revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-02-08 12:58:31 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/auth/management/PhabricatorAuthManagementStripWorkflow.php

223 lines
6.7 KiB
PHP
Raw Normal View History

Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
<?php
final class PhabricatorAuthManagementStripWorkflow
extends PhabricatorAuthManagementWorkflow {
protected function didConstruct() {
$this
->setName('strip')
->setExamples('**strip** [--user username] [--type type]')
phtize all the things Summary: `pht`ize a whole bunch of strings in rP. Test Plan: Intense eyeballing. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: hach-que, Korvin, epriestley Differential Revision: https://secure.phabricator.com/D12797
2015-05-22 17:27:56 +10:00
->setSynopsis(pht('Remove multi-factor authentication from an account.'))
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
->setArguments(
array(
array(
'name' => 'user',
'param' => 'username',
'repeat' => true,
'help' => pht('Strip factors from specified users.'),
),
array(
'name' => 'all-users',
'help' => pht('Strip factors from all users.'),
),
array(
'name' => 'type',
'param' => 'factortype',
'repeat' => true,
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
'help' => pht(
'Strip a specific factor type. Use `bin/auth list-factors` for '.
'a list of factor types.'),
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
),
array(
'name' => 'all-types',
'help' => pht('Strip all factors, regardless of type.'),
),
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
array(
'name' => 'provider',
'param' => 'phid',
'repeat' => true,
'help' => pht(
'Strip factors for a specific provider. Use '.
'`bin/auth list-mfa-providers` for a list of providers.'),
),
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
array(
'name' => 'force',
'help' => pht('Strip factors without prompting.'),
),
array(
'name' => 'dry-run',
'help' => pht('Show factors, but do not strip them.'),
),
));
}
public function execute(PhutilArgumentParser $args) {
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$viewer = $this->getViewer();
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
$usernames = $args->getArg('user');
$all_users = $args->getArg('all-users');
if ($usernames && $all_users) {
throw new PhutilArgumentUsageException(
pht(
phtize all the things Summary: `pht`ize a whole bunch of strings in rP. Test Plan: Intense eyeballing. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: hach-que, Korvin, epriestley Differential Revision: https://secure.phabricator.com/D12797
2015-05-22 17:27:56 +10:00
'Specify either specific users with %s, or all users with '.
'%s, but not both.',
'--user',
'--all-users'));
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
} else if (!$usernames && !$all_users) {
throw new PhutilArgumentUsageException(
pht(
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
'Use "--user <username>" to specify which user to strip factors '.
'from, or "--all-users" to strip factors from all users.'));
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
} else if ($usernames) {
$users = id(new PhabricatorPeopleQuery())
->setViewer($this->getViewer())
->withUsernames($usernames)
->execute();
$users_by_username = mpull($users, null, 'getUsername');
foreach ($usernames as $username) {
if (empty($users_by_username[$username])) {
throw new PhutilArgumentUsageException(
pht(
'No user exists with username "%s".',
$username));
}
}
} else {
$users = null;
}
$types = $args->getArg('type');
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$provider_phids = $args->getArg('provider');
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
$all_types = $args->getArg('all-types');
if ($types && $all_types) {
throw new PhutilArgumentUsageException(
pht(
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
'Specify either specific factors with "--type", or all factors with '.
'"--all-types", but not both.'));
} else if ($provider_phids && $all_types) {
throw new PhutilArgumentUsageException(
pht(
'Specify either specific factors with "--provider", or all factors '.
'with "--all-types", but not both.'));
} else if (!$types && !$all_types && !$provider_phids) {
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
throw new PhutilArgumentUsageException(
pht(
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
'Use "--type <type>" or "--provider <phid>" to specify which '.
'factors to strip, or "--all-types" to strip all factors. '.
'Use `bin/auth list-factors` to show the available factor types '.
'or `bin/auth list-mfa-providers` to show available providers.'));
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
}
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$type_map = PhabricatorAuthFactor::getAllFactors();
if ($types) {
foreach ($types as $type) {
if (!isset($type_map[$type])) {
throw new PhutilArgumentUsageException(
pht(
'Factor type "%s" is unknown. Use `bin/auth list-factors` to '.
