Friendica/friendica
Friendica/friendica
1
0
Fork 1
mirror of https://git.friendi.ca/friendica/friendica.git synced 2025-06-07 21:24:27 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Refactor auth_ejabberd.php into a Console command

Browse source 
- Transforming ExAuth into a daemon
- Replace PID Locking with Lock class
- Replace CURL operations with guzzle HTTP client
- Code hardening (type-save, argument validation, ...)
- Bugfixing
- Added a lot of unit tests
This commit is contained in:
Philipp 2025-05-05 00:55:56 +02:00
parent a4d4e199c1
commit 080c756042
No known key found for this signature in database
GPG key ID: 24A7501396EB5432
10 changed files with 940 additions and 572 deletions
Download patch file Download diff file Expand all files Collapse all files

9
bin/auth_ejabberd.php
View file

@ -17,7 +17,7 @@
*
* Installation:
*
* - Change it's owner to whichever user is running the server, ie. ejabberd
* - Change its owner to whichever user is running the server, ie. ejabberd
* $ chown ejabberd:ejabberd /path/to/friendica/bin/auth_ejabberd.php
*
* - Change the access mode so it is readable only to the user ejabberd and has exec
@ -48,8 +48,13 @@ chdir(dirname(__DIR__));
require dirname(__DIR__) . '/vendor/autoload.php';
// BC: Add console command as second argument
$argv = $_SERVER['argv'] ?? [];
array_splice($argv, 1, 0, "auth_ejabberd");
$_SERVER['argv'] = $argv;
$container = \Friendica\Core\DiceContainer::fromBasePath(dirname(__DIR__));
$app = \Friendica\App::fromContainer($container);
$app->processEjabberd($_SERVER);
$app->processConsole($_SERVER);

44
src/App.php
View file

@ -42,9 +42,7 @@ use Friendica\Module\Special\HTTPException as ModuleHTTPException;
use Friendica\Network\HTTPException;
use Friendica\Protocol\ATProtocol\DID;
use Friendica\Security\Authentication;
use Friendica\Security\ExAuth;
use Friendica\Security\OpenWebAuth;
use Friendica\Util\BasePath;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\HTTPInputData;
use Friendica\Util\HTTPSignature;
@ -234,48 +232,6 @@ class App
(\Friendica\Core\Console::create($this->container, $argv))->execute();
}
/**
* @internal
*/
public function processEjabberd(array $serverParams): void
{
$this->setupContainerForAddons();
$this->setupLogChannel(LogChannel::AUTH_JABBERED);
$this->setupLegacyServiceLocator();
$this->registerErrorHandler();
$this->registerEventDispatcher();
$this->load(
$serverParams,
$this->container->create(DbaDefinition::class),
$this->container->create(ViewDefinition::class),
$this->container->create(Mode::class),
$this->container->create(IManageConfigValues::class),
$this->container->create(Profiler::class),
$this->container->create(EventDispatcherInterface::class),
$this->container->create(AppHelper::class),
$this->container->create(AddonHelper::class),
);
/** @var BasePath */
$basePath = $this->container->create(BasePath::class);
// Check the database structure and possibly fixes it
Update::check($basePath->getPath(), true);
$appMode = $this->container->create(Mode::class);
if ($appMode->isNormal()) {
/** @var ExAuth $oAuth */
$oAuth = $this->container->create(ExAuth::class);
$oAuth->readStdin();
}
}
private function setupContainerForAddons(): void
{
/** @var ICanLoadAddons $addonLoader */

