--- /dev/null
+v0.08 2009-01-24 Mike Peachey <zordrak@cpan.org>
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.08
+
+ * ChangeLog
+
+ Added entry for v0.08
+
+ * etc/RT_SiteConfig.pm
+
+ Added ssl_version to example LDAP config as it is used by
+ the code, but had not been demonstrated.
+
+ s/Crypt::MD5::md5_hex/Digest::MD5::md5_hex/ in example DBI
+ config.
+
+ Added the ability to provide a static salt to the p_enc_sub
+ however this behavious may be reviewed in future releases
+ to allow integration with better encryption methods.
+
+ s/userSupportAccess/disabled/ in example DBI config.
+
+ * html/Callbacks/ExternalAuth/autohandler/Auth
+
+ Modified the log message regarding the RT-3.8.[01] plugin
+ bug from error level to debug level and modified the text
+ of the message to be more clear for RT-3.8.2+ users.
+
+
+v0.08_01 2009-01-20 Mike Peachey <zordrak@cpan.org>
+
+ * ChangeLog
+
+ Added entry for v0.08_01
+
+ Tabs-to-spaces conversion made where needed.
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.08_01
+
+ DoAuth method created to inherit the work that used to be
+ performed by the Auth callback for autohandler.
+
+ GetAuth reduced to an interface. Its purpose is now just to
+ check what type of service was passed and then call the
+ GetAuth method from the right package.
+
+ Authentication now halts and returns with error if
+ ExternalAuthPriority is not set. This prevents a fairly
+ useless compile error and logs an explanation instead.
+
+ Information lookup is now bypassed and logged if
+ ExternalInfoPriority is not set, preventing another useless
+ compile error and replacing it with an explanation.
+
+ SSO Cookie authentication now available following the
+ integration of RT::Authen::CookieAuth. Methods updated
+ to reflect the availability of this service.
+
+ * lib/RT/Authen/ExternalAuth/DBI/Cookie.pm
+
+ File added to house the cookie grab. While SSO cookies are
+ a function of DBI authentication (at the moment at least)
+ there is no need for DBI.pm to use CGI::Cookie for this one
+ purpose. With the future possibility of futher cookie
+ functions as well, I decided it deserved its own module.
+
+ * lib/RT/Authen/ExternalAuth/LDAP.pm
+
+ Changed an unless($base) to unless(defined($base)) to allow
+ for the use of a defined, but empty, baseDN so that an LDAP
+ directory may be searched from the root.
+
+ * etc/RT_SiteConfig.pm
+
+ CookieAuth settings have been merged into the ExternalAuth
+ settings hash. Example from CookieAuth has been merged in.
+
+ 'auth' and 'info' settings have been deprecated and so have
+ been removed from the examples. The function they served has
+ been replaced by the ExternalAuthPriority and
+ ExternalInfoPriority variables.
+
+ * lib/RT/Authen/User_Vendor.pm
+
+ The override for the IsPassword method has been deprecated
+ and deleted. It is no longer necessary to do password tests
+ as a call to the User object. The equivalent function is
+ now provided by GetAuth in ExternalAuth.pm and is called
+ with an ExternalAuth service name, username and password.
+ Currently, this only needs to be called by DoAuth in
+ ExternalAuth.pm
+
+ While RT::Authen::ExternalAuth used to be used to integrate
+ internal RT authentication with an external method as a single
+ operation, this causes a lack of modularity. Now ExternalAuth
+ is only concerned with its own authentication methods and if
+ they fail then RT will decide to do fallback to internal
+ authentication on its own.
+
+ * html/Callbacks/ExternalAuth/autohandler/Auth
+
+ Workaround for RT versions 3.8.0 and 3.8.1 removed.
+ RT::Authen::ExternalAuth v0.08 will be officially compatible
+ only with versions 3.8.2 and up.
+
+ All functionality has been replaced by a call to ExternalAuth.pm's
+ DoAuth method. This is permitted by the passing of a reference to
+ the current session variable. DoAuth simply modifies that variable
+ as necessary to perform its function. Any data returned is purely
+ informational.
+
+ * README
+
+ Updated to include basic information on SSO cookies.
+
+ * Makefile.PL
+
+ Updated to reflect the integration of RT::Authen::CookieAuth.
+
+v0.07_02 2008-12-22 Kevin Falcone <falcone@cpan.org>
+
+ * html/Callbacks/ExternalAuth/autohandler/Auth
+
+ Make the workaround needed for 3.8.1 work on 3.8.2
+
+v0.07_01 2008-11-06 Mike Peachey <zordrak@cpan.org>
+ Kevin Falcone <falcone@cpan.org>
+
+ * ALL
+
+ Complete code refactoring and updates for RT-3.8.x
+ compatability.
+
+v0.06 2008-11-01 Mike Peachey <zordrak@cpan.org>
+
+ * README
+
+ A few minor tweaks.
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.06
+
+ * etc/RT_SiteConfig.pm
+
+ A number of clarifications added to the example config comments
+ such as making clear the fact that a valid d_filter is required.
+
+v0.06_03 2008-10-31 Mike Peachey <zordrak@cpan.org>
+ Kevin Falcone <falcone@cpan.org>
+
+ * html/Callbacks/ExternalAuth/autohandler/Auth
+
+ Add fix to work around a plugin bug in RT-3.8.0 & RT-3.8.1
+ preventing User_Vendor.pm overlay being required before
+ RT::User is loaded.
+
+ Check the return value from calling RT::User::Create.
+
+ Check the return value when loading an autocreated user.
+
+ * README
+
+ Updated to talk about removing old files in local/.
+
+ * lib/RT/Authen/User_Vendor.pm
+
+ Added error-checking to complain if a an LDAP configuration is
+ in use, but no d_filter has been specified.
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.06_03.
+
+ * ChangeLog
+
+ General clean-up.
+
+
+v0.06_02 2008-10-01 Kevin Falcone <falcone@cpan.org>
+
+ * ChangeLog
+
+ Updates to previous release.
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.06_02.
+
+
+v0.06_01 2008-10-17 Kevin Falcone <falcone@cpan.org>
+
+ * lib/RT/Authen/User_Vendor.pm
+
+ Add a patch to be compatible with 3.8
+
+ * Upgrade Module::Install::RTx to work better with RT-3.8.x
+
+
+v0.05 2008-04-09 Mike Peachey <zordrak@cpan.org>
+
+ * lib/RT/Authen/User_Vendor.pm
+
+ Typo on line 962. s/servicen/service/
+
+ * html/Callbacks/ExternalAuth/autohandler/Auth
+
+ Deprecated $user_autocreated. It was being used to prevent a call
+ to RT::User::UpdateFromExternal in User_Vendor.pm because it was
+ deemed an unecessary expense to set the user's info and then look
+ it up again straight after. However, I have since realised that
+ UpdateFromExternal is the only code doing a check to see if the
+ user has been disabled in the external source and so bypassing
+ it when users are created allows new users to log in once even
+ if they have not been "enabled".
+
+ I will be doing a small rewrite of this code in the future to
+ abstract the External disable-lookup code from UpdateFromExternal
+ and perhaps remove the function altogether, but for now everything
+ will work fine.
+
+ * ChangeLog
+
+ I did it again. I added a / on the front of the path to
+ ExternalAuth.pm. What a plonker!
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.05
+
+
+v0.04 2008-04-03 Mike Peachey <zordrak@cpan.org>
+
+ * etc/RT_SiteConfig.pm
+
+ The example LDAP ExternalSettings configuration did not contain
+ example values for user and pass for RT's connection to an LDAP
+ server. These have now been added.
+
+ Thanks to Andrew Fay <andrew.fay@hotmail.com> for noticing this one.
+
+ * ChangeLog
+
+ Removed a "/" from the start of the ExternalAuth.pm file line in 0.03
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.04
+
+
+v0.03 2008-03-31 Mike Peachey <zordrak@cpan.org>
+
+ * html/Callbacks/ExternalAuth/autohandler/Auth
+
+ Bug found on lines 94-100.
+
+ The ELSE block starting on line 95 was assigned to the IF starting
+ on 85 instead of the IF block starting on line 86. This meant that
+ if the user entered at the login screen exists no password would
+ be checked.
+
+ It was doing this:
+
+ If session has current user who has an ID
+ If password has already been validated
+ SUCCESS
+ Else
+ Return to autohandler with valid session & implicit auth
+ Else delete session
+
+
+ This has now been corrected to this:
+
+ If session has current user who has an ID
+ If password has already been validated
+ SUCCESS
+ Else
+ Delete session
+ Else return to autohandler with whatever we had before the block
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.03
+
+
+v0.02 2008-03-17 Mike Peachey <zordrak@cpan.org>
+
+ * lib/RT/User_Vendor.pm
+
+ Bug #1 found on line 446.
+
+ CanonicalizeUserInfo was being called directly, instead of being
+ called on the $self user object.
+
+ This was causing CanonicalizeUserInfo to shift the e-mail address
+ it was passed into the $self var instead of the $email var. It was
+ therefore returning a blank e-mail address regardless of the input.
+
+ * lib/RT/User_Vendor.pm
+
+ Header comments altered to reflect that the file is part of the
+ RT::Authen::ExternalAuth extension.
+
+ * /lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.02
+
+
+v0.01 2008-03-13 Mike Peachey <zordrak@cpan.org>
+
+ * Initial Release
--- /dev/null
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software
+ interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation. If the Program does not specify a
+version number of this License, you may choose any version ever
+published by the Free Software Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- /dev/null
+ChangeLog
+etc/RT_SiteConfig.pm
+html/Callbacks/ExternalAuth/autohandler/Auth
+inc/Module/Install.pm
+inc/Module/Install/Base.pm
+inc/Module/Install/Can.pm
+inc/Module/Install/Fetch.pm
+inc/Module/Install/Makefile.pm
+inc/Module/Install/Metadata.pm
+inc/Module/Install/RTx.pm
+inc/Module/Install/Win32.pm
+inc/Module/Install/WriteAll.pm
+lib/RT/Authen/ExternalAuth.pm
+lib/RT/Authen/ExternalAuth/DBI.pm
+lib/RT/Authen/ExternalAuth/LDAP.pm
+lib/RT/Authen/ExternalAuth/DBI/Cookie.pm
+lib/RT/User_Vendor.pm
+LICENSE
+Makefile.PL
+MANIFEST This list of files
+META.yml
+README
--- /dev/null
+---
+abstract: RT Authen-ExternalAuth Extension
+author:
+ - Mike Peachey <zordrak@cpan.org>
+distribution_type: module
+generated_by: Module::Install version 0.70
+license: GPL version 2
+meta-spec:
+ url: http://module-build.sourceforge.net/META-spec-v1.3.html
+ version: 1.3
+name: RT-Authen-ExternalAuth
+no_index:
+ directory:
+ - etc
+ - html
+ - po
+ - var
+ - inc
+requires:
+ RT: 0
+version: 0.07_02
--- /dev/null
+use inc::Module::Install;
+
+RTx('RT-Authen-ExternalAuth');
+
+license('GPL version 2');
+author('Mike Peachey <zordrak@cpan.org>');
+
+all_from('lib/RT/Authen/ExternalAuth.pm');
+
+requires('RT');
+
+features(
+ 'SSL LDAP Connections' => [
+ -default => 0,
+ 'Net::SSLeay' => 0],
+ 'External LDAP Sources' => [
+ -default => 1,
+ 'Net::LDAP' => 0],
+ 'External DBI Sources' => [
+ -default => 1,
+ 'DBI' => 0],
+ 'SSO Cookie Sources' => [
+ -default => 1,
+ 'CGI::Cookies' => 0]
+);
+&WriteAll;
--- /dev/null
+RT-Authen-ExternalAuth
+
+This module provides the ability to authenticate RT users
+against one or more external data sources at once. It will
+also allow information about that user to be loaded from
+the same, or any other available, source as well as allowing
+multple redundant servers for each method.
+
+The extension currently supports authentication and
+information from LDAP via the Net::LDAP module, and from
+any data source that an installed DBI driver is available
+for.
+
+It is also possible to use cookies set by an alternate
+application for Single Sign-On (SSO) with that application.
+For example, you may integrate RT with your own website login
+system so that once users log in to your website, they will be
+automagically logged in to RT when they access it.
+
+It was originally designed and tested against:
+
+MySQL v4.1.21-standard
+MySQL v5.0.22
+Windows Active Directory v2003
+
+But it has been designed so that it should work with ANY
+LDAP service and ANY DBI-drivable database, based upon the
+configuration given in your $RTHOME/etc/RT_SiteConfig.pm
+
+As of v0.08 ExternalAuth also allows you to pull a browser
+cookie value and test it against a DBI data source allowing
+the use of cookies for Single Sign-On (SSO) authentication
+with another application or website login system. This is
+due to the merging of RT::Authen::ExternalAuth and
+RT::Authen::CookieAuth. For example, you may integrate RT
+with your own website login system so that once users log in
+to your website, they will be automagically logged in to RT
+when they access it.
+
+
+INSTALLATION
+
+To install this module, run the following commands:
+
+ perl Makefile.PL
+ make
+ make install
+
+I recommend:
+RT::Authen::ExternalAuth v0.05 for RT-3.6.x
+RT::Authen::ExternalAuth v0.08+ for RT-3.8.x
+
+If you are using RT 3.8.x, you need to enable this
+module by adding RT::Authen::ExternalAuth to your
+@Plugins configuration:
+
+Set( @Plugins, qw(RT::Authen::ExternalAuth) );
+
+Once installed, you should view the file:
+
+3.4/3.6 $RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm
+3.8 $RTHOME/local/plugins/RT-Auth-ExternalAuth/etc/RT_SiteConfig.pm
+
+Then use the examples provided to prepare your own custom
+configuration which should be added to your site configuration in
+$RTHOME/etc/RT_SiteConfig.pm
+
+Alternatively, you may alter the provided examples directly
+and then include the extra directives by 'requiring' the
+example file's path at the end of your RT_SiteConfig.pm
+
+
+UPGRADING
+
+If you are upgrading from 0.05 you may have some leftover
+parts of the module in
+
+$RTHOME/local/lib/RT/User_Vendor.pm
+$RTHOME/local/lib/RT/Authen/External_Auth.pm
+
+that will conflict with the new install and these should be removed
+
+AUTHOR
+ Mike Peachey
+ Jennic Ltd.
+ zordrak@cpan.org
+
+COPYRIGHT AND LICENCE
+
+Copyright (C) 2008, Jennic Ltd.
+
+This software is released under version 2 of the GNU
+General Public License. The license is distributed with
+this package in the LICENSE file found in the directory
+root.
--- /dev/null
+# The order in which the services defined in ExternalSettings
+# should be used to authenticate users. User is authenticated
+# if successfully confirmed by any service - no more services
+# are checked.
+Set($ExternalAuthPriority, [ 'My_LDAP',
+ 'My_MySQL',
+ 'My_SSO_Cookie'
+ ]
+);
+
+# The order in which the services defined in ExternalSettings
+# should be used to get information about users. This includes
+# RealName, Tel numbers etc, but also whether or not the user
+# should be considered disabled.
+#
+# Once user info is found, no more services are checked.
+#
+# You CANNOT use a SSO cookie for authentication.
+Set($ExternalInfoPriority, [ 'My_MySQL',
+ 'My_LDAP'
+ ]
+);
+
+# If this is set to true, then the relevant packages will
+# be loaded to use SSL/TLS connections. At the moment,
+# this just means "use Net::SSLeay;"
+Set($ExternalServiceUsesSSLorTLS, 0);
+
+# If this is set to 1, then users should be autocreated by RT
+# as internal users if they fail to authenticate from an
+# external service.
