1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-04 20:52:43 +01:00
Commit graph

155 commits

Author SHA1 Message Date
epriestley
969587f7b0 Log unexpected exceptions raised by Conduit calls
Summary:
Ref T13581. Currently, unexpected exceptions inside Conduit calls are passed to the client, but not logged on the server.

These exceptions should generally be unexpected, and producing a server-side trace is potentially useful.

Test Plan: Simulated a during-execution exception, saw it get logged on the server.

Maniphest Tasks: T13581

Differential Revision: https://secure.phabricator.com/D21464
2020-09-15 17:36:43 -07:00
epriestley
0ea6d131e0 In Conduit responses, assert that Phabricator supports a "gzip" capability
Summary: Ref T13507. If we believe the server can accept "Content-Encoding: gzip" requests, make the claim in an "X-Conduit-Capabilities" header in responses. Clients can use request compression on subsequent requests.

Test Plan: See D21119 for the client piece.

Maniphest Tasks: T13507

Differential Revision: https://secure.phabricator.com/D21120
2020-04-14 16:51:03 -07:00
epriestley
eb6df7a209 Remove "phlog()" of exeptions during Conduit calls
Summary: Fixes T13465. This "phlog()" made some degree of sense at one time, but is no longer useful or consistent. Get rid of it. See T13465 for discussion.

Test Plan: Made a conduit call that hit a policy error, no longer saw error in log.

Maniphest Tasks: T13465

Differential Revision: https://secure.phabricator.com/D20924
2019-11-22 12:03:08 -08:00
Austin McKinley
05a9474138 Raise warning when accidentally submitting Conduit parameters as a JSON-encoded body
Summary: See T12447 for discussion. It is reasonably intuitive to try and pass Conduit parameters via a JSON-encoded HTTP body, but if you do so, you'll get an unhelpful messsage about how method so-and-so does not accept a parameter named "your_entire_json_body". Instead, detect this mistake and advise developers to use form-encoded parameters.

Test Plan:
Got a better error when attempting to make Conduit calls from React code. Tested the following additional invocations of Conduit and got the expected results without an error:

* From the Conduit UI
* With cURL:
```
~ $ curl http://local.phacility.com:8080/api/conpherence.querythread \
>     -d api.token=api-tvv2zb565zrtueab5ddprmpxvrwb \
>     -d ids[0]=1
```
* With `arc call-conduit`:
```
~ $ echo '{
>   "ids": [
>     1
>   ]
> }' | arc call-conduit --conduit-uri http://local.phacility.com:8080/ --conduit-token api-tvv2zb565zrtueab5ddprmpxvrwb conpherence.querythread
```

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D19944
2019-01-02 17:31:16 -08:00
epriestley
c32fa06266 Use phutil_microseconds_since(...) to simplify some timing arithmetic
Summary: Depends on D19796. Simplify some timing code by using phutil_microseconds_since() instead of duplicate casting and arithmetic.

Test Plan: Grepped for `1000000` to find these. Pulled, pushed, made a conduit call. This isn't exhaustive but it should be hard for these to break in a bad way since they're all just diagnostic.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D19797
2018-11-08 16:46:32 -08:00
epriestley
eb80a5ede1 Make the Conduit auth error for an unrecognized public key a little more useful
Summary: Ref T13168. This is just a small quality-of-life fix: we can disclose which public key we're talking about because public keys are public.

Test Plan:
  - Hit public key error (through my own bumbling / not reading or following instructions). Specifically, I haven't associated the key with a device in Almanac.
  - Before: vague error.
  - After: more specific error with enough key material that I could grep for it.

Reviewers: amckinley

Reviewed By: amckinley

Subscribers: yelirekim

Maniphest Tasks: T13168

Differential Revision: https://secure.phabricator.com/D19516
2018-07-20 09:43:54 -07:00
epriestley
4d1ed12a9e Skip Conduit call log writes in read-only mode, allowing "conduit.ping" to run
Summary: Ref T10769. See PHI8. We have an unconditional logging write which we can skip in read-only mode.

