diff --git a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php index 6ed5ff20df..d32a1f84e7 100644 --- a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php +++ b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php @@ -1,102 +1,124 @@ } public static function newFromStoredKey(PhabricatorAuthSSHKey $key) { $public_key = new PhabricatorAuthSSHPublicKey(); $public_key->type = $key->getKeyType(); $public_key->body = $key->getKeyBody(); $public_key->comment = $key->getKeyComment(); return $public_key; } public static function newFromRawKey($entire_key) { $entire_key = trim($entire_key); if (!strlen($entire_key)) { throw new Exception(pht('No public key was provided.')); } $parts = str_replace("\n", '', $entire_key); // The third field (the comment) can have spaces in it, so split this // into a maximum of three parts. $parts = preg_split('/\s+/', $parts, 3); if (preg_match('/private\s*key/i', $entire_key)) { // Try to give the user a better error message if it looks like // they uploaded a private key. throw new Exception(pht('Provide a public key, not a private key!')); } switch (count($parts)) { case 1: throw new Exception( pht('Provided public key is not properly formatted.')); case 2: // Add an empty comment part. $parts[] = ''; break; case 3: // This is the expected case. break; } list($type, $body, $comment) = $parts; $recognized_keys = array( 'ssh-dsa', 'ssh-dss', 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', ); if (!in_array($type, $recognized_keys)) { $type_list = implode(', ', $recognized_keys); throw new Exception( pht( 'Public key type should be one of: %s', $type_list)); } $public_key = new PhabricatorAuthSSHPublicKey(); $public_key->type = $type; $public_key->body = $body; $public_key->comment = $comment; return $public_key; } public function getType() { return $this->type; } public function getBody() { return $this->body; } public function getComment() { return $this->comment; } public function getHash() { $body = $this->getBody(); $body = trim($body); $body = rtrim($body, '='); return PhabricatorHash::digestForIndex($body); } + public function getEntireKey() { + $key = $this->type.' '.$this->body; + if (strlen($this->comment)) { + $key = $key.' '.$this->comment; + } + return $key; + } + + public function toPCKS8() { + + // TODO: Put a cache in front of this. + + $tmp = new TempFile(); + Filesystem::writeFile($tmp, $this->getEntireKey()); + list($pem_key) = execx( + 'ssh-keygen -e -m pcks8 -f %s', + $tmp); + unset($tmp); + + return $pem_key; + } + } diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php index 1a6080b0fe..9738237b82 100644 --- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php +++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php @@ -1,475 +1,553 @@ method = $data['method']; return $this; } public function processRequest() { $time_start = microtime(true); $request = $this->getRequest(); $method = $this->method; $api_request = null; $log = new PhabricatorConduitMethodCallLog(); $log->setMethod($method); $metadata = array(); try { $params = $this->decodeConduitParams($request, $method); $metadata = idx($params, '__conduit__', array()); unset($params['__conduit__']); $call = new ConduitCall( $method, $params, idx($metadata, 'isProxied', false)); $result = null; // TODO: Straighten out the auth pathway here. We shouldn't be creating // a ConduitAPIRequest at this level, but some of the auth code expects // it. Landing a halfway version of this to unblock T945. $api_request = new ConduitAPIRequest($params); $allow_unguarded_writes = false; $auth_error = null; $conduit_username = '-'; if ($call->shouldRequireAuthentication()) { $metadata['scope'] = $call->getRequiredScope(); $auth_error = $this->authenticateUser($api_request, $metadata); // If we've explicitly authenticated the user here and either done // CSRF validation or are using a non-web authentication mechanism. $allow_unguarded_writes = true; if (isset($metadata['actAsUser'])) { $this->actAsUser($api_request, $metadata['actAsUser']); } if ($auth_error === null) { $conduit_user = $api_request->getUser(); if ($conduit_user && $conduit_user->getPHID()) { $conduit_username = $conduit_user->getUsername(); } $call->setUser($api_request->getUser()); } } $access_log = PhabricatorAccessLog::getLog(); if ($access_log) { $access_log->setData( array( 'u' => $conduit_username, 'm' => $method, )); } if ($call->shouldAllowUnguardedWrites()) { $allow_unguarded_writes = true; } if ($auth_error === null) { if ($allow_unguarded_writes) { $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); } try { $result = $call->execute(); $error_code = null; $error_info = null; } catch (ConduitException $ex) { $result = null; $error_code = $ex->getMessage(); if ($ex->getErrorDescription()) { $error_info = $ex->getErrorDescription(); } else { $error_info = $call->getErrorDescription($error_code); } } if ($allow_unguarded_writes) { unset($unguarded); } } else { list($error_code, $error_info) = $auth_error; } } catch (Exception $ex) { if (!($ex instanceof ConduitMethodNotFoundException)) { phlog($ex); } $result = null; $error_code = ($ex instanceof ConduitException ? 