X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=SL%2FAuth.pm;h=2323a28412243e8332713e1fdf1b0014566a2575;hb=3a7079558f44e4b80670327e70b565c8caf52a0e;hp=2e49aff302e63f73c28fcb0779b305c89ecce368;hpb=dbda14c263efd93aca3b7114015a47d86b8581e3;p=kivitendo-erp.git diff --git a/SL/Auth.pm b/SL/Auth.pm index 2e49aff30..2323a2841 100644 --- a/SL/Auth.pm +++ b/SL/Auth.pm @@ -7,6 +7,7 @@ use IO::File; use Time::HiRes qw(gettimeofday); use List::MoreUtils qw(uniq); use YAML; +use Regexp::IPv6 qw($IPv6_re); use SL::Auth::ColumnInformation; use SL::Auth::Constants qw(:all); @@ -32,18 +33,12 @@ use Rose::Object::MakeMethods::Generic ( sub new { - $main::lxdebug->enter_sub(); + my ($type, %params) = @_; + my $self = bless {}, $type; - my $type = shift; - my $self = {}; - - bless $self, $type; - - $self->_read_auth_config(); + $self->_read_auth_config(%params); $self->reset; - $main::lxdebug->leave_sub(); - return $self; } @@ -98,17 +93,21 @@ sub mini_error { } sub _read_auth_config { - $main::lxdebug->enter_sub(); - - my $self = shift; + my ($self, %params) = @_; map { $self->{$_} = $::lx_office_conf{authentication}->{$_} } keys %{ $::lx_office_conf{authentication} }; # Prevent password leakage to log files when dumping Auth instances. $self->{admin_password} = sub { $::lx_office_conf{authentication}->{admin_password} }; - $self->{DB_config} = $::lx_office_conf{'authentication/database'}; - $self->{LDAP_config} = $::lx_office_conf{'authentication/ldap'}; + if ($params{unit_tests_database}) { + $self->{DB_config} = $::lx_office_conf{'testing/database'}; + $self->{module} = 'DB'; + + } else { + $self->{DB_config} = $::lx_office_conf{'authentication/database'}; + $self->{LDAP_config} = $::lx_office_conf{'authentication/ldap'}; + } if ($self->{module} eq 'DB') { $self->{authenticator} = SL::Auth::DB->new($self); @@ -138,8 +137,6 @@ sub _read_auth_config { $self->{session_timeout} *= 1; $self->{session_timeout} = 8 * 60 if (!$self->{session_timeout}); - - $main::lxdebug->leave_sub(); } sub has_access_to_client { @@ -160,18 +157,14 @@ SQL } sub authenticate_root { - $main::lxdebug->enter_sub(); - my ($self, $password) = @_; my $session_root_auth = $self->get_session_value(SESSION_KEY_ROOT_AUTH()); if (defined $session_root_auth && $session_root_auth == OK) { - $::lxdebug->leave_sub; return OK; } if (!defined $password) { - $::lxdebug->leave_sub; return ERR_PASSWORD; } @@ -181,35 +174,27 @@ sub authenticate_root { my $result = $password eq $admin_password ? OK : ERR_PASSWORD; $self->set_session_value(SESSION_KEY_ROOT_AUTH() => $result); - $::lxdebug->leave_sub; return $result; } sub authenticate { - $main::lxdebug->enter_sub(); - my ($self, $login, $password) = @_; if (!$self->client || !$self->has_access_to_client($login)) { - $::lxdebug->leave_sub; return ERR_PASSWORD; } my $session_auth = $self->get_session_value(SESSION_KEY_USER_AUTH()); if (defined $session_auth && $session_auth == OK) { - $::lxdebug->leave_sub; return OK; } if (!defined $password) { - $::lxdebug->leave_sub; return ERR_PASSWORD; } my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER; $self->set_session_value(SESSION_KEY_USER_AUTH() => $result, login => $login, client_id => $self->client->{id}); - - $::lxdebug->leave_sub; return $result; } @@ -232,13 +217,10 @@ sub get_stored_password { } sub dbconnect { - $main::lxdebug->enter_sub(2); - my $self = shift; my $may_fail = shift; if ($self->{dbh}) { - $main::lxdebug->leave_sub(2); return $self->{dbh}; } @@ -257,27 +239,19 @@ sub dbconnect { $main::form->error($main::locale->text('The connection to the authentication database failed:') . "\n" . $DBI::errstr); } - $main::lxdebug->leave_sub(2); - return $self->{dbh}; } sub dbdisconnect { - $main::lxdebug->enter_sub(); - my $self = shift; if ($self->{dbh}) { $self->{dbh}->disconnect(); delete $self->{dbh}; } - - $main::lxdebug->leave_sub(); } sub check_tables { - $main::lxdebug->enter_sub(); - my ($self, $dbh) = @_; $dbh ||= $self->dbconnect(); @@ -285,26 +259,18 @@ sub check_tables { my ($count) = $dbh->selectrow_array($query); - $main::lxdebug->leave_sub(); - return $count > 0; } sub check_database { - $main::lxdebug->enter_sub(); - my $self = shift; my $dbh = $self->dbconnect(1); - $main::lxdebug->leave_sub(); - return $dbh ? 