No OneTemporary
Actions

Size

26 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/conduit/controller/PhabricatorConduitAPIController.php b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
	index 5a65b1fe71..816343b7a6 100644
	--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
	+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
	@@ -1,468 +1,473 @@
	<?php

	final class PhabricatorConduitAPIController
	extends PhabricatorConduitController {

	public function shouldRequireLogin() {
	return false;
	}

	private $method;

	public function willProcessRequest(array $data) {
	$this->method = $data['method'];
	return $this;
	}

	public function processRequest() {
	$time_start = microtime(true);
	$request = $this->getRequest();

	$method = $this->method;

	$api_request = null;

	$log = new PhabricatorConduitMethodCallLog();
	$log->setMethod($method);
	$metadata = array();

	try {

	$params = $this->decodeConduitParams($request, $method);
	$metadata = idx($params, '__conduit__', array());
	unset($params['__conduit__']);

	$call = new ConduitCall(
	$method, $params, idx($metadata, 'isProxied', false));

	$result = null;

	// TODO: Straighten out the auth pathway here. We shouldn't be creating
	// a ConduitAPIRequest at this level, but some of the auth code expects
	// it. Landing a halfway version of this to unblock T945.

	$api_request = new ConduitAPIRequest($params);

	$allow_unguarded_writes = false;
	$auth_error = null;
	$conduit_username = '-';
	if ($call->shouldRequireAuthentication()) {
	$metadata['scope'] = $call->getRequiredScope();
	$auth_error = $this->authenticateUser($api_request, $metadata);
	// If we've explicitly authenticated the user here and either done
	// CSRF validation or are using a non-web authentication mechanism.
	$allow_unguarded_writes = true;

	if (isset($metadata['actAsUser'])) {
	$this->actAsUser($api_request, $metadata['actAsUser']);
	}

	if ($auth_error === null) {
	$conduit_user = $api_request->getUser();
	if ($conduit_user && $conduit_user->getPHID()) {
	$conduit_username = $conduit_user->getUsername();
	}
	$call->setUser($api_request->getUser());
	}
	}

	$access_log = PhabricatorAccessLog::getLog();
	if ($access_log) {
	$access_log->setData(
	array(
	'u' => $conduit_username,
	'm' => $method,
	));
	}

	if ($call->shouldAllowUnguardedWrites()) {
	$allow_unguarded_writes = true;
	}

	if ($auth_error === null) {
	if ($allow_unguarded_writes) {
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	}

	try {
	$result = $call->execute();
	$error_code = null;
	$error_info = null;
	} catch (ConduitException $ex) {
	$result = null;
	$error_code = $ex->getMessage();
	if ($ex->getErrorDescription()) {
	$error_info = $ex->getErrorDescription();
	} else {
	$error_info = $call->getErrorDescription($error_code);
	}
	}
	if ($allow_unguarded_writes) {
	unset($unguarded);
	}
	} else {
	list($error_code, $error_info) = $auth_error;
	}
	} catch (Exception $ex) {
	phlog($ex);
	$result = null;
	$error_code = ($ex instanceof ConduitException
	? 'ERR-CONDUIT-CALL'
	: 'ERR-CONDUIT-CORE');
	$error_info = $ex->getMessage();
	}

	$time_end = microtime(true);

	$connection_id = null;
	if (idx($metadata, 'connectionID')) {
	$connection_id = $metadata['connectionID'];
	} else if (($method == 'conduit.connect') && $result) {
	$connection_id = idx($result, 'connectionID');
	}

	$log
	->setCallerPHID(
	isset($conduit_user)
	? $conduit_user->getPHID()
	: null)
	->setConnectionID($connection_id)
	->setError((string)$error_code)
	->setDuration(1000000 * ($time_end - $time_start));

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$log->save();
	unset($unguarded);

