Apache2-AuthAny
view release on metacpan or search on metacpan
t/00-load.t
t/pod-coverage.t
MANIFEST
LICENSE
lib/Apache2/AuthAny.pm
lib/Apache2/AuthAny/AuthenHandler.pm
lib/Apache2/AuthAny/RequestConfig.pm
lib/Apache2/AuthAny/DB.pm
lib/Apache2/AuthAny/MapToStorageHandler.pm
lib/Apache2/AuthAny/FixupHandler.pm
lib/Apache2/AuthAny/Cookie.pm
lib/Apache2/AuthAny/AuthUtil.pm
lib/Apache2/AuthAny/AuthzHandler.pm
db/auth_any.sql
Changes
google/check-auth.php
google/redirect.php
google/common.php
examples/demo/d7/.htaccess
examples/demo/index.php
examples/demo/d6/.htaccess
bin/clean-cookie-table.pl view on Meta::CPAN
#!/usr/bin/perl
use strict;
use warnings;
use Apache2::AuthAny::DB ();
use Data::Dumper qw(Dumper);
my $db = Apache2::AuthAny::DB->new();
$db->cleanupCookies();
db/auth_any.sql view on Meta::CPAN
`active` tinyint(1) default NULL,
`timeout` int(11) default NULL,
`firstName` tinytext,
`lastName` tinytext,
PRIMARY KEY (`UID`),
UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM AUTO_INCREMENT=166 DEFAULT CHARSET=utf8;
SET character_set_client = @saved_cs_client;
--
-- Table structure for table `userAACookie`
--
DROP TABLE IF EXISTS `userAACookie`;
SET @saved_cs_client = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `userAACookie` (
`PID` varchar(100) NOT NULL,
`SID` tinytext,
`authId` varchar(100) default NULL,
`authProvider` varchar(100) default NULL,
`last` int(11) default NULL,
`created` datetime NOT NULL,
`state` enum('logged_out','recognized','authenticated') NOT NULL default 'logged_out',
`logoutKey` tinytext NOT NULL,
PRIMARY KEY (`PID`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
examples/demo-config/demo_auth_any_database.sql view on Meta::CPAN
-- Dumping data for table `user`
--
LOCK TABLES `user` WRITE;
/*!40000 ALTER TABLE `user` DISABLE KEYS */;
INSERT INTO `user` VALUES (164,'babbage','2011-01-17 16:23:52',1,30,'Charles','Babbage'),(165,'turing','2011-01-17 20:40:21',1,120,'Alan','Turing');
/*!40000 ALTER TABLE `user` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `userAACookie`
--
DROP TABLE IF EXISTS `userAACookie`;
SET @saved_cs_client = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `userAACookie` (
`PID` varchar(100) NOT NULL,
`SID` tinytext,
`authId` varchar(100) default NULL,
`authProvider` varchar(100) default NULL,
`last` int(11) default NULL,
`created` datetime NOT NULL,
`state` enum('logged_out','recognized','authenticated') NOT NULL default 'logged_out',
`logoutKey` tinytext NOT NULL,
PRIMARY KEY (`PID`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
SET character_set_client = @saved_cs_client;
--
-- Dumping data for table `userAACookie`
--
LOCK TABLES `userAACookie` WRITE;
/*!40000 ALTER TABLE `userAACookie` DISABLE KEYS */;
INSERT INTO `userAACookie` VALUES ('0257682d03bee509c98df8eba48abc10','0f867d18bf8c0d4f21af10f3af1981e6','aatest3','basic',1299612418,'2011-02-10 10:09:33','recognized','639ae4fb44d92ff26b2554f1456aaac4'),('5d5acf85adfbbc586bafac708b86f732','7705f3ab...
