authorbugreport%peshkin.net <>2004-07-21 07:41:18 +0200
committerbugreport%peshkin.net <>2004-07-21 07:41:18 +0200
commit7bdd1cbe564883cd12abee3657e671e97e85a8e5 (patch)
tree06dd7387c408735c32fa425489ace9a50115dd5d /Bugzilla/Auth
parent899f61d64550dfd9452972cea600505cc8c7d4e3 (diff)
Bug 241900: Allow Bugzilla::Auth to have multiple login and validation styles
patch by erik r=joel, kiko a=myk
Diffstat (limited to 'Bugzilla/Auth')
-rw-r--r--Bugzilla/Auth/Login/WWW.pm109
-rw-r--r--Bugzilla/Auth/Login/WWW/CGI.pm (renamed from Bugzilla/Auth/CGI.pm)23
-rw-r--r--Bugzilla/Auth/Login/WWW/CGI/Cookie.pm (renamed from Bugzilla/Auth/Cookie.pm)8
-rw-r--r--Bugzilla/Auth/README138
-rw-r--r--Bugzilla/Auth/Verify/DB.pm (renamed from Bugzilla/Auth/DB.pm)19
-rw-r--r--Bugzilla/Auth/Verify/LDAP.pm (renamed from Bugzilla/Auth/LDAP.pm)19
6 files changed, 296 insertions, 20 deletions
diff --git a/Bugzilla/Auth/Login/WWW.pm b/Bugzilla/Auth/Login/WWW.pm
new file mode 100644
index 000000000..2c45562d2
--- /dev/null
+++ b/Bugzilla/Auth/Login/WWW.pm
@@ -0,0 +1,109 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Erik Stambaugh <erik@dasbistro.com>
+
+package Bugzilla::Auth::Login::WWW;
+
+use strict;
+
+use Bugzilla::Constants;
+use Bugzilla::Config;
+
+# $current_login_class stores the name of the login style that succeeded.
+my $current_login_class = undef;
+sub login_class {
+ my ($class, $type) = @_;
+ if ($type) {
+ $current_login_class = $type;
+ }
+ return $current_login_class;
+}
+
+sub login {
+ my ($class, $type) = @_;
+
+ my $user = Bugzilla->user;
+
+ # Avoid double-logins, which may confuse the auth code
+ # (double cookies, odd compat code settings, etc)
+ # This is particularly important given the munging for
+ # $::COOKIE{'Bugzilla_login'} from a userid to a loginname
+ # (for backwards compat)
+ if (defined $user) {
+ return $user;
+ }
+
+ $type = LOGIN_NORMAL unless defined $type;
+
+ # Log in using whatever methods are defined in user_info_class.
+ # Please note the particularly strange way require() and the function
+ # calls are being done, because we're calling a module that's named in
+ # a string. I assure you it works, and it avoids the need for an eval().
+ my $userid;
+ for my $login_class (split(/,\s*/, Param('user_info_class'))) {
+ require "Bugzilla/Auth/Login/WWW/" . $login_class . ".pm";
+ $userid = "Bugzilla::Auth::Login::WWW::$login_class"->login($type);
+ if ($userid) {
+ $class->login_class("Bugzilla::Auth::Login::WWW::$login_class");
+ last;
+ }
+ }
+
+ if ($userid) {
+ $user = new Bugzilla::User($userid);
+
+ # Compat stuff
+ $::userid = $userid;
+
+ # Evil compat hack. The cookie stores the id now, not the name, but
+ # old code still looks at this to get the current user's email
+ # so it needs to be set.
+ $::COOKIE{'Bugzilla_login'} = $user->login;
+ } else {
+ Bugzilla->logout_request();
+ }
+ return $user;
+}
+
+sub logout {
+ my ($class, $user, $option) = @_;
+ if ($class->login_class) {
+ $class->login_class->logout($user, $option);
+ }
+}
+
+1;
+
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::Login::WWW - WWW login information gathering module
+
+=head1 METHODS
+
+=item C<login>
+
+Passes C<login> calls to each class defined in the param C<user_info_class>
+and returns a C<Bugzilla::User> object from the first one that successfully
+gathers user login information.
+
+
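Review bot: Each entry of `user_info_class` is spliced straight into a `require` path and a package name in the loop at lines 89–91 without any validation, so a stray character in the param becomes part of a file path or of a method call on an arbitrary package; the param is admin-controlled, so this is defensive rather than a fix for untrusted input, but restricting entries to identifiers keeps the loop fail-closed, e.g. `next unless $login_class =~ /^\w+$/;` as the first statement of the loop body. The file has `use strict` but no `use warnings`. `$current_login_class` is a file-scoped lexical set once a login succeeds, so under a persistent interpreter it would presumably carry the previous request's value into the next one; a comment stating that assumption, or a reset at the top of `login`, is worth adding. The POD `=item C<login>` appears without an enclosing `=over`/`=back`, which podchecker flags.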
diff --git a/Bugzilla/Auth/CGI.pm b/Bugzilla/Auth/Login/WWW/CGI.pm
index 471e538e9..fb00cd018 100644
--- a/Bugzilla/Auth/CGI.pm
+++ b/Bugzilla/Auth/Login/WWW/CGI.pm
@@ -25,8 +25,9 @@
# Gervase Markham <gerv@gerv.net>
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
+# Erik Stambaugh <erik@dasbistro.com>
-package Bugzilla::Auth::CGI;
+package Bugzilla::Auth::Login::WWW::CGI;
use strict;
@@ -49,7 +50,7 @@ sub login {
my $username = $cgi->param("Bugzilla_login");
my $passwd = $cgi->param("Bugzilla_password");
- my $authmethod = Param("loginmethod");
+ my $authmethod = Param("user_verify_class");
my ($authres, $userid, $extra, $info) =
Bugzilla::Auth->authenticate($username, $passwd);
@@ -98,11 +99,11 @@ sub login {
$username = $cgi->cookie("Bugzilla_login");
$passwd = $cgi->cookie("Bugzilla_logincookie");
- require Bugzilla::Auth::Cookie;
+ require Bugzilla::Auth::Login::WWW::CGI::Cookie;
my $authmethod = "Cookie";
($authres, $userid, $extra) =
- Bugzilla::Auth::Cookie->authenticate($username, $passwd);
+ Bugzilla::Auth::Login::WWW::CGI::Cookie->authenticate($username, $passwd);
# If the data for the cookie was incorrect, then treat that as
# NODATA. This could occur if the user's IP changed, for example.
@@ -143,7 +144,8 @@ sub login {
{ 'target' => $cgi->url(-relative=>1),
'form' => \%::FORM,
'mform' => \%::MFORM,
- 'caneditaccount' => Bugzilla::Auth->can_edit,
+ 'caneditaccount' => Bugzilla::Auth->can_edit('new'),
+ 'has_db' => Bugzilla::Auth->has_db,
}
)
|| ThrowTemplateError($template->error());
@@ -216,7 +218,12 @@ sub logout {
undef, $cookie, $user->id);
} else {
die("Invalid option $option supplied to logout()");
- }
+ }
+
+ if ($option != LOGOUT_KEEP_CURRENT) {
+ clear_browser_cookies();
+ Bugzilla->logout_request();
+ }
}
sub clear_browser_cookies {
@@ -233,7 +240,7 @@ __END__
=head1 NAME
-Bugzilla::Auth::CGI - CGI-based logins for Bugzilla
+Bugzilla::Auth::Login::WWW::CGI - CGI-based logins for Bugzilla
=head1 SUMMARY
@@ -246,7 +253,7 @@ Users are first authenticated against the default authentication handler,
using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>.
If no data is present for that, then cookies are tried, using
-L<Bugzilla::Auth::Cookie>.
+L<Bugzilla::Auth::Login::WWW::CGI::Cookie>.
=head1 SEE ALSO
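Review bot: `$authmethod` in the second hunk now holds `Param("user_verify_class")`, which the new README describes as a comma-separated list of verify modules, whereas the old `loginmethod` value was a single method name; whatever uses `$authmethod` later in `login` (the sub's body extends outside the hunk) will see the whole list once more than one verifier is configured. If it is only meant to name the verifier for messages, taking the first entry preserves the old shape: `my ($authmethod) = split(/,\s*/, Param("user_verify_class"));`. In the logout hunk the new `if ($option != LOGOUT_KEEP_CURRENT)` block sits after the `die` for unknown options and so only ever sees valid values; a one-line comment such as `# Runs after option validation: tear down session state for every mode except "keep current"` would make that ordering dependency explicit for the next edit.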
diff --git a/Bugzilla/Auth/Cookie.pm b/Bugzilla/Auth/Login/WWW/CGI/Cookie.pm
index b50acbe24..84f2b27a8 100644
--- a/Bugzilla/Auth/Cookie.pm
+++ b/Bugzilla/Auth/Login/WWW/CGI/Cookie.pm
@@ -26,7 +26,7 @@
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
-package Bugzilla::Auth::Cookie;
+package Bugzilla::Auth::Login::WWW::CGI::Cookie;
use strict;
@@ -93,7 +93,7 @@ __END__
=head1 NAME
-Bugzilla::Cookie - cookie authentication for Bugzilla
+Bugzilla::Auth::Login::WWW::CGI::Cookie - cookie authentication for Bugzilla
=head1 SUMMARY
@@ -108,8 +108,8 @@ restricted to certain IP addresses as a security meaure. The exact
restriction can be specified by the admin via the C<loginnetmask> parameter.
This module does not ever send a cookie (It has no way of knowing when a user
-is successfully logged in). Instead L<Bugzilla::Auth::CGI> handles this.
+is successfully logged in). Instead L<Bugzilla::Auth::Login::WWW::CGI> handles this.
=head1 SEE ALSO
-L<Bugzilla::Auth>, L<Bugzilla::Auth::CGI>
+L<Bugzilla::Auth>, L<Bugzilla::Auth::Login::WWW::CGI>
diff --git a/Bugzilla/Auth/README b/Bugzilla/Auth/README
new file mode 100644
index 000000000..c765d4971
--- /dev/null
+++ b/Bugzilla/Auth/README
@@ -0,0 +1,138 @@
+How Auth Works
+==============
+Christian Reis <kiko@async.com.br>
+
+Overview
+--------
+
+Authentication in Bugzilla is handled by a collection of modules that live in
+the Bugzilla::Auth package. These modules are organized hierarchically based
+upon their responsibility.
+
+The authentication scheme is divided in two tasks: Login and Verify. Login
+involves gathering credentials from a user, while Verify validates them
+against an authentication service.
+
+The Bugzilla parameters user_info_class and user_verify_class contain a
+list of Login and Verify modules, respectively.
+
+Task: Login
+-----------
+
+This task obtains user credentials based on a request. Examples of requests
+include CGI access from the Bugzilla web interface, email submissions and
+credentials supplied by standalone scripts.
+
+Each type of Bugzilla front-end should have its own package. For instance,
+access via the Bugzilla web pages should go through Bugzilla::Auth::WWW.
+These packages would contain modules of their own to perform whatever extra
+functions are needed, like the CGI and Cookie modules in the case of WWW.
+
+Task: Verify
+------------
+
+This task validates user credentials against a user authentication service.
+
+The default service in Bugzilla has been the database, which stores the
+login_name and cryptpasswd fields in the profiles table. An alternative means
+of validation, LDAP, is already supported, and other contributions would be
+appreciated.
+
+The module layout is similar to the Login package, but there is no need for a
+sub-level as there is with Login request types.
+
+Params
+------
+
+There are two params that define behaviour for each authentication task. Each
+of them defines a comma-separated list of modules to be tried in order.
+
+ - user_info_class determines the module(s) used to obtain user
+ credentials. This param is specific to the requests from Bugzilla web
+ pages, so all of the listed modules live under
+ Bugzilla::Auth::Login::WWW
+
+ - user_verify_class determines the module(s) used to verify credentials.
+ This param is general and concerns the whole Bugzilla instance, since
+ the same back end should be used regardless of what front end is used.
+
+Responsibilities
+----------------
+
+Bugzilla::Auth
+
+ This module is responsible for abstracting away as much as possible the
+ login and logout tasks in Bugzilla.
+
+ It offers login() and logout() methods that are proxied to the selected
+ login and verify packages.
+
+Bugzilla::Auth::Login
+
+ This is a container to hold the various modules for each request type.
+
+Bugzilla::Auth::Login::WWW
+
+ This module is responsible for abstracting away details of which web-based
+ login modules exist and are in use. It offers login() and logout() methods
+ that proxy through to whatever specific modules
+
+Bugzilla::Auth::Verify
+
+ This module is responsible for abstracting away details of which
+ credential verification modules exist, and should proxy calls through to
+ them. There is a method that is particularly important, and which should
+ be proxied through to the specific:
+
+ can_edit($type)
+
+ This method takes an argument that specifies what sort of change
+ is being requested; the specific module should return 1 or 0 based
+ on the fact that it implements or not the required change.
+
+ Current values for $type are "new" for new accounts, and "userid",
+ "login_name", "realname" for their respective fields.
+
+Specific Login Modules
+----------------------
+
+ WWW
+
+ The main authentication frontend; regular pages (CGIs) should use only
+ this module. It offers a convenient frontend to the main functionality
+ that CGIs need, using form parameters and cookies.
+
+ - Cookie
+
+ Implements part of the backend code that deals with browser
+ cookies. It's actually tied in to DB.pm, so Cookie logins that use
+ LDAP won't work at all.
+
+ LDAP
+
+ The other authentication module is LDAP-based; it is *only* used for
+ password authentication and not for any other login-related task (it
+ actually relies on the database to handle the profile information).
+
+Legacy
+------
+
+Bugzilla.pm
+
+ There is glue code that currently lives in the top-level module
+ Bugzilla.pm; this module handles backwards-compatibility data that is used
+ in a number of CGIs. This data has been slowly removed from the Bugzilla
+ pages and eventually should go away completely, at which point Bugzilla.pm
+ will be just a wrapper to conveniently offer template, cgi, dbh and user
+ variables.
+
+ This module is meant to be used only by Bugzilla pages, and in the case of
+ a reorganization which moves CGI-specific code to a subdirectory,
+ Bugzilla.pm should go with it.
+
+$::COOKIE
+
+ There are still instances of use of $::COOKIE to obtain Logincookie
+ information; these should be removed as well.
+
+
diff --git a/Bugzilla/Auth/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index dee3b5db9..ec13bacf8 100644
--- a/Bugzilla/Auth/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -25,8 +25,9 @@
# Gervase Markham <gerv@gerv.net>
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
+# Erik Stambaugh <erik@dasbistro.com>
-package Bugzilla::Auth::DB;
+package Bugzilla::Auth::Verify::DB;
use strict;
@@ -34,6 +35,18 @@ use Bugzilla::Config;
use Bugzilla::Constants;
use Bugzilla::Util;
+my $edit_options = {
+ 'new' => 1,
+ 'userid' => 0,
+ 'login_name' => 1,
+ 'realname' => 1,
+};
+
+sub can_edit {
+ my ($class, $type) = @_;
+ return $edit_options->{$type};
+}
+
sub authenticate {
my ($class, $username, $passwd) = @_;
@@ -61,8 +74,6 @@ sub authenticate {
return (AUTH_OK, $userid);
}
-sub can_edit { return 1; }
-
sub get_id_from_username {
my ($class, $username) = @_;
my $dbh = Bugzilla->dbh;
@@ -111,7 +122,7 @@ __END__
=head1 NAME
-Bugzilla::Auth::DB - database authentication for Bugzilla
+Bugzilla::Auth::Verify::DB - database authentication for Bugzilla
=head1 SUMMARY
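Review bot: The new `can_edit` returns `$edit_options->{$type}` directly, so a `$type` that is not one of the four keys yields undef rather than 0; callers treating the result as a boolean will deny the edit, which fails closed, but a misspelled type in a caller is then indistinguishable from a genuine 0 and goes unnoticed. Returning an explicit 0 for unknown types, `return exists $edit_options->{$type} ? $edit_options->{$type} : 0;`, keeps the deny-by-default behaviour while making the contract visible; the identical `can_edit` added in Bugzilla/Auth/Verify/LDAP.pm has the same shape. A short comment above the hash, `# Which account fields this verifier lets Bugzilla create or change; see can_edit($type) in Bugzilla/Auth/README`, would tie the keys to the README's description.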
diff --git a/Bugzilla/Auth/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm
index c34c3698f..d5b115ca0 100644
--- a/Bugzilla/Auth/LDAP.pm
+++ b/Bugzilla/Auth/Verify/LDAP.pm
@@ -25,8 +25,9 @@
# Gervase Markham <gerv@gerv.net>
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
+# Erik Stambaugh <erik@dasbistro.com>
-package Bugzilla::Auth::LDAP;
+package Bugzilla::Auth::Verify::LDAP;
use strict;
@@ -35,6 +36,18 @@ use Bugzilla::Constants;
use Net::LDAP;
+my $edit_options = {
+ 'new' => 0,
+ 'userid' => 0,
+ 'login_name' => 0,
+ 'realname' => 0,
+};
+
+sub can_edit {
+ my ($class, $type) = @_;
+ return $edit_options->{$type};
+}
+
sub authenticate {
my ($class, $username, $passwd) = @_;
@@ -156,15 +169,13 @@ sub authenticate {
return (AUTH_OK, $userid);
}
-sub can_edit { return 0; }
-
1;
__END__
=head1 NAME
-Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla
+Bugzilla::Auth::Verify::LDAP - LDAP based authentication for Bugzilla
This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
Bugzilla, which logs the user in using an LDAP directory.