
<input type="hidden" name="form_data_carnum" id="form_data_carnum" value="<?php echo $form_data['form_data_carnum']; ?>" /> <input type="hidden" name="form_data_carnum" id="form_data_carnum" value="<?php echo $form_data['form_data_carnum']; ?>" />
<input type="hidden" name="form_data_ssanum" id="form_data_ssanum" value="<?php echo $form_data['form_data_ssanum']; ?>" /> <input type="hidden" name="form_data_ssanum" id="form_data_ssanum" value="<?php echo $form_data['form_data_ssanum']; ?>" />
<input type="hidden" name="form_data_company" id="form_data_company" value="<?php echo $row['visits_company']; ?>" /> <input type="hidden" name="form_data_company" id="form_data_company" value="<?php echo Crypto::decrypt($row['visits_company'], $encKey); ?>" />
<input type="hidden" name="form_data_contact1" id="form_data_contact1" value="<?php echo $db_vendorinfo_contact1; ?>" /> <input type="hidden" name="form_data_contact1" id="form_data_contact1" value="<?php echo $db_vendorinfo_contact1; ?>" />
<input type="hidden" name="form_data_contact2" id="form_data_contact2" value="<?php echo $db_vendorinfo_contact2; ?>" /> <input type="hidden" name="form_data_contact2" id="form_data_contact2" value="<?php echo $db_vendorinfo_contact2; ?>" />
<input type="hidden" name="form_data_workstart" id="form_data_workstart" value="<?php echo $db_vendorinfo_workstart; ?>" /> <input type="hidden" name="form_data_workstart" id="form_data_workstart" value="<?php echo $db_vendorinfo_workstart; ?>" />

6
signin_display.php
View File

@ -27,8 +27,12 @@
session_save_path('.tmp'); // TEMP session_save_path('.tmp'); // TEMP
session_start(); // START session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD require_once __DIR__ . '/autoload.php'; // AUTOLOAD
require_once __DIR__ . '/src/Misc/defuse-crypto.phar';
use App\LobbySIO\Config\Registry;
use Defuse\Crypto\Crypto;
use App\LobbySIO\Misc\Csrf; // ANTICSRF use App\LobbySIO\Misc\Csrf; // ANTICSRF
$StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES $StaticFunctions = new \App\LobbySIO\Misc\StaticFunctions(); // DEFAULT CLASSES
$encKey = $StaticFunctions->loadEncryptionKeyFromConfig();
$SiteInfo = new \App\LobbySIO\Database\SiteInfo(); $SiteInfo = new \App\LobbySIO\Database\SiteInfo();
$Users = new \App\LobbySIO\Database\Users(); $Users = new \App\LobbySIO\Database\Users();
if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT if (isset($_SESSION['user_id'])) { // LOGGED IN? GET USER OBJECT
@ -94,7 +98,7 @@ if (empty($form_data['fd_vendorContact2'])) { $db_vendorinfo_contact2="";} else
if (empty($form_data['fd_workStartTime'])) { $db_vendorinfo_workstart="";} else {$db_vendorinfo_workstart=$form_data['fd_workStartTime'];} if (empty($form_data['fd_workStartTime'])) { $db_vendorinfo_workstart="";} else {$db_vendorinfo_workstart=$form_data['fd_workStartTime'];}
if (empty($form_data['fd_workEndTime'])) { $db_vendorinfo_workend="";} else {$db_vendorinfo_workend=$form_data['fd_workEndTime'];} if (empty($form_data['fd_workEndTime'])) { $db_vendorinfo_workend="";} else {$db_vendorinfo_workend=$form_data['fd_workEndTime'];}
if (empty($form_data['fd_clientImpacted'])) { $db_vendorinfo_customerimpacted="";} else {$db_vendorinfo_customerimpacted=$form_data['fd_clientImpacted'];} if (empty($form_data['fd_clientImpacted'])) { $db_vendorinfo_customerimpacted="";} else {$db_vendorinfo_customerimpacted=$form_data['fd_clientImpacted'];}
$visitid = $VisitActions->newVisit($form_data['fd_firstName'], $form_data['fd_lastName'], $form_data['fd_visitorCompany'], $form_data['fd_visitType'], $StaticFunctions->getUTC(), $form_data['fd_visitorSignature'], $form_data['fd_siteId'], "1", $form_data['fd_escortSignature'], $form_data['fd_escortName'], $carnum, $ssanum, $isvendor); $visitid = $VisitActions->newVisit(Crypto::encrypt($form_data['fd_firstName'], $encKey), Crypto::encrypt($form_data['fd_lastName'], $encKey), Crypto::encrypt($form_data['fd_visitorCompany'], $encKey), $form_data['fd_visitType'], $StaticFunctions->getUTC(), $form_data['fd_visitorSignature'], $form_data['fd_siteId'], "1", $form_data['fd_escortSignature'], $form_data['fd_escortName'], $carnum, $ssanum, $isvendor);
if($form_data['fd_isVendor'] === (int)"1") { if($form_data['fd_isVendor'] === (int)"1") {
$vendorid = $VisitActions->setInfoVendorVisitNew($visitid, $db_vendorinfo_contact1, $db_vendorinfo_contact2, $db_vendorinfo_workstart, $db_vendorinfo_workend, $db_vendorinfo_customerimpacted); $vendorid = $VisitActions->setInfoVendorVisitNew($visitid, $db_vendorinfo_contact1, $db_vendorinfo_contact2, $db_vendorinfo_workstart, $db_vendorinfo_workend, $db_vendorinfo_customerimpacted);
} }

