Add a bin/auth revoke
revoker for SSH keys
Summary: Ref T13043. Adds CLI support for revoking SSH keys. Also retargets UI language from "Deactivate" to "Revoke" to make it more clear that this is a one-way operation. This operation is already correctly implemented as a "Revoke" operation. Test Plan: Used `bin/auth revoke --type ssh` to revoke keys, verified they became revoked (with proper transactions) in the UI. Revoked keys from the web UI flow. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13043 Differential Revision: https://secure.phabricator.com/D18893
parent
39c3b10a2f
commit
fa1ecb7f66
8 changed files with 70 additions and 16 deletions
|
@ -2105,7 +2105,6 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorAuthRevoker' => 'applications/auth/revoker/PhabricatorAuthRevoker.php',
|
'PhabricatorAuthRevoker' => 'applications/auth/revoker/PhabricatorAuthRevoker.php',
|
||||||
'PhabricatorAuthSSHKey' => 'applications/auth/storage/PhabricatorAuthSSHKey.php',
|
'PhabricatorAuthSSHKey' => 'applications/auth/storage/PhabricatorAuthSSHKey.php',
|
||||||
'PhabricatorAuthSSHKeyController' => 'applications/auth/controller/PhabricatorAuthSSHKeyController.php',
|
'PhabricatorAuthSSHKeyController' => 'applications/auth/controller/PhabricatorAuthSSHKeyController.php',
|
||||||
'PhabricatorAuthSSHKeyDeactivateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyDeactivateController.php',
|
|
||||||
'PhabricatorAuthSSHKeyEditController' => 'applications/auth/controller/PhabricatorAuthSSHKeyEditController.php',
|
'PhabricatorAuthSSHKeyEditController' => 'applications/auth/controller/PhabricatorAuthSSHKeyEditController.php',
|
||||||
'PhabricatorAuthSSHKeyEditor' => 'applications/auth/editor/PhabricatorAuthSSHKeyEditor.php',
|
'PhabricatorAuthSSHKeyEditor' => 'applications/auth/editor/PhabricatorAuthSSHKeyEditor.php',
|
||||||
'PhabricatorAuthSSHKeyGenerateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php',
|
'PhabricatorAuthSSHKeyGenerateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php',
|
||||||
|
@ -2113,12 +2112,14 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorAuthSSHKeyPHIDType' => 'applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php',
|
'PhabricatorAuthSSHKeyPHIDType' => 'applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php',
|
||||||
'PhabricatorAuthSSHKeyQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyQuery.php',
|
'PhabricatorAuthSSHKeyQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyQuery.php',
|
||||||
'PhabricatorAuthSSHKeyReplyHandler' => 'applications/auth/mail/PhabricatorAuthSSHKeyReplyHandler.php',
|
'PhabricatorAuthSSHKeyReplyHandler' => 'applications/auth/mail/PhabricatorAuthSSHKeyReplyHandler.php',
|
||||||
|
'PhabricatorAuthSSHKeyRevokeController' => 'applications/auth/controller/PhabricatorAuthSSHKeyRevokeController.php',
|
||||||
'PhabricatorAuthSSHKeySearchEngine' => 'applications/auth/query/PhabricatorAuthSSHKeySearchEngine.php',
|
'PhabricatorAuthSSHKeySearchEngine' => 'applications/auth/query/PhabricatorAuthSSHKeySearchEngine.php',
|
||||||
'PhabricatorAuthSSHKeyTableView' => 'applications/auth/view/PhabricatorAuthSSHKeyTableView.php',
|
'PhabricatorAuthSSHKeyTableView' => 'applications/auth/view/PhabricatorAuthSSHKeyTableView.php',
|
||||||
'PhabricatorAuthSSHKeyTransaction' => 'applications/auth/storage/PhabricatorAuthSSHKeyTransaction.php',
|
'PhabricatorAuthSSHKeyTransaction' => 'applications/auth/storage/PhabricatorAuthSSHKeyTransaction.php',
|
||||||
'PhabricatorAuthSSHKeyTransactionQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyTransactionQuery.php',
|
'PhabricatorAuthSSHKeyTransactionQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyTransactionQuery.php',
|
||||||
'PhabricatorAuthSSHKeyViewController' => 'applications/auth/controller/PhabricatorAuthSSHKeyViewController.php',
|
'PhabricatorAuthSSHKeyViewController' => 'applications/auth/controller/PhabricatorAuthSSHKeyViewController.php',
|
||||||
'PhabricatorAuthSSHPublicKey' => 'applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php',
|
'PhabricatorAuthSSHPublicKey' => 'applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php',
|
||||||
|
'PhabricatorAuthSSHRevoker' => 'applications/auth/revoker/PhabricatorAuthSSHRevoker.php',
|
||||||
'PhabricatorAuthSession' => 'applications/auth/storage/PhabricatorAuthSession.php',
|
'PhabricatorAuthSession' => 'applications/auth/storage/PhabricatorAuthSession.php',
|
||||||
'PhabricatorAuthSessionEngine' => 'applications/auth/engine/PhabricatorAuthSessionEngine.php',
|
'PhabricatorAuthSessionEngine' => 'applications/auth/engine/PhabricatorAuthSessionEngine.php',
|
||||||
'PhabricatorAuthSessionEngineExtension' => 'applications/auth/engine/PhabricatorAuthSessionEngineExtension.php',
|
'PhabricatorAuthSessionEngineExtension' => 'applications/auth/engine/PhabricatorAuthSessionEngineExtension.php',
|
||||||
|
@ -7390,7 +7391,6 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorApplicationTransactionInterface',
|
'PhabricatorApplicationTransactionInterface',
|
||||||
),
|
),
|
||||||
'PhabricatorAuthSSHKeyController' => 'PhabricatorAuthController',
|
'PhabricatorAuthSSHKeyController' => 'PhabricatorAuthController',
|
||||||
'PhabricatorAuthSSHKeyDeactivateController' => 'PhabricatorAuthSSHKeyController',
|
|
||||||
'PhabricatorAuthSSHKeyEditController' => 'PhabricatorAuthSSHKeyController',
|
'PhabricatorAuthSSHKeyEditController' => 'PhabricatorAuthSSHKeyController',
|
||||||
'PhabricatorAuthSSHKeyEditor' => 'PhabricatorApplicationTransactionEditor',
|
'PhabricatorAuthSSHKeyEditor' => 'PhabricatorApplicationTransactionEditor',
|
||||||
'PhabricatorAuthSSHKeyGenerateController' => 'PhabricatorAuthSSHKeyController',
|
'PhabricatorAuthSSHKeyGenerateController' => 'PhabricatorAuthSSHKeyController',
|
||||||
|
@ -7398,12 +7398,14 @@ phutil_register_library_map(array(
|
||||||
'PhabricatorAuthSSHKeyPHIDType' => 'PhabricatorPHIDType',
|
'PhabricatorAuthSSHKeyPHIDType' => 'PhabricatorPHIDType',
|
||||||
'PhabricatorAuthSSHKeyQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
|
'PhabricatorAuthSSHKeyQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
|
||||||
'PhabricatorAuthSSHKeyReplyHandler' => 'PhabricatorApplicationTransactionReplyHandler',
|
'PhabricatorAuthSSHKeyReplyHandler' => 'PhabricatorApplicationTransactionReplyHandler',
|
||||||
|
'PhabricatorAuthSSHKeyRevokeController' => 'PhabricatorAuthSSHKeyController',
|
||||||
'PhabricatorAuthSSHKeySearchEngine' => 'PhabricatorApplicationSearchEngine',
|
'PhabricatorAuthSSHKeySearchEngine' => 'PhabricatorApplicationSearchEngine',
|
||||||
'PhabricatorAuthSSHKeyTableView' => 'AphrontView',
|
'PhabricatorAuthSSHKeyTableView' => 'AphrontView',
|
||||||
'PhabricatorAuthSSHKeyTransaction' => 'PhabricatorApplicationTransaction',
|
'PhabricatorAuthSSHKeyTransaction' => 'PhabricatorApplicationTransaction',
|
||||||
'PhabricatorAuthSSHKeyTransactionQuery' => 'PhabricatorApplicationTransactionQuery',
|
'PhabricatorAuthSSHKeyTransactionQuery' => 'PhabricatorApplicationTransactionQuery',
|
||||||
'PhabricatorAuthSSHKeyViewController' => 'PhabricatorAuthSSHKeyController',
|
'PhabricatorAuthSSHKeyViewController' => 'PhabricatorAuthSSHKeyController',
|
||||||
'PhabricatorAuthSSHPublicKey' => 'Phobject',
|
'PhabricatorAuthSSHPublicKey' => 'Phobject',
|
||||||
|
'PhabricatorAuthSSHRevoker' => 'PhabricatorAuthRevoker',
|
||||||
'PhabricatorAuthSession' => array(
|
'PhabricatorAuthSession' => array(
|
||||||
'PhabricatorAuthDAO',
|
'PhabricatorAuthDAO',
|
||||||
'PhabricatorPolicyInterface',
|
'PhabricatorPolicyInterface',
|
||||||
|
|
|
@ -80,8 +80,8 @@ final class PhabricatorAuthApplication extends PhabricatorApplication {
|
||||||
'generate/' => 'PhabricatorAuthSSHKeyGenerateController',
|
'generate/' => 'PhabricatorAuthSSHKeyGenerateController',
|
||||||
'upload/' => 'PhabricatorAuthSSHKeyEditController',
|
'upload/' => 'PhabricatorAuthSSHKeyEditController',
|
||||||
'edit/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyEditController',
|
'edit/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyEditController',
|
||||||
'deactivate/(?P<id>\d+)/'
|
'revoke/(?P<id>\d+)/'
|
||||||
=> 'PhabricatorAuthSSHKeyDeactivateController',
|
=> 'PhabricatorAuthSSHKeyRevokeController',
|
||||||
'view/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyViewController',
|
'view/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyViewController',
|
||||||
),
|
),
|
||||||
'password/' => 'PhabricatorAuthSetPasswordController',
|
'password/' => 'PhabricatorAuthSetPasswordController',
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
final class PhabricatorAuthSSHKeyDeactivateController
|
final class PhabricatorAuthSSHKeyRevokeController
|
||||||
extends PhabricatorAuthSSHKeyController {
|
extends PhabricatorAuthSSHKeyController {
|
||||||
|
|
||||||
public function handleRequest(AphrontRequest $request) {
|
public function handleRequest(AphrontRequest $request) {
|
||||||
|
@ -46,14 +46,14 @@ final class PhabricatorAuthSSHKeyDeactivateController
|
||||||
$name = phutil_tag('strong', array(), $key->getName());
|
$name = phutil_tag('strong', array(), $key->getName());
|
||||||
|
|
||||||
return $this->newDialog()
|
return $this->newDialog()
|
||||||
->setTitle(pht('Deactivate SSH Public Key'))
|
->setTitle(pht('Revoke SSH Public Key'))
|
||||||
->appendParagraph(
|
->appendParagraph(
|
||||||
pht(
|
pht(
|
||||||
'The key "%s" will be permanently deactivated, and you will no '.
|
'The key "%s" will be permanently revoked, and you will no '.
|
||||||
'longer be able to use the corresponding private key to '.
|
'longer be able to use the corresponding private key to '.
|
||||||
'authenticate.',
|
'authenticate.',
|
||||||
$name))
|
$name))
|
||||||
->addSubmitButton(pht('Deactivate Public Key'))
|
->addSubmitButton(pht('Revoke Public Key'))
|
||||||
->addCancelButton($cancel_uri);
|
->addCancelButton($cancel_uri);
|
||||||
}
|
}
|
||||||
|
|
|
@ -35,7 +35,7 @@ final class PhabricatorAuthSSHKeyViewController
|
||||||
if ($ssh_key->getIsActive()) {
|
if ($ssh_key->getIsActive()) {
|
||||||
$header->setStatus('fa-check', 'bluegrey', pht('Active'));
|
$header->setStatus('fa-check', 'bluegrey', pht('Active'));
|
||||||
} else {
|
} else {
|
||||||
$header->setStatus('fa-ban', 'dark', pht('Deactivated'));
|
$header->setStatus('fa-ban', 'dark', pht('Revoked'));
|
||||||
}
|
}
|
||||||
|
|
||||||
$header->addActionLink(
|
$header->addActionLink(
|
||||||
|
@ -80,7 +80,7 @@ final class PhabricatorAuthSSHKeyViewController
|
||||||
$id = $ssh_key->getID();
|
$id = $ssh_key->getID();
|
||||||
|
|
||||||
$edit_uri = $this->getApplicationURI("sshkey/edit/{$id}/");
|
$edit_uri = $this->getApplicationURI("sshkey/edit/{$id}/");
|
||||||
$deactivate_uri = $this->getApplicationURI("sshkey/deactivate/{$id}/");
|
$revoke_uri = $this->getApplicationURI("sshkey/revoke/{$id}/");
|
||||||
|
|
||||||
$curtain = $this->newCurtainView($ssh_key);
|
$curtain = $this->newCurtainView($ssh_key);
|
||||||
|
|
||||||
|
@ -95,8 +95,8 @@ final class PhabricatorAuthSSHKeyViewController
|
||||||
$curtain->addAction(
|
$curtain->addAction(
|
||||||
id(new PhabricatorActionView())
|
id(new PhabricatorActionView())
|
||||||
->setIcon('fa-times')
|
->setIcon('fa-times')
|
||||||
->setName(pht('Deactivate SSH Key'))
|
->setName(pht('Revoke SSH Key'))
|
||||||
->setHref($deactivate_uri)
|
->setHref($revoke_uri)
|
||||||
->setWorkflow(true)
|
->setWorkflow(true)
|
||||||
->setDisabled(!$can_edit));
|
->setDisabled(!$can_edit));
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@ abstract class PhabricatorAuthRevoker
|
||||||
|
|
||||||
private $viewer;
|
private $viewer;
|
||||||
|
|
||||||
abstract public function revokeAlLCredentials();
|
abstract public function revokeAllCredentials();
|
||||||
abstract public function revokeCredentialsFrom($object);
|
abstract public function revokeCredentialsFrom($object);
|
||||||
|
|
||||||
public function setViewer(PhabricatorUser $viewer) {
|
public function setViewer(PhabricatorUser $viewer) {
|
||||||
|
|
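--- /dev/null
+++ b/src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
@@ -0,0 +1,52 @@
+<?php
+
+final class PhabricatorAuthSSHRevoker
+extends PhabricatorAuthRevoker {
+
+const REVOKERKEY = 'ssh';
+
+public function revokeAllCredentials() {
+$query = new PhabricatorAuthSSHKeyQuery();
+return $this->revokeWithQuery($query);
+}
+
+public function revokeCredentialsFrom($object) {
+$query = id(new PhabricatorAuthSSHKeyQuery())
+->withObjectPHIDs(array($object->getPHID()));
+
+return $this->revokeWithQuery($query);
+}
+
+private function revokeWithQuery(PhabricatorAuthSSHKeyQuery $query) {
+$viewer = $this->getViewer();
+
+// We're only going to revoke keys which have not already been revoked.
+
+$ssh_keys = $query
+->setViewer($viewer)
+->withIsActive(true)
+->execute();
+
+$content_source = PhabricatorContentSource::newForSource(
+PhabricatorDaemonContentSource::SOURCECONST);
+
+$auth_phid = id(new PhabricatorAuthApplication())->getPHID();
+foreach ($ssh_keys as $ssh_key) {
+$xactions = array();
+$xactions[] = $ssh_key->getApplicationTransactionTemplate()
+->setTransactionType(PhabricatorAuthSSHKeyTransaction::TYPE_DEACTIVATE)
+->setNewValue(1);
+
+$editor = id(new PhabricatorAuthSSHKeyEditor())
+->setActor($viewer)
+->setActingAsPHID($auth_phid)
+->setContinueOnNoEffect(true)
+->setContinueOnMissingFields(true)
+->setContentSource($content_source)
+->applyTransactions($ssh_key, $xactions);
+}
+
+return count($ssh_keys);
+}
+
+}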
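Review bot: In `revokeWithQuery()` the keys that get revoked are exactly those returned by `$query->setViewer($viewer)->withIsActive(true)->execute()`, so a revocation is only complete if the viewer set on the revoker can see every key; the caller that sets the viewer is outside this section, and if it is ever not an omnipotent viewer, policy-filtered keys would presumably stay active with no error and a lower count. I would state that contract above the query, e.g. `// The viewer must be able to see every SSH key: keys hidden by policy are neither revoked nor counted.` The edits are attributed to the Auth application through `setActingAsPHID($auth_phid)` with a daemon content source, so the transaction log will not name the operator who ran the revoke; a short class docblock should say so for anyone reading the audit trail later. As a style point, `$editor` is assigned the result of `applyTransactions()` and never read, so the `$editor =` can be dropped.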
|
|
@ -139,7 +139,7 @@ final class PhabricatorAuthSSHKey
|
||||||
public function describeAutomaticCapability($capability) {
|
public function describeAutomaticCapability($capability) {
|
||||||
if (!$this->getIsACtive()) {
|
if (!$this->getIsACtive()) {
|
||||||
return pht(
|
return pht(
|
||||||
'Deactivated SSH keys can not be edited or reactivated.');
|
'Revoked SSH keys can not be edited or reinstated.');
|
||||||
}
|
}
|
||||||
|
|
||||||
return pht(
|
return pht(
|
||||||
|
|
|
@ -43,11 +43,11 @@ final class PhabricatorAuthSSHKeyTransaction
|
||||||
case self::TYPE_DEACTIVATE:
|
case self::TYPE_DEACTIVATE:
|
||||||
if ($new) {
|
if ($new) {
|
||||||
return pht(
|
return pht(
|
||||||
'%s deactivated this key.',
|
'%s revoked this key.',
|
||||||
$this->renderHandleLink($author_phid));
|
$this->renderHandleLink($author_phid));
|
||||||
} else {
|
} else {
|
||||||
return pht(
|
return pht(
|
||||||
'%s activated this key.',
|
'%s reinstated this key.',
|
||||||
$this->renderHandleLink($author_phid));
|
$this->renderHandleLink($author_phid));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|