/*!40000 ALTER TABLE `userAACookie` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `userIdent`
--
DROP TABLE IF EXISTS `userIdent`;
SET @saved_cs_client = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `userIdent` (
examples/demo-gate/gate-logic.php view on Meta::CPAN
# Get logoutKey
$dbPassword = trim(file_get_contents($_SERVER[AUTH_ANY_DB_PW_FILE]));
$dbUserName = $_SERVER[AUTH_ANY_DB_USER];
$projectDbName = $_SERVER[AUTH_ANY_DB_NAME];
$projectDbHost = $_SERVER[AUTH_ANY_DB_HOST];
$host = $projectDbHost ? $projectDbHost : 'localhost';
$conection = @mysql_connect($host, $dbUserName, $dbPassword);
mysql_select_db($projectDbName) or die (mysql_error());
$sql = "SELECT logoutKey FROM userAACookie WHERE PID = '$_COOKIE[AA_PID]'";
mysql_query('set character set utf8');
$content = mysql_query($sql) or die (mysql_error());
$rs = mysql_fetch_array($content);
$logoutKey = $rs['logoutKey'];
$provider_string = $provider . "_aa-key_" . $logoutKey;
return("/aa_auth/$provider_string/redirect?req=$encoded_req");
}
?>
google/check-auth.php view on Meta::CPAN
$projectDbName = $_SERVER[AUTH_ANY_DB_NAME];
$projectDbHost = $_SERVER[AUTH_ANY_DB_HOST];
$host = $projectDbHost ? $projectDbHost : 'localhost';
$conection = @mysql_connect($host, $dbUserName, $dbPassword);
mysql_select_db($projectDbName) or abortSignin( mysql_error() );
mysql_query('set character set utf8');
$nowsec = time();
$psql = "UPDATE userAACookie SET authId = '$result[email]', authProvider = '$atype',
SID = '$sid', state = 'authenticated', last = '$nowsec'
WHERE PID = '$pid'";
if (mysql_query($psql)) {
setcookie($c_name, $c_value, $c_expire, $c_path, $c_domain);
} else {
$result[msg] .= mysql_error();
}
} else {
google/check-auth.php view on Meta::CPAN
}
if ($result[msg]) {
abortSignin("$result[msg]");
}
header("Location: $req");
$page = <<<PAGE
<html>
<body>
<h1>Cookie setter and redirector</h1>
<b>you are $result[email]</b><br/>
Your cookie has been set. Click <a href="$req">here</a> to continue.
</body>
</html>
PAGE;
print($page);
lib/Apache2/AuthAny/AuthUtil.pm view on Meta::CPAN
package Apache2::AuthAny::AuthUtil;
use strict;
use URI::Escape;
use Data::Dumper;
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED REDIRECT);
use CGI::Cookie ();
use Apache2::AuthAny::DB ();
our $aaDB;
our $VERSION = '0.201';
sub goToGATE {
my $r = shift;
my $reason = shift;
my $subReason = shift;
lib/Apache2/AuthAny/AuthUtil.pm view on Meta::CPAN
}
$r->headers_out->set(Location => $gate);
return Apache2::Const::REDIRECT;
}
sub logout {
my $r = shift;
my $pid = shift;
my $aaDB = Apache2::AuthAny::DB->new() unless $aaDB;
unless ($aaDB->logoutPCookie($pid)) {
die "logout failed";
}
my $request = $r->unparsed_uri;
# prevent redirect loops
$request =~ s/aalogout/aadisabled/g;
$r->headers_out->set(Location => $request);
return Apache2::Const::REDIRECT;
}
sub login {
my $r = shift;
my $pid = shift;
my $aaDB = Apache2::AuthAny::DB->new() unless $aaDB;
unless ($aaDB->logoutPCookie($pid)) {
die "logout failed";
}
my $request = $r->unparsed_uri;
# prevent redirect loops
$request =~ s/aalogout/aadisabled/g;
$r->headers_out->set(Location => $request);
return Apache2::Const::REDIRECT;
lib/Apache2/AuthAny/Cookie.pm view on Meta::CPAN
package Apache2::AuthAny::Cookie;
use strict;
use CGI::Cookie ();
use Apache2::Cookie ();