	$response = id(new ConduitAPIResponse())
	->setResult($result)
	->setErrorCode($error_code)
	->setErrorInfo($error_info);

	switch ($request->getStr('output')) {
	case 'human':
	return $this->buildHumanReadableResponse(
	$method,
	$api_request,
	$response->toDictionary());
	case 'json':
	default:
	return id(new AphrontJSONResponse())
	->setAddJSONShield(false)
	->setContent($response->toDictionary());
	}
	}

	/**
	* Change the api request user to the user that we want to act as.
	* Only admins can use actAsUser
	*
	* @param ConduitAPIRequest Request being executed.
	* @param string The username of the user we want to act as
	*/
	private function actAsUser(
	ConduitAPIRequest $api_request,
	$user_name) {

	+ $config_key = 'security.allow-conduit-act-as-user';
	+ if (!PhabricatorEnv::getEnvConfig($config_key)) {
	+ throw new Exception('security.allow-conduit-act-as-user is disabled');
	+ }
	+
	if (!$api_request->getUser()->getIsAdmin()) {
	throw new Exception('Only administrators can use actAsUser');
	}

	$user = id(new PhabricatorUser())->loadOneWhere(
	'userName = %s',
	$user_name);

	if (!$user) {
	throw new Exception(
	"The actAsUser username '{$user_name}' is not a valid user."
	);
	}

	$api_request->setUser($user);
	}

	/**
	* Authenticate the client making the request to a Phabricator user account.
	*
	* @param ConduitAPIRequest Request being executed.
	* @param dict Request metadata.
	* @return null\|pair Null to indicate successful authentication, or
	* an error code and error message pair.
	*/
	private function authenticateUser(
	ConduitAPIRequest $api_request,
	array $metadata) {

	$request = $this->getRequest();

	if ($request->getUser()->getPHID()) {
	$request->validateCSRF();
	return $this->validateAuthenticatedUser(
	$api_request,
	$request->getUser());
	}

	// handle oauth
	$access_token = $request->getStr('access_token');
	$method_scope = $metadata['scope'];
	if ($access_token &&
	$method_scope != PhabricatorOAuthServerScope::SCOPE_NOT_ACCESSIBLE) {
	$token = id(new PhabricatorOAuthServerAccessToken())
	->loadOneWhere('token = %s',
	$access_token);
	if (!$token) {
	return array(
	'ERR-INVALID-AUTH',
	'Access token does not exist.',
	);
	}

	$oauth_server = new PhabricatorOAuthServer();
	$valid = $oauth_server->validateAccessToken($token,
	$method_scope);
	if (!$valid) {
	return array(
	'ERR-INVALID-AUTH',
	'Access token is invalid.',
	);
	}

	// valid token, so let's log in the user!
	$user_phid = $token->getUserPHID();
	$user = id(new PhabricatorUser())
	->loadOneWhere('phid = %s',
	$user_phid);
	if (!$user) {
	return array(
	'ERR-INVALID-AUTH',
	'Access token is for invalid user.',
	);
	}
	return $this->validateAuthenticatedUser(
	$api_request,
	$user);
	}

	// Handle sessionless auth. TOOD: This is super messy.
	if (isset($metadata['authUser'])) {
	$user = id(new PhabricatorUser())->loadOneWhere(
	'userName = %s',
	$metadata['authUser']);
	if (!$user) {
	return array(
	'ERR-INVALID-AUTH',
	'Authentication is invalid.',
	);
	}
	$token = idx($metadata, 'authToken');
	$signature = idx($metadata, 'authSignature');
	$certificate = $user->getConduitCertificate();
	if (sha1($token.$certificate) !== $signature) {
	return array(
	'ERR-INVALID-AUTH',
	'Authentication is invalid.',
	);
	}
	return $this->validateAuthenticatedUser(
	$api_request,
	$user);
	}

	$session_key = idx($metadata, 'sessionKey');
	if (!$session_key) {
	return array(
	'ERR-INVALID-SESSION',
	'Session key is not present.'
	);
	}

