mirror of https://we.phorge.it/source/phorge.git synced 2024-11-29 18:22:41 +01:00

Add a garbage collector for MFA challenges

Summary:
Depends on D19886. Ref T13222. Clean up MFA challenges after they expire.

(There's maybe some argument to keeping these around for a little while for debugging/forensics, but I suspect it would never actually be valuable and figure we can cross that bridge if we come to it.)

Test Plan:
  - Ran `bin/garbage collect --collector ...` and saw old MFA challenges collected.
  - Triggered a new challenge, GC'd again, saw it survive GC while still active.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19888
epriestley 2018-12-14 05:26:51 -08:00
parent b8cbfda07c
commit 5e94343c7d
3 changed files with 33 additions and 0 deletions


@ -2188,6 +2188,7 @@ phutil_register_library_map(array(
'PhabricatorAuthAuthFactorPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthFactorPHIDType.php', 'PhabricatorAuthAuthFactorPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthFactorPHIDType.php',
'PhabricatorAuthAuthProviderPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthProviderPHIDType.php', 'PhabricatorAuthAuthProviderPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthProviderPHIDType.php',
'PhabricatorAuthChallenge' => 'applications/auth/storage/PhabricatorAuthChallenge.php', 'PhabricatorAuthChallenge' => 'applications/auth/storage/PhabricatorAuthChallenge.php',
'PhabricatorAuthChallengeGarbageCollector' => 'applications/auth/garbagecollector/PhabricatorAuthChallengeGarbageCollector.php',
'PhabricatorAuthChallengePHIDType' => 'applications/auth/phid/PhabricatorAuthChallengePHIDType.php', 'PhabricatorAuthChallengePHIDType' => 'applications/auth/phid/PhabricatorAuthChallengePHIDType.php',
'PhabricatorAuthChallengeQuery' => 'applications/auth/query/PhabricatorAuthChallengeQuery.php', 'PhabricatorAuthChallengeQuery' => 'applications/auth/query/PhabricatorAuthChallengeQuery.php',
'PhabricatorAuthChangePasswordAction' => 'applications/auth/action/PhabricatorAuthChangePasswordAction.php', 'PhabricatorAuthChangePasswordAction' => 'applications/auth/action/PhabricatorAuthChangePasswordAction.php',
@ -7830,6 +7831,7 @@ phutil_register_library_map(array(
'PhabricatorAuthDAO', 'PhabricatorAuthDAO',
'PhabricatorPolicyInterface', 'PhabricatorPolicyInterface',
), ),
'PhabricatorAuthChallengeGarbageCollector' => 'PhabricatorGarbageCollector',
'PhabricatorAuthChallengePHIDType' => 'PhabricatorPHIDType', 'PhabricatorAuthChallengePHIDType' => 'PhabricatorPHIDType',
'PhabricatorAuthChallengeQuery' => 'PhabricatorCursorPagedPolicyAwareQuery', 'PhabricatorAuthChallengeQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
'PhabricatorAuthChangePasswordAction' => 'PhabricatorSystemAction', 'PhabricatorAuthChangePasswordAction' => 'PhabricatorSystemAction',


@ -0,0 +1,28 @@
<?php
final class PhabricatorAuthChallengeGarbageCollector
extends PhabricatorGarbageCollector {
const COLLECTORCONST = 'auth.challenges';
public function getCollectorName() {
return pht('Authentication Challenges');
}
public function hasAutomaticPolicy() {
return true;
}
protected function collectGarbage() {
$challenge_table = new PhabricatorAuthChallenge();
$conn = $challenge_table->establishConnection('w');
queryfx(
$conn,
'DELETE FROM %R WHERE challengeTTL < UNIX_TIMESTAMP() LIMIT 100',
$challenge_table);
return ($conn->getAffectedRows() == 100);
}
}
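Review bot: The `DELETE` in `collectGarbage()` compares `challengeTTL` against the database server's `UNIX_TIMESTAMP()`, while the TTL is presumably written from the application host's clock (the write path is not shown on this page), so clock skew between the two could remove a challenge the application still treats as active. Since these rows hold MFA state, it would be safer to bind the application's own time, e.g. `'DELETE FROM %R WHERE challengeTTL < %d LIMIT 100'` with `PhabricatorTime::getNow()` as the extra argument, or to subtract a small grace period from the cutoff. The literal `100` also appears both in the query and in the `getAffectedRows() == 100` comparison; one local variable bound as `LIMIT %d` would keep the two from drifting apart. A one-line comment on `hasAutomaticPolicy()` saying that retention is fixed by each row's own TTL rather than by a configurable window would help operators who want to keep expired challenges for audit purposes.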


@ -25,6 +25,9 @@ final class PhabricatorAuthChallenge
'key_issued' => array( 'key_issued' => array(
'columns' => array('userPHID', 'challengeTTL'), 'columns' => array('userPHID', 'challengeTTL'),
), ),
'key_collection' => array(
'columns' => array('challengeTTL'),
),
), ),
) + parent::getConfiguration(); ) + parent::getConfiguration();
} }