new: [advanced authkey] API key copy to the new system added to diagnostics

app/Controller/UsersController.php

@@ -2681,4 +2681,42 @@ class UsersController extends AppController
             }
         }
     }
+
+    public function updateToAdvancedAuthKeys()
+    {
+        if (!$this->request->is('post')) {
+            throw new MethodNotAllowedException(__('This endpoint can only be triggered via POST requests.'));
+        }
+        $users = $this->User->find('all', [
+            'recursive' => -1,
+            'contain' => ['AuthKey'],
+            'fields' => ['id', 'authkey']
+        ]);
+        $updated = 0;
+        foreach ($users as $user) {
+            if (!empty($user['AuthKey'])) {
+                $currentKeyStart = substr($user['User']['authkey'], 0, 4);
+                $currentKeyEnd = substr($user['User']['authkey'], -4);
+                foreach ($user['AuthKey'] as $authkey) {
+                    if ($authkey['authkey_start'] === $currentKeyStart && $authkey['authkey_end'] === $currentKeyEnd) {
+                        continue 2;
+                    }
+                }
+            }
+            $this->User->AuthKey->create();
+            $this->User->AuthKey->save([
+                'authkey' => $user['User']['authkey'],
+                'expiration' => 0,
+                'user_id' => $user['User']['id']
+            ]);
+            $updated += 1;
+        }
+        $message = __('The upgrade process is complete, %s authkey(s) generated.', $updated);
+        if ($this->_isRest()) {
+            return $this->RestResponse->saveSuccessResponse('User', 'acceptRegistrations', false, $this->response->type(), $message);
+        } else {
+            $this->Flash->success($message);
+            $this->redirect($this->referer());
+        }
+    }
 }

app/Model/AppModel.php

@@ -86,7 +86,7 @@ class AppModel extends Model
         39 => false, 40 => false, 41 => false, 42 => false, 43 => false, 44 => false,
         45 => false, 46 => false, 47 => false, 48 => false, 49 => false, 50 => false,
         51 => false, 52 => false, 53 => false, 54 => false, 55 => false, 56 => false,
-        57 => false, 58 => false, 59 => false
+        57 => false, 58 => false, 59 => false, 60 => false
     );
 
     public $advanced_updates_description = array(
@@ -1436,6 +1436,25 @@ class AppModel extends Model
                     INDEX `name` (`name`)
                 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;";
                 break;
+            case 60:
+                $sqlArray[] = "CREATE TABLE IF NOT EXISTS `auth_keys` (
+                    `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+                    `uuid` varchar(40) COLLATE utf8mb4_unicode_ci NOT NULL,
+                    `authkey` varchar(72) CHARACTER SET ascii DEFAULT NULL,
+                    `authkey_start` varchar(4) CHARACTER SET ascii DEFAULT NULL,
+                    `authkey_end` varchar(4) CHARACTER SET ascii DEFAULT NULL,
+                    `created` int(10) unsigned NOT NULL,
+                    `expiration` int(10) unsigned NOT NULL,
+                    `user_id` int(10) unsigned NOT NULL,
+                    `comment` text COLLATE utf8mb4_unicode_ci,
+                    PRIMARY KEY (`id`),
+                    KEY `authkey_start` (`authkey_start`),
+                    KEY `authkey_end` (`authkey_end`),
+                    KEY `created` (`created`),
+                    KEY `expiration` (`expiration`),
+                    KEY `user_id` (`user_id`)
+                ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;";
+                break;
             case 'fixNonEmptySharingGroupID':
                 $sqlArray[] = 'UPDATE `events` SET `sharing_group_id` = 0 WHERE `distribution` != 4;';
                 $sqlArray[] = 'UPDATE `attributes` SET `sharing_group_id` = 0 WHERE `distribution` != 4;';

app/Model/AuthKey.php

@@ -41,13 +41,15 @@ class AuthKey extends AppModel
             }
             if (empty($this->data['AuthKey']['authkey'])) {
                 $authkey = (new RandomTool())->random_str(true, 40);
-                $passwordHasher = new BlowfishPasswordHasher();
-                $this->data['AuthKey']['authkey'] = $passwordHasher->hash($authkey);
-                $this->data['AuthKey']['authkey_start'] = substr($authkey, 0, 4);
-                $this->data['AuthKey']['authkey_end'] = substr($authkey, -4);
-                $this->data['AuthKey']['authkey_raw'] = $authkey;
-                $this->authkey_raw = $authkey;
+            } else {
+                $authkey = $this->data['AuthKey']['authkey'];
             }
+            $passwordHasher = new BlowfishPasswordHasher();
+            $this->data['AuthKey']['authkey'] = $passwordHasher->hash($authkey);
+            $this->data['AuthKey']['authkey_start'] = substr($authkey, 0, 4);
+            $this->data['AuthKey']['authkey_end'] = substr($authkey, -4);
+            $this->data['AuthKey']['authkey_raw'] = $authkey;
+            $this->authkey_raw = $authkey;
             if (empty($this->data['AuthKey']['expiration'])) {
                 $this->data['AuthKey']['expiration'] = 0;
             } else {

app/Model/Server.php

@@ -1281,7 +1281,7 @@ class Server extends AppModel
                         ),
                         'advanced_authkeys' => array(
                                 'level' => 1,
-                                'description' => __('Advanced authkeys will allow each user to create and manage a set of authkeys for themselves, each with individual expirations and comments. API keys are stored in a hashed state and can no longer be recovered from MISP. Users will be prompted to note down their key when creating a new authkey.'),
+                                'description' => __('Advanced authkeys will allow each user to create and manage a set of authkeys for themselves, each with individual expirations and comments. API keys are stored in a hashed state and can no longer be recovered from MISP. Users will be prompted to note down their key when creating a new authkey. You can generate a new set of API keys for all users on demand in the diagnostics page, or by triggering /admin/users/updateToAdvancedAuthKeys.'),
                                 'value' => false,
                                 'errorMessage' => '',
                                 'test' => 'testBool',

app/View/Elements/healthElements/diagnostics.ctp

@@ -418,6 +418,13 @@
     <?php
         endif;
     ?>
+    <h3><?php echo __('Upgrade authkeys keys to the advanced keys format'); ?></h3>
+    <p>
+        <?php
+            echo __('MISP can store the user API keys either in the clear directly attached to the users, or as of recently, it can generate a list of hashed keys for different purposes. If the latter feature is enabled, it might be useful to move all existing keys over to the new format so that users do not lose access to the system. In order to do so, run the following functionality.');
+        ?>
+        <?php echo $this->Form->postLink('<span class="btn btn-inverse" style="padding-top:1px;padding-bottom:1px;">' . __('Update Authkeys to advanced Authkeys') . '</span>', $baseurl . '/users/updateToAdvancedAuthKeys', array('escape' => false));?>
+    </p>
     <h3><?php echo __('Clean model cache');?></h3>
     <p><?php echo __('If you ever run into issues with missing database fields / tables, please run the following script to clean the model cache.');?></p>
     <?php echo $this->Form->postLink('<span class="btn btn-inverse" style="padding-top:1px;padding-bottom:1px;">' . __('Clean cache') . '</span>', $baseurl . '/events/cleanModelCaches', array('escape' => false));?>