no key sharing (#719)

simonLeary42 · web-flow · commit 1535d4a1ce0b · 2026-05-12T13:43:34.000-04:00
diff --git a/resources/lib/UnityLDAP.php b/resources/lib/UnityLDAP.php
@@ -356,4 +356,29 @@ public function getUsersAttributes(
         ksort($output);
         return $output;
     }
+
+    /** @return string[] */
+    public function whoIsUsingKey(string $target_key): array
+    {
+        $who = [];
+        [$target_type, $target_data, $target_comment] = tokenizeSSHKey($target_key);
+        $attributes = $this->getAllNativeUsersAttributes(
+            ["uid", "sshPublicKey"],
+            ["sshPublicKey" => []],
+        );
+        foreach ($attributes as $attrs) {
+            foreach ($attrs["sshpublickey"] as $key) {
+                try {
+                    [$type, $data, $comment] = tokenizeSSHKey((string) $key);
+                } catch (\Throwable) {
+                    // if someone's key is invalid, assume it doesn't match
+                    continue;
+                }
+                if ($type === $target_type && $data === $target_data) {
+                    array_push($who, (string) $attrs["uid"][0]);
+                }
+            }
+        }
+        return array_unique($who);
+    }
 }
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php
@@ -248,9 +248,6 @@ public function getMail(): string
      */
     public function addSSHKey(string $key, bool $send_mail = true): bool
     {
-        if ($this->SSHKeyExists($key)) {
-            return false;
-        }
         $this->setSSHKeys(array_merge($this->getSSHKeys(), [$key]), $send_mail);
         $key_info = formatSSHKeyInfoInternal($key);
         $this->SQL->addLog("sshkey_added", _json_encode(["uid" => $this->uid, "key" => $key_info]));
diff --git a/test/functional/SSHKeyAddTest.php b/test/functional/SSHKeyAddTest.php
@@ -3,26 +3,27 @@
 use UnityWebPortal\lib\UnityGithub;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
+use UnityWebPortal\lib\UnityHTTPDMessageLevel;
 
 #[AllowMockObjectsWithoutExpectations]
 class SSHKeyAddTest extends UnityWebPortalTestCase
 {
     public static function keyProvider()
     {
         $validKey =
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a foobar";
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p foobar";
         $invalidKey = "foobar";
         return [[false, $invalidKey], [true, $validKey]];
     }
 
