diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.1.sql
@@ -0,0 +1,2 @@
+ALTER TABLE {$NAMESPACE}_passphrase.passphrase_credential
+ ADD revealPolicy VARBINARY(64) NOT NULL AFTER editPolicy;
diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.2.sql
@@ -0,0 +1,3 @@
+UPDATE {$NAMESPACE}_passphrase.passphrase_credential
+ SET revealPolicy = editPolicy
+ WHERE revealPolicy = '';
diff --git a/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql b/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql
new file mode 100644
--- /dev/null
+++ b/resources/sql/autopatches/20151114.passphrase.revealpolicy.3.sql
@@ -0,0 +1,3 @@
+UPDATE {$NAMESPACE}_passphrase.passphrase_credentialtransaction
+ SET transactionType = 'passphrase:revealed'
+ WHERE transactionType = 'passphrase:lookedAtSecret'
diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -1519,12 +1519,14 @@
'PassphraseCredentialViewController' => 'applications/passphrase/controller/PassphraseCredentialViewController.php',
'PassphraseDAO' => 'applications/passphrase/storage/PassphraseDAO.php',
'PassphraseDefaultEditCapability' => 'applications/passphrase/capability/PassphraseDefaultEditCapability.php',
+ 'PassphraseDefaultRevealCapability' => 'applications/passphrase/capability/PassphraseDefaultRevealCapability.php',
'PassphraseDefaultViewCapability' => 'applications/passphrase/capability/PassphraseDefaultViewCapability.php',
'PassphraseNoteCredentialType' => 'applications/passphrase/credentialtype/PassphraseNoteCredentialType.php',
'PassphrasePasswordCredentialType' => 'applications/passphrase/credentialtype/PassphrasePasswordCredentialType.php',
'PassphrasePasswordKey' => 'applications/passphrase/keys/PassphrasePasswordKey.php',
'PassphraseQueryConduitAPIMethod' => 'applications/passphrase/conduit/PassphraseQueryConduitAPIMethod.php',
'PassphraseRemarkupRule' => 'applications/passphrase/remarkup/PassphraseRemarkupRule.php',
+ 'PassphraseRevealCapability' => 'applications/passphrase/capability/PassphraseRevealCapability.php',
'PassphraseSSHGeneratedKeyCredentialType' => 'applications/passphrase/credentialtype/PassphraseSSHGeneratedKeyCredentialType.php',
'PassphraseSSHKey' => 'applications/passphrase/keys/PassphraseSSHKey.php',
'PassphraseSSHPrivateKeyCredentialType' => 'applications/passphrase/credentialtype/PassphraseSSHPrivateKeyCredentialType.php',
@@ -5498,12 +5500,14 @@
'PassphraseCredentialViewController' => 'PassphraseController',
'PassphraseDAO' => 'PhabricatorLiskDAO',
'PassphraseDefaultEditCapability' => 'PhabricatorPolicyCapability',
+ 'PassphraseDefaultRevealCapability' => 'PhabricatorPolicyCapability',
'PassphraseDefaultViewCapability' => 'PhabricatorPolicyCapability',
'PassphraseNoteCredentialType' => 'PassphraseCredentialType',
'PassphrasePasswordCredentialType' => 'PassphraseCredentialType',
'PassphrasePasswordKey' => 'PassphraseAbstractKey',
'PassphraseQueryConduitAPIMethod' => 'PassphraseConduitAPIMethod',
'PassphraseRemarkupRule' => 'PhabricatorObjectRemarkupRule',
+ 'PassphraseRevealCapability' => 'PhabricatorPolicyCapability',
'PassphraseSSHGeneratedKeyCredentialType' => 'PassphraseSSHPrivateKeyCredentialType',
'PassphraseSSHKey' => 'PassphraseAbstractKey',
'PassphraseSSHPrivateKeyCredentialType' => 'PassphraseCredentialType',
diff --git a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
--- a/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
+++ b/src/applications/passphrase/application/PhabricatorPassphraseApplication.php
@@ -80,6 +80,13 @@
'capability' => PhabricatorPolicyCapability::CAN_EDIT,
'default' => $policy_key,
),
+ PassphraseDefaultRevealCapability::CAPABILITY => array(
+ 'caption' => pht(
+ 'Default reveal policy for newly created credentials.'),
+ 'template' => PassphraseCredentialPHIDType::TYPECONST,
+ 'capability' => PassphraseDefaultRevealCapability::CAPABILITY,
+ 'default' => $policy_key,
+ ),
);
}
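Review bot: The `'capability'` key of the new default-reveal entry names the application-level capability `PassphraseDefaultRevealCapability::CAPABILITY`, while the neighbouring edit entry names the object-level capability `PhabricatorPolicyCapability::CAN_EDIT`. If that key identifies the capability on the template object that the default policy is picked for (which is how the edit entry reads), the reveal entry should be `'capability' => PassphraseRevealCapability::CAPABILITY,`; as written, the default-policy control would be built for a capability the credential template does not expose, which can affect which policies the selector offers or accepts. The enclosing getCustomCapabilities() starts before this hunk, so I cannot confirm the key's consumer from here.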
diff --git a/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php b/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php
new file mode 100644
--- /dev/null
+++ b/src/applications/passphrase/capability/PassphraseDefaultRevealCapability.php
@@ -0,0 +1,12 @@
+<?php
+
+final class PassphraseDefaultRevealCapability
+ extends PhabricatorPolicyCapability {
+
+ const CAPABILITY = 'passphrase.default.reveal';
+
+ public function getCapabilityName() {
+ return pht('Default Reveal Policy');
+ }
+
+}
diff --git a/src/applications/passphrase/capability/PassphraseRevealCapability.php b/src/applications/passphrase/capability/PassphraseRevealCapability.php
new file mode 100644
--- /dev/null
+++ b/src/applications/passphrase/capability/PassphraseRevealCapability.php
@@ -0,0 +1,15 @@
+<?php
+
+final class PassphraseRevealCapability extends PhabricatorPolicyCapability {
+
+ const CAPABILITY = 'passphrase.reveal';
+
+ public function getCapabilityName() {
+ return pht('Revealable By');
+ }
+
+ public function describeCapabilityRejection() {
+ return pht('You do not have permission to reveal this secret.');
+ }
+
+}
diff --git a/src/applications/passphrase/controller/PassphraseCredentialEditController.php b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialEditController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialEditController.php
@@ -85,6 +85,7 @@
$v_username = $request->getStr('username');
$v_view_policy = $request->getStr('viewPolicy');
$v_edit_policy = $request->getStr('editPolicy');
+ $v_reveal_policy = $request->getStr('revealPolicy');
$v_is_locked = $request->getStr('lock');
$v_secret = $request->getStr('secret');
@@ -123,6 +124,8 @@
$type_is_locked = PassphraseCredentialTransaction::TYPE_LOCK;
$type_view_policy = PhabricatorTransactions::TYPE_VIEW_POLICY;
$type_edit_policy = PhabricatorTransactions::TYPE_EDIT_POLICY;
+ $type_reveal_policy =
+ PassphraseCredentialTransaction::TYPE_REVEAL_POLICY;
$type_space = PhabricatorTransactions::TYPE_SPACE;
$xactions = array();
@@ -144,6 +147,10 @@
->setNewValue($v_edit_policy);
$xactions[] = id(new PassphraseCredentialTransaction())
+ ->setTransactionType($type_reveal_policy)
+ ->setNewValue($v_reveal_policy);
+
+ $xactions[] = id(new PassphraseCredentialTransaction())
->setTransactionType($type_space)
->setNewValue($v_space);
@@ -212,6 +219,7 @@
$credential->setViewPolicy($v_view_policy);
$credential->setEditPolicy($v_edit_policy);
+ $credential->setRevealPolicy($v_reveal_policy);
}
}
}
@@ -258,6 +266,12 @@
->setPolicyObject($credential)
->setCapability(PhabricatorPolicyCapability::CAN_EDIT)
->setPolicies($policies))
+ ->appendControl(
+ id(new AphrontFormPolicyControl())
+ ->setName('revealPolicy')
+ ->setPolicyObject($credential)
+ ->setCapability(PassphraseRevealCapability::CAPABILITY)
+ ->setPolicies($policies))
->appendChild(
id(new AphrontFormDividerControl()));
diff --git a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
@@ -13,7 +13,7 @@
->requireCapabilities(
array(
PhabricatorPolicyCapability::CAN_VIEW,
- PhabricatorPolicyCapability::CAN_EDIT,
+ PassphraseRevealCapability::CAPABILITY,
))
->needSecrets(true)
->executeOne();
@@ -66,10 +66,10 @@
->setDisableWorkflowOnCancel(true)
->addCancelButton($view_uri, pht('Done'));
- $type_secret = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET;
+ $type_revealed = PassphraseCredentialTransaction::TYPE_REVEALED;
$xactions = array(
id(new PassphraseCredentialTransaction())
- ->setTransactionType($type_secret)
+ ->setTransactionType($type_revealed)
->setNewValue(true),
);
diff --git a/src/applications/passphrase/controller/PassphraseCredentialViewController.php b/src/applications/passphrase/controller/PassphraseCredentialViewController.php
--- a/src/applications/passphrase/controller/PassphraseCredentialViewController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialViewController.php
@@ -97,6 +97,10 @@
$viewer,
$credential,
PhabricatorPolicyCapability::CAN_EDIT);
+ $can_reveal = PhabricatorPolicyFilter::hasCapability(
+ $viewer,
+ $credential,
+ PassphraseRevealCapability::CAPABILITY);
$actions->addAction(
id(new PhabricatorActionView())
@@ -117,10 +121,10 @@
$actions->addAction(
id(new PhabricatorActionView())
- ->setName(pht('Show Secret'))
+ ->setName(pht('Reveal Secret'))
->setIcon('fa-eye')
->setHref($this->getApplicationURI("reveal/{$id}/"))
- ->setDisabled(!$can_edit || $is_locked)
+ ->setDisabled(!$can_reveal || $is_locked)
->setWorkflow(true));
if ($type->hasPublicKey()) {
@@ -177,6 +181,10 @@
pht('Editable By'),
$descriptions[PhabricatorPolicyCapability::CAN_EDIT]);
+ $properties->addProperty(
+ pht('Revealable By'),
+ $descriptions[PassphraseRevealCapability::CAPABILITY]);
+
if ($type->shouldRequireUsername()) {
$properties->addProperty(
pht('Username'),
diff --git a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
--- a/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
+++ b/src/applications/passphrase/editor/PassphraseCredentialTransactionEditor.php
@@ -22,9 +22,10 @@
$types[] = PassphraseCredentialTransaction::TYPE_USERNAME;
$types[] = PassphraseCredentialTransaction::TYPE_SECRET_ID;
$types[] = PassphraseCredentialTransaction::TYPE_DESTROY;
- $types[] = PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET;
+ $types[] = PassphraseCredentialTransaction::TYPE_REVEALED;
$types[] = PassphraseCredentialTransaction::TYPE_LOCK;
$types[] = PassphraseCredentialTransaction::TYPE_CONDUIT;
+ $types[] = PassphraseCredentialTransaction::TYPE_REVEAL_POLICY;
return $types;
}
@@ -50,11 +51,11 @@
return (int)$object->getIsLocked();
case PassphraseCredentialTransaction::TYPE_CONDUIT:
return (int)$object->getAllowConduit();
- case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+ case PassphraseCredentialTransaction::TYPE_REVEALED:
return null;
+ default:
+ return parent::getCustomTransactionOldValue($object, $xaction);
}
-
- return parent::getCustomTransactionOldValue($object, $xaction);
}
protected function getCustomTransactionNewValue(
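Review bot: getCustomTransactionOldValue() gains no case for `PassphraseCredentialTransaction::TYPE_REVEAL_POLICY`, so the reveal-policy transaction the edit controller now emits falls into the new `default:` arm and is handed to the parent, which does not know this custom type (the base editor handles only the core TYPE_VIEW_POLICY/TYPE_EDIT_POLICY constants and, as far as I recall, throws for unknown custom types). Add `case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY: return $object->getRevealPolicy();` before the `default:`. The getCustomTransactionNewValue() hunk directly below has the same gap and needs `case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY: return $xaction->getNewValue();` alongside the other pass-through cases.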
@@ -65,15 +66,17 @@
case PassphraseCredentialTransaction::TYPE_DESCRIPTION:
case PassphraseCredentialTransaction::TYPE_USERNAME:
case PassphraseCredentialTransaction::TYPE_SECRET_ID:
- case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+ case PassphraseCredentialTransaction::TYPE_REVEALED:
return $xaction->getNewValue();
case PassphraseCredentialTransaction::TYPE_DESTROY:
case PassphraseCredentialTransaction::TYPE_LOCK:
return (int)$xaction->getNewValue();
case PassphraseCredentialTransaction::TYPE_CONDUIT:
return (int)$xaction->getNewValue();
+
+ default:
+ return parent::getCustomTransactionNewValue($object, $xaction);
}
- return parent::getCustomTransactionNewValue($object, $xaction);
}
protected function applyCustomInternalTransaction(
@@ -108,7 +111,7 @@
}
}
return;
- case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+ case PassphraseCredentialTransaction::TYPE_REVEALED:
return;
case PassphraseCredentialTransaction::TYPE_LOCK:
$object->setIsLocked((int)$xaction->getNewValue());
@@ -116,9 +119,14 @@
case PassphraseCredentialTransaction::TYPE_CONDUIT:
$object->setAllowConduit((int)$xaction->getNewValue());
return;
- }
- return parent::applyCustomInternalTransaction($object, $xaction);
+ case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY:
+ $object->setRevealPolicy($xaction->getNewValue());
+ break;
+
+ default:
+ return parent::applyCustomInternalTransaction($object, $xaction);
+ }
}
protected function applyCustomExternalTransaction(
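Review bot: The value stored by `$object->setRevealPolicy($xaction->getNewValue())` is persisted exactly as submitted: because TYPE_REVEAL_POLICY is a custom transaction type, it does not go through the policy validation the base editor applies to TYPE_VIEW_POLICY and TYPE_EDIT_POLICY (the policy must be one the actor can see, and so on), so a malformed or invisible policy value can be saved and will only be noticed when the policy filter evaluates it. A `validateTransaction()` override that checks TYPE_REVEAL_POLICY the way the base editor checks the core policy types would close that gap; which helper can be reused depends on what the base class exposes at this version, which is not visible here. Separately, the new case ends with `break;` while every sibling case and the `default` arm return, so `return;` would keep the switch uniform.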
@@ -131,13 +139,15 @@
case PassphraseCredentialTransaction::TYPE_USERNAME:
case PassphraseCredentialTransaction::TYPE_SECRET_ID:
case PassphraseCredentialTransaction::TYPE_DESTROY:
- case PassphraseCredentialTransaction::TYPE_LOOKEDATSECRET:
+ case PassphraseCredentialTransaction::TYPE_REVEALED:
case PassphraseCredentialTransaction::TYPE_LOCK:
case PassphraseCredentialTransaction::TYPE_CONDUIT:
+ case PassphraseCredentialTransaction::TYPE_REVEAL_POLICY:
return;
- }
- return parent::applyCustomExternalTransaction($object, $xaction);
+ default:
+ return parent::applyCustomExternalTransaction($object, $xaction);
+ }
}
private function destroySecret($secret_id) {
diff --git a/src/applications/passphrase/storage/PassphraseCredential.php b/src/applications/passphrase/storage/PassphraseCredential.php
--- a/src/applications/passphrase/storage/PassphraseCredential.php
+++ b/src/applications/passphrase/storage/PassphraseCredential.php
@@ -14,6 +14,7 @@
protected $providesType;
protected $viewPolicy;
protected $editPolicy;
+ protected $revealPolicy;
protected $description;
protected $username;
protected $secretID;
@@ -33,6 +34,8 @@
$view_policy = $app->getPolicy(PassphraseDefaultViewCapability::CAPABILITY);
$edit_policy = $app->getPolicy(PassphraseDefaultEditCapability::CAPABILITY);
+ $reveal_policy = $app->getPolicy(
+ PassphraseDefaultRevealCapability::CAPABILITY);
return id(new PassphraseCredential())
->setName('')
@@ -42,6 +45,7 @@
->setAuthorPHID($actor->getPHID())
->setViewPolicy($view_policy)
->setEditPolicy($edit_policy)
+ ->setRevealPolicy($reveal_policy)
->setSpacePHID($actor->getDefaultSpacePHID());
}
@@ -62,6 +66,7 @@
'isDestroyed' => 'bool',
'isLocked' => 'bool',
'allowConduit' => 'bool',
+ 'revealPolicy' => 'policy',
),
self::CONFIG_KEY_SCHEMA => array(
'key_secret' => array(
@@ -128,6 +133,7 @@
return array(
PhabricatorPolicyCapability::CAN_VIEW,
PhabricatorPolicyCapability::CAN_EDIT,
+ PassphraseRevealCapability::CAPABILITY,
);
}
@@ -137,6 +143,8 @@
return $this->getViewPolicy();
case PhabricatorPolicyCapability::CAN_EDIT:
return $this->getEditPolicy();
+ case PassphraseRevealCapability::CAPABILITY:
+ return $this->getRevealPolicy();
}
}
diff --git a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
--- a/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
+++ b/src/applications/passphrase/storage/PassphraseCredentialTransaction.php
@@ -3,14 +3,15 @@
final class PassphraseCredentialTransaction
extends PhabricatorApplicationTransaction {
- const TYPE_NAME = 'passphrase:name';
- const TYPE_DESCRIPTION = 'passphrase:description';
- const TYPE_USERNAME = 'passphrase:username';
- const TYPE_SECRET_ID = 'passphrase:secretID';
- const TYPE_DESTROY = 'passphrase:destroy';
- const TYPE_LOOKEDATSECRET = 'passphrase:lookedAtSecret';
- const TYPE_LOCK = 'passphrase:lock';
- const TYPE_CONDUIT = 'passphrase:conduit';
+ const TYPE_NAME = 'passphrase:name';
+ const TYPE_DESCRIPTION = 'passphrase:description';
+ const TYPE_USERNAME = 'passphrase:username';
+ const TYPE_SECRET_ID = 'passphrase:secretID';
+ const TYPE_DESTROY = 'passphrase:destroy';
+ const TYPE_REVEALED = 'passphrase:revealed';
+ const TYPE_LOCK = 'passphrase:lock';
+ const TYPE_CONDUIT = 'passphrase:conduit';
+ const TYPE_REVEAL_POLICY = 'passphrase:reveal-policy';
public function getApplicationName() {
return 'passphrase';
@@ -24,6 +25,26 @@
return null;
}
+ public function getRequiredHandlePHIDs() {
+ $phids = parent::getRequiredHandlePHIDs();
+
+ $old = $this->getOldValue();
+ $new = $this->getNewValue();
+
+ switch ($this->getTransactionType()) {
+ case self::TYPE_REVEAL_POLICY:
+ if ($old) {
+ $phids[] = $old;
+ }
+ if ($new) {
+ $phids[] = $new;
+ }
+ break;
+ }
+
+ return $phids;
+ }
+
public function shouldHide() {
$old = $this->getOldValue();
switch ($this->getTransactionType()) {
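Review bot: The new TYPE_REVEAL_POLICY case adds `$old` and `$new` to the handle PHID list whenever they are non-empty, but a policy value can also be a global policy constant (public, users, admin, no-one), which is not an object PHID and would be handed to the handle loader as though it were one. The base class guards its own policy transaction types with `PhabricatorPolicyQuery::isGlobalPolicy()`; mirror that here with `if ($old && !PhabricatorPolicyQuery::isGlobalPolicy($old)) {` and the same test for `$new`.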
@@ -33,7 +54,7 @@
return ($old === null);
case self::TYPE_USERNAME:
return !strlen($old);
- case self::TYPE_LOOKEDATSECRET:
+ case self::TYPE_REVEALED:
return false;
}
return parent::shouldHide();
@@ -84,9 +105,9 @@
return pht(
'%s destroyed this credential.',
$this->renderHandleLink($author_phid));
- case self::TYPE_LOOKEDATSECRET:
+ case self::TYPE_REVEALED:
return pht(
- '%s examined the secret plaintext for this credential.',
+ '%s revealed the secret plaintext for this credential.',
$this->renderHandleLink($author_phid));
case self::TYPE_LOCK:
return pht(
@@ -103,6 +124,12 @@
$this->renderHandleLink($author_phid));
}
break;
+ case self::TYPE_REVEAL_POLICY:
+ return pht(
+ '%s changed the reveal policy from "%s" to "%s".',
+ $this->renderHandleLink($author_phid),
+ $this->renderPolicyName($old, 'old'),
+ $this->renderPolicyName($new, 'new'));
}
return parent::getTitle();
diff --git a/src/applications/paste/storage/PhabricatorPaste.php b/src/applications/paste/storage/PhabricatorPaste.php
--- a/src/applications/paste/storage/PhabricatorPaste.php
+++ b/src/applications/paste/storage/PhabricatorPaste.php
@@ -183,12 +183,12 @@
}
public function getPolicy($capability) {
- if ($capability == PhabricatorPolicyCapability::CAN_VIEW) {
- return $this->viewPolicy;
- } else if ($capability == PhabricatorPolicyCapability::CAN_EDIT) {
- return $this->editPolicy;
+ switch ($capability) {
+ case PhabricatorPolicyCapability::CAN_VIEW:
+ return $this->viewPolicy;
+ case PhabricatorPolicyCapability::CAN_EDIT:
+ return $this->editPolicy;
}
- return PhabricatorPolicies::POLICY_NOONE;
}
public function hasAutomaticCapability($capability, PhabricatorUser $user) {
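Review bot: Rewriting PhabricatorPaste::getPolicy() as a switch drops the `return PhabricatorPolicies::POLICY_NOONE;` fallback, so an unrecognised capability now yields null instead of an explicit deny. If the policy filter substitutes a permissive default for an empty policy (its fallback did so at the time, to be verified against the current PhabricatorPolicyFilter), this turns a fail-closed path into a fail-open one for Paste, which is unrelated to the Passphrase change this revision is about. Keep the deny as the switch's `default:` arm: `default:` / `return PhabricatorPolicies::POLICY_NOONE;`.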
diff --git a/src/applications/transactions/constants/PhabricatorTransactions.php b/src/applications/transactions/constants/PhabricatorTransactions.php
--- a/src/applications/transactions/constants/PhabricatorTransactions.php
+++ b/src/applications/transactions/constants/PhabricatorTransactions.php
@@ -12,7 +12,7 @@
const TYPE_BUILDABLE = 'harbormaster:buildable';
const TYPE_TOKEN = 'token:give';
const TYPE_INLINESTATE = 'core:inlinestate';
- const TYPE_SPACE = 'core:space';
+ const TYPE_SPACE = 'core:space';
const COLOR_RED = 'red';
const COLOR_ORANGE = 'orange';
D14480: Add reveal policy for Passprase credentials