# Rights Reserved.
#
# Contributor(s): Bradley Baetz <bbaetz@student.usyd.edu.au>
+# Erik Stambaugh <erik@dasbistro.com>
#
package Bugzilla;
return $_user;
}
+
+
+my $current_login_method = undef;
+
sub login {
my ($class, $type) = @_;
$type = LOGIN_NORMAL unless defined $type;
- # For now, we can only log in from a cgi
- # One day, we'll be able to log in via apache auth, an email message's
- # PGP signature, and so on
+ # Log in using whatever methods are defined in user_info_method
+
+ my $userid;
+ for my $method (split(/,\s*/, Param('user_info_method'))) {
+ require "Bugzilla/Auth/Login/" . $method . ".pm";
+ $userid = "Bugzilla::Auth::Login::$method"->login($type);
+ if ($userid) {
+ $current_login_method = "Bugzilla::Auth::Login::$method";
+ last;
+ }
+ }
- use Bugzilla::Auth::CGI;
- my $userid = Bugzilla::Auth::CGI->login($type);
if ($userid) {
$_user = new Bugzilla::User($userid);
}
$option = LOGOUT_CURRENT unless defined $option;
- use Bugzilla::Auth::CGI;
- Bugzilla::Auth::CGI->logout($_user, $option);
- if ($option != LOGOUT_KEEP_CURRENT) {
- Bugzilla::Auth::CGI->clear_browser_cookies();
- logout_request();
+ # $current_login_method is defined when the user's login information is
+ # found. If it's not defined, the user shouldn't be logged in.
+ if ($current_login_method) {
+ $current_login_method->logout($_user, $option);
+ if ($option != LOGOUT_KEEP_CURRENT) {
+ $current_login_method->clear_browser_cookies();
+ logout_request();
+ }
}
}
my ($class, $user) = @_;
# When we're logging out another user we leave cookies alone, and
# therefore avoid calling logout() directly.
- use Bugzilla::Auth::CGI;
- Bugzilla::Auth::CGI->logout($user, LOGOUT_ALL);
+ if ($current_login_method) {
+ $current_login_method->logout($_user, LOGOUT_ALL);
+ }
}
# just a compatibility front-end to logout_user that gets a user by id
# XXX clean these up eventually
delete $::COOKIE{"Bugzilla_login"};
# NB - Can't delete from $cgi->cookie, so the logincookie data will
- # remain there; it's only used in Bugzilla::Auth::CGI->logout anyway
+ # remain there; it's only used in Bugzilla::Auth::Login::CGI->logout anyway
# People shouldn't rely on the cookie param for the username
# - use Bugzilla->user instead!
}
# Rights Reserved.
#
# Contributor(s): Bradley Baetz <bbaetz@acm.org>
+# Erik Stambaugh <erik@dasbistro.com>
package Bugzilla::Auth;
use Bugzilla::Config;
use Bugzilla::Constants;
-# 'inherit' from the main loginmethod
+# This is here for lack of a better place for it. I considered making it
+# part of the user object, but that object doesn't necessarily point to a
+# currently authenticated user.
+#
+# I'm willing to accept suggestions for somewhere else to put it.
