mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-15 03:12:41 +01:00
0327a5fc69
Summary: This diff makes the OAuthServer more compliant with the spec by - making it return well-formatted error codes with error types from the spec. - making it respect the "state" variable, which is a transparent variable the client passes and the server passes back - making it be super, duper compliant with respect to redirect uris -- if specified in authorization step, check if its valid relative to the client registered URI and if so save it -- if specified in authorization step, check if its been specified in the access step and error if it doesn't match or doesn't exist -- note we don't make any use of it in the access step which seems strange but hey, that's what the spec says! This diff makes the OAuthServer suck less by - making the "cancel" button do something in the user authorization flow - making the client list view and client edit view be a bit more usable around client secrets - fixing a few bugs I managed to introduce along the way Test Plan: - create a test phabricator client, updated my conf, and then linked and unlinked phabricator to itself - wrote some tests for PhabricatorOAuthServer -- they pass! -- these validate the various validate URI checks - tried a few important authorization calls -- http://phabricator.dev/oauthserver/auth/?client_id=X&state=test&redirect_uri=http://www.evil.com --- verified error'd from mismatching redirect uri's --- verified state parameter in response --- verified did not redirect to client redirect uri -- http://phabricator.dev/oauthserver/auth/?client_id=X w/ existing authorization --- got redirected to proper client url with error that response_type not specified -- http://phabricator.dev/oauthserver/auth/?client_id=X&response_type=code w/ existing authorization --- got redirected to proper client url with pertinent code! - tried a few important access calls -- verified appropriate errors if missing any required parameters -- verified good access code with appropriate other variables resulted in an access token - verified that if redirect_uri set correctly in authorization required for access and errors if differs at all / only succeeds if exactly the same Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley, ajtrichards Maniphest Tasks: T889, T906, T897 Differential Revision: https://secure.phabricator.com/D1727
215 lines
7.3 KiB
PHP
215 lines
7.3 KiB
PHP
<?php
|
|
|
|
/*
|
|
* Copyright 2012 Facebook, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/**
|
|
* @group oauthserver
|
|
*/
|
|
final class PhabricatorOAuthServerAuthController
|
|
extends PhabricatorAuthController {
|
|
|
|
public function shouldRequireLogin() {
|
|
return true;
|
|
}
|
|
|
|
public function processRequest() {
|
|
$request = $this->getRequest();
|
|
$current_user = $request->getUser();
|
|
$server = new PhabricatorOAuthServer();
|
|
$client_phid = $request->getStr('client_id');
|
|
$scope = $request->getStr('scope');
|
|
$redirect_uri = $request->getStr('redirect_uri');
|
|
$state = $request->getStr('state');
|
|
$response_type = $request->getStr('response_type');
|
|
$response = new PhabricatorOAuthResponse();
|
|
|
|
// state is an opaque value the client sent us for their own purposes
|
|
// we just need to send it right back to them in the response!
|
|
if ($state) {
|
|
$response->setState($state);
|
|
}
|
|
if (!$client_phid) {
|
|
$response->setError('invalid_request');
|
|
$response->setErrorDescription(
|
|
'Required parameter client_id not specified.'
|
|
);
|
|
return $response;
|
|
}
|
|
$server->setUser($current_user);
|
|
|
|
// one giant try / catch around all the exciting database stuff so we
|
|
// can return a 'server_error' response if something goes wrong!
|
|
try {
|
|
$client = id(new PhabricatorOAuthServerClient())
|
|
->loadOneWhere('phid = %s', $client_phid);
|
|
if (!$client) {
|
|
$response->setError('invalid_request');
|
|
$response->setErrorDescription(
|
|
'Client with id '.$client_phid.' not found.'
|
|
);
|
|
return $response;
|
|
}
|
|
$server->setClient($client);
|
|
if ($redirect_uri) {
|
|
$client_uri = new PhutilURI($client->getRedirectURI());
|
|
$redirect_uri = new PhutilURI($redirect_uri);
|
|
if (!($server->validateSecondaryRedirectURI($redirect_uri,
|
|
$client_uri))) {
|
|
$response->setError('invalid_request');
|
|
$response->setErrorDescription(
|
|
'The specified redirect URI is invalid. The redirect URI '.
|
|
'must be a fully-qualified domain with no fragments and '.
|
|
'must have the same domain and at least the same query '.
|
|
'parameters as the redirect URI the client registered.'
|
|
);
|
|
return $response;
|
|
}
|
|
$uri = $redirect_uri;
|
|
$access_token_uri = $uri;
|
|
} else {
|
|
$uri = new PhutilURI($client->getRedirectURI());
|
|
$access_token_uri = null;
|
|
}
|
|
// we've now validated this request enough overall such that we
|
|
// can safely redirect to the client with the response
|
|
$response->setClientURI($uri);
|
|
|
|
if (empty($response_type)) {
|
|
$response->setError('invalid_request');
|
|
$response->setErrorDescription(
|
|
'Required parameter response_type not specified.'
