From c44e84124b9eb36e2cc4717b7973bf2c36737f13 Mon Sep 17 00:00:00 2001
From: Gregory Soutade <gregory@soutade.fr>
Date: Tue, 22 Oct 2013 18:33:44 +0200
Subject: [PATCH] Add add_entry and delete_entry

---
 server/functions.php       |  26 +++--
 server/index.php           |  23 ++--
 server/ressources/gpass.js | 233 +++++++++++++++++++++++++++++++++++--
 3 files changed, 254 insertions(+), 28 deletions(-)

diff --git a/server/functions.php b/server/functions.php
index 9a43ab6..df844d4 100755
--- a/server/functions.php
+++ b/server/functions.php
@@ -171,28 +171,28 @@ function load_database($user)
     return $db;
 }
 
-function add_entry($user, $mkey, $url, $login, $password)
+function add_entry($user, $login, $password)
 {
     $db = load_database($user);
 
-    if ($db == null) return false;
-
-    $password = encrypt($mkey, trim($password), true);
-    $login = encrypt($mkey, "@@" . trim($url) . ";" . trim($login), false);
-
-    if ($password == null || $login == null)
+    if ($db == null)
+    {
+        echo "Unknown user";
         return false;
+    }
 
     $count = $db->querySingle("SELECT COUNT(*) FROM gpass WHERE login='" . $login . "'");
 
     if ($count != 0)
     {
-        echo "<div class=\"error\">Entry already exists</div>";
+        echo "Entry already exists";
         return false;
     }
 
     $result = $db->query("INSERT INTO gpass ('login', 'password') VALUES ('" . $login . "', '" . $password . "')");
 
+    echo "OK";
+
     return true;
 }
 
@@ -200,10 +200,16 @@ function delete_entry($user, $login)
 {
     $db = load_database($user);
 
-    if ($db == null) return false;
+    if ($db == null)
+    {
+        echo "Unknown user";
+        return false;
+    }
 
     $db->query("DELETE FROM gpass WHERE login='" . $login . "'");
 
+    echo "OK";
+
     return true;
 }
 
@@ -223,6 +229,8 @@ function list_entries($user)
 
     $result = $db->query("SELECT * FROM gpass");
 
+    echo "entries\n";
+
     while (($row = $result->fetchArray()))
     {
         echo $row['login'] . ";" . $row['password'] . "\n";
diff --git a/server/index.php b/server/index.php
index a599d11..66e566b 100644
--- a/server/index.php
+++ b/server/index.php
@@ -25,8 +25,16 @@ session_start();
 $VIEW_CIPHERED_PASSWORDS=true;
 $ADMIN_MODE=true;
 
-if (isset($_GET['get_passwords']) && isset($_GET['user']))
-    return list_entries($_GET['user']);
+if (isset($_POST['get_passwords']) && isset($_POST['user']))
+    return list_entries($_POST['user']);
+
+if (isset($_POST['add_entry']) && isset($_POST['user']) && 
+    isset($_POST['login']) && isset($_POST['password']))
+    return add_entry($_POST['user'], $_POST['login'], $_POST['password']);
+
+if (isset($_POST['delete_entry']) && isset($_POST['user']) && 
+    isset($_POST['login']))
+    return delete_entry($_POST['user'], $_POST['login']);
 
 ?>
 <!DOCTYPE html> 
@@ -96,16 +104,13 @@ else
 if ($user != "")
 {
     echo "<b>Add a new password</b><br/>\n";
-    echo '<form method="post">' . "\n";
-    echo '<input type="hidden" name="user" value="' . $user . '"/>';
 
-    echo 'URL <input id="new_url" type="text" name="url"/>';
+    echo 'URL <input type="text" name="url"/>';
     echo 'login <input type="text" name="login" />';
-    echo 'password <input id="new_password" type="text" name="pwd"/>';
-    echo 'master key <input id="new_mkey" type="password" name="mkey"/>';
+    echo 'password <input id="new_password" type="text" name="password"/>';
+    echo 'master key <input type="password" name="mkey"/>';
     echo '<input type="button" value="Generate password" onClick="generate_password();"/>';
-    echo "<input type=\"submit\" name=\"add\" value=\"Add\" onclick=\"a = document.getElementById('new_url') ; a.value = url_domain(a.value); return derive_mkey('$user', 'new_mkey') ;\"/>";
-    echo '</form>' . "\n";
+    echo "<input type=\"button\" name=\"add\" value=\"Add\" onclick=\"add_password();\"/>";
 }
 ?>
 </div>
diff --git a/server/ressources/gpass.js b/server/ressources/gpass.js
index eea0fe8..a16bf94 100755
--- a/server/ressources/gpass.js
+++ b/server/ressources/gpass.js
@@ -31,6 +31,20 @@ parseUri.options = {
 	}
 };
 
