Example #1
0
 function __construct($person)
 {
     parent::__construct($person);
     $this->attributes = array();
     $this->idp = "";
     $personIndex = 0;
     try {
         $personIndex = (int) Config::get_config('bypass_id');
     } catch (KeyNotFoundException $knfe) {
         Logger::log_event(LOG_NOTICE, __FILE__ . ":" . __LINE__ . " bypass_id not set in config. Using default ID.");
     }
     switch ($personIndex) {
         case 0:
             $this->attributes = array('cn2' => array('John Doe'), 'eduPersonPrincipalName' => array('jdoe@example.org'), 'mail2' => array('john.doe@example.org'), 'country' => array('NN'), 'organization' => array('o=Hogwarts, dc=hsww, dc=wiz'), 'nren' => array('testnren'), 'eduPersonEntitlement2' => array('urn:mace:feide.no:sigma.uninett.no:confusa'));
             $this->idp = "idp.example.org";
             break;
         case 1:
             $this->attributes = array('cn2' => array('Jane Doe'), 'eduPersonPrincipalName' => array('janedoe@example.org'), 'mail2' => array('jane.doe@example.org', 'jane@example.org', 'janed@example.org'), 'country' => array('NN'), 'organization' => array('o=Barad, dc=Dur'), 'nren' => array('testnren'), 'eduPersonEntitlement2' => array('urn:mace:feide.no:sigma.uninett.no:confusaAdmin', 'urn:mace:feide.no:sigma.uninett.no:confusa'));
             $this->idp = "idp.example.org";
             break;
         case 2:
         default:
             $this->attributes = array('cn2' => array('Ola Nordmann'), 'eduPersonPrincipalName' => array('onordmann@example.org', 'olamann@example.org', 'ola@example.org'), 'mail2' => array('ola.nordmann@example.org'), 'country' => array('NO'), 'organization' => array('o=Hogwarts, dc=hsww, dc=wiz'), 'nren' => array('testnren'), 'eduPersonEntitlement2' => array('urn:mace:feide.no:sigma.uninett.no:confusa'));
             $this->idp = "idp.example.org";
             break;
     }
 }
Example #2
0
 public function process()
 {
     if (!$this->person->isNRENAdmin() && !$this->person->isSubscriberAdmin()) {
         Logger::log_event(LOG_NOTICE, "User " . stripslashes($this->person->getX509ValidCN()) . " tried to access the NREN-area");
         $this->tpl->assign('reason', 'You are not an NREN or subscriber-admin');
         $this->tpl->assign('content', $this->tpl->fetch('restricted_access.tpl'));
         return;
     }
     if (isset($_GET['attr_value'])) {
         /* no need for sanitization, only used in array lookup & does not go
          * into the DB
          */
         $this->handleAttrValueAJAX($_GET['attr_value']);
         return;
     }
     $this->tpl->assign('handle_map', true);
     if ($this->person->isNRENAdmin()) {
         $map = $this->person->getNREN()->getMap();
     } else {
         if ($this->person->isSubscriberAdmin()) {
             /* This will get the Subscriber-map if available,
              * otherwise it will return the NREN-map. */
             $map = $this->person->getMap();
         }
     }
     $auth = AuthHandler::getAuthManager($this->person);
     if (isset($map['epodn'])) {
         $epodn = implode(', ', $auth->getAttributeValue($map['epodn']));
         $this->tpl->assign('epodn', $epodn);
     } else {
         $this->tpl->assign('epodn', '');
     }
     if (isset($map['cn'])) {
         $cn = implode(', ', $auth->getAttributeValue($map['cn']));
         $this->tpl->assign('cn', $cn);
     } else {
         $this->tpl->assign('cn', '');
     }
     if (isset($map['mail'])) {
         $mail = implode(', ', $auth->getAttributeValue($map['mail']));
         $this->tpl->assign('mail', $mail);
     } else {
         $this->tpl->assign('mail', '');
     }
     if (isset($map['entitlement'])) {
         $entitlement = implode(', ', $auth->getAttributeValue($map['entitlement']));
         $this->tpl->assign('entitlement', $entitlement);
     } else {
         $this->tpl->assign('entitlement', '');
     }
     $this->tpl->assign('map', $map);
     $this->tpl->assign('keys', AuthHandler::getAuthManager($this->person)->getAttributeKeys($this->person->isNRENAdmin()));
     $this->tpl->assign('content', $this->tpl->fetch('attributes.tpl'));
 }
Example #3
0
 public function process()
 {
     if (Config::get_config('cert_product') == PRD_PERSONAL) {
         $this->tpl->assign('cps', ConfusaConstants::$LINK_PERSONAL_CPS);
     } else {
         $this->tpl->assign('cps', ConfusaConstants::$LINK_ESCIENCE_CPS);
     }
     Logger::log_event(LOG_INFO, "User acknowledged session: " . CS::getSessionKey('hasAcceptedAUP'));
     $this->tpl->assign('aup_session_state', CS::getSessionKey('hasAcceptedAUP'));
     $this->tpl->assign('privacy_notice_text', $this->person->getNREN()->getPrivacyNotice($this->person));
     $this->tpl->assign('content', $this->tpl->fetch('confirm_aup.tpl'));
 }
Example #4
0
 /**
  * Constructor
  *
  * Note that the person is tied to a OAuth datastore here
  */
 function __construct($person = NULL)
 {
     parent::__construct($person);
     /* Find the path to simpelsamlphp and run the autoloader */
     try {
         $sspdir = Config::get_config('simplesaml_path');
     } catch (KeyNotFoundException $knfe) {
         echo "Cannot find path to simplesaml. This install is not valid. Aborting.<br />\n";
         Logger::log_event(LOG_ALERT, "Trying to instantiate simpleSAMLphp without a configured path.");
         exit(0);
     }
     require_once $sspdir . '/lib/_autoload.php';
     SimpleSAML_Configuration::setConfigDir($sspdir . '/config');
     $this->oauthStore = new OAuthDataStore_Confusa();
     $this->oauthServer = new sspmod_oauth_OAuthServer($this->oauthStore);
     $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
     $this->oauthServer->add_signature_method($hmac_method);
     $req = OAuthRequest::from_request();
     list($consumer, $this->accessToken) = $this->oauthServer->verify_request($req);
     $this->isAuthenticated = isset($this->accessToken);
 }
Example #5
0
 public function process()
 {
     if (!$this->person->isNRENAdmin()) {
         Logger::log_event(LOG_NOTICE, "User " . stripslashes($this->person->getX509ValidCN()) . " tried to access the NREN-area");
         $this->tpl->assign('reason', 'You are not an NREN-admin');
         $this->tpl->assign('content', $this->tpl->fetch('restricted_access.tpl'));
         return;
     }
     $this->tpl->assign('nren_maint_msg', $this->person->getNREN()->getMaintMsg());
     /* set maint-mode msg */
     if ($this->person->getNREN()->getMaintMode() === "y") {
         $this->tpl->assign('maint_mode_msg', $this->translateTag('l10n_nren_maint_mode_enabled', 'portal_config'));
     } else {
         $this->tpl->assign('maint_mode_msg', $this->translateTag('l10n_nren_maint_mode_disabled', 'portal_config'));
     }
     /* set the radio-buttons */
     $this->tpl->assign('maint_mode_v', array('y', 'n'));
     $this->tpl->assign('maint_mode_t', array(' enabled', ' disabled'));
     $this->tpl->assign('maint_mode_selected', $this->person->getNREN()->getMaintMode());
     $this->tpl->assign('maint_mode', $this->person->getNREN()->getMaintMode() === 'y');
     $this->tpl->assign('content', $this->tpl->fetch('portal_config.tpl'));
 }
Example #6
0
 public static function curlContactCert($url, $key, $cert, $keypw = false, $postData = null)
 {
     if (is_null($key) || is_null($cert) || $key === "" || $cert === "") {
         throw new ConfusaGenException("Empty key or certificate received " . "when using curlContactCert(). " . "Aborting curl-transfer to url: {$url}");
     }
     if (is_null($postData) || !is_array($postData) || count($postData) == 0) {
         return false;
     }
     /* Do basic URL filtering */
     $curlurl = Input::sanitizeURL($url);
     if (is_null($curlurl) || $curlurl === "" || filter_var($curlurl, FILTER_VALIDATE_URL) === false) {
         Logger::log_event(LOG_NOTICE, "invalid URL (" . $curlurl . "), aborting curl-fetch.");
         return false;
     }
     Logger::log_event(LOG_DEBUG, "Contacting {$curlurl} using cert AuthN");
     /* key should be encrypted, if not, do not use it (not safe!) */
     $start = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
     if (substr($key, 0, strlen($start)) !== $start) {