use Apache2::Request ();
use Digest::MD5 qw(md5_hex);
use Apache2::AuthAny::DB ();
use Apache2::AuthAny::AuthUtil ();
use Data::Dumper qw(Dumper);
use Apache2::Const -compile => qw(HTTP_UNAUTHORIZED REDIRECT OK);
our $aaDB;
our $VERSION = '0.201';
lib/Apache2/AuthAny/Cookie.pm view on Meta::CPAN
sub post_login {
my $r = shift;
my $uri = $r->uri;
my ($authProvider) = ($uri =~ m{/aa_auth/(.*?)/});
$authProvider =~ s/_aa-key_.*//;
my $get_params = Apache2::Request->new($r);
my $location = $get_params->param('req');
unless ($location) {
$r->log->warn("Apache2::AuthAny::Cookie: missing req redirect after login with $authProvider");
$location = "/";
}
$aaDB = Apache2::AuthAny::DB->new() unless $aaDB;
unless ($aaDB) {
my $msg = "Cannot connect to database.";
$r->log->crit("AuthAny::Cookie: $msg");
return Apache2::AuthAny::AuthUtil::goToGATE($r, 'tech', {msg => $msg});
}
my $authId = $ENV{REMOTE_USER} || $r->user;
if ($authId) {
my $map_file = "$ENV{AUTH_ANY_CONFIG_ROOT}/provider-mapping.pl";
if (-f $map_file) {
open(MAPPING, "<$map_file") || die "$map_file ?? $!";
my @cts = <MAPPING>;
my $contents = "@cts";
close(MAPPING);
my $mapping = eval $contents;
if ($mapping->{$authProvider}) {
my $orig = $authId;
$authId =~ s/$mapping->{$authProvider}//;
if ($authId eq $orig) {
$r->log->error("AuthAny::Cookie: mapping had no effect");
}
}
}
} else {
my $msg = 'Please try another login method';
$r->log->error("Cookie: Auth method at '$uri' did not set REMOTE_USER");
return Apache2::AuthAny::AuthUtil::goToGATE($r, 'authen', {msg => $msg});
}
######################################################################
# Cookie
######################################################################
my $pid = $r->pnotes('pid');
my $sCookie = md5_hex(time . rand);
if ($aaDB->loginPCookie($pid->{PID}, $sCookie, $authId, $authProvider)) {
my $new_sid_cookie = CGI::Cookie->new(-name => 'AA_SID',
-value => $sCookie,
);
$r->err_headers_out->add('Set-Cookie' => $new_sid_cookie);
} else {
my $msg = "Could not write to DB";
$r->log->crit("Apache2::AuthAny::Cookie: " . $msg);
return Apache2::AuthAny::AuthUtil::goToGATE($r, 'authen', {msg => $msg});
}
blank_shibsession($r);
$r->headers_out->set(Location => $location);
$r->log->info("Apache2::AuthAny::Cookie: Location => $location");
return Apache2::Const::REDIRECT;
}
# NOTE: These are not a handlers
sub cookie_util {
my $r = shift;
$aaDB = Apache2::AuthAny::DB->new() unless $aaDB;
my $jar = Apache2::Cookie::Jar->new($r);
my @cookies;
my ($pidCookie, $sidCookie);
eval {
if ($jar && $jar->cookies) {
$sidCookie = $jar->cookies->get('AA_SID')->value if $jar->cookies->get('AA_SID');
$pidCookie = $jar->cookies->get('AA_PID')->value if $jar->cookies->get('AA_PID');
@cookies = $jar->cookies;
}
};
if ($@) {
$r->log->error("Cookie error $@");
}
my $shibsession_name;
my $shibsession_value;
foreach my $cookie (@cookies) {
if ($cookie =~ /_shibsession_/) {
$r->log->error("Cookie: duplicate shibsession cookies found") if $shibsession_name;
$shibsession_name = $cookie;
$shibsession_value = $jar->cookies($shibsession_name);
}
}
return {pidCookie => $pidCookie,
sidCookie => $sidCookie,
shibsession_name => $shibsession_name,
shibsession_value => $shibsession_value,
};
}
sub blank_shibsession {
my $r = shift;
my $cookies = cookie_util($r);
if ($cookies->{shibsession_value}) {
