harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'dev'

Browse Source
This commit is contained in:
redmatrix 2015-12-06 20:50:02 -08:00
commit 53627c89a7
12 changed files with 640 additions and 470 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Zotlabs/Identity/BasicId.php Normal file
View File

@ -0,0 +1,18 @@
<?php
namespace Zotlabs\Identity\BasicId;
class BasicId {
private $name;
private $profile_photo;
private $profile_url;
private $address;
private $protocol;
}

16
Zotlabs/Identity/ProfilePhoto.php Normal file
View File

@ -0,0 +1,16 @@
<?php
namespace Zotlabs\Identity\ProfilePhoto;
class ProfilePhoto {
private $photo_large_url;
private $photo_medium_url;
private $photo_small_url;
private $photo_mimetype;
private $photo_updated;
}

126
Zotlabs/Zot/Receiver.php Normal file
View File

@ -0,0 +1,126 @@
<?php
namespace Zotlabs\Zot;
class Receiver {
protected $data;
protected $encrypted;
protected $error;
protected $messagetype;
protected $sender;
protected $validated;
protected $recipients;
protected $response;
function __construct($data,$prvkey) {
$this->error = false;
$this->validated = false;
$this->messagetype = '';
$this->response = array('success' => false);
if(! is_array($data))
$data = json_decode($data,true);
if($data && is_array($data)) {
$this->encrypted = ((array_key_exists('iv',$data)) ? true : false);
if($this->encrypted) {
$this->data = @json_decode(@crypto_unencapsulate($data,$prvkey),true);
}
if(! $this->data)
$this->data = $data;
if($this->data && is_array($this->data) && array_key_exists('type',$this->data))
$this->messagetype = $this->data['type'];
}
if(! $this->messagetype)
$this->error = true;
$this->sender = ((array_key_exists('sender',$this->data)) ? $this->data['sender'] : null);
$this->recipients = ((array_key_exists('recipients',$this->data)) ? $this->data['recipients'] : null);
if($this->sender)
$this->ValidateSender();
$this->Dispatch();
}
function ValidateSender() {
$hubs = zot_gethub($this->sender,true);
if (! $hubs) {
/* Have never seen this guid or this guid coming from this location. Check it and register it. */
/* (!!) this will validate the sender. */
$result = zot_register_hub($this->sender);
if ((! $result['success']) || (! ($hubs = zot_gethub($this->sender,true)))) {
$this->response['message'] = 'Hub not available.';
json_return_and_die($this->response);
}
}
foreach($hubs as $hub) {
update_hub_connected($hub,((array_key_exists('sitekey',$this->sender)) ? $this->sender['sitekey'] : ''));
}
$this->validated = true;
}
function Dispatch() {
/* Handle tasks which don't require sender validation */
switch($this->messagetype) {
case 'ping':
/* no validation needed */
zot_reply_ping();
break;
case 'pickup':
/* perform site validation, as opposed to sender validation */
zot_reply_pickup($this->data);
break;
default:
if(! $this->validated) {
$this->response['message'] = 'Sender not valid';
json_return_and_die($this->response);
}
break;
}
/* Now handle tasks which require sender validation */
switch($this->messagetype) {
case 'auth_check':
zot_reply_auth_check($this->data,$this->encrypted);
break;
case 'request':
json_return_and_die(zot_process_message_request($this->data));
break;
case 'purge':
zot_reply_purge($this->sender,$this->recipients);
break;
case 'refresh':
case 'force_refresh':
zot_reply_refresh($this->sender,$this->recipients);
break;
case 'notify':
zot_reply_notify($this->data);
break;
default:
$this->response['message'] = 'Not implemented';
json_return_and_die($this->response);
break;
}
}
}

11
doc/hook/check_channelallowed.bb Normal file
View File

@ -0,0 +1,11 @@
[h2]check_channelallowed[/h2]
Called when checking the channel (xchan) black and white lists to see if a channel is blocked.
Hook data
array('hash' => xchan_hash of xchan to check);
create and set array element 'allowed' to true or false to override the system checks

10
doc/hook/check_siteallowed.bb Normal file
View File

@ -0,0 +1,10 @@
[h2]check_siteallowed[/h2]
Called when checking the site black and white lists to see if a site is blocked.
Hook data
array('url' => URL of site to check);
create and set array element 'allowed' to true or false to override the system checks

