From 12341e4bc8b4a3d9ba15e51a217b9506df1bbbd7 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Tue, 16 Mar 2021 15:33:32 -0700
Subject: [PATCH] Forbid disabled devices from authenticating via SSH or HTTP

Summary: Ref T13641. Phabricator sometimes makes intracluster requests that authenticate as a device. Forbid these requests from authenticating as a disabled device.

Test Plan:
- Ran `bin/ssh-exec --phabricator-ssh-device ...` as an enabled/disabled device (worked; sensible error).
- Made Conduit calls as an enable/disabled device (worked; sensible error).

Maniphest Tasks: T13641

Differential Revision: https://secure.phabricator.com/D21635
---
 scripts/ssh/ssh-exec.php | 8 ++++++++
 .../controller/PhabricatorConduitAPIController.php | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/scripts/ssh/ssh-exec.php b/scripts/ssh/ssh-exec.php
index 4a46e7562d..c3a85b399c 100755
--- a/scripts/ssh/ssh-exec.php
+++ b/scripts/ssh/ssh-exec.php
@@ -146,6 +146,14 @@ try {
       $device_name));
   }
 
+  if ($device->isDisabled()) {
+    throw new Exception(
+      pht(
+        'This request has authenticated as a device ("%s"), but this '.
+        'device is disabled.',
+        $device->getName()));
+  }
+
   // We're authenticated as a device, but we're going to read the user out of
   // the command below.
   $is_cluster_request = true;
diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
index 9ca84fff3d..bc200e7078 100644
--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
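Review bot: The disabled check only runs after the device record has been resolved from the `--phabricator-ssh-device` name, so a disabled device's SSH key has already been accepted by whatever key lookup precedes this block (that lookup is outside the hunk); if the authorized-keys path does not also exclude disabled devices, rejecting there as well would stop the key from being honored at all rather than only at this stage. The new throw reuses the generic `Exception` plus `pht()` shape of the not-found branch just above it, which keeps the two failure paths consistent. A short why-comment would help the next reader, e.g. `// A valid device key is not enough: a disabled device must not act as a cluster member.` above the new `if`. The enclosing `try` block starts and ends outside the hunk.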
@@ -238,6 +238,16 @@ final class PhabricatorConduitAPIController
     if ($object instanceof PhabricatorUser) {
       $user = $object;
     } else {
+      if ($object->isDisabled()) {
+        return array(
+          'ERR-INVALID-AUTH',
+          pht(
+            'The key which signed this request is associated with a '.
+            'disabled device ("%s").',
+            $object->getName()),
+        );
+      }
+
       if (!$stored_key->getIsTrusted()) {
         return array(
           'ERR-INVALID-AUTH',
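Review bot: The new branch assumes every non-user key owner exposes `isDisabled()` and `getName()`; the surrounding `else` already treats `$object` as a device, so this presumably holds today, but an explicit `instanceof` guard on the device class (the key loader is outside the hunk, so this is inferred) would turn an unexpected owner type into a clean `ERR-INVALID-AUTH` instead of a fatal call on an undefined method. Placing the disabled check ahead of the `getIsTrusted()` check is the right order: a disabled device is refused even when its key is still marked trusted. Consider `// Non-user key owners are devices; a disabled device is refused before key trust is consulted.` above the new `if`. The enclosing method starts and ends outside the hunk.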