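/**
 * Lock a credential: hide its secret permanently and revoke Conduit access.
 *
 * The credential is loaded with both CAN_VIEW and CAN_EDIT required, and a
 * missing result is answered with a 404. An already-locked credential only
 * gets an informational dialog. The state change is applied on a form post;
 * any other request renders the confirmation dialog.
 *
 * @param AphrontRequest $request Request carrying the viewer and the `id`
 *   URI parameter.
 * @return mixed A 404 response, a dialog, or a redirect to the credential.
 * @throws Exception If the stored credential type has no implementation.
 */
public function handleRequest(AphrontRequest $request)
 {
     $viewer = $request->getViewer();
     $id = $request->getURIData('id');

     // Both capabilities are demanded up front, so the rest of the method can
     // assume the viewer may edit the credential.
     $credential = id(new PassphraseCredentialQuery())
         ->setViewer($viewer)
         ->withIDs(array($id))
         ->requireCapabilities(array(
             PhabricatorPolicyCapability::CAN_VIEW,
             PhabricatorPolicyCapability::CAN_EDIT,
         ))
         ->executeOne();
     if (!$credential) {
         return new Aphront404Response();
     }

     $type = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
     if (!$type) {
         // Report the stored constant: $type is empty on this path, so
         // interpolating it would always print an empty type name.
         throw new Exception(pht('Credential has invalid type "%s"!', $credential->getCredentialType()));
     }

     $view_uri = '/K' . $credential->getID();

     if ($credential->getIsLocked()) {
         return $this->newDialog()
             ->setTitle(pht('Credential Already Locked'))
             ->appendChild(pht('This credential is already locked.'))
             ->addCancelButton($view_uri, pht('Close'));
     }

     // NOTE(review): isFormPost() is presumably the CSRF-validated POST check;
     // confirm, since this branch is the only gate before the state change.
     if ($request->isFormPost()) {
         $xactions = array();

         // Conduit access is switched off in the same edit that sets the lock,
         // matching the promise made in the confirmation dialog below.
         $xactions[] = id(new PassphraseCredentialTransaction())
             ->setTransactionType(PassphraseCredentialTransaction::TYPE_CONDUIT)
             ->setNewValue(0);
         $xactions[] = id(new PassphraseCredentialTransaction())
             ->setTransactionType(PassphraseCredentialTransaction::TYPE_LOCK)
             ->setNewValue(1);

         // setContinueOnNoEffect(true) presumably lets the edit proceed when
         // Conduit access was already disabled; verify against the editor.
         id(new PassphraseCredentialTransactionEditor())
             ->setActor($viewer)
             ->setContinueOnMissingFields(true)
             ->setContinueOnNoEffect(true)
             ->setContentSourceFromRequest($request)
             ->applyTransactions($credential, $xactions);

         return id(new AphrontRedirectResponse())->setURI($view_uri);
     }

     return $this->newDialog()
         ->setTitle(pht('Lock Credential'))
         ->appendChild(pht('This credential will be locked and the secret will be hidden ' . 'forever. If Conduit access is enabled, it will be revoked. ' . 'Anything relying on this credential will still function. This ' . 'operation can not be undone.'))
         ->addSubmitButton(pht('Lock Credential'))
         ->addCancelButton($view_uri);
 }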
 /**
  * Show the "choose a credential type" form and, once a known type has been
  * posted, redirect to the edit page for that type.
  *
  * The posted `type` value is only placed in the redirect URI after it has
  * matched a key of the creatable-type map, so unknown values never reach it.
  *
  * @param AphrontRequest $request Request carrying the viewer and form data.
  * @return mixed A redirect response or the rendered application page.
  */
 public function handleRequest(AphrontRequest $request)
 {
     $viewer = $request->getViewer();

     // Creatable types indexed by their type constant, ordered by display name.
     $types = msort(
         mpull(PassphraseCredentialType::getAllCreateableTypes(), null, 'getCredentialType'),
         'getCredentialTypeName');

     $errors = array();
     $e_type = null;

     if ($request->isFormPost()) {
         $chosen = $request->getStr('type');

         // Allowlist check: only a key present in $types is accepted.
         if (!empty($types[$chosen])) {
             $edit_uri = $this->getApplicationURI('edit/?type=' . $chosen);
             return id(new AphrontRedirectResponse())->setURI($edit_uri);
         }

         $errors[] = pht('You must choose a credential type.');
         $e_type = pht('Required');
     }

     $types_control = id(new AphrontFormRadioButtonControl())
         ->setName('type')
         ->setLabel(pht('Credential Type'))
         ->setError($e_type);
     foreach ($types as $option) {
         $types_control->addButton(
             $option->getCredentialType(),
             $option->getCredentialTypeName(),
             $option->getCredentialTypeDescription());
     }

     $submit = id(new AphrontFormSubmitControl())
         ->setValue(pht('Continue'))
         ->addCancelButton($this->getApplicationURI());

     $form = id(new AphrontFormView())
         ->setUser($viewer)
         ->appendChild($types_control)
         ->appendChild($submit);

     $crumbs = $this->buildApplicationCrumbs();
     $crumbs->addTextCrumb(pht('Create'));

     $box = id(new PHUIObjectBoxView())
         ->setHeaderText(pht('Create New Credential'))
         ->setFormErrors($errors)
         ->setForm($form);

     return $this->buildApplicationPage(
         array($crumbs, $box),
         array('title' => pht('New Credential')));
 }
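 /**
  * Toggle whether a credential's secret may be retrieved through Conduit.
  *
  * The credential is loaded with CAN_VIEW and CAN_EDIT required, then
  * requireHighSecuritySession() is called before anything else happens. A
  * form post flips the current Conduit flag; any other request renders the
  * confirmation dialog that matches the current state.
  *
  * @param AphrontRequest $request Request carrying the viewer and the `id`
  *   URI parameter.
  * @return mixed A 404 response, a dialog, or a redirect to the credential.
  * @throws Exception If the stored credential type has no implementation.
  */
 public function handleRequest(AphrontRequest $request)
 {
     $viewer = $request->getViewer();
     $id = $request->getURIData('id');

     $credential = id(new PassphraseCredentialQuery())
         ->setViewer($viewer)
         ->withIDs(array($id))
         ->requireCapabilities(array(
             PhabricatorPolicyCapability::CAN_VIEW,
             PhabricatorPolicyCapability::CAN_EDIT,
         ))
         ->executeOne();
     if (!$credential) {
         return new Aphront404Response();
     }

     $view_uri = '/K' . $credential->getID();

     // Called for its effect only; the returned token is not used here.
     // Presumably this interrupts the request until the viewer has a
     // high-security session; confirm against PhabricatorAuthSessionEngine.
     id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession($viewer, $request, $view_uri);

     $type = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
     if (!$type) {
         // Report the stored constant: $type is empty on this path, so
         // interpolating it would always print an empty type name.
         throw new Exception(pht('Credential has invalid type "%s"!', $credential->getCredentialType()));
     }

     if ($request->isFormPost()) {
         // NOTE(review): the new value is the negation of the flag as it is at
         // post time, while the dialog text was chosen at render time. If the
         // flag changed in between, the post does the opposite of what the
         // dialog described. Posting the intended value would avoid that.
         // NOTE(review): no getIsLocked() check is visible in this method;
         // confirm that enabling Conduit access on a locked credential is
         // refused elsewhere.
         $xactions = array();
         $xactions[] = id(new PassphraseCredentialTransaction())
             ->setTransactionType(PassphraseCredentialTransaction::TYPE_CONDUIT)
             ->setNewValue(!$credential->getAllowConduit());

         id(new PassphraseCredentialTransactionEditor())
             ->setActor($viewer)
             ->setContinueOnMissingFields(true)
             ->setContentSourceFromRequest($request)
             ->applyTransactions($credential, $xactions);

         return id(new AphrontRedirectResponse())->setURI($view_uri);
     }

     if ($credential->getAllowConduit()) {
         return $this->newDialog()
             ->setTitle(pht('Prevent Conduit access?'))
             ->appendChild(pht('This credential and its secret will no longer be able ' . 'to be retrieved using the `%s` method in Conduit.', 'passphrase.query'))
             ->addSubmitButton(pht('Prevent Conduit Access'))
             ->addCancelButton($view_uri);
     } else {
         return $this->newDialog()
             ->setTitle(pht('Allow Conduit access?'))
             ->appendChild(pht('This credential will be able to be retrieved via the Conduit ' . 'API by users who have access to this credential. You should ' . 'only enable this for credentials which need to be accessed ' . 'programmatically (such as from build agents).'))
             ->addSubmitButton(pht('Allow Conduit Access'))
             ->addCancelButton($view_uri);
     }
 }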
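 /**
  * Build the form control that lets the viewer pick a credential for this
  * field.
  *
  * The configured `credential.provides` value is checked against the known
  * provides-types and replaced by the password type when it is not one of
  * them. The credential list is loaded as the current viewer and excludes
  * destroyed credentials.
  *
  * @param array $handles Not used by this method.
  * @return PassphraseCredentialControl The configured control.
  */
 public function renderEditControl(array $handles)
 {
     $provides_type = $this->getFieldConfigValue('credential.provides');
     $credential_type = $this->getFieldConfigValue('credential.type');

     // Strict comparison: with loose matching a non-string config value such
     // as boolean true compares equal to any non-empty type name and would
     // pass the allowlist unchanged.
     // NOTE(review): assumes getAllProvidesTypes() returns strings; confirm.
     $all_types = PassphraseCredentialType::getAllProvidesTypes();
     if (!in_array($provides_type, $all_types, true)) {
         $provides_type = PassphraseCredentialTypePassword::PROVIDES_TYPE;
     }

     // The query runs as the viewer, so the options offered are whatever that
     // query returns for them.
     $credentials = id(new PassphraseCredentialQuery())
         ->setViewer($this->getViewer())
         ->withIsDestroyed(false)
         ->withProvidesTypes(array($provides_type))
         ->execute();

     return id(new PassphraseCredentialControl())
         ->setLabel($this->getFieldName())
         ->setName($this->getFieldKey())
         ->setCaption($this->getCaption())
         ->setAllowNull(!$this->getRequired())
         ->setCredentialType($credential_type)
         ->setValue($this->getFieldValue())
         ->setError($this->getFieldError())
         ->setOptions($credentials);
 }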
 /**
  * Assemble the property list shown on a credential's detail page.
  *
  * Lists the type name, the edit policy description, the username, the
  * objects using the credential (when there are any) and the description
  * (when it is non-empty). The secret itself is not read here.
  *
  * @param PassphraseCredential $credential Credential being displayed.
  * @param PassphraseCredentialType $type Type implementation for it.
  * @param PhabricatorActionListView $actions Action list to attach.
  * @return PHUIPropertyListView The populated property list.
  */
 private function buildPropertyView(PassphraseCredential $credential, PassphraseCredentialType $type, PhabricatorActionListView $actions)
 {
     $viewer = $this->getRequest()->getUser();

     $view = new PHUIPropertyListView();
     $view->setUser($viewer)->setObject($credential)->setActionList($actions);

     $view->addProperty(pht('Credential Type'), $type->getCredentialTypeName());

     $policy_text = PhabricatorPolicyQuery::renderPolicyDescriptions($viewer, $credential);
     $view->addProperty(pht('Editable By'), $policy_text[PhabricatorPolicyCapability::CAN_EDIT]);

     $view->addProperty(pht('Username'), $credential->getUsername());

     // Objects that reference this credential, if there are any.
     $consumers = PhabricatorEdgeQuery::loadDestinationPHIDs(
         $credential->getPHID(),
         PhabricatorEdgeConfig::TYPE_CREDENTIAL_USED_BY_OBJECT);
     if ($consumers) {
         $this->loadHandles($consumers);
         $view->addProperty(pht('Used By'), $this->renderHandlesForPHIDs($consumers));
     }

     $text = $credential->getDescription();
     if (strlen($text)) {
         $view->addSectionHeader(pht('Description'), PHUIPropertyListView::ICON_SUMMARY);

         // The description goes through the markup engine before display.
         $markup = id(new PhabricatorMarkupOneOff())->setContent($text);
         $view->addTextContent(PhabricatorMarkupEngine::renderOneObject($markup, 'default', $viewer));
     }

     return $view;
 }
 /**
  * Assemble the property list shown on a credential's detail page.
  *
  * Lists the type name, the edit policy description, the username (only for
  * types that require one), the objects using the credential (when there are
  * any) and the description (when it is non-empty). The secret itself is not
  * read here.
  *
  * @param PassphraseCredential $credential Credential being displayed.
  * @param PassphraseCredentialType $type Type implementation for it.
  * @param PhabricatorActionListView $actions Action list to attach.
  * @return PHUIPropertyListView The populated property list.
  */
 private function buildPropertyView(PassphraseCredential $credential, PassphraseCredentialType $type, PhabricatorActionListView $actions)
 {
     $viewer = $this->getRequest()->getUser();

     $view = new PHUIPropertyListView();
     $view->setUser($viewer)->setObject($credential)->setActionList($actions);

     $view->addProperty(pht('Credential Type'), $type->getCredentialTypeName());

     $policy_text = PhabricatorPolicyQuery::renderPolicyDescriptions($viewer, $credential);
     $view->addProperty(pht('Editable By'), $policy_text[PhabricatorPolicyCapability::CAN_EDIT]);

     // The username row is shown only when the type asks for a username.
     if ($type->shouldRequireUsername()) {
         $view->addProperty(pht('Username'), $credential->getUsername());
     }

     $consumers = PhabricatorEdgeQuery::loadDestinationPHIDs(
         $credential->getPHID(),
         PhabricatorCredentialsUsedByObjectEdgeType::EDGECONST);
     if ($consumers) {
         $view->addProperty(pht('Used By'), $viewer->renderHandleList($consumers));
     }

     $view->invokeWillRenderEvent();

     $text = $credential->getDescription();
     if (strlen($text)) {
         $view->addSectionHeader(pht('Description'), PHUIPropertyListView::ICON_SUMMARY);
         $view->addTextContent(new PHUIRemarkupView($viewer, $text));
     }

     return $view;
 }
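 /**
  * Show the public key of a credential in a read-only dialog.
  *
  * Only CAN_VIEW is required to load the credential here. The key text comes
  * from the type implementation's getPublicKey(); the secret is not read
  * directly in this method.
  *
  * @param AphrontRequest $request Request carrying the viewer and the `id`
  *   URI parameter.
  * @return mixed A 404 response or the public-key dialog.
  * @throws Exception If the type has no implementation or no public key.
  */
 public function handleRequest(AphrontRequest $request)
 {
     $viewer = $request->getViewer();
     $id = $request->getURIData('id');

     $credential = id(new PassphraseCredentialQuery())
         ->setViewer($viewer)
         ->withIDs(array($id))
         ->requireCapabilities(array(PhabricatorPolicyCapability::CAN_VIEW))
         ->executeOne();
     if (!$credential) {
         return new Aphront404Response();
     }

     $type = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
     if (!$type) {
         // Report the stored constant: $type is empty on this path, so
         // interpolating it would always print an empty type name.
         throw new Exception(pht('Credential has invalid type "%s"!', $credential->getCredentialType()));
     }
     if (!$type->hasPublicKey()) {
         throw new Exception(pht('Credential has no public key!'));
     }

     $view_uri = '/' . $credential->getMonogram();
     $public_key = $type->getPublicKey($viewer, $credential);

     // Read-only text area: the key is for copying, not for editing.
     $key_area = id(new AphrontFormTextAreaControl())
         ->setLabel(pht('Public Key'))
         ->setReadOnly(true)
         ->setValue($public_key);
     $body = id(new PHUIFormLayoutView())->appendChild($key_area);

     return $this->newDialog()
         ->setWidth(AphrontDialogView::WIDTH_FORM)
         ->setTitle(pht('Public Key (%s)', $credential->getMonogram()))
         ->appendChild($body)
         ->addCancelButton($view_uri, pht('Done'));
 }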
 /**
  * Render search results as an object item list, one item per credential.
  *
  * Each item shows the monogram, name and login; destroyed credentials are
  * flagged and disabled, and the type name is added when the type resolves.
  *
  * @param array $credentials List of PassphraseCredential objects.
  * @param PhabricatorSavedQuery $query Not used by this method.
  * @param array $handles Not used by this method.
  * @return PHUIObjectItemListView The populated list.
  */
 protected function renderResultList(array $credentials, PhabricatorSavedQuery $query, array $handles)
 {
     assert_instances_of($credentials, 'PassphraseCredential');

     $viewer = $this->requireViewer();

     $result_list = id(new PHUIObjectItemListView());
     $result_list->setUser($viewer);

     foreach ($credentials as $credential) {
         $id = $credential->getID();

         $row = new PHUIObjectItemView();
         $row->setObjectName('K' . $id)
             ->setHeader($credential->getName())
             ->setHref('/K' . $id)
             ->setObject($credential);

         $row->addAttribute(pht('Login: %s', $credential->getUsername()));

         if ($credential->getIsDestroyed()) {
             $row->addIcon('fa-ban', pht('Destroyed'));
             $row->setDisabled(true);
         }

         // A credential whose type no longer resolves is listed without the
         // type icon.
         $implementation = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
         if ($implementation) {
             $row->addIcon('fa-wrench', $implementation->getCredentialTypeName());
         }

         $result_list->addItem($row);
     }

     return $result_list;
 }
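 /**
  * Destroy a credential: deactivate it and discard its secret.
  *
  * The credential is loaded with CAN_VIEW and CAN_EDIT required. A form post
  * applies the destroy transaction; any other request renders the
  * confirmation dialog.
  *
  * @return mixed A 404 response, a dialog, or a redirect to the credential.
  * @throws Exception If the stored credential type has no implementation.
  */
 public function processRequest()
 {
     $request = $this->getRequest();
     $viewer = $request->getUser();

     $credential = id(new PassphraseCredentialQuery())
         ->setViewer($viewer)
         ->withIDs(array($this->id))
         ->requireCapabilities(array(
             PhabricatorPolicyCapability::CAN_VIEW,
             PhabricatorPolicyCapability::CAN_EDIT,
         ))
         ->executeOne();
     if (!$credential) {
         return new Aphront404Response();
     }

     $type = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
     if (!$type) {
         // Report the stored constant: $type is empty on this path, so
         // interpolating it would always print an empty type name.
         throw new Exception(pht('Credential has invalid type "%s"!', $credential->getCredentialType()));
     }

     $view_uri = '/K' . $credential->getID();

     // NOTE(review): the operation is irreversible and no re-authentication
     // step is visible in this method; confirm whether one is applied
     // elsewhere.
     if ($request->isFormPost()) {
         $xactions = array();
         $xactions[] = id(new PassphraseCredentialTransaction())
             ->setTransactionType(PassphraseCredentialTransaction::TYPE_DESTROY)
             ->setNewValue(1);

         id(new PassphraseCredentialTransactionEditor())
             ->setActor($viewer)
             ->setContinueOnMissingFields(true)
             ->setContentSourceFromRequest($request)
             ->applyTransactions($credential, $xactions);

         return id(new AphrontRedirectResponse())->setURI($view_uri);
     }

     return $this->newDialog()
         ->setUser($viewer)
         ->setTitle(pht('Really destroy credential?'))
         ->appendChild(pht('This credential will be deactivated and the secret will be ' . 'unrecoverably destroyed. Anything relying on this credential ' . 'will cease to function. This operation can not be undone.'))
         ->addSubmitButton(pht('Destroy Credential'))
         ->addCancelButton($view_uri);
 }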
 /**
  * Resolve the type implementation for this object's credential type.
  *
  * @return mixed Whatever PassphraseCredentialType::getTypeByConstant()
  *   returns for the stored type constant.
  */
 public function getCredentialTypeImplementation()
 {
     return PassphraseCredentialType::getTypeByConstant($this->getCredentialType());
 }
 /**
  * Conduit handler: return credentials, optionally with public keys and
  * secret material.
  *
  * Secret material is opened only when the caller passes `needSecrets` AND
  * the credential allows Conduit access AND it is not locked. When API
  * access is not allowed, the entry carries a `noAPIAccess` note instead.
  * Credentials whose type does not resolve are skipped.
  *
  * @param ConduitAPIRequest $request Request with optional `ids`, `phids`,
  *   `needSecrets` and `needPublicKeys` values.
  * @return mixed The result of addPagerResults() over a `data` map keyed by
  *   credential PHID.
  */
 protected function execute(ConduitAPIRequest $request)
 {
     $query = $this->newQueryForRequest($request);

     if ($request->getValue('ids')) {
         $query->withIDs($request->getValue('ids'));
     }
     if ($request->getValue('phids')) {
         $query->withPHIDs($request->getValue('phids'));
     }
     if ($request->getValue('needSecrets')) {
         $query->needSecrets(true);
     }

     $pager = $this->newPager($request);
     $credentials = $query->executeWithCursorPager($pager);

     $results = array();
     foreach ($credentials as $credential) {
         $type = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
         if (!$type) {
             continue;
         }

         $public_key = null;
         if ($request->getValue('needPublicKeys') && $type->hasPublicKey()) {
             $public_key = $type->getPublicKey($request->getUser(), $credential);
         }

         $material = array();

         // A locked credential is never readable over the API, whatever its
         // Conduit flag says.
         $is_locked = $credential->getIsLocked();
         $allow_api = $credential->getAllowConduit() && !$is_locked;

         $secret = null;
         if ($request->getValue('needSecrets') && $allow_api) {
             $secret = $credential->getSecret();
             if (!$secret) {
                 $material['destroyed'] = pht('The private material for this credential has been ' . 'destroyed.');
             } else {
                 $secret = $secret->openEnvelope();
             }
         }

         // Pick the material key for the secret, and note whether this type
         // also reports a public key.
         $secret_key = null;
         $reports_public_key = false;
         switch ($credential->getCredentialType()) {
             case PassphraseSSHPrivateKeyFileCredentialType::CREDENTIAL_TYPE:
                 $secret_key = 'file';
                 $reports_public_key = true;
                 break;
             case PassphraseSSHGeneratedKeyCredentialType::CREDENTIAL_TYPE:
             case PassphraseSSHPrivateKeyTextCredentialType::CREDENTIAL_TYPE:
                 $secret_key = 'privateKey';
                 $reports_public_key = true;
                 break;
             case PassphrasePasswordCredentialType::CREDENTIAL_TYPE:
                 $secret_key = 'password';
                 break;
             case PassphraseTokenCredentialType::CREDENTIAL_TYPE:
                 $secret_key = 'token';
                 break;
         }

         if ($secret_key !== null && $secret !== null) {
             $material[$secret_key] = $secret;
         }
         if ($reports_public_key && $public_key) {
             $material['publicKey'] = $public_key;
         }

         if (!$allow_api) {
             $material['noAPIAccess'] = pht('This private material for this credential is not accessible via ' . 'API calls.');
         }

         $results[$credential->getPHID()] = array(
             'id' => $credential->getID(),
             'phid' => $credential->getPHID(),
             'type' => $credential->getCredentialType(),
             'name' => $credential->getName(),
             'description' => $credential->getDescription(),
             'uri' => PhabricatorEnv::getProductionURI('/' . $credential->getMonogram()),
             'monogram' => $credential->getMonogram(),
             'username' => $credential->getUsername(),
             'material' => $material,
         );
     }

     return $this->addPagerResults(array('data' => $results), $pager);
 }
 /**
  * Smoke test: loading every credential type must complete without throwing.
  */
 public function testGetAllTypes()
 {
     // The return value is not inspected; the call itself is the check.
     PassphraseCredentialType::getAllTypes();

     // Reaching this line means the call above raised nothing.
     $this->assertTrue(true);
 }
            // NOTE(review): this excerpt starts inside a loop whose header is not
            // shown; $username, $map, $table and $viewer are set above it.
            $secret = $repository->getDetail('ssh-key');
            $type = PassphraseSSHPrivateKeyTextCredentialType::CREDENTIAL_TYPE;
        }
    }
    // A repository with no username or no secret has nothing to migrate.
    if (!$username || !$secret) {
        echo pht('...no credentials set.') . "\n";
        continue;
    }
    // Group repositories by (type, username, secret) so that repositories
    // sharing one credential end up attached to a single migrated credential.
    // NOTE(review): the plaintext secret is used as an array key here, and PHP
    // turns decimal-integer-looking string keys into integers; confirm that
    // this is acceptable for the values being migrated.
    $map[$type][$username][$secret][] = $repository;
    echo pht('...will migrate.') . "\n";
}
// Both tables are written inside open transactions; the matching commit is
// outside the visible excerpt.
$passphrase = new PassphraseSecret();
$passphrase->openTransaction();
$table->openTransaction();
foreach ($map as $credential_type => $credential_usernames) {
    $type = PassphraseCredentialType::getTypeByConstant($credential_type);
    foreach ($credential_usernames as $username => $credential_secrets) {
        foreach ($credential_secrets as $secret_plaintext => $repositories) {
            // The credential name is derived from the repository callsigns; in
            // the visible lines only this name is echoed, never the secret.
            $callsigns = mpull($repositories, 'getCallsign');
            $signs = implode(', ', $callsigns);
            $name = pht('Migrated Repository Credential (%s)', id(new PhutilUTF8StringTruncator())->setMaximumGlyphs(128)->truncateString($signs));
            echo pht('Creating: %s...', $name) . "\n";
            // The secret is stored in its own row and referenced by ID.
            $secret = id(new PassphraseSecret())->setSecretData($secret_plaintext)->save();
            $secret_id = $secret->getID();
            // Migrated credentials get admin-only view and edit policies.
            $credential = PassphraseCredential::initializeNewCredential($viewer)->setCredentialType($type->getCredentialType())->setProvidesType($type->getProvidesType())->setViewPolicy(PhabricatorPolicies::POLICY_ADMIN)->setEditPolicy(PhabricatorPolicies::POLICY_ADMIN)->setName($name)->setUsername($username)->setSecretID($secret_id);
            $credential->setPHID($credential->generatePHID());
            // Every value is passed as a queryfx() argument bound to a
            // conversion placeholder; nothing is concatenated into the SQL.
            queryfx($credential->establishConnection('w'), 'INSERT INTO %T (name, credentialType, providesType, viewPolicy,
          editPolicy, description, username, secretID, isDestroyed,
          phid, dateCreated, dateModified)
          VALUES (%s, %s, %s, %s, %s, %s, %s, %d, %d, %s, %d, %d)', $credential->getTableName(), $credential->getName(), $credential->getCredentialType(), $credential->getProvidesType(), $credential->getViewPolicy(), $credential->getEditPolicy(), $credential->getDescription(), $credential->getUsername(), $credential->getSecretID(), $credential->getIsDestroyed(), $credential->getPHID(), time(), time());
            // NOTE(review): the body of this loop is cut off in the excerpt.
            foreach ($repositories as $repository) {
 /**
  * Resolve a credential type constant to its implementation, or fail.
  *
  * @param mixed $type_const Type constant to look up.
  * @return mixed The implementation returned by getTypeByConstant().
  * @throws Exception If no implementation exists for the constant.
  */
 private function getCredentialType($type_const)
 {
     $implementation = PassphraseCredentialType::getTypeByConstant($type_const);
     if ($implementation) {
         return $implementation;
     }

     // The message names the constant that was asked for.
     throw new Exception(pht('Credential has invalid type "%s"!', $type_const));
 }
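 /**
  * Conduit handler: return credentials, optionally with public keys and
  * secret material.
  *
  * Secret material is opened only when the caller passes `needSecrets` AND
  * the credential allows Conduit access. A credential with no attached
  * secret is reported with a `destroyed` note instead of failing on a null
  * envelope. Credentials whose type does not resolve are skipped.
  *
  * @param ConduitAPIRequest $request Request with optional `ids`, `phids`,
  *   `needSecrets` and `needPublicKeys` values.
  * @return mixed The result of addPagerResults() over a `data` map keyed by
  *   credential PHID.
  */
 protected function execute(ConduitAPIRequest $request)
 {
     // The query runs as the calling user.
     $query = id(new PassphraseCredentialQuery())->setViewer($request->getUser());

     if ($request->getValue('ids')) {
         $query->withIDs($request->getValue('ids'));
     }
     if ($request->getValue('phids')) {
         $query->withPHIDs($request->getValue('phids'));
     }
     if ($request->getValue('needSecrets')) {
         $query->needSecrets(true);
     }

     $pager = $this->newPager($request);
     $credentials = $query->executeWithCursorPager($pager);

     $results = array();
     foreach ($credentials as $credential) {
         $type = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
         if (!$type) {
             continue;
         }

         $public_key = null;
         if ($request->getValue('needPublicKeys') && $type->hasPublicKey()) {
             $public_key = $type->getPublicKey($request->getUser(), $credential);
         }

         $allow_api = $credential->getAllowConduit();
         $material = array();

         $secret = null;
         if ($request->getValue('needSecrets') && $allow_api) {
             // getSecret() can be empty (a credential without a secret ID gets
             // a null secret attached), so check before opening the envelope.
             $envelope = $credential->getSecret();
             if ($envelope) {
                 $secret = $envelope->openEnvelope();
             } else {
                 $material['destroyed'] = pht('The private material for this credential has been ' . 'destroyed.');
             }
         }

         // Compare against null rather than truthiness so that a secret such
         // as "0" or an empty string is still returned.
         switch ($credential->getCredentialType()) {
             case PassphraseCredentialTypeSSHPrivateKeyFile::CREDENTIAL_TYPE:
                 if ($secret !== null) {
                     $material['file'] = $secret;
                 }
                 if ($public_key) {
                     $material['publicKey'] = $public_key;
                 }
                 break;
             case PassphraseCredentialTypeSSHPrivateKeyText::CREDENTIAL_TYPE:
                 if ($secret !== null) {
                     $material['privateKey'] = $secret;
                 }
                 if ($public_key) {
                     $material['publicKey'] = $public_key;
                 }
                 break;
             case PassphraseCredentialTypePassword::CREDENTIAL_TYPE:
                 if ($secret !== null) {
                     $material['password'] = $secret;
                 }
                 break;
         }

         if (!$allow_api) {
             $material['noAPIAccess'] = pht('This credential\'s private material ' . 'is not accessible via API calls.');
         }

         $results[$credential->getPHID()] = array(
             'id' => $credential->getID(),
             'phid' => $credential->getPHID(),
             'type' => $credential->getCredentialType(),
             'name' => $credential->getName(),
             'uri' => PhabricatorEnv::getProductionURI('/' . $credential->getMonogram()),
             'monogram' => $credential->getMonogram(),
             'username' => $credential->getUsername(),
             'material' => $material,
         );
     }

     $result = array('data' => $results);
     return $this->addPagerResults($result, $pager);
 }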
 /**
  * Post-process a page of credentials: attach secrets when they were
  * requested, attach type implementations, and drop unusable rows.
  *
  * A credential is removed from the page when it names a secret ID whose
  * row could not be loaded, or when its type constant does not resolve.
  * A credential with no secret ID gets a null secret attached.
  *
  * @param array $page Credentials loaded for this page.
  * @return array The filtered page, with original keys preserved.
  */
 protected function willFilterPage(array $page)
 {
     if ($this->needSecrets) {
         // Secret ID => envelope, for every secret referenced on this page.
         $envelopes = array();

         $wanted_ids = array_filter(mpull($page, 'getSecretID'));
         if ($wanted_ids) {
             $rows = id(new PassphraseSecret())->loadAllWhere('id IN (%Ld)', $wanted_ids);
             foreach ($rows as $row) {
                 // The raw secret is wrapped in an opaque envelope before it is
                 // attached to anything.
                 $envelopes[$row->getID()] = new PhutilOpaqueEnvelope($row->getSecretData());
             }
         }

         foreach ($page as $key => $credential) {
             $secret_id = $credential->getSecretID();

             if (!$secret_id) {
                 $credential->attachSecret(null);
                 continue;
             }

             // The credential points at a secret that was not loaded: drop it.
             if (!isset($envelopes[$secret_id])) {
                 unset($page[$key]);
                 continue;
             }

             $credential->attachSecret($envelopes[$secret_id]);
         }
     }

     foreach ($page as $key => $credential) {
         $implementation = PassphraseCredentialType::getTypeByConstant($credential->getCredentialType());
         if ($implementation) {
             // Each credential receives its own copy of the type object.
             $credential->attachImplementation(clone $implementation);
         } else {
             unset($page[$key]);
         }
     }

     return $page;
 }