No OneTemporary
Actions

Size

77 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/resources/sql/patches/20130820.file-mailkey-populate.php b/resources/sql/patches/20130820.file-mailkey-populate.php
	index 0db10bef58..2cf6371c4d 100644
	--- a/resources/sql/patches/20130820.file-mailkey-populate.php
	+++ b/resources/sql/patches/20130820.file-mailkey-populate.php
	@@ -1,38 +1,38 @@
	<?php

	-echo pht('Populating Phabricator files with mail keys xactions...')."\n";
	+echo pht('Populating files with mail keys...')."\n";

	$table = new PhabricatorFile();
	$table_name = $table->getTableName();

	$conn_w = $table->establishConnection('w');
	$conn_w->openTransaction();

	$sql = array();
	foreach (new LiskRawMigrationIterator($conn_w, 'file') as $row) {
	// NOTE: MySQL requires that the INSERT specify all columns which don't
	// have default values when configured in strict mode. This query will
	// never actually insert rows, but we need to hand it values anyway.

	$sql[] = qsprintf(
	$conn_w,
	'(%d, %s, 0, 0, 0, 0, 0, 0, 0, 0)',
	$row['id'],
	Filesystem::readRandomCharacters(20));
	}

	if ($sql) {
	foreach (PhabricatorLiskDAO::chunkSQL($sql) as $chunk) {
	queryfx(
	$conn_w,
	'INSERT INTO %T
	(id, mailKey, phid, byteSize, storageEngine, storageFormat,
	storageHandle, dateCreated, dateModified, metadata) VALUES %LQ '.
	'ON DUPLICATE KEY UPDATE mailKey = VALUES(mailKey)',
	$table_name,
	$chunk);
	}
	}

	$table->saveTransaction();
	echo pht('Done.')."\n";
	diff --git a/scripts/sql/manage_storage.php b/scripts/sql/manage_storage.php
	index 20e006f348..c3de483d72 100755
	--- a/scripts/sql/manage_storage.php
	+++ b/scripts/sql/manage_storage.php
	@@ -1,249 +1,249 @@
	#!/usr/bin/env php
	<?php

	$root = dirname(dirname(dirname(__FILE__)));
	require_once $root.'/scripts/init/init-setup.php';

	$args = new PhutilArgumentParser($argv);
	-$args->setTagline(pht('manage Phabricator storage and schemata'));
	+$args->setTagline(pht('manage storage and schemata'));
	$args->setSynopsis(<<<EOHELP
	storage __workflow__ [__options__]
	-Manage Phabricator database storage and schema versioning.
	+Manage database storage and schema versioning.

	storage upgrade
	-Initialize or upgrade Phabricator storage.
	+Initialize or upgrade storage.

	storage upgrade --user __root__ --password __hunter2__
	Use administrative credentials for schema changes.
	EOHELP
	);
	$args->parseStandardArguments();

	$default_namespace = PhabricatorLiskDAO::getDefaultStorageNamespace();

	try {
	$args->parsePartial(
	array(
	array(
	'name' => 'force',
	'short' => 'f',
	'help' => pht(
	'Do not prompt before performing dangerous operations.'),
	),
	array(
	'name' => 'host',
	'param' => 'hostname',
	'help' => pht(
	'Operate on the database server identified by __hostname__.'),
	),
	array(
	'name' => 'ref',
	'param' => 'ref',
	'help' => pht(
	'Operate on the database identified by __ref__.'),
	),
	array(
	'name' => 'user',
	'short' => 'u',
	'param' => 'username',
	'help' => pht(
	'Connect with __username__ instead of the configured default.'),
	),
	array(
	'name' => 'password',
	'short' => 'p',
	'param' => 'password',
	'help' => pht('Use __password__ instead of the configured default.'),
	),
	array(
	'name' => 'namespace',
	'param' => 'name',
	'default' => $default_namespace,
	'help' => pht(
	"Use namespace __namespace__ instead of the configured ".
	"default ('%s'). This is an advanced feature used by unit tests; ".
	"you should not normally use this flag.",
	$default_namespace),
	),
	array(
	'name' => 'dryrun',
	'help' => pht(
	'Do not actually change anything, just show what would be changed.'),
	),
	array(
	'name' => 'disable-utf8mb4',
	'help' => pht(
	'Disable %s, even if the database supports it. This is an '.
	- 'advanced feature used for testing changes to Phabricator; you '.
	+ 'advanced feature used for testing internal changes; you '.
	'should not normally use this flag.',
	'utf8mb4'),
	),
	));
	} catch (PhutilArgumentUsageException $ex) {
	$args->printUsageException($ex);
	exit(77);
	}

	// First, test that the Phabricator configuration is set up correctly. After
	// we know this works we'll test any administrative credentials specifically.

	$refs = PhabricatorDatabaseRef::getActiveDatabaseRefs();
	if (!$refs) {
	throw new PhutilArgumentUsageException(
	pht('No databases are configured.'));
	}

	$host = $args->getArg('host');
	$ref_key = $args->getArg('ref');
	if (($host !== null) \|\| ($ref_key !== null)) {
	if ($host && $ref_key) {
	throw new PhutilArgumentUsageException(
	pht(
	'Use "--host" or "--ref" to select a database, but not both.'));
	}

	$refs = PhabricatorDatabaseRef::getActiveDatabaseRefs();

	$possible_refs = array();
	foreach ($refs as $possible_ref) {
	if ($host && ($possible_ref->getHost() == $host)) {
	$possible_refs[] = $possible_ref;
	break;
	}
	if ($ref_key && ($possible_ref->getRefKey() == $ref_key)) {
	$possible_refs[] = $possible_ref;
	break;
	}
	}

	if (!$possible_refs) {
	if ($host) {
	throw new PhutilArgumentUsageException(
	pht(
	'There is no configured database on host "%s". This command can '.
	'only interact with configured databases.',
	$host));
	} else {
	throw new PhutilArgumentUsageException(
	pht(
	'There is no configured database with ref "%s". This command can '.
	'only interact with configured databases.',
	$ref_key));
	}
	}

	if (count($possible_refs) > 1) {
	throw new PhutilArgumentUsageException(
	pht(
	'Host "%s" identifies more than one database. Use "--ref" to select '.
	'a specific database.',
	$host));
	}

	$refs = $possible_refs;
	}

	$apis = array();
	foreach ($refs as $ref) {
	$default_user = $ref->getUser();
	$default_host = $ref->getHost();
	$default_port = $ref->getPort();

	$test_api = id(new PhabricatorStorageManagementAPI())
	->setUser($default_user)
	->setHost($default_host)
	->setPort($default_port)
	->setPassword($ref->getPass())
	->setNamespace($args->getArg('namespace'));

	try {
	queryfx(
	$test_api->getConn(null),
	'SELECT 1');
	} catch (AphrontQueryException $ex) {
	$message = phutil_console_format(
	"%s\n\n%s\n\n%s\n\n%s\n\n%s: %s\n",
	pht('MySQL Credentials Not Configured'),
	pht(
	'Unable to connect to MySQL using the configured credentials. '.
	'You must configure standard credentials before you can upgrade '.
	'storage. Run these commands to set up credentials:'),
	- " phabricator/ $ ./bin/config set mysql.host __host__\n".
	- " phabricator/ $ ./bin/config set mysql.user __username__\n".
	- " phabricator/ $ ./bin/config set mysql.pass __password__",
	+ " $ ./bin/config set mysql.host __host__\n".
	+ " $ ./bin/config set mysql.user __username__\n".
	+ " $ ./bin/config set mysql.pass __password__",
	pht(
	'These standard credentials are separate from any administrative '.
	'credentials provided to this command with __%s__ or '.
	'__%s__, and must be configured correctly before you can proceed.',
	'--user',
	'--password'),
	pht('Raw MySQL Error'),
	$ex->getMessage());
	echo phutil_console_wrap($message);
	exit(1);
	}

	if ($args->getArg('password') === null) {
	// This is already a PhutilOpaqueEnvelope.
	$password = $ref->getPass();
	} else {
	// Put this in a PhutilOpaqueEnvelope.
	$password = new PhutilOpaqueEnvelope($args->getArg('password'));
	PhabricatorEnv::overrideConfig('mysql.pass', $args->getArg('password'));
	}

	$selected_user = $args->getArg('user');
	if ($selected_user === null) {
	$selected_user = $default_user;
	}

	$api = id(new PhabricatorStorageManagementAPI())
	->setUser($selected_user)
	->setHost($default_host)
	->setPort($default_port)
	->setPassword($password)
	->setNamespace($args->getArg('namespace'))
	->setDisableUTF8MB4($args->getArg('disable-utf8mb4'));
	PhabricatorEnv::overrideConfig('mysql.user', $api->getUser());

