OAuth - add concept of "trusted" clients that get auto redirects
Summary: Fixes T7153. Test Plan: Used `bin/auth trust-oauth-client` and `bin/auth untrust-oauth-client` to set the bit and verify error states. Registered via OAuth with `bin/auth trust-oauth-client` set, and I did not have the confirmation screen. Registered via OAuth with `bin/auth untrust-oauth-client` set, and I did have the confirmation screen. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7153 Differential Revision: https://secure.phabricator.com/D11724
parent
7cbdfbee24
commit
03639a7c1e
6 changed files with 138 additions and 0 deletions
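--- a/resources/sql/autopatches/20150209.oauthclient.trust.sql
+++ b/resources/sql/autopatches/20150209.oauthclient.trust.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
+ADD isTrusted TINYINT(1) NOT NULL DEFAULT '0' AFTER creatorPHID;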
@ -1353,6 +1353,8 @@ phutil_register_library_map(array(
|
|||
'PhabricatorAuthManagementRecoverWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php',
|
||||
'PhabricatorAuthManagementRefreshWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php',
|
||||
'PhabricatorAuthManagementStripWorkflow' => 'applications/auth/management/PhabricatorAuthManagementStripWorkflow.php',
|
||||
'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php',
|
||||
'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php',
|
||||
'PhabricatorAuthManagementWorkflow' => 'applications/auth/management/PhabricatorAuthManagementWorkflow.php',
|
||||
'PhabricatorAuthNeedsApprovalController' => 'applications/auth/controller/PhabricatorAuthNeedsApprovalController.php',
|
||||
'PhabricatorAuthNeedsMultiFactorController' => 'applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php',
|
||||
|
@ -4557,6 +4559,8 @@ phutil_register_library_map(array(
|
|||
'PhabricatorAuthManagementRecoverWorkflow' => 'PhabricatorAuthManagementWorkflow',
|
||||
'PhabricatorAuthManagementRefreshWorkflow' => 'PhabricatorAuthManagementWorkflow',
|
||||
'PhabricatorAuthManagementStripWorkflow' => 'PhabricatorAuthManagementWorkflow',
|
||||
'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
|
||||
'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
|
||||
'PhabricatorAuthManagementWorkflow' => 'PhabricatorManagementWorkflow',
|
||||
'PhabricatorAuthNeedsApprovalController' => 'PhabricatorAuthController',
|
||||
'PhabricatorAuthNeedsMultiFactorController' => 'PhabricatorAuthController',
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
<?php
|
||||
|
||||
final class PhabricatorAuthManagementTrustOAuthClientWorkflow
|
||||
extends PhabricatorAuthManagementWorkflow {
|
||||
|
||||
protected function didConstruct() {
|
||||
$this
|
||||
->setName('trust-oauth-client')
|
||||
->setExamples('**trust-oauth-client** [--id client_id]')
|
||||
->setSynopsis(
|
||||
pht(
|
||||
'Set Phabricator to trust an OAuth client. Phabricator '.
|
||||
'redirects to trusted OAuth clients that users have authorized '.
|
||||
'without user intervention.'))
|
||||
->setArguments(
|
||||
array(
|
||||
array(
|
||||
'name' => 'id',
|
||||
'param' => 'id',
|
||||
'help' => pht('The id of the OAuth client.'),
|
||||
),));
|
||||
}
|
||||
|
||||
public function execute(PhutilArgumentParser $args) {
|
||||
$id = $args->getArg('id');
|
||||
|
||||
if (!$id) {
|
||||
throw new PhutilArgumentUsageException(
|
||||
pht(
|
||||
'Specify an OAuth client id with --id.'));
|
||||
}
|
||||
|
||||
$client = id(new PhabricatorOAuthServerClientQuery())
|
||||
->setViewer($this->getViewer())
|
||||
->withIDs(array($id))
|
||||
->executeOne();
|
||||
|
||||
if (!$client) {
|
||||
throw new PhutilArgumentUsageException(
|
||||
pht(
|
||||
'Failed to find an OAuth client with id %s.', $id));
|
||||
}
|
||||
|
||||
if ($client->getIsTrusted()) {
|
||||
throw new PhutilArgumentUsageException(
|
||||
pht(
|
||||
'Phabricator already trusts OAuth client "%s".',
|
||||
$client->getName()));
|
||||
}
|
||||
|
||||
$client->setIsTrusted(1);
|
||||
$client->save();
|
||||
|
||||
$console = PhutilConsole::getConsole();
|
||||
$console->writeOut(
|
||||
"%s\n",
|
||||
pht(
|
||||
'Updated; Phabricator trusts OAuth client %s.',
|
||||
$client->getName()));
|
||||
}
|
||||
|
||||
}
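Review bot: The success message in execute() identifies the client only by `getName()`, so the operator never sees which redirect endpoint is being granted confirmation-free redirects. Because the trust bit removes the user-facing confirmation step, the output should also show the id and the registered redirect URI, e.g. `pht('Updated; Phabricator trusts OAuth client %s (id %s, redirect URI %s).', $client->getName(), $id, $client->getRedirectURI())`; the accessor is assumed to follow the same pattern as `getName()` for the `redirectURI` property. Separately, `setExamples('**trust-oauth-client** [--id client_id]')` brackets `--id` as if it were optional although execute() rejects a missing id; the untrust workflow has the same example string.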
|
|
@ -0,0 +1,62 @@
|
|||
<?php
|
||||
|
||||
final class PhabricatorAuthManagementUntrustOAuthClientWorkflow
|
||||
extends PhabricatorAuthManagementWorkflow {
|
||||
|
||||
protected function didConstruct() {
|
||||
$this
|
||||
->setName('untrust-oauth-client')
|
||||
->setExamples('**untrust-oauth-client** [--id client_id]')
|
||||
->setSynopsis(
|
||||
pht(
|
||||
'Set Phabricator to not trust an OAuth client. Phabricator '.
|
||||
'redirects to trusted OAuth clients that users have authorized '.
|
||||
'without user intervention.'))
|
||||
->setArguments(
|
||||
array(
|
||||
array(
|
||||
'name' => 'id',
|
||||
'param' => 'id',
|
||||
'help' => pht('The id of the OAuth client.'),
|
||||
),));
|
||||
}
|
||||
|
||||
public function execute(PhutilArgumentParser $args) {
|
||||
$id = $args->getArg('id');
|
||||
|
||||
if (!$id) {
|
||||
throw new PhutilArgumentUsageException(
|
||||
pht(
|
||||
'Specify an OAuth client id with --id.'));
|
||||
}
|
||||
|
||||
$client = id(new PhabricatorOAuthServerClientQuery())
|
||||
->setViewer($this->getViewer())
|
||||
->withIDs(array($id))
|
||||
->executeOne();
|
||||
|
||||
if (!$client) {
|
||||
throw new PhutilArgumentUsageException(
|
||||
pht(
|
||||
'Failed to find an OAuth client with id %s.', $id));
|
||||
}
|
||||
|
||||
if (!$client->getIsTrusted()) {
|
||||
throw new PhutilArgumentUsageException(
|
||||
pht(
|
||||
'Phabricator already does not trust OAuth client "%s".',
|
||||
$client->getName()));
|
||||
}
|
||||
|
||||
$client->setIsTrusted(0);
|
||||
$client->save();
|
||||
|
||||
$console = PhutilConsole::getConsole();
|
||||
$console->writeOut(
|
||||
"%s\n",
|
||||
pht(
|
||||
'Updated; Phabricator does not trust OAuth client %s.',
|
||||
$client->getName()));
|
||||
}
|
||||
|
||||
}
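Review bot: This class repeats the trust workflow's execute() almost line for line; only the flag value, the already-set check and the messages differ. Since both commands change a security-relevant bit, the client lookup and the missing-client handling would be safer in one place, for example a protected helper on `PhabricatorAuthManagementWorkflow` that loads the client by id and throws `PhutilArgumentUsageException` when none is found. That keeps any later hardening of the lookup from landing in one command and not the other.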
|
|
@ -182,6 +182,12 @@ final class PhabricatorOAuthServerAuthController
|
|||
'state' => $state,
|
||||
));
|
||||
|
||||
if ($client->getIsTrusted()) {
|
||||
return id(new AphrontRedirectResponse())
|
||||
->setIsExternal(true)
|
||||
->setURI((string)$full_uri);
|
||||
}
|
||||
|
||||
// TODO: It would be nice to give the user more options here, like
|
||||
// reviewing permissions, canceling the authorization, or aborting
|
||||
// the workflow.
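Review bot: The new early return hands `$full_uri` to an external redirect with the trust bit as the only visible condition, and nothing in the hunk states what guarantees that URI is the client's registered redirect endpoint. `setIsExternal(true)` lets the response leave the install's own domain, so the safety of this branch rests on validation done earlier in the function, which starts outside the hunk. I would add a comment stating the invariant, e.g. `// Trusted clients skip the confirmation dialog; $full_uri is built from the redirect URI already validated against the client's registered URI.`, and confirm that it holds. It is also worth confirming that the branch is reachable only once the user has authorized the client, as the command synopsis describes.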
|
||||
|
|
|
@ -10,6 +10,7 @@ final class PhabricatorOAuthServerClient
|
|||
protected $name;
|
||||
protected $redirectURI;
|
||||
protected $creatorPHID;
|
||||
protected $isTrusted = 0;
|
||||
protected $viewPolicy;
|
||||
protected $editPolicy;
|
||||
|
||||
|
@ -40,6 +41,7 @@ final class PhabricatorOAuthServerClient
|
|||
'name' => 'text255',
|
||||
'secret' => 'text32',
|
||||
'redirectURI' => 'text255',
|
||||
'isTrusted' => 'bool',
|
||||
),
|
||||
self::CONFIG_KEY_SCHEMA => array(
|
||||
'key_phid' => null,
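Review bot: `protected $isTrusted = 0;` carries no hint that this flag removes the user confirmation step, and it appears to get the same kind of accessor as `name` or `redirectURI`. A short comment such as `// Skips the OAuth confirmation dialog; set only via bin/auth trust-oauth-client.` would document the intent next to the secure default. It is also worth confirming that no web or API edit path for OAuth clients writes this field from request data; nothing on this page shows one, so this is a check to make rather than a finding.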
|
||||
|
|