@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge


When registering a device, write a device ID

Summary:
Ref T5833. In some cases, we need to know if an Almanac device is the localhost or not, so we can either handle or forward the request.

To accomplish this, write a device ID when running `bin/almanac register`.

Using `--allow-key-reuse` and `--identify-as`, multiple devices are permitted to //authenticate// as one device but //identify// as different devices. In the Phacility cluster, this allows all the `repoXXX` machines to have one keypair (making key management much easier) but still work as separate devices. This is an advanced feature; normal installs with 1-3 hosts would just generate a key + device per host and identify/authenticate as the same device.

Test Plan: Ran commands with lots of flags like `PHACILITY_INSTANCE=local sudo -E ./bin/almanac register --device daemon.phacility.net --private-key ~/dev/core/conf/keys/daemon.key --force --allow-key-reuse --identify-as local001.phacility.net`. Got a good result from `AlmanacKeys::getDeviceID()` afterward.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5833

Differential Revision: https://secure.phabricator.com/D11452
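The following is an added illustration, not Phorge or Phabricator code and not part of this commit, of the two rules the summary describes: `--identify-as` overrides `--device` for the identity written to `conf/keys/device.id`, and a daemon later compares the stored ID against a request's target device to decide whether to handle or forward. The `$known_devices` list stands in for Almanac's device table and the host names are constructed for the example; the existence check in `resolve_identity()` is something this patch does not do, added here to show where a typo in `--identify-as` would otherwise go unnoticed.

```php
<?php
// Added example (not Phabricator/Phorge code): resolve the identity a host
// writes to device.id, then use that identity to route a request.

/**
 * Resolve the identity to store in conf/keys/device.id.
 * Same rule as the patch: --identify-as, when non-empty, overrides --device.
 * $known_devices is a constructed stand-in for the Almanac device list.
 */
function resolve_identity(string $device, ?string $identify_as, array $known_devices): string {
  $identity = ($identify_as !== null && $identify_as !== '') ? $identify_as : $device;
  // Extra check, not in the patch: refuse an identity Almanac does not know,
  // so a mistyped --identify-as fails at registration rather than at runtime.
  if (!in_array($identity, $known_devices, true)) {
    throw new InvalidArgumentException("Unknown Almanac device: {$identity}");
  }
  return $identity;
}

/**
 * Decide whether a request addressed to $target_device belongs to this host.
 * $local_id models AlmanacKeys::getDeviceID(): the trimmed file contents, or
 * null when device.id is absent (hosts registered before this change).
 */
function route_for(?string $local_id, string $target_device): string {
  if ($local_id === null) {
    // No identity on disk: this host cannot say which device it is, so do
    // not forward blindly; let the caller decide how to fail.
    return 'unknown-identity';
  }
  // Host names are case-insensitive; device.id is already trimmed.
  return strcasecmp($local_id, $target_device) === 0 ? 'handle' : 'forward';
}

// Constructed sample: two repo hosts share one keypair (registered as
// daemon.phacility.net) but identify as themselves; a third host
// authenticates and identifies as the same device.
$known = array(
  'daemon.phacility.net',
  'local001.phacility.net',
  'local002.phacility.net',
);

$pool_identity = resolve_identity('daemon.phacility.net', 'local001.phacility.net', $known);
$solo_identity = resolve_identity('local002.phacility.net', null, $known);

assert($pool_identity === 'local001.phacility.net');
assert($solo_identity === 'local002.phacility.net');
assert(route_for($pool_identity, 'local001.phacility.net') === 'handle');
assert(route_for($pool_identity, 'local002.phacility.net') === 'forward');
assert(route_for(null, 'local001.phacility.net') === 'unknown-identity');
```

The null branch matters for upgrades: until every host re-runs `bin/almanac register`, `getDeviceID()` will return null on existing installs, and a caller that compares null to a device name with `==` would silently treat every request as "forward".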

+40 -2
+1
.gitignore
··· 15 15 /conf/local/VERSION 16 16 /conf/keys/device.pub 17 17 /conf/keys/device.key 18 + /conf/keys/device.id 18 19 19 20 # Impact Font 20 21 /resources/font/impact.ttf
+29 -2
src/applications/almanac/management/AlmanacManagementRegisterWorkflow.php
··· 23 23 'name' => 'allow-key-reuse', 24 24 'help' => pht( 25 25 'Register even if another host is already registered with this '. 26 - 'keypair.'), 26 + 'keypair. This is an advanced featuer which allows a pool of '. 27 + 'devices to share credentials.'), 28 + ), 29 + array( 30 + 'name' => 'identify-as', 31 + 'param' => 'name', 32 + 'help' => pht( 33 + 'Specify an alternate host identity. This is an advanced '. 34 + 'feature which allows a pool of devices to share credentials.'), 27 35 ), 28 36 array( 29 37 'name' => 'force', ··· 85 93 86 94 $stored_public_path = AlmanacKeys::getKeyPath('device.pub'); 87 95 $stored_private_path = AlmanacKeys::getKeyPath('device.key'); 96 + $stored_device_path = AlmanacKeys::getKeyPath('device.id'); 88 97 89 98 if (!$args->getArg('force')) { 90 99 if (Filesystem::pathExists($stored_public_path)) { ··· 171 180 Filesystem::writeFile($tmp_private, $raw_private_key); 172 181 execx('mv -f %s %s', $tmp_private, $stored_private_path); 173 182 183 + $raw_device = $device_name; 184 + $identify_as = $args->getArg('identify-as'); 185 + if (strlen($identify_as)) { 186 + $raw_device = $identify_as; 187 + } 188 + 189 + $console->writeOut( 190 + "%s\n", 191 + pht('Installing device ID...', $raw_device)); 192 + 193 + // The permissions on this file are more open because the webserver also 194 + // needs to read it. 195 + $tmp_device = new TempFile(); 196 + Filesystem::changePermissions($tmp_device, 0644); 197 + execx('chown %s %s', $phd_user, $tmp_device); 198 + Filesystem::writeFile($tmp_device, $raw_device); 199 + execx('mv -f %s %s', $tmp_device, $stored_device_path); 200 + 174 201 if (!$public_key->getID()) { 175 202 $console->writeOut( 176 203 "%s\n", ··· 184 211 pht( 185 212 'This host has been registered as "%s" and a trusted keypair '. 186 213 'has been installed.', 187 - $device_name)); 214 + $raw_device)); 188 215 } 189 216 190 217 }
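Review bot: `pht('Installing device ID...', $raw_device)` has no `%s` placeholder, so the `$raw_device` argument is dropped and the console line never shows which identity is being installed; change it to `pht('Installing device ID "%s"...', $raw_device)`. Related, `--identify-as` is accepted after only a `strlen()` check and written straight to `device.id` without confirming that an Almanac device of that name exists, so a typo yields a host that authenticates fine as `--device` but identifies as a device nobody can find; resolve the name the same way `--device` is resolved and fail before any file is written. The final message also now reports `'This host has been registered as "%s"'` with `$raw_device`, although the keypair was registered against `$device_name`; when the two differ it would be clearer to print both. Minor: "featuer" in the `allow-key-reuse` help text.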
+10
src/applications/almanac/util/AlmanacKeys.php
··· 9 9 return $keys.ltrim($key_name, '/'); 10 10 } 11 11 12 + public static function getDeviceID() { 13 + $device_id_path = self::getKeyPath('device.id'); 14 + 15 + if (Filesystem::pathExists($device_id_path)) { 16 + return trim(Filesystem::readFile($device_id_path)); 17 + } 18 + 19 + return null; 20 + } 21 + 12 22 }
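Review bot: `getDeviceID()` returns `null` whenever `device.id` is absent, which is the state of every host registered before this change until it re-runs `bin/almanac register`; callers that decide between handling and forwarding must treat `null` as "identity unknown" rather than comparing it to a device name, and that upgrade step should be called out in the help or docs. A `@return string|null` docblock on the method would make the contract explicit. Note also that `Filesystem::readFile()` will throw if the file exists but is unreadable, so the `0644` permission set in the register workflow is load-bearing for the webserver path.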