phorge-phorge/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php

<?php

/**
 * Data structure representing a raw public key.
 */
final class PhabricatorAuthSSHPublicKey extends Phobject {

  private $type;
  private $body;
  private $comment;

  private function __construct() {
    // <internal>
  }

  public static function newFromStoredKey(PhabricatorAuthSSHKey $key) {
    $public_key = new PhabricatorAuthSSHPublicKey();
    $public_key->type = $key->getKeyType();
    $public_key->body = $key->getKeyBody();
    $public_key->comment = $key->getKeyComment();

    return $public_key;
  }

  public static function newFromRawKey($entire_key) {
    $entire_key = trim($entire_key);
    if (!strlen($entire_key)) {
      throw new Exception(pht('No public key was provided.'));
    }

    $parts = str_replace("\n", '', $entire_key);

    // The third field (the comment) can have spaces in it, so split this
    // into a maximum of three parts.
    $parts = preg_split('/\s+/', $parts, 3);

    if (preg_match('/private\s*key/i', $entire_key)) {
      // Try to give the user a better error message if it looks like
      // they uploaded a private key.
      throw new Exception(pht('Provide a public key, not a private key!'));
    }

    switch (count($parts)) {
      case 1:
        throw new Exception(
          pht('Provided public key is not properly formatted.'));
      case 2:
        // Add an empty comment part.
        $parts[] = '';
        break;
      case 3:
        // This is the expected case.
        break;
    }

    list($type, $body, $comment) = $parts;

    $recognized_keys = array(
      'ssh-dsa',
      'ssh-dss',
      'ssh-rsa',
      'ssh-ed25519',
      'ecdsa-sha2-nistp256',
      'ecdsa-sha2-nistp384',
      'ecdsa-sha2-nistp521',
    );

    if (!in_array($type, $recognized_keys)) {
      $type_list = implode(', ', $recognized_keys);
      throw new Exception(
        pht(
          'Public key type should be one of: %s',
          $type_list));
    }

    $public_key = new PhabricatorAuthSSHPublicKey();
    $public_key->type = $type;
    $public_key->body = $body;
    $public_key->comment = $comment;

    return $public_key;
  }

  public function getType() {
    return $this->type;
  }

  public function getBody() {
    return $this->body;
  }

  public function getComment() {
    return $this->comment;
  }

  public function getHash() {
    $body = $this->getBody();
    $body = trim($body);
    $body = rtrim($body, '=');
    return PhabricatorHash::digestForIndex($body);
  }

  public function getEntireKey() {
    $key = $this->type.' '.$this->body;
    if (strlen($this->comment)) {
      $key = $key.' '.$this->comment;
    }
    return $key;
  }

  public function toPKCS8() {
    $entire_key = $this->getEntireKey();
    $cache_key = $this->getPKCS8CacheKey($entire_key);

    $cache = PhabricatorCaches::getImmutableCache();
    $pkcs8_key = $cache->getKey($cache_key);
    if ($pkcs8_key) {
      return $pkcs8_key;
    }

    $tmp = new TempFile();
    Filesystem::writeFile($tmp, $this->getEntireKey());
    try {
      list($pkcs8_key) = execx(
        'ssh-keygen -e -m PKCS8 -f %s',
        $tmp);
    } catch (CommandException $ex) {
      unset($tmp);
      throw new PhutilProxyException(
        pht(
          'Failed to convert public key into PKCS8 format. If you are '.
          'developing on OSX, you may be able to use `bin/auth cache-pkcs8` '.
          'to work around this issue. %s',
          $ex->getMessage()),
        $ex);
    }
    unset($tmp);

    $cache->setKey($cache_key, $pkcs8_key);

    return $pkcs8_key;
  }

  public function forcePopulatePKCS8Cache($pkcs8_key) {
    $entire_key = $this->getEntireKey();
    $cache_key = $this->getPKCS8CacheKey($entire_key);

    $cache = PhabricatorCaches::getImmutableCache();
    $cache->setKey($cache_key, $pkcs8_key);
  }

  private function getPKCS8CacheKey($entire_key) {
    return 'pkcs8:'.PhabricatorHash::digestForIndex($entire_key);
  }

