Add auth provider which uses Phabricator
The idea is to use it instead of a custom field approach.
This commit is contained in:
172
scripts/auth_provider/auth_provider.php
Executable file
172
scripts/auth_provider/auth_provider.php
Executable file
@@ -0,0 +1,172 @@
|
||||
#!/usr/bin/php
|
||||
<?php
|
||||
#
|
||||
# ***** BEGIN GPL LICENSE BLOCK *****
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software Foundation,
|
||||
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# The Original Code is Copyright (C) 2019, Blender Foundation
|
||||
# All rights reserved.
|
||||
#
|
||||
# Contributor(s): Sergey Sharybin.
|
||||
#
|
||||
# ***** END GPL LICENSE BLOCK *****
|
||||
#
|
||||
# This scripts implements external AuthBasicProvider which can be used
|
||||
# to authentificate users using Phabricator's database.
|
||||
#
|
||||
# Example configuration:
|
||||
#
|
||||
# .htaccess file:
|
||||
#
|
||||
# AuthType Basic
|
||||
# AuthName "Please Enter Password"
|
||||
# AuthBasicProvider external
|
||||
# AuthExternal phabricator
|
||||
# Require valid-user
|
||||
#
|
||||
# It is also required to have the following provider registered in the
|
||||
# configuration. There are two ways to do it:
|
||||
#
|
||||
# 1. Separate conf file in /etc/apache2/conf-enabled
|
||||
# Create a file (say, authz_external_phabricator.conf) with the following
|
||||
# content:
|
||||
#
|
||||
# DefineExternalAuth phabricator pipe /path/to/auth_provider.php
|
||||
#
|
||||
# This method allows to use provider in any VHOST.
|
||||
#
|
||||
# Downside: from local tests .htaccess file picks the provider nicely,
|
||||
# but attempts to specifu the provider in virtual host configuration
|
||||
# resulted in issues (seems to be different initialization order between
|
||||
# global config in those files and virtual hosts).
|
||||
#
|
||||
# 2. Define provider in the virtual host definition:
|
||||
#
|
||||
# <IfModule mod_authnz_external.c>
|
||||
# AddExternalAuth phabricator /path/to/auth_provider.php
|
||||
# SetExternalAuthMethod phabricator pipe
|
||||
# </IfModule>
|
||||
#
|
||||
# This method allowed to use this auth provider for SVN DAV.
|
||||
|
||||
$IS_DEBUG = false;
|
||||
$PHABRICATOR_ROOT = dirname(dirname(dirname(__FILE__)));
|
||||
require_once $PHABRICATOR_ROOT.'/scripts/__init_script__.php';
|
||||
|
||||
function initLogging() {
|
||||
global $IS_DEBUG;
|
||||
global $argv;
|
||||
for ($i = 1; $i < count($argv); ++$i) {
|
||||
if ($argv[$i] == '--debug') {
|
||||
$IS_DEBUG = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function debugLog(string $text) {
|
||||
global $IS_DEBUG;
|
||||
if (!$IS_DEBUG) {
|
||||
return;
|
||||
}
|
||||
print("${text}\n");
|
||||
}
|
||||
|
||||
function removeSingleTrailingNewline(string $string) {
|
||||
if ($string === '') {
|
||||
return $string;
|
||||
}
|
||||
$length = strlen($string);
|
||||
if ($string[$length - 1] == "\n") {
|
||||
return substr($string, 0, -1);
|
||||
}
|
||||
return $string;
|
||||
}
|
||||
|
||||
class AuthRequest {
|
||||
public $user_name;
|
||||
public $password;
|
||||
|
||||
static function fromStdin() {
|
||||
$auth_request = new AuthRequest();
|
||||
$stdin = fopen('php://stdin', 'r');
|
||||
$auth_request->user_name = removeSingleTrailingNewline(fgets($stdin));
|
||||
$auth_request->password = removeSingleTrailingNewline(fgets($stdin));
|
||||
return $auth_request;
|
||||
}
|
||||
};
|
||||
|
||||
function getUserForAuthRequest(AuthRequest $auth_request) {
|
||||
if ($auth_request->user_name === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
$username_or_email = $auth_request->user_name;
|
||||
|
||||
$user = id(new PhabricatorUser())->loadOneWhere(
|
||||
'username = %s',
|
||||
$username_or_email);
|
||||
|
||||
if (!$user) {
|
||||
$user = PhabricatorUser::loadOneWithEmailAddress(
|
||||
$username_or_email);
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
function createContentSourceForAuth() {
|
||||
return PhabricatorContentSource::newForSource(
|
||||
PhabricatorUnitTestContentSource::SOURCECONST);
|
||||
}
|
||||
|
||||
function isValidAuth(AuthRequest $auth_request) {
|
||||
debugLog("Begin authentification check for user '$auth_request->user_name'");
|
||||
$user = getUserForAuthRequest($auth_request);
|
||||
if (!$user) {
|
||||
debugLog("No PhabricatorUser() object found for requested user.");
|
||||
return false;
|
||||
}
|
||||
|
||||
$content_source = createContentSourceForAuth();
|
||||
$envelope = new PhutilOpaqueEnvelope($auth_request->password);
|
||||
|
||||
$engine = id(new PhabricatorAuthPasswordEngine())
|
||||
->setViewer($user)
|
||||
->setContentSource($content_source)
|
||||
->setPasswordType(PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT)
|
||||
->setObject($user);
|
||||
|
||||
if (!$engine->isValidPassword($envelope)) {
|
||||
debugLog('Engine reported invalid password.');
|
||||
return false;
|
||||
}
|
||||
|
||||
debugLog('Authentirfication passed.');
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
function main() {
|
||||
initLogging();
|
||||
$auth_request = AuthRequest::fromStdin();
|
||||
if (!isValidAuth($auth_request)) {
|
||||
exit(1);
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
|
||||
main();
|
||||
?>
|
||||
Reference in New Issue
Block a user