Page Menu
Home
Phorge
Search
Configure Global Search
Log In
Files
F2528641
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Flag For Later
Award Token
Size
11 KB
Referenced Files
None
Subscribers
None
View Options
diff --git a/lib/Kolab/FreeBusy/HTTPAuth.php b/lib/Kolab/FreeBusy/HTTPAuth.php
new file mode 100644
index 0000000..ad0c394
--- /dev/null
+++ b/lib/Kolab/FreeBusy/HTTPAuth.php
@@ -0,0 +1,117 @@
+<?php
+
+namespace Kolab\FreeBusy;
+
+use \Net_LDAP3;
+use \Monolog\Logger as Monolog;
+
+/**
+ * Static class to process HTTP authentication to this service
+ */
+class HTTPAuth
+{
+ private static $logger;
+
+ /**
+ * Validate HTTP basic auth against the configured backend
+ */
+ public static function check($config)
+ {
+ $logger = Logger::get('httpauth');
+
+ // no http auth submitted, abort!
+ if (empty($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
+ $logger->addDebug('No HTTP auth submitted');
+ return false;
+ }
+
+ switch ($config['type']) {
+ case 'static':
+ return self::checkStatic($config, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+
+ case 'ldap':
+ return self::checkLDAP($config, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+
+ default:
+ $logger->addWarning('Unsupported auth type ' . $config['type']);
+ break;
+ }
+
+ return false;
+ }
+
+ /**
+ * Validate static user credentials from config
+ */
+ private static function checkStatic($config, $user, $pass)
+ {
+ $valid = $user == $config['username'] && $pass == $config['password'];
+ Logger::get('httpauth')->addInfo("Static: authenticating user '$user': " . ($valid ? 'SUCCESS' : 'FAILURE'));
+ return $valid;
+ }
+
+ /**
+ * Validate user credentials against the configured LDAP backend
+ */
+ private static function checkLDAP($config, $user, $pass)
+ {
+ self::$logger = Logger::get('httpauth', intval($config['loglevel']));
+
+ $host = parse_url($config['host']);
+ $ldap_config = array(
+ 'hosts' => array($host['host']),
+ 'port' => $host['port'] ?: 389,
+ 'use_tls' => $host['scheme'] == 'tls' || $host['scheme'] == 'ldaps',
+ 'root_dn' => $config['base_dn'],
+ 'filter' => $config['filter'],
+ 'service_bind_dn' => $config['bind_dn'],
+ 'service_bind_pw' => $config['bind_pw'],
+ 'sizelimit' => 0,
+ 'timelimit' => 0,
+ );
+
+ // instantiate Net_LDAP3 and connect with logger
+ $ldap = new Net_LDAP3($ldap_config);
+ $ldap->config_set('log_hook', 'Kolab\FreeBusy\HTTPAuth::ldapLog');
+
+ // connect + bind to LDAP server
+ if ($ldap->connect()) {
+ self::$logger->addDebug("LDAP: connected to $config[host] with '$config[bind_dn]'");
+
+ // extract domain part from base_dn
+ $dn_domain = ldap_explode_dn($config['base_dn'], 1);
+ unset($dn_domain['count']);
+ $domain = join('.', $dn_domain);
+
+ $valid = (bool)$ldap->login($user, $pass, $domain);
+ }
+ else {
+ self::$logger->addWarning("LDAP: connectiion to $config[host] with '$config[bind_dn]' failed!");
+ }
+
+ self::$logger->addInfo("LDAP: authenticating user '$user': " . ($valid ? 'SUCCESS' : 'FAILURE'));
+ return $valid;
+ }
+
+ /**
+ * Callback for Net_LDAP3 logging
+ */
+ public static function ldapLog($level, $msg)
+ {
+ // map PHP log levels to Monolog levels
+ static $loglevels = array(
+ LOG_DEBUG => Monolog::DEBUG,
+ LOG_NOTICE => Monolog::NOTICE,
+ LOG_INFO => Monolog::INFO,
+ LOG_WARNING => Monolog::WARNING,
+ LOG_ERR => Monolog::ERROR,
+ LOG_CRIT => Monolog::CRITICAL,
+ LOG_ALERT => Monolog::ALERT,
+ LOG_EMERG => Monolog::EMERGENCY,
+ );
+
+ $msg = is_array($msg) ? join('; ', $msg) : strval($msg);
+ self::$logger->addRecord($loglevels[$level], $msg);
