    $myLog->log(LOG_NOTICE, 'NONCE is provided but not correct');
    sendResp(S_MISSING_PARAMETER, $myLog);
}
// ykval-verify excerpt: nonce length sanity check, then lookup of the client
// record whose secret is needed for the signature check further down.
if (isset($nonce) && (strlen($nonce) < 16 || strlen($nonce) > 40)) {
    $myLog->log(LOG_NOTICE, 'Nonce too short or too long');
    // NOTE(review): no exit follows sendResp() anywhere in this excerpt, so
    // sendResp() is relied on to terminate the request — confirm in ykval-common.
    sendResp(S_MISSING_PARAMETER, $myLog);
}
/**
 * Timestamp parameter is not checked since current protocol
 *	says that 1 means request timestamp and anything else is discarded.
 */
/**
 * Initialize the sync library. Strive to use this instead of custom
 *	DB requests, custom comparisons etc.
 */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $ipaddr);
$sync->addField('otp', $otp);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
}
// getClientData() signals an unknown client id with FALSE; the identity
// comparison keeps an empty-looking record from being mistaken for a miss.
if (($cd = $sync->getClientData($client)) === FALSE) {
    $myLog->log(LOG_NOTICE, "Invalid client id {$client}");
    sendResp(S_NO_SUCH_CLIENT, $myLog);
}
// The whole client record — including the 'secret' read below — is written to
// the log at DEBUG level; keep DEBUG logging disabled on production validators.
$myLog->log(LOG_DEBUG, 'Client data:', $cd);
/**
 * Check client signature
 */
// The per-client API key is stored base64-encoded; the decoded bytes are the
// key for the signature check that follows (presumably an HMAC, as elsewhere
// in the protocol — verify against the code below this excerpt).
$apiKey = $cd['secret'];
$apiKey = base64_decode($apiKey);
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
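set_include_path(implode(PATH_SEPARATOR, array(get_include_path(), '/usr/share/yubikey-val', '/etc/yubico/val')));
require_once 'ykval-synclib.php';
require_once 'ykval-config.php';
require_once 'ykval-log.php';

/*
 * Nagios-style check of the ykval sync queue length.
 *
 * Usage: <script> WARNING CRITICAL
 *
 * Exit codes follow the plugin convention: 0 OK, 1 WARNING, 2 CRITICAL,
 * 3 UNKNOWN (bad arguments or database unreachable).
 */
if ($argc !== 3) {
    print "warning and critical levels have to be given on commandline\n";
    exit(3);
}

// Thresholds must be numeric. PHP 8 compares an int against a non-numeric
// string as two strings, so a garbage threshold would otherwise make every
// comparison below false and the check silently report OK.
if (!is_numeric($argv[1]) || !is_numeric($argv[2])) {
    print "UNKNOWN: warning and critical levels must be numeric\n";
    exit(3);
}
$warning = (int) $argv[1];
$critical = (int) $argv[2];

$sync = new SyncLib('ykval-verify:synclib');
// A check that cannot reach the backend must report UNKNOWN rather than
// treating a missing queue as "OK".
if (!$sync->isConnected()) {
    print "UNKNOWN: cannot connect to the ykval database\n";
    exit(3);
}
$len = $sync->getQueueLength();
$message = "Queue length is {$len}";

// Most severe state first; each branch terminates the script.
if ($len > $critical) {
    print "CRITICAL: {$message}\n";
    exit(2);
}
if ($len > $warning) {
    print "WARNING: {$message}\n";
    exit(1);
}
print "OK: {$message}\n";
exit(0);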
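require_once "System/Daemon.php";

/*
 * ykval-queue: background daemon that periodically re-syncs queued
 * validation requests with the other servers of the sync pool.
 *
 *   ykval-queue install   write an init script through System_Daemon and exit
 *   ykval-queue           daemonize and loop until sleep() is interrupted
 */
$appname = "ykval-queue";
System_Daemon::setOption("appName", $appname);
System_Daemon::setOption("appDescription", "Yubico val-server sync daemon");
System_Daemon::setOption("authorName", "*****@*****.**");
System_Daemon::setOption("authorEmail", "*****@*****.**");

if ($argc === 2 && $argv[1] === "install") {
    $autostart_path = System_Daemon::writeAutoRun();
    // NOTE(review): the original only distinguished "path returned" from
    // "already exists" (compared against 1); a failed write would have been
    // announced as a success with an empty path. writeAutoRun() is documented
    // to return false on failure — confirm against the installed System_Daemon.
    if ($autostart_path === false) {
        echo "Failed to create start script\n";
        exit(1);
    }
    if ($autostart_path != 1) {
        echo "Successfully created start script at " . $autostart_path . "\n";
    } else {
        echo "Start script already created\n";
    }
    echo "To start daemon use: /etc/init.d/" . $appname . " start\n";
    exit;
}

require_once 'ykval-synclib.php';
require_once 'ykval-config.php';
require_once 'ykval-log.php';

System_Daemon::start();
// Spawn Deamon!

/* Application start */
$sl = new SyncLib('ykval-queue:synclib');
// Do not spin forever on a dead backend; the other ykval entry points bail
// out the same way when the database is unreachable.
if (!$sl->isConnected()) {
    System_Daemon::stop();
    exit(1);
}

# Loop forever and resync.
# sleep() returns 0 after a full interval and a non-zero value when it is cut
# short (e.g. by a signal), so the loop ends only on interruption, after which
# the daemon shuts down cleanly.
$res = 0; // was `$res == 0;` — a no-op comparison that left $res undefined
while ($res == 0) {
    $sl->reSync($baseParams['__YKVAL_SYNC_OLD_LIMIT__'], $baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__']);
    $res = sleep($baseParams['__YKVAL_SYNC_INTERVAL__']);
}
System_Daemon::stop();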
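<?php

require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';

/*
 * ykval-sync: receives sync requests from the other validation servers.
 * This prologue sets up logging and the sync library, then enforces the
 * sync-pool IP allow-list before any request parameter is examined.
 */
$apiKey = '';

header("content-type: text/plain");

$myLog = new Log('ykval-sync');
$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
// The raw query string (OTP, nonce, counters) is logged at INFO level.
$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);

$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $apiKey);
    exit;
}

#
# Verify that request comes from valid server
#
# REMOTE_ADDR is the transport peer as seen by this PHP process. The
# allow-list is only meaningful when the sync endpoint is reached directly;
# behind a reverse proxy every request would carry the proxy's address.
$myLog->log(LOG_INFO, 'remote request ip is ' . $_SERVER['REMOTE_ADDR']);
$allowed = false;
foreach ($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] as $server) {
    $myLog->log(LOG_DEBUG, 'checking against ip ' . $server);
    // Strict comparison: both sides are strings, and `==` would apply
    // numeric-string rules to anything that happens to look like a number.
    if ($_SERVER['REMOTE_ADDR'] === $server) {
        $myLog->log(LOG_DEBUG, 'server ' . $server . ' is allowed');
        $allowed = true;
        break;
    }
}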
if (!$allowed) {
    $myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);
    # Get all keys
    $res = $db->customQuery("SELECT yk_publicname FROM yubikeys WHERE active = true");
    while ($r = $db->fetchArray($res)) {
        $yubikeys[] = $r['yk_publicname'];
    }
    $db->closeCursor($res);
} else {
    # Check if key exists
    $r = $db->findBy('yubikeys', 'yk_publicname', $yk, 1);
    if (!$r) {
        logdie($myLog, "ERROR Unknown yubikey: {$yk}");
    }
    $yubikeys = array($yk);
}
/* Initialize the sync library. */
$sync = new SyncLib('ykval-resync:synclib');
// Attach the requester address and the key being resynced to this sync
// session (presumably as log context — same pattern as the other entry points).
foreach (array('ip' => $_SERVER['REMOTE_ADDR'], 'yk' => $yk) as $fieldName => $fieldValue) {
    $sync->addField($fieldName, $fieldValue);
}
// logdie() ends the script: nothing below can run without a database.
if (!$sync->isConnected()) {
    logdie($myLog, 'ERROR Database connect error (2)');
}
foreach ($yubikeys as $key) {
    if (($localParams = $sync->getLocalParams($key)) === FALSE) {
        logdie($myLog, 'ERROR Invalid Yubikey ' . $key);
    }
    $localParams['otp'] = $key . str_repeat('c', 32);
    // Fake an OTP, only used for logging.
    $myLog->log(LOG_DEBUG, "Auth data:", $localParams);
    /* Queue sync request */
    if (!$sync->queue($localParams, $localParams)) {
        logdie($myLog, 'ERROR Failed resync');
}
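// define requirements on protocol
$syncParams = array('modified' => NULL, 'otp' => NULL, 'nonce' => NULL, 'yk_publicname' => NULL, 'yk_counter' => NULL, 'yk_use' => NULL, 'yk_high' => NULL, 'yk_low' => NULL);

// extract values from HTTP request
$tmp_log = 'Received ';
foreach ($syncParams as $param => $value) {
    $value = getHttpVal($param, NULL);
    // Absent and empty values are both "missing". The previous `== NULL`
    // reached the same outcome through loose comparison ('' matched, '0' did
    // not); it is now stated explicitly.
    // NOTE(review): assumes getHttpVal() returns a string or the NULL default
    // — confirm, since an int 0 would previously also have been rejected.
    if ($value === NULL || $value === '') {
        $myLog->log(LOG_NOTICE, "Received request with parameter[s] ({$param}) missing value");
        // sendResp() is relied on to terminate the request (no exit follows).
        sendResp(S_MISSING_PARAMETER, $myLog);
    }
    $syncParams[$param] = $value;
    $tmp_log .= "{$param}={$value} ";
}
// Every parameter, OTP and nonce included, is logged at INFO level.
$myLog->log(LOG_INFO, $tmp_log);

$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $ipaddr);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
}

// at this point we should have the otp so let's add it to the logging module
$myLog->addField('otp', $syncParams['otp']);
$sync->addField('otp', $syncParams['otp']);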
foreach (array('modified', 'yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {
    // -1 is valid except for modified
    if ($param !== 'modified' && $syncParams[$param] === '-1') {
        continue;
    }
    // [0-9]+
    if ($syncParams[$param] !== '' && ctype_digit($syncParams[$param])) {
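 /**
  * A freshly queued entry carries a non-NULL 'queued' timestamp; after
  * sync(3) against this server list the same entry is found with 'queued'
  * reset to NULL and the queue has grown by exactly one.
  *
  * Needs a live ykval database and the local sync endpoints listed in
  * $sl->syncServers; the "doesntexist" host is deliberately unreachable.
  */
 public function testNullQueue()
 {
     $sl = new SyncLib();
     $sl->syncServers = array("http://localhost/wsapi/syncvalid1", "http://doesntexist/wsapi/syncvalid2", "http://localhost/wsapi/syncvalid3");
     $start_length = $sl->getQueueLength();

     $p1 = array('modified' => 1259585588 + 1000, 'otp' => "ccccccccccccfrhiutjgfnvgdurgliidceuilikvfhui", 'yk_publicname' => "cccccccccccc", 'yk_counter' => 9, 'yk_use' => 3, 'yk_high' => 100, 'yk_low' => 1000);
     $this->assertTrue($sl->queue($p1, $p1));

     $entry = $this->fetchQueueEntry($sl, 1259585588 + 1000);
     $this->assertNotNull($entry['queued']);

     $sl->sync(3);
     $this->assertEquals(1 + $start_length, $sl->getQueueLength());

     $entry = $this->fetchQueueEntry($sl, 1259585588 + 1000);
     $this->assertNull($entry['queued']);
 }

 /**
  * Load the first queue row for $modified under the current server nonce and
  * flatten its info string into one associative array (the lookup used to be
  * duplicated inline, once before and once after sync()).
  */
 private function fetchQueueEntry(SyncLib $sl, $modified)
 {
     $rows = $sl->db->findByMultiple('queue', array("modified" => $modified, "server_nonce" => $sl->server_nonce));
     $row = $rows[0];
     $info = $sl->otpParamsFromInfoString($row['info']);
     return array('queued' => $row['queued'], 'modified' => $row['modified'], 'otp' => $row['otp'], 'server' => $row['server'], 'nonce' => $info['nonce'], 'yk_publicname' => $info['yk_publicname'], 'yk_counter' => $info['yk_counter'], 'yk_use' => $info['yk_use'], 'yk_high' => $info['yk_high'], 'yk_low' => $info['yk_low']);
 }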
    }
    echo "no (sync pool not configured)\n";
    exit(0);
}
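if (($endpoints = endpoints($urls)) === FALSE) {
    echo "Cannot parse URLs from sync pool list\n";
    exit(1);
}

// munin "config" run: one stacked gauge per sync-pool endpoint.
if ($argc === 2 && $argv[1] === 'config') {
    echo "graph_title YK-VAL queue size\n";
    echo "graph_vlabel sync requests in queue\n";
    echo "graph_category ykval\n";
    foreach ($endpoints as $endpoint) {
        list($internal, $label, $url) = $endpoint;
        echo "{$internal}_queuelength.label sync {$label}\n";
        echo "{$internal}_queuelength.draw AREASTACK\n";
        echo "{$internal}_queuelength.type GAUGE\n";
    }
    exit(0);
}

// Fetch run: per-server queue length. Servers absent from the map returned
// by getQueueLengthByServer() are reported as 0.
$sync = new SyncLib('ykval-synclib:munin');
// Without a database there is nothing to report; fail loudly instead of
// emitting all-zero values that would look like an empty queue.
if (!$sync->isConnected()) {
    echo "Cannot connect to the ykval database\n";
    exit(1);
}
$queuelength = $sync->getQueueLengthByServer();
foreach ($endpoints as $endpoint) {
    list($internal, $label, $url) = $endpoint;
    $count = array_key_exists($url, $queuelength) ? $queuelength[$url] : 0;
    echo "{$internal}_queuelength.value {$count}\n";
}
exit(0);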
    $myLog->log(LOG_NOTICE, 'SL is provided but not correct');
    sendResp(S_MISSING_PARAMETER, $myLog);
    exit;
}
// NOTE: Timestamp parameter is not checked since current protocol says that 1 means request timestamp
// and anything else is discarded.

//// Get Client info from DB
//
// NOTE(review): assumes $client was already coerced to an integer upstream.
// A non-numeric string would pass this `<= 0` test under PHP 8's string
// comparison rules and only be rejected by getClientData() below — confirm.
if ($client <= 0) {
    $myLog->log(LOG_NOTICE, 'Client ID is missing');
    sendResp(S_MISSING_PARAMETER, $myLog);
    // This variant terminates explicitly after every sendResp().
    exit;
}

/* Initialize the sync library. Strive to use this instead of custom
   DB requests, custom comparisons etc */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('otp', $otp);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
    exit;
}

$cd = $sync->getClientData($client);
// Falsy covers both a "no such client" return and an empty record; either
// way the request is refused before any signature work is done.
if (!$cd) {
    $myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
    sendResp(S_NO_SUCH_CLIENT, $myLog);
    exit;
}
// The full client record is logged at DEBUG level; it presumably includes the
// client's API secret used by the signature check that follows, so keep DEBUG
// logging disabled on production validators — verify against the code below.
$myLog->log(LOG_DEBUG, "Client data:", $cd);
//// Check client signature
//
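#!/usr/bin/php
<?php

/*
 * munin plugin: total number of pending entries in the ykval sync queue.
 *
 *   autoconf  -> "yes"
 *   config    -> graph definition
 *   (no arg)  -> "queuelength.value N"
 */
set_include_path(implode(PATH_SEPARATOR, array(get_include_path(), "/etc/ykval", "/usr/share/ykval")));

require_once 'ykval-synclib.php';
require_once 'ykval-config.php';
require_once 'ykval-log.php';

if ($argc === 2 && $argv[1] === "autoconf") {
    print "yes\n";
    exit(0);
}

if ($argc === 2 && $argv[1] === "config") {
    echo "graph_title YK-VAL queue size\n";
    echo "graph_vlabel sync requests in queue\n";
    echo "graph_category ykval\n";
    echo "queuelength.label sync requests\n";
    echo "queuelength.draw AREA\n";
    exit(0);
}

$sync = new SyncLib('ykval-verify:synclib');
// This plugin is run by munin-node from the command line, where REMOTE_ADDR
// is normally unset; reading it unconditionally raised an undefined-index
// notice on every fetch. Only tag the field when it is actually present.
if (isset($_SERVER['REMOTE_ADDR'])) {
    $sync->addField('ip', $_SERVER['REMOTE_ADDR']);
}
// Fail loudly without a database rather than reporting a bogus value.
if (!$sync->isConnected()) {
    echo "Cannot connect to the ykval database\n";
    exit(1);
}
$len = $sync->getQueueLength();
echo "queuelength.value {$len}\n";

#%# family=auto
#%# capabilities=autoconf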