[Bps-public-commit] rt-authen-externalauth branch, obfuscate-passwords, created. 0.10_01-1-gb1c4b88

Thomas Sibley trs at bestpractical.com
Wed Apr 11 11:26:18 EDT 2012


The branch, obfuscate-passwords has been created
        at  b1c4b88d423254f8ed0bfff2f2298ef3e893b9d0 (commit)

- Log -----------------------------------------------------------------
commit b1c4b88d423254f8ed0bfff2f2298ef3e893b9d0
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed Apr 11 11:25:11 2012 -0400

    Obfuscate external source passwords on RT's System Configuration page
    
    RT takes care to obfuscate top-level keys that look like passwords, but
    doesn't dig deep into data structures.

diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index f434ebf..948939a 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -136,6 +136,20 @@ use RT::Authen::ExternalAuth::DBI;
 
 use strict;
 
+# Ensure passwords are obfuscated on the System Configuration page
+$RT::Config::META{ExternalSettings}->{Obfuscate} = sub {
+    my ($config, $sources, $user) = @_;
+
+    # XXX $user is never passed from RT as of 4.0.5 :(
+    my $msg = 'Password not printed';
+       $msg = $user->loc($msg) if $user and $user->Id;
+
+    for my $source (values %$sources) {
+        $source->{pass} = $msg;
+    }
+    return $sources;
+};
+
 sub DoAuth {
     my ($session,$given_user,$given_pass) = @_;
 
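Review bot: The loop at `$source->{pass} = $msg` writes into the hash it was handed and then returns that same `$sources`; if RT passes the callback the stored `ExternalSettings` hashref rather than a copy (RT::Config's Get returns the stored value, and nothing in the hunk copies it), a single visit to the System Configuration page replaces the real LDAP bind / DBI passwords in the running process with "Password not printed", and every later DoAuth bind fails until restart. Building a fresh structure for the page is cheap and removes the question entirely, so I would return a copy with only `pass` replaced, as below. The `# XXX $user is never passed` note is worth keeping but should say what happens instead: `# XXX $user is never passed from RT as of 4.0.5, so the message is unlocalized there`. DoAuth starts at the end of the hunk and its body continues outside it.

```perl
$RT::Config::META{ExternalSettings}->{Obfuscate} = sub {
    my ($config, $sources, $user) = @_;
    # … unchanged: $msg selection …

    # Never write into the hash we were given: it may be the live config,
    # and the real passwords are still needed for LDAP binds / DBI connects.
    my %obfuscated;
    for my $name (keys %$sources) {
        $obfuscated{$name} = { %{ $sources->{$name} }, pass => $msg };
    }
    return \%obfuscated;
};
```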
diff --git a/xt/obfuscate-password.t b/xt/obfuscate-password.t
new file mode 100644
index 0000000..ff5c636
--- /dev/null
+++ b/xt/obfuscate-password.t
@@ -0,0 +1,30 @@
+use strict;
+use warnings;
+
+use RT::Test testing => 'RT::Authen::ExternalAuth';
+
+RT->Config->Set(
+    ExternalSettings => {
+        'My_LDAP' => {
+            type => 'ldap',
+            user => 'ldap_bind',
+            pass => 'sekrit',
+        },
+        'My_DBI' => {
+            type => 'dbi',
+            user => 'external_db_user',
+            pass => 'nottelling',
+        },
+    }
+);
+
+my ($base, $m) = RT::Test->started_ok();
+ok( $m->login, 'logged in' );
+
+$m->follow_link_ok({ id_regex => qr/config-tools-configuration$/i }, 'config page');
+$m->content_lacks('sekrit', 'external source 1 pass obfuscated');
+$m->content_lacks('nottelling', 'external source 2 pass obfuscated');
+$m->content_contains('ldap_bind', 'sanity check: we do have external config dumped');
+$m->content_contains('external_db_user', 'sanity check: we do have external config dumped');
+
+undef $m;
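Review bot: The test proves the passwords are not rendered but never checks that they still exist after the page has been rendered, so an Obfuscate callback that mutates the config in place would pass it cleanly while breaking authentication for the rest of the process. After the two `content_lacks` checks add `is( RT->Config->Get('ExternalSettings')->{My_LDAP}{pass}, 'sekrit', 'live LDAP password untouched' );` and the matching `is( ..., 'nottelling', 'live DBI password untouched' );` for `My_DBI`. Note also that this lives under `xt/`, so it is an author test and will not run on a normal `make test`; if that is intended, a one-line comment at the top saying so would save the next person the question.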

-----------------------------------------------------------------------


