Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F13194139
D16744.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
6 KB
Referenced Files
None
Subscribers
None
D16744.diff
View Options
diff --git a/scripts/ssh/ssh-auth.php b/scripts/ssh/ssh-auth.php
--- a/scripts/ssh/ssh-auth.php
+++ b/scripts/ssh/ssh-auth.php
@@ -4,74 +4,84 @@
$root = dirname(dirname(dirname(__FILE__)));
require_once $root.'/scripts/__init_script__.php';
-$keys = id(new PhabricatorAuthSSHKeyQuery())
- ->setViewer(PhabricatorUser::getOmnipotentUser())
- ->withIsActive(true)
- ->execute();
-
-if (!$keys) {
- echo pht('No keys found.')."\n";
- exit(1);
-}
+$cache = PhabricatorCaches::getMutableCache();
+$authfile_key = PhabricatorAuthSSHKeyQuery::AUTHFILE_CACHEKEY;
+$authfile = $cache->getKey($authfile_key);
+
+if ($authfile === null) {
+ $keys = id(new PhabricatorAuthSSHKeyQuery())
+ ->setViewer(PhabricatorUser::getOmnipotentUser())
+ ->withIsActive(true)
+ ->execute();
+
+ if (!$keys) {
+ echo pht('No keys found.')."\n";
+ exit(1);
+ }
-$bin = $root.'/bin/ssh-exec';
-foreach ($keys as $ssh_key) {
- $key_argv = array();
- $object = $ssh_key->getObject();
- if ($object instanceof PhabricatorUser) {
- $key_argv[] = '--phabricator-ssh-user';
- $key_argv[] = $object->getUsername();
- } else if ($object instanceof AlmanacDevice) {
- if (!$ssh_key->getIsTrusted()) {
- // If this key is not a trusted device key, don't allow SSH
- // authentication.
+ $bin = $root.'/bin/ssh-exec';
+ foreach ($keys as $ssh_key) {
+ $key_argv = array();
+ $object = $ssh_key->getObject();
+ if ($object instanceof PhabricatorUser) {
+ $key_argv[] = '--phabricator-ssh-user';
+ $key_argv[] = $object->getUsername();
+ } else if ($object instanceof AlmanacDevice) {
+ if (!$ssh_key->getIsTrusted()) {
+ // If this key is not a trusted device key, don't allow SSH
+ // authentication.
+ continue;
+ }
+ $key_argv[] = '--phabricator-ssh-device';
+ $key_argv[] = $object->getName();
+ } else {
+ // We don't know what sort of key this is; don't permit SSH auth.
continue;
}
- $key_argv[] = '--phabricator-ssh-device';
- $key_argv[] = $object->getName();
- } else {
- // We don't know what sort of key this is; don't permit SSH auth.
- continue;
- }
- $key_argv[] = '--phabricator-ssh-key';
- $key_argv[] = $ssh_key->getID();
+ $key_argv[] = '--phabricator-ssh-key';
+ $key_argv[] = $ssh_key->getID();
- $cmd = csprintf('%s %Ls', $bin, $key_argv);
+ $cmd = csprintf('%s %Ls', $bin, $key_argv);
- $instance = PhabricatorEnv::getEnvConfig('cluster.instance');
- if (strlen($instance)) {
- $cmd = csprintf('PHABRICATOR_INSTANCE=%s %C', $instance, $cmd);
- }
+ $instance = PhabricatorEnv::getEnvConfig('cluster.instance');
+ if (strlen($instance)) {
+ $cmd = csprintf('PHABRICATOR_INSTANCE=%s %C', $instance, $cmd);
+ }
- // This is additional escaping for the SSH 'command="..."' string.
- $cmd = addcslashes($cmd, '"\\');
+ // This is additional escaping for the SSH 'command="..."' string.
+ $cmd = addcslashes($cmd, '"\\');
- // Strip out newlines and other nonsense from the key type and key body.
+ // Strip out newlines and other nonsense from the key type and key body.
