1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-28 01:32:42 +01:00
Commit graph

11402 commits

Author SHA1 Message Date
epriestley
128995f1ac Document all the hypothetical URI features we plan to support soon
Summary: Ref T10748. Ref T10366. This documents how everything is planned to work shortly.

Test Plan: Read documentation.

Reviewers: chad

Reviewed By: chad

Subscribers: eadler, scode

Maniphest Tasks: T10366, T10748

Differential Revision: https://secure.phabricator.com/D15817
2016-04-29 09:24:10 -07:00
epriestley
c8711da5ff Add repository URI view pages and IO/Display edit logic
Summary:
Ref T10748.

  - New View page for repository URIs.
  - Make display and I/O behavior (observe, mirror, read, read/write) editable.
  - Add a bunch of checks to prevent you from completely screwing up a repository by making it writable from a bunch of differnet sources.

Test Plan:
{F1249866}

{F1249867}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15816
2016-04-29 09:22:16 -07:00
epriestley
616c9ae887 Rough sketch of new repository URI editing
Summary:
Ref T10748. Ref T10366. This adds a new EditEngine, EditController, Editor, Query, and Transaction for RepositoryURIs.

None of these really do anything helpful yet, and these URIs are still unused in the actual application.

Test Plan: {F1249794}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10366, T10748

Differential Revision: https://secure.phabricator.com/D15815
2016-04-29 09:21:00 -07:00
epriestley
0459e95242 Give users a modal VCS choice when creating a new repository
Summary:
Ref T10748. Allow the new EditEngine workflow to create repositories by giving the user a modal repository type choice upfront.

(The rest of this flow is still confusing/weird, though.)

Test Plan:
  - Created a new repository.

{F1249626}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15813
2016-04-29 09:20:31 -07:00
epriestley
311de580d6 Port "Actions" to new Repository UI
Summary: Ref T10748. This brings the "Actions" items (publish/notify + autoclose enabled) into the new UI.

Test Plan:
  - Edited this stuff via EditEngine and Conduit.
  - Viewed via new Manage UI.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15811
2016-04-27 17:35:36 -07:00
epriestley
4c66a92f92 Port Repository "Branches" to new UI
Summary: Ref T10748. Makes a "Branches" panel, enables these transactions in the EditEngine.

Test Plan:
  - Edited via EditEngine + Conduit.
  - Viewed via manage UI.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15809
2016-04-27 17:35:19 -07:00
epriestley
8f81930b5d Port Repository "Symbols" to Manage/Panel UI
Summary: Ref T10748. Port this, add EditEngine support, add some type validation to the transaction.

Test Plan:
  - Edited via EditEngine.
  - Edited via Conduit.
  - Viewed via Management UI.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15808
2016-04-27 17:35:03 -07:00
epriestley
fbc4967154 Improve cache behaviors for font files and other nonstandard resource types
Summary:
Ref T10843. There are actually two separate notions of cacheability here:

  - Is this cacheable by the browser (e.g., should we emit "Expires: long in the future")?
  - Is this cacheable locally (e.g., should we stick it in APC, or just read it off disk every time)?

These got a little mixed up by D15775, so we aren't currently emitting proper "Expires" headers on font files and a few other resource types.

Straighten this out so that we "Expires" these unusual resources correctly.

Test Plan: Verified that `.woff` files get a proper "Expires" header now, not just CSS/JS.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10843

Differential Revision: https://secure.phabricator.com/D15807
2016-04-27 07:48:40 -07:00
epriestley
63bbe6b129 Port "Allow Dangerous Changes" to new Manage UI
Summary: Ref T10748. Brings this forward in the UI and EditEngine.

Test Plan:
  - Edited via Conduit.
  - Viewed via Manage UI.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15805
2016-04-27 03:58:10 -07:00
epriestley
57a76d8a70 Port "Automation" panel to new Repository Manage UI
Summary: Ref T10748. Ports this UI and exposes it on the EditEngine.

Test Plan:
  - Edited via EditEngine.
  - Viewed new manage UI.

Reviewers: chad

Reviewed By: chad

Subscribers: hach-que

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15804
2016-04-27 03:57:07 -07:00
epriestley
467c4e84e5 Add an edge table to the search database
Summary:
Fixes T10778. This is a result of T10262: when we save a form configuration and adjust the policy, we try to scramble attached file secrets.

There aren't going to be any attached files, but there's also no edge table, so we fail.

We could skip this code, but we'll likely need an edge table here sooner or later so it's probably simpler in the long run to just add an empty one.

Test Plan:
   - Ran `bin/storage upgrade`, got a clean bill of health.
   - Saved a form configuration after making a policy edit, no more `edge` exception.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10778

Differential Revision: https://secure.phabricator.com/D15803
2016-04-26 11:26:26 -07:00
epriestley
dc3a13c5e8 Add bin/repository clusterize and document setup and migration for clusters
Summary: Ref T4292. This provides at least some sort of hint about how to set up cluster repositories.

Test Plan:
  - Read documentation.
  - Ran `bin/repository clusterize` to add + remove clusters.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15798
2016-04-26 10:07:17 -07:00
epriestley
8d9bc401e4 Improve Diffusion hosting setup instructions somewhat?
Summary:
Ref T10866. Fixes T10386. This attempts to make it a little more plausible to follow these directions:

  - Use simpler language in general.
  - Remove language suggesting that HTTP requires no additional configuration.
  - Suggest using a load balancer or an ugly port number instead of swapping SSH to a different port.
  - Be more granular about `sudo` setup.
  - Organize better?

Test Plan: Read documentation.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10386, T10866

Differential Revision: https://secure.phabricator.com/D15796
2016-04-26 10:06:59 -07:00
epriestley
3fda965288 When multiple web hosts are in service, don't require setup warnings to be dismissed on each one
Summary:
Fixes T10876. Currently, we can end up with a setup warning banner sticking on each web device, since the state is stored in local cache.

Instead:

  - When we actually run the setup checks, save the current state in the database.
  - Before we show a cached banner, make sure the database still says the checks are a problem.

This could lead to some inconsistencies if setup checks legitimately pass on some hosts but not on others. For example, if you have `git` installed on one machine but not on another, we may raise a setup warning ("No Git Binary!") about it on one host only.

For now, assume users have their operational environments in some sort of reasonable shape and can install the same stuff everywhere. In the future, we could split the issues into "global" and "per-host" issues if we run into problems with this.

Test Plan:
This is somewhat tricky to test locally since you really need multiple webservers to test it properly, but I:

  - Created some setup issues, saw banner.
  - Ignored/cleared them, saw banner go away.
  - Verified database cache writes were occurring properly.

Then I sort of faked it like this:

  - Created a setup issue.
  - Manually set the database cache value to `[]` ("no issues").
  - Reloaded page.
  - No more banner.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10876

Differential Revision: https://secure.phabricator.com/D15802
2016-04-26 10:03:45 -07:00
epriestley
8606fb588f Port "Staging Area" repository section to new management UI
Summary: Ref T10748. Brings this over and adds EditEngine support for it.

Test Plan: Viewed and edited staging area information.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15801
2016-04-26 08:11:53 -07:00
epriestley
8e4a7742eb Port local storage path to new repository Manage UI
Summary: Ref T10748. This merges "Storage" and "Cluster" into a single UI which combines the information of both.

Test Plan: {F1246882}

Reviewers: chad

Reviewed By: chad

Subscribers: hach-que

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15800
2016-04-26 07:59:22 -07:00
epriestley
0630fef9fc Prevent web queries from running for more than 30 seconds
Summary:
Ref T10849. This enforces a global 30-second per-query time limit for anything not coming from the CLI.

If we run into another issue with MySQL hanging in the future, this should prevent it from being nearly as bad as it was.

Test Plan:
  - Set value to 0, verified the UI threw an exception immediately.
  - Set value back to 30, browsed around a bunch of pages.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10849

Differential Revision: https://secure.phabricator.com/D15799
2016-04-26 07:59:09 -07:00
epriestley
2c870bad86 Document how to register cluster devices with Almanac
Summary:
Ref T4292. This is a required step in configuring a cluster: document and explain it.

Previously `bin/almanac register` could //also// add and trust keys. I've removed this capability since I think it's needless and complicated. If there's some real use for it eventually, we could add a `bin/almanac add-key` or whatever. The workflow is simpler and has better guard rails that point you in the correct direction now.

Test Plan:
  - Read documentation.
  - Ran `bin/almanac` with various good/bad flags.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15795
2016-04-25 14:58:58 -07:00
epriestley
550a82d438 Fix two minor formatting issues with bin/repository move-paths
Summary: This gets over-escaped instead of bolded right now, but I only ever hit it when exporting/importing and never both cleaning it up.

Test Plan: Ran `bin/repository move-paths`, saw bolded "Move" instead of ANSI escape sequences.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15797
2016-04-25 12:29:15 -07:00
epriestley
892a9a1f07 Make cluster repositories more resistant to freezing
Summary:
Ref T10860. This allows us to recover if the connection to the database is lost during a push.

If we lose the connection to the master database during a push, we would previously freeze the repository. This is very safe, but not very operator-friendly since you have to go manually unfreeze it.

We don't need to be quite this aggressive about freezing things. The repository state is still consistent after we've "upgraded" the lock by setting `isWriting = 1`, so we're actually fine even if we lost the global lock.

Instead of just freezing the repository immediately, sit there in a loop waiting for the master to come back up for a few minutes. If it recovers, we can release the lock and everything will be OK again.

Basically, the changes are:

  - If we can't release the lock at first, sit in a loop trying really hard to release it for a while.
  - Add a unique lock identifier so we can be certain we're only releasing //our// lock no matter what else is going on.
  - Do the version reads on the same connection holding the lock, so we can be sure we haven't lost the lock before we do that read.

