
OAuth - add concept of "trusted" clients that get auto redirects

Summary: Fixes T7153.

Test Plan:
used `bin/auth trust-oauth-client` and `bin/auth untrust-oauth-client` to set the bit and verify error states.

registered via oauth with `bin/auth trust-oauth-client` set and I did not have the confirmation screen
registered via oauth with `bin/auth untrust-oauth-client` set and I did have the confirmation screen

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7153

Differential Revision: https://secure.phabricator.com/D11724

+138
+2
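--- a/resources/sql/autopatches/20150209.oauthclient.trust.sql
+++ b/resources/sql/autopatches/20150209.oauthclient.trust.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
+ADD isTrusted TINYINT(1) NOT NULL DEFAULT '0' AFTER creatorPHID;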
+4
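--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1353,6 +1353,8 @@
 'PhabricatorAuthManagementRecoverWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php',
 'PhabricatorAuthManagementRefreshWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php',
 'PhabricatorAuthManagementStripWorkflow' => 'applications/auth/management/PhabricatorAuthManagementStripWorkflow.php',
+'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php',
+'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php',
 'PhabricatorAuthManagementWorkflow' => 'applications/auth/management/PhabricatorAuthManagementWorkflow.php',
 'PhabricatorAuthNeedsApprovalController' => 'applications/auth/controller/PhabricatorAuthNeedsApprovalController.php',
 'PhabricatorAuthNeedsMultiFactorController' => 'applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php',
@@ -4557,6 +4559,8 @@
 'PhabricatorAuthManagementRecoverWorkflow' => 'PhabricatorAuthManagementWorkflow',
 'PhabricatorAuthManagementRefreshWorkflow' => 'PhabricatorAuthManagementWorkflow',
 'PhabricatorAuthManagementStripWorkflow' => 'PhabricatorAuthManagementWorkflow',
+'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
+'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow',
 'PhabricatorAuthManagementWorkflow' => 'PhabricatorManagementWorkflow',
 'PhabricatorAuthNeedsApprovalController' => 'PhabricatorAuthController',
 'PhabricatorAuthNeedsMultiFactorController' => 'PhabricatorAuthController',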
+62
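--- a/src/applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php
+++ b/src/applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php
@@ -0,0 +1,62 @@
+<?php
+
+final class PhabricatorAuthManagementTrustOAuthClientWorkflow
+extends PhabricatorAuthManagementWorkflow {
+
+protected function didConstruct() {
+$this
+->setName('trust-oauth-client')
+->setExamples('**trust-oauth-client** [--id client_id]')
+->setSynopsis(
+pht(
+'Set Phabricator to trust an OAuth client. Phabricator '.
+'redirects to trusted OAuth clients that users have authorized '.
+'without user intervention.'))
+->setArguments(
+array(
+array(
+'name' => 'id',
+'param' => 'id',
+'help' => pht('The id of the OAuth client.'),
+),));
+}
+
+public function execute(PhutilArgumentParser $args) {
+$id = $args->getArg('id');
+
+if (!$id) {
+throw new PhutilArgumentUsageException(
+pht(
+'Specify an OAuth client id with --id.'));
+}
+
+$client = id(new PhabricatorOAuthServerClientQuery())
+->setViewer($this->getViewer())
+->withIDs(array($id))
+->executeOne();
+
+if (!$client) {
+throw new PhutilArgumentUsageException(
+pht(
+'Failed to find an OAuth client with id %s.', $id));
+}
+
+if ($client->getIsTrusted()) {
+throw new PhutilArgumentUsageException(
+pht(
+'Phabricator already trusts OAuth client "%s".',
+$client->getName()));
+}
+
+$client->setIsTrusted(1);
+$client->save();
+
+$console = PhutilConsole::getConsole();
+$console->writeOut(
+"%s\n",
+pht(
+'Updated; Phabricator trusts OAuth client %s.',
+$client->getName()));
+}
+
+}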
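Review bot: The success message at the end of execute() identifies the client only by `getName()`, which is little to go on for a change that removes the confirmation screen for every user of that client; the operator should see exactly which registration was changed. Consider printing the id and the registered redirect URI too, e.g. `pht('Updated; Phabricator trusts OAuth client %s (id %s, redirect URI %s).', $client->getName(), $id, $client->getRedirectURI())`. The example string `[--id client_id]` also presents `--id` as optional although execute() throws without it, so `--id __client_id__` would match the behaviour. Both points apply equally to PhabricatorAuthManagementUntrustOAuthClientWorkflow, which repeats this class apart from the bit value and the messages.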
+62
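--- a/src/applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php
+++ b/src/applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php
@@ -0,0 +1,62 @@
+<?php
+
+final class PhabricatorAuthManagementUntrustOAuthClientWorkflow
+extends PhabricatorAuthManagementWorkflow {
+
+protected function didConstruct() {
+$this
+->setName('untrust-oauth-client')
+->setExamples('**untrust-oauth-client** [--id client_id]')
+->setSynopsis(
+pht(
+'Set Phabricator to not trust an OAuth client. Phabricator '.
+'redirects to trusted OAuth clients that users have authorized '.
+'without user intervention.'))
+->setArguments(
+array(
+array(
+'name' => 'id',
+'param' => 'id',
+'help' => pht('The id of the OAuth client.'),
+),));
+}
+
+public function execute(PhutilArgumentParser $args) {
+$id = $args->getArg('id');
+
+if (!$id) {
+throw new PhutilArgumentUsageException(
+pht(
+'Specify an OAuth client id with --id.'));
+}
+
+$client = id(new PhabricatorOAuthServerClientQuery())
+->setViewer($this->getViewer())
+->withIDs(array($id))
+->executeOne();
+
+if (!$client) {
+throw new PhutilArgumentUsageException(
+pht(
+'Failed to find an OAuth client with id %s.', $id));
+}
+
+if (!$client->getIsTrusted()) {
+throw new PhutilArgumentUsageException(
+pht(
+'Phabricator already does not trust OAuth client "%s".',
+$client->getName()));
+}
+
+$client->setIsTrusted(0);
+$client->save();
+
+$console = PhutilConsole::getConsole();
+$console->writeOut(
+"%s\n",
+pht(
+'Updated; Phabricator does not trust OAuth client %s.',
+$client->getName()));
+}
+
+}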
+6
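--- a/src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php
+++ b/src/applications/oauthserver/controller/PhabricatorOAuthServerAuthController.php
@@ -182,6 +182,12 @@
 'state' => $state,
 ));
 
+if ($client->getIsTrusted()) {
+return id(new AphrontRedirectResponse())
+->setIsExternal(true)
+->setURI((string)$full_uri);
+}
+
 // TODO: It would be nice to give the user more options here, like
 // reviewing permissions, canceling the authorization, or aborting
 // the workflow.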
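Review bot: The new early return for trusted clients redirects to `$full_uri` with `setIsExternal(true)` and no dialog, yet nothing at that branch records what must already hold for the silent redirect to be safe. The enclosing method begins and ends outside this hunk, so it is not visible here whether the redirect URI has been checked against the client's registered one, or whether the user's authorization has been stored by this point. If both are guaranteed by the code above, state it where the branch is taken, for example `// Trusted clients skip the confirmation dialog; the redirect URI was validated and the authorization recorded above.` If either is not guaranteed, the trusted branch should sit after those checks rather than rely on the dialog that it bypasses.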
+2
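--- a/src/applications/oauthserver/storage/PhabricatorOAuthServerClient.php
+++ b/src/applications/oauthserver/storage/PhabricatorOAuthServerClient.php
@@ -10,6 +10,7 @@
 protected $name;
 protected $redirectURI;
 protected $creatorPHID;
+protected $isTrusted = 0;
 protected $viewPolicy;
 protected $editPolicy;
 
@@ -40,6 +41,7 @@
 'name' => 'text255',
 'secret' => 'text32',
 'redirectURI' => 'text255',
+'isTrusted' => 'bool',
 ),
 self::CONFIG_KEY_SCHEMA => array(
 'key_phid' => null,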