From ec5ab26716ffbe4e011850d7159e1927555f4332 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 16 Jun 2025 10:51:01 +0000
Subject: [PATCH] Here's what I've been working on:

**Adding Private Key Downloads to the Dashboard for Admins**

This update allows administrators to download the private keys for intermediate and simple certificates directly from the Dashboard page. It also fixes a bug in an intermediate certificate download link.

Here's a breakdown of the changes:

1.  **In `app/src/Views/dashboard/index.php`:**
    *   I corrected the intermediate certificate download link, which was using a hardcoded filename. It now uses the actual certificate name.
    *   I added "Download Private Key (.key)" links for each listed intermediate certificate. These links are only visible if you are logged in with the 'admin' role.
    *   I also added "Download Private Key (.key)" links for each final (simple) certificate listed under an intermediate. These links are also only visible to administrators.
    *   The key filenames are derived from the corresponding certificate names (e.g., `cert.pem` becomes `key.pem`).

2.  **In `app/src/Controllers/CertificateController.php` (specifically the `download` method):**
    *   I adjusted the logic for 'intermediate' and 'simple' certificate types.
    *   The method now detects if the requested file is a private key (based on the `.key.pem` suffix).
    *   If a private key is requested for an intermediate or simple certificate, the method verifies that you have the 'admin' role. If not, access is denied.
    *   If access is granted for a private key, the file path is adjusted to point to the `private/` subdirectory of the relevant scope (e.g., `INTERMEDIATE_CA_PATH_BASE/[perimeter]/private/[keyfile.key.pem]`).
    *   If a certificate file (`.cert.pem`) is requested, it is served from the `certs/` subdirectory as before.

