X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=cgi-auth-flexible.pm;h=137de002125ffd661342d9de22bcbcedcb50ed14;hp=e5b89244476da131f03615daf19a367b6c12c0ac;hb=0e3eb3aef176eac1e7209f01ad73e2e91f782507;hpb=031ab04359164ef2e3d311e61637491479e6098d diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm index e5b8924..137de00 100644 --- a/cgi-auth-flexible.pm +++ b/cgi-auth-flexible.pm @@ -18,7 +18,7 @@ # along with this program. If not, see . use strict; -use warnings; +use warnings FATAL => 'all'; package CGI::Auth::Flexible; require Exporter; @@ -32,7 +32,7 @@ BEGIN { @EXPORT = qw(); %EXPORT_TAGS = ( ); # eg: TAG => [ qw!name1 name2! ], - @EXPORT_OK = qw(setup); + @EXPORT_OK = qw(); } our @EXPORT_OK; @@ -47,6 +47,9 @@ use Digest; use Digest::HMAC; use Digest::SHA; use Data::Dumper; +use File::Copy; +use Cwd qw/realpath/; + #---------- public utilities ---------- @@ -54,6 +57,7 @@ sub flatten_params ($) { my ($p) = @_; my @p; foreach my $k (keys %$p) { + next if $k eq ''; foreach my $v (@{ $p->{$k} }) { push @p, $k, $v; } @@ -92,7 +96,8 @@ sub login_ok_password ($$) { my $username_params = $r->{S}{username_param_names}; my $username = $r->_ch('get_param',$username_params->[0]); my $password = $r->_rp('password_param_name'); - return $r->_ch('username_password_ok', $username, $password); + my $error = $r->_ch('username_password_error', $username, $password); + return defined($error) ? (undef,$error) : ($username,undef); } sub do_redirect_cgi ($$$$) { @@ -104,39 +109,66 @@ sub do_redirect_cgi ($$$$) { '', $r->_gt("If you aren't redirected, click to continue."), "", - $c->_ch('gen_end_html')); + $r->_ch('gen_end_html')); } -sub gen_plain_login_form ($$) { - my ($c,$r, $params) = @_; +sub gen_some_form ($$) { + my ($r, $params, $bodyfn) = @_; + # Calls $bodyfn->($c,$r) which returns @formbits + my $c = $r->{Cgi}; my @form; + my $pathinfo = ''; + $pathinfo .= $params->{''}[0] if $params->{''}; push @form, ('
'. - ''); - my $sz = 'size="'.$r->{S}{form_entry_size}.'"'; - foreach my $up (@{ $r->{S}{username_param_names}}) { - push @form, ('', - ''); - } - push @form, ('', - ''); - push @form, ('', - '
',$r->_gt(ucfirst $up),'
'.$r->_gt('Password').'
', - '
'); + escapeHTML($r->_ch('get_url').$pathinfo).'">'); + push @form, $bodyfn->($c,$r); foreach my $n (keys %$params) { - push @form, (''); + next if $n eq ''; + foreach my $val (@{ $params->{$n} }) { + push @form, (''); + } } push @form, ('
'); return join "\n", @form; } -sub gen_login_link ($$) { +sub gen_plain_login_form ($$) { + my ($c,$r, $params) = @_; + return $r->gen_some_form($params, sub { + my @form; + push @form, (''); + my $sz = 'size="'.$r->{S}{form_entry_size}.'"'; + foreach my $up (@{ $r->{S}{username_param_names}}) { + push @form, ('', + ''); + } + push @form, ('', + ''); + push @form, ('', + '
',$r->_gt(ucfirst $up),'
'.$r->_gt('Password').'
', + '
'); + return @form; + }); +} + +sub gen_postmainpage_form ($$$) { + my ($c,$r, $params) = @_; + return $r->gen_some_form($params, sub { + my @form; + push @form, (''); + return @form; + }); +} + +sub gen_plain_login_link ($$) { my ($c,$r, $params) = @_; my $url = $r->url_with_query_params($params); return (''. @@ -144,6 +176,240 @@ sub gen_login_link ($$) { ''); } +sub gen_srcdump_link_html ($$$$) { + my ($c,$r,$anchor,$specval) = @_; + my %params = ($r->{S}{srcdump_param_name} => [ $specval ]); + return ''.$anchor.""; +} +sub gen_plain_licence_link_html ($$) { + my ($c,$r) = @_; + gen_srcdump_link_html($c,$r, 'GNU Affero GPL', 'licence'); +} +sub gen_plain_source_link_html ($$) { + my ($c,$r) = @_; + gen_srcdump_link_html($c,$r, 'Source available', 'source'); +} + +sub gen_plain_footer_html ($$) { + my ($c,$r) = @_; + return ('
', + ("Powered by Free / Libre / Open Source Software". + " according to the ".$r->_ch('gen_licence_link_html')."."), + $r->_ch('gen_source_link_html').".", + '
