Bugzilla::Auth - An object that authenticates the login credentials for a user.
Handles authentication for Bugzilla users.
Authentication from Bugzilla involves two sets of modules. One set is used to obtain the username/password (from CGI, email, etc), and the other set uses this data to authenticate against the datasource (the Bugzilla DB, LDAP, PAM, etc.).
Modules for obtaining the username/password are subclasses of Bugzilla::Auth::Login, and modules for authenticating are subclasses of Bugzilla::Auth::Verify.
Whenever a method in the Bugzilla::Auth family fails in some way,
it will return a hashref containing at least a single key called failure.
failure will point to an integer error code,
and depending on the error code the hashref may contain more data.
The error codes are explained here below.
AUTH_NODATAInsufficient login data was provided by the user. This may happen in several cases, such as cookie authentication when the cookie is not present.
AUTH_ERRORAn error occurred when trying to use the login mechanism.
The hashref will also contain an error element,
which is the name of an error from template/en/default/global/code-error.html -- the same type of error that would be thrown by Bugzilla::Error::ThrowCodeError.
The hashref *may* contain an element called details,
which is a hashref that should be passed to Bugzilla::Error::ThrowCodeError as the various fields to be used in the error message.
AUTH_LOGINFAILEDAn incorrect username or password was given.
AUTH_NO_SUCH_USERThis is an optional more-specific version of AUTH_LOGINFAILED.
Modules should throw this error when they discover that the requested user account actually does not exist,
according to them.
That is, for example, Bugzilla::Auth::Verify::LDAP would throw this if the user didn't exist in LDAP.
The difference between AUTH_NO_SUCH_USER and AUTH_LOGINFAILED should never be communicated to the user,
for security reasons.
AUTH_DISABLEDThe user successfully logged in,
but their account has been disabled.
Usually this is throw only by Bugzilla::Auth::login.
The login function (below) can do different types of login,
depending on what constant you pass into it:
LOGIN_OPTIONALA login is never required to access this data. Attempting to login is still useful, because this allows the page to be personalised. Note that an incorrect login will still trigger an error, even though the lack of a login will be OK.
LOGIN_NORMALA login may or may not be required, depending on the setting of the requirelogin parameter. This is the default if you don't specify a type.
LOGIN_REQUIREDA login is always required to access this data.
These are methods that can be called on a Bugzilla::Auth object itself.
login($type)Description: Logs a user in.
For more details on how this works internally,
see the section entitled "STRUCTURE." Params: $type - One of the Login Types from above.
Returns: An authenticated Bugzilla::User.
Or,
if the type was not LOGIN_REQUIRED,
then we return an empty Bugzilla::User if no login data was passed in.
These are methods that give information about the Bugzilla::Auth object.
can_change_passwordDescription: Tells you whether or not the current login system allows changing passwords.
Params: None Returns: true if users and administrators should be allowed to change passwords,
false otherwise.
can_loginDescription: Tells you whether or not the current login system allows users to log in through the web interface.
Params: None Returns: true if users can log in through the web interface,
false otherwise.
can_logoutDescription: Tells you whether or not the current login system allows users to log themselves out.
Params: None Returns: true if users can log themselves out,
false otherwise.
If a user isn't logged in,
we always return false.
user_can_create_accountDescription: Tells you whether or not users are allowed to manually create their own accounts,
based on the current login system in use.
Note that this doesn't check the createemailregexp parameter--you have to do that by yourself in your code.
Params: None Returns: true if users are allowed to create new Bugzilla accounts,
false otherwise.
can_change_emailDescription: Whether or not the current login system allows users to change their own email address.
Params: None Returns: true if users can change their own email address,
false otherwise.
This section is mostly interesting to developers who want to implement a new authentication type.
It describes the general structure of the Bugzilla::Auth family,
and how the login function works.
A Bugzilla::Auth object is essentially a collection of a few other objects: the "Info Getter," the "Verifier," and the "Persistence Mechanism."
They are used inside the login function in the following order:
This is a Bugzilla::Auth::Login object.
Basically,
it gets the username and password from the user,
somehow.
Or,
it just gets enough information to uniquely identify a user,
and passes that on down the line.
(For example,
a user_id is enough to uniquely identify a user,
even without a username and password.)
Some Info Getters don't require any verification.
For example,
if we got the user_id from a Cookie,
we don't need to check the username and password.
If an Info Getter returns only a user_id and no username/password,
then it MUST NOT require verification.
If an Info Getter requires verfication,
then it MUST return at least a username.
This verifies that the username and password are valid.
It's possible that some methods of verification don't require a password.
This makes it so that the user doesn't have to log in on every page. Normally this object just sends a cookie to the user's web browser, as that's the most common method of "login persistence."
After we verify the username and password, sometimes we automatically create an account in the Bugzilla database, for certain authentication types. We use the "Account Source" to get data about the user, and create them in the database. (Or, if their data has changed since the last time they logged in, their data gets updated.)
$login_data HashAll of the Bugzilla::Auth::Login and Bugzilla::Auth::Verify methods take an argument called $login_data.
This is basically a hash that becomes more and more populated as we go through the login function.
All Bugzilla::Auth::Login and Bugzilla::Auth::Verify methods also *return* the $login_data structure,
when they succeed.
They may have added new data to it.
For all Bugzilla::Auth::Login and Bugzilla::Auth::Verify methods,
the rule is "you must return the same hashref you were passed in." You can modify the hashref all you want,
but you can't create a new one.
The only time you can return a new one is if you're returning some error code instead of the $login_data structure.
Each Bugzilla::Auth::Login or Bugzilla::Auth::Verify method explains in its documentation which $login_data elements are required by it,
and which are set by it.
Here are all of the elements that *may* be in $login_data:
user_idA Bugzilla user_id that uniquely identifies a user.
usernameThe username that was provided by the user.
bz_usernameThe username of this user inside of Bugzilla.
Sometimes this differs from username.
passwordThe password provided by the user.
realnameThe real name of the user.
extern_idSome string that uniquely identifies the user in an external account source.
If this extern_id already exists in the database with a different username,
the username will be *changed* to be the username specified in this $login_data.
That is,
let's my extern_id is mkanat.
I already have an account in Bugzilla with the username of mkanat@foo.com.
But this time,
when I log in,
I have an extern_id of mkanat and a username of mkanat@bar.org.
So now,
Bugzilla will automatically change my username to mkanat@bar.org instead of mkanat@foo.com.
userA Bugzilla::User object representing the authenticated user.
Note that Bugzilla::Auth::login may modify this object at various points.