Merge pull request #8909 from MrPetovan/task/ex_auth

Refactor ExAuth for DICE
2020-08-22 22:12:22 +02:00 · 2020-08-22 22:12:22 +02:00 · fc2340d4af
parent d31010ca0e 8565617ea1
commit fc2340d4af
3 changed files with 102 additions and 65 deletions
--- a/bin/auth_ejabberd.php
+++ b/bin/auth_ejabberd.php
@ -80,6 +80,7 @@ $dice = $dice->addRule(LoggerInterface::class,['constructParams' => ['auth_ejabb
 $appMode = $dice->create(Mode::class);

 if ($appMode->isNormal()) {
-	$oAuth = new ExAuth();
+	/** @var ExAuth $oAuth */
+	$oAuth = $dice->create(ExAuth::class);
 	$oAuth->readStdin();
 }
--- a/src/Model/User.php
+++ b/src/Model/User.php
@ -21,7 +21,9 @@

 namespace Friendica\Model;

+use DivineOmega\DOFileCachePSR6\CacheItemPool;
 use DivineOmega\PasswordExposed;
+use ErrorException;
 use Exception;
 use Friendica\Content\Pager;
 use Friendica\Core\Hook;
@ -33,7 +35,7 @@ use Friendica\Core\Worker;
 use Friendica\Database\DBA;
 use Friendica\DI;
 use Friendica\Model\TwoFactor\AppSpecificPassword;
-use Friendica\Network\HTTPException\InternalServerErrorException;
+use Friendica\Network\HTTPException;
 use Friendica\Object\Image;
 use Friendica\Util\Crypto;
 use Friendica\Util\DateTimeFormat;
@ -41,6 +43,7 @@ use Friendica\Util\Images;
 use Friendica\Util\Network;
 use Friendica\Util\Strings;
 use Friendica\Worker\Delivery;
+use ImagickException;
 use LightOpenID;

 /**
@ -401,11 +404,11 @@ class User
 	/**
 	 * Returns the default group for a given user and network
 	 *
-	 * @param int $uid User id
+	 * @param int    $uid     User id
 	 * @param string $network network name
 	 *
 	 * @return int group id
-	 * @throws InternalServerErrorException
+	 * @throws Exception
 	 */
 	public static function getDefaultGroup($uid, $network = '')
 	{
@ -457,7 +460,8 @@ class User
 	 * @param string $password
 	 * @param bool   $third_party
 	 * @return int User Id if authentication is successful
-	 * @throws Exception
+	 * @throws HTTPException\ForbiddenException
+	 * @throws HTTPException\NotFoundException
 	 */
 	public static function getIdFromPasswordAuthentication($user_info, $password, $third_party = false)
 	{
@ -492,7 +496,7 @@ class User
 			return $user['uid'];
 		}

-		throw new Exception(DI::l10n()->t('Login failed'));
+		throw new HTTPException\ForbiddenException(DI::l10n()->t('Login failed'));
 	}

 	/**
@ -506,7 +510,7 @@ class User
 	 *
 	 * @param mixed $user_info
 	 * @return array
-	 * @throws Exception
+	 * @throws HTTPException\NotFoundException
 	 */
 	private static function getAuthenticationInfo($user_info)
 	{
@ -550,7 +554,7 @@ class User
 			}

 			if (!DBA::isResult($user)) {
-				throw new Exception(DI::l10n()->t('User not found'));
+				throw new HTTPException\NotFoundException(DI::l10n()->t('User not found'));
 			}
 		}

