OAuthServer polish and random sauce

Summary: This diff makes the OAuthServer more compliant with the spec by - making it return well-formatted error codes with error types from the spec. - making it respect the "state" variable, which is a transparent variable the client passes and the server passes back - making it be super, duper compliant with respect to redirect uris -- if specified in authorization step, check if its valid relative to the client registered URI and if so save it -- if specified in authorization step, check if its been specified in the access step and error if it doesn't match or doesn't exist -- note we don't make any use of it in the access step which seems strange but hey, that's what the spec says! This diff makes the OAuthServer suck less by - making the "cancel" button do something in the user authorization flow - making the client list view and client edit view be a bit more usable around client secrets - fixing a few bugs I managed to introduce along the way Test Plan: - create a test phabricator client, updated my conf, and then linked and unlinked phabricator to itself - wrote some tests for PhabricatorOAuthServer -- they pass! -- these validate the various validate URI checks - tried a few important authorization calls -- http://phabricator.dev/oauthserver/auth/?client_id=X&state=test&redirect_uri=http://www.evil.com --- verified error'd from mismatching redirect uri's --- verified state parameter in response --- verified did not redirect to client redirect uri -- http://phabricator.dev/oauthserver/auth/?client_id=X w/ existing authorization --- got redirected to proper client url with error that response_type not specified -- http://phabricator.dev/oauthserver/auth/?client_id=X&response_type=code w/ existing authorization --- got redirected to proper client url with pertinent code! - tried a few important access calls -- verified appropriate errors if missing any required parameters -- verified good access code with appropriate other variables resulted in an access token - verified that if redirect_uri set correctly in authorization required for access and errors if differs at all / only succeeds if exactly the same Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley, ajtrichards Maniphest Tasks: T889, T906, T897 Differential Revision: https://secure.phabricator.com/D1727
2012-03-01 14:46:18 -08:00
parent e9dedb0c88
commit 0327a5fc69
19 changed files with 537 additions and 172 deletions
--- a/src/applications/oauthserver/controller/client/edit/PhabricatorOAuthClientEditController.php
+++ b/src/applications/oauthserver/controller/client/edit/PhabricatorOAuthClientEditController.php
@@ -78,25 +78,33 @@ extends PhabricatorOAuthClientBaseController {
          ->setForbiddenText($message);
      }
      $submit_button = 'Save OAuth Client';
+      $secret        = null;
    // new client - much simpler
    } else {
-      $client = new PhabricatorOAuthServerClient();
-      $title  = 'Create OAuth Client';
+      $client        = new PhabricatorOAuthServerClient();
+      $title         = 'Create OAuth Client';
      $submit_button = 'Create OAuth Client';
+      $secret        = Filesystem::readRandomCharacters(32);
    }

    if ($request->isFormPost()) {
      $redirect_uri = $request->getStr('redirect_uri');
      $client->setName($request->getStr('name'));
      $client->setRedirectURI($redirect_uri);
-      $client->setSecret(Filesystem::readRandomCharacters(32));
+      if ($secret) {
+        $client->setSecret($secret);
+      }
      $client->setCreatorPHID($current_user->getPHID());
      $uri = new PhutilURI($redirect_uri);
-      if (!$this->validateRedirectURI($uri)) {
+      $server = new PhabricatorOAuthServer();
+      if (!$server->validateRedirectURI($uri)) {
        $error = new AphrontErrorView();
        $error->setSeverity(AphrontErrorView::SEVERITY_ERROR);
        $error->setTitle(
-          'Redirect URI must be a fully qualified domain name.'
+          'Redirect URI must be a fully qualified domain name '.
+          'with no fragments. See '.
+          'http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 '.
+          'for more information on the correct format.'
        );
        $bad_redirect = true;
      } else {
@@ -140,7 +148,7 @@ extends PhabricatorOAuthClientBaseController {
          ->setValue($phid)
        )
        ->appendChild(
-          id(new AphrontFormTextControl())
+          id(new AphrontFormStaticControl())
          ->setLabel('Secret')
          ->setValue($client->getSecret())
        );
@@ -185,13 +193,4 @@ extends PhabricatorOAuthClientBaseController {
    );
  }

-  private function validateRedirectURI(PhutilURI $uri) {
-    if (PhabricatorEnv::isValidRemoteWebResource($uri)) {
-      if ($uri->getDomain()) {
-        return true;
-      }
-    }
-    return false;
-  }
-
 }