OAuth - Phabricator OAuth server and Phabricator client for new Phabricator OAuth Server

Summary: adds a Phabricator OAuth server, which has three big commands: - auth - allows $user to authorize a given client or application. if $user has already authorized, it hands an authoization code back to $redirect_uri - token - given a valid authorization code, this command returns an authorization token - whoami - Conduit.whoami, all nice and purdy relative to the oauth server. Also has a "test" handler, which I used to create some test data. T850 will delete this as it adds the ability to create this data in the Phabricator product. This diff also adds the corresponding client in Phabricator for the Phabricator OAuth Server. (Note that clients are known as "providers" in the Phabricator codebase but client makes more sense relative to the server nomenclature) Also, related to make this work well - clean up the diagnostics page by variabilizing the provider-specific information and extending the provider classes as appropriate. - augment Conduit.whoami for more full-featured OAuth support, at least where the Phabricator client is concerned What's missing here... See T844, T848, T849, T850, and T852. Test Plan: - created a dummy client via the test handler. setup development.conf to have have proper variables for this dummy client. went through authorization and de-authorization flows - viewed the diagnostics page for all known oauth providers and saw provider-specific debugging information Reviewers: epriestley CC: aran, epriestley Maniphest Tasks: T44, T797 Differential Revision: https://secure.phabricator.com/D1595
2012-02-03 16:21:40 -08:00
parent 9748520b0e
commit 7a3f33b5c2
34 changed files with 1161 additions and 14 deletions
--- a/src/applications/oauthserver/controller/auth/PhabricatorOAuthServerAuthController.php
+++ b/src/applications/oauthserver/controller/auth/PhabricatorOAuthServerAuthController.php
@@ -0,0 +1,130 @@
+<?php
+
+/*
+ * Copyright 2012 Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @group oauthserver
+ */
+final class PhabricatorOAuthServerAuthController
+extends PhabricatorAuthController {
+
+  public function shouldRequireLogin() {
+    return true;
+  }
+
+  public function processRequest() {
+    $request      = $this->getRequest();
+    $current_user = $request->getUser();
+    $server       = new PhabricatorOAuthServer($current_user);
+    $client_phid  = $request->getStr('client_id');
+    $scope        = $request->getStr('scope');
+    $redirect_uri = $request->getStr('redirect_uri');
+    $response     = new PhabricatorOAuthResponse();
+    $errors       = array();
+
+    if (!$client_phid) {
+      return $response->setMalformed(
+        'Required parameter client_id not specified.'
+      );
+    }
+    $client = id(new PhabricatorOAuthServerClient())
+      ->loadOneWhere('phid = %s', $client_phid);
+    if (!$client) {
+      return $response->setNotFound(
+        'Client with id '.$client_phid.' not found. '
+      );
+    }
+
+    if ($server->userHasAuthorizedClient($client)) {
+      $return_auth_code = true;
+      $unguarded_write  = AphrontWriteGuard::beginScopedUnguardedWrites();
+    } else if ($request->isFormPost()) {
+      $server->authorizeClient($client);
+      $return_auth_code = true;
+      $unguarded_write  = null;
+    } else {
+      $return_auth_code = false;
+      $unguarded_write  = null;
+    }
+
+    if ($return_auth_code) {
+      // step 1 -- generate authorization code
+      $auth_code =
+        $server->generateAuthorizationCode($client);
+
+      // step 2 -- error or return it
+      if (!$auth_code) {
+        $errors[] = 'Failed to generate an authorization code. '.
+                    'Try again.';
+      } else {
+        $client_uri = new PhutilURI($client->getRedirectURI());
+        if (!$redirect_uri) {
+          $uri = $client_uri;
+        } else {
+          $redirect_uri = new PhutilURI($redirect_uri);
+          if ($redirect_uri->getDomain() !=
+              $client_uri->getDomain()) {
+            $uri = $client_uri;
+          } else {
+            $uri = $redirect_uri;
+          }
+        }
+
+        $uri->setQueryParam('code', $auth_code->getCode());
+        return $response->setRedirect($uri);
+      }
+    }
+    unset($unguarded_write);
+
+    $error_view = null;
+    if ($errors) {
+      $error_view = new AphrontErrorView();
+      $error_view->setTitle('Authorization Code Errors');
+      $error_view->setErrors($errors);
+    }
+
+    $name  = phutil_escape_html($client->getName());
+    $title = 'Authorize ' . $name . '?';
+    $panel = new AphrontPanelView();
+    $panel->setWidth(AphrontPanelView::WIDTH_FORM);
+    $panel->setHeader($title);
+
+    // TODO -- T848 (add scope to Phabricator OAuth)
+    // generally inform user what this means as this fleshes out
+    $description =
+      "Do want to authorize {$name} to access your ".
