/**

* @file ssu.cpp

* @copyright 2012 Jolla Ltd.

* @author Bernd Wachter <bernd.wachter@jollamobile.com>

* @date 2012

*/

#include <QDBusConnection>

#include <QDBusMessage>

#include <QDBusPendingReply>

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

#include <QUrlQuery>

#endif

#include <getdef.h>

#include <pwd.h>

#include <sys/types.h>

#include <unistd.h>

#include "ssulog_p.h"

#include "ssuvariables_p.h"

#include "ssucoreconfig_p.h"

#include "../constants.h"

#define SSU_NETWORK_REQUEST_DOMAIN_DATA (static_cast<QNetworkRequest::Attribute>(QNetworkRequest::User + 1))

static void restoreUid(){

if (getuid() == 0){

seteuid(0);

setegid(0);

}

}

// dirty hack to make sure we can write to the configuration

// this is currently required since there's no global gconf,

// and we migth not yet have users on bootstrap

QFileInfo settingsInfo(SSU_CONFIGURATION);

if (settingsInfo.groupId() != SSU_GROUP_ID ||

!settingsInfo.permission(QFile::WriteGroup)){

QProcess proc;

proc.start("/usr/bin/ssuconfperm");

proc.waitForFinished();

}

#ifdef TARGET_ARCH

if (!settings->contains("arch"))

settings->setValue("arch", TARGET_ARCH);

#else

// FIXME, try to guess a matching architecture

#warning "TARGET_ARCH not defined"

#endif

settings->sync();

manager = new QNetworkAccessManager(this);

connect(manager, SIGNAL(finished(QNetworkReply *)),

SLOT(requestFinished(QNetworkReply *)));

}

// FIXME, the whole credentials stuff needs reworking

// should probably be part of repo handling instead of core configuration

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->credentials(scope);

}

QString Ssu::credentialsScope(QString repoName, bool rndRepo){

// hardcoded magic for doing special privileges store repositories

if (repoName == "store" || repoName.startsWith("store-c-"))

return "store";

// check if some repos are marked for using store-credentials

// in current domain, checking first for rnd/release specific

// settings, and if not found in generic settings

QString storeAuthReposKey = QString("store-auth-repos-%1")

.arg(rndRepo ? "rnd" : "release");

QStringList storeAuthRepos =

SsuVariables::variable(&repoSettings,

domain() + "-domain",

storeAuthReposKey).toStringList();

if (storeAuthRepos.empty())

storeAuthRepos =

SsuVariables::variable(&repoSettings,

domain() + "-domain",

"store-auth-repos").toStringList();

if (storeAuthRepos.contains(repoName))

return "store";

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->credentialsUrl(scope);

}

bool Ssu::error(){

return errorFlag;

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->flavour();

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->deviceMode();

}

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->isRegistered();

}

QDateTime Ssu::lastCredentialsUpdate(){

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->lastCredentialsUpdate();

}

QString Ssu::release(bool rnd){

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->release(rnd);

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

settings->setDeviceMode(mode, editMode);

}

void Ssu::setFlavour(QString flavour){

SsuCoreConfig *settings = SsuCoreConfig::instance();

settings->setFlavour(flavour);

}

void Ssu::setRelease(QString release, bool rnd){

SsuCoreConfig *settings = SsuCoreConfig::instance();

settings->setRelease(release, rnd);

}

void Ssu::setDomain(QString domain){

SsuCoreConfig *settings = SsuCoreConfig::instance();

}

bool Ssu::useSslVerify(){

SsuCoreConfig *settings = SsuCoreConfig::instance();

return settings->useSslVerify();

}

//...

QString Ssu::lastError(){

return errorString;

}

bool Ssu::registerDevice(QDomDocument *response){

QString certificateString = response->elementsByTagName("certificate").at(0).toElement().text();

if (certificate.isNull()){

// make sure device is in unregistered state on failed registration

settings->setValue("registered", false);

setError("Certificate is invalid");

return false;

} else

settings->setValue("certificate", certificate.toPem());

QString privateKeyString = response->elementsByTagName("privateKey").at(0).toElement().text();

if (privateKey.isNull()){

settings->setValue("registered", false);

setError("Private key is invalid");

return false;

} else

settings->setValue("privateKey", privateKey.toPem());

// oldUser is just for reference purposes, in case we want to notify

// about owner changes for the device

QString oldUser = response->elementsByTagName("user").at(0).toElement().text();

// if we came that far everything required for device registration is done

settings->setValue("registered", true);

settings->sync();

if (!settings->isWritable()){

setError("Configuration is not writable, device registration failed.");

return false;

}

emit registrationStatusChanged();

return true;

}

// RND repos have flavour (devel, testing, release), and release (latest, next)

// Release repos only have release (latest, next, version number)

QString Ssu::repoUrl(QString repoName, bool rndRepo,

QHash<QString, QString> repoParameters,

QHash<QString, QString> parametersOverride){

SsuRepoManager manager;

return manager.url(repoName, rndRepo, repoParameters, parametersOverride);

}

void Ssu::requestFinished(QNetworkReply *reply){

QSslConfiguration sslConfiguration = reply->sslConfiguration();

QNetworkRequest request = reply->request();

QVariant originalDomainVariant = request.attribute(SSU_NETWORK_REQUEST_DOMAIN_DATA);

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

ssuLog->print(LOG_DEBUG, QString("Certificate used was issued for '%1' by '%2'. Complete chain:")

.arg(sslConfiguration.peerCertificate().subjectInfo(QSslCertificate::CommonName).join(""))

.arg(sslConfiguration.peerCertificate().issuerInfo(QSslCertificate::CommonName).join("")));

foreach (const QSslCertificate cert, sslConfiguration.peerCertificateChain()){

ssuLog->print(LOG_DEBUG, QString("-> %1").arg(cert.subjectInfo(QSslCertificate::CommonName).join("")));

}

#else

.arg(sslConfiguration.peerCertificate().subjectInfo(QSslCertificate::CommonName))

.arg(sslConfiguration.peerCertificate().issuerInfo(QSslCertificate::CommonName)));

foreach (const QSslCertificate cert, sslConfiguration.peerCertificateChain()){

pendingRequests--;

QString action;

QByteArray data;

QDomDocument doc;

QString xmlError;

if (settings->contains("home-url")){

QString homeUrl = settings->value("home-url").toString().arg("");

homeUrl.remove(QRegExp("//+$"));

if (request.url().toString().startsWith(homeUrl, Qt::CaseInsensitive)){

// we don't care about errors on download request

if (reply->error() == 0) {

QByteArray data = reply->readAll();

storeAuthorizedKeys(data);

goto success;

if (reply->error() > 0){

setError(reply->errorString());

goto failure;

}

data = reply->readAll();

ssuLog->print(LOG_DEBUG, QString("RequestOutput %1")

.arg(data.data()));

if (!doc.setContent(data, &xmlError)){

setError(tr("Unable to parse server response (%1)").arg(xmlError));

goto failure;

}

action = doc.elementsByTagName("action").at(0).toElement().text();

if (!verifyResponse(&doc)) {

goto failure;

}

ssuLog->print(LOG_DEBUG, QString("Handling request of type %1")

.arg(action));

if (action == "register") {

if (registerDevice(&doc)) {

goto success;

}

} else if (action == "credentials") {

if (setCredentials(&doc)) {

goto success;

} else {

setError(tr("Response to unknown action encountered: %1").arg(action));

}

failure:

// Restore the original domain in case of failures with the registration

if (!originalDomainVariant.isNull()) {

QString originalDomain = originalDomainVariant.toString();

ssuLog->print(LOG_DEBUG, QString("Restoring domain on error: '%1'").arg(originalDomain));

setDomain(originalDomain);

}

// Fall through to cleanup handling in success from failure label

success:

}

errorFlag = false;

QString ssuCaCertificate, ssuRegisterUrl;

