
Add "bin/auth revoke --list" to explain what can be revoked

Summary:
Depends on D18908. Ref T13043. Allow users to get information about what revokers do with a new `--list` flag.

You can use `--list --type <key>` to get information about a specific revoker.

Test Plan: Ran `bin/auth revoke --list`, saw a list of revokers with useful information.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13043

Differential Revision: https://secure.phabricator.com/D18910

+143 -9
+59 -9
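--- a/src/applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php
+++ b/src/applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php
@@ -7,7 +7,8 @@
     $this
       ->setName('revoke')
       ->setExamples(
-        "**revoke** --type __type__ --from __user__\n".
+        "**revoke** --list\n".
+        "**revoke** --type __type__ --from __@user__\n".
         "**revoke** --everything --everywhere")
       ->setSynopsis(
         pht(
@@ -16,15 +17,20 @@
         array(
           array(
             'name' => 'from',
-            'param' => 'user',
+            'param' => 'object',
             'help' => pht(
-              'Revoke credentials for the specified user.'),
+              'Revoke credentials for the specified object. To revoke '.
+              'credentials for a user, use "@username".'),
           ),
           array(
             'name' => 'type',
             'param' => 'type',
+            'help' => pht('Revoke credentials of the given type.'),
+          ),
+          array(
+            'name' => 'list',
             'help' => pht(
-              'Revoke credentials of the given type.'),
+              'List information about available credential revokers.'),
           ),
           array(
             'name' => 'everything',
@@ -42,18 +48,29 @@
   }
 
   public function execute(PhutilArgumentParser $args) {
-    $viewer = PhabricatorUser::getOmnipotentUser();
+    $viewer = $this->getViewer();
 
     $all_types = PhabricatorAuthRevoker::getAllRevokers();
     $is_force = $args->getArg('force');
 
+    // The "--list" flag is compatible with revoker selection flags like
+    // "--type" to filter the list, but not compatible with target selection
+    // flags like "--from".
+    $is_list = $args->getArg('list');
+
     $type = $args->getArg('type');
     $is_everything = $args->getArg('everything');
     if (!strlen($type) && !$is_everything) {
-      throw new PhutilArgumentUsageException(
-        pht(
-          'Specify the credential type to revoke with "--type" or specify '.
-          '"--everything".'));
+      if ($is_list) {
+        // By default, "bin/revoke --list" implies "--everything".
+        $types = $all_types;
+      } else {
+        throw new PhutilArgumentUsageException(
+          pht(
+            'Specify the credential type to revoke with "--type" or specify '.
+            '"--everything". Use "--list" to list available credential '.
+            'types.'));
+      }
     } else if (strlen($type) && $is_everything) {
       throw new PhutilArgumentUsageException(
         pht(
@@ -75,6 +92,32 @@
 
     $is_everywhere = $args->getArg('everywhere');
     $from = $args->getArg('from');
+
+    if ($is_list) {
+      if (strlen($from) || $is_everywhere) {
+        throw new PhutilArgumentUsageException(
+          pht(
+            'You can not "--list" and revoke credentials (with "--from" or '.
+            '"--everywhere") in the same operation.'));
+      }
+    }
+
+    if ($is_list) {
+      $last_key = last_key($types);
+      foreach ($types as $key => $type) {
+        echo tsprintf(
+          "**%s** (%s)\n\n",
+          $type->getRevokerKey(),
+          $type->getRevokerName());
+
+        id(new PhutilConsoleBlock())
+          ->addParagraph(tsprintf('%B', $type->getRevokerDescription()))
+          ->draw();
+      }
+
+      return 0;
+    }
+
     $target = null;
     if (!strlen($from) && !$is_everywhere) {
       throw new PhutilArgumentUsageException(
@@ -133,6 +176,13 @@
           'Destroyed %s credential(s) of type "%s".',
           new PhutilNumber($count),
           $type->getRevokerKey()));
+
+      $guidance = $type->getRevokerNextSteps();
+      if ($guidance !== null) {
+        echo tsprintf(
+          "%s\n",
+          $guidance);
+      }
     }
 
     echo tsprintf(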
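Review bot: `$last_key = last_key($types);` in the listing branch of `execute()` is assigned and never read, and the loop binds a `$key` it does not use either; the branch returns right after the loop, so neither can be needed later. Drop the assignment and iterate with `foreach ($types as $type) {`. The two consecutive `if ($is_list)` blocks could also be a single block, with the `--from`/`--everywhere` conflict check first. The comment in the earlier hunk names the command as "bin/revoke --list" while the commit title uses `bin/auth revoke --list`; `// By default, "bin/auth revoke --list" implies "--everything".` would match. `execute()` continues past the last hunk shown.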
+13
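--- a/src/applications/auth/revoker/PhabricatorAuthConduitTokenRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthConduitTokenRevoker.php
@@ -5,6 +5,19 @@
 
   const REVOKERKEY = 'conduit';
 
+  public function getRevokerName() {
+    return pht('Conduit API Tokens');
+  }
+
+  public function getRevokerDescription() {
+    return pht(
+      "Revokes all Conduit API tokens used to access the API.\n\n".
+      "Users will need to use `arc install-certificate` to install new ".
+      "API tokens before `arc` commands will work. Bots and scripts which ".
+      "access the API will need to have new tokens generated and ".
+      "installed.");
+  }
+
   public function revokeAllCredentials() {
     $table = id(new PhabricatorConduitToken());
     $conn = $table->establishConnection('w');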
+29
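--- a/src/applications/auth/revoker/PhabricatorAuthPasswordRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthPasswordRevoker.php
@@ -5,6 +5,35 @@
 
   const REVOKERKEY = 'password';
 
+  public function getRevokerName() {
+    return pht('Passwords');
+  }
+
+  public function getRevokerDescription() {
+    return pht(
+      "Revokes all stored passwords.\n\n".
+      "Account passwords and VCS passwords (used to access repositories ".
+      "over HTTP) will both be revoked. Passwords for any third party ".
+      "applications which use shared password infrastructure will also ".
+      "be revoked.\n\n".
+      "Users will need to reset account passwords, possibly by using the ".
+      "\"Forgot Password?\" link on the login page. They will also need ".
+      "to reset VCS passwords.\n\n".
+      "Passwords are revoked, not just removed. Users will be unable to ".
+      "select the passwords they used previously and must choose new, ".
+      "unique passwords.\n\n".
+      "Revoking passwords will not terminate outstanding login sessions. ".
+      "Use the \"session\" revoker in conjunction with this revoker to force ".
+      "users to login again.");
+  }
+
+  public function getRevokerNextSteps() {
+    return pht(
+      'NOTE: Revoking passwords does not terminate existing sessions which '.
+      'were established using the old passwords. To terminate existing '.
+      'sessions, run the "session" revoker now.');
+  }
+
   public function revokeAllCredentials() {
     $query = new PhabricatorAuthPasswordQuery();
     return $this->revokeWithQuery($query);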
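Review bot: The message returned by `getRevokerNextSteps()` tells the operator to run the "session" revoker but not against which target. The workflow prints it after every password revocation, which appears to include `--everything` runs where sessions are revoked in the same pass. During an incident this is the step that actually ends an attacker's logged-in session, so the wording should leave no doubt about scope. Consider ending the string with `'sessions, run the "session" revoker against the same target.'`. A short doc comment above the method saying that the text is shown once the revocation has completed would also help.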
+7
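--- a/src/applications/auth/revoker/PhabricatorAuthRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthRevoker.php
@@ -8,6 +8,13 @@
   abstract public function revokeAllCredentials();
   abstract public function revokeCredentialsFrom($object);
 
+  abstract public function getRevokerName();
+  abstract public function getRevokerDescription();
+
+  public function getRevokerNextSteps() {
+    return null;
+  }
+
   public function setViewer(PhabricatorUser $viewer) {
     $this->viewer = $viewer;
     return $this;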
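Review bot: The three new methods on the base class have no doc comments, so what a revoker author must return is only discoverable by reading the workflow. I would add one line above each, for example `// Short human-readable name shown by "bin/auth revoke --list".` and `// Optional guidance printed after a revocation; return null for none.`. The description is rendered through `tsprintf('%B', ...)` in the workflow, which is worth stating on `getRevokerDescription()` too. Because `getRevokerName()` and `getRevokerDescription()` are abstract, any revoker subclass other than the five updated in this commit would presumably fail to load until it implements them. The class body continues outside the hunk.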
+12
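--- a/src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
@@ -5,6 +5,18 @@
 
   const REVOKERKEY = 'ssh';
 
+  public function getRevokerName() {
+    return pht('SSH Keys');
+  }
+
+  public function getRevokerDescription() {
+    return pht(
+      "Revokes all SSH public keys.\n\n".
+      "SSH public keys are revoked, not just removed. Users will need to ".
+      "generate and upload new, unique keys before they can access ".
+      "repositories or other services over SSH.");
+  }
+
   public function revokeAllCredentials() {
     $query = new PhabricatorAuthSSHKeyQuery();
     return $this->revokeWithQuery($query);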
+10
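--- a/src/applications/auth/revoker/PhabricatorAuthSessionRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthSessionRevoker.php
@@ -5,6 +5,16 @@
 
   const REVOKERKEY = 'session';
 
+  public function getRevokerName() {
+    return pht('Sessions');
+  }
+
+  public function getRevokerDescription() {
+    return pht(
+      "Revokes all active login sessions.\n\n".
+      "Affected users will be logged out and need to log in again.");
+  }
+
   public function revokeAllCredentials() {
     $table = new PhabricatorAuthSession();
     $conn = $table->establishConnection('w');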
+13
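--- a/src/applications/auth/revoker/PhabricatorAuthTemporaryTokenRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthTemporaryTokenRevoker.php
@@ -5,6 +5,19 @@
 
   const REVOKERKEY = 'temporary';
 
+  public function getRevokerName() {
+    return pht('Temporary Tokens');
+  }
+
+  public function getRevokerDescription() {
+    return pht(
+      "Revokes temporary authentication tokens.\n\n".
+      "Temporary tokens are used in password reset mail, welcome mail, and ".
+      "by some other systems like Git LFS. Revoking temporary tokens will ".
+      "invalidate existing links in password reset and invite mail that ".
+      "was sent before the revocation occurred.");
+  }
+
   public function revokeAllCredentials() {
     $table = new PhabricatorAuthTemporaryToken();
     $conn = $table->establishConnection('w');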