Skip to content

Commit

Permalink
WIP: Allow decrypting logins/credentials via the API
Browse files Browse the repository at this point in the history
  • Loading branch information
wrongecho committed Aug 25, 2024
1 parent a6113dc commit d37bdcd
Show file tree
Hide file tree
Showing 5 changed files with 211 additions and 5 deletions.
30 changes: 30 additions & 0 deletions api/v1/credentials/create.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
<?php

require_once '../validate_api_key.php';

require_once '../require_post_method.php';

// Parse info
require_once 'credential_model.php';

// Default
$insert_id = false;

if (!empty($api_key_decrypt_password) && !empty($name) && !(empty($password))) {

// Add credential
$insert_sql = mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id, login_client_id = $client_id");

// Check insert & get insert ID
if ($insert_sql) {
$insert_id = mysqli_insert_id($mysqli);

//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Create', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created credential $name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
}

}

// Output
require_once '../create_output.php';
119 changes: 119 additions & 0 deletions api/v1/credentials/credential_model.php
Original file line number Diff line number Diff line change
@@ -1 +1,120 @@
<?php


// Variable assignment from POST (or: blank/from DB is updating)

$api_key_decrypt_password = '';
if (isset($_POST['api_key_decrypt_password'])) {
$api_key_decrypt_password = $_POST['api_key_decrypt_password']; // No sanitization
}

if (isset($_POST['login_name'])) {
$name = sanitizeInput($_POST['login_name']);
} elseif (isset($credential_row) && isset($credential_row['login_name'])) {
$name = $credential_row['login_name'];
} else {
$name = '';
}

if (isset($_POST['login_description'])) {
$description = sanitizeInput($_POST['login_description']);
} elseif (isset($credential_row) && isset($credential_row['login_description'])) {
$description = $credential_row['login_description'];
} else {
$description = '';
}

if (isset($_POST['login_uri'])) {
$uri = sanitizeInput($_POST['login_uri']);
} elseif (isset($credential_row) && isset($credential_row['login_uri'])) {
$uri = $credential_row['login_uri'];
} else {
$uri = '';
}

if (isset($_POST['login_uri_2'])) {
$uri_2 = sanitizeInput($_POST['login_uri_2']);
} elseif (isset($credential_row) && isset($credential_row['login_uri_2'])) {
$uri_2 = $credential_row['login_uri_2'];
} else {
$uri_2 = '';
}

if (isset($_POST['login_username'])) {
$username = $_POST['login_username'];
$username = apiEncryptLoginEntry($username, $api_key_decrypt_hash, $api_key_decrypt_password);
} elseif (isset($credential_row) && isset($credential_row['login_username'])) {
$username = $credential_row['login_username'];
} else {
$username = '';
}

if (isset($_POST['login_password'])) {
$password = $_POST['login_password'];
$password = apiEncryptLoginEntry($password, $api_key_decrypt_hash, $api_key_decrypt_password);
$password_changed = true;
} elseif (isset($credential_row) && isset($credential_row['login_password'])) {
$password = $credential_row['login_password'];
$password_changed = false;
} else {
$password = '';
$password_changed = false;
}



if (isset($_POST['login_otp_secret'])) {
$otp_secret = sanitizeInput($_POST['login_otp_secret']);
} elseif (isset($credential_row) && isset($credential_row['login_otp_secret'])) {
$otp_secret = $credential_row['login_otp_secret'];
} else {
$otp_secret = '';
}

if (isset($_POST['login_note'])) {
$note = sanitizeInput($_POST['login_note']);
} elseif (isset($credential_row) && isset($credential_row['login_note'])) {
$note = $credential_row['login_note'];
} else {
$note = '';
}

if (isset($_POST['login_important'])) {
$important = intval($_POST['login_important']);
} elseif (isset($credential_row) && isset($credential_row['login_important'])) {
$important = $credential_row['login_important'];
} else {
$important = '';
}

if (isset($_POST['login_contact_id'])) {
$contact_id = intval($_POST['login_contact_id']);
} elseif (isset($credential_row) && isset($credential_row['login_contact_id'])) {
$contact_id = $credential_row['login_contact_id'];
} else {
$contact_id = '';
}

if (isset($_POST['login_vendor_id'])) {
$vendor_id = intval($_POST['login_vendor_id']);
} elseif (isset($credential_row) && isset($credential_row['login_vendor_id'])) {
$vendor_id = $credential_row['login_vendor_id'];
} else {
$vendor_id = '';
}