	$ref->setUser($selected_user);
	$ref->setPass($password);

	try {
	queryfx(
	$api->getConn(null),
	'SELECT 1');
	} catch (AphrontQueryException $ex) {
	$message = phutil_console_format(
	"%s\n\n%s\n\n%s: %s\n",
	pht('Bad Administrative Credentials'),
	pht(
	'Unable to connect to MySQL using the administrative credentials '.
	'provided with the __%s__ and __%s__ flags. Check that '.
	'you have entered them correctly.',
	'--user',
	'--password'),
	pht('Raw MySQL Error'),
	$ex->getMessage());
	echo phutil_console_wrap($message);
	exit(1);
	}

	$api->setRef($ref);
	$apis[] = $api;
	}

	$workflows = id(new PhutilClassMapQuery())
	->setAncestorClass('PhabricatorStorageManagementWorkflow')
	->execute();

	$patches = PhabricatorSQLPatchList::buildAllPatches();

	foreach ($workflows as $workflow) {
	$workflow->setAPIs($apis);
	$workflow->setPatches($patches);
	}

	$workflows[] = new PhutilHelpArgumentWorkflow();

	$args->parseWorkflows($workflows);
	diff --git a/scripts/ssh/ssh-exec.php b/scripts/ssh/ssh-exec.php
	index c3a85b399c..70c95d28da 100755
	--- a/scripts/ssh/ssh-exec.php
	+++ b/scripts/ssh/ssh-exec.php
	@@ -1,347 +1,349 @@
	#!/usr/bin/env php
	<?php

	$ssh_start_time = microtime(true);

	$root = dirname(dirname(dirname(__FILE__)));
	require_once $root.'/scripts/init/init-script.php';

	$error_log = id(new PhutilErrorLog())
	->setLogName(pht('SSH Error Log'))
	->setLogPath(PhabricatorEnv::getEnvConfig('log.ssh-error.path'))
	->activateLog();

	$ssh_log = PhabricatorSSHLog::getLog();

	$request_identifier = Filesystem::readRandomCharacters(12);
	$ssh_log->setData(
	array(
	'Q' => $request_identifier,
	));

	$args = new PhutilArgumentParser($argv);
	$args->setTagline(pht('execute SSH requests'));
	$args->setSynopsis(<<<EOSYNOPSIS
	ssh-exec --phabricator-ssh-user __user__ [--ssh-command __commmand__]
	ssh-exec --phabricator-ssh-device __device__ [--ssh-command __commmand__]
	Execute authenticated SSH requests. This script is normally invoked
	via SSHD, but can be invoked manually for testing.

	EOSYNOPSIS
	);

	$args->parseStandardArguments();
	$args->parse(
	array(
	array(
	'name' => 'phabricator-ssh-user',
	'param' => 'username',
	'help' => pht(
	'If the request authenticated with a user key, the name of the '.
	'user.'),
	),
	array(
	'name' => 'phabricator-ssh-device',
	'param' => 'name',
	'help' => pht(
	'If the request authenticated with a device key, the name of the '.
	'device.'),
	),
	array(
	'name' => 'phabricator-ssh-key',
	'param' => 'id',
	'help' => pht(
	'The ID of the SSH key which authenticated this request. This is '.
	'used to allow logs to report when specific keys were used, to make '.
	'it easier to manage credentials.'),
	),
	array(
	'name' => 'ssh-command',
	'param' => 'command',
	'help' => pht(
	'Provide a command to execute. This makes testing this script '.
	'easier. When running normally, the command is read from the '.
	'environment (%s), which is populated by sshd.',
	'SSH_ORIGINAL_COMMAND'),
	),
	));

	try {
	$remote_address = null;
	$ssh_client = getenv('SSH_CLIENT');
	if ($ssh_client) {
	// This has the format "<ip> <remote-port> <local-port>". Grab the IP.
	$remote_address = head(explode(' ', $ssh_client));
	$ssh_log->setData(
	array(
	'r' => $remote_address,
	));
	}

	$key_id = $args->getArg('phabricator-ssh-key');
	if ($key_id) {
	$ssh_log->setData(
	array(
	'k' => $key_id,
	));
	}

	$user_name = $args->getArg('phabricator-ssh-user');
	$device_name = $args->getArg('phabricator-ssh-device');

	$user = null;
	$device = null;
	$is_cluster_request = false;

	if ($user_name && $device_name) {
	throw new Exception(
	pht(
	'The %s and %s flags are mutually exclusive. You can not '.
	'authenticate as both a user ("%s") and a device ("%s"). '.
	'Specify one or the other, but not both.',
	'--phabricator-ssh-user',
	'--phabricator-ssh-device',
	$user_name,
	$device_name));
	} else if (strlen($user_name)) {
	$user = id(new PhabricatorPeopleQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withUsernames(array($user_name))
	->executeOne();
	if (!$user) {
	throw new Exception(
	pht(
	'Invalid username ("%s"). There is no user with this username.',
	$user_name));
	}

	id(new PhabricatorAuthSessionEngine())
	->willServeRequestForUser($user);
	} else if (strlen($device_name)) {
	if (!$remote_address) {
	throw new Exception(
	pht(
	'Unable to identify remote address from the %s environment '.
	'variable. Device authentication is accepted only from trusted '.
	'sources.',
	'SSH_CLIENT'));
	}

	if (!PhabricatorEnv::isClusterAddress($remote_address)) {
	throw new Exception(
	pht(
	- 'This request originates from outside of the Phabricator cluster '.
	- 'address range. Requests signed with a trusted device key must '.
	- 'originate from trusted hosts.'));
	+ 'This request originates from outside of the cluster address range. '.
	+ 'Requests signed with a trusted device key must originate from '.
	+ 'trusted hosts.'));
	}

	$device = id(new AlmanacDeviceQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withNames(array($device_name))
	->executeOne();
	if (!$device) {
	throw new Exception(
	pht(
	'Invalid device name ("%s"). There is no device with this name.',
	$device_name));
	}

	if ($device->isDisabled()) {
	throw new Exception(
	pht(
	'This request has authenticated as a device ("%s"), but this '.
	'device is disabled.',
	$device->getName()));
	}

	// We're authenticated as a device, but we're going to read the user out of
	// the command below.
	$is_cluster_request = true;
	} else {
	throw new Exception(
	pht(
	'This script must be invoked with either the %s or %s flag.',
	'--phabricator-ssh-user',
	'--phabricator-ssh-device'));
	}

	if ($args->getArg('ssh-command')) {
	$original_command = $args->getArg('ssh-command');
	} else {
	$original_command = getenv('SSH_ORIGINAL_COMMAND');
	}

	$original_argv = id(new PhutilShellLexer())
	->splitArguments($original_command);

	if ($device) {
	// If we're authenticating as a device, the first argument may be a
	// "@username" argument to act as a particular user.
	$first_argument = head($original_argv);
	if (preg_match('/^@/', $first_argument)) {
	$act_as_name = array_shift($original_argv);
	$act_as_name = substr($act_as_name, 1);
	$user = id(new PhabricatorPeopleQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withUsernames(array($act_as_name))
	->executeOne();
	if (!$user) {
	throw new Exception(
	pht(
	'Device request identifies an acting user with an invalid '.
	'username ("%s"). There is no user with this username.',
	$act_as_name));
	}
	} else {
	$user = PhabricatorUser::getOmnipotentUser();
	}
	}

	if ($user->isOmnipotent()) {
	$user_name = 'device/'.$device->getName();
	} else {
	$user_name = $user->getUsername();
	}

	$ssh_log->setData(
	array(
	'u' => $user_name,
	'P' => $user->getPHID(),
	));

	if (!$device) {
	if (!$user->canEstablishSSHSessions()) {
	throw new Exception(
	pht(
	'Your account ("%s") does not have permission to establish SSH '.
	'sessions. Visit the web interface for more information.',
	$user_name));
	}
	}

	$workflows = id(new PhutilClassMapQuery())
	->setAncestorClass('PhabricatorSSHWorkflow')
	->setUniqueMethod('getName')
	->execute();

	$command_list = array_keys($workflows);
	$command_list = implode(', ', $command_list);

	$error_lines = array();
	- $error_lines[] = pht('Welcome to Phabricator.');
	+ $error_lines[] = pht(
	+ 'Welcome to %s.',
	+ PlatformSymbols::getPlatformServerName());
	$error_lines[] = pht(
	'You are logged in as %s.',
	$user_name);

	if (!$original_argv) {
	$error_lines[] = pht(
	'You have not specified a command to run. This means you are requesting '.
	- 'an interactive shell, but Phabricator does not provide interactive '.
	+ 'an interactive shell, but this server does not provide interactive '.
	'shells over SSH.');
	$error_lines[] = pht(
	'(Usually, you should run a command like "git clone" or "hg push" '.
	'instead of connecting directly with SSH.)');
	$error_lines[] = pht(
	'Supported commands are: %s.',
	$command_list);

	$error_lines = implode("\n\n", $error_lines);
	throw new PhutilArgumentUsageException($error_lines);
	}

	$log_argv = implode(' ', $original_argv);
	$log_argv = id(new PhutilUTF8StringTruncator())
	->setMaximumCodepoints(128)
	->truncateString($log_argv);