@ -561,6 +565,7 @@ class User
 	 * Generates a human-readable random password
 	 *
 	 * @return string
+	 * @throws Exception
 	 */
 	public static function generateNewPassword()
 	{
@ -576,7 +581,7 @@ class User
 	 */
 	public static function isPasswordExposed($password)
 	{
-		$cache = new \DivineOmega\DOFileCachePSR6\CacheItemPool();
+		$cache = new CacheItemPool();
 		$cache->changeConfig([
 			'cacheDirectory' => get_temppath() . '/password-exposed-cache/',
 		]);
@ -585,7 +590,7 @@ class User
 			$passwordExposedChecker = new PasswordExposed\PasswordExposedChecker(null, $cache);

 			return $passwordExposedChecker->passwordExposed($password) === PasswordExposed\PasswordStatus::EXPOSED;
-		} catch (\Exception $e) {
+		} catch (Exception $e) {
 			Logger::error('Password Exposed Exception: ' . $e->getMessage(), [
 				'code' => $e->getCode(),
 				'file' => $e->getFile(),
@ -682,7 +687,6 @@ class User
 	 *
 	 * @param string $nickname The nickname that should be checked
 	 * @return boolean True is the nickname is blocked on the node
-	 * @throws InternalServerErrorException
 	 */
 	public static function isNicknameBlocked($nickname)
 	{
@ -727,9 +731,9 @@ class User
 	 *
 	 * @param  array $data
 	 * @return array
-	 * @throws \ErrorException
-	 * @throws InternalServerErrorException
-	 * @throws \ImagickException
+	 * @throws ErrorException
+	 * @throws HTTPException\InternalServerErrorException
+	 * @throws ImagickException
 	 * @throws Exception
 	 */
 	public static function create(array $data)
@ -855,7 +859,7 @@ class User

 		$nickname = $data['nickname'] = strtolower($nickname);

-		if (!preg_match('/^[a-z0-9][a-z0-9\_]*$/', $nickname)) {
+		if (!preg_match('/^[a-z0-9][a-z0-9_]*$/', $nickname)) {
 			throw new Exception(DI::l10n()->t('Your nickname can only contain a-z, 0-9 and _.'));
 		}

@ -1044,7 +1048,7 @@ class User
 	 *
 	 * @return bool True, if the allow was successful
 	 *
-	 * @throws InternalServerErrorException
+	 * @throws HTTPException\InternalServerErrorException
 	 * @throws Exception
 	 */
 	public static function allow(string $hash)
@ -1118,16 +1122,16 @@ class User
 	 * @param string $lang  The user's language (default is english)
 	 *
 	 * @return bool True, if the user was created successfully
-	 * @throws InternalServerErrorException
-	 * @throws \ErrorException
-	 * @throws \ImagickException
+	 * @throws HTTPException\InternalServerErrorException
+	 * @throws ErrorException
+	 * @throws ImagickException
 	 */
 	public static function createMinimal(string $name, string $email, string $nick, string $lang = L10n::DEFAULT)
 	{
 		if (empty($name) ||
 		    empty($email) ||
 		    empty($nick)) {
-			throw new InternalServerErrorException('Invalid arguments.');
+			throw new HTTPException\InternalServerErrorException('Invalid arguments.');
 		}

 		$result = self::create([
@ -1190,7 +1194,7 @@ class User
 	 * @param string $siteurl
 	 * @param string $password Plaintext password
 	 * @return NULL|boolean from notification() and email() inherited
-	 * @throws InternalServerErrorException
+	 * @throws HTTPException\InternalServerErrorException
 	 */
 	public static function sendRegisterPendingEmail($user, $sitename, $siteurl, $password)
 	{
@ -1226,16 +1230,16 @@ class User
 	 *
 	 * It's here as a function because the mail is sent from different parts
 	 *
-	 * @param \Friendica\Core\L10n $l10n     The used language
-	 * @param array                $user     User record array
-	 * @param string               $sitename
-	 * @param string               $siteurl
-	 * @param string               $password Plaintext password
+	 * @param L10n   $l10n     The used language
+	 * @param array  $user     User record array
+	 * @param string $sitename
+	 * @param string $siteurl
+	 * @param string $password Plaintext password
 	 *
 	 * @return NULL|boolean from notification() and email() inherited
-	 * @throws InternalServerErrorException
+	 * @throws HTTPException\InternalServerErrorException
 	 */
-	public static function sendRegisterOpenEmail(\Friendica\Core\L10n $l10n, $user, $sitename, $siteurl, $password)
+	public static function sendRegisterOpenEmail(L10n $l10n, $user, $sitename, $siteurl, $password)
 	{
 		$preamble = Strings::deindent($l10n->t(
 			'
@ -1292,7 +1296,7 @@ class User
 	/**
 	 * @param int $uid user to remove
 	 * @return bool
-	 * @throws InternalServerErrorException
+	 * @throws HTTPException\InternalServerErrorException
 	 */
 	public static function remove(int $uid)
 	{
--- a/src/Util/ExAuth.php
+++ b/src/Util/ExAuth.php
@ -34,9 +34,13 @@

