@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
1<?php
2
3final class PhabricatorAuthSetupCheck extends PhabricatorSetupCheck {
4
5 public function getDefaultGroup() {
6 return self::GROUP_IMPORTANT;
7 }
8
9 protected function executeChecks() {
10 // NOTE: We're not actually building these providers. Building providers
11 // can require additional configuration to be present (e.g., to build
12 // redirect and login URIs using `phabricator.base-uri`) and it won't
13 // necessarily be available when running setup checks.
14
15 // Since this check is only meant as a hint to new administrators about
16 // steps they should take, we don't need to be thorough about checking
17 // that providers are enabled, available, correctly configured, etc. As
18 // long as they've created some kind of provider in the auth app before,
19 // they know that it exists and don't need the hint to go check it out.
20
21 $configs = id(new PhabricatorAuthProviderConfigQuery())
22 ->setViewer(PhabricatorUser::getOmnipotentUser())
23 ->execute();
24
25 $did_warn = false;
26 if (!$configs) {
27 $message = pht(
28 'You have not configured any authentication providers yet. You '.
29 'should add a provider (like username/password, LDAP, or GitHub '.
30 'OAuth) so users can register and log in. You can add and configure '.
31 'providers using the Auth Application.');
32
33 $this
34 ->newIssue('auth.noproviders')
35 ->setShortName(pht('No Auth Providers'))
36 ->setName(pht('No Authentication Providers Configured'))
37 ->setMessage($message)
38 ->addLink('/auth/', pht('Auth Application'));
39
40 $did_warn = true;
41 }
42
43 // This check is meant for new administrators, but we don't want to
44 // show both this warning and the "No Auth Providers" warning. Also,
45 // show this as a reminder to go back and do a `bin/auth lock` after
46 // they make their desired changes.
47 $is_locked = PhabricatorEnv::getEnvConfig('auth.lock-config');
48 if (!$is_locked && !$did_warn) {
49 $message = pht(
50 'Your authentication provider configuration is unlocked. Once you '.
51 'finish setting up or modifying authentication, you should lock the '.
52 'configuration to prevent unauthorized changes.'.
53 "\n\n".
54 'Leaving your authentication provider configuration unlocked '.
55 'increases the damage that a compromised administrator account can '.
56 'do to your install. For example, an attacker who compromises an '.
57 'administrator account can change authentication providers to point '.
58 'at a server they control and attempt to intercept usernames and '.
59 'passwords.'.
60 "\n\n".
61 'To prevent this attack, you should configure authentication, and '.
62 'then lock the configuration by running "bin/auth lock" from the '.
63 'command line. This will prevent changing the authentication config '.
64 'without first running "bin/auth unlock".');
65 $this
66 ->newIssue('auth.config-unlocked')
67 ->setShortName(pht('Auth Config Unlocked'))
68 ->setName(pht('Authentication Configuration Unlocked'))
69 ->setSummary(
70 pht(
71 'Authentication configuration is currently unlocked. Once you '.
72 'finish configuring authentication, you should lock it.'))
73 ->setMessage($message)
74 ->addRelatedPhabricatorConfig('auth.lock-config')
75 ->addCommand(
76 hsprintf(
77 '<samp>%s $</samp><kbd>./bin/auth lock</kbd>',
78 PlatformSymbols::getPlatformServerPath()));
79 }
80 }
81}