1
0
Fork 0
mirror of https://we.phorge.it/source/arcanist.git synced 2024-12-29 00:40:57 +01:00
phorge-arcanist/scripts/arcanist.php
epriestley 5118987757 Support simpler, token-based Conduit authentication in Arcanist
Summary:
Ref T5955. If the server supports token-based authentication, prefer it over certificate-based authentication.

Also fixes T3117.

Test Plan:
  - Used `arc install-certificate` to install credentials from both token-based and certificate-based hosts.
  - Used `arc list` with a token-based host.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T3117, T2878, T5955

Differential Revision: https://secure.phabricator.com/D10988
2014-12-15 11:12:38 -08:00

657 lines
21 KiB
PHP
Executable file

#!/usr/bin/env php
<?php
sanity_check_environment();
require_once dirname(__FILE__).'/__init_script__.php';
ini_set('memory_limit', -1);
$original_argv = $argv;
$base_args = new PhutilArgumentParser($argv);
$base_args->parseStandardArguments();
$base_args->parsePartial(
array(
array(
'name' => 'load-phutil-library',
'param' => 'path',
'help' => 'Load a libphutil library.',
'repeat' => true,
),
array(
'name' => 'skip-arcconfig',
),
array(
'name' => 'arcrc-file',
'param' => 'filename',
),
array(
'name' => 'conduit-uri',
'param' => 'uri',
'help' => 'Connect to Phabricator install specified by __uri__.',
),
array(
'name' => 'conduit-version',
'param' => 'version',
'help' => '(Developers) Mock client version in protocol handshake.',
),
array(
'name' => 'conduit-timeout',
'param' => 'timeout',
'help' => 'Set Conduit timeout (in seconds).',
),
array(
'name' => 'config',
'param' => 'key=value',
'repeat' => true,
'help' =>
'Specify a runtime configuration value. This will take precedence '.
'over static values, and only affect the current arcanist invocation.',
),
));
$config_trace_mode = $base_args->getArg('trace');
$force_conduit = $base_args->getArg('conduit-uri');
$force_conduit_version = $base_args->getArg('conduit-version');
$conduit_timeout = $base_args->getArg('conduit-timeout');
$skip_arcconfig = $base_args->getArg('skip-arcconfig');
$custom_arcrc = $base_args->getArg('arcrc-file');
$load = $base_args->getArg('load-phutil-library');
$help = $base_args->getArg('help');
$args = array_values($base_args->getUnconsumedArgumentVector());
$working_directory = getcwd();
$console = PhutilConsole::getConsole();
$config = null;
$workflow = null;
try {
$console->writeLog(
"libphutil loaded from '%s'.\n",
phutil_get_library_root('phutil'));
$console->writeLog(
"arcanist loaded from '%s'.\n",
phutil_get_library_root('arcanist'));
if (!$args) {
if ($help) {
$args = array('help');
} else {
throw new ArcanistUsageException("No command provided. Try 'arc help'.");
}
} else if ($help) {
array_unshift($args, 'help');
}
$configuration_manager = new ArcanistConfigurationManager();
if ($custom_arcrc) {
$configuration_manager->setUserConfigurationFileLocation($custom_arcrc);
}
$global_config = $configuration_manager->readUserArcConfig();
$system_config = $configuration_manager->readSystemArcConfig();
$runtime_config = $configuration_manager->applyRuntimeArcConfig($base_args);
if ($skip_arcconfig) {
$working_copy = ArcanistWorkingCopyIdentity::newDummyWorkingCopy();
} else {
$working_copy =
ArcanistWorkingCopyIdentity::newFromPath($working_directory);
}
$configuration_manager->setWorkingCopyIdentity($working_copy);
reenter_if_this_is_arcanist_or_libphutil(
$console,
$working_copy,
$original_argv);
// Load additional libraries, which can provide new classes like configuration
// overrides, linters and lint engines, unit test engines, etc.
// If the user specified "--load-phutil-library" one or more times from
// the command line, we load those libraries **instead** of whatever else
// is configured. This is basically a debugging feature to let you force
// specific libraries to load regardless of the state of the world.
if ($load) {
$console->writeLog(
"Using '--load-phutil-library' flag, configuration will be ignored ".
