ukamnya
/
Redmine-mod-perl-auth
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

merge into: ukamnya:master
Branches Tags
ukamnya:api-key-auth
ukamnya:master
ukamnya:1.x
...
pull from: ukamnya:api-key-auth
Branches Tags
ukamnya:api-key-auth
ukamnya:master
ukamnya:1.x

5 Commits
master ... api-key-au

Author SHA1 Message Date
inpos 7842558576 full-tested version 2018-07-18 16:20:52 +03:00
inpos c3b2b5a22f [from master] Update README 2018-07-18 15:37:50 +03:00
inpos 3b5b094b3e [from master] sets firstname, lastname, email address 2018-07-18 15:30:24 +03:00
Бородин Роман 6f85952dc3 repo = project.repo 2018-07-18 14:53:51 +03:00
Guillaume Perréal 47e5703f64 First try at authentication by API key. 2016-04-05 13:49:47 +02:00
2 changed files with 194 additions and 43 deletions
Show Stats Expand all files Collapse all files

18
README.pod
View File

@ -61,9 +61,9 @@ Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
# RedmineDbWhereClause "and members.role_id IN (1,2)"
## SCM transport protocol, used to detecte write requests
## Valid values: dav-svn, git-smart-http
## Default: dav-svn
# RedmineSCMProtocol dav-svn
## Valid values: Subversion, Git, None
## Default: Subversion
# RedmineRepositoryType Subversion
## Credentials cache size
## Default: 0 (disabled)
@ -97,9 +97,21 @@ Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
## Default: Off
# RedmineDenyNonMember On
## Allow authentication by API key
## Default: Off
# RedmineKeyAuthentication On
## Username for authentication by API key
## Default: api-key
# RedmineKeyUsername key
## Administrators have super-powers
## Default: On
# RedmineSuperAdmin Off
## Sets firstname, lastname, email address to environment variables.
## Default: Off
# RedmineSetUserAttributes Off
</Location>