Test Plan:
  - Added a `sleep(10)` after accepting the write but before releasing the lock so I could run `mysqld stop` and force this issue to occur.
  - Pushed like this:

```
$ echo D >> record && git commit -am D && git push
[master 707ecc3] D
 1 file changed, 1 insertion(+)
# Push received by "local001.phacility.net", forwarding to cluster host.
# Waiting up to 120 second(s) for a cluster write lock...
# Acquired write lock immediately.
# Waiting up to 120 second(s) for a cluster read lock on "local001.phacility.net"...
# Acquired read lock immediately.
# Device "local001.phacility.net" is already a cluster leader and does not need to be synchronized.
# Ready to receive on cluster host "local001.phacility.net".
Counting objects: 3, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 254 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
BEGIN SLEEP
```

  - Here, I stopped `mysqld` from the CLI in another terminal window.

```
END SLEEP
# CRITICAL. Failed to release cluster write lock!
# The connection to the master database was lost while receiving the write.
# This process will spend 300 more second(s) attempting to recover, then give up.
```

  - Here, I started `mysqld` again.

```
# RECOVERED. Link to master database was restored.
# Released cluster write lock.
To ssh://local@localvault.phacility.com/diffusion/26/locktopia.git
   2cbf87c..707ecc3  master -> master
```

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10860

Differential Revision: https://secure.phabricator.com/D15792
2016-04-25 11:37:31 -07:00
epriestley
d0b5dac36b Make cluster repositories more chatty
Summary:
Ref T10860. At least in Git over SSH, we can freely echo a bunch of stuff to stderr and Git will print it to the console, so we can tell users what's going on.

This should make debugging, etc., easier. We could tone this down a little bit once things are more stable if it's a little too chatty.

Test Plan:
```
$ echo D >> record && git commit -am D && git push
[master ca5efff] D
 1 file changed, 1 insertion(+)
# Push received by "local001.phacility.net", forwarding to cluster host.
# Waiting up to 120 second(s) for a cluster write lock...
# Acquired write lock immediately.
# Waiting up to 120 second(s) for a cluster read lock on "local001.phacility.net"...
# Acquired read lock immediately.
# Device "local001.phacility.net" is already a cluster leader and does not need to be synchronized.
# Ready to receive on cluster host "local001.phacility.net".
Counting objects: 3, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 256 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
To ssh://local@localvault.phacility.com/diffusion/26/locktopia.git
   8616189..ca5efff  master -> master
```

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10860

Differential Revision: https://secure.phabricator.com/D15791
2016-04-25 11:20:57 -07:00
epriestley
dc75b4bd06 Move all cluster locking logic to a separate class
Summary: Ref T10860. This doesn't change anything, it just separates all this stuff out of `PhabricatorRepository` since I'm planning to add a bit more state to it and it's already pretty big and fairly separable.

Test Plan: Pulled, pushed, browsed Diffusion.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10860

Differential Revision: https://secure.phabricator.com/D15790
2016-04-25 11:20:29 -07:00
epriestley
1c0980a26a Fix two issues with Remarkup in Pholio
Summary:
Fixes T10865.

  - Mock descriptions did not markup.
  - Image descriptions did not get a proper container `<div />`.

Test Plan:
  - Created a mock with remarkup in the mock description and in an image description.
  - Viewed mock detail.
  - Saw list styles render properly in both mock description and image description.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10865

Differential Revision: https://secure.phabricator.com/D15793
2016-04-25 08:16:23 -07:00
epriestley
623ed1f434 Include directory-ownership note in sshd setup instructions
Summary: Fixes T9560. We suggest a root-owned location, but users who choose their own location instead can run into trouble.

Test Plan:
  - Changed parent directory to have an non-root owner, verified that `ssh` no longer worked.
  - Changed parent directory back to a root owner, verified `ssh` worked again.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9560

Differential Revision: https://secure.phabricator.com/D15794
2016-04-25 08:16:14 -07:00
epriestley
aa9395e38f Fix bad variable causing aphlict to fail to start with no "logs" config
Summary: Fixes T10863. See that task for discussion.

Test Plan:
  - Configured `aphlict` with no "logs".
  - Started `aphlict`.
    - Before change: exception.
    - After change: worked.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10863

Differential Revision: https://secure.phabricator.com/D15788
2016-04-24 11:20:42 -07:00
epriestley
9d0891c7e1 Correct Aphlict documentation for Nginx proxying
Summary: Fixes T10857. This documentation did not accurately reflect proper configuration: in the Aphlict config, SSL is inferred from the presence of `ssl.*` configuration.

Test Plan: Read documentation.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10857

Differential Revision: https://secure.phabricator.com/D15787
2016-04-24 06:31:58 -07:00
epriestley
00885edc47 Don't try to synchronize repositories with no working copy
Summary:
Ref T4292. Sometimes, we may not have a working copy for a repository. The easiest way to get into this condition is to deactivate a repository.

We could try to clone + fetch in this case, but that's kind of complex, and there's an easy command that administrators can run manually. For now, just tell them to do that.

This affects the inactive repositories on `secure`, like rGITCOINS.

Test Plan: Removed working copy, got message.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15786
2016-04-22 08:12:19 -07:00
epriestley
ab20f243b3 Improve consistency of file access policies, particularly for LFS
Summary:
Ref T7789. Currently, we use different viewers if you have `security.alternate-file-domain` configured vs if you do not.

This is largely residual from the days of one-time-tokens, and can cause messy configuration-dependent bugs like the one in T7789#172057.

Instead, always use the omnipotent viewer. Knowledge of the secret key alone is sufficient to access a file.

Test Plan:
  - Disabled `security.alternate-file-domain`.
  - Reproduced an issue similar to the one described on T7789.
  - Applied change.
  - Clean LFS interaction.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7789

Differential Revision: https://secure.phabricator.com/D15784
2016-04-22 08:12:08 -07:00
epriestley
711f13660e Synchronize working copies before doing a "bypassCache" commit read
Summary:
Ref T4292. When the daemons make a query for repository information, we need to make sure the working copy on disk is up to date before we serve the response, since we might not have the inforamtion we need to respond otherwise.

We do this automatically for almost all Diffusion methods, but this particular method is a little unusual and does not get this check for free. Add this check.

Test Plan:
  - Made this code throw.
  - Ran `bin/repository reparse --message ...`, saw the code get hit.
  - Ran `bin/repository lookup-user ...`, saw this code get hit.
  - Made this code not throw.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15783
2016-04-22 08:11:43 -07:00
epriestley
0f0105e783 Send the aphlict process log to the node log
Summary: I've possibly seen a couple of `aphlict` processes exit under suspicious circumstances (maybe?). Make sure any PHP errors get captured into the log.

Test Plan:
  - Added an exception after forking.
  - Before change: vanished into thin air.
  - After change: visible in the log.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15782
2016-04-21 17:50:47 -07:00
epriestley
43935d5916 Don't cache resources we can't generate properly
Summary:
Fixes T10843. In a multi-server setup, we can do this:

  - Two servers, A and B.
  - You push an update.
  - A gets pushed first.
  - After A has been pushed, but before B has been pushed, a user loads a page from A.
  - It generates resource URIs like `/stuff/new/package.css`.
  - Those requests hit B.
  - B doesn't have the new resources yet.
  - It responds with old resources.
  - Your CDN caches things. You now have a poisoned CDN: old data is saved in a new URL.

To try to avoid this with as little work as possible and generally make it hard to get wrong, check the URL hash against the hash we would generate.

If they don't match, serve our best guess at the resource, but don't cache it. This should make things mostly keep working during the push, but prevent caches from becoming poisoned, and everyone should get a working version of everything after the push finishes.

Test Plan:
  - `curl`'d a resource, got a cacheable one.
  - Changed the hash a little, `curl`'d again. This time: valid resource, but not cacheable.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10843

Differential Revision: https://secure.phabricator.com/D15775
2016-04-21 11:56:54 -07:00
epriestley
9656fe48bc Add a "Repository Servers" cluster administration panel
Summary: Ref T4292. This adds a new high-level overview panel.

Test Plan: {F1238854}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15772
2016-04-21 11:56:44 -07:00
lkassianik
bd8969a23c Calendar event list items 'Attending:' field should only show users who have confirmed attendance
Summary: Fixes T8897

Test Plan: Open any list view of Calendar events, every event should only show "Attending: ..." with users who are attending event.

Reviewers: chad, epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T8897

Differential Revision: https://secure.phabricator.com/D15779
2016-04-21 11:06:49 -07:00
epriestley
fb2b88a4a8 Fix Phriction link syntax a little more
Summary: This still wasn't quite right -- a link like `[[ Porcupine Facts ]]` with a space would not lookup correctly, and would render as `porcupine_facts`.

Test Plan: Verified that `[[ Porcupine Facts ]]` now works correctly.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15780
2016-04-21 10:29:08 -07:00
epriestley
c986caebb2 Put all cluster docs in the right documentation group
Summary: Some of these had the wrong `@group` header.

Test Plan: `grep`

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15778
2016-04-20 20:38:08 -07:00
epriestley
34c488e165 Normalize Phriction links when looking them up in remarkup
Summary: Fixes T10845.

Test Plan: Verified that `[[ quack ]]` and `[[ QUACK ]]` both work. Previously, the link had to exactly match the capitalization of the target.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10845

Differential Revision: https://secure.phabricator.com/D15777
2016-04-20 19:07:01 -07:00
Joshua Spence
93e341fbda Fix ./bin/aphlict status
Summary: Fixes T10844. After recent changes to Aphlict (T6915 and T10697), `./bin/status` needs to be aware of the configuration file. As such, it is now necessary to run `./bin/aphlict status --config /path/to/config.json` rather than `./bin/aphlict status`.

Test Plan: Ran `./bin/aphlict start ...` and `./bin/aphlict status` and saw "Aphlict (`$PID`) is running".

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T10844

Differential Revision: https://secure.phabricator.com/D15776
2016-04-21 09:40:32 +10:00
epriestley
9419e4f13a Reduce strength of Herald and user subscription stories
Summary:
Fixes T8952. When Herald changes subscribers, it is zzzzz very boring.

When users change subscribers, it is still super boring (more boring than a merge, for example).

