Forbid disabled devices from authenticating via SSH or HTTP
Summary: Ref T13641. Phabricator sometimes makes intracluster requests that authenticate as a device. Forbid these requests from authenticating as a disabled device. Test Plan: - Ran `bin/ssh-exec --phabricator-ssh-device ...` as an enabled/disabled device (worked; sensible error). - Made Conduit calls as an enabled/disabled device (worked; sensible error). Maniphest Tasks: T13641 Differential Revision: https://secure.phabricator.com/D21635
parent
3267859aee
commit
12341e4bc8
2 changed files with 18 additions and 0 deletions
|
@ -146,6 +146,14 @@ try {
|
||||||
$device_name));
|
$device_name));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($device->isDisabled()) {
|
||||||
|
throw new Exception(
|
||||||
|
pht(
|
||||||
|
'This request has authenticated as a device ("%s"), but this '.
|
||||||
|
'device is disabled.',
|
||||||
|
$device->getName()));
|
||||||
|
}
|
||||||
|
|
||||||
// We're authenticated as a device, but we're going to read the user out of
|
// We're authenticated as a device, but we're going to read the user out of
|
||||||
// the command below.
|
// the command below.
|
||||||
$is_cluster_request = true;
|
$is_cluster_request = true;
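Review bot: The added `if ($device->isDisabled())` guard has no comment explaining why a disabled device is refused at this point, although the block right after it is commented. A line such as `// Disabled devices must not authenticate, even if a key for them is still in place.` above the guard would record the intent. The enclosing `try` opens before the hunk and its `catch` is not visible here, so it is worth confirming that the thrown message also ends up somewhere an operator will see it, since an authentication attempt by a disabled device is a useful signal.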
|
||||||
|
|
|
@ -238,6 +238,16 @@ final class PhabricatorConduitAPIController
|
||||||
if ($object instanceof PhabricatorUser) {
|
if ($object instanceof PhabricatorUser) {
|
||||||
$user = $object;
|
$user = $object;
|
||||||
} else {
|
} else {
|
||||||
|
if ($object->isDisabled()) {
|
||||||
|
return array(
|
||||||
|
'ERR-INVALID-AUTH',
|
||||||
|
pht(
|
||||||
|
'The key which signed this request is associated with a '.
|
||||||
|
'disabled device ("%s").',
|
||||||
|
$object->getName()),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
if (!$stored_key->getIsTrusted()) {
|
if (!$stored_key->getIsTrusted()) {
|
||||||
return array(
|
return array(
|
||||||
'ERR-INVALID-AUTH',
|
'ERR-INVALID-AUTH',
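Review bot: In the `else` branch, `$object->isDisabled()` is called on whatever owns the signing key as long as it is not a `PhabricatorUser`, so the code assumes every non-user key owner is a device that implements that method. If any other owner type can reach this branch (not determinable from the hunk), the call would end in a fatal error rather than an `ERR-INVALID-AUTH` response. An explicit guard that fails closed, for example `if (!($object instanceof AlmanacDevice)) {` returning the same `ERR-INVALID-AUTH` tuple before the disabled check, would make the assumption visible. The enclosing method starts before and continues past the hunk.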
|
||||||
|
|