Merge branch 'master' of http://smartcost.in.8866.org:26903/caipin/cld

protected/class/auth.php

@@ -0,0 +1,87 @@
+<?php
+class auth
+{
+function yundanran_auth($string=0, $operation = 'DECODE', $key = '', $expiry = 0)
+    {
+    // 动态密匙长度，相同的明文会生成不同密文就是依靠动态密匙
+    // 加入随机密钥，可以令密文无任何规律，即便是原文和密钥完全相同，加密结果也会每次不同，增大破解难度。
+    // 取值越大，密文变动规律越大，密文变化 = 16 的 $ckey_length 次方
+    // 当此值为 0 时，则不产生随机密钥
+    $ckey_length = 4;
+     
+    // 密匙
+    $key = md5($key);
+     
+    // 密匙a会参与加解密
+    $keya = md5(substr($key, 0, 16));
+     
+    // 密匙b会用来做数据完整性验证
+    $keyb = md5(substr($key, 16, 16));
+     
+    // 密匙c用于变化生成的密文
+    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
+     
+    // 参与运算的密匙
+    $cryptkey = $keya.md5($keya.$keyc);
+    $key_length = strlen($cryptkey);
+     
+    // 明文，前10位用来保存时间戳，解密时验证数据有效性，10到26位用来保存$keyb(密匙b)，解密时会通过这个密匙验证数据完整性
+    // 如果是解码的话，会从第$ckey_length位开始，因为密文前$ckey_length位保存 动态密匙，以保证解密正确
+    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
+    $string_length = strlen($string);
+    $result = '';
+    $box = range(0, 255);
+    $rndkey = array();
+     
+    // 产生密匙簿
+    for($i = 0; $i <= 255; $i++)
+    {
+    $rndkey[$i] = ord($cryptkey[$i % $key_length]);
+    }
+     
+    // 用固定的算法，打乱密匙簿，增加随机性，好像很复杂，实际上并不会增加密文的强度
+    for($j = $i = 0; $i < 256; $i++)
+    {
+    $j = ($j + $box[$i] + $rndkey[$i]) % 256;
+    $tmp = $box[$i];
+    $box[$i] = $box[$j];
+    $box[$j] = $tmp;
+    }
+    // 核心加解密部分
+    for($a = $j = $i = 0; $i < $string_length; $i++)
+    {
+    $a = ($a + 1) % 256;
+    $j = ($j + $box[$a]) % 256;
+    $tmp = $box[$a];
+    $box[$a] = $box[$j];
+    $box[$j] = $tmp;
+     
+    // 从密匙簿得出密匙进行异或，再转成字符
+    $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
+    }
+     
+    if($operation == 'DECODE')
+    {
+    // substr($result, 0, 10) == 0 验证数据有效性
+    // substr($result, 0, 10) - time() > 0 验证数据有效性
+    // substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16) 验证数据完整性
+    // 验证数据有效性，请看未加密明文的格式
+    if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16))
+    {
+    return substr($result, 26);
+    }
+    else
+    {
+    return '';
+    }
+    }
+    else
+    {
+    // 把动态密匙保存在密文里，这也是为什么同样的明文，生产不同密文后能解密的原因
+    // 因为加密后的密文可能是一些特殊字符，复制过程可能会丢失，所以用base64编码
+    return $keyc.str_replace('=', '', base64_encode($result));
+    }
+    }
+}
+
+?>

