/**
* @param array $parts = []
* @return array
*/
protected function getPrimaryKeyDefinition(array $parts = [])
{
if ($this->primary) {
$parts[] = $this->primary->getDefinitionString();
}
return $parts;
}
/**
* Get public key
*
* Gets the public key for the issuer. If our own identity provider is the issuer, we
* can load our own public key avoiding network traffic.
*
* @access public
* @static
* @param string $issuer The issuers domain
* @return AbstractPublicKey
*/
public static function getPublicKey($issuer)
{
// allow other retrievers for testing
if ($issuer === Configuration::getInstance()->get("hostname")) {
return Secrets::loadPublicKey();
}
/*else if (config.get('disable_primary_support')) {
throw new \Exception("this verifier doesn't respect certs issued from domains other than: " . Configuration::getInstance()->get("hostname"));
}*/
// let's go fetch the public key for this host
return Primary::getPublicKey($issuer);
}
/**
* Check for authority delegation
*
* Checking if the issuing domain is allowed to issue identity certificates for
* this email domain. This should only be the case if the issuing domain is
* Mozilla's server or if the email domain is delegating to the issuing domain.
*
* @param string $emailDomain The domain of the mail, the expected issuer
* @param string $issuingDomain The domain that issued the assertion
* @return type
*/
static function delegatesAuthority($emailDomain, $issuingDomain)
{
/* // TODO: Maybe later
if (config.has('proxy_idps')) {
var proxyIDPs = config.get('proxy_idps');
if (proxyIDPs.hasOwnProperty(emailDomain))
if (g_shim_cache.hasOwnProperty(proxyIDPs[emailDomain])) {
var url = g_shim_cache[proxyIDPs[emailDomain]].origin + "/";
if (url.indexOf('://' + issuingDomain + ':') !== -1)
return cb(true);
}
}*/
$result = Primary::checkSupport($emailDomain);
$urls =& $result["urls"];
// Check http or https://{issuingDomain}/some/sign_in_path
if (!$err && $urls && $urls["auth"] && strpos($urls["auth"], '://' . issuingDomain . '/') !== false) {
return true;
}
return false;
}
function __construct()
{
Primary::$cnf = array("name" => "Primary", "post" => array());
}
/**
* XML-RPC service to update A records
*
*@access public
*@params XML-RPC message $m
*@return XML-RPC answer
*
*The request for this service is a structure containing:
*
* - user: the user name
* - password: his password
* - zone: the name of the zone
* - name: the name of the A record(s)
* - oldaddress (optional): the address of the A record to
* delete or "*" to delete all A records
* for the given name.
* - newaddress (optional): the address of the A record to add.
* - ttl (optional): the TTL of the A record to add.
*
* The return value is the whole zone as text.
*
* Inserts can be performed by leaving "oldaddress" empty.
* Deletes can be performed by leaving "newaddress" empty.
* Updates are performed by giving both old and new addresses.
*
*/
function updateArecord($m)
{
global $xmlrpcerruser, $stateNames;
global $db, $dbauth, $user, $config;
if ($_SERVER["HTTPS"] != "on") {
return new xmlrpcresp(0, $xmlrpcerruser, "non-https modifications disabled " . "(also, now you have to change your password)");
}
$res = "";
$modified = 0;
$req = php_xmlrpc_decode($m->getParam(0));
$db = new Db();
if ($config->userdbname) {
$dbauth = new DbAuth();
} else {
$dbauth = $db;
}
$user = new User($req["user"], $req["password"], NULL);
if ($user->authenticated == 0) {
$user = new User($req["user"], $req["password"], NULL, 1);
}
if ($user->authenticated == 0) {
return new xmlrpcresp(0, $xmlrpcerruser, "authentication refused");
} elseif ($user->authenticated >= 2) {
return new xmlrpcresp(0, $xmlrpcerruser, "you have to migrate first");
}
$zonename = $req["zone"];
$zonetype = "P";
$zone = new Zone($zonename, $zonetype);
$zone->isErroneous();
if ($zone->error) {
return new xmlrpcresp(0, $xmlrpcerruser, $zone->error);
}
if ($config->usergroups) {
include 'libs/group.php';
$group = new Group($user->userid);
if ($config->userlogs) {
include 'libs/userlogs.php';
$userlogs = new UserLogs($group->groupid, $user->userid);
}
}
if (!$config->usergroups && $zone->RetrieveUser() != $user->userid || $config->usergroups && $zone->RetrieveUser() != $group->groupid) {
return new xmlrpcresp(0, $xmlrpcerruser, "You can not manage zone " . $zone->zonename);
}
$currentzone = new Primary($zone->zonename, $zone->zonetype, $user);
if (!empty($req["newaddress"]) && $req["newaddress"] == "<dynamic>") {
