diff options
| author | bugreport%peshkin.net <> | 2004-07-21 07:41:18 +0200 |
|---|---|---|
| committer | bugreport%peshkin.net <> | 2004-07-21 07:41:18 +0200 |
| commit | 7bdd1cbe564883cd12abee3657e671e97e85a8e5 (patch) | |
| tree | 06dd7387c408735c32fa425489ace9a50115dd5d /Bugzilla | |
| parent | 899f61d64550dfd9452972cea600505cc8c7d4e3 (diff) | |
| download | bugzilla-7bdd1cbe564883cd12abee3657e671e97e85a8e5.tar.gz bugzilla-7bdd1cbe564883cd12abee3657e671e97e85a8e5.tar.xz | |
Bug 241900: Allow Bugzilla::Auth to have multiple login and validation styles
patch by erik
r=joel, kiko
a=myk
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/Auth.pm | 126 | ||||
| -rw-r--r-- | Bugzilla/Auth/Login/WWW.pm | 109 | ||||
| -rw-r--r-- | Bugzilla/Auth/Login/WWW/CGI.pm (renamed from Bugzilla/Auth/CGI.pm) | 23 | ||||
| -rw-r--r-- | Bugzilla/Auth/Login/WWW/CGI/Cookie.pm (renamed from Bugzilla/Auth/Cookie.pm) | 8 | ||||
| -rw-r--r-- | Bugzilla/Auth/README | 138 | ||||
| -rw-r--r-- | Bugzilla/Auth/Verify/DB.pm (renamed from Bugzilla/Auth/DB.pm) | 19 | ||||
| -rw-r--r-- | Bugzilla/Auth/Verify/LDAP.pm (renamed from Bugzilla/Auth/LDAP.pm) | 19 | ||||
| -rw-r--r-- | Bugzilla/Config.pm | 7 |
8 files changed, 401 insertions, 48 deletions
diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm index dcea8189a..71b125e45 100644 --- a/Bugzilla/Auth.pm +++ b/Bugzilla/Auth.pm @@ -18,6 +18,7 @@ # Rights Reserved. # # Contributor(s): Bradley Baetz <bbaetz@acm.org> +# Erik Stambaugh <erik@dasbistro.com> package Bugzilla::Auth; @@ -26,23 +27,34 @@ use strict; use Bugzilla::Config; use Bugzilla::Constants; -# 'inherit' from the main loginmethod +# The verification method that was successfully used upon login, if any +my $current_verify_class = undef; + +# 'inherit' from the main verify method BEGIN { - my $loginmethod = Param("loginmethod"); - if ($loginmethod =~ /^([A-Za-z0-9_\.\-]+)$/) { - $loginmethod = $1; - } - else { - die "Badly-named loginmethod '$loginmethod'"; + for my $verifyclass (split /,\s*/, Param("user_verify_class")) { + if ($verifyclass =~ /^([A-Za-z0-9_\.\-]+)$/) { + $verifyclass = $1; + } else { + die "Badly-named user_verify_class '$verifyclass'"; + } + require "Bugzilla/Auth/Verify/" . $verifyclass . ".pm"; } - require "Bugzilla/Auth/" . $loginmethod . ".pm"; - - our @ISA; - push (@ISA, "Bugzilla::Auth::" . $loginmethod); } # PRIVATE +# A number of features, like password change requests, require the DB +# verification method to be on the list. +sub has_db { + for (split (/[\s,]+/, Param("user_verify_class"))) { + if (/^DB$/) { + return 1; + } + } + return 0; +} + # Returns the network address for a given ip sub get_netaddr { my $ipaddr = shift; @@ -61,6 +73,53 @@ sub get_netaddr { return join(".", unpack("CCCC", pack("N", $addr))); } +# This is a replacement for the inherited authenticate function +# go through each of the available methods for each function +sub authenticate { + my $class = shift; + my @args = @_; + my @firstresult = (); + my @result = (); + for my $method (split /,\s*/, Param("user_verify_class")) { + $method = "Bugzilla::Auth::Verify::" . $method; + @result = $method->authenticate(@args); + @firstresult = @result unless @firstresult; + + if (($result[0] != AUTH_NODATA)&&($result[0] != AUTH_LOGINFAILED)) { + $current_verify_class = $method; + return @result; + } + } + @result = @firstresult; + # no auth match + + # see if we can set $current to the first verify method that + # will allow a new login + + for my $method (split /,\s*/, Param("user_verify_class")) { + $method = "Bugzilla::Auth::Verify::" . $method; + if ($method->can_edit('new')) { + $current_verify_class = $method; + } + } + + return @result; +} + +sub can_edit { + my ($class, $type) = @_; + if ($current_verify_class) { + return $current_verify_class->can_edit($type); + } + # $current_verify_class will not be set if the user isn't logged in. That + # happens when the user is trying to create a new account, which (for now) + # is hard-coded to work with DB. + elsif (has_db) { + return Bugzilla::Auth::Verify::DB->can_edit($type); + } + return 0; +} + 1; __END__ @@ -78,16 +137,8 @@ used to obtain the data (from CGI, email, etc), and the other set uses this data to