         Logger::log_event(LOG_NOTICE, "Trying to use curlContactCert with unecrypted private key, aborting.");
         return false;
     }
     $rkey = openssl_pkey_get_private($key, $keypw);
     if ($rkey === false) {
         Logger::log_event(LOG_NOTICE, "Could not parse private key for CurlContactCert, aborting");
         return false;
     }
     if (!openssl_x509_check_private_key($cert, $rkey)) {
         Logger::log_event(LOG_NOTICE, "Provided key and certificate is not a pair, cannot continue.");
         /* throw exception? */
         return false;
     }
     $rcert = new Certificate($cert);
     if (!$rcert->isValid()) {
         $logline = "Certificate (" . $rcert->getHash() . ") has expired, cannot use this. Aborting curl.";
         Logger::log_event(LOG_NOTICE, $logline);
         return false;
     }
     if (!file_exists("/tmp/" . $rcert->getHash() . ".key") || !file_exists("/tmp/" . $rcert->getHash() . ".crt")) {
         if (file_put_contents("/tmp/" . $rcert->getHash() . ".key", $key) === false) {
             Logger::log_event(LOG_NOTICE, "Could not write key to file");
         }
         if (file_put_contents("/tmp/" . $rcert->getHash() . ".crt", $cert) === false) {
             Logger::log_event(LOG_NOTICE, "Could not write cert to file");
         }
     }
     $options = array(CURLOPT_URL => $curlurl, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_SSLKEY => "/tmp/" . $rcert->getHash() . ".key", CURLOPT_SSLCERT => "/tmp/" . $rcert->getHash() . ".crt", CURLOPT_SSLKEYPASSWD => $keypw, CURLOPT_HEADER => false, CURLOPT_FOLLOWLOCATION => true, CURLOPT_RETURNTRANSFER => 1, CURLOPT_CONNECTTIMEOUT => 15);
     $channel = curl_init();
     curl_setopt_array($channel, $options);
     $data = curl_exec($channel);
     $status = curl_errno($channel);
     curl_close($channel);
     if ($status !== 0) {
         throw new ConfusaGenException("Could not connect properly to remote " . "endpoint {$curlurl} using cert-based authN! " . "Maybe the Confusa instance is misconfigured? " . "Please contact an administrator!");
     }
     return $data;
 }
Example #7
0
 /** getCountriesIdP() return all countries and IdP present in the database
  *
  * @params void
  * @return array list of available countries with corresponding IdP(s)
  * @access private
  */
 private function getCountriesIdP()
 {
     if (isset($this->cidp)) {
         return $this->cidp;
     }
     try {
         $res = MDB2Wrapper::execute("SELECT idp_url, country, name FROM nrens n " . "LEFT JOIN idp_map im ON n.nren_id = im.nren_id", NULL, NULL);
     } catch (ConfusaGenException $cge) {
         Logger::log_event(LOG_WARNING, "Could not get IdP-URLs from the database, " . "make sure DB-connection is properly configured\n");
         Framework::error_output($this->translateTag('l10n_err_db_select', 'disco'));
         return array();
     }
     $this->cidp = array();
     foreach ($res as $key => $value) {
         if (!isset($this->cidp[$value['country']])) {
             $this->cidp[$value['country']] = array();
         }
         $this->cidp[$value['country']][] = $value['idp_url'];
     }
     return $res;
 }
Example #8
0
 /**
  * Update the contact information for a subscriber to a new value
  *
  * @param $contact_email string A general subscriber-mail address
  * @param $contact_phone string The (main) phone number of the subscriber
  * @param $resp_name string The name of a responsible person at the subscr.
  * @param $resp_email string e-mail address of a responsible person
  * @param $help_url string URL of the subscriber's helpdesk
  * @param $help_email string e-mail address of the subscriber's helpdesk
  * @param $language string the language code for the subscriber's preferred
  *                         language
  */
 private function updateSubscriberContact($language)
 {
     $subscriber = $this->person->getSubscriber();
     $subscriber->setEmail($contact_email);
     $subscriber->setPhone($contact_phone);
     $subscriber->setRespName($resp_name);
     $subscriber->setRespEmail($resp_email);
     $subscriber->setHelpURL($help_url);
     $subscriber->setHelpEmail($help_email);
     $subscriber->setLanguage($language);
     try {
         $subscriber->save();
     } catch (ConfusaGenException $cge) {
         Framework::error_output($this->translateTag('l10n_err_updatesubscr', 'contactinfo') . " " . htmlentities($cge->getMessage()));
         Logger::log_event(LOG_INFO, "[sadm] Could not update " . "contact of subscriber {$subscriber}: " . $cge->getMessage());
     }
     Framework::success_output($this->translateTag('l10n_suc_updatesubscr', 'contactinfo') . " " . htmlentities($subscriber->getIdPName()) . ".");
     Logger::log_event(LOG_DEBUG, "[sadm] Updated contact for subscriber {$subscriber}.");
 }
Example #9
0
 /**
  * Synchronize the changes in the subscriber object to the database or
  * freshly store the subscriber in the DB
  *
  * @param $forcedSynch boolean if true, UPDATE the db even if no the object
  *                             is not explicitly marked as having changed
  * @throws ConfusaGenException INSERT/UPDATE of the subscriber failed for
  *                             some reason
  * @access	public
  */
 public function save($forcedSynch = false)
 {
     if (!$this->isValid()) {
         return false;
     }
     if ($this->pendingChanges || $forcedSynch) {
         $query = "UPDATE subscribers SET ";
         if (!is_null($this->getEmail())) {
             $query .= " subscr_email=:subscr_email, ";
             $data['subscr_email'] = $this->getEmail();
         }
         if (!is_null($this->getPhone())) {
             $query .= " subscr_phone=:subscr_phone, ";
             $data['subscr_phone'] = $this->getPhone();
         }
         if (!is_null($this->getRespName())) {
             $query .= "subscr_resp_name=:subscr_resp_name, ";
             $data['subscr_resp_name'] = $this->getRespName();
         }
         if (!is_null($this->getRespEmail())) {
             $query .= "subscr_resp_email=:subscr_resp_email, ";
             $data['subscr_resp_email'] = $this->getRespEmail();
         }
         if (!is_null($this->getState())) {
             $query .= "org_state=:org_state, ";
             $data['org_state'] = $this->getState();
         }
         if (!is_null($this->getComment())) {
             $query .= "subscr_comment=:subscr_comment, ";
             $data['subscr_comment'] = $this->getComment();
         }
         if (!is_null($this->getLanguage())) {
             $query .= "lang=:lang, ";
             $data['lang'] = $this->getLanguage();
         }
         if (!is_null($this->getHelpURL())) {
             $query .= "subscr_help_url=:subscr_help_url, ";
             $data['subscr_help_url'] = $this->getHelpURL();
         }
         if (!is_null($this->getHelpEmail())) {
             $query .= "subscr_help_email=:subscr_help_email, ";
             $data['subscr_help_email'] = $this->getHelpEmail();
         }
         $query = substr($query, 0, -2) . " WHERE subscriber_id=:subscriber_id";
         $data['subscriber_id'] = $this->getDBID();
         try {
             MDB2Wrapper::update($query, null, $data);
             Logger::log_event(LOG_NOTICE, "Updated data for subscriber (" . $this->getDBID() . ") " . $this->getOrgName());
         } catch (DBStatementException $dbse) {
             $msg = __CLASS__ . "::" . __FUNCTION__ . "(" . __LINE__ . ") ";
             $msg .= "Cannot connect properly to database, some internal error. ";
             $msg .= "Make sure the DB is configured correctly." . $dbse->getMessage();
             throw new ConfusaGenException($msg);
         } catch (DBQueryException $dbqe) {
             $msg = __CLASS__ . "::" . __FUNCTION__ . "(" . __LINE__ . ") ";
             $msg .= "Cannot connect properly to database, ";
             $msg .= "errors with supplied data.";
             throw new ConfusaGenException($msg);
         }
         $this->pendingChanges = false;
         return true;
     }
     return false;
 }
Example #10
0
 /**
  * downloadArchive() pack the RI-library in a zip-file and present it as
  * a file to download.
