Device_W8_10 - Code Metrics - Inspection of "Adding Hotspot 2.0 support to Windows 10 and fixin..." - GEANT/CAT - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 1fc2c0...45b4ae )

by Tomasz

created 2018-07-23 14:06 UTC

Device_W8_10 F

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	556
Duplicated Lines	0 %

Importance

Changes

Metric	Value
eloc	281
dl	0
loc	556
rs	2
c	0
b	0
f	0
wmc	81

21 Methods

Rating	Name	Size	Complexity
A	__construct()	12	1
A	tlsServerValidation()	14	3
A	addConsortia()	17	3
A	writeLANprofile()	24	2
A	tlsConfig()	24	2
F	writeInstaller()	58	14
A	msTtlsServerValidation()	14	3
A	glTtlsServerValidation()	17	2
A	peapConfig()	41	4
A	glTtlsConfig()	39	3
A	msTtlsConfig()	33	4
A	copyFiles()	19	5
A	peapServerValidation()	13	3
A	copyStandardNsi()	3	2
A	writeProfilesNSH()	21	5
A	eapConfigHeader()	13	1
A	pwdConfig()	2	1
B	prepareEapConfig()	33	9
A	setAuthorId()	11	3
A	writeWLANprofile()	51	4
B	writeMainNSH()	37	7

How to fix Complexity

<?php

/*
 * ******************************************************************************
 * Copyright 2011-2017 DANTE Ltd. and GÉANT on behalf of the GN3, GN3+, GN4-1
 * and GN4-2 consortia
 *
 * License: see the web/copyright.php file in the file structure
 * ******************************************************************************
 */

/**
 * This file creates MS Windows 8 installers
 * It supports EAP-TLS, TTLS, PEAP and EAP-pwd
 * @author Tomasz Wolniewicz <[email protected]>
 *
 * @package ModuleWriting
 */

namespace devices\ms;
use \Exception;

/**
 *
 * @author Tomasz Wolniewicz <[email protected]>
 * @package ModuleWriting
 */
 class Device_W8_10 extends WindowsCommon {
    final public function __construct() {
        parent::__construct();
        $this->setSupportedEapMethods(
                [
                    \core\common\EAP::EAPTYPE_TLS,
                    \core\common\EAP::EAPTYPE_PEAP_MSCHAP2,
                    \core\common\EAP::EAPTYPE_TTLS_PAP,
                    \core\common\EAP::EAPTYPE_TTLS_MSCHAP2,
                    \core\common\EAP::EAPTYPE_PWD,
                    \core\common\EAP::EAPTYPE_SILVERBULLET
                ]);
        $this->specialities['internal:use_anon_outer'][serialize(\core\common\EAP::EAPTYPE_PEAP_MSCHAP2)] = _("Anonymous identities do not use the realm as specified in the profile - it is derived from the suffix of the user's username input instead.");
    }
    public function writeInstaller() {
        $dom = textdomain(NULL);
        textdomain("devices");
        // create certificate files and save their names in $caFiles arrary
        $caFiles = $this->saveCertificateFiles('der');
        $this->caArray = $this->getAttibute('internal:CAs')[0];
        $this->useAnon = $this->attributes['internal:use_anon_outer'] [0] === NULL ? FALSE : TRUE;
        $this->servers = empty($this->attributes['eap:server_name']) ? '' :  implode(';', $this->attributes['eap:server_name']);
        $allSSID = $this->attributes['internal:SSID'];
        $delSSIDs = $this->attributes['internal:remove_SSID'];
        $this->prepareInstallerLang();
        $setWired = isset($this->attributes['media:wired'][0]) && $this->attributes['media:wired'][0] == 'on' ? 1 : 0;
//   create a list of profiles to be deleted after installation
        $delProfiles = [];
        foreach ($delSSIDs as $ssid => $cipher) {
            if ($cipher == 'DEL') {
                $delProfiles[] = $ssid;
            }
            if ($cipher == 'TKIP') {
                $delProfiles[] = $ssid . ' (TKIP)';
            }
        }
        $windowsProfile = [];
        $eapConfig = $this->prepareEapConfig();
        $iterator = 0;
        foreach ($allSSID as $ssid => $cipher) {
            if ($cipher == 'TKIP') {
                $windowsProfile[$iterator] = $this->writeWLANprofile($ssid . ' (TKIP)', $ssid, 'WPA', 'TKIP', $eapConfig, $iterator);
                $iterator++;
            }
            $windowsProfile[$iterator] = $this->writeWLANprofile($ssid, $ssid, 'WPA2', 'AES', $eapConfig, $iterator);
            $iterator++;
        }
        if (($this->device_id !== 'w8') && (count($this->attributes['internal:consortia']) > 0 )) {
            // this SSID name is later used in common.inc so if you decide to chage it here change it there as well
                $ssid = 'cat-passpoint-profile';
                $windowsProfile[$iterator] = $this->writeWLANprofile($ssid, $ssid, 'WPA2', 'AES', $eapConfig, $iterator, TRUE);
        }
        if ($setWired) {
            $this->writeLANprofile($eapConfig);
        }
        $this->loggerInstance->debug(4, "windowsProfile");
        $this->loggerInstance->debug(4, print_r($windowsProfile, true));

