0012458: Problem with HTTP_AUTH and Web Services

From 028b683b3659090898b333de368ccfd0146d5b65 Mon Sep 17 00:00:00 2001 From: Alberto Zigoni <alberto.zigoni@gmail.com> Date: Tue, 19 Oct 2010 12:14:33 +0200 Subject: [PATCH] patch for HTTP_AUTH and web services --- api/soap/mc_api.php | 10 +++++++++- core/authentication_api.php | 18 ++++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php index bcd8cc4..2d0f999 100644 --- a/api/soap/mc_api.php +++ b/api/soap/mc_api.php @@ -36,12 +36,20 @@ function mci_is_mantis_offline() { # return user_id if successful, otherwise false. function mci_check_login( $p_username, $p_password ) { + + # Alberto Zigoni: patch for HTTP authentication + $t_login_method = config_get( 'login_method' ); + if(HTTP_AUTH == $t_login_method) { + $p_username = auth_prepare_username(''); + } + # End patch + if( mci_is_mantis_offline() ) { return false; } # if no user name supplied, then attempt to login as anonymous user. - if( is_blank( $p_username ) ) { + if( is_blank( $p_username )) { $t_anon_allowed = config_get( 'allow_anonymous_login' ); if( OFF == $t_anon_allowed ) { return false; diff --git a/core/authentication_api.php b/core/authentication_api.php index 32961f1..b81a5ea 100644 --- a/core/authentication_api.php +++ b/core/authentication_api.php @@ -112,6 +112,16 @@ function auth_prepare_username( $p_username ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + /* Patch for HTTP authentication + * Add these two variables in config_inc.php + * $g_login_method = HTTP_AUTH; + * $g_sso_user_regex = '/^(.*)@<YOUR DOMAIN>$/i'; + */ + if (isset($_SERVER['REMOTE_USER'])) { + preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match); + $f_username = $user_match[1]; + } + /* End patch */ if( isset( $_SERVER['PHP_AUTH_USER'] ) ) { $f_username = $_SERVER['PHP_AUTH_USER']; } @@ -144,6 +154,9 @@ function auth_prepare_password( $p_password ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + if (isset($_SERVER['REMOTE_USER'])) { # $_SERVER['AUTH_TYPE'] == 'Negotiate' ) + $f_password = ''; + } /* this will never get hit - see auth_prepare_username */ if( isset( $_SERVER['PHP_AUTH_PW'] ) ) { @@ -226,7 +239,8 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) { if( !user_is_anonymous( $t_user_id ) ) { # anonymous login didn't work, so check the password - if( !auth_does_password_match( $t_user_id, $p_password ) ) { + # if( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } @@ -778,7 +792,7 @@ function auth_get_current_user_id() { if( null !== $g_cache_current_user_id ) { return $g_cache_current_user_id; } - + $t_cookie_string = auth_get_current_user_cookie(); if( $t_result = user_search_cache( 'cookie_string', $t_cookie_string ) ) { -- 1.7.3.1