'); +} + +#---------- licence and source code ---------- + +sub srcdump_dump ($$$) { + my ($c,$r, $thing) = @_; + die if $thing =~ m/\W/ || $thing !~ m/\w/; + my $path = $r->_get_path('srcdump'); + my $ctf = new IO::File "$path/$thing.ctype", 'r' + or die "$path/$thing.ctype $!"; + my $ct = <$ctf>; + chomp $ct or die "$path/$thing ?"; + $ctf->close or die "$path/$thing $!"; + my $df = new IO::File "$path/$thing.data", 'r' + or die "$path/$thing.data $!"; + $r->_ch('dump', $ct, $df); +} + +sub dump_plain ($$$$) { + my ($c, $r, $ct, $df) = @_; + $r->_print($c->header('-type' => $ct)); + my $buffer; + for (;;) { + my $got = read $df, $buffer, 65536; + die $! unless defined $got; + return if !$got; + $r->_print($buffer); + } +} + +sub srcdump_process_item ($$$$$$) { + my ($c, $v, $dumpdir, $item, $outfn, $needlicence, $dirsdone) = @_; + if ($v->_ch('srcdump_system_dir', $item)) { + $outfn->("srcdump_process_item: srcdump_system_dir, skipping $item"); + return; + } + my $upwards = $item; + for (;;) { + $upwards =~ s#/+$##; + $upwards =~ s#/+\.$##; + last unless $upwards =~ m#[^/]#; + foreach my $try (@{ $v->{S}{srcdump_vcs_dirs} }) { +#print STDERR "TRY $item $upwards $try\n"; + if (!stat "$upwards/$try") { + $!==&ENOENT or $!==&ENOTDIR or die "check $upwards/$try $!"; + next; + } +#print STDERR "VCS $item $upwards $try\n"; + if ($dirsdone->{$upwards}++) { + $outfn->("srcdump_process_item: did $upwards,". + " skipping $item"); + return; + } +#print STDERR "VCS $item $upwards $try GO\n"; + $try =~ m/\w+/ or die; + return $v->_ch('srcdump_byvcs', $dumpdir, $upwards, $outfn, lc $&); + } + $upwards =~ s#/*[^/]+$##; + } + return $v->_ch('srcdump_novcs', $dumpdir, $item, $outfn); +} + +sub srcdump_novcs ($$$$$) { + my ($c, $v, $dumpdir, $item, $outfn) = @_; + stat $item or die "$item $!"; + if (-d _) { + my $script = 'find -type f -perm +004'; + foreach my $excl (@{ $v->{S}{srcdump_excludes} }) { + $script .= " \\! -name '$excl'"; + } + $script .= " -print0"; + return srcdump_dir_cpio($c,$v,$dumpdir,$item,$outfn,'novcs',$script); + } elsif (-f _) { + return srcdump_file($c,$v,$dumpdir,$item,$outfn); + } else { + die "$item not file or directory"; + } +} + +sub srcdump_byvcs ($$$$$$) { + my ($c, $v, $dumpdir, $dir, $outfn, $vcs) = @_; +#print STDERR "BYVCS GIT $dir\n"; + return srcdump_dir_cpio($c,$v,$dumpdir,$dir,$outfn,$vcs, + $v->{S}{"srcdump_vcsscript_$vcs"}); +} + +sub srcdump_file ($$$$) { + my ($c,$v,$dumpdir,$file,$outfn) = @_; + my $outfile = $outfn->("srcdump_file saved $file", "src"); + copy($file,$outfile) or die "$file $outfile $!"; +} + +sub srcdump_dir_cpio ($$$$$$$) { + my ($c,$v,$dumpdir,$dir,$outfn,$how,$script) = @_; + my $outfile = $outfn->("srcdump_dir_cpio $how saved $dir", "tar"); +#print STDERR "CPIO $dir >$script<\n"; + my $pid = fork(); + defined $pid or die $!; + if (!$pid) { + $SIG{__DIE__} = sub { + print STDERR "CGI::Auth::Flexible srcdump error: $@\n"; + exit 127; + }; + open STDOUT, ">", $outfile or die "$outfile $!"; + chdir $dir or die "chdir $dir: $!"; + exec '/bin/bash','-ec'," + set -o pipefail + ( + $script + ) | ( + cpio -Hustar -o --quiet -0 -R 1000:1000 || \ + cpio -Hustar -o --quiet -0 + ) + "; + die $!; + } + $!=0; (waitpid $pid, 0) == $pid or die "$!"; + die "$dir ($how $script) $outfile $?" if $?; +} + +sub srcdump_dirscan_prepare ($$) { + my ($c, $v) = @_; + my $dumpdir = $v->_get_path('srcdump'); + mkdir $dumpdir or $!==&EEXIST or die "mkdir $dumpdir $!"; + my $lockf = new IO::File "$dumpdir/generate.lock", 'w+' + or die "$dumpdir/generate.lock $!"; + flock $lockf, LOCK_EX or die "$dumpdir/generate.lock $!"; + my $needlicence = "$dumpdir/licence.tmp"; + unlink $needlicence or $!==&ENOENT or die "rm $needlicence $!"; + if (defined $v->{S}{srcdump_licence_path}) { + copy($v->{S}{srcdump_licence_path}, $needlicence) + or die "$v->{S}{srcdump_licence_path} $!"; + $needlicence = undef; + } + unlink <"$dumpdir/s.[a-z][a-z][a-z].*">; + my @srcfiles = qw(licence.data manifest.txt); + my $srcoutcounter = 'aaa'; + + my $reportfh = new IO::File "$dumpdir/manifest.txt", 'w' or die $!; + my $outfn = sub { + my ($message, $extension) = @_; + if (defined $extension) { + my $leaf = "s.$srcoutcounter.$extension"; + $srcoutcounter++; + push @srcfiles, $leaf; + print $reportfh "$leaf: $message\n" or die $!; + return "$dumpdir/$leaf"; + } else { + print $reportfh "none: $message\n" or die $!; + return undef; + } + }; + my %dirsdone; + foreach my $item ($v->_ch('srcdump_listitems')) { + if ($item eq '.' && $v->{S}{srcdump_filter_cwd}) { + my @bad = grep { !m#^/# } values %INC; + die "filtering . from srcdump items and \@INC but already". + " included @bad " if @bad; + @INC = grep { $_ ne '.' } @INC; + next; + } + if (!lstat "$item") { + die "stat $item $!" unless $!