	$user = id(new PhabricatorAuthSessionEngine())
	->loadUserForSession(PhabricatorAuthSession::TYPE_CONDUIT, $session_key);

	if (!$user) {
	return array(
	'ERR-INVALID-SESSION',
	'Session key is invalid.',
	);
	}

	return $this->validateAuthenticatedUser(
	$api_request,
	$user);
	}

	private function validateAuthenticatedUser(
	ConduitAPIRequest $request,
	PhabricatorUser $user) {

	if (!$user->isUserActivated()) {
	return array(
	'ERR-USER-DISABLED',
	pht('User account is not activated.'),
	);
	}

	$request->setUser($user);
	return null;
	}

	private function buildHumanReadableResponse(
	$method,
	ConduitAPIRequest $request = null,
	$result = null) {

	$param_rows = array();
	$param_rows[] = array('Method', $this->renderAPIValue($method));
	if ($request) {
	foreach ($request->getAllParameters() as $key => $value) {
	$param_rows[] = array(
	$key,
	$this->renderAPIValue($value),
	);
	}
	}

	$param_table = new AphrontTableView($param_rows);
	$param_table->setDeviceReadyTable(true);
	$param_table->setColumnClasses(
	array(
	'header',
	'wide',
	));

	$result_rows = array();
	foreach ($result as $key => $value) {
	$result_rows[] = array(
	$key,
	$this->renderAPIValue($value),
	);
	}

	$result_table = new AphrontTableView($result_rows);
	$result_table->setDeviceReadyTable(true);
	$result_table->setColumnClasses(
	array(
	'header',
	'wide',
	));

	$param_panel = new AphrontPanelView();
	$param_panel->setHeader('Method Parameters');
	$param_panel->appendChild($param_table);

	$result_panel = new AphrontPanelView();
	$result_panel->setHeader('Method Result');
	$result_panel->appendChild($result_table);

	$param_head = id(new PHUIHeaderView())
	->setHeader(pht('Method Parameters'));

	$result_head = id(new PHUIHeaderView())
	->setHeader(pht('Method Result'));

	$method_uri = $this->getApplicationURI('method/'.$method.'/');

	$crumbs = $this->buildApplicationCrumbs()
	->addTextCrumb($method, $method_uri)
	->addTextCrumb(pht('Call'));

	return $this->buildApplicationPage(
	array(
	$crumbs,
	$param_head,
	$param_table,
	$result_head,
	$result_table,
	),
	array(
	'title' => 'Method Call Result',
	));
	}

	private function renderAPIValue($value) {
	$json = new PhutilJSON();
	if (is_array($value)) {
	$value = $json->encodeFormatted($value);
	}

	$value = phutil_tag(
	'pre',
	array('style' => 'white-space: pre-wrap;'),
	$value);

	return $value;
	}

	private function decodeConduitParams(
	AphrontRequest $request,
	$method) {

	// Look for parameters from the Conduit API Console, which are encoded
	// as HTTP POST parameters in an array, e.g.:
	//
	// params[name]=value&params[name2]=value2
	//
	// The fields are individually JSON encoded, since we require users to
	// enter JSON so that we avoid type ambiguity.

	$params = $request->getArr('params', null);
	if ($params !== null) {
	foreach ($params as $key => $value) {
	if ($value == '') {
	// Interpret empty string null (e.g., the user didn't type anything
	// into the box).
	$value = 'null';
	}
	$decoded_value = json_decode($value, true);
	if ($decoded_value === null && strtolower($value) != 'null') {
	// When json_decode() fails, it returns null. This almost certainly
	// indicates that a user was using the web UI and didn't put quotes
	// around a string value. We can either do what we think they meant
	// (treat it as a string) or fail. For now, err on the side of
	// caution and fail. In the future, if we make the Conduit API
	// actually do type checking, it might be reasonable to treat it as
	// a string if the parameter type is string.
	throw new Exception(
	"The value for parameter '{$key}' is not valid JSON. All ".
	"parameters must be encoded as JSON values, including strings ".
	"(which means you need to surround them in double quotes). ".
	"Check your syntax. Value was: {$value}");
	}
	$params[$key] = $decoded_value;
	}

	return $params;
	}

	// Otherwise, look for a single parameter called 'params' which has the
	// entire param dictionary JSON encoded. This is the usual case for remote
	// requests.