Test Plan:
  - Put Phabricator in read-only mode with `cluster.read-only`.
  - Called `conduit.ping` via web UI.
    - Before: write-on-read-only exception.
    - After: good result.

Reviewers: chad, amckinley

Reviewed By: chad

Maniphest Tasks: T10769

Differential Revision: https://secure.phabricator.com/D18233
2017-07-18 13:32:52 -07:00
epriestley
3cdabb9588 Provide a hint that submitting a Conduit call shows you how to encode particular parameters
Summary: Ref T12447.

Test Plan: {F4270003}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12447

Differential Revision: https://secure.phabricator.com/D17557
2017-03-24 13:15:03 -07:00
Jakub Vrana
a778151f28 Fix errors found by PHPStan
Test Plan: Ran `phpstan analyze -a autoload.php phabricator/src`.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin, hach-que

Differential Revision: https://secure.phabricator.com/D17371
2017-02-17 10:10:15 +00:00
epriestley
aa6e788f36 Mark "v3" API methods as stable; mark obsoleted methods as "Frozen"
Summary:
Ref T12074. The "v3" API methods (`*.search`, `*.edit`) are currently marked as "unstable", but they're pretty stable and essentially all new code should be using them.

Although these methods are seeing some changes, almost all changes are additive (support for new constraints or attachemnts) and do not break backward compatibility. We have no major, compatibility-breaking changes planned.

I don't want to mark the older methods "deprecated" yet since `arc` still uses a lot of them and there are some capabilities not yet available on the v3 methods, but introduce a new "frozen" status with pointers to the new methods.

Overall, this should gently push users toward the newer methods.

Test Plan: {F2325323}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12074

Differential Revision: https://secure.phabricator.com/D17158
2017-01-09 07:16:27 -08:00
Giedrius Dubinskas
c71bb0550c Conduit accept int/bool parameters as strings
Summary: Accept Conduit parameter values as strings (e.g. from `curl`) and convert to required type.

Test Plan:
Call conduit method with int/bool parameter iusing `curl` and make sure it does not result in validation error, e.g.
```
$ curl http://$PHABRICATOR_HOST/api/maniphest.search -d api.token=$CONDUIT_TOKEN -d constraints[modifiedEnd]=$(date +%s) -d constraints[hasParents]=true -d limit=1
```

Fixes T10456.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin

Maniphest Tasks: T10456

Differential Revision: https://secure.phabricator.com/D16694
2016-10-14 14:45:57 +00:00
epriestley
65980ac683 Convert all remaining old tabs to new PHUITabGroupViews
Summary: Ref T10628. This moves everything else over. I'll clean up the cruft in the next diff.

Test Plan:
- Viewed Conduit API page, toggled tabs.
- Viewed Harbormaster build, toggled tabs.
- Viewed a Drydock lease, swapped tabs.
- Viewed a Drydock resource, swapped tabs.
- Viewed mail, swapped tabs.
- Grepped for `addPropertyList(...)`, looked for any remaining calls with a second argument.
- Also checked rSAAS for any calls, but we don't have anything there that uses tabs.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10628

Differential Revision: https://secure.phabricator.com/D16207
2016-06-30 18:50:09 -07:00
epriestley
ec8581ab62 Clean up redirect URIs for "Temporary Tokens" and "API Tokens" settings panels
Summary: Fixes T11223. I missed a few of these; most of them kept working anyway because we have redirects in place, but make them a bit more modern/not-hard-coded.

Test Plan:
  - Generated and revoked API tokens for myself.
  - Generated and revoked API tokens for bots.
  - Revoked temporary tokens for myself.
  - Clicked the link to the API tokens panel from the Conduit console.
  - Clicked all the cancel buttons in all the dialogs, too.

In all cases, everything now points at the correct URIs. Previously, some things pointed at the wrong URIs (mostly dealing with stuff for bots).

