From 7450b47683d0aa972a522f5b70353e14269a95e6 Mon Sep 17 00:00:00 2001 From: Dave Lawrence Date: Mon, 26 Aug 2013 23:54:32 -0400 Subject: Bug 893195 - Allow token based authentication for webservices r=glob,a=sgreen --- Bugzilla/Auth/Login/Cookie.pm | 68 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 54 insertions(+), 14 deletions(-) (limited to 'Bugzilla/Auth/Login/Cookie.pm') diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm index 56bc34f40..130fab8e3 100644 --- a/Bugzilla/Auth/Login/Cookie.pm +++ b/Bugzilla/Auth/Login/Cookie.pm @@ -20,7 +20,8 @@ use List::Util qw(first); use constant requires_persistence => 0; use constant requires_verification => 0; use constant can_login => 0; -use constant is_automatic => 1; + +sub is_automatic { return $_[0]->login_token ? 0 : 1; } # Note that Cookie never consults the Verifier, it always assumes # it has a valid DB account or it fails. @@ -28,24 +29,35 @@ sub get_login_info { my ($self) = @_; my $cgi = Bugzilla->cgi; my $dbh = Bugzilla->dbh; + my ($user_id, $login_cookie); - my $ip_addr = remote_ip(); - my $login_cookie = $cgi->cookie("Bugzilla_logincookie"); - my $user_id = $cgi->cookie("Bugzilla_login"); + if (!Bugzilla->request_cache->{auth_no_automatic_login}) { + $login_cookie = $cgi->cookie("Bugzilla_logincookie"); + $user_id = $cgi->cookie("Bugzilla_login"); - # If cookies cannot be found, this could mean that they haven't - # been made available yet. In this case, look at Bugzilla_cookie_list. - unless ($login_cookie) { - my $cookie = first {$_->name eq 'Bugzilla_logincookie'} - @{$cgi->{'Bugzilla_cookie_list'}}; - $login_cookie = $cookie->value if $cookie; + # If cookies cannot be found, this could mean that they haven't + # been made available yet. In this case, look at Bugzilla_cookie_list. + unless ($login_cookie) { + my $cookie = first {$_->name eq 'Bugzilla_logincookie'} + @{$cgi->{'Bugzilla_cookie_list'}}; + $login_cookie = $cookie->value if $cookie; + } + unless ($user_id) { + my $cookie = first {$_->name eq 'Bugzilla_login'} + @{$cgi->{'Bugzilla_cookie_list'}}; + $user_id = $cookie->value if $cookie; + } } - unless ($user_id) { - my $cookie = first {$_->name eq 'Bugzilla_login'} - @{$cgi->{'Bugzilla_cookie_list'}}; - $user_id = $cookie->value if $cookie; + + # If no cookies were provided, we also look for a login token + # passed in the parameters of a webservice + my $token = $self->login_token; + if ($token && (!$login_cookie || !$user_id)) { + ($user_id, $login_cookie) = ($token->{'user_id'}, $token->{'login_token'}); } + my $ip_addr = remote_ip(); + if ($login_cookie && $user_id) { # Anything goes for these params - they're just strings which # we're going to verify against the db @@ -78,4 +90,32 @@ sub get_login_info { return { failure => AUTH_NODATA }; } +sub login_token { + my ($self) = @_; + my $input = Bugzilla->input_params; + my $usage_mode = Bugzilla->usage_mode; + + return $self->{'_login_token'} if exists $self->{'_login_token'}; + + if ($usage_mode ne USAGE_MODE_XMLRPC + && $usage_mode ne USAGE_MODE_JSON + && $usage_mode ne USAGE_MODE_REST) { + return $self->{'_login_token'} = undef; + } + + # Check if a token was passed in via requests for WebServices + my $token = trim(delete $input->{'Bugzilla_token'}); + return $self->{'_login_token'} = undef if !$token; + + my ($user_id, $login_token) = split('-', $token, 2); + if (!detaint_natural($user_id) || !$login_token) { + return $self->{'_login_token'} = undef; + } + + return $self->{'_login_token'} = { + user_id => $user_id, + login_token => $login_token + }; +} + 1; -- cgit v1.2.3-24-g4f1b