+ }
+
+}
\ No newline at end of file
diff --git a/lib/Kolab/FreeBusy/Utils.php b/lib/Kolab/FreeBusy/Utils.php
new file mode 100644
index 0000000..ba1e736
--- /dev/null
+++ b/lib/Kolab/FreeBusy/Utils.php
@@ -0,0 +1,118 @@
+<?php
+
+namespace Kolab\FreeBusy;
+
+/**
+ * Static calss providing utility functions for the Free/Busy service
+ */
+class Utils
+{
+ /**
+ * Resolve the given directory to a real path ending with $append
+ *
+ * @param string Arbitrary directory directory path
+ * @param string Make path end with this string/character
+ * @return string Absolute file system path
+ */
+ public static function abspath($dirname, $append = '')
+ {
+ if ($dirname[0] != '/')
+ $dirname = realpath(KOLAB_FREEBUSY_ROOT . '/' . $dirname);
+
+ return rtrim($dirname, '/') . $append;
+ }
+
+ /**
+ * Returns remote IP address and forwarded addresses if found
+ *
+ * @return string Remote IP address(es)
+ */
+ public static function remoteIP()
+ {
+ $address = $_SERVER['REMOTE_ADDR'];
+
+ // use the NGINX X-Real-IP header, if set
+ if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+ $address = $_SERVER['HTTP_X_REAL_IP'];
+ }
+ // use the X-Forwarded-For header, if set
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $address = $_SERVER['HTTP_X_FORWARDED_FOR'];
+ }
+
+ return $address;
+ }
+
+
+ /**
+ * Checks if the given IP address is in one of the provided ranges
+ *
+ * @param string IP address
+ * @param array List of IP ranges/subnets to check against
+ * @return boolean True if in range, False if not
+ */
+ public static function checkIPRange($ip, $ranges)
+ {
+ $ipv6 = strpos($ip, ':') !== false;
+ $ipbin = $ipv6 ? self::ip6net2bits($ip) : ip2long($ip);
+
+ foreach ((array)$ranges as $range) {
+ // don't compare IPv4 and IPv6 addresses/ranges
+ $rangev6 = strpos($range, ':') !== false;
+ if ($ipv6 != $rangev6) {
+ continue;
+ }
+
+ // quick substring check (e.g. 192.168.0.)
+ if (( $ipv6 && strpos($ipbin, self::ip6net2bits($range)) === 0) ||
+ (!$ipv6 && strpos($ip, rtrim($range, '*')) === 0)) {
+ return true;
+ }
+
+ // range from-to specified (IPv4 only)
+ list($lower, $upper) = explode('-', $range);
+ if (strlen($upper) && !$ipv6) {
+ if ($ipbin >= ip2long(trim($lower)) && $ipbin <= ip2long(trim($upper))) {
+ return true;
+ }
+ }
+
+ // subnet/length is given
+ list($subnet, $bits) = explode('/', $range);
+
+ // IPv6 subnet
+ if (strlen($bits) && $ipv6) {
+ $subnetbin = self::ip6net2bits($subnet);
+ if (substr($ipbin, 0, $bits) === substr($subnetbin, 0, $bits)) {
+ return true;
+ }
+ }
+ // IPv4 subnet
+ else if (strlen($bits)) {
+ $subnet = ip2long($subnet);
+ $mask = -1 << $bits;
+ $subnet &= $mask; // just in case the supplied subnet wasn't correctly aligned
+ if (($ipbin & $mask) == $subnet) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Convert the given IPv6 address to a binary string representation.
+ * (from http://stackoverflow.com/questions/7951061/matching-ipv6-address-to-a-cidr-subnet)
+ */
+ public static function ip6net2bits($inet)
+ {
+ $binaryip = '';
+ $unpacked = @unpack('A16', inet_pton($inet));
+ foreach (str_split($unpacked[1]) as $char) {
+ $binaryip .= str_pad(decbin(ord($char)), 8, '0', STR_PAD_LEFT);
+ }
+ return $binaryip;
+ }
+
+}
\ No newline at end of file
diff --git a/web/index.php b/web/index.php
index 41286da..93115f2 100644
--- a/web/index.php
+++ b/web/index.php
@@ -1,118 +1,128 @@
<?php
/**
* Kolab Server Free/Busy Service Endpoint
*
* This is the public API to provide Free/Busy information for Kolab users.
