Merge branch 'stable-3.1' into 'stable-3.1'

XMPP Server Setup bugfix for 3.1

Content:
- replaced old dev default values in dns generation for XMPP domains by server name
- added datalog tokens for xmpp domains and users
- fixed DB query for XMPP authentication and user query
- added default values for all CSR fields, so they cannot be empty

There is still a new error with the authentication. The Auth script used to authenticate against the database should be spawned in its own process, but the auth module seems not to load it.  
Maybe it is a problem with new library versions released during the last year. I'm in contact with the metronome Devs to solve this problem.

In meantime, this bugfix will ensure that the servers are configured correctly.

See merge request !471

Author: Till Brehm

install/apps/metronome_libs/mod_auth_external/db_auth.php

@@ -17,15 +17,15 @@
 
     // check for existing user
     $dbmail = $db->real_escape_string($arg_email);
-    $result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?", $dbmail, $isp_server_id);
-    result_false($result->num_rows != 1);
-
-    $user = $result->fetch_object();
-
-    // check for domain autologin api key
-    $domain_key = 'f47kmm5Yh5hJzSws2KTS';
-
-    checkAuth($argv[1], $argv[2], $arg_password, $user->password, $domain_key);
+    $query = $db->prepare("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
+    $query->bind_param('si', $arg_email, $isp_server_id);
+    $query->execute();
+    $query->bind_result($jid, $password);
+    $query->fetch();
+    $query->close();
+
+    result_false(is_null($jid));
+    checkAuth($arg_password, $password);
 }catch(Exception $ex){
     echo 0;
     exit();
@@ -40,19 +40,9 @@ function result_true(){
     echo 1;
     exit();
 }
-function checkAuth($user, $domain, $pw_arg, $pw_db, $domain_key){
+function checkAuth($pw_arg, $pw_db){
     if(crypt($pw_arg, $pw_db) == $pw_db)
         result_true();
-
-    if($domain_key){
-        $datetime = new DateTime();
-        $datetime->setTimezone(new DateTimeZone("UTC"));
-        for($t = $datetime->getTimestamp(); $t >= $datetime->getTimestamp()-30; $t--){
-            $pw_api = md5($domain.'@'.$domain_key.'@'.$user.'@'.$t);
-            if($pw_api == $pw_arg)
-                result_true();
-        }
-    }
     result_false();
 }
 ?>

install/apps/metronome_libs/mod_auth_external/db_isuser.php

@@ -15,8 +15,14 @@
 
     // check for existing user
     $dbmail = $db->real_escape_string($arg_email);
-    $result = $db->query("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?", $dbmail, $isp_server_id);
-    result_false($result->num_rows != 1);
+    $query = $db->prepare("SELECT count(*) AS usercount FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
+    $query->bind_param('si', $arg_email, $isp_server_id);
+    $query->execute();
+    $query->bind_result($usercount);
+    $query->fetch();
+    $query->close();
+
+    result_false($usercount != 1);
     result_true();
 
 }catch(Exception $ex){
@@ -34,4 +40,4 @@ function result_true(){
     exit();
 }
 
-?>
+?>

install/lib/installer_base.lib.php

@@ -1597,6 +1597,7 @@ public function configure_xmpp($options = '') {
         // Copy isp libs
         if(!@is_dir('/usr/lib/metronome/isp-modules')) mkdir('/usr/lib/metronome/isp-modules', 0755, true);
         caselog('cp -rf apps/metronome_libs/* /usr/lib/metronome/isp-modules/', __FILE__, __LINE__);
+        caselog('chmod 755 /usr/lib/metronome/isp-modules/mod_auth_external/authenticate_isp.sh', __FILE__, __LINE__);
         // Process db config
         $full_file_name = '/usr/lib/metronome/isp-modules/mod_auth_external/db_conf.inc.php';
         $content = rf($full_file_name);
@@ -1609,13 +1610,14 @@ public function configure_xmpp($options = '') {
 
         if(!stristr($options, 'dont-create-certs')){
             // Create SSL Certificate for localhost
-            echo "writing new private key to 'localhost.key'\n-----\n";
-            $ssl_country = $this->free_query('Country Name (2 letter code)', 'AU');
-            $ssl_locality = $this->free_query('Locality Name (eg, city)', '');
+            // Ensure no line is left blank
+			echo "writing new private key to 'localhost.key'\n-----\n";
+			$ssl_country = $this->free_query('Country Name (2 letter code)', 'AU');
+            $ssl_locality = $this->free_query('Locality Name (eg, city)', 'City Name');
             $ssl_organisation = $this->free_query('Organization Name (eg, company)', 'Internet Widgits Pty Ltd');
-            $ssl_organisation_unit = $this->free_query('Organizational Unit Name (eg, section)', '');
+            $ssl_organisation_unit = $this->free_query('Organizational Unit Name (eg, section)', 'Infrastructure');
             $ssl_domain = $this->free_query('Common Name (e.g. server FQDN or YOUR name)', $conf['hostname']);
-            $ssl_email = $this->free_query('Email Address', '');
+            $ssl_email = $this->free_query('Email Address', 'hostmaster@'.$conf['hostname']);
 
             $tpl = new tpl('metronome_conf_ssl.master');
             $tpl->setVar('ssl_country',$ssl_country);
@@ -1632,6 +1634,14 @@ public function configure_xmpp($options = '') {
             exec("(cd /etc/metronome/certs && make localhost.cert)");
             exec('chmod 0400 /etc/metronome/certs/localhost.key');
             exec('chown metronome /etc/metronome/certs/localhost.key');
+
+			echo "IMPORTANT:\n";
+			echo "Localhost Key, Csr and a self-signed Cert have been saved to /etc/metronome/certs\n";
+			echo "In order to work with all clients, the server must have a trusted certificate, so use the Csr\n";
+			echo "to get a trusted certificate from your CA or replace Key and Cert with already signed files for\n";
+			echo "your domain. Clients like Pidgin dont allow to use untrusted self-signed certificates.\n";
+			echo "\n";
+
         }else{
             echo "-----\n";
             echo "Metronome XMPP SSL server certificate is not renewed. Run the following command manual as root to recreate it:\n";
@@ -1645,45 +1655,6 @@ public function configure_xmpp($options = '') {
         caselog('update-rc.d metronome defaults', __FILE__, __LINE__);
 
         exec($this->getinitcommand($conf['xmpp']['init_script'], 'restart'));
-
-/*
-writing new private key to 'smtpd.key'
------
-You are about to be asked to enter information that will be incorporated
-into your certificate request.
-What you are about to enter is what is called a Distinguished Name or a DN.
-There are quite a few fields but you can leave some blank
-For some fields there will be a default value,
-If you enter '.', the field will be left blank.
------
-Country Name (2 letter code) [AU]:
-State or Province Name (full name) [Some-State]:
-Locality Name (eg, city) []:
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-Organizational Unit Name (eg, section) []:
-Common Name (e.g. server FQDN or YOUR name) []:
-Email Address []:
- * */
-
-        /*// Dont just copy over the virtualhost template but add some custom settings
-        $tpl = new tpl('apache_apps.vhost.master');
-
-        $tpl->setVar('apps_vhost_port',$conf['web']['apps_vhost_port']);
-        $tpl->setVar('apps_vhost_dir',$conf['web']['website_basedir'].'/apps');
-        $tpl->setVar('apps_vhost_basedir',$conf['web']['website_basedir']);
-        $tpl->setVar('apps_vhost_servername',$apps_vhost_servername);
-        $tpl->setVar('apache_version',getapacheversion());
-
-
-        // comment out the listen directive if port is 80 or 443
-        if($conf['web']['apps_vhost_ip'] == 80 or $conf['web']['apps_vhost_ip'] == 443) {
-            $tpl->setVar('vhost_port_listen','#');
-        } else {
-            $tpl->setVar('vhost_port_listen','');
-        }
-
-        wf($vhost_conf_dir.'/apps.vhost', $tpl->grab());
-        unset($tpl);*/
     }
 
