
When a user takes actions while in a high security session, note it on the resulting transactions

Summary:
Ref T13197. See PHI873. Record when a user has MFA'd and add a little icon to the transaction, similar to the existing "Silent" icon.

For now, this just makes this stuff more auditable. Future changes may add ways to require MFA for certain specific transactions, outside of the ones that already always require MFA (like revealing credentials).

Test Plan: {F5877960}

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13197

Differential Revision: https://secure.phabricator.com/D19665

+63 -3
+1 -2
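--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -490,8 +490,7 @@
 PhabricatorAuthSession $session,
 $force = false) {
 
-$until = $session->getHighSecurityUntil();
-if ($until > time() || $force) {
+if ($session->isHighSecuritySession() || $force) {
 return new PhabricatorAuthHighSecurityToken();
 }
 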
+16
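--- a/src/applications/auth/storage/PhabricatorAuthSession.php
+++ b/src/applications/auth/storage/PhabricatorAuthSession.php
@@ -74,6 +74,22 @@
 }
 }
 
+public function isHighSecuritySession() {
+$until = $this->getHighSecurityUntil();
+
+if (!$until) {
+return false;
+}
+
+$now = PhabricatorTime::getNow();
+if ($until < $now) {
+return false;
+}
+
+return true;
+}
+
+
 /* -( PhabricatorPolicyInterface )----------------------------------------- */
 
 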
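Review bot: The expiry test `if ($until < $now)` treats a session whose high-security deadline equals the current second as still high-security, whereas the engine check this helper replaces (`$until > time()` in PhabricatorAuthSessionEngine.php) treated that instant as already expired; `if ($until <= $now) { return false; }` keeps the window closed at exactly `$until`, which matters because the engine hands out a PhabricatorAuthHighSecurityToken on this answer. The helper also moves from `time()` to `PhabricatorTime::getNow()`, presumably the project's testable clock, which is a second behavioural change worth a line in the summary. A docblock would help callers read the contract: `/** True while this session's high-security (MFA) window is open; false when no window was opened or it has expired. */`.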
+8
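--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -306,6 +306,14 @@
 return ($this->session !== self::ATTACHABLE);
 }
 
+public function hasHighSecuritySession() {
+if (!$this->hasSession()) {
+return false;
+}
+
+return $this->getSession()->isHighSecuritySession();
+}
+
 private function generateConduitCertificate() {
 return Filesystem::readRandomCharacters(255);
 }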
+4
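--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@@ -850,6 +850,10 @@
 $xaction->setIsSilentTransaction(true);
 }
 
+if ($actor->hasHighSecuritySession()) {
+$xaction->setIsMFATransaction(true);
+}
+
 return $xaction;
 }
 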
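Review bot: The added check records the actor's session state at apply time, not the outcome of an MFA challenge for this particular edit, so `core.mfa` means "the actor held a high-security session when the transaction was applied"; a comment above the `if` would keep the audit marker from being over-read: `// Flag the transaction if the actor is currently in a high-security (MFA) session. This reflects session state at apply time, not a per-transaction MFA check.` The enclosing method starts before the hunk. As `hasHighSecuritySession()` returns false whenever no session is attached to the actor, edits applied without a session are marked non-MFA, which looks like the intended default.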
+14
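--- a/src/applications/transactions/storage/PhabricatorApplicationTransaction.php
+++ b/src/applications/transactions/storage/PhabricatorApplicationTransaction.php
@@ -165,6 +165,14 @@
 return (bool)$this->getMetadataValue('core.silent', false);
 }
 
+public function setIsMFATransaction($mfa) {
+return $this->setMetadataValue('core.mfa', $mfa);
+}
+
+public function getIsMFATransaction() {
+return (bool)$this->getMetadataValue('core.mfa', false);
+}
+
 public function attachComment(
 PhabricatorApplicationTransactionComment $comment) {
 $this->comment = $comment;
@@ -1459,6 +1467,12 @@
 // Don't group silent and nonsilent transactions together.
 $is_silent = $this->getIsSilentTransaction();
 if ($is_silent != $xaction->getIsSilentTransaction()) {
+return false;
+}
+
+// Don't group MFA and non-MFA transactions together.
+$is_mfa = $this->getIsMFATransaction();
+if ($is_mfa != $xaction->getIsMFATransaction()) {
 return false;
 }
 }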
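Review bot: `setIsMFATransaction`/`getIsMFATransaction` carry no docblock, and because `core.mfa` is persisted transaction metadata that will be read as an audit signal, its meaning deserves one line: `/** Whether the actor held a high-security (MFA) session when this transaction was applied. Persisted as metadata under 'core.mfa'. */`. The setter stores `$mfa` as given while the getter normalises with `(bool)`, mirroring the silent-flag pair directly above; casting in the setter (`(bool)$mfa`) would keep the stored value canonical, though that is a style choice. The grouping guard in the second hunk compares two `(bool)` results with `!=`, which is safe here and matches the silent check it copies.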
+2 -1
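--- a/src/applications/transactions/view/PhabricatorApplicationTransactionView.php
+++ b/src/applications/transactions/view/PhabricatorApplicationTransactionView.php
@@ -424,7 +424,8 @@
 ->setIcon($xaction->getIcon())
 ->setColor($xaction->getColor())
 ->setHideCommentOptions($this->getHideCommentOptions())
-->setIsSilent($xaction->getIsSilentTransaction());
+->setIsSilent($xaction->getIsSilentTransaction())
+->setIsMFA($xaction->getIsMFATransaction());
 
 list($token, $token_removed) = $xaction->getToken();
 if ($token) {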
+18
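--- a/src/view/phui/PHUITimelineEventView.php
+++ b/src/view/phui/PHUITimelineEventView.php
@@ -30,6 +30,7 @@
 private $badges = array();
 private $pinboardItems = array();
 private $isSilent;
+private $isMFA;
 
 public function setAuthorPHID($author_phid) {
 $this->authorPHID = $author_phid;
@@ -185,6 +186,15 @@
 
 public function getIsSilent() {
 return $this->isSilent;
+}
+
+public function setIsMFA($is_mfa) {
+$this->isMFA = $is_mfa;
+return $this;
+}
+
+public function getIsMFA() {
+return $this->isMFA;
 }
 
 public function setReallyMajorEvent($me) {
@@ -589,6 +599,14 @@
 $extra[] = id(new PHUIIconView())
 ->setIcon('fa-bell-slash', 'red')
 ->setTooltip(pht('Silent Edit'));
+}
+
+// If this edit was applied while the actor was in high-security mode,
+// provide a hint that it was extra authentic.
+if ($this->getIsMFA()) {
+$extra[] = id(new PHUIIconView())
+->setIcon('fa-vcard', 'green')
+->setTooltip(pht('MFA Authenticated'));
 }
 }
 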