author | Dylan William Hardison <dylan@mozilla.com> | 2015-05-22 18:54:38 +0200 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2015-05-22 18:55:10 +0200 |
commit | d8cbd5b5c59f0c66772df100a4b28d4e26450771 (patch) | |
tree | c328d1a5b84989ab0c98d9975d8eefa51e1a477a /Bugzilla | |
parent | 42d961c8712af7cbbb08d5eff1e55aa2c81c01a8 (diff) | |
Bug 1144468: Bugzilla Auth Delegation via API Keys
r=dkl,a=glob
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Config/Auth.pm | 5 | ||||
-rw-r--r-- | Bugzilla/Token.pm | 49 |
2 files changed, 54 insertions, 0 deletions
diff --git a/Bugzilla/Config/Auth.pm b/Bugzilla/Config/Auth.pm index 78d719b15..3c9ee31f2 100644 --- a/Bugzilla/Config/Auth.pm +++ b/Bugzilla/Config/Auth.pm @@ -121,6 +121,11 @@ sub get_param_list { type => 'b', default => '1' }, + { + name => 'auth_delegation', + type => 'b', + default => 0, + }, ); return @param_list; } diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index a8358d4a7..c43ba9f07 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -25,6 +25,7 @@ use Digest::SHA qw(hmac_sha256_base64); use parent qw(Exporter); @Bugzilla::Token::EXPORT = qw(issue_api_token issue_session_token + issue_auth_delegation_token check_auth_delegation_token check_token_data delete_token issue_hash_token check_hash_token); @@ -46,6 +47,37 @@ sub issue_api_token { return $token // _create_token($user->id, 'api_token', ''); } +sub issue_auth_delegation_token { + my ($uri) = @_; + my $dbh = Bugzilla->dbh; + my $user = Bugzilla->user; + my $checksum = hmac_sha256_base64($user->id, $uri, Bugzilla->localconfig->{'site_wide_secret'}); + + return _create_token($user->id, 'auth_delegation', $checksum); +} + +sub check_auth_delegation_token { + my ($token, $uri) = @_; + my $dbh = Bugzilla->dbh; + my $user = Bugzilla->user; + + my ($eventdata) = $dbh->selectrow_array(" + SELECT eventdata FROM tokens + WHERE token = ? AND tokentype = 'auth_delegation' + AND (" . $dbh->sql_date_math('issuedate', '+', (MAX_TOKEN_AGE * 24 - 12), 'HOUR') . ") > NOW()", + undef, $token); + + if ($eventdata) { + my $checksum = hmac_sha256_base64($user->id, $uri, Bugzilla->localconfig->{'site_wide_secret'}); + if ($eventdata eq $checksum) { + delete_token($token); + return 1; + } + } + + return 0; +} + # Creates and sends a token to create a new user account. # It assumes that the login has the correct format and is not already in use. sub issue_new_user_account_token { 
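Review bot: In both issue_auth_delegation_token and check_auth_delegation_token the checksum passes `$user->id` and `$uri` to hmac_sha256_base64 as separate data arguments, which Digest::SHA concatenates with no separator before keying with the final argument, so the MAC does not bind the (user, URI) pair unambiguously. A numeric id followed by a URI that starts with digits produces the same input as a longer id with a shorter URI. Joining the fields with a delimiter that cannot occur in the id removes the ambiguity, e.g. `my $checksum = hmac_sha256_base64(join(':', $user->id, $uri), Bugzilla->localconfig->{'site_wide_secret'});`, and because the expression is duplicated it belongs in one private helper so the issue and check sides cannot drift apart. Separately, `my $dbh = Bugzilla->dbh;` in issue_auth_delegation_token is unused, and a token whose checksum does not match is left in the table until it ages out rather than being deleted, which is worth confirming as intended.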
@@ -608,6 +640,23 @@ although they can be used separately. Returns: A unique token. +=item C<issue_auth_delegation_token($uri)> + + Description: Creates and returns a token used to validate auth delegation confirmations. + + Params: $uri - The uri that auth will be delegated to. + + Returns: A unique token. + +=item C<check_auth_delegation_token($token, $uri)> + + Description: Checks if a token $token is a confirmation token for $uri. + + Params: $token - The token returned by issue_auth_delegation_token() + $uri - The uri that auth will be delegated to. + + Returns: a boolean value + =item C<check_token_data($token, $event)> Description: Makes sure the $token has been created by the currently logged in |
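Review bot: The POD for check_auth_delegation_token leaves out three properties that callers rely on for safe use. The check is bound to the currently logged-in user (the checksum is built from `Bugzilla->user->id`), a successful check deletes the token so it is single-use, and the SQL rejects tokens past the age limit. I would reword the entry along the lines of `Description: Checks that $token was issued to the current user for $uri and has not expired. The token is deleted on success.` and state `Returns: 1 if the token is valid, 0 otherwise.` The issue_auth_delegation_token entry could likewise say that the token is tied to the current user as well as to $uri.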