        $this->writeProfilesNSH($windowsProfile, $caFiles);
        $this->writeAdditionalDeletes($delProfiles);
        if ($this->selectedEap == \core\common\EAP::EAPTYPE_SILVERBULLET) {
            $this->writeClientP12File();
        }
        $this->copyFiles($this->selectedEap);
        $fedLogo = $this->attributes['fed:logo_file'] ?? NULL;
        $idpLogo = $this->attributes['internal:logo_file'] ?? NULL;
        $this->combineLogo($idpLogo, $fedLogo);
        $this->writeMainNSH($this->selectedEap, $this->attributes);
        $this->compileNSIS();
        $installerPath = $this->signInstaller();
        textdomain($dom);
        return($installerPath);
    }

    private function setAuthorId() {
        if ($this->selectedEap['OUTER'] === \core\common\EAP::TTLS) {
            if ($this->useGeantLink) {
                $authorId = "67532";
            } else {
                $authorId = "311";
            }
        } else {
            $authorId = 0;
        }
        return($authorId);
    }

    private function addConsortia() {
        if ($this->device_id == 'w8') {
            return('');
        }
        $retval = '<Hotspot2>';
        $retval .= '<DomainName>';
        if (empty($this->attributes['internal:realm'][0])) {
            $retval .= CONFIG_CONFASSISTANT['CONSORTIUM']['interworking-domainname-fallback'];
        } else {
            $retval .=  $this->attributes['internal:realm'][0];
        }
        $retval .= '</DomainName>';
        $retval .= '<RoamingConsortium><OUI>' . 
            implode('</OUI><OUI>', $this->attributes['internal:consortia']) .
            '</OUI></RoamingConsortium>';
        $retval .=  '</Hotspot2>';
        return($retval);
    }
    
    private function eapConfigHeader() {
        $authorId = $this->setAuthorId();
        $profileFileCont = '<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
';
        $profileFileCont .= '<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">' .
                $this->selectedEap["OUTER"] . '</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">' . $authorId . '</AuthorId>
</EapMethod>
';
        return($profileFileCont);
    }

    private function tlsServerValidation() {
        $profileFileCont = '
<eapTls:ServerValidation>
<eapTls:DisableUserPromptForServerValidation>true</eapTls:DisableUserPromptForServerValidation>
';
        $profileFileCont .= '<eapTls:ServerNames>' . $this->servers . '</eapTls:ServerNames>';
        foreach ($this->caArray as $certAuthority) {
            if ($certAuthority['root']) {
                $profileFileCont .= "<eapTls:TrustedRootCA>" . $certAuthority['sha1'] . "</eapTls:TrustedRootCA>\n";
            }
        }
        $profileFileCont .= '</eapTls:ServerValidation>
';
        return($profileFileCont);
    }
    
    private function msTtlsServerValidation() {
        $profileFileCont = '
        <ServerValidation>
';
        $profileFileCont .= '<ServerNames>' . $this->servers . '</ServerNames> ';
        foreach ($this->caArray as $certAuthority) {
            if ($certAuthority['root']) {
                $profileFileCont .= "<TrustedRootCAHash>" . chunk_split($certAuthority['sha1'], 2, ' ') . "</TrustedRootCAHash>\n";
            }
        }
        $profileFileCont .= '<DisablePrompt>true</DisablePrompt>
</ServerValidation>
';
        return($profileFileCont);
    }
    
    private function glTtlsServerValidation() {
        $servers = implode('</ServerName><ServerName>', $this->attributes['eap:server_name']);
        $profileFileCont = '
<ServerSideCredential>
';
        foreach ($this->caArray as $ca) {
            $profileFileCont .= '<CA><format>PEM</format><cert-data>';
            $profileFileCont .= base64_encode($ca['der']);
            $profileFileCont .= '</cert-data></CA>
';
        }
        $profileFileCont .= "<ServerName>$servers</ServerName>\n";

        $profileFileCont .= '
</ServerSideCredential>
';
        return($profileFileCont);
    }
    
    private function peapServerValidation() {
        $profileFileCont = '
        <ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames>' . $this->servers . '</ServerNames>';
        foreach ($this->caArray as $certAuthority) {
            if ($certAuthority['root']) {
                $profileFileCont .= "<TrustedRootCA>" . $certAuthority['sha1'] . "</TrustedRootCA>\n";
            }
        }
        $profileFileCont .= '</ServerValidation>
';
        return($profileFileCont);
    }
    
    private function tlsConfig() {
        $profileFileCont = '
<Config xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
  xmlns:eapTls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<baseEap:Eap>
<baseEap:Type>13</baseEap:Type>
<eapTls:EapType>
<eapTls:CredentialsSource>
<eapTls:CertificateStore />
</eapTls:CredentialsSource>
';    
        $profileFileCont .= $this->tlsServerValidation();
        if (\core\common\Entity::getAttributeValue($this->attributes, 'eap-specific:tls_use_other_id', 0) === 'on') {
            $profileFileCont .= '<eapTls:DifferentUsername>true</eapTls:DifferentUsername>';
            $this->tlsOtherUsername = 1;
        } else {
            $profileFileCont .= '<eapTls:DifferentUsername>false</eapTls:DifferentUsername>';
        }
        $profileFileCont .= '
</eapTls:EapType>
</baseEap:Eap>
</Config>
';
        return($profileFileCont);
    }

    private function msTtlsConfig() {        
        $profileFileCont = '<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
';
        $profileFileCont .= $this->msTtlsServerValidation();
        $profileFileCont .= '<Phase2Authentication>
';
        if ($this->selectedEap == \core\common\EAP::EAPTYPE_TTLS_PAP) {
            $profileFileCont .= '<PAPAuthentication /> ';
        }
        if ($this->selectedEap == \core\common\EAP::EAPTYPE_TTLS_MSCHAP2) {
            $profileFileCont .= '<MSCHAPv2Authentication>
<UseWinlogonCredentials>false</UseWinlogonCredentials>
</MSCHAPv2Authentication>
';
        }
        $profileFileCont .= '</Phase2Authentication>
<Phase1Identity>
';
        if ($this->useAnon) {
            $profileFileCont .= '<IdentityPrivacy>true</IdentityPrivacy>
';
            $profileFileCont .= '<AnonymousIdentity>' . $this->outerId . '</AnonymousIdentity>
                ';
        } else {
            $profileFileCont .= '<IdentityPrivacy>false</IdentityPrivacy>
';
        }
        $profileFileCont .= '</Phase1Identity>
</EapTtls>
</Config>
';
        return($profileFileCont);
    }
    
    private function glTtlsConfig() {        
        $profileFileCont = '
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EAPIdentityProviderList xmlns="urn:ietf:params:xml:ns:yang:ietf-eap-metadata">
<EAPIdentityProvider ID="' . $this->deviceUUID . '" namespace="urn:UUID">