QNetworkRequest request;

request.setAttribute(SSU_NETWORK_REQUEST_DOMAIN_DATA, domain());

ssuLog->print(LOG_DEBUG, QString("Saving current domain before request: '%1'").arg(domain()));

// Username can include also domain, (user@domain), separate those

if (usernameDomain.contains('@')) {

// separate domain/username and set domain

username = usernameDomain.section('@', 0, 0);

domainName = usernameDomain.section('@', 1, 1);

setDomain(domainName);

} else {

// No domain defined

username = usernameDomain;

if (settings->contains("default-rnd-domain"))

setDomain(settings->value("default-rnd-domain").toString());

}

ssuCaCertificate = SsuRepoManager::caCertificatePath();

if (ssuCaCertificate.isEmpty()){

if (!settings->contains("register-url")){

ssuRegisterUrl = repoUrl("register-url");

if (ssuRegisterUrl.isEmpty()){

return;

}

} else

ssuRegisterUrl = settings->value("register-url").toString();

if (IMEI == ""){

setError("No valid UID available for your device. For phones: is your modem online?");

return;

}

QSslConfiguration sslConfiguration;

if (!useSslVerify())

sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);

sslConfiguration.setCaCertificates(QSslCertificate::fromPath(ssuCaCertificate));

request.setUrl(QUrl(QString(ssuRegisterUrl)

.arg(IMEI)

));

request.setSslConfiguration(sslConfiguration);

request.setRawHeader("Authorization", "Basic " +

QByteArray(QString("%1:%2")

.arg(username).arg(password)

request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");

QUrl form;

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

QUrlQuery q;

q.addQueryItem("protocolVersion", SSU_PROTOCOL_VERSION);

q.addQueryItem("deviceModel", deviceInfo.deviceModel());

if (!domain().isEmpty()){

q.addQueryItem("domain", domain());

}

form.setQuery(q);

#else

if (!domain().isEmpty()){

form.addQueryItem("domain", domain());

}

ssuLog->print(LOG_DEBUG, QString("Sending request to %1")

.arg(request.url().url()));

QNetworkReply *reply;

#if QT_VERSION >= QT_VERSION_CHECK(5, 0, 0)

reply = manager->post(request, form.query(QUrl::FullyEncoded).toStdString().c_str());

#else

QString homeUrl = settings->value("home-url").toString().arg(username);

if (!homeUrl.isEmpty()){

// clear header, the other request bits are reusable

request.setHeader(QNetworkRequest::ContentTypeHeader, 0);

request.setUrl(homeUrl + "/authorized_keys");

pendingRequests++;

manager->get(request);

}

}

bool Ssu::setCredentials(QDomDocument *response){

// generate list with all scopes for generic section, add sections

QDomNodeList credentialsList = response->elementsByTagName("credentials");

QStringList credentialScopes;

for (int i=0;i<credentialsList.size();i++){

QDomNode node = credentialsList.at(i);

QString scope;

QDomNamedNodeMap attributes = node.attributes();

if (attributes.contains("scope")){

scope = attributes.namedItem("scope").toAttr().value();

} else {

setError(tr("Credentials element does not have scope"));

return false;

}

if (node.hasChildNodes()){

QDomElement username = node.firstChildElement("username");

QDomElement password = node.firstChildElement("password");

if (username.isNull() || password.isNull()){

setError(tr("Username and/or password not set"));

return false;

} else {

settings->beginGroup("credentials-" + scope);

settings->setValue("username", username.text());

settings->setValue("password", password.text());

settings->endGroup();

settings->sync();

credentialScopes.append(scope);

}

} else {

setError("");

return false;

}

}

settings->setValue("credentialScopes", credentialScopes);

settings->setValue("lastCredentialsUpdate", QDateTime::currentDateTime());

settings->sync();

emit credentialsChanged();

return true;

}

void Ssu::setError(QString errorMessage){

errorFlag = true;

errorString = errorMessage;

SsuLog *ssuLog = SsuLog::instance();

emit done();

}

void Ssu::storeAuthorizedKeys(QByteArray data){

QDir dir;

int uid_min = getdef_num("UID_MIN", -1);

