diff --git a/bin/auth_ejabberd.php b/bin/auth_ejabberd.php index f00615f02b..fa71faf263 100755 --- a/bin/auth_ejabberd.php +++ b/bin/auth_ejabberd.php @@ -80,6 +80,7 @@ $dice = $dice->addRule(LoggerInterface::class,['constructParams' => ['auth_ejabb $appMode = $dice->create(Mode::class); if ($appMode->isNormal()) { - $oAuth = new ExAuth(); + /** @var ExAuth $oAuth */ + $oAuth = $dice->create(ExAuth::class); $oAuth->readStdin(); } diff --git a/src/Model/User.php b/src/Model/User.php index c329ef91a3..4362a6f7b4 100644 --- a/src/Model/User.php +++ b/src/Model/User.php @@ -21,7 +21,9 @@ namespace Friendica\Model; +use DivineOmega\DOFileCachePSR6\CacheItemPool; use DivineOmega\PasswordExposed; +use ErrorException; use Exception; use Friendica\Content\Pager; use Friendica\Core\Hook; @@ -33,7 +35,7 @@ use Friendica\Core\Worker; use Friendica\Database\DBA; use Friendica\DI; use Friendica\Model\TwoFactor\AppSpecificPassword; -use Friendica\Network\HTTPException\InternalServerErrorException; +use Friendica\Network\HTTPException; use Friendica\Object\Image; use Friendica\Util\Crypto; use Friendica\Util\DateTimeFormat; @@ -41,6 +43,7 @@ use Friendica\Util\Images; use Friendica\Util\Network; use Friendica\Util\Strings; use Friendica\Worker\Delivery; +use ImagickException; use LightOpenID; /** @@ -401,11 +404,11 @@ class User /** * Returns the default group for a given user and network * - * @param int $uid User id + * @param int $uid User id * @param string $network network name * * @return int group id - * @throws InternalServerErrorException + * @throws Exception */ public static function getDefaultGroup($uid, $network = '') { @@ -457,7 +460,8 @@ class User * @param string $password * @param bool $third_party * @return int User Id if authentication is successful - * @throws Exception + * @throws HTTPException\ForbiddenException + * @throws HTTPException\NotFoundException */ public static function getIdFromPasswordAuthentication($user_info, $password, $third_party = false) { @@ -492,7 +496,7 @@ class User return $user['uid']; } - throw new Exception(DI::l10n()->t('Login failed')); + throw new HTTPException\ForbiddenException(DI::l10n()->t('Login failed')); } /** @@ -506,7 +510,7 @@ class User * * @param mixed $user_info * @return array - * @throws Exception + * @throws HTTPException\NotFoundException */ private static function getAuthenticationInfo($user_info) { @@ -550,7 +554,7 @@ class User } if (!DBA::isResult($user)) { - throw new Exception(DI::l10n()->t('User not found')); + throw new HTTPException\NotFoundException(DI::l10n()->t('User not found')); } } @@ -561,6 +565,7 @@ class User * Generates a human-readable random password * * @return string + * @throws Exception */ public static function generateNewPassword() { @@ -576,7 +581,7 @@ class User */ public static function isPasswordExposed($password) { - $cache = new \DivineOmega\DOFileCachePSR6\CacheItemPool(); + $cache = new CacheItemPool(); $cache->changeConfig([ 'cacheDirectory' => get_temppath() . '/password-exposed-cache/', ]); @@ -585,7 +590,7 @@ class User $passwordExposedChecker = new PasswordExposed\PasswordExposedChecker(null, $cache); return $passwordExposedChecker->passwordExposed($password) === PasswordExposed\PasswordStatus::EXPOSED; - } catch (\Exception $e) { + } catch (Exception $e) { Logger::error('Password Exposed Exception: ' . $e->getMessage(), [ 'code' => $e->getCode(), 'file' => $e->getFile(), @@ -682,7 +687,6 @@ class User * * @param string $nickname The nickname that should be checked * @return boolean True is the nickname is blocked on the node - * @throws InternalServerErrorException */ public static function isNicknameBlocked($nickname) { @@ -727,9 +731,9 @@ class User * * @param array $data * @return array - * @throws \ErrorException - * @throws InternalServerErrorException - * @throws \ImagickException + * @throws ErrorException + * @throws HTTPException\InternalServerErrorException + * @throws ImagickException * @throws Exception */ public static function create(array $data) @@ -855,7 +859,7 @@ class User $nickname = $data['nickname'] = strtolower($nickname); - if (!preg_match('/^[a-z0-9][a-z0-9\_]*$/', $nickname)) { + if (!preg_match('/^[a-z0-9][a-z0-9_]*$/', $nickname)) { throw new Exception(DI::l10n()->t('Your nickname can only contain a-z, 0-9 and _.')); } @@ -1044,7 +1048,7 @@ class User * * @return bool True, if the allow was successful * - * @throws InternalServerErrorException + * @throws HTTPException\InternalServerErrorException * @throws Exception */ public static function allow(string $hash) @@ -1118,16 +1122,16 @@ class User * @param string $lang The user's language (default is english) * * @return bool True, if the user was created successfully - * @throws InternalServerErrorException - * @throws \ErrorException - * @throws \ImagickException + * @throws HTTPException\InternalServerErrorException + * @throws ErrorException + * @throws ImagickException */ public static function createMinimal(string $name, string $email, string $nick, string $lang = L10n::DEFAULT) { if (empty($name) || empty($email) || empty($nick)) { - throw new InternalServerErrorException('Invalid arguments.'); + throw new HTTPException\InternalServerErrorException('Invalid arguments.'); } $result = self::create([ @@ -1190,7 +1194,7 @@ class User * @param string $siteurl * @param string $password Plaintext password * @return NULL|boolean from notification() and email() inherited - * @throws InternalServerErrorException + * @throws HTTPException\InternalServerErrorException */ public static function sendRegisterPendingEmail($user, $sitename, $siteurl, $password) { @@ -1226,16 +1230,16 @@ class User * * It's here as a function because the mail is sent from different parts * - * @param \Friendica\Core\L10n $l10n The used language - * @param array $user User record array - * @param string $sitename - * @param string $siteurl - * @param string $password Plaintext password + * @param L10n $l10n The used language + * @param array $user User record array + * @param string $sitename + * @param string $siteurl + * @param string $password Plaintext password * * @return NULL|boolean from notification() and email() inherited - * @throws InternalServerErrorException + * @throws HTTPException\InternalServerErrorException */ - public static function sendRegisterOpenEmail(\Friendica\Core\L10n $l10n, $user, $sitename, $siteurl, $password) + public static function sendRegisterOpenEmail(L10n $l10n, $user, $sitename, $siteurl, $password) { $preamble = Strings::deindent($l10n->t( ' @@ -1292,7 +1296,7 @@ class User /** * @param int $uid user to remove * @return bool - * @throws InternalServerErrorException + * @throws HTTPException\InternalServerErrorException */ public static function remove(int $uid) { diff --git a/src/Util/ExAuth.php b/src/Util/ExAuth.php index 25eb3cc62e..a896440a97 100644 --- a/src/Util/ExAuth.php +++ b/src/Util/ExAuth.php @@ -34,9 +34,13 @@ namespace Friendica\Util; -use Friendica\Database\DBA; -use Friendica\DI; +use Exception; +use Friendica\App; +use Friendica\Core\Config\IConfig; +use Friendica\Core\PConfig\IPConfig; +use Friendica\Database\Database; use Friendica\Model\User; +use Friendica\Network\HTTPException; class ExAuth { @@ -44,12 +48,43 @@ class ExAuth private $host; /** - * Create the class - * + * @var App\Mode */ - public function __construct() + private $appMode; + /** + * @var IConfig + */ + private $config; + /** + * @var IPConfig + */ + private $pConfig; + /** + * @var Database + */ + private $dba; + /** + * @var App\BaseURL + */ + private $baseURL; + + /** + * @param App\Mode $appMode + * @param IConfig $config + * @param IPConfig $pConfig + * @param Database $dba + * @param App\BaseURL $baseURL + * @throws Exception + */ + public function __construct(App\Mode $appMode, IConfig $config, IPConfig $pConfig, Database $dba, App\BaseURL $baseURL) { - $this->bDebug = (int) DI::config()->get('jabber', 'debug'); + $this->appMode = $appMode; + $this->config = $config; + $this->pConfig = $pConfig; + $this->dba = $dba; + $this->baseURL = $baseURL; + + $this->bDebug = (int)$config->get('jabber', 'debug'); openlog('auth_ejabberd', LOG_PID, LOG_USER); @@ -60,14 +95,18 @@ class ExAuth * Standard input reading function, executes the auth with the provided * parameters * - * @return null - * @throws \Friendica\Network\HTTPException\InternalServerErrorException + * @throws HTTPException\InternalServerErrorException */ public function readStdin() { + if (!