No OneTemporary
Actions

Size

89 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/auth/controller/PhabricatorAuthRegisterController.php b/src/applications/auth/controller/PhabricatorAuthRegisterController.php
	index 5a46d0e604..30aa770f30 100644
	--- a/src/applications/auth/controller/PhabricatorAuthRegisterController.php
	+++ b/src/applications/auth/controller/PhabricatorAuthRegisterController.php
	@@ -1,752 +1,751 @@
	<?php

	final class PhabricatorAuthRegisterController
	extends PhabricatorAuthController {

	public function shouldRequireLogin() {
	return false;
	}

	public function handleRequest(AphrontRequest $request) {
	$viewer = $this->getViewer();
	$account_key = $request->getURIData('akey');

	if ($viewer->isLoggedIn()) {
	return id(new AphrontRedirectResponse())->setURI('/');
	}

	$invite = $this->loadInvite();

	$is_setup = false;
	if (strlen($account_key)) {
	$result = $this->loadAccountForRegistrationOrLinking($account_key);
	list($account, $provider, $response) = $result;
	$is_default = false;
	} else if ($this->isFirstTimeSetup()) {
	$account = null;
	$provider = null;
	$response = null;
	$is_default = true;
	$is_setup = true;
	} else {
	list($account, $provider, $response) = $this->loadDefaultAccount($invite);
	$is_default = true;
	}

	if ($response) {
	return $response;
	}

	if (!$is_setup) {
	if (!$provider->shouldAllowRegistration()) {
	if ($invite) {
	// If the user has an invite, we allow them to register with any
	// provider, even a login-only provider.
	} else {
	// TODO: This is a routine error if you click "Login" on an external
	// auth source which doesn't allow registration. The error should be
	// more tailored.

	return $this->renderError(
	pht(
	'The account you are attempting to register with uses an '.
	'authentication provider ("%s") which does not allow '.
	'registration. An administrator may have recently disabled '.
	'registration with this provider.',
	$provider->getProviderName()));
	}
	}
	}

	$errors = array();

	$user = new PhabricatorUser();

	if ($is_setup) {
	$default_username = null;
	$default_realname = null;
	$default_email = null;
	} else {
	$default_username = $account->getUsername();
	$default_realname = $account->getRealName();
	$default_email = $account->getEmail();
	}

	$account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT;
	$content_source = PhabricatorContentSource::newFromRequest($request);

	if ($invite) {
	$default_email = $invite->getEmailAddress();
	}

	if ($default_email !== null) {
	if (!PhabricatorUserEmail::isValidAddress($default_email)) {
	$errors[] = pht(
	'The email address associated with this external account ("%s") is '.
	'not a valid email address and can not be used to register a '.
	'Phabricator account. Choose a different, valid address.',
	phutil_tag('strong', array(), $default_email));
	$default_email = null;
	}
	}

	if ($default_email !== null) {
	// We should bypass policy here because e.g. limiting an application use
	// to a subset of users should not allow the others to overwrite
	// configured application emails.
	$application_email = id(new PhabricatorMetaMTAApplicationEmailQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withAddresses(array($default_email))
	->executeOne();
	if ($application_email) {
	$errors[] = pht(
	'The email address associated with this account ("%s") is '.
	'already in use by an application and can not be used to '.
	'register a new Phabricator account. Choose a different, valid '.
	'address.',
	phutil_tag('strong', array(), $default_email));
	$default_email = null;
	}
	}

	$show_existing = null;
	if ($default_email !== null) {
	// If the account source provided an email, but it's not allowed by
	// the configuration, roadblock the user. Previously, we let the user
	// pick a valid email address instead, but this does not align well with
	// user expectation and it's not clear the cases it enables are valuable.
	// See discussion in T3472.
	if (!PhabricatorUserEmail::isAllowedAddress($default_email)) {
	$debug_email = new PHUIInvisibleCharacterView($default_email);
	return $this->renderError(
	array(
	pht(
	'The account you are attempting to register with has an invalid '.
	'email address (%s). This Phabricator install only allows '.
	'registration with specific email addresses:',
	$debug_email),
	phutil_tag('br'),
	phutil_tag('br'),
	PhabricatorUserEmail::describeAllowedAddresses(),
	));
	}

	// If the account source provided an email, but another account already
	// has that email, just pretend we didn't get an email.
	if ($default_email !== null) {
	$same_email = id(new PhabricatorUserEmail())->loadOneWhere(
	'address = %s',
	$default_email);
	if ($same_email) {
	if ($invite) {
	// We're allowing this to continue. The fact that we loaded the
	// invite means that the address is nonprimary and unverified and
	// we're OK to steal it.
	} else {
	$show_existing = $default_email;
	$default_email = null;
	}
	}
	}
	}

	if ($show_existing !== null) {
	if (!$request->getInt('phase')) {
	return $this->newDialog()
	->setTitle(pht('Email Address Already in Use'))
	->addHiddenInput('phase', 1)
	->appendParagraph(
	pht(
	'You are creating a new Phabricator account linked to an '.
	'existing external account from outside Phabricator.'))
	->appendParagraph(
	pht(
	'The email address ("%s") associated with the external account '.
	'is already in use by an existing Phabricator account. Multiple '.
	'Phabricator accounts may not have the same email address, so '.
	'you can not use this email address to register a new '.
	'Phabricator account.',
	phutil_tag('strong', array(), $show_existing)))
	->appendParagraph(
	pht(
	'If you want to register a new account, continue with this '.
	'registration workflow and choose a new, unique email address '.
	'for the new account.'))
	->appendParagraph(
	pht(
	'If you want to link an existing Phabricator account to this '.
	'external account, do not continue. Instead: log in to your '.
	'existing account, then go to "Settings" and link the account '.
	'in the "External Accounts" panel.'))
	->appendParagraph(
	pht(
	'If you continue, you will create a new account. You will not '.
	'be able to link this external account to an existing account.'))
	->addCancelButton('/auth/login/', pht('Cancel'))
	->addSubmitButton(pht('Create New Account'));
	} else {
	$errors[] = pht(
	'The external account you are registering with has an email address '.
	'that is already in use ("%s") by an existing Phabricator account. '.
	'Choose a new, valid email address to register a new Phabricator '.
	'account.',
	phutil_tag('strong', array(), $show_existing));
	}
	}

	$profile = id(new PhabricatorRegistrationProfile())
	->setDefaultUsername($default_username)
	->setDefaultEmail($default_email)
	->setDefaultRealName($default_realname)
	->setCanEditUsername(true)
	->setCanEditEmail(($default_email === null))
	->setCanEditRealName(true)
	->setShouldVerifyEmail(false);

	$event_type = PhabricatorEventType::TYPE_AUTH_WILLREGISTERUSER;
	$event_data = array(
	'account' => $account,
	'profile' => $profile,
	);

	$event = id(new PhabricatorEvent($event_type, $event_data))
	->setUser($user);
	PhutilEventEngine::dispatchEvent($event);

	$default_username = $profile->getDefaultUsername();
	$default_email = $profile->getDefaultEmail();
	$default_realname = $profile->getDefaultRealName();

	$can_edit_username = $profile->getCanEditUsername();
	$can_edit_email = $profile->getCanEditEmail();
	$can_edit_realname = $profile->getCanEditRealName();

	if ($is_setup) {
	$must_set_password = false;
	} else {
	$must_set_password = $provider->shouldRequireRegistrationPassword();
	}

	$can_edit_anything = $profile->getCanEditAnything() \|\| $must_set_password;
	$force_verify = $profile->getShouldVerifyEmail();

	// Automatically verify the administrator's email address during first-time
	// setup.
	if ($is_setup) {
	$force_verify = true;
	}

	$value_username = $default_username;
	$value_realname = $default_realname;
	$value_email = $default_email;
	$value_password = null;

	$require_real_name = PhabricatorEnv::getEnvConfig('user.require-real-name');

	$e_username = strlen($value_username) ? null : true;
	$e_realname = $require_real_name ? true : null;
	$e_email = strlen($value_email) ? null : true;
	$e_password = true;
	$e_captcha = true;

	$skip_captcha = false;
	if ($invite) {
	// If the user is accepting an invite, assume they're trustworthy enough
	// that we don't need to CAPTCHA them.
	$skip_captcha = true;
	}

	$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
	$min_len = (int)$min_len;

	$from_invite = $request->getStr('invite');
	if ($from_invite && $can_edit_username) {
	$value_username = $request->getStr('username');
	$e_username = null;
	}

	$try_register =
	($request->isFormPost() \|\| !$can_edit_anything) &&
	!$from_invite &&
	($request->getInt('phase') != 1);

	if ($try_register) {
	$errors = array();

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();

	if ($must_set_password && !$skip_captcha) {
	$e_captcha = pht('Again');

	$captcha_ok = AphrontFormRecaptchaControl::processCaptcha($request);
	if (!$captcha_ok) {
	$errors[] = pht('Captcha response is incorrect, try again.');
	$e_captcha = pht('Invalid');
	}
	}

	if ($can_edit_username) {
	$value_username = $request->getStr('username');
	if (!strlen($value_username)) {
	$e_username = pht('Required');
	$errors[] = pht('Username is required.');
	} else if (!PhabricatorUser::validateUsername($value_username)) {
	$e_username = pht('Invalid');
	$errors[] = PhabricatorUser::describeValidUsername();
	} else {
	$e_username = null;
	}
	}

	if ($must_set_password) {
	$value_password = $request->getStr('password');
	$value_confirm = $request->getStr('confirm');

	$password_envelope = new PhutilOpaqueEnvelope($value_password);
	$confirm_envelope = new PhutilOpaqueEnvelope($value_confirm);