}
Add a query/policy layer on top of SSH keys for Almanac Summary: Ref T5833. Currently, SSH keys are associated only with users, and are a bit un-modern. I want to let Almanac Devices have SSH keys so devices in a cluster can identify to one another. For example, with hosted installs, initialization will go something like this: - A request comes in for `company.phacility.com`. - A SiteSource (from D10787) makes a Conduit call to Almanac on the master install to check if `company` is a valid install and pull config if it is. - This call can be signed with an SSH key which identifies a trusted Almanac Device. In the cluster case, a web host can make an authenticated call to a repository host with similar key signing. To move toward this, put a proper Query class on top of SSH key access (this diff). In following diffs, I'll: - Rename `userPHID` to `objectPHID`. - Move this to the `auth` database. - Provide UI for device/key association. An alternative approach would be to build some kind of special token layer in Conduit, but I think that would be a lot harder to manage in the hosting case. This gives us a more direct attack on trusting requests from machines and recognizing machines as first (well, sort of second-class) actors without needing things like fake user accounts. Test Plan: - Added and removed SSH keys. - Added and removed SSH keys from a bot account. - Tried to edit an unonwned SSH key (denied). - Ran `bin/ssh-auth`, got sensible output. - Ran `bin/ssh-auth-key`, got sensible output. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5833 Differential Revision: https://secure.phabricator.com/D10790 2014-11-06 21:37:02 +01:00			`<?php`

			`/**`
			`* Data structure representing a raw public key.`
			`*/`
			`final class PhabricatorAuthSSHPublicKey extends Phobject {`

			`private $type;`
			`private $body;`
			`private $comment;`

			`private function __construct() {`
			`// <internal>`
			`}`

Standardize SSH key storage Summary: Ref T5833. This fixes a few weird things with this table: - A bunch of columns were nullable for no reason. - We stored an MD5 hash of the key (unusual) but never used it and callers were responsible for manually populating it. - We didn't perform known-key-text lookups by using an index. Test Plan: - Ran migrations. - Faked duplicate keys, saw them clean up correctly. - Added new keys. - Generated new keys. - Used `bin/auth-ssh` and `bin/auth-ssh-key`. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5833 Differential Revision: https://secure.phabricator.com/D10805 2014-11-08 00:34:44 +01:00			`public static function newFromStoredKey(PhabricatorAuthSSHKey $key) {`
			`$public_key = new PhabricatorAuthSSHPublicKey();`
			`$public_key->type = $key->getKeyType();`
			`$public_key->body = $key->getKeyBody();`
			`$public_key->comment = $key->getKeyComment();`

			`return $public_key;`
			`}`

Add a query/policy layer on top of SSH keys for Almanac Summary: Ref T5833. Currently, SSH keys are associated only with users, and are a bit un-modern. I want to let Almanac Devices have SSH keys so devices in a cluster can identify to one another. For example, with hosted installs, initialization will go something like this: - A request comes in for `company.phacility.com`. - A SiteSource (from D10787) makes a Conduit call to Almanac on the master install to check if `company` is a valid install and pull config if it is. - This call can be signed with an SSH key which identifies a trusted Almanac Device. In the cluster case, a web host can make an authenticated call to a repository host with similar key signing. To move toward this, put a proper Query class on top of SSH key access (this diff). In following diffs, I'll: - Rename `userPHID` to `objectPHID`. - Move this to the `auth` database. - Provide UI for device/key association. An alternative approach would be to build some kind of special token layer in Conduit, but I think that would be a lot harder to manage in the hosting case. This gives us a more direct attack on trusting requests from machines and recognizing machines as first (well, sort of second-class) actors without needing things like fake user accounts. Test Plan: - Added and removed SSH keys. - Added and removed SSH keys from a bot account. - Tried to edit an unonwned SSH key (denied). - Ran `bin/ssh-auth`, got sensible output. - Ran `bin/ssh-auth-key`, got sensible output. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5833 Differential Revision: https://secure.phabricator.com/D10790 2014-11-06 21:37:02 +01:00			`public static function newFromRawKey($entire_key) {`
			`$entire_key = trim($entire_key);`
			`if (!strlen($entire_key)) {`
			`throw new Exception(pht('No public key was provided.'));`
			`}`

			`$parts = str_replace("\n", '', $entire_key);`

			`// The third field (the comment) can have spaces in it, so split this`
			`// into a maximum of three parts.`
			`$parts = preg_split('/\s+/', $parts, 3);`

			`if (preg_match('/private\s*key/i', $entire_key)) {`
			`// Try to give the user a better error message if it looks like`
			`// they uploaded a private key.`
			`throw new Exception(pht('Provide a public key, not a private key!'));`
			`}`

