Remove all "FileHasObject" edge reads and writes
[phabricator.git] / src / applications / auth / management / PhabricatorAuthManagementCachePKCS8Workflow.php
1 <?php
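/**
 * `cache-pkcs8` management workflow: associates an operator-supplied PKCS8
 * file with a public key instead of deriving it with ssh-keygen.
 *
 * Security note: this is a trust-on-assertion operation. Nothing in this
 * class verifies that the PKCS8 file actually encodes the given public key;
 * the interactive confirmation in execute() is the only safeguard visible
 * here. The workflow's own warning text restricts it to development
 * environments and to PKCS8 files the operator generated themselves.
 */
final class PhabricatorAuthManagementCachePKCS8Workflow
  extends PhabricatorAuthManagementWorkflow {

  /**
   * Declares the workflow name, usage example, synopsis and the two
   * path arguments (`--public` and `--pkcs8`).
   */
  protected function didConstruct() {
    $this
      ->setName('cache-pkcs8')
      ->setExamples('**cache-pkcs8** --public __keyfile__ --pkcs8 __keyfile__')
      ->setSynopsis(
        pht(
          'Cache the PKCS8 format of a public key. When developing on OSX, '.
          'this can be used to work around issues with ssh-keygen. Use '.
          '`%s` to generate a PKCS8 key to feed to this command.',
          'ssh-keygen -e -m PKCS8 -f key.pub'))
      ->setArguments(
        array(
          array(
            'name' => 'public',
            'param' => 'keyfile',
            'help' => pht('Path to public keyfile.'),
          ),
          array(
            'name' => 'pkcs8',
            'param' => 'keyfile',
            'help' => pht('Path to corresponding PKCS8 key.'),
          ),
        ));
  }

  /**
   * Reads both keyfiles, prints the risk warning, asks for confirmation and
   * then hands the PKCS8 text to the key object for caching.
   *
   * @param PhutilArgumentParser $args Parsed command-line arguments.
   * @return int 0 on success.
   * @throws PhutilArgumentUsageException If an argument is missing, a path
   *   does not exist, or the operator declines the confirmation prompt.
   */
  public function execute(PhutilArgumentParser $args) {
    $console = PhutilConsole::getConsole();

    $public_keyfile = $args->getArg('public');
    // Check for null explicitly: passing null to strlen() is deprecated on
    // PHP 8.1+, and an omitted argument should produce the usage error below.
    if ($public_keyfile === null || !strlen($public_keyfile)) {
      throw new PhutilArgumentUsageException(
        pht(
          'You must specify the path to a public keyfile with %s.',
          '--public'));
    }

    if (!Filesystem::pathExists($public_keyfile)) {
      throw new PhutilArgumentUsageException(
        pht(
          'Specified public keyfile "%s" does not exist!',
          $public_keyfile));
    }

    $public_key = Filesystem::readFile($public_keyfile);

    $pkcs8_keyfile = $args->getArg('pkcs8');
    if ($pkcs8_keyfile === null || !strlen($pkcs8_keyfile)) {
      // The flag name in this message previously read "--pkc8s", which does
      // not match the declared "pkcs8" argument.
      throw new PhutilArgumentUsageException(
        pht(
          'You must specify the path to a pkcs8 keyfile with %s.',
          '--pkcs8'));
    }

    if (!Filesystem::pathExists($pkcs8_keyfile)) {
      throw new PhutilArgumentUsageException(
        pht(
          'Specified pkcs8 keyfile "%s" does not exist!',
          $pkcs8_keyfile));
    }

    $pkcs8_key = Filesystem::readFile($pkcs8_keyfile);

    $warning = pht(
      'Adding a PKCS8 keyfile to the cache can be very dangerous. If the '.
      'PKCS8 file really encodes a different public key than the one '.
      'specified, an attacker could use it to gain unauthorized access.'.
      "\n\n".
      'Generally, you should use this option only in a development '.
      'environment where ssh-keygen is broken and it is inconvenient to '.
      'fix it, and only if you are certain you understand the risks. You '.
      'should never cache a PKCS8 file you did not generate yourself.');

    $console->writeOut(
      "%s\n",
      phutil_console_wrap($warning));

    // The warning is always shown before the prompt, so the operator makes
    // the trust decision with the risk in front of them.
    $prompt = pht('Really trust this PKCS8 keyfile?');
    if (!phutil_console_confirm($prompt)) {
      throw new PhutilArgumentUsageException(
        pht('Aborted workflow.'));
    }

    // NOTE(review): no check here compares $pkcs8_key against $public_key.
    // Whether forcePopulatePKCS8Cache() validates its input is not visible
    // from this file - confirm before relying on it outside development.
    $key = PhabricatorAuthSSHPublicKey::newFromRawKey($public_key);
    $key->forcePopulatePKCS8Cache($pkcs8_key);

    $console->writeOut(
      "%s\n",
      pht('Cached PKCS8 key for public key.'));

    return 0;
  }

}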