OAuthServer polish and random sauce

Summary:
This diff makes the OAuthServer more compliant with the spec by
- making it return well-formatted error codes with error types from the spec.
- making it respect the "state" variable, which is a transparent variable the
client passes and the server passes back
- making it be super, duper compliant with respect to redirect uris
-- if specified in authorization step, check if its valid relative to the client
registered URI and if so save it
-- if specified in authorization step, check if its been specified in the access
step and error if it doesn't match or doesn't exist
-- note we don't make any use of it in the access step which seems strange but
hey, that's what the spec says!
This diff makes the OAuthServer suck less by
- making the "cancel" button do something in the user authorization flow
- making the client list view and client edit view be a bit more usable around
client secrets
- fixing a few bugs I managed to introduce along the way

Test Plan:
- create a test phabricator client, updated my conf, and then linked and
unlinked phabricator to itself
- wrote some tests for PhabricatorOAuthServer -- they pass!
-- these validate the various validate URI checks
- tried a few important authorization calls
--
http://phabricator.dev/oauthserver/auth/?client_id=X&state=test&redirect_uri=http://www.evil.com
--- verified error'd from mismatching redirect uri's
--- verified state parameter in response
--- verified did not redirect to client redirect uri
-- http://phabricator.dev/oauthserver/auth/?client_id=X w/ existing
authorization
--- got redirected to proper client url with error that response_type not
specified
-- http://phabricator.dev/oauthserver/auth/?client_id=X&response_type=code w/
existing authorization
--- got redirected to proper client url with pertinent code!
- tried a few important access calls
-- verified appropriate errors if missing any required parameters
-- verified good access code with appropriate other variables resulted in an
access token
- verified that if redirect_uri set correctly in authorization required for
access and errors if differs at all / only succeeds if exactly the same

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley, ajtrichards

Maniphest Tasks: T889, T906, T897

Differential Revision: https://secure.phabricator.com/D1727

Author: bobtrahan

resources/sql/patches/112.oauthaccesscoderedirecturi.sql

@@ -0,0 +1,3 @@
+ALTER TABLE `phabricator_oauth_server`.`oauth_server_oauthserverauthorizationcode`
+  ADD `redirectURI` varchar(255) NOT NULL
+

src/__phutil_library_map__.php

@@ -645,6 +645,7 @@
     'PhabricatorOAuthServerController' => 'applications/oauthserver/controller/base',
     'PhabricatorOAuthServerDAO' => 'applications/oauthserver/storage/base',
     'PhabricatorOAuthServerScope' => 'applications/oauthserver/scope',
+    'PhabricatorOAuthServerTestCase' => 'applications/oauthserver/server/__tests__',
     'PhabricatorOAuthServerTestController' => 'applications/oauthserver/controller/test',
     'PhabricatorOAuthServerTokenController' => 'applications/oauthserver/controller/token',
     'PhabricatorOAuthUnlinkController' => 'applications/auth/controller/unlink',
@@ -1408,6 +1409,7 @@
     'PhabricatorOAuthServerClient' => 'PhabricatorOAuthServerDAO',
     'PhabricatorOAuthServerController' => 'PhabricatorController',
     'PhabricatorOAuthServerDAO' => 'PhabricatorLiskDAO',
+    'PhabricatorOAuthServerTestCase' => 'PhabricatorTestCase',
     'PhabricatorOAuthServerTestController' => 'PhabricatorOAuthServerController',
     'PhabricatorOAuthServerTokenController' => 'PhabricatorAuthController',
     'PhabricatorOAuthUnlinkController' => 'PhabricatorAuthController',

src/aphront/response/base/AphrontResponse.php

@@ -114,6 +114,9 @@ public function getCacheHeaders() {
       $headers[] = array(
         'Cache-Control',
         'private, no-cache, no-store, must-revalidate');
+      $headers[] = array(
+        'Pragma',
+        'no-cache');
       $headers[] = array(
         'Expires',
         'Sat, 01 Jan 2000 00:00:00 GMT');

src/applications/auth/oauth/provider/phabricator/PhabricatorOAuthProviderPhabricator.php

@@ -18,9 +18,20 @@
 
 final class PhabricatorOAuthProviderPhabricator
 extends PhabricatorOAuthProvider {
-
   private $userData;
 
