mirror of https://we.phorge.it/source/phorge.git synced 2025-01-11 07:11:04 +01:00

Add a bin/auth revoke revoker for SSH keys

Summary: Ref T13043. Adds CLI support for revoking SSH keys. Also retargets UI language from "Deactivate" to "Revoke" to make it more clear that this is a one-way operation. This operation is already correctly implemented as a "Revoke" operation.

Test Plan: Used `bin/auth revoke --type ssh` to revoke keys, verified they became revoked (with proper transactions) in the UI. Revoked keys from the web UI flow.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13043

Differential Revision: https://secure.phabricator.com/D18893
epriestley 2018-01-20 09:08:30 -08:00
parent 39c3b10a2f
commit fa1ecb7f66
8 changed files with 70 additions and 16 deletions


@ -2105,7 +2105,6 @@ phutil_register_library_map(array(
'PhabricatorAuthRevoker' => 'applications/auth/revoker/PhabricatorAuthRevoker.php', 'PhabricatorAuthRevoker' => 'applications/auth/revoker/PhabricatorAuthRevoker.php',
'PhabricatorAuthSSHKey' => 'applications/auth/storage/PhabricatorAuthSSHKey.php', 'PhabricatorAuthSSHKey' => 'applications/auth/storage/PhabricatorAuthSSHKey.php',
'PhabricatorAuthSSHKeyController' => 'applications/auth/controller/PhabricatorAuthSSHKeyController.php', 'PhabricatorAuthSSHKeyController' => 'applications/auth/controller/PhabricatorAuthSSHKeyController.php',
'PhabricatorAuthSSHKeyDeactivateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyDeactivateController.php',
'PhabricatorAuthSSHKeyEditController' => 'applications/auth/controller/PhabricatorAuthSSHKeyEditController.php', 'PhabricatorAuthSSHKeyEditController' => 'applications/auth/controller/PhabricatorAuthSSHKeyEditController.php',
'PhabricatorAuthSSHKeyEditor' => 'applications/auth/editor/PhabricatorAuthSSHKeyEditor.php', 'PhabricatorAuthSSHKeyEditor' => 'applications/auth/editor/PhabricatorAuthSSHKeyEditor.php',
'PhabricatorAuthSSHKeyGenerateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php', 'PhabricatorAuthSSHKeyGenerateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php',
@ -2113,12 +2112,14 @@ phutil_register_library_map(array(
'PhabricatorAuthSSHKeyPHIDType' => 'applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php', 'PhabricatorAuthSSHKeyPHIDType' => 'applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php',
'PhabricatorAuthSSHKeyQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyQuery.php', 'PhabricatorAuthSSHKeyQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyQuery.php',
'PhabricatorAuthSSHKeyReplyHandler' => 'applications/auth/mail/PhabricatorAuthSSHKeyReplyHandler.php', 'PhabricatorAuthSSHKeyReplyHandler' => 'applications/auth/mail/PhabricatorAuthSSHKeyReplyHandler.php',
'PhabricatorAuthSSHKeyRevokeController' => 'applications/auth/controller/PhabricatorAuthSSHKeyRevokeController.php',
'PhabricatorAuthSSHKeySearchEngine' => 'applications/auth/query/PhabricatorAuthSSHKeySearchEngine.php', 'PhabricatorAuthSSHKeySearchEngine' => 'applications/auth/query/PhabricatorAuthSSHKeySearchEngine.php',
'PhabricatorAuthSSHKeyTableView' => 'applications/auth/view/PhabricatorAuthSSHKeyTableView.php', 'PhabricatorAuthSSHKeyTableView' => 'applications/auth/view/PhabricatorAuthSSHKeyTableView.php',
'PhabricatorAuthSSHKeyTransaction' => 'applications/auth/storage/PhabricatorAuthSSHKeyTransaction.php', 'PhabricatorAuthSSHKeyTransaction' => 'applications/auth/storage/PhabricatorAuthSSHKeyTransaction.php',
'PhabricatorAuthSSHKeyTransactionQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyTransactionQuery.php', 'PhabricatorAuthSSHKeyTransactionQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyTransactionQuery.php',
'PhabricatorAuthSSHKeyViewController' => 'applications/auth/controller/PhabricatorAuthSSHKeyViewController.php', 'PhabricatorAuthSSHKeyViewController' => 'applications/auth/controller/PhabricatorAuthSSHKeyViewController.php',
'PhabricatorAuthSSHPublicKey' => 'applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php', 'PhabricatorAuthSSHPublicKey' => 'applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php',
'PhabricatorAuthSSHRevoker' => 'applications/auth/revoker/PhabricatorAuthSSHRevoker.php',
'PhabricatorAuthSession' => 'applications/auth/storage/PhabricatorAuthSession.php', 'PhabricatorAuthSession' => 'applications/auth/storage/PhabricatorAuthSession.php',
'PhabricatorAuthSessionEngine' => 'applications/auth/engine/PhabricatorAuthSessionEngine.php', 'PhabricatorAuthSessionEngine' => 'applications/auth/engine/PhabricatorAuthSessionEngine.php',
'PhabricatorAuthSessionEngineExtension' => 'applications/auth/engine/PhabricatorAuthSessionEngineExtension.php', 'PhabricatorAuthSessionEngineExtension' => 'applications/auth/engine/PhabricatorAuthSessionEngineExtension.php',
@ -7390,7 +7391,6 @@ phutil_register_library_map(array(
'PhabricatorApplicationTransactionInterface', 'PhabricatorApplicationTransactionInterface',
), ),
'PhabricatorAuthSSHKeyController' => 'PhabricatorAuthController', 'PhabricatorAuthSSHKeyController' => 'PhabricatorAuthController',
'PhabricatorAuthSSHKeyDeactivateController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHKeyEditController' => 'PhabricatorAuthSSHKeyController', 'PhabricatorAuthSSHKeyEditController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHKeyEditor' => 'PhabricatorApplicationTransactionEditor', 'PhabricatorAuthSSHKeyEditor' => 'PhabricatorApplicationTransactionEditor',
'PhabricatorAuthSSHKeyGenerateController' => 'PhabricatorAuthSSHKeyController', 'PhabricatorAuthSSHKeyGenerateController' => 'PhabricatorAuthSSHKeyController',
@ -7398,12 +7398,14 @@ phutil_register_library_map(array(
'PhabricatorAuthSSHKeyPHIDType' => 'PhabricatorPHIDType', 'PhabricatorAuthSSHKeyPHIDType' => 'PhabricatorPHIDType',
'PhabricatorAuthSSHKeyQuery' => 'PhabricatorCursorPagedPolicyAwareQuery', 'PhabricatorAuthSSHKeyQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
'PhabricatorAuthSSHKeyReplyHandler' => 'PhabricatorApplicationTransactionReplyHandler', 'PhabricatorAuthSSHKeyReplyHandler' => 'PhabricatorApplicationTransactionReplyHandler',
'PhabricatorAuthSSHKeyRevokeController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHKeySearchEngine' => 'PhabricatorApplicationSearchEngine', 'PhabricatorAuthSSHKeySearchEngine' => 'PhabricatorApplicationSearchEngine',
'PhabricatorAuthSSHKeyTableView' => 'AphrontView', 'PhabricatorAuthSSHKeyTableView' => 'AphrontView',
'PhabricatorAuthSSHKeyTransaction' => 'PhabricatorApplicationTransaction', 'PhabricatorAuthSSHKeyTransaction' => 'PhabricatorApplicationTransaction',
'PhabricatorAuthSSHKeyTransactionQuery' => 'PhabricatorApplicationTransactionQuery', 'PhabricatorAuthSSHKeyTransactionQuery' => 'PhabricatorApplicationTransactionQuery',
'PhabricatorAuthSSHKeyViewController' => 'PhabricatorAuthSSHKeyController', 'PhabricatorAuthSSHKeyViewController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHPublicKey' => 'Phobject', 'PhabricatorAuthSSHPublicKey' => 'Phobject',
'PhabricatorAuthSSHRevoker' => 'PhabricatorAuthRevoker',
'PhabricatorAuthSession' => array( 'PhabricatorAuthSession' => array(
'PhabricatorAuthDAO', 'PhabricatorAuthDAO',
'PhabricatorPolicyInterface', 'PhabricatorPolicyInterface',


@ -80,8 +80,8 @@ final class PhabricatorAuthApplication extends PhabricatorApplication {
'generate/' => 'PhabricatorAuthSSHKeyGenerateController', 'generate/' => 'PhabricatorAuthSSHKeyGenerateController',
'upload/' => 'PhabricatorAuthSSHKeyEditController', 'upload/' => 'PhabricatorAuthSSHKeyEditController',
'edit/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyEditController', 'edit/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyEditController',
'deactivate/(?P<id>\d+)/' 'revoke/(?P<id>\d+)/'
=> 'PhabricatorAuthSSHKeyDeactivateController', => 'PhabricatorAuthSSHKeyRevokeController',
'view/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyViewController', 'view/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyViewController',
), ),
'password/' => 'PhabricatorAuthSetPasswordController', 'password/' => 'PhabricatorAuthSetPasswordController',


@ -1,6 +1,6 @@
<?php <?php
final class PhabricatorAuthSSHKeyDeactivateController final class PhabricatorAuthSSHKeyRevokeController
extends PhabricatorAuthSSHKeyController { extends PhabricatorAuthSSHKeyController {
public function handleRequest(AphrontRequest $request) { public function handleRequest(AphrontRequest $request) {
@ -46,14 +46,14 @@ final class PhabricatorAuthSSHKeyDeactivateController
$name = phutil_tag('strong', array(), $key->getName()); $name = phutil_tag('strong', array(), $key->getName());
return $this->newDialog() return $this->newDialog()
->setTitle(pht('Deactivate SSH Public Key')) ->setTitle(pht('Revoke SSH Public Key'))
->appendParagraph( ->appendParagraph(
pht( pht(
'The key "%s" will be permanently deactivated, and you will no '. 'The key "%s" will be permanently revoked, and you will no '.
'longer be able to use the corresponding private key to '. 'longer be able to use the corresponding private key to '.
'authenticate.', 'authenticate.',
$name)) $name))
->addSubmitButton(pht('Deactivate Public Key')) ->addSubmitButton(pht('Revoke Public Key'))
->addCancelButton($cancel_uri); ->addCancelButton($cancel_uri);
} }


@ -35,7 +35,7 @@ final class PhabricatorAuthSSHKeyViewController
if ($ssh_key->getIsActive()) { if ($ssh_key->getIsActive()) {
$header->setStatus('fa-check', 'bluegrey', pht('Active')); $header->setStatus('fa-check', 'bluegrey', pht('Active'));
} else { } else {
$header->setStatus('fa-ban', 'dark', pht('Deactivated')); $header->setStatus('fa-ban', 'dark', pht('Revoked'));
} }
$header->addActionLink( $header->addActionLink(
@ -80,7 +80,7 @@ final class PhabricatorAuthSSHKeyViewController
$id = $ssh_key->getID(); $id = $ssh_key->getID();
$edit_uri = $this->getApplicationURI("sshkey/edit/{$id}/"); $edit_uri = $this->getApplicationURI("sshkey/edit/{$id}/");
$deactivate_uri = $this->getApplicationURI("sshkey/deactivate/{$id}/"); $revoke_uri = $this->getApplicationURI("sshkey/revoke/{$id}/");
$curtain = $this->newCurtainView($ssh_key); $curtain = $this->newCurtainView($ssh_key);
@ -95,8 +95,8 @@ final class PhabricatorAuthSSHKeyViewController
$curtain->addAction( $curtain->addAction(
id(new PhabricatorActionView()) id(new PhabricatorActionView())
->setIcon('fa-times') ->setIcon('fa-times')
->setName(pht('Deactivate SSH Key')) ->setName(pht('Revoke SSH Key'))
->setHref($deactivate_uri) ->setHref($revoke_uri)
->setWorkflow(true) ->setWorkflow(true)
->setDisabled(!$can_edit)); ->setDisabled(!$can_edit));


@ -5,7 +5,7 @@ abstract class PhabricatorAuthRevoker
private $viewer; private $viewer;
abstract public function revokeAlLCredentials(); abstract public function revokeAllCredentials();
abstract public function revokeCredentialsFrom($object); abstract public function revokeCredentialsFrom($object);
public function setViewer(PhabricatorUser $viewer) { public function setViewer(PhabricatorUser $viewer) {


@ -0,0 +1,52 @@
<?php
final class PhabricatorAuthSSHRevoker
extends PhabricatorAuthRevoker {
const REVOKERKEY = 'ssh';
public function revokeAllCredentials() {
$query = new PhabricatorAuthSSHKeyQuery();
return $this->revokeWithQuery($query);
}
public function revokeCredentialsFrom($object) {
$query = id(new PhabricatorAuthSSHKeyQuery())
->withObjectPHIDs(array($object->getPHID()));
return $this->revokeWithQuery($query);
}
private function revokeWithQuery(PhabricatorAuthSSHKeyQuery $query) {
$viewer = $this->getViewer();
// We're only going to revoke keys which have not already been revoked.
$ssh_keys = $query
->setViewer($viewer)
->withIsActive(true)
->execute();
$content_source = PhabricatorContentSource::newForSource(
PhabricatorDaemonContentSource::SOURCECONST);
$auth_phid = id(new PhabricatorAuthApplication())->getPHID();
foreach ($ssh_keys as $ssh_key) {
$xactions = array();
$xactions[] = $ssh_key->getApplicationTransactionTemplate()
->setTransactionType(PhabricatorAuthSSHKeyTransaction::TYPE_DEACTIVATE)
->setNewValue(1);
$editor = id(new PhabricatorAuthSSHKeyEditor())
->setActor($viewer)
->setActingAsPHID($auth_phid)
->setContinueOnNoEffect(true)
->setContinueOnMissingFields(true)
->setContentSource($content_source)
->applyTransactions($ssh_key, $xactions);
}
return count($ssh_keys);
}
}
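Review bot: revokeWithQuery() runs the key query under `$this->getViewer()`, so which keys are revoked depends on what that viewer is allowed to see; if a caller ever passes a non-omnipotent viewer, keys filtered out by policy are skipped silently and the returned count gives no hint of it. getViewer() and the CLI caller are outside this section, so the viewer may always be omnipotent in practice, but the assumption deserves a comment above the query, for example `// Callers must supply an omnipotent viewer; policy-filtered keys would be skipped without notice.` Separately, each transaction is recorded as acting as the Auth application with a daemon content source, so the audit trail will not show that an operator ran the revocation from the command line; a console-type content source may be a better fit if the codebase offers one. The value returned by `applyTransactions()` is assigned to `$editor` and never read, so that assignment can be dropped.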


@ -139,7 +139,7 @@ final class PhabricatorAuthSSHKey
public function describeAutomaticCapability($capability) { public function describeAutomaticCapability($capability) {
if (!$this->getIsACtive()) { if (!$this->getIsACtive()) {
return pht( return pht(
'Deactivated SSH keys can not be edited or reactivated.'); 'Revoked SSH keys can not be edited or reinstated.');
} }
return pht( return pht(


@ -43,11 +43,11 @@ final class PhabricatorAuthSSHKeyTransaction
case self::TYPE_DEACTIVATE: case self::TYPE_DEACTIVATE:
if ($new) { if ($new) {
return pht( return pht(
'%s deactivated this key.', '%s revoked this key.',
$this->renderHandleLink($author_phid)); $this->renderHandleLink($author_phid));
} else { } else {
return pht( return pht(
'%s activated this key.', '%s reinstated this key.',
$this->renderHandleLink($author_phid)); $this->renderHandleLink($author_phid));
} }