<ProviderInfo>
<DisplayName>' . $this->translateString($this->attributes['general:instname'][0], $this->codePage) . '</DisplayName>
</ProviderInfo>
<AuthenticationMethods>
<AuthenticationMethod>
<EAPMethod>21</EAPMethod>
<ClientSideCredential>
<allow-save>true</allow-save>
';
        if ($this->useAnon) {
            if ($this->outerUser == '') {
                $profileFileCont .= '<AnonymousIdentity>@</AnonymousIdentity>';
            } else {
                $profileFileCont .= '<AnonymousIdentity>' . $this->outerId . '</AnonymousIdentity>';
            }
        }
        $profileFileCont .= '</ClientSideCredential>
';
        $profileFileCont .= $this->glTtlsServerValidation();
        $profileFileCont .= '
<InnerAuthenticationMethod>
<NonEAPAuthMethod>' . \core\common\EAP::eapDisplayName($this->selectedEap)['INNER'] . '</NonEAPAuthMethod>
</InnerAuthenticationMethod>
<VendorSpecific>
<SessionResumption>false</SessionResumption>
</VendorSpecific>
</AuthenticationMethod>
</AuthenticationMethods>
</EAPIdentityProvider>
</EAPIdentityProviderList>
</Config>
';
        return($profileFileCont);
    }

    private function peapConfig() {
        $nea = (\core\common\Entity::getAttributeValue($this->attributes, 'media:wired', 0) == 'on') ? 'true' : 'false';
        $profileFileCont = '<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
';
        $profileFileCont .= $this->peapServerValidation();
        $profileFileCont .= '
<FastReconnect>true</FastReconnect>
<InnerEapOptional>false</InnerEapOptional>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>26</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
<UseWinLogonCredentials>false</UseWinLogonCredentials>
</EapType>
</Eap>
<EnableQuarantineChecks>' . $nea . '</EnableQuarantineChecks>
<RequireCryptoBinding>false</RequireCryptoBinding>
';
        if ($this->useAnon) {
            $profileFileCont .= '<PeapExtensions>
<IdentityPrivacy xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
<EnableIdentityPrivacy>true</EnableIdentityPrivacy>
';
            if ($this->outerUser == '') {
                $profileFileCont .= '<AnonymousUserName/>
';
            } else {
                $profileFileCont .= '<AnonymousUserName>' . $this->outerUser . '</AnonymousUserName>
                ';
            }
            $profileFileCont .= '</IdentityPrivacy>
</PeapExtensions>
';
        }
        $profileFileCont .= '</EapType>
</Eap>
</Config>
';
        return($profileFileCont);
    }
    
    private function pwdConfig() {
        return('<ConfigBlob></ConfigBlob>');
    }

    private function prepareEapConfig() {
        if ($this->useAnon) {
            $this->outerUser = $this->attributes['internal:anon_local_value'][0];
            $this->outerId = $this->outerUser . '@' . $this->attributes['internal:realm'][0];
        }
        if (isset($this->options['args']) && $this->options['args'] == 'gl') {
            $this->useGeantLink = TRUE;
        } else {
            $this->useGeantLink = FALSE;
        }
        $profileFileCont = $this->eapConfigHeader();

        switch ($this->selectedEap['OUTER']) {
            case \core\common\EAP::TLS:
                $profileFileCont .= $this->tlsConfig();
                break;
            case \core\common\EAP::PEAP:
                $profileFileCont .= $this->peapConfig();
                break;
            case \core\common\EAP::TTLS:
                if ($this->useGeantLink) {
                    $profileFileCont .= $this->glTtlsConfig();
                } else {
                    $profileFileCont .= $this->msTtlsConfig();
                }
                break;
            case \core\common\EAP::PWD:
                $profileFileCont .= $this->pwdConfig();
                break;
            default:
                break;
        }
        return(['win' => $profileFileCont . '</EapHostConfig></EAPConfig>']);
    }

    /**
     * produce PEAP, TLS and TTLS configuration files for Windows 8
     *
     * @param string $wlanProfileName
     * @param string $ssid
     * @param string $auth can be one of "WPA", "WPA2"
     * @param string $encryption can be one of: "TKIP", "AES"
     * @param array $eapConfig XML configuration block with EAP config data
     * @param int $profileNumber counter, which profile number is this
     * @return string
     */
    private function writeWLANprofile($wlanProfileName, $ssid, $auth, $encryption, $eapConfig, $profileNumber, $hs20 = FALSE) {
        $profileFileCont = '<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>' . $wlanProfileName . '</name>
<SSIDConfig>
<SSID>
<name>' . $ssid . '</name>
</SSID>
<nonBroadcast>true</nonBroadcast>
</SSIDConfig>';
        if ($hs20) {
            $profileFileCont .= $this->addConsortia();
        }
        $profileFileCont .= '
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication>' . $auth . '</authentication>
<encryption>' . $encryption . '</encryption>
<useOneX>true</useOneX>
</authEncryption>
';
        if ($auth == 'WPA2') {
            $profileFileCont .= '<PMKCacheMode>enabled</PMKCacheMode>
<PMKCacheTTL>720</PMKCacheTTL>
<PMKCacheSize>128</PMKCacheSize>
<preAuthMode>disabled</preAuthMode>
        ';
        }
        $profileFileCont .= '<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<cacheUserData>true</cacheUserData>
<authMode>user</authMode>
';

