Beispiel #1
 /**
  * Decrypt a stored column value back into its plaintext form.
  *
  * The stored value is base64-decoded and then passed to Security::decrypt()
  * together with the application-wide `Security.key` setting.
  *
  * @param mixed $value The value to convert; anything `empty()` is treated as absent.
  * @param Driver $driver The driver instance to convert with (not used by this method).
  * @return string|null Null for empty input, otherwise the result of Security::decrypt().
  */
 public function toPHP($value, Driver $driver)
 {
     // empty() already covers null, '' and '0', so no separate null test is needed.
     if (empty($value)) {
         return null;
     }
     // NOTE(review): base64_decode() runs in lenient mode and the decrypt result is
     // returned unchecked - confirm what Security::decrypt() yields for tampered or
     // truncated ciphertext and that callers cope with it.
     $cipherText = base64_decode($value);
     $secret = Configure::read('Security.key');

     return Security::decrypt($cipherText, $secret);
 }
 /**
  * Marshalling encrypts its input: null stays null, and a string comes back as a
  * 128-character value that decrypts to the original text.
  *
  * @return void
  */
 public function testMarshal()
 {
     $this->assertNull($this->type->marshal(null));

     $cipherText = $this->type->marshal('string');
     $this->assertSame(128, strlen($cipherText));

     // Undo the marshal step by hand: base64-decode, then decrypt with the app key.
     $secret = Configure::read('Security.key');
     $plainText = Security::decrypt(base64_decode($cipherText), $secret);
     $this->assertSame('string', $plainText);
 }
Beispiel #3
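 /**
  * Tries to decode, decrypt and unserialize the given token and return the data as an
  * array.
  *
  * Malformed base64, an empty payload and a decryption result that is not a
  * non-empty string all yield false without reaching unserialize().
  *
  * @param string $token The string token
  * @return array|false
  */
 public function decryptToken($token)
 {
     // Strict mode rejects characters outside the base64 alphabet instead of
     // silently dropping them before decryption.
     $encrypted = base64_decode($token, true);
     if (!$encrypted) {
         return false;
     }
     $serialized = Security::decrypt($encrypted, Configure::read('Security.cryptKey'));
     // Only a real decrypted string may be unserialized; any other result means the
     // token was not accepted.
     if (!is_string($serialized) || $serialized === '') {
         return false;
     }
     // NOTE(review): unserialize() can instantiate classes named in the payload, so
     // this depends entirely on Security::decrypt() rejecting forged tokens and on
     // Security.cryptKey staying secret. If tokens only carry arrays and scalars,
     // prefer JSON, or on PHP 7.0+ pass ['allowed_classes' => false].
     return unserialize($serialized);
 }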
 /**
  * A value written through the store is persisted in a form that differs from the
  * plaintext and decrypts back to it with the configured key and salt.
  *
  * @return void
  */
 public function testValueIsAddedToDatabaseWithEncryption()
 {
     $plainText = '555';
     $mapStore = MapStore::load('2');
     $mapStore->set('access_token', $plainText);

     // The column value is exposed as a stream, so read it fully before comparing.
     $row = $this->Model->get(['2', 'access_token']);
     $stored = stream_get_contents($row->value);
     $roundTrip = Security::decrypt(
         $stored,
         Configure::read('Security.key'),
         Configure::read('Security.salt')
     );

     $this->assertNotEquals($plainText, $stored);
     $this->assertEquals($plainText, $roundTrip);
 }
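 /**
  * Decodes and decrypts a single value.
  *
  * When a cipher is requested, the value must start with the `Q2FrZQ==.` marker and
  * carry well-formed base64 after it. Values that fail either check, or that the
  * cipher does not turn into a string, decode to an empty string.
  *
  * @param string $value The value to decode & decrypt.
  * @param string|false $encrypt The encryption cipher to use.
  * @return string Decoded value.
  */
 protected function _decode($value, $encrypt)
 {
     if (!$encrypt) {
         return $this->_explode($value);
     }
     $this->_checkCipher($encrypt);
     $prefix = 'Q2FrZQ==.';
     $prefixLength = strlen($prefix);
     // Without this check the first bytes would be cut off blindly, whatever they are.
     if (strncmp($value, $prefix, $prefixLength) !== 0) {
         return '';
     }
     // Strict mode refuses characters outside the base64 alphabet instead of skipping them.
     $value = base64_decode(substr($value, $prefixLength), true);
     if ($value === false || $value === '') {
         return '';
     }
     if ($encrypt === 'rijndael') {
         // NOTE(review): confirm whether Security::rijndael() verifies ciphertext
         // integrity the way the aes path is expected to.
         $value = Security::rijndael($value, $this->_config['key'], 'decrypt');
     }
     if ($encrypt === 'aes') {
         $value = Security::decrypt($value, $this->_config['key']);
     }
     // A non-string result presumably signals a rejected ciphertext - do not pass it on.
     if (!is_string($value)) {
         return '';
     }
     return $this->_explode($value);
 }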
Beispiel #6
 /**
  * A cookie written under a per-key configuration is encrypted with that key:
  * stripping the marker prefix, base64-decoding and decrypting with the same key
  * gives back the written value.
  *
  * @return void
  */
 public function testWriteConfigKeyWithCustomEncryptionKey()
 {
     $cookieName = 'sampleCookieTest';
     $plainText = 'some data';
     // Fixture key used only by this test.
     $settings = [
         'key' => 'justanotherencryptionkeyjustanotherencryptionkey',
         'encryption' => 'aes',
     ];
     $this->Cookie->configKey($cookieName, $settings);
     $this->Cookie->write($cookieName, $plainText);
     $stored = $this->Controller->response->cookie($cookieName);

     // Everything after the marker is the base64-encoded ciphertext.
     $marker = "Q2FrZQ==.";
     $cipherText = base64_decode(substr($stored['value'], strlen($marker)));
     $this->assertEquals($plainText, Security::decrypt($cipherText, $settings['key']));
 }
 /**
  * Decrypt an encrypted value.
  *
  * A stream resource is read to its end first; the resulting data is then decrypted
  * with the configured `key` and `salt`.
  *
  * @param string|resource $cryptedValue Ciphertext, or a stream resource holding it.
  * @return mixed Whatever Security::decrypt() returns for the given ciphertext.
  */
 public function decrypt($cryptedValue)
 {
     // NOTE(review): stream_get_contents() can return false on a read failure; that
     // value is passed straight on to Security::decrypt().
     $cipherText = is_resource($cryptedValue)
         ? stream_get_contents($cryptedValue)
         : $cryptedValue;
     $key = $this->config('key');
     $salt = $this->config('salt');

     return Security::decrypt($cipherText, $key, $salt);
 }
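 /**
  * Decrypt a base64 encoded string
  *
  * Empty input and input that is not well-formed base64 return false without
  * reaching the cipher.
  *
  * @param string $value string to decrypt
  * @return bool|string False when there is nothing valid to decrypt, otherwise the
  *   result of Security::decrypt().
  */
 protected function _decrypt($value)
 {
     if (empty($value)) {
         return false;
     }
     // Strict mode rejects characters outside the base64 alphabet instead of
     // silently skipping them.
     $cipherText = base64_decode($value, true);
     if ($cipherText === false || $cipherText === '') {
         return false;
     }
     return Security::decrypt($cipherText, $this->_encryptionKey());
 }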
Beispiel #9
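 /**
  * Test that values encrypted with open ssl can be decrypted with mcrypt and the reverse.
  *
  * The engine that was active before the test is put back at the end so the global
  * Security engine does not leak into later tests.
  *
  * @return void
  */
 public function testEngineEquivalence()
 {
     $this->skipIf(!defined('MCRYPT_RIJNDAEL_128'), 'This needs mcrypt extension to be loaded.');
     $restore = Security::engine();
     $txt = "Obi-wan you're our only hope";
     $key = 'This is my secret key phrase it is quite long.';
     $salt = 'A tasty salt that is delicious';

     // Encrypt with mcrypt, decrypt with both engines.
     Security::engine(new Mcrypt());
     $cipher = Security::encrypt($txt, $key, $salt);
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
     Security::engine(new OpenSsl());
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));

     // Encrypt with OpenSSL, decrypt with both engines.
     Security::engine(new OpenSsl());
     $cipher = Security::encrypt($txt, $key, $salt);
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
     Security::engine(new Mcrypt());
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));

     // NOTE(review): a failing assertion above skips this line; restoring in
     // tearDown() would cover that case as well.
     Security::engine($restore);
 }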
Beispiel #10
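 /**
  * Test that values encrypted with open ssl can be decrypted with mcrypt and the reverse.
  *
  * The previously active engine is reinstated once the round trips are done, so the
  * process-wide Security engine is left as it was found.
  *
  * @return void
  */
 public function testEngineEquivalence()
 {
     // NOTE(review): nothing here skips the test when the mcrypt extension is
     // missing - confirm the Mcrypt engine or the suite handles that.
     $restore = Security::engine();
     $txt = "Obi-wan you're our only hope";
     $key = 'This is my secret key phrase it is quite long.';
     $salt = 'A tasty salt that is delicious';

     // mcrypt-produced ciphertext must be readable by both engines.
     Security::engine(new Mcrypt());
     $cipher = Security::encrypt($txt, $key, $salt);
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
     Security::engine(new OpenSsl());
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));

     // OpenSSL-produced ciphertext must be readable by both engines.
     Security::engine(new OpenSsl());
     $cipher = Security::encrypt($txt, $key, $salt);
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));
     Security::engine(new Mcrypt());
     $this->assertEquals($txt, Security::decrypt($cipher, $key, $salt));

     // Without this the last engine set above stays active for every later test.
     Security::engine($restore);
 }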
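 /**
  * Decodes and decrypts a single value.
  *
  * A value that does not start with the `Q2FrZQ==.` marker is treated as unencrypted
  * and only exploded. A marked value is base64-decoded and decrypted with the
  * configured cipher.
  *
  * @param string $value The value to decode & decrypt.
  * @return string Decoded value.
  */
 protected function _decode($value)
 {
     $prefix = 'Q2FrZQ==.';
     $prefixLength = strlen($prefix);
     // The marker has to be the leading bytes: finding it later in the value must not
     // cause the first bytes to be cut off and the remainder decoded.
     if (strncmp($value, $prefix, $prefixLength) !== 0) {
         // NOTE(review): whether a value is decrypted is decided by the value itself,
         // so an unmarked value is accepted as-is even when encryption is configured.
         // Confirm callers do not rely on cookie contents having been authenticated.
         return $this->_explode($value);
     }
     $value = base64_decode(substr($value, $prefixLength));
     // Defined up front so an unsupported cipher name does not read an undefined variable.
     $plain = null;
     $cipher = $this->_config['encryption'];
     if ($cipher === 'rijndael') {
         $plain = Security::rijndael($value, $this->_config['key'], 'decrypt');
     } elseif ($cipher === 'aes') {
         $plain = Security::decrypt($value, $this->_config['key']);
     }
     return $this->_explode($plain);
 }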
Beispiel #12
 /**
  * {@inheritdoc}
  *
  * Delegates to Security::decrypt() with the key held in `$this->__key`.
  */
 public function decrypt($cipher)
 {
     $secret = $this->__key;

     return Security::decrypt($cipher, $secret);
 }
Beispiel #13
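 /**
  * Decodes and decrypts a single value.
  *
  * With a cipher requested, the value must begin with the `Q2FrZQ==.` marker followed
  * by well-formed base64. A value failing either check, or one the cipher does not
  * turn into a string, decodes to an empty string.
  *
  * @param string $value The value to decode & decrypt.
  * @param string|false $encrypt The encryption cipher to use.
  * @param string|null $key Encryption key; when null the component's cookie
  *   encryption key is used.
  * @return string Decoded value.
  */
 protected function _decode($value, $encrypt, $key)
 {
     if (!$encrypt) {
         return $this->_explode($value);
     }
     $this->_checkCipher($encrypt);
     $prefix = 'Q2FrZQ==.';
     $prefixLength = strlen($prefix);
     // Refuse values without the marker rather than cutting off their first bytes.
     if (strncmp($value, $prefix, $prefixLength) !== 0) {
         return '';
     }
     // Strict mode rejects characters outside the base64 alphabet.
     $value = base64_decode(substr($value, $prefixLength), true);
     if ($value === false || $value === '') {
         return '';
     }
     if ($key === null) {
         $key = $this->_getCookieEncryptionKey();
     }
     if ($encrypt === 'rijndael') {
         $value = Security::rijndael($value, $key, 'decrypt');
     }
     if ($encrypt === 'aes') {
         $value = Security::decrypt($value, $key);
     }
     // A non-string result presumably means the ciphertext was rejected - stop here.
     if (!is_string($value)) {
         return '';
     }
     return $this->_explode($value);
 }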
 /**
  * Decrypting an empty string must be refused with an exception.
  *
  * @expectedException \Cake\Error\Exception
  * @expectedExceptionMessage The data to decrypt cannot be empty.
  * @return void
  */
 public function testDecryptInvalidData()
 {
     // The key is long enough to be accepted, so only the empty payload can trigger the error.
     $emptyCipher = '';
     Security::decrypt($emptyCipher, 'This is a key that is long enough to be ok.');
 }
Beispiel #15
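 /**
  * Ask the user for the 2FA code and verify it.
  *
  * The pending user is identified by the encrypted `CookieTfa` cookie. On POST the
  * submitted code is checked against the TOTP secret first and the one-time recovery
  * code second; a code equal to the last accepted one is refused. A cookie that does
  * not decrypt to a user id with a 2FA record sends the visitor back to login.
  *
  * NOTE(review): no attempt counter or throttling is visible in this action; confirm
  * that repeated guesses are limited elsewhere.
  *
  * @return \Cake\Network\Response|void
  */
 public function tfa()
 {
     if ($this->Auth->user()) {
         return $this->redirect($this->Auth->redirectUrl());
     }
     if ($this->request->is('post')) {
         $this->loadModel('UsersTwoFactorAuth');
         $id = $this->Cookie->read('CookieTfa');
         if (empty($id) || !is_string($id)) {
             $this->Cookie->delete('CookieTfa');
             return $this->redirect($this->Auth->config('loginAction'));
         }
         try {
             $id = Security::decrypt(base64_decode($id), Configure::read('Security.key'));
         } catch (\Exception $e) {
             $id = false;
         }
         // A decrypt result that is not a non-empty string is handled like the
         // exception case, so it never reaches the lookup below.
         $userTfa = null;
         if (is_string($id) && $id !== '') {
             $userTfa = $this->UsersTwoFactorAuth->find()->where(['user_id' => $id])->first();
         }
         // No 2FA record for this id: stop here instead of dereferencing null.
         if (!$userTfa) {
             $this->Flash->error(__('The link used for the Two-factor Authentication is incorrect.'));
             return $this->redirect($this->Auth->config('loginAction'));
         }
         $tfa = new TwoFactorAuth('Xeta');
         $code = isset($this->request->data['code']) ? $this->request->data['code'] : null;
         $isAuthorized = false;
         $recoveryCodeUsed = false;
         // Only a non-empty string counts as a code, so a missing field can never
         // equal an unset recovery code. Reusing the last accepted code is refused.
         if (is_string($code) && $code !== '' && $code !== $userTfa->current_code) {
             if ($tfa->verifyCode($userTfa->secret, $code) === true) {
                 $isAuthorized = true;
             } elseif (
                 $userTfa->recovery_code_used == false
                 && is_string($userTfa->recovery_code)
                 && hash_equals($userTfa->recovery_code, $code)
             ) {
                 // Recovery code matched (compared in constant time) and is still unused.
                 $isAuthorized = true;
                 $recoveryCodeUsed = true;
             }
         }
         if ($isAuthorized === true) {
             $clientIp = $this->request->clientIp();
             $data = [
                 'session' => $clientIp . $this->request->header('User-Agent') . gethostbyaddr($clientIp),
                 'current_code' => $recoveryCodeUsed === true ? 'recovery' : $code,
                 'recovery_code_used' => $recoveryCodeUsed === true ? 1 : $userTfa->recovery_code_used
             ];
             $this->UsersTwoFactorAuth->patchEntity($userTfa, $data);
             $this->UsersTwoFactorAuth->save($userTfa);
             //Login the user.
             $userLogin = $this->Users->find()->where(['id' => $id])->hydrate(false)->first();
             unset($userLogin['password']);
             $this->_handleLogin($userLogin);
             $this->Cookie->delete('CookieTfa');
             //Logs Event.
             // NOTE(review): the action is recorded as '2FA.recovery_code.used' for every
             // successful verification, not only recovery-code logins - confirm intent.
             $this->eventManager()->attach(new Logs());
             $event = new Event('Log.User', $this, [
                 'user_id' => $userLogin['id'],
                 'username' => $userLogin['username'],
                 'user_ip' => $this->request->clientIp(),
                 'user_agent' => $this->request->header('User-Agent'),
                 'action' => '2FA.recovery_code.used'
             ]);
             $this->eventManager()->dispatch($event);
             return $this->redirect(['controller' => 'pages', 'action' => 'home']);
         } else {
             $this->Flash->error(__('Two-factor secret verification failed. Please verify your code and try again.'));
         }
     }
     // The form is only shown while a pending-2FA cookie exists.
     $id = $this->Cookie->read('CookieTfa');
     if (empty($id)) {
         $this->Cookie->delete('CookieTfa');
         return $this->redirect($this->Auth->config('loginAction'));
     }
 }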
 /**
  * Decrypt an encrypted value.
  *
  * Uses the `key` and `salt` entries of `$this->options`.
  *
  * @param string $encryptedValue Value to be decrypted
  * @return mixed Whatever Security::decrypt() returns for the given ciphertext.
  */
 protected function _decrypt($encryptedValue)
 {
     $key = $this->options['key'];
     $salt = $this->options['salt'];

     return Security::decrypt($encryptedValue, $key, $salt);
 }