Test Plan: Viewed feed, saw fewer Herald stories.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T8952

Differential Revision: https://secure.phabricator.com/D15774
2016-04-20 14:40:49 -07:00
epriestley
df8c3c4fa5 Give application actors in feed reasonable icons
Summary:
Ref T8952. Currently, when an application (most commonly Herald, but sometimes Drydock, Diffusion, etc) publishes a feed story, we get an empty grey box for it in feed.

Instead, give the story a little application icon kind of "profile picture"-like thing.

Test Plan:
Here's how it looks:

{F1239003}

Feel free to tweak/counter-diff.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T8952

Differential Revision: https://secure.phabricator.com/D15773
2016-04-20 14:38:55 -07:00
epriestley
3b154a34c7 Use less hip lingo
Summary: Woah man.

Test Plan: spellcheck

Reviewers: chad, eadler

Reviewed By: chad, eadler

Differential Revision: https://secure.phabricator.com/D15771
2016-04-20 10:59:36 -07:00
epriestley
bd4fb3c9fa Implement bin/repository thaw for unfreezing cluster repositories
Summary:
Ref T10751. Add support tooling for manually prying your way out of trouble if disaster strikes.

Refine documentation, try to refer to devices as "devices" more consistently instead of sometimes calling them "nodes".

Test Plan: Promoted and demoted repository devices with `bin/repository thaw`.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10751

Differential Revision: https://secure.phabricator.com/D15768
2016-04-20 10:45:58 -07:00
epriestley
11aa902bd1 Show "Last Writer" and "Last Write At" in the UI, add more documentation
Summary:
Ref T10751. Make the UI more useful and explain what failure states mean and how to get out of them.

The `bin/repository thaw` command does not exist yet, I'll write that soon.

Test Plan: {F1238241}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10751

Differential Revision: https://secure.phabricator.com/D15766
2016-04-20 10:45:03 -07:00
lkassianik
d9275da2d4 Better wording for cancelling/reinstating recurring events
Summary: Fixes T10744

Test Plan: Create recurring event, cancel one instance, cancel the parent event, reinstate event. Wording in the reinstating dialog should be clear about reinstating only instances that haven't been individually cancelled.

Reviewers: chad, epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T10744

Differential Revision: https://secure.phabricator.com/D15770
2016-04-20 10:10:59 -07:00
epriestley
7f15e8fbe8 Formally deprecate owners.query Conduit API method
Summary: This is completely obsoleted by `owners.search`. See D15472.

Test Plan: Viewed API method in UI console.

Reviewers: avivey, chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15769
2016-04-20 09:04:45 -07:00
epriestley
11f8fffe5b Fix Phriction document linking in mail bodies
Summary:
Fixes T10840. When rendering mail, this rule wasn't falling through in quite the right way.

Also adjust where the rules are for this so the special styles show up in Maniphest, etc.

Test Plan:
Made this comment:

{F1238266}

Which produced this HTML:

{F1238267}

...and sent this mail:

{F1238283}

Reviewers: hach-que, chad

Reviewed By: chad

Maniphest Tasks: T10840

Differential Revision: https://secure.phabricator.com/D15767
2016-04-20 06:55:00 -07:00
epriestley
b9cf9e6f0d Fix an issue with PHID/handle management in push logs
Summary: Ref T10751. This cleans this up so it's a little more modern, and fixes a possible bad access on the log detail page.

Test Plan: Viewed push log list, viewed push log detail.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10751

Differential Revision: https://secure.phabricator.com/D15765
2016-04-20 04:47:10 -07:00
epriestley
48b015a3fa Add slightly more cluster repository documentation
Summary: Ref T10751. There are still some missing support tools here, but explain some of this a little better.

Test Plan: Read documentation.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10751

Differential Revision: https://secure.phabricator.com/D15764
2016-04-20 04:46:40 -07:00
epriestley
bab3690b54 Fill in missing cluster database documentation
Summary:
Ref T10751. Provide some guidance on replicas and promotion.

I'm not trying to walk administrators through the gritty details of this. It's not too complex, they should understand it, and the MySQL documentation is pretty thorough.

Test Plan: Read documentation.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10751

Differential Revision: https://secure.phabricator.com/D15763
2016-04-20 04:46:25 -07:00
Aviv Eyal
1344dda756 Parse Tags in commits message for revisions
Summary: This will stop breaking if you have subscribers and tags when updating a revision (`Error parsing field "Subscribers": The objects you have listed include objects which do not exist (Tags:)`), which I broke in D15749.

Test Plan: run through arc-diff --update that failed earlier.

Reviewers: chad, #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15762
2016-04-20 01:46:17 +00:00
epriestley
287e761f19 Make repository synchronization safer when leaders are ambiguous
Summary:
Ref T4292. Right now, repository versions only get marked when a write happens.

This potentially creates a problem: if I pushed all the sync code to `secure` and enabled `secure002` as a repository host, the daemons would create empty copies of all the repositories on that host.

Usually, this would be fine. Most repositories have already received a write on `secure001`, so that working copy has a verison and is a leader.

However, when a write happened to a rarely-used repository (say, rKEYSTORE) that hadn't received any write recently, it might be sent to `secure002` randomly. Now, we'd try to figure out if `secure002` has the most up-to-date copy of the repository or not.

We wouldn't be able to, since we don't have any information about which node has the data on it, since we never got a write before. The old code could guess wrong and decide that `secure002` is a leader, then accept the write. Since this would bump the version on `secure002`, that would //make// it an authoritative leader, and `secure001` would synchronize from it passively (or on the next read or write), which would potentially destroy data.

Instead:

  - Refuse to continue in situations like this.
  - When a repository is on exactly one device, mark it as a leader with version "0".
  - When a repository is created into a cluster service, mark its version as "0" on all devices (they're all leaders, since the repository is empty).

This should mean that we won't lose data no matter how much weird stuff we run into.

Test Plan:
  - In single-node mode, used `repository update` to verify that `0` was written properly.
  - With multiple nodes, used `repository update` to verify that we refuse to continue.
  - Created a new repository, verified versions were initialized correctly.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15761
2016-04-19 13:07:02 -07:00
epriestley
6edf181a7e Record which cluster host received a push
Summary: Ref T4292. When we write a push log, also log which node received the request.

Test Plan: {F1230467}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15759
2016-04-19 13:06:30 -07:00
epriestley
d87c500002 Synchronize (hosted, clustered, Git) repositories over Conduit + HTTP
Summary:
Ref T4292. We currently synchronize hosted, clustered, Git repositories when we receive an SSH pull or push.

Additionally:

  - Synchronize before HTTP reads and writes.
  - Synchronize reads before Conduit requests.

We could relax Conduit eventually and allow Diffusion to say "it's OK to give me stale data".

We could also redirect some set of these actions to just go to the up-to-date host instead of connecting to a random host and synchronizing it. However, this potentially won't work as well at scale: if you have a larger number of servers, it sends all of the traffic to the leader immediately following a write. That can cause "thundering herd" issues, and isn't efficient if replicas are in different geographical regions and the write just went to the east coast but most clients are on the west coast. In large-scale cases, it's better to go to the local replica, wait for an update, then serve traffic from it -- particularly given that writes are relatively rare. But we can finesse this later once things are solid.

Test Plan:
  - Pushed and pulled a Git repository over HTTP.
  - Browsed a Git repository from the web UI.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15758
2016-04-19 13:05:45 -07:00
epriestley
31bc023eff Synchronize (hosted, git, clustered, SSH) repositories prior to reads
Summary:
Ref T4292. Before we write or read a hosted, clustered Git repository over SSH, check if another version of the repository exists on another node that is more up-to-date.

If such a version does exist, fetch that version first. This allows reads and writes of any node to always act on the most up-to-date code.

Test Plan: Faked my way through this and got a fetch via `bin/repository update`; this is difficult to test locally and needs more work before we can put it in production.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15757
2016-04-19 13:05:17 -07:00
epriestley
c70f4815a9 Allow cluster devices to SSH to one another without acting as a user
Summary:
Ref T4292. When you run `git fetch` and connect to, say, `repo001.west.company.com`, we'll look at the current version of the repository in other nodes in the cluster.

If `repo002.east.company.com` has a newer version of the repository, we'll fetch that version first, then respond to your request.

To do this, we need to run `git fetch repo002.east.company.com ...` and have that connect to the other host and be able to fetch data.

This change allows us to run `PHABRICATOR_AS_DEVICE=1 git fetch ...` to use device credentials to do this fetch. (Device credentials are already supported and used, they just always connect as a user right now, but these fetches should be doable without having a user. We will have a valid user when you run `git fetch` yourself, but we won't have one if the daemons notice that a repository is out of date and want to update it, so the update code should not depend on having a user.)

Test Plan:
```
$ PHABRICATOR_AS_DEVICE=1 ./bin/ssh-connect local.phacility.com
Warning: Permanently added 'local.phacility.com' (RSA) to the list of known hosts.
PTY allocation request failed on channel 0
phabricator-ssh-exec: Welcome to Phabricator.

You are logged in as device/daemon.phacility.net.

You haven't specified a command to run. This means you're requesting an interactive shell, but Phabricator does not provide an interactive shell over SSH.

Usually, you should run a command like `git clone` or `hg push` rather than connecting directly with SSH.

Supported commands are: conduit, git-lfs-authenticate, git-receive-pack, git-upload-pack, hg, svnserve.
Connection to local.phacility.com closed.
```

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15755
2016-04-19 13:04:41 -07:00
epriestley
0db6eaca41 Consolidate handling of SSH usernames
Summary:
Ref T4292. This consolidates code for figuring out which user we should connect to hosts with.

Also narrows a lock window.

Test Plan: Browsed Diffusion, pulled and pushed through an SSH proxy.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15754
2016-04-19 13:04:04 -07:00
Eitan Adler
c9daa2b0ad Consistently refer to 'Projects' as 'Tags'
Summary:
In calendar, dashboard, diffusion, diviner, feed, fund,
maniphest, pholio, ponder, and slowvote use the term 'tags' if possible.

This intenctionally skips diffusion, differential, and the projects application itself.

