[Bps-public-commit] rt-authen-externalauth branch, multiple-emails, created. 0.09-21-ga5a4f3c
Ruslan Zakirov
ruz at bestpractical.com
Mon May 9 08:40:41 EDT 2011
The branch, multiple-emails has been created
at a5a4f3ca58d257008ac62bdad94f0746a28285c0 (commit)
- Log -----------------------------------------------------------------
commit d1833809f409f2e56a837602970c7f9dfd37042c
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 02:05:39 2011 +0400
PerformSearch function, cut duplicated code
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index 885c7dd..2eb70ef 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -9,7 +9,6 @@ use strict;
require Net::SSLeay if $RT::ExternalServiceUsesSSLorTLS;
sub GetAuth {
-
my ($service, $username, $password) = @_;
my $config = $RT::ExternalSettings->{$service};
@@ -31,36 +30,21 @@ sub GetAuth {
my $ldap = _GetBoundLdapObj($config);
return 0 unless ($ldap);
- $filter = Net::LDAP::Filter->new( '(&(' .
+ $filter = '(&(' .
$attr_map->{'Name'} .
'=' .
$username .
')' .
$filter .
')'
- );
-
- $RT::Logger->debug( "LDAP Search === ",
- "Base:",
- $base,
- "== Filter:",
- $filter->as_string,
- "== Attrs:",
- join(',', at attrs));
-
- my $ldap_msg = $ldap->search( base => $base,
- filter => $filter,
- attrs => \@attrs);
-
- unless ($ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
- $RT::Logger->debug( "search for",
- $filter->as_string,
- "failed:",
- ldap_error_name($ldap_msg->code),
- $ldap_msg->code);
- # Didn't even get a partial result - jump straight to the next external auth service
- return 0;
- }
+ ;
+
+ my $ldap_msg = PerformSearch(
+ $ldap,
+ base => $base,
+ filter => $filter,
+ attrs => \@attrs
+ ) or return 0;;
unless ($ldap_msg->count == 1) {
$RT::Logger->info( $service,
@@ -95,33 +79,13 @@ sub GetAuth {
# The user is authenticated ok, but is there an LDAP Group to check?
if ($group) {
# If we've been asked to check a group...
- $filter = Net::LDAP::Filter->new("(${group_attr}=${ldap_dn})");
-
- $RT::Logger->debug( "LDAP Search === ",
- "Base:",
- $base,
- "== Filter:",
- $filter->as_string,
- "== Attrs:",
- join(',', at attrs));
-
- $ldap_msg = $ldap->search( base => $group,
- filter => $filter,
- attrs => \@attrs,
- scope => 'base');
-
- # And the user isn't a member:
- unless ($ldap_msg->code == LDAP_SUCCESS ||
- $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
- $RT::Logger->critical( "Search for",
- $filter->as_string,
- "failed:",
- ldap_error_name($ldap_msg->code),
- $ldap_msg->code);
-
- # Fail auth - jump to next external auth service
- return 0;
- }
+ $ldap_msg = PerformSearch(
+ $ldap,
+ base => $group,
+ filter => "(${group_attr}=${ldap_dn})",
+ attrs => \@attrs,
+ scope => 'base'
+ ) or return 0;
unless ($ldap_msg->count == 1) {
$RT::Logger->info( $service,
@@ -191,31 +155,15 @@ sub CanonicalizeUserInfo {
# errors should be logged by _GetBoundLdapObj so we don't have to.
return ($found, %params) unless ($ldap);
- # Do a search for them in LDAP
- $RT::Logger->debug( "LDAP Search === ",
- "Base:",
- $base,
- "== Filter:",
- $filter->as_string,
- "== Attrs:",
- join(',', at attrs));
-
- my $ldap_msg = $ldap->search(base => $base,
- filter => $filter,
- attrs => \@attrs);
-
- # If we didn't get at LEAST a partial result, just die now.
- if ($ldap_msg->code != LDAP_SUCCESS and
- $ldap_msg->code != LDAP_PARTIAL_RESULTS) {
- $RT::Logger->critical( (caller(0))[3],
- ": Search for ",
- $filter->as_string,
- " failed: ",
- ldap_error_name($ldap_msg->code),
- $ldap_msg->code);
- # $found remains as 0
-
- # Drop out to the next external information service
+ my $ldap_msg = PerformSearch(
+ $ldap,
+ base => $base,
+ filter => $filter,
+ attrs => \@attrs
+ );
+
+ unless ( $ldap_msg ) {
+ # If we didn't get at LEAST a partial result, just die now.
