[Bps-public-commit] rt-authen-externalauth branch, master, updated. 0.13-14-g3a1829d
Thomas Sibley
trs at bestpractical.com
Wed May 22 17:13:03 EDT 2013
The branch, master has been updated
via 3a1829d2d6e7c569b010b10f1b1d8ed519912d36 (commit)
via eafd85c97ae85d36dc28971d529085a41aa95eb4 (commit)
via 4036ec1baee042bf897add3a7d69bc4dafcb280c (commit)
via ed3db6430ee9dbbf109c6ced6b3dcb2042c06f08 (commit)
via add505a900bbfcc1a1a74357907c0bd5df61cf11 (commit)
via 9ad1098c2ee6d2590e8fbee652d2a155ece746f9 (commit)
via be1de678940b2b64b3425c5c43740975b8bd9920 (commit)
via 0983a4b31711e508203c32c7bc274fec2aea68e6 (commit)
via 209803365b6da51ad014f43119d1efb3bcf15ae9 (commit)
via 6515c048d4ef49db6b13be74e580364a0008f1d2 (commit)
via 8991389d07c5f6e063cfa050db17717596cfe1f8 (commit)
via e5443b7188d8190722b75ce59e7cc95e04c34f2f (commit)
via 282949ece773a6685093a31f5f42b5ec418c6c76 (commit)
via b7fa89ace1325b9a548d27c3cb9bda415844ce89 (commit)
from 87351c38f2be2e11de1817fc48caa17ea2a591f4 (commit)
Summary of changes:
ChangeLog | 6 +
etc/RT_SiteConfig.pm | 449 ++++++++++++++----------
html/Callbacks/ExternalAuth/autohandler/Session | 14 +-
html/Elements/DoAuth | 10 +
lib/RT/Authen/ExternalAuth.pm | 6 +-
lib/RT/Authen/ExternalAuth/DBI.pm | 116 ++++++
lib/RT/Authen/ExternalAuth/DBI/Cookie.pm | 74 ++++
lib/RT/Authen/ExternalAuth/LDAP.pm | 133 +++++++
xt/sessions.t | 116 ++++++
9 files changed, 734 insertions(+), 190 deletions(-)
create mode 100644 xt/sessions.t
- Log -----------------------------------------------------------------
commit b7fa89ace1325b9a548d27c3cb9bda415844ce89
Author: Thomas Sibley <trs at bestpractical.com>
Date: Thu Feb 21 17:42:00 2013 -0800
Failing test showing the lack of a new session on successful auth
This only occurs when Apache::Session::File is RT's session handler
since it revivifies the session. However, core RT's practice is to
always instantiate a new session on successful auth, and this extension
should follow suit.
diff --git a/xt/sessions.t b/xt/sessions.t
new file mode 100644
index 0000000..5379d8b
--- /dev/null
+++ b/xt/sessions.t
@@ -0,0 +1,116 @@
+use strict;
+use warnings;
+
+use RT::Test
+ testing => 'RT::Authen::ExternalAuth',
+ tests => 'no_declare';
+
+setup_auth_source();
+
+RT->Config->Set("WebSessionClass" => "Apache::Session::File");
+
+{
+ my %sessions;
+ sub sessions_seen_is {
+ my ($agent, $expected, $msg) = @_;
+ $msg ||= "$expected sessions seen";
+
+ $agent->cookie_jar->scan(sub { $sessions{$_[2]}++ if $_[1] =~ /SID/; });
+ is scalar keys %sessions, $expected, $msg;
+ }
+}
+
+my ($base, $m) = RT::Test->started_ok();
+
+diag "Login as tom";
+{
+ sessions_seen_is($m, 0);
+
+ $m->get_ok("/");
+ $m->submit_form(
+ with_fields => {
+ user => 'tom',
+ pass => 'password',
+ },
+ );
+ $m->text_contains( 'Logout', 'logged in via form' );
+ sessions_seen_is($m, 1);
+
+ $m->get_ok("/NoAuth/Logout.html");
+ sessions_seen_is($m, 1);
+}
+
+diag "Login as alex";
+{
+ $m->get_ok("/");
+ $m->submit_form(
+ with_fields => {
+ user => 'alex',
+ pass => 'password',
+ },
+ );
+ $m->text_contains( 'Logout', 'logged in via form' );
+ sessions_seen_is($m, 2);
+
+ $m->get_ok("/NoAuth/Logout.html");
+}
+
+undef $m;
+done_testing;
+
+sub setup_auth_source {
+ require DBI;
+ require File::Temp;
+ require Digest::MD5;
+ require File::Spec;
+
+ eval { require DBD::SQLite; } or do {
+ plan skip_all => 'Unable to test without DBD::SQLite';
+ };
+
+ my $dir = File::Temp::tempdir( CLEANUP => 1 );
+ my $dbname = File::Spec->catfile( $dir, 'rtauthtest' );
+ my $table = 'users';
+ my $dbh = DBI->connect("dbi:SQLite:$dbname");
+ my $password = Digest::MD5::md5_hex('password');
+ my $schema = <<" EOF";
+ CREATE TABLE users (
+ username varchar(200) NOT NULL,
+ password varchar(40) NULL,
+ email varchar(16) NULL
+ );
+ EOF
+ $dbh->do( $schema );
+ $dbh->do(<<" SQL");
+ INSERT INTO $table VALUES
+ ( 'tom', '$password', 'tom\@invalid.tld'),
+ ( 'alex', '$password', 'alex\@invalid.tld');
+ SQL
+
+ RT->Config->Set( ExternalAuthPriority => ['My_SQLite'] );
+ RT->Config->Set( ExternalInfoPriority => ['My_SQLite'] );
+ RT->Config->Set( ExternalServiceUsesSSLorTLS => 0 );
+ RT->Config->Set( AutoCreateNonExternalUsers => 0 );
+ RT->Config->Set( AutoCreate => undef );
+ RT->Config->Set(
+ ExternalSettings => {
+ 'My_SQLite' => {
+ 'type' => 'db',
+ 'database' => $dbname,
+ 'table' => $table,
+ 'dbi_driver' => 'SQLite',
+ 'u_field' => 'username',
+ 'p_field' => 'password',
+ 'p_enc_pkg' => 'Digest::MD5',
+ 'p_enc_sub' => 'md5_hex',
+ 'attr_match_list' => ['Name'],
+ 'attr_map' => {
+ 'Name' => 'username',
+ 'EmailAddress' => 'email',
+ 'ExternalAuthId' => 'username',
+ }
+ },
+ }
+ );
+}
+
commit 282949ece773a6685093a31f5f42b5ec418c6c76
Author: Thomas Sibley <trs at bestpractical.com>
Date: Thu Feb 21 17:43:48 2013 -0800
Instantiate a new session upon successful authentication
This matches core RT's handling and ensures a fresh, clean session for
the newly logged in user. Resolves a problem where old sessions (and
cached data) are reused under Apache::Session::File.
diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
index 36f68a0..59fd85b 100644
--- a/lib/RT/Authen/ExternalAuth.pm
+++ b/lib/RT/Authen/ExternalAuth.pm
@@ -344,6 +344,10 @@ sub DoAuth {
$ENV{'REMOTE_ADDR'});
# Do not delete the session. User stays logged in and
# autohandler will not check the password again
+
+ my $cu = $session->{CurrentUser};
+ RT::Interface::Web::InstantiateNewSession();
+ $session->{CurrentUser} = $cu;
} else {
# Make SURE the session is purged to an empty user.
$session->{'CurrentUser'} = RT::CurrentUser->new;
commit e5443b7188d8190722b75ce59e7cc95e04c34f2f
Author: Thomas Sibley <trs at bestpractical.com>
Date: Thu Feb 21 18:57:50 2013 -0800
Continue to support the next page after login
Instantiating a new session during auth now requires grabbing the next
page key before we kill the old session.
diff --git a/html/Callbacks/ExternalAuth/autohandler/Session b/html/Callbacks/ExternalAuth/autohandler/Session
index e4020ba..695605e 100644
--- a/html/Callbacks/ExternalAuth/autohandler/Session
+++ b/html/Callbacks/ExternalAuth/autohandler/Session
@@ -1,13 +1 @@
-<%init>
-$m->comp('/Elements/DoAuth',%ARGS);
-
-# 3.8.9 doesn't redirect to the specified page if request has one.
-if ( $m->request_comp->path eq '/NoAuth/Login.html'
- && RT::Interface::Web::_UserLoggedIn()
- && $ARGS{next} )
-{
- my $next = delete $session{'NextPage'}->{ $ARGS{'next'} };
- $next = $next->{'url'} if ref $next;
- RT::Interface::Web::Redirect( $next || RT->Config->Get('WebURL') );
-}
-</%init>
+% $m->comp('/Elements/DoAuth',%ARGS);
diff --git a/html/Elements/DoAuth b/html/Elements/DoAuth
index 0be9cc2..0f6050b 100644
--- a/html/Elements/DoAuth
+++ b/html/Elements/DoAuth
@@ -7,8 +7,18 @@ use RT::Authen::ExternalAuth;
my ($val,$msg);
unless($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
+ # It's important to nab the next page from the session before we
+ # potentially blow the session away below.
+ my $next = $session{'NextPage'}->{ $ARGS{'next'} || "" };
+ $next = $next->{'url'} if ref $next;
+
($val,$msg) = RT::Authen::ExternalAuth::DoAuth(\%session,$user,$pass);
$RT::Logger->debug("Autohandler called ExternalAuth. Response: ($val, $msg)");
+
+ # 3.8.9 doesn't redirect to the specified page if request has one.
+ RT::Interface::Web::Redirect( $next )
+ if $val and $next
+ and $m->request_comp->path eq '/NoAuth/Login.html';
}
return;
commit 4036ec1baee042bf897add3a7d69bc4dafcb280c
Merge: 87351c3 e5443b7
Author: Thomas Sibley <trs at bestpractical.com>
Date: Wed May 22 14:01:07 2013 -0700
Merge branch 'session-reuse'
commit eafd85c97ae85d36dc28971d529085a41aa95eb4
Author: Thomas Sibley <trs at bestpractical.com>
Date: Wed May 22 14:12:44 2013 -0700
Explain session handling changes in ChangeLog
diff --git a/ChangeLog b/ChangeLog
index e126f26..f5a3ff3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+0.14 2013-05-22 Thomas Sibley
+ * Prevent potential session reuse when Apache::Session::File is RT's
+ $WebSessionClass. This is also resolved by RT versions 4.0.13 and
+ 3.8.17 and by the May 2013 security patches. Changes here are purely
+ for correctness/bulletproofing down the road.
+
0.13 2013-01-31 Thomas Sibley
* Cut down on code by using the core RT::Record->Update method
commit 3a1829d2d6e7c569b010b10f1b1d8ed519912d36
Merge: eafd85c ed3db64
Author: Thomas Sibley <trs at bestpractical.com>
Date: Wed May 22 14:12:51 2013 -0700
Merge branch 'docs-improvements'
-----------------------------------------------------------------------
More information about the Bps-public-commit
mailing list