authenticate against the datasource (the Bugzilla DB, LDAP, cookies, etc). -The handlers for the various types of authentication -(DB/LDAP/cookies/etc) provide the actual code for each specific method -of authentication. - -The source modules (currently, only -L<Bugzilla::Auth::CGI|Bugzilla::Auth::CGI>) then use those methods to do -the authentication. - -I<Bugzilla::Auth> itself inherits from the default authentication handler, -identified by the I<loginmethod> param. +Modules for obtaining the data are located under L<Bugzilla::Auth::Login>, and +modules for authenticating are located in L<Bugzilla::Auth::Verify>. =head1 METHODS @@ -108,7 +159,9 @@ only some addresses. =head1 AUTHENTICATION Authentication modules check a user's credentials (username, password, -etc) to verify who the user is. +etc) to verify who the user is. The methods that C<Bugzilla::Auth> uses for +authentication are wrappers that check all configured modules (via the +C<Param('user_info_class')> and C<Param('user_verify_class')>) in sequence. =head2 METHODS @@ -175,19 +228,36 @@ Note that this argument is a string, not a tag. =back +=item C<current_verify_class> + +This scalar gets populated with the full name (eg., +C<Bugzilla::Auth::Verify::DB>) of the verification method being used by the +current user. If no user is logged in, it will contain the name of the first +method that allows new users, if any. Otherwise, it carries an undefined +value. + =item C<can_edit> -This determines if the user's account details can be modified. If this -method returns a C<true> value, then accounts can be created and -modified through the Bugzilla user interface. Forgotten passwords can -also be retrieved through the L<Token interface|Bugzilla::Token>. +This determines if the user's account details can be modified. It returns a +reference to a hash with the keys C<userid>, C<login_name>, and C<realname>, +which determine whether their respective profile values may be altered, and +C<new>, which determines if new accounts may be created. + +Each user verification method (chosen with C<Param('user_verify_class')> has +its own set of can_edit values. Calls to can_edit return the appropriate +values for the current user's login method. + +If a user is not logged in, C<can_edit> will contain the values of the first +verify method that allows new users to be created, if available. Otherwise it +returns an empty hash. =back =head1 LOGINS A login module can be used to try to log in a Bugzilla user in a -particular way. For example, L<Bugzilla::Auth::CGI|Bugzilla::Auth::CGI> +particular way. For example, +L<Bugzilla::Auth::Login::WWW::CGI|Bugzilla::Auth::Login::WWW::CGI> logs in users from CGI scripts, first by using form variables, and then by trying cookies as a fallback. @@ -250,5 +320,5 @@ user-performed password changes. =head1 SEE ALSO -L<Bugzilla::Auth::CGI>, L<Bugzilla::Auth::Cookie>, L<Bugzilla::Auth::DB> +L<Bugzilla::Auth::Login::WWW::CGI>, L<Bugzilla::Auth::Login::WWW::CGI::Cookie>, L<Bugzilla::Auth::Verify::DB> diff --git a/Bugzilla/Auth/Login/WWW.pm b/Bugzilla/Auth/Login/WWW.pm new file mode 100644 index 000000000..2c45562d2 --- /dev/null +++ b/Bugzilla/Auth/Login/WWW.pm @@ -0,0 +1,109 @@ +# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Netscape Communications +# Corporation. Portions created by Netscape are +# Copyright (C) 1998 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): Erik Stambaugh <erik@dasbistro.com> + +package Bugzilla::Auth::Login::WWW; + +use strict; + +use Bugzilla::Constants; +use Bugzilla::Config; + +# $current_login_class stores the name of the login style that succeeded. +my $current_login_class = undef; +sub login_class { + my ($class, $type) = @_; + if ($type) { + $current_login_class = $type; + } + return $current_login_class; +} + +sub login { + my ($class, $type) = @_; + + my $user = Bugzilla->user; + + # Avoid double-logins, which may confuse the auth code + # (double cookies, odd compat code settings, etc) + # This is particularly important given the munging for + # $::COOKIE{'Bugzilla_login'} from a userid to a loginname + # (for backwards compat) + if (defined $user) { + return $user; + } + + $type = LOGIN_NORMAL unless defined $type; + + # Log in using whatever methods are defined in user_info_class. + # Please note the particularly strange way require() and the function + # calls are being done, because we're calling a module that's named in + # a string. I assure you it works, and it avoids the need for an eval(). + my $userid; + for my $login_class (split(/,\s*/, Param('user_info_class'))) { + require "Bugzilla/Auth/Login/WWW/" . $login_class . ".pm"; + $userid = "Bugzilla::Auth::Login::WWW::$login_class"->login($type); + if ($userid) { + $class->login_class("Bugzilla::Auth::Login::WWW::$login_class"); + last; + } + } + + if ($userid) { + $user = new Bugzilla::User($userid); + + # Compat stuff + $::userid = $userid; + + # Evil compat hack. The cookie stores the id now, not the name, but + # old code still looks at this to get the current user's email + # so it needs to be set. + $::COOKIE{'Bugzilla_login'} = $user->login; + } else { + Bugzilla->logout_request(); + } + return $user; +} + +sub logout { + my ($class, $user, $option) = @_; + if ($class->login_class) { + $class->login_class->logout($user, $option); + } +} + +1; + + +__END__ + +=head1 NAME + +Bugzilla::Auth::Login::WWW - WWW login information gathering module + +=head1 METHODS + +=item C<login> + +Passes C<login> calls to each class defined in the param C<user_info_class> +and returns a C<Bugzilla::User> object from the first one that successfully +gathers user login information. + + diff --git a/Bugzilla/Auth/CGI.pm b/Bugzilla/Auth/Login/WWW/CGI.pm index 471e538e9..fb00cd018 100644 --- a/Bugzilla/Auth/CGI.pm +++ b/Bugzilla/Auth/Login/WWW/CGI.pm @@ -25,8 +25,9 @@ # Gervase Markham <gerv@gerv.net> # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> +# Erik Stambaugh <erik@dasbistro.com> -package Bugzilla::Auth::CGI; +package Bugzilla::Auth::Login::WWW::CGI; use strict; @@ -49,7 +50,7 @@ sub login { my $username = $cgi->param("Bugzilla_login"); my $passwd = $cgi->param("Bugzilla_password"); - my $authmethod = Param("loginmethod"); + my $authmethod = Param("user_verify_class"); my ($authres, $userid, $extra, $info) = Bugzilla::Auth->authenticate($username, $passwd); @@ -98,11 +99,11 @@ sub login { $username = $cgi->cookie("Bugzilla_login"); $passwd = $cgi->cookie("Bugzilla_logincookie"); - require Bugzilla::Auth::Cookie; + require Bugzilla::Auth::Login::WWW::CGI::Cookie; my $authmethod = "Cookie"; ($authres, $userid, $extra) = - Bugzilla::Auth::Cookie->authenticate($username, $passwd); + Bugzilla::Auth::Login::WWW::CGI::Cookie->authenticate($username, $passwd); # If the data for the cookie was incorrect, then treat that as # NODATA. This could occur if the user's IP changed, for example. @@ -143,7 +144,8 @@ sub login { { 'target' => $cgi->url(-relative=>1), 'form' => \%::FORM, 'mform' => \%::MFORM, - 'caneditaccount' => Bugzilla::Auth->can_edit, + 'caneditaccount' => Bugzilla::Auth->can_edit('new'), + 'has_db' => Bugzilla::Auth->has_db, } ) || ThrowTemplateError($template->error()); @@ -216,7 +218,12 @@ sub logout { undef, $cookie, $user->id); } else { die("Invalid option $option supplied to logout()"); - } + } + + if ($option != LOGOUT_KEEP_CURRENT) { + clear_browser_cookies(); + Bugzilla->logout_request(); + } } sub clear_browser_cookies { @@ -233,7 +240,7 @@ __END__ =head1 NAME -Bugzilla::Auth::CGI - CGI-based logins for Bugzilla +Bugzilla::Auth::Login::WWW::CGI - CGI-based logins for Bugzilla =head1 SUMMARY @@ -246,7 +253,7 @@ Users are first authenticated against the default authentication handler, using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>. If no data is present for that, then cookies are tried, using -L<Bugzilla::Auth::Cookie>. +L<Bugzilla::Auth::Login::WWW::CGI::Cookie>. =head1 SEE ALSO diff --git a/Bugzilla/Auth/Cookie.pm b/Bugzilla/Auth/Login/WWW/CGI/Cookie.pm index b50acbe24..84f2b27a8 100644 --- a/Bugzilla/Auth/Cookie.pm +++ b/Bugzilla/Auth/Login/WWW/CGI/Cookie.pm @@ -26,7 +26,7 @@ # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> -package Bugzilla::Auth::Cookie; +package Bugzilla::Auth::Login::WWW::CGI::Cookie; use strict; @@ -93,7 +93,7 @@ __END__ =head1 NAME -Bugzilla::Cookie - cookie authentication for Bugzilla +Bugzilla::Auth::Login::WWW::CGI::Cookie - cookie