+Set($AutoCreateNonExternalUsers, 0);
+
+# These are the full settings for each external service as a HashOfHashes
+# Note that you may have as many external services as you wish. They will
+# be checked in the order specified in the Priority directives above.
+# e.g.
+# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
+#
+Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
+ 'My_MySQL' => { ## GENERIC SECTION
+ # The type of service (db/ldap/cookie)
+ 'type' => 'db',
+ # The server hosting the service
+ 'server' => 'server.domain.tld',
+ ## SERVICE-SPECIFIC SECTION
+ # The database name
+ 'database' => 'DB_NAME',
+ # The database table
+ 'table' => 'USERS_TABLE',
+ # The user to connect to the database as
+ 'user' => 'DB_USER',
+ # The password to use to connect with
+ 'pass' => 'DB_PASS',
+ # The port to use to connect with (e.g. 3306)
+ 'port' => 'DB_PORT',
+ # The name of the Perl DBI driver to use (e.g. mysql)
+ 'dbi_driver' => 'DBI_DRIVER',
+ # The field in the table that holds usernames
+ 'u_field' => 'username',
+ # The field in the table that holds passwords
+ 'p_field' => 'password',
+ # The Perl package & subroutine used to encrypt passwords
+ # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
+ # function, then you will need Crypt::MySQL::password, but for the
+ # MySQL4+ password function you will need Crypt::MySQL::password41
+ # Alternatively, you could use Digest::MD5::md5_hex or any other
+ # encryption subroutine you can load in your perl installation
+ 'p_enc_pkg' => 'Crypt::MySQL',
+ 'p_enc_sub' => 'password',
+ # If your p_enc_sub takes a salt as a second parameter,
+ # uncomment this line to add your salt
+ #'p_salt' => 'SALT',
+ #
+ # The field and values in the table that determines if a user should
+ # be disabled. For example, if the field is 'user_status' and the values
+ # are ['0','1','2','disabled'] then the user will be disabled if their
+ # user_status is set to '0','1','2' or the string 'disabled'.
+ # Otherwise, they will be considered enabled.
+ 'd_field' => 'disabled',
+ 'd_values' => ['0'],
+ ## RT ATTRIBUTE MATCHING SECTION
+ # The list of RT attributes that uniquely identify a user
+ 'attr_match_list' => [ 'Gecos',
+ 'Name'
+ ],
+ # The mapping of RT attributes on to field names
+ 'attr_map' => { 'Name' => 'username',
+ 'EmailAddress' => 'email',
+ 'ExternalAuthId' => 'username',
+ 'Gecos' => 'userID'
+ }
+ },
+ # AN EXAMPLE LDAP SERVICE
+ 'My_LDAP' => { ## GENERIC SECTION
+ # The type of service (db/ldap/cookie)
+ 'type' => 'ldap',
+ # The server hosting the service
+ 'server' => 'server.domain.tld',
+ ## SERVICE-SPECIFIC SECTION
+ # If you can bind to your LDAP server anonymously you should
+ # remove the user and pass config lines, otherwise specify them here:
+ #
+ # The username RT should use to connect to the LDAP server
+ 'user' => 'rt_ldap_username',
+ # The password RT should use to connect to the LDAP server
+ 'pass' => 'rt_ldap_password',
+ #
+ # The LDAP search base
+ 'base' => 'ou=Organisational Unit,dc=domain,dc=TLD',
+ #
+ # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
+ # YOU **MUST** SPECIFY A filter AND A d_filter!!
+ #
+ # The filter to use to match RT-Users
+ 'filter' => '(FILTER_STRING)',
+ # A catch-all example filter: '(objectClass=*)'
+ #
+ # The filter that will only match disabled users
+ 'd_filter' => '(FILTER_STRING)',
+ # A catch-none example d_filter: '(objectClass=FooBarBaz)'
+ #
+ # Should we try to use TLS to encrypt connections?
+ 'tls' => 0,
+ # SSL Version to provide to Net::SSLeay *if* using SSL
+ 'ssl_version' => 3,
+ # What other args should I pass to Net::LDAP->new($host,@args)?
+ 'net_ldap_args' => [ version => 3 ],
+ # Does authentication depend on group membership? What group name?
+ 'group' => 'GROUP_NAME',
+ # What is the attribute for the group object that determines membership?
+ 'group_attr' => 'GROUP_ATTR',
+ ## RT ATTRIBUTE MATCHING SECTION
+ # The list of RT attributes that uniquely identify a user
+ # This example shows what you *can* specify.. I recommend reducing this
+ # to just the Name and EmailAddress to save encountering problems later.
+ 'attr_match_list' => [ 'Name',
+ 'EmailAddress',
+ 'RealName',
+ 'WorkPhone',
+ 'Address2'
+ ],
+ # The mapping of RT attributes on to LDAP attributes
+ 'attr_map' => { 'Name' => 'sAMAccountName',
+ 'EmailAddress' => 'mail',
+ 'Organization' => 'physicalDeliveryOfficeName',
+ 'RealName' => 'cn',
+ 'ExternalAuthId' => 'sAMAccountName',
+ 'Gecos' => 'sAMAccountName',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co'
+ }
+ },
+ # An example SSO cookie service
+ 'My_SSO_Cookie' => { # # The type of service (db/ldap/cookie)
+ 'type' => 'cookie',
+ # The name of the cookie to be used
+ 'name' => 'loginCookieValue',
+ # The users table
+ 'u_table' => 'users',
+ # The username field in the users table
+ 'u_field' => 'username',
+ # The field in the users table that uniquely identifies a user
+ # and also exists in the cookies table
+ 'u_match_key' => 'userID',
+ # The cookies table
+ 'c_table' => 'login_cookie',
+ # The field that stores cookie values
+ 'c_field' => 'loginCookieValue',
+ # The field in the cookies table that uniquely identifies a user
+ # and also exists in the users table
+ 'c_match_key' => 'loginCookieUserID',
+ # The DB service in this configuration to use to lookup the cookie information
+ 'db_service_name' => 'My_MySQL'
+ }
+ }
+);
+
+1;
--- /dev/null
+<%once>
+my $loaded_user = 0;
+</%once>
+<%init>
+
+use RT::Authen::ExternalAuth;
+
+###################################################################################
+# Work around a bug in the RT 3.8.0 and 3.8.1 plugin system (fixed in 3.8.2) #
+# Temporarily force RT to reload RT::User, since it isn't being loaded #
+# correctly as a plugin. #
+###################################################################################
+unless ($loaded_user) {
+ $RT::Logger->debug("Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1");
+ $loaded_user++;
+ delete $INC{'RT/User.pm'};
+ delete $INC{'RT/User_Overlay.pm'};
+ delete $INC{'RT/User_Vendor.pm'};
+ require RT::User;
+}
+###################################################################################
+
+my ($val,$msg);
+unless($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
+ ($val,$msg) = RT::Authen::ExternalAuth::DoAuth(\%session,$user,$pass);
+ $RT::Logger->debug("Autohandler called ExternalAuth. Response: ($val, $msg)");
+}
+
+return;
+</%init>
+
+<%ARGS>
+$user => undef
+$pass => undef
+$menu => undef
+</%ARGS>
--- /dev/null
+#line 1
+package Module::Install;
+
+# For any maintainers:
+# The load order for Module::Install is a bit magic.
+# It goes something like this...
+#
+# IF ( host has Module::Install installed, creating author mode ) {
+# 1. Makefile.PL calls "use inc::Module::Install"
+# 2. $INC{inc/Module/Install.pm} set to installed version of inc::Module::Install
+# 3. The installed version of inc::Module::Install loads
+# 4. inc::Module::Install calls "require Module::Install"
+# 5. The ./inc/ version of Module::Install loads
+# } ELSE {
+# 1. Makefile.PL calls "use inc::Module::Install"
+# 2. $INC{inc/Module/Install.pm} set to ./inc/ version of Module::Install
+# 3. The ./inc/ version of Module::Install loads
+# }
+
+BEGIN {
+ require 5.004;
+}
+use strict 'vars';
+
+use vars qw{$VERSION};
+BEGIN {
+ # All Module::Install core packages now require synchronised versions.
+ # This will be used to ensure we don't accidentally load old or
+ # different versions of modules.
+ # This is not enforced yet, but will be some time in the next few
+ # releases once we can make sure it won't clash with custom
+ # Module::Install extensions.
+ $VERSION = '0.70';
+}
+
+
+
+
+
+# Whether or not inc::Module::Install is actually loaded, the
+# $INC{inc/Module/Install.pm} is what will still get set as long as
+# the caller loaded module this in the documented manner.
+# If not set, the caller may NOT have loaded the bundled version, and thus
+# they may not have a MI version that works with the Makefile.PL. This would
+# result in false errors or unexpected behaviour. And we don't want that.
+my $file = join( '/', 'inc', split /::/, __PACKAGE__ ) . '.pm';
+unless ( $INC{$file} ) { die <<"END_DIE" }
+
+Please invoke ${\__PACKAGE__} with:
+
+ use inc::${\__PACKAGE__};
+
+not:
+
+ use ${\__PACKAGE__};
+
+END_DIE
+
+
+
+
+
+# If the script that is loading Module::Install is from the future,
+# then make will detect this and cause it to re-run over and over
+# again. This is bad. Rather than taking action to touch it (which
+# is unreliable on some platforms and requires write permissions)
+# for now we should catch this and refuse to run.
+if ( -f $0 and (stat($0))[9] > time ) { die <<"END_DIE" }
+
+Your installer $0 has a modification time in the future.
+
+This is known to create infinite loops in make.
+
+Please correct this, then run $0 again.
+
+END_DIE
+
+
+
+
+
+# Build.PL was formerly supported, but no longer is due to excessive
+# difficulty in implementing every single feature twice.
+if ( $0 =~ /Build.PL$/i or -f 'Build.PL' ) { die <<"END_DIE" }
+
+Module::Install no longer supports Build.PL.
+
+It was impossible to maintain duel backends, and has been deprecated.
+
+Please remove all Build.PL files and only use the Makefile.PL installer.
+
+END_DIE
+
+
+
+
+
+use Cwd ();
+use File::Find ();
+use File::Path ();
+use FindBin;
+
+*inc::Module::Install::VERSION = *VERSION;
+@inc::Module::Install::ISA = __PACKAGE__;
+
+sub autoload {
+ my $self = shift;
+ my $who = $self->_caller;
+ my $cwd = Cwd::cwd();
+ my $sym = "${who}::AUTOLOAD";
+ $sym->{$cwd} = sub {
+ my $pwd = Cwd::cwd();
+ if ( my $code = $sym->{$pwd} ) {
+ # delegate back to parent dirs
+ goto &$code unless $cwd eq $pwd;
+ }
+ $$sym =~ /([^:]+)$/ or die "Cannot autoload $who - $sym";
+ unshift @_, ( $self, $1 );
+ goto &{$self->can('call')} unless uc($1) eq $1;
+ };
+}
+
+sub import {
+ my $class = shift;
+ my $self = $class->new(@_);
+ my $who = $self->_caller;
+
+ unless ( -f $self->{file} ) {
+ require "$self->{path}/$self->{dispatch}.pm";
+ File::Path::mkpath("$self->{prefix}/$self->{author}");
+ $self->{admin} = "$self->{name}::$self->{dispatch}"->new( _top => $self );
+ $self->{admin}->init;
+ @_ = ($class, _self => $self);
+ goto &{"$self->{name}::import"};
+ }
+
+ *{"${who}::AUTOLOAD"} = $self->autoload;
+ $self->preload;
+
+ # Unregister loader and worker packages so subdirs can use them again
+ delete $INC{"$self->{file}"};
+ delete $INC{"$self->{path}.pm"};
+
+ return 1;
+}
+
+sub preload {
+ my ($self) = @_;
+
+ unless ( $self->{extensions} ) {
+ $self->load_extensions(
+ "$self->{prefix}/$self->{path}", $self
+ );
+ }
+
+ my @exts = @{$self->{extensions}};
+ unless ( @exts ) {
+ my $admin = $self->{admin};
+ @exts = $admin->load_all_extensions;
+ }
+
+ my %seen;
+ foreach my $obj ( @exts ) {
+ while (my ($method, $glob) = each %{ref($obj) . '::'}) {
+ next unless $obj->can($method);
+ next if $method =~ /^_/;
+ next if $method eq uc($method);
+ $seen{$method}++;
+ }
+ }
+
+ my $who = $self->_caller;
+ foreach my $name ( sort keys %seen ) {
+ *{"${who}::$name"} = sub {
+ ${"${who}::AUTOLOAD"} = "${who}::$name";
+ goto &{"${who}::AUTOLOAD"};
+ };
+ }
+}
+
+sub new {
+ my ($class, %args) = @_;
+
+ # ignore the prefix on extension modules built from top level.
+ my $base_path = Cwd::abs_path($FindBin::Bin);
+ unless ( Cwd::abs_path(Cwd::cwd()) eq $base_path ) {
+ delete $args{prefix};
+ }
+
+ return $args{_self} if $args{_self};
+
+ $args{dispatch} ||= 'Admin';
+ $args{prefix} ||= 'inc';
+ $args{author} ||= ($^O eq 'VMS' ? '_author' : '.author');
+ $args{bundle} ||= 'inc/BUNDLES';
+ $args{base} ||= $base_path;
+ $class =~ s/^\Q$args{prefix}\E:://;
+ $args{name} ||= $class;
+ $args{version} ||= $class->VERSION;
+ unless ( $args{path} ) {
+ $args{path} = $args{name};
+ $args{path} =~ s!::!/!g;
+ }
+ $args{file} ||= "$args{base}/$args{prefix}/$args{path}.pm";
+
+ bless( \%args, $class );
+}
+
+sub call {
+ my ($self, $method) = @_;
+ my $obj = $self->load($method) or return;
+ splice(@_, 0, 2, $obj);
+ goto &{$obj->can($method)};
+}
+
+sub load {
+ my ($self, $method) = @_;
+
+ $self->load_extensions(
+ "$self->{prefix}/$self->{path}", $self
+ ) unless $self->{extensions};
+
+ foreach my $obj (@{$self->{extensions}}) {
+ return $obj if $obj->can($method);
+ }
+
+ my $admin = $self->{admin} or die <<"END_DIE";
+The '$method' method does not exist in the '$self->{prefix}' path!
+Please remove the '$self->{prefix}' directory and run $0 again to load it.
+END_DIE
+
+ my $obj = $admin->load($method, 1);
+ push @{$self->{extensions}}, $obj;
+
+ $obj;
+}
+
+sub load_extensions {
+ my ($self, $path, $top) = @_;
+
+ unless ( grep { lc $_ eq lc $self->{prefix} } @INC ) {
+ unshift @INC, $self->{prefix};
+ }
+
+ foreach my $rv ( $self->find_extensions($path) ) {
+ my ($file, $pkg) = @{$rv};
+ next if $self->{pathnames}{$pkg};
+
+ local $@;
+ my $new = eval { require $file; $pkg->can('new') };
+ unless ( $new ) {
+ warn $@ if $@;
+ next;
+ }
+ $self->{pathnames}{$pkg} = delete $INC{$file};
+ push @{$self->{extensions}}, &{$new}($pkg, _top => $top );
+ }
+
+ $self->{extensions} ||= [];
+}
+
+sub find_extensions {
+ my ($self, $path) = @_;
+
+ my @found;
+ File::Find::find( sub {
+ my $file = $File::Find::name;
+ return unless $file =~ m!^\Q$path\E/(.+)\.pm\Z!is;
+ my $subpath = $1;
+ return if lc($subpath) eq lc($self->{dispatch});
+
+ $file = "$self->{path}/$subpath.pm";
+ my $pkg = "$self->{name}::$subpath";
+ $pkg =~ s!/!::!g;
+
+ # If we have a mixed-case package name, assume case has been preserved
+ # correctly. Otherwise, root through the file to locate the case-preserved
+ # version of the package name.
