diff options
| -rw-r--r-- | mod/authtest.php | 43 | ||||
| -rw-r--r-- | mod/magic.php | 48 | ||||
| -rw-r--r-- | mod/post.php | 64 | ||||
| -rw-r--r-- | version.inc | 2 |
4 files changed, 147 insertions, 10 deletions
diff --git a/mod/authtest.php b/mod/authtest.php new file mode 100644 index 000000000..ec32fe171 --- /dev/null +++ b/mod/authtest.php @@ -0,0 +1,43 @@ +<?php + +require_once('include/zot.php'); +require_once('mod/magic.php'); + +function authtest_content(&$a) { + + + + $o .= '<h3>Magic-Auth Diagnostic</h3>'; + + if(! local_user()) { + notice( t('Permission denied.') . EOL); + return $o; + } + + $o .= '<form action="authtest" method="get">'; + $o .= 'Target URL: <input type="text" style="width: 250px;" name="dest" value="' . $_GET['dest'] .'" />'; + $o .= '<input type="submit" name="submit" value="Submit" /></form>'; + + $o .= '<br /><br />'; + + if(x($_GET,'dest')) { + $_REQUEST['test'] = 1; + $x = magic_init($a); + $o .= 'Local Setup returns: ' . print_r($x,true); + + + + if($x['url']) { + $z = z_fetch_url($x['url'] . '&test=1'); + if($z['success']) { + $j = json_decode($z['body'],true); + $o .= 'Remote site responded: ' . print_r($j,true); + } + else { + $o .= 'fetch url failure.' . print_r($z,true); + } + } + } + + return str_replace("\n",'<br />',$o); +} diff --git a/mod/magic.php b/mod/magic.php index a268f1ecb..03d09e70d 100644 --- a/mod/magic.php +++ b/mod/magic.php @@ -4,6 +4,7 @@ function magic_init(&$a) { + $ret = array('success' => false, 'url' => '', 'message' => ''); logger('mod_magic: invoked', LOGGER_DEBUG); logger('mod_magic: args: ' . print_r($_REQUEST,true),LOGGER_DATA); @@ -11,12 +12,18 @@ function magic_init(&$a) { $addr = ((x($_REQUEST,'addr')) ? $_REQUEST['addr'] : ''); $hash = ((x($_REQUEST,'hash')) ? $_REQUEST['hash'] : ''); $dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : ''); - $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0); + $test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0); + $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0); $parsed = parse_url($dest); - if(! $parsed) + if(! $parsed) { + if($test) { + $ret['message'] .= 'could not parse ' . $dest . EOL; + return($ret); + } goaway($dest); + } $basepath = $parsed['scheme'] . '://' . $parsed['host'] . (($parsed['port']) ? ':' . $parsed['port'] : ''); @@ -49,6 +56,10 @@ function magic_init(&$a) { goaway($dest); else { logger('mod_magic: no channels found for requested hub.' . print_r($_REQUEST,true)); + if($test) { + $ret['message'] .= 'This site has no previous connections with ' . $basepath . EOL; + return $ret; + } notice( t('Hub not found.') . EOL); return; } @@ -66,12 +77,22 @@ function magic_init(&$a) { call_hooks('magic_auth',$arr); $dest = $arr['destination']; - if(! $arr['proceed']) + if(! $arr['proceed']) { + if($test) { + $ret['message'] .= 'cancelled by plugin.' . EOL; + return $ret; + } goaway($dest); + } if((get_observer_hash()) && ($x[0]['hubloc_url'] === z_root())) { // We are already authenticated on this site and a registered observer. // Just redirect. + if($test) { + $ret['success'] = true; + $ret['message'] .= 'Local site - you are already authenticated.' . EOL; + return $ret; + } goaway($dest); } @@ -92,12 +113,25 @@ function magic_init(&$a) { dbesc(datetime_convert()) ); - $target_url = $x[0]['hubloc_callback']; + $target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode($channel['channel_address'] . '@' . $a->get_hostname()) + . '&sec=' . $token . '&dest=' . urlencode($dest) . '&version=' . ZOT_REVISION; + logger('mod_magic: redirecting to: ' . $target_url, LOGGER_DEBUG); - goaway($target_url - . '/?f=&auth=' . urlencode($channel['channel_address'] . '@' . $a->get_hostname()) - . '&sec=' . $token . '&dest=' . urlencode($dest) . '&version=' . ZOT_REVISION); + if($test) { + $ret['success'] = true; + $ret['url'] = $target_url; + $ret['message'] = 'token ' . $token . ' created for channel ' . $channel['channel_id'] . ' for url ' . $x[0]['hubloc_url'] . EOL; + return $ret; + } + + goaway($target_url); + + } + + if($test) { + $ret['message'] = 'Not authenticated or invalid arguments to mod_magic' . EOL; + return $ret; } goaway($dest); diff --git a/mod/post.php b/mod/post.php index e589378dc..31f17a873 100644 --- a/mod/post.php +++ b/mod/post.php @@ -83,12 +83,15 @@ function post_init(&$a) { */ if(array_key_exists('auth',$_REQUEST)) { + + $ret = array('success' => false, 'message' => ''); + logger('mod_zot: auth request received.'); $address = $_REQUEST['auth']; $desturl = $_REQUEST['dest']; $sec = $_REQUEST['sec']; $version = $_REQUEST['version']; - + $test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0); // They are authenticating ultimately to the site and not to a particular channel. // Any channel will do, providing it's currently active. We just need to have an @@ -100,8 +103,12 @@ function post_init(&$a) { if(! $c) { // nobody here - logger('mod_zot: auth: unable to find a response channel'); + if($test) { + $ret['message'] .