$ldap_msg = $ldap->unbind();
if ($ldap_msg->code != LDAP_SUCCESS) {
$RT::Logger->critical( (caller(0))[3],
@@ -226,7 +174,6 @@ sub CanonicalizeUserInfo {
undef $ldap;
undef $ldap_msg;
return ($found, %params);
-
} else {
# If there's only one match, we're good; more than one and
# we don't know which is the right one so we skip it.
@@ -274,7 +221,6 @@ sub UserExists {
$RT::Logger->debug("UserExists params:\nusername: $username , service: $service");
my $config = $RT::ExternalSettings->{$service};
- my $base = $config->{'base'};
my $filter = $config->{'filter'};
# While LDAP filters must be surrounded by parentheses, an empty set
@@ -298,20 +244,13 @@ sub UserExists {
my $ldap = _GetBoundLdapObj($config);
return unless $ldap;
- my @attrs = values(%{$config->{'attr_map'}});
-
# Check that the user exists in the LDAP service
- $RT::Logger->debug( "LDAP Search === ",
- "Base:",
- $base,
- "== Filter:",
- $filter->as_string,
- "== Attrs:",
- join(',', at attrs));
-
- my $user_found = $ldap->search( base => $base,
- filter => $filter,
- attrs => \@attrs);
+ my $user_found = PerformSearch(
+ $ldap,
+ base => $config->{'base'},
+ filter => $filter,
+ attrs => ['uid'],
+ ) or return 0;
if($user_found->count < 1) {
# If 0 or negative integer, no user found or major failure
@@ -391,21 +330,13 @@ sub UserDisabled {
my $ldap = _GetBoundLdapObj($config);
next unless $ldap;
- # We only need the UID for confirmation now,
- # the other information would waste time and bandwidth
- my @attrs = ('uid');
-
- $RT::Logger->debug( "LDAP Search === ",
- "Base:",
- $base,
- "== Filter:",
- $search_filter->as_string,
- "== Attrs:",
- join(',', at attrs));
-
- my $disabled_users = $ldap->search(base => $base,
- filter => $search_filter,
- attrs => \@attrs);
+ my $disabled_users = PerformSearch(
+ $ldap,
+ base => $base,
+ filter => $search_filter,
+ attrs => ['uid'], # We only need the UID for confirmation now
+ ) or return 0;
+
# If ANY results are returned,
# we are going to assume the user should be disabled
if ($disabled_users->count) {
@@ -474,6 +405,38 @@ sub _GetBoundLdapObj {
}
}
+sub PerformSearch {
+ my $ldap = shift;
+ my %args = @_;
+
+ $args{'filter'} = Net::LDAP::Filter->new($args{'filter'})
+ if $args{'filter'} && !ref $args{'filter'};
+
+ $RT::Logger->debug(
+ "LDAP Search === ",
+ $args{'base'}? ("Base:", $args{'base'}) : (),
+ $args{'filter'}? ("== Filter:", $args{'filter'}->as_string) : (),
+ $args{'attrs'}? ("== Attrs:", join ',', @{ $args{'attrs'} }) : (),
+ );
+
+ my $res = $ldap->search( %args );
+ return undef unless $res;
+
+ # And the user isn't a member:
+ unless (
+ $res->code == LDAP_SUCCESS
+ || $res->code == LDAP_PARTIAL_RESULTS
+ ) {
+ $RT::Logger->error(
+ "Search for", $args{'filter'}->as_string, "failed:",
+ ldap_error_name($res->code), $res->code
+ );
+
+ return undef;
+ }
+ return $res;
+}
+
# }}}
1;
commit cb0bb4ac403f1c4490886e673f01c488936178b6
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 02:25:54 2011 +0400
Unbind function to get rid of repeated code
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index 2eb70ef..3126d13 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -30,14 +30,10 @@ sub GetAuth {
my $ldap = _GetBoundLdapObj($config);
return 0 unless ($ldap);
- $filter = '(&(' .
- $attr_map->{'Name'} .
- '=' .
- $username .
- ')' .
- $filter .
