[Rt-commit] rt branch, 4.2/rt-external-auth, created. rt-4.2.3-88-g1b45405
Alex Vandiver
alexmv at bestpractical.com
Tue Apr 22 19:07:43 EDT 2014
The branch, 4.2/rt-external-auth has been created
at 1b45405da4e2ba615587f4a18d119c4581bb96c4 (commit)
- Log -----------------------------------------------------------------
commit 1dadd320f0388c1957888586eb592dc2687be734
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Apr 22 18:56:27 2014 -0400
Prompt to password _after_ telling them how it will be sent
As written, if RTEXTERNALAUTH=1 was set, RT prompted for a password,
then told you if it was going to be sent in the clear, and immediately
sent it (while telling you that you could ^C it, but giving you no
opportunity to do so).
Reverse the order to match the non-externalauth case below, into the
useful order.
diff --git a/bin/rt.in b/bin/rt.in
index 22b38df..3d0a38d 100644
--- a/bin/rt.in
+++ b/bin/rt.in
@@ -1057,10 +1057,10 @@ sub submit {
my $how = $config{server} =~ /^https/ ? 'over SSL' : 'unencrypted';
(my $server = $config{server}) =~ s/^.*\/\/([^\/]+)\/?/$1/;
if ($config{externalauth}) {
- $h->authorization_basic($config{user}, $config{passwd} || read_passwd() );
print " Password will be sent to $server $how\n",
" Press CTRL-C now if you do not want to continue\n"
if ! $config{passwd};
+ $h->authorization_basic($config{user}, $config{passwd} || read_passwd() );
} elsif ( $no_strong_auth ) {
if (!defined $session->cookie) {
print " Strong encryption not available, $no_strong_auth\n",
commit 1b45405da4e2ba615587f4a18d119c4581bb96c4
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Apr 22 19:01:18 2014 -0400
Allow GSSAPI authentication in bin/rt
dc653cb8, which introduced the optional GSSAPI authentication, did so in
a way that made it impossible to enable. It required externalauth=undef
(and the modules be loadable) in order for $no_strong_auth to be unset,
which is required to skip the HTTP Basic and username/password auth
paths. Unfortunately, it provided no way to _set_ an undef
externalauth, as the default value is set to 0 (despite the comment at
the top), and neither environment variables nor config file allow for
setting an undef value.
Rework the authentication paramters to bin/rt entirely, to clean this
up. Specifically, inspect an "auth" parameter, which may be set to
"rt", "basic", or "gssapi" and reacts appropriately. For backwards
compatibility, "externalauth=1" is equivalent to "auth=basic". Choosing
GSSAPI authentication also explicitly requires the GSSAPI and
LWP::Authen::Negotiate modules, and aborts if they fail to be found,
rather than falling back to sending RT's built-in auth.
diff --git a/bin/rt.in b/bin/rt.in
index 3d0a38d..464dc37 100644
--- a/bin/rt.in
+++ b/bin/rt.in
@@ -70,16 +70,6 @@ use Term::ReadLine;
use Time::Local; # used in prettyshow
use File::Temp;
-# strong (GSSAPI based) authentication is supported if the server does provide
-# it and the perl modules GSSAPI and LWP::Authen::Negotiate are installed
-# it can be suppressed by setting externalauth=0 (default is undef)
-eval { require GSSAPI };
-my $no_strong_auth = 'missing perl module GSSAPI';
-if ( ! $@ ) {
- eval {require LWP::Authen::Negotiate};
- $no_strong_auth = $@ ? 'missing perl module LWP::Authen::Negotiate' : 0;
-}
-
# We derive configuration information from hardwired defaults, dotfiles,
# and the RT* environment variables (in increasing order of precedence).
# Session information is stored in ~/.rt_sessions.
@@ -99,18 +89,16 @@ my %config = (
queue => undef,
# to protect against unlimited searches a better choice would be
# queue => 'Unknown_Queue',
-# setting externalauth => undef will try GSSAPI auth if the corresponding perl
-# modules are installed, externalauth => 0 is the backward compatible choice
- externalauth => 0,
+ auth => "rt",
),
config_from_file($ENV{RTCONFIG} || ".rtrc"),
config_from_env()
);
+
+$config{auth} = "basic" if delete $config{externalauth};
+
my $session = Session->new("$HOME/.rt_sessions");
my $REST = "$config{server}/REST/1.0";
-$no_strong_auth = 'switched off by externalauth=0'
- if defined $config{externalauth};
-
my $prompt = 'rt> ';
@@ -1056,20 +1044,23 @@ sub submit {
# Should we send authentication information to start a new session?
my $how = $config{server} =~ /^https/ ? 'over SSL' : 'unencrypted';
(my $server = $config{server}) =~ s/^.*\/\/([^\/]+)\/?/$1/;
- if ($config{externalauth}) {
+
+ if ($config{auth} eq "gssapi") {
+ die "GSSAPI support not available; failed to load perl module GSSAPI:\n$@\n"
+ unless eval { require GSSAPI; 1 };
+ die "GSSAPI support not available; failed to load perl module LWP::Authen::Negotiate:\n$@\n"
+ unless eval { require LWP::Authen::Negotiate; 1 };
+ } elsif ($config{auth} eq "basic") {
print " Password will be sent to $server $how\n",
" Press CTRL-C now if you do not want to continue\n"
if ! $config{passwd};
$h->authorization_basic($config{user}, $config{passwd} || read_passwd() );
- } elsif ( $no_strong_auth ) {
- if (!defined $session->cookie) {
- print " Strong encryption not available, $no_strong_auth\n",
- " Password will be sent to $server $how\n",
- " Press CTRL-C now if you do not want to continue\n"
- if ! $config{passwd};
- push @$data, ( user => $config{user} );
- push @$data, ( pass => $config{passwd} || read_passwd() );
- }
+ } elsif ( !defined $session->cookie ) {
+ print " Password will be sent to $server $how\n",
+ " Press CTRL-C now if you do not want to continue\n"
+ if ! $config{passwd};
+ push @$data, ( user => $config{user} );
+ push @$data, ( pass => $config{passwd} || read_passwd() );
}
# Now, we construct the request.
@@ -1080,9 +1071,7 @@ sub submit {
$req = GET($uri);
}
$session->add_cookie_header($req);
- if ($config{externalauth}) {
- $req->header(%$h);
- }
+ $req->header(%$h) if %$h;
# Then we send the request and parse the response.
DEBUG(3, $req->as_string);
@@ -1420,7 +1409,7 @@ sub Form::compose {
sub config_from_env {
my %env;
- foreach my $k (qw(EXTERNALAUTH DEBUG USER PASSWD SERVER QUERY ORDERBY)) {
+ foreach my $k (qw(EXTERNALAUTH AUTH DEBUG USER PASSWD SERVER QUERY ORDERBY)) {
if (exists $ENV{"RT$k"}) {
$env{lc $k} = $ENV{"RT$k"};
@@ -1474,7 +1463,7 @@ sub parse_config_file {
chomp;
next if (/^#/ || /^\s*$/);
- if (/^(externalauth|user|passwd|server|query|orderby|queue)\s+(.*)\s?$/) {
+ if (/^(externalauth|auth|user|passwd|server|query|orderby|queue)\s+(.*)\s?$/) {
$cfg{$1} = $2;
}
else {
@@ -1912,15 +1901,17 @@ Text:
The following directives may occur, one per line:
- - server <URL> URL to RT server.
- - user <username> RT username.
- - passwd <passwd> RT user's password.
- - query <RT Query> Default RT Query for list action
- - orderby <order> Default RT order for list action
- - queue <queuename> Default RT Queue for list action
- - externalauth <0|1> Use HTTP Basic authentication
- explicitely setting externalauth to 0 inhibits also GSSAPI based
- authentication, if LWP::Authen::Negotiate (and GSSAPI) is installed
+ - server <URL> URL to RT server.
+ - user <username> RT username.
+ - passwd <passwd> RT user's password.
+ - query <RT Query> Default RT Query for list action
+ - orderby <order> Default RT order for list action
+ - queue <queuename> Default RT Queue for list action
+ - auth <rt|basic|gssapi> Method to authenticate via; "basic"
+ means HTTP Basic authentication, "gssapi" means
+ Kerberos credentials, if your RT is configured
+ with $WebRemoteUserAuth. For backwards
+ compatibility, "externalauth 1" means "auth basic"
Blank and #-commented lines are ignored.
@@ -1939,7 +1930,7 @@ Text:
- RTUSER
- RTPASSWD
- - RTEXTERNALAUTH
+ - RTAUTH
- RTSERVER
- RTDEBUG Numeric debug level. (Set to 3 for full logs.)
- RTCONFIG Specifies a name other than ".rtrc" for the
-----------------------------------------------------------------------
More information about the rt-commit
mailing list