Subversion Repositories oidplus

April 2023 planned:

- Don't send "information object (i.e. Non-OIDs)" OIDs to oid-info.com anymore

- In re Internet access:

    * Check if all instances of https://github.com/danielmarschall/oidplus/issues/5 ("Offline mode") have been addressed

    * Everywhere where url_post_contents() is used, we need to check url_post_contents_available() too.

    * Everywhere where url_get_contents() is used, we need to check url_get_contents_available() too.

Exception Refactoring:

- [DONE]  Instead of catching OIDplusException, catch Exception

- [DONE]  Check every "new OIDplusException" and "new \OIDplusException" if it contains HTML and needs to be "new OIDplusHtmlException"

- [DONE]  Check every instance of "->getMessage()" it it needs to be HTML or Text

                HTML would be   $htmlmsg = $e instanceof OIDplusException ? $e->getHtmlMessage() : htmlentities($e->getMessage());

-         Check every instance of "catch (\Exception"

                Question: In the whole code we write "catch (\Exception" . Is that correct or should we write "catch (\Throwable" ?

-         Why are there 66 matches of  "$out['icon'] = 'img/error.png';"  ?  Shouldn't gui() just throw OIDplusException or OIDplusHtmlException and let the caller do the rest?

                Problem is this: If gui() uses $out[...], then the title can be chosen

                But we still should prefer throwing Exceptions!

-               Idea: Implement "friendly Exceptions"

                    * A "friendly" Exception is an Exception where the user has done something wrong (i.e. they are not logged in).

                    * The error is therefore clearly known and therefore a technical stacktrace is NOT shown.

Type safety:

- PhpStorm warnings

- Re-Check "mixed"

- Nullable params passed to non-nullable methods => find using PHPStan level 7

Admin Auth:

- implement argon2 as alternative to bcrypt?

- idea: could RA-auth-plugins also be used to create the admin-hash? problem: setup/ generates hash with javascript, not via PHP!!!

- BCrypt

	Make #rounds and length of admin password configurable (pre-baseconfig?)

	Include dev/bcrypt_cost_calculator somewhere in the configuration page?

	... At least give a hint to the documentation, so they know how to run the tool and how to enter the cost in the configuration (for RA and Admin)

	... or in the setup page make an extra control how complex the admin password should be? but be aware that nobody enters a too big number (it makes DoS possible!)

	See "Example #3" here https://www.php.net/manual/de/function.password-hash.php which helps you finding a good cost value for your system

Feb 2023 entries:

- Create oid => immediately after creating an OID, show the title/description edit dialog in a popup?? we must be sure that people don't add OIDs without title

- OID Description textarea: add link to oid-info.com faq to show how descriptions should be done

- Oidinfo blacklist object types (set by the user in the system config)

- Db Config: datatypes/enums for the settings

- Db Config: default setting button

- improved PHP class loader, see frdlweb github discussion https://github.com/frdl/frdl-oidplus-plugin-type-pen/issues/1

Ideas by Simon T.:

- System status plugin: Check if file owners are mixed

- a possibility to upload & assign custom icons to objects (both in the tree & in the page)

- a possibility to move objects/nodes from one hierarchy level to another (for now, I have to reconstruct them)

- 2FA TOTP support (+backup codes) - good for public instances, like FreeOID (Yes, I'm that one person who always asks for true totp 2FA everywhere xD )

- a setting for a permanent choice between 'Always switch to newly created object' / 'Never switch' / 'Ask user if they want to switch'

- a possibility to export&transfer all data between OIDplus'es: Attention: Do not use this XML Export/Import to exchange, backup or restore data between OIDplus systems!

- a possibility to 'construct' my own object types in UI (1: specify list of their fields and 2: choose "oid-like/forward" com.example.api or "domain-like/reverse" api.example.com naming scheme), so they would appear as the whole new type

Recently added TODO entries:

- should all country codes (even unused) in 1.2 and 2.16 be added to the wellknown list?