+ if ( $subpath eq lc($subpath) || $subpath eq uc($subpath) ) {
+ open PKGFILE, "<$subpath.pm" or die "find_extensions: Can't open $subpath.pm: $!";
+ my $in_pod = 0;
+ while ( <PKGFILE> ) {
+ $in_pod = 1 if /^=\w/;
+ $in_pod = 0 if /^=cut/;
+ next if ($in_pod || /^=cut/); # skip pod text
+ next if /^\s*#/; # and comments
+ if ( m/^\s*package\s+($pkg)\s*;/i ) {
+ $pkg = $1;
+ last;
+ }
+ }
+ close PKGFILE;
+ }
+
+ push @found, [ $file, $pkg ];
+ }, $path ) if -d $path;
+
+ @found;
+}
+
+sub _caller {
+ my $depth = 0;
+ my $call = caller($depth);
+ while ( $call eq __PACKAGE__ ) {
+ $depth++;
+ $call = caller($depth);
+ }
+ return $call;
+}
+
+1;
+
+# Copyright 2008 Adam Kennedy.
--- /dev/null
+#line 1
+package Module::Install::Base;
+
+$VERSION = '0.70';
+
+# Suspend handler for "redefined" warnings
+BEGIN {
+ my $w = $SIG{__WARN__};
+ $SIG{__WARN__} = sub { $w };
+}
+
+### This is the ONLY module that shouldn't have strict on
+# use strict;
+
+#line 41
+
+sub new {
+ my ($class, %args) = @_;
+
+ foreach my $method ( qw(call load) ) {
+ *{"$class\::$method"} = sub {
+ shift()->_top->$method(@_);
+ } unless defined &{"$class\::$method"};
+ }
+
+ bless( \%args, $class );
+}
+
+#line 61
+
+sub AUTOLOAD {
+ my $self = shift;
+ local $@;
+ my $autoload = eval { $self->_top->autoload } or return;
+ goto &$autoload;
+}
+
+#line 76
+
+sub _top { $_[0]->{_top} }
+
+#line 89
+
+sub admin {
+ $_[0]->_top->{admin} or Module::Install::Base::FakeAdmin->new;
+}
+
+sub is_admin {
+ $_[0]->admin->VERSION;
+}
+
+sub DESTROY {}
+
+package Module::Install::Base::FakeAdmin;
+
+my $Fake;
+sub new { $Fake ||= bless(\@_, $_[0]) }
+
+sub AUTOLOAD {}
+
+sub DESTROY {}
+
+# Restore warning handler
+BEGIN {
+ $SIG{__WARN__} = $SIG{__WARN__}->();
+}
+
+1;
+
+#line 138
--- /dev/null
+#line 1
+package Module::Install::Can;
+
+use strict;
+use Module::Install::Base;
+use Config ();
+### This adds a 5.005 Perl version dependency.
+### This is a bug and will be fixed.
+use File::Spec ();
+use ExtUtils::MakeMaker ();
+
+use vars qw{$VERSION $ISCORE @ISA};
+BEGIN {
+ $VERSION = '0.70';
+ $ISCORE = 1;
+ @ISA = qw{Module::Install::Base};
+}
+
+# check if we can load some module
+### Upgrade this to not have to load the module if possible
+sub can_use {
+ my ($self, $mod, $ver) = @_;
+ $mod =~ s{::|\\}{/}g;
+ $mod .= '.pm' unless $mod =~ /\.pm$/i;
+
+ my $pkg = $mod;
+ $pkg =~ s{/}{::}g;
+ $pkg =~ s{\.pm$}{}i;
+
+ local $@;
+ eval { require $mod; $pkg->VERSION($ver || 0); 1 };
+}
+
+# check if we can run some command
+sub can_run {
+ my ($self, $cmd) = @_;
+
+ my $_cmd = $cmd;
+ return $_cmd if (-x $_cmd or $_cmd = MM->maybe_command($_cmd));
+
+ for my $dir ((split /$Config::Config{path_sep}/, $ENV{PATH}), '.') {
+ my $abs = File::Spec->catfile($dir, $_[1]);
+ return $abs if (-x $abs or $abs = MM->maybe_command($abs));
+ }
+
+ return;
+}
+
+# can we locate a (the) C compiler
+sub can_cc {
+ my $self = shift;
+ my @chunks = split(/ /, $Config::Config{cc}) or return;
+
+ # $Config{cc} may contain args; try to find out the program part
+ while (@chunks) {
+ return $self->can_run("@chunks") || (pop(@chunks), next);
+ }
+
+ return;
+}
+
+# Fix Cygwin bug on maybe_command();
+if ( $^O eq 'cygwin' ) {
+ require ExtUtils::MM_Cygwin;
+ require ExtUtils::MM_Win32;
+ if ( ! defined(&ExtUtils::MM_Cygwin::maybe_command) ) {
+ *ExtUtils::MM_Cygwin::maybe_command = sub {
+ my ($self, $file) = @_;
+ if ($file =~ m{^/cygdrive/}i and ExtUtils::MM_Win32->can('maybe_command')) {
+ ExtUtils::MM_Win32->maybe_command($file);
+ } else {
+ ExtUtils::MM_Unix->maybe_command($file);
+ }
+ }
+ }
+}
+
+1;
+
+__END__
+
+#line 157
--- /dev/null
+#line 1
+package Module::Install::Fetch;
+
+use strict;
+use Module::Install::Base;
+
+use vars qw{$VERSION $ISCORE @ISA};
+BEGIN {
+ $VERSION = '0.70';
+ $ISCORE = 1;
+ @ISA = qw{Module::Install::Base};
+}
+
+sub get_file {
+ my ($self, %args) = @_;
+ my ($scheme, $host, $path, $file) =
+ $args{url} =~ m|^(\w+)://([^/]+)(.+)/(.+)| or return;
+
+ if ( $scheme eq 'http' and ! eval { require LWP::Simple; 1 } ) {
+ $args{url} = $args{ftp_url}
+ or (warn("LWP support unavailable!\n"), return);
+ ($scheme, $host, $path, $file) =
+ $args{url} =~ m|^(\w+)://([^/]+)(.+)/(.+)| or return;
+ }
+
+ $|++;
+ print "Fetching '$file' from $host... ";
+
+ unless (eval { require Socket; Socket::inet_aton($host) }) {
+ warn "'$host' resolve failed!\n";
+ return;
+ }
+
+ return unless $scheme eq 'ftp' or $scheme eq 'http';
+
+ require Cwd;
+ my $dir = Cwd::getcwd();
+ chdir $args{local_dir} or return if exists $args{local_dir};
+
+ if (eval { require LWP::Simple; 1 }) {
+ LWP::Simple::mirror($args{url}, $file);
+ }
+ elsif (eval { require Net::FTP; 1 }) { eval {
+ # use Net::FTP to get past firewall
+ my $ftp = Net::FTP->new($host, Passive => 1, Timeout => 600);
+ $ftp->login("anonymous", 'anonymous@example.com');
+ $ftp->cwd($path);
+ $ftp->binary;
+ $ftp->get($file) or (warn("$!\n"), return);
+ $ftp->quit;
+ } }
+ elsif (my $ftp = $self->can_run('ftp')) { eval {
+ # no Net::FTP, fallback to ftp.exe
+ require FileHandle;
+ my $fh = FileHandle->new;
+
+ local $SIG{CHLD} = 'IGNORE';
+ unless ($fh->open("|$ftp -n")) {
+ warn "Couldn't open ftp: $!\n";
+ chdir $dir; return;
+ }
+
+ my @dialog = split(/\n/, <<"END_FTP");
+open $host
+user anonymous anonymous\@example.com
+cd $path
+binary
+get $file $file
+quit
+END_FTP
+ foreach (@dialog) { $fh->print("$_\n") }
+ $fh->close;
+ } }
+ else {
+ warn "No working 'ftp' program available!\n";
+ chdir $dir; return;
+ }
+
+ unless (-f $file) {
+ warn "Fetching failed: $@\n";
+ chdir $dir; return;
+ }
+
+ return if exists $args{size} and -s $file != $args{size};
+ system($args{run}) if exists $args{run};
+ unlink($file) if $args{remove};
+
+ print(((!exists $args{check_for} or -e $args{check_for})
+ ? "done!" : "failed! ($!)"), "\n");
+ chdir $dir; return !$?;
+}
+
+1;
--- /dev/null
+#line 1
+package Module::Install::Makefile;
+
+use strict 'vars';
+use Module::Install::Base;
+use ExtUtils::MakeMaker ();
+
+use vars qw{$VERSION $ISCORE @ISA};
+BEGIN {
+ $VERSION = '0.70';
+ $ISCORE = 1;
+ @ISA = qw{Module::Install::Base};
+}
+
+sub Makefile { $_[0] }
+
+my %seen = ();
+
+sub prompt {
+ shift;
+
+ # Infinite loop protection
+ my @c = caller();
+ if ( ++$seen{"$c[1]|$c[2]|$_[0]"} > 3 ) {
+ die "Caught an potential prompt infinite loop ($c[1]|$c[2]|$_[0])";
+ }
+
+ # In automated testing, always use defaults
+ if ( $ENV{AUTOMATED_TESTING} and ! $ENV{PERL_MM_USE_DEFAULT} ) {
+ local $ENV{PERL_MM_USE_DEFAULT} = 1;
+ goto &ExtUtils::MakeMaker::prompt;
+ } else {
+ goto &ExtUtils::MakeMaker::prompt;
+ }
+}
+
+sub makemaker_args {
+ my $self = shift;
+ my $args = ($self->{makemaker_args} ||= {});
+ %$args = ( %$args, @_ ) if @_;
+ $args;
+}
+
+# For mm args that take multiple space-seperated args,
+# append an argument to the current list.
+sub makemaker_append {
+ my $self = sShift;
+ my $name = shift;
+ my $args = $self->makemaker_args;
+ $args->{name} = defined $args->{$name}
+ ? join( ' ', $args->{name}, @_ )
+ : join( ' ', @_ );
+}
+
+sub build_subdirs {
+ my $self = shift;
+ my $subdirs = $self->makemaker_args->{DIR} ||= [];
+ for my $subdir (@_) {
+ push @$subdirs, $subdir;
+ }
+}
+
+sub clean_files {
+ my $self = shift;
+ my $clean = $self->makemaker_args->{clean} ||= {};
+ %$clean = (
+ %$clean,
+ FILES => join(' ', grep length, $clean->{FILES}, @_),
+ );
+}
+
+sub realclean_files {
+ my $self = shift;
+ my $realclean = $self->makemaker_args->{realclean} ||= {};
+ %$realclean = (
+ %$realclean,
+ FILES => join(' ', grep length, $realclean->{FILES}, @_),
+ );
+}
+
+sub libs {
+ my $self = shift;
+ my $libs = ref $_[0] ? shift : [ shift ];
+ $self->makemaker_args( LIBS => $libs );
+}
+
+sub inc {
+ my $self = shift;
+ $self->makemaker_args( INC => shift );
+}
+
+my %test_dir = ();
+
+sub _wanted_t {
+ /\.t$/ and -f $_ and $test_dir{$File::Find::dir} = 1;
+}
+
+sub tests_recursive {
+ my $self = shift;
+ if ( $self->tests ) {
+ die "tests_recursive will not work if tests are already defined";
+ }
+ my $dir = shift || 't';
+ unless ( -d $dir ) {
+ die "tests_recursive dir '$dir' does not exist";
+ }
+ %test_dir = ();
+ require File::Find;
+ File::Find::find( \&_wanted_t, $dir );
+ $self->tests( join ' ', map { "$_/*.t" } sort keys %test_dir );
+}
+
+sub write {
+ my $self = shift;
+ die "&Makefile->write() takes no arguments\n" if @_;
+
+ # Make sure we have a new enough
+ require ExtUtils::MakeMaker;
+ $self->configure_requires( 'ExtUtils::MakeMaker' => $ExtUtils::MakeMaker::VERSION );
+
+ # Generate the
+ my $args = $self->makemaker_args;
+ $args->{DISTNAME} = $self->name;
+ $args->{NAME} = $self->module_name || $self->name || $self->determine_NAME($args);
+ $args->{VERSION} = $self->version || $self->determine_VERSION($args);
+ $args->{NAME} =~ s/-/::/g;
+ if ( $self->tests ) {
+ $args->{test} = { TESTS => $self->tests };
+ }
+ if ($] >= 5.005) {
+ $args->{ABSTRACT} = $self->abstract;
+ $args->{AUTHOR} = $self->author;
+ }
+ if ( eval($ExtUtils::MakeMaker::VERSION) >= 6.10 ) {
+ $args->{NO_META} = 1;
+ }
+ if ( eval($ExtUtils::MakeMaker::VERSION) > 6.17 and $self->sign ) {
+ $args->{SIGN} = 1;
+ }
+ unless ( $self->is_admin ) {
+ delete $args->{SIGN};
+ }
+
+ # merge both kinds of requires into prereq_pm
+ my $prereq = ($args->{PREREQ_PM} ||= {});
+ %$prereq = ( %$prereq,
+ map { @$_ }
+ map { @$_ }
+ grep $_,
+ ($self->configure_requires, $self->build_requires, $self->requires)
+ );
+
+ # Remove any reference to perl, PREREQ_PM doesn't support it
+ delete $args->{PREREQ_PM}->{perl};
+
+ # merge both kinds of requires into prereq_pm
+ my $subdirs = ($args->{DIR} ||= []);
+ if ($self->bundles) {
+ foreach my $bundle (@{ $self->bundles }) {
+ my ($file, $dir) = @$bundle;
+ push @$subdirs, $dir if -d $dir;
+ delete $prereq->{$file};
+ }
+ }
+
+ if ( my $perl_version = $self->perl_version ) {
+ eval "use $perl_version; 1"
+ or die "ERROR: perl: Version $] is installed, "
+ . "but we need version >= $perl_version";
+ }
+
+ $args->{INSTALLDIRS} = $self->installdirs;
+
+ my %args = map { ( $_ => $args->{$_} ) } grep {defined($args->{$_})} keys %$args;
+
+ my $user_preop = delete $args{dist}->{PREOP};
+ if (my $preop = $self->admin->preop($user_preop)) {
+ $args{dist} = $preop;
+ }
+
+ my $mm = ExtUtils::MakeMaker::WriteMakefile(%args);
+ $self->fix_up_makefile($mm->{FIRST_MAKEFILE} || 'Makefile');
+}
+
+sub fix_up_makefile {
+ my $self = shift;
+ my $makefile_name = shift;
+ my $top_class = ref($self->_top) || '';
+ my $top_version = $self->_top->VERSION || '';
+
+ my $preamble = $self->preamble
+ ? "# Preamble by $top_class $top_version\n"
+ . $self->preamble
+ : '';
+ my $postamble = "# Postamble by $top_class $top_version\n"
+ . ($self->postamble || '');
+
+ local *MAKEFILE;
+ open MAKEFILE, "< $makefile_name" or die "fix_up_makefile: Couldn't open $makefile_name: $!";
+ my $makefile = do { local $/; <MAKEFILE> };
+ close MAKEFILE or die $!;
+
+ $makefile =~ s/\b(test_harness\(\$\(TEST_VERBOSE\), )/$1'inc', /;
+ $makefile =~ s/( -I\$\(INST_ARCHLIB\))/ -Iinc$1/g;
+ $makefile =~ s/( "-I\$\(INST_LIB\)")/ "-Iinc"$1/g;
+ $makefile =~ s/^(FULLPERL = .*)/$1 "-Iinc"/m;
+ $makefile =~ s/^(PERL = .*)/$1 "-Iinc"/m;
+
+ # Module::Install will never be used to build the Core Perl
+ # Sometimes PERL_LIB and PERL_ARCHLIB get written anyway, which breaks
+ # PREFIX/PERL5LIB, and thus, install_share. Blank them if they exist
+ $makefile =~ s/^PERL_LIB = .+/PERL_LIB =/m;
+ #$makefile =~ s/^PERL_ARCHLIB = .+/PERL_ARCHLIB =/m;
+
+ # Perl 5.005 mentions PERL_LIB explicitly, so we have to remove that as well.
