$myLog->log(LOG_NOTICE, 'NONCE is provided but not correct');
sendResp(S_MISSING_PARAMETER, $myLog);
}
// (the `if` closed above starts before this fragment)

// Nonce length policy: anything shorter than 16 or longer than 40 bytes is rejected.
// NOTE(review): no `exit` follows sendResp() anywhere in this fragment, so the
// request presumably terminates inside sendResp() -- confirm, since otherwise a
// rejected request would fall through to the client lookup below.
if (isset($nonce) && (strlen($nonce) < 16 || strlen($nonce) > 40)) {
    $myLog->log(LOG_NOTICE, 'Nonce too short or too long');
    sendResp(S_MISSING_PARAMETER, $myLog);
}

/**
 * Timestamp parameter is not checked since current protocol
 * says that 1 means request timestamp and anything else is discarded.
 */

/**
 * Initialize the sync library. Strive to use this instead of custom
 * DB requests, custom comparisons etc.
 * The ip/otp fields are attached so that SyncLib's own log lines carry them.
 */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $ipaddr);
$sync->addField('otp', $otp);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
}

// Look up the client record; getClientData() signals an unknown id with FALSE.
if (($cd = $sync->getClientData($client)) === FALSE) {
    $myLog->log(LOG_NOTICE, "Invalid client id {$client}");
    sendResp(S_NO_SUCH_CLIENT, $myLog);
}
// Debug level only: the client record includes the shared secret.
$myLog->log(LOG_DEBUG, 'Client data:', $cd);

/**
 * Check client signature
 *
 * The stored secret is base64; decode it to the raw key bytes used for the
 * signature check that follows this fragment.
 * NOTE(review): base64_decode() runs in non-strict mode, so characters
 * outside the base64 alphabet in a corrupted stored secret are silently
 * skipped rather than reported. base64_decode($apiKey, true) would return
 * FALSE instead, which could be mapped to a backend error -- confirm how the
 * later users of $apiKey handle FALSE before changing.
 */
$apiKey = $cd['secret'];
$apiKey = base64_decode($apiKey);
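# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

set_include_path(implode(PATH_SEPARATOR, array(
    get_include_path(),
    '/usr/share/yubikey-val',
    '/etc/yubico/val',
)));

require_once 'ykval-synclib.php';
require_once 'ykval-config.php';
require_once 'ykval-log.php';

/*
 * Nagios-style check of the ykval sync queue length.
 *
 * Usage: <script> WARNING CRITICAL
 *
 * Exit status follows the Nagios plugin convention: 0 OK, 1 WARNING
 * (queue length above WARNING), 2 CRITICAL (above CRITICAL), 3 UNKNOWN
 * (missing or unusable arguments).
 */
if ($argc != 3) {
    print "warning and critical levels have to be given on commandline\n";
    exit(3);
}

// Reject non-numeric thresholds up front. PHP's loose comparison of the
// integer queue length with an arbitrary string would otherwise produce an
// arbitrary OK/WARNING/CRITICAL verdict instead of an UNKNOWN status.
if (!is_numeric($argv[1]) || !is_numeric($argv[2])) {
    print "warning and critical levels have to be numeric\n";
    exit(3);
}
// "+ 0" turns the numeric strings into int (or float) for the comparisons below.
$warning = $argv[1] + 0;
$critical = $argv[2] + 0;

$sync = new SyncLib('ykval-verify:synclib');
$len = $sync->getQueueLength();
$message = "Queue length is {$len}";

// The more severe threshold is tested first, so overlapping thresholds
// report CRITICAL.
if ($len > $critical) {
    print "CRITICAL: {$message}\n";
    exit(2);
} elseif ($len > $warning) {
    print "WARNING: {$message}\n";
    exit(1);
} else {
    print "OK: {$message}\n";
    exit(0);
}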
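require_once "System/Daemon.php";

$appname = "ykval-queue";
System_Daemon::setOption("appName", $appname);
System_Daemon::setOption("appDescription", "Yubico val-server sync daemon");
System_Daemon::setOption("authorName", "*****@*****.**");
System_Daemon::setOption("authorEmail", "*****@*****.**");

/*
 * "install" mode only writes the init script and exits; the daemon itself
 * is not started.
 */
if ($argc == 2 && $argv[1] === "install") {
    $autostart_path = System_Daemon::writeAutoRun();
    // NOTE(review): the result is compared loosely against 1, so the
    // "already created" branch is taken only for a return value of true;
    // any other value, including a failure indicator, prints the success
    // message -- confirm against System_Daemon::writeAutoRun()'s contract.
    if ($autostart_path != 1) {
        echo "Successfully created start script at " . $autostart_path . "\n";
        echo "To start daemon use: /etc/init.d/" . $appname . " start\n";
    } else {
        echo "Start script already created\n";
        echo "To start daemon use: /etc/init.d/" . $appname . " start\n";
    }
    exit;
}

require_once 'ykval-synclib.php';
require_once 'ykval-config.php';
require_once 'ykval-log.php';

System_Daemon::start(); // Spawn Daemon!

/* Application start */
$sl = new SyncLib('ykval-queue:synclib');

# Loop forever and resync.
# Bug fix: this used to read `$res == 0;` -- a comparison whose result was
# thrown away -- so the loop only ran because an undefined $res happened to
# compare loosely equal to 0. Initialise the loop variable explicitly.
$res = 0;
while ($res == 0) {
    $sl->reSync($baseParams['__YKVAL_SYNC_OLD_LIMIT__'], $baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__']);
    # sleep() returns 0 when the whole interval elapsed; a non-zero result
    # (e.g. the call was interrupted by a signal) ends the loop and stops
    # the daemon below.
    $res = sleep($baseParams['__YKVAL_SYNC_INTERVAL__']);
}

System_Daemon::stop();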
<?php
/*
 * ykval-sync entry point: handles sync requests coming from the other
 * validation servers of the pool. Only peers listed in
 * __YKVAL_ALLOWED_SYNC_POOL__ are accepted.
 */
require_once 'ykval-common.php';
require_once 'ykval-config.php';
require_once 'ykval-synclib.php';

// No per-client key in the sync protocol; sendResp() receives an empty key.
// NOTE(review): other variants of this code pass the logger as sendResp()'s
// second argument; this one passes $apiKey -- confirm the signature that
// ykval-common.php defines for this version.
$apiKey = '';

header("content-type: text/plain");

$myLog = new Log('ykval-sync');
$myLog->addField('ip', $_SERVER['REMOTE_ADDR']);
// The raw query string is logged at INFO; it carries every request
// parameter, presumably including the OTP being synced.
$myLog->log(LOG_INFO, "Request: " . $_SERVER['QUERY_STRING']);

$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $apiKey);
    exit;
}

#
# Verify that request comes from valid server
#
# Peer authentication is by source address only. REMOTE_ADDR is the TCP
# peer as seen by this PHP process, so the caller cannot forge it the way
# it could a request header. NOTE(review): behind a reverse proxy every
# request would appear to come from the proxy address -- confirm the
# deployment does not terminate connections in front of this server.
$myLog->log(LOG_INFO, 'remote request ip is ' . $_SERVER['REMOTE_ADDR']);
$allowed = False;
foreach ($baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] as $server) {
    $myLog->log(LOG_DEBUG, 'checking against ip ' . $server);
    // Loose string comparison; adequate for dotted-quad literals, though a
    // strict === would exclude PHP's numeric-string equivalences entirely.
    if ($_SERVER['REMOTE_ADDR'] == $server) {
        $myLog->log(LOG_DEBUG, 'server ' . $server . ' is allowed');
        $allowed = True;
        break;
    }
}
// Rejection path (this block continues beyond the fragment).
if (!$allowed) {
    $myLog->log(LOG_NOTICE, 'Operation not allowed from IP ' . $_SERVER['REMOTE_ADDR']);
# Get all keys
# (this branch belongs to an `if` that starts before this fragment; the
# query is a constant string, no request data is interpolated into it)
$res = $db->customQuery("SELECT yk_publicname FROM yubikeys WHERE active = true");
while ($r = $db->fetchArray($res)) {
    $yubikeys[] = $r['yk_publicname'];
}
$db->closeCursor($res);
# NOTE(review): when the query returns no rows $yubikeys is never assigned
# here and the foreach below iterates an undefined variable -- confirm
# whether a caller guarantees at least one active key.
} else {
    # Check if key exists
    $r = $db->findBy('yubikeys', 'yk_publicname', $yk, 1);
    if (!$r) {
        logdie($myLog, "ERROR Unknown yubikey: {$yk}");
    }
    $yubikeys = array($yk);
}

/* Initialize the sync library. */
$sync = new SyncLib('ykval-resync:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('yk', $yk);
if (!$sync->isConnected()) {
    logdie($myLog, 'ERROR Database connect error (2)');
}

/* Queue one sync request per key. logdie() presumably logs the message and
   ends the script, so every error path below is terminal. */
foreach ($yubikeys as $key) {
    if (($localParams = $sync->getLocalParams($key)) === FALSE) {
        logdie($myLog, 'ERROR Invalid Yubikey ' . $key);
    }
    $localParams['otp'] = $key . str_repeat('c', 32); // Fake an OTP, only used for logging.
    // Debug level only: this dumps the key's counters.
    $myLog->log(LOG_DEBUG, "Auth data:", $localParams);

    /* Queue sync request. The local parameters are passed twice: a resync
       has no freshly validated OTP, so the stored state stands in for it. */
    if (!$sync->queue($localParams, $localParams)) {
        logdie($myLog, 'ERROR Failed resync');
}

// define requirements on protocol
// Every key below is a mandatory request parameter; NULL marks "not read yet".
$syncParams = array(
    'modified' => NULL,
    'otp' => NULL,
    'nonce' => NULL,
    'yk_publicname' => NULL,
    'yk_counter' => NULL,
    'yk_use' => NULL,
    'yk_high' => NULL,
    'yk_low' => NULL,
);

// extract values from HTTP request
$tmp_log = 'Received ';
foreach ($syncParams as $param => $value) {
    $value = getHttpVal($param, NULL);
    // Loose == NULL: both an absent parameter (the NULL default) and an
    // empty string count as missing. NOTE(review): sendResp() is not
    // followed by exit here, so it is presumably terminating -- confirm.
    if ($value == NULL) {
        $myLog->log(LOG_NOTICE, "Received request with parameter[s] ({$param}) missing value");
        sendResp(S_MISSING_PARAMETER, $myLog);
    }
    $syncParams[$param] = $value;
    $tmp_log .= "{$param}={$value} ";
}
// One INFO line listing every received parameter, OTP and nonce included.
$myLog->log(LOG_INFO, $tmp_log);

$sync = new SyncLib('ykval-sync:synclib');
$sync->addField('ip', $ipaddr);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
}

// at this point we should have the otp so let's add it to the logging module
$myLog->addField('otp', $syncParams['otp']);
$sync->addField('otp', $syncParams['otp']);

// verify correctness of input parameters
// The counter-like fields must be decimal digit strings; "-1" is accepted
// for all of them except modified. (The loop continues beyond this fragment.)
foreach (array('modified', 'yk_counter', 'yk_use', 'yk_high', 'yk_low') as $param) {
    // -1 is valid except for modified
    if ($param !== 'modified' && $syncParams[$param] === '-1') {
        continue;
    }
    // [0-9]+
    if ($syncParams[$param] !== '' && ctype_digit($syncParams[$param])) {
public function testNullQueue() {
    $sl = new SyncLib();
    $sl->syncServers = array(
        "http://localhost/wsapi/syncvalid1",
        "http://doesntexist/wsapi/syncvalid2",
        "http://localhost/wsapi/syncvalid3",
    );
    $initialLength = $sl->getQueueLength();

    $modified = 1259585588 + 1000;
    $params = array(
        'modified' => $modified,
        'otp' => "ccccccccccccfrhiutjgfnvgdurgliidceuilikvfhui",
        'yk_publicname' => "cccccccccccc",
        'yk_counter' => 9,
        'yk_use' => 3,
        'yk_high' => 100,
        'yk_low' => 1000,
    );
    $this->assertTrue($sl->queue($params, $params));

    // Re-read the queue row this test wrote (matched on its modified time
    // and this SyncLib instance's server nonce) and flatten the encoded
    // info column into the same shape as the request parameters.
    $readQueueRow = function () use ($sl, $modified) {
        $rows = $sl->db->findByMultiple('queue', array(
            "modified" => $modified,
            "server_nonce" => $sl->server_nonce,
        ));
        $row = $rows[0];
        $info = $sl->otpParamsFromInfoString($row['info']);
        return array(
            'queued' => $row['queued'],
            'modified' => $row['modified'],
            'otp' => $row['otp'],
            'server' => $row['server'],
            'nonce' => $info['nonce'],
            'yk_publicname' => $info['yk_publicname'],
            'yk_counter' => $info['yk_counter'],
            'yk_use' => $info['yk_use'],
            'yk_high' => $info['yk_high'],
            'yk_low' => $info['yk_low'],
        );
    };

    // Freshly queued: the row carries a queued value.
    $before = $readQueueRow();
    $this->assertNotNull($before['queued']);

    // After one sync pass with the three servers the queue is expected to
    // hold exactly one more entry than before, with its queued value cleared.
    $sl->sync(3);
    $this->assertEquals(1 + $initialLength, $sl->getQueueLength());

    $after = $readQueueRow();
    $this->assertNull($after['queued']);
}
}
// "autoconf" answer when no sync pool is configured (the enclosing `if`
// starts before this fragment).
echo "no (sync pool not configured)\n";
exit(0);
}

// endpoints() is defined elsewhere in this file; it turns the pool URL list
// into (internal name, label, url) triples, or FALSE if it cannot parse them.
if (($endpoints = endpoints($urls)) === FALSE) {
    echo "Cannot parse URLs from sync pool list\n";
    exit(1);
}

// munin "config": one stacked gauge per sync peer.
if ($argc == 2 && strcmp($argv[1], 'config') == 0) {
    echo "graph_title YK-VAL queue size\n";
    echo "graph_vlabel sync requests in queue\n";
    echo "graph_category ykval\n";
    foreach ($endpoints as $endpoint) {
        list($internal, $label, $url) = $endpoint;
        echo "{$internal}_queuelength.label sync {$label}\n";
        echo "{$internal}_queuelength.draw AREASTACK\n";
        echo "{$internal}_queuelength.type GAUGE\n";
    }
    exit(0);
}

// Default (fetch) mode: per-peer queue lengths, keyed by peer URL.
$sync = new SyncLib('ykval-synclib:munin');
$queuelength = $sync->getQueueLengthByServer();
foreach ($endpoints as $endpoint) {
    list($internal, $label, $url) = $endpoint;
    // A peer absent from the result (presumably nothing queued for it)
    // is reported as 0 rather than omitted.
    $count = 0;
    if (array_key_exists($url, $queuelength)) {
        $count = $queuelength[$url];
    }
    echo "{$internal}_queuelength.value {$count}\n";
}
exit(0);
$myLog->log(LOG_NOTICE, 'SL is provided but not correct');
sendResp(S_MISSING_PARAMETER, $myLog);
exit;
}
// (the `if` closed above starts before this fragment)

// NOTE: Timestamp parameter is not checked since current protocol says that 1 means request timestamp
// and anything else is discarded.

//// Get Client info from DB
//
// A client id of 0 or less is treated as absent. In this variant every
// sendResp() is followed by an explicit exit.
if ($client <= 0) {
    $myLog->log(LOG_NOTICE, 'Client ID is missing');
    sendResp(S_MISSING_PARAMETER, $myLog);
    exit;
}

/* Initialize the sync library. Strive to use this instead of custom
   DB requests, custom comparisons etc */
$sync = new SyncLib('ykval-verify:synclib');
$sync->addField('ip', $_SERVER['REMOTE_ADDR']);
$sync->addField('otp', $otp);
if (!$sync->isConnected()) {
    sendResp(S_BACKEND_ERROR, $myLog);
    exit;
}

// Truthiness check: any FALSE/empty lookup result is treated as an
// unknown client.
$cd = $sync->getClientData($client);
if (!$cd) {
    $myLog->log(LOG_NOTICE, 'Invalid client id ' . $client);
    sendResp(S_NO_SUCH_CLIENT, $myLog);
    exit;
}
// Debug level only: the client record presumably includes the client's
// shared secret.
$myLog->log(LOG_DEBUG, "Client data:", $cd);

//// Check client signature
//
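#!/usr/bin/php
<?php
set_include_path(get_include_path() . PATH_SEPARATOR . "/etc/ykval:/usr/share/ykval");

require_once 'ykval-synclib.php';
require_once 'ykval-config.php';
require_once 'ykval-log.php';

/*
 * Munin plugin: reports the number of pending sync requests in the ykval
 * queue. Implements munin's "autoconf" and "config" sub-commands; with no
 * argument it prints the current value.
 */
if ($argc == 2 && $argv[1] === "autoconf") {
    print "yes\n";
    exit(0);
}

if ($argc == 2 && $argv[1] === "config") {
    echo "graph_title YK-VAL queue size\n";
    echo "graph_vlabel sync requests in queue\n";
    echo "graph_category ykval\n";
    echo "queuelength.label sync requests\n";
    echo "queuelength.draw AREA\n";
    exit(0);
}

$sync = new SyncLib('ykval-verify:synclib');
// Munin runs this plugin from the command line, where $_SERVER['REMOTE_ADDR']
// is not set; reading it unguarded produced an undefined-index notice on
// every poll. Only attach the field when it actually exists.
if (isset($_SERVER['REMOTE_ADDR'])) {
    $sync->addField('ip', $_SERVER['REMOTE_ADDR']);
}
$len = $sync->getQueueLength();
echo "queuelength.value {$len}\n";

#%# family=auto
#%# capabilities=autoconf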