diff --git a/web.d b/web.d index 2dc17d1..6d5a166 100644 --- a/web.d +++ b/web.d @@ -2169,6 +2169,10 @@ version(Windows) { alias GetTempPathW GetTempPath; } +version(Posix) { + static import linux = std.c.linux.linux; +} + /// Provides some persistent storage, kinda like PHP /// But, you have to manually commit() the data back to a file. /// You might want to put this in a scope(exit) block or something like that. @@ -2176,6 +2180,7 @@ class Session { /// Loads the session if available, and creates one if not. /// May write a session id cookie to the passed cgi object. this(Cgi cgi, string cookieName = "_sess_id", bool useFile = true) { + // assert(cgi.https); // you want this for best security, but I won't be an ass and require it. this._cookieName = cookieName; this.cgi = cgi; bool isNew = false; @@ -2183,8 +2188,14 @@ class Session { if(cookieName in cgi.cookies && cgi.cookies[cookieName].length) token = cgi.cookies[cookieName]; else { - token = makeNewCookie(); - isNew = true; + if("x-arsd-session-override" in cgi.requestHeaders) { + loadSpecialSession(cgi); + return; + } else { + // there is no session; make a new one. + token = makeNewCookie(); + isNew = true; + } } makeSessionId(token); @@ -2192,7 +2203,63 @@ class Session { if(useFile) reload(); if(isNew) - set("csrfToken", generateCsrfToken()); + addDefaults(); + } + + /// This loads a session that the user requests, without the normal + /// checks. The idea is to allow debugging or local request sharing. + /// + /// It is private because you never have to call it yourself, but read on + /// to understand how it works and some potential security concerns. + /// + /// It loads the requested session read-only (it does not commit), + /// if and only if the request asked for the correct hash and id. + /// + /// If they have enough info to build the correct hash, they must + /// already know the contents of the file, so there should be no + /// risk of data contamination here. (A traditional session hijack + /// is surely much easier.) + /// + /// It is possible for them to forge a request as a particular user + /// if they can read the file, but otherwise not write. For that reason, + /// especially with this functionality here, it is very important for you + /// to lock down your session files. If on a shared host, be sure each user's + /// processes run as separate operating system users, so the file permissions + /// set in commit() actually help you. + /// + /// If you can't reasonably protect the session file, compile this out with + /// -version=no_session_override and only access unauthenticated functions + /// from other languages. They can still read your sessions, and potentially + /// hijack it, but it will at least be a little harder. + /// + /// Also, don't use this over the open internet at all. It's supposed + /// to be local only. If someone sniffs the request, hijacking it + /// becomes very easy; even easier than a normal session id since they just reply it. + /// (you should really ssl encrypt all sessions for any real protection btw) + private void loadSpecialSession(Cgi cgi) { + version(no_session_override) + throw new Exception("You cannot access sessions this way."); + else { + // the header goes full-session-id;file-contents-hash + auto info = split(cgi.requestHeaders["x-arsd-session-override"], ";"); + + _sessionId = info[0]; + auto hash = info[1]; + + // FIXME: race condition if the session changes? + enforce(hashToString(SHA256(readText(getFilePath()))) == hash); + _readOnly = true; + reload(); + } + } + + private void addDefaults() { + set("csrfToken", generateCsrfToken()); + + // this is there to help control access to someone requesting a specific session id (helpful for debugging or local access from other languages) + // the idea is if there's some random stuff in there that you can only know if you have access to the file, it doesn't hurt to load that + // session, since they have to be able to read it to