

Add a workflow and a new config option for locking authentication providers

Summary:
Ref T7667. Adds new flows `bin/auth lock` and `bin/auth unlock` to prevent compromised administrator accounts from doing additional damage by altering the authentication provider configuration.

Note that this currently doesn't actually do anything because we aren't checking this config key in any of the edit controllers yet.

Test Plan: Ran `lock` and `unlock`, checked for correct DB state, observed expected setup warning.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Maniphest Tasks: T7667

Differential Revision: https://secure.phabricator.com/D20394

+126
+4
src/__phutil_library_map__.php
··· 2306 2306 'PhabricatorAuthManagementLDAPWorkflow' => 'applications/auth/management/PhabricatorAuthManagementLDAPWorkflow.php', 2307 2307 'PhabricatorAuthManagementListFactorsWorkflow' => 'applications/auth/management/PhabricatorAuthManagementListFactorsWorkflow.php', 2308 2308 'PhabricatorAuthManagementListMFAProvidersWorkflow' => 'applications/auth/management/PhabricatorAuthManagementListMFAProvidersWorkflow.php', 2309 + 'PhabricatorAuthManagementLockWorkflow' => 'applications/auth/management/PhabricatorAuthManagementLockWorkflow.php', 2309 2310 'PhabricatorAuthManagementRecoverWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php', 2310 2311 'PhabricatorAuthManagementRefreshWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRefreshWorkflow.php', 2311 2312 'PhabricatorAuthManagementRevokeWorkflow' => 'applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php', 2312 2313 'PhabricatorAuthManagementStripWorkflow' => 'applications/auth/management/PhabricatorAuthManagementStripWorkflow.php', 2313 2314 'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementTrustOAuthClientWorkflow.php', 2314 2315 'PhabricatorAuthManagementUnlimitWorkflow' => 'applications/auth/management/PhabricatorAuthManagementUnlimitWorkflow.php', 2316 + 'PhabricatorAuthManagementUnlockWorkflow' => 'applications/auth/management/PhabricatorAuthManagementUnlockWorkflow.php', 2315 2317 'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'applications/auth/management/PhabricatorAuthManagementUntrustOAuthClientWorkflow.php', 2316 2318 'PhabricatorAuthManagementVerifyWorkflow' => 'applications/auth/management/PhabricatorAuthManagementVerifyWorkflow.php', 2317 2319 'PhabricatorAuthManagementWorkflow' => 'applications/auth/management/PhabricatorAuthManagementWorkflow.php', ··· 8174 8176 'PhabricatorAuthManagementLDAPWorkflow' => 'PhabricatorAuthManagementWorkflow', 8175 8177 
'PhabricatorAuthManagementListFactorsWorkflow' => 'PhabricatorAuthManagementWorkflow', 8176 8178 'PhabricatorAuthManagementListMFAProvidersWorkflow' => 'PhabricatorAuthManagementWorkflow', 8179 + 'PhabricatorAuthManagementLockWorkflow' => 'PhabricatorAuthManagementWorkflow', 8177 8180 'PhabricatorAuthManagementRecoverWorkflow' => 'PhabricatorAuthManagementWorkflow', 8178 8181 'PhabricatorAuthManagementRefreshWorkflow' => 'PhabricatorAuthManagementWorkflow', 8179 8182 'PhabricatorAuthManagementRevokeWorkflow' => 'PhabricatorAuthManagementWorkflow', 8180 8183 'PhabricatorAuthManagementStripWorkflow' => 'PhabricatorAuthManagementWorkflow', 8181 8184 'PhabricatorAuthManagementTrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow', 8182 8185 'PhabricatorAuthManagementUnlimitWorkflow' => 'PhabricatorAuthManagementWorkflow', 8186 + 'PhabricatorAuthManagementUnlockWorkflow' => 'PhabricatorAuthManagementWorkflow', 8183 8187 'PhabricatorAuthManagementUntrustOAuthClientWorkflow' => 'PhabricatorAuthManagementWorkflow', 8184 8188 'PhabricatorAuthManagementVerifyWorkflow' => 'PhabricatorAuthManagementWorkflow', 8185 8189 'PhabricatorAuthManagementWorkflow' => 'PhabricatorManagementWorkflow',
+32
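--- /dev/null
+++ b/src/applications/auth/management/PhabricatorAuthManagementLockWorkflow.php
@@ -0,0 +1,32 @@
+<?php
+
+final class PhabricatorAuthManagementLockWorkflow
+  extends PhabricatorAuthManagementWorkflow {
+
+  protected function didConstruct() {
+    $this
+      ->setName('lock')
+      ->setExamples('**lock**')
+      ->setSynopsis(
+        pht(
+          'Lock authentication provider config, to prevent changes to '.
+          'the config without doing **bin/auth unlock**.'));
+  }
+
+  public function execute(PhutilArgumentParser $args) {
+    $console = PhutilConsole::getConsole();
+
+    $key = 'auth.lock-config';
+    $config_entry = PhabricatorConfigEntry::loadConfigEntry($key);
+    $config_entry->setValue(true);
+
+    // If the entry has been deleted, resurrect it.
+    $config_entry->setIsDeleted(0);
+
+    $config_entry->save();
+
+    echo tsprintf(
+      "%s\n",
+      pht('Locked the authentication provider configuration.'));
+  }
+}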
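Review bot: `$console = PhutilConsole::getConsole();` at the top of execute() is assigned and never read, since output goes through `echo tsprintf(...)`; the line should be dropped, and the same dead local appears in PhabricatorAuthManagementUnlockWorkflow::execute(). The two execute() bodies otherwise differ only in the boolean passed to setValue() and the success message, so the load / setValue / setIsDeleted(0) / save sequence belongs in one protected helper on PhabricatorAuthManagementWorkflow, e.g. `setAuthConfigLocked($locked)`, so the two commands cannot drift apart. execute() also ends without an explicit `return 0;`, which the other management workflows conventionally use to signal the exit status.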
+33
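--- /dev/null
+++ b/src/applications/auth/management/PhabricatorAuthManagementUnlockWorkflow.php
@@ -0,0 +1,33 @@
+<?php
+
+final class PhabricatorAuthManagementUnlockWorkflow
+  extends PhabricatorAuthManagementWorkflow {
+
+  protected function didConstruct() {
+    $this
+      ->setName('unlock')
+      ->setExamples('**unlock**')
+      ->setSynopsis(
+        pht(
+          'Unlock the authentication provider config, to make it possible '.
+          'to edit the config using the web UI. Make sure to do '.
+          '**bin/auth lock** when done editing the configuration.'));
+  }
+
+  public function execute(PhutilArgumentParser $args) {
+    $console = PhutilConsole::getConsole();
+
+    $key = 'auth.lock-config';
+    $config_entry = PhabricatorConfigEntry::loadConfigEntry($key);
+    $config_entry->setValue(false);
+
+    // If the entry has been deleted, resurrect it.
+    $config_entry->setIsDeleted(0);
+
+    $config_entry->save();
+
+    echo tsprintf(
+      "%s\n",
+      pht('Unlocked the authentication provider configuration.'));
+  }
+}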
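Review bot: Unlocking writes the config row directly with `$config_entry->save()` rather than through the config transaction editor, so unless save() records history elsewhere, nothing captures when the lock was lifted or by which CLI user. For a control whose stated purpose is limiting what a compromised administrator account can do, the unlock event is the one worth being able to find afterwards; consider recording the change through the config editor so it shows in the option's history, or at least emitting a log line with the timestamp. The success message could also carry the reminder already given in the synopsis, so the operator is told to re-lock at the moment it matters: `pht('Unlocked the authentication provider configuration. Run bin/auth lock when you are done editing.')`.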
+37
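--- a/src/applications/config/check/PhabricatorAuthSetupCheck.php
+++ b/src/applications/config/check/PhabricatorAuthSetupCheck.php
@@ -22,6 +22,7 @@
       ->setViewer(PhabricatorUser::getOmnipotentUser())
       ->execute();
 
+    $did_warn = false;
     if (!$configs) {
       $message = pht(
         'You have not configured any authentication providers yet. You '.
@@ -35,6 +36,42 @@
         ->setName(pht('No Authentication Providers Configured'))
         ->setMessage($message)
         ->addLink('/auth/', pht('Auth Application'));
+
+      $did_warn = true;
+    }
+
+    // This check is meant for new administrators, but we don't want to
+    // show both this warning and the "No Auth Providers" warning. Also,
+    // show this as a reminder to go back and do a `bin/auth lock` after
+    // they make their desired changes.
+    $is_locked = PhabricatorEnv::getEnvConfig('auth.lock-config');
+    if (!$is_locked && !$did_warn) {
+      $message = pht(
+        'Your authentication provider configuration is unlocked. Once you '.
+        'finish setting up or modifying authentication, you should lock the '.
+        'configuration to prevent unauthorized changes.'.
+        "\n\n".
+        'Leaving your authentication provider configuration unlocked '.
+        'increases the damage that a compromised administrator account can '.
+        'do to your install, by, for example, changing the authentication '.
+        'provider to a server they control and intercepting usernames and '.
+        'passwords.'.
+        "\n\n".
+        'To prevent this attack, you should configure your authentication '.
+        'providers, and then lock the configuration by doing `%s` '.
+        'from the command line. This will prevent changing the '.
+        'authentication provider config without first doing `%s`.',
+        'bin/auth lock',
+        'bin/auth unlock');
+      $this
+        ->newIssue('auth.config-unlocked')
+        ->setShortName(pht('Auth Config Unlocked'))
+        ->setName(pht('Authenticaton Provider Configuration Unlocked'))
+        ->setMessage($message)
+        ->addRelatedPhabricatorConfig('auth.lock-config')
+        ->addCommand(
+          hsprintf(
+            '<tt>phabricator/ $</tt> ./bin/auth lock'));
     }
   }
 }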
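Review bot: `->setName(pht('Authenticaton Provider Configuration Unlocked'))` misspells the issue title; it should be `->setName(pht('Authentication Provider Configuration Unlocked'))`, and because it is a pht() string the typo would otherwise be frozen into the translation catalog. The new warning also tells administrators that locking "will prevent changing the authentication provider config without first doing bin/auth unlock", but the commit summary says no edit controller checks auth.lock-config yet, so until that enforcement lands the setup issue promises protection the install does not have; either soften the wording or land the controller check in the same series. The enclosing method starts before the first hunk, so the `$configs` query this relies on is not visible here.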
+20
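--- a/src/applications/config/option/PhabricatorAuthenticationConfigOptions.php
+++ b/src/applications/config/option/PhabricatorAuthenticationConfigOptions.php
@@ -73,6 +73,26 @@
         ->addExample(
           "yourcompany.com\nmail.yourcompany.com",
           pht('Valid Setting')),
+      $this->newOption('auth.lock-config', 'bool', false)
+        ->setBoolOptions(
+          array(
+            pht('Auth provider config must be unlocked before editing'),
+            pht('Auth provider config can be edited without unlocking'),
+          ))
+        ->setSummary(
+          pht(
+            'Require administrators to unlock the authentication provider '.
+            'configuration from the CLI before it can be edited.'))
+        ->setDescription(
+          pht(
+            'Normally, administrators configure authentication providers only '.
+            'once, immediately after instance creation. To further secure '.
+            'your instance, you can set this configuration option to `true`, '.
+            'which will require an adminstrator with CLI access to run '.
+            '`bin/auth unlock` to make any later changes to authentication '.
+            "provider configuration.\n\nAfter changing the config, you should ".
+            'run `bin/auth lock` again from the CLI.'))
+        ->setLocked(true),
       $this->newOption('account.editable', 'bool', true)
         ->setBoolOptions(
           array(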
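Review bot: `'which will require an adminstrator with CLI access to run '.` in the option description misspells administrator and is another pht() string that would carry the typo into translations; it should read `'which will require an administrator with CLI access to run '.`. The `->setLocked(true)` on the option is doing security work, not just housekeeping: if auth.lock-config were web-editable, the same compromised administrator account the option is meant to contain could simply clear it, so a comment above that line, e.g. `// Must stay locked: the lock is only meaningful if it cannot be cleared from the web UI.`, would stop a later maintainer from relaxing it for convenience. The option array this sits in begins and ends outside the hunk.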