+ $makefile =~ s/(\"?)-I\$\(PERL_LIB\)\1//g;
+
+ # XXX - This is currently unused; not sure if it breaks other MM-users
+ # $makefile =~ s/^pm_to_blib\s+:\s+/pm_to_blib :: /mg;
+
+ open MAKEFILE, "> $makefile_name" or die "fix_up_makefile: Couldn't open $makefile_name: $!";
+ print MAKEFILE "$preamble$makefile$postamble" or die $!;
+ close MAKEFILE or die $!;
+
+ 1;
+}
+
+sub preamble {
+ my ($self, $text) = @_;
+ $self->{preamble} = $text . $self->{preamble} if defined $text;
+ $self->{preamble};
+}
+
+sub postamble {
+ my ($self, $text) = @_;
+ $self->{postamble} ||= $self->admin->postamble;
+ $self->{postamble} .= $text if defined $text;
+ $self->{postamble}
+}
+
+1;
+
+__END__
+
+#line 371
--- /dev/null
+#line 1
+package Module::Install::Metadata;
+
+use strict 'vars';
+use Module::Install::Base;
+
+use vars qw{$VERSION $ISCORE @ISA};
+BEGIN {
+ $VERSION = '0.70';
+ $ISCORE = 1;
+ @ISA = qw{Module::Install::Base};
+}
+
+my @scalar_keys = qw{
+ name module_name abstract author version license
+ distribution_type perl_version tests installdirs
+};
+
+my @tuple_keys = qw{
+ configure_requires build_requires requires recommends bundles
+};
+
+sub Meta { shift }
+sub Meta_ScalarKeys { @scalar_keys }
+sub Meta_TupleKeys { @tuple_keys }
+
+foreach my $key (@scalar_keys) {
+ *$key = sub {
+ my $self = shift;
+ return $self->{values}{$key} if defined wantarray and !@_;
+ $self->{values}{$key} = shift;
+ return $self;
+ };
+}
+
+foreach my $key (@tuple_keys) {
+ *$key = sub {
+ my $self = shift;
+ return $self->{values}{$key} unless @_;
+
+ my @rv;
+ while (@_) {
+ my $module = shift or last;
+ my $version = shift || 0;
+ if ( $module eq 'perl' ) {
+ $version =~ s{^(\d+)\.(\d+)\.(\d+)}
+ {$1 + $2/1_000 + $3/1_000_000}e;
+ $self->perl_version($version);
+ next;
+ }
+ my $rv = [ $module, $version ];
+ push @rv, $rv;
+ }
+ push @{ $self->{values}{$key} }, @rv;
+ @rv;
+ };
+}
+
+# Aliases for build_requires that will have alternative
+# meanings in some future version of META.yml.
+sub test_requires { shift->build_requires(@_) }
+sub install_requires { shift->build_requires(@_) }
+
+# Aliases for installdirs options
+sub install_as_core { $_[0]->installdirs('perl') }
+sub install_as_cpan { $_[0]->installdirs('site') }
+sub install_as_site { $_[0]->installdirs('site') }
+sub install_as_vendor { $_[0]->installdirs('vendor') }
+
+sub sign {
+ my $self = shift;
+ return $self->{'values'}{'sign'} if defined wantarray and ! @_;
+ $self->{'values'}{'sign'} = ( @_ ? $_[0] : 1 );
+ return $self;
+}
+
+sub dynamic_config {
+ my $self = shift;
+ unless ( @_ ) {
+ warn "You MUST provide an explicit true/false value to dynamic_config, skipping\n";
+ return $self;
+ }
+ $self->{'values'}{'dynamic_config'} = $_[0] ? 1 : 0;
+ return $self;
+}
+
+sub all_from {
+ my ( $self, $file ) = @_;
+
+ unless ( defined($file) ) {
+ my $name = $self->name
+ or die "all_from called with no args without setting name() first";
+ $file = join('/', 'lib', split(/-/, $name)) . '.pm';
+ $file =~ s{.*/}{} unless -e $file;
+ die "all_from: cannot find $file from $name" unless -e $file;
+ }
+
+ $self->version_from($file) unless $self->version;
+ $self->perl_version_from($file) unless $self->perl_version;
+
+ # The remaining probes read from POD sections; if the file
+ # has an accompanying .pod, use that instead
+ my $pod = $file;
+ if ( $pod =~ s/\.pm$/.pod/i and -e $pod ) {
+ $file = $pod;
+ }
+
+ $self->author_from($file) unless $self->author;
+ $self->license_from($file) unless $self->license;
+ $self->abstract_from($file) unless $self->abstract;
+}
+
+sub provides {
+ my $self = shift;
+ my $provides = ( $self->{values}{provides} ||= {} );
+ %$provides = (%$provides, @_) if @_;
+ return $provides;
+}
+
+sub auto_provides {
+ my $self = shift;
+ return $self unless $self->is_admin;
+ unless (-e 'MANIFEST') {
+ warn "Cannot deduce auto_provides without a MANIFEST, skipping\n";
+ return $self;
+ }
+ # Avoid spurious warnings as we are not checking manifest here.
+ local $SIG{__WARN__} = sub {1};
+ require ExtUtils::Manifest;
+ local *ExtUtils::Manifest::manicheck = sub { return };
+
+ require Module::Build;
+ my $build = Module::Build->new(
+ dist_name => $self->name,
+ dist_version => $self->version,
+ license => $self->license,
+ );
+ $self->provides( %{ $build->find_dist_packages || {} } );
+}
+
+sub feature {
+ my $self = shift;
+ my $name = shift;
+ my $features = ( $self->{values}{features} ||= [] );
+ my $mods;
+
+ if ( @_ == 1 and ref( $_[0] ) ) {
+ # The user used ->feature like ->features by passing in the second
+ # argument as a reference. Accomodate for that.
+ $mods = $_[0];
+ } else {
+ $mods = \@_;
+ }
+
+ my $count = 0;
+ push @$features, (
+ $name => [
+ map {
+ ref($_) ? ( ref($_) eq 'HASH' ) ? %$_ : @$_ : $_
+ } @$mods
+ ]
+ );
+
+ return @$features;
+}
+
+sub features {
+ my $self = shift;
+ while ( my ( $name, $mods ) = splice( @_, 0, 2 ) ) {
+ $self->feature( $name, @$mods );
+ }
+ return $self->{values}->{features}
+ ? @{ $self->{values}->{features} }
+ : ();
+}
+
+sub no_index {
+ my $self = shift;
+ my $type = shift;
+ push @{ $self->{values}{no_index}{$type} }, @_ if $type;
+ return $self->{values}{no_index};
+}
+
+sub read {
+ my $self = shift;
+ $self->include_deps( 'YAML', 0 );
+
+ require YAML;
+ my $data = YAML::LoadFile('META.yml');
+
+ # Call methods explicitly in case user has already set some values.
+ while ( my ( $key, $value ) = each %$data ) {
+ next unless $self->can($key);
+ if ( ref $value eq 'HASH' ) {
+ while ( my ( $module, $version ) = each %$value ) {
+ $self->can($key)->($self, $module => $version );
+ }
+ } else {
+ $self->can($key)->($self, $value);
+ }
+ }
+ return $self;
+}
+
+sub write {
+ my $self = shift;
+ return $self unless $self->is_admin;
+ $self->admin->write_meta;
+ return $self;
+}
+
+sub version_from {
+ require ExtUtils::MM_Unix;
+ my ( $self, $file ) = @_;
+ $self->version( ExtUtils::MM_Unix->parse_version($file) );
+}
+
+sub abstract_from {
+ require ExtUtils::MM_Unix;
+ my ( $self, $file ) = @_;
+ $self->abstract(
+ bless(
+ { DISTNAME => $self->name },
+ 'ExtUtils::MM_Unix'
+ )->parse_abstract($file)
+ );
+}
+
+sub _slurp {
+ local *FH;
+ open FH, "< $_[1]" or die "Cannot open $_[1].pod: $!";
+ do { local $/; <FH> };
+}
+
+sub perl_version_from {
+ my ( $self, $file ) = @_;
+ if (
+ $self->_slurp($file) =~ m/
+ ^
+ use \s*
+ v?
+ ([\d_\.]+)
+ \s* ;
+ /ixms
+ ) {
+ my $v = $1;
+ $v =~ s{_}{}g;
+ $self->perl_version($1);
+ } else {
+ warn "Cannot determine perl version info from $file\n";
+ return;
+ }
+}
+
+sub author_from {
+ my ( $self, $file ) = @_;
+ my $content = $self->_slurp($file);
+ if ($content =~ m/
+ =head \d \s+ (?:authors?)\b \s*
+ ([^\n]*)
+ |
+ =head \d \s+ (?:licen[cs]e|licensing|copyright|legal)\b \s*
+ .*? copyright .*? \d\d\d[\d.]+ \s* (?:\bby\b)? \s*
+ ([^\n]*)
+ /ixms) {
+ my $author = $1 || $2;
+ $author =~ s{E<lt>}{<}g;
+ $author =~ s{E<gt>}{>}g;
+ $self->author($author);
+ } else {
+ warn "Cannot determine author info from $file\n";
+ }
+}
+
+sub license_from {
+ my ( $self, $file ) = @_;
+
+ if (
+ $self->_slurp($file) =~ m/
+ (
+ =head \d \s+
+ (?:licen[cs]e|licensing|copyright|legal)\b
+ .*?
+ )
+ (=head\\d.*|=cut.*|)
+ \z
+ /ixms ) {
+ my $license_text = $1;
+ my @phrases = (
+ 'under the same (?:terms|license) as perl itself' => 'perl', 1,
+ 'GNU public license' => 'gpl', 1,
+ 'GNU lesser public license' => 'lgpl', 1,
+ 'BSD license' => 'bsd', 1,
+ 'Artistic license' => 'artistic', 1,
+ 'GPL' => 'gpl', 1,
+ 'LGPL' => 'lgpl', 1,
+ 'BSD' => 'bsd', 1,
+ 'Artistic' => 'artistic', 1,
+ 'MIT' => 'mit', 1,
+ 'proprietary' => 'proprietary', 0,
+ );
+ while ( my ($pattern, $license, $osi) = splice(@phrases, 0, 3) ) {
+ $pattern =~ s{\s+}{\\s+}g;
+ if ( $license_text =~ /\b$pattern\b/i ) {
+ if ( $osi and $license_text =~ /All rights reserved/i ) {
+ warn "LEGAL WARNING: 'All rights reserved' may invalidate Open Source licenses. Consider removing it.";
+ }
+ $self->license($license);
+ return 1;
+ }
+ }
+ }
+
+ warn "Cannot determine license info from $file\n";
+ return 'unknown';
+}
+
+1;
--- /dev/null
+#line 1
+package Module::Install::RTx;
+
+use 5.008;
+use strict;
+use warnings;
+no warnings 'once';
+
+use Module::Install::Base;
+use base 'Module::Install::Base';
+our $VERSION = '0.24';
+
+use FindBin;
+use File::Glob ();
+use File::Basename ();
+
+my @DIRS = qw(etc lib html bin sbin po var);
+my @INDEX_DIRS = qw(lib bin sbin);
+
+sub RTx {
+ my ( $self, $name ) = @_;
+
+ my $original_name = $name;
+ my $RTx = 'RTx';
+ $RTx = $1 if $name =~ s/^(\w+)-//;
+ my $fname = $name;
+ $fname =~ s!-!/!g;
+
+ $self->name("$RTx-$name")
+ unless $self->name;
+ $self->all_from( -e "$name.pm" ? "$name.pm" : "lib/$RTx/$fname.pm" )
+ unless $self->version;
+ $self->abstract("RT $name Extension")
+ unless $self->abstract;
+
+ my @prefixes = (qw(/opt /usr/local /home /usr /sw ));
+ my $prefix = $ENV{PREFIX};
+ @ARGV = grep { /PREFIX=(.*)/ ? ( ( $prefix = $1 ), 0 ) : 1 } @ARGV;
+
+ if ($prefix) {
+ $RT::LocalPath = $prefix;
+ $INC{'RT.pm'} = "$RT::LocalPath/lib/RT.pm";
+ } else {
+ local @INC = (
+ @INC,
+ $ENV{RTHOME} ? ( $ENV{RTHOME}, "$ENV{RTHOME}/lib" ) : (),
+ map { ( "$_/rt3/lib", "$_/lib/rt3", "$_/lib" ) } grep $_,
+ @prefixes
+ );
+ until ( eval { require RT; $RT::LocalPath } ) {
+ warn
+ "Cannot find the location of RT.pm that defines \$RT::LocalPath in: @INC\n";
+ $_ = $self->prompt("Path to your RT.pm:") or exit;
+ push @INC, $_, "$_/rt3/lib", "$_/lib/rt3", "$_/lib";
+ }
+ }
+
+ my $lib_path = File::Basename::dirname( $INC{'RT.pm'} );
+ my $local_lib_path = "$RT::LocalPath/lib";
+ print "Using RT configuration from $INC{'RT.pm'}:\n";
+ unshift @INC, "$RT::LocalPath/lib" if $RT::LocalPath;
+
+ $RT::LocalVarPath ||= $RT::VarPath;
+ $RT::LocalPoPath ||= $RT::LocalLexiconPath;
+ $RT::LocalHtmlPath ||= $RT::MasonComponentRoot;
+ $RT::LocalLibPath ||= "$RT::LocalPath/lib";
+
+ my $with_subdirs = $ENV{WITH_SUBDIRS};
+ @ARGV = grep { /WITH_SUBDIRS=(.*)/ ? ( ( $with_subdirs = $1 ), 0 ) : 1 }
+ @ARGV;
+
+ my %subdirs;
+ %subdirs = map { $_ => 1 } split( /\s*,\s*/, $with_subdirs )
+ if defined $with_subdirs;
+ unless ( keys %subdirs ) {
+ $subdirs{$_} = 1 foreach grep -d "$FindBin::Bin/$_", @DIRS;
+ }
+
+ # If we're running on RT 3.8 with plugin support, we really wany
+ # to install libs, mason templates and po files into plugin specific
+ # directories
+ my %path;
+ if ( $RT::LocalPluginPath ) {
+ die "Because of bugs in RT 3.8.0 this extension can not be installed.\n"
+ ."Upgrade to RT 3.8.1 or newer.\n" if $RT::VERSION =~ /^3\.8\.0/;
+ $path{$_} = $RT::LocalPluginPath . "/$original_name/$_"
+ foreach @DIRS;
+ } else {
+ foreach ( @DIRS ) {
+ no strict 'refs';
+ my $varname = "RT::Local" . ucfirst($_) . "Path";
+ $path{$_} = ${$varname} || "$RT::LocalPath/$_";
+ }
+
+ $path{$_} .= "/$name" for grep $path{$_}, qw(etc po var);
+ }
+
+ my %index = map { $_ => 1 } @INDEX_DIRS;
+ $self->no_index( directory => $_ ) foreach grep !$index{$_}, @DIRS;
+
+ my $args = join ', ', map "q($_)", map { ($_, $path{$_}) }
+ grep $subdirs{$_}, keys %path;
+
+ print "./$_\t=> $path{$_}\n" for sort keys %subdirs;
+
+ if ( my @dirs = map { ( -D => $_ ) } grep $subdirs{$_}, qw(bin html sbin) ) {
+ my @po = map { ( -o => $_ ) }
+ grep -f,
+ File::Glob::bsd_glob("po/*.po");
+ $self->postamble(<< ".") if @po;
+lexicons ::
+\t\$(NOECHO) \$(PERL) -MLocale::Maketext::Extract::Run=xgettext -e \"xgettext(qw(@dirs @po))\"
+.