	$ssh_log->setData(
	array(
	'C' => $original_argv[0],
	'U' => $log_argv,
	));

	$command = head($original_argv);

	$parseable_argv = $original_argv;
	array_unshift($parseable_argv, 'phabricator-ssh-exec');

	$parsed_args = new PhutilArgumentParser($parseable_argv);

	if (empty($workflows[$command])) {
	$error_lines[] = pht(
	'You have specified the command "%s", but that command is not '.
	- 'supported by Phabricator. As received by Phabricator, your entire '.
	+ 'supported by this server. As received by this server, your entire '.
	'argument list was:',
	$command);

	$error_lines[] = csprintf(' $ ssh ... -- %Ls', $parseable_argv);

	$error_lines[] = pht(
	'Supported commands are: %s.',
	$command_list);

	$error_lines = implode("\n\n", $error_lines);
	throw new PhutilArgumentUsageException($error_lines);
	}

	$workflow = $parsed_args->parseWorkflows($workflows);
	$workflow->setSSHUser($user);
	$workflow->setOriginalArguments($original_argv);
	$workflow->setIsClusterRequest($is_cluster_request);
	$workflow->setRequestIdentifier($request_identifier);

	$sock_stdin = fopen('php://stdin', 'r');
	if (!$sock_stdin) {
	throw new Exception(pht('Unable to open stdin.'));
	}

	$sock_stdout = fopen('php://stdout', 'w');
	if (!$sock_stdout) {
	throw new Exception(pht('Unable to open stdout.'));
	}

	$sock_stderr = fopen('php://stderr', 'w');
	if (!$sock_stderr) {
	throw new Exception(pht('Unable to open stderr.'));
	}

	$socket_channel = new PhutilSocketChannel(
	$sock_stdin,
	$sock_stdout);
	$error_channel = new PhutilSocketChannel(null, $sock_stderr);
	$metrics_channel = new PhutilMetricsChannel($socket_channel);
	$workflow->setIOChannel($metrics_channel);
	$workflow->setErrorChannel($error_channel);

	$rethrow = null;
	try {
	$err = $workflow->execute($parsed_args);

	$metrics_channel->flush();
	$error_channel->flush();
	} catch (Exception $ex) {
	$rethrow = $ex;
	}

	// Always write this if we got as far as building a metrics channel.
	$ssh_log->setData(
	array(
	'i' => $metrics_channel->getBytesRead(),
	'o' => $metrics_channel->getBytesWritten(),
	));

	if ($rethrow) {
	throw $rethrow;
	}
	} catch (Exception $ex) {
	fwrite(STDERR, "phabricator-ssh-exec: ".$ex->getMessage()."\n");
	$err = 1;
	}

	$ssh_log->setData(
	array(
	'c' => $err,
	'T' => phutil_microseconds_since($ssh_start_time),
	));

	exit($err);
	diff --git a/src/applications/almanac/servicetype/AlmanacClusterDatabaseServiceType.php b/src/applications/almanac/servicetype/AlmanacClusterDatabaseServiceType.php
	index ba06a78d52..10c84a628a 100644
	--- a/src/applications/almanac/servicetype/AlmanacClusterDatabaseServiceType.php
	+++ b/src/applications/almanac/servicetype/AlmanacClusterDatabaseServiceType.php
	@@ -1,21 +1,21 @@
	<?php

	final class AlmanacClusterDatabaseServiceType
	extends AlmanacClusterServiceType {

	const SERVICETYPE = 'cluster.database';

	public function getServiceTypeShortName() {
	return pht('Cluster Database');
	}

	public function getServiceTypeName() {
	- return pht('Phabricator Cluster: Database');
	+ return pht('Cluster: Database');
	}

	public function getServiceTypeDescription() {
	return pht(
	- 'Defines a database service for use in a Phabricator cluster.');
	+ 'Defines a database service for use in a cluster.');
	}

	}
	diff --git a/src/applications/almanac/servicetype/AlmanacClusterRepositoryServiceType.php b/src/applications/almanac/servicetype/AlmanacClusterRepositoryServiceType.php
	index 98947f56c1..2f5717f202 100644
	--- a/src/applications/almanac/servicetype/AlmanacClusterRepositoryServiceType.php
	+++ b/src/applications/almanac/servicetype/AlmanacClusterRepositoryServiceType.php
	@@ -1,68 +1,68 @@
	<?php

	final class AlmanacClusterRepositoryServiceType
	extends AlmanacClusterServiceType {

	const SERVICETYPE = 'cluster.repository';

	public function getServiceTypeShortName() {
	return pht('Cluster Repository');
	}

	public function getServiceTypeName() {
	- return pht('Phabricator Cluster: Repository');
	+ return pht('Cluster: Repository');
	}

	public function getServiceTypeDescription() {
	return pht(
	- 'Defines a repository service for use in a Phabricator cluster.');
	+ 'Defines a repository service for use in a cluster.');
	}

	public function getFieldSpecifications() {
	return array(
	'closed' => id(new PhabricatorBoolEditField())
	->setOptions(
	pht('Allow New Repositories'),
	pht('Prevent New Repositories'))
	->setValue(false),
	);
	}

	public function getBindingFieldSpecifications(AlmanacBinding $binding) {
	$protocols = array(
	array(
	'value' => 'http',
	'port' => 80,
	),
	array(
	'value' => 'https',
	'port' => 443,
	),
	array(
	'value' => 'ssh',
	'port' => 22,
	),
	);

	$default_value = 'http';
	if ($binding->hasInterface()) {
	$interface = $binding->getInterface();
	$port = $interface->getPort();

	$default_ports = ipull($protocols, 'value', 'port');
	$default_value = idx($default_ports, $port, $default_value);
	}

	return array(
	'protocol' => id(new PhabricatorSelectEditField())
	->setOptions(ipull($protocols, 'value', 'value'))
	->setValue($default_value),
	'writable' => id(new PhabricatorBoolEditField())
	->setOptions(
	pht('Prevent Writes'),
	pht('Allow Writes'))
	->setValue(true),
	);
	}

	}
	diff --git a/src/applications/auth/adapter/PhutilPhabricatorAuthAdapter.php b/src/applications/auth/adapter/PhutilPhabricatorAuthAdapter.php
	index e66ba32f94..8543675a62 100644
	--- a/src/applications/auth/adapter/PhutilPhabricatorAuthAdapter.php
	+++ b/src/applications/auth/adapter/PhutilPhabricatorAuthAdapter.php
	@@ -1,102 +1,101 @@
	<?php

	/**
	* Authentication adapter for Phabricator OAuth2.
	*/
	final class PhutilPhabricatorAuthAdapter extends PhutilOAuthAuthAdapter {

	private $phabricatorBaseURI;
	private $adapterDomain;

	public function setPhabricatorBaseURI($uri) {
	$this->phabricatorBaseURI = $uri;
	return $this;
	}

	public function getPhabricatorBaseURI() {
	return $this->phabricatorBaseURI;
	}

	public function getAdapterDomain() {
	return $this->adapterDomain;
	}

	public function setAdapterDomain($domain) {
	$this->adapterDomain = $domain;
	return $this;
	}

	public function getAdapterType() {
	return 'phabricator';
	}

	public function getAccountID() {
	return $this->getOAuthAccountData('phid');
	}

	public function getAccountEmail() {
	return $this->getOAuthAccountData('primaryEmail');
	}

	public function getAccountName() {
	return $this->getOAuthAccountData('userName');
	}

	public function getAccountImageURI() {
	return $this->getOAuthAccountData('image');
	}

	public function getAccountURI() {
	return $this->getOAuthAccountData('uri');
	}

	public function getAccountRealName() {
	return $this->getOAuthAccountData('realName');
	}

	protected function getAuthenticateBaseURI() {
	return $this->getPhabricatorURI('oauthserver/auth/');
	}

	protected function getTokenBaseURI() {
	return $this->getPhabricatorURI('oauthserver/token/');
	}

	public function getScope() {
	return '';
	}

	public function getExtraAuthenticateParameters() {
	return array(
	'response_type' => 'code',
	);
	}

	public function getExtraTokenParameters() {
	return array(
	'grant_type' => 'authorization_code',
	);
	}

	protected function loadOAuthAccountData() {
	$uri = id(new PhutilURI($this->getPhabricatorURI('api/user.whoami')))
	->replaceQueryParam('access_token', $this->getAccessToken());
	list($body) = id(new HTTPSFuture($uri))->resolvex();

	try {
	$data = phutil_json_decode($body);
	return $data['result'];
	} catch (PhutilJSONParserException $ex) {
	throw new Exception(
	pht(
	- 'Expected valid JSON response from Phabricator %s request.',
	- 'user.whoami'),
	+ 'Expected valid JSON response from "user.whoami" request.'),
	$ex);
	}
	}

	private function getPhabricatorURI($path) {
	return rtrim($this->phabricatorBaseURI, '/').'/'.ltrim($path, '/');
	}

