revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-01-09 14:21:02 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/people/storage/PhabricatorUserLog.php

224 lines
6.9 KiB
PHP
Raw Normal View History

Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
<?php
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
final class PhabricatorUserLog extends PhabricatorUserDAO
implements PhabricatorPolicyInterface {
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
const ACTION_LOGIN = 'login';
Require multiple auth factors to establish web sessions Summary: Ref T4398. This prompts users for multi-factor auth on login. Roughly, this introduces the idea of "partial" sessions, which we haven't finished constructing yet. In practice, this means the session has made it through primary auth but not through multi-factor auth. Add a workflow for bringing a partial session up to a full one. Test Plan: - Used Conduit. - Logged in as multi-factor user. - Logged in as no-factor user. - Tried to do non-login-things with a partial session. - Reviewed account activity logs. {F149295} Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8922
2014-05-01 19:23:02 +02:00
const ACTION_LOGIN_PARTIAL = 'login-partial';
const ACTION_LOGIN_FULL = 'login-full';
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
const ACTION_LOGOUT = 'logout';
const ACTION_LOGIN_FAILURE = 'login-fail';
Legalpad - allow for legalpad documents to be required to be signed for using Phabricator Summary: Fixes T7159. Test Plan: Created a legalpad document that needed a signature and I was required to sign it no matter what page I hit. Signed it and things worked! Added a new legalpad document and I had to sign again! Ran unit tests and they passed! Logged out as a user who was roadblocked into signing a bunch of stuff and it worked! Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7159 Differential Revision: https://secure.phabricator.com/D11759
2015-02-13 00:22:56 +01:00
const ACTION_LOGIN_LEGALPAD = 'login-legalpad';
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
const ACTION_RESET_PASSWORD = 'reset-pass';
const ACTION_CREATE = 'create';
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
const ACTION_EDIT = 'edit';
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
const ACTION_ADMIN = 'admin';
bin/accountadmin - allow creation of system accounts and create workflow for system accounts that are in trouble Summary: the former is self explanatory. the latter is necessary for installations that require email verification. since many system agents are given bogus email address there can become a problem where these accounts can't be verified Test Plan: created system agent account from scratch. edited user and toggled system agent accountness. created system agent with unverified email address and verified it. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T1656 Differential Revision: https://secure.phabricator.com/D3401
2012-08-29 20:07:29 +02:00
const ACTION_SYSTEM_AGENT = 'system-agent';
Add "Mailing List" users Summary: Ref T8387. Adds new mailing list users. This doesn't migrate anything yet. I also need to update the "Email Addresses" panel to let administrators change the list address. Test Plan: - Created and edited a mailing list user. - Viewed profile. - Viewed People list. - Searched for lists / nonlists. - Grepped for all uses of `getIsDisabled()` / `getIsSystemAgent()` and added relevant corresponding behaviors. - Hit the web/api/ssh session blocks. Reviewers: btrahan Reviewed By: btrahan Subscribers: eadler, tycho.tatitscheff, epriestley Maniphest Tasks: T8387 Differential Revision: https://secure.phabricator.com/D13123
2015-06-02 17:52:00 +02:00
const ACTION_MAILING_LIST = 'mailing-list';
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
const ACTION_DISABLE = 'disable';
Implement most of the administrative UI for approval queues Summary: Nothing fancy here, just: - UI to show users needing approval. - "Approve" and "Disable" actions. - Send "Approved" email on approve. - "Approve" edit + log operations. - "Wait for Approval" state for users who need approval. There's still no natural way for users to end up not-approved -- you have to write directly to the database. Test Plan: See screenshots. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D7573
2013-11-13 20:24:18 +01:00
const ACTION_APPROVE = 'approve';
