diff --git a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php index 6ed5ff20df..d32a1f84e7 100644 --- a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php +++ b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php @@ -99,4 +99,26 @@ final class PhabricatorAuthSSHPublicKey extends Phobject { return PhabricatorHash::digestForIndex($body); } + public function getEntireKey() { + $key = $this->type.' '.$this->body; + if (strlen($this->comment)) { + $key = $key.' '.$this->comment; + } + return $key; + } + + public function toPCKS8() { + + // TODO: Put a cache in front of this. + + $tmp = new TempFile(); + Filesystem::writeFile($tmp, $this->getEntireKey()); + list($pem_key) = execx( + 'ssh-keygen -e -m pcks8 -f %s', + $tmp); + unset($tmp); + + return $pem_key; + } + } diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php index 1a6080b0fe..9738237b82 100644 --- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php +++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php @@ -209,6 +209,84 @@ final class PhabricatorConduitAPIController $request->getUser()); } + $auth_type = idx($metadata, 'auth.type'); + if ($auth_type === ConduitClient::AUTH_ASYMMETRIC) { + $host = idx($metadata, 'auth.host'); + if (!$host) { + return array( + 'ERR-INVALID-AUTH', + pht( + 'Request is missing required "auth.host" parameter.'), + ); + } + + // TODO: Validate that we are the host! + + $raw_key = idx($metadata, 'auth.key'); + $public_key = PhabricatorAuthSSHPublicKey::newFromRawKey($raw_key); + $ssl_public_key = $public_key->toPCKS8(); + + // First, verify the signature. + try { + $protocol_data = $metadata; + + // TODO: We should stop writing this into the protocol data when + // processing a request. + unset($protocol_data['scope']); + + ConduitClient::verifySignature( + $this->method, + $api_request->getAllParameters(), + $protocol_data, + $ssl_public_key); + } catch (Exception $ex) { + return array( + 'ERR-INVALID-AUTH', + pht( + 'Signature verification failure. %s', + $ex->getMessage()), + ); + } + + // If the signature is valid, find the user or device which is + // associated with this public key. + + $stored_key = id(new PhabricatorAuthSSHKeyQuery()) + ->setViewer(PhabricatorUser::getOmnipotentUser()) + ->withKeys(array($public_key)) + ->executeOne(); + if (!$stored_key) { + return array( + 'ERR-INVALID-AUTH', + pht( + 'No user or device is associated with that public key.'), + ); + } + + $object = $stored_key->getObject(); + + if ($object instanceof PhabricatorUser) { + $user = $object; + } else { + throw new Exception( + pht('Not Implemented: Would authenticate Almanac device.')); + } + + return $this->validateAuthenticatedUser( + $api_request, + $user); + } else if ($auth_type === null) { + // No specified authentication type, continue with other authentication + // methods below. + } else { + return array( + 'ERR-INVALID-AUTH', + pht( + 'Provided "auth.type" ("%s") is not recognized.', + $auth_type), + ); + } + // handle oauth $access_token = $request->getStr('access_token'); $method_scope = $metadata['scope'];