authoremkael <emkael@tlen.pl>2016-10-31 17:22:13 +0100
committeremkael <emkael@tlen.pl>2016-10-31 17:22:59 +0100
commit53597812732c7891b087ef9de9788b824326dd93 (patch)
tree72b8077d20d7484f63065c0700e875c721ded450
parent92b23923644d22b1e422631bc18fd1527b0b5399 (diff)
* SecurityManager which persists validation/encryption keys outside of the global state cache
-rw-r--r--.gitattributes1
-rw-r--r--app/frontend/encryption.xmlbin0 -> 152 bytes
-rw-r--r--app/frontend/user/SecurityManager.php85
-rw-r--r--app/frontend/user/config.xml2
4 files changed, 88 insertions, 0 deletions
diff --git a/.gitattributes b/.gitattributes
index 17366f1..da046eb 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
config/db.json filter=git-crypt diff=git-crypt
+app/frontend/encryption.xml filter=git-crypt diff=git-crypt
diff --git a/app/frontend/encryption.xml b/app/frontend/encryption.xml
new file mode 100644
index 0000000..c22bdb2
--- /dev/null
+++ b/app/frontend/encryption.xml
Binary files differ
diff --git a/app/frontend/user/SecurityManager.php b/app/frontend/user/SecurityManager.php
new file mode 100644
index 0000000..b83174c
--- /dev/null
+++ b/app/frontend/user/SecurityManager.php
@@ -0,0 +1,85 @@
+<?php
+
+Prado::using('System.Security.TSecurityManager');
+PRado::using('System.Xml.TXmlDocument');
+
+class SecurityManager extends TSecurityManager {
+
+ private $_configFile;
+ private $_validationKey;
+ private $_encryptionKey;
+
+ public function setConfigFile($path) {
+ $this->_configFile = Prado::getPathOfNamespace($path, '.xml');
+ $this->_restoreKeys();
+ }
+
+ public function getValidationKey() {
+ if (!$this->_configFile) {
+ return parent::getValidationKey();
+ }
+ if (!$this->_validationKey) {
+ $this->_storeKeys($this->_encryptionKey, $this->generateRandomKey());
+ }
+ return $this->_validationKey;
+ }
+
+ public function setValidationKey($key) {
+ parent::setValidationKey($key);
+ if ($this->_configFile) {
+ $this->_storeKeys($this->_encryptionKey, $key);
+ }
+ }
+
+ public function getEncryptionKey() {
+ if (!$this->_configFile) {
+ return parent::getEncryptionKey();
+ }
+ if (!$this->_encryptionKey) {
+ $this->_storeKeys($this->generateRandomKey(), $this->_validationKey);
+ }
+ return $this->_encryptionKey;
+ }
+
+ public function setEncryptionKey($key) {
+ parent::setEncryptionKey($key);
+ if ($this->_configFile) {
+ $this->_storeKeys($key, $this->_validationKey);
+ }
+ }
+
+ private function _restoreKeys() {
+ if ($this->_configFile) {
+ try {
+ $xml = new TXmlDocument();
+ $xml->loadFromFile($this->_configFile);
+ foreach ($xml->getELementsByTagName('key') as $key) {
+ $this->{'_' . $key->Attributes['for'] . 'Key'} = $key->Value;
+ }
+ } catch (TIOException $e) {}
+ }
+ }
+
+ private function _storeKeys($encryptionKey, $validationKey) {
+ $this->_encryptionKey = $encryptionKey;
+ $this->_validationKey = $validationKey;
+ if ($this->_configFile) {
+ $xml = new TXmlDocument();
+ $xml->TagName = 'keys';
+ $encElement = new TXmlElement('key');
+ $encElement->Attributes['for'] = 'encryption';
+ $encElement->Value = $this->_encryptionKey;
+ $xml->Elements[] = $encElement;
+ $valElement = new TXmlElement('key');
+ $valElement->Attributes['for'] = 'validation';
+ $valElement->Value = $this->_validationKey;
+ $xml->Elements[] = $valElement;
+ @chmod($this->_configFile, 0600);
+ $xml->saveToFile($this->_configFile);
+ chmod($this->_configFile, 0400);
+ }
+ }
+
+}
+
+?>
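Review bot: In `_storeKeys`, a brand-new key file is created by `saveToFile` (presumably a plain file write, so under the process umask) and only afterwards restricted to 0400, so freshly generated keys are briefly readable by other local users under a typical 022 umask, while the preceding `@chmod(..., 0600)` silently fails on that first run because the file does not exist yet. Create the file with a restrictive mode before writing: replace the `@chmod` line with `if (!file_exists($this->_configFile)) { touch($this->_configFile); }` followed by an unsuppressed `chmod($this->_configFile, 0600);` so a permission failure is visible rather than hidden. Separately, `_restoreKeys` assigns `$this->{'_' . $key->Attributes['for'] . 'Key'}` straight from the XML, which creates an arbitrary dynamic property for any unexpected `for` value; restricting it to the two known names, e.g. `if (!in_array($for, ['encryption', 'validation'], true)) { continue; }`, keeps a corrupted or hand-edited file from silently doing nothing. The empty `catch (TIOException $e) {}` deserves a comment stating it is the intended first-run path (no key file yet), `PRado::using` on the second import only works because class names are case-insensitive and should read `Prado::using`, and the trailing `?>` in a class-only file is best omitted.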
diff --git a/app/frontend/user/config.xml b/app/frontend/user/config.xml
index 103b007..a815ed6 100644
--- a/app/frontend/user/config.xml
+++ b/app/frontend/user/config.xml
@@ -6,5 +6,7 @@
AllowAutoLogin="true" />
<module id="users" class="System.Security.TDbUserManager"
UserClass="Application.user.DbUser" />
+ <module id="security" class="Application.user.SecurityManager"
+ ConfigFile="Application.encryption" />
</modules>
</configuration>