26f283fe21
Summary: Resolves T5868. This implements `passphrase.query` and a mechanism for allowing Conduit access to credentials. Test Plan: Tested locally. Reviewers: epriestley, #blessed_reviewers Reviewed By: epriestley, #blessed_reviewers Subscribers: talshiri, epriestley, Korvin Maniphest Tasks: T5868 Differential Revision: https://secure.phabricator.com/D10262
<?php
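/**
 * Toggles whether a Passphrase credential may be retrieved through Conduit
 * (the `passphrase.query` method named in the confirmation dialogs).
 *
 * Flipping this flag widens or narrows where the credential's secret can be
 * read from, so the request is gated three ways before anything is written:
 * the viewer must hold both CAN_VIEW and CAN_EDIT on the credential, the
 * session must pass requireHighSecuritySession(), and the change is only
 * applied on a form POST.
 */
final class PassphraseCredentialConduitController
  extends PassphraseController {

  // Credential ID taken from the request data in willProcessRequest().
  private $id;

  /**
   * Capture the credential ID from the request data.
   *
   * @param array $data Request data; the 'id' key is read.
   */
  public function willProcessRequest(array $data) {
    $this->id = $data['id'];
  }

  /**
   * Show the confirmation dialog, or apply the toggle on a form POST.
   *
   * @return Aphront404Response|AphrontRedirectResponse|mixed A 404 when the
   *   credential cannot be loaded with the required capabilities, a redirect
   *   to the credential page after a successful change, otherwise the
   *   dialog built by newDialog().
   * @throws Exception When the credential's type constant does not resolve
   *   to a known credential type.
   */
  public function processRequest() {
    $request = $this->getRequest();
    $viewer = $request->getUser();

    // Load with CAN_VIEW *and* CAN_EDIT. A credential the viewer cannot
    // edit yields no result and is answered with the same 404 as a
    // credential that does not exist.
    $credential = id(new PassphraseCredentialQuery())
      ->setViewer($viewer)
      ->withIDs(array($this->id))
      ->requireCapabilities(
        array(
          PhabricatorPolicyCapability::CAN_VIEW,
          PhabricatorPolicyCapability::CAN_EDIT,
        ))
      ->executeOne();
    if (!$credential) {
      return new Aphront404Response();
    }

    $view_uri = '/K'.$credential->getID();

    // Runs before the dialog is rendered and before any write. The returned
    // token is not needed here, so it is not kept.
    // NOTE(review): presumably this interrupts the request (re-auth prompt)
    // when the session is not in high-security mode -- confirm against
    // PhabricatorAuthSessionEngine.
    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
      $viewer,
      $request,
      $view_uri);

    $type_constant = $credential->getCredentialType();
    $type = PassphraseCredentialType::getTypeByConstant($type_constant);
    if (!$type) {
      // Report the stored constant. The lookup result is empty on this
      // path, so formatting it would always produce an empty type name.
      throw new Exception(
        pht('Credential has invalid type "%s"!', $type_constant));
    }

    // NOTE(review): isFormPost() is relied on to reject non-POST and
    // (presumably) CSRF-invalid submissions -- verify in AphrontRequest.
    if ($request->isFormPost()) {
      // NOTE(review): the new value is the negation of the flag as stored
      // at POST time, not the state the dialog described. A submission from
      // a stale dialog therefore applies the opposite of what the user
      // confirmed; carrying the intended state in the form would close
      // that gap.
      $xactions = array();
      $xactions[] = id(new PassphraseCredentialTransaction())
        ->setTransactionType(PassphraseCredentialTransaction::TYPE_CONDUIT)
        ->setNewValue(!$credential->getAllowConduit());

      // Applied through the transaction editor with the viewer as actor.
      id(new PassphraseCredentialTransactionEditor())
        ->setActor($viewer)
        ->setContinueOnMissingFields(true)
        ->setContentSourceFromRequest($request)
        ->applyTransactions($credential, $xactions);

      return id(new AphrontRedirectResponse())->setURI($view_uri);
    }

    if ($credential->getAllowConduit()) {
      return $this->newDialog()
        ->setTitle(pht('Prevent Conduit access?'))
        ->appendChild(
          pht(
            'This credential and its secret will no longer be able '.
            'to be retrieved using the `passphrase.query` method '.
            'in Conduit.'))
        ->addSubmitButton(pht('Prevent Conduit Access'))
        ->addCancelButton($view_uri);
    }

    return $this->newDialog()
      ->setTitle(pht('Allow Conduit access?'))
      ->appendChild(
        pht(
          'This credential will be able to be retrieved via the Conduit '.
          'API by users who have access to this credential. You should '.
          'only enable this for credentials which need to be accessed '.
          'programmatically (such as from build agents).'))
      ->addSubmitButton(pht('Allow Conduit Access'))
      ->addCancelButton($view_uri);
  }

}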