'ERR-CONDUIT-CALL' : 'ERR-CONDUIT-CORE'); $error_info = $ex->getMessage(); } $time_end = microtime(true); $connection_id = null; if (idx($metadata, 'connectionID')) { $connection_id = $metadata['connectionID']; } else if (($method == 'conduit.connect') && $result) { $connection_id = idx($result, 'connectionID'); } $log ->setCallerPHID( isset($conduit_user) ? $conduit_user->getPHID() : null) ->setConnectionID($connection_id) ->setError((string)$error_code) ->setDuration(1000000 * ($time_end - $time_start)); $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); $log->save(); unset($unguarded); $response = id(new ConduitAPIResponse()) ->setResult($result) ->setErrorCode($error_code) ->setErrorInfo($error_info); switch ($request->getStr('output')) { case 'human': return $this->buildHumanReadableResponse( $method, $api_request, $response->toDictionary()); case 'json': default: return id(new AphrontJSONResponse()) ->setAddJSONShield(false) ->setContent($response->toDictionary()); } } /** * Change the api request user to the user that we want to act as. * Only admins can use actAsUser * * @param ConduitAPIRequest Request being executed. * @param string The username of the user we want to act as */ private function actAsUser( ConduitAPIRequest $api_request, $user_name) { $config_key = 'security.allow-conduit-act-as-user'; if (!PhabricatorEnv::getEnvConfig($config_key)) { throw new Exception('security.allow-conduit-act-as-user is disabled'); } if (!$api_request->getUser()->getIsAdmin()) { throw new Exception('Only administrators can use actAsUser'); } $user = id(new PhabricatorUser())->loadOneWhere( 'userName = %s', $user_name); if (!$user) { throw new Exception( "The actAsUser username '{$user_name}' is not a valid user." ); } $api_request->setUser($user); } /** * Authenticate the client making the request to a Phabricator user account. * * @param ConduitAPIRequest Request being executed. * @param dict Request metadata. * @return null|pair Null to indicate successful authentication, or * an error code and error message pair. */ private function authenticateUser( ConduitAPIRequest $api_request, array $metadata) { $request = $this->getRequest(); if ($request->getUser()->getPHID()) { $request->validateCSRF(); return $this->validateAuthenticatedUser( $api_request, $request->getUser()); } + $auth_type = idx($metadata, 'auth.type'); + if ($auth_type === ConduitClient::AUTH_ASYMMETRIC) { + $host = idx($metadata, 'auth.host'); + if (!$host) { + return array( + 'ERR-INVALID-AUTH', + pht( + 'Request is missing required "auth.host" parameter.'), + ); + } + + // TODO: Validate that we are the host! + + $raw_key = idx($metadata, 'auth.key'); + $public_key = PhabricatorAuthSSHPublicKey::newFromRawKey($raw_key); + $ssl_public_key = $public_key->toPCKS8(); + + // First, verify the signature. + try { + $protocol_data = $metadata; + + // TODO: We should stop writing this into the protocol data when + // processing a request. + unset($protocol_data['scope']); + + ConduitClient::verifySignature( + $this->method, + $api_request->getAllParameters(), + $protocol_data, + $ssl_public_key); + } catch (Exception $ex) { + return array( + 'ERR-INVALID-AUTH', + pht( + 'Signature verification failure. %s', + $ex->getMessage()), + ); + } + + // If the signature is valid, find the user or device which is + // associated with this public key. + + $stored_key = id(new PhabricatorAuthSSHKeyQuery()) + ->setViewer(PhabricatorUser::getOmnipotentUser()) + ->withKeys(array($public_key)) + ->executeOne(); + if (!$stored_key) { + return array( + 'ERR-INVALID-AUTH', + pht( + 'No user or device is associated with that public key.'), + ); + } + + $object = $stored_key->getObject(); + + if ($object instanceof PhabricatorUser) { + $user = $object; + } else { + throw new Exception( + pht('Not Implemented: Would authenticate Almanac device.')); + } + + return $this->validateAuthenticatedUser( + $api_request, + $user); + } else if ($auth_type === null) { + // No specified authentication type, continue with other authentication + // methods below. + } else { + return array( + 'ERR-INVALID-AUTH', + pht( + 'Provided "auth.type" ("%s") is not recognized.', + $auth_type), + ); + } + // handle oauth $access_token = $request->getStr('access_token'); $method_scope = $metadata['scope']; if ($access_token && $method_scope != PhabricatorOAuthServerScope::SCOPE_NOT_ACCESSIBLE) { $token = id(new PhabricatorOAuthServerAccessToken()) ->loadOneWhere('token = %s', $access_token); if (!$token) { return array( 'ERR-INVALID-AUTH', 'Access token does not exist.', ); } $oauth_server = new PhabricatorOAuthServer(); $valid = $oauth_server->validateAccessToken($token, $method_scope); if (!$valid) { return array( 'ERR-INVALID-AUTH', 'Access token is invalid.', ); } // valid token, so let's log in the user! $user_phid = $token->getUserPHID(); $user = id(new PhabricatorUser()) ->loadOneWhere('phid = %s', $user_phid); if (!$user) { return array( 'ERR-INVALID-AUTH', 'Access token is for invalid user.', ); } return $this->validateAuthenticatedUser( $api_request, $user); } // Handle sessionless auth. TOOD: This is super messy. if (isset($metadata['authUser'])) { $user = id(new PhabricatorUser())->loadOneWhere( 'userName = %s', $metadata['authUser']); if (!