- "Decoding" section (tech info) at OID nodes, e.g. the AID decoder, should this be a scrolling <pre> block instead of a <code> block? (For mobile devices)

- problem: if an identical class file (with same namespace) is placed in two plugin folders, then the oidplus autoloader will include both, which will cause a fatal error

- oidplus docker image?

Databases:

- Let plugins create tables for all DBMS by including a "create table" function with abstract types in the SQL slang plugins (similar to Medoo)

Ideas

- if a third-party plugin throws an exception in the init() method, maybe OIDplus should avoid loading the plugin?

- "hidden" alt ids which are not shown in the GUI, but can be used for reverse-Alt-ID ? (I believe we have excluded some AltIDs which are "not neccessary", e.g. an GUID already is a GUID and therefore does not need a Namespace GUID, or something like that)

RDAP:

- Extend handle404() to handle more things required by the RFC, as well as more object types

- More TODO see GitHub repository https://github.com/frdl/oidplus-frdlweb-rdap/issues

GS1 plugin:

- prefilterQuery: If we query a gs1 which has a check digit, we should be redirected to the number without checkdigit.

                  But... how do we know if the last digit is a checkdigit or if it is a longer number with a missing check-digit?

New Object Type plugins:

- LSID ?

Treeview / Navigation:

- In the tree, let the operator create "shortcuts" to important OIDs?

- Define "critical" OIDs which should always be visible; this means: the tree will always be extended so that these OIDs are shown?

SECURITY Improvements:

- Small security issue: A visitor can check which plugins are installed by either entering a "goto" command (e.g. "oidplus:vnag_version_check")

  and see which error message appears, or they could try to enter "plugin/adminPages/..." using the web browser and see if the result is HTTP 200 or HTTP 404.

Setup:

- Make following things configurable in some kind of base-config INI/XML file:

	Min length of admin password

	Bcrypt Round

	Default language (like the "DEFAULT_LANGUAGE" base config setting)

	Design (like the "design" config setting)

IDEAS FOR NEW FUNCTIONALITIES

- Admin plugin "Attachments" with following functionalities:

	* Show every object and its attachments, so that the admin knows what's going on

	  (Alternatively they can just look in the userdata directory using FTP)

	* Give the ability to enable/disable RA uploading/deleting

	  (Alternatively they need to do it in the configuration module and enter '0' and '1' by hand)

- "Notifications plugin"

	OK:      Make a plugin that shows warnings from plugins (via "feature-interface"), e.g. the registration plugin could warn that CURL is not working correctly etc.

	No:	 But it should also have JavaScript components, e.g. check if dev/ and other confidential folders can be accessed (see code in setup/)

	Not yet: Also offer VNag that informs the user via Nagios if new Notifications are there?

- Excel/CSV import tool for bulk data import (as alternative to XML import. Maybe previous Excel->XML import tool?)

- External Syslog server

LDAP / OAUTH

- Implement other OAuth providers?

	Try out https://github.com/SocialConnect/auth

	     or https://github.com/hybridauth/hybridauth

- Credentials and API-Keys should be protected or obfuscated or encrypted? (JoomlaKeychainKeychain?)

TINYMCE

- mce dirty flag: call performCloseQueryCB()/performCloseCB(), if ...

	OK:   The page (browser tab) is about to be closed or the page is reloaded

	      => TinyMCE uses the window.onbeforeunload event

	TODO: The browser navigation buttons are clicked

	      => This only works PARTIALLY. Preventing popstate() works and no data is lost,

	         but the browser will think that it was successful!!

	OK:   When a node at the jsTree is clicked (conditional select)

	OK:   In the openOidInPanel() function, i.e. when you enter something into the goto-bar.

- critical bug: open page, edit tiny mce, click save. Then F5 reload (not Ctrl+F5): then the old content is there again. Except if you press Ctrl+F5

	(cannot be reproduced anymore? tested with firefox and chrome)

- TinyMCE "isDirty" does not correctly work on Internet Explorer: It always reports "dirty"

	see bug https://github.com/tinymce/tinymce/issues/6048

- The "is dirty" check should also include the "Title" input box

- (Sep 2022) Need more detailled reproduction:

	If you use the browser back functionality and switch between

	content pages (containing TinyMCE) and non-content pages (e.g. FreeOID page)

	then sometimes TinyMCE has vanished and you just have a small textarea with HTML code.