Add an administrative tool for deleting users Summary: Allow administrators to delete accounts if they jump through enough hoops. Also remove bogus caption about usernames being uneditable since we let admins edit those too now. Test Plan: Tried to delete myself. Deleted a non-myself user. Reviewers: csilvers, vrana Reviewed By: csilvers CC: aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2767
2012-06-16 02:02:20 +02:00
const ACTION_DELETE = 'delete';
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
"arc install-certificate", server-side components Summary: Provides a new workflow for making it non-horrible to install certificates. Basically you run "arc install-certificate" and then copy/paste a short token off a webpage and it does the ~/.arcrc edits for you. Test Plan: Installed certificates, used bad tokens, hit rate limiting. Reviewed By: aran Reviewers: aran, jungejason, tuomaspelkonen CC: aran Differential Revision: 460
2011-06-14 21:17:14 +02:00
const ACTION_CONDUIT_CERTIFICATE = 'conduit-cert';
const ACTION_CONDUIT_CERTIFICATE_FAILURE = 'conduit-cert-fail';
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
const ACTION_EMAIL_PRIMARY = 'email-primary';
const ACTION_EMAIL_REMOVE = 'email-remove';
const ACTION_EMAIL_ADD = 'email-add';
Move email verification into PhabricatorUserEditor Summary: Both email verify and welcome links now verify email, centralize them and record them in the user activity log. Test Plan: - Followed a "verify email" link and got verified. - Followed a "welcome" (verifying) link. - Followed a "reset" (non-verifying) link. - Looked in the activity log for the verifications. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D9284
2014-06-04 01:45:18 +02:00
const ACTION_EMAIL_VERIFY = 'email-verify';
Add email invites to Phabricator (logic only) Summary: Ref T7152. This builds the core of email invites and implements all the hard logic for them, covering it with a pile of tests. There's no UI to create these yet, so users can't actually get invites (and administrators can't send them). This stuff is a complicated mess because there are so many interactions between accounts, email addresses, email verification, email primary-ness, and user verification. However, I think I got it right and got test coverage everwhere. The degree to which this is exception-driven is a little icky, but I think it's a reasonable way to get the testability we want while still making it hard for callers to get the flow wrong. In particular, I expect there to be at least two callers (one invite flow in the upstream, and one derived invite flow in Instances) so I believe there is merit in burying as much of this logic inside the Engine as is reasonably possible. Test Plan: Unit tests only. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7152 Differential Revision: https://secure.phabricator.com/D11723
2015-02-10 01:12:36 +01:00
const ACTION_EMAIL_REASSIGN = 'email-reassign';
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
const ACTION_CHANGE_PASSWORD = 'change-password';
Allow administrators to change usernames Summary: Give them a big essay about how it's dangerous, but allow them to do it formally. Because the username is part of the password salt, users must change their passwords after a username change. Make password reset links work for already-logged-in-users since there's no reason not to (if you have a reset link, you can log out and use it) and it's much less confusing if you get this email and are already logged in. Depends on: D2651 Test Plan: Changed a user's username to all kinds of crazy things. Clicked reset links in email. Tried to make invalid/nonsense name changes. Reviewers: btrahan, vrana Reviewed By: btrahan CC: aran Maniphest Tasks: T1303 Differential Revision: https://secure.phabricator.com/D2657
2012-06-06 16:09:56 +02:00
const ACTION_CHANGE_USERNAME = 'change-username';
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
Let users review their own account activity logs Summary: Ref T4398. This adds a settings panel for account activity so users can review activity on their own account. Some goals are: - Make it easier for us to develop and support auth and credential information, see T4398. This is the primary driver. - Make it easier for users to understand and review auth and credential information (see T4842 for an example -- this isn't there yet, but builds toward it). - Improve user confidence in security by making logging more apparent and accessible. Minor corresponding changes: - Entering and exiting hisec mode is now logged. - This, sessions, and OAuth authorizations have moved to a new "Sessions and Logs" area, since "Authentication" was getting huge. Test Plan: - Viewed new panel. - Viewed old UI. - Entered/exited hisec and got prompted. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8871
