No OneTemporary
Actions

Size

46 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
	index 53de32376b..718f48c42c 100644
	--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
	+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
	@@ -1,658 +1,661 @@
	<?php

	/**
	*
	* @task use Using Sessions
	* @task new Creating Sessions
	* @task hisec High Security
	* @task partial Partial Sessions
	* @task onetime One Time Login URIs
	*/
	final class PhabricatorAuthSessionEngine extends Phobject {

	/**
	* Session issued to normal users after they login through a standard channel.
	* Associates the client with a standard user identity.
	*/
	const KIND_USER = 'U';


	/**
	* Session issued to users who login with some sort of credentials but do not
	* have full accounts. These are sometimes called "grey users".
	*
	* TODO: We do not currently issue these sessions, see T4310.
	*/
	const KIND_EXTERNAL = 'X';


	/**
	* Session issued to logged-out users which has no real identity information.
	* Its purpose is to protect logged-out users from CSRF.
	*/
	const KIND_ANONYMOUS = 'A';


	/**
	* Session kind isn't known.
	*/
	const KIND_UNKNOWN = '?';


	/**
	* Temporary tokens for one time logins.
	*/
	const ONETIME_TEMPORARY_TOKEN_TYPE = 'login:onetime';


	/**
	* Temporary tokens for password recovery after one time login.
	*/
	const PASSWORD_TEMPORARY_TOKEN_TYPE = 'login:password';

	const ONETIME_RECOVER = 'recover';
	const ONETIME_RESET = 'reset';
	const ONETIME_WELCOME = 'welcome';
	const ONETIME_USERNAME = 'rename';


	/**
	* Get the session kind (e.g., anonymous, user, external account) from a
	* session token. Returns a `KIND_` constant.
	*
	* @param string Session token.
	* @return const Session kind constant.
	*/
	public static function getSessionKindFromToken($session_token) {
	if (strpos($session_token, '/') === false) {
	// Old-style session, these are all user sessions.
	return self::KIND_USER;
	}

	list($kind, $key) = explode('/', $session_token, 2);

	switch ($kind) {
	case self::KIND_ANONYMOUS:
	case self::KIND_USER:
	case self::KIND_EXTERNAL:
	return $kind;
	default:
	return self::KIND_UNKNOWN;
	}
	}


	/**
	* Load the user identity associated with a session of a given type,
	* identified by token.
	*
	* When the user presents a session token to an API, this method verifies
	* it is of the correct type and loads the corresponding identity if the
	* session exists and is valid.
	*
	* NOTE: `$session_type` is the type of session that is required by the
	* loading context. This prevents use of a Conduit sesssion as a Web
	* session, for example.
	*
	* @param const The type of session to load.
	* @param string The session token.
	* @return PhabricatorUser\|null
	* @task use
	*/
	public function loadUserForSession($session_type, $session_token) {
	$session_kind = self::getSessionKindFromToken($session_token);
	switch ($session_kind) {
	case self::KIND_ANONYMOUS:
	// Don't bother trying to load a user for an anonymous session, since
	// neither the session nor the user exist.
	return null;
	case self::KIND_UNKNOWN:
	// If we don't know what kind of session this is, don't go looking for
	// it.
	return null;
	case self::KIND_USER:
	break;
	case self::KIND_EXTERNAL:
	// TODO: Implement these (T4310).
	return null;
	}

	$session_table = new PhabricatorAuthSession();
	$user_table = new PhabricatorUser();
	$conn_r = $session_table->establishConnection('r');
	$session_key = PhabricatorHash::digest($session_token);

	// NOTE: We're being clever here because this happens on every page load,
	// and by joining we can save a query. This might be getting too clever
	// for its own good, though...

	$info = queryfx_one(
	$conn_r,
	'SELECT
	s.id AS s_id,
	s.sessionExpires AS s_sessionExpires,
	s.sessionStart AS s_sessionStart,
	s.highSecurityUntil AS s_highSecurityUntil,
	s.isPartial AS s_isPartial,
	u.*
	FROM %T u JOIN %T s ON u.phid = s.userPHID
	AND s.type = %s AND s.sessionKey = %s',
	$user_table->getTableName(),
	$session_table->getTableName(),
	$session_type,
	$session_key);

	if (!$info) {
	return null;
	}

	$session_dict = array(
	'userPHID' => $info['phid'],
	'sessionKey' => $session_key,
	'type' => $session_type,
	);
	foreach ($info as $key => $value) {
	if (strncmp($key, 's_', 2) === 0) {
	unset($info[$key]);
	$session_dict[substr($key, 2)] = $value;
	}
	}
	$session = id(new PhabricatorAuthSession())->loadFromArray($session_dict);

	$ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type);

	// If more than 20% of the time on this session has been used, refresh the
	// TTL back up to the full duration. The idea here is that sessions are
	// good forever if used regularly, but get GC'd when they fall out of use.