+ }
+
+ my $postamble = << ".";
+install ::
+\t\$(NOECHO) \$(PERL) -MExtUtils::Install -e \"install({$args})\"
+.
+
+ if ( $subdirs{var} and -d $RT::MasonDataDir ) {
+ my ( $uid, $gid ) = ( stat($RT::MasonDataDir) )[ 4, 5 ];
+ $postamble .= << ".";
+\t\$(NOECHO) chown -R $uid:$gid $path{var}
+.
+ }
+
+ my %has_etc;
+ if ( File::Glob::bsd_glob("$FindBin::Bin/etc/schema.*") ) {
+
+ # got schema, load factory module
+ $has_etc{schema}++;
+ $self->load('RTxFactory');
+ $self->postamble(<< ".");
+factory ::
+\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxFactory(qw($RTx $name))"
+
+dropdb ::
+\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxFactory(qw($RTx $name drop))"
+
+.
+ }
+ if ( File::Glob::bsd_glob("$FindBin::Bin/etc/acl.*") ) {
+ $has_etc{acl}++;
+ }
+ if ( -e 'etc/initialdata' ) { $has_etc{initialdata}++; }
+
+ $self->postamble("$postamble\n");
+ unless ( $subdirs{'lib'} ) {
+ $self->makemaker_args( PM => { "" => "" }, );
+ } else {
+ $self->makemaker_args( INSTALLSITELIB => $path{'lib'} );
+ $self->makemaker_args( INSTALLARCHLIB => $path{'lib'} );
+ }
+
+ $self->makemaker_args( INSTALLSITEMAN1DIR => "$RT::LocalPath/man/man1" );
+ $self->makemaker_args( INSTALLSITEMAN3DIR => "$RT::LocalPath/man/man3" );
+ $self->makemaker_args( INSTALLSITEARCH => "$RT::LocalPath/man" );
+
+ if (%has_etc) {
+ $self->load('RTxInitDB');
+ print "For first-time installation, type 'make initdb'.\n";
+ my $initdb = '';
+ $initdb .= <<"." if $has_etc{schema};
+\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxInitDB(qw(schema))"
+.
+ $initdb .= <<"." if $has_etc{acl};
+\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxInitDB(qw(acl))"
+.
+ $initdb .= <<"." if $has_etc{initialdata};
+\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxInitDB(qw(insert))"
+.
+ $self->postamble("initdb ::\n$initdb\n");
+ $self->postamble("initialize-database ::\n$initdb\n");
+ }
+}
+
+sub RTxInit {
+ unshift @INC, substr( delete( $INC{'RT.pm'} ), 0, -5 ) if $INC{'RT.pm'};
+ require RT;
+ RT::LoadConfig();
+ RT::ConnectToDatabase();
+
+ die "Cannot load RT" unless $RT::Handle and $RT::DatabaseType;
+}
+
+1;
+
+__END__
+
+#line 302
--- /dev/null
+#line 1
+package Module::Install::Win32;
+
+use strict;
+use Module::Install::Base;
+
+use vars qw{$VERSION @ISA $ISCORE};
+BEGIN {
+ $VERSION = '0.70';
+ @ISA = qw{Module::Install::Base};
+ $ISCORE = 1;
+}
+
+# determine if the user needs nmake, and download it if needed
+sub check_nmake {
+ my $self = shift;
+ $self->load('can_run');
+ $self->load('get_file');
+
+ require Config;
+ return unless (
+ $^O eq 'MSWin32' and
+ $Config::Config{make} and
+ $Config::Config{make} =~ /^nmake\b/i and
+ ! $self->can_run('nmake')
+ );
+
+ print "The required 'nmake' executable not found, fetching it...\n";
+
+ require File::Basename;
+ my $rv = $self->get_file(
+ url => 'http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe',
+ ftp_url => 'ftp://ftp.microsoft.com/Softlib/MSLFILES/Nmake15.exe',
+ local_dir => File::Basename::dirname($^X),
+ size => 51928,
+ run => 'Nmake15.exe /o > nul',
+ check_for => 'Nmake.exe',
+ remove => 1,
+ );
+
+ die <<'END_MESSAGE' unless $rv;
+
+-------------------------------------------------------------------------------
+
+Since you are using Microsoft Windows, you will need the 'nmake' utility
+before installation. It's available at:
+
+ http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe
+ or
+ ftp://ftp.microsoft.com/Softlib/MSLFILES/Nmake15.exe
+
+Please download the file manually, save it to a directory in %PATH% (e.g.
+C:\WINDOWS\COMMAND\), then launch the MS-DOS command line shell, "cd" to
+that directory, and run "Nmake15.exe" from there; that will create the
+'nmake.exe' file needed by this module.
+
+You may then resume the installation process described in README.
+
+-------------------------------------------------------------------------------
+END_MESSAGE
+
+}
+
+1;
--- /dev/null
+#line 1
+package Module::Install::WriteAll;
+
+use strict;
+use Module::Install::Base;
+
+use vars qw{$VERSION @ISA $ISCORE};
+BEGIN {
+ $VERSION = '0.70';
+ @ISA = qw{Module::Install::Base};
+ $ISCORE = 1;
+}
+
+sub WriteAll {
+ my $self = shift;
+ my %args = (
+ meta => 1,
+ sign => 0,
+ inline => 0,
+ check_nmake => 1,
+ @_,
+ );
+
+ $self->sign(1) if $args{sign};
+ $self->Meta->write if $args{meta};
+ $self->admin->WriteAll(%args) if $self->is_admin;
+
+ $self->check_nmake if $args{check_nmake};
+ unless ( $self->makemaker_args->{PL_FILES} ) {
+ $self->makemaker_args( PL_FILES => {} );
+ }
+
+ if ( $args{inline} ) {
+ $self->Inline->write;
+ } else {
+ $self->Makefile->write;
+ }
+}
+
+1;
--- /dev/null
+package RT::Authen::ExternalAuth;
+
+our $VERSION = '0.08';
+
+=head1 NAME
+
+ RT::Authen::ExternalAuth - RT Authentication using External Sources
+
+=head1 DESCRIPTION
+
+ A complete package for adding external authentication mechanisms
+ to RT. It currently supports LDAP via Net::LDAP and External Database
+ authentication for any database with an installed DBI driver.
+
+ It also allows for authenticating cookie information against an
+ external database through the use of the RT-Authen-CookieAuth extension.
+
+=begin testing
+
+ok(require RT::Authen::ExternalAuth);
+
+=end testing
+
+=cut
+
+use RT::Authen::ExternalAuth::LDAP;
+use RT::Authen::ExternalAuth::DBI;
+
+use strict;
+
+sub DoAuth {
+ my ($session,$given_user,$given_pass) = @_;
+
+ unless(defined($RT::ExternalAuthPriority)) {
+ return (0, "ExternalAuthPriority not defined, please check your configuration file.");
+ }
+
+ my $no_info_check = 0;
+ unless(defined($RT::ExternalInfoPriority)) {
+ $RT::Logger->debug("ExternalInfoPriority not defined. User information (including user enabled/disabled cannot be externally-sourced");
+ $no_info_check = 1;
+ }
+
+ # This may be used by single sign-on (SSO) authentication mechanisms for bypassing a password check.
+ my $pass_bypass = 0;
+ my $success = 0;
+
+ # Should have checked if user is already logged in before calling this function,
+ # but just in case, we'll check too.
+ return (0, "User already logged in!") if ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id);
+ # We don't have a logged in user. Let's try all our available methods in order.
+ # last if success, next if not.
+
+ # Get the prioritised list of external authentication services
+ my @auth_services = @$RT::ExternalAuthPriority;
+
+ # For each of those services..
+ foreach my $service (@auth_services) {
+
+ $pass_bypass = 0;
+
+ # Get the full configuration for that service as a hashref
+ my $config = $RT::ExternalSettings->{$service};
+ $RT::Logger->debug( "Attempting to use external auth service:",
+ $service);
+
+ # $username will be the final username we decide to check
+ # This will not necessarily be $given_user
+ my $username = undef;
+
+ #############################################################
+ ####################### SSO Check ###########################
+ #############################################################
+ if ($config->{'type'} eq 'cookie') {
+ # Currently, Cookie authentication is our only SSO method
+ $username = RT::Authen::ExternalAuth::DBI::GetCookieAuth($config);
+ }
+ #############################################################
+
+ # If $username is defined, we have a good SSO $username and can
+ # safely bypass the password checking later on; primarily because
+ # it's VERY unlikely we even have a password to check if an SSO succeeded.
+ $pass_bypass = 0;
+ if(defined($username)) {
+ $RT::Logger->debug("Pass not going to be checked, attempting SSO");
+ $pass_bypass = 1;
+ } else {
+
+ # SSO failed and no $user was passed for a login attempt
+ # We only don't return here because the next iteration could be an SSO attempt
+ unless(defined($given_user)) {
+ $RT::Logger->debug("SSO Failed and no user to test with. Nexting");
+ next;
+ }
+
+ # We don't have an SSO login, so we will be using the credentials given
+ # on RT's login page to do our authentication.
+ $username = $given_user;
+
+ # Don't continue unless the service works.
+ # next unless RT::Authen::ExternalAuth::TestConnection($config);
+
+ # Don't continue unless the $username exists in the external service
+
+ $RT::Logger->debug("Calling UserExists with \$username ($username) and \$service ($service)");
+ next unless RT::Authen::ExternalAuth::UserExists($username, $service);
+ }
+
+ ####################################################################
+ ########## Load / Auto-Create ######################################
+ ####################################################################
+ # We are now sure that we're talking about a valid RT user.
+ # If the user already exists, load up their info. If they don't
+ # then we need to create the user in RT.
+
+ # Does user already exist internally to RT?
+ $session->{'CurrentUser'} = RT::CurrentUser->new();
+ $session->{'CurrentUser'}->Load($username);
+
+ # Unless we have loaded a valid user with a UserID create one.
+ unless ($session->{'CurrentUser'}->Id) {
+ my $UserObj = RT::User->new($RT::SystemUser);
+ my ($val, $msg) =
+ $UserObj->Create(%{ref($RT::AutoCreate) ? $RT::AutoCreate : {}},
+ Name => $username,
+ Gecos => $username,
+ );
+ unless ($val) {
+ $RT::Logger->error( "Couldn't create user $username: $msg" );
+ next;
+ }
+ $RT::Logger->info( "Autocreated external user",
+ $UserObj->Name,
+ "(",
+ $UserObj->Id,
+ ")");
+
+ $RT::Logger->debug("Loading new user (",
+ $username,
+ ") into current session");
+ $session->{'CurrentUser'}->Load($username);
+ }
+
+ ####################################################################
+ ########## Authentication ##########################################
+ ####################################################################
+ # If we successfully used an SSO service, then authentication
+ # succeeded. If we didn't then, success is determined by a password
+ # test.
+ $success = 0;
+ if($pass_bypass) {
+ $RT::Logger->debug("Password check bypassed due to SSO method being in use");
+ $success = 1;
+ } else {
+ $RT::Logger->debug("Password validation required for service - Executing...");
+ $success = RT::Authen::ExternalAuth::GetAuth($service,$username,$given_pass);
+ }
+
+ $RT::Logger->debug("Password Validation Check Result: ",$success);
+
+ # If the password check succeeded then this is our authoritative service
+ # and we proceed to user information update and login.
+ last if $success;
+ }
+
+ # If we got here and don't have a user loaded we must have failed to
+ # get a full, valid user from an authoritative external source.
+ unless ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
+ delete $session->{'CurrentUser'};
+ return (0, "No User");
+ }
+
+ unless($success) {
+ delete $session->{'CurrentUser'};
+ return (0, "Password Invalid");
+ }
+
+ # Otherwise we succeeded.
+ $RT::Logger->debug("Authentication successful. Now updating user information and attempting login.");
+
+ ####################################################################################################
+ ############################### The following is auth-method agnostic ##############################
+ ####################################################################################################
+
+ # If we STILL have a completely valid RT user to play with...
+ # and therefore password has been validated...
+ if ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
+
+ # Even if we have JUST created the user in RT, we are going to
+ # reload their information from an external source. This allows us
+ # to be sure that the user the cookie gave us really does exist in
+ # the database, but more importantly, UpdateFromExternal will check
+ # whether the user is disabled or not which we have not been able to
+ # do during auto-create
+
+ # These are not currently used, but may be used in the future.
+ my $info_updated = 0;
+ my $info_updated_msg = "User info not updated";
+
+ unless($no_info_check) {
+ # Note that UpdateUserInfo does not care how we authenticated the user
+ # It will look up user info from whatever is specified in $RT::ExternalInfoPriority
+ ($info_updated,$info_updated_msg) = RT::Authen::ExternalAuth::UpdateUserInfo($session->{'CurrentUser'}->Name);
+ }
+
+ # Now that we definitely have up-to-date user information,
+ # if the user is disabled, kick them out. Now!
+ if ($session->{'CurrentUser'}->UserObj->Disabled) {
+ delete $session->{'CurrentUser'};
+ return (0, "User account disabled, login denied");
+ }
+ }
+
+ # If we **STILL** have a full user and the session hasn't already been deleted
+ # This If/Else is logically unnecessary, but it doesn't hurt to leave it here
+ # just in case. Especially to be a double-check to future modifications.
+ if ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
+
+ $RT::Logger->info( "Successful login for",
+ $session->{'CurrentUser'}->Name,
+ "from",
+ $ENV{'REMOTE_ADDR'});
+ # Do not delete the session. User stays logged in and
+ # autohandler will not check the password again
+ } else {
+ # Make SURE the session is deleted.
+ delete $session->{'CurrentUser'};
+ return (0, "Failed to authenticate externally");
+ # This will cause autohandler to request IsPassword
+ # which will in turn call IsExternalPassword
+ }
+
+ return (1, "Successful login");
+}
+
+sub UpdateUserInfo {
+ my $username = shift;
+
+ # Prepare for the worst...
+ my $found = 0;
+ my $updated = 0;
+ my $msg = "User NOT updated";
+
+ my $user_disabled = RT::Authen::ExternalAuth::UserDisabled($username);
+
+ my $UserObj = RT::User->new($RT::SystemUser);
+ $UserObj->Load($username);
+
+ # If user is disabled, set the RT::Principle to disabled and return out of the function.
+ # I think it's a waste of time and energy to update a user's information if they are disabled
+ # and it could be a security risk if they've updated their external information with some
+ # carefully concocted code to try to break RT - worst case scenario, but they have been
+ # denied access after all, don't take any chances.
+
+ # If someone gives me a good enough reason to do it,
+ # then I'll update all the info for disabled users
+
+ if ($user_disabled) {
+ # Make sure principle is disabled in RT
+ my ($val, $message) = $UserObj->SetDisabled(1);
+ # Log what has happened
+ $RT::Logger->info("User marked as DISABLED (",
+ $username,
+ ") per External Service",
+ "($val, $message)\n");
+ $msg = "User Disabled";
+
+ return ($updated, $msg);
+ }
+
+ # Make sure principle is not disabled in RT
+ my ($val, $message) = $UserObj->SetDisabled(0);
+ # Log what has happened
+ $RT::Logger->info("User marked as ENABLED (",
+ $username,
+ ") per External Service",
+ "($val, $message)\n");
+
+ # Update their info from external service using the username as the lookup key
+ # CanonicalizeUserInfo will work out for itself which service to use
+ # Passing it a service instead could break other RT code
+ my %args = (Name => $username);
+ $UserObj->CanonicalizeUserInfo(\%args);
+
+ # For each piece of information returned by CanonicalizeUserInfo,
+ # run the Set method for that piece of info to change it for the user
+ foreach my $key (sort(keys(%args))) {
+ next unless $args{$key};
+ my $method = "Set$key";
+ # We do this on the UserObj from above, not self so that there
+ # are no permission restrictions on setting information
+ my ($method_success,$method_msg) = $UserObj->$method($args{$key});
+
+ # If your user information is not getting updated,
+ # uncomment the following logging statements
+ if ($method_success) {
+ # At DEBUG level, log that method succeeded
+ # $RT::Logger->debug((caller(0))[3],"$method Succeeded. $method_msg");
+ } else {
+ # At DEBUG level, log that method failed
+ # $RT::Logger->debug((caller(0))[3],"$method Failed. $method_msg");
+ }
+ }
+
+ # Confirm update success
+ $updated = 1;
+ $RT::Logger->debug( "UPDATED user (",
+ $username,
+ ") from External Service\n");
+ $msg = 'User updated';
+
+ return ($updated, $msg);
+}
+
+sub GetAuth {
+
+ # Request a username/password check from the specified service
+ # This is only valid for non-SSO services.
+
+ my ($service,$username,$password) = @_;
+
+ my $success = 0;
+
+ # Get the full configuration for that service as a hashref
+ my $config = $RT::ExternalSettings->{$service};
+
+ # And then act accordingly depending on what type of service it is.
+ # Right now, there is only code for DBI and LDAP non-SSO services
+ if ($config->{'type'} eq 'db') {
+ $success = RT::Authen::ExternalAuth::DBI::GetAuth($service,$username,$password);
+ $RT::Logger->debug("DBI password validation result:",$success);
+ } elsif ($config->{'type'} eq 'ldap') {
+ $success = RT::Authen::ExternalAuth::LDAP::GetAuth($service,$username,$password);
+ $RT::Logger->debug("LDAP password validation result:",$success);
+ } else {
+ $RT::Logger->error("Invalid service type for GetAuth:",$service);
+ }
+
+ return $success;
+}
+
+sub UserExists {
+
+ # Request a username/password check from the specified service
+ # This is only valid for non-SSO services.
+
+ my ($username,$service) = @_;
+
+ my $success = 0;
+
+ # Get the full configuration for that service as a hashref
+ my $config = $RT::ExternalSettings->{$service};
+
+ # And then act accordingly depending on what type of service it is.
+ # Right now, there is only code for DBI and LDAP non-SSO services
+ if ($config->{'type'} eq 'db') {
+ $success = RT::Authen::ExternalAuth::DBI::UserExists($username,$service);
+ } elsif ($config->{'type'} eq 'ldap') {
+ $success = RT::Authen::ExternalAuth::LDAP::UserExists($username,$service);
+ } else {
+ $RT::Logger->debug("Invalid service type for UserExists:",$service);
+ }
+
+ return $success;
+}
+
+sub UserDisabled {
+
+ my $username = shift;
+ my $user_disabled = 0;
+
+ my @info_services = $RT::ExternalInfoPriority ? @{$RT::ExternalInfoPriority} : undef;
+
+ # For each named service in the list
+ # Check to see if the user is found in the external service
+ # If not found, jump to next service
+ # If found, check to see if user is considered disabled by the service
+ # Then update the user's info in RT and return
+ foreach my $service (@info_services) {
+
+ # Get the external config for this service as a hashref
+ my $config = $RT::ExternalSettings->{$service};
+
+ # If the config doesn't exist, don't bother doing anything, skip to next in list.
+ unless(defined($config)) {
+ $RT::Logger->debug("You haven't defined a configuration for the service named \"",
+ $service,
+ "\" so I'm not going to try to get user information from it. Skipping...");
+ next;
+ }
+
+ # If it's a DBI config:
+ if ($config->{'type'} eq 'db') {
+
+ unless(RT::Authen::ExternalAuth::DBI::UserExists($username,$service)) {
+ $RT::Logger->debug("User (",
+ $username,
+ ") doesn't exist in service (",
+ $service,
+ ") - Cannot update information - Skipping...");
+ next;
+ }
+ $user_disabled = RT::Authen::ExternalAuth::DBI::UserDisabled($username,$service);
+
+ } elsif ($config->{'type'} eq 'ldap') {
+
+ unless(RT::Authen::ExternalAuth::LDAP::UserExists($username,$service)) {
+ $RT::Logger->debug("User (",
+ $username,
+ ") doesn't exist in service (",
+ $service,
+ ") - Cannot update information - Skipping...");
+ next;
+ }
+ $user_disabled = RT::Authen::ExternalAuth::LDAP::UserDisabled($username,$service);
+
+ } elsif ($config->{'type'} eq 'cookie') {
+ RT::Logger->error("You cannot use SSO Cookies as an information service.");
+ next;
+ } else {
+ # The type of external service doesn't currently have any methods associated with it. Or it's a typo.
+ RT::Logger->error("Invalid type specification for config %config->{'name'}");
+ # Drop out to next service in list
+ next;
+ }
+
+ }
+ return $user_disabled;
+}
+
+sub CanonicalizeUserInfo {
+
+ # Careful, this $args hashref was given to RT::User::CanonicalizeUserInfo and
+ # then transparently passed on to this function. The whole purpose is to update
+ # the original hash as whatever passed it to RT::User is expecting to continue its
+ # code with an update args hash.
+
+ my $UserObj = shift;
+ my $args = shift;
+
+ my $found = 0;
+ my %params = (Name => undef,
+ EmailAddress => undef,
+ RealName => undef);
+
+ $RT::Logger->debug( (caller(0))[3],
+ "called by",
+ caller,
+ "with:",
+ join(", ", map {sprintf("%s: %s", $_, $args->{$_})}
+ sort(keys(%$args))));
+
+ # Get the list of defined external services
+ my @info_services = $RT::ExternalInfoPriority ? @{$RT::ExternalInfoPriority} : undef;
+ # For each external service...
+ foreach my $service (@info_services) {
+
+ $RT::Logger->debug( "Attempting to get user info using this external service:",
+ $service);
+
+ # Get the config for the service so that we know what attrs we can canonicalize
+ my $config = $RT::ExternalSettings->{$service};
+
+ if($config->{'type'} eq 'cookie'){
+ $RT::Logger->debug("You cannot use SSO cookies as an information service!");
+ next;
+ }
+
+ # For each attr we've been told to canonicalize in the match list
+ foreach my $rt_attr (@{$config->{'attr_match_list'}}) {
+ # Jump to the next attr in $args if this one isn't in the attr_match_list
+ $RT::Logger->debug( "Attempting to use this canonicalization key:",$rt_attr);
+ unless(defined($args->{$rt_attr})) {
+ $RT::Logger->debug("This attribute (",
+ $rt_attr,
+ ") is null or incorrectly defined in the attr_map for this service (",
+ $service,
+ ")");
+ next;
+ }
+
+ # Else, use it as a canonicalization key and lookup the user info
+ my $key = $config->{'attr_map'}->{$rt_attr};
+ my $value = $args->{$rt_attr};
+
+ # Check to see that the key being asked for is defined in the config's attr_map
+ my $valid = 0;
+ my ($attr_key, $attr_value);
+ my $attr_map = $config->{'attr_map'};
+ while (($attr_key, $attr_value) = each %$attr_map) {
+ $valid = 1 if ($key eq $attr_value);
+ }
+ unless ($valid){
+ $RT::Logger->debug( "This key (",
+ $key,
+ "is not a valid attribute key (",
+ $service,
+ ")");
+ next;
+ }
+
+ # Use an if/elsif structure to do a lookup with any custom code needed
+ # for any given type of external service, or die if no code exists for
+ # the service requested.
+
+ if($config->{'type'} eq 'ldap'){
+ ($found, %params) = RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo($service,$key,$value);
+ } elsif ($config->{'type'} eq 'db') {
+ ($found, %params) = RT::Authen::ExternalAuth::DBI::CanonicalizeUserInfo($service,$key,$value);
+ } else {
+ $RT::Logger->debug( (caller(0))[3],
+ "does not consider",
+ $service,
+ "a valid information service");
+ }
+
+ # Don't Check any more attributes
+ last if $found;
+ }
+ # Don't Check any more services
+ last if $found;
+ }
+
+ # If found, Canonicalize Email Address and
+ # update the args hash that we were given the hashref for
+ if ($found) {
+ # It's important that we always have a canonical email address
+ if ($params{'EmailAddress'}) {
+ $params{'EmailAddress'} = $UserObj->CanonicalizeEmailAddress($params{'EmailAddress'});
+ }
+ %$args = (%$args, %params);
+ }
+
+ $RT::Logger->info( (caller(0))[3],
+ "returning",
+ join(", ", map {sprintf("%s: %s", $_, $args->{$_})}
+ sort(keys(%$args))));
+
+ ### HACK: The config var below is to overcome the (IMO) bug in
+ ### RT::User::Create() which expects this function to always
+ ### return true or rejects the user for creation. This should be
+ ### a different config var (CreateUncanonicalizedUsers) and
+ ### should be honored in RT::User::Create()
+ return($found || $RT::AutoCreateNonExternalUsers);
+
+}
+
+1;
--- /dev/null
+package RT::Authen::ExternalAuth::DBI;\r
+\r
+use DBI;\r
+use RT::Authen::ExternalAuth::DBI::Cookie;\r
+\r
+use strict;\r
+\r
+sub GetAuth {\r
+\r
+ my ($service, $username, $password) = @_;\r
+ \r
+ my $config = $RT::ExternalSettings->{$service};\r
+ $RT::Logger->debug( "Trying external auth service:",$service);\r
+\r
+ my $db_table = $config->{'table'};\r
+ my $db_u_field = $config->{'u_field'};\r
+ my $db_p_field = $config->{'p_field'};\r
+ my $db_p_enc_pkg = $config->{'p_enc_pkg'};\r
+ my $db_p_enc_sub = $config->{'p_enc_sub'};\r
+ my $db_p_salt = $config->{'p_salt'};\r
+\r
+ # Set SQL query and bind parameters\r
+ my $query = "SELECT $db_u_field,$db_p_field FROM $db_table WHERE $db_u_field=?";\r
+ my @params = ($username);\r
+ \r
+ # Uncomment this to trace basic DBI information and drop it in a log for debugging\r
+ # DBI->trace(1,'/tmp/dbi.log');\r
+\r
+ # Get DBI handle object (DBH), do SQL query, kill DBH\r
+ my $dbh = _GetBoundDBIObj($config);\r
+ return 0 unless $dbh;\r
+ \r
+ my $results_hashref = $dbh->selectall_hashref($query,$db_u_field,{},@params);\r
+ $dbh->disconnect();\r
+\r
+ my $num_users_returned = scalar keys %$results_hashref;\r
+ if($num_users_returned != 1) { # FAIL\r
+ # FAIL because more than one user returned. Users MUST be unique! \r
+ if ((scalar keys %$results_hashref) > 1) {\r
+ $RT::Logger->info( $service,\r
+ "AUTH FAILED",\r
+ $username,\r
+ "More than one user with that username!");\r
+ }\r
+\r
+ # FAIL because no users returned. Users MUST exist! \r
+ if ((scalar keys %$results_hashref) < 1) {\r
+ $RT::Logger->info( $service,\r
+ "AUTH FAILED",\r
+ $username,\r
+ "User not found in database!");\r
+ }\r
+\r
+ # Drop out to next external authentication service\r
+ return 0;\r
+ }\r
+ \r
+ # Get the user's password from the database query result\r
+ my $pass_from_db = $results_hashref->{$username}->{$db_p_field}; \r
+\r
+ # This is the encryption package & subroutine passed in by the config file\r
+ $RT::Logger->debug( "Encryption Package:",\r
+ $db_p_enc_pkg);\r
+ $RT::Logger->debug( "Encryption Subroutine:",\r
+ $db_p_enc_sub);\r
+\r
+ # Use config info to auto-load the perl package needed for password encryption\r
+ # I know it uses a string eval - but I don't think there's a better way to do this\r
+ # Jump to next external authentication service on failure\r
+ eval "require $db_p_enc_pkg" or \r
+ $RT::Logger->error("AUTH FAILED, Couldn't Load Password Encryption Package. Error: $@") && return 0;\r
+ \r
+ my $encrypt = $db_p_enc_pkg->can($db_p_enc_sub);\r
+ if (defined($encrypt)) {\r
+ # If the package given can perform the subroutine given, then use it to compare the\r
+ # password given with the password pulled from the database.\r
+ # Jump to the next external authentication service if they don't match\r
+ if(defined($db_p_salt)) {\r
+ $RT::Logger->debug("Using salt:",$db_p_salt);\r
+ if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){\r
+ $RT::Logger->info( $service,\r
+ "AUTH FAILED", \r
+ $username, \r
+ "Password Incorrect");\r
+ return 0;\r
+ }\r
+ } else {\r
+ if(${encrypt}->($password) ne $pass_from_db){\r
+ $RT::Logger->info( $service,\r
+ "AUTH FAILED", \r
+ $username, \r
+ "Password Incorrect");\r
+ return 0;\r
+ }\r
+ }\r
+ } else {\r
+ # If the encryption package can't perform the request subroutine,\r
+ # dump an error and jump to the next external authentication service.\r
+ $RT::Logger->error($service,\r
+ "AUTH FAILED",\r
+ "The encryption package you gave me (",\r
+ $db_p_enc_pkg,\r
+ ") does not support the encryption method you specified (",\r
+ $db_p_enc_sub,\r
+ ")");\r
+ return 0;\r
+ }\r
+ \r
+ # Any other checks you want to add? Add them here.\r
+\r
+ # If we've survived to this point, we're good.\r
+ $RT::Logger->info( (caller(0))[3], \r
+ "External Auth OK (",\r
+ $service,\r
+ "):", \r
+ $username);\r
+ \r
+ return 1; \r
+}\r
+\r
+sub CanonicalizeUserInfo {\r
+ \r
+ my ($service, $key, $value) = @_;\r
+\r
+ my $found = 0;\r
+ my %params = (Name => undef,\r
+ EmailAddress => undef,\r
+ RealName => undef);\r
+ \r
+ # Load the config\r
+ my $config = $RT::ExternalSettings->{$service};\r
+ \r
+ # Figure out what's what\r
+ my $table = $config->{'table'};\r
+\r
+ unless ($table) {\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ "No table given");\r
+ # Drop out to the next external information service\r
+ return ($found, %params);\r
+ }\r
+\r
+ unless ($key && $value){\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ " Nothing to look-up given");\r
+ # Drop out to the next external information service\r
+ return ($found, %params);\r
+ }\r
+ \r
+ # "where" refers to WHERE section of SQL query\r
+ my ($where_key,$where_value) = ("@{[ $key ]}",$value);\r
+\r
+ # Get the list of unique attrs we need\r
+ my %db_attrs = map {$_ => 1} values(%{$config->{'attr_map'}});\r
+ my @attrs = keys(%db_attrs);\r
+ my $fields = join(',',@attrs);\r
+ my $query = "SELECT $fields FROM $table WHERE $where_key=?";\r
+ my @bind_params = ($where_value);\r
+\r
+ # Uncomment this to trace basic DBI throughput in a log\r
+ # DBI->trace(1,'/tmp/dbi.log');\r
+ my $dbh = _GetBoundDBIObj($config);\r
+ my $results_hashref = $dbh->selectall_hashref($query,$key,{},@bind_params);\r
+ $dbh->disconnect();\r
+\r
+ if ((scalar keys %$results_hashref) != 1) {\r
+ # If returned users <> 1, we have no single unique user, so prepare to die\r
+ my $death_msg;\r
+ \r
+ if ((scalar keys %$results_hashref) == 0) {\r
+ # If no user...\r
+ $death_msg = "No User Found in External Database!";\r
+ } else {\r
+ # If more than one user...\r
+ $death_msg = "More than one user found in External Database with that unique identifier!";\r
+ }\r
+\r
+ # Log the death\r
+ $RT::Logger->info( (caller(0))[3],\r
+ "INFO CHECK FAILED",\r
+ "Key: $key",\r
+ "Value: $value",\r
+ $death_msg);\r
+ \r
+ # $found remains as 0\r
+ \r
+ # Drop out to next external information service\r
+ return ($found, %params);\r
+ }\r
+\r
+ # We haven't dropped out, so DB search must have succeeded with \r
+ # exactly 1 result. Get the result and set $found to 1\r
+ my $result = $results_hashref->{$value};\r
+ \r
+ # Use the result to populate %params for every key we're given in the config\r
+ foreach my $key (keys(%{$config->{'attr_map'}})) {\r
+ $params{$key} = ($result->{$config->{'attr_map'}->{$key}})[0];\r
+ }\r
+ \r
+ $found = 1;\r
+ \r
+ return ($found, %params);\r
+}\r
+\r
+sub UserExists {\r
+ \r
+ my ($username,$service) = @_;\r
+ my $config = $RT::ExternalSettings->{$service};\r
+ my $table = $config->{'table'};\r
+ my $u_field = $config->{'u_field'};\r
+ my $query = "SELECT $u_field FROM $table WHERE $u_field=?";\r
+ my @bind_params = ($username);\r
+\r
+ # Uncomment this to do a basic trace on DBI information and log it\r
+ # DBI->trace(1,'/tmp/dbi.log');\r
+ \r
+ # Get DBI Object, do the query, disconnect\r
+ my $dbh = _GetBoundDBIObj($config);\r
+ my $results_hashref = $dbh->selectall_hashref($query,$u_field,{},@bind_params);\r
+ $dbh->disconnect();\r
+\r
+ my $num_of_results = scalar keys %$results_hashref;\r
+ \r
+ if ($num_of_results > 1) { \r
+ # If more than one result returned, die because we the username field should be unique!\r
+ $RT::Logger->debug( "Disable Check Failed :: (",\r
+ $service,\r
+ ")",\r
+ $username,\r
+ "More than one user with that username!");\r
+ return 0;\r
+ } elsif ($num_of_results < 1) { \r
+ # If 0 or negative integer, no user found or major failure\r
+ $RT::Logger->debug( "Disable Check Failed :: (",\r
+ $service,\r
+ ")",\r
+ $username,\r
+ "User not found"); \r
+ return 0; \r
+ }\r
+ \r
+ # Number of results is exactly one, so we found the user we were looking for\r
+ return 1; \r
+}\r
+\r
+sub UserDisabled {\r
+\r
+ my ($username,$service) = @_;\r
+ \r
+ # FIRST, check that the user exists in the DBI service\r
+ unless(UserExists($username,$service)) {\r
+ $RT::Logger->debug("User (",$username,") doesn't exist! - Assuming not disabled for the purposes of disable checking");\r
+ return 0;\r
+ }\r
+ \r
+ # Get the necessary config info\r
+ my $config = $RT::ExternalSettings->{$service};\r
+ my $table = $config->{'table'};\r
+ my $u_field = $config->{'u_field'};\r
+ my $disable_field = $config->{'d_field'};\r
+ my $disable_values_list = $config->{'d_values'};\r
+\r
+ unless ($disable_field) {\r
+ # If we don't know how to check for disabled users, consider them all enabled.\r
+ $RT::Logger->debug("No d_field specified for this DBI service (",\r
+ $service,\r
+ "), so considering all users enabled");\r
+ return 0;\r
+ } \r
+ \r
+ my $query = "SELECT $u_field,$disable_field FROM $table WHERE $u_field=?";\r
+ my @bind_params = ($username);\r
+\r
+ # Uncomment this to do a basic trace on DBI information and log it\r
+ # DBI->trace(1,'/tmp/dbi.log');\r
+ \r
+ # Get DBI Object, do the query, disconnect\r
+ my $dbh = _GetBoundDBIObj($config);\r
+ my $results_hashref = $dbh->selectall_hashref($query,$u_field,{},@bind_params);\r
+ $dbh->disconnect();\r
+\r
+ my $num_of_results = scalar keys %$results_hashref;\r
+ \r
+ if ($num_of_results > 1) { \r
+ # If more than one result returned, die because we the username field should be unique!\r
+ $RT::Logger->debug( "Disable Check Failed :: (",\r
+ $service,\r
+ ")",\r
+ $username,\r
+ "More than one user with that username! - Assuming not disabled");\r
+ # Drop out to next service for an info check\r
+ return 0;\r
+ } elsif ($num_of_results < 1) { \r
+ # If 0 or negative integer, no user found or major failure\r
+ $RT::Logger->debug( "Disable Check Failed :: (",\r
+ $service,\r
+ ")",\r
+ $username,\r
+ "User not found - Assuming not disabled"); \r
+ # Drop out to next service for an info check\r
+ return 0; \r
+ } else { \r
+ # otherwise all should be well\r
+ \r
+ # $user_db_disable_value = The value for "disabled" returned from the DB\r
+ my $user_db_disable_value = $results_hashref->{$username}->{$disable_field};\r
+ \r
+ # For each of the values in the (list of values that we consider to mean the user is disabled)..\r
+ foreach my $disable_value (@{$disable_values_list}){\r
+ $RT::Logger->debug( "DB Disable Check:", \r
+ "User's Val is $user_db_disable_value,",\r
+ "Checking against: $disable_value");\r
+ \r
+ # If the value from the DB matches a value from the list, the user is disabled.\r
+ if ($user_db_disable_value eq $disable_value) {\r
+ return 1;\r
+ }\r
+ }\r
+ \r
+ # If we've not returned yet, the user can't be disabled\r
+ return 0;\r
+ }\r
+ $RT::Logger->crit("It is seriously not possible to run this code.. what the hell did you do?!");\r
+ return 0;\r
+}\r
+\r
+sub GetCookieAuth {\r
+\r
+ $RT::Logger->debug( (caller(0))[3],\r
+ "Checking Browser Cookies for an Authenticated User");\r
+ \r
+ # Get our cookie and database info...\r
+ my $config = shift;\r
+\r
+ my $username = undef;\r
+ my $cookie_name = $config->{'name'};\r
+\r
+ my $cookie_value = RT::Authen::ExternalAuth::DBI::Cookie::GetCookieVal($cookie_name);\r
+\r
+ unless($cookie_value){\r
+ return $username;\r
+ }\r
+\r
+ # The table mapping usernames to the Username Match Key\r
+ my $u_table = $config->{'u_table'};\r
+ # The username field in that table\r
+ my $u_field = $config->{'u_field'};\r
+ # The field that contains the Username Match Key\r
+ my $u_match_key = $config->{'u_match_key'};\r
+\r
+ # The table mapping cookie values to the Cookie Match Key\r
+ my $c_table = $config->{'c_table'};\r
+ # The cookie field in that table - The same as the cookie name if unspecified\r
+ my $c_field = $config->{'c_field'};\r
+ # The field that connects the Cookie Match Key\r
+ my $c_match_key = $config->{'c_match_key'};\r
+\r
+ # These are random characters to assign as table aliases in SQL\r
+ # It saves a lot of garbled code later on\r
+ my $u_table_alias = "u";\r
+ my $c_table_alias = "c";\r
+\r
+ # $tables will be passed straight into the SQL query\r
+ # I don't see this as a security issue as only the admin may modify the config file anyway\r
+ my $tables;\r
+\r
+ # If the tables are the same, then the aliases should be the same\r
+ # and the match key becomes irrelevant. Ensure this all works out\r
+ # fine by setting both sides the same. In either case, set an\r
+ # appropriate value for $tables.\r
+ if ($u_table eq $c_table) {\r
+ $u_table_alias = $c_table_alias;\r
+ $u_match_key = $c_match_key;\r
+ $tables = "$c_table $c_table_alias";\r
+ } else {\r
+ $tables = "$c_table $c_table_alias, $u_table $u_table_alias";\r
+ }\r
+\r
+ my $select_fields = "$u_table_alias.$u_field";\r
+ my $where_statement = "$c_table_alias.$c_field = ? AND $c_table_alias.$c_match_key = $u_table_alias.$u_match_key";\r
+\r
+ my $query = "SELECT $select_fields FROM $tables WHERE $where_statement";\r
+ my @params = ($cookie_value);\r
+\r
+ # Use this if you need to debug the DBI SQL process\r
+ # DBI->trace(1,'/tmp/dbi.log');\r
+\r
+ my $dbh = _GetBoundDBIObj($RT::ExternalSettings->{$config->{'db_service_name'}});\r
+ my $query_result_arrayref = $dbh->selectall_arrayref($query,{},@params);\r
+ $dbh->disconnect();\r
+\r
+ # The log messages say it all here...\r
+ my $num_rows = scalar @$query_result_arrayref;\r
+ if ($num_rows < 1) {\r
+ $RT::Logger->info( "AUTH FAILED",\r
+ $cookie_name,\r
+ "Cookie value not found in database.",\r
+ "User passed an authentication token they were not given by us!",\r
+ "Is this nefarious activity?");\r
+ } elsif ($num_rows > 1) {\r
+ $RT::Logger->error( "AUTH FAILED",\r
+ $cookie_name,\r
+ "Cookie's value is duplicated in the database! This should not happen!!");\r
+ } else {\r
+ $username = $query_result_arrayref->[0][0];\r
+ }\r
+\r
+ if ($username) {\r
+ $RT::Logger->debug( "User (",\r
+ $username,\r
+ ") was authenticated by a browser cookie");\r
+ } else {\r
+ $RT::Logger->debug( "No user was authenticated by browser cookie");\r
+ }\r
+\r
+ return $username;\r
+\r
+}\r
+\r
+\r
+# {{{ sub _GetBoundDBIObj\r
+\r
+sub _GetBoundDBIObj {\r
+ \r
+ # Config as hashref. \r
+ my $config = shift;\r
+\r
+ # Extract the relevant information from the config.\r
+ my $db_server = $config->{'server'};\r
+ my $db_user = $config->{'user'};\r
+ my $db_pass = $config->{'pass'};\r
+ my $db_database = $config->{'database'};\r
+ my $db_port = $config->{'port'};\r
+ my $dbi_driver = $config->{'dbi_driver'};\r
+\r
+ # Use config to create a DSN line for the DBI connection\r
+ my $dsn = "dbi:$dbi_driver:database=$db_database;host=$db_server;port=$db_port";\r
+\r
+ # Now let's get connected\r
+ my $dbh = DBI->connect($dsn, $db_user, $db_pass,{RaiseError => 1, AutoCommit => 0 })\r
+ or die $DBI::errstr;\r
+\r
+ # If we didn't die, return the DBI object handle \r
+ # and hope it's treated sensibly and correctly \r
+ # destroyed by the calling code\r
+ return $dbh;\r
+}\r
+\r
+# }}}\r
+\r
+1;\r
--- /dev/null
+package RT::Authen::ExternalAuth::DBI::Cookie;
+
+use CGI::Cookie;
+
+use strict;
+
+# {{{ sub GetCookieVal
+sub GetCookieVal {
+
+ # The name of the cookie
+ my $cookie_name = shift;
+ my $cookie_value;
+
+ # Pull in all cookies from browser within our cookie domain
+ my %cookies = CGI::Cookie->fetch();
+
+ # If the cookie is set, get the value, if it's not set, get out now!
+ if (defined $cookies{$cookie_name}) {
+ $cookie_value = $cookies{$cookie_name}->value;
+ $RT::Logger->debug( "Cookie Found",
+ ":: $cookie_name");
+ } else {
+ $RT::Logger->debug( "Cookie Not Found");
+ }
+
+ return $cookie_value;
+}
+
+# }}}
+
+1;
--- /dev/null
+package RT::Authen::ExternalAuth::LDAP;\r
+\r
+use Net::LDAP qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);\r
+use Net::LDAP::Util qw(ldap_error_name);\r
+use Net::LDAP::Filter;\r
+\r
+use strict;\r
+\r
+require Net::SSLeay if $RT::ExternalServiceUsesSSLorTLS;\r
+\r
+sub GetAuth {\r
+ \r
+ my ($service, $username, $password) = @_;\r
+ \r
+ my $config = $RT::ExternalSettings->{$service};\r
+ $RT::Logger->debug( "Trying external auth service:",$service);\r
+\r
+ my $base = $config->{'base'};\r
+ my $filter = $config->{'filter'};\r
+ my $group = $config->{'group'};\r
+ my $group_attr = $config->{'group_attr'};\r
+ my $attr_map = $config->{'attr_map'};\r
+ my @attrs = ('dn');\r
+\r
+ # Empty parentheses as filters cause Net::LDAP to barf.\r
+ # We take care of this by using Net::LDAP::Filter, but\r
+ # there's no harm in fixing this right now.\r
+ if ($filter eq "()") { undef($filter) };\r
+\r
+ # Now let's get connected\r
+ my $ldap = _GetBoundLdapObj($config);\r
+ return 0 unless ($ldap);\r
+\r
+ $filter = Net::LDAP::Filter->new( '(&(' . \r
+ $attr_map->{'Name'} . \r
+ '=' . \r
+ $username . \r
+ ')' . \r
+ $filter . \r
+ ')'\r
+ );\r
+\r
+ $RT::Logger->debug( "LDAP Search === ",\r
+ "Base:",\r
+ $base,\r
+ "== Filter:", \r
+ $filter->as_string,\r
+ "== Attrs:", \r
+ join(',',@attrs));\r
+\r
+ my $ldap_msg = $ldap->search( base => $base,\r
+ filter => $filter,\r
+ attrs => \@attrs);\r
+\r
+ unless ($ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS) {\r
+ $RT::Logger->debug( "search for", \r
+ $filter->as_string, \r
+ "failed:", \r
+ ldap_error_name($ldap_msg->code), \r
+ $ldap_msg->code);\r
+ # Didn't even get a partial result - jump straight to the next external auth service\r
+ return 0;\r
+ }\r
+\r
+ unless ($ldap_msg->count == 1) {\r
+ $RT::Logger->info( $service,\r
+ "AUTH FAILED:", \r
+ $username,\r
+ "User not found or more than one user found");\r
+ # We got no user, or too many users.. jump straight to the next external auth service\r
+ return 0;\r
+ }\r
+\r
+ my $ldap_dn = $ldap_msg->first_entry->dn;\r
+ $RT::Logger->debug( "Found LDAP DN:", \r
+ $ldap_dn);\r
+\r
+ # THIS bind determines success or failure on the password.\r
+ $ldap_msg = $ldap->bind($ldap_dn, password => $password);\r
+\r
+ unless ($ldap_msg->code == LDAP_SUCCESS) {\r
+ $RT::Logger->info( $service,\r
+ "AUTH FAILED", \r
+ $username, \r
+ "(can't bind:", \r
+ ldap_error_name($ldap_msg->code), \r
+ $ldap_msg->code, \r
+ ")");\r
+ # Could not bind to the LDAP server as the user we found with the password\r
+ # we were given, therefore the password must be wrong so we fail and\r
+ # jump straight to the next external auth service\r
+ return 0;\r
+ }\r
+\r
+ # The user is authenticated ok, but is there an LDAP Group to check?\r
+ if ($group) {\r
+ # If we've been asked to check a group...\r
+ $filter = Net::LDAP::Filter->new("(${group_attr}=${ldap_dn})");\r
+ \r
+ $RT::Logger->debug( "LDAP Search === ",\r
+ "Base:",\r
+ $base,\r
+ "== Filter:", \r
+ $filter->as_string,\r
+ "== Attrs:", \r
+ join(',',@attrs));\r
+ \r
+ $ldap_msg = $ldap->search( base => $group,\r
+ filter => $filter,\r
+ attrs => \@attrs,\r
+ scope => 'base');\r
+\r
+ # And the user isn't a member:\r
+ unless ($ldap_msg->code == LDAP_SUCCESS || \r
+ $ldap_msg->code == LDAP_PARTIAL_RESULTS) {\r
+ $RT::Logger->critical( "Search for", \r
+ $filter->as_string, \r
+ "failed:",\r
+ ldap_error_name($ldap_msg->code), \r
+ $ldap_msg->code);\r
+\r
+ # Fail auth - jump to next external auth service\r
+ return 0;\r
+ }\r
+\r
+ unless ($ldap_msg->count == 1) {\r
+ $RT::Logger->info( $service,\r
+ "AUTH FAILED:", \r
+ $username);\r
+ \r
+ # Fail auth - jump to next external auth service\r
+ return 0;\r
+ }\r
+ }\r
+ \r
+ # Any other checks you want to add? Add them here.\r
+\r
+ # If we've survived to this point, we're good.\r
+ $RT::Logger->info( (caller(0))[3], \r
+ "External Auth OK (",\r
+ $service,\r
+ "):", \r
+ $username);\r
+ return 1;\r
+\r
+}\r
+\r
+\r
+sub CanonicalizeUserInfo {\r
+ \r
+ my ($service, $key, $value) = @_;\r
+\r
+ my $found = 0;\r
+ my %params = (Name => undef,\r
+ EmailAddress => undef,\r
+ RealName => undef);\r
+\r
+ # Load the config\r
+ my $config = $RT::ExternalSettings->{$service};\r
+ \r
+ # Figure out what's what\r
+ my $base = $config->{'base'};\r
+ my $filter = $config->{'filter'};\r
+\r
+ # Get the list of unique attrs we need\r
+ my @attrs = values(%{$config->{'attr_map'}});\r
+\r
+ # This is a bit confusing and probably broken. Something to revisit..\r
+ my $filter_addition = ($key && $value) ? "(". $key . "=$value)" : "";\r
+ if(defined($filter) && ($filter ne "()")) {\r
+ $filter = Net::LDAP::Filter->new( "(&" . \r
+ $filter . \r
+ $filter_addition . \r
+ ")"\r
+ ); \r
+ } else {\r
+ $RT::Logger->debug( "LDAP Filter invalid or not present.");\r
+ }\r
+\r
+ unless (defined($base)) {\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ "LDAP baseDN not defined");\r
+ # Drop out to the next external information service\r
+ return ($found, %params);\r
+ }\r
+\r
+ # Get a Net::LDAP object based on the config we provide\r
+ my $ldap = _GetBoundLdapObj($config);\r
+\r
+ # Jump to the next external information service if we can't get one, \r
+ # errors should be logged by _GetBoundLdapObj so we don't have to.\r
+ return ($found, %params) unless ($ldap);\r
+\r
+ # Do a search for them in LDAP\r
+ $RT::Logger->debug( "LDAP Search === ",\r
+ "Base:",\r
+ $base,\r
+ "== Filter:", \r
+ $filter->as_string,\r
+ "== Attrs:", \r
+ join(',',@attrs));\r
+\r
+ my $ldap_msg = $ldap->search(base => $base,\r
+ filter => $filter,\r
+ attrs => \@attrs);\r
+\r
+ # If we didn't get at LEAST a partial result, just die now.\r
+ if ($ldap_msg->code != LDAP_SUCCESS and \r
+ $ldap_msg->code != LDAP_PARTIAL_RESULTS) {\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ ": Search for ",\r
+ $filter->as_string,\r
+ " failed: ",\r
+ ldap_error_name($ldap_msg->code), \r
+ $ldap_msg->code);\r
+ # $found remains as 0\r
+ \r
+ # Drop out to the next external information service\r
+ $ldap_msg = $ldap->unbind();\r
+ if ($ldap_msg->code != LDAP_SUCCESS) {\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ ": Could not unbind: ", \r
+ ldap_error_name($ldap_msg->code), \r
+ $ldap_msg->code);\r
+ }\r
+ undef $ldap;\r
+ undef $ldap_msg;\r
+ return ($found, %params);\r
+ \r
+ } else {\r
+ # If there's only one match, we're good; more than one and\r
+ # we don't know which is the right one so we skip it.\r
+ if ($ldap_msg->count == 1) {\r
+ my $entry = $ldap_msg->first_entry();\r
+ foreach my $key (keys(%{$config->{'attr_map'}})) {\r
+ if ($RT::LdapAttrMap->{$key} eq 'dn') {\r
+ $params{$key} = $entry->dn();\r
+ } else {\r
+ $params{$key} = \r
+ ($entry->get_value($config->{'attr_map'}->{$key}))[0];\r
+ }\r
+ }\r
+ $found = 1;\r
+ } else {\r
+ # Drop out to the next external information service\r
+ $ldap_msg = $ldap->unbind();\r
+ if ($ldap_msg->code != LDAP_SUCCESS) {\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ ": Could not unbind: ", \r
+ ldap_error_name($ldap_msg->code), \r
+ $ldap_msg->code);\r
+ }\r
+ undef $ldap;\r
+ undef $ldap_msg;\r
+ return ($found, %params);\r
+ }\r
+ }\r
+ $ldap_msg = $ldap->unbind();\r
+ if ($ldap_msg->code != LDAP_SUCCESS) {\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ ": Could not unbind: ", \r
+ ldap_error_name($ldap_msg->code), \r
+ $ldap_msg->code);\r
+ }\r
+\r
+ undef $ldap;\r
+ undef $ldap_msg;\r
+\r
+ return ($found, %params);\r
+}\r
+\r
+sub UserExists {\r
+ my ($username,$service) = @_;\r
+ $RT::Logger->debug("UserExists params:\nusername: $username , service: $service"); \r
+ my $config = $RT::ExternalSettings->{$service};\r
+ \r
+ my $base = $config->{'base'};\r
+ my $filter = $config->{'filter'};\r
+\r
+ # While LDAP filters must be surrounded by parentheses, an empty set\r
+ # of parentheses is an invalid filter and will cause failure\r
+ # This shouldn't matter since we are now using Net::LDAP::Filter below,\r
+ # but there's no harm in doing this to be sure\r
+ if ($filter eq "()") { undef($filter) };\r
+\r
+ if (defined($config->{'attr_map'}->{'Name'})) {\r
+ # Construct the complex filter\r
+ $filter = Net::LDAP::Filter->new( '(&' . \r
+ $filter . \r
+ '(' . \r
+ $config->{'attr_map'}->{'Name'} . \r
+ '=' . \r
+ $username . \r
+ '))'\r
+ );\r
+ }\r
+\r
+ my $ldap = _GetBoundLdapObj($config);\r
+ return unless $ldap;\r
+\r
+ my @attrs = values(%{$config->{'attr_map'}});\r
+\r
+ # Check that the user exists in the LDAP service\r
+ $RT::Logger->debug( "LDAP Search === ",\r
+ "Base:",\r
+ $base,\r
+ "== Filter:", \r
+ $filter->as_string,\r
+ "== Attrs:", \r
+ join(',',@attrs));\r
+ \r
+ my $user_found = $ldap->search( base => $base,\r
+ filter => $filter,\r
+ attrs => \@attrs);\r
+\r
+ if($user_found->count < 1) {\r
+ # If 0 or negative integer, no user found or major failure\r
+ $RT::Logger->debug( "User Check Failed :: (",\r
+ $service,\r
+ ")",\r
+ $username,\r
+ "User not found"); \r
+ return 0; \r
+ } elsif ($user_found->count > 1) {\r
+ # If more than one result returned, die because we the username field should be unique!\r
+ $RT::Logger->debug( "User Check Failed :: (",\r
+ $service,\r
+ ")",\r
+ $username,\r
+ "More than one user with that username!");\r
+ return 0;\r
+ }\r
+ undef $user_found;\r
+ \r
+ # If we havent returned now, there must be a valid user.\r
+ return 1;\r
+}\r
+\r
+sub UserDisabled {\r
+\r
+ my ($username,$service) = @_;\r
+\r
+ # FIRST, check that the user exists in the LDAP service\r
+ unless(UserExists($username,$service)) {\r
+ $RT::Logger->debug("User (",$username,") doesn't exist! - Assuming not disabled for the purposes of disable checking");\r
+ return 0;\r
+ }\r
+ \r
+ my $config = $RT::ExternalSettings->{$service};\r
+ my $base = $config->{'base'};\r
+ my $filter = $config->{'filter'};\r
+ my $d_filter = $config->{'d_filter'};\r
+ my $search_filter;\r
+\r
+ # While LDAP filters must be surrounded by parentheses, an empty set\r
+ # of parentheses is an invalid filter and will cause failure\r
+ # This shouldn't matter since we are now using Net::LDAP::Filter below,\r
+ # but there's no harm in doing this to be sure\r
+ if ($filter eq "()") { undef($filter) };\r
+ if ($d_filter eq "()") { undef($d_filter) };\r
+\r
+ unless ($d_filter) {\r
+ # If we don't know how to check for disabled users, consider them all enabled.\r
+ $RT::Logger->debug("No d_filter specified for this LDAP service (",\r
+ $service,\r
+ "), so considering all users enabled");\r
+ return 0;\r
+ }\r
+\r
+ if (defined($config->{'attr_map'}->{'Name'})) {\r
+ # Construct the complex filter\r
+ $search_filter = Net::LDAP::Filter->new( '(&' . \r
+ $filter . \r
+ $d_filter . \r
+ '(' . \r
+ $config->{'attr_map'}->{'Name'} . \r
+ '=' . \r
+ $username . \r
+ '))'\r
+ );\r
+ } else {\r
+ $RT::Logger->debug("You haven't specified an LDAP attribute to match the RT \"Name\" attribute for this service (",\r
+ $service,\r
+ "), so it's impossible look up the disabled status of this user (",\r
+ $username,\r
+ ") so I'm just going to assume the user is not disabled");\r
+ return 0;\r
+ \r
+ }\r
+\r
+ my $ldap = _GetBoundLdapObj($config);\r
+ next unless $ldap;\r
+\r
+ # We only need the UID for confirmation now, \r
+ # the other information would waste time and bandwidth\r
+ my @attrs = ('uid'); \r
+ \r
+ $RT::Logger->debug( "LDAP Search === ",\r
+ "Base:",\r
+ $base,\r
+ "== Filter:", \r
+ $search_filter->as_string,\r
+ "== Attrs:", \r
+ join(',',@attrs));\r
+ \r
+ my $disabled_users = $ldap->search(base => $base, \r
+ filter => $search_filter, \r
+ attrs => \@attrs);\r
+ # If ANY results are returned, \r
+ # we are going to assume the user should be disabled\r
+ if ($disabled_users->count) {\r
+ undef $disabled_users;\r
+ return 1;\r
+ } else {\r
+ undef $disabled_users;\r
+ return 0;\r
+ }\r
+}\r
+# {{{ sub _GetBoundLdapObj\r
+\r
+sub _GetBoundLdapObj {\r
+\r
+ # Config as hashref\r
+ my $config = shift;\r
+\r
+ # Figure out what's what\r
+ my $ldap_server = $config->{'server'};\r
+ my $ldap_user = $config->{'user'};\r
+ my $ldap_pass = $config->{'pass'};\r
+ my $ldap_tls = $config->{'tls'};\r
+ my $ldap_ssl_ver = $config->{'ssl_version'};\r
+ my $ldap_args = $config->{'net_ldap_args'};\r
+ \r
+ my $ldap = new Net::LDAP($ldap_server, @$ldap_args);\r
+ \r
+ unless ($ldap) {\r
+ $RT::Logger->critical( (caller(0))[3],\r
+ ": Cannot connect to",\r
+ $ldap_server);\r
+ return undef;\r
+ }\r
+\r
+ if ($ldap_tls) {\r
+ $Net::SSLeay::ssl_version = $ldap_ssl_ver;\r
+ # Thanks to David Narayan for the fault tolerance bits\r
+ eval { $ldap->start_tls; };\r
+ if ($@) {\r
+ $RT::Logger->critical( (caller(0))[3], \r
+ "Can't start TLS: ",\r
+ $@);\r
+ return;\r
+ }\r
+\r
+ }\r
+\r
+ my $msg = undef;\r
+\r
+ if (($ldap_user) and ($ldap_pass)) {\r
+ $msg = $ldap->bind($ldap_user, password => $ldap_pass);\r
+ } elsif (($ldap_user) and ( ! $ldap_pass)) {\r
+ $msg = $ldap->bind($ldap_user);\r
+ } else {\r
+ $msg = $ldap->bind;\r
+ }\r
+\r
+ unless ($msg->code == LDAP_SUCCESS) {\r
+ $RT::Logger->critical( (caller(0))[3], \r
+ "Can't bind:", \r
+ ldap_error_name($msg->code), \r
+ $msg->code);\r
+ return undef;\r
+ } else {\r
+ return $ldap;\r
+ }\r
+}\r
+\r
+# }}}\r
+\r
+1;\r
--- /dev/null
+no warnings qw(redefine);
+use strict;
+use RT::Authen::ExternalAuth;
+
+# {{{ sub CanonicalizeUserInfo
+
+=head2 CanonicalizeUserInfo HASHREF
+
+Get all ExternalDB attrs listed in $RT::ExternalDBAttrMap and put them into
+the hash referred to by HASHREF.
+
+returns true (1) if ExternalDB lookup was successful, false (undef)
+in all other cases.
+
+=cut
+
+sub CanonicalizeUserInfo {
+ my $self = shift;
+ my $args = shift;
+ return(RT::Authen::ExternalAuth::CanonicalizeUserInfo($self,$args));
+}
+# }}}
+
+
+
+
+1;
projects / librt-authen-externalauth-perl.git / commitdiff