= 'no local channels found.' . EOL; + json_return_and_die($ret); + } + goaway($desturl); } @@ -124,6 +131,12 @@ function post_init(&$a) { } if(! $x) { logger('mod_zot: auth: unable to finger ' . $address); + + if($test) { + $ret['message'] .= 'no hubloc found for ' . $address . ' and probing failed.' . EOL; + json_return_and_die($ret); + } + goaway($desturl); } @@ -143,6 +156,8 @@ function post_init(&$a) { $already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote) && ($x[0]['hubloc_url'] === $_SESSION['remote_hub'])) ? true : false); + $j = array(); + if(! $already_authed) { // Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the site private key @@ -150,9 +165,21 @@ function post_init(&$a) { // which can be verified $p = zot_build_packet($c[0],$type = 'auth_check', array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec); + if($test) { + $ret['message'] .= 'auth check packet created using sitekey ' . $x[0]['hubloc_sitekey'] . EOL; + $ret['message'] .= 'packet contents: ' . $p . EOL; + } + $result = zot_zot($x[0]['hubloc_callback'],$p); + + $ret['message'] .= 'auth check request to your site returned .' . print_r($result, true) . EOL; + if(! $result['success']) { logger('mod_zot: auth_check callback failed.'); + if($test) { + json_return_and_die($ret); + } + goaway($desturl); } $j = json_decode($result['body'],true); @@ -163,6 +190,11 @@ function post_init(&$a) { // legit response, but we do need to check that this wasn't answered by a man-in-middle if(! rsa_verify($sec . $x[0]['xchan_hash'],base64url_decode($j['confirm']),$x[0]['xchan_pubkey'])) { logger('mod_zot: auth: final confirmation failed.'); + if($test) { + $ret['message'] .= 'final confirmation failed. ' . $sec . print_r($j,true) . print_r($x[0],true); + json_return_and_die($ret); + } + goaway($desturl); } if(array_key_exists('service_class',$j)) @@ -177,11 +209,23 @@ function post_init(&$a) { if($a->channel['channel_hash'] != $x[0]['xchan_hash']) { logger('mod_zot: auth: already authenticated locally as somebody else.'); notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry.') . EOL); + if($test) { + $ret['message'] .= 'already logged in locally with a conflicting identity.' . EOL; + json_return_and_die($ret); + } + } goaway($desturl); } // log them in + if($test) { + $ret['success'] = true; + $ret['message'] .= 'Success' . EOL; + json_return_and_die($ret); + } + + $_SESSION['authenticated'] = 1; $_SESSION['visitor_id'] = $x[0]['xchan_hash']; $_SESSION['my_address'] = $address; @@ -197,6 +241,11 @@ function post_init(&$a) { logger('mod_zot: auth success from ' . $x[0]['xchan_addr']); } else { + if($test) { + $ret['message'] .= 'auth failure. ' . print_r($_REQUEST,true) . print_r($j,true) . EOL; + json_return_and_dir($ret); + } + logger('mod_zot: magic-auth failure - not authenticated: ' . $x[0]['xchan_addr']); q("update hubloc set hubloc_status = (hubloc_status | %d ) where hubloc_id = %d ", intval(HUBLOC_RECEIVE_ERROR), @@ -208,6 +257,11 @@ function post_init(&$a) { // This does however prevent a recursion if you visit rmagic directly, as it would otherwise send you back here again. // But z_root() probably isn't where you really want to go. + if($test) { + $ret['message'] .= 'auth failure fallthrough ' . print_r($_REQUEST,true) . print_r($j,true) . EOL; + json_return_and_dir($ret); + } + if(strstr($desturl,z_root() . '/rmagic')) goaway(z_root()); @@ -608,6 +662,7 @@ function post_post(&$a) { if(! $encrypted_packet) { logger('mod_zot: auth_check packet was not encrypted.'); + $ret['message'] .= 'no packet encryption' . EOL; json_return_and_die($ret); } @@ -628,11 +683,14 @@ function post_post(&$a) { if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { logger('mod_zot: auth_check: sender not found or secret_sig invalid.'); + $ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL; json_return_and_die($ret); } // There should be exactly one recipient, the original auth requestor + $ret['message'] .= 'recipients ' . print_r($recipients,true) . EOL; + if($data['recipients']) { $arr = $data['recipients'][0]; @@ -642,6 +700,7 @@ function post_post(&$a) { ); if(! $c) { logger('mod_zot: auth_check: recipient channel not found.'); + $ret['message'] .= 'recipient not found.' . EOL; json_return_and_die($ret); } @@ -657,6 +716,7 @@ function post_post(&$a) { ); if(! $z) { logger('mod_zot: auth_check: verification key not found.'); + $ret['message'] .= 'verification key not found' . EOL; json_return_and_die($ret); } $r = q("delete from verify where id = %d limit 1", diff --git a/version.inc b/version.inc index 8e4f4a4dc..b1d3ec938 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2013-12-04.517 +2013-12-05.518 |