X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=cgi-auth-hybrid.pm;h=21a8fb523e875ef82339283e2de05542ca332edf;hp=0617881eb1b81224a29301660c5ed3ba1fd24f46;hb=5a7abf23fbc32d553a0e9369f6827f1b83c2ab43;hpb=b317fbd689b5ef362192025f797da0d451105f8e

diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm
index 0617881..21a8fb5 100644
--- a/cgi-auth-hybrid.pm
+++ b/cgi-auth-hybrid.pm
@@ -37,8 +37,11 @@ BEGIN {
 our @EXPORT_OK;
 
 use DBI;
-use CGI;
+use CGI qw/escapeHTML/;
 use Locale::gettext;
+use URI;
+use IO::File;
+use Data::Dumper;
 
 #---------- public utilities ----------
 
@@ -56,16 +59,17 @@ sub flatten_params ($) {
 #---------- default callbacks ----------
 
 sub has_a_param ($$) {
-    my ($c,$r,$cn) = @_;
+    my ($r,$cn) = @_;
     foreach my $pn (@{ $r->{S}{$cn} }) {
-	return 1 if $r->_cm('get_param',$pn);
+	return 1 if $r->_ch('get_param',$pn);
     }
     return 0;
 }
 
-sub get_params ($$) {
-    my ($c,$r) = @_;
+sub get_params ($) {
+    my ($r) = @_;
     my %p;
+    my $c = $r->{Cgi};
     foreach my $name ($c->param()) {
 	$p{$name} = [ $c->param($name) ];
     }
@@ -88,11 +92,9 @@ sub login_ok_password ($$) {
 
 sub do_redirect_cgi ($$$$) {
     my ($c, $r, $new_url, $cookie) = @_;
-    my @ha = ('text/html',
-	      -status => '303 See other',
-	      -location => $new_url);
-    push @ha, (-cookie => $cookie) if defined $cookie;
-    $r->_print($c->header(@ha),
+    $r->_print($c->header($r->_cgi_header_args($cookie,
+					       -status => '303 See other',
+					       -location => $new_url)),
 	       $r->_ch('gen_start_html',$r->_gt('Redirection')),
 	       '<a href="'.escapeHTML($new_url).'">',
 	       $r->_gt("If you aren't redirected, click to continue."),
@@ -104,20 +106,20 @@ sub gen_plain_login_form ($$) {
     my ($c,$r, $params) = @_;
     my @form;
     push @form, ('<form method="POST" action="'.
-		 escapeHTML($r->_ch('get_url')).'>'.
+		 escapeHTML($r->_ch('get_url')).'">'.
 		 '<table>');
     my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
     foreach my $up (@{ $r->{S}{username_param_names}}) {
 	push @form, ('<tr><td>',$r->_gt(ucfirst $up),'</td>',
-		     '<td><input type="text" ',$sz.
-		     ' name=',$up,'></td></tr>');
+		     '<td><input type="text" '.$sz.
+		     ' name='.$up.'></td></tr>');
     }
     push @form, ('<tr><td>'.$r->_gt('Password'),'</td>',
 		 '<td><input type="password" '.$sz.
 		 ' name="'.$r->{S}{password_param_name}.'"></td></tr>');
     push @form, ('<tr><td colspan="2">',
 		 '<input type="submit"'.
-		 ' name="'.$r->{S}{login_submit_name}.'"'.
+		 ' name="'.$r->{S}{login_submit_name}[0].'"'.
 		 ' value="'.$r->_gt('Login').'"></td></tr>',
 		 '</table>');
     foreach my $n (keys %$params) {
@@ -152,6 +154,7 @@ sub new_verifier {
 	    associdlen => 128, # bits
 	    login_timeout => 86400, # seconds
 	    assoc_param_name => 'cah_associd',
+	    cookie_name => "cah_associd",
 	    password_param_name => 'password',
 	    username_param_names => [qw(username)],
 	    form_entry_size => 60,
@@ -174,12 +177,13 @@ sub new_verifier {
 	    do_redirect => \&do_redirect_cgi, # this hook is allowed to throw
 	    cookie_path => "/",
 	    get_cookie_domain => \&get_cookie_domain,
-	    encrypted_only => 0,
+	    encrypted_only => 1,
 	    gen_start_html => sub { $_[0]->start_html($_[2]); },
 	    gen_end_html => sub { $_[0]->end_html(); },
 	    gen_login_form => \&gen_plain_login_form,
 	    gen_login_link => \&gen_plain_login_link,
 	    gettext => sub { gettext($_[2]); },
+	    print => sub { print $_[2] or die $!; },
 	},
 	Dbh => undef,
     };
@@ -204,15 +208,18 @@ sub _dbopen ($) {
     my $u = umask 077;
     $dbh = DBI->connect($dsn, $v->{S}{assocdb_user}, 
                         $v->{S}{assocdb_password}, { 
-                            AutoCommit => 0, RaiseError => 1,
+                            AutoCommit => 0,
+                            RaiseError => 1,
+                            ShowErrorStatement => 1,
                         });
     die "$dsn $! ?" unless $dbh;
     $v->{Dbh} = $dbh;
 