 namespace Friendica\Util;

-use Friendica\Database\DBA;
-use Friendica\DI;
+use Exception;
+use Friendica\App;
+use Friendica\Core\Config\IConfig;
+use Friendica\Core\PConfig\IPConfig;
+use Friendica\Database\Database;
 use Friendica\Model\User;
+use Friendica\Network\HTTPException;

 class ExAuth
 {
@ -44,12 +48,43 @@ class ExAuth
 	private $host;

 	/**
-	 * Create the class
-	 *
+	 * @var App\Mode
 	 */
-	public function __construct()
+	private $appMode;
+	/**
+	 * @var IConfig
+	 */
+	private $config;
+	/**
+	 * @var IPConfig
+	 */
+	private $pConfig;
+	/**
+	 * @var Database
+	 */
+	private $dba;
+	/**
+	 * @var App\BaseURL
+	 */
+	private $baseURL;
+
+	/**
+	 * @param App\Mode    $appMode
+	 * @param IConfig      $config
+	 * @param IPConfig     $pConfig
+	 * @param Database    $dba
+	 * @param App\BaseURL $baseURL
+	 * @throws Exception
+	 */
+	public function __construct(App\Mode $appMode, IConfig $config, IPConfig $pConfig, Database $dba, App\BaseURL $baseURL)
 	{
-		$this->bDebug = (int) DI::config()->get('jabber', 'debug');
+		$this->appMode = $appMode;
+		$this->config  = $config;
+		$this->pConfig = $pConfig;
+		$this->dba     = $dba;
+		$this->baseURL = $baseURL;
+
+		$this->bDebug = (int)$config->get('jabber', 'debug');

 		openlog('auth_ejabberd', LOG_PID, LOG_USER);

@ -60,14 +95,18 @@ class ExAuth
 	 * Standard input reading function, executes the auth with the provided
 	 * parameters
 	 *
-	 * @return null
-	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
+	 * @throws HTTPException\InternalServerErrorException
 	 */
 	public function readStdin()
 	{
+		if (!$this->appMode->isNormal()) {
+			$this->writeLog(LOG_ERR, 'The node isn\'t ready.');
+			return;
+		}
+
 		while (!feof(STDIN)) {
 			// Quit if the database connection went down
-			if (!DBA::connected()) {
+			if (!$this->dba->isConnected()) {
 				$this->writeLog(LOG_ERR, 'the database connection went down');
 				return;
 			}
@ -123,7 +162,7 @@ class ExAuth
 	 * Check if the given username exists
 	 *
 	 * @param array $aCommand The command array
-	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
+	 * @throws HTTPException\InternalServerErrorException
 	 */
 	private function isUser(array $aCommand)
 	{
@ -142,9 +181,9 @@ class ExAuth
 		$sUser = str_replace(['%20', '(a)'], [' ', '@'], $aCommand[1]);

