diff --git a/src/applications/auth/sshkey/PhabricatorAuthSSHPrivateKey.php b/src/applications/auth/sshkey/PhabricatorAuthSSHPrivateKey.php index ea601a3096..ad26da8ebb 100644 --- a/src/applications/auth/sshkey/PhabricatorAuthSSHPrivateKey.php +++ b/src/applications/auth/sshkey/PhabricatorAuthSSHPrivateKey.php @@ -1,210 +1,210 @@ } public function setPassphrase(PhutilOpaqueEnvelope $passphrase) { $this->passphrase = $passphrase; return $this; } public function getPassphrase() { return $this->passphrase; } public static function newFromRawKey(PhutilOpaqueEnvelope $entire_key) { $key = new self(); $key->body = $entire_key; return $key; } public function getKeyBody() { return $this->body; } public function newBarePrivateKey() { if (!Filesystem::binaryExists('ssh-keygen')) { throw new Exception( pht( 'Analyzing or decrypting SSH keys requires the "ssh-keygen" binary, '. 'but it is not available in "$PATH". Make it available to work with '. 'SSH private keys.')); } $old_body = $this->body; // Some versions of "ssh-keygen" are sensitive to trailing whitespace for // some keys. Trim any trailing whitespace and replace it with a single // newline. $raw_body = $old_body->openEnvelope(); $raw_body = rtrim($raw_body)."\n"; $old_body = new PhutilOpaqueEnvelope($raw_body); $tmp = $this->newTemporaryPrivateKeyFile($old_body); // See T13454 for discussion of why this is so awkward. In broad strokes, // we don't have a straightforward way to distinguish between keys with an // invalid format and keys with a passphrase which we don't know. // First, try to extract the public key from the file using the (possibly // empty) passphrase we were given. If everything is in good shape, this // should work. $passphrase = $this->getPassphrase(); if ($passphrase) { list($err, $stdout, $stderr) = exec_manual( 'ssh-keygen -y -P %P -f %R', $passphrase, $tmp); } else { list($err, $stdout, $stderr) = exec_manual( 'ssh-keygen -y -P %s -f %R', '', $tmp); } // If that worked, the key is good and the (possibly empty) passphrase is // correct. Strip the passphrase if we have one, then return the bare key. if (!$err) { if ($passphrase) { execx( - 'ssh-keygen -y -P %P -N %s -f %R', + 'ssh-keygen -p -P %P -N %s -f %R', $passphrase, '', $tmp); $new_body = new PhutilOpaqueEnvelope(Filesystem::readFile($tmp)); unset($tmp); } else { $new_body = $old_body; } return self::newFromRawKey($new_body); } // We were not able to extract the public key. Try to figure out why. The // reasons we expect are: // // - We were given a passphrase, but the key has no passphrase. // - We were given a passphrase, but the passphrase is wrong. // - We were not given a passphrase, but the key has a passphrase. // - The key format is invalid. // // Our ability to separate these cases varies a lot, particularly because // some versions of "ssh-keygen" return very similar diagnostic messages // for any error condition. Try our best. if ($passphrase) { // First, test for "we were given a passphrase, but the key has no // passphrase", since this is a conclusive test. list($err) = exec_manual( 'ssh-keygen -y -P %s -f %R', '', $tmp); if (!$err) { throw new PhabricatorAuthSSHPrivateKeySurplusPassphraseException( pht( 'A passphrase was provided for this private key, but it does '. 'not require a passphrase. Check that you supplied the correct '. 