Пример #1
0
 /**
  * Send the request to the server - decode and return the response
  *
  * @param  object   $mnet_peer      A mnet_peer object with details of the
  *                                  remote host we're connecting to
  * @return mixed                    A PHP variable, as returned by the
  *                                  remote function
  */
 function send($mnet_peer)
 {
     global $CFG, $MNET;
     $this->uri = $mnet_peer->wwwroot . $mnet_peer->application->xmlrpc_server_url;
     // Initialize with the target URL
     $ch = curl_init($this->uri);
     $system_methods = array('system/listMethods', 'system/methodSignature', 'system/methodHelp', 'system/listServices');
     if (in_array($this->method, $system_methods)) {
         // Executing any system method is permitted.
     } else {
         $id_list = $mnet_peer->id;
         if (!empty($CFG->mnet_all_hosts_id)) {
             $id_list .= ', ' . $CFG->mnet_all_hosts_id;
         }
         // At this point, we don't care if the remote host implements the
         // method we're trying to call. We just want to know that:
         // 1. The method belongs to some service, as far as OUR host knows
         // 2. We are allowed to subscribe to that service on this mnet_peer
         // Find methods that we subscribe to on this host
         $sql = "\n                SELECT\n                    r.id\n                FROM\n                    {$CFG->prefix}mnet_rpc r,\n                    {$CFG->prefix}mnet_service2rpc s2r,\n                    {$CFG->prefix}mnet_host2service h2s\n                WHERE\n                    r.xmlrpc_path = '{$this->method}' AND\n                    s2r.rpcid = r.id AND\n                    s2r.serviceid = h2s.serviceid AND\n                    h2s.subscribe = '1' AND\n                    h2s.hostid in ({$id_list})";
         if (!record_exists_sql($sql)) {
             global $USER;
             $this->error[] = '7:User with ID ' . $USER->id . ' attempted to call unauthorised method ' . $this->method . ' on host ' . $mnet_peer->wwwroot;
             return false;
         }
     }
     $this->requesttext = xmlrpc_encode_request($this->method, $this->params, array("encoding" => "utf-8", "escaping" => "markup"));
     $rq = $this->requesttext;
     $rq = mnet_sign_message($this->requesttext);
     $this->signedrequest = $rq;
     $rq = mnet_encrypt_message($rq, $mnet_peer->public_key);
     $this->encryptedrequest = $rq;
     curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeout);
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_USERAGENT, 'Moodle');
     curl_setopt($ch, CURLOPT_POSTFIELDS, $rq);
     curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: text/xml charset=UTF-8"));
     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
     $timestamp_send = time();
     $this->rawresponse = curl_exec($ch);
     $timestamp_receive = time();
     if ($this->rawresponse === false) {
         $this->error[] = curl_errno($ch) . ':' . curl_error($ch);
         return false;
     }
     $this->rawresponse = trim($this->rawresponse);
     $mnet_peer->touch();
     $crypt_parser = new mnet_encxml_parser();
     $crypt_parser->parse($this->rawresponse);
     if ($crypt_parser->payload_encrypted) {
         $key = array_pop($crypt_parser->cipher);
         $data = array_pop($crypt_parser->cipher);
         $crypt_parser->free_resource();
         // Initialize payload var
         $payload = '';
         //                                          &$payload
         $isOpen = openssl_open(base64_decode($data), $payload, base64_decode($key), $MNET->get_private_key());
         if (!$isOpen) {
             // Decryption failed... let's try our archived keys
             $openssl_history = get_config('mnet', 'openssl_history');
             if (empty($openssl_history)) {
                 $openssl_history = array();
                 set_config('openssl_history', serialize($openssl_history), 'mnet');
             } else {
                 $openssl_history = unserialize($openssl_history);
             }
             foreach ($openssl_history as $keyset) {
                 $keyresource = openssl_pkey_get_private($keyset['keypair_PEM']);
                 $isOpen = openssl_open(base64_decode($data), $payload, base64_decode($key), $keyresource);
                 if ($isOpen) {
                     // It's an older code, sir, but it checks out
                     break;
                 }
             }
         }
         if (!$isOpen) {
             trigger_error("None of our keys could open the payload from host {$mnet_peer->wwwroot} with id {$mnet_peer->id}.");
             $this->error[] = '3:No key match';
             return false;
         }
         if (strpos(substr($payload, 0, 100), '<signedMessage>')) {
             $sig_parser = new mnet_encxml_parser();
             $sig_parser->parse($payload);
         } else {
             $this->error[] = '2:Payload not signed: ' . $payload;
             return false;
         }
     } else {
         if (!empty($crypt_parser->remoteerror)) {
             $this->error[] = '4: remote server error: ' . $crypt_parser->remoteerror;
         } else {
             if (!empty($crypt_parser->error)) {
                 $crypt_parser_error = $crypt_parser->error[0];
                 $message = '3:XML Parse error in payload: ' . $crypt_parser_error['string'] . "\n";
                 if (array_key_exists('lineno', $crypt_parser_error)) {
                     $message .= 'At line number: ' . $crypt_parser_error['lineno'] . "\n";
                 }
                 if (array_key_exists('line', $crypt_parser_error)) {
                     $message .= 'Which reads: ' . $crypt_parser_error['line'] . "\n";
                 }
                 $this->error[] = $message;
             } else {
                 $this->error[] = '1:Payload not encrypted ';
             }
         }
         $crypt_parser->free_resource();
         return false;
     }
     // Margin of error is the time it took the request to complete.
