Merge pull request #11 from samtuke/master

Improved configuration file handling

Author: michield

.gitignore

@@ -2,3 +2,4 @@ composer.lock
 config.ini
 config.php
 .idea/
+core/phpunit.xml

core/Admin.php

@@ -270,11 +270,16 @@ function validateLogin( $plainPass, $username )
             'admin' => null
         );
 
+        // Hash the supplied password for comparison
+        $encPass = $this->pass->encrypt( $plainPass );
+
         $result = $this->adminModel->getAdminByUsername( $username );
 
-        $adminEntity = $this->adminEntityFromArray( $result );
+        // If an admin was found with that username
+        if( $result ) {
 
-        $encPass = $this->pass->encrypt( $plainPass );
+            $adminEntity = $this->adminEntityFromArray( $result );
+        }
 
         /*
          * TODO: this should not happen imo, can this be removed
@@ -288,16 +293,21 @@ function validateLogin( $plainPass, $username )
             $result = Sql_Query_Params($query, array($login));
         }*/
 
-        if ( $adminEntity->disabled ) {
+        if ( ! $result ) {
+            $return['error'] = 'Admin not found'; // If admin not found
+        } elseif( $adminEntity->disabled ) {
             // FIXME: translation / formatting via s() removed
             $return['error'] = 'Your account has been disabled';
-        } elseif ($encPass == $adminEntity->encPass) {
+        } elseif ( $encPass == $adminEntity->encPass ) {
             $return['result'] = true;
             $return['error'] = '';
             $return['admin'] = $adminEntity;
-        } else {
+        } elseif ( $encPass != $adminEntity->encPass ) {
             // FIXME: translation / formatting via s() removed
             $return['error'] = 'Incorrect password';
+        } else {
+            // FIXME: translation / formatting via s() removed
+            $return['error'] = 'Unknown error';
         }
         return $return;
     }

core/Config.php

@@ -7,38 +7,98 @@
 
 class Config
 {
+    public $configFileOrigin;
     private $running_config = array();
     private $default_config = array();
 
+    public function parseIniFile( $configFile )
+    {
+        // Load the config file
+        $parsed = parse_ini_file( $configFile );
+        if( ! is_array( $parsed ) ) {
+            throw new \Exception( 'Could not parse specified ini config file: ' . $configFile );
+        }
+        return $parsed;
+    }
+
     /**
      * Default constructor
      * load configuration from database each new session
      * TODO: probably not a good idea when using an installation with multiple subscribers
      */
-    public function __construct($config_file)
-    {
-        /**
+     public function __construct( $configFile = NULL )
+     {
+         /**
          * Constants used for debugging and developping
          */
-        defined('DEBUG') ? null : define('DEBUG', true);
-        defined('PHPLIST_DEVELOPER_EMAIL') ? null : define('PHPLIST_DEVELOPER_EMAIL', '[email protected]');
-        defined('PHPLIST_DEV_VERSION') ? null : define('PHPLIST_DEV_VERSION', true);
-        defined('PHPLIST_VERSION') ? null : define('PHPLIST_VERSION', '4.0.0 dev');
-
-        //do we have a configuration saved in session?
-        if (isset($_SESSION['running_config'])) {
-            $this->running_config = $_SESSION['running_config'];
+         defined('DEBUG') ? null : define('DEBUG', true);
+         defined('PHPLIST_DEVELOPER_EMAIL') ? null : define('PHPLIST_DEVELOPER_EMAIL', '[email protected]');
+         defined('PHPLIST_DEV_VERSION') ? null : define('PHPLIST_DEV_VERSION', true);
+         defined('PHPLIST_VERSION') ? null : define('PHPLIST_VERSION', '4.0.0 dev');
+
+         // Find the config file to use
+         $foundConfigFile = $this->findConfigFile( $configFile );
+         // Check config file is valid
+         $this->validateConfigFile( $foundConfigFile );
+         // Load the config file path as an ini file
+         $this->running_config = $this->parseIniFile( $this->configFilePath );
+         //Initialise further config
+         $this->initConfig();
+     }
+
+     /**
+      * Find the right config file to use
+      */
+     public function findConfigFile( $configFile )
+     {
+         // If no config file path provided
+         if( $configFile !== NULL ) {
+                 $this->configFileOrigin = "supplied file path";
+                 $this->configFilePath = $configFile;
+         } else { // If no config file specified, look for one
+             // determine which config file to use
+             if (
+                isset( $_SESSION['running_config'] )
+                && count( $_SESSION['running_config'] ) > 15
+            ) { // do we have a configuration saved in session?
+                 // If phpList is being used as a library, the config file may be set in session
+                 $this->configFileOrigin = "session";
+                 $this->configFilePath = $_SESSION['running_config'];
+
+             } elseif( isset( $GLOBALS['configfile'] ) ) { // Is a phpList 3 config file stored in globals?
+
+                 $this->configFileOrigin = "globals: phpList3 ini file path";
+                 $this->configFilePath = $GLOBALS['configfile'];
+
+             } elseif( isset( $GLOBALS['phplist4-ini-config-file-path'] ) ) { // Is a phpList 4 config file stored in globals?
+                 $this->configFileOrigin = "globals: phpList4 ini file path";
+                 $this->configFilePath = $GLOBALS['phplist4-ini-config-file-path'];
+
+             } else {
+                 throw new \Exception( 'Could not find config file, none specified' );
+             }
+         }
+         return $this->configFilePath;
+     }
+
+     /**
+      * Check that config file is valid
+      * @param string $configFilePath Path to check
+      */
+     public function validateConfigFile( $configFilePath )
+     {
+        if ( ! is_string( $configFilePath ) ) {
+            throw new \Exception( 'Config file path is not a string (' . gettype( $configFilePath ) . ')' );
+        } elseif ( ! is_file( $configFilePath ) ) {
+            throw new \Exception( 'Config file is not a file: ' . $configFilePath );
+        } elseif( ! filesize( $configFilePath ) > 20 ) {
+            throw new \Exception( 'Config file too small: ' . $configFilePath );
+        } elseif(  ! parse_ini_file( $configFilePath ) ) {
+            throw new \Exception( 'Config file not an INI file: ' . $configFilePath );
         } else {
-            if (is_file($config_file) && filesize($config_file) > 20) {
-                //load from config file
-                $this->running_config = parse_ini_file($config_file);
-                //Initialise further config
-                $this->initConfig();
-            } else{
-                throw new \Exception('Cannot find config file: ' . $config_file);
-            }
+            return true;
         }
-    }
+     }
 
