1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 14:00:56 +01:00

Add a bin/auth revoke revoker for SSH keys

Summary: Ref T13043. Adds CLI support for revoking SSH keys. Also retargets UI language from "Deactivate" to "Revoke" to make it more clear that this is a one-way operation. This operation is already correctly implemented as a "Revoke" operation.

Test Plan: Used `bin/auth revoke --type ssh` to revoke keys, verified they became revoked (with proper transactions) in the UI. Revoked keys from the web UI flow.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13043

Differential Revision: https://secure.phabricator.com/D18893
This commit is contained in:
epriestley 2018-01-20 09:08:30 -08:00
parent 39c3b10a2f
commit fa1ecb7f66
8 changed files with 70 additions and 16 deletions

View file

@ -2105,7 +2105,6 @@ phutil_register_library_map(array(
'PhabricatorAuthRevoker' => 'applications/auth/revoker/PhabricatorAuthRevoker.php',
'PhabricatorAuthSSHKey' => 'applications/auth/storage/PhabricatorAuthSSHKey.php',
'PhabricatorAuthSSHKeyController' => 'applications/auth/controller/PhabricatorAuthSSHKeyController.php',
'PhabricatorAuthSSHKeyDeactivateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyDeactivateController.php',
'PhabricatorAuthSSHKeyEditController' => 'applications/auth/controller/PhabricatorAuthSSHKeyEditController.php',
'PhabricatorAuthSSHKeyEditor' => 'applications/auth/editor/PhabricatorAuthSSHKeyEditor.php',
'PhabricatorAuthSSHKeyGenerateController' => 'applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php',
@ -2113,12 +2112,14 @@ phutil_register_library_map(array(
'PhabricatorAuthSSHKeyPHIDType' => 'applications/auth/phid/PhabricatorAuthSSHKeyPHIDType.php',
'PhabricatorAuthSSHKeyQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyQuery.php',
'PhabricatorAuthSSHKeyReplyHandler' => 'applications/auth/mail/PhabricatorAuthSSHKeyReplyHandler.php',
'PhabricatorAuthSSHKeyRevokeController' => 'applications/auth/controller/PhabricatorAuthSSHKeyRevokeController.php',
'PhabricatorAuthSSHKeySearchEngine' => 'applications/auth/query/PhabricatorAuthSSHKeySearchEngine.php',
'PhabricatorAuthSSHKeyTableView' => 'applications/auth/view/PhabricatorAuthSSHKeyTableView.php',
'PhabricatorAuthSSHKeyTransaction' => 'applications/auth/storage/PhabricatorAuthSSHKeyTransaction.php',
'PhabricatorAuthSSHKeyTransactionQuery' => 'applications/auth/query/PhabricatorAuthSSHKeyTransactionQuery.php',
'PhabricatorAuthSSHKeyViewController' => 'applications/auth/controller/PhabricatorAuthSSHKeyViewController.php',
'PhabricatorAuthSSHPublicKey' => 'applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php',
'PhabricatorAuthSSHRevoker' => 'applications/auth/revoker/PhabricatorAuthSSHRevoker.php',
'PhabricatorAuthSession' => 'applications/auth/storage/PhabricatorAuthSession.php',
'PhabricatorAuthSessionEngine' => 'applications/auth/engine/PhabricatorAuthSessionEngine.php',
'PhabricatorAuthSessionEngineExtension' => 'applications/auth/engine/PhabricatorAuthSessionEngineExtension.php',
@ -7390,7 +7391,6 @@ phutil_register_library_map(array(
'PhabricatorApplicationTransactionInterface',
),
'PhabricatorAuthSSHKeyController' => 'PhabricatorAuthController',
'PhabricatorAuthSSHKeyDeactivateController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHKeyEditController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHKeyEditor' => 'PhabricatorApplicationTransactionEditor',
'PhabricatorAuthSSHKeyGenerateController' => 'PhabricatorAuthSSHKeyController',
@ -7398,12 +7398,14 @@ phutil_register_library_map(array(
'PhabricatorAuthSSHKeyPHIDType' => 'PhabricatorPHIDType',
'PhabricatorAuthSSHKeyQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
'PhabricatorAuthSSHKeyReplyHandler' => 'PhabricatorApplicationTransactionReplyHandler',
'PhabricatorAuthSSHKeyRevokeController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHKeySearchEngine' => 'PhabricatorApplicationSearchEngine',
'PhabricatorAuthSSHKeyTableView' => 'AphrontView',
'PhabricatorAuthSSHKeyTransaction' => 'PhabricatorApplicationTransaction',
'PhabricatorAuthSSHKeyTransactionQuery' => 'PhabricatorApplicationTransactionQuery',
'PhabricatorAuthSSHKeyViewController' => 'PhabricatorAuthSSHKeyController',
'PhabricatorAuthSSHPublicKey' => 'Phobject',
'PhabricatorAuthSSHRevoker' => 'PhabricatorAuthRevoker',
'PhabricatorAuthSession' => array(
'PhabricatorAuthDAO',
'PhabricatorPolicyInterface',