'key, or omit the passphrase.')); } } // We're out of conclusive tests, so try to guess why the error occurred. // In some versions of "ssh-keygen", we get a usable diagnostic message. In // other versions, not so much. $reason_format = 'format'; $reason_passphrase = 'passphrase'; $reason_unknown = 'unknown'; $patterns = array( // macOS 10.14.6 '/incorrect passphrase supplied to decrypt private key/' => $reason_passphrase, // macOS 10.14.6 '/invalid format/' => $reason_format, // Ubuntu 14 '/load failed/' => $reason_unknown, ); $reason = 'unknown'; foreach ($patterns as $pattern => $pattern_reason) { $ok = preg_match($pattern, $stderr); if ($ok === false) { throw new Exception( pht( 'Pattern "%s" is not valid.', $pattern)); } if ($ok) { $reason = $pattern_reason; break; } } if ($reason === $reason_format) { throw new PhabricatorAuthSSHPrivateKeyFormatException( pht( 'This private key is not formatted correctly. Check that you '. 'have provided the complete text of a valid private key.')); } if ($reason === $reason_passphrase) { if ($passphrase) { throw new PhabricatorAuthSSHPrivateKeyIncorrectPassphraseException( pht( 'This private key requires a passphrase, but the wrong '. 'passphrase was provided. Check that you supplied the correct '. 'key and passphrase.')); } else { throw new PhabricatorAuthSSHPrivateKeyIncorrectPassphraseException( pht( 'This private key requires a passphrase, but no passphrase was '. 'provided. Check that you supplied the correct key, or provide '. 'the passphrase.')); } } if ($passphrase) { throw new PhabricatorAuthSSHPrivateKeyUnknownException( pht( 'This private key could not be opened with the provided passphrase. '. 'This might mean that the passphrase is wrong or that the key is '. 'not formatted correctly. Check that you have supplied the '. 'complete text of a valid private key and the correct passphrase.')); } else { throw new PhabricatorAuthSSHPrivateKeyUnknownException( pht( 'This private key could not be opened. This might mean that the '. 'key requires a passphrase, or might mean that the key is not '. 'formatted correctly. Check that you have supplied the complete '. 'text of a valid private key and the correct passphrase.')); } } private function newTemporaryPrivateKeyFile(PhutilOpaqueEnvelope $key_body) { $tmp = new TempFile(); Filesystem::writeFile($tmp, $key_body->openEnvelope()); return $tmp; } } diff --git a/src/applications/passphrase/controller/PassphraseCredentialViewController.php b/src/applications/passphrase/controller/PassphraseCredentialViewController.php index 6688bef285..a5147295c8 100644 --- a/src/applications/passphrase/controller/PassphraseCredentialViewController.php +++ b/src/applications/passphrase/controller/PassphraseCredentialViewController.php @@ -1,211 +1,210 @@ getViewer(); $id = $request->getURIData('id'); $credential = id(new PassphraseCredentialQuery()) ->setViewer($viewer) ->withIDs(array($id)) ->executeOne(); if (!$credential) { return new Aphront404Response(); } $type = $credential->getImplementation(); $timeline = $this->buildTransactionTimeline( $credential, new PassphraseCredentialTransactionQuery()); $timeline->setShouldTerminate(true); $title = pht('%s %s', $credential->getMonogram(), $credential->getName()); $crumbs = $this->buildApplicationCrumbs(); $crumbs->addTextCrumb($credential->getMonogram()); $crumbs->setBorder(true); $header = $this->buildHeaderView($credential); $curtain = $this->buildCurtain($credential, $type); $subheader = $this->buildSubheaderView($credential); $content = $this->buildPropertySectionView($credential, $type); $view = id(new PHUITwoColumnView()) ->setHeader($header) ->setSubheader($subheader) ->setCurtain($curtain) ->setMainColumn($timeline) ->addPropertySection(pht('Properties'), $content); return $this->newPage() ->setTitle($title) ->setCrumbs($crumbs) ->appendChild($view); } private function buildHeaderView(PassphraseCredential $credential) { $viewer = $this->getRequest()->getUser(); $header = id(new PHUIHeaderView()) ->setUser($viewer) ->setHeader($credential->getName()) ->setPolicyObject($credential) ->setHeaderIcon('fa-user-secret'); if ($credential->getIsDestroyed()) { $header->setStatus('fa-ban', 'red', pht('Destroyed')); } return $header; } private function buildSubheaderView( PassphraseCredential $credential) { $viewer = $this->getViewer(); $author = $viewer->renderHandle($credential->getAuthorPHID())->render(); $date = phabricator_datetime($credential->getDateCreated(), $viewer); $author = phutil_tag('strong', array(), $author); $person = id(new PhabricatorPeopleQuery()) ->setViewer($viewer) ->withPHIDs(array($credential->getAuthorPHID())) ->needProfileImage(true) ->executeOne(); if (!