 

interface/lib/lang/de.lng

@@ -131,6 +131,12 @@ $wb['datalog_status_d_web_folder'] = 'Verzeichnisschutz löschen';
 $wb['datalog_status_i_web_folder_user'] = 'Verzeichnisschutz Benutzer anlegen';
 $wb['datalog_status_u_web_folder_user'] = 'Verzeichnisschutz Benutzer ändern';
 $wb['datalog_status_d_web_folder_user'] = 'Verzeichnisschutz Benutzer löschen';
+$wb['datalog_status_i_xmpp_domain'] = 'XMPP Domain erstellen';
+$wb['datalog_status_u_xmpp_domain'] = 'XMPP Domain ändern';
+$wb['datalog_status_d_xmpp_domain'] = 'XMPP Domain löschen';
+$wb['datalog_status_i_xmpp_user'] = 'XMPP Benutzer erstellen';
+$wb['datalog_status_u_xmpp_user'] = 'XMPP Benutzer ändern';
+$wb['datalog_status_d_xmpp_user'] = 'XMPP Benutzer löschen';
 $wb['login_as_txt'] = 'Anmelden als';
 $wb['no_domain_perm'] = 'Sie haben keine Berechtigung für diese Domain.';
 $wb['no_destination_perm'] = 'Sie haben keine Berechtigung für dieses Ziel.';

interface/lib/lang/en.lng

@@ -131,6 +131,12 @@ $wb['datalog_status_d_web_folder'] = 'Delete folder protection';
 $wb['datalog_status_i_web_folder_user'] = 'Create folder protection user';
 $wb['datalog_status_u_web_folder_user'] = 'Update folder protection user';
 $wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user';
+$wb['datalog_status_i_xmpp_domain'] = 'Create XMPP domain';
+$wb['datalog_status_u_xmpp_domain'] = 'Update XMPP domain';
+$wb['datalog_status_d_xmpp_domain'] = 'Delete XMPP domain';
+$wb['datalog_status_i_xmpp_user'] = 'Create XMPP user';
+$wb['datalog_status_u_xmpp_user'] = 'Update XMPP user';
+$wb['datalog_status_d_xmpp_user'] = 'Delete XMPP user';
 $wb['err_csrf_attempt_blocked'] = 'CSRF attempt blocked.';
 $wb['login_as_txt'] = 'Log in as';
 $wb["no_domain_perm"] = 'You have no permission for this domain.';

interface/web/mail/xmpp_domain_edit.php

@@ -411,6 +411,9 @@ function onAfterUpdate() {
     private function update_dns($dataRecord, $new_rr) {
         global $app, $conf;
 
+        $sql = "SELECT server_name from server WHERE server_id = " . intval($dataRecord['server_id']);
+        $xmpp_server = $app->db->queryOneRecord($sql);
+
         $rec = $app->db->queryOneRecord("SELECT use_pubsub, use_proxy, use_anon_host, use_vjud, use_muc_host from xmpp_domain WHERE domain_id = ?", $this->id);
         $required_hosts = array('xmpp');
         if($rec['use_pubsub']=='y')
@@ -437,7 +440,7 @@ private function update_dns($dataRecord, $new_rr) {
             $rr = $new_rr;
             $rr['name'] = $h;
             $rr['type'] = 'CNAME';
-            $rr['data'] = 'jalapeno.spicyweb.de.';
+            $rr['data'] = $xmpp_server['server_name'] . '.';
             $rr['aux'] = 0;
             $rr['active'] = 'Y';
             $rr['stamp'] = date('Y-m-d H:i:s');
@@ -449,7 +452,7 @@ private function update_dns($dataRecord, $new_rr) {
         $rr = $new_rr;
         $rr['name'] = '_xmpp-client._tcp.'.$dataRecord['domain'].'.';
         $rr['type'] = 'SRV';
-        $rr['data'] = '5 5222 jalapeno.spicyweb.de.';
+        $rr['data'] = '5 5222 ' . $xmpp_server['server_name'] . '.';
         $rr['aux'] = 0;
         $rr['active'] = 'Y';
         $rr['stamp'] = date('Y-m-d H:i:s');
@@ -458,7 +461,7 @@ private function update_dns($dataRecord, $new_rr) {
         $rr = $new_rr;
         $rr['name'] = '_xmpp-server._tcp.'.$dataRecord['domain'].'.';
         $rr['type'] = 'SRV';
-        $rr['data'] = '5 5269 jalapeno.spicyweb.de.';
+        $rr['data'] = '5 5269 ' . $xmpp_server['server_name'] . '.';
         $rr['aux'] = 0;
         $rr['active'] = 'Y';
         $rr['stamp'] = date('Y-m-d H:i:s');