X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=cgi-auth-hybrid.pm;h=ec44c7a52816469be2e90d18a5892b835a31ec7f;hp=27cf367d64cbb8f17359e755f0cd818cc8555eae;hb=2ef4865c1dd278a4c1226c8cb81416a6fff9e74c;hpb=60a18a794dd5345198d4fd23a6a863453e614c1d diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm index 27cf367..ec44c7a 100644 --- a/cgi-auth-hybrid.pm +++ b/cgi-auth-hybrid.pm @@ -2,6 +2,7 @@ # This is part of CGI::Auth::Hybrid, a perl CGI authentication module. # Copyright (C) 2012 Ian Jackson. +# Copyright (C) 2012 Citrix. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by @@ -16,6 +17,12 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . +use strict; +use warnings; + +package CGI::Auth::Hybrid; +require Exporter; + BEGIN { use Exporter (); our ($VERSION, @ISA, @EXPORT, @EXPORT_OK, %EXPORT_TAGS); @@ -31,27 +38,38 @@ our @EXPORT_OK; use DBI; use CGI; -use Locale::Gettext; +use Locale::gettext; + +#---------- public utilities ---------- + +sub flatten_params ($) { + my ($p) = @_; + my @p; + foreach my $k (keys %$p) { + foreach my $v (@{ $p->{$k} }) { + push @p, $k, $v; + } + } + return @p; +} #---------- default callbacks ---------- sub has_a_param ($$) { my ($c,$cn) = @_; foreach my $pn (@{ $r->{S}{$cn} }) { - return 1 if $r->_cm('get_param')($pn); + return 1 if $r->_cm('get_param',$pn); } return 0; } -sub get_param_list ($$) { +sub get_params ($$) { my ($c) = @_; - my @p = ( ); + my %p; foreach my $name ($c->param()) { - foreach my $val ($c->param($name)) { - push @p, $name, $val; - } + $p{$name} = [ $c->param($name) ]; } - return @p; + return \%p; } sub get_cookie_domain ($$$) { @@ -61,13 +79,21 @@ sub get_cookie_domain ($$$) { } sub construct_cookie ($$$) { - my ($c, $r, $cookv) = @_; - return $c->cookie(-name => $r->{S}{cookie_name}, - -value => $cookv, - -path => $r->{S}{cookie_path}, - -domain => $r->_ch('get_cookie_domain'), - -expires => '+'.$r->{S}{login_timeout}.'s', - -secure => $r->{S}{encrypted_only}); + my ($r, $cookv) = @_; + return $r->{Cgi}->cookie(-name => $r->{S}{cookie_name}, + -value => $cookv, + -path => $r->{S}{cookie_path}, + -domain => $r->_ch('get_cookie_domain'), + -expires => '+'.$r->{S}{login_timeout}.'s', + -secure => $r->{S}{encrypted_only}); +} + +sub login_ok_password ($$) { + my ($c, $r) = @_; + my $username_params = $r->{S}{username_param_names}; + my $username = $r->_ch('get_param',$username_params->[0]); + my $password = $r->_rp('password_param_name'); + return $r->_ch('username_password_ok', $username, $password); } sub do_redirect_cgi ($$$$) { @@ -77,7 +103,7 @@ sub do_redirect_cgi ($$$$) { -location => $new_url); push @ha, (-cookie => $cookie) if defined $cookie; $r->_print($c->header(@ha), - $r->_ch('gen_start_html')($r->_gt('Redirection')), + $r->_ch('gen_start_html',$r->_gt('Redirection')), '', $r->_gt("If you aren't redirected, click to continue."), "", @@ -85,26 +111,49 @@ sub do_redirect_cgi ($$$$) { } sub gen_plain_login_form ($$) { - my ($c,$r) = @_; + my ($c,$r, $params) = @_; my @form; - push @form, ('
{S}{form_entry_size}.'"'; foreach my $up (@{ $r->{S}{username_param_names}}) { - push @form, ''.$r-> - push @form - ''. - '' - ''. + push @form, ('', + ''); + } + push @form, ('', + ''); + push @form, ('', + '
