feat(m2m): m2m authentication with HTTP backend

btry · btry · commit 9c6f00edb97f · 2018-05-20T09:46:44.000+02:00
Signed-off-by: Thierry Bugier &lt;tbugier@teclib.com&gt;
diff --git a/front/mosquitto-authenticate.php b/front/mosquitto-authenticate.php
@@ -0,0 +1,44 @@
+<?php
+/**
+ * LICENSE
+ *
+ * Copyright © 2016-2018 Teclib'
+ * Copyright © 2010-2018 by the FusionInventory Development Team.
+ *
+ * This file is part of Flyve MDM Plugin for GLPI.
+ *
+ * Flyve MDM Plugin for GLPI is a subproject of Flyve MDM. Flyve MDM is a mobile
+ * device management software.
+ *
+ * Flyve MDM Plugin for GLPI is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * Flyve MDM Plugin for GLPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Flyve MDM Plugin for GLPI. If not, see http://www.gnu.org/licenses/.
+ * ------------------------------------------------------------------------------
+ * @author    Thierry Bugier
+ * @copyright Copyright © 2018 Teclib
+ * @license   AGPLv3+ http://www.gnu.org/licenses/agpl.txt
+ * @link      https://github.com/flyve-mdm/glpi-plugin
+ * @link      https://flyve-mdm.com/
+ * ------------------------------------------------------------------------------
+ */
+
+ // Workaround CSRF checks
+$postData = $_POST;
+unset($_POST);
+include '../../../inc/includes.php';
+$plugin = new Plugin();
+if (!$plugin->isActivated('flyvemdm')) {
+   http_response_code(404);
+}
+$_POST = $postData;
+$flyvemdmM2mApi = new PluginFlyvemdmMosquittoAuth();
+$answer = $flyvemdmM2mApi->authenticate($_POST);
+
+http_response_code($answer);
diff --git a/inc/m2mauthinterface.class.php b/inc/m2mauthinterface.class.php
@@ -0,0 +1,46 @@
+<?php
+/**
+ * LICENSE
+ *
+ * Copyright © 2016-2018 Teclib'
+ * Copyright © 2010-2018 by the FusionInventory Development Team.
+ *
+ * This file is part of Flyve MDM Plugin for GLPI.
+ *
+ * Flyve MDM Plugin for GLPI is a subproject of Flyve MDM. Flyve MDM is a mobile
+ * device management software.
+ *
+ * Flyve MDM Plugin for GLPI is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * Flyve MDM Plugin for GLPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Flyve MDM Plugin for GLPI. If not, see http://www.gnu.org/licenses/.
+ * ------------------------------------------------------------------------------
+ * @author    Thierry Bugier
+ * @copyright Copyright © 2018 Teclib
+ * @license   AGPLv3+ http://www.gnu.org/licenses/agpl.txt
+ * @link      https://github.com/flyve-mdm/glpi-plugin
+ * @link      https://flyve-mdm.com/
+ * ------------------------------------------------------------------------------
+ */
+
+if (!defined('GLPI_ROOT')) {
+   die("Sorry. You can't access this file directly");
+}
+
+interface PluginFlyvemdmM2mAuthInterface {
+   /**
+    * Challenges an authentication attempt from Mosquitto
+    * @see https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/v3.7.5/README.md
+    *
+    * @param array $input POST data
+    *
+    * @return integer HTTP response code
+    */
+   public function authenticate($input);
+}
diff --git a/inc/mosquittoauth.class.php b/inc/mosquittoauth.class.php
@@ -0,0 +1,60 @@
+<?php
+/**
+ * LICENSE
+ *
+ * Copyright © 2016-2018 Teclib'
+ * Copyright © 2010-2018 by the FusionInventory Development Team.
+ *
+ * This file is part of Flyve MDM Plugin for GLPI.
+ *
+ * Flyve MDM Plugin for GLPI is a subproject of Flyve MDM. Flyve MDM is a mobile
+ * device management software.
+ *
+ * Flyve MDM Plugin for GLPI is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * Flyve MDM Plugin for GLPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Flyve MDM Plugin for GLPI. If not, see http://www.gnu.org/licenses/.
+ * ------------------------------------------------------------------------------
+ * @author    Thierry Bugier
+ * @copyright Copyright © 2018 Teclib
+ * @license   AGPLv3+ http://www.gnu.org/licenses/agpl.txt
+ * @link      https://github.com/flyve-mdm/glpi-plugin
+ * @link      https://flyve-mdm.com/
+ * ------------------------------------------------------------------------------
+ */
+
+if (!defined('GLPI_ROOT')) {
+   die("Sorry. You can't access this file directly");
+}
+
+class PluginFlyvemdmMosquittoAuth implements PluginFlyvemdmM2mAuthInterface {
+   public function authenticate($input) {
+      if (!isset($input['username']) || !isset($input['password'])) {
+         // No credentials or credentials incomplete
+         return 404;
+      }
+
+      $remoteIp = Toolbox::getRemoteIpAddress();
+      $config = Config::getConfigurationValues('flyvemdm', ['mqtt_broker_internal_address']);
+      if ($config['mqtt_broker_internal_address'] != $remoteIp) {
+         return 403;
+      }
+
+      $mqttUser = new PluginFlyvemdmMqttUser();
+      if (!$mqttUser->getByUser($input['username'])) {
+         return 404;
+      }
+      $input['password'] = Toolbox::stripslashes_deep($input['password']);
+      if ($mqttUser->comparePasswords($input['password'])) {
+         return 200;
+      }
+
+      return 404;
+   }
+}
diff --git a/inc/mqttuser.class.php b/inc/mqttuser.class.php
@@ -38,6 +38,13 @@
  */
 class PluginFlyvemdmMqttuser extends CommonDBTM {
 
