MDL-18183 mnet: Option to verify peer and host of MNet peer using HTTPS

admin/mnet/peer_forms.php

@@ -94,6 +94,15 @@ function definition() {
         $mform->setType('wwwroot', PARAM_URL);
         $mform->addRule('wwwroot', get_string('maximumchars', '', 255), 'maxlength', 255, 'client');
 
+        $options = array(
+            mnet_peer::SSL_NONE => get_string('none'),
+            mnet_peer::SSL_HOST => get_string('verifyhostonly', 'core_mnet'),
+            mnet_peer::SSL_HOST_AND_PEER => get_string('verifyhostandpeer', 'core_mnet')
+        );
+        $mform->addElement('select', 'sslverification', get_string('sslverification', 'core_mnet'), $options);
+        $mform->setDefault('sslverification', mnet_peer::SSL_HOST_AND_PEER);
+        $mform->addHelpButton('sslverification', 'sslverification', 'core_mnet');
+
         $themes = array('' => get_string('forceno'));
         foreach (array_keys(core_component::get_plugin_list('theme')) as $themename) {
             $themes[$themename] = get_string('pluginname', 'theme_'.$themename);

admin/mnet/peers.php

@@ -172,6 +172,7 @@
     $mnet_peer->public_key          = $formdata->public_key;
     $credentials                    = $mnet_peer->check_credentials($mnet_peer->public_key);
     $mnet_peer->public_key_expires  = $credentials['validTo_time_t'];
+    $mnet_peer->sslverification     = $formdata->sslverification;
 
     if ($mnet_peer->commit()) {
         redirect(new moodle_url('/admin/mnet/peers.php', array('hostid' => $mnet_peer->id)), get_string('changessaved'));

admin/mnet/testclient.php

@@ -66,12 +66,19 @@
 
     $mnet_request->set_method('system/listServices');
     $mnet_request->send($mnet_peer);
+
     $services = $mnet_request->response;
     $yesno = array('No', 'Yes');
     $servicenames = array();
 
     echo $OUTPUT->heading(get_string('servicesavailableonhost', 'mnet', $host->wwwroot));
 
+    if (!empty($mnet_request->error)) {
+        echo $OUTPUT->heading(get_string('error'), 3);
+        echo html_writer::alist($mnet_request->error);
+        $services = array();
+    }
+
     $table = new html_table();
     $table->head = array(
         get_string('serviceid', 'mnet'),
@@ -127,6 +134,7 @@
     echo html_writer::table($table);
 
 
+    $mnet_request = new mnet_xmlrpc_client();
     $mnet_request->set_method('system/listMethods');
     if (isset($servicename) && array_key_exists($servicename, $serviceinfo)) {
         echo $OUTPUT->heading(get_string('methodsavailableonhostinservice', 'mnet', (object)array('host' => $host->wwwroot, 'service' => $servicename)));
@@ -139,6 +147,11 @@
     $mnet_request->send($mnet_peer);
     $methods = $mnet_request->response;
 
+    if (!empty($mnet_request->error)) {
+        echo $OUTPUT->heading(get_string('error'), 3);
+        echo html_writer::alist($mnet_request->error);
+        $methods = array();
+    }
 
     $table = new html_table();
     $table->head = array(
@@ -171,6 +184,12 @@
 
         echo $OUTPUT->heading(get_string('methodsignature', 'mnet', $method));
 
+        if (!empty($mnet_request->error)) {
+            echo $OUTPUT->heading(get_string('error'), 3);
+            echo html_writer::alist($mnet_request->error);
+            $signature = array();
+        }
+
         $table = new html_table();
         $table->head = array(
             get_string('position', 'mnet'),

lang/en/mnet.php

@@ -216,6 +216,12 @@
 $string['showremote'] = 'Show remote users';
 $string['ssl_acl_allow'] = 'SSO ACL: Allow user \'{$a->user}\' from \'{$a->host}\'';
 $string['ssl_acl_deny'] = 'SSO ACL: Deny user \'{$a->user}\' from \'{$a->host}\'';
+$string['sslverification'] = 'SSL verification';
+$string['sslverification_help'] = 'This option allows you to configure the level of security when connecting to a peer using HTTPS.
+
+* None: no level of security
+* Verify host only: validates the domain of the SSL certificate
+* Verify host and peer (recommended): validates the domain and issuer of the SSL certificate';
 $string['ssoaccesscontrol'] = 'SSO access control';
 $string['ssoacldescr'] = 'Use this page to grant/deny access to specific users from remote MNet hosts. This is functional when you are offering SSO services to remote users. To control your <em>local</em> users\' ability to roam to other MNet hosts, use the roles system to grant them the <em>mnetlogintoremote</em> capability.';
 $string['ssoaclneeds'] = 'For this functionality to work, you must have Networking on, plus the MNet authentication plugin enabled.';
@@ -244,6 +250,8 @@
 $string['usernotfullysetup'] = 'Your user account is incomplete.  You need to go <a href="{$a}">back to your provider</a> and ensure your profile is completed there.  You may need to log out and in again for this to take effect.';
 $string['usersareonline'] = 'Warning: {$a} users from that server are currently logged on to your site.';
 $string['validated_by'] = 'It is validated by the network: <code>{$a}</code>';
+$string['verifyhostandpeer'] = 'Verify host and peer';
+$string['verifyhostonly'] = 'Verify host only';
 $string['verifysignature-error'] = 'The signature verification failed. An error has occurred.';
 $string['verifysignature-invalid'] = 'The signature verification failed. It appears that this payload was not signed by you.';
 $string['version'] = 'Version';