1 : 0; } sub create_database { - $main::lxdebug->enter_sub(); - my $self = shift; my %params = @_; @@ -354,25 +320,17 @@ sub create_database { } $dbh->disconnect(); - - $main::lxdebug->leave_sub(); } sub create_tables { - $main::lxdebug->enter_sub(); - my $self = shift; my $dbh = $self->dbconnect(); $dbh->rollback(); SL::DBUpgrade2->new(form => $::form)->process_query($dbh, 'sql/auth_db.sql'); - - $main::lxdebug->leave_sub(); } sub save_user { - $main::lxdebug->enter_sub(); - my $self = shift; my $login = shift; my %params = @_; @@ -409,8 +367,6 @@ sub save_user { } $dbh->commit(); - - $main::lxdebug->leave_sub(); } sub can_change_password { @@ -420,20 +376,14 @@ sub can_change_password { } sub change_password { - $main::lxdebug->enter_sub(); - my ($self, $login, $new_password) = @_; my $result = $self->{authenticator}->change_password($login, $new_password); - $main::lxdebug->leave_sub(); - return $result; } sub read_all_users { - $main::lxdebug->enter_sub(); - my $self = shift; my $dbh = $self->dbconnect(); @@ -466,14 +416,10 @@ sub read_all_users { $sth->finish(); - $main::lxdebug->leave_sub(); - return %users; } sub read_user { - $main::lxdebug->enter_sub(); - my ($self, %params) = @_; my $dbh = $self->dbconnect(); @@ -513,35 +459,30 @@ sub read_user { $sth->finish(); - $main::lxdebug->leave_sub(); - return %user_data; } sub get_user_id { - $main::lxdebug->enter_sub(); - my $self = shift; my $login = shift; my $dbh = $self->dbconnect(); my ($id) = selectrow_query($main::form, $dbh, qq|SELECT id FROM auth."user" WHERE login = ?|, $login); - $main::lxdebug->leave_sub(); - return $id; } sub delete_user { - $::lxdebug->enter_sub; - my $self = shift; my $login = shift; my $dbh = $self->dbconnect; my $id = $self->get_user_id($login); - $dbh->rollback and return $::lxdebug->leave_sub if (!$id); + if (!$id) { + $dbh->rollback; + return; + } $dbh->begin_work; @@ -553,8 +494,6 @@ sub delete_user { # do_query($::form, $u_dbh, qq|UPDATE employee SET deleted = 't' WHERE login = ?|, $login) if $u_dbh && $user_db_exists; $dbh->commit; - - $::lxdebug->leave_sub; } # -------------------------------------- @@ -562,8 +501,6 @@ sub delete_user { my $session_id; sub restore_session { - $main::lxdebug->enter_sub(); - my $self = shift; $session_id = $::request->{cgi}->cookie($self->get_session_cookie_name()); @@ -572,7 +509,6 @@ sub restore_session { $self->{SESSION} = { }; if (!$session_id) { - $main::lxdebug->leave_sub(); return $self->session_restore_result(SESSION_NONE()); } @@ -582,7 +518,6 @@ sub restore_session { # Don't fail if the auth DB doesn't yet. if (!( $dbh = $self->dbconnect(1) )) { - $::lxdebug->leave_sub; return $self->session_restore_result(SESSION_NONE()); } @@ -592,7 +527,6 @@ sub restore_session { if (!($sth = $dbh->prepare($query)) || !$sth->execute($session_id)) { $sth->finish if $sth; - $::lxdebug->leave_sub; return $self->session_restore_result(SESSION_NONE()); } @@ -602,16 +536,15 @@ sub restore_session { # The session ID provided is valid in the following cases: # 1. session ID exists in the database # 2. hasn't expired yet - # 3. if form field '{AUTH}api_token' is given: form field must equal database column 'auth.session.api_token' for the session ID - # 4. if form field '{AUTH}api_token' is NOT given then: the requestee's IP address must match the stored IP address + # 3. if cookie for the API token is given: the cookie's value equal database column 'auth.session.api_token' for the session ID + # 4. if cookie for the API token is NOT given then: the requestee's IP address must match the stored IP address $self->{api_token} = $cookie->{api_token} if $cookie; my $api_token_cookie = $self->get_api_token_cookie; my $cookie_is_bad = !