219
Redmine.pm
View File

@ -99,6 +99,14 @@ Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
## Default: Off
# RedmineDenyNonMember On
## Allow authentication by API key
## Default: Off
# RedmineKeyAuthentication On
## Username for authentication by API key
## Default: api-key
# RedmineKeyUsername key
## Administrators have super-powers
## Default: On
# RedmineSuperAdmin Off
@ -239,6 +247,24 @@ my @directives = (
args_how => TAKE1,
errmsg => 'Indicate the type of Repository (Subversion or Git). This is used to properly detected write requests. Defaults to Subversion.',
},
{
name => 'RedmineKeyAuthentication',
req_override => OR_AUTHCFG,
args_how => FLAG,
errmsg => 'Allow authentication by API key. Defaults to no.'
},
{
name => 'RedmineKeyUsername',
req_override => OR_AUTHCFG,
args_how => TAKE1,
errmsg => 'USername to use for authenticiation with API KEY. Defaults to api-key.'
},
{
name => 'RedmineSetUserAttributes',
req_override => OR_AUTHCFG,
args_how => FLAG,
errmsg => 'Sets firstname, lastname, email address to environment variables. Defaults to no.',
},
);
# Initialize defaults configuration
@ -263,6 +289,10 @@ sub DIR_CREATE {
DenyAnonymous => 0,
DenyNonMember => 0,
SuperAdmin => 1,
KeyAuthentication => 0,
KeyUsername => 'api-key',
SetUserAttributes => 0,
AttributesCacheCredsCount => 0,
}, $class;
}
@ -278,6 +308,9 @@ sub RedmineCacheCredsMaxAge { set_val('CacheCredsMaxAge', @_); }
sub RedmineDenyAnonymous { set_val('DenyAnonymous', @_); }
sub RedmineDenyNonMember { set_val('DenyNonMember', @_); }
sub RedmineSuperAdmin { set_val('SuperAdmin', @_); }
sub RedmineKeyAuthentication { set_val('KeyAuthentication', @_); }
sub RedmineKeyUsername { set_val('KeyUsername', @_); }
sub RedmineSetUserAttributes { set_val('SetUserAttributes', @_); }
sub RedmineDbWhereClause {
my ($cfg, $parms, $arg) = @_;
@ -335,9 +368,15 @@ sub authen_handler {
# Used cached credentials if possible
my $cache_key = get_cache_key($r, $password);
if(defined $cache_key && cache_get($r, $cache_key)) {
my $cfg = get_config($r);
if(defined $cache_key && !$cfg->{SetUserAttributes} && cache_get($r, $cache_key)) {
$r->log->debug("reusing cached credentials for user '", $r->user, "'");
$r->set_handlers(PerlAuthzHandler => undef);
attributes_cache_get($r, $cache_key);
} elsif(defined $cache_key && $cfg->{SetUserAttributes} && cache_get($r, $cache_key) && attributes_cache_get($r, $cache_key)) {
$r->log->debug("reusing cached credentials for user '", $r->user, "' including attributes");
$r->set_handlers(PerlAuthzHandler => undef);
} else {
# Else check them
@ -374,60 +413,107 @@ sub authen_handler {
return $res;
}
sub check_login {
my ($r, $dbh, $password) = @_;
my $user = $r->user;
my $status;
my ($hashed_password, $status, $auth_source_id, $salt) = $dbh->selectrow_array('SELECT hashed_password, status, auth_source_id, salt FROM users WHERE login = ?', undef, $user)
or return (AUTH_REQUIRED, "unknown user '$user'");
my $cfg = get_config($r);
# Check password
if($auth_source_id) {
# LDAP authentication
my ($hashed_password, $auth_source_id, $salt, $id, $firstname, $lastname, $email_address);
# Ensure Authen::Simple::LDAP is available
return (SERVER_ERROR, "Redmine LDAP authentication requires Authen::Simple::LDAP")
unless $CanUseLDAPAuth;
# Get LDAP server informations
my($host, $port, $tls, $account, $account_password, $base_dn, $attr_login) = $dbh->selectrow_array(
"SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?",
undef,
$auth_source_id
)
or return (SERVER_ERROR, "Undefined authentication source for '$user'");
# Connect to the LDAP server
my $ldap = Authen::Simple::LDAP->new(
host => is_true($tls) ? "ldaps://$host:$port" : $host,
port => $port,
basedn => $base_dn,
binddn => $account || "",
bindpw => $account_password || "",
filter => '('.$attr_login.'=%s)'
);
# Finally check user login
return (AUTH_REQUIRED, "LDAP authentication failed (user: '$user', server: '$host')")
unless $ldap->authenticate($user, $password);
if ($cfg->{KeyAuthentication} && $user eq $cfg->{KeyUsername}) {
# API key auth
($user, $status) = $dbh->selectrow_array('SELECT u.login, u.status FROM users u INNER JOIN tokens t ON (t.user_id = u.id) WHERE t.action = \'api\' AND t.value = ?', undef, $password)
or return (AUTH_REQUIRED, "unknown api-key '$password'");
$r->user($user);
} else {
# Database authentication
my $pass_digest = Digest::SHA::sha1_hex($password);
return (AUTH_REQUIRED, "wrong password for '$user'")
unless $hashed_password eq Digest::SHA::sha1_hex($salt.$pass_digest);
# Login+password auth
($hashed_password, $status, $auth_source_id, $salt, $id, $firstname, $lastname, $email_address) =
$dbh->selectrow_array('SELECT users.hashed_password, users.status, users.auth_source_id, users.salt, users.id, users.firstname, users.lastname, email_addresses.address
FROM users
LEFT JOIN email_addresses on (email_addresses.user_id=users.id and email_addresses.is_default = true)
WHERE users.login = ?', undef, $user)
or return (AUTH_REQUIRED, "unknown user '$user'");
my ($res, $reason);
if ($auth_source_id) {