	You probably also need to use the "GoTo" button for reloading (not F5).

	Could be reproduced a few times. JavaScript console shows no error.

OID-IP

- query 'oid:' should show all root entries (subordinate entries), but there is only the message "not found"

- offer signature checker tool to verify responses

SETUP

- There should be a "test database connection" button

	=> however, this button could be abused to brute-force database connections,

	   and even abusing the server to connect (brute-force) to foreign database servers

DATA TRANSFER PLUGIN

- XML import: Let the user decide if existing OIDs shall be overwritten

- XML import: Let the user decide if RAs should be created

- XML import: Let the user decide if "created=now" should be set

- XML import: Waiting animation

- XML import: If output (errors) is too long, show them in a page rather than an alert() box

SMALL THINGS

- when you copy something into the clipboard, please show a toast message

- Setup: "None" CAPTCHA plugin should be the first option

- oobe.php leaks email address of administrator to spam bots

- Use DIRECTORY_SEPARATOR everywhere where local paths are used

- when you enter "guid:{0139d44e-6afe-49f2-8690-3dafcae6ffb8}" (which will be corrected in PHP prefilterQuery), JavaScript will not highlight "guid:0139d44e-6afe-49f2-8690-3dafcae6ffb8", because it searches for the brackets

- Let the user create shortcuts to any OIDplus-Goto-URLS (e.g. important OIDs) directly in the menu, without writing a plugin?

- Auto open some nodes automatically, or open until a specific level (like done in the Resources plugin?)

- Let the JavaScript value "oidplus_menu_width" being modified by a design plugin and/or the database config.

  A plugin can already do this by using htmlHeaderUpdate() and creating an inline JavaScript to modify the global variable "oidplus_menu_width"

- At a lot of forms, if you press "enter", the "form" will not be submitted (e.g. "create ra" plugin), cannot reproduce?

- system log plugin: Only show 100 events and let the user switch pages. To avoid that you load a page with 10000+ log entries!

- Alpine Linux SVN update: I get the error "svn: warning: W000013: Can't open file '/root/.subversion/servers': Permission denied", although "whoami" is "apache"! (Maybe because the initial checkout was done by root?!)

- AutoUpdate via cron?

- Login page etc.: If user clicks on a tab, then the gotoedit and static link should change to e.g. "oidplus:login$admin" or "oidplus:login$ra", respectively.

        $('#static_link').attr("href", "index.php?goto="+encodeURIComponent(id));

        $("#gotoedit").val(id);

- Add show_waiting_anim() and hide_waiting_anim() to all AJAX queries, like it is done in plugin "Software update"

- #gotobutton should have the same top and height as #gotoedit

- RA address data: Country selection box like in OIDInfo

	Possible data source: https://datahub.io/core/country-list#resource-data

- minimum menu expansion level: make it configurable for all objects and plugins, e.g. so that when you open OIDplus, all OIDs till level 2 are expanded

- There can be an extra table which contains "key - value" fields for each object

	Maybe even let the user define fields (with data type) which is then displayed at every OID,

	e.g. HL7 could define a lot of fields which are then all displayed at the OIDs and can be edited

- API : Make a function that checks if a RA exists, and use it everywhere where needed

- Object type plugins : take care that "treeicon.png" and "icon_big.png" exist everywhere (become standard)

- freeoid: gmail app does not hyperlink the activation URL. why?

- how to avoid invite spamming?

- when login expired, remove entries in the treeview

- disable specific functions (e.g. invite, login, rainfo, forgot password) if the plugins are not installed (check if class type is registered using class_exists())

- <abbr> in <code> is double underlined; that's not good

- if you have multiple identifiers, how do you tell the system which identifier should be the preferred one?