+   private $pbdkf2Settings = [
+      'algorithm'  => 'sha256',
+      'iterations' => 901,
+      'saltSize'   => 12,
+      'keyLength'  => 48,
+   ];
+
    /**
     * @see CommonDBTM::prepareInputForAdd()
     */
@@ -112,34 +119,61 @@ public function post_updateItem($history = 1) {
       }
    }
 
+
    /**
     * Hash a password
     * @param string $clearPassword
     * @return string PBKDF2 hashed password
     */
-   protected function hashPassword($clearPassword) {
+   public function hashPassword($clearPassword) {
       // These parameters may be added to the function as a future improvement
-      $algorithm = 'sha256';
-      $saltSize = 12;
-      $keyLength = 24;
-      $salt = base64_encode(openssl_random_pseudo_bytes($saltSize));
-      $iterations = 901;
-      $rawOutput = true;
-
-      if ($rawOutput) {
-         $keyLength *= 2;
-      }
+      $algorithm = $this->pbdkf2Settings['algorithm'];
+      $keyLength = $this->pbdkf2Settings['keyLength'];
+      $salt = base64_encode(openssl_random_pseudo_bytes($this->pbdkf2Settings['saltSize']));
+      $iterations = $this->pbdkf2Settings['iterations'];
+
+      $hashed = hash_pbkdf2('sha256', $clearPassword, $salt, $iterations, $keyLength, true);
+
+      return implode(
+         '$',
+         [
+            'PBKDF2',
+            $algorithm,
+            $iterations,
+            $salt,
+            base64_encode($hashed)
+         ]
+      );
+   }
 
-      $hashed = hash_pbkdf2('sha256', $clearPassword, $salt, $iterations, $keyLength, $rawOutput);
+   /**
+    * Challenge a password against tha hashed password stored in database
+    *
+    * @param string $challenged
+    *
+    * @return boolean true if the password matches the hashed password
+    */
+   public function comparePasswords($challenged) {
+      if ($this->isNewItem()) {
+         return false;
+      }
 
-      return 'PBKDF2$' . $algorithm . '$' . $iterations . '$' . $salt . '$' . base64_encode($hashed);
+      $pbdkf2 = explode('$', $this->fields['password']);
+      $algorithm = $pbdkf2[1];
+      $salt = $pbdkf2[3];
+      $iterations = $pbdkf2[2];
+      $keyLength = strlen(base64_decode($pbdkf2[4]));
+      $hashed = hash_pbkdf2($algorithm, $challenged, $salt, $iterations, $keyLength, true);
+      return $hashed === base64_decode($pbdkf2[4]);
    }
 