==&ENOENT; + $outfn->("srcdump_dirscan_prepare stat ENOENT, skipping $item"); + next; + }; + if (-l _) { + $item = realpath($item); + if (!defined $item) { + die "realpath $item $!" unless $!==&ENOENT; + $outfn->("srcdump_dirscan_prepare realpath ENOENT,". + " skipping $item"); + } + } + if (defined $needlicence) { + foreach my $try (@{ $v->{S}{srcdump_licence_files} }) { + last if copy("$item/$try", $needlicence); + $!==&ENOENT or $!==&ENOTDIR or die "copy $item/$try $!"; + } + } + $v->_ch('srcdump_process_item', $dumpdir, $item, + $outfn, \$needlicence, \%dirsdone); + $dirsdone{$item}++; + } + close $reportfh or die $!; + srcdump_install($c,$v, $dumpdir, 'licence', 'text/plain'); + $!=0; + my @cmd = (qw(tar -zvvcf), "$dumpdir/source.tmp", + "-C", $dumpdir, qw( --), @srcfiles); + my $r = system(@cmd); + if ($r) { + print STDERR "CGI::Auth::Flexible tar failed ($r $!) @cmd\n"; + die "tar failed"; + } + die "licence file not found" unless defined $needlicence; + srcdump_install($c,$v, $dumpdir, 'source', 'application/octet-stream'); + close $lockf or die $!; +} + +sub srcdump_install ($$$$$) { + my ($c,$v, $dumpdir, $which, $ctype) = @_; + rename "$dumpdir/$which.tmp", "$dumpdir/$which.data" + or die "$dumpdir/$which.data $!"; + my $ctf = new IO::File "$dumpdir/$which.tmp", 'w' + or die "$dumpdir/$which.tmp $!"; + print $ctf $ctype, "\n" or die $!; + close $ctf or die $!; + rename "$dumpdir/$which.tmp", "$dumpdir/$which.ctype" + or die "$dumpdir/$which.ctype $!"; +} + #---------- verifier object methods ---------- sub new_verifier { @@ -151,8 +417,10 @@ sub new_verifier { my $verifier = { S => { dir => undef, + assocdb_dbh => undef, # must have AutoCommit=0, RaiseError=1 assocdb_path => 'caf-assocs.db', keys_path => 'caf-keys', + srcdump_path => 'caf-srcdump', assocdb_dsn => undef, assocdb_user => '', assocdb_password => '', @@ -164,22 +432,25 @@ sub new_verifier { login_form_timeout => 3600, # seconds key_rollover => 86400, # seconds assoc_param_name => 'caf_assochash', + dummy_param_name_prefix => 'caf__', cookie_name => "caf_assocsecret", password_param_name => 'password', + srcdump_param_name => 'caf_srcdump', username_param_names => [qw(username)], form_entry_size => 60, logout_param_names => [qw(caf_logout)], - login_submit_name => [qw(caf_login)], loggedout_param_names => [qw(caf_loggedout)], promise_check_mutate => 0, get_param => sub { $_[0]->param($_[2]) }, get_params => sub { $_[1]->get_params() }, + get_path_info => sub { $_[0]->path_info() }, get_cookie => sub { $_[0]->cookie($_[1]->{S}{cookie_name}) }, get_method => sub { $_[0]->request_method() }, + check_https => sub { !!$_[0]->https() }, get_url => sub { $_[0]->url(); }, is_login => sub { defined $_[1]->_rp('password_param_name') }, login_ok => \&login_ok_password, - username_password_ok => sub { die }, + username_password_error => sub { die }, is_logout => sub { $_[1]->has_a_param('logout_param_names') }, is_loggedout => sub { $_[1]->has_a_param('loggedout_param_names') }, is_page => sub { return 1 }, @@ -189,21 +460,53 @@ sub new_verifier { get_cookie_domain => \&get_cookie_domain, encrypted_only => 1, gen_start_html => sub { $_[0]->start_html($_[2]); }, + gen_footer_html => \&gen_plain_footer_html, + gen_licence_link_html => \&gen_plain_licence_link_html, + gen_source_link_html => \&gen_plain_source_link_html, gen_end_html => sub { $_[0]->end_html(); }, gen_login_form => \&gen_plain_login_form, gen_login_link => \&gen_plain_login_link, + gen_postmainpage_form => \&gen_postmainpage_form, + srcdump_dump => \&srcdump_dump, + srcdump_prepare => \&srcdump_dirscan_prepare, + srcdump_licence_path => undef, + srcdump_licence_files => [qw(AGPLv3 CGI/Auth/Flexible/AGPLv3)], + srcdump_listitems => sub { (@INC, $ENV{'SCRIPT_FILENAME'}, $0); }, + srcdump_filter_cwd => 1, + srcdump_system_dir => sub { + $_[2] =~ m#^/etc/|^/usr/(?!local/)(?!lib/cgi)#; + }, + srcdump_process_item => \&srcdump_process_item, + srcdump_vcs_dirs => [qw(.git .hg .bzr .svn CVS)], + srcdump_vcsscript_git => " + git ls-files -z + git ls-files -z --others --exclude-from=.gitignore + find .git -print0 + ", + srcdump_vcsscript_hg => "false hg", + srcdump_vcsscript_bzr => "false bzr", + srcdump_vcsscript_svn => "false svn", + srcdump_vcsscript_cvs => "false cvs", + srcdump_byvcs => \&srcdump_byvcs, + srcdump_novcs => \&srcdump_novcs, + srcdump_excludes => [qw(*~ *.bak *.tmp), '#*#'], + dump => \&dump_plain, gettext => sub { gettext($_[2]); }, print => sub { print $_[2] or die $!; }, + debug => sub { }, # like print; msgs contain trailing \n }, Dbh => undef, }; my ($k,$v); while (($k,$v,@_) = @_) { - die "unknown setting $k" unless exists $verifier->{S}{$k}; + die "unknown setting $k" unless + $k =~ m/^promise_/ or + exists $verifier->{S}{$k}; $verifier->{S}{$k} = $v; } bless $verifier, $class; $verifier->_dbopen(); + $verifier->_ch('srcdump_prepare'); return $verifier; } @@ -223,17 +526,24 @@ sub _dbopen ($) { my $dbh = $v->{Dbh}; return $dbh if $dbh; - $v->{S}{assocdb_dsn} ||= "dbi:SQLite:dbname=".$v->_get_path('assocdb'); - my $dsn = $v->{S}{assocdb_dsn}; - - my $u = umask 077; - $dbh = DBI->connect($dsn, $v->{S}{assocdb_user}, - $v->{S}{assocdb_password}, { - AutoCommit => 0, - RaiseError => 1, - ShowErrorStatement => 1, - }); - die "$dsn $! ?" unless $dbh; + $dbh = $v->{S}{assocdb_dbh}; + if ($dbh) { + die if $dbh->{AutoCommit}; + die unless $dbh->{RaiseError}; + } else { + $v->{S}{assocdb_dsn} ||= "dbi:SQLite:dbname=".$v->_get_path('assocdb'); + my $dsn = $v->{S}{assocdb_dsn}; + + my $u = umask 077; + $dbh = DBI->connect($dsn, $v->{S}{assocdb_user}, + $v->{S}{assocdb_password}, { + AutoCommit => 0, + RaiseError => 1, + ShowErrorStatement => 1, + }); + umask $u; + die "$dsn $! ?" unless $dbh; + } $v->{Dbh} = $dbh; $v->_db_setup_do("CREATE TABLE $v->{S}{assocdb_table} (". @@ -259,31 +569,31 @@ sub _db_transaction ($$) { my $retries = 10; my $rv; my $dbh = $v->{Dbh}; -print STDERR "DT entry\n"; +#print STDERR "DT entry\n"; for (;;) { -print STDERR "DT loop\n"; +#print STDERR "DT loop\n"; if (!eval { $rv = $fn->(); -print STDERR "DT fn ok\n"; +#print STDERR "DT fn ok\n"; 1; }) { -print STDERR "DT fn error\n"; +#print STDERR "DT fn error\n"; { local ($@); $dbh->rollback(); } -print STDERR "DT fn throwing\n"; +#print STDERR "DT fn throwing\n"; die $@; } -print STDERR "DT fn eval ok\n"; +#print STDERR "DT fn eval ok\n"; if (eval { $dbh->commit(); -print STDERR "DT commit ok\n"; +#print STDERR "DT commit ok\n"; 1; }) { -print STDERR "DT commit eval ok $rv\n"; +#print STDERR "DT commit eval ok ",Dumper($rv); return $rv; } -print STDERR "DT commit throw?\n"; +#print STDERR "DT commit throw?\n"; die $@ if !--$retries; -print STDERR "DT loop again\n"; +#print STDERR "DT loop again\n"; } } @@ -318,11 +628,21 @@ sub _rp ($$@) { my $p = scalar $r->_ch('get_param',$pn) } +sub _debug ($@) { + my ($r,@args) = @_; + $r->_ch('debug',@args); +} + sub _get_path ($$) { - my ($v,$keybase) = @_; - my $leaf = $v->{S}{"${keybase}_path"}; - my $dir = $v->{S}{dir}; + my ($r,$keybase) = @_; + my $leaf = $r->{S}{"${keybase}_path"}; + return $r->_absify_path($leaf); +} + +sub _absify_path ($$) { + my ($v,$leaf) = @_; return $leaf if $leaf =~ m,^/,; + my $dir = $v->{S}{dir}; die "relying on cwd by default ?! set dir" unless defined $dir; return "$dir/$leaf"; } @@ -341,15 +661,15 @@ my @ca = (-name => $r->{S}{cookie_name}, -expires => '+'.$r->{S}{login_timeout}.'s', -secure => $r->{S}{encrypted_only}); my $cookie = $c->cookie(@ca); -print STDERR "CC $r $c $cooks $cookie (@ca).\n"; +#print STDERR "CC $r $c $cooks $cookie (@ca).\n"; return $cookie; } # pages/param-sets are # n normal non-mutating page -# r retrieval of information for JS, non-mutating +# r retrieval of information for JS etc., non-mutating # m mutating page -# u update of information by JS, mutating +# u update of information by JS etc., mutating # i login # o logout # O "you have just logged out" page load @@ -458,15 +778,34 @@ print STDERR "CC $r $c $cooks $cookie (@ca).