Provide a more straightforward way to revoke SSH keys by finding and destroying the objects

Summary: Ref T9967 Test Plan: Ran migrations. Verified database populated properly with PHIDs (SELECT * FROM auth_sshkey;). Ran auth.querypublickeys conduit method to see phids show up Ran bin/remove destroy <phid>. Viewed the test key was gone. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: Korvin Maniphest Tasks: T9967 Differential Revision: https://secure.phabricator.com/D14823
2024-12-18 03:20:59 +01:00 · 2015-12-19 11:48:24 -08:00 · 2015-12-19 11:48:24 -08:00 · 8eec9e2c0e
commit 8eec9e2c0e
parent aeae0e7028
7 changed files with 111 additions and 22 deletions
--- a/resources/sql/autopatches/20151218.key.1.keyphid.sql
+++ b/resources/sql/autopatches/20151218.key.1.keyphid.sql
@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_auth.auth_sshkey
+  ADD phid VARBINARY(64) NOT NULL AFTER id;
--- a/resources/sql/autopatches/20151218.key.2.keyphid.php
+++ b/resources/sql/autopatches/20151218.key.2.keyphid.php
@ -0,0 +1,17 @@
+<?php
+
+$table = new PhabricatorAuthSSHKey();
+$conn_w = $table->establishConnection('w');
+
+foreach (new LiskMigrationIterator($table) as $cursor) {
+  if (strlen($cursor->getPHID())) {
+    continue;
+  }
+
+  queryfx(
+    $conn_w,
+    'UPDATE %T SET phid = %s WHERE id = %d',
+    $table->getTableName(),
+    $table->generatePHID(),
+    $cursor->getID());
+}
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -1684,6 +1684,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthApplication' => 'applications/auth/application/PhabricatorAuthApplication.php',
    'PhabricatorAuthAuthFactorPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthFactorPHIDType.php',
    'PhabricatorAuthAuthProviderPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthProviderPHIDType.php',
+    'PhabricatorAuthSSHKeyPHIDType' => 'applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php',
    'PhabricatorAuthConduitAPIMethod' => 'applications/auth/conduit/PhabricatorAuthConduitAPIMethod.php',
    'PhabricatorAuthConfirmLinkController' => 'applications/auth/controller/PhabricatorAuthConfirmLinkController.php',
    'PhabricatorAuthController' => 'applications/auth/controller/PhabricatorAuthController.php',
@ -5833,6 +5834,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthSSHKey' => array(
      'PhabricatorAuthDAO',
      'PhabricatorPolicyInterface',
+      'PhabricatorDestructibleInterface',
    ),
    'PhabricatorAuthSSHKeyController' => 'PhabricatorAuthController',
    'PhabricatorAuthSSHKeyDeleteController' => 'PhabricatorAuthSSHKeyController',
@ -5840,6 +5842,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthSSHKeyGenerateController' => 'PhabricatorAuthSSHKeyController',
    'PhabricatorAuthSSHKeyQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
    'PhabricatorAuthSSHKeyTableView' => 'AphrontView',
+    'PhabricatorAuthSSHKeyPHIDType' => 'PhabricatorPHIDType',
    'PhabricatorAuthSSHPublicKey' => 'Phobject',
    'PhabricatorAuthSession' => array(
      'PhabricatorAuthDAO',
--- a/src/applications/auth/conduit/PhabricatorAuthQueryPublicKeysConduitAPIMethod.php
+++ b/src/applications/auth/conduit/PhabricatorAuthQueryPublicKeysConduitAPIMethod.php
@ -14,6 +14,7 @@ final class PhabricatorAuthQueryPublicKeysConduitAPIMethod
  protected function defineParamTypes() {
    return array(
      'ids' => 'optional list<id>',
+      'phids' => 'optional list<phid>',
      'objectPHIDs' => 'optional list<phid>',
      'keys' => 'optional list<string>',
    ) + self::getPagerParamTypes();
@ -34,6 +35,11 @@ final class PhabricatorAuthQueryPublicKeysConduitAPIMethod
      $query->withIDs($ids);
    }

+    $phids = $request->getValue('phids');
+    if ($phids !== null) {
+      $query->withPHIDs($phids);
+    }
+
    $object_phids = $request->getValue('objectPHIDs');
    if ($object_phids !== null) {
      $query->withObjectPHIDs($object_phids);
@ -57,6 +63,7 @@ final class PhabricatorAuthQueryPublicKeysConduitAPIMethod
      $data[] = array(
        'id' => $public_key->getID(),
        'name' => $public_key->getName(),
+        'phid' => $public_key->getPHID(),
        'objectPHID' => $public_key->getObjectPHID(),
        'isTrusted' => (bool)$public_key->getIsTrusted(),
        'key' => $public_key->getEntireKey(),
--- a/src/applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php
+++ b/src/applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php
@ -0,0 +1,38 @@
+<?php
+
+final class PhabricatorAuthSSHKeyPHIDType
+  extends PhabricatorPHIDType {
+
+  const TYPECONST = 'AKEY';
+
+  public function getTypeName() {
+    return pht('Public SSH Key');
+  }
+
+  public function newObject() {
+    return new PhabricatorAuthSSHKey();
+  }
+
+  public function getPHIDTypeApplicationClass() {
+    return 'PhabricatorAuthApplication';
+  }
+
+  protected function buildQueryForObjects(
+    PhabricatorObjectQuery $query,
+    array $phids) {
+
+    return id(new PhabricatorAuthSSHKeyQuery())
+      ->withPHIDs($phids);
+  }
+
+  public function loadHandles(
+    PhabricatorHandleQuery $query,
+    array $handles,
+    array $objects) {
+    foreach ($handles as $phid => $handle) {
+      $key = $objects[$phid];
+      $handle->setName(pht('SSH Key %d', $key->getID()));
+    }
+  }
+
+}
--- a/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
+++ b/src/applications/auth/query/PhabricatorAuthSSHKeyQuery.php
@ -4,6 +4,7 @@ final class PhabricatorAuthSSHKeyQuery
  extends PhabricatorCursorPagedPolicyAwareQuery {

  private $ids;
+  private $phids;
  private $objectPHIDs;
  private $keys;