',$r->_gt(ucfirst $up),'
'.$r->_gt('Password'),'
', + '
'); + foreach my $n (keys %$params) { + push @form, (''); + } + push @form, ('
'); + return join "\n", @form; +} + +sub gen_login_link ($$) { + my ($c,$r, $params) = @_; + my $url = $r->url_with_query_params($params); + return (''. + $r->_gt('Log in again to continue.'). + ''); +} #---------- verifier object methods ---------- sub new_verifier { my $class = shift; - my $s = { + my $verifier = { S => { - assocdb_path => 'cah-assocs.db'; + assocdb_path => 'cah-assocs.db', assocdb_dsn => undef, assocdb_user => '', assocdb_password => '', @@ -117,15 +166,17 @@ sub new_verifier { username_param_names => [qw(username)], form_entry_size => 60, logout_param_names => [qw(cah_logout)], + login_submit_name => [qw(cah_login)], loggedout_param_names => [qw(cah_loggedout)], promise_check_mutate => 0, get_param => sub { $_[0]->param($_[2]) }, - get_param_list => sub { $_[1]->get_param_list() }, + get_params => sub { $_[1]->get_params() }, get_cookie => sub { $_[0]->cookie($s->{S}{cookie_name}) }, get_method => sub { $_[0]->request_method() }, get_url => sub { $_[0]->url(); }, is_login => sub { defined $_[1]->_rp('password_param_name') }, - login_ok => sub { die }, + login_ok => \&login_ok_password, + username_password_ok => sub { die }, is_logout => sub { $_[1]->has_a_param('logout_param_names') }, is_loggedout => sub { $_[1]->has_a_param('loggedout_param_names') }, is_page => sub { return 1 }, @@ -137,8 +188,8 @@ sub new_verifier { gen_start_html => sub { $_[0]->start_html($_[2]); }, gen_end_html => sub { $_[0]->end_html(); }, gen_login_form => \&gen_plain_login_form, + gen_login_link => \&gen_plain_login_link, gettext => sub { gettext($_[2]); }, - }; }, Dbh => undef, }; @@ -147,38 +198,45 @@ sub new_verifier { die "unknown setting $k" unless exists $s->{S}{$k}; $s->{S}{$k} = $v; } - bless $s, $class; - $s->_dbopen(); - return $s; + bless $verifier, $class; + $verifier->_dbopen(); + return $verifier; } sub _dbopen ($) { - my ($s) = @_; - my $dbh = $s->{Dbh}; + my ($v) = @_; + my $dbh = $v->{Dbh}; return $dbh if $dbh; - $s->{S}{assocdb_dsn} ||= "dbi:SQLite:dbname=$s->{S}{assocdb_path}"; + $v->{S}{assocdb_dsn} ||= "dbi:SQLite:dbname=$v->{S}{assocdb_path}"; my $u = umask 077; - $dbh = DBI->open($s->{S}{assocdb_dsn}, $s->{S}{assocdb_user}, - $s->{S}{assocdb_password}, { - AutoCommit => 0, RaiseError => 1, - }); + $dbh = DBI->connect($v->{S}{assocdb_dsn}, $v->{S}{assocdb_user}, + $v->{S}{assocdb_password}, { + AutoCommit => 0, RaiseError => 1, + }); die "${assocdb_dsn} $! ?" unless $dbh; - $s->{Dbh} = $dbh; + $v->{Dbh} = $dbh; $dbh->do("BEGIN"); eval { - $dbh->do("CREATE TABLE $s->{S}{assocdb_table} (". + $dbh->do("CREATE TABLE $v->{S}{assocdb_table} (". " associdh VARCHAR PRIMARY KEY,". " username VARCHAR,". - " last INTEGER NOT NULL" + " last INTEGER NOT NULL". ")"); }; return $dbh; } +sub disconnect ($) { + my ($v) = @_; + my $dbh = $v->{Dbh}; + return unless $dbh; + $dbh->disconnect(); +} + #---------- request object methods ---------- sub new_request { @@ -189,6 +247,7 @@ sub new_request { die if @extra; } my $r = { + V => $classbase, S => $classbase->{S}, Dbh => $classbase->{Dbh}, Cgi => $cgi, @@ -208,8 +267,8 @@ sub _rp ($$@) { my $p = scalar $r->_ch('get_param',$pn) } -sub _gt ($$) { my ($r, $t) = @_; return $r->_ch('gettext')($t); } -sub _print ($$) { my ($r, @t) = @_; return $r->_ch('print')(join '', @t); } +sub _gt ($$) { my ($r, $t) = @_; return $r->_ch('gettext',$t); } +sub _print ($$) { my ($r, @t) = @_; return $r->_ch('print', join '', @t); } # pages/param-sets are # n normal non-mutating page @@ -318,7 +377,6 @@ sub _print ($$) { my ($r, @t) = @_; return $r->_ch('print')(join '', @t); } # fail sub _check_divert_core ($) { -fixme needs wrapping with something to make and commit a transaction my ($r) = @_; my $meth = $r->_ch('get_method'); @@ -335,8 +393,8 @@ fixme needs wrapping with something to make and commit a transaction $r->_db_revoke($parmv); return ({ Kind => 'REDIRECT-LOGGEDOUT', Message => "Logging out...", - Cookie => '', - Params => [ ] }); + CookieVal => '', + Params => { } }); } if ($r->_ch('is_loggedout')) { die unless $meth eq 'GET'; @@ -344,35 +402,35 @@ fixme needs wrapping with something to make and commit a transaction die unless $parmt; return ({ Kind => 'SMALLPAGE-LOGGEDOUT', Message => "You have been logged out.", - Cookie => '', - Params => [ ] }); + CookieVal => '', + Params => { } }); } if ($r->_ch('is_login')) { $r->_must_be_post(); return ({ Kind => 'LOGIN-STALE', Message => "Stale session; you need to log in again.", - Cookie => $r->_fresh_cookie(), - Params => [ ] }) + CookieVal => $r->_fresh_cookie(), + Params => { } }) if $parmt eq 'n'; die unless $parmt eq 't' || $parmt eq 'y'; return ({ Kind => 'SMALLPAGE-NOCOOKIE', Message => "You do not seem to have cookies enabled. ". "You must enable cookies as we use them for login.", - Cookie => $r->_fresh_cookie(), + CookieVal => $r->_fresh_cookie(), Params => $r->_chain_params() }) if !$cookt && $parmt eq 't'; + my $username = $r->_ch('login_ok'); return ({ Kind => 'LOGIN-BAD', Message => "Incorrect username/password.", - Cookie => $cookv, + CookieVal => $cookv, Params => $r->_chain_params() }) unless defined $username && length $username; $r->_db_revoke($cookv) if defined $cookv && !(defined $parmv && $cookv eq $parmv); - my $username = $r->_ch('login_ok'); $r->_db_record_login_ok($parmv,$username); return ({ Kind => 'REDIRECT-LOGGEDIN', Message => "Logging in...", - Cookie => $parmv, + CookieVal => $parmv, Params => $r->_chain_params() }); } if ($cookt eq 't') { @@ -391,13 +449,13 @@ fixme needs wrapping with something to make and commit a transaction if ($meth eq 'GET') { return ({ Kind => 'LOGIN-INCOMINGLINK', Message => "You need to log in again.", - Cookie => $parmv, + CookieVal => $parmv, Params => $r->_chain_params() }); } else { - return ((Kind => 'LOGIN-FRESH', - Message => "You need to log in again.", - Cookie => $parmv, - Params => [ ]); + return ({ Kind => 'LOGIN-FRESH', + Message => "You need to log in again.", + CookieVal => $parmv, + Params => { } }); } } @@ -405,8 +463,8 @@ fixme needs wrapping with something to make and commit a transaction if ($meth ne 'POST') { return ({ Kind => 'MAINPAGEONLY', Message => 'Entering via cross-site link.', - Cookie => $cookv, - Params => [ ] }); + CookieVal => $cookv, + Params => { } }); # NB caller must then ignore params & path! # if this is too hard they can spit out a small form # with