- ')'
- ;
+ $filter = '(&'
+ .'('. $attr_map->{'Name'} . '=' . $username . ')' .
+ $filter
+ .')';
my $ldap_msg = PerformSearch(
$ldap,
@@ -164,15 +160,7 @@ sub CanonicalizeUserInfo {
unless ( $ldap_msg ) {
# If we didn't get at LEAST a partial result, just die now.
- $ldap_msg = $ldap->unbind();
- if ($ldap_msg->code != LDAP_SUCCESS) {
- $RT::Logger->critical( (caller(0))[3],
- ": Could not unbind: ",
- ldap_error_name($ldap_msg->code),
- $ldap_msg->code);
- }
- undef $ldap;
- undef $ldap_msg;
+ Unbind( $ldap );
return ($found, %params);
} else {
# If there's only one match, we're good; more than one and
@@ -190,28 +178,11 @@ sub CanonicalizeUserInfo {
$found = 1;
} else {
# Drop out to the next external information service
- $ldap_msg = $ldap->unbind();
- if ($ldap_msg->code != LDAP_SUCCESS) {
- $RT::Logger->critical( (caller(0))[3],
- ": Could not unbind: ",
- ldap_error_name($ldap_msg->code),
- $ldap_msg->code);
- }
- undef $ldap;
- undef $ldap_msg;
+ Unbind( $ldap );
return ($found, %params);
}
}
- $ldap_msg = $ldap->unbind();
- if ($ldap_msg->code != LDAP_SUCCESS) {
- $RT::Logger->critical( (caller(0))[3],
- ": Could not unbind: ",
- ldap_error_name($ldap_msg->code),
- $ldap_msg->code);
- }
-
- undef $ldap;
- undef $ldap_msg;
+ Unbind( $ldap );
return ($found, %params);
}
@@ -405,6 +376,19 @@ sub _GetBoundLdapObj {
}
}
+sub Unbind {
+ my $ldap = shift;
+ my $res = $ldap->unbind;
+ return $res if !$res || $res->code == LDAP_SUCCESS;
+
+ $RT::Logger->error(
+ (caller(1))[3], ": Could not unbind: ",
+ ldap_error_name($res->code),
+ $res->code
+ );
+ return $res;
+}
+
sub PerformSearch {
my $ldap = shift;
my %args = @_;
commit f909a6598a80172b230c75b4a52b5375135eb7a5
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 11:28:10 2011 +0400
several level 'if/else' -> one level 'if'
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index 3126d13..ba35a71 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -158,29 +158,19 @@ sub CanonicalizeUserInfo {
attrs => \@attrs
);
- unless ( $ldap_msg ) {
- # If we didn't get at LEAST a partial result, just die now.
- Unbind( $ldap );
- return ($found, %params);
- } else {
- # If there's only one match, we're good; more than one and
- # we don't know which is the right one so we skip it.
- if ($ldap_msg->count == 1) {
- my $entry = $ldap_msg->first_entry();
- foreach my $key (keys(%{$config->{'attr_map'}})) {
- if ($RT::LdapAttrMap->{$key} eq 'dn') {
- $params{$key} = $entry->dn();
- } else {
- $params{$key} =
- ($entry->get_value($config->{'attr_map'}->{$key}))[0];
- }
+ # If there's only one match, we're good; more than one and
+ # we don't know which is the right one so we skip it.
+ if ($ldap_msg && $ldap_msg->count == 1) {
+ my $entry = $ldap_msg->first_entry();
+ foreach my $key (keys(%{$config->{'attr_map'}})) {
+ if ($RT::LdapAttrMap->{$key} eq 'dn') {
+ $params{$key} = $entry->dn();
+ } else {
+ $params{$key} =
+ ($entry->get_value($config->{'attr_map'}->{$key}))[0];
}
- $found = 1;
- } else {
- # Drop out to the next external information service
- Unbind( $ldap );
- return ($found, %params);
}
+ $found = 1;
}
Unbind( $ldap );
commit c553cc0ab13dcd6369449e827b6a0c218fd028b6
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 13:54:56 2011 +0400
avoid array with one undef when empty array expected
diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index f07e17f..8da52d1 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -451,7 +451,7 @@ sub CanonicalizeUserInfo {
sort(keys(%$args))));
# Get the list of defined external services
- my @info_services = $RT::ExternalInfoPriority ? @{$RT::ExternalInfoPriority} : undef;
+ my @info_services = $RT::ExternalInfoPriority ? @{$RT::ExternalInfoPriority} : ();