2014-04-28 02:32:09 +02:00
const ACTION_ENTER_HISEC = 'hisec-enter';
const ACTION_EXIT_HISEC = 'hisec-exit';
Make two-factor auth actually work Summary: Ref T4398. Allows auth factors to render and validate when prompted to take a hi-sec action. This has a whole lot of rough edges still (see D8875) but does fundamentally work correctly. Test Plan: - Added two different TOTP factors to my account for EXTRA SECURITY. - Took hisec actions with no auth factors, and with attached auth factors. - Hit all the error/failure states of the hisec entry process. - Verified hisec failures appear in activity logs. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8886
2014-04-28 19:20:54 +02:00
const ACTION_FAIL_HISEC = 'hisec-fail';
Let users review their own account activity logs Summary: Ref T4398. This adds a settings panel for account activity so users can review activity on their own account. Some goals are: - Make it easier for us to develop and support auth and credential information, see T4398. This is the primary driver. - Make it easier for users to understand and review auth and credential information (see T4842 for an example -- this isn't there yet, but builds toward it). - Improve user confidence in security by making logging more apparent and accessible. Minor corresponding changes: - Entering and exiting hisec mode is now logged. - This, sessions, and OAuth authorizations have moved to a new "Sessions and Logs" area, since "Authentication" was getting huge. Test Plan: - Viewed new panel. - Viewed old UI. - Entered/exited hisec and got prompted. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8871
2014-04-28 02:32:09 +02:00
Add multi-factor auth and TOTP support Summary: Ref T4398. This is still pretty rough and isn't exposed in the UI yet, but basically works. Some missing features / areas for improvement: - Rate limiting attempts (see TODO). - Marking tokens used after they're used once (see TODO), maybe. I can't think of ways an attacker could capture a token without also capturing a session, offhand. - Actually turning this on (see TODO). - This workflow is pretty wordy. It would be nice to calm it down a bit. - But also add more help/context to help users figure out what's going on here, I think it's not very obvious if you don't already know what "TOTP" is. - Add admin tool to strip auth factors off an account ("Help, I lost my phone and can't log in!"). - Add admin tool to show users who don't have multi-factor auth? (so you can pester them) - Generate QR codes to make the transfer process easier (they're fairly complicated). - Make the "entering hi-sec" workflow actually check for auth factors and use them correctly. - Turn this on so users can use it. - Adding SMS as an option would be nice eventually. - Adding "password" as an option, maybe? TOTP feels fairly good to me. I'll post a couple of screens... Test Plan: - Added TOTP token with Google Authenticator. - Added TOTP token with Authy. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8875
2014-04-28 18:27:11 +02:00
const ACTION_MULTI_ADD = 'multi-add';
const ACTION_MULTI_REMOVE = 'multi-remove';
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
protected $actorPHID;
protected $userPHID;
protected $action;
protected $oldValue;
protected $newValue;
protected $details = array();
protected $remoteAddr;
protected $session;
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
public static function getActionTypeMap() {
return array(
self::ACTION_LOGIN => pht('Login'),
Require multiple auth factors to establish web sessions Summary: Ref T4398. This prompts users for multi-factor auth on login. Roughly, this introduces the idea of "partial" sessions, which we haven't finished constructing yet. In practice, this means the session has made it through primary auth but not through multi-factor auth. Add a workflow for bringing a partial session up to a full one. Test Plan: - Used Conduit. - Logged in as multi-factor user. - Logged in as no-factor user. - Tried to do non-login-things with a partial session. - Reviewed account activity logs. {F149295} Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8922
2014-05-01 19:23:02 +02:00
self::ACTION_LOGIN_PARTIAL => pht('Login: Partial Login'),