+      "Phabricator account data?";
+
+    $form = id(new AphrontFormView())
+      ->setUser($current_user)
+      ->appendChild(
+        id(new AphrontFormStaticControl())
+        ->setValue($description))
+      ->appendChild(
+        id(new AphrontFormSubmitControl())
+        ->setValue('Authorize')
+        ->addCancelButton('/'));
+    // TODO -- T889 (make "cancel" do something more sensible)
+
+    $panel->appendChild($form);
+
+    return $this->buildStandardPageResponse(
+      array($error_view,
+            $panel),
+      array('title' => $title));
+  }
+}
--- a/src/applications/oauthserver/controller/auth/init.php
+++ b/src/applications/oauthserver/controller/auth/init.php
@@ -0,0 +1,25 @@
+<?php
+/**
+ * This file is automatically generated. Lint this module to rebuild it.
+ * @generated
+ */
+
+
+
+phutil_require_module('phabricator', 'aphront/writeguard');
+phutil_require_module('phabricator', 'applications/auth/controller/base');
+phutil_require_module('phabricator', 'applications/oauthserver/response');
+phutil_require_module('phabricator', 'applications/oauthserver/server');
+phutil_require_module('phabricator', 'applications/oauthserver/storage/client');
+phutil_require_module('phabricator', 'view/form/base');
+phutil_require_module('phabricator', 'view/form/control/static');
+phutil_require_module('phabricator', 'view/form/control/submit');
+phutil_require_module('phabricator', 'view/form/error');
+phutil_require_module('phabricator', 'view/layout/panel');
+
+phutil_require_module('phutil', 'markup');
+phutil_require_module('phutil', 'parser/uri');
+phutil_require_module('phutil', 'utils');
+
+
+phutil_require_source('PhabricatorOAuthServerAuthController.php');
--- a/src/applications/oauthserver/controller/test/PhabricatorOAuthServerTestController.php
+++ b/src/applications/oauthserver/controller/test/PhabricatorOAuthServerTestController.php
@@ -0,0 +1,88 @@
+<?php
+
+/*
+ * Copyright 2012 Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @group oauthserver
+ */
+final class PhabricatorOAuthServerTestController
+extends PhabricatorAuthController {
+
+  public function shouldRequireLogin() {
+    return true;
+  }
+
+  public function shouldRequireAdmin() {
+    return true;
+  }
+
+  public function processRequest() {
+    $request      = $this->getRequest();
+    $current_user = $request->getUser();
+    $server       = new PhabricatorOAuthServer($current_user);
+
+    $forms = array();
+    $form = id(new AphrontFormView())
+      ->setUser($current_user)
+      ->appendChild(
+        id(new AphrontFormStaticControl())
+        ->setValue('Create Test Client'))
+      ->appendChild(
+        id(new AphrontFormTextControl())
+        ->setLabel('Name')
+        ->setName('name')
+        ->setValue(''))
+      ->appendChild(
+        id(new AphrontFormTextControl())
+        ->setLabel('Redirect URI')
+        ->setName('redirect_uri')
+        ->setValue(''))
+      ->appendChild(
+        id(new AphrontFormSubmitControl())
+        ->setValue('Create Client'));
+    $forms[] = $form;
+    $result = array();
+    if ($request->isFormPost()) {
+      $name         = $request->getStr('name');
+      $redirect_uri = $request->getStr('redirect_uri');
+      $secret       = Filesystem::readRandomCharacters(32);
+      $client       = new PhabricatorOAuthServerClient();
+      $client->setName($name);
+      $client->setSecret($secret);
+      $client->setCreatorPHID($current_user->getPHID());
+      $client->setRedirectURI($redirect_uri);
+      $client->save();
+      $id      = $client->getID();
+      $phid    = $client->getPHID();
+      $name    = phutil_escape_html($name);
+      $results = array();
+      $results[] = "New client named {$name} with secret {$secret}.";
+      $results[] = "Client has id {$id} and phid {$phid}.";
+      $result = implode('<br />', $results);
+    }
+    $title = 'Test OAuthServer Stuff';
+    $panel = new AphrontPanelView();
+    $panel->setWidth(AphrontPanelView::WIDTH_FORM);
+    $panel->setHeader($title);
+    $panel->appendChild($result);
+    $panel->appendChild($forms);
+
+    return $this->buildStandardPageResponse(
+            $panel,
+      array('title' => $title));
+  }
+}
--- a/src/applications/oauthserver/controller/test/init.php
+++ b/src/applications/oauthserver/controller/test/init.php
@@ -0,0 +1,23 @@
+<?php
+/**
+ * This file is automatically generated. Lint this module to rebuild it.
