liam-linux-account-manager/model/publickey.php

275 lines
9.9 KiB
PHP
Raw Permalink Normal View History

2021-11-16 15:11:32 +01:00
<?php
/**
* Class that represents a stored SSH public key
*/
class PublicKey extends Record {
/**
* Defines the database table that this object is stored in
*/
protected $table = 'public_key';
/**
* Import all key data from a provided OpenSSH-text-format public key.
* Cope with some possible correctable whitespace data issues.
* @param string $key data to import
* @param string|null $uid if not null, used if key has no comment to generate a standard comment
* @param bool $force if true, enable the use of lower security keys
* @throws InvalidArgumentException if the public key cannot be parsed or is not sufficiently secure
*/
public function import($key, $uid = null, $force = false) {
// Remove newlines (often included by accident) and trim
$key = str_replace(array("\r", "\n"), array(), trim($key));
// Initial sanity check and determine minimum length for algorithm
if(preg_match('|^(ssh-[a-z]{3}) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$|', $key, $matches)) {
$minbits = 4096;
} elseif(preg_match('|^(ecdsa-sha2-nistp[0-9]+) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$|', $key, $matches)) {
$minbits = 384;
} elseif(preg_match('|^(ssh-ed25519) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$|', $key, $matches)) {
$minbits = 256;
} else {
throw new InvalidArgumentException("Public key doesn't look valid");
}
$this->type = $matches[1];
$this->keydata = $matches[2];
if(isset($matches[3])) {
$this->comment = $matches[3];
} elseif(is_null($uid)) {
$this->comment = date('Y-m-d');
} else {
$this->comment = $uid.'-'.date('Y-m-d');
}
$algorithm = $this->get_openssh_info();
$hash_md5 = md5(base64_decode($this->keydata));
$hash_sha256 = hash('sha256', base64_decode($this->keydata), true);
$this->fingerprint_md5 = rtrim(chunk_split($hash_md5, 2, ':'), ':');
$this->fingerprint_sha256 = rtrim(base64_encode($hash_sha256), '=');
$this->randomart_md5 = $this->generate_randomart($hash_md5, "{$algorithm} {$this->keysize}", 'MD5');
$this->randomart_sha256 = $this->generate_randomart(bin2hex($hash_sha256), "{$algorithm} {$this->keysize}", 'SHA256');
if($this->keysize < $minbits && !$force) {
throw new InvalidArgumentException("Insufficient bits in public key");
}
}
/**
* Determine the algorithm and keysize of a key by passing it to OpenSSH's ssh-keygen utility.
* @return string algorithm in use
*/
public function get_openssh_info() {
$filename = tempnam('/tmp', 'key-test-');
$file = fopen($filename, 'w');
fwrite($file, $this->export());
fclose($file);
exec('/usr/bin/ssh-keygen -lf '.escapeshellarg($filename).' 2>/dev/null', $output);
unlink($filename);
if(count($output) == 1 && preg_match('|^([0-9]+) .* \(([A-Z0-9]+)\)$|', $output[0], $matches)) {
$this->keysize = intval($matches[1]);
return $matches[2];
} else {
throw new InvalidArgumentException("Public key doesn't look valid");
}
}
/**
* Generate random art for the key in the same way that OpenSSH does
* OpenSSH random art uses the 'drunken bishop' algorithm as explained at
* https://pthree.org/2013/05/30/openssh-keys-and-the-drunken-bishop/
* @param string $string key hash to generate randomart of
* @param string $keytype string containing text to include at the top of the randomart
* @param string $algo string containing text to include at the bottom of the randomart
* @return string containing generated randomart
*/
function generate_randomart($string, $keytype, $algo) {
// Basic constants
$max_x = 16; // Map size, x dimension
$max_y = 8; // Map size, y dimension
$s_x = 8; // Starting position, x coord
$s_y = 4; // Starting position, y coord
// Character mapping
$char_map = array(' ', '.', 'o', '+', '=', '*', 'B', 'O', 'X', '@', '%', '&', '#', '/', '^');
// Build empty map
$map = array();
for($x = 0; $x <= $max_x; $x++) {
$map[$x] = array();
for($y = 0; $y <= $max_y; $y++) {
$map[$x][$y] = 0;
}
}
// Set the bishop to his starting position
$b_x = $s_x; // Bishop position, x coord
$b_y = $s_y; // Bishop position, y coord
// Let him wander
$chunks = str_split($string, 2);
foreach($chunks as $chunk) {
$binary = str_pad(base_convert($chunk, 16, 2), 8, '0', STR_PAD_LEFT);
foreach(array_reverse(str_split($binary, 2)) as $bit_pair) {
// Work out which diagonal direction he will move based on the bit pair
$dx = ($bit_pair[1] == 0 ? -1 : 1);
$dy = ($bit_pair[0] == 0 ? -1 : 1);
$b_x += $dx;
$b_y += $dy;
// Stop him wandering outside the map
$b_x = min(max($b_x, 0), 16);
$b_y = min(max($b_y, 0), 8);
// Increment count at his new position
$map[$b_x][$b_y]++;
}
}
// Output his path within the map
$output = "+".str_pad('['.$keytype.']', $max_x + 1, '-', STR_PAD_BOTH)."+\n";
for($y = 0; $y <= $max_y; $y++) {
$output .= "|";
for($x = 0; $x <= $max_x; $x++) {
if($x == $b_x && $y == $b_y) {
// End position
$output .= 'E';
} elseif($x == $s_x && $y == $s_y) {
// Start position
$output .= 'S';
} else {
// Output character corresponding to number of passes
if(isset($char_map[$map[$x][$y]])) {
$output .= $char_map[$map[$x][$y]];
} else {
$output .= '^';
}
}
}
$output .= "|\n";
}
$output .= "+".str_pad('['.$algo.']', $max_x + 1, '-', STR_PAD_BOTH)."+";
return $output;
}
/**
* Provide the key in OpenSSH-text-format.