$user) { return array( 'ERR-INVALID-AUTH', 'Authentication is invalid.', ); } $token = idx($metadata, 'authToken'); $signature = idx($metadata, 'authSignature'); $certificate = $user->getConduitCertificate(); if (sha1($token.$certificate) !== $signature) { return array( 'ERR-INVALID-AUTH', 'Authentication is invalid.', ); } return $this->validateAuthenticatedUser( $api_request, $user); } $session_key = idx($metadata, 'sessionKey'); if (!$session_key) { return array( 'ERR-INVALID-SESSION', 'Session key is not present.', ); } $user = id(new PhabricatorAuthSessionEngine()) ->loadUserForSession(PhabricatorAuthSession::TYPE_CONDUIT, $session_key); if (!$user) { return array( 'ERR-INVALID-SESSION', 'Session key is invalid.', ); } return $this->validateAuthenticatedUser( $api_request, $user); } private function validateAuthenticatedUser( ConduitAPIRequest $request, PhabricatorUser $user) { if (!$user->isUserActivated()) { return array( 'ERR-USER-DISABLED', pht('User account is not activated.'), ); } $request->setUser($user); return null; } private function buildHumanReadableResponse( $method, ConduitAPIRequest $request = null, $result = null) { $param_rows = array(); $param_rows[] = array('Method', $this->renderAPIValue($method)); if ($request) { foreach ($request->getAllParameters() as $key => $value) { $param_rows[] = array( $key, $this->renderAPIValue($value), ); } } $param_table = new AphrontTableView($param_rows); $param_table->setDeviceReadyTable(true); $param_table->setColumnClasses( array( 'header', 'wide', )); $result_rows = array(); foreach ($result as $key => $value) { $result_rows[] = array( $key, $this->renderAPIValue($value), ); } $result_table = new AphrontTableView($result_rows); $result_table->setDeviceReadyTable(true); $result_table->setColumnClasses( array( 'header', 'wide', )); $param_panel = new AphrontPanelView(); $param_panel->setHeader('Method Parameters'); $param_panel->appendChild($param_table); $result_panel = new AphrontPanelView(); $result_panel->setHeader('Method Result'); $result_panel->appendChild($result_table); $param_head = id(new PHUIHeaderView()) ->setHeader(pht('Method Parameters')); $result_head = id(new PHUIHeaderView()) ->setHeader(pht('Method Result')); $method_uri = $this->getApplicationURI('method/'.$method.'/'); $crumbs = $this->buildApplicationCrumbs() ->addTextCrumb($method, $method_uri) ->addTextCrumb(pht('Call')); return $this->buildApplicationPage( array( $crumbs, $param_head, $param_table, $result_head, $result_table, ), array( 'title' => 'Method Call Result', )); } private function renderAPIValue($value) { $json = new PhutilJSON(); if (is_array($value)) { $value = $json->encodeFormatted($value); } $value = phutil_tag( 'pre', array('style' => 'white-space: pre-wrap;'), $value); return $value; } private function decodeConduitParams( AphrontRequest $request, $method) { // Look for parameters from the Conduit API Console, which are encoded // as HTTP POST parameters in an array, e.g.: // // params[name]=value¶ms[name2]=value2 // // The fields are individually JSON encoded, since we require users to // enter JSON so that we avoid type ambiguity. $params = $request->getArr('params', null); if ($params !== null) { foreach ($params as $key => $value) { if ($value == '') { // Interpret empty string null (e.g., the user didn't type anything // into the box). $value = 'null'; } $decoded_value = json_decode($value, true); if ($decoded_value === null && strtolower($value) != 'null') { // When json_decode() fails, it returns null. This almost certainly // indicates that a user was using the web UI and didn't put quotes // around a string value. We can either do what we think they meant // (treat it as a string) or fail. For now, err on the side of // caution and fail. In the future, if we make the Conduit API // actually do type checking, it might be reasonable to treat it as // a string if the parameter type is string. throw new Exception( "The value for parameter '{$key}' is not valid JSON. All ". "parameters must be encoded as JSON values, including strings ". "(which means you need to surround them in double quotes). ". "Check your syntax. Value was: {$value}"); } $params[$key] = $decoded_value; } return $params; } // Otherwise, look for a single parameter called 'params' which has the // entire param dictionary JSON encoded. This is the usual case for remote // requests. $params_json = $request->getStr('params'); if (!strlen($params_json)) { if ($request->getBool('allowEmptyParams')) { // TODO: This is a bit messy, but otherwise you can't call // "conduit.ping" from the web console. $params = array(); } else { throw new Exception( "Request has no 'params' key. This may mean that an extension like ". "Suhosin has dropped data from the request. Check the PHP ". "configuration on your server. If you are developing a Conduit ". "client, you MUST provide a 'params' parameter when making a ". "Conduit request, even if the value is empty (e.g., provide '{}')."); } } else { $params = json_decode($params_json, true); if (!is_array($params)) { throw new Exception( "Invalid parameter information was passed to method ". "'{$method}', could not decode JSON serialization. Data: ". $params_json); } } return $params; } }