[Bps-public-commit] rt-authen-externalauth branch, master, updated. 0.13-14-g3a1829d

Thomas Sibley trs at bestpractical.com
Wed May 22 17:13:03 EDT 2013 

The branch, master has been updated
       via  3a1829d2d6e7c569b010b10f1b1d8ed519912d36 (commit)
       via  eafd85c97ae85d36dc28971d529085a41aa95eb4 (commit)
       via  4036ec1baee042bf897add3a7d69bc4dafcb280c (commit)
       via  ed3db6430ee9dbbf109c6ced6b3dcb2042c06f08 (commit)
       via  add505a900bbfcc1a1a74357907c0bd5df61cf11 (commit)
       via  9ad1098c2ee6d2590e8fbee652d2a155ece746f9 (commit)
       via  be1de678940b2b64b3425c5c43740975b8bd9920 (commit)
       via  0983a4b31711e508203c32c7bc274fec2aea68e6 (commit)
       via  209803365b6da51ad014f43119d1efb3bcf15ae9 (commit)
       via  6515c048d4ef49db6b13be74e580364a0008f1d2 (commit)
       via  8991389d07c5f6e063cfa050db17717596cfe1f8 (commit)
       via  e5443b7188d8190722b75ce59e7cc95e04c34f2f (commit)
       via  282949ece773a6685093a31f5f42b5ec418c6c76 (commit)
       via  b7fa89ace1325b9a548d27c3cb9bda415844ce89 (commit)
      from  87351c38f2be2e11de1817fc48caa17ea2a591f4 (commit)

Summary of changes:
 ChangeLog                                       |   6 +
 etc/RT_SiteConfig.pm                            | 449 ++++++++++++++----------
 html/Callbacks/ExternalAuth/autohandler/Session |  14 +-
 html/Elements/DoAuth                            |  10 +
 lib/RT/Authen/ExternalAuth.pm                   |   6 +-
 lib/RT/Authen/ExternalAuth/DBI.pm               | 116 ++++++
 lib/RT/Authen/ExternalAuth/DBI/Cookie.pm        |  74 ++++
 lib/RT/Authen/ExternalAuth/LDAP.pm              | 133 +++++++
 xt/sessions.t                                   | 116 ++++++
 9 files changed, 734 insertions(+), 190 deletions(-)
 create mode 100644 xt/sessions.t

- Log -----------------------------------------------------------------
commit b7fa89ace1325b9a548d27c3cb9bda415844ce89
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Feb 21 17:42:00 2013 -0800

    Failing test showing the lack of a new session on successful auth
    
    This only occurs when Apache::Session::File is RT's session handler
    since it revivifies the session.  However, core RT's practice is to
    always instantiate a new session on successful auth, and this extension
    should follow suit.

diff --git a/xt/sessions.t b/xt/sessions.t
new file mode 100644
index 0000000..5379d8b
--- /dev/null
+++ b/xt/sessions.t
@@ -0,0 +1,116 @@
+use strict;
+use warnings;
+
+use RT::Test
+    testing => 'RT::Authen::ExternalAuth',
+    tests   => 'no_declare';
+
+setup_auth_source();
+
+RT->Config->Set("WebSessionClass" => "Apache::Session::File");
+
+{
+    my %sessions;
+    sub sessions_seen_is {
+        my ($agent, $expected, $msg) = @_;
+        $msg ||= "$expected sessions seen";
+
+        $agent->cookie_jar->scan(sub { $sessions{$_[2]}++ if $_[1] =~ /SID/; });
+        is scalar keys %sessions, $expected, $msg;
+    }
+}
+
+my ($base, $m) = RT::Test->started_ok();
+
+diag "Login as tom";
+{
+    sessions_seen_is($m, 0);
+
+    $m->get_ok("/");
+    $m->submit_form(
+        with_fields => {
+            user => 'tom',
+            pass => 'password',
+        },
+    );
+    $m->text_contains( 'Logout', 'logged in via form' );
+    sessions_seen_is($m, 1);
+
+    $m->get_ok("/NoAuth/Logout.html");
+    sessions_seen_is($m, 1);
+}
+
+diag "Login as alex";
+{
+    $m->get_ok("/");
+    $m->submit_form(
+        with_fields => {
+            user => 'alex',
+            pass => 'password',
+        },
+    );
+    $m->text_contains( 'Logout', 'logged in via form' );
+    sessions_seen_is($m, 2);
+
+    $m->get_ok("/NoAuth/Logout.html");
+}
+
+undef $m;
+done_testing;
+
+sub setup_auth_source {
+    require DBI;
+    require File::Temp;
+    require Digest::MD5;
+    require File::Spec;
+
+    eval { require DBD::SQLite; } or do {
+        plan skip_all => 'Unable to test without DBD::SQLite';
+    };
+
+    my $dir    = File::Temp::tempdir( CLEANUP => 1 );
+    my $dbname = File::Spec->catfile( $dir, 'rtauthtest' );
+    my $table  = 'users';
+    my $dbh = DBI->connect("dbi:SQLite:$dbname");
+    my $password = Digest::MD5::md5_hex('password');
+    my $schema = <<"    EOF";
+        CREATE TABLE users (
+          username varchar(200) NOT NULL,
+          password varchar(40) NULL,
+          email varchar(16) NULL
+        );
+    EOF
+    $dbh->do( $schema );
+    $dbh->do(<<"    SQL");
+        INSERT INTO $table VALUES
+            ( 'tom',  '$password', 'tom\@invalid.tld'),
+            ( 'alex', '$password', 'alex\@invalid.tld');
+    SQL
+
+    RT->Config->Set( ExternalAuthPriority        => ['My_SQLite'] );
+    RT->Config->Set( ExternalInfoPriority        => ['My_SQLite'] );
+    RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
+    RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
+    RT->Config->Set( AutoCreate                  => undef );
+    RT->Config->Set(
+        ExternalSettings => {
+            'My_SQLite' => {
+                'type'   => 'db',
+                'database'        => $dbname,
+                'table'           => $table,
+                'dbi_driver'      => 'SQLite',
+                'u_field'         => 'username',
+                'p_field'         => 'password',
+                'p_enc_pkg'       => 'Digest::MD5',
+                'p_enc_sub'       => 'md5_hex',
+                'attr_match_list' => ['Name'],
+                'attr_map'        => {
+                    'Name'           => 'username',
+                    'EmailAddress'   => 'email',
+                    'ExternalAuthId' => 'username',
+                }
+            },
+        }
+    );
+}
+

commit 282949ece773a6685093a31f5f42b5ec418c6c76
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Feb 21 17:43:48 2013 -0800

    Instantiate a new session upon successful authentication
    
    This matches core RT's handling and ensures a fresh, clean session for
    the newly logged in user.  Resolves a problem where old sessions (and
    cached data) are reused under Apache::Session::File.

diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index 36f68a0..59fd85b 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -344,6 +344,10 @@ sub DoAuth {
                                 $ENV{'REMOTE_ADDR'});
             # Do not delete the session. User stays logged in and
             # autohandler will not check the password again
+
+            my $cu = $session->{CurrentUser};
+            RT::Interface::Web::InstantiateNewSession();
+            $session->{CurrentUser} = $cu;
     } else {
             # Make SURE the session is purged to an empty user.
             $session->{'CurrentUser'} = RT::CurrentUser->new;

commit e5443b7188d8190722b75ce59e7cc95e04c34f2f
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Feb 21 18:57:50 2013 -0800

    Continue to support the next page after login
    
    Instantiating a new session during auth now requires grabbing the next
    page key before we kill the old session.

diff --git a/html/Callbacks/ExternalAuth/autohandler/Session b/html/Callbacks/ExternalAuth/autohandler/Session
index e4020ba..695605e 100644
--- a/html/Callbacks/ExternalAuth/autohandler/Session
+++ b/html/Callbacks/ExternalAuth/autohandler/Session
@@ -1,13 +1 @@
-<%init>
-$m->comp('/Elements/DoAuth',%ARGS);
-
-# 3.8.9 doesn't redirect to the specified page if request has one.
-if (   $m->request_comp->path eq '/NoAuth/Login.html'
-    && RT::Interface::Web::_UserLoggedIn()
-    && $ARGS{next} )
-{
-    my $next = delete $session{'NextPage'}->{ $ARGS{'next'} };
-       $next = $next->{'url'} if ref $next;
-    RT::Interface::Web::Redirect( $next || RT->Config->Get('WebURL') );
-}
-</%init>
+% $m->comp('/Elements/DoAuth',%ARGS);
diff --git a/html/Elements/DoAuth b/html/Elements/DoAuth
index 0be9cc2..0f6050b 100644
--- a/html/Elements/DoAuth
+++ b/html/Elements/DoAuth
@@ -7,8 +7,18 @@ use RT::Authen::ExternalAuth;
 
 my ($val,$msg);
 unless($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
+    # It's important to nab the next page from the session before we
+    # potentially blow the session away below.
+    my $next = $session{'NextPage'}->{ $ARGS{'next'} || "" };
+       $next = $next->{'url'} if ref $next;
+
     ($val,$msg) = RT::Authen::ExternalAuth::DoAuth(\%session,$user,$pass);
     $RT::Logger->debug("Autohandler called ExternalAuth. Response: ($val, $msg)");
+
+    # 3.8.9 doesn't redirect to the specified page if request has one.
+    RT::Interface::Web::Redirect( $next )
+        if $val and $next
+       and $m->request_comp->path eq '/NoAuth/Login.html';
 }
 
 return;

commit 4036ec1baee042bf897add3a7d69bc4dafcb280c
Merge: 87351c3 e5443b7
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed May 22 14:01:07 2013 -0700

    Merge branch 'session-reuse'


commit eafd85c97ae85d36dc28971d529085a41aa95eb4
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed May 22 14:12:44 2013 -0700

    Explain session handling changes in ChangeLog

diff --git a/ChangeLog b/ChangeLog
index e126f26..f5a3ff3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+0.14	2013-05-22	Thomas Sibley
+	* Prevent potential session reuse when Apache::Session::File is RT's
+	  $WebSessionClass.  This is also resolved by RT versions 4.0.13 and
+	  3.8.17 and by the May 2013 security patches.  Changes here are purely
+	  for correctness/bulletproofing down the road.
+
 0.13	2013-01-31	Thomas Sibley
 	* Cut down on code by using the core RT::Record->Update method
 

commit 3a1829d2d6e7c569b010b10f1b1d8ed519912d36
Merge: eafd85c ed3db64
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed May 22 14:12:51 2013 -0700

    Merge branch 'docs-improvements'


-----------------------------------------------------------------------

More information about the Bps-public-commit mailing list