Require MFA to edit MFA providers

Summary: Depends on D20037. Ref T13222. Ref T7667. Although administrators can now disable MFA from the web UI, at least require that they survive MFA gates to do so. T7667 (`bin/auth lock`) should provide a sturdier approach here in the long term. Test Plan: Created and edited MFA providers, was prompted for MFA. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222, T7667 Differential Revision: https://secure.phabricator.com/D20038
2024-11-10 08:52:39 +01:00 · 2019-01-25 10:42:31 -08:00 · 2019-01-25 10:42:31 -08:00 · d8d4efe89e
commit d8d4efe89e
parent 44a0b3e83d
3 changed files with 22 additions and 1 deletions
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -2232,6 +2232,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthFactorProviderEditEngine' => 'applications/auth/editor/PhabricatorAuthFactorProviderEditEngine.php',
    'PhabricatorAuthFactorProviderEditor' => 'applications/auth/editor/PhabricatorAuthFactorProviderEditor.php',
    'PhabricatorAuthFactorProviderListController' => 'applications/auth/controller/mfa/PhabricatorAuthFactorProviderListController.php',
+    'PhabricatorAuthFactorProviderMFAEngine' => 'applications/auth/engine/PhabricatorAuthFactorProviderMFAEngine.php',
    'PhabricatorAuthFactorProviderNameTransaction' => 'applications/auth/xaction/PhabricatorAuthFactorProviderNameTransaction.php',
    'PhabricatorAuthFactorProviderQuery' => 'applications/auth/query/PhabricatorAuthFactorProviderQuery.php',
    'PhabricatorAuthFactorProviderStatus' => 'applications/auth/constants/PhabricatorAuthFactorProviderStatus.php',
@ -7954,12 +7955,14 @@ phutil_register_library_map(array(
      'PhabricatorApplicationTransactionInterface',
      'PhabricatorPolicyInterface',
      'PhabricatorExtendedPolicyInterface',
+      'PhabricatorEditEngineMFAInterface',
    ),
    'PhabricatorAuthFactorProviderController' => 'PhabricatorAuthProviderController',
    'PhabricatorAuthFactorProviderEditController' => 'PhabricatorAuthFactorProviderController',
    'PhabricatorAuthFactorProviderEditEngine' => 'PhabricatorEditEngine',
    'PhabricatorAuthFactorProviderEditor' => 'PhabricatorApplicationTransactionEditor',
    'PhabricatorAuthFactorProviderListController' => 'PhabricatorAuthProviderController',
+    'PhabricatorAuthFactorProviderMFAEngine' => 'PhabricatorEditEngineMFAEngine',
    'PhabricatorAuthFactorProviderNameTransaction' => 'PhabricatorAuthFactorProviderTransactionType',
    'PhabricatorAuthFactorProviderQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
    'PhabricatorAuthFactorProviderStatus' => 'Phobject',
--- a/src/applications/auth/engine/PhabricatorAuthFactorProviderMFAEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthFactorProviderMFAEngine.php
@ -0,0 +1,10 @@
+<?php
+
+final class PhabricatorAuthFactorProviderMFAEngine
+  extends PhabricatorEditEngineMFAEngine {
+
+  public function shouldTryMFA() {
+    return true;
+  }
+
+}
--- a/src/applications/auth/storage/PhabricatorAuthFactorProvider.php
+++ b/src/applications/auth/storage/PhabricatorAuthFactorProvider.php
@ -5,7 +5,8 @@ final class PhabricatorAuthFactorProvider
  implements
     PhabricatorApplicationTransactionInterface,
     PhabricatorPolicyInterface,
-     PhabricatorExtendedPolicyInterface {
+     PhabricatorExtendedPolicyInterface,
+     PhabricatorEditEngineMFAInterface {

  protected $providerFactorKey;
  protected $name;
@ -188,4 +189,11 @@ final class PhabricatorAuthFactorProvider
  }


+/* -(  PhabricatorEditEngineMFAInterface  )---------------------------------- */
+
+
+  public function newEditEngineMFAEngine() {
+    return new PhabricatorAuthFactorProviderMFAEngine();
+  }
+
 }