a "click to continue" @@ -416,13 +474,14 @@ fixme needs wrapping with something to make and commit a transaction die unless $cookt eq 'y'; die unless $parmt eq 'y'; die unless $cookv eq $parmv; + $r->{Assoc} = $cookv; $r->{UserOK} = $cooku; return undef; } sub _chain_params ($) { my ($r) = @_; - my %elim = { }; + my %p = %{ $r->_ch('get_params') }; foreach my $pncn (keys %{ $r->{S} }) { if ($pncn =~ m/_param_name$/) { my $name = $r->{S}{$pncn}; @@ -434,18 +493,10 @@ sub _chain_params ($) { next; } foreach my $param (@$names) { - $elim{$name} = 1; + delete $p{$name}; } } - my @p = $r->_ch('get_param_list'); - my ($name,$val); - my @q = (); - while (@p) { - ($name,$val,@p) = @p; - next if $elim{$name}; - push @q, $name, $val; - } - return @q; + return \%p; } sub _db_lookup ($$) { @@ -488,147 +539,140 @@ sub _db_record_login_ok ($$$) { $v, $user, time); } -sub url_with_query_params ($@) { - my ($r, @params) = @_; +sub check_divert ($) { + my ($r) = @_; + my $divert; + if (exists $r->{Divert}) { + return $r->{Divert}; + } + $dbh->do("BEGIN"); + if (!eval { + $divert = $r->_check_divert_core(); + 1; + }) { + $dbh->do("ABORT"); + die $@; + } + $r->{Divert} = $divert; + $dbh->do("COMMIT"); + return $divert; +} + +sub get_divert ($) { + my ($r) = @_; + die "unchecked" unless exists $r->{Divert}; + return $r->{Divert}; +} + +sub get_username ($) { + my ($r) = @_; + my $divert = $r->get_divert(); + return undef if $divert; + return $r->{UserOK}; +} + +sub url_with_query_params ($$) { + my ($r, $params) = @_; my $uri = URI->new($r->_ch('get_url')); - $uri->query_form(\@params); + $uri->query_form(flatten_params($params)); return $uri->as_string(); } sub check_ok ($) { my ($r) = @_; - my ($divert) = $authreq->check_divert(); + my ($divert) = $r->check_divert(); return 1 if $divert; - my $handled = $r->_ch('handle_divert')($divert); + my $handled = $r->_ch('handle_divert',$divert); return 0 if $handled; my $kind = $divert->{Kind}; - my $cookie = $divert->{Cookie}; + my $cookieval = $divert->{CookieVal}; my $params = $divert->{Params}; if ($kind =~ m/^REDIRECT-/) { # for redirects, we honour stored NextParams and SetCookie, # as we would for non-divert if ($divert_kind eq 'REDIRECT-LOGGEDOUT') { - push @$params, $r->{S}{cah_loggedout}[0], 1; + $params{$r->{S}{loggedout_param_names}[0]} = 1; } elsif ($divert_kind eq 'REDIRECT-LOGOUT') { - push @$params, $r->{S}{cah_logout}[0], 1; + $params{$r->{S}{logout_param_names}[0]} = 1; } elsif ($divert_kind eq 'REDIRECT-LOGGEDIN') { } else { die; } - my $new_url = $r->url_with_query_params(@$params); - $r->_ch('do_redirect')($new_url, $cookie); + my $new_url = $r->url_with_query_params($params); + my $cookie = $r->construct_cookie($r, $cookieval); + $r->_ch('do_redirect',$new_url, $cookie); return 0; } - $kind =~ m/^SMALLPAGE|^LOGIN/ or die; my ($title, @body); if ($kind =~ m/^LOGIN-/) { $title = $r->_gt('Login'); push @body, $r->_gt($divert->{Message}); - push @body, $r->_ch('gen_login_form'); - $body .