From 3cf3faf600249981e3903978b1501fffaabf7e0f Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@mozilla.com>
Date: Mon, 1 Jun 2015 21:08:19 -0400
Subject: Bug 1163760: Backport upstream bug 1144468 to bmo to add
 authentication delegation

---
 Bugzilla/Token.pm | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

(limited to 'Bugzilla/Token.pm')

diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 750c36435..7edcd4226 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -40,10 +40,12 @@ use Date::Format;
 use Date::Parse;
 use File::Basename;
 use Digest::MD5 qw(md5_hex);
+use Digest::SHA qw(hmac_sha256_base64);
 
 use base qw(Exporter);
 
 @Bugzilla::Token::EXPORT = qw(issue_api_token issue_session_token
+                              issue_auth_delegation_token check_auth_delegation_token
                               check_token_data delete_token
                               issue_hash_token check_hash_token);
 
@@ -65,6 +67,37 @@ sub issue_api_token {
     return $token // _create_token($user->id, 'api_token', '');
 }
 
+sub issue_auth_delegation_token {
+    my ($uri) = @_;
+    my $dbh  = Bugzilla->dbh;
+    my $user = Bugzilla->user;
+    my $checksum = hmac_sha256_base64($user->id, $uri, Bugzilla->localconfig->{'site_wide_secret'});
+
+    return _create_token($user->id, 'auth_delegation', $checksum);
+}
+
+sub check_auth_delegation_token {
+    my ($token, $uri) = @_;
+    my $dbh  = Bugzilla->dbh;
+    my $user = Bugzilla->user;
+
+    my ($eventdata) = $dbh->selectrow_array("
+        SELECT eventdata FROM tokens
+         WHERE token = ? AND tokentype = 'auth_delegation'
+               AND (" . $dbh->sql_date_math('issuedate', '+', (MAX_TOKEN_AGE * 24 - 12), 'HOUR') . ") > NOW()",
+        undef, $token);
+
+    if ($eventdata) {
+        my $checksum = hmac_sha256_base64($user->id, $uri, Bugzilla->localconfig->{'site_wide_secret'});
+        if ($eventdata eq $checksum) {
+            delete_token($token);
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
 # Creates and sends a token to create a new user account.
 # It assumes that the login has the correct format and is not already in use.
 sub issue_new_user_account_token {
@@ -628,6 +661,23 @@ although they can be used separately.
 
  Returns:     A unique token.
 
+=item C<issue_auth_delegation_token($uri)>
+
+ Description: Creates and returns a token used to validate auth delegation confirmations.
+
+ Params:      $uri - The uri that auth will be delegated to.
+
+ Returns:     A unique token.
+
+=item C<check_auth_delegation_token($token, $uri)>
+
+ Description: Checks if a token $token is a confirmation token for $uri.
+
+ Params:      $token - The token returned by issue_auth_delegation_token()
+              $uri - The uri that auth will be delegated to.
+
+ Returns:     a boolean value
+
 =item C<check_token_data($token, $event)>
 
  Description: Makes sure the $token has been created by the currently logged in
-- 
cgit v1.2.3-24-g4f1b