+  public function getExtraAuthParameters() {
+    return array(
+      'response_type' => 'code',
+    );
+  }
+
+  public function getExtraTokenParameters() {
+    return array(
+      'grant_type' => 'authorization_code',
+    );
+
+  }
   public function decodeTokenResponse($response) {
     $decoded = json_decode($response, true);
     if (!is_array($decoded)) {
@@ -85,7 +96,7 @@ public function getUserInfoURI() {
   }
 
   public function getMinimumScope() {
-    return 'email';
+    return 'whoami';
   }
 
   public function setUserData($data) {

src/applications/oauthserver/controller/auth/PhabricatorOAuthServerAuthController.php

@@ -27,78 +27,135 @@ public function shouldRequireLogin() {
   }
 
   public function processRequest() {
-    $request      = $this->getRequest();
-    $current_user = $request->getUser();
-    $server       = new PhabricatorOAuthServer($current_user);
-    $client_phid  = $request->getStr('client_id');
-    $scope        = $request->getStr('scope');
-    $redirect_uri = $request->getStr('redirect_uri');
-    $response     = new PhabricatorOAuthResponse();
-    $errors       = array();
+    $request       = $this->getRequest();
+    $current_user  = $request->getUser();
+    $server        = new PhabricatorOAuthServer();
+    $client_phid   = $request->getStr('client_id');
+    $scope         = $request->getStr('scope');
+    $redirect_uri  = $request->getStr('redirect_uri');
+    $state         = $request->getStr('state');
+    $response_type = $request->getStr('response_type');
+    $response      = new PhabricatorOAuthResponse();
 
+    // state is an opaque value the client sent us for their own purposes
+    // we just need to send it right back to them in the response!
+    if ($state) {
+      $response->setState($state);
+    }
     if (!$client_phid) {
-      return $response->setMalformed(
+      $response->setError('invalid_request');
+      $response->setErrorDescription(
         'Required parameter client_id not specified.'
       );
+      return $response;
     }
-    $client = id(new PhabricatorOAuthServerClient())
-      ->loadOneWhere('phid = %s', $client_phid);
-    if (!$client) {
-      return $response->setNotFound(
-        'Client with id '.$client_phid.' not found. '
-      );
-    }
-
-    $server->setClient($client);
-    if ($server->userHasAuthorizedClient()) {
-      $return_auth_code = true;
-      $unguarded_write  = AphrontWriteGuard::beginScopedUnguardedWrites();
-    } else if ($request->isFormPost()) {
-      $scope = PhabricatorOAuthServerScope::getScopesFromRequest($request);
-      $server->authorizeClient($scope);
-      $return_auth_code = true;
-      $unguarded_write  = null;
-    } else {
-      $return_auth_code = false;
-      $unguarded_write  = null;
-    }
-
-    if ($return_auth_code) {
-      // step 1 -- generate authorization code
-      $auth_code =
-        $server->generateAuthorizationCode();
+    $server->setUser($current_user);
 