	$params_json = $request->getStr('params');
	if (!strlen($params_json)) {
	if ($request->getBool('allowEmptyParams')) {
	// TODO: This is a bit messy, but otherwise you can't call
	// "conduit.ping" from the web console.
	$params = array();
	} else {
	throw new Exception(
	"Request has no 'params' key. This may mean that an extension like ".
	"Suhosin has dropped data from the request. Check the PHP ".
	"configuration on your server. If you are developing a Conduit ".
	"client, you MUST provide a 'params' parameter when making a ".
	"Conduit request, even if the value is empty (e.g., provide '{}').");
	}
	} else {
	$params = json_decode($params_json, true);
	if (!is_array($params)) {
	throw new Exception(
	"Invalid parameter information was passed to method ".
	"'{$method}', could not decode JSON serialization. Data: ".
	$params_json);
	}
	}

	return $params;
	}

	}
	diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
	index 7e5150a282..fedd7a1842 100644
	--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
	+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
	@@ -1,273 +1,289 @@
	<?php

	final class PhabricatorSecurityConfigOptions
	extends PhabricatorApplicationConfigOptions {

	public function getName() {
	return pht('Security');
	}

	public function getDescription() {
	return pht('Security options.');
	}

	public function getOptions() {
	$support_href = PhabricatorEnv::getDoclink('Give Feedback! Get Support!');

	return array(
	$this->newOption('security.alternate-file-domain', 'string', null)
	->setLocked(true)
	->setSummary(pht('Alternate domain to serve files from.'))
	->setDescription(
	pht(
	"IMPORTANT: By default, Phabricator serves files from the same ".
	"domain the application lives on. This is convenient but not ".
	"secure: it creates a large class of vulnerabilities which can ".
	"not be generally mitigated.\n\n".

	"To avoid this, you should configure a second domain in the same ".
	"way you have the primary domain configured (i.e., point it at ".
	"the same machine and set up the same vhost rules) and provide ".
	"it here. For instance, if your primary install is on ".
	"'http://www.phabricator-example.com/', you could configure ".
	"'http://www.phabricator-files.com/' and specify the entire ".
	"domain (with protocol) here. This will enforce that files are ".
	"served only from the alternate domain. Ideally, you should use ".
	"a completely separate domain name rather than just a different ".
	"subdomain.\n\n".

	"It is STRONGLY RECOMMENDED that you configure this. Your ".
	"install is NOT SECURE unless you do so."))
	->addExample('http://www.phabricator-files.com/', pht('Valid Setting')),
	$this->newOption(
	'security.hmac-key',
	'string',
	'[D\t~Y7eNmnQGJ;rnH6aF;m2!vJ8@v8C=Cs:aQS\.Qw')
	->setMasked(true)
	->setLocked(true)
	->setSummary(
	pht('Key for HMAC digests.'))
	->setDescription(
	pht(
	'Default key for HMAC digests where the key is not important '.
	'(i.e., the hash itself is secret). You can change this if you '.
	'want (to any other string), but doing so will break existing '.
	'sessions and CSRF tokens.')),
	$this->newOption('security.require-https', 'bool', false)
	->setLocked(true)
	->setSummary(
	pht('Force users to connect via HTTPS instead of HTTP.'))
	->setDescription(
	pht(
	"If the web server responds to both HTTP and HTTPS requests but ".
	"you want users to connect with only HTTPS, you can set this ".
	"to true to make Phabricator redirect HTTP requests to HTTPS.\n\n".

