From f23a877cd8ad8d583b74c312c7e9baa842b5a86a Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 15:38:48 -0500 Subject: Discovery::lookup now throws an exception --- plugins/OStatus/classes/Ostatus_profile.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'plugins') diff --git a/plugins/OStatus/classes/Ostatus_profile.php b/plugins/OStatus/classes/Ostatus_profile.php index 35539bff7..7b1aec76b 100644 --- a/plugins/OStatus/classes/Ostatus_profile.php +++ b/plugins/OStatus/classes/Ostatus_profile.php @@ -1288,9 +1288,9 @@ class Ostatus_profile extends Memcached_DataObject $disco = new Discovery(); - $result = $disco->lookup($addr); - - if (!$result) { + try { + $result = $disco->lookup($addr); + } catch (Exception $e) { self::cacheSet(sprintf('ostatus_profile:webfinger:%s', $addr), null); return null; } -- cgit v1.2.3-54-g00ecf From e4c462570f8010f751caf214f329617c08bf7105 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 15:39:30 -0500 Subject: move salmon posting to send application/magic-envelope+xml per http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-salmon-00.html#RPF --- plugins/OStatus/lib/magicenvelope.php | 22 ++++++++++++++++++++++ plugins/OStatus/lib/salmon.php | 18 +++++++++++------- plugins/OStatus/lib/salmonaction.php | 26 ++++++++++++++------------ 3 files changed, 47 insertions(+), 19 deletions(-) (limited to 'plugins') diff --git a/plugins/OStatus/lib/magicenvelope.php b/plugins/OStatus/lib/magicenvelope.php index f33119b8f..230d81ba1 100644 --- a/plugins/OStatus/lib/magicenvelope.php +++ b/plugins/OStatus/lib/magicenvelope.php @@ -83,6 +83,28 @@ class MagicEnvelope } + public function toXML($env) { + $dom = new DOMDocument(); + + $envelope = $dom->createElementNS(MagicEnvelope::NS, 'me:env'); + $envelope->setAttribute('xmlns:me', MagicEnvelope::NS); + $data = $dom->createElementNS(MagicEnvelope::NS, 'me:data', $env['data']); + $data->setAttribute('type', $env['data_type']); + $envelope->appendChild($data); + $enc = $dom->createElementNS(MagicEnvelope::NS, 'me:encoding', $env['encoding']); + $envelope->appendChild($enc); + $alg = $dom->createElementNS(MagicEnvelope::NS, 'me:alg', $env['alg']); + $envelope->appendChild($alg); + $sig = $dom->createElementNS(MagicEnvelope::NS, 'me:sig', $env['sig']); + $envelope->appendChild($sig); + + $dom->appendChild($envelope); + + + return $dom->saveXML(); + } + + public function unfold($env) { $dom = new DOMDocument(); diff --git a/plugins/OStatus/lib/salmon.php b/plugins/OStatus/lib/salmon.php index 6e2459544..68883a410 100644 --- a/plugins/OStatus/lib/salmon.php +++ b/plugins/OStatus/lib/salmon.php @@ -48,12 +48,17 @@ class Salmon return false; } - if (!common_config('ostatus', 'skip_signatures')) { + try { $xml = $this->createMagicEnv($xml, $actor); + } catch (Exception $e) { + common_log(LOG_ERR, "Salmon unable to sign: " . $e->getMessage()); + return false; } - $headers = array('Content-Type: application/atom+xml'); + $headers = array('Content-Type: application/magic-envelope+xml'); + common_log(LOG_DEBUG, "Salmon: going to post " . $xml); + try { $client = new HTTPClient(); $client->setBody($xml); @@ -72,7 +77,6 @@ class Salmon public function createMagicEnv($text, $actor) { - common_log(LOG_DEBUG, "Got actor as : ". print_r($actor, true)); $magic_env = new MagicEnvelope(); $user = User::staticGet('id', $actor->id); @@ -84,7 +88,6 @@ class Salmon $magickey = new Magicsig(); $magickey->generate($user->id); } - common_log(LOG_DEBUG, "Salmon: Loaded key for ". $user->id); } else { throw new Exception("Salmon invalid actor for signing"); } @@ -95,15 +98,16 @@ class Salmon common_log(LOG_ERR, "Salmon signing failed: ". $e->getMessage()); return $text; } - return $magic_env->unfold($env); + return $magic_env->toXML($env); } - public function verifyMagicEnv($dom) + public function verifyMagicEnv($text) { + common_log(LOG_DEBUG, "Going to verify ". $text); $magic_env = new MagicEnvelope(); - $env = $magic_env->fromDom($dom); + $env = $magic_env->parse($text); return $magic_env->verify($env); } diff --git a/plugins/OStatus/lib/salmonaction.php b/plugins/OStatus/lib/salmonaction.php index a03169101..9ca350e67 100644 --- a/plugins/OStatus/lib/salmonaction.php +++ b/plugins/OStatus/lib/salmonaction.php @@ -41,29 +41,31 @@ class SalmonAction extends Action $this->clientError(_m('This method requires a POST.')); } - if (empty($_SERVER['CONTENT_TYPE']) || $_SERVER['CONTENT_TYPE'] != 'application/atom+xml') { - $this->clientError(_m('Salmon requires application/atom+xml')); + if (empty($_SERVER['CONTENT_TYPE']) || $_SERVER['CONTENT_TYPE'] != 'application/magic-envelope+xml') { + $this->clientError(_m('Salmon requires application/magic-envelope+xml')); } $xml = file_get_contents('php://input'); - $dom = DOMDocument::loadXML($xml); + // Check the signature + $salmon = new Salmon; + if (!$salmon->verifyMagicEnv($xml)) { + common_log(LOG_DEBUG, "Salmon signature verification failed."); + $this->clientError(_m('Salmon signature verification failed.')); + } else { + $env = MagicEnvelope::parse($xml); + $xml = MagicEnvelope::unfold($env); + } + + + $dom = DOMDocument::loadXML($xml); if ($dom->documentElement->namespaceURI != Activity::ATOM || $dom->documentElement->localName != 'entry') { common_log(LOG_DEBUG, "Got invalid Salmon post: $xml"); $this->clientError(_m('Salmon post must be an Atom entry.')); } - // Check the signature - $salmon = new Salmon; - if (!common_config('ostatus', 'skip_signatures')) { - if (!$salmon->verifyMagicEnv($dom)) { - common_log(LOG_DEBUG, "Salmon signature verification failed."); - $this->clientError(_m('Salmon signature verification failed.')); - } - } - $this->act = new Activity($dom->documentElement); return true; } -- cgit v1.2.3-54-g00ecf From c82cee18769763d105304f09de9b6b4079e48aae Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 16:25:47 -0500 Subject: removing some extraneous debug logging --- plugins/OStatus/lib/salmon.php | 4 ---- 1 file changed, 4 deletions(-) (limited to 'plugins') diff --git a/plugins/OStatus/lib/salmon.php b/plugins/OStatus/lib/salmon.php index 68883a410..3d3341bc6 100644 --- a/plugins/OStatus/lib/salmon.php +++ b/plugins/OStatus/lib/salmon.php @@ -57,8 +57,6 @@ class Salmon $headers = array('Content-Type: application/magic-envelope+xml'); - common_log(LOG_DEBUG, "Salmon: going to post " . $xml); - try { $client = new HTTPClient(); $client->setBody($xml); @@ -95,7 +93,6 @@ class Salmon try { $env = $magic_env->signMessage($text, 'application/atom+xml', $magickey->toString()); } catch (Exception $e) { - common_log(LOG_ERR, "Salmon signing failed: ". $e->getMessage()); return $text; } return $magic_env->toXML($env); @@ -104,7 +101,6 @@ class Salmon public function verifyMagicEnv($text) { - common_log(LOG_DEBUG, "Going to verify ". $text); $magic_env = new MagicEnvelope(); $env = $magic_env->parse($text); -- cgit v1.2.3-54-g00ecf From 0ecf435dc5df3d6424fc7bd0438d2856aa07c1da Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 16:50:00 -0500 Subject: adding sequenceKeys() to magicsig --- plugins/OStatus/classes/Magicsig.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'plugins') diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index 751527c81..dee193cd5 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -84,6 +84,10 @@ class Magicsig extends Memcached_DataObject return array('user_id' => 'K'); } + function sequenceKeys() { + return array(false, false, false); + } + function insert() { $this->keypair = $this->toString(); -- cgit v1.2.3-54-g00ecf From 6ee7660a585faf290dc1650a714d280b40ac3a2d Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 16:51:50 -0500 Subject: should be sequenceKey (singular) --- plugins/OStatus/classes/HubSub.php | 2 +- plugins/OStatus/classes/Magicsig.