6
doc/hooklist.bb
View File

@ -82,6 +82,12 @@ Hooks allow plugins/addons to "hook into" the code at many points and alter the
[zrl=[baseurl]/help/hook/check_account_password]check_account_password[/zrl] [zrl=[baseurl]/help/hook/check_account_password]check_account_password[/zrl]
Used to provide policy control over account passwords (minimum length, character set inclusion, etc.) Used to provide policy control over account passwords (minimum length, character set inclusion, etc.)
[zrl=[baseurl]/help/hook/check_channelallowed]check_channelallowed[/zrl]
Used to over-ride or bypass the channel black/white block lists
[zrl=[baseurl]/help/hook/check_siteallowed]check_siteallowed[/zrl]
Used to over-ride or bypass the site black/white block lists
[zrl=[baseurl]/help/hook/connect_premium]connect_premium[/zrl] [zrl=[baseurl]/help/hook/connect_premium]connect_premium[/zrl]
Called when connecting to a premium channel Called when connecting to a premium channel

1
include/message.php
View File

@ -506,3 +506,4 @@ function private_messages_fetch_conversation($channel_id, $messageitem_id, $upda
return $messages; return $messages;
} }

13
include/network.php
View File

@ -1822,6 +1822,13 @@ function check_siteallowed($url) {
$retvalue = true; $retvalue = true;
$arr = array('url' => $url);
call_hooks('check_siteallowed',$arr);
if(array_key_exists('allowed',$arr))
return $arr['allowed'];
$bl1 = get_config('system','whitelisted_sites'); $bl1 = get_config('system','whitelisted_sites');
if(is_array($bl1) && $bl1) { if(is_array($bl1) && $bl1) {
foreach($bl1 as $bl) { foreach($bl1 as $bl) {
@ -1848,6 +1855,12 @@ function check_channelallowed($hash) {
$retvalue = true; $retvalue = true;
$arr = array('hash' => $hash);
call_hooks('check_channelallowed',$arr);
if(array_key_exists('allowed',$arr))
return $arr['allowed'];
$bl1 = get_config('system','whitelisted_channels'); $bl1 = get_config('system','whitelisted_channels');
if(is_array($bl1) && $bl1) { if(is_array($bl1) && $bl1) {
foreach($bl1 as $bl) { foreach($bl1 as $bl) {