			`switch (count($parts)) {`
			`case 1:`
			`throw new Exception(`
			`pht('Provided public key is not properly formatted.'));`
			`case 2:`
			`// Add an empty comment part.`
			`$parts[] = '';`
			`break;`
			`case 3:`
			`// This is the expected case.`
			`break;`
			`}`

			`list($type, $body, $comment) = $parts;`

			`$recognized_keys = array(`
			`'ssh-dsa',`
			`'ssh-dss',`
			`'ssh-rsa',`
Support ssh-ed25519 SSH keys Summary: Fixes T7121. Test Plan: Used `ssh-keygen -t ed25519` on an Ubuntu 14 box to generate a key; verified this is the header on the corresponding public key. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7121 Differential Revision: https://secure.phabricator.com/D11930 2015-03-02 18:57:26 +01:00			`'ssh-ed25519',`
Add a query/policy layer on top of SSH keys for Almanac Summary: Ref T5833. Currently, SSH keys are associated only with users, and are a bit un-modern. I want to let Almanac Devices have SSH keys so devices in a cluster can identify to one another. For example, with hosted installs, initialization will go something like this: - A request comes in for `company.phacility.com`. - A SiteSource (from D10787) makes a Conduit call to Almanac on the master install to check if `company` is a valid install and pull config if it is. - This call can be signed with an SSH key which identifies a trusted Almanac Device. In the cluster case, a web host can make an authenticated call to a repository host with similar key signing. To move toward this, put a proper Query class on top of SSH key access (this diff). In following diffs, I'll: - Rename `userPHID` to `objectPHID`. - Move this to the `auth` database. - Provide UI for device/key association. An alternative approach would be to build some kind of special token layer in Conduit, but I think that would be a lot harder to manage in the hosting case. This gives us a more direct attack on trusting requests from machines and recognizing machines as first (well, sort of second-class) actors without needing things like fake user accounts. Test Plan: - Added and removed SSH keys. - Added and removed SSH keys from a bot account. - Tried to edit an unonwned SSH key (denied). - Ran `bin/ssh-auth`, got sensible output. - Ran `bin/ssh-auth-key`, got sensible output. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5833 Differential Revision: https://secure.phabricator.com/D10790 2014-11-06 21:37:02 +01:00			`'ecdsa-sha2-nistp256',`
			`'ecdsa-sha2-nistp384',`
			`'ecdsa-sha2-nistp521',`
			`);`

			`if (!in_array($type, $recognized_keys)) {`
			`$type_list = implode(', ', $recognized_keys);`
			`throw new Exception(`
			`pht(`
			`'Public key type should be one of: %s',`
			`$type_list));`
			`}`

			`$public_key = new PhabricatorAuthSSHPublicKey();`
			`$public_key->type = $type;`
			`$public_key->body = $body;`
			`$public_key->comment = $comment;`

			`return $public_key;`
			`}`

			`public function getType() {`
			`return $this->type;`
			`}`

			`public function getBody() {`
			`return $this->body;`
			`}`

			`public function getComment() {`
			`return $this->comment;`
			`}`

Standardize SSH key storage Summary: Ref T5833. This fixes a few weird things with this table: - A bunch of columns were nullable for no reason. - We stored an MD5 hash of the key (unusual) but never used it and callers were responsible for manually populating it. - We didn't perform known-key-text lookups by using an index. Test Plan: - Ran migrations. - Faked duplicate keys, saw them clean up correctly. - Added new keys. - Generated new keys. - Used `bin/auth-ssh` and `bin/auth-ssh-key`. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5833 Differential Revision: https://secure.phabricator.com/D10805 2014-11-08 00:34:44 +01:00			`public function getHash() {`
			`$body = $this->getBody();`
			`$body = trim($body);`
			`$body = rtrim($body, '=');`
			`return PhabricatorHash::digestForIndex($body);`
			`}`

Allow Phabricator to accept Conduit requests signed with an SSH key Summary: Ref T4209. Depends on D10402. This updates Conduit to support authenticating calls from other servers by signing the request parameters with the sending server's private key and verifying it with the public key stored in the database. Test Plan: - Made like 500 bad calls using the stuff in D10402. - Made a few valid calls using the stuff in D10402. Reviewers: hach-que, btrahan, #blessed_reviewers Reviewed By: btrahan, #blessed_reviewers Subscribers: epriestley, Korvin Maniphest Tasks: T6240, T4209 Differential Revision: https://secure.phabricator.com/D10401 2014-11-17 22:11:52 +01:00			`public function getEntireKey() {`
			`$key = $this->type.' '.$this->body;`
			`if (strlen($this->comment)) {`
			`$key = $key.' '.$this->comment;`
			`}`
			`return $key;`
			`}`

