Differential D20905 Diff 49826 src/applications/passphrase/controller/PassphraseCredentialEditController.php
Changeset View
Changeset View
Standalone View
Standalone View
src/applications/passphrase/controller/PassphraseCredentialEditController.php
Show First 20 Lines • Show All 74 Lines • ▼ Show 20 Lines | if ($is_new && ($v_secret === null)) { | ||||
} catch (Exception $ex) { | } catch (Exception $ex) { | ||||
// Ignore this. | // Ignore this. | ||||
} | } | ||||
} | } | ||||
$validation_exception = null; | $validation_exception = null; | ||||
$errors = array(); | $errors = array(); | ||||
$e_password = null; | $e_password = null; | ||||
$e_secret = null; | |||||
if ($request->isFormPost()) { | if ($request->isFormPost()) { | ||||
$v_name = $request->getStr('name'); | $v_name = $request->getStr('name'); | ||||
$v_desc = $request->getStr('description'); | $v_desc = $request->getStr('description'); | ||||
$v_username = $request->getStr('username'); | $v_username = $request->getStr('username'); | ||||
$v_view_policy = $request->getStr('viewPolicy'); | $v_view_policy = $request->getStr('viewPolicy'); | ||||
$v_edit_policy = $request->getStr('editPolicy'); | $v_edit_policy = $request->getStr('editPolicy'); | ||||
$v_is_locked = $request->getStr('lock'); | $v_is_locked = $request->getStr('lock'); | ||||
$v_secret = $request->getStr('secret'); | $v_secret = $request->getStr('secret'); | ||||
$v_space = $request->getStr('spacePHID'); | $v_space = $request->getStr('spacePHID'); | ||||
$v_password = $request->getStr('password'); | $v_password = $request->getStr('password'); | ||||
$v_decrypt = $v_secret; | $v_decrypt = $v_secret; | ||||
$env_secret = new PhutilOpaqueEnvelope($v_secret); | $env_secret = new PhutilOpaqueEnvelope($v_secret); | ||||
$env_password = new PhutilOpaqueEnvelope($v_password); | $env_password = new PhutilOpaqueEnvelope($v_password); | ||||
if ($type->requiresPassword($env_secret)) { | $has_secret = !preg_match('/^('.$bullet.')+$/', trim($v_decrypt)); | ||||
// Validate and repair SSH private keys, and apply passwords if they | |||||
// are provided. See T13454 for discussion. | |||||
// This should eventually be refactored to be modular rather than a | |||||
// hard-coded set of behaviors here in the Controller, but this is | |||||
// likely a fairly extensive change. | |||||
$is_ssh = ($type instanceof PassphraseSSHPrivateKeyTextCredentialType); | |||||
if ($is_ssh && $has_secret) { | |||||
$old_object = PhabricatorAuthSSHPrivateKey::newFromRawKey($env_secret); | |||||
if (strlen($v_password)) { | if (strlen($v_password)) { | ||||
$v_decrypt = $type->decryptSecret($env_secret, $env_password); | $old_object->setPassphrase($env_password); | ||||
if ($v_decrypt === null) { | } | ||||
$e_password = pht('Incorrect'); | |||||
$errors[] = pht( | try { | ||||
'This key requires a password, but the password you provided '. | $new_object = $old_object->newBarePrivateKey(); | ||||
'is incorrect.'); | $v_decrypt = $new_object->getKeyBody()->openEnvelope(); | ||||
} else { | } catch (PhabricatorAuthSSHPrivateKeyException $ex) { | ||||
$v_decrypt = $v_decrypt->openEnvelope(); | $errors[] = $ex->getMessage(); | ||||
if ($ex->isFormatException()) { | |||||
$e_secret = pht('Invalid'); | |||||
} | |||||
if ($ex->isPassphraseException()) { | |||||
$e_password = pht('Invalid'); | |||||
} | } | ||||
} else { | |||||
$e_password = pht('Required'); | |||||
$errors[] = pht( | |||||
'This key requires a password. You must provide the password '. | |||||
'for the key.'); | |||||
} | } | ||||
} | } | ||||
if (!$errors) { | if (!$errors) { | ||||
$type_name = | $type_name = | ||||
PassphraseCredentialNameTransaction::TRANSACTIONTYPE; | PassphraseCredentialNameTransaction::TRANSACTIONTYPE; | ||||
$type_desc = | $type_desc = | ||||
PassphraseCredentialDescriptionTransaction::TRANSACTIONTYPE; | PassphraseCredentialDescriptionTransaction::TRANSACTIONTYPE; | ||||
Show All 37 Lines | if ($request->isFormPost()) { | ||||
$credential->openTransaction(); | $credential->openTransaction(); | ||||
if (!$credential->getIsLocked()) { | if (!$credential->getIsLocked()) { | ||||
if ($type->shouldRequireUsername()) { | if ($type->shouldRequireUsername()) { | ||||
$xactions[] = id(new PassphraseCredentialTransaction()) | $xactions[] = id(new PassphraseCredentialTransaction()) | ||||
->setTransactionType($type_username) | ->setTransactionType($type_username) | ||||
->setNewValue($v_username); | ->setNewValue($v_username); | ||||
} | } | ||||
// If some value other than a sequence of bullets was provided for | // If some value other than a sequence of bullets was provided for | ||||
// the credential, update it. In particular, note that we are | // the credential, update it. In particular, note that we are | ||||
// explicitly allowing empty secrets: one use case is HTTP auth where | // explicitly allowing empty secrets: one use case is HTTP auth where | ||||
// the username is a secret token which covers both identity and | // the username is a secret token which covers both identity and | ||||
// authentication. | // authentication. | ||||
if (!preg_match('/^('.$bullet.')+$/', trim($v_decrypt))) { | if ($has_secret) { | ||||
// If the credential was previously destroyed, restore it when it is | // If the credential was previously destroyed, restore it when it is | ||||
// edited if a secret is provided. | // edited if a secret is provided. | ||||
$xactions[] = id(new PassphraseCredentialTransaction()) | $xactions[] = id(new PassphraseCredentialTransaction()) | ||||
->setTransactionType($type_destroy) | ->setTransactionType($type_destroy) | ||||
->setNewValue(0); | ->setNewValue(0); | ||||
$new_secret = id(new PassphraseSecret()) | $new_secret = id(new PassphraseSecret()) | ||||
->setSecretData($v_decrypt) | ->setSecretData($v_decrypt) | ||||
->save(); | ->save(); | ||||
$xactions[] = id(new PassphraseCredentialTransaction()) | $xactions[] = id(new PassphraseCredentialTransaction()) | ||||
->setTransactionType($type_secret_id) | ->setTransactionType($type_secret_id) | ||||
->setNewValue($new_secret->getID()); | ->setNewValue($new_secret->getID()); | ||||
} | } | ||||
$xactions[] = id(new PassphraseCredentialTransaction()) | $xactions[] = id(new PassphraseCredentialTransaction()) | ||||
->setTransactionType($type_is_locked) | ->setTransactionType($type_is_locked) | ||||
->setNewValue($v_is_locked); | ->setNewValue($v_is_locked); | ||||
▲ Show 20 Lines • Show All 89 Lines • ▼ Show 20 Lines | if ($type->shouldRequireUsername()) { | ||||
->setError($e_username)); | ->setError($e_username)); | ||||
} | } | ||||
$form->appendChild( | $form->appendChild( | ||||
$secret_control | $secret_control | ||||
->setName('secret') | ->setName('secret') | ||||
->setLabel($type->getSecretLabel()) | ->setLabel($type->getSecretLabel()) | ||||
->setDisabled($credential_is_locked) | ->setDisabled($credential_is_locked) | ||||
->setValue($v_secret)); | ->setValue($v_secret) | ||||
->setError($e_secret)); | |||||
if ($type->shouldShowPasswordField()) { | if ($type->shouldShowPasswordField()) { | ||||
$form->appendChild( | $form->appendChild( | ||||
id(new AphrontFormPasswordControl()) | id(new AphrontFormPasswordControl()) | ||||
->setDisableAutocomplete(true) | ->setDisableAutocomplete(true) | ||||
->setName('password') | ->setName('password') | ||||
->setLabel($type->getPasswordLabel()) | ->setLabel($type->getPasswordLabel()) | ||||
->setDisabled($credential_is_locked) | ->setDisabled($credential_is_locked) | ||||
▲ Show 20 Lines • Show All 83 Lines • Show Last 20 Lines |