XMLRPC sync fixes and improvements

- Fix CARP/HA sync option (port/protocol)
- Add enable/disable checkbox per replication target
- Add protocol/port selection
- Fix literal IPv6 handling for sync targets
- Do settings validation and only try to sync when configuration is valid
- Nuke obsolete pfSense 2.0 cruft

1 files changed, 93 insertions, 83 deletions

diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index ed5596d6..4ec13bd0 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -1,19 +1,20 @@
 <?php
 /*
 	apache_mod_security.inc
-	part of apache_mod_security package (http://www.pfSense.com)
+	part of pfSense (https://www.pfSense.org/)
 	Copyright (C) 2009, 2010 Scott Ullrich
 	Copyright (C) 2012-2013 Marcello Coutinho
 	Copyright (C) 2013 Stephane Lapie <stephane.lapie@asahinet.com>
+	Copyright (C) 2015 ESF, LLC
 	All rights reserved.
 
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are met:
 
-	1. Redistributions of source code MUST retain the above copyright notice,
+	1. Redistributions of source code must retain the above copyright notice,
 	   this list of conditions and the following disclaimer.
 
-	2. Redistributions in binary form MUST reproduce the above copyright
+	2. Redistributions in binary form must reproduce the above copyright
 	   notice, this list of conditions and the following disclaimer in the
 	   documentation and/or other materials provided with the distribution.
 
@@ -28,7 +29,6 @@
 	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 	POSSIBILITY OF SUCH DAMAGE.
 */
-
 require_once("service-utils.inc");
 
 $shortcut_section = "apache";
@@ -157,27 +157,38 @@ function apache_mod_security_resync() {
 	if (is_array($config['installedpackages']['apachesync']['config'])){
 		$apache_sync = $config['installedpackages']['apachesync']['config'][0];
 		$synconchanges = $apache_sync['synconchanges'];
-		$synctimeout = $apache_sync['synctimeout'];
-		switch ($synconchanges){
+		$synctimeout = $apache_sync['synctimeout'] ?: '250';
+		switch ($synconchanges) {
 			case "manual":
-				if (is_array($apache_sync[row])){
-					$rs = $apache_sync[row];
+				if (is_array($apache_sync['row'])) {
+					$rs = $apache_sync['row'];
 				} else {
-					log_error("apache_mod_security_package: XMLRPC sync is enabled, but there is no local host to push on apache config.");
+					log_error("apache_mod_security_package:  XMLRPC sync is enabled but there are no hosts configured as replication targets.");
 					return;
 				}
 				break;
 			case "auto":
-				if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ // pfSense 2.0.x
-					$system_carp = $config['installedpackages']['carpsettings']['config'][0];
-					$rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
-					$rs[0]['username'] = $system_carp['username'];
-					$rs[0]['password'] = $system_carp['password'];
-				} else if (is_array($config['hasync'])) { // pfSense 2.1
+				if (is_array($config['hasync'])) {
 					$system_carp = $config['hasync'];
 					$rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
 					$rs[0]['username'] = $system_carp['username'];
 					$rs[0]['password'] = $system_carp['password'];
+					$rs[0]['syncdestinenable'] = FALSE;
+
+					// XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+					if ($config['system']['webgui']['protocol'] == "http") {
+						$rs[0]['syncprotocol'] = "http";
+						$rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+					} else {
+						$rs[0]['syncprotocol'] = "https";
+						$rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+					}
+					if ($system_carp['synchronizetoip'] == "") {
+						log_error("apache_mod_security_package: XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+						return;
+					} else {
+						$rs[0]['syncdestinenable'] = TRUE;
+					}
 				} else {
 					log_error("apache_mod_security_package: XMLRPC sync is enabled, but there is no global backup host to push apache config.");
 					return;
@@ -185,55 +196,63 @@ function apache_mod_security_resync() {
 				break;
 			default:
 				return;
-			break;
+				break;
 		}
-	}
-	if (is_array($rs)){
-		foreach($rs as $sh){
-			$sync_to_ip = $sh['ipaddress'];
-			$password = $sh['password'];
-			if ($sh['username'])
-				$username = $sh['username'];
-			else
-				$username = 'admin';
-			if ($password && $sync_to_ip)
-				apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout);
+		if (is_array($rs)) {
+			log_error("apache_mod_security_package: XMLRPC sync is starting.");
+			foreach ($rs as $sh) {
+				// Only sync enabled replication targets
+				if ($sh['syncdestinenable']) {
+					$sync_to_ip = $sh['ipaddress'];
+					$port = $sh['syncport'];
+					$username = $sh['username'] ?: 'admin';
+					$password = $sh['password'];
+					$protocol = $sh['syncprotocol'];
+
+					$error = '';
+					$valid = TRUE;
+
+					if ($password == "") {
+						$error = "Password parameter is empty. ";
+						$valid = FALSE;
+					}
+					if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+						$error .= "Misconfigured Replication Target IP Address or Hostname. ";
+						$valid = FALSE;
+					}
+					if (!is_port($port)) {
+						$error .= "Misconfigured Replication Target Port. ";
+						$valid = FALSE;
+					}
+					if ($valid) {
+						apache_mod_security_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+					} else {
+						log_error("apache_mod_security_package: XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+					}
+				}
+			}
+			log_error("apache_mod_security_package: XMLRPC sync completed.");
 		}
 	}
 }
 