my $shib_empty = CGI::Cookie->new(-name => $cookies->{shibsession_name},
-value => '',
);
$r->err_headers_out->add('Set-Cookie' => $shib_empty);
}
}
sub pid {
my $r = shift;
my $cookies = cookie_util($r);
my $pid;
my $pCookie = $cookies->{pidCookie};
my $sCookie = $cookies->{sidCookie};
if ($pCookie) {
$pid = $aaDB->getUserCookieByPID($pCookie) || {};
if ($pid && $pid->{PID}) {
unless ($sCookie && $pid->{SID} && $sCookie eq $pid->{SID}) {
# There has been no login during this session
$pid->{SID} = '';
}
} else {
$r->log->error("AuthAny: " . "PID, '$pCookie' missing from DB");
$pid = generate_pid($r);
}
} else {
$pid = generate_pid($r);
}
# warn $r->uri . " --- " . Dumper($pid);
return $pid;
}
sub generate_pid {
my $r = shift;
my $pCookie = md5_hex(time . rand);
my $sCookie = md5_hex(time . rand);
my $logout_key = md5_hex(time . rand);
if ($aaDB->insertPCookie($pCookie, $sCookie, $logout_key)) {
my $new_pid_cookie = CGI::Cookie->new(-name => 'AA_PID',
-value => $pCookie,
-expires => '+3y',
);
my $new_sid_cookie = CGI::Cookie->new(-name => 'AA_SID',
-value => $sCookie,
);
$r->err_headers_out->add('Set-Cookie' => $new_pid_cookie);
$r->err_headers_out->add('Set-Cookie' => $new_sid_cookie);
return {PID => $pCookie,
SID => $sCookie,
logoutKey => $logout_key,
state => 'logged_out',
};
} else {
die "AuthAny::Cookie: Could not write to DB";
}
}
1;
lib/Apache2/AuthAny/DB.pm view on Meta::CPAN
die $dbHandle->errstr;
}
}
sub getValidRoles {
my $self = shift;
$self->useDB();
return $dbHandle->selectcol_arrayref('SELECT DISTINCT role FROM userRole');
}
sub getUserCookieByPID {
my $self = shift;
$self->useDB();
my $pid = shift;
return unless $pid;
my $getCookieSql = 'select * from userAACookie where PID = ? limit 1';
my $res = $dbHandle->selectrow_hashref($getCookieSql, undef, $pid);
if ($res) {
return $res;
} elsif ($dbHandle->errstr) {
die $dbHandle->errstr;
} else {
warn "DB entry for PID cookie, '$pid' missing";
return;
}
}
lib/Apache2/AuthAny/DB.pm view on Meta::CPAN
$self->useDB();
if ( $dbHandle->do($sql, undef, $UID, $role)
&& $dbHandle->do($sql2, undef, $UID, $role)) {
return 1;
} else {
warn $dbHandle->errstr;
return undef;
}
}
sub loginPCookie {
my $self = shift;
my ($pCookie, $sCookie, $authId, $authProvider) = @_;
unless ($pCookie && $authId && $authProvider) {
warn "Missing pid, authId, or authProvider. Got input @_";
return 0;
}
my $sql = "UPDATE userAACookie
SET authId = ?, authProvider = ?, SID = ?, state = ?, last = ?
WHERE PID = ?";
$self->useDB();
if ($dbHandle->do($sql, undef,
$authId, $authProvider, $sCookie, 'authenticated', time, $pCookie)) {
return 1;
} else {
warn $dbHandle->errstr;
return 0;
}
}
sub logoutPCookie {
my $self = shift;
my ($pid) = @_;
my $pCookie = $pid->{PID};
unless ($pCookie) {
warn "Missing pid. Got input @_";
return 0;
}
my $logout_key = md5_hex(time . rand);
my $sql = "UPDATE userAACookie SET state = ?, logoutKey = ?
WHERE PID = ?";
$self->useDB();
if ($dbHandle->do($sql, undef, 'logged_out', $logout_key, $pCookie)) {
$pid->{state} = 'logged_out';
return 1;
} else {
warn $dbHandle->errstr;
return 0;
}
}
sub statePCookie {
my $self = shift;
my ($pid, $state) = @_;
my $pCookie = $pid->{PID};
unless ($pCookie && $state) {
warn "Missing pid or state. Got input @_";
return 0;
}
my $sql = "UPDATE userAACookie SET state = ?
