Make SSH key revocation actually prevent adding the same key back

Summary: Ref T13043. In an earlier change I updated this langauge from "Deactivate" to "Revoke", but the behavior doesn't quite match. This table has a unique key on `<isActive, keyBody>`, which enforces the rule that "a key can only be active for one unique user". However, we set `isActive` to `null` when we revoke a key, and multiple rows are allowed to have the value `<null, "asdf">` (since a `null` column in a unique key basically means "don't enforce this unique key"). This is intentional, to support this workflow: - You add key X to bot A. - Whoops, wrong account. - You revoke key X from bot A. - You add key X to bot B. This isn't necessarily a great workflow -- ideally, you'd throw key X away and go generate a new key after you realize you made a mistake -- but it's the sort of practical workflow that users are likely to expect and want to see work ("I don't want to generate a new key, it's already being used by 5 other services and cycling it is a ton of work and this is just a test install for my dog anyway."), and there's no technical reason we can't support it. To prevent users from adding keys on the revocation list back to their account, just check explicitly. (This is probably better in general anyway, because "cert-authority" support from PHI269 may mean that two keys are "equivalent" even if their text differs, and we may not be able to rely on a database test anyway.) Test Plan: - Added the key `ssh-rsa asdf` to my account. - Revoked it. - Tried to add it again. - Before patch: worked. - After patch: error, "this key has been revoked". - Added it to a different account (the "I put it on the wrong bot" workflow). Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13043 Differential Revision: https://secure.phabricator.com/D18928
2024-11-26 08:42:41 +01:00 · 2018-01-25 06:33:26 -08:00 · 2018-01-25 06:33:26 -08:00 · deb754dfe1
commit deb754dfe1
parent 1059fae6c9
1 changed files with 25 additions and 0 deletions
--- a/src/applications/auth/editor/PhabricatorAuthSSHKeyEditor.php
+++ b/src/applications/auth/editor/PhabricatorAuthSSHKeyEditor.php
@ -104,6 +104,7 @@ final class PhabricatorAuthSSHKeyEditor
    array $xactions) {

    $errors = parent::validateTransaction($object, $type, $xactions);
+    $viewer = $this->requireActor();

    switch ($type) {
      case PhabricatorAuthSSHKeyTransaction::TYPE_NAME:
@ -149,6 +150,30 @@ final class PhabricatorAuthSSHKeyEditor
                pht('Invalid'),
                $ex->getMessage(),
                $xaction);
+              continue;
+            }
+
+            // The database does not have a unique key on just the <keyBody>
+            // column because we allow multiple accounts to revoke the same
+            // key, so we can't rely on database constraints to prevent users
+            // from adding keys that are on the revocation list back to their
+            // accounts. Explicitly check for a revoked copy of the key.
+
+            $revoked_keys = id(new PhabricatorAuthSSHKeyQuery())
+              ->setViewer($viewer)
+              ->withObjectPHIDs(array($object->getObjectPHID()))
+              ->withIsActive(0)
+              ->withKeys(array($public_key))
+              ->execute();
+            if ($revoked_keys) {
+              $errors[] = new PhabricatorApplicationTransactionValidationError(
+                $type,
+                pht('Revoked'),
+                pht(
+                  'This key has been revoked. Choose or generate a new, '.
+                  'unique key.'),
+                $xaction);
+              continue;
            }
          }
        }