*
* @version 0.1.0
* @author Thomas Bruederli <bruederli@kolabsys.com>
*
* Copyright (C) 2013, Kolab Systems AG <contact@kolabsys.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
define('KOLAB_FREEBUSY_ROOT', realpath('../'));
// suppress error notices
ini_set('error_reporting', E_ALL &~ E_NOTICE);
// use composer's autoloader for both dependencies and local lib
require_once KOLAB_FREEBUSY_ROOT . '/vendor/autoload.php';
+use Kolab\FreeBusy\Utils;
use Kolab\FreeBusy\Config;
use Kolab\FreeBusy\Logger;
use Kolab\FreeBusy\Directory;
+use Kolab\FreeBusy\HTTPAuth;
-#header('Content-type: text/calendar; charset=utf-8', true);
-header('Content-type: text/plain', true);
// load config
$config = Config::getInstance(KOLAB_FREEBUSY_ROOT . '/config');
if ($config->isValid()) {
-# print_r($config);
- $log = Logger::get('service');
- $log->addInfo('Request: ' . $_SERVER['REDIRECT_URL'], array('ip' => $_SERVER['REMOTE_ADDR']));
-
- // check HTTP auth first
- if ($config->httpauth) {
- // TODO: implement this
+ // check for trusted IP first
+ $remote_ip = Utils::remoteIP();
+ $trusted_ip = $config->trustednetworks ? Utils::checkIPRange($remote_ip, $config->trustednetworks['allow']) : false;
+
+ $log = Logger::get('web');
+ $log->addDebug('Request: ' . $_SERVER['REDIRECT_URL'], array('ip' => $remote_ip, 'trusted' => $trusted_ip));
+
+ // check HTTP authentication
+ if (!$trusted_ip && $config->httpauth) {
+ if (!HTTPAuth::check($config->httpauth)) {
+ $log->addDebug("Abort with 401 Unauthorized");
+ header('WWW-Authenticate: Basic realm="Kolab Free/Busy Service"');
+ header($_SERVER['SERVER_PROTOCOL'] . " 401 Unauthorized", true);
+ exit;
+ }
}
+ #header('Content-type: text/calendar; charset=utf-8', true);
+ header('Content-type: text/plain', true);
+
// analyse request
$url = array_filter(explode('/', $_SERVER['REDIRECT_URL']));
$user = strtolower(array_pop($url));
$action = strtolower(array_pop($url));
$extended = false;
// remove file extension
if (preg_match('/^(.+)\.([ipx]fb)$/i', $user, $m)) {
$user = $m[1];
$extended = $m[2] == 'xfb';
}
// iterate over directories
foreach ($config->directories as $key => $dirconfig) {
$log->addDebug("Trying directory $key", $dirconfig);
$directory = Directory::factory($dirconfig);
- if ($fbdata = $directory->getFreeBusyData($user, $extended)) {
- $log->addInfo("Found valid data for user $user");
+ if ($directory && ($fbdata = $directory->getFreeBusyData($user, $extended))) {
+ $log->addInfo("Found valid data for user $user in directory $key");
echo $fbdata;
exit;
}
}
-/*
- if ($_SERVER['REMOTE_ADDR'] is in $config->trustednetworks['allow]) {
+ // return 404 if request was sent from a trusted IP
+ if ($trusted_ip) {
$log->addDebug("Returning '404 Not Found' for user $user");
header($_SERVER['SERVER_PROTOCOL'] . " 404 Not found", true);
}
else {
-*/
$log->addInfo("Returning empty Free/Busy list for user $user");
$now = time();
$dtformat = 'Ymd\THis\Z';
// NOTE: The following settings should probably correspond with
// whatever period of time kolab-freebusyd thinks it should use.
// Should probably be a setting. For now, do 8 weeks in the past
$start = $now - (60 * 60 * 24 * 7 * 8);
// Should probably be a setting. For now, do 16 weeks into the future
$end = $now + (60 * 60 * 24 * 7 * 16);
// Return an apparent empty Free/Busy list.
print "BEGIN:VCALENDAR\n";
print "VERSION:2.0\n";
print "PRODID:-//kolab.org//NONSGML Kolab Server 3//EN\n";
print "METHOD:PUBLISH\n";
print "BEGIN:VFREEBUSY\n";
print "ORGANIZER:MAILTO:" . $user . ".ifb\n";
print "DTSTAMP:" . gmdate($dtformat) . "\n";
print "DTSTART:" . gmdate($dtformat, $start) . "\n";
print "DTEND:" . gmdate($dtformat, $end) . "\n";
print "COMMENT:This is a dummy vfreebusy that indicates an empty calendar\n";
print "FREEBUSY:19700101T000000Z/19700101T000000Z\n";
print "END:VFREEBUSY\n";
print "END:VCALENDAR\n";
-// }
+ }
}
// exit with error
# header($_SERVER['SERVER_PROTOCOL'] . " 500 Internal Server Error", true);
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Sun, Feb 1, 4:37 PM (1 d, 21 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
426694
Default Alt Text
(11 KB)
Attached To
Mode
R28 freebusy
Attached
Detach File
Event Timeline
Log In to Comment