$cookie || $cookie->{is_expired}; $cookie_is_bad ||= $api_token_cookie && ($api_token_cookie ne $cookie->{api_token}) if $api_token_cookie; - $cookie_is_bad ||= $cookie->{ip_address} ne $ENV{REMOTE_ADDR} if !$api_token_cookie; + $cookie_is_bad ||= $cookie->{ip_address} ne $ENV{REMOTE_ADDR} if !$api_token_cookie && $ENV{REMOTE_ADDR} !~ /^$IPv6_re$/; if ($cookie_is_bad) { $self->destroy_session(); - $main::lxdebug->leave_sub(); return $self->session_restore_result($cookie ? SESSION_EXPIRED() : SESSION_NONE()); } @@ -621,8 +554,6 @@ sub restore_session { $self->_load_without_auto_restore_column($dbh, $session_id); } - $main::lxdebug->leave_sub(); - return $self->session_restore_result(SESSION_OK()); } @@ -705,8 +636,6 @@ SQL } sub destroy_session { - $main::lxdebug->enter_sub(); - my $self = shift; if ($session_id) { @@ -724,8 +653,6 @@ sub destroy_session { $session_id = undef; $self->{SESSION} = { }; } - - $main::lxdebug->leave_sub(); } sub active_session_ids { @@ -740,11 +667,9 @@ sub active_session_ids { } sub expire_sessions { - $main::lxdebug->enter_sub(); - my $self = shift; - $main::lxdebug->leave_sub and return if !$self->session_tables_present; + return if !$self->session_tables_present; my $dbh = $self->dbconnect(); @@ -769,20 +694,14 @@ sub expire_sessions { $dbh->commit(); } - - $main::lxdebug->leave_sub(); } sub _create_session_id { - $main::lxdebug->enter_sub(); - my @data; map { push @data, int(rand() * 255); } (1..32); my $id = md5_hex(pack 'C*', @data); - $main::lxdebug->leave_sub(); - return $id; } @@ -791,13 +710,12 @@ sub create_or_refresh_session { } sub save_session { - $::lxdebug->enter_sub; my $self = shift; my $provided_dbh = shift; my $dbh = $provided_dbh || $self->dbconnect(1); - $::lxdebug->leave_sub && return unless $dbh && $session_id; + return unless $dbh && $session_id; $dbh->begin_work unless $provided_dbh; @@ -805,7 +723,6 @@ sub save_session { # the admin is just trying to create the auth database. if (!$dbh->do(qq|LOCK auth.session_content|)) { $dbh->rollback unless $provided_dbh; - $::lxdebug->leave_sub; return; } @@ -857,12 +774,9 @@ sub save_session { } $dbh->commit() unless $provided_dbh; - $::lxdebug->leave_sub; } sub set_session_value { - $main::lxdebug->enter_sub(); - my $self = shift; my @params = @_; @@ -883,32 +797,22 @@ sub set_session_value { } } - $main::lxdebug->leave_sub(); - return $self; } sub delete_session_value { - $main::lxdebug->enter_sub(); - my $self = shift; $self->{SESSION} ||= { }; delete @{ $self->{SESSION} }{ @_ }; - $main::lxdebug->leave_sub(); - return $self; } sub get_session_value { - $main::lxdebug->enter_sub(); - my $self = shift; my $data = $self->{SESSION} && $self->{SESSION}->{ $_[0] } ? $self->{SESSION}->{ $_[0] }->get : undef; - $main::lxdebug->leave_sub(); - return $data; } @@ -987,108 +891,61 @@ sub get_api_token_cookie { $::request->{cgi}->cookie($self->get_session_cookie_name(type => 'api_token')); } -sub session_tables_present { - $main::lxdebug->enter_sub(); +sub is_api_token_cookie_valid { + my ($self) = @_; + my $provided_api_token = $self->get_api_token_cookie; + return $self->{api_token} && $provided_api_token && ($self->{api_token} eq $provided_api_token); +} - my $self = shift; +sub _tables_present { + my ($self, @tables) = @_; + my $cache_key = join '_', @tables; # Only re-check for the presence of auth tables if either the check # hasn't been done before of if they weren't present. - if ($self->{session_tables_present}) { - $main::lxdebug->leave_sub(); - return $self->{session_tables_present}; - } - - my $dbh = $self->dbconnect(1); + return $self->{"$cache_key\_tables_present"} ||= do { + my $dbh = $self->dbconnect(1); - if (!$dbh) { - $main::lxdebug->leave_sub(); - return 0; - } + if (!