diff options
author | Mario Vavti <mario@mariovavti.com> | 2017-09-08 09:22:36 +0200 |
---|---|---|
committer | Mario Vavti <mario@mariovavti.com> | 2017-09-08 09:22:36 +0200 |
commit | 108bb7649bb61bee65d9923c9080c3af8e715bc4 (patch) | |
tree | 4b96649d85d098de8e723df85b409cb0a43832d1 /Zotlabs | |
parent | 7b3aa92b5ad09c0820db2b20bc462c975f0d3aba (diff) | |
parent | 1104e2652f15aaa405208b6dec9e439fb8c39537 (diff) | |
download | volse-hubzilla-108bb7649bb61bee65d9923c9080c3af8e715bc4.tar.gz volse-hubzilla-108bb7649bb61bee65d9923c9080c3af8e715bc4.tar.bz2 volse-hubzilla-108bb7649bb61bee65d9923c9080c3af8e715bc4.zip |
Merge remote-tracking branch 'mike/master' into dev
Diffstat (limited to 'Zotlabs')
-rw-r--r-- | Zotlabs/Module/Magic.php | 35 | ||||
-rw-r--r-- | Zotlabs/Module/Owa.php | 57 | ||||
-rw-r--r-- | Zotlabs/Module/Rmagic.php | 4 | ||||
-rw-r--r-- | Zotlabs/Module/Wfinger.php | 42 | ||||
-rw-r--r-- | Zotlabs/Web/HTTPSig.php | 8 | ||||
-rw-r--r-- | Zotlabs/Web/WebServer.php | 6 | ||||
-rw-r--r-- | Zotlabs/Zot/Finger.php | 2 | ||||
-rw-r--r-- | Zotlabs/Zot/Verify.php | 16 |
8 files changed, 162 insertions, 8 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index bf3198067..342c11eb9 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -17,6 +17,7 @@ class Magic extends \Zotlabs\Web\Controller { $dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : ''); $test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0); $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0); + $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0); $delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : ''); $parsed = parse_url($dest); @@ -132,12 +133,44 @@ class Magic extends \Zotlabs\Web\Controller { if(local_channel()) { $channel = \App::get_channel(); + // OpenWebAuth + + if($owa) { + + $headers = []; + $headers['Accept'] = 'application/x-zot+json' ; + $headers['X-Open-Web-Auth'] = random_string(); + $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], + 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); + + $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); + + logger('owtfetch: ' . print_r($x,true)); + + if($x['success']) { + $j = json_decode($x['body'],true); + if($j['success'] && $j['token']) { + $x = strpbrk($dest,'?&'); + $args = (($x) ? '&owt=' . $j['token'] : '?f=&owt=' . $j['token']) . (($delegate) ? '&delegate=1' : ''); + goaway($dest . $args); + } + } + goaway($dest); + } + + $token = random_string(); + // $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey'])); - // $channel['token'] = $token; // $channel['token_sig'] = $token_sig; + + + + + + \Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']); $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel)) diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php new file mode 100644 index 000000000..0b625dbe5 --- /dev/null +++ b/Zotlabs/Module/Owa.php @@ -0,0 +1,57 @@ +<?php + + +namespace Zotlabs\Module; + + + +class Owa extends \Zotlabs\Web\Controller { + + function init() { + foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) { + + if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') { + if($head !== 'HTTP_AUTHORIZATION') { + $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head]; + continue; + } + + $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]); + if($sigblock) { + $keyId = $sigblock['keyId']; + + if($keyId) { + $r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash + where hubloc_addr = '%s' limit 1", + dbesc(str_replace('acct:','',$keyId)) + ); + if($r) { + $hubloc = $r[0]; + $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); + +logger('verified: ' . print_r($verified,true)); + + if($verified && $verified['header_signed'] && $verified['header_valid']) { + $token = random_string(32); + \Zotlabs\Zot\Verify::create('owt',0,$token,$r[0]['hubloc_addr']); + $x = json_encode([ 'success' => true, 'token' => $token ]); + header('Content-Type: application/x-zot+json'); + echo $x; + killme(); + } + } + } + } + $x = json_encode([ 'success' => false ]); + header('Content-Type: application/x-zot+json'); + echo $x; + killme(); + } + } + + $x = json_encode([ 'success' => false ]); + header('Content-Type: application/x-zot+json'); + echo $x; + killme(); + } +} diff --git a/Zotlabs/Module/Rmagic.php b/Zotlabs/Module/Rmagic.php index 9fcc72441..0c4eb9ae4 100644 --- a/Zotlabs/Module/Rmagic.php +++ b/Zotlabs/Module/Rmagic.php @@ -18,7 +18,7 @@ class Rmagic extends \Zotlabs\Web\Controller { if($r[0]['hubloc_url'] === z_root()) goaway(z_root() . '/login'); $dest = z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string); - goaway($r[0]['hubloc_url'] . '/magic' . '?f=&dest=' . $dest); + goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&dest=' . $dest); } } } @@ -63,7 +63,7 @@ class Rmagic extends \Zotlabs\Web\Controller { else $dest = urlencode(z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string)); - goaway($url . '/magic' . '?f=&dest=' . $dest); + goaway($url . '/magic' . '?f=&owa=1&dest=' . $dest); } } } diff --git a/Zotlabs/Module/Wfinger.php b/Zotlabs/Module/Wfinger.php index 07a7b7735..d0c4d73d2 100644 --- a/Zotlabs/Module/Wfinger.php +++ b/Zotlabs/Module/Wfinger.php @@ -30,9 +30,15 @@ class Wfinger extends \Zotlabs\Web\Controller { $resource = $_REQUEST['resource']; logger('webfinger: ' . $resource,LOGGER_DEBUG); + + $root_resource = false; + + if(strcasecmp(rtrim($resource,'/'),z_root()) === 0) + $root_resource = true; + $r = null; - if($resource) { + if(($resource) && (! $root_resource)) { if(strpos($resource,'acct:') === 0) { $channel = str_replace('acct:','',$resource); @@ -60,7 +66,25 @@ class Wfinger extends \Zotlabs\Web\Controller { header('Access-Control-Allow-Origin: *'); + + if($root_resource) { + $result['subject'] = $resource; + $result['properties'] = [ + 'https://w3id.org/security/v1#publicKeyPem' => get_config('system','pubkey') + ]; + $result['links'] = [ + [ + 'rel' => 'http://purl.org/openwebauth/v1', + 'type' => 'application/x-zot+json', + 'href' => z_root() . '/owa', + ], + ]; + + + + } + if($resource && $r) { $h = q("select hubloc_addr from hubloc where hubloc_hash = '%s' and hubloc_deleted = 0", @@ -84,7 +108,8 @@ class Wfinger extends \Zotlabs\Web\Controller { $result['properties'] = [ 'http://webfinger.net/ns/name' => $r[0]['channel_name'], - 'http://xmlns.com/foaf/0.1/name' => $r[0]['channel_name'] + 'http://xmlns.com/foaf/0.1/name' => $r[0]['channel_name'], + 'https://w3id.org/security/v1#publicKeyPem' => $r[0]['xchan_pubkey'] ]; foreach($aliases as $alias) @@ -124,6 +149,13 @@ class Wfinger extends \Zotlabs\Web\Controller { 'rel' => 'http://purl.org/zot/protocol', 'href' => z_root() . '/.well-known/zot-info' . '?address=' . $r[0]['xchan_addr'], ], + + [ + 'rel' => 'http://purl.org/openwebauth/v1', + 'type' => 'application/x-zot+json', + 'href' => z_root() . '/owa', + ], + [ 'rel' => 'magic-public-key', @@ -136,14 +168,16 @@ class Wfinger extends \Zotlabs\Web\Controller { $result['zot'] = zotinfo( [ 'address' => $r[0]['xchan_addr'] ]); } } - else { + + if(! $result) { header($_SERVER["SERVER_PROTOCOL"] . ' ' . 400 . ' ' . 'Bad Request'); killme(); } $arr = [ 'channel' => $r[0], 'request' => $_REQUEST, 'result' => $result ]; call_hooks('webfinger',$arr); - + + json_return_and_die($arr['result'],'application/jrd+json'); } diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php index 2b139a2a1..fee8aaa41 100644 --- a/Zotlabs/Web/HTTPSig.php +++ b/Zotlabs/Web/HTTPSig.php @@ -91,6 +91,9 @@ class HTTPSig { if($sig_block['algorithm'] === 'rsa-sha256') { $algorithm = 'sha256'; } + if($sig_block['algorithm'] === 'rsa-sha512') { + $algorithm = 'sha512'; + } if(! $key) { $result['signer'] = $sig_block['keyId']; @@ -113,6 +116,8 @@ class HTTPSig { $digest = explode('=', $headers['digest']); if($digest[0] === 'SHA-256') $hashalg = 'sha256'; + if($digest[0] === 'SHA-512') + $hashalg = 'sha512'; // The explode operation will have stripped the '=' padding, so compare against unpadded base64 if(rtrim(base64_encode(hash($hashalg,$body,true)),'=') === $digest[1]) { @@ -164,6 +169,9 @@ class HTTPSig { if($alg === 'sha256') { $algorithm = 'rsa-sha256'; } + if($alg === 'sha512') { + $algorithm = 'rsa-sha512'; + } $x = self::sign($request,$head,$prvkey,$alg); diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php index a66384c40..8431a2e0e 100644 --- a/Zotlabs/Web/WebServer.php +++ b/Zotlabs/Web/WebServer.php @@ -70,6 +70,12 @@ class WebServer { } } + if((x($_REQUEST,'owt')) && (! \App::$install)) { + $token = $_REQUEST['owt']; + \App::$query_string = strip_query_param(\App::$query_string,'owt'); + owt_init($token); + } + if((x($_SESSION, 'authenticated')) || (x($_POST, 'auth-params')) || (\App::$module === 'login')) require('include/auth.php'); diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php index dab7d9e01..348171bdc 100644 --- a/Zotlabs/Zot/Finger.php +++ b/Zotlabs/Zot/Finger.php @@ -123,7 +123,7 @@ class Finger { $x = json_decode($result['body'], true); $verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : '')); - + if($x && (! $verify['header_valid'])) { $signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null); if($signed_token) { diff --git a/Zotlabs/Zot/Verify.php b/Zotlabs/Zot/Verify.php index 06bd3188c..1d9e6de3f 100644 --- a/Zotlabs/Zot/Verify.php +++ b/Zotlabs/Zot/Verify.php @@ -31,6 +31,22 @@ class Verify { return false; } + + function get_meta($type,$channel_id,$token) { + $r = q("select id, meta from verify where vtype = '%s' and channel = %d and token = '%s' limit 1", + dbesc($type), + intval($channel_id), + dbesc($token) + ); + if($r) { + q("delete from verify where id = %d", + intval($r[0]['id']) + ); + return $r[0]['meta']; + } + return false; + } + function purge($type,$interval) { q("delete from verify where vtype = '%s' and created < %s - INTERVAL %s", dbesc($type), |