The mnet_environment->keypair array contains the following
elements (and more, just focussing on these):
- keypair_PEM : textual representation of the private key.
- certificate : textual representation of the public key.
- privatekey : OpenSSLAsymmetricKey representation of the private key,
generated from keypair_PEM. See get_private_key().
- publickey : OpenSSLAsymmetricKey representation if the public key,
generated from certificate. See get_public_key().
The last 2 elements in the array are only used as "caching", to avoid
having to call to openssl_pkey_get_private() and
openssl_pkey_get_public() to convert from the textual representation
to the OpenSSLAsymmetricKey representation that is the one required
by a number of openssl functions.
Problems arrive when, as part of the MNet protocol, the mnet_environment
is serialised, because, since PHP 8.0 those OpenSSLAsymmetricKey objects
aren't serialisable any more.
So, as far as they are only used for internal caching it's perfectly ok
to remove the caching bits and use the openssl_pkey_get_xxx() methods
to calculate them under demand.
The alternative to this would be to implement into the mnet_environment
some custom serialisation, skipping those OpenSSLAsymmetricKey
instances, using __sleep(), the Serializabla interface or __serialize(),
but that seems unnecessary because, as explained above, the uses are
really limited and easily replaceable.
That's what this patch does.
Since php80 the 5th parameter (cypher) in the following functions:
- openssl_seal
- openssl_open
is mandatory, hence:
- adding it.
- with value 'RC4' to keep BC.
So we are putting them under a standard PHP_MAJOR_VERSION < 8 condition.
Also, added TODO comments to remember to delete that block of code when
php80 becomes the minimum required versions in the future (Moodle 4.3?).
When possible, an issue has been created upstream, else a comment in
readme_moodle files has been added.
Finally, when the keys being freed were class or object attributes, also
nullify them (but when the calls were part of destructor methods).
This patch adds the missing 'escaping' option to all remaining
xmlrpc_encode_request() calls in the moodle core code.
Without this, the xmlrpc_decode_request() call on the server side may
lead to wrongly decoded non-ascii characters.
Using core_text::substr instead of substr for trimming certificate
data. Is needed for sites with long unicode sitename to prevent
breaking line between unicode pair.
The patch highlights the undelete radio selector at the host edit form.
It moves it to the end of the form (near the submit button) and displays
an explanation above the radio selector.
Also, the list of deleted hosts is now displayed below the table of
active peers at the Manage peers page.
The data returned by mnet_get_hosts() function now contain the deleted
status, too. It is possible to obtain deleted hosts from that function
now.
The 'confirmed' field can't be optional. If the identity provider did
not export it, the new remote user would be created with 'confirmed' set
to default zero and as such could be a subject of scheduled deletion.
- The way that mnet rpc functions are registered. Plugins must now
create db/mnet.php which is an array, similar to services.php. This
*replaces* the old mnet_publishes() functions. version.php must be
bumped to trigger this.
- More information about each rpc-available function is stored in the
database, including the class it belongs to, the file it is found in,
and whether or not it is static. Methods that are not static must be
in a class with a constructor that takes no arguments (this can easily
be achieved with a small wrapper if necessary)
- The xmlrpc dispatcher has been rewritten to remove all the
dependencies on hardcoded information about auth,mnet,portfolio and
repository, and just use the information in the database.
- The old hardcoded hidden mnet/testclient.php has been moved to the
Admin menu under "Development" and rewritten.
- The xmlrpc introspection method profiling is now using php and zend
reflection - which is a lot nicer than the old way, which was using a
php-based php parser. This fixes some inconsistent handling of
methods without arguments that were advertising their return value as
the only method parameter. While this is a *fix*, it breaks BC
slightly - the old 1.9 broken mnet/testclient.php will now not work
properly with 2.0
- Dangerous mode is still supported, but old mod/*/rpclib.php is
now unsupported, due to the fact that any plugin can export mnet
functions with db/mnet.php. This is a slight BC break.
Still TODO:
- TEST TEST TEST
- Document the two small BC breaks in release notes
- Document the contract for db/mnet.php
* Allow multiple roles to be allocated by identity provider
* Allow existing enrolment plugins to manage mnet enrolments
Author: Peter Bulmer <peter.bulmer@catalyst.net.nz>
Where Moodle sites had a path in their wwwroot, the MNET function that
forced remote users to go via their identity provider (to make sure they
were logged in) previously directed the user back to a URL like
contentprovider.com/moodle/moodle/mod/forum/view.php?f=7 where there
should only be one /moodle in the middle of the URL.