	+ // NOTE: If we begin rotating session keys when extending sessions, the
	+ // CSRF code needs to be updated so CSRF tokens survive session rotation.
	+
	if (time() + (0.80 * $ttl) > $session->getSessionExpires()) {
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$conn_w = $session_table->establishConnection('w');
	queryfx(
	$conn_w,
	'UPDATE %T SET sessionExpires = UNIX_TIMESTAMP() + %d WHERE id = %d',
	$session->getTableName(),
	$ttl,
	$session->getID());
	unset($unguarded);
	}

	$user = $user_table->loadFromArray($info);
	$user->attachSession($session);
	return $user;
	}


	/**
	* Issue a new session key for a given identity. Phabricator supports
	* different types of sessions (like "web" and "conduit") and each session
	* type may have multiple concurrent sessions (this allows a user to be
	* logged in on multiple browsers at the same time, for instance).
	*
	* Note that this method is transport-agnostic and does not set cookies or
	* issue other types of tokens, it ONLY generates a new session key.
	*
	* You can configure the maximum number of concurrent sessions for various
	* session types in the Phabricator configuration.
	*
	* @param const Session type constant (see
	* @{class:PhabricatorAuthSession}).
	* @param phid\|null Identity to establish a session for, usually a user
	* PHID. With `null`, generates an anonymous session.
	* @param bool True to issue a partial session.
	* @return string Newly generated session key.
	*/
	public function establishSession($session_type, $identity_phid, $partial) {
	// Consume entropy to generate a new session key, forestalling the eventual
	// heat death of the universe.
	$session_key = Filesystem::readRandomCharacters(40);

	if ($identity_phid === null) {
	return self::KIND_ANONYMOUS.'/'.$session_key;
	}

	$session_table = new PhabricatorAuthSession();
	$conn_w = $session_table->establishConnection('w');

	// This has a side effect of validating the session type.
	$session_ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type);

	$digest_key = PhabricatorHash::digest($session_key);

	// Logging-in users don't have CSRF stuff yet, so we have to unguard this
	// write.
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	id(new PhabricatorAuthSession())
	->setUserPHID($identity_phid)
	->setType($session_type)
	->setSessionKey($digest_key)
	->setSessionStart(time())
	->setSessionExpires(time() + $session_ttl)
	->setIsPartial($partial ? 1 : 0)
	->save();

	$log = PhabricatorUserLog::initializeNewLog(
	null,
	$identity_phid,
	($partial
	? PhabricatorUserLog::ACTION_LOGIN_PARTIAL
	: PhabricatorUserLog::ACTION_LOGIN));

	$log->setDetails(
	array(
	'session_type' => $session_type,
	));
	$log->setSession($digest_key);
	$log->save();
	unset($unguarded);

	return $session_key;
	}


	/**
	* Terminate all of a user's login sessions.
	*
	* This is used when users change passwords, linked accounts, or add
	* multifactor authentication.
	*
	* @param PhabricatorUser User whose sessions should be terminated.
	* @param string\|null Optionally, one session to keep. Normally, the current
	* login session.
	*
	* @return void
	*/
	public function terminateLoginSessions(
	PhabricatorUser $user,
	$except_session = null) {

	$sessions = id(new PhabricatorAuthSessionQuery())
	->setViewer($user)
	->withIdentityPHIDs(array($user->getPHID()))
	->execute();

	if ($except_session !== null) {
	$except_session = PhabricatorHash::digest($except_session);
	}

	foreach ($sessions as $key => $session) {
	if ($except_session !== null) {
	if ($except_session == $session->getSessionKey()) {
	continue;
	}
	}

	$session->delete();
	}
	}


	/* -( High Security )------------------------------------------------------ */


	/**
	* Require high security, or prompt the user to enter high security.
	*
	* If the user's session is in high security, this method will return a
	* token. Otherwise, it will throw an exception which will eventually
	* be converted into a multi-factor authentication workflow.
	*
	* @param PhabricatorUser User whose session needs to be in high security.
	* @param AphrontReqeust Current request.
	* @param string URI to return the user to if they cancel.
	* @param bool True to jump partial sessions directly into high
	* security instead of just upgrading them to full
	* sessions.
	* @return PhabricatorAuthHighSecurityToken Security token.
	* @task hisec
	*/
	public function requireHighSecuritySession(
	PhabricatorUser $viewer,
	AphrontRequest $request,
	$cancel_uri,
	$jump_into_hisec = false) {

	if (!$viewer->hasSession()) {
	throw new Exception(
	pht('Requiring a high-security session from a user with no session!'));
	}

	$session = $viewer->getSession();

	// Check if the session is already in high security mode.
	$token = $this->issueHighSecurityToken($session);
	if ($token) {
	return $token;
	}

	// Load the multi-factor auth sources attached to this account.
	$factors = id(new PhabricatorAuthFactorConfig())->loadAllWhere(
	'userPHID = %s',
	$viewer->getPHID());

	// If the account has no associated multi-factor auth, just issue a token
	// without putting the session into high security mode. This is generally
	// easier for users. A minor but desirable side effect is that when a user
	// adds an auth factor, existing sessions won't get a free pass into hisec,
	// since they never actually got marked as hisec.
	if (!$factors) {
	return $this->issueHighSecurityToken($session, true);
	}

	// Check for a rate limit without awarding points, so the user doesn't
	// get partway through the workflow only to get blocked.
	PhabricatorSystemActionEngine::willTakeAction(
	array($viewer->getPHID()),
	new PhabricatorAuthTryFactorAction(),
	0);

	$validation_results = array();
	if ($request->isHTTPPost()) {
	$request->validateCSRF();
	if ($request->getExists(AphrontRequest::TYPE_HISEC)) {

	// Limit factor verification rates to prevent brute force attacks.
	PhabricatorSystemActionEngine::willTakeAction(
	array($viewer->getPHID()),
	new PhabricatorAuthTryFactorAction(),
	1);

	$ok = true;
	foreach ($factors as $factor) {
	$id = $factor->getID();
	$impl = $factor->requireImplementation();

