From c8447e9f4b7c17ab0e04af34dbd5583e78b23677 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Thu, 29 Jan 2015 17:33:12 +0000
Subject: Bug 1045145: backport upstream bug 726696 to bmo/4.2 to allow use of api keys for authentication
---
 Bugzilla/Token.pm | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)
(limited to 'Bugzilla/Token.pm')
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 24df470ac..769cb8800 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -43,13 +43,28 @@ use Digest::MD5 qw(md5_hex);
 use base qw(Exporter);
-@Bugzilla::Token::EXPORT = qw(issue_session_token check_token_data delete_token
+@Bugzilla::Token::EXPORT = qw(issue_api_token issue_session_token
+ check_token_data delete_token
 issue_hash_token check_hash_token);
 ################################################################################
 # Public Functions
 ################################################################################
+# Create a token used for internal API authentication
+sub issue_api_token {
+ # Generates a random token, adds it to the tokens table if one does not
+ # already exist, and returns the token to the caller.
+ my $dbh = Bugzilla->dbh;
+ my $user = Bugzilla->user;
+ my ($token) = $dbh->selectrow_array("
+ SELECT token FROM tokens
+ WHERE userid = ? AND tokentype = 'api_token'
+ AND (" . $dbh->sql_date_math('issuedate', '+', (MAX_TOKEN_AGE * 24 - 12), 'HOUR') . ") > NOW()",
+ undef, $user->id);
+ return $token // _create_token($user->id, 'api_token', '');
+}
+
 # Creates and sends a token to create a new user account.
 # It assumes that the login has the correct format and is not already in use.
 sub issue_new_user_account_token {
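Review bot: issue_api_token() takes `Bugzilla->user` and passes `$user->id` to both the SELECT and `_create_token()` without checking that the request is authenticated. The callers are outside this file-limited diff, so if any of them can run for a logged-out request the function would presumably look up or create a token row under the anonymous id; a guard inside the function is the safer place, e.g. `return unless $user->id;` right after `my $user = Bugzilla->user;`. Because an existing row is handed out again until 12 hours before it expires, the same value stays usable for most of MAX_TOKEN_AGE days, and nothing visible here removes it on logout or password change. That is worth confirming and stating in the function's comment.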
@@ -233,10 +248,9 @@ sub check_hash_token {
 sub CleanTokenTable {
 my $dbh = Bugzilla->dbh;
- $dbh->do('DELETE FROM tokens
- WHERE ' . $dbh->sql_to_days('NOW()') . ' - ' .
- $dbh->sql_to_days('issuedate') . ' >= ?',
- undef, MAX_TOKEN_AGE);
+ $dbh->do("DELETE FROM tokens WHERE " .
+ $dbh->sql_date_math('issuedate', '+', '?', 'HOUR') . " <= NOW()",
+ undef, MAX_TOKEN_AGE * 24);
 }
 sub GenerateUniqueToken {
@@ -354,7 +368,7 @@ sub GetTokenData {
 trick_taint($token);
 my @token_data = $dbh->selectrow_array(
- "SELECT token, userid, " . $dbh->sql_date_format('issuedate') . ", eventdata
+ "SELECT token, userid, " . $dbh->sql_date_format('issuedate') . ", eventdata, tokentype
 FROM tokens WHERE token = ?", undef, $token);
@@ -486,6 +500,14 @@ Bugzilla::Token - Provides different routines to manage tokens.
 =over
+=item C
+
+ Description: Creates a token that can be used for API calls on the web page.
+
+ Params: None.
+
+ Returns: The token.
+
 =item C
 Description: Creates and sends a token per email to the email address
--
cgit v1.2.3-24-g4f1b
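Review bot: The cutoff `MAX_TOKEN_AGE * 24` in CleanTokenTable() and the reuse window `(MAX_TOKEN_AGE * 24 - 12)` in issue_api_token() are two hand-written copies of the same lifetime, and neither place says they must change together. If one is edited alone, issue_api_token() could return a token that this DELETE removes shortly afterwards. A comment above the `$dbh->do(` call would record the coupling, for example `# Tokens live MAX_TOKEN_AGE * 24 hours; issue_api_token() stops reusing a token 12 hours before this cutoff.` The two statements also differ in style: this one binds the hour count through `'?'`, while issue_api_token() concatenates the constant expression into the SQL text. That is safe for a constant, but binding it in both would be more consistent.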
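Review bot: Selecting `tokentype` in GetTokenData only helps if every consumer compares it, and nothing in this hunk does. The lookup is still `WHERE token = ?`, so a row of any type, including the new `api_token`, is returned for a matching value. GetTokenData starts and ends outside the hunk and its callers are not visible, so each code path that accepts a token should be confirmed to check the fifth element against the type it expects, so that an api_token cannot stand in for another kind of token or the reverse. The return list also grows from four values to five; a comment above the query such as `# Returns (token, userid, issuedate, eventdata, tokentype); callers must verify tokentype.` would make that contract explicit.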