-      // step 2 -- error or return it
-      if (!$auth_code) {
-        $errors[] = 'Failed to generate an authorization code. '.
-                    'Try again.';
+    // one giant try / catch around all the exciting database stuff so we
+    // can return a 'server_error' response if something goes wrong!
+    try {
+      $client = id(new PhabricatorOAuthServerClient())
+        ->loadOneWhere('phid = %s', $client_phid);
+      if (!$client) {
+        $response->setError('invalid_request');
+        $response->setErrorDescription(
+          'Client with id '.$client_phid.' not found.'
+        );
+        return $response;
+      }
+      $server->setClient($client);
+      if ($redirect_uri) {
+        $client_uri   = new PhutilURI($client->getRedirectURI());
+        $redirect_uri = new PhutilURI($redirect_uri);
+        if (!($server->validateSecondaryRedirectURI($redirect_uri,
+                                                    $client_uri))) {
+          $response->setError('invalid_request');
+          $response->setErrorDescription(
+            'The specified redirect URI is invalid. The redirect URI '.
+            'must be a fully-qualified domain with no fragments and '.
+            'must have the same domain and at least the same query '.
+            'parameters as the redirect URI the client registered.'
+          );
+          return $response;
+        }
+        $uri              = $redirect_uri;
+        $access_token_uri = $uri;
       } else {
-        $client_uri = new PhutilURI($client->getRedirectURI());
-        if (!$redirect_uri) {
-          $uri = $client_uri;
-        } else {
-          $redirect_uri = new PhutilURI($redirect_uri);
-          if ($redirect_uri->getDomain() !=
-              $client_uri->getDomain()) {
-            $uri = $client_uri;
-          } else {
-            $uri = $redirect_uri;
-          }
+        $uri              = new PhutilURI($client->getRedirectURI());
+        $access_token_uri = null;
+      }
+      // we've now validated this request enough overall such that we
+      // can safely redirect to the client with the response
+      $response->setClientURI($uri);
+
+      if (empty($response_type)) {
+        $response->setError('invalid_request');
+        $response->setErrorDescription(
+          'Required parameter response_type not specified.'
+        );
+        return $response;
+      }
+      if ($response_type != 'code') {
+        $response->setError('unsupported_response_type');
+        $response->setErrorDescription(
+          'The authorization server does not support obtaining an '.
+          'authorization code using the specified response_type. '.
+          'You must specify the response_type as "code".'
+        );
+        return $response;
+      }
+      if ($scope) {
+        if (!PhabricatorOAuthServerScope::validateScopesList($scope)) {
+          $response->setError('invalid_scope');
+          $response->setErrorDescription(
+            'The requested scope is invalid, unknown, or malformed.'
+          );
+          return $response;
         }
+        $scope = PhabricatorOAuthServerScope::scopesListToDict($scope);
+      }
 
-        $uri->setQueryParam('code', $auth_code->getCode());
-        return $response->setRedirect($uri);
+      $authorization = $server->userHasAuthorizedClient($scope);
+      if ($authorization) {
+        $return_auth_code = true;
+        $unguarded_write  = AphrontWriteGuard::beginScopedUnguardedWrites();
+      } else if ($request->isFormPost()) {
+        $scope = PhabricatorOAuthServerScope::getScopesFromRequest($request);
+        $authorization    = $server->authorizeClient($scope);
+        $return_auth_code = true;
+        $unguarded_write  = null;
+      } else {
+        $return_auth_code = false;
+        $unguarded_write  = null;
       }
-    }
-    unset($unguarded_write);
 
-    $error_view = null;
-    if ($errors) {
-      $error_view = new AphrontErrorView();
-      $error_view->setTitle('Authorization Code Errors');
-      $error_view->setErrors($errors);
+      if ($return_auth_code) {
+        // step 1 -- generate authorization code
+        $auth_code =
+          $server->generateAuthorizationCode($access_token_uri);
+
+        // step 2 return it
+        $content = array(
+          'code'  => $auth_code->getCode(),
+          'scope' => $authorization->getScopeString(),
+        );
+        $response->setContent($content);
+        return $response->setClientURI($uri);
+      }
+      unset($unguarded_write);
+    } catch (Exception $e) {
+      // Note we could try harder to determine between a server_error
+      // vs temporarily_unavailable.  Good enough though.
+      $response->setError('server_error');
+      $response->setErrorDescription(
+        'The authorization server encountered an unexpected condition '.
+        'which prevented it from fulfilling the request. '
+      );
+      return $response;
     }
 
+    // display time -- make a nice form for the user to grant the client
+    // access to the granularity specified by $scope
     $name  = phutil_escape_html($client->getName());
     $title = 'Authorize ' . $name . '?';
     $panel = new AphrontPanelView();
@@ -109,10 +166,30 @@ public function processRequest() {
       "Do want to authorize {$name} to access your ".
       "Phabricator account data?";
 
-    $desired_scopes = array(
-      PhabricatorOAuthServerScope::SCOPE_WHOAMI => 1,
-      PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS => 1
+    if ($scope) {
+      $desired_scopes = $scope;
+      if (!PhabricatorOAuthServerScope::validateScopesDict($desired_scopes)) {
+        $response->setError('invalid_scope');
+        $response->setErrorDescription(
+          'The requested scope is invalid, unknown, or malformed.'
+        );
+        return $response;
+      }
+    } else {
+      $desired_scopes = array(
+        PhabricatorOAuthServerScope::SCOPE_WHOAMI         => 1,
+        PhabricatorOAuthServerScope::SCOPE_OFFLINE_ACCESS => 1
+      );
+    }
+
+    $cancel_uri = $this->getClientURI($client, $redirect_uri);
+    $cancel_params = array(
+      'error' => 'access_denied',
+      'error_description' =>
+        'The resource owner (aka the user) denied the request.'
     );
+    $cancel_uri->setQueryParams($cancel_params);
+
     $form = id(new AphrontFormView())
       ->setUser($current_user)
       ->appendChild(
@@ -125,15 +202,14 @@ public function processRequest() {
       ->appendChild(
         id(new AphrontFormSubmitControl())
         ->setValue('Authorize')
-        ->addCancelButton('/')
+        ->addCancelButton($cancel_uri)
       );
-    // TODO -- T889 (make "cancel" do something more sensible)
 
