2011-01-24 20:30:10 +01:00
|
|
|
<?php
|
|
|
|
|
|
Rename Conduit classes
Summary: Ref T5655. Rename Conduit classes and provide a `getAPIMethodName` method to declare the API method.
Test Plan:
```
> echo '{}' | arc --conduit-uri='http://phabricator.joshuaspence.com' call-conduit user.whoami
Waiting for JSON parameters on stdin...
{"error":null,"errorMessage":null,"response":{"phid":"PHID-USER-lioqffnwn6y475mu5ndb","userName":"josh","realName":"Joshua Spence","image":"http:\/\/phabricator.joshuaspence.com\/res\/1404425321T\/phabricator\/3eb28cd9\/rsrc\/image\/avatar.png","uri":"http:\/\/phabricator.joshuaspence.com\/p\/josh\/","roles":["admin","verified","approved","activated"]}}
```
Reviewers: epriestley, #blessed_reviewers
Reviewed By: epriestley, #blessed_reviewers
Subscribers: epriestley, Korvin, hach-que
Maniphest Tasks: T5655
Differential Revision: https://secure.phabricator.com/D9991
2014-07-25 02:54:15 +02:00
|
|
|
final class ConduitConnectConduitAPIMethod extends ConduitAPIMethod {
|
|
|
|
|
|
|
|
|
|
public function getAPIMethodName() {
|
|
|
|
|
return 'conduit.connect';
|
|
|
|
|
}
|
2011-01-24 20:30:10 +01:00
|
|
|
|
2011-02-06 07:36:21 +01:00
|
|
|
public function shouldRequireAuthentication() {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
Create AphrontWriteGuard, a backup mechanism for CSRF validation
Summary:
Provide a catchall mechanism to find unprotected writes.
- Depends on D758.
- Similar to WriteOnHTTPGet stuff from Facebook's stack.
- Since we have a small number of storage mechanisms and highly structured
read/write pathways, we can explicitly answer the question "is this page
performing a write?".
- Never allow writes without CSRF checks.
- This will probably break some things. That's fine: they're CSRF
vulnerabilities or weird edge cases that we can fix. But don't push to Facebook
for a few days unless you're prepared to deal with this.
- **>>> MEGADERP: All Conduit write APIs are currently vulnerable to CSRF!
<<<**
Test Plan:
- Ran some scripts that perform writes (scripts/search indexers), no issues.
- Performed normal CSRF submits.
- Added writes to an un-CSRF'd page, got an exception.
- Executed conduit methods.
- Did login/logout (this works because the logged-out user validates the
logged-out csrf "token").
- Did OAuth login.
- Did OAuth registration.
Reviewers: pedram, andrewjcg, erling, jungejason, tuomaspelkonen, aran,
codeblock
Commenters: pedram
CC: aran, epriestley, pedram
Differential Revision: 777
2011-08-03 20:49:27 +02:00
|
|
|
public function shouldAllowUnguardedWrites() {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-24 20:30:10 +01:00
|
|
|
public function getMethodDescription() {
|
2014-06-09 20:36:49 +02:00
|
|
|
return 'Connect a session-based client.';
|
2011-01-24 20:30:10 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function defineParamTypes() {
|
|
|
|
|
return array(
|
|
|
|
|
'client' => 'required string',
|
|
|
|
|
'clientVersion' => 'required int',
|
|
|
|
|
'clientDescription' => 'optional string',
|
|
|
|
|
'user' => 'optional string',
|
2011-02-06 07:36:21 +01:00
|
|
|
'authToken' => 'optional int',
|
|
|
|
|
'authSignature' => 'optional string',
|
2014-06-24 02:41:02 +02:00
|
|
|
'host' => 'deprecated',
|
2011-01-24 20:30:10 +01:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function defineReturnType() {
|
|
|
|
|
return 'dict<string, any>';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function defineErrorTypes() {
|
|
|
|
|
return array(
|
2014-06-09 20:36:49 +02:00
|
|
|
'ERR-BAD-VERSION' =>
|
|
|
|
|
'Client/server version mismatch. Upgrade your server or downgrade '.
|
|
|
|
|
'your client.',
|
|
|
|
|
'NEW-ARC-VERSION' =>
|
|
|
|
|
'Client/server version mismatch. Upgrade your client.',
|
|
|
|
|
'ERR-UNKNOWN-CLIENT' =>
|
|
|
|
|
'Client is unknown.',
|
|
|
|
|
'ERR-INVALID-USER' =>
|
|
|
|
|
'The username you are attempting to authenticate with is not valid.',
|
|
|
|
|
'ERR-INVALID-CERTIFICATE' =>
|
|
|
|
|
'Your authentication certificate for this server is invalid.',
|
|
|
|
|
'ERR-INVALID-TOKEN' =>
|
2011-02-06 07:36:21 +01:00
|
|
|
"The challenge token you are authenticating with is outside of the ".
|
|
|
|
|
"allowed time range. Either your system clock is out of whack or ".
|
|
|
|
|
"you're executing a replay attack.",
|
2014-06-09 20:36:49 +02:00
|
|
|
'ERR-NO-CERTIFICATE' => 'This server requires authentication.',
|
2011-01-24 20:30:10 +01:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected function execute(ConduitAPIRequest $request) {
|
|
|
|
|
$client = $request->getValue('client');
|
|
|
|
|
$client_version = (int)$request->getValue('clientVersion');
|
|
|
|
|
$client_description = (string)$request->getValue('clientDescription');
|
2014-02-25 21:35:03 +01:00
|
|
|
// TODO: This should be character-oriented, not display-oriented.
|
|
|
|
|
// See T3307.