     $margin_of_error = $timestamp_receive - $timestamp_send;
     // Guess the time gap between sending the request and the remote machine
     // executing the time() function. Marginally better than nothing.
     $hysteresis = $margin_of_error / 2;
     $remote_timestamp = $sig_parser->remote_timestamp - $hysteresis;
     $time_offset = $remote_timestamp - $timestamp_send;
     if ($time_offset > 0) {
         $threshold = get_config('mnet', 'drift_threshold');
         if (empty($threshold)) {
             // We decided 15 seconds was a pretty good arbitrary threshold
             // for time-drift between servers, but you can customize this in
             // the config_plugins table. It's not advised though.
             set_config('drift_threshold', 15, 'mnet');
             $threshold = 15;
         }
         if ($time_offset > $threshold) {
             $this->error[] = '6:Time gap with ' . $mnet_peer->name . ' (' . $time_offset . ' seconds) is greater than the permitted maximum of ' . $threshold . ' seconds';
             return false;
         }
     }
     $this->xmlrpcresponse = base64_decode($sig_parser->data_object);
     $this->response = xmlrpc_decode($this->xmlrpcresponse);
     curl_close($ch);
     // xmlrpc errors are pushed onto the $this->error stack
     if (is_array($this->response) && array_key_exists('faultCode', $this->response)) {
         // The faultCode 7025 means we tried to connect with an old SSL key
         // The faultString is the new key - let's save it and try again
         // The re_key attribute stops us from getting into a loop
         if ($this->response['faultCode'] == 7025 && empty($mnet_peer->re_key)) {
             $record = new stdClass();
             $record->id = $mnet_peer->id;
             if ($this->response['faultString'] == clean_param($this->response['faultString'], PARAM_PEM)) {
                 $record->public_key = $this->response['faultString'];
                 $details = openssl_x509_parse($record->public_key);
                 if (is_array($details) && isset($details['validTo_time_t'])) {
                     $record->public_key_expires = $details['validTo_time_t'];
                     update_record('mnet_host', $record);
                     $mnet_peer2 = new mnet_peer();
                     $mnet_peer2->set_id($record->id);
                     $mnet_peer2->re_key = true;
                     $this->send($mnet_peer2);
                 } else {
                     $this->error[] = $this->response['faultCode'] . " : " . $this->response['faultString'];
                 }
             } else {
                 $this->error[] = $this->response['faultCode'] . " : " . $this->response['faultString'];
             }
         } else {
             if (!empty($CFG->mnet_rpcdebug)) {
                 $guidance = get_string('error' . $this->response['faultCode'], 'mnet');
             } else {
                 $guidance = '';
             }
             $this->error[] = $this->response['faultCode'] . " : " . $this->response['faultString'];
         }
     }
     // ok, it's signed, but is it signed with the right certificate ?
