Some formatting changes for showing auth provider config guidance

Summary:
Ref T7667. On the road to locking the auth config, also clean up some minor UI issues:

* Only show the warning about not Phacility instance auth if the user isn't a manager (see next diff).
* When rendering more than one warning in the guidance, add bullets.
* I didn't like the text in the `auth.config-lock` config setting.

Test Plan: Loaded the page, saw more reasonable-looking guidance: {F6369405}

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Maniphest Tasks: T7667

Differential Revision: https://secure.phabricator.com/D20400

resources/celerity/map.php

@@ -9,7 +9,7 @@ return array(
   'names' => array(
     'conpherence.pkg.css' => '3c8a0668',
     'conpherence.pkg.js' => '020aebcf',
-    'core.pkg.css' => '77c4f199',
+    'core.pkg.css' => '20f3fea5',
     'core.pkg.js' => '69247edd',
     'differential.pkg.css' => '8d8360fb',
     'differential.pkg.js' => '67e02996',
@@ -160,7 +160,7 @@ return array(
     'rsrc/css/phui/phui-icon-set-selector.css' => '7aa5f3ec',
     'rsrc/css/phui/phui-icon.css' => '4cbc684a',
     'rsrc/css/phui/phui-image-mask.css' => '62c7f4d2',
-    'rsrc/css/phui/phui-info-view.css' => '37b8d9ce',
+    'rsrc/css/phui/phui-info-view.css' => 'a10a909b',
     'rsrc/css/phui/phui-invisible-character-view.css' => 'c694c4a4',
     'rsrc/css/phui/phui-left-right.css' => '68513c34',
     'rsrc/css/phui/phui-lightbox.css' => '4ebf22da',
@@ -842,7 +842,7 @@ return array(
     'phui-icon-set-selector-css' => '7aa5f3ec',
     'phui-icon-view-css' => '4cbc684a',
     'phui-image-mask-css' => '62c7f4d2',
-    'phui-info-view-css' => '37b8d9ce',
+    'phui-info-view-css' => 'a10a909b',
     'phui-inline-comment-view-css' => '48acce5b',
     'phui-invisible-character-view-css' => 'c694c4a4',
     'phui-left-right-css' => '68513c34',

src/applications/auth/controller/config/PhabricatorAuthListController.php

@@ -13,6 +13,7 @@ final class PhabricatorAuthListController
     $list = new PHUIObjectItemListView();
     $can_manage = $this->hasApplicationCapability(
         AuthManageProvidersCapability::CAPABILITY);
+    $is_locked = PhabricatorEnv::getEnvConfig('auth.lock-config');
 
     foreach ($configs as $config) {
       $item = new PHUIObjectItemView();
@@ -69,7 +70,8 @@ final class PhabricatorAuthListController
     $crumbs->addTextCrumb(pht('Login and Registration'));
     $crumbs->setBorder(true);
 
-    $guidance_context = new PhabricatorAuthProvidersGuidanceContext();
+    $guidance_context = id(new PhabricatorAuthProvidersGuidanceContext())
+      ->setCanManage($can_manage);
 
     $guidance = id(new PhabricatorGuidanceEngine())
       ->setViewer($viewer)
@@ -81,7 +83,7 @@ final class PhabricatorAuthListController
       ->setButtonType(PHUIButtonView::BUTTONTYPE_SIMPLE)
       ->setHref($this->getApplicationURI('config/new/'))
       ->setIcon('fa-plus')
-      ->setDisabled(!$can_manage)
+      ->setDisabled(!$can_manage || $is_locked)
       ->setText(pht('Add Provider'));
 
     $list->setFlush(true);

src/applications/auth/guidance/PhabricatorAuthProvidersGuidanceContext.php

@@ -1,4 +1,17 @@
 <?php
 
 final class PhabricatorAuthProvidersGuidanceContext
-  extends PhabricatorGuidanceContext {}
+  extends PhabricatorGuidanceContext {
+
+  private $canManage = false;
+
+  public function setCanManage($can_manage) {
+    $this->canManage = $can_manage;
+    return $this;
+  }
+
+  public function getCanManage() {
+    return $this->canManage;
+  }
+
+}

src/applications/auth/guidance/PhabricatorAuthProvidersGuidanceEngineExtension.php

@@ -92,6 +92,25 @@ final class PhabricatorAuthProvidersGuidanceEngineExtension
         ->setMessage($message);
     }
 
+    $locked_config_key = 'auth.lock-config';
+    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
+    if ($is_locked) {
+      $message = pht(
+        'Authentication provider configuration is locked, and can not be '.
+        'changed without being unlocked. See the configuration setting %s '.
+        'for details.',
+        phutil_tag(
+          'a',
+          array(
+            'href' => '/config/edit/'.$locked_config_key,
+          ),
+          $locked_config_key));
+
+      $results[] = $this->newWarning('auth.locked-config')
+        ->setPriority(500)
+        ->setMessage($message);
+    }
+
     return $results;
   }
 

src/applications/config/option/PhabricatorAuthenticationConfigOptions.php

@@ -85,13 +85,13 @@ final class PhabricatorAuthenticationConfigOptions
             'configuration from the CLI before it can be edited.'))
         ->setDescription(
           pht(
-            'Normally, administrators configure authentication providers only '.
-            'once, immediately after instance creation. To further secure '.
-            'your instance, you can set this configuration option to `true`, '.
-            'which will require an adminstrator with CLI access to run '.
-            '`bin/auth unlock` to make any later changes to authentication '.
-            "provider configuration.\n\nAfter changing the config, you should ".
-            'run `bin/auth lock` again from the CLI.'))
+            'When set to `true`, the authentication provider configuration '.
+            'for this instance can not be modified without first running '.
+            '`bin/auth unlock` from the command line. This is to reduce '.
+            'the security impact of a compromised administrator account. '.
+            "\n\n".
+            'After running `bin/auth unlock` and making your changes to the '.
+            'authentication provider config, you should run `bin/auth lock`.'))
         ->setLocked(true),
       $this->newOption('account.editable', 'bool', true)
         ->setBoolOptions(

webroot/rsrc/css/phui/phui-info-view.css

@@ -74,8 +74,8 @@ h1.phui-info-view-head {
 }
 
 .phui-info-view-list {
-  margin: 0;
-  list-style: none;
+  margin-left: 30px;
+  list-style: disc;
   line-height: 1.6em;
 }