	$validation_results[$id] = $impl->processValidateFactorForm(
	$factor,
	$viewer,
	$request);

	if (!$impl->isFactorValid($factor, $validation_results[$id])) {
	$ok = false;
	}
	}

	if ($ok) {
	// Give the user a credit back for a successful factor verification.
	PhabricatorSystemActionEngine::willTakeAction(
	array($viewer->getPHID()),
	new PhabricatorAuthTryFactorAction(),
	-1);

	if ($session->getIsPartial() && !$jump_into_hisec) {
	// If we have a partial session and are not jumping directly into
	// hisec, just issue a token without putting it in high security
	// mode.
	return $this->issueHighSecurityToken($session, true);
	}

	$until = time() + phutil_units('15 minutes in seconds');
	$session->setHighSecurityUntil($until);

	queryfx(
	$session->establishConnection('w'),
	'UPDATE %T SET highSecurityUntil = %d WHERE id = %d',
	$session->getTableName(),
	$until,
	$session->getID());

	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_ENTER_HISEC);
	$log->save();
	} else {
	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_FAIL_HISEC);
	$log->save();
	}
	}
	}

	$token = $this->issueHighSecurityToken($session);
	if ($token) {
	return $token;
	}

	throw id(new PhabricatorAuthHighSecurityRequiredException())
	->setCancelURI($cancel_uri)
	->setFactors($factors)
	->setFactorValidationResults($validation_results);
	}


	/**
	* Issue a high security token for a session, if authorized.
	*
	* @param PhabricatorAuthSession Session to issue a token for.
	* @param bool Force token issue.
	* @return PhabricatorAuthHighSecurityToken\|null Token, if authorized.
	* @task hisec
	*/
	private function issueHighSecurityToken(
	PhabricatorAuthSession $session,
	$force = false) {

	$until = $session->getHighSecurityUntil();
	if ($until > time() \|\| $force) {
	return new PhabricatorAuthHighSecurityToken();
	}

	return null;
	}


	/**
	* Render a form for providing relevant multi-factor credentials.
	*
	* @param PhabricatorUser Viewing user.
	* @param AphrontRequest Current request.
	* @return AphrontFormView Renderable form.
	* @task hisec
	*/
	public function renderHighSecurityForm(
	array $factors,
	array $validation_results,
	PhabricatorUser $viewer,
	AphrontRequest $request) {

	$form = id(new AphrontFormView())
	->setUser($viewer)
	->appendRemarkupInstructions('');

	foreach ($factors as $factor) {
	$factor->requireImplementation()->renderValidateFactorForm(
	$factor,
	$form,
	$viewer,
	idx($validation_results, $factor->getID()));
	}

	$form->appendRemarkupInstructions('');

	return $form;
	}


	/**
	* Strip the high security flag from a session.
	*
	* Kicks a session out of high security and logs the exit.
	*
	* @param PhabricatorUser Acting user.
	* @param PhabricatorAuthSession Session to return to normal security.
	* @return void
	* @task hisec
	*/
	public function exitHighSecurity(
	PhabricatorUser $viewer,
	PhabricatorAuthSession $session) {

	if (!$session->getHighSecurityUntil()) {
	return;
	}

	queryfx(
	$session->establishConnection('w'),
	'UPDATE %T SET highSecurityUntil = NULL WHERE id = %d',
	$session->getTableName(),
	$session->getID());

	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_EXIT_HISEC);
	$log->save();
	}


	/* -( Partial Sessions )--------------------------------------------------- */


	/**
	* Upgrade a partial session to a full session.
	*
	* @param PhabricatorAuthSession Session to upgrade.
	* @return void
	* @task partial
	*/
	public function upgradePartialSession(PhabricatorUser $viewer) {

	if (!$viewer->hasSession()) {
	throw new Exception(
	pht('Upgrading partial session of user with no session!'));
	}

	$session = $viewer->getSession();

	if (!$session->getIsPartial()) {
	throw new Exception(pht('Session is not partial!'));
	}

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$session->setIsPartial(0);

	queryfx(
	$session->establishConnection('w'),
	'UPDATE %T SET isPartial = %d WHERE id = %d',
	$session->getTableName(),
	0,
	$session->getID());

	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_LOGIN_FULL);
	$log->save();
	unset($unguarded);
	}


	/* -( One Time Login URIs )------------------------------------------------ */


	/**
	* Retrieve a temporary, one-time URI which can log in to an account.
	*
	* These URIs are used for password recovery and to regain access to accounts
	* which users have been locked out of.
	*
	* @param PhabricatorUser User to generate a URI for.
	* @param PhabricatorUserEmail Optionally, email to verify when
	* link is used.
	* @param string Optional context string for the URI. This is purely cosmetic
	* and used only to customize workflow and error messages.
	* @return string Login URI.
	* @task onetime
	*/
	public function getOneTimeLoginURI(
	PhabricatorUser $user,
	PhabricatorUserEmail $email = null,
	$type = self::ONETIME_RESET) {

	$key = Filesystem::readRandomCharacters(32);
	$key_hash = $this->getOneTimeLoginKeyHash($user, $email, $key);

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	id(new PhabricatorAuthTemporaryToken())
	->setObjectPHID($user->getPHID())
	->setTokenType(self::ONETIME_TEMPORARY_TOKEN_TYPE)
	->setTokenExpires(time() + phutil_units('1 day in seconds'))
	->setTokenCode($key_hash)
	->save();
	unset($unguarded);