Ref T10326 Ref T10349

Test Plan: inspection on a running, locally modified, system

Reviewers: avivey, epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T10835, T10326, T10349

Differential Revision: https://secure.phabricator.com/D15753
2016-04-19 16:48:21 +00:00
epriestley
c30fe65ee9 Remove the warning about the Git 2GB pathname issue
Summary:
Ref T10832. In practice, `git --version` is not a useful test for this issue:

  - Vendors like Debian have backported the patch into custom versions like `0.0.0.1-debian-lots-of-patches.3232`.
  - Vendors like Ubuntu distribute multiple different versions which report the same string from `git --version`, some of which are patched and some of which are not.

In other cases, we can perform an empirical test for the vulnerability. Here, we can not, because we can't write a 2GB path in a reasonable amount of time.

Since vendors (other than Apple) //generally// seem to be on top of this and any warning we try to raise based on `git --version` will frequently be incorrect, don't raise this warning.

I'll note this in the changelog instead.

Test Plan: Looked at setup issues, no more warning for vulnerable git version.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10832

Differential Revision: https://secure.phabricator.com/D15756
2016-04-19 07:01:45 -07:00
epriestley
575c01373e Extract repository command construction from Repositories
Summary:
Ref T4292. Ref T10366. Depends on D15751. Today, generating repository commands is purely a function of the repository, so they use protocols and credentials based on the repository configuration.

For example, a repository with an SSH "remote URI" always generate SSH "remote commands".

This needs to change in the future:

  - After T10366, repositories won't necessarily just have one type of remote URI. They can only have one at a time still, but the repository itself won't change based on which one is currently active.
  - For T4292, I need to generate intracluster commands, regardless of repository configuration. These will have different protocols and credentials.

Prepare for these cases by separating out command construction, so they'll be able to generate commands in a more flexible way.

Test Plan:
  - Added unit tests.
  - Browsed diffusion.
  - Ran `bin/phd debug pull` to pull a bunch of repos.
  - Ran daemons.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292, T10366

Differential Revision: https://secure.phabricator.com/D15752
2016-04-19 04:51:48 -07:00
Aviv Eyal
a3bb35e9d2 make Trigger Daemon sleep correctly when one-time triggers exist
Summary:
Trigger daemon is trying to find the next event to invoke before sleeping, but the query includes already-elapsed triggers.
It then tries to sleep for 0 seconds.

Test Plan:
On a new instance, schedule a single trigger of type `PhabricatorOneTimeTriggerClock` to a very near time.

Use top to see trigger daemon not going to 100% CPU once the event has elapsed.

Reviewers: #blessed_reviewers, epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15750
2016-04-18 14:17:10 -07:00
Aviv Eyal
091a64e91b Rename Differential field Projects to Tags
Summary: Users can't find the "Tags" field in the Edit Menu; Added keyword "Tag".

Test Plan: Looked in Edit page; I think this shouldn't change anything else?

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15749
2016-04-18 19:33:40 +00:00
epriestley
f424f9f2d2 Record more details about where a write is taking place while holding a cluster lock
Summary: Ref T4292. This will let the UI and future `bin/repository` tools give administrators more tools to understand problems when reporting or resolving them.

Test Plan:
  - Pushed fully clean repository.
  - Pushed previously-pushed repository.
  - Forced write to abort, inspected useful information in the database.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15748
2016-04-18 11:55:27 -07:00
epriestley
368d2d1ddb Improve robustness of cluster version bookkeeping
Summary:
Ref T4292. Small fixes:

  - There was a bug with the //first// write, where we'd write 1 but expect 0. Fix this.
  - Narrow the window where we hold the `isWriting` lock: we don't need to wait for the client to finish.
  - Release the lock even if something throws.
  - Use a more useful variable name.

Test Plan:
  - Made new writes to a fresh cluster repository.
  - Made sequential writes.
  - Made concurrent writes.
  - Made good writes and bad writes.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15747
2016-04-18 11:54:59 -07:00
epriestley
595f203816 Correct RepositoryURI schema and propagate adjust exit code correctly
Summary:
Fixes T10830.

  - The return code from `storage adjust` did not propagate correct.
  - There was one column issue which I missed the first time around because I had a bunch of unrelated stuff locally.

Test Plan:
  - Ran `bin/storage upgrade -f` with failures, used `echo $?` to make sure it exited nonzero.
  - Got fully clean `bin/storage adjust` by dropping all my extra local tables.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10830

Differential Revision: https://secure.phabricator.com/D15746
2016-04-18 08:11:22 -07:00
epriestley
d844e51127 Warn users about remote code execution in older Git
Summary: Ref T10832. Raise a setup warning for out-of-date versions of `git`.

Test Plan: {F1224632}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10832

Differential Revision: https://secure.phabricator.com/D15745
2016-04-18 07:54:13 -07:00
epriestley
9352ed8abb Add missing RepositoryURI table + run storage adjustments in tests
Summary:
Fixes T10830. Ref T10366. I wasn't writing to this table yet so I didn't build it, but the fact that `bin/storage adjust` would complain slipped my mind.

  - Add the table.
  - Make the tests run `adjust`. This is a little slow (a few extra seconds) but we could eventually move some steps like this to run server-side only.

Test Plan: Ran `bin/storage upgrade -f`, got a clean `adjust`.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10366, T10830

Differential Revision: https://secure.phabricator.com/D15744
2016-04-18 07:54:02 -07:00
epriestley
fbfe730452 Support more transactions types in RepositoryEditEngine
Summary:
Ref T10748. This supports more transaction types in the modern editor and improves validation so Conduit benefits.

You can technically create repositories via `diffusion.repository.edit` now, although they aren't very useful.

Test Plan:
  - Used `diffusion.repository.edit` to create and edit repositories.
  - Used `/editpro/` to edit repositories.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15740
2016-04-17 16:27:02 -07:00
epriestley
92c50de8aa Rough in the new custom URI panel
Summary: Ref T10748. Ref T10366. No support for editing and no impact on the UI, but get some of the basics in place.

Test Plan: {F1223279}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10366, T10748

Differential Revision: https://secure.phabricator.com/D15742
2016-04-17 16:03:24 -07:00
epriestley
51838f990f Copy repository status to a management panel
Summary: Ref T10748. Pretty straightforward. I'd like to put a little "!" icon in the menu if there's a warning/error eventually, but can deal with that latre.

Test Plan: {F1223096}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15741
2016-04-17 16:03:03 -07:00
epriestley
e582e9172b Rough in basics + policies + history repository management panels
Summary:
Ref T10748. This is roughly where I'm headed, if it makes some kind of sense? The "Edit" links in sub-sections don't work yet since I haven't built the thing.

Probably depends on D15736.

Test Plan: Manually navigated to `/manage/`, clicked around.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10748

Differential Revision: https://secure.phabricator.com/D15737
2016-04-17 16:02:35 -07:00
epriestley
adf42db5ea Trivially implement RepositoryEditEngine and API methods
Summary: Ref T10748. Ref T10337. This technically implements this stuff, but it does not do anything useful yet. This skips all the hard stuff.

Test Plan:
  - Technically used `diffusion.repository.search` to get repository information.
  - Technically used `diffusion.repository.edit` to change a repository name.
  - Used `editpro/` to edit a repository name.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10337, T10748

Differential Revision: https://secure.phabricator.com/D15736
2016-04-17 16:02:13 -07:00
epriestley
eef2172161 When a user tries to regsiter while logged in, just send them home
Summary: This error message is pointless and dead-ends logged-in users needlessly if they're sent to the register page by documentation or Advanced Enterprise Sales Funnels.

Test Plan: Visited `/auth/register/` while logged in, was sent home.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15739
2016-04-16 19:15:15 -07:00
epriestley
025b243e27 Document wiki relative link syntax
Summary: Also make `../` work to start relative a link so I don't have to document it as `./../path`.

Test Plan:
  - Used `./`, `../`. `./../`, and normal links (proper title pickup).
  - Used bad links (red).
  - Regenerated documentation:

{F1221692}

Reviewers: hach-que

Reviewed By: hach-que

Differential Revision: https://secure.phabricator.com/D15734
2016-04-16 18:54:55 -07:00
Austin Seipp
b2d2f03dea Tell users to avoid magical CloudFlare nonsense in the CDN documentation
Summary:
Fixes T9716. Doesn't go into too much detail, but will hopefully
save some pain.

Test Plan: Read all the wonderful text.

Reviewers: #blessed_committers, epriestley, #blessed_reviewers

Reviewed By: #blessed_committers, epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T9716

Differential Revision: https://secure.phabricator.com/D15738
2016-04-17 01:50:26 +00:00
June Rhodes
27227b8010 Show missing Phriction documents as red links, invisible documents with a lock
Summary: Ref T7691 (errata).  This shows links to Phriction documents in red if they're missing, and links to Phriction documents in grey with a lock icon if the user doesn't have the correct permissions to see the document.

Test Plan:
Tested a bunch of different configurations:

```
[[ ./../ ]] Back to Main Document
[[ ./../subdocument_2]] Mmmm more documents
[[ ./../invisible_document]] Mmmm more documents

[[ ./../ | Explicit Title ]] Back to Main Document
[[ ./../subdocument_2 | Explicit Title ]] Mmmm more documents
[[ ./../invisible_document | Explicit Title ]] Mmmm more documents

[[ ]] Absolute link
[[ subdocument_2 ]] Absolute link
[[ invisible_document ]] Absolute link

[[ | Explicit Title ]] Absolute link
[[ subdocument_2 | Explicit Title ]] Absolute link
[[ invisible_document | Explicit Title ]] Absolute link
```

Got the expected result:

{F1221106}

Reviewers: epriestley, chad, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T7691

Differential Revision: https://secure.phabricator.com/D15733
2016-04-17 01:49:54 +00:00
June Rhodes
dd1023e5a8 Support relative links in Phriction
Summary:
Resolves T7691.  This turned out more complex than I really wanted, mainly because I needed to feed the slug information through to both the document renderer and the preview window that appears in the edit controller.

After this change, you can now create relative links in Phriction by doing `[[ ./../some/relative/path ]]`.  Relative paths aren't handled anywhere else (they'll still render, but the dots are turned into a literal 'dot' as per existing behaviour).