"and configured libraries will not be loaded."."\n");
// Load the flag libraries. These must load, since the user specified them
// explicitly.
arcanist_load_libraries(
$load,
$must_load = true,
$lib_source = 'a "--load-phutil-library" flag',
$working_copy);
} else {
// Load libraries in system 'load' config. In contrast to global config, we
// fail hard here because this file is edited manually, so if 'arc' breaks
// that doesn't make it any more difficult to correct.
arcanist_load_libraries(
idx($system_config, 'load', array()),
$must_load = true,
$lib_source = 'the "load" setting in system config',
$working_copy);
// Load libraries in global 'load' config, as per "arc set-config load". We
// need to fail softly if these break because errors would prevent the user
// from running "arc set-config" to correct them.
arcanist_load_libraries(
idx($global_config, 'load', array()),
$must_load = false,
$lib_source = 'the "load" setting in global config',
$working_copy);
// Load libraries in ".arcconfig". Libraries here must load.
arcanist_load_libraries(
$working_copy->getProjectConfig('load'),
$must_load = true,
$lib_source = 'the "load" setting in ".arcconfig"',
$working_copy);
// Load libraries in ".arcconfig". Libraries here must load.
arcanist_load_libraries(
idx($runtime_config, 'load', array()),
$must_load = true,
$lib_source = 'the --config "load=[...]" argument',
$working_copy);
}
$user_config = $configuration_manager->readUserConfigurationFile();
$config_class = $working_copy->getProjectConfig('arcanist_configuration');
if ($config_class) {
$config = new $config_class();
} else {
$config = new ArcanistConfiguration();
}
$command = strtolower($args[0]);
$args = array_slice($args, 1);
$workflow = $config->selectWorkflow(
$command,
$args,
$configuration_manager,
$console);
$workflow->setConfigurationManager($configuration_manager);
$workflow->setArcanistConfiguration($config);
$workflow->setCommand($command);
$workflow->setWorkingDirectory($working_directory);
$workflow->parseArguments($args);
// Write the command into the environment so that scripts (for example, local
// Git commit hooks) can detect that they're being run via `arc` and change
// their behaviors.
putenv('ARCANIST='.$command);
if ($force_conduit_version) {
$workflow->forceConduitVersion($force_conduit_version);
}
if ($conduit_timeout) {
$workflow->setConduitTimeout($conduit_timeout);
}
$need_working_copy = $workflow->requiresWorkingCopy();
$need_conduit = $workflow->requiresConduit();
$need_auth = $workflow->requiresAuthentication();
$need_repository_api = $workflow->requiresRepositoryAPI();
$want_repository_api = $workflow->desiresRepositoryAPI();
$want_working_copy = $workflow->desiresWorkingCopy() ||
$want_repository_api;
$need_conduit = $need_conduit ||
$need_auth;
$need_working_copy = $need_working_copy ||
$need_repository_api;
if ($need_working_copy || $want_working_copy) {
if ($need_working_copy && !$working_copy->getVCSType()) {
throw new ArcanistUsageException(
'This command must be run in a Git, Mercurial or Subversion working '.
'copy.');
}
$configuration_manager->setWorkingCopyIdentity($working_copy);
}
if ($force_conduit) {
$conduit_uri = $force_conduit;
} else {
$conduit_uri = $configuration_manager->getConfigFromAnySource(
'phabricator.uri');
if ($conduit_uri === null) {
$conduit_uri = $configuration_manager->getConfigFromAnySource(
'default');
}
}
if ($conduit_uri) {
// Set the URI path to '/api/'. TODO: Originally, I contemplated letting
// you deploy Phabricator somewhere other than the domain root, but ended
// up never pursuing that. We should get rid of all "/api/" silliness
// in things users are expected to configure. This is already happening
// to some degree, e.g. "arc install-certificate" does it for you.