  *
  * @param  : void
  * @return : Boolean True if no errors were encountered.
  */
 private function downloadArchive()
 {
     require_once 'file_download.php';
     $confusa_client = file_get_contents(Config::get_config('install_path') . "/extlibs/XML_Client/Confusa_Client.py");
     $parser = file_get_contents(Config::get_config('install_path') . "/extlibs/XML_Client/Parser.py");
     $https_client = file_get_contents(Config::get_config('install_path') . "/extlibs/XML_Client/HTTPSClient.py");
     $timeout = file_get_contents(Config::get_config('install_path') . "/extlibs/XML_Client/Timeout.py");
     $readme = file_get_contents(Config::get_config('install_path') . "/extlibs/XML_Client/README");
     $license = file_get_contents(Config::get_config('install_path') . "/extlibs/XML_Client/LICENSE");
     $gplv3 = file_get_contents(Config::get_config('install_path') . "/COPYING");
     $init = file_get_contents(Config::get_config('install_path') . "/extlibs/XML_Client/__init__.py");
     $zip = new ZipArchive();
     $name = tempnam($ZIP_CACHE, "XML_Cli_");
     $zip->open($name, ZipArchive::OVERWRITE);
     $zip->addFromString("XML_Client/Confusa_Client.py", $confusa_client);
     $zip->addFromString("XML_Client/Parser.py", $parser);
     $zip->addFromString("XML_Client/HTTPSClient.py", $https_client);
     $zip->addFromString("XML_Client/Timeout.py", $timeout);
     $zip->addFromString("XML_Client/README", $readme);
     $zip->addFromString("XML_Client/LICENSE", $license);
     $zip->addFromString("XML_Client/COPYING", $gplv3);
     $zip->addFromString("XML_Client/__init__.py", $init);
     if ($zip->numFiles != 8) {
         Logger::log_event(LOG_NOTICE, " Could not add all RI-library files to ZIP-archive.");
         Framework::error_output("Error creating archive. Cannot send");
         return False;
     }
     if ($zip->close()) {
         $contents = file_get_contents($name);
         download_zip($contents, "XML_Client.zip");
     }
     unlink($name);
     Logger::log_event(LOG_NOTICE, "Sending XML_Client.zip to " . $this->person->getEPPN());
     return True;
 }
Example #11
0
 /**
  * Guess the "best" language for a user. This should be called whenever a
  * decorated person object is availabe.
  * The "best" language is determined by the following order of steps:
  *
  * 1.) If there is already a language set (this->language) take that one.
  *     Thus the language settings can be functionaly overriden, e.g. in
  *     the framework.
  * 2.) The language stored in the cookie of the user dominates over everything else
  *     Thus, manually changing the language only means setting a cookie.
  * 3.) Try to take the language set by the subscriber, if the user is logged in
  * 4.) If the subscriber-language is NULL, take the language set by the NREN,
  *     if the user is logged in
  * 5.) If the user is not logged in and no session variable is set, take the
  *     first available language from the user's language accept-headers
  * 6.) If none of the languages in the user's accept header is available,
  *     take the default language of the Confusa instance (usually but not necessarily English)
  *
  * @param $person Person-oject (Decorated) Person, from the subscriber or
  *                             NREN of which translator can deduce the
  *                             best language
  * @return void
  */
 public function guessBestLanguage($person)
 {
     if ($this->languageOverridden) {
         return;
     }
     if (isset($_COOKIE['language'])) {
         $cookielang = Input::sanitizeLangCode($_COOKIE['language']);
         $this->language = $cookielang;
         return;
     }
     if ($person->isAuth()) {
         if (!is_null($person->getSubscriber())) {
             try {
                 $query = "SELECT lang FROM subscribers WHERE name=?";
                 $res = MDB2Wrapper::execute($query, array('text'), array($person->getSubscriber()->getIdPName()));
                 if (isset($res[0]['lang'])) {
                     setCookie('language', $res[0]['lang']);
                     $this->language = $res[0]['lang'];
                     return;
                 }
                 $query = "SELECT lang FROM nrens WHERE name=?";
                 $res = MDB2Wrapper::execute($query, array('text'), array($person->getNREN()));
                 if (isset($res[0]['lang'])) {
                     setCookie('language', $res[0]['lang']);
                     $this->language = $res[0]['lang'];
                     return;
                 }
             } catch (DBQueryException $dbqe) {
                 Logger::log_event(LOG_WARNING, "Could not query subscriber/NREN default language. " . "Falling back to system language default! " . $dbqe->getMessage());
             } catch (DBStatementException $dbse) {
                 Logger::log_event(LOG_WARNING, "Could not query subscriber/NREN default language. " . "Falling back to system default! " . $dbse->getMessage());
             }
         }
     }
     $sspdir = Config::get_config('simplesaml_path');
     /* turn off warnings to keep the page header tidy */
     $level = error_reporting(E_ERROR);
     /* poll the accept languages only, if we can load simplesamlphp
      * simplesamlphp *should* always be enabled (otherwise no authN :)),
      * But there can be configurations in bypass auth-mode without a working
      * simplesamlphp instance
      */
     if (file_exists($sspdir . "/lib/_autoload.php")) {
         require_once $sspdir . '/lib/_autoload.php';
         $accept_languages = SimpleSAML_Utilities::getAcceptLanguage();
         $available_languages = Config::get_config('language.available');
         if (empty($accept_languages)) {
             Logger::log_event(LOG_DEBUG, "Simplesamlphp instance seems to be not " . "configured, or not configured properly. Translator " . "will not use the browser's accept-header to determine " . "language settings.");
         }
         foreach ($accept_languages as $key => $value) {
             if (array_search($key, $available_languages) === FALSE) {
                 continue;
             } else {
                 $this->language = $key;
                 return;
             }
         }
     }
     /* turn on warnings again */
     error_reporting($level);
     $this->language = $this->defaultLanguage;
     return;
 }
Example #12
0
 /**
  * Delete the NREN logo for the given position within Confusa. This will
  * really delete the physical file containing the logo.
