Apache2-Authen-OdinAuth

 view release on metacpan or  search on metacpan

lib/Apache2/Authen/OdinAuth.pm  view on Meta::CPAN

use APR::Table;
use YAML::XS;

use Sys::Hostname;

=head1 SYNOPSIS

This module defines an Apache handler for the Odin Authenticator
single sign-on system. The system is based on the GodAuth script,
available at L<http://github.com/exflickr/GodAuth/>.

=head1 USAGE

To make Apache use the handler for authentication, enable mod_perl and
add following directives in apache2.conf:

    PerlSetVar odinauth_config /path/to/odin_auth.yml
    PerlFixupHandler Apache2::Authen::OdinAuth

The C<PerlSetVar> statement needs to be global; the
C<PerlFixupHandler> statement can be global or occur in a
C<VirtualHost>, C<Directory>, or C<Location> section.

=head2 YAML CONFIG

The handler reads (and automatically reloads if it's older than
C<reload_timeout> seconds) an additional YAML config file. It sets
configures the shared secret, cookie name, authorizer app URL, and
permissions (which are unfortunately regexp-based).

A sample configuration file looks like this:

    # Sample config for Apache2::Authen::OdinAuth
    
    permissions:
      # URLs no auth
      - url: !!perl/regexp ^localhost
        who: all
      # Require a role
      - url: !!perl/regexp ^dev\.myapp\.com
        who: role:admin
      # Require username
      - url: !!perl/regexp ^debug\.myapp\.com/
        who: cal
      # A list is fine too
      - url: !!perl/regexp ^debug2\.myapp\.com/
        who:
          - role:devel
          - cal
          - myles
      # Allow any authenticated user
      - url: !!perl/regexp ^debug3\.myapp\.com/
        who: authed
    
    
    # log_file: /tmp/odin.log
    secret: ****************
    reload_timeout: 600
    need_auth_url: http://example.com/?NA
    invalid_cookie_url: http://example.com/?CIU
    not_on_list_url: http://example.com/?NOL
    cookie: oa

NOTE: The config is better than original GodAuth configuration, but
will probably need to be refactored; it would be best to make it live
inside Apache's configuration. I'm still not sure how to make it
happen in mod_perl.

=cut

use constant RELOAD_TIMEOUT => 10*60; # reload config every 10 minutes

=head1 SUBROUTINES

=head2 Configuration closure

=cut
{
  my $last_reload_time = -1;
  my $config_file = undef;
  my $config = undef;

=head3 config

Reloads configuration if older than RELOAD_TIMEOUT

=cut
  sub config {
    if ( time() - $last_reload_time > RELOAD_TIMEOUT ) {
      $config = YAML::XS::LoadFile($config_file);
    }
    $config;
  }

=head3 init_config(request)

Finds config file and loads it for the first time

=cut
  sub init_config {
    my $r = shift;
    $config_file ||=
      $r->server->dir_config('odinauth_config');
    config;
  }
}

$| = 1;

=head2 handler(request)

Main Apache mod_perl handler

=cut
sub handler {
  #
  # get URL
  #

  my $r = shift;

lib/Apache2/Authen/OdinAuth.pm  view on Meta::CPAN

  #

  if (!$cookie) {
    return &redir($r, config->{need_auth_url});
  }

  if ($cookie_is_invalid) {
    return &redir($r, config->{invalid_cookie_url}, $cookie_is_invalid);
  }


  #########################################################
  #
  # 5) set user; exit now for authed
  #

  $r->user($cookie_user);
  $r->subprocess_env('REMOTE_USER' => $cookie_user);
  $r->set_basic_credentials($cookie_user, '*****');

  if (ref $allow ne 'ARRAY') {
    if ($allow eq 'authed') {
      return Apache2::Const::OK;
    }
  }


  #########################################################
  #
  # 5) now we need to match usernames and/or roles
  #

  # get arrayref of allowed roles
  unless (ref $allow eq 'ARRAY'){
    $allow = [$allow];
  }

  # get arrayref of our roles
  my $matches = [$cookie_user];
  for my $role (split /,/, $cookie_roles) {
    if ($role ne '_') {
      push @{$matches}, 'role:'.$role;
    }
  }


  for my $a (@{$allow}) {
    for my $b (@{$matches}) {

      if ($a eq $b) {
        return Apache2::Const::OK;
      }
    }
  }


  #
  # send the user to the not-on-list page
  #

  return &redir($r, config->{not_on_list_url});
}

=head2 redir(request, target, reason)

Redirect to Authorizer App

=cut
sub redir {
  my ($r, $target, $reason) = @_;
  my $ref = &urlencode($r->construct_url($r->unparsed_uri));
  $target .= ($target =~ /\?/) ? "&ref=$ref" : "?ref=$ref";
  $target .= '&reason='.urlencode($reason) if $reason;

  $r->headers_out->set('Location', $target);
  return Apache2::Const::REDIRECT;
}

=head2 parse_cookie_jar(jar)

Parse cookies into a hashref

=cut
sub parse_cookie_jar {
  my ($jar) = @_;

  return {} unless defined $jar;

  my @bits = split /;\s*/, $jar;
  my $out = {};
  for my $bit (@bits) {
    my ($k, $v) = split '=', $bit, 2;
    $k = &urldecode($k);
    $v = &urldecode($v);
    $out->{$k} = $v;
  }
  return $out;
}

=head2 urldecode(str)

=cut
sub urldecode {
  $_[0] =~ s!\+! !g;
  $_[0] =~ s/%([a-fA-F0-9]{2,2})/chr(hex($1))/eg;
  return $_[0];
}

=head2 urlencode(str)

=cut
sub urlencode {
  $_[0] =~ s!([^a-zA-Z0-9-_ ])! sprintf('%%%02x', ord $1) !gex;
  $_[0] =~ s! !+!g;
  return $_[0];
}


=head1 AUTHOR

Maciej Pasternacki, C<< <maciej at pasternacki.net> >>



( run in 0.566 second using v1.01-cache-2.11-cpan-9581c071862 )