
OAuth - add concept of "trusted" clients that get auto redirects

Summary: Fixes T7153.

Test Plan:
Used `bin/auth trust-oauth-client` and `bin/auth untrust-oauth-client` to set and clear the bit and to verify the error states.

registered via oauth with `bin/auth trust-oauth-client` set and I did not have the confirmation screen
registered via oauth with `bin/auth untrust-oauth-client` set and I did have the confirmation screen

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7153

Differential Revision: https://secure.phabricator.com/D11724
This commit is contained in:
Bob Trahan 2015-02-09 14:23:49 -08:00
parent 7cbdfbee24
commit 03639a7c1e
6 changed files with 138 additions and 0 deletions


@ -0,0 +1,2 @@
ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
ADD isTrusted TINYINT(1) NOT NULL DEFAULT '0' AFTER creatorPHID;


@ -1353,6 +1353,8 @@ phutil_register_library_map(array(
'PhabricatorAuthManagementRecoverWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php',
'PhabricatorAuthManagementRefreshWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php',
'PhabricatorAuthManagementStripWorkflow' => 'applications/auth/management/PhabricatorAuthManagementStripWorkflow.php',
'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php',
'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php',
'PhabricatorAuthManagementWorkflow' => 'applications/auth/management/PhabricatorAuthManagementWorkflow.php',
'PhabricatorAuthNeedsApprovalController' => 'applications/auth/controller/PhabricatorAuthNeedsApprovalController.php',
'PhabricatorAuthNeedsMultiFactorController' => 'applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php',
@ -4557,6 +4559,8 @@ phutil_register_library_map(array(
'PhabricatorAuthManagementRecoverWorkflow' => 'PhabricatorAuthManagementWorkflow',
'PhabricatorAuthManagementRefreshWorkflow' => 'PhabricatorAuthManagementWorkflow',
'PhabricatorAuthManagementStripWorkflow' => 'PhabricatorAuthManagementWorkflow',
'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
'PhabricatorAuthManagementWorkflow' => 'PhabricatorManagementWorkflow',
'PhabricatorAuthNeedsApprovalController' => 'PhabricatorAuthController',
'PhabricatorAuthNeedsMultiFactorController' => 'PhabricatorAuthController',

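--- a/applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php
+++ b/applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php
+<?php
+final class PhabricatorAuthManagementTrustOAuthClientWorkflow
+extends PhabricatorAuthManagementWorkflow {
+protected function didConstruct() {
+$this
+->setName('trust-oauth-client')
+->setExamples('**trust-oauth-client** [--id client_id]')
+->setSynopsis(
+pht(
+'Set Phabricator to trust an OAuth client. Phabricator '.
+'redirects to trusted OAuth clients that users have authorized '.
+'without user intervention.'))
+->setArguments(
+array(
+array(
+'name' => 'id',
+'param' => 'id',
+'help' => pht('The id of the OAuth client.'),
+),));
+}
+public function execute(PhutilArgumentParser $args) {
+$id = $args->getArg('id');
+if (!$id) {
+throw new PhutilArgumentUsageException(
+pht(
+'Specify an OAuth client id with --id.'));
+}
+$client = id(new PhabricatorOAuthServerClientQuery())
+->setViewer($this->getViewer())
+->withIDs(array($id))
+->executeOne();
+if (!$client) {
+throw new PhutilArgumentUsageException(
+pht(
+'Failed to find an OAuth client with id %s.', $id));
+}
+if ($client->getIsTrusted()) {
+throw new PhutilArgumentUsageException(
+pht(
+'Phabricator already trusts OAuth client "%s".',
+$client->getName()));
+}
+$client->setIsTrusted(1);
+$client->save();
+$console = PhutilConsole::getConsole();
+$console->writeOut(
+"%s\n",
+pht(
+'Updated; Phabricator trusts OAuth client %s.',
+$client->getName()));
+}
+}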
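Review bot: The `setExamples('**trust-oauth-client** [--id client_id]')` line brackets `--id` as optional, but `execute()` throws a usage error when it is missing, so the example should read `->setExamples('**trust-oauth-client** --id client_id')`. Because setting this bit removes the only consent screen a user sees before an authorization code is sent to the client (the synopsis says as much), the success message should show the operator what they are trusting rather than just the name: the model stores a `redirectURI`, so printing it alongside the name (presumably via a generated `getRedirectURI()` accessor, worth confirming) lets the operator verify the destination that will from now on be redirected to without confirmation. A short comment above `$client->setIsTrusted(1);` stating the consequence would also help: `// Trusted clients bypass the authorization confirmation dialog; only trust clients whose redirect URI you control.`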

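--- a/applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php
+++ b/applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php
+<?php
+final class PhabricatorAuthManagementUntrustOAuthClientWorkflow
+extends PhabricatorAuthManagementWorkflow {
+protected function didConstruct() {
+$this
+->setName('untrust-oauth-client')
+->setExamples('**untrust-oauth-client** [--id client_id]')
+->setSynopsis(
+pht(
+'Set Phabricator to not trust an OAuth client. Phabricator '.
+'redirects to trusted OAuth clients that users have authorized '.
+'without user intervention.'))
+->setArguments(
+array(
+array(
+'name' => 'id',
+'param' => 'id',
+'help' => pht('The id of the OAuth client.'),
+),));
+}
+public function execute(PhutilArgumentParser $args) {
+$id = $args->getArg('id');
+if (!$id) {
+throw new PhutilArgumentUsageException(
+pht(
+'Specify an OAuth client id with --id.'));
+}
+$client = id(new PhabricatorOAuthServerClientQuery())
+->setViewer($this->getViewer())
+->withIDs(array($id))
+->executeOne();
+if (!$client) {
+throw new PhutilArgumentUsageException(
+pht(
+'Failed to find an OAuth client with id %s.', $id));
+}
+if (!$client->getIsTrusted()) {
+throw new PhutilArgumentUsageException(
+pht(
+'Phabricator already does not trust OAuth client "%s".',
+$client->getName()));
+}
+$client->setIsTrusted(0);
+$client->save();
+$console = PhutilConsole::getConsole();
+$console->writeOut(
+"%s\n",
+pht(
+'Updated; Phabricator does not trust OAuth client %s.',
+$client->getName()));
+}
+}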
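Review bot: This workflow repeats PhabricatorAuthManagementTrustOAuthClientWorkflow nearly line for line; the only differences are the name and synopsis strings, the inverted test at `if (!$client->getIsTrusted())`, and the value passed to `setIsTrusted()`. The `--id` parsing, the query via `PhabricatorOAuthServerClientQuery` and the not-found usage error are identical in both files and would be better as one protected helper on the shared parent PhabricatorAuthManagementWorkflow (which is outside this diff), so that a later fix to client lookup cannot land in one command and not the other. As in the sibling file, `setExamples('**untrust-oauth-client** [--id client_id]')` marks `--id` optional while `execute()` requires it; drop the brackets.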


@ -182,6 +182,12 @@ final class PhabricatorOAuthServerAuthController
'state' => $state,
));
if ($client->getIsTrusted()) {
return id(new AphrontRedirectResponse())
->setIsExternal(true)
->setURI((string)$full_uri);
}
// TODO: It would be nice to give the user more options here, like
// reviewing permissions, canceling the authorization, or aborting
// the workflow.
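Review bot: The early return added at `if ($client->getIsTrusted())` issues an external redirect to `$full_uri` with no user interaction, so for a trusted client the only thing between a crafted authorize link and an authorization code delivered to `$full_uri` is whatever validation of the requested redirect URI against the client's registered `redirectURI` happens earlier in this method, which lies outside the hunk. That precondition should be stated next to the shortcut so a later refactor does not hoist it above the validation: `// Trusted clients skip the confirmation dialog. This is only safe after the redirect URI and the user's existing authorization have been checked above; keep this return below those checks.` If that validation is in fact not performed before this point, the trusted path needs it before the redirect is emitted. The enclosing method starts and ends outside this hunk.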


@ -10,6 +10,7 @@ final class PhabricatorOAuthServerClient
protected $name;
protected $redirectURI;
protected $creatorPHID;
protected $isTrusted = 0;
protected $viewPolicy;
protected $editPolicy;
@ -40,6 +41,7 @@ final class PhabricatorOAuthServerClient
'name' => 'text255',
'secret' => 'text32',
'redirectURI' => 'text255',
'isTrusted' => 'bool',
),
self::CONFIG_KEY_SCHEMA => array(
'key_phid' => null,
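Review bot: The new `protected $isTrusted = 0;` property carries no documentation, and nothing in the model says what a trusted client is allowed to do; since the effect is a security-relevant bypass of the authorization confirmation in PhabricatorOAuthServerAuthController, a one-line comment above the property would help: `// When set, the OAuth server redirects to this client's redirect URI without showing the user the confirmation dialog; only settable via bin/auth trust-oauth-client.` The `'isTrusted' => 'bool'` column schema is consistent with the migration's `TINYINT(1) NOT NULL DEFAULT '0'` and with the property default, so new and existing clients start untrusted. The class definition continues outside both hunks.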