$conduit_uri = new PhutilURI($conduit_uri);
$conduit_uri->setPath('/api/');
$conduit_uri = (string)$conduit_uri;
}
$workflow->setConduitURI($conduit_uri);
// Apply global CA bundle from configs.
$ca_bundle = $configuration_manager->getConfigFromAnySource('https.cabundle');
if ($ca_bundle) {
$ca_bundle = Filesystem::resolvePath(
$ca_bundle, $working_copy->getProjectRoot());
HTTPSFuture::setGlobalCABundleFromPath($ca_bundle);
}
$blind_key = 'https.blindly-trust-domains';
$blind_trust = $configuration_manager->getConfigFromAnySource($blind_key);
if ($blind_trust) {
HTTPSFuture::setBlindlyTrustDomains($blind_trust);
}
if ($need_conduit) {
if (!$conduit_uri) {
$message = phutil_console_format(
"This command requires arc to connect to a Phabricator install, but ".
"no Phabricator installation is configured. To configure a ".
"Phabricator URI:\n\n".
" - set a default location with `arc set-config default <uri>`; or\n".
" - specify '--conduit-uri=uri' explicitly; or\n".
" - run 'arc' in a working copy with an '.arcconfig'.\n");
$message = phutil_console_wrap($message);
throw new ArcanistUsageException($message);
}
$workflow->establishConduit();
}
$hosts_config = idx($user_config, 'hosts', array());
$host_config = idx($hosts_config, $conduit_uri, array());
$user_name = idx($host_config, 'user');
$certificate = idx($host_config, 'cert');
$conduit_token = idx($host_config, 'token');
$description = implode(' ', $original_argv);
$credentials = array(
'user' => $user_name,
'certificate' => $certificate,
'description' => $description,
'token' => $conduit_token,
);
$workflow->setConduitCredentials($credentials);
if ($need_auth) {
if ((!$user_name || !$certificate) && (!$conduit_token)) {
$arc = 'arc';
if ($force_conduit) {
$arc .= csprintf(' --conduit-uri=%s', $conduit_uri);
}
$conduit_domain = id(new PhutilURI($conduit_uri))->getDomain();
throw new ArcanistUsageException(
phutil_console_format(
"YOU NEED TO AUTHENTICATE TO CONTINUE\n\n".
"You are trying to connect to a server ({$conduit_domain}) that you ".
"do not have any credentials stored for.\n\n".
"To retrieve and store credentials for this server, ".
"**run this command:**\n\n".
" $ **{$arc} install-certificate**\n"));
}
$workflow->authenticateConduit();
}
if ($need_repository_api ||
($want_repository_api && $working_copy->getVCSType())) {
$repository_api = ArcanistRepositoryAPI::newAPIFromConfigurationManager(
$configuration_manager);
$workflow->setRepositoryAPI($repository_api);
}
$listeners = $configuration_manager->getConfigFromAnySource(
'events.listeners');
if ($listeners) {
foreach ($listeners as $listener) {
$console->writeLog(
"Registering event listener '%s'.\n",
$listener);
try {
id(new $listener())->register();
} catch (PhutilMissingSymbolException $ex) {
// Continue anyway, since you may otherwise be unable to run commands
// like `arc set-config events.listeners` in order to repair the damage
// you've caused. We're writing out the entire exception here because
// it might not have been triggered by the listener itself (for example,
// the listener might use a bad class in its register() method).
$console->writeErr(
"ERROR: Failed to load event listener '%s': %s\n",
$listener,
$ex->getMessage());
}
}
}
$config->willRunWorkflow($command, $workflow);
$workflow->willRunWorkflow();
try {
$err = $workflow->run();
$config->didRunWorkflow($command, $workflow, $err);
} catch (Exception $e) {
$workflow->finalize();
throw $e;
}
$workflow->finalize();
exit((int)$err);
} catch (ArcanistNoEffectException $ex) {
echo $ex->getMessage()."\n";
} catch (Exception $ex) {
$is_usage = ($ex instanceof ArcanistUsageException);
if ($is_usage) {
echo phutil_console_format(
"**Usage Exception:** %s\n",
$ex->getMessage());
}
if ($config) {
$config->didAbortWorkflow($command, $workflow, $ex);
}
if ($config_trace_mode) {
echo "\n";
throw $ex;
}
if (!$is_usage) {
echo phutil_console_format("**Exception**\n");
while ($ex) {
echo $ex->getMessage()."\n";
if ($ex instanceof PhutilProxyException) {
$ex = $ex->getPreviousException();
} else {
$ex = null;
}
}
echo "(Run with --trace for a full exception trace.)\n";
}
exit(1);
}
/**
* Perform some sanity checks against the possible diversity of PHP builds in
* the wild, like very old versions and builds that were compiled with flags
* that exclude core functionality.
