[Rt-commit] rt branch, 5.0/disable-password-for-auth-token-config, created. rt-5.0.0-99-g8df779384a
sunnavy at bestpractical.com
Fri Nov 6 14:42:16 EST 2020
The branch, 5.0/disable-password-for-auth-token-config has been created
at 8df779384a1814b759639b102fc741aafa28c3a2 (commit)
- Log -----------------------------------------------------------------
commit 9b90fbeac13feda8ff447c41a00dfa6ff9abb599
Author: Aaron Trevena <ast at bestpractical.com>
Date: Wed Jun 24 10:00:30 2020 +0100
Add config option to disable password for auth tokens
Added and documented a new configuration option to not require a password
when adding a new auth token. This solves problems with requiring a password
in a hybrid RT where both external and local accounts are used.
diff --git a/docs/authentication.pod b/docs/authentication.pod
index eba5b36be1..a6efb9f2f0 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -31,6 +31,14 @@ your RT Apache configuration to allow RT to access the Authorization header.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line in
+C<RT_SiteConfig.pm>:
+
+ Set($DisablePasswordForAuthToken, 1);
+
+
You can find more information about tokens in L<RT::Authen::Token>.
=head1 External Authentication
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 2539240f4d..3cedfa8756 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1426,6 +1426,13 @@ passwords. Setting it to 0 disables this check.
Set($MinimumPasswordLength, 5);
+=item C<$DisablePasswordForAuthToken>
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line in
+C<etc/RT_SiteConfig.pm>. You can find more information about tokens in
+L<RT::Authen::Token>.
+
=back
=head3 External Authentication and Authorization
@@ -1478,6 +1485,10 @@ See L<RT::Authen::ExternalAuth> for details.
=back
+=cut
+
+Set($DisablePasswordForAuthToken, 0);
+
=head2 Initialdata Formats
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 59ce078f1c..84bb6fcbd9 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1290,6 +1290,10 @@ our %META;
Widget => '/Widgets/Form/Boolean',
},
+ DisablePasswordForAuthToken => {
+ Widget => '/Widgets/Form/Boolean',
+ },
+
ExternalSettings => {
Immutable => 1,
Obfuscate => sub {
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index de32934bbb..650a81167a 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -5002,15 +5002,20 @@ sub ProcessAuthToken {
if ( $args_ref->{Create} ) {
# Don't require password for systems with some form of federated auth
+ # or if configured to not require a password
my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+ my $require_password = 1;
+ if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+ $require_password = 0;
+ }
if ( !length( $args_ref->{Description} ) ) {
push @results, loc("Description cannot be blank.");
}
- elsif ( $res{'CanSet'} && !length( $args_ref->{Password} ) ) {
+ elsif ( $require_password && !length( $args_ref->{Password} ) ) {
push @results, loc("Please enter your current password.");
}
- elsif ( $res{'CanSet'} && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
+ elsif ( $require_password && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
push @results, loc("Please enter your current password correctly.");
}
else {
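Review bot: The `%res` / `$require_password` decision added here is duplicated verbatim in the `<%INIT>` block of share/html/Elements/AuthToken/Create in the same commit, so the form and the handler can silently drift apart (one could stop prompting while the other still demands the password, or vice versa). Compute it once in a small helper that both call sites use, and keep the call order identical so `CurrentUserRequireToSetPassword()` is still invoked as before. ProcessAuthToken begins and ends outside this hunk, so the helper's placement next to it is inferred.
```perl
# Decide once whether creating an auth token must be confirmed with the
# current password: never when the admin disabled it, and never for users
# whose password is managed externally (CanSet is false).
sub RequirePasswordForAuthToken {
    my $user = shift;
    my %res  = $user->CurrentUserRequireToSetPassword();
    return 0 if RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'};
    return 1;
}

# … in ProcessAuthToken, replacing the inline %res / $require_password block …
my $require_password = RequirePasswordForAuthToken( $session{'CurrentUser'} );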
diff --git a/share/html/Elements/AuthToken/Create b/share/html/Elements/AuthToken/Create
index 653374c332..01d82cd8f1 100644
--- a/share/html/Elements/AuthToken/Create
+++ b/share/html/Elements/AuthToken/Create
@@ -57,7 +57,7 @@
<div class="modal-body">
<form method="POST">
<input type="hidden" name="Owner" value="<% $Owner %>">
-% if ( $res{'CanSet'} ){
+% if ( $require_password ){
<div class="form-row">
<div class="label col-4">
<&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:
@@ -89,8 +89,13 @@
</div>
<%INIT>
-# Don't require password for systems with some form of federated auth
+# Don't require password for systems with some form of federated auth,
+# or if configured to not require a password
my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+my $require_password = 1;
+if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+ $require_password = 0;
+}
</%INIT>
<%ARGS>
commit 5b531648223c46988a624abdebea6fb374dd4489
Author: sunnavy <sunnavy at bestpractical.com>
Date: Sat Nov 7 00:43:58 2020 +0800
Switch to Obfuscate callback for $DatabasePassword/$LDAPPassword configs
Previously we checked whether the config name looked like a password and
explicitly excluded MinimumPasswordLength, which didn't scale well: we
would have had to exclude the newly added $DisablePasswordForAuthToken in
various places to not obfuscate it.
This commit simplifies the logic: all configs that require obfuscation
need to set up Obfuscate callback accordingly.
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 84bb6fcbd9..09bb9cecb8 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -733,6 +733,10 @@ our %META;
DatabasePassword => {
Immutable => 1,
Widget => '/Widgets/Form/String',
+ Obfuscate => sub {
+ my ($config, $sources, $user) = @_;
+ return $user->loc('Password not printed');
+ },
},
DatabasePort => {
Immutable => 1,
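Review bot: The `Obfuscate` closure added to `DatabasePassword` is repeated character for character for `LDAPPassword` in the second hunk of this file, and it ignores its `$config` and `$sources` arguments, so there is nothing entry-specific about it. Declare it once before the `%META` assignment, `my $obfuscate_password = sub { my ($config, $sources, $user) = @_; return $user->loc('Password not printed'); };`, and reference it from both entries with `Obfuscate => $obfuscate_password,`; a third secret-bearing option then needs one line rather than four. A one-line comment on the shared coderef, `# Shared Obfuscate callback for options whose value is a credential.`, documents the convention the commit message introduces.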
@@ -1786,6 +1790,10 @@ our %META;
},
LDAPPassword => {
Widget => '/Widgets/Form/String',
+ Obfuscate => sub {
+ my ($config, $sources, $user) = @_;
+ return $user->loc('Password not printed');
+ },
},
LDAPBase => {
Widget => '/Widgets/Form/String',
diff --git a/share/html/Admin/Tools/Config/Elements/Option b/share/html/Admin/Tools/Config/Elements/Option
index f10e84e284..82acca3920 100644
--- a/share/html/Admin/Tools/Config/Elements/Option
+++ b/share/html/Admin/Tools/Config/Elements/Option
@@ -65,8 +65,7 @@ $doc_version =~ s/\.\d+-\d+-g\w+$//; # 4.4.3-1-g123 -> 4.4
my $name = $option->{Name};
my $meta = RT->Config->Meta( $name );
-return if $meta->{Invisible} || $meta->{Deprecated};
-return if $name =~ /Password/i && $name !~ /MinimumPasswordLength/;
+return if $meta->{Invisible} || $meta->{Deprecated} || $meta->{Obfuscate};
my $has_execute_code = $session{CurrentUser}->HasRight(Right => 'ExecuteCode', Object => RT->System);
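Review bot: Dropping the name-based `/Password/i` fallback means any option whose value is a credential but whose META entry lacks `Obfuscate` — plausibly including options registered by extensions rather than core — now prints in the clear on this page, and after the matching change in share/html/Admin/Tools/EditConfig.html it also becomes editable through the web UI; share/html/Admin/Tools/Configuration.html loses the same fallback. The commit only adds callbacks for `DatabasePassword` and `LDAPPassword`, so it is worth confirming no other option name matching the old pattern exists before merging, and recording the new contract at the changed line: `# Secrets are hidden only when their META entry sets Obfuscate; the old name-based /Password/ fallback is gone, so every new credential option must register one.`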
diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index 5e6cdce28b..d5c0e14e27 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -90,13 +90,7 @@ foreach my $key ( RT->Config->Options( Overridable => undef, Sorted => 0 ) ) {
</%PERL>
<div class="form-row <% $index_conf%2 ? 'oddline' : 'evenline'%>">
<div class="value col-4 collection-as-table"><% $key %></div>
- <div class="value col-4 collection-as-table">
-% if ( $key =~ /Password/i and $key !~ /MinimumPasswordLength/ ) {
-<em><% loc('Password not printed' ) %></em>\
-% } else {
-<% stringify($val) |n %>\
-% }
- </div>
+ <div class="value col-4 collection-as-table"><% stringify($val) |n %></div>
<div class="value col-4 collection-as-table">
% if ( $meta->{'Source'}{'SiteConfig'} ) {
<% $description %>
diff --git a/share/html/Admin/Tools/EditConfig.html b/share/html/Admin/Tools/EditConfig.html
index 2a33c93348..5de306fa45 100644
--- a/share/html/Admin/Tools/EditConfig.html
+++ b/share/html/Admin/Tools/EditConfig.html
@@ -94,7 +94,7 @@ if (delete $ARGS{Update}) {
next if !!$val eq !!$prev;
}
- if ( $meta->{Immutable} || $meta->{Obfuscate} || ($key =~ /Password/i and $key !~ /MinimumPasswordLength/ )) {
+ if ( $meta->{Immutable} || $meta->{Obfuscate} ) {
push @results, loc("Cannot change [_1]: Permission Denied", $key);
$has_error++;
next;
commit 8df779384a1814b759639b102fc741aafa28c3a2
Author: sunnavy <sunnavy at bestpractical.com>
Date: Sat Nov 7 02:55:32 2020 +0800
Remove special handling of password like core variables on configuration page
Config variables registered in %RT::Config::META have been skipped since
9bf93d26d4, so there is no need to do so any more.
diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index d5c0e14e27..c222129632 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -120,13 +120,7 @@ foreach my $key ( sort keys %{*RT::} ) {
</%PERL>
<div class="form-row collection-as-table <% $index_var%2 ? 'oddline' : 'evenline'%>">
<div class="value col-6 collection-as-table">RT::<% $key %></div>
- <div class="value col-6 collection-as-table">
-% if ( $key =~ /Password(?!Length)/i ) {
-<em><% loc('Password not printed' ) %></em>\
-% } else {
-<% ${'RT::'.$key} %>
-% }
- </div>
+ <div class="value col-6 collection-as-table"><% ${'RT::'.$key} %></div>
</div>
% }
% }
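Review bot: The rewritten line prints every remaining `%RT::` global verbatim, so its safety now rests entirely on the META-registered keys being skipped earlier in the loop, which the commit message attributes to 9bf93d26d4 and which is outside this hunk. That dependency is invisible at the print site, so a later edit to the skip could expose a credential-bearing global without touching this file. Record it next to the value cell: `<%# META-registered configs are skipped above; anything else in %RT:: is printed verbatim, so never keep secrets in unregistered RT:: globals. %>`. The enclosing `foreach` over `keys %{*RT::}` starts before this hunk.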
-----------------------------------------------------------------------