|
|
|
|
|
$client_description = phutil_utf8_shorten($client_description, 255);
|
2011-02-06 07:36:21 +01:00
|
|
|
$username = (string)$request->getValue('user');
|
2011-01-24 20:30:10 +01:00
|
|
|
|
|
|
|
|
// Log the connection, regardless of the outcome of checks below.
|
|
|
|
|
$connection = new PhabricatorConduitConnectionLog();
|
|
|
|
|
$connection->setClient($client);
|
|
|
|
|
$connection->setClientVersion($client_version);
|
|
|
|
|
$connection->setClientDescription($client_description);
|
2011-02-06 07:36:21 +01:00
|
|
|
$connection->setUsername($username);
|
2011-01-24 20:30:10 +01:00
|
|
|
$connection->save();
|
|
|
|
|
|
|
|
|
|
switch ($client) {
|
|
|
|
|
case 'arc':
|
2012-12-04 02:58:01 +01:00
|
|
|
$server_version = 6;
|
2012-05-22 01:43:43 +02:00
|
|
|
$supported_versions = array(
|
|
|
|
|
$server_version => true,
|
2012-12-04 02:58:01 +01:00
|
|
|
// Client version 5 introduced "user.query" call
|
2012-05-22 01:43:43 +02:00
|
|
|
4 => true,
|
2012-12-04 02:58:01 +01:00
|
|
|
// Client version 6 introduced "diffusion.getlintmessages" call
|
|
|
|
|
5 => true,
|
2012-05-22 01:43:43 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (empty($supported_versions[$client_version])) {
|
|
|
|
|
if ($server_version < $client_version) {
|
|
|
|
|
$ex = new ConduitException('ERR-BAD-VERSION');
|
|
|
|
|
$ex->setErrorDescription(
|
|
|
|
|
"Your 'arc' client version is '{$client_version}', which ".
|
|
|
|
|
"is newer than the server version, '{$server_version}'. ".
|
|
|
|
|
"Upgrade your Phabricator install.");
|
|
|
|
|
} else {
|
|
|
|
|
$ex = new ConduitException('NEW-ARC-VERSION');
|
|
|
|
|
$ex->setErrorDescription(
|
|
|
|
|
"A new version of arc is available! You need to upgrade ".
|
|
|
|
|
"to connect to this server (you are running version ".
|
|
|
|
|
"{$client_version}, the server is running version ".
|
|
|
|
|
"{$server_version}).");
|
|
|
|
|
}
|
|
|
|
|
throw $ex;
|
2011-01-24 20:30:10 +01:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2011-04-14 03:56:32 +02:00
|
|
|
// Allow new clients by default.
|
|
|
|
|
break;
|
2011-01-24 20:30:10 +01:00
|
|
|
}
|
|
|
|
|
|
2011-02-06 07:36:21 +01:00
|
|
|
$token = $request->getValue('authToken');
|
|
|
|
|
$signature = $request->getValue('authSignature');
|
|
|
|
|
|
2014-07-10 00:12:48 +02:00
|
|
|
$user = id(new PhabricatorUser())->loadOneWhere('username = %s', $username);
|
2011-02-06 07:36:21 +01:00
|
|
|
if (!$user) {
|
|
|
|
|
throw new ConduitException('ERR-INVALID-USER');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$session_key = null;
|
|
|
|
|
if ($token && $signature) {
|
2013-08-02 16:38:59 +02:00
|
|
|
$threshold = 60 * 15;
|
|
|
|
|
$now = time();
|
|
|
|
|
if (abs($token - $now) > $threshold) {
|
|
|
|
|
throw id(new ConduitException('ERR-INVALID-TOKEN'))
|
|
|
|
|
->setErrorDescription(
|
|
|
|
|
pht(
|
2014-06-09 20:36:49 +02:00
|
|
|
'The request you submitted is signed with a timestamp, but that '.
|
|
|
|
|
'timestamp is not within %s of the current time. The '.
|
|
|
|
|
'signed timestamp is %s (%s), and the current server time is '.
|
|
|
|
|
'%s (%s). This is a difference of %s seconds, but the '.
|
|
|
|
|
'timestamp must differ from the server time by no more than '.
|
|
|
|
|
'%s seconds. Your client or server clock may not be set '.
|
|
|
|
|
'correctly.',
|
2014-07-13 04:03:17 +02:00
|
|
|
phutil_format_relative_time($threshold),
|
2013-08-02 16:38:59 +02:00
|
|
|
$token,
|
|
|
|
|
date('r', $token),
|
|
|
|
|
$now,
|
|
|
|
|
date('r', $now),
|
|
|
|
|
($token - $now),
|
|
|
|
|
$threshold));
|
2011-02-06 07:36:21 +01:00
|
|
|
}
|
|
|
|
|
$valid = sha1($token.$user->getConduitCertificate());
|
|
|
|
|
if ($valid != $signature) {
|
|
|
|
|
throw new ConduitException('ERR-INVALID-CERTIFICATE');
|
|
|
|
|
}
|
2014-05-01 19:23:02 +02:00
|
|
|
$session_key = id(new PhabricatorAuthSessionEngine())->establishSession(
|
|
|
|
|
PhabricatorAuthSession::TYPE_CONDUIT,
|
|
|
|
|
$user->getPHID(),
|
|
|
|
|
$partial = false);
|
2011-02-06 07:36:21 +01:00
|
|
|
} else {
|
|
|
|
|
throw new ConduitException('ERR-NO-CERTIFICATE');
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-24 20:30:10 +01:00
|
|
|
return array(
|
2011-02-06 07:36:21 +01:00
|
|
|
'connectionID' => $connection->getID(),
|
|
|
|
|
'sessionKey' => $session_key,
|
|
|
|
|
'userPHID' => $user->getPHID(),
|
2011-01-24 20:30:10 +01:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
