Rt-auth-user

From Request Tracker Wiki

Perl script authenticating users against RT

UPDATE: this script is OK but a much cleaner solution to the problem mentioned below is using RT's REST interface. Requires RT::Authen::ExternalAuth (but you may also do without it if you need only local auth).

Problem

We have many different web applications and an RT installation that we have configured to let a lot of users log in (e.g. the sources for RT-Authen-ExternalAuth are 2 LDAP servers and 1 external DB). The users of each web application are a subset of RT's users, so we would like to use RT as a central authentication service.

Solution

A Perl script that calls RT's APIs and tries to authenticate a user in 2 steps:

  1. Against all the auth sources we configured for RT::Authen::ExternalAuth
  2. Against RT's local DB

Code

#!/usr/bin/perl -w

use lib qw(/opt/rt4/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib);

#use strict;
use RT::Interface::CLI qw(CleanEnv GetMessageContent loc);

CleanEnv();       # Clean out the environment
use RT;
RT::LoadConfig(); # Load the RT configuration
RT::Init();       # Initialise RT

use Getopt::Long;
my $username = '';   # default to empty strings so a missing option fails authentication
my $pass = '';
GetOptions ("user=s" => \$username,
            "pass=s"   => \$pass);


use RT::Authen::ExternalAuth;

my $result="";
my %session;
my ($val,$msg) = RT::Authen::ExternalAuth::DoAuth(\%session,$username,$pass);
#$RT::Logger->debug("Someone called ExternalAuth. Response: ($val, $msg)");
$result = $val;

unless($result == 1) {
  my $user = new RT::User($RT::SystemUser);
  $user->Load($username);

  if($user->IsPassword($pass)) {
    $result = "1";
  } else {
    $result = "0";
  }
}

print STDOUT $result;
exit;

 

Usage

rt-auth-user --user $username --pass $password

(Std) output

"1" if auth succeeds; "0" otherwise.


Client example (PHP)

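function auth_rt($username, $password) {
        # check the user trying to authenticate is whitelisted
        $user_row = db_getUser($username);
        if(empty($user_row)) return false;

        # now check the credentials are correct
        global $RT_HOST;
        # ssh hands the command to a shell on the RT host, so quote each argument
        # for that remote shell, then quote the whole command for the local shell
        $cmd = "/opt/rt4/sbin/custom/rt-auth-user --user " . escapeshellarg($username)
             . " --pass " . escapeshellarg($password);
        $result = shell_exec("ssh selfservice@$RT_HOST " . escapeshellarg($cmd));
        # fail closed: only an exact "1" on stdout counts as success
        if( trim((string) $result) !== "1" ) return false;
        return $user_row;
}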


This PHP function authenticates a user against an RT installation.

Note. In the first lines we have implemented an authorization mechanism based on a whitelist of users that are able to log in to our PHP application.

Note2. This function is supposed to have input validated by some other methods (e.g. in the Model class), as a precondition.
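
Both rt-auth-user and the PHP client above pass the password as a command-line argument, which on most Unix systems other local users can read from the process list on the web host and on the RT host. The following added example (not part of the original page) sends the credentials over ssh's standard input instead; it assumes a hypothetical variant of the script, `rt-auth-user-stdin`, that reads the username from the first line of STDIN and the password from the second and prints "1" or "0" as rt-auth-user does.

```php
<?php
// Added example, not from the original page.
// Assumption: rt-auth-user-stdin is a hypothetical variant of rt-auth-user
// that reads "username\npassword\n" from STDIN instead of using --user/--pass.
const RT_AUTH_CMD = '/opt/rt4/sbin/custom/rt-auth-user-stdin'; // hypothetical path

function auth_rt_stdin(string $rt_host, string $username, string $password): bool
{
    // A newline or NUL inside either value would break the two-line framing,
    // so refuse such input instead of sending it (fail closed).
    if ($username === '' || preg_match('/[\r\n\0]/', $username . $password)) {
        return false;
    }

    // The array form of proc_open (PHP >= 7.4) executes ssh directly, without
    // a local shell. The remote command line is a constant, so no user input
    // is ever parsed by the shell on the RT host either.
    $argv = ['ssh', '-o', 'BatchMode=yes', "selfservice@$rt_host", RT_AUTH_CMD];
    $spec = [
        0 => ['pipe', 'r'],              // child's stdin: we write credentials
        1 => ['pipe', 'w'],              // child's stdout: we read the verdict
        2 => ['file', '/dev/null', 'w'], // discard ssh/Perl diagnostics
    ];

    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    // Credentials travel inside the ssh channel, never in any argv.
    fwrite($pipes[0], $username . "\n" . $password . "\n");
    fclose($pipes[0]);

    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);

    // Only an exact "1" is success; empty output (ssh failure, script
    // error) or anything unexpected is treated as a failed login.
    return trim((string) $out) === '1';
}
```

The whitelist lookup from `auth_rt()` still has to run before this call; on the Perl side, the change is to read two lines from STDIN and `chomp` them in place of the `GetOptions` call.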