scripts/ssh/ssh-auth.php
| #!/usr/bin/env php | #!/usr/bin/env php | ||||
| <?php | <?php | ||||
| $root = dirname(dirname(dirname(__FILE__))); | $root = dirname(dirname(dirname(__FILE__))); | ||||
| require_once $root.'/scripts/__init_script__.php'; | require_once $root.'/scripts/__init_script__.php'; | ||||
| $keys = id(new PhabricatorAuthSSHKeyQuery()) | $keys = id(new PhabricatorAuthSSHKeyQuery()) | ||||
| ->setViewer(PhabricatorUser::getOmnipotentUser()) | ->setViewer(PhabricatorUser::getOmnipotentUser()) | ||||
| ->execute(); | ->execute(); | ||||
| foreach ($keys as $key => $ssh_key) { | |||||
| // For now, filter out any keys which don't belong to users. Eventually we | |||||
| // may allow devices to use this channel. | |||||
| if (!($ssh_key->getObject() instanceof PhabricatorUser)) { | |||||
| unset($keys[$key]); | |||||
| continue; | |||||
| } | |||||
| } | |||||
| if (!$keys) { | if (!$keys) { | ||||
| echo pht('No keys found.')."\n"; | echo pht('No keys found.')."\n"; | ||||
| exit(1); | exit(1); | ||||
| } | } | ||||
| $bin = $root.'/bin/ssh-exec'; | $bin = $root.'/bin/ssh-exec'; | ||||
| foreach ($keys as $ssh_key) { | foreach ($keys as $ssh_key) { | ||||
| $user = $ssh_key->getObject()->getUsername(); | |||||
| $key_argv = array(); | $key_argv = array(); | ||||
| $object = $ssh_key->getObject(); | |||||
| if ($object instanceof PhabricatorUser) { | |||||
| $key_argv[] = '--phabricator-ssh-user'; | $key_argv[] = '--phabricator-ssh-user'; | ||||
| $key_argv[] = $user; | $key_argv[] = $object->getUsername(); | ||||
| } else if ($object instanceof AlmanacDevice) { | |||||
| if (!$ssh_key->getIsTrusted()) { | |||||
| // If this key is not a trusted device key, don't allow SSH | |||||
| // authentication. | |||||
| continue; | |||||
| } | |||||
| $key_argv[] = '--phabricator-ssh-device'; | |||||
| $key_argv[] = $object->getName(); | |||||
| } else { | |||||
epriestley: I'll add a "throw the key away" `else` here to future proof this. | |||||
| // We don't know what sort of key this is; don't permit SSH auth. | |||||
| continue; | |||||
| } | |||||
epriestley: I just added this for logging, it doesn't do anything authentication-related. | |||||
| $key_argv[] = '--phabricator-ssh-key'; | |||||
| $key_argv[] = $ssh_key->getID(); | |||||
| $cmd = csprintf('%s %Ls', $bin, $key_argv); | $cmd = csprintf('%s %Ls', $bin, $key_argv); | ||||
| $instance = PhabricatorEnv::getEnvConfig('cluster.instance'); | $instance = PhabricatorEnv::getEnvConfig('cluster.instance'); | ||||
| if (strlen($instance)) { | if (strlen($instance)) { | ||||
| $cmd = csprintf('PHABRICATOR_INSTANCE=%s %C', $instance, $cmd); | $cmd = csprintf('PHABRICATOR_INSTANCE=%s %C', $instance, $cmd); | ||||
| } | } | ||||
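Review bot: The `No keys found.` / `exit(1)` check near the top of the file now fires only when the query itself returns nothing; keys the new branches skip with `continue` (an untrusted `AlmanacDevice` key, or a key whose object is neither a user nor a device) no longer count toward it, so a store holding only such keys yields empty output and, presumably, a zero exit instead of the old message and non-zero status. Both outcomes still deny the login, but the operator-facing signal differs and the two checks now disagree about what "no keys" means. Count the keys actually emitted, e.g. `$emitted = 0;` before the loop and `$emitted++;` where the key line is printed, and after the loop repeat the existing `echo pht('No keys found.')."\n"; exit(1);` when the count is zero. The end of the `foreach` and the code that prints each key are outside the hunk.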
I'll add a "throw the key away" else here to future proof this.