X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;ds=sidebyside;f=cgi-auth-flexible.pm;h=af4c30b48b2c7938412f6208172fe218da46305d;hb=af3159edbfe74d267bb6441c1e7dc7360168ad6e;hp=e5b89244476da131f03615daf19a367b6c12c0ac;hpb=031ab04359164ef2e3d311e61637491479e6098d;p=cgi-auth-flexible.git diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm index e5b8924..af4c30b 100644 --- a/cgi-auth-flexible.pm +++ b/cgi-auth-flexible.pm @@ -18,7 +18,7 @@ # along with this program. If not, see . use strict; -use warnings; +use warnings FATAL => 'all'; package CGI::Auth::Flexible; require Exporter; @@ -54,6 +54,7 @@ sub flatten_params ($) { my ($p) = @_; my @p; foreach my $k (keys %$p) { + next if $k eq ''; foreach my $v (@{ $p->{$k} }) { push @p, $k, $v; } @@ -92,7 +93,8 @@ sub login_ok_password ($$) { my $username_params = $r->{S}{username_param_names}; my $username = $r->_ch('get_param',$username_params->[0]); my $password = $r->_rp('password_param_name'); - return $r->_ch('username_password_ok', $username, $password); + return undef unless $r->_ch('username_password_ok', $username, $password); + return $username; } sub do_redirect_cgi ($$$$) { @@ -104,39 +106,66 @@ sub do_redirect_cgi ($$$$) { '', $r->_gt("If you aren't redirected, click to continue."), "", - $c->_ch('gen_end_html')); + $r->_ch('gen_end_html')); } -sub gen_plain_login_form ($$) { - my ($c,$r, $params) = @_; +sub gen_some_form ($$) { + my ($r, $params, $bodyfn) = @_; + # Calls $bodyfn->($c,$r) which returns @formbits + my $c = $r->{Cgi}; my @form; + my $pathinfo = ''; + $pathinfo .= $params->{''}[0] if $params->{''}; push @form, ('
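Review bot: In `login_ok_password` (hunk at -92), the new failure path `return undef unless $r->_ch('username_password_ok', $username, $password);` yields the one-element list `(undef)` if the result is ever taken in list context. A bare `return unless $r->_ch('username_password_ok', $username, $password);` avoids that. The return contract also changes here from a boolean to the username, so the sub should carry a comment such as `# Returns the authenticated username on success, undef on failure.` How callers consume the value is outside this hunk, so the list-context concern is a precaution rather than a demonstrated bug.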
'. - ''); - my $sz = 'size="'.$r->{S}{form_entry_size}.'"'; - foreach my $up (@{ $r->{S}{username_param_names}}) { - push @form, ('', - ''); - } - push @form, ('', - ''); - push @form, ('', - '
',$r->_gt(ucfirst $up),'
'.$r->_gt('Password').'
', - '
'); + escapeHTML($r->_ch('get_url').$pathinfo).'">'); + push @form, $bodyfn->($c,$r); foreach my $n (keys %$params) { - push @form, (''); + next if $n eq ''; + foreach my $val (@{ $params->{$n} }) { + push @form, (''); + } } push @form, ('
'); return join "\n", @form; } -sub gen_login_link ($$) { +sub gen_plain_login_form ($$) { + my ($c,$r, $params) = @_; + return $r->gen_some_form($params, sub { + my @form; + push @form, (''); + my $sz = 'size="'.$r->{S}{form_entry_size}.'"'; + foreach my $up (@{ $r->{S}{username_param_names}}) { + push @form, ('', + ''); + } + push @form, ('', + ''); + push @form, ('', + '
',$r->_gt(ucfirst $up),'
'.$r->_gt('Password').'
', + '
'); + return @form; + }); +} + +sub gen_postmainpage_form ($$$) { + my ($c,$r, $params) = @_; + return $r->gen_some_form($params, sub { + my @form; + push @form, (''); + return @form; + }); +} + +sub gen_plain_login_link ($$) { my ($c,$r, $params) = @_; my $url = $r->url_with_query_params($params); return (''. @@ -164,16 +193,17 @@ sub new_verifier { login_form_timeout => 3600, # seconds key_rollover => 86400, # seconds assoc_param_name => 'caf_assochash', + dummy_param_name_prefix => 'caf__', cookie_name => "caf_assocsecret", password_param_name => 'password', username_param_names => [qw(username)], form_entry_size => 60, logout_param_names => [qw(caf_logout)], - login_submit_name => [qw(caf_login)], loggedout_param_names => [qw(caf_loggedout)], promise_check_mutate => 0, get_param => sub { $_[0]->param($_[2]) }, get_params => sub { $_[1]->get_params() }, + get_path_info => sub { $_[0]->path_info() }, get_cookie => sub { $_[0]->cookie($_[1]->{S}{cookie_name}) }, get_method => sub { $_[0]->request_method() }, get_url => sub { $_[0]->url(); }, @@ -192,6 +222,7 @@ sub new_verifier { gen_end_html => sub { $_[0]->end_html(); }, gen_login_form => \&gen_plain_login_form, gen_login_link => \&gen_plain_login_link, + gen_postmainpage_form => \&gen_postmainpage_form, gettext => sub { gettext($_[2]); }, print => sub { print $_[2] or die $!; }, }, @@ -278,7 +309,7 @@ print STDERR "DT fn eval ok\n"; print STDERR "DT commit ok\n"; 1; }) { -print STDERR "DT commit eval ok $rv\n"; +print STDERR "DT commit eval ok ",Dumper($rv); return $rv; } print STDERR "DT commit throw?\n"; @@ -464,7 +495,9 @@ sub _check_divert_core ($) { my $cookh = defined $cooks ? $r->hash($cooks) : undef; my ($cookt,$cooku) = $r->_identify($cookh, $cooks); - my $parmt = $r->_identify($parmh, undef); + my $parms = (defined $cooks && defined $parmh && $parmh eq $cookh) + ? $cooks : undef; + my ($parmt) = $r->_identify($parmh, $parms); print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n"; 
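Review bot: In `gen_some_form` (hunk at -104, which starts on an earlier line), `$pathinfo .= $params->{''}[0] if $params->{''};` only tests that the `''` entry exists. If the `get_path_info` hook ever returns undef or nothing, the concatenation raises an uninitialized-value warning, and the first hunk of this commit makes warnings fatal; `$pathinfo .= $params->{''}[0] if $params->{''} && defined $params->{''}[0];` avoids that, and `url_with_query_params` (hunk at -678) has the same pattern. The prototype `($$)` no longer matches the three parameters `($r, $params, $bodyfn)`; prototypes are ignored on method calls, so this is only misleading, but it should be `($$$)` or dropped. The reserved empty-string key deserves a one-line comment, e.g. `# $params->{''} is [ path_info ], never a real form parameter`.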
@@ -494,8 +527,8 @@ sub _check_divert_core ($) { return ({ Kind => 'SMALLPAGE-NOCOOKIE', Message => "You do not seem to have cookies enabled. ". "You must enable cookies as we use them for login.", - CookieSecret => $r->_fresh_secret(), - Params => $r->_chain_params() }) + CookieSecret => $r->_fresh_secret(), + Params => $r->chain_params() }) } if (!$cookt || $cookt eq 'n' || $cookh ne $parmh) { $r->_db_revoke($cookh); @@ -510,13 +543,13 @@ sub _check_divert_core ($) { return ({ Kind => 'LOGIN-BAD', Message => "Incorrect username/password.", CookieSecret => $cooks, - Params => $r->_chain_params() }) + Params => $r->chain_params() }) } $r->_db_record_login_ok($parmh,$username); return ({ Kind => 'REDIRECT-LOGGEDIN', Message => "Logging in...", CookieSecret => $cooks, - Params => $r->_chain_params() }); + Params => $r->chain_params() }); } if ($cookt eq 't') { $cookt = ''; @@ -534,13 +567,13 @@ sub _check_divert_core ($) { my $news = $r->_fresh_secret(); if ($meth eq 'GET') { return ({ Kind => 'LOGIN-INCOMINGLINK', - Message => "You need to log in again.", + Message => "You need to log in.", CookieSecret => $news, - Params => $r->_chain_params() }); + Params => $r->chain_params() }); } else { $r->_db_revoke($parmh); return ({ Kind => 'LOGIN-FRESH', - Message => "You need to log in again.", + Message => "You need to log in.", CookieSecret => $news, Params => { } }); } @@ -559,15 +592,17 @@ sub _check_divert_core ($) { } die unless $cookt eq 'y'; - die unless $parmt eq 'y'; - die unless $cookh eq $parmh; + unless ($r->{S}{promise_check_mutate} && $meth eq 'GET') { + die unless $parmt eq 'y'; + die unless $cookh eq $parmh; + } $r->{AssocSecret} = $cooks; $r->{UserOK} = $cooku; print STDERR "C-D-C OK\n"; return undef; } -sub _chain_params ($) { +sub chain_params ($) { my ($r) = @_; my %p = %{ $r->_ch('get_params') }; foreach my $pncn (keys %{ $r->{S} }) { 
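Review bot: The new `unless ($r->{S}{promise_check_mutate} && $meth eq 'GET')` guard near the end of `_check_divert_core` (hunk at -559) skips the final checks that the hidden hash was valid and matched the cookie. This implies such GETs are accepted on the cookie alone, and nothing in the code states what the application owes in return. A comment above the guard would make the contract explicit, for example `# With promise_check_mutate set, GETs are accepted on the cookie alone; the caller promises to call check_mutate/mutate_ok before changing any state.` It is also worth confirming that `$parmh` is always defined when it reaches the context line `$cookh ne $parmh` in the hunk at -494, since comparing an undefined value is now fatal under `use warnings FATAL => 'all'`; its assignment is outside the visible hunks.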
@@ -585,6 +620,12 @@ sub _chain_params ($) { delete $p{$name}; } } + my $dummy_prefix = $r->{S}{dummy_param_name_prefix}; + foreach my $name (grep /^$dummy_prefix/, keys %p) { + delete $p{$name}; + } + die if exists $p{''}; + $p{''} = [ $r->_ch('get_path_info') ]; return \%p; } @@ -594,7 +635,9 @@ sub _identify ($$) { # where $t is one of "t" "y" "n", or "" (for -) # either $s must be undef, or $h eq $r->hash($s) +print STDERR "_identify\n"; return '' unless defined $h && length $h; +print STDERR "_identify h=$h s=".(defined $s ? $s : '')."\n"; my $dbh = $r->{Dbh}; @@ -606,6 +649,7 @@ sub _identify ($$) { " FROM $r->{S}{assocdb_table}". " WHERE assochash = ?", {}, $h); if (defined $row) { +print STDERR "_identify h=$h s=$s YES @$row\n"; my ($nusername, $nlast) = @$row; return ('y', $nusername); } @@ -618,15 +662,20 @@ sub _identify ($$) { my ($keyt, $signature, $message, $noncet, $nonce) = $s =~ m/^(\d+)\.(\w+)\.((\d+)\.(\w+))$/ or die; - return 'n' if time > $noncet + $r->{S}{form_timeout}; + return 'n' if time > $noncet + $r->{S}{login_form_timeout}; + +print STDERR "_identify noncet=$noncet ok\n"; my $keys = $r->_open_keys(); while (my ($rkeyt, $rkey, $line) = $r->_read_key($keys)) { +print STDERR "_identify search rkeyt=$rkeyt rkey=$rkey\n"; last if $rkeyt < $keyt; # too far down in the file my $trysignature = $r->_hmac($rkey, $message); +print STDERR "_identify search rkeyt=$rkeyt rkey=$rkey trysig=$trysignature\n"; return 't' if $trysignature eq $signature; } # oh well +print STDERR "_identify NO\n"; $keys->error and die $!; return 'n'; @@ -647,7 +696,7 @@ sub _db_record_login_ok ($$$) { $r->_db_revoke($h); my $dbh = $r->{Dbh}; $dbh->do("INSERT INTO $r->{S}{assocdb_table}". - " (associd, username, last) VALUES (?,?,?)", {}, + " (assochash, username, last) VALUES (?,?,?)", {}, $h, $user, time); } 
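Review bot: In `chain_params` (hunk at -585), `grep /^$dummy_prefix/, keys %p` interpolates the `dummy_param_name_prefix` setting as a regular expression, so a prefix containing metacharacters would delete the wrong parameters or fail to compile. Quote it: `grep /^\Q$dummy_prefix\E/, keys %p`. The bare `die if exists $p{''};` that follows gives no message; if the parameter parser can produce an empty-named parameter from a request, a client-supplied value causes an unexplained failure, and `die "request parameter with empty name" if exists $p{''};` would at least make the log useful. The function starts outside this hunk.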
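Review bot: The trace lines added to `_identify` (hunks at -594, -606 and -618) write authentication material to STDERR: `s=$s` is the association secret taken from the cookie, and `rkey=$rkey` and `trysig=$trysignature` are the HMAC key and the signature computed with it. Anyone who can read the server error log gets the values that login tokens and sessions are checked against; `print STDERR "PARAMS ",Dumper($params);` in `url_with_query_params` (hunk at -678) likewise logs the chained request parameters. In the hunk at -606, `print STDERR "_identify h=$h s=$s YES @$row\n";` interpolates `$s` unguarded although the comment at the top of the sub says `$s` may be undef. With `use warnings FATAL => 'all'` from the first hunk, that print would abort the request whenever a stored hash is looked up without its secret. Log `(defined $s ? 'set' : 'undef')` instead of the value and drop the key and signature from the other lines, or remove the tracing before release.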
@@ -678,7 +727,9 @@ sub get_username ($) { sub url_with_query_params ($$) { my ($r, $params) = @_; +print STDERR "PARAMS ",Dumper($params); my $uri = URI->new($r->_ch('get_url')); + $uri->path($uri->path() . $params->{''}[0]) if $params->{''}; $uri->query_form(flatten_params($params)); return $uri->as_string(); } @@ -705,17 +756,13 @@ sub check_ok ($) { my $params = $divert->{Params}; my $cookie = $r->construct_cookie($cookiesecret); - if (defined $cookiesecret) { - $params->{$r->{S}{assoc_param_name}} = $r->hash($cookiesecret); - } - if ($kind =~ m/^REDIRECT-/) { # for redirects, we honour stored NextParams and SetCookie, # as we would for non-divert if ($kind eq 'REDIRECT-LOGGEDOUT') { - $params->{$r->{S}{loggedout_param_names}[0]} = 1; + $params->{$r->{S}{loggedout_param_names}[0]} = [ 1 ]; } elsif ($kind eq 'REDIRECT-LOGOUT') { - $params->{$r->{S}{logout_param_names}[0]} = 1; + $params->{$r->{S}{logout_param_names}[0]} = [ 1 ]; } elsif ($kind eq 'REDIRECT-LOGGEDIN') { } else { die; @@ -725,6 +772,10 @@ sub check_ok ($) { return 0; } + if (defined $cookiesecret) { + $params->{$r->{S}{assoc_param_name}} = [ $r->hash($cookiesecret) ]; + } + my ($title, @body); if ($kind =~ m/^LOGIN-/) { $title = $r->_gt('Login'); @@ -733,7 +784,11 @@ sub check_ok ($) { } elsif ($kind =~ m/^SMALLPAGE-/) { $title = $r->_gt('Not logged in'); push @body, $r->_gt($divert->{Message}); - push @body, $r->_ch('gen_login_link'); + push @body, $r->_ch('gen_login_link', $params); + } elsif ($kind =~ m/^MAINPAGEONLY$/) { + $title = $r->_gt('Entering secure site.'); + push @body, $r->_gt($divert->{Message}); + push @body, $r->_ch('gen_postmainpage_form', $params); } else { die $kind; } @@ -873,7 +928,7 @@ print STDERR "hmac $alg $base $digest\n"; sub hash ($$) { my ($r, $message) = @_; my $alg = $r->{S}{hash_algorithm}; -print STDERR "hash $alg"; +print STDERR "hash $alg\n"; my $digest = new Digest $alg; $digest->add($message); return $digest->hexdigest(); 
@@ -884,12 +939,30 @@ sub _assert_checked ($) { die "unchecked" unless exists $r->{Divert}; } +sub _is_post ($) { + my ($r) = @_; + my $meth = $r->_ch('get_method'); + return $meth eq 'POST'; +} + +sub _must_be_post ($) { + my ($r) = @_; + my $meth = $r->_ch('get_method'); + die "mutating non-POST" if $meth ne 'POST'; +} + sub check_mutate ($) { my ($r) = @_; $r->_assert_checked(); die if $r->{Divert}; - my $meth = $r->_ch('get_method'); - die "mutating non-POST" if $meth ne 'POST'; + $r->_must_be_post(); +} + +sub mutate_ok ($) { + my ($r) = @_; + $r->_assert_checked(); + die if $r->{Divert}; + return $r->_is_post(); } #---------- output ---------- @@ -903,7 +976,7 @@ sub secret_cookie_val ($) { sub secret_hidden_val ($) { my ($r) = @_; $r->_assert_checked(); - return defined $r->{AssocSecret} ? r->hash($r->{AssocSecret}) : ''; + return defined $r->{AssocSecret} ? $r->hash($r->{AssocSecret}) : ''; } sub secret_hidden_html ($) {
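Review bot: `mutate_ok` (hunk at -884) is added without any statement of what a false return means. A caller that ignores the result would change state on a GET which, judging by the `promise_check_mutate` guard in `_check_divert_core`, may have been accepted without the hidden hash. Add a comment above it such as `# Returns true only for POST; callers must not change any state when this returns false.` and give the bare `die if $r->{Divert};` a message in both `check_mutate` and `mutate_ok`. `_must_be_post` also repeats the method lookup from `_is_post`; `die "mutating non-POST" unless $r->_is_post();` would keep the two in step.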