<?php
// Report every category of PHP error while this page runs.
error_reporting(E_ALL);

// Tab identifier passed to render_page() at the end of this script.
$TAB = 'USER';

// Main include, resolved from the web server's document root.
include $_SERVER['DOCUMENT_ROOT'] . '/inc/main.php';
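/**
 * Check that a value has the textual shape of an SSH public key line:
 * "<algorithm> <base64-blob> [comment]".
 *
 * This is a format check only. It does not prove the key is usable, and it
 * says nothing about key strength.
 * Based on https://gist.github.com/jupeter/3248095
 *
 * @param mixed $value Candidate key line, normally raw request data.
 * @return bool True when the value passes every format check below.
 */
function validateKey($value)
{
    // Request parameters can arrive as arrays (v_key[]=...); only a string
    // can be a key line, and explode() below requires one.
    if (!is_string($value)) {
        return false;
    }

    // Tolerate the trailing line break a pasted key usually carries, but
    // reject control characters anywhere else: a public key is a single
    // line, and the free-form comment field must not be able to smuggle in
    // additional lines.
    $line = rtrim($value);
    if (preg_match('/[\x00-\x1F\x7F]/', $line) === 1) {
        return false;
    }

    // At most three fields; everything after the second space is the comment.
    $key_parts = explode(' ', $line, 3);
    if (count($key_parts) < 2) {
        return false;
    }
    $algorithm = $key_parts[0];
    $key = $key_parts[1];

    // NOTE(review): only these two key types are accepted. ssh-dss (DSA) is
    // disabled by default in current OpenSSH releases, and newer types such
    // as ssh-ed25519 are rejected here. The list is left unchanged because
    // the 16-character prefix check below only fits 7-character type names.
    if (!in_array($algorithm, array('ssh-rsa', 'ssh-dss'), true)) {
        return false;
    }

    // The blob must be strict base64 and must not decode to nothing.
    $key_base64_decoded = base64_decode($key, true);
    if ($key_base64_decoded === false || $key_base64_decoded === '') {
        return false;
    }

    // The first 16 base64 characters decode to 12 bytes. After stripping
    // everything except word characters and '-', what remains must equal the
    // declared algorithm, i.e. the blob has to name the same key type.
    $check = base64_decode(substr($key, 0, 16));
    $check = preg_replace("/[^\w\-]/", "", $check);

    return (string) $check === $algorithm;
}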
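// Handle the "add SSH key" form submission.
if (!empty($_POST['ok'])) {
    // CSRF token check. Both sides must be non-empty strings and are compared
    // with hash_equals(). A loose != would treat an unset session token and
    // an empty posted token as equal, and could apply numeric-string
    // comparison rules to the two values.
    $session_token = (isset($_SESSION['token']) && is_scalar($_SESSION['token']))
        ? (string) $_SESSION['token']
        : '';
    $posted_token = isset($_POST['token']) ? $_POST['token'] : '';
    if ($session_token === ''
        || !is_string($posted_token)
        || !hash_equals($session_token, $posted_token)
    ) {
        header('location: /login/');
        exit();
    }

    if (empty($_POST['v_key'])) {
        $_SESSION['error_msg'] = __('Field SSH_KEY can not be blank.');
    }

    // empty() instead of a bare read: the error key is normally not set yet.
    if (empty($_SESSION['error_msg'])) {
        $posted_key = $_POST['v_key'];

        // Validate before running any command. The is_string() guard rejects
        // array-valued parameters (v_key[]=...) before they reach explode().
        if (!is_string($posted_key) || !validateKey($posted_key)) {
            $_SESSION['error_msg'] = __('SSH KEY is invalid');
        } else {
            // Split the same trimmed text that is later passed to the
            // backend, so a trailing line break cannot end up in the ID.
            $v_key_parts = explode(' ', trim($posted_key));
            $key_id = isset($v_key_parts[2]) ? trim($v_key_parts[2]) : '';

            if ($key_id === '') {
                // The third field (user@domain) is required: it is the ID
                // used when deleting or revoking the key.
                $_SESSION['error_msg'] = __('SSH KEY is invalid');
            } else {
                // exec() appends to an existing array, so start clean.
                unset($output);
                // NOTE(review): $user is concatenated into the command line
                // unquoted here; confirm that inc/main.php already
                // shell-escapes it.
                exec(HESTIA_CMD . "v-list-user-ssh-key " . $user . " json", $output, $return_var);
                $data = json_decode(implode('', $output), true);
                // Drop the listing so it is not handed to check_return_code()
                // together with the output of the add command below.
                unset($output);

                // Collect the IDs and key bodies already stored for the user.
                // Both lists start empty so a user without keys (or a listing
                // that is not valid JSON) does not leave them undefined.
                $idlist = array();
                $keylist = array();
                if (is_array($data)) {
                    foreach ($data as $entry) {
                        if (isset($entry['ID'])) {
                            $idlist[] = trim($entry['ID']);
                        }
                        if (isset($entry['KEY'])) {
                            $keylist[] = trim($entry['KEY']);
                        }
                    }
                }

                // The ID must be unique because delete/revoke addresses a key
                // by it; the key body must not be registered twice either.
                // Strict comparison avoids numeric-string matches such as
                // "1e3" == "1000".
                if (in_array($key_id, $idlist, true) || in_array($v_key_parts[1], $keylist, true)) {
                    $_SESSION['error_msg'] = __('SSH KEY already exists');
                } else {
                    // Quote the whole key line as one shell argument.
                    $v_key = escapeshellarg(trim($posted_key));
                }
            }
        }
    }

    // Add the key only when every check above passed.
    if (empty($_SESSION['error_msg'])) {
        exec(HESTIA_CMD . "v-add-user-ssh-key " . $user . " " . $v_key, $output, $return_var);
        check_return_code($return_var, $output);
    }
    unset($output);

    // Report success when neither validation nor the backend set an error.
    if (empty($_SESSION['error_msg'])) {
        $_SESSION['ok_msg'] = __('SSH KEY created');
    }
}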
// Render the "add key" page for the current user.
render_page($user, $TAB, 'add_key');

// Session messages are one-shot: clear both once the page has been rendered.
unset($_SESSION['error_msg'], $_SESSION['ok_msg']);