        $closing = '
</OneX>
</security>
</MSM>
</WLANProfile>
';

        if (!is_dir('w8')) {
            mkdir('w8');
        }
        $xmlFname = "w8/wlan_prof-$profileNumber.xml";
        file_put_contents($xmlFname, $profileFileCont . $eapConfig['win'] . $closing);
        $this->loggerInstance->debug(2, "Installer has been written into directory $this->FPATH\n");
        return("\"$wlanProfileName\" \"$encryption\"");
    }

    private function writeLANprofile($eapConfig) {
        $profileFileCont = '<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
<MSM>
<security>
<OneXEnforced>false</OneXEnforced>
<OneXEnabled>true</OneXEnabled>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<cacheUserData>true</cacheUserData>
<authMode>user</authMode>
';
        $closing = '
</OneX>
</security>
</MSM>
</LANProfile>
';

        if (!is_dir('w8')) {
            mkdir('w8');
        }
        $xmlFname = "w8/lan_prof.xml";
        file_put_contents($xmlFname, $profileFileCont . $eapConfig['win'] . $closing);
        $this->loggerInstance->debug(2, "Installer has been written into directory $this->FPATH\n");
    }

    private function writeProfilesNSH($wlanProfiles, $caArray) {
        $this->loggerInstance->debug(4, "writeProfilesNSH");
        $this->loggerInstance->debug(4, $wlanProfiles);
        $fcontentsProfile = '';
        foreach ($wlanProfiles as $wlanProfile) {
            $fcontentsProfile .= "!insertmacro define_wlan_profile $wlanProfile\n";
        }

        file_put_contents('profiles.nsh', $fcontentsProfile);

        $fcontentsCerts = '';
        $fileHandleCerts = fopen('certs.nsh', 'w');
        if ($fileHandleCerts === FALSE) {
            throw new Exception("Unable to open new certs.nsh file for writing CAs.");
        }
        foreach ($caArray as $certAuthority) {
            $store = $certAuthority['root'] ? "root" : "ca";
            $fcontentsCerts .= '!insertmacro install_ca_cert "' . $certAuthority['file'] . '" "' . $certAuthority['sha1'] . '" "' . $store . "\"\n";
        }
        fwrite($fileHandleCerts, $fcontentsCerts);
        fclose($fileHandleCerts);
    }

    private function writeMainNSH($eap, $attr) {
        $this->loggerInstance->debug(4, "writeMainNSH");
        $this->loggerInstance->debug(4, $attr);
        $this->loggerInstance->debug(4, "Device_id = " . $this->device_id . "\n");
        $fcontents = "!define W8\n";
        if ($this->device_id == 'w10') {
            $fcontents .= "!define W10\n";
        }
        if (CONFIG_CONFASSISTANT['NSIS_VERSION'] >= 3) {
            $fcontents .= "Unicode true\n";
        }
        $eapOptions = [
            \core\common\EAP::PEAP => ['str' => 'PEAP', 'exec' => 'user'],
            \core\common\EAP::TLS => ['str' => 'TLS', 'exec' => 'user'],
            \core\common\EAP::TTLS => ['str' => 'TTLS', 'exec' => 'user'],
            \core\common\EAP::PWD => ['str' => 'PWD', 'exec' => 'user'],
        ];
        if (isset($this->options['args']) && $this->options['args'] == 'gl') {
            $eapOptions[\core\common\EAP::TTLS]['str'] = 'GEANTLink';
        }

// Uncomment the line below if you want this module to run under XP (only displaying a warning)
// $fcontents .= "!define ALLOW_XP\n";
// Uncomment the line below if you want this module to produce debugging messages on the client
// $fcontents .= "!define DEBUG_CAT\n";
        if ($this->tlsOtherUsername == 1) {
            $fcontents .= "!define PFX_USERNAME\n";
        }
        $execLevel = $eapOptions[$eap["OUTER"]]['exec'];
        $eapStr = $eapOptions[$eap["OUTER"]]['str'];
        if ($eap == \core\common\EAP::EAPTYPE_SILVERBULLET) {
            $fcontents .= "!define SILVERBULLET\n";
        }
        $fcontents .= '!define ' . $eapStr;
        $fcontents .= "\n" . '!define EXECLEVEL "' . $execLevel . '"';
        $fcontents .= $this->writeNsisDefines($attr);
        file_put_contents('main.nsh', $fcontents);
    }

    private function copyStandardNsi() {
        if (!$this->translateFile('eap_w8.inc', 'cat.NSI', $this->codePage)) {
            throw new Exception("Translating needed file eap_w8.inc failed!");
        }
    }

    private function copyFiles($eap) {
        $this->loggerInstance->debug(4, "copyFiles start\n");
        $this->copyBasicFiles();
        switch ($eap["OUTER"]) {
            case \core\common\EAP::TTLS:
                if (isset($this->options['args']) && $this->options['args'] == 'gl') {
                    $this->copyGeantLinkFiles();
                } else {
                    $this->copyStandardNsi();
                }
                break;
            case \core\common\EAP::PWD:
                $this->copyPwdFiles();
                break;
            default:
                $this->copyStandardNsi();
        }
        $this->loggerInstance->debug(4, "copyFiles end\n");
        return TRUE;
    }

    private $tlsOtherUsername = 0;
    private $caArray;
    private $useAnon;
    private $servers;
    private $outerUser;
    private $outerId;

