summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/Auth.pm17
-rw-r--r--Bugzilla/Auth/Login.pm2
-rw-r--r--Bugzilla/Auth/Login/Cookie.pm68
-rw-r--r--Bugzilla/Auth/Persist/Cookie.pm32
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm6
-rw-r--r--Bugzilla/WebService/Server/REST.pm38
-rw-r--r--Bugzilla/WebService/Server/REST/Resources/User.pm10
-rw-r--r--Bugzilla/WebService/User.pm29
-rw-r--r--Bugzilla/WebService/Util.pm23
9 files changed, 178 insertions, 47 deletions
diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm
index 7775a03c9..2c58b52a8 100644
--- a/Bugzilla/Auth.pm
+++ b/Bugzilla/Auth.pm
@@ -124,6 +124,15 @@ sub can_logout {
return $getter->can_logout;
}
+sub login_token {
+ my ($self) = @_;
+ my $getter = $self->{_info_getter}->{successful};
+ if ($getter && $getter->isa('Bugzilla::Auth::Login::Cookie')) {
+ return $getter->login_token;
+ }
+ return undef;
+}
+
sub user_can_create_account {
my ($self) = @_;
my $verifier = $self->{_verifier}->{successful};
@@ -426,6 +435,14 @@ Params: None
Returns: C<true> if users can change their own email address,
C<false> otherwise.
+=item C<login_token>
+
+Description: If a login token was used instead of a cookie then this
+ will return the current login token data such as user id
+ and the token itself.
+Params: None
+Returns: A hash containing C<login_token> and C<user_id>.
+
=back
=head1 STRUCTURE
diff --git a/Bugzilla/Auth/Login.pm b/Bugzilla/Auth/Login.pm
index 42ce51c62..7e03778b3 100644
--- a/Bugzilla/Auth/Login.pm
+++ b/Bugzilla/Auth/Login.pm
@@ -17,7 +17,7 @@
package Bugzilla::Auth::Login;
use strict;
-use fields qw();
+use fields qw(_login_token);
# Determines whether or not a user can logout. It's really a subroutine,
# but we implement it here as a constant. Override it in subclasses if
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index 91fb820fb..88c48e236 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -27,7 +27,8 @@ use List::Util qw(first);
use constant requires_persistence => 0;
use constant requires_verification => 0;
use constant can_login => 0;
-use constant is_automatic => 1;
+
+sub is_automatic { return $_[0]->login_token ? 0 : 1; }
# Note that Cookie never consults the Verifier, it always assumes
# it has a valid DB account or it fails.
@@ -35,24 +36,35 @@ sub get_login_info {
my ($self) = @_;
my $cgi = Bugzilla->cgi;
my $dbh = Bugzilla->dbh;
+ my ($user_id, $login_cookie);
- my $ip_addr = remote_ip();
- my $login_cookie = $cgi->cookie("Bugzilla_logincookie");
- my $user_id = $cgi->cookie("Bugzilla_login");
+ if (!Bugzilla->request_cache->{auth_no_automatic_login}) {
+ $login_cookie = $cgi->cookie("Bugzilla_logincookie");
+ $user_id = $cgi->cookie("Bugzilla_login");
- # If cookies cannot be found, this could mean that they haven't
- # been made available yet. In this case, look at Bugzilla_cookie_list.
- unless ($login_cookie) {
- my $cookie = first {$_->name eq 'Bugzilla_logincookie'}
- @{$cgi->{'Bugzilla_cookie_list'}};
- $login_cookie = $cookie->value if $cookie;
+ # If cookies cannot be found, this could mean that they haven't
+ # been made available yet. In this case, look at Bugzilla_cookie_list.
