/**

* @file ssu.cpp

* @copyright 2012 Jolla Ltd.

* @author Bernd Wachter <bernd.wachter@jollamobile.com>

* @date 2012

*/

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

#include <QUrlQuery>

#endif

#include <getdef.h>

#include <pwd.h>

#include "ssucoreconfig.h"

#include "ssurepomanager.h"

#include "../constants.h"

// dirty hack to make sure we can write to the configuration

// this is currently required since there's no global gconf,

// and we migth not yet have users on bootstrap

QFileInfo settingsInfo(SSU_CONFIGURATION);

if (settingsInfo.groupId() != SSU_GROUP_ID ||

!settingsInfo.permission(QFile::WriteGroup)){

QProcess proc;

proc.start("/usr/bin/ssuconfperm");

proc.waitForFinished();

}

#ifdef TARGET_ARCH

if (!settings->contains("arch"))

settings->setValue("arch", TARGET_ARCH);

#else

// FIXME, try to guess a matching architecture

#warning "TARGET_ARCH not defined"

#endif

settings->sync();

manager = new QNetworkAccessManager(this);

connect(manager, SIGNAL(finished(QNetworkReply *)),

SLOT(requestFinished(QNetworkReply *)));

}

// FIXME, the whole credentials stuff needs reworking

// should probably be part of repo handling instead of core configuration

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->credentials(scope);

}

QString Ssu::credentialsScope(QString repoName, bool rndRepo){

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->credentialsScope(repoName, rndRepo);

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->credentialsUrl(scope);

}

bool Ssu::error(){

return errorFlag;

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->flavour();

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->deviceMode();

}

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->isRegistered();

}

QDateTime Ssu::lastCredentialsUpdate(){

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->lastCredentialsUpdate();

}

QString Ssu::release(bool rnd){

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->release(rnd);

}

void Ssu::setDeviceMode(int mode, int editMode){

SsuCoreConfig *settings = SsuCoreConfig::instance();

settings->setDeviceMode(mode, editMode);

}

void Ssu::setFlavour(QString flavour){

SsuCoreConfig *settings = SsuCoreConfig::instance();

settings->setFlavour(flavour);

}

void Ssu::setRelease(QString release, bool rnd){

SsuCoreConfig *settings = SsuCoreConfig::instance();

settings->setRelease(release, rnd);

}

void Ssu::setDomain(QString domain){

SsuCoreConfig *settings = SsuCoreConfig::instance();

}

bool Ssu::useSslVerify(){

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->useSslVerify();

}

//...

QString Ssu::lastError(){

return errorString;

}

bool Ssu::registerDevice(QDomDocument *response){

QString certificateString = response->elementsByTagName("certificate").at(0).toElement().text();

if (certificate.isNull()){

// make sure device is in unregistered state on failed registration

settings->setValue("registered", false);

setError("Certificate is invalid");

return false;

} else

settings->setValue("certificate", certificate.toPem());

QString privateKeyString = response->elementsByTagName("privateKey").at(0).toElement().text();

if (privateKey.isNull()){

settings->setValue("registered", false);

setError("Private key is invalid");

return false;

} else

settings->setValue("privateKey", privateKey.toPem());

// oldUser is just for reference purposes, in case we want to notify

// about owner changes for the device

QString oldUser = response->elementsByTagName("user").at(0).toElement().text();

// if we came that far everything required for device registration is done

settings->setValue("registered", true);

settings->sync();

emit registrationStatusChanged();

return true;

}

// RND repos have flavour (devel, testing, release), and release (latest, next)

// Release repos only have release (latest, next, version number)

QString Ssu::repoUrl(QString repoName, bool rndRepo,

QHash<QString, QString> repoParameters,

QHash<QString, QString> parametersOverride){

SsuRepoManager manager;

return manager.url(repoName, rndRepo, repoParameters, parametersOverride);

}

void Ssu::requestFinished(QNetworkReply *reply){

QSslConfiguration sslConfiguration = reply->sslConfiguration();

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

ssuLog->print(LOG_DEBUG, QString("Certificate used was issued for '%1' by '%2'. Complete chain:")

.arg(sslConfiguration.peerCertificate().subjectInfo(QSslCertificate::CommonName).join(""))

.arg(sslConfiguration.peerCertificate().issuerInfo(QSslCertificate::CommonName).join("")));

foreach (const QSslCertificate cert, sslConfiguration.peerCertificateChain()){

ssuLog->print(LOG_DEBUG, QString("-> %1").arg(cert.subjectInfo(QSslCertificate::CommonName).join("")));