418
include/zot.php
View File

@ -3989,3 +3989,421 @@ function delivery_report_is_storable($dr) {
} }
function update_hub_connected($hub,$sitekey = '') {
if($sitekey) {
/*
* This hub has now been proven to be valid.
* Any hub with the same URL and a different sitekey cannot be valid.
* Get rid of them (mark them deleted). There's a good chance they were re-installs.
*/
q("update hubloc set hubloc_deleted = 1, hubloc_error = 1 where hubloc_url = '%s' and hubloc_sitekey != '%s' ",
dbesc($hub['hubloc_url']),
dbesc($sitekey)
);
}
else {
$sitekey = $hub['sitekey'];
}
// $sender['sitekey'] is a new addition to the protcol to distinguish
// hublocs coming from re-installed sites. Older sites will not provide
// this field and we have to still mark them valid, since we can't tell
// if this hubloc has the same sitekey as the packet we received.
// Update our DB to show when we last communicated successfully with this hub
// This will allow us to prune dead hubs from using up resources
$r = q("update hubloc set hubloc_connected = '%s' where hubloc_id = %d and hubloc_sitekey = '%s' ",
dbesc(datetime_convert()),
intval($hub['hubloc_id']),
dbesc($sitekey)
);
// a dead hub came back to life - reset any tombstones we might have
if(intval($hub['hubloc_error'])) {
q("update hubloc set hubloc_error = 0 where hubloc_id = %d and hubloc_sitekey = '%s' ",
intval($hub['hubloc_id']),
dbesc($sitekey)
);
if(intval($r[0]['hubloc_orphancheck'])) {
q("update hubloc set hubloc_orhpancheck = 0 where hubloc_id = %d and hubloc_sitekey = '%s' ",
intval($hub['hubloc_id']),
dbesc($sitekey)
);
}
q("update xchan set xchan_orphan = 0 where xchan_orphan = 1 and xchan_hash = '%s'",
dbesc($hub['hubloc_hash'])
);
}
return $hub['hubloc_url'];
}
function zot_reply_ping() {
$ret = array('success'=> false);
// Useful to get a health check on a remote site.
// This will let us know if any important communication details
// that we may have stored are no longer valid, regardless of xchan details.
logger('POST: got ping send pong now back: ' . z_root() , LOGGER_DEBUG );
$ret['success'] = true;
$ret['site'] = array();
$ret['site']['url'] = z_root();
$ret['site']['url_sig'] = base64url_encode(rsa_sign(z_root(),get_config('system','prvkey')));
$ret['site']['sitekey'] = get_config('system','pubkey');
json_return_and_die($ret);
}
function zot_reply_pickup($data) {
$ret = array('success'=> false);
/*
* The 'pickup' message arrives with a tracking ID which is associated with a particular outq_hash
* First verify that that the returned signatures verify, then check that we have an outbound queue item
* with the correct hash.
* If everything verifies, find any/all outbound messages in the queue for this hubloc and send them back
*/
if((! $data['secret']) || (! $data['secret_sig'])) {
$ret['message'] = 'no verification signature';
logger('mod_zot: pickup: ' . $ret['message'], LOGGER_DEBUG);
json_return_and_die($ret);
}
$r = q("select distinct hubloc_sitekey from hubloc where hubloc_url = '%s' and hubloc_callback = '%s' and hubloc_sitekey != '' group by hubloc_sitekey ",
dbesc($data['url']),
dbesc($data['callback'])
);
if(! $r) {
$ret['message'] = 'site not found';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
foreach ($r as $hubsite) {
// verify the url_sig
// If the server was re-installed at some point, there could be multiple hubs with the same url and callback.
// Only one will have a valid key.
$forgery = true;
$secret_fail = true;
$sitekey = $hubsite['hubloc_sitekey'];
logger('mod_zot: Checking sitekey: ' . $sitekey, LOGGER_DATA);
if(rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) {
$forgery = false;
}
if(rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) {
$secret_fail = false;
}
if((! $forgery) && (! $secret_fail))
break;
}
if($forgery) {
$ret['message'] = 'possible site forgery';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
if($secret_fail) {
$ret['message'] = 'secret validation failed';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
/*
* If we made it to here, the signatures verify, but we still don't know if the tracking ID is valid.
* It wouldn't be an error if the tracking ID isn't found, because we may have sent this particular
* queue item with another pickup (after the tracking ID for the other pickup was verified).
*/
$r = q("select outq_posturl from outq where outq_hash = '%s' and outq_posturl = '%s' limit 1",
dbesc($data['secret']),
dbesc($data['callback'])
);
if(! $r) {
$ret['message'] = 'nothing to pick up';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
/*
* Everything is good if we made it here, so find all messages that are going to this location
* and send them all.
*/
$r = q("select * from outq where outq_posturl = '%s'",
dbesc($data['callback'])
);
if($r) {
logger('mod_zot: successful pickup message received from ' . $data['callback'] . ' ' . count($r) . ' message(s) picked up', LOGGER_DEBUG);
$ret['success'] = true;
$ret['pickup'] = array();
foreach($r as $rr) {
if($rr['outq_msg']) {
$x = json_decode($rr['outq_msg'],true);
if(! $x)
continue;
if(array_key_exists('message_list',$x)) {
foreach($x['message_list'] as $xx) {
$ret['pickup'][] = array('notify' => json_decode($rr['outq_notify'],true),'message' => $xx);
}
}
else
$ret['pickup'][] = array('notify' => json_decode($rr['outq_notify'],true),'message' => $x);
$x = q("delete from outq where outq_hash = '%s'",
dbesc($rr['outq_hash'])
);
}
}
}
$encrypted = crypto_encapsulate(json_encode($ret),$sitekey);
json_return_and_die($encrypted);
/* pickup: end */
}
function zot_reply_auth_check($data,$encrypted_packet) {
$ret = array('success' => false);
/*
* Requestor visits /magic/?dest=somewhere on their own site with a browser
* magic redirects them to $destsite/post [with auth args....]
* $destsite sends an auth_check packet to originator site
* The auth_check packet is handled here by the originator's site
* - the browser session is still waiting
* inside $destsite/post for everything to verify
* If everything checks out we'll return a token to $destsite