- show whois links only if folder "whois/" exists

- disable autocomplete on some forms

- graphical improvements of forms (input edits aligned)

- "Documents" section: Make documentation for usage of OIDplus (for members only)

- admin config more user friendly, e.g. having the enable/disable object type stuff (like in registration wizard) also in the admin control panel. Also, have types like bool, so we show a checkbox instead of an edit control

- it would be good if after the login, the opened nodes in the tree would stay open

- html checkbox: make use of "label for"

- when javascript fails, the form will be submitted to './' , that is not good! failed javascript must return false, so that the form does not get submitted

- admin: show privacy entries from RAs (but grey, so you know that it is private)

- admin should be able to edit contact data of a foreign RA [XXX isn't that already implemented?]

- freeoid: hide asn.1 and iri columns, because the RA is not allocating these identifiers?

- .... maybe we should have a list of OIDs where the OID does not allocate ASN.1/IRI identifiers... then we can also make use of the OID-WHOIS attributes

- Privacy flag of RAs: Should there be more privacy levels, e.g. that you don't show your personal name etc.?

- You should be able to change the "created" date for an object! Or maybe hide it completely if you don't know the original creation date?

- In the CRUD table, you should be able to see the name of the OID? But on the other hand, the title is not in the control of the Superior RA, and the CRUD table is actually the allocation table of the Superior RA.

- jstree select: automatically scroll down

- jstree: right click "open in new tab" is not possible

- things like RA: show more things, address, email etc.

- note that we (and the Internet Draft) talk about Objects, but actually OIDs only reference objects, but they are not the objects

- Multilang

	* Not yet translated:

		- plugins\publicPages\100_whois\whois\index.php [Problem: This page is kinda standalone and does not include the OIDplus code]

		- vendor\danielmarschall\fileformats\fileformats.conf [Problem: This is a third-party code!]

		- includes\classes\VtsBrowserDownload.class.php [Problem: This is a third-party code!]

	* Is there some useful German translation of the Apache 2.0 license?

- WEID UUID: Show the UUID 2.25/GUID equivalent as alternative ID

- When an OID is edited/added/deleted, don't reload the whole tree. Instead, just change the tree! This looks much more fluid.

- adminPages/902_systemfile_check/OIDplusPageAdminSystemFileCheck.class.php

	Should thumbs.db (case insensitive) and Apple turds be excluded?

	On the other hand, these files could then be used to hide malicious data

- Actually, there should be two Update-Timestamps: An Update-Timestamp for the Superior RA (i.e. when was the ASN.1/IRI or the RA changed? And a RA Update-Timestamp (i.e. when did the RA change its description?)

UPDATER

- Internal problem with GIT distribution channel:

	The GIT version might be behind the master SVN repository

	So if you do "git pull", the update/index.php page might still show that an update is available!

- add some kind of loading cricle animation or a progress bar during the update

DATABASE

- make usage of Foreign Keys

	PROBLEM: we need foreign keys with no check, because

	a) we want to keep log entries even if an object/user is deleted

	b) log_user.username can also be 'admin' (and therefore not be a foreign key to table 'ra')

	c) not every object should have a registered RA. There should be "unknown" RAs where only the email address is known

	d) well-known ASN1/IRI don't require an existing OID

FUTURE

- implement sitemaps xml

- admin should be able to change wellknown oids?

- move oid to different arc

- for very large arcs (e.g. PEN): maybe you should not show everything in the tree select?

- support for ORS?

- "Cutting Edge Technologie": AJAX, JSON, completely UTF-8, CRUD frameworks, PDO, HTML5, Mobile Design, Pure CSS, Autoloading, Object Oriented (maybe not MVC, though), Testing, ...

- "Search" plugin: Feature to search inside documentation (doc/ directory)

- "Search" plugin: I want to search in all object types and RAs. Not first select the type.

- How can we make sure that example objects are not exported using oid-info.com export?

- Administrator-Interface: enable and disable object types

- detailled change-history of each oid

- Add a "nonce" to all inline JavaScripts and add this nonce to CSP. Then disallow inline-JavaScripts in CSP completely.

BUGS?

