1:   2:   3:   4:   5:   6:   7:   8:   9:  10:  11:  12:  13:  14:  15:  16:  17:  18:  19:  20:  21:  22:  23:  24:  25:  26:  27:  28:  29:  30:  31:  32:  33:  34:  35:  36:  37:  38:  39:  40:  41:  42:  43:  44:  45:  46:  47:  48:  49:  50:  51:  52:  53:  54:  55:  56:  57:  58:  59:  60:  61:  62:  63:  64:  65:  66:  67:  68:  69:  70:  71:  72:  73:  74:  75:  76:  77:  78:  79:  80:  81:  82:  83:  84:  85:  86:  87:  88:  89:  90:  91:  92:  93:  94:  95:  96:  97:  98:  99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 347: 348: 349: 350: 351: 352: 353: 354: 355: 356: 357: 358: 359: 360: 361: 362: 363: 364: 365: 366: 367: 368: 369: 370: 371: 372: 373: 374: 375: 376: 377: 378: 379: 380: 381: 382: 383: 384: 385: 386: 387: 388: 389: 390: 391: 392: 393: 394: 395: 396: 397: 398: 399: 400: 401: 402: 403: 404: 405: 406: 407: 408: 409: 410: 411: 412: 413: 414: 415: 416: 417: 418: 419: 420: 421: 422: 423: 
<?php
    declare(strict_types=1);
    /**
     *  +------------------------------------------------------------+
     *  | apnscp                                                     |
     *  +------------------------------------------------------------+
     *  | Copyright (c) Apis Networks                                |
     *  +------------------------------------------------------------+
     *  | Licensed under Artistic License 2.0                        |
     *  +------------------------------------------------------------+
     *  | Author: Matt Saladna (msaladna@apisnetworks.com)           |
     *  +------------------------------------------------------------+
     */

    use Module\Support\Auth;
    use Opcenter\Filesystem\Quota;

    /**
     * Provides site administrator-specific functionality
     *
     * @package core
     *
     */
    class Site_Module extends Auth
        implements Opcenter\Contracts\Hookable
    {
        use ImpersonableTrait;
        const MIN_STORAGE_AMNESTY = QUOTA_STORAGE_WAIT;

        // time in seconds between amnesty requests
        const AMNESTY_DURATION = QUOTA_STORAGE_DURATION;
        // 24 hours
        const AMNESTY_MULTIPLIER = QUOTA_STORAGE_BOOST;
        const DEPENDENCY_MAP = [];

        protected $exportedFunctions = [
            '*'               => PRIVILEGE_SITE,
            'get_admin_email' => PRIVILEGE_SITE | PRIVILEGE_USER,
            'ip_address'      => PRIVILEGE_SITE | PRIVILEGE_USER,
            'split_hostname'  => PRIVILEGE_SITE | PRIVILEGE_USER
        ];

        /**
         * bool user_service_enabled(string, string)
         *
         * @param string $mUser username
         * @param string $mSrvc service name, possible values are ssh proftpd and imap
         * @return bool
         */
        public function user_service_enabled(string $user, string $service): bool
        {
            $svc_cache = $this->user_svc_cache;
            $svc_file = $this->domain_fs_path() . '/etc/' . $service . '.pamlist';
            $site = $this->site_id;

            if (!file_exists($svc_file)) {
                return error("Invalid service name `%s'", $service);
            }

            /** check local cache */
            if (!isset($svc_cache[$site]) ||
                filemtime($svc_file) > $svc_cache[$site]['mtime']
            ) {
                $fp = fopen($svc_file, 'r');
                $contents = fread($fp, filesize($svc_file));
                foreach (explode("\n", $contents) as $line) {
                    $svc_cache[$site]['users'][trim($line)][$service] = 1;
                }

                fclose($fp);
                $svc_cache[$site]['mtime'] = filemtime($svc_file);
            }

            return isset($svc_cache[$site]['users'][$user][$service]);

        }

        /**
         *  array get_bandwidth_usage(string)
         *
         * @privilege PRIVILEGE_SITE
         * @param int $type type of bandwidth usage to retrieve
         * @return array|bool indexes begin, rollover, and threshold
         */
        public function get_bandwidth_usage(int $type = null)
        {
            deprecated_func("Use bandwidth_usage()");

            return $this->bandwidth_usage($type);
        }

        /**
         * Retrieve day on which banwidth rolls over to 0
         *
         * @return int
         */
        public function get_bandwidth_rollover(): int
        {
            deprecated_func("Use bandwidth_rollover");