$req["newaddress"] = $_SERVER["REMOTE_ADDR"];
}
if (!empty($req["oldaddress"])) {
if (!empty($req["newaddress"])) {
# skip changes if newaddress is the same we already have
$currentzone->getARecords($addarr, mysql_real_escape_string($req["name"]));
if (count($addarr) == 1 && in_array($req["newaddress"], $addarr)) {
$ttl = intval($req["ttl"]);
if (empty($ttl)) {
$ttl = "-1";
}
$ret = array("zone" => $req["zone"], "serial" => $currentzone->serial, "name" => $req["name"], "addresses" => $addarr, "ttl" => $ttl);
return new xmlrpcresp(php_xmlrpc_encode($ret));
}
}
$modified = 1;
if ($req["oldaddress"] == "*") {
$currentzone->deleteMultipleARecords($req["name"]);
} elseif ($req["oldaddress"] == "*.*") {
$currentzone->deleteMultipleARecords($req["name"], "A");
} elseif ($req["oldaddress"] == "*:*") {
$currentzone->deleteMultipleARecords($req["name"], "AAAA");
} else {
$tmpname = sprintf("%s(%s/%s)", preg_match('/:/', $req["oldaddress"]) ? "aaaa" : "a", mysql_real_escape_string($req["name"]), mysql_real_escape_string($req["oldaddress"]));
$currentzone->Delete(array($tmpname), 0, 0);
}
if ($currentzone->error) {
return new xmlrpcresp(0, $xmlrpcerruser, $currentzone->error);
}
}
$ttl = intval($req["ttl"]);
if (empty($ttl)) {
$ttl = "-1";
}
$updatereverse = !empty($req["updatereveverse"]);
if (!empty($req["newaddress"])) {
$modified = 1;
if (preg_match('/:/', $req["newaddress"])) {
$fn = "addAAAARecord";
} else {
$fn = "addARecord";
}
$res = $currentzone->{$fn}($zone->zoneid, array(mysql_real_escape_string($req["newaddress"])), array(mysql_real_escape_string($req["name"])), array($ttl), $updatereverse);
if ($currentzone->error) {
return new xmlrpcresp(0, $xmlrpcerruser, $res);
}
}
$currentzone->generateConfigFile();
$checker = sprintf("%s %s %s", $config->binnamedcheckzone, $currentzone->zonename, $currentzone->tempZoneFile());
$check = `{$checker}`;
unlink($currentzone->tempZoneFile());
if (!preg_match("/OK/", $check)) {
return new xmlrpcresp(0, $xmlrpcerruser, "Check error: " . $checker);
}
if ($modified) {
$currentzone->flagModified($currentzone->zoneid);
$currentzone->updateSerial($currentzone->zoneid);
if ($currentzone->error) {
return new xmlrpcresp(0, $xmlrpcerruser, "DB error: " . $currentzone->error);
}
}
$ret = array("zone" => $req["zone"], "serial" => $currentzone->serial, "name" => $req["name"], "addresses" => NULL, "ttl" => $ttl);
$currentzone->getArecords($ret["addresses"], mysql_real_escape_string($req["name"]));
if ($currentzone->error) {
return new xmlrpcresp(0, $xmlrpcerruser, $currentzone->error);
}
return new xmlrpcresp(php_xmlrpc_encode($ret));
}
/**
* Verificate validity
*
* Verify if the signed assertion is valid.
*
* @access public
* @return array Containing the used certificate chain as 'certChain', additional payload given in the assertion as 'payload' and the assertion object as 'assertion'
* @throws Exception Throws an exception if the verification fails
*/
public function verify()
{
// assertion is bundle
$bundle = CertBundle::unbundle($this->assertion);
$result = $bundle->verify(time() * 1000);
$certChain =& $result["certChain"];
$payload =& $result["payload"];
$assertion =& $result["assertion"];
// for now, to be extra safe, we don't allow cert chains
if (sizeof($certChain) > 1) {
throw new \Exception("certificate chaining is not yet allowed");
}
// audience must match!
$err = $this->compareAudiences($assertion->getAudience());
if ($err) {
//logger.debug("verification failure, audience mismatch: '"
// + assertionParams.audience + "' != '" + audience + "': " + err);
throw new ExceptionAudienceMismatch($err);
}
// principal and issuer are in the last cert
$lastCert =& $certChain[sizeof($certChain) - 1];
$principal = $lastCert->getCertParams()->getPrincipal();
$issuer = $lastCert->getAssertion()->getIssuer();
// verify that the issuer is the same as the email domain or
// that the email's domain delegated authority to the issuer
$domainFromEmail = preg_replace("/^.*@/", "", $principal["email"]);
//kiki : mettre ici la liste des issuers que nous connaissons
if ($issuer != Configuration::getInstance()->get("master_idp") && $issuer != Configuration::getInstance()->get("hostname") && $issuer !== $domainFromEmail) {
$delegated = Primary::delegatesAuthority($domainFromEmail, $issuer);
if (!$delegated) {
throw new \Exception("issuer '" . $issuer . "' may not speak for emails from '" . $domainFromEmail . "'");
}
}
return $result;
}