+my $current_verify_method = undef;
+
+# 'inherit' from the main verify method
BEGIN {
- my $loginmethod = Param("loginmethod");
- if ($loginmethod =~ /^([A-Za-z0-9_\.\-]+)$/) {
- $loginmethod = $1;
+ for my $verifymethod (split /,\s*/, Param("user_verify_method")) {
+ if ($verifymethod =~ /^([A-Za-z0-9_\.\-]+)$/) {
+ $verifymethod = $1;
}
else {
- die "Badly-named loginmethod '$loginmethod'";
+ die "Badly-named user_verify_method '$verifymethod'";
}
- require "Bugzilla/Auth/" . $loginmethod . ".pm";
+ require "Bugzilla/Auth/Verify/" . $verifymethod . ".pm";
- our @ISA;
- push (@ISA, "Bugzilla::Auth::" . $loginmethod);
+ }
}
# PRIVATE
return join(".", unpack("CCCC", pack("N", $addr)));
}
+# This is a replacement for the inherited authenticate function
+# go through each of the available methods for each function
+sub authenticate {
+ my $self = shift;
+ my @args = @_;
+ my @firstresult = ();
+ my @result = ();
+ for my $method (split /,\s*/, Param("user_verify_method")) {
+ $method = "Bugzilla::Auth::Verify::" . $method;
+ @result = $method->authenticate(@args);
+ @firstresult = @result unless @firstresult;
+
+ if (($result[0] != AUTH_NODATA)&&($result[0] != AUTH_LOGINFAILED)) {
+ $current_verify_method = $method;
+ return @result;
+ }
+ }
+ @result = @firstresult;
+ # no auth match
+
+ # see if we can set $current to the first verify method that
+ # will allow a new login
+
+ for my $method (split /,\s*/, Param("user_verify_method")) {
+ $method = "Bugzilla::Auth::Verify::" . $method;
+ if ($method::can_edit->{'new'}) {
+ $current_verify_method = $method;
+ }
+ }
+
+ return @result;
+}
+
+sub can_edit {
+ if ($current_verify_method) {
+ return $current_verify_method->{'can_edit'};
+ }
+ return {};
+}
+
1;
__END__
this data to authenticate against the datasource (the Bugzilla DB, LDAP,
cookies, etc).
-The handlers for the various types of authentication
-(DB/LDAP/cookies/etc) provide the actual code for each specific method
-of authentication.
-
-The source modules (currently, only
-L<Bugzilla::Auth::CGI|Bugzilla::Auth::CGI>) then use those methods to do
-the authentication.
-
-I<Bugzilla::Auth> itself inherits from the default authentication handler,
-identified by the I<loginmethod> param.
+Modules for obtaining the data are located under L<Bugzilla::Auth::Login>, and
+modules for authenticating are located in L<Bugzilla::Auth::Verify>.
=head1 METHODS
=head1 AUTHENTICATION
Authentication modules check a user's credentials (username, password,
-etc) to verify who the user is.
+etc) to verify who the user is. The methods that C<Bugzilla::Auth> uses for
+authentication are wrappers that check all configured modules (via the
+C<Param('user_info_method')> and C<Param('user_verify_method')>) in sequence.
=head2 METHODS
=back
+=item C<current_verify_method>
+
+This scalar gets populated with the full name (eg.,
+C<Bugzilla::Auth::Verify::DB>) of the verification method being used by the
+current user. If no user is logged in, it will contain the name of the first
+method that allows new users, if any. Otherwise, it carries an undefined
+value.
+
=item C<can_edit>
-This determines if the user's account details can be modified. If this
-method returns a C<true> value, then accounts can be created and
-modified through the Bugzilla user interface. Forgotten passwords can
-also be retrieved through the L<Token interface|Bugzilla::Token>.
+This determines if the user's account details can be modified. It returns a
+reference to a hash with the keys C<userid>, C<login_name>, and C<realname>,
+which determine whether their respective profile values may be altered, and
+C<new>, which determines if new accounts may be created.
+
+Each user verification method (chosen with C<Param('user_verify_method')> has
+its own set of can_edit values. Calls to can_edit return the appropriate
+values for the current user's login method.
+
+If a user is not logged in, C<can_edit> will contain the values of the first
+verify method that allows new users to be created, if available. Otherwise it
+returns an empty hash.
=back
=head1 LOGINS
A login module can be used to try to log in a Bugzilla user in a
-particular way. For example, L<Bugzilla::Auth::CGI|Bugzilla::Auth::CGI>
+particular way. For example,
+L<Bugzilla::Auth::Login::CGI|Bugzilla::Auth::Login::CGI>
logs in users from CGI scripts, first by using form variables, and then
by trying cookies as a fallback.
