Current File : /var/www/projetos/suporte.iigd.com.br/src/GLPIKey.php
<?php
/**
* ---------------------------------------------------------------------
*
* GLPI - Gestionnaire Libre de Parc Informatique
*
* http://glpi-project.org
*
* @copyright 2015-2024 Teclib' and contributors.
* @copyright 2003-2014 by the INDEPNET Development Team.
* @licence https://www.gnu.org/licenses/gpl-3.0.html
*
* ---------------------------------------------------------------------
*
* LICENSE
*
* This file is part of GLPI.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* ---------------------------------------------------------------------
*/
use Glpi\Plugin\Hooks;
use Glpi\Toolbox\Sanitizer;
/**
* GLPI security key
**/
class GLPIKey
{
/**
* Key file path.
*
* @var string
*/
private $keyfile;
/**
* Legacy key file path.
*
* @var string
*/
private $legacykeyfile;
/**
* List of crypted DB fields.
*
* @var array
*/
protected $fields = [
'glpi_authldaps.rootdn_passwd',
'glpi_mailcollectors.passwd',
'glpi_snmpcredentials.auth_passphrase',
'glpi_snmpcredentials.priv_passphrase',
];
/**
* List of crypted configuration values.
* Each key corresponds to a configuration context, and contains list of configs names.
*
* @var array
*/
protected $configs = [
'core' => [
'glpinetwork_registration_key',
'proxy_passwd',
'smtp_passwd',
'smtp_oauth_client_secret',
'smtp_oauth_refresh_token',
]
];
public function __construct(string $config_dir = GLPI_CONFIG_DIR)
{
$this->keyfile = $config_dir . '/glpicrypt.key';
$this->legacykeyfile = $config_dir . '/glpi.key';
}
/**
* Returns expected key path for given GLPI version.
* Will return null for GLPI versions that was not yet handling a custom security key.
*
* @param string $glpi_version
*
* @return string|null
*/
public function getExpectedKeyPath(string $glpi_version): ?string
{
if (version_compare($glpi_version, '9.4.6', '<')) {
return null;
} else if (version_compare($glpi_version, '9.5.x', '<')) {
return $this->legacykeyfile;
} else {
return $this->keyfile;
}
}
/**
* Check if GLPI security key used for decryptable passwords exists
*
* @return string
*/
public function keyExists()
{
return file_exists($this->keyfile);
}
/**
* Get GLPI security key used for decryptable passwords
*
* @return string|null
*/
public function get(): ?string
{
if (!file_exists($this->keyfile)) {
trigger_error('You must create a security key, see security:change_key command.', E_USER_WARNING);
return null;
}
if (!is_readable($this->keyfile) || ($key = file_get_contents($this->keyfile)) === false) {
trigger_error('Unable to get security key file contents.', E_USER_WARNING);
return null;
}
if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
trigger_error('Invalid security key file contents.', E_USER_WARNING);
return null;
}
return $key;
}
/**
* Get GLPI security legacy key that was used for decryptable passwords.
* Usage of this key should only be used during migration from GLPI < 9.5 to GLPI >= 9.5.0.
*
* @return string|null
*/
public function getLegacyKey(): ?string
{
if (!file_exists($this->legacykeyfile)) {
return GLPIKEY;
}
//load key from existing config file
if (!is_readable($this->legacykeyfile) || ($key = file_get_contents($this->legacykeyfile)) === false) {
trigger_error('Unable to get security legacy key file contents.', E_USER_WARNING);
return null;
}
return $key;
}
/**
* Generate GLPI security key used for decryptable passwords
* and update values in DB if necessary.
*
* @return bool
*/
public function generate(): bool
{
/** @var \DBmysql $DB */
global $DB;
// Check ability to create/update key file.
if (
(file_exists($this->keyfile) && !is_writable($this->keyfile))
|| (!file_exists($this->keyfile) && !is_writable(dirname($this->keyfile)))
) {
trigger_error(sprintf('Security key file path (%s) is not writable.', $this->keyfile), E_USER_WARNING);
return false;
}
// Fetch old key before generating the new one (but only if DB exists and there is something to migrate)
$previous_key = null;
if ($DB instanceof DBmysql && $DB->connected) {
if ($this->keyExists()) {
$previous_key = $this->get();
if ($previous_key === null) {
// Do not continue if unable to get previous key.
// Detailed warning has already been triggered by `get()` method.
return false;
}
}
}
$key = sodium_crypto_aead_chacha20poly1305_ietf_keygen();
$written_bytes = file_put_contents($this->keyfile, $key);
if ($written_bytes !== strlen($key)) {
trigger_error('Unable to write security key file contents.', E_USER_WARNING);
return false;
}
if ($DB instanceof DBmysql && $DB->connected) {
if (!$this->migrateFieldsInDb($previous_key) || !$this->migrateConfigsInDb($previous_key)) {
trigger_error('Error during encrypted data update in database.', E_USER_WARNING);
return false;
}
}
return true;
}
/**
* Get fields
*
* @return array
*/
public function getFields(): array
{
/** @var array $PLUGIN_HOOKS */
global $PLUGIN_HOOKS;
$fields = $this->fields;
if (isset($PLUGIN_HOOKS[Hooks::SECURED_FIELDS])) {
foreach ($PLUGIN_HOOKS[Hooks::SECURED_FIELDS] as $plugfields) {
$fields = array_merge($fields, $plugfields);
}
}
return $fields;
}
/**
* Get configs
*
* @return array
*/
public function getConfigs(): array
{
/** @var array $PLUGIN_HOOKS */
global $PLUGIN_HOOKS;
$configs = $this->configs;
if (isset($PLUGIN_HOOKS[Hooks::SECURED_CONFIGS])) {
foreach ($PLUGIN_HOOKS[Hooks::SECURED_CONFIGS] as $plugin => $plugconfigs) {
$configs['plugin:' . $plugin] = $plugconfigs;
}
}
return $configs;
}
/**
* Check if configuration is secured.