     $panel->appendChild($form);
 
     return $this->buildStandardPageResponse(
-      array($error_view,
-            $panel),
+            $panel,
       array('title' => $title));
   }
+
 }

src/applications/oauthserver/controller/auth/__init__.php

@@ -15,7 +15,6 @@
 phutil_require_module('phabricator', 'view/form/base');
 phutil_require_module('phabricator', 'view/form/control/static');
 phutil_require_module('phabricator', 'view/form/control/submit');
-phutil_require_module('phabricator', 'view/form/error');
 phutil_require_module('phabricator', 'view/layout/panel');
 
 phutil_require_module('phutil', 'markup');

src/applications/oauthserver/controller/client/edit/PhabricatorOAuthClientEditController.php

@@ -78,25 +78,33 @@ public function processRequest() {
           ->setForbiddenText($message);
       }
       $submit_button = 'Save OAuth Client';
+      $secret        = null;
     // new client - much simpler
     } else {
-      $client = new PhabricatorOAuthServerClient();
-      $title  = 'Create OAuth Client';
+      $client        = new PhabricatorOAuthServerClient();
+      $title         = 'Create OAuth Client';
       $submit_button = 'Create OAuth Client';
+      $secret        = Filesystem::readRandomCharacters(32);
     }
 
     if ($request->isFormPost()) {
       $redirect_uri = $request->getStr('redirect_uri');
       $client->setName($request->getStr('name'));
       $client->setRedirectURI($redirect_uri);
-      $client->setSecret(Filesystem::readRandomCharacters(32));
+      if ($secret) {
+        $client->setSecret($secret);
+      }
       $client->setCreatorPHID($current_user->getPHID());
       $uri = new PhutilURI($redirect_uri);
-      if (!$this->validateRedirectURI($uri)) {
+      $server = new PhabricatorOAuthServer();
+      if (!$server->validateRedirectURI($uri)) {
         $error = new AphrontErrorView();
         $error->setSeverity(AphrontErrorView::SEVERITY_ERROR);
         $error->setTitle(
-          'Redirect URI must be a fully qualified domain name.'
+          'Redirect URI must be a fully qualified domain name '.
+          'with no fragments. See '.
+          'http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 '.
+          'for more information on the correct format.'
         );
         $bad_redirect = true;
       } else {
@@ -140,7 +148,7 @@ public function processRequest() {
           ->setValue($phid)
         )
         ->appendChild(
-          id(new AphrontFormTextControl())
+          id(new AphrontFormStaticControl())
           ->setLabel('Secret')
           ->setValue($client->getSecret())
         );
@@ -185,13 +193,4 @@ public function processRequest() {
     );
   }
 
-  private function validateRedirectURI(PhutilURI $uri) {
-    if (PhabricatorEnv::isValidRemoteWebResource($uri)) {
-      if ($uri->getDomain()) {
-        return true;
-      }
-    }
-    return false;
-  }
-
 }

src/applications/oauthserver/controller/client/edit/__init__.php

@@ -10,8 +10,8 @@
 phutil_require_module('phabricator', 'aphront/response/404');
 phutil_require_module('phabricator', 'aphront/response/redirect');
 phutil_require_module('phabricator', 'applications/oauthserver/controller/client/base');
+phutil_require_module('phabricator', 'applications/oauthserver/server');
 phutil_require_module('phabricator', 'applications/oauthserver/storage/client');
-phutil_require_module('phabricator', 'infrastructure/env');
 phutil_require_module('phabricator', 'view/form/base');
 phutil_require_module('phabricator', 'view/form/control/static');
 phutil_require_module('phabricator', 'view/form/control/submit');