414
src/Console/AuthEJabberd.php Normal file
View file

@ -0,0 +1,414 @@
<?php
/*
* SPDX-FileCopyrightText: Dalibor Karlovic, The Friendica project
*
* SPDX-License-Identifier: GPL-2.0-only
*
* ejabberd extauth script for the integration with friendica
*
* Originally written for joomla by Dalibor Karlovic <dado@krizevci.info>
* modified for Friendica by Michael Vogel <icarus@dabo.de>
* published under GPL
*
* Latest version of the original script for joomla is available at:
* http://87.230.15.86/~dado/ejabberd/joomla-login
*/
declare(strict_types=1);
namespace Friendica\Console;
use Asika\SimpleConsole\Console;
use Friendica\App\BaseURL;
use Friendica\App\Mode;
use Friendica\Core\Config\Capability\IManageConfigValues;
use Friendica\Core\Lock\Capability\ICanLock;
use Friendica\Core\PConfig\Capability\IManagePersonalConfigValues;
use Friendica\Database\Database;
use Friendica\Model\User;
use Friendica\Network\HTTPClient\Capability\ICanSendHttpRequests;
use Friendica\Network\HTTPClient\Client\HttpClientAccept;
use Friendica\Network\HTTPClient\Client\HttpClientOptions;
use Friendica\Network\HTTPClient\Client\HttpClientRequest;
use Friendica\Network\HTTPException\ForbiddenException;
/**
* ejabberd supports external authentication via a small daemon (script or binary)
* that communicates with the ejabberd server using STDIN and STDOUT and a binary protocol.
*/
final class AuthEJabberd extends Console
{
/** @var string Command to authenticate user */
private const COMMAND_AUTH = 'auth';
/** @var string Command to check if user exists */
private const COMMAND_IS_USER = 'isuser';
/** @var string Command to set user password */
private const COMMAND_SET_PASS = 'setpass';
/** @var string The name of the lock for the host lock */
private const LOCK_EX_AUTH_HOST = 'ex_auth_host';
private Mode $mode;
private IManageConfigValues $config;
private Database $dba;
private BaseURL $baseURL;
private ICanSendHttpRequests $httpClient;
private int $debugMode = 0;
private string $host;
private IManagePersonalConfigValues $pConfig;
private ICanLock $lock;
private $input;
private $output;
public function __construct(
Mode $mode,
IManageConfigValues $config,
IManagePersonalConfigValues $pConfig,
Database $dba,
BaseURL $baseUrl,
ICanLock $lock,
ICanSendHttpRequests $httpClient,
array $argv = null,
$input = null,
$output = null
) {
parent::__construct($argv);
$this->mode = $mode;
$this->config = $config;
$this->pConfig = $pConfig;
$this->dba = $dba;
$this->baseURL = $baseUrl;
$this->httpClient = $httpClient;
$this->lock = $lock;
$this->input = $input ?? fopen('php://stdin', 'rb');
$this->output = $output ?? fopen('php://stdout', 'wb');
}
protected function getHelp(): string
{
return <<<HELP
auth_ejabberd - Daemon that communicates with the ejabberd server
Synopsis
bin/console auth_ejabberd [-h|--help|-?] [-v]
Description
ejabberd supports external authentication via a small daemon (script or binary)
that communicates with the ejabberd server using STDIN and STDOUT and a binary protocol.
Options
-h|--help|-? Show help information
-v Show more debug information.
Examples
bin/console auth_ejabberd
Starts the daemon and reads per STDIN
HELP;
}
/**
* @return int
* @throws \Exception
*/
protected function doExecute(): int
{
$this->debugMode = (int)$this->config->get('jabber', 'debug');
openlog('auth_ejabberd', LOG_PID, LOG_USER);
$this->writeLog(LOG_NOTICE, 'start');
if (!$this->mode->isNormal()) {
$this->writeFailed('The node isn\'t ready.');
throw new \RuntimeException('The node isn\'t ready.');
}
$this->readStdin();
return 0;
}
/**
* Standard input reading function, executes the auth with the provided
* parameters
*
* @throws \Exception
*/
private function readStdin()
{
while (!feof($this->input)) {
$meta = stream_get_meta_data($this->input);
if ($meta['eof']) {
$this->writeFailed('we got no data, quitting');
break;
}
// Quit if the database connection went down
if (!$this->dba->isConnected()) {
$this->writeFailed('the database connection went down');
throw new \RuntimeException('the database connection went down');
}
$iHeader = fgets($this->input, 3);
if (empty($iHeader)) {
$this->writeFailed('empty stdin');
break;
}
$aLength = unpack('n', $iHeader);
$iLength = $aLength['1'];
// No data? Then quit
if ($iLength == 0) {
$this->writeFailed('we got no data, quitting');
break;
}
// Fetching the data
$sData = fgets($this->input, $iLength + 1);
$this->writeLog(LOG_DEBUG, 'received data: ' . $sData);
$aCommand = explode(':', $sData);
if (!is_array($aCommand)) {
$this->writeFailed('invalid command string ' . $sData);
break;
}
$cmd = $aCommand[0];
switch ($cmd) {
case self::COMMAND_IS_USER:
// Check the existence of a given username
if (count($aCommand) < 3) {
$this->writeFailed('Invalid data.');
break;
};
list($cmd, $username, $server) = $aCommand;
$this->isUser($username, $server);
break;
case self::COMMAND_AUTH:
case self::COMMAND_SET_PASS:
if (count($aCommand) < 4) {
$this->writeFailed('Invalid data.');
break;
};
list($cmd, $username, $server, $password) = $aCommand;
switch ($cmd) {
case self::COMMAND_AUTH:
// Check if the given password is correct
$this->auth($username, $server, $password);
break;
case self::COMMAND_SET_PASS:
// We don't accept the setting of passwords here
$this->writeFailed('setpass command disabled');
