Add revoke service.

2025-01-19 07:52:16 +01:00 · 2009-08-31 08:25:01 +00:00 · 2009-08-31 08:25:01 +00:00 · 49754a86cc
commit 49754a86cc
parent 96cefc53f2
3 changed files with 66 additions and 1 deletions
--- a/ykval-config.php
+++ b/ykval-config.php
@ -11,10 +11,17 @@ $baseParams['__YKVAL_DB_PW__'] = 'password';
 $baseParams['__YKGAK_DB_HOST__'] = $baseParams['__YKVAL_DB_HOST__'];
 $baseParams['__YKGAK_DB_NAME__'] = $baseParams['__YKVAL_DB_NAME__'];
 $baseParams['__YKGAK_DB_USER__'] = 'ykval_getapikey';
-$baseParams['__YKGAK_DB_PW__'] = 'password';
+$baseParams['__YKGAK_DB_PW__'] = 'secondpassword';
 $baseParams['__YKGAK_ID__'] = '';
 $baseParams['__YKGAK_KEY__'] = '';

+# For the revoke service.
+$baseParams['__YKR_DB_HOST__'] = $baseParams['__YKVAL_DB_HOST__'];
+$baseParams['__YKR_DB_NAME__'] = $baseParams['__YKVAL_DB_NAME__'];
+$baseParams['__YKR_DB_USER__'] = 'ykval_revoke';
+$baseParams['__YKR_DB_PW__'] = 'thirdpassword';
+$baseParams['__YKR_IP__'] = '1.2.3.4';
+
 // otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
 // CLIENT.  The URLs must be fully qualified, i.e., contain the OTP
 // itself.
--- a/ykval-db.sql
+++ b/ykval-db.sql
@ -40,4 +40,11 @@ CREATE USER 'ykval_getapikey'@'localhost';
 GRANT SELECT(id),INSERT
 	ON ykval.clients to 'ykval_getapikey'@'localhost';

+-- DROP USER 'ykval_revoke'@'localhost';
+CREATE USER 'ykval_revoke'@'localhost';
+GRANT UPDATE(active)
+        ON ykval.yubikeys to 'ykval_revoke'@'localhost';
+GRANT SELECT(publicName)
+        ON ykval.yubikeys to 'ykval_revoke'@'localhost';
+
 FLUSH PRIVILEGES;
--- a/ykval-revoke.php
+++ b/ykval-revoke.php
@ -0,0 +1,51 @@
+<?php
+require_once 'ykval-common.php';
+require_once 'ykval-config.php';
+
+header("content-type: text/plain");
+
+debug("Request: " . $_SERVER['QUERY_STRING']);
+
+if ($baseParams['__YKR_IP__'] != $_SERVER["REMOTE_ADDR"]) {
+  logdie("ERROR Authorization failed");
+}
+
+# Connect to db
+$conn = mysql_connect($baseParams['__YKR_DB_HOST__'],
+                      $baseParams['__YKR_DB_USER__'],
+                      $baseParams['__YKR_DB_PW__'])
+  or die('Could not connect to database: ' . mysql_error());
+mysql_select_db($baseParams['__YKR_DB_NAME__'], $conn)
+or die('Could not select database');
+
+# Parse input
+$yk = $_REQUEST["yk"];
+$do = $_REQUEST["do"];
+if (!$yk) {
+  logdie("ERROR Missing parameter");
+}
+if ($do != "enable" && $do != "disable") {
+  logdie("ERROR Unknown do value: $do");
+}
+
+# Check if key exists
+$stmt = 'SELECT publicName FROM yubikeys WHERE publicName=' .
+  mysql_quote (modhex2b64($yk));
+$r = query($conn, $stmt);
+if (mysql_num_rows($r) != 1) {
+  logdie("ERROR Unknown yubikey $yk");
+}
+
+# Enable/Disable the yubikey
+$stmt = 'UPDATE yubikeys SET active = ' .
+  ($do == "enable" ? "TRUE" : "FALSE") .
+  ' WHERE publicName=' . mysql_quote (modhex2b64($yk));
+query($conn, $stmt);
+$rows = mysql_affected_rows();
+if ($rows != 1) {
+  logdie("ERROR Could not $do for $yk (rows $rows)");
+}
+
+# We are done
+logdie("OK Processed $yk with $do");
+?>