From 3e51d4cb8733c3c7cdd9b33c11b7c0e40a63f6a5 Mon Sep 17 00:00:00 2001 From: dakriy Date: Sun, 1 Mar 2020 13:08:04 -0800 Subject: [PATCH] sort out doorcode hashing... Also progress on authorization --- src/web/backend/app/Group.php | 12 +++++- src/web/backend/app/User.php | 11 ++++- .../src/Authorization/ApiAuthorizer.php | 42 +++++++++++++++++++ .../backend/src/Authorization/Authorizer.php | 20 +++++++++ .../backend/src/Authorization/Permissions.php | 12 ++++++ .../Users/DatabaseUsersRepository.php | 24 +++++++++-- .../UseCases/Users/UpdateUser/UseCaseTest.php | 2 +- 7 files changed, 117 insertions(+), 6 deletions(-) create mode 100644 src/web/backend/src/Authorization/ApiAuthorizer.php create mode 100644 src/web/backend/src/Authorization/Authorizer.php create mode 100644 src/web/backend/src/Authorization/Permissions.php diff --git a/src/web/backend/app/Group.php b/src/web/backend/app/Group.php index 90b9c5a2..d77919f2 100644 --- a/src/web/backend/app/Group.php +++ b/src/web/backend/app/Group.php @@ -3,6 +3,16 @@ namespace App; -class Group +use Illuminate\Database\Eloquent\Model; +use Illuminate\Database\Eloquent\Relations\BelongsToMany; + +class Group extends Model { + /** + * @return \Illuminate\Database\Eloquent\Relations\BelongsToMany + */ + public function groups(): BelongsToMany + { + return $this->belongsToMany(User::class); + } } diff --git a/src/web/backend/app/User.php b/src/web/backend/app/User.php index e3b05952..38407a7c 100644 --- a/src/web/backend/app/User.php +++ b/src/web/backend/app/User.php @@ -5,6 +5,7 @@ namespace App; use Illuminate\Database\Eloquent\SoftDeletes; use Illuminate\Database\Eloquent\Relations\HasMany; use Illuminate\Foundation\Auth\User as Authenticatable; +use Illuminate\Database\Eloquent\Relations\BelongsToMany; class User extends Authenticatable { 
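Review bot: `Group::groups()` in the new Group class returns the users attached to the group (`$this->belongsToMany(User::class)`), so the relation is misnamed and `$group->groups` will hand authorization code a list of users, which is easy to misread when checking membership. Rename it `public function users(): BelongsToMany`; by default Eloquent derives the pivot table from the two model names rather than the method name, so the mapping should be unaffected. The docblock can use the short name already imported above it, `@return BelongsToMany`. The User.php hunk that follows on this line only adds the matching import and needs no change.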
@@ -24,10 +25,18 @@ class User extends Authenticatable ]; /** - * @return HasMany + * @return \Illuminate\Database\Eloquent\Relations\HasMany */ public function tokens(): HasMany { return $this->hasMany(Token::class); } + + /** + * @return \Illuminate\Database\Eloquent\Relations\BelongsToMany + */ + public function groups(): BelongsToMany + { + return $this->belongsToMany(Group::class); + } } diff --git a/src/web/backend/src/Authorization/ApiAuthorizer.php b/src/web/backend/src/Authorization/ApiAuthorizer.php new file mode 100644 index 00000000..e610b1e4 --- /dev/null +++ b/src/web/backend/src/Authorization/ApiAuthorizer.php @@ -0,0 +1,42 @@ +guard = $guard; + } + + /** + * @inheritDoc + */ + public function allows(array $permissions): bool + { + $user = $this->guard->user(); + + if (!$user) { + return false; + } + + return true; + } + + /** + * @inheritDoc + */ + public function protect(array $permissions): void + { + if (!$this->allows($permissions)) { + throw new AuthorizationException(); + } + } +} diff --git a/src/web/backend/src/Authorization/Authorizer.php b/src/web/backend/src/Authorization/Authorizer.php new file mode 100644 index 00000000..69a57d05 --- /dev/null +++ b/src/web/backend/src/Authorization/Authorizer.php @@ -0,0 +1,20 @@ +first_name = $user->getFirstName(); $dbUser->last_name = $user->getLastName(); @@ -92,8 +104,14 @@ class DatabaseUsersRepository implements UsersRepository $dbUser->emplid = $user->getEmplid(); $dbUser->email = $user->getEmail(); $dbUser->password = bcrypt($user->getPassword()); - $dbUser->doorcode = hash('sha256', $user->getDoorcode()); $dbUser->expires_at = $user->getExpiresAt(); + + // If the doorcode exists and is the same as provided, don't change + // Else regenerate + if (!isset($dbUser->doorcode) || (isset($dbUser->doorcode) && $dbUser->doorcode !== $user->getDoorcode())) { + $dbUser->doorcode = $this->secureDoorcode($user->getDoorcode()); + } + return $dbUser; } 
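Review bot: `allows()` never reads `$permissions` — after the guard check it is `return true;`, so `protect([...])` currently enforces authentication only and grants every permission to every logged-in caller. The commit describes authorization as in progress, so the stub should fail closed rather than open, otherwise any route wired to `protect()` before the real check lands is silently exposed: replace the final `return true;` with `return $permissions === []; // TODO: resolve $permissions against $user->groups()` (or throw a not-implemented exception) so an unimplemented permission check denies. The `AuthorizationException` in `protect()` is thrown without a message; naming the permissions that were required helps operators, provided that text is not echoed to the client. The file header, namespace, `$guard` property and the start of the constructor are not visible in this chunk (the text before `guard = $guard;` looks truncated), so the guard's type is assumed to be a Laravel guard.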
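Review bot: The new doorcode condition compares the stored, already-hashed `$dbUser->doorcode` with the caller-supplied `$user->getDoorcode()`, so unless the caller echoes the stored hash back the two never match and the "don't change" branch is dead; the inner `isset($dbUser->doorcode) &&` is also redundant (`!A || (A && B)` is just `!A || B`). Because `findByDoorcode` below looks the value up by equality, `secureDoorcode` must be deterministic, which makes the whole comparison unnecessary when the entity carries the plaintext: `$code = $user->getDoorcode(); if ($code !== null && $code !== '') { $dbUser->doorcode = $this->secureDoorcode($code); }` — if the update flow deliberately passes the stored hash through instead, a comment saying so is needed here. The empty-code guard matters: nothing in the hunk prevents a null or empty doorcode from being hashed for a user with no stored one (the updated UseCaseTest expects `getDoorcode()` to be null), and if `secureDoorcode` maps that to one fixed digest every such user shares it and a lookup with an empty code would match them all. `secureDoorcode` itself is outside this chunk; for a short numeric door code a plain unsalted digest is brute-forceable offline from a leaked table, so a keyed `hash_hmac` with a server-side secret is the minimum to aim for. The enclosing method starts before this hunk.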
@@ -179,7 +197,7 @@ class DatabaseUsersRepository implements UsersRepository
 */
 public function findByDoorcode(string $doorcode): ?User
 {
- $doorcode = hash('sha256', $doorcode);
+ $doorcode = $this->secureDoorcode($doorcode);
 $user = \App\User::where('doorcode', $doorcode)->first();
diff --git a/src/web/backend/tests/Unit/Source/UseCases/Users/UpdateUser/UseCaseTest.php b/src/web/backend/tests/Unit/Source/UseCases/Users/UpdateUser/UseCaseTest.php
index f08e9f6d..8fb0b4aa 100644
--- a/src/web/backend/tests/Unit/Source/UseCases/Users/UpdateUser/UseCaseTest.php
+++ b/src/web/backend/tests/Unit/Source/UseCases/Users/UpdateUser/UseCaseTest.php
@@ -136,7 +136,7 @@ class UseCaseTest extends TestCase
 $this->handleTest('69', $this->createUserAttributes($updatedUser, null, null));
 $this->assertEquals('pass', $this->response->getUser()->getPassword());
- $this->assertEquals('door', $this->response->getUser()->getDoorcode());
+ $this->assertEquals(null, $this->response->getUser()->getDoorcode());
 }
 /**
-- GitLab
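Review bot: `findByDoorcode` hashes whatever it is given, so an empty string is hashed too and the `where('doorcode', ...)` lookup will match any row whose stored doorcode is the digest of '' — which the save path in this same commit can produce for a user stored without a doorcode, unless `secureDoorcode` returns null for empty input (it is not visible here). Guard before hashing: `if ($doorcode === '') { return null; }`. Since the lookup is by equality, `secureDoorcode` has to be deterministic; for short numeric codes a keyed hash (`hash_hmac` with a server secret) resists offline guessing far better than a bare digest. The rest of the method lies outside the hunk.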
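Review bot: The updated assertion pins `getDoorcode()` to null and so covers only the no-doorcode update; the two branches the repository gains in this commit (keep the stored doorcode when the supplied one matches, rehash when it differs) have no test. Write it as `$this->assertNull($this->response->getUser()->getDoorcode());` and add a repository-level case that saves a user with a changed doorcode and asserts `findByDoorcode` resolves the new one and not the old. The test method starts before this hunk.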