break;
}
break;
default:
// We don't know the given command
$this->writeFailed('unknown command ' . $cmd);
break;
}
}
}
/**
* Check if the given username exists
*
* @throws \Exception
*/
private function isUser(string $username, string $server)
{
// We only allow one process per hostname. So we set a lock file
// Problem: We get the firstname after the first auth - not before
if ($this->lock->acquire(self::LOCK_EX_AUTH_HOST . ':' . $server, 10, 20)) {
// Now we check if the given user is valid
$username = str_replace(['%20', '(a)'], [' ', '@'], $username);
// Does the hostname match? So we try directly
if ($this->baseURL->getHost() == $server) {
$this->writeLog(LOG_INFO, 'internal user check for ' . $username . '@' . $server);
$found = $this->dba->exists('user', ['nickname' => $username]);
} else {
$found = false;
}
// If the hostnames doesn't match or there is some failure, we try to check remotely
if (!$found) {
$found = $this->checkUser($username, $server);
}
if ($found) {
// The user is okay
$this->writeSuccess('valid user: ' . $username);
} else {
// The user isn't okay
$this->writeFailed('invalid user: ' . $username);
}
$this->lock->release(self::LOCK_EX_AUTH_HOST . ':' . $server);
}
}
/**
* Check remote user existence via HTTP(S)
*
* @param string $user Username
* @param string $host The hostname
*
* @return bool Was the user found?
*/
private function checkUser(string $user, string $host): bool
{
$this->writeLog(LOG_INFO, 'external user check for ' . $user . '@' . $host);
$url = 'https://' . $host . '/noscrape/' . $user;
try {
$curlResult = $this->httpClient->get($url, HttpClientAccept::JSON, [HttpClientOptions::REQUEST => HttpClientRequest::CONTACTVERIFIER]);
} catch (\Throwable $th) {
return false;
}
if (!$curlResult->isSuccess()) {
return false;
}
if ($curlResult->getReturnCode() != 200) {
return false;
}
$json = @json_decode($curlResult->getBodyString());
if (!is_object($json)) {
return false;
}
return $json->nick == $user;
}
/**
* Authenticate the given user and password
*
* @param string $username
* @param string $server
* @param string $password
*
* @throws \Exception
*/
private function auth(string $username, string $server, string $password)
{
// We only allow one process per hostname. So we set a lock file
// Problem: We get the firstname after the first auth - not before
if ($this->lock->acquire(self::LOCK_EX_AUTH_HOST . ':' . $server, 10, 20)) {
// We now check if the password match
$username = str_replace(['%20', '(a)'], [' ', '@'], $username);
$Error = false;
// Does the hostname match? So we try directly
if ($this->baseURL->getHost() == $server) {
try {
$this->writeLog(LOG_INFO, 'internal auth for ' . $username . '@' . $server);
User::getIdFromPasswordAuthentication($username, $password, true);
} catch (ForbiddenException $ex) {
// User exists, authentication failed
$this->writeLog(LOG_INFO, 'check against alternate password for ' . $username . '@' . $server);
$aUser = User::getByNickname($username, ['uid']);
if (!empty($aUser['uid'])) {
$sPassword = $this->pConfig->get($aUser['uid'], 'xmpp', 'password', null, true);
$Error = ($password != $sPassword);
} else {
$Error = true;
}
} catch (\Throwable $ex) {
// User doesn't exist and any other failure case
$this->writeLog(LOG_WARNING, $ex->getMessage() . ': ' . $username);
$Error = true;
}
} else {
$Error = true;
}
// If the hostnames doesn't match or there is some failure, we try to check remotely
if ($Error && !$this->checkCredentials($server, $username, $password)) {
$this->writeFailed('authentication failed for user ' . $username . '@' . $server);
} else {
$this->writeSuccess('authenticated user ' . $username . '@' . $server);
}
$this->lock->release(self::LOCK_EX_AUTH_HOST . ':' . $server);
}
}
/**
* Check remote credentials via HTTP(S)
*
* @param string $host The hostname
* @param string $user Username
* @param string $password Password
*
* @return bool Are the credentials okay?
*/
private function checkCredentials(string $host, string $user, string $password): bool
{
$this->writeLog(LOG_INFO, 'external credential check for ' . $user . '@' . $host);
$url = 'https://' . $host . '/api/account/verify_credentials.json?skip_status=true';
try {
$curlResult = $this->httpClient->head($url, [
HttpClientOptions::REQUEST => HttpClientRequest::CONTACTVERIFIER,
HttpClientOptions::TIMEOUT => 5,
HttpClientOptions::AUTH => [
$user,
$password,
],
]);
} catch (\Throwable $th) {
return false;
}
return ($curlResult->isSuccess() && $curlResult->getReturnCode() == 200);
}
/**
* Returns a binary "success" to the output stream
*
* @return void
*/
private function writeSuccess(string $message = ''): void
{
if (!empty($message)) {
$this->writeLog(LOG_NOTICE, $message);
}
fwrite($this->output, pack('nn', 2, 1));
}
/**
* Returns a binary "failed" to the output stream
*
* @return void
*/
protected function writeFailed(string $message = '')
{
if (!empty($message)) {
$this->writeLog(LOG_ERR, $message);
}
fwrite($this->output, pack('nn', 2, 0));
}
/**
* write data to the syslog
*
* @param int $loglevel The syslog loglevel
* @param string $message The syslog message
*/
private function writeLog(int $loglevel, string $message)
{
if (!$this->debugMode && ($loglevel >= LOG_DEBUG)) {
return;
}
syslog($loglevel, $message);
}
}

2
src/Core/Console.php
View file

@ -71,6 +71,7 @@ Commands:
serverblock Manage blocked servers
storage Manage storage backend
relay Manage ActivityPub relay servers
auth_jabberd Daemon that communicates with the ejabberd server
Options:
-h|--help|-? Show help information
@ -83,6 +84,7 @@ HELP;
'addon' => Friendica\Console\Addon::class,
'archivecontact' => Friendica\Console\ArchiveContact::class,
'autoinstall' => Friendica\Console\AutomaticInstallation::class,
'auth_ejabberd' => Friendica\Console\AuthEJabberd::class,
'cache' => Friendica\Console\Cache::class,
'clearavatarcache' => Friendica\Console\ClearAvatarCache::class,
'config' => Friendica\Console\Config::class,

403
src/Security/ExAuth.php
View file

@ -1,403 +0,0 @@
<?php
/*
* SPDX-FileCopyrightText: Dalibor Karlovic, The Friendica project
*
* SPDX-License-Identifier: GPL-2.0-only
*
* ejabberd extauth script for the integration with friendica
*
* Originally written for joomla by Dalibor Karlovic <dado@krizevci.info>
* modified for Friendica by Michael Vogel <icarus@dabo.de>
* published under GPL
*
* Latest version of the original script for joomla is available at:
* http://87.230.15.86/~dado/ejabberd/joomla-login
*
* Installation:
*
* - Change it's owner to whichever user is running the server, ie. ejabberd
* $ chown ejabberd:ejabberd /path/to/friendica/bin/auth_ejabberd.php
*
* - Change the access mode so it is readable only to the user ejabberd and has exec
* $ chmod 700 /path/to/friendica/bin/auth_ejabberd.php
*
* - Edit your ejabberd.cfg file, comment out your auth_method and add:
* {auth_method, external}.
* {extauth_program, "/path/to/friendica/bin/auth_ejabberd.php"}.
*
* - Restart your ejabberd service, you should be able to login with your friendica auth info
*
* Other hints:
* - if your users have a space or a @ in their nickname, they'll run into trouble
* registering with any client so they should be instructed to replace these chars
* " " (space) is replaced with "%20"
* "@" is replaced with "(a)"
*
*/
namespace Friendica\Security;
use Exception;
use Friendica\App;
use Friendica\Core\Config\Capability\IManageConfigValues;
use Friendica\Core\PConfig\Capability\IManagePersonalConfigValues;
use Friendica\Database\Database;
use Friendica\DI;
use Friendica\Model\User;
use Friendica\Network\HTTPClient\Client\HttpClientAccept;
use Friendica\Network\HTTPClient\Client\HttpClientOptions;
use Friendica\Network\HTTPClient\Client\HttpClientRequest;
use Friendica\Network\HTTPException;
use Friendica\Util\PidFile;
class ExAuth
{
private $bDebug;
private $host;
/**
* @var App\Mode
*/
private $appMode;
/**
* @var IManageConfigValues
*/
private $config;
/**
* @var IManagePersonalConfigValues
*/
private $pConfig;
/**
* @var Database
*/
private $dba;
/**
* @var App\BaseURL
*/
private $baseURL;
/**
* @param App\Mode $appMode
* @param IManageConfigValues $config
* @param IManagePersonalConfigValues $pConfig
* @param Database $dba
* @param App\BaseURL $baseURL
*
* @throws Exception
*/
public function __construct(App\Mode $appMode, IManageConfigValues $config, IManagePersonalConfigValues $pConfig, Database $dba, App\BaseURL $baseURL)
{
$this->appMode = $appMode;
$this->config = $config;
$this->pConfig = $pConfig;
$this->dba = $dba;
$this->baseURL = $baseURL;
$this->bDebug = (int)$config->get('jabber', 'debug');
openlog('auth_ejabberd', LOG_PID, LOG_USER);
$this->writeLog(LOG_NOTICE, 'start');
}
/**
* Standard input reading function, executes the auth with the provided
* parameters
*
* @throws HTTPException\InternalServerErrorException
*/
public function readStdin()
{
if (!$this->appMode->isNormal()) {
$this->writeLog(LOG_ERR, 'The node isn\'t ready.');
return;
}
while (!feof(STDIN)) {
// Quit if the database connection went down
if (!$this->dba->isConnected()) {
$this->writeLog(LOG_ERR, 'the database connection went down');
return;
}
$iHeader = fgets(STDIN, 3);
if (empty($iHeader)) {
$this->writeLog(LOG_ERR, 'empty stdin');
return;
}
$aLength = unpack('n', $iHeader);
$iLength = $aLength['1'];
// No data? Then quit
if ($iLength == 0) {
$this->writeLog(LOG_ERR, 'we got no data, quitting');
return;
}
// Fetching the data
$sData = fgets(STDIN, $iLength + 1);
$this->writeLog(LOG_DEBUG, 'received data: ' . $sData);
$aCommand = explode(':', $sData);
if (is_array($aCommand)) {
switch ($aCommand[0]) {
case 'isuser':
// Check the existence of a given username
$this->isUser($aCommand);
break;
case 'auth':
// Check if the given password is correct
$this->auth($aCommand);
break;
case 'setpass':
// We don't accept the setting of passwords here
$this->writeLog(LOG_NOTICE, 'setpass command disabled');
fwrite(STDOUT, pack('nn', 2, 0));
break;
default:
// We don't know the given command
$this->writeLog(LOG_NOTICE, 'unknown command ' . $aCommand[0]);
fwrite(STDOUT, pack('nn', 2, 0));
break;
}
} else {
$this->writeLog(LOG_NOTICE, 'invalid command string ' . $sData);
fwrite(STDOUT, pack('nn', 2, 0));
}
}
}
/**
* Check if the given username exists
*
* @param array $aCommand The command array
* @throws HTTPException\InternalServerErrorException
*/
private function isUser(array $aCommand)
{
// Check if there is a username
if (!isset($aCommand[1])) {
$this->writeLog(LOG_NOTICE, 'invalid isuser command, no username given');
fwrite(STDOUT, pack('nn', 2, 0));
return;
}
// We only allow one process per hostname. So we set a lock file
// Problem: We get the firstname after the first auth - not before
$this->setHost($aCommand[2]);
// Now we check if the given user is valid
$sUser = str_replace(['%20', '(a)'], [' ', '@'], $aCommand[1]);