* and then $destsite will verify the token, authenticate the browser
* session and then redirect to the original destination.
* If authentication fails, the redirection to the original destination
* will still take place but without authentication.
*/
logger('mod_zot: auth_check', LOGGER_DEBUG);
if (! $encrypted_packet) {
logger('mod_zot: auth_check packet was not encrypted.');
$ret['message'] .= 'no packet encryption' . EOL;
json_return_and_die($ret);
}
$arr = $data['sender'];
$sender_hash = make_xchan_hash($arr['guid'],$arr['guid_sig']);
// garbage collect any old unused notifications
// This was and should be 10 minutes but my hosting provider has time lag between the DB and
// the web server. We should probably convert this to webserver time rather than DB time so
// that the different clocks won't affect it and allow us to keep the time short.
q("delete from verify where type = 'auth' and created < %s - INTERVAL %s",
db_utcnow(), db_quoteinterval('30 MINUTE')
);
$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
dbesc($sender_hash)
);
// We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in
// the verify table. It is now coming back to us as 'secret' and is signed by a channel at the other end.
// First verify their signature. We will have obtained a zot-info packet from them as part of the sender
// verification.
if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
$ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL;
json_return_and_die($ret);
}
// There should be exactly one recipient, the original auth requestor
$ret['message'] .= 'recipients ' . print_r($recipients,true) . EOL;
if ($data['recipients']) {
$arr = $data['recipients'][0];
$recip_hash = make_xchan_hash($arr['guid'], $arr['guid_sig']);
$c = q("select channel_id, channel_account_id, channel_prvkey from channel where channel_hash = '%s' limit 1",
dbesc($recip_hash)
);
if (! $c) {
logger('mod_zot: auth_check: recipient channel not found.');
$ret['message'] .= 'recipient not found.' . EOL;
json_return_and_die($ret);
}
$confirm = base64url_encode(rsa_sign($data['secret'] . $recip_hash,$c[0]['channel_prvkey']));
// This additionally checks for forged sites since we already stored the expected result in meta
// and we've already verified that this is them via zot_gethub() and that their key signed our token
$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
intval($c[0]['channel_id']),
dbesc($data['secret']),
dbesc($data['sender']['url'])
);
if (! $z) {
logger('mod_zot: auth_check: verification key not found.');
$ret['message'] .= 'verification key not found' . EOL;
json_return_and_die($ret);
}
$r = q("delete from verify where id = %d",
intval($z[0]['id'])
);
$u = q("select account_service_class from account where account_id = %d limit 1",
intval($c[0]['channel_account_id'])
);
logger('mod_zot: auth_check: success', LOGGER_DEBUG);
$ret['success'] = true;
$ret['confirm'] = $confirm;
if ($u && $u[0]['account_service_class'])
$ret['service_class'] = $u[0]['account_service_class'];
// Set "do not track" flag if this site or this channel's profile is restricted
// in some way
if (intval(get_config('system','block_public')))
$ret['DNT'] = true;
if (! perm_is_allowed($c[0]['channel_id'],'','view_profile'))
$ret['DNT'] = true;
if (get_pconfig($c[0]['channel_id'],'system','do_not_track'))
$ret['DNT'] = true;
if (get_pconfig($c[0]['channel_id'],'system','hide_online_status'))
$ret['DNT'] = true;
json_return_and_die($ret);
}
json_return_and_die($ret);
}
function zot_reply_purge($sender,$recipients) {
$ret = array('success' => false);
if ($recipients) {
// basically this means "unfriend"
foreach ($recipients as $recip) {
$r = q("select channel.*,xchan.* from channel
left join xchan on channel_hash = xchan_hash
where channel_guid = '%s' and channel_guid_sig = '%s' limit 1",
dbesc($recip['guid']),
dbesc($recip['guid_sig'])
);
if ($r) {
$r = q("select abook_id from abook where uid = %d and abook_xchan = '%s' limit 1",
intval($r[0]['channel_id']),
dbesc(make_xchan_hash($sender['guid'],$sender['guid_sig']))
);
if ($r) {
contact_remove($r[0]['channel_id'],$r[0]['abook_id']);
}
}
}
$ret['success'] = true;
}
else {
// Unfriend everybody - basically this means the channel has committed suicide
$arr = $sender;
$sender_hash = make_xchan_hash($arr['guid'],$arr['guid_sig']);
require_once('include/Contact.php');
remove_all_xchan_resources($sender_hash);
$ret['success'] = true;
}
json_return_and_die($ret);
}
function zot_reply_refresh($sender,$recipients) {
$ret = array('success' => false);
// remote channel info (such as permissions or photo or something)
// has been updated. Grab a fresh copy and sync it.
// The difference between refresh and force_refresh is that
// force_refresh unconditionally creates a directory update record,
// even if no changes were detected upon processing.
if($recipients) {
// This would be a permissions update, typically for one connection
foreach ($recipients as $recip) {
$r = q("select channel.*,xchan.* from channel
left join xchan on channel_hash = xchan_hash
where channel_guid = '%s' and channel_guid_sig = '%s' limit 1",
dbesc($recip['guid']),
dbesc($recip['guid_sig'])
);
$x = zot_refresh(array(
'xchan_guid' => $sender['guid'],
'xchan_guid_sig' => $sender['guid_sig'],
'hubloc_url' => $sender['url']
), $r[0], (($msgtype === 'force_refresh') ? true : false));
}
}
else {
// system wide refresh
$x = zot_refresh(array(
'xchan_guid' => $sender['guid'],
'xchan_guid_sig' => $sender['guid_sig'],
'hubloc_url' => $sender['url']
), null, (($msgtype === 'force_refresh') ? true : false));
}
$ret['success'] = true;
json_return_and_die($ret);
}
function zot_reply_notify($data) {
$ret = array('success' => false);
logger('notify received from ' . $connecting_url);
$async = get_config('system','queued_fetch');
if($async) {
// add to receive queue
// qreceive_add($data);
}
else {
$x = zot_fetch($data);
$ret['delivery_report'] = $x;
}
$ret['success'] = true;
json_return_and_die($ret);
}