     eval {
-	$r->_db_transaction(sub {
+	$v->_db_transaction(sub {
+            local ($dbh->{PrintError}) = 0;
 	    $dbh->do("CREATE TABLE $v->{S}{assocdb_table} (".
-		     " associdh VARCHAR PRIMARY KEY,".
+		     " associd VARCHAR PRIMARY KEY,".
 		     " username VARCHAR,".
 		     " last INTEGER NOT NULL".
 		     ")");
@@ -229,25 +236,35 @@ sub disconnect ($) {
 }
 
 sub _db_transaction ($$) {
-    my ($r, $fn) = @_;
+    my ($v, $fn) = @_;
     my $retries = 10;
     my $rv;
     my $dbh = $v->{Dbh};
+print STDERR "DT entry\n";
     for (;;) {
+print STDERR "DT loop\n";
 	if (!eval {
 	    $rv = $fn->();
+print STDERR "DT fn ok\n";
 	    1;
 	}) {
+print STDERR "DT fn error\n";
 	    { local ($@); $dbh->rollback(); }
+print STDERR "DT fn throwing\n";
 	    die $@;
 	}
+print STDERR "DT fn eval ok\n";
 	if (eval {
 	    $dbh->commit();
+print STDERR "DT commit ok\n";
 	    1;
 	}) {
+print STDERR "DT commit eval ok $rv\n";
 	    return $rv;
 	}
+print STDERR "DT commit throw?\n";
 	die $@ if !--$retries;
+print STDERR "DT loop again\n";
     }
 }
 
@@ -272,6 +289,7 @@ sub new_request {
 sub _ch ($$@) { # calls an application hook
     my ($r,$methname, @args) = @_;
     my $methfunc = $r->{S}{$methname};
+    die "$methname ?" unless $methfunc;
     return $methfunc->($r->{Cgi}, $r, @args);
 }
 
@@ -286,12 +304,17 @@ sub _print ($$) { my ($r, @t) = @_; return $r->_ch('print', join '', @t); }
 
 sub construct_cookie ($$$) {
     my ($r, $cookv) = @_;
-    return $r->{Cgi}->cookie(-name => $r->{S}{cookie_name},
+    return undef unless $cookv;
+    my $c = $r->{Cgi};
+my @ca = (-name => $r->{S}{cookie_name},
                              -value => $cookv,
                              -path => $r->{S}{cookie_path},
                              -domain => $r->_ch('get_cookie_domain'),
                              -expires => '+'.$r->{S}{login_timeout}.'s',
                              -secure => $r->{S}{encrypted_only});
+    my $cookie = $c->cookie(@ca);
+print STDERR "CC $r $c $cookv $cookie (@ca).\n";
+    return $cookie;
 }
 
 # pages/param-sets are
@@ -309,7 +332,7 @@ sub construct_cookie ($$$) {
 #    y, yN     value corresponds to logged-in user
 #    n, nN     value not in our db
 #    x, xN     t or y
-#    -         no value supplied
+#    -         no value supplied (represented in code as $cookt='')
 # if N differs the case applies only when the two values differ
 # (eg,   a1 y2   does not apply when the logged-in value is supplied twice)
 
@@ -388,8 +411,9 @@ sub construct_cookie ($$$) {
     #                           revoke y2
     #                           treat as   -/n n POST
     #
-    #  -/n n   GET   n        cross-site link but user not logged in
+    #  -/n -/n GET   n        cross-site link but user not logged in
     #                           show login form with redirect to orig params
+    #                           generate fresh cookie
     #
     #  -/n n   GET    rmu     user not logged in
     #                           fail
@@ -410,6 +434,8 @@ sub _check_divert_core ($) {
     my ($cookt,$cooku) = $r->_db_lookup($cookv);
     my $parmt = $r->_db_lookup($parmv);
 