  *
  * @param $position string a position from
  *                  ConfusaConstants::$ALLOWED_IMG_POSITIONS
  * @param $nren string the name of the NREN, whose custom-logo should be
  *                     removed
  * @return void
  */
 private function deleteLogo($position, $nren)
 {
     $basepath = Config::get_config('custom_logo') . $nren . "/custom_";
     $basepath .= $position . ".";
     $result = FALSE;
     foreach (ConfusaConstants::$ALLOWED_IMG_SUFFIXES as $sfx) {
         $logoName = $basepath . $sfx;
         if (file_exists($logoName)) {
             $result = unlink($logoName);
             break;
         }
     }
     if ($result === FALSE) {
         Framework::error_output($this->translateTag('l10n_error_delete_logo', 'stylist'));
         Logger::log_event(LOG_INFO, "[nadm] Error when trying to delete " . "NREN logo {$logoName}, for NREN {$nren}.");
     } else {
         Framework::success_output($this->translateTag('l10n_success_delete_logo', 'stylist'));
     }
 }
Example #13
0
 public function revokeCert($key, $reason)
 {
     /* TODO: method stub
      *
      * At a first glance there seems to be no revoke function in php-openssl.
      * shell_exec('openssl ca -revoke...') would be possible but... eew...
      * Generously leaving this decision to Henrik ;-)
      *
      */
     $cmd = "./../cert_handle/revoke_cert.sh {$key} " . ConfusaConstants::$OPENSSL_CRL_FILE;
     $res = exec($cmd, $output, $return);
     foreach ($output as $line) {
         $msg .= $line . "<BR />\n";
     }
     if ((int) $return != 0) {
         Logger::log_event(LOG_NOTICE, "Problems revoking certificate for " . $this->getFullDN() . "({$key})");
         throw new CGE_KeyRevokeException($msg);
     }
     Logger::log_event(LOG_NOTICE, "Revoked certificate {$key} for user " . $this->getFullDN());
     if (!$this->deleteCertFromDB($key)) {
         Logger::log_event(LOG_NOTICE, "Could not delete certificate ({$key}) from database, revocation only partially completed.");
     }
     return true;
 }
 function new_access_token($requestToken, $consumer)
 {
     $data = $this->getAuthorizedData($requestToken->key);
     if (isset($data[ConfusaConstants::$OAUTH_VALIDITY_ATTRIBUTE])) {
         $validity = $data[ConfusaConstants::$OAUTH_VALIDITY_ATTRIBUTE];
     } else {
         $validity = ConfusaConstants::$DEFAULT_REAUTH_TIMEOUT;
     }
     /* need the validity in seconds */
     $validity = $validity * 60;
     Logger::log_event(LOG_DEBUG, '[OAuthDataStore_Confusa] OAuth new_access_token(' . $requestToken . ',' . $consumer . ')');
     $token = new OAuthToken(SimpleSAML_Utilities::generateID(), SimpleSAML_Utilities::generateID());
     $this->store->set('access', $token->key, $consumer->key, $token, $validity);
     return $token;
 }
Example #15
0
 /**
  * MDB2Wrapper::create() create the connection (connect and initialize)
  *
  * This function will retrieve the database-credentials from the
  * config-file. From this, it will connect tot he database and store the
  * connection so the other functions can use it.
  *
  * At the moment, this is hard-coded to mysql (see the naming
  * below), but if we should ever change to another database, this is the
  * place to add the logic).
  *
  */
 private static function create()
 {
     $uname = Config::get_config('mysql_username');
     $passwd = Config::get_config('mysql_password');
     $host = Config::get_config('mysql_host');
     $db = Config::get_config('mysql_db');
     $dsn = "mysql://{$uname}:{$passwd}@{$host}/{$db}";
     $options = array('debug' => 2, 'result_buffering' => true);
     MDB2Wrapper::$conn = MDB2::factory($dsn, $options);
     if (PEAR::isError(MDB2Wrapper::$conn)) {
         Logger::log_event(LOG_WARNING, MDB2Wrapper::$conn->getMessage());
         /* FIXME l10n, better error-reporting */
         echo "Cannot connect to database: " . MDB2Wrapper::$conn->getMessage() . "<br>\n";
         die(MDB2Wrapper::$conn->getMessage());
     }
 }
Example #16
0
 /**
  * decoratePerson - get the supplied attributes and add to the correct
  * fields in person
  *
  * This function is a bit fragile. The reason for this, is that it needs
  * to 'bootstrap' the map for person-identifier (e.g. ePPN)
  * through various encodings.
  *
  * One way would be to add a specific mapping for all known NRENs, but
  * we'd rather add a generic approach and just try the known encodings
  * and see if we find something there.
  *
  * If, for some reason, a new NREN/IdP fails to correctly decorate the
  * person-object, the problem most likely starts here.
  *
  * @author Henrik Austad <henrik.austad@uninett.no>
  * @author Thomas Zangerl <tzangerl@pdc.kth.se>
  *
  * @throws CGE_CriticalAttributeException If an attribute without which Confusa
  *                                        really can not work is not found
  * @throws MapNotFoundException           If the NREN-map is not found
  *
  * @param array	$attributes
  * @param String $idp
  * @throws MapNotFoundException
  */
 protected function decoratePerson($attributes, $idp)
 {
     $cnPrefix = "";
     $oPrefix = "";
     if (Config::get_config('capi_test')) {
         $cnPrefix = ConfusaConstants::$CAPI_TEST_CN_PREFIX;
         $oPrefix = ConfusaConstants::$CAPI_TEST_O_PREFIX;
     }
     if (is_null($idp)) {
         throw new CGE_CriticalAttributeException("Need the URL of the IdP in order to create an NREN-object!");
     }
     if (is_null($attributes)) {
         throw new CGE_CriticalAttributeException("Cannot find <b>any</b> attributes!");
     }
     /* From the IdP, find the NREN-details */
     $this->person->setNREN(new NREN($idp));
     if (is_null($this->person->getNREN()) || !$this->person->getNREN()->isValid()) {
         $msg = "Could not map from the identity provider to the NREN. ";
         $msg .= "Probably the idp_map in the database is not configured for your idp ({$idp}) ";
         $msg .= "Please tell an administrator about that problem!";
         throw new CGE_CriticalAttributeException($msg);
     }
     $nren_id = $this->person->getNREN()->getID();
     Logger::logEvent(LOG_INFO, "Confusa_Auth", "decoratePerson(..., {$idp})", "Decorating person with map from NREN {$nren_id}.");
     $map = $this->person->getMap();
     /* Normal mapping, this is what we want. */
     if ($this->mapSanityCheck($map)) {
         /* Now that we have the NREN-map, reiterate getMap() in
          * case we can find the subscriber-map. */
         $this->person->setSubscriber(new Subscriber($attributes[$map['epodn']][0], $this->person->getNREN()));
         $new_map = $this->person->getMap();
         if ($this->mapSanityCheck($new_map)) {
             $map = $new_map;
         }
         $eppn = Input::sanitizeEPPN($attributes[$map['eppn']][0]);
         $this->person->setEPPN($eppn);
         if (!is_null($map['eppn'])) {
             $this->person->setEPPNKey($map['eppn']);
         }
         if (!is_null($map['cn'])) {
             if (array_key_exists($map['cn'], $attributes)) {
                 $cn = mysql_real_escape_string($attributes[$map['cn']][0]);
                 $this->person->setName($cnPrefix . $cn);
             }
         }
         /* end map has cn */
         if (!is_null($map['mail'])) {
             if (array_key_exists($map['mail'], $attributes)) {
                 $mail = Input::sanitizeEmail($attributes[$map['mail']]);
                 $this->person->setEmail($mail);
             }
         }
         /* go through and add the relevant entitlement-parts.