8
mod/mail.php
View File

@ -17,6 +17,7 @@ function mail_post(&$a) {
$body = ((x($_REQUEST,'body')) ? escape_tags(trim($_REQUEST['body'])) : ''); $body = ((x($_REQUEST,'body')) ? escape_tags(trim($_REQUEST['body'])) : '');
$recipient = ((x($_REQUEST,'messageto')) ? notags(trim($_REQUEST['messageto'])) : ''); $recipient = ((x($_REQUEST,'messageto')) ? notags(trim($_REQUEST['messageto'])) : '');
$rstr = ((x($_REQUEST,'messagerecip')) ? notags(trim($_REQUEST['messagerecip'])) : ''); $rstr = ((x($_REQUEST,'messagerecip')) ? notags(trim($_REQUEST['messagerecip'])) : '');
$preview = ((x($_REQUEST,'preview')) ? intval($_REQUEST['preview']) : 0);
$expires = ((x($_REQUEST,'expires')) ? datetime_convert(date_default_timezone_get(),'UTC', $_REQUEST['expires']) : NULL_DATE); $expires = ((x($_REQUEST,'expires')) ? datetime_convert(date_default_timezone_get(),'UTC', $_REQUEST['expires']) : NULL_DATE);
// If we have a raw string for a recipient which hasn't been auto-filled, // If we have a raw string for a recipient which hasn't been auto-filled,
@ -86,6 +87,13 @@ function mail_post(&$a) {
require_once('include/text.php'); require_once('include/text.php');
linkify_tags($a, $body, local_channel()); linkify_tags($a, $body, local_channel());
if($preview) {
}
if(! $recipient) { if(! $recipient) {
notice('No recipient found.'); notice('No recipient found.');
$a->argc = 2; $a->argc = 2;

