private function validateAuthenticatedUser(ConduitAPIRequest $request, PhabricatorUser $user)
{
if ($user->getIsDisabled()) {
return array('ERR-USER-DISABLED', 'User is disabled.');
}
if (PhabricatorUserEmail::isEmailVerificationRequired()) {
$email = $user->loadPrimaryEmail();
if (!$email) {
return array('ERR-USER-NOEMAIL', 'User has no primary email address.');
}
if (!$email->getIsVerified()) {
return array('ERR-USER-UNVERIFIED', 'User has unverified email address.');
}
}
$request->setUser($user);
return null;
}
private function validateAuthenticatedUser(ConduitAPIRequest $request, PhabricatorUser $user)
{
if (!$user->canEstablishAPISessions()) {
return array('ERR-INVALID-AUTH', pht('User account is not permitted to use the API.'));
}
$request->setUser($user);
return null;
}
$method_class = newv($method_class_str, array());
} catch (Exception $e) {
echo "usage: api.php <user_phid> <method>\n" . "method {$method_class_str} does not exist\n";
exit(1);
}
$log = new PhabricatorConduitMethodCallLog();
$log->setMethod($method);
$params = @file_get_contents('php://stdin');
$params = json_decode($params, true);
if (!is_array($params)) {
echo "provide method parameters on stdin as a JSON blob";
exit(1);
}
// build a quick ConduitAPIRequest from stdin PLUS the authenticated user
$conduit_request = new ConduitAPIRequest($params);
$conduit_request->setUser($user);
try {
$result = $method_class->executeMethod($conduit_request);
$error_code = null;
$error_info = null;
} catch (ConduitException $ex) {
$result = null;
$error_code = $ex->getMessage();
if ($ex->getErrorDescription()) {
$error_info = $ex->getErrorDescription();
} else {
$error_info = $method_handler->getErrorDescription($error_code);
}
}
$time_end = microtime(true);
$response = id(new ConduitAPIResponse())->setResult($result)->setErrorCode($error_code)->setErrorInfo($error_info);
/**
* Authenticate the client making the request to a Phabricator user account.
*
* @param ConduitAPIRequest Request being executed.
* @param dict Request metadata.
* @return null|pair Null to indicate successful authentication, or
* an error code and error message pair.
*/
private function authenticateUser(ConduitAPIRequest $api_request, array $metadata)
{
$request = $this->getRequest();
if ($request->getUser()->getPHID()) {
$api_request->setUser($request->getUser());
return null;
}
// Handle sessionless auth. TOOD: This is super messy.
if (isset($metadata['authUser'])) {
$user = id(new PhabricatorUser())->loadOneWhere('userName = %s', $metadata['authUser']);
if (!$user) {
return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
}
$token = idx($metadata, 'authToken');
$signature = idx($metadata, 'authSignature');
$certificate = $user->getConduitCertificate();
if (sha1($token . $certificate) !== $signature) {
return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
}
$api_request->setUser($user);
return null;
}
$session_key = idx($metadata, 'sessionKey');
if (!$session_key) {
return array('ERR-INVALID-SESSION', 'Session key is not present.');
}
$session = queryfx_one(id(new PhabricatorUser())->establishConnection('r'), 'SELECT * FROM %T WHERE sessionKey = %s', PhabricatorUser::SESSION_TABLE, $session_key);
if (!$session) {
return array('ERR-INVALID-SESSION', 'Session key is invalid.');
}
// TODO: Make sessions timeout.
// TODO: When we pull a session, read connectionID from the session table.
$user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $session['userPHID']);
if (!$user) {
return array('ERR-INVALID-SESSION', 'Session is for nonexistent user.');
}
$api_request->setUser($user);
return null;
}
/**
* Authenticate the client making the request to a Phabricator user account.
*
* @param ConduitAPIRequest Request being executed.
* @param dict Request metadata.
* @return null|pair Null to indicate successful authentication, or
* an error code and error message pair.
*/
private function authenticateUser(ConduitAPIRequest $api_request, array $metadata)
{
$request = $this->getRequest();
if ($request->getUser()->getPHID()) {
$request->validateCSRF();
$api_request->setUser($request->getUser());
return null;
}
// handle oauth
// TODO - T897 (make error codes for OAuth more correct to spec)
// and T891 (strip shield from Conduit response)
$access_token = $request->getStr('access_token');
$method_scope = $metadata['scope'];
if ($access_token && $method_scope != PhabricatorOAuthServerScope::SCOPE_NOT_ACCESSIBLE) {
$token = id(new PhabricatorOAuthServerAccessToken())->loadOneWhere('token = %s', $access_token);
if (!$token) {
return array('ERR-INVALID-AUTH', 'Access token does not exist.');
}
$oauth_server = new PhabricatorOAuthServer();
$valid = $oauth_server->validateAccessToken($token, $method_scope);
if (!$valid) {
return array('ERR-INVALID-AUTH', 'Access token is invalid.');
}
// valid token, so let's log in the user!
$user_phid = $token->getUserPHID();
$user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $user_phid);
if (!$user) {
return array('ERR-INVALID-AUTH', 'Access token is for invalid user.');
}
$api_request->setUser($user);
return null;
}
// Handle sessionless auth. TOOD: This is super messy.
if (isset($metadata['authUser'])) {
$user = id(new PhabricatorUser())->loadOneWhere('userName = %s', $metadata['authUser']);
if (!$user) {
return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
}
$token = idx($metadata, 'authToken');
$signature = idx($metadata, 'authSignature');
$certificate = $user->getConduitCertificate();
if (sha1($token . $certificate) !== $signature) {
return array('ERR-INVALID-AUTH', 'Authentication is invalid.');
}
$api_request->setUser($user);
return null;
}
$session_key = idx($metadata, 'sessionKey');
if (!$session_key) {
return array('ERR-INVALID-SESSION', 'Session key is not present.');
}
$session = queryfx_one(id(new PhabricatorUser())->establishConnection('r'), 'SELECT * FROM %T WHERE sessionKey = %s', PhabricatorUser::SESSION_TABLE, $session_key);
if (!$session) {
return array('ERR-INVALID-SESSION', 'Session key is invalid.');
}
// TODO: Make sessions timeout.
// TODO: When we pull a session, read connectionID from the session table.
$user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $session['userPHID']);
if (!$user) {
return array('ERR-INVALID-SESSION', 'Session is for nonexistent user.');
}
$api_request->setUser($user);
return null;
}
private function validateAuthenticatedUser(ConduitAPIRequest $request, PhabricatorUser $user)
{
if (!$user->isUserActivated()) {
return array('ERR-USER-DISABLED', pht('User account is not activated.'));
}
$request->setUser($user);
return null;
}