|
|
);
|
|
return $response;
|
|
}
|
|
if ($response_type != 'code') {
|
|
$response->setError('unsupported_response_type');
|
|
$response->setErrorDescription(
|
|
'The authorization server does not support obtaining an '.
|
|
'authorization code using the specified response_type. '.
|
|
'You must specify the response_type as "code".'
|
|
);
|
|
return $response;
|
|
}
|
|
if ($scope) {
|
|
if (!PhabricatorOAuthServerScope::validateScopesList($scope)) {
|
|
$response->setError('invalid_scope');
|
|
$response->setErrorDescription(
|
|
'The requested scope is invalid, unknown, or malformed.'
|
|
);
|
|
return $response;
|
|
}
|
|
$scope = PhabricatorOAuthServerScope::scopesListToDict($scope);
|
|
}
|
|
|
|
$authorization = $server->userHasAuthorizedClient($scope);
|
|
if ($authorization) {
|
|
$return_auth_code = true;
|
|
$unguarded_write = AphrontWriteGuard::beginScopedUnguardedWrites();
|
|
} else if ($request->isFormPost()) {
|
|
$scope = PhabricatorOAuthServerScope::getScopesFromRequest($request);
|
|
$authorization = $server->authorizeClient($scope);
|
|
$return_auth_code = true;
|
|
$unguarded_write = null;
|
|
} else {
|
|
$return_auth_code = false;
|
|
$unguarded_write = null;
|
|
}
|
|
|
|
if ($return_auth_code) {
|
|
// step 1 -- generate authorization code
|
|
$auth_code =
|
|
$server->generateAuthorizationCode($access_token_uri);
|
|
|
|
// step 2 return it
|
|
$content = array(
|
|
'code' => $auth_code->getCode(),
|
|
'scope' => $authorization->getScopeString(),
|
|
);
|
|
$response->setContent($content);
|
|
return $response->setClientURI($uri);
|
|
}
|
|
unset($unguarded_write);
|
|
} catch (Exception $e) {
|
|
// Note we could try harder to determine between a server_error
|
|
// vs temporarily_unavailable. Good enough though.
|
|
$response->setError('server_error');
|
|
$response->setErrorDescription(
|
|
'The authorization server encountered an unexpected condition '.
|
|
'which prevented it from fulfilling the request. '
|
|
);
|
|
return $response;
|
|
}
|
|
|
|
// display time -- make a nice form for the user to grant the client
|
|
// access to the granularity specified by $scope
|
|
$name = phutil_escape_html($client->getName());
|
|
$title = 'Authorize ' . $name . '?';
|
|
$panel = new AphrontPanelView();
|
|
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
|
$panel->setHeader($title);
|
|
|
|
$description =
|
|
"Do want to authorize {$name} to access your ".
|
|
"Phabricator account data?";
|
|
|
|
if ($scope) {
|
|
$desired_scopes = $scope;
|
|
if (!PhabricatorOAuthServerScope::validateScopesDict($desired_scopes)) {
|
|
$response->setError('invalid_scope');
|
|
$response->setErrorDescription(
|
|
'The requested scope is invalid, unknown, or malformed.'
|
|
);
|
|
return $response;
|
|
}
|
|
} else {
|
|
$desired_scopes = array(
|
|
PhabricatorOAuthServerScope::SCOPE_WHOAMI => 1,
|
|
PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS => 1
|
|
);
|
|
}
|
|
|
|
$cancel_uri = $this->getClientURI($client, $redirect_uri);
|
|
$cancel_params = array(
|
|
'error' => 'access_denied',
|
|
'error_description' =>
|
|
'The resource owner (aka the user) denied the request.'
|
|
);
|
|
$cancel_uri->setQueryParams($cancel_params);
|
|
|
|
$form = id(new AphrontFormView())
|
|
->setUser($current_user)
|
|
->appendChild(
|
|
id(new AphrontFormStaticControl())
|
|
->setValue($description)
|
|
)
|
|
->appendChild(
|
|
PhabricatorOAuthServerScope::getCheckboxControl()
|
|
)
|
|
->appendChild(
|
|
id(new AphrontFormSubmitControl())
|
|
->setValue('Authorize')
|
|
->addCancelButton($cancel_uri)
|
|
);
|
|
|
|
$panel->appendChild($form);
|
|
|
|
return $this->buildStandardPageResponse(
|
|
$panel,
|
|
array('title' => $title));
|
|
}
|
|
|
|
}
|