	"Normally, you should just configure your server not to accept ".
	"HTTP traffic, but this setting may be useful if you originally ".
	"used HTTP and have now switched to HTTPS but don't want to ".
	"break old links, or if your webserver sits behind a load ".
	"balancer which terminates HTTPS connections and you can not ".
	"reasonably configure more granular behavior there.\n\n".

	"IMPORTANT: Phabricator determines if a request is HTTPS or not ".
	"by examining the PHP \$_SERVER['HTTPS'] variable. If you run ".
	"Apache/mod_php this will probably be set correctly for you ".
	"automatically, but if you run Phabricator as CGI/FCGI (e.g., ".
	"through nginx or lighttpd), you need to configure your web ".
	"server so that it passes the value correctly based on the ".
	"connection type."))
	->setBoolOptions(
	array(
	pht('Force HTTPS'),
	pht('Allow HTTP'),
	)),
	$this->newOption('security.require-multi-factor-auth', 'bool', false)
	->setLocked(true)
	->setSummary(
	pht('Require all users to configure multi-factor authentication.'))
	->setDescription(
	pht(
	'By default, Phabricator allows users to add multi-factor '.
	'authentication to their accounts, but does not require it. '.
	'By enabling this option, you can force all users to add '.
	'at least one authentication factor before they can use their '.
	'accounts.'))
	->setBoolOptions(
	array(
	pht('Multi-Factor Required'),
	pht('Multi-Factor Optional'),
	)),
	$this->newOption(
	'phabricator.csrf-key',
	'string',
	'0b7ec0592e0a2829d8b71df2fa269b2c6172eca3')
	->setMasked(true)
	->setLocked(true)
	->setSummary(
	pht('Hashed with other inputs to generate CSRF tokens.'))
	->setDescription(
	pht(
	'This is hashed with other inputs to generate CSRF tokens. If '.
	'you want, you can change it to some other string which is '.
	'unique to your install. This will make your install more secure '.
	'in a vague, mostly theoretical way. But it will take you like 3 '.
	'seconds of mashing on your keyboard to set it up so you might '.
	'as well.')),
	$this->newOption(
	'phabricator.mail-key',
	'string',
	'5ce3e7e8787f6e40dfae861da315a5cdf1018f12')
	->setMasked(true)
	->setLocked(true)
	->setSummary(
	pht('Hashed with other inputs to generate mail tokens.'))
	->setDescription(
	pht(
	"This is hashed with other inputs to generate mail tokens. If ".
	"you want, you can change it to some other string which is ".
	"unique to your install. In particular, you will want to do ".
	"this if you accidentally send a bunch of mail somewhere you ".
	"shouldn't have, to invalidate all old reply-to addresses.")),
	$this->newOption(
	'uri.allowed-protocols',
	'set',
	array(
	'http' => true,
	'https' => true,
	'mailto' => true,
	))
	->setSummary(
	pht('Determines which URI protocols are auto-linked.'))
	->setDescription(
	pht(
	"When users write comments which have URIs, they'll be ".
	"automatically linked if the protocol appears in this set. This ".
	"whitelist is primarily to prevent security issues like ".
	"javascript:// URIs."))
	->addExample("http\nhttps", pht('Valid Setting'))
	->setLocked(true),
	$this->newOption(
	'uri.allowed-editor-protocols',
	'set',
	array(
	'http' => true,
	'https' => true,