          * TODO: cleanup this and move to person::setEntitlement()
          */
         if (!is_null($map['entitlement'])) {
             if (array_key_exists($map['entitlement'], $attributes)) {
                 $entitlements = $attributes[$map['entitlement']];
             }
         }
         if (isset($entitlements)) {
             $namespace = Config::get_config('entitlement_namespace');
             foreach ($entitlements as $key => $entitlementValue) {
                 $pos = strpos($entitlementValue, $namespace);
                 /* Note: we *must* check for both false *and*
                  * type, as we want pos to be 0 */
                 if ($pos === false || (int) $pos != 0) {
                     continue;
                 } else {
                     $val = explode(":", $entitlementValue);
                     if (count($val) !== count(explode(":", $namespace)) + 1) {
                         Framework::error_output("Error with namespace, too many objects in namespace (" . count($val) . ")");
                         continue;
                     }
                     /* only set the part *after*
                      * entitlement-namespace */
                     $entitlement = Input::sanitizeEntitlement($val[count($val) - 1]);
                     /* is the entitlement a valid entitlement? */
                     if ($entitlement == Config::get_config('entitlement_user') || $entitlement == Config::get_config('entitlement_admin')) {
                         $this->person->setEntitlement($entitlement);
                     }
                 }
             }
         }
     } else {
         /* At this point we're on shaky ground as we have to
          * 'see if we can find anything'
          *
          *		no map is set, can we find the ePPN in there?
          */
         $eppnKey = $this->findEPPN($attributes);
         if (!is_null($eppnKey)) {
             $eppn = Input::sanitizeEPPN($eppnKey['value']);
             $this->person->setEPPN($eppn);
             $this->person->setEPPNKey($eppnKey['key']);
         }
         /* is ePPN registred as NREN admin (from bootstrap) */
         if ($this->person->isNRENAdmin()) {
             if (is_array($map)) {
                 Logger::log_event(LOG_WARNING, "Map for NREN {$nren_id} ({$idp}) corrupted. " . "Contains empty fields, consider dropping the map.");
             }
             $msg = "No NREN map found!";
             if (Config::get_config('debug')) {
                 $msg .= "Raw-dump of supplied attributes:<br />\n";
                 $msg .= "<br /><pre>\n";
                 foreach ($attributes as $key => $val) {
                     $tabs = "\t";
                     if (strlen($key) < 8) {
                         $tabs .= "\t\t";
                     } else {
                         if (strlen($key) < 16) {
                             $tabs .= "\t";
                         }
                     }
                     $msg .= htmlentities("{$key}{$tabs}{$val[0]}") . "\n";
                 }
                 $msg .= "</pre><br />\n";
             }
             throw new MapNotFoundException($msg);
         }
     }
 }
Example #17
0
 /**
  * isCSRFAttempt() - test to see if the current connection is an CSRF
  *
  * If a GET or POST is set, the client tries to send data to the
  * portal, and we must make sure that the user is not being fooled by a
  * malicious site.
  *
  * @param	void
  * @return	boolean status indicating if a detectable
  * @access	private
  */
 private function isCSRFAttempt()
 {
     if (!empty($_GET) || !empty($_POST)) {
         $facsrft = null;
         if (isset($_GET) && array_key_exists('anticsrf', $_GET)) {
             $facsrft = Input::sanitizeAntiCSRFToken($_GET['anticsrf']);
         } else {
             if (isset($_POST) && array_key_exists('anticsrf', $_POST)) {
                 $facsrft = Input::sanitizeAntiCSRFToken($_POST['anticsrf']);
             } else {
                 if (isset($_GET) && array_key_exists('return', $_GET)) {
                     /* handle SSP redirect to idp_select */
                     $res = self::getCSRFRandToken(urldecode(urldecode($_GET['return'])));
                     Logger::log_event(LOG_WARNING, "Handling SSP redirect - " . $res['csrf'] . "\n");
                     if (is_array($res)) {
                         $facsrft = $res['full'];
                     }
                 }
             }
         }
         if (!self::validateACSRFT($facsrft)) {
             $msg = "Got a GET/POST request without the correct anticsrf tag.";
             $msg .= "Supplied: {$facsrft} (res: " . $res['full'] . ")";
             if (array_key_exists('HTTP_REFERER', $_SERVER)) {
                 $msg .= " Referer was " . $_SERVER['HTTP_REFERER'];
             }
             Logger::log_event(LOG_WARNING, "[Anti CSRF] {$msg}");
             return true;
         }
     }
     /* no detectable CSRF attempt */
     return false;
 }
Example #18
0
 /**
  * save() store updated results to the database, encrypting the password
  * before storage.
  */
 public function save($validate = true)
 {
     if (!$this->changed) {
         return false;
     }
     if ($validate && !CAHandler::getCA($this->person)->verifyCredentials($this->login_name, $this->password)) {
         /* FIXME: l10n */
         throw new ConfusaGenException("Invalid username/password, Comodo will not accept!");
     }
     /* We create a new ivector every time we save the password */
     $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CFB);
     $iv = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);
     $cryptpw = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, Config::get_config('capi_enc_pw'), base64_encode($this->password), MCRYPT_MODE_CFB, $iv));
     if (MDB2Wrapper::testColumn('nrens', 'login_name') && MDB2Wrapper::testColumn('nrens', 'password') && MDB2Wrapper::testColumn('nrens', 'ivector') && MDB2Wrapper::testColumn('nrens', 'ap_name')) {
         $sql = " UPDATE nrens SET login_name=?, password=?, ivector=?, ap_name=?";
         $sql .= " WHERE nren_id = ?";
         Logger::log_event(LOG_DEBUG, "Using the new database-schema for account-details");
     } else {
         if (isset($this->account_id)) {
             $sql = "UPDATE account_map SET login_name=?, password=?, ivector=?, ap_name=?";
             $sql .= " WHERE nren_id = ?";
         } else {
             $sql = "INSERT INTO account_map (login_name, password, ivector, ap_name, nren_id) ";
             $sql .= "VALUES(?, ?, ?, ?, ?)";
         }
     }
     $params = array('text', 'text', 'text', 'text', 'integer');
     $data = array($this->login_name, $cryptpw, base64_encode($iv), $this->ap_name, $this->nren->getID());
     try {
         MDB2Wrapper::update($sql, $params, $data);
         Logger::log_event(LOG_NOTICE, "account-data updated for NREN " . $this->nren->getID());
     } catch (DBQueryException $dqe) {
         $errorTag = PW::create();
         Logger::log_event(LOG_ERR, "Could not update the login-account with ID " . $this->account_id . " for " . $this->nren->getID() . "(" . $this->login_name . ")");
         return false;
     } catch (DBStatementException $dse) {
         $errorTag = PW::create();
         Logger::log_event(LOG_ERR, "Could not update the login-account for NREN " . $this->nren->getID() . " to new value {$login_name} " . $dse->getMessage());
         return false;
     }
     $this->changed = false;
     return true;
 }
Example #19
0
 /**
  * Revoke a list of certificates possibly belonging to more than one end-entity
  * based on an array of auth_keys stored in the session. Based on the number of
  * certificates that are going to be revoked, this may take some time.
