1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-22 14:52:41 +01:00

Provide contextual help on auth provider configuration

Summary:
Ref T1536.

  - Move all the provider-specific help into contextual help in Auth.
  - This provides help much more contextually, and we can just tell the user the right values to use to configure things.
  - Rewrite account/registration help to reflect the newer state of the word.
  - Also clean up a few other loose ends.

Test Plan: {F46937}

Reviewers: chad, btrahan

Reviewed By: chad

CC: aran

Maniphest Tasks: T1536

Differential Revision: https://secure.phabricator.com/D6247
This commit is contained in:
epriestley 2013-06-20 11:18:48 -07:00
parent 3b9ccf11f2
commit 1834584e98
18 changed files with 167 additions and 158 deletions

View file

@ -553,11 +553,6 @@ return array(
// -- Auth ------------------------------------------------------------------ //
// Can users login with a username/password, or by following the link from
// a password reset email? You can disable this and configure one or more
// OAuth providers instead.
'auth.password-auth-enabled' => true,
// Maximum number of simultaneous web sessions each user is permitted to have.
// Setting this to "1" will prevent a user from logging in on more than one
// browser at the same time.
@ -1032,10 +1027,6 @@ return array(
'aphront.default-application-configuration-class' =>
'AphrontDefaultApplicationConfiguration',
'controller.oauth-registration' =>
'PhabricatorOAuthDefaultRegistrationController',
// Directory that phd (the Phabricator daemon control script) should use to
// track running daemons.
'phd.pid-directory' => '/var/tmp/phd/pid',

View file

@ -14,6 +14,18 @@ final class PhabricatorApplicationAuth extends PhabricatorApplication {
return 'authentication';
}
public function getHelpURI() {
// NOTE: Although reasonable help exists for this in "Configuring Accounts
// and Registration", specifying a help URI here means we get the menu
// item in all the login/link interfaces, which is confusing and not
// helpful.
// TODO: Special case this, or split the auth and auth administration
// applications?
return null;
}
public function buildMainMenuItems(
PhabricatorUser $user,
PhabricatorController $controller = null) {

View file

@ -10,7 +10,7 @@ final class PhabricatorEmailLoginController
public function processRequest() {
$request = $this->getRequest();
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
return new Aphront400Response();
}

View file

@ -74,7 +74,7 @@ final class PhabricatorEmailTokenController
unset($unguarded);
$next = '/';
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
$next = '/settings/panel/external/';
} else if (PhabricatorEnv::getEnvConfig('account.editable')) {
$next = (string)id(new PhutilURI('/settings/panel/password/'))

View file

@ -224,6 +224,12 @@ final class PhabricatorAuthEditController
->addCancelButton($cancel_uri)
->setValue($button));
$help = $provider->getConfigurationHelp();
if ($help) {
$form->appendChild(id(new PHUIFormDividerControl()));
$form->appendRemarkupInstructions($help);
}
$crumbs = $this->buildApplicationCrumbs();
$crumbs->addCrumb(
id(new PhabricatorCrumbView())

View file

@ -21,6 +21,10 @@ abstract class PhabricatorAuthProvider {
return $this->providerConfig;
}
public function getConfigurationHelp() {
return null;
}
public function getDefaultProviderConfig() {
return id(new PhabricatorAuthProviderConfig())
->setProviderClass(get_class($this))

View file

@ -7,6 +7,24 @@ final class PhabricatorAuthProviderOAuthDisqus
return pht('Disqus');
}
public function getConfigurationHelp() {
$login_uri = $this->getLoginURI();
return pht(
"To configure Disqus OAuth, create a new application here:".
"\n\n".
"http://disqus.com/api/applications/".
"\n\n".
"Create an application, then adjust these settings:".
"\n\n".
" - **Callback URL:** Set this to `%s`".
"\n\n".
"After creating an application, copy the **Public Key** and ".
"**Secret Key** to the fields above (the **Public Key** goes in ".
"**OAuth App ID**).",
$login_uri);
}
protected function newOAuthAdapter() {
return new PhutilAuthAdapterOAuthDisqus();
}

