Upgrade "masked" config to "hidden"
Summary: Ref T7185. We currently have "locked", "masked", and "hidden" config. However, "masked" does not really do anything. It was intended to mask values in DarkConsole, but Config got built out instead and "hidden" is strictly better in modern usage and protects against compromised administrator accounts. "hidden" implies "locked", so it's now strictly more powerful than just locked. Remove "masked" and upgrade all "masked" config to "hidden". In particular, this hides some API keys and secret keys much more aggressively in Config, which is desirable. Test Plan: Browsed things like S3 API keys in config and could no longer see them. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7185 Differential Revision: https://secure.phabricator.com/D11763
parent
f74fa49636
commit
ebebeb8f7c
12 changed files with 14 additions and 44 deletions
|
@ -206,6 +206,8 @@ final class PhabricatorExtraConfigSetupCheck extends PhabricatorSetupCheck {
|
|||
'translation.provider' => pht(
|
||||
'The translation implementation has changed and providers are no '.
|
||||
'longer used or supported.'),
|
||||
'config.mask' => pht(
|
||||
'Use `config.hide` instead of this option.'),
|
||||
);
|
||||
|
||||
return $ancient_config;
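Review bot: The new `config.mask` entry in the ancient-config list only says to use `config.hide`; it does not tell the administrator that options they listed under `config.mask` have stopped being protected. The PhabricatorConfigAllController and PhabricatorConfigGroupController sections of this commit drop their `getMasked()` branches, so an option that was covered only by a local `config.mask` entry now falls through to `PhabricatorEnv::getEnvConfig()` and is rendered in those views until it is added to `config.hide`. I would make the message explicit, for example `'Options listed here are no longer masked. Move them to config.hide.'`, or carry the old list over to `config.hide` automatically. How prominently an ancient-config warning is surfaced is decided outside this hunk.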
|
||||
|
|
|
@ -17,9 +17,7 @@ final class PhabricatorConfigAllController
|
|||
foreach ($options as $option) {
|
||||
$key = $option->getKey();
|
||||
|
||||
if ($option->getMasked()) {
|
||||
$value = phutil_tag('em', array(), pht('Masked'));
|
||||
} else if ($option->getHidden()) {
|
||||
if ($option->getHidden()) {
|
||||
$value = phutil_tag('em', array(), pht('Hidden'));
|
||||
} else {
|
||||
$value = PhabricatorEnv::getEnvConfig($key);
|
||||
|
|
|
@ -72,7 +72,7 @@ final class PhabricatorConfigGroupController
|
|||
->setHref('/config/edit/'.$option->getKey().'/')
|
||||
->addAttribute($summary);
|
||||
|
||||
if (!$option->getHidden() && !$option->getMasked()) {
|
||||
if (!$option->getHidden()) {
|
||||
$current_value = PhabricatorEnv::getEnvConfig($option->getKey());
|
||||
$current_value = PhabricatorConfigJSON::prettyPrintJSON(
|
||||
$current_value);
|
||||
|
@ -96,8 +96,6 @@ final class PhabricatorConfigGroupController
|
|||
|
||||
if ($option->getHidden()) {
|
||||
$item->addIcon('unpublish', pht('Hidden'));
|
||||
} else if ($option->getMasked()) {
|
||||
$item->addIcon('unpublish-grey', pht('Masked'));
|
||||
} else if ($option->getLocked()) {
|
||||
$item->addIcon('lock', pht('Locked'));
|
||||
}
|
||||
|
|
|
@ -25,13 +25,13 @@ final class PhabricatorAWSConfigOptions
|
|||
->setLocked(true)
|
||||
->setDescription(pht('Access key for Amazon SES.')),
|
||||
$this->newOption('amazon-ses.secret-key', 'string', null)
|
||||
->setMasked(true)
|
||||
->setHidden(true)
|
||||
->setDescription(pht('Secret key for Amazon SES.')),
|
||||
$this->newOption('amazon-s3.access-key', 'string', null)
|
||||
->setLocked(true)
|
||||
->setDescription(pht('Access key for Amazon S3.')),
|
||||
$this->newOption('amazon-s3.secret-key', 'string', null)
|
||||
->setMasked(true)
|
||||
->setHidden(true)
|
||||
->setDescription(pht('Secret key for Amazon S3.')),
|
||||
$this->newOption('amazon-s3.endpoint', 'string', null)
|
||||
->setLocked(true)
|
||||
|
@ -45,7 +45,7 @@ final class PhabricatorAWSConfigOptions
|
|||
->setLocked(true)
|
||||
->setDescription(pht('Access key for Amazon EC2.')),
|
||||
$this->newOption('amazon-ec2.secret-key', 'string', null)
|
||||
->setMasked(true)
|
||||
->setHidden(true)
|
||||
->setDescription(pht('Secret key for Amazon EC2.')),
|
||||
);
|
||||
}
|
||||
|
|
|
@ -16,7 +16,6 @@ final class PhabricatorConfigOption
|
|||
private $locked;
|
||||
private $lockedMessage;
|
||||
private $hidden;
|
||||
private $masked;
|
||||
private $baseClass;
|
||||
private $customData;
|
||||
private $customObject;
|
||||
|
@ -30,26 +29,6 @@ final class PhabricatorConfigOption
|
|||
return $this->baseClass;
|
||||
}
|
||||
|
||||
public function setMasked($masked) {
|
||||
$this->masked = $masked;
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function getMasked() {
|
||||
if ($this->masked) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if ($this->getHidden()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return idx(
|
||||
PhabricatorEnv::getEnvConfig('config.mask'),
|
||||
$this->getKey(),
|
||||
false);
|
||||
}
|
||||
|
||||
public function setHidden($hidden) {
|
||||
$this->hidden = $hidden;
|
||||
return $this;
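Review bot: Removing the public `setMasked()` and `getMasked()` methods outright means any config option class outside this commit that still chains `->setMasked(true)` will fail on an undefined method instead of keeping its value protected. A deprecated shim that forwards to the stronger flag fails safe: `public function setMasked($masked) { return $this->setHidden($masked); }`. Whether out-of-tree option classes exist is not visible here, so treat this as a compatibility precaution. The deleted `getMasked()` also consulted `config.mask`; `getHidden()` lies outside the hunk, so it is worth confirming that it consults `config.hide` in the same way. The class body starts and ends outside these hunks.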
|
||||
|
|
|
@ -179,9 +179,6 @@ final class PhabricatorCoreConfigOptions
|
|||
$this->newOption('config.hide', 'set', array())
|
||||
->setLocked(true)
|
||||
->setDescription(pht('Additional configuration options to hide.')),
|
||||
$this->newOption('config.mask', 'set', array())
|
||||
->setLocked(true)
|
||||
->setDescription(pht('Additional configuration options to mask.')),
|
||||
$this->newOption('config.ignore-issues', 'set', array())
|
||||
->setLocked(true)
|
||||
->setDescription(pht('Setup issues to ignore.')),
|
||||
|
|
|
@ -28,7 +28,7 @@ final class PhabricatorMailgunConfigOptions
|
|||
'Mailgun domain name. See https://mailgun.com/cp/domains'))
|
||||
->addExample('mycompany.com', 'Use specific domain'),
|
||||
$this->newOption('mailgun.api-key', 'string', null)
|
||||
->setMasked(true)
|
||||
->setHidden(true)
|
||||
->setDescription(pht('Mailgun API key.')),
|
||||
);
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ final class PhabricatorPHPMailerConfigOptions
|
|||
->setLocked(true)
|
||||
->setDescription(pht('Username for SMTP.')),
|
||||
$this->newOption('phpmailer.smtp-password', 'string', null)
|
||||
->setMasked(true)
|
||||
->setHidden(true)
|
||||
->setDescription(pht('Password for SMTP.')),
|
||||
$this->newOption('phpmailer.smtp-encoding', 'string', '8bit')
|
||||
->setSummary(pht('Configure how mail is encoded.'))
|
||||
|
|
|
@ -38,7 +38,7 @@ final class PhabricatorRecaptchaConfigOptions
|
|||
->setDescription(
|
||||
pht('Recaptcha public key, obtained by signing up for Recaptcha.')),
|
||||
$this->newOption('recaptcha.private-key', 'string', null)
|
||||
->setMasked(true)
|
||||
->setHidden(true)
|
||||
->setDescription(
|
||||
pht('Recaptcha private key, obtained by signing up for Recaptcha.')),
|
||||
);
|
||||
|
|
|
@ -54,7 +54,6 @@ EODOC
|
|||
'string',
|
||||
null)
|
||||
->setDescription(pht('Authorization token from Twilio service.'))
|
||||
->setLocked(true)
|
||||
->setHidden(true)
|
||||
->addExample('f3jsi4i67wiwt6w54hf2zwvy3fjf5h', pht('30 characters')),
|
||||
);
|
||||
|
|
|
@ -45,8 +45,7 @@ final class PhabricatorSecurityConfigOptions
|
|||
'security.hmac-key',
|
||||
'string',
|
||||
'[D\t~Y7eNmnQGJ;rnH6aF;m2!vJ8@v8C=Cs:aQS\.Qw')
|
||||
->setMasked(true)
|
||||
->setLocked(true)
|
||||
->setHidden(true)
|
||||
->setSummary(
|
||||
pht('Key for HMAC digests.'))
|
||||
->setDescription(
|
||||
|
@ -104,8 +103,7 @@ final class PhabricatorSecurityConfigOptions
|
|||
'phabricator.csrf-key',
|
||||
'string',
|
||||
'0b7ec0592e0a2829d8b71df2fa269b2c6172eca3')
|
||||
->setMasked(true)
|
||||
->setLocked(true)
|
||||
->setHidden(true)
|
||||
->setSummary(
|
||||
pht('Hashed with other inputs to generate CSRF tokens.'))
|
||||
->setDescription(
|
||||
|
@ -120,8 +118,7 @@ final class PhabricatorSecurityConfigOptions
|
|||
'phabricator.mail-key',
|
||||
'string',
|
||||
'5ce3e7e8787f6e40dfae861da315a5cdf1018f12')
|
||||
->setMasked(true)
|
||||
->setLocked(true)
|
||||
->setHidden(true)
|
||||
->setSummary(
|
||||
pht('Hashed with other inputs to generate mail tokens.'))
|
||||
->setDescription(
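Review bot: `security.hmac-key`, `phabricator.csrf-key` and `phabricator.mail-key` are now hidden, yet each still ships with a string-literal default that is public in the source tree, so hiding protects only installs that have overridden the value. Once the value is hidden, an administrator can no longer see in Config whether the install is still running on the shipped default. A setup check that raises an issue when any of these keys equals its default would cover that; whether one already exists is outside these hunks. All three hunks also drop `->setLocked(true)` and rely on hidden implying locked, which is enforced elsewhere; a short comment such as `// Hidden options are also locked.` next to `->setHidden(true)` would keep that dependency visible. The option definitions continue past the end of each hunk.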
|
||||
|
|
|
@ -25,7 +25,7 @@ final class PhabricatorSendGridConfigOptions
|
|||
->setLocked(true)
|
||||
->setDescription(pht('SendGrid API username.')),
|
||||
$this->newOption('sendgrid.api-key', 'string', null)
|
||||
->setMasked(true)
|
||||
->setHidden(true)
|
||||
->setDescription(pht('SendGrid API key.')),
|
||||
);
|
||||
}
|
||||
|
|