Commit e8d2fd26 authored by Till Brehm's avatar Till Brehm

Merge branch 'stable-3.1' into 'stable-3.1'

XMPP Server Setup bugfix for 3.1

Content:
- replaced old dev default values in dns generation for XMPP domains by server name
- added datalog tokens for xmpp domains and users
- fixed DB query for XMPP authentication and user query
- added default values for all CSR fields, so they cannot be empty

There is still a new error with the authentication. The Auth script used to authenticate against the database should be spawned in its own process, but the auth module seems not to load it.  
Maybe it is a problem with new library versions released during the last year. I'm in contact with the metronome Devs to solve this problem.

In the meantime, this bugfix will ensure that the servers are configured correctly.

See merge request !471
parents 1339a88a 38a07fee
......@@ -17,15 +17,15 @@ try{
// check for existing user
$dbmail = $db->real_escape_string($arg_email);
$result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?", $dbmail, $isp_server_id);
result_false($result->num_rows != 1);
$user = $result->fetch_object();
// check for domain autologin api key
$domain_key = 'f47kmm5Yh5hJzSws2KTS';
checkAuth($argv[1], $argv[2], $arg_password, $user->password, $domain_key);
$query = $db->prepare("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
$query->bind_param('si', $arg_email, $isp_server_id);
$query->execute();
$query->bind_result($jid, $password);
$query->fetch();
$query->close();
result_false(is_null($jid));
checkAuth($arg_password, $password);
}catch(Exception $ex){
echo 0;
exit();
......@@ -40,19 +40,9 @@ function result_true(){
echo 1;
exit();
}
function checkAuth($user, $domain, $pw_arg, $pw_db, $domain_key){
function checkAuth($pw_arg, $pw_db){
if(crypt($pw_arg, $pw_db) == $pw_db)
result_true();
if($domain_key){
$datetime = new DateTime();
$datetime->setTimezone(new DateTimeZone("UTC"));
for($t = $datetime->getTimestamp(); $t >= $datetime->getTimestamp()-30; $t--){
$pw_api = md5($domain.'@'.$domain_key.'@'.$user.'@'.$t);
if($pw_api == $pw_arg)
result_true();
}
}
result_false();
}
?>
\ No newline at end of file
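Review bot: The password comparison kept in `checkAuth`, `if(crypt($pw_arg, $pw_db) == $pw_db)`, still uses a loose, non-constant-time `==`; the stricter form is `if(hash_equals($pw_db, crypt($pw_arg, $pw_db)))`. The rewritten lookup in the first hunk (`SELECT jid, password FROM xmpp_user WHERE jid LIKE ?`) binds the caller-supplied JID into a LIKE pattern and replaces the former `num_rows != 1` test with `result_false(is_null($jid))`, so `%`/`_` in the supplied name act as wildcards and the first matching row is silently used; `WHERE jid = ?` makes the lookup exact, and the count query of the user-existence script below has the same LIKE. The surrounding `try` block begins outside the first hunk.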
......@@ -15,8 +15,14 @@ try{
// check for existing user
$dbmail = $db->real_escape_string($arg_email);
$result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?", $dbmail, $isp_server_id);
result_false($result->num_rows != 1);
$query = $db->prepare("SELECT count(*) AS usercount FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
$query->bind_param('si', $arg_email, $isp_server_id);
$query->execute();
$query->bind_result($usercount);
$query->fetch();
$query->close();
result_false($usercount != 1);
result_true();
}catch(Exception $ex){
......@@ -34,4 +40,4 @@ function result_true(){
exit();
}
?>
\ No newline at end of file
?>
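Review bot: The new prepared-statement sequence (`$query = $db->prepare(...)` through `$query->close()`) never checks that `prepare()` succeeded; it returns `false` on an SQL error, the following `bind_param()` call on that value is a fatal error (an `Error` on PHP 7+, which the `catch(Exception $ex)` below does not catch), and the script's output would then be a PHP error message rather than the `0`/`1` the caller expects. A guard such as `result_false($query === false);` directly after the `prepare()` call keeps the failure path explicit and fail-closed; the authenticate script's lookup has the same shape. The enclosing `try` block starts outside this hunk.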
......@@ -1597,6 +1597,7 @@ class installer_base {
// Copy isp libs
if(!@is_dir('/usr/lib/metronome/isp-modules')) mkdir('/usr/lib/metronome/isp-modules', 0755, true);
caselog('cp -rf apps/metronome_libs/* /usr/lib/metronome/isp-modules/', __FILE__, __LINE__);
caselog('chmod 755 /usr/lib/metronome/isp-modules/mod_auth_external/authenticate_isp.sh', __FILE__, __LINE__);
// Process db config
$full_file_name = '/usr/lib/metronome/isp-modules/mod_auth_external/db_conf.inc.php';
$content = rf($full_file_name);
......@@ -1609,13 +1610,14 @@ class installer_base {
if(!stristr($options, 'dont-create-certs')){
// Create SSL Certificate for localhost
echo "writing new private key to 'localhost.key'\n-----\n";
$ssl_country = $this->free_query('Country Name (2 letter code)', 'AU');
$ssl_locality = $this->free_query('Locality Name (eg, city)', '');
// Ensure no line is left blank
echo "writing new private key to 'localhost.key'\n-----\n";
$ssl_country = $this->free_query('Country Name (2 letter code)', 'AU');
$ssl_locality = $this->free_query('Locality Name (eg, city)', 'City Name');
$ssl_organisation = $this->free_query('Organization Name (eg, company)', 'Internet Widgits Pty Ltd');
$ssl_organisation_unit = $this->free_query('Organizational Unit Name (eg, section)', '');
$ssl_organisation_unit = $this->free_query('Organizational Unit Name (eg, section)', 'Infrastructure');
$ssl_domain = $this->free_query('Common Name (e.g. server FQDN or YOUR name)', $conf['hostname']);
$ssl_email = $this->free_query('Email Address', '');
$ssl_email = $this->free_query('Email Address', 'hostmaster@'.$conf['hostname']);
$tpl = new tpl('metronome_conf_ssl.master');
$tpl->setVar('ssl_country',$ssl_country);
......@@ -1632,6 +1634,14 @@ class installer_base {
exec("(cd /etc/metronome/certs && make localhost.cert)");
exec('chmod 0400 /etc/metronome/certs/localhost.key');
exec('chown metronome /etc/metronome/certs/localhost.key');
echo "IMPORTANT:\n";
echo "Localhost Key, Csr and a self-signed Cert have been saved to /etc/metronome/certs\n";
echo "In order to work with all clients, the server must have a trusted certificate, so use the Csr\n";
echo "to get a trusted certificate from your CA or replace Key and Cert with already signed files for\n";
echo "your domain. Clients like Pidgin dont allow to use untrusted self-signed certificates.\n";
echo "\n";
}else{
echo "-----\n";
echo "Metronome XMPP SSL server certificate is not renewed. Run the following command manual as root to recreate it:\n";
......@@ -1645,45 +1655,6 @@ class installer_base {
caselog('update-rc.d metronome defaults', __FILE__, __LINE__);
exec($this->getinitcommand($conf['xmpp']['init_script'], 'restart'));
/*
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
* */
/*// Dont just copy over the virtualhost template but add some custom settings
$tpl = new tpl('apache_apps.vhost.master');
$tpl->setVar('apps_vhost_port',$conf['web']['apps_vhost_port']);
$tpl->setVar('apps_vhost_dir',$conf['web']['website_basedir'].'/apps');
$tpl->setVar('apps_vhost_basedir',$conf['web']['website_basedir']);
$tpl->setVar('apps_vhost_servername',$apps_vhost_servername);
$tpl->setVar('apache_version',getapacheversion());
// comment out the listen directive if port is 80 or 443
if($conf['web']['apps_vhost_ip'] == 80 or $conf['web']['apps_vhost_ip'] == 443) {
$tpl->setVar('vhost_port_listen','#');
} else {
$tpl->setVar('vhost_port_listen','');
}
wf($vhost_conf_dir.'/apps.vhost', $tpl->grab());
unset($tpl);*/
}
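Review bot: The added `chmod 755` covers only `authenticate_isp.sh`; `db_conf.inc.php`, copied into the same world-readable `/usr/lib/metronome/isp-modules` tree by the `cp -rf` line just above, gets no mode or ownership treatment in this hunk, and if that file receives the database credentials (its name and the `// Process db config` comment suggest so, but the write happens outside the hunk) a world-readable copy exposes them to every local account. Consider adding, next to the new chmod, `caselog('chmod 640 /usr/lib/metronome/isp-modules/mod_auth_external/db_conf.inc.php', __FILE__, __LINE__);` with a matching chown to the metronome user, or confirm that the later write already restricts the mode. The enclosing installer method begins before the first hunk and continues past the last one.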
......
......@@ -131,6 +131,12 @@ $wb['datalog_status_d_web_folder'] = 'Verzeichnisschutz löschen';
$wb['datalog_status_i_web_folder_user'] = 'Verzeichnisschutz Benutzer anlegen';
$wb['datalog_status_u_web_folder_user'] = 'Verzeichnisschutz Benutzer ändern';
$wb['datalog_status_d_web_folder_user'] = 'Verzeichnisschutz Benutzer löschen';
$wb['datalog_status_i_xmpp_domain'] = 'XMPP Domain erstellen';
$wb['datalog_status_u_xmpp_domain'] = 'XMPP Domain ändern';
$wb['datalog_status_d_xmpp_domain'] = 'XMPP Domain löschen';
$wb['datalog_status_i_xmpp_user'] = 'XMPP Benutzer erstellen';
$wb['datalog_status_u_xmpp_user'] = 'XMPP Benutzer ändern';
$wb['datalog_status_d_xmpp_user'] = 'XMPP Benutzer löschen';
$wb['login_as_txt'] = 'Anmelden als';
$wb['no_domain_perm'] = 'Sie haben keine Berechtigung für diese Domain.';
$wb['no_destination_perm'] = 'Sie haben keine Berechtigung für dieses Ziel.';
......
......@@ -131,6 +131,12 @@ $wb['datalog_status_d_web_folder'] = 'Delete folder protection';
$wb['datalog_status_i_web_folder_user'] = 'Create folder protection user';
$wb['datalog_status_u_web_folder_user'] = 'Update folder protection user';
$wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user';
$wb['datalog_status_i_xmpp_domain'] = 'Create XMPP domain';
$wb['datalog_status_u_xmpp_domain'] = 'Update XMPP domain';
$wb['datalog_status_d_xmpp_domain'] = 'Delete XMPP domain';
$wb['datalog_status_i_xmpp_user'] = 'Create XMPP user';
$wb['datalog_status_u_xmpp_user'] = 'Update XMPP user';
$wb['datalog_status_d_xmpp_user'] = 'Delete XMPP user';
$wb['err_csrf_attempt_blocked'] = 'CSRF attempt blocked.';
$wb['login_as_txt'] = 'Log in as';
$wb["no_domain_perm"] = 'You have no permission for this domain.';
......
......@@ -411,6 +411,9 @@ class page_action extends tform_actions {
private function update_dns($dataRecord, $new_rr) {
global $app, $conf;
$sql = "SELECT server_name from server WHERE server_id = " . intval($dataRecord['server_id']);
$xmpp_server = $app->db->queryOneRecord($sql);
$rec = $app->db->queryOneRecord("SELECT use_pubsub, use_proxy, use_anon_host, use_vjud, use_muc_host from xmpp_domain WHERE domain_id = ?", $this->id);
$required_hosts = array('xmpp');
if($rec['use_pubsub']=='y')
......@@ -437,7 +440,7 @@ class page_action extends tform_actions {
$rr = $new_rr;
$rr['name'] = $h;
$rr['type'] = 'CNAME';
$rr['data'] = 'jalapeno.spicyweb.de.';
$rr['data'] = $xmpp_server['server_name'] . '.';
$rr['aux'] = 0;
$rr['active'] = 'Y';
$rr['stamp'] = date('Y-m-d H:i:s');
......@@ -449,7 +452,7 @@ class page_action extends tform_actions {
$rr = $new_rr;
$rr['name'] = '_xmpp-client._tcp.'.$dataRecord['domain'].'.';
$rr['type'] = 'SRV';
$rr['data'] = '5 5222 jalapeno.spicyweb.de.';
$rr['data'] = '5 5222 ' . $xmpp_server['server_name'] . '.';
$rr['aux'] = 0;
$rr['active'] = 'Y';
$rr['stamp'] = date('Y-m-d H:i:s');
......@@ -458,7 +461,7 @@ class page_action extends tform_actions {
$rr = $new_rr;
$rr['name'] = '_xmpp-server._tcp.'.$dataRecord['domain'].'.';
$rr['type'] = 'SRV';
$rr['data'] = '5 5269 jalapeno.spicyweb.de.';
$rr['data'] = '5 5269 ' . $xmpp_server['server_name'] . '.';
$rr['aux'] = 0;
$rr['active'] = 'Y';
$rr['stamp'] = date('Y-m-d H:i:s');
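Review bot: Nothing in `update_dns` checks that the new `server_name` lookup returned a row; if `queryOneRecord` yields null or false, the three records below get `$rr['data']` of `.`, `5 5222 .` and `5 5269 .`, publishing broken CNAME/SRV entries. A guard right after the lookup, such as `if(empty($xmpp_server['server_name'])) return;` (or whatever error convention the method uses; its tail is outside the hunk), would prevent that, and it is needed only once at the lookup, not in the three later hunks. The lookup also builds its SQL by concatenation (`"... WHERE server_id = " . intval($dataRecord['server_id'])`) while the query two lines below already uses the driver's `?` placeholder; `$xmpp_server = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $dataRecord['server_id']);` keeps the file consistent.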
......