From c8447e9f4b7c17ab0e04af34dbd5583e78b23677 Mon Sep 17 00:00:00 2001
From: David Lawrence <dkl@mozilla.com>
Date: Thu, 29 Jan 2015 17:33:12 +0000
Subject: Bug 1045145: backport upstream bug 726696 to bmo/4.2 to allow use of
 api keys for authentication

---
 Bugzilla/Auth/Login/APIKey.pm | 52 +++++++++++++++++++++++++++++++++++++++++++
 Bugzilla/Auth/Login/Cookie.pm | 17 +++++++++++++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 Bugzilla/Auth/Login/APIKey.pm

(limited to 'Bugzilla/Auth')

diff --git a/Bugzilla/Auth/Login/APIKey.pm b/Bugzilla/Auth/Login/APIKey.pm
new file mode 100644
index 000000000..902ce4da7
--- /dev/null
+++ b/Bugzilla/Auth/Login/APIKey.pm
@@ -0,0 +1,52 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::Auth::Login::APIKey;
+
+use 5.10.1;
+use strict;
+
+use base qw(Bugzilla::Auth::Login);
+
+use Bugzilla::Constants;
+use Bugzilla::User::APIKey;
+use Bugzilla::Util;
+use Bugzilla::Error;
+
+use constant requires_persistence  => 0;
+use constant requires_verification => 0;
+use constant can_login             => 0;
+use constant can_logout            => 0;
+
+# This method is only available to web services. An API key can never
+# be used to authenticate a Web request.
+sub get_login_info {
+    my ($self) = @_;
+    my $params = Bugzilla->input_params;
+    my ($user_id, $login_cookie);
+
+    my $api_key_text = trim(delete $params->{'Bugzilla_api_key'});
+    if (!i_am_webservice() || !$api_key_text) {
+        return { failure => AUTH_NODATA };
+    }
+
+    my $api_key = Bugzilla::User::APIKey->new({ name => $api_key_text });
+
+    if (!$api_key or $api_key->api_key ne $api_key_text) {
+        # The second part checks the correct capitalisation. Silly MySQL
+        ThrowUserError("api_key_not_valid");
+    }
+    elsif ($api_key->revoked) {
+        ThrowUserError('api_key_revoked');
+    }
+
+    $api_key->update_last_used();
+
+    return { user_id => $api_key->user_id };
+}
+
+1;
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index e3b86d384..11d9012b8 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -22,8 +22,9 @@ use base qw(Bugzilla::Auth::Login);
 use fields qw(_login_token);
 
 use Bugzilla::Constants;
-use Bugzilla::Util;
 use Bugzilla::Error;
+use Bugzilla::Token;
+use Bugzilla::Util;
 
 use List::Util qw(first);
 
@@ -57,6 +58,20 @@ sub get_login_info {
                                 @{$cgi->{'Bugzilla_cookie_list'}};
             $user_id = $cookie->value if $cookie;
         }
+
+        # If the call is for a web service, and an api token is provided, check
+        # it is valid.
+        if (i_am_webservice() && Bugzilla->input_params->{Bugzilla_api_token}) {
+            my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
+            my ($token_user_id, undef, undef, $token_type)
+                = Bugzilla::Token::GetTokenData($api_token);
+            if (!defined $token_type
+                || $token_type ne 'api_token'
+                || $user_id != $token_user_id)
+            {
+                ThrowUserError('auth_invalid_token', { token => $api_token });
+            }
+        }
     }
 
     # If no cookies were provided, we also look for a login token
-- 
cgit v1.2.3-24-g4f1b