Test Plan: Created some Phriction documents with relative links, saw them all link correctly.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin

Maniphest Tasks: T7691

Differential Revision: https://secure.phabricator.com/D15732
2016-04-16 03:15:01 +00:00
epriestley
d96b6506d7 Disable repository read/write synchronization for now
Summary:
This nearly works but I didn't have time to get back to it and it isn't stable enough to turn on in the cluster yet.

We have enough other stuff going out this week, so just disable it before `stable` gets cut. Should be ready by next week if things go well.

Test Plan: Fetched a Git SSH repo locally.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15731
2016-04-15 15:39:36 -07:00
epriestley
b2db1ec2ca Make bin/aphlict stop read new config properly
Summary: Ref T10697. I missed this so it isn't reading the new config properly.

Test Plan: Ran `bin/aphlict stop`, saw it read config.

Reviewers: chad, Mnkras

Reviewed By: Mnkras

Subscribers: Mnkras

Maniphest Tasks: T10697

Differential Revision: https://secure.phabricator.com/D15729
2016-04-15 15:15:03 -07:00
epriestley
fe40be7fc9 Allow users to be banished from Conpherence rooms
Summary: Fixes T9348. If you have edit permission, you can kick people out of a room.

Test Plan:
  - Kicked people out of a room.
  - As an unprivileged user, wasn't able to kick people out of a room.
  - Hit most (all?) of the various weird dialog sub-cases.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9348

Differential Revision: https://secure.phabricator.com/D15728
2016-04-15 14:57:29 -07:00
epriestley
f146f4577e Fail explicitly instead of continuing with a warning if "phd.user" is misconfigured
Summary: Fixes T6806. We haven't seen users having issues with `phd.user` in a very long time.

Test Plan:
  - Configured daemons to run as `notepriestley`, got a well-explained exception.
  - Configured daemons to run as `epriestley`, got a clean start.
  - Configured daemons with `phd.user=null`, got a clean start.

Reviewers: chad, areitz

Reviewed By: areitz

Subscribers: areitz

Maniphest Tasks: T6806

Differential Revision: https://secure.phabricator.com/D15726
2016-04-15 14:09:13 -07:00
epriestley
d9dd4d427d Improve daemon console for daemons on multiple hosts
Summary:
Ref T10756. This:

  - Fixes T7307. This UI is now admin-only.
  - Makes the main "running daemons" table more useful for multi-host setups (show where daemons are running).
  - Removes logs from the web UI: these are sometimes vaguely sensitive and shouldn't be visible. The UI tells you how to get them with `bin/phd log`.
  - Minor modernization.

Test Plan:
  - As a non-admin, viewed daemons (access error) and bulk jobs (worked great).
  - Browsed bulk job pages.
  - Ran a bulk job.
  - Viewed daemon console.
  - Viewed task detail / daemon detail / daemon list pages.

{F1220516}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7307, T10756

Differential Revision: https://secure.phabricator.com/D15724
2016-04-15 12:19:58 -07:00
lkassianik
7b27653f57 Fixing UI Example that use badge qualities
Summary: Fixes T10706

Test Plan: Open UI Example of badges. Shouldn't be broken

Reviewers: epriestley, #blessed_reviewers, chad

Reviewed By: #blessed_reviewers, chad

Subscribers: Korvin

Maniphest Tasks: T10706

Differential Revision: https://secure.phabricator.com/D15723
2016-04-15 11:05:45 -07:00
epriestley
cd8491ae93 Fix "daemons running as wrong user" setup issue
Summary:
Fixes T9385. This was accidentally mangled a bit a long time ago by D12797, which was a 1,000-file change which got almost everything right.

Simplify the message and fix all the `%s` conversions and how they map to parameters.

Test Plan: {F1220400}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9385

Differential Revision: https://secure.phabricator.com/D15722
2016-04-15 10:03:15 -07:00
epriestley
20bad9a4ba Reset umask to 022 for all Phabricator processes
Summary:
Fixes T7475. If you do something like:

  $ umask 123
  $ ./bin/phd start

...the daemons might inherit the weird umask, do a `git fetch` with the weird umask, and end up creating files with weird permissions in repositories.

Instead, just normalize the umask to 022 in all cases. This is overwhelmingly the most common setting, and the one we assume things are configured with.

(When we want to force permissions to a certain setting, we do so explicitly.)

Test Plan:
  - Added `var_dump(umask())` to observe umask.
  - Ran `bin/phd`, saw proper umask (`18`, which is decimal of `022` octal).
  - Set `umask 123`, then ran `bin/phd`, saw it correct properly again.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7475

Differential Revision: https://secure.phabricator.com/D15721
2016-04-15 10:03:01 -07:00
Povilas Balzaravicius Pawka
f05c3e41b9 Fixed localcommits include on getDiffDict
Summary: Ref T10808

Test Plan: Call `differential.querydiffs` method and expect 'local:commits' property be added to the result.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T10808

Differential Revision: https://secure.phabricator.com/D15710
2016-04-15 18:06:32 +03:00
lkassianik
899856a1d4 Links on badge card should be accessible
Summary: Ref T10710

Test Plan: Open user profile with badge, flip badge card, open awarder link.

Reviewers: epriestley, chad, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: chad, Korvin

Maniphest Tasks: T10710

Differential Revision: https://secure.phabricator.com/D15699
2016-04-15 07:55:31 -07:00
epriestley
686c02d54a Add a "memory.hint" parameter to Aphlict
Summary:
Ref T10696. By default, `node` uses 1.5GB, which is enormous overkill for this service and can crowd out other services if it's running next to things like a database on the same host.

Provide a configuration option to adjust it via `--max-old-space-size` and default to 256MB. It only seems to need about 30M locally, so this should be plenty of headroom.

Test Plan:
Ran `bin/aphlict debug`, things seemed OK.

It takes a long time (days?) to grow to 1.5GB so I can't easily test this locally without a lot of work, but I'll keep an eye on it in production.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10696

Differential Revision: https://secure.phabricator.com/D15720
2016-04-15 07:14:45 -07:00
epriestley
0534002894 Add coverage tooltips in Diffusion file browse mode
Summary: Fixes T10816. The way these work is a little unusual since these chunks of file-rendering code are unusuall performance-sensitive, so the Differential version doesn't adapt directly to Diffusion. Both can possibly be unified at some point in the future, although they do slightly different things.

Test Plan: {F1220170}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10816

Differential Revision: https://secure.phabricator.com/D15719
2016-04-15 06:59:38 -07:00
epriestley
fad9e043c3 Fix bad cluster.database in documentation
Summary: This is mistaken.

Test Plan: Careful inspection, `grep` for other mistakes.

Reviewers: chad, eadler

Reviewed By: eadler

Differential Revision: https://secure.phabricator.com/D15717
2016-04-14 15:00:03 -07:00
epriestley
7852ec1619 Use --master-data, not --dump-slave, in bin/storage dump
Summary: These flags do slightly different things, I actually want --master-data here. My test databases are setup half-weird and work with either statement, which is why I missed this.

Test Plan: Ran a dump against master, got the right CHANGE MASTER statement with no warnings.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15716
2016-04-14 14:56:21 -07:00
epriestley
bbb321395a Support Aphlict clustering
Summary:
Ref T6915. This allows multiple notification servers to talk to each other:

  - Every server has a list of every other server, including itself.
  - Every server generates a unique fingerprint at startup, like "XjeHuPKPBKHUmXkB".
  - Every time a server gets a message, it marks it with its personal fingerprint, then sends it to every other server.
  - Servers do not retransmit messages that they've already seen (already marked with their fingerprint).
  - Servers learn other servers' fingerprints after they send them a message, and stop sending them messages they've already seen.

This is pretty crude, and the first message to a cluster will transmit N^2 times, but N is going to be like 3 or 4 in even the most extreme cases for a very long time.

The fingerprinting stops cycles, and stops servers from sending themselves copies of messages.

We don't need to do anything more sophisticated than this because it's fine if some notifications get lost when a server dies. Clients will reconnect after a short period of time and life will continue.

Test Plan:
  - Wrote two server configs.
  - Started two servers.
  - Told Phabricator about all four services.
  - Loaded Chrome and Safari.
  - Saw them connect to different servers.
  - Sent messages in one, got notifications in the other (magic!).
  - Saw the fingerprinting stuff work on the console, no infinite retransmission of messages, etc.

(This pretty much just worked when I ran it the first time so I probably missed something?)

{F1218835}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T6915

Differential Revision: https://secure.phabricator.com/D15711
2016-04-14 13:26:30 -07:00
epriestley
5a0b7398ca Give bin/storage some replica-aware options
Summary:
Fixes T10758.

  - Adds a "--host" flag. If you specify this, we read your cluster config. This lets you dump from a replica.
  - Adds a "--for-replica" flag to `storage dump`. This makes `mysqldump` include a `CHANGE MASTER ...` statement in the output, which is useful when setting up a replica for the first time.

Test Plan:
  - Dumped master and replica cluster databases.
  - Dumped non-cluster databases.
  - Ran various other commands (help, status, etc).

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10758

Differential Revision: https://secure.phabricator.com/D15714
2016-04-14 13:23:35 -07:00
epriestley
1b2b84ce1f Use monospaced font in Passphrase "Reveal Secret" dialog
Summary: Fixes T10812. Make it easier to disambiguate great passwords like `iI|l1oO()thenumber1nospellitout`.

Test Plan: {F1219074}

Reviewers: chad, yelirekim

Reviewed By: yelirekim

Maniphest Tasks: T10812

Differential Revision: https://secure.phabricator.com/D15715
2016-04-14 13:09:52 -07:00
Chad Little
7b16f5d807 Convert Project Pages to new UI
Summary: Updating the subproject and member pages in Projects to new UI

Test Plan: Visit a subproject parent page, visit members pages

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15687
2016-04-14 18:26:43 +00:00
Chad Little
eae82c51f5 Minor quality of life updates to Phurl
Summary: Default to "All" (maybe "Active" in the future). Adds more info to results.

