summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorByron Jones <glob@mozilla.com>2015-03-09 07:29:44 +0100
committerByron Jones <glob@mozilla.com>2015-03-09 07:29:44 +0100
commitde0781fdf4a15d824d880afb012d548a084f79b8 (patch)
treecf250a41a4e45e47b622a608124fec731919dcba
parent243d66a36e96729452b031b0cf67eed53c221782 (diff)
downloadbugzilla-de0781fdf4a15d824d880afb012d548a084f79b8.tar.gz
bugzilla-de0781fdf4a15d824d880afb012d548a084f79b8.tar.xz
Bug 1139755: Allow API authentication with X-Headers
r=dkl,a=glob
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm2
-rw-r--r--Bugzilla/WebService/Server/REST.pm2
-rw-r--r--Bugzilla/WebService/Util.pm20
3 files changed, 21 insertions, 3 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 70b8fd96c..2b5c7ec9b 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -379,7 +379,7 @@ sub _argument_type_check {
# Update the params to allow for several convenience key/values
# use for authentication
- fix_credentials($params);
+ fix_credentials($params, $self->cgi);
Bugzilla->input_params($params);
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index 940045b26..d02ba5523 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -76,7 +76,7 @@ sub handle {
my $params = $self->_retrieve_json_params;
- fix_credentials($params);
+ fix_credentials($params, $self->cgi);
# Fix includes/excludes for each call
rest_include_exclude($params);
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index a0a51a8de..5d7dd7dd6 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -16,6 +16,7 @@ use Bugzilla::FlagType;
use Bugzilla::Error;
use Storable qw(dclone);
+use URI::Escape qw(uri_unescape);
use parent qw(Exporter);
@@ -260,8 +261,25 @@ sub params_to_objects {
return \@objects;
}
+use constant X_HEADERS => {
+ X_BUGZILLA_LOGIN => 'Bugzilla_login',
+ X_BUGZILLA_PASSWORD => 'Bugzilla_password',
+ X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
+ X_BUGZILLA_TOKEN => 'Bugzilla_token',
+};
+
sub fix_credentials {
- my ($params) = @_;
+ my ($params, $cgi) = @_;
+
+ # Allow user to pass in authentication details in X-Headers
+ # This allows callers to keep credentials out of GET request query-strings
+ if ($cgi) {
+ foreach my $field (keys %{ X_HEADERS() }) {
+ next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) eq '';
+ $params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field));
+ }
+ }
+
# Allow user to pass in login=foo&password=bar as a convenience
# even if not calling GET /login. We also do not delete them as
# GET /login requires "login" and "password".