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11223

Differential Revision: https://secure.phabricator.com/D16185
2016-06-28 14:51:04 -07:00
epriestley
814fa135b0 Centralize "this is the current user for the request" code
Summary:
Ref T11098. This primarily fixes Conduit calls to `*.edit` methods failing when trying to access user preferences.

(The actual access is a little weird, since it seems like we're building some UI stuff inside a policy query, but that's an issue for another time.)

To fix this, consolidate the "we're about to run some kind of request with this user" code and run it consistently for web, conduit, and SSH sessions.

Additionally, make sure we swap things to the user's translation.

Test Plan:
  - Ran `maniphest.edit` via `arc call-conduit`, no more settings exception.
  - Set translation to ALL CAPS, got all caps output from `ssh` and Conduit.

Reviewers: avivey, chad

Reviewed By: chad

Maniphest Tasks: T11098

Differential Revision: https://secure.phabricator.com/D16066
2016-06-07 07:43:50 -07:00
epriestley
0308d580d7 Deactivate SSH keys instead of destroying them completely
Summary:
Ref T10917. Currently, when you delete an SSH key, we really truly delete it forever.

This isn't very consistent with other applications, but we built this stuff a long time ago before we were as rigorous about retaining data and making it auditable.

In partiular, destroying data isn't good for auditing after security issues, since it means we can't show you logs of any changes an attacker might have made to your keys.

To prepare to improve this, stop destoying data. This will allow later changes to become transaction-oriented and show normal transaction logs.

The tricky part here is that we have a `UNIQUE KEY` on the public key part of the key.

Instead, I changed this to `UNIQUE (key, isActive)`, where `isActive` is a nullable boolean column. This works because MySQL does not enforce "unique" if part of the key is `NULL`.

So you can't have two rows with `("A", 1)`, but you can have as many rows as you want with `("A", null)`. This lets us keep the "each key may only be active for one user/object" rule without requiring us to delete any data.

Test Plan:
- Ran schema changes.
- Viewed public keys.
- Tried to add a duplicate key, got rejected (already associated with another object).
- Deleted SSH key.
- Verified that the key was no longer actually deleted from the database, just marked inactive (in future changes, I'll update the UI to be more clear about this).
- Uploaded a new copy of the same public key, worked fine (no duplicate key rejection).
- Tried to upload yet another copy, got rejected.
- Generated a new keypair.
- Tried to upload a duplicate to an Almanac device, got rejected.
- Generated a new pair for a device.
- Trusted a device key.
- Untrusted a device key.
- "Deleted" a device key.
- Tried to trust a deleted device key, got "inactive" message.
- Ran `bin/ssh-auth`, got good output with unique keys.
- Ran `cat ~/.ssh/id_rsa.pub | ./bin/ssh-auth-key`, got good output with one key.
- Used `auth.querypublickeys` Conduit method to query keys, got good active keys.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10917

Differential Revision: https://secure.phabricator.com/D15943
2016-05-18 14:54:28 -07:00
epriestley
7f15e8fbe8 Formally deprecate owners.query Conduit API method
Summary: This is completely obsoleted by `owners.search`. See D15472.

Test Plan: Viewed API method in UI console.

Reviewers: avivey, chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D15769
2016-04-20 09:04:45 -07:00
epriestley
99be132ea2 Allow public users to make intracluster API requests
Summary:
Ref T10784. On `secure`, logged-out users currently can't browse repositories when cluster/service mode is enabled because they aren't permitted to make intracluster requests.

We don't allow totally public external requests (they're hard to rate limit and users might write bots that polled `feed.query` or whatever which we'd have no way to easily disable) but it's fine to allow intracluster public requests.

Test Plan: Browsed a clustered repository while logged out locally.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10784

Differential Revision: https://secure.phabricator.com/D15695
2016-04-13 12:51:16 -07:00
Chad Little
e2685a248b Update Conduit for new UI
Summary: View various conduit pages and update to new UI and add calls to newPage

Test Plan: View list, view method, make a call.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D15613
2016-04-04 16:39:23 -07:00
epriestley
e55522cade Implement "auth.logout" Conduit API method
Summary:
Ref T7303. Ref T7673. This implements an "auth.logout" which:

  - terminates all web sessions;
  - terminates the current OAuth token if called via OAuth; and
  - may always be called via OAuth.

