From abdd4eba8b321e66d9a86d2d3592893f69632618 Mon Sep 17 00:00:00 2001 From: "bugreport%peshkin.net" <> Date: Mon, 12 Jul 2004 10:48:45 +0000 Subject: Backing out bug 241900 --- Bugzilla/Auth/Verify/DB.pm | 132 ----------------------------- Bugzilla/Auth/Verify/LDAP.pm | 193 ------------------------------------------- 2 files changed, 325 deletions(-) delete mode 100644 Bugzilla/Auth/Verify/DB.pm delete mode 100644 Bugzilla/Auth/Verify/LDAP.pm (limited to 'Bugzilla/Auth/Verify') diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm deleted file mode 100644 index 4db34b5cf..000000000 --- a/Bugzilla/Auth/Verify/DB.pm +++ /dev/null @@ -1,132 +0,0 @@ -# -*- Mode: perl; indent-tabs-mode: nil -*- -# -# The contents of this file are subject to the Mozilla Public -# License Version 1.1 (the "License"); you may not use this file -# except in compliance with the License. You may obtain a copy of -# the License at http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS -# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or -# implied. See the License for the specific language governing -# rights and limitations under the License. -# -# The Original Code is the Bugzilla Bug Tracking System. -# -# The Initial Developer of the Original Code is Netscape Communications -# Corporation. Portions created by Netscape are -# Copyright (C) 1998 Netscape Communications Corporation. All -# Rights Reserved. -# -# Contributor(s): Terry Weissman -# Dan Mosedale -# Joe Robins -# Dave Miller -# Christopher Aillon -# Gervase Markham -# Christian Reis -# Bradley Baetz -# Erik Stambaugh - -package Bugzilla::Auth::Verify::DB; - -use strict; - -use Bugzilla::Config; -use Bugzilla::Constants; -use Bugzilla::Util; - -# can_edit is now a hash. - -my $can_edit = { - 'new' => 1, - 'userid' => 0, - 'login_name' => 1, - 'realname' => 1, -}; - -sub authenticate { - my ($class, $username, $passwd) = @_; - - return (AUTH_NODATA) unless defined $username && defined $passwd; - - # We're just testing against the db: any value is ok - trick_taint($username); - - my $userid = $class->get_id_from_username($username); - return (AUTH_LOGINFAILED) unless defined $userid; - - return (AUTH_LOGINFAILED, $userid) - unless $class->check_password($userid, $passwd); - - # The user's credentials are okay, so delete any outstanding - # password tokens they may have generated. - require Bugzilla::Token; - Bugzilla::Token::DeletePasswordTokens($userid, "user_logged_in"); - - # Account may have been disabled - my $disabledtext = $class->get_disabled($userid); - return (AUTH_DISABLED, $userid, $disabledtext) - if $disabledtext ne ''; - - return (AUTH_OK, $userid); -} - -sub get_id_from_username { - my ($class, $username) = @_; - my $dbh = Bugzilla->dbh; - my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " . - "WHERE login_name=?"); - my ($userid) = $dbh->selectrow_array($sth, undef, $username); - return $userid; -} - -sub get_disabled { - my ($class, $userid) = @_; - my $dbh = Bugzilla->dbh; - my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " . - "WHERE userid=?"); - my ($text) = $dbh->selectrow_array($sth, undef, $userid); - return $text; -} - -sub check_password { - my ($class, $userid, $passwd) = @_; - my $dbh = Bugzilla->dbh; - my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " . - "WHERE userid=?"); - my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid); - - # Get the salt from the user's crypted password. - my $salt = $realcryptpwd; - - # Using the salt, crypt the password the user entered. - my $enteredCryptedPassword = crypt($passwd, $salt); - - return $enteredCryptedPassword eq $realcryptpwd; -} - -sub change_password { - my ($class, $userid, $password) = @_; - my $dbh = Bugzilla->dbh; - my $cryptpassword = Crypt($password); - $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?", - undef, $cryptpassword, $userid); -} - -1; - -__END__ - -=head1 NAME - -Bugzilla::Auth::Verify::DB - database authentication for Bugzilla - -=head1 SUMMARY - -This is an L for -Bugzilla, which logs the user in using the password stored in the C -table. This is the most commonly used authentication module. - -=head1 SEE ALSO - -L diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm deleted file mode 100644 index 737827ee0..000000000 --- a/Bugzilla/Auth/Verify/LDAP.pm +++ /dev/null @@ -1,193 +0,0 @@ -# -*- Mode: perl; indent-tabs-mode: nil -*- -# -# The contents of this file are subject to the Mozilla Public -# License Version 1.1 (the "License"); you may not use this file -# except in compliance with the License. You may obtain a copy of -# the License at http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS -# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or -# implied. See the License for the specific language governing -# rights and limitations under the License. -# -# The Original Code is the Bugzilla Bug Tracking System. -# -# The Initial Developer of the Original Code is Netscape Communications -# Corporation. Portions created by Netscape are -# Copyright (C) 1998 Netscape Communications Corporation. All -# Rights Reserved. -# -# Contributor(s): Terry Weissman -# Dan Mosedale -# Joe Robins -# Dave Miller -# Christopher Aillon -# Gervase Markham -# Christian Reis -# Bradley Baetz -# Erik Stambaugh - -package Bugzilla::Auth::Verify::LDAP; - -use strict; - -use Bugzilla::Config; -use Bugzilla::Constants; - -use Net::LDAP; - -# can_edit is now a hash. - -my $can_edit = { - 'new' => 0, - 'userid' => 0, - 'login_name' => 0, - 'realname' => 0, -}; - -sub authenticate { - my ($class, $username, $passwd) = @_; - - # If no password was provided, then fail the authentication. - # While it may be valid to not have an LDAP password, when you - # bind without a password (regardless of the binddn value), you - # will get an anonymous bind. I do not know of a way to determine - # whether a bind is anonymous or not without making changes to the - # LDAP access control settings - return (AUTH_NODATA) unless $username && $passwd; - - # We need to bind anonymously to the LDAP server. This is - # because we need to get the Distinguished Name of the user trying - # to log in. Some servers (such as iPlanet) allow you to have unique - # uids spread out over a subtree of an area (such as "People"), so - # just appending the Base DN to the uid isn't sufficient to get the - # user's DN. For servers which don't work this way, there will still - # be no harm done. - my $LDAPserver = Param("LDAPserver"); - if ($LDAPserver eq "") { - return (AUTH_ERROR, undef, "server_not_defined"); - } - - my $LDAPport = "389"; # default LDAP port - if($LDAPserver =~ /:/) { - ($LDAPserver, $LDAPport) = split(":",$LDAPserver); - } - my $LDAPconn = Net::LDAP->new($LDAPserver, port => $LDAPport, version => 3); - if(!$LDAPconn) { - return (AUTH_ERROR, undef, "connect_failed"); - } - - my $mesg; - if (Param("LDAPbinddn")) { - my ($LDAPbinddn,$LDAPbindpass) = split(":",Param("LDAPbinddn")); - $mesg = $LDAPconn->bind($LDAPbinddn, password => $LDAPbindpass); - } - else { - $mesg = $LDAPconn->bind(); - } - if($mesg->code) { - return (AUTH_ERROR, undef, - "connect_failed", - { errstr => $mesg->error }); - } - - # We've got our anonymous bind; let's look up this user. - $mesg = $LDAPconn->search( base => Param("LDAPBaseDN"), - scope => "sub", - filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')', - attrs => ['dn'], - ); - return (AUTH_LOGINFAILED, undef, "lookup_failure") - unless $mesg->count; - - # Now we get the DN from this search. - my $userDN = $mesg->shift_entry->dn; - - # Now we attempt to bind as the specified user. - $mesg = $LDAPconn->bind( $userDN, password => $passwd); - - return (AUTH_LOGINFAILED) if $mesg->code; - - # And now we're going to repeat the search, so that we can get the - # mail attribute for this user. - $mesg = $LDAPconn->search( base => Param("LDAPBaseDN"), - scope => "sub", - filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')', - ); - my $user_entry = $mesg->shift_entry if !$mesg->code && $mesg->count; - if(!$user_entry || !$user_entry->exists(Param("LDAPmailattribute"))) { - return (AUTH_ERROR, undef, - "cannot_retreive_attr", - { attr => Param("LDAPmailattribute") }); - } - - # get the mail attribute - $username = $user_entry->get_value(Param("LDAPmailattribute")); - # OK, so now we know that the user is valid. Lets try finding them in the - # Bugzilla database - - # XXX - should this part be made more generic, and placed in - # Bugzilla::Auth? Lots of login mechanisms may have to do this, although - # until we actually get some more, its hard to know - BB - - my $dbh = Bugzilla->dbh; - my $sth = $dbh->prepare_cached("SELECT userid, disabledtext " . - "FROM profiles " . - "WHERE login_name=?"); - my ($userid, $disabledtext) = - $dbh->selectrow_array($sth, - undef, - $username); - - # If the user doesn't exist, then they need to be added - unless ($userid) { - # We'll want the user's name for this. - my $userRealName = $user_entry->get_value("displayName"); - if($userRealName eq "") { - $userRealName = $user_entry->get_value("cn"); - } - &::InsertNewUser($username, $userRealName); - - ($userid, $disabledtext) = $dbh->selectrow_array($sth, - undef, - $username); - return (AUTH_ERROR, $userid, "no_userid") - unless $userid; - } - - # we're done, so disconnect - $LDAPconn->unbind; - - # Test for disabled account - return (AUTH_DISABLED, $userid, $disabledtext) - if $disabledtext ne ''; - - # If we get to here, then the user is allowed to login, so we're done! - return (AUTH_OK, $userid); -} - -1; - -__END__ - -=head1 NAME - -Bugzilla::Auth::Verify::LDAP - LDAP based authentication for Bugzilla - -This is an L for -Bugzilla, which logs the user in using an LDAP directory. - -=head1 DISCLAIMER - -B. It is poorly documented, and not very flexible. -Search L for a list of known LDAP bugs. - -None of the core Bugzilla developers, nor any of the large installations, use -this module, and so it has received less testing. (In fact, this iteration -hasn't been tested at all) - -Patches are accepted. - -=head1 SEE ALSO - -L -- cgit v1.2.3-24-g4f1b