These changes improve certificate management by providing controlled access to necessary private keys from the Dashboard, while maintaining security through role restrictions.
---
 app/src/Controllers/CertificateController.php | 29 +++++++++++++++++--
 app/src/Views/dashboard/index.php             | 20 ++++++++++++-
 2 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/app/src/Controllers/CertificateController.php b/app/src/Controllers/CertificateController.php
index bbb5b9f..4c0c641 100644
--- a/app/src/Controllers/CertificateController.php
+++ b/app/src/Controllers/CertificateController.php
@@ -394,7 +394,19 @@ class CertificateController
                     header('Location: /dashboard');
                     exit();
                 }
-                $filePath = INTERMEDIATE_CA_PATH_BASE . '/' . $perimeterName . '/certs/' . $fileName;
+                // Vérifier si c'est une demande de clé privée
+                if (str_ends_with($fileName, '.key.pem')) {
+                    if ($this->authService->getUserRole() === 'admin') {
+                        $filePath = INTERMEDIATE_CA_PATH_BASE . '/' . $perimeterName . '/private/' . $fileName;
+                    } else {
+                        $_SESSION['error'] = 'Unauthorized to download intermediate key.';
+                        $this->logService->log('error', "Unauthorized attempt to download intermediate key by user ID: {$userId} for perimeter {$perimeterName}, file {$fileName}", $userId, $ipAddress);
+                        header('Location: /dashboard');
+                        exit();
+                    }
+                } else { // C'est une demande de certificat
+                    $filePath = INTERMEDIATE_CA_PATH_BASE . '/' . $perimeterName . '/certs/' . $fileName;
+                }
                 break;
             case 'simple':
                 if (empty($perimeterName)) {
@@ -403,7 +415,20 @@ class CertificateController
                     header('Location: /dashboard');
                     exit();
                 }
-                $filePath = INTERMEDIATE_CA_PATH_BASE . '/' . $perimeterName . '/certs/' . $fileName;
+                // Vérifier si c'est une demande de clé privée
+                if (str_ends_with($fileName, '.key.pem')) {
+                    if ($this->authService->getUserRole() === 'admin') {
+                        // Pour les certificats simples, la clé est stockée dans le répertoire private du CA intermédiaire qui l'a émis.
+                        $filePath = INTERMEDIATE_CA_PATH_BASE . '/' . $perimeterName . '/private/' . $fileName;
+                    } else {
+                        $_SESSION['error'] = 'Unauthorized to download simple certificate key.';
+                        $this->logService->log('error', "Unauthorized attempt to download simple certificate key by user ID: {$userId} for perimeter {$perimeterName}, file {$fileName}", $userId, $ipAddress);
+                        header('Location: /dashboard');
+                        exit();
+                    }
+                } else { // C'est une demande de certificat
+                    $filePath = INTERMEDIATE_CA_PATH_BASE . '/' . $perimeterName . '/certs/' . $fileName;
+                }
                 break;
             default:
                 $_SESSION['error'] = 'Invalid certificate type for download.';
diff --git a/app/src/Views/dashboard/index.php b/app/src/Views/dashboard/index.php
index 54c5eef..d61e5a4 100644
--- a/app/src/Views/dashboard/index.php
+++ b/app/src/Views/dashboard/index.php
@@ -56,9 +56,18 @@ require_once APP_ROOT_DIR . '/src/Views/shared/header.php';
                     <div class="intermediate-certificate">
                         <h4><?= htmlspecialchars($intermediate['name']) ?> (<?= htmlspecialchars($translations['perimeter'] ?? 'Perimeter:') ?> <?= htmlspecialchars($intermediate['perimeter_name']) ?>)</h4>
                         <p>
-                            <a href="/certificates/download?type=intermediate&perimeter=<?= urlencode($intermediate['perimeter_name']) ?>&file=intermediate.cert.pem" class="button">
+                            <a href="/certificates/download?type=intermediate&perimeter=<?= urlencode($intermediate['perimeter_name']) ?>&file=<?= urlencode($intermediate['name']) ?>" class="button">
                                 <?= htmlspecialchars($translations['download_certificate_pem'] ?? 'Download Certificate (.pem)') ?>
                             </a>
+                            <?php if (isset($userRole) && $userRole === 'admin'): ?>
+                                <?php
+                                // Suppose que le nom du fichier clé est le nom du cert avec .key.pem au lieu de .cert.pem
+                                $intermediateKeyName = str_replace('.cert.pem', '.key.pem', $intermediate['name']);
+                                ?>
+                                <a href="/certificates/download?type=intermediate&perimeter=<?= urlencode($intermediate['perimeter_name']) ?>&file=<?= urlencode($intermediateKeyName) ?>" class="button" style="margin-left: 10px;">
+                                    <?= htmlspecialchars($translations['download_private_key'] ?? 'Télécharger Clé Privée (.key)') ?>
+                                </a>
+                            <?php endif; ?>
                         </p>
 
                         <h5><?= htmlspecialchars($translations['associated_final_certificates_title'] ?? 'Associated Final Certificates') ?></h5>
@@ -74,6 +83,15 @@ require_once APP_ROOT_DIR . '/src/Views/shared/header.php';
                                             <a href="/certificates/download?type=simple&perimeter=<?= urlencode($intermediate['perimeter_name']) ?>&file=<?= urlencode($finalCert['name']) ?>" class="button download-button-small">
                                                 <?= htmlspecialchars($translations['download_certificate_pem'] ?? 'Download Certificate (.pem)') ?>
                                             </a>
+                                            <?php if (isset($userRole) && $userRole === 'admin'): ?>
+                                                <?php
+                                                // Suppose que le nom du fichier clé est le nom du cert avec .key.pem au lieu de .cert.pem
+                                                $finalKeyName = str_replace('.cert.pem', '.key.pem', $finalCert['name']);
+                                                ?>
+                                                <a href="/certificates/download?type=simple&perimeter=<?= urlencode($intermediate['perimeter_name']) ?>&file=<?= urlencode($finalKeyName) ?>" class="button download-button-small" style="margin-left: 5px;">
+                                                    <?= htmlspecialchars($translations['download_private_key'] ?? 'Télécharger Clé Privée (.key)') ?>
+                                                </a>
+                                            <?php endif; ?>
                                         </p>
                                     </li>
                                 <?php endforeach; ?>