(Since it consumes an OAuth token, even a "malicious" OAuth application can't really be that much of a jerk with this: it can't continuously log you out, since calling the method once kills the token. The application would need to ask your permission again to get a fresh token.)

The primary goal here is to let Phacility instances call this against the Phacility upstream, so that when you log out of an instance it also logs you out of your Phacility account (possibly with a checkbox or something).

This also smooths over the session token code. Before this change, your sessions would get logged out but when you reloaded we'd tell you your session was invalid.

Instead, try to clear the invalid session before telling the user there's an issue. I think that ssentially 100% of invalid sessions are a result of something in this vein (e.g., forced logout via Settings) nowadays, since the session code is generally stable and sane and has been for a long time.

Test Plan:
  - Called `auth.logout` via console, got a reasonable logout experience.
  - Called `auth.logout` via OAuth.
    - Tried to make another call, verified OAuth token had been invalidated.
    - Verified web session had been invalidated.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7303, T7673

Differential Revision: https://secure.phabricator.com/D15594
2016-04-04 09:12:06 -07:00
epriestley
60133b6fa5 Begin cleaning up OAuth scope handling
Summary:
Ref T7303. OAuth scope handling never got fully modernized and is a bit of a mess.

Also introduce implicit "ALWAYS" and "NEVER" scopes.

Always give tokens access to meta-methods like `conduit.getcapabilities` and `conduit.query`. These do not expose user information.

Test Plan:
  - Used a token to call `user.whoami`.
  - Used a token to call `conduit.query`.
  - Used a token to try to call `user.query`, got rebuffed.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7303

Differential Revision: https://secure.phabricator.com/D15593
2016-04-04 09:11:51 -07:00
epriestley
4a147dcbfb Move ConduitLogs to ApplicationSearch
Summary:
Ref T9980. Start making this UI more useful and powerful so we can give administrators a better toolset for reacting to API changes.

Fixes T9755. We were logging the caller, just not rendering it properly.

Test Plan: {F1025799}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9755, T9980

Differential Revision: https://secure.phabricator.com/D14779
2015-12-14 14:45:08 -08:00
epriestley
fdd2d802d2 Clean up "*.search" API method documentation pages
Summary:
Ref T9964. Building tables in Remarkup is kind of neat-ish but ends up feeling kind of hacky, and requires weird workarounds if any of the values have `|` in them.

Switch to normal elements instead.

Also move the magic "ids" and "phids" to be more like real fields. I'll clean this up fully in a diff or two, it's just a little tricky because Maniphest has an "ids" field.

Test Plan: {F1024294}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9964

Differential Revision: https://secure.phabricator.com/D14768
2015-12-14 04:24:39 -08:00
epriestley
d1a1d48001 Give ConduitAPIMethod->getMethodDescription() access to a real Viewer
Summary:
Ref T9964. The new `*.search` and `*.edit` methods generate documentation which depends on the viewer.

For example, the `*.search` methods show a reference table of the keys for all your saved queries.

Give them a real viewer to work with.

During normal execution, just populate this viewer with the request's viewer, so `$request->getViewer()` and `$this->getViewer()` both work and mean the same thing.

Test Plan: {F1023780}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9964

Differential Revision: https://secure.phabricator.com/D14761
2015-12-14 04:20:11 -08:00
Chad Little
a8e9da4a56 Update Conduit for handleRequest
Summary: Ref T8628. Updates Conduit for handleRequest

Test Plan: Use Conduit, test list, method calls, try a query, post this diff.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Maniphest Tasks: T8628

Differential Revision: https://secure.phabricator.com/D14265
2015-10-18 16:07:07 -07:00
epriestley
4b43667086 Introduce PHUIRemarkupView, a sane way to work with Remarkup
Summary:
Fixes T9273. Remarkup has reasonably good fundamentals but the API is a giant pain to work with.