authentication for Bugzilla =head1 SUMMARY @@ -108,8 +108,8 @@ restricted to certain IP addresses as a security meaure. The exact restriction can be specified by the admin via the C<loginnetmask> parameter. This module does not ever send a cookie (It has no way of knowing when a user -is successfully logged in). Instead L<Bugzilla::Auth::CGI> handles this. +is successfully logged in). Instead L<Bugzilla::Auth::Login::WWW::CGI> handles this. =head1 SEE ALSO -L<Bugzilla::Auth>, L<Bugzilla::Auth::CGI> +L<Bugzilla::Auth>, L<Bugzilla::Auth::Login::WWW::CGI> diff --git a/Bugzilla/Auth/README b/Bugzilla/Auth/README new file mode 100644 index 000000000..c765d4971 --- /dev/null +++ b/Bugzilla/Auth/README @@ -0,0 +1,138 @@ +How Auth Works +============== +Christian Reis <kiko@async.com.br> + +Overview +-------- + +Authentication in Bugzilla is handled by a collection of modules that live in +the Bugzilla::Auth package. These modules are organized hierarchically based +upon their responsibility. + +The authentication scheme is divided in two tasks: Login and Verify. Login +involves gathering credentials from a user, while Verify validates them +against an authentication service. + +The Bugzilla parameters user_info_class and user_verify_class contain a +list of Login and Verify modules, respectively. + +Task: Login +----------- + +This task obtains user credentials based on a request. Examples of requests +include CGI access from the Bugzilla web interface, email submissions and +credentials supplied by standalone scripts. + +Each type of Bugzilla front-end should have its own package. For instance, +access via the Bugzilla web pages should go through Bugzilla::Auth::WWW. +These packages would contain modules of their own to perform whatever extra +functions are needed, like the CGI and Cookie modules in the case of WWW. + +Task: Verify +------------ + +This task validates user credentials against a user authentication service. + +The default service in Bugzilla has been the database, which stores the +login_name and cryptpasswd fields in the profiles table. An alternative means +of validation, LDAP, is already supported, and other contributions would be +appreciated. + +The module layout is similar to the Login package, but there is no need for a +sub-level as there is with Login request types. + +Params +------ + +There are two params that define behaviour for each authentication task. Each +of them defines a comma-separated list of modules to be tried in order. + + - user_info_class determines the module(s) used to obtain user + credentials. This param is specific to the requests from Bugzilla web + pages, so all of the listed modules live under + Bugzilla::Auth::Login::WWW + + - user_verify_class determines the module(s) used to verify credentials. + This param is general and concerns the whole Bugzilla instance, since + the same back end should be used regardless of what front end is used. + +Responsibilities +---------------- + +Bugzilla::Auth + + This module is responsible for abstracting away as much as possible the + login and logout tasks in Bugzilla. + + It offers login() and logout() methods that are proxied to the selected + login and verify packages. + +Bugzilla::Auth::Login + + This is a container to hold the various modules for each request type. + +Bugzilla::Auth::Login::WWW + + This module is responsible for abstracting away details of which web-based + login modules exist and are in use. It offers login() and logout() methods + that proxy through to whatever specific modules + +Bugzilla::Auth::Verify + + This module is responsible for abstracting away details of which + credential verification modules exist, and should proxy calls through to + them. There is a method that is particularly important, and which should + be proxied through to the specific: + + can_edit($type) + + This method takes an argument that specifies what sort of change + is being requested; the specific module should return 1 or 0 based + on the fact that it implements or not the required change. + + Current values for $type are "new" for new accounts, and "userid", + "login_name", "realname" for their respective fields. + +Specific Login Modules +---------------------- + + WWW + + The main authentication frontend; regular pages (CGIs) should use only + this module. It offers a convenient frontend to the main functionality + that CGIs need, using form parameters and cookies. + + - Cookie + + Implements part of the backend code that deals with browser + cookies. It's actually tied in to DB.pm, so Cookie logins that use + LDAP won't work at all. + + LDAP + + The other authentication module is LDAP-based; it is *only* used for + password authentication and not for any other login-related task (it + actually relies on the database to handle the profile information). + +Legacy +------ + +Bugzilla.pm + + There is glue code that currently lives in the top-level module + Bugzilla.pm; this module handles backwards-compatibility data that is used + in a number of CGIs. This data has been slowly removed from the Bugzilla + pages and eventually should go away completely, at which point Bugzilla.pm + will be just a wrapper to conveniently offer template, cgi, dbh and user + variables. + + This module is meant to be used only by Bugzilla pages, and in the case of + a reorganization which moves CGI-specific code to a subdirectory, + Bugzilla.pm should go with it. + +$::COOKIE + + There are still instances of use of $::COOKIE to obtain Logincookie + information; these should be removed as well. + + diff --git a/Bugzilla/Auth/DB.pm b/Bugzilla/Auth/Verify/DB.pm index dee3b5db9..ec13bacf8 100644 --- a/Bugzilla/Auth/DB.pm +++ b/Bugzilla/Auth/Verify/DB.pm @@ -25,8 +25,9 @@ # Gervase Markham <gerv@gerv.net> # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> +# Erik Stambaugh <erik@dasbistro.com> -package Bugzilla::Auth::DB; +package Bugzilla::Auth::Verify::DB; use strict; @@ -34,6 +35,18 @@ use Bugzilla::Config; use Bugzilla::Constants; use Bugzilla::Util; +my $edit_options = { + 'new' => 1, + 'userid' => 0, + 'login_name' => 1, + 'realname' => 1, +}; + +sub can_edit { + my ($class, $type) = @_; + return $edit_options->{$type}; +} + sub authenticate { my ($class, $username, $passwd) = @_; @@ -61,8 +74,6 @@ sub authenticate { return (AUTH_OK, $userid); } -sub can_edit { return 1; } - sub get_id_from_username { my ($class, $username) = @_; my $dbh = Bugzilla->dbh; @@ -111,7 +122,7 @@ __END__ =head1 NAME -Bugzilla::Auth::DB - database authentication for Bugzilla +Bugzilla::Auth::Verify::DB - database authentication for Bugzilla =head1 SUMMARY diff --git a/Bugzilla/Auth/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm index c34c3698f..d5b115ca0 100644 --- a/Bugzilla/Auth/LDAP.pm +++ b/Bugzilla/Auth/Verify/LDAP.pm @@ -25,8 +25,9 @@ # Gervase Markham <gerv@gerv.net> # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> +# Erik Stambaugh <erik@dasbistro.com> -package Bugzilla::Auth::LDAP; +package Bugzilla::Auth::Verify::LDAP; use strict; @@ -35,6 +36,18 @@ use Bugzilla::Constants; use Net::LDAP; +my $edit_options = { + 'new' => 0, + 'userid' => 0, + 'login_name' => 0, + 'realname' => 0, +}; + +sub can_edit { + my ($class, $type) = @_; + return $edit_options->{$type}; +} + sub authenticate { my ($class, $username, $passwd) = @_; @@ -156,15 +169,13 @@ sub authenticate { return (AUTH_OK, $userid); } -sub can_edit { return 0; } - 1; __END__ =head1 NAME -Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla +Bugzilla::Auth::Verify::LDAP - LDAP based authentication for Bugzilla This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for Bugzilla, which logs the user in using an LDAP directory. diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm index b568918e3..71bac4225 100644 --- a/Bugzilla/Config.pm +++ b/Bugzilla/Config.pm @@ -25,6 +25,7 @@ # J. Paul Reed <preed@sigkill.com> # Bradley Baetz <bbaetz@student.usyd.edu.au> # Christopher Aillon <christopher@aillon.com> +# Erik Stambaugh <erik@dasbistro.com> package Bugzilla::Config; @@ -217,6 +218,12 @@ sub UpdateParams { $param{'loginmethod'} = $param{'useLDAP'} ? "LDAP" : "DB"; } + # set verify method to whatever loginmethod was + if (exists $param{'loginmethod'} && !exists $param{'user_verify_class'}) { + $param{'user_verify_class'} = $param{'loginmethod'}; + delete $param{'loginmethod'}; + } + # --- DEFAULTS FOR NEW PARAMS --- foreach my $item (@param_list) { |