[Rt-commit] rt branch, 5.0/disable-password-for-auth-token-config, created. rt-5.0.0-98-gb148f34f9e

Jim Brandt jbrandt at bestpractical.com
Mon Dec 21 17:04:04 EST 2020


The branch, 5.0/disable-password-for-auth-token-config has been created
        at  b148f34f9e3ccc32dba18181ee031497aecd3804 (commit)

- Log -----------------------------------------------------------------
commit 8b6872cfe15e8d13efe74b16ca2eba271c48e49c
Author: Blaine Motsinger <blaine at bestpractical.com>
Date:   Thu Oct 29 18:45:26 2020 -0500

    Align "Time to display" in footer
    
    This commit fixes the alignment of the undocumented
    "Time to display" output in the footer.  To enable, add the
    following CSS to the Custom CSS in Admin > Tools > Theme.
    
    div#footer #time {
        display: inline;
    }

diff --git a/share/html/Elements/Footer b/share/html/Elements/Footer
index f65a192422..aea5948b0e 100644
--- a/share/html/Elements/Footer
+++ b/share/html/Elements/Footer
@@ -50,14 +50,16 @@
 </div>
 % $m->callback( %ARGS );
 <div id="footer" title="Best Practical Solutions, LLC, copyright" class="row">
-% if ($m->{'rt_base_time'}) {
-  <p id="time"><span><&|/l&>Time to display</&>: <%Time::HiRes::tv_interval( $m->{'rt_base_time'} )%></span></p>
-%}
 % # display 3 columns on login page
 % # display 1 column center aligned once logged in, without the "For support and sales..." section
 % my $cols = ( $Menu ? '12' : '4' );
   <div class="col-<% $cols %>">
-    <p id="version" class="text-center <% $Menu ? 'pb-1' : 'text-md-left' %>"><span><&|/l_unsafe, $RT::VERSION, &>RT Version [_1]</&></span></p>
+    <p id="version" class="text-center <% $Menu ? 'pb-1' : 'text-md-left' %>">
+%     if ($m->{'rt_base_time'}) {
+        <span id="time"><&|/l&>Time to display</&>: <%Time::HiRes::tv_interval( $m->{'rt_base_time'} )%> -</span>
+%     }
+      <span><&|/l_unsafe, $RT::VERSION, &>RT Version [_1]</&></span>
+    </p>
   </div>
   <div class="col-<% $cols %>">
     <p id="bpscredits" class="text-center"><span><&|/l_unsafe, '2020', '»|«', '<a href="https://bestpractical.com/about">Best Practical Solutions, LLC</a>', &>Copyright 1996-[_1] [_2] [_3].</&></span></p>

commit c466142ae3e34b9bc597835998ff608e20581051
Author: Aaron Trevena <ast at bestpractical.com>
Date:   Wed Jun 24 10:00:30 2020 +0100

    Add option to disable password prompt when creating tokens
    
    If RT allows both local RT auth and federated auth, we
    can't automatically determine when to suppress the password
    prompt during token creation. RT can't run a password check
    against a federated auth system, so users can be blocked from
    creating tokens. Provide an option to allow admins to explicitly
    omit the password check to prevent this.

diff --git a/docs/authentication.pod b/docs/authentication.pod
index eba5b36be1..ccf2b1263c 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -31,7 +31,11 @@ your RT Apache configuration to allow RT to access the Authorization header.
 
     SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
 
-You can find more information about tokens in L<RT::Authen::Token>.
+Since tokens grant access on behalf of a user, RT prompts for a password
+when a user is creating a token. However, if you have a mix of RT and
+federated authentication, RT can't authenticate users via the federated
+password system. For this case, you can explicitly disable the password
+check with the C<$DisablePasswordForAuthToken> configuration option.
 
 =head1 External Authentication
 
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 2539240f4d..871f16d105 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1476,8 +1476,18 @@ fail to exist in an external service; this is so requestors who
 are not in LDAP can still be created when they email in.
 See L<RT::Authen::ExternalAuth> for details.
 
+=item C<$DisablePasswordForAuthToken>
+
+If you have a mix of RT and federated authentication, RT can't directly
+verify a user's password against the federated IdP. You can explicitly
+disable the password prompt when creating a token by setting this option
+to true (1).
+
 =back
 
+=cut
+
+Set($DisablePasswordForAuthToken, 0);
 
 =head2 Initialdata Formats
 
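Review bot: The documentation for `$DisablePasswordForAuthToken` says when an admin might want it but not what it gives up: the password prompt is a re-authentication step, and once it is off anyone holding a live RT session for a user (a shared or hijacked browser session, for instance) can mint a long-lived auth token for that user without knowing any credential. Suggest adding to the `=item`: `Enabling this removes the re-authentication step, so any logged-in session can create an auth token for its user; only enable it when RT genuinely cannot verify passwords locally.` It would also help to state that the default `0` keeps the prompt for users who have a local RT password.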
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 59ce078f1c..84bb6fcbd9 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1290,6 +1290,10 @@ our %META;
         Widget    => '/Widgets/Form/Boolean',
     },
 
+    DisablePasswordForAuthToken => {
+        Widget => '/Widgets/Form/Boolean',
+    },
+
     ExternalSettings => {
         Immutable     => 1,
         Obfuscate => sub {
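Review bot: The new META entry for `DisablePasswordForAuthToken` carries only a `Widget`, so unlike `ExternalSettings` directly below it (`Immutable => 1`) it appears to be editable from the web configuration UI. Because this option switches off an authentication check, consider `Immutable => 1` so it can only be changed in the site config file, out of reach of a compromised admin session; whether that matches how the other auth-related options are registered is not visible in this hunk. The entry would read `DisablePasswordForAuthToken => { Immutable => 1, Widget => '/Widgets/Form/Boolean', },`.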
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index de32934bbb..650a81167a 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -5002,15 +5002,20 @@ sub ProcessAuthToken {
     if ( $args_ref->{Create} ) {
 
         # Don't require password for systems with some form of federated auth
+        # or if configured to not require a password
         my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+        my $require_password = 1;
+        if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+            $require_password = 0;
+        }
 
         if ( !length( $args_ref->{Description} ) ) {
             push @results, loc("Description cannot be blank.");
         }
-        elsif ( $res{'CanSet'} && !length( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !length( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password.");
         }
-        elsif ( $res{'CanSet'} && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
+        elsif ( $require_password && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
             push @results, loc("Please enter your current password correctly.");
         }
         else {
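Review bot: The `$require_password` derivation added here is duplicated verbatim in the `<%INIT>` of share/html/Elements/AuthToken/Create in the same commit, so the form and the handler can drift: if one copy changes, the UI may hide the password field while the server still demands it (users blocked), or show it while the server no longer checks it. Suggest one helper that both callers use, e.g. `my $require_password = RT::Interface::Web::RequirePasswordForAuthToken($session{'CurrentUser'});`, wrapping the three lines added here. When the check is disabled a token is issued on session authority alone, so if the `else` branch (outside the hunk) does not already log the creation with the acting user, it would be worth adding. `ProcessAuthToken` starts before and continues after this hunk.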
diff --git a/share/html/Elements/AuthToken/Create b/share/html/Elements/AuthToken/Create
index 653374c332..01d82cd8f1 100644
--- a/share/html/Elements/AuthToken/Create
+++ b/share/html/Elements/AuthToken/Create
@@ -57,7 +57,7 @@
       <div class="modal-body">
         <form method="POST">
           <input type="hidden" name="Owner" value="<% $Owner %>">
-%         if ( $res{'CanSet'} ){
+%         if ( $require_password ){
           <div class="form-row">
             <div class="label col-4">
               <&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:
@@ -89,8 +89,13 @@
 </div>
 
 <%INIT>
-# Don't require password for systems with some form of federated auth
+# Don't require password for systems with some form of federated auth,
+# or if configured to not require a password
 my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+my $require_password = 1;
+if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+   $require_password = 0;
+}
 </%INIT>
 
 <%ARGS>
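Review bot: The new comment in `<%INIT>` says when the prompt is skipped but not why it exists, which is what a future maintainer needs before removing it; suggest `# A token grants the same access as the user's login, so ask for the current password as a re-authentication step. Skip it only when RT cannot verify passwords itself (CanSet false under federated auth) or when the admin has opted out via $DisablePasswordForAuthToken.` Also, `   $require_password = 0;` is indented three spaces where the rest of the file uses four.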

commit 27e2eeb6a139e882adbc78022da3ac583defd87d
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat Nov 7 00:43:58 2020 +0800

    Switch to Obfuscate callback for $DatabasePassword/$LDAPPassword configs
    
    Previously we checked if the config name looks like password and
    explicitly excluded MinimumPasswordLength, which didn't scale well: we
    would have to exclude the newly added $DisablePasswordForAuthToken in
    various places to not obfuscate it.
    
    This commit simplifies the logic: all configs that require obfuscation
    need to set up Obfuscate callback accordingly.

diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 84bb6fcbd9..09bb9cecb8 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -733,6 +733,10 @@ our %META;
     DatabasePassword => {
         Immutable => 1,
         Widget    => '/Widgets/Form/String',
+        Obfuscate => sub {
+            my ($config, $sources, $user) = @_;
+            return $user->loc('Password not printed');
+        },
     },
     DatabasePort => {
         Immutable => 1,
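Review bot: The `Obfuscate` callback added to `DatabasePassword` is byte-identical to the one added to `LDAPPassword` later in this commit and ignores its first two arguments, so the replacement text lives in two places. A single shared closure keeps it in one: define `my $obfuscate_password = sub { my (undef, undef, $user) = @_; return $user->loc('Password not printed'); };` before `our %META` (which starts outside this hunk) and use `Obfuscate => $obfuscate_password,` in both entries.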
@@ -1786,6 +1790,10 @@ our %META;
     },
     LDAPPassword => {
         Widget => '/Widgets/Form/String',
+        Obfuscate => sub {
+            my ($config, $sources, $user) = @_;
+            return $user->loc('Password not printed');
+        },
     },
     LDAPBase => {
         Widget => '/Widgets/Form/String',
diff --git a/share/html/Admin/Tools/Config/Elements/Option b/share/html/Admin/Tools/Config/Elements/Option
index f10e84e284..82acca3920 100644
--- a/share/html/Admin/Tools/Config/Elements/Option
+++ b/share/html/Admin/Tools/Config/Elements/Option
@@ -65,8 +65,7 @@ $doc_version =~ s/\.\d+-\d+-g\w+$//;  # 4.4.3-1-g123 -> 4.4
 
 my $name = $option->{Name};
 my $meta = RT->Config->Meta( $name );
-return if $meta->{Invisible} || $meta->{Deprecated};
-return if $name =~ /Password/i && $name !~ /MinimumPasswordLength/;
+return if $meta->{Invisible} || $meta->{Deprecated} || $meta->{Obfuscate};
 
 my $has_execute_code = $session{CurrentUser}->HasRight(Right => 'ExecuteCode', Object => RT->System);
 
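Review bot: Removing the name-based guard turns this admin display from default-hide to default-show: an option whose name contains "Password" but whose META entry has no `Obfuscate` (for example one declared by an extension, if `Meta` returns no callback for it) will now be rendered where the old regex hid it. The commit message accepts that trade, but a one-line comment at the new `return` would make the contract explicit for future authors: `# Secrets must opt in via an Obfuscate callback in %RT::Config::META; there is no name-based fallback.`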
diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index 5e6cdce28b..d5c0e14e27 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -90,13 +90,7 @@ foreach my $key ( RT->Config->Options( Overridable => undef, Sorted => 0 ) ) {
 </%PERL>
   <div class="form-row <% $index_conf%2 ? 'oddline' : 'evenline'%>">
     <div class="value col-4 collection-as-table"><% $key %></div>
-    <div class="value col-4 collection-as-table">
-% if ( $key =~ /Password/i and $key !~ /MinimumPasswordLength/ ) {
-<em><% loc('Password not printed' ) %></em>\
-% } else {
-<% stringify($val) |n %>\
-% }
-    </div>
+    <div class="value col-4 collection-as-table"><% stringify($val) |n %></div>
     <div class="value col-4 collection-as-table">
 % if ( $meta->{'Source'}{'SiteConfig'} ) {
 <% $description %>
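Review bot: `<% stringify($val) |n %>` now prints every value in this loop unfiltered, so whether secrets stay off this page rests entirely on the surrounding loop (outside the hunk) skipping options whose META has `Obfuscate`, or on `stringify` honouring it; nothing inside the hunk does. If that filter lives above, a comment here would save the next reader a search, e.g. `% # Options with an Obfuscate callback (DatabasePassword, LDAPPassword) are excluded above.` If it does not, the database password would now be rendered into the admin page.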
diff --git a/share/html/Admin/Tools/EditConfig.html b/share/html/Admin/Tools/EditConfig.html
index 2a33c93348..5de306fa45 100644
--- a/share/html/Admin/Tools/EditConfig.html
+++ b/share/html/Admin/Tools/EditConfig.html
@@ -94,7 +94,7 @@ if (delete $ARGS{Update}) {
                 next if !!$val eq !!$prev;
             }
 
-            if ( $meta->{Immutable} || $meta->{Obfuscate} || ($key =~ /Password/i and $key !~ /MinimumPasswordLength/ )) {
+            if ( $meta->{Immutable} || $meta->{Obfuscate} ) {
                 push @results, loc("Cannot change [_1]: Permission Denied", $key);
                 $has_error++;
                 next;
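Review bot: With the `Password` name check gone, the only thing stopping a web edit of a credential-bearing option is its META carrying `Immutable` or `Obfuscate`; an extension's `*Password` option without either becomes changeable through the web UI where it was previously refused. A comment at the condition would make that contract explicit: `# Only Immutable/Obfuscate META protects an option from web edits; credential settings must set Obfuscate.` The enclosing `if (delete $ARGS{Update})` block starts and ends outside the hunk.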

commit b148f34f9e3ccc32dba18181ee031497aecd3804
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat Nov 7 02:55:32 2020 +0800

    Remove special handling of password-like core variables on configuration page
    
    Config variables registered in %RT::Config::META have been skipped since
    9bf93d26d4, so there is no need to do so any more.

diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index d5c0e14e27..c222129632 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -120,13 +120,7 @@ foreach my $key ( sort keys %{*RT::} ) {
 </%PERL>
       <div class="form-row collection-as-table <% $index_var%2 ? 'oddline' : 'evenline'%>">
         <div class="value col-6 collection-as-table">RT::<% $key %></div>
-        <div class="value col-6 collection-as-table">
-% if ( $key =~ /Password(?!Length)/i ) { 
-<em><% loc('Password not printed' ) %></em>\
-% } else {
-<% ${'RT::'.$key} %>
-% }
-        </div>
+        <div class="value col-6 collection-as-table"><% ${'RT::'.$key} %></div>
       </div>
 % }
 % }
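Review bot: This loop walks `%{*RT::}`, i.e. every package variable under `RT::`, and after this change prints each one that reaches it with no name-based check at all. The commit says META-registered variables are already skipped earlier (outside the hunk), but a global set directly by an extension or a site config without going through `Set()` — say a `$RT::SomethingPassword` — would now be dumped where it was previously masked. Keeping a cheap fallback in this loop, `% next if $key =~ /Password(?!Length)/i;`, preserves default-deny for unregistered names at no cost.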