\n"; sub _check_divert_core ($) { my ($r) = @_; - my $meth = $r->_ch('get_method'); + my $srcdump = $r->_rp('srcdump_param_name'); + if ($srcdump) { + die if $srcdump =~ m/\W/; + return ({ Kind => 'SRCDUMP-'.uc $srcdump, + Message => undef, + CookieSecret => undef, + Params => { } }); + } + my $cooks = $r->_ch('get_cookie'); + + if ($r->{S}{encrypted_only} && !$r->_ch('check_https')) { + return ({ Kind => 'REDIRECT-HTTPS', + Message => $r->_gt("Redirecting to secure server..."), + CookieSecret => undef, + Params => { } }); + } + + my $meth = $r->_ch('get_method'); my $parmh = $r->_rp('assoc_param_name'); my $cookh = defined $cooks ? $r->hash($cooks) : undef; my ($cookt,$cooku) = $r->_identify($cookh, $cooks); - my $parmt = $r->_identify($parmh, undef); + my $parms = (defined $cooks && defined $parmh && $parmh eq $cookh) + ? $cooks : undef; + my ($parmt) = $r->_identify($parmh, $parms); - print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n"; + $r->_debug("_c_d_c cookt=$cookt parmt=$parmt\n"); if ($r->_ch('is_logout')) { $r->_must_be_post(); @@ -474,49 +813,53 @@ sub _check_divert_core ($) { $r->_db_revoke($cookh); $r->_db_revoke($parmh); return ({ Kind => 'REDIRECT-LOGGEDOUT', - Message => "Logging out...", + Message => $r->_gt("Logging out..."), CookieSecret => '', Params => { } }); } if ($r->_ch('is_loggedout')) { die unless $meth eq 'GET'; - die unless $cookt; - die unless $parmt; + die if $cookt eq 'y'; + die if $parmt; return ({ Kind => 'SMALLPAGE-LOGGEDOUT', - Message => "You have been logged out.", + Message => $r->_gt("You have been logged out."), CookieSecret => '', Params => { } }); } if ($r->_ch('is_login')) { $r->_must_be_post(); die unless $parmt; - if (!$cookt && $parmt eq 't') { + if (!$cookt && $parmt eq 'n') { return ({ Kind => 'SMALLPAGE-NOCOOKIE', - Message => "You do not seem to have cookies enabled. ". - "You must enable cookies as we use them for login.", - CookieSecret => $r->_fresh_secret(), - Params => $r->_chain_params() }) + Message => $r->_gt("You do not seem to have cookies". + " enabled. You must enable cookies". + " as we use them for login."), + CookieSecret => $r->_fresh_secret(), + Params => $r->chain_params() }) } if (!$cookt || $cookt eq 'n' || $cookh ne $parmh) { $r->_db_revoke($cookh); return ({ Kind => 'LOGIN-STALE', - Message => "Stale session; you need to log in again.", + Message => $r->_gt("Stale session;". + " you need to log in again."), CookieSecret => $r->_fresh_secret(), Params => { } }) } die unless $parmt eq 't' || $parmt eq 'y'; - my $username = $r->_ch('login_ok'); + my ($username, $login_errormessage) = $r->_ch('login_ok'); unless (defined $username && length $username) { + $login_errormessage = $r->_gt("Incorrect username/password.") + if !$login_errormessage; return ({ Kind => 'LOGIN-BAD', - Message => "Incorrect username/password.", + Message => $login_errormessage, CookieSecret => $cooks, - Params => $r->_chain_params() }) + Params => $r->chain_params() }) } $r->_db_record_login_ok($parmh,$username); return ({ Kind => 'REDIRECT-LOGGEDIN', - Message => "Logging in...", + Message => $r->_gt("Logging in..."), CookieSecret => $cooks, - Params => $r->_chain_params() }); + Params => $r->chain_params() }); } if ($cookt eq 't') { $cookt = ''; @@ -534,13 +877,13 @@ sub _check_divert_core ($) { my $news = $r->_fresh_secret(); if ($meth eq 'GET') { return ({ Kind => 'LOGIN-INCOMINGLINK', - Message => "You need to log in again.", + Message => $r->_gt("You need to log in."), CookieSecret => $news, - Params => $r->_chain_params() }); + Params => $r->chain_params() }); } else { $r->_db_revoke($parmh); return ({ Kind => 'LOGIN-FRESH', - Message => "You need to log in again.", + Message => $r->_gt("You need to log in."), CookieSecret => $news, Params => { } }); } @@ -549,7 +892,7 @@ sub _check_divert_core ($) { if (!$r->{S}{promise_check_mutate}) { if ($meth ne 'POST') { return ({ Kind => 'MAINPAGEONLY', - Message => 'Entering via cross-site link.', + Message => $r->_gt('Entering via cross-site link.'), CookieSecret => $cooks, Params => { } }); # NB caller must then ignore params & path! @@ -559,15 +902,18 @@ sub _check_divert_core ($) { } die unless $cookt eq 'y'; - die unless $parmt eq 'y'; - die unless $cookh eq $parmh; + unless ($r->{S}{promise_check_mutate} && $meth eq 'GET') { + die unless $parmt eq 'y'; + die unless $cookh eq $parmh; + } + $r->{ParmT} = $parmt; $r->{AssocSecret} = $cooks; $r->{UserOK} = $cooku; - print STDERR "C-D-C OK\n"; +#print STDERR "C-D-C OK\n"; return undef; } -sub _chain_params ($) { +sub chain_params ($) { my ($r) = @_; my %p = %{ $r->_ch('get_params') }; foreach my $pncn (keys %{ $r->{S} }) { @@ -585,6 +931,12 @@ sub _chain_params ($) { delete $p{$name}; } } + my $dummy_prefix = $r->{S}{dummy_param_name_prefix}; + foreach my $name (grep /^$dummy_prefix/, keys %p) { + delete $p{$name}; + } + die if exists $p{''}; + $p{''} = [ $r->_ch('get_path_info') ]; return \%p; } @@ -594,7 +946,9 @@ sub _identify ($$) { # where $t is one of "t" "y" "n", or "" (for -) # either $s must be undef, or $h eq $r->hash($s) +#print STDERR "_identify\n"; return '' unless defined $h && length $h; +#print STDERR "_identify h=$h s=".(defined $s ? $s : '')."\n"; my $dbh = $r->{Dbh}; @@ -606,6 +960,7 @@ sub _identify ($$) { " FROM $r->{S}{assocdb_table}". " WHERE assochash = ?", {}, $h); if (defined $row) { +#print STDERR "_identify h=$h s=$s YES @$row\n"; my ($nusername, $nlast) = @$row; return ('y', $nusername); } @@ -618,15 +973,20 @@ sub _identify ($$) { my ($keyt, $signature, $message, $noncet, $nonce) = $s =~ m/^(\d+)\.(\w+)\.((\d+)\.(\w+))$/ or die; - return 'n' if time > $noncet + $r->{S}{form_timeout}; + return 'n' if time > $noncet + $r->{S}{login_form_timeout}; + +#print STDERR "_identify noncet=$noncet ok\n"; my $keys = $r->_open_keys(); while (my ($rkeyt, $rkey, $line) = $r->_read_key($keys)) { +#print STDERR "_identify search rkeyt=$rkeyt rkey=$rkey\n"; last if $rkeyt < $keyt; # too far down in the file my $trysignature = $r->_hmac($rkey, $message); +#print STDERR "_identify search rkeyt=$rkeyt rkey=$rkey try=$trysignature\n"; return 't' if $trysignature eq $signature; } # oh well +#print STDERR "_identify NO\n"; $keys->error and die $!; return 'n'; @@ -647,7 +1007,7 @@ sub _db_record_login_ok ($$$) { $r->_db_revoke($h); my $dbh = $r->{Dbh}; $dbh->do("INSERT INTO $r->{S}{assocdb_table}". - " (associd, username, last) VALUES (?,?,?)", {}, + " (assochash, username, last) VALUES (?,?,?)", {}, $h, $user, time); } @@ -659,7 +1019,7 @@ sub check_divert ($) { my $dbh = $r->{Dbh}; $r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); }); $dbh->commit(); - print STDERR Dumper($r->{Divert}); + $r->_debug(Data::Dumper->Dump([$r->{Divert}],[qw(divert)])); return $r->{Divert}; } @@ -676,10 +1036,17 @@ sub get_username ($) { return $r->{UserOK}; } -sub url_with_query_params ($$) { - my ($r, $params) = @_; +sub url_with_query_params ($$;$) { + my ($r, $params, $nonpagetype) = @_; +#print STDERR "PARAMS ",Dumper($params); my $uri = URI->new($r->_ch('get_url')); - $uri->query_form(flatten_params($params)); + $uri->path($uri->path() . $params->{''}[0]) if $params->{''}; + my @flatparams = flatten_params($params); + if (defined $nonpagetype + && $r->nonpage_get_needs_secret_hidden($nonpagetype)) { + push @flatparams, $r->{S}{assoc_param_name}, $r->secret_hidden_val(); + } + $uri->query_form(@flatparams); return $uri->as_string(); } @@ -687,7 +1054,7 @@ sub _cgi_header_args ($$@) { my ($r, $cookie, @ha) = @_; unshift @ha, qw(-type text/html); push @ha, (-cookie => $cookie) if defined $cookie; - print STDERR "_cgi_header_args ",join('|',@ha),".\n"; +#print STDERR "_cgi_header_args ",join('|',@ha),".\n"; return @ha; } @@ -705,43 +1072,59 @@ sub check_ok ($) { my $params = $divert->{Params}; my $cookie = $r->construct_cookie($cookiesecret); - if (defined $cookiesecret) { - $params->{$r->{S}{assoc_param_name}} = $r->hash($cookiesecret); + if ($kind =~ m/^SRCDUMP-(\w+)$/) { + $r->_ch('srcdump_dump', (lc $1)); + return 0; } if ($kind =~ m/^REDIRECT-/) { # for redirects, we honour stored NextParams and SetCookie, # as we would for non-divert if ($kind eq 'REDIRECT-LOGGEDOUT') { - $params->{$r->{S}{loggedout_param_names}[0]} = 1; + $params->{$r->{S}{loggedout_param_names}[0]} = [ 1 ]; } elsif ($kind eq 'REDIRECT-LOGOUT') { - $params->{$r->{S}{logout_param_names}[0]} = 1; - } elsif ($kind eq 'REDIRECT-LOGGEDIN') { + $params->{$r->{S}{logout_param_names}[0]} = [ 1 ]; + } elsif ($kind =~ m/REDIRECT-(?:LOGGEDIN|HTTPS)/) { } else { die; } my $new_url = $r->url_with_query_params($params); + if ($kind eq 'REDIRECT-HTTPS') { + my $uri = URI->new($new_url); + die unless $uri->scheme eq 'http'; + $uri->scheme('https'); + $new_url = $uri->as_string(); + } $r->_ch('do_redirect',$new_url, $cookie); return 0; } + if (defined $cookiesecret) { + $params->{$r->{S}{assoc_param_name}} = [ $r->hash($cookiesecret) ]; + } + my ($title, @body); if ($kind =~ m/^LOGIN-/) { $title = $r->_gt('Login'); - push @body, $r->_gt($divert->{Message}); + push @body, $divert->{Message}; push @body, $r->_ch('gen_login_form', $params); } elsif ($kind =~ m/^SMALLPAGE-/) { $title = $r->_gt('Not logged in'); - push @body, $r->_gt($divert->{Message}); - push @body, $r->_ch('gen_login_link'); + push @body, $divert->{Message}; + push @body, $r->_ch('gen_login_link', $params); + } elsif ($kind =~ m/^MAINPAGEONLY$/) { + $title = $r->_gt('Entering secure site.'); + push @body, $divert->{Message}; + push @body, $r->_ch('gen_postmainpage_form', $params); } else { die $kind; } $r->_print($r->{Cgi}->header($r->_cgi_header_args($cookie)), $r->_ch('gen_start_html',$title), - (join "\n", @body), - $r->_ch('gen_end_html')); + (join "\n", (@body, + $r->_ch('gen_footer_html'), + $r->_ch('gen_end_html')))); return 0; } @@ -752,19 +1135,19 @@ sub _random ($$) { my $rsp = $r->{S}{random_source}; if (!$rsf) { $v->{RandomHandle} = $rsf = new IO::File $rsp, '<' or die "$rsp $!"; -print STDERR "RH $rsf\n"; +#print STDERR "RH $rsf\n"; } my $bin; $!=0; read($rsf,$bin,$bytes) == $bytes or die "$rsp $!"; my $out = unpack "H*", $bin; - print STDERR "_random out $out\n"; +#print STDERR "_random out $out\n"; return $out; } sub _random_key ($) { my ($r) = @_; - print STDERR "_random_key\n"; +#print STDERR "_random_key\n"; my $bytes = ($r->{S}{secretbits} + 7) >> 3; return $r->_random($bytes); } @@ -786,28 +1169,28 @@ sub _open_keys ($) { my ($r) = @_; my $spath = $r->_get_path('keys'); for (;;) { - print STDERR "_open_keys\n"; +#print STDERR "_open_keys\n"; my $keys = new IO::File $spath, 'r+'; if ($keys) { - print STDERR "_open_keys open\n"; +#print STDERR "_open_keys open\n"; stat $keys or die $!; # NB must not disturb stat _ my $size = (stat _)[7]; my $age = time - (stat _)[9]; - print STDERR "_open_keys open size=$size age=$age\n"; +#print STDERR "_open_keys open size=$size age=$age\n"; return $keys if $size && $age <= $r->{S}{key_rollover} / 2; - print STDERR "_open_keys open bad\n"; +#print STDERR "_open_keys open bad\n"; } # file doesn't exist, or is empty or too old if (!$keys) { - print STDERR "_open_keys closed\n"; +#print STDERR "_open_keys closed\n"; die "$spath $!" unless $!==&ENOENT; # doesn't exist, so create it just so we can lock it $keys = new IO::File $spath, 'a+'; die "$keys $!" unless $keys; stat $keys or die $!; # NB must not disturb stat _ my $size = (stat _)[7]; - print STDERR "_open_keys created size=$size\n"; +#print STDERR "_open_keys created size=$size\n"; next if $size; # oh someone else has done it, reopen and read it } # file now exists is empty or too old, we must try to replace it @@ -815,23 +1198,23 @@ sub _open_keys ($) { flock $keys, LOCK_EX or die "$spath $!"; stat $spath or die "$spath $!"; my $path_inum = (stat _)[1]; - print STDERR "_open_keys locked our=$our_inum path=$path_inum\n"; +#print STDERR "_open_keys locked our=$our_inum path=$path_inum\n"; next if $our_inum != $path_inum; # someone else has done it # We now hold the lock! - print STDERR "_open_keys creating\n"; +#print STDERR "_open_keys creating\n"; my $newkeys = new IO::Handle; sysopen $newkeys, "$spath.new", O_CREAT|O_TRUNC|O_WRONLY, 0600 or die "$spath.new $!"; # we add the new key to the front which means it's always sorted print $newkeys time, ' ', $r->_random_key(), "\n" or die $!; while (my ($gen,$key,$line) = $r->_read_key($keys)) { - print STDERR "_open_keys copy1\n"; +#print STDERR "_open_keys copy1\n"; print $newkeys, $line or die $!; } $keys->error and die $!; close $newkeys or die "$spath.new $!"; rename "$spath.new", "$spath" or die "$spath: $!"; - print STDERR "_open_keys installed\n"; +#print STDERR "_open_keys installed\n"; # that rename effective unlocks, since it makes the name refer # to the new file which we haven't locked # we go round again opening the file at the beginning @@ -841,7 +1224,7 @@ sub _open_keys ($) { sub _fresh_secret ($) { my ($r) = @_; - print STDERR "_fresh_secret\n"; +#print STDERR "_fresh_secret\n"; my $keys = $r->_open_keys(); my ($keyt, $key) = $r->_read_key($keys); @@ -853,7 +1236,7 @@ sub _fresh_secret ($) { my $signature = $r->_hmac($key, $message); my $secret = "$keyt.$signature.$message"; - print STDERR "FRESH $secret\n"; +#print STDERR "FRESH $secret\n"; return $secret; } @@ -861,11 +1244,11 @@ sub _hmac ($$$) { my ($r, $keyhex, $message) = @_; my $keybin = pack "H*", $keyhex; my $alg = $r->{S}{hash_algorithm}; -print STDERR "hmac $alg\n"; +#print STDERR "hmac $alg\n"; my $base = new Digest $alg; -print STDERR "hmac $alg $base\n"; +#print STDERR "hmac $alg $base\n"; my $digest = new Digest::HMAC $keybin, $base; -print STDERR "hmac $alg $base $digest\n"; +#print STDERR "hmac $alg $base $digest\n"; $digest->add($message); return $digest->hexdigest(); } @@ -873,7 +1256,7 @@ print STDERR "hmac $alg $base $digest\n"; sub hash ($$) { my ($r, $message) = @_; my $alg = $r->{S}{hash_algorithm}; -print STDERR "hash $alg"; +#print STDERR "hash $alg\n"; my $digest = new Digest $alg; $digest->add($message); return $digest->hexdigest(); @@ -884,12 +1267,60 @@ sub _assert_checked ($) { die "unchecked" unless exists $r->{Divert}; } +sub _is_post ($) { + my ($r) = @_; + my $meth = $r->_ch('get_method'); + return $meth eq 'POST'; +} + +sub _must_be_post ($) { + my ($r) = @_; + my $meth = $r->_ch('get_method'); + die "mutating non-POST" if $meth ne 'POST'; +} + sub check_mutate ($) { my ($r) = @_; $r->_assert_checked(); die if $r->{Divert}; - my $meth = $r->_ch('get_method'); - die "mutating non-POST" if $meth ne 'POST'; + $r->_must_be_post(); +} + +sub mutate_ok ($) { + my ($r) = @_; + $r->_assert_checked(); + die if $r->{Divert}; + return $r->_is_post(); +} + +our %_resource_get_needs_secret_hidden = + (map { $_ => 0 } qw(PAGE FRAME IFRAME SRCDUMP STYLESHEET FAVICON ROBOTS), + map { $_ => 1 } qw(IMAGE SCRIPT AJAX-XML AJAX-JSON AJAX-OTHER)); + +sub update_get_need_add_hidden ($$) { + my ($r, $reqtype, $value) = @_; + my $hash = ref $r + ? ($r->{GetNeedsSecretHidden} ||= { }) + : \%_resource_get_needs_secret_hidden; + $hash->{$reqtype} = $value; +} + +sub need_add_hidden ($$) { + my ($r, $method, $reqtype) = @_; + return 1 if $method ne 'GET'; + my $ent = $r->{GetNeedsSecretHidden}{$reqtype}; + return $ent if defined $ent; + my $ent = $_resource_get_needs_secret_hidden{$reqtype}; + return $ent if defined $ent; + die "unsupported nonpage GET type $reqtype"; +} + +sub check_nonpage ($$) { + my ($r, $reqtype) = @_; + $r->_assert_checked(); + return unless $r->resource_get_needs_secret_hidden($nonpagetype); + return if $r->{ParmT}; + die "missing hidden secret parameter on nonpage request $nonpagetype"; } #---------- output ---------- @@ -903,7 +1334,7 @@ sub secret_cookie_val ($) { sub secret_hidden_val ($) { my ($r) = @_; $r->_assert_checked(); - return defined $r->{AssocSecret} ? r->hash($r->{AssocSecret}) : ''; + return defined $r->{AssocSecret} ? $r->hash($r->{AssocSecret}) : ''; } sub secret_hidden_html ($) { @@ -922,40 +1353,4 @@ sub secret_cookie ($) { return $cookv; } -__END__ - -=head1 NAME - -CGI::Auth::Flexible - web authentication optionally using cookies - -=head1 SYNOPSYS - - my $verifier = CGI::Auth::Flexible->new_verifier(setting => value,...); - my $authreq = $verifier->new_request($cgi_request_object); - - my $authreq = CGI::Auth::Flexible->new_request($cgi_request_object, - setting => value,...); - -=head1 USAGE PATTERN FOR SIMPLE APPLICATIONS - - $authreq->check_ok() or return; - - blah blah blah - $authreq->check_mutate(); - blah blah blah - -=head1 USAGE PATTERN FOR FANCY APPLICATIONS - - my $divert_kind = $authreq->check_divert(); - if ($divert_kind) { - if ($divert_kind eq 'LOGGEDOUT') { - print "goodbye you are now logged out" and quit - } elsif ($divert_kind eq 'NOCOOKIES') { - print "you need cookies" and quit - ... etc. - } - } - - blah blah blah - $authreq->check_mutate(); - blah blah blah +1;