diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql new file mode 100644 --- /dev/null +++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql @@ -0,0 +1,2 @@ +ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential + ADD revealPolicy VARBINARY(64) NOT NULL AFTER editPolicy; diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql new file mode 100644 --- /dev/null +++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql @@ -0,0 +1,3 @@ +UPDATE {$NAMESPACE}_passphrase.passphrase_credential + SET revealPolicy = editPolicy + WHERE revealPolicy = ''; diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql new file mode 100644 --- /dev/null +++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql @@ -0,0 +1,3 @@ +UPDATE {$NAMESPACE}_passphrase.passphrase_credentialtransaction + SET transactionType = 'passphrase:revealed' + WHERE transactionType = 'passphrase:lookedAtSecret' diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php --- a/src/__phutil_library_map__.php +++ b/src/__phutil_library_map__.php @@ -1519,12 +1519,14 @@ 'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php', 'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php', 'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php', + 'PassphraseDefaultRevealCapability' => 'applications/passphrase/capability/PassphraseDefaultRevealCapability.php', 'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php', 'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php', 'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php', 'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php', 'PassphraseQueryConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php', 'PassphraseRemarkupRule' => 'applications/passphrase/remarkup/PassphraseRemarkupRule.php', + 'PassphraseRevealCapability' => 'applications/passphrase/capability/PassphraseRevealCapability.php', 'PassphraseSSHGeneratedKeyCredentialType' => 'applications/passphrase/credentialtype/PassphraseSSHGeneratedKeyCredentialType.php', 'PassphraseSSHKey' => 'applications/passphrase/keys/PassphraseSSHKey.php', 'PassphraseSSHPrivateKeyCredentialType' => 'applications/passphrase/credentialtype/PassphraseSSHPrivateKeyCredentialType.php', @@ -5498,12 +5500,14 @@ 'PassphraseCredentialViewController' => 'PassphraseController', 'PassphraseDAO' => 'PhabricatorLiskDAO', 'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability', + 'PassphraseDefaultRevealCapability' => 'PhabricatorPolicyCapability', 'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability', 'PassphraseNoteCredentialType' => 'PassphraseCredentialType', 'PassphrasePasswordCredentialType' => 'PassphraseCredentialType', 'PassphrasePasswordKey' => 'PassphraseAbstractKey', 'PassphraseQueryConduitAPIMethod' => 'PassphraseConduitAPIMethod', 'PassphraseRemarkupRule' => 'PhabricatorObjectRemarkupRule', + 'PassphraseRevealCapability' => 'PhabricatorPolicyCapability', 'PassphraseSSHGeneratedKeyCredentialType' => 'PassphraseSSHPrivateKeyCredentialType', 'PassphraseSSHKey' => 'PassphraseAbstractKey', 'PassphraseSSHPrivateKeyCredentialType' => 'PassphraseCredentialType', diff --git a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php --- a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php +++ b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php @@ -80,6 +80,13 @@ 'capability' => PhabricatorPolicyCapability::CAN_EDIT, 'default' => $policy_key, ), + PassphraseDefaultRevealCapability::CAPABILITY => array( + 'caption' => pht( + 'Default reveal policy for newly created credentials.'), + 'template' => PassphraseCredentialPHIDType::TYPECONST, + 'capability' => PassphraseDefaultRevealCapability::CAPABILITY, + 'default' => $policy_key, + ), ); } diff --git a/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php b/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php new file mode 100644 --- /dev/null +++ b/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php @@ -0,0 +1,12 @@ +getStr('username'); $v_view_policy = $request->getStr('viewPolicy'); $v_edit_policy = $request->getStr('editPolicy'); + $v_reveal_policy = $request->getStr('revealPolicy'); $v_is_locked = $request->getStr('lock'); $v_secret = $request->getStr('secret'); @@ -123,6 +124,8 @@ $type_is_locked = PassphraseCredentialTransaction::TYPE_LOCK; $type_view_policy = PhabricatorTransactions::TYPE_VIEW_POLICY; $type_edit_policy = PhabricatorTransactions::TYPE_EDIT_POLICY; + $type_reveal_policy = + PassphraseCredentialTransaction::TYPE_REVEAL_POLICY; $type_space = PhabricatorTransactions::TYPE_SPACE; $xactions = array(); @@ -144,6 +147,10 @@ ->setNewValue($v_edit_policy); $xactions[] = id(new PassphraseCredentialTransaction()) + ->setTransactionType($type_reveal_policy) + ->setNewValue($v_reveal_policy); + + $xactions[] = id(new PassphraseCredentialTransaction()) ->setTransactionType($type_space) ->setNewValue($v_space); @@ -212,6 +219,7 @@ $credential->setViewPolicy($v_view_policy); $credential->setEditPolicy($v_edit_policy); + $credential->setRevealPolicy($v_reveal_policy); } } } @@ -258,6 +266,12 @@ ->setPolicyObject($credential) ->setCapability(PhabricatorPolicyCapability::CAN_EDIT) ->setPolicies($policies)) + ->appendControl( + id(new AphrontFormPolicyControl()) + ->setName('revealPolicy') + ->setPolicyObject($credential) + ->setCapability(PassphraseRevealCapability::CAPABILITY) + ->setPolicies($policies)) ->appendChild( id(new AphrontFormDividerControl())); diff --git a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php --- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php +++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php @@ -13,7 +13,7 @@ ->requireCapabilities( array( PhabricatorPolicyCapability::CAN_VIEW, - PhabricatorPolicyCapability::CAN_EDIT, + PassphraseRevealCapability::CAPABILITY, )) ->needSecrets(true) ->executeOne(); @@ -66,10 +66,10 @@ ->setDisableWorkflowOnCancel(true) ->addCancelButton($view_uri, pht('Done')); - $type_secret = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET; + $type_revealed = PassphraseCredentialTransaction::TYPE_REVEALED; $xactions = array( id(new PassphraseCredentialTransaction()) - ->setTransactionType($type_secret) + ->setTransactionType($type_revealed) ->setNewValue(true), ); diff --git a/src/applications/passphrase/controller/PassphraseCredentialViewController.php b/src/applications/passphrase/controller/PassphraseCredentialViewController.php --- a/src/applications/passphrase/controller/PassphraseCredentialViewController.php +++ b/src/applications/passphrase/controller/PassphraseCredentialViewController.php @@ -97,6 +97,10 @@ $viewer, $credential, PhabricatorPolicyCapability::CAN_EDIT); + $can_reveal = PhabricatorPolicyFilter::hasCapability( + $viewer, + $credential, + PassphraseRevealCapability::CAPABILITY); $actions->addAction( id(new PhabricatorActionView()) @@ -117,10 +121,10 @@ $actions->addAction( id(new PhabricatorActionView()) - ->setName(pht('Show Secret')) + ->setName(pht('Reveal Secret')) ->setIcon('fa-eye') ->setHref($this->getApplicationURI("reveal/{$id}/")) - ->setDisabled(!$can_edit || $is_locked) + ->setDisabled(!$can_reveal || $is_locked) ->setWorkflow(true)); if ($type->hasPublicKey()) { @@ -177,6 +181,10 @@ pht('Editable By'), $descriptions[PhabricatorPolicyCapability::CAN_EDIT]); + $properties->addProperty( + pht('Revealable By'), + $descriptions[PassphraseRevealCapability::CAPABILITY]); + if ($type->shouldRequireUsername()) { $properties->addProperty( pht('Username'), diff --git a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php --- a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php +++ b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php @@ -22,9 +22,10 @@ $types[] = PassphraseCredentialTransaction::TYPE_USERNAME; $types[] = PassphraseCredentialTransaction::TYPE_SECRET_ID; $types[] = PassphraseCredentialTransaction::TYPE_DESTROY; - $types[] = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET; + $types[] = PassphraseCredentialTransaction::TYPE_REVEALED; $types[] = PassphraseCredentialTransaction::TYPE_LOCK; $types[] = PassphraseCredentialTransaction::TYPE_CONDUIT; + $types[] = PassphraseCredentialTransaction::TYPE_REVEAL_POLICY; return $types; } @@ -50,11 +51,11 @@ return (int)$object->getIsLocked(); case PassphraseCredentialTransaction::TYPE_CONDUIT: return (int)$object->getAllowConduit(); - case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET: + case PassphraseCredentialTransaction::TYPE_REVEALED: return null; + default: + return parent::getCustomTransactionOldValue($object, $xaction); } - - return parent::getCustomTransactionOldValue($object, $xaction); } protected function getCustomTransactionNewValue( @@ -65,15 +66,17 @@ case PassphraseCredentialTransaction::TYPE_DESCRIPTION: case PassphraseCredentialTransaction::TYPE_USERNAME: case PassphraseCredentialTransaction::TYPE_SECRET_ID: - case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET: + case PassphraseCredentialTransaction::TYPE_REVEALED: return $xaction->getNewValue(); case PassphraseCredentialTransaction::TYPE_DESTROY: case PassphraseCredentialTransaction::TYPE_LOCK: return (int)$xaction->getNewValue(); case PassphraseCredentialTransaction::TYPE_CONDUIT: return (int)$xaction->getNewValue(); + + default: + return parent::getCustomTransactionNewValue($object, $xaction); } - return parent::getCustomTransactionNewValue($object, $xaction); } protected function applyCustomInternalTransaction( @@ -108,7 +111,7 @@ } } return; - case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET: + case PassphraseCredentialTransaction::TYPE_REVEALED: return; case PassphraseCredentialTransaction::TYPE_LOCK: $object->setIsLocked((int)$xaction->getNewValue()); @@ -116,9 +119,14 @@ case PassphraseCredentialTransaction::TYPE_CONDUIT: $object->setAllowConduit((int)$xaction->getNewValue()); return; - } - return parent::applyCustomInternalTransaction($object, $xaction); + case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY: + $object->setRevealPolicy($xaction->getNewValue()); + break; + + default: + return parent::applyCustomInternalTransaction($object, $xaction); + } } protected function applyCustomExternalTransaction( @@ -131,13 +139,15 @@ case PassphraseCredentialTransaction::TYPE_USERNAME: case PassphraseCredentialTransaction::TYPE_SECRET_ID: case PassphraseCredentialTransaction::TYPE_DESTROY: - case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET: + case PassphraseCredentialTransaction::TYPE_REVEALED: case PassphraseCredentialTransaction::TYPE_LOCK: case PassphraseCredentialTransaction::TYPE_CONDUIT: + case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY: return; - } - return parent::applyCustomExternalTransaction($object, $xaction); + default: + return parent::applyCustomExternalTransaction($object, $xaction); + } } private function destroySecret($secret_id) { diff --git a/src/applications/passphrase/storage/PassphraseCredential.php b/src/applications/passphrase/storage/PassphraseCredential.php --- a/src/applications/passphrase/storage/PassphraseCredential.php +++ b/src/applications/passphrase/storage/PassphraseCredential.php @@ -14,6 +14,7 @@ protected $providesType; protected $viewPolicy; protected $editPolicy; + protected $revealPolicy; protected $description; protected $username; protected $secretID; @@ -33,6 +34,8 @@ $view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY); $edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY); + $reveal_policy = $app->getPolicy( + PassphraseDefaultRevealCapability::CAPABILITY); return id(new PassphraseCredential()) ->setName('') @@ -42,6 +45,7 @@ ->setAuthorPHID($actor->getPHID()) ->setViewPolicy($view_policy) ->setEditPolicy($edit_policy) + ->setRevealPolicy($reveal_policy) ->setSpacePHID($actor->getDefaultSpacePHID()); } @@ -62,6 +66,7 @@ 'isDestroyed' => 'bool', 'isLocked' => 'bool', 'allowConduit' => 'bool', + 'revealPolicy' => 'policy', ), self::CONFIG_KEY_SCHEMA => array( 'key_secret' => array( @@ -128,6 +133,7 @@ return array( PhabricatorPolicyCapability::CAN_VIEW, PhabricatorPolicyCapability::CAN_EDIT, + PassphraseRevealCapability::CAPABILITY, ); } @@ -137,6 +143,8 @@ return $this->getViewPolicy(); case