$dbh) { + return 0; + } - my $query = - qq|SELECT COUNT(*) - FROM pg_tables - WHERE (schemaname = 'auth') - AND (tablename IN ('session', 'session_content'))|; + my $query = + qq|SELECT COUNT(*) + FROM pg_tables + WHERE (schemaname = 'auth') + AND (tablename IN (@{[ join ', ', ('?') x @tables ]}))|; - my ($count) = selectrow_query($main::form, $dbh, $query); + my ($count) = selectrow_query($main::form, $dbh, $query, @tables); - $self->{session_tables_present} = 2 == $count; + return scalar @tables == $count; + } +} - $main::lxdebug->leave_sub(); +sub session_tables_present { + $_[0]->_tables_present('session', 'session_content'); +} - return $self->{session_tables_present}; +sub master_rights_present { + $_[0]->_tables_present('master_rights'); } # -------------------------------------- sub all_rights_full { - my $locale = $main::locale; - - my @all_rights = ( - ["--crm", $locale->text("CRM optional software")], - ["crm_search", $locale->text("CRM search")], - ["crm_new", $locale->text("CRM create customers, vendors and contacts")], - ["crm_service", $locale->text("CRM services")], - ["crm_admin", $locale->text("CRM admin")], - ["crm_adminuser", $locale->text("CRM user")], - ["crm_adminstatus", $locale->text("CRM status")], - ["crm_email", $locale->text("CRM send email")], - ["crm_termin", $locale->text("CRM termin")], - ["crm_opportunity", $locale->text("CRM opportunity")], - ["crm_knowhow", $locale->text("CRM know how")], - ["crm_follow", $locale->text("CRM follow up")], - ["crm_notices", $locale->text("CRM notices")], - ["crm_other", $locale->text("CRM other")], - ["--master_data", $locale->text("Master Data")], - ["customer_vendor_edit", $locale->text("Create customers and vendors. Edit all vendors. Edit only customers where salesman equals employee (login)")], - ["customer_vendor_all_edit", $locale->text("Create customers and vendors. Edit all vendors. Edit all customers")], - ["part_service_assembly_edit", $locale->text("Create and edit parts, services, assemblies")], - ["project_edit", $locale->text("Create and edit projects")], - ["--ar", $locale->text("AR")], - ["sales_quotation_edit", $locale->text("Create and edit sales quotations")], - ["sales_order_edit", $locale->text("Create and edit sales orders")], - ["sales_delivery_order_edit", $locale->text("Create and edit sales delivery orders")], - ["invoice_edit", $locale->text("Create and edit invoices and credit notes")], - ["dunning_edit", $locale->text("Create and edit dunnings")], - ["sales_all_edit", $locale->text("View/edit all employees sales documents")], - ["edit_prices", $locale->text("Edit prices and discount (if not used, textfield is ONLY set readonly)")], - ["--ap", $locale->text("AP")], - ["request_quotation_edit", $locale->text("Create and edit RFQs")], - ["purchase_order_edit", $locale->text("Create and edit purchase orders")], - ["purchase_delivery_order_edit", $locale->text("Create and edit purchase delivery orders")], - ["vendor_invoice_edit", $locale->text("Create and edit vendor invoices")], - ["--warehouse_management", $locale->text("Warehouse management")], - ["warehouse_contents", $locale->text("View warehouse content")], - ["warehouse_management", $locale->text("Warehouse management")], - ["--general_ledger_cash", $locale->text("General ledger and cash")], - ["general_ledger", $locale->text("Transactions, AR transactions, AP transactions")], - ["datev_export", $locale->text("DATEV Export")], - ["cash", $locale->text("Receipt, payment, reconciliation")], - ["--reports", $locale->text('Reports')], - ["report", $locale->text('All reports')], - ["advance_turnover_tax_return", $locale->text('Advance turnover tax return')], - ["--batch_printing", $locale->text("Batch Printing")], - ["batch_printing", $locale->text("Batch Printing")], - ["--others", $locale->text("Others")], - ["email_bcc", $locale->text("May set the BCC field when sending emails")], - ["config", $locale->text("Change kivitendo installation settings (all menu entries beneath 'System')")], - ["admin", $locale->text("Administration (Used to access instance administration from user logins)")], - ["productivity", $locale->text("Productivity")], - ["display_admin_link", $locale->text("Show administration link")], - ); - - return @all_rights; + my ($self) = @_; + + @{ $self->{master_rights} ||= do { + $self->dbconnect->selectall_arrayref("SELECT name, description, category FROM auth.master_rights ORDER BY id"); + } + } } sub all_rights { - return grep !/^--/, map { $_->[0] } all_rights_full(); + return map { $_->[0] } grep { !$_->[2] } $_[0]->all_rights_full; } sub read_groups { - $main::lxdebug->enter_sub(); - my $self = shift; my $form = $main::form; @@ -1132,18 +989,14 @@ sub read_groups { $group->{rights}->{$row->{right}} |= $row->{granted}; } - map { $group->{rights}->{$_} = 0 if (!defined $group->{rights}->{$_}); } all_rights(); + map { $group->{rights}->{$_} = 0 if (!defined $group->{rights}->{$_}); } $self->all_rights; } $sth->finish(); - $main::lxdebug->leave_sub(); - return $groups; } sub save_group { - $main::lxdebug->enter_sub(); - my $self = shift; my $group = shift; @@ -1184,13 +1037,9 @@ sub save_group { $sth->finish(); $dbh->commit(); - - $main::lxdebug->leave_sub(); } sub delete_group { - $main::lxdebug->enter_sub(); - my $self = shift; my $id = shift; @@ -1204,13 +1053,9 @@ sub delete_group { do_query($form, $dbh, qq|DELETE FROM auth."group" WHERE id = ?|, $id); $dbh->commit(); - - $main::lxdebug->leave_sub(); } sub evaluate_rights_ary { - $main::lxdebug->enter_sub(2); - my $ary = shift; my $value = 0; @@ -1236,14 +1081,10 @@ sub evaluate_rights_ary { } } - $main::lxdebug->leave_sub(2); - return $value; } sub _parse_rights_string { - $main::lxdebug->enter_sub(2); - my $self = shift; my $login = shift; @@ -1270,7 +1111,6 @@ sub _parse_rights_string { pop @stack; if (!@stack) { - $main::lxdebug->leave_sub(2); return 0; } @@ -1286,14 +1126,10 @@ sub _parse_rights_string { my $result = ($access || (1 < scalar @stack)) ? 0 : evaluate_rights_ary($stack[0]); - $main::lxdebug->leave_sub(2); - return $result; } sub check_right { - $main::lxdebug->enter_sub(2); - my $self = shift; my $login = shift; my $right = shift; @@ -1312,17 +1148,13 @@ sub check_right { my $granted = $self->{FULL_RIGHTS}->{$login}->{$right}; $granted = $default if (!defined $granted); - $main::lxdebug->leave_sub(2); - return $granted; } sub assert { - $::lxdebug->enter_sub(2); my ($self, $right, $dont_abort) = @_; if ($self->check_right($::myconfig{login}, $right)) { - $::lxdebug->leave_sub(2); return 1; } @@ -1331,19 +1163,17 @@ sub assert { $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); } - $::lxdebug->leave_sub(2); - return 0; } sub load_rights_for_user { - $::lxdebug->enter_sub; - my ($self, $login) = @_; my $dbh = $self->dbconnect; my ($query, $sth, $row, $rights); - $rights = { map { $_ => 0 } all_rights() }; + $rights = { map { $_ => 0 } $self->all_rights }; + + return $rights if !$self->client || !$login; $query = qq|SELECT gr."right", gr.granted @@ -1365,8 +1195,6 @@ sub load_rights_for_user { } $sth->finish(); - $::lxdebug->leave_sub; - return $rights; } @@ -1381,7 +1209,7 @@ __END__ SL::Auth - Authentication and session handling -=head1 FUNCTIONS +=head1 METHODS =over 4 @@ -1431,7 +1259,7 @@ Stores the session values in the database. This is the only function that actually stores stuff in the database. Neither the various setters nor the deleter access the database. -=item +=item C Stores the content of C<$params{form}> (default: C<$::form>) in the session using L. @@ -1445,7 +1273,7 @@ can be given as an array ref in C<$params{skip_keys}>. Returns the unique key under which the form is stored. -=item +=item C Restores the form from the session into C<$params{form}> (default: C<$::form>). @@ -1456,6 +1284,14 @@ is on by default. Returns C<$self>. +=item C + +C deletes every state information from previous requests, but does not +close the database connection. + +Creating a new database handle on each request can take up to 30% of the +pre-request startup time, so we want to avoid that for fast ajax calls. + =back =head1 BUGS