From 4a355f242f4b80e9230bb65d13275932833bf569 Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 17 Nov 2020 13:38:28 +0100 Subject: [PATCH] [Web] Some fido2 fixes, table view for fido2 keys, fix renaming keys with the same subject --- data/web/admin.php | 39 +++++++------ data/web/inc/functions.inc.php | 26 ++++++--- data/web/js/site/admin.js | 2 +- data/web/js/site/user.js | 9 +++ data/web/json_api.php | 4 +- data/web/modals/admin.php | 4 +- data/web/modals/user.php | 4 +- data/web/user.php | 101 +++++++++++++++++---------------- 8 files changed, 108 insertions(+), 81 deletions(-) diff --git a/data/web/admin.php b/data/web/admin.php index d14495f0..e522dcfe 100644 --- a/data/web/admin.php +++ b/data/web/admin.php @@ -71,7 +71,7 @@ if (!isset($_SESSION['gal']) && $license_cache = $redis->Get('LICENSE_STATUS_CAC
:

-
+
Get('LICENSE_STATUS_CAC
:
- diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 1404db29..e9055744 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1037,11 +1037,11 @@ function fido2($_data) { } return $cids; break; - case "get_pub_key": + case "get_by_b64cid": if (!isset($_data['cid']) || empty($_data['cid'])) { return false; } - $stmt = $pdo->prepare("SELECT `certificateSubject`, `username`, `credentialPublicKey` FROM `fido2` WHERE TO_BASE64(`credentialId`) = :cid"); + $stmt = $pdo->prepare("SELECT `certificateSubject`, `username`, `credentialPublicKey`, SHA2(`credentialId`, 256) AS `cid` FROM `fido2` WHERE TO_BASE64(`credentialId`) = :cid"); $stmt->execute(array(':cid' => $_data['cid'])); $row = $stmt->fetch(PDO::FETCH_ASSOC); if (empty($row) || empty($row['credentialPublicKey']) || empty($row['username'])) { @@ -1049,7 +1049,8 @@ function fido2($_data) { } $data['pub_key'] = $row['credentialPublicKey']; $data['username'] = $row['username']; - $data['key_id'] = $row['certificateSubject']; + $data['subject'] = $row['certificateSubject']; + $data['cid'] = $row['cid']; return $data; break; case "get_friendly_names": @@ -1058,11 +1059,15 @@ function fido2($_data) { $_SESSION['mailcow_cc_role'] != "admin") { return false; } - $stmt = $pdo->prepare("SELECT `certificateSubject`, `friendlyName` FROM `fido2` WHERE `username` = :username"); + $stmt = $pdo->prepare("SELECT SHA2(`credentialId`, 256) AS `cid`, `certificateSubject`, `friendlyName` FROM `fido2` WHERE `username` = :username"); $stmt->execute(array(':username' => $username)); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); while($row = array_shift($rows)) { - $fns[] = array("subject" => $row['certificateSubject'], "fn" => $row['friendlyName']); + $fns[] = array( + "subject" => $row['certificateSubject'], + "fn" => $row['friendlyName'], + "cid" => $row['cid'] + ); } return $fns; break; @@ -1077,8 +1082,11 @@ function fido2($_data) { ); return false; } - $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username AND `certificateSubject` = :certificateSubject"); - $stmt->execute(array(':username' => $username, ':certificateSubject' => $_data['post_data']['unset_fido2_key'])); + $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username AND SHA2(`credentialId`, 256) = :cid"); + $stmt->execute(array( + ':username' => $username, + ':cid' => $_data['post_data']['unset_fido2_key'] + )); $_SESSION['return'][] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_data_log), @@ -1096,11 +1104,11 @@ function fido2($_data) { ); return false; } - $stmt = $pdo->prepare("UPDATE `fido2` SET `friendlyName` = :friendlyName WHERE `certificateSubject` = :certificateSubject AND `username` = :username"); + $stmt = $pdo->prepare("UPDATE `fido2` SET `friendlyName` = :friendlyName WHERE SHA2(`credentialId`, 256) = :cid AND `username` = :username"); $stmt->execute(array( ':username' => $username, ':friendlyName' => $_data['fido2_attrs']['fido2_fn'], - ':certificateSubject' => base64_decode($_data['fido2_attrs']['fido2_subject']) + ':cid' => $_data['fido2_attrs']['fido2_cid'] )); $_SESSION['return'][] = array( 'type' => 'success', diff --git a/data/web/js/site/admin.js b/data/web/js/site/admin.js index 34e11f44..bdb2eaa9 100644 --- a/data/web/js/site/admin.js +++ b/data/web/js/site/admin.js @@ -457,7 +457,7 @@ jQuery(function($){ $('#fido2ChangeFn').on('show.bs.modal', function (e) { rename_link = $(e.relatedTarget) if (rename_link != null) { - $('#fido2_subject').val(rename_link.data('subject')); + $('#fido2_cid').val(rename_link.data('cid')); $('#fido2_subject_desc').text(Base64.decode(rename_link.data('subject'))); } }) diff --git a/data/web/js/site/user.js b/data/web/js/site/user.js index 83ee793e..0fdec8f9 100644 --- a/data/web/js/site/user.js +++ b/data/web/js/site/user.js @@ -296,6 +296,15 @@ jQuery(function($){ draw_wl_policy_mailbox_table(); draw_bl_policy_mailbox_table(); + // FIDO2 friendly name modal + $('#fido2ChangeFn').on('show.bs.modal', function (e) { + rename_link = $(e.relatedTarget) + if (rename_link != null) { + $('#fido2_cid').val(rename_link.data('cid')); + $('#fido2_subject_desc').text(Base64.decode(rename_link.data('subject'))); + } + }) + // Sieve data modal $('#userFilterModal').on('show.bs.modal', function(e) { $('#user_sieve_filter').text(lang.loading); diff --git a/data/web/json_api.php b/data/web/json_api.php index d7ac4f06..04616819 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -277,7 +277,7 @@ if (isset($_GET['query'])) { $signature = base64_decode($post->signature); $id = base64_decode($post->id); $challenge = $_SESSION['challenge']; - $process_fido2 = fido2(array("action" => "get_pub_key", "cid" => $post->id)); + $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $post->id)); if ($process_fido2['pub_key'] === false) { $return = new stdClass(); $return->success = false; @@ -296,7 +296,6 @@ if (isset($_GET['query'])) { } $return = new stdClass(); $return->success = true; - $_SESSION["fido2_subject"] = $process_fido2['key_id']; $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username"); $stmt->execute(array(':username' => $process_fido2['username'])); $obj_props = $stmt->fetch(PDO::FETCH_ASSOC); @@ -307,6 +306,7 @@ if (isset($_GET['query'])) { $_SESSION["mailcow_cc_role"] = "domainadmin"; } $_SESSION["mailcow_cc_username"] = $process_fido2['username']; + $_SESSION["fido2_cid"] = $process_fido2['cid']; $_SESSION['return'][] = array( 'type' => 'success', 'log' => array("fido2_login"), diff --git a/data/web/modals/admin.php b/data/web/modals/admin.php index 54eedc53..e796d2e1 100644 --- a/data/web/modals/admin.php +++ b/data/web/modals/admin.php @@ -111,11 +111,11 @@ if (!isset($_SESSION['mailcow_cc_role'])) {

-

+

- +
diff --git a/data/web/modals/user.php b/data/web/modals/user.php index c47e38a5..4d155564 100644 --- a/data/web/modals/user.php +++ b/data/web/modals/user.php @@ -11,11 +11,11 @@ if (!isset($_SESSION['mailcow_cc_role'])) {

-

+

- +
diff --git a/data/web/user.php b/data/web/user.php index 7fda800c..8cf804ba 100644 --- a/data/web/user.php +++ b/data/web/user.php @@ -41,7 +41,7 @@ if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'doma

-
+ @@ -50,7 +50,7 @@ if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'doma - +

@@ -66,56 +66,61 @@ if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'doma
- - - - - - -
-
:
-
-
- + + + + + + +
+
:
+
+
+ + + + + + + + + + + +
ID
+ +
- -
- - ")?$(this).closest("form").submit():"";'> - [] - - - [] - -
+ +
+ + ")?$(this).closest("form").submit():"";' class="btn btn-xs btn-danger"> - -
-
- - -
-
- -
-
-
-
-
:
-
-
-
+
+

-
+
+
+
+
+ +
+
+
+
+
:
+
+
-
+
+
+