WHERE PID = ?";
$self->useDB();
if ($dbHandle->do($sql, undef, $state, $pCookie)) {
$pid->{state} = $state;
return 1;
} else {
warn $dbHandle->errstr;
return 0;
}
}
sub insertPCookie {
my $self = shift;
my ($pCookie, $sCookie, $logout_key) = @_;
unless ($pCookie && $sCookie && $logout_key) {
warn "Missing cookies or logout_key. Got input @_";
return 0;
}
my $sql = "INSERT INTO userAACookie (PID, SID, logoutKey, last, created)
VALUES (?, ?, ?, ?, now())";
$self->useDB();
if ($dbHandle->do($sql, undef, $pCookie, $sCookie, $logout_key, time)) {
return 1;
} else {
warn $dbHandle->errstr;
return 0;
}
}
sub updatePCookieLastAccess {
my $self = shift;
my ($pCookie) = @_;
unless ($pCookie) {
warn "Missing pid";
return 0;
}
my $sql = "UPDATE userAACookie
SET last = ?
WHERE pid = ?";
$self->useDB();
if ($dbHandle->do($sql, undef, time, $pCookie) eq 1) {
return 1;
} else {
warn "Could not update DB with PID, '$pCookie'" . $dbHandle->errstr;
return 0;
}
}
sub updatePCookieLogoutKey {
my $self = shift;
my ($pCookie) = @_;
unless ($pCookie) {
warn "Missing pid";
return 0;
}
my $sql = "UPDATE userAACookie
SET logoutKey = ?
WHERE pid = ?";
$self->useDB();
my $logout_key = md5_hex(time . rand);
if ($dbHandle->do($sql, undef, $logout_key, $pCookie)) {
return 1;
} else {
warn $dbHandle->errstr;
return 0;
}
}
sub cleanupCookies {
my $self = shift;
$self->useDB();
my $sql = qq[DELETE FROM userAACookie WHERE authId IS NULL and now() - created > 300];
my $rc = $dbHandle->do($sql);
if ($rc) {
return $rc;
} else {
warn $dbHandle->errstr;
return 0;
}
}
1;
lib/Apache2/AuthAny/FixupHandler.pm view on Meta::CPAN
use Apache2::AuthAny::DB qw();
our $aaDB;
our $VERSION = '0.201';
sub handler {
my $r = shift;
if (!$ENV{AA_SCRIPTED} && $ENV{AA_STATE} eq 'authenticated') {
# not already timed out
my $pid = $r->pnotes('pid');
$aaDB = Apache2::AuthAny::DB->new() unless $aaDB;
$aaDB->updatePCookieLastAccess($pid->{PID}) || warn "Could not update last access";
}
return Apache2::Const::DECLINED;
}
###!!!! MOVE THIS TO Cookie.pm
# called after basic login
sub update_logout_key {
my $r = shift;
my $pid = $r->pnotes('pid');
$aaDB = Apache2::AuthAny::DB->new() unless $aaDB;
$aaDB->updatePCookieLogoutKey($pid->{PID}) || warn "Could not update last access";
return Apache2::Const::DECLINED;
}
1;
lib/Apache2/AuthAny/RequestConfig.pm view on Meta::CPAN
use Apache2::Module ();
use Apache2::Access ();
use Apache2::Request ();
use URI::Escape;
use Digest::MD5 qw(md5_hex);
use MIME::Base64;
use Apache2::Const -compile => qw(OK DECLINED REDIRECT HTTP_UNAUTHORIZED);
use Data::Dumper("Dumper");
use CGI;
use CGI::Cookie;
use Apache2::AuthAny::Cookie ();
use Apache2::AuthAny::DB ();
use Apache2::AuthAny::AuthUtil ();
our $aaDB;
our $VERSION = '0.201';
my @system_skip_auth = qw(/Shibboleth);
sub handler {
my $r = shift;
lib/Apache2/AuthAny/RequestConfig.pm view on Meta::CPAN
$r->log->info("Apache2::AuthAny::RequestConfig: Authenticating with '$auth_provider'");
if (lc($r->auth_type) eq 'auth-any') {
# This auth provider does not use the Authen/Authz phases. To prevent
# errors from DocumentRoot level Require directives, disable the
# Authen/Authz phases
$r->set_handlers(PerlAuthenHandler => "sub {Apache2::Const::OK}");
$r->set_handlers(PerlAuthzHandler => "sub {Apache2::Const::OK}");
}
my $pid = Apache2::AuthAny::Cookie::pid($r);
$r->pnotes(pid => $pid);
if ($auth_provider ne 'google') { # Google auth using PHP
$r->handler('perl-script');
$r->set_handlers(PerlResponseHandler => 'Apache2::AuthAny::Cookie::post_login');