($res, $reason) = check_ldap_login($dbh, $auth_source_id, $user, $password);
} else {
($res, $reason) = check_db_login($user, $password, $hashed_password, $salt);
}
# Bail out if authentication failed
return ($res, $reason) unless $res == OK;
}
# Password is ok, check if account if locked
return (FORBIDDEN, "inactive account: '$user'") unless $status == 1;
$r->log->debug("successfully authenticated as active redmine user '$user'");
if ($cfg->{SetUserAttributes}) {
if (defined $email_address) {
$r->subprocess_env->set("REDMINE_DEFAULT_EMAIL_ADDRESS" => $email_address);
} else {
$r->subprocess_env->set("REDMINE_DEFAULT_EMAIL_ADDRESS" => "");
}
$r->subprocess_env->set("REDMINE_FIRSTNAME" => $firstname);
$r->subprocess_env->set("REDMINE_LASTNAME" => $lastname);
$r->log->debug("successfully authenticated as active redmine user '$user'");
}
# Everything's ok
return OK;
}
sub check_ldap_login {
# Ensure Authen::Simple::LDAP is available
return (SERVER_ERROR, "Redmine LDAP authentication requires Authen::Simple::LDAP")
unless $CanUseLDAPAuth;
my ($dbh, $auth_source_id, $user, $password) = @_;
# Get LDAP server informations
my($host, $port, $tls, $account, $account_password, $base_dn, $attr_login) = $dbh->selectrow_array(
"SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?",
undef,
$auth_source_id
)
or return (SERVER_ERROR, "Undefined authentication source for '$user'");
# Connect to the LDAP server
my $ldap = Authen::Simple::LDAP->new(
host => is_true($tls) ? "ldaps://$host:$port" : $host,
port => $port,
basedn => $base_dn,
binddn => $account || "",
bindpw => $account_password || "",
filter => '('.$attr_login.'=%s)'
);
# Finally check user login
return (AUTH_REQUIRED, "LDAP authentication failed (user: '$user', server: '$host')")
unless $ldap->authenticate($user, $password);
# LDAP auth is ok
return OK;
}
sub check_db_login {
my ($user, $password, $hashed_password, $salt) = @_ ;
# Database authentication
my $pass_digest = Digest::SHA::sha1_hex($password);
return (AUTH_REQUIRED, "wrong password for '$user'")
unless $hashed_password eq Digest::SHA::sha1_hex($salt.$pass_digest);
# Database password is ok
return OK;
}
# check if authentication is forced
sub is_authentication_forced {
my $dbh = shift;
@ -462,11 +548,12 @@ sub authz_handler {
}
} elsif(my $repo_id = get_repository_identifier($r)) {
my @pr_id = split(/\./, $repo_id);
($identifier, $project_id, $is_public, $status) = $dbh->selectrow_array(
"SELECT p.identifier, p.id, p.is_public, p.status
FROM projects p JOIN repositories r ON (p.id = r.project_id)
WHERE ((r.is_default AND p.identifier = ?) OR r.identifier = ?) AND r.type = ?",
undef, $repo_id, $repo_id, $cfg->{RepositoryType}
undef, $pr_id[0], $repo_id, $cfg->{RepositoryType}
);
unless(defined $project_id) {
$r->log_reason("No matching project for ${repo_id}");
@ -530,6 +617,7 @@ sub authz_handler {
# Put successful credentials in cache
if(my $cache_key = $r->pnotes("RedmineCacheKey")) {
cache_set($r, $cache_key);
attributes_cache_set($r, $cache_key);
}
} else {
@ -603,7 +691,10 @@ sub connect_database {
my $r = shift;
my $cfg = get_config($r);
my $dbh = DBI->connect($cfg->{DSN}, $cfg->{DbUser}, $cfg->{DbPass})
my $dbh = DBI->connect($cfg->{DSN}, $cfg->{DbUser}, $cfg->{DbPass}, {
pg_enable_utf8 => 1,
mysql_enable_utf8 => 1,
})
or $r->log->error("Connection to database failed: $DBI::errstr.");
return $dbh;
@ -641,6 +732,30 @@ sub cache_get {
return 1;
}
sub attributes_cache_get {
my($r, $key) = @_;
my $cfg = get_config($r);
return unless $cfg->{CacheCredsMax} && $cfg->{AttributesCacheCreds};
my $cache_text = $cfg->{AttributesCacheCreds}->get($key)
or return 0;
$r->log->error("cache_text:$cache_text");
my($time, $email_address, $firstname, $lastname) = split(":", $cache_text);
if($cfg->{CacheCredsMaxAge} && ($r->request_time - $time) > $cfg->{CacheCredsMaxAge}) {
$cfg->{AttributesCacheCreds}->unset($key);
$cfg->{AttributesCacheCredsCount}--;
return 0;
}
$r->subprocess_env->set("REDMINE_DEFAULT_EMAIL_ADDRESS", $email_address . "");
$r->subprocess_env->set("REDMINE_FIRSTNAME", $firstname . "");
$r->subprocess_env->set("REDMINE_LASTNAME", $lastname . "");
return 1;
}
# put credentials in cache
sub cache_set {
my($r, $key) = @_;
@ -661,6 +776,30 @@ sub cache_set {
$cfg->{CacheCredsCount}++;
}
sub attributes_cache_set {
my($r, $key) = @_;
my $cfg = get_config($r);
return unless $cfg->{CacheCredsMax};
unless($cfg->{AttributesCacheCreds}) {
$cfg->{AttributesCachePool} = APR::Pool->new;
$cfg->{AttributesCacheCreds} = APR::Table::make($cfg->{AttributesCachePool}, $cfg->{CacheCredsMax});
}
if($cfg->{AttributesCacheCredsCount} >= $cfg->{CacheCredsMax}) {
$cfg->{AttributesCacheCreds}->clear;
$cfg->{AttributesCacheCredsCount} = 0;
}
my $cache_text = join(":", $r->request_time,
$r->subprocess_env->get("REDMINE_DEFAULT_EMAIL_ADDRESS"),
$r->subprocess_env->get("REDMINE_FIRSTNAME"),
$r->subprocess_env->get("REDMINE_LASTNAME"),
);
$cfg->{AttributesCacheCreds}->set($key, $cache_text);
$cfg->{AttributesCacheCredsCount}++;
}
1;
# vim: set noexpandtab ts=4