     /**
      * Run this after db has been initialized, so we get the config from inside the database as well.
@@ -53,7 +113,7 @@ public function runAfterDBInitialised(Database $db){
      * @param Language $lan
      */
     public function runAfterLanguageInitialised(Language $lan){
-        $this->loadDefaultConfig($lan);
+        // $this->loadDefaultConfig($lan);
     }
 
     /**
@@ -322,12 +382,16 @@ private function initConfig()
         $this->running_config['TLD_REFETCH_TIMEOUT'] = 15552000; ## 180 days, about 6 months
         $this->running_config['SHOW_UNSUBSCRIBELINK'] = true;
 
-        if (function_exists('hash_algos') && !in_array($this->running_config['ENCRYPTION_ALGO'], hash_algos())) {
-            throw new \Exception('Encryption algorithm "' . $this->running_config['ENCRYPTION_ALGO'] . '" not supported, change your configuration');
+        // Check if desired hashing algo is supported by server
+        if (
+            function_exists( 'hash_algos' )
+            && !in_array( $this->running_config['ENCRYPTION_ALGO'], hash_algos() )
+        ) {
+            throw new \Exception( 'Encryption algorithm "' . $this->running_config['ENCRYPTION_ALGO'] . '" not supported, change your configuration' );
         }
-        ## remember the length of a hashed string
-        $this->running_config['hash_length'] = strlen(hash($this->running_config['ENCRYPTION_ALGO'],'some text'));
 
+        // check and store the length of a hash using the desired algo
+        $this->running_config['hash_length'] = strlen( hash( $this->running_config['ENCRYPTION_ALGO'], 'some text' ) );
 
         $this->running_config['NUMATTACHMENTS'] = 1;
         $this->running_config['FCKIMAGES_DIR'] = 'uploadimages';
@@ -1079,5 +1143,4 @@ private function loadDefaultConfig(Language $lan){
 
             );
     }
-
 }

core/Model/AdminModel.php

@@ -25,6 +25,10 @@ public function __construct( \phplist\Config $config, \phplist\helper\Database $
         $this->db = $db;
     }
 
+    /**
+     * Fetch all details of an Admin with a given username
+     * @param strong $username username of admin to fetch
+     */
     public function getAdminByUsername( $username )
     {
         $result = $this->db->query(
@@ -40,7 +44,7 @@ public function getAdminByUsername( $username )
                 , $username
             )
         );
-        
+
         return $result->fetch( \PDO::FETCH_ASSOC );
     }
 }

core/Pass.php

@@ -4,6 +4,17 @@
 
 class Pass {
 
+    protected $config;
+
+    /**
+    * @param Config $config
+    * @param helper\Database $db
+    */
+    public function __construct( Config $config )
+    {
+        $this->config = $config;
+    }
+
     /**
      * Encrypt a plaintext password using the best available algorithm
      * @todo: check php5.5 password api
@@ -12,7 +23,7 @@ class Pass {
      * @param string $desiredAlgo Name of desiresd algo
      * @return string $encPass Encrypted password
      */
-    public function encrypt( $plainPass, $desiredAlgo = 'md5' )
+    public function encrypt( $plainPass, $desiredAlgo = NULL )
     {
         // If no password was supplied, return empty
         // FIXME: Either log this event, or throw an exception, so client code
@@ -21,6 +32,12 @@ public function encrypt( $plainPass, $desiredAlgo = 'md5' )
             return '';
         }
 
