Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F13987143
D11401.id27385.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
10 KB
Referenced Files
None
Subscribers
None
D11401.id27385.diff
View Options
diff --git a/resources/sql/autopatches/20150114.oauthserver.client.policy.sql b/resources/sql/autopatches/20150114.oauthserver.client.policy.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20150114.oauthserver.client.policy.sql
@@ -0,0 +1,11 @@
+ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
+ ADD viewPolicy VARBINARY(64) NOT NULL AFTER creatorPHID;
+
+UPDATE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
+ SET viewPolicy = 'users' WHERE viewPolicy = '';
+
+ALTER TABLE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
+ ADD editPolicy VARBINARY(64) NOT NULL AFTER viewPolicy;
+
+UPDATE {$NAMESPACE}_oauth_server.oauth_server_oauthserverclient
+ SET editPolicy = creatorPHID WHERE viewPolicy = '';
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2003,6 +2003,7 @@
'PhabricatorOAuthClientDeleteController' => 'applications/oauthserver/controller/client/PhabricatorOAuthClientDeleteController.php',
'PhabricatorOAuthClientEditController' => 'applications/oauthserver/controller/client/PhabricatorOAuthClientEditController.php',
'PhabricatorOAuthClientListController' => 'applications/oauthserver/controller/client/PhabricatorOAuthClientListController.php',
+ 'PhabricatorOAuthClientSecretController' => 'applications/oauthserver/controller/client/PhabricatorOAuthClientSecretController.php',
'PhabricatorOAuthClientViewController' => 'applications/oauthserver/controller/client/PhabricatorOAuthClientViewController.php',
'PhabricatorOAuthResponse' => 'applications/oauthserver/PhabricatorOAuthResponse.php',
'PhabricatorOAuthServer' => 'applications/oauthserver/PhabricatorOAuthServer.php',
@@ -5203,6 +5204,7 @@
'PhabricatorOAuthClientDeleteController' => 'PhabricatorOAuthClientController',
'PhabricatorOAuthClientEditController' => 'PhabricatorOAuthClientController',
'PhabricatorOAuthClientListController' => 'PhabricatorOAuthClientController',
+ 'PhabricatorOAuthClientSecretController' => 'PhabricatorOAuthClientController',
'PhabricatorOAuthClientViewController' => 'PhabricatorOAuthClientController',
'PhabricatorOAuthResponse' => 'AphrontResponse',
'PhabricatorOAuthServerAccessToken' => 'PhabricatorOAuthServerDAO',
diff --git a/src/applications/oauthserver/application/PhabricatorOAuthServerApplication.php b/src/applications/oauthserver/application/PhabricatorOAuthServerApplication.php
--- a/src/applications/oauthserver/application/PhabricatorOAuthServerApplication.php
+++ b/src/applications/oauthserver/application/PhabricatorOAuthServerApplication.php
@@ -51,6 +51,7 @@
'delete/(?P<phid>[^/]+)/' => 'PhabricatorOAuthClientDeleteController',
'edit/(?P<phid>[^/]+)/' => 'PhabricatorOAuthClientEditController',
'view/(?P<phid>[^/]+)/' => 'PhabricatorOAuthClientViewController',
+ 'secret/(?P<phid>[^/]+)/' => 'PhabricatorOAuthClientSecretController',
),
),
);
diff --git a/src/applications/oauthserver/controller/client/PhabricatorOAuthClientEditController.php b/src/applications/oauthserver/controller/client/PhabricatorOAuthClientEditController.php
--- a/src/applications/oauthserver/controller/client/PhabricatorOAuthClientEditController.php