View file

@ -9,6 +9,25 @@ final class PhabricatorAuthProviderOAuthFacebook
return pht('Facebook');
}
public function getConfigurationHelp() {
$uri = new PhutilURI(PhabricatorEnv::getProductionURI('/'));
return pht(
'To configure Facebook OAuth, create a new Facebook Application here:'.
"\n\n".
'https://developers.facebook.com/apps'.
"\n\n".
'You should use these settings in your application:'.
"\n\n".
" - **Site URL**: Set this to your full domain with protocol. For ".
" this Phabricator install, the correct value is: `%s`\n".
" - **Site Domain**: Set this to the full domain without a protocol. ".
" For this Phabricator install, the correct value is: `%s`\n\n".
"After creating your new application, copy the **App ID** and ".
"**App Secret** to the fields above.",
(string)$uri,
$uri->getDomain());
}
public function getDefaultProviderConfig() {
return parent::getDefaultProviderConfig()
->setProperty(self::KEY_REQUIRE_SECURE, 1);

View file

@ -7,6 +7,27 @@ final class PhabricatorAuthProviderOAuthGitHub
return pht('GitHub');
}
public function getConfigurationHelp() {
$uri = PhabricatorEnv::getProductionURI('/');
$callback_uri = $this->getLoginURI();
return pht(
"To configure GitHub OAuth, create a new GitHub Application here:".
"\n\n".
"https://github.com/settings/applications/new".
"\n\n".
"You should use these settings in your application:".
"\n\n".
" - **URL:** Set this to your full domain with protocol. For this ".
" Phabricator install, the correct value is: `%s`\n".
" - **Callback URL**: Set this to: `%s`\n".
"\n\n".
"Once you've created an application, copy the **Client ID** and ".
"**Client Secret** into the fields above.",
$uri,
$callback_uri);
}
protected function newOAuthAdapter() {
return new PhutilAuthAdapterOAuthGitHub();
}

View file

@ -7,6 +7,27 @@ final class PhabricatorAuthProviderOAuthGoogle
return pht('Google');
}
public function getConfigurationHelp() {
$login_uri = $this->getLoginURI();
return pht(
"To configure Google OAuth, create a new 'API Project' here:".
"\n\n".
"https://code.google.com/apis/console/".
"\n\n".
"You don't need to enable any Services, just go to **API Access**, ".
"click **Create an OAuth 2.0 client ID...**, and configure these ".
"settings:".
"\n\n".
" - During initial setup click **More Options** (or after creating ".
" the client ID, click **Edit Settings...**), then add this to ".
" **Authorized Redirect URIs**: `%s`\n".
"\n\n".
"After completing configuration, copy the **Client ID** and ".
"**Client Secret** to the fields above.",
$login_uri);
}
protected function newOAuthAdapter() {
return new PhutilAuthAdapterOAuthGoogle();
}

View file

@ -9,6 +9,12 @@ final class PhabricatorAuthProviderPassword
return pht('Username/Password');
}
public function getConfigurationHelp() {
return pht(
'You can select a minimum password length by setting '.
'`account.minimum-password-length` in configuration.');
}
public function getDescriptionForCreate() {
return pht(
'Allow users to login or register using a username and password.');
@ -227,4 +233,16 @@ final class PhabricatorAuthProviderPassword
$account->setAccountID($account->getUserPHID());
}
public static function getPasswordProvider() {
$providers = self::getAllEnabledProviders();
foreach ($providers as $provider) {
if ($provider instanceof PhabricatorAuthProviderPassword) {
return $provider;
}
}
return null;
}
}

View file

@ -101,7 +101,7 @@ abstract class PhabricatorController extends AphrontController {
if ($this->shouldRequireLogin() && !$user->getPHID()) {
$login_controller = new PhabricatorAuthStartController($request);
$login_controller->setCurrentApplication(
$this->setCurrentApplication(
PhabricatorApplication::getByClass('PhabricatorApplicationAuth'));
return $this->delegateToController($login_controller);
}

View file

@ -13,19 +13,6 @@ final class PhabricatorAuthenticationConfigOptions
public function getOptions() {
return array(
$this->newOption(
'auth.password-auth-enabled', 'bool', true)
->setBoolOptions(
array(
pht("Allow password authentication"),
pht("Don't allow password authentication")
))
->setSummary(pht("Enables password-based authentication."))
->setDescription(
pht(
"Can users login with a username/password, or by following the ".
"link from a password reset email? You can disable this and ".
"configure one or more OAuth providers instead.")),
$this->newOption('auth.sessions.web', 'int', 5)
->setSummary(
pht("Number of web sessions a user can have simultaneously."))