	$uri = '/login/once/'.$type.'/'.$user->getID().'/'.$key.'/';
	if ($email) {
	$uri = $uri.$email->getID().'/';
	}

	try {
	$uri = PhabricatorEnv::getProductionURI($uri);
	} catch (Exception $ex) {
	// If a user runs `bin/auth recover` before configuring the base URI,
	// just show the path. We don't have any way to figure out the domain.
	// See T4132.
	}

	return $uri;
	}


	/**
	* Load the temporary token associated with a given one-time login key.
	*
	* @param PhabricatorUser User to load the token for.
	* @param PhabricatorUserEmail Optionally, email to verify when
	* link is used.
	* @param string Key user is presenting as a valid one-time login key.
	* @return PhabricatorAuthTemporaryToken\|null Token, if one exists.
	* @task onetime
	*/
	public function loadOneTimeLoginKey(
	PhabricatorUser $user,
	PhabricatorUserEmail $email = null,
	$key = null) {

	$key_hash = $this->getOneTimeLoginKeyHash($user, $email, $key);

	return id(new PhabricatorAuthTemporaryTokenQuery())
	->setViewer($user)
	->withObjectPHIDs(array($user->getPHID()))
	->withTokenTypes(array(self::ONETIME_TEMPORARY_TOKEN_TYPE))
	->withTokenCodes(array($key_hash))
	->withExpired(false)
	->executeOne();
	}


	/**
	* Hash a one-time login key for storage as a temporary token.
	*
	* @param PhabricatorUser User this key is for.
	* @param PhabricatorUserEmail Optionally, email to verify when
	* link is used.
	* @param string The one time login key.
	* @return string Hash of the key.
	* task onetime
	*/
	private function getOneTimeLoginKeyHash(
	PhabricatorUser $user,
	PhabricatorUserEmail $email = null,
	$key = null) {

	$parts = array(
	$key,
	$user->getAccountSecret(),
	);

	if ($email) {
	$parts[] = $email->getVerificationCode();
	}

	return PhabricatorHash::digest(implode(':', $parts));
	}

	}
	diff --git a/src/applications/people/storage/PhabricatorUser.php b/src/applications/people/storage/PhabricatorUser.php
	index bbdc9dbdfe..5a0d7e47f1 100644
	--- a/src/applications/people/storage/PhabricatorUser.php
	+++ b/src/applications/people/storage/PhabricatorUser.php
	@@ -1,886 +1,890 @@
	<?php

	/**
	* @task factors Multi-Factor Authentication
	*/
	final class PhabricatorUser
	extends PhabricatorUserDAO
	implements
	PhutilPerson,
	PhabricatorPolicyInterface,
	PhabricatorCustomFieldInterface,
	PhabricatorDestructibleInterface {

	const SESSION_TABLE = 'phabricator_session';
	const NAMETOKEN_TABLE = 'user_nametoken';
	const MAXIMUM_USERNAME_LENGTH = 64;

	protected $userName;
	protected $realName;
	protected $sex;
	protected $translation;
	protected $passwordSalt;
	protected $passwordHash;
	protected $profileImagePHID;
	protected $timezoneIdentifier = '';

	protected $consoleEnabled = 0;
	protected $consoleVisible = 0;
	protected $consoleTab = '';

	protected $conduitCertificate;

	protected $isSystemAgent = 0;
	protected $isAdmin = 0;
	protected $isDisabled = 0;
	protected $isEmailVerified = 0;
	protected $isApproved = 0;
	protected $isEnrolledInMultiFactor = 0;

	protected $accountSecret;

	private $profileImage = self::ATTACHABLE;
	private $profile = null;
	private $status = self::ATTACHABLE;
	private $preferences = null;
	private $omnipotent = false;
	private $customFields = self::ATTACHABLE;

	private $alternateCSRFString = self::ATTACHABLE;
	private $session = self::ATTACHABLE;

	protected function readField($field) {
	switch ($field) {
	case 'timezoneIdentifier':
	// If the user hasn't set one, guess the server's time.
	return nonempty(
	$this->timezoneIdentifier,
	date_default_timezone_get());
	// Make sure these return booleans.
	case 'isAdmin':
	return (bool)$this->isAdmin;
	case 'isDisabled':
	return (bool)$this->isDisabled;
	case 'isSystemAgent':
	return (bool)$this->isSystemAgent;
	case 'isEmailVerified':
	return (bool)$this->isEmailVerified;
	case 'isApproved':
	return (bool)$this->isApproved;
	default:
	return parent::readField($field);
	}
	}


	/**
	* Is this a live account which has passed required approvals? Returns true
	* if this is an enabled, verified (if required), approved (if required)
	* account, and false otherwise.
	*
	* @return bool True if this is a standard, usable account.
	*/
	public function isUserActivated() {
	if ($this->getIsDisabled()) {
	return false;
	}

	if (!$this->getIsApproved()) {
	return false;
	}

	if (PhabricatorUserEmail::isEmailVerificationRequired()) {
	if (!$this->getIsEmailVerified()) {
	return false;
	}
	}

	return true;
	}

	/**
	* Returns `true` if this is a standard user who is logged in. Returns `false`
	* for logged out, anonymous, or external users.
	*
	* @return bool `true` if the user is a standard user who is logged in with
	* a normal session.
	*/
	public function getIsStandardUser() {
	$type_user = PhabricatorPeopleUserPHIDType::TYPECONST;
	return $this->getPHID() && (phid_get_type($this->getPHID()) == $type_user);
	}

	public function getConfiguration() {
	return array(
	self::CONFIG_AUX_PHID => true,
	) + parent::getConfiguration();
	}

	public function generatePHID() {
	return PhabricatorPHID::generateNewPHID(
	PhabricatorPeopleUserPHIDType::TYPECONST);
	}

	public function setPassword(PhutilOpaqueEnvelope $envelope) {
	if (!$this->getPHID()) {
	throw new Exception(
	'You can not set a password for an unsaved user because their PHID '.
	'is a salt component in the password hash.');
	}

	if (!strlen($envelope->openEnvelope())) {
	$this->setPasswordHash('');
	} else {
	$this->setPasswordSalt(md5(Filesystem::readRandomBytes(32)));
	$hash = $this->hashPassword($envelope);
	$this->setPasswordHash($hash->openEnvelope());
	}
	return $this;
	}