            return $this->bandwidth_rollover();
        }

        // }}}

        /**
         * bool set_admin_email(string email)
         *
         * @privilege PRIVILEGE_SITE
         * @return bool true on success, false on failure
         * @param string $email e-mail address to update the record to
         *                      Backend PostgreSQL operation to update it in the db
         */
        public function set_admin_email(string $email): bool
        {
            if (!preg_match(Regex::EMAIL, $email)) {
                return error("Invalid e-mail address, " . $email);
            }
            $oldemail = $this->getConfig('siteinfo', 'email');
            $pgdb = \PostgreSQL::initialize();
            $pgdb->query("UPDATE siteinfo SET email = '" . $email . "' WHERE site_id = '" . $this->site_id . "';");
            // no need to trigger a costly account config rebuild
            $this->setConfig('siteinfo', 'email', $email);

            $ret = $pgdb->affected_rows() > 0;
            if (!$ret) {
                return false;
            }
            parent::sendNotice('email', [
                'email' => $oldemail,
                'ip'    => \Auth::client_ip()
            ]);

            return true;
        }

        /**
         * Get admin email
         *
         * @return string
         */
        public function get_admin_email(): string
        {
            return $this->getConfig('siteinfo', 'email');
        }


        /* }}} */

        // {{{ ip_address()

        /**
         * Get IP address attached to account
         *
         * @return string
         */
        public function ip_address(): string
        {
            $addr = $this->common_get_ip_address();

            return is_array($addr) ? array_pop($addr) : $addr;
        }

        // }}}

        /**
         * Get quota for an account
         *
         * qused: disk quota used in KB
         * qsoft: disk quota soft limit in KB
         * qhard: disk quota hard limit in KB
         * fused: files used
         * fsoft: files soft limit
         * fhard: files hard limit
         *
         * @return array
         *@see User_Module::get_quota()
         */
        public function get_account_quota(): array
        {
            if (!IS_CLI) {
                return $this->query('site_get_account_quota');
            }
            return Quota::getGroup($this->group_id);
        }

        /**
         * Get port range allocated to account
         *
         * @deprecated see ssh_port_range()
         * @return array
         */
        public function get_port_range(): array
        {
            deprecated_func('Use ssh_port_range()');
            return $this->ssh_port_range();
        }

        /**
         * Wipe an account, reinitializing it to its pristine state
         *
         * @param string $token confirmation token
         * @return bool|string wipe status or confirmation token
         */
        public function wipe($token = '')
        {
            $token = strtolower((string)$token);
            $calctoken = $this->_calculateToken();
            if (!$token) {
                // allow wiping via AJAX, Account > Settings
                if (defined('AJAX') && AJAX) {
                    return $calctoken;
                }
                $msg = "This is the most nuclear of options. " .
                    "Respond with the following token `%s' to confirm";

                return warn($msg, $calctoken);
            }

            if ($token !== $calctoken) {
                $msg = "provided token `%s' does not match confirmation token `%s'";

                return error($msg, $token, $calctoken);
            }

            if (!IS_CLI) {
                return $this->query('site_wipe', $token);
            }
            if (!Crm_Module::COPY_ADMIN) {
                return error("Admin reminder address not setup - disallowing account reset");
            }
            $editor = new Util_Account_Editor($this->getAuthContext()->getAccount());
            // assemble domain creation cmd from current config
            $editor->importConfig();
            $afi = $this->getApnscpFunctionInterceptor();
            $modules = $afi->list_all_modules();
            foreach ($modules as $m) {
                $c = $afi->get_class_from_module($m);
                $class = $c::instantiateContexted($this->getAuthContext());
                $class->_reset($editor);
            }
            $addcmd = $editor->setMode('add')->getCommand();
            // send a copy of the command in case the account gets wiped and
            // never comes back from the dead
            Mail::send(Crm_Module::COPY_ADMIN, "Account Wipe", $addcmd);
            $delproc = new Util_Account_Editor($this->getAuthContext()->getAccount());
            if (!$delproc->delete()) {
                return false;
            }
            $proc = new Util_Process_Schedule('now');
            $ret = $proc->run($addcmd);

            return $ret['success'];
        }

        /**
         * Token confirmation to delete site
         *
         * @return string
         */
        private function _calculateToken(): string
        {

            $inode = fileinode($this->domain_info_path());
            $hash = hash('crc32', (string)$inode);

            return $hash;
        }

        /**
         * Request a temporary bump to account storage
         *
         * @see MIN_STORAGE_AMNESTY
         * @return bool
         */
        public function storage_amnesty(): bool
        {
            if (!IS_CLI) {
                return $this->query('site_storage_amnesty');
            }

