Apache-AuthTkt
my $cookie_fmt = "%s=%s%s%s%s";
my $path_elt = "; path=$arg{cookie_path}";
my $domain_elt = $arg{cookie_domain} ? "; domain=$arg{cookie_domain}" : '';
my $secure_elt = $arg{cookie_secure} ? "; secure" : '';
return sprintf $cookie_fmt,
$arg{cookie_name}, $ticket, $domain_elt, $path_elt, $secure_elt;
}
# Returns a hashref representing the original ticket components
# Returns undef if there were any errors
sub validate_ticket
{
my $self = shift;
my $ticket = shift || croak "No ticket passed to validate_ticket";
my %arg = ( %$self, @_ );
$arg{ip_addr} = $arg{ignore_ip} ? '0.0.0.0' : $ENV{REMOTE_ADDR}
unless exists $arg{ip_addr};
# 0 or undef ip_addr treated as 0.0.0.0
$arg{ip_addr} ||= '0.0.0.0';
# Parse ticket
my $info = $self->parse_ticket($ticket);
($parts->{tokens},$parts->{data}) = split m/!/, $extra, 2;
}
else {
$parts->{data} = $extra;
}
}
return $parts;
}
# Alias for compatibility with Jose/Ton's original patch:
# valid_ticket() is installed as a second name for validate_ticket() by
# assigning the code reference to the package glob, so both names call the
# same subroutine.
*valid_ticket = \&validate_ticket;
# A module file must end with a true value for require/use to succeed.
1;
__END__
=head1 NAME
Apache::AuthTkt - module to generate authentication tickets for
mod_auth_tkt apache module.
=head1 INTRODUCTION
Apache::AuthTkt is a module for generating and validating
authentication tickets used with the 'mod_auth_tkt' apache module.
Tickets are typically generated by a login web page of some kind
when a user has been authenticated. The ticket contains a username/uid
for the authenticated user, and often also the IP address they
authenticated from, a set of authorisation tokens, and any other user
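data required. The ticket also includes an MD5 hash of all the included
user data plus a shared secret (see DIGEST TYPES below for the other
digest types), so that tickets can be validated by mod_auth_tkt without
requiring access to the user repository. Anyone who holds the shared
secret can produce tickets that validate, so it must be kept confidential.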
See http://www.openfusion.com.au/labs/mod_auth_tkt for mod_auth_tkt
itself.
=head1 DESCRIPTION
=head2 CONSTRUCTOR
=item cookie_secure
Flag whether to set the 'secure' cookie flag, so that the cookie is
returned only in HTTPS contexts. Default: $at->require_ssl, or 0.
=back
=head2 TICKET PARSING AND VALIDATION
You may parse and validate existing tickets with the validate_ticket()
method. It takes as its first parameter the ticket to be validated, and
then an optional list of named parameter overrides
(e.g. ip_addr => 'x.x.x.x'). If the ticket is valid, validate_ticket
returns a hashref with the following key/value pairs:
=over 4
=item digest
=item ts
=item uid
=item tokens
=item data
=back
validate_ticket() will return undef if any errors with the ticket value
are encountered.
The validate_ticket() method algorithm is analogous to the function with
the same name in the mod_auth_tkt C module.
There is also a parse_ticket() method available that parses the ticket
without running it through the validation phase, and returns the same
data as validate_ticket(). Because parse_ticket() performs no validation,
the fields it returns may come from a forged or altered ticket, so it is
only safe to use where you are certain that the ticket has been validated
elsewhere. In general it's considerably safer to just use validate_ticket().
=head2 DIGEST TYPES
As of version 2.1.0, mod_auth_tkt supports multiple digest types. The
following digest_types are currently supported:
=over 4
=item MD5
README
AuthTkt.pm
t/01_basic.t
t/02_ticket.t
t/03_cookie.t
t/04_parse_conf.t
t/05_defaults.t
t/06_expires.t
t/07_mutator.t
t/08_ignore_ip.t
t/09_validate_ticket.t
t/10_digest.t
t/t01/mod_auth_tkt.conf
t/t02/complex1
t/t02/complex2
t/t02/defaults
t/t02/ignore_ip
t/t02/mod_auth_tkt.conf
t/t03/cookie_domain1
t/t03/cookie_domain2
t/t03/cookie_name
Apache::AuthTkt
==================
Apache::AuthTkt is a perl module used to generate and validate
authentication tickets used with the 'mod_auth_tkt' apache
authentication module. mod_auth_tkt is a lightweight cookie-based
authentication module written in C that is user repository agnostic
(i.e. not tied to ldap/pam/radius etc.), and supports single-signon
across multiple apaches and machines.
See http://www.openfusion.com.au/labs/mod_auth_tkt/ for details,
and the Apache::AuthTkt perldocs.
t/09_validate_ticket.t view on Meta::CPAN
# Default settings: only ts and base64 are passed to ticket(); everything
# else comes from $at's defaults (the assertions below expect uid 'guest'
# and empty tokens/data).
# When $TU is set, also print the ticket TktUtil builds for the same inputs
# (presumably a reference to compare against - TktUtil is defined outside
# this excerpt).
print TktUtil::get_auth_ticket(ts => $ts, base64 => 0, uid => 'guest', ip_addr => $ENV{REMOTE_ADDR}) . "\n" if $TU;
$ticket = $at->ticket(ts => $ts, base64 => 0);
report $ticket, 'defaults';
# The generated ticket must match the stored fixture exactly.
is($ticket, $result{defaults}, 'ticket using defaults ok');
# parse_ticket() is documented as skipping the validation phase, so these
# checks cover field extraction only; the digest is exercised by the
# validate_ticket() calls further down.
ok($parsed = $at->parse_ticket($ticket), 'parse ticket using defaults');
is($parsed->{uid}, 'guest', 'uid parsed');
is($parsed->{ts}, $ts, 'ts parsed');
is($parsed->{tokens}, '', "tokens ''");
is($parsed->{data}, '', "data ''");
# On the issuing object, validate_ticket() must return the same structure
# that parse_ticket() produced.
is_deeply($at->validate_ticket( $ticket ), $parsed, "MD5 checked");
# Negative case: an object with a different secret (per the test label; it is
# constructed outside this excerpt) must reject the ticket and return undef
# rather than any parsed data.
is($different_at->validate_ticket( $ticket ), undef, "Different secret so no data returned" );
# TKTAuthIgnoreIP tickets: ip_addr => 0 and ip_addr => undef are both
# expected to yield the same fixture ($result{ignore_ip}), i.e. the ticket
# is built as if the address were 0.0.0.0 (the TktUtil reference call below
# passes '0.0.0.0' explicitly).
# NOTE(review): a ticket issued this way is not tied to a client address, so
# the digest over the shared secret is the only check it has to pass.
print TktUtil::get_auth_ticket(ts => $ts, uid => 'guest', ip_addr => '0.0.0.0') . "\n" if $TU;
# Case 1: ip_addr given as 0.
$ticket = $at->ticket(ts => $ts, ip_addr => 0);
report $ticket, 'ignore_ip';
is($ticket, $result{ignore_ip}, 'ticket ignore ip 1 ok');
ok($parsed = $at->parse_ticket($ticket), 'parse ticket ignore ip 1');
is($parsed->{uid}, 'guest', 'uid parsed');
is($parsed->{ts}, $ts, 'ts parsed');
is($parsed->{tokens}, '', "tokens ''");
is($parsed->{data}, '', "data ''");
# Validation needs the matching address: here it is supplied as a per-call
# override ...
is_deeply($at->validate_ticket( $ticket, ip_addr => '0.0.0.0' ), $parsed, "MD5 checked");
# ... and here it comes from ignore_ip set on the constructor (per the test
# label; this object presumably shares $at's secret - it is built outside
# this excerpt).
is_deeply($different_at_ip_ignore->validate_ticket( $ticket ), $parsed, "MD5 checked with ignore_ip set on constructor");
# A different secret must still be rejected, with or without IP checking.
is($different_at->validate_ticket( $ticket ), undef, "Different secret so no data returned" );
# Case 2: ip_addr given as undef; same expectations as case 1.
$ticket = $at->ticket(ts => $ts, ip_addr => undef);
report $ticket, 'ignore_ip';
is($ticket, $result{ignore_ip}, 'ticket ignore ip 2 ok');
ok($parsed = $at->parse_ticket($ticket), 'parse ticket ignore ip 2');
is($parsed->{uid}, 'guest', 'uid parsed');
is($parsed->{ts}, $ts, 'ts parsed');
is($parsed->{tokens}, '', "tokens ''");
is($parsed->{data}, '', "data ''");
# An undef override is accepted for validation as well.
is_deeply($at->validate_ticket( $ticket, ip_addr => undef ), $parsed, "MD5 checked");
is_deeply($different_at_ip_ignore->validate_ticket( $ticket ), $parsed, "MD5 checked with ignore_ip set on constructor");
is($different_at->validate_ticket( $ticket ), undef, "Different secret so no data returned" );
# Complex tickets: explicit uid, tokens and data.
# Case 1 (base64 => 0): tokens are passed with spaces after the commas
# ('finance, admin, it') but the parsed value is expected without them, so
# ticket() is expected to normalise the token list.
print TktUtil::get_auth_ticket(ts => $ts, base64 => 0, uid => 'gavin', ip_addr => $ENV{REMOTE_ADDR}, tokens => 'finance,admin,it', data => 'Mary had a little lamb') . "\n" if $TU;
$ticket = $at->ticket(ts => $ts, base64 => 0, uid => 'gavin', tokens => 'finance, admin, it', data => 'Mary had a little lamb');
report $ticket, 'complex1';
is($ticket, $result{complex1}, 'ticket complex 1 ok');
ok($parsed = $at->parse_ticket($ticket), 'parse ticket complex 1');
is($parsed->{uid}, 'gavin', 'uid parsed');
is($parsed->{ts}, $ts, 'ts parsed');
is($parsed->{tokens}, 'finance,admin,it', 'tokens parsed');
is($parsed->{data}, 'Mary had a little lamb', 'data parsed');
# The tokens and data fields must survive validation unchanged, and a
# different secret must yield undef.
is_deeply($at->validate_ticket( $ticket ), $parsed, "MD5 checked");
is($different_at->validate_ticket( $ticket ), undef, "Different secret so no data returned" );
# Case 2 (base64 => 1): no tokens, and the data field carries the value of
# $ENV{REMOTE_ADDR}; parsing and validation must still round-trip.
print TktUtil::get_auth_ticket(ts => $ts, base64 => 1, uid => 'freddy', ip_addr => $ENV{REMOTE_ADDR}, data => $ENV{REMOTE_ADDR}) . "\n" if $TU;
$ticket = $at->ticket(ts => $ts, base64 => 1, uid => 'freddy', data => $ENV{REMOTE_ADDR});
report $ticket, 'complex2';
is($ticket, $result{complex2}, 'ticket complex 2 ok');
ok($parsed = $at->parse_ticket($ticket), 'parse ticket complex 2');
is($parsed->{uid}, 'freddy', 'uid parsed');
is($parsed->{ts}, $ts, 'ts parsed');
is($parsed->{tokens}, '', "tokens ''");
is($parsed->{data}, $ENV{REMOTE_ADDR}, 'data parsed');
is_deeply($at->validate_ticket( $ticket ), $parsed, "MD5 checked");
is($different_at->validate_ticket( $ticket ), undef, "Different secret so no data returned" );
# vim:ft=perl