
D18898.id45354.diff
No OneTemporary

D18898.id45354.diff

diff --git a/resources/sql/autopatches/20180120.auth.03.vcsdata.sql b/resources/sql/autopatches/20180120.auth.03.vcsdata.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20180120.auth.03.vcsdata.sql
@@ -0,0 +1,5 @@
+INSERT INTO {$NAMESPACE}_auth.auth_password
+ (objectPHID, phid, passwordType, passwordHash, isRevoked,
+ dateCreated, dateModified)
+ SELECT userPHID, '', 'vcs', passwordHash, 0, dateCreated, dateModified
+ FROM {$NAMESPACE}_repository.repository_vcspassword;
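Review bot: The copy leaves every hash in `repository_vcspassword` as well, so after this patch the same credential hashes are stored in two tables, and a revocation later recorded in `auth_password` (`isRevoked` is set to 0 here) has no effect on the old rows. Nothing in this diff drops or empties the source table; if that is deferred on purpose, say so in the patch, e.g. `-- repository_vcspassword is kept for rollback; it is dropped in a later patch.` The rows are also inserted with `phid = ''` and rely on the following `20180120.auth.04.vcsphid.php` patch to receive real PHIDs, which is worth stating in the same comment.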
diff --git a/resources/sql/autopatches/20180120.auth.04.vcsphid.php b/resources/sql/autopatches/20180120.auth.04.vcsphid.php
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20180120.auth.04.vcsphid.php
@@ -0,0 +1,22 @@
+<?php
+
+// Populate VCS passwords (which we copied from the old "VCS Password" table
+// in the last migration) with new PHIDs.
+
+$table = new PhabricatorAuthPassword();
+$conn = $table->establishConnection('w');
+
+foreach (new LiskMigrationIterator($table) as $row) {
+ if ($row->getPHID()) {
+ continue;
+ }
+
+ $new_phid = $row->generatePHID();
+
+ queryfx(
+ $conn,
+ 'UPDATE %T SET phid = %s WHERE id = %d',
+ $table->getTableName(),
+ $new_phid,
+ $row->getID());
+}
diff --git a/src/applications/diffusion/controller/DiffusionServeController.php b/src/applications/diffusion/controller/DiffusionServeController.php
--- a/src/applications/diffusion/controller/DiffusionServeController.php
+++ b/src/applications/diffusion/controller/DiffusionServeController.php
@@ -715,28 +715,17 @@
return null;
}
- $password_entry = id(new PhabricatorRepositoryVCSPassword())
- ->loadOneWhere('userPHID = %s', $user->getPHID());
- if (!$password_entry) {
- // User doesn't have a password set.
- return null;
- }
-
- if (!$password_entry->comparePassword($password, $user)) {
- // Password doesn't match.
- return null;
- }
+ $request = $this->getRequest();
+ $content_source = PhabricatorContentSource::newFromRequest($request);
- // If the user's password is stored using a less-than-optimal hash, upgrade
- // them to the strongest available hash.
+ $engine = id(new PhabricatorAuthPasswordEngine())
+ ->setViewer($user)
+ ->setContentSource($content_source)
+ ->setPasswordType(PhabricatorAuthPassword::PASSWORD_TYPE_VCS)
+ ->setObject($user);
- $hash_envelope = new PhutilOpaqueEnvelope(
- $password_entry->getPasswordHash());
- if (PhabricatorPasswordHasher::canUpgradeHash($hash_envelope)) {
- $password_entry->setPassword($password, $user);
- $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
- $password_entry->save();
- unset($unguarded);
+ if (!$engine->isValidPassword($password)) {
+ return null;
}
return $user;
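Review bot: The removed block rehashed a weakly hashed password after a successful login, inside `AphrontWriteGuard::beginScopedUnguardedWrites()`, while the replacement only calls `$engine->isValidPassword($password)`, so this hunk does not show whether upgrade-on-login still happens. If the engine performs the upgrade, it writes during a VCS request and presumably needs the same unguarded-write scope; if it does not, old hashes are never strengthened. A comment above the call such as `// isValidPassword() also upgrades weak hashes on success.` (or the opposite statement) would settle it for the next reader. The old check also took `$user` as an input (`comparePassword($password, $user)`), so it is worth confirming that hashes copied by the `20180120.auth.03` migration still verify through the engine. The enclosing method starts and ends outside the hunk.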
diff --git a/src/applications/diffusion/panel/DiffusionSetPasswordSettingsPanel.php b/src/applications/diffusion/panel/DiffusionSetPasswordSettingsPanel.php
--- a/src/applications/diffusion/panel/DiffusionSetPasswordSettingsPanel.php
+++ b/src/applications/diffusion/panel/DiffusionSetPasswordSettingsPanel.php
@@ -35,13 +35,20 @@
$request,
'/settings/');
- $vcspassword = id(new PhabricatorRepositoryVCSPassword())
- ->loadOneWhere(
- 'userPHID = %s',
- $user->getPHID());
- if (!$vcspassword) {
- $vcspassword = id(new PhabricatorRepositoryVCSPassword());
- $vcspassword->setUserPHID($user->getPHID());
+ $vcs_type = PhabricatorAuthPassword::PASSWORD_TYPE_VCS;
+
+ $vcspasswords = id(new PhabricatorAuthPasswordQuery())
+ ->setViewer($viewer)
+ ->withObjectPHIDs(array($user->getPHID()))
+ ->withPasswordTypes(array($vcs_type))
+ ->withIsRevoked(false)
+ ->execute();
+ if ($vcspasswords) {
+ $vcspassword = head($vcspasswords);
+ } else {
+ $vcspassword = PhabricatorAuthPassword::initializeNewPassword(
+ $user,
+ $vcs_type);
}
$panel_uri = $this->getPanelURI('?saved=true');
@@ -77,23 +84,32 @@
if (!$errors) {
$envelope = new PhutilOpaqueEnvelope($new_password);
+ $content_source = PhabricatorContentSource::newFromRequest($request);
- try {
- // NOTE: This test is against $viewer (not $user), so that the error
- // message below makes sense in the case that the two are different,
- // and because an admin reusing their own password is bad, while
- // system agents generally do not have passwords anyway.
+ // NOTE: This test is against $viewer (not $user), so that the error
+ // message below makes sense in the case that the two are different,
+ // and because an admin reusing their own password is bad, while
+ // system agents generally do not have passwords anyway.
- $same_password = $viewer->comparePassword($envelope);
- } catch (PhabricatorPasswordHasherUnavailableException $ex) {
- // If we're missing the hasher, just let the user continue.
- $same_password = false;
- }
+ $engine = id(new PhabricatorAuthPasswordEngine())
+ ->setViewer($viewer)
+ ->setContentSource($content_source)
+ ->setObject($viewer)
+ ->setPasswordType($vcs_type);
+
+ $same_password = !$engine->isUniquePassword($envelope);
+ $revoked_password = $engine->isRevokedPassword($envelope);
if ($new_password !== $confirm) {
$e_password = pht('Does Not Match');
$e_confirm = pht('Does Not Match');
$errors[] = pht('Password and confirmation do not match.');
+ } else if ($revoked_password) {
+ $e_password = pht('Revoked');
+ $e_confirm = pht('Revoked');
+ $errors[] = pht(
+ 'This password has been revoked. You must choose a new, unique '.
+ 'password.');
} else if ($same_password) {
$e_password = pht('Not Unique');
$e_confirm = pht('Not Unique');
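Review bot: `isRevokedPassword($envelope)` runs on an engine built with `->setObject($viewer)`, so when an administrator sets the password for a different `$user` the revocation check presumably consults the viewer's revoked passwords, not those of the account being changed. The retained NOTE justifies testing uniqueness against `$viewer` but does not cover the new revoked check; either build a second engine with `->setObject($user)` for `$revoked_password`, or extend the comment to say the viewer scope is intended. The removed `try`/`catch` for `PhabricatorPasswordHasherUnavailableException` also has no replacement here, so if the engine can still throw it, the panel would fail where it used to let the user continue. The `else if` chain continues past the end of the hunk.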

File Metadata

Mime Type
text/plain
Expires
Thu, May 9, 10:27 PM (3 w, 1 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6274132
Default Alt Text
D18898.id45354.diff (5 KB)