PhabricatorPolicyCapability::CAN_EDIT: return $this->getEditPolicy(); + case PassphraseRevealCapability::CAPABILITY: + return $this->getRevealPolicy(); } } diff --git a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php --- a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php +++ b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php @@ -3,14 +3,15 @@ final class PassphraseCredentialTransaction extends PhabricatorApplicationTransaction { - const TYPE_NAME = 'passphrase:name'; - const TYPE_DESCRIPTION = 'passphrase:description'; - const TYPE_USERNAME = 'passphrase:username'; - const TYPE_SECRET_ID = 'passphrase:secretID'; - const TYPE_DESTROY = 'passphrase:destroy'; - const TYPE_LOOKEDATSECRET = 'passphrase:lookedAtSecret'; - const TYPE_LOCK = 'passphrase:lock'; - const TYPE_CONDUIT = 'passphrase:conduit'; + const TYPE_NAME = 'passphrase:name'; + const TYPE_DESCRIPTION = 'passphrase:description'; + const TYPE_USERNAME = 'passphrase:username'; + const TYPE_SECRET_ID = 'passphrase:secretID'; + const TYPE_DESTROY = 'passphrase:destroy'; + const TYPE_REVEALED = 'passphrase:revealed'; + const TYPE_LOCK = 'passphrase:lock'; + const TYPE_CONDUIT = 'passphrase:conduit'; + const TYPE_REVEAL_POLICY = 'passphrase:reveal-policy'; public function getApplicationName() { return 'passphrase'; @@ -24,6 +25,26 @@ return null; } + public function getRequiredHandlePHIDs() { + $phids = parent::getRequiredHandlePHIDs(); + + $old = $this->getOldValue(); + $new = $this->getNewValue(); + + switch ($this->getTransactionType()) { + case self::TYPE_REVEAL_POLICY: + if ($old) { + $phids[] = $old; + } + if ($new) { + $phids[] = $new; + } + break; + } + + return $phids; + } + public function shouldHide() { $old = $this->getOldValue(); switch ($this->getTransactionType()) { @@ -33,7 +54,7 @@ return ($old === null); case self::TYPE_USERNAME: return !strlen($old); - case self::TYPE_LOOKEDATSECRET: + case self::TYPE_REVEALED: return false; } return parent::shouldHide(); @@ -84,9 +105,9 @@ return pht( '%s destroyed this credential.', $this->renderHandleLink($author_phid)); - case self::TYPE_LOOKEDATSECRET: + case self::TYPE_REVEALED: return pht( - '%s examined the secret plaintext for this credential.', + '%s revealed the secret plaintext for this credential.', $this->renderHandleLink($author_phid)); case self::TYPE_LOCK: return pht( @@ -103,6 +124,12 @@ $this->renderHandleLink($author_phid)); } break; + case self::TYPE_REVEAL_POLICY: + return pht( + '%s changed the reveal policy from "%s" to "%s".', + $this->renderHandleLink($author_phid), + $this->renderPolicyName($old, 'old'), + $this->renderPolicyName($new, 'new')); } return parent::getTitle(); diff --git a/src/applications/paste/storage/PhabricatorPaste.php b/src/applications/paste/storage/PhabricatorPaste.php --- a/src/applications/paste/storage/PhabricatorPaste.php +++ b/src/applications/paste/storage/PhabricatorPaste.php @@ -183,12 +183,12 @@ } public function getPolicy($capability) { - if ($capability == PhabricatorPolicyCapability::CAN_VIEW) { - return $this->viewPolicy; - } else if ($capability == PhabricatorPolicyCapability::CAN_EDIT) { - return $this->editPolicy; + switch ($capability) { + case PhabricatorPolicyCapability::CAN_VIEW: + return $this->viewPolicy; + case PhabricatorPolicyCapability::CAN_EDIT: + return $this->editPolicy; } - return PhabricatorPolicies::POLICY_NOONE; } public function hasAutomaticCapability($capability, PhabricatorUser $user) { diff --git a/src/applications/transactions/constants/PhabricatorTransactions.php b/src/applications/transactions/constants/PhabricatorTransactions.php --- a/src/applications/transactions/constants/PhabricatorTransactions.php +++ b/src/applications/transactions/constants/PhabricatorTransactions.php @@ -12,7 +12,7 @@ const TYPE_BUILDABLE = 'harbormaster:buildable'; const TYPE_TOKEN = 'token:give'; const TYPE_INLINESTATE = 'core:inlinestate'; - const TYPE_SPACE = 'core:space'; + const TYPE_SPACE = 'core:space'; const COLOR_RED = 'red'; const COLOR_ORANGE = 'orange';