D10401.id26084.diff
diff --git a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
--- a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
+++ b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
@@ -99,4 +99,26 @@
return PhabricatorHash::digestForIndex($body);
}
+ public function getEntireKey() {
+ $key = $this->type.' '.$this->body;
+ if (strlen($this->comment)) {
+ $key = $key.' '.$this->comment;
+ }
+ return $key;
+ }
+
+ public function toPCKS8() {
+
+ // TODO: Put a cache in front of this.
+
+ $tmp = new TempFile();
+ Filesystem::writeFile($tmp, $this->getEntireKey());
+ list($pem_key) = execx(
+ 'ssh-keygen -e -m pcks8 -f %s',
+ $tmp);
+ unset($tmp);
+
+ return $pem_key;
+ }
+
}
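Review bot: The export format passed to ssh-keygen on the `execx` line is misspelled: `-m pcks8` should be `-m pkcs8` (ssh-keygen accepts the format names RFC4716, PKCS8 and PEM, case-insensitively, and exits with "Invalid key format" for anything else), so as written every conversion — and therefore every signed Conduit request — fails before a signature is ever checked. The fix is the one-line change `'ssh-keygen -e -m pkcs8 -f %s',`; the method name `toPCKS8` carries the same transposition and would be clearer as `toPKCS8`, though renaming it also touches the caller in the controller hunk. Since `execx` throws on a non-zero exit and this method is reached with caller-supplied key material, it is also worth a short docblock stating that it returns the PEM/PKCS#8 encoding of the public key and throws when ssh-keygen rejects the input, e.g. `// Convert this public key to PKCS#8 PEM via ssh-keygen; throws if the key can not be exported.` Both methods are complete within the hunk, but the enclosing class starts outside it.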
diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -209,6 +209,84 @@
$request->getUser());
}
+ $auth_type = idx($metadata, 'auth.type');
+ if ($auth_type === ConduitClient::AUTH_ASYMMETRIC) {
+ $host = idx($metadata, 'auth.host');
+ if (!$host) {
+ return array(
+ 'ERR-INVALID-AUTH',
+ pht(
+ 'Request is missing required "auth.host" parameter.'),
+ );
+ }
+
+ // TODO: Validate that we are the host!
+
+ $raw_key = idx($metadata, 'auth.key');
+ $public_key = PhabricatorAuthSSHPublicKey::newFromRawKey($raw_key);
+ $ssl_public_key = $public_key->toPCKS8();
+
+ // First, verify the signature.
+ try {
+ $protocol_data = $metadata;
+
+ // TODO: We should stop writing this into the protocol data when
+ // processing a request.
+ unset($protocol_data['scope']);
+
+ ConduitClient::verifySignature(
+ $this->method,
+ $api_request->getAllParameters(),
+ $protocol_data,
+ $ssl_public_key);
+ } catch (Exception $ex) {
+ return array(
+ 'ERR-INVALID-AUTH',
+ pht(
+ 'Signature verification failure. %s',
+ $ex->getMessage()),
+ );
+ }
+
+ // If the signature is valid, find the user or device which is
+ // associated with this public key.
+
+ $stored_key = id(new PhabricatorAuthSSHKeyQuery())
+ ->setViewer(PhabricatorUser::getOmnipotentUser())
+ ->withKeys(array($public_key))
+ ->executeOne();
+ if (!$stored_key) {
+ return array(
+ 'ERR-INVALID-AUTH',
+ pht(
+ 'No user or device is associated with that public key.'),
+ );
+ }
+
+ $object = $stored_key->getObject();
+
+ if ($object instanceof PhabricatorUser) {
+ $user = $object;
+ } else {
+ throw new Exception(
+ pht('Not Implemented: Would authenticate Almanac device.'));
+ }
+
+ return $this->validateAuthenticatedUser(
+ $api_request,
+ $user);
+ } else if ($auth_type === null) {
+ // No specified authentication type, continue with other authentication
+ // methods below.
+ } else {
+ return array(
+ 'ERR-INVALID-AUTH',
+ pht(
+ 'Provided "auth.type" ("%s") is not recognized.',
+ $auth_type),
+ );
+ }
+
// handle oauth
$access_token = $request->getStr('access_token');
$method_scope = $metadata['scope'];
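Review bot: `newFromRawKey($raw_key)` and `toPCKS8()` run before the `try` that maps failures to `ERR-INVALID-AUTH`, and `auth.key` is never checked for presence the way `auth.host` is, so a missing or malformed key from an unauthenticated caller surfaces as an uncaught exception rather than a Conduit auth error; moving the parse and conversion inside the `try` and rejecting an absent key up front closes that gap. Separately, the stored-key lookup happens only after verification, which means any anonymous request with a well-formed key spawns an `ssh-keygen` subprocess and a temp file before being rejected — doing the `PhabricatorAuthSSHKeyQuery` lookup first would refuse unknown keys without that cost. The `// TODO: Validate that we are the host!` line also appears to leave a signed request valid against any install that trusts the same key, and nothing visible in this hunk ties the signature to a nonce or timestamp, so it seems a captured request could be replayed until the key is removed — worth confirming against `ConduitClient::verifySignature`, which is not shown. The enclosing method starts before the hunk and continues past it.
```php
$raw_key = idx($metadata, 'auth.key');
if (!$raw_key) {
  return array(
    'ERR-INVALID-AUTH',
    pht(
      'Request is missing required "auth.key" parameter.'),
  );
}

// First, verify the signature.
try {
  $public_key = PhabricatorAuthSSHPublicKey::newFromRawKey($raw_key);
  $ssl_public_key = $public_key->toPCKS8();

  $protocol_data = $metadata;
  // … unchanged: unset($protocol_data['scope']) and the verifySignature call …
} catch (Exception $ex) {
  // … unchanged: ERR-INVALID-AUTH response …
}
```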
D10401: Allow Phabricator to accept Conduit requests signed with an SSH key