<?php

final class PhabricatorSSHKeysSettingsPanel extends PhabricatorSettingsPanel {

  public function isEditableByAdministrators() {
    return true;
  }

  public function getPanelKey() {
    return 'ssh';
  }

  public function getPanelName() {
    return pht('SSH Public Keys');
  }

  public function getPanelGroup() {
    return pht('Authentication');
  }

  public function isEnabled() {
    if ($this->getUser()->getIsMailingList()) {
      return false;
    }

    return true;
  }

  public function processRequest(AphrontRequest $request) {
    $user = $this->getUser();
    $viewer = $request->getUser();

Add a query/policy layer on top of SSH keys for Almanac
Summary:
Ref T5833. Currently, SSH keys are associated only with users, and are a bit un-modern. I want to let Almanac Devices have SSH keys so devices in a cluster can identify to one another.
For example, with hosted installs, initialization will go something like this:
- A request comes in for `company.phacility.com`.
- A SiteSource (from D10787) makes a Conduit call to Almanac on the master install to check if `company` is a valid install and pull config if it is.
- This call can be signed with an SSH key which identifies a trusted Almanac Device.
In the cluster case, a web host can make an authenticated call to a repository host with similar key signing.
To move toward this, put a proper Query class on top of SSH key access (this diff). In following diffs, I'll:
- Rename `userPHID` to `objectPHID`.
- Move this to the `auth` database.
- Provide UI for device/key association.
An alternative approach would be to build some kind of special token layer in Conduit, but I think that would be a lot harder to manage in the hosting case. This gives us a more direct attack on trusting requests from machines and recognizing machines as first (well, sort of second-class) actors without needing things like fake user accounts.
Test Plan:
- Added and removed SSH keys.
- Added and removed SSH keys from a bot account.
- Tried to edit an unowned SSH key (denied).
- Ran `bin/ssh-auth`, got sensible output.
- Ran `bin/ssh-auth-key`, got sensible output.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T5833
Differential Revision: https://secure.phabricator.com/D10790
2014-11-06 12:37:02 -08:00
    $keys = id(new PhabricatorAuthSSHKeyQuery())
      ->setViewer($viewer)
      ->withObjectPHIDs(array($user->getPHID()))
      ->execute();

    $table = id(new PhabricatorAuthSSHKeyTableView())
      ->setUser($viewer)
      ->setKeys($keys)
      ->setCanEdit(true)
      ->setNoDataString(pht("You haven't added any SSH Public Keys."));

    $panel = new PHUIObjectBoxView();
    $header = new PHUIHeaderView();

    $upload_button = id(new PHUIButtonView())
      ->setText(pht('Upload Public Key'))
      ->setHref('/auth/sshkey/upload/?objectPHID='.$user->getPHID())
      ->setWorkflow(true)
      ->setTag('a')
      ->setIcon('fa-upload');

    try {
      PhabricatorSSHKeyGenerator::assertCanGenerateKeypair();
      $can_generate = true;
    } catch (Exception $ex) {
      $can_generate = false;
    }

    $generate_button = id(new PHUIButtonView())
      ->setText(pht('Generate Keypair'))
      ->setHref('/auth/sshkey/generate/?objectPHID='.$user->getPHID())
      ->setTag('a')
      ->setWorkflow(true)
      ->setDisabled(!$can_generate)
      ->setIcon('fa-lock');

    $header->setHeader(pht('SSH Public Keys'));
    $header->addActionLink($generate_button);
    $header->addActionLink($upload_button);

    $panel->setHeader($header);
[Redesign] Add Table, Collapse support to ObjectBox
Summary: Converts most all tables to be directly set via `setTable` to an ObjectBox. I think this path is more flexible design wise, as we can change the box based on children, and not just CSS. We also already do this with PropertyList, Forms, ObjectList, and Header. `setCollapsed` is added to ObjectBox to all children objects to bleed to the edges (like diffs).
Test Plan: I did a grep of `appendChild($table)` as well as searches for `PHUIObjectBoxView`, also with manual opening of hundreds of files. I'm sure I missed 5-8 places. If you just appendChild($table) nothing breaks, it just looks a little funny.
Reviewers: epriestley, btrahan
Subscribers: Korvin, epriestley
Differential Revision: https://secure.phabricator.com/D12955
2015-05-20 12:43:34 -07:00
    $panel->setTable($table);

    return $panel;
  }

}