* @return string key in OpenSSH-text-format
*/
public function export() {
return "{$this->type} {$this->keydata} {$this->comment}";
}
/**
* Provide a text summary of details about the key, including hashes, randomart and link to view it.
* @return string text summary
*/
public function summarize_key_information() {
global $config;
$url = $config['web']['baseurl'].'/pubkeys/'.urlencode($this->id);
$output = "The key fingerprint is:\n";
$output .= " MD5:{$this->fingerprint_md5}\n";
$output .= " SHA256:{$this->fingerprint_sha256}\n\n";
$output .= "The key randomart is:\n";
$randomart_md5 = explode("\n", $this->randomart_md5);
$randomart_sha256 = explode("\n", $this->randomart_sha256);
foreach($randomart_md5 as $ref => $line) {
$output .= $line.' '.$randomart_sha256[$ref]."\n";
}
$output .= "\nYou can also view the key at <$url>";
return $output;
}
/**
* Add a GPG signature for this public key.
* @param PublicKeySignature $sig GPG signature to add
*/
public function add_signature(PublicKeySignature $sig) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before signatures can be added');
$sig->validate();
$stmt = $this->database->prepare("INSERT INTO public_key_signature SET public_key_id = ?, signature = ?, upload_date = UTC_TIMESTAMP(), fingerprint = ?, sign_date = ?");
$stmt->bind_param('dsss', $this->id, $sig->signature, $sig->fingerprint, $sig->sign_date);
$stmt->execute();
$sig->id = $stmt->insert_id;
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* Delete a GPG signature for this public key.
* @param PublicKeySignature $sig GPG signature to remove
*/
public function delete_signature(PublicKeySignature $sig) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before signatures can be deleted');
$stmt = $this->database->prepare("DELETE FROM public_key_signature WHERE public_key_id = ? AND id = ?");
$stmt->bind_param('dd', $this->id, $sig->id);
$stmt->execute();
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* List all GPG signatures stored for this public key.
* @return array of PublicKeySignature objects
*/
public function list_signatures() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Public key must be in directory before signatures can be listed');
$stmt = $this->database->prepare("SELECT * FROM public_key_signature WHERE public_key_id = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$sigs = array();
while($row = $result->fetch_assoc()) {
$sig = new PublicKeySignature($row['id'], $row);
$sig->public_key = $this;
$sigs[] = $sig;
}
$stmt->close();
return $sigs;
}
/**
* Add a destination rule specifying where this key is allowed to be synced to.
* @param PublicKeyDestRule $rule destination rule to be added
*/
public function add_destination_rule(PublicKeyDestRule $rule) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before destination rules can be added');
$stmt = $this->database->prepare("INSERT INTO public_key_dest_rule SET public_key_id = ?, account_name_filter = ?, hostname_filter = ?");
$stmt->bind_param('dss', $this->id, $rule->account_name_filter, $rule->hostname_filter);
$stmt->execute();
$rule->id = $stmt->insert_id;
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* Delete a destination rule that specified where this key was allowed to be synced to.
* @param PublicKeyDestRule $rule destination rule to be removed
*/
public function delete_destination_rule(PublicKeyDestRule $rule) {
if(is_null($this->id)) throw new BadMethodCallException('Public key must be in directory before destination rules can be added');
$stmt = $this->database->prepare("DELETE FROM public_key_dest_rule WHERE public_key_id = ? AND id = ?");
$stmt->bind_param('dd', $this->id, $rule->id);
$stmt->execute();
$stmt->close();
$this->owner->sync_remote_access();
}
/**
* List all destination rule currently applying to this key.
* @return array of PublicKeyDestRule objects
*/
public function list_destination_rules() {
if(is_null($this->entity_id)) throw new BadMethodCallException('Public key must be in directory before destination rules can be listed');
$stmt = $this->database->prepare("SELECT * FROM public_key_dest_rule WHERE public_key_id = ?");
$stmt->bind_param('d', $this->id);
$stmt->execute();
$result = $stmt->get_result();
$rules = array();
while($row = $result->fetch_assoc()) {
$rules[] = new PublicKeyDestRule($row['id'], $row);
}
$stmt->close();
return $rules;
}
}