View file

@ -47,12 +47,6 @@ final class PhabricatorExtendingPhabricatorConfigOptions
->setBaseClass('AphrontApplicationConfiguration')
// TODO: This could probably use some better documentation.
->setDescription(pht("Application configuration class.")),
$this->newOption(
'controller.oauth-registration',
'class',
'PhabricatorOAuthDefaultRegistrationController')
->setBaseClass('PhabricatorOAuthRegistrationController')
->setDescription(pht("OAuth registration controller.")),
);
}

View file

@ -612,7 +612,7 @@ EOBODY;
$new_username = $this->getUserName();
$password_instructions = null;
if (PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
if (PhabricatorAuthProviderPassword::getPasswordProvider()) {
$uri = $this->getEmailLoginURI();
$password_instructions = <<<EOTXT
If you use a password to login, you'll need to reset it before you can login

View file

@ -25,7 +25,7 @@ final class PhabricatorSettingsPanelPassword
// ...or this install doesn't support password authentication at all.
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
return false;
}

View file

@ -150,8 +150,11 @@ Now, navigate to whichever subdomain you set up. You should see instructions to
continue setup. The rest of this document contains additional instructions for
specific setup steps.
When you see the login screen, continue with @{article:Configuring Accounts and
Registration}.
When you resolve any issues and see the welcome screen, enter credentials to
create your initial administrator account. After you log in, you'll want to
configure how other users will be able to log in or register -- until you do,
no one else will be able to sign up or log in. For more information, see
@{article:Configuring Accounts and Registration}.
= Storage: Configuring MySQL =