478
mod/post.php
View File

@ -481,480 +481,16 @@ function post_init(&$a) {
* *
* @param[in,out] App &$a * @param[in,out] App &$a
*/ */
function post_post(&$a) { function post_post(&$a) {
$encrypted_packet = false; require_once('Zotlabs/Zot/Receiver.php');
$ret = array('success' => false);
$data = json_decode($_REQUEST['data'],true); $z = new Zotlabs\Zot\Receiver($_REQUEST['data'],get_config('system','prvkey'));
/* // notreached;
* Many message packets will arrive encrypted. The existence of an 'iv'
* element tells us we need to unencapsulate the AES-256-CBC content using exit;
* the site private key.
*/
if($data && array_key_exists('iv',$data)) {
$encrypted_packet = true;
$data = crypto_unencapsulate($data,get_config('system','prvkey'));
logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
$data = json_decode($data,true);
}
if(! $data) {
// possible Bleichenbacher's attack, just treat it as a
// message we have no handler for. It should fail a bit
// further along with "no hub". Our public key is public
// knowledge. There's no reason why anybody should get the
// encryption wrong unless they're fishing or hacking. If
// they're developing and made a goof, this can be discovered
// in the logs of the destination site. If they're fishing or
// hacking, the bottom line is we can't verify their hub.
// That's all we're going to tell them.
$data = array('type' => 'bogus');
}
$msgtype = ((array_key_exists('type',$data)) ? $data['type'] : '');
if($msgtype === 'ping') {
// Useful to get a health check on a remote site.
// This will let us know if any important communication details
// that we may have stored are no longer valid, regardless of xchan details.
logger('POST: got ping send pong now back: ' . z_root() , LOGGER_DEBUG );
$ret['success'] = true;
$ret['site'] = array();
$ret['site']['url'] = z_root();
$ret['site']['url_sig'] = base64url_encode(rsa_sign(z_root(),get_config('system','prvkey')));
$ret['site']['sitekey'] = get_config('system','pubkey');
json_return_and_die($ret);
}
if($msgtype === 'pickup') {
/*
* The 'pickup' message arrives with a tracking ID which is associated with a particular outq_hash
* First verify that that the returned signatures verify, then check that we have an outbound queue item
* with the correct hash.
* If everything verifies, find any/all outbound messages in the queue for this hubloc and send them back
*/
if((! $data['secret']) || (! $data['secret_sig'])) {
$ret['message'] = 'no verification signature';
logger('mod_zot: pickup: ' . $ret['message'], LOGGER_DEBUG);
json_return_and_die($ret);
}
$r = q("select distinct hubloc_sitekey from hubloc where hubloc_url = '%s' and hubloc_callback = '%s' and hubloc_sitekey != '' group by hubloc_sitekey ",
dbesc($data['url']),
dbesc($data['callback'])
);
if(! $r) {
$ret['message'] = 'site not found';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
foreach ($r as $hubsite) {
// verify the url_sig
// If the server was re-installed at some point, there could be multiple hubs with the same url and callback.
// Only one will have a valid key.
$forgery = true;
$secret_fail = true;
$sitekey = $hubsite['hubloc_sitekey'];
logger('mod_zot: Checking sitekey: ' . $sitekey, LOGGER_DATA);
if(rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) {
$forgery = false;
}
if(rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) {
$secret_fail = false;
}
if((! $forgery) && (! $secret_fail))
break;
}
if($forgery) {
$ret['message'] = 'possible site forgery';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
if($secret_fail) {
$ret['message'] = 'secret validation failed';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
/*
* If we made it to here, the signatures verify, but we still don't know if the tracking ID is valid.
* It wouldn't be an error if the tracking ID isn't found, because we may have sent this particular
* queue item with another pickup (after the tracking ID for the other pickup was verified).
*/
$r = q("select outq_posturl from outq where outq_hash = '%s' and outq_posturl = '%s' limit 1",
dbesc($data['secret']),
dbesc($data['callback'])
);
if(! $r) {
$ret['message'] = 'nothing to pick up';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
/*
* Everything is good if we made it here, so find all messages that are going to this location
* and send them all.
*/
$r = q("select * from outq where outq_posturl = '%s'",
dbesc($data['callback'])
);
if($r) {
logger('mod_zot: successful pickup message received from ' . $data['callback'] . ' ' . count($r) . ' message(s) picked up', LOGGER_DEBUG);
$ret['success'] = true;
$ret['pickup'] = array();
foreach($r as $rr) {
if($rr['outq_msg']) {
$x = json_decode($rr['outq_msg'],true);
if(! $x)
continue;
if(array_key_exists('message_list',$x)) {
foreach($x['message_list'] as $xx) {
$ret['pickup'][] = array('notify' => json_decode($rr['outq_notify'],true),'message' => $xx);