Minor, correct spelling of PKCS8 key format Summary: I faked this out locally because of the OSX stuff and goofed the key format spelling. Auditors: btrahan 2014-11-18 04:54:17 +01:00			`public function toPKCS8() {`
Work around lack of PKCS8 support in OSX ssh-keygen Summary: Ref T4209. Ref T6240. Ref T6238. See D10401 for original discussion. On OSX, `ssh-keygen` doesn't support PKCS8: - When we hit an issue with this, raise a more tailored message about it. - Allow the user to work around the problem with `auth cache-pkcs8 ...`, providing reasonable guidance / warnings. In practice, this only really matters very much for one key, which I'm just going to make the services extension cache automatically. So it's sort of moot, but good to have around for weird cases and to make testing easier. Test Plan: Hit error, cached key, got clean asymmetric auth. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4209, T6240, T6238 Differential Revision: https://secure.phabricator.com/D11021 2014-12-20 01:36:40 +01:00			`$entire_key = $this->getEntireKey();`
			`$cache_key = $this->getPKCS8CacheKey($entire_key);`
Allow Phabricator to accept Conduit requests signed with an SSH key Summary: Ref T4209. Depends on D10402. This updates Conduit to support authenticating calls from other servers by signing the request parameters with the sending server's private key and verifying it with the public key stored in the database. Test Plan: - Made like 500 bad calls using the stuff in D10402. - Made a few valid calls using the stuff in D10402. Reviewers: hach-que, btrahan, #blessed_reviewers Reviewed By: btrahan, #blessed_reviewers Subscribers: epriestley, Korvin Maniphest Tasks: T6240, T4209 Differential Revision: https://secure.phabricator.com/D10401 2014-11-17 22:11:52 +01:00
Work around lack of PKCS8 support in OSX ssh-keygen Summary: Ref T4209. Ref T6240. Ref T6238. See D10401 for original discussion. On OSX, `ssh-keygen` doesn't support PKCS8: - When we hit an issue with this, raise a more tailored message about it. - Allow the user to work around the problem with `auth cache-pkcs8 ...`, providing reasonable guidance / warnings. In practice, this only really matters very much for one key, which I'm just going to make the services extension cache automatically. So it's sort of moot, but good to have around for weird cases and to make testing easier. Test Plan: Hit error, cached key, got clean asymmetric auth. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4209, T6240, T6238 Differential Revision: https://secure.phabricator.com/D11021 2014-12-20 01:36:40 +01:00			`$cache = PhabricatorCaches::getImmutableCache();`
			`$pkcs8_key = $cache->getKey($cache_key);`
			`if ($pkcs8_key) {`
			`return $pkcs8_key;`
			`}`
Allow Phabricator to accept Conduit requests signed with an SSH key Summary: Ref T4209. Depends on D10402. This updates Conduit to support authenticating calls from other servers by signing the request parameters with the sending server's private key and verifying it with the public key stored in the database. Test Plan: - Made like 500 bad calls using the stuff in D10402. - Made a few valid calls using the stuff in D10402. Reviewers: hach-que, btrahan, #blessed_reviewers Reviewed By: btrahan, #blessed_reviewers Subscribers: epriestley, Korvin Maniphest Tasks: T6240, T4209 Differential Revision: https://secure.phabricator.com/D10401 2014-11-17 22:11:52 +01:00
			`$tmp = new TempFile();`
			`Filesystem::writeFile($tmp, $this->getEntireKey());`
Work around lack of PKCS8 support in OSX ssh-keygen Summary: Ref T4209. Ref T6240. Ref T6238. See D10401 for original discussion. On OSX, `ssh-keygen` doesn't support PKCS8: - When we hit an issue with this, raise a more tailored message about it. - Allow the user to work around the problem with `auth cache-pkcs8 ...`, providing reasonable guidance / warnings. In practice, this only really matters very much for one key, which I'm just going to make the services extension cache automatically. So it's sort of moot, but good to have around for weird cases and to make testing easier. Test Plan: Hit error, cached key, got clean asymmetric auth. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4209, T6240, T6238 Differential Revision: https://secure.phabricator.com/D11021 2014-12-20 01:36:40 +01:00			`try {`
			`list($pkcs8_key) = execx(`
			`'ssh-keygen -e -m PKCS8 -f %s',`
			`$tmp);`
			`} catch (CommandException $ex) {`
			`unset($tmp);`
			`throw new PhutilProxyException(`
			`pht(`
			`'Failed to convert public key into PKCS8 format. If you are '.`
			'developing on OSX, you may be able to use `bin/auth cache-pkcs8` '.
			`'to work around this issue. %s',`
			`$ex->getMessage()),`
			`$ex);`
			`}`
Allow Phabricator to accept Conduit requests signed with an SSH key Summary: Ref T4209. Depends on D10402. This updates Conduit to support authenticating calls from other servers by signing the request parameters with the sending server's private key and verifying it with the public key stored in the database. Test Plan: - Made like 500 bad calls using the stuff in D10402. - Made a few valid calls using the stuff in D10402. Reviewers: hach-que, btrahan, #blessed_reviewers Reviewed By: btrahan, #blessed_reviewers Subscribers: epriestley, Korvin Maniphest Tasks: T6240, T4209 Differential Revision: https://secure.phabricator.com/D10401 2014-11-17 22:11:52 +01:00			`unset($tmp);`