$this->appMode->isNormal()) { + $this->writeLog(LOG_ERR, 'The node isn\'t ready.'); + return; + } + while (!feof(STDIN)) { // Quit if the database connection went down - if (!DBA::connected()) { + if (!$this->dba->isConnected()) { $this->writeLog(LOG_ERR, 'the database connection went down'); return; } @@ -123,7 +162,7 @@ class ExAuth * Check if the given username exists * * @param array $aCommand The command array - * @throws \Friendica\Network\HTTPException\InternalServerErrorException + * @throws HTTPException\InternalServerErrorException */ private function isUser(array $aCommand) { @@ -142,9 +181,9 @@ class ExAuth $sUser = str_replace(['%20', '(a)'], [' ', '@'], $aCommand[1]); // Does the hostname match? So we try directly - if (DI::baseUrl()->getHostname() == $aCommand[2]) { + if ($this->baseURL->getHostname() == $aCommand[2]) { $this->writeLog(LOG_INFO, 'internal user check for ' . $sUser . '@' . $aCommand[2]); - $found = DBA::exists('user', ['nickname' => $sUser]); + $found = $this->dba->exists('user', ['nickname' => $sUser]); } else { $found = false; } @@ -173,7 +212,7 @@ class ExAuth * @param boolean $ssl Should the check be done via SSL? * * @return boolean Was the user found? - * @throws \Friendica\Network\HTTPException\InternalServerErrorException + * @throws HTTPException\InternalServerErrorException */ private function checkUser($host, $user, $ssl) { @@ -203,7 +242,7 @@ class ExAuth * Authenticate the given user and password * * @param array $aCommand The command array - * @throws \Friendica\Network\HTTPException\InternalServerErrorException + * @throws Exception */ private function auth(array $aCommand) { @@ -221,35 +260,29 @@ class ExAuth // We now check if the password match $sUser = str_replace(['%20', '(a)'], [' ', '@'], $aCommand[1]); + $Error = false; // Does the hostname match? So we try directly - if (DI::baseUrl()->getHostname() == $aCommand[2]) { - $this->writeLog(LOG_INFO, 'internal auth for ' . $sUser . '@' . $aCommand[2]); - - $aUser = DBA::selectFirst('user', ['uid', 'password', 'legacy_password'], ['nickname' => $sUser]); - if (DBA::isResult($aUser)) { - $uid = $aUser['uid']; - $success = User::authenticate($aUser, $aCommand[3], true); - $Error = $success === false; - } else { - $this->writeLog(LOG_WARNING, 'user not found: ' . $sUser); - $Error = true; - $uid = -1; - } - if ($Error) { + if ($this->baseURL->getHostname() == $aCommand[2]) { + try { + $this->writeLog(LOG_INFO, 'internal auth for ' . $sUser . '@' . $aCommand[2]); + User::getIdFromPasswordAuthentication($sUser, $aCommand[3], true); + } catch (HTTPException\ForbiddenException $ex) { + // User exists, authentication failed $this->writeLog(LOG_INFO, 'check against alternate password for ' . $sUser . '@' . $aCommand[2]); - $sPassword = DI::pConfig()->get($uid, 'xmpp', 'password', null, true); + $aUser = User::getByNickname($sUser, ['uid']); + $sPassword = $this->pConfig->get($aUser['uid'], 'xmpp', 'password', null, true); $Error = ($aCommand[3] != $sPassword); + } catch (\Throwable $ex) { + // User doesn't exist and any other failure case + $this->writeLog(LOG_WARNING, $ex->getMessage() . ': ' . $sUser); + $Error = true; } } else { $Error = true; } // If the hostnames doesn't match or there is some failure, we try to check remotely - if ($Error) { - $Error = !$this->checkCredentials($aCommand[2], $aCommand[1], $aCommand[3], true); - } - - if ($Error) { + if ($Error && !$this->checkCredentials($aCommand[2], $aCommand[1], $aCommand[3], true)) { $this->writeLog(LOG_WARNING, 'authentification failed for user ' . $sUser . '@' . $aCommand[2]); fwrite(STDOUT, pack('nn', 2, 0)); } else { @@ -297,7 +330,6 @@ class ExAuth * Set the hostname for this process * * @param string $host The hostname - * @throws \Friendica\Network\HTTPException\InternalServerErrorException */ private function setHost($host) { @@ -309,7 +341,7 @@ class ExAuth $this->host = $host; - $lockpath = DI::config()->get('jabber', 'lockpath'); + $lockpath = $this->config->get('jabber', 'lockpath'); if (is_null($lockpath)) { $this->writeLog(LOG_INFO, 'No lockpath defined.'); return;