$person) { return null; } $image_uri = $person->getProfileImageURI(); $image_href = '/p/'.$credential->getUsername(); $content = pht('Created by %s on %s.', $author, $date); return id(new PHUIHeadThingView()) ->setImage($image_uri) ->setImageHref($image_href) ->setContent($content); } private function buildCurtain( PassphraseCredential $credential, PassphraseCredentialType $type) { $viewer = $this->getViewer(); $id = $credential->getID(); $is_locked = $credential->getIsLocked(); if ($is_locked) { $credential_lock_text = pht('Locked Permanently'); $credential_lock_icon = 'fa-lock'; } else { $credential_lock_text = pht('Lock Permanently'); $credential_lock_icon = 'fa-unlock'; } $allow_conduit = $credential->getAllowConduit(); if ($allow_conduit) { $credential_conduit_text = pht('Prevent Conduit Access'); $credential_conduit_icon = 'fa-ban'; } else { $credential_conduit_text = pht('Allow Conduit Access'); $credential_conduit_icon = 'fa-wrench'; } $can_edit = PhabricatorPolicyFilter::hasCapability( $viewer, $credential, PhabricatorPolicyCapability::CAN_EDIT); $can_conduit = ($can_edit && !$is_locked); $curtain = $this->newCurtainView($credential); $curtain->addAction( id(new PhabricatorActionView()) ->setName(pht('Edit Credential')) ->setIcon('fa-pencil') ->setHref($this->getApplicationURI("edit/{$id}/")) ->setDisabled(!$can_edit) ->setWorkflow(!$can_edit)); if (!$credential->getIsDestroyed()) { $curtain->addAction( id(new PhabricatorActionView()) ->setName(pht('Destroy Credential')) ->setIcon('fa-times') ->setHref($this->getApplicationURI("destroy/{$id}/")) ->setDisabled(!$can_edit) ->setWorkflow(true)); $curtain->addAction( id(new PhabricatorActionView()) ->setName(pht('Show Secret')) ->setIcon('fa-eye') ->setHref($this->getApplicationURI("reveal/{$id}/")) ->setDisabled(!$can_edit || $is_locked) ->setWorkflow(true)); if ($type->hasPublicKey()) { $curtain->addAction( id(new PhabricatorActionView()) ->setName(pht('Show Public Key')) ->setIcon('fa-download') ->setHref($this->getApplicationURI("public/{$id}/")) - ->setDisabled(!$can_edit) ->setWorkflow(true)); } $curtain->addAction( id(new PhabricatorActionView()) ->setName($credential_conduit_text) ->setIcon($credential_conduit_icon) ->setHref($this->getApplicationURI("conduit/{$id}/")) ->setDisabled(!$can_conduit) ->setWorkflow(true)); $curtain->addAction( id(new PhabricatorActionView()) ->setName($credential_lock_text) ->setIcon($credential_lock_icon) ->setHref($this->getApplicationURI("lock/{$id}/")) ->setDisabled(!$can_edit || $is_locked) ->setWorkflow(true)); } return $curtain; } private function buildPropertySectionView( PassphraseCredential $credential, PassphraseCredentialType $type) { $viewer = $this->getRequest()->getUser(); $properties = id(new PHUIPropertyListView()) ->setUser($viewer); $properties->addProperty( pht('Credential Type'), $type->getCredentialTypeName()); if ($type->shouldRequireUsername()) { $properties->addProperty( pht('Username'), $credential->getUsername()); } $description = $credential->getDescription(); if (strlen($description)) { $properties->addSectionHeader( pht('Description'), PHUIPropertyListView::ICON_SUMMARY); $properties->addTextContent( new PHUIRemarkupView($viewer, $description)); } return $properties; } }