// Does the hostname match? So we try directly
if ($this->baseURL->getHost() == $aCommand[2]) {
$this->writeLog(LOG_INFO, 'internal user check for ' . $sUser . '@' . $aCommand[2]);
$found = $this->dba->exists('user', ['nickname' => $sUser]);
} else {
$found = false;
}
// If the hostnames doesn't match or there is some failure, we try to check remotely
if (!$found) {
$found = $this->checkUser($aCommand[2], $aCommand[1], true);
}
if ($found) {
// The user is okay
$this->writeLog(LOG_NOTICE, 'valid user: ' . $sUser);
fwrite(STDOUT, pack('nn', 2, 1));
} else {
// The user isn't okay
$this->writeLog(LOG_WARNING, 'invalid user: ' . $sUser);
fwrite(STDOUT, pack('nn', 2, 0));
}
}
/**
* Check remote user existence via HTTP(S)
*
* @param string $host The hostname
* @param string $user Username
* @param boolean $ssl Should the check be done via SSL?
*
* @return boolean Was the user found?
* @throws HTTPException\InternalServerErrorException
*/
private function checkUser($host, $user, $ssl)
{
$this->writeLog(LOG_INFO, 'external user check for ' . $user . '@' . $host);
$url = ($ssl ? 'https' : 'http') . '://' . $host . '/noscrape/' . $user;
try {
$curlResult = DI::httpClient()->get($url, HttpClientAccept::JSON, [HttpClientOptions::REQUEST => HttpClientRequest::CONTACTVERIFIER]);
} catch (\Throwable $th) {
return false;
}
if (!$curlResult->isSuccess()) {
return false;
}
if ($curlResult->getReturnCode() != 200) {
return false;
}
$json = @json_decode($curlResult->getBodyString());
if (!is_object($json)) {
return false;
}
return $json->nick == $user;
}
/**
* Authenticate the given user and password
*
* @param array $aCommand The command array
* @throws Exception
*/
private function auth(array $aCommand)
{
// check user authentication
if (sizeof($aCommand) != 4) {
$this->writeLog(LOG_NOTICE, 'invalid auth command, data missing');
fwrite(STDOUT, pack('nn', 2, 0));
return;
}
// We only allow one process per hostname. So we set a lock file
// Problem: We get the firstname after the first auth - not before
$this->setHost($aCommand[2]);
// We now check if the password match
$sUser = str_replace(['%20', '(a)'], [' ', '@'], $aCommand[1]);
$Error = false;
// Does the hostname match? So we try directly
if ($this->baseURL->getHost() == $aCommand[2]) {
try {
$this->writeLog(LOG_INFO, 'internal auth for ' . $sUser . '@' . $aCommand[2]);
User::getIdFromPasswordAuthentication($sUser, $aCommand[3], true);
} catch (HTTPException\ForbiddenException $ex) {
// User exists, authentication failed
$this->writeLog(LOG_INFO, 'check against alternate password for ' . $sUser . '@' . $aCommand[2]);
$aUser = User::getByNickname($sUser, ['uid']);
$sPassword = $this->pConfig->get($aUser['uid'], 'xmpp', 'password', null, true);
$Error = ($aCommand[3] != $sPassword);
} catch (\Throwable $ex) {
// User doesn't exist and any other failure case
$this->writeLog(LOG_WARNING, $ex->getMessage() . ': ' . $sUser);
$Error = true;
}
} else {
$Error = true;
}
// If the hostnames doesn't match or there is some failure, we try to check remotely
if ($Error && !$this->checkCredentials($aCommand[2], $aCommand[1], $aCommand[3], true)) {
$this->writeLog(LOG_WARNING, 'authentication failed for user ' . $sUser . '@' . $aCommand[2]);
fwrite(STDOUT, pack('nn', 2, 0));
} else {
$this->writeLog(LOG_NOTICE, 'authenticated user ' . $sUser . '@' . $aCommand[2]);
fwrite(STDOUT, pack('nn', 2, 1));
}
}
/**
* Check remote credentials via HTTP(S)
*
* @param string $host The hostname
* @param string $user Username
* @param string $password Password
* @param boolean $ssl Should the check be done via SSL?
*
* @return boolean Are the credentials okay?
*/
private function checkCredentials($host, $user, $password, $ssl)
{
$this->writeLog(LOG_INFO, 'external credential check for ' . $user . '@' . $host);
$url = ($ssl ? 'https' : 'http') . '://' . $host . '/api/account/verify_credentials.json?skip_status=true';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_NOBODY, true);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, $user . ':' . $password);
curl_exec($ch);
$curl_info = @curl_getinfo($ch);
$http_code = $curl_info['http_code'];
curl_close($ch);
$this->writeLog(LOG_INFO, 'external auth for ' . $user . '@' . $host . ' returned ' . $http_code);
return $http_code == 200;
}
/**
* Set the hostname for this process
*
* @param string $host The hostname
*/
private function setHost($host)
{
if (!empty($this->host)) {
return;
}
$this->writeLog(LOG_INFO, 'Hostname for process ' . getmypid() . ' is ' . $host);
$this->host = $host;
$lockpath = $this->config->get('jabber', 'lockpath');
if (is_null($lockpath)) {
$this->writeLog(LOG_INFO, 'No lockpath defined.');
return;
}
$file = $lockpath . DIRECTORY_SEPARATOR . $host;
if (PidFile::isRunningProcess($file)) {
if (PidFile::killProcess($file)) {
$this->writeLog(LOG_INFO, 'Old process was successfully killed');
} else {
$this->writeLog(LOG_ERR, "The old Process wasn't killed in time. We now quit our process.");
die();
}
}
// Now it is safe to create the pid file
PidFile::create($file);
if (!file_exists($file)) {
$this->writeLog(LOG_WARNING, 'Logfile ' . $file . " couldn't be created.");
}
}
/**
* write data to the syslog
*
* @param integer $loglevel The syslog loglevel
* @param string $sMessage The syslog message
*/
private function writeLog($loglevel, $sMessage)
{
if (!$this->bDebug && ($loglevel >= LOG_DEBUG)) {
return;
}
syslog($loglevel, $sMessage);
}
/**
* destroy the class, close the syslog connection.
*/
public function __destruct()
{
$this->writeLog(LOG_NOTICE, 'stop');
closelog();
}
}

