Allow device SSH keys to be trusted

Authored by epriestley <git@epriestley.com> on Nov 21 2014, 02:33.

Description

Allow device SSH keys to be trusted

Summary:
Ref T6240. Some discussion in that task. In instance/cluster environments, daemons need to make Conduit calls that bypass policy checks.

We can't just let anyone add SSH keys with this capability to the web directly, because then an administrator could just add a key they own and start signing requests with it, bypassing policy checks.

Add a bin/almanac trust-key --id <x> workflow for trusting keys. Only trusted keys can sign requests.

Test Plan:

  • Generated a user key.
  • Generated a device key.
  • Trusted a device key.
  • Untrusted a device key.
  • Hit the various errors on trust/untrust.
  • Tried to edit a trusted key.

{F236010}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6240

Differential Revision: https://secure.phabricator.com/D10878

Details

Committed: epriestley <git@epriestley.com>, Nov 21 2014, 02:33
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPHc2f0955e9bd2: Add workboard link to emails about workboard changes
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH5e0f218fe480: Allow device SSH keys to be trusted (authored by epriestley <git@epriestley.com>). Nov 21 2014, 02:33