owa - first commit

Zotlabs/Module/Magic.php

@@ -17,6 +17,7 @@ class Magic extends \Zotlabs\Web\Controller {
 		$dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : '');
 		$test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0);
 		$rev  = ((x($_REQUEST,'rev'))  ? intval($_REQUEST['rev'])  : 0);
+		$owa  = ((x($_REQUEST,'owa'))  ? intval($_REQUEST['owa'])  : 0);
 		$delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate']  : '');
 	
 		$parsed = parse_url($dest);
@@ -132,12 +133,41 @@ class Magic extends \Zotlabs\Web\Controller {
 		if(local_channel()) {
 			$channel = \App::get_channel();
 	
-			$token = random_string();
+			// OpenWebAuth
-//			$token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
 
+			if($owa) {
+
+				$headers = [];
+				$headers['Accept'] = 'application/x-zot+json' ;
+				$headers['X-Open-Web-Auth'] = random_string();
+				$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
+					'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
+
+				$x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]);
+				if($x['success']) {
+					$j = json_decode($x['body'],true);
+					if($j['success'] && $j['token']) {
+						$x = strpbrk($dest,'?&');
+						$args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token) . (($delegate) ? '&delegate=1' : '');
+						goaway($dest . $args);
+					}
+				}
+				goaway($dest);
+			}
+
+
+			$token = random_string();
+
+//			$token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
 //			$channel['token'] = $token;
 //			$channel['token_sig'] = $token_sig;
 	
+
+
+
+
+
+
 			\Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
 	
 			$target_url = $x[0]['hubloc_callback'] . '/?f=&auth=' . urlencode(channel_reddress($channel))

Zotlabs/Module/Owa.php

@@ -0,0 +1,57 @@
+<?php
+
+
+namespace Zotlabs\Module;
+
+
+
+class Owa extends \Zotlabs\Web\Controller {
+
+	function init() {
+		foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
+
+			if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
+				if($head !== 'HTTP_AUTHORIZATION') {
+					$_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
+					continue;
+				}
+
+				$sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
+				if($sigblock) {
+					$keyId = $sigblock['keyId'];
+
+					if($keyId) {
+						$r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash 
+							where hubloc_addr = '%s' limit 1",
+							dbesc(str_replace('acct:','',$keyId))
+						);
+						if($r) {
+							$hubloc = $r[0];
+							$verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
+
+logger('verified: ' . print_r($verified,true));
+
+							if($verified && $verified['header_signed'] && $verified['header_valid']) {
+								$token = random_string(32);
+								\Zotlabs\Zot\Verify::create('owt',0,token,$r[0]['hubloc_hash']);
+								$x = json_encode([ 'success' => true, 'token' => $token ]);
+								header('Content-Type: application/x-zot+json');
+								echo $x;
+								killme();
+							}
+						}
+					}
+				}
+				$x = json_encode([ 'success' => false ]);
+				header('Content-Type: application/x-zot+json');
+				echo $x;
+				killme();	
+			}
+		}
+
+		$x = json_encode([ 'success' => false ]);
+		header('Content-Type: application/x-zot+json');
+		echo $x;
+		killme();	
+	}
+}

Zotlabs/Module/Rmagic.php

@@ -18,7 +18,7 @@ class Rmagic extends \Zotlabs\Web\Controller {
 				if($r[0]['hubloc_url'] === z_root())
 					goaway(z_root() . '/login');
 				$dest = z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string);
-				goaway($r[0]['hubloc_url'] . '/magic' . '?f=&dest=' . $dest);
+				goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&dest=' . $dest);
 			}
 		}
 	}
@@ -63,7 +63,7 @@ class Rmagic extends \Zotlabs\Web\Controller {
 				else
 					$dest = urlencode(z_root() . '/' . str_replace('zid=','zid_=',\App::$query_string));
 	
-				goaway($url . '/magic' . '?f=&dest=' . $dest);
+				goaway($url . '/magic' . '?f=&owa=1&dest=' . $dest);
 			}
 		}
 	}

Zotlabs/Web/HTTPSig.php

@@ -91,6 +91,9 @@ class HTTPSig {
 		if($sig_block['algorithm'] === 'rsa-sha256') {
 			$algorithm = 'sha256';
 		}
+		if($sig_block['algorithm'] === 'rsa-sha512') {
+			$algorithm = 'sha512';
+		}
 
 		if(! $key) {
 			$result['signer'] = $sig_block['keyId'];
@@ -113,6 +116,8 @@ class HTTPSig {
 			$digest = explode('=', $headers['digest']);
 			if($digest[0] === 'SHA-256')
 				$hashalg = 'sha256';
+			if($digest[0] === 'SHA-512')
+				$hashalg = 'sha512';
 
