mirror of https://github.com/itflow-org/itflow
WIP: Allow decrypting logins/credentials via the API
This commit is contained in:
wrongecho
parent
a6113dc371
commit
d37bdcdbcb
|
|
@ -0,0 +1,30 @@
|
|||
<?php
|
||||
|
||||
require_once '../validate_api_key.php';
|
||||
|
||||
require_once '../require_post_method.php';
|
||||
|
||||
// Parse info
|
||||
require_once 'credential_model.php';
|
||||
|
||||
// Default
|
||||
$insert_id = false;
|
||||
|
||||
if (!empty($api_key_decrypt_password) && !empty($name) && !(empty($password))) {
|
||||
|
||||
// Add credential
|
||||
$insert_sql = mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id, login_client_id = $client_id");
|
||||
|
||||
// Check insert & get insert ID
|
||||
if ($insert_sql) {
|
||||
$insert_id = mysqli_insert_id($mysqli);
|
||||
|
||||
//Logging
|
||||
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Create', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
|
||||
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created credential $name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Output
|
||||
require_once '../create_output.php';
|
||||
|
|
@ -1 +1,120 @@
|
|||
<?php
|
||||
|
||||
|
||||
// Variable assignment from POST (or: blank/from DB is updating)
|
||||
|
||||
$api_key_decrypt_password = '';
|
||||
if (isset($_POST['api_key_decrypt_password'])) {
|
||||
$api_key_decrypt_password = $_POST['api_key_decrypt_password']; // No sanitization
|
||||
}
|
||||
|
||||
if (isset($_POST['login_name'])) {
|
||||
$name = sanitizeInput($_POST['login_name']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_name'])) {
|
||||
$name = $credential_row['login_name'];
|
||||
} else {
|
||||
$name = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_description'])) {
|
||||
$description = sanitizeInput($_POST['login_description']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_description'])) {
|
||||
$description = $credential_row['login_description'];
|
||||
} else {
|
||||
$description = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_uri'])) {
|
||||
$uri = sanitizeInput($_POST['login_uri']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_uri'])) {
|
||||
$uri = $credential_row['login_uri'];
|
||||
} else {
|
||||
$uri = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_uri_2'])) {
|
||||
$uri_2 = sanitizeInput($_POST['login_uri_2']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_uri_2'])) {
|
||||
$uri_2 = $credential_row['login_uri_2'];
|
||||
} else {
|
||||
$uri_2 = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_username'])) {
|
||||
$username = $_POST['login_username'];
|
||||
$username = apiEncryptLoginEntry($username, $api_key_decrypt_hash, $api_key_decrypt_password);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_username'])) {
|
||||
$username = $credential_row['login_username'];
|
||||
} else {
|
||||
$username = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_password'])) {
|
||||
$password = $_POST['login_password'];
|
||||
$password = apiEncryptLoginEntry($password, $api_key_decrypt_hash, $api_key_decrypt_password);
|
||||
$password_changed = true;
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_password'])) {
|
||||
$password = $credential_row['login_password'];
|
||||
$password_changed = false;
|
||||
} else {
|
||||
$password = '';
|
||||
$password_changed = false;
|
||||
}
|
||||
|
||||
|
||||
|
||||
if (isset($_POST['login_otp_secret'])) {
|
||||
$otp_secret = sanitizeInput($_POST['login_otp_secret']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_otp_secret'])) {
|
||||
$otp_secret = $credential_row['login_otp_secret'];
|
||||
} else {
|
||||
$otp_secret = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_note'])) {
|
||||
$note = sanitizeInput($_POST['login_note']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_note'])) {
|
||||
$note = $credential_row['login_note'];
|
||||
} else {
|
||||
$note = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_important'])) {
|
||||
$important = intval($_POST['login_important']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_important'])) {
|
||||
$important = $credential_row['login_important'];
|
||||
} else {
|
||||
$important = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_contact_id'])) {
|
||||
$contact_id = intval($_POST['login_contact_id']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_contact_id'])) {
|
||||
$contact_id = $credential_row['login_contact_id'];
|
||||
} else {
|
||||
$contact_id = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_vendor_id'])) {
|
||||
$vendor_id = intval($_POST['login_vendor_id']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_vendor_id'])) {
|
||||
$vendor_id = $credential_row['login_vendor_id'];
|
||||
} else {
