From 42c1d8a7237b5c27301735504f39244b0c0ad218 Mon Sep 17 00:00:00 2001
From: Laurent Laffont <llaffont@afi-sa.fr>
Date: Mon, 18 Feb 2019 17:17:30 +0100
Subject: [PATCH] hotline #87312 remove LeKiosk keys from source code
---
VERSIONS_HOTLINE/87312 | 2 +-
library/digital_resources/Lekiosk/Config.php | 12 +++--
library/digital_resources/Lekiosk/Link.php | 10 ++--
library/digital_resources/Lekiosk/Service.php | 1 -
.../Lekiosk/tests/LekioskTest.php | 50 +++++++++++--------
5 files changed, 43 insertions(+), 32 deletions(-)
diff --git a/VERSIONS_HOTLINE/87312 b/VERSIONS_HOTLINE/87312
index 362232488fe..bd454c26f97 100644
--- a/VERSIONS_HOTLINE/87312
+++ b/VERSIONS_HOTLINE/87312
@@ -1 +1 @@
- - ticket #87312 : Des clés valides LeKiosk sont dans le code source!
\ No newline at end of file
+ - ticket #87312 : sécurisation de l'accès à la plateforme LeKiosk
\ No newline at end of file
diff --git a/library/digital_resources/Lekiosk/Config.php b/library/digital_resources/Lekiosk/Config.php
index 27120451fef..f7b40600424 100644
--- a/library/digital_resources/Lekiosk/Config.php
+++ b/library/digital_resources/Lekiosk/Config.php
@@ -36,16 +36,18 @@ class Lekiosk_Config extends Class_DigitalResource_Config {
 'MailUrl' => 'http://get.lekiosk.com/pro/?utm_source=LK&utm_campaign=B2B&utm_medium=footer',
 'AdminVars' => [
- 'ID' => Class_AdminVar_Meta::newDefault($this->_('Identifiant fournit par LeKiosk'))->bePrivate(),
+ 'ID' => Class_AdminVar_Meta::newDefault($this->_('Identifiant fourni par LeKiosk'))->bePrivate(),
 'SSO_MODE' => Class_AdminVar_Meta::newCombo($this->_('Type de SSO lekiosk.com'), ['options' => ['selectOptions' => ['label' => $this->_('Mode d\'authentification'), 'multioptions' => ['' => 'Lien', 'CAS' => 'CAS']]]])->bePrivate(),
- 'FTP_LOGIN' => Class_AdminVar_Meta::newDefault($this->_('Identifiant du compte FTP fournit par LeKiosk (déprécié)'))->bePrivate(),
- 'FTP_PASSWORD' => Class_AdminVar_Meta::newDefault($this->_('Mot de passe du compte FTP fournit par LeKiosk (déprécié)'))->bePrivate(),
- 'HTTP_LOGIN' => Class_AdminVar_Meta::newDefault($this->_('Identifiant du compte HTTP fournit par LeKiosk'))->bePrivate(),
- 'HTTP_PASSWORD' => Class_AdminVar_Meta::newDefault($this->_('Mot de passe du compte HTTP fournit par LeKiosk'))->bePrivate(),
+ 'FTP_LOGIN' => Class_AdminVar_Meta::newDefault($this->_('Identifiant du compte FTP fourni par LeKiosk (déprécié)'))->bePrivate(),
+ 'FTP_PASSWORD' => Class_AdminVar_Meta::newDefault($this->_('Mot de passe du compte FTP fourni par LeKiosk (déprécié)'))->bePrivate(),
+ 'HTTP_LOGIN' => Class_AdminVar_Meta::newDefault($this->_('Identifiant du compte HTTP fourni par LeKiosk'))->bePrivate(),
+ 'HTTP_PASSWORD' => Class_AdminVar_Meta::newDefault($this->_('Mot de passe du compte HTTP fourni par LeKiosk'))->bePrivate(),
 'HARVEST_URL' => Class_AdminVar_Meta::newDefault($this->_('URL de moissonage de la ressource LeKiosk'))->bePrivate(),
+ 'AES_KEY' => Class_AdminVar_Meta::newDefault($this->_('Clé de cryptage/AES des mails fourni par LeKiosk'))->bePrivate(),
+ 'SHA1_KEY' => Class_AdminVar_Meta::newDefault($this->_('Clé de cryptage/SHA1 des accès fourni
par LeKiosk'))->bePrivate(),
 ],
 'SsoAction' => true,
diff --git a/library/digital_resources/Lekiosk/Link.php b/library/digital_resources/Lekiosk/Link.php
index 8fcce9be861..9414b08008c 100644
--- a/library/digital_resources/Lekiosk/Link.php
+++ b/library/digital_resources/Lekiosk/Link.php
@@ -23,8 +23,6 @@ class Lekiosk_Link extends Lekiosk_LinkAbstract {
 const ROOT_URL = 'https://pros.lekiosk.com';
 const BASE_URL = '/login/accesshash?';
- const AES_KEY = '56FGH4sTOV9ZXr4Q';
- const SHA1_KEY = '897RDZQo789';
 protected $_mail;
 protected $_base_url;
@@ -48,7 +46,7 @@ class Lekiosk_Link extends Lekiosk_LinkAbstract {
 protected function accessHash() {
- return sha1($this->baseUrl() . static::SHA1_KEY);
+ return sha1($this->baseUrl() . Lekiosk_Config::getInstance()->getAdminVar('SHA1_KEY'));
 }
@@ -64,7 +62,11 @@ class Lekiosk_Link extends Lekiosk_LinkAbstract {
 protected function cryptedMail() {
- return bin2hex(openssl_encrypt($this->_mail, 'aes-128-cbc', static::AES_KEY, true, static::AES_KEY));
+ return bin2hex(openssl_encrypt($this->_mail,
+ 'aes-128-cbc',
+ Lekiosk_Config::getInstance()->getAdminVar('AES_KEY'),
+ true,
+ Lekiosk_Config::getInstance()->getAdminVar('AES_KEY')));
 }
 }
 ?>
\ No newline at end of file
diff --git a/library/digital_resources/Lekiosk/Service.php b/library/digital_resources/Lekiosk/Service.php
index 24f8fe8db23..6411ddacd73 100644
--- a/library/digital_resources/Lekiosk/Service.php
+++ b/library/digital_resources/Lekiosk/Service.php
@@ -1,4 +1,3 @@
-
 <?php
 /**
 * Copyright (c) 2012, Agence Française Informatique (AFI). All rights reserved.
diff --git a/library/digital_resources/Lekiosk/tests/LekioskTest.php b/library/digital_resources/Lekiosk/tests/LekioskTest.php
index e0ddb360028..7c727e0607e 100644
--- a/library/digital_resources/Lekiosk/tests/LekioskTest.php
+++ b/library/digital_resources/Lekiosk/tests/LekioskTest.php
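Review bot: The new `AES_KEY` entry does not say what format the value must have, while its consumer added in this same patch (aes-128-cbc in Lekiosk_Link::cryptedMail) needs exactly 16 bytes — PHP's openssl_encrypt silently NUL-pads a shorter passphrase and truncates a longer one, so an administrator pasting a key of the wrong length gets a working-looking but wrong link instead of an error. Say it in the label, e.g. `'AES_KEY' => Class_AdminVar_Meta::newDefault($this->_('Clé AES (16 caractères) fournie par LeKiosk pour le chiffrement des mails'))->bePrivate(),` (the same feminine agreement, «fournie», applies to the `SHA1_KEY` label). Moving the two values out of the class constants does not retire them — the old literals remain in the repository history, so the partner-side keys should be rotated before these two variables are filled in. The array literal continues outside the hunk.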
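Review bot: `getAdminVar('SHA1_KEY')` has no guard on the new line: when the variable is unset or blank — the exact state LekioskAdminVars::deactivate() in the test file leaves it in, and the state of every installation until an administrator fills it in — the return degrades to `sha1($this->baseUrl())`, a value anyone can compute from the URL, and the link is still emitted. The same applies to `AES_KEY` in cryptedMail below, where openssl_encrypt NUL-pads an empty passphrase to 16 zero bytes. Fail closed instead: `$key = Lekiosk_Config::getInstance()->getAdminVar('SHA1_KEY');` then `if ('' === (string) $key) throw new RuntimeException('Lekiosk_SHA1_KEY is not configured');` before the `sha1()` call — or, if Class_DigitalResource_Config exposes a configured/enabled hook, make it require both keys so the module is not offered at all without them.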
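Review bot: The rewritten call still passes the same `AES_KEY` value as both the key and the IV of aes-128-cbc, so the IV is fixed and equal to the secret: the ciphertext for a given address is always identical (the test file pins one hex string per email) and key material is used in a slot the cipher treats as public. No IV travels in the URL, so this may be what the LeKiosk accesshash format requires; if so, record that in a comment so the next reader does not take it for an oversight. Independently, `Lekiosk_Config::getInstance()->getAdminVar('AES_KEY')` is looked up twice and the bare `true` stands in for the `OPENSSL_RAW_DATA` flag; `$key = Lekiosk_Config::getInstance()->getAdminVar('AES_KEY');` followed by `return bin2hex(openssl_encrypt($this->_mail, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $key));` says the same thing in two lines.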
@@ -15,7 +15,7 @@
 * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
 *
 * You should have received a copy of the GNU AFFERO GENERAL PUBLIC LICENSE
-* along with BOKEH; if not, write to the Free Software
+ * along with BOKEH; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */
@@ -23,9 +23,11 @@ class LekioskAdminVars {
 public static function activate() {
- Class_AdminVar::set('Lekiosk_ID', '29');
- Class_AdminVar::set('Lekiosk_FTP_LOGIN', 'FOIX');
+ Class_AdminVar::set('Lekiosk_ID', '66');
+ Class_AdminVar::set('Lekiosk_FTP_LOGIN', 'POIS');
 Class_AdminVar::set('Lekiosk_FTP_PASSWORD', 'PWD');
+ Class_AdminVar::set('Lekiosk_AES_KEY', '12FA88sE3V5UKr3K');
+ Class_AdminVar::set('Lekiosk_SHA1_KEY', '976ABWQo231');
 }
@@ -33,6 +35,8 @@ class LekioskAdminVars {
 Class_AdminVar::set('Lekiosk_ID', '');
 Class_AdminVar::set('Lekiosk_FTP_LOGIN', '');
 Class_AdminVar::set('Lekiosk_FTP_PASSWORD', '');
+ Class_AdminVar::set('Lekiosk_AES_KEY', '');
+ Class_AdminVar::set('Lekiosk_SHA1_KEY', '');
 }
 }
@@ -61,7 +65,7 @@ abstract class LekioskLinkModeLinkTestCase extends ModelTestCase {
 class LekioskLinkModeLinkTest extends LekioskLinkModeLinkTestCase {
 /** @test */
 public function urlForMyemailAtLekioskDotComShouldContainsEncryptedEmail() {
- $expected = 'https://pros.lekiosk.com/login/accesshash?email=1671f18f515f49271985280397c1c2bc48e1bfa31a3b638cb22e510e4953d65e&id=29&AccessHash=4eef094aacc80db2698f841214bba28f8b5d001a';
+ $expected = 'https://pros.lekiosk.com/login/accesshash?email=a9be7374efd20f652cc1206da2d721f58420bf24f5b6febd143643d402f0cf39&id=66&AccessHash=6750ec2389df54aff5ae952b7e03a521e3f2a5d5';
 $this->assertEquals(
 $expected,
 (new Lekiosk_Link('myemail@lekiosk.com'))->url()
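Review bot: `activate()` now seeds `Lekiosk_AES_KEY`/`Lekiosk_SHA1_KEY` and `deactivate()` in the next hunk blanks them, but no test in this file exercises the blanked state, which is the production condition right after this upgrade until an administrator fills in the two new variables. Add a case in LekioskLinkModeLinkTest that clears the two keys and pins what `(new Lekiosk_Link('myemail@lekiosk.com'))->url()` is meant to do then — no link, or an exception — rather than leaving it to openssl_encrypt's NUL-padding of an empty passphrase and an `AccessHash` that is just `sha1` of the bare URL. The expected-URL constants updated in the following hunks would then document both configured and unconfigured behaviour.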
@@ -71,7 +75,7 @@ class LekioskLinkModeLinkTest extends LekioskLinkModeLinkTestCase {
 /** @test */
 public function withoutMailShouldBeNotContainsEmailKey() {
- $expected = 'https://pros.lekiosk.com/login/accesshash?email=18ca3d8ad40255ce09d5d20debc1e069&id=29&AccessHash=69436bc8e1ea7a85b3a7c9d2d764077e3519a6c5';
+ $expected = 'https://pros.lekiosk.com/login/accesshash?email=a0dc2568ae735ff737ffc8b9bf2e4fb8&id=66&AccessHash=92a485f29b5000e908fef0815c00487b1aa759a1';
 $this->assertEquals($expected, (new Lekiosk_Link(''))->url());
 }
@@ -79,7 +83,7 @@ class LekioskLinkModeLinkTest extends LekioskLinkModeLinkTestCase {
 /** @test */
 public function withEmptyUserMailShouldGetSiteOrProfileMail() {
 Class_Profil::find(1)->setMailSite('toto@example.com');
- $expected = 'https://pros.lekiosk.com/login/accesshash?email=76903fe54055ab757db99c2370d89970e25c5b33b5a69cafc108c0031685af88&id=29&AccessHash=5db96ac3eb21187f2a7622ebbfa255321c7f32c1';
+ $expected = 'https://pros.lekiosk.com/login/accesshash?email=bd612092eb8f12afc609f161d641ba9a4ac6b6e45bfae616f4994f9205f50a7d&id=66&AccessHash=4c09021c872852de07b4e5e89a9fc1659a3c293c';
 $this->assertEquals($expected, (new Lekiosk_Link(''))->url());
 }
 }
@@ -104,7 +108,7 @@ class LekioskLinkModeSSOTest extends LekioskLinkModeLinkTestCase {
 public function linkShouldBeCasUrlWithLekioskId() {
 $url = 'https://apipros.lekiosk.com/login/cas?'
 .'cas_fournisseur=' . urlencode(Class_Url::rootUrl() . BASE_URL . '/cas-server-v10')
- .'&id=29'
+ .'&id=66'
 .'&returnUrl=';
 $this->assertEquals($url,
@@ -259,7 +263,7 @@ abstract class LekioskServiceTestCase extends AbstractControllerTestCase {
 $file_system = $this->mock()
 ->whenCalled('file_get_contents')
- ->with('ftp://FOIX:PWD@ftp.lekiosk.com/lekiosque_06022017.xml')
+ ->with('ftp://POIS:PWD@ftp.lekiosk.com/lekiosque_06022017.xml')
 ->answers($catalogue_xml);
 $http_client = $this->mock()
@@ -423,7 +427,7 @@ class LekioskRenderAlbumFromRecordTest extends LekioskServiceTestCase {
 $this->_dispatchAlbum();
 $url = 'https://apipros.lekiosk.com/login/cas?'
 .'cas_fournisseur=' . urlencode(Class_Url::absolute('/cas-server-v10'))
- .'&id=29'
+ .'&id=66'
 .'&returnUrl=Le-10-Sport-National-z1962566.aspx';
 $this->assertXPath('//a[@href="' . $url . '"]', $this->_response->getBody());
@@ -435,9 +439,9 @@ class LekioskRenderAlbumFromRecordTest extends LekioskServiceTestCase {
 Class_AdminVar::set('Lekiosk_SSO_MODE', '');
 $this->_dispatchAlbum();
 $url = 'https://pros.lekiosk.com/login/accesshash?'
- . 'email=18ca3d8ad40255ce09d5d20debc1e069'
- . '&id=29'
- . '&AccessHash=69436bc8e1ea7a85b3a7c9d2d764077e3519a6c5'
+ . 'email=a0dc2568ae735ff737ffc8b9bf2e4fb8'
+ . '&id=66'
+ . '&AccessHash=92a485f29b5000e908fef0815c00487b1aa759a1'
 . '&ReturnUrl=Le-10-Sport-National-z1962566.aspx';
 $this->assertXPath('//a[@href="' . $url . '"]', $this->_response->getBody());
 }
@@ -547,10 +551,12 @@ abstract class LekioskServiceHttpHarvestingTestCase extends AbstractControllerTe
 public function setUp() {
 parent::setUp();
- Class_AdminVar::set('Lekiosk_ID', '29');
- Class_AdminVar::set('Lekiosk_HTTP_LOGIN', 'FOIX');
+ Class_AdminVar::set('Lekiosk_ID', '66');
+ Class_AdminVar::set('Lekiosk_HTTP_LOGIN', 'POIS');
 Class_AdminVar::set('Lekiosk_HTTP_PASSWORD', 'PWD');
 Class_AdminVar::set('Lekiosk_HARVEST_URL', 'https://apipros.lekiosk.com');
+ Class_AdminVar::set('Lekiosk_AES_KEY', '12FA88sE3V5UKr3K');
+ Class_AdminVar::set('Lekiosk_SHA1_KEY', '976ABWQo231');
 $token_json = file_get_contents(__DIR__. '/token.json');
 $catalogue_xml = file_get_contents(__DIR__. '/catalogue_from_http.xml');
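Review bot: The two key fixtures added to this setUp repeat the literal values already seeded by LekioskAdminVars::activate() in the first hunk of this file, and the LekioskPluginTest::setUp hunk at the end of the patch repeats them a third time; if the key length or format ever changes (aes-128-cbc needs a 16-byte key) three places must be edited in step. Call `LekioskAdminVars::activate();` here instead (it also sets the FTP variables, which these HTTP-harvesting tests look indifferent to — verify), or hoist the two values into constants on LekioskAdminVars and reference them from each setUp, so the fixture has one owner. setUp continues outside the hunk.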
@@ -558,7 +564,7 @@ abstract class LekioskServiceHttpHarvestingTestCase extends AbstractControllerTe
 $http_client = $this->mock()
 ->whenCalled('postRawData')
 ->with('https://apipros.lekiosk.com/login',
- '{"username":"FOIX","userpwd":"PWD"}','application/json')
+ '{"username":"POIS","userpwd":"PWD"}','application/json')
 ->answers($token_json)
 ->whenCalled('open_url')
@@ -592,7 +598,7 @@ class LekioskServiceHttpUpdateHarvestingTest extends LekioskServiceHttpHarvestin
 $http_client = $this->mock()
 ->whenCalled('postRawData')
 ->with('https://apipros.lekiosk.com/login',
- '{"username":"FOIX","userpwd":"PWD"}','application/json')
+ '{"username":"POIS","userpwd":"PWD"}','application/json')
 ->answers($token_json)
 ->whenCalled('open_url')
@@ -698,7 +704,7 @@ class LekioskServiceHttpHarvestingNoticeAjaxTest extends LekioskServiceHttpHarve
 $this->_dispatchAlbum();
 $url = 'https://apipros.lekiosk.com/login/cas?'
 .'cas_fournisseur=' . urlencode(Class_Url::absolute('/cas-server-v10'))
- .'&id=29'
+ .'&id=66'
 .'&returnUrl='. urlencode('/fr/pageproduct/851749/2052615');
 $this->assertXPath('//a[@href="' . $url . '"]', $this->_response->getBody());
@@ -710,9 +716,9 @@ class LekioskServiceHttpHarvestingNoticeAjaxTest extends LekioskServiceHttpHarve
 Class_AdminVar::set('Lekiosk_SSO_MODE', '');
 $this->_dispatchAlbum();
 $url = 'https://pros.lekiosk.com/login/accesshash?'
- . 'email=18ca3d8ad40255ce09d5d20debc1e069'
- . '&id=29'
- . '&AccessHash=69436bc8e1ea7a85b3a7c9d2d764077e3519a6c5'
+ . 'email=a0dc2568ae735ff737ffc8b9bf2e4fb8'
+ . '&id=66'
+ . '&AccessHash=92a485f29b5000e908fef0815c00487b1aa759a1'
 . '&ReturnUrl='.urlencode('/fr/pageproduct/851749/2052615');
 $this->assertXPath('//a[@href="' . $url . '"]', $this->_response->getBody());
 }
@@ -728,11 +734,13 @@ class LekioskPluginTest extends Admin_AbstractControllerTestCase {
 public function setUp() {
 parent::setUp();
- Class_AdminVar::set('Lekiosk_ID', '29');
+ Class_AdminVar::set('Lekiosk_ID', '66');
 Class_AdminVar::set('Lekiosk_HARVEST_URL', 'http://lekiosk.org/oai');
 Class_AdminVar::set('Lekiosk_HTTP_LOGIN', 'lekiosk');
 Class_AdminVar::set('Lekiosk_HTTP_PASSWORD', 'PWD+456');
+ Class_AdminVar::set('Lekiosk_AES_KEY', '12FA88sE3V5UKr3K');
+ Class_AdminVar::set('Lekiosk_SHA1_KEY', '976ABWQo231');
 $group = $this->fixture('Class_UserGroup', ['id' => 1,
--
GitLab