self::ACTION_LOGIN_FULL => pht('Login: Upgrade to Full'),
self::ACTION_LOGIN_FAILURE => pht('Login: Failure'),
Legalpad - allow for legalpad documents to be required to be signed for using Phabricator Summary: Fixes T7159. Test Plan: Created a legalpad document that needed a signature and I was required to sign it no matter what page I hit. Signed it and things worked! Added a new legalpad document and I had to sign again! Ran unit tests and they passed! Logged out as a user who was roadblocked into signing a bunch of stuff and it worked! Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7159 Differential Revision: https://secure.phabricator.com/D11759
2015-02-13 00:22:56 +01:00
self::ACTION_LOGIN_LEGALPAD =>
pht('Login: Signed Required Legalpad Documents'),
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
self::ACTION_LOGOUT => pht('Logout'),
self::ACTION_RESET_PASSWORD => pht('Reset Password'),
self::ACTION_CREATE => pht('Create Account'),
self::ACTION_EDIT => pht('Edit Account'),
self::ACTION_ADMIN => pht('Add/Remove Administrator'),
self::ACTION_SYSTEM_AGENT => pht('Add/Remove System Agent'),
Add "Mailing List" users Summary: Ref T8387. Adds new mailing list users. This doesn't migrate anything yet. I also need to update the "Email Addresses" panel to let administrators change the list address. Test Plan: - Created and edited a mailing list user. - Viewed profile. - Viewed People list. - Searched for lists / nonlists. - Grepped for all uses of `getIsDisabled()` / `getIsSystemAgent()` and added relevant corresponding behaviors. - Hit the web/api/ssh session blocks. Reviewers: btrahan Reviewed By: btrahan Subscribers: eadler, tycho.tatitscheff, epriestley Maniphest Tasks: T8387 Differential Revision: https://secure.phabricator.com/D13123
2015-06-02 17:52:00 +02:00
self::ACTION_MAILING_LIST => pht('Add/Remove Mailing List'),
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
self::ACTION_DISABLE => pht('Enable/Disable'),
self::ACTION_APPROVE => pht('Approve Registration'),
self::ACTION_DELETE => pht('Delete User'),
self::ACTION_CONDUIT_CERTIFICATE
=> pht('Conduit: Read Certificate'),
self::ACTION_CONDUIT_CERTIFICATE_FAILURE
=> pht('Conduit: Read Certificate Failure'),
self::ACTION_EMAIL_PRIMARY => pht('Email: Change Primary'),
self::ACTION_EMAIL_ADD => pht('Email: Add Address'),
self::ACTION_EMAIL_REMOVE => pht('Email: Remove Address'),
Move email verification into PhabricatorUserEditor Summary: Both email verify and welcome links now verify email, centralize them and record them in the user activity log. Test Plan: - Followed a "verify email" link and got verified. - Followed a "welcome" (verifying) link. - Followed a "reset" (non-verifying) link. - Looked in the activity log for the verifications. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D9284
2014-06-04 01:45:18 +02:00
self::ACTION_EMAIL_VERIFY => pht('Email: Verify'),
Add email invites to Phabricator (logic only) Summary: Ref T7152. This builds the core of email invites and implements all the hard logic for them, covering it with a pile of tests. There's no UI to create these yet, so users can't actually get invites (and administrators can't send them). This stuff is a complicated mess because there are so many interactions between accounts, email addresses, email verification, email primary-ness, and user verification. However, I think I got it right and got test coverage everwhere. The degree to which this is exception-driven is a little icky, but I think it's a reasonable way to get the testability we want while still making it hard for callers to get the flow wrong. In particular, I expect there to be at least two callers (one invite flow in the upstream, and one derived invite flow in Instances) so I believe there is merit in burying as much of this logic inside the Engine as is reasonably possible. Test Plan: Unit tests only. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7152 Differential Revision: https://secure.phabricator.com/D11723
2015-02-10 01:12:36 +01:00
self::ACTION_EMAIL_REASSIGN => pht('Email: Reassign'),
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
self::ACTION_CHANGE_PASSWORD => pht('Change Password'),
self::ACTION_CHANGE_USERNAME => pht('Change Username'),