+        // If no hashing algo was specified
+        if( $desiredAlgo == NULL ) {
+            // Fetch default hashing algo from config file
+            $desiredAlgo = $this->config->get( 'ENCRYPTION_ALGO' );
+        }
+
         if ( function_exists( 'hash' ) ) {
             if (
                 ! in_array(
@@ -37,8 +54,10 @@ public function encrypt( $plainPass, $desiredAlgo = 'md5' )
             } else {
                 $algo = $desiredAlgo;
             }
+            // Hash the password using desired algo
             $encPass = hash( $algo, $plainPass );
         } else {
+            //. Hash the password using a fallback default
             $encPass = md5( $plainPass );
         }
         return $encPass;

core/phpunit.example.xml

@@ -0,0 +1,38 @@
+<phpunit colors='true' bootstrap='./tests/phpunit-bootstrap.php'>
+    <testsuites>
+        <testsuite name='Primary'>
+            <directory>./tests</directory>
+        </testsuite>
+    </testsuites>
+    <php>
+        <!-- Constants -->
+        <const name='API_LOGIN_USERNAME' value='admin'/>
+        <const name='API_LOGIN_PASSWORD' value='phplist'/>
+        <!-- Absolute path to system's temporary directory -->
+        <const name='TMP_PATH' value='/tmp'/>
+        <!-- Name of the folder housing phpList -->
+        <const name='PAGE_ROOT' value='/lists'/>
+        <!-- Name of the admin directory -->
+        <const name='ADMIN_PATH' value='/admin'/>
+
+        <!-- Variables -->
+        <var name="DB_HOST" value="localhost" />
+        <var name="DB_PORT" value="3306" />
+        // !! Change these vars to fit your local config !!
+
+        // Path to phpList 4 configuration file
+        <var name="phplist4-ini-config-file-path" value="/path/to/config.ini" />
+
+        // Database configuration
+        <var name="DB_NAME" value="" />
+        <var name="DB_USER" value="" />
+        <var name="DB_PASSWD" value="" />
+
+        // Admin user credentials
+        <var name="admin_username" value="admin" />
+        <var name="admin_password" value="phplist" />
+
+        // Other configuration parameters
+        <const name='API_URL_BASE_PATH' value='http://path-to-phplist.local'/>
+    </php>
+</phpunit>

core/phpunit.xml

@@ -7,7 +7,7 @@
     <php>
         <!-- Constants -->
         <const name='API_LOGIN_USERNAME' value='admin'/>
-        <const name='API_LOGIN_PASSWORD' value='phplist'/>
+        <const name='API_LOGIN_PASSWORD' value='admin'/>
         <!-- Absolute path to system's temporary directory -->
         <const name='TMP_PATH' value='/tmp'/>
         <!-- Name of the folder housing phpList -->
@@ -20,14 +20,17 @@
         <var name="DB_PORT" value="3306" />
         // !! Change these vars to fit your local config !!
 
+        // Path to phpList 4 configuration file
+        <var name="phplist4-ini-config-file-path" value="/var/www/rapinew/plugins/restapi2/vendor/phplist/phplist4-core/config.ini" />
+
         // Database configuration
         <var name="DB_NAME" value="pl" />
         <var name="DB_USER" value="pl" />
         <var name="DB_PASSWD" value="pl" />
 
         // Admin user credentials
         <var name="admin_username" value="admin" />
-        <var name="admin_password" value="phplist" />
+        <var name="admin_password" value="admin" />
 
         // Other configuration parameters
         <const name='API_URL_BASE_PATH' value='http://path-to-phplist.local'/>

core/services.yml

@@ -11,6 +11,8 @@ services:
   EmailAddress:
     class:  phpList\EmailAddress
     arguments: [@Config, %emailaddress.address%]
+  EmailUtil:
+    class:  phpList\EmailUtil
   Config:
     class: phpList\Config
     arguments: [%config.configfile%]
@@ -22,6 +24,7 @@ services:
     arguments: [@Database, @Config]
   Pass:
     class: phpList\Pass
+    arguments: [@Config]
   phpList:
     class: phpList\phpList
     arguments: [@Config, @Database, @Language, @Util]
@@ -70,6 +73,6 @@ services:
 # NOTE: the classname.parameter syntax is just a Symfony convention; parameter
 # names are handles as single simple strings
 parameters:
-  config.configfile: configfile
+  config.configfile: null
   emailaddress.address: emailaddress
   password.password: password