public static function setUpBeforeClass()
{
include 'setuptests.php';
self::$i = FreePBX::Installer();
}
/**
* Check the module.sig file against the contents of the
* directory
*
* @param string Module name
* @return array (status => GPG::STATE_whatever, details => array (details, details))
*/
public function verifyModule($modulename = null)
{
if (!$modulename) {
throw new Exception(_("No module to check"));
}
if (strpos($modulename, "/") !== false) {
throw new Exception(_("Path given to verifyModule. Only provide a module name"));
}
// Get the module.sig file.
$file = FreePBX::Config()->get('AMPWEBROOT') . "/admin/modules/{$modulename}/module.sig";
if (!file_exists($file)) {
// Well. That was easy.
return array("status" => GPG::STATE_UNSIGNED, "details" => array(_("unsigned")));
}
// Check the signature on the module.sig
$module = $this->checkSig($file);
if (isset($module['status'])) {
return array("status" => $module['status'], "details" => array(sprintf(_("module.sig check failed! %s"), $module['trustdetails'][0])));
}
// OK, signature is valid. Let's look at the files we know
// about, and make sure they haven't been touched.
$retarr['status'] = GPG::STATE_GOOD | GPG::STATE_TRUSTED;
$retarr['details'] = array();
foreach ($module['hashes'] as $file => $hash) {
$dest = FreePBX::Installer()->getDestination($modulename, $file);
if ($dest === false) {
// If the file is explicitly un-checkable, ignore it.
continue;
}
if (!file_exists($dest)) {
$retarr['details'][] = $dest . " " . _("missing");
$retarr['status'] |= GPG::STATE_TAMPERED;
$retarr['status'] &= ~GPG::STATE_GOOD;
} elseif (hash_file('sha256', $dest) != $hash) {
// If you i18n this string, also note that it's used explicitly
// as a comparison of "altered" in modulefunctions.class, to
// warn people about bin/amportal needing to be updated
// with 'amportal chown'. Don't make them different!
$retarr['details'][] = $dest . " " . _("altered");
$retarr['status'] |= GPG::STATE_TAMPERED;
$retarr['status'] &= ~GPG::STATE_GOOD;
}
}
return $retarr;
// Reminder for people doing i18n.
if (false) {
echo _("If you're i18n-ing this file, read the comment about 'altered' and 'missing'");
}
}
/**
* Check the module.sig file against the contents of the
* directory
*
* @param string Module name
* @return array (status => GPG::STATE_whatever, details => array (details, details))
*/
public function verifyModule($modulename = null)
{
if (!$modulename) {
throw new Exception(_("No module to check"));
}
if (strpos($modulename, "/") !== false) {
throw new Exception(_("Path given to verifyModule. Only provide a module name"));
}
// Get the module.sig file.
$file = \FreePBX::Config()->get('AMPWEBROOT') . "/admin/modules/{$modulename}/module.sig";
if (!file_exists($file)) {
// Well. That was easy.
return array("status" => GPG::STATE_UNSIGNED, "details" => array(_("unsigned")));
}
$module = $this->checkSig($file);
// Is this a local module?
if (isset($module['parsedout']) && $module['parsedout']['config']['version'] > "1" && $module['parsedout']['config']['type'] == "local") {
// We need to actually validate the LOCAL SECURE module
$module = $this->processLocalSig($modulename, $module['parsedout']);
} else {
// Check the signature on the module.sig
if (isset($module['status'])) {
return array("status" => $module['status'], "details" => array(sprintf(_("module.sig check failed! %s"), $module['trustdetails'][0])));
}
}
// OK, signature is valid. Let's look at the files we know
// about, and make sure they haven't been touched.
$retarr['status'] = GPG::STATE_GOOD | GPG::STATE_TRUSTED;
$retarr['details'] = array();
// RINGFREE - SIGNATURE CHECK BYPASS (OPEN)
if (1 == 2) {
// RINGFREE - SIGNATURE CHECK BYPASS (CLOSE)
foreach ($module['hashes'] as $file => $hash) {
$dest = \FreePBX::Installer()->getDestination($modulename, $file, true);
if ($dest === false) {
// If the file is explicitly un-checkable, ignore it.
continue;
}
if (!file_exists($dest)) {
$retarr['details'][] = $dest . " " . _("missing");
$retarr['status'] |= GPG::STATE_TAMPERED;
$retarr['status'] &= ~GPG::STATE_GOOD;
} elseif (hash_file('sha256', $dest) != $hash) {
// If you i18n this string, also note that it's used explicitly
// as a comparison of "altered" in modulefunctions.class, to
// warn people about bin/fwconsole needing to be updated
// with 'fwconsole chown'. Don't make them different!
$retarr['details'][] = $dest . " " . _("altered");
$retarr['status'] |= GPG::STATE_TAMPERED;
$retarr['status'] &= ~GPG::STATE_GOOD;
}
}
// RINGFREE - SIGNATURE CHECK BYPASS (OPEN)
} else {
$set['SIGNATURECHECK'] = false;
// here's the slower BASH equivalent using PHP
// exec("/var/lib/asterisk/bin/freepbx_setting SIGNATURECHECK 0");
}
// RINGFREE - SIGNATURE CHECK BYPASS (CLOSE)
return $retarr;
// Reminder for people doing i18n.
if (false) {
echo _("If you're i18n-ing this file, read the comment about 'altered' and 'missing'");
}
}