if (isset($_POST['login_asset_id'])) {
$asset_id = intval($_POST['login_asset_id']);
} elseif (isset($credential_row) && isset($credential_row['login_asset_id'])) {
$asset_id = $credential_row['login_asset_id'];
} else {
$asset_id = '';
}

if (isset($_POST['login_software_id'])) {
$software_id = intval($_POST['login_software_id']);
} elseif (isset($credential_row) && isset($credential_row['login_software_id'])) {
$software_id = $credential_row['login_software_id'];
} else {
$software_id = '';
}
14 changes: 10 additions & 4 deletions api/v1/credentials/read.php
Original file line number Diff line number Diff line change
Expand Up @@ -4,20 +4,26 @@

require_once '../require_get_method.php';

// Default
// Defaults
$sql = false;

$api_key_decrypt_password = '';
if (isset($_GET['api_key_decrypt_password'])) {
$api_key_decrypt_password = $_GET['api_key_decrypt_password']; // No sanitization
}

// Specific credential/login via ID (single)
if (isset($_GET['login_id']) && isset($_GET['api_key_decrypt_password'])) {
if (isset($_GET['login_id']) && !empty($api_key_decrypt_password)) {

$id = intval($_GET['login_id']);
$api_key_decrypt_password = $_GET['api_key_decrypt_password']; // No sanitization

$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id' LIMIT 1");


} elseif (isset($_GET['api_key_decrypt_password'])) {
} elseif (!empty($api_key_decrypt_password)) {
// All credentials ("logins")
$api_key_decrypt_password = $_GET['api_key_decrypt_password']; // No sanitization

$sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id LIKE '$client_id' ORDER BY login_id LIMIT $limit OFFSET $offset");

}
Expand Down
38 changes: 38 additions & 0 deletions api/v1/credentials/update.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
<?php

require_once '../validate_api_key.php';

require_once '../require_post_method.php';

// Parse ID
$login_id = intval($_POST['login_id']);

// Default
$update_count = false;

if (!empty($_POST['api_key_decrypt_password']) && !empty($login_id)) {

$credential_row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$login_id' AND login_client_id = $client_id LIMIT 1"));

// Variable assignment from POST - assigning the current database value if a value is not provided
require_once 'credential_model.php';

$update_sql = mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_description = '$description', login_uri = '$uri', login_uri_2 = '$uri_2', login_username = '$username', login_password = '$password', login_otp_secret = '$otp_secret', login_note = '$note', login_important = $important, login_contact_id = $contact_id, login_vendor_id = $vendor_id, login_asset_id = $asset_id, login_software_id = $software_id, login_client_id = $client_id WHERE login_id = '$login_id' AND login_client_id = $client_id LIMIT 1");

// Check insert & get insert ID
if ($update_sql) {
$update_count = mysqli_affected_rows($mysqli);

if ($password_changed) {
mysqli_query($mysqli, "UPDATE logins SET login_password_changed_at = NOW() WHERE login_id = $login_id LIMIT 1");
}

//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Credential', log_action = 'Update', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Updated credential $name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
}

}

// Output
require_once '../update_output.php';
15 changes: 14 additions & 1 deletion functions.php
Original file line number Diff line number Diff line change
Expand Up @@ -382,7 +382,7 @@ function encryptLoginEntry($login_password_cleartext)

function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key_decrypt_password)
{
// TODO: try marking $api_key_decrypt_password as sensitive
// TODO: try marking $api_key_decrypt_password as sensitive - new in PHP 8.2

// Split the login entry (username/password) into IV and Ciphertext
$login_iv = substr($login_ciphertext, 0, 16);
Expand All @@ -395,6 +395,19 @@ function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key
return openssl_decrypt($login_ciphertext, 'aes-128-cbc', $site_encryption_master_key, 0, $login_iv);
}

function apiEncryptLoginEntry($credential_cleartext, $api_key_decrypt_hash, $api_key_decrypt_password)
{
$iv = randomString();

// Decrypt the api hash to get the master key
$site_encryption_master_key = decryptUserSpecificKey($api_key_decrypt_hash, $api_key_decrypt_password);

// Encrypt the credential using the master key
$ciphertext = openssl_encrypt($credential_cleartext, 'aes-128-cbc', $site_encryption_master_key, 0, $iv);

return $iv . $ciphertext;
}

// Get domain general info (whois + NS/A/MX records)
function getDomainRecords($name)
{
Expand Down

0 comments on commit d37bdcd

Please sign in to comment.