QString homePath;

if (getuid() >= uid_min){

homePath = dir.homePath();

} else if (getuid() == 0){

// place authorized_keys in the default users home when run with uid0

struct passwd *pw = getpwuid(uid_min);

if (pw == NULL){

ssuLog->print(LOG_DEBUG, QString("Unable to find password entry for uid %1")

.arg(uid_min));

return;

}

//homePath = QString(pw->pw_dir);

homePath = pw->pw_dir;

// use users uid/gid for creating the directories and files

setegid(pw->pw_gid);

seteuid(uid_min);

ssuLog->print(LOG_DEBUG, QString("Dropping to %1/%2 for writing authorized keys")

.arg(uid_min)

.arg(pw->pw_gid));

} else

return;

homePath = Sandbox::map(homePath);

if (dir.exists(homePath + "/.ssh/authorized_keys")){

ssuLog->print(LOG_DEBUG, QString(".ssh/authorized_keys already exists in %1")

.arg(homePath));

return;

}

if (!dir.exists(homePath + "/.ssh"))

if (!dir.mkdir(homePath + "/.ssh")){

ssuLog->print(LOG_DEBUG, QString("Unable to create .ssh in %1")

.arg(homePath));

return;

}

QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);

authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate);

authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner);

QTextStream out(&authorizedKeys);

out << data;

out.flush();

authorizedKeys.close();

}

errorFlag = false;

SsuLog *ssuLog = SsuLog::instance();

setError("No valid UID available for your device. For phones: is your modem online?");

return;

}

ssuCaCertificate = SsuRepoManager::caCertificatePath();

if (ssuCaCertificate.isEmpty()){

if (!settings->contains("credentials-url")){

ssuCredentialsUrl = repoUrl("credentials-url");

if (ssuCredentialsUrl.isEmpty()){

setError("URL for credentials update not set (config key 'credentials-url')");

return;

}

} else

ssuCredentialsUrl = settings->value("credentials-url").toString();

if (!isRegistered()){

setError("Device is not registered.");

return;

}

if (!force){

QDateTime now = QDateTime::currentDateTime();

if (settings->contains("lastCredentialsUpdate")){

QDateTime last = settings->value("lastCredentialsUpdate").toDateTime();

emit done();

return;

}

}

}

// check when the last update was, decide if an update is required

QSslConfiguration sslConfiguration;

if (!useSslVerify())

sslConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);

QSslKey privateKey(settings->value("privateKey").toByteArray(), QSsl::Rsa);

QSslCertificate certificate(settings->value("certificate").toByteArray());

QList<QSslCertificate> caCertificates;

caCertificates << QSslCertificate::fromPath(ssuCaCertificate);

sslConfiguration.setCaCertificates(caCertificates);

sslConfiguration.setPrivateKey(privateKey);

sslConfiguration.setLocalCertificate(certificate);

QNetworkRequest request;

request.setSslConfiguration(sslConfiguration);

pendingRequests++;

manager->get(request);

}

SsuCoreConfig *settings = SsuCoreConfig::instance();

SsuLog *ssuLog = SsuLog::instance();

QDBusMessage message = QDBusMessage::createMethodCall("com.jolla.jollastore",

"/StoreClient",

"com.jolla.jollastore",

"storeCredentials");

reply.waitForFinished();

if (reply.isError()) {

if (settings->value("ignore-credential-errors").toBool() == true){

ssuLog->print(LOG_WARNING, QString("Warning: ignore-credential-errors is set, passing auth errors down to libzypp"));

ssuLog->print(LOG_WARNING, QString("Store credentials not received. %1").arg(reply.error().message()));

} else

setError(QString("Store credentials not received. %1").arg(reply.error().message()));

} else {

SsuCoreConfig *settings = SsuCoreConfig::instance();

settings->beginGroup("credentials-store");

settings->setValue("username", reply.argumentAt<0>());

settings->setValue("password", reply.argumentAt<1>());

settings->endGroup();

settings->sync();

}

void Ssu::unregister(){