OAuth - add concept of "trusted" clients that get auto redirects

Summary: Fixes T7153.

Test Plan:
used `bin/auth trust-oauth-client` and `bin/auth untrust-oauth-client` to set the bit and verify error states.

registered via oauth with `bin/auth trust-oauth-client` set and I did not have the confirmation screen
registered via oauth with `bin/auth untrust-oauth-client` set and I did have the confirmation screen

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7153

Differential Revision: https://secure.phabricator.com/D11724

resources/sql/autopatches/20150209.oauthclient.trust.sql

@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
+  ADD isTrusted TINYINT(1) NOT NULL DEFAULT '0' AFTER creatorPHID;

src/__phutil_library_map__.php

@@ -1353,6 +1353,8 @@ phutil_register_library_map(array(
     'PhabricatorAuthManagementRecoverWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php',
     'PhabricatorAuthManagementRefreshWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php',
     'PhabricatorAuthManagementStripWorkflow' => 'applications/auth/management/PhabricatorAuthManagementStripWorkflow.php',
+    'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php',
+    'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php',
     'PhabricatorAuthManagementWorkflow' => 'applications/auth/management/PhabricatorAuthManagementWorkflow.php',
     'PhabricatorAuthNeedsApprovalController' => 'applications/auth/controller/PhabricatorAuthNeedsApprovalController.php',
     'PhabricatorAuthNeedsMultiFactorController' => 'applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php',
@@ -4557,6 +4559,8 @@ phutil_register_library_map(array(
     'PhabricatorAuthManagementRecoverWorkflow' => 'PhabricatorAuthManagementWorkflow',
     'PhabricatorAuthManagementRefreshWorkflow' => 'PhabricatorAuthManagementWorkflow',
     'PhabricatorAuthManagementStripWorkflow' => 'PhabricatorAuthManagementWorkflow',
+    'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
+    'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
     'PhabricatorAuthManagementWorkflow' => 'PhabricatorManagementWorkflow',
     'PhabricatorAuthNeedsApprovalController' => 'PhabricatorAuthController',
     'PhabricatorAuthNeedsMultiFactorController' => 'PhabricatorAuthController',

src/applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php

@@ -0,0 +1,62 @@
+<?php
+
+final class PhabricatorAuthManagementTrustOAuthClientWorkflow
+  extends PhabricatorAuthManagementWorkflow {
+
+  protected function didConstruct() {
+    $this
+      ->setName('trust-oauth-client')
+      ->setExamples('**trust-oauth-client** [--id client_id]')
+      ->setSynopsis(
+        pht(
+          'Set Phabricator to trust an OAuth client. Phabricator '.
+          'redirects to trusted OAuth clients that users have authorized '.
+          'without user intervention.'))
+      ->setArguments(
+        array(
+          array(
+            'name' => 'id',
+            'param' => 'id',
+            'help' => pht('The id of the OAuth client.'),
+          ),));
+  }
+
+  public function execute(PhutilArgumentParser $args) {
+    $id = $args->getArg('id');
+
+    if (!$id) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'Specify an OAuth client id with --id.'));
+    }
+
+    $client = id(new PhabricatorOAuthServerClientQuery())
+      ->setViewer($this->getViewer())
+      ->withIDs(array($id))
+      ->executeOne();
+
+    if (!$client) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'Failed to find an OAuth client with id %s.', $id));
+    }
+
+    if ($client->getIsTrusted()) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'Phabricator already trusts OAuth client "%s".',
+          $client->getName()));
+    }
+
+    $client->setIsTrusted(1);
+    $client->save();
+
+    $console = PhutilConsole::getConsole();
+    $console->writeOut(
+      "%s\n",
+      pht(
+        'Updated; Phabricator trusts OAuth client %s.',
+        $client->getName()));
+  }
+
+}

src/applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php

@@ -0,0 +1,62 @@
+<?php
+
+final class PhabricatorAuthManagementUntrustOAuthClientWorkflow
+  extends PhabricatorAuthManagementWorkflow {
+
+  protected function didConstruct() {
+    $this
+      ->setName('untrust-oauth-client')
+      ->setExamples('**untrust-oauth-client** [--id client_id]')
+      ->setSynopsis(
+        pht(
+          'Set Phabricator to not trust an OAuth client. Phabricator '.
+          'redirects to trusted OAuth clients that users have authorized '.
+          'without user intervention.'))
+      ->setArguments(
+        array(
+          array(
+            'name' => 'id',
+            'param' => 'id',
+            'help' => pht('The id of the OAuth client.'),
+          ),));
+  }
+
+  public function execute(PhutilArgumentParser $args) {
+    $id = $args->getArg('id');
+
+    if (!$id) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'Specify an OAuth client id with --id.'));
+    }
+
+    $client = id(new PhabricatorOAuthServerClientQuery())
+      ->setViewer($this->getViewer())
+      ->withIDs(array($id))
+      ->executeOne();
+
+    if (!$client) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'Failed to find an OAuth client with id %s.', $id));
+    }
+
+    if (!$client->getIsTrusted()) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'Phabricator already does not trust OAuth client "%s".',
+          $client->getName()));
+    }
+
+    $client->setIsTrusted(0);
+    $client->save();
+
+    $console = PhutilConsole::getConsole();
+    $console->writeOut(
+      "%s\n",
+      pht(
+        'Updated; Phabricator does not trust OAuth client %s.',
+        $client->getName()));
+  }
+
+}

src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php

@@ -182,6 +182,12 @@ final class PhabricatorOAuthServerAuthController
           'state' => $state,
         ));
 
+      if ($client->getIsTrusted()) {
+        return id(new AphrontRedirectResponse())
+          ->setIsExternal(true)
+          ->setURI((string)$full_uri);
+      }
+
       // TODO: It would be nice to give the user more options here, like
       // reviewing permissions, canceling the authorization, or aborting
       // the workflow.

src/applications/oauthserver/storage/PhabricatorOAuthServerClient.php

@@ -10,6 +10,7 @@ final class PhabricatorOAuthServerClient
   protected $name;
   protected $redirectURI;
   protected $creatorPHID;
+  protected $isTrusted = 0;
   protected $viewPolicy;
   protected $editPolicy;
 
@@ -40,6 +41,7 @@ final class PhabricatorOAuthServerClient
         'name' => 'text255',
         'secret' => 'text32',
         'redirectURI' => 'text255',
+        'isTrusted' => 'bool',
       ),
       self::CONFIG_KEY_SCHEMA => array(
         'key_phid' => null,