[Rt-commit] rt branch, 4.2/rt-external-auth, created. rt-4.2.3-88-g1b45405

Alex Vandiver alexmv at bestpractical.com
Tue Apr 22 19:07:43 EDT 2014


The branch, 4.2/rt-external-auth has been created
        at  1b45405da4e2ba615587f4a18d119c4581bb96c4 (commit)

- Log -----------------------------------------------------------------
commit 1dadd320f0388c1957888586eb592dc2687be734
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Tue Apr 22 18:56:27 2014 -0400

    Prompt for password _after_ telling them how it will be sent
    
    As written, if RTEXTERNALAUTH=1 was set, RT prompted for a password,
    then told you if it was going to be sent in the clear, and immediately
    sent it (while telling you that you could ^C it, but giving you no
    opportunity to do so).
    
    Reverse the order to match the non-externalauth case below, into the
    useful order.

diff --git a/bin/rt.in b/bin/rt.in
index 22b38df..3d0a38d 100644
--- a/bin/rt.in
+++ b/bin/rt.in
@@ -1057,10 +1057,10 @@ sub submit {
     my $how = $config{server} =~ /^https/ ? 'over SSL' : 'unencrypted';
     (my $server = $config{server}) =~ s/^.*\/\/([^\/]+)\/?/$1/;
     if ($config{externalauth}) {
-        $h->authorization_basic($config{user}, $config{passwd} || read_passwd() );
         print "   Password will be sent to $server $how\n",
               "   Press CTRL-C now if you do not want to continue\n"
             if ! $config{passwd};
+        $h->authorization_basic($config{user}, $config{passwd} || read_passwd() );
     } elsif ( $no_strong_auth ) {
         if (!defined $session->cookie) {
             print "   Strong encryption not available, $no_strong_auth\n",
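Review bot: the reorder fixes the ^C window, but the clear-text warning on `print "   Password will be sent to $server $how\n"` is still gated on `if ! $config{passwd}`, so a password taken from .rtrc or RTPASSWD is sent to an `http://` server with no notice at all. Consider printing the "Password will be sent ... unencrypted" line whenever `$how` is 'unencrypted', and keeping only the "Press CTRL-C now" line conditional on the interactive `read_passwd()` case.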

commit 1b45405da4e2ba615587f4a18d119c4581bb96c4
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Tue Apr 22 19:01:18 2014 -0400

    Allow GSSAPI authentication in bin/rt
    
    dc653cb8, which introduced the optional GSSAPI authentication, did so in
    a way that made it impossible to enable.  It required externalauth=undef
    (and the modules be loadable) in order for $no_strong_auth to be unset,
    which is required to skip the HTTP Basic and username/password auth
    paths.  Unfortunately, it provided no way to _set_ an undef
    externalauth, as the default value is set to 0 (despite the comment at
    the top), and neither environment variables nor config file allow for
    setting an undef value.
    
    Rework the authentication parameters to bin/rt entirely, to clean this
    up.  Specifically, inspect an "auth" parameter, which may be set to
    "rt", "basic", or "gssapi" and reacts appropriately.  For backwards
    compatibility, "externalauth=1" is equivalent to "auth=basic".  Choosing
    GSSAPI authentication also explicitly requires the GSSAPI and
    LWP::Authen::Negotiate modules, and aborts if they fail to be found,
    rather than falling back to sending RT's built-in auth.

diff --git a/bin/rt.in b/bin/rt.in
index 3d0a38d..464dc37 100644
--- a/bin/rt.in
+++ b/bin/rt.in
@@ -70,16 +70,6 @@ use Term::ReadLine;
 use Time::Local; # used in prettyshow
 use File::Temp;
 
-# strong (GSSAPI based) authentication is supported if the server does provide
-# it and the perl modules GSSAPI and LWP::Authen::Negotiate are installed
-# it can be suppressed by setting externalauth=0 (default is undef)
-eval { require GSSAPI };
-my $no_strong_auth = 'missing perl module GSSAPI';
-if ( ! $@ ) {
-    eval {require LWP::Authen::Negotiate};
-    $no_strong_auth = $@ ? 'missing perl module LWP::Authen::Negotiate' : 0;
-}
-
 # We derive configuration information from hardwired defaults, dotfiles,
 # and the RT* environment variables (in increasing order of precedence).
 # Session information is stored in ~/.rt_sessions.
@@ -99,18 +89,16 @@ my %config = (
         queue        => undef,
 # to protect against unlimited searches a better choice would be
 #       queue        => 'Unknown_Queue',
-# setting externalauth => undef will try GSSAPI auth if the corresponding perl
-# modules are installed, externalauth => 0 is the backward compatible choice 
-        externalauth => 0,
+        auth         => "rt",
     ),
     config_from_file($ENV{RTCONFIG} || ".rtrc"),
     config_from_env()
 );
+
+$config{auth} = "basic" if delete $config{externalauth};
+
 my $session = Session->new("$HOME/.rt_sessions");
 my $REST = "$config{server}/REST/1.0";
-$no_strong_auth = 'switched off by externalauth=0'
-    if defined $config{externalauth};
-
 
 my $prompt = 'rt> ';
 
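Review bot: `$config{auth} = "basic" if delete $config{externalauth};` applies after the whole precedence chain has been merged, so a stale `externalauth 1` in .rtrc overrides an explicit `RTAUTH=gssapi` from the environment, inverting the documented env-over-file precedence. Either map `externalauth` to `auth` inside `config_from_file`/`config_from_env` before merging, or warn when both are set and `auth` is not "basic". Minor: the removal of the `$no_strong_auth = ...` lines leaves two consecutive blank lines before `my $prompt`.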
@@ -1056,20 +1044,23 @@ sub submit {
     # Should we send authentication information to start a new session?
     my $how = $config{server} =~ /^https/ ? 'over SSL' : 'unencrypted';
     (my $server = $config{server}) =~ s/^.*\/\/([^\/]+)\/?/$1/;
-    if ($config{externalauth}) {
+
+    if ($config{auth} eq "gssapi") {
+        die "GSSAPI support not available; failed to load perl module GSSAPI:\n$@\n"
+            unless eval { require GSSAPI; 1 };
+        die "GSSAPI support not available; failed to load perl module LWP::Authen::Negotiate:\n$@\n"
+            unless eval { require LWP::Authen::Negotiate; 1 };
+    } elsif ($config{auth} eq "basic") {
         print "   Password will be sent to $server $how\n",
               "   Press CTRL-C now if you do not want to continue\n"
             if ! $config{passwd};
         $h->authorization_basic($config{user}, $config{passwd} || read_passwd() );
-    } elsif ( $no_strong_auth ) {
-        if (!defined $session->cookie) {
-            print "   Strong encryption not available, $no_strong_auth\n",
-                  "   Password will be sent to $server $how\n",
-                  "   Press CTRL-C now if you do not want to continue\n"
-                if ! $config{passwd};
-            push @$data, ( user => $config{user} );
-            push @$data, ( pass => $config{passwd} || read_passwd() );
-        }
+    } elsif ( !defined $session->cookie ) {
+        print "   Password will be sent to $server $how\n",
+              "   Press CTRL-C now if you do not want to continue\n"
+            if ! $config{passwd};
+        push @$data, ( user => $config{user} );
+        push @$data, ( pass => $config{passwd} || read_passwd() );
     }
 
     # Now, we construct the request.
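Review bot: the new if/elsif chain has no final `else`, so any `auth` value other than exactly "gssapi" or "basic" (a typo such as `auth Basic`, or `auth kerberos`) silently takes the `!defined $session->cookie` branch and sends the RT username and password in the form body, which is the opposite of what a user asking for GSSAPI wanted. Add a terminal `else { die "Unknown auth method '$config{auth}'; expected rt, basic or gssapi\n" }` (or validate `$config{auth}` once at startup) so a misconfiguration fails closed instead of falling back to the weakest path.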
@@ -1080,9 +1071,7 @@ sub submit {
         $req = GET($uri);
     }
     $session->add_cookie_header($req);
-    if ($config{externalauth}) {
-        $req->header(%$h);
-    }
+    $req->header(%$h) if %$h;
 
     # Then we send the request and parse the response.
     DEBUG(3, $req->as_string);
@@ -1420,7 +1409,7 @@ sub Form::compose {
 sub config_from_env {
     my %env;
 
-    foreach my $k (qw(EXTERNALAUTH DEBUG USER PASSWD SERVER QUERY ORDERBY)) {
+    foreach my $k (qw(EXTERNALAUTH AUTH DEBUG USER PASSWD SERVER QUERY ORDERBY)) {
 
         if (exists $ENV{"RT$k"}) {
             $env{lc $k} = $ENV{"RT$k"};
@@ -1474,7 +1463,7 @@ sub parse_config_file {
         chomp;
         next if (/^#/ || /^\s*$/);
 
-        if (/^(externalauth|user|passwd|server|query|orderby|queue)\s+(.*)\s?$/) {
+        if (/^(externalauth|auth|user|passwd|server|query|orderby|queue)\s+(.*)\s?$/) {
             $cfg{$1} = $2;
         }
         else {
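Review bot: the directive regex `(.*)\s?$` cannot strip trailing whitespace, because the greedy `(.*)` consumes it before `\s?` is tried; combined with the exact `eq "basic"` / `eq "gssapi"` comparisons in `submit`, a line such as `auth gssapi ` (trailing space or tab) falls through to the built-in password path without any error. Use `(.*?)\s*$`, or `s/\s+$//` on `$2` before storing it, and this hunk is a good place to do it since `auth` is the first value whose exact spelling changes the security behaviour.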
@@ -1912,15 +1901,17 @@ Text:
 
         The following directives may occur, one per line:
 
-        - server <URL>          URL to RT server.
-        - user <username>       RT username.
-        - passwd <passwd>       RT user's password.
-        - query <RT Query>      Default RT Query for list action
-        - orderby <order>       Default RT order for list action
-        - queue <queuename>     Default RT Queue for list action
-        - externalauth <0|1>    Use HTTP Basic authentication
-         explicitely setting externalauth to 0 inhibits also GSSAPI based
-         authentication, if LWP::Authen::Negotiate (and GSSAPI) is installed
+        - server <URL>           URL to RT server.
+        - user <username>        RT username.
+        - passwd <passwd>        RT user's password.
+        - query <RT Query>       Default RT Query for list action
+        - orderby <order>        Default RT order for list action
+        - queue <queuename>      Default RT Queue for list action
+        - auth <rt|basic|gssapi> Method to authenticate via; "basic"
+                     means HTTP Basic authentication, "gssapi" means
+                     Kerberos credentials, if your RT is configured
+                     with $WebRemoteUserAuth.  For backwards
+                     compatibility, "externalauth 1" means "auth basic"
 
         Blank and #-commented lines are ignored.
 
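Review bot: the new `auth` entry documents the compatibility mapping for `externalauth 1` but not the behaviour change for `externalauth 0`, which previously also disabled GSSAPI detection and now has no effect at all; one sentence saying that `externalauth 0` is ignored and that `auth rt` is the default would save existing users a surprise. It is also worth stating here that "gssapi" aborts (rather than falls back) when GSSAPI or LWP::Authen::Negotiate cannot be loaded, since that is the fail-closed property the commit message highlights.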
@@ -1939,7 +1930,7 @@ Text:
 
         - RTUSER
         - RTPASSWD
-        - RTEXTERNALAUTH
+        - RTAUTH
         - RTSERVER
         - RTDEBUG       Numeric debug level. (Set to 3 for full logs.)
         - RTCONFIG      Specifies a name other than ".rtrc" for the
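Review bot: `RTEXTERNALAUTH` is removed from the documented variables here while `config_from_env` (the `qw(EXTERNALAUTH AUTH DEBUG ...)` hunk) still honours it; either keep it listed as deprecated with a pointer to `RTAUTH`, or drop it from `config_from_env` so the code and the documentation agree on what is supported.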

-----------------------------------------------------------------------