  *
  * @param string $reason The reason for revocation (as in RFC 3280)
  *
  */
 private function revoke_list($reason)
 {
     if (Config::get_config('ca_mode') === CA_COMODO && Config::get_config('capi_test') === true) {
         Framework::message_output($this->translateTag('l10n_msg_revsim1', 'revocation'));
     }
     $auth_keys = CS::getSessionKey('auth_keys');
     CS::deleteSessionKey('auth_keys');
     if (is_null($auth_keys)) {
         Framework::error_output("Lost session! Please log-out of Confusa, " . "log-in again and try again!\n");
         return;
     }
     $num_certs = count($auth_keys);
     $num_certs_revoked = 0;
     Logger::log_event(LOG_INFO, "Trying to revoke {$num_certs} certificates." . "Administrator contacted us from " . $_SERVER['REMOTE_ADDR'] . " in a bulk (list) revocation request.");
     foreach ($auth_keys as $auth_key) {
         try {
             if (!$this->ca->revokeCert($auth_key, $reason)) {
                 Framework::error_output("Could not revoke certificate " . htmlentities($auth_key) . ".");
             } else {
                 $num_certs_revoked = $num_certs_revoked + 1;
             }
         } catch (ConfusaGenException $cge) {
             Framework::error_output($cge->getMessage());
         }
     }
     Logger::log_event(LOG_INFO, "Successfully revoked {$num_certs_revoked} certificates out of {$num_certs}. " . "Administrator contacted us from " . $_SERVER['REMOTE_ADDR'] . " in a bulk (list) revocation request.");
     Framework::message_output($this->translateTag('l10n_suc_revoke1', 'revocation') . " " . $num_certs_revoked . " " . $this->translateTag('l10n_suc_revoke2', 'revocation') . " " . $num_certs);
 }
Example #20
0
 private function deleteAdmin($admin, $level)
 {
     /* does the current user have the rights? */
     try {
         $query = "SELECT a.* FROM admins a LEFT JOIN nrens n on n.nren_id = a.nren";
         $query .= " WHERE (a.admin=? OR a.admin=?) AND n.name=?";
         $res = MDB2Wrapper::execute($query, array('text', 'text', 'text'), array($admin, $this->person->getEPPN(), $this->person->getNREN()));
         switch (count($res)) {
             case 0:
                 Framework::error_output("Did not find neither the admin to delete or the current admin in the database. Cannot continue.");
                 return;
             case 1:
                 if ($res[0]['admin'] != $admin) {
                     Framework::error_output("Cannot find the admin to delete in the admins-table. Cannot continue.");
                     return;
                 }
                 break;
             case 2:
                 $id = 0;
                 if ($res[1]['admin'] == $admin) {
                     $id = 1;
                 }
                 $nrenID = $res[$id]['nren'];
                 $subscriberID = $res[$id]['subscriber'];
                 break;
             default:
                 Framework::error_output("Too many hits in the database. Cannot decide where to go from here.");
                 return;
         }
     } catch (DBStatementException $dbse) {
         $msg = "Cannot find id-values in the database due to server problems. Server said: " . htmlentities($dbse->getMessage());
         Framework::error_output($msg);
         return;
     } catch (DBQueryException $dbqe) {
         $msg = "Cannot find id-values due to data inconsistency. Server said: " . htmlentities($dbqe->getMessage());
         Framework::error_output($msg);
         return;
     }
     /* Find the admin-level of both admins and make sure that the
      * enforcer (the admin performing the deletion) has the rights
      * to do so. */
     if ($res[0]['admin'] == $admin) {
         $targetLevel = (int) $res[0]['admin_level'];
         $enforcerLevel = (int) $res[1]['admin_level'];
     } else {
         $targetLevel = (int) $res[1]['admin_level'];
         $enforcerLevel = (int) $res[0]['admin_level'];
     }
     if ($enforcerLevel < $targetLevel) {
         Framework::error_output("Cannot delete admin with higher admin-level.");
         return;
     }
     if ($targetLevel == NREN_ADMIN) {
         $query = "DELETE FROM admins WHERE admin=? AND nren=?";
         $params = array('text', 'text');
         $data = array($admin, $nrenID);
     } else {
         $query = "DELETE FROM admins WHERE admin=? AND nren=? AND subscriber=?";
         $params = array('text', 'text', 'text');
         $data = array($admin, $nrenID, $subscriberID);
     }
     try {
         MDB2Wrapper::update($query, $params, $data);
         Logger::log_event(LOG_INFO, "Successfully deleted admin {$admin} with level {$targetLevel}");
     } catch (DBStatementException $dbse) {
         Framework::error_output("Could not delete the admin because the statement was bad " . "Please contact an administrator. Server said " . htmlentities($dbse->getMessage()));
         Logger::log_event(LOG_NOTICE, __FILE__ . ":" . __LINE__ . ": Problem occured when trying to delete " . "admin {$admin} with level {$level}: " . $dbse->getMessage());
     } catch (DBQueryException $dbqe) {
         Framework::error_output("Could not delete the admin because of problems with the " . "received data. Server said " . htmlentities($dbqe->getMessage()));
         Logger::log_event(LOG_INFO, __FILE__ . ":" . __LINE__ . ": Problem occured when tyring to delete " . "admin {$admin} with level {$level}: " . $dbqe->getMessage());
     }
     Framework::success_output($this->translateTag('l10n_suc_deleteadm1', 'admin') . " " . htmlentities($admin));
 }
Example #21
0
 /**
  *After the CSR has been uploaded to the Comodo certificate apply API, it
  * must be authorized by the user.
  * Call the authorize endpoint in the API and update the respective DB entry.
  */
 private function capiAuthorizeCSR()
 {
     $authorize_endpoint = ConfusaConstants::$CAPI_AUTH_ENDPOINT;
     $postfields_auth = $this->bs_pf();
     $postfields_auth["orderNumber"] = $this->order_number;
     $data = CurlWrapper::curlContact($authorize_endpoint, "post", $postfields_auth);
     Logger::log_event(LOG_DEBUG, "Authorizing CSR " . $this->order_number . " for signing.");
     /* the only formal restriction we have is if the API returns 0 for the query */
     if (substr($data, 0, 1) == "0") {
         /* update the database-entry to reflect the autorization-state */
         MDB2Wrapper::update("UPDATE order_store SET authorized='authorized' WHERE order_number=?", array('text'), array($this->order_number));
         Logger::log_event(LOG_NOTICE, "Authorized certificate with order number " . $this->order_number . ". " . $this->owner_string);
     } else {
         Logger::log_event(LOG_WARNING, "Error authorizing CSR " . $this->order_number . " " . "Server said " . $error_parts[0] . " (" . $error_parts[1] . ")");
         $msg = "Received an error when authorizing the CSR with orderNumber " . $this->order_number . $data . "\n";
         $error_parts = explode("\n", $data, 2);
         $msg .= $this->capiErrorMessage($error_parts[0], $error_parts[1]);
         throw new CGE_ComodoAPIException($msg);
     }
 }
Example #22
0
 /**
  * parseRevList() work through a list of eppns and revoke certificates for those users
  *
  * @param list Array list of ePPNs for users to revoke
  * @param admin Person the admin owning the client-certiticate
  *
  * @return Array of a list of persons coupled to the number of revoked
  * certificates.