protected/class/crypto.php

@@ -0,0 +1,97 @@
+<?php
+class Crypto
+{
+	const METHOD = 'aes-256-ctr';
+
+	public function encrypt($plaintext, $password, $salt='', $encode = false)
+	{
+		$keyAndIV = self::evpKDF($password, $salt);
+
+		$ciphertext = openssl_encrypt(
+				$plaintext,
+				self::METHOD,
+				$keyAndIV["key"],
+				OPENSSL_RAW_DATA,
+				$keyAndIV["iv"]
+				);
+
+		$ciphertext = bin2hex($ciphertext);
+
+		if ($encode)
+		{
+			$ciphertext = base64_encode($ciphertext);
+		}
+
+		return $ciphertext;
+	}
+
+
+	public function decrypt($ciphertext, $password, $salt='', $encoded = false)
+	{
+		if ( $encoded )
+		{
+			$ciphertext = base64_decode($ciphertext, true);
+
+			if ($ciphertext === false)
+			{
+				throw new Exception('Encryption failure');
+			}
+		}
+
+		$ciphertext = hex2bin($ciphertext);
+		$keyAndIV   = self::evpKDF($password, $salt);
+
+		$plaintext = openssl_decrypt(
+				$ciphertext,
+				self::METHOD,
+				$keyAndIV["key"],
+				OPENSSL_RAW_DATA,
+				$keyAndIV["iv"]
+				);
+
+		return $plaintext;
+	}
+
+	public function evpKDF($password, $salt, $keySize = 8, $ivSize = 4, $iterations = 1, $hashAlgorithm = "md5")
+	{
+		$targetKeySize = $keySize + $ivSize;
+		$derivedBytes  = "";
+
+		$numberOfDerivedWords = 0;
+		$block         = NULL;
+		$hasher        = hash_init($hashAlgorithm);
+
+		while ($numberOfDerivedWords < $targetKeySize)
+		{
+			if ($block != NULL)
+			{
+				hash_update($hasher, $block);
+			}
+
+			hash_update($hasher, $password);
+			hash_update($hasher, $salt);
+
+			$block   = hash_final($hasher, TRUE);
+			$hasher  = hash_init($hashAlgorithm);
+
+			// Iterations
+			for ($i = 1; $i < $iterations; $i++)
+			{
+				hash_update($hasher, $block);
+				$block   = hash_final($hasher, TRUE);
+				$hasher  = hash_init($hashAlgorithm);
+			}
+
+			$derivedBytes .= substr($block, 0, min(strlen($block), ($targetKeySize - $numberOfDerivedWords) * 4));
+
+			$numberOfDerivedWords += strlen($block)/4;
+		}
+
+		return array(
+				"key" => substr($derivedBytes, 0, $keySize * 4),
+				"iv"  => substr($derivedBytes, $keySize * 4, $ivSize * 4)
+		);
+	}
+}
+
+?>

protected/controller/ghController.php

@@ -0,0 +1,100 @@
+<?php
+
+/**
+ * @author darkredz
+ */
+
+class ghController extends DooController {
+	
+	public $staff;
+	
+	
+	function __construct() {
+		
+	if (isset ( $_COOKIE ["staff"] )) {
+			if (! empty ( $_COOKIE ["staff"] )) {
+				Doo::loadModel ( 'staff' );
+				$staff = new staff ();
+				$this->staff = $staff->getUserByIdList ( $_COOKIE ["staff"] );
+				
+				return "";
+			}
+		}
+		
+		Doo::loadCore ( 'uri/DooUriRouter' );
+		$router = new DooUriRouter ();
+		$routeRs = $router->execute ( Doo::app ()->route, Doo::conf ()->SUBFOLDER );
+		
+		if ($routeRs ['1'] != "login") {
+			header ( 'Content-Type:text/html;charset=utf-8' );
+			@header ( "Location: /login" );
+		}
+	}
+	
+	function authToken(){
+		
+		$BuildUrl = 'http://gh.cld.smartcost.com.cn';
+		//$url = $BuildUrl. '/auth/token?staffGH='. urlencode($_COOKIE ['staffGH']);
+		$url = $BuildUrl. '/auth/token';
+		$data=array("staffGH"=>$_COOKIE ['staffGH']);
+		
+		
+		
+		//echo $url;
+		//echo $this->curl_request($url,$data);
+		$result = json_decode($this->curl_request($url,$data), true);
+		$result['staff']=$_COOKIE ['staff'];
+		echo json_encode($result);
+		//print_r($result);
+	}
+	
+/**
+ * curl 获取接口数据，data为空时为GET方法，有值则为POST方法
+ *
+ * @param $url
+ * @param string $data
+ * @return mixed|string
+ */
+function curl_request($url, $data = '') {
+	$curl = curl_init();
+	curl_setopt($curl, CURLOPT_URL, $url);
+	curl_setopt($curl, CURLOPT_HEADER, 0);
+	curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+	if($data) {
+		curl_setopt($curl, CURLOPT_POST, 1);
+		curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data));
+	}
+	curl_setopt($curl, CURLOPT_TIMEOUT, 10);
+	$data = curl_exec($curl);
+	curl_close($curl);
+	return $data;
+}
+	
+
+	/**
+	 * 获取get或者POST值
+	 * @param string $name 属性名称
+	 * @return fixed 值
+	 */
+	private function get_args($name) {
+		if (isset ( $_GET [$name] )) {
+			if (is_array ( $_GET [$name] ))
+				return $_GET [$name];
+			else {
+				return addslashes ( $_GET [$name] );
+		//return  $_GET [$name] ;
+			}
+		
+		} elseif (isset ( $_POST [$name] )) {
+			if (is_array ( $_POST [$name] ))
+				return $_POST [$name];
+			else {
+				return addslashes ( $_POST [$name] );
+		//return $_POST [$name];
+			}
+		} else 
+			return false;
+	}
+}
+
+?>