Provide a `PHUIRemarkupView` to make it easier. This object is way simpler to use by default.

It's not currently as powerful, but we can expand the power level later by adding more setters.

Eventually I'd expect to replace `PhabricatorRemarkupInterface` and `PhabricatorMarkupOneOff` with this, but no rush on those.

I converted a few callsites as a sanity check that it works OK.

Test Plan:
- Viewed remarkup in Passphrase.
- Viewed remarkup in Badges.
- Viewed a Conduit method.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T9273

Differential Revision: https://secure.phabricator.com/D14289
2015-10-15 10:20:19 -07:00
Chad Little
666f19e504 Make icon setting in Section Headers easier/consistent
Summary: You can already pass other icons, but this makes it a bit simpler.

Test Plan: Test Maniphest, Badges

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Differential Revision: https://secure.phabricator.com/D14131
2015-09-19 11:29:01 -07:00
epriestley
29948eaa5b Use phutil_hashes_are_identical() when comparing hashes in Phabricator
Summary: See D14025. In all cases where we compare hashes, use strict, constant-time comparisons.

Test Plan: Logged in, logged out, added TOTP, ran Conduit, terminated sessions, submitted forms, changed password. Tweaked CSRF token, got rejected.

Reviewers: chad

Reviewed By: chad

Subscribers: chenxiruanhai

Differential Revision: https://secure.phabricator.com/D14026
2015-09-01 15:52:44 -07:00
epriestley
57b898af9a Merge branch 'master' into redesign-2015 2015-06-10 07:44:58 -07:00
epriestley
992c199577 Add "Mailing List" users
Summary:
Ref T8387. Adds new mailing list users.

This doesn't migrate anything yet. I also need to update the "Email Addresses" panel to let administrators change the list address.

Test Plan:
  - Created and edited a mailing list user.
  - Viewed profile.
  - Viewed People list.
  - Searched for lists / nonlists.
  - Grepped for all uses of `getIsDisabled()` / `getIsSystemAgent()` and added relevant corresponding behaviors.
  - Hit the web/api/ssh session blocks.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: eadler, tycho.tatitscheff, epriestley

Maniphest Tasks: T8387

Differential Revision: https://secure.phabricator.com/D13123
2015-06-03 18:42:33 -07:00
epriestley
8440b3efc0 Update account roles documentation and remove actAsUser
Summary:
Ref T8387. This describes changes I haven't made yet, but plan to make.

Also removes the long-deprecated actAsUser capability so I can remove the caveat about it from the documentation.

Test Plan: `grep`, reading

Reviewers: btrahan, eadler

Reviewed By: btrahan, eadler

Subscribers: eadler, epriestley

Maniphest Tasks: T8387

Differential Revision: https://secure.phabricator.com/D13120
2015-06-03 18:42:09 -07:00
epriestley
3699253e49 Merge branch 'master' into redesign-2015 2015-05-28 12:00:06 -07:00
epriestley
7d757483a0 Make everything 1000x or 1000000x slower
Summary:
In the great `pht()` conversion, some strings like "123,456" are now being printed as numbers with "%d". These come out as "123" instead of "123,456".

Use "%s" and "PhutilNumber" to present numbers with comma groupings.

Test Plan:
  - Viewed DarkConsole.
  - Viewed conduit logs.
  - Viewed daemon logs.
  - Grepped for `%d ms` and `%d us`.

Reviewers: btrahan, joshuaspence

Reviewed By: joshuaspence

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D12979
2015-05-23 05:36:02 -07:00
epriestley
bfca11dbba Merge branch 'master' into redesign-2015 2015-05-22 12:57:32 -07:00
Joshua Spence
36e2d02d6e phtize all the things
Summary: `pht`ize a whole bunch of strings in rP.