	$engine = id(new PhabricatorAuthPasswordEngine())
	->setViewer($user)
	->setContentSource($content_source)
	->setPasswordType($account_type)
	->setObject($user);

	try {
	$engine->checkNewPassword($password_envelope, $confirm_envelope);
	$e_password = null;
	} catch (PhabricatorAuthPasswordException $ex) {
	$errors[] = $ex->getMessage();
	$e_password = $ex->getPasswordError();
	}
	}

	if ($can_edit_email) {
	$value_email = $request->getStr('email');
	if (!strlen($value_email)) {
	$e_email = pht('Required');
	$errors[] = pht('Email is required.');
	} else if (!PhabricatorUserEmail::isValidAddress($value_email)) {
	$e_email = pht('Invalid');
	$errors[] = PhabricatorUserEmail::describeValidAddresses();
	} else if (!PhabricatorUserEmail::isAllowedAddress($value_email)) {
	$e_email = pht('Disallowed');
	$errors[] = PhabricatorUserEmail::describeAllowedAddresses();
	} else {
	$e_email = null;
	}
	}

	if ($can_edit_realname) {
	$value_realname = $request->getStr('realName');
	if (!strlen($value_realname) && $require_real_name) {
	$e_realname = pht('Required');
	$errors[] = pht('Real name is required.');
	} else {
	$e_realname = null;
	}
	}

	if (!$errors) {
	if (!$is_setup) {
	$image = $this->loadProfilePicture($account);
	if ($image) {
	$user->setProfileImagePHID($image->getPHID());
	}
	}

	try {
	$verify_email = false;

	if ($force_verify) {
	$verify_email = true;
	}

	if (!$is_setup) {
	if ($value_email === $default_email) {
	if ($account->getEmailVerified()) {
	$verify_email = true;
	}

	if ($provider->shouldTrustEmails()) {
	$verify_email = true;
	}

	if ($invite) {
	$verify_email = true;
	}
	}
	}

	$email_obj = null;
	if ($invite) {
	// If we have a valid invite, this email may exist but be
	// nonprimary and unverified, so we'll reassign it.
	$email_obj = id(new PhabricatorUserEmail())->loadOneWhere(
	'address = %s',
	$value_email);
	}
	if (!$email_obj) {
	$email_obj = id(new PhabricatorUserEmail())
	->setAddress($value_email);
	}

	$email_obj->setIsVerified((int)$verify_email);

	$user->setUsername($value_username);
	$user->setRealname($value_realname);

	if ($is_setup) {
	$must_approve = false;
	} else if ($invite) {
	$must_approve = false;
	} else {
	$must_approve = PhabricatorEnv::getEnvConfig(
	'auth.require-approval');
	}

	if ($must_approve) {
	$user->setIsApproved(0);
	} else {
	$user->setIsApproved(1);
	}

	if ($invite) {
	$allow_reassign_email = true;
	} else {
	$allow_reassign_email = false;
	}

	$user->openTransaction();

	$editor = id(new PhabricatorUserEditor())
	->setActor($user);

	$editor->createNewUser($user, $email_obj, $allow_reassign_email);
	if ($must_set_password) {
	$password_object = PhabricatorAuthPassword::initializeNewPassword(
	$user,
	$account_type);

	$password_object
	->setPassword($password_envelope, $user)
	->save();
	}

	if ($is_setup) {
	$xactions = array();
	$xactions[] = id(new PhabricatorUserTransaction())
	->setTransactionType(
	PhabricatorUserEmpowerTransaction::TRANSACTIONTYPE)
	->setNewValue(true);

	$actor = PhabricatorUser::getOmnipotentUser();
	$content_source = PhabricatorContentSource::newFromRequest(
	$request);

	$people_application_phid = id(new PhabricatorPeopleApplication())
	->getPHID();

	$transaction_editor = id(new PhabricatorUserTransactionEditor())
	->setActor($actor)
	->setActingAsPHID($people_application_phid)
	->setContentSource($content_source)
	->setContinueOnMissingFields(true);

	$transaction_editor->applyTransactions($user, $xactions);
	}

	if (!$is_setup) {
	$account->setUserPHID($user->getPHID());
	- $provider->willRegisterAccount($account);
	$account->save();
	}

	$user->saveTransaction();

	if (!$email_obj->getIsVerified()) {
	$email_obj->sendVerificationEmail($user);
	}

	if ($must_approve) {
	$this->sendWaitingForApprovalEmail($user);
	}

	if ($invite) {
	$invite->setAcceptedByPHID($user->getPHID())->save();
	}

	return $this->loginUser($user);
	} catch (AphrontDuplicateKeyQueryException $exception) {
	$same_username = id(new PhabricatorUser())->loadOneWhere(
	'userName = %s',
	$user->getUserName());

	$same_email = id(new PhabricatorUserEmail())->loadOneWhere(
	'address = %s',
	$value_email);

	if ($same_username) {
	$e_username = pht('Duplicate');
	$errors[] = pht('Another user already has that username.');
	}

	if ($same_email) {
	// TODO: See T3340.
	$e_email = pht('Duplicate');
	$errors[] = pht('Another user already has that email.');
	}

	if (!$same_username && !$same_email) {
	throw $exception;
	}
	}
	}

	unset($unguarded);
	}

	$form = id(new AphrontFormView())
	->setUser($request->getUser())
	->addHiddenInput('phase', 2);

	if (!$is_default) {
	$form->appendChild(
	id(new AphrontFormMarkupControl())
	->setLabel(pht('External Account'))
	->setValue(
	id(new PhabricatorAuthAccountView())
	->setUser($request->getUser())
	->setExternalAccount($account)
	->setAuthProvider($provider)));
	}

	if ($can_edit_username) {
	$form->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Username'))
	->setName('username')
	->setValue($value_username)
	->setError($e_username));
	} else {
	$form->appendChild(
	id(new AphrontFormMarkupControl())
	->setLabel(pht('Username'))
	->setValue($value_username)
	->setError($e_username));
	}

	if ($can_edit_realname) {
	$form->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Real Name'))
	->setName('realName')
	->setValue($value_realname)
	->setError($e_realname));
	}

	if ($must_set_password) {
	$form->appendChild(
	id(new AphrontFormPasswordControl())
	->setLabel(pht('Password'))
	->setName('password')
	->setError($e_password));
	$form->appendChild(
	id(new AphrontFormPasswordControl())
	->setLabel(pht('Confirm Password'))
	->setName('confirm')
	->setError($e_password)
	->setCaption(
	$min_len
	? pht('Minimum length of %d characters.', $min_len)
	: null));
	}

	if ($can_edit_email) {
	$form->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Email'))
	->setName('email')
	->setValue($value_email)
	->setCaption(PhabricatorUserEmail::describeAllowedAddresses())
	->setError($e_email));
	}

	if ($must_set_password && !$skip_captcha) {
	$form->appendChild(
	id(new AphrontFormRecaptchaControl())
	->setLabel(pht('Captcha'))
	->setError($e_captcha));
	}

	$submit = id(new AphrontFormSubmitControl());

	if ($is_setup) {
	$submit
	->setValue(pht('Create Admin Account'));
	} else {
	$submit
	->addCancelButton($this->getApplicationURI('start/'))
	->setValue(pht('Register Account'));
	}


	$form->appendChild($submit);

	$crumbs = $this->buildApplicationCrumbs();

	if ($is_setup) {
	$crumbs->addTextCrumb(pht('Setup Admin Account'));
	$title = pht('Welcome to Phabricator');
	} else {
	$crumbs->addTextCrumb(pht('Register'));
	$crumbs->addTextCrumb($provider->getProviderName());
	$title = pht('Create a New Account');
	}
	$crumbs->setBorder(true);

	$welcome_view = null;
	if ($is_setup) {
	$welcome_view = id(new PHUIInfoView())
	->setSeverity(PHUIInfoView::SEVERITY_NOTICE)
	->setTitle(pht('Welcome to Phabricator'))
	->appendChild(
	pht(
	'Installation is complete. Register your administrator account '.
	'below to log in. You will be able to configure options and add '.
	'authentication mechanisms later on.'));
	}

	$object_box = id(new PHUIObjectBoxView())
	->setForm($form)
	->setFormErrors($errors);

	$invite_header = null;
	if ($invite) {
	$invite_header = $this->renderInviteHeader($invite);
	}

	$header = id(new PHUIHeaderView())
	->setHeader($title);

	$view = id(new PHUITwoColumnView())
	->setHeader($header)
	->setFooter(
	array(
	$welcome_view,
	$invite_header,
	$object_box,
	));

	return $this->newPage()
	->setTitle($title)
	->setCrumbs($crumbs)
	->appendChild($view);
	}

	private function loadDefaultAccount($invite) {
	$providers = PhabricatorAuthProvider::getAllEnabledProviders();
	$account = null;
	$provider = null;
	$response = null;

	foreach ($providers as $key => $candidate_provider) {
	if (!$invite) {
	if (!$candidate_provider->shouldAllowRegistration()) {
	unset($providers[$key]);
	continue;
	}
	}

	if (!$candidate_provider->isDefaultRegistrationProvider()) {
	unset($providers[$key]);
	}
	}

	if (!$providers) {
	$response = $this->renderError(
	pht(
	'There are no configured default registration providers.'));
	return array($account, $provider, $response);
	} else if (count($providers) > 1) {
	$response = $this->renderError(
	pht('There are too many configured default registration providers.'));
	return array($account, $provider, $response);
	}

	$provider = head($providers);
	$account = $provider->newDefaultExternalAccount();

	return array($account, $provider, $response);
	}

	private function loadProfilePicture(PhabricatorExternalAccount $account) {
	$phid = $account->getProfileImagePHID();
	if (!$phid) {
	return null;
	}

	// NOTE: Use of omnipotent user is okay here because the registering user
	// can not control the field value, and we can't use their user object to
	// do meaningful policy checks anyway since they have not registered yet.
	// Reaching this means the user holds the account secret key and the
	// registration secret key, and thus has permission to view the image.

