src/applications/conduit/storage/PhabricatorConduitToken.php

   1 <?php
   2
   3 final class PhabricatorConduitToken
   4   extends PhabricatorConduitDAO
   5   implements PhabricatorPolicyInterface {
   6
   7   protected $objectPHID;
   8   protected $tokenType;
   9   protected $token;
  10   protected $expires;
  11
  12   private $object = self::ATTACHABLE;
  13
  14   const TYPE_STANDARD = 'api';
  15   const TYPE_COMMANDLINE = 'cli';
  16   const TYPE_CLUSTER = 'clr';
  17
  18   protected function getConfiguration() {
  19     return array(
  20       self::CONFIG_COLUMN_SCHEMA => array(
  21         'tokenType' => 'text32',
  22         'token' => 'text32',
  23         'expires' => 'epoch?',
  24       ),
  25       self::CONFIG_KEY_SCHEMA => array(
  26         'key_object' => array(
  27           'columns' => array('objectPHID', 'tokenType'),
  28         ),
  29         'key_token' => array(
  30           'columns' => array('token'),
  31           'unique' => true,
  32         ),
  33         'key_expires' => array(
  34           'columns' => array('expires'),
  35         ),
  36       ),
  37     ) + parent::getConfiguration();
  38   }
  39
  40   public static function loadClusterTokenForUser(PhabricatorUser $user) {
  41     if (!$user->isLoggedIn()) {
  42       return null;
  43     }
  44
  45     if ($user->hasConduitClusterToken()) {
  46       return $user->getConduitClusterToken();
  47     }
  48
  49     $tokens = id(new PhabricatorConduitTokenQuery())
  50       ->setViewer($user)
  51       ->withObjectPHIDs(array($user->getPHID()))
  52       ->withTokenTypes(array(self::TYPE_CLUSTER))
  53       ->withExpired(false)
  54       ->execute();
  55
  56     // Only return a token if it has at least 5 minutes left before
  57     // expiration. Cluster tokens cycle regularly, so we don't want to use
  58     // one that's going to expire momentarily.
  59     $now = PhabricatorTime::getNow();
  60     $must_expire_after = $now + phutil_units('5 minutes in seconds');
  61
  62     $valid_token = null;
  63     foreach ($tokens as $token) {
  64       if ($token->getExpires() > $must_expire_after) {
  65         $valid_token = $token;
  66         break;
  67       }
  68     }
  69
  70     // We didn't find any existing tokens (or the existing tokens are all about
  71     // to expire) so generate a new token.
  72     if (!$valid_token) {
  73       $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
  74         $valid_token = self::initializeNewToken(
  75           $user->getPHID(),
  76           self::TYPE_CLUSTER);
  77         $valid_token->save();
  78       unset($unguarded);
  79     }
  80
  81     $user->attachConduitClusterToken($valid_token);
  82
  83     return $valid_token;
  84   }
  85
  86   public static function initializeNewToken($object_phid, $token_type) {
  87     $token = new PhabricatorConduitToken();
  88     $token->objectPHID = $object_phid;
  89     $token->tokenType = $token_type;
  90     $token->expires = $token->getTokenExpires($token_type);
  91
  92     $secret = $token_type.'-'.Filesystem::readRandomCharacters(32);
  93     $secret = substr($secret, 0, 32);
  94     $token->token = $secret;
  95
  96     return $token;
  97   }
  98
  99   public static function getTokenTypeName($type) {
 100     $map = array(
 101       self::TYPE_STANDARD => pht('Standard API Token'),
 102       self::TYPE_COMMANDLINE => pht('Command Line API Token'),
 103       self::TYPE_CLUSTER => pht('Cluster API Token'),
 104     );
 105
 106     return idx($map, $type, $type);
 107   }
 108
 109   public static function getAllTokenTypes() {
 110     return array(
 111       self::TYPE_STANDARD,
 112       self::TYPE_COMMANDLINE,
 113       self::TYPE_CLUSTER,
 114     );
 115   }
 116
 117   private function getTokenExpires($token_type) {
 118     $now = PhabricatorTime::getNow();
 119     switch ($token_type) {
 120       case self::TYPE_STANDARD:
 121         return null;
 122       case self::TYPE_COMMANDLINE:
 123         return $now + phutil_units('1 hour in seconds');
 124       case self::TYPE_CLUSTER:
 125         return $now + phutil_units('30 minutes in seconds');
 126       default:
 127         throw new Exception(
 128           pht('Unknown Conduit token type "%s"!', $token_type));
 129     }
 130   }
 131
 132   public function getPublicTokenName() {
 133     switch ($this->getTokenType()) {
 134       case self::TYPE_CLUSTER:
 135         return pht('Cluster API Token');
 136       default:
 137         return substr($this->getToken(), 0, 8).'...';
 138     }
 139   }
 140
 141   public function getObject() {
 142     return $this->assertAttached($this->object);
 143   }
 144
 145   public function attachObject(PhabricatorUser $object) {
 146     $this->object = $object;
 147     return $this;
 148   }
 149
 150
 151 /* -(  PhabricatorPolicyInterface  )----------------------------------------- */
 152
 153
 154   public function getCapabilities() {
 155     return array(
 156       PhabricatorPolicyCapability::CAN_VIEW,
 157       PhabricatorPolicyCapability::CAN_EDIT,
 158     );
 159   }
 160
 161   public function getPolicy($capability) {
 162     return $this->getObject()->getPolicy($capability);
 163   }
 164
 165   public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
 166     return $this->getObject()->hasAutomaticCapability($capability, $viewer);
 167   }
 168
 169   public function describeAutomaticCapability($capability) {
 170     return pht(
 171       'Conduit tokens inherit the policies of the user they authenticate.');
 172   }
 173
 174 }