Add CSRF to SMS challenges, and pave the way for more MFA types (including Duo)

Summary:
Depends on D20026. Ref T13222. Ref T13231. The primary change here is that we'll no longer send you an SMS if you hit an MFA gate without CSRF tokens.

Then there's a lot of support for genralizing into Duo (and other push factors, potentially), I'll annotate things inline.

Test Plan: Implemented Duo, elsewhere.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13231, T13222

Differential Revision: https://secure.phabricator.com/D20028

Author: epriestley

resources/celerity/map.php

@@ -9,7 +9,7 @@
   'names' => array(
     'conpherence.pkg.css' => '3c8a0668',
     'conpherence.pkg.js' => '020aebcf',
-    'core.pkg.css' => 'a66ea2e7',
+    'core.pkg.css' => 'e0cb8094',
     'core.pkg.js' => '5c737607',
     'differential.pkg.css' => 'b8df73d4',
     'differential.pkg.js' => '67c9ea4c',
@@ -151,15 +151,15 @@
     'rsrc/css/phui/phui-document.css' => '52b748a5',
     'rsrc/css/phui/phui-feed-story.css' => 'a0c05029',
     'rsrc/css/phui/phui-fontkit.css' => '9b714a5e',
-    'rsrc/css/phui/phui-form-view.css' => '9508671e',
+    'rsrc/css/phui/phui-form-view.css' => '0807e7ac',
     'rsrc/css/phui/phui-form.css' => '159e2d9c',
     'rsrc/css/phui/phui-head-thing.css' => 'd7f293df',
     'rsrc/css/phui/phui-header-view.css' => '93cea4ec',
     'rsrc/css/phui/phui-hovercard.css' => '6ca90fa0',
     'rsrc/css/phui/phui-icon-set-selector.css' => '7aa5f3ec',
     'rsrc/css/phui/phui-icon.css' => '281f964d',
     'rsrc/css/phui/phui-image-mask.css' => '62c7f4d2',
-    'rsrc/css/phui/phui-info-view.css' => 'f9464caf',
+    'rsrc/css/phui/phui-info-view.css' => '37b8d9ce',
     'rsrc/css/phui/phui-invisible-character-view.css' => 'c694c4a4',
     'rsrc/css/phui/phui-left-right.css' => '68513c34',
     'rsrc/css/phui/phui-lightbox.css' => '4ebf22da',
@@ -817,15 +817,15 @@
     'phui-font-icon-base-css' => 'd7994e06',
     'phui-fontkit-css' => '9b714a5e',
     'phui-form-css' => '159e2d9c',
-    'phui-form-view-css' => '9508671e',
+    'phui-form-view-css' => '0807e7ac',
     'phui-head-thing-view-css' => 'd7f293df',
     'phui-header-view-css' => '93cea4ec',
     'phui-hovercard' => '074f0783',
     'phui-hovercard-view-css' => '6ca90fa0',
     'phui-icon-set-selector-css' => '7aa5f3ec',
     'phui-icon-view-css' => '281f964d',
     'phui-image-mask-css' => '62c7f4d2',
-    'phui-info-view-css' => 'f9464caf',
+    'phui-info-view-css' => '37b8d9ce',
     'phui-inline-comment-view-css' => '48acce5b',
     'phui-invisible-character-view-css' => 'c694c4a4',
     'phui-left-right-css' => '68513c34',

src/__phutil_library_map__.php

@@ -2239,6 +2239,7 @@
     'PhabricatorAuthFactorProviderTransactionType' => 'applications/auth/xaction/PhabricatorAuthFactorProviderTransactionType.php',
     'PhabricatorAuthFactorProviderViewController' => 'applications/auth/controller/mfa/PhabricatorAuthFactorProviderViewController.php',
     'PhabricatorAuthFactorResult' => 'applications/auth/factor/PhabricatorAuthFactorResult.php',
+    'PhabricatorAuthFactorResultException' => 'applications/auth/exception/PhabricatorAuthFactorResultException.php',
     'PhabricatorAuthFactorTestCase' => 'applications/auth/factor/__tests__/PhabricatorAuthFactorTestCase.php',
     'PhabricatorAuthFinishController' => 'applications/auth/controller/PhabricatorAuthFinishController.php',
     'PhabricatorAuthHMACKey' => 'applications/auth/storage/PhabricatorAuthHMACKey.php',
@@ -7965,6 +7966,7 @@
     'PhabricatorAuthFactorProviderTransactionType' => 'PhabricatorModularTransactionType',
     'PhabricatorAuthFactorProviderViewController' => 'PhabricatorAuthFactorProviderController',
     'PhabricatorAuthFactorResult' => 'Phobject',
+    'PhabricatorAuthFactorResultException' => 'Exception',
     'PhabricatorAuthFactorTestCase' => 'PhabricatorTestCase',
     'PhabricatorAuthFinishController' => 'PhabricatorAuthController',
     'PhabricatorAuthHMACKey' => 'PhabricatorAuthDAO',

src/aphront/handler/PhabricatorHighSecurityRequestExceptionHandler.php

@@ -38,10 +38,14 @@ public function handleRequestThrowable(
       $request);
 
     $is_wait = false;
+    $is_continue = false;
     foreach ($results as $result) {
       if ($result->getIsWait()) {
         $is_wait = true;
-        break;
+      }
+
+      if ($result->getIsContinue()) {
+        $is_continue = true;
       }
     }
 
@@ -55,7 +59,7 @@ public function handleRequestThrowable(
 
     if ($is_wait) {
       $submit = pht('Wait Patiently');
-    } else if ($is_upgrade) {
+    } else if ($is_upgrade && !$is_continue) {
       $submit = pht('Enter High Security');
     } else {
       $submit = pht('Continue');
@@ -74,19 +78,21 @@ public function handleRequestThrowable(
     $form_layout = $form->buildLayoutView();
 
     if ($is_upgrade) {
+      $messages = array(
+        pht(
+          'You are taking an action which requires you to enter '.
+          'high security.'),
+      );
+
+      $info_view = id(new PHUIInfoView())
+        ->setSeverity(PHUIInfoView::SEVERITY_MFA)
+        ->setErrors($messages);
+
       $dialog
-        ->setErrors(
-          array(
-            pht(
-              'You are taking an action which requires you to enter '.
-              'high security.'),
-          ))
+        ->appendChild($info_view)
         ->appendParagraph(
           pht(
-            'High security mode helps protect your account from security '.
-            'threats, like session theft or someone messing with your stuff '.
-            'while you\'re grabbing a coffee. To enter high security mode, '.
-            'confirm your credentials.'))
+            'To enter high security mode, confirm your credentials:'))
         ->appendChild($form_layout)
         ->appendParagraph(
           pht(

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

@@ -47,6 +47,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
 
 
   private $workflowKey;
+  private $request;
 
   public function setWorkflowKey($workflow_key) {
     $this->workflowKey = $workflow_key;
@@ -65,6 +66,10 @@ public function getWorkflowKey() {
     return $this->workflowKey;
   }
 
+  public function getRequest() {
+    return $this->request;
+  }
+
 
   /**
    * Get the session kind (e.g., anonymous, user, external account) from a
@@ -480,6 +485,7 @@ private function newHighSecurityToken(
       return $this->issueHighSecurityToken($session, true);
     }
 
+    $this->request = $request;
     foreach ($factors as $factor) {
       $factor->setSessionEngine($this);
     }
@@ -523,10 +529,17 @@ private function newHighSecurityToken(
       $provider = $factor->getFactorProvider();
       $impl = $provider->getFactor();
 
-      $new_challenges = $impl->getNewIssuedChallenges(
-        $factor,
-        $viewer,
-        $issued_challenges);
+      try {
+        $new_challenges = $impl->getNewIssuedChallenges(
+          $factor,
+          $viewer,
+          $issued_challenges);
+      } catch (PhabricatorAuthFactorResultException $ex) {
+        $ok = false;
+        $validation_results[$factor_phid] = $ex->getResult();
+        $challenge_map[$factor_phid] = $issued_challenges;
+        continue;
+      }
 
       foreach ($new_challenges as $new_challenge) {
         $issued_challenges[] = $new_challenge;
@@ -546,7 +559,10 @@ private function newHighSecurityToken(
         continue;
       }
 
-      $ok = false;
+      if (!$result->getIsValid()) {
+        $ok = false;
+      }
+
       $validation_results[$factor_phid] = $result;
     }
 

src/applications/auth/exception/PhabricatorAuthFactorResultException.php

@@ -0,0 +1,17 @@
+<?php
+
+final class PhabricatorAuthFactorResultException
+  extends Exception {
+
+  private $result;
+
+  public function __construct(PhabricatorAuthFactorResult $result) {
+    $this->result = $result;
+    parent::__construct();
+  }
+
+  public function getResult() {
+    return $this->result;
+  }
+
+}

src/applications/auth/factor/PhabricatorAuthFactor.php

@@ -232,6 +232,16 @@ abstract protected function newResultFromChallengeResponse(
   final protected function newAutomaticControl(
     PhabricatorAuthFactorResult $result) {
 