	// To satisfy PhutilPerson.
	public function getSex() {
	return $this->sex;
	}

	public function getMonogram() {
	return '@'.$this->getUsername();
	}

	public function getTranslation() {
	try {
	if ($this->translation &&
	class_exists($this->translation) &&
	is_subclass_of($this->translation, 'PhabricatorTranslation')) {
	return $this->translation;
	}
	} catch (PhutilMissingSymbolException $ex) {
	return null;
	}
	return null;
	}

	public function isLoggedIn() {
	return !($this->getPHID() === null);
	}

	public function save() {
	if (!$this->getConduitCertificate()) {
	$this->setConduitCertificate($this->generateConduitCertificate());
	}

	if (!strlen($this->getAccountSecret())) {
	$this->setAccountSecret(Filesystem::readRandomCharacters(64));
	}

	$result = parent::save();

	if ($this->profile) {
	$this->profile->save();
	}

	$this->updateNameTokens();

	id(new PhabricatorSearchIndexer())
	->queueDocumentForIndexing($this->getPHID());

	return $result;
	}

	public function attachSession(PhabricatorAuthSession $session) {
	$this->session = $session;
	return $this;
	}

	public function getSession() {
	return $this->assertAttached($this->session);
	}

	public function hasSession() {
	return ($this->session !== self::ATTACHABLE);
	}

	private function generateConduitCertificate() {
	return Filesystem::readRandomCharacters(255);
	}

	public function comparePassword(PhutilOpaqueEnvelope $envelope) {
	if (!strlen($envelope->openEnvelope())) {
	return false;
	}
	if (!strlen($this->getPasswordHash())) {
	return false;
	}

	return PhabricatorPasswordHasher::comparePassword(
	$this->getPasswordHashInput($envelope),
	new PhutilOpaqueEnvelope($this->getPasswordHash()));
	}

	private function getPasswordHashInput(PhutilOpaqueEnvelope $password) {
	$input =
	$this->getUsername().
	$password->openEnvelope().
	$this->getPHID().
	$this->getPasswordSalt();

	return new PhutilOpaqueEnvelope($input);
	}

	private function hashPassword(PhutilOpaqueEnvelope $password) {
	$hasher = PhabricatorPasswordHasher::getBestHasher();

	$input_envelope = $this->getPasswordHashInput($password);
	return $hasher->getPasswordHashForStorage($input_envelope);
	}

	const CSRF_CYCLE_FREQUENCY = 3600;
	const CSRF_SALT_LENGTH = 8;
	const CSRF_TOKEN_LENGTH = 16;
	const CSRF_BREACH_PREFIX = 'B@';

	const EMAIL_CYCLE_FREQUENCY = 86400;
	const EMAIL_TOKEN_LENGTH = 24;

	private function getRawCSRFToken($offset = 0) {
	return $this->generateToken(
	time() + (self::CSRF_CYCLE_FREQUENCY * $offset),
	self::CSRF_CYCLE_FREQUENCY,
	PhabricatorEnv::getEnvConfig('phabricator.csrf-key'),
	self::CSRF_TOKEN_LENGTH);
	}

	/**
	* @phutil-external-symbol class PhabricatorStartup
	*/
	public function getCSRFToken() {
	$salt = PhabricatorStartup::getGlobal('csrf.salt');
	if (!$salt) {
	$salt = Filesystem::readRandomCharacters(self::CSRF_SALT_LENGTH);
	PhabricatorStartup::setGlobal('csrf.salt', $salt);
	}

	// Generate a token hash to mitigate BREACH attacks against SSL. See
	// discussion in T3684.
	$token = $this->getRawCSRFToken();
	$hash = PhabricatorHash::digest($token, $salt);
	return 'B@'.$salt.substr($hash, 0, self::CSRF_TOKEN_LENGTH);
	}

	public function validateCSRFToken($token) {
	$salt = null;
	$version = 'plain';

	// This is a BREACH-mitigating token. See T3684.
	$breach_prefix = self::CSRF_BREACH_PREFIX;
	$breach_prelen = strlen($breach_prefix);

	if (!strncmp($token, $breach_prefix, $breach_prelen)) {
	$version = 'breach';
	$salt = substr($token, $breach_prelen, self::CSRF_SALT_LENGTH);
	$token = substr($token, $breach_prelen + self::CSRF_SALT_LENGTH);
	}