}



1			<?php
2
3			/*
4			* ******************************************************************************
5			* Copyright 2011-2017 DANTE Ltd. and GÉANT on behalf of the GN3, GN3+, GN4-1
6			* and GN4-2 consortia
7			*
8			* License: see the web/copyright.php file in the file structure
9			* ******************************************************************************
10			*/
11
12			/**
13			* This file creates MS Windows 8 installers
14			* It supports EAP-TLS, TTLS, PEAP and EAP-pwd
15			* @author Tomasz Wolniewicz <[email protected]>
16			*
17			* @package ModuleWriting
18			*/
19
20			namespace devices\ms;
21			use \Exception;
22
23			/**
24			*
25			* @author Tomasz Wolniewicz <[email protected]>
26			* @package ModuleWriting
27			*/
28			class Device_W8_10 extends WindowsCommon {
29			final public function __construct() {
30			parent::__construct();
31			$this->setSupportedEapMethods(
32			[
33			\core\common\EAP::EAPTYPE_TLS,
34			\core\common\EAP::EAPTYPE_PEAP_MSCHAP2,
35			\core\common\EAP::EAPTYPE_TTLS_PAP,
36			\core\common\EAP::EAPTYPE_TTLS_MSCHAP2,
37			\core\common\EAP::EAPTYPE_PWD,
38			\core\common\EAP::EAPTYPE_SILVERBULLET
39			]);
40			$this->specialities['internal:use_anon_outer'][serialize(\core\common\EAP::EAPTYPE_PEAP_MSCHAP2)] = _("Anonymous identities do not use the realm as specified in the profile - it is derived from the suffix of the user's username input instead.");
41			}
42			public function writeInstaller() {
43			$dom = textdomain(NULL);
44			textdomain("devices");
45			// create certificate files and save their names in $caFiles arrary
46			$caFiles = $this->saveCertificateFiles('der');
47			$this->caArray = $this->getAttibute('internal:CAs')[0];
48			$this->useAnon = $this->attributes['internal:use_anon_outer'] [0] === NULL ? FALSE : TRUE;
49			$this->servers = empty($this->attributes['eap:server_name']) ? '' : implode(';', $this->attributes['eap:server_name']);
50			$allSSID = $this->attributes['internal:SSID'];
51			$delSSIDs = $this->attributes['internal:remove_SSID'];
52			$this->prepareInstallerLang();
53			$setWired = isset($this->attributes['media:wired'][0]) && $this->attributes['media:wired'][0] == 'on' ? 1 : 0;
54			// create a list of profiles to be deleted after installation
55			$delProfiles = [];
56			foreach ($delSSIDs as $ssid => $cipher) {
57			if ($cipher == 'DEL') {
58			$delProfiles[] = $ssid;
59			}
60			if ($cipher == 'TKIP') {
61			$delProfiles[] = $ssid . ' (TKIP)';
62			}
63			}
64			$windowsProfile = [];
65			$eapConfig = $this->prepareEapConfig();
66			$iterator = 0;
67			foreach ($allSSID as $ssid => $cipher) {
68			if ($cipher == 'TKIP') {
69			$windowsProfile[$iterator] = $this->writeWLANprofile($ssid . ' (TKIP)', $ssid, 'WPA', 'TKIP', $eapConfig, $iterator);
70			$iterator++;
71			}
72			$windowsProfile[$iterator] = $this->writeWLANprofile($ssid, $ssid, 'WPA2', 'AES', $eapConfig, $iterator);
73			$iterator++;
74			}
75			if (($this->device_id !== 'w8') && (count($this->attributes['internal:consortia']) > 0 )) {
76			// this SSID name is later used in common.inc so if you decide to chage it here change it there as well
77			$ssid = 'cat-passpoint-profile';
78			$windowsProfile[$iterator] = $this->writeWLANprofile($ssid, $ssid, 'WPA2', 'AES', $eapConfig, $iterator, TRUE);
79			}
80			if ($setWired) {
81			$this->writeLANprofile($eapConfig);
82			}
83			$this->loggerInstance->debug(4, "windowsProfile");
84			$this->loggerInstance->debug(4, print_r($windowsProfile, true));
85
86			$this->writeProfilesNSH($windowsProfile, $caFiles);
87			$this->writeAdditionalDeletes($delProfiles);
88			if ($this->selectedEap == \core\common\EAP::EAPTYPE_SILVERBULLET) {
89			$this->writeClientP12File();
90			}
91			$this->copyFiles($this->selectedEap);
92			$fedLogo = $this->attributes['fed:logo_file'] ?? NULL;
93			$idpLogo = $this->attributes['internal:logo_file'] ?? NULL;
94			$this->combineLogo($idpLogo, $fedLogo);
95			$this->writeMainNSH($this->selectedEap, $this->attributes);
96			$this->compileNSIS();
97			$installerPath = $this->signInstaller();
98			textdomain($dom);
99			return($installerPath);
100			}
101
102			private function setAuthorId() {
103			if ($this->selectedEap['OUTER'] === \core\common\EAP::TTLS) {
104			if ($this->useGeantLink) {
105			$authorId = "67532";
106			} else {
107			$authorId = "311";
108			}
109			} else {
110			$authorId = 0;
111			}
112			return($authorId);
113			}
114
115			private function addConsortia() {
116			if ($this->device_id == 'w8') {
117			return('');
118			}
119			$retval = '<Hotspot2>';
120			$retval .= '<DomainName>';
121			if (empty($this->attributes['internal:realm'][0])) {
122			$retval .= CONFIG_CONFASSISTANT['CONSORTIUM']['interworking-domainname-fallback'];
123			} else {
124			$retval .= $this->attributes['internal:realm'][0];
125			}
126			$retval .= '</DomainName>';
127			$retval .= '<RoamingConsortium><OUI>' .
128			implode('</OUI><OUI>', $this->attributes['internal:consortia']) .
129			'</OUI></RoamingConsortium>';
130			$retval .= '</Hotspot2>';
131			return($retval);
132			}
133
134			private function eapConfigHeader() {
135			$authorId = $this->setAuthorId();
136			$profileFileCont = '<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
137			<EapMethod>
138			';