lib/db/install.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
-<XMLDB PATH="lib/db" VERSION="20141017" COMMENT="XMLDB file for core Moodle tables"
+<XMLDB PATH="lib/db" VERSION="20141117" COMMENT="XMLDB file for core Moodle tables"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="../../lib/xmldb/xmldb.xsd"
 >
@@ -1442,6 +1442,7 @@
         <FIELD NAME="force_theme" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="0" SEQUENCE="false"/>
         <FIELD NAME="theme" TYPE="char" LENGTH="100" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="applicationid" TYPE="int" LENGTH="10" NOTNULL="true" DEFAULT="1" SEQUENCE="false"/>
+        <FIELD NAME="sslverification" TYPE="int" LENGTH="1" NOTNULL="true" DEFAULT="0" SEQUENCE="false"/>
       </FIELDS>
       <KEYS>
         <KEY NAME="primary" TYPE="primary" FIELDS="id" COMMENT="primary key of the mnet_host table"/>
@@ -3081,4 +3082,4 @@
       </KEYS>
     </TABLE>
   </TABLES>
-</XMLDB>
+</XMLDB>

lib/db/upgrade.php

@@ -4058,5 +4058,21 @@ function xmldb_main_upgrade($oldversion) {
     // Moodle v2.8.0 release upgrade line.
     // Put any upgrade step following this.
 
+    if ($oldversion < 2014112001.00) {
+
+        // Define field sslverification to be added to mnet_host.
+        $table = new xmldb_table('mnet_host');
+        $field = new xmldb_field('sslverification', XMLDB_TYPE_INTEGER, '1', null, XMLDB_NOTNULL, null, '0', 'applicationid');
+
+        // Conditionally launch add field sslverification.
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        // Main savepoint reached.
+        upgrade_main_savepoint(true, 2014112001.00);
+    }
+
+
     return true;
 }

mnet/peer.php

@@ -12,6 +12,15 @@
 
 class mnet_peer {
 
+    /** No SSL verification. */
+    const SSL_NONE = 0;
+
+    /** SSL verification for host. */
+    const SSL_HOST = 1;
+
+    /** SSL verification for host and peer. */
+    const SSL_HOST_AND_PEER = 2;
+
     var $id                 = 0;
     var $wwwroot            = '';
     var $ip_address         = '';
@@ -27,6 +36,9 @@ class mnet_peer {
     var $error              = array();
     var $bootstrapped       = false; // set when the object is populated
 
+    /** @var int $sslverification The level of SSL verification to apply. */
+    public $sslverification = self::SSL_HOST_AND_PEER;
+
     function mnet_peer() {
         return true;
     }
@@ -192,6 +204,7 @@ function commit() {
         $obj->force_theme           = $this->force_theme;
         $obj->theme                 = $this->theme;
         $obj->applicationid         = $this->applicationid;
+        $obj->sslverification       = $this->sslverification;
 
         if (isset($this->id) && $this->id > 0) {
             $obj->id = $this->id;
@@ -286,6 +299,7 @@ function populate($hostinfo) {
         $this->force_theme          = $hostinfo->force_theme;
         $this->theme                = $hostinfo->theme;
         $this->applicationid        = $hostinfo->applicationid;
+        $this->sslverification      = $hostinfo->sslverification;
         $this->application = $DB->get_record('mnet_application', array('id'=>$this->applicationid));
         $this->bootstrapped = true;
     }

mnet/xmlrpc/client.php

@@ -368,8 +368,17 @@ function prepare_http_request ($mnet_peer) {
         curl_setopt($httprequest, CURLOPT_POST, true);
         curl_setopt($httprequest, CURLOPT_USERAGENT, 'Moodle');
         curl_setopt($httprequest, CURLOPT_HTTPHEADER, array("Content-Type: text/xml charset=UTF-8"));
-        curl_setopt($httprequest, CURLOPT_SSL_VERIFYPEER, false);
-        curl_setopt($httprequest, CURLOPT_SSL_VERIFYHOST, 0);
+
+        $verifyhost = 0;
+        $verifypeer = false;
+        if ($mnet_peer->sslverification == mnet_peer::SSL_HOST_AND_PEER) {
+            $verifyhost = 2;
+            $verifypeer = true;
+        } else if ($mnet_peer->sslverification == mnet_peer::SSL_HOST) {
+            $verifyhost = 2;
+        }
+        curl_setopt($httprequest, CURLOPT_SSL_VERIFYHOST, $verifyhost);
+        curl_setopt($httprequest, CURLOPT_SSL_VERIFYPEER, $verifypeer);
         return $httprequest;
     }
 }

version.php

@@ -29,7 +29,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$version  = 2014112000.00;              // YYYYMMDD      = weekly release date of this DEV branch.
+$version  = 2014112001.00;              // YYYYMMDD      = weekly release date of this DEV branch.
                                         //         RR    = release increments - 00 in DEV branches.
                                         //           .XX = incremental changes.