|
| 1 | +<?php |
| 2 | + |
| 3 | +/** |
| 4 | + * --------------------------------------------------------------------- |
| 5 | + * |
| 6 | + * GLPI - Gestionnaire Libre de Parc Informatique |
| 7 | + * |
| 8 | + * http://glpi-project.org |
| 9 | + * |
| 10 | + * @copyright 2015-2025 Teclib' and contributors. |
| 11 | + * @licence https://www.gnu.org/licenses/gpl-3.0.html |
| 12 | + * |
| 13 | + * --------------------------------------------------------------------- |
| 14 | + * |
| 15 | + * LICENSE |
| 16 | + * |
| 17 | + * This file is part of GLPI. |
| 18 | + * |
| 19 | + * This program is free software: you can redistribute it and/or modify |
| 20 | + * it under the terms of the GNU General Public License as published by |
| 21 | + * the Free Software Foundation, either version 3 of the License, or |
| 22 | + * (at your option) any later version. |
| 23 | + * |
| 24 | + * This program is distributed in the hope that it will be useful, |
| 25 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 26 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 27 | + * GNU General Public License for more details. |
| 28 | + * |
| 29 | + * You should have received a copy of the GNU General Public License |
| 30 | + * along with this program. If not, see <https://www.gnu.org/licenses/>. |
| 31 | + * |
| 32 | + * --------------------------------------------------------------------- |
| 33 | + */ |
| 34 | + |
| 35 | +/** |
| 36 | + * @var \DBmysql $DB |
| 37 | + * @var \Migration $migration |
| 38 | + */ |
| 39 | + |
| 40 | +$glpi_key_manager = new GLPIKey(); |
| 41 | +$use_legacy_key = $glpi_key_manager->keyExists() === false; |
| 42 | + |
| 43 | +if ($use_legacy_key) { |
| 44 | + $glpi_key = $glpi_key_manager->getLegacyKey(); |
| 45 | + $encrypt_fct = function (string $value) use ($glpi_key): string { |
| 46 | + // Code corresponding to encryption used prior to GLPI 9.5 (copied from `Toolbox::encrypt()`). |
| 47 | + // /!\ It is mandatory to encrypt data using the legacy key to handle migrations from a GLPI version < 9.5.0. |
| 48 | + // Data will be re-encrypted at the update process when a new key will be generated. |
| 49 | + $result = ''; |
| 50 | + $strlen = strlen($value); |
| 51 | + for ($i = 0; $i < $strlen; $i++) { |
| 52 | + $char = substr($value, $i, 1); |
| 53 | + $keychar = substr($glpi_key, ($i % strlen($glpi_key)) - 1, 1); |
| 54 | + $char = chr(ord($char) + ord($keychar)); |
| 55 | + $result .= $char; |
| 56 | + } |
| 57 | + return base64_encode($result); |
| 58 | + }; |
| 59 | +} else { |
| 60 | + $glpi_key = $glpi_key_manager->get(); |
| 61 | + $encrypt_fct = fn(string $value) => $glpi_key_manager->encrypt($value); |
| 62 | +} |
| 63 | + |
| 64 | +if ($glpi_key === null) { |
| 65 | + // If `$glpi_key` is `null`, it means tha the key file exists but an error occurs while reading it. |
| 66 | + // It is preferable to fail here rather than ruin all tokens values in database. |
| 67 | + throw new RuntimeException('Unable to get the GLPI encryption key value.'); |
| 68 | +} |
| 69 | + |
| 70 | +// Encrypt API clients tokens |
| 71 | +$are_apiclients_tokens_encrypted = $DB->request([ |
| 72 | + 'FROM' => 'glpi_configs', |
| 73 | + 'WHERE' => [ |
| 74 | + 'name' => 'are_apiclients_tokens_encrypted', |
| 75 | + 'context' => 'core', |
| 76 | + ], |
| 77 | +])->current()['value'] ?? false; |
| 78 | + |
| 79 | +if ((bool) $are_apiclients_tokens_encrypted === false) { |
| 80 | + $api_clients_iterator = $DB->request([ |
| 81 | + 'FROM' => 'glpi_apiclients', |
| 82 | + ]); |
| 83 | + |
| 84 | + foreach ($api_clients_iterator as $api_client_data) { |
| 85 | + if (empty($api_client_data['app_token'])) { |
| 86 | + continue; |
| 87 | + } |
| 88 | + |
| 89 | + $migration->addPostQuery( |
| 90 | + $DB->buildUpdate( |
| 91 | + 'glpi_apiclients', |
| 92 | + [ |
| 93 | + 'app_token' => $encrypt_fct($api_client_data['app_token']), |
| 94 | + ], |
| 95 | + [ |
| 96 | + 'id' => $api_client_data['id'], |
| 97 | + ] |
| 98 | + ) |
| 99 | + ); |
| 100 | + } |
| 101 | + |
| 102 | + $migration->addConfig(['are_apiclients_tokens_encrypted' => 1]); |
| 103 | +} |
| 104 | + |
| 105 | +// Encrypt users tokens |
| 106 | +$are_users_tokens_encrypted = $DB->request([ |
| 107 | + 'FROM' => 'glpi_configs', |
| 108 | + 'WHERE' => [ |
| 109 | + 'name' => 'are_users_tokens_encrypted', |
| 110 | + 'context' => 'core', |
| 111 | + ], |
| 112 | +])->current()['value'] ?? false; |
| 113 | + |
| 114 | +if ((bool) $are_users_tokens_encrypted === false) { |
| 115 | + $migration->changeField('glpi_users', 'password_forget_token', 'password_forget_token', 'string'); // change length from 40 to 255 |
| 116 | + |
| 117 | + $users_iterator = $DB->request([ |
| 118 | + 'FROM' => 'glpi_users', |
| 119 | + ]); |
| 120 | + |
| 121 | + foreach ($users_iterator as $user_data) { |
| 122 | + $update_input = []; |
| 123 | + |
| 124 | + foreach (['password_forget_token', 'personal_token', 'api_token', 'cookie_token'] as $token_field) { |
| 125 | + if (!empty($user_data[$token_field])) { |
| 126 | + $update_input[$token_field] = $encrypt_fct($user_data[$token_field]); |
| 127 | + } |
| 128 | + } |
| 129 | + |
| 130 | + if ($update_input === []) { |
| 131 | + continue; |
| 132 | + } |
| 133 | + |
| 134 | + $migration->addPostQuery( |
| 135 | + $DB->buildUpdate( |
| 136 | + 'glpi_users', |
| 137 | + $update_input, |
| 138 | + [ |
| 139 | + 'id' => $user_data['id'], |
| 140 | + ] |
| 141 | + ) |
| 142 | + ); |
| 143 | + } |
| 144 | + |
| 145 | + $migration->addConfig(['are_users_tokens_encrypted' => 1]); |
| 146 | +} |
0 commit comments