	}
	diff --git a/src/applications/auth/controller/PhabricatorAuthController.php b/src/applications/auth/controller/PhabricatorAuthController.php
	index c3dc4e2d98..aee93b98d6 100644
	--- a/src/applications/auth/controller/PhabricatorAuthController.php
	+++ b/src/applications/auth/controller/PhabricatorAuthController.php
	@@ -1,295 +1,299 @@
	<?php

	abstract class PhabricatorAuthController extends PhabricatorController {

	protected function renderErrorPage($title, array $messages) {
	$view = new PHUIInfoView();
	$view->setTitle($title);
	$view->setErrors($messages);

	return $this->newPage()
	->setTitle($title)
	->appendChild($view);

	}

	/**
	* Returns true if this install is newly setup (i.e., there are no user
	* accounts yet). In this case, we enter a special mode to permit creation
	* of the first account form the web UI.
	*/
	protected function isFirstTimeSetup() {
	// If there are any auth providers, this isn't first time setup, even if
	// we don't have accounts.
	if (PhabricatorAuthProvider::getAllEnabledProviders()) {
	return false;
	}

	// Otherwise, check if there are any user accounts. If not, we're in first
	// time setup.
	$any_users = id(new PhabricatorPeopleQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->setLimit(1)
	->execute();

	return !$any_users;
	}


	/**
	* Log a user into a web session and return an @{class:AphrontResponse} which
	* corresponds to continuing the login process.
	*
	* Normally, this is a redirect to the validation controller which makes sure
	* the user's cookies are set. However, event listeners can intercept this
	* event and do something else if they prefer.
	*
	* @param PhabricatorUser User to log the viewer in as.
	* @param bool True to issue a full session immediately, bypassing MFA.
	* @return AphrontResponse Response which continues the login process.
	*/
	protected function loginUser(
	PhabricatorUser $user,
	$force_full_session = false) {

	$response = $this->buildLoginValidateResponse($user);
	$session_type = PhabricatorAuthSession::TYPE_WEB;

	if ($force_full_session) {
	$partial_session = false;
	} else {
	$partial_session = true;
	}

	$session_key = id(new PhabricatorAuthSessionEngine())
	->establishSession($session_type, $user->getPHID(), $partial_session);

	// NOTE: We allow disabled users to login and roadblock them later, so
	// there's no check for users being disabled here.

	$request = $this->getRequest();
	$request->setCookie(
	PhabricatorCookies::COOKIE_USERNAME,
	$user->getUsername());
	$request->setCookie(
	PhabricatorCookies::COOKIE_SESSION,
	$session_key);

	$this->clearRegistrationCookies();

	return $response;
	}

	protected function clearRegistrationCookies() {
	$request = $this->getRequest();

	// Clear the registration key.
	$request->clearCookie(PhabricatorCookies::COOKIE_REGISTRATION);

	// Clear the client ID / OAuth state key.
	$request->clearCookie(PhabricatorCookies::COOKIE_CLIENTID);

	// Clear the invite cookie.
	$request->clearCookie(PhabricatorCookies::COOKIE_INVITE);
	}

	private function buildLoginValidateResponse(PhabricatorUser $user) {
	$validate_uri = new PhutilURI($this->getApplicationURI('validate/'));
	$validate_uri->replaceQueryParam('expect', $user->getUsername());

	return id(new AphrontRedirectResponse())->setURI((string)$validate_uri);
	}

	protected function renderError($message) {
	return $this->renderErrorPage(
	pht('Authentication Error'),
	array(
	$message,
	));
	}

	protected function loadAccountForRegistrationOrLinking($account_key) {
	$request = $this->getRequest();
	$viewer = $request->getUser();

	$account = null;
	$provider = null;
	$response = null;

	if (!$account_key) {
	$response = $this->renderError(
	pht('Request did not include account key.'));
	return array($account, $provider, $response);
	}

	// NOTE: We're using the omnipotent user because the actual user may not
	// be logged in yet, and because we want to tailor an error message to
	// distinguish between "not usable" and "does not exist". We do explicit
	// checks later on to make sure this account is valid for the intended
	// operation. This requires edit permission for completeness and consistency
	// but it won't actually be meaningfully checked because we're using the
	// omnipotent user.

	$account = id(new PhabricatorExternalAccountQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withAccountSecrets(array($account_key))
	->needImages(true)
	->requireCapabilities(
	array(
	PhabricatorPolicyCapability::CAN_VIEW,
	PhabricatorPolicyCapability::CAN_EDIT,
	))
	->executeOne();

	if (!$account) {
	$response = $this->renderError(pht('No valid linkable account.'));
	return array($account, $provider, $response);
	}

	if ($account->getUserPHID()) {
	if ($account->getUserPHID() != $viewer->getPHID()) {
	$response = $this->renderError(
	pht(
	'The account you are attempting to register or link is already '.
	'linked to another user.'));
	} else {
	$response = $this->renderError(
	pht(
	'The account you are attempting to link is already linked '.
	'to your account.'));
	}
	return array($account, $provider, $response);
	}

	$registration_key = $request->getCookie(
	PhabricatorCookies::COOKIE_REGISTRATION);

	// NOTE: This registration key check is not strictly necessary, because
	// we're only creating new accounts, not linking existing accounts. It
	// might be more hassle than it is worth, especially for email.
	//
	// The attack this prevents is getting to the registration screen, then
	// copy/pasting the URL and getting someone else to click it and complete
	// the process. They end up with an account bound to credentials you
	// control. This doesn't really let you do anything meaningful, though,
	// since you could have simply completed the process yourself.

	if (!$registration_key) {
	$response = $this->renderError(
	pht(
	'Your browser did not submit a registration key with the request. '.
	'You must use the same browser to begin and complete registration. '.
	'Check that cookies are enabled and try again.'));
	return array($account, $provider, $response);
	}

	// We store the digest of the key rather than the key itself to prevent a
	// theoretical attacker with read-only access to the database from
	// hijacking registration sessions.

	$actual = $account->getProperty('registrationKey');
	$expect = PhabricatorHash::weakDigest($registration_key);
	if (!phutil_hashes_are_identical($actual, $expect)) {
	$response = $this->renderError(
	pht(
	'Your browser submitted a different registration key than the one '.
	'associated with this account. You may need to clear your cookies.'));
	return array($account, $provider, $response);
	}

	$config = $account->getProviderConfig();
	if (!$config->getIsEnabled()) {
	$response = $this->renderError(
	pht(
	'The account you are attempting to register with uses a disabled '.
	'authentication provider ("%s"). An administrator may have '.
	'recently disabled this provider.',
	$config->getDisplayName()));
	return array($account, $provider, $response);
	}

	$provider = $config->getProvider();

	return array($account, $provider, null);
	}

	protected function loadInvite() {
	$invite_cookie = PhabricatorCookies::COOKIE_INVITE;
	$invite_code = $this->getRequest()->getCookie($invite_cookie);
	if (!$invite_code) {
	return null;
	}

	$engine = id(new PhabricatorAuthInviteEngine())
	->setViewer($this->getViewer())
	->setUserHasConfirmedVerify(true);

	try {
	return $engine->processInviteCode($invite_code);
	} catch (Exception $ex) {
	// If this fails for any reason, just drop the invite. In normal
	// circumstances, we gave them a detailed explanation of any error
	// before they jumped into this workflow.
	return null;
	}
	}

	protected function renderInviteHeader(PhabricatorAuthInvite $invite) {
	$viewer = $this->getViewer();

	// Since the user hasn't registered yet, they may not be able to see other
	// user accounts. Load the inviting user with the omnipotent viewer.
	$omnipotent_viewer = PhabricatorUser::getOmnipotentUser();

	$invite_author = id(new PhabricatorPeopleQuery())
	->setViewer($omnipotent_viewer)
	->withPHIDs(array($invite->getAuthorPHID()))
	->needProfileImage(true)
	->executeOne();

	// If we can't load the author for some reason, just drop this message.
	// We lose the value of contextualizing things without author details.
	if (!$invite_author) {
	return null;
	}

	$invite_item = id(new PHUIObjectItemView())
	- ->setHeader(pht('Welcome to Phabricator!'))
	+ ->setHeader(
	+ pht(
	+ 'Welcome to %s!',
	+ PlatformSymbols::getPlatformServerName()))
	->setImageURI($invite_author->getProfileImageURI())
	->addAttribute(
	pht(
	- '%s has invited you to join Phabricator.',
	- $invite_author->getFullName()));
	+ '%s has invited you to join %s.',
	+ $invite_author->getFullName(),
	+ PlatformSymbols::getPlatformServerName()));

	$invite_list = id(new PHUIObjectItemListView())
	->addItem($invite_item)
	->setFlush(true);

	return id(new PHUIBoxView())
	->addMargin(PHUI::MARGIN_LARGE)
	->appendChild($invite_list);
	}


	final protected function newCustomStartMessage() {
	$viewer = $this->getViewer();

	$text = PhabricatorAuthMessage::loadMessageText(
	$viewer,
	PhabricatorAuthLoginMessageType::MESSAGEKEY);

	if (!strlen($text)) {
	return null;
	}

	$remarkup_view = new PHUIRemarkupView($viewer, $text);

	return phutil_tag(
	'div',
	array(
	'class' => 'auth-custom-message',
	),
	$remarkup_view);
	}

	}
	diff --git a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
	index d176a67119..8a3ad1afc9 100644
	--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
	+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
	@@ -1,275 +1,279 @@
	<?php

	final class PhabricatorAuthOneTimeLoginController
	extends PhabricatorAuthController {

	public function shouldRequireLogin() {
	return false;
	}

	public function handleRequest(AphrontRequest $request) {
	$viewer = $this->getViewer();
	$id = $request->getURIData('id');
	$link_type = $request->getURIData('type');
	$key = $request->getURIData('key');
	$email_id = $request->getURIData('emailID');

	$target_user = id(new PhabricatorPeopleQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withIDs(array($id))
	->executeOne();
	if (!$target_user) {
	return new Aphront404Response();
	}

	// NOTE: We allow you to use a one-time login link for your own current
	// login account. This supports the "Set Password" flow.