- BUG! RA is logged in, then it is deleted => the RA can still edit their OIDs, since their session is not destroyed

- OIDplus does not work in Safari Mobile!

	1. You cannot scroll the OID grid, as the scrolling affects the whole page, not the grid.

	2. JQueryUI sliders cannot be dragged

REJECTED IDEAS

- well known OIDs: Should also the RA address be recorded? (so that you cannot create a 2.999 OID and telling that you are the RA?)

- should there more than one person be able to manage an OID? (multiple emails per "RA" ?)

- record first RA and current RA => X.660 does not have this requirement

- markers DRAFT, LEAF and FROZEN etc. => use "Protected" if you want to make it invisible

- Giving the "goto" argument OIDs instead of names, so that there are no conflict

  with plugin vendors (like it was done with the "plugin" argument at ajax.php)

	Rejected due to following reasons:

	a) The "goto" parameter should usually be human readable (especially since it is shown at the right top)...

	   Having a ViaThinkSoft OID there might get the user confused because they could think that the

	   page is a OID page request for that OID instead of a plugin page.

	b) Vendors should use something like "?goto=oidplus:com.example...."

- AID Plugin: When aid_decoder.inc.php finds a mistake, should we forbid to create the AID?

	=> Rejected. Some companies might already use invalid identifiers.

- oidplus dependency system (dependency plugin oid in manifest) => Rejected. Check dependencies in the init() method of a plugin.

LOGS

- prune logs entries? automatically prune things like "logged in" but not prune OID changes, etc?

- admin logs: don't show all logs. load more log entries as soon as the page is scrolled down

- when user changed email from "A" => "B", then all previous log events for "A" are not visible for "B" anymore!

	=> should we also change the log entry email address references when the user changes their email address?

- At "oidplus:system_log", user log section and object log section, the users and/or objects should be clickable

IDEAS

- admin plugin that shows the recent oid edits / inserts?

- in the search feature, search for object creation/update date?

- adminPages/800_plugins: We could also list plugins that have been blacklisted in the config? But that is hard to achieve, because these plugins are ignored and not loaded at all

- Similar to Security Event Token, we could issue JWT tokens which log the allocation of an OID to an RA. This signed token can be stored somewhere and can be used to proove the ownership of an OID.

- have an option to assign a custom icon to any object in the system (file attachment with name "icon.*"?). Especially useful for easy visual distinguishing between root objects inside 'Other objects', but may be useful for other object types too.

- Give configuration settings a type (int, bool, enum, etc.) so that the configuration page can be more user friendly (use a checkbox rather than typing "1" and "0")

	Even better: Give plugins the opportunity to display their own config GUI, exactly like OOBE does

- OID-WHOIS: For well-known OIDs, e.g. IANA PEN, show information where to retrieve information

	=> Problem: Well-known OIDs are implemented as ASN/IRI identifiers only; no information in table "objects"!

- Should plugins be able to add additional object sub-nodes/pages into the tree,

  which are not "real" objects? For example, in the object tree,

  you could include file attachments [by File Attachment Plugin].

  Also, Object Type Plugins could add more sub-nodes/pages into the

  tree, for example if you have object types where each object

  consists of various components.

  => currently OIDplus::menuUtils()->tree_populate() handles the object tree loading

     ... but shouldn't this task do the plugin publicPages/000_objects ?

     ... then we could establish an API which can give object type plugins the possibility to add additional children

- Hide/Proxy RA E-Mails from public requests

- let users choose their own creation arc

- In regards multilinguality: Allow "oidplus_base$dede.css", so that languages can have their own CSS (e.g. wider "Go" button)

	But this means that a language change also need to reload the style sheet (like the color-plugin does when you click "Test")

- when an object was not found, the error message could show the next possible known object (like WebWHOIS does)

- the "goto" quickbar (at the top right) could also be used to search something ...

- ... alternatively, the "object not found" error page could link to the search plugin

- make color plugin available for everyone. Admin may permanently save the colors, but users should be able to set their own theme, saved via cookies

- there should be a form where an RA can request an invitation, even if the superior RA did not invite them.

  the fact that a RA exists in the Object Table should permit the RA to invite theirself.