  */
 static function parseRevList($list, $admin)
 {
     $revokedUsers = array();
     $ca = CAHandler::getCA($admin);
     foreach ($list as $value) {
         /* Get eppn from value*/
         $uid = $value['uid'];
         if (!isset($uid) || $uid == "") {
             echo "Need the UID. This is a REQUIRED attribute.<br />\n";
             break;
         }
         /* Search after matches for cn and subscriber */
         $list = $ca->getCertListForEPPN($uid, $admin->getSubscriber()->getOrgName());
         Logger::log_event(LOG_DEBUG, "[Robot] Got list (" . count($list) . " in total) of certs for {$uid} to revoke.");
         $count = 0;
         if (count($list) > 0) {
             foreach ($list as $key => $value) {
                 try {
                     if ($ca->revokeCert($value['auth_key'], "privilegeWithdrawn")) {
                         $count = $count + 1;
                     }
                 } catch (CGE_KeyRevokeException $kre) {
                     echo htmlentities($kre->getMessage()) . "<br />\n";
                 }
             }
             /* end foreach() uid-list */
             $revokedUsers[] = array('eppn' => $uid, 'count' => $count);
         }
     }
     /* end foreach() */
     return $revokedUsers;
 }
Example #23
0
function print_csr_details($person, $auth_key)
{
    try {
        $csr = get_csr_from_db_raw($person->getX509ValidCN(), $auth_key);
    } catch (CSRNotFoundException $csrnfe) {
        $msg = "Error with auth-token (" . htmlentities($auth_key) . ") - not found. ";
        $msg .= "Please verify that you have entered the correct auth-url and try again.";
        $msg .= "If this problem persists, try to upload a new CSR and inspect the fields carefully";
        Framework::error_output($msg);
        return false;
    } catch (ConfusaGenException $cge) {
        $msg = "Too menu returns received. This can indicate database inconsistency.";
        Framework::error_output($msg);
        Logger::log_event(LOG_ALERT, "Several identical CSRs (" . $auth_token . ") exists in the database for user " . stripslashes($person->getX509ValidCN()));
        return false;
    }
    $subj = openssl_csr_get_subject($csr['csr'], false);
    echo "<table class=\"small\">\n";
    echo "<tr><td>AuthToken</td><td>" . $csr['auth_key'] . "</td></tr>\n";
    /* Print subject-elements */
    foreach ($subj as $key => $value) {
        echo "<tr><td>{$key}</td><td>{$value}</td></tr>\n";
    }
    echo "<tr><td>Length:</td><td>" . csr_pubkey_length($csr['csr']) . " bits</td></tr>\n";
    echo "<tr><td>Uploaded </td><td>" . $csr['uploaded_date'] . "</td></tr>\n";
    echo "<tr><td>From IP: </td><td>" . Output::formatIP($csr['from_ip'], true) . "</td></tr>\n";
    echo "<tr><td></td><td></td></tr>\n";
    echo "<tr><td>[ <A HREF=\"" . $_SERVER['PHP_SELF'] . "?delete_csr={$auth_key}\">Delete from Database</A> ]</td>\n";
    echo "<td>[ <A HREF=\"" . $_SERVER['PHP_SELF'] . "?sign_csr={$auth_key}\">Approve for signing</A> ]</td></tr>\n";
    echo "</table>\n";
    echo "<BR>\n";
    return true;
}
Example #24
0
 public static function getCA($person)
 {
     if (!isset(CAHandler::$ca)) {
         if (Config::get_config('cert_product') == PRD_PERSONAL) {
             /* if no NREN object is set, we can not know anything about the days */
             if (!is_object($person->getNREN())) {
                 $days = min(ConfusaConstants::$CAPI_VALID_PERSONAL);
             } else {
                 $days = $person->getNREN()->getCertValidity();
             }
         } else {
             if (Config::get_config('cert_product') == PRD_ESCIENCE) {
                 $days = ConfusaConstants::$CAPI_VALID_ESCIENCE;
             } else {
                 throw new ConfusaGenException("Confusa's configured product-mode is " . "illegal! Must be one of: PRD_ESCIENCE, " . "PRD_PERSONAL. Please contact an IT " . "administrator about that!");
             }
         }
         switch ((int) Config::get_config('ca_mode')) {
             case CA_STANDALONE:
                 require_once 'CA_Standalone.php';
                 CAHandler::$ca = new CA_Standalone($person, $days);
                 break;
             case CA_COMODO:
                 require_once 'CA_Comodo.php';
                 if (Config::get_config('capi_test') == TRUE) {
                     $days = ConfusaConstants::$CAPI_TEST_VALID_DAYS;
                 }
                 CAHandler::$ca = new CA_Comodo($person, $days);
                 break;
             default:
                 /* This is going to produce a *lot* of errors,
                  * but it should also catch the attention of
                  * the operators. */
                 Logger::log_event(LOG_ALERT, "Tried to instantiate CA " . Config::get_config('ca_mode') . " but this is unknow. Config-file has errors. Check the ca_mode.");
                 return null;
         }
     }
     return CAHandler::$ca;
 }
Example #25
0
 /**
  * Check if the person that called "revoke" on auth_key may revoke the respective
  * certificate, i.e. whether the certificate is issued to the person herself.
  *
  * @param $auth_key mixed The auth_key for which to check
  * @return boolean true, if revocation of the passed key is permitted
  */
 private function checkRevocationPermissions($auth_key)
 {
     try {
         $info = $this->ca->getCertInformation($auth_key);
         if (is_null($info)) {
             Framework::error_output($this->translateTag('l10n_err_ordnum_notfound', 'download'));
             return false;
         }
         $cn = $this->person->getX509ValidCN();
         $subscriber = $this->person->getSubscriber()->getOrgName();
         if (stripslashes($info['cert_owner']) === stripslashes($cn) && $info['organization'] === $subscriber) {
             return true;
         }
     } catch (ConfusaGenException $cge) {
         Framework::error_output($this->translateTag('l10n_err_retrieval_fail', 'download') . ' ' . htmlentities($cge->getMessage()));
         Logger::log_event(LOG_INFO, "[norm] Revoking certificate " . "with key {$auth_key} failed, because permissions could not be " . "determined!");
     }
     return false;
 }
Example #26
0
 /**
 * getCertFromDB() take the registred Certificate and find a match in
 * the DB
 *
 * Robot_Certificates are used for authenticating remote
 * clients. Therefore, we will *always* start the object with a
 * certificate.
 *
 * The authN-mechanism lies in whether or not the certicate is also
 * present in the database.
 *
 * @param	Boolean $db_authoriative the values in the database is
 *			     authorative (overwrite local values if
 *			     present).
 * @return	Boolean flag indicating if the certificate was found and
 *			     it matches the current
  @access	private
 */
 private function getCertFromDB($db_authorative = false)
 {
     $fp = $this->getFingerprint();
     if (!$fp) {
         return false;
     }
     try {
         $query = "SELECT * FROM robot_certs WHERE fingerprint=?";
         $res = MDB2Wrapper::execute($query, array('text'), array($fp));
         if (count($res) == 1) {
             if ($res[0]['cert'] == $this->getPEMContent()) {
                 if ($db_authorative) {
                     $this->db_id = Input::sanitize($res[0]['id']);
                     $this->owner = Input::sanitize($res[0]['uploaded_by']);
                     $this->subscriber = Input::sanitize($res[0]['subscriber_id']);
                     $this->lwsent = Input::sanitize($res[0]['last_warning_sent']);
                     $this->uploaded_date = Input::sanitize($res[0]['uploaded_date']);
                 }
                 return true;
             }
         }
         return false;
     } catch (DBStatementException $dbse) {
         Logger::log_event(LOG_NOTICE, "Corrupted statement in query (" . __FILE__ . ":" . __LINE__ . " " . $dbse->getMessage());
     } catch (DBQueryException $dbqe) {
         Logger::log_event(LOG_NOTICE, "Corrupted content in query (" . __FILE__ . ":" . __LINE__ . " " . $dbqe->getMessage());
     }
     return false;
 }
Example #27
0
 /**
  * getFromQuery() run the query and create a new NREN
  *
  * @param	String $query the query
  * @param	Array  $params
  * @param	Array  $data
  * @access	private
  */
 private function getFromQuery($query, $params, $data)
 {
     try {
         $res = MDB2Wrapper::execute($query, $params, $data);
         if (count($res) == 0) {
             return false;
         }
         /* loop through the resultset and return an NREN for
          * the first entry with idp_url.