Test Plan: Intense eyeballing.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: hach-que, Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12797
2015-05-22 21:16:39 +10:00
Chad Little
a4784e03ff [Redesign] Add Table, Collapse support to ObjectBox
Summary: Converts most all tables to be directly set via `setTable` to an ObjectBox. I think this path is more flexible design wise, as we can change the box based on children, and not just CSS. We also already do this with PropertyList, Forms, ObjectList, and Header. `setCollapsed` is added to ObjectBox to all children objects to bleed to the edges (like diffs).

Test Plan: I did a grep of `appendChild($table)` as well as searches for `PHUIObjectBoxView`, also with manual opening of hundreds of files. I'm sure I missed 5-8 places. If you just appendChild($table) nothing breaks, it just looks a little funny.

Reviewers: epriestley, btrahan

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12955
2015-05-20 12:48:43 -07:00
epriestley
3a34d948b9 Show how to call Conduit API methods from clients
Summary: Fixes T3628. Ref T5955.

Test Plan:
On the method page, you see a generic example:

{F396471}

After making a call, you see a specific example with your parameters:

{F396472}

{F396474}

{F396475}

Reviewers: chad, btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T3628, T5955

Differential Revision: https://secure.phabricator.com/D12770
2015-05-08 12:19:52 -07:00
Joshua Spence
70c8649142 Use phutil_json_decode instead of json_decode
Summary: Generally, `phutil_json_decode` should be preferred over `json_decode`.

Test Plan: Eyellballed.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12680
2015-05-05 20:48:55 +10:00
epriestley
ba6b1376f2 Provide an "api" context to Multimeter for API events
Summary: Ref T6930. This gives us a better context for API calls -- "api.call.name" instead of always "web.ConduitAPIController".

Test Plan: {F391658}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6930

Differential Revision: https://secure.phabricator.com/D12677
2015-05-04 10:06:57 -07:00
epriestley
09ad69238e Drive conduit result ordering through Query order specifications
Summary:
Ref T7803. Ref T5873. Allows Query methods to expose orderings from the underlying Query class nearly-for-free.

Callers can specify a string to use a builtin ordering, or an array to use a low-level column ordering.

Test Plan: {F368236}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5873, T7803

Differential Revision: https://secure.phabricator.com/D12381
2015-04-13 11:58:37 -07:00
epriestley
156b156e77 Give Conduit params/return/errors protected visibility
Summary:
Ref T7803. Ref T5873. I want to drive Conduit through more shared infrastructure, but can't currently add parameters automatically.

Put a `getX()` around the `defineX()` methods so the parent can provide default behaviors.

Also like 60% of methods don't define any special error types; don't require them to implement this method. I want to move away from this in general.

Test Plan:
  - Ran `arc unit --everything`.
  - Called `conduit.query`.
  - Browsed Conduit UI.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: hach-que, epriestley

Maniphest Tasks: T5873, T7803

Differential Revision: https://secure.phabricator.com/D12380
2015-04-13 11:58:35 -07:00
Joshua Spence
ea376685ae Fix some odd looking arrays
Summary: These arrays looks a little odd, most likely due to the autofix applied by `ArcanistXHPASTLinter::LINT_ARRAY_SEPARATOR`. See D12296 in which I attempt to improve the autocorrection from this linter rule.

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D12281
2015-04-05 22:29:39 +10:00
Chad Little
423180430e Modernize Conduit app a bit
Summary: Remove some AphrontPanels, add some phts, fix some table layouts.

Test Plan: Browse many Conduit pages, test a few calls.

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7427

Differential Revision: https://secure.phabricator.com/D11957
2015-03-03 11:09:59 -08:00
epriestley
d94d1da610 Proxy Diffusion Conduit API calls
Summary:
Fixes T7020. When an external user makes a Conduit request to Diffusion but the repository isn't hosted locally, we need to proxy it.

This also adds a guard layer to prevent requests from getting infinitely proxied inside the cluster.