know this value anyway, so you aren't giving them anything they don't already have. + set("randomRandomness", to!string(uniform(0, ulong.max))); } private string makeSessionId(string cookieToken) { @@ -2241,7 +2308,7 @@ class Session { // and new cookie -> new session id -> new csrf token makeSessionId(makeNewCookie()); - set("csrfToken", generateCsrfToken()); + addDefaults(); if(hasData) changed = true; @@ -2307,6 +2374,7 @@ class Session { return value; } + // FIXME: doesn't seem to work string* opBinary(string op)(string key) if(op == "in") { return key in fields; } @@ -2394,13 +2462,26 @@ class Session { /// Commits your changes back to disk. void commit(bool force = false) { - if(force || changed) + if(_readOnly) + return; + if(force || changed) { std.file.write(getFilePath(), toJson(data)); + // We have to make sure that only we can read this file, + // since otherwise, on shared hosts, our session data might be + // easily stolen. Note: if your shared host doesn't have different + // users on the operating system for each user, it's still possible + // for them to access this file and hijack your session! + version(Posix) + enforce(linux.chmod(toStringz(getFilePath()), octal!600) == 0, "chmod failed"); + // FIXME: ensure the file's read permissions are locked down + // on Windows too. + } } private string[string] data; private bool _hasData; private bool changed; + private bool _readOnly; private string _sessionId; private string _cookieName; private Cgi cgi; // used to regenerate cookies, etc. diff --git a/web.d.php b/web.d.php index 9ddffd0..45e4a45 100644 --- a/web.d.php +++ b/web.d.php @@ -1,12 +1,10 @@ sessionId; - if(file_exists($path)) - $this->data = - json_decode(file_get_contents($path)); + if(file_exists($path)) { + $filecontents = file_get_contents($path); + $this->data = json_decode($filecontents); + $this->fileHash = hash("sha256", $filecontents); + } } } public $sessionId = ""; + public $fileHash = ""; /// The data in the session, as a PHP object. Note that any writes /// to it will be discarded. @@ -50,6 +51,13 @@ class WebDotDSession { /// This provides a base for exceptions thrown by D class WebDotDException extends Exception {} +// internal helper function; assoc arrays should be encoded differently than +// linear arrays +function arsd_helper_is_assoc_array($v) { + if(!is_array($v)) return false; + return array_diff_assoc(array_keys($v), range(0, count($v))); +} + /** If you've used the Javascript generated by web.d, you'll find this very familiar; this is a port of that for the @@ -104,14 +112,15 @@ class WebDotDException extends Exception {} anonymous one-liner. */ class WebDotDMethodCall { - public function __construct($apiProvider, $method, $url, $params) { + public function __construct($apiProvider, $httpMethod, $functionName, $url, $params) { $this->apiProvider = $apiProvider; - $this->method = $method; + $this->method = $httpMethod; $this->url = $url; $this->requestedDataFormat = "json"; + $this->functionName = $functionName; $num = 0; foreach($params as $arg) { - $this->urlargs["positional-arg-" . $num] = $arg; + $this->urlArgs["positional-arg-" . $num] = $arg; $num++; } } @@ -127,61 +136,56 @@ class WebDotDMethodCall { } public function setValue($name, $value) { - $this->urlargs[$name] = $value; + $this->urlArgs[$name] = $value; return $this; } private $apiProvider; private $url; - private $urlargs; + private $urlArgs = array(); private $method; private $requestedDataFormat; + private $functionName; public function getSync() { - $args = ""; - $num = 0; - $params = $this->urlargs; + $params = $this->urlArgs; $params["envelopeFormat"] = "json"; $params["format"] = $this->requestedDataFormat; - $outputted = false; - foreach($params as $k => $arg) { - if($outputted) { - $args .= "&"; - } else { - $outputted = true; - } + $this->apiProvider->addCustomRequestData($this, $params); - $args .= urlencode($k); - $args .= "="; - $args .= urlencode($arg); - } + $args = $this->getArgString($params); $url = $this->url; + $postData = ""; + if($this->method == "GET") $url .= "?" . $args; - + else + $postData = $args; $ch = curl_init($url); if($this->method == "POST") { curl_setopt($ch, CURLOPT_POST,1); - curl_setopt($ch, CURLOPT_POSTFIELDS, $args); + curl_setopt($ch, CURLOPT_POSTFIELDS, $postData); } curl_setopt($ch, CURLOPT_HEADER,0); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); + + $this->apiProvider->addCustomCurlCode($ch, $this, $url, $postData); + $data = curl_exec($ch); $resultObj = json_decode($data); if($resultObj == null) { - echo $data; - throw new WebDotDException("Got null JSON"); + throw new WebDotDException("Got null JSON. Instead, got: " . $data); } if($resultObj->success) { - return $resultObj->result; + return $this->formatResult($resultObj->result); } else { // FIXME: maybe we can use type for better info? $msg = $resultObj->type; @@ -193,6 +197,109 @@ class WebDotDMethodCall { // assert(0); // not reached } + + // Why do I bother with this? It converts any generic object returned + // in the json to a custom class that, for now, only overrides toString, + // to make accessing the secondary format easier, but might offer more + // stuff in the future too, like better integration with the returned D types. + protected function formatResult($arg) { + if(is_object($arg)) { + $vars = get_object_vars($arg); + + $obj = new WebDotDResultObject(); + + foreach($vars as $k => $v) + $obj->_fields[$k] = $this->formatResult($v); + + return $obj; + } else if(is_array($arg)) { + $arr = Array(); + foreach($arg as $k => $v) + $arr[$k] = $this->formatResult($v); + return $arr; + } else + return $arg; + } + + private function argToUrlParam($k, $arg) { + if(is_object($arg) && get_class($arg) == "WebDotDMethodCall") { + $args = urlencode($k) . "=" . urlencode($arg->getRelativeUrlForNesting()); + $args .= "&".$k."-type=ServerResult"; + return $args; + } else if(is_object($arg) || arsd_helper_is_assoc_array($arg)) { + $aa = Array(); + if(get_class($arg) == "WebDotDResultObject") + $aa = $arg->_fields; + else if(is_object($arg)) + $aa = get_object_vars($arg); + else + $aa = $arg; + + // FIXME - needs to actually send it. web.d doesn't define how it + // actually receives associative arrays yet. + throw new Exception("not yet able to do object params"); + } else if(is_array($arg)) { + $args = ""; + $outputtedHere = false; + foreach($arg as $a) { + if($outputtedHere) { + $args .= "&"; + } else + $outputtedHere = true; + + $args .= argToUrlParam($k, $arg); + } + + return $args; + } else { + $args = ""; + $args .= urlencode($k); + $args .= "="; + $args .= urlencode($arg); + return $args; + } + } + + private function getArgString($params = null) { + if($params === null) + $params = $this->urlArgs; + $outputted = false; + $args = ""; + foreach($params as $k => $arg) { + if($outputted) { + $args .= "&"; + } else { + $outputted = true; + } + + $args .= $this->argToUrlParam($k, $arg); + } + + return $args; + } + + private function getRelativeUrlForNesting() { + return $this->functionName . "?" . $this->getArgString(); + } +} + +/// A simple class to represent objects returned by calling D functions +class WebDotDResultObject { + public $_fields = Array(); + + public function __get($name) { + return $this->_fields[$name]; + } + + public function __set($name, $value) { + $this->_fields[$name] = $value; + } + + public function __toString() { + if(isset($this->_fields["formattedSecondarily"])) + return $this->_fields["formattedSecondarily"]; + return json_encode($this->_fields); + } } /// Base class for accessing web.d ApiProviders. @@ -205,27 +312,266 @@ class WebDotDMethodCall { /// if you are making a web service, adding some authentication or /// custom branding. See the protected functions for available hooks. class WebDotDApiProvider { - private $endpoint; - // The endpoint is a full URL to the base of your web.d program, with trailing slash. - // for example: http://mywebsite.com/myapp/ - public function __construct($endpoint) { - $this->endpoint = $endpoint; + protected $endPoint; + /// The endpoint is a full URL to the base of your web.d program, with trailing slash. + /// for example: http://mywebsite.com/myapp/ + public function __construct($endPoint) { + $this->endPoint = $endPoint; } + /// this can be used to add additional data to a request being prepared by mutating args + protected function addCustomRequestData($apiRequest, &$args) { } + + /// use this to manipulate the http request a little before it is sent (custom headers, etc.) + protected function addCustomCurlCode($ch, $apiRequest, $url, $postData) { } + + /// Returns a lazy method call object. The arguments and name are dynamic, so + /// you can do $api->anyFunction($any, $args)->getSync(); + /// The getSync() command should be run at the last possible moment, when you + /// need to convert the call into a PHP variable result. + /// + /// Note: you can pass those objects directly as arguments to other functions + /// to combine calls into one request! (Much of the time. It's not perfect server side, + /// but it works on primitives at least. This will eventually change.) + /// + /// See WebDotDMethodCall's documentation for more information. public function __call($name, $params = null) { - $url = $this->endpoint . $name; + $url = $this->endPoint . $name; return new WebDotDMethodCall($this, + // the naming convention currently used by Javascript in web.d too + // is if a function name starts with get, use GET, otherwise, use POST. + // This is imperfect, but it's not awful (to me anyway). + // If you get the method wrong, the request will probably still work. strpos($name, "get") === 0 ? "GET" : "POST", + $name, $url, $params); } } -/// Provides access to a *local* D ApiProvider. -class LocalWebDotDProvider extends WebDotDApiProvider { +/// Provides access to a *local* D ApiProvider, authenticating via a session. +/// This just works on most web.d code. +class LocalWebDotApiDProvider extends WebDotDApiProvider { /// Takes a WebDotDSession - public function __construct($session) { + public function __construct($endPoint, $session) { + parent::__construct($endPoint); + $this->session = $session; + } + protected $session; + + protected function addCustomRequestData($apiRequest, &$args) { + // we have to add the CSRF token or web.d will likely reject our command + if($apiRequest->method != "POST") + return; // no need for csrf token + if(!isset($session->data["csrfToken"])) + return; // we don't have one + $decoded = array(); + $csrfData = explode("&", $session->data["csrfToken"]); + foreach($csrfToken as $item) { + $info = split("=", $item); + $decoded[urldecode($info[0])] = urldecode($info[1]); + } + + // add the token to the arguments + $args[$decoded["key"]] = $decoded["token"]; + } + + protected function addCustomCurlCode($ch, $apiRequest, $url, $postData) { + // we want to ask D to also use the same session we're looking at + // The full session ID tells it what to use, and the file hash proves + // to D that we already have access to it. + $magic = $this->session->sessionId . ";" . $this->session->fileHash; + if(strlen($magic) > 0) + curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Arsd-Session-Override: $magic")); } } + +/// Provides access to a remote D ApiProvider, using OAuth authentication. +/// +/// You'll almost certainly want to provide a subclass of this for actual use. +/// +/// You'll also have to implement OAuth in your D code too (I'll post my library +/// to help with that to github once I clean it up for public use, and then +/// I'll see how much I can reasonably automate in web.d.) +class RemoteWebDotDApiProvider extends WebDotDApiProvider { + /// The first three of these are specific to the system you are accessing. + /// The apiKey and apiSecret are how you identify as a specific user. + public function __construct($endPoint, $accessToken, $tokenSecret, $apiKey, $apiSecret) { + parent::__construct($endPoint); + + $this->accessToken = $accessToken; + $this->tokenSecret = $tokenSecret; + + $this->apiKey = $apiKey; + $this->apiSecret = $apiSecret; + } + + private $accessToken; + private $tokenSecret; + + private $apiKey; + private $apiSecret; + + protected function addCustomCurlCode($ch, $apiRequest, $url, $postData) { + $oauth = new ARSDOAuth; + $oauthHeader = $oauth->getRequestHeader( + $this->apiKey, $this->apiSecret, + $url, + $this->accessToken, $this->tokenSecret, + $postData); + + curl_setopt($ch, CURLOPT_HTTPHEADER, array($oauthHeader)); + } +} + +/* My implementation of OAuth 1 client requests, used for the remote authentication. A port from D. */ + +// Does custom sorting.. +class ARSDPair { + public $name; + public $value; + + public function __construct($k, $v) { + $this->name = $k; + $this->value = $v; + } + + public function __toString() { + return urlencode($this->name) ."=" . urlencode($this->value); + } + + static function opCmp($lhs, $rhs) { + $val = strcmp($lhs->name, $rhs->name); + + if($val == 0) + $val = strcmp($lhs->value, $rhs->value); + + return $val; + } +} + +// Actually does the signing +class ARSDOAuth { + public function getRequestHeader($apiKey, $apiSecret, $url, $oauthToken, $oauthTokenSecret, $data) { + $oauthValues = Array(); + $oauthValues["oauth_token"] = $oauthToken; + $oauthValues["token_secret"] = $oauthTokenSecret; + $oauthValues["oauth_consumer_key"] = $apiKey; + $oauthValues["oauth_nonce"] = rand() . time(); + $oauthValues["oauth_signature_method"] = "HMAC-SHA1"; + $oauthValues["oauth_timestamp"] = time(); + $oauthValues["oauth_version"] = "1.0"; + + $signWith = urlencode($apiSecret) . "&" . $oauthTokenSecret; + + $protocolHostAndPath = ""; + $queryStringContents = ""; + + $questionMark = strpos($url, "?"); + if($questionMark === FALSE) + $protocolHostAndPath = $url; + else { + $protocolHostAndPath = substr($url, 0, $questionMark); + $queryStringContents = substr($url, $questionMark + 1, strlen($url)); + } + + $sig = $this->getSignature( + strlen($data) > 0 ? "POST" : "GET", + $protocolHostAndPath, + $queryStringContents, + $oauthValues, + $data, + $signWith); + + $oauthValues["oauth_signature"] = $sig; + + + $oauthHeader = ""; + $outputted = false; + foreach($oauthValues as $k => $v) { + if($outputted) + $oauthHeader .= ","; + else + $outputted = true; + + $oauthHeader .= $k . "=" . "\"" . $v . "\""; + } + + return "Authorization: OAuth " . $oauthHeader; + } + + // A port from D + public function getSignature ( + $method, + $protocolHostAndPath, + $queryStringContents, + $authorizationHeaderContents, + $postBodyIfWwwEncoded, + $signWith) + { + + $baseString = ""; + + $baseString .= $method; + $baseString .= "&"; + $baseString .= urlencode($protocolHostAndPath); + + $baseString .= "&"; + + $getArray = $this->decodeVariables($queryStringContents); + $postArray = $this->decodeVariables($postBodyIfWwwEncoded); + + $pairs = Array(); // should hold Pairs + + foreach($getArray as $k => $vals) + foreach($vals as $v) + $pairs[]= new ARSDPair($k, $v); + foreach($postArray as $k => $vals) + foreach($vals as $v) + $pairs[] = new ARSDPair($k, $v); + foreach($authorizationHeaderContents as $k => $v) + $pairs[] = new ARSDPair($k, $v); + + $outputted = false; + + $params = ""; + + usort($pairs, "ARSDPair::opCmp"); + foreach($pairs as $pair) { + if($outputted) + $params.= "&"; + else + $outputted = true; + + $params .= $pair; + } + + $baseString .= urlencode($params); + + return urlencode(base64_encode(hash_hmac('sha1', $baseString, $signWith, TRUE))); + } + + private function decodeVariables($str) { + if(strlen($str) == 0) + return array(); + $ret = array(); + $parts = explode("&", $str); + + foreach($parts as $part) { + $kv = explode("=", $part); + $k = urldecode($kv[0]); + $v = ""; + if(count($kv) > 1) + $v = urldecode($kv[1]); + + if(!isset($ret[$k])) + $ret[$k] = array(); + $ret[$k][] = $v; + } + + return $ret; + } +} +