139			$profileFileCont .= '<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">' .
140			$this->selectedEap["OUTER"] . '</Type>
141			<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
142			<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
143			<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">' . $authorId . '</AuthorId>
144			</EapMethod>
145			';
146			return($profileFileCont);
147			}
148
149			private function tlsServerValidation() {
150			$profileFileCont = '
151			<eapTls:ServerValidation>
152			<eapTls:DisableUserPromptForServerValidation>true</eapTls:DisableUserPromptForServerValidation>
153			';
154			$profileFileCont .= '<eapTls:ServerNames>' . $this->servers . '</eapTls:ServerNames>';
155			foreach ($this->caArray as $certAuthority) {
156			if ($certAuthority['root']) {
157			$profileFileCont .= "<eapTls:TrustedRootCA>" . $certAuthority['sha1'] . "</eapTls:TrustedRootCA>\n";
158			}
159			}
160			$profileFileCont .= '</eapTls:ServerValidation>
161			';
162			return($profileFileCont);
163			}
164
165			private function msTtlsServerValidation() {
166			$profileFileCont = '
167			<ServerValidation>
168			';
169			$profileFileCont .= '<ServerNames>' . $this->servers . '</ServerNames> ';
170			foreach ($this->caArray as $certAuthority) {
171			if ($certAuthority['root']) {
172			$profileFileCont .= "<TrustedRootCAHash>" . chunk_split($certAuthority['sha1'], 2, ' ') . "</TrustedRootCAHash>\n";
173			}
174			}
175			$profileFileCont .= '<DisablePrompt>true</DisablePrompt>
176			</ServerValidation>
177			';
178			return($profileFileCont);
179			}
180
181			private function glTtlsServerValidation() {
182			$servers = implode('</ServerName><ServerName>', $this->attributes['eap:server_name']);
183			$profileFileCont = '
184			<ServerSideCredential>
185			';
186			foreach ($this->caArray as $ca) {
187			$profileFileCont .= '<CA><format>PEM</format><cert-data>';
188			$profileFileCont .= base64_encode($ca['der']);
189			$profileFileCont .= '</cert-data></CA>
190			';
191			}
192			$profileFileCont .= "<ServerName>$servers</ServerName>\n";
193
194			$profileFileCont .= '
195			</ServerSideCredential>
196			';
197			return($profileFileCont);
198			}
199
200			private function peapServerValidation() {
201			$profileFileCont = '
202			<ServerValidation>
203			<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
204			<ServerNames>' . $this->servers . '</ServerNames>';
205			foreach ($this->caArray as $certAuthority) {
206			if ($certAuthority['root']) {
207			$profileFileCont .= "<TrustedRootCA>" . $certAuthority['sha1'] . "</TrustedRootCA>\n";
208			}
209			}
210			$profileFileCont .= '</ServerValidation>
211			';
212			return($profileFileCont);
213			}
214
215			private function tlsConfig() {
216			$profileFileCont = '
217			<Config xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
218			xmlns:eapTls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
219			<baseEap:Eap>
220			<baseEap:Type>13</baseEap:Type>
221			<eapTls:EapType>
222			<eapTls:CredentialsSource>
223			<eapTls:CertificateStore />
224			</eapTls:CredentialsSource>
225			';
226			$profileFileCont .= $this->tlsServerValidation();
227			if (\core\common\Entity::getAttributeValue($this->attributes, 'eap-specific:tls_use_other_id', 0) === 'on') {
228			$profileFileCont .= '<eapTls:DifferentUsername>true</eapTls:DifferentUsername>';
229			$this->tlsOtherUsername = 1;
230			} else {
231			$profileFileCont .= '<eapTls:DifferentUsername>false</eapTls:DifferentUsername>';
232			}
233			$profileFileCont .= '
234			</eapTls:EapType>
235			</baseEap:Eap>
236			</Config>
237			';
238			return($profileFileCont);
239			}
240
241			private function msTtlsConfig() {
242			$profileFileCont = '<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
243			<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
244			';
245			$profileFileCont .= $this->msTtlsServerValidation();
246			$profileFileCont .= '<Phase2Authentication>
247			';
248			if ($this->selectedEap == \core\common\EAP::EAPTYPE_TTLS_PAP) {
249			$profileFileCont .= '<PAPAuthentication /> ';
250			}
251			if ($this->selectedEap == \core\common\EAP::EAPTYPE_TTLS_MSCHAP2) {
252			$profileFileCont .= '<MSCHAPv2Authentication>
253			<UseWinlogonCredentials>false</UseWinlogonCredentials>
254			</MSCHAPv2Authentication>
255			';
256			}
257			$profileFileCont .= '</Phase2Authentication>
258			<Phase1Identity>
259			';
260			if ($this->useAnon) {
261			$profileFileCont .= '<IdentityPrivacy>true</IdentityPrivacy>
262			';
263			$profileFileCont .= '<AnonymousIdentity>' . $this->outerId . '</AnonymousIdentity>
264			';
265			} else {
266			$profileFileCont .= '<IdentityPrivacy>false</IdentityPrivacy>
267			';
268			}
269			$profileFileCont .= '</Phase1Identity>
270			</EapTtls>
271			</Config>
272			';
273			return($profileFileCont);
274			}
275
276			private function glTtlsConfig() {
277			$profileFileCont = '
278			<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
279			<EAPIdentityProviderList xmlns="urn:ietf:params:xml:ns:yang:ietf-eap-metadata">
280			<EAPIdentityProvider ID="' . $this->deviceUUID . '" namespace="urn:UUID">
281
282			<ProviderInfo>
283			<DisplayName>' . $this->translateString($this->attributes['general:instname'][0], $this->codePage) . '</DisplayName>
284			</ProviderInfo>
285			<AuthenticationMethods>
