
rt branch, 5.0/disable-password-option-for-authtoken, created. rt-5.0.0-4-g92300de6dc
The branch, 5.0/disable-password-option-for-authtoken has been created
at 92300de6dc1cd4498ce625154d0290f691116986 (commit)

- Log -----------------------------------------------------------------
commit eada50f40613a7651bd1d315e091ee899e489fa5
Author: Aaron Trevena <ast@bestpractical.com>
Date: Wed Jun 24 10:00:30 2020 +0100

Add config option to disable password for auth tokens

Add and document a new configuration option that stops requiring the
user's password when creating a new auth token. This solves the problem of
requiring a password in a hybrid RT where both external and local accounts
are used.

diff --git a/docs/authentication.pod b/docs/authentication.pod
index eba5b36be1..b2aa8d51f0 100644
--- a/docs/authentication.pod
+++ b/docs/authentication.pod
@@ -31,6 +31,14 @@ your RT Apache configuration to allow RT to access the Authorization header.

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line
+in RT_SiteConfig.pm :
+
+ Set($DisablePasswordForAuthToken, 1);
+
+
You can find more information about tokens in L<RT::Authen::Token>.

=head1 External Authentication
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index a7301b3436..4868ce1485 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1476,8 +1476,19 @@ fail to exist in an external service; this is so requestors who
are not in LDAP can still be created when they email in.
See L<RT::Authen::ExternalAuth> for details.

+=item C<$DisablePasswordForAuthToken>
+
+If you have a mix of local and external authentication you can disable
+requiring a password to create tokens with the following line
+in RT_SiteConfig.pm. You can find more information about tokens
+in L<RT::Authen::Token>.
+
=back

+=cut
+
+Set($DisablePasswordForAuthToken, 0);
+

=head2 Initialdata Formats

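Review bot: The new `=item` text says "with the following line in RT_SiteConfig.pm" but no example line follows it, unlike the same paragraph in docs/authentication.pod; add `Set($DisablePasswordForAuthToken, 1);` as an indented example after the paragraph. The entry also lacks the caveat a deployer needs: once enabled, anyone holding a valid web session (a hijacked browser, an unattended workstation) can mint a persistent API token without re-entering a password, so the option should be presented as a trade-off rather than a convenience. A sentence such as `Enabling this weakens token creation to session-only authentication; use it only where users have no local password to enter.` would cover it.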
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 400dd5ac22..79e54f1ad1 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1290,6 +1290,12 @@ our %META;
Widget => '/Widgets/Form/Boolean',
},

+ DisablePasswordForAuthToken => {
+ Immutable => 1,
+ Widget => '/Widgets/Form/Boolean',
+ },
+
+
ExternalSettings => {
Immutable => 1,
Obfuscate => sub {
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index ce7c78f679..b8bd1c52ac 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -5001,15 +5001,20 @@ sub ProcessAuthToken {
if ( $args_ref->{Create} ) {

# Don't require password for systems with some form of federated auth
+ # or if configured to not require a password
my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+ my $require_password = 1;
+ if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+ $require_password = 0;
+ }

if ( !length( $args_ref->{Description} ) ) {
push @results, loc("Description cannot be blank.");
}
- elsif ( $res{'CanSet'} && !length( $args_ref->{Password} ) ) {
+ elsif ( $require_password && !length( $args_ref->{Password} ) ) {
push @results, loc("Please enter your current password.");
}
- elsif ( $res{'CanSet'} && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
+ elsif ( $require_password && !$session{CurrentUser}->IsPassword( $args_ref->{Password} ) ) {
push @results, loc("Please enter your current password correctly.");
}
else {
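Review bot: The rule deciding whether a password is required (the `$require_password` block after `CurrentUserRequireToSetPassword`) is duplicated verbatim in share/html/Elements/AuthToken/Create's `<%INIT>`, and only this copy is the actual security control; if the two drift, the form and the check will disagree. Consider one helper, e.g. a sub in RT::Interface::Web or a method on the current user that returns `!RT->Config->Get('DisablePasswordForAuthToken') && $res{'CanSet'}`, and call it from both places. The local computation can also collapse to one line: `my $require_password = ( RT->Config->Get('DisablePasswordForAuthToken') || !$res{'CanSet'} ) ? 0 : 1;`. ProcessAuthToken begins before this hunk and continues after it.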
diff --git a/share/html/Elements/AuthToken/Create b/share/html/Elements/AuthToken/Create
index 653374c332..01d82cd8f1 100644
--- a/share/html/Elements/AuthToken/Create
+++ b/share/html/Elements/AuthToken/Create
@@ -57,7 +57,7 @@
<div class="modal-body">
<form method="POST">
<input type="hidden" name="Owner" value="<% $Owner %>">
-% if ( $res{'CanSet'} ){
+% if ( $require_password ){
<div class="form-row">
<div class="label col-4">
<&|/l, $session{'CurrentUser'}->Name()&>[_1]'s current password</&>:
@@ -89,8 +89,13 @@
</div>

<%INIT>
-# Don't require password for systems with some form of federated auth
+# Don't require password for systems with some form of federated auth,
+# or if configured to not require a password
my %res = $session{'CurrentUser'}->CurrentUserRequireToSetPassword();
+my $require_password = 1;
+if ( RT->Config->Get('DisablePasswordForAuthToken') or not $res{'CanSet'}) {
+ $require_password = 0;
+}
</%INIT>

<%ARGS>
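Review bot: The `$require_password` computed in this `<%INIT>` only decides whether the password field is rendered; the check that actually protects token creation is in ProcessAuthToken in lib/RT/Interface/Web.pm, which re-derives the same value. The comment should say so, so that nobody later treats this component as the enforcement point: `# Display only: RT::Interface::Web::ProcessAuthToken performs the real check with the same rule; keep the two in sync.` Fetching `%res` could also be skipped when the config flag is set, since its result is then unused.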

commit 90bbcae9197211f93fab00ae58716a2d95828870
Author: Aaron Trevena <ast@bestpractical.com>
Date: Mon Aug 3 17:18:23 2020 +0100

Add flag to not hide configuration otherwise masked as password

diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 79e54f1ad1..8bfcf96db5 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1727,6 +1727,7 @@ our %META;
},
MinimumPasswordLength => {
Widget => '/Widgets/Form/Integer',
+ DoNotObfuscate => 1,
},
MoreAboutRequestorGroupsLimit => {
Widget => '/Widgets/Form/Integer',
diff --git a/share/html/Admin/Tools/Config/Elements/Option b/share/html/Admin/Tools/Config/Elements/Option
index f10e84e284..7cfd7576b9 100644
--- a/share/html/Admin/Tools/Config/Elements/Option
+++ b/share/html/Admin/Tools/Config/Elements/Option
@@ -66,7 +66,7 @@ $doc_version =~ s/\.\d+-\d+-g\w+$//; # 4.4.3-1-g123 -> 4.4
my $name = $option->{Name};
my $meta = RT->Config->Meta( $name );
return if $meta->{Invisible} || $meta->{Deprecated};
-return if $name =~ /Password/i && $name !~ /MinimumPasswordLength/;
+return if ($name =~ /Password/i and not (defined $meta->{DoNotObfuscate} && $meta->{DoNotObfuscate}) );

my $has_execute_code = $session{CurrentUser}->HasRight(Right => 'ExecuteCode', Object => RT->System);

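Review bot: `defined $meta->{DoNotObfuscate} && $meta->{DoNotObfuscate}` is redundant, because an undefined value is already false in boolean context, so the same condition reads more clearly as `return if $name =~ /Password/i && !$meta->{DoNotObfuscate};`. The previous exemption for MinimumPasswordLength survives only because the companion lib/RT/Config.pm hunk sets `DoNotObfuscate => 1` on that option; any other option whose name contains "Password" stays hidden, which is the safe default.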
diff --git a/share/html/Admin/Tools/Configuration.html b/share/html/Admin/Tools/Configuration.html
index 5e6cdce28b..958740f9e7 100644
--- a/share/html/Admin/Tools/Configuration.html
+++ b/share/html/Admin/Tools/Configuration.html
@@ -91,7 +91,7 @@ foreach my $key ( RT->Config->Options( Overridable => undef, Sorted => 0 ) ) {
<div class="form-row <% $index_conf%2 ? 'oddline' : 'evenline'%>">
<div class="value col-4 collection-as-table"><% $key %></div>
<div class="value col-4 collection-as-table">
-% if ( $key =~ /Password/i and $key !~ /MinimumPasswordLength/ ) {
+% if ( $key =~ /Password/i and not (defined $meta->{DoNotObfuscate} && $meta->{DoNotObfuscate} ) ) {
<em><% loc('Password not printed' ) %></em>\
% } else {
<% stringify($val) |n %>\
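Review bot: The new condition reads `$meta->{DoNotObfuscate}`, but nothing in this hunk declares `$meta`, whereas the second hunk in this file adds `my $meta = RT->Config->Meta( $key );` at the top of its loop body. If the enclosing `foreach` (whose body begins before this hunk) does not already declare a `$meta` for the current `$key`, this either fails under Mason's strict mode or reuses a variable from an outer scope and decides obfuscation for the wrong option. Confirm the declaration exists, or add `my $meta = RT->Config->Meta( $key );` next to the loop's other per-key lookups.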
@@ -123,11 +123,12 @@ my $index_var;
foreach my $key ( sort keys %{*RT::} ) {
next if !${'RT::'.$key} || ref ${'RT::'.$key} || $config_opt{ $key };
$index_var++;
+ my $meta = RT->Config->Meta( $key );
</%PERL>
<div class="form-row collection-as-table <% $index_var%2 ? 'oddline' : 'evenline'%>">
<div class="value col-6 collection-as-table">RT::<% $key %></div>
<div class="value col-6 collection-as-table">
-% if ( $key =~ /Password(?!Length)/i ) {
+% if ($key =~ /Password/i and not (defined $meta->{DoNotObfuscate} && $meta->{DoNotObfuscate})) {
<em><% loc('Password not printed' ) %></em>\
% } else {
<% ${'RT::'.$key} %>
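Review bot: The keys in this loop are `RT::` package globals that the `next if ... $config_opt{ $key }` line has already filtered to exclude config options, so `RT->Config->Meta($key)` presumably returns no metadata for them and `DoNotObfuscate` can never be true here; the new condition reduces to `$key =~ /Password/i`. That is a behaviour change from the old `/Password(?!Length)/i` (a global with "PasswordLength" in its name is now hidden) — safe, but not what the code appears to intend. Either keep the old regex for this loop or add a comment such as `# Non-config RT:: globals carry no %META, so anything with Password in the name is hidden.`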
diff --git a/share/html/Admin/Tools/EditConfig.html b/share/html/Admin/Tools/EditConfig.html
index 2a33c93348..872f30357d 100644
--- a/share/html/Admin/Tools/EditConfig.html
+++ b/share/html/Admin/Tools/EditConfig.html
@@ -94,7 +94,8 @@ if (delete $ARGS{Update}) {
next if !!$val eq !!$prev;
}

- if ( $meta->{Immutable} || $meta->{Obfuscate} || ($key =~ /Password/i and $key !~ /MinimumPasswordLength/ )) {
+ if ( $meta->{Immutable} || $meta->{Obfuscate}
+ || ($key =~ /Password/i and not (defined $meta->{DoNotObfuscate} && $meta->{DoNotObfuscate} )) ) {
push @results, loc("Cannot change [_1]: Permission Denied", $key);
$has_error++;
next;
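Review bot: The predicate "name matches /Password/i and the option is not DoNotObfuscate" now appears here, in Admin/Tools/Config/Elements/Option and twice in Admin/Tools/Configuration.html; it is the policy that decides which settings are secrets that must be neither displayed nor edited from the web, so it should have a single definition. A method on RT::Config, e.g. `sub IsSensitiveOption { my ($self, $name) = @_; return $name =~ /Password/i && !( $self->Meta($name) || {} )->{DoNotObfuscate}; }`, called from all four places keeps the display code and this edit guard from drifting apart. The enclosing `if (delete $ARGS{Update})` block begins before this hunk.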

commit 92300de6dc1cd4498ce625154d0290f691116986
Author: Aaron Trevena <ast@bestpractical.com>
Date: Mon Aug 3 14:40:10 2020 +0100

Add flag to not hide new field to disable password for auth tokens

Allow editing of the new disable password for auth token field

fixup immutable new token config

diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 8bfcf96db5..409af9428e 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1291,11 +1291,10 @@ our %META;
},

DisablePasswordForAuthToken => {
- Immutable => 1,
Widget => '/Widgets/Form/Boolean',
+ DoNotObfuscate => 1,
},

-
ExternalSettings => {
Immutable => 1,
Obfuscate => sub {
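Review bot: Dropping `Immutable => 1` makes DisablePasswordForAuthToken editable from the web configuration editor (the EditConfig.html guard in the previous commit rejects only Immutable, Obfuscate and password-named options), and this option is the switch that removes the re-authentication step before minting an API token. An administrator whose browser session is hijacked could flip it and then create long-lived tokens without ever knowing a password, so consider whether this setting should remain file-only, or at least confirm the change is captured in whatever configuration change history RT keeps. If it stays web-editable, the `=item` in etc/RT_Config.pm.in should state that enabling it reduces token creation to session-only authentication. `DoNotObfuscate => 1` itself is reasonable: the value is a boolean, not a secret.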

-----------------------------------------------------------------------