}
}
else
$ret['pickup'][] = array('notify' => json_decode($rr['outq_notify'],true),'message' => $x);
$x = q("delete from outq where outq_hash = '%s'",
dbesc($rr['outq_hash'])
);
}
}
}
$encrypted = crypto_encapsulate(json_encode($ret),$sitekey);
json_return_and_die($encrypted);
/* pickup: end */
}
/*
* All other message types require us to verify the sender. This is a generic check, so we
* will do it once here and bail if anything goes wrong.
*/
if (array_key_exists('sender',$data)) {
$sender = $data['sender'];
}
/* Check if the sender is already verified here */
$hubs = zot_gethub($sender,true);
if (! $hubs) {
/* Have never seen this guid or this guid coming from this location. Check it and register it. */
// (!!) this will validate the sender
$result = zot_register_hub($sender);
if ((! $result['success']) || (! ($hubs = zot_gethub($sender,true)))) {
$ret['message'] = 'Hub not available.';
logger('mod_zot: no hub');
json_return_and_die($ret);
}
}
foreach($hubs as $hub) {
$sitekey = $hub['hubloc_sitekey'];
if(array_key_exists('sitekey',$sender) && $sender['sitekey']) {
/*
* This hub has now been proven to be valid.
* Any hub with the same URL and a different sitekey cannot be valid.
* Get rid of them (mark them deleted). There's a good chance they were re-installs.
*/
q("update hubloc set hubloc_deleted = 1, hubloc_error = 1 where hubloc_url = '%s' and hubloc_sitekey != '%s' ",
dbesc($hub['hubloc_url']),
dbesc($sender['sitekey'])
);
$sitekey = $sender['sitekey'];
}
// $sender['sitekey'] is a new addition to the protcol to distinguish
// hublocs coming from re-installed sites. Older sites will not provide
// this field and we have to still mark them valid, since we can't tell
// if this hubloc has the same sitekey as the packet we received.
// Update our DB to show when we last communicated successfully with this hub
// This will allow us to prune dead hubs from using up resources
$r = q("update hubloc set hubloc_connected = '%s' where hubloc_id = %d and hubloc_sitekey = '%s' ",
dbesc(datetime_convert()),
intval($hub['hubloc_id']),
dbesc($sitekey)
);
// a dead hub came back to life - reset any tombstones we might have
if(intval($hub['hubloc_error'])) {
q("update hubloc set hubloc_error = 0 where hubloc_id = %d and hubloc_sitekey = '%s' ",
intval($hub['hubloc_id']),
dbesc($sitekey)
);
if(intval($r[0]['hubloc_orphancheck'])) {
q("update hubloc set hubloc_orhpancheck = 0 where hubloc_id = %d and hubloc_sitekey = '%s' ",
intval($hub['hubloc_id']),
dbesc($sitekey)
);
}
q("update xchan set xchan_orphan = 0 where xchan_orphan = 1 and xchan_hash = '%s'",
dbesc($hub['hubloc_hash'])
);
}
$connecting_url = $hub['hubloc_url'];
}
/** @TODO check which hub is primary and take action if mismatched */
if (array_key_exists('recipients', $data))
$recipients = $data['recipients'];
if ($msgtype === 'auth_check') {
/*
* Requestor visits /magic/?dest=somewhere on their own site with a browser
* magic redirects them to $destsite/post [with auth args....]
* $destsite sends an auth_check packet to originator site
* The auth_check packet is handled here by the originator's site
* - the browser session is still waiting
* inside $destsite/post for everything to verify
* If everything checks out we'll return a token to $destsite
* and then $destsite will verify the token, authenticate the browser
* session and then redirect to the original destination.
* If authentication fails, the redirection to the original destination
* will still take place but without authentication.
*/
logger('mod_zot: auth_check', LOGGER_DEBUG);
if (! $encrypted_packet) {
logger('mod_zot: auth_check packet was not encrypted.');
$ret['message'] .= 'no packet encryption' . EOL;
json_return_and_die($ret);
}
$arr = $data['sender'];
$sender_hash = make_xchan_hash($arr['guid'],$arr['guid_sig']);
// garbage collect any old unused notifications
// This was and should be 10 minutes but my hosting provider has time lag between the DB and
// the web server. We should probably convert this to webserver time rather than DB time so
// that the different clocks won't affect it and allow us to keep the time short.
q("delete from verify where type = 'auth' and created < %s - INTERVAL %s",
db_utcnow(), db_quoteinterval('30 MINUTE')
);
$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
dbesc($sender_hash)
);
// We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in
// the verify table. It is now coming back to us as 'secret' and is signed by a channel at the other end.
// First verify their signature. We will have obtained a zot-info packet from them as part of the sender
// verification.
if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
$ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL;
json_return_and_die($ret);
}
// There should be exactly one recipient, the original auth requestor
