Correct a possible fatal in the non-CSRF Duo MFA workflow

Summary: Ref T13259. If we miss the separate CSRF step in Duo and proceed directly to prompting, we may fail to build a response which turns into a real control and fatal on `null->setLabel()`. Instead, let MFA providers customize their "bare prompt dialog" response, then make Duo use the same "you have an outstanding request" response for the CSRF and no-CSRF workflows. Test Plan: Hit Duo auth on a non-CSRF workflow (e.g., edit an MFA provider with Duo enabled). Previously: `setLabel()` fatal. After patch: smooth sailing. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13259 Differential Revision: https://secure.phabricator.com/D20234
2024-11-22 14:52:41 +01:00 · 2019-02-28 19:13:53 -08:00 · 2019-02-28 19:13:53 -08:00 · 920ab13cfb
commit 920ab13cfb
parent d192d04586
3 changed files with 55 additions and 1 deletions
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@ -714,7 +714,14 @@ final class PhabricatorAuthSessionEngine extends Phobject {
      if (isset($validation_results[$factor_phid])) {
        continue;
      }
-      $validation_results[$factor_phid] = new PhabricatorAuthFactorResult();
+
+      $issued_challenges = idx($challenge_map, $factor_phid, array());
+
+      $validation_results[$factor_phid] = $impl->getResultForPrompt(
+        $factor,
+        $viewer,
+        $request,
+        $issued_challenges);
    }

    throw id(new PhabricatorAuthHighSecurityRequiredException())
--- a/src/applications/auth/factor/PhabricatorAuthFactor.php
+++ b/src/applications/auth/factor/PhabricatorAuthFactor.php
@ -221,6 +221,40 @@ abstract class PhabricatorAuthFactor extends Phobject {
    return $result;
  }

+  final public function getResultForPrompt(
+    PhabricatorAuthFactorConfig $config,
+    PhabricatorUser $viewer,
+    AphrontRequest $request,
+    array $challenges) {
+    assert_instances_of($challenges, 'PhabricatorAuthChallenge');
+
+    $result = $this->newResultForPrompt(
+      $config,
+      $viewer,
+      $request,
+      $challenges);
+
+    if (!$this->isAuthResult($result)) {
+      throw new Exception(
+        pht(
+          'Expected "newResultForPrompt()" to return an object of class "%s", '.
+          'but it returned something else ("%s"; in "%s").',
+          'PhabricatorAuthFactorResult',
+          phutil_describe_type($result),
+          get_class($this)));
+    }
+
+    return $result;
+  }
+
+  protected function newResultForPrompt(
+    PhabricatorAuthFactorConfig $config,
+    PhabricatorUser $viewer,
+    AphrontRequest $request,
+    array $challenges) {
+    return $this->newResult();
+  }
+
  abstract protected function newResultFromIssuedChallenges(
    PhabricatorAuthFactorConfig $config,
    PhabricatorUser $viewer,
--- a/src/applications/auth/factor/PhabricatorDuoAuthFactor.php
+++ b/src/applications/auth/factor/PhabricatorDuoAuthFactor.php
@ -681,6 +681,19 @@ final class PhabricatorDuoAuthFactor
    AphrontRequest $request,
    array $challenges) {

+    return $this->getResultForPrompt(
+      $config,
+      $viewer,
+      $request,
+      $challenges);
+  }
+
+  protected function newResultForPrompt(
+    PhabricatorAuthFactorConfig $config,
+    PhabricatorUser $viewer,
+    AphrontRequest $request,
+    array $challenges) {
+
    $result = $this->newResult()
      ->setIsContinue(true)
      ->setErrorMessage(