diff --git a/src/applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php b/src/applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php
--- a/src/applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php
+++ b/src/applications/auth/management/PhabricatorAuthManagementRevokeWorkflow.php
@@ -7,7 +7,8 @@
$this
->setName('revoke')
->setExamples(
- "**revoke** --type __type__ --from __user__\n".
+ "**revoke** --list\n".
+ "**revoke** --type __type__ --from __@user__\n".
"**revoke** --everything --everywhere")
->setSynopsis(
pht(
@@ -16,15 +17,20 @@
array(
array(
'name' => 'from',
- 'param' => 'user',
+ 'param' => 'object',
'help' => pht(
- 'Revoke credentials for the specified user.'),
+ 'Revoke credentials for the specified object. To revoke '.
+ 'credentials for a user, use "@username".'),
),
array(
'name' => 'type',
'param' => 'type',
+ 'help' => pht('Revoke credentials of the given type.'),
+ ),
+ array(
+ 'name' => 'list',
'help' => pht(
- 'Revoke credentials of the given type.'),
+ 'List information about available credential revokers.'),
),
array(
'name' => 'everything',
@@ -42,18 +48,29 @@
}
public function execute(PhutilArgumentParser $args) {
- $viewer = PhabricatorUser::getOmnipotentUser();
+ $viewer = $this->getViewer();
$all_types = PhabricatorAuthRevoker::getAllRevokers();
$is_force = $args->getArg('force');
+ // The "--list" flag is compatible with revoker selection flags like
+ // "--type" to filter the list, but not compatible with target selection
+ // flags like "--from".
+ $is_list = $args->getArg('list');
+
$type = $args->getArg('type');
$is_everything = $args->getArg('everything');
if (!strlen($type) && !$is_everything) {
- throw new PhutilArgumentUsageException(
- pht(
- 'Specify the credential type to revoke with "--type" or specify '.
- '"--everything".'));
+ if ($is_list) {
+ // By default, "bin/revoke --list" implies "--everything".
+ $types = $all_types;
+ } else {
+ throw new PhutilArgumentUsageException(
+ pht(
+ 'Specify the credential type to revoke with "--type" or specify '.
+ '"--everything". Use "--list" to list available credential '.
+ 'types.'));
+ }
} else if (strlen($type) && $is_everything) {
throw new PhutilArgumentUsageException(
pht(
@@ -75,6 +92,32 @@
$is_everywhere = $args->getArg('everywhere');
$from = $args->getArg('from');
+
+ if ($is_list) {
+ if (strlen($from) || $is_everywhere) {
+ throw new PhutilArgumentUsageException(
+ pht(
+ 'You can not "--list" and revoke credentials (with "--from" or '.
+ '"--everywhere") in the same operation.'));
+ }
+ }
+
+ if ($is_list) {
+ $last_key = last_key($types);
+ foreach ($types as $key => $type) {
+ echo tsprintf(
+ "**%s** (%s)\n\n",
+ $type->getRevokerKey(),
+ $type->getRevokerName());
+
+ id(new PhutilConsoleBlock())
+ ->addParagraph(tsprintf('%B', $type->getRevokerDescription()))
+ ->draw();
+ }
+
+ return 0;
+ }
+
$target = null;
if (!strlen($from) && !$is_everywhere) {
throw new PhutilArgumentUsageException(
@@ -133,6 +176,13 @@
'Destroyed %s credential(s) of type "%s".',
new PhutilNumber($count),
$type->getRevokerKey()));
+
+ $guidance = $type->getRevokerNextSteps();
+ if ($guidance !== null) {
+ echo tsprintf(
+ "%s\n",
+ $guidance);
+ }
}
echo tsprintf(
diff --git a/src/applications/auth/revoker/PhabricatorAuthConduitTokenRevoker.php b/src/applications/auth/revoker/PhabricatorAuthConduitTokenRevoker.php
--- a/src/applications/auth/revoker/PhabricatorAuthConduitTokenRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthConduitTokenRevoker.php
@@ -5,6 +5,19 @@
const REVOKERKEY = 'conduit';
+ public function getRevokerName() {
+ return pht('Conduit API Tokens');
+ }
+
+ public function getRevokerDescription() {
+ return pht(
+ "Revokes all Conduit API tokens used to access the API.\n\n".
+ "Users will need to use `arc install-certificate` to install new ".
+ "API tokens before `arc` commands will work. Bots and scripts which ".
+ "access the API will need to have new tokens generated and ".