- $type = $ssh_key->getKeyType();
- $type = preg_replace('@[\x00-\x20]+@', '', $type);
- if (!strlen($type)) {
- continue;
- }
+ $type = $ssh_key->getKeyType();
+ $type = preg_replace('@[\x00-\x20]+@', '', $type);
+ if (!strlen($type)) {
+ continue;
+ }
- $key = $ssh_key->getKeyBody();
- $key = preg_replace('@[\x00-\x20]+@', '', $key);
- if (!strlen($key)) {
- continue;
- }
+ $key = $ssh_key->getKeyBody();
+ $key = preg_replace('@[\x00-\x20]+@', '', $key);
+ if (!strlen($key)) {
+ continue;
+ }
+
+ $options = array(
+ 'command="'.$cmd.'"',
+ 'no-port-forwarding',
+ 'no-X11-forwarding',
+ 'no-agent-forwarding',
+ 'no-pty',
+ );
+ $options = implode(',', $options);
- $options = array(
- 'command="'.$cmd.'"',
- 'no-port-forwarding',
- 'no-X11-forwarding',
- 'no-agent-forwarding',
- 'no-pty',
- );
- $options = implode(',', $options);
+ $lines[] = $options.' '.$type.' '.$key."\n";
+ }
- $lines[] = $options.' '.$type.' '.$key."\n";
+ $authfile = implode('', $lines);
+ $ttl = phutil_units('24 hours in seconds');
+ $cache->setKey($authfile_key, $authfile, $ttl);
}
-echo implode('', $lines);
+echo $authfile;
exit(0);
diff --git a/src/applications/auth/editor/PhabricatorAuthSSHKeyEditor.php b/src/applications/auth/editor/PhabricatorAuthSSHKeyEditor.php
--- a/src/applications/auth/editor/PhabricatorAuthSSHKeyEditor.php
+++ b/src/applications/auth/editor/PhabricatorAuthSSHKeyEditor.php
@@ -191,6 +191,20 @@
return 'ssh-key-'.$object->getPHID();
}
+ protected function applyFinalEffects(
+ PhabricatorLiskDAO $object,
+ array $xactions) {
+
+ // After making any change to an SSH key, drop the authfile cache so it
+ // is regenerated the next time anyone authenticates.
+ $cache = PhabricatorCaches::getMutableCache();
+ $authfile_key = PhabricatorAuthSSHKeyQuery::AUTHFILE_CACHEKEY;
+ $cache->deleteKey($authfile_key);
+
+ return $xactions;
+ }
+
+
protected function getMailTo(PhabricatorLiskDAO $object) {
return $object->getObject()->getSSHKeyNotifyPHIDs();
}
diff --git a/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php b/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
--- a/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
+++ b/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
@@ -3,6 +3,8 @@
final class PhabricatorAuthSSHKeyQuery
extends PhabricatorCursorPagedPolicyAwareQuery {
+ const AUTHFILE_CACHEKEY = 'ssh.authfile';
+
private $ids;
private $phids;
private $objectPHIDs;
diff --git a/src/applications/cache/PhabricatorCaches.php b/src/applications/cache/PhabricatorCaches.php
--- a/src/applications/cache/PhabricatorCaches.php
+++ b/src/applications/cache/PhabricatorCaches.php
@@ -99,6 +99,23 @@
return $caches;
}
+ public static function getMutableCache() {
+ static $cache;
+ if (!$cache) {
+ $caches = self::buildMutableCaches();
+ $cache = self::newStackFromCaches($caches);
+ }
+ return $cache;
+ }
+
+ private static function buildMutableCaches() {
+ $caches = array();
+
+ $caches[] = new PhabricatorKeyValueDatabaseCache();
+
+ return $caches;
+ }
+
/* -( Repository Graph Cache )--------------------------------------------- */
diff --git a/src/applications/cache/PhabricatorKeyValueDatabaseCache.php b/src/applications/cache/PhabricatorKeyValueDatabaseCache.php
--- a/src/applications/cache/PhabricatorKeyValueDatabaseCache.php
+++ b/src/applications/cache/PhabricatorKeyValueDatabaseCache.php
@@ -98,7 +98,7 @@
$this->establishConnection('w'),
'DELETE FROM %T WHERE cacheKeyHash IN (%Ls)',
$this->getTableName(),
- $keys);
+ $map);
}
return $this;
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Mon, May 13, 9:21 PM (1 w, 2 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6277149
Default Alt Text
D16744.diff (6 KB)
Attached To
Mode
D16744: Cache generation of the SSH authentication keyfile for sshd
Attached
Detach File
Event Timeline
Log In to Comment