From b767230c7a3135e3e1f0360738d9ecbde60c28df Mon Sep 17 00:00:00 2001 From: Alberto Zigoni <alberto.zigoni@gmail.com> Date: Tue, 8 Feb 2011 01:50:54 +0200 Subject: [PATCH] Enable MantisBT to participate in SSO scenarios When MantisBT is part of a larger installation it is not unusual for logins to be delegated to another service, which in turn sets an HTTP header with the authentication result. This commit allows MantisBT to participate in such scenarios. Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com> --- api/soap/mc_api.php | 6 ++++++ config_defaults_inc.php | 16 ++++++++++++++-- core/authentication_api.php | 11 ++++++++++- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php index 2306eb1..cef1ffa 100644 --- a/api/soap/mc_api.php +++ b/api/soap/mc_api.php @@ -36,6 +36,12 @@ function mci_is_mantis_offline() { # return user_id if successful, otherwise false. function mci_check_login( $p_username, $p_password ) { + + $t_login_method = config_get( 'login_method' ); + if(HTTP_AUTH == $t_login_method) { + $p_username = auth_prepare_username(''); + } + if( mci_is_mantis_offline() ) { return false; } diff --git a/config_defaults_inc.php b/config_defaults_inc.php index aab2e35..8061226 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php @@ -2639,13 +2639,25 @@ $g_allow_no_category = OFF; /** * login method - * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH. You can simply change this at - * will. MantisBT will try to figure out how the passwords were encrypted. + * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or HTTP_AUTH. You can simply change + * this at will. MantisBT will try to figure out how the passwords were encrypted. * @global int $g_login_method */ $g_login_method = MD5; /** + * SSO regular expression for matching users + * + * <p>This is only useful when <tt>$g_login_method</tt> is set to <tt>HTTP_AUTH</tt> + * as it will extract the username from the HTTP headers.</p> + * + * <p>Example value: <tt>'/^(.*)@example.com$/i';</tt></p> + * + * @global int $g_sso_user_regex + */ +$g_sso_user_regex = ''; + +/** * limit reporters. Set to ON if you wish to limit reporters to only viewing * bugs that they report. * @global int $g_limit_reporters diff --git a/core/authentication_api.php b/core/authentication_api.php index 631fb0c..0dc8c28 100644 --- a/core/authentication_api.php +++ b/core/authentication_api.php @@ -146,6 +146,12 @@ function auth_prepare_username( $p_username ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + + if (isset($_SERVER['REMOTE_USER'])) { + preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match); + $f_username = $user_match[1]; + } + if( isset( $_SERVER['PHP_AUTH_USER'] ) ) { $f_username = $_SERVER['PHP_AUTH_USER']; } @@ -178,6 +184,9 @@ function auth_prepare_password( $p_password ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + if (isset($_SERVER['REMOTE_USER'])) { + $f_password = ''; + } /* this will never get hit - see auth_prepare_username */ if( isset( $_SERVER['PHP_AUTH_PW'] ) ) { @@ -260,7 +269,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) { if( !user_is_anonymous( $t_user_id ) ) { # anonymous login didn't work, so check the password - if( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } -- 1.7.1

Notes
(0027075) rombert (developer) 2010-10-18 16:48	Thanks for the patch and for the detailed explanation. Can you provide a git patch as outlined at http://docs.mantisbt.org/master/en/developers.html#DEV.CONTRIB.SUBMIT [^] ?

(0027083) zigo73 (reporter) 2010-10-19 06:18	Here is the patch. It is my first time with Git, I hope I have not messed up with it.

(0027094) rombert (developer) 2010-10-20 04:47	The patch looks fine so far. Excellent even, given that it's your first git patch :-) A couple of comments: 1. You don't need the patch start/patch end comments, it's clear from the git history who introduced them. 2. There are some whitespace-only changes, which should be removed.. 3. If you can leave the $g_sso_user_regex configuration out, do that. If you think that it must be added, please add it to config_defaults_inc.php and document it in docbook/Admin_Guide/en-US/Customizing.xml .

(0027103) rombert (developer) 2010-10-20 17:28	If you require the g_ sso_user_regex parameter, how about making it something which is globally useful, like (.)(@. )? Don't know top of my head if that really works but I would like to make it as easy as usable out-of-the-box as possible.

(0027104) zigo73 (reporter) 2010-10-20 17:39	Well, the thing is that only in Kerberos based authentication the user takes the form of username@KERBEROS.REALM. When using other kinds of HTTP authentication (like for example using a db) there is no need to strip off the '@REALM' part. In fact, your regex (.)(@.) would not even work in case of non kerberos based HTTP authentication: - in case of LDAP authentication the username would be something like cn=username,dn=acme,dn=com - with NTLM you would have DOMAIN\username This is the reason behind using a regular expression. Anyway, I have only experimented with mod_auth_kerb so far.

(0027105) rombert (developer) 2010-10-20 17:57	Thanks for pointing this out. Then I suggest adding a default regexp like (.*) , and suggesting what good values you have for mod_auth_kerb in the default value documentation and in the reference guide . We can add more documentation later, if available.

(0027713) zigo73 (reporter) 2010-12-27 05:34	Rombert, that's fine for me. I am not a PHP developer, I just needed to make things work, so I've done it "quick and dirty". Let me know if you need more help, I will be glad to help testing this feature in upcoming versions. I think Integrated Windows Authentication is something very interesting to provide as a standard Mantis feature.

(0027714) rombert (developer) 2010-12-27 05:44	OK then. Can you please add ( either in the patch, or as an issue comment ) some suggestions regarding the good values for 'sso_user_regex' that you know of?

(0027730) zigo73 (reporter) 2010-12-27 10:32	I think that for mod_auth_kerb based authentication, a good regular expression is '/^(.*)@YOUR\.KERBEROS\.REALM$/i' To make it simpler, you could define a boolean variable called something like "spnego_strip_off_realm" to decide, in case of SPNEGO authentication, if the realm should be stripped off or not. In this case, you can simply evaluate a substring of the REMOTE_USER env variable. Anyway, I think the best way to implement this would be as a Mantis plugin.

