Changeset 1662
- Timestamp:
- 11/11/08 17:45:35 (2 months ago)
- Files:
-
- trunk/opsview-web/lib/Opsview/Web/Controller/Root.pm (modified) (1 diff)
- trunk/opsview-web/t/040auth.t (modified) (2 diffs)
- trunk/opsview-web/t/800login.t (modified) (5 diffs)
trunk/opsview-web/lib/Opsview/Web/Controller/Root.pm
r1656 r1662 143 143 } 144 144 145 # Check session matches with auth_tkt user146 # Need this, otherwise effectively logs in user each time147 if ($c->user_exists) {148 # For some reason, sometimes $c->user could return undef back149 if ($c->user && $info->{'uid'} ne $c->user->username()) {150 $c->stash( login_error => $c->loc("Authentication ticket does not match with existing session user") );151 my $audit_text = $c->loc("Authentication ticket contains '[_1]' but current session is '[_2]'", $info->{uid}, $c->user->username());152 $c->log->info($audit_text);153 Opsview::Auditlog->system($audit_text);154 $c->forward("/expire_ticket");155 return 0;156 }157 }158 159 145 # Create user 146 # If a session cookie is found, will restore the user from the session cookie 147 # This also will check that the user exists in the database 160 148 if (! $c->user) { 161 149 $c->log->debug("Going to retrieve info for $info->{'uid'}"); trunk/opsview-web/t/040auth.t
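Review bot: The new comment at lines 145-147 says what the session-restore path does but not why the ticket uid no longer has to match the session user, which is the security-relevant consequence of this hunk: with only `if (! $c->user)` left, a request carrying a valid auth_tkt for one uid alongside an opsview_web_session cookie for another user appears to proceed as the session user, and the audit-log entry that used to record that mismatch is gone with it. The test comment in 800login.t attributes this to authtkt_default_username, so state it here, e.g. `# Ticket uid is deliberately not compared with the session user (authtkt_default_username): a user restored from the session cookie takes precedence over the ticket.` If the mismatch is still worth seeing in the audit trail, an `Opsview::Auditlog->system(...)` call guarded by `$info->{'uid'} ne $c->user->username()`, without the `/expire_ticket` forward, would keep detection without changing the new login behaviour. The enclosing subroutine (validate_ticket, judging by 040auth.t) starts and ends outside the hunk.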
r1635 r1662 1 1 #!/usr/bin/perl 2 2 3 use Test::More tests => 33;3 use Test::More tests => 29; 4 4 5 5 use FindBin qw($Bin); … … 87 87 is( $stash->{login_error}, "Authentication ticket has expired" ); 88 88 89 $forward = "";90 89 $c->config->{session}->{expires} = 4000; 91 $c->set_true("user_exists");92 $rc = Opsview::Web::Controller::Root->validate_ticket( $c );93 is( $rc, 0, "Returned 0 because of different userid in ticket" );94 is( $log_info, "Authentication ticket contains '[_1]' but current session is '[_2]'" );95 is( $forward, "/expire_ticket" );96 is( $stash->{login_error}, "Authentication ticket does not match with existing session user" );97 90 98 91 $forward = ""; trunk/opsview-web/t/800login.t
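Review bot: The removed assertions at old lines 91-96 were the only coverage of a ticket whose uid differs from the session user, and nothing is added to pin the new behaviour that such a request keeps the session instead of being forwarded to /expire_ticket. A replacement case after the `expires = 4000` line would document the intended semantics, e.g. `$c->set_true("user_exists"); $rc = Opsview::Web::Controller::Root->validate_ticket( $c ); isnt( $forward, "/expire_ticket", "Mismatched ticket uid no longer expires the session" );`, with the plan count adjusted accordingly. Whether the mock's `user` returns a username here is not visible in the hunk, so the exact assertions may need adapting.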
r1502 r1662 17 17 use Opsview::Contact; 18 18 19 use Test::More tests => 3 1;19 use Test::More tests => 37; 20 20 use Test::Deep; 21 21 … … 97 97 98 98 99 # NOTE: This is no longer checked because of authtkt_default_username 99 100 # Have a ticket with a mismatch of uid 100 $hacked_auth_tkt->[1] = $tkt->ticket( uid => "differentadmin", ip_addr => "127.0.0.1" );101 $cookies_hash->{auth_tkt} = $hacked_auth_tkt;102 $cookies_hash->{opsview_web_session} = $saved_session;103 $ua->get("http://$hostname/status/hostgroup");104 like( $ua->content, "/login_username/", "Got login page" );105 like( $ua->content, "/authentication ticket does not match with existing session user/i", "Got mismatch of usernames error" );101 #$hacked_auth_tkt->[1] = $tkt->ticket( uid => "differentadmin", ip_addr => "127.0.0.1" ); 102 #$cookies_hash->{auth_tkt} = $hacked_auth_tkt; 103 #$cookies_hash->{opsview_web_session} = $saved_session; 104 #$ua->get("http://$hostname/status/hostgroup"); 105 #like( $ua->content, "/login_username/", "Got login page" ); 106 #like( $ua->content, "/authentication ticket does not match with existing session user/i", "Got mismatch of usernames error" ); 106 107 107 108 … … 142 143 143 144 145 144 146 # Test with a newly generated ticket cookie. Add the cookie directly to the request 145 147 use HTTP::Request; … … 149 151 my $response = $ua->request( $request ); 150 152 like( $response->content, "/Status Summary For Hostgroup Opsview/", "Found HH page from self generated cookie"); 151 152 153 153 154 # Try same, but use ip_addr as 0.0.0.0. 
This should fail because Opsview will use the incoming ip address … … 159 160 like( $response->content, "/Invalid authentication ticket/i", "Displayed error of invalid authentication ticket" ); 160 161 162 163 164 165 # This test is to prove that a user which is deleted in the backend will not be 166 # allowed access in again, even if they have an authtkt and a session cookie 167 $ua = WWW::Mechanize->new; 168 $res = $ua->get("http://$hostname/"); 169 ok( $res->is_success, "Got successful response" ); 170 is( $res->code, 200, "Status 200" ); 171 like( $res->content, "/login_username/s", "Returned login_username, so is a login page" ); 172 unlike( $res->content, "/<h3>/s", "Check that no login error is displayed" ); 173 174 $ua->field( 'login_username', 'somehosts' ); 175 $ua->field( 'login_password', 'somehosts' ); 176 $ua->current_form->action; 177 $ua->submit; 178 179 ok( $ua->res->is_success, "Successful reply" ); 180 181 $ua->get("http://$hostname/"); 182 like( $ua->content, "/Status Summary/" ); 183 184 Opsview::Contact->search( name => "somehosts" )->delete_all; 185 $ua->get("http://$hostname/"); 186 like( $ua->content, "/login_username/s", "Login page" ); 187 like( $ua->content, "/Authentication ticket found, but user does not exist/" );
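Review bot: The mismatch test at new lines 101-106 is commented out rather than removed or skipped, so the NOTE above it will drift as the file changes and the case cannot be revived without re-validating it; a `SKIP:` block with a reason, or plain deletion given that revision history keeps the old lines, would be cleaner. In the new deleted-user test, `$ua->current_form->action;` at new line 176 is evaluated in void context and does nothing, and the `like` assertions at new lines 182 and 187 have no description unlike their neighbours, e.g. `like( $ua->content, "/Authentication ticket found, but user does not exist/", "Deleted user with valid ticket and session is refused" );`. The `delete_all` on the somehosts contact at new line 184 leaves that fixture removed for anything that runs after it; whether something recreates it is not visible here.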