=head1 SEE ALSO
-L<Bugzilla::Auth::CGI>, L<Bugzilla::Auth::Cookie>, L<Bugzilla::Auth::DB>
+L<Bugzilla::Auth::Login::CGI>, L<Bugzilla::Auth::Login::CGI::Cookie>, L<Bugzilla::Auth::Verify::DB>
# Gervase Markham <gerv@gerv.net>
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
+# Erik Stambaugh <erik@dasbistro.com>
-package Bugzilla::Auth::CGI;
+package Bugzilla::Auth::Login::CGI;
use strict;
my $username = $cgi->param("Bugzilla_login");
my $passwd = $cgi->param("Bugzilla_password");
- my $authmethod = Param("loginmethod");
+ my $authmethod = Param("user_verify_method");
my ($authres, $userid, $extra, $info) =
Bugzilla::Auth->authenticate($username, $passwd);
$username = $cgi->cookie("Bugzilla_login");
$passwd = $cgi->cookie("Bugzilla_logincookie");
- require Bugzilla::Auth::Cookie;
+ require Bugzilla::Auth::Login::CGI::Cookie;
my $authmethod = "Cookie";
($authres, $userid, $extra) =
- Bugzilla::Auth::Cookie->authenticate($username, $passwd);
+ Bugzilla::Auth::Login::CGI::Cookie->authenticate($username, $passwd);
# If the data for the cookie was incorrect, then treat that as
# NODATA. This could occur if the user's IP changed, for example.
{ 'target' => $cgi->url(-relative=>1),
'form' => \%::FORM,
'mform' => \%::MFORM,
- 'caneditaccount' => Bugzilla::Auth->can_edit,
+ 'caneditaccount' => Bugzilla::Auth->can_edit->{'new'},
}
)
|| ThrowTemplateError($template->error());
=head1 NAME
-Bugzilla::Auth::CGI - CGI-based logins for Bugzilla
+Bugzilla::Auth::Login::CGI - CGI-based logins for Bugzilla
=head1 SUMMARY
using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>.
If no data is present for that, then cookies are tried, using
-L<Bugzilla::Auth::Cookie>.
+L<Bugzilla::Auth::Login::CGI::Cookie>.
=head1 SEE ALSO
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
-package Bugzilla::Auth::Cookie;
+package Bugzilla::Auth::Login::CGI::Cookie;
use strict;
=head1 NAME
-Bugzilla::Cookie - cookie authentication for Bugzilla
+Bugzilla::Auth::Login::CGI::Cookie - cookie authentication for Bugzilla
=head1 SUMMARY
restriction can be specified by the admin via the C<loginnetmask> parameter.
This module does not ever send a cookie (It has no way of knowing when a user
-is successfully logged in). Instead L<Bugzilla::Auth::CGI> handles this.
+is successfully logged in). Instead L<Bugzilla::Auth::Login::CGI> handles this.
=head1 SEE ALSO
-L<Bugzilla::Auth>, L<Bugzilla::Auth::CGI>
+L<Bugzilla::Auth>, L<Bugzilla::Auth::Login::CGI>
# Gervase Markham <gerv@gerv.net>
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
+# Erik Stambaugh <erik@dasbistro.com>
-package Bugzilla::Auth::DB;
+package Bugzilla::Auth::Verify::DB;
use strict;
use Bugzilla::Constants;
use Bugzilla::Util;
+# can_edit is now a hash.
+
+my $can_edit = {
+ 'new' => 1,
+ 'userid' => 0,
+ 'login_name' => 1,
+ 'realname' => 1,
+};
+
sub authenticate {
my ($class, $username, $passwd) = @_;
return (AUTH_OK, $userid);
}
-sub can_edit { return 1; }
-
sub get_id_from_username {
my ($class, $username) = @_;
my $dbh = Bugzilla->dbh;
=head1 NAME
-Bugzilla::Auth::DB - database authentication for Bugzilla
+Bugzilla::Auth::Verify::DB - database authentication for Bugzilla
=head1 SUMMARY
# Gervase Markham <gerv@gerv.net>
# Christian Reis <kiko@async.com.br>
# Bradley Baetz <bbaetz@acm.org>
+# Erik Stambaugh <erik@dasbistro.com>
-package Bugzilla::Auth::LDAP;
+package Bugzilla::Auth::Verify::LDAP;
use strict;
use Net::LDAP;
+# can_edit is now a hash.