}
if (lc($r->auth_type) eq 'basic') {
# The AuthName randomizer is needed for IE to keep it
# from skipping the challenge when a known AuthName is sent.
my $auth_name = $r->auth_name() || 'Private';
my $rand_int = int(100000 * (1 + rand(4)));
$r->auth_name($auth_name . $rand_int);
# Make sure the auth request is going to the current directory
lib/Apache2/AuthAny/RequestConfig.pm view on Meta::CPAN
} elsif (lc($r->auth_type) eq 'auth-any') {
$aaDB = Apache2::AuthAny::DB->new() unless $aaDB;
my $pid;
my $scripted_pid = get_scripted_pid($r, $cf);
# First, check for scripted access by looking in "Authorization" header
if ($scripted_pid) {
$pid = $scripted_pid;
} else {
$pid = Apache2::AuthAny::Cookie::pid($r);
}
$r->pnotes(pid => $pid);
my $req = Apache2::Request->new($r);
if (defined $req->param('aalogout') ) {
return Apache2::AuthAny::AuthUtil::logout($r, $pid);
}
if (defined $req->param('aalogin') ) {
return Apache2::AuthAny::AuthUtil::goToGATE($r, 'first_access');
lib/Apache2/AuthAny/RequestConfig.pm view on Meta::CPAN
my $timeout = 155520000; # defaults to 5 years
if (defined $identifiedUser->{timeout}) {
$timeout = $identifiedUser->{timeout};
} elsif (defined $cf->{AuthAnyTimeout}) {
$timeout = $cf->{AuthAnyTimeout};
}
if ($pid->{state} eq 'authenticated' && time() - $pid->{last} < $timeout) {
$r->subprocess_env(AA_TIMEOUT => $timeout);
} elsif ($authId ) {
$aaDB->statePCookie($pid, 'recognized');
} else {
$aaDB->statePCookie($pid, 'logged_out');
}
$r->subprocess_env(AA_STATE => $pid->{state});
# Passing gate for logout convienience
$r->subprocess_env();
}
sub get_scripted_pid {
my $r = shift;
my $cf = shift;
use lib ("$ENV{AUTH_ANY_ROOT}/lib");
use Apache2::RequestRec ();
use Apache2::Log ();
use Apache2::Request ();
use Apache2::Module ();
use Apache2::ServerRec ();
use Apache2::AuthAny::FixupHandler ();
use Apache2::AuthAny::Cookie ();
1;
t/00-load.t view on Meta::CPAN
#!perl -T
use Test::More tests => 9;
BEGIN {
use_ok( 'Apache2::AuthAny' );
use_ok( 'Apache2::AuthAny::AuthenHandler' );
use_ok( 'Apache2::AuthAny::AuthUtil' );
use_ok( 'Apache2::AuthAny::AuthzHandler' );
use_ok( 'Apache2::AuthAny::Cookie' );
use_ok( 'Apache2::AuthAny::DB' );
use_ok( 'Apache2::AuthAny::FixupHandler' );
use_ok( 'Apache2::AuthAny::MapToStorageHandler' );
use_ok( 'Apache2::AuthAny::RequestConfig' );
}
diag( "Testing Apache2::AuthAny $Apache2::AuthAny::VERSION, Perl $], $^X" );
#!/bin/bash
TEST_PAGE=https://authany.cirg.washington.edu/demo/d3/demo.php
# Sign in and then grab your SID out of the userCookie table
AA_PID=10387726461268184698
CONCURRENCY=10
NUM_REQUESTS=10000
/usr/sbin/ab -q -c $CONCURRENCY -n $NUM_REQUESTS -C AA_PID=$AA_PID $TEST_PAGE
( run in 0.567 second using v1.01-cache-2.11-cpan-e9199f4ba4c )