Test Plan: visit /phurl/, see additional information about URL

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15713
2016-04-14 18:25:22 +00:00
epriestley
07fc8f17cc Support "ssl.chain" in Aphlict configuration
Summary: Fixes T10806. Although browsers don't seem to care about this, it's more correct to support it, and the new test console uses normal `cURL` and does care.

Test Plan:
  - Hit the error case for providing a chain but no key/cert.
  - Used `openssl s_client -connect localhost:22280` to connect to local Aphlict servers.
  - With SSL but no chain, saw `openssl` fail to verify the remote.
  - With SSL and a chain, saw `openssl` verify the identify of the remote.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10806

Differential Revision: https://secure.phabricator.com/D15709
2016-04-14 10:41:21 -07:00
epriestley
383ae7621f Fix a "websokket" typo
Summary: Typo fix from D15703 that I overlooked.

Test Plan: Careful inspection.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15708
2016-04-14 10:40:54 -07:00
epriestley
ca6da4c2be When proxying the SVN protocol, don't mutate URIs in protocol frames if we're an intracluster proxy
Summary:
Ref T10809. Currently, both the proxy and target may mutate URIs (rewriting "svn+ssh://x/diffusion/Y/" to a path on disk).

I believe this previously worked by fate/chance/luck since both URI variants contain the repository information, but the algorithms were tightened up recently with callsign removal.

Stop rewriting them if we're the intracluster proxy -- they only need to be rewritten on the target host.

Test Plan:
  - Checked out a proxied SVN repository, with and without a callsign.
  - Checked out an unproxied SVN repository, with and without a callsign.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10809

Differential Revision: https://secure.phabricator.com/D15712
2016-04-14 10:15:23 -07:00
epriestley
d4bf2a147b Make paths and Aphlict instance names less ambiguous
Summary:
Fixes T10783 (what little of it remains). Ref T10697.

Aphlict currently uses request paths for two different things:

  - multi-tenant instancing in the Phacility cluster (each instance gets its own namespace within an Aphlict server);
  - some users configure nginx and apache to do proxying or SSL termination based on the path.

Currently, these can collide.

Put a "~" before the instance name to make it unambiguous. At some point we can possibly just use a GET parameter, but I think there was some reason I didn't do that originally and this sequence of changes is disruptive enough already.

Test Plan: Saw local Aphlict unambiguously recognize "local.phacility.com" as instance "local", with a "~"-style URI.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10697, T10783

Differential Revision: https://secure.phabricator.com/D15705
2016-04-14 04:57:21 -07:00
epriestley
2930733ac9 Complete modernization of Aphlict configuration
Summary:
Fixes T10697. This finishes bringing the rest of the config up to cluster power levels.

Phabricator is now given an arbitrarily long list of notification servers.

Each Aphlict server is given an arbitrarily long list of ports to run services on.

Users are free to make them meet in the middle by proxying whatever they want to whatever else they want.

This should also accommodate clustering fairly easily in the future.

Also rewrote the status UI and changed a million other things. 🐗

Test Plan:
{F1217864}

{F1217865}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10697

Differential Revision: https://secure.phabricator.com/D15703
2016-04-14 04:57:00 -07:00
epriestley
c6b0925954 Move Aphlict logging and PID configuration options to config file
Summary: Ref T10697. Mostly straightforward. Also allow the server to have multiple logs and log options in the future (e.g., different verbosities or separate admin/client logs or whatever). No specific plans for this, but the default log is pretty noisy today.

Test Plan: Set up a couple of logs, started server, saw it log to them.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10697

Differential Revision: https://secure.phabricator.com/D15702
2016-04-14 04:55:19 -07:00
epriestley
c84dee522b Move server-related Aphlict options to a configuration file
Summary: Ref T10697. This isn't everything but starts generalizing options and moving us toward a cluster-ready state of affairs.

Test Plan: Started server in various configurations, hit most (all?) of the error cases with bad configs, sent test notifications.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10697

Differential Revision: https://secure.phabricator.com/D15701
2016-04-14 04:54:42 -07:00
epriestley
a2588d62e7 Minor bin/aphlict cleanup
Summary: Ref T10697. This just improves a couple of minor `bin/aphlict` things: make argument parsing more explicit/consistent, consolidate a little bit of duplicated code.

Test Plan: Ran all `bin/aphlict` commands.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10697

Differential Revision: https://secure.phabricator.com/D15698
2016-04-14 04:53:55 -07:00
June Rhodes
7150aa8e19 Use Conduit in PhabricatorRepositoryGitCommitChangeParserWorker
Summary:
Ref T2783.  This allows this worker to run on a machine different to the one that stores the repository, by routing the execution of Git over Conduit calls.

This API method is super gross, but fixing it isn't straightforward and it runs into other complicated considerations. We can fix it later; for now, just define it as "internal" to limit how much mess this creates.

"Internal" methods do not appear on the console.

Test Plan: Ran `bin/repository reparse --change <commit> --trace` on several commits, saw daemons make a Conduit call instead of running a `git` command.

Reviewers: hach-que, chad

Reviewed By: chad

Subscribers: joshuaspence, Korvin, epriestley

Maniphest Tasks: T2783

Differential Revision: https://secure.phabricator.com/D11874
2016-04-14 04:53:03 -07:00
epriestley
0379cc10ac Fixes T10805. When clustering is not configured, this check should just
return.

Auditors: chad
2016-04-14 04:32:20 -07:00
Chad Little
91479e2832 Fix header in Badges
Summary: Use normal casing

Test Plan: Read

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15707
2016-04-13 20:44:43 -07:00
epriestley
c0428b4d6d Make Git prompt for passwords when the user provides a username but not a password
Summary: Fixes T10797. This seems to fix things on my local system.

Test Plan:
  - Cloned with a username, got prompted for a password.
  - Cloned with a username + password.
  - Cloned with a username + bad password (error).

Reviewers: chad

Reviewed By: chad

Subscribers: Grimeh

Maniphest Tasks: T10797

Differential Revision: https://secure.phabricator.com/D15706
2016-04-13 18:59:45 -07:00
Andy Reitz
3876d6b439 Fix some typos in the new cluster docs
Summary:
While reading the new cluster docs, I noticed a few minor typos, and one
section that seemed to be incomplete and redundant, so I just removed it.

Test Plan: none.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: chad, Korvin, jshirley

Differential Revision: https://secure.phabricator.com/D15704
2016-04-13 16:30:40 -07:00
epriestley
66366137ff Don't apply security.require-https to intracluster requests
Summary:
Ref T10784. Currently, if you terminate SSL at a load balancer (very common) and use HTTP beyond that, you have to fiddle with this setting in your premable or a `SiteConfig`.

On the balance I think this makes stuff much harder to configure without any real security benefit, so don't apply this option to intracluster requests.

Also document a lot of stuff.

Test Plan: Poked around locally but this is hard to test outside of a production cluster, I'll vet it more thoroughly on `secure`.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10784

Differential Revision: https://secure.phabricator.com/D15696
2016-04-13 12:51:41 -07:00
epriestley
99be132ea2 Allow public users to make intracluster API requests
Summary:
Ref T10784. On `secure`, logged-out users currently can't browse repositories when cluster/service mode is enabled because they aren't permitted to make intracluster requests.

We don't allow totally public external requests (they're hard to rate limit and users might write bots that polled `feed.query` or whatever which we'd have no way to easily disable) but it's fine to allow intracluster public requests.

Test Plan: Browsed a clustered repository while logged out locally.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10784

Differential Revision: https://secure.phabricator.com/D15695
2016-04-13 12:51:16 -07:00
Chad Little
abf37aa979 Fix Passphrase Credential dialog
Summary: Fixes T10772, not sure why this fails, but reverting the code back to old dialog call works.

Test Plan:
  - Try to add a new credential when importing a repository.
  - Also created a new credential normally, via Passphrase.
  - Also edited a credential.

Reviewers: chad

Reviewed By: chad

Subscribers: Korvin

Maniphest Tasks: T10772

Differential Revision: https://secure.phabricator.com/D15691
2016-04-12 20:09:55 -07:00
epriestley
afb0f7c7af Clean up some old cluster-ish documentation
Summary:
Ref T10751. We currently have a placeholder Almanac document, and a fairly-bad-advice section in Daemons.

Pull these into the modern cluster documentation.

Test Plan: 17 phabricator PHDs

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10751

Differential Revision: https://secure.phabricator.com/D15689
2016-04-12 19:14:08 -07:00
epriestley
33060d1652 Ignore post-write repository synchronization if no devices are configured
Summary: Fixes T10789. If we aren't configured with a device, we never grabbed a lock in the first place, and should not expect one to be held.

Test Plan: Pushed non-cluster-configured Git SSH repository.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10789

Differential Revision: https://secure.phabricator.com/D15692
2016-04-12 18:31:11 -07:00
epriestley
110223c1a7 Fix pretty drawings
Summary: Changes elsewhere which support spaces before "|" when defining a table so that tables quote properly also accidentally changed these beautiful drawings into remarkup tables.

Test Plan: (( o.O ))

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15690
2016-04-12 10:55:03 -07:00
epriestley
4244cad990 Move toward multi-master replicated repositories
Summary:
Ref T4292. This mostly implements the locking/versioning logic for multi-master repositories. It is only active on Git SSH pathways, and doesn't actually do anything useful yet: it just does bookkeeping so far.

When we read (e.g., `git fetch`) the logic goes like this:

- Get the read lock (unique to device + repository).
  - Read all the versions of the repository on every other device.
  - If any node has a newer version:
    - Fetch the newer version.
    - Increment our version to be the same as the version we fetched.
- Release the read lock.
- Actually do the fetch.

This makes sure that any time you do a read, you always read the most recently acknowledged write. You may have to wait for an internal fetch to happen (this isn't actually implemented yet) but the operation will always work like you expect it to.

When we write (e.g., `git push`) the logic goes like this:

- Get the write lock (unique to the repository).
  - Do all the read steps so we're up to date.
  - Mark a write pending.
    - Do the actual write.
  - Bump our version and mark our write finished.
- Release the write lock.