+
+my $can_edit = {
+ 'new' => 0,
+ 'userid' => 0,
+ 'login_name' => 0,
+ 'realname' => 0,
+};
+
sub authenticate {
my ($class, $username, $passwd) = @_;
return (AUTH_OK, $userid);
}
-sub can_edit { return 0; }
-
1;
__END__
=head1 NAME
-Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla
+Bugzilla::Auth::Verify::LDAP - LDAP based authentication for Bugzilla
This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
Bugzilla, which logs the user in using an LDAP directory.
# J. Paul Reed <preed@sigkill.com>
# Bradley Baetz <bbaetz@student.usyd.edu.au>
# Christopher Aillon <christopher@aillon.com>
+# Erik Stambaugh <erik@dasbistro.com>
package Bugzilla::Config;
$param{'loginmethod'} = $param{'useLDAP'} ? "LDAP" : "DB";
}
+ # set verify method to whatever loginmethod was
+ if (exists $param{'loginmethod'} && !exists $param{'user_verify_method'}) {
+ $param{'user_verify_method'} = $param{'loginmethod'};
+ delete $param{'loginmethod'};
+ }
+
# --- DEFAULTS FOR NEW PARAMS ---
foreach my $item (@param_list) {
# Bradley Baetz <bbaetz@student.usyd.edu.au>
# Tobias Burnus <burnus@net-b.de>
# Gervase Markham <gerv@gerv.net>
+# Erik Stambaugh <erik@dasbistro.com>
#
#
# Direct any questions on this source code to
# Check for LDAP
###########################################################################
-if (Param('loginmethod') eq 'LDAP') {
- my $netLDAP = have_vers("Net::LDAP", 0);
- if (!$netLDAP && !$silent) {
- print "If you wish to use LDAP authentication, then you must install Net::LDAP\n\n";
+for my $verifymethod (split /,\s*/, Param('user_verify_method')) {
+ if ($verifymethod eq 'LDAP') {
+ my $netLDAP = have_vers("Net::LDAP", 0);
+ if (!$netLDAP && !$silent) {
+ print "If you wish to use LDAP authentication, then you must install Net::LDAP\n\n";
+ }
}
}
# J. Paul Reed <preed@sigkill.com>
# Bradley Baetz <bbaetz@student.usyd.edu.au>
# Joseph Heenan <joseph@heenan.me.uk>
+# Erik Stambaugh <erik@dasbistro.com>
#
# This file defines all the parameters that we have a GUI to edit within
return "";
}
-sub check_loginmethod {
+sub check_user_verify_method {
# doeditparams traverses the list of params, and for each one it checks,
# then updates. This means that if one param checker wants to look at
# other params, it must be below that other one. So you can't have two
# the login method as LDAP, we won't notice, but all logins will fail.
# So don't do that.
- my ($method, $entry) = @_;
- my $res = check_multi($method, $entry);
- return $res if $res;
- if ($method eq 'DB') {
- # No params
- } elsif ($method eq 'LDAP') {
- eval "require Net::LDAP";
- return "Error requiring Net::LDAP: '$@'" if $@;
- return "LDAP servername is missing" unless Param("LDAPserver");
- return "LDAPBaseDN is empty" unless Param("LDAPBaseDN");
- } else {
- return "Unknown loginmethod '$method' in check_loginmethod";
+ my ($list, $entry) = @_;
+ for my $method (split /,\s*/, $list) {
+ my $res = check_multi($method, $entry);
+ return $res if $res;
+ if ($method eq 'DB') {
+ # No params
+ } elsif ($method eq 'LDAP') {
+ eval "require Net::LDAP";
+ return "Error requiring Net::LDAP: '$@'" if $@;
+ return "LDAP servername is missing" unless Param("LDAPserver");
+ return "LDAPBaseDN is empty" unless Param("LDAPBaseDN");
+ } else {
+ return "Unknown user_verify_method '$method' in check_user_verify_method";
+ }
}
return "";
}
default => '',
},
+ # in the future:
+ #
+ # user_verify_method and user_info_method should have choices gathered from
+ # whatever sits in their respective directories
+ #
+ # rather than comma-separated lists, these two should eventually become
+ # arrays, but that requires alterations to editparams first
+
+ {
+ name => 'user_info_method',
+ desc => 'Methods to be used for gathering a user\'s login information.