}

#else

.arg(sslConfiguration.peerCertificate().subjectInfo(QSslCertificate::CommonName))

.arg(sslConfiguration.peerCertificate().issuerInfo(QSslCertificate::CommonName)));

foreach (const QSslCertificate cert, sslConfiguration.peerCertificateChain()){

// what sucks more, this or goto?

do {

if (settings->contains("home-url")){

QString homeUrl = settings->value("home-url").toString().arg("");

homeUrl.remove(QRegExp("//+$"));

QNetworkRequest request = reply->request();

if (request.url().toString().startsWith(homeUrl, Qt::CaseInsensitive)){

// we don't care about errors on download request

if (reply->error() > 0) break;

QByteArray data = reply->readAll();

storeAuthorizedKeys(data);

break;

}

}

if (reply->error() > 0){

pendingRequests--;

setError(reply->errorString());

} else {

QByteArray data = reply->readAll();

qDebug() << "RequestOutput" << data;

QDomDocument doc;

QString xmlError;

if (!doc.setContent(data, &xmlError)){

pendingRequests--;

setError(tr("Unable to parse server response (%1)").arg(xmlError));

return;

}

if (action == "register"){

if (!registerDevice(&doc)) break;

} else if (action == "credentials"){

if (!setCredentials(&doc)) break;

} else {

pendingRequests--;

setError(tr("Response to unknown action encountered: %1").arg(action));

return;

}

emit done();

}

errorFlag = false;

QString ssuCaCertificate, ssuRegisterUrl;

// Username can include also domain, (user@domain), separate those

if (usernameDomain.contains('@')) {

// separate domain/username and set domain

username = usernameDomain.section('@', 0, 0);

domainName = usernameDomain.section('@', 1, 1);

setDomain(domainName);

} else {

// No domain defined

username = usernameDomain;

}

ssuCaCertificate = SsuRepoManager::caCertificatePath();

if (ssuCaCertificate.isEmpty()){

setError("CA certificate for SSU not set ('_ca-certificate in domain')");

if (!settings->contains("register-url")){

ssuRegisterUrl = repoUrl("register-url");

if (ssuRegisterUrl.isEmpty()){

setError("URL for SSU registration not set (config key 'register-url')");

return;

}

} else

ssuRegisterUrl = settings->value("register-url").toString();

if (IMEI == ""){

setError("No valid UID available for your device. For phones: is your modem online?");

return;

}

QSslConfiguration sslConfiguration;

if (!useSslVerify())

sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);

sslConfiguration.setCaCertificates(QSslCertificate::fromPath(ssuCaCertificate));

QNetworkRequest request;

request.setUrl(QUrl(QString(ssuRegisterUrl)

.arg(IMEI)

));

request.setSslConfiguration(sslConfiguration);

request.setRawHeader("Authorization", "Basic " +

QByteArray(QString("%1:%2")

.arg(username).arg(password)

request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");

QUrl form;

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

QUrlQuery q;

q.addQueryItem("protocolVersion", SSU_PROTOCOL_VERSION);

q.addQueryItem("deviceModel", deviceInfo.deviceModel());

if (!domain().isEmpty()){

q.addQueryItem("domain", domain());

}

form.setQuery(q);

#else

if (!domain().isEmpty()){

form.addQueryItem("domain", domain());

}

qDebug() << "Sending request to " << request.url();

QNetworkReply *reply;

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

reply = manager->post(request, form.query(QUrl::FullyEncoded).toStdString().c_str());

#else

QString homeUrl = settings->value("home-url").toString().arg(username);

if (!homeUrl.isEmpty()){

// clear header, the other request bits are reusable

request.setHeader(QNetworkRequest::ContentTypeHeader, 0);

request.setUrl(homeUrl + "/authorized_keys");

pendingRequests++;

manager->get(request);

}

}

bool Ssu::setCredentials(QDomDocument *response){

// generate list with all scopes for generic section, add sections

QDomNodeList credentialsList = response->elementsByTagName("credentials");

QStringList credentialScopes;

for (int i=0;i<credentialsList.size();i++){

QDomNode node = credentialsList.at(i);

QString scope;

QDomNamedNodeMap attributes = node.attributes();

if (attributes.contains("scope")){

scope = attributes.namedItem("scope").toAttr().value();

} else {

setError(tr("Credentials element does not have scope"));

return false;

}

if (node.hasChildNodes()){

QDomElement username = node.firstChildElement("username");

QDomElement password = node.firstChildElement("password");

if (username.isNull() || password.isNull()){

setError(tr("Username and/or password not set"));

return false;

