summaryrefslogtreecommitdiffstats
path: root/extensions/Persona/lib/Login.pm
blob: 9a5e3a5b724ab99d44434f387f0a4486cba558b7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

package Bugzilla::Extension::Persona::Login;

use 5.10.1;
use strict;
use warnings;

use base qw(Bugzilla::Auth::Login);

use Bugzilla::Constants;
use Bugzilla::Util;
use Bugzilla::Error;
use Bugzilla::Token;

use JSON;
use LWP::UserAgent;

use constant requires_verification   => 0;
use constant is_automatic            => 1;
use constant user_can_create_account => 1;

sub get_login_info {
    my ($self) = @_;

    my $cgi = Bugzilla->cgi;

    my $assertion = $cgi->param("persona_assertion");
    # Avoid the assertion being copied into any 'echoes' of the current URL
    # in the page.
    $cgi->delete('persona_assertion');

    if (!$assertion || !Bugzilla->params->{persona_verify_url}) {
        return { failure => AUTH_NODATA };
    }

    my $token = $cgi->param("token");
    $cgi->delete('token');
    check_hash_token($token, ['login']);

    my $urlbase = new URI(Bugzilla->localconfig->{urlbase});
    my $audience = $urlbase->scheme . "://" . $urlbase->host_port;

    my $ua = new LWP::UserAgent( timeout => 10 );
    if (Bugzilla->params->{persona_proxy_url}) {
        $ua->proxy('https', Bugzilla->params->{persona_proxy_url});
    }

    my $response = $ua->post(Bugzilla->params->{persona_verify_url},
                             [ assertion => $assertion,
                               audience  => $audience ]);
    if ($response->is_error) {
        return { failure    => AUTH_ERROR,
                 user_error => 'persona_server_fail',
                 details    => { reason => $response->message }};
    }

    my $info;
    eval {
        $info = decode_json($response->decoded_content());
    };
    if ($@) {
        return { failure    => AUTH_ERROR,
                 user_error => 'persona_server_fail',
                 details    => { reason => 'Received a malformed response.' }};
    }
    if ($info->{'status'} eq 'failure') {
        return { failure    => AUTH_ERROR,
                 user_error => 'persona_server_fail',
                 details    => { reason => $info->{reason} }};
    }

    if ($info->{'status'} eq "okay" &&
        $info->{'audience'} eq $audience &&
        ($info->{'expires'} / 1000) > time())
    {
        my $login_data = {
            'username' => $info->{'email'}
        };

        my $result = Bugzilla::Auth::Verify->create_or_update_user($login_data);
        return $result if $result->{'failure'};

        my $user = $result->{'user'};

        # You can restrict people in a particular group from logging in using
        # Persona by making that group a member of a group called
        # "no-browser-id".
        #
        # If you have your "createemailregexp" set up in such a way that a
        # newly-created account is a member of "no-browser-id", this code will
        # create an account for them and then fail their login. Which isn't
        # great, but they can still use normal-Bugzilla-login password
        # recovery.
        if ($user->in_group('no-browser-id')) {
            return { failure    => AUTH_ERROR,
                     user_error => 'persona_account_too_powerful' };
        }

        if ($user->mfa) {
            return { failure    => AUTH_ERROR,
                     user_error => 'mfa_prevents_login',
                     details    => { provider => 'Persona' } };
        }

        $login_data->{'user'} = $user;
        $login_data->{'user_id'} = $user->id;

        return $login_data;
    }
    else {
        return { failure => AUTH_LOGINFAILED };
    }
}

# Pinched from Bugzilla::Auth::Login::CGI
sub fail_nodata {
    my ($self) = @_;
    my $cgi = Bugzilla->cgi;
    my $template = Bugzilla->template;

    if (Bugzilla->usage_mode != USAGE_MODE_BROWSER) {
        ThrowUserError('login_required');
    }

    print $cgi->header();
    $template->process("account/auth/login.html.tmpl", { 'target' => $cgi->url(-relative=>1) })
        || ThrowTemplateError($template->error());
    exit;
}

1;