*
* @param string $context
* @param string $name
*
* @return bool
*/
public function isConfigSecured(string $context, string $name): bool
{
$secured_configs = $this->getConfigs();
return array_key_exists($context, $secured_configs)
&& in_array($name, $secured_configs[$context]);
}
/**
* Migrate fields in database
*
* @param string|null $sodium_key Previous key. If null, legacy key will be used.
*
* @return bool
*/
protected function migrateFieldsInDb(?string $sodium_key): bool
{
/** @var \DBmysql $DB */
global $DB;
$success = true;
foreach ($this->getFields() as $field) {
list($table, $column) = explode('.', $field);
$iterator = $DB->request([
'SELECT' => ['id', $column],
'FROM' => $table,
['NOT' => [$column => null]],
]);
foreach ($iterator as $row) {
$value = (string)$row[$column];
if ($sodium_key !== null) {
$pass = $this->encrypt($this->decrypt($value, $sodium_key));
} else {
$pass = $this->encrypt($this->decryptUsingLegacyKey($value));
}
$success = $DB->update(
$table,
[$field => $pass],
['id' => $row['id']]
);
if (!$success) {
break;
}
}
}
return $success;
}
/**
* Migrate configurations in database
*
* @param string|null $sodium_key Previous key. If null, legacy key will be used.
*
* @return bool
*/
protected function migrateConfigsInDb($sodium_key): bool
{
/** @var \DBmysql $DB */
global $DB;
$success = true;
foreach ($this->getConfigs() as $context => $names) {
$iterator = $DB->request([
'FROM' => Config::getTable(),
'WHERE' => [
'context' => $context,
'name' => $names,
['NOT' => ['value' => null]],
]
]);
foreach ($iterator as $row) {
$value = (string)$row['value'];
if ($sodium_key !== null) {
$pass = $this->encrypt($this->decrypt($value, $sodium_key));
} else {
$pass = $this->encrypt($this->decryptUsingLegacyKey($value));
}
$success = $DB->update(
Config::getTable(),
['value' => $pass],
['id' => $row['id']]
);
if (!$success) {
break;
}
}
}
return $success;
}
/**
* Encrypt a string.
*
* @param string $string String to encrypt.
* @param string|null $key Key to use, fallback to default key if null.
*
* @return string
*/
public function encrypt(string $string, ?string $key = null): string
{
if ($key === null) {
$key = $this->get();
}
if ($key === null) {
// Cannot encrypt string as key reading fails, returns a empty value
// to ensure sensitive data is not propagated unencrypted.
return '';
}
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES); // NONCE = Number to be used ONCE, for each message
$encrypted = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
$string,
$nonce,
$nonce,
$key
);
return base64_encode($nonce . $encrypted);
}
/**
* Descrypt a string.
*
* @param string|null $string String to decrypt.
* @param string|null $key Key to use, fallback to default key if null.
*
* @return string|null
*/
public function decrypt(?string $string, $key = null): ?string
{
if (empty($string)) {
// Avoid sodium exception for blank content. Just return the null/empty value.
return $string;
}
if ($key === null) {
$key = $this->get();
}
if ($key === null) {
// Cannot decrypt string as key reading fails, returns encrypted value.
return $string;
}
$string = base64_decode($string);
$nonce = mb_substr($string, 0, SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES, '8bit');
if (mb_strlen($nonce, '8bit') !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES) {
trigger_error(
'Unable to extract nonce from string. It may not have been crypted with sodium functions.',
E_USER_WARNING
);
return '';
}
$ciphertext = mb_substr($string, SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES, null, '8bit');
$plaintext = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
$ciphertext,
$nonce,
$nonce,
$key
);
if ($plaintext === false) {
trigger_error(
'Unable to decrypt string. It may have been crypted with another key.',
E_USER_WARNING
);
return '';
}
return $plaintext;
}
/**
* Decrypt a string using a legacy key.
* If key is not provided, the default legacy key will be used.
*
* @param string $string
* @param string|null $key
*
* @return string
*/
public function decryptUsingLegacyKey(string $string, ?string $key = null): string
{
if ($key === null) {
$key = $this->getLegacyKey();
}
if ($key === null) {
// Cannot decrypt string as key reading fails, returns encrypted value.
return $string;
}
$result = '';
$string = base64_decode($string);
for ($i = 0; $i < strlen($string); $i++) {
$char = substr($string, $i, 1);
$keychar = substr($key, ($i % strlen($key)) - 1, 1);
$char = chr(ord($char) - ord($keychar));
$result .= $char;
}
return Sanitizer::unsanitize($result);
}
}
Mini Shell