@ -12,6 +13,11 @@ final class PhabricatorAuthSSHKeyQuery
    return $this;
  }

+  public function withPHIDs(array $phids) {
+    $this->phids = $phids;
+    return $this;
+  }
+
  public function withObjectPHIDs(array $object_phids) {
    $this->objectPHIDs = $object_phids;
    return $this;
@ -23,19 +29,12 @@ final class PhabricatorAuthSSHKeyQuery
    return $this;
  }

+  public function newResultObject() {
+    return new PhabricatorAuthSSHKey();
+  }
+
  protected function loadPage() {
-    $table = new PhabricatorAuthSSHKey();
-    $conn_r = $table->establishConnection('r');
-
-    $data = queryfx_all(
-      $conn_r,
-      'SELECT * FROM %T %Q %Q %Q',
-      $table->getTableName(),
-      $this->buildWhereClause($conn_r),
-      $this->buildOrderClause($conn_r),
-      $this->buildLimitClause($conn_r));
-
-    return $table->loadAllFromArray($data);
+    return $this->loadStandardPage($this->newResultObject());
  }

  protected function willFilterPage(array $keys) {
@ -54,6 +53,7 @@ final class PhabricatorAuthSSHKeyQuery
      // We must have an object, and that object must be a valid object for
      // SSH keys.
      if (!$object || !($object instanceof PhabricatorSSHPublicKeyInterface)) {
+        $this->didRejectResult($ssh_key);
        unset($keys[$key]);
        continue;
      }
@ -64,19 +64,26 @@ final class PhabricatorAuthSSHKeyQuery
    return $keys;
  }

-  protected function buildWhereClause(AphrontDatabaseConnection $conn_r) {
-    $where = array();
+  protected function buildWhereClauseParts(AphrontDatabaseConnection $conn) {
+    $where = parent::buildWhereClauseParts($conn);

    if ($this->ids !== null) {
      $where[] = qsprintf(
-        $conn_r,
+        $conn,
        'id IN (%Ld)',
        $this->ids);
    }

+    if ($this->phids !== null) {
+      $where[] = qsprintf(
+        $conn,
+        'phid IN (%Ls)',
+        $this->phids);
+    }
+
    if ($this->objectPHIDs !== null) {
      $where[] = qsprintf(
-        $conn_r,
+        $conn,
        'objectPHID IN (%Ls)',
        $this->objectPHIDs);
    }
@ -85,7 +92,7 @@ final class PhabricatorAuthSSHKeyQuery
      $sql = array();
      foreach ($this->keys as $key) {
        $sql[] = qsprintf(
-          $conn_r,
+          $conn,
          '(keyType = %s AND keyIndex = %s)',
          $key->getType(),
          $key->getHash());
@ -93,9 +100,8 @@ final class PhabricatorAuthSSHKeyQuery
      $where[] = implode(' OR ', $sql);
    }

-    $where[] = $this->buildPagingClause($conn_r);
+    return $where;

-    return $this->formatWhereClause($where);
  }

  public function getQueryApplicationClass() {
--- a/src/applications/auth/storage/PhabricatorAuthSSHKey.php
+++ b/src/applications/auth/storage/PhabricatorAuthSSHKey.php
@ -2,7 +2,9 @@

 final class PhabricatorAuthSSHKey
  extends PhabricatorAuthDAO
-  implements PhabricatorPolicyInterface {
+  implements
+    PhabricatorPolicyInterface,
+    PhabricatorDestructibleInterface {

  protected $objectPHID;
  protected $name;
@ -16,6 +18,7 @@ final class PhabricatorAuthSSHKey

  protected function getConfiguration() {
    return array(
+      self::CONFIG_AUX_PHID => true,
      self::CONFIG_COLUMN_SCHEMA => array(
        'name' => 'text255',
        'keyType' => 'text255',
@ -63,8 +66,10 @@ final class PhabricatorAuthSSHKey
    return $this;
  }

-
-
+  public function generatePHID() {
+    return PhabricatorPHID::generateNewPHID(
+      PhabricatorAuthSSHKeyPHIDType::TYPECONST);
+  }

 /* -(  PhabricatorPolicyInterface  )----------------------------------------- */

@ -89,4 +94,15 @@ final class PhabricatorAuthSSHKey
      'SSH keys inherit the policies of the user or object they authenticate.');
  }

+/* -(  PhabricatorDestructibleInterface  )----------------------------------- */
+
+
+  public function destroyObjectPermanently(
+    PhabricatorDestructionEngine $engine) {
+
+    $this->openTransaction();
+    $this->delete();
+    $this->saveTransaction();
+  }
+
 }