286			<AuthenticationMethod>
287			<EAPMethod>21</EAPMethod>
288			<ClientSideCredential>
289			<allow-save>true</allow-save>
290			';
291			if ($this->useAnon) {
292			if ($this->outerUser == '') {
293			$profileFileCont .= '<AnonymousIdentity>@</AnonymousIdentity>';
294			} else {
295			$profileFileCont .= '<AnonymousIdentity>' . $this->outerId . '</AnonymousIdentity>';
296			}
297			}
298			$profileFileCont .= '</ClientSideCredential>
299			';
300			$profileFileCont .= $this->glTtlsServerValidation();
301			$profileFileCont .= '
302			<InnerAuthenticationMethod>
303			<NonEAPAuthMethod>' . \core\common\EAP::eapDisplayName($this->selectedEap)['INNER'] . '</NonEAPAuthMethod>
304			</InnerAuthenticationMethod>
305			<VendorSpecific>
306			<SessionResumption>false</SessionResumption>
307			</VendorSpecific>
308			</AuthenticationMethod>
309			</AuthenticationMethods>
310			</EAPIdentityProvider>
311			</EAPIdentityProviderList>
312			</Config>
313			';
314			return($profileFileCont);
315			}
316
317			private function peapConfig() {
318			$nea = (\core\common\Entity::getAttributeValue($this->attributes, 'media:wired', 0) == 'on') ? 'true' : 'false';
319			$profileFileCont = '<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
320			<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
321			<Type>25</Type>
322			<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
323			';
324			$profileFileCont .= $this->peapServerValidation();
325			$profileFileCont .= '
326			<FastReconnect>true</FastReconnect>
327			<InnerEapOptional>false</InnerEapOptional>
328			<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
329			<Type>26</Type>
330			<EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
331			<UseWinLogonCredentials>false</UseWinLogonCredentials>
332			</EapType>
333			</Eap>
334			<EnableQuarantineChecks>' . $nea . '</EnableQuarantineChecks>
335			<RequireCryptoBinding>false</RequireCryptoBinding>
336			';
337			if ($this->useAnon) {
338			$profileFileCont .= '<PeapExtensions>
339			<IdentityPrivacy xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
340			<EnableIdentityPrivacy>true</EnableIdentityPrivacy>
341			';
342			if ($this->outerUser == '') {
343			$profileFileCont .= '<AnonymousUserName/>
344			';
345			} else {
346			$profileFileCont .= '<AnonymousUserName>' . $this->outerUser . '</AnonymousUserName>
347			';
348			}
349			$profileFileCont .= '</IdentityPrivacy>
350			</PeapExtensions>
351			';
352			}
353			$profileFileCont .= '</EapType>
354			</Eap>
355			</Config>
356			';
357			return($profileFileCont);
358			}
359
360			private function pwdConfig() {
361			return('<ConfigBlob></ConfigBlob>');
362			}
363
364			private function prepareEapConfig() {
365			if ($this->useAnon) {
366			$this->outerUser = $this->attributes['internal:anon_local_value'][0];
367			$this->outerId = $this->outerUser . '@' . $this->attributes['internal:realm'][0];
368			}
369			if (isset($this->options['args']) && $this->options['args'] == 'gl') {
370			$this->useGeantLink = TRUE;
371			} else {
372			$this->useGeantLink = FALSE;
373			}
374			$profileFileCont = $this->eapConfigHeader();
375
376			switch ($this->selectedEap['OUTER']) {
377			case \core\common\EAP::TLS:
378			$profileFileCont .= $this->tlsConfig();
379			break;
380			case \core\common\EAP::PEAP:
381			$profileFileCont .= $this->peapConfig();
382			break;
383			case \core\common\EAP::TTLS:
384			if ($this->useGeantLink) {
385			$profileFileCont .= $this->glTtlsConfig();
386			} else {
387			$profileFileCont .= $this->msTtlsConfig();
388			}
389			break;
390			case \core\common\EAP::PWD:
391			$profileFileCont .= $this->pwdConfig();
392			break;
393			default:
394			break;
395			}
396			return(['win' => $profileFileCont . '</EapHostConfig></EAPConfig>']);
397			}
398
399			/**
400			* produce PEAP, TLS and TTLS configuration files for Windows 8
401			*
402			* @param string $wlanProfileName
403			* @param string $ssid
404			* @param string $auth can be one of "WPA", "WPA2"
405			* @param string $encryption can be one of: "TKIP", "AES"
406			* @param array $eapConfig XML configuration block with EAP config data
407			* @param int $profileNumber counter, which profile number is this
408			* @return string
409			*/
410			private function writeWLANprofile($wlanProfileName, $ssid, $auth, $encryption, $eapConfig, $profileNumber, $hs20 = FALSE) {
411			$profileFileCont = '<?xml version="1.0"?>
412			<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
413			<name>' . $wlanProfileName . '</name>
414			<SSIDConfig>
415			<SSID>
416			<name>' . $ssid . '</name>
417			</SSID>
418			<nonBroadcast>true</nonBroadcast>
419			</SSIDConfig>';
420			if ($hs20) {
421			$profileFileCont .= $this->addConsortia();
422			}
423			$profileFileCont .= '
424			<connectionType>ESS</connectionType>
425			<connectionMode>auto</connectionMode>
426			<autoSwitch>false</autoSwitch>
427			<MSM>
428			<security>
429			<authEncryption>
430			<authentication>' . $auth . '</authentication>
431			<encryption>' . $encryption . '</encryption>
432			<useOneX>true</useOneX>
433			</authEncryption>
434			';
435			if ($auth == 'WPA2') {
436			$profileFileCont .= '<PMKCacheMode>enabled</PMKCacheMode>
437			<PMKCacheTTL>720</PMKCacheTTL>
438			<PMKCacheSize>128</PMKCacheSize>
439			<preAuthMode>disabled</preAuthMode>