 			// The explode operation will have stripped the '=' padding, so compare against unpadded base64 
 			if(rtrim(base64_encode(hash($hashalg,$body,true)),'=') === $digest[1]) {
@@ -164,6 +169,9 @@ class HTTPSig {
 		if($alg === 'sha256') {
 			$algorithm = 'rsa-sha256';
 		}
+		if($alg === 'sha512') {
+			$algorithm = 'rsa-sha512';
+		}
 
 		$x = self::sign($request,$head,$prvkey,$alg);			
 

Zotlabs/Web/WebServer.php

@@ -70,6 +70,12 @@ class WebServer {
 			}
 		}
 
+		if((x($_REQUEST,'owt')) && (! \App::$install)) {
+			$token = $_REQUEST['owt'];
+			\App::$query_string = strip_query_param(\App::$query_string,'owt');
+			owt_init($token);
+		}
+
 		if((x($_SESSION, 'authenticated')) || (x($_POST, 'auth-params')) || (\App::$module === 'login'))
 			require('include/auth.php');
 

Zotlabs/Zot/Verify.php

@@ -31,6 +31,22 @@ class Verify {
 		return false;
 	}
 
+
+	function get_meta($type,$channel_id,$token) {
+		$r = q("select id from verify where vtype = '%s' and channel = %d and token = '%s' limit 1",
+			dbesc($type),
+			intval($channel_id),
+			dbesc($token)
+		);
+		if($r) {
+			q("delete from verify where id = %d",
+				intval($r[0]['id'])
+			);
+			return $r[0]['meta']; 
+		}
+		return false;
+	}
+
 	function purge($type,$interval) {
 		q("delete from verify where vtype = '%s' and created < %s - INTERVAL %s",
 			dbesc($type),

include/zid.php

@@ -81,6 +81,10 @@ function zid($s,$address = '') {
 }
 
 
+function strip_query_param($s,$param) {
+	return preg_replace('/[\?&]' . $param . '=(.*?)(&|$)/ism','$2',$s);
+}
+
 function strip_zids($s) {
 	return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s);
 }
@@ -230,3 +234,65 @@ function red_zrlify_img_callback($matches) {
 	return $matches[0];
 }
 
+function owt_init($token) {
+
+	\Zotlabs\Zot\Verify::purge('owt','3 MINUTE');
+
+	$ob_hash = \Zotlabs\Zot\Verify::get_meta('owt',0,$token);
+	if($ob_hash === false) {
+		return;
+	}
+
+	$r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
+		where hubloc_addr = '%s' order by hubloc_id desc",
+		dbesc($ob_hash)
+	);
+
+	if(! $r) {
+		// finger them if they can't be found.
+		$j = Finger::run($ob_hash, null);
+		if ($j['success']) {
+			import_xchan($j);
+			$r = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash
+				where hubloc_addr = '%s' order by hubloc_id desc",
+				dbesc($ob_hash)
+			);
+		}
+	}
+	if(! $r) {
+		logger('owt: unable to finger ' . $ob_hash);
+		return;	
+	}
+	$hubloc = $r[0];
+
+	$delegate_success = false;
+	if($_REQUEST['delegate']) {
+		$r = q("select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1",
+			dbesc($_REQUEST['delegate'])
+		);
+		if ($r && intval($r[0]['channel_id'])) {
+			$allowed = perm_is_allowed($r[0]['channel_id'],$hubloc['xchan_hash'],'delegate');
+			if($allowed) {
+				$_SESSION['delegate_channel'] = $r[0]['channel_id'];
+				$_SESSION['delegate'] = $hubloc['xchan_hash'];
+				$_SESSION['account_id'] = intval($r[0]['channel_account_id']);
+				require_once('include/security.php');
+				// this will set the local_channel authentication in the session
+				change_channel($r[0]['channel_id']);
+				$delegate_success = true;
+			}
+		}
+	}
+
+	if (! $delegate_success) {
+		// normal visitor (remote_channel) login session credentials
+		$_SESSION['visitor_id'] = $hubloc['xchan_hash'];
+		$_SESSION['my_url'] = $hubloc['xchan_url'];
+		$_SESSION['my_address'] = $hubloc['hubloc_addr'];
+		$_SESSION['remote_hub'] = $hubloc['hubloc_url'];
+		$_SESSION['DNT'] = 1;
+	}
+
+	logger('owa success!');
+
+}