This allows you to write to any replica. Again, you might have to wait for a fetch first, but everything will work like you expect.

There's one notable failure mode here: if the network connection between the repository node and the database fails during the write, the write lock might be released even though a write is ongoing.

The "isWriting" column protects against that, by staying locked if we lose our connection to the database. This will currently "freeze" the repository (prevent any new writes) until an administrator can sort things out, since it'd dangerous to continue doing writes (we may lose data).

(Since we won't actually acknowledge the write, I think, we could probably smooth this out a bit and make it self-healing //most// of the time: basically, have the broken node rewind itself by updating from another good node. But that's a little more complex.)

Test Plan:
  - Pushed changes to a cluster-mode repository.
  - Viewed web interface, saw "writing" flag and version changes.
  - Pulled changes.
  - Faked various failures, got sensible states.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15688
2016-04-12 08:57:57 -07:00
epriestley
58eef68b7c Rough cut of repository cluster status panel
Summary:
Ref T4292. This adds some very basic cluster/device data to the new management view. Nothing interesting yet.

Also deal with disabled bindings a little more cleanly.

Test Plan: {F1214619}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15685
2016-04-12 05:38:10 -07:00
epriestley
8a153c1fe9 Rough cut at new "pro" Diffusion edit UI skeleton
Summary:
Ref T4292. This puts a very rough skeleton in place for the new "Manage Repository" UI, somewhat similar to the "Settings" UI.

Right now, it has one panel with no content, and is not reachable from the UI.

Test Plan: {F1214525}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4292

Differential Revision: https://secure.phabricator.com/D15683
2016-04-12 05:37:54 -07:00
epriestley
0216fac30a Make PullLocal smart about which repositories it should pull
Summary:
Ref T10756. When repositories are properly configured for the cluster (which is hard to set up today), be smart about which repositories are expected to exist on the current host, and only pull them.

This generally allows daemons to pretty much do the right thing no matter how many copies are running, although there may still be some lock contention issues that need to be sorted out.

Test Plan: {F1214483}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10756

Differential Revision: https://secure.phabricator.com/D15682
2016-04-12 05:37:30 -07:00
Chad Little
75ba6058b9 Update to FontAwesome 4.6.0
Summary: Updates to the latest icon packages

Test Plan: View UIExamples, find new Icons

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15684
2016-04-11 11:34:59 -07:00
lkassianik
85d2fda082 First stab at a badges typeahead
Summary: Ref T10702

Test Plan: Open a user profile, attempt to award an archived or previously awarded badge, badges dialog should provide a typeahead, and the suggestions should offer details about whether a badge is archived or already awarded.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T10702

Differential Revision: https://secure.phabricator.com/D15665
2016-04-11 10:33:07 -07:00
Chad Little
6b40cfaa60 Fix spelling error
Summary: Ran into this, correct spelling.

Test Plan: read

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15681
2016-04-11 09:26:08 -07:00
epriestley
ac35246d0d Never sever non-cluster database; write more read-only documentation
Summary:
Ref T4571. Write more of the missing documentation sections and clarify a few things.

Since the "replicating master" check needs a special permission, imposes a performance penalty, is probably very difficult to misconfigure, and likely not a big deal anyway, just drop the idea of trying to automatically detect + prevent it. We still show if it's an issue on the status page, provided we have permission to check.

When you don't have any cluster databases configured, never stop trying to connect to the default master database. We might want to do this eventually as load reduction, but just don't muddy the waters too much for now while things stabilize.

Test Plan:
  - Tested functionality in cluster, non-cluster, and degraded-cluster modes.
  - Used status console to monitor a health check cycle.
  - Read docs.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15679
2016-04-11 08:44:11 -07:00
epriestley
ebff07d019 Automatically sever databases after prolonged unreachability
Summary:
Ref T4571. When a database goes down briefly, we fall back to replicas.

However, this fallback is slow (not good for users) and keeps sending a lot of traffic to the master (might be bad if the root cause is load-related).

Keep track of recent connections and fully degrade into "severed" mode if we see a sequence of failures over a reasonable period of time. In this mode, we send much less traffic to the master (faster for users; less load for the database).

We do send a little bit of traffic still, and if the master recovers we'll recover back into normal mode seeing several connections in a row succeed.

This is similar to what most load balancers do when pulling web servers in and out of pools.

For now, the specific numbers are:

  - We do at most one health check every 3 seconds.
  - If 5 checks in a row fail or succeed, we sever or un-sever the database (so it takes about 15 seconds to switch modes).
  - If the database is currently marked unhealthy, we reduce timeouts and retries when connecting to it.

Test Plan:
  - Configured a bad `master`.
  - Browsed around for a bit, initially saw "unrechable master" errors.
  - After about 15 seconds, saw "major interruption" errors instead.
  - Fixed the config for `master`.
  - Browsed around for a while longer.
  - After about 15 seconds, things recovered.
  - Used "Cluster Databases" console to keep an eye on health checks: it now shows how many recent health checks were good:

{F1213397}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15677
2016-04-11 08:43:52 -07:00
epriestley
5cf09f567a Fix an issue with date parsing when viewer timezone differs from server timezone
Summary:
The way `DateTime` works with epochs is weird, I goofed this by having my server/viewer timezone the same and not noticing.

Also fix an issue where you do `?epoch=...` and then manually fiddle with the control: the control should win.

Test Plan:
  - Set viewer and server timezone to different vlaues.
  - Created a countdown using `?epoch=...`.
  - Created a countdown using `?epoch=...` and fiddling with date controls.
  - Created and edited a countdown using date/time control.
  - Poked around Calendar to make sure I didn't ruin anything this time (browsed, created event, edited event).

Reviewers: lpriestley, chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15680
2016-04-11 07:47:37 -07:00
epriestley
146fb646f9 Automatically degrade to read-only mode when unable to connect to the master
Summary:
Ref T4571. If we fail to connect to the master, automatically try to degrade into a temporary read-only mode ("UNREACHABLE") for the remainder of the request, if possible.

If the request was something like "load the homepage", that'll work fine. If it was something like "submit a comment", there's nothing we can do and we just have to fail.

Detecting this condition imposes a performance penalty: every request checks the connection and gives the database a long time to respond, since we don't want to drop writes unless we have to. So the degraded mode works, but it's really slow, and may perpetuate the problem if the root issue is load-related.

This lays the groundwork for improving this case by degrading futher into a "SEVERED" mode which will persist across requests. In the future, if several requests in a short period of time fail, we'll sever the database host and refuse to try to connect to it for a little while, connecting directly to replicas instead (basically, we're "health checking" the master, like a load balancer would health check a web application server). This will give us a better (much faster) degraded mode in a major service disruption, and reduce load on the master if the root cause is load-related, giving it a better chance of recovering on its own.

Test Plan:
  - Disabled master in config by changing the host/username, got degraded automatically to UNREACAHBLE mode immediately.
  - Faked full SEVERED mode, requests hit replicas and put me in the mode properly.
  - Made stuff work, hit some good pages.
  - Hit some non-cluster pages.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15674
2016-04-10 12:20:13 -07:00
epriestley
e0a8cac703 When no master database is configured, automatically degrade to read-only mode
Summary: Ref T4571. If `cluster.databases` is configured but only has replicas, implicitly drop to read-only mode and send writes to a replica.

Test Plan:
  - Disabled the `master`, saw Phabricator automatically degrade into read-only mode against replicas.
  - (Also tested: explicit read-only mode, non-cluster mode, properly configured cluster mode).

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15672
2016-04-10 12:19:55 -07:00
epriestley
071741c61d When Phabricator is in read-only mode, explain why
Summary:
Ref T4571. Allows users to click the "read-only mode" notification to get more information about why an install is in read-only mode.

Installs can be in this mode for several reasons (explicit administrative action, no masters defined, no masters reachable), and it's useful to be able to tell the difference.

Test Plan: {F1212930}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15671
2016-04-10 12:19:18 -07:00
epriestley
c178f29cdb Use new first-class MySQL timeout support in Phabricator
Summary: Fixes T6710. After D15669, we support a proper timeout parameter, so we don't need this hack anymore.

Test Plan: See D15669: forced a MySQL connector, set a low timeout, set a bad database, saw fast failures.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T6710

Differential Revision: https://secure.phabricator.com/D15670
2016-04-10 12:19:00 -07:00
epriestley
6a4a9bb2d2 When cluster.databases is configured, read the master connection from it
Summary:
Ref T4571. Ref T10759. Ref T10758. This isn't complete, but gets most of the job done:

  - When `cluster.databases` is set up, most things ignore `mysql.host` now.
  - You can `bin/storage upgrade` and stuff works.
  - You can browse around in the web UI and stuff works.

There's still a lot of weird tricky stuff to navigate, and this has real no advantages over configuring a single server yet (no automatic failover, etc).

Test Plan:
  - Configured `cluster.databases` to point at my `t1.micro` hosts in EC2 (master + replica).
  - Ran `bin/storage upgrade`, got a new install setup on them properly.
  - Survived setup warnings, browsed around.
  - Switched back to local config, ran `bin/storage upgrade`, browsed around, went through setup checks.
  - Intentionally broke config (bad hosts, no masters) and things seemed to react reasonably well.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571, T10758, T10759

Differential Revision: https://secure.phabricator.com/D15668
2016-04-10 12:18:42 -07:00
epriestley
0439645d5b Add a "Database Cluster Status" console in Config
Summary: Ref T4571. The configuration option still doesn't do anything, but add a status panel for basic setup monitoring.

Test Plan:
Here's what a good version looks like:

{F1212291}

Also faked most of the errors it can detect and got helpful diagnostic messages like this:

{F1212292}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15667
2016-04-09 20:34:13 -07:00
epriestley
3f51b78539 Lay cluster.databases configuration groundwork for database clustering
Summary:
Ref T4571. This adds a new option which allows you to upgrade your one-host configuration to a multi-host configuration by configuring it.

Doing this currently does nothing. I wrote a lot of words about what it is //supposed// to do in the future, though.