Let users review their own account activity logs Summary: Ref T4398. This adds a settings panel for account activity so users can review activity on their own account. Some goals are: - Make it easier for us to develop and support auth and credential information, see T4398. This is the primary driver. - Make it easier for users to understand and review auth and credential information (see T4842 for an example -- this isn't there yet, but builds toward it). - Improve user confidence in security by making logging more apparent and accessible. Minor corresponding changes: - Entering and exiting hisec mode is now logged. - This, sessions, and OAuth authorizations have moved to a new "Sessions and Logs" area, since "Authentication" was getting huge. Test Plan: - Viewed new panel. - Viewed old UI. - Entered/exited hisec and got prompted. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8871
2014-04-28 02:32:09 +02:00
self::ACTION_ENTER_HISEC => pht('Hisec: Enter'),
self::ACTION_EXIT_HISEC => pht('Hisec: Exit'),
Make two-factor auth actually work Summary: Ref T4398. Allows auth factors to render and validate when prompted to take a hi-sec action. This has a whole lot of rough edges still (see D8875) but does fundamentally work correctly. Test Plan: - Added two different TOTP factors to my account for EXTRA SECURITY. - Took hisec actions with no auth factors, and with attached auth factors. - Hit all the error/failure states of the hisec entry process. - Verified hisec failures appear in activity logs. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8886
2014-04-28 19:20:54 +02:00
self::ACTION_FAIL_HISEC => pht('Hisec: Failed Attempt'),
Add multi-factor auth and TOTP support Summary: Ref T4398. This is still pretty rough and isn't exposed in the UI yet, but basically works. Some missing features / areas for improvement: - Rate limiting attempts (see TODO). - Marking tokens used after they're used once (see TODO), maybe. I can't think of ways an attacker could capture a token without also capturing a session, offhand. - Actually turning this on (see TODO). - This workflow is pretty wordy. It would be nice to calm it down a bit. - But also add more help/context to help users figure out what's going on here, I think it's not very obvious if you don't already know what "TOTP" is. - Add admin tool to strip auth factors off an account ("Help, I lost my phone and can't log in!"). - Add admin tool to show users who don't have multi-factor auth? (so you can pester them) - Generate QR codes to make the transfer process easier (they're fairly complicated). - Make the "entering hi-sec" workflow actually check for auth factors and use them correctly. - Turn this on so users can use it. - Adding SMS as an option would be nice eventually. - Adding "password" as an option, maybe? TOTP feels fairly good to me. I'll post a couple of screens... Test Plan: - Added TOTP token with Google Authenticator. - Added TOTP token with Authy. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8875
2014-04-28 18:27:11 +02:00
self::ACTION_MULTI_ADD => pht('Multi-Factor: Add Factor'),
self::ACTION_MULTI_REMOVE => pht('Multi-Factor: Remove Factor'),
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
);
}
Allow PhabricatorUserLog to store non-user PHIDs Summary: Ref T4310. This is a small step toward separating out the session code so we can establish sessions for `ExternalAccount` and not just `User`. Also fix an issue with strict MySQL and un-admin / un-disable from web UI. Test Plan: Logged in, logged out, admined/de-admin'd user, added email address, checked user log for all those events. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310 Differential Revision: https://secure.phabricator.com/D7953
2014-01-14 20:05:26 +01:00
public static function initializeNewLog(
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
PhabricatorUser $actor = null,
Fix some method signatures Summary: Fix some method signatures so that arguments with default values are at the end of the argument list (see D12418). Test Plan: Eyeballed the callsites. Reviewers: epriestley, #blessed_reviewers, hach-que Reviewed By: epriestley, #blessed_reviewers, hach-que Subscribers: hach-que, Korvin, epriestley Differential Revision: https://secure.phabricator.com/D12782
2015-05-18 22:57:21 +02:00
$object_phid = null,
$action = null) {
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
$log = new PhabricatorUserLog();
if ($actor) {
$log->setActorPHID($actor->getPHID());
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
if ($actor->hasSession()) {
$session = $actor->getSession();
// NOTE: This is a hash of the real session value, so it's safe to
// store it directly in the logs.