440			';
441			}
442			$profileFileCont .= '<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
443			<cacheUserData>true</cacheUserData>
444			<authMode>user</authMode>
445			';
446
447			$closing = '
448			</OneX>
449			</security>
450			</MSM>
451			</WLANProfile>
452			';
453
454			if (!is_dir('w8')) {
455			mkdir('w8');
456			}
457			$xmlFname = "w8/wlan_prof-$profileNumber.xml";
458			file_put_contents($xmlFname, $profileFileCont . $eapConfig['win'] . $closing);
459			$this->loggerInstance->debug(2, "Installer has been written into directory $this->FPATH\n");
460			return("\"$wlanProfileName\" \"$encryption\"");
461			}
462
463			private function writeLANprofile($eapConfig) {
464			$profileFileCont = '<?xml version="1.0"?>
465			<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
466			<MSM>
467			<security>
468			<OneXEnforced>false</OneXEnforced>
469			<OneXEnabled>true</OneXEnabled>
470			<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
471			<cacheUserData>true</cacheUserData>
472			<authMode>user</authMode>
473			';
474			$closing = '
475			</OneX>
476			</security>
477			</MSM>
478			</LANProfile>
479			';
480
481			if (!is_dir('w8')) {
482			mkdir('w8');
483			}
484			$xmlFname = "w8/lan_prof.xml";
485			file_put_contents($xmlFname, $profileFileCont . $eapConfig['win'] . $closing);
486			$this->loggerInstance->debug(2, "Installer has been written into directory $this->FPATH\n");
487			}
488
489			private function writeProfilesNSH($wlanProfiles, $caArray) {
490			$this->loggerInstance->debug(4, "writeProfilesNSH");
491			$this->loggerInstance->debug(4, $wlanProfiles);
492			$fcontentsProfile = '';
493			foreach ($wlanProfiles as $wlanProfile) {
494			$fcontentsProfile .= "!insertmacro define_wlan_profile $wlanProfile\n";
495			}
496
497			file_put_contents('profiles.nsh', $fcontentsProfile);
498
499			$fcontentsCerts = '';
500			$fileHandleCerts = fopen('certs.nsh', 'w');
501			if ($fileHandleCerts === FALSE) {
502			throw new Exception("Unable to open new certs.nsh file for writing CAs.");
503			}
504			foreach ($caArray as $certAuthority) {
505			$store = $certAuthority['root'] ? "root" : "ca";
506			$fcontentsCerts .= '!insertmacro install_ca_cert "' . $certAuthority['file'] . '" "' . $certAuthority['sha1'] . '" "' . $store . "\"\n";
507			}
508			fwrite($fileHandleCerts, $fcontentsCerts);
509			fclose($fileHandleCerts);
510			}
511
512			private function writeMainNSH($eap, $attr) {
513			$this->loggerInstance->debug(4, "writeMainNSH");
514			$this->loggerInstance->debug(4, $attr);
515			$this->loggerInstance->debug(4, "Device_id = " . $this->device_id . "\n");
516			$fcontents = "!define W8\n";
517			if ($this->device_id == 'w10') {
518			$fcontents .= "!define W10\n";
519			}
520			if (CONFIG_CONFASSISTANT['NSIS_VERSION'] >= 3) {
521			$fcontents .= "Unicode true\n";
522			}
523			$eapOptions = [
524			\core\common\EAP::PEAP => ['str' => 'PEAP', 'exec' => 'user'],
525			\core\common\EAP::TLS => ['str' => 'TLS', 'exec' => 'user'],
526			\core\common\EAP::TTLS => ['str' => 'TTLS', 'exec' => 'user'],
527			\core\common\EAP::PWD => ['str' => 'PWD', 'exec' => 'user'],
528			];
529			if (isset($this->options['args']) && $this->options['args'] == 'gl') {
530			$eapOptions[\core\common\EAP::TTLS]['str'] = 'GEANTLink';
531			}
532
533			// Uncomment the line below if you want this module to run under XP (only displaying a warning)
534			// $fcontents .= "!define ALLOW_XP\n";
535			// Uncomment the line below if you want this module to produce debugging messages on the client
536			// $fcontents .= "!define DEBUG_CAT\n";
537			if ($this->tlsOtherUsername == 1) {
538			$fcontents .= "!define PFX_USERNAME\n";
539			}
540			$execLevel = $eapOptions[$eap["OUTER"]]['exec'];
541			$eapStr = $eapOptions[$eap["OUTER"]]['str'];
542			if ($eap == \core\common\EAP::EAPTYPE_SILVERBULLET) {
543			$fcontents .= "!define SILVERBULLET\n";
544			}
545			$fcontents .= '!define ' . $eapStr;
546			$fcontents .= "\n" . '!define EXECLEVEL "' . $execLevel . '"';
547			$fcontents .= $this->writeNsisDefines($attr);
548			file_put_contents('main.nsh', $fcontents);
549			}
550
551			private function copyStandardNsi() {
552			if (!$this->translateFile('eap_w8.inc', 'cat.NSI', $this->codePage)) {
553			throw new Exception("Translating needed file eap_w8.inc failed!");
554			}
555			}
556
557			private function copyFiles($eap) {
558			$this->loggerInstance->debug(4, "copyFiles start\n");
559			$this->copyBasicFiles();
560			switch ($eap["OUTER"]) {
561			case \core\common\EAP::TTLS:
562			if (isset($this->options['args']) && $this->options['args'] == 'gl') {
563			$this->copyGeantLinkFiles();
564			} else {
565			$this->copyStandardNsi();
566			}
567			break;
568			case \core\common\EAP::PWD:
569			$this->copyPwdFiles();
570			break;
571			default:
572			$this->copyStandardNsi();
573			}
574			$this->loggerInstance->debug(4, "copyFiles end\n");
575			return TRUE;
576			}
577
578			private $tlsOtherUsername = 0;
579			private $caArray;
580			private $useAnon;
581			private $servers;
582			private $outerUser;
583			private $outerId;
584
585			}
586
587

GEANT / CAT

Push — master ( 1fc2c0...45b4ae )

Device_W8_10 F

Complexity

Size/Duplication

Importance

21 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like