	$is_logged_in = false;
	if ($viewer->isLoggedIn()) {
	if ($viewer->getPHID() !== $target_user->getPHID()) {
	return $this->renderError(
	pht('You are already logged in.'));
	} else {
	$is_logged_in = true;
	}
	}

	// NOTE: As a convenience to users, these one-time login URIs may also
	// be associated with an email address which will be verified when the
	// URI is used.

	// This improves the new user experience for users receiving "Welcome"
	// emails on installs that require verification: if we did not verify the
	// email, they'd immediately get roadblocked with a "Verify Your Email"
	// error and have to go back to their email account, wait for a
	// "Verification" email, and then click that link to actually get access to
	// their account. This is hugely unwieldy, and if the link was only sent
	// to the user's email in the first place we can safely verify it as a
	// side effect of login.

	// The email hashed into the URI so users can't verify some email they
	// do not own by doing this:
	//
	// - Add some address you do not own;
	// - request a password reset;
	// - change the URI in the email to the address you don't own;
	// - login via the email link; and
	// - get a "verified" address you don't control.

	$target_email = null;
	if ($email_id) {
	$target_email = id(new PhabricatorUserEmail())->loadOneWhere(
	'userPHID = %s AND id = %d',
	$target_user->getPHID(),
	$email_id);
	if (!$target_email) {
	return new Aphront404Response();
	}
	}

	$engine = new PhabricatorAuthSessionEngine();
	$token = $engine->loadOneTimeLoginKey(
	$target_user,
	$target_email,
	$key);

	if (!$token) {
	return $this->newDialog()
	->setTitle(pht('Unable to Log In'))
	->setShortTitle(pht('Login Failure'))
	->appendParagraph(
	pht(
	'The login link you clicked is invalid, out of date, or has '.
	'already been used.'))
	->appendParagraph(
	pht(
	'Make sure you are copy-and-pasting the entire link into '.
	'your browser. Login links are only valid for 24 hours, and '.
	'can only be used once.'))
	->appendParagraph(
	pht('You can try again, or request a new link via email.'))
	->addCancelButton('/login/email/', pht('Send Another Email'));
	}

	if (!$target_user->canEstablishWebSessions()) {
	return $this->newDialog()
	->setTitle(pht('Unable to Establish Web Session'))
	->setShortTitle(pht('Login Failure'))
	->appendParagraph(
	pht(
	'You are trying to gain access to an account ("%s") that can not '.
	'establish a web session.',
	$target_user->getUsername()))
	->appendParagraph(
	pht(
	'Special users like daemons and mailing lists are not permitted '.
	'to log in via the web. Log in as a normal user instead.'))
	->addCancelButton('/');
	}

	if ($request->isFormPost() \|\| $is_logged_in) {
	// If we have an email bound into this URI, verify email so that clicking
	// the link in the "Welcome" email is good enough, without requiring users
	// to go through a second round of email verification.

	$editor = id(new PhabricatorUserEditor())
	->setActor($target_user);

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	// Nuke the token and all other outstanding password reset tokens.
	// There is no particular security benefit to destroying them all, but
	// it should reduce HackerOne reports of nebulous harm.
	$editor->revokePasswordResetLinks($target_user);

	if ($target_email) {
	$editor->verifyEmail($target_user, $target_email);
	}
	unset($unguarded);

	$next_uri = $this->getNextStepURI($target_user);

	// If the user is already logged in, we're just doing a "password set"
	// flow. Skip directly to the next step.
	if ($is_logged_in) {
	return id(new AphrontRedirectResponse())->setURI($next_uri);
	}

	PhabricatorCookies::setNextURICookie($request, $next_uri, $force = true);

	$force_full_session = false;
	if ($link_type === PhabricatorAuthSessionEngine::ONETIME_RECOVER) {
	$force_full_session = $token->getShouldForceFullSession();
	}

	return $this->loginUser($target_user, $force_full_session);
	}

	// NOTE: We need to CSRF here so attackers can't generate an email link,
	// then log a user in to an account they control via sneaky invisible
	// form submissions.

	switch ($link_type) {
	case PhabricatorAuthSessionEngine::ONETIME_WELCOME:
	- $title = pht('Welcome to Phabricator');
	+ $title = pht(
	+ 'Welcome to %s',
	+ PlatformSymbols::getPlatformServerName());
	break;
	case PhabricatorAuthSessionEngine::ONETIME_RECOVER:
	$title = pht('Account Recovery');
	break;
	case PhabricatorAuthSessionEngine::ONETIME_USERNAME:
	case PhabricatorAuthSessionEngine::ONETIME_RESET:
	default:
	- $title = pht('Log in to Phabricator');
	+ $title = pht(
	+ 'Log in to %s',
	+ PlatformSymbols::getPlatformServerName());
	break;
	}

	$body = array();
	$body[] = pht(
	'Use the button below to log in as: %s',
	phutil_tag('strong', array(), $target_user->getUsername()));

	if ($target_email && !$target_email->getIsVerified()) {
	$body[] = pht(
	'Logging in will verify %s as an email address you own.',
	phutil_tag('strong', array(), $target_email->getAddress()));

	}

	$body[] = pht(
	'After logging in you should set a password for your account, or '.
	'link your account to an external account that you can use to '.
	'authenticate in the future.');

	$dialog = $this->newDialog()
	->setTitle($title)
	->addSubmitButton(pht('Log In (%s)', $target_user->getUsername()))
	->addCancelButton('/');

	foreach ($body as $paragraph) {
	$dialog->appendParagraph($paragraph);
	}

	return id(new AphrontDialogResponse())->setDialog($dialog);
	}

	private function getNextStepURI(PhabricatorUser $user) {
	$request = $this->getRequest();

	// If we have password auth, let the user set or reset their password after
	// login.
	$have_passwords = PhabricatorPasswordAuthProvider::getPasswordProvider();
	if ($have_passwords) {
	// We're going to let the user reset their password without knowing
	// the old one. Generate a one-time token for that.
	$key = Filesystem::readRandomCharacters(16);
	$password_type =
	PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE;

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	id(new PhabricatorAuthTemporaryToken())
	->setTokenResource($user->getPHID())
	->setTokenType($password_type)
	->setTokenExpires(time() + phutil_units('1 hour in seconds'))
	->setTokenCode(PhabricatorHash::weakDigest($key))
	->save();
	unset($unguarded);

	$panel_uri = '/auth/password/';

	$request->setTemporaryCookie(PhabricatorCookies::COOKIE_HISEC, 'yes');

	$params = array(
	'key' => $key,
	);

	return (string)new PhutilURI($panel_uri, $params);
	}

	// Check if the user already has external accounts linked. If they do,
	// it's not obvious why they aren't using them to log in, but assume they
	// know what they're doing. We won't send them to the link workflow.
	$accounts = id(new PhabricatorExternalAccountQuery())
	->setViewer($user)
	->withUserPHIDs(array($user->getPHID()))
	->execute();

	$configs = id(new PhabricatorAuthProviderConfigQuery())
	->setViewer($user)
	->withIsEnabled(true)
	->execute();

	$linkable = array();
	foreach ($configs as $config) {
	if (!$config->getShouldAllowLink()) {
	continue;
	}

	$provider = $config->getProvider();
	if (!$provider->isLoginFormAButton()) {
	continue;
	}

	$linkable[] = $provider;
	}

	// If there's at least one linkable provider, and the user doesn't already
	// have accounts, send the user to the link workflow.
	if (!$accounts && $linkable) {
	return '/auth/external/';
	}

	// If there are no configured providers and the user is an administrator,
	// send them to Auth to configure a provider. This is probably where they
	// want to go. You can end up in this state by accidentally losing your
	// first session during initial setup, or after restoring exported data
	// from a hosted instance.
	if (!$configs && $user->getIsAdmin()) {
	return '/auth/';
	}

	// If we didn't find anywhere better to send them, give up and just send
	// them to the home page.
	return '/';
	}