- make a list of OIDs that do not assign ASN1/IRI identifiers (e.g. IANA PEN or ViaThinkSoft FreeOID), then reject any identifier the user provides

- sanitize IPv4, IPv6, GUID during creation

	at IPv4 and IPv6: - if it is a single host address, don't put /32 or /128 suffix

	                  - strike unnecessary bits that are not defined in the netmask (also at the whois output)

- let the sysadmin decide if they want the title be "systemtitle - object title" or "object title - systemtitle"

- should a RA be able to mark their own oid as confidential, instead of asking the superior RA?

- should there be an OIDplus project page at oidplus.viathinksoft.com instead of a "naked" system?

- vendor signature to plugins + viathinksoft signatures + "check" program if all signatures match

	Why do we need it?

		We want to make sure that the OIDplus files aren't modified by hackers (e.g. replaced by a webshell)

		Unfortunately, we can only verify our own files. Plugins by vendors cannot be checked.

	Problem:

		We cannot store the ViaThinkSoft public key or the checking-tool in the OIDplus directory,

		because then they could be altered by the hacker.

		We also cannot add a "verified" icon in the "Plugins" admin section,

		because this could also be fake.

		The only solution to verify the OIDplus installation is to run a tool that

		is downloaded on-demand over a secure connection.

	Solution:

		1. The OIDplus installation contains a file "signature.md5" that contains the MD5 sums of all files.

		   The whole file is RSA signed with a ViaThinkSoft key.

		2. We should offer a tool which can be started on-demand by running something like:

		   curl -sSL https://oidplus.viathinksoft.com/signature_check/ | bash

		   This tool contains a check procedure and the ViaThinkSoft public key,

		   and verifies the OIDplus installation.

		3. The tool should also warn if there are missing or additional files,

		   because some additional files may be executed (e.g. if they are located in includes/db_updates/)

		4. With every new release of OIDplus, this file must be re-generated!

- have a menu item (plugin) "latest updates" which lists OIDs that have been changed or added recently?

- (unsure:) would it be good if the superior RA comment is shown in the object page itself?

- Protect attachments with a password? (Information objects?)

- IPv4/IPv6 plugin: Should we allow that private IPs are put into categories (e.g. different physical locations having the same subnet?)

- Like in OOBE, plugins should give the possibility to add an individual UI in the "oidplus:edit_config" page

- Login area: The "administrator" node in the treeview could be clicked, leading to a page that contains a link to all sub pages (big icons ordered in a grid?)

- "Invisible/service" plugin type, like page plugins, but they have no gui() method. They can be used for a simple task like extending HTTP headers

- OAuth for admin login? (email of administrator)

- SAML 2.0 SSO auth plugin?

QUESTIONS

- should the collation be case sensitive or case insensitive? For Java package names, it should be case senstivie

- use word "guid" or "uuid"?

- should "OID updated" be split into two categories "updated by superior" (e.g. identifiers) and "updated by owner" (description etc)?

- Don't renew "updated" field if you just click "Update" but didn't change anything (e.g. because you just wanted to send an invitation again)

- "Documents" section: Can base of URLs/images inside the HTML be changed automatically?

PRIVACY

- bring back "vendor/cookiecontent"? DM 28 May 2019: Removed CookieConsent temporarily, because it is placed at the beginning of the page and therefore ruins the Google index ...

	=> We might not need it, because cookies are only set during login, and at the login page itself, we already warn about cookies, in addition to the Privacy documentation

- Cookie law:

	Download CookieConsent code into vendor folder, do not hotlink it

	we need to log all consents

	do we need an explicit consent at the login form?

	do we need a consent for the cookie SSL_CHECK?

GUID Management

- Leaf nodes (GUIDs) should show/edit the Title in the CRUD, so you dont have to click the GUID to see the title

- weird bug: when i edit "guid:oidplus", then, after reload the treeview after the update, "guid:activedirectory" will be opened. somehow, the last opened node will be opened during the reload?!