1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-01-07 05:11:05 +01:00
phorge-phorge/resources/sql/autopatches/20190115.mfa.02.migrate.php
epriestley 0fcff78253 Convert user MFA factors to point at configurable "MFA Providers", not raw "MFA Factors"
Summary:
Ref T13222. Users configure "Factor Configs", which say "I have an entry on my phone for TOTP secret key XYZ".

Currently, these point at raw implementations -- always "TOTP" in practice.

To support configuring available MFA types (like "no MFA") and adding MFA types that need some options set (like "Duo", which needs API keys), bind "Factor Configs" to a "Factor Provider" instead.

In the future, several "Factors" will be available (TOTP, SMS, Duo, Postal Mail, ...). Administrators configure zero or more "MFA Providers" they want to use (e.g., "Duo" + here's my API key). Then users can add configs for these providers (e.g., "here's my Duo account").

Upshot:

  - Factor: a PHP subclass, implements the technical details of a type of MFA factor (TOTP, SMS, Duo, etc).
  - FactorProvider: a storage object, owned by administrators, configuration of a Factor that says "this should be available on this install", plus provides API keys, a human-readable name, etc.
  - FactorConfig: a storage object, owned by a user, says "I have a factor for provider X on my phone/whatever with secret key Q / my duo account is X / my address is Y".

Couple of things not covered here:

  - Statuses for providers ("Disabled", "Deprecated") don't do anything yet, but you can't edit them anyway.
  - Some `bin/auth` tools need to be updated.
  - When no providers are configured, the MFA panel should probably vanish.
  - Documentation.

Test Plan:
  - Ran migration with providers, saw configs point at the first provider.
  - Ran migration without providers, saw a provider created and configs pointed at it.
  - Added/removed factors and providers. Passed MFA gates. Spot-checked database for general sanity.

Reviewers: amckinley

Reviewed By: amckinley

Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19975
2019-01-23 13:37:43 -08:00

72 lines
2.2 KiB
PHP

<?php
// Previously, MFA factors for individual users were bound to raw factor types.
// The only factor type ever implemented in the upstream was "totp".
// Going forward, individual factors are bound to a provider instead. This
// allows factor types to have some configuration, like API keys for
// service-based MFA. It also allows installs to select which types of factors
// they want users to be able to set up.
// Migrate all existing TOTP factors to the first available TOTP provider,
// creating one if none exists. This migration is a little bit messy, but
// gives us a clean slate going forward with no "builtin" providers.
$table = new PhabricatorAuthFactorConfig();
$conn = $table->establishConnection('w');
$provider_table = new PhabricatorAuthFactorProvider();
$provider_phid = null;
$iterator = new LiskRawMigrationIterator($conn, $table->getTableName());
$totp_key = 'totp';
foreach ($iterator as $row) {
// This wasn't a TOTP factor, so skip it.
if ($row['factorKey'] !== $totp_key) {
continue;
}
// This factor already has an associated provider.
if (strlen($row['factorProviderPHID'])) {
continue;
}
// Find (or create) a suitable TOTP provider. Note that we can't "save()"
// an object or this migration will break if the object ever gets new
// columns; just INSERT the raw fields instead.
if ($provider_phid === null) {
$provider_row = queryfx_one(
$conn,
'SELECT phid FROM %R WHERE providerFactorKey = %s LIMIT 1',
$provider_table,
$totp_key);
if ($provider_row) {
$provider_phid = $provider_row['phid'];
} else {
$provider_phid = $provider_table->generatePHID();
queryfx(
$conn,
'INSERT INTO %R
(phid, providerFactorKey, name, status, properties,
dateCreated, dateModified)
VALUES (%s, %s, %s, %s, %s, %d, %d)',
$provider_table,
$provider_phid,
$totp_key,
'',
'active',
'{}',
PhabricatorTime::getNow(),
PhabricatorTime::getNow());
}
}
queryfx(
$conn,
'UPDATE %R SET factorProviderPHID = %s WHERE id = %d',
$table,
$provider_phid,
$row['id']);
}