	// When the user posts a form, we check that it contains a valid CSRF token.
	// Tokens cycle each hour (every CSRF_CYLCE_FREQUENCY seconds) and we accept
	// either the current token, the next token (users can submit a "future"
	// token if you have two web frontends that have some clock skew) or any of
	// the last 6 tokens. This means that pages are valid for up to 7 hours.
	// There is also some Javascript which periodically refreshes the CSRF
	// tokens on each page, so theoretically pages should be valid indefinitely.
	// However, this code may fail to run (if the user loses their internet
	// connection, or there's a JS problem, or they don't have JS enabled).
	// Choosing the size of the window in which we accept old CSRF tokens is
	// an issue of balancing concerns between security and usability. We could
	// choose a very narrow (e.g., 1-hour) window to reduce vulnerability to
	// attacks using captured CSRF tokens, but it's also more likely that real
	// users will be affected by this, e.g. if they close their laptop for an
	// hour, open it back up, and try to submit a form before the CSRF refresh
	// can kick in. Since the user experience of submitting a form with expired
	// CSRF is often quite bad (you basically lose data, or it's a big pain to
	// recover at least) and I believe we gain little additional protection
	// by keeping the window very short (the overwhelming value here is in
	// preventing blind attacks, and most attacks which can capture CSRF tokens
	// can also just capture authentication information [sniffing networks]
	// or act as the user [xss]) the 7 hour default seems like a reasonable
	// balance. Other major platforms have much longer CSRF token lifetimes,
	// like Rails (session duration) and Django (forever), which suggests this
	// is a reasonable analysis.
	$csrf_window = 6;

	for ($ii = -$csrf_window; $ii <= 1; $ii++) {
	$valid = $this->getRawCSRFToken($ii);
	switch ($version) {
	// TODO: We can remove this after the BREACH version has been in the
	// wild for a while.
	case 'plain':
	if ($token == $valid) {
	return true;
	}
	break;
	case 'breach':
	$digest = PhabricatorHash::digest($valid, $salt);
	if (substr($digest, 0, self::CSRF_TOKEN_LENGTH) == $token) {
	return true;
	}
	break;
	default:
	throw new Exception('Unknown CSRF token format!');
	}
	}

	return false;
	}

	private function generateToken($epoch, $frequency, $key, $len) {
	if ($this->getPHID()) {
	$vec = $this->getPHID().$this->getAccountSecret();
	} else {
	$vec = $this->getAlternateCSRFString();
	}

	+ if ($this->hasSession()) {
	+ $vec = $vec.$this->getSession()->getSessionKey();
	+ }
	+
	$time_block = floor($epoch / $frequency);
	$vec = $vec.$key.$time_block;

	return substr(PhabricatorHash::digest($vec), 0, $len);
	}

	public function attachUserProfile(PhabricatorUserProfile $profile) {
	$this->profile = $profile;
	return $this;
	}

	public function loadUserProfile() {
	if ($this->profile) {
	return $this->profile;
	}

	$profile_dao = new PhabricatorUserProfile();
	$this->profile = $profile_dao->loadOneWhere('userPHID = %s',
	$this->getPHID());

	if (!$this->profile) {
	$profile_dao->setUserPHID($this->getPHID());
	$this->profile = $profile_dao;
	}

	return $this->profile;
	}

	public function loadPrimaryEmailAddress() {
	$email = $this->loadPrimaryEmail();
	if (!$email) {
	throw new Exception('User has no primary email address!');
	}
	return $email->getAddress();
	}

	public function loadPrimaryEmail() {
	return $this->loadOneRelative(
	new PhabricatorUserEmail(),
	'userPHID',
	'getPHID',
	'(isPrimary = 1)');
	}

	public function loadPreferences() {
	if ($this->preferences) {
	return $this->preferences;
	}

	$preferences = null;
	if ($this->getPHID()) {
	$preferences = id(new PhabricatorUserPreferences())->loadOneWhere(
	'userPHID = %s',
	$this->getPHID());
	}

	if (!$preferences) {
	$preferences = new PhabricatorUserPreferences();
	$preferences->setUserPHID($this->getPHID());

	$default_dict = array(
	PhabricatorUserPreferences::PREFERENCE_TITLES => 'glyph',
	PhabricatorUserPreferences::PREFERENCE_EDITOR => '',
	PhabricatorUserPreferences::PREFERENCE_MONOSPACED => '',
	PhabricatorUserPreferences::PREFERENCE_DARK_CONSOLE => 0);

	$preferences->setPreferences($default_dict);
	}

	$this->preferences = $preferences;
	return $preferences;
	}

	public function loadEditorLink($path, $line, $callsign) {
	$editor = $this->loadPreferences()->getPreference(
	PhabricatorUserPreferences::PREFERENCE_EDITOR);

	if (is_array($path)) {
	$multiedit = $this->loadPreferences()->getPreference(
	PhabricatorUserPreferences::PREFERENCE_MULTIEDIT);
	switch ($multiedit) {
	case '':
	$path = implode(' ', $path);
	break;
	case 'disable':
	return null;
	}
	}

	if (!strlen($editor)) {
	return null;
	}

	$uri = strtr($editor, array(
	'%%' => '%',
	'%f' => phutil_escape_uri($path),
	'%l' => phutil_escape_uri($line),
	'%r' => phutil_escape_uri($callsign),
	));

	// The resulting URI must have an allowed protocol. Otherwise, we'll return
	// a link to an error page explaining the misconfiguration.