 // Do the actual XMLRPC Sync
-function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
+function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
         global $config, $g;
 
-	if(!$username)
-		return;
-
-        if(!$password)
-		return;
-
-	if(!$sync_to_ip)
+	if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+		log_error("apache_mod_security_package: A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
 		return;
-
-	if(!$synctimeout)
-		$synctimeout=25;
-
-	$xmlrpc_sync_neighbor = $sync_to_ip;
-	if($config['system']['webgui']['protocol'] != "") {
-		$synchronizetoip = $config['system']['webgui']['protocol'];
-		$synchronizetoip .= "://";
 	}
-	$port = $config['system']['webgui']['port'];
-	/* if port is empty lets rely on the protocol selection */
-	if($port == "") {
-		if($config['system']['webgui']['protocol'] == "http")
-			$port = "80";
-		else
-			$port = "443";
+
+	// Take care of IPv6 literal address
+	if (is_ipaddrv6($sync_to_ip)) {
+		$sync_to_ip = "[{$sync_to_ip}]";
 	}
-	$synchronizetoip .= $sync_to_ip;
 
-	/* xml will hold the sections to sync */
+	$url = "{$protocol}://{$sync_to_ip}";
+
+	/* XML will hold the sections to sync. */
 	$xml = array();
 	$xml['apachesettings'] = $config['installedpackages']['apachesettings'];
 	$xml['apachemodsecurity'] = $config['installedpackages']['apachemodsecurity'];
@@ -243,67 +262,58 @@ function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $
 	$xml['apachevirtualhost'] = $config['installedpackages']['apachevirtualhost'];
 	$xml['apachelisten'] = $config['installedpackages']['apachelisten'];
 
-	/* assemble xmlrpc payload */
-	$params = array(
-		XML_RPC_encode($password),
-		XML_RPC_encode($xml)
-	);
+	/* Assemble XMLRPC payload. */
+	$params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
 
-	/* set a few variables needed for sync code borrowed from filter.inc */
-	$url = $synchronizetoip;
-	log_error("apache_mod_security_package: Beginning apache_mod_security XMLRPC sync to {$url}:{$port}.");
+	/* Set a few variables needed for sync code */
 	$method = 'pfsense.merge_installedpackages_section_xmlrpc';
 	$msg = new XML_RPC_Message($method, $params);
 	$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
 	$cli->setCredentials($username, $password);
-	if($g['debug'])
+	if ($g['debug']) {
 		$cli->setDebug(1);
-	/* send our XMLRPC message and timeout after defined sync timeout value*/
+	}
+	/* Send our XMLRPC message and timeout after defined sync timeout value */
 	$resp = $cli->send($msg, $synctimeout);
-	if(!$resp) {
-		$error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port}.";
-		log_error($error);
+	if (!$resp) {
+		$error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+		log_error("apache_mod_security_package: {$error}");
 		file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
-	} elseif($resp->faultCode()) {
+	} elseif ($resp->faultCode()) {
 		$cli->setDebug(1);
 		$resp = $cli->send($msg, $synctimeout);
-		$error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
-		log_error($error);
+		$error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+		log_error("apache_mod_security_package: {$error}");
 		file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
 	} else {
 		log_error("apache_mod_security_package: XMLRPC sync successfully completed with {$url}:{$port}.");
 	}
 
-	/* tell apache_mod_security to reload our settings on the destination sync host. */
+	/* Tell apache_mod_security to reload our settings on the destination sync host. */
 	$method = 'pfsense.exec_php';
 	$execcmd  = "require_once('/usr/local/pkg/apache_mod_security.inc');\n";
 	$execcmd .= "apache_mod_security_resync();";
-	/* assemble xmlrpc payload */
-	$params = array(
-		XML_RPC_encode($password),
-		XML_RPC_encode($execcmd)
-	);
+	/* Assemble XMLRPC payload. */
+	$params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
 
-	log_error("apache_mod_security_package: XMLRPC reload data {$url}:{$port}.");
 	$msg = new XML_RPC_Message($method, $params);
 	$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
 	$cli->setCredentials($username, $password);
 	$resp = $cli->send($msg, $synctimeout);
-	if(!$resp) {
-		$error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
-		log_error($error);
+	if (!$resp) {
+		$error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+		log_error("apache_mod_security_package: {$error}");
 		file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
-	} elseif($resp->faultCode()) {
+	} elseif ($resp->faultCode()) {
 		$cli->setDebug(1);
 		$resp = $cli->send($msg, $synctimeout);
-		$error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
-		log_error($error);
+		$error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+		log_error("apache_mod_security_package: {$error}");
 		file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
 	} else {
-		log_error("apache_mod_security XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+		log_error("apache_mod_security_package: XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
 	}
 
-
 }
 
 function apache_mod_security_checkconfig() {