[Rt-commit] rt branch, 5.0/disable-password-for-auth-token-config, created. rt-5.0.0-99-g8df779384a

? sunnavy sunnavy at bestpractical.com
Fri Nov 6 14:42:16 EST 2020


The branch, 5.0/disable-password-for-auth-token-config has been created
        at  8df779384a1814b759639b102fc741aafa28c3a2 (commit)

- Log -----------------------------------------------------------------
commit 9b90fbeac13feda8ff447c41a00dfa6ff9abb599
Author: Aaron Trevena <ast at bestpractical.com>
Date:   Wed Jun 24 10:00:30 2020 +0100

    Add config option to disable password for auth tokens
    
    Added and documented a new configuration option to not require a password
    when adding a new auth token. This solves problems with requiring a password
    in a hybrid RT where both external and local accounts are used.

diff --git a/docs/authentication.pod b/docs/authentication.pod
index eba5b36be1..a6efb9f2f0 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -31,6 +31,14 @@ your RT Apache configuration to allow RT to access the Authorization header.
 
     SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
 
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line in
+C<RT_SiteConfig.pm>:
+
+   Set($DisablePasswordForAuthToken, 1);
+
+
 You can find more information about tokens in L<RT::Authen::Token>.
 
 =head1 External Authentication
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 2539240f4d..3cedfa8756 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1426,6 +1426,13 @@ passwords. Setting it to 0 disables this check.
 
 Set($MinimumPasswordLength, 5);
 
+=item C<$DisablePasswordForAuthToken>
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line in
+C<etc/RT_SiteConfig.pm>. You can find more information about tokens in
+L<RT::Authen::Token>.
+
 =back
 
 =head3 External Authentication and Authorization
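Review bot: The new =item says "with the following line in C<etc/RT_SiteConfig.pm>" but no line follows it, unlike the matching paragraph in docs/authentication.pod; add `    Set($DisablePasswordForAuthToken, 1);` after that sentence. Because the option removes the only per-action credential check when a token is minted, the entry should also state that consequence so an administrator can weigh it, e.g. `Enabling this means any logged-in browser session can create a token without re-entering the password.`. The default `Set($DisablePasswordForAuthToken, 0);` is added in the next hunk of this file after the External Authentication =cut, far from this documentation; placing it next to `Set($MinimumPasswordLength, 5);` keeps the default beside its =item as the other options do.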
@@ -1478,6 +1485,10 @@ See L<RT::Authen::ExternalAuth> for details.
 
 =back
 
+=cut
+
+Set($DisablePasswordForAuthToken, 0);
+
 
 =head2 Initialdata Formats
 
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 59ce078f1c..84bb6fcbd9 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1290,6 +1290,10 @@ our %META;
         Widget    => '/Widgets/Form/Boolean',
     },
 
+    DisablePasswordForAuthToken => {
+        Widget => '/Widgets/Form/Boolean',
+    },
+
     ExternalSettings => {
         Immutable     => 1,
         Obfuscate => sub {
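Review bot: The new %META entry for DisablePasswordForAuthToken has only a Boolean widget, so it is editable from the web configuration UI, whereas the neighbouring ExternalSettings entry is `Immutable => 1`. A setting that relaxes an authentication check is worth the same treatment unless runtime toggling is intended; if it is not, add `        Immutable => 1,` to the entry. I cannot see from this hunk whether any other authentication-related options are marked Immutable, so treat this as a consistency question rather than a defect.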
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index de32934bbb..650a81167a 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -5002,15 +5002,20 @@ sub ProcessAuthToken {
     if ( $args_ref->{Create} ) {
 
         # Don't require password for systems with some form of federated auth
+        # or if configured to not require a password
         my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+        my $require_password = 1;
+        if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+            $require_password = 0;
+        }
 
         if ( !length( $args_ref->{Description} ) ) {
             push @results, loc("Description cannot be blank.");
         }
-        elsif ( $res{'CanSet'} && !length( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !length( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password.");
         }
-        elsif ( $res{'CanSet'} && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password correctly.");
         }
         else {
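Review bot: The `$require_password` computation added to ProcessAuthToken is copied verbatim into the %INIT of share/html/Elements/AuthToken/Create (second hunk of that file), so the form and the handler can drift: a change to one rule could hide the field in the UI while the server still demands the password, or the reverse. A small shared helper called from both places would keep a single source of truth. The four new lines also reduce to one expression, `my $require_password = ( $res{'CanSet'} && !RT->Config->Get('DisablePasswordForAuthToken') ) ? 1 : 0;`. With the password check off, the session alone authorises token creation, so this path presumably rests on RT's general CSRF handling for POSTs; worth confirming it covers this form. ProcessAuthToken begins before this hunk.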
diff --git a/share/html/Elements/AuthToken/Create b/share/html/Elements/AuthToken/Create
index 653374c332..01d82cd8f1 100644
--- a/share/html/Elements/AuthToken/Create
+++ b/share/html/Elements/AuthToken/Create
@@ -57,7 +57,7 @@
       <div class="modal-body">
         <form method="POST">
           <input type="hidden" name="Owner" value="<% $Owner %>">
-%         if ( $res{'CanSet'} ){
+%         if ( $require_password ){
           <div class="form-row">
             <div class="label col-4">
               <&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:
@@ -89,8 +89,13 @@
 </div>
 
 <%INIT>
-# Don't require password for systems with some form of federated auth
+# Don't require password for systems with some form of federated auth,
+# or if configured to not require a password
 my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+my $require_password = 1;
+if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+   $require_password = 0;
+}
 </%INIT>
 
 <%ARGS>
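Review bot: The body of the new `if` in %INIT is indented three spaces (`   $require_password = 0;`) while the surrounding component uses four. Matching the file's indent, `    $require_password = 0;`, keeps the block from standing out in later diffs.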

commit 5b531648223c46988a624abdebea6fb374dd4489
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat Nov 7 00:43:58 2020 +0800

    Switch to Obfuscate callback for $DatabasePassword/$LDAPPassword configs
    
    Previously we checked if the config name looks like password and
    explicitly excluded MinimumPasswordLength, which didn't scale well: we
    would have to exclude the new added $DisablePasswordForAuthToken in
    various places to not obfuscate it.
    
    This commit simplifies the logic: all configs that require obfuscation
    need to set up Obfuscate callback accordingly.

diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 84bb6fcbd9..09bb9cecb8 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -733,6 +733,10 @@ our %META;
     DatabasePassword => {
         Immutable => 1,
         Widget    => '/Widgets/Form/String',
+        Obfuscate => sub {
+            my ($config, $sources, $user) = @_;
+            return $user->loc('Password not printed');
+        },
     },
     DatabasePort => {
         Immutable => 1,
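Review bot: Dropping the name-based `/Password/i` guard in the Option, Configuration.html and EditConfig.html hunks below means any option holding a secret but lacking an Obfuscate callback now prints and is editable in the admin UI, and only DatabasePassword and LDAPPassword receive a callback here. A regression test that walks %META and asserts every option whose name matches /Password/i, apart from MinimumPasswordLength and DisablePasswordForAuthToken, carries Obfuscate would preserve the guarantee the regex used to give. The two callbacks are identical (this hunk and the LDAPPassword hunk); defining one `my $obfuscate_password = sub { my (undef, undef, $user) = @_; return $user->loc('Password not printed') };` ahead of the %META assignment and referencing it from both entries avoids the duplication.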
@@ -1786,6 +1790,10 @@ our %META;
     },
     LDAPPassword => {
         Widget => '/Widgets/Form/String',
+        Obfuscate => sub {
+            my ($config, $sources, $user) = @_;
+            return $user->loc('Password not printed');
+        },
     },
     LDAPBase => {
         Widget => '/Widgets/Form/String',
diff --git a/share/html/Admin/Tools/Config/Elements/Option b/share/html/Admin/Tools/Config/Elements/Option
index f10e84e284..82acca3920 100644
--- a/share/html/Admin/Tools/Config/Elements/Option
+++ b/share/html/Admin/Tools/Config/Elements/Option
@@ -65,8 +65,7 @@ $doc_version =~ s/\.\d+-\d+-g\w+$//;  # 4.4.3-1-g123 -> 4.4
 
 my $name = $option->{Name};
 my $meta = RT->Config->Meta( $name );
-return if $meta->{Invisible} || $meta->{Deprecated};
-return if $name =~ /Password/i && $name !~ /MinimumPasswordLength/;
+return if $meta->{Invisible} || $meta->{Deprecated} || $meta->{Obfuscate};
 
 my $has_execute_code = $session{CurrentUser}->HasRight(Right => 'ExecuteCode', Object => RT->System);
 
diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index 5e6cdce28b..d5c0e14e27 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -90,13 +90,7 @@ foreach my $key ( RT->Config->Options( Overridable => undef, Sorted => 0 ) ) {
 </%PERL>
   <div class="form-row <% $index_conf%2 ? 'oddline' : 'evenline'%>">
     <div class="value col-4 collection-as-table"><% $key %></div>
-    <div class="value col-4 collection-as-table">
-% if ( $key =~ /Password/i and $key !~ /MinimumPasswordLength/ ) {
-<em><% loc('Password not printed' ) %></em>\
-% } else {
-<% stringify($val) |n %>\
-% }
-    </div>
+    <div class="value col-4 collection-as-table"><% stringify($val) |n %></div>
     <div class="value col-4 collection-as-table">
 % if ( $meta->{'Source'}{'SiteConfig'} ) {
 <% $description %>
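Review bot: The value cell now prints `stringify($val)` unconditionally, so hiding secrets depends on `$val` having already passed through the option's Obfuscate callback somewhere in the loop above this hunk, which is not visible here. If `$val` comes from a plain `RT->Config->Get($key)`, DatabasePassword and LDAPPassword render in clear on the configuration page after this change. Worth confirming the value source, and a test that the rendered page does not contain the configured database password would catch a regression either way.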
diff --git a/share/html/Admin/Tools/EditConfig.html b/share/html/Admin/Tools/EditConfig.html
index 2a33c93348..5de306fa45 100644
--- a/share/html/Admin/Tools/EditConfig.html
+++ b/share/html/Admin/Tools/EditConfig.html
@@ -94,7 +94,7 @@ if (delete $ARGS{Update}) {
                 next if !!$val eq !!$prev;
             }
 
-            if ( $meta->{Immutable} || $meta->{Obfuscate} || ($key =~ /Password/i and $key !~ /MinimumPasswordLength/ )) {
+            if ( $meta->{Immutable} || $meta->{Obfuscate} ) {
                 push @results, loc("Cannot change [_1]: Permission Denied", $key);
                 $has_error++;
                 next;

commit 8df779384a1814b759639b102fc741aafa28c3a2
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat Nov 7 02:55:32 2020 +0800

    Remove special handling of password like core variables on configuration page
    
    Config variables registered in %RT::Config::META have been skipped since
    9bf93d26d4, so there is no need to do so any more.

diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index d5c0e14e27..c222129632 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -120,13 +120,7 @@ foreach my $key ( sort keys %{*RT::} ) {
 </%PERL>
       <div class="form-row collection-as-table <% $index_var%2 ? 'oddline' : 'evenline'%>">
         <div class="value col-6 collection-as-table">RT::<% $key %></div>
-        <div class="value col-6 collection-as-table">
-% if ( $key =~ /Password(?!Length)/i ) { 
-<em><% loc('Password not printed' ) %></em>\
-% } else {
-<% ${'RT::'.$key} %>
-% }
-        </div>
+        <div class="value col-6 collection-as-table"><% ${'RT::'.$key} %></div>
       </div>
 % }
 % }
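Review bot: Removing the `/Password(?!Length)/i` guard over `%{*RT::}` relies on the commit message's statement that %META-registered variables are skipped earlier in the loop; package variables in RT:: that were never registered in %META, for example ones set from a site config or an extension, get no such skip and `${'RT::'.$key}` now prints them raw. Keeping the name check as a fallback for the non-META case, `% if ( $key =~ /Password(?!Length)/i ) {` around the removed <em> branch, costs nothing and preserves defence in depth. The loop's start is outside the hunk, so I cannot see the skip being relied on.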

-----------------------------------------------------------------------