= $r->_ch( - - $r->_print( - $r->_ch('start_html')($title), - - - - if ($kind =~ m/^SMALLPAGE - -if (defined $cookie) { - $r->_ch('header_out')($cookie); + push @body, $r->_ch('gen_login_form', $params); + } elsif ($kind =~ m/^SMALLPAGE-/) { + $title = $r->_gt('Not logged in'); + push @body, $r->_gt($divert->{Message}); + push @body, $r->_ch('gen_login_link'); + } else { + die $kind; } - -UP TO HERE -sub record_login ($$) { - my ($r,$nusername) = @_; - my $rsp = $r->{S}{random_source}; - my $rsf = new IO::File $rsp, '<' or die "$rsp $!"; - my $bytes = ($r->{S}{associdlen} + 7) >> 3; - my $nassocbin; - $!=0; - read($rsf,$nassocbin,$bytes) == $bytes or die "$rsp $!"; - close $rsf; - my $nassoc = unpack "H*", $nassocbin; - my $dbh = $r->{Dbh}; - $dbh->do("INSERT INTO $r->{S}{assocdb_table}". - " (associd, username, last) VALUES (?,?,?)", {}, - $nassoc, $nusername, time); - $dbh->do("COMMIT"); - $r->{U} = $nusername; - $r->{A} = $nassoc; + $r->_print($r->_ch('start_html',$title), + @body, + $r->_ch('end_html')); + return 0; } -sub _check ($) { - my ($r) = @_; - - return if exists $r->{Username}; - ($r->{Username}, $r->{Assoc}, $r->{Mutate}) = $r->_check(); - - if (defined $r->{Assoc}) { - $dbh->do("UPDATE $r->{S}{assocdb_table}". - " SET last = ?". - " WHERE associd = ?", {}, time, $nassoc); - $dbh->do("COMMIT"); +sub _random ($$) { + my ($r, $bytes) = @_; + my $v = $r->{V}; + if (!$v->{RandomHandle}) { + my $rsp = $r->{S}{random_source}; + my $rsf = new IO::File $rsp, '<' or die "$rsp $!"; + $v->{RandomHandle} = $rsf; } + my $bin; + $!=0; + read($rsf,$bin,$bytes) == $bytes or die "$rsp $!"; + close $rsf; + return unpack "H*", $bin; } -sub logout ($) { - my ($r) = @_; - - my ($nusername, $nassoc, $nmutate) = $r->_check(); - return undef unless $nmutate; - $dbh->do("DELETE FROM $r->{S}{assocdb_table}". - " WHERE associd = ?", {}, $nassoc); - $dbh->do("COMMIT"); - return $nusername; -} - -sub check ($) { +sub _fresh_cookie ($) { my ($r) = @_; - $r->_check(); - return !!defined $r->{Username}; + my $bytes = ($r->{S}{associdlen} + 7) >> 3; + return $r->_random($bytes); } sub check_mutate ($) { my ($r) = @_; - $r->check(); - return $r->{Mutate}; + die "unchecked" unless exists $r->{Divert}; + die if $r->{Divert}; + my $meth = $r->_ch('get_method'); + die "mutating non-POST" if $meth ne 'POST'; } -sub username ($) { - my ($r) = @_; - $r->check(); - return $r->{Username}; +#---------- output ---------- -sub hidden_val ($) { +sub secret_val ($) { my ($r) = @_; $r->check(); return defined $r->{Assoc} ? $r->{Assoc} : ''; } -#---------- simple wrappers ---------- - -sub hidden_hargs ($) { - my ($r) = @_; - return (-name => $r->{S}{param_name}, - -default => $r->hidden_val()); -} - -sub hidden_html ($) { +sub secret_hidden_html ($) { my ($r) = @_; - return hidden($r->hidden_hargs()); + return $r->{Cgi}->hidden(-name => $r->{S}{assoc_param_name}, + -default => $r->secret_val()); } -sub cookiea_cargs ($) { +sub secret_cookie ($) { my ($r) = @_; - return (-name => $r->{S}{cookie_name}, - -value => hidden_val()); + return $r->construct_cookie($r->secret_val()); } __END__ @@ -650,7 +694,7 @@ CGI::Auth::Hybrid - web authentication optionally using cookies $authreq->check_ok() or return; blah blah blah - $authreq->mutating(); + $authreq->check_mutate(); blah blah blah =head1 USAGE PATTERN FOR FANCY APPLICATIONS @@ -665,3 +709,6 @@ CGI::Auth::Hybrid - web authentication optionally using cookies } } + blah blah blah + $authreq->check_mutate(); + blah blah blah