+ * @generated
+ */
+
+
+
+phutil_require_module('phabricator', 'applications/auth/controller/base');
+phutil_require_module('phabricator', 'applications/oauthserver/server');
+phutil_require_module('phabricator', 'applications/oauthserver/storage/client');
+phutil_require_module('phabricator', 'view/form/base');
+phutil_require_module('phabricator', 'view/form/control/static');
+phutil_require_module('phabricator', 'view/form/control/submit');
+phutil_require_module('phabricator', 'view/form/control/text');
+phutil_require_module('phabricator', 'view/layout/panel');
+
+phutil_require_module('phutil', 'filesystem');
+phutil_require_module('phutil', 'markup');
+phutil_require_module('phutil', 'utils');
+
+
+phutil_require_source('PhabricatorOAuthServerTestController.php');
--- a/src/applications/oauthserver/controller/token/PhabricatorOAuthServerTokenController.php
+++ b/src/applications/oauthserver/controller/token/PhabricatorOAuthServerTokenController.php
@@ -0,0 +1,90 @@
+<?php
+
+/*
+ * Copyright 2012 Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @group oauthserver
+ */
+final class PhabricatorOAuthServerTokenController
+extends PhabricatorAuthController {
+
+  public function shouldRequireLogin() {
+    return false;
+  }
+
+  public function processRequest() {
+    $request       = $this->getRequest();
+    $code          = $request->getStr('code');
+    $client_phid   = $request->getStr('client_id');
+    $client_secret = $request->getStr('client_secret');
+    $response      = new PhabricatorOAuthResponse();
+    if (!$code) {
+      return $response->setMalformed(
+        'Required parameter code missing.'
+      );
+    }
+    if (!$client_phid) {
+      return $response->setMalformed(
+        'Required parameter client_id missing.'
+      );
+    }
+    if (!$client_secret) {
+      return $response->setMalformed(
+        'Required parameter client_secret missing.'
+      );
+    }
+
+    $auth_code = id(new PhabricatorOAuthServerAuthorizationCode())
+      ->loadOneWhere('code = %s', $code);
+    if (!$auth_code) {
+      return $response->setNotFound(
+        'Authorization code '.$code.' not found.'
+      );
+    }
+    $user = id(new PhabricatorUser())
+      ->loadOneWhere('phid = %s', $auth_code->getUserPHID());
+    $server = new PhabricatorOAuthServer($user);
+    $test_code = new PhabricatorOAuthServerAuthorizationCode();
+    $test_code->setClientSecret($client_secret);
+    $test_code->setClientPHID($client_phid);
+    $is_good_code = $server->validateAuthorizationCode($auth_code,
+                                                       $test_code);
+    if (!$is_good_code) {
+      return $response->setMalformed(
+        'Invalid authorization code '.$code.'.'
+      );
+    }
+
+    $client = id(new PhabricatorOAuthServerClient())
+      ->loadOneWhere('phid = %s', $client_phid);
+    if (!$client) {
+      return $response->setNotFound(
+        'Client with client_id '.$client_phid.' not found.'
+      );
+    }
+
+    $scope = AphrontWriteGuard::beginScopedUnguardedWrites();
+    $access_token = $server->generateAccessToken($client);
+    if ($access_token) {
+      $auth_code->delete();
+      $result = array('access_token' => $access_token->getToken());
+      return $response->setContent($result);
+    }
+
+    return $response->setMalformed('Request is malformed in some way.');
+  }
+}
--- a/src/applications/oauthserver/controller/token/init.php
+++ b/src/applications/oauthserver/controller/token/init.php
@@ -0,0 +1,20 @@
+<?php
+/**
+ * This file is automatically generated. Lint this module to rebuild it.
+ * @generated
+ */
+
+
+
+phutil_require_module('phabricator', 'aphront/writeguard');
+phutil_require_module('phabricator', 'applications/auth/controller/base');
+phutil_require_module('phabricator', 'applications/oauthserver/response');
+phutil_require_module('phabricator', 'applications/oauthserver/server');
+phutil_require_module('phabricator', 'applications/oauthserver/storage/authorizationcode');
+phutil_require_module('phabricator', 'applications/oauthserver/storage/client');
+phutil_require_module('phabricator', 'applications/people/storage/user');
+
+phutil_require_module('phutil', 'utils');
+
+
+phutil_require_source('PhabricatorOAuthServerTokenController.php');