Alfresco integration

Hi Guys,

I am working on integrating RT with Alfresco and I am having some difficulties with authentication. Essentially my requirement is that we can get something very similar to the saved search dashlet from RT into an Alfresco Share dashlet. As the two services are not hosted on the same box I am using the REST API to do this.

In my original testing, using a REST client rather than a browser, I was able to follow the wiki instructions to download a cookie for my user, save it and pass it in the request; this works fine. When I came to trying to implement this in code I hit two problems. One is figuring out how I can send the cookie with xmlhttprequest (this is not the normal javascript xmlHttpRequest, rather Nathan McMinn's contributed class from http://www.unorganizedmachines.com/site/software-and-technology/34-software-development/97-calling-web-services-from-alfresco-web-scripts). The second issue is that to get the cookie in the first place I need the plaintext password of the user.

For now I have developed my dashlet using a newly created user, RESTuser, who has very restricted rights to actually affect tickets but can see them from all queues. I pass the user and pass values for this user with the request (which I know is entirely insecure, however at least in this case the javascript is server side). This is OK for the time being as RT and Alfresco still see very restricted use within the company; however, before we go production I need this to be set up in such a way that the tickets someone views in their dashlet are tickets that their user account has rights to view. Both Alfresco and RT authenticate off the same AD so the usernames will always be the same.

I see a few possible ways to implement this. First to mind is that I could attempt to make a change to the REST interface allowing me to add a GET parameter like restrictUser=JohnDoe and have RT do the rights calculation. Or I could attempt to build some logic into the Share dashlet to at least filter by queue based on Alfresco security groups, but keeping the non-AD groups synced between RT and Alf feels like a nightmare waiting to happen.

So does anyone see an easier way to figure this out? I am leaning towards the former of the two options above but I am just getting my foot into the perl pool so I am not sure how successful I’ll be.

Regards

Chris O’Kelly
Web Administrator

Minecorp Australia
37 Murdoch Circuit
Acacia Ridge QLD 4110
minecorp.com.au <http://www.minecorp.com.au>

P: 07 3723 1000
M: 0450 586 190
E: Chris.okelly@minecorp.com.au
S: chris.okelly.mvs (Skype)

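An added example of the dashlet side of this, in Perl, using RT's own REST/1.0 conventions (this is not code from the thread or from RT or Alfresco): it builds the POST that search/ticket expects, with user/pass in the body as described above, and parses the reply. RT's REST interface always answers HTTP 200 and carries the real status in the first body line, so the parser reads "RT/<version> <code> <text>" and treats anything but 2xx as an error, which is exactly the failure mode a dashlet has to surface rather than swallow. The restrictUser parameter is the custom one proposed in the post and is not part of stock RT; the base URL, credentials and the two sample responses are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example: client-side request builder and response parser for RT's
# REST/1.0 search endpoint. 'restrictUser' is the custom parameter proposed
# in this thread; stock RT ignores unknown parameters.
use strict;
use warnings;
use HTTP::Request::Common qw(POST);

# Build the POST for REST/1.0/search/ticket. Credentials travel in the body
# as 'user' and 'pass', the same way the thread (and RT's rt CLI) send them.
sub build_search_request {
    my (%arg) = @_;
    my @form = (
        user   => $arg{user},
        pass   => $arg{pass},
        query  => $arg{query},
        format => 'l',        # long format: one "Key: value" record per ticket
    );
    push @form, restrictUser => $arg{restrict_user}
        if defined $arg{restrict_user};
    return POST("$arg{base_url}/REST/1.0/search/ticket", \@form);
}

# Parse an RT REST/1.0 response. The first line is "RT/<version> <code> <text>";
# RT always answers HTTP 200, so the real status must be read from here.
# Returns { code => 200, message => 'Ok',
#           tickets => [ { id => 'ticket/12', Subject => ..., ... }, ... ],
#           error => undef }. A non-2xx code yields error text and no records.
sub parse_rest_response {
    my ($text) = @_;
    my ($status_line, $body) = split /\n/, $text, 2;
    $body = '' unless defined $body;

    my ($code, $message) = $status_line =~ m{^RT/\S+\s+(\d{3})\s+(.*)$}
        or return +{ code => 0, message => 'malformed status line',
                     tickets => [], error => $status_line };

    my %res = ( code => 0 + $code, message => $message, tickets => [], error => undef );
    $body =~ s/^\n+//;
    if ( $code !~ /^2/ ) { $res{error} = $body; return \%res; }
    return \%res if $body =~ /^No matching results/;

    # Long-format records are separated by a line containing only "--".
    for my $chunk ( split /^--[ \t]*$/m, $body ) {
        my ( %rec, $key );
        for my $line ( split /\n/, $chunk ) {
            if ( $line =~ /^([A-Za-z][^:]*?):\s?(.*)$/ ) {       # new "Key: value"
                ( $key, $rec{$key} ) = ( $1, $2 );
            }
            elsif ( defined $key && $line =~ /^\s+(.*)$/ ) {     # indented continuation line
                $rec{$key} .= "\n$1";
            }
        }
        push @{ $res{tickets} }, \%rec if defined $rec{id};
    }
    return \%res;
}

# Stand-alone run over constructed sample responses (not captured from a real RT).
unless (caller) {
    my $ok = <<'END';
RT/4.0.6 200 Ok

id: ticket/12
Queue: ithelp
Owner: chriso
Subject: Printer on level 2 offline
Status: open

--

id: ticket/15
Queue: ithelp
Owner: Nobody
Subject: VPN drops every twenty minutes
Status: new

END
    my $bad = "RT/4.0.6 400 Bad request\n\nInvalid query: 'No currentuser at ...'.\n";

    my $req = build_search_request(
        base_url => 'https://ticket.example.com', user => 'restuser',
        pass => 'secret', query => "Queue = 'ithelp'", restrict_user => 'chriso',
    );
    print $req->method, ' ', $req->uri, "\n", $req->content, "\n";

    for my $r ( map { parse_rest_response($_) } $ok, $bad ) {
        print "status $r->{code} $r->{message}\n";
        print "  error: $r->{error}" if defined $r->{error};
        print "  $_->{id}  [$_->{Status}] $_->{Subject}\n" for @{ $r->{tickets} };
    }
}
```

Sending the request is the one line left out on purpose (`LWP::UserAgent->new->request($req)`), so the script runs without a server; pair it with an HTTP::Cookies jar if you want to reuse the session cookie instead of re-sending the password on every call.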

Hello,

Just a quick followup, having done some more work on this: I think I am getting a little closer here but I am still running up against some problems. I have modified REST/1.0/search/ticket as follows:

<%ARGS>
$restrictUser => undef
$query
$format => undef
$orderby => undef
$fields => undef
</%ARGS>
<%INIT>
use RT::Interface::REST;
my $output = "";
my $status = "200 Ok";
my $user = new RT::User;
$user->Load($restrictUser) if ( defined $restrictUser );
$user = $session{CurrentUser} unless ( $user->Id );
my $tickets = RT::Tickets->new($user);

There are no changes anywhere further down in the file. The error message I am getting is:
RT/4.0.6 400 Bad request

Invalid query: 'No currentuser at /var/www/ticket.obfuscated.com/sbin/…/lib/RT/Base.pm line 139.
RT::Base::loc('RT::User=HASH(0x7f14e81bff60)', 'Valid Query') called at /var/www/ticket.obfuscated.com/sbin/…/lib/RT/Base.pm line 135
RT::Base::loc('RT::Tickets=HASH(0x7f14e81c0068)', 'Valid Query') called at /var/www/ticket.obfuscated.com/sbin/…/lib/RT/Tickets_SQL.pm line 339
RT::Tickets::FromSQL('RT::Tickets=HASH(0x7f14e81c0068)', 'queue=\'ithelp\'') called at /var/www/ticket.obfuscated.com/share/html/REST/1.0/search/ticket line 93
eval {...} called at /var/www/ticket.obfuscated.com/share/html/REST/1.0/search/ticket line 92
HTML::Mason::Commands::ANON('pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', 'user', 'chriso') called at /usr/local/share/perl/5.10.1/HTML/Mason/Component.pm line 138
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x637c348)', 'pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', 'user', 'chriso', ...) called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 1305
eval {...} called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 1295
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', ...) called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 958
HTML::Mason::Request::call_next('RT::Interface::Web::Request=HASH(0x610a820)') called at /var/www/ticket.obfuscated.com/share/html/REST/1.0/autohandler line 54
HTML::Mason::Commands::ANON('pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', 'user', 'chriso') called at /usr/local/share/perl/5.10.1/HTML/Mason/Component.pm line 138
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x638c730)', 'pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', 'user', 'chriso', ...) called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 1305
eval {...} called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 1295
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', ...) called at /var/www/ticket.obfuscated.com/sbin/…/lib/RT/Interface/Web.pm line 568
RT::Interface::Web::ShowRequestedPage('HASH(0x6386cc0)') called at /var/www/ticket.obfuscated.com/sbin/…/lib/RT/Interface/Web.pm line 318
RT::Interface::Web::HandleRequest('HASH(0x6386cc0)') called at /var/www/ticket.obfuscated.com/share/html/autohandler line 53
HTML::Mason::Commands::ANON('pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', 'user', 'chriso') called at /usr/local/share/perl/5.10.1/HTML/Mason/Component.pm line 138
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x638d0c0)', 'pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', 'user', 'chriso', ...) called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 1300
eval {...} called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 1295
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', ...) called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 484
eval {...} called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 484
eval {...} called at /usr/local/share/perl/5.10.1/HTML/Mason/Request.pm line 436
HTML::Mason::Request::exec('RT::Interface::Web::Request=HASH(0x610a820)') called at /usr/local/share/perl/5.10.1/HTML/Mason/PSGIHandler.pm line 85
eval {...} called at /usr/local/share/perl/5.10.1/HTML/Mason/PSGIHandler.pm line 85
HTML::Mason::Request::PSGI::exec('RT::Interface::Web::Request=HASH(0x610a820)') called at /usr/local/share/perl/5.10.1/HTML/Mason/Interp.pm line 345
HTML::Mason::Interp::exec(undef, undef, 'pass', 'obfuscated', 'query', 'queue=\'ithelp\'', 'restrictUser', 'chriso', 'user', ...) called at /usr/local/share/perl/5.10.1/HTML/Mason/PSGIHandler.pm line 48
eval {...} called at /usr/local/share/perl/5.10.1/HTML/Mason/PSGIHandler.pm line 48
HTML::Mason::PSGIHandler::invoke_mason('HTML::Mason::PSGIHandler::Streamy=HASH(0x6222bf8)', 'HTML::Mason::FakeApache=HASH(0x631a2d8)', 'HASH(0x375e6d8)') called at /usr/local/share/perl/5.10.1/HTML/Mason/PSGIHandler/Streamy.pm line 52
HTML::Mason::PSGIHandler::Streamy::ANON('CODE(0x6317778)') called at /var/www/ticket.obfuscated.com/sbin/…/lib/RT/Interface/Web/Handler.pm line 263
RT::Interface::Web::Handler::ANON('CODE(0x6317778)') called at /usr/local/share/perl/5.10.1/Plack/Util.pm line 301
Plack::Util::ANON('CODE(0x63174d8)') called at /usr/local/share/perl/5.10.1/Plack/Handler/FCGI.pm line 130
Plack::Handler::FCGI::run('Plack::Handler::FCGI=HASH(0x6258528)', 'CODE(0x60f4760)') called at /usr/local/share/perl/5.10.1/Plack/Loader.pm line 84
Plack::Loader::run('Plack::Loader=HASH(0x622f070)', 'Plack::Handler::FCGI=HASH(0x6258528)') called at /usr/local/share/perl/5.10.1/Plack/Runner.pm line 267
Plack::Runner::run('Plack::Runner=HASH(0x5b596b8)', 'CODE(0x60f4760)') called at /var/www/ticket.obfuscated.com/sbin/rt-server.fcgi line 232
eval {...} called at /var/www/ticket.obfuscated.com/sbin/rt-server.fcgi line 232

Stack:
[/usr/local/share/perl/5.10.1/Carp.pm:101]
[/var/www/ticket.obfuscated.com/sbin/…/lib/RT/Base.pm:139]
[/var/www/ticket.obfuscated.com/sbin/…/lib/RT/Base.pm:135]
[/var/www/ticket.obfuscated.com/sbin/…/lib/RT/Tickets_SQL.pm:339]
[/var/www/ticket.obfuscated.com/share/html/REST/1.0/search/ticket:93]
[/var/www/ticket.obfuscated.com/share/html/REST/1.0/autohandler:54]
[/var/www/ticket.obfuscated.com/sbin/…/lib/RT/Interface/Web.pm:568]
[/var/www/ticket.obfuscated.com/sbin/…/lib/RT/Interface/Web.pm:318]
[/var/www/ticket.obfuscated.com/share/html/autohandler:53]
'.

So it seems to get through to running the query in search/ticket, and in Tickets_SQL it gets to the point of returning "Valid Query", however I have problems when it gets to this 'loc' function. Reading suggests to me it is for localization of strings but I flat out do not understand its logic. If I read Base.pm correctly (and I assume I did not), the loc sub checks if its passed argument has an OriginalUser property and, if it does, returns the value returned by calling itself on that user... if the argument does have an OriginalUser method it returns an error. This makes it seem as though it will always either return an error or begin an infinite loop. I've added a logger statement right before the loc call in Tickets_SQL.pm to log the value of $Self->OriginalUser->Id and it always logs a value (my id, fwiw) so as far as I can tell there is an OriginalUser property. Any thoughts?

Chris O’Kelly
Web Administrator

Hi All,

I’ve figured it out, I had been using the RT::User object class where I should have been using RT::CurrentUser. A little more thought about what I was implementing also alerted me to the fact that what I am building is a possible security hole.

I’ll repeat that in case anyone has found this on google and plans to use it:

THIS CODE IS A POSSIBLE SECURITY FLAW! THINK LONG AND HARD!

Anyhoo, I’m fairly sure I understand and have addressed the security issues here, so here’s how I sorted this out for myself:

In …/share/html/REST/1.0/search/ticket, changed the first few lines as such:
<%ARGS>
$restrictUser => undef
$query
$format => undef
$orderby => undef
$fields => undef
</%ARGS>
<%INIT>
use RT::Interface::REST;
my $output = "";
my $status = "200 Ok";
my $user = new RT::User;
my $current_user_obj = $session{CurrentUser};
if (lc $current_user_obj->UserObj->Name eq "restuser")
{
$user->Load($restrictUser) if ( defined $restrictUser );
}
$user = $session{CurrentUser} unless ( $user->Id );
my $current_user = RT::CurrentUser->new( $user );

my $tickets = RT::Tickets->new($current_user);

# Parse and validate any field specifications.

…(the rest of the file)

Now, just to point out and make absolutely clear, the possible security flaw here is that a user can view tickets they do not have the right to see. In this case I have circumvented this by only making use of $restrictUser when the logged in user is RestUser. As I am the only one who knows the password for restUser this functionality will only be accessible in scripts that I have created and setup to use RestUser.

I’d very much appreciate, if anyone can see any further security holes or other bugs with what I’ve done, if you’d let me know.

Regards

Chris O’Kelly
Web Administrator
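An added example (not the poster's code, and not part of RT) of the same change with the checks a reviewer would ask for: it replaces the head of REST/1.0/search/ticket the way the post above does. The impersonating account is read from an assumed site option, @RESTImpersonators in RT_SiteConfig.pm, instead of being hard-coded; a caller that is not on that list and still sends restrictUser gets a refusal and a log line rather than a silent fall-back to its own rights, so a probing or misconfigured client shows up in the RT log; the target is required to exist and be enabled; and the impersonation itself is logged. The user lookup is done as RT's system user so the existence and Disabled checks can see every field, while the search still runs as an RT::CurrentUser for the target, which is what keeps the result limited to what that person may see. The 403/400 lines follow the "RT/<version> <code> <text>" body convention RT's REST interface uses for its own errors.

```perl
<%ARGS>
$restrictUser => undef
$query
$format => undef
$orderby => undef
$fields => undef
</%ARGS>
<%INIT>
use RT::Interface::REST;
my $output = "";
my $status = "200 Ok";

# Whoever authenticated this request (session cookie or user/pass in the body).
my $current_user = $session{CurrentUser};

if ( defined $restrictUser && length $restrictUser ) {
    # Assumed site-specific option, not stock RT; e.g. in RT_SiteConfig.pm:
    #     Set( @RESTImpersonators, 'restuser' );
    # Only accounts named there may search on behalf of someone else.
    my %may_impersonate = map { lc($_) => 1 } RT->Config->Get('RESTImpersonators');

    unless ( $may_impersonate{ lc $current_user->Name } ) {
        # Refuse loudly instead of quietly running as the caller, so that a
        # client sending restrictUser without permission is visible in the log.
        $RT::Logger->warning( sprintf "REST: user %s (id %d) sent restrictUser=%s without permission",
            $current_user->Name, $current_user->Id, $restrictUser );
        $m->out("RT/$RT::VERSION 403 Forbidden\n\nrestrictUser is not permitted for this account\n");
        $m->abort;
    }

    # Look the target up as the system user so the checks below can read every
    # field; the search itself still runs as the target with only its rights.
    my $target = RT::User->new( RT->SystemUser );
    $target->Load($restrictUser);
    if ( !$target->Id || $target->Disabled ) {
        $m->out("RT/$RT::VERSION 400 Bad request\n\nNo enabled user named '$restrictUser'\n");
        $m->abort;
    }

    $RT::Logger->info( sprintf "REST: %s searching tickets as %s; query: %s",
        $current_user->Name, $target->Name, $query );
    $current_user = RT::CurrentUser->new( $target );
}

# From here on the stock component is unchanged, apart from using $current_user.
my $tickets = RT::Tickets->new($current_user);
```

With this in place the service account's password is still the only thing standing between a client and everyone's tickets, so it should be treated like any other privileged credential: long, stored only on the Alfresco host, sent over TLS, and rotated if the dashlet code ever leaves that box.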