author | Simon Green <sgreen@redhat.com> | 2014-07-27 10:47:21 +0200 |
---|---|---|
committer | Simon Green <sgreen@redhat.com> | 2014-07-27 10:47:21 +0200 |
commit | fd29ee56c4678749c00e7698ef245f7e2967ee10 (patch) | |
tree | 9d0696c9a89b8df8a6d46e2be6602a449b7354c3 /template/en | |
parent | 9f0f44b7fb73e9af0cdaefe8f5ff617f14fec2ed (diff) | |
Bug 726696 - All authenticated WebServices methods should require username/pass, token or a valid API key for authentication
r=dkl, a=sgreen
Diffstat (limited to 'template/en')
-rw-r--r-- | template/en/default/account/prefs/apikey.html.tmpl | 84 | ||||
-rw-r--r-- | template/en/default/account/prefs/prefs.html.tmpl | 5 | ||||
-rw-r--r-- | template/en/default/email/new-api-key.txt.tmpl | 33 | ||||
-rw-r--r-- | template/en/default/global/header.html.tmpl | 3 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 14 |
5 files changed, 138 insertions, 1 deletions
diff --git a/template/en/default/account/prefs/apikey.html.tmpl b/template/en/default/account/prefs/apikey.html.tmpl
new file mode 100644
index 000000000..79b25560c
--- /dev/null
+++ b/template/en/default/account/prefs/apikey.html.tmpl
@@ -0,0 +1,84 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[%# INTERFACE:
+ # api_keys: array. Array of api keys this user has.
+ # any_revoked: boolean. True is any keys have been revoked.
+ #%]
+
+<p>
+ API keys are used to authenticate REST calls. You can create more than one
+ API key if required. Each API key has an optional description which can help
+ you record what each key is used for. Documentation on how to log in is
+ available from
+ <a href="docs/en/html/api/Bugzilla/WebService.html#LOGGING_IN">here</a>.
+</p>
+
+<h3>Existing API keys</h3>
+
+<p>You can update the description, and revoke or unrevoke existing API keys
+here.</p>
+
+<table id="email_prefs">
+ <tr class="column_header">
+ <th>API key</th>
+ <th>Description (optional)</th>
+ <th>Last used</th>
+ <th>Revoked?</th>
+ </tr>
+
+ [% FOREACH api_key IN api_keys %]
+ <tr[% IF api_key.revoked %] class="apikey_revoked"[% END %]>
+ <td>[% api_key.api_key FILTER html %]</td>
+ <td>
+ <input name="description_[% api_key.id FILTER html %]"
+ id="description_[% api_key.id FILTER html %]"
+ value="[% api_key.description FILTER html %]">
+ </td>
+ [% IF api_key.last_used %]
+ <td>[% api_key.last_used FILTER time %]</td>
+ [% ELSE %]
+ <td class="center"><i>never used</i></td>
+ [% END %]
+ <td class="center">
+ <input type="checkbox" value="1"
+ name="revoked_[% api_key.id FILTER html %]"
+ id="revoked_[% api_key.id FILTER html %]"
+ [% IF api_key.revoked %] checked="checked" [% END %]>
+ </td>
+ </tr>
+ [% END %]
+ [% UNLESS api_keys.size %]
+ <tr><td colspan="4">You don't have any API keys.</td></tr>
+ [% END %]
+</table>
+
+[% IF any_revoked %]
+ <a id="apikey_revoked_controller" class="bz_default_hidden"
+ href="javascript:TUI_toggle_class('apikey_revoked')">Hide Revoked Keys</a>
+ [%# Show the link if the browser supports JS %]
+ <script type="text/javascript">
+ TUI_hide_default('apikey_revoked');
+ TUI_alternates['apikey_revoked'] = 'Show Revoked Keys';
+ YAHOO.util.Dom.removeClass('apikey_revoked_controller',
+ 'bz_default_hidden');
+ </script>
+[% END %]
+
+<h3>New API key</h3>
+
+<p>You can generate a new API key by ticking the check box below and optionally
+providing a description for the API key. The API key will be randomly
+generated for you.</p>
+
+<p>
+ <input type="checkbox" name="new_key" id="new_key">
+ Generate a new API key with optional description
+ <input name="new_description" id="new_description">
+</p>
+
diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl
index faa18d581..8f11d0a6f 100644
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -36,6 +36,9 @@ { name => "account", label => "Account Information", link => "userprefs.cgi?tab=account", saveable => "1", doc_section => "using.html#account-information" }, + { name => "apikey", label => "API Keys", + link => "userprefs.cgi?tab=apikey", saveable => "1", + doc_section => "using.html#apikey" }, { name => "permissions", label => "Permissions", link => "userprefs.cgi?tab=permissions", saveable => "0", doc_section => "using.html#permissions" } ] %]
@@ -53,7 +56,7 @@ title = current_tab.label subheader = filtered_login style_urls = ['skins/standard/admin.css'] - javascript_urls = ['js/util.js', 'js/field.js'] + javascript_urls = ['js/util.js', 'js/field.js', 'js/TUI.js'] doc_section = current_tab.doc_section yui = ['autocomplete'] %]
diff --git a/template/en/default/email/new-api-key.txt.tmpl b/template/en/default/email/new-api-key.txt.tmpl
new file mode 100644
index 000000000..cfccefdcc
--- /dev/null
+++ b/template/en/default/email/new-api-key.txt.tmpl
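Review bot: In apikey.html.tmpl the cell `<td>[% api_key.api_key FILTER html %]</td>` prints every key in full each time the preferences tab is loaded, revoked keys included, so the credential stays exposed to shoulder-surfing, screenshots and any cached copy of the page for as long as the key exists. The escaping is correct; the concern is how long the secret remains visible. Consider showing the full value only once, right after generation, and a short prefix afterwards, which would also let the server keep only a hash of the key (how keys are stored is not visible in this diff, so that part is an assumption). Separately, the INTERFACE comment should read `# any_revoked: boolean. True if any keys have been revoked.`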
@@ -0,0 +1,33 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[%# INTERFACE:
+ # user: The Bugzilla::User object of the user being created
+ # new_key: The API key created
+ #%]
+
+From: [% Param('mailfrom') %]
+To: [% user.email %]
+Subject: [% terms.Bugzilla %]: New API key created
+X-Bugzilla-Type: admin
+
+[This e-mail has been automatically generated]
+
+A new [% terms.Bugzilla %] API key[% IF new_key.description %], with the
+description '[% new_key.description %]'[% END %] has been created. You can view
+or update the key at the following URL:
+
+[%+ urlbase %]userprefs.cgi?tab=apikey
+
+IMPORTANT: If you did not request a new key, your [% terms.Bugzilla %] account
+may have been compromised. In this case, please disable the key at the above
+URL, and change your password immediately.
+
+For security reasons, we have not included your new key in this e-mail.
+
+If you have any issues regarding your account, please contact [% Param('maintainer') %].
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index e6bd8f45d..f4a4b66b6 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -166,6 +166,9 @@ version_required: 'You must select a Version for this [% terms.bug %].' } + [% IF javascript_urls.containsany(['js/bug.js', 'js/field.js', 'js/comment-tagging.js']) %] + , api_token: '[% get_api_token FILTER js FILTER html %]' + [% END %] }; [% FOREACH yui_name = yui %]
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 85e9fc488..48cbcad47 100644
--- a/template/en/default/global/user-error.html.tmpl
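Review bot: In new-api-key.txt.tmpl the body interpolates `'[% new_key.description %]'` verbatim, and the description is free text chosen by whoever created the key; in the compromised-account case this message warns about, the alert therefore carries text written by the intruder. Because it sits in the body it cannot reach the mail headers, but the caller should cap its length and collapse newlines before it gets here, or the template should leave it out and rely on the link to the preferences page. Whether the code that creates the key already limits the description is not visible in this diff. The INTERFACE comment also appears to be copied from an account-creation mail and should read `# user: The Bugzilla::User object of the user the key was created for`.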
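Review bot: In header.html.tmpl the new `api_token` entry is emitted only when `javascript_urls` contains one of three hard-coded script names, and nothing in the template says why those three; a page that later loads another script calling the WebService would get no token and fail authentication without any hint here. A comment above the `IF`, such as `[%# Only pages whose scripts call the WebService need an API token; extend this list when adding such a script. %]`, would make that contract visible. If this object literal sits inside a `<script>` element (its opening is outside the hunk), the browser does not decode the entities that `FILTER html` produces there, so please confirm the token is limited to characters that both filters leave untouched.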
+++ b/template/en/default/global/user-error.html.tmpl @@ -97,6 +97,15 @@ [% terms.Bug %] aliases cannot be longer than 20 characters. Please choose a shorter alias. + [% ELSIF error == "api_key_not_valid" %] + [% title = "Invalid API key" %] + The API key you specified is invalid. Please check that you typed it + correctly. + + [% ELSIF error == "api_key_revoked" %] + [% title = "Invalid API key" %] + The API key you specified has been revoked by the user that created it. + [% ELSIF error == "attachment_bug_id_mismatch" %] [% title = "Invalid Attachments" %] You tried to perform an action on attachments from different [% terms.bugs %]. @@ -219,6 +228,11 @@ [% Hook.process("auth_failure") %] + [% ELSIF error == "auth_invalid_token" %] + [% title = 'A token error occurred' %] + The token '[% token FILTER html %]' is not valid. It could be because + you loaded this page more than 3 days ago. + [% ELSIF error == "auth_untrusted_request" %] [% title = "Untrusted Authentication Request" %] You tried to log in using the <em>[% login FILTER html %]</em> account, |
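Review bot: In the `auth_invalid_token` branch of user-error.html.tmpl the text `more than 3 days ago` hard-codes the token lifetime, which is presumably defined in code outside this diff; if that value changes, the message becomes misleading. Passing the lifetime in as a template variable, or wording it as `It could be because you loaded this page too long ago.`, keeps the two in step. The branch also echoes the submitted token back; it is HTML-escaped, so it is safe to render, but the value adds little for the user and could be omitted. The surrounding `ELSIF` chain starts and ends outside the hunk.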