mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-22 05:20:56 +01:00
Forbid disabled devices from authenticating via SSH or HTTP
Summary: Ref T13641. Phabricator sometimes makes intracluster requests that authenticate as a device. Forbid these requests from authenticating as a disabled device. Test Plan: - Ran `bin/ssh-exec --phabricator-ssh-device ...` as an enabled/disabled device (worked; sensible error). - Made Conduit calls as an enable/disabled device (worked; sensible error). Maniphest Tasks: T13641 Differential Revision: https://secure.phabricator.com/D21635
This commit is contained in:
parent
3267859aee
commit
12341e4bc8
2 changed files with 18 additions and 0 deletions
|
@ -146,6 +146,14 @@ try {
|
|||
$device_name));
|
||||
}
|
||||
|
||||
if ($device->isDisabled()) {
|
||||
throw new Exception(
|
||||
pht(
|
||||
'This request has authenticated as a device ("%s"), but this '.
|
||||
'device is disabled.',
|
||||
$device->getName()));
|
||||
}
|
||||
|
||||
// We're authenticated as a device, but we're going to read the user out of
|
||||
// the command below.
|
||||
$is_cluster_request = true;
|
||||
|
|
|
@ -238,6 +238,16 @@ final class PhabricatorConduitAPIController
|
|||
if ($object instanceof PhabricatorUser) {
|
||||
$user = $object;
|
||||
} else {
|
||||
if ($object->isDisabled()) {
|
||||
return array(
|
||||
'ERR-INVALID-AUTH',
|
||||
pht(
|
||||
'The key which signed this request is associated with a '.
|
||||
'disabled device ("%s").',
|
||||
$object->getName()),
|
||||
);
|
||||
}
|
||||
|
||||
if (!$stored_key->getIsTrusted()) {
|
||||
return array(
|
||||
'ERR-INVALID-AUTH',
|
||||
|
|
Loading…
Reference in a new issue