diff options
author | David Lawrence <dkl@mozilla.com> | 2015-03-09 07:38:38 +0100 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-03-09 07:38:38 +0100 |
commit | 1049c71f1ae6ed9404501675b1faf5d92ead05a0 (patch) | |
tree | f39baab1fe611a4f03bb4d4b0940f51584df16e9 | |
parent | 66a30b69f73012e64cfe1f78710cf095ddab2a3d (diff) | |
download | bugzilla-1049c71f1ae6ed9404501675b1faf5d92ead05a0.tar.gz bugzilla-1049c71f1ae6ed9404501675b1faf5d92ead05a0.tar.xz |
Bug 1140458: backport upstream bug 1139755 to bmo/master to allow API authentication with X-Headers
-rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 2 | ||||
-rw-r--r-- | Bugzilla/WebService/Server/REST.pm | 2 | ||||
-rw-r--r-- | Bugzilla/WebService/Util.pm | 20 |
3 files changed, 21 insertions, 3 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index b0928960b..aa3d1ee75 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -390,7 +390,7 @@ sub _argument_type_check { # Update the params to allow for several convenience key/values # use for authentication - fix_credentials($params); + fix_credentials($params, $self->cgi); Bugzilla->input_params($params); diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm index 5f1a6a321..72d94acf6 100644 --- a/Bugzilla/WebService/Server/REST.pm +++ b/Bugzilla/WebService/Server/REST.pm @@ -74,7 +74,7 @@ sub handle { my $params = $self->_retrieve_json_params; - fix_credentials($params); + fix_credentials($params, $self->cgi); # Fix includes/excludes for each call rest_include_exclude($params); diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm index 44bfb1f70..9bd079330 100644 --- a/Bugzilla/WebService/Util.pm +++ b/Bugzilla/WebService/Util.pm @@ -27,6 +27,7 @@ use Bugzilla::FlagType; use Bugzilla::Error; use Storable qw(dclone); +use URI::Escape qw(uri_unescape); use base qw(Exporter); @@ -270,8 +271,25 @@ sub params_to_objects { return \@objects; } +use constant X_HEADERS => { + X_BUGZILLA_LOGIN => 'Bugzilla_login', + X_BUGZILLA_PASSWORD => 'Bugzilla_password', + X_BUGZILLA_API_KEY => 'Bugzilla_api_key', + X_BUGZILLA_TOKEN => 'Bugzilla_token', +}; + sub fix_credentials { - my ($params) = @_; + my ($params, $cgi) = @_; + + # Allow user to pass in authentication details in X-Headers + # This allows callers to keep credentials out of GET request query-strings + if ($cgi) { + foreach my $field (keys %{ X_HEADERS() }) { + next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) eq ''; + $params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field)); + } + } + # Allow user to pass in login=foo&password=bar as a convenience # even if not calling GET /login. We also do not delete them as # GET /login requires "login" and "password". |