<?php
/**
 * Mahara: Electronic portfolio, weblog, resume builder and social networking
 * Copyright (C) 2006-2008 Catalyst IT Ltd (http://www.catalyst.net.nz)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * @package    mahara
 * @subpackage auth
 * @author     Catalyst IT Ltd
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL
 * @copyright  (C) 2006-2008 Catalyst IT Ltd http://catalyst.net.nz
 *
 */

// Direct-access guard: stop immediately unless the INTERNAL constant has been
// defined (presumably by the entry script that includes this library).
defined('INTERNAL') || die();

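/**
 * Turn an exception raised while serving an XML-RPC request into a response.
 *
 * - An exception whose class is exactly XmlrpcServerException handles itself.
 * - An exception whose class is exactly MaharaException is re-thrown as an
 *   XmlrpcServerException carrying the same message and code.
 * - Anything else is reported to the caller as an XML-RPC fault and logged.
 *
 * @param  Exception $e  The exception to report
 * @throws XmlrpcServerException when given a plain MaharaException
 */
function xmlrpc_exception (Exception $e) {
    // The get_class() comparison restricts each branch to the exact class;
    // subclasses fall through to the generic fault below.
    if (($e instanceof XmlrpcServerException) && get_class($e) == 'XmlrpcServerException') {
        $e->handle_exception();
        return;
    }

    if (($e instanceof MaharaException) && get_class($e) == 'MaharaException') {
        // The unreachable "return" that followed this throw has been dropped.
        throw new XmlrpcServerException($e->getMessage(), $e->getCode());
    }

    // NOTE(review): the raw exception message is sent to the remote peer. For
    // unexpected exceptions that text can contain internal detail (SQL, paths);
    // consider returning a generic fault string and keeping the detail in the
    // log entry written below.
    xmlrpc_error('An unexpected error has occurred: '.$e->getMessage(), $e->getCode());
    log_message($e->getMessage(), LOG_LEVEL_WARN, true, true, $e->getFile(), $e->getLine(), $e->getTrace());
}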

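/**
 * Extract the leading host-name portion of a URI, with or without an
 * http:// or https:// prefix. Results are memoised per input string.
 *
 * The pattern simply captures the first run of letters, digits, dots and
 * hyphens after the optional scheme. It does not understand userinfo
 * ("user@host"), ports or IPv6 literals, so the result should not be the only
 * input to a trust decision.
 *
 * @param  string|null $uri  URI or bare host name
 * @return string|false      The captured host name, or false if none was found
 */
function get_hostname_from_uri($uri = null) {
    static $cache = array();

    // Normalise so that null and '' share one cache slot and preg_match()
    // always receives a string.
    $uri = (string)$uri;

    if (array_key_exists($uri, $cache)) {
        return $cache[$uri];
    }

    $count = preg_match("@^(?:http[s]?://)?([A-Z0-9\-\.]+).*@i", $uri, $matches);

    // Cache the miss as false too: previously an undefined $matches[1] was
    // stored, so a repeated lookup returned null instead of false.
    $cache[$uri] = ($count > 0) ? $matches[1] : false;
    return $cache[$uri];
}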

/**
 * Remove one trailing slash from a wwwroot, if there is one.
 *
 * @param  string $wwwroot
 * @return string  The same value without its final '/'
 */
function dropslash($wwwroot) {
    $endswithslash = (substr($wwwroot, -1, 1) == '/');
    return $endswithslash ? substr($wwwroot, 0, -1) : $wwwroot;
}

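/**
 * Generate the one-off token that identifies an SSO jump session.
 *
 * The token is a bearer credential: whoever presents it (with the matching
 * user-agent hash) is given the user's details by user_authorise(). It is
 * therefore drawn from a cryptographically secure source when one is
 * available. mt_rand() and microtime() are predictable and are kept only as a
 * last-resort fallback for runtimes that offer nothing better.
 *
 * @return string  40 lower-case hex characters (same shape as the previous
 *                 sha1() based token)
 */
function generate_token() {
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(20));
    }

    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes  = openssl_random_pseudo_bytes(20, $strong);
        if ($bytes !== false && $strong) {
            return bin2hex($bytes);
        }
    }

    // Legacy fallback: not cryptographically strong.
    return sha1(str_shuffle('' . mt_rand(999999,99999999) . microtime(true)));
}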

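/**
 * Create or refresh the SSO session row for the logged-in user and build the
 * URL that sends the browser to the remote peer's SSO landing page.
 *
 * @param  object $peer        Remote host; ->wwwroot and ->application->ssolandurl are read
 * @param  int    $instanceid  Auth instance recorded on the SSO session
 * @param  string $wantsurl    Location the user wants at the remote site
 * @return string              The redirection URL, carrying the new token
 * @throws AccessTotallyDeniedException if the peer is not a service provider
 *                                      for the user's auth instance
 * @throws SQLException                 if the session row cannot be written
 */
function start_jump_session($peer, $instanceid, $wantsurl="") {
    global $USER;

    $rpc_negotiation_timeout = 15;
    $providers = get_service_providers($USER->authinstance);

    // Only peers configured as service providers for this user's auth
    // instance may receive a token.
    $approved = false;
    foreach ($providers as $provider) {
        if ($provider['wwwroot'] == $peer->wwwroot) {
            $approved = true;
            break;
        }
    }

    if (false == $approved) {
        // This shouldn't happen: the user shouldn't have been presented with
        // the link
        throw new AccessTotallyDeniedException('Host not approved for sso');
    }

    // One sso_session row per user: reuse it if present, otherwise create it.
    $sso_session = get_record('sso_session',
                              'userid',     $USER->id);
    $isnew = ($sso_session == false);
    if ($isnew) {
        $sso_session = new stdClass();
        $sso_session->userid   = $USER->id;
        $sso_session->username = $USER->username;
    }

    // A request without a User-Agent header hashes the empty string, which is
    // what sha1() produced for the missing index before, minus the notice.
    $useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    // Fields refreshed on every jump (the update branch used to assign
    // useragent twice).
    $sso_session->instanceid     = $instanceid;
    $sso_session->useragent      = sha1($useragent);
    $sso_session->token          = generate_token();
    $sso_session->confirmtimeout = time() + $rpc_negotiation_timeout;
    $sso_session->expires        = time() + (integer)ini_get('session.gc_maxlifetime');
    $sso_session->sessionid      = session_id();

    if ($isnew) {
        $saved = insert_record('sso_session', $sso_session);
    } else {
        $saved = update_record('sso_session', $sso_session, array('userid' => $USER->id));
    }
    if (!$saved) {
        throw new SQLException("database error");
    }

    $wwwroot = dropslash(get_config('wwwroot'));

    // construct the redirection URL
    // NOTE(review): $wantsurl and $wwwroot are placed in the query string
    // without URL-encoding, so a wantsurl containing '&' or '#' changes the
    // parameters the peer sees. Encoding here is only safe if no caller
    // already encodes the value - confirm against the callers before changing.
    $url = "{$peer->wwwroot}{$peer->application->ssolandurl}?token={$sso_session->token}&idp={$wwwroot}&wantsurl={$wantsurl}";

    return $url;
}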

/**
 * Dispatch helper: call $functionname with the positional arguments in
 * $argsarray and hand back whatever it returns.
 *
 * NOTE(review): $functionname is invoked as given. This is only safe when the
 * name comes from the server's own table of exposed methods and never from the
 * request itself - confirm at the place where this dispatcher is registered.
 *
 * @param  string   $methodname    RPC method name (not used here)
 * @param  array    $argsarray     Arguments for the target function
 * @param  callable $functionname  Function to call
 * @return mixed
 */
function api_dummy_method($methodname, $argsarray, $functionname) {
    $result = call_user_func_array($functionname, $argsarray);
    return $result;
}

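/**
 * Return a user's profile icon to the calling peer, base64 encoded.
 *
 * The user is looked up only within the institution that owns the calling
 * host ($REMOTEWWWROOT), and only through auth instances that are xmlrpc
 * instances or parents of one. The lookup must resolve to exactly one user.
 *
 * @param  string $username
 * @return array|false|null  array('f1' => full image, 'f2' => 100px version),
 *                           both base64 encoded ('' when a file could not be
 *                           read); false when the username does not resolve to
 *                           exactly one user; null when the user has no icon
 * @throws XmlrpcServerException if the calling host has no institution
 */
function fetch_user_image($username) {
    global $REMOTEWWWROOT;

    $institution = get_field('host', 'institution', 'wwwroot', $REMOTEWWWROOT);

    if (false == $institution) {
        // This should never happen, because if we don't know the host we'll
        // already have exited
        throw new XmlrpcServerException('Unknown error');
    }

    $authinstances = auth_get_auth_instances_for_institution($institution);
    $candidates    = array();

    // Matches an auth instance that is the configured parent of an xmlrpc
    // instance in the same institution.
    $sql = 'SElECT
                ai.*
            FROM
                {auth_instance} ai,
                {auth_instance} ai2,
                {auth_instance_config} aic
            WHERE
                ai.id = ? AND
                ai.institution = ? AND
                ai2.institution = ai.institution AND
                ai.id = aic.value AND
                aic.field = \'parent\' AND
                aic.instance = ai2.id AND
                ai2.authname = \'xmlrpc\'';

    foreach ($authinstances as $authinstance) {
        if ($authinstance->authname != 'xmlrpc') {
            $records = get_records_sql_array($sql, array($authinstance->id, $institution));
            if (false == $records) {
                continue;
            }
        }
        try {
            $user = new User;
            $user->find_by_instanceid_username($authinstance->id, $username, true);
            $candidates[$user->id] = $user;
        } catch (Exception $e) {
            // No such user under this auth instance: try the next one
            continue;
        }
    }

    // Refuse ambiguous or empty matches rather than guessing which user is meant.
    if (count($candidates) != 1) {
        return false;
    }

    $user = array_pop($candidates);

    if (empty($user->profileicon)) {
        // no icon
        return null;
    }

    $filename = get_config('dataroot') . 'artefact/internal/profileicons/' . ($user->profileicon % 256) . '/'.$user->profileicon;
    $return = array();

    // $fi used to be left undefined when the read threw; start from false so
    // a failed read yields an empty string without touching an unset variable.
    $fi = false;
    try {
        $fi = file_get_contents($filename);
    } catch (Exception $e) {
        // Unreadable original: report it as an empty image below
    }
    $return['f1'] = ($fi === false) ? '' : base64_encode($fi);

    require_once('file.php');
    $im = get_dataroot_image_path('artefact/internal/profileicons' , $user->profileicon, 100);
    $fi = file_get_contents($im);
    $return['f2'] = ($fi === false) ? '' : base64_encode($fi);
    return $return;
}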

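/**
 * Called by a remote peer to exchange an SSO token for the user's details.
 *
 * The session is found by the (token, user-agent hash) pair written by
 * start_jump_session().
 *
 * NOTE(review): the check below compares against ->expires, the long session
 * lifetime, not ->confirmtimeout, the short negotiation window that
 * start_jump_session() also stores. The token is also not cleared after a
 * successful exchange. Both widen the period in which a leaked token is
 * usable; confirm whether that is intended.
 *
 * @param  string $token      Token issued by start_jump_session()
 * @param  string $useragent  SHA1 hash of the browser's user agent
 * @return array              User data for the remote site
 * @throws XmlrpcServerException if the session or user cannot be resolved
 */
function user_authorise($token, $useragent) {
    global $USER;

    $sso_session = get_record('sso_session', 'token', $token, 'useragent', $useragent);
    if (empty($sso_session)) {
        throw new XmlrpcServerException('No such session exists');
    }

    // check session confirm timeout
    if ($sso_session->expires < time()) {
        throw new XmlrpcServerException('This session has timed out');
    }

    // session okay, try getting the user
    $user = new User();
    try {
        $user->find_by_id($sso_session->userid);
    } catch (Exception $e) {
        throw new XmlrpcServerException('Unable to get information for the specified user');
    }

    // require_once: a plain require would re-declare the classes (fatal error)
    // if the libraries are already loaded or this function runs twice.
    require_once(get_config('docroot') . 'artefact/lib.php');
    require_once(get_config('docroot') . 'artefact/internal/lib.php');

    $element_list = call_static_method('ArtefactTypeProfile', 'get_all_fields');
    $element_required = call_static_method('ArtefactTypeProfile', 'get_mandatory_fields');

    // load existing profile information
    // The artefact types come from code (the profile field list), are quoted
    // with db_quote, and the owner is bound as a parameter. The owner is the
    // user the token belongs to; this previously used the global $USER, which
    // is not necessarily the same account in an RPC request.
    $quotedtypes  = join(",", array_map('db_quote', array_keys($element_list)));
    $profile_data = get_records_select_assoc('artefact', "owner=? AND artefacttype IN (" . $quotedtypes . ")", array($sso_session->userid), '','artefacttype, title');
    if ($profile_data == false) {
        $profile_data = array();
    }

    $email = get_field('artefact_internal_profile_email', 'email', 'owner', $sso_session->userid, 'principal', 1);
    if (false == $email) {
        throw new XmlrpcServerException("No email adress for user");
    }

    $userdata = array();
    $userdata['username']                = $user->username;
    $userdata['email']                   = $email;
    $userdata['auth']                    = 'mnet';
    $userdata['confirmed']               = 1;
    $userdata['deleted']                 = 0;
    $userdata['firstname']               = $user->firstname;
    $userdata['lastname']                = $user->lastname;
    $userdata['city']                    = array_key_exists('city', $profile_data) ? $profile_data['city']->title : '';
    $userdata['country']                 = array_key_exists('country', $profile_data) ? $profile_data['country']->title : '';

    // The numeric check keeps the icon id from contributing anything but
    // digits to the path; only a hash of the file is sent, not the file.
    if (is_numeric($user->profileicon)) {
        $filename = get_config('dataroot') . 'artefact/internal/profileicons/' . ($user->profileicon % 256) . '/'.$user->profileicon;
        if (file_exists($filename) && is_readable($filename)) {
            $userdata['imagehash'] = sha1_file($filename);
        }
    }

    // Result is not used yet (see the todo below); the call is kept as it was.
    get_service_providers($USER->authinstance);

    // Todo: push application name to list of hosts... update Moodle block to display more info, maybe in 'Other' list
    $userdata['myhosts'] = array();

    return $userdata;
}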

/**
 * If we're an IDP, kill_children will kill the session of the given user here,
 * as well as at any other children
 *
 * NOTE: well, currently it doesn't call kill_child on any other children, but
 * it will kill the local sessions for the user
 *
 * The calling host ($REMOTEWWWROOT) must be one of the service providers for
 * the user's auth instance; otherwise nothing is destroyed.
 *
 * @param   string  $username       Username for session to kill
 * @param   string  $useragent      SHA1 hash of user agent to look for
 * @return  string|bool             A plaintext refusal message when the calling
 *                                  host is not permitted, otherwise true
 */
function kill_children($username, $useragent) {
    global $REMOTEWWWROOT; // comes from server.php
    //require_once(get_config('docroot') .'api/xmlrpc/client.php');

    // We've received a logout request for user X. In Mahara, usernames are unique. So we check that user X 
    // has an authinstance that would have been able to SSO to the remote site.
    $userid = get_field('usr', 'id', 'username', $username);
    $providers = get_service_providers(get_field('usr', 'authinstance', 'username', $username));

    // Authorisation: only a host this user could have jumped to may end the
    // user's sessions.
    $approved = false;
    foreach ($providers as $provider) {
        if ($provider['wwwroot'] == $REMOTEWWWROOT) {
            $approved = true;
            break;
        }
    }

    if (false == $approved) {
        return 'This host is not permitted to kill sessions for this username';
    }

    // Sessions are matched on user id plus the caller-supplied user-agent hash.
    // NOTE(review): other get_records_* callers in this file compare the result
    // with false; if that is what an empty result looks like here, the foreach
    // below would warn - confirm.
    $mnetsessions = get_records_select_array('sso_session', 'userid = ? AND useragent = ?', array($userid, $useragent));

    // Prepare to destroy local sessions associated with the user
    // Output is buffered and session cookies are switched off so that opening
    // the other users' sessions below does not emit headers for this request.
    // $start (and $end further down) are assigned but never read.
    $start = ob_start();
    $uc = ini_get('session.use_cookies');
    ini_set('session.use_cookies', false);
    // NOTE(review): clone is applied to $_SESSION, which PHP normally exposes
    // as an array rather than an object - confirm this behaves as intended.
    $sesscache = isset($_SESSION) ? clone($_SESSION) : null;
    $sessidcache = session_id();
    session_write_close();
    unset($_SESSION);

    foreach($mnetsessions as $mnetsession) {
        // Kills all local sessions associated with this user
        // TODO: We should send kill_child requests to the remote servers too
        // NOTE(review): session_unregister() was removed in PHP 5.4; emptying
        // $_SESSION and calling session_destroy() below covers the same ground.
        session_id($mnetsession->sessionid);
        session_start();
        session_unregister("USER");
        session_unregister("SESSION");
        unset($_SESSION);
        $_SESSION = array();
        session_destroy();
        session_write_close();
    }

    // We're done destroying local sessions
    // Restore the cookie setting and re-open the session this request started with.
    ini_set('session.use_cookies', $uc);
    if ($sessidcache) {
        session_name(get_config('cookieprefix') . 'mahara');
        session_id($sessidcache);
        session_start();
        $_SESSION = ($sesscache) ? clone($sesscache) : null;
        session_write_close();
    }
    $end = ob_end_clean();

    // Remove the SSO rows so the matching tokens can no longer be exchanged.
    delete_records('sso_session',
                   'useragent', $useragent,
                   'userid',    $userid);

    return true;
}

/**
 * Placeholder for RPC methods that have no implementation here.
 *
 * @return bool  Always true
 */
function xmlrpc_not_implemented()
{
    // Nothing to do: report success unconditionally.
    return true;
}

/**
 * List the hosts a user of the given auth instance may SSO out to.
 *
 * A host qualifies when an auth instance pointing at its wwwroot has
 * 'wessoout' enabled and either auto-creates users or has the given instance
 * as its parent. Results are memoised per instance for the current request.
 *
 * @param  mixed $instance  Auth instance id of the user
 * @return array            Rows as associative arrays with the keys name,
 *                          ssolandurl, wwwroot and instance; empty during
 *                          installation or when the query fails
 */
function get_service_providers($instance) {
    static $cache = array();

    // Nothing to look up while the installer is running.
    if (defined('INSTALLER')) {
        return array();
    }

    if (array_key_exists($instance, $cache)) {
        return $cache[$instance];
    }

    $query = "
        SELECT
            h.name,
            a.ssolandurl,
            h.wwwroot,
            aic.instance
        FROM
            {auth_instance_config} aic,
            {auth_instance_config} aic2,
            {auth_instance_config} aic3,
            {host} h,
            {application} a
        WHERE
          ((aic.value = '1' AND
            aic.field = 'theyautocreateusers' ) OR
           (aic.value = ?  AND
            aic.field = 'parent')) AND

            aic.instance = aic2.instance AND
            aic2.field = 'wwwroot' AND
            aic2.value = h.wwwroot AND

            aic.instance = aic3.instance AND
            aic3.field = 'wessoout' AND
            aic3.value = '1' AND

            a.name = h.appname";

    try {
        $rows = get_records_sql_assoc($query, array('value' => $instance));
    } catch (SQLException $e) {
        // Table doesn't exist yet; this result is deliberately not cached
        return array();
    }

    // Convert each row object into a plain array, keeping the row keys.
    $providers = array();
    if ($rows != false) {
        foreach ($rows as $key => $row) {
            $providers[$key] = get_object_vars($row);
        }
    }

    $cache[$instance] = $providers;
    return $providers;
}

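/**
 * Ask a remote host for its certificate with a 'system/keyswap' XML-RPC call,
 * sending our own certificate in the same request.
 *
 * The returned certificate is accepted only if its subject CN occurs in $uri,
 * and only accepted certificates are cached. (The response used to be cached
 * before that check, so a second call returned a certificate the first call
 * had rejected.)
 *
 * NOTE(review): the CN test is a substring match, so a short CN matches many
 * URIs; an exact comparison against the peer's wwwroot or host name would bind
 * the certificate more tightly. No TLS options are set on the request, so
 * transport protection depends on the URI scheme and libcurl defaults; the key
 * exchange is therefore trust-on-first-use unless the certificate is confirmed
 * out of band.
 *
 * @param  string      $uri          Root URL of the remote host
 * @param  string|null $application  Application name; 'moodle' when empty
 * @return string|false              The PEM certificate, or false when the
 *                                   response is empty or fails the CN check
 * @throws XmlrpcClientException     on an unknown application, transport
 *                                   failure, HTTP 4xx/5xx, or an XML-RPC fault
 */
function get_public_key($uri, $application=null) {

    static $keyarray = array();
    if (isset($keyarray[$uri])) {
        return $keyarray[$uri];
    }

    $openssl = OpenSslRepo::singleton();

    if (empty($application)) {
        $application = 'moodle';
    }

    $xmlrpcserverurl = get_field('application', 'xmlrpcserverurl', 'name', $application);
    if (empty($xmlrpcserverurl)) {
        throw new XmlrpcClientException('Unknown application');
    }
    $wwwroot = dropslash(get_config('wwwroot'));

    $rq = xmlrpc_encode_request('system/keyswap', array($wwwroot, $openssl->certificate), array("encoding" => "utf-8"));
    $ch = curl_init($uri . $xmlrpcserverurl);

    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Moodle');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $rq);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: text/xml charset=UTF-8", 'Expect: '));

    $raw           = curl_exec($ch);
    $response_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    // Release the handle before any of the error paths below can throw.
    curl_close($ch);

    if (empty($raw)) {
        throw new XmlrpcClientException('CURL connection failed');
    }

    $response_code_prefix = substr($response_code, 0, 1);

    if ('2' != $response_code_prefix) {
        if ('4' == $response_code_prefix) {
            throw new XmlrpcClientException('Client error code: ', $response_code);
        } elseif ('5' == $response_code_prefix) {
            throw new XmlrpcClientException('An error occurred at the remote server. Code: ', $response_code);
        }
    }

    $res = xmlrpc_decode($raw);

    // XMLRPC error messages are returned as an array
    // We are expecting a string
    if (is_array($res)) {
        throw new XmlrpcClientException($res['faultString'], $res['faultCode']);
    }

    if (!is_string($res) || !strlen(trim($res))) {
        return false;
    }

    // A response that does not parse as a certificate, or has no usable CN,
    // is rejected instead of being indexed as if parsing had succeeded.
    $credentials = openssl_x509_parse($res);
    if (!is_array($credentials) || !isset($credentials['subject']['CN'])) {
        return false;
    }

    $host = $credentials['subject']['CN'];
    // An empty needle would make strpos() report a match on current PHP.
    if (!is_string($host) || $host === '') {
        return false;
    }

    if (strpos($uri, $host) === false) {
        return false;
    }

    $keyarray[$uri] = $res;
    return $res;
}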

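/**
 * Output a valid XML-RPC error message.
 *
 * The document is echoed, not returned. The message is escaped for XML and
 * the code is forced to an integer, so text containing '<' or '&' (for
 * example an exception message) cannot break or alter the fault document.
 *
 * @param  string   $message              The error message
 * @param  int      $code                 Unique identifying integer
 * @return void
 */
function xmlrpc_error($message, $code) {
    $code    = (int)$code;
    $message = htmlspecialchars((string)$message, ENT_QUOTES, 'UTF-8');

    echo <<<EOF
<?xml version="1.0"?>
<methodResponse>
   <fault>
      <value>
         <struct>
            <member>
               <name>faultCode</name>
               <value><int>$code</int></value>
            </member>
            <member>
               <name>faultString</name>
               <value><string>$message</string></value>
            </member>
         </struct>
      </value>
   </fault>
</methodResponse>
EOF;
}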

/**
 * Open an XML-ENC envelope: decrypt the cipher data with our private key and
 * replace $xml with the parsed inner document.
 *
 * Decryption alone does not identify the sender (anyone holding our public
 * certificate can produce such an envelope); the signature on the inner
 * document is checked separately by xmldsig_envelope_strip().
 *
 * @param  SimpleXMLElement $xml       In: the envelope. Out: the parsed payload
 * @param  bool             $oldkeyok  Passed through to OpenSslRepo::openssl_open()
 * @return string                      The decrypted payload text
 */
function xmlenc_envelope_strip(&$xml, $oldkeyok=false) {
    $repo = OpenSslRepo::singleton();

    // Both values travel base64 encoded inside the envelope.
    $ciphertext = base64_decode($xml->EncryptedData->CipherData->CipherValue);
    $sealedkey  = base64_decode($xml->EncryptedKey->CipherData->CipherValue);

    $payload = $repo->openssl_open($ciphertext, $sealedkey, $oldkeyok);

    // The caller's variable now holds the decrypted document.
    $xml = parse_payload($payload);
    return $payload;
}

/**
 * Parse a decrypted payload into a SimpleXMLElement.
 *
 * NOTE(review): at this point the payload has been decrypted but its signature
 * has not been checked in this function, so it should be treated as untrusted
 * XML. Whether external entities are loaded depends on the libxml version and
 * options in use - confirm for the deployment.
 *
 * @param  string $payload
 * @return SimpleXMLElement
 * @throws MaharaException (6002) if the payload is not well-formed XML
 */
function parse_payload($payload) {
    try {
        return new SimpleXMLElement($payload);
    } catch (Exception $e) {
        throw new MaharaException('Encrypted payload is not a valid XML document', 6002);
    }
}

/**
 * Load the Peer record for a remote host, memoised per wwwroot.
 *
 * @param  string $wwwroot  Root URL the remote host identifies itself with
 * @param  bool   $cache    False to bypass the memoised copy and reload, as is
 *                          done after the peer's key may have changed
 * @return Peer
 * @throws MaharaException (6003) if the host is not known to this site
 */
function get_peer($wwwroot, $cache=true) {
    static $peers = array();

    $wwwroot = (string)$wwwroot;

    if ($cache && isset($peers[$wwwroot])) {
        return $peers[$wwwroot];
    }

    require_once(get_config('libroot') . 'peer.php');

    $peer = new Peer();
    if (!$peer->findByWwwroot($wwwroot)) {
        // Bootstrap unknown hosts?
        throw new MaharaException('We don\'t have a record for your webserver in our database', 6003);
    }

    // Store the fresh copy even when the cache was bypassed for this call.
    $peers[$wwwroot] = $peer;
    return $peers[$wwwroot];
}

/**
 * Check that the signature has been signed by the remote host, then replace
 * $xml with the parsed signed document.
 *
 * The envelope's <wwwroot> selects which known peer's certificate is used.
 * If verification fails cleanly, one request is sent to that peer so it can
 * hand over a new key, and verification is retried once with the reloaded
 * peer record.
 *
 * NOTE(review): <timestamp> is read but never checked, and it sits outside the
 * signed <object>, so this function does not reject old or replayed messages.
 * NOTE(review): any message that names a known wwwroot and fails verification
 * causes an outbound request to that peer; consider rate-limiting the refresh.
 *
 * @param  SimpleXMLElement $xml  In: the signed envelope. Out: the parsed payload
 * @return string                 The verified payload text
 * @throws MaharaException (6003) unknown peer, (6004) signature not verified,
 *                         (6007) payload is not valid XML
 */
function xmldsig_envelope_strip(&$xml) {

    $signature = base64_decode($xml->Signature->SignatureValue);
    $payload   = base64_decode($xml->object);
    $wwwroot   = (string)$xml->wwwroot;
    $timestamp = $xml->timestamp;
    $peer      = get_peer($wwwroot);

    // Does the signature match the data and the public cert?
    $verdict = openssl_verify($payload, $signature, $peer->certificate);

    if ($verdict != 1 && $verdict == 0) {
        // Maybe the remote host is using a new key?
        // Make a dummy request so we'll be given a new key
        log_info("Signature verification for message from $wwwroot failed, checking to see if they have a new signature for us");
        require_once(get_config('docroot') . 'api/xmlrpc/client.php');
        $client = new Client();
        $client->set_method('system/listServices')
               ->send($wwwroot);

        // Now use the new key and re-try verification
        $peer    = get_peer($wwwroot, false);
        $verdict = openssl_verify($payload, $signature, $peer->certificate);
        if ($verdict == 1) {
            log_info("Succefully retrieved a new key for $wwwroot");
        }
    }

    // Anything other than a positive result (including an OpenSSL error) is a
    // verification failure.
    if ($verdict != 1) {
        throw new MaharaException('An error occurred while trying to verify your message signature', 6004);
    }

    // Parse the XML
    try {
        $xml = new SimpleXMLElement($payload);
        return $payload;
    } catch (Exception $e) {
        throw new MaharaException('Signed payload is not a valid XML document', 6007);
    }
}

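/**
 * Encrypt a message and return it in an XML-Encrypted document
 *
 * This function can encrypt any content, but it was written to provide a system
 * of encrypting XML-RPC request and response messages. The message does not
 * need to be text - binary data should work.
 *
 * Asymmetric keys can encrypt only small chunks of data. Usually 1023 or 2047
 * characters, depending on the key size. So - we generate a symmetric key and
 * use the asymmetric key to secure it for transport with the data.
 *
 * We generate a symmetric key
 * We encrypt the symmetric key with the public key of the remote host
 * We encrypt our content with the symmetric key
 * We base64 the key & message data.
 * We identify our wwwroot - this must match our certificate's CN
 *
 * Normally, the XML-RPC document will be parceled inside an XML-SIG envelope.
 * We parcel the XML-SIG document inside an XML-ENC envelope.
 *
 * See the {@Link http://www.w3.org/TR/xmlenc-core/ XML-ENC spec} at the W3c
 * site
 *
 * NOTE(review): the envelope advertises RC4 ("arcfour") for the data and RSA
 * PKCS#1 v1.5 for the key, and openssl_seal() is called without naming a
 * cipher. Both are legacy choices; moving to a modern cipher needs a matching
 * change on every peer, so it is flagged here rather than changed.
 *
 * @param  string   $message              The data you want to encrypt
 * @param  string   $remote_certificate   Peer's certificate in PEM format
 * @return string                         An XML-ENC document
 * @throws MaharaException if the certificate yields no public key or the
 *                         message cannot be sealed
 */
function xmlenc_envelope($message, $remote_certificate) {

    // Generate a key from the remote_certificate text string
    $publickey = openssl_get_publickey($remote_certificate);

    // Test for failure instead of for the 'resource' type: newer PHP versions
    // return a key object here, which the old type test rejected.
    if ($publickey === false) {
        // Remote certificate is faulty.
        throw new MaharaException('Could not generate public key resource from certificate', 1);
    }

    // Initialize vars
    $wwwroot = dropslash(get_config('wwwroot'));
    $encryptedstring = '';
    $symmetric_keys = array();

    //      passed by ref ->      &$encryptedstring &$symmetric_keys
    $sealed = openssl_seal($message, $encryptedstring, $symmetric_keys, array($publickey));
    if ($sealed === false) {
        // Previously ignored: a failed seal produced an envelope with empty
        // cipher values.
        throw new MaharaException('Could not encrypt message for remote host', 1);
    }

    $message = base64_encode($encryptedstring);
    $symmetrickey = base64_encode(array_pop($symmetric_keys));
    $zed = 'nothing';

    return <<<EOF
<?xml version="1.0" encoding="iso-8859-1"?>
    <encryptedMessage>
        <EncryptedData Id="ED" xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#arcfour"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:RetrievalMethod URI="#EK" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
                <ds:KeyName>XMLENC</ds:KeyName>
            </ds:KeyInfo>
            <CipherData>
                <CipherValue>$message</CipherValue>
            </CipherData>
        </EncryptedData>
        <EncryptedKey Id="EK" xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>SSLKEY</ds:KeyName>
            </ds:KeyInfo>
            <CipherData>
                <CipherValue>$symmetrickey</CipherValue>
            </CipherData>
            <ReferenceList>
                <DataReference URI="#ED"/>
            </ReferenceList>
            <CarriedKeyName>XMLENC</CarriedKeyName>
        </EncryptedKey>
        <wwwroot>{$wwwroot}</wwwroot>
        <X1>$zed</X1>
    </encryptedMessage>
EOF;
}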

/**
 * Sign a message and return it in an XML-Signature document
 *
 * Written for XML-RPC request and response messages, but any content can be
 * signed: the message is base64 encoded inside the envelope, so it does not
 * need to be text.
 *
 * Steps:
 *  - compute the SHA1 digest of the raw message
 *  - sign the raw message with our private key
 *  - base64 the signature and the message
 *  - add our wwwroot (this must match our certificate's CN) and the current time
 *
 * The signature covers the message only. The <wwwroot> and <timestamp>
 * elements are added around it and are not themselves signed.
 *
 * NOTE(review): the envelope declares SHA1 and "dsa-sha1"; the algorithm
 * actually used is whatever OpenSslRepo::sign_message() applies with the local
 * key - confirm the declaration matches, and treat SHA1 as a legacy choice.
 *
 * See the {@Link http://www.w3.org/TR/xmldsig-core/ XML-DSig spec} at the W3c
 * site
 *
 * @param  string   $message              The data you want to sign
 * @return string                         An XML-DSig document
 */
function xmldsig_envelope($message) {

    $signer  = OpenSslRepo::singleton();
    $wwwroot = dropslash(get_config('wwwroot'));

    // Digest and signature are taken over the raw bytes, before encoding.
    $digest = sha1($message);
    $sig    = base64_encode($signer->sign_message($message));

    // From here on $message is the transport (base64) form.
    $message = base64_encode($message);
    $time    = time();
    // TODO: Provide RESTful access to our public key as per KeyInfo element

    return <<<EOF
<?xml version="1.0" encoding="iso-8859-1"?>
    <signedMessage>
        <Signature Id="MoodleSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
                <Reference URI="#XMLRPC-MSG">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>$digest</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>$sig</SignatureValue>
            <KeyInfo>
                <RetrievalMethod URI="{$wwwroot}/api/xmlrpc/publickey.php"/>
            </KeyInfo>
        </Signature>
        <object ID="XMLRPC-MSG">$message</object>
        <wwwroot>{$wwwroot}</wwwroot>
        <timestamp>$time</timestamp>
    </signedMessage>
EOF;

}

/**
 * Good candidate to be a singleton
 */
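class OpenSslRepo {

    /**
     * The active keypair. Keys used in this class:
     *   'certificate' - PEM self-signed certificate
     *   'keypair_PEM' - PEM private key (exported without a passphrase)
     *   'expires'     - UNIX timestamp read from the certificate
     *   'privatekey'  - OpenSSL handle for keypair_PEM
     *   'publickey'   - OpenSSL handle for the certificate's public key
     */
    private $keypair = array();

    /**
     * Sign a message with our private key so that peers can verify that it came
     * from us.
     *
     * No algorithm argument is passed to openssl_sign(), so PHP's default
     * (SHA-1) applies; changing it requires a matching change in every peer's
     * verifier.
     *
     * @param  string   $message
     * @return string   The raw signature, or an empty string if signing failed
     * @access public
     */
    public function sign_message($message) {
        $signature = '';
        if (!openssl_sign($message, $signature, $this->keypair['privatekey'])) {
            // Previously the result was ignored; the return value is unchanged
            // but the failure is now visible in the log.
            log_info('openssl_sign() failed; returning an empty signature');
        }
        return $signature;
    }

    /**
     * Decrypt some data using our private key and an auxiliary symmetric key.
     * The symmetric key encrypted the data, and then was itself encrypted with
     * our public key.
     * This is because asymmetric keys can only safely be used to encrypt
     * relatively short messages.
     *
     * If the current key fails, the archived keys from get_history() are tried
     * in order.
     *
     * NOTE(review): no cipher method is passed to openssl_open(). On PHP
     * versions where that argument is optional the default is RC4, and the
     * sealing peer has to use the same cipher - confirm both ends before
     * changing it.
     *
     * @param string   $data
     * @param string   $key
     * @param bool     $oldkeyok If true, we will simply return the data rather
     *                           than complaining about the key being old (if
     *                           we could decrypt it with an older key)
     * @return string
     * @throws CryptException code 7025 carrying our current certificate when
     *                        an archived key decrypted the data and $oldkeyok
     *                        is false; code 7025 with a text message when no
     *                        known key decrypts it
     * @access public
     */
    public function openssl_open($data, $key, $oldkeyok=false) {
        $payload = '';
        if (openssl_open($data, $payload, $key, $this->keypair['privatekey'])) {
            return $payload;
        }

        // Decryption failed... let's try our archived keys
        foreach ($this->get_history() as $keyset) {
            // Skip archive entries that carry no usable private key
            if (empty($keyset['keypair_PEM'])) {
                continue;
            }
            $keyresource = openssl_pkey_get_private($keyset['keypair_PEM']);
            if ($keyresource === false) {
                continue;
            }
            if (openssl_open($data, $payload, $key, $keyresource)) {
                // It's an older code, sir, but it checks out
                if ($oldkeyok) {
                    return $payload;
                }
                // We notify the remote host that the key has changed
                throw new CryptException($this->keypair['certificate'], 7025);
            }
        }

        throw new CryptException('We know nothing about the key used to encrypt this message', 7025);
    }

    /**
     * Singleton function keeps us from generating multiple instances of this
     * class
     *
     * @return object   The class instance
     * @access public
     */
    public static function singleton() {
        // Single instance, created on first use
        static $instance;

        if (!isset($instance)) {
            $instance = new OpenSslRepo();
        }
        return $instance;
    }

    /**
     * This is a singleton - don't try to create an instance by doing:
     * $openssl = new OpenSslRepo();
     * Instead, use:
     * $openssl = OpenSslRepo::singleton();
     *
     * Loads (or generates) the keypair; get_keypair() also opens the key
     * handles.
     */
    private function __construct() {
        if (empty($this->keypair)) {
            $this->get_keypair();
        }
    }

    /**
     * Open OpenSSL handles for the PEM material currently in $this->keypair.
     *
     * @access private
     */
    private function load_key_handles() {
        $this->keypair['privatekey'] = openssl_pkey_get_private($this->keypair['keypair_PEM']);
        $this->keypair['publickey']  = openssl_pkey_get_public($this->keypair['certificate']);
    }

    /**
     * Utility function to get old SSL keys from the config table, or create a
     * blank record if none exists.
     *
     * @return array    Array of keypair hashes
     * @access private
     */
    private function get_history() {
        $stored = get_field('config', 'value', 'field', 'openssl_history');
        if (empty($stored)) {
            $openssl_history = array();
            $record = new stdClass();
            $record->field = 'openssl_history';
            $record->value = serialize($openssl_history);
            insert_record('config', $record);
            return $openssl_history;
        }

        // NOTE(review): unserialize() runs on a value read from the config
        // table. That row holds archived private keys, and anything able to
        // write it also controls the input to this call. A format that cannot
        // instantiate objects would be safer but changes the stored data.
        $openssl_history = unserialize($stored);

        // A corrupted row must not break the callers' foreach/array_unshift
        if (!is_array($openssl_history)) {
            $openssl_history = array();
        }
        return $openssl_history;
    }

    /**
     * Utility function to stash old SSL keys in the config table. It will retain
     * a max of 'openssl_generations' which is itself a value in config
     * (set to 6 here when it is missing).
     *
     * @param  array    Array of keypair hashes
     * @return bool     Result of set_config()
     * @access private
     */
    private function save_history($openssl_history) {
        $openssl_generations = get_field('config', 'value', 'field', 'openssl_generations');
        if (empty($openssl_generations)) {
            set_config('openssl_generations', 6);
            $openssl_generations = 6;
        }
        // The config value comes back as a string
        $openssl_generations = (int) $openssl_generations;

        if (count($openssl_history) > $openssl_generations) {
            $openssl_history = array_slice($openssl_history, 0, $openssl_generations);
        }
        return set_config('openssl_history', serialize($openssl_history));
    }

    /**
     * The get Overloader will let you pull out the 'certificate' and 'expires'
     * values
     *
     * @param  string    Name of the value you want
     * @return mixed     The value of the thing you asked for or null (if it
     *                   doesn't exist or is private)
     * @access public
     */
    public function __get($name) {
        if ('certificate' === $name) {
            return $this->keypair['certificate'];
        }
        if ('expires' === $name) {
            return $this->keypair['expires'];
        }
        return null;
    }

    /**
     * Get the keypair. If it doesn't exist, create it. If it's out of date,
     * archive it and create a fresh pair.
     *
     * The certificate and private key are stored together in the
     * 'openssl_keypair' config row, joined by '@@@@@@@@'. The private key is
     * stored as exported by generate_keypair(), i.e. without a passphrase, so
     * the config table and its backups need the same protection as the key.
     *
     * @param  bool      True if you want to force fresh keys to be generated
     * @return bool      True when a keypair is loaded or was generated and
     *                   stored; false when generation failed (nothing is
     *                   written in that case)
     * @access public
     */
    public function get_keypair($regenerate = null) {
        $this->keypair = array();
        $records       = null;

        if ($records = get_records_select_menu('config', "field IN ('openssl_keypair', 'openssl_keypair_expires')", 'field', 'field, value')) {
            list($this->keypair['certificate'], $this->keypair['keypair_PEM']) = explode('@@@@@@@@', $records['openssl_keypair']);
            $this->keypair['expires'] = $records['openssl_keypair_expires'];
            if (empty($regenerate) && $this->keypair['expires'] > time()) {
                // Callers other than the constructor also need the handles
                $this->load_key_handles();
                return true;
            }
        }

        // Whatever was loaded above is the key being retired (empty on a
        // first run, when there is nothing to archive)
        $previous = $this->keypair;

        // Initialize a new set of SSL keys
        $this->keypair = array();
        $this->generate_keypair();
        if (empty($this->keypair['certificate']) || empty($this->keypair['keypair_PEM'])) {
            // Do not overwrite the stored keypair with empty values
            log_info('Key generation failed; the stored keypair has not been changed');
            $this->keypair = array();
            return false;
        }

        // Save out the old key
        $openssl_history = $this->get_history();
        if (!empty($previous)) {
            array_unshift($openssl_history, $previous);
        }
        $this->save_history($openssl_history);

        // A record for the keys: certificate first, then the private key,
        // matching the explode() above
        $keyrecord = new stdClass();
        $keyrecord->field = 'openssl_keypair';
        $keyrecord->value = $this->keypair['certificate'] . '@@@@@@@@' . $this->keypair['keypair_PEM'];

        // A convenience record for the keys' expire time (UNIX timestamp)
        $expiresrecord        = new stdClass();
        $expiresrecord->field = 'openssl_keypair_expires';

        // Getting the expire timestamp is convoluted, but required:
        $credentials = openssl_x509_parse($this->keypair['certificate']);
        if (is_array($credentials) && isset($credentials['validTo_time_t'])) {
            $expiresrecord->value = $credentials['validTo_time_t'];
            $this->keypair['expires'] = $credentials['validTo_time_t'];
        }

        db_begin();
        if (empty($records)) {
            insert_record('config', $keyrecord);
            insert_record('config', $expiresrecord);
        }
        else {
            update_record('config', $keyrecord,     array('field' => 'openssl_keypair'));
            update_record('config', $expiresrecord, array('field' => 'openssl_keypair_expires'));
        }
        db_commit();

        if (isset($this->keypair['expires'])) {
            // 24-hour clock: the previous 'h' format printed 12-hour time with no am/pm
            log_info("New public key has been generated. It expires " . date('Y/m/d H:i:s', $this->keypair['expires']));
        }
        else {
            log_info("New public key has been generated. Its expiry could not be read from the certificate");
        }

        $this->load_key_handles();
        return true;
    }

    /**
     * Generate a private key and a self-signed certificate for this site.
     *
     * Builds a distinguished name from site config (sitename, noreplyaddress,
     * country, province, locality, wwwroot), creates a CSR for a new key and
     * signs it with that same key for 365 days. The PEM certificate and PEM
     * private key are written to $this->keypair['certificate'] and
     * $this->keypair['keypair_PEM']; storing them is left to get_keypair().
     *
     * NOTE(review): the results of the openssl_* calls are not checked here;
     * get_keypair() detects a failed run by the missing PEM strings.
     *
     * @return OpenSslRepo  $this
     */
    private function generate_keypair() {
        $organization = get_config('sitename');
        $email        = get_config('noreplyaddress');
        $country      = get_config('country');
        $province     = get_config('province');
        $locality     = get_config('locality');

        //TODO: Create additional fields on site setup and read those from
        //      config. Then remove the next 3 lines
        if (empty($country))  $country  = 'NZ';
        if (empty($province)) $province = 'Wellington';
        if (empty($locality)) $locality = 'Te Aro';

        $dn = array(
           "countryName" => $country,
           "stateOrProvinceName" => $province,
           "localityName" => $locality,
           "organizationName" => $organization,
           "organizationalUnitName" => 'Mahara',
           "commonName" => get_config('wwwroot'),
           "emailAddress" => $email
        );

        // ensure we remove trailing slashes
        $dn["commonName"] = preg_replace(':/$:', '', $dn["commonName"]);

        // The key size has to be a key => value option and has to reach the
        // call that creates the key. The old array('private_key_bits',2048)
        // was a two-element list, so the requested size was never applied.
        $keyoptions = array('private_key_bits' => 2048);

        $new_key = openssl_pkey_new($keyoptions);
        $csr_rsc = openssl_csr_new($dn, $new_key, $keyoptions);
        $selfSignedCert = openssl_csr_sign($csr_rsc, null, $new_key, 365 /*days*/);
        unset($csr_rsc); // Free up the resource

        // We export our self-signed certificate to a string.
        openssl_x509_export($selfSignedCert, $this->keypair['certificate']);
        openssl_x509_free($selfSignedCert);

        // Export your public/private key pair as a PEM encoded string. You
        // can protect it with an optional passphrase if you wish.
        openssl_pkey_export($new_key, $this->keypair['keypair_PEM'] /* , $passphrase */);
        openssl_pkey_free($new_key);
        unset($new_key); // Free up the resource

        return $this;
    }
}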