+    $is_error = $result->getIsError();
+    if ($is_error) {
+      return $this->newErrorControl($result);
+    }
+
+    $is_continue = $result->getIsContinue();
+    if ($is_continue) {
+      return $this->newContinueControl($result);
+    }
+
     $is_answered = (bool)$result->getAnsweredChallenge();
     if ($is_answered) {
       return $this->newAnsweredControl($result);
@@ -271,6 +281,34 @@ private function newAnsweredControl(
         pht('You responded to this challenge correctly.'));
   }
 
+  private function newErrorControl(
+    PhabricatorAuthFactorResult $result) {
+
+    $error = $result->getErrorMessage();
+
+    $icon = id(new PHUIIconView())
+      ->setIcon('fa-times', 'red');
+
+    return id(new PHUIFormTimerControl())
+      ->setIcon($icon)
+      ->appendChild($error)
+      ->setError(pht('Error'));
+  }
+
+  private function newContinueControl(
+    PhabricatorAuthFactorResult $result) {
+
+    $error = $result->getErrorMessage();
+
+    $icon = id(new PHUIIconView())
+      ->setIcon('fa-commenting', 'green');
+
+    return id(new PHUIFormTimerControl())
+      ->setIcon($icon)
+      ->appendChild($error);
+  }
+
+
 
 /* -(  Synchronizing New Factors  )------------------------------------------ */
 
@@ -400,4 +438,86 @@ final protected function getChallengeForCurrentContext(
     return null;
   }
 
+
+  /**
+   * @phutil-external-symbol class QRcode
+   */
+  final protected function newQRCode($uri) {
+    $root = dirname(phutil_get_library_root('phabricator'));
+    require_once $root.'/externals/phpqrcode/phpqrcode.php';
+
+    $lines = QRcode::text($uri);
+
+    $total_width = 240;
+    $cell_size = floor($total_width / count($lines));
+
+    $rows = array();
+    foreach ($lines as $line) {
+      $cells = array();
+      for ($ii = 0; $ii < strlen($line); $ii++) {
+        if ($line[$ii] == '1') {
+          $color = '#000';
+        } else {
+          $color = '#fff';
+        }
+
+        $cells[] = phutil_tag(
+          'td',
+          array(
+            'width' => $cell_size,
+            'height' => $cell_size,
+            'style' => 'background: '.$color,
+          ),
+          '');
+      }
+      $rows[] = phutil_tag('tr', array(), $cells);
+    }
+
+    return phutil_tag(
+      'table',
+      array(
+        'style' => 'margin: 24px auto;',
+      ),
+      $rows);
+  }
+
+  final protected function throwResult(PhabricatorAuthFactorResult $result) {
+    throw new PhabricatorAuthFactorResultException($result);
+  }
+
+  final protected function getInstallDisplayName() {
+    $uri = PhabricatorEnv::getURI('/');
+    $uri = new PhutilURI($uri);
+    return $uri->getDomain();
+  }
+
+  final protected function getChallengeResponseParameterName(
+    PhabricatorAuthFactorConfig $config) {
+    return $this->getParameterName($config, 'mfa.response');
+  }
+
+  final protected function getChallengeResponseFromRequest(
+    PhabricatorAuthFactorConfig $config,
+    AphrontRequest $request) {
+
+    $name = $this->getChallengeResponseParameterName($config);
+
+    $value = $request->getStr($name);
+    $value = (string)$value;
+    $value = trim($value);
+
+    return $value;
+  }
+
+  final protected function hasCSRF(PhabricatorAuthFactorConfig $config) {
+    $engine = $config->getSessionEngine();
+    $request = $engine->getRequest();
+
+    if (!$request->isHTTPPost()) {
+      return false;
+    }
+
+    return $request->validateCSRF();
+  }
+
 }

src/applications/auth/factor/PhabricatorAuthFactorResult.php

@@ -5,6 +5,8 @@ final class PhabricatorAuthFactorResult
 
   private $answeredChallenge;
   private $isWait = false;
+  private $isError = false;
+  private $isContinue = false;
   private $errorMessage;
   private $value;
   private $issuedChallenges = array();
@@ -44,6 +46,24 @@ public function getIsWait() {
     return $this->isWait;
   }
 
+  public function setIsError($is_error) {
+    $this->isError = $is_error;
+    return $this;
+  }
+
+  public function getIsError() {
+    return $this->isError;
+  }
+
+  public function setIsContinue($is_continue) {
+    $this->isContinue = $is_continue;
+    return $this;
+  }
+
+  public function getIsContinue() {
+    return $this->isContinue;
+  }
+
   public function setErrorMessage($error_message) {
     $this->errorMessage = $error_message;
     return $this;