In "trivial" configurations (where the repository is a service repository, but the service is on the local device) I'm making us always proxy anyway. This basically makes it reasonable to test this stuff (otherwise you'd have to set up two different installs) and this configuration doesn't make much sense in real life (if you're using multiple machines, making one a dedicating daemons+repo box is almost certainly the most reasonable configuration, even for a cluster size of 2).

Test Plan:
  - With a service-hosted repository, made Diffusion conduit calls and browsed the UI. Verified requests got proxied once, then resovled.
  - With a non-service repository, made Diffusion conduit calls and browsed UI. Verified requests were handled in-process immediately.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7020

Differential Revision: https://secure.phabricator.com/D11475
2015-01-23 13:30:52 -08:00
Joshua Spence
c2ac63e9ad Increase visibility of PhabricatorController::buildApplicationMenu methods
Summary: Ref T6822. This method needs to be `public` because it is called from `PhabricatorApplicationSearchController::buildApplicationMenu()`.

Test Plan: I wouldn't expect //increasing// method visibility to break anything.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6822

Differential Revision: https://secure.phabricator.com/D11416
2015-01-16 07:41:26 +11:00
Bob Trahan
6de8fe418c Conduit - document that ERR-CONDUIT-CORE is coming atchya
Summary: Fixes T6863. Seems like this belongs there?

Test Plan: loaded up an API in conduit console and saw the new error text

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6863

Differential Revision: https://secure.phabricator.com/D11261
2015-01-06 14:41:28 -08:00
epriestley
fa7bb8ff7a Add cluster.addresses and require membership before accepting cluster authentication tokens
Summary:
Ref T2783. Ref T6706.

  - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts.
  - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
    - This provides a general layer of security for these mechanisms.
    - In particular, it means they do not work by default on unconfigured hosts.
  - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it.
    - This provides a general layer of security for getting the Ops side of cluster configuration correct.
    - If cluster nodes have public IPs and are listening on them, we'll reject requests.
    - Basically, this means that any requests which bypass the LB get rejected.

Test Plan:
  - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
  - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
  - With addresses configured correctly, made valid requests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6706, T2783

Differential Revision: https://secure.phabricator.com/D11159
2015-01-02 15:13:41 -08:00
epriestley
f18ee5c237 Generate and use "cluster" Conduit API tokens
Summary:
Ref T5955. Ref T2783.

  - Removes the "temporary" type. I was going to use this for T3628 but it started taking more time than I wanted to spend on it.
  - Add a "cluster" type, which is an internal-only token type used within a cluster. This token value is never shown to the user.
  - Automatically generate, use, and cycle cluster tokens.

Test Plan:
  - Diffusion (mostly) works with a repository configured to use a remote service.
  - Saw cluster tokens generate; terminated a cluster token and saw it regenerate.
  - Viewed cluster token in settings panel and saw nice explanatory text instead, as expected (we might just hide these eventually).

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T2783, T5955

Differential Revision: https://secure.phabricator.com/D10990
2014-12-15 11:15:14 -08:00
epriestley
288498f8d0 Add conduit.getcapabilities and a modern CLI handshake workflow
Summary:
Ref T5955.

  - Add `conduit.getcapabilities` to help arc (and other clients) determine formats, protocols, etc., the server supports.
  - Fixes T3117. Add a more modern version of the handshake workflow that allows all generated tokens to remain valid for an hour.
  - Generally, add a CLI token type. This token type expires after an hour when generated, then becomes permanent if used.

Test Plan:
  - See D10988.
  - Ran `conduit.getcapabilities` and inspected output.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T3117, T5955

Differential Revision: https://secure.phabricator.com/D10989
2014-12-15 11:14:53 -08:00
epriestley
0507626f01 Accept Conduit tokens as an authentication mechanism
Summary:
  - Ref T5955. Accept the tokens introduced in D10985 as an authentication token.
  - Ref T3628. Permit simple `curl`-compatible decoding of parameters.

