From 38daa2aeddf9d3bf908de9657c395f525c921cbb Mon Sep 17 00:00:00 2001 From: Stanislas Dolcini Date: Wed, 3 Oct 2018 19:44:02 +0200 Subject: [PATCH] Move some code to specific classes files --- .../login/class/connection_handler.php | 81 +++++++++++ .../public_php/login/class/nel_command.php | 20 +++ code/web/public_php/login/r2_login.php | 129 +++++------------- 3 files changed, 138 insertions(+), 92 deletions(-) create mode 100644 code/web/public_php/login/class/connection_handler.php create mode 100644 code/web/public_php/login/class/nel_command.php diff --git a/code/web/public_php/login/class/connection_handler.php b/code/web/public_php/login/class/connection_handler.php new file mode 100644 index 000000000..d3307dee9 --- /dev/null +++ b/code/web/public_php/login/class/connection_handler.php 
@@ -0,0 +1,81 @@
+close();
+ }
+
+ /**
+ * @param NelCommand
+ * the command you got from the client
+ */
+ public function process_command($command)
+ {
+ switch ($command->cmd) {
+ case 'ask':
+ echo '1:' . askSalt($command->login, $command->lg);
+ break;
+ case 'login-https':
+ $salt = askSalt($command->login, $command->lg);
+ crypt($command->password, sprintf('$6$rounds=%d$%s$', 5000, $salt));
+ case 'login':
+ $domainId = -1;
+ // client sent is login info
+ if (!checkUserValidity($_GET['login'], $_GET['password'], $_GET['clientApplication'], $cp, $id, $reason, $priv, $extended, $domainId, $submittedLang)) {
+ echo '0:' . $reason;
+ } else {
+
+ // retreive the domain info
+ $domainInfo = getDomainInfo($domainId);
+
+ // if we need to create missing ring info
+ if ($AutoCreateRingInfo) {
+ // check if the ring user exist, and create it if not
+ $ringDb = mysqli_connect($DBHost, $RingDBUserName, $RingDBPassword) or die(errorMsgBlock(3004, 'Ring', $DBHost, $RingDBUserName));
+ mysqli_select_db($ringDb, $domainInfo['ring_db_name']) or die(errorMsgBlock(3005, 'Ring', $domainInfo['ring_db_name'], $DBHost, $RingDBUserName));
+ $query = "SELECT user_id FROM ring_users where user_id = '" . $id . 
"'";
+ $result = mysqli_query($ringDb, $query) or die(errorMsgBlock(3006, $query, 'Ring', $domainInfo['ring_db_name'], $DBHost, $RingDBUserName, mysqli_error($ringDb)));
+
+ if (mysqli_num_rows($result) == 0) {
+ // no ring user record, build one
+ $login = mysqli_real_escape_string($ringDb, $_GET['login']);
+ $query = "INSERT INTO ring_users SET user_id = '$id', user_name = '$login', user_type='ut_pioneer'";
+ $result = mysqli_query($ringDb, $query) or die(errorMsgBlock(3006, $query, 'Ring', $domainInfo['ring_db_name'], $DBHost, $RingDBUserName, mysqli_error($ringDb)));
+ }
+ }
+
+ // store the web host for this domain
+ global $RingWebHost, $RingWebHostPHP;
+ $RingWebHost = $domainInfo['web_host'];
+ $RingWebHostPHP = $domainInfo['web_host_php'];
+
+ $LSaddr = explode(":", $domainInfo['login_address']);
+
+ // ask for a session cookie to the login service
+ $login = new LoginCb;
+ $res = "";
+ $login->connect($LSaddr[0], $LSaddr[1], $res);
+ $login->login($id, $_SERVER["REMOTE_ADDR"], $domainId);
+
+ // wait for the return message
+ if (!$login->waitCallback()) {
+ die(errorMsgBlock(3003));
+ }
+ //the rest of the process is done in the callback function
+ }
+ break;
+ default:
+ break;
+ }
+ }
+}
diff --git a/code/web/public_php/login/class/nel_command.php b/code/web/public_php/login/class/nel_command.php
new file mode 100644
index 000000000..da0754fb5
--- /dev/null
+++ b/code/web/public_php/login/class/nel_command.php
@@ -0,0 +1,20 @@
+cmd = $getParams['cmd'];
+ $this->login = $getParams['login'];
+ $this->password = $getParams['password'];
+ $this->clientApplication = $getParams['clientApplication'];
+ $this->cp = isset($getParams['cp']) ? $getParams['cp'] : 0;
+ $this->submittedLang = isset($getParams['lg']) ? $getParams['lg'] : 'unknown';
+ }
+}
diff --git a/code/web/public_php/login/r2_login.php b/code/web/public_php/login/r2_login.php
index 6b3529cc4..94c83cc25 100755
--- a/code/web/public_php/login/r2_login.php
+++ b/code/web/public_php/login/r2_login.php
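Review bot: `case 'login-https'` computes `crypt($command->password, sprintf('$6$rounds=%d$%s$', 5000, $salt))` but discards the result and then falls into `case 'login'` with no `break`, so the new command behaves exactly like `login` and the hash is dead code; either add `break;` or use the hash and mark the fallthrough with a `// fall through` comment if it is intended. Inside the method, `$cp` and `$submittedLang` (passed to checkUserValidity) and `$AutoCreateRingInfo`, `$DBHost`, `$RingDBUserName`, `$RingDBPassword` (read by the ring block) are never declared `global` — only `$RingWebHost, $RingWebHostPHP` are — so they are null in method scope: the clear-password flag is silently dropped and the ring-user creation branch can never run. `askSalt` receives `$command->lg`, but the NelCommand class added in this patch stores that value as `submittedLang`, so the language is null as well. The opening lines of this hunk (class header, constructor) are not legible in this view; the fence shows only the dispatch.
```php
    public function process_command($command)
    {
        // a method sees none of the file's globals unless they are declared here
        global $AutoCreateRingInfo, $DBHost, $RingDBUserName, $RingDBPassword;
        switch ($command->cmd) {
            case 'ask':
                echo '1:' . askSalt($command->login, $command->submittedLang);
                break;
            case 'login-https':
                $salt = askSalt($command->login, $command->submittedLang);
                $hashed = crypt($command->password, sprintf('$6$rounds=%d$%s$', 5000, $salt));
                // TODO: verify $hashed here; until then this deliberately falls through to 'login'
                // fall through
            case 'login':
                // … unchanged: $domainId = -1; …
                if (!checkUserValidity($command->login, $command->password, $command->clientApplication, $command->cp, $id, $reason, $priv, $extended, $domainId, $command->submittedLang)) {
                // … unchanged: error echo, ring user creation, LoginCb session, default …
```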
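Review bot: The constructor indexes `$getParams['login']`, `$getParams['password']` and `$getParams['clientApplication']` unguarded while `cp` and `lg` get `isset()` fallbacks, so an `ask` request, which only needs `login`, or any request with a missing field raises undefined-index notices that may be echoed into the `0:`/`1:` protocol response if display_errors is on. Guard all three the same way: `$this->login = isset($getParams['login']) ? $getParams['login'] : '';`, and likewise for `password` and `clientApplication`. The class header and property declarations are not legible in this view; a docblock on the constructor saying it takes the raw `$_GET` array and normalises absent keys would document the contract the dispatcher relies on.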
@@ -14,19 +14,13 @@ include_once 'login_service_itf.php';
 include_once '../ring/join_shard.php';
 include_once './class/CWwwLog.php';
 include_once './class/LoginCb.php';
+include_once './class/connection_handler.php';
+include_once './class/nel_command.php';
 if (!isset($_GET['cmd'])) {
 die(errorMsgBlock(3002));
 }
-// check for 'clear password' tag
-if (!isset($_GET['cp'])) {
- $cp = 0;
-} else {
- $cp = $_GET['cp'];
-}
-
-$submittedLang = isset($_GET['lg']) ? $_GET['lg'] : 'unknown';
 /**
 * $DisplayDbg is used in login_translations.php
 * @todo Make sure this is the best place to do it.
@@ -35,61 +29,9 @@ if (isset($_GET['dbg']) && ($_GET['dbg'] == 1)) {
 $DisplayDbg = true;
 }
-switch ($_GET['cmd']) {
- case 'ask':
- // client ask for a login salt
- askSalt($_GET['login'], $submittedLang);
- break;
- case 'login':
- $domainId = -1;
- // client sent is login info
- if (!checkUserValidity($_GET['login'], $_GET['password'], $_GET['clientApplication'], $cp, $id, $reason, $priv, $extended, $domainId, $submittedLang)) {
- echo '0:' . $reason;
- } else {
-
- // retreive the domain info
- $domainInfo = getDomainInfo($domainId);
-
- // if we need to create missing ring info
- if ($AutoCreateRingInfo) {
- // check if the ring user exist, and create it if not
- $ringDb = mysqli_connect($DBHost, $RingDBUserName, $RingDBPassword) or die(errorMsgBlock(3004, 'Ring', $DBHost, $RingDBUserName));
- mysqli_select_db($ringDb, $domainInfo['ring_db_name']) or die(errorMsgBlock(3005, 'Ring', $domainInfo['ring_db_name'], $DBHost, $RingDBUserName));
- $query = "SELECT user_id FROM ring_users where user_id = '" . $id . 
"'";
- $result = mysqli_query($ringDb, $query) or die(errorMsgBlock(3006, $query, 'Ring', $domainInfo['ring_db_name'], $DBHost, $RingDBUserName, mysqli_error($ringDb)));
-
- if (mysqli_num_rows($result) == 0) {
- // no ring user record, build one
- $login = mysqli_real_escape_string($ringDb, $_GET['login']);
- $query = "INSERT INTO ring_users SET user_id = '$id', user_name = '$login', user_type='ut_pioneer'";
- $result = mysqli_query($ringDb, $query) or die(errorMsgBlock(3006, $query, 'Ring', $domainInfo['ring_db_name'], $DBHost, $RingDBUserName, mysqli_error($ringDb)));
- }
- }
-
- // store the web host for this domain
- global $RingWebHost, $RingWebHostPHP;
- $RingWebHost = $domainInfo['web_host'];
- $RingWebHostPHP = $domainInfo['web_host_php'];
-
- $LSaddr = explode(":", $domainInfo['login_address']);
-
- // ask for a session cookie to the login service
- $login = new LoginCb;
- $res = "";
- $login->connect($LSaddr[0], $LSaddr[1], $res);
- $login->login($id, $_SERVER["REMOTE_ADDR"], $domainId);
-
- // wait for the return message
- if (!$login->waitCallback()) {
- die(errorMsgBlock(3003));
- }
- break;
- //the rest of the process is done in the callback function
- }
-}
-
-// no more to do (other global statement are old garbage)
-die();
+$nel_command = new NelCommand($_GET);
+$connection_handler = new ConnectionHandler();
+$connection_handler->process_command($nel_command);
 // ----------------------------------------------------------------------------------------
 // Functions
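Review bot: The `die();` that followed the old switch is gone, so after `$connection_handler->process_command($nel_command);` returns, execution continues through the rest of the file; the removed comment (`other global statement are old garbage`) suggests top-level statements still exist below the function definitions, and they would now run on every request, including the silent `default` path for an unknown `cmd`. Keep the terminator: `$connection_handler->process_command($nel_command);` followed by `die();`. The remainder of the file is outside this hunk, so whether such statements remain cannot be confirmed here.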
@@ -97,20 +39,14 @@ die();
 function get_salt($password)
 {
- if ($password[0] == '$') {
- $salt = substr($password, 0, 19);
- } else {
- $salt = substr($password, 0, 2);
- }
- return $salt;
+ return $password[0] == '$' ? substr($password, 0, 19) : substr($password, 0, 2);
 }
 // see errorMsg
-function errorMsgBlock($errNum = GENERIC_ERROR_NUM) // $mixedArgs
-
+// $mixedArgsx
+function errorMsgBlock($errNum = GENERIC_ERROR_NUM)
 {
- $args = func_get_args();
- return '0:' . call_user_func_array('errorMsg', $args);
+ return '0:' . call_user_func_array('errorMsg', func_get_args());
 }
 // Callback called on end of output buffering
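Review bot: The comment relocated above errorMsgBlock reads `// $mixedArgsx`, a stray `x` on the old parameter hint; since the body now forwards `func_get_args()` directly, make the hint say so: `// any arguments after $errNum are forwarded verbatim to errorMsg()`. The collapsed `get_salt` still indexes `$password[0]` before anything else (pre-existing), so an empty stored hash triggers an offset notice; a one-line docblock such as `// Returns the salt prefix of a crypt()-style hash: 19 chars for '$'-prefixed schemes, 2 otherwise; $password must be non-empty` would help the next reader.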
@@ -159,37 +95,46 @@ function checkUserValidity($login, $password, $clientApplication, $cp, &$id, &$r
 global $AcceptUnknownUser;
 setMsgLanguage($lang);
 $res = false;
+ $mysqli = new mysqli($DBHost, $DBUserName, $DBPassword) or die(errorMsgBlock(3004, 'main', $DBHost, $DBUserName));
+ $mysqli->select_db($DBName) or die(errorMsgBlock(3005, 'main', $DBName, $DBHost, $DBUserName));
+ $domainName = $mysqli->escape_string($clientApplication);
- $link = mysqli_connect($DBHost, $DBUserName, $DBPassword) or die(errorMsgBlock(3004, 'main', $DBHost, $DBUserName));
- mysqli_select_db($link, $DBName) or die(errorMsgBlock(3005, 'main', $DBName, $DBHost, $DBUserName));
+ $numrows = 0;
+ if ($stmt = $mysqli->prepare("SELECT TOP 1 domain_id FROM domain WHERE domain_name='?'")) {
+ $stmt->bind_param("s", $domainName);
+ $stmt->execute();
+ $stmt->bind_result($result) or die(errorMsgBlock(3006, $query, 'main', $DBName, $DBHost, $DBUserName, mysqli_error($link)));
+ $stmt->fetch();
+ $numrows = $stmt->num_rows;
+ $stmt->close();
+ }
- // we map the client application to the domain name
- $domainName = mysqli_real_escape_string($link, $clientApplication);
-
- // retreive the domain id
- $query = "SELECT domain_id FROM domain WHERE domain_name='$domainName'";
- $result = mysqli_query($link, $query) or die(errorMsgBlock(3006, $query, 'main', $DBName, $DBHost, $DBUserName, mysqli_error($link)));
-
- if (mysqli_num_rows($result) == 0) {
+ if ($numrows == 0) {
 // unrecoverable error, we must giveup
 $reason = errorMsg(3007, $domainName);
- mysqli_close($link);
+ $mysqli->close();
 return false;
 }
 // retrieve the domain info
- $domainId = $row[0];
 $domainInfo = getDomainInfo($domainId);
 // convert the domain status enum into the privilege access set
 $accessPriv = strtoupper(substr($domainInfo['status'], 3));
 // now, retrieve the user infos
- $login = mysqli_real_escape_string($link, $login);
- $query = "SELECT * FROM user where Login='$login'";
- $result = mysqli_query($link, $query) or 
die(errorMsgBlock(3006, $query, 'main', $DBName, $DBHost, $DBUserName, mysqli_error($link)));
+ $login = $mysqli->escape_string($login);
+ $numrows = 0;
+ if ($stmt = mysqli_prepare("SELECT 1 FROM user WHERE Login='?'")) {
+ $stmt->bind_param("s", $login);
+ $stmt->execute();
+ $stmt->bind_result($result) or die(errorMsgBlock(3006, $query, 'main', $DBName, $DBHost, $DBUserName, mysqli_error($link)));
+ $stmt->fetch();
+ $numrows = $stmt->num_rows;
+ $stmt->close();
+ }
- if (mysqli_num_rows($result) == 0) {
+ if ($numrows == 0) {
 if ($AcceptUnknownUser) {
 // login doesn't exist, create it
 $escaped_password = $mysqli->escape_string($password);
@@ -220,7 +165,7 @@ function checkUserValidity($login, $password, $clientApplication, $cp, &$id, &$r
 $reason = errorMsg(2001, $login, 'checkUserValidity');
 }
 } else {
- $row = mysqli_fetch_assoc($result);
+ $row = $mysqli->fetch_assoc();
 $salt = get_salt($row["Password"]);
 if (($cp && $row["Password"] == $password) || (!$cp && $row["Password"] == crypt($password, $salt))) {
 // Store the real login (with correct case)
@@ -287,7 +232,7 @@ function checkUserValidity($login, $password, $clientApplication, $cp, &$id, &$r
 $reason = errorMsg(2004, 'user');
 }
 }
- mysqli_close($link);
+ $mysqli->close();
 return $res;
 }
@@ -348,6 +293,6 @@ function askSalt($login, $lang)
 $salt = get_salt($res_array['Password']);
 }
- echo "1:" . $salt;
 mysqli_close($link);
+ return $salt;
 }
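Review bot: Neither rewritten lookup can return a row: MySQL has no `TOP 1`, so the first `prepare()` fails, and in both statements the quoted `'?'` is a string literal rather than a placeholder, so `bind_param("s", …)` has no parameter to bind and `$stmt->num_rows` (populated only after `store_result()`) stays 0 — every login ends in error 3007. Further, the removed `$domainId = $row[0];` has no replacement (the bound `$result` is never read, so `getDomainInfo()` gets the caller's -1), `$login` is escaped before being bound (bound values must not be pre-escaped), `mysqli_prepare()` is called without its connection argument, `SELECT 1` drops the `Password` column the check below needs, and `new mysqli(...) or die(...)` never dies because `new` yields an object even when the connection fails. The die messages still pass `$query` and `mysqli_error($link)`, both undefined after this change, and if errorMsg renders its arguments they send `$DBHost`, `$DBUserName` and the driver error to the client — pre-existing, but worth logging server-side instead. Below is one way to do it with real placeholders; `get_result()` needs mysqlnd (use `store_result()`/`bind_result()` otherwise). checkUserValidity continues outside the hunk.
```php
    $mysqli = new mysqli($DBHost, $DBUserName, $DBPassword);
    // new mysqli() returns an object even on failure, so `or die` on it never fires
    if ($mysqli->connect_errno) {
        die(errorMsgBlock(3004, 'main', $DBHost, $DBUserName));
    }
    $mysqli->select_db($DBName) or die(errorMsgBlock(3005, 'main', $DBName, $DBHost, $DBUserName));

    // bound parameters are neither quoted in the SQL nor pre-escaped
    $domainName = $clientApplication;
    $stmt = $mysqli->prepare("SELECT domain_id FROM domain WHERE domain_name = ? LIMIT 1")
        or die(errorMsgBlock(3006, 'domain lookup', 'main', $DBName, $DBHost, $DBUserName, $mysqli->error));
    $stmt->bind_param("s", $domainName);
    $stmt->execute() or die(errorMsgBlock(3006, 'domain lookup', 'main', $DBName, $DBHost, $DBUserName, $stmt->error));
    $stmt->bind_result($domainId); // restores the removed `$domainId = $row[0];` into the by-ref out-param
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // unrecoverable error, we must giveup
        $reason = errorMsg(3007, $domainName);
        $mysqli->close();
        return false;
    }
    // … unchanged: getDomainInfo(), $accessPriv …

    // now, retrieve the user infos; the password check below reads $row["Password"]
    $stmt = $mysqli->prepare("SELECT * FROM user WHERE Login = ?")
        or die(errorMsgBlock(3006, 'user lookup', 'main', $DBName, $DBHost, $DBUserName, $mysqli->error));
    $stmt->bind_param("s", $login);
    $stmt->execute() or die(errorMsgBlock(3006, 'user lookup', 'main', $DBName, $DBHost, $DBUserName, $stmt->error));
    $result = $stmt->get_result();
    $stmt->close();

    if ($result->num_rows == 0) {
    // … unchanged: $AcceptUnknownUser branch; the else branch should read $result->fetch_assoc() …
```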
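Review bot: `$row = $mysqli->fetch_assoc();` calls a method the `mysqli` connection class does not have (`fetch_assoc()` belongs to `mysqli_result`), so reaching this branch is a fatal error, and with the preceding hunk's `SELECT 1` there is no `Password` column for the next line to read anyway. Fetch from the result of the user statement instead, e.g. `$row = $result->fetch_assoc();` where `$result` is the `mysqli_result` of the `SELECT * FROM user WHERE Login = ?` lookup. The following context line compares hashes with `==`; `hash_equals($row["Password"], crypt($password, $salt))` is the constant-time form — pre-existing, but adjacent to this change. checkUserValidity starts and ends outside this hunk.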