From 987611195db12b9c42cdfdbb383811f99322cdd7 Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Fri, 14 Nov 2014 19:45:46 +0000 Subject: Bug 1097813: backport upstream bug 1001462 to bmo/4.2 to fix issue with using tokens with webservice rest api --- Bugzilla/Auth.pm | 2 +- Bugzilla/Auth/Login.pm | 1 - Bugzilla/Auth/Login/Cookie.pm | 2 ++ Bugzilla/Auth/Persist/Cookie.pm | 4 +-- Bugzilla/WebService/Server/XMLRPC.pm | 7 +++++ Bugzilla/WebService/User.pm | 50 +++++++++++++----------------------- Bugzilla/WebService/Util.pm | 6 ++--- 7 files changed, 33 insertions(+), 39 deletions(-) diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm index 2c58b52a8..9f4fb8fa3 100644 --- a/Bugzilla/Auth.pm +++ b/Bugzilla/Auth.pm @@ -168,7 +168,7 @@ sub _handle_login_result { if ($self->{_info_getter}->{successful}->requires_persistence and !Bugzilla->request_cache->{auth_no_automatic_login}) { - $self->{_persister}->persist_login($user); + $user->{_login_token} = $self->{_persister}->persist_login($user); } } elsif ($fail_code == AUTH_ERROR) { diff --git a/Bugzilla/Auth/Login.pm b/Bugzilla/Auth/Login.pm index 7e03778b3..09830da25 100644 --- a/Bugzilla/Auth/Login.pm +++ b/Bugzilla/Auth/Login.pm @@ -17,7 +17,6 @@ package Bugzilla::Auth::Login; use strict; -use fields qw(_login_token); # Determines whether or not a user can logout. It's really a subroutine, # but we implement it here as a constant. Override it in subclasses if diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm index 62a6c58a9..e3b86d384 100644 --- a/Bugzilla/Auth/Login/Cookie.pm +++ b/Bugzilla/Auth/Login/Cookie.pm @@ -17,7 +17,9 @@ package Bugzilla::Auth::Login::Cookie; use strict; + use base qw(Bugzilla::Auth::Login); +use fields qw(_login_token); use Bugzilla::Constants; use Bugzilla::Util; diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm index c1d133772..a064a231a 100644 --- a/Bugzilla/Auth/Persist/Cookie.pm +++ b/Bugzilla/Auth/Persist/Cookie.pm @@ -36,8 +36,6 @@ use Bugzilla::Constants; use Bugzilla::Util; use Bugzilla::Token; -use Bugzilla::Auth::Login::Cookie qw(login_token); - use List::Util qw(first); sub new { @@ -102,6 +100,8 @@ sub persist_login { $cgi->send_cookie(-name => 'Bugzilla_logincookie', -value => $login_cookie, %cookieargs); + + return $login_cookie; } sub logout { diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index 8d9108122..f56fa3439 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -123,6 +123,7 @@ our @ISA = qw(XMLRPC::Deserializer); use Bugzilla::Error; use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST); +use Bugzilla::WebService::Util qw(fix_credentials); use Scalar::Util qw(tainted); sub deserialize { @@ -146,7 +147,13 @@ sub deserialize { my $params = $som->paramsin; # This allows positional parameters for Testopia. $params = {} if ref $params ne 'HASH'; + + # Update the params to allow for several convenience key/values + # use for authentication + fix_credentials($params); + Bugzilla->input_params($params); + return $som; } diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index 1e6de143c..b6351635c 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -64,44 +64,21 @@ use constant MAPPED_RETURNS => { sub login { my ($self, $params) = @_; - my $remember = $params->{remember}; + + # Check to see if we are already logged in + my $user = Bugzilla->user; + if ($user->id) { + return $self->_login_to_hash($user); + } # Username and password params are required foreach my $param ("login", "password") { - defined $params->{$param} + (defined $params->{$param} || defined $params->{'Bugzilla_' . $param}) || ThrowCodeError('param_required', { param => $param }); } - # Convert $remember from a boolean 0/1 value to a CGI-compatible one. - if (defined($remember)) { - $remember = $remember? 'on': ''; - } - else { - # Use Bugzilla's default if $remember is not supplied. - $remember = - Bugzilla->params->{'rememberlogin'} eq 'defaulton'? 'on': ''; - } - - # Make sure the CGI user info class works if necessary. - my $input_params = Bugzilla->input_params; - $input_params->{'Bugzilla_login'} = $params->{login}; - $input_params->{'Bugzilla_password'} = $params->{password}; - $input_params->{'Bugzilla_remember'} = $remember; - - my $user = Bugzilla->login(); - - my $result = { id => $self->type('int', $user->id) }; - - # We will use the stored cookie value combined with the user id - # to create a token that can be used with future requests in the - # query parameters - my $login_cookie = first { $_->name eq 'Bugzilla_logincookie' } - @{ Bugzilla->cgi->{'Bugzilla_cookie_list'} }; - if ($login_cookie) { - $result->{'token'} = $user->id . "-" . $login_cookie->value; - } - - return $result; + $user = Bugzilla->login(); + return $self->_login_to_hash($user); } sub logout { @@ -419,6 +396,15 @@ sub _query_to_hash { return $item; } +sub _login_to_hash { + my ($self, $user) = @_; + my $item = { id => $self->type('int', $user->id) }; + if (my $login_token = $user->{_login_token}) { + $item->{'token'} = $user->id . "-" . $login_token; + } + return $item; +} + 1; __END__ diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm index 856fd3481..c21bcd344 100644 --- a/Bugzilla/WebService/Util.pm +++ b/Bugzilla/WebService/Util.pm @@ -276,13 +276,13 @@ sub fix_credentials { # even if not calling GET /login. We also do not delete them as # GET /login requires "login" and "password". if (exists $params->{'login'} && exists $params->{'password'}) { - $params->{'Bugzilla_login'} = $params->{'login'}; - $params->{'Bugzilla_password'} = $params->{'password'}; + $params->{'Bugzilla_login'} = delete $params->{'login'}; + $params->{'Bugzilla_password'} = delete $params->{'password'}; } # Allow user to pass token=12345678 as a convenience which becomes # "Bugzilla_token" which is what the auth code looks for. if (exists $params->{'token'}) { - $params->{'Bugzilla_token'} = $params->{'token'}; + $params->{'Bugzilla_token'} = delete $params->{'token'}; } # Allow extensions to modify the credential data before login -- cgit v1.2.3-24-g4f1b