	}
	diff --git a/src/applications/auth/controller/PhabricatorAuthRegisterController.php b/src/applications/auth/controller/PhabricatorAuthRegisterController.php
	index 30aa770f30..9fbf30d092 100644
	--- a/src/applications/auth/controller/PhabricatorAuthRegisterController.php
	+++ b/src/applications/auth/controller/PhabricatorAuthRegisterController.php
	@@ -1,751 +1,758 @@
	<?php

	final class PhabricatorAuthRegisterController
	extends PhabricatorAuthController {

	public function shouldRequireLogin() {
	return false;
	}

	public function handleRequest(AphrontRequest $request) {
	$viewer = $this->getViewer();
	$account_key = $request->getURIData('akey');

	if ($viewer->isLoggedIn()) {
	return id(new AphrontRedirectResponse())->setURI('/');
	}

	$invite = $this->loadInvite();

	$is_setup = false;
	if (strlen($account_key)) {
	$result = $this->loadAccountForRegistrationOrLinking($account_key);
	list($account, $provider, $response) = $result;
	$is_default = false;
	} else if ($this->isFirstTimeSetup()) {
	$account = null;
	$provider = null;
	$response = null;
	$is_default = true;
	$is_setup = true;
	} else {
	list($account, $provider, $response) = $this->loadDefaultAccount($invite);
	$is_default = true;
	}

	if ($response) {
	return $response;
	}

	if (!$is_setup) {
	if (!$provider->shouldAllowRegistration()) {
	if ($invite) {
	// If the user has an invite, we allow them to register with any
	// provider, even a login-only provider.
	} else {
	// TODO: This is a routine error if you click "Login" on an external
	// auth source which doesn't allow registration. The error should be
	// more tailored.

	return $this->renderError(
	pht(
	'The account you are attempting to register with uses an '.
	'authentication provider ("%s") which does not allow '.
	'registration. An administrator may have recently disabled '.
	'registration with this provider.',
	$provider->getProviderName()));
	}
	}
	}

	$errors = array();

	$user = new PhabricatorUser();

	if ($is_setup) {
	$default_username = null;
	$default_realname = null;
	$default_email = null;
	} else {
	$default_username = $account->getUsername();
	$default_realname = $account->getRealName();
	$default_email = $account->getEmail();
	}

	$account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT;
	$content_source = PhabricatorContentSource::newFromRequest($request);

	if ($invite) {
	$default_email = $invite->getEmailAddress();
	}

	if ($default_email !== null) {
	if (!PhabricatorUserEmail::isValidAddress($default_email)) {
	$errors[] = pht(
	'The email address associated with this external account ("%s") is '.
	- 'not a valid email address and can not be used to register a '.
	- 'Phabricator account. Choose a different, valid address.',
	+ 'not a valid email address and can not be used to register an '.
	+ 'account. Choose a different, valid address.',
	phutil_tag('strong', array(), $default_email));
	$default_email = null;
	}
	}

	if ($default_email !== null) {
	// We should bypass policy here because e.g. limiting an application use
	// to a subset of users should not allow the others to overwrite
	// configured application emails.
	$application_email = id(new PhabricatorMetaMTAApplicationEmailQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withAddresses(array($default_email))
	->executeOne();
	if ($application_email) {
	$errors[] = pht(
	'The email address associated with this account ("%s") is '.
	'already in use by an application and can not be used to '.
	- 'register a new Phabricator account. Choose a different, valid '.
	- 'address.',
	+ 'register a new account. Choose a different, valid address.',
	phutil_tag('strong', array(), $default_email));
	$default_email = null;
	}
	}

	$show_existing = null;
	if ($default_email !== null) {
	// If the account source provided an email, but it's not allowed by
	// the configuration, roadblock the user. Previously, we let the user
	// pick a valid email address instead, but this does not align well with
	// user expectation and it's not clear the cases it enables are valuable.
	// See discussion in T3472.
	if (!PhabricatorUserEmail::isAllowedAddress($default_email)) {
	$debug_email = new PHUIInvisibleCharacterView($default_email);
	return $this->renderError(
	array(
	pht(
	'The account you are attempting to register with has an invalid '.
	- 'email address (%s). This Phabricator install only allows '.
	- 'registration with specific email addresses:',
	+ 'email address (%s). This server only allows registration with '.
	+ 'specific email addresses:',
	$debug_email),
	phutil_tag('br'),
	phutil_tag('br'),
	PhabricatorUserEmail::describeAllowedAddresses(),
	));
	}

	// If the account source provided an email, but another account already
	// has that email, just pretend we didn't get an email.
	if ($default_email !== null) {
	$same_email = id(new PhabricatorUserEmail())->loadOneWhere(
	'address = %s',
	$default_email);
	if ($same_email) {
	if ($invite) {
	// We're allowing this to continue. The fact that we loaded the
	// invite means that the address is nonprimary and unverified and
	// we're OK to steal it.
	} else {
	$show_existing = $default_email;
	$default_email = null;
	}
	}
	}
	}

	if ($show_existing !== null) {
	if (!$request->getInt('phase')) {
	return $this->newDialog()
	->setTitle(pht('Email Address Already in Use'))
	->addHiddenInput('phase', 1)
	->appendParagraph(
	pht(
	- 'You are creating a new Phabricator account linked to an '.
	- 'existing external account from outside Phabricator.'))
	+ 'You are creating a new account linked to an existing '.
	+ 'external account.'))
	->appendParagraph(
	pht(
	'The email address ("%s") associated with the external account '.
	- 'is already in use by an existing Phabricator account. Multiple '.
	- 'Phabricator accounts may not have the same email address, so '.
	- 'you can not use this email address to register a new '.
	- 'Phabricator account.',
	- phutil_tag('strong', array(), $show_existing)))
	+ 'is already in use by an existing %s account. Multiple '.
	+ '%s accounts may not have the same email address, so '.
	+ 'you can not use this email address to register a new account.',
	+ phutil_tag('strong', array(), $show_existing),
	+ PlatformSymbols::getPlatformServerName(),
	+ PlatformSymbols::getPlatformServerName()))
	->appendParagraph(
	pht(
	'If you want to register a new account, continue with this '.
	'registration workflow and choose a new, unique email address '.
	'for the new account.'))
	->appendParagraph(
	pht(
	- 'If you want to link an existing Phabricator account to this '.
	+ 'If you want to link an existing %s account to this '.
	'external account, do not continue. Instead: log in to your '.
	'existing account, then go to "Settings" and link the account '.
	- 'in the "External Accounts" panel.'))
	+ 'in the "External Accounts" panel.',
	+ PlatformSymbols::getPlatformServerName()))
	->appendParagraph(
	pht(
	'If you continue, you will create a new account. You will not '.
	'be able to link this external account to an existing account.'))
	->addCancelButton('/auth/login/', pht('Cancel'))
	->addSubmitButton(pht('Create New Account'));
	} else {
	$errors[] = pht(
	'The external account you are registering with has an email address '.
	- 'that is already in use ("%s") by an existing Phabricator account. '.
	- 'Choose a new, valid email address to register a new Phabricator '.
	- 'account.',
	- phutil_tag('strong', array(), $show_existing));
	+ 'that is already in use ("%s") by an existing %s account. '.
	+ 'Choose a new, valid email address to register a new account.',
	+ phutil_tag('strong', array(), $show_existing),
	+ PlatformSymbols::getPlatformServerName());
	}
	}

	$profile = id(new PhabricatorRegistrationProfile())
	->setDefaultUsername($default_username)
	->setDefaultEmail($default_email)
	->setDefaultRealName($default_realname)
	->setCanEditUsername(true)
	->setCanEditEmail(($default_email === null))
	->setCanEditRealName(true)
	->setShouldVerifyEmail(false);

	$event_type = PhabricatorEventType::TYPE_AUTH_WILLREGISTERUSER;
	$event_data = array(
	'account' => $account,
	'profile' => $profile,
	);

	$event = id(new PhabricatorEvent($event_type, $event_data))
	->setUser($user);
	PhutilEventEngine::dispatchEvent($event);

	$default_username = $profile->getDefaultUsername();
	$default_email = $profile->getDefaultEmail();
	$default_realname = $profile->getDefaultRealName();

	$can_edit_username = $profile->getCanEditUsername();
	$can_edit_email = $profile->getCanEditEmail();
	$can_edit_realname = $profile->getCanEditRealName();

	if ($is_setup) {
	$must_set_password = false;
	} else {
	$must_set_password = $provider->shouldRequireRegistrationPassword();
	}

	$can_edit_anything = $profile->getCanEditAnything() \|\| $must_set_password;
	$force_verify = $profile->getShouldVerifyEmail();

	// Automatically verify the administrator's email address during first-time
	// setup.
	if ($is_setup) {
	$force_verify = true;
	}

	$value_username = $default_username;
	$value_realname = $default_realname;
	$value_email = $default_email;
	$value_password = null;

	$require_real_name = PhabricatorEnv::getEnvConfig('user.require-real-name');