	$ok = PhabricatorHelpEditorProtocolController::hasAllowedProtocol($uri);
	if (!$ok) {
	return '/help/editorprotocol/';
	}

	return (string)$uri;
	}

	public function getAlternateCSRFString() {
	return $this->assertAttached($this->alternateCSRFString);
	}

	public function attachAlternateCSRFString($string) {
	$this->alternateCSRFString = $string;
	return $this;
	}

	/**
	* Populate the nametoken table, which used to fetch typeahead results. When
	* a user types "linc", we want to match "Abraham Lincoln" from on-demand
	* typeahead sources. To do this, we need a separate table of name fragments.
	*/
	public function updateNameTokens() {
	$table = self::NAMETOKEN_TABLE;
	$conn_w = $this->establishConnection('w');

	$tokens = PhabricatorTypeaheadDatasource::tokenizeString(
	$this->getUserName().' '.$this->getRealName());

	$sql = array();
	foreach ($tokens as $token) {
	$sql[] = qsprintf(
	$conn_w,
	'(%d, %s)',
	$this->getID(),
	$token);
	}

	queryfx(
	$conn_w,
	'DELETE FROM %T WHERE userID = %d',
	$table,
	$this->getID());
	if ($sql) {
	queryfx(
	$conn_w,
	'INSERT INTO %T (userID, token) VALUES %Q',
	$table,
	implode(', ', $sql));
	}
	}

	public function sendWelcomeEmail(PhabricatorUser $admin) {
	$admin_username = $admin->getUserName();
	$admin_realname = $admin->getRealName();
	$user_username = $this->getUserName();
	$is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business');

	$base_uri = PhabricatorEnv::getProductionURI('/');

	$engine = new PhabricatorAuthSessionEngine();
	$uri = $engine->getOneTimeLoginURI(
	$this,
	$this->loadPrimaryEmail(),
	PhabricatorAuthSessionEngine::ONETIME_WELCOME);

	$body = <<<EOBODY
	Welcome to Phabricator!

	{$admin_username} ({$admin_realname}) has created an account for you.

	Username: {$user_username}

	To login to Phabricator, follow this link and set a password:

	{$uri}

	After you have set a password, you can login in the future by going here:

	{$base_uri}

	EOBODY;

	if (!$is_serious) {
	$body .= <<<EOBODY

	Love,
	Phabricator

	EOBODY;
	}

	$mail = id(new PhabricatorMetaMTAMail())
	->addTos(array($this->getPHID()))
	->setSubject('[Phabricator] Welcome to Phabricator')
	->setBody($body)
	->saveAndSend();
	}

	public function sendUsernameChangeEmail(
	PhabricatorUser $admin,
	$old_username) {

	$admin_username = $admin->getUserName();
	$admin_realname = $admin->getRealName();
	$new_username = $this->getUserName();

	$password_instructions = null;
	if (PhabricatorPasswordAuthProvider::getPasswordProvider()) {
	$engine = new PhabricatorAuthSessionEngine();
	$uri = $engine->getOneTimeLoginURI(
	$this,
	null,
	PhabricatorAuthSessionEngine::ONETIME_USERNAME);
	$password_instructions = <<<EOTXT
	If you use a password to login, you'll need to reset it before you can login
	again. You can reset your password by following this link:

	{$uri}

	And, of course, you'll need to use your new username to login from now on. If
	you use OAuth to login, nothing should change.

	EOTXT;
	}

	$body = <<<EOBODY
	{$admin_username} ({$admin_realname}) has changed your Phabricator username.

	Old Username: {$old_username}
	New Username: {$new_username}

	{$password_instructions}
	EOBODY;

	$mail = id(new PhabricatorMetaMTAMail())
	->addTos(array($this->getPHID()))
	->setSubject('[Phabricator] Username Changed')
	->setBody($body)
	->saveAndSend();
	}

	public static function describeValidUsername() {
	return pht(
	'Usernames must contain only numbers, letters, period, underscore and '.
	'hyphen, and can not end with a period. They must have no more than %d '.
	'characters.',
	new PhutilNumber(self::MAXIMUM_USERNAME_LENGTH));
	}

	public static function validateUsername($username) {
	// NOTE: If you update this, make sure to update:
	//
	// - Remarkup rule for @mentions.
	// - Routing rule for "/p/username/".
	// - Unit tests, obviously.
	// - describeValidUsername() method, above.

	if (strlen($username) > self::MAXIMUM_USERNAME_LENGTH) {
	return false;
	}

	return (bool)preg_match('/^[a-zA-Z0-9._-]*[a-zA-Z0-9_-]\z/', $username);
	}

	public static function getDefaultProfileImageURI() {
	return celerity_get_resource_uri('/rsrc/image/avatar.png');
	}

	public function attachStatus(PhabricatorCalendarEvent $status) {
	$this->status = $status;
	return $this;
	}

	public function getStatus() {
	return $this->assertAttached($this->status);
	}

	public function hasStatus() {
	return $this->status !== self::ATTACHABLE;
	}

	public function attachProfileImageURI($uri) {
	$this->profileImage = $uri;
	return $this;
	}

	public function getProfileImageURI() {
	return $this->assertAttached($this->profileImage);
	}

	public function loadProfileImageURI() {
	if ($this->profileImage && ($this->profileImage !== self::ATTACHABLE)) {
	return $this->profileImage;
	}

	$src_phid = $this->getProfileImagePHID();

	if ($src_phid) {
	// TODO: (T603) Can we get rid of this entirely and move it to
	// PeopleQuery with attach/attachable?
	$file = id(new PhabricatorFile())->loadOneWhere('phid = %s', $src_phid);
	if ($file) {
	$this->profileImage = $file->getBestURI();
	return $this->profileImage;
	}
	}

	$this->profileImage = self::getDefaultProfileImageURI();
	return $this->profileImage;
	}

	public function getFullName() {
	if (strlen($this->getRealName())) {
	return $this->getUsername().' ('.$this->getRealName().')';
	} else {
	return $this->getUsername();
	}
	}

	public function __toString() {
	return $this->getUsername();
	}

	public static function loadOneWithEmailAddress($address) {
	$email = id(new PhabricatorUserEmail())->loadOneWhere(
	'address = %s',
	$address);
	if (!$email) {
	return null;
	}
	return id(new PhabricatorUser())->loadOneWhere(
	'phid = %s',
	$email->getUserPHID());
	}