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'plugins') diff --git a/plugins/OStatus/classes/HubSub.php b/plugins/OStatus/classes/HubSub.php index 1ac181fee..e599d83a9 100644 --- a/plugins/OStatus/classes/HubSub.php +++ b/plugins/OStatus/classes/HubSub.php @@ -99,7 +99,7 @@ class HubSub extends Memcached_DataObject return array_keys($this->keyTypes()); } - function sequenceKeys() + function sequenceKey() { return array(false, false, false); } diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index dee193cd5..d47dcf143 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -84,7 +84,7 @@ class Magicsig extends Memcached_DataObject return array('user_id' => 'K'); } - function sequenceKeys() { + function sequenceKey() { return array(false, false, false); } -- cgit v1.2.3-54-g00ecf From 1cf08c7ad7704cd92d59f319573e831d1115e996 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 17:09:50 -0500 Subject: MagicEnvelope::parse shouldn't be called statically --- plugins/OStatus/lib/salmonaction.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'plugins') diff --git a/plugins/OStatus/lib/salmonaction.php b/plugins/OStatus/lib/salmonaction.php index 9ca350e67..fa9dc3b1d 100644 --- a/plugins/OStatus/lib/salmonaction.php +++ b/plugins/OStatus/lib/salmonaction.php @@ -54,8 +54,9 @@ class SalmonAction extends Action common_log(LOG_DEBUG, "Salmon signature verification failed."); $this->clientError(_m('Salmon signature verification failed.')); } else { - $env = MagicEnvelope::parse($xml); - $xml = MagicEnvelope::unfold($env); + $magic_env = new MagicEnvelope(); + $env = $magic_env->parse($xml); + $xml = $magic_env->unfold($env); } -- cgit v1.2.3-54-g00ecf From ee7603b09f162188caaf1d319a70e7fd5d6aa385 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 17:52:12 -0500 Subject: better return check in Magicsig::staticGet() --- plugins/OStatus/classes/Magicsig.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index d47dcf143..30da63c36 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -50,7 +50,11 @@ class Magicsig extends Memcached_DataObject public /*static*/ function staticGet($k, $v=null) { $obj = parent::staticGet(__CLASS__, $k, $v); - return Magicsig::fromString($obj->keypair); + if (!empty($obj)) { + return Magicsig::fromString($obj->keypair); + } + + return $obj; } -- cgit v1.2.3-54-g00ecf From 831eb0d2b6e35073992106a792f2878bb98e6aa4 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 18:22:08 -0500 Subject: renaming sha256 to prevent conflict --- plugins/OStatus/classes/Magicsig.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'plugins') diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index 30da63c36..96900d876 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -181,14 +181,15 @@ class Magicsig extends Memcached_DataObject switch ($this->alg) { case 'RSA-SHA256': - return 'sha256'; + return 'magicsig_sha256'; } } public function sign($bytes) { - $sig = $this->_rsa->createSign($bytes, null, 'sha256'); + $hash = $this->getHash(); + $sig = $this->_rsa->createSign($bytes, null, $hash); if ($this->_rsa->isError()) { $error = $this->_rsa->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -200,7 +201,8 @@ class Magicsig extends Memcached_DataObject public function verify($signed_bytes, $signature) { - $result = $this->_rsa->validateSign($signed_bytes, $signature, null, 'sha256'); + $hash = $this->getHash(); + $result = $this->_rsa->validateSign($signed_bytes, $signature, null, $hash); if ($this->_rsa->isError()) { $error = $this->keypair->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -213,7 +215,7 @@ class Magicsig extends Memcached_DataObject // Define a sha256 function for hashing // (Crypt_RSA should really be updated to use hash() ) -function sha256($bytes) +function magicsig_sha256($bytes) { return hash('sha256', $bytes); } -- cgit v1.2.3-54-g00ecf From 55f27feb78a8ae5c6a829623f89bf3f89016aa08 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Sat, 27 Feb 2010 15:03:17 -0500 Subject: Plugin to restrict too many registrations from one IP We throttle registrations by IP. We record IP address of each registration, and if too many registrations have been done by the same IP address in the time interval, we reject the registration. --- .../RegisterThrottle/RegisterThrottlePlugin.php | 249 +++++++++++++++++++++ plugins/RegisterThrottle/Registration_ip.php | 124 ++++++++++ 2 files changed, 373 insertions(+) create mode 100644 plugins/RegisterThrottle/RegisterThrottlePlugin.php create mode 100644 plugins/RegisterThrottle/Registration_ip.php (limited to 'plugins') diff --git a/plugins/RegisterThrottle/RegisterThrottlePlugin.php b/plugins/RegisterThrottle/RegisterThrottlePlugin.php new file mode 100644 index 000000000..05709b780 --- /dev/null +++ b/plugins/RegisterThrottle/RegisterThrottlePlugin.php @@ -0,0 +1,249 @@ +. + * + * @category Spam + * @package StatusNet + * @author Evan Prodromou + * @copyright 2010 StatusNet, Inc. + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 + * @link http://status.net/ + */ + +if (!defined('STATUSNET')) { + exit(1); +} + +/** + * Throttle registration by IP address + * + * We a) record IP address of registrants and b) throttle registrations. + * + * @category Spam + * @package StatusNet + * @author Evan Prodromou + * @copyright 2010 StatusNet, Inc. + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 + * @link http://status.net/ + */ + +class RegisterThrottlePlugin extends Plugin +{ + /** + * Array of time spans in seconds to limits. + * + * Default is 3 registrations per hour, 5 per day, 10 per week. + */ + + public $regLimits = array(604800 => 10, // per week + 86400 => 5, // per day + 3600 => 3); // per hour + + /** + * Database schema setup + * + * We store user registrations in a table registration_ip. + * + * @return boolean hook value; true means continue processing, false means stop. + */ + + function onCheckSchema() + { + $schema = Schema::get(); + + // For storing user-submitted flags on profiles + + $schema->ensureTable('registration_ip', + array(new ColumnDef('user_id', 'integer', null, + false, 'PRI'), + new ColumnDef('ipaddress', 'varchar', 15, false, 'MUL'), + new ColumnDef('created', 'timestamp', null, false, 'MUL'))); + + return true; + } + + /** + * Load related modules when needed + * + * @param string $cls Name of the class to be loaded + * + * @return boolean hook value; true means continue processing, false means stop. + */ + + function onAutoload($cls) + { + $dir = dirname(__FILE__); + + switch ($cls) + { + case 'Registration_ip': + include_once $dir . '/'.$cls.'.php'; + return false; + default: + return true; + } + } + + /** + * Called when someone tries to register. + * + * We check the IP here to determine if it goes over any of our + * configured limits. + * + * @param Action $action Action that is being executed + * + * @return boolean hook value + * + */ + + function onStartRegistrationTry($action) + { + $ipaddress = $this->_getIpAddress(); + + if (empty($ipaddress)) { + throw new ServerException(_m('Cannot find IP address.')); + } + + foreach ($this->regLimits as $seconds => $limit) { + + $this->debug("Checking $seconds ($limit)"); + + $reg = $this->_getNthReg($ipaddress, $limit); + + if (!empty($reg)) { + $this->debug("Got a {$limit}th registration."); + $regtime = strtotime($reg->created); + $now = time(); + $this->debug("Comparing {$regtime} to {$now}"); + if ($now - $regtime < $seconds) { + throw new Exception(_("Too many registrations. Take a break and try again later.")); + } + } + } + + return true; + } + + /** + * Called after someone registers. + * + * We record the successful registration and IP address. + * + * @param Action $action Action that is being executed + * + * @return boolean hook value + * + */ + + function onEndRegistrationTry($action) + { + $ipaddress = $this->_getIpAddress(); + + if (empty($ipaddress)) { + throw new ServerException(_m('Cannot find IP address.')); + } + + $user = common_current_user(); + + if (empty($user)) { + throw new ServerException(_m('Cannot find user after successful registration.')); + } + + $reg = new Registration_ip(); + + $reg->user_id = $user->id; + $reg->ipaddress = $ipaddress; + + $result = $reg->insert(); + + if (!