Test Plan:
  - Tried to configure the option in all the possible bad ways, got errors.
  - Read documentation.

Reviewers: chad

Reviewed By: chad

Subscribers: eadler

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15663
2016-04-09 13:41:16 -07:00
epriestley
49d93dcf98 Add a cluster.read-only option
Summary:
Ref T4571. There will be a very long path beyond this, but add a basic read-only mode. You can explicitly enable this to put Phabricator in a sort of "maintenance" mode today if you're swapping databases or something.

In the long term, we'll automatically degrade into this mode if the master database is down.

Test Plan:
  - Enabled read-only mode.
  - Browsed around.
  - Didn't immediately see anything that was totally 100% broken.

Most stuff is 80-90% broken right now. For example:

  - Stuff like submitting comments doesn't work, and gives you a confusing, unhelpful error.
  - None of the UI really knows that it's read-only. EditEngine stuff should all hide itself and say "you can't add new comments while an install is in read-only mode", for example, but currently does not.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T4571

Differential Revision: https://secure.phabricator.com/D15662
2016-04-09 13:40:47 -07:00
Chad Little
2bdf8ae5a2 Set time and date on Calendar Date Control form
Summary: Recurring events will fatal a Calendar with this not set. `newDateTime` requires a date and time to be called property. I think this is correct fix? Fixes T10766

Test Plan: Build a recurring event, pull up /calendar/, see recurring events as expected. Previously, fatal.

Reviewers: lpriestley, epriestley

Reviewed By: epriestley

Subscribers: CodeMouse92, Korvin

Maniphest Tasks: T10766

Differential Revision: https://secure.phabricator.com/D15666
2016-04-09 12:01:00 -07:00
epriestley
997460f12f When proxying cluster HTTP requests, forward only selected headers
In the live cluster, some subset of the forwarded headers are creating
some issues for HTTP repository operations.
2016-04-09 03:39:17 -07:00
Chad Little
57e606b395 Update Settings/Config UI
Summary: Testing out a new 'nav' layout in Settings / Config. Spent a few days here and couldn't find much better overall.

Test Plan: View each page in Settings and in Config. Save some config options. Test mobile, desktop, tablet.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15659
2016-04-08 22:00:38 +00:00
epriestley
60e91d3934 Fix an issue with passing HTTP headers through in proxied cluster requests
Summary:
I think this fixes the Mercurial + HTTP cluster issue. PHP adds `HTTP_` but we were not stripping it, so we would convert an `X-Whatever-Zebra` header into an `Http-X-Whatever-Zebra` header.

I don't think this behavior has changed? So maybe it just never worked? Git is more popular than Mercurial and SSH is easier to configure than HTTP, so it's plausible. I'll keep a careful eye on this when it deploys.

Test Plan:
  - Set up local service-based Mercurial repository.
  - Tried to clone, got similar error to cluster.
  - Applied patch, clean clone.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15660
2016-04-08 11:03:28 -07:00
epriestley
0900ffe9cb Support sorting countdowns by end date
Summary: Fixes T5813, while I'm in here...

Test Plan: Sorted stuff by end date.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T5813

Differential Revision: https://secure.phabricator.com/D15657
2016-04-07 12:37:55 -07:00
epriestley
cdec319143 Convert Countdown to EditEngine
Summary: Fixes T10684. Fixes T10520. This primarily implements a date/epoch field, and then does a bunch of standard plumbing.

Test Plan:
  - Created countdowns.
  - Edited countdowns.
  - Used HTTP prefilling.
  - Created a countdown ending on "Christmas Morning", etc.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10520, T10684

Differential Revision: https://secure.phabricator.com/D15655
2016-04-07 12:34:07 -07:00
lkassianik
1f423c3bd1 Make badges searchable by name
Summary: Closes T10690

Test Plan: Open Badges application, go to Advanced Search, search for a badge by its name and see result.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin

Maniphest Tasks: T10690

Differential Revision: https://secure.phabricator.com/D15656
2016-04-07 12:25:11 -07:00
epriestley
37b93f4262 Don't require POST to download LFS files from main domain
Summary:
Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET.

This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.

Test Plan:
Fetched files over GET with and without the LFS header.

```
$ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 302 Redirect
...
```

```
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 200 Content
...
```

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7789

Differential Revision: https://secure.phabricator.com/D15654
2016-04-07 08:55:32 -07:00
epriestley
27104b57c8 Account for raw limits properly in CalendarEventQuery
Summary:
Fixes T8613. This was pretty straightforward, I just never dug into it originally.

`rawResultLimit = 0` just means "no limit", so the fix is to only apply a limit if it is set to some nonzero value.

Also modernize a few pieces of code.

Test Plan: I'm actually not sure this can actually be hit normally? I faked `setGenerateGhosts(true)` into an unrelated query, hit the fatal, then fixed it.

Reviewers: lpriestley, chad

Reviewed By: chad

Maniphest Tasks: T8613

Differential Revision: https://secure.phabricator.com/D15653
2016-04-07 08:39:27 -07:00
epriestley
8d6488f290 Fix a typo in bin/repository help update
Summary: Fixes T10741. The workflow is `refs`, not `ref`.

Test Plan: o.O

Reviewers: chad, cspeckmim

Reviewed By: cspeckmim

Maniphest Tasks: T10741

Differential Revision: https://secure.phabricator.com/D15652
2016-04-07 05:39:37 -07:00
Chad Little
437ff2a718 Normalize case on active operations
Summary: Found another bouncing around.

Test Plan: Review in diff

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15651
2016-04-06 17:33:59 -07:00
epriestley
5938d768d6 Don't dead-end users with out-of-date links to files
Summary: Ref T10262. Instead of dumping an unhelpful 403 "ACCESS DENIED" page on users, explain the most likely cause of the issue and give them a link to return to the file detail page to learn more or get an up-to-date link.

Test Plan: Hit both errors, had a lovely experience with the helpful dialog text.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10262

Differential Revision: https://secure.phabricator.com/D15650
2016-04-06 16:29:30 -07:00
epriestley
39dfcf4c89 Provide nicer string for trying to move a task to its current columns
Summary: Ref T6027. We got a not-very-user-friendly default string before.

Test Plan: Selected "Move", didn't change the dropdown, hit submit. Now, got a nice human-readable description of the issue.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T6027

Differential Revision: https://secure.phabricator.com/D15649
2016-04-06 16:11:45 -07:00
Chad Little
8f67d59d28 Bump font size on property headers
Summary: Bumps to 14px, fixes some on Differential

Test Plan: view various headers in Differential

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15647
2016-04-06 23:08:20 +00:00
epriestley
0650f725f1 Fix getInterestingMoves() fatal?
Summary: Fixes T10740. Probably?

Test Plan: No you

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10740

Differential Revision: https://secure.phabricator.com/D15648
2016-04-06 16:03:22 -07:00
epriestley
5664c838fb Reduce thumbnail flickering in comment previews
Summary:
Ref T10262. Currently, we always render a tag like this when you `{F123}` an image in remarkup:

```
<img src="/xform/preview/abcdef/" />
```

This either generates the preview or redirects to an existing preview. This is a good behavior in general, because the preview may take a while to generate and we don't want to wait for it to generate on the server side.

However, this flickers a lot in Safari. We might be able to cache this, but we really shouldn't, since the preview URI isn't a legitimately stable/permanent one.

Instead, do a (cheap) server-side check to see if the preview already exists. If it does, return a direct URI. This gives us a stable thumbnail in Safari.

Test Plan:
  - Dragged a dog picture into comment box.
  - Typed text.
  - Thing didn't flicker like crazy all the time in Safari.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10262

Differential Revision: https://secure.phabricator.com/D15646
2016-04-06 15:52:52 -07:00
Chad Little
8aad862cd4 Normalize casing on property boxes
Summary: Going to render these all normal case instead of all caps, and bump up the font size. Should be more consistent. Yellow if you green anything orange.

Test Plan: grep, lint

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15645
2016-04-06 15:33:15 -07:00
epriestley
439821c7b2 Don't require one-time tokens to view file resources
Summary:
Ref T10262. This removes one-time tokens and makes file data responses always-cacheable (for 30 days).

The URI will stop working once any attached object changes its view policy, or the file view policy itself changes.

Files with `canCDN` (totally public data like profile images, CSS, JS, etc) use "cache-control: public" so they can be CDN'd.

Files without `canCDN` use "cache-control: private" so they won't be cached by the CDN. They could still be cached by a misbehaving local cache, but if you don't want your users seeing one anothers' secret files you should configure your local network properly.

Our "Cache-Control" headers were also from 1999 or something, update them to be more modern/sane. I can't find any evidence that any browser has done the wrong thing with this simpler ruleset in the last ~10 years.

Test Plan:
  - Configured alternate file domain.
  - Viewed site: stuff worked.
  - Accessed a file on primary domain, got redirected to alternate domain.
  - Verified proper cache headers for `canCDN` (public) and non-`canCDN` (private) files.
  - Uploaded a file to a task, edited task policy, verified it scrambled the old URI.
  - Reloaded task, new URI generated transparently.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10262

Differential Revision: https://secure.phabricator.com/D15642
2016-04-06 14:14:36 -07:00
epriestley
f9836cb646 Scramble file secrets when related objects change policies
Summary:
Ref T10262. Files have an internal secret key which is partially used to control access to them, and determines part of the URL you need to access them. Scramble (regenerate) the secret when:

  - the view policy for the file itself changes (and the new policy is not "public" or "all users"); or
  - the view policy or space for an object the file is attached to changes (and the file policy is not "public" or "all users").

This basically means that when you change the visibility of a task, any old URLs for attached files stop working and new ones are implicitly generated.

Test Plan:
  - Attached a file to a task, used `SELECT * FROM file WHERE id = ...` to inspect the secret.
  - Set view policy to public, same secret.
  - Set view policy to me, new secret.
  - Changed task view policy, new secret.
  - Changed task space, new secret.
  - Changed task title, same old secret.
  - Added and ran unit tests which cover this behavior.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10262

Differential Revision: https://secure.phabricator.com/D15641
2016-04-06 14:14:16 -07:00