View file

@ -80,8 +80,8 @@ final class PhabricatorAuthApplication extends PhabricatorApplication {
'generate/' => 'PhabricatorAuthSSHKeyGenerateController',
'upload/' => 'PhabricatorAuthSSHKeyEditController',
'edit/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyEditController',
'deactivate/(?P<id>\d+)/'
=> 'PhabricatorAuthSSHKeyDeactivateController',
'revoke/(?P<id>\d+)/'
=> 'PhabricatorAuthSSHKeyRevokeController',
'view/(?P<id>\d+)/' => 'PhabricatorAuthSSHKeyViewController',
),
'password/' => 'PhabricatorAuthSetPasswordController',

View file

@ -1,6 +1,6 @@
<?php
final class PhabricatorAuthSSHKeyDeactivateController
final class PhabricatorAuthSSHKeyRevokeController
extends PhabricatorAuthSSHKeyController {
public function handleRequest(AphrontRequest $request) {
@ -46,14 +46,14 @@ final class PhabricatorAuthSSHKeyDeactivateController
$name = phutil_tag('strong', array(), $key->getName());
return $this->newDialog()
->setTitle(pht('Deactivate SSH Public Key'))
->setTitle(pht('Revoke SSH Public Key'))
->appendParagraph(
pht(
'The key "%s" will be permanently deactivated, and you will no '.
'The key "%s" will be permanently revoked, and you will no '.
'longer be able to use the corresponding private key to '.
'authenticate.',
$name))
->addSubmitButton(pht('Deactivate Public Key'))
->addSubmitButton(pht('Revoke Public Key'))
->addCancelButton($cancel_uri);
}

View file

@ -35,7 +35,7 @@ final class PhabricatorAuthSSHKeyViewController
if ($ssh_key->getIsActive()) {
$header->setStatus('fa-check', 'bluegrey', pht('Active'));
} else {
$header->setStatus('fa-ban', 'dark', pht('Deactivated'));
$header->setStatus('fa-ban', 'dark', pht('Revoked'));
}
$header->addActionLink(
@ -80,7 +80,7 @@ final class PhabricatorAuthSSHKeyViewController
$id = $ssh_key->getID();
$edit_uri = $this->getApplicationURI("sshkey/edit/{$id}/");
$deactivate_uri = $this->getApplicationURI("sshkey/deactivate/{$id}/");
$revoke_uri = $this->getApplicationURI("sshkey/revoke/{$id}/");
$curtain = $this->newCurtainView($ssh_key);
@ -95,8 +95,8 @@ final class PhabricatorAuthSSHKeyViewController
$curtain->addAction(
id(new PhabricatorActionView())
->setIcon('fa-times')
->setName(pht('Deactivate SSH Key'))
->setHref($deactivate_uri)
->setName(pht('Revoke SSH Key'))
->setHref($revoke_uri)
->setWorkflow(true)
->setDisabled(!$can_edit));

View file

@ -5,7 +5,7 @@ abstract class PhabricatorAuthRevoker
private $viewer;
abstract public function revokeAlLCredentials();
abstract public function revokeAllCredentials();
abstract public function revokeCredentialsFrom($object);
public function setViewer(PhabricatorUser $viewer) {

View file

@ -0,0 +1,52 @@
<?php
final class PhabricatorAuthSSHRevoker
extends PhabricatorAuthRevoker {
const REVOKERKEY = 'ssh';
public function revokeAllCredentials() {
$query = new PhabricatorAuthSSHKeyQuery();
return $this->revokeWithQuery($query);
}
public function revokeCredentialsFrom($object) {
$query = id(new PhabricatorAuthSSHKeyQuery())
->withObjectPHIDs(array($object->getPHID()));
return $this->revokeWithQuery($query);
}
private function revokeWithQuery(PhabricatorAuthSSHKeyQuery $query) {
$viewer = $this->getViewer();
// We're only going to revoke keys which have not already been revoked.
$ssh_keys = $query
->setViewer($viewer)
->withIsActive(true)
->execute();
$content_source = PhabricatorContentSource::newForSource(
PhabricatorDaemonContentSource::SOURCECONST);
$auth_phid = id(new PhabricatorAuthApplication())->getPHID();
foreach ($ssh_keys as $ssh_key) {
$xactions = array();
$xactions[] = $ssh_key->getApplicationTransactionTemplate()
->setTransactionType(PhabricatorAuthSSHKeyTransaction::TYPE_DEACTIVATE)
->setNewValue(1);
$editor = id(new PhabricatorAuthSSHKeyEditor())
->setActor($viewer)
->setActingAsPHID($auth_phid)
->setContinueOnNoEffect(true)
->setContinueOnMissingFields(true)
->setContentSource($content_source)
->applyTransactions($ssh_key, $xactions);
}
return count($ssh_keys);
}
}

View file

@ -139,7 +139,7 @@ final class PhabricatorAuthSSHKey
public function describeAutomaticCapability($capability) {
if (!$this->getIsACtive()) {
return pht(
'Deactivated SSH keys can not be edited or reactivated.');
'Revoked SSH keys can not be edited or reinstated.');
}
return pht(

View file

@ -43,11 +43,11 @@ final class PhabricatorAuthSSHKeyTransaction
case self::TYPE_DEACTIVATE:
if ($new) {
return pht(
'%s deactivated this key.',
'%s revoked this key.',
$this->renderHandleLink($author_phid));
} else {
return pht(
'%s activated this key.',
'%s reinstated this key.',
$this->renderHandleLink($author_phid));
}