# For each external service...
foreach my $service (@info_services) {
commit 2363dac2425fa98eb96dc7193f5c0e5a187b589b
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 14:28:39 2011 +0400
valid == 0 is only possible when key is undef
diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index 8da52d1..86d4c68 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -482,23 +482,13 @@ sub CanonicalizeUserInfo {
# Else, use it as a canonicalization key and lookup the user info
my $key = $config->{'attr_map'}->{$rt_attr};
my $value = $args->{$rt_attr};
-
- # Check to see that the key being asked for is defined in the config's attr_map
- my $valid = 0;
- my ($attr_key, $attr_value);
- my $attr_map = $config->{'attr_map'};
- while (($attr_key, $attr_value) = each %$attr_map) {
- $valid = 1 if ($key eq $attr_value);
- }
- unless ($valid){
- $RT::Logger->debug( "This key (",
- $key,
- "is not a valid attribute key (",
- $service,
- ")");
+ unless ( $key ) {
+ $RT::Logger->warning(
+ "No mapping for $rt_attr in attr_map for this service ($service)"
+ );
next;
}
-
+
# Use an if/elsif structure to do a lookup with any custom code needed
# for any given type of external service, or die if no code exists for
# the service requested.
commit 1753b55d8258223775c31fcb0d0501ad3f92af3c
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 14:31:12 2011 +0400
correct log message
diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index 86d4c68..d89ede6 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -460,7 +460,7 @@ sub CanonicalizeUserInfo {
# Get the config for the service so that we know what attrs we can canonicalize
my $config = $RT::ExternalSettings->{$service};
-
+
if($config->{'type'} eq 'cookie'){
$RT::Logger->debug("You cannot use SSO cookies as an information service!");
next;
@@ -473,7 +473,7 @@ sub CanonicalizeUserInfo {
unless(defined($args->{$rt_attr})) {
$RT::Logger->debug("This attribute (",
$rt_attr,
- ") is null or incorrectly defined in the attr_map for this service (",
+ ") is null or incorrectly defined in the attr_match_list for this service (",
$service,
")");
next;
commit 5d58aabce28111171234907c67aad9e7f32b2f89
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 14:39:57 2011 +0400
move $value declaration earlier, so we can re-use
diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index d89ede6..ebca058 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -470,7 +470,8 @@ sub CanonicalizeUserInfo {
foreach my $rt_attr (@{$config->{'attr_match_list'}}) {
# Jump to the next attr in $args if this one isn't in the attr_match_list
$RT::Logger->debug( "Attempting to use this canonicalization key:",$rt_attr);
- unless(defined($args->{$rt_attr})) {
+ my $value = $args->{$rt_attr};
+ unless( defined $value && length $value ) {
$RT::Logger->debug("This attribute (",
$rt_attr,
") is null or incorrectly defined in the attr_match_list for this service (",
@@ -481,7 +482,6 @@ sub CanonicalizeUserInfo {
# Else, use it as a canonicalization key and lookup the user info
my $key = $config->{'attr_map'}->{$rt_attr};
- my $value = $args->{$rt_attr};
unless ( $key ) {
$RT::Logger->warning(
"No mapping for $rt_attr in attr_map for this service ($service)"
commit a5a4f3ca58d257008ac62bdad94f0746a28285c0
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon May 9 14:40:37 2011 +0400
pass all available info into XXXX::CanonicalizeUserInfo
diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index ebca058..d5fab69 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -494,9 +494,9 @@ sub CanonicalizeUserInfo {
# the service requested.
if($config->{'type'} eq 'ldap'){
- ($found, %params) = RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo($service,$key,$value);
+ ($found, %params) = RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo($service,$key,$value, $args);
} elsif ($config->{'type'} eq 'db') {
- ($found, %params) = RT::Authen::ExternalAuth::DBI::CanonicalizeUserInfo($service,$key,$value);
+ ($found, %params) = RT::Authen::ExternalAuth::DBI::CanonicalizeUserInfo($service,$key,$value, $args);
} else {
$RT::Logger->debug( (caller(0))[3],
"does not consider",
-----------------------------------------------------------------------
More information about the Bps-public-commit
mailing list