     // do this *after* we check for an out of date key
     $verified = openssl_verify($this->xmlrpcresponse, base64_decode($sig_parser->signature), $mnet_peer->public_key);
     if ($verified != 1) {
         $this->error[] = 'Invalid signature';
     }
     return empty($this->error);
 }
Пример #2
0
/**
 * Package a response in any required envelope, and return it to the client
 *
 * @param   string   $response      The XMLRPC response string
 * @param   resource $privatekey    The private key to sign the response with
 * @return  string                  The encoded response string
 */
function mnet_server_prepare_response($response, $privatekey = null)
{
    global $MNET_REMOTE_CLIENT;
    if ($MNET_REMOTE_CLIENT->request_was_signed) {
        $response = mnet_sign_message($response, $privatekey);
    }
    if ($MNET_REMOTE_CLIENT->request_was_encrypted) {
        $response = mnet_encrypt_message($response, $MNET_REMOTE_CLIENT->public_key);
    }
    return $response;
}
Пример #3
0
/**
 * Package a response in any required envelope, and return it to the client
 *
 * @param   string   $response      The XMLRPC response string
 * @param   resource $privatekey    The private key to sign the response with
 * @return  string                  The encoded response string
 */
function mnet_server_prepare_response($response, $privatekey = null) {
    $remoteclient = get_mnet_remote_client();
    if ($remoteclient->request_was_signed) {
        $response = mnet_sign_message($response, $privatekey);
    }

    if ($remoteclient->request_was_encrypted) {
        $response = mnet_encrypt_message($response, $remoteclient->public_key);
    }

    return $response;
}
Пример #4
0
 /**
  * Send the request to the server - decode and return the response
  *
  * @param  object   $mnet_peer      A mnet_peer object with details of the
  *                                  remote host we're connecting to
  * @return mixed                    A PHP variable, as returned by the
  *                                  remote function
  */
 function send($mnet_peer)
 {
     global $CFG, $DB;
     if (!$this->permission_to_call($mnet_peer)) {
         mnet_debug("tried and wasn't allowed to call a method on {$mnet_peer->wwwroot}");
         return false;
     }
     $this->requesttext = xmlrpc_encode_request($this->method, $this->params, array("encoding" => "utf-8", "escaping" => "markup"));
     $this->signedrequest = mnet_sign_message($this->requesttext);
     $this->encryptedrequest = mnet_encrypt_message($this->signedrequest, $mnet_peer->public_key);
     $httprequest = $this->prepare_http_request($mnet_peer);
     curl_setopt($httprequest, CURLOPT_POSTFIELDS, $this->encryptedrequest);
     $timestamp_send = time();
     mnet_debug("about to send the curl request");
     $this->rawresponse = curl_exec($httprequest);
     mnet_debug("managed to complete a curl request");
     $timestamp_receive = time();
     if ($this->rawresponse === false) {
         $this->error[] = curl_errno($httprequest) . ':' . curl_error($httprequest);
         return false;
     }
     curl_close($httprequest);
     $this->rawresponse = trim($this->rawresponse);
     $mnet_peer->touch();
     $crypt_parser = new mnet_encxml_parser();
     $crypt_parser->parse($this->rawresponse);
     // If we couldn't parse the message, or it doesn't seem to have encrypted contents,
     // give the most specific error msg available & return
     if (!$crypt_parser->payload_encrypted) {
         if (!empty($crypt_parser->remoteerror)) {
             $this->error[] = '4: remote server error: ' . $crypt_parser->remoteerror;
         } else {
             if (!empty($crypt_parser->error)) {
                 $crypt_parser_error = $crypt_parser->error[0];
                 $message = '3:XML Parse error in payload: ' . $crypt_parser_error['string'] . "\n";
                 if (array_key_exists('lineno', $crypt_parser_error)) {
                     $message .= 'At line number: ' . $crypt_parser_error['lineno'] . "\n";
                 }
                 if (array_key_exists('line', $crypt_parser_error)) {
                     $message .= 'Which reads: ' . $crypt_parser_error['line'] . "\n";
                 }
                 $this->error[] = $message;
             } else {
                 $this->error[] = '1:Payload not encrypted ';
             }
         }
         $crypt_parser->free_resource();
         return false;
     }
     $key = array_pop($crypt_parser->cipher);
     $data = array_pop($crypt_parser->cipher);
     $crypt_parser->free_resource();
     // Initialize payload var
     $decryptedenvelope = '';
     //                                          &$decryptedenvelope
     $isOpen = openssl_open(base64_decode($data), $decryptedenvelope, base64_decode($key), $this->mnet->get_private_key());
     if (!$isOpen) {
         // Decryption failed... let's try our archived keys
         $openssl_history = get_config('mnet', 'openssl_history');
         if (empty($openssl_history)) {
             $openssl_history = array();
             set_config('openssl_history', serialize($openssl_history), 'mnet');
         } else {
             $openssl_history = unserialize($openssl_history);
         }
         foreach ($openssl_history as $keyset) {
             $keyresource = openssl_pkey_get_private($keyset['keypair_PEM']);
             $isOpen = openssl_open(base64_decode($data), $decryptedenvelope, base64_decode($key), $keyresource);
             if ($isOpen) {
                 // It's an older code, sir, but it checks out
                 break;
             }
         }
     }
     if (!$isOpen) {
         trigger_error("None of our keys could open the payload from host {$mnet_peer->wwwroot} with id {$mnet_peer->id}.");
         $this->error[] = '3:No key match';
         return false;
     }
     if (strpos(substr($decryptedenvelope, 0, 100), '<signedMessage>')) {
         $sig_parser = new mnet_encxml_parser();
         $sig_parser->parse($decryptedenvelope);
     } else {
         $this->error[] = '2:Payload not signed: ' . $decryptedenvelope;
         return false;
     }
     // Margin of error is the time it took the request to complete.
