PHP Fatal error: Uncaught ErrorException: #14

Closed
astgjrst opened this issue May 26, 2020 · 6 comments

@astgjrst

Hello, I use Ubuntu 20.04. I followed your installation guide, and at Point 7 this error always occurs.
PHP Fatal error: Uncaught ErrorException: Trying to access array offset on value of type null in /var/www/ska/core.php:86
Stack trace:
#0 /var/www/ska/core.php(86): exception_error_handler()
#1 /var/www/ska/core.php(41): path_join()
#2 [internal function]: autoload_model()
#3 /var/www/ska/core.php(61): spl_autoload_call()
#4 /var/www/ska/core.php(28): setup_database()
#5 /var/www/ska/scripts/cron.php(4): require('/var/www/ska/co...')
#6 {main}
thrown in /var/www/ska/core.php on line 86
Did you already test your software on Ubuntu Server 20.04?
Apache 2.4.41
MariaDB 10.3.2.22
PHP 7.4.3

@mettke
Owner

mettke commented May 26, 2020

Point 7 is about the following:

Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as config/keys-sync and config/keys-sync.pub for the private and public keys respectively.

So I do not see how you can get a PHP error from trying to do that step.

Anyhow, as the error appears in the setup_database call, my guess would be that the database connection is set up incorrectly. I need your Apache config and the ska config to reproduce the error.

You also may want to take a look at the examples folder, which shows how to set up httpd and ska. Even though it is for Alpine, there won't be a lot of differences.

@astgjrst
Author

config.ini

; SSH Key Authority config file
[web]
enabled = 1
baseurl = https://10.40.20.252
logo = /logo-header-itmettke.png
; footer may contain HTML. Literal & " < and > should be escaped as &amp;
; &quot; &lt; $gt;
footer = 'Developed by <a href="https://github.com/mettke/ssh-key-authority">Marc Mettke</a>'
key_password_enabled = 0

[general]
; Use timeout --version to find out the current version
; used on e.g. debian
timeout_util = GNU coreutils
; used on e.g. alpine where busybox < 1.29
; timeout_util = BusyBox

key_expiration_enabled = 0
key_expiration_days = 180

minimum_rsa_key_size = 4096
minimum_ecdsa_key_size = 384

[security]
; It is important that SKA is able to verify that it has connected to the
; server that it expected to connect to (otherwise it could be tricked into
; syncing the wrong keys to a server). The simplest way to accomplish this is
; through SSH host key verification. Setting either of the 2 options below to
; '0' can weaken the protection that SSH host key verification provides.

; Determine who can reset a server's SSH host key in SKA:
;  0: Allow server admins to reset the SSH host key for servers that they
;     administer
;  1: Full SKA admin access is required to reset a server's host key
host_key_reset_restriction = 1

; Determine what happens if multiple servers have the same SSH host key:
;  0: Allow sync to proceed
;  1: Abort sync of affected servers and report an error
; It is not recommended to leave this set to '0' indefinitely
host_key_collision_protection = 1

; Determine what happens if multiple servers have the same ip address:
;  0: Abort sync of affected servers and report an error
;  1: Allow sync to proceed
disable_ip_collision_protection = 0

; Determine what happens if multiple servers have the same ip address
; but different ports:
;  0: Abort sync of affected servers and report an error
;  1: Allow sync to proceed
allow_different_ports_on_single_ip = 0

; Hostname verification is a supplement to SSH host key verification for
; making sure that the sync process has connected to the server that it
; expected to.

; Determine how hostname verification is performed:
;  0: Do not perform hostname verification
;  1: Compare with the result of `hostname -f`
;  2: Compare with /var/local/keys-sync/.hostnames, fall back to `hostname -f`
;     if the file does not exist
;  3: Compare with /var/local/keys-sync/.hostnames, abort sync if the file
;     does not exist
; The last option provides the most solid verification, as a server will only
; be synced to if it has been explicitly allowed on the server itself.
hostname_verification = 1

[defaults]
; This setting will cause new servers to always have a managed account called
; "root" and for that account to be automatically added into the
; "root-accounts" group:
;
; account_groups[root] = "root-accounts"
;
; Any number of these can be specified
account_groups[root] = "accounts-root"

[email]
enabled = 1
; The mail address that outgoing mails will be sent from
from_address = ska@example.com
from_name = "SSH Key Authority system"
; Where to mail security notifications to
report_address = reports@example.com
report_name = "SSH Key Authority reports"
; Where users should contact for help
admin_address = admin@example.com
admin_name = "SSH Key Authority administrators"
; You can use the reroute directive to redirect all outgoing mail to a single
; mail address - typically for temporary testing purposes
;reroute = test@example.com

[database]
; Connection details to the MySQL database
hostname = localhost
port     = 3306
username = ska-user
password = "dsfash349jdf131"
database = ska-db

[ldap]
enabled = 0
; Address to connect to LDAP server
host = ldaps://ldap.example.com:636
; Use StartTLS for connection security (recommended if using ldap:// instead
; of ldaps:// above)
starttls = 0
; LDAP subtree containing USER entries
dn_user = "ou=users,dc=example,dc=com"
; LDAP subtree containing GROUP entries
dn_group = "ou=groups,dc=example,dc=com"
; Set to 1 if the LDAP library should process referrals. In most cases this
; is not needed, and for AD servers it can cause errors when querying the
; whole tree.
follow_referrals = 0

; Leave bind_dn empty if binding is not required
bind_dn =
bind_password =

; User attributes
user_id = uid
user_name = cn
user_email = mail
;user_superior = superioremployee

; If inactive users exist in your LDAP directory, filter with the following
; settings:
; Field to filter on:
;user_active = organizationalstatus
; Use *one* of user_active_true or user_active_false
; user_active_true means user is active if the user_active field equals its
; value
;user_active_true = 'current'
; user_active_false means user is active if the user_active field does not
; equal its value
;user_active_false = 'former'

; Group membership attributes. Examples below are for typical setups:
;
; POSIX groups
;  group_member = memberUid
;  group_member_value = uid
;
; Group-of-names groups
;  group_member = member
;  group_member_value = dn
;
; Attribute of group where members are stored
group_member = memberUid
; User attribute to compare with
group_member_value = uid

; Members of admin_group are given full admin access to SSH Key Authority web
; interface
admin_group_cn = ska-administrators
; By default only the admin_group_cn will be synced. This option enabled
; synchronisation of every group a user is in
full_group_sync = 0

[inventory]
; SSH Key Authority will read the contents of the file /etc/uuid (if it
; exists) when syncing with a server. If a value is found, it can be used as a
; link to an inventory system.
; %s in the url directive will be replaced with the value found in /etc/uuid
;url = "https://inventory.example.com/device/%s"

[gpg]
; SSH Key Authority can GPG sign outgoing emails sent from the
; email.from_address. To do this it needs to know an appropriate key ID to use
;key_id = 0123456789ABCDEF0123456789ABCDEF01234567

apache2-vhost

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/ska/public_html

                DirectoryIndex init.php
                FallbackResource /init.php

                <Directory /var/www/ska/public_html>
                        AuthType Basic
                        AuthName "Restricted Files"
                        AuthUserFile "/etc/apache2/htaccess/basic"
                        AuthGroupFile "/etc/apache2/htaccess/group"
                        Require group internal

                        SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

Additionally, I've tried to connect to the database with the database credentials used. This works as expected. But we are still getting the above-mentioned error.

@mettke
Owner

mettke commented May 28, 2020

Ok I had a look at it and the error says that it fails at the path_join function in the core.php file. The first parameter seems to be null.

The parameter should be $base_path which is set in the requesthandler.php by using $base_path = dirname(__FILE__);. So to me it seems that dirname is returning null.

To verify that I would like you to add two lines after the dirname in the requesthandler.php so that it looks like this:

$base_path = dirname(__FILE__);
echo $base_path;
die;

Afterwards, reloading the page should print the path found by the application. That way we can see whether my assumption is correct.

@astgjrst
Author

$base_path is actually null when used in core.php (line 38). We changed the following code in core.php:

// Autoload needed model files
function autoload_model($classname) {
        global $base_path;
        $base_path = dirname(__FILE__); // <-- Otherwise this would be null

        $classname = preg_replace('/[^a-z]/', '', strtolower($classname)); # Prevent directory traversal and sanitiz>
        $filename = path_join($base_path, 'model', $classname.'.php');
        if(file_exists($filename)) {
                include($filename);
        } else {
                eval("class $classname {}");
                throw new InvalidArgumentException("Attempted to load a class $classname that did not exist.");
        }
}

This seems to fix this issue.

@astgjrst
Author

While this issue seems to be fixed, we now have a follow-up problem:

grafik

We created a "test" htaccess user to access the application, but even when we enter correct credentials, we always see the above-mentioned "Access denied" error page.

grafik

@mettke
Owner

mettke commented May 29, 2020

That's very weird. To me this sounds more like a misconfiguration on the PHP part because that variable should not be null. At the moment, however, I do not see any obvious misconfiguration. Let's keep an eye on that because if there is something wrong with the requesthandler.php file more stuff won't work.

About the permission error, that is expected behaviour. Authentication and authorisation are separated in this application. The webserver handles authentication (you did that by adding the user and its password to the htaccess file) and the app handles authorisation (you have to do that by adding the user to the database). By default there is only one user called keys-sync. You have to give him a password using the htaccess file and then you can login and create new users. The alternative is to use LDAP, which populates the user database for you.

@mettke mettke closed this as completed Jun 30, 2021
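
The authentication/authorisation split described in the last comment, as an added example that is not SSH Key Authority's own code: Apache validates the password and forwards the header (the vhost's `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` line), and the application then decides whether that username is one it knows. The function names, the in-memory user list and the status codes are assumptions made for illustration; the real application keeps its users in the database.

```php
<?php
// Added illustration, not SSH Key Authority's code. All names are hypothetical.

// Constructed stand-in for the application's user table. Per the thread, a
// fresh install only knows the account "keys-sync".
const APP_USERS = ['keys-sync' => ['admin' => true]];

/**
 * Extract the username from a Basic Authorization header value, as forwarded
 * by the web server. Returns null when the header is missing or malformed.
 */
function basic_auth_username(?string $header): ?string {
    if ($header === null || !preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    $username = explode(':', $decoded, 2)[0];
    return $username === '' ? null : $username;
}

/**
 * Authorisation step: the web server has already checked the password, so
 * the application only decides whether this username is known to it.
 * Returns the HTTP status the request should receive.
 */
function authorise(?string $header, array $users): int {
    $username = basic_auth_username($header);
    if ($username === null) {
        return 401; // no usable identity reached the application
    }
    if (!array_key_exists($username, $users)) {
        return 403; // authenticated by the web server, unknown to the app
    }
    return 200;
}

// Constructed requests: "test" exists only in the htaccess file, while
// "keys-sync" exists in both the htaccess file and the user table.
foreach (['test:secret', 'keys-sync:secret'] as $credentials) {
    $header = 'Basic ' . base64_encode($credentials);
    printf("%-10s -> %d\n", explode(':', $credentials)[0], authorise($header, APP_USERS));
}
```

With these constructed inputs, the "test" account passes the web server's password check but is refused by the application, which matches the "Access denied" page reported above.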