$log->setSession($session->getSessionKey());
}
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
}
Allow PhabricatorUserLog to store non-user PHIDs Summary: Ref T4310. This is a small step toward separating out the session code so we can establish sessions for `ExternalAccount` and not just `User`. Also fix an issue with strict MySQL and un-admin / un-disable from web UI. Test Plan: Logged in, logged out, admined/de-admin'd user, added email address, checked user log for all those events. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310 Differential Revision: https://secure.phabricator.com/D7953
2014-01-14 20:05:26 +01:00
$log->setUserPHID((string)$object_phid);
$log->setAction($action);
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
Normalize remote IP addresses when writing to logs, etc Summary: Ref T11939. IPv4 addresses can normally only be written in one way, but IPv6 addresses have several formats. For example, the addresses "FFF::", "FfF::", "fff::", "0ffF::", "0fFf:0::", and "0FfF:0:0:0:0:0:0:0" are all the same address. Normalize all addresses before writing them to logs, etc, so we store the most-preferred form ("fff::", above). Test Plan: Ran an SSH clone over IPv6: ``` $ git fetch ssh://local@::1/diffusion/26/locktopia.git ``` It worked; verified that address read out of `SSH_CLIENT` sensibly. Faked my remote address as a non-preferred-form IPv6 address using `preamble.php`. Failed to login, verified that the preferred-form version of the address appeared in the user activity log. Made IPv6 requests over HTTP: ``` $ curl -H "Host: local.phacility.com" "http://[::1]/" ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T11939 Differential Revision: https://secure.phabricator.com/D16987
2016-12-05 19:25:18 +01:00
$address = PhabricatorEnv::getRemoteAddress();
if ($address) {
$log->remoteAddr = $address->getAddress();
} else {
$log->remoteAddr = '';
}
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
return $log;
}
"arc install-certificate", server-side components Summary: Provides a new workflow for making it non-horrible to install certificates. Basically you run "arc install-certificate" and then copy/paste a short token off a webpage and it does the ~/.arcrc edits for you. Test Plan: Installed certificates, used bad tokens, hit rate limiting. Reviewed By: aran Reviewers: aran, jungejason, tuomaspelkonen CC: aran Differential Revision: 460
2011-06-14 21:17:14 +02:00
public static function loadRecentEventsFromThisIP($action, $timespan) {
Normalize remote IP addresses when writing to logs, etc Summary: Ref T11939. IPv4 addresses can normally only be written in one way, but IPv6 addresses have several formats. For example, the addresses "FFF::", "FfF::", "fff::", "0ffF::", "0fFf:0::", and "0FfF:0:0:0:0:0:0:0" are all the same address. Normalize all addresses before writing them to logs, etc, so we store the most-preferred form ("fff::", above). Test Plan: Ran an SSH clone over IPv6: ``` $ git fetch ssh://local@::1/diffusion/26/locktopia.git ``` It worked; verified that address read out of `SSH_CLIENT` sensibly. Faked my remote address as a non-preferred-form IPv6 address using `preamble.php`. Failed to login, verified that the preferred-form version of the address appeared in the user activity log. Made IPv6 requests over HTTP: ``` $ curl -H "Host: local.phacility.com" "http://[::1]/" ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T11939 Differential Revision: https://secure.phabricator.com/D16987
2016-12-05 19:25:18 +01:00
$address = PhabricatorEnv::getRemoteAddress();
if (!$address) {
return array();
}
"arc install-certificate", server-side components Summary: Provides a new workflow for making it non-horrible to install certificates. Basically you run "arc install-certificate" and then copy/paste a short token off a webpage and it does the ~/.arcrc edits for you. Test Plan: Installed certificates, used bad tokens, hit rate limiting. Reviewed By: aran Reviewers: aran, jungejason, tuomaspelkonen CC: aran Differential Revision: 460
2011-06-14 21:17:14 +02:00
return id(new PhabricatorUserLog())->loadAllWhere(
'action = %s AND remoteAddr = %s AND dateCreated > %d
ORDER BY dateCreated DESC',
$action,