+if (!String.prototype.trim) {
+    String.prototype.trim = function() {
+	return this.replace(/^\s+|\s+$/g, "");
+    };
+}
+
+// Array Remove - By John Resig (MIT Licensed)
+// http://stackoverflow.com/questions/500606/javascript-array-delete-elements
+Array.prototype.remove = function(from, to) {
+    var rest = this.slice((to || from) + 1 || this.length);
+    this.length = from < 0 ? this.length + from : from;
+    return this.push.apply(this, rest);
+};
+
 function generate_password()
 {
     // symbols 32 - 47 / 58 - 64 / 91 - 96 / 123 - 126
@@ -119,6 +133,10 @@ function PasswordEntry (ciphered_login="", ciphered_password="") {
 	this.masterkey = masterkey;
 	aes.finish();
 
+	// Remove salt
+	this.clear_password = this.clear_password.replace(/\0*$/, "");
+	this.clear_password = this.clear_password.substr(0, this.clear_password.length-3);
+
 	return true;
     }
 
@@ -135,16 +153,19 @@ function list_all_entries(user)
     req = new XMLHttpRequest();
     req.addEventListener("load", function(evt) {
 	entries = this.responseText.split("\n");
-	for(i=0; i<entries.length; i++)
+	if (entries[0] == "entries")
 	{
-	    if (entries[i] == "") continue;
-	    entry = entries[i].split(";");
-	    passwords.push(new PasswordEntry(entry[0], entry[1]));
+	    for(i=1; i<entries.length; i++)
+	    {
+		if (entries[i] == "") continue;
+		entry = entries[i].split(";");
+		passwords.push(new PasswordEntry(entry[0], entry[1]));
+	    }
 	}
     }, false);
-    req.open("GET", document.documentURI + "?get_passwords=1&user=" + user, false);
+    req.open("POST", document.documentURI, false);
     req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
-    req.send(null);
+    req.send("get_passwords=1&user=" + user);
 }
 
 function change_master_key()
@@ -176,9 +197,15 @@ function change_master_key()
 	if (passwords[i].isUnciphered(current_mkey))
 	{
 	    div = document.createElement("div");
-	    div.setAttribute("id", i);
+	    div.setAttribute("id", "entry_" + i);
 	    div.setAttribute("class", "password");
 
+	    ciph_login = document.createElement("input");
+	    ciph_login.setAttribute("name", "ciphered_login");
+	    ciph_login.setAttribute("type", "hidden");
+	    ciph_login.setAttribute("login", passwords[i].ciphered_login);
+	    div.appendChild(ciph_login);
+
 	    div.appendChild(document.createTextNode("URL"));
 	    url = document.createElement("input");
 	    url.setAttribute("type", "text");
@@ -203,6 +230,7 @@ function change_master_key()
 	    delete_button = document.createElement("input");
 	    delete_button.setAttribute("type", "button");
 	    delete_button.setAttribute("value", "Delete");
+	    delete_button.setAttribute("onclick", "delete_entry(\"entry_" + i + "\");");
 	    div.appendChild(delete_button);
 
 	    update_button = document.createElement("input");
@@ -227,9 +255,15 @@ function change_master_key()
 	if (!passwords[i].isUnciphered(current_mkey))
 	{
 	    div = document.createElement("div");
-	    div.setAttribute("id", i);
+	    div.setAttribute("id", "entry_" + i);
 	    div.setAttribute("class", "password");
 
+	    ciph_login = document.createElement("input");
+	    ciph_login.setAttribute("name", "ciphered_login");
+	    ciph_login.setAttribute("type", "hidden");
+	    ciph_login.setAttribute("login", passwords[i].ciphered_login);
+	    div.appendChild(ciph_login);
+
 	    div.appendChild(document.createTextNode("URL"));
 	    url = document.createElement("input");
 	    url.setAttribute("class", "hash");
@@ -249,6 +283,7 @@ function change_master_key()
 	    delete_button = document.createElement("input");
 	    delete_button.setAttribute("type", "button");
 	    delete_button.setAttribute("value", "Delete");
+	    delete_button.setAttribute("onclick", "delete_entry(\"entry_" + i + "\");");
 	    div.appendChild(delete_button);
 
 	    password_div.appendChild(div);
@@ -263,8 +298,9 @@ function update_master_key()
     if (user != current_user)
     {
 	current_user = user;
+
 	document.title = "gPass : global Password - " + current_user;
-	passwords = new Array();
+
 	list_all_entries(current_user);
 
 	addon_address = document.getElementById("addon_address");
@@ -287,4 +323,181 @@ function start()
     if (select_widget == null) return;
 