	$file = id(new PhabricatorFileQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withPHIDs(array($phid))
	->executeOne();
	if (!$file) {
	return null;
	}

	$xform = PhabricatorFileTransform::getTransformByKey(
	PhabricatorFileThumbnailTransform::TRANSFORM_PROFILE);
	return $xform->executeTransform($file);
	}

	protected function renderError($message) {
	return $this->renderErrorPage(
	pht('Registration Failed'),
	array($message));
	}

	private function sendWaitingForApprovalEmail(PhabricatorUser $user) {
	$title = '[Phabricator] '.pht(
	'New User "%s" Awaiting Approval',
	$user->getUsername());

	$body = new PhabricatorMetaMTAMailBody();

	$body->addRawSection(
	pht(
	'Newly registered user "%s" is awaiting account approval by an '.
	'administrator.',
	$user->getUsername()));

	$body->addLinkSection(
	pht('APPROVAL QUEUE'),
	PhabricatorEnv::getProductionURI(
	'/people/query/approval/'));

	$body->addLinkSection(
	pht('DISABLE APPROVAL QUEUE'),
	PhabricatorEnv::getProductionURI(
	'/config/edit/auth.require-approval/'));

	$admins = id(new PhabricatorPeopleQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withIsAdmin(true)
	->execute();

	if (!$admins) {
	return;
	}

	$mail = id(new PhabricatorMetaMTAMail())
	->addTos(mpull($admins, 'getPHID'))
	->setSubject($title)
	->setBody($body->render())
	->saveAndSend();
	}

	}
	diff --git a/src/applications/auth/provider/PhabricatorAuthProvider.php b/src/applications/auth/provider/PhabricatorAuthProvider.php
	index 6ac6846148..01ed5ca8d0 100644
	--- a/src/applications/auth/provider/PhabricatorAuthProvider.php
	+++ b/src/applications/auth/provider/PhabricatorAuthProvider.php
	@@ -1,547 +1,577 @@
	<?php

	abstract class PhabricatorAuthProvider extends Phobject {

	private $providerConfig;

	public function attachProviderConfig(PhabricatorAuthProviderConfig $config) {
	$this->providerConfig = $config;
	return $this;
	}

	public function hasProviderConfig() {
	return (bool)$this->providerConfig;
	}

	public function getProviderConfig() {
	if ($this->providerConfig === null) {
	throw new PhutilInvalidStateException('attachProviderConfig');
	}
	return $this->providerConfig;
	}

	public function getConfigurationHelp() {
	return null;
	}

	public function getDefaultProviderConfig() {
	return id(new PhabricatorAuthProviderConfig())
	->setProviderClass(get_class($this))
	->setIsEnabled(1)
	->setShouldAllowLogin(1)
	->setShouldAllowRegistration(1)
	->setShouldAllowLink(1)
	->setShouldAllowUnlink(1);
	}

	public function getNameForCreate() {
	return $this->getProviderName();
	}

	public function getDescriptionForCreate() {
	return null;
	}

	public function getProviderKey() {
	return $this->getAdapter()->getAdapterKey();
	}

	public function getProviderType() {
	return $this->getAdapter()->getAdapterType();
	}

	public function getProviderDomain() {
	return $this->getAdapter()->getAdapterDomain();
	}

	public static function getAllBaseProviders() {
	return id(new PhutilClassMapQuery())
	->setAncestorClass(__CLASS__)
	->execute();
	}

	public static function getAllProviders() {
	static $providers;

	if ($providers === null) {
	$objects = self::getAllBaseProviders();

	$configs = id(new PhabricatorAuthProviderConfigQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->execute();

	$providers = array();
	foreach ($configs as $config) {
	if (!isset($objects[$config->getProviderClass()])) {
	// This configuration is for a provider which is not installed.
	continue;
	}

	$object = clone $objects[$config->getProviderClass()];
	$object->attachProviderConfig($config);

	$key = $object->getProviderKey();
	if (isset($providers[$key])) {
	throw new Exception(
	pht(
	"Two authentication providers use the same provider key ".
	"('%s'). Each provider must be identified by a unique key.",
	$key));
	}
	$providers[$key] = $object;
	}
	}

	return $providers;
	}

	public static function getAllEnabledProviders() {
	$providers = self::getAllProviders();
	foreach ($providers as $key => $provider) {
	if (!$provider->isEnabled()) {
	unset($providers[$key]);
	}
	}
	return $providers;
	}

	public static function getEnabledProviderByKey($provider_key) {
	return idx(self::getAllEnabledProviders(), $provider_key);
	}

	abstract public function getProviderName();
	abstract public function getAdapter();

	public function isEnabled() {
	return $this->getProviderConfig()->getIsEnabled();
	}

	public function shouldAllowLogin() {
	return $this->getProviderConfig()->getShouldAllowLogin();
	}

	public function shouldAllowRegistration() {
	if (!$this->shouldAllowLogin()) {
	return false;
	}

	return $this->getProviderConfig()->getShouldAllowRegistration();
	}

	public function shouldAllowAccountLink() {
	return $this->getProviderConfig()->getShouldAllowLink();
	}

	public function shouldAllowAccountUnlink() {
	return $this->getProviderConfig()->getShouldAllowUnlink();
	}

	public function shouldTrustEmails() {
	return $this->shouldAllowEmailTrustConfiguration() &&
	$this->getProviderConfig()->getShouldTrustEmails();
	}

	/**
	* Should we allow the adapter to be marked as "trusted". This is true for
	* all adapters except those that allow the user to type in emails (see
	* @{class:PhabricatorPasswordAuthProvider}).
	*/
	public function shouldAllowEmailTrustConfiguration() {
	return true;
	}

	public function buildLoginForm(PhabricatorAuthStartController $controller) {
	return $this->renderLoginForm($controller->getRequest(), $mode = 'start');
	}

	public function buildInviteForm(PhabricatorAuthStartController $controller) {
	return $this->renderLoginForm($controller->getRequest(), $mode = 'invite');
	}

	abstract public function processLoginRequest(
	PhabricatorAuthLoginController $controller);

	public function buildLinkForm($controller) {
	return $this->renderLoginForm($controller->getRequest(), $mode = 'link');
	}

	public function shouldAllowAccountRefresh() {
	return true;
	}

	public function buildRefreshForm(
	PhabricatorAuthLinkController $controller) {
	return $this->renderLoginForm($controller->getRequest(), $mode = 'refresh');
	}

	protected function renderLoginForm(AphrontRequest $request, $mode) {
	throw new PhutilMethodNotImplementedException();
	}

	public function createProviders() {
	return array($this);
	}

	protected function willSaveAccount(PhabricatorExternalAccount $account) {
	return;
	}

	- public function willRegisterAccount(PhabricatorExternalAccount $account) {
	- return;
	- }
	+ final protected function newExternalAccountForIdentifiers(
	+ array $identifiers) {

	- protected function loadOrCreateAccount(array $identifiers) {
	assert_instances_of($identifiers, 'PhabricatorExternalAccountIdentifier');

	if (!$identifiers) {
	throw new Exception(
	pht(
	'Authentication provider (of class "%s") is attempting to '.
	'load or create an external account, but provided no account '.
	'identifiers.',
	get_class($this)));
	}

	if (count($identifiers) !== 1) {
	throw new Exception(
	pht(
	'Unexpected number of account identifiers returned (by class "%s").',
	get_class($this)));
	}

	$config = $this->getProviderConfig();
	$viewer = PhabricatorUser::getOmnipotentUser();

	$raw_identifiers = mpull($identifiers, 'getIdentifierRaw');

	$accounts = id(new PhabricatorExternalAccountQuery())
	->setViewer($viewer)
	->withProviderConfigPHIDs(array($config->getPHID()))
	->withAccountIDs($raw_identifiers)
	->execute();
	if (!$accounts) {
	$account = $this->newExternalAccount()
	->setAccountID(head($raw_identifiers));
	} else if (count($accounts) === 1) {
	$account = head($accounts);
	} else {
	throw new Exception(
	pht(
	'Authentication provider (of class "%s") is attempting to load '.
	'or create an external account, but provided a list of '.
	'account identifiers which map to more than one account: %s.',
	get_class($this),
	implode(', ', $raw_identifiers)));
	}

	+ return $this->didUpdateAccount($account);
	+ }
	+
	+ final protected function newExternalAccountForUser(PhabricatorUser $user) {
	+ $config = $this->getProviderConfig();
	+
	+ // When a user logs in with a provider like username/password, they
	+ // always already have a Phabricator account (since there's no way they
	+ // could have a username otherwise).
	+
	+ // These users should never go to registration, so we're building a
	+ // dummy "external account" which just links directly back to their
	+ // internal account.
	+
	+ $account = id(new PhabricatorExternalAccountQuery())
	+ ->setViewer($user)
	+ ->withProviderConfigPHIDs(array($config->getPHID()))
	+ ->withUserPHIDs(array($user->getPHID()))
	+ ->executeOne();
	+ if (!$account) {
	+ $account = $this->newExternalAccount()
	+ ->setUserPHID($user->getPHID());
	+
	+ // TODO: Remove this when "accountID" is removed; the column is not
	+ // nullable.
	+ $account->setAccountID('');
	+ }
	+
	+ return $this->didUpdateAccount($account);
	+ }
	+
	+ private function didUpdateAccount(PhabricatorExternalAccount $account) {
	$adapter = $this->getAdapter();

	$account->setUsername($adapter->getAccountName());
	$account->setRealName($adapter->getAccountRealName());
	$account->setEmail($adapter->getAccountEmail());
	$account->setAccountURI($adapter->getAccountURI());

	$account->setProfileImagePHID(null);
	$image_uri = $adapter->getAccountImageURI();
	if ($image_uri) {
	try {
	$name = PhabricatorSlug::normalize($this->getProviderName());
	$name = $name.'-profile.jpg';

	// TODO: If the image has not changed, we do not need to make a new
	// file entry for it, but there's no convenient way to do this with
	// PhabricatorFile right now. The storage will get shared, so the impact
	// here is negligible.

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$image_file = PhabricatorFile::newFromFileDownload(
	$image_uri,
	array(
	'name' => $name,
	'viewPolicy' => PhabricatorPolicies::POLICY_NOONE,
	));
	if ($image_file->isViewableImage()) {
	$image_file
	->setViewPolicy(PhabricatorPolicies::getMostOpenPolicy())
	->setCanCDN(true)
	->save();
	$account->setProfileImagePHID($image_file->getPHID());
	} else {
	$image_file->delete();
	}
	unset($unguarded);

	} catch (Exception $ex) {
	// Log this but proceed, it's not especially important that we
	// be able to pull profile images.
	phlog($ex);
	}
	}

	$this->willSaveAccount($account);