     $margin_of_error = $timestamp_receive - $timestamp_send;
     // Guess the time gap between sending the request and the remote machine
     // executing the time() function. Marginally better than nothing.
     $hysteresis = $margin_of_error / 2;
     $remote_timestamp = $sig_parser->remote_timestamp - $hysteresis;
     $time_offset = $remote_timestamp - $timestamp_send;
     if ($time_offset > 0) {
         $threshold = get_config('mnet', 'drift_threshold');
         if (empty($threshold)) {
             // We decided 15 seconds was a pretty good arbitrary threshold
             // for time-drift between servers, but you can customize this in
             // the config_plugins table. It's not advised though.
             set_config('drift_threshold', 15, 'mnet');
             $threshold = 15;
         }
         if ($time_offset > $threshold) {
             $this->error[] = '6:Time gap with ' . $mnet_peer->name . ' (' . $time_offset . ' seconds) is greater than the permitted maximum of ' . $threshold . ' seconds';
             return false;
         }
     }
     $this->xmlrpcresponse = base64_decode($sig_parser->data_object);
     $this->response = xmlrpc_decode($this->xmlrpcresponse);
     // xmlrpc errors are pushed onto the $this->error stack
     if (is_array($this->response) && array_key_exists('faultCode', $this->response)) {
         // The faultCode 7025 means we tried to connect with an old SSL key
         // The faultString is the new key - let's save it and try again
         // The re_key attribute stops us from getting into a loop
         if ($this->response['faultCode'] == 7025 && empty($mnet_peer->re_key)) {
             mnet_debug('recieved an old-key fault, so trying to get the new key and update our records');
             // If the new certificate doesn't come thru clean_param() unmolested, error out
             if ($this->response['faultString'] != clean_param($this->response['faultString'], PARAM_PEM)) {
                 $this->error[] = $this->response['faultCode'] . " : " . $this->response['faultString'];
             }
             $record = new stdClass();
             $record->id = $mnet_peer->id;
             $record->public_key = $this->response['faultString'];
             $details = openssl_x509_parse($record->public_key);
             if (!isset($details['validTo_time_t'])) {
                 $this->error[] = $this->response['faultCode'] . " : " . $this->response['faultString'];
             }
             $record->public_key_expires = $details['validTo_time_t'];
             $DB->update_record('mnet_host', $record);
             // Create a new peer object populated with the new info & try re-sending the request
             $rekeyed_mnet_peer = new mnet_peer();
             $rekeyed_mnet_peer->set_id($record->id);
             $rekeyed_mnet_peer->re_key = true;
             return $this->send($rekeyed_mnet_peer);
         }
         if (!empty($CFG->mnet_rpcdebug)) {
             if (get_string_manager()->string_exists('error' . $this->response['faultCode'], 'mnet')) {
                 $guidance = get_string('error' . $this->response['faultCode'], 'mnet');
             } else {
                 $guidance = '';
             }
         } else {
             $guidance = '';
         }
         $this->error[] = $this->response['faultCode'] . " : " . $this->response['faultString'] . "\n" . $guidance;
     }
     // ok, it's signed, but is it signed with the right certificate ?
     // do this *after* we check for an out of date key
     if (!openssl_verify($this->xmlrpcresponse, base64_decode($sig_parser->signature), $mnet_peer->public_key)) {
         $this->error[] = 'Invalid signature';
     }
     return empty($this->error);
 }