+ "installed.");
+ }
+
public function revokeAllCredentials() {
$table = id(new PhabricatorConduitToken());
$conn = $table->establishConnection('w');
diff --git a/src/applications/auth/revoker/PhabricatorAuthPasswordRevoker.php b/src/applications/auth/revoker/PhabricatorAuthPasswordRevoker.php
--- a/src/applications/auth/revoker/PhabricatorAuthPasswordRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthPasswordRevoker.php
@@ -5,6 +5,35 @@
const REVOKERKEY = 'password';
+ public function getRevokerName() {
+ return pht('Passwords');
+ }
+
+ public function getRevokerDescription() {
+ return pht(
+ "Revokes all stored passwords.\n\n".
+ "Account passwords and VCS passwords (used to access repositories ".
+ "over HTTP) will both be revoked. Passwords for any third party ".
+ "applications which use shared password infrastructure will also ".
+ "be revoked.\n\n".
+ "Users will need to reset account passwords, possibly by using the ".
+ "\"Forgot Password?\" link on the login page. They will also need ".
+ "to reset VCS passwords.\n\n".
+ "Passwords are revoked, not just removed. Users will be unable to ".
+ "select the passwords they used previously and must choose new, ".
+ "unique passwords.\n\n".
+ "Revoking passwords will not terminate outstanding login sessions. ".
+ "Use the \"session\" revoker in conjunction with this revoker to force ".
+ "users to login again.");
+ }
+
+ public function getRevokerNextSteps() {
+ return pht(
+ 'NOTE: Revoking passwords does not terminate existing sessions which '.
+ 'were established using the old passwords. To terminate existing '.
+ 'sessions, run the "session" revoker now.');
+ }
+
public function revokeAllCredentials() {
$query = new PhabricatorAuthPasswordQuery();
return $this->revokeWithQuery($query);
diff --git a/src/applications/auth/revoker/PhabricatorAuthRevoker.php b/src/applications/auth/revoker/PhabricatorAuthRevoker.php
--- a/src/applications/auth/revoker/PhabricatorAuthRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthRevoker.php
@@ -8,6 +8,13 @@
abstract public function revokeAllCredentials();
abstract public function revokeCredentialsFrom($object);
+ abstract public function getRevokerName();
+ abstract public function getRevokerDescription();
+
+ public function getRevokerNextSteps() {
+ return null;
+ }
+
public function setViewer(PhabricatorUser $viewer) {
$this->viewer = $viewer;
return $this;
diff --git a/src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php b/src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
--- a/src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthSSHRevoker.php
@@ -5,6 +5,18 @@
const REVOKERKEY = 'ssh';
+ public function getRevokerName() {
+ return pht('SSH Keys');
+ }
+
+ public function getRevokerDescription() {
+ return pht(
+ "Revokes all SSH public keys.\n\n".
+ "SSH public keys are revoked, not just removed. Users will need to ".
+ "generate and upload new, unique keys before they can access ".
+ "repositories or other services over SSH.");
+ }
+
public function revokeAllCredentials() {
$query = new PhabricatorAuthSSHKeyQuery();
return $this->revokeWithQuery($query);
diff --git a/src/applications/auth/revoker/PhabricatorAuthSessionRevoker.php b/src/applications/auth/revoker/PhabricatorAuthSessionRevoker.php
--- a/src/applications/auth/revoker/PhabricatorAuthSessionRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthSessionRevoker.php
@@ -5,6 +5,16 @@
const REVOKERKEY = 'session';
+ public function getRevokerName() {
+ return pht('Sessions');
+ }
+
+ public function getRevokerDescription() {
+ return pht(
+ "Revokes all active login sessions.\n\n".
+ "Affected users will be logged out and need to log in again.");
+ }
+
public function revokeAllCredentials() {
$table = new PhabricatorAuthSession();
$conn = $table->establishConnection('w');
diff --git a/src/applications/auth/revoker/PhabricatorAuthTemporaryTokenRevoker.php b/src/applications/auth/revoker/PhabricatorAuthTemporaryTokenRevoker.php
--- a/src/applications/auth/revoker/PhabricatorAuthTemporaryTokenRevoker.php
+++ b/src/applications/auth/revoker/PhabricatorAuthTemporaryTokenRevoker.php
@@ -5,6 +5,19 @@
const REVOKERKEY = 'temporary';
+ public function getRevokerName() {
+ return pht('Temporary Tokens');
+ }
+
+ public function getRevokerDescription() {
+ return pht(
+ "Revokes temporary authentication tokens.\n\n".
+ "Temporary tokens are used in password reset mail, welcome mail, and ".
+ "by some other systems like Git LFS. Revoking temporary tokens will ".
+ "invalidate existing links in password reset and invite mail that ".
+ "was sent before the revocation occurred.");
+ }
+
public function revokeAllCredentials() {
$table = new PhabricatorAuthTemporaryToken();
$conn = $table->establishConnection('w');