[Bps-public-commit] rt-authen-externalauth branch, multiple-emails, updated. 0.17-73-ga1de887
Kevin Falcone
falcone at bestpractical.com
Fri Mar 7 17:13:47 EST 2014
The branch, multiple-emails has been updated
via a1de887e21117befa93dc945dbb4cf274d73a2e3 (commit)
via df54802d377b856c449a44ee83acb445ac0c49ed (commit)
via 8bb41fd398a41f5f790886543bf974e376a2d1a6 (commit)
via 6b2c0b1fd4206a0f2a5eabe9c9a24b06d187448c (commit)
via 4214e8c4d45f8afe0c39b766ca2e563ae7506cf6 (commit)
via bcd5861674db4f5a1b2a5bae5dacae6724629e8d (commit)
via f68491e812f10cfffa7829a19c7c3c8d4fb32a2f (commit)
via 3d8222005d3e6cafa3067c4f5b7ec7a357131918 (commit)
via f5eafe0cf2a2cac4cd8dc35f05ef25ab83e19799 (commit)
via 7a27ef1479f25ea7dfc50db13af1b975eeed5519 (commit)
via 44c25ec2e2d1362602c952c93d7d29a07e0d8db7 (commit)
via d7ed5f1cceebee2470172c92f57d1e35683193bf (commit)
via 94055334d050e490ea1d9eab67fbd33a575c39d4 (commit)
via 8d110445c968a01c97e1b8e8f7ec11cba8eaa80a (commit)
via 24702da1dadc40f35c017dceda9bfb8e4cc8e1f4 (commit)
via 97f97231aa82d57beb3caf34b5645549cfdaaff2 (commit)
via 642cb8667d74a948f2e693277749d536312bbe53 (commit)
via 8f6d6adbe653d6ed2c88c898afcb5b5dcee5a1c6 (commit)
via 5261f0547c16a95525b9e85bdbdcbb98a48db2c4 (commit)
via a137b57f039fbeecf48c29adb289e31ec966b1ee (commit)
via 17ee221285c4a856bc0930a44b4699d8d866e7f0 (commit)
via 94370064f8e351338c946195fcdb8f0adebf0001 (commit)
via 3a1829d2d6e7c569b010b10f1b1d8ed519912d36 (commit)
via eafd85c97ae85d36dc28971d529085a41aa95eb4 (commit)
via 4036ec1baee042bf897add3a7d69bc4dafcb280c (commit)
via ed3db6430ee9dbbf109c6ced6b3dcb2042c06f08 (commit)
via add505a900bbfcc1a1a74357907c0bd5df61cf11 (commit)
via 9ad1098c2ee6d2590e8fbee652d2a155ece746f9 (commit)
via be1de678940b2b64b3425c5c43740975b8bd9920 (commit)
via 0983a4b31711e508203c32c7bc274fec2aea68e6 (commit)
via 209803365b6da51ad014f43119d1efb3bcf15ae9 (commit)
via 6515c048d4ef49db6b13be74e580364a0008f1d2 (commit)
via 8991389d07c5f6e063cfa050db17717596cfe1f8 (commit)
via e5443b7188d8190722b75ce59e7cc95e04c34f2f (commit)
via 282949ece773a6685093a31f5f42b5ec418c6c76 (commit)
via b7fa89ace1325b9a548d27c3cb9bda415844ce89 (commit)
via 87351c38f2be2e11de1817fc48caa17ea2a591f4 (commit)
via 1dcb308728945b1174765ce459266d1d3229ef7f (commit)
via f85b348dab935c4ea582f56a87e0908ecfb62ff9 (commit)
via 857dcc53caf42c6da9d314357cc48e77c45fc0d0 (commit)
via a33d1b6bcd29b7594b3bbb562e950fd15c93c7f1 (commit)
via fe97ee4c7395fca62c90d516764604c800deda6c (commit)
via 61fd793d7eb1b756ca90a5b259a3af7e9595c742 (commit)
via 8fb97bb703ba6ed85349ed8bc324b1688897085c (commit)
from 79f99cf24c6e0c8bd6b01fed2b003e66b32629bf (commit)
Summary of changes:
ChangeLog | 26 ++
MANIFEST | 3 +
MANIFEST.SKIP | 64 ++++
META.yml | 3 +-
README | 37 +-
etc/RT_SiteConfig.pm | 450 +++++++++++++++---------
html/Callbacks/ExternalAuth/autohandler/Session | 13 +-
html/Elements/DoAuth | 10 +
inc/Module/Install/RTx.pm | 106 +++---
inc/Module/Install/ReadmeFromPod.pm | 2 +-
lib/RT/Authen/ExternalAuth.pm | 60 ++--
lib/RT/Authen/ExternalAuth/DBI.pm | 173 +++++++++
lib/RT/Authen/ExternalAuth/DBI/Cookie.pm | 78 ++++
lib/RT/Authen/ExternalAuth/LDAP.pm | 137 ++++++++
xt/ldap_escaping.t | 1 +
xt/ldap_group.t | 1 +
xt/obfuscate-password.t | 2 +-
xt/sessions.t | 119 +++++++
18 files changed, 1011 insertions(+), 274 deletions(-)
create mode 100644 MANIFEST.SKIP
create mode 100644 xt/sessions.t
- Log -----------------------------------------------------------------
commit 6b2c0b1fd4206a0f2a5eabe9c9a24b06d187448c
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Fri Mar 7 16:53:18 2014 -0500
Remove erroneous docs.
These were written on the docs-improvements branch and describe code
from the multiple-emails branch, which has not been merged.
Shipping these docs makes end users believe that this extension contains
code that it does not.
Backing these out to a separate branch. Unfortunately, multiple-emails
doesn't have a PODified RT_SiteConfig.pm so storing it there is hard and
this merge will be really interesting.
diff --git a/etc/RT_SiteConfig.pm b/etc/RT_SiteConfig.pm
index c539d23..801409a 100644
--- a/etc/RT_SiteConfig.pm
+++ b/etc/RT_SiteConfig.pm
@@ -156,53 +156,6 @@ For example, an LDAP mapping might look like:
...
},
-Since version 0.10 it's possible to map one RT field to multiple
-external attributes, for example:
-
- attr_map => {
- EmailAddress => ['mail', 'alias'],
- ...
- },
-
-Note that only one value is stored in RT, so this doesn't enable RT
-users to have multiple email addresses defined. However, the search
-will use all of the attributes to try to match a user if the field is
-defined in the C<attr_match_list>.
-
-On create or update, the original value input by the user, from an email
-or login attempt, is used as long as it's valid. If user didn't enter a
-value for that attribute, then the value retrieved from the first external
-attribute is used.
-
-For example, for the following configuration:
-
- attr_match_list => ['Name', 'EmailAddress'],
- attr_map => {
- Name => 'account',
- EmailAddress => ['mail', 'alias'],
- ...
- },
-
-If a new user sent an email to RT from an email alias, the search
-would match on the alias and that alias would be set as the user's
-EmailAddress in RT when the new account is created.
-
-However, if a user with an existing RT account with EmailAddress set to the
-C<mail> address, sent mail from C<alias>, it would still match. The user's
-EmailAddress in RT would remain the primary C<mail> address.
-
-This feature is useful for LDAP configurations where users have
-a primary institutional email address, but might also use aliases from
-subdomains or other email services. This prevents RT from creating
-multiple accounts for the same person.
-
-If you want the RT user accounts to always have the primary C<mail>
-address for EmailAddress, you likely want to run
-L<RT::Extension::LDAPImport> to make sure the user accounts are
-created with the desired email address set.
-
-=back
-
=back
=cut
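Review bot: the removed block ends with its own `=back` (the line before the kept `=back`) but contains no `=over`, so either the original file carried an unbalanced extra `=back` or this hunk now leaves an enclosing `=over` unclosed; the context shown does not include the matching `=over`, so please run podchecker on etc/RT_SiteConfig.pm after this change and keep or drop the second `=back` accordingly.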
commit 8bb41fd398a41f5f790886543bf974e376a2d1a6
Merge: 79f99cf 6b2c0b1
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Fri Mar 7 17:03:05 2014 -0500
Merge branch 'master' into multiple-emails
Conflicts:
ChangeLog
MANIFEST
inc/Module/Install/ReadmeFromPod.pm
lib/RT/Authen/ExternalAuth.pm
xt/ldap.t
xt/ldap_escaping.t
xt/ldap_group.t
xt/ldap_privileged.t
diff --cc ChangeLog
index 1888960,070b881..3a6ec7d
--- a/ChangeLog
+++ b/ChangeLog
@@@ -1,13 -1,29 +1,39 @@@
+
+ * avoid some user create/update conflicts when module enabled
+ on old system
+ * enable $AutoCreate config option for accounts created through
+ email submission
+ * external info update was only possible by Name, now it
+ works for any field from attr_match_list
+ * support mapping fields in RT to multiple attributes
+ in external source (LDAP/DBI)
+
+ 0.17 2013-07-10 Thomas Sibley
+ * Forbid using RT's internal Users table as an auth service
+
+ 0.16 2013-06-27 Thomas Sibley
+ * Add new p_check option to DBI authentication module
+
+ 0.15 2013-05-22 Thomas Sibley
+ * Minor documentation updates to add NAME sections for MetaCPAN
+
+ 0.14 2013-05-22 Thomas Sibley
+ * Prevent potential session reuse when Apache::Session::File is RT's
+ $WebSessionClass. This is also resolved by RT versions 4.0.13 and
+ 3.8.17 and by the May 2013 security patches. Changes here are purely
+ for correctness/bulletproofing down the road.
+
+ * Moved much documentation from comments into POD; cleanups are still
+ needed, but this is a good start.
+
+ 0.13 2013-01-31 Thomas Sibley
+ * Cut down on code by using the core RT::Record->Update method
+
+ 0.12 2012-10-26 Thomas Sibley
+ * Redirect correctly after login on RT 4.0.8, 3.8.15, and the 2012-10-25 security patches
+ * Added "group_scope" as a configurable option.
+ * Tests: Add to LDAP the base DN under which we search for users/groups
+
0.11 2012-07-03 Alex Vandiver
* Obfuscate passwords in RT's System Configuration page
* Set an empty CurrentUser on failure, instead of removing it entirely
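Review bot: the four unreleased entries from the multiple-emails side now open the merged ChangeLog with no version, date or author line above them, unlike every block below (e.g. `0.17 2013-07-10 Thomas Sibley`); add a placeholder heading for the unreleased version so they are not read as detached notes belonging to 0.17, and state the feature more precisely than "support mapping fields in RT to multiple attributes" (only one value is stored, the extra attributes are used for matching, per the SiteConfig docs in this push).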
diff --cc MANIFEST
index 75e9baa,9bbc5bf..45b01e8
--- a/MANIFEST
+++ b/MANIFEST
@@@ -27,14 -25,13 +27,17 @@@ lib/RT/Authen/ExternalAuth/Test.p
LICENSE
Makefile.PL
MANIFEST This list of files
+ MANIFEST.SKIP
META.yml
README
-xt/ldap.t
+xt/ldap/basics.t
+xt/ldap/late-sync.t
+xt/ldap/multiple-emails.t
+xt/ldap/privileged.t
+xt/ldap/user-create.t
xt/ldap_escaping.t
xt/ldap_group.t
+ xt/ldap_privileged.t
xt/obfuscate-password.t
+ xt/sessions.t
xt/sqlite.t
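Review bot: the merged MANIFEST lists both `xt/ldap_privileged.t` (from master) and `xt/ldap/privileged.t` (from this branch), and xt/ldap_privileged.t appears in the conflict list for this merge, so it is unclear whether both tests are meant to survive; pick one or note why both are needed. Likewise `xt/ldap.t` is dropped from the MANIFEST but also listed as a conflict, so confirm the file itself was deleted (presumably its content now lives in xt/ldap/basics.t), otherwise `make manifest`/distcheck will complain about an untracked file.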
diff --cc lib/RT/Authen/ExternalAuth/LDAP.pm
index 2569018,02fd3d5..450003c
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@@ -8,7 -8,145 +8,144 @@@ use strict
require Net::SSLeay if $RT::ExternalServiceUsesSSLorTLS;
+ =head1 NAME
+
+ RT::Authen::ExternalAuth::LDAP - LDAP source for RT authentication
+
+ =head1 DESCRIPTION
+
+ Provides the LDAP implementation for L<RT::Authen::ExternalAuth>.
+
+ =head1 SYNOPSIS
+
+ Set($ExternalSettings, {
+ # AN EXAMPLE LDAP SERVICE
+ 'My_LDAP' => {
+ 'type' => 'ldap',
+
+ 'server' => 'server.domain.tld',
+ 'user' => 'rt_ldap_username',
+ 'pass' => 'rt_ldap_password',
+
+ 'base' => 'ou=Organisational Unit,dc=domain,dc=TLD',
+ 'filter' => '(FILTER_STRING)',
+ 'd_filter' => '(FILTER_STRING)',
+
+ 'group' => 'GROUP_NAME',
+ 'group_attr' => 'GROUP_ATTR',
+
+ 'tls' => 0,
+ 'ssl_version' => 3,
+
+ 'net_ldap_args' => [ version => 3 ],
+
+ 'attr_match_list' => [
+ 'Name',
+ 'EmailAddress',
+ 'RealName',
+ 'WorkPhone',
+ 'Address2'
+ ],
+ 'attr_map' => {
+ 'Name' => 'sAMAccountName',
+ 'EmailAddress' => 'mail',
+ 'Organization' => 'physicalDeliveryOfficeName',
+ 'RealName' => 'cn',
+ 'ExternalAuthId' => 'sAMAccountName',
+ 'Gecos' => 'sAMAccountName',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co'
+ },
+ },
+ } );
+
+ =head1 CONFIGURATION
+
+ LDAP-specific options are described here. Shared options
+ are described in the F<etc/RT_SiteConfig.pm> file included
+ in this distribution.
+
+ The example in the L</SYNOPSIS> lists all available options
+ and they are described below. Note that many of these values
+ are specific to LDAP, so you should consult your LDAP
+ documentation for details.
+
+ =over 4
+
+ =item server
+
+ The server hosting the LDAP or AD service.
+
+ =item user, pass
+
+ The username and password RT should use to connect to the LDAP
+ server.
+
+ If you can bind to your LDAP server anonymously you shouldn't
+ set these options.
+
+ =item base
+
+ The LDAP search base.
+
+ =item filter
+
+ The filter to use to match RT users. You B<must> specify it
+ and it B<must> be a valid LDAP filter encased in parentheses.
+
+ For example:
+
+ filter => '(objectClass=*)',
+
+ =item d_filter
+
+ The filter that will only match disabled users. Optional.
+ B<Must> be a valid LDAP filter encased in parentheses.
+
+ For example with Active Directory the following can be used:
+
+ d_filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)'
+
+ =item group
+
+ Does authentication depend on group membership? What group name?
+
+ =item group_attr
+
+ What is the attribute for the group object that determines membership?
+
+ =item group_scope
+
+ What is the scope of the group search? C<base>, C<one> or C<sub>.
+ Optional; defaults to C<base>, which is good enough for most cases.
+ C<sub> is appropriate when you have nested groups.
+
+ =item group_attr_value
+
+ What is the attribute of the user entry that should be matched against
+ group_attr above? Optional; defaults to C<dn>.
+
+ =item tls
+
+ Should we try to use TLS to encrypt connections?
+
+ =item ssl_version
+
+ SSL Version to provide to Net::SSLeay *if* using SSL.
+
+ =item net_ldap_args
+
+ What other args should be passed to Net::LDAP->new($host, at args)?
+
+ =back
+
+ =cut
+
sub GetAuth {
-
my ($service, $username, $password) = @_;
my $config = $RT::ExternalSettings->{$service};
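Review bot: the CONFIGURATION section says "The example in the L</SYNOPSIS> lists all available options", but `group_scope` and `group_attr_value`, both documented below it, are absent from the SYNOPSIS; add them to the example (e.g. `'group_scope' => 'base',` and `'group_attr_value' => 'dn',` next to `group_attr`) or drop the "all available options" claim. The example also pairs `'tls' => 0` with `'ssl_version' => 3`, and the `ssl_version` text only says it is passed to Net::SSLeay "if using SSL"; say which values are accepted and that the setting is ignored unless TLS is enabled, so readers do not take SSL version 3 as a recommended value. For `user`/`pass`, it is worth stating that these bind credentials live in plain text in RT_SiteConfig.pm (the 0.11 ChangeLog entry above only covers obfuscating them on the System Configuration page), so the bind account should be read-only and file permissions on the config should be restrictive.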
commit df54802d377b856c449a44ee83acb445ac0c49ed
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Fri Mar 7 17:11:51 2014 -0500
regen README and update scaffolding
diff --git a/META.yml b/META.yml
index 8dd0749..314aa08 100644
--- a/META.yml
+++ b/META.yml
@@ -20,7 +20,6 @@ no_index:
- etc
- html
- inc
- - t
- xt
recommends:
CGI::Cookie: 0
diff --git a/README b/README
index 297b942..f568ce3 100644
--- a/README
+++ b/README
@@ -129,11 +129,10 @@ CONFIGURATION
...
},
- Note that only one value storred in RT. However, search goes by all
- external attributes if such RT field list in "attr_match_list". On
- create or update entered value is used as long as it's valid. If user
- didn't enter value then value stored in the first external attribute is
- used. Config example:
+ Note that only one value is stored in RT. However, the search includes
+ all external attributes if the RT field is listed in "attr_match_list".
+ On create or update, the entered value is used as long as it's valid.
+ Below is an example configuration:
attr_match_list => ['Name', 'EmailAddress'],
attr_map => {
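Review bot: "the entered value is used as long as it's valid" does not say what validity is checked (an RT email address check? membership in the external attribute's values?) nor what happens when the entered value fails that check, which is exactly the case an administrator setting up alias matching needs to know; spell out the check and the fallback here, since the next paragraph only covers the case where no value was entered at all.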
@@ -142,6 +141,32 @@ CONFIGURATION
...
},
+ If the user didn't enter a value then the value stored in the first
+ external attribute is used, in the example above 'mail'. In the common
+ case of email, if an email comes in from an address matched via an
+ 'alias' entry, after the match the value in 'mail' will be used for
+ EmailAddress. So when mapping LDAP entries to RT, make sure the first
+ entry in the array of options to EmailAddress is the one you want RT to
+ use internally as the EmailAddress.
+
+ attr_prefix
+ In some cases, multiple-value LDAP attributes may have a prefix on the
+ values in the LDAP entry. The "attr_prefix" allows you to set values to
+ prepend to filter terms before searching. For example, if you want an
+ email address to match 'alias' in an LDAP entry that prepends 'other:'
+ to the email address, you can do the following:
+
+ attr_prefix => {
+ alias => ['other:'],
+ ...
+ },
+
+ The key must be included in the "attr_map" or it won't be checked. To
+ search on an attribute with no value prepended in addition to some
+ prepended values, include an empty string '' in the list. The most
+ common case for this is the proxyAddresses needing the value 'smtp:'
+ prepended, so that happens automatically.
+
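Review bot: this README text contradicts the etc/RT_SiteConfig.pm docs restored in a1de887 in the same push. Here, when mail arrives from an address matched via `alias`, "the value in 'mail' will be used for EmailAddress"; the SiteConfig version says that for a new user "that alias would be set as the user's EmailAddress in RT when the new account is created" and that `mail` is only kept for existing accounts. One of the two is wrong about the create case, and since the README is generated from POD the source POD needs fixing, not just this file. In the `attr_prefix` text, "that happens automatically" for `proxyAddresses` should also say whether the `smtp:` prefix match is case-insensitive, because Active Directory writes the primary address as `SMTP:` and secondaries as `smtp:`, so a case-sensitive match would silently skip the primary.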
AUTHOR
Mike Peachey
Jennic Ltd.
diff --git a/inc/Module/Install/RTx.pm b/inc/Module/Install/RTx.pm
index c9fe996..469eb42 100644
--- a/inc/Module/Install/RTx.pm
+++ b/inc/Module/Install/RTx.pm
@@ -8,7 +8,7 @@ no warnings 'once';
use Module::Install::Base;
use base 'Module::Install::Base';
-our $VERSION = '0.31';
+our $VERSION = '0.32_02';
use FindBin;
use File::Glob ();
@@ -136,6 +136,9 @@ install ::
$has_etc{acl}++;
}
if ( -e 'etc/initialdata' ) { $has_etc{initialdata}++; }
+ if ( grep { /\d+\.\d+\.\d+.*$/ } glob('etc/upgrade/*.*.*') ) {
+ $has_etc{upgrade}++;
+ }
$self->postamble("$postamble\n");
unless ( $subdirs{'lib'} ) {
@@ -164,49 +167,59 @@ install ::
.
$self->postamble("initdb ::\n$initdb\n");
$self->postamble("initialize-database ::\n$initdb\n");
+ if ($has_etc{upgrade}) {
+ print "To upgrade from a previous version of this extension, use 'make upgrade-database'\n";
+ my $upgradedb = qq|\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxInitDB(qw(upgrade \$(NAME) \$(VERSION)))"\n|;
+ $self->postamble("upgrade-database ::\n$upgradedb\n");
+ $self->postamble("upgradedb ::\n$upgradedb\n");
+ }
}
}
-# stolen from RT::Handle so we work on 3.6 (cmp_versions came in with 3.8)
-{ my %word = (
- a => -4,
- alpha => -4,
- b => -3,
- beta => -3,
- pre => -2,
- rc => -1,
- head => 9999,
-);
-sub cmp_version($$) {
- my ($a, $b) = (@_);
- my @a = grep defined, map { /^[0-9]+$/? $_ : /^[a-zA-Z]+$/? $word{$_}|| -10 : undef }
- split /([^0-9]+)/, $a;
- my @b = grep defined, map { /^[0-9]+$/? $_ : /^[a-zA-Z]+$/? $word{$_}|| -10 : undef }
- split /([^0-9]+)/, $b;
- @a > @b
- ? push @b, (0) x (@a- at b)
- : push @a, (0) x (@b- at a);
- for ( my $i = 0; $i < @a; $i++ ) {
- return $a[$i] <=> $b[$i] if $a[$i] <=> $b[$i];
- }
- return 0;
-}}
sub requires_rt {
my ($self,$version) = @_;
# if we're exactly the same version as what we want, silently return
return if ($version eq $RT::VERSION);
- my @sorted = sort cmp_version $version,$RT::VERSION;
+ _load_rt_handle();
+ my @sorted = sort RT::Handle::cmp_version $version,$RT::VERSION;
if ($sorted[-1] eq $version) {
# should we die?
- warn "\nWarning: prerequisite RT $version not found. Your installed version of RT ($RT::VERSION) is too old.\n\n";
+ die "\nWarning: prerequisite RT $version not found. Your installed version of RT ($RT::VERSION) is too old.\n\n";
+ }
+}
+
+sub rt_too_new {
+ my ($self,$version,$msg) = @_;
+ $msg ||= "Your version %s is too new, this extension requires a release of RT older than %s\n";
+
+ _load_rt_handle();
+ my @sorted = sort RT::Handle::cmp_version $version,$RT::VERSION;
+
+ if ($sorted[0] eq $version) {
+ die sprintf($msg,$RT::VERSION,$version);
+ }
+}
+
+# RT::Handle runs FinalizeDatabaseType which calls RT->Config->Get
+# On 3.8, this dies. On 4.0/4.2 ->Config transparently runs LoadConfig.
+# LoadConfig requires being able to read RT_SiteConfig.pm (root) so we'd
+# like to avoid pushing that on users.
+# Fake up just enough Config to let FinalizeDatabaseType finish, and
+# anyone later calling LoadConfig will overwrite our shenanigans.
+sub _load_rt_handle {
+ unless ($RT::Config) {
+ require RT::Config;
+ $RT::Config = RT::Config->new;
+ RT->Config->Set('DatabaseType','mysql');
}
+ require RT::Handle;
}
1;
__END__
-#line 329
+#line 362
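Review bot: `requires_rt` now calls `die` instead of `warn`, but the message still begins with "Warning:" and the `# should we die?` comment above it is left in place; change the prefix to "Error:" (or drop it) and remove the stale comment. In `_load_rt_handle`, hard-coding `DatabaseType` to `mysql` is documented as a stand-in so that `FinalizeDatabaseType` completes, which is fine, but the comment should also say that this happens only when `$RT::Config` is unset, so a caller that has already loaded RT's real config is unaffected.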
diff --git a/inc/Module/Install/ReadmeFromPod.pm b/inc/Module/Install/ReadmeFromPod.pm
index 6a80818..b5e03c3 100644
--- a/inc/Module/Install/ReadmeFromPod.pm
+++ b/inc/Module/Install/ReadmeFromPod.pm
@@ -7,7 +7,7 @@ use warnings;
use base qw(Module::Install::Base);
use vars qw($VERSION);
-$VERSION = '0.20';
+$VERSION = '0.22';
sub readme_from {
my $self = shift;
commit a1de887e21117befa93dc945dbb4cf274d73a2e3
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Fri Mar 7 17:12:06 2014 -0500
Update SiteConfig with docs removed from master
diff --git a/etc/RT_SiteConfig.pm b/etc/RT_SiteConfig.pm
index 801409a..eb0b776 100644
--- a/etc/RT_SiteConfig.pm
+++ b/etc/RT_SiteConfig.pm
@@ -156,6 +156,51 @@ For example, an LDAP mapping might look like:
...
},
+It's possible to map one RT field to multiple external attributes,
+for example:
+
+ attr_map => {
+ EmailAddress => ['mail', 'alias'],
+ ...
+ },
+
+Note that only one value is stored in RT, so this doesn't enable RT
+users to have multiple email addresses defined. However, the search
+will use all of the attributes to try to match a user if the field is
+defined in the C<attr_match_list>.
+
+On create or update, the original value input by the user, from an email
+or login attempt, is used as long as it's valid. If user didn't enter a
+value for that attribute, then the value retrieved from the first external
+attribute is used.
+
+For example, for the following configuration:
+
+ attr_match_list => ['Name', 'EmailAddress'],
+ attr_map => {
+ Name => 'account',
+ EmailAddress => ['mail', 'alias'],
+ ...
+ },
+
+If a new user sent an email to RT from an email alias, the search
+would match on the alias and that alias would be set as the user's
+EmailAddress in RT when the new account is created.
+
+However, if a user with an existing RT account with EmailAddress set to the
+C<mail> address, sent mail from C<alias>, it would still match. The user's
+EmailAddress in RT would remain the primary C<mail> address.
+
+This feature is useful for LDAP configurations where users have
+a primary institutional email address, but might also use aliases from
+subdomains or other email services. This prevents RT from creating
+multiple accounts for the same person.
+
+If you want the RT user accounts to always have the primary C<mail>
+address for EmailAddress, you likely want to run
+L<RT::Extension::LDAPImport> to make sure the user accounts are
+created with the desired email address set.
+
=back
=cut
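Review bot: these docs do not cover `attr_prefix`, which the regenerated README in df54802 documents as part of the same multiple-attribute feature, although LDAP.pm in this push points readers here for shared options ("Shared options are described in the F<etc/RT_SiteConfig.pm> file"); add the `attr_prefix` section here so the two documents agree. The matching description should also state what happens when the same address matches more than one external entry (for example an alias value that appears on two accounts), since with `attr_match_list => ['Name', 'EmailAddress']` and multi-valued attributes that is the case most likely to attach an inbound email, or a login, to the wrong RT user.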
-----------------------------------------------------------------------