2
signout.php
View File

@ -129,7 +129,7 @@ if(empty($form_data['fd_formAction'])){
<tr> <tr>
<td><?=$row['visits_badge']?></td> <td><?=$row['visits_badge']?></td>
<td><?=$timein_disp?></td> <td><?=$timein_disp?></td>
<td><?php echo $row['visits_lastname'] . ", " . $row['visits_firstname']; ?><br /><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" /></td> <td><?php echo Crypto::decrypt($row['visits_lastname'], $encKey) . ", " . Crypto::decrypt($row['visits_firstname'], $encKey); ?><br /><img src="<?php echo $row['visits_signature']; ?>" width="200" height="50" /></td>
<td><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" />'; } ?></td> <td><?php if (!empty($row['visits_escort'])) {echo $row['visits_escort'] . '<br /><img src="' . $row['visits_escort_signature'] . '" width="200" height="50" />'; } ?></td>
<td><nobr><?php if($isvendor===0){ ?><button type="submit" name="fd_endVisitForId" value="<?php echo $row['visits_id']; ?>" class="btn btn-warning btn-lg"><i class="fas fa-sign-out-alt"></i><?=$transLang['SIGNOUT']?></button> <td><nobr><?php if($isvendor===0){ ?><button type="submit" name="fd_endVisitForId" value="<?php echo $row['visits_id']; ?>" class="btn btn-warning btn-lg"><i class="fas fa-sign-out-alt"></i><?=$transLang['SIGNOUT']?></button>
<?php } elseif($isvendor===1){ <?php } elseif($isvendor===1){

5
src/Config/Registry.example.php
View File

@ -41,5 +41,8 @@ class Registry { const
DEFAULTTZ = 'America/New_York', // DEFAULT TIME ZONE DEFAULTTZ = 'America/New_York', // DEFAULT TIME ZONE
HIDEFOOTER = 'false', // HIDE TIMESTAMP FOOTER HIDEFOOTER = 'false', // HIDE TIMESTAMP FOOTER
AUTHMETHOD = 'INTERNAL', // Auth users using INTERNAL or SAML AUTHMETHOD = 'INTERNAL', // Auth users using INTERNAL or SAML
AUTHIDP = 'default-sp' // Identity Provider if using SAML AUTHIDP = 'default-sp', // Identity Provider if using SAML
ENCKEY = 'def00000231550b3ca99ed79ffe1010c5555d9ff9f6b3d0844c65dd5705aa72da77d427c76a50c7a19e52e5e3c38137f2db2d95a4d845c85b691e384d9ba6ee6e706baac'
// CHANGE ME BEFORE USING! Encryption key - 136 char ascii encryption key - generate
// online or via encrypt-test.php. WARNING! Changing after in production WILL BREAK YOUR DATA!!!
;} ;}

6
src/Misc/StaticFunctions.php
View File

@ -19,6 +19,7 @@
namespace App\LobbySIO\Misc; namespace App\LobbySIO\Misc;
use App\LobbySIO\Config\Registry; use App\LobbySIO\Config\Registry;
use SimpleSAML\Auth\Simple; use SimpleSAML\Auth\Simple;
use Defuse\Crypto\Key;
/** /**
* Miscellaneous junk probably not even deserving of a class but whatever * Miscellaneous junk probably not even deserving of a class but whatever
@ -26,6 +27,11 @@ use SimpleSAML\Auth\Simple;
* @author josh.north * @author josh.north
*/ */
class StaticFunctions { class StaticFunctions {
public function loadEncryptionKeyFromConfig() {
$keyAscii = Registry::ENCKEY;
return Key::loadFromAsciiSafeString($keyAscii);
}
public function getVersion ($app_disp_lang) { public function getVersion ($app_disp_lang) {
$Translate = new \App\LobbySIO\Language\Translate($app_disp_lang); $Translate = new \App\LobbySIO\Language\Translate($app_disp_lang);
$transLang = $Translate->userLanguage(); $transLang = $Translate->userLanguage();

BIN
src/Misc/defuse-crypto.phar Normal file
View File

Binary file not shown.