+ <add>
+ More than one may be selected. If the first one returns nothing,
+ the second is tried, and so on.<br />
+ The types are:
+ <dl>
+ <dt>CGI</dt>
+ <dd>
+ Asks for username and password via CGI form interface.
+ </dd>
+ </dl>',
+ type => 's',
+ choices => [ 'CGI' ],
+ default => 'CGI',
+ checker => \&check_multi
+ },
+
{
- name => 'loginmethod',
- desc => 'The type of login authentication to use:
+ name => 'user_verify_method',
+ desc => 'Methods to be used for verifying (authenticating) information
+ gathered by user_info_method.
+ More than one may be selected. If the first one cannot find the
+ user, the second is tried, and so on.<br />
+ The types are:
<dl>
<dt>DB</dt>
<dd>
</dd>
</dl>',
type => 's',
- choices => [ 'DB', 'LDAP' ],
+ choices => [ 'DB', 'LDAP', 'DB,LDAP', 'LDAP,DB' ],
default => 'DB',
- checker => \&check_loginmethod
+ checker => \&check_user_verify_method
},
{
# Joe Robins <jmrobins@tgix.com>
# Dan Mosedale <dmose@mozilla.org>
# Joel Peshkin <bugreport@peshkin.net>
+# Erik Stambaugh <erik@dasbistro.com>
#
# Direct any questions on this source code to
#
if ($editall) {
print "</TR><TR>\n";
print " <TH ALIGN=\"right\">Password:</TH>\n";
- if(!Bugzilla::Auth->can_edit) {
- print " <TD><FONT COLOR=RED>This site's authentication method does not allow password changes through Bugzilla!</FONT></TD>\n";
- } else {
print qq|
<TD><INPUT TYPE="PASSWORD" SIZE="16" MAXLENGTH="16" NAME="password" VALUE=""><br>
(enter new password to change)
</TD>
|;
- }
print "</TR><TR>\n";
print " <TH ALIGN=\"right\">Disable text:</TH>\n";
sub PutTrailer (@)
{
my (@links) = ("Back to the <a href=\"./\">index</a>");
- if($editall && Bugzilla::Auth->can_edit) {
+ if($editall) {
push(@links,
"<a href=\"editusers.cgi?action=add\">add</a> a new user");
}
}
print "</TR>";
}
- if ($editall && Bugzilla::Auth->can_edit) {
+ if ($editall) {
print "<TR>\n";
my $span = $candelete ? 3 : 2;
print qq{
exit;
}
- if(!Bugzilla::Auth->can_edit) {
- print "The authentication mechanism you are using does not permit accounts to be created from Bugzilla";
- PutTrailer();
- exit;
- }
-
print "<FORM METHOD=POST ACTION=editusers.cgi>\n";
print "<TABLE BORDER=0 CELLPADDING=4 CELLSPACING=0><TR>\n";
exit;
}
- if (!Bugzilla::Auth->can_edit) {
- print "This site's authentication mechanism does not allow new users to be added.";
- PutTrailer();
- exit;
- }
-
# Cleanups and valididy checks
my $realname = trim($::FORM{realname} || '');
# We don't trim the password since that could falsely lead the user
# Update the database with the user's new password if they changed it.
- if ( Bugzilla::Auth->can_edit && $editall && $password ) {
+ if ( $editall && $password ) {
my $passworderror = ValidatePassword($password);
if ( !$passworderror ) {
my $cryptpassword = SqlQuote(Crypt($password));
@additional_files = ();
%exclude_deps = (
'XML::Parser' => ['importxml.pl'],
- 'Net::LDAP' => ['Bugzilla/Auth/LDAP.pm'],
+ 'Net::LDAP' => ['Bugzilla/Auth/Verify/LDAP.pm'],
);
projects / thirdparty / bugzilla.git / commitdiff