*/
function sanity_check_environment() {
// NOTE: We don't have phutil_is_windows() yet here.
$is_windows = (DIRECTORY_SEPARATOR != '/');
// We use stream_socket_pair() which is not available on Windows earlier.
$min_version = ($is_windows ? '5.3.0' : '5.2.3');
$cur_version = phpversion();
if (version_compare($cur_version, $min_version, '<')) {
die_with_bad_php(
"You are running PHP version '{$cur_version}', which is older than ".
"the minimum version, '{$min_version}'. Update to at least ".
"'{$min_version}'.");
}
if ($is_windows) {
$need_functions = array(
'curl_init' => array('builtin-dll', 'php_curl.dll'),
);
} else {
$need_functions = array(
'curl_init' => array(
'text',
"You need to install the cURL PHP extension, maybe with ".
"'apt-get install php5-curl' or 'yum install php53-curl' or ".
"something similar.",),
'json_decode' => array('flag', '--without-json'),
);
}
$problems = array();
$config = null;
$show_config = false;
foreach ($need_functions as $fname => $resolution) {
if (function_exists($fname)) {
continue;
}
static $info;
if ($info === null) {
ob_start();
phpinfo(INFO_GENERAL);
$info = ob_get_clean();
$matches = null;
if (preg_match('/^Configure Command =>\s*(.*?)$/m', $info, $matches)) {
$config = $matches[1];
}
}
$generic = true;
list($what, $which) = $resolution;
if ($what == 'flag' && strpos($config, $which) !== false) {
$show_config = true;
$generic = false;
$problems[] =
"This build of PHP was compiled with the configure flag '{$which}', ".
"which means it does not have the function '{$fname}()'. This ".
"function is required for arc to run. Rebuild PHP without this flag. ".
"You may also be able to build or install the relevant extension ".
"separately.";
}
if ($what == 'builtin-dll') {
$generic = false;
$problems[] =
"Your install of PHP does not have the '{$which}' extension enabled. ".
"Edit your php.ini file and uncomment the line which reads ".
"'extension={$which}'.";
}
if ($what == 'text') {
$generic = false;
$problems[] = $which;
}
if ($generic) {
$problems[] =
"This build of PHP is missing the required function '{$fname}()'. ".
"Rebuild PHP or install the extension which provides '{$fname}()'.";
}
}
if ($problems) {
if ($show_config) {
$problems[] = "PHP was built with this configure command:\n\n{$config}";
}
die_with_bad_php(implode("\n\n", $problems));
}
}
function die_with_bad_php($message) {
echo "\nPHP CONFIGURATION ERRORS\n\n";
echo $message;
echo "\n\n";
exit(1);
}
function arcanist_load_libraries(
$load,
$must_load,
$lib_source,
ArcanistWorkingCopyIdentity $working_copy) {
if (!$load) {
return;
}
if (!is_array($load)) {
$error = "Libraries specified by {$lib_source} are invalid; expected ".
"a list. Check your configuration.";
$console = PhutilConsole::getConsole();
$console->writeErr("WARNING: %s\n", $error);
return;
}
foreach ($load as $location) {
// Try to resolve the library location. We look in several places, in
// order:
//
// 1. Inside the working copy. This is for phutil libraries within the
// project. For instance "library/src" will resolve to
// "./library/src" if it exists.
// 2. In the same directory as the working copy. This allows you to
// check out a library alongside a working copy and reference it.
// If we haven't resolved yet, "library/src" will try to resolve to
// "../library/src" if it exists.