          *
          * If we get multiple hits, there's no way we can adapt
          * to this, so we default to _the_first_valid_entry_
          */
         foreach ($res as $key => $r) {
             if (array_key_exists('idp_url', $r)) {
                 return new NREN($r['idp_url']);
             }
         }
     } catch (DBStatementException $dbse) {
         Logger::log_event(LOG_ALERT, __FILE__ . ":" . __LINE__ . " problem with db-statement when finding NREN. " . $dbse->getMessage());
     } catch (DBQueryException $dbqe) {
         Logger::log_event(LOG_ALERT, __FILE__ . ":" . __LINE__ . " Query-error when finding NREN. " . $dbqe->getMessage());
     }
     return false;
 }
Example #28
0
 /**
  * getAdminStatus() get the admin-level from the database
  *
  * This function assumes isAuth() has been verified.
  *
  * @param void
  * @return Integer value indication the admin-level
  */
 private function getAdminStatus()
 {
     if (isset($this->adminStatus)) {
         return $this->adminStatus;
     }
     $adminRes = NORMAL_USER;
     if (!$this->isAuth()) {
         $this->adminStatus = NORMAL_USER;
         return NORMAL_USER;
     }
     /* if the database is riddled with errors, do not run through the
      * test once more, just bail */
     if ($this->adminDBError) {
         $this->adminStatus = NORMAL_USER;
         return NORMAL_USER;
     }
     require_once 'MDB2Wrapper.php';
     $errorCode = PW::create(8);
     $query = "SELECT * FROM admins WHERE admin=:admin AND nren=:nren_id AND ";
     $query .= "((admin_level='2' AND (idp_url='' OR ISNULL(idp_url) OR idp_url=:idp_url)) OR ";
     $query .= "((admin_level='1' OR admin_level='0') AND subscriber=:subscriber_id))";
     $params = array();
     $params['admin'] = $this->eppn;
     $params['nren_id'] = $this->nren->getID();
     $params['idp_url'] = $this->nren->getIdP();
     $params['subscriber_id'] = -1;
     if (!is_null($this->getSubscriber())) {
         $params['subscriber_id'] = $this->getSubscriber()->getDBID();
     }
     $res = MDB2Wrapper::execute($query, null, $params);
     $size = count($res);
     if ($size == 1) {
         $adminRes = $res[0]['admin_level'];
         if ($this->getName(false) != $res[0]['admin_name'] || $this->getEmail(false) != $res[0]['admin_email']) {
             try {
                 MDB2Wrapper::update("UPDATE admins SET admin_name=?, admin_email=? WHERE admin_id=?", array('text', 'text', 'text'), array($this->getName(false), $this->getEmail(false), $res[0]['admin_id']));
             } catch (DBStatementException $dbse) {
                 $msg = "[{$errorCode}] Database not properly set. Missing fields in the admins-table.";
                 Logger::log_event(LOG_ALERT, __FILE__ . ":" . __LINE__ . $msg);
                 Framework::error_output($msg . "<br />Server said: " . $dbse->getMessage());
                 $this->adminDBError = true;
             } catch (DBQueryException $dbqe) {
                 Logger::log_event(LOG_INFO, "[{$errorCode}] Could not update data for admin." . $dbqe->getMessage());
                 Framework::error_output("[{$errorCode}] Could not update data for admin. Problems with keys. Server said: " . $dbqe->getMessage());
                 $this->adminDBError = true;
             } catch (Exception $e) {
                 $msg = "Could not update admin-data. Unknown error. Server said: " . $e->getMessage();
                 Framework::error_output($msg);
                 Logger::Log_event(LOG_INFO, $msg);
                 $this->adminDBError = true;
             }
         }
     }
     $this->adminStatus = $adminRes;
     return $adminRes;
 }
Example #29
0
/**
 * printXMLRes() Print the returned array as a valid ConfusaRobot XML-file
 *
 * @param $resArray Array of data to print
 * @param $type String indicating the class of output
 */
function printXMLRes($resArray, $type = 'userList')
{
    /* lets hope that the header has not yet been set so we can trigger
     * proper XML headers */
    global $admin;
    $element_count = 0;
    $xml = new SimpleXMLElement("<ConfusaRobot></ConfusaRobot>");
    $xml->addAttribute("date", date("Y-m-d H:i:s"));
    $xml->addAttribute("subscriber", $admin->getSubscriber()->getOrgName());
    $xml->addAttribute("version", "1.0");
    $element = null;
    switch (strtolower($type)) {
        case 'userlist':
            $element = $xml->addChild("userList");
            break;
        case 'revokelist':
            $element = $xml->addChild("revokedCerts");
            break;
        default:
            Logger::log_event(LOG_NOTICE, "Unknown XML-list-type ({$type}), aborting.");
            return;
    }
    if (isset($resArray) && is_array($resArray) && count($resArray) > 0) {
        foreach ($resArray as $value) {
            $le = $element->addChild('listElement');
            $le->addAttribute('uid', htmlentities($value['uid']));
            if (isset($value['count'])) {
                $le->addAttribute('count', $value['count']);
            }
            if (isset($value['fullDN'])) {
                $le->addAttribute('fullDN', $value['fullDN']);
            }
            $element_count += 1;
        }
    }
    $xml->addAttribute("elementCount", $element_count);
    Logger::log_event(LOG_DEBUG, "Returning list with {$element_count} entries.");
    header("content-type: text/xml");
    echo $xml->asXML();
}
Example #30
0
 /**
  * Test whether the CSR in $content contains a public key that is
  * blacklisted (due to the Debian prime number generator flaw).
  *
  * If the key is blacklisted, this method will throw an exception
  * @param $content String containing CSR to be tested
  * @throws ConfusaGenException if key is blacklisted
  */
 static function testBlacklist($content)
 {
     $shellContent = Input::sanitizeBase64(escapeshellarg($content));
     $fp = popen("echo {$shellContent} | openssl-vulnkey -", "r");
     if (!$fp) {
         Logger::log_event(LOG_ALERT, __CLASS__ . "::testBlacklist()", " Could not open process file-pointer in order to test for blacklisted CSR!");
         /* if we cannot open openssl-vulnkey, we must assume that all uploaded
          * keys are blacklisted */
         /* FIXME: add l10n */
         throw new ConfusaGenException("Could not verify CSR against blacklist!");
     }
     $res = fread($fp, 1024);
     fclose($fp);
     if (stripos($res, "not blacklisted", 0) === 0) {
         return;
     } else {
         if (stripos($res, "COMPROMISED", 0) === 0) {
             throw new ConfusaGenException("Key is blacklisted!");
         }
     }
     Logger::log_event(LOG_DEBUG, __CLASS__ . "::testBlacklist()", " Unknown return ({$res}) value from shell");
 }