+ unless ($login_cookie) {
+ my $cookie = first {$_->name eq 'Bugzilla_logincookie'}
+ @{$cgi->{'Bugzilla_cookie_list'}};
+ $login_cookie = $cookie->value if $cookie;
+ }
+ unless ($user_id) {
+ my $cookie = first {$_->name eq 'Bugzilla_login'}
+ @{$cgi->{'Bugzilla_cookie_list'}};
+ $user_id = $cookie->value if $cookie;
+ }
}
- unless ($user_id) {
- my $cookie = first {$_->name eq 'Bugzilla_login'}
- @{$cgi->{'Bugzilla_cookie_list'}};
- $user_id = $cookie->value if $cookie;
+
+ # If no cookies were provided, we also look for a login token
+ # passed in the parameters of a webservice
+ my $token = $self->login_token;
+ if ($token && (!$login_cookie || !$user_id)) {
+ ($user_id, $login_cookie) = ($token->{'user_id'}, $token->{'login_token'});
}
+ my $ip_addr = remote_ip();
+
if ($login_cookie && $user_id) {
# Anything goes for these params - they're just strings which
# we're going to verify against the db
@@ -85,4 +97,32 @@ sub get_login_info {
return { failure => AUTH_NODATA };
}
+sub login_token {
+ my ($self) = @_;
+ my $input = Bugzilla->input_params;
+ my $usage_mode = Bugzilla->usage_mode;
+
+ return $self->{'_login_token'} if exists $self->{'_login_token'};
+
+ if ($usage_mode ne USAGE_MODE_XMLRPC
+ && $usage_mode ne USAGE_MODE_JSON
+ && $usage_mode ne USAGE_MODE_REST) {
+ return $self->{'_login_token'} = undef;
+ }
+
+ # Check if a token was passed in via requests for WebServices
+ my $token = trim(delete $input->{'Bugzilla_token'});
+ return $self->{'_login_token'} = undef if !$token;
+
+ my ($user_id, $login_token) = split('-', $token, 2);
+ if (!detaint_natural($user_id) || !$login_token) {
+ return $self->{'_login_token'} = undef;
+ }
+
+ return $self->{'_login_token'} = {
+ user_id => $user_id,
+ login_token => $login_token
+ };
+}
+
1;
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 57fa9624e..1daaf57f7 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -36,6 +36,8 @@ use Bugzilla::Constants;
use Bugzilla::Util;
use Bugzilla::Token;
+use Bugzilla::Auth::Login::Cookie qw(login_token);
+
use List::Util qw(first);
sub new {
@@ -107,6 +109,7 @@ sub logout {
my $dbh = Bugzilla->dbh;
my $cgi = Bugzilla->cgi;
+ my $input = Bugzilla->input_params;
$param = {} unless $param;
my $user = $param->{user} || Bugzilla->user;
my $type = $param->{type} || LOGOUT_ALL;
@@ -120,16 +123,23 @@ sub logout {
# The LOGOUT_*_CURRENT options require the current login cookie.
# If a new cookie has been issued during this run, that's the current one.
# If not, it's the one we've received.
+ my @login_cookies;
my $cookie = first {$_->name eq 'Bugzilla_logincookie'}
@{$cgi->{'Bugzilla_cookie_list'}};
- my $login_cookie;
if ($cookie) {
- $login_cookie = $cookie->value;
+ push(@login_cookies, $cookie->value);
}
else {
- $login_cookie = $cgi->cookie("Bugzilla_logincookie");
+ push(@login_cookies, $cgi->cookie("Bugzilla_logincookie"));
+ }
+
+ # If we are a webservice using a token instead of cookie
+ # then add that as well to the login cookies to delete
+ if (my $login_token = $user->authorizer->login_token) {
+ push(@login_cookies, $login_token->{'login_token'});
}
- trick_taint($login_cookie);
+
+ return if !@login_cookies;
# These queries use both the cookie ID and the user ID as keys. Even
# though we know the userid must match, we still check it in the SQL
@@ -138,12 +148,18 @@ sub logout {
# logged in and got the same cookie, we could be logging the other
# user out here. Yes, this is very very very unlikely, but why take
# chances? - bbaetz
+ map { trick_taint($_) } @login_cookies;
+ @login_cookies = map { $dbh->quote($_) } @login_cookies;
if ($type == LOGOUT_KEEP_CURRENT) {
- $dbh->do("DELETE FROM logincookies WHERE cookie != ? AND userid = ?",
- undef, $login_cookie, $user->id);
+ $dbh->do("DELETE FROM logincookies WHERE " .
+ $dbh->sql_in('cookie', \@login_cookies, 1) .
+ " AND userid = ?",
+ undef, $user->id);
} elsif ($type == LOGOUT_CURRENT) {
- $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?",
- undef, $login_cookie, $user->id);
+ $dbh->do("DELETE FROM logincookies WHERE " .
+ $dbh->sql_in('cookie', \@login_cookies) .
+ " AND userid = ?",
+ undef, $user->id);
} else {
die("Invalid type $type supplied to logout()");
}
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 4bf3fb191..109c530b7 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -37,7 +37,7 @@ BEGIN {
use Bugzilla::Error;
use Bugzilla::WebService::Constants;
-use Bugzilla::WebService::Util qw(taint_data);
+use Bugzilla::WebService::Util qw(taint_data fix_credentials);
use Bugzilla::Util;
use HTTP::Message;
@@ -385,6 +385,10 @@ sub _argument_type_check {
}
}
+ # Update the params to allow for several convenience key/values
+ # use for authentication
+ fix_credentials($params);
+
Bugzilla->input_params($params);
if ($self->request->method eq 'POST') {
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index 454749b5d..4145455ec 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -16,7 +16,7 @@ use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::WebService::Constants;
-use Bugzilla::WebService::Util qw(taint_data);
+use Bugzilla::WebService::Util qw(taint_data fix_credentials);
use Bugzilla::Util qw(correct_urlbase html_quote);
# Load resource modules
@@ -69,7 +69,7 @@ sub handle {
my $params = $self->_retrieve_json_params;
- $self->_fix_credentials($params);
+ fix_credentials($params);
# Fix includes/excludes for each call
rest_include_exclude($params);
@@ -131,7 +131,7 @@ sub response {
# If accessing through web browser, then display in readable format
if ($self->content_type eq 'text/html') {
- $result = $self->json->pretty->canonical->encode($result);
+ $result = $self->json->pretty->canonical->allow_nonref->encode($result);
my $template = Bugzilla->template;
$content = "";
@@ -162,8 +162,15 @@ sub handle_login {
# explicitly gives that site their username and password. (This is
# particularly important for JSONP, which would allow a remote site
# to use private data without the user's knowledge, unless we had this
- # protection in place.)
- if (!grep($_ eq $self->request->method, ('POST', 'PUT'))) {
+ # protection in place.) We do allow this for GET /login as we need to
+ # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we
+ # can also use for Bugzilla_token support. This is OK as it requires
+ # a login and password to be supplied and will fail if they are not
+ # valid for the user.
+ if (!grep($_ eq $self->request->method, ('POST', 'PUT'))
+ && !($self->bz_class_name eq 'Bugzilla::WebService::User'
+ && $self->bz_method_name eq 'login'))
+ {
# XXX There's no particularly good way for us to get a parameter
# to Bugzilla->login at this point, so we pass this information
# around using request_cache, which is a bit of a hack. The
@@ -424,15 +431,6 @@ sub _find_resource {
return $handler_found;
}
-sub _fix_credentials {
- my ($self, $params) = @_;
- # Allow user to pass in &username=foo&password=bar
- if (exists $params->{'username'} && exists $params->{'password'}) {
- $params->{'Bugzilla_login'} = delete $params->{'username'};
- $params->{'Bugzilla_password'} = delete $params->{'password'};
- }
-}
-
sub _best_content_type {
my ($self, @types) = @_;
return ($self->_simple_content_negotiation(@types))[0] || '*/*';
@@ -545,15 +543,23 @@ if you have a Bugzilla account by providing your login credentials.
=over
-=item Username and password
+=item Login name and password
Pass in as query parameters of any request:
-username=fred@bedrock.com&password=ilovewilma
+login=fred@example.com&password=ilovecheese
Remember to URL encode any special characters, which are often seen in passwords and to
also enable SSL support.
+=item Login token
+
+By calling GET /login?login=fred@example.com&password=ilovecheese, you get back
+a C<token> value which can then be passed to each subsequent call as
+authentication. This is useful for third party clients that cannot use cookies
+and do not want to store a user's login and password in the client. You can also
+pass in "token" as a convenience.
+
=back
=head1 ERRORS
diff --git a/Bugzilla/WebService/Server/REST/Resources/User.pm b/Bugzilla/WebService/Server/REST/Resources/User.pm
index 9424b517e..0a2fe455f 100644
--- a/Bugzilla/WebService/Server/REST/Resources/User.pm
+++ b/Bugzilla/WebService/Server/REST/Resources/User.pm
@@ -19,6 +19,16 @@ BEGIN {
sub _rest_resources {
my $rest_resources = [
+ qr{^/login$}, {
+ GET => {
+ method => 'login'
+ }
+ },
+ qr{^/logout$}, {
+ GET => {
+ method => 'logout'
+ }
+ },
qr{^/user$}, {
GET => {
method => 'get'
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index c826e4f1b..78d34a209 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -31,6 +31,8 @@ use Bugzilla::Util qw(trim);
use Bugzilla::WebService::Util qw(filter validate);
use Bugzilla::Hook;
+use List::Util qw(first);
+
# Don't need auth to login
use constant LOGIN_EXEMPT => {
login => 1,
@@ -71,14 +73,25 @@ sub login {
$input_params->{'Bugzilla_password'} = $params->{password};
$input_params->{'Bugzilla_remember'} = $remember;
- Bugzilla->login();
- return { id => $self->type('int', Bugzilla->user->id) };
+ my $user = Bugzilla->login();
+
+ my $result = { id => $self->type('int', $user->id) };
+
+ # We will use the stored cookie value combined with the user id
+ # to create a token that can be used with future requests in the
+ # query parameters
+ my $login_cookie = first { $_->name eq 'Bugzilla_logincookie' }
+ @{ Bugzilla->cgi->{'Bugzilla_cookie_list'} };
+ if ($login_cookie) {
+ $result->{'token'} = $user->id . "-" . $login_cookie->value;
+ }
+
+ return $result;
}
sub logout {
my $self = shift;
Bugzilla->logout;
- return undef;
}
#################
@@ -358,10 +371,12 @@ management of cookies across sessions.
=item B<Returns>
-On success, a hash containing one item, C<id>, the numeric id of the
-user that was logged in. A set of http cookies is also sent with the
-response. These cookies must be sent along with any future requests
-to the webservice, for the duration of the session.
+On success, a hash containing two items, C<id>, the numeric id of the
+user that was logged in, and a C<token> which can be passed in
+the parameters as authentication in other calls. A set of http cookies
+is also sent with the response. These cookies *or* the token can be sent
+along with any future requests to the webservice, for the duration of the
+session.
=item B<Errors>
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index cda88e260..622e6890b 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -33,6 +33,7 @@ our @EXPORT_OK = qw(
taint_data
validate
params_to_objects
+ fix_credentials
);
sub filter ($$;$) {
@@ -146,6 +147,22 @@ sub params_to_objects {
return \@objects;
}
+sub fix_credentials {
+ my ($params) = @_;
+ # Allow user to pass in login=foo&password=bar as a convenience
+ # even if not calling GET /login. We also do not delete them as
+ # GET /login requires "login" and "password".
+ if (exists $params->{'login'} && exists $params->{'password'}) {
+ $params->{'Bugzilla_login'} = $params->{'login'};
+ $params->{'Bugzilla_password'} = $params->{'password'};
+ }
+ # Allow user to pass token=12345678 as a convenience which becomes
+ # "Bugzilla_token" which is what the auth code looks for.
+ if (exists $params->{'token'}) {
+ $params->{'Bugzilla_token'} = $params->{'token'};
+ }
+}
+
__END__
=head1 NAME
@@ -201,6 +218,12 @@ Helps make life simpler for WebService methods that internally create objects
via both "ids" and "names" fields. Also de-duplicates objects that were loaded
by both "ids" and "names". Returns an arrayref of objects.
+=head2 fix_credentials
+
+Allows for certain parameters related to authentication such as Bugzilla_login,
+Bugzilla_password, and Bugzilla_token to have shorter named equivalents passed in.
+This function converts the shorter versions to their respective internal names.
+
=head1 B<Methods in need of POD>
=over