mirror of https://we.phorge.it/source/phorge.git synced 2025-02-10 05:48:30 +01:00
phorge-phorge/src/applications/auth
epriestley 3dea92081b Fix an issue where passphrase-protected private keys were stored without discarding passphrases
Summary:
Ref T13454. See <https://discourse.phabricator-community.org/t/newly-created-ssh-private-keys-with-passphrase-not-working-anymore/3883>.

After changes to distinguish between invalid and passphrase-protected keys, SSH private key management code incorrectly uses "-y ..." ("print public key") when it means "-p ..." ("modify input file, removing passphrase"). This results in the command having no effect, and Passphrase stores the raw input credential, not the stripped version.

We can't recover the keys because we don't store the passphrase, so no migration here is really possible. (We could add more code to detect this case, but it's presumably rare.)

Also, correct the behavior of the "Show Public Key" action: this is available for users who can see the credential and does not require edit permission.

Test Plan:
  - Created a new credential with a passphrase, then showed the public key.

Maniphest Tasks: T13006, T13454

Differential Revision: https://secure.phabricator.com/D21245
2020-05-13 08:14:37 -07:00
..
__tests__ Prevent users from selecting excessively bad passwords based on their username or email address 2018-11-06 12:44:07 -08:00
action Simplify implementation of "SysetemAction->getSystemActionConstant()" 2019-07-19 15:45:37 -07:00
adapter Use "rest/api/3/myself" to retrieve JIRA profile details, not "rest/auth/1/session" 2020-04-25 14:05:22 -07:00
application Replace old hard-coded URI-based "changes saved" jank with new overgeneralized cookie-based "changes saved" jank 2020-04-19 09:04:31 -07:00
capability Auth - add "manage providers" capability 2015-01-12 14:37:58 -08:00
conduit Deactivate SSH keys instead of destroying them completely 2016-05-18 14:54:28 -07:00
constants Replace old hard-coded URI-based "changes saved" jank with new overgeneralized cookie-based "changes saved" jank 2020-04-19 09:04:31 -07:00
controller Remove all readers and all nontrivial writers for "accountType" and "accountDomain" on "ExternalAccount" 2020-02-22 17:48:46 -08:00
data When issuing a "no-op" MFA token because no MFA is configured, don't give the timeline story a badge 2020-01-30 07:35:40 -08:00
editor Actually enforce auth.lock-config 2019-07-15 11:52:55 -07:00
engine When issuing a "no-op" MFA token because no MFA is configured, don't give the timeline story a badge 2020-01-30 07:35:40 -08:00
engineextension Allow "Sign with MFA" to be applied as a comment action without requiring "CAN_EDIT" 2019-06-17 10:41:42 -07:00
exception Correctly identify more SSH private key problems as "formatting" or "passphrase" related 2019-11-13 10:22:00 -08:00
extension Replace all "setQueryParam()" calls with "remove/replaceQueryParam()" 2019-02-14 11:56:39 -08:00
factor Autofocus the "App Code" input on the TOTP prompt during MFA gates after login 2019-08-08 12:54:22 -07:00
future Replace "URI->setQueryParams()" after initialization with a constructor argument 2019-02-14 11:46:37 -08:00
garbagecollector Add a garbage collector for MFA challenges 2018-12-17 07:00:55 -08:00
guidance Some formatting changes for showing auth provider config guidance 2019-04-17 11:08:16 -07:00
mail Send forced mail on SSH key edits 2016-05-19 15:01:25 -07:00
management Remove all readers and all nontrivial writers for "accountType" and "accountDomain" on "ExternalAccount" 2020-02-22 17:48:46 -08:00
message Allow installs to provide "Request a Username Change" instructions 2019-09-24 11:09:26 -07:00
password Prevent users from selecting excessively bad passwords based on their username or email address 2018-11-06 12:44:07 -08:00
phid Set a URI on Auth Messages, so the "Change Details" dialog from the transaction record has a cancel button 2019-04-30 06:59:04 -07:00
provider According to Jira Project keys must start with an uppercase letter, followed by one or more uppercase alphanumeric characters 2020-03-09 22:04:23 +02:00
query Remove all readers and writers of "accountID" on "ExternalAccount" 2020-02-22 17:49:22 -08:00
revoker Add "bin/auth revoke --list" to explain what can be revoked 2018-01-23 14:01:39 -08:00
sshkey Fix an issue where passphrase-protected private keys were stored without discarding passphrases 2020-05-13 08:14:37 -07:00
storage Make AuthProvider, ExternalAccount, and ExternalAccountIdentifier all Destructible 2020-02-22 17:46:29 -08:00
tokentype Redesign Config Application 2016-08-29 15:49:49 -07:00
view Stop exposing raw "accountID" values directly in the web UI 2020-02-22 17:41:55 -08:00
worker Send emails for email invites 2015-02-11 06:06:09 -08:00
xaction Fix an issue where Duo validation could incorrectly apply to other factor types 2019-02-03 06:36:49 -08:00