+    print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n";
+
     if ($r->_ch('is_logout')) {
 	$r->_must_be_post();
 	die unless $parmt;
@@ -470,15 +496,17 @@ sub _check_divert_core ($) {
     if ($cookt ne 'y') {
 	die unless !$cookt || $cookt eq 'n';
 	die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
+	my $newv = $r->_fresh_cookie();
 	if ($meth eq 'GET') {
 	    return ({ Kind => 'LOGIN-INCOMINGLINK',
 		      Message => "You need to log in again.",
-		      CookieVal => $parmv,
+		      CookieVal => $newv,
 		      Params => $r->_chain_params() });
 	} else {
+	    $r->_db_revoke($parmv);
 	    return ({ Kind => 'LOGIN-FRESH',
                       Message => "You need to log in again.",
-                      CookieVal => $parmv,
+                      CookieVal => $newv,
                       Params => { } });
 	}
     }
@@ -500,6 +528,7 @@ sub _check_divert_core ($) {
     die unless $cookv eq $parmv;
     $r->{Assoc} = $cookv;
     $r->{UserOK} = $cooku;
+    print STDERR "C-D-C OK\n";
     return undef;
 }
 
@@ -568,14 +597,14 @@ sub _db_record_login_ok ($$$) {
 
 sub check_divert ($) {
     my ($r) = @_;
-    my $divert;
     if (exists $r->{Divert}) {
         return $r->{Divert};
     }
     my $dbh = $r->{Dbh};
     $r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); });
     $dbh->commit();
-    return $divert;
+    print STDERR Dumper($r->{Divert});
+    return $r->{Divert};
 }
 
 sub get_divert ($) {
@@ -598,11 +627,19 @@ sub url_with_query_params ($$) {
     return $uri->as_string();
 }
 
+sub _cgi_header_args ($$@) {
+    my ($r, $cookie, @ha) = @_;
+    unshift @ha, qw(-type text/html);
+    push @ha, (-cookie => $cookie) if defined $cookie;
+    print STDERR "_cgi_header_args ",join('|',@ha),".\n";
+    return @ha;
+}
+
 sub check_ok ($) {
     my ($r) = @_;
 
     my ($divert) = $r->check_divert();
-    return 1 if $divert;
+    return 1 if !$divert;
 
     my $handled = $r->_ch('handle_divert',$divert);
     return 0 if $handled;
@@ -610,6 +647,7 @@ sub check_ok ($) {
     my $kind = $divert->{Kind};
     my $cookieval = $divert->{CookieVal};
     my $params = $divert->{Params};
+    my $cookie = $r->construct_cookie($cookieval);
 
     if ($kind =~ m/^REDIRECT-/) {
 	# for redirects, we honour stored NextParams and SetCookie,
@@ -623,7 +661,6 @@ sub check_ok ($) {
 	    die;
 	}
 	my $new_url = $r->url_with_query_params($params);
-        my $cookie = $r->construct_cookie($r, $cookieval);
 	$r->_ch('do_redirect',$new_url, $cookie);
 	return 0;
     }
@@ -641,9 +678,10 @@ sub check_ok ($) {
 	die $kind;
     }
 
-    $r->_print($r->_ch('start_html',$title),
-	       @body,
-	       $r->_ch('end_html'));
+    $r->_print($r->{Cgi}->header($r->_cgi_header_args($cookie)),
+	       $r->_ch('gen_start_html',$title),
+	       (join "\n", @body),
+	       $r->_ch('gen_end_html'));
     return 0;
 }
 
@@ -659,18 +697,26 @@ sub _random ($$) {
     $!=0;
     read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
     close $rsf;
-    return unpack "H*", $bin;
+    my $out = unpack "H*", $bin;
+    print STDERR "_random out $out\n";
+    return $out;
 }
 
 sub _fresh_cookie ($) {
     my ($r) = @_;
+    print STDERR "_fresh_cookie\n";
     my $bytes = ($r->{S}{associdlen} + 7) >> 3;
     return $r->_random($bytes);
 }
 
-sub check_mutate ($) {
+sub _assert_checked ($) {
     my ($r) = @_;
     die "unchecked" unless exists $r->{Divert};
+}
+
+sub check_mutate ($) {
+    my ($r) = @_;
+    $r->_assert_checked();
     die if $r->{Divert};
     my $meth = $r->_ch('get_method');
     die "mutating non-POST" if $meth ne 'POST';
@@ -680,7 +726,7 @@ sub check_mutate ($) {
 
 sub secret_val ($) {
     my ($r) = @_;
-    $r->check();
+    $r->_assert_checked();
     return defined $r->{Assoc} ? $r->{Assoc} : '';
 }
 
@@ -692,7 +738,10 @@ sub secret_hidden_html ($) {
 
 sub secret_cookie ($) {
     my ($r) = @_;
-    return $r->construct_cookie($r->secret_val());
+#print STDERR "SC\n";
+    my $cookv = $r->construct_cookie($r->secret_val()); 
+#print STDERR "SC=$cookv\n";
+    return $cookv;
 }
 
 __END__