From f1dd24933cf7a9e23761ba37b07ff09f5c3639ab Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Sat, 26 Mar 2022 11:20:55 +0100
Subject: [PATCH] fix: [sign] Allow to sign event by key stored in gpg homedir

---
 .github/workflows/main.yml | 45 ++++++++++++++-------------
 app/Model/CryptographicKey.php | 16 +++++++++-
 app/Model/Server.php | 9 ++++++
 tests/testlive_comprehensive_local.py | 4 ++-
 4 files changed, 50 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c3533193b..e5d210e5b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -145,32 +145,33 @@ jobs: - name: Configure MISP run: | - sudo -E su $USER -c 'app/Console/cake userInit -q | sudo tee ./key.txt' + sudo -u $USER app/Console/cake userInit -q | sudo tee ./key.txt echo "AUTH=`cat key.txt`" >> $GITHUB_ENV - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Session.autoRegenerate" 0' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Session.timeout" 600' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Session.cookieTimeout" 3600' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "MISP.host_org_id" 1' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "MISP.email" "info@admin.test"' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "MISP.disable_emailing" false' - sudo -E su $USER -c 'app/Console/cake Admin setSetting --force "debug" true' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Plugin.CustomAuth_disable_logout" false' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "MISP.redis_port" 6379' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "MISP.redis_database" 13' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "MISP.redis_password" ""' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "GnuPG.email" "info@admin.test"' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "GnuPG.homedir" "`pwd`/.gnupg"' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "GnuPG.password" "travistest"' + sudo -u $USER app/Console/cake Admin setSetting "Session.autoRegenerate" 0 + sudo -u $USER app/Console/cake Admin setSetting "Session.timeout" 600 + sudo -u $USER app/Console/cake Admin setSetting "Session.cookieTimeout" 3600 + sudo -u $USER app/Console/cake Admin setSetting "MISP.host_org_id" 1 + sudo -u $USER app/Console/cake Admin setSetting "MISP.email" "info@admin.test" + sudo -u $USER app/Console/cake Admin setSetting "MISP.disable_emailing" false + sudo -u 
$USER app/Console/cake Admin setSetting --force "debug" true + sudo -u $USER app/Console/cake Admin setSetting "Plugin.CustomAuth_disable_logout" false + sudo -u $USER app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1" + sudo -u $USER app/Console/cake Admin setSetting "MISP.redis_port" 6379 + sudo -u $USER app/Console/cake Admin setSetting "MISP.redis_database" 13 + sudo -u $USER app/Console/cake Admin setSetting "MISP.redis_password" "" + sudo -u $USER app/Console/cake Admin setSetting "GnuPG.email" "info@admin.test" + sudo -u $USER app/Console/cake Admin setSetting "GnuPG.homedir" "`pwd`/.gnupg" + sudo -u $USER app/Console/cake Admin setSetting "GnuPG.password" "travistest" + sudo -u $USER app/Console/cake Admin setSetting "MISP.download_gpg_from_homedir" 1 - name: Configure ZMQ run: | - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "127.0.0.1"' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_port" 6379' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_database" 1' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_password" ""' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" 1' - sudo -E su $USER -c 'app/Console/cake Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" 1' + sudo -u $USER app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "127.0.0.1" + sudo -u $USER app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_port" 6379 + sudo -u $USER app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_database" 1 + sudo -u $USER app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_password" "" + sudo -u $USER app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" 1 + sudo -u $USER app/Console/cake Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" 1 - name: Update Galaxies run: sudo -E su $USER -c 'app/Console/cake Admin updateGalaxies' 
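Review bot: Dropping `-E` together with the switch from `sudo -E su $USER -c '…'` to `sudo -u $USER …` changes the environment the cake commands run under: sudo now applies its env_reset policy to the invoked command, whereas the old form handed the runner's environment to su. If any of the `userInit` or `Admin setSetting` calls in this step read a runner-provided variable (database host or credentials exported by an earlier step), that variable now has to be passed explicitly or allowed by the sudoers policy; a green run of this workflow would confirm it is a non-issue, but the commit does not say so. The last visible step, `run: sudo -E su $USER -c 'app/Console/cake Admin updateGalaxies'`, still uses the old form; converting it to `run: sudo -u $USER app/Console/cake Admin updateGalaxies` keeps the Configure, ZMQ and Galaxies steps consistent. The new `MISP.download_gpg_from_homedir` setting depends on `GnuPG.email`, `GnuPG.homedir` and `GnuPG.password` being set first, which the three preceding lines do, so a short comment such as `# must follow the GnuPG.* settings above: the homedir key is looked up by GnuPG.email` would keep that ordering from being broken later.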
diff --git a/app/Model/CryptographicKey.php b/app/Model/CryptographicKey.php index 9d7f9aec9..c0d8f1564 100644 --- a/app/Model/CryptographicKey.php +++ b/app/Model/CryptographicKey.php @@ -89,12 +89,26 @@ class CryptographicKey extends AppModel } /** - * @return string + * @return string Instance key fingerprint * @throws Crypt_GPG_BadPassphraseException * @throws Crypt_GPG_Exception */ public function ingestInstanceKey() { + // If instance just key stored just in GPG homedir, use that key. + if (Configure::read('MISP.download_gpg_from_homedir')) { + if (!$this->gpg) { + throw new Exception("Could not initiate GPG"); + } + /** @var Crypt_GPG_Key[] $keys */ + $keys = $this->gpg->getKeys(Configure::read('GnuPG.email')); + if (empty($keys)) { + return false; + } + $this->gpg->addSignKey($keys[0], Configure::read('GnuPG.password')); + return $keys[0]->getPrimaryKey()->getFingerprint(); + } + try { $redis = $this->setupRedisWithException(); } catch (Exception $e) { diff --git a/app/Model/Server.php b/app/Model/Server.php index c32b16cca..e9e60098a 100644 --- a/app/Model/Server.php +++ b/app/Model/Server.php @@ -5666,6 +5666,15 @@ class Server extends AppModel 'type' => 'boolean', 'null' => true, ], + 'download_gpg_from_homedir' => [ + 'level' => self::SETTING_OPTIONAL, + 'description' => __('Fetch GPG instance key from GPG homedir.'), + 'value' => false, + 'test' => 'testBool', + 'type' => 'boolean', + 'null' => true, + 'cli_only' => true, + ], ), 'GnuPG' => array( 'branch' => 1, diff --git a/tests/testlive_comprehensive_local.py b/tests/testlive_comprehensive_local.py index 0326fd3fe..f554ab615 100644 --- a/tests/testlive_comprehensive_local.py +++ b/tests/testlive_comprehensive_local.py 
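Review bot: The new homedir branch uses `$keys[0]` from `getKeys(Configure::read('GnuPG.email'))` without checking that it is a key whose private signing part is present; as far as Crypt_GPG's getKeys goes the e-mail is passed to gpg as a list-keys pattern that matches on user-id substrings, so it can return several keys (including public-only keys imported from other instances), and the first hit may not be usable by `addSignKey`, with the failure then surfacing at sign time rather than here. Iterating the result and selecting the first key with a subkey that reports `canSign()` and `hasPrivate()` (both exposed by Crypt_GPG_SubKey; verify against the vendored version) keeps the fingerprint that is returned in step with the key actually registered for signing. The docblock now says `@return string Instance key fingerprint` while the branch returns `false` when nothing matches; make it `@return string|false Instance key fingerprint, or false when no key for GnuPG.email exists in the homedir` and reword the garbled comment to `// If the instance key is kept only in the GPG homedir, look it up there by GnuPG.email.`. ingestInstanceKey continues past the hunk, so what the Redis path returns on failure is not visible here and should be kept consistent with this false return.
```php
            // If the instance key is kept only in the GPG homedir, look it up there by GnuPG.email.
            if (Configure::read('MISP.download_gpg_from_homedir')) {
                // … unchanged: gpg availability check …
                /** @var Crypt_GPG_Key[] $keys */
                $keys = $this->gpg->getKeys(Configure::read('GnuPG.email'));
                foreach ($keys as $key) {
                    foreach ($key->getSubKeys() as $subKey) {
                        // A public-only match (e.g. a key imported from a peer) must not be selected for signing.
                        if ($subKey->canSign() && $subKey->hasPrivate()) {
                            $this->gpg->addSignKey($key, Configure::read('GnuPG.password'));
                            return $key->getPrimaryKey()->getFingerprint();
                        }
                    }
                }
                return false;
            }
```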
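Review bot: The description `Fetch GPG instance key from GPG homedir.` does not tell an operator what the flag actually changes: with it on, CryptographicKey::ingestInstanceKey selects the key matching `GnuPG.email` from `GnuPG.homedir` and never reaches the Redis-backed path it otherwise takes, and it silently depends on `GnuPG.email`, `GnuPG.homedir` and `GnuPG.password` being set. A description such as `__('If enabled, the instance signing key is looked up in GnuPG.homedir by GnuPG.email instead of through the stored instance key. Requires GnuPG.email, GnuPG.homedir and GnuPG.password to be configured.')` states both the effect and the precondition. The hunk starts inside the settings array, so the enclosing section name is only inferred from the workflow's `MISP.download_gpg_from_homedir`, not visible here.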
@@ -733,7 +733,9 @@ class TestComprehensive(unittest.TestCase): check_response(response) response = self.admin_misp_connector._prepare_request('GET', f'events/view/{event.id}') - print(response.headers) + self.assertIn('x-pgp-signature', response.headers) + self.assertTrue(len(response.headers['x-pgp-signature']) > 0, response.headers['x-pgp-signature']) + print(response.headers['x-pgp-signature']) def _search(self, query: dict): response = self.admin_misp_connector._prepare_request('POST', 'events/restSearch', data=query)
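Review bot: The added assertions only establish that an `x-pgp-signature` header is present and non-empty; they do not check that it is a valid signature over the returned body, so signing with the wrong key or over the wrong payload would still pass. If the test environment has the instance public key available (the CI workflow points `GnuPG.homedir` at the checkout), decode the header (its encoding is set by the controller and is not visible here; confirm it), write it out as a detached signature and verify it against `response.content` with `gpg --verify`, or at minimum assert that it parses as a PGP signature rather than arbitrary bytes. The leftover `print(response.headers['x-pgp-signature'])` reads as debug output; drop it and let `self.assertGreater(len(response.headers['x-pgp-signature']), 0, response.headers['x-pgp-signature'])` carry the message instead. The enclosing test method starts above the hunk.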