http://wiki.mipt.ru/index.php?action=history&feed=atom&title=Development%3AMNet_ProtocolDevelopment:MNet Protocol - История изменений2026-05-07T18:27:17ZИстория изменений этой страницы в викиMediaWiki 1.42.1http://wiki.mipt.ru/index.php?title=Development:MNet_Protocol&diff=11332&oldid=prevОлег Давидович: 1 версия импортирована2024-10-21T08:51:25Z<p>1 версия импортирована</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<tr class="diff-title" lang="ru">
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">← Предыдущая версия</td>
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">Версия от 08:51, 21 октября 2024</td>
</tr><tr><td colspan="2" class="diff-notice" lang="ru"><div class="mw-diff-empty">(нет различий)</div>
</td></tr></table>Олег Давидовичhttp://wiki.mipt.ru/index.php?title=Development:MNet_Protocol&diff=11331&oldid=prev1>Tsala: category edit2010-02-18T20:17:42Z<p>category edit</p>
<p><b>Новая страница</b></p><div>== Overview ==<br />
<br />
Moodle Networks allows other sites to perform RPC calls on a Moodle instance in a secure fashion. (Most) requests are signed and encrypted for security. Sites are identified by their web root ($CFG->wwwroot in Moodle), and publish a public key (RSA). Requests and responses are encoded using XML-RPC, and signing and encryption are performed using XML-SIG and XML-ENC.<br />
<br />
<br />
== Application types ==<br />
<br />
* MNet supports different types of applications, with different access URLs<br />
* defined in mnet_application table<br />
* lists names and URLs for RPC<br />
<br />
== Log in flow ==<br />
<br />
* dramatis personae<br />
** user<br />
** IdP (identity provider) = site the user is logging in from<br />
** SP (service provider) = site the user is logging in to<br />
<br />
<br />
=== Basic successful log in ===<br />
<br />
# user clicks on link on IdP<br />
# user is taken to /auth/mnet/jump.php with hostid parameter set to SP's ID, and (optionally) wantsurl set<br />
# IdP generates token and creates MNet session (see below)<br />
# IdP redirects user to SP's "land" url (as defined in mnet_application table) with token, idp, and wantsurl parameters set<br />
# user visits SP's land url<br />
# SP calls "auth/mnet/auth.php/user_authorise" on IdP via XML-RPC with token and user's useragent string as parameters<br />
# IdP verifies MNet session and returns user data<br />
# SP may fetch additional data from IdP, add user to its own DB, update enrolments on IdP, etc.<br />
# SP redirects user to wantsurl<br />
<br />
== MNet session ==<br />
<br />
ID provider stores:<br />
* host<br />
* userid<br />
* username<br />
* sha1(useragent)<br />
* token<br />
* confirm timeout<br />
* expires<br />
* session id<br />
<br />
== Allowed RPC calls ==<br />
<br />
* permissions stored in mnet_host2service x mnet_service2rpc x mnet_rpc (except for "dangerous" calls)<br />
* modules/plugins must have ($module_)mnet_publishes function<br />
* system<br />
** system/listMethods<br />
** system/methodSignature<br />
** system/methodHelp<br />
** system/listServices<br />
** system/keyswap<br />
* auth<br />
** auth/$plugin/auth.php/$method -> file:/auth/$plugin/auth.php class:auth_plugin_$plugin method:$method<br />
* enrol<br />
** auth/$plugin/enrol.php/$method -> file:/enrol/$plugin/enrol.php class:enrolment_plugin_$plugin method:$method<br />
* portfolio (Moodle 2.0)<br />
** portfolio/$plugin/lib.php/$method -> file:/portfolio/type/$plugin/lib.php class:portfolio_plugin_$plugin method:$method<br />
* repository (Moodle 2.0)<br />
** repository/$plugin/repository.class.php/$method -> file:repository/$plugin/repository.class.php class:repository_$plugin method:$method<br />
* mod<br />
** mod/$module/rpclib.php/$function -> file:/mod/$module/rpclib.php function:$function<br />
* dangerous (only if sender has plaintext_is_ok set)<br />
** dangerous/$path/$function -> file:/$path function:$function (response is not encrypted/signed)<br />
<br />
see [[Development:MNet services]] for more information on the default available methods<br />
<br />
== Security ==<br />
<br />
* XML-RPC messages are encrypted/signed using public key cryptography<br />
* use wrappers based on XML-SEC<br />
* wrappers have "wwwroot" element to identify the sender<br />
* Note: security may be compromised by a man-in-the-middle and/or DNS attack<br />
* see also [[Mnet keys]]<br />
<br />
== encryption ==<br />
<br />
* uses openssl's seal routine<br />
* RC4-encrypted (128-bit key)<br />
* RC4 key encrypted (RSA) with public key<br />
<br />
== signature ==<br />
<br />
* digest: SHA-1<br />
* signature: RSA (despite the XML-SIG wrapper claiming to be DSA)<br />
<br />
<br />
== key generation ==<br />
<br />
* 1024 bit RSA<br />
* self-signed<br />
* send certificate as PEM-encoded<br />
* X.509 certificate fields (only CN is actually checked)<br />
* C (country name)<br />
* ST (state or province name)<br />
* L (locality name)<br />
* O (organization name)<br />
* OU (organizational unit name) = Moodle (or whatever software you are running)<br />
* CN (common name) = $wwwroot (no trailing slashes)<br />
* EMAILADDRESS (email address)<br />
<br />
== Error handling ==<br />
<br />
see also [[Development:MNet faults]]<br />
<br />
=== if signature does not match ===<br />
(see also http://moodle.org/mod/forum/discuss.php?d=102113)<br />
<br />
* server sends "system/listServices" to client<br />
* system/listServices is used so that the server will return a (signed) 7025 fault<br />
* server retrieves key from response<br />
<br />
=== if decryption fails ===<br />
* try decrypting against old keys<br />
* if able to decrypt, send fault #7025, signed with old private key, with certificate as content. This reduces an attacker's ability to perform a man-in-the-middle attack.<br />
* otherwise, send fault #7023<br />
<br />
[[Category:MNet]]</div>1>Tsala