View file

@ -5,32 +5,41 @@ Describes how to configure user access to Phabricator.
= Overview =
Phabricator supports a number of login systems, like traditional
username/password, Facebook OAuth, GitHub OAuth, and Google OAuth. You can
enable or disable these systems to configure who can register for and access
your install, and how users with existing accounts can login.
Phabricator supports a number of login systems. You can enable or disable these
systems to configure who can register for and access your install, and how users
with existing accounts can login.
By default, only username/password auth is enabled, and there are no valid
accounts. Start by creating a new account with the
##phabricator/bin/accountadmin## script.
Methods of logging in are called **Authentication Providers**. For example,
there is a "Username/Password" authentication provider available, which allows
users to log in with a traditional username and password. Other providers
support logging in with other credentials. For example:
= Using accountadmin =
- **Username/Password:** Users use a username and password to log in or
register.
- **LDAP:** Users use LDAP credentials to log in or register.
- **OAuth:** Users use accounts on a supported OAuth2 provider (like
GitHub, Facebook, or Google) to log in or register.
- **Other Providers:** More providers are available, and Phabricator
can be extended with custom providers. See the "Auth" application for
a list of available providers.
##accountadmin## is a user-friendly command line interface for creating and
editing accounts. To use ##accountadmin##, just run the script:
By default, no providers are enabled. You must use the "Auth" application to
add one or more providers after you complete the installation process.
$ ./phabricator/bin/accountadmin
Enter a username to create a new account or edit an existing account.
After you add a provider, you can link it to existing accounts (for example,
associate an existing Phabricator account with a GitHub OAuth account) or users
can use it to register new accounts (assuming you enable these options).
Enter a username:
= Recovering Administrator Accounts =
This will walk you through the process of creating an initial user account.
Once you've created an account, you can login with it and use the web console
to create and manage accounts more easily (provided you make your first account
an administrator).
If you accidentally lock yourself out of Phabricator, you can use the `bin/auth`
script to recover access to an administrator account. To recover access, run:
You can use this script later to create or edit accounts if you, for example,
accidentally remove your admin flag.
phabricator/ $ ./bin/auth recover <username>
...where `<username>` is the admin account username you want to recover access
to. This will give you a link which will log you in as the specified
administrative user.
= Managing Accounts with the Web Console =
@ -38,114 +47,20 @@ To manage accounts from the web, login as an administrator account and go to
##/people/## or click "People" on the homepage. Provided you're an admin,
you'll see options to create or edit accounts.
= Managing Accounts from the Command Line =
= Manually Creating New Accounts =
You can use ##scripts/user/add_user.php## to batch create accounts. Run it
like:
There are two ways to manually create new accounts: via the web UI using
the "People" application (this is easiest), or via the CLI using the
`accountadmin` binary (this has a few more options).
$ ./add_user.php <username> <email> <realname> <admin>
To use the CLI script, run:
For example:
phabricator/ $ ./bin/accountadmin
$ ./add_user.php alincoln alincoln@logcabin.com 'Abraham Lincoln' tjefferson
This will create a new ##alincoln## user and send them a "Welcome to
Phabricator" email from ##tjefferson## with instructions on how to log in and
set a password.
= Configuring Facebook OAuth =
You can configure Facebook OAuth to allow login, login and registration, or
nothing (the default). If registration is not allowed, users must have an
existing account in order to link a Facebook account to it, but can use
Facebook to login once the accounts are linked.
To configure Facebook OAuth, create a new Facebook Application:
https://developers.facebook.com/apps
You should set these things in your application:
- **Site URL**: Set this to your full domain with protocol, like
"##https://phabricator.example.com/##".
- **Site Domain**: Set this to the entire domain, like ##example.com##. You
might be able to get away with including the subdomain if you want to
scope more tightly.
Once that is set up, edit your Phabricator configuration and set these keys:
- **facebook.auth-enabled**: set this to ##true##.
- **facebook.application-id**: set to your Facebook application's ID. Make
sure you set this as a string.
- **facebook.application-secret**: set to your Facebook application's
secret key.
- **facebook.registration-enabled**: set this to ##true## to let users
register for your install with a Facebook account (this is a very open
setting) or ##false## to prevent users from registering with Facebook.
- **facebook.auth-permanent**: you can set this to prevent account unlinking.
It is unlikely you want to prevent it, but Facebook's internal install uses
this option since Facebook uses Facebook as its only auth mechanism.
= Configuring GitHub OAuth =
You can configure GitHub OAuth to allow login, login and registration, or
nothing (the default).
To configure GitHub OAuth, create a new GitHub Application:
https://github.com/settings/applications/new
You should set these things in your application:
- **URL**: Set this to the full domain with protocol, like
"##https://phabricator.example.com/##".
- **Callback URL**: Set this to your domain plus "##/oauth/github/login/##",
like "##https://phabricator.example.com/oauth/github/login/##".
Once you've created an application, edit your Phabricator configuration and
set these keys:
- **github.auth-enabled**: set this to ##true##.
- **github.application-id**: set this to your application/client ID.
- **github.application-secret**: set this to your application secret.
- **github.registration-enabled**: set to ##true## to let users register with
just GitHub credentials (this is a very open setting) or ##false## to
prevent users from registering. If set to ##false##, users may still link
existing accounts and use GitHub to login, they just can't create new
accounts.
- **github.auth-permanent**: set to ##true## to prevent unlinking Phabricator
accounts from GitHub accounts.
= Configuring Google OAuth =
You can configure Google OAuth to allow login, login and registration, or
nothing (the default).
To configure Google OAuth, create a new Google "API Project":
https://code.google.com/apis/console/
You don't need to enable any **Services**, just go to **API Access**, click
**"Create an OAuth 2.0 client ID..."**, and configure these settings:
- Click **More Options** next to **Authorized Redirect APIs** and add the
full domain (with protocol) plus ##/oauth/google/login/## to the list.
For example, ##https://phabricator.example.com/oauth/google/login/##
- Click **Create Client ID**.
Once you've created a client ID, edit your Phabricator configuration and set
these keys:
- **google.auth-enabled**: set this to ##true##.
- **google.application-id**: set this to your Client ID (from above).
- **google.application-secret**: set this to your Client Secret (from above).
- **google.registration-enabled**: set this to ##true## to let users register
with just Google credentials (this is a very open setting) or ##false## to
prevent users from registering. If set to ##false##, users may still link
existing accounts and use Google to login, they jus can't create new
accounts.
- **google.auth-permanent**: set this to ##true## to prevent unlinking
Phabricator accounts from Google accounts.
Some options (like setting passwords and changing certain account flags) are
only available from the CLI. You can also use this script to make a user
an administrator (if you accidentally remove your admin flag) or create an
administrative account.
= Next Steps =