	$e_username = strlen($value_username) ? null : true;
	$e_realname = $require_real_name ? true : null;
	$e_email = strlen($value_email) ? null : true;
	$e_password = true;
	$e_captcha = true;

	$skip_captcha = false;
	if ($invite) {
	// If the user is accepting an invite, assume they're trustworthy enough
	// that we don't need to CAPTCHA them.
	$skip_captcha = true;
	}

	$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
	$min_len = (int)$min_len;

	$from_invite = $request->getStr('invite');
	if ($from_invite && $can_edit_username) {
	$value_username = $request->getStr('username');
	$e_username = null;
	}

	$try_register =
	($request->isFormPost() \|\| !$can_edit_anything) &&
	!$from_invite &&
	($request->getInt('phase') != 1);

	if ($try_register) {
	$errors = array();

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();

	if ($must_set_password && !$skip_captcha) {
	$e_captcha = pht('Again');

	$captcha_ok = AphrontFormRecaptchaControl::processCaptcha($request);
	if (!$captcha_ok) {
	$errors[] = pht('Captcha response is incorrect, try again.');
	$e_captcha = pht('Invalid');
	}
	}

	if ($can_edit_username) {
	$value_username = $request->getStr('username');
	if (!strlen($value_username)) {
	$e_username = pht('Required');
	$errors[] = pht('Username is required.');
	} else if (!PhabricatorUser::validateUsername($value_username)) {
	$e_username = pht('Invalid');
	$errors[] = PhabricatorUser::describeValidUsername();
	} else {
	$e_username = null;
	}
	}

	if ($must_set_password) {
	$value_password = $request->getStr('password');
	$value_confirm = $request->getStr('confirm');

	$password_envelope = new PhutilOpaqueEnvelope($value_password);
	$confirm_envelope = new PhutilOpaqueEnvelope($value_confirm);

	$engine = id(new PhabricatorAuthPasswordEngine())
	->setViewer($user)
	->setContentSource($content_source)
	->setPasswordType($account_type)
	->setObject($user);

	try {
	$engine->checkNewPassword($password_envelope, $confirm_envelope);
	$e_password = null;
	} catch (PhabricatorAuthPasswordException $ex) {
	$errors[] = $ex->getMessage();
	$e_password = $ex->getPasswordError();
	}
	}

	if ($can_edit_email) {
	$value_email = $request->getStr('email');
	if (!strlen($value_email)) {
	$e_email = pht('Required');
	$errors[] = pht('Email is required.');
	} else if (!PhabricatorUserEmail::isValidAddress($value_email)) {
	$e_email = pht('Invalid');
	$errors[] = PhabricatorUserEmail::describeValidAddresses();
	} else if (!PhabricatorUserEmail::isAllowedAddress($value_email)) {
	$e_email = pht('Disallowed');
	$errors[] = PhabricatorUserEmail::describeAllowedAddresses();
	} else {
	$e_email = null;
	}
	}

	if ($can_edit_realname) {
	$value_realname = $request->getStr('realName');
	if (!strlen($value_realname) && $require_real_name) {
	$e_realname = pht('Required');
	$errors[] = pht('Real name is required.');
	} else {
	$e_realname = null;
	}
	}

	if (!$errors) {
	if (!$is_setup) {
	$image = $this->loadProfilePicture($account);
	if ($image) {
	$user->setProfileImagePHID($image->getPHID());
	}
	}

	try {
	$verify_email = false;

	if ($force_verify) {
	$verify_email = true;
	}

	if (!$is_setup) {
	if ($value_email === $default_email) {
	if ($account->getEmailVerified()) {
	$verify_email = true;
	}

	if ($provider->shouldTrustEmails()) {
	$verify_email = true;
	}

	if ($invite) {
	$verify_email = true;
	}
	}
	}

	$email_obj = null;
	if ($invite) {
	// If we have a valid invite, this email may exist but be
	// nonprimary and unverified, so we'll reassign it.
	$email_obj = id(new PhabricatorUserEmail())->loadOneWhere(
	'address = %s',
	$value_email);
	}
	if (!$email_obj) {
	$email_obj = id(new PhabricatorUserEmail())
	->setAddress($value_email);
	}

	$email_obj->setIsVerified((int)$verify_email);

	$user->setUsername($value_username);
	$user->setRealname($value_realname);

	if ($is_setup) {
	$must_approve = false;
	} else if ($invite) {
	$must_approve = false;
	} else {
	$must_approve = PhabricatorEnv::getEnvConfig(
	'auth.require-approval');
	}

	if ($must_approve) {
	$user->setIsApproved(0);
	} else {
	$user->setIsApproved(1);
	}

	if ($invite) {
	$allow_reassign_email = true;
	} else {
	$allow_reassign_email = false;
	}

	$user->openTransaction();

	$editor = id(new PhabricatorUserEditor())
	->setActor($user);

	$editor->createNewUser($user, $email_obj, $allow_reassign_email);
	if ($must_set_password) {
	$password_object = PhabricatorAuthPassword::initializeNewPassword(
	$user,
	$account_type);

	$password_object
	->setPassword($password_envelope, $user)
	->save();
	}

	if ($is_setup) {
	$xactions = array();
	$xactions[] = id(new PhabricatorUserTransaction())
	->setTransactionType(
	PhabricatorUserEmpowerTransaction::TRANSACTIONTYPE)
	->setNewValue(true);

	$actor = PhabricatorUser::getOmnipotentUser();
	$content_source = PhabricatorContentSource::newFromRequest(
	$request);

	$people_application_phid = id(new PhabricatorPeopleApplication())
	->getPHID();

	$transaction_editor = id(new PhabricatorUserTransactionEditor())
	->setActor($actor)
	->setActingAsPHID($people_application_phid)
	->setContentSource($content_source)
	->setContinueOnMissingFields(true);

	$transaction_editor->applyTransactions($user, $xactions);
	}

	if (!$is_setup) {
	$account->setUserPHID($user->getPHID());
	$account->save();
	}

	$user->saveTransaction();

	if (!$email_obj->getIsVerified()) {
	$email_obj->sendVerificationEmail($user);
	}

	if ($must_approve) {
	$this->sendWaitingForApprovalEmail($user);
	}

	if ($invite) {
	$invite->setAcceptedByPHID($user->getPHID())->save();
	}

	return $this->loginUser($user);
	} catch (AphrontDuplicateKeyQueryException $exception) {
	$same_username = id(new PhabricatorUser())->loadOneWhere(
	'userName = %s',
	$user->getUserName());

	$same_email = id(new PhabricatorUserEmail())->loadOneWhere(
	'address = %s',
	$value_email);

	if ($same_username) {
	$e_username = pht('Duplicate');
	$errors[] = pht('Another user already has that username.');
	}

	if ($same_email) {
	// TODO: See T3340.
	$e_email = pht('Duplicate');
	$errors[] = pht('Another user already has that email.');
	}

	if (!$same_username && !$same_email) {
	throw $exception;
	}
	}
	}

	unset($unguarded);
	}

	$form = id(new AphrontFormView())
	->setUser($request->getUser())
	->addHiddenInput('phase', 2);

	if (!$is_default) {
	$form->appendChild(
	id(new AphrontFormMarkupControl())
	->setLabel(pht('External Account'))
	->setValue(
	id(new PhabricatorAuthAccountView())
	->setUser($request->getUser())
	->setExternalAccount($account)
	->setAuthProvider($provider)));
	}

	if ($can_edit_username) {
	$form->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Username'))
	->setName('username')
	->setValue($value_username)
	->setError($e_username));
	} else {
	$form->appendChild(
	id(new AphrontFormMarkupControl())
	->setLabel(pht('Username'))
	->setValue($value_username)
	->setError($e_username));
	}

	if ($can_edit_realname) {
	$form->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Real Name'))
	->setName('realName')
	->setValue($value_realname)
	->setError($e_realname));
	}

	if ($must_set_password) {
	$form->appendChild(
	id(new AphrontFormPasswordControl())
	->setLabel(pht('Password'))
	->setName('password')
	->setError($e_password));
	$form->appendChild(
	id(new AphrontFormPasswordControl())
	->setLabel(pht('Confirm Password'))
	->setName('confirm')
	->setError($e_password)
	->setCaption(
	$min_len
	? pht('Minimum length of %d characters.', $min_len)
	: null));
	}

	if ($can_edit_email) {
	$form->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Email'))
	->setName('email')
	->setValue($value_email)
	->setCaption(PhabricatorUserEmail::describeAllowedAddresses())
	->setError($e_email));
	}

	if ($must_set_password && !$skip_captcha) {
	$form->appendChild(
	id(new AphrontFormRecaptchaControl())
	->setLabel(pht('Captcha'))
	->setError($e_captcha));
	}

	$submit = id(new AphrontFormSubmitControl());

	if ($is_setup) {
	$submit
	->setValue(pht('Create Admin Account'));
	} else {
	$submit
	->addCancelButton($this->getApplicationURI('start/'))
	->setValue(pht('Register Account'));
	}


	$form->appendChild($submit);

	$crumbs = $this->buildApplicationCrumbs();

	if ($is_setup) {
	$crumbs->addTextCrumb(pht('Setup Admin Account'));
	- $title = pht('Welcome to Phabricator');
	+ $title = pht(
	+ 'Welcome to %s',
	+ PlatformSymbols::getPlatformServerName());
	} else {
	$crumbs->addTextCrumb(pht('Register'));
	$crumbs->addTextCrumb($provider->getProviderName());
	$title = pht('Create a New Account');
	}
	$crumbs->setBorder(true);

	$welcome_view = null;
	if ($is_setup) {
	$welcome_view = id(new PHUIInfoView())
	->setSeverity(PHUIInfoView::SEVERITY_NOTICE)
	- ->setTitle(pht('Welcome to Phabricator'))
	+ ->setTitle(
	+ pht(
	+ 'Welcome to %s',
	+ PlatformSymbols::getPlatformServerName()))
	->appendChild(
	pht(
	'Installation is complete. Register your administrator account '.
	'below to log in. You will be able to configure options and add '.
	'authentication mechanisms later on.'));
	}

	$object_box = id(new PHUIObjectBoxView())
	->setForm($form)
	->setFormErrors($errors);

	$invite_header = null;
	if ($invite) {
	$invite_header = $this->renderInviteHeader($invite);
	}

	$header = id(new PHUIHeaderView())
	->setHeader($title);

	$view = id(new PHUITwoColumnView())
	->setHeader($header)
	->setFooter(
	array(
	$welcome_view,
	$invite_header,
	$object_box,
	));

	return $this->newPage()
	->setTitle($title)
	->setCrumbs($crumbs)
	->appendChild($view);
	}

	private function loadDefaultAccount($invite) {
	$providers = PhabricatorAuthProvider::getAllEnabledProviders();
	$account = null;
	$provider = null;
	$response = null;

	foreach ($providers as $key => $candidate_provider) {
	if (!$invite) {
	if (!$candidate_provider->shouldAllowRegistration()) {
	unset($providers[$key]);
	continue;
	}
	}

	if (!$candidate_provider->isDefaultRegistrationProvider()) {
	unset($providers[$key]);
	}
	}

	if (!$providers) {
	$response = $this->renderError(
	pht(
	'There are no configured default registration providers.'));
	return array($account, $provider, $response);
	} else if (count($providers) > 1) {
	$response = $this->renderError(
	pht('There are too many configured default registration providers.'));
	return array($account, $provider, $response);
	}

	$provider = head($providers);
	$account = $provider->newDefaultExternalAccount();

	return array($account, $provider, $response);
	}

	private function loadProfilePicture(PhabricatorExternalAccount $account) {
	$phid = $account->getProfileImagePHID();
	if (!$phid) {
	return null;
	}

	// NOTE: Use of omnipotent user is okay here because the registering user
	// can not control the field value, and we can't use their user object to
	// do meaningful policy checks anyway since they have not registered yet.
	// Reaching this means the user holds the account secret key and the
	// registration secret key, and thus has permission to view the image.

	$file = id(new PhabricatorFileQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withPHIDs(array($phid))
	->executeOne();
	if (!$file) {
	return null;
	}

	$xform = PhabricatorFileTransform::getTransformByKey(
	PhabricatorFileThumbnailTransform::TRANSFORM_PROFILE);
	return $xform->executeTransform($file);
	}

	protected function renderError($message) {
	return $this->renderErrorPage(
	pht('Registration Failed'),
	array($message));
	}

	private function sendWaitingForApprovalEmail(PhabricatorUser $user) {
	- $title = '[Phabricator] '.pht(
	- 'New User "%s" Awaiting Approval',
	+ $title = pht(
	+ '[%s] New User "%s" Awaiting Approval',
	+ PlatformSymbols::getPlatformServerName(),
	$user->getUsername());

	$body = new PhabricatorMetaMTAMailBody();

	$body->addRawSection(
	pht(
	'Newly registered user "%s" is awaiting account approval by an '.
	'administrator.',
	$user->getUsername()));

	$body->addLinkSection(
	pht('APPROVAL QUEUE'),
	PhabricatorEnv::getProductionURI(
	'/people/query/approval/'));

	$body->addLinkSection(
	pht('DISABLE APPROVAL QUEUE'),
	PhabricatorEnv::getProductionURI(
	'/config/edit/auth.require-approval/'));

	$admins = id(new PhabricatorPeopleQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withIsAdmin(true)
	->execute();

	if (!$admins) {
	return;
	}

	$mail = id(new PhabricatorMetaMTAMail())
	->addTos(mpull($admins, 'getPHID'))
	->setSubject($title)
	->setBody($body->render())
	->saveAndSend();
	}

	}
	diff --git a/src/applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php b/src/applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php
	index 206a2f1c4a..4a48a666c2 100644
	--- a/src/applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php
	+++ b/src/applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php
	@@ -1,119 +1,119 @@
	<?php

	final class PhabricatorAuthSSHKeyGenerateController
	extends PhabricatorAuthSSHKeyController {

	public function handleRequest(AphrontRequest $request) {
	$viewer = $this->getViewer();

	$key = $this->newKeyForObjectPHID($request->getStr('objectPHID'));
	if (!$key) {
	return new Aphront404Response();
	}

	$cancel_uri = $key->getObject()->getSSHPublicKeyManagementURI($viewer);

	$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
	$viewer,
	$request,
	$cancel_uri);

	if ($request->isFormPost()) {
	$default_name = $key->getObject()->getSSHKeyDefaultName();

	$keys = PhabricatorSSHKeyGenerator::generateKeypair();
	list($public_key, $private_key) = $keys;

	$key_name = $default_name.'.key';

	$file = PhabricatorFile::newFromFileData(
	$private_key,
	array(
	'name' => $key_name,
	'ttl.relative' => phutil_units('10 minutes in seconds'),
	'viewPolicy' => $viewer->getPHID(),
	));

	$public_key = PhabricatorAuthSSHPublicKey::newFromRawKey($public_key);

	$type = $public_key->getType();
	$body = $public_key->getBody();
	$comment = pht('Generated');

	$entire_key = "{$type} {$body} {$comment}";

	$type_create = PhabricatorTransactions::TYPE_CREATE;
	$type_name = PhabricatorAuthSSHKeyTransaction::TYPE_NAME;
	$type_key = PhabricatorAuthSSHKeyTransaction::TYPE_KEY;

	$xactions = array();

	$xactions[] = id(new PhabricatorAuthSSHKeyTransaction())
	->setTransactionType(PhabricatorTransactions::TYPE_CREATE);

	$xactions[] = id(new PhabricatorAuthSSHKeyTransaction())
	->setTransactionType($type_name)
	->setNewValue($default_name);

	$xactions[] = id(new PhabricatorAuthSSHKeyTransaction())
	->setTransactionType($type_key)
	->setNewValue($entire_key);

	$editor = id(new PhabricatorAuthSSHKeyEditor())
	->setActor($viewer)
	->setContentSourceFromRequest($request)
	->applyTransactions($key, $xactions);

	$download_link = phutil_tag(
	'a',
	array(
	'href' => $file->getDownloadURI(),
	),
	array(
	id(new PHUIIconView())->setIcon('fa-download'),
	' ',
	pht('Download Private Key (%s)', $key_name),
	));
	$download_link = phutil_tag('strong', array(), $download_link);

	// NOTE: We're disabling workflow on cancel so the page reloads, showing
	// the new key.

	return $this->newDialog()
	->setTitle(pht('Download Private Key'))
	->appendParagraph(
	pht(
	'A keypair has been generated, and the public key has been '.
	'added as a recognized key.'))
	->appendParagraph($download_link)
	->appendParagraph(
	pht(
	'After you download the private key, it will be destroyed. '.
	'You will not be able to retrieve it if you lose your copy.'))
	->setDisableWorkflowOnCancel(true)
	->addCancelButton($cancel_uri, pht('Done'));
	}

	try {
	PhabricatorSSHKeyGenerator::assertCanGenerateKeypair();

	return $this->newDialog()
	->setTitle(pht('Generate New Keypair'))
	->addHiddenInput('objectPHID', $key->getObject()->getPHID())
	->appendParagraph(
	pht(
	'This workflow will generate a new SSH keypair, add the public '.
	'key, and let you download the private key.'))
	->appendParagraph(
	- pht('Phabricator will not retain a copy of the private key.'))
	+ pht('The private key will not be retained.'))
	->addSubmitButton(pht('Generate New Keypair'))
	->addCancelButton($cancel_uri);
	} catch (Exception $ex) {
	return $this->newDialog()
	->setTitle(pht('Unable to Generate Keys'))
	->appendParagraph($ex->getMessage())
	->addCancelButton($cancel_uri);
	}
	}

	}

File Metadata

Mime Type: text/x-diff
Expires: Sun, Jul 27, 11:58 AM (1 w, 7 h ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 185731
Default Alt Text: (77 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions