Forbid disabled devices from authenticating via SSH or HTTP

Summary:
Ref T13641. Phabricator sometimes makes intracluster requests that authenticate as a device.

Forbid these requests from authenticating as a disabled device.

Test Plan:
  - Ran `bin/ssh-exec --phabricator-ssh-device ...` as an enabled/disabled device (worked; sensible error).
  - Made Conduit calls as an enable/disabled device (worked; sensible error).

Maniphest Tasks: T13641

Differential Revision: https://secure.phabricator.com/D21635

Author: epriestley

scripts/ssh/ssh-exec.php

@@ -146,6 +146,14 @@
           $device_name));
     }
 
+    if ($device->isDisabled()) {
+      throw new Exception(
+        pht(
+          'This request has authenticated as a device ("%s"), but this '.
+          'device is disabled.',
+          $device->getName()));
+    }
+
     // We're authenticated as a device, but we're going to read the user out of
     // the command below.
     $is_cluster_request = true;

src/applications/conduit/controller/PhabricatorConduitAPIController.php

@@ -238,6 +238,16 @@ private function authenticateUser(
       if ($object instanceof PhabricatorUser) {
         $user = $object;
       } else {
+        if ($object->isDisabled()) {
+          return array(
+            'ERR-INVALID-AUTH',
+            pht(
+              'The key which signed this request is associated with a '.
+              'disabled device ("%s").',
+              $object->getName()),
+          );
+        }
+
         if (!$stored_key->getIsTrusted()) {
           return array(
             'ERR-INVALID-AUTH',