+++ b/src/applications/oauthserver/controller/client/PhabricatorOAuthClientEditController.php
@@ -64,6 +64,8 @@
$e_redirect = pht('Invalid');
}
+ $client->setViewPolicy($request->getStr('viewPolicy'));
+ $client->setEditPolicy($request->getStr('editPolicy'));
if (!$errors) {
$client->save();
$view_uri = $client->getViewURI();
@@ -71,6 +73,11 @@
}
}
+ $policies = id(new PhabricatorPolicyQuery())
+ ->setViewer($viewer)
+ ->setObject($client)
+ ->execute();
+
$form = id(new AphrontFormView())
->setUser($viewer)
->appendChild(
@@ -86,6 +93,20 @@
->setValue($client->getRedirectURI())
->setError($e_redirect))
->appendChild(
+ id(new AphrontFormPolicyControl())
+ ->setUser($viewer)
+ ->setCapability(PhabricatorPolicyCapability::CAN_VIEW)
+ ->setPolicyObject($client)
+ ->setPolicies($policies)
+ ->setName('viewPolicy'))
+ ->appendChild(
+ id(new AphrontFormPolicyControl())
+ ->setUser($viewer)
+ ->setCapability(PhabricatorPolicyCapability::CAN_EDIT)
+ ->setPolicyObject($client)
+ ->setPolicies($policies)
+ ->setName('editPolicy'))
+ ->appendChild(
id(new AphrontFormSubmitControl())
->addCancelButton($cancel_uri)
->setValue($submit_button));
diff --git a/src/applications/oauthserver/controller/client/PhabricatorOAuthClientSecretController.php b/src/applications/oauthserver/controller/client/PhabricatorOAuthClientSecretController.php
new file mode 100644
--- /dev/null
+++ b/src/applications/oauthserver/controller/client/PhabricatorOAuthClientSecretController.php
@@ -0,0 +1,70 @@
+<?php
+
+final class PhabricatorOAuthClientSecretController
+ extends PhabricatorOAuthClientController {
+
+ public function handleRequest(AphrontRequest $request) {
+ $viewer = $request->getUser();
+
+ $client = id(new PhabricatorOAuthServerClientQuery())
+ ->setViewer($viewer)
+ ->withPHIDs(array($this->getClientPHID()))
+ ->requireCapabilities(
+ array(
+ PhabricatorPolicyCapability::CAN_VIEW,
+ PhabricatorPolicyCapability::CAN_EDIT,
+ ))
+ ->executeOne();
+ if (!$client) {
+ return new Aphront404Response();
+ }
+
+ $view_uri = $client->getViewURI();
+ $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+ $viewer,
+ $request,
+ $view_uri);
+
+ if ($request->isFormPost()) {
+ $secret = $client->getSecret();
+ $body = id(new PHUIFormLayoutView())
+ ->appendChild(
+ id(new AphrontFormTextAreaControl())
+ ->setLabel(pht('Plaintext'))
+ ->setReadOnly(true)
+ ->setHeight(AphrontFormTextAreaControl::HEIGHT_VERY_SHORT)
+ ->setValue($secret));
+
+ $dialog = id(new AphrontDialogView())
+ ->setUser($viewer)
+ ->setWidth(AphrontDialogView::WIDTH_FORM)
+ ->setTitle(pht('Application Secret'))
+ ->appendChild($body)
+ ->addCancelButton($view_uri, pht('Done'));
+
+ return id(new AphrontDialogResponse())->setDialog($dialog);
+ }
+
+
+ $is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business');
+
+ if ($is_serious) {
+ $body = pht(
+ 'The secret associated with this oauth application will be shown in '.
+ 'plain text on your screen.');
+ } else {
+ $body = pht(
+ 'The secret associated with this oauth application will be shown in '.
+ 'plain text on your screen. Before continuing, wrap your arms around '.
+ 'your monitor to create a human shield, keeping it safe from prying '.
+ 'eyes. Protect company secrets!');
+ }
+ return $this->newDialog()
+ ->setUser($viewer)
+ ->setTitle(pht('Really show application secret?'))