116
src/Util/PidFile.php
View file

@ -1,116 +0,0 @@
<?php
// Copyright (C) 2010-2024, the Friendica project
// SPDX-FileCopyrightText: 2010-2024 the Friendica project
//
// SPDX-License-Identifier: AGPL-3.0-or-later
namespace Friendica\Util;
/**
* Pidfile class
*/
class PidFile
{
/**
* Read the pid from a given pid file
*
* @param string $file Filename of pid file
*
* @return boolean|string PID or "false" if nonexistent
*/
private static function pidFromFile(string $file)
{
if (!file_exists($file)) {
return false;
}
return trim(@file_get_contents($file));
}
/**
* Is there a running process with the given pid file
*
* @param string $file Filename of pid file
*
* @return boolean Is it running?
*/
public static function isRunningProcess(string $file): bool
{
$pid = self::pidFromFile($file);
if (!$pid) {
return false;
}
// Is the process running?
$running = posix_kill($pid, 0);
// If not, then we will kill the stale file
if (!$running) {
self::delete($file);
}
return $running;
}
/**
* Kills a process from a given pid file
*
* @param string $file Filename of pid file
*
* @return boolean Was it killed successfully?
*/
public static function killProcess(string $file): bool
{
$pid = self::pidFromFile($file);
// We don't have a process id? then we quit
if (!$pid) {
return false;
}
// We now kill the process
$killed = posix_kill($pid, SIGTERM);
// If we killed the process successfully, we can remove the pidfile
if ($killed) {
self::delete($file);
}
return $killed;
}
/**
* Creates a pid file
*
* @param string $file Filename of pid file
*
* @return boolean|string PID or "false" if not created
*/
public static function create(string $file)
{
$pid = self::pidFromFile($file);
// We have a process id? then we quit
if ($pid) {
return false;
}
$pid = getmypid();
file_put_contents($file, $pid);
// Now we check if everything is okay
return self::pidFromFile($file);
}
/**
* Deletes a given pid file
*
* @param string $file Filename of pid file
*
* @return boolean Is it running?
*/
public static function delete(string $file): bool
{
return @unlink($file);
}
}

4
tests/CacheTestCase.php
View file

@ -8,8 +8,6 @@
namespace Friendica\Test;
use Friendica\Core\Cache\Capability\ICanCache;
use Friendica\Test\MockedTestCase;
use Friendica\Util\PidFile;
abstract class CacheTestCase extends MockedTestCase
{
@ -42,7 +40,7 @@ abstract class CacheTestCase extends MockedTestCase
'boolFalse' => ['data' => false],
'float' => ['data' => 4.6634234],
'array' => ['data' => ['1', '2', '3', '4', '5']],
'object' => ['data' => new PidFile()],
'object' => ['data' => new \stdClass()],
'null' => ['data' => null],
];
}

9
tests/ConsoleTestCase.php
View file

@ -8,7 +8,6 @@
namespace Friendica\Test;
use Asika\SimpleConsole\Console;
use Friendica\Test\MockedTestCase;
use Friendica\Test\Util\Intercept;
abstract class ConsoleTestCase extends MockedTestCase
@ -18,7 +17,9 @@ abstract class ConsoleTestCase extends MockedTestCase
*/
protected $consoleArgv = [ 'consoleTest.php' ];
protected function setUp() : void
protected ?int $consoleExecReturn = null;
protected function setUp(): void
{
parent::setUp();
@ -35,8 +36,8 @@ abstract class ConsoleTestCase extends MockedTestCase
protected function dumpExecute(Console $console)
{
Intercept::reset();
$console->execute();
$returnStr = Intercept::$cache;
$this->consoleExecReturn = $console->execute();
$returnStr = Intercept::$cache;
Intercept::reset();
return $returnStr;

30
tests/datasets/ejabberd/fixture.php Normal file
View file

@ -0,0 +1,30 @@
<?php
// SPDX-FileCopyrightText: 2010-2024 the Friendica project
//
// SPDX-License-Identifier: AGPL-3.0-or-later
return [
'user' => [
[
'uid' => 51,
'nickname' => 'admin',
'username' => 'admin',
'email' => 'admin@friendica.local',
'password' => '$2y$10$QgqQemXm/MKxa30aoEqxBen.nsG7JMsyPFP/pTrtHqEq0GDpsWEsK',
'verified' => true,
'account_removed' => false,
'account_expired' => false,
],
[
'uid' => 52,
'nickname' => 'user',
'username' => 'user',
'email' => 'user@friendica.local',
'password' => '$2y$10$uR7EwWwaal/2kGx87As1X.iktGDeX25tU486gbtpN/PQ2FL0TNYam',
'verified' => true,
'account_removed' => false,
'account_expired' => false,
],
],
];