$result) { + common_log_db_error($reg, 'INSERT', __FILE__); + // @todo throw an exception? + } + + return true; + } + + /** + * Check the version of the plugin. + * + * @param array &$versions Version array. + * + * @return boolean hook value + */ + + function onPluginVersion(&$versions) + { + $versions[] = array('name' => 'RegisterThrottle', + 'version' => STATUSNET_VERSION, + 'author' => 'Evan Prodromou', + 'homepage' => 'http://status.net/wiki/Plugin:RegisterThrottle', + 'description' => + _m('Throttles excessive registration from a single IP.')); + return true; + } + + /** + * Gets the current IP address. + * + * @return string IP address or null if not found. + */ + + private function _getIpAddress() + { + $keys = array('HTTP_X_FORWARDED_FOR', + 'CLIENT-IP', + 'REMOTE_ADDR'); + + foreach ($keys as $k) { + if (!empty($_SERVER[$k])) { + return $_SERVER[$k]; + } + } + + return null; + } + + /** + * Gets the Nth registration with the given IP address. + * + * @param string $ipaddress Address to key on + * @param integer $n Nth address + * + * @return Registration_ip nth registration or null if not found. + */ + + private function _getNthReg($ipaddress, $n) + { + $reg = new Registration_ip(); + + $reg->ipaddress = $ipaddress; + + $reg->orderBy('created DESC'); + $reg->limit($n - 1, 1); + + if ($reg->find(true)) { + return $reg; + } else { + return null; + } + } +} diff --git a/plugins/RegisterThrottle/Registration_ip.php b/plugins/RegisterThrottle/Registration_ip.php new file mode 100644 index 000000000..7e61d089e --- /dev/null +++ b/plugins/RegisterThrottle/Registration_ip.php @@ -0,0 +1,124 @@ + + * @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3 + * @link http://status.net/ + * + * StatusNet - the distributed open-source microblogging tool + * Copyright (C) 2010, StatusNet, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +if (!defined('STATUSNET')) { + exit(1); +} + +require_once INSTALLDIR . '/classes/Memcached_DataObject.php'; + +/** + * Data class for storing IP addresses of new registrants. + * + * @category Spam + * @package StatusNet + * @author Evan Prodromou + * @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3 + * @link http://status.net/ + */ + +class Registration_ip extends Memcached_DataObject +{ + public $__table = 'registration_ip'; // table name + public $user_id; // int(4) primary_key not_null + public $ipaddress; // varchar(15) + public $created; // timestamp + + /** + * Get an instance by key + * + * @param string $k Key to use to lookup (usually 'user_id' for this class) + * @param mixed $v Value to lookup + * + * @return User_greeting_count object found, or null for no hits + * + */ + + function staticGet($k, $v=null) + { + return Memcached_DataObject::staticGet('Registration_ip', $k, $v); + } + + /** + * return table definition for DB_DataObject + * + * @return array array of column definitions + */ + + function table() + { + return array('user_id' => DB_DATAOBJECT_INT + DB_DATAOBJECT_NOTNULL, + 'ipaddress' => DB_DATAOBJECT_STR + DB_DATAOBJECT_NOTNULL, + 'created' => DB_DATAOBJECT_MYSQLTIMESTAMP + DB_DATAOBJECT_NOTNULL); + } + + /** + * return key definitions for DB_DataObject + * + * DB_DataObject needs to know about keys that the table has; this function + * defines them. + * + * @return array key definitions + */ + + function keys() + { + return array('user_id' => 'K'); + } + + /** + * return key definitions for Memcached_DataObject + * + * Our caching system uses the same key definitions, but uses a different + * method to get them. + * + * @return array key definitions + */ + + function keyTypes() + { + return $this->keys(); + } + + /** + * Magic formula for non-autoincrementing integer primary keys + * + * If a table has a single integer column as its primary key, DB_DataObject + * assumes that the column is auto-incrementing and makes a sequence table + * to do this incrementation. Since we don't need this for our class, we + * overload this method and return the magic formula that DB_DataObject needs. + * + * @return array magic three-false array that stops auto-incrementing. + */ + + function sequenceKey() + { + return array(false, false, false); + } +} -- cgit v1.2.3-54-g00ecf