
comanage-dev - [comanage-dev] diff for CO-202 solution



[comanage-dev] diff for CO-202 solution


  • From: Scott Koranda <>
  • To: comanage-dev <>
  • Subject: [comanage-dev] diff for CO-202 solution
  • Date: Tue, 14 Feb 2012 16:35:08 -0600

Hi,

The JIRA issue is "Salts should be randomized on install":

https://bugs.internet2.edu/jira/browse/CO-202

Attached is a diff showing the implementation.

Please send me any comments and let me know if I can push the code.

Thanks,

Scott

Index: Console/Command/SetupShell.php
===================================================================
--- Console/Command/SetupShell.php (revision 221)
+++ Console/Command/SetupShell.php (working copy)
@@ -35,6 +35,8 @@
$gn = $this->in(_txt('se.cf.admin.given'));
$sn = $this->in(_txt('se.cf.admin.sn'));
$user = $this->in(_txt('se.cf.admin.user'));
+ $salt = $this->in(_txt('se.cf.admin.salt'));
+ $seed = $this->in(_txt('se.cf.admin.seed'));

// Since we'll be doing some direct DB manipulation, find the table
prefix
$prefix = "";
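Review bot: The salt and seed typed at the two new prompts are accepted as-is, yet the core.php part of this same patch refuses a salt shorter than 40 characters and a seed shorter than 29, so a short or non-numeric entry here yields an install that presumably throws at bootstrap on every request afterwards. Re-prompt, or fall through to the random value, when `strlen($salt) < 40` or `strlen($seed) < 29 || !ctype_digit($seed)`, so the length rule is enforced at the one place a human can correct it. The enclosing method starts before this hunk.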
@@ -190,6 +192,34 @@
$this->CoGroupMember->save($grm);
$grm_id = $this->CoGroupMember->id;

+ // Create the security salt file using a random string
+ // if one was not entered.
+
+ $this->out("- " . _txt('se.security.salt'));
+
+ if (!$salt) {
+ $salt =
str_repeat("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
10);
+ $salt = str_shuffle($salt);
+ $salt = substr($salt, 0, 40);
+ }
+
+ $securitySaltFilename = APP . '/Config/security.salt';
+ file_put_contents($securitySaltFilename, $salt);
+
+ // Create the security seed file using a random string
+ // if one was not entered.
+
+ $this->out("- " . _txt('se.security.seed'));
+
+ if (!$seed) {
+ $seed = str_repeat("0123456789", 100);
+ $seed = str_shuffle($seed);
+ $seed = substr($seed, 0, 29);
+ }
+
+ $securitySeedFilename = APP . '/Config/security.seed';
+ file_put_contents($securitySeedFilename, $seed);
+
// Clear the models in the cache since the cm_users view
// was just created and will not otherwise appear in the cache.
//
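Review bot: `str_shuffle()` on the added lines is not a cryptographic source — it draws from PHP's ordinary, predictably seeded generator — so the "random" salt and cipher seed that protect every session hash and encrypted value are guessable by anyone who can estimate the process start time; use a CSPRNG (`random_int()`/`random_bytes()` on PHP 7+, `openssl_random_pseudo_bytes()` or `/dev/urandom` on the PHP of this era). Two secondary points on the same lines: the return value of `file_put_contents()` is never checked, so a failed write lets setup finish while core.php silently falls back to its hard-coded default, and the secret files are created with the default umask rather than a restrictive mode. Whether 0600 or 0640 is right depends on which user runs the setup shell versus the web server; confirm for the deployment. The seed block needs the same treatment with digits 0-9 and 29 characters.
```php
$this->out("- " . _txt('se.security.salt'));

if (!$salt) {
  // str_shuffle() uses the non-cryptographic engine; draw from a CSPRNG instead
  // (random_int() on PHP 7+, openssl_random_pseudo_bytes() before that).
  $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
  $salt = '';
  for ($i = 0; $i < 40; $i++) {
    $salt .= $chars[random_int(0, strlen($chars) - 1)];
  }
}

$securitySaltFilename = APP . '/Config/security.salt';
// Fail loudly: a silent write failure leaves core.php on its hard-coded default.
if (file_put_contents($securitySaltFilename, $salt) === false
    || !chmod($securitySaltFilename, 0600)) {
  throw new RuntimeException("Unable to write " . $securitySaltFilename);
}
// … unchanged: seed block, same treatment with digits 0-9 and 29 characters …
```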
Index: Controller/AppController.php
===================================================================
--- Controller/AppController.php (revision 221)
+++ Controller/AppController.php (working copy)
@@ -67,7 +67,7 @@

public function beforeFilter() {
// Tell the Auth module to call the controller's isAuthorized() function.
- $this->Auth->authorize = 'controller';
+ $this->Auth->authorize = array('Controller');

// First, determine if we're handling a RESTful request.
// If so, we'll do a few things differently.
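Review bot: The change to `$this->Auth->authorize` is unrelated to CO-202 (salt randomization) and should land as its own commit, because it alters how authorization is resolved for every controller that inherits from AppController. If this is the CakePHP 2.x form, where `authorize` takes a list of authorization handlers, a short comment would save the next reader a trip to the framework changelog, e.g. `// CakePHP 2.x: authorize is a list of handlers; 'Controller' delegates to isAuthorized()`. beforeFilter() continues outside the hunk.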
Index: Config/core.php
===================================================================
--- Config/core.php (revision 221)
+++ Config/core.php (working copy)
@@ -32,7 +32,7 @@
* In production mode, flash messages redirect after a time interval.
* In development mode, you need to click the flash message to continue.
*/
- Configure::write('debug', 0);
+ Configure::write('debug', 2);

/**
* Configure the Error handler used to handle errors for your application.
By default
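Review bot: `Configure::write('debug', 2);` should not be committed to the tracked Config/core.php: as far as I recall, CakePHP's debug level 2 is the development setting that renders stack traces and SQL output in error pages, so any deployment that ships this file as-is leaks internals to end users. This line is also unrelated to CO-202. Keep `Configure::write('debug', 0);` in the repository and carry the development setting in an untracked local override instead.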
@@ -182,15 +182,52 @@
Configure::write('Security.level', 'medium');

/**
- * A random string used in security hashing methods.
+ * Security.salt is a random string used in security hashing methods.
+ * It is read from the file app/Config/security.salt and should be at
+ * least 40 characters long. If the file is not present or readable
+ * a default is used but this is not recommended.
+ *
+ * During the COmanage Database setup the salt file is created.
*/
- Configure::write('Security.salt',
'DYhG93b0qyJfIxfs2guUoUubWwvniR2G0FgaC9mi');

+ $securitySaltFilename = APP . "/Config/security.salt";
+
+ if(file_exists($securitySaltFilename)){
+ $handle = fopen($securitySaltFilename, "r");
+ $saltLine = fgets($handle);
+ fclose($handle);
+
+ $salt = trim($saltLine);
+ if (strlen($salt) < 40){
+ throw new ConfigureException("security salt must be 40 or more
characters");
+ }
+ Configure::write('Security.salt', $salt);
+ } else {
+ Configure::write('Security.salt',
'DYhG93b0qyJfIxfs2guUoUubWwvniR2G0FgaC9mi');
+ }
+
/**
- * A random numeric string (digits only) used to encrypt/decrypt strings.
+ * Security.cipherSeed is a random numeric string (digits only) used to
encrypt/decrypt strings.
+ * It is read from the file app/Config/security.seed and should be at least
29
+ * characters long. If the file is not present or readable a default is used
+ * but this is not recommended.
*/
- Configure::write('Security.cipherSeed',
'76859309657453542496849683645');
+ $securitySeedFilename = APP . "/Config/security.seed";

+ if(file_exists($securitySeedFilename)){
+ $handle = fopen($securitySeedFilename, "r");
+ $seedLine = fgets($handle);
+ fclose($handle);
+
+ $seed = trim($seedLine);
+ if (strlen($seed) < 29){
+ throw new ConfigureException("security seed must be 40 or more
digits");
+ }
+ Configure::write('Security.cipherSeed', $seed);
+ } else {
+ Configure::write('Security.cipherSeed',
'76859309657453542496849683645');
+ }
+
/**
* Apply timestamps with the last modified time to static assets (js, css,
images).
* Will append a querystring parameter containing the time the file was
modified. This is
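Review bot: The `else` branches on both new blocks quietly fall back to the very hard-coded salt and cipherSeed this patch removes, so a missing or unreadable file (which the comment itself calls "not recommended") yields exactly the insecure state CO-202 is meant to eliminate; fail closed with a ConfigureException instead. The seed error message is also wrong — it says "40 or more digits" while the check is `strlen($seed) < 29` — and "digits only" is documented but never enforced, so add `!ctype_digit($seed)` to the condition. Note that `file_exists()` does not cover the unreadable case the comment describes: a failed `fopen()` returns false and `fgets(false)` then warns (or throws a TypeError on PHP 8) rather than reaching the default, so testing `is_readable()` matches the intent better.
```php
if(is_readable($securitySaltFilename)){
  // … unchanged: fopen/fgets/trim, length check, Configure::write …
} else {
  // Fail closed: the removed hard-coded value ships with every install.
  throw new ConfigureException("security salt file missing or unreadable: " . $securitySaltFilename);
}

// … unchanged: cipherSeed doc comment and filename …
if(is_readable($securitySeedFilename)){
  // … unchanged: fopen/fgets/trim …
  if (strlen($seed) < 29 || !ctype_digit($seed)){
    throw new ConfigureException("security seed must be 29 or more digits");
  }
  Configure::write('Security.cipherSeed', $seed);
} else {
  throw new ConfigureException("security seed file missing or unreadable: " . $securitySeedFilename);
}
```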
Index: Lib/lang.php
===================================================================
--- Lib/lang.php (revision 221)
+++ Lib/lang.php (working copy)
@@ -402,10 +402,14 @@
'se.cf.admin.given' => 'Enter administrator\'s given name',
'se.cf.admin.sn' => 'Enter administrator\'s family name',
'se.cf.admin.user' => 'Enter administrator\'s login username',
+ 'se.cf.admin.salt' => 'Enter >= 40 character security salt or blank for
random',
+ 'se.cf.admin.seed' => 'Enter >= 29 digit security seed or blank for
random',
'se.db.co' => 'Creating COmanage CO',
'se.db.cop' => 'Adding Org Identity to CO',
'se.db.group' => 'Creating COmanage admin group',
'se.db.op' => 'Adding initial Org Identity',
+ 'se.security.salt' => 'Creating security salt file',
+ 'se.security.seed' => 'Creating security seed file',
'se.done' => 'Setup complete',
'se.users.view' => 'Creating users view'
);