	/* -( Multi-Factor Authentication )---------------------------------------- */


	/**
	* Update the flag storing this user's enrollment in multi-factor auth.
	*
	* With certain settings, we need to check if a user has MFA on every page,
	* so we cache MFA enrollment on the user object for performance. Calling this
	* method synchronizes the cache by examining enrollment records. After
	* updating the cache, use @{method:getIsEnrolledInMultiFactor} to check if
	* the user is enrolled.
	*
	* This method should be called after any changes are made to a given user's
	* multi-factor configuration.
	*
	* @return void
	* @task factors
	*/
	public function updateMultiFactorEnrollment() {
	$factors = id(new PhabricatorAuthFactorConfig())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());

	$enrolled = count($factors) ? 1 : 0;
	if ($enrolled !== $this->isEnrolledInMultiFactor) {
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	queryfx(
	$this->establishConnection('w'),
	'UPDATE %T SET isEnrolledInMultiFactor = %d WHERE id = %d',
	$this->getTableName(),
	$enrolled,
	$this->getID());
	unset($unguarded);

	$this->isEnrolledInMultiFactor = $enrolled;
	}
	}


	/**
	* Check if the user is enrolled in multi-factor authentication.
	*
	* Enrolled users have one or more multi-factor authentication sources
	* attached to their account. For performance, this value is cached. You
	* can use @{method:updateMultiFactorEnrollment} to update the cache.
	*
	* @return bool True if the user is enrolled.
	* @task factors
	*/
	public function getIsEnrolledInMultiFactor() {
	return $this->isEnrolledInMultiFactor;
	}


	/* -( Omnipotence )-------------------------------------------------------- */


	/**
	* Returns true if this user is omnipotent. Omnipotent users bypass all policy
	* checks.
	*
	* @return bool True if the user bypasses policy checks.
	*/
	public function isOmnipotent() {
	return $this->omnipotent;
	}


	/**
	* Get an omnipotent user object for use in contexts where there is no acting
	* user, notably daemons.
	*
	* @return PhabricatorUser An omnipotent user.
	*/
	public static function getOmnipotentUser() {
	static $user = null;
	if (!$user) {
	$user = new PhabricatorUser();
	$user->omnipotent = true;
	$user->makeEphemeral();
	}
	return $user;
	}


	/* -( PhabricatorPolicyInterface )----------------------------------------- */


	public function getCapabilities() {
	return array(
	PhabricatorPolicyCapability::CAN_VIEW,
	PhabricatorPolicyCapability::CAN_EDIT,
	);
	}

	public function getPolicy($capability) {
	switch ($capability) {
	case PhabricatorPolicyCapability::CAN_VIEW:
	return PhabricatorPolicies::POLICY_PUBLIC;
	case PhabricatorPolicyCapability::CAN_EDIT:
	if ($this->getIsSystemAgent()) {
	return PhabricatorPolicies::POLICY_ADMIN;
	} else {
	return PhabricatorPolicies::POLICY_NOONE;
	}
	}
	}

	public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
	return $this->getPHID() && ($viewer->getPHID() === $this->getPHID());
	}

	public function describeAutomaticCapability($capability) {
	switch ($capability) {
	case PhabricatorPolicyCapability::CAN_EDIT:
	return pht('Only you can edit your information.');
	default:
	return null;
	}
	}


	/* -( PhabricatorCustomFieldInterface )------------------------------------ */


	public function getCustomFieldSpecificationForRole($role) {
	return PhabricatorEnv::getEnvConfig('user.fields');
	}

	public function getCustomFieldBaseClass() {
	return 'PhabricatorUserCustomField';
	}

	public function getCustomFields() {
	return $this->assertAttached($this->customFields);
	}

	public function attachCustomFields(PhabricatorCustomFieldAttachment $fields) {
	$this->customFields = $fields;
	return $this;
	}


	/* -( PhabricatorDestructibleInterface )----------------------------------- */


	public function destroyObjectPermanently(
	PhabricatorDestructionEngine $engine) {

	$this->openTransaction();
	$this->delete();

	$externals = id(new PhabricatorExternalAccount())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());
	foreach ($externals as $external) {
	$external->delete();
	}

	$prefs = id(new PhabricatorUserPreferences())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());
	foreach ($prefs as $pref) {
	$pref->delete();
	}

	$profiles = id(new PhabricatorUserProfile())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());
	foreach ($profiles as $profile) {
	$profile->delete();
	}

	$keys = id(new PhabricatorUserSSHKey())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());
	foreach ($keys as $key) {
	$key->delete();
	}

	$emails = id(new PhabricatorUserEmail())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());
	foreach ($emails as $email) {
	$email->delete();
	}

	$sessions = id(new PhabricatorAuthSession())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());
	foreach ($sessions as $session) {
	$session->delete();
	}

	$factors = id(new PhabricatorAuthFactorConfig())->loadAllWhere(
	'userPHID = %s',
	$this->getPHID());
	foreach ($factors as $factor) {
	$factor->delete();
	}

	$this->saveTransaction();
	}


	}

File Metadata

Mime Type: text/x-diff
Expires: Sun, Jul 27, 5:18 PM (1 w, 8 h ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 186038
Default Alt Text: (46 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions