OAuth - Phabricator OAuth server and Phabricator client for new Phabricator OAuth Server

Summary:
adds a Phabricator OAuth server, which has three big commands:
 - auth - allows $user to authorize a given client or application.  if $user has already authorized, it hands an authoization code back to $redirect_uri
 - token - given a valid authorization code, this command returns an authorization token
 - whoami - Conduit.whoami, all nice and purdy relative to the oauth server.
Also has a "test" handler, which I used to create some test data.  T850 will
delete this as it adds the ability to create this data in the Phabricator
product.

This diff also adds the corresponding client in Phabricator for the Phabricator
OAuth Server.  (Note that clients are known as "providers" in the Phabricator
codebase but client makes more sense relative to the server nomenclature)

Also, related to make this work well
 - clean up the diagnostics page by variabilizing the provider-specific
information and extending the provider classes as appropriate.
 - augment Conduit.whoami for more full-featured OAuth support, at least where
the Phabricator client is concerned

What's missing here...   See T844, T848, T849, T850, and T852.

Test Plan:
- created a dummy client via the test handler.   setup development.conf to have
have proper variables for this dummy client.  went through authorization and
de-authorization flows
- viewed the diagnostics page for all known oauth providers and saw
provider-specific debugging information

Reviewers: epriestley

CC: aran, epriestley

Maniphest Tasks: T44, T797

Differential Revision: https://secure.phabricator.com/D1595

Author: bobtrahan

conf/default.conf.php

@@ -329,7 +329,7 @@
   'account.minimum-password-length'  => 8,
 
 
-// --  Facebook  ------------------------------------------------------------ //
+// -- Facebook OAuth -------------------------------------------------------- //
 
   // Can users use Facebook credentials to login to Phabricator?
   'facebook.auth-enabled'       => false,
@@ -348,7 +348,7 @@
   'facebook.application-secret' => null,
 
 
-// -- GitHub ---------------------------------------------------------------- //
+// -- GitHub OAuth ---------------------------------------------------------- //
 
   // Can users use GitHub credentials to login to Phabricator?
   'github.auth-enabled'         => false,
@@ -367,7 +367,7 @@
   'github.application-secret'   => null,
 
 
-// -- Google ---------------------------------------------------------------- //
+// -- Google OAuth ---------------------------------------------------------- //
 
   // Can users use Google credentials to login to Phabricator?
   'google.auth-enabled'         => false,
@@ -385,6 +385,30 @@
   // The Google "Client Secret" to use for Google API access.
   'google.application-secret'   => null,
 
+// -- Phabricator OAuth ----------------------------------------------------- //
+
+  // Meta-town -- Phabricator is itself an OAuth Provider
+  // TODO -- T887 -- make this support multiple Phabricator instances!
+
+  // The URI of the Phabricator instance to use as an OAuth server.
+  'phabricator.oauth-uri'            => null,
+
+  // Can users use Phabricator credentials to login to Phabricator?
+  'phabricator.auth-enabled'         => false,
+
+  // Can users use Phabricator credentials to create new Phabricator accounts?
+  'phabricator.registration-enabled' => true,
+
+  // Are Phabricator accounts permanently linked to Phabricator accounts, or can
+  // the user unlink them?
+  'phabricator.auth-permanent'       => false,
+
+  // The Phabricator "Client ID" to use for Phabricator API access.
+  'phabricator.application-id'       => null,
+
+  // The Phabricator "Client Secret" to use for Phabricator API access.
+  'phabricator.application-secret'   => null,
+
 // -- Recaptcha ------------------------------------------------------------- //
 
   // Is Recaptcha enabled? If disabled, captchas will not appear. You should

resources/sql/patches/106.chatlog.sql

@@ -8,4 +8,4 @@ CREATE TABLE phabricator_chatlog.chatlog_event (
   message LONGBLOB NOT NULL,
   loggedByPHID VARCHAR(64) BINARY NOT NULL,
   KEY (channel, epoch)
-);
+);

resources/sql/patches/107.oauthserver.sql

@@ -0,0 +1,51 @@
+CREATE DATABASE IF NOT EXISTS `phabricator_oauth_server`;
+
+CREATE TABLE `phabricator_oauth_server`.`oauth_server_oauthserverclient` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `phid` varchar(64) BINARY NOT NULL,
+  `name` varchar(255) NOT NULL,
+  `secret` varchar(32) NOT NULL,
+  `redirectURI` varchar(255) NOT NULL,
+  `creatorPHID` varchar(64) BINARY NOT NULL,
+  `dateCreated` int(10) unsigned NOT NULL,
+  `dateModified` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `phid` (`phid`)
+) ENGINE=InnoDB;
+
+CREATE TABLE `phabricator_oauth_server`.`oauth_server_oauthclientauthorization` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `phid` varchar(64) BINARY NOT NULL,
+  `userPHID` varchar(64) BINARY NOT NULL,
+  `clientPHID` varchar(64) BINARY NOT NULL,
+  `dateCreated` int(10) unsigned NOT NULL,
+  `dateModified` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `phid` (`phid`),
+  UNIQUE KEY `userPHID` (`userPHID`,`clientPHID`)
+) ENGINE=InnoDB;
+
+CREATE TABLE `phabricator_oauth_server`.`oauth_server_oauthserverauthorizationcode` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `code` varchar(32) NOT NULL,
+  `clientPHID` varchar(64) BINARY NOT NULL,
+  `clientSecret` varchar(32) NOT NULL,
+  `userPHID` varchar(64) BINARY NOT NULL,
+  `dateCreated` int(10) unsigned NOT NULL,
+  `dateModified` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `code` (`code`)
+) ENGINE=InnoDB;
+
+CREATE TABLE `phabricator_oauth_server`.`oauth_server_oauthserveraccesstoken` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `token` varchar(32) NOT NULL,
+  `userPHID` varchar(64) BINARY NOT NULL,
+  `clientPHID` varchar(64) BINARY NOT NULL,
+  `dateExpires` int(10) unsigned NOT NULL,
+  `dateCreated` int(10) unsigned NOT NULL,
+  `dateModified` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `token` (`token`)
+) ENGINE=InnoDB;
+

src/__phutil_library_map__.php

@@ -597,6 +597,7 @@
     'PhabricatorMetaMTASendGridReceiveController' => 'applications/metamta/controller/sendgridreceive',
     'PhabricatorMetaMTAViewController' => 'applications/metamta/controller/view',
     'PhabricatorMySQLFileStorageEngine' => 'applications/files/engine/mysql',
+    'PhabricatorOAuthClientAuthorization' => 'applications/oauthserver/storage/clientauthorization',
     'PhabricatorOAuthDefaultRegistrationController' => 'applications/auth/controller/oauthregistration/default',
     'PhabricatorOAuthDiagnosticsController' => 'applications/auth/controller/oauthdiagnostics',
     'PhabricatorOAuthFailureView' => 'applications/auth/view/oauthfailure',
@@ -605,7 +606,17 @@
     'PhabricatorOAuthProviderFacebook' => 'applications/auth/oauth/provider/facebook',
     'PhabricatorOAuthProviderGitHub' => 'applications/auth/oauth/provider/github',
     'PhabricatorOAuthProviderGoogle' => 'applications/auth/oauth/provider/google',
+    'PhabricatorOAuthProviderPhabricator' => 'applications/auth/oauth/provider/phabricator',
     'PhabricatorOAuthRegistrationController' => 'applications/auth/controller/oauthregistration/base',
+    'PhabricatorOAuthResponse' => 'applications/oauthserver/response',
+    'PhabricatorOAuthServer' => 'applications/oauthserver/server',
+    'PhabricatorOAuthServerAccessToken' => 'applications/oauthserver/storage/accesstoken',
+    'PhabricatorOAuthServerAuthController' => 'applications/oauthserver/controller/auth',
+    'PhabricatorOAuthServerAuthorizationCode' => 'applications/oauthserver/storage/authorizationcode',
+    'PhabricatorOAuthServerClient' => 'applications/oauthserver/storage/client',
+    'PhabricatorOAuthServerDAO' => 'applications/oauthserver/storage/base',
+    'PhabricatorOAuthServerTestController' => 'applications/oauthserver/controller/test',
+    'PhabricatorOAuthServerTokenController' => 'applications/oauthserver/controller/token',
     'PhabricatorOAuthUnlinkController' => 'applications/auth/controller/unlink',
     'PhabricatorObjectAttachmentEditor' => 'applications/search/editor/attach',
     'PhabricatorObjectGraph' => 'applications/phid/graph',
@@ -1324,14 +1335,24 @@
     'PhabricatorMetaMTASendGridReceiveController' => 'PhabricatorMetaMTAController',
     'PhabricatorMetaMTAViewController' => 'PhabricatorMetaMTAController',
     'PhabricatorMySQLFileStorageEngine' => 'PhabricatorFileStorageEngine',
+    'PhabricatorOAuthClientAuthorization' => 'PhabricatorOAuthServerDAO',
     'PhabricatorOAuthDefaultRegistrationController' => 'PhabricatorOAuthRegistrationController',
     'PhabricatorOAuthDiagnosticsController' => 'PhabricatorAuthController',
     'PhabricatorOAuthFailureView' => 'AphrontView',
     'PhabricatorOAuthLoginController' => 'PhabricatorAuthController',
     'PhabricatorOAuthProviderFacebook' => 'PhabricatorOAuthProvider',
     'PhabricatorOAuthProviderGitHub' => 'PhabricatorOAuthProvider',
     'PhabricatorOAuthProviderGoogle' => 'PhabricatorOAuthProvider',
+    'PhabricatorOAuthProviderPhabricator' => 'PhabricatorOAuthProvider',
     'PhabricatorOAuthRegistrationController' => 'PhabricatorAuthController',
+    'PhabricatorOAuthResponse' => 'AphrontResponse',
+    'PhabricatorOAuthServerAccessToken' => 'PhabricatorOAuthServerDAO',
+    'PhabricatorOAuthServerAuthController' => 'PhabricatorAuthController',
+    'PhabricatorOAuthServerAuthorizationCode' => 'PhabricatorOAuthServerDAO',
+    'PhabricatorOAuthServerClient' => 'PhabricatorOAuthServerDAO',
+    'PhabricatorOAuthServerDAO' => 'PhabricatorLiskDAO',
+    'PhabricatorOAuthServerTestController' => 'PhabricatorAuthController',
+    'PhabricatorOAuthServerTokenController' => 'PhabricatorAuthController',
     'PhabricatorOAuthUnlinkController' => 'PhabricatorAuthController',
     'PhabricatorObjectGraph' => 'AbstractDirectedGraph',
     'PhabricatorObjectHandleStatus' => 'PhabricatorObjectHandleConstants',

src/aphront/default/configuration/AphrontDefaultApplicationConfiguration.php

@@ -151,6 +151,12 @@ public function getURIMap() {
         ),
       ),
 
+      '/oauthserver/' => array(
+        'auth/' => 'PhabricatorOAuthServerAuthController',
+        'token/' => 'PhabricatorOAuthServerTokenController',
+        'test/' => 'PhabricatorOAuthServerTestController',
+      ),
+
       '/xhprof/' => array(
         'profile/(?P<phid>[^/]+)/$' => 'PhabricatorXHProfProfileController',
       ),

src/aphront/response/ajax/AphrontAjaxResponse.php

@@ -35,9 +35,8 @@ public function buildResponseString() {
       $this->content,
       $this->error);
 
-    return $this->encodeJSONForHTTPResponse(
-      $object,
-      $use_javelin_shield = true);
+    $response_json = $this->encodeJSONForHTTPResponse($object);
+    return $this->addJSONShield($response_json, $use_javelin_shield = true);
   }
 
   public function getHeaders() {

src/aphront/response/base/AphrontResponse.php

@@ -84,6 +84,11 @@ protected function encodeJSONForHTTPResponse(
       array('\u003c', '\u003e'),
       $response);
 
+    return $response;
+  }
+
+  protected function addJSONShield($json_response, $use_javelin_shield) {
+
     // Add a shield to prevent "JSON Hijacking" attacks where an attacker
     // requests a JSON response using a normal <script /> tag and then uses
     // Object.prototype.__defineSetter__() or similar to read response data.
@@ -96,7 +101,7 @@ protected function encodeJSONForHTTPResponse(
       ? 'for (;;);'
       : 'for(;;);';
 
-    $response = $shield.$response;
+    $response = $shield.$json_response;
 
     return $response;
   }

src/aphront/response/json/AphrontJSONResponse.php

@@ -29,10 +29,8 @@ public function setContent($content) {
   }
 
   public function buildResponseString() {
-    $response = $this->encodeJSONForHTTPResponse(
-      $this->content,
-      $use_javelin_shield = false);
-    return $response;
+    $response = $this->encodeJSONForHTTPResponse($this->content);
+    return $this->addJSONShield($response, $use_javelin_shield = false);
   }
 
   public function getHeaders() {

src/applications/auth/oauth/provider/base/PhabricatorOAuthProvider.php

@@ -21,6 +21,7 @@ abstract class PhabricatorOAuthProvider {
   const PROVIDER_FACEBOOK    = 'facebook';
   const PROVIDER_GITHUB      = 'github';
   const PROVIDER_GOOGLE      = 'google';
+  const PROVIDER_PHABRICATOR = 'phabricator';
 
   private $accessToken;
 
@@ -108,6 +109,9 @@ public static function newProvider($which) {
       case self::PROVIDER_GOOGLE:
         $class = 'PhabricatorOAuthProviderGoogle';
         break;
+      case self::PROVIDER_PHABRICATOR:
+        $class = 'PhabricatorOAuthProviderPhabricator';
+        break;
       default:
         throw new Exception('Unknown OAuth provider.');
     }
@@ -120,6 +124,7 @@ public static function getAllProviders() {
       self::PROVIDER_FACEBOOK,
       self::PROVIDER_GITHUB,
       self::PROVIDER_GOOGLE,
+      self::PROVIDER_PHABRICATOR,
     );
     $providers = array();
     foreach ($all as $provider) {

src/applications/auth/oauth/provider/phabricator/PhabricatorOAuthProviderPhabricator.php

@@ -0,0 +1,127 @@
+<?php
+
+/*
+ * Copyright 2012 Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+final class PhabricatorOAuthProviderPhabricator
+extends PhabricatorOAuthProvider {
+
+  private $userData;
+
+  public function decodeTokenResponse($response) {
+    $decoded = json_decode($response, true);
+    if (!is_array($decoded)) {
+      throw new Exception('Invalid token response.');
+    }
+    return $decoded;
+  }
+
+  public function getProviderKey() {
+    return self::PROVIDER_PHABRICATOR;
+  }
+
+  public function getProviderName() {
+    return 'Phabricator';
+  }
+
+  public function isProviderEnabled() {
+    return PhabricatorEnv::getEnvConfig('phabricator.auth-enabled');
+  }
+
+  public function isProviderLinkPermanent() {
+    return PhabricatorEnv::getEnvConfig('phabricator.auth-permanent');
+  }
+
+  public function isProviderRegistrationEnabled() {
+    return PhabricatorEnv::getEnvConfig('phabricator.registration-enabled');
+  }
+
+  public function getClientID() {
+    return PhabricatorEnv::getEnvConfig('phabricator.application-id');
+  }
+
+  public function renderGetClientIDHelp() {
+    return null;
+  }
+
+  public function getClientSecret() {
+    return PhabricatorEnv::getEnvConfig('phabricator.application-secret');
+  }
+
+  public function renderGetClientSecretHelp() {
+    return null;
+  }
+
+  public function getAuthURI() {
+    return $this->getURI('/oauthserver/auth/');
+  }
+
+  public function getTestURIs() {
+    return array(
+      $this->getURI('/'),
+      $this->getURI('/api/user.whoami/')
+    );
+  }
+
+  public function getTokenURI() {
+    return $this->getURI('/oauthserver/token/');
+  }
+
+  public function getUserInfoURI() {
+    return $this->getURI('/api/user.whoami/');
+  }
+
+  public function getMinimumScope() {
+    return 'email';
+  }
+
+  public function setUserData($data) {
+    $data = json_decode($data, true);
+    $this->userData = $data['result'];
+    return $this;
+  }
+
+  public function retrieveUserID() {
+    return $this->userData['phid'];
+  }
+
+  public function retrieveUserEmail() {
+    return $this->userData['email'];
+  }
+
+  public function retrieveUserAccountName() {
+    return $this->userData['userName'];
+  }
+
+  public function retrieveUserProfileImage() {
+    $uri = $this->userData['image'];
+    return @file_get_contents($uri);
+  }
+
+  public function retrieveUserAccountURI() {
+    return $this->userData['uri'];
+  }
+
+  public function retrieveUserRealName() {
+    return $this->userData['realName'];
+  }
+
+  private function getURI($path) {
+    return
+      rtrim(PhabricatorEnv::getEnvConfig('phabricator.oauth-uri'), '/') .
+      $path;
+  }
+}

src/applications/auth/oauth/provider/phabricator/__init__.php

@@ -0,0 +1,13 @@
+<?php
+/**
+ * This file is automatically generated. Lint this module to rebuild it.
+ * @generated
+ */
+
+
+
+phutil_require_module('phabricator', 'applications/auth/oauth/provider/base');
+phutil_require_module('phabricator', 'infrastructure/env');
+
+
+phutil_require_source('PhabricatorOAuthProviderPhabricator.php');