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$account->save();
	unset($unguarded);

	return $account;
	}

	public function getLoginURI() {
	$app = PhabricatorApplication::getByClass('PhabricatorAuthApplication');
	return $app->getApplicationURI('/login/'.$this->getProviderKey().'/');
	}

	public function getSettingsURI() {
	return '/settings/panel/external/';
	}

	public function getStartURI() {
	$app = PhabricatorApplication::getByClass('PhabricatorAuthApplication');
	$uri = $app->getApplicationURI('/start/');
	return $uri;
	}

	public function isDefaultRegistrationProvider() {
	return false;
	}

	public function shouldRequireRegistrationPassword() {
	return false;
	}

	public function newDefaultExternalAccount() {
	return $this->newExternalAccount();
	}

	protected function newExternalAccount() {
	$config = $this->getProviderConfig();
	$adapter = $this->getAdapter();

	return id(new PhabricatorExternalAccount())
	->setAccountType($adapter->getAdapterType())
	->setAccountDomain($adapter->getAdapterDomain())
	->setProviderConfigPHID($config->getPHID());
	}

	public function getLoginOrder() {
	return '500-'.$this->getProviderName();
	}

	protected function getLoginIcon() {
	return 'Generic';
	}

	public function newIconView() {
	return id(new PHUIIconView())
	->setSpriteSheet(PHUIIconView::SPRITE_LOGIN)
	->setSpriteIcon($this->getLoginIcon());
	}

	public function isLoginFormAButton() {
	return false;
	}

	public function renderConfigPropertyTransactionTitle(
	PhabricatorAuthProviderConfigTransaction $xaction) {

	return null;
	}

	public function readFormValuesFromProvider() {
	return array();
	}

	public function readFormValuesFromRequest(AphrontRequest $request) {
	return array();
	}

	public function processEditForm(
	AphrontRequest $request,
	array $values) {

	$errors = array();
	$issues = array();

	return array($errors, $issues, $values);
	}

	public function extendEditForm(
	AphrontRequest $request,
	AphrontFormView $form,
	array $values,
	array $issues) {

	return;
	}

	public function willRenderLinkedAccount(
	PhabricatorUser $viewer,
	PHUIObjectItemView $item,
	PhabricatorExternalAccount $account) {

	$account_view = id(new PhabricatorAuthAccountView())
	->setExternalAccount($account)
	->setAuthProvider($this);

	$item->appendChild(
	phutil_tag(
	'div',
	array(
	'class' => 'mmr mml mst mmb',
	),
	$account_view));
	}

	/**
	* Return true to use a two-step configuration (setup, configure) instead of
	* the default single-step configuration. In practice, this means that
	* creating a new provider instance will redirect back to the edit page
	* instead of the provider list.
	*
	* @return bool True if this provider uses two-step configuration.
	*/
	public function hasSetupStep() {
	return false;
	}

	/**
	* Render a standard login/register button element.
	*
	* The `$attributes` parameter takes these keys:
	*
	* - `uri`: URI the button should take the user to when clicked.
	* - `method`: Optional HTTP method the button should use, defaults to GET.
	*
	* @param AphrontRequest HTTP request.
	* @param string Request mode string.
	* @param map Additional parameters, see above.
	* @return wild Log in button.
	*/
	protected function renderStandardLoginButton(
	AphrontRequest $request,
	$mode,
	array $attributes = array()) {

	PhutilTypeSpec::checkMap(
	$attributes,
	array(
	'method' => 'optional string',
	'uri' => 'string',
	'sigil' => 'optional string',
	));

	$viewer = $request->getUser();
	$adapter = $this->getAdapter();

	if ($mode == 'link') {
	$button_text = pht('Link External Account');
	} else if ($mode == 'refresh') {
	$button_text = pht('Refresh Account Link');
	} else if ($mode == 'invite') {
	$button_text = pht('Register Account');
	} else if ($this->shouldAllowRegistration()) {
	$button_text = pht('Log In or Register');
	} else {
	$button_text = pht('Log In');
	}

	$icon = id(new PHUIIconView())
	->setSpriteSheet(PHUIIconView::SPRITE_LOGIN)
	->setSpriteIcon($this->getLoginIcon());

	$button = id(new PHUIButtonView())
	->setSize(PHUIButtonView::BIG)
	->setColor(PHUIButtonView::GREY)
	->setIcon($icon)
	->setText($button_text)
	->setSubtext($this->getProviderName());

	$uri = $attributes['uri'];
	$uri = new PhutilURI($uri);
	$params = $uri->getQueryParamsAsPairList();
	$uri->removeAllQueryParams();

	$content = array($button);

	foreach ($params as $pair) {
	list($key, $value) = $pair;
	$content[] = phutil_tag(
	'input',
	array(
	'type' => 'hidden',
	'name' => $key,
	'value' => $value,
	));
	}

	$static_response = CelerityAPI::getStaticResourceResponse();
	$static_response->addContentSecurityPolicyURI('form-action', (string)$uri);

	foreach ($this->getContentSecurityPolicyFormActions() as $csp_uri) {
	$static_response->addContentSecurityPolicyURI('form-action', $csp_uri);
	}

	return phabricator_form(
	$viewer,
	array(
	'method' => idx($attributes, 'method', 'GET'),
	'action' => (string)$uri,
	'sigil' => idx($attributes, 'sigil'),
	),
	$content);
	}

	public function renderConfigurationFooter() {
	return null;
	}

	public function getAuthCSRFCode(AphrontRequest $request) {
	$phcid = $request->getCookie(PhabricatorCookies::COOKIE_CLIENTID);
	if (!strlen($phcid)) {
	throw new AphrontMalformedRequestException(
	pht('Missing Client ID Cookie'),
	pht(
	'Your browser did not submit a "%s" cookie with client state '.
	'information in the request. Check that cookies are enabled. '.
	'If this problem persists, you may need to clear your cookies.',
	PhabricatorCookies::COOKIE_CLIENTID),
	true);
	}

	return PhabricatorHash::weakDigest($phcid);
	}

	protected function verifyAuthCSRFCode(AphrontRequest $request, $actual) {
	$expect = $this->getAuthCSRFCode($request);

	if (!strlen($actual)) {
	throw new Exception(
	pht(
	'The authentication provider did not return a client state '.
	'parameter in its response, but one was expected. If this '.
	'problem persists, you may need to clear your cookies.'));
	}

	if (!phutil_hashes_are_identical($actual, $expect)) {
	throw new Exception(
	pht(
	'The authentication provider did not return the correct client '.
	'state parameter in its response. If this problem persists, you may '.
	'need to clear your cookies.'));
	}
	}

	public function supportsAutoLogin() {
	return false;
	}

	public function getAutoLoginURI(AphrontRequest $request) {
	throw new PhutilMethodNotImplementedException();
	}

	protected function getContentSecurityPolicyFormActions() {
	return array();
	}

	}
	diff --git a/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php b/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php
	index 1132f99857..c899caca71 100644
	--- a/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php
	+++ b/src/applications/auth/provider/PhabricatorLDAPAuthProvider.php
	@@ -1,494 +1,496 @@
	<?php

	final class PhabricatorLDAPAuthProvider extends PhabricatorAuthProvider {

	private $adapter;

	public function getProviderName() {
	return pht('LDAP');
	}

	public function getDescriptionForCreate() {
	return pht(
	'Configure a connection to an LDAP server so that users can use their '.
	'LDAP credentials to log in to Phabricator.');
	}

	public function getDefaultProviderConfig() {
	return parent::getDefaultProviderConfig()
	->setProperty(self::KEY_PORT, 389)
	->setProperty(self::KEY_VERSION, 3);
	}

	public function getAdapter() {
	if (!$this->adapter) {
	$conf = $this->getProviderConfig();

	$realname_attributes = $conf->getProperty(self::KEY_REALNAME_ATTRIBUTES);
	if (!is_array($realname_attributes)) {
	$realname_attributes = array();
	}

	$search_attributes = $conf->getProperty(self::KEY_SEARCH_ATTRIBUTES);
	$search_attributes = phutil_split_lines($search_attributes, false);
	$search_attributes = array_filter($search_attributes);

	$adapter = id(new PhutilLDAPAuthAdapter())
	->setHostname(
	$conf->getProperty(self::KEY_HOSTNAME))
	->setPort(
	$conf->getProperty(self::KEY_PORT))
	->setBaseDistinguishedName(
	$conf->getProperty(self::KEY_DISTINGUISHED_NAME))
	->setSearchAttributes($search_attributes)
	->setUsernameAttribute(
	$conf->getProperty(self::KEY_USERNAME_ATTRIBUTE))
	->setRealNameAttributes($realname_attributes)
	->setLDAPVersion(
	$conf->getProperty(self::KEY_VERSION))
	->setLDAPReferrals(
	$conf->getProperty(self::KEY_REFERRALS))
	->setLDAPStartTLS(
	$conf->getProperty(self::KEY_START_TLS))
	->setAlwaysSearch($conf->getProperty(self::KEY_ALWAYS_SEARCH))
	->setAnonymousUsername(
	$conf->getProperty(self::KEY_ANONYMOUS_USERNAME))
	->setAnonymousPassword(
	new PhutilOpaqueEnvelope(
	$conf->getProperty(self::KEY_ANONYMOUS_PASSWORD)))
	->setActiveDirectoryDomain(
	$conf->getProperty(self::KEY_ACTIVEDIRECTORY_DOMAIN));
	$this->adapter = $adapter;
	}
	return $this->adapter;
	}

	protected function renderLoginForm(AphrontRequest $request, $mode) {
	$viewer = $request->getUser();

	$dialog = id(new AphrontDialogView())
	->setSubmitURI($this->getLoginURI())
	->setUser($viewer);

	if ($mode == 'link') {
	$dialog->setTitle(pht('Link LDAP Account'));
	$dialog->addSubmitButton(pht('Link Accounts'));
	$dialog->addCancelButton($this->getSettingsURI());
	} else if ($mode == 'refresh') {
	$dialog->setTitle(pht('Refresh LDAP Account'));
	$dialog->addSubmitButton(pht('Refresh Account'));
	$dialog->addCancelButton($this->getSettingsURI());
	} else {
	if ($this->shouldAllowRegistration()) {
	$dialog->setTitle(pht('Log In or Register with LDAP'));
	$dialog->addSubmitButton(pht('Log In or Register'));
	} else {
	$dialog->setTitle(pht('Log In with LDAP'));
	$dialog->addSubmitButton(pht('Log In'));
	}
	if ($mode == 'login') {
	$dialog->addCancelButton($this->getStartURI());
	}
	}

	$v_user = $request->getStr('ldap_username');

	$e_user = null;
	$e_pass = null;

	$errors = array();
	if ($request->isHTTPPost()) {
	// NOTE: This is intentionally vague so as not to disclose whether a
	// given username exists.
	$e_user = pht('Invalid');
	$e_pass = pht('Invalid');
	$errors[] = pht('Username or password are incorrect.');
	}

	$form = id(new PHUIFormLayoutView())
	->setUser($viewer)
	->setFullWidth(true)
	->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('LDAP Username'))
	->setName('ldap_username')
	->setAutofocus(true)
	->setValue($v_user)
	->setError($e_user))
	->appendChild(
	id(new AphrontFormPasswordControl())
	->setLabel(pht('LDAP Password'))
	->setName('ldap_password')
	->setError($e_pass));

	if ($errors) {
	$errors = id(new PHUIInfoView())->setErrors($errors);
	}

	$dialog->appendChild($errors);
	$dialog->appendChild($form);


	return $dialog;
	}

	public function processLoginRequest(
	PhabricatorAuthLoginController $controller) {

	$request = $controller->getRequest();
	$viewer = $request->getUser();
	$response = null;
	$account = null;

	$username = $request->getStr('ldap_username');
	$password = $request->getStr('ldap_password');
	$has_password = strlen($password);
	$password = new PhutilOpaqueEnvelope($password);

	if (!strlen($username) \|\| !$has_password) {
	$response = $controller->buildProviderPageResponse(
	$this,
	$this->renderLoginForm($request, 'login'));
	return array($account, $response);
	}

	if ($request->isFormPost()) {
	try {
	if (strlen($username) && $has_password) {
	$adapter = $this->getAdapter();
	$adapter->setLoginUsername($username);
	$adapter->setLoginPassword($password);

	// TODO: This calls ldap_bind() eventually, which dumps cleartext
	// passwords to the error log. See note in PhutilLDAPAuthAdapter.
	// See T3351.