 		// Does the hostname match? So we try directly
-		if (DI::baseUrl()->getHostname() == $aCommand[2]) {
+		if ($this->baseURL->getHostname() == $aCommand[2]) {
 			$this->writeLog(LOG_INFO, 'internal user check for ' . $sUser . '@' . $aCommand[2]);
-			$found = DBA::exists('user', ['nickname' => $sUser]);
+			$found = $this->dba->exists('user', ['nickname' => $sUser]);
 		} else {
 			$found = false;
 		}
@ -173,7 +212,7 @@ class ExAuth
 	 * @param boolean $ssl  Should the check be done via SSL?
 	 *
 	 * @return boolean Was the user found?
-	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
+	 * @throws HTTPException\InternalServerErrorException
 	 */
 	private function checkUser($host, $user, $ssl)
 	{
@ -203,7 +242,7 @@ class ExAuth
 	 * Authenticate the given user and password
 	 *
 	 * @param array $aCommand The command array
-	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
+	 * @throws Exception
 	 */
 	private function auth(array $aCommand)
 	{
@ -221,35 +260,29 @@ class ExAuth
 		// We now check if the password match
 		$sUser = str_replace(['%20', '(a)'], [' ', '@'], $aCommand[1]);

+		$Error = false;
 		// Does the hostname match? So we try directly
-		if (DI::baseUrl()->getHostname() == $aCommand[2]) {
-			$this->writeLog(LOG_INFO, 'internal auth for ' . $sUser . '@' . $aCommand[2]);
-
-			$aUser = DBA::selectFirst('user', ['uid', 'password', 'legacy_password'], ['nickname' => $sUser]);
-			if (DBA::isResult($aUser)) {
-				$uid = $aUser['uid'];
-				$success = User::authenticate($aUser, $aCommand[3], true);
-				$Error = $success === false;
-			} else {
-				$this->writeLog(LOG_WARNING, 'user not found: ' . $sUser);
-				$Error = true;
-				$uid = -1;
-			}
-			if ($Error) {
+		if ($this->baseURL->getHostname() == $aCommand[2]) {
+			try {
+				$this->writeLog(LOG_INFO, 'internal auth for ' . $sUser . '@' . $aCommand[2]);
+				User::getIdFromPasswordAuthentication($sUser, $aCommand[3], true);
+			} catch (HTTPException\ForbiddenException $ex) {
+				// User exists, authentication failed
 				$this->writeLog(LOG_INFO, 'check against alternate password for ' . $sUser . '@' . $aCommand[2]);
-				$sPassword = DI::pConfig()->get($uid, 'xmpp', 'password', null, true);
+				$aUser = User::getByNickname($sUser, ['uid']);
+				$sPassword = $this->pConfig->get($aUser['uid'], 'xmpp', 'password', null, true);
 				$Error = ($aCommand[3] != $sPassword);
+			} catch (\Throwable $ex) {
+				// User doesn't exist and any other failure case
+				$this->writeLog(LOG_WARNING, $ex->getMessage() . ': ' . $sUser);
+				$Error = true;
 			}
 		} else {
 			$Error = true;
 		}

 		// If the hostnames doesn't match or there is some failure, we try to check remotely
-		if ($Error) {
-			$Error = !$this->checkCredentials($aCommand[2], $aCommand[1], $aCommand[3], true);
-		}
-
-		if ($Error) {
+		if ($Error && !$this->checkCredentials($aCommand[2], $aCommand[1], $aCommand[3], true)) {
 			$this->writeLog(LOG_WARNING, 'authentification failed for user ' . $sUser . '@' . $aCommand[2]);
 			fwrite(STDOUT, pack('nn', 2, 0));
 		} else {
@ -297,7 +330,6 @@ class ExAuth
 	 * Set the hostname for this process
 	 *
 	 * @param string $host The hostname
-	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 */
 	private function setHost($host)
 	{
@ -309,7 +341,7 @@ class ExAuth

 		$this->host = $host;

-		$lockpath = DI::config()->get('jabber', 'lockpath');
+		$lockpath = $this->config->get('jabber', 'lockpath');
 		if (is_null($lockpath)) {
 			$this->writeLog(LOG_INFO, 'No lockpath defined.');
 			return;