mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-25 08:12:40 +01:00
af295e0b26
for scope Summary: this patch makes the access token response "complete" relative to spec by returning when it expires AND that the token_type is in fact 'Bearer'. This patch also lays the groundwork for scope by fixing the underlying data model and adding the first scope checks for "offline_access" relative to expires and the "whoami" method. Further, conduit is augmented to open up individual methods for access via OAuth generally to enable "whoami" access. There's also a tidy little scope class to keep track of all the various scopes we plan to have as well as strings for display (T849 - work undone) Somewhat of a hack but Conduit methods by default have SCOPE_NOT_ACCESSIBLE. We then don't even bother with the OAuth stuff within conduit if we're not supposed to be accessing the method via Conduit. Felt relatively clean to me in terms of additional code complexity, etc. Next up ends up being T848 (scope in OAuth) and T849 (let user's authorize clients for specific scopes which kinds of needs T850). There's also a bunch of work that needs to be done to return the appropriate, well-formatted error codes. All in due time...! Test Plan: verified that an access_token with no scope doesn't let me see anything anymore. :( verified that access_tokens made awhile ago expire. :( Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Maniphest Tasks: T888, T848 Differential Revision: https://secure.phabricator.com/D1657
103 lines
3 KiB
PHP
103 lines
3 KiB
PHP
<?php
|
|
|
|
/*
|
|
* Copyright 2012 Facebook, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/**
|
|
* @group conduit
|
|
*/
|
|
abstract class ConduitAPIMethod {
|
|
|
|
abstract public function getMethodDescription();
|
|
abstract public function defineParamTypes();
|
|
abstract public function defineReturnType();
|
|
abstract public function defineErrorTypes();
|
|
abstract protected function execute(ConduitAPIRequest $request);
|
|
|
|
public function __construct() {
|
|
|
|
}
|
|
|
|
public function getErrorDescription($error_code) {
|
|
return idx($this->defineErrorTypes(), $error_code, 'Unknown Error');
|
|
}
|
|
|
|
public function getRequiredScope() {
|
|
// by default, conduit methods are not accessible via OAuth
|
|
return PhabricatorOAuthServerScope::SCOPE_NOT_ACCESSIBLE;
|
|
}
|
|
|
|
public function executeMethod(ConduitAPIRequest $request) {
|
|
return $this->execute($request);
|
|
}
|
|
|
|
public function getAPIMethodName() {
|
|
return self::getAPIMethodNameFromClassName(get_class($this));
|
|
}
|
|
|
|
public static function getClassNameFromAPIMethodName($method_name) {
|
|
$method_fragment = str_replace('.', '_', $method_name);
|
|
return 'ConduitAPI_'.$method_fragment.'_Method';
|
|
}
|
|
|
|
public function shouldRequireAuthentication() {
|
|
return true;
|
|
}
|
|
|
|
public function shouldAllowUnguardedWrites() {
|
|
return false;
|
|
}
|
|
|
|
public static function getAPIMethodNameFromClassName($class_name) {
|
|
$match = null;
|
|
$is_valid = preg_match(
|
|
'/^ConduitAPI_(.*)_Method$/',
|
|
$class_name,
|
|
$match);
|
|
if (!$is_valid) {
|
|
throw new Exception(
|
|
"Parameter '{$class_name}' is not a valid Conduit API method class.");
|
|
}
|
|
$method_fragment = $match[1];
|
|
return str_replace('_', '.', $method_fragment);
|
|
}
|
|
|
|
protected function validateHost($host) {
|
|
if (!$host) {
|
|
// If the client doesn't send a host key, don't complain. We should in
|
|
// the future, but this change isn't severe enough to bump the protocol
|
|
// version.
|
|
|
|
// TODO: Remove this once the protocol version gets bumped past 2 (i.e.,
|
|
// require the host key be present and valid).
|
|
return;
|
|
}
|
|
|
|
$host = new PhutilURI($host);
|
|
$host->setPath('/');
|
|
$host = (string)$host;
|
|
|
|
$self = PhabricatorEnv::getURI('/');
|
|
if ($self !== $host) {
|
|
throw new Exception(
|
|
"Your client is connecting to this install as '{$host}', but it is ".
|
|
"configured as '{$self}'. The client and server must use the exact ".
|
|
"same URI to identify the install. Edit your .arcconfig or ".
|
|
"phabricator/conf so they agree on the URI for the install.");
|
|
}
|
|
}
|
|
|
|
}
|