When a user takes actions while in a high security session, note it on the resulting transactions

Summary: Ref T13197. See PHI873. Record when a user has MFA'd and add a little icon to the transaction, similar to the exiting "Silent" icon. For now, this just makes this stuff more auditable. Future changes may add ways to require MFA for certain specific transactions, outside of the ones that already always require MFA (like revealing credentials). Test Plan: {F5877960} Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13197 Differential Revision: https://secure.phabricator.com/D19665
2024-09-19 16:58:48 +02:00 · 2018-09-11 13:47:15 -07:00 · 2018-09-11 13:47:15 -07:00 · f5e90a363e
commit f5e90a363e
parent 8268abcb78
7 changed files with 63 additions and 3 deletions
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@ -490,8 +490,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
    PhabricatorAuthSession $session,
    $force = false) {

-    $until = $session->getHighSecurityUntil();
-    if ($until > time() || $force) {
+    if ($session->isHighSecuritySession() || $force) {
      return new PhabricatorAuthHighSecurityToken();
    }

--- a/src/applications/auth/storage/PhabricatorAuthSession.php
+++ b/src/applications/auth/storage/PhabricatorAuthSession.php
@ -74,6 +74,22 @@ final class PhabricatorAuthSession extends PhabricatorAuthDAO
    }
  }

+  public function isHighSecuritySession() {
+    $until = $this->getHighSecurityUntil();
+
+    if (!$until) {
+      return false;
+    }
+
+    $now = PhabricatorTime::getNow();
+    if ($until < $now) {
+      return false;
+    }
+
+    return true;
+  }
+
+
 /* -(  PhabricatorPolicyInterface  )----------------------------------------- */


--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@ -306,6 +306,14 @@ final class PhabricatorUser
    return ($this->session !== self::ATTACHABLE);
  }

+  public function hasHighSecuritySession() {
+    if (!$this->hasSession()) {
+      return false;
+    }
+
+    return $this->getSession()->isHighSecuritySession();
+  }
+
  private function generateConduitCertificate() {
    return Filesystem::readRandomCharacters(255);
  }
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@ -850,6 +850,10 @@ abstract class PhabricatorApplicationTransactionEditor
      $xaction->setIsSilentTransaction(true);
    }

+    if ($actor->hasHighSecuritySession()) {
+      $xaction->setIsMFATransaction(true);
+    }
+
    return $xaction;
  }

--- a/src/applications/transactions/storage/PhabricatorApplicationTransaction.php
+++ b/src/applications/transactions/storage/PhabricatorApplicationTransaction.php
@ -165,6 +165,14 @@ abstract class PhabricatorApplicationTransaction
    return (bool)$this->getMetadataValue('core.silent', false);
  }

+  public function setIsMFATransaction($mfa) {
+    return $this->setMetadataValue('core.mfa', $mfa);
+  }
+
+  public function getIsMFATransaction() {
+    return (bool)$this->getMetadataValue('core.mfa', false);
+  }
+
  public function attachComment(
    PhabricatorApplicationTransactionComment $comment) {
    $this->comment = $comment;
@ -1461,6 +1469,12 @@ abstract class PhabricatorApplicationTransaction
      if ($is_silent != $xaction->getIsSilentTransaction()) {
        return false;
      }
+
+      // Don't group MFA and non-MFA transactions together.
+      $is_mfa = $this->getIsMFATransaction();
+      if ($is_mfa != $xaction->getIsMFATransaction()) {
+        return false;
+      }
    }

    return true;
--- a/src/applications/transactions/view/PhabricatorApplicationTransactionView.php
+++ b/src/applications/transactions/view/PhabricatorApplicationTransactionView.php
@ -424,7 +424,8 @@ class PhabricatorApplicationTransactionView extends AphrontView {
      ->setIcon($xaction->getIcon())
      ->setColor($xaction->getColor())
      ->setHideCommentOptions($this->getHideCommentOptions())
-      ->setIsSilent($xaction->getIsSilentTransaction());
+      ->setIsSilent($xaction->getIsSilentTransaction())
+      ->setIsMFA($xaction->getIsMFATransaction());

    list($token, $token_removed) = $xaction->getToken();
    if ($token) {
--- a/src/view/phui/PHUITimelineEventView.php
+++ b/src/view/phui/PHUITimelineEventView.php
@ -30,6 +30,7 @@ final class PHUITimelineEventView extends AphrontView {
  private $badges = array();
  private $pinboardItems = array();
  private $isSilent;
+  private $isMFA;

  public function setAuthorPHID($author_phid) {
    $this->authorPHID = $author_phid;
@ -187,6 +188,15 @@ final class PHUITimelineEventView extends AphrontView {
    return $this->isSilent;
  }

+  public function setIsMFA($is_mfa) {
+    $this->isMFA = $is_mfa;
+    return $this;
+  }
+
+  public function getIsMFA() {
+    return $this->isMFA;
+  }
+
  public function setReallyMajorEvent($me) {
    $this->reallyMajorEvent = $me;
    return $this;
@ -590,6 +600,14 @@ final class PHUITimelineEventView extends AphrontView {
          ->setIcon('fa-bell-slash', 'red')
          ->setTooltip(pht('Silent Edit'));
      }
+
+      // If this edit was applied while the actor was in high-security mode,
+      // provide a hint that it was extra authentic.
+      if ($this->getIsMFA()) {
+        $extra[] = id(new PHUIIconView())
+          ->setIcon('fa-vcard', 'green')
+          ->setTooltip(pht('MFA Authenticated'));
+      }
    }

    $extra = javelin_tag(