(0027733) rombert (developer) 2010-12-27 10:57	Thanks. I'm going to focus on getting the patch implemented and documented. We'll see about convenience later.

(0028194) rombert (developer) 2011-02-08 17:01	I've added all the core devs here, since this is as far as I can go with my review. I do not know that part of the code well, and will not be able to commit it. @core devs: I would appreciate if one of you could take it from here, as I've done all I dare for this issue.

(0028256) dhx (developer) 2011-02-18 21:28	Agreed with the idea. Just some comments on the patch from 2011-02-07: * Documentation inside config_inc.php (and anywhere else for that matter) should not contain SGML tags (<tt>, etc) as the documentation in this context is plaintext. * Documentation of new and updated configuration values needs to be placed in the docbook documentation too. * Code style for the patch chunk in auth_prepare_username() is not consistent (lack of spacing around parenthesis) with the remainder of the code and the style guidelines for MantisBT. * Can we change the name of the new configuration option "sso_user_regex" to something more descriptive such as "http_auth_username_extraction_regex"? This will make the code easier to read for people not accustomed to the concept of SSO and how MantisBT handles it. Otherwise the patch seems OK from what I can see. I have changed the target version from 1.2.x to 1.3.x as the stable branch should not be seeing new features - that should be reserved for the development branch. Well done!

(0033418) iwan (reporter) 2012-11-03 06:47	Is this issue still alive? I took a look at the nightly build towards 1.3.x, but last night I couldn't see any of the proposed changes in mc_api.php and authentication_api.php Ofcourse I will adjust my 1.2.x installation using the ziggo73's explanation, tnx! :)

(0034225) rombert (developer) 2012-11-04 13:39	I'm going to have a look after the next release.

Issue History
Date Modified	Username	Field	Change
2010-10-18 10:55	zigo73	New Issue
2010-10-18 16:48	rombert	Note Added: 0027075
2010-10-18 16:48	rombert	Severity	major => minor
2010-10-18 16:48	rombert	Status	new => feedback
2010-10-18 16:48	rombert	Target Version	=> 1.2.4
2010-10-19 06:17	zigo73	File Added: http_auth_web_services_mantisbt1.2.3.patch
2010-10-19 06:18	zigo73	Note Added: 0027083
2010-10-19 06:18	zigo73	Status	feedback => new
2010-10-20 04:47	rombert	Note Added: 0027094
2010-10-20 04:47	rombert	Assigned To	=> rombert
2010-10-20 04:47	rombert	Status	new => assigned
2010-10-20 04:47	rombert	OS	Centos =>
2010-10-20 04:47	rombert	OS Version	5.5 =>
2010-10-20 04:47	rombert	Platform	Linux =>
2010-10-20 04:47	rombert	Description Updated	View Revisions
2010-10-20 04:51	rombert	Tag Attached: patch
2010-10-20 17:28	rombert	Note Added: 0027103
2010-10-20 17:39	zigo73	Note Added: 0027104
2010-10-20 17:57	rombert	Note Added: 0027105
2010-10-20 17:57	rombert	Assigned To	rombert => scoates
2010-10-29 16:44	rombert	Assigned To	scoates => rombert
2010-12-14 21:05	jreese	Target Version	1.2.4 => 1.2.5
2010-12-25 15:38	rombert	Status	assigned => feedback
2010-12-27 05:34	zigo73	Note Added: 0027713
2010-12-27 05:34	zigo73	Status	feedback => assigned
2010-12-27 05:44	rombert	Note Added: 0027714
2010-12-27 10:32	zigo73	Note Added: 0027730
2010-12-27 10:57	rombert	Note Added: 0027733
2011-02-07 18:54	rombert	File Added: 0001-Enable-MantisBT-to-participate-in-SSO-scenarios.patch
2011-02-08 17:01	rombert	Note Added: 0028194
2011-02-18 21:18	dhx	Target Version	1.2.5 => 1.3.x
2011-02-18 21:18	dhx	Description Updated	View Revisions
2011-02-18 21:28	dhx	Note Added: 0028256
2012-11-03 06:47	iwan	Note Added: 0033418
2012-11-04 13:39	rombert	Note Added: 0034225
2013-05-14 16:52	atrol	Relationship added	related to 0011084