Normalize remote IP addresses when writing to logs, etc Summary: Ref T11939. IPv4 addresses can normally only be written in one way, but IPv6 addresses have several formats. For example, the addresses "FFF::", "FfF::", "fff::", "0ffF::", "0fFf:0::", and "0FfF:0:0:0:0:0:0:0" are all the same address. Normalize all addresses before writing them to logs, etc, so we store the most-preferred form ("fff::", above). Test Plan: Ran an SSH clone over IPv6: ``` $ git fetch ssh://local@::1/diffusion/26/locktopia.git ``` It worked; verified that address read out of `SSH_CLIENT` sensibly. Faked my remote address as a non-preferred-form IPv6 address using `preamble.php`. Failed to login, verified that the preferred-form version of the address appeared in the user activity log. Made IPv6 requests over HTTP: ``` $ curl -H "Host: local.phacility.com" "http://[::1]/" ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T11939 Differential Revision: https://secure.phabricator.com/D16987
2016-12-05 19:25:18 +01:00
$address->getAddress(),
PhabricatorTime::getNow() - $timespan);
"arc install-certificate", server-side components Summary: Provides a new workflow for making it non-horrible to install certificates. Basically you run "arc install-certificate" and then copy/paste a short token off a webpage and it does the ~/.arcrc edits for you. Test Plan: Installed certificates, used bad tokens, hit rate limiting. Reviewed By: aran Reviewers: aran, jungejason, tuomaspelkonen CC: aran Differential Revision: 460
2011-06-14 21:17:14 +02:00
}
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
public function save() {
$this->details['host'] = php_uname('n');
Consolidate HTTP header access Summary: Route all `$_SERVER['HTTP_...']` stuff through AphrontRequest (it would be nice to make this non-static, but the stack is a bit tangled right now...) Test Plan: Verified CSRF and cascading profiling. `var_dump()`'d User-Agent and Referer and verified they are populated and returned correct values when accessed. Restarted server to trigger setup checks. Reviewers: vrana Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D4888
2013-02-10 00:01:57 +01:00
$this->details['user_agent'] = AphrontRequest::getHTTPHeader('User-Agent');
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
return parent::save();
}
Fix visiblity of `LiskDAO::getConfiguration()` Summary: Ref T6822. Test Plan: `grep` Reviewers: epriestley, #blessed_reviewers Reviewed By: epriestley, #blessed_reviewers Subscribers: hach-que, Korvin, epriestley Maniphest Tasks: T6822 Differential Revision: https://secure.phabricator.com/D11370
2015-01-13 20:47:05 +01:00
protected function getConfiguration() {
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
return array(
self::CONFIG_SERIALIZATION => array(
'oldValue' => self::SERIALIZATION_JSON,
'newValue' => self::SERIALIZATION_JSON,
'details' => self::SERIALIZATION_JSON,
),
Generate expected schemata for User/People tables Summary: Ref T1191. Some notes here: - Drops the old LDAP and OAuth info tables. These were migrated to the ExternalAccount table a very long time ago. - Separates surplus/missing keys from other types of surplus/missing things. In the long run, my plan is to have only two notice levels: - Error: something we can't fix (missing database, table, or column; overlong key). - Warning: something we can fix (surplus anything, missing key, bad column type, bad key columns, bad uniqueness, bad collation or charset). - For now, retaining three levels is helpful in generating all the expected scheamta. Test Plan: - Saw ~200 issues resolve, leaving ~1,300. - Grepped for removed tables. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T1191 Differential Revision: https://secure.phabricator.com/D10580
2014-10-01 16:36:47 +02:00
self::CONFIG_COLUMN_SCHEMA => array(
'actorPHID' => 'phid?',
'action' => 'text64',
'remoteAddr' => 'text64',