	DarkConsoleErrorLogPluginAPI::enableDiscardMode();
	$identifiers = $adapter->getAccountIdentifiers();
	DarkConsoleErrorLogPluginAPI::disableDiscardMode();
	} else {
	throw new Exception(pht('Username and password are required!'));
	}
	} catch (PhutilAuthCredentialException $ex) {
	$response = $controller->buildProviderPageResponse(
	$this,
	$this->renderLoginForm($request, 'login'));
	return array($account, $response);
	} catch (Exception $ex) {
	// TODO: Make this cleaner.
	throw $ex;
	}
	}

	- return array($this->loadOrCreateAccount($identifiers), $response);
	+ $account = $this->newExternalAccountForIdentifiers($identifiers);
	+
	+ return array($account, $response);
	}


	const KEY_HOSTNAME = 'ldap:host';
	const KEY_PORT = 'ldap:port';
	const KEY_DISTINGUISHED_NAME = 'ldap:dn';
	const KEY_SEARCH_ATTRIBUTES = 'ldap:search-attribute';
	const KEY_USERNAME_ATTRIBUTE = 'ldap:username-attribute';
	const KEY_REALNAME_ATTRIBUTES = 'ldap:realname-attributes';
	const KEY_VERSION = 'ldap:version';
	const KEY_REFERRALS = 'ldap:referrals';
	const KEY_START_TLS = 'ldap:start-tls';
	// TODO: This is misspelled! See T13005.
	const KEY_ANONYMOUS_USERNAME = 'ldap:anoynmous-username';
	const KEY_ANONYMOUS_PASSWORD = 'ldap:anonymous-password';
	const KEY_ALWAYS_SEARCH = 'ldap:always-search';
	const KEY_ACTIVEDIRECTORY_DOMAIN = 'ldap:activedirectory-domain';

	private function getPropertyKeys() {
	return array_keys($this->getPropertyLabels());
	}

	private function getPropertyLabels() {
	return array(
	self::KEY_HOSTNAME => pht('LDAP Hostname'),
	self::KEY_PORT => pht('LDAP Port'),
	self::KEY_DISTINGUISHED_NAME => pht('Base Distinguished Name'),
	self::KEY_SEARCH_ATTRIBUTES => pht('Search Attributes'),
	self::KEY_ALWAYS_SEARCH => pht('Always Search'),
	self::KEY_ANONYMOUS_USERNAME => pht('Anonymous Username'),
	self::KEY_ANONYMOUS_PASSWORD => pht('Anonymous Password'),
	self::KEY_USERNAME_ATTRIBUTE => pht('Username Attribute'),
	self::KEY_REALNAME_ATTRIBUTES => pht('Realname Attributes'),
	self::KEY_VERSION => pht('LDAP Version'),
	self::KEY_REFERRALS => pht('Enable Referrals'),
	self::KEY_START_TLS => pht('Use TLS'),
	self::KEY_ACTIVEDIRECTORY_DOMAIN => pht('ActiveDirectory Domain'),
	);
	}

	public function readFormValuesFromProvider() {
	$properties = array();
	foreach ($this->getPropertyLabels() as $key => $ignored) {
	$properties[$key] = $this->getProviderConfig()->getProperty($key);
	}
	return $properties;
	}

	public function readFormValuesFromRequest(AphrontRequest $request) {
	$values = array();
	foreach ($this->getPropertyKeys() as $key) {
	switch ($key) {
	case self::KEY_REALNAME_ATTRIBUTES:
	$values[$key] = $request->getStrList($key, array());
	break;
	default:
	$values[$key] = $request->getStr($key);
	break;
	}
	}

	return $values;
	}

	public function processEditForm(
	AphrontRequest $request,
	array $values) {
	$errors = array();
	$issues = array();
	return array($errors, $issues, $values);
	}

	public static function assertLDAPExtensionInstalled() {
	if (!function_exists('ldap_bind')) {
	throw new Exception(
	pht(
	'Before you can set up or use LDAP, you need to install the PHP '.
	'LDAP extension. It is not currently installed, so PHP can not '.
	'talk to LDAP. Usually you can install it with '.
	'`%s`, `%s`, or a similar package manager command.',
	'yum install php-ldap',
	'apt-get install php5-ldap'));
	}
	}

	public function extendEditForm(
	AphrontRequest $request,
	AphrontFormView $form,
	array $values,
	array $issues) {

	self::assertLDAPExtensionInstalled();

	$labels = $this->getPropertyLabels();

	$captions = array(
	self::KEY_HOSTNAME =>
	pht('Example: %s%sFor LDAPS, use: %s',
	phutil_tag('tt', array(), pht('ldap.example.com')),
	phutil_tag('br'),
	phutil_tag('tt', array(), pht('ldaps://ldaps.example.com/'))),
	self::KEY_DISTINGUISHED_NAME =>
	pht('Example: %s',
	phutil_tag('tt', array(), pht('ou=People, dc=example, dc=com'))),
	self::KEY_USERNAME_ATTRIBUTE =>
	pht('Example: %s',
	phutil_tag('tt', array(), pht('sn'))),
	self::KEY_REALNAME_ATTRIBUTES =>
	pht('Example: %s',
	phutil_tag('tt', array(), pht('firstname, lastname'))),
	self::KEY_REFERRALS =>
	pht('Follow referrals. Disable this for Windows AD 2003.'),
	self::KEY_START_TLS =>
	pht('Start TLS after binding to the LDAP server.'),
	self::KEY_ALWAYS_SEARCH =>
	pht('Always bind and search, even without a username and password.'),
	);

	$types = array(
	self::KEY_REFERRALS => 'checkbox',
	self::KEY_START_TLS => 'checkbox',
	self::KEY_SEARCH_ATTRIBUTES => 'textarea',
	self::KEY_REALNAME_ATTRIBUTES => 'list',
	self::KEY_ANONYMOUS_PASSWORD => 'password',
	self::KEY_ALWAYS_SEARCH => 'checkbox',
	);

	$instructions = array(
	self::KEY_SEARCH_ATTRIBUTES => pht(
	"When a user types their LDAP username and password into Phabricator, ".
	"Phabricator can either bind to LDAP with those credentials directly ".
	"(which is simpler, but not as powerful) or bind to LDAP with ".
	"anonymous credentials, then search for record matching the supplied ".
	"credentials (which is more complicated, but more powerful).\n\n".
	"For many installs, direct binding is sufficient. However, you may ".
	"want to search first if:\n\n".
	" - You want users to be able to log in with either their username ".
	" or their email address.\n".
	" - The login/username is not part of the distinguished name in ".
	" your LDAP records.\n".
	" - You want to restrict logins to a subset of users (like only ".
	" those in certain departments).\n".
	" - Your LDAP server is configured in some other way that prevents ".
	" direct binding from working correctly.\n\n".
	"To bind directly, enter the LDAP attribute corresponding to the ".
	"login name into the Search Attributes box below. Often, this is ".
	"something like `sn` or `uid`. This is the simplest configuration, ".
	"but will only work if the username is part of the distinguished ".
	"name, and won't let you apply complex restrictions to logins.\n\n".
	" lang=text,name=Simple Direct Binding\n".
	" sn\n\n".
	"To search first, provide an anonymous username and password ".
	"below (or check the Always Search checkbox), then enter one ".
	"or more search queries into this field, one per line. ".
	"After binding, these queries will be used to identify the ".
	"record associated with the login name the user typed.\n\n".
	"Searches will be tried in order until a matching record is found. ".
	"Each query can be a simple attribute name (like `sn` or `mail`), ".
	"which will search for a matching record, or it can be a complex ".
	"query that uses the string `\${login}` to represent the login ".
	"name.\n\n".
	"A common simple configuration is just an attribute name, like ".
	"`sn`, which will work the same way direct binding works:\n\n".
	" lang=text,name=Simple Example\n".
	" sn\n\n".
	"A slightly more complex configuration might let the user log in with ".
	"either their login name or email address:\n\n".
	" lang=text,name=Match Several Attributes\n".
	" mail\n".
	" sn\n\n".
	"If your LDAP directory is more complex, or you want to perform ".
	"sophisticated filtering, you can use more complex queries. Depending ".
	"on your directory structure, this example might allow users to log ".
	"in with either their email address or username, but only if they're ".
	"in specific departments:\n\n".
	" lang=text,name=Complex Example\n".
	" (&(mail=\${login})(\|(departmentNumber=1)(departmentNumber=2)))\n".
	" (&(sn=\${login})(\|(departmentNumber=1)(departmentNumber=2)))\n\n".
	"All of the attribute names used here are just examples: your LDAP ".
	"server may use different attribute names."),
	self::KEY_ALWAYS_SEARCH => pht(
	'To search for an LDAP record before authenticating, either check '.
	'the Always Search checkbox or enter an anonymous '.
	'username and password to use to perform the search.'),
	self::KEY_USERNAME_ATTRIBUTE => pht(
	'Optionally, specify a username attribute to use to prefill usernames '.
	'when registering a new account. This is purely cosmetic and does not '.
	'affect the login process, but you can configure it to make sure '.
	'users get the same default username as their LDAP username, so '.
	'usernames remain consistent across systems.'),
	self::KEY_REALNAME_ATTRIBUTES => pht(
	'Optionally, specify one or more comma-separated attributes to use to '.
	'prefill the "Real Name" field when registering a new account. This '.
	'is purely cosmetic and does not affect the login process, but can '.
	'make registration a little easier.'),
	);

	foreach ($labels as $key => $label) {
	$caption = idx($captions, $key);
	$type = idx($types, $key);
	$value = idx($values, $key);

	$control = null;
	switch ($type) {
	case 'checkbox':
	$control = id(new AphrontFormCheckboxControl())
	->addCheckbox(
	$key,
	1,
	hsprintf('<strong>%s:</strong> %s', $label, $caption),
	$value);
	break;
	case 'list':
	$control = id(new AphrontFormTextControl())
	->setName($key)
	->setLabel($label)
	->setCaption($caption)
	->setValue($value ? implode(', ', $value) : null);
	break;
	case 'password':
	$control = id(new AphrontFormPasswordControl())
	->setName($key)
	->setLabel($label)
	->setCaption($caption)
	->setDisableAutocomplete(true)
	->setValue($value);
	break;
	case 'textarea':
	$control = id(new AphrontFormTextAreaControl())
	->setName($key)
	->setLabel($label)
	->setCaption($caption)
	->setValue($value);
	break;
	default:
	$control = id(new AphrontFormTextControl())
	->setName($key)
	->setLabel($label)
	->setCaption($caption)
	->setValue($value);
	break;
	}

	$instruction_text = idx($instructions, $key);
	if (strlen($instruction_text)) {
	$form->appendRemarkupInstructions($instruction_text);
	}

	$form->appendChild($control);
	}
	}

	public function renderConfigPropertyTransactionTitle(
	PhabricatorAuthProviderConfigTransaction $xaction) {

	$author_phid = $xaction->getAuthorPHID();
	$old = $xaction->getOldValue();
	$new = $xaction->getNewValue();
	$key = $xaction->getMetadataValue(
	PhabricatorAuthProviderConfigTransaction::PROPERTY_KEY);

	$labels = $this->getPropertyLabels();
	if (isset($labels[$key])) {
	$label = $labels[$key];

	$mask = false;
	switch ($key) {
	case self::KEY_ANONYMOUS_PASSWORD:
	$mask = true;
	break;
	}

	if ($mask) {
	return pht(
	'%s updated the "%s" value.',
	$xaction->renderHandleLink($author_phid),
	$label);
	}

	if ($old === null \|\| $old === '') {
	return pht(
	'%s set the "%s" value to "%s".',
	$xaction->renderHandleLink($author_phid),
	$label,
	$new);
	} else {
	return pht(
	'%s changed the "%s" value from "%s" to "%s".',
	$xaction->renderHandleLink($author_phid),
	$label,
	$old,
	$new);
	}
	}

	return parent::renderConfigPropertyTransactionTitle($xaction);
	}

	public static function getLDAPProvider() {
	$providers = self::getAllEnabledProviders();

	foreach ($providers as $provider) {
	if ($provider instanceof PhabricatorLDAPAuthProvider) {
	return $provider;
	}
	}

	return null;
	}

	}
	diff --git a/src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php b/src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php
	index 2e603162c3..ef1991e8d7 100644
	--- a/src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php
	+++ b/src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php
	@@ -1,283 +1,285 @@
	<?php

	abstract class PhabricatorOAuth1AuthProvider
	extends PhabricatorOAuthAuthProvider {

	protected $adapter;

	const PROPERTY_CONSUMER_KEY = 'oauth1:consumer:key';
	const PROPERTY_CONSUMER_SECRET = 'oauth1:consumer:secret';
	const PROPERTY_PRIVATE_KEY = 'oauth1:private:key';

	protected function getIDKey() {
	return self::PROPERTY_CONSUMER_KEY;
	}

	protected function getSecretKey() {
	return self::PROPERTY_CONSUMER_SECRET;
	}

	protected function configureAdapter(PhutilOAuth1AuthAdapter $adapter) {
	$config = $this->getProviderConfig();
	$adapter->setConsumerKey($config->getProperty(self::PROPERTY_CONSUMER_KEY));
	$secret = $config->getProperty(self::PROPERTY_CONSUMER_SECRET);
	if (strlen($secret)) {
	$adapter->setConsumerSecret(new PhutilOpaqueEnvelope($secret));
	}
	$adapter->setCallbackURI(PhabricatorEnv::getURI($this->getLoginURI()));
	return $adapter;
	}

	protected function renderLoginForm(AphrontRequest $request, $mode) {
	$attributes = array(
	'method' => 'POST',
	'uri' => $this->getLoginURI(),
	);
	return $this->renderStandardLoginButton($request, $mode, $attributes);
	}

	public function processLoginRequest(
	PhabricatorAuthLoginController $controller) {

	$request = $controller->getRequest();
	$adapter = $this->getAdapter();
	$account = null;
	$response = null;

	if ($request->isHTTPPost()) {
	// Add a CSRF code to the callback URI, which we'll verify when
	// performing the login.

	$client_code = $this->getAuthCSRFCode($request);

	$callback_uri = $adapter->getCallbackURI();
	$callback_uri = $callback_uri.$client_code.'/';
	$adapter->setCallbackURI($callback_uri);

	$uri = $adapter->getClientRedirectURI();

	$this->saveHandshakeTokenSecret(
	$client_code,
	$adapter->getTokenSecret());

	$response = id(new AphrontRedirectResponse())
	->setIsExternal(true)
	->setURI($uri);
	return array($account, $response);
	}

	$denied = $request->getStr('denied');
	if (strlen($denied)) {
	// Twitter indicates that the user cancelled the login attempt by
	// returning "denied" as a parameter.
	throw new PhutilAuthUserAbortedException();
	}

	// NOTE: You can get here via GET, this should probably be a bit more
	// user friendly.

	$this->verifyAuthCSRFCode($request, $controller->getExtraURIData());

	$token = $request->getStr('oauth_token');
	$verifier = $request->getStr('oauth_verifier');

	if (!$token) {
	throw new Exception(pht("Expected '%s' in request!", 'oauth_token'));
	}

	if (!$verifier) {
	throw new Exception(pht("Expected '%s' in request!", 'oauth_verifier'));
	}

	$adapter->setToken($token);
	$adapter->setVerifier($verifier);

	$client_code = $this->getAuthCSRFCode($request);
	$token_secret = $this->loadHandshakeTokenSecret($client_code);
	$adapter->setTokenSecret($token_secret);

	// NOTE: As a side effect, this will cause the OAuth adapter to request
	// an access token.

	try {
	$identifiers = $adapter->getAccountIdentifiers();
	} catch (Exception $ex) {
	// TODO: Handle this in a more user-friendly way.
	throw $ex;
	}

	if (!$identifiers) {
	$response = $controller->buildProviderErrorResponse(
	$this,
	pht(
	'The OAuth provider failed to retrieve an account ID.'));

	return array($account, $response);
	}

	- return array($this->loadOrCreateAccount($identifiers), $response);
	+ $account = $this->newExternalAccountForIdentifiers($identifiers);
	+
	+ return array($account, $response);
	}

	public function processEditForm(
	AphrontRequest $request,
	array $values) {

	$key_ckey = self::PROPERTY_CONSUMER_KEY;
	$key_csecret = self::PROPERTY_CONSUMER_SECRET;

	return $this->processOAuthEditForm(
	$request,
	$values,
	pht('Consumer key is required.'),
	pht('Consumer secret is required.'));
	}

	public function extendEditForm(
	AphrontRequest $request,
	AphrontFormView $form,
	array $values,
	array $issues) {

	return $this->extendOAuthEditForm(
	$request,
	$form,
	$values,
	$issues,
	pht('OAuth Consumer Key'),
	pht('OAuth Consumer Secret'));
	}

	public function renderConfigPropertyTransactionTitle(
	PhabricatorAuthProviderConfigTransaction $xaction) {

	$author_phid = $xaction->getAuthorPHID();
	$old = $xaction->getOldValue();
	$new = $xaction->getNewValue();
	$key = $xaction->getMetadataValue(
	PhabricatorAuthProviderConfigTransaction::PROPERTY_KEY);

	switch ($key) {
	case self::PROPERTY_CONSUMER_KEY:
	if (strlen($old)) {
	return pht(
	'%s updated the OAuth consumer key for this provider from '.
	'"%s" to "%s".',
	$xaction->renderHandleLink($author_phid),
	$old,
	$new);
	} else {
	return pht(
	'%s set the OAuth consumer key for this provider to '.
	'"%s".',
	$xaction->renderHandleLink($author_phid),
	$new);
	}
	case self::PROPERTY_CONSUMER_SECRET:
	if (strlen($old)) {
	return pht(
	'%s updated the OAuth consumer secret for this provider.',
	$xaction->renderHandleLink($author_phid));
	} else {
	return pht(
	'%s set the OAuth consumer secret for this provider.',
	$xaction->renderHandleLink($author_phid));
	}
	}

	return parent::renderConfigPropertyTransactionTitle($xaction);
	}

	protected function synchronizeOAuthAccount(
	PhabricatorExternalAccount $account) {
	$adapter = $this->getAdapter();

	$oauth_token = $adapter->getToken();
	$oauth_token_secret = $adapter->getTokenSecret();

	$account->setProperty('oauth1.token', $oauth_token);
	$account->setProperty('oauth1.token.secret', $oauth_token_secret);
	}

	public function willRenderLinkedAccount(
	PhabricatorUser $viewer,
	PHUIObjectItemView $item,
	PhabricatorExternalAccount $account) {

	$item->addAttribute(pht('OAuth1 Account'));

	parent::willRenderLinkedAccount($viewer, $item, $account);
	}

	protected function getContentSecurityPolicyFormActions() {
	return $this->getAdapter()->getContentSecurityPolicyFormActions();
	}

	/* -( Temporary Secrets )-------------------------------------------------- */


	private function saveHandshakeTokenSecret($client_code, $secret) {
	$secret_type = PhabricatorOAuth1SecretTemporaryTokenType::TOKENTYPE;
	$key = $this->getHandshakeTokenKeyFromClientCode($client_code);
	$type = $this->getTemporaryTokenType($secret_type);

	// Wipe out an existing token, if one exists.
	$token = id(new PhabricatorAuthTemporaryTokenQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withTokenResources(array($key))
	->withTokenTypes(array($type))
	->executeOne();
	if ($token) {
	$token->delete();
	}

	// Save the new secret.
	id(new PhabricatorAuthTemporaryToken())
	->setTokenResource($key)
	->setTokenType($type)
	->setTokenExpires(time() + phutil_units('1 hour in seconds'))
	->setTokenCode($secret)
	->save();
	}

	private function loadHandshakeTokenSecret($client_code) {
	$secret_type = PhabricatorOAuth1SecretTemporaryTokenType::TOKENTYPE;
	$key = $this->getHandshakeTokenKeyFromClientCode($client_code);
	$type = $this->getTemporaryTokenType($secret_type);

	$token = id(new PhabricatorAuthTemporaryTokenQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withTokenResources(array($key))
	->withTokenTypes(array($type))
	->withExpired(false)
	->executeOne();

	if (!$token) {
	throw new Exception(
	pht(
	'Unable to load your OAuth1 token secret from storage. It may '.
	'have expired. Try authenticating again.'));
	}

	return $token->getTokenCode();
	}

	private function getTemporaryTokenType($core_type) {
	// Namespace the type so that multiple providers don't step on each
	// others' toes if a user starts Mediawiki and Bitbucket auth at the
	// same time.

