mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 22:10:55 +01:00
Minor cleanup of some session code
Summary: Ref T4398. Add some documentation and use `phutil_units()`. Test Plan: - Established a web session. - Established a conduit session. - Entered and exited hisec. - Used "Sessions" panel to examine results. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8924
This commit is contained in:
parent
e146958217
commit
a04e138ae2
2 changed files with 52 additions and 6 deletions
|
@ -1,7 +1,11 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @task hisec High Security Mode
|
*
|
||||||
|
* @task use Using Sessions
|
||||||
|
* @task new Creating Sessions
|
||||||
|
* @task hisec High Security
|
||||||
|
* @task partial Partial Sessions
|
||||||
*/
|
*/
|
||||||
final class PhabricatorAuthSessionEngine extends Phobject {
|
final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
|
|
||||||
|
@ -60,6 +64,23 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Load the user identity associated with a session of a given type,
|
||||||
|
* identified by token.
|
||||||
|
*
|
||||||
|
* When the user presents a session token to an API, this method verifies
|
||||||
|
* it is of the correct type and loads the corresponding identity if the
|
||||||
|
* session exists and is valid.
|
||||||
|
*
|
||||||
|
* NOTE: `$session_type` is the type of session that is required by the
|
||||||
|
* loading context. This prevents use of a Conduit sesssion as a Web
|
||||||
|
* session, for example.
|
||||||
|
*
|
||||||
|
* @param const The type of session to load.
|
||||||
|
* @param string The session token.
|
||||||
|
* @return PhabricatorUser|null
|
||||||
|
* @task use
|
||||||
|
*/
|
||||||
public function loadUserForSession($session_type, $session_token) {
|
public function loadUserForSession($session_type, $session_token) {
|
||||||
$session_kind = self::getSessionKindFromToken($session_token);
|
$session_kind = self::getSessionKindFromToken($session_token);
|
||||||
switch ($session_kind) {
|
switch ($session_kind) {
|
||||||
|
@ -211,6 +232,9 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* -( High Security )------------------------------------------------------ */
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Require high security, or prompt the user to enter high security.
|
* Require high security, or prompt the user to enter high security.
|
||||||
*
|
*
|
||||||
|
@ -222,6 +246,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
* @param AphrontReqeust Current request.
|
* @param AphrontReqeust Current request.
|
||||||
* @param string URI to return the user to if they cancel.
|
* @param string URI to return the user to if they cancel.
|
||||||
* @return PhabricatorAuthHighSecurityToken Security token.
|
* @return PhabricatorAuthHighSecurityToken Security token.
|
||||||
|
* @task hisec
|
||||||
*/
|
*/
|
||||||
public function requireHighSecuritySession(
|
public function requireHighSecuritySession(
|
||||||
PhabricatorUser $viewer,
|
PhabricatorUser $viewer,
|
||||||
|
@ -344,6 +369,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
* @param PhabricatorAuthSession Session to issue a token for.
|
* @param PhabricatorAuthSession Session to issue a token for.
|
||||||
* @param bool Force token issue.
|
* @param bool Force token issue.
|
||||||
* @return PhabricatorAuthHighSecurityToken|null Token, if authorized.
|
* @return PhabricatorAuthHighSecurityToken|null Token, if authorized.
|
||||||
|
* @task hisec
|
||||||
*/
|
*/
|
||||||
private function issueHighSecurityToken(
|
private function issueHighSecurityToken(
|
||||||
PhabricatorAuthSession $session,
|
PhabricatorAuthSession $session,
|
||||||
|
@ -353,6 +379,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
if ($until > time() || $force) {
|
if ($until > time() || $force) {
|
||||||
return new PhabricatorAuthHighSecurityToken();
|
return new PhabricatorAuthHighSecurityToken();
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -360,9 +387,10 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
/**
|
/**
|
||||||
* Render a form for providing relevant multi-factor credentials.
|
* Render a form for providing relevant multi-factor credentials.
|
||||||
*
|
*
|
||||||
* @param PhabricatorUser Viewing user.
|
* @param PhabricatorUser Viewing user.
|
||||||
* @param AphrontRequest Current request.
|
* @param AphrontRequest Current request.
|
||||||
* @return AphrontFormView Renderable form.
|
* @return AphrontFormView Renderable form.
|
||||||
|
* @task hisec
|
||||||
*/
|
*/
|
||||||
public function renderHighSecurityForm(
|
public function renderHighSecurityForm(
|
||||||
array $factors,
|
array $factors,
|
||||||
|
@ -388,10 +416,24 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Strip the high security flag from a session.
|
||||||
|
*
|
||||||
|
* Kicks a session out of high security and logs the exit.
|
||||||
|
*
|
||||||
|
* @param PhabricatorUser Acting user.
|
||||||
|
* @param PhabricatorAuthSession Session to return to normal security.
|
||||||
|
* @return void
|
||||||
|
* @task hisec
|
||||||
|
*/
|
||||||
public function exitHighSecurity(
|
public function exitHighSecurity(
|
||||||
PhabricatorUser $viewer,
|
PhabricatorUser $viewer,
|
||||||
PhabricatorAuthSession $session) {
|
PhabricatorAuthSession $session) {
|
||||||
|
|
||||||
|
if (!$session->getHighSecurityUntil()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
queryfx(
|
queryfx(
|
||||||
$session->establishConnection('w'),
|
$session->establishConnection('w'),
|
||||||
'UPDATE %T SET highSecurityUntil = NULL WHERE id = %d',
|
'UPDATE %T SET highSecurityUntil = NULL WHERE id = %d',
|
||||||
|
@ -406,11 +448,15 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* -( Partial Sessions )--------------------------------------------------- */
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Upgrade a partial session to a full session.
|
* Upgrade a partial session to a full session.
|
||||||
*
|
*
|
||||||
* @param PhabricatorAuthSession Session to upgrade.
|
* @param PhabricatorAuthSession Session to upgrade.
|
||||||
* @return void
|
* @return void
|
||||||
|
* @task partial
|
||||||
*/
|
*/
|
||||||
public function upgradePartialSession(PhabricatorUser $viewer) {
|
public function upgradePartialSession(PhabricatorUser $viewer) {
|
||||||
if (!$viewer->hasSession()) {
|
if (!$viewer->hasSession()) {
|
||||||
|
|
|
@ -44,9 +44,9 @@ final class PhabricatorAuthSession extends PhabricatorAuthDAO
|
||||||
public static function getSessionTypeTTL($session_type) {
|
public static function getSessionTypeTTL($session_type) {
|
||||||
switch ($session_type) {
|
switch ($session_type) {
|
||||||
case self::TYPE_WEB:
|
case self::TYPE_WEB:
|
||||||
return (60 * 60 * 24 * 30); // 30 days
|
return phutil_units('30 days in seconds');
|
||||||
case self::TYPE_CONDUIT:
|
case self::TYPE_CONDUIT:
|
||||||
return (60 * 60 * 24); // 24 hours
|
return phutil_units('24 hours in seconds');
|
||||||
default:
|
default:
|
||||||
throw new Exception(pht('Unknown session type "%s".', $session_type));
|
throw new Exception(pht('Unknown session type "%s".', $session_type));
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue