[Rt-commit] rt branch, 4.4/update-external-auth-config, created. rt-4.4.0-90-g1978c53

Jim Brandt jbrandt at bestpractical.com
Fri May 13 14:52:33 EDT 2016


The branch, 4.4/update-external-auth-config has been created
        at  1978c53cc7d2e07f7791467520eb7f2a05c3523a (commit)

- Log -----------------------------------------------------------------
commit 4a588f963ca6ff9035bc99f41f04168cddd98799
Author: rachelkelly <rachel at bestpractical.com>
Date:   Tue May 3 10:05:24 2016 -0700

    Add Pod::Select to dependencies for shredder
    
    Pod::Select was removed from Perl core (5.18 and higher), so in order to
    continue to use Pod::Select we explicitly include it.
    
    Fixes: I#31873

diff --git a/sbin/rt-test-dependencies.in b/sbin/rt-test-dependencies.in
index b930e47..326686c 100644
--- a/sbin/rt-test-dependencies.in
+++ b/sbin/rt-test-dependencies.in
@@ -251,6 +251,7 @@ Net::CIDR
 Net::IP
 Plack 1.0002
 Plack::Handler::Starlet
+Pod::Select
 Regexp::Common
 Regexp::Common::net::CIDR
 Regexp::IPv6

commit 02b065978ec3a50b6f9f6af21cd79aa6ae6ffe2f
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Thu May 5 16:06:31 2016 -0400

    Automatically enable ExternalAuth when ExternalAuth options enabled
    
    ExternalAuth uses three configuration options to configure the
    service and also requires a flag, ExternalAuth, to be set to
    enable it. The presence of the three configuration options is
    enough to confirm the user would like to use ExternalAuth, so
    automatically enable it when these are selected.

diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 2aad19c..65da8c5 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1000,16 +1000,6 @@ our %META;
         },
     },
 
-    ExternalAuth => {
-        PostLoadCheck => sub {
-            my $self = shift;
-            my $ExternalAuthEnabled = $self->Get('ExternalAuth');
-            if ( $ExternalAuthEnabled ) {
-                require RT::Authen::ExternalAuth;
-            }
-        }
-    },
-
     ExternalSettings => {
         Obfuscate => sub {
             # Ensure passwords are obfuscated on the System Configuration page
@@ -1026,6 +1016,7 @@ our %META;
         PostLoadCheck => sub {
             my $self = shift;
             my $settings = shift || {};
+            $self->EnableExternalAuth();
 
             my $remove = sub {
                 my ($service) = @_;
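Review bot: The added `$self->EnableExternalAuth();` runs before anything checks that `$settings` names a service, and the `shift || {}` default on the line above it suggests this callback is also invoked when ExternalSettings is unset. If so, every installation would get `ExternalAuth` set to 1 and RT::Authen::ExternalAuth loaded, whether or not external authentication was configured. Guarding the call, e.g. `$self->EnableExternalAuth() if keys %$settings;`, keeps the feature off unless it is actually configured. The same applies to the unconditional calls added in the ExternalAuthPriority and ExternalInfoPriority checks in the next two hunks (`$self->EnableExternalAuth() if @values;`). All three PostLoadCheck bodies continue outside their hunks.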
@@ -1075,6 +1066,8 @@ our %META;
         PostLoadCheck => sub {
             my $self = shift;
             my @values = @{ shift || [] };
+            $self->EnableExternalAuth();
+
             if (not @values) {
                 $self->Set( 'ExternalAuthPriority', \@values );
                 return;
@@ -1093,6 +1086,8 @@ our %META;
         PostLoadCheck => sub {
             my $self = shift;
             my @values = @{ shift || [] };
+            $self->EnableExternalAuth();
+
             if (not @values) {
                 $RT::Logger->debug("ExternalInfoPriority not defined. User information (including user enabled/disabled) cannot be externally-sourced");
                 $self->Set( 'ExternalInfoPriority', \@values );
@@ -1716,6 +1711,16 @@ sub ObjectHasCustomFieldGrouping {
     return 0;
 }
 
+# Internal method to activate ExtneralAuth if any ExternalAuth config
+# options are set.
+sub EnableExternalAuth {
+    my $self = shift;
+
+    $self->Set('ExternalAuth', 1);
+    require RT::Authen::ExternalAuth;
+    return;
+}
+
 RT::Base->_ImportOverlays();
 
 1;
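Review bot: The comment added above `EnableExternalAuth` misspells the name ("ExtneralAuth") and says the method acts "if any ExternalAuth config options are set", but the body tests nothing and always sets the flag. I would reword it to `# Internal method: set ExternalAuth and load RT::Authen::ExternalAuth; callers decide whether any ExternalAuth option is set.` It may also be worth running `require RT::Authen::ExternalAuth;` before `$self->Set('ExternalAuth', 1);` so that a failed module load does not leave the flag set.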

commit 2bd8b433bf6ba39d357384fee1bb53ba35e6066f
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Thu May 5 16:12:29 2016 -0400

    Add messages to log ExternalAuth configuration errors

diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 65da8c5..44453ea 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1069,11 +1069,18 @@ our %META;
             $self->EnableExternalAuth();
 
             if (not @values) {
+                $RT::Logger->debug("ExternalAuthPriority not defined. Attempting to create based on ExternalSettings");
                 $self->Set( 'ExternalAuthPriority', \@values );
                 return;
             }
-
-            my %settings = %{ $self->Get('ExternalSettings') };
+            my %settings;
+            if ( $self->Get('ExternalSettings') ){
+                %settings = %{ $self->Get('ExternalSettings') };
+            }
+            else{
+                $RT::Logger->error("ExternalSettings not defined. ExternalAuth requires the ExternalSettings configuration option to operate properly");
+                return;
+            }
             for my $key (grep {not $settings{$_}} @values) {
                 $RT::Logger->error("Removing '$key' from ExternalAuthPriority, as it is not defined in ExternalSettings");
             }
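Review bot: When ExternalSettings is missing, the new `else` branch logs an error and returns, leaving ExternalAuthPriority holding service names that have no definition, while `EnableExternalAuth()` at the top of the callback has already switched ExternalAuth on. The path below it removes undefined services, judging by its log message, so the error path could match that by resetting the list before returning: `$self->Set( 'ExternalAuthPriority', [] );`. The truth test also lets a non-hash value through to `%{ ... }`; fetching the value once into a variable and checking `ref $ext eq 'HASH'` avoids both the second `Get` and a die under strict refs. The debug message "Attempting to create based on ExternalSettings" is followed only by storing the empty list and returning, so it would help to say where that creation happens or to reword the message. The ExternalInfoPriority hunk that follows repeats the same block, and both callbacks continue past the end of their hunks.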
@@ -1094,7 +1101,14 @@ our %META;
                 return;
             }
 
-            my %settings = %{ $self->Get('ExternalSettings') };
+            my %settings;
+            if ( $self->Get('ExternalSettings') ){
+                %settings = %{ $self->Get('ExternalSettings') };
+            }
+            else{
+                $RT::Logger->error("ExternalSettings not defined. ExternalAuth requires the ExternalSettings configuration option to operate properly");
+                return;
+            }
             for my $key (grep {not $settings{$_}} @values) {
                 $RT::Logger->error("Removing '$key' from ExternalInfoPriority, as it is not defined in ExternalSettings");
             }

commit 401df010df49d13e66905644b1f1157f6d9051c1
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Thu May 5 16:20:51 2016 -0400

    Add tests for ExternalAuth configuration processing

diff --git a/t/externalauth/auth_config.t b/t/externalauth/auth_config.t
new file mode 100644
index 0000000..dda38c6
--- /dev/null
+++ b/t/externalauth/auth_config.t
@@ -0,0 +1,59 @@
+use strict;
+use warnings;
+use RT;
+my $config;
+BEGIN{
+    $config = <<'END';
+Set($ExternalSettings, {
+        'My_LDAP'       =>  {
+            'type'             =>  'ldap',
+            'server'           =>  'ldap.example.com',
+            # By not passing 'user' and 'pass' we are using an anonymous
+            # bind, which some servers to not allow
+            'base'             =>  'ou=Staff,dc=example,dc=com',
+            'filter'           =>  '(objectClass=inetOrgPerson)',
+            # Users are allowed to log in via email address or account
+            # name
+            'attr_match_list'  => [
+                'Name',
+                'EmailAddress',
+            ],
+            # Import the following properties of the user from LDAP upon
+            # login
+            'attr_map' => {
+                'Name'         => 'sAMAccountName',
+                'EmailAddress' => 'mail',
+                'RealName'     => 'cn',
+                'WorkPhone'    => 'telephoneNumber',
+                'Address1'     => 'streetAddress',
+                'City'         => 'l',
+                'State'        => 'st',
+                'Zip'          => 'postalCode',
+                'Country'      => 'co',
+            },
+        },
+    } );
+
+END
+
+}
+use RT::Test nodb => 1, tests => undef, config => $config;
+use Test::Warn;
+
+diag "Test ExternalAuth configuration processing";
+my $auth_settings = RT::Config->Get('ExternalSettings');
+ok( $auth_settings, 'Got ExternalSettings');
+is( $auth_settings->{'My_LDAP'}{'type'}, 'ldap', 'External Auth type is ldap');
+ok( RT::Config->Get('ExternalAuth'), 'ExternalAuth activated automatically');
+
+ok( RT::Config->Set('ExternalAuthPriority', ['My_LDAP']),'Set ExternalAuthPriority');
+ok( RT::Config->Set('ExternalInfoPriority', ['My_LDAP']),'Set ExternalInfoPriority');
+
+ok( RT::Config->Set( 'ExternalSettings', undef ), 'unset ExternalSettings' );
+ok( !(RT::Config->Get('ExternalSettings')), 'ExternalSettings removed');
+
+warnings_like {RT::Config->PostLoadCheck} [qr/ExternalSettings not defined/,
+    qr/ExternalSettings not defined/],
+  'Correct warnings with ExternalSettings missing';
+
+done_testing;
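Review bot: The assertion `ok( RT::Config->Get('ExternalAuth'), 'ExternalAuth activated automatically');` would also pass if ExternalAuth were switched on for every installation, because this file only ever loads a config that defines ExternalSettings. A companion case that loads no ExternalSettings and asserts `ok( !RT::Config->Get('ExternalAuth'), 'ExternalAuth stays off when unconfigured' );` would pin the off-by-default behaviour. After the `PostLoadCheck` call with ExternalSettings removed, the test checks only the warnings; asserting what ExternalAuthPriority and ExternalInfoPriority hold at that point would document the intended failure state. The config comment "which some servers to not allow" should read "do not allow".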

commit 8946b1b85418f25364a4ad41a2467bc434759720
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Thu May 5 16:29:33 2016 -0400

    Remove explicit setting of ExternalAuth in tests

diff --git a/t/externalauth/ldap.t b/t/externalauth/ldap.t
index 994563c..34dcf83 100644
--- a/t/externalauth/ldap.t
+++ b/t/externalauth/ldap.t
@@ -27,8 +27,6 @@ my $entry    = {
 $ldap->add( $base );
 $ldap->add( $dn, attr => [%$entry] );
 
-RT->Config->Set( ExternalAuth => 1 );
-
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
diff --git a/t/externalauth/ldap_escaping.t b/t/externalauth/ldap_escaping.t
index cce4e0c..0442313 100644
--- a/t/externalauth/ldap_escaping.t
+++ b/t/externalauth/ldap_escaping.t
@@ -48,8 +48,6 @@ $ldap->add(
     ],
 );
 
-RT->Config->Set( ExternalAuth => 1 );
-
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
diff --git a/t/externalauth/ldap_group.t b/t/externalauth/ldap_group.t
index ede53a2..a3d87a8 100644
--- a/t/externalauth/ldap_group.t
+++ b/t/externalauth/ldap_group.t
@@ -55,8 +55,6 @@ $ldap->add(
     ],
 );
 
-RT->Config->Set( ExternalAuth => 1 );
-
 #RT->Config->Set( Plugins                     => 'RT::Authen::ExternalAuth' );
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
diff --git a/t/externalauth/ldap_privileged.t b/t/externalauth/ldap_privileged.t
index 26f1862..fe5e05a 100644
--- a/t/externalauth/ldap_privileged.t
+++ b/t/externalauth/ldap_privileged.t
@@ -26,8 +26,6 @@ my $entry    = {
 $ldap->add( $base );
 $ldap->add( $dn, attr => [%$entry] );
 
-RT->Config->Set( ExternalAuth => 1 );
-
 RT->Config->Set( ExternalAuthPriority        => ['My_LDAP'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_LDAP'] );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
diff --git a/t/externalauth/sessions.t b/t/externalauth/sessions.t
index 98eca0c..9b3ec36 100644
--- a/t/externalauth/sessions.t
+++ b/t/externalauth/sessions.t
@@ -94,8 +94,6 @@ sub setup_auth_source {
             SQL
     }
 
-    RT->Config->Set( ExternalAuth => 1 );
-
     RT->Config->Set( ExternalAuthPriority        => ['My_SQLite'] );
     RT->Config->Set( ExternalInfoPriority        => ['My_SQLite'] );
     RT->Config->Set( AutoCreateNonExternalUsers  => 0 );
diff --git a/t/externalauth/sqlite.t b/t/externalauth/sqlite.t
index 3214b7d..9e7c2cc 100644
--- a/t/externalauth/sqlite.t
+++ b/t/externalauth/sqlite.t
@@ -33,8 +33,6 @@ $dbh->do(
 "INSERT INTO $table VALUES ( 'testuser', '$password', 'testuser\@invalid.tld')"
 );
 
-RT->Config->Set( ExternalAuth => 1 );
-
 RT->Config->Set( ExternalAuthPriority        => ['My_SQLite'] );
 RT->Config->Set( ExternalInfoPriority        => ['My_SQLite'] );
 RT->Config->Set( AutoCreateNonExternalUsers  => 0 );

commit 97d8d9172b678db0cea911d994a395692a09f569
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Thu May 5 16:32:32 2016 -0400

    Remove ExternalAuth config option from upgrade notes

diff --git a/docs/UPGRADING-4.4 b/docs/UPGRADING-4.4
index f19c493..b641915 100644
--- a/docs/UPGRADING-4.4
+++ b/docs/UPGRADING-4.4
@@ -21,9 +21,8 @@ L<RT::Authen::ExternalAuth::DBI> documentation.
 
 Users of the existing
 L<RT::Authen::ExternalAuth|https://metacpan.org/pod/RT::Authen::ExternalAuth>
-extension should remove C<RT::Authen::ExternalAuth> from the plugins list,
-and add C<Set($ExternalAuth, 1);> to the F<RT_SiteConfig.pm> file. Please
-also remove F<local/plugins/RT-Authen-ExternalAuth> from your RT
+extension should remove C<RT::Authen::ExternalAuth> from the plugins list.
+Please also remove F<local/plugins/RT-Authen-ExternalAuth> from your RT
 installation.
 
 =item *

commit d91597ed06e582e533dcf57f51b3ec59882c8e31
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Fri May 6 15:03:52 2016 -0400

    Add ExternalAuth, LDAPImport options to RT_Config
    
    Fixes: I#31464

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 6852ff2..2861123 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2372,6 +2372,104 @@ Set($MinimumPasswordLength, 5);
 
 =back
 
+=head2 External Authentication and Authorization
+
+RT has a built-in module for integrating with a directory service like
+LDAP or Active Directory for authentication (login) and authorization
+(enabling/disabling users and setting user attributes). The core configuration
+settings for the service are listed here. Additional details are available
+in the L<RT::Authen::ExternalAuth> module documentation.
+
+=over 4
+
+=item C<$ExternalSettings>
+
+This option, along with the following options, activate and configure authentication
+via a resource external to RT. All of the configuration for your external authentication
+service, like LDAP or Active Directory, are defined in a data structure in this option.
+You can find full details on the configuration
+options in the L<RT::Authen::ExternalAuth> documentation.
+
+=cut
+
+# No defaults are set for ExternalAuth because this is an optional feature.
+
+=item C<$ExternalAuthPriority>
+
+Sets the priority of authentication resources if you have multiple configured.
+RT will attempt authorization with each resource, in order, until one succeeds or
+no more remain. See L<RT::Authen::ExternalAuth> for details.
+
+=item C<$ExternalInfoPriority>
+
+Sets the order of resources for querying user information if you have multiple
+configured. RT will query each resource, in order, until one succeeds or
+no more remain. See L<RT::Authen::ExternalAuth> for details.
+
+=item C<$UserAutocreateDefaultsOnLogin>
+
+A hashref of options to set for users who are autocreated on login via
+ExternalAuth. For example, you can automatically make "Privileged" users
+who were authenticated and created from LDAP or Active Directory.
+See L<RT::Authen::ExternalAuth> for details.
+
+=item C<$AutoCreateNonExternalUsers>
+
+Users should still be autocreated by RT as internal users if they
+fail to exist in an external service; this is so requestors who
+are not in LDAP can still be created when they email in.
+See L<RT::Authen::ExternalAuth> for details.
+
+=back
+
+=head2 Syncing Users and Groups with LDAP or AD
+
+In addition to the authentication services described above, RT also
+has a utility you can schedule to periodicially sync from your
+directory service additional user attributes, new users,
+disabled users, and group membership. Options for the
+LDAPImport tool are listed here. Additional information is
+available in the L<RT::LDAPImport> documentation.
+
+=over 4
+
+=item C<$LDAPHost>
+
+Your LDAP server hostname.
+
+=item C<$LDAPUser>
+
+The LDAP user to log in with.
+
+=item C<$LDAPPassword>
+
+Password for LDAPUser.
+
+=item C<$LDAPFilter>
+
+The filter to use when querying LDAP for the set of users to sync.
+
+=item C<$LDAPMapping>
+
+Mapping to apply between LDAP attributes retrieved and RT user
+record attributes. See the L<RT::LDAPImport> documentation
+for details.
+
+=item C<$LDAPGroupBase>
+
+The base for the LDAP group search.
+
+=item C<$LDAPGroupFilter>
+
+The filter to use when querying LDAP for groups to sync.
+
+=item C<$LDAPGroupMapping>
+
+Mapping to apply between LDAP group member attributes retrieved and
+RT groups. See the L<RT::LDAPImport> documentation
+for details.
+
+=back
 
 =head1 Internationalization
 
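Review bot: The `$ExternalAuthPriority` entry says RT "will attempt authorization with each resource", but this list governs login, so it should read "authentication" to match the section introduction, which distinguishes the two terms. The `$AutoCreateNonExternalUsers` entry states a policy rather than describing the switch; something like `When true, RT still creates internal users for people not found in any external service (for example, requestors who email in).` tells the administrator what setting it does. The `$LDAPPassword` entry could add that the value lives in the site configuration file, so read access to that file should be restricted and the bind account given only the directory access the import needs. "periodicially" should be "periodically".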

commit 1978c53cc7d2e07f7791467520eb7f2a05c3523a
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Tue May 10 14:09:38 2016 -0400

    Fix broken pod link in SLA docs

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 2861123..aac41e3 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -3543,7 +3543,7 @@ Read more about how to describe a schedule in L<Business::Hours>.
 
 =over 4
 
-=item Defining different business hours for service levels
+=item Configuring business hours
 
 Each level supports BusinessHours option to specify your own business
 hours.

-----------------------------------------------------------------------

