From 7bdd1cbe564883cd12abee3657e671e97e85a8e5 Mon Sep 17 00:00:00 2001 From: "bugreport%peshkin.net" <> Date: Wed, 21 Jul 2004 05:41:18 +0000 Subject: Bug 241900: Allow Bugzilla::Auth to have multiple login and validation styles patch by erik r=joel, kiko a=myk --- Bugzilla/Auth.pm | 126 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 98 insertions(+), 28 deletions(-) (limited to 'Bugzilla/Auth.pm') diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm index dcea8189a..71b125e45 100644 --- a/Bugzilla/Auth.pm +++ b/Bugzilla/Auth.pm @@ -18,6 +18,7 @@ # Rights Reserved. # # Contributor(s): Bradley Baetz +# Erik Stambaugh package Bugzilla::Auth; @@ -26,23 +27,34 @@ use strict; use Bugzilla::Config; use Bugzilla::Constants; -# 'inherit' from the main loginmethod +# The verification method that was successfully used upon login, if any +my $current_verify_class = undef; + +# 'inherit' from the main verify method BEGIN { - my $loginmethod = Param("loginmethod"); - if ($loginmethod =~ /^([A-Za-z0-9_\.\-]+)$/) { - $loginmethod = $1; - } - else { - die "Badly-named loginmethod '$loginmethod'"; + for my $verifyclass (split /,\s*/, Param("user_verify_class")) { + if ($verifyclass =~ /^([A-Za-z0-9_\.\-]+)$/) { + $verifyclass = $1; + } else { + die "Badly-named user_verify_class '$verifyclass'"; + } + require "Bugzilla/Auth/Verify/" . $verifyclass . ".pm"; } - require "Bugzilla/Auth/" . $loginmethod . ".pm"; - - our @ISA; - push (@ISA, "Bugzilla::Auth::" . $loginmethod); } # PRIVATE +# A number of features, like password change requests, require the DB +# verification method to be on the list. +sub has_db { + for (split (/[\s,]+/, Param("user_verify_class"))) { + if (/^DB$/) { + return 1; + } + } + return 0; +} + # Returns the network address for a given ip sub get_netaddr { my $ipaddr = shift; @@ -61,6 +73,53 @@ sub get_netaddr { return join(".", unpack("CCCC", pack("N", $addr))); } +# This is a replacement for the inherited authenticate function +# go through each of the available methods for each function +sub authenticate { + my $class = shift; + my @args = @_; + my @firstresult = (); + my @result = (); + for my $method (split /,\s*/, Param("user_verify_class")) { + $method = "Bugzilla::Auth::Verify::" . $method; + @result = $method->authenticate(@args); + @firstresult = @result unless @firstresult; + + if (($result[0] != AUTH_NODATA)&&($result[0] != AUTH_LOGINFAILED)) { + $current_verify_class = $method; + return @result; + } + } + @result = @firstresult; + # no auth match + + # see if we can set $current to the first verify method that + # will allow a new login + + for my $method (split /,\s*/, Param("user_verify_class")) { + $method = "Bugzilla::Auth::Verify::" . $method; + if ($method->can_edit('new')) { + $current_verify_class = $method; + } + } + + return @result; +} + +sub can_edit { + my ($class, $type) = @_; + if ($current_verify_class) { + return $current_verify_class->can_edit($type); + } + # $current_verify_class will not be set if the user isn't logged in. That + # happens when the user is trying to create a new account, which (for now) + # is hard-coded to work with DB. + elsif (has_db) { + return Bugzilla::Auth::Verify::DB->can_edit($type); + } + return 0; +} + 1; __END__ @@ -78,16 +137,8 @@ used to obtain the data (from CGI, email, etc), and the other set uses this data to authenticate against the datasource (the Bugzilla DB, LDAP, cookies, etc). -The handlers for the various types of authentication -(DB/LDAP/cookies/etc) provide the actual code for each specific method -of authentication. - -The source modules (currently, only -L) then use those methods to do -the authentication. - -I itself inherits from the default authentication handler, -identified by the I param. +Modules for obtaining the data are located under L, and +modules for authenticating are located in L. =head1 METHODS @@ -108,7 +159,9 @@ only some addresses. =head1 AUTHENTICATION Authentication modules check a user's credentials (username, password, -etc) to verify who the user is. +etc) to verify who the user is. The methods that C uses for +authentication are wrappers that check all configured modules (via the +C and C) in sequence. =head2 METHODS @@ -175,19 +228,36 @@ Note that this argument is a string, not a tag. =back +=item C + +This scalar gets populated with the full name (eg., +C) of the verification method being used by the +current user. If no user is logged in, it will contain the name of the first +method that allows new users, if any. Otherwise, it carries an undefined +value. + =item C -This determines if the user's account details can be modified. If this -method returns a C value, then accounts can be created and -modified through the Bugzilla user interface. Forgotten passwords can -also be retrieved through the L. +This determines if the user's account details can be modified. It returns a +reference to a hash with the keys C, C, and C, +which determine whether their respective profile values may be altered, and +C, which determines if new accounts may be created. + +Each user verification method (chosen with C has +its own set of can_edit values. Calls to can_edit return the appropriate +values for the current user's login method. + +If a user is not logged in, C will contain the values of the first +verify method that allows new users to be created, if available. Otherwise it +returns an empty hash. =back =head1 LOGINS A login module can be used to try to log in a Bugzilla user in a -particular way. For example, L +particular way. For example, +L logs in users from CGI scripts, first by using form variables, and then by trying cookies as a fallback. @@ -250,5 +320,5 @@ user-performed password changes. =head1 SEE ALSO -L, L, L +L, L, L -- cgit v1.2.3-24-g4f1b