	// This handler is installed by Textmate.
	'txmt' => true,

	// This handler is for MacVim.
	'mvim' => true,

	// Unofficial handler for Vim.
	'vim' => true,

	// Unofficial handler for Sublime.
	'subl' => true,

	// Unofficial handler for Emacs.
	'emacs' => true,

	// This isn't a standard handler installed by an application, but
	// is a reasonable name for a user-installed handler.
	'editor' => true,
	))
	->setSummary(pht('Whitelists editor protocols for "Open in Editor".'))
	->setDescription(
	pht(
	"Users can configure a URI pattern to open files in a text ".
	"editor. The URI must use a protocol on this whitelist.\n\n".
	"(If you use an editor which defines a protocol not on this ".
	"list, [[ %s \| let us know ]] and we'll update the defaults.)",
	$support_href))
	->setLocked(true),
	$this->newOption(
	'celerity.resource-hash',
	'string',
	'd9455ea150622ee044f7931dabfa52aa')
	->setSummary(
	pht('An input to the hash function when building resource hashes.'))
	->setDescription(
	pht(
	'This value is an input to the hash function when building '.
	'resource hashes. It has no security value, but if you '.
	'accidentally poison user caches (by pushing a bad patch or '.
	'having something go wrong with a CDN, e.g.) you can change this '.
	'to something else and rebuild the Celerity map to break user '.
	'caches. Unless you are doing Celerity development, it is '.
	'exceptionally unlikely that you need to modify this.')),
	$this->newOption('remarkup.enable-embedded-youtube', 'bool', false)
	->setBoolOptions(
	array(
	pht('Embed YouTube videos'),
	pht("Don't embed YouTube videos"),
	))
	->setSummary(
	pht('Determines whether or not YouTube videos get embedded.'))
	->setDescription(
	pht(
	"If you enable this, linked YouTube videos will be embeded ".
	"inline. This has mild security implications (you'll leak ".
	"referrers to YouTube) and is pretty silly (but sort of ".
	"awesome).")),
	$this->newOption('security.allow-outbound-http', 'bool', true)
	->setBoolOptions(
	array(
	pht('Allow'),
	pht('Disallow'),
	))
	->setLocked(true)
	->setSummary(
	- pht('Allow outbound HTTP requests'))
	+ pht('Allow outbound HTTP requests.'))
	->setDescription(
	pht(
	'If you enable this, you are allowing Phabricator to '.
	'potentially make requests to external servers.')),
	+ $this->newOption('security.allow-conduit-act-as-user', 'bool', false)
	+ ->setBoolOptions(
	+ array(
	+ pht('Allow'),
	+ pht('Disallow'),
	+ ))
	+ ->setLocked(true)
	+ ->setSummary(
	+ pht('Allow administrators to use the Conduit API as other users.'))
	+ ->setDescription(
	+ pht(
	+ 'DEPRECATED - if you enable this, you are allowing '.
	+ 'administrators to act as any user via the Conduit API. '.
	+ 'Enabling this is not advised as it introduces a huge policy '.
	+ 'violation and has been obsoleted in functionality.')),
	+
	);
	}

	protected function didValidateOption(
	PhabricatorConfigOption $option,
	$value) {

	$key = $option->getKey();
	if ($key == 'security.alternate-file-domain') {

	$uri = new PhutilURI($value);
	$protocol = $uri->getProtocol();
	if ($protocol !== 'http' && $protocol !== 'https') {
	throw new PhabricatorConfigValidationException(
	pht(
	"Config option '%s' is invalid. The URI must start with ".
	"'http://' or 'https://'.",
	$key));
	}

	$domain = $uri->getDomain();
	if (strpos($domain, '.') === false) {
	throw new PhabricatorConfigValidationException(
	pht(
	"Config option '%s' is invalid. The URI must contain a dot ('.'), ".
	"like 'http://example.com/', not just a bare name like ".
	"'http://example/'. Some web browsers will not set cookies on ".
	"domains with no TLD.",
	$key));
	}

	$path = $uri->getPath();
	if ($path !== '' && $path !== '/') {
	throw new PhabricatorConfigValidationException(
	pht(
	"Config option '%s' is invalid. The URI must NOT have a path, ".
	"e.g. 'http://phabricator.example.com/' is OK, but ".
	"'http://example.com/phabricator/' is not. Phabricator must be ".
	"installed on an entire domain; it can not be installed on a ".
	"path.",
	$key));
	}
	}
	}


	}

File Metadata

Mime Type: text/x-diff
Expires: Tue, Jul 29, 5:54 AM (2 w, 4 d ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 188093
Default Alt Text: (26 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions