Diffstat (limited to 'Bugzilla/Auth')
-rw-r--r-- | Bugzilla/Auth/Login/WWW.pm | 109 | ||||
-rw-r--r-- | Bugzilla/Auth/Login/WWW/CGI.pm (renamed from Bugzilla/Auth/CGI.pm) | 23 | ||||
-rw-r--r-- | Bugzilla/Auth/Login/WWW/CGI/Cookie.pm (renamed from Bugzilla/Auth/Cookie.pm) | 8 | ||||
-rw-r--r-- | Bugzilla/Auth/README | 138 | ||||
-rw-r--r-- | Bugzilla/Auth/Verify/DB.pm (renamed from Bugzilla/Auth/DB.pm) | 19 | ||||
-rw-r--r-- | Bugzilla/Auth/Verify/LDAP.pm (renamed from Bugzilla/Auth/LDAP.pm) | 19 |
6 files changed, 296 insertions, 20 deletions
diff --git a/Bugzilla/Auth/Login/WWW.pm b/Bugzilla/Auth/Login/WWW.pm
new file mode 100644
index 000000000..2c45562d2
--- /dev/null
+++ b/Bugzilla/Auth/Login/WWW.pm
@@ -0,0 +1,109 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Erik Stambaugh <erik@dasbistro.com>
+
+package Bugzilla::Auth::Login::WWW;
+
+use strict;
+
+use Bugzilla::Constants;
+use Bugzilla::Config;
+
+# $current_login_class stores the name of the login style that succeeded.
+my $current_login_class = undef;
+sub login_class {
+ my ($class, $type) = @_;
+ if ($type) {
+ $current_login_class = $type;
+ }
+ return $current_login_class;
+}
+
+sub login {
+ my ($class, $type) = @_;
+
+ my $user = Bugzilla->user;
+
+ # Avoid double-logins, which may confuse the auth code
+ # (double cookies, odd compat code settings, etc)
+ # This is particularly important given the munging for
+ # $::COOKIE{'Bugzilla_login'} from a userid to a loginname
+ # (for backwards compat)
+ if (defined $user) {
+ return $user;
+ }
+
+ $type = LOGIN_NORMAL unless defined $type;
+
+ # Log in using whatever methods are defined in user_info_class.
+ # Please note the particularly strange way require() and the function
+ # calls are being done, because we're calling a module that's named in
+ # a string. I assure you it works, and it avoids the need for an eval().
+ my $userid;
+ for my $login_class (split(/,\s*/, Param('user_info_class'))) {
+ require "Bugzilla/Auth/Login/WWW/" . $login_class . ".pm";
+ $userid = "Bugzilla::Auth::Login::WWW::$login_class"->login($type);
+ if ($userid) {
+ $class->login_class("Bugzilla::Auth::Login::WWW::$login_class");
+ last;
+ }
+ }
+
+ if ($userid) {
+ $user = new Bugzilla::User($userid);
+
+ # Compat stuff
+ $::userid = $userid;
+
+ # Evil compat hack. The cookie stores the id now, not the name, but
+ # old code still looks at this to get the current user's email
+ # so it needs to be set.
+ $::COOKIE{'Bugzilla_login'} = $user->login;
+ } else {
+ Bugzilla->logout_request();
+ }
+ return $user;
+}
+
+sub logout {
+ my ($class, $user, $option) = @_;
+ if ($class->login_class) {
+ $class->login_class->logout($user, $option);
+ }
+}
+
+1;
+
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::Login::WWW - WWW login information gathering module
+
+=head1 METHODS
+
+=item C<login>
+
+Passes C<login> calls to each class defined in the param C<user_info_class>
+and returns a C<Bugzilla::User> object from the first one that successfully
+gathers user login information.
+
+
diff --git a/Bugzilla/Auth/CGI.pm b/Bugzilla/Auth/Login/WWW/CGI.pm
index 471e538e9..fb00cd018 100644
--- a/Bugzilla/Auth/CGI.pm
+++ b/Bugzilla/Auth/Login/WWW/CGI.pm
@@ -25,8 +25,9 @@ # Gervase Markham <gerv@gerv.net> # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> +# Erik Stambaugh <erik@dasbistro.com> -package Bugzilla::Auth::CGI; +package Bugzilla::Auth::Login::WWW::CGI; use strict;
@@ -49,7 +50,7 @@ sub login { my $username = $cgi->param("Bugzilla_login"); my $passwd = $cgi->param("Bugzilla_password"); - my $authmethod = Param("loginmethod"); + my $authmethod = Param("user_verify_class"); my ($authres, $userid, $extra, $info) = Bugzilla::Auth->authenticate($username, $passwd);
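Review bot: The `require "Bugzilla/Auth/Login/WWW/" . $login_class . ".pm"` line in `login` interpolates each entry of the `user_info_class` param into a file path and then a package name with no validation, so a malformed entry (stray whitespace, `..`, `::`) fails with an obscure compile error instead of a clear configuration error; a check such as `$login_class =~ /\A\w+\z/ or die "Invalid user_info_class entry: $login_class";` before the require keeps the lookup confined to that directory. `$current_login_class` is a file-scoped lexical that is set only on a successful login and never cleared, so under a persistent interpreter a request in which every class fails would leave `logout` dispatching to the class chosen by an earlier request, and in a plain CGI such a request leaves `logout` with nothing to dispatch to at all — confirm which deployment model is intended. `new Bugzilla::User($userid)` is indirect object syntax; `Bugzilla::User->new($userid)` is the unambiguous spelling. The POD uses `=item C<login>` without an enclosing `=over`/`=back`, which podchecker reports as an error.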
@@ -98,11 +99,11 @@ sub login { $username = $cgi->cookie("Bugzilla_login"); $passwd = $cgi->cookie("Bugzilla_logincookie"); - require Bugzilla::Auth::Cookie; + require Bugzilla::Auth::Login::WWW::CGI::Cookie; my $authmethod = "Cookie"; ($authres, $userid, $extra) = - Bugzilla::Auth::Cookie->authenticate($username, $passwd); + Bugzilla::Auth::Login::WWW::CGI::Cookie->authenticate($username, $passwd); # If the data for the cookie was incorrect, then treat that as # NODATA. This could occur if the user's IP changed, for example. @@ -143,7 +144,8 @@ sub login { { 'target' => $cgi->url(-relative=>1), 'form' => \%::FORM, 'mform' => \%::MFORM, - 'caneditaccount' => Bugzilla::Auth->can_edit, + 'caneditaccount' => Bugzilla::Auth->can_edit('new'), + 'has_db' => Bugzilla::Auth->has_db, } ) || ThrowTemplateError($template->error()); @@ -216,7 +218,12 @@ sub logout { undef, $cookie, $user->id); } else { die("Invalid option $option supplied to logout()"); - } + } + + if ($option != LOGOUT_KEEP_CURRENT) { + clear_browser_cookies(); + Bugzilla->logout_request(); + } } sub clear_browser_cookies { @@ -233,7 +240,7 @@ __END__ =head1 NAME -Bugzilla::Auth::CGI - CGI-based logins for Bugzilla +Bugzilla::Auth::Login::WWW::CGI - CGI-based logins for Bugzilla =head1 SUMMARY @@ -246,7 +253,7 @@ Users are first authenticated against the default authentication handler, using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>. If no data is present for that, then cookies are tried, using -L<Bugzilla::Auth::Cookie>. +L<Bugzilla::Auth::Login::WWW::CGI::Cookie>. =head1 SEE ALSO diff --git a/Bugzilla/Auth/Cookie.pm b/Bugzilla/Auth/Login/WWW/CGI/Cookie.pm index b50acbe24..84f2b27a8 100644 --- a/Bugzilla/Auth/Cookie.pm +++ b/Bugzilla/Auth/Login/WWW/CGI/Cookie.pm @@ -26,7 +26,7 @@ # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> -package Bugzilla::Auth::Cookie; +package Bugzilla::Auth::Login::WWW::CGI::Cookie; use strict; 
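Review bot: The new `'has_db' => Bugzilla::Auth->has_db` template argument calls a method that no file in this diffstat defines, and `Bugzilla::Auth->can_edit` now receives a `'new'` argument, so both depend on matching changes to Bugzilla/Auth.pm that lie outside the `Bugzilla/Auth/` path filter of this view; if that file was not updated in the same commit, rendering the login template will die at request time for every unauthenticated user. It would be worth confirming that `Bugzilla::Auth::can_edit` forwards `$type` to the configured Verify module rather than ignoring it, since the Verify modules in this commit now key their answer on that argument. The enclosing `login` function starts and ends outside the hunk.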
@@ -93,7 +93,7 @@ __END__ =head1 NAME -Bugzilla::Cookie - cookie authentication for Bugzilla +Bugzilla::Auth::Login::WWW::CGI::Cookie - cookie authentication for Bugzilla =head1 SUMMARY @@ -108,8 +108,8 @@ restricted to certain IP addresses as a security meaure. The exact restriction can be specified by the admin via the C<loginnetmask> parameter. This module does not ever send a cookie (It has no way of knowing when a user -is successfully logged in). Instead L<Bugzilla::Auth::CGI> handles this. +is successfully logged in). Instead L<Bugzilla::Auth::Login::WWW::CGI> handles this. =head1 SEE ALSO -L<Bugzilla::Auth>, L<Bugzilla::Auth::CGI> +L<Bugzilla::Auth>, L<Bugzilla::Auth::Login::WWW::CGI> diff --git a/Bugzilla/Auth/README b/Bugzilla/Auth/README new file mode 100644 index 000000000..c765d4971 --- /dev/null +++ b/Bugzilla/Auth/README 
@@ -0,0 +1,138 @@
+How Auth Works
+==============
+Christian Reis <kiko@async.com.br>
+
+Overview
+--------
+
+Authentication in Bugzilla is handled by a collection of modules that live in
+the Bugzilla::Auth package. These modules are organized hierarchically based
+upon their responsibility.
+
+The authentication scheme is divided in two tasks: Login and Verify. Login
+involves gathering credentials from a user, while Verify validates them
+against an authentication service.
+
+The Bugzilla parameters user_info_class and user_verify_class contain a
+list of Login and Verify modules, respectively.
+
+Task: Login
+-----------
+
+This task obtains user credentials based on a request. Examples of requests
+include CGI access from the Bugzilla web interface, email submissions and
+credentials supplied by standalone scripts.
+
+Each type of Bugzilla front-end should have its own package. For instance,
+access via the Bugzilla web pages should go through Bugzilla::Auth::WWW.
+These packages would contain modules of their own to perform whatever extra
+functions are needed, like the CGI and Cookie modules in the case of WWW.
+
+Task: Verify
+------------
+
+This task validates user credentials against a user authentication service.
+
+The default service in Bugzilla has been the database, which stores the
+login_name and cryptpasswd fields in the profiles table. An alternative means
+of validation, LDAP, is already supported, and other contributions would be
+appreciated.
+
+The module layout is similar to the Login package, but there is no need for a
+sub-level as there is with Login request types.
+
+Params
+------
+
+There are two params that define behaviour for each authentication task. Each
+of them defines a comma-separated list of modules to be tried in order.
+
+ - user_info_class determines the module(s) used to obtain user
+ credentials. This param is specific to the requests from Bugzilla web
+ pages, so all of the listed modules live under
+ Bugzilla::Auth::Login::WWW
+
+ - user_verify_class determines the module(s) used to verify credentials.
+ This param is general and concerns the whole Bugzilla instance, since
+ the same back end should be used regardless of what front end is used.
+
+Responsibilities
+----------------
+
+Bugzilla::Auth
+
+ This module is responsible for abstracting away as much as possible the
+ login and logout tasks in Bugzilla.
+
+ It offers login() and logout() methods that are proxied to the selected
+ login and verify packages.
+
+Bugzilla::Auth::Login
+
+ This is a container to hold the various modules for each request type.
+
+Bugzilla::Auth::Login::WWW
+
+ This module is responsible for abstracting away details of which web-based
+ login modules exist and are in use. It offers login() and logout() methods
+ that proxy through to whatever specific modules
+
+Bugzilla::Auth::Verify
+
+ This module is responsible for abstracting away details of which
+ credential verification modules exist, and should proxy calls through to
+ them. There is a method that is particularly important, and which should
+ be proxied through to the specific:
+
+ can_edit($type)
+
+ This method takes an argument that specifies what sort of change
+ is being requested; the specific module should return 1 or 0 based
+ on the fact that it implements or not the required change.
+
+ Current values for $type are "new" for new accounts, and "userid",
+ "login_name", "realname" for their respective fields.
+
+Specific Login Modules
+----------------------
+
+ WWW
+
+ The main authentication frontend; regular pages (CGIs) should use only
+ this module. It offers a convenient frontend to the main functionality
+ that CGIs need, using form parameters and cookies.
+
+ - Cookie
+
+ Implements part of the backend code that deals with browser
+ cookies. It's actually tied in to DB.pm, so Cookie logins that use
+ LDAP won't work at all.
+
+ LDAP
+
+ The other authentication module is LDAP-based; it is *only* used for
+ password authentication and not for any other login-related task (it
+ actually relies on the database to handle the profile information).
+
+Legacy
+------
+
+Bugzilla.pm
+
+ There is glue code that currently lives in the top-level module
+ Bugzilla.pm; this module handles backwards-compatibility data that is used
+ in a number of CGIs. This data has been slowly removed from the Bugzilla
+ pages and eventually should go away completely, at which point Bugzilla.pm
+ will be just a wrapper to conveniently offer template, cgi, dbh and user
+ variables.
+
+ This module is meant to be used only by Bugzilla pages, and in the case of
+ a reorganization which moves CGI-specific code to a subdirectory,
+ Bugzilla.pm should go with it.
+
+$::COOKIE
+
+ There are still instances of use of $::COOKIE to obtain Logincookie
+ information; these should be removed as well.
+
+
diff --git a/Bugzilla/Auth/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index dee3b5db9..ec13bacf8 100644
--- a/Bugzilla/Auth/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -25,8 +25,9 @@ # Gervase Markham <gerv@gerv.net> # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> +# Erik Stambaugh <erik@dasbistro.com> -package Bugzilla::Auth::DB; +package Bugzilla::Auth::Verify::DB; use strict;
@@ -34,6 +35,18 @@ use Bugzilla::Config; use Bugzilla::Constants; use Bugzilla::Util; +my $edit_options = { + 'new' => 1, + 'userid' => 0, + 'login_name' => 1, + 'realname' => 1, +}; + +sub can_edit { + my ($class, $type) = @_; + return $edit_options->{$type}; +} + sub authenticate { my ($class, $username, $passwd) = @_;
@@ -61,8 +74,6 @@ sub authenticate { return (AUTH_OK, $userid); } -sub can_edit { return 1; } - sub get_id_from_username { my ($class, $username) = @_; my $dbh = Bugzilla->dbh;
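Review bot: `can_edit` in the `@@ -34,6 +35,18 @@` hunk returns `undef` for any `$type` that is not a key of `$edit_options`, so a misspelled type such as `can_edit('loginname')` is silently treated as not editable instead of surfacing the programming error, while the README added by this commit describes the method as returning 1 or 0. A guard such as `exists $edit_options->{$type} or die "Unknown can_edit type '$type'";` before the return makes the contract explicit and keeps the fail-closed behaviour for the known keys. The same code is duplicated in Bugzilla/Auth/Verify/LDAP.pm's `can_edit` and should carry the same check. A short comment above `$edit_options` naming the accepted types, e.g. `# Account fields this back end lets Bugzilla change: new, userid, login_name, realname`, would also help the next Verify module author.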
@@ -111,7 +122,7 @@ __END__ =head1 NAME -Bugzilla::Auth::DB - database authentication for Bugzilla +Bugzilla::Auth::Verify::DB - database authentication for Bugzilla =head1 SUMMARY diff --git a/Bugzilla/Auth/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm index c34c3698f..d5b115ca0 100644 --- a/Bugzilla/Auth/LDAP.pm +++ b/Bugzilla/Auth/Verify/LDAP.pm @@ -25,8 +25,9 @@ # Gervase Markham <gerv@gerv.net> # Christian Reis <kiko@async.com.br> # Bradley Baetz <bbaetz@acm.org> +# Erik Stambaugh <erik@dasbistro.com> -package Bugzilla::Auth::LDAP; +package Bugzilla::Auth::Verify::LDAP; use strict; @@ -35,6 +36,18 @@ use Bugzilla::Constants; use Net::LDAP; +my $edit_options = { + 'new' => 0, + 'userid' => 0, + 'login_name' => 0, + 'realname' => 0, +}; + +sub can_edit { + my ($class, $type) = @_; + return $edit_options->{$type}; +} + sub authenticate { my ($class, $username, $passwd) = @_; @@ -156,15 +169,13 @@ sub authenticate { return (AUTH_OK, $userid); } -sub can_edit { return 0; } - 1; __END__ =head1 NAME -Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla +Bugzilla::Auth::Verify::LDAP - LDAP based authentication for Bugzilla This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for Bugzilla, which logs the user in using an LDAP directory. |