authorDylan William Hardison <dylan@hardison.net>2015-08-24 20:50:16 +0200
committerDylan William Hardison <dylan@hardison.net>2015-08-24 20:50:16 +0200
commit07a68c6d4fa62432c9668176b4876133d45cce0e (patch)
tree9052bb9e238c10ba1fd803474d94a6e37d555f29
parent5fd2b62a573eb1eaef834367008be0e24e1fca57 (diff)
downloadbugzilla-07a68c6d4fa62432c9668176b4876133d45cce0e.tar.gz
bugzilla-07a68c6d4fa62432c9668176b4876133d45cce0e.tar.xz
Bug 1175643 - Rewrite auth delegation to use a server-side POST instead of a client-side GET to delegate API Key
r/a=dkl
-rwxr-xr-xauth.cgi39
-rw-r--r--template/en/default/global/user-error.html.tmpl9
2 files changed, 44 insertions, 4 deletions
diff --git a/auth.cgi b/auth.cgi
index 5da16a914..8bb6862dc 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -23,6 +23,8 @@ use Bugzilla::Mailer qw(MessageToMTA);
use URI;
use URI::QueryParam;
use Digest::SHA qw(sha256_hex);
+use LWP::UserAgent ();
+use JSON qw(decode_json encode_json);
Bugzilla->login(LOGIN_REQUIRED);
@@ -88,10 +90,39 @@ if ($confirmed || $skip_confirmation) {
MessageToMTA($message);
}
- $callback_uri->query_param(client_api_key => $api_key->api_key);
- $callback_uri->query_param(client_api_login => $user->login);
-
- print $cgi->redirect($callback_uri);
+ my $ua = LWP::UserAgent->new();
+ $ua->timeout(2);
+ $ua->protocols_allowed(['http', 'https']);
+ # If the URL of the proxy is given, use it, else get this information
+ # from the environment variable.
+ my $proxy_url = Bugzilla->params->{'proxy_url'};
+ if ($proxy_url) {
+ $ua->proxy(['http', 'https'], $proxy_url);
+ }
+ else {
+ $ua->env_proxy;
+ }
+ my $content = encode_json({ client_api_key => $api_key->api_key,
+ client_api_login => $user->login });
+ my $resp = $ua->post($callback_uri,
+ 'Content-Type' => 'application/json',
+ Content => $content);
+ if ($resp->code == 200) {
+ $callback_uri->query_param(client_api_login => $user->login);
+ eval {
+ my $data = decode_json($resp->content);
+ $callback_uri->query_param(callback_result => $data->{result});
+ };
+ if ($@) {
+ ThrowUserError('auth_delegation_json_error', { json_text => $resp->content });
+ }
+ else {
+ print $cgi->redirect($callback_uri);
+ }
+ }
+ else {
+ ThrowUserError('auth_delegation_post_error', { code => $resp->code });
+ }
}
else {
$args{token} = issue_auth_delegation_token($callback);
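Review bot: The `$ua->post($callback_uri, ...)` call makes Bugzilla fetch a user-chosen URL server-side, and the `auth_delegation_json_error` branch then reflects the raw response body of whatever host answered, so a callback pointing at an internal HTTP service that returns 200 with non-JSON will have that service's response rendered on the error page. Unless the callback is already constrained to an allowlist or to public hosts before this point (not visible in the hunk), the target should be checked here — at minimum require the `https` scheme, since `protocols_allowed(['http','https'])` still lets the API key travel in cleartext, and reject loopback, link-local and RFC1918 addresses — and the error page should not echo the body, e.g. `ThrowUserError('auth_delegation_post_error', { code => $resp->code })` for both failure modes with the content only written to the server log. Separately, `$data->{result}` is placed straight into the redirect query string without confirming that `$data` is a hash or that `result` is a defined non-reference scalar; a guard like `die "bad result" unless ref $data eq 'HASH' && defined $data->{result} && !ref $data->{result};` inside the eval keeps undef or stringified references out of the URL. The enclosing `if ($confirmed || $skip_confirmation)` block starts before the hunk, so the creation of `$api_key` is not visible, but when the POST or JSON check fails the freshly issued key presumably remains valid for a consumer that never received it, so revoking it in the error branches is worth considering.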
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 710928562..81d5055c6 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -140,6 +140,15 @@
[% title = "Auth delegation can't be confirmed" %]
Auth delegation cannot be confirmed due to missing or invalid token.
+ [% ELSIF error == "auth_delegation_json_error" %]
+ [% title = "Auth delegation received invalid JSON" %]
+ Auth delegation received an invalid JSON response from auth consumer:
+ <pre>[% json_text FILTER html %]</pre>
+
+ [% ELSIF error == "auth_delegation_post_error" %]
+ [% title = "Auth delegation received invalid status code" %]
+ Auth delegation received an HTTP response other than 200 OK from auth consumer. Code: [% code FILTER html %]
+
[% ELSIF error == "auth_failure" %]
[% title = "Authorization Required" %]
[% admindocslinks = {'groups.html' => 'Group Security'} %]