mirror of https://we.phorge.it/source/phorge.git synced 2024-12-20 12:30:56 +01:00

Upgrade "masked" config to "hidden"

Summary:
Ref T7185. We currently have "locked", "masked", and "hidden" config.

However, "masked" does not really do anything. It was intended to mask values in DarkConsole, but Config got built out instead and "hidden" is strictly better in modern usage and protects against compromised administrator accounts. "hidden" implies "locked", so it's now strictly more powerful than just locked.

Remove "masked" and upgrade all "masked" config to "hidden". In particular, this hides some API keys and secret keys much more aggressively in Config, which is desirable.

Test Plan: Browsed things like S3 API keys in config and could no longer see them.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7185

Differential Revision: https://secure.phabricator.com/D11763
epriestley 2015-02-13 10:59:50 -08:00
parent f74fa49636
commit ebebeb8f7c
12 changed files with 14 additions and 44 deletions


@ -206,6 +206,8 @@ final class PhabricatorExtraConfigSetupCheck extends PhabricatorSetupCheck {
'translation.provider' => pht(
'The translation implementation has changed and providers are no '.
'longer used or supported.'),
'config.mask' => pht(
'Use `config.hide` instead of this option.'),
);
return $ancient_config;
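Review bot: Keys that an install had listed in `config.mask` lose their masking once this lands, and the message added under `'config.mask' => pht(` does not say so. Judging by the other sections of this commit, nothing copies those keys into `config.hide`, so until an administrator acts their values would presumably be rendered in Config like any ordinary option. I would make the message explicit about the consequence, for example `'This option no longer has any effect. Move the keys it listed to config.hide to keep their values out of the web UI.'`. The enclosing array and method begin outside this hunk.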


@ -17,9 +17,7 @@ final class PhabricatorConfigAllController
foreach ($options as $option) {
$key = $option->getKey();
if ($option->getMasked()) {
$value = phutil_tag('em', array(), pht('Masked'));
} else if ($option->getHidden()) {
if ($option->getHidden()) {
$value = phutil_tag('em', array(), pht('Hidden'));
} else {
$value = PhabricatorEnv::getEnvConfig($key);


@ -72,7 +72,7 @@ final class PhabricatorConfigGroupController
->setHref('/config/edit/'.$option->getKey().'/')
->addAttribute($summary);
if (!$option->getHidden() && !$option->getMasked()) {
if (!$option->getHidden()) {
$current_value = PhabricatorEnv::getEnvConfig($option->getKey());
$current_value = PhabricatorConfigJSON::prettyPrintJSON(
$current_value);
@ -96,8 +96,6 @@ final class PhabricatorConfigGroupController
if ($option->getHidden()) {
$item->addIcon('unpublish', pht('Hidden'));
} else if ($option->getMasked()) {
$item->addIcon('unpublish-grey', pht('Masked'));
} else if ($option->getLocked()) {
$item->addIcon('lock', pht('Locked'));
}


@ -25,13 +25,13 @@ final class PhabricatorAWSConfigOptions
->setLocked(true)
->setDescription(pht('Access key for Amazon SES.')),
$this->newOption('amazon-ses.secret-key', 'string', null)
->setMasked(true)
->setHidden(true)
->setDescription(pht('Secret key for Amazon SES.')),
$this->newOption('amazon-s3.access-key', 'string', null)
->setLocked(true)
->setDescription(pht('Access key for Amazon S3.')),
$this->newOption('amazon-s3.secret-key', 'string', null)
->setMasked(true)
->setHidden(true)
->setDescription(pht('Secret key for Amazon S3.')),
$this->newOption('amazon-s3.endpoint', 'string', null)
->setLocked(true)
@ -45,7 +45,7 @@ final class PhabricatorAWSConfigOptions
->setLocked(true)
->setDescription(pht('Access key for Amazon EC2.')),
$this->newOption('amazon-ec2.secret-key', 'string', null)
->setMasked(true)
->setHidden(true)
->setDescription(pht('Secret key for Amazon EC2.')),
);
}


@ -16,7 +16,6 @@ final class PhabricatorConfigOption
private $locked;
private $lockedMessage;
private $hidden;
private $masked;
private $baseClass;
private $customData;
private $customObject;
@ -30,26 +29,6 @@ final class PhabricatorConfigOption
return $this->baseClass;
}
public function setMasked($masked) {
$this->masked = $masked;
return $this;
}
public function getMasked() {
if ($this->masked) {
return true;
}
if ($this->getHidden()) {
return true;
}
return idx(
PhabricatorEnv::getEnvConfig('config.mask'),
$this->getKey(),
false);
}
public function setHidden($hidden) {
$this->hidden = $hidden;
return $this;


@ -179,9 +179,6 @@ final class PhabricatorCoreConfigOptions
$this->newOption('config.hide', 'set', array())
->setLocked(true)
->setDescription(pht('Additional configuration options to hide.')),
$this->newOption('config.mask', 'set', array())
->setLocked(true)
->setDescription(pht('Additional configuration options to mask.')),
$this->newOption('config.ignore-issues', 'set', array())
->setLocked(true)
->setDescription(pht('Setup issues to ignore.')),


@ -28,7 +28,7 @@ final class PhabricatorMailgunConfigOptions
'Mailgun domain name. See https://mailgun.com/cp/domains'))
->addExample('mycompany.com', 'Use specific domain'),
$this->newOption('mailgun.api-key', 'string', null)
->setMasked(true)
->setHidden(true)
->setDescription(pht('Mailgun API key.')),
);


@ -50,7 +50,7 @@ final class PhabricatorPHPMailerConfigOptions
->setLocked(true)
->setDescription(pht('Username for SMTP.')),
$this->newOption('phpmailer.smtp-password', 'string', null)
->setMasked(true)
->setHidden(true)
->setDescription(pht('Password for SMTP.')),
$this->newOption('phpmailer.smtp-encoding', 'string', '8bit')
->setSummary(pht('Configure how mail is encoded.'))


@ -38,7 +38,7 @@ final class PhabricatorRecaptchaConfigOptions
->setDescription(
pht('Recaptcha public key, obtained by signing up for Recaptcha.')),
$this->newOption('recaptcha.private-key', 'string', null)
->setMasked(true)
->setHidden(true)
->setDescription(
pht('Recaptcha private key, obtained by signing up for Recaptcha.')),
);


@ -54,7 +54,6 @@ EODOC
'string',
null)
->setDescription(pht('Authorization token from Twilio service.'))
->setLocked(true)
->setHidden(true)
->addExample('f3jsi4i67wiwt6w54hf2zwvy3fjf5h', pht('30 characters')),
);


@ -45,8 +45,7 @@ final class PhabricatorSecurityConfigOptions
'security.hmac-key',
'string',
'[D\t~Y7eNmnQGJ;rnH6aF;m2!vJ8@v8C=Cs:aQS\.Qw')
->setMasked(true)
->setLocked(true)
->setHidden(true)
->setSummary(
pht('Key for HMAC digests.'))
->setDescription(
@ -104,8 +103,7 @@ final class PhabricatorSecurityConfigOptions
'phabricator.csrf-key',
'string',
'0b7ec0592e0a2829d8b71df2fa269b2c6172eca3')
->setMasked(true)
->setLocked(true)
->setHidden(true)
->setSummary(
pht('Hashed with other inputs to generate CSRF tokens.'))
->setDescription(
@ -120,8 +118,7 @@ final class PhabricatorSecurityConfigOptions
'phabricator.mail-key',
'string',
'5ce3e7e8787f6e40dfae861da315a5cdf1018f12')
->setMasked(true)
->setLocked(true)
->setHidden(true)
->setSummary(
pht('Hashed with other inputs to generate mail tokens.'))
->setDescription(
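Review bot: With `->setHidden(true)` on `security.hmac-key`, `phabricator.csrf-key` and `phabricator.mail-key`, the Config UI can no longer show an administrator whether the install is still running on the literal defaults passed as the third argument in these three hunks. Those defaults are published with the source, so a key left at its default is not secret and hiding it in the UI protects nothing. If no setup check already covers this (none is visible from this page), I would add one that raises a setup issue whenever the effective value of one of these options equals its shipped default. I would also put a comment above each default, such as `// Public placeholder value; every install must override this.`. Each option definition continues past the end of its hunk.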


@ -25,7 +25,7 @@ final class PhabricatorSendGridConfigOptions
->setLocked(true)
->setDescription(pht('SendGrid API username.')),
$this->newOption('sendgrid.api-key', 'string', null)
->setMasked(true)
->setHidden(true)
->setDescription(pht('SendGrid API key.')),
);
}