	// TODO: This isn't really a proper use of the table and should get
	// cleaned up some day: the type should be constant.

	return $core_type.':'.$this->getProviderConfig()->getID();
	}

	private function getHandshakeTokenKeyFromClientCode($client_code) {
	// NOTE: This is very slightly coercive since the TemporaryToken table
	// expects an "objectPHID" as an identifier, but nothing about the storage
	// is bound to PHIDs.

	return 'oauth1:secret/'.$client_code;
	}

	}
	diff --git a/src/applications/auth/provider/PhabricatorOAuth2AuthProvider.php b/src/applications/auth/provider/PhabricatorOAuth2AuthProvider.php
	index 7d56506339..d61fbc7149 100644
	--- a/src/applications/auth/provider/PhabricatorOAuth2AuthProvider.php
	+++ b/src/applications/auth/provider/PhabricatorOAuth2AuthProvider.php
	@@ -1,289 +1,291 @@
	<?php

	abstract class PhabricatorOAuth2AuthProvider
	extends PhabricatorOAuthAuthProvider {

	const PROPERTY_APP_ID = 'oauth:app:id';
	const PROPERTY_APP_SECRET = 'oauth:app:secret';

	protected function getIDKey() {
	return self::PROPERTY_APP_ID;
	}

	protected function getSecretKey() {
	return self::PROPERTY_APP_SECRET;
	}


	protected function configureAdapter(PhutilOAuthAuthAdapter $adapter) {
	$config = $this->getProviderConfig();
	$adapter->setClientID($config->getProperty(self::PROPERTY_APP_ID));
	$adapter->setClientSecret(
	new PhutilOpaqueEnvelope(
	$config->getProperty(self::PROPERTY_APP_SECRET)));
	$adapter->setRedirectURI(PhabricatorEnv::getURI($this->getLoginURI()));
	return $adapter;
	}

	protected function renderLoginForm(AphrontRequest $request, $mode) {
	$adapter = $this->getAdapter();
	$adapter->setState($this->getAuthCSRFCode($request));

	$scope = $request->getStr('scope');
	if ($scope) {
	$adapter->setScope($scope);
	}

	$attributes = array(
	'method' => 'GET',
	'uri' => $adapter->getAuthenticateURI(),
	);

	return $this->renderStandardLoginButton($request, $mode, $attributes);
	}

	public function processLoginRequest(
	PhabricatorAuthLoginController $controller) {

	$request = $controller->getRequest();
	$adapter = $this->getAdapter();
	$account = null;
	$response = null;

	$error = $request->getStr('error');
	if ($error) {
	$response = $controller->buildProviderErrorResponse(
	$this,
	pht(
	'The OAuth provider returned an error: %s',
	$error));

	return array($account, $response);
	}

	$this->verifyAuthCSRFCode($request, $request->getStr('state'));

	$code = $request->getStr('code');
	if (!strlen($code)) {
	$response = $controller->buildProviderErrorResponse(
	$this,
	pht(
	'The OAuth provider did not return a "code" parameter in its '.
	'response.'));

	return array($account, $response);
	}

	$adapter->setCode($code);

	// NOTE: As a side effect, this will cause the OAuth adapter to request
	// an access token.

	try {
	$identifiers = $adapter->getAccountIdentifiers();
	} catch (Exception $ex) {
	// TODO: Handle this in a more user-friendly way.
	throw $ex;
	}

	if (!$identifiers) {
	$response = $controller->buildProviderErrorResponse(
	$this,
	pht(
	'The OAuth provider failed to retrieve an account ID.'));

	return array($account, $response);
	}

	- return array($this->loadOrCreateAccount($identifiers), $response);
	+ $account = $this->newExternalAccountForIdentifiers($identifiers);
	+
	+ return array($account, $response);
	}

	public function processEditForm(
	AphrontRequest $request,
	array $values) {

	return $this->processOAuthEditForm(
	$request,
	$values,
	pht('Application ID is required.'),
	pht('Application secret is required.'));
	}

	public function extendEditForm(
	AphrontRequest $request,
	AphrontFormView $form,
	array $values,
	array $issues) {

	return $this->extendOAuthEditForm(
	$request,
	$form,
	$values,
	$issues,
	pht('OAuth App ID'),
	pht('OAuth App Secret'));
	}

	public function renderConfigPropertyTransactionTitle(
	PhabricatorAuthProviderConfigTransaction $xaction) {

	$author_phid = $xaction->getAuthorPHID();
	$old = $xaction->getOldValue();
	$new = $xaction->getNewValue();
	$key = $xaction->getMetadataValue(
	PhabricatorAuthProviderConfigTransaction::PROPERTY_KEY);

	switch ($key) {
	case self::PROPERTY_APP_ID:
	if (strlen($old)) {
	return pht(
	'%s updated the OAuth application ID for this provider from '.
	'"%s" to "%s".',
	$xaction->renderHandleLink($author_phid),
	$old,
	$new);
	} else {
	return pht(
	'%s set the OAuth application ID for this provider to '.
	'"%s".',
	$xaction->renderHandleLink($author_phid),
	$new);
	}
	case self::PROPERTY_APP_SECRET:
	if (strlen($old)) {
	return pht(
	'%s updated the OAuth application secret for this provider.',
	$xaction->renderHandleLink($author_phid));
	} else {
	return pht(
	'%s set the OAuth application secret for this provider.',
	$xaction->renderHandleLink($author_phid));
	}
	case self::PROPERTY_NOTE:
	if (strlen($old)) {
	return pht(
	'%s updated the OAuth application notes for this provider.',
	$xaction->renderHandleLink($author_phid));
	} else {
	return pht(
	'%s set the OAuth application notes for this provider.',
	$xaction->renderHandleLink($author_phid));
	}

	}

	return parent::renderConfigPropertyTransactionTitle($xaction);
	}

	protected function synchronizeOAuthAccount(
	PhabricatorExternalAccount $account) {
	$adapter = $this->getAdapter();

	$oauth_token = $adapter->getAccessToken();
	$account->setProperty('oauth.token.access', $oauth_token);

	if ($adapter->supportsTokenRefresh()) {
	$refresh_token = $adapter->getRefreshToken();
	$account->setProperty('oauth.token.refresh', $refresh_token);
	} else {
	$account->setProperty('oauth.token.refresh', null);
	}

	$expires = $adapter->getAccessTokenExpires();
	$account->setProperty('oauth.token.access.expires', $expires);
	}

	public function getOAuthAccessToken(
	PhabricatorExternalAccount $account,
	$force_refresh = false) {

	if ($account->getProviderKey() !== $this->getProviderKey()) {
	throw new Exception(pht('Account does not match provider!'));
	}

	if (!$force_refresh) {
	$access_expires = $account->getProperty('oauth.token.access.expires');
	$access_token = $account->getProperty('oauth.token.access');

	// Don't return a token with fewer than this many seconds remaining until
	// it expires.
	$shortest_token = 60;
	if ($access_token) {
	if ($access_expires === null \|\|
	$access_expires > (time() + $shortest_token)) {
	return $access_token;
	}
	}
	}

	$refresh_token = $account->getProperty('oauth.token.refresh');
	if ($refresh_token) {
	$adapter = $this->getAdapter();
	if ($adapter->supportsTokenRefresh()) {
	$adapter->refreshAccessToken($refresh_token);

	$this->synchronizeOAuthAccount($account);
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$account->save();
	unset($unguarded);

	return $account->getProperty('oauth.token.access');
	}
	}

	return null;
	}

	public function willRenderLinkedAccount(
	PhabricatorUser $viewer,
	PHUIObjectItemView $item,
	PhabricatorExternalAccount $account) {

	// Get a valid token, possibly refreshing it. If we're unable to refresh
	// it, render a message to that effect. The user may be able to repair the
	// link by manually reconnecting.

	$is_invalid = false;
	try {
	$oauth_token = $this->getOAuthAccessToken($account);
	} catch (Exception $ex) {
	$oauth_token = null;
	$is_invalid = true;
	}

	$item->addAttribute(pht('OAuth2 Account'));

	if ($oauth_token) {
	$oauth_expires = $account->getProperty('oauth.token.access.expires');
	if ($oauth_expires) {
	$item->addAttribute(
	pht(
	'Active OAuth Token (Expires: %s)',
	phabricator_datetime($oauth_expires, $viewer)));
	} else {
	$item->addAttribute(
	pht('Active OAuth Token'));
	}
	} else if ($is_invalid) {
	$item->addAttribute(pht('Invalid OAuth Access Token'));
	} else {
	$item->addAttribute(pht('No OAuth Access Token'));
	}

	parent::willRenderLinkedAccount($viewer, $item, $account);
	}

	public function supportsAutoLogin() {
	return true;
	}

	public function getAutoLoginURI(AphrontRequest $request) {
	$csrf_code = $this->getAuthCSRFCode($request);