|
||||
$vendor_id = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_asset_id'])) {
|
||||
$asset_id = intval($_POST['login_asset_id']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_asset_id'])) {
|
||||
$asset_id = $credential_row['login_asset_id'];
|
||||
} else {
|
||||
$asset_id = '';
|
||||
}
|
||||
|
||||
if (isset($_POST['login_software_id'])) {
|
||||
$software_id = intval($_POST['login_software_id']);
|
||||
} elseif (isset($credential_row) && isset($credential_row['login_software_id'])) {
|
||||
$software_id = $credential_row['login_software_id'];
|
||||
} else {
|
||||
$software_id = '';
|
||||
}
|
||||
|
|
@ -4,20 +4,26 @@ require_once '../validate_api_key.php';
|
|||
|
||||
require_once '../require_get_method.php';
|
||||
|
||||
// Default
|
||||
// Defaults
|
||||
$sql = false;
|
||||
|
||||
$api_key_decrypt_password = '';
|
||||
if (isset($_GET['api_key_decrypt_password'])) {
|
||||
$api_key_decrypt_password = $_GET['api_key_decrypt_password']; // No sanitization
|
||||
}
|
||||
|
||||
// Specific credential/login via ID (single)
|
||||
if (isset($_GET['login_id']) && isset($_GET['api_key_decrypt_password'])) {
|
||||
if (isset($_GET['login_id']) && !empty($api_key_decrypt_password)) {
|
||||
|
||||
$id = intval($_GET['login_id']);
|
||||
$api_key_decrypt_password = $_GET['api_key_decrypt_password']; // No sanitization
|
||||
|
||||
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id' LIMIT 1");
|
||||
|
||||
|
||||
} elseif (isset($_GET['api_key_decrypt_password'])) {
|
||||
} elseif (!empty($api_key_decrypt_password)) {
|
||||
// All credentials ("logins")
|
||||
$api_key_decrypt_password = $_GET['api_key_decrypt_password']; // No sanitization
|
||||
|
||||
$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id LIKE '$client_id' ORDER BY login_id LIMIT $limit OFFSET $offset");
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,38 @@
|
|||
<?php
|
||||
|
||||
require_once '../validate_api_key.php';
|
||||
|
||||
require_once '../require_post_method.php';
|
||||
|
||||
// Parse ID
|
||||
$login_id = intval($_POST['login_id']);
|
||||
|
||||
// Default
|
||||
$update_count = false;
|
||||
|
||||
if (!empty($_POST['api_key_decrypt_password']) && !empty($login_id)) {
|
||||
|
||||
$credential_row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$login_id' AND login_client_id = $client_id LIMIT 1"));
|
||||
|
||||
// Variable assignment from POST - assigning the current database value if a value is not provided
|
||||
require_once 'credential_model.php';
|
||||
|
||||
$update_sql = mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id, login_client_id = $client_id WHERE login_id = '$login_id' AND login_client_id = $client_id LIMIT 1");
|
||||
|
||||
// Check insert & get insert ID
|
||||
if ($update_sql) {
|
||||
$update_count = mysqli_affected_rows($mysqli);
|
||||
|
||||
if ($password_changed) {
|
||||
mysqli_query($mysqli, "UPDATE logins SET login_password_changed_at = NOW() WHERE login_id = $login_id LIMIT 1");
|
||||
}
|
||||
|
||||
//Logging
|
||||
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Update', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
|
||||
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated credential $name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Output
|
||||
require_once '../update_output.php';
|
||||
|
|
@ -382,7 +382,7 @@ function encryptLoginEntry($login_password_cleartext)
|
|||
|
||||
function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key_decrypt_password)
|
||||
{
|
||||
// TODO: try marking $api_key_decrypt_password as sensitive
|
||||
// TODO: try marking $api_key_decrypt_password as sensitive - new in PHP 8.2
|
||||
|
||||
// Split the login entry (username/password) into IV and Ciphertext
|
||||
$login_iv = substr($login_ciphertext, 0, 16);
|
||||
|
|
@ -395,6 +395,19 @@ function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key
|
|||
return openssl_decrypt($login_ciphertext, 'aes-128-cbc', $site_encryption_master_key, 0, $login_iv);
|
||||
}
|
||||
|
||||
function apiEncryptLoginEntry($credential_cleartext, $api_key_decrypt_hash, $api_key_decrypt_password)
|
||||
{
|
||||
$iv = randomString();
|
||||
|
||||
// Decrypt the api hash to get the master key
|
||||
$site_encryption_master_key = decryptUserSpecificKey($api_key_decrypt_hash, $api_key_decrypt_password);
|
||||
|
||||
// Encrypt the credential using the master key
|
||||
$ciphertext = openssl_encrypt($credential_cleartext, 'aes-128-cbc', $site_encryption_master_key, 0, $iv);
|
||||
|
||||
return $iv . $ciphertext;
|
||||
}
|
||||
|
||||
// Get domain general info (whois + NS/A/MX records)
|
||||
function getDomainRecords($name)
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in New Issue