'get a list of known factor types.',
$type));
}
}
}
$provider_query = id(new PhabricatorAuthFactorProviderQuery())
->setViewer($viewer);
if ($provider_phids) {
$provider_query->withPHIDs($provider_phids);
}
if ($types) {
$provider_query->withProviderFactorKeys($types);
}
$providers = $provider_query->execute();
$providers = mpull($providers, null, 'getPHID');
if ($provider_phids) {
foreach ($provider_phids as $provider_phid) {
if (!isset($providers[$provider_phid])) {
throw new PhutilArgumentUsageException(
pht(
'No provider with PHID "%s" exists. '.
'Use `bin/auth list-mfa-providers` to list providers.',
$provider_phid));
}
}
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
} else {
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
if (!$providers) {
throw new PhutilArgumentUsageException(
pht(
'There are no configured multi-factor providers.'));
}
}
$factor_query = id(new PhabricatorAuthFactorConfigQuery())
->setViewer($viewer)
->withFactorProviderPHIDs(array_keys($providers));
if ($users) {
$factor_query->withUserPHIDs(mpull($users, 'getPHID'));
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
}
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$factors = $factor_query->execute();
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
if (!$factors) {
throw new PhutilArgumentUsageException(
pht('There are no matching factors to strip.'));
}
$handles = id(new PhabricatorHandleQuery())
->setViewer($this->getViewer())
->withPHIDs(mpull($factors, 'getUserPHID'))
->execute();
$console = PhutilConsole::getConsole();
Change double quotes to single quotes. Summary: Ran `arc lint --apply-patches --everything` over rP, mainly to change double quotes to single quotes where appropriate. These changes also validate that the `ArcanistXHPASTLinter::LINT_DOUBLE_QUOTE` rule is working as expected. Test Plan: Eyeballed it. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: epriestley, Korvin, hach-que Differential Revision: https://secure.phabricator.com/D9431
2014-06-09 11:36:49 -07:00
$console->writeOut("%s\n\n", pht('These auth factors will be stripped:'));
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
foreach ($factors as $factor) {
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$provider = $factor->getFactorProvider();
echo tsprintf(
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
" %s\t%s\t%s\n",
$handles[$factor->getUserPHID()]->getName(),
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$provider->getProviderFactorKey(),
$provider->getDisplayName());
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
}
$is_dry_run = $args->getArg('dry-run');
if ($is_dry_run) {
$console->writeOut(
"\n%s\n",
pht('End of dry run.'));
return 0;
}
$force = $args->getArg('force');
if (!$force) {
if (!$console->confirm(pht('Strip these authentication factors?'))) {
throw new PhutilArgumentUsageException(
pht('User aborted the workflow.'));
}
}
$console->writeOut("%s\n", pht('Stripping authentication factors...'));
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$engine = new PhabricatorDestructionEngine();
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
foreach ($factors as $factor) {
Update `bin/auth` MFA commands for the new "MFA Provider" indirection layer Summary: Ref T13222. This updates the CLI tools and documentation for the changes in D19975. The flags `--type` and `--all-types` retain their current meaning. In most cases, `bin/auth strip --type totp` is sufficient and you don't need to bother looking up the relevant provider PHID. The existing `bin/auth list-factors` is also unchanged. The new `--provider` flag allows you to select configs from a particular provider in a more granular way. The new `bin/auth list-mfa-providers` provides an easy way to get PHIDs. (In the Phacility cluster, the "Strip MFA" action just reaches into the database and deletes rows manually, so this isn't terribly important. I verified that the code should still work properly.) Test Plan: - Ran `bin/auth list-mfa-providers`. - Stripped by user / type / provider. - Grepped for `list-factors` and `auth strip`. - Hit all (?) of the various possible error cases. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19976
2019-01-15 13:34:31 -08:00
$engine->destroyObject($factor);
Add `bin/auth list-factors` and `bin/auth strip` to remove multi-factor auth Summary: Ref T4398. The major goals here is to let administrators strip auth factors in two cases: - A user lost their phone and needs access restored to their account; or - an install previously used an API-based factor like SMS, but want to stop supporting it (this isn't possible today). Test Plan: - Used `bin/auth list-factors` to show installed factors. - Used `bin/auth strip` with various mixtures of flags to selectively choose and strip factors from accounts. - Also ran `bin/auth refresh` to verify refreshing OAuth tokens works (small `OAuth` vs `OAuth2` tweak). Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8909
2014-04-30 14:30:00 -07:00
}
$console->writeOut("%s\n", pht('Done.'));
return 0;
}
}
Copy permalink