} else {

settings->beginGroup("credentials-" + scope);

settings->setValue("username", username.text());

settings->setValue("password", password.text());

settings->endGroup();

settings->sync();

credentialScopes.append(scope);

}

} else {

setError("");

return false;

}

}

settings->setValue("credentialScopes", credentialScopes);

settings->setValue("lastCredentialsUpdate", QDateTime::currentDateTime());

settings->sync();

emit credentialsChanged();

return true;

}

void Ssu::setError(QString errorMessage){

errorFlag = true;

errorString = errorMessage;

SsuLog *ssuLog = SsuLog::instance();

emit done();

}

void Ssu::storeAuthorizedKeys(QByteArray data){

QDir dir;

int uid_min = getdef_num("UID_MIN", -1);

QString homePath;

if (getuid() >= uid_min){

homePath = dir.homePath();

} else if (getuid() == 0){

// place authorized_keys in the default users home when run with uid0

struct passwd *pw = getpwuid(uid_min);

if (pw == NULL){

ssuLog->print(LOG_DEBUG, QString("Unable to find password entry for uid %1")

.arg(uid_min));

return;

}

//homePath = QString(pw->pw_dir);

homePath = pw->pw_dir;

// use users uid/gid for creating the directories and files

setegid(pw->pw_gid);

seteuid(uid_min);

ssuLog->print(LOG_DEBUG, QString("Dropping to %1/%2 for writing authorized keys")

.arg(uid_min)

.arg(pw->pw_gid));

} else

return;

if (dir.exists(homePath + "/.ssh/authorized_keys")){

ssuLog->print(LOG_DEBUG, QString(".ssh/authorized_keys already exists in %1")

.arg(homePath));

return;

}

if (!dir.exists(homePath + "/.ssh"))

if (!dir.mkdir(homePath + "/.ssh")){

ssuLog->print(LOG_DEBUG, QString("Unable to create .ssh in %1")

.arg(homePath));

return;

}

QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);

authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate);

authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner);

QTextStream out(&authorizedKeys);

out << data;

out.flush();

authorizedKeys.close();

if (getuid() == 0){

seteuid(0);

setegid(0);

}

}

errorFlag = false;

SsuLog *ssuLog = SsuLog::instance();

setError("No valid UID available for your device. For phones: is your modem online?");

return;

}

ssuCaCertificate = SsuRepoManager::caCertificatePath();

if (ssuCaCertificate.isEmpty()){

setError("CA certificate for SSU not set ('_ca-certificate in domain')");

if (!settings->contains("credentials-url")){

ssuCredentialsUrl = repoUrl("credentials-url");

if (ssuCredentialsUrl.isEmpty()){

setError("URL for credentials update not set (config key 'credentials-url')");

return;

}

} else

ssuCredentialsUrl = settings->value("credentials-url").toString();

if (!isRegistered()){

setError("Device is not registered.");

return;

}

if (!force){

QDateTime now = QDateTime::currentDateTime();

if (settings->contains("lastCredentialsUpdate")){

QDateTime last = settings->value("lastCredentialsUpdate").toDateTime();

emit done();

return;

}

}

}

// check when the last update was, decide if an update is required

QSslConfiguration sslConfiguration;

if (!useSslVerify())

sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);

QSslKey privateKey(settings->value("privateKey").toByteArray(), QSsl::Rsa);

QSslCertificate certificate(settings->value("certificate").toByteArray());

QList<QSslCertificate> caCertificates;

caCertificates << QSslCertificate::fromPath(ssuCaCertificate);

sslConfiguration.setCaCertificates(caCertificates);

sslConfiguration.setPrivateKey(privateKey);

sslConfiguration.setLocalCertificate(certificate);

QNetworkRequest request;

request.setSslConfiguration(sslConfiguration);

pendingRequests++;

manager->get(request);

}

void Ssu::unregister(){

settings->setValue("privateKey", "");

settings->setValue("certificate", "");

settings->setValue("registered", false);

emit registrationStatusChanged();

}

bool Ssu::verifyResponse(QDomDocument *response){

QString action = response->elementsByTagName("action").at(0).toElement().text();

QString deviceId = response->elementsByTagName("deviceId").at(0).toElement().text();

QString protocolVersion = response->elementsByTagName("protocolVersion").at(0).toElement().text();

// compare device ids

if (protocolVersion != SSU_PROTOCOL_VERSION){

setError(

tr("Response has unsupported protocol version %1, client requires version %2")

.arg(protocolVersion)

.arg(SSU_PROTOCOL_VERSION)

);

return false;

}

return true;

}