1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-09 16:32:39 +01:00

Forbid disabled devices from authenticating via SSH or HTTP

Summary:
Ref T13641. Phabricator sometimes makes intracluster requests that authenticate as a device.

Forbid these requests from authenticating as a disabled device.

Test Plan:
  - Ran `bin/ssh-exec --phabricator-ssh-device ...` as an enabled/disabled device (worked; sensible error).
  - Made Conduit calls as an enable/disabled device (worked; sensible error).

Maniphest Tasks: T13641

Differential Revision: https://secure.phabricator.com/D21635
This commit is contained in:
epriestley 2021-03-16 15:33:32 -07:00
parent 3267859aee
commit 12341e4bc8
2 changed files with 18 additions and 0 deletions

View file

@ -146,6 +146,14 @@ try {
$device_name));
}
if ($device->isDisabled()) {
throw new Exception(
pht(
'This request has authenticated as a device ("%s"), but this '.
'device is disabled.',
$device->getName()));
}
// We're authenticated as a device, but we're going to read the user out of
// the command below.
$is_cluster_request = true;

View file

@ -238,6 +238,16 @@ final class PhabricatorConduitAPIController
if ($object instanceof PhabricatorUser) {
$user = $object;
} else {
if ($object->isDisabled()) {
return array(
'ERR-INVALID-AUTH',
pht(
'The key which signed this request is associated with a '.
'disabled device ("%s").',
$object->getName()),
);
}
if (!$stored_key->getIsTrusted()) {
return array(
'ERR-INVALID-AUTH',