481
tests/src/Console/EjabberdAuthTest.php Normal file
View file

@ -0,0 +1,481 @@
<?php
namespace Friendica\Test\src\Console;
use Friendica\App\Mode;
use Friendica\Console\AuthEJabberd;
use Friendica\DI;
use Friendica\Network\HTTPClient\Capability\ICanHandleHttpResponses;
use Friendica\Network\HTTPClient\Capability\ICanSendHttpRequests;
use Friendica\Network\HTTPClient\Client\HttpClientAccept;
use Friendica\Network\HTTPClient\Client\HttpClientOptions;
use Friendica\Network\HTTPClient\Client\HttpClientRequest;
use Friendica\Test\ConsoleTestCase;
use Friendica\Test\FixtureTestTrait;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\Psr7\Response;
use Mockery;
use Mockery\MockInterface;
class EjabberdAuthTest extends ConsoleTestCase
{
use FixtureTestTrait;
private $inputStream;
private $outputStream;
/** @var Mode|MockInterface */
private $mode;
/** @var ICanSendHttpRequests|MockInterface */
private $httpClient;
protected function setUp(): void
{
parent::setUp();
$this->setUpFixtures();
$this->mode = \Mockery::mock(Mode::class);
$this->httpClient = \Mockery::mock(ICanSendHttpRequests::class);
$this->loadFixture(__DIR__ . '/../../datasets/ejabberd/fixture.php', DI::dba());
$this->inputStream = fopen('php://memory', 'r+');
$this->outputStream = fopen('php://memory', 'w+');
}
protected function tearDown(): void
{
DI::lock()->releaseAll();
$this->tearDownFixtures();
parent::tearDown();
}
private function sendInput(string $payload, bool $rewind = true)
{
$bin = pack('n', strlen($payload)) . $payload;
fwrite($this->inputStream, $bin);
}
private function assertSuccess(): void
{
$this->assertEquals(pack('nn', 2, 1), fread($this->outputStream, 4), 'Expected success'); // 2-byte length + 2-byte response
}
private function assertFailed(): void
{
$this->assertEquals(pack('nn', 2, 0), fread($this->outputStream, 4), 'Expected success'); // 2-byte length + 2-byte response
}
public function testWrongMode(): void
{
$this->mode->shouldReceive('isNormal')->andReturn(false)->once();
$console = new AuthEJabberd(
$this->mode,
DI::config(),
DI::pConfig(),
DI::dba(),
DI::baseUrl(),
DI::lock(),
$this->httpClient,
$this->consoleArgv,
$this->inputStream,
$this->outputStream
);
$txt = $this->dumpExecute($console);
rewind($this->outputStream);
$this->assertFailed();
$this->assertSame(1, $this->consoleExecReturn);
$this->assertEquals("[Error] The node isn't ready.\n", $txt);
}
public function dataAuth(): array
{
return [
'empty' => [
'input' => [
'',
],
'assertion' => [
false,
],
],
'wrongCommand' => [
'input' => [
'wrong:command:so',
],
'assertion' => [
false,
],
],
'isuserValid' => [
'input' => [
"isuser:admin:friendica.local",
],
'assertion' => [
true,
],
],
'isuserThreeDifferent' => [
'input' => [
"isuser:admin:friendica.local",
"isuser:wrong:friendica.local",
"isuser:user:friendica.local",
],
'assertion' => [
true,
false,
true,
],
'httpHandlers' => [
new Response(404),
],
],
'isuserTooShort' => [
'input' => [
'isuser',
'isuser:admin',
'isuser:admin:friendica.local',
],
'assertion' => [
false,
false,
true,
],
],
'authValid' => [
'input' => [
"auth:admin:friendica.local:admin",
],
'assertion' => [
true,
],
],
'authThreeDifferent' => [
'input' => [
"auth:admin:friendica.local:admin",
"auth:admin:friendica.local:wrong",
"auth:user:friendica.local:user",
],
'assertion' => [
true,
false,
true,
],
],
'authWrongPassword' => [
'input' => [
"auth:admin:friendica.local:wrong",
],
'assertion' => [
false,
],
],
'authTooShort' => [
'input' => [
'auth',
'auth:admin',
'auth:admin:friendica.local',
'auth:admin:friendica.local:admin',
],
'assertion' => [
false,
false,
false,
true,
],
],
];
}
/**
* Assert different kind of data, but shouldn't fail the daemon
*
* @dataProvider dataAuth
*/
public function testData(array $input, array $assertion, array $handlers = []): void
{
$this->mode->shouldReceive('isNormal')->andReturn(true)->once();
DI::config()->set('jabber', 'debug', 1);
foreach ($input as $payload) {
$this->sendInput($payload);
}
rewind($this->inputStream);
$mockHandler = new MockHandler();
foreach ($handlers as $handler) {
if (empty($handler)) {
continue;
}
$mockHandler->append($handler);
}
$console = new AuthEJabberd(
$this->mode,
DI::config(),
DI::pConfig(),
DI::dba(),
DI::baseUrl(),
DI::lock(),
$this->httpClient,
$this->consoleArgv,
$this->inputStream,
$this->outputStream
);
$txt = $this->dumpExecute($console);
print_r($txt);
$this->assertSame(0, $this->consoleExecReturn);
$this->assertEmpty($txt);
rewind($this->outputStream);
foreach ($assertion as $assertType) {
if ($assertType) {
$this->assertSuccess();
} else {
$this->assertFailed();
}
}
}
public function dataCheckCredentialsExternal(): array
{
return [
'authWrongUser' => [
'payload' => 'auth:wrong:friendica.local:someelse',
// Only 200 is valid - not even 202
'assertUrl' => 'https://friendica.local/api/account/verify_credentials.json?skip_status=true',
'isSuccess' => true,
'returnCode' => 202,
'assertion' => false,
],
'authRightUser' => [
'payload' => 'auth:wrong:friendica.local:someelse',
'assertUrl' => 'https://friendica.local/api/account/verify_credentials.json?skip_status=true',
'isSuccess' => true,
'returnCode' => 200,
'assertion' => true,
],
];
}
/**
* Tests, if the check user endpoint is correctly built
*
* @dataProvider dataCheckCredentialsExternal
*
* @return void
*/
public function testCheckCredentialsExternal(string $payload, string $assertUrl, bool $isSuccess, int $returnCode, bool $assertion): void
{
$this->mode->shouldReceive('isNormal')->andReturn(true)->once();
$response = Mockery::mock(ICanHandleHttpResponses::class);
$response->shouldReceive('isSuccess')->andReturn($isSuccess);
$response->shouldReceive('getReturnCode')->andReturn($returnCode);
$this->httpClient->shouldReceive('head')->with($assertUrl, [
HttpClientOptions::REQUEST => HttpClientRequest::CONTACTVERIFIER,
HttpClientOptions::TIMEOUT => 5,
HttpClientOptions::AUTH => [
'wrong',
'someelse',
],
])->andReturn($response)->once();
$this->sendInput($payload);
rewind($this->inputStream);
$console = new AuthEJabberd(
$this->mode,
DI::config(),
DI::pConfig(),
DI::dba(),
DI::baseUrl(),
DI::lock(),
$this->httpClient,
$this->consoleArgv,
$this->inputStream,
$this->outputStream
);
$txt = $this->dumpExecute($console);
print_r($txt);
$this->assertSame(0, $this->consoleExecReturn);
$this->assertEmpty($txt);
rewind($this->outputStream);
if ($assertion) {
$this->assertSuccess();
} else {
$this->assertFailed();
}
}
public function dataCheckUserExternal(): array
{
return [
'isuserWrongUser' => [
'payload' => 'isuser:wrong:friendica.local',
// Only 200 is valid - not even 202
'assertUrl' => 'https://friendica.local/noscrape/wrong',
'isSuccess' => true,
'returnCode' => 202,
'bodyString' => '',
'assertion' => false,
],
'isuserRightUser' => [
'payload' => 'isuser:wrong:friendica.local',
'assertUrl' => 'https://friendica.local/noscrape/wrong',
'isSuccess' => true,
'returnCode' => 200,
'bodyString' => json_encode(['nick' => 'wrong']),
'assertion' => true,
],
'isuserEmptyBody' => [
'payload' => 'isuser:wrong:friendica.local',
'assertUrl' => 'https://friendica.local/noscrape/wrong',
'isSuccess' => true,
'returnCode' => 200,
'bodyString' => json_encode([]),
'assertion' => false
],
];
}
/**
* Tests, if the check user endpoint is correctly built
*
* @dataProvider dataCheckUserExternal
*
* @return void
*/
public function testCheckUserExternal(string $payload, string $assertUrl, bool $isSuccess, int $returnCode, string $bodyString, bool $assertion): void
{
$this->mode->shouldReceive('isNormal')->andReturn(true)->once();
$response = Mockery::mock(ICanHandleHttpResponses::class);
$response->shouldReceive('isSuccess')->andReturn($isSuccess);
$response->shouldReceive('getReturnCode')->andReturn($returnCode);
$response->shouldReceive('getBodyString')->andReturn($bodyString);
$this->httpClient->shouldReceive('get')
->with($assertUrl, HttpClientAccept::JSON, [HttpClientOptions::REQUEST => HttpClientRequest::CONTACTVERIFIER] )
->andReturn($response)->once();
$this->sendInput($payload);
rewind($this->inputStream);
$console = new AuthEJabberd(
$this->mode,
DI::config(),
DI::pConfig(),
DI::dba(),
DI::baseUrl(),
DI::lock(),
$this->httpClient,
$this->consoleArgv,
$this->inputStream,
$this->outputStream
);
$txt = $this->dumpExecute($console);
print_r($txt);
$this->assertSame(0, $this->consoleExecReturn);
$this->assertEmpty($txt);
rewind($this->outputStream);
if ($assertion) {
$this->assertSuccess();
} else {
$this->assertFailed();
}
}
/**
* Tests, if the auth per pConfig works
*
* @return void
*/
public function testAuthForbidden(): void
{
$this->mode->shouldReceive('isNormal')->andReturn(true)->once();
DI::pConfig()->set(51, 'xmpp', 'password', 'pConfigPW');
$this->sendInput('auth:admin:friendica.local:pConfigPW');
rewind($this->inputStream);
$console = new AuthEJabberd(
$this->mode,
DI::config(),
DI::pConfig(),
DI::dba(),
DI::baseUrl(),
DI::lock(),
$this->httpClient,
$this->consoleArgv,
$this->inputStream,
$this->outputStream
);
$txt = $this->dumpExecute($console);
print_r($txt);
$this->assertEmpty($txt);
rewind($this->outputStream);
$this->assertSuccess();
}
/**
* Just tests the help output
*
* @return void
*/
public function testGetHelp()
{
// Usable to purposely fail if new commands are added without taking tests into account
$theHelp = <<<HELP
auth_ejabberd - Daemon that communicates with the ejabberd server
Synopsis
bin/console auth_ejabberd [-h|--help|-?] [-v]
Description
ejabberd supports external authentication via a small daemon (script or binary)
that communicates with the ejabberd server using STDIN and STDOUT and a binary protocol.
Options
-h|--help|-? Show help information
-v Show more debug information.
Examples
bin/console auth_ejabberd
Starts the daemon and reads per STDIN
HELP;
$console = new AuthEJabberd(
$this->mode,
DI::config(),
DI::pConfig(),
DI::dba(),
DI::baseUrl(),
DI::lock(),
$this->httpClient,
$this->consoleArgv,
$this->inputStream,
$this->outputStream
);
$console->setOption('help', true);
$txt = $this->dumpExecute($console);
self::assertEquals($txt, $theHelp);
}
}