Work around lack of PKCS8 support in OSX ssh-keygen Summary: Ref T4209. Ref T6240. Ref T6238. See D10401 for original discussion. On OSX, `ssh-keygen` doesn't support PKCS8: - When we hit an issue with this, raise a more tailored message about it. - Allow the user to work around the problem with `auth cache-pkcs8 ...`, providing reasonable guidance / warnings. In practice, this only really matters very much for one key, which I'm just going to make the services extension cache automatically. So it's sort of moot, but good to have around for weird cases and to make testing easier. Test Plan: Hit error, cached key, got clean asymmetric auth. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4209, T6240, T6238 Differential Revision: https://secure.phabricator.com/D11021 2014-12-20 01:36:40 +01:00			`$cache->setKey($cache_key, $pkcs8_key);`

			`return $pkcs8_key;`
			`}`

			`public function forcePopulatePKCS8Cache($pkcs8_key) {`
			`$entire_key = $this->getEntireKey();`
			`$cache_key = $this->getPKCS8CacheKey($entire_key);`

			`$cache = PhabricatorCaches::getImmutableCache();`
			`$cache->setKey($cache_key, $pkcs8_key);`
			`}`

			`private function getPKCS8CacheKey($entire_key) {`
			`return 'pkcs8:'.PhabricatorHash::digestForIndex($entire_key);`
Allow Phabricator to accept Conduit requests signed with an SSH key Summary: Ref T4209. Depends on D10402. This updates Conduit to support authenticating calls from other servers by signing the request parameters with the sending server's private key and verifying it with the public key stored in the database. Test Plan: - Made like 500 bad calls using the stuff in D10402. - Made a few valid calls using the stuff in D10402. Reviewers: hach-que, btrahan, #blessed_reviewers Reviewed By: btrahan, #blessed_reviewers Subscribers: epriestley, Korvin Maniphest Tasks: T6240, T4209 Differential Revision: https://secure.phabricator.com/D10401 2014-11-17 22:11:52 +01:00			`}`

Add a query/policy layer on top of SSH keys for Almanac Summary: Ref T5833. Currently, SSH keys are associated only with users, and are a bit un-modern. I want to let Almanac Devices have SSH keys so devices in a cluster can identify to one another. For example, with hosted installs, initialization will go something like this: - A request comes in for `company.phacility.com`. - A SiteSource (from D10787) makes a Conduit call to Almanac on the master install to check if `company` is a valid install and pull config if it is. - This call can be signed with an SSH key which identifies a trusted Almanac Device. In the cluster case, a web host can make an authenticated call to a repository host with similar key signing. To move toward this, put a proper Query class on top of SSH key access (this diff). In following diffs, I'll: - Rename `userPHID` to `objectPHID`. - Move this to the `auth` database. - Provide UI for device/key association. An alternative approach would be to build some kind of special token layer in Conduit, but I think that would be a lot harder to manage in the hosting case. This gives us a more direct attack on trusting requests from machines and recognizing machines as first (well, sort of second-class) actors without needing things like fake user accounts. Test Plan: - Added and removed SSH keys. - Added and removed SSH keys from a bot account. - Tried to edit an unonwned SSH key (denied). - Ran `bin/ssh-auth`, got sensible output. - Ran `bin/ssh-auth-key`, got sensible output. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5833 Differential Revision: https://secure.phabricator.com/D10790 2014-11-06 21:37:02 +01:00			`}`