From d3c2d0935b93a6f28abf7181b7e7073e2e7c6df1 Mon Sep 17 00:00:00 2001
From: "Skylar \"The Cobra\" Widulski" <cobra@vern.cc>
Date: Wed, 22 Nov 2023 16:45:25 -0500
Subject: [PATCH] Initial testing of PGP account recovery

Signed-off-by: Skylar "The Cobra" Widulski <cobra@vern.cc>
---
 en/recovery-challenge.cgi            | 138 +++++++++++++++++++++++++++
 en/recovery-scripts/pgp/default.html |  25 +++++
 en/recovery-scripts/pgp/submit.html  |  32 +++++++
 en/recovery-scripts/pgp/success.html |  19 ++++
 4 files changed, 214 insertions(+)
 create mode 100755 en/recovery-challenge.cgi
 create mode 100644 en/recovery-scripts/pgp/default.html
 create mode 100644 en/recovery-scripts/pgp/submit.html
 create mode 100644 en/recovery-scripts/pgp/success.html

diff --git a/en/recovery-challenge.cgi b/en/recovery-challenge.cgi
new file mode 100755
index 0000000..65ff092
--- /dev/null
+++ b/en/recovery-challenge.cgi
@@ -0,0 +1,138 @@
+#!/usr/bin/env -S bash -x
+saveIFS=$IFS
+IFS='=&'
+parm=($POST_STRING)
+IFS=$saveIFS
+for ((i=0; i<${#parm[@]}; i+=2))
+do
+    declare arg_${parm[i]}=${parm[i+1]}
+done
+
+urldecode() { : "${*//+/ }"; echo -e "${_//%/\\x}"; }
+sig="$(urldecode "$arg_signature")"
+key="$(urldecode "$arg_newkey")"
+if [[ $arg_username ]]; then
+	keyid="$(gpg --import-options show-only --import "/vm/$arg_username/.pgp.asc" 2>&1 | grep '^ ' | xargs)"
+fi
+
+generate_challenge() {
+	if [[ -z "$arg_username" ]]; then
+		nouser=1
+		page=default
+		return
+	fi
+	if ! gpg --import-options show-only --import "/vm/$arg_username/.pgp.asc" &> /dev/null; then
+		nokey=1
+		page=default
+		return
+	fi
+	openssl rand -hex 32 > "/var/log/challenges/$arg_username"
+	page=submit
+	return
+}
+
+submit_challenge() {
+	if [[ -z "$arg_username" ]]; then
+		nouser=1
+		page=default
+		return
+	fi
+	if [[ -z "$key" ]]; then
+		nossh=1
+		page=default
+		return
+	fi
+	if ! ssh-keygen -l -f /dev/stdin <<< "$key" &> /dev/null; then
+		badssh=1
+		page=default
+		return
+	fi
+	if ! gpg --import-options show-only --import "/vm/$arg_username/.pgp.asc" &> /dev/null; then
+		nokey=1
+		page=default
+		return
+	fi
+	if [[ -z "$sig" ]]; then
+		nosig=1
+		page=default
+		return
+	fi
+	echo "$sig" > "/var/log/challenges/$arg_username.gpg"
+	gpg --homedir /var/log/challenges --import "/vm/$arg_username/.pgp.asc"
+	if gpg --homedir /var/log/challenges \
+		--trust-model always \
+		--verify "/var/log/challenges/$arg_username.gpg" \
+		"/var/log/challenges/$arg_username"; then
+		if [[ "$(gpg --homedir /var/log/challenges \
+			--trust-model always \
+			--verify "/var/log/challenges/$arg_username.gpg" \
+			"/var/log/challenges/$arg_username" 2>&1 | 
+			sed -n 's/.*using.*key \(.*\)/\1/p')" == \
+			"$keyid" ]]; then
+			echo "$key" >> "/vm/$username/.ssh/authorized_keys"
+			page=success
+			return
+		else
+			badsig=1
+			page=submit
+			return
+		fi
+	else
+		badsig=1
+		page=submit
+		return
+	fi
+	exit
+}
+
+nouser=0
+nokey=0
+nossh=0
+badssh=0
+nosig=0
+badsig=0
+
+case "$arg_method" in
+	generate)
+		generate_challenge
+		;;
+	submit)
+		submit_challenge
+		;;
+esac
+
+sedcmd=" -e 's/USERNAME/$arg_username/' -e 's/CHALLENGE/$(</var/log/challenges/$arg_username)/' -e 's/KEYID/$keyid/'"
+sedcmd="$sedcmd $(if [[ $nokey == 1 ]]; then
+	printf '%s' '-e "s/NOKEY/This user has no <code>.pgp.asc</code> file/"'
+else
+	printf '%s' '-e "s/NOKEY//"'
+fi)"
+sedcmd="$sedcmd $(if [[ $nouser == 1 ]]; then
+	printf '%s' '-e "s/NOUSER/No such user/"'
+else
+	printf '%s' '-e "s/NOUSER//"'
+fi)"
+sedcmd="$sedcmd $(if [[ $nossh == 1 ]]; then
+	printf '%s' '-e "s/NOSSH/No SSH key(s) supplied/"'
+else
+	printf '%s' '-e "s/NOSSH//"'
+fi)"
+sedcmd="$sedcmd $(if [[ $badssh == 1 ]]; then
+	printf '%s' '-e "s/BADSSH/Invalid SSH keyfile/"'
+else
+	printf '%s' '-e "s/BADSSH//"'
+fi)"
+sedcmd="$sedcmd $(if [[ $nosig == 1 ]]; then
+	printf '%s' '-e "s/NOSIG/No signature supplied/"'
+else
+	printf '%s' '-e "s/NOSIG//"'
+fi)"