     return update_master_key();
-}
\ No newline at end of file
+}
+
+function add_password()
+{
+    var url = "";
+    var login = "";
+    var password = "";
+    var mkey = "";
+
+    div = document.getElementById("add_new_password");
+    
+    inputs = div.getElementsByTagName("input");
+
+    for(i=0; i<inputs.length; i++)
+    {
+	if (inputs[i].getAttribute("name") == "url")
+	    url = url_domain(inputs[i].value);
+	else if (inputs[i].getAttribute("name") == "login")
+	    login = inputs[i].value.trim();
+	else if (inputs[i].getAttribute("name") == "password")
+	    password = inputs[i].value.trim();
+	else if (inputs[i].getAttribute("name") == "mkey")
+	    mkey = inputs[i].value;
+    }
+
+    if (url == "")
+    {
+	alert("URL is empty");
+	return false;
+    }
+
+    if (login == "")
+    {
+	alert("Login is empty");
+	return false;
+    }
+
+    if (password == "")
+    {
+	alert("Password is empty");
+	return false;
+    }
+
+    if (mkey == "")
+    {
+	alert("Master key is empty");
+	return false;
+    }
+
+    mkey = derive_mkey(current_user, mkey);
+
+    for(i=0; i<passwords.length; i++)
+    {
+	p = passwords[i];
+	if (p.clear_url == url &&
+	    p.clear_password == password &&
+	    p.clear_login == login &&
+	    p.masterkey == mkey)
+	{
+	    alert("Entry already exists");
+	    return false;
+	}
+    }
+
+    ciphered_login = "@@" + url + ";" + login;
+    ciphered_password = password;
+
+    for(i=0; i<3; i++)
+    {
+	password += String.fromCharCode((Math.random() * 128)+1); 
+    }
+
+    aes = new AES();
+    a_masterkey = aes.init(hex2a(mkey));
+    ciphered_login = a2hex(aes.encryptLongString(ciphered_login, a_masterkey));
+    ciphered_password = a2hex(aes.encryptLongString(ciphered_password, a_masterkey));
+
+    var ok = false;
+    req = new XMLHttpRequest();
+    req.addEventListener("load", function(evt) {
+	resp = this.responseText;
+	if (resp == "OK")
+	    ok = true;
+	else
+	    alert(resp);
+    }, false);
+    req.open("POST", document.documentURI, false);
+    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
+    req.send("add_entry=1&user=" + user + "&login=" + ciphered_login + "&password=" + ciphered_password);
+
+    if (!ok) return false;
+
+    current_mkey = mkey;
+
+    pentry = new PasswordEntry(ciphered_login, ciphered_password);
+    pentry.unciphered = true;
+    pentry.clear_url = url;
+    pentry.clear_login = login;
+    pentry.clear_password = password.substr(0, password.length-3);
+    pentry.masterkey = mkey;
+    
+    passwords.push(pentry);
+
+    change_master_key();
+
+    for(i=0; i<inputs.length; i++)
+	inputs[i].value = "";
+
+    return true;
+}
+
+function delete_entry(entry_number)
+{
+    entry = document.getElementById(entry_number);
+
+    if (entry == null) {
+	alert(entry_number + " not found"); 
+	return;
+    }
+
+    inputs = entry.getElementsByTagName("input");
+
+    var ciphered_login = null;
+    for(i=0; i<inputs.length; i++)
+    {
+	if (inputs[i].getAttribute("name") == "ciphered_login")
+	{
+	    ciphered_login = inputs[i];
+	    break;
+	}
+    }
+
+    if (ciphered_login == null)
+    {
+	alert("Widget not found"); 
+	return;
+    }
+
+    var found = -1;
+    ciphered_login = ciphered_login.getAttribute("login");
+    for(i=0; i<passwords.length; i++)
+    {
+	if (passwords[i].ciphered_login == ciphered_login)
+	{
+	    found = i;
+	    break;
+	}
+    }
+
+    if (found == -1)
+    {
+	alert("Password not found int database");
+	return;
+    }
+
+    if(!confirm("Are you sure want to delete this entry ?"))
+	return;
+
+    var ok = false;
+    req = new XMLHttpRequest();
+    req.addEventListener("load", function(evt) {
+	resp = this.responseText;
+	if (resp == "OK")
+	    ok = true;
+	else
+	    alert(resp);
+    }, false);
+    req.open("POST", document.documentURI, false);
+    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
+    req.send("delete_entry=1&user=" + user + "&login=" + ciphered_login);
+
+    if (!ok) return false;
+
+    entry.parentNode.removeChild(entry);
+
+    passwords.remove(found);
+}
+