$ret['message'] .= 'recipients ' . print_r($recipients,true) . EOL;
if ($data['recipients']) {
$arr = $data['recipients'][0];
$recip_hash = make_xchan_hash($arr['guid'], $arr['guid_sig']);
$c = q("select channel_id, channel_account_id, channel_prvkey from channel where channel_hash = '%s' limit 1",
dbesc($recip_hash)
);
if (! $c) {
logger('mod_zot: auth_check: recipient channel not found.');
$ret['message'] .= 'recipient not found.' . EOL;
json_return_and_die($ret);
}
$confirm = base64url_encode(rsa_sign($data['secret'] . $recip_hash,$c[0]['channel_prvkey']));
// This additionally checks for forged sites since we already stored the expected result in meta
// and we've already verified that this is them via zot_gethub() and that their key signed our token
$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
intval($c[0]['channel_id']),
dbesc($data['secret']),
dbesc($data['sender']['url'])
);
if (! $z) {
logger('mod_zot: auth_check: verification key not found.');
$ret['message'] .= 'verification key not found' . EOL;
json_return_and_die($ret);
}
$r = q("delete from verify where id = %d",
intval($z[0]['id'])
);
$u = q("select account_service_class from account where account_id = %d limit 1",
intval($c[0]['channel_account_id'])
);
logger('mod_zot: auth_check: success', LOGGER_DEBUG);
$ret['success'] = true;
$ret['confirm'] = $confirm;
if ($u && $u[0]['account_service_class'])
$ret['service_class'] = $u[0]['account_service_class'];
// Set "do not track" flag if this site or this channel's profile is restricted
// in some way
if (intval(get_config('system','block_public')))
$ret['DNT'] = true;
if (! perm_is_allowed($c[0]['channel_id'],'','view_profile'))
$ret['DNT'] = true;
if (get_pconfig($c[0]['channel_id'],'system','do_not_track'))
$ret['DNT'] = true;
if (get_pconfig($c[0]['channel_id'],'system','hide_online_status'))
$ret['DNT'] = true;
json_return_and_die($ret);
}
json_return_and_die($ret);
}
if ($msgtype === 'request') {
// request a particular post/conversation by message_id
$x = zot_process_message_request($data);
json_return_and_die($x);
}
if ($msgtype === 'purge') {
if ($recipients) {
// basically this means "unfriend"
foreach ($recipients as $recip) {
$r = q("select channel.*,xchan.* from channel
left join xchan on channel_hash = xchan_hash
where channel_guid = '%s' and channel_guid_sig = '%s' limit 1",
dbesc($recip['guid']),
dbesc($recip['guid_sig'])
);
if ($r) {
$r = q("select abook_id from abook where uid = %d and abook_xchan = '%s' limit 1",
intval($r[0]['channel_id']),
dbesc(make_xchan_hash($sender['guid'],$sender['guid_sig']))
);
if ($r) {
contact_remove($r[0]['channel_id'],$r[0]['abook_id']);
}
}
}
} else {
// Unfriend everybody - basically this means the channel has committed suicide
$arr = $data['sender'];
$sender_hash = make_xchan_hash($arr['guid'],$arr['guid_sig']);
require_once('include/Contact.php');
remove_all_xchan_resources($sender_hash);
$ret['success'] = true;
json_return_and_die($ret);
}
}
if (($msgtype === 'refresh') || ($msgtype === 'force_refresh')) {
// remote channel info (such as permissions or photo or something)
// has been updated. Grab a fresh copy and sync it.
// The difference between refresh and force_refresh is that
// force_refresh unconditionally creates a directory update record,
// even if no changes were detected upon processing.
if ($recipients) {
// This would be a permissions update, typically for one connection
foreach ($recipients as $recip) {
$r = q("select channel.*,xchan.* from channel
left join xchan on channel_hash = xchan_hash
where channel_guid = '%s' and channel_guid_sig = '%s' limit 1",
dbesc($recip['guid']),
dbesc($recip['guid_sig'])
);
$x = zot_refresh(array(
'xchan_guid' => $sender['guid'],
'xchan_guid_sig' => $sender['guid_sig'],
'hubloc_url' => $sender['url']
), $r[0], (($msgtype === 'force_refresh') ? true : false));
}
} else {
// system wide refresh
$x = zot_refresh(array(
'xchan_guid' => $sender['guid'],
'xchan_guid_sig' => $sender['guid_sig'],
'hubloc_url' => $sender['url']
), null, (($msgtype === 'force_refresh') ? true : false));
}
$ret['success'] = true;
json_return_and_die($ret);
}
if ($msgtype === 'notify') {
logger('notify received from ' . $connecting_url);
$async = get_config('system','queued_fetch');
if ($async) {
// add to receive queue
// qreceive_add($data);
} else {
$x = zot_fetch($data);
$ret['delivery_report'] = $x;
}
$ret['success'] = true;
json_return_and_die($ret);
}
// catchall
json_return_and_die($ret);
} }

7
util/typo.php
View File

@ -33,6 +33,13 @@
include_once($file); include_once($file);
} }
echo "Directory: Zotlabs\n";
$files = glob('Zotlabs/*/*.php');
foreach($files as $file) {
echo $file . "\n";
include_once($file);
}
echo "Directory: include/photo\n"; echo "Directory: include/photo\n";
$files = glob('include/photo/*.php'); $files = glob('include/photo/*.php');