Test Plan:
  - Ran some sensible `curl` API commands:

```
epriestley@orbital ~/dev/phabricator $ curl -g "http://local.phacility.com/api/user.whoami?api.token=api-f7dfpoyelk4mmz6vxcueb6hcbtbk" ; echo
{"result":{"phid":"PHID-USER-cvfydnwadpdj7vdon36z","userName":"admin","realName":"asdf","image":"http:\/\/local.phacility.com\/res\/1410737307T\/phabricator\/3eb28cd9\/rsrc\/image\/avatar.png","uri":"http:\/\/local.phacility.com\/p\/admin\/","roles":["admin","verified","approved","activated"]},"error_code":null,"error_info":null}
```

```
epriestley@orbital ~/dev/phabricator $ curl -g "http://local.phacility.com/api/differential.query?api.token=api-f7dfpoyelk4mmz6vxcueb6hcbtbk&ids[]=1" ; echo
{"result":[{"id":"1","phid":"PHID-DREV-v3a67ixww3ccg5lqbxee","title":"zxcb","uri":"http:\/\/local.phacility.com\/D1","dateCreated":"1418405590","dateModified":"1418405590","authorPHID":"PHID-USER-cvfydnwadpdj7vdon36z","status":"0","statusName":"Needs Review","branch":null,"summary":"","testPlan":"zxcb","lineCount":"6","activeDiffPHID":"PHID-DIFF-pzbtc5rw6pe5j2kxtlr2","diffs":["1"],"commits":[],"reviewers":[],"ccs":[],"hashes":[],"auxiliary":{"phabricator:projects":[],"phabricator:depends-on":[],"organization.sqlmigration":null},"arcanistProjectPHID":null,"repositoryPHID":null,"sourcePath":null}],"error_code":null,"error_info":null}
```

  - Ran older-style commands like `arc list` against the local install.
  - Ran commands via web console.
  - Added and ran a unit test to make sure nothing is using forbidden parameter names.
  - Terminated a token and verified it no longer works.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T3628, T5955

Differential Revision: https://secure.phabricator.com/D10986
2014-12-15 11:14:41 -08:00
epriestley
39f2bbaeea Add Conduit Tokens to make authentication in Conduit somewhat more sane
Summary:
Ref T5955. Summary of intended changes:

**Improve Granularity of Authorization**: Currently, users have one Conduit Certificate. This isn't very flexible, and means that you can't ever generate an API token with limited permissions or IP block controls (see T6706). This moves toward a world where you can generate multiple tokens, revoke them individually, and assign disparate privileges to them.

**Standardize Token Management**: This moves Conduit to work the same way that sessions, OAuth authorizations, and temporary tokens already work, instead of being this crazy bizarre mess.

**Make Authentication Faster**: Authentication currently requires a handshake (conduit.connect) to establish a session, like the web UI. This is unnecessary from a security point of view and puts an extra round trip in front of all Conduit activity. Essentially no other API anywhere works like this.

**Make Authentication Simpler**: The handshake is complex, and involves deriving hashes. The session is also complex, and creates issues like T4377. Handshake and session management require different inputs.

**Make Token Management Simpler**: The certificate is this huge long thing right now, which is not necessary from a security perspective. There are separate Arcanist handshake tokens, but they have a different set of issues. We can move forward to a token management world where neither of these problems exist.

**Lower Protocol Barrier**: The simplest possible API client is very complex right now. It should be `curl`. Simplifying authentication is a necessary step toward this.

**Unblock T2783**: T2783 is blocked on nodes in the cluster making authenticated API calls to other nodes. This provides a simpler way forward than the handshake mess (or enormous-hack-mess) which would currently be required.

Test Plan:
  - Generated tokens.
  - Generated tokens for a bot account.
  - Terminated tokens (and for a bot account).
  - Terminated all tokens (and for a bot account).
  - Ran GC and saw it reap all the expired tokens.

NOTE: These tokens can not actually be used to authenticate yet!

{F249658}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5955

Differential Revision: https://secure.phabricator.com/D10985
2014-12-15 11:14:23 -08:00