From: Dylan William Hardison <dylan@hardison.net>
Date: Mon, 24 Aug 2015 18:50:16 +0000 (-0400)
Subject: Bug 1175643 - Rewrite auth delegation to use a server-side POST instead of a client... 
X-Git-Tag: release-5.1.1~184
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07a68c6d4fa62432c9668176b4876133d45cce0e;p=thirdparty%2Fbugzilla.git

Bug 1175643 - Rewrite auth delegation to use a server-side POST instead of a client-side GET to delegate API Key
r/a=dkl
---

diff --git a/auth.cgi b/auth.cgi
index 5da16a914a..8bb6862dc9 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -23,6 +23,8 @@ use Bugzilla::Mailer qw(MessageToMTA);
 use URI;
 use URI::QueryParam;
 use Digest::SHA qw(sha256_hex);
+use LWP::UserAgent ();
+use JSON qw(decode_json encode_json);
 
 Bugzilla->login(LOGIN_REQUIRED);
 
@@ -88,10 +90,39 @@ if ($confirmed || $skip_confirmation) {
         MessageToMTA($message);
     }
 
-    $callback_uri->query_param(client_api_key   => $api_key->api_key);
-    $callback_uri->query_param(client_api_login => $user->login);
-
-    print $cgi->redirect($callback_uri);
+    my $ua = LWP::UserAgent->new();
+    $ua->timeout(2);
+    $ua->protocols_allowed(['http', 'https']);
+    # If the URL of the proxy is given, use it, else get this information
+    # from the environment variable.
+    my $proxy_url = Bugzilla->params->{'proxy_url'};
+    if ($proxy_url) {
+        $ua->proxy(['http', 'https'], $proxy_url);
+    }
+    else {
+        $ua->env_proxy;
+    }
+    my $content = encode_json({ client_api_key => $api_key->api_key,
+                                client_api_login => $user->login });
+    my $resp = $ua->post($callback_uri,
+                         'Content-Type' => 'application/json',
+                         Content => $content);
+    if ($resp->code == 200) {
+        $callback_uri->query_param(client_api_login => $user->login);
+        eval {
+            my $data = decode_json($resp->content);
+            $callback_uri->query_param(callback_result => $data->{result});
+        };
+        if ($@) {
+            ThrowUserError('auth_delegation_json_error', { json_text => $resp->content });
+        }
+        else {
+            print $cgi->redirect($callback_uri);
+        }
+    }
+    else {
+        ThrowUserError('auth_delegation_post_error', { code => $resp->code });
+    }
 }
 else {
     $args{token} = issue_auth_delegation_token($callback);
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 7109285625..81d5055c63 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -140,6 +140,15 @@
     [% title = "Auth delegation can't be confirmed" %]
     Auth delegation cannot be confirmed due to missing or invalid token.
 
+  [% ELSIF error == "auth_delegation_json_error" %]
+    [% title = "Auth delegation received invalid JSON" %]
+    Auth delegation received an invalid JSON response from auth consumer:
+    <pre>[% json_text FILTER html %]</pre>
+
+  [% ELSIF error == "auth_delegation_post_error" %]
+    [% title = "Auth delegation received invalid status code" %]
+    Auth delegation received an HTTP response other than 200 OK from auth consumer. Code: [% code FILTER html %]
+
   [% ELSIF error == "auth_failure" %]
     [% title = "Authorization Required" %]
     [% admindocslinks = {'groups.html' => 'Group Security'} %]