Apache2-Authen-OdinAuth
view release on metacpan or search on metacpan
lib/Apache2/Authen/OdinAuth.pm view on Meta::CPAN
use APR::Table;
use YAML::XS;
use Sys::Hostname;
=head1 SYNOPSIS
This module defines an Apache handler for the Odin Authenticator
single sign-on system. The system is based on the GodAuth script,
available at L<http://github.com/exflickr/GodAuth/>.
=head1 USAGE
To make Apache use the handler for authentication, enable mod_perl and
add following directives in apache2.conf:
PerlSetVar odinauth_config /path/to/odin_auth.yml
PerlFixupHandler Apache2::Authen::OdinAuth
The C<PerlSetVar> statement needs to be global; the
C<PerlFixupHandler> statement can be global or occur in a
C<VirtualHost>, C<Directory>, or C<Location> section.
=head2 YAML CONFIG
The handler reads (and automatically reloads if it's older than
C<reload_timeout> seconds) an additional YAML config file. It sets
configures the shared secret, cookie name, authorizer app URL, and
permissions (which are unfortunately regexp-based).
A sample configuration file looks like this:
# Sample config for Apache2::Authen::OdinAuth
permissions:
# URLs no auth
- url: !!perl/regexp ^localhost
who: all
# Require a role
- url: !!perl/regexp ^dev\.myapp\.com
who: role:admin
# Require username
- url: !!perl/regexp ^debug\.myapp\.com/
who: cal
# A list is fine too
- url: !!perl/regexp ^debug2\.myapp\.com/
who:
- role:devel
- cal
- myles
# Allow any authenticated user
- url: !!perl/regexp ^debug3\.myapp\.com/
who: authed
# log_file: /tmp/odin.log
secret: ****************
reload_timeout: 600
need_auth_url: http://example.com/?NA
invalid_cookie_url: http://example.com/?CIU
not_on_list_url: http://example.com/?NOL
cookie: oa
NOTE: The config is better than original GodAuth configuration, but
will probably need to be refactored; it would be best to make it live
inside Apache's configuration. I'm still not sure how to make it
happen in mod_perl.
=cut
use constant RELOAD_TIMEOUT => 10*60; # reload config every 10 minutes
=head1 SUBROUTINES
=head2 Configuration closure
=cut
{
my $last_reload_time = -1;
my $config_file = undef;
my $config = undef;
=head3 config
Reloads configuration if older than RELOAD_TIMEOUT
=cut
sub config {
if ( time() - $last_reload_time > RELOAD_TIMEOUT ) {
$config = YAML::XS::LoadFile($config_file);
}
$config;
}
=head3 init_config(request)
Finds config file and loads it for the first time
=cut
sub init_config {
my $r = shift;
$config_file ||=
$r->server->dir_config('odinauth_config');
config;
}
}
$| = 1;
=head2 handler(request)
Main Apache mod_perl handler
=cut
sub handler {
#
# get URL
#
my $r = shift;
lib/Apache2/Authen/OdinAuth.pm view on Meta::CPAN
#
if (!$cookie) {
return &redir($r, config->{need_auth_url});
}
if ($cookie_is_invalid) {
return &redir($r, config->{invalid_cookie_url}, $cookie_is_invalid);
}
#########################################################
#
# 5) set user; exit now for authed
#
$r->user($cookie_user);
$r->subprocess_env('REMOTE_USER' => $cookie_user);
$r->set_basic_credentials($cookie_user, '*****');
if (ref $allow ne 'ARRAY') {
if ($allow eq 'authed') {
return Apache2::Const::OK;
}
}
#########################################################
#
# 5) now we need to match usernames and/or roles
#
# get arrayref of allowed roles
unless (ref $allow eq 'ARRAY'){
$allow = [$allow];
}
# get arrayref of our roles
my $matches = [$cookie_user];
for my $role (split /,/, $cookie_roles) {
if ($role ne '_') {
push @{$matches}, 'role:'.$role;
}
}
for my $a (@{$allow}) {
for my $b (@{$matches}) {
if ($a eq $b) {
return Apache2::Const::OK;
}
}
}
#
# send the user to the not-on-list page
#
return &redir($r, config->{not_on_list_url});
}
=head2 redir(request, target, reason)
Redirect to Authorizer App
=cut
sub redir {
my ($r, $target, $reason) = @_;
my $ref = &urlencode($r->construct_url($r->unparsed_uri));
$target .= ($target =~ /\?/) ? "&ref=$ref" : "?ref=$ref";
$target .= '&reason='.urlencode($reason) if $reason;
$r->headers_out->set('Location', $target);
return Apache2::Const::REDIRECT;
}
=head2 parse_cookie_jar(jar)
Parse cookies into a hashref
=cut
sub parse_cookie_jar {
my ($jar) = @_;
return {} unless defined $jar;
my @bits = split /;\s*/, $jar;
my $out = {};
for my $bit (@bits) {
my ($k, $v) = split '=', $bit, 2;
$k = &urldecode($k);
$v = &urldecode($v);
$out->{$k} = $v;
}
return $out;
}
=head2 urldecode(str)
=cut
sub urldecode {
$_[0] =~ s!\+! !g;
$_[0] =~ s/%([a-fA-F0-9]{2,2})/chr(hex($1))/eg;
return $_[0];
}
=head2 urlencode(str)
=cut
sub urlencode {
$_[0] =~ s!([^a-zA-Z0-9-_ ])! sprintf('%%%02x', ord $1) !gex;
$_[0] =~ s! !+!g;
return $_[0];
}
=head1 AUTHOR
Maciej Pasternacki, C<< <maciej at pasternacki.net> >>
( run in 0.566 second using v1.01-cache-2.11-cpan-9581c071862 )