+sedcmd="$sedcmd $(if [[ $badsig == 1 ]]; then
+	printf '%s' '-e "s/BADSIG/Bad signature/"'
+else
+	printf '%s' '-e "s/BADSIG//"'
+fi)"
+
+sedcmd="${sedcmd:+sed$sedcmd}"
+
+eval ${sedcmd:-cat} $(dirname $0)/recovery-scripts/pgp/"$page".html
diff --git a/en/recovery-scripts/pgp/default.html b/en/recovery-scripts/pgp/default.html
new file mode 100644
index 0000000..2edf5dd
--- /dev/null
+++ b/en/recovery-scripts/pgp/default.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta name="viewport" content="width=device-width">
+	<meta charset="UTF-8">
+	<meta name="description" content="~vern account recovery process">
+	<meta name="keywords" content="~vern, vern, free software, privacy, tilde, tildeverse">
+	<link rel="stylesheet" href="//gcdn.vern.cc/vernsite/style.css">
+	<title>PGP-based Account Recovery | ~vern</title>
+</head>
+<body>
+	<!--#include file="nav.php" -->
+	<div class=h><h1 id=pgp-recovery>PGP-based Account Recovery</h1> <a aria-hidden=true href=#pgp-recovery>#pgp-recovery</a></div>
+	<p>Fill out this form, and follow the steps given.</p>
+	<form method="post" action="/en/recovery-challenge">
+		<input hidden type=text name=method default="generate">
+		<p>Username:
+		<input type=text name=username>
+		<span class=red>NOUSERNOKEY</span></p>
+		<br>
+		<span><input type=submit value=Submit style="width:100px;height:40px;font-size:20px"></span>
+	</form>
+	<!--#include file="footer.cgi" -->
+</body>
+</html>
diff --git a/en/recovery-scripts/pgp/submit.html b/en/recovery-scripts/pgp/submit.html
new file mode 100644
index 0000000..41ceac0
--- /dev/null
+++ b/en/recovery-scripts/pgp/submit.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta name="viewport" content="width=device-width">
+	<meta charset="UTF-8">
+	<meta name="description" content="~vern account recovery process">
+	<meta name="keywords" content="~vern, vern, free software, privacy, tilde, tildeverse">
+	<link rel="stylesheet" href="//gcdn.vern.cc/vernsite/style.css">
+	<title>PGP-based Account Recovery | ~vern</title>
+</head>
+<body>
+	<!--#include file="nav.php" -->
+	<div class=h><h1 id=pgp-recovery>PGP-based Account Recovery</h1> <a aria-hidden=true href=#pgp-recovery>#pgp-recovery</a></div>
+	<p>Generate your signature by going into a terminal and running the following:</p>
+	<pre><code>echo 'CHALLENGE' | gpg -a --detach-sig --default-key KEYID</code></pre>
+	<form method="post" action="/en/recovery-challenge">
+		<input hidden type=text name=method default="submit">
+		<p>Username:
+		<input type=text name=username default=USERNAME>
+		<span class=red>NOUSERNOKEY</span></p>
+		
+		<p>New SSH key(s): <span class=red>NOSSHBADSSH</span>
+		<textarea name=newkey rows=3 cols=50></textarea></p>
+		<p>Signature: <span class=red>NOSIGBADSIG</span>
+		<textarea name=singature rows=10 cols=50></textarea></p>
+
+		<br>
+		<span><input type=submit value=Submit style="width:100px;height:40px;font-size:20px"></span>
+	</form>
+	<!--#include file="footer.cgi" -->
+</body>
+</html>
diff --git a/en/recovery-scripts/pgp/success.html b/en/recovery-scripts/pgp/success.html
new file mode 100644
index 0000000..141de34
--- /dev/null
+++ b/en/recovery-scripts/pgp/success.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta name="viewport" content="width=device-width">
+	<meta charset="UTF-8">
+	<meta name="description" content="~vern account recovery process">
+	<meta name="keywords" content="~vern, vern, free software, privacy, tilde, tildeverse">
+	<link rel="stylesheet" href="//gcdn.vern.cc/vernsite/style.css">
+	<meta http-equiv=refresh content='5;url=/en/' />
+	<title>Success | ~vern</title>
+</head>
+<body>
+	<!--#include file="nav.php" -->
+	<div class=h><h1 id=pgp-recovery>PGP-based Account Recovery</h1> <a aria-hidden=true href=#pgp-recovery>#pgp-recovery</a></div>
+	<p>Your new key has successfully been added.</p>
+	<p>You will be redirected back <a href=/en/>home</a> in 5 seconds.</p>
+	<!--#include file="footer.cgi" -->
+</body>
+</html>