            $last = $this->getServiceValue('diskquota', 'amnesty');
            $now = coalesce($_SERVER['REQUEST_TIME'], time());
            if (self::MIN_STORAGE_AMNESTY > ($now - $last)) {
                $aday = self::MIN_STORAGE_AMNESTY / 86400;

                return error("storage amnesty may be requested once every %d days, %d days remaining",
                    $aday,
                    $aday - ceil(($now - $last) / 86400)
                );
            }

            $storage = $this->getServiceValue('diskquota', 'quota');
            $newstorage = $storage * self::AMNESTY_MULTIPLIER;
            $acct = new Util_Account_Editor($this->getAuthContext()->getAccount(), $this->getAuthContext());
            $acct->setConfig('diskquota', 'quota', $newstorage)->
            setConfig('diskquota', 'amnesty', $now);
            $ret = $acct->edit();
            if ($ret !== true) {
                Error_Reporter::report(var_export($ret, true));

                return error("failed to set amnesty on account");
            }
            $acct->setConfig('diskquota', 'quota', $storage);
            $cmd = $acct->getCommand();
            $proc = new Util_Process_Schedule('+' . self::AMNESTY_DURATION . ' seconds');
            $ret = $proc->run($cmd);
            $msg = sprintf("Domain: %s\r\nSite: %d\r\nServer: %s", $this->domain, $this->site_id, SERVER_NAME_SHORT);
            Mail::send(Crm_Module::COPY_ADMIN, "Amnesty Request", $msg);

            return $ret['success'];
        }

        /**
         * Account is under amnesty
         *
         * @return bool
         */
        public function amnesty_active(): bool
        {
            $time = isset($_SERVER['REQUEST_TIME']) ? $_SERVER['REQUEST_TIME'] : time();
            $amnesty = $this->getServiceValue('diskquota', 'amnesty');
            if (!$amnesty) {
                return false;
            }
            return ($time - $amnesty) <= self::AMNESTY_DURATION;
        }

        /**
         * Assume the role of a secondary user
         *
         * @param string $user username or domain if parentage supported
         * @return string
         */
        public function hijack(string $user): string
        {
            if ($this->user_exists($user)) {
                if ($user === $this->username) {
                    return $this->session_id;
                }

                return $this->impersonateRole($this->site, $user);
            }

            if (AUTH_SUBORDINATE_SITE_SSO && ($invoice = $this->getServiceValue('billing', 'invoice'))
                && ($siteid = \Auth::get_site_id_from_anything($user)))
            {
                // permit SSO if config.ini permits, billing,invoice is set, and target site
                // is within invoice cluster
                $site = "site${siteid}";
                $map = \Opcenter\Map::load(Opcenter\Service\Validators\Billing\Invoice::MAP_FILE, 'rd');
                $parentage = preg_split('/\s*,\s*/', (string)$map->fetch($invoice), -1, PREG_SPLIT_NO_EMPTY);
                if (\in_array($site, $parentage, true)) {
                    return $this->impersonateRole($site);
                }
            }

            error("unknown user `%s'", $user);

            return $this->session_id;
        }

        public function _create()
        {
            $conf = $this->getServiceValue('siteinfo');
            $db = \Opcenter\Map::load(\Opcenter\Map::DOMAIN_MAP, 'wd');
            if (!$db->exists($conf['domain'])) {
                // @TODO remove once Opcenter is done
                $db->set($conf['domain'], $this->site);
            }
            $db->close();
        }

        public function _delete()
        {
            $db = \Opcenter\Map::load(\Opcenter\Map::DOMAIN_MAP, 'wd');
            $domain = array_get($this->getAuthContext()->conf('siteinfo'), 'domain', []);
            $db->delete($domain);
            $db->close();
        }

        public function _edit()
        {
            $new = $this->getAuthContext()->conf('siteinfo', 'new');
            $old = $this->getAuthContext()->conf('siteinfo', 'old');
            if ($new['domain'] === $old['domain']) {
                return;
            }
            // domain rename
            $db = \Opcenter\Map::load(\Opcenter\Map::DOMAIN_MAP, 'wd');
            $db->delete($old['domain']);
            $db->insert($new['domain'], $this->site);
            $db->close();
        }

        /**
         * Configuration verification
         *
         * @param \Opcenter\Service\ConfigurationContext $ctx
         * @return bool
         */
        public function _verify_conf(\Opcenter\Service\ConfigurationContext $ctx): bool
        {
            return true;
        }

        public function _edit_user(string $userold, string $usernew, array $oldpwd)
        {
            if ($usernew === $userold) {
                return;
            }
        }

        public function _create_user(string $user)
        {
        }

        public function _delete_user(string $user)
        {
        }


    }