cryptowrapper.php 3.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Joas Schilling <coding@schilljs.com>
  6. * @author Lukas Reschke <lukas@statuscode.ch>
  7. * @author Phil Davis <phil.davis@inf.org>
  8. * @author Roeland Jago Douma <roeland@famdouma.nl>
  9. *
  10. * @license AGPL-3.0
  11. *
  12. * This code is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License, version 3,
  14. * as published by the Free Software Foundation.
  15. *
  16. * This program is distributed in the hope that it will be useful,
  17. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  18. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  19. * GNU Affero General Public License for more details.
  20. *
  21. * You should have received a copy of the GNU Affero General Public License, version 3,
  22. * along with this program. If not, see <http://www.gnu.org/licenses/>
  23. *
  24. */
  25. namespace OC\Session;
  26. use OCP\IConfig;
  27. use OCP\IRequest;
  28. use OCP\ISession;
  29. use OCP\Security\ICrypto;
  30. use OCP\Security\ISecureRandom;
  31. /**
  32. * Class CryptoWrapper provides some rough basic level of additional security by
  33. * storing the session data in an encrypted form.
  34. *
  35. * The content of the session is encrypted using another cookie sent by the browser.
  36. * One should note that an adversary with access to the source code or the system
  37. * memory is still able to read the original session ID from the users' request.
  38. * This thus can not be considered a strong security measure one should consider
  39. * it as an additional small security obfuscation layer to comply with compliance
  40. * guidelines.
  41. *
  42. * TODO: Remove this in a future release with an approach such as
  43. * https://github.com/owncloud/core/pull/17866
  44. *
  45. * @package OC\Session
  46. */
  47. class CryptoWrapper {
  48. const COOKIE_NAME = 'oc_sessionPassphrase';
  49. /** @var ISession */
  50. protected $session;
  51. /** @var \OCP\Security\ICrypto */
  52. protected $crypto;
  53. /** @var ISecureRandom */
  54. protected $random;
  55. /**
  56. * @param IConfig $config
  57. * @param ICrypto $crypto
  58. * @param ISecureRandom $random
  59. * @param IRequest $request
  60. */
  61. public function __construct(IConfig $config,
  62. ICrypto $crypto,
  63. ISecureRandom $random,
  64. IRequest $request) {
  65. $this->crypto = $crypto;
  66. $this->config = $config;
  67. $this->random = $random;
  68. if (!is_null($request->getCookie(self::COOKIE_NAME))) {
  69. $this->passphrase = $request->getCookie(self::COOKIE_NAME);
  70. } else {
  71. $this->passphrase = $this->random->generate(128);
  72. $secureCookie = $request->getServerProtocol() === 'https';
  73. // FIXME: Required for CI
  74. if (!defined('PHPUNIT_RUN')) {
  75. $webRoot = \OC::$WEBROOT;
  76. if($webRoot === '') {
  77. $webRoot = '/';
  78. }
  79. setcookie(self::COOKIE_NAME, $this->passphrase, 0, $webRoot, '', $secureCookie, true);
  80. }
  81. }
  82. }
  83. /**
  84. * @param ISession $session
  85. * @return ISession
  86. */
  87. public function wrapSession(ISession $session) {
  88. if (!($session instanceof CryptoSessionData)) {
  89. return new CryptoSessionData($session, $this->crypto, $this->passphrase);
  90. }
  91. return $session;
  92. }
  93. }