From 4555f18c41e47d5b84885d40bf9fb5bc77011e51 Mon Sep 17 00:00:00 2001
From: Sergey Sharybin <sergey.vfx@gmail.com>
Date: Mon, 30 Sep 2019 15:23:45 +0200
Subject: [PATCH] Add auth provider which uses Phabricator

The idea is to use it instead of a custom field approach.
---
 scripts/auth_provider/auth_provider.php | 172 ++++++++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100755 scripts/auth_provider/auth_provider.php

diff --git a/scripts/auth_provider/auth_provider.php b/scripts/auth_provider/auth_provider.php
new file mode 100755
index 0000000000..02366a2a02
--- /dev/null
+++ b/scripts/auth_provider/auth_provider.php
@@ -0,0 +1,172 @@
+#!/usr/bin/php
+<?php
+#
+# ***** BEGIN GPL LICENSE BLOCK *****
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# The Original Code is Copyright (C) 2019, Blender Foundation
+# All rights reserved.
+#
+# Contributor(s): Sergey Sharybin.
+#
+# ***** END GPL LICENSE BLOCK *****
+#
+# This scripts implements external AuthBasicProvider which can be used
+# to authentificate users using Phabricator's database.
+#
+# Example configuration:
+#
+# .htaccess file:
+#
+#   AuthType Basic
+#   AuthName "Please Enter Password"
+#   AuthBasicProvider external
+#   AuthExternal phabricator
+#   Require valid-user
+#
+# It is also required to have the following provider registered in the
+# configuration. There are two ways to do it:
+#
+#  1. Separate conf file in /etc/apache2/conf-enabled
+#     Create a file (say, authz_external_phabricator.conf) with the following
+#     content:
+#
+#       DefineExternalAuth phabricator pipe /path/to/auth_provider.php
+#
+#     This method allows to use provider in any VHOST.
+#
+#     Downside: from local tests .htaccess file picks the provider nicely,
+#     but attempts to specifu the provider in virtual host configuration
+#     resulted in issues (seems to be different initialization order between
+#     global config in those files and virtual hosts).
+#
+#  2. Define provider in the virtual host definition:
+#
+#       <IfModule mod_authnz_external.c>
+#         AddExternalAuth phabricator /path/to/auth_provider.php
+#         SetExternalAuthMethod phabricator pipe
+#       </IfModule>
+#
+#     This method allowed to use this auth provider for SVN DAV.
+
+$IS_DEBUG = false;
+$PHABRICATOR_ROOT = dirname(dirname(dirname(__FILE__)));
+require_once $PHABRICATOR_ROOT.'/scripts/__init_script__.php';
+
+function initLogging() {
+  global $IS_DEBUG;
+  global $argv;
+  for ($i = 1; $i < count($argv); ++$i) {
+    if ($argv[$i] == '--debug') {
+      $IS_DEBUG = true;
+    }
+  }
+}
+
+function debugLog(string $text) {
+  global $IS_DEBUG;
+  if (!$IS_DEBUG) {
+    return;
+  }
+  print("${text}\n");
+}
+
+function removeSingleTrailingNewline(string $string) {
+  if ($string === '') {
+    return $string;
+  }
+  $length = strlen($string);
+  if ($string[$length - 1] == "\n") {
+    return substr($string, 0, -1);
+  }
+  return $string;
+}
+
+class AuthRequest {
+  public $user_name;
+  public $password;
+
+  static function fromStdin() {
+    $auth_request = new AuthRequest();
+    $stdin = fopen('php://stdin', 'r');
+    $auth_request->user_name = removeSingleTrailingNewline(fgets($stdin));
+    $auth_request->password = removeSingleTrailingNewline(fgets($stdin));
+    return $auth_request;
+  }
+};
+
+function getUserForAuthRequest(AuthRequest $auth_request) {
+  if ($auth_request->user_name === '') {
+    return null;
+  }
+
+  $username_or_email = $auth_request->user_name;
+
+  $user = id(new PhabricatorUser())->loadOneWhere(
+    'username = %s',
+    $username_or_email);
+
+  if (!$user) {
+    $user = PhabricatorUser::loadOneWithEmailAddress(
+    $username_or_email);
+  }
+
+  return $user;
+}
+
+function createContentSourceForAuth() {
+  return PhabricatorContentSource::newForSource(
+      PhabricatorUnitTestContentSource::SOURCECONST);
+}
+
+function isValidAuth(AuthRequest $auth_request) {
+  debugLog("Begin authentification check for user '$auth_request->user_name'");
+  $user = getUserForAuthRequest($auth_request);
+  if (!$user) {
+    debugLog("No PhabricatorUser() object found for requested user.");
+    return false;
+  }
+
+  $content_source = createContentSourceForAuth();
+  $envelope = new PhutilOpaqueEnvelope($auth_request->password);
+
+  $engine = id(new PhabricatorAuthPasswordEngine())
+      ->setViewer($user)
+      ->setContentSource($content_source)
+      ->setPasswordType(PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT)
+      ->setObject($user);
+
+  if (!$engine->isValidPassword($envelope)) {
+    debugLog('Engine reported invalid password.');
+    return false;
+  }
+
+  debugLog('Authentirfication passed.');
+
+  return true;
+}
+
+function main() {
+  initLogging();
+  $auth_request = AuthRequest::fromStdin();
+  if (!isValidAuth($auth_request)) {
+    exit(1);
+  }
+  exit(0);
+}
+
+main();
+?>