Apache-SecSess
sub issue ($$) {
my($self, $r) = @_;
my $log = $r->log;
my($resp, $msg);
## don't perform in subrequests
unless ($r->is_initial_req) { return OK; }
$log->debug(ref($self), "->issue():");
$resp = $self->verifyIdentity($r);
if (ref($resp)) {
if ($msg = $resp->{message}) { $log->info($msg); }
if ($resp->{fill_form}) { return OK; }
if ($resp->{auth_required}) { return AUTH_REQUIRED; }
unless ($resp->{uri}) { return SERVER_ERROR; }
$r->header_out(Location => $resp->{uri});
return REDIRECT;
}
$resp = $self->issueCredentials($r);
unless (ref($resp)) { $log->error($resp); return SERVER_ERROR; }
$cred = $self->getCredentials($r);
$resp = $self->validateCredentials($r, $cred);
if (ref($resp)) {
if ($msg = $resp->{message}) { $log->info($msg); }
unless ($resp->{uri}) { return SERVER_ERROR; }
$r->header_out(Location => $resp->{uri});
return REDIRECT;
}
## make sure request is consistent and comes from an administrator
$resp = $self->verifyAdminRequest($r);
unless (ref($resp)) { $log->error($resp); return SERVER_ERROR; }
if ($msg = $resp->{message}) { $log->info($msg); }
if ($resp->{forbidden}) { return FORBIDDEN; } # non-admin
if ($resp->{fill_form}) { return OK; }
unless ($uid = $resp->{newuid}) {
unless ($uri = $resp->{uri}) { return SERVER_ERROR; }
$r->header_out(Location => $uri);
return REDIRECT;
}
SecSess/Cookie.pm view on Meta::CPAN
return ($bs <=> $as) ? ($bs <=> $as) : ($ba <=> $aa);
} (keys %ckys);
$max = $tags[0];
unless (defined($max)) { return 'No cookie found.'; }
$log->debug(sprintf("Found Cookie: %s:%s=%s", $realm, $max, $ckys{$max}));
return $self->{wrapper}->unwraphash($ckys{$max});
}
## Default identity check for (usually non-cookie) credentials used to
## authenticate the user.  This base implementation inspects nothing about
## the request and always yields undef.
## NOTE(review): the issue() handler shown for this distribution treats only
## a reference returned from verifyIdentity() as a denial or redirect; a
## non-reference such as undef lets the request continue to
## issueCredentials().  Subclasses are presumably expected to override this
## method -- confirm before relying on the base class directly.
sub verifyIdentity {
    my ($self) = @_;
    return undef;
}
## issue cookies
sub issueCredentials {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my(@cky, %args, $url);
$log->debug(ref($self), "->issueCredentials():");
SecSess/Cookie.pm view on Meta::CPAN
## remaining parameters (domain, expires, ... )
for $par (keys %{$params}) {
next if $par eq 'path';
next if $par eq 'secure';
$cookie .= sprintf("; %s=%s", $par, $params->{$par});
}
return $cookie;
}
## verify an administration request
# Note: this is currently implemented as a CGI like GET then POST form.
sub verifyAdminRequest {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my($uid, $form, %args, $newuid, $pw, $status, $msg);
$log->debug(ref($self), "->verifyAdminRequest():");
## is the user really an admin?
unless ($uid = $r->user) { return 'No user ID provided from authen.'; }
unless ($self->{dbo}->is_administrator($uid)) {
return {
message => "User '$uid' is not an administrator.",
forbidden => 'true'
};
}
SecSess/Cookie/BasicAuth.pm view on Meta::CPAN
use Apache::Constants qw(:common :response);
use Apache::SecSess::Cookie;
use vars qw(@ISA $VERSION);
# Module version built from the revision-control Name tag below: the digit
# runs found in the tag ("0" and "09") are formatted as "0.09".
$VERSION = sprintf("%d.%02d", (q$Name: SecSess_Release_0_09 $ =~ /\d+/g));
# Inherit from Apache::SecSess::Cookie.
@ISA = qw(Apache::SecSess::Cookie);
## validate (usually non-cookie) credentials used to authenticate user
sub verifyIdentity {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my($uid, $res, $pw, $msg);
$log->debug(ref($self), "->verifyIdentity():");
## read password and user id if present, bail otherwise
($res, $pw) = $r->get_basic_auth_pw;
unless ($res eq OK) { # I hate this
return {
message => "Basic auth required.",
auth_required => 'true'
};
}
$uid = $r->user;
SecSess/Cookie/LoginForm.pm view on Meta::CPAN
use Apache::SecSess::Cookie;
use vars qw(@ISA $VERSION);
# Module version built from the revision-control Name tag below: the digit
# runs found in the tag ("0" and "09") are formatted as "0.09".
$VERSION = sprintf("%d.%02d", (q$Name: SecSess_Release_0_09 $ =~ /\d+/g));
# Inherit from Apache::SecSess::Cookie.
@ISA = qw(Apache::SecSess::Cookie);
## validate (usually non-cookie) credentials used to authenticate user
sub verifyIdentity {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my(%params, $uid, $pw, %args, $url, $form, $msg);
$log->debug(ref($self), "->verifyIdentity():");
## is this the initial visit to the form?
unless ($r->method eq 'POST') { # allow no GET for now ...
return {
message => 'Initial visit to login form.',
fill_form => 'true'
}
}
## extract user ID, password and other data
SecSess/Cookie/URL.pm view on Meta::CPAN
use Apache::SecSess::Cookie;
use Apache::SecSess::Wrapper;
use vars qw(@ISA $VERSION);
# Module version built from the revision-control Name tag below: the digit
# runs found in the tag ("0" and "09") are formatted as "0.09".
$VERSION = sprintf("%d.%02d", (q$Name: SecSess_Release_0_09 $ =~ /\d+/g));
# Inherit from Apache::SecSess::Cookie.
@ISA = qw(Apache::SecSess::Cookie);
## Validate the (usually non-cookie) credential presented in the URL.
##
## The query-string value stored under this object's auth realm name is
## handed to the wrapper's unwraphash(), and the result is checked by
## validateCredentials(), whose return value is passed straight back to the
## caller.
##
## NOTE(review): the ciphertext is client-supplied and is not tested for
## presence before unwraphash() is called (getCredentials() in
## Apache::SecSess::URL does test it).  Rejection of a missing or malformed
## value therefore appears to rest entirely on unwraphash() and
## validateCredentials() -- confirm both handle undef safely.
## NOTE(review): the issue() handler shown for this distribution treats only
## a reference returned from here as a denial or redirect -- confirm that
## validateCredentials() never reports a failure as a plain string.
sub verifyIdentity {
    my ($self, $r) = @_;
    $r->log->debug(ref($self), "->verifyIdentity():");

    ## pull the ciphertext for our realm out of the query string
    my %query      = $r->args;
    my $realm      = $self->authRealm;
    my $ciphertext = $query{$realm};
    my $urlcred    = $self->{wrapper}->unwraphash($ciphertext);

    ## validate URL credentials as we would at higher level
    return $self->validateCredentials($r, $urlcred);
}
SecSess/Cookie/X509.pm view on Meta::CPAN
use Apache::SecSess::Cookie;
use vars qw(@ISA $VERSION);
# Module version built from the revision-control Name tag below: the digit
# runs found in the tag ("0" and "09") are formatted as "0.09".
$VERSION = sprintf("%d.%02d", (q$Name: SecSess_Release_0_09 $ =~ /\d+/g));
# Inherit from Apache::SecSess::Cookie.
@ISA = qw(Apache::SecSess::Cookie);
## validate (usually non-cookie) credentials used to authenticate user
sub verifyIdentity {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my($subr, $email, $uid);
$log->debug(ref($self), "->verifyIdentity():");
## resolve user ID from certificate DN email
$subr = $r->lookup_uri($r->uri);
$email = $subr->subprocess_env('SSL_CLIENT_S_DN_Email');
$uid = $self->{dbo}->x509email_to_uid($email);
unless ($uid) {
return {
message => "Untrusted certificate DN '$email'.",
uri => $self->errorURL
};
SecSess/Cookie/X509PIN.pm view on Meta::CPAN
use Apache::SecSess::Cookie;
use vars qw(@ISA $VERSION);
# Module version built from the revision-control Name tag below: the digit
# runs found in the tag ("0" and "09") are formatted as "0.09".
$VERSION = sprintf("%d.%02d", (q$Name: SecSess_Release_0_09 $ =~ /\d+/g));
# Inherit from Apache::SecSess::Cookie.
@ISA = qw(Apache::SecSess::Cookie);
## validate (usually non-cookie) credentials used to authenticate user
sub verifyIdentity {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my($subr, $email, $uid, %params, $pin, %args, $url, $form, $msg);
$log->debug(ref($self), "->verifyIdentity():");
## resolve user ID from certificate DN email
$subr = $r->lookup_uri($r->uri);
$email = $subr->subprocess_env('SSL_CLIENT_S_DN_Email');
$uid = $self->{dbo}->x509email_to_uid($email);
unless ($uid) {
return {
message => "Untrusted certificate DN '$email'.",
uri => $self->errorURL
};
SecSess/URL.pm view on Meta::CPAN
@ISA = qw(Apache::SecSess);
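## Extract the URL credential for this realm from the query string and
## decrypt/unwrap it.
##
## Takes the request object $r.  Returns whatever
## $self->{wrapper}->unwraphash() yields for the ciphertext, or the plain
## string 'No URL credentials found.' when the query string carries no true
## value under the realm name.
sub getCredentials {
    my $self = shift;
    my ($r) = @_;
    my $log = $r->log;
    my (%args, $ctxt);

    # Trace under this method's own name.  The label used to read
    # "->verifyIdentity():", which attributed these debug entries to the
    # wrong step of the authentication flow.
    $log->debug(ref($self), "->getCredentials():");

    ## extract ciphertext from URL
    %args = $r->args;
    $ctxt = $args{$self->authRealm};
    unless ($ctxt) { return 'No URL credentials found.'; }

    # The value comes from the request's query string; this method applies
    # no check of its own beyond handing it to unwraphash().
    return $self->{wrapper}->unwraphash($ctxt);
}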
## Default identity check for (usually non-URL) credentials used to
## authenticate the user.  This base implementation looks at nothing in the
## request and always yields undef.
## NOTE(review): the issue() handler shown for this distribution treats only
## a reference returned from verifyIdentity() as a denial or redirect, so
## undef lets the request continue to issueCredentials().  Subclasses are
## presumably expected to supply the real check -- confirm.
sub verifyIdentity {
    my ($self) = @_;
    return undef;
}
## issue credentials
sub issueCredentials {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my($uid, $realm, $ctxt, %args, $requrl, $idx, @chains, $chain, $url, $sep);
my($backurl);
$log->debug(ref($self), "->issueCredentials():");
SecSess/URL/Cookie.pm view on Meta::CPAN
use Apache::SecSess::URL;
use Apache::SecSess::Wrapper;
use vars qw(@ISA $VERSION);
# Module version built from the revision-control Name tag below: the digit
# runs found in the tag ("0" and "09") are formatted as "0.09".
$VERSION = sprintf("%d.%02d", (q$Name: SecSess_Release_0_09 $ =~ /\d+/g));
# Inherit from Apache::SecSess::URL.
@ISA = qw(Apache::SecSess::URL);
## validate credentials used to first authenticate user
sub verifyIdentity {
my $self = shift;
my($r) = @_;
my $log = $r->log;
my($realm, $ckyhead, %ckys, @tags, $max, $url, $ckycred);
$log->debug(ref($self), "->verifyIdentity():");
## extract strongest cookie with appropriate name/tag pair
$realm = $self->authRealm;
$ckyhead = $r->headers_in->get('Cookie');
%ckys = ($ckyhead =~ /${realm}:([^=]+)=([^;]+)/g);
@tags = sort {
my($as, $aa) = split(',', $a);
my($bs, $ba) = split(',', $b);
return ($bs <=> $as) ? ($bs <=> $as) : ($ba <=> $aa);
} (keys %ckys);
utils/mkcerts view on Meta::CPAN
# display
if ($opt_d) {
printf(":\n: Newly Signed Certificate for '%s'\n:\n", $name);
system(
"openssl x509 -in $cert -noout -text"
) == 0 or die "problem printing certificate: $cert";
printf(":\n: Verifying '%s' ...\n:\n", $name);
system(
"openssl x509 -in $cert -noout -fingerprint"
) == 0 or die "certificate fingerprint problem: $name";
printf("verifying signature ...\n");
system(
"openssl verify -verbose -CAfile $cacert $cert"
) == 0 or die "certificate fingerprint problem: $name";
}
}
#
# create the SSL server certs under CA's domain
#
sub mksslserv {
my $s = shift;
my($servdns, $name);