Access iOS Certificate in Keychain Programatically using PHP - php

We have a web app that creates iOS apps from a CMS. It builds the Xcode project and we need to be able to archive and export it using PHP. We are able to do this fine from terminal, but using shell_exec in PHP it doesn't work.
Code Sign error: No code signing identities found: No valid signing identities (i.e. certificate and private key pair) matching the team ID “XXXXXXXXX”
We think this is because PHP isn't running as the correct user account to have permission to access the certificates in the keychain. We can set the _www user to run as in particular group, but does anybody know which user it should run as?
I understand opening up access to the _www user is a huge security flaw, but it's for an isolated system unconnected to the outside world.

And why not copy the certificate in the _www user ?

Related

Google Cloud CDN with SignedUrl with gcloud compute sign-url gives 403

I have a google cloud storage bucket and I want to access it only using Cloud CDN.
I have created load balancer, created signing key and added service account to it almost all permissions like Storage Admin, Storage Bucket Admin, Storage Legacy Bucket Owner etc.
Now I'm trying to access bucket content using SignedUrl with Php. it generates the signedURL but it gives
403. That’s an error.
Your client does not have permission to get URL
I have even tried it through gcloud compute sign-url. it does generate a signed url but it also gives same error.
Reprocuction steps:
gcloud sign-url from cmd:
gcloud compute sign-url URL --expires-in=1566561600 --key-file=KEY_FILE --key-name=SIGNING_KEY
where URL is generated IP from load balancer, expire time is of course future timestamp, key--file is generated json key file from service account, --key-name is signing key from origin details details
Same thing I've applied to php code where I'm generating signed url, I've taken reference from https://github.com/GoogleCloudPlatform/php-docs-samples
Service account seems to works perfectly when I'm not using CDN, If I access bucket without CDN it works as expected
Is there something wrong with the process I've followed?
Cloud Storage has a built-in CDN, so using Cloud Storage signed URL for your use case should suffice. In regards to using signed URLs, internally they work approximately the same, and generate the URL almost the same way.

Secure storage of tennant/client id on application web server

Ive recently started looking into authenticating with azure active directory using client credentials grant with public/private certificates as detailed here: https://learn.microsoft.com/en-gb/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
Im running an external PHP/LEMP server outside of the azure hosting platform etc etc.
I've managed to get the connection to azure ad working successfully as seen below:
The question is more how we do the credential storage so i can actually do the authorisation. The ironic thing is, i need to store these credentials so i can access ones stored securely within the key vault! So im just wondering does anyone have any recommendations for storing of the:
Tennant ID
Client ID
Scope Uri (i guess i should include this to, as it's an id/guid as such)
Is it safe to store these values as plain text within a sites database?
Would you recommend environment variables? Just wondering what peoples approach is to this.
Many thanks!
I would suggest you store these variables in Key Vault, that's the most secure option. However, then obviously you need keys to access Key Vault.
If you were running your web app in Azure then this would be easy. You can use managed identity to give your web app an identity, and grant this access to KV, done. As your running outside of Azure, the next best method would be to generate a service principal that authenticates with a certificate, grant this service principal access to key vault, then store the private key on your web server and use this to auth. See here for details on creating a service principal.

Microsoft Graph REST API profilePhoto as deamon

i try to develop a web-service which displays some user information from an Office 365 instance using the Microsoft Graph.
I'm able to query groups, user details and so on, but i'm not able to get the user profile picture as described here http://graph.microsoft.io/docs/api-reference/v1.0/api/profilephoto_get. It always return a 403, even when my service had all rights (for testing purpose).
The webservice is a deamon as described here: http://graph.microsoft.io/docs/authorization/app_only, so no actual user is logged in. Could that be an issue? Is it possible to query the photo information using a deamon?
As mentioned above, the problem could be solved by two things:
Use app permissions istead of delegated
If implementation reuses the Auth-Token, restart the apache (or other webserver) running the app after changing permissions for the app. The cached token doesn't seem to get updated rights.

Add multiple domain Azure App via Code

Hi I have PHP CRM running in Azure server,my requirement is that user should be able to add there own custom domains(they will do the DNS configurations seperately) to app by themselves through CRM site,is there any REST API call to achieve that,i searched a lot but couldn't find any documents from Azure,
i did find these from stack
Programatically add domain name to azure website
Add a domain to an Azure web site via code
i tried above expample using Chrome Postman app
App(instanceName) name name is "example"
"https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{myResourceGroup}/providers/Microsoft.Web/sites/{instanceName}/config/web?api-version=2015-08-01"
used both POST and PUT method
{ "properties": { "HostNames":"example.com, crm.example.com" } }
i tried these methods but all i am getting a error "Authentication failed. The 'Authorization' header is not present or provided in an invalid format",i believe something wrong with json values,
example.com.au is my existing website and crm.example.com is my domain name i want to add,is it correct, am i missing anything,please help me
As all of the tasks that you do on resources using the Azure Resource Manager must be authenticated with Azure Active Directory. So To implement Azure Resource Manager Rest APIs, we need to follow the steps in authenticate Azure Recourse Manager requests first to set up authentication.
Generally:
Add an application to the Azure Active Directory tenant.
Set permissions for the application that you added.
Get the token for authenticating requests to Azure Resource Manager.
--Update--
To get the access token for Azure Resource Manager, we should follow the steps shows in Authorization Code Grant Flow:
1,Request an authorization code
The build-up URL will redirect to the sso page, after login we can get the code value which will be used in next step.
2,Use the Authorization Code to Request an Access Token:
3,We can leverage the access token for authorizing the resource REST API:
--update1--
To create an app-only without user ui application, you need to follow client_credentials flow, shown in https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx.
And to your authorization issue, you need to assign a Owner role for a written permission. you can leverage azure-cli to do this.
Install the
Azure-CLI.
Connect to the
Azure-CLI.
Authenticate to your Service Principal using the Azure-CLI.
And in the 4th step in this section, you need to change Reader to Owner,
like
azure role assignment create --objectId 47193a0a-63e4-46bd-9bee-6a9f6f9c03cb -o Owner -c /subscriptions/{subscriptionId}/ to assign a written permission.

Google Developer Console does not give password when creating Service Account

Overall goal is trying to access (my own) Google Sheets with a server-side PHP application (not for sheets owned by individual app visitors). For this I'm hoping to use https://github.com/asimlqt/php-google-spreadsheet-client, which mentions that it doesn't handle the OAuth2 stuff, for which I can use https://github.com/google/google-api-php-client.
So in trying to follow https://developers.google.com/api-client-library/php/auth/service-accounts , it says (step 5):
The Console shows your private key's password only at this initial moment of service account creation--the password will not be shown again
However when I do those steps, it sends me a .json (with private_key_id, private_key, client_email, client_id, type), but at no point does it show me any kind of password. I have tried this with both Firefox and Chromium, tried deleting my old Service Account, making a new Service Account. Is there something else I need to enable on my Developers Console? or something else that I'm missing?
When you create a service account on the Google Api Console, usually, the file randomname.p12 will get downloaded automatically, and the password for this file will be notasecret but, if you are authenticating using the service account i beleive you dont need the password, even tho i am using it, see here check out bram answer he is authenticating using a service account, which might be what you are looking for

Categories