+ ->appendChild($body)
+ ->addSubmitButton(pht('Show Application Secret'))
+ ->addCancelButton($view_uri);
+ }
+
+}
diff --git a/src/applications/oauthserver/controller/client/PhabricatorOAuthClientViewController.php b/src/applications/oauthserver/controller/client/PhabricatorOAuthClientViewController.php
--- a/src/applications/oauthserver/controller/client/PhabricatorOAuthClientViewController.php
+++ b/src/applications/oauthserver/controller/client/PhabricatorOAuthClientViewController.php
@@ -62,6 +62,8 @@
->withClientPHIDs(array($client->getPHID()))
->executeOne();
$is_authorized = (bool)$authorization;
+ $id = $client->getID();
+ $phid = $client->getPHID();
$view = id(new PhabricatorActionListView())
->setUser($viewer);
@@ -76,6 +78,14 @@
$view->addAction(
id(new PhabricatorActionView())
+ ->setName(pht('Show Application Secret'))
+ ->setIcon('fa-eye')
+ ->setHref($this->getApplicationURI("client/secret/{$phid}/"))
+ ->setDisabled(!$can_edit)
+ ->setWorkflow(true));
+
+ $view->addAction(
+ id(new PhabricatorActionView())
->setName(pht('Delete Application'))
->setIcon('fa-times')
->setWorkflow(true)
@@ -88,7 +98,7 @@
->setIcon('fa-wrench')
->setWorkflow(true)
->setDisabled($is_authorized)
- ->setHref($this->getApplicationURI('test/'.$client->getID().'/')));
+ ->setHref($this->getApplicationURI('test/'.$id.'/')));
return $view;
}
@@ -104,10 +114,6 @@
$client->getPHID());
$view->addProperty(
- pht('Client Secret'),
- $client->getSecret());
-
- $view->addProperty(
pht('Redirect URI'),
$client->getRedirectURI());
diff --git a/src/applications/oauthserver/storage/PhabricatorOAuthServerClient.php b/src/applications/oauthserver/storage/PhabricatorOAuthServerClient.php
--- a/src/applications/oauthserver/storage/PhabricatorOAuthServerClient.php
+++ b/src/applications/oauthserver/storage/PhabricatorOAuthServerClient.php
@@ -10,6 +10,8 @@
protected $name;
protected $redirectURI;
protected $creatorPHID;
+ protected $viewPolicy;
+ protected $editPolicy;
public function getEditURI() {
return '/oauthserver/client/edit/'.$this->getPHID().'/';
@@ -26,7 +28,9 @@
public static function initializeNewClient(PhabricatorUser $actor) {
return id(new PhabricatorOAuthServerClient())
->setCreatorPHID($actor->getPHID())
- ->setSecret(Filesystem::readRandomCharacters(32));
+ ->setSecret(Filesystem::readRandomCharacters(32))
+ ->setViewPolicy(PhabricatorPolicies::POLICY_USER)
+ ->setEditPolicy($actor->getPHID());
}
protected function getConfiguration() {
@@ -69,25 +73,17 @@
public function getPolicy($capability) {
switch ($capability) {
case PhabricatorPolicyCapability::CAN_VIEW:
- return PhabricatorPolicies::POLICY_USER;
+ return $this->getViewPolicy();
case PhabricatorPolicyCapability::CAN_EDIT:
- return PhabricatorPolicies::POLICY_NOONE;
+ return $this->getEditPolicy();
}
}
public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
- switch ($capability) {
- case PhabricatorPolicyCapability::CAN_EDIT:
- return ($viewer->getPHID() == $this->getCreatorPHID());
- }
return false;
}
public function describeAutomaticCapability($capability) {
- switch ($capability) {
- case PhabricatorPolicyCapability::CAN_EDIT:
- return pht("Only an application's creator can edit it.");
- }
return null;
}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Tue, Oct 22, 7:43 AM (3 w, 17 h ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6740937
Default Alt Text
D11401.id27385.diff (10 KB)
Attached To
Mode
D11401: OAuthServer - hide client secret behind a "View Secret" action
Attached
Detach File
Event Timeline
Log In to Comment