     public static function keysProvider()
     {
         $validKey =
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a foobar";
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p foobar";
         $validKeyDuplicateDifferentComment =
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a foobar2";
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p foobar2";
         $validKey2 =
-            "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF/dSI9/7YWeyB8wa4rEWRdeb9pQbrGxZwYFV2ulr0agXdbiJIApp0MWDYlIc9XI+4Y+cVAj66PQ2YaRz44BV+o=";
+            "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF5Ossk5huH48Gdyw1nuC+1TKajZzF+83rwbFhml0b915mWzYbKqFtjFze8+4uW+xBjLmwx4e+vGiZbNR4ucm6w=";
         $invalidKey = "foobar";
         return [
             [0, []],
@@ -161,4 +162,73 @@ public function testAddSshKeysGithub(int $expectedKeysAdded, array $keys)
             callPrivateMethod($USER, "setSSHKeys", []);
         }
     }
+
+    public function testShareKeysBetweenUsers()
+    {
+        global $USER;
+        $key =
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p foobar";
+        $this->switchUser("Admin");
+        $user1 = $USER;
+        $this->switchUser("Blank");
+        $user2 = $USER;
+        $user1_keys_before = $user1->getSSHKeys();
+        $user2_keys_before = $user2->getSSHKeys();
+        try {
+            $user1->addSSHKey($key);
+            // as user2, try to add the key that user1 already added
+            $this->http_post(
+                __DIR__ . "/../../webroot/panel/account.php",
+                [
+                    "form_type" => "addKey",
+                    "add_type" => "paste",
+                    "key" => $key,
+                ],
+                do_validate_messages: false,
+            );
+            $this->assertMessageExists(
+                UnityHTTPDMessageLevel::WARNING,
+                "/.*/",
+                "/This incident has been reported/",
+            );
+            $this->assertEquals($user2_keys_before, $user2->getSSHKeys());
+        } finally {
+            callPrivateMethod($user1, "setSSHKeys", $user1_keys_before);
+            callPrivateMethod($user2, "setSSHKeys", $user2_keys_before);
+        }
+    }
+
+    /*
+    while attempting to share keys between users says "this incident has been reported"
+    you should not see this message if you add the same key to your account twice
+    */
+    public function testAddDuplicateKey()
+    {
+        global $USER;
+        $key =
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p foobar";
+        $this->switchUser("Blank");
+        $this->assertEmpty($USER->getSSHKeys());
+        try {
+            $USER->addSSHKey($key);
+            $this->assertEquals([$key], $USER->getSSHKeys());
+            $this->http_post(
+                __DIR__ . "/../../webroot/panel/account.php",
+                [
+                    "form_type" => "addKey",
+                    "add_type" => "paste",
+                    "key" => $key,
+                ],
+                do_validate_messages: false,
+            );
+            $this->assertMessageExists(
+                UnityHTTPDMessageLevel::WARNING,
+                "/Key Already Added/",
+                "/.*/",
+            );
+            $this->assertEquals([$key], $USER->getSSHKeys());
+        } finally {
+            callPrivateMethod($USER, "setSSHKeys", []);
+        }
+    }
 }
diff --git a/test/unit/AjaxSshValidateTest.php b/test/unit/AjaxSshValidateTest.php
@@ -11,7 +11,7 @@ public static function providerTestSshValidate()
             [false, "foobar"],
             [
                 true,
-                "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a",
+                "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p",
             ],
         ];
     }
diff --git a/test/unit/UtilsTest.php b/test/unit/UtilsTest.php
@@ -9,10 +9,10 @@ public static function SSHKeyProvider()
         global $HTTP_HEADER_TEST_INPUTS;
         // these key types must all be in CONFIG["ldap"]["allowed_ssh_key_types"]
         $validKeys = [
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a",
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a foobar",
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a foo bar baz",
-            "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF/dSI9/7YWeyB8wa4rEWRdeb9pQbrGxZwYFV2ulr0agXdbiJIApp0MWDYlIc9XI+4Y+cVAj66PQ2YaRz44BV+o=",
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p",
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p foobar",
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p foo bar baz",
+            "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF5Ossk5huH48Gdyw1nuC+1TKajZzF+83rwbFhml0b915mWzYbKqFtjFze8+4uW+xBjLmwx4e+vGiZbNR4ucm6w=",
             "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOr8ZnJPs/mP/1c74P8NsiPL2pq/vKo6u0vtkgqgyZjqJJpPS5rP6EFJkT8DI0Fx9/70jvyH8wGK6tx+/gNElMlZ6P2RyHbDvL4Nh2LAEW3BQ2lbULyElP/ZeXIEQzPxng==",
             "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFmNNrz+B6exxuReTXQJzXUzJ4zB5JTuB8Xtcr79P4tk4SlA5a5ufQlsqMdPRhA76KFaLmONGF1e+vwcQWsj/MbRQE0H56tkZRNa+ch5/YI6iKSffkzpRKogl/uTP4rlpRb1vppsURRYxQ2JBzLYolj8VUV+N0sCwM+8maiOGJYuc4dlQ==",
             "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC6RjRhmaBfCN9l9qsnjplvatK/a7zb2tdbg7kDj8mWXfbC1zkELLLX/L+5hAySbm8QXPgr18CqcyV9LqK+vJ/aPHRNo3E/mp14pxp0nHpPlMzUV8ybl2uk2kBMXWRweOYfAcA5eJToHVAXJEVBvcwDI1WVG9Nfo5w1UhGSqcn4oQ==",
diff --git a/webroot/panel/account.php b/webroot/panel/account.php
@@ -54,14 +54,28 @@
                     UnityHTTPD::messageError("SSH Key Not Added: $explanation", $key_short);
                     continue;
                 }
-                $keyWasAdded = $USER->addSSHKey($key);
-                if ($keyWasAdded) {
-                    $sha256_fingerprint = getSSHKeyInfo($key)[1];
-                    $stub_fingprint = substr($sha256_fingerprint, 0, 6);
-                    UnityHTTPD::messageSuccess("SSH Key Added", $stub_fingprint);
-                } else {
-                    UnityHTTPD::messageInfo("SSH Key Not Added: Already Exists", $key_short);
+                $already_using_this_key = $LDAP->whoIsUsingKey($key);
+                if (count($already_using_this_key) > 0) {
+                    if ($already_using_this_key === [$USER->uid]) {
+                        UnityHTTPD::messageWarning("SSH Key Not Added: Key Already Added", $key_short);
+                        continue;
+                    } else {
+                        UnityHTTPD::errorLog(
+                            "security warning",
+                            "attempted SSH public key sharing between users",
+                            data: ["already using this key" => $already_using_this_key]
+                        );
+                        UnityHTTPD::messageWarning(
+                            "SSH Key Not Added: Another User Is Already Using This Key",
+                            "Sharing SSH keys with other users is against terms of service. This incident has been reported.",
+                        );
+                        continue;
+                    }
                 }
+                $USER->addSSHKey($key);
+                $sha256_fingerprint = getSSHKeyInfo($key)[1];
+                $stub_fingprint = substr($sha256_fingerprint, 0, 6);
+                UnityHTTPD::messageSuccess("SSH Key Added", $stub_fingprint);
             }
             UnityHTTPD::redirect();
             break; /** @phpstan-ignore deadCode.unreachable */

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ public static function providerTestSshValidate()`
`11`	`11`	`[false, "foobar"],`
`12`	`12`	`[`
`13`	`13`	`true,`
`14`		`- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a",`
	`14`	`+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUef6kU0/P0lTO5KBZq6aFVm7nBHhB85SaG4HB0nh7p",`
`15`	`15`	`],`
`16`	`16`	`];`
`17`	`17`	`}`