	$adapter = $this->getAdapter();
	$adapter->setState($csrf_code);

	return $adapter->getAuthenticateURI();
	}

	}
	diff --git a/src/applications/auth/provider/PhabricatorPasswordAuthProvider.php b/src/applications/auth/provider/PhabricatorPasswordAuthProvider.php
	index 6b2681eea8..4513787d89 100644
	--- a/src/applications/auth/provider/PhabricatorPasswordAuthProvider.php
	+++ b/src/applications/auth/provider/PhabricatorPasswordAuthProvider.php
	@@ -1,378 +1,369 @@
	<?php

	final class PhabricatorPasswordAuthProvider extends PhabricatorAuthProvider {

	private $adapter;

	public function getProviderName() {
	return pht('Username/Password');
	}

	public function getConfigurationHelp() {
	return pht(
	"(WARNING) Examine the table below for information on how password ".
	"hashes will be stored in the database.\n\n".
	"(NOTE) You can select a minimum password length by setting ".
	"`%s` in configuration.",
	'account.minimum-password-length');
	}

	public function renderConfigurationFooter() {
	$hashers = PhabricatorPasswordHasher::getAllHashers();
	$hashers = msort($hashers, 'getStrength');
	$hashers = array_reverse($hashers);

	$yes = phutil_tag(
	'strong',
	array(
	'style' => 'color: #009900',
	),
	pht('Yes'));

	$no = phutil_tag(
	'strong',
	array(
	'style' => 'color: #990000',
	),
	pht('Not Installed'));

	$best_hasher_name = null;
	try {
	$best_hasher = PhabricatorPasswordHasher::getBestHasher();
	$best_hasher_name = $best_hasher->getHashName();
	} catch (PhabricatorPasswordHasherUnavailableException $ex) {
	// There are no suitable hashers. The user might be able to enable some,
	// so we don't want to fatal here. We'll fatal when users try to actually
	// use this stuff if it isn't fixed before then. Until then, we just
	// don't highlight a row. In practice, at least one hasher should always
	// be available.
	}

	$rows = array();
	$rowc = array();
	foreach ($hashers as $hasher) {
	$is_installed = $hasher->canHashPasswords();

	$rows[] = array(
	$hasher->getHumanReadableName(),
	$hasher->getHashName(),
	$hasher->getHumanReadableStrength(),
	($is_installed ? $yes : $no),
	($is_installed ? null : $hasher->getInstallInstructions()),
	);
	$rowc[] = ($best_hasher_name == $hasher->getHashName())
	? 'highlighted'
	: null;
	}

	$table = new AphrontTableView($rows);
	$table->setRowClasses($rowc);
	$table->setHeaders(
	array(
	pht('Algorithm'),
	pht('Name'),
	pht('Strength'),
	pht('Installed'),
	pht('Install Instructions'),
	));

	$table->setColumnClasses(
	array(
	'',
	'',
	'',
	'',
	'wide',
	));

	$header = id(new PHUIHeaderView())
	->setHeader(pht('Password Hash Algorithms'))
	->setSubheader(
	pht(
	'Stronger algorithms are listed first. The highlighted algorithm '.
	'will be used when storing new hashes. Older hashes will be '.
	'upgraded to the best algorithm over time.'));

	return id(new PHUIObjectBoxView())
	->setHeader($header)
	->setTable($table);
	}

	public function getDescriptionForCreate() {
	return pht(
	'Allow users to log in or register using a username and password.');
	}

	public function getAdapter() {
	if (!$this->adapter) {
	$adapter = new PhutilEmptyAuthAdapter();
	$adapter->setAdapterType('password');
	$adapter->setAdapterDomain('self');
	$this->adapter = $adapter;
	}
	return $this->adapter;
	}

	public function getLoginOrder() {
	// Make sure username/password appears first if it is enabled.
	return '100-'.$this->getProviderName();
	}

	public function shouldAllowAccountLink() {
	return false;
	}

	public function shouldAllowAccountUnlink() {
	return false;
	}

	public function isDefaultRegistrationProvider() {
	return true;
	}

	public function buildLoginForm(
	PhabricatorAuthStartController $controller) {
	$request = $controller->getRequest();
	return $this->renderPasswordLoginForm($request);
	}

	public function buildInviteForm(
	PhabricatorAuthStartController $controller) {
	$request = $controller->getRequest();
	$viewer = $request->getViewer();

	$form = id(new AphrontFormView())
	->setUser($viewer)
	->addHiddenInput('invite', true)
	->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Username'))
	->setName('username'));

	$dialog = id(new AphrontDialogView())
	->setUser($viewer)
	->setTitle(pht('Register an Account'))
	->appendForm($form)
	->setSubmitURI('/auth/register/')
	->addSubmitButton(pht('Continue'));

	return $dialog;
	}

	public function buildLinkForm($controller) {
	throw new Exception(pht("Password providers can't be linked."));
	}

	private function renderPasswordLoginForm(
	AphrontRequest $request,
	$require_captcha = false,
	$captcha_valid = false) {

	$viewer = $request->getUser();

	$dialog = id(new AphrontDialogView())
	->setSubmitURI($this->getLoginURI())
	->setUser($viewer)
	->setTitle(pht('Log In'))
	->addSubmitButton(pht('Log In'));

	if ($this->shouldAllowRegistration()) {
	$dialog->addCancelButton(
	'/auth/register/',
	pht('Register New Account'));
	}

	$dialog->addFooter(
	phutil_tag(
	'a',
	array(
	'href' => '/login/email/',
	),
	pht('Forgot your password?')));

	$v_user = nonempty(
	$request->getStr('username'),
	$request->getCookie(PhabricatorCookies::COOKIE_USERNAME));

	$e_user = null;
	$e_pass = null;
	$e_captcha = null;

	$errors = array();
	if ($require_captcha && !$captcha_valid) {
	if (AphrontFormRecaptchaControl::hasCaptchaResponse($request)) {
	$e_captcha = pht('Invalid');
	$errors[] = pht('CAPTCHA was not entered correctly.');
	} else {
	$e_captcha = pht('Required');
	$errors[] = pht(
	'Too many login failures recently. You must '.
	'submit a CAPTCHA with your login request.');
	}
	} else if ($request->isHTTPPost()) {
	// NOTE: This is intentionally vague so as not to disclose whether a
	// given username or email is registered.
	$e_user = pht('Invalid');
	$e_pass = pht('Invalid');
	$errors[] = pht('Username or password are incorrect.');
	}

	if ($errors) {
	$errors = id(new PHUIInfoView())->setErrors($errors);
	}

	$form = id(new PHUIFormLayoutView())
	->setFullWidth(true)
	->appendChild($errors)
	->appendChild(
	id(new AphrontFormTextControl())
	->setLabel(pht('Username or Email'))
	->setName('username')
	->setAutofocus(true)
	->setValue($v_user)
	->setError($e_user))
	->appendChild(
	id(new AphrontFormPasswordControl())
	->setLabel(pht('Password'))
	->setName('password')
	->setError($e_pass));

	if ($require_captcha) {
	$form->appendChild(
	id(new AphrontFormRecaptchaControl())
	->setError($e_captcha));
	}

	$dialog->appendChild($form);

	return $dialog;
	}

	public function processLoginRequest(
	PhabricatorAuthLoginController $controller) {

	$request = $controller->getRequest();
	$viewer = $request->getUser();
	$content_source = PhabricatorContentSource::newFromRequest($request);

	$rate_actor = PhabricatorSystemActionEngine::newActorFromRequest($request);

	PhabricatorSystemActionEngine::willTakeAction(
	array($rate_actor),
	new PhabricatorAuthTryPasswordAction(),
	1);

	// If the same remote address has submitted several failed login attempts
	// recently, require they provide a CAPTCHA response for new attempts.
	$require_captcha = false;
	$captcha_valid = false;
	if (AphrontFormRecaptchaControl::isRecaptchaEnabled()) {
	try {
	PhabricatorSystemActionEngine::willTakeAction(
	array($rate_actor),
	new PhabricatorAuthTryPasswordWithoutCAPTCHAAction(),
	1);
	} catch (PhabricatorSystemActionRateLimitException $ex) {
	$require_captcha = true;
	$captcha_valid = AphrontFormRecaptchaControl::processCaptcha($request);
	}
	}

	$response = null;
	$account = null;
	$log_user = null;

	if ($request->isFormPost()) {
	if (!$require_captcha \|\| $captcha_valid) {
	$username_or_email = $request->getStr('username');
	if (strlen($username_or_email)) {
	$user = id(new PhabricatorUser())->loadOneWhere(
	'username = %s',
	$username_or_email);

	if (!$user) {
	$user = PhabricatorUser::loadOneWithEmailAddress(
	$username_or_email);
	}

	if ($user) {
	$envelope = new PhutilOpaqueEnvelope($request->getStr('password'));

	$engine = id(new PhabricatorAuthPasswordEngine())
	->setViewer($user)
	->setContentSource($content_source)
	->setPasswordType(PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT)
	->setObject($user);

	if ($engine->isValidPassword($envelope)) {
	- $account = $this->loadOrCreateAccount($user->getPHID());
	+ $account = $this->newExternalAccountForUser($user);
	$log_user = $user;
	}
	}
	}
	}
	}

	if (!$account) {
	if ($request->isFormPost()) {
	$log = PhabricatorUserLog::initializeNewLog(
	null,
	$log_user ? $log_user->getPHID() : null,
	PhabricatorLoginFailureUserLogType::LOGTYPE);
	$log->save();
	}

	$request->clearCookie(PhabricatorCookies::COOKIE_USERNAME);

	$response = $controller->buildProviderPageResponse(
	$this,
	$this->renderPasswordLoginForm(
	$request,
	$require_captcha,
	$captcha_valid));
	}

	return array($account, $response);
	}

	public function shouldRequireRegistrationPassword() {
	return true;
	}

	- protected function willSaveAccount(PhabricatorExternalAccount $account) {
	- parent::willSaveAccount($account);
	- $account->setUserPHID($account->getAccountID());
	- }
	-
	- public function willRegisterAccount(PhabricatorExternalAccount $account) {
	- parent::willRegisterAccount($account);
	- $account->setAccountID($account->getUserPHID());
	- }
	-
	public static function getPasswordProvider() {
	$providers = self::getAllEnabledProviders();

	foreach ($providers as $provider) {
	if ($provider instanceof PhabricatorPasswordAuthProvider) {
	return $provider;
	}
	}

	return null;
	}

	public function willRenderLinkedAccount(
	PhabricatorUser $viewer,
	PHUIObjectItemView $item,
	PhabricatorExternalAccount $account) {
	return;
	}

	public function shouldAllowAccountRefresh() {
	return false;
	}

	public function shouldAllowEmailTrustConfiguration() {
	return false;
	}
	+
	}

File Metadata

Mime Type: text/x-diff
Expires: Mon, Jul 28, 7:45 PM (1 w, 3 d ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 187438
Default Alt Text: (89 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions