From ad557cc91140f293fdf83865726c7e8044ef569d Mon Sep 17 00:00:00 2001 From: Andrew Ruthven Date: Fri, 2 Jul 2010 21:32:28 +1200 Subject: [PATCH] Imported Upstream version 0.08 --- ChangeLog | 315 +++++++++++ LICENSE | 344 ++++++++++++ MANIFEST | 22 + META.yml | 21 + Makefile.PL | 26 + README | 95 ++++ etc/RT_SiteConfig.pm | 183 +++++++ html/Callbacks/ExternalAuth/autohandler/Auth | 36 ++ inc/Module/Install.pm | 313 +++++++++++ inc/Module/Install/Base.pm | 70 +++ inc/Module/Install/Can.pm | 82 +++ inc/Module/Install/Fetch.pm | 93 ++++ inc/Module/Install/Makefile.pm | 245 +++++++++ inc/Module/Install/Metadata.pm | 318 +++++++++++ inc/Module/Install/RTx.pm | 191 +++++++ inc/Module/Install/Win32.pm | 64 +++ inc/Module/Install/WriteAll.pm | 40 ++ lib/RT/Authen/ExternalAuth.pm | 548 +++++++++++++++++++ lib/RT/Authen/ExternalAuth/DBI.pm | 451 +++++++++++++++ lib/RT/Authen/ExternalAuth/DBI/Cookie.pm | 31 ++ lib/RT/Authen/ExternalAuth/LDAP.pm | 479 ++++++++++++++++ lib/RT/User_Vendor.pm | 27 + 22 files changed, 3994 insertions(+) create mode 100755 ChangeLog create mode 100755 LICENSE create mode 100755 MANIFEST create mode 100755 META.yml create mode 100755 Makefile.PL create mode 100755 README create mode 100755 etc/RT_SiteConfig.pm create mode 100755 html/Callbacks/ExternalAuth/autohandler/Auth create mode 100755 inc/Module/Install.pm create mode 100755 inc/Module/Install/Base.pm create mode 100755 inc/Module/Install/Can.pm create mode 100755 inc/Module/Install/Fetch.pm create mode 100755 inc/Module/Install/Makefile.pm create mode 100755 inc/Module/Install/Metadata.pm create mode 100755 inc/Module/Install/RTx.pm create mode 100755 inc/Module/Install/Win32.pm create mode 100755 inc/Module/Install/WriteAll.pm create mode 100755 lib/RT/Authen/ExternalAuth.pm create mode 100755 lib/RT/Authen/ExternalAuth/DBI.pm create mode 100755 lib/RT/Authen/ExternalAuth/DBI/Cookie.pm create mode 100755 lib/RT/Authen/ExternalAuth/LDAP.pm create mode 100755 lib/RT/User_Vendor.pm 
diff --git a/ChangeLog b/ChangeLog
new file mode 100755
index 0000000..183d94b
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,315 @@ +v0.08 2009-01-24 Mike Peachey + + * lib/RT/Authen/ExternalAuth.pm + + Version updated to 0.08 + + * ChangeLog + + Added entry for v0.08 + + * etc/RT_SiteConfig.pm + + Added ssl_version to example LDAP config as it is used by + the code, but had not been demonstrated. + + s/Crypt::MD5::md5_hex/Digest::MD5::md5_hex/ in example DBI + config. + + Added the ability to provide a static salt to the p_enc_sub + however this behavious may be reviewed in future releases + to allow integration with better encryption methods. + + s/userSupportAccess/disabled/ in example DBI config. + + * html/Callbacks/ExternalAuth/autohandler/Auth + + Modified the log message regarding the RT-3.8.[01] plugin + bug from error level to debug level and modified the text + of the message to be more clear for RT-3.8.2+ users. + + +v0.08_01 2009-01-20 Mike Peachey + + * ChangeLog + + Added entry for v0.08_01 + + Tabs-to-spaces conversion made where needed. + + * lib/RT/Authen/ExternalAuth.pm + + Version updated to 0.08_01 + + DoAuth method created to inherit the work that used to be + performed by the Auth callback for autohandler. + + GetAuth reduced to an interface. Its purpose is now just to + check what type of service was passed and then call the + GetAuth method from the right package. + + Authentication now halts and returns with error if + ExternalAuthPriority is not set. This prevents a fairly + useless compile error and logs an explanation instead. + + Information lookup is now bypassed and logged if + ExternalInfoPriority is not set, preventing another useless + compile error and replacing it with an explanation. + + SSO Cookie authentication now available following the + integration of RT::Authen::CookieAuth. Methods updated + to reflect the availability of this service. + + * lib/RT/Authen/ExternalAuth/DBI/Cookie.pm + + File added to house the cookie grab. 
While SSO cookies are + a function of DBI authentication (at the moment at least) + there is no need for DBI.pm to use CGI::Cookie for this one + purpose. With the future possibility of futher cookie + functions as well, I decided it deserved its own module. + + * lib/RT/Authen/ExternalAuth/LDAP.pm + + Changed an unless($base) to unless(defined($base)) to allow + for the use of a defined, but empty, baseDN so that an LDAP + directory may be searched from the root. + + * etc/RT_SiteConfig.pm + + CookieAuth settings have been merged into the ExternalAuth + settings hash. Example from CookieAuth has been merged in. + + 'auth' and 'info' settings have been deprecated and so have + been removed from the examples. The function they served has + been replaced by the ExternalAuthPriority and + ExternalInfoPriority variables. + + * lib/RT/Authen/User_Vendor.pm + + The override for the IsPassword method has been deprecated + and deleted. It is no longer necessary to do password tests + as a call to the User object. The equivalent function is + now provided by GetAuth in ExternalAuth.pm and is called + with an ExternalAuth service name, username and password. + Currently, this only needs to be called by DoAuth in + ExternalAuth.pm + + While RT::Authen::ExternalAuth used to be used to integrate + internal RT authentication with an external method as a single + operation, this causes a lack of modularity. Now ExternalAuth + is only concerned with its own authentication methods and if + they fail then RT will decide to do fallback to internal + authentication on its own. + + * html/Callbacks/ExternalAuth/autohandler/Auth + + Workaround for RT versions 3.8.0 and 3.8.1 removed. + RT::Authen::ExternalAuth v0.08 will be officially compatible + only with versions 3.8.2 and up. + + All functionality has been replaced by a call to ExternalAuth.pm's + DoAuth method. This is permitted by the passing of a reference to + the current session variable. 
DoAuth simply modifies that variable + as necessary to perform its function. Any data returned is purely + informational. + + * README + + Updated to include basic information on SSO cookies. + + * Makefile.PL + + Updated to reflect the integration of RT::Authen::CookieAuth. + +v0.07_02 2008-12-22 Kevin Falcone + + * html/Callbacks/ExternalAuth/autohandler/Auth + + Make the workaround needed for 3.8.1 work on 3.8.2 + +v0.07_01 2008-11-06 Mike Peachey + Kevin Falcone + + * ALL + + Complete code refactoring and updates for RT-3.8.x + compatability. + +v0.06 2008-11-01 Mike Peachey + + * README + + A few minor tweaks. + + * lib/RT/Authen/ExternalAuth.pm + + Version updated to 0.06 + + * etc/RT_SiteConfig.pm + + A number of clarifications added to the example config comments + such as making clear the fact that a valid d_filter is required. + +v0.06_03 2008-10-31 Mike Peachey + Kevin Falcone + + * html/Callbacks/ExternalAuth/autohandler/Auth + + Add fix to work around a plugin bug in RT-3.8.0 & RT-3.8.1 + preventing User_Vendor.pm overlay being required before + RT::User is loaded. + + Check the return value from calling RT::User::Create. + + Check the return value when loading an autocreated user. + + * README + + Updated to talk about removing old files in local/. + + * lib/RT/Authen/User_Vendor.pm + + Added error-checking to complain if a an LDAP configuration is + in use, but no d_filter has been specified. + + * lib/RT/Authen/ExternalAuth.pm + + Version updated to 0.06_03. + + * ChangeLog + + General clean-up. + + +v0.06_02 2008-10-01 Kevin Falcone + + * ChangeLog + + Updates to previous release. + + * lib/RT/Authen/ExternalAuth.pm + + Version updated to 0.06_02. + + +v0.06_01 2008-10-17 Kevin Falcone + + * lib/RT/Authen/User_Vendor.pm + + Add a patch to be compatible with 3.8 + + * Upgrade Module::Install::RTx to work better with RT-3.8.x + + +v0.05 2008-04-09 Mike Peachey + + * lib/RT/Authen/User_Vendor.pm + + Typo on line 962. 
s/servicen/service/ + + * html/Callbacks/ExternalAuth/autohandler/Auth + + Deprecated $user_autocreated. It was being used to prevent a call + to RT::User::UpdateFromExternal in User_Vendor.pm because it was + deemed an unecessary expense to set the user's info and then look + it up again straight after. However, I have since realised that + UpdateFromExternal is the only code doing a check to see if the + user has been disabled in the external source and so bypassing + it when users are created allows new users to log in once even + if they have not been "enabled". + + I will be doing a small rewrite of this code in the future to + abstract the External disable-lookup code from UpdateFromExternal + and perhaps remove the function altogether, but for now everything + will work fine. + + * ChangeLog + + I did it again. I added a / on the front of the path to + ExternalAuth.pm. What a plonker! + + * lib/RT/Authen/ExternalAuth.pm + + Version updated to 0.05 + + +v0.04 2008-04-03 Mike Peachey + + * etc/RT_SiteConfig.pm + + The example LDAP ExternalSettings configuration did not contain + example values for user and pass for RT's connection to an LDAP + server. These have now been added. + + Thanks to Andrew Fay for noticing this one. + + * ChangeLog + + Removed a "/" from the start of the ExternalAuth.pm file line in 0.03 + + * lib/RT/Authen/ExternalAuth.pm + + Version updated to 0.04 + + +v0.03 2008-03-31 Mike Peachey + + * html/Callbacks/ExternalAuth/autohandler/Auth + + Bug found on lines 94-100. + + The ELSE block starting on line 95 was assigned to the IF starting + on 85 instead of the IF block starting on line 86. This meant that + if the user entered at the login screen exists no password would + be checked. 
+
+ It was doing this:
+
+ If session has current user who has an ID
+ If password has already been validated
+ SUCCESS
+ Else
+ Return to autohandler with valid session & implicit auth
+ Else delete session
+
+
+ This has now been corrected to this:
+
+ If session has current user who has an ID
+ If password has already been validated
+ SUCCESS
+ Else
+ Delete session
+ Else return to autohandler with whatever we had before the block
+
+ * lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.03
+
+
+v0.02 2008-03-17 Mike Peachey
+
+ * lib/RT/User_Vendor.pm
+
+ Bug #1 found on line 446.
+
+ CanonicalizeUserInfo was being called directly, instead of being
+ called on the $self user object.
+
+ This was causing CanonicalizeUserInfo to shift the e-mail address
+ it was passed into the $self var instead of the $email var. It was
+ therefore returning a blank e-mail address regardless of the input.
+
+ * lib/RT/User_Vendor.pm
+
+ Header comments altered to reflect that the file is part of the
+ RT::Authen::ExternalAuth extension.
+
+ * /lib/RT/Authen/ExternalAuth.pm
+
+ Version updated to 0.02
+
+
+v0.01 2008-03-13 Mike Peachey
+
+ * Initial Release
diff --git a/LICENSE b/LICENSE
new file mode 100755
index 0000000..6401887
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,344 @@ + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software + interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Program does not specify a +version number of this License, you may choose any version ever +published by the Free Software Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these +terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ , 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/MANIFEST b/MANIFEST
new file mode 100755
index 0000000..0673a83
--- /dev/null
+++ b/MANIFEST
@@ -0,0 +1,22 @@
+ChangeLog
+etc/RT_SiteConfig.pm
+html/Callbacks/ExternalAuth/autohandler/Auth
+inc/Module/Install.pm
+inc/Module/Install/Base.pm
+inc/Module/Install/Can.pm
+inc/Module/Install/Fetch.pm
+inc/Module/Install/Makefile.pm
+inc/Module/Install/Metadata.pm
+inc/Module/Install/RTx.pm
+inc/Module/Install/Win32.pm
+inc/Module/Install/WriteAll.pm
+lib/RT/Authen/ExternalAuth.pm
+lib/RT/Authen/ExternalAuth/DBI.pm
+lib/RT/Authen/ExternalAuth/LDAP.pm
+lib/RT/Authen/ExternalAuth/DBI/Cookie.pm
+lib/RT/User_Vendor.pm
+LICENSE
+Makefile.PL
+MANIFEST This list of files
+META.yml
+README
diff --git a/META.yml b/META.yml
new file mode 100755
index 0000000..f5e16ed
--- /dev/null
+++ b/META.yml
@@ -0,0 +1,21 @@
+---
+abstract: RT Authen-ExternalAuth Extension
+author:
+ - Mike Peachey
+distribution_type: module
+generated_by: Module::Install version 0.70
+license: GPL version 2
+meta-spec:
+ url: http://module-build.sourceforge.net/META-spec-v1.3.html
+ version: 1.3
+name: RT-Authen-ExternalAuth
+no_index:
+ directory:
+ - etc
+ - html
+ - po
+ - var
+ - inc
+requires:
+ RT: 0
+version: 0.07_02
diff --git a/Makefile.PL b/Makefile.PL
new file mode 100755
index 0000000..2ad8ebf
--- /dev/null
+++ b/Makefile.PL
@@ -0,0 +1,26 @@
+use inc::Module::Install;
+
+RTx('RT-Authen-ExternalAuth');
+
+license('GPL version 2');
+author('Mike Peachey ');
+
+all_from('lib/RT/Authen/ExternalAuth.pm');
+
+requires('RT');
+
+features(
+ 'SSL LDAP Connections' => [
+ -default => 0,
+ 'Net::SSLeay' => 0],
+ 'External LDAP Sources' => [
+ -default => 1,
+ 'Net::LDAP' => 0],
+ 'External DBI Sources' => [
+ -default => 1,
+ 'DBI' => 0],
+ 'SSO Cookie Sources' => [
+ -default => 1,
+ 'CGI::Cookies' => 0]
+);
+&WriteAll;
diff --git a/README b/README
new file mode 100755
index 0000000..511e453
--- /dev/null
+++ b/README
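Review bot: The 'SSO Cookie Sources' entry in features() declares its prerequisite as `'CGI::Cookies' => 0`, but the module this extension loads for the cookie grab is CGI::Cookie (singular), as the ChangeLog entry for lib/RT/Authen/ExternalAuth/DBI/Cookie.pm states; with the wrong name the installer's prerequisite check for this feature cannot be satisfied and the real dependency stays undeclared, so it should read `'CGI::Cookie' => 0`. Separately, 'SSL LDAP Connections' is the only feature defaulting to off (`-default => 0`), which means a default install of an extension that has to send RT's LDAP bind credentials and users' login passwords to the directory ships without Net::SSLeay; I would default it to 1, or at least have the README say that the ssl_version setting depends on it. requires('RT') also carries no minimum version even though the ChangeLog says v0.08 is only compatible with RT 3.8.2 and up; if Module::Install::RTx honours a version here, `requires('RT' => '3.8.2')` would turn that note into an install-time check.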
@@ -0,0 +1,95 @@
+RT-Authen-ExternalAuth
+
+This module provides the ability to authenticate RT users
+against one or more external data sources at once. It will
+also allow information about that user to be loaded from
+the same, or any other available, source as well as allowing
+multple redundant servers for each method.
+
+The extension currently supports authentication and
+information from LDAP via the Net::LDAP module, and from
+any data source that an installed DBI driver is available
+for.
+
+It is also possible to use cookies set by an alternate
+application for Single Sign-On (SSO) with that application.
+For example, you may integrate RT with your own website login
+system so that once users log in to your website, they will be
+automagically logged in to RT when they access it.
+
+It was originally designed and tested against:
+
+MySQL v4.1.21-standard
+MySQL v5.0.22
+Windows Active Directory v2003
+
+But it has been designed so that it should work with ANY
+LDAP service and ANY DBI-drivable database, based upon the
+configuration given in your $RTHOME/etc/RT_SiteConfig.pm
+
+As of v0.08 ExternalAuth also allows you to pull a browser
+cookie value and test it against a DBI data source allowing
+the use of cookies for Single Sign-On (SSO) authentication
+with another application or website login system. This is
+due to the merging of RT::Authen::ExternalAuth and
+RT::Authen::CookieAuth. For example, you may integrate RT
+with your own website login system so that once users log in
+to your website, they will be automagically logged in to RT
+when they access it.
+
+
+INSTALLATION
+
+To install this module, run the following commands:
+
+ perl Makefile.PL
+ make
+ make install
+
+I recommend:
+RT::Authen::ExternalAuth v0.05 for RT-3.6.x
+RT::Authen::ExternalAuth v0.08+ for RT-3.8.x
+
+If you are using RT 3.8.x, you need to enable this
+module by adding RT::Authen::ExternalAuth to your
+@Plugins configuration:
+
+Set( @Plugins, qw(RT::Authen::ExternalAuth) );
+
+Once installed, you should view the file:
+
+3.4/3.6 $RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm
+3.8 $RTHOME/local/plugins/RT-Auth-ExternalAuth/etc/RT_SiteConfig.pm
+
+Then use the examples provided to prepare your own custom
+configuration which should be added to your site configuration in
+$RTHOME/etc/RT_SiteConfig.pm
+
+Alternatively, you may alter the provided examples directly
+and then include the extra directives by 'requiring' the
+example file's path at the end of your RT_SiteConfig.pm
+
+
+UPGRADING
+
+If you are upgrading from 0.05 you may have some leftover
+parts of the module in
+
+$RTHOME/local/lib/RT/User_Vendor.pm
+$RTHOME/local/lib/RT/Authen/External_Auth.pm
+
+that will conflict with the new install and these should be removed
+
+AUTHOR
+ Mike Peachey
+ Jennic Ltd.
+ zordrak@cpan.org
+
+COPYRIGHT AND LICENCE
+
+Copyright (C) 2008, Jennic Ltd.
+
+This software is released under version 2 of the GNU
+General Public License. The license is distributed with
+this package in the LICENSE file found in the directory
+root.
diff --git a/etc/RT_SiteConfig.pm b/etc/RT_SiteConfig.pm
new file mode 100755
index 0000000..4c38a5d
--- /dev/null
+++ b/etc/RT_SiteConfig.pm
@@ -0,0 +1,183 @@
+# The order in which the services defined in ExternalSettings
+# should be used to authenticate users. User is authenticated
+# if successfully confirmed by any service - no more services
+# are checked.
+Set($ExternalAuthPriority, [ 'My_LDAP',
+ 'My_MySQL',
+ 'My_SSO_Cookie'
+ ]
+);
+
+# The order in which the services defined in ExternalSettings
+# should be used to get information about users. This includes
+# RealName, Tel numbers etc, but also whether or not the user
+# should be considered disabled.
+#
+# Once user info is found, no more services are checked.
+#
+# You CANNOT use a SSO cookie for authentication.
+Set($ExternalInfoPriority, [ 'My_MySQL',
+ 'My_LDAP'
+ ]
+);
+
+# If this is set to true, then the relevant packages will
+# be loaded to use SSL/TLS connections. At the moment,
+# this just means "use Net::SSLeay;"
+Set($ExternalServiceUsesSSLorTLS, 0);
+
+# If this is set to 1, then users should be autocreated by RT
+# as internal users if they fail to authenticate from an
+# external service.
+Set($AutoCreateNonExternalUsers, 0);
+
+# These are the full settings for each external service as a HashOfHashes
+# Note that you may have as many external services as you wish. They will
+# be checked in the order specified in the Priority directives above.
+# e.g.
+# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
+#
+Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
+ 'My_MySQL' => { ## GENERIC SECTION
+ # The type of service (db/ldap/cookie)
+ 'type' => 'db',
+ # The server hosting the service
+ 'server' => 'server.domain.tld',
+ ## SERVICE-SPECIFIC SECTION
+ # The database name
+ 'database' => 'DB_NAME',
+ # The database table
+ 'table' => 'USERS_TABLE',
+ # The user to connect to the database as
+ 'user' => 'DB_USER',
+ # The password to use to connect with
+ 'pass' => 'DB_PASS',
+ # The port to use to connect with (e.g. 3306)
+ 'port' => 'DB_PORT',
+ # The name of the Perl DBI driver to use (e.g. mysql)
+ 'dbi_driver' => 'DBI_DRIVER',
+ # The field in the table that holds usernames
+ 'u_field' => 'username',
+ # The field in the table that holds passwords
+ 'p_field' => 'password',
+ # The Perl package & subroutine used to encrypt passwords
+ # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
+ # function, then you will need Crypt::MySQL::password, but for the
+ # MySQL4+ password function you will need Crypt::MySQL::password41
+ # Alternatively, you could use Digest::MD5::md5_hex or any other
+ # encryption subroutine you can load in your perl installation
+ 'p_enc_pkg' => 'Crypt::MySQL',
+ 'p_enc_sub' => 'password',
+ # If your p_enc_sub takes a salt as a second parameter,
+ # uncomment this line to add your salt
+ #'p_salt' => 'SALT',
+ #
+ # The field and values in the table that determines if a user should
+ # be disabled. For example, if the field is 'user_status' and the values
+ # are ['0','1','2','disabled'] then the user will be disabled if their
+ # user_status is set to '0','1','2' or the string 'disabled'.
+ # Otherwise, they will be considered enabled.
+ 'd_field' => 'disabled',
+ 'd_values' => ['0'],
+ ## RT ATTRIBUTE MATCHING SECTION
+ # The list of RT attributes that uniquely identify a user
+ 'attr_match_list' => [ 'Gecos',
+ 'Name'
+ ],
+ # The mapping of RT attributes on to field names
+ 'attr_map' => { 'Name' => 'username',
+ 'EmailAddress' => 'email',
+ 'ExternalAuthId' => 'username',
+ 'Gecos' => 'userID'
+ }
+ },
+ # AN EXAMPLE LDAP SERVICE
+ 'My_LDAP' => { ## GENERIC SECTION
+ # The type of service (db/ldap/cookie)
+ 'type' => 'ldap',
+ # The server hosting the service
+ 'server' => 'server.domain.tld',
+ ## SERVICE-SPECIFIC SECTION
+ # If you can bind to your LDAP server anonymously you should
+ # remove the user and pass config lines, otherwise specify them here:
+ #
+ # The username RT should use to connect to the LDAP server
+ 'user' => 'rt_ldap_username',
+ # The password RT should use to connect to the LDAP server
+ 'pass' => 'rt_ldap_password',
+ #
+ # The LDAP search base
+ 'base' => 'ou=Organisational Unit,dc=domain,dc=TLD',
+ #
+ # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
+ # YOU **MUST** SPECIFY A filter AND A d_filter!!
+ #
+ # The filter to use to match RT-Users
+ 'filter' => '(FILTER_STRING)',
+ # A catch-all example filter: '(objectClass=*)'
+ #
+ # The filter that will only match disabled users
+ 'd_filter' => '(FILTER_STRING)',
+ # A catch-none example d_filter: '(objectClass=FooBarBaz)'
+ #
+ # Should we try to use TLS to encrypt connections?
+ 'tls' => 0,
+ # SSL Version to provide to Net::SSLeay *if* using SSL
+ 'ssl_version' => 3,
+ # What other args should I pass to Net::LDAP->new($host,@args)?
+ 'net_ldap_args' => [ version => 3 ],
+ # Does authentication depend on group membership? What group name?
+ 'group' => 'GROUP_NAME',
+ # What is the attribute for the group object that determines membership?
+ 'group_attr' => 'GROUP_ATTR',
+ ## RT ATTRIBUTE MATCHING SECTION
+ # The list of RT attributes that uniquely identify a user
+ # This example shows what you *can* specify.. I recommend reducing this
+ # to just the Name and EmailAddress to save encountering problems later.
+ 'attr_match_list' => [ 'Name',
+ 'EmailAddress',
+ 'RealName',
+ 'WorkPhone',
+ 'Address2'
+ ],
+ # The mapping of RT attributes on to LDAP attributes
+ 'attr_map' => { 'Name' => 'sAMAccountName',
+ 'EmailAddress' => 'mail',
+ 'Organization' => 'physicalDeliveryOfficeName',
+ 'RealName' => 'cn',
+ 'ExternalAuthId' => 'sAMAccountName',
+ 'Gecos' => 'sAMAccountName',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co'
+ }
+ },
+ # An example SSO cookie service
+ 'My_SSO_Cookie' => { # # The type of service (db/ldap/cookie)
+ 'type' => 'cookie',
+ # The name of the cookie to be used
+ 'name' => 'loginCookieValue',
+ # The users table
+ 'u_table' => 'users',
+ # The username field in the users table
+ 'u_field' => 'username',
+ # The field in the users table that uniquely identifies a user
+ # and also exists in the cookies table
+ 'u_match_key' => 'userID',
+ # The cookies table
+ 'c_table' => 'login_cookie',
+ # The field that stores cookie values
+ 'c_field' => 'loginCookieValue',
+ # The field in the cookies table that uniquely identifies a user
+ # and also exists in the users table
+ 'c_match_key' => 'loginCookieUserID',
+ # The DB service in this configuration to use to lookup the cookie information
+ 'db_service_name' => 'My_MySQL'
+ }
+ }
+);
+
+1;
diff --git a/html/Callbacks/ExternalAuth/autohandler/Auth b/html/Callbacks/ExternalAuth/autohandler/Auth
new file mode 100755
index 0000000..e188be4
--- /dev/null
+++ b/html/Callbacks/ExternalAuth/autohandler/Auth
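Review bot: The comment `# You CANNOT use a SSO cookie for authentication.` above `$ExternalInfoPriority` contradicts the `$ExternalAuthPriority` example a few lines earlier, which lists `'My_SSO_Cookie'` as an authentication service; given where it sits it presumably means the reverse, so it should read `# You CANNOT use a SSO cookie service for user information lookup.`. The example LDAP service also pairs a bind `'user'`/`'pass'` with `'tls' => 0`, so an administrator who copies the template as-is gets a cleartext bind to the directory (and, if the users' own credentials are verified against the same server, those travel in the clear too); the template should either default to `'tls' => 1` or state next to the key that 0 means unencrypted. `'ssl_version' => 3` pins SSLv3, which is obsolete, so the comment should point readers at the library default rather than a fixed protocol number. Nothing in this file marks `'pass'` values as secrets; a one-line reminder that RT_SiteConfig.pm must not be world-readable would be worth adding near the first `'pass'` key.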
@@ -0,0 +1,36 @@
+<%once>
+my $loaded_user = 0;
+
+<%init>
+
+use RT::Authen::ExternalAuth;
+
+###################################################################################
+# Work around a bug in the RT 3.8.0 and 3.8.1 plugin system (fixed in 3.8.2) #
+# Temporarily force RT to reload RT::User, since it isn't being loaded #
+# correctly as a plugin. #
+###################################################################################
+unless ($loaded_user) {
+ $RT::Logger->debug("Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1");
+ $loaded_user++;
+ delete $INC{'RT/User.pm'};
+ delete $INC{'RT/User_Overlay.pm'};
+ delete $INC{'RT/User_Vendor.pm'};
+ require RT::User;
+}
+###################################################################################
+
+my ($val,$msg);
+unless($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
+ ($val,$msg) = RT::Authen::ExternalAuth::DoAuth(\%session,$user,$pass);
+ $RT::Logger->debug("Autohandler called ExternalAuth. Response: ($val, $msg)");
+}
+
+return;
+
+
+<%ARGS>
+$user => undef
+$pass => undef
+$menu => undef
+
diff --git a/inc/Module/Install.pm b/inc/Module/Install.pm
new file mode 100755
index 0000000..e6758c9
--- /dev/null
+++ b/inc/Module/Install.pm
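Review bot: The line `$RT::Logger->debug("Autohandler called ExternalAuth. Response: ($val, $msg)");` copies whatever `RT::Authen::ExternalAuth::DoAuth` hands back as `$msg` into the log, in a callback that also holds the submitted `$pass`; DoAuth is outside this hunk, so whether `$msg` can ever carry a credential or other user-supplied text cannot be checked here, and until that is established the safer form is `$RT::Logger->debug("Autohandler called ExternalAuth. Response code: $val");` with the free-text message left to DoAuth's own logging. The `$menu` parameter is declared in `<%ARGS>` but never read in the body, so it should either be dropped or a comment should say which caller passes it. The closing Mason tags appear to have been lost in this rendering of the diff, so the `<%once>`, `<%init>` and `<%ARGS>` blocks cannot be confirmed balanced from the page alone.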
@@ -0,0 +1,313 @@ +#line 1 +package Module::Install; + +# For any maintainers: +# The load order for Module::Install is a bit magic. +# It goes something like this... +# +# IF ( host has Module::Install installed, creating author mode ) { +# 1. Makefile.PL calls "use inc::Module::Install" +# 2. $INC{inc/Module/Install.pm} set to installed version of inc::Module::Install +# 3. The installed version of inc::Module::Install loads +# 4. inc::Module::Install calls "require Module::Install" +# 5. The ./inc/ version of Module::Install loads +# } ELSE { +# 1. Makefile.PL calls "use inc::Module::Install" +# 2. $INC{inc/Module/Install.pm} set to ./inc/ version of Module::Install +# 3. The ./inc/ version of Module::Install loads +# } + +BEGIN { + require 5.004; +} +use strict 'vars'; + +use vars qw{$VERSION}; +BEGIN { + # All Module::Install core packages now require synchronised versions. + # This will be used to ensure we don't accidentally load old or + # different versions of modules. + # This is not enforced yet, but will be some time in the next few + # releases once we can make sure it won't clash with custom + # Module::Install extensions. + $VERSION = '0.70'; +} + + + + + +# Whether or not inc::Module::Install is actually loaded, the +# $INC{inc/Module/Install.pm} is what will still get set as long as +# the caller loaded module this in the documented manner. +# If not set, the caller may NOT have loaded the bundled version, and thus +# they may not have a MI version that works with the Makefile.PL. This would +# result in false errors or unexpected behaviour. And we don't want that. +my $file = join( '/', 'inc', split /::/, __PACKAGE__ ) . '.pm'; +unless ( $INC{$file} ) { die <<"END_DIE" } + +Please invoke ${\__PACKAGE__} with: + + use inc::${\__PACKAGE__}; + +not: + + use ${\__PACKAGE__}; + +END_DIE + + + + + +# If the script that is loading Module::Install is from the future, +# then make will detect this and cause it to re-run over and over +# again. This is bad. 
Rather than taking action to touch it (which +# is unreliable on some platforms and requires write permissions) +# for now we should catch this and refuse to run. +if ( -f $0 and (stat($0))[9] > time ) { die <<"END_DIE" } + +Your installer $0 has a modification time in the future. + +This is known to create infinite loops in make. + +Please correct this, then run $0 again. + +END_DIE + + + + + +# Build.PL was formerly supported, but no longer is due to excessive +# difficulty in implementing every single feature twice. +if ( $0 =~ /Build.PL$/i or -f 'Build.PL' ) { die <<"END_DIE" } + +Module::Install no longer supports Build.PL. + +It was impossible to maintain duel backends, and has been deprecated. + +Please remove all Build.PL files and only use the Makefile.PL installer. + +END_DIE + + + + + +use Cwd (); +use File::Find (); +use File::Path (); +use FindBin; + +*inc::Module::Install::VERSION = *VERSION; +@inc::Module::Install::ISA = __PACKAGE__; + +sub autoload { + my $self = shift; + my $who = $self->_caller; + my $cwd = Cwd::cwd(); + my $sym = "${who}::AUTOLOAD"; + $sym->{$cwd} = sub { + my $pwd = Cwd::cwd(); + if ( my $code = $sym->{$pwd} ) { + # delegate back to parent dirs + goto &$code unless $cwd eq $pwd; + } + $$sym =~ /([^:]+)$/ or die "Cannot autoload $who - $sym"; + unshift @_, ( $self, $1 ); + goto &{$self->can('call')} unless uc($1) eq $1; + }; +} + +sub import { + my $class = shift; + my $self = $class->new(@_); + my $who = $self->_caller; + + unless ( -f $self->{file} ) { + require "$self->{path}/$self->{dispatch}.pm"; + File::Path::mkpath("$self->{prefix}/$self->{author}"); + $self->{admin} = "$self->{name}::$self->{dispatch}"->new( _top => $self ); + $self->{admin}->init; + @_ = ($class, _self => $self); + goto &{"$self->{name}::import"}; + } + + *{"${who}::AUTOLOAD"} = $self->autoload; + $self->preload; + + # Unregister loader and worker packages so subdirs can use them again + delete $INC{"$self->{file}"}; + delete $INC{"$self->{path}.pm"}; + 
+ return 1; +} + +sub preload { + my ($self) = @_; + + unless ( $self->{extensions} ) { + $self->load_extensions( + "$self->{prefix}/$self->{path}", $self + ); + } + + my @exts = @{$self->{extensions}}; + unless ( @exts ) { + my $admin = $self->{admin}; + @exts = $admin->load_all_extensions; + } + + my %seen; + foreach my $obj ( @exts ) { + while (my ($method, $glob) = each %{ref($obj) . '::'}) { + next unless $obj->can($method); + next if $method =~ /^_/; + next if $method eq uc($method); + $seen{$method}++; + } + } + + my $who = $self->_caller; + foreach my $name ( sort keys %seen ) { + *{"${who}::$name"} = sub { + ${"${who}::AUTOLOAD"} = "${who}::$name"; + goto &{"${who}::AUTOLOAD"}; + }; + } +} + +sub new { + my ($class, %args) = @_; + + # ignore the prefix on extension modules built from top level. + my $base_path = Cwd::abs_path($FindBin::Bin); + unless ( Cwd::abs_path(Cwd::cwd()) eq $base_path ) { + delete $args{prefix}; + } + + return $args{_self} if $args{_self}; + + $args{dispatch} ||= 'Admin'; + $args{prefix} ||= 'inc'; + $args{author} ||= ($^O eq 'VMS' ? '_author' : '.author'); + $args{bundle} ||= 'inc/BUNDLES'; + $args{base} ||= $base_path; + $class =~ s/^\Q$args{prefix}\E:://; + $args{name} ||= $class; + $args{version} ||= $class->VERSION; + unless ( $args{path} ) { + $args{path} = $args{name}; + $args{path} =~ s!::!/!g; + } + $args{file} ||= "$args{base}/$args{prefix}/$args{path}.pm"; + + bless( \%args, $class ); +} + +sub call { + my ($self, $method) = @_; + my $obj = $self->load($method) or return; + splice(@_, 0, 2, $obj); + goto &{$obj->can($method)}; +} + +sub load { + my ($self, $method) = @_; + + $self->load_extensions( + "$self->{prefix}/$self->{path}", $self + ) unless $self->{extensions}; + + foreach my $obj (@{$self->{extensions}}) { + return $obj if $obj->can($method); + } + + my $admin = $self->{admin} or die <<"END_DIE"; +The '$method' method does not exist in the '$self->{prefix}' path! 
+Please remove the '$self->{prefix}' directory and run $0 again to load it. +END_DIE + + my $obj = $admin->load($method, 1); + push @{$self->{extensions}}, $obj; + + $obj; +} + +sub load_extensions { + my ($self, $path, $top) = @_; + + unless ( grep { lc $_ eq lc $self->{prefix} } @INC ) { + unshift @INC, $self->{prefix}; + } + + foreach my $rv ( $self->find_extensions($path) ) { + my ($file, $pkg) = @{$rv}; + next if $self->{pathnames}{$pkg}; + + local $@; + my $new = eval { require $file; $pkg->can('new') }; + unless ( $new ) { + warn $@ if $@; + next; + } + $self->{pathnames}{$pkg} = delete $INC{$file}; + push @{$self->{extensions}}, &{$new}($pkg, _top => $top ); + } + + $self->{extensions} ||= []; +} + +sub find_extensions { + my ($self, $path) = @_; + + my @found; + File::Find::find( sub { + my $file = $File::Find::name; + return unless $file =~ m!^\Q$path\E/(.+)\.pm\Z!is; + my $subpath = $1; + return if lc($subpath) eq lc($self->{dispatch}); + + $file = "$self->{path}/$subpath.pm"; + my $pkg = "$self->{name}::$subpath"; + $pkg =~ s!/!::!g; + + # If we have a mixed-case package name, assume case has been preserved + # correctly. Otherwise, root through the file to locate the case-preserved + # version of the package name. + if ( $subpath eq lc($subpath) || $subpath eq uc($subpath) ) { + open PKGFILE, "<$subpath.pm" or die "find_extensions: Can't open $subpath.pm: $!"; + my $in_pod = 0; + while ( ) { + $in_pod = 1 if /^=\w/; + $in_pod = 0 if /^=cut/; + next if ($in_pod || /^=cut/); # skip pod text + next if /^\s*#/; # and comments + if ( m/^\s*package\s+($pkg)\s*;/i ) { + $pkg = $1; + last; + } + } + close PKGFILE; + } + + push @found, [ $file, $pkg ]; + }, $path ) if -d $path; + + @found; +} + +sub _caller { + my $depth = 0; + my $call = caller($depth); + while ( $call eq __PACKAGE__ ) { + $depth++; + $call = caller($depth); + } + return $call; +} + +1; + +# Copyright 2008 Adam Kennedy. 
diff --git a/inc/Module/Install/Base.pm b/inc/Module/Install/Base.pm new file mode 100755 index 0000000..5e24ae1 --- /dev/null +++ b/inc/Module/Install/Base.pm @@ -0,0 +1,70 @@ +#line 1 +package Module::Install::Base; + +$VERSION = '0.70'; + +# Suspend handler for "redefined" warnings +BEGIN { + my $w = $SIG{__WARN__}; + $SIG{__WARN__} = sub { $w }; +} + +### This is the ONLY module that shouldn't have strict on +# use strict; + +#line 41 + +sub new { + my ($class, %args) = @_; + + foreach my $method ( qw(call load) ) { + *{"$class\::$method"} = sub { + shift()->_top->$method(@_); + } unless defined &{"$class\::$method"}; + } + + bless( \%args, $class ); +} + +#line 61 + +sub AUTOLOAD { + my $self = shift; + local $@; + my $autoload = eval { $self->_top->autoload } or return; + goto &$autoload; +} + +#line 76 + +sub _top { $_[0]->{_top} } + +#line 89 + +sub admin { + $_[0]->_top->{admin} or Module::Install::Base::FakeAdmin->new; +} + +sub is_admin { + $_[0]->admin->VERSION; +} + +sub DESTROY {} + +package Module::Install::Base::FakeAdmin; + +my $Fake; +sub new { $Fake ||= bless(\@_, $_[0]) } + +sub AUTOLOAD {} + +sub DESTROY {} + +# Restore warning handler +BEGIN { + $SIG{__WARN__} = $SIG{__WARN__}->(); +} + +1; + +#line 138 diff --git a/inc/Module/Install/Can.pm b/inc/Module/Install/Can.pm new file mode 100755 index 0000000..9ce21a4 --- /dev/null +++ b/inc/Module/Install/Can.pm 
@@ -0,0 +1,82 @@ +#line 1 +package Module::Install::Can; + +use strict; +use Module::Install::Base; +use Config (); +### This adds a 5.005 Perl version dependency. +### This is a bug and will be fixed. +use File::Spec (); +use ExtUtils::MakeMaker (); + +use vars qw{$VERSION $ISCORE @ISA}; +BEGIN { + $VERSION = '0.70'; + $ISCORE = 1; + @ISA = qw{Module::Install::Base}; +} + +# check if we can load some module +### Upgrade this to not have to load the module if possible +sub can_use { + my ($self, $mod, $ver) = @_; + $mod =~ s{::|\\}{/}g; + $mod .= '.pm' unless $mod =~ /\.pm$/i; + + my $pkg = $mod; + $pkg =~ s{/}{::}g; + $pkg =~ s{\.pm$}{}i; + + local $@; + eval { require $mod; $pkg->VERSION($ver || 0); 1 }; +} + +# check if we can run some command +sub can_run { + my ($self, $cmd) = @_; + + my $_cmd = $cmd; + return $_cmd if (-x $_cmd or $_cmd = MM->maybe_command($_cmd)); + + for my $dir ((split /$Config::Config{path_sep}/, $ENV{PATH}), '.') { + my $abs = File::Spec->catfile($dir, $_[1]); + return $abs if (-x $abs or $abs = MM->maybe_command($abs)); + } + + return; +} + +# can we locate a (the) C compiler +sub can_cc { + my $self = shift; + my @chunks = split(/ /, $Config::Config{cc}) or return; + + # $Config{cc} may contain args; try to find out the program part + while (@chunks) { + return $self->can_run("@chunks") || (pop(@chunks), next); + } + + return; +} + +# Fix Cygwin bug on maybe_command(); +if ( $^O eq 'cygwin' ) { + require ExtUtils::MM_Cygwin; + require ExtUtils::MM_Win32; + if ( ! defined(&ExtUtils::MM_Cygwin::maybe_command) ) { + *ExtUtils::MM_Cygwin::maybe_command = sub { + my ($self, $file) = @_; + if ($file =~ m{^/cygdrive/}i and ExtUtils::MM_Win32->can('maybe_command')) { + ExtUtils::MM_Win32->maybe_command($file); + } else { + ExtUtils::MM_Unix->maybe_command($file); + } + } + } +} + +1; + +__END__ + +#line 157 diff --git a/inc/Module/Install/Fetch.pm b/inc/Module/Install/Fetch.pm new file mode 100755 index 0000000..2b8f6e8 --- /dev/null 
+++ b/inc/Module/Install/Fetch.pm 
@@ -0,0 +1,93 @@ +#line 1 +package Module::Install::Fetch; + +use strict; +use Module::Install::Base; + +use vars qw{$VERSION $ISCORE @ISA}; +BEGIN { + $VERSION = '0.70'; + $ISCORE = 1; + @ISA = qw{Module::Install::Base}; +} + +sub get_file { + my ($self, %args) = @_; + my ($scheme, $host, $path, $file) = + $args{url} =~ m|^(\w+)://([^/]+)(.+)/(.+)| or return; + + if ( $scheme eq 'http' and ! eval { require LWP::Simple; 1 } ) { + $args{url} = $args{ftp_url} + or (warn("LWP support unavailable!\n"), return); + ($scheme, $host, $path, $file) = + $args{url} =~ m|^(\w+)://([^/]+)(.+)/(.+)| or return; + } + + $|++; + print "Fetching '$file' from $host... "; + + unless (eval { require Socket; Socket::inet_aton($host) }) { + warn "'$host' resolve failed!\n"; + return; + } + + return unless $scheme eq 'ftp' or $scheme eq 'http'; + + require Cwd; + my $dir = Cwd::getcwd(); + chdir $args{local_dir} or return if exists $args{local_dir}; + + if (eval { require LWP::Simple; 1 }) { + LWP::Simple::mirror($args{url}, $file); + } + elsif (eval { require Net::FTP; 1 }) { eval { + # use Net::FTP to get past firewall + my $ftp = Net::FTP->new($host, Passive => 1, Timeout => 600); + $ftp->login("anonymous", 'anonymous@example.com'); + $ftp->cwd($path); + $ftp->binary; + $ftp->get($file) or (warn("$!\n"), return); + $ftp->quit; + } } + elsif (my $ftp = $self->can_run('ftp')) { eval { + # no Net::FTP, fallback to ftp.exe + require FileHandle; + my $fh = FileHandle->new; + + local $SIG{CHLD} = 'IGNORE'; + unless ($fh->open("|$ftp -n")) { + warn "Couldn't open ftp: $!\n"; + chdir $dir; return; + } + + my @dialog = split(/\n/, <<"END_FTP"); +open $host +user anonymous anonymous\@example.com +cd $path +binary +get $file $file +quit +END_FTP + foreach (@dialog) { $fh->print("$_\n") } + $fh->close; + } } + else { + warn "No working 'ftp' program available!\n"; + chdir $dir; return; + } + + unless (-f $file) { + warn "Fetching failed: $@\n"; + chdir $dir; return; + } + + return if exists 
$args{size} and -s $file != $args{size}; + system($args{run}) if exists $args{run}; + unlink($file) if $args{remove}; + + print(((!exists $args{check_for} or -e $args{check_for}) + ? "done!" : "failed! ($!)"), "\n"); + chdir $dir; return !$?; +} + +1; diff --git a/inc/Module/Install/Makefile.pm b/inc/Module/Install/Makefile.pm new file mode 100755 index 0000000..27bbace --- /dev/null +++ b/inc/Module/Install/Makefile.pm 
@@ -0,0 +1,245 @@ +#line 1 +package Module::Install::Makefile; + +use strict 'vars'; +use Module::Install::Base; +use ExtUtils::MakeMaker (); + +use vars qw{$VERSION $ISCORE @ISA}; +BEGIN { + $VERSION = '0.70'; + $ISCORE = 1; + @ISA = qw{Module::Install::Base}; +} + +sub Makefile { $_[0] } + +my %seen = (); + +sub prompt { + shift; + + # Infinite loop protection + my @c = caller(); + if ( ++$seen{"$c[1]|$c[2]|$_[0]"} > 3 ) { + die "Caught an potential prompt infinite loop ($c[1]|$c[2]|$_[0])"; + } + + # In automated testing, always use defaults + if ( $ENV{AUTOMATED_TESTING} and ! $ENV{PERL_MM_USE_DEFAULT} ) { + local $ENV{PERL_MM_USE_DEFAULT} = 1; + goto &ExtUtils::MakeMaker::prompt; + } else { + goto &ExtUtils::MakeMaker::prompt; + } +} + +sub makemaker_args { + my $self = shift; + my $args = ($self->{makemaker_args} ||= {}); + %$args = ( %$args, @_ ) if @_; + $args; +} + +# For mm args that take multiple space-seperated args, +# append an argument to the current list. +sub makemaker_append { + my $self = sShift; + my $name = shift; + my $args = $self->makemaker_args; + $args->{name} = defined $args->{$name} + ? join( ' ', $args->{name}, @_ ) + : join( ' ', @_ ); +} + +sub build_subdirs { + my $self = shift; + my $subdirs = $self->makemaker_args->{DIR} ||= []; + for my $subdir (@_) { + push @$subdirs, $subdir; + } +} + +sub clean_files { + my $self = shift; + my $clean = $self->makemaker_args->{clean} ||= {}; + %$clean = ( + %$clean, + FILES => join(' ', grep length, $clean->{FILES}, @_), + ); +} + +sub realclean_files { + my $self = shift; + my $realclean = $self->makemaker_args->{realclean} ||= {}; + %$realclean = ( + %$realclean, + FILES => join(' ', grep length, $realclean->{FILES}, @_), + ); +} + +sub libs { + my $self = shift; + my $libs = ref $_[0] ? 
shift : [ shift ]; + $self->makemaker_args( LIBS => $libs ); +} + +sub inc { + my $self = shift; + $self->makemaker_args( INC => shift ); +} + +my %test_dir = (); + +sub _wanted_t { + /\.t$/ and -f $_ and $test_dir{$File::Find::dir} = 1; +} + +sub tests_recursive { + my $self = shift; + if ( $self->tests ) { + die "tests_recursive will not work if tests are already defined"; + } + my $dir = shift || 't'; + unless ( -d $dir ) { + die "tests_recursive dir '$dir' does not exist"; + } + %test_dir = (); + require File::Find; + File::Find::find( \&_wanted_t, $dir ); + $self->tests( join ' ', map { "$_/*.t" } sort keys %test_dir ); +} + +sub write { + my $self = shift; + die "&Makefile->write() takes no arguments\n" if @_; + + # Make sure we have a new enough + require ExtUtils::MakeMaker; + $self->configure_requires( 'ExtUtils::MakeMaker' => $ExtUtils::MakeMaker::VERSION ); + + # Generate the + my $args = $self->makemaker_args; + $args->{DISTNAME} = $self->name; + $args->{NAME} = $self->module_name || $self->name || $self->determine_NAME($args); + $args->{VERSION} = $self->version || $self->determine_VERSION($args); + $args->{NAME} =~ s/-/::/g; + if ( $self->tests ) { + $args->{test} = { TESTS => $self->tests }; + } + if ($] >= 5.005) { + $args->{ABSTRACT} = $self->abstract; + $args->{AUTHOR} = $self->author; + } + if ( eval($ExtUtils::MakeMaker::VERSION) >= 6.10 ) { + $args->{NO_META} = 1; + } + if ( eval($ExtUtils::MakeMaker::VERSION) > 6.17 and $self->sign ) { + $args->{SIGN} = 1; + } + unless ( $self->is_admin ) { + delete $args->{SIGN}; + } + + # merge both kinds of requires into prereq_pm + my $prereq = ($args->{PREREQ_PM} ||= {}); + %$prereq = ( %$prereq, + map { @$_ } + map { @$_ } + grep $_, + ($self->configure_requires, $self->build_requires, $self->requires) + ); + + # Remove any reference to perl, PREREQ_PM doesn't support it + delete $args->{PREREQ_PM}->{perl}; + + # merge both kinds of requires into prereq_pm + my $subdirs = ($args->{DIR} ||= []); + if 
($self->bundles) { + foreach my $bundle (@{ $self->bundles }) { + my ($file, $dir) = @$bundle; + push @$subdirs, $dir if -d $dir; + delete $prereq->{$file}; + } + } + + if ( my $perl_version = $self->perl_version ) { + eval "use $perl_version; 1" + or die "ERROR: perl: Version $] is installed, " + . "but we need version >= $perl_version"; + } + + $args->{INSTALLDIRS} = $self->installdirs; + + my %args = map { ( $_ => $args->{$_} ) } grep {defined($args->{$_})} keys %$args; + + my $user_preop = delete $args{dist}->{PREOP}; + if (my $preop = $self->admin->preop($user_preop)) { + $args{dist} = $preop; + } + + my $mm = ExtUtils::MakeMaker::WriteMakefile(%args); + $self->fix_up_makefile($mm->{FIRST_MAKEFILE} || 'Makefile'); +} + +sub fix_up_makefile { + my $self = shift; + my $makefile_name = shift; + my $top_class = ref($self->_top) || ''; + my $top_version = $self->_top->VERSION || ''; + + my $preamble = $self->preamble + ? "# Preamble by $top_class $top_version\n" + . $self->preamble + : ''; + my $postamble = "# Postamble by $top_class $top_version\n" + . ($self->postamble || ''); + + local *MAKEFILE; + open MAKEFILE, "< $makefile_name" or die "fix_up_makefile: Couldn't open $makefile_name: $!"; + my $makefile = do { local $/; }; + close MAKEFILE or die $!; + + $makefile =~ s/\b(test_harness\(\$\(TEST_VERBOSE\), )/$1'inc', /; + $makefile =~ s/( -I\$\(INST_ARCHLIB\))/ -Iinc$1/g; + $makefile =~ s/( "-I\$\(INST_LIB\)")/ "-Iinc"$1/g; + $makefile =~ s/^(FULLPERL = .*)/$1 "-Iinc"/m; + $makefile =~ s/^(PERL = .*)/$1 "-Iinc"/m; + + # Module::Install will never be used to build the Core Perl + # Sometimes PERL_LIB and PERL_ARCHLIB get written anyway, which breaks + # PREFIX/PERL5LIB, and thus, install_share. Blank them if they exist + $makefile =~ s/^PERL_LIB = .+/PERL_LIB =/m; + #$makefile =~ s/^PERL_ARCHLIB = .+/PERL_ARCHLIB =/m; + + # Perl 5.005 mentions PERL_LIB explicitly, so we have to remove that as well. 
+ $makefile =~ s/(\"?)-I\$\(PERL_LIB\)\1//g; + + # XXX - This is currently unused; not sure if it breaks other MM-users + # $makefile =~ s/^pm_to_blib\s+:\s+/pm_to_blib :: /mg; + + open MAKEFILE, "> $makefile_name" or die "fix_up_makefile: Couldn't open $makefile_name: $!"; + print MAKEFILE "$preamble$makefile$postamble" or die $!; + close MAKEFILE or die $!; + + 1; +} + +sub preamble { + my ($self, $text) = @_; + $self->{preamble} = $text . $self->{preamble} if defined $text; + $self->{preamble}; +} + +sub postamble { + my ($self, $text) = @_; + $self->{postamble} ||= $self->admin->postamble; + $self->{postamble} .= $text if defined $text; + $self->{postamble} +} + +1; + +__END__ + +#line 371 diff --git a/inc/Module/Install/Metadata.pm b/inc/Module/Install/Metadata.pm new file mode 100755 index 0000000..a39ffde --- /dev/null +++ b/inc/Module/Install/Metadata.pm 
@@ -0,0 +1,318 @@ +#line 1 +package Module::Install::Metadata; + +use strict 'vars'; +use Module::Install::Base; + +use vars qw{$VERSION $ISCORE @ISA}; +BEGIN { + $VERSION = '0.70'; + $ISCORE = 1; + @ISA = qw{Module::Install::Base}; +} + +my @scalar_keys = qw{ + name module_name abstract author version license + distribution_type perl_version tests installdirs +}; + +my @tuple_keys = qw{ + configure_requires build_requires requires recommends bundles +}; + +sub Meta { shift } +sub Meta_ScalarKeys { @scalar_keys } +sub Meta_TupleKeys { @tuple_keys } + +foreach my $key (@scalar_keys) { + *$key = sub { + my $self = shift; + return $self->{values}{$key} if defined wantarray and !@_; + $self->{values}{$key} = shift; + return $self; + }; +} + +foreach my $key (@tuple_keys) { + *$key = sub { + my $self = shift; + return $self->{values}{$key} unless @_; + + my @rv; + while (@_) { + my $module = shift or last; + my $version = shift || 0; + if ( $module eq 'perl' ) { + $version =~ s{^(\d+)\.(\d+)\.(\d+)} + {$1 + $2/1_000 + $3/1_000_000}e; + $self->perl_version($version); + next; + } + my $rv = [ $module, $version ]; + push @rv, $rv; + } + push @{ $self->{values}{$key} }, @rv; + @rv; + }; +} + +# Aliases for build_requires that will have alternative +# meanings in some future version of META.yml. +sub test_requires { shift->build_requires(@_) } +sub install_requires { shift->build_requires(@_) } + +# Aliases for installdirs options +sub install_as_core { $_[0]->installdirs('perl') } +sub install_as_cpan { $_[0]->installdirs('site') } +sub install_as_site { $_[0]->installdirs('site') } +sub install_as_vendor { $_[0]->installdirs('vendor') } + +sub sign { + my $self = shift; + return $self->{'values'}{'sign'} if defined wantarray and ! @_; + $self->{'values'}{'sign'} = ( @_ ? 
$_[0] : 1 ); + return $self; +} + +sub dynamic_config { + my $self = shift; + unless ( @_ ) { + warn "You MUST provide an explicit true/false value to dynamic_config, skipping\n"; + return $self; + } + $self->{'values'}{'dynamic_config'} = $_[0] ? 1 : 0; + return $self; +} + +sub all_from { + my ( $self, $file ) = @_; + + unless ( defined($file) ) { + my $name = $self->name + or die "all_from called with no args without setting name() first"; + $file = join('/', 'lib', split(/-/, $name)) . '.pm'; + $file =~ s{.*/}{} unless -e $file; + die "all_from: cannot find $file from $name" unless -e $file; + } + + $self->version_from($file) unless $self->version; + $self->perl_version_from($file) unless $self->perl_version; + + # The remaining probes read from POD sections; if the file + # has an accompanying .pod, use that instead + my $pod = $file; + if ( $pod =~ s/\.pm$/.pod/i and -e $pod ) { + $file = $pod; + } + + $self->author_from($file) unless $self->author; + $self->license_from($file) unless $self->license; + $self->abstract_from($file) unless $self->abstract; +} + +sub provides { + my $self = shift; + my $provides = ( $self->{values}{provides} ||= {} ); + %$provides = (%$provides, @_) if @_; + return $provides; +} + +sub auto_provides { + my $self = shift; + return $self unless $self->is_admin; + unless (-e 'MANIFEST') { + warn "Cannot deduce auto_provides without a MANIFEST, skipping\n"; + return $self; + } + # Avoid spurious warnings as we are not checking manifest here. 
+ local $SIG{__WARN__} = sub {1}; + require ExtUtils::Manifest; + local *ExtUtils::Manifest::manicheck = sub { return }; + + require Module::Build; + my $build = Module::Build->new( + dist_name => $self->name, + dist_version => $self->version, + license => $self->license, + ); + $self->provides( %{ $build->find_dist_packages || {} } ); +} + +sub feature { + my $self = shift; + my $name = shift; + my $features = ( $self->{values}{features} ||= [] ); + my $mods; + + if ( @_ == 1 and ref( $_[0] ) ) { + # The user used ->feature like ->features by passing in the second + # argument as a reference. Accomodate for that. + $mods = $_[0]; + } else { + $mods = \@_; + } + + my $count = 0; + push @$features, ( + $name => [ + map { + ref($_) ? ( ref($_) eq 'HASH' ) ? %$_ : @$_ : $_ + } @$mods + ] + ); + + return @$features; +} + +sub features { + my $self = shift; + while ( my ( $name, $mods ) = splice( @_, 0, 2 ) ) { + $self->feature( $name, @$mods ); + } + return $self->{values}->{features} + ? @{ $self->{values}->{features} } + : (); +} + +sub no_index { + my $self = shift; + my $type = shift; + push @{ $self->{values}{no_index}{$type} }, @_ if $type; + return $self->{values}{no_index}; +} + +sub read { + my $self = shift; + $self->include_deps( 'YAML', 0 ); + + require YAML; + my $data = YAML::LoadFile('META.yml'); + + # Call methods explicitly in case user has already set some values. 
+ while ( my ( $key, $value ) = each %$data ) { + next unless $self->can($key); + if ( ref $value eq 'HASH' ) { + while ( my ( $module, $version ) = each %$value ) { + $self->can($key)->($self, $module => $version ); + } + } else { + $self->can($key)->($self, $value); + } + } + return $self; +} + +sub write { + my $self = shift; + return $self unless $self->is_admin; + $self->admin->write_meta; + return $self; +} + +sub version_from { + require ExtUtils::MM_Unix; + my ( $self, $file ) = @_; + $self->version( ExtUtils::MM_Unix->parse_version($file) ); +} + +sub abstract_from { + require ExtUtils::MM_Unix; + my ( $self, $file ) = @_; + $self->abstract( + bless( + { DISTNAME => $self->name }, + 'ExtUtils::MM_Unix' + )->parse_abstract($file) + ); +} + +sub _slurp { + local *FH; + open FH, "< $_[1]" or die "Cannot open $_[1].pod: $!"; + do { local $/; }; +} + +sub perl_version_from { + my ( $self, $file ) = @_; + if ( + $self->_slurp($file) =~ m/ + ^ + use \s* + v? + ([\d_\.]+) + \s* ; + /ixms + ) { + my $v = $1; + $v =~ s{_}{}g; + $self->perl_version($1); + } else { + warn "Cannot determine perl version info from $file\n"; + return; + } +} + +sub author_from { + my ( $self, $file ) = @_; + my $content = $self->_slurp($file); + if ($content =~ m/ + =head \d \s+ (?:authors?)\b \s* + ([^\n]*) + | + =head \d \s+ (?:licen[cs]e|licensing|copyright|legal)\b \s* + .*? copyright .*? \d\d\d[\d.]+ \s* (?:\bby\b)? \s* + ([^\n]*) + /ixms) { + my $author = $1 || $2; + $author =~ s{E}{<}g; + $author =~ s{E}{>}g; + $self->author($author); + } else { + warn "Cannot determine author info from $file\n"; + } +} + +sub license_from { + my ( $self, $file ) = @_; + + if ( + $self->_slurp($file) =~ m/ + ( + =head \d \s+ + (?:licen[cs]e|licensing|copyright|legal)\b + .*? 
+ ) + (=head\\d.*|=cut.*|) + \z + /ixms ) { + my $license_text = $1; + my @phrases = ( + 'under the same (?:terms|license) as perl itself' => 'perl', 1, + 'GNU public license' => 'gpl', 1, + 'GNU lesser public license' => 'lgpl', 1, + 'BSD license' => 'bsd', 1, + 'Artistic license' => 'artistic', 1, + 'GPL' => 'gpl', 1, + 'LGPL' => 'lgpl', 1, + 'BSD' => 'bsd', 1, + 'Artistic' => 'artistic', 1, + 'MIT' => 'mit', 1, + 'proprietary' => 'proprietary', 0, + ); + while ( my ($pattern, $license, $osi) = splice(@phrases, 0, 3) ) { + $pattern =~ s{\s+}{\\s+}g; + if ( $license_text =~ /\b$pattern\b/i ) { + if ( $osi and $license_text =~ /All rights reserved/i ) { + warn "LEGAL WARNING: 'All rights reserved' may invalidate Open Source licenses. Consider removing it."; + } + $self->license($license); + return 1; + } + } + } + + warn "Cannot determine license info from $file\n"; + return 'unknown'; +} + +1; diff --git a/inc/Module/Install/RTx.pm b/inc/Module/Install/RTx.pm new file mode 100755 index 0000000..20a354b --- /dev/null +++ b/inc/Module/Install/RTx.pm 
@@ -0,0 +1,191 @@ +#line 1 +package Module::Install::RTx; + +use 5.008; +use strict; +use warnings; +no warnings 'once'; + +use Module::Install::Base; +use base 'Module::Install::Base'; +our $VERSION = '0.24'; + +use FindBin; +use File::Glob (); +use File::Basename (); + +my @DIRS = qw(etc lib html bin sbin po var); +my @INDEX_DIRS = qw(lib bin sbin); + +sub RTx { + my ( $self, $name ) = @_; + + my $original_name = $name; + my $RTx = 'RTx'; + $RTx = $1 if $name =~ s/^(\w+)-//; + my $fname = $name; + $fname =~ s!-!/!g; + + $self->name("$RTx-$name") + unless $self->name; + $self->all_from( -e "$name.pm" ? "$name.pm" : "lib/$RTx/$fname.pm" ) + unless $self->version; + $self->abstract("RT $name Extension") + unless $self->abstract; + + my @prefixes = (qw(/opt /usr/local /home /usr /sw )); + my $prefix = $ENV{PREFIX}; + @ARGV = grep { /PREFIX=(.*)/ ? ( ( $prefix = $1 ), 0 ) : 1 } @ARGV; + + if ($prefix) { + $RT::LocalPath = $prefix; + $INC{'RT.pm'} = "$RT::LocalPath/lib/RT.pm"; + } else { + local @INC = ( + @INC, + $ENV{RTHOME} ? ( $ENV{RTHOME}, "$ENV{RTHOME}/lib" ) : (), + map { ( "$_/rt3/lib", "$_/lib/rt3", "$_/lib" ) } grep $_, + @prefixes + ); + until ( eval { require RT; $RT::LocalPath } ) { + warn + "Cannot find the location of RT.pm that defines \$RT::LocalPath in: @INC\n"; + $_ = $self->prompt("Path to your RT.pm:") or exit; + push @INC, $_, "$_/rt3/lib", "$_/lib/rt3", "$_/lib"; + } + } + + my $lib_path = File::Basename::dirname( $INC{'RT.pm'} ); + my $local_lib_path = "$RT::LocalPath/lib"; + print "Using RT configuration from $INC{'RT.pm'}:\n"; + unshift @INC, "$RT::LocalPath/lib" if $RT::LocalPath; + + $RT::LocalVarPath ||= $RT::VarPath; + $RT::LocalPoPath ||= $RT::LocalLexiconPath; + $RT::LocalHtmlPath ||= $RT::MasonComponentRoot; + $RT::LocalLibPath ||= "$RT::LocalPath/lib"; + + my $with_subdirs = $ENV{WITH_SUBDIRS}; + @ARGV = grep { /WITH_SUBDIRS=(.*)/ ? 
( ( $with_subdirs = $1 ), 0 ) : 1 } + @ARGV; + + my %subdirs; + %subdirs = map { $_ => 1 } split( /\s*,\s*/, $with_subdirs ) + if defined $with_subdirs; + unless ( keys %subdirs ) { + $subdirs{$_} = 1 foreach grep -d "$FindBin::Bin/$_", @DIRS; + } + + # If we're running on RT 3.8 with plugin support, we really wany + # to install libs, mason templates and po files into plugin specific + # directories + my %path; + if ( $RT::LocalPluginPath ) { + die "Because of bugs in RT 3.8.0 this extension can not be installed.\n" + ."Upgrade to RT 3.8.1 or newer.\n" if $RT::VERSION =~ /^3\.8\.0/; + $path{$_} = $RT::LocalPluginPath . "/$original_name/$_" + foreach @DIRS; + } else { + foreach ( @DIRS ) { + no strict 'refs'; + my $varname = "RT::Local" . ucfirst($_) . "Path"; + $path{$_} = ${$varname} || "$RT::LocalPath/$_"; + } + + $path{$_} .= "/$name" for grep $path{$_}, qw(etc po var); + } + + my %index = map { $_ => 1 } @INDEX_DIRS; + $self->no_index( directory => $_ ) foreach grep !$index{$_}, @DIRS; + + my $args = join ', ', map "q($_)", map { ($_, $path{$_}) } + grep $subdirs{$_}, keys %path; + + print "./$_\t=> $path{$_}\n" for sort keys %subdirs; + + if ( my @dirs = map { ( -D => $_ ) } grep $subdirs{$_}, qw(bin html sbin) ) { + my @po = map { ( -o => $_ ) } + grep -f, + File::Glob::bsd_glob("po/*.po"); + $self->postamble(<< ".") if @po; +lexicons :: +\t\$(NOECHO) \$(PERL) -MLocale::Maketext::Extract::Run=xgettext -e \"xgettext(qw(@dirs @po))\" +. + } + + my $postamble = << "."; +install :: +\t\$(NOECHO) \$(PERL) -MExtUtils::Install -e \"install({$args})\" +. + + if ( $subdirs{var} and -d $RT::MasonDataDir ) { + my ( $uid, $gid ) = ( stat($RT::MasonDataDir) )[ 4, 5 ]; + $postamble .= << "."; +\t\$(NOECHO) chown -R $uid:$gid $path{var} +. 
+ } + + my %has_etc; + if ( File::Glob::bsd_glob("$FindBin::Bin/etc/schema.*") ) { + + # got schema, load factory module + $has_etc{schema}++; + $self->load('RTxFactory'); + $self->postamble(<< "."); +factory :: +\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxFactory(qw($RTx $name))" + +dropdb :: +\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxFactory(qw($RTx $name drop))" + +. + } + if ( File::Glob::bsd_glob("$FindBin::Bin/etc/acl.*") ) { + $has_etc{acl}++; + } + if ( -e 'etc/initialdata' ) { $has_etc{initialdata}++; } + + $self->postamble("$postamble\n"); + unless ( $subdirs{'lib'} ) { + $self->makemaker_args( PM => { "" => "" }, ); + } else { + $self->makemaker_args( INSTALLSITELIB => $path{'lib'} ); + $self->makemaker_args( INSTALLARCHLIB => $path{'lib'} ); + } + + $self->makemaker_args( INSTALLSITEMAN1DIR => "$RT::LocalPath/man/man1" ); + $self->makemaker_args( INSTALLSITEMAN3DIR => "$RT::LocalPath/man/man3" ); + $self->makemaker_args( INSTALLSITEARCH => "$RT::LocalPath/man" ); + + if (%has_etc) { + $self->load('RTxInitDB'); + print "For first-time installation, type 'make initdb'.\n"; + my $initdb = ''; + $initdb .= <<"." if $has_etc{schema}; +\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxInitDB(qw(schema))" +. + $initdb .= <<"." if $has_etc{acl}; +\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxInitDB(qw(acl))" +. + $initdb .= <<"." if $has_etc{initialdata}; +\t\$(NOECHO) \$(PERL) -Ilib -I"$local_lib_path" -I"$lib_path" -Minc::Module::Install -e"RTxInitDB(qw(insert))" +. 
+ $self->postamble("initdb ::\n$initdb\n"); + $self->postamble("initialize-database ::\n$initdb\n"); + } +} + +sub RTxInit { + unshift @INC, substr( delete( $INC{'RT.pm'} ), 0, -5 ) if $INC{'RT.pm'}; + require RT; + RT::LoadConfig(); + RT::ConnectToDatabase(); + + die "Cannot load RT" unless $RT::Handle and $RT::DatabaseType; +} + +1; + +__END__ + +#line 302 diff --git a/inc/Module/Install/Win32.pm b/inc/Module/Install/Win32.pm new file mode 100755 index 0000000..21a81ab --- /dev/null +++ b/inc/Module/Install/Win32.pm 
@@ -0,0 +1,64 @@ +#line 1 +package Module::Install::Win32; + +use strict; +use Module::Install::Base; + +use vars qw{$VERSION @ISA $ISCORE}; +BEGIN { + $VERSION = '0.70'; + @ISA = qw{Module::Install::Base}; + $ISCORE = 1; +} + +# determine if the user needs nmake, and download it if needed +sub check_nmake { + my $self = shift; + $self->load('can_run'); + $self->load('get_file'); + + require Config; + return unless ( + $^O eq 'MSWin32' and + $Config::Config{make} and + $Config::Config{make} =~ /^nmake\b/i and + ! $self->can_run('nmake') + ); + + print "The required 'nmake' executable not found, fetching it...\n"; + + require File::Basename; + my $rv = $self->get_file( + url => 'http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe', + ftp_url => 'ftp://ftp.microsoft.com/Softlib/MSLFILES/Nmake15.exe', + local_dir => File::Basename::dirname($^X), + size => 51928, + run => 'Nmake15.exe /o > nul', + check_for => 'Nmake.exe', + remove => 1, + ); + + die <<'END_MESSAGE' unless $rv; + +------------------------------------------------------------------------------- + +Since you are using Microsoft Windows, you will need the 'nmake' utility +before installation. It's available at: + + http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe + or + ftp://ftp.microsoft.com/Softlib/MSLFILES/Nmake15.exe + +Please download the file manually, save it to a directory in %PATH% (e.g. +C:\WINDOWS\COMMAND\), then launch the MS-DOS command line shell, "cd" to +that directory, and run "Nmake15.exe" from there; that will create the +'nmake.exe' file needed by this module. + +You may then resume the installation process described in README. + +------------------------------------------------------------------------------- +END_MESSAGE + +} + +1; diff --git a/inc/Module/Install/WriteAll.pm b/inc/Module/Install/WriteAll.pm new file mode 100755 index 0000000..a05592d --- /dev/null +++ b/inc/Module/Install/WriteAll.pm 
@@ -0,0 +1,40 @@ +#line 1 +package Module::Install::WriteAll; + +use strict; +use Module::Install::Base; + +use vars qw{$VERSION @ISA $ISCORE}; +BEGIN { + $VERSION = '0.70'; + @ISA = qw{Module::Install::Base}; + $ISCORE = 1; +} + +sub WriteAll { + my $self = shift; + my %args = ( + meta => 1, + sign => 0, + inline => 0, + check_nmake => 1, + @_, + ); + + $self->sign(1) if $args{sign}; + $self->Meta->write if $args{meta}; + $self->admin->WriteAll(%args) if $self->is_admin; + + $self->check_nmake if $args{check_nmake}; + unless ( $self->makemaker_args->{PL_FILES} ) { + $self->makemaker_args( PL_FILES => {} ); + } + + if ( $args{inline} ) { + $self->Inline->write; + } else { + $self->Makefile->write; + } +} + +1; diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm new file mode 100755 index 0000000..55dc8ad --- /dev/null +++ b/lib/RT/Authen/ExternalAuth.pm 
@@ -0,0 +1,548 @@
+package RT::Authen::ExternalAuth;
+
+our $VERSION = '0.08';
+
+=head1 NAME
+
+ RT::Authen::ExternalAuth - RT Authentication using External Sources
+
+=head1 DESCRIPTION
+
+ A complete package for adding external authentication mechanisms
+ to RT. It currently supports LDAP via Net::LDAP and External Database
+ authentication for any database with an installed DBI driver.
+
+ It also allows for authenticating cookie information against an
+ external database through the use of the RT-Authen-CookieAuth extension.
+
+=begin testing
+
+ok(require RT::Authen::ExternalAuth);
+
+=end testing
+
+=cut
+
+use RT::Authen::ExternalAuth::LDAP;
+use RT::Authen::ExternalAuth::DBI;
+
+use strict;
+
+sub DoAuth {
+ my ($session,$given_user,$given_pass) = @_;
+
+ unless(defined($RT::ExternalAuthPriority)) {
+ return (0, "ExternalAuthPriority not defined, please check your configuration file.");
+ }
+
+ my $no_info_check = 0;
+ unless(defined($RT::ExternalInfoPriority)) {
+ $RT::Logger->debug("ExternalInfoPriority not defined. User information (including user enabled/disabled cannot be externally-sourced");
+ $no_info_check = 1;
+ }
+
+ # This may be used by single sign-on (SSO) authentication mechanisms for bypassing a password check.
+ my $pass_bypass = 0;
+ my $success = 0;
+
+ # Should have checked if user is already logged in before calling this function,
+ # but just in case, we'll check too.
+ return (0, "User already logged in!") if ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id);
+ # We don't have a logged in user. Let's try all our available methods in order.
+ # last if success, next if not.
+
+ # Get the prioritised list of external authentication services
+ my @auth_services = @$RT::ExternalAuthPriority;
+
+ # For each of those services..
+ foreach my $service (@auth_services) { + + $pass_bypass = 0; + + # Get the full configuration for that service as a hashref + my $config = $RT::ExternalSettings->{$service}; + $RT::Logger->debug( "Attempting to use external auth service:", + $service); + + # $username will be the final username we decide to check + # This will not necessarily be $given_user + my $username = undef; + + ############################################################# + ####################### SSO Check ########################### + ############################################################# + if ($config->{'type'} eq 'cookie') { + # Currently, Cookie authentication is our only SSO method + $username = RT::Authen::ExternalAuth::DBI::GetCookieAuth($config); + } + ############################################################# + + # If $username is defined, we have a good SSO $username and can + # safely bypass the password checking later on; primarily because + # it's VERY unlikely we even have a password to check if an SSO succeeded. + $pass_bypass = 0; + if(defined($username)) { + $RT::Logger->debug("Pass not going to be checked, attempting SSO"); + $pass_bypass = 1; + } else { + + # SSO failed and no $user was passed for a login attempt + # We only don't return here because the next iteration could be an SSO attempt + unless(defined($given_user)) { + $RT::Logger->debug("SSO Failed and no user to test with. Nexting"); + next; + } + + # We don't have an SSO login, so we will be using the credentials given + # on RT's login page to do our authentication. + $username = $given_user; + + # Don't continue unless the service works. 
+ # next unless RT::Authen::ExternalAuth::TestConnection($config); + + # Don't continue unless the $username exists in the external service + + $RT::Logger->debug("Calling UserExists with \$username ($username) and \$service ($service)"); + next unless RT::Authen::ExternalAuth::UserExists($username, $service); + } + + #################################################################### + ########## Load / Auto-Create ###################################### + #################################################################### + # We are now sure that we're talking about a valid RT user. + # If the user already exists, load up their info. If they don't + # then we need to create the user in RT. + + # Does user already exist internally to RT? + $session->{'CurrentUser'} = RT::CurrentUser->new(); + $session->{'CurrentUser'}->Load($username); + + # Unless we have loaded a valid user with a UserID create one. + unless ($session->{'CurrentUser'}->Id) { + my $UserObj = RT::User->new($RT::SystemUser); + my ($val, $msg) = + $UserObj->Create(%{ref($RT::AutoCreate) ? $RT::AutoCreate : {}}, + Name => $username, + Gecos => $username, + ); + unless ($val) { + $RT::Logger->error( "Couldn't create user $username: $msg" ); + next; + } + $RT::Logger->info( "Autocreated external user", + $UserObj->Name, + "(", + $UserObj->Id, + ")"); + + $RT::Logger->debug("Loading new user (", + $username, + ") into current session"); + $session->{'CurrentUser'}->Load($username); + } + + #################################################################### + ########## Authentication ########################################## + #################################################################### + # If we successfully used an SSO service, then authentication + # succeeded. If we didn't then, success is determined by a password + # test. 
+ $success = 0;
+ if($pass_bypass) {
+ $RT::Logger->debug("Password check bypassed due to SSO method being in use");
+ $success = 1;
+ } else {
+ $RT::Logger->debug("Password validation required for service - Executing...");
+ $success = RT::Authen::ExternalAuth::GetAuth($service,$username,$given_pass);
+ }
+
+ $RT::Logger->debug("Password Validation Check Result: ",$success);
+
+ # If the password check succeeded then this is our authoritative service
+ # and we proceed to user information update and login.
+ last if $success;
+ }
+
+ # If we got here and don't have a user loaded we must have failed to
+ # get a full, valid user from an authoritative external source.
+ unless ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
+ delete $session->{'CurrentUser'};
+ return (0, "No User");
+ }
+
+ unless($success) {
+ delete $session->{'CurrentUser'};
+ return (0, "Password Invalid");
+ }
+
+ # Otherwise we succeeded.
+ $RT::Logger->debug("Authentication successful. Now updating user information and attempting login.");
+
+ ####################################################################################################
+ ############################### The following is auth-method agnostic ##############################
+ ####################################################################################################
+
+ # If we STILL have a completely valid RT user to play with...
+ # and therefore password has been validated...
+ if ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
+
+ # Even if we have JUST created the user in RT, we are going to
+ # reload their information from an external source. This allows us
+ # to be sure that the user the cookie gave us really does exist in
+ # the database, but more importantly, UpdateFromExternal will check
+ # whether the user is disabled or not which we have not been able to
+ # do during auto-create
+
+ # These are not currently used, but may be used in the future.
+ my $info_updated = 0; + my $info_updated_msg = "User info not updated"; + + unless($no_info_check) { + # Note that UpdateUserInfo does not care how we authenticated the user + # It will look up user info from whatever is specified in $RT::ExternalInfoPriority + ($info_updated,$info_updated_msg) = RT::Authen::ExternalAuth::UpdateUserInfo($session->{'CurrentUser'}->Name); + } + + # Now that we definitely have up-to-date user information, + # if the user is disabled, kick them out. Now! + if ($session->{'CurrentUser'}->UserObj->Disabled) { + delete $session->{'CurrentUser'}; + return (0, "User account disabled, login denied"); + } + } + + # If we **STILL** have a full user and the session hasn't already been deleted + # This If/Else is logically unnecessary, but it doesn't hurt to leave it here + # just in case. Especially to be a double-check to future modifications. + if ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) { + + $RT::Logger->info( "Successful login for", + $session->{'CurrentUser'}->Name, + "from", + $ENV{'REMOTE_ADDR'}); + # Do not delete the session. User stays logged in and + # autohandler will not check the password again + } else { + # Make SURE the session is deleted. + delete $session->{'CurrentUser'}; + return (0, "Failed to authenticate externally"); + # This will cause autohandler to request IsPassword + # which will in turn call IsExternalPassword + } + + return (1, "Successful login"); +} + +sub UpdateUserInfo { + my $username = shift; + + # Prepare for the worst... + my $found = 0; + my $updated = 0; + my $msg = "User NOT updated"; + + my $user_disabled = RT::Authen::ExternalAuth::UserDisabled($username); + + my $UserObj = RT::User->new($RT::SystemUser); + $UserObj->Load($username); + + # If user is disabled, set the RT::Principle to disabled and return out of the function. 
+ # I think it's a waste of time and energy to update a user's information if they are disabled + # and it could be a security risk if they've updated their external information with some + # carefully concocted code to try to break RT - worst case scenario, but they have been + # denied access after all, don't take any chances. + + # If someone gives me a good enough reason to do it, + # then I'll update all the info for disabled users + + if ($user_disabled) { + # Make sure principle is disabled in RT + my ($val, $message) = $UserObj->SetDisabled(1); + # Log what has happened + $RT::Logger->info("User marked as DISABLED (", + $username, + ") per External Service", + "($val, $message)\n"); + $msg = "User Disabled"; + + return ($updated, $msg); + } + + # Make sure principle is not disabled in RT + my ($val, $message) = $UserObj->SetDisabled(0); + # Log what has happened + $RT::Logger->info("User marked as ENABLED (", + $username, + ") per External Service", + "($val, $message)\n"); + + # Update their info from external service using the username as the lookup key + # CanonicalizeUserInfo will work out for itself which service to use + # Passing it a service instead could break other RT code + my %args = (Name => $username); + $UserObj->CanonicalizeUserInfo(\%args); + + # For each piece of information returned by CanonicalizeUserInfo, + # run the Set method for that piece of info to change it for the user + foreach my $key (sort(keys(%args))) { + next unless $args{$key}; + my $method = "Set$key"; + # We do this on the UserObj from above, not self so that there + # are no permission restrictions on setting information + my ($method_success,$method_msg) = $UserObj->$method($args{$key}); + + # If your user information is not getting updated, + # uncomment the following logging statements + if ($method_success) { + # At DEBUG level, log that method succeeded + # $RT::Logger->debug((caller(0))[3],"$method Succeeded. 
$method_msg"); + } else { + # At DEBUG level, log that method failed + # $RT::Logger->debug((caller(0))[3],"$method Failed. $method_msg"); + } + } + + # Confirm update success + $updated = 1; + $RT::Logger->debug( "UPDATED user (", + $username, + ") from External Service\n"); + $msg = 'User updated'; + + return ($updated, $msg); +} + +sub GetAuth { + + # Request a username/password check from the specified service + # This is only valid for non-SSO services. + + my ($service,$username,$password) = @_; + + my $success = 0; + + # Get the full configuration for that service as a hashref + my $config = $RT::ExternalSettings->{$service}; + + # And then act accordingly depending on what type of service it is. + # Right now, there is only code for DBI and LDAP non-SSO services + if ($config->{'type'} eq 'db') { + $success = RT::Authen::ExternalAuth::DBI::GetAuth($service,$username,$password); + $RT::Logger->debug("DBI password validation result:",$success); + } elsif ($config->{'type'} eq 'ldap') { + $success = RT::Authen::ExternalAuth::LDAP::GetAuth($service,$username,$password); + $RT::Logger->debug("LDAP password validation result:",$success); + } else { + $RT::Logger->error("Invalid service type for GetAuth:",$service); + } + + return $success; +} + +sub UserExists { + + # Request a username/password check from the specified service + # This is only valid for non-SSO services. + + my ($username,$service) = @_; + + my $success = 0; + + # Get the full configuration for that service as a hashref + my $config = $RT::ExternalSettings->{$service}; + + # And then act accordingly depending on what type of service it is. 
+ # Right now, there is only code for DBI and LDAP non-SSO services + if ($config->{'type'} eq 'db') { + $success = RT::Authen::ExternalAuth::DBI::UserExists($username,$service); + } elsif ($config->{'type'} eq 'ldap') { + $success = RT::Authen::ExternalAuth::LDAP::UserExists($username,$service); + } else { + $RT::Logger->debug("Invalid service type for UserExists:",$service); + } + + return $success; +} + +sub UserDisabled { + + my $username = shift; + my $user_disabled = 0; + + my @info_services = $RT::ExternalInfoPriority ? @{$RT::ExternalInfoPriority} : undef; + + # For each named service in the list + # Check to see if the user is found in the external service + # If not found, jump to next service + # If found, check to see if user is considered disabled by the service + # Then update the user's info in RT and return + foreach my $service (@info_services) { + + # Get the external config for this service as a hashref + my $config = $RT::ExternalSettings->{$service}; + + # If the config doesn't exist, don't bother doing anything, skip to next in list. + unless(defined($config)) { + $RT::Logger->debug("You haven't defined a configuration for the service named \"", + $service, + "\" so I'm not going to try to get user information from it. 
Skipping..."); + next; + } + + # If it's a DBI config: + if ($config->{'type'} eq 'db') { + + unless(RT::Authen::ExternalAuth::DBI::UserExists($username,$service)) { + $RT::Logger->debug("User (", + $username, + ") doesn't exist in service (", + $service, + ") - Cannot update information - Skipping..."); + next; + } + $user_disabled = RT::Authen::ExternalAuth::DBI::UserDisabled($username,$service); + + } elsif ($config->{'type'} eq 'ldap') { + + unless(RT::Authen::ExternalAuth::LDAP::UserExists($username,$service)) { + $RT::Logger->debug("User (", + $username, + ") doesn't exist in service (", + $service, + ") - Cannot update information - Skipping..."); + next; + } + $user_disabled = RT::Authen::ExternalAuth::LDAP::UserDisabled($username,$service); + + } elsif ($config->{'type'} eq 'cookie') { + RT::Logger->error("You cannot use SSO Cookies as an information service."); + next; + } else { + # The type of external service doesn't currently have any methods associated with it. Or it's a typo. + RT::Logger->error("Invalid type specification for config %config->{'name'}"); + # Drop out to next service in list + next; + } + + } + return $user_disabled; +} + +sub CanonicalizeUserInfo { + + # Careful, this $args hashref was given to RT::User::CanonicalizeUserInfo and + # then transparently passed on to this function. The whole purpose is to update + # the original hash as whatever passed it to RT::User is expecting to continue its + # code with an update args hash. + + my $UserObj = shift; + my $args = shift; + + my $found = 0; + my %params = (Name => undef, + EmailAddress => undef, + RealName => undef); + + $RT::Logger->debug( (caller(0))[3], + "called by", + caller, + "with:", + join(", ", map {sprintf("%s: %s", $_, $args->{$_})} + sort(keys(%$args)))); + + # Get the list of defined external services + my @info_services = $RT::ExternalInfoPriority ? @{$RT::ExternalInfoPriority} : undef; + # For each external service... 
+ foreach my $service (@info_services) { + + $RT::Logger->debug( "Attempting to get user info using this external service:", + $service); + + # Get the config for the service so that we know what attrs we can canonicalize + my $config = $RT::ExternalSettings->{$service}; + + if($config->{'type'} eq 'cookie'){ + $RT::Logger->debug("You cannot use SSO cookies as an information service!"); + next; + } + + # For each attr we've been told to canonicalize in the match list + foreach my $rt_attr (@{$config->{'attr_match_list'}}) { + # Jump to the next attr in $args if this one isn't in the attr_match_list + $RT::Logger->debug( "Attempting to use this canonicalization key:",$rt_attr); + unless(defined($args->{$rt_attr})) { + $RT::Logger->debug("This attribute (", + $rt_attr, + ") is null or incorrectly defined in the attr_map for this service (", + $service, + ")"); + next; + } + + # Else, use it as a canonicalization key and lookup the user info + my $key = $config->{'attr_map'}->{$rt_attr}; + my $value = $args->{$rt_attr}; + + # Check to see that the key being asked for is defined in the config's attr_map + my $valid = 0; + my ($attr_key, $attr_value); + my $attr_map = $config->{'attr_map'}; + while (($attr_key, $attr_value) = each %$attr_map) { + $valid = 1 if ($key eq $attr_value); + } + unless ($valid){ + $RT::Logger->debug( "This key (", + $key, + "is not a valid attribute key (", + $service, + ")"); + next; + } + + # Use an if/elsif structure to do a lookup with any custom code needed + # for any given type of external service, or die if no code exists for + # the service requested. 
+ + if($config->{'type'} eq 'ldap'){ + ($found, %params) = RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo($service,$key,$value); + } elsif ($config->{'type'} eq 'db') { + ($found, %params) = RT::Authen::ExternalAuth::DBI::CanonicalizeUserInfo($service,$key,$value); + } else { + $RT::Logger->debug( (caller(0))[3], + "does not consider", + $service, + "a valid information service"); + } + + # Don't Check any more attributes + last if $found; + } + # Don't Check any more services + last if $found; + } + + # If found, Canonicalize Email Address and + # update the args hash that we were given the hashref for + if ($found) { + # It's important that we always have a canonical email address + if ($params{'EmailAddress'}) { + $params{'EmailAddress'} = $UserObj->CanonicalizeEmailAddress($params{'EmailAddress'}); + } + %$args = (%$args, %params); + } + + $RT::Logger->info( (caller(0))[3], + "returning", + join(", ", map {sprintf("%s: %s", $_, $args->{$_})} + sort(keys(%$args)))); + + ### HACK: The config var below is to overcome the (IMO) bug in + ### RT::User::Create() which expects this function to always + ### return true or rejects the user for creation. This should be + ### a different config var (CreateUncanonicalizedUsers) and + ### should be honored in RT::User::Create() + return($found || $RT::AutoCreateNonExternalUsers); + +} + +1; diff --git a/lib/RT/Authen/ExternalAuth/DBI.pm b/lib/RT/Authen/ExternalAuth/DBI.pm new file mode 100755 index 0000000..a707d5e --- /dev/null +++ b/lib/RT/Authen/ExternalAuth/DBI.pm 
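Review bot: In DoAuth the RT account is loaded or auto-created (the `RT::User->Create` block under "Load / Auto-Create") before `GetAuth` has verified the password, so any unauthenticated request naming a username that `UserExists` confirms in LDAP or the DB creates a real RT user and an "Autocreated external user" log entry; the password check should gate the create, as in the reordering below, after which the post-loop `unless ($success)` branch is normally reached with no CurrentUser and bad passwords report "No User" too (which also stops the two messages from distinguishing unknown users from wrong passwords). Two smaller defects in the same hunk: `UserDisabled` calls `RT::Logger->error(...)` as a class method on the bareword, which dies in exactly the misconfiguration branches it is meant to log (use `$RT::Logger->error(...)`), and its second message interpolates `%config->{'name'}` where `$config->{'name'}` is meant. The expression `my @info_services = $RT::ExternalInfoPriority ? @{$RT::ExternalInfoPriority} : undef;` (in both `UserDisabled` and `CanonicalizeUserInfo`) yields a one-element list holding undef rather than an empty list, so the loops run once with an undefined service name; `: ()` is intended. Note too that `UpdateUserInfo` calls `SetDisabled(0)` whenever `UserDisabled` returns false, and `UserDisabled` also returns 0 when the user is found in none of the info services, so an account disabled locally in RT is re-enabled on its next external login; confirm that precedence is intended.
```perl
        # … unchanged: SSO check, $given_user / UserExists gate …

        # Verify the credential before touching the RT user table, so an
        # unauthenticated request naming a valid external user cannot
        # create RT accounts.
        $success = 0;
        if ($pass_bypass) {
            $RT::Logger->debug("Password check bypassed due to SSO method being in use");
            $success = 1;
        } else {
            $RT::Logger->debug("Password validation required for service - Executing...");
            $success = RT::Authen::ExternalAuth::GetAuth($service,$username,$given_pass);
        }
        $RT::Logger->debug("Password Validation Check Result: ",$success);
        next unless $success;

        # Only an authenticated username gets loaded or auto-created.
        $session->{'CurrentUser'} = RT::CurrentUser->new();
        $session->{'CurrentUser'}->Load($username);
        unless ($session->{'CurrentUser'}->Id) {
            # … unchanged: RT::User->Create, error/next on failure, reload …
        }
        last;
```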
@@ -0,0 +1,451 @@
+package RT::Authen::ExternalAuth::DBI;
+
+use DBI;
+use RT::Authen::ExternalAuth::DBI::Cookie;
+
+use strict;
+
+sub GetAuth {
+
+ my ($service, $username, $password) = @_;
+
+ my $config = $RT::ExternalSettings->{$service};
+ $RT::Logger->debug( "Trying external auth service:",$service);
+
+ my $db_table = $config->{'table'};
+ my $db_u_field = $config->{'u_field'};
+ my $db_p_field = $config->{'p_field'};
+ my $db_p_enc_pkg = $config->{'p_enc_pkg'};
+ my $db_p_enc_sub = $config->{'p_enc_sub'};
+ my $db_p_salt = $config->{'p_salt'};
+
+ # Set SQL query and bind parameters
+ my $query = "SELECT $db_u_field,$db_p_field FROM $db_table WHERE $db_u_field=?";
+ my @params = ($username);
+
+ # Uncomment this to trace basic DBI information and drop it in a log for debugging
+ # DBI->trace(1,'/tmp/dbi.log');
+
+ # Get DBI handle object (DBH), do SQL query, kill DBH
+ my $dbh = _GetBoundDBIObj($config);
+ return 0 unless $dbh;
+
+ my $results_hashref = $dbh->selectall_hashref($query,$db_u_field,{},@params);
+ $dbh->disconnect();
+
+ my $num_users_returned = scalar keys %$results_hashref;
+ if($num_users_returned != 1) { # FAIL
+ # FAIL because more than one user returned. Users MUST be unique!
+ if ((scalar keys %$results_hashref) > 1) {
+ $RT::Logger->info( $service,
+ "AUTH FAILED",
+ $username,
+ "More than one user with that username!");
+ }
+
+ # FAIL because no users returned. Users MUST exist!
+ if ((scalar keys %$results_hashref) < 1) {
+ $RT::Logger->info( $service,
+ "AUTH FAILED",
+ $username,
+ "User not found in database!");
+ }
+
+ # Drop out to next external authentication service
+ return 0;
+ }
+
+ # Get the user's password from the database query result
+ my $pass_from_db = $results_hashref->{$username}->{$db_p_field};
+
+ # This is the encryption package & subroutine passed in by the config file
+ $RT::Logger->debug( "Encryption Package:",
+ $db_p_enc_pkg);
+ $RT::Logger->debug( "Encryption Subroutine:",
+ $db_p_enc_sub);
+
+ # Use config info to auto-load the perl package needed for password encryption
+ # I know it uses a string eval - but I don't think there's a better way to do this
+ # Jump to next external authentication service on failure
+ eval "require $db_p_enc_pkg" or
+ $RT::Logger->error("AUTH FAILED, Couldn't Load Password Encryption Package. Error: $@") && return 0;
+
+ my $encrypt = $db_p_enc_pkg->can($db_p_enc_sub);
+ if (defined($encrypt)) {
+ # If the package given can perform the subroutine given, then use it to compare the
+ # password given with the password pulled from the database.
+ # Jump to the next external authentication service if they don't match
+ if(defined($db_p_salt)) {
+ $RT::Logger->debug("Using salt:",$db_p_salt);
+ if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){
+ $RT::Logger->info( $service,
+ "AUTH FAILED",
+ $username,
+ "Password Incorrect");
+ return 0;
+ }
+ } else {
+ if(${encrypt}->($password) ne $pass_from_db){
+ $RT::Logger->info( $service,
+ "AUTH FAILED",
+ $username,
+ "Password Incorrect");
+ return 0;
+ }
+ }
+ } else {
+ # If the encryption package can't perform the request subroutine,
+ # dump an error and jump to the next external authentication service.
+ $RT::Logger->error($service,
+ "AUTH FAILED",
+ "The encryption package you gave me (",
+ $db_p_enc_pkg,
+ ") does not support the encryption method you specified (",
+ $db_p_enc_sub,
+ ")");
+ return 0;
+ }
+
+ # Any other checks you want to add? Add them here.
+
+ # If we've survived to this point, we're good.
+ $RT::Logger->info( (caller(0))[3],
+ "External Auth OK (",
+ $service,
+ "):",
+ $username);
+
+ return 1;
+}
+
+sub CanonicalizeUserInfo {
+
+ my ($service, $key, $value) = @_;
+
+ my $found = 0;
+ my %params = (Name => undef,
+ EmailAddress => undef,
+ RealName => undef);
+
+ # Load the config
+ my $config = $RT::ExternalSettings->{$service};
+
+ # Figure out what's what
+ my $table = $config->{'table'};
+
+ unless ($table) {
+ $RT::Logger->critical( (caller(0))[3],
+ "No table given");
+ # Drop out to the next external information service
+ return ($found, %params);
+ }
+
+ unless ($key && $value){
+ $RT::Logger->critical( (caller(0))[3],
+ " Nothing to look-up given");
+ # Drop out to the next external information service
+ return ($found, %params);
+ }
+
+ # "where" refers to WHERE section of SQL query
+ my ($where_key,$where_value) = ("@{[ $key ]}",$value);
+
+ # Get the list of unique attrs we need
+ my %db_attrs = map {$_ => 1} values(%{$config->{'attr_map'}});
+ my @attrs = keys(%db_attrs);
+ my $fields = join(',',@attrs);
+ my $query = "SELECT $fields FROM $table WHERE $where_key=?";
+ my @bind_params = ($where_value);
+
+ # Uncomment this to trace basic DBI throughput in a log
+ # DBI->trace(1,'/tmp/dbi.log');
+ my $dbh = _GetBoundDBIObj($config);
+ my $results_hashref = $dbh->selectall_hashref($query,$key,{},@bind_params);
+ $dbh->disconnect();
+
+ if ((scalar keys %$results_hashref) != 1) {
+ # If returned users <> 1, we have no single unique user, so prepare to die
+ my $death_msg;
+
+ if ((scalar keys %$results_hashref) == 0) {
+ # If no user...
+ $death_msg = "No User Found in External Database!";
+ } else {
+ # If more than one user...
+ $death_msg = "More than one user found in External Database with that unique identifier!";
+ }
+
+ # Log the death
+ $RT::Logger->info( (caller(0))[3],
+ "INFO CHECK FAILED",
+ "Key: $key",
+ "Value: $value",
+ $death_msg);
+
+ # $found remains as 0
+
+ # Drop out to next external information service
+ return ($found, %params);
+ }
+
+ # We haven't dropped out, so DB search must have succeeded with
+ # exactly 1 result. Get the result and set $found to 1
+ my $result = $results_hashref->{$value};
+
+ # Use the result to populate %params for every key we're given in the config
+ foreach my $key (keys(%{$config->{'attr_map'}})) {
+ $params{$key} = ($result->{$config->{'attr_map'}->{$key}})[0];
+ }
+
+ $found = 1;
+
+ return ($found, %params);
+}
+
+sub UserExists {
+
+ my ($username,$service) = @_;
+ my $config = $RT::ExternalSettings->{$service};
+ my $table = $config->{'table'};
+ my $u_field = $config->{'u_field'};
+ my $query = "SELECT $u_field FROM $table WHERE $u_field=?";
+ my @bind_params = ($username);
+
+ # Uncomment this to do a basic trace on DBI information and log it
+ # DBI->trace(1,'/tmp/dbi.log');
+
+ # Get DBI Object, do the query, disconnect
+ my $dbh = _GetBoundDBIObj($config);
+ my $results_hashref = $dbh->selectall_hashref($query,$u_field,{},@bind_params);
+ $dbh->disconnect();
+
+ my $num_of_results = scalar keys %$results_hashref;
+
+ if ($num_of_results > 1) {
+ # If more than one result returned, die because we the username field should be unique!
+ $RT::Logger->debug( "Disable Check Failed :: (",
+ $service,
+ ")",
+ $username,
+ "More than one user with that username!");
+ return 0;
+ } elsif ($num_of_results < 1) {
+ # If 0 or negative integer, no user found or major failure
+ $RT::Logger->debug( "Disable Check Failed :: (",
+ $service,
+ ")",
+ $username,
+ "User not found");
+ return 0;
+ }
+
+ # Number of results is exactly one, so we found the user we were looking for
+ return 1;
+}
+
+sub UserDisabled {
+
+ my ($username,$service) = @_;
+
+ # FIRST, check that the user exists in the DBI service
+ unless(UserExists($username,$service)) {
+ $RT::Logger->debug("User (",$username,") doesn't exist! - Assuming not disabled for the purposes of disable checking");
+ return 0;
+ }
+
+ # Get the necessary config info
+ my $config = $RT::ExternalSettings->{$service};
+ my $table = $config->{'table'};
+ my $u_field = $config->{'u_field'};
+ my $disable_field = $config->{'d_field'};
+ my $disable_values_list = $config->{'d_values'};
+
+ unless ($disable_field) {
+ # If we don't know how to check for disabled users, consider them all enabled.
+ $RT::Logger->debug("No d_field specified for this DBI service (",
+ $service,
+ "), so considering all users enabled");
+ return 0;
+ }
+
+ my $query = "SELECT $u_field,$disable_field FROM $table WHERE $u_field=?";
+ my @bind_params = ($username);
+
+ # Uncomment this to do a basic trace on DBI information and log it
+ # DBI->trace(1,'/tmp/dbi.log');
+
+ # Get DBI Object, do the query, disconnect
+ my $dbh = _GetBoundDBIObj($config);
+ my $results_hashref = $dbh->selectall_hashref($query,$u_field,{},@bind_params);
+ $dbh->disconnect();
+
+ my $num_of_results = scalar keys %$results_hashref;
+
+ if ($num_of_results > 1) {
+ # If more than one result returned, die because we the username field should be unique!
+ $RT::Logger->debug( "Disable Check Failed :: (",
+ $service,
+ ")",
+ $username,
+ "More than one user with that username! - Assuming not disabled");
+ # Drop out to next service for an info check
+ return 0;
+ } elsif ($num_of_results < 1) {
+ # If 0 or negative integer, no user found or major failure
+ $RT::Logger->debug( "Disable Check Failed :: (",
+ $service,
+ ")",
+ $username,
+ "User not found - Assuming not disabled");
+ # Drop out to next service for an info check
+ return 0;
+ } else {
+ # otherwise all should be well
+
+ # $user_db_disable_value = The value for "disabled" returned from the DB
+ my $user_db_disable_value = $results_hashref->{$username}->{$disable_field};
+
+ # For each of the values in the (list of values that we consider to mean the user is disabled)..
+ foreach my $disable_value (@{$disable_values_list}){
+ $RT::Logger->debug( "DB Disable Check:",
+ "User's Val is $user_db_disable_value,",
+ "Checking against: $disable_value");
+
+ # If the value from the DB matches a value from the list, the user is disabled.
+ if ($user_db_disable_value eq $disable_value) {
+ return 1;
+ }
+ }
+
+ # If we've not returned yet, the user can't be disabled
+ return 0;
+ }
+ $RT::Logger->crit("It is seriously not possible to run this code.. what the hell did you do?!");
+ return 0;
+}
+
+sub GetCookieAuth {
+
+ $RT::Logger->debug( (caller(0))[3],
+ "Checking Browser Cookies for an Authenticated User");
+
+ # Get our cookie and database info...
+ my $config = shift;
+
+ my $username = undef;
+ my $cookie_name = $config->{'name'};
+
+ my $cookie_value = RT::Authen::ExternalAuth::DBI::Cookie::GetCookieVal($cookie_name);
+
+ unless($cookie_value){
+ return $username;
+ }
+
+ # The table mapping usernames to the Username Match Key
+ my $u_table = $config->{'u_table'};
+ # The username field in that table
+ my $u_field = $config->{'u_field'};
+ # The field that contains the Username Match Key
+ my $u_match_key = $config->{'u_match_key'};
+
+ # The table mapping cookie values to the Cookie Match Key
+ my $c_table = $config->{'c_table'};
+ # The cookie field in that table - The same as the cookie name if unspecified
+ my $c_field = $config->{'c_field'};
+ # The field that connects the Cookie Match Key
+ my $c_match_key = $config->{'c_match_key'};
+
+ # These are random characters to assign as table aliases in SQL
+ # It saves a lot of garbled code later on
+ my $u_table_alias = "u";
+ my $c_table_alias = "c";
+
+ # $tables will be passed straight into the SQL query
+ # I don't see this as a security issue as only the admin may modify the config file anyway
+ my $tables;
+
+ # If the tables are the same, then the aliases should be the same
+ # and the match key becomes irrelevant. Ensure this all works out
+ # fine by setting both sides the same. In either case, set an
+ # appropriate value for $tables.
+ if ($u_table eq $c_table) {
+ $u_table_alias = $c_table_alias;
+ $u_match_key = $c_match_key;
+ $tables = "$c_table $c_table_alias";
+ } else {
+ $tables = "$c_table $c_table_alias, $u_table $u_table_alias";
+ }
+
+ my $select_fields = "$u_table_alias.$u_field";
+ my $where_statement = "$c_table_alias.$c_field = ? AND $c_table_alias.$c_match_key = $u_table_alias.$u_match_key";
+
+ my $query = "SELECT $select_fields FROM $tables WHERE $where_statement";
+ my @params = ($cookie_value);
+
+ # Use this if you need to debug the DBI SQL process
+ # DBI->trace(1,'/tmp/dbi.log');
+
+ my $dbh = _GetBoundDBIObj($RT::ExternalSettings->{$config->{'db_service_name'}});
+ my $query_result_arrayref = $dbh->selectall_arrayref($query,{},@params);
+ $dbh->disconnect();
+
+ # The log messages say it all here...
+ my $num_rows = scalar @$query_result_arrayref;
+ if ($num_rows < 1) {
+ $RT::Logger->info( "AUTH FAILED",
+ $cookie_name,
+ "Cookie value not found in database.",
+ "User passed an authentication token they were not given by us!",
+ "Is this nefarious activity?");
+ } elsif ($num_rows > 1) {
+ $RT::Logger->error( "AUTH FAILED",
+ $cookie_name,
+ "Cookie's value is duplicated in the database! This should not happen!!");
+ } else {
+ $username = $query_result_arrayref->[0][0];
+ }
+
+ if ($username) {
+ $RT::Logger->debug( "User (",
+ $username,
+ ") was authenticated by a browser cookie");
+ } else {
+ $RT::Logger->debug( "No user was authenticated by browser cookie");
+ }
+
+ return $username;
+
+}
+
+
+# {{{ sub _GetBoundDBIObj
+
+sub _GetBoundDBIObj {
+
+ # Config as hashref.
+ my $config = shift;
+
+ # Extract the relevant information from the config.
+ my $db_server = $config->{'server'};
+ my $db_user = $config->{'user'};
+ my $db_pass = $config->{'pass'};
+ my $db_database = $config->{'database'};
+ my $db_port = $config->{'port'};
+ my $dbi_driver = $config->{'dbi_driver'};
+
+ # Use config to create a DSN line for the DBI connection
+ my $dsn = "dbi:$dbi_driver:database=$db_database;host=$db_server;port=$db_port";
+
+ # Now let's get connected
+ my $dbh = DBI->connect($dsn, $db_user, $db_pass,{RaiseError => 1, AutoCommit => 0 })
+ or die $DBI::errstr;
+
+ # If we didn't die, return the DBI object handle
+ # and hope it's treated sensibly and correctly
+ # destroyed by the calling code
+ return $dbh;
+}
+
+# }}}
+
+1;
diff --git a/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm b/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm
new file mode 100755
index 0000000..3a2b0f3
--- /dev/null
+++ b/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm
@@ -0,0 +1,31 @@
+package RT::Authen::ExternalAuth::DBI::Cookie;
+
+use CGI::Cookie;
+
+use strict;
+
+# {{{ sub GetCookieVal
+sub GetCookieVal {
+
+ # The name of the cookie
+ my $cookie_name = shift;
+ my $cookie_value;
+
+ # Pull in all cookies from browser within our cookie domain
+ my %cookies = CGI::Cookie->fetch();
+
+ # If the cookie is set, get the value, if it's not set, get out now!
+ if (defined $cookies{$cookie_name}) {
+ $cookie_value = $cookies{$cookie_name}->value;
+ $RT::Logger->debug( "Cookie Found",
+ ":: $cookie_name");
+ } else {
+ $RT::Logger->debug( "Cookie Not Found");
+ }
+
+ return $cookie_value;
+}
+
+# }}}
+
+1;
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
new file mode 100755
index 0000000..885c7dd
--- /dev/null
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
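Review bot: The password check in GetAuth has no fail-closed guard when the stored hash is missing: `$pass_from_db` is undef if `p_field` is NULL, or if the database matched the username case-insensitively so that the `selectall_hashref` key differs from `$username`, and `... ne $pass_from_db` then compares the computed hash against the empty string, so the account is protected only by whether the configured hash function can ever return an empty string. Add `return 0 unless defined $pass_from_db && length $pass_from_db;` directly after `my $pass_from_db = ...`. Separately, `eval "require $db_p_enc_pkg" or $RT::Logger->error(...) && return 0;` only returns when the logger call returns true, because `&&` binds tighter than `or`; write it as `unless (eval "require $db_p_enc_pkg") { $RT::Logger->error(...); return 0; }`, and since the package name is interpolated into a string eval, check it against `/\A[A-Za-z_]\w*(?:::\w+)*\z/` first. Finally, `_GetBoundDBIObj` dies on a failed connect (`or die $DBI::errstr`) and opens the handle with `RaiseError => 1`, so `return 0 unless $dbh;` in GetAuth can never trigger, CanonicalizeUserInfo, UserExists, UserDisabled and GetCookieAuth have no guard at all, and a failing query skips the `$dbh->disconnect()` call; either wrap the connect and query in `eval {}` and return 0, or document that a database outage is meant to abort the whole login.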
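Review bot: The file enables `use strict` but not `use warnings` (DBI.pm and LDAP.pm in this patch do the same), so the `eq`/`ne` comparisons against undef values elsewhere in the patch run silently; add `use warnings;` next to `use strict;`. GetCookieVal also deserves a one-line contract comment, since GetCookieAuth binds its result into a SQL lookup as the user's session token: `# Returns the named cookie's value, or undef when the browser sent no such cookie.`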
@@ -0,0 +1,479 @@
+package RT::Authen::ExternalAuth::LDAP;
+
+use Net::LDAP qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
+use Net::LDAP::Util qw(ldap_error_name);
+use Net::LDAP::Filter;
+
+use strict;
+
+require Net::SSLeay if $RT::ExternalServiceUsesSSLorTLS;
+
+sub GetAuth {
+
+ my ($service, $username, $password) = @_;
+
+ my $config = $RT::ExternalSettings->{$service};
+ $RT::Logger->debug( "Trying external auth service:",$service);
+
+ my $base = $config->{'base'};
+ my $filter = $config->{'filter'};
+ my $group = $config->{'group'};
+ my $group_attr = $config->{'group_attr'};
+ my $attr_map = $config->{'attr_map'};
+ my @attrs = ('dn');
+
+ # Empty parentheses as filters cause Net::LDAP to barf.
+ # We take care of this by using Net::LDAP::Filter, but
+ # there's no harm in fixing this right now.
+ if ($filter eq "()") { undef($filter) };
+
+ # Now let's get connected
+ my $ldap = _GetBoundLdapObj($config);
+ return 0 unless ($ldap);
+
+ $filter = Net::LDAP::Filter->new( '(&(' .
+ $attr_map->{'Name'} .
+ '=' .
+ $username .
+ ')' .
+ $filter .
+ ')'
+ );
+
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+ $base,
+ "== Filter:",
+ $filter->as_string,
+ "== Attrs:",
+ join(',',@attrs));
+
+ my $ldap_msg = $ldap->search( base => $base,
+ filter => $filter,
+ attrs => \@attrs);
+
+ unless ($ldap_msg->code == LDAP_SUCCESS || $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
+ $RT::Logger->debug( "search for",
+ $filter->as_string,
+ "failed:",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code);
+ # Didn't even get a partial result - jump straight to the next external auth service
+ return 0;
+ }
+
+ unless ($ldap_msg->count == 1) {
+ $RT::Logger->info( $service,
+ "AUTH FAILED:",
+ $username,
+ "User not found or more than one user found");
+ # We got no user, or too many users.. jump straight to the next external auth service
+ return 0;
+ }
+
+ my $ldap_dn = $ldap_msg->first_entry->dn;
+ $RT::Logger->debug( "Found LDAP DN:",
+ $ldap_dn);
+
+ # THIS bind determines success or failure on the password.
+ $ldap_msg = $ldap->bind($ldap_dn, password => $password);
+
+ unless ($ldap_msg->code == LDAP_SUCCESS) {
+ $RT::Logger->info( $service,
+ "AUTH FAILED",
+ $username,
+ "(can't bind:",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code,
+ ")");
+ # Could not bind to the LDAP server as the user we found with the password
+ # we were given, therefore the password must be wrong so we fail and
+ # jump straight to the next external auth service
+ return 0;
+ }
+
+ # The user is authenticated ok, but is there an LDAP Group to check?
+ if ($group) {
+ # If we've been asked to check a group...
+ $filter = Net::LDAP::Filter->new("(${group_attr}=${ldap_dn})");
+
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+ $base,
+ "== Filter:",
+ $filter->as_string,
+ "== Attrs:",
+ join(',',@attrs));
+
+ $ldap_msg = $ldap->search( base => $group,
+ filter => $filter,
+ attrs => \@attrs,
+ scope => 'base');
+
+ # And the user isn't a member:
+ unless ($ldap_msg->code == LDAP_SUCCESS ||
+ $ldap_msg->code == LDAP_PARTIAL_RESULTS) {
+ $RT::Logger->critical( "Search for",
+ $filter->as_string,
+ "failed:",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code);
+
+ # Fail auth - jump to next external auth service
+ return 0;
+ }
+
+ unless ($ldap_msg->count == 1) {
+ $RT::Logger->info( $service,
+ "AUTH FAILED:",
+ $username);
+
+ # Fail auth - jump to next external auth service
+ return 0;
+ }
+ }
+
+ # Any other checks you want to add? Add them here.
+
+ # If we've survived to this point, we're good.
+ $RT::Logger->info( (caller(0))[3],
+ "External Auth OK (",
+ $service,
+ "):",
+ $username);
+ return 1;
+
+}
+
+
+sub CanonicalizeUserInfo {
+
+ my ($service, $key, $value) = @_;
+
+ my $found = 0;
+ my %params = (Name => undef,
+ EmailAddress => undef,
+ RealName => undef);
+
+ # Load the config
+ my $config = $RT::ExternalSettings->{$service};
+
+ # Figure out what's what
+ my $base = $config->{'base'};
+ my $filter = $config->{'filter'};
+
+ # Get the list of unique attrs we need
+ my @attrs = values(%{$config->{'attr_map'}});
+
+ # This is a bit confusing and probably broken. Something to revisit..
+ my $filter_addition = ($key && $value) ? "(". $key . "=$value)" : "";
+ if(defined($filter) && ($filter ne "()")) {
+ $filter = Net::LDAP::Filter->new( "(&" .
+ $filter .
+ $filter_addition .
+ ")"
+ );
+ } else {
+ $RT::Logger->debug( "LDAP Filter invalid or not present.");
+ }
+
+ unless (defined($base)) {
+ $RT::Logger->critical( (caller(0))[3],
+ "LDAP baseDN not defined");
+ # Drop out to the next external information service
+ return ($found, %params);
+ }
+
+ # Get a Net::LDAP object based on the config we provide
+ my $ldap = _GetBoundLdapObj($config);
+
+ # Jump to the next external information service if we can't get one,
+ # errors should be logged by _GetBoundLdapObj so we don't have to.
+ return ($found, %params) unless ($ldap);
+
+ # Do a search for them in LDAP
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+ $base,
+ "== Filter:",
+ $filter->as_string,
+ "== Attrs:",
+ join(',',@attrs));
+
+ my $ldap_msg = $ldap->search(base => $base,
+ filter => $filter,
+ attrs => \@attrs);
+
+ # If we didn't get at LEAST a partial result, just die now.
+ if ($ldap_msg->code != LDAP_SUCCESS and
+ $ldap_msg->code != LDAP_PARTIAL_RESULTS) {
+ $RT::Logger->critical( (caller(0))[3],
+ ": Search for ",
+ $filter->as_string,
+ " failed: ",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code);
+ # $found remains as 0
+
+ # Drop out to the next external information service
+ $ldap_msg = $ldap->unbind();
+ if ($ldap_msg->code != LDAP_SUCCESS) {
+ $RT::Logger->critical( (caller(0))[3],
+ ": Could not unbind: ",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code);
+ }
+ undef $ldap;
+ undef $ldap_msg;
+ return ($found, %params);
+
+ } else {
+ # If there's only one match, we're good; more than one and
+ # we don't know which is the right one so we skip it.
+ if ($ldap_msg->count == 1) {
+ my $entry = $ldap_msg->first_entry();
+ foreach my $key (keys(%{$config->{'attr_map'}})) {
+ if ($RT::LdapAttrMap->{$key} eq 'dn') {
+ $params{$key} = $entry->dn();
+ } else {
+ $params{$key} =
+ ($entry->get_value($config->{'attr_map'}->{$key}))[0];
+ }
+ }
+ $found = 1;
+ } else {
+ # Drop out to the next external information service
+ $ldap_msg = $ldap->unbind();
+ if ($ldap_msg->code != LDAP_SUCCESS) {
+ $RT::Logger->critical( (caller(0))[3],
+ ": Could not unbind: ",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code);
+ }
+ undef $ldap;
+ undef $ldap_msg;
+ return ($found, %params);
+ }
+ }
+ $ldap_msg = $ldap->unbind();
+ if ($ldap_msg->code != LDAP_SUCCESS) {
+ $RT::Logger->critical( (caller(0))[3],
+ ": Could not unbind: ",
+ ldap_error_name($ldap_msg->code),
+ $ldap_msg->code);
+ }
+
+ undef $ldap;
+ undef $ldap_msg;
+
+ return ($found, %params);
+}
+
+sub UserExists {
+ my ($username,$service) = @_;
+ $RT::Logger->debug("UserExists params:\nusername: $username , service: $service");
+ my $config = $RT::ExternalSettings->{$service};
+
+ my $base = $config->{'base'};
+ my $filter = $config->{'filter'};
+
+ # While LDAP filters must be surrounded by parentheses, an empty set
+ # of parentheses is an invalid filter and will cause failure
+ # This shouldn't matter since we are now using Net::LDAP::Filter below,
+ # but there's no harm in doing this to be sure
+ if ($filter eq "()") { undef($filter) };
+
+ if (defined($config->{'attr_map'}->{'Name'})) {
+ # Construct the complex filter
+ $filter = Net::LDAP::Filter->new( '(&' .
+ $filter .
+ '(' .
+ $config->{'attr_map'}->{'Name'} .
+ '=' .
+ $username .
+ '))'
+ );
+ }
+
+ my $ldap = _GetBoundLdapObj($config);
+ return unless $ldap;
+
+ my @attrs = values(%{$config->{'attr_map'}});
+
+ # Check that the user exists in the LDAP service
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+ $base,
+ "== Filter:",
+ $filter->as_string,
+ "== Attrs:",
+ join(',',@attrs));
+
+ my $user_found = $ldap->search( base => $base,
+ filter => $filter,
+ attrs => \@attrs);
+
+ if($user_found->count < 1) {
+ # If 0 or negative integer, no user found or major failure
+ $RT::Logger->debug( "User Check Failed :: (",
+ $service,
+ ")",
+ $username,
+ "User not found");
+ return 0;
+ } elsif ($user_found->count > 1) {
+ # If more than one result returned, die because we the username field should be unique!
+ $RT::Logger->debug( "User Check Failed :: (",
+ $service,
+ ")",
+ $username,
+ "More than one user with that username!");
+ return 0;
+ }
+ undef $user_found;
+
+ # If we havent returned now, there must be a valid user.
+ return 1;
+}
+
+sub UserDisabled {
+
+ my ($username,$service) = @_;
+
+ # FIRST, check that the user exists in the LDAP service
+ unless(UserExists($username,$service)) {
+ $RT::Logger->debug("User (",$username,") doesn't exist! - Assuming not disabled for the purposes of disable checking");
+ return 0;
+ }
+
+ my $config = $RT::ExternalSettings->{$service};
+ my $base = $config->{'base'};
+ my $filter = $config->{'filter'};
+ my $d_filter = $config->{'d_filter'};
+ my $search_filter;
+
+ # While LDAP filters must be surrounded by parentheses, an empty set
+ # of parentheses is an invalid filter and will cause failure
+ # This shouldn't matter since we are now using Net::LDAP::Filter below,
+ # but there's no harm in doing this to be sure
+ if ($filter eq "()") { undef($filter) };
+ if ($d_filter eq "()") { undef($d_filter) };
+
+ unless ($d_filter) {
+ # If we don't know how to check for disabled users, consider them all enabled.
+ $RT::Logger->debug("No d_filter specified for this LDAP service (",
+ $service,
+ "), so considering all users enabled");
+ return 0;
+ }
+
+ if (defined($config->{'attr_map'}->{'Name'})) {
+ # Construct the complex filter
+ $search_filter = Net::LDAP::Filter->new( '(&' .
+ $filter .
+ $d_filter .
+ '(' .
+ $config->{'attr_map'}->{'Name'} .
+ '=' .
+ $username .
+ '))'
+ );
+ } else {
+ $RT::Logger->debug("You haven't specified an LDAP attribute to match the RT \"Name\" attribute for this service (",
+ $service,
+ "), so it's impossible look up the disabled status of this user (",
+ $username,
+ ") so I'm just going to assume the user is not disabled");
+ return 0;
+
+ }
+
+ my $ldap = _GetBoundLdapObj($config);
+ next unless $ldap;
+
+ # We only need the UID for confirmation now,
+ # the other information would waste time and bandwidth
+ my @attrs = ('uid');
+
+ $RT::Logger->debug( "LDAP Search === ",
+ "Base:",
+ $base,
+ "== Filter:",
+ $search_filter->as_string,
+ "== Attrs:",
+ join(',',@attrs));
+
+ my $disabled_users = $ldap->search(base => $base,
+ filter => $search_filter,
+ attrs => \@attrs);
+ # If ANY results are returned,
+ # we are going to assume the user should be disabled
+ if ($disabled_users->count) {
+ undef $disabled_users;
+ return 1;
+ } else {
+ undef $disabled_users;
+ return 0;
+ }
+}
+# {{{ sub _GetBoundLdapObj
+
+sub _GetBoundLdapObj {
+
+ # Config as hashref
+ my $config = shift;
+
+ # Figure out what's what
+ my $ldap_server = $config->{'server'};
+ my $ldap_user = $config->{'user'};
+ my $ldap_pass = $config->{'pass'};
+ my $ldap_tls = $config->{'tls'};
+ my $ldap_ssl_ver = $config->{'ssl_version'};
+ my $ldap_args = $config->{'net_ldap_args'};
+
+ my $ldap = new Net::LDAP($ldap_server, @$ldap_args);
+
+ unless ($ldap) {
+ $RT::Logger->critical( (caller(0))[3],
+ ": Cannot connect to",
+ $ldap_server);
+ return undef;
+ }
+
+ if ($ldap_tls) {
+ $Net::SSLeay::ssl_version = $ldap_ssl_ver;
+ # Thanks to David Narayan for the fault tolerance bits
+ eval { $ldap->start_tls; };
+ if ($@) {
+ $RT::Logger->critical( (caller(0))[3],
+ "Can't start TLS: ",
+ $@);
+ return;
+ }
+
+ }
+
+ my $msg = undef;
+
+ if (($ldap_user) and ($ldap_pass)) {
+ $msg = $ldap->bind($ldap_user, password => $ldap_pass);
+ } elsif (($ldap_user) and ( ! $ldap_pass)) {
+ $msg = $ldap->bind($ldap_user);
+ } else {
+ $msg = $ldap->bind;
+ }
+
+ unless ($msg->code == LDAP_SUCCESS) {
+ $RT::Logger->critical( (caller(0))[3],
+ "Can't bind:",
+ ldap_error_name($msg->code),
+ $msg->code);
+ return undef;
+ } else {
+ return $ldap;
+ }
+}
+
+# }}}
+
+1;
diff --git a/lib/RT/User_Vendor.pm b/lib/RT/User_Vendor.pm
new file mode 100755
index 0000000..bc7110c
--- /dev/null
+++ b/lib/RT/User_Vendor.pm
@@ -0,0 +1,27 @@
+no warnings qw(redefine);
+use strict;
+use RT::Authen::ExternalAuth;
+
+# {{{ sub CanonicalizeUserInfo
+
+=head2 CanonicalizeUserInfo HASHREF
+
+Get all ExternalDB attrs listed in $RT::ExternalDBAttrMap and put them into
+the hash referred to by HASHREF.
+
+returns true (1) if ExternalDB lookup was successful, false (undef)
+in all other cases.
+
+=cut
+
+sub CanonicalizeUserInfo {
+ my $self = shift;
+ my $args = shift;
+ return(RT::Authen::ExternalAuth::CanonicalizeUserInfo($self,$args));
+}
+# }}}
+
+
+
+
+1;
-- 2.30.2
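Review bot: `$username` is concatenated unescaped into the search filter in GetAuth (`'(&(' . $attr_map->{'Name'} . '=' . $username . ')' . $filter . ')'`), and the same pattern is repeated in UserExists, UserDisabled and CanonicalizeUserInfo (`"(". $key . "=$value)"`) and in the group check (`"(${group_attr}=${ldap_dn})"`, where a DN can legally contain `(`, `)` or `*`); a login name containing filter metacharacters changes which entry passes the `count == 1` test and therefore which DN the password bind is attempted against, and can make the d_filter search in UserDisabled return nothing. Escape every interpolated value with `escape_filter_value` from Net::LDAP::Util (extend the existing import to `use Net::LDAP::Util qw(ldap_error_name escape_filter_value);`), e.g. `'=' . escape_filter_value($username) . ')'`. The password bind `$ldap->bind($ldap_dn, password => $password)` in GetAuth is also reached with an empty `$password`, which many directories treat as an unauthenticated bind that returns LDAP_SUCCESS; unless RT already rejects empty passwords before calling GetAuth, add `return 0 unless defined $password && length $password;` before the search. `next unless $ldap;` in UserDisabled is not inside a loop, so Perl leaves the sub with an "Exiting subroutine via next" warning and the caller gets an undefined result; make it `return 0 unless $ldap;` like the other callers. Lastly, `$filter->as_string` in CanonicalizeUserInfo runs on a plain string or undef whenever the configured filter is absent or `()` (only the `if` branch wraps it in Net::LDAP::Filter), and the `$RT::LdapAttrMap->{$key} eq 'dn'` test there appears to read a different configuration variable than the `$config->{'attr_map'}` loop it sits in, which looks like a leftover worth confirming.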
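Review bot: The POD for CanonicalizeUserInfo is out of date relative to what it delegates to: it refers to `$RT::ExternalDBAttrMap`, while the rest of this patch reads `$RT::ExternalSettings->{$service}{'attr_map'}`, and it promises `false (undef)` on failure, whereas the ExternalAuth.pm body in this series ends with `return($found || $RT::AutoCreateNonExternalUsers);`, so a true value can come back without any lookup having succeeded. Rewrite the two POD paragraphs to say that the lookup iterates the configured external information services and that the return is true when a match was found or when AutoCreateNonExternalUsers is set. The file also has no `package` statement, so it presumably relies on RT loading `*_Vendor.pm` overlays inside `package RT::User`; a one-line comment at the top stating that would help the next reader.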