// 3. Using normal libphutil resolution rules. Generally, this means
// that it checks for libraries next to libphutil, then libraries
// in the PHP include_path.
//
// Note that absolute paths will just resolve absolutely through rule (1).
$resolved = false;
// Check inside the working copy. This also checks absolute paths, since
// they'll resolve absolute and just ignore the project root.
$resolved_location = Filesystem::resolvePath(
$location,
$working_copy->getProjectRoot());
if (Filesystem::pathExists($resolved_location)) {
$location = $resolved_location;
$resolved = true;
}
// If we didn't find anything, check alongside the working copy.
if (!$resolved) {
$resolved_location = Filesystem::resolvePath(
$location,
dirname($working_copy->getProjectRoot()));
if (Filesystem::pathExists($resolved_location)) {
$location = $resolved_location;
$resolved = true;
}
}
$console = PhutilConsole::getConsole();
$console->writeLog(
"Loading phutil library from '%s'...\n",
$location);
$error = null;
try {
phutil_load_library($location);
} catch (PhutilBootloaderException $ex) {
$error = "Failed to load phutil library at location '{$location}'. ".
"This library is specified by {$lib_source}. Check that the ".
"setting is correct and the library is located in the right ".
"place.";
if ($must_load) {
throw new ArcanistUsageException($error);
} else {
fwrite(STDERR, phutil_console_wrap('WARNING: '.$error."\n\n"));
}
} catch (PhutilLibraryConflictException $ex) {
if ($ex->getLibrary() != 'arcanist') {
throw $ex;
}
$arc_dir = dirname(dirname(__FILE__));
$error =
"You are trying to run one copy of Arcanist on another copy of ".
"Arcanist. This operation is not supported. To execute Arcanist ".
"operations against this working copy, run './bin/arc' (from the ".
"current working copy) not some other copy of 'arc' (you ran one ".
"from '{$arc_dir}').";
throw new ArcanistUsageException($error);
}
}
}
/**
* NOTE: SPOOKY BLACK MAGIC
*
* When arc is run in a copy of arcanist other than itself, or a copy of
* libphutil other than the one we loaded, reenter the script and force it
* to use the current working directory instead of the default.
*
* In the case of execution inside arcanist/, we force execution of the local
* arc binary.
*
* In the case of execution inside libphutil/, we force the local copy to load
* instead of the one selected by default rules.
*
* @param PhutilConsole Console.
* @param ArcanistWorkingCopyIdentity The current working copy.
* @param array Original arc arguments.
* @return void
*/
function reenter_if_this_is_arcanist_or_libphutil(
PhutilConsole $console,
ArcanistWorkingCopyIdentity $working_copy,
array $original_argv) {
$project_id = $working_copy->getProjectID();
if ($project_id != 'arcanist' && $project_id != 'libphutil') {
// We're not in a copy of arcanist or libphutil.
return;
}
$library_names = array(
'arcanist' => 'arcanist',
'libphutil' => 'phutil',
);
$library_root = phutil_get_library_root($library_names[$project_id]);
$project_root = $working_copy->getProjectRoot();
if (Filesystem::isDescendant($library_root, $project_root)) {
// We're in a copy of arcanist or libphutil, but already loaded the correct
// copy. Continue execution normally.
return;
}
if ($project_id == 'libphutil') {
$console->writeLog(
"This is libphutil! Forcing this copy to load...\n");
$original_argv[0] = dirname(phutil_get_library_root('arcanist')).'/bin/arc';
$libphutil_path = $project_root;
} else {
$console->writeLog(
"This is arcanist! Forcing this copy to run...\n");
$original_argv[0] = $project_root.'/bin/arc';
$libphutil_path = dirname(phutil_get_library_root('phutil'));
}
if (phutil_is_windows()) {
$err = phutil_passthru(
'set ARC_PHUTIL_PATH=%s & %Ls',
$libphutil_path,
$original_argv);
} else {
$err = phutil_passthru(
'ARC_PHUTIL_PATH=%s %Ls',
$libphutil_path,
$original_argv);
}
exit($err);
}