    /**
-    * Generate a random password havind a determined set pf chars
-    * http://stackoverflow.com/a/31284266
+    * Generate a random password havind a determined set of chars
+    * @see http://stackoverflow.com/a/31284266
+    *
     * @param integer $length password length to generate
     * @param string $keyspace characters available to build the password
+    *
     * @return string
     * @throws Exception
     */
diff --git a/tests/suite-unit/PluginFlyvemdmMosquittoAuth.php b/tests/suite-unit/PluginFlyvemdmMosquittoAuth.php
@@ -0,0 +1,117 @@
+<?php
+/**
+ * LICENSE
+ *
+ * Copyright © 2016-2018 Teclib'
+ * Copyright © 2010-2018 by the FusionInventory Development Team.
+ *
+ * This file is part of Flyve MDM Plugin for GLPI.
+ *
+ * Flyve MDM Plugin for GLPI is a subproject of Flyve MDM. Flyve MDM is a mobile
+ * device management software.
+ *
+ * Flyve MDM Plugin for GLPI is free software: you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * Flyve MDM Plugin for GLPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Flyve MDM Plugin for GLPI. If not, see http://www.gnu.org/licenses/.
+ * ------------------------------------------------------------------------------
+ * @author    Domingo Oropeza
+ * @copyright Copyright © 2018 Teclib
+ * @license   AGPLv3+ http://www.gnu.org/licenses/agpl.txt
+ * @link      https://github.com/flyve-mdm/glpi-plugin
+ * @link      https://flyve-mdm.com/
+ * ------------------------------------------------------------------------------
+ */
+namespace tests\units;
+
+use Flyvemdm\Tests\CommonTestCase;
+
+class PluginFlyvemdmMosquittoAuth extends CommonTestCase {
+
+   private $mqttUser = null;
+
+   public function beforeTestMethod($method) {
+      switch ($method) {
+         case 'testAuthenticate':
+            $this->mqttUser = new \PluginFlyvemdmMqttUser();
+            $this->mqttUser->add([
+               'user'      => 'john',
+               'password'  => 'doe',
+            ]);
+            break;
+      }
+   }
+
+   public function afterTestMethod($method) {
+      switch ($method) {
+         case 'testAuthenticate':
+            $this->mqttUser->delete($this->mqttUser->fields, 1);
+            break;
+      }
+   }
+
+   public function providerAuthenticate() {
+      return [
+         [
+            'input' => [
+               'username' => 'foo',
+               'password' => 'bar',
+            ],
+            'repoteIp' => '127.0.0.1',
+            'expected' => [
+               'httpCode' => '404',
+            ]
+         ],
+         [
+            'input' => [
+               'username' => 'john',
+               'password' => 'doe',
+            ],
+            'repoteIp' => '127.0.0.1',
+            'expected' => [
+               'httpCode' => '200',
+            ]
+         ],
+         [
+            'input' => [
+               'username' => 'john',
+               'password' => 'bar',
+            ],
+            'repoteIp' => '127.0.0.1',
+            'expected' => [
+               'httpCode' => '404',
+            ]
+         ],
+         [
+            'input' => [
+               'username' => 'john',
+               'password' => 'doe',
+            ],
+            'repoteIp' => '10.0.0.1',
+            'expected' => [
+               'httpCode' => '403',
+            ]
+         ],
+      ];
+   }
+
+   /**
+    * @dataProvider providerAuthenticate
+    */
+   public function testAuthenticate($input, $remoteIp, $expected) {
+      $backupServer = $_SERVER;
+      $_SERVER['REMOTE_ADDR'] = $remoteIp;
+
+      $instance = new \PluginFlyvemdmMosquittoAuth();
+      $output = $instance->authenticate($input);
+      $this->integer((int) $output)->isEqualTo($expected['httpCode']);
+
+      $_SERVER = $backupServer;
+   }
+}
