diff --git
a/cgi-auth-hybrid.pm
b/cgi-auth-hybrid.pm
index 0617881eb1b81224a29301660c5ed3ba1fd24f46..21a8fb523e875ef82339283e2de05542ca332edf 100644
(file)
--- a/
cgi-auth-hybrid.pm
+++ b/
cgi-auth-hybrid.pm
@@
-37,8
+37,11
@@
BEGIN {
our @EXPORT_OK;
use DBI;
our @EXPORT_OK;
use DBI;
-use CGI;
+use CGI
qw/escapeHTML/
;
use Locale::gettext;
use Locale::gettext;
+use URI;
+use IO::File;
+use Data::Dumper;
#---------- public utilities ----------
#---------- public utilities ----------
@@
-56,16
+59,17
@@
sub flatten_params ($) {
#---------- default callbacks ----------
sub has_a_param ($$) {
#---------- default callbacks ----------
sub has_a_param ($$) {
- my ($
c,$
r,$cn) = @_;
+ my ($r,$cn) = @_;
foreach my $pn (@{ $r->{S}{$cn} }) {
foreach my $pn (@{ $r->{S}{$cn} }) {
- return 1 if $r->_c
m
('get_param',$pn);
+ return 1 if $r->_c
h
('get_param',$pn);
}
return 0;
}
}
return 0;
}
-sub get_params ($
$
) {
- my ($
c,$
r) = @_;
+sub get_params ($) {
+ my ($r) = @_;
my %p;
my %p;
+ my $c = $r->{Cgi};
foreach my $name ($c->param()) {
$p{$name} = [ $c->param($name) ];
}
foreach my $name ($c->param()) {
$p{$name} = [ $c->param($name) ];
}
@@
-88,11
+92,9
@@
sub login_ok_password ($$) {
sub do_redirect_cgi ($$$$) {
my ($c, $r, $new_url, $cookie) = @_;
sub do_redirect_cgi ($$$$) {
my ($c, $r, $new_url, $cookie) = @_;
- my @ha = ('text/html',
- -status => '303 See other',
- -location => $new_url);
- push @ha, (-cookie => $cookie) if defined $cookie;
- $r->_print($c->header(@ha),
+ $r->_print($c->header($r->_cgi_header_args($cookie,
+ -status => '303 See other',
+ -location => $new_url)),
$r->_ch('gen_start_html',$r->_gt('Redirection')),
'<a href="'.escapeHTML($new_url).'">',
$r->_gt("If you aren't redirected, click to continue."),
$r->_ch('gen_start_html',$r->_gt('Redirection')),
'<a href="'.escapeHTML($new_url).'">',
$r->_gt("If you aren't redirected, click to continue."),
@@
-104,20
+106,20
@@
sub gen_plain_login_form ($$) {
my ($c,$r, $params) = @_;
my @form;
push @form, ('<form method="POST" action="'.
my ($c,$r, $params) = @_;
my @form;
push @form, ('<form method="POST" action="'.
- escapeHTML($r->_ch('get_url')).'>'.
+ escapeHTML($r->_ch('get_url')).'
"
>'.
'<table>');
my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
foreach my $up (@{ $r->{S}{username_param_names}}) {
push @form, ('<tr><td>',$r->_gt(ucfirst $up),'</td>',
'<table>');
my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
foreach my $up (@{ $r->{S}{username_param_names}}) {
push @form, ('<tr><td>',$r->_gt(ucfirst $up),'</td>',
- '<td><input type="text" '
,
$sz.
- ' name='
,$up,
'></td></tr>');
+ '<td><input type="text" '
.
$sz.
+ ' name='
.$up.
'></td></tr>');
}
push @form, ('<tr><td>'.$r->_gt('Password'),'</td>',
'<td><input type="password" '.$sz.
' name="'.$r->{S}{password_param_name}.'"></td></tr>');
push @form, ('<tr><td colspan="2">',
'<input type="submit"'.
}
push @form, ('<tr><td>'.$r->_gt('Password'),'</td>',
'<td><input type="password" '.$sz.
' name="'.$r->{S}{password_param_name}.'"></td></tr>');
push @form, ('<tr><td colspan="2">',
'<input type="submit"'.
- ' name="'.$r->{S}{login_submit_name}.'"'.
+ ' name="'.$r->{S}{login_submit_name}
[0]
.'"'.
' value="'.$r->_gt('Login').'"></td></tr>',
'</table>');
foreach my $n (keys %$params) {
' value="'.$r->_gt('Login').'"></td></tr>',
'</table>');
foreach my $n (keys %$params) {
@@
-152,6
+154,7
@@
sub new_verifier {
associdlen => 128, # bits
login_timeout => 86400, # seconds
assoc_param_name => 'cah_associd',
associdlen => 128, # bits
login_timeout => 86400, # seconds
assoc_param_name => 'cah_associd',
+ cookie_name => "cah_associd",
password_param_name => 'password',
username_param_names => [qw(username)],
form_entry_size => 60,
password_param_name => 'password',
username_param_names => [qw(username)],
form_entry_size => 60,
@@
-174,12
+177,13
@@
sub new_verifier {
do_redirect => \&do_redirect_cgi, # this hook is allowed to throw
cookie_path => "/",
get_cookie_domain => \&get_cookie_domain,
do_redirect => \&do_redirect_cgi, # this hook is allowed to throw
cookie_path => "/",
get_cookie_domain => \&get_cookie_domain,
- encrypted_only =>
0
,
+ encrypted_only =>
1
,
gen_start_html => sub { $_[0]->start_html($_[2]); },
gen_end_html => sub { $_[0]->end_html(); },
gen_login_form => \&gen_plain_login_form,
gen_login_link => \&gen_plain_login_link,
gettext => sub { gettext($_[2]); },
gen_start_html => sub { $_[0]->start_html($_[2]); },
gen_end_html => sub { $_[0]->end_html(); },
gen_login_form => \&gen_plain_login_form,
gen_login_link => \&gen_plain_login_link,
gettext => sub { gettext($_[2]); },
+ print => sub { print $_[2] or die $!; },
},
Dbh => undef,
};
},
Dbh => undef,
};
@@
-204,15
+208,18
@@
sub _dbopen ($) {
my $u = umask 077;
$dbh = DBI->connect($dsn, $v->{S}{assocdb_user},
$v->{S}{assocdb_password}, {
my $u = umask 077;
$dbh = DBI->connect($dsn, $v->{S}{assocdb_user},
$v->{S}{assocdb_password}, {
- AutoCommit => 0, RaiseError => 1,
+ AutoCommit => 0,
+ RaiseError => 1,
+ ShowErrorStatement => 1,
});
die "$dsn $! ?" unless $dbh;
$v->{Dbh} = $dbh;
eval {
});
die "$dsn $! ?" unless $dbh;
$v->{Dbh} = $dbh;
eval {
- $r->_db_transaction(sub {
+ $v->_db_transaction(sub {
+ local ($dbh->{PrintError}) = 0;
$dbh->do("CREATE TABLE $v->{S}{assocdb_table} (".
$dbh->do("CREATE TABLE $v->{S}{assocdb_table} (".
- " associd
h
VARCHAR PRIMARY KEY,".
+ " associd VARCHAR PRIMARY KEY,".
" username VARCHAR,".
" last INTEGER NOT NULL".
")");
" username VARCHAR,".
" last INTEGER NOT NULL".
")");
@@
-229,25
+236,35
@@
sub disconnect ($) {
}
sub _db_transaction ($$) {
}
sub _db_transaction ($$) {
- my ($
r
, $fn) = @_;
+ my ($
v
, $fn) = @_;
my $retries = 10;
my $rv;
my $dbh = $v->{Dbh};
my $retries = 10;
my $rv;
my $dbh = $v->{Dbh};
+print STDERR "DT entry\n";
for (;;) {
for (;;) {
+print STDERR "DT loop\n";
if (!eval {
$rv = $fn->();
if (!eval {
$rv = $fn->();
+print STDERR "DT fn ok\n";
1;
}) {
1;
}) {
+print STDERR "DT fn error\n";
{ local ($@); $dbh->rollback(); }
{ local ($@); $dbh->rollback(); }
+print STDERR "DT fn throwing\n";
die $@;
}
die $@;
}
+print STDERR "DT fn eval ok\n";
if (eval {
$dbh->commit();
if (eval {
$dbh->commit();
+print STDERR "DT commit ok\n";
1;
}) {
1;
}) {
+print STDERR "DT commit eval ok $rv\n";
return $rv;
}
return $rv;
}
+print STDERR "DT commit throw?\n";
die $@ if !--$retries;
die $@ if !--$retries;
+print STDERR "DT loop again\n";
}
}
}
}
@@
-272,6
+289,7
@@
sub new_request {
sub _ch ($$@) { # calls an application hook
my ($r,$methname, @args) = @_;
my $methfunc = $r->{S}{$methname};
sub _ch ($$@) { # calls an application hook
my ($r,$methname, @args) = @_;
my $methfunc = $r->{S}{$methname};
+ die "$methname ?" unless $methfunc;
return $methfunc->($r->{Cgi}, $r, @args);
}
return $methfunc->($r->{Cgi}, $r, @args);
}
@@
-286,12
+304,17
@@
sub _print ($$) { my ($r, @t) = @_; return $r->_ch('print', join '', @t); }
sub construct_cookie ($$$) {
my ($r, $cookv) = @_;
sub construct_cookie ($$$) {
my ($r, $cookv) = @_;
- return $r->{Cgi}->cookie(-name => $r->{S}{cookie_name},
+ return undef unless $cookv;
+ my $c = $r->{Cgi};
+my @ca = (-name => $r->{S}{cookie_name},
-value => $cookv,
-path => $r->{S}{cookie_path},
-domain => $r->_ch('get_cookie_domain'),
-expires => '+'.$r->{S}{login_timeout}.'s',
-secure => $r->{S}{encrypted_only});
-value => $cookv,
-path => $r->{S}{cookie_path},
-domain => $r->_ch('get_cookie_domain'),
-expires => '+'.$r->{S}{login_timeout}.'s',
-secure => $r->{S}{encrypted_only});
+ my $cookie = $c->cookie(@ca);
+print STDERR "CC $r $c $cookv $cookie (@ca).\n";
+ return $cookie;
}
# pages/param-sets are
}
# pages/param-sets are
@@
-309,7
+332,7
@@
sub construct_cookie ($$$) {
# y, yN value corresponds to logged-in user
# n, nN value not in our db
# x, xN t or y
# y, yN value corresponds to logged-in user
# n, nN value not in our db
# x, xN t or y
-# - no value supplied
+# - no value supplied
(represented in code as $cookt='')
# if N differs the case applies only when the two values differ
# (eg, a1 y2 does not apply when the logged-in value is supplied twice)
# if N differs the case applies only when the two values differ
# (eg, a1 y2 does not apply when the logged-in value is supplied twice)
@@
-388,8
+411,9
@@
sub construct_cookie ($$$) {
# revoke y2
# treat as -/n n POST
#
# revoke y2
# treat as -/n n POST
#
- # -/n
n
GET n cross-site link but user not logged in
+ # -/n
-/n
GET n cross-site link but user not logged in
# show login form with redirect to orig params
# show login form with redirect to orig params
+ # generate fresh cookie
#
# -/n n GET rmu user not logged in
# fail
#
# -/n n GET rmu user not logged in
# fail
@@
-410,6
+434,8
@@
sub _check_divert_core ($) {
my ($cookt,$cooku) = $r->_db_lookup($cookv);
my $parmt = $r->_db_lookup($parmv);
my ($cookt,$cooku) = $r->_db_lookup($cookv);
my $parmt = $r->_db_lookup($parmv);
+ print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n";
+
if ($r->_ch('is_logout')) {
$r->_must_be_post();
die unless $parmt;
if ($r->_ch('is_logout')) {
$r->_must_be_post();
die unless $parmt;
@@
-470,15
+496,17
@@
sub _check_divert_core ($) {
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
if ($cookt ne 'y') {
die unless !$cookt || $cookt eq 'n';
die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
+ my $newv = $r->_fresh_cookie();
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
Message => "You need to log in again.",
if ($meth eq 'GET') {
return ({ Kind => 'LOGIN-INCOMINGLINK',
Message => "You need to log in again.",
- CookieVal => $
parm
v,
+ CookieVal => $
new
v,
Params => $r->_chain_params() });
} else {
Params => $r->_chain_params() });
} else {
+ $r->_db_revoke($parmv);
return ({ Kind => 'LOGIN-FRESH',
Message => "You need to log in again.",
return ({ Kind => 'LOGIN-FRESH',
Message => "You need to log in again.",
- CookieVal => $
parm
v,
+ CookieVal => $
new
v,
Params => { } });
}
}
Params => { } });
}
}
@@
-500,6
+528,7
@@
sub _check_divert_core ($) {
die unless $cookv eq $parmv;
$r->{Assoc} = $cookv;
$r->{UserOK} = $cooku;
die unless $cookv eq $parmv;
$r->{Assoc} = $cookv;
$r->{UserOK} = $cooku;
+ print STDERR "C-D-C OK\n";
return undef;
}
return undef;
}
@@
-568,14
+597,14
@@
sub _db_record_login_ok ($$$) {
sub check_divert ($) {
my ($r) = @_;
sub check_divert ($) {
my ($r) = @_;
- my $divert;
if (exists $r->{Divert}) {
return $r->{Divert};
}
my $dbh = $r->{Dbh};
$r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); });
$dbh->commit();
if (exists $r->{Divert}) {
return $r->{Divert};
}
my $dbh = $r->{Dbh};
$r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); });
$dbh->commit();
- return $divert;
+ print STDERR Dumper($r->{Divert});
+ return $r->{Divert};
}
sub get_divert ($) {
}
sub get_divert ($) {
@@
-598,11
+627,19
@@
sub url_with_query_params ($$) {
return $uri->as_string();
}
return $uri->as_string();
}
+sub _cgi_header_args ($$@) {
+ my ($r, $cookie, @ha) = @_;
+ unshift @ha, qw(-type text/html);
+ push @ha, (-cookie => $cookie) if defined $cookie;
+ print STDERR "_cgi_header_args ",join('|',@ha),".\n";
+ return @ha;
+}
+
sub check_ok ($) {
my ($r) = @_;
my ($divert) = $r->check_divert();
sub check_ok ($) {
my ($r) = @_;
my ($divert) = $r->check_divert();
- return 1 if $divert;
+ return 1 if
!
$divert;
my $handled = $r->_ch('handle_divert',$divert);
return 0 if $handled;
my $handled = $r->_ch('handle_divert',$divert);
return 0 if $handled;
@@
-610,6
+647,7
@@
sub check_ok ($) {
my $kind = $divert->{Kind};
my $cookieval = $divert->{CookieVal};
my $params = $divert->{Params};
my $kind = $divert->{Kind};
my $cookieval = $divert->{CookieVal};
my $params = $divert->{Params};
+ my $cookie = $r->construct_cookie($cookieval);
if ($kind =~ m/^REDIRECT-/) {
# for redirects, we honour stored NextParams and SetCookie,
if ($kind =~ m/^REDIRECT-/) {
# for redirects, we honour stored NextParams and SetCookie,
@@
-623,7
+661,6
@@
sub check_ok ($) {
die;
}
my $new_url = $r->url_with_query_params($params);
die;
}
my $new_url = $r->url_with_query_params($params);
- my $cookie = $r->construct_cookie($r, $cookieval);
$r->_ch('do_redirect',$new_url, $cookie);
return 0;
}
$r->_ch('do_redirect',$new_url, $cookie);
return 0;
}
@@
-641,9
+678,10
@@
sub check_ok ($) {
die $kind;
}
die $kind;
}
- $r->_print($r->_ch('start_html',$title),
- @body,
- $r->_ch('end_html'));
+ $r->_print($r->{Cgi}->header($r->_cgi_header_args($cookie)),
+ $r->_ch('gen_start_html',$title),
+ (join "\n", @body),
+ $r->_ch('gen_end_html'));
return 0;
}
return 0;
}
@@
-659,18
+697,26
@@
sub _random ($$) {
$!=0;
read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
close $rsf;
$!=0;
read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
close $rsf;
- return unpack "H*", $bin;
+ my $out = unpack "H*", $bin;
+ print STDERR "_random out $out\n";
+ return $out;
}
sub _fresh_cookie ($) {
my ($r) = @_;
}
sub _fresh_cookie ($) {
my ($r) = @_;
+ print STDERR "_fresh_cookie\n";
my $bytes = ($r->{S}{associdlen} + 7) >> 3;
return $r->_random($bytes);
}
my $bytes = ($r->{S}{associdlen} + 7) >> 3;
return $r->_random($bytes);
}
-sub
check_mutate
($) {
+sub
_assert_checked
($) {
my ($r) = @_;
die "unchecked" unless exists $r->{Divert};
my ($r) = @_;
die "unchecked" unless exists $r->{Divert};
+}
+
+sub check_mutate ($) {
+ my ($r) = @_;
+ $r->_assert_checked();
die if $r->{Divert};
my $meth = $r->_ch('get_method');
die "mutating non-POST" if $meth ne 'POST';
die if $r->{Divert};
my $meth = $r->_ch('get_method');
die "mutating non-POST" if $meth ne 'POST';
@@
-680,7
+726,7
@@
sub check_mutate ($) {
sub secret_val ($) {
my ($r) = @_;
sub secret_val ($) {
my ($r) = @_;
- $r->
check
();
+ $r->
_assert_checked
();
return defined $r->{Assoc} ? $r->{Assoc} : '';
}
return defined $r->{Assoc} ? $r->{Assoc} : '';
}
@@
-692,7
+738,10
@@
sub secret_hidden_html ($) {
sub secret_cookie ($) {
my ($r) = @_;
sub secret_cookie ($) {
my ($r) = @_;
- return $r->construct_cookie($r->secret_val());
+#print STDERR "SC\n";
+ my $cookv = $r->construct_cookie($r->secret_val());
+#print STDERR "SC=$cookv\n";
+ return $cookv;
}
__END__
}
__END__
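Review bot: The tracing added in construct_cookie (`print STDERR "CC $r $c $cookv $cookie (@ca).\n";`), in _random (`print STDERR "_random out $out\n";`) and the `print STDERR Dumper($r->{Divert});` in check_divert write the association id — the value that identifies a logged-in session — into the web server's error log, so anyone who can read that log can replay a live session. The commit is labelled wip, so these are presumably temporary, but they should be removed (or at minimum print only a length or a fixed placeholder instead of the value) before this lands; the other `DT ...` / `_c_d_c` prints carry no secret but belong behind a debug switch as well. Separately, the cookie assembled in `@ca` now defaults to `-secure` via encrypted_only => 1, but no HttpOnly flag is set; if the CGI.pm in use supports it, adding `-httponly => 1,` to `@ca` would keep the association id out of reach of script running on the page. construct_cookie starts and ends inside its hunk, while _random's opening lines and the rest of _check_divert_core lie outside theirs.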