Upgrade sessions digests to HMAC256, retaining compatibility with old digests Summary: Ref T13222. Ref T13225. We store a digest of the session key in the session table (not the session key itself) so that users with access to this table can't easily steal sessions by just setting their cookies to values from the table. Users with access to the database can //probably// do plenty of other bad stuff (e.g., T13134 mentions digesting Conduit tokens) but there's very little cost to storing digests instead of live tokens. We currently digest session keys with HMAC-SHA1. This is fine, but HMAC-SHA256 is better. Upgrade: - Always write new digests. - We still match sessions with either digest. - When we read a session with an old digest, upgrade it to a new digest. In a few months we can throw away the old code. When we do, installs that skip upgrades for a long time may suffer a one-time logout, but I'll note this in the changelog. We could avoid this by storing `hmac256(hmac1(key))` instead and re-hashing in a migration, but I think the cost of a one-time logout for some tiny subset of users is very low, and worth keeping things simpler in the long run. Test Plan: - Hit a page with an old session, got a session upgrade. - Reviewed sessions in Settings. - Reviewed user logs. - Logged out. - Logged in. - Terminated other sessions individually. - Terminated all other sessions. - Spot checked session table for general sanity. Reviewers: amckinley Reviewed By: amckinley Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam Maniphest Tasks: T13225, T13222 Differential Revision: https://secure.phabricator.com/D19883
2018-12-13 19:52:54 +01:00
'session' => 'text64?',
Generate expected schemata for User/People tables Summary: Ref T1191. Some notes here: - Drops the old LDAP and OAuth info tables. These were migrated to the ExternalAccount table a very long time ago. - Separates surplus/missing keys from other types of surplus/missing things. In the long run, my plan is to have only two notice levels: - Error: something we can't fix (missing database, table, or column; overlong key). - Warning: something we can fix (surplus anything, missing key, bad column type, bad key columns, bad uniqueness, bad collation or charset). - For now, retaining three levels is helpful in generating all the expected scheamta. Test Plan: - Saw ~200 issues resolve, leaving ~1,300. - Grepped for removed tables. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T1191 Differential Revision: https://secure.phabricator.com/D10580
2014-10-01 16:36:47 +02:00
),
self::CONFIG_KEY_SCHEMA => array(
'actorPHID' => array(
'columns' => array('actorPHID', 'dateCreated'),
),
'userPHID' => array(
'columns' => array('userPHID', 'dateCreated'),
),
'action' => array(
'columns' => array('action', 'dateCreated'),
),
'dateCreated' => array(
'columns' => array('dateCreated'),
),
'remoteAddr' => array(
'columns' => array('remoteAddr', 'dateCreated'),
),
'session' => array(
'columns' => array('session', 'dateCreated'),
),
),
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
) + parent::getConfiguration();
}
Modernize user activity logs (ApplicationSearch, policies) Summary: Ref T4398. Ref T4842. I want to let users review their own account activity, partly as a general security measure and partly to make some of the multi-factor stuff easier to build and debug. To support this, implement modern policies and application search. I also removed the "old" and "new" columns from this output, since they had limited utility and revealed email addresses to administrators for some actions. We don't let administrators access email addresses from other UIs, and the value of doing so here seems very small. Test Plan: Used interface to issue a bunch of queries against user logs, got reasonable/expected results. Reviewers: btrahan Reviewed By: btrahan Subscribers: keir, epriestley Maniphest Tasks: T4842, T4398 Differential Revision: https://secure.phabricator.com/D8856
2014-04-28 02:31:35 +02:00
/* -( PhabricatorPolicyInterface )----------------------------------------- */
public function getCapabilities() {
return array(
PhabricatorPolicyCapability::CAN_VIEW,
);
}
public function getPolicy($capability) {
switch ($capability) {
case PhabricatorPolicyCapability::CAN_VIEW:
return PhabricatorPolicies::POLICY_NOONE;
}
}
public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
if ($viewer->getIsAdmin()) {
return true;
}
$viewer_phid = $viewer->getPHID();
if ($viewer_phid) {
$user_phid = $this->getUserPHID();
if ($viewer_phid == $user_phid) {
return true;
}
$actor_phid = $this->getActorPHID();
if ($viewer_phid == $actor_phid) {
return true;
}
}
return false;
}
public function describeAutomaticCapability($capability) {
return array(
pht('Users can view their activity and activity that affects them.'),
pht('Administrators can always view all activity.'),
);
}
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302
2011-05-18 03:42:21 +02:00
}
Copy permalink