X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FCredential%2FHTTP.pm;h=507562c6c7cdd52afc8d0fcbe55de7cf8120af7d;hb=656e911d618002b6df61c989b19e452979f4d8c7;hp=e3ca145e3cf802fd2647fd09c8e48a9f3e00e781;hpb=490754a879478bb59a403e73618773f3fc9d6638;p=catagits%2FCatalyst-Authentication-Credential-HTTP.git diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm index e3ca145..507562c 100644 --- a/lib/Catalyst/Authentication/Credential/HTTP.pm +++ b/lib/Catalyst/Authentication/Credential/HTTP.pm @@ -9,40 +9,68 @@ use URI::Escape (); use Catalyst (); use Digest::MD5 (); -BEGIN { - __PACKAGE__->mk_accessors(qw/_config realm/); -} - -our $VERSION = "1.002"; +__PACKAGE__->mk_accessors(qw/ + _config + authorization_required_message + password_field + username_field + type + realm + algorithm + use_uri_for + no_unprompted_authorization_required + require_ssl + broken_dotnet_digest_without_query_string +/); + +our $VERSION = '1.014'; sub new { my ($class, $config, $app, $realm) = @_; - - my $self = { _config => $config, _debug => $app->debug }; + + $config->{username_field} ||= 'username'; + # _config is shity back-compat with our base class. + my $self = { %$config, _config => $config, _debug => $app->debug ? 1 : 0 }; bless $self, $class; - + $self->realm($realm); - - my $type = $self->_config->{'type'} ||= 'any'; - + + $self->init; + return $self; +} + +sub init { + my ($self) = @_; + my $type = $self->type || 'any'; + if (!grep /$type/, ('basic', 'digest', 'any')) { Catalyst::Exception->throw(__PACKAGE__ . " used with unsupported authentication type: " . $type); } - return $self; + $self->type($type); } sub authenticate { my ( $self, $c, $realm, $auth_info ) = @_; my $auth; + $self->authentication_failed( $c, $realm, $auth_info ) + if $self->require_ssl ? $c->req->base->scheme ne 'https' : 0; + $auth = $self->authenticate_digest($c, $realm, $auth_info) if $self->_is_http_auth_type('digest'); return $auth if $auth; $auth = $self->authenticate_basic($c, $realm, $auth_info) if $self->_is_http_auth_type('basic'); return $auth if $auth; - - $self->authorization_required_response($c, $realm, $auth_info); - die $Catalyst::DETACH; + + $self->authentication_failed( $c, $realm, $auth_info ); +} + +sub authentication_failed { + my ( $self, $c, $realm, $auth_info ) = @_; + unless ($self->no_unprompted_authorization_required) { + $self->authorization_required_response($c, $realm, $auth_info); + die $Catalyst::DETACH; + } } sub authenticate_basic { @@ -53,15 +81,22 @@ sub authenticate_basic { my $headers = $c->req->headers; if ( my ( $username, $password ) = $headers->authorization_basic ) { - my $user_obj = $realm->find_user( { username => $username }, $c); - if (ref($user_obj)) { - if ($self->check_password($user_obj, {$self->_config->{password_field} => $password})) { - $c->set_authenticated($user_obj); + my $user_obj = $realm->find_user( { $self->username_field => $username }, $c); + if (ref($user_obj)) { + my $opts = {}; + $opts->{$self->password_field} = $password + if $self->password_field; + if ($self->check_password($user_obj, $opts)) { return $user_obj; } - } - else { - $c->log->debug("Unable to locate user matching user info provided") if $c->debug; + else { + $c->log->debug("Password mismatch!") if $c->debug; + return; + } + } + else { + $c->log->debug("Unable to locate user matching user info provided") + if $c->debug; return; } } @@ -92,11 +127,13 @@ sub authenticate_digest { $c->log->debug('Checking authentication parameters.') if $c->debug; - my $uri = '/' . $c->request->path; + my $uri = $c->request->uri->path_query; my $algorithm = $res{algorithm} || 'MD5'; my $nonce_count = '0x' . $res{nc}; - my $check = $uri eq $res{uri} + my $check = ($uri eq $res{uri} || + ($self->broken_dotnet_digest_without_query_string && + $c->request->uri->path eq $res{uri})) && ( exists $res{username} ) && ( exists $res{qop} ) && ( exists $res{cnonce} ) @@ -117,12 +154,12 @@ sub authenticate_digest { my $username = $res{username}; - my $user; + my $user_obj; - unless ( $user = $auth_info->{user} ) { - $user = $realm->find_user( { username => $username }, $c); + unless ( $user_obj = $auth_info->{user} ) { + $user_obj = $realm->find_user( { $self->username_field => $username }, $c); } - unless ($user) { # no user, no authentication + unless ($user_obj) { # no user, no authentication $c->log->debug("Unable to locate user matching user info provided") if $c->debug; return; } @@ -141,13 +178,12 @@ sub authenticate_digest { # the idea of the for loop: # if we do not want to store the plain password in our user store, # we can store md5_hex("$username:$realm:$password") instead - my $password_field = $self->_config->{password_field}; + my $password_field = $self->password_field; for my $r ( 0 .. 1 ) { - # FIXME - Do not assume accessor is called password. # calculate H(A1) as per spec - my $A1_digest = $r ? $user->$password_field() : do { + my $A1_digest = $r ? $user_obj->$password_field() : do { $ctx = Digest::MD5->new; - $ctx->add( join( ':', $username, $realm->name, $user->$password_field() ) ); + $ctx->add( join( ':', $username, $realm->name, $user_obj->$password_field() ) ); $ctx->hexdigest; }; if ( $nonce->algorithm eq 'MD5-sess' ) { @@ -162,11 +198,10 @@ sub authenticate_digest { $A2_digest ); my $rq_digest = Digest::MD5::md5_hex($digest_in); $nonce->nonce_count($nonce_count); - $c->cache->set( __PACKAGE__ . '::opaque:' . $nonce->opaque, - $nonce ); + my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque; + $self->store_digest_authorization_nonce( $c, $key, $nonce ); if ($rq_digest eq $res{response}) { - $c->set_authenticated($user); - return 1; + return $user_obj; } } } @@ -183,7 +218,7 @@ sub _check_cache { sub _is_http_auth_type { my ( $self, $type ) = @_; - my $cfgtype = lc( $self->_config->{'type'} || 'any' ); + my $cfgtype = lc( $self->type ); return 1 if $cfgtype eq 'any' || $cfgtype eq lc $type; return 0; } @@ -193,10 +228,10 @@ sub authorization_required_response { $c->res->status(401); $c->res->content_type('text/plain'); - if (exists $self->_config->{authorization_required_message}) { + if (exists $self->{authorization_required_message}) { # If you set the key to undef, don't stamp on the body. - $c->res->body($self->_config->{authorization_required_message}) - if defined $c->res->body($self->_config->{authorization_required_message}); + $c->res->body($self->authorization_required_message) + if defined $self->authorization_required_message; } else { $c->res->body('Authorization required.'); @@ -223,9 +258,9 @@ sub _add_authentication_header { sub _create_digest_auth_response { my ( $self, $c, $opts ) = @_; - + return unless $self->_is_http_auth_type('digest'); - + if ( my $digest = $self->_build_digest_auth_header( $c, $opts ) ) { _add_authentication_header( $c, $digest ); return 1; @@ -236,7 +271,7 @@ sub _create_digest_auth_response { sub _create_basic_auth_response { my ( $self, $c, $opts ) = @_; - + return unless $self->_is_http_auth_type('basic'); if ( my $basic = $self->_build_basic_auth_header( $c, $opts ) ) { @@ -248,38 +283,34 @@ sub _create_basic_auth_response { } sub _build_auth_header_realm { - my ( $self ) = @_; - - if ( my $realm = $self->realm ) { - my $realm_name = String::Escape::qprintable($realm->name); + my ( $self, $c, $opts ) = @_; + if ( my $realm_name = String::Escape::qprintable($opts->{realm} ? $opts->{realm} : $self->realm->name) ) { $realm_name = qq{"$realm_name"} unless $realm_name =~ /^"/; return 'realm=' . $realm_name; - } + } return; } sub _build_auth_header_domain { my ( $self, $c, $opts ) = @_; - if ( my $domain = $opts->{domain} ) { Catalyst::Exception->throw("domain must be an array reference") unless ref($domain) && ref($domain) eq "ARRAY"; my @uris = - $self->_config->{use_uri_for} + $self->use_uri_for ? ( map { $c->uri_for($_) } @$domain ) : ( map { URI::Escape::uri_escape($_) } @$domain ); return qq{domain="@uris"}; - } + } return; } sub _build_auth_header_common { my ( $self, $c, $opts ) = @_; - return ( - $self->_build_auth_header_realm(), + $self->_build_auth_header_realm($c, $opts), $self->_build_auth_header_domain($c, $opts), ); } @@ -295,7 +326,7 @@ sub _build_digest_auth_header { my $nonce = $self->_digest_auth_nonce($c, $opts); my $key = __PACKAGE__ . '::opaque:' . $nonce->opaque; - + $self->store_digest_authorization_nonce( $c, $key, $nonce ); return _join_auth_header_parts( Digest => @@ -316,7 +347,7 @@ sub _digest_auth_nonce { my $nonce = $package->new; - if ( my $algorithm = $opts->{algorithm} || $self->_config->{algorithm}) { + if ( my $algorithm = $opts->{algorithm} || $self->algorithm) { $nonce->algorithm( $algorithm ); } @@ -330,7 +361,7 @@ sub _join_auth_header_parts { sub get_digest_authorization_nonce { my ( $self, $c, $key ) = @_; - + _check_cache($c); return $c->cache->get( $key ); } @@ -383,9 +414,10 @@ for Catalyst. /; __PACKAGE__->config( authentication => { - realms => { - example => { - credential => { + default_realm => 'example', + realms => { + example => { + credential => { class => 'HTTP', type => 'any', # or 'digest' or 'basic' password_type => 'clear', @@ -404,12 +436,27 @@ for Catalyst. sub foo : Local { my ( $self, $c ) = @_; - $c->authenticate({ realm => "example" }); + $c->authenticate({ realm => "example" }); # either user gets authenticated or 401 is sent + # Note that the authentication realm sent to the client (in the + # RFC 2617 sense) is overridden here, but this *does not* + # effect the Catalyst::Authentication::Realm used for + # authentication - to do that, you need + # $c->authenticate({}, 'otherrealm') do_stuff(); } + sub always_auth : Local { + my ( $self, $c ) = @_; + + # Force authorization headers onto the response so that the user + # is asked again for authentication, even if they successfully + # authenticated. + my $realm = $c->get_auth_realm('example'); + $realm->credential->authorization_required_response($c, $realm); + } + # with ACL plugin __PACKAGE__->deny_access_unless("/path", sub { $_[0]->authenticate }); @@ -447,6 +494,10 @@ C methods as shown below. Simple constructor. +=item init + +Validates that $config is ok. + =item authenticate $c, $realm, \%auth_info Tries to authenticate the user, and if that fails calls @@ -457,15 +508,55 @@ Looks inside C<< $c->request->headers >> and processes the digest and basic This will only try the methods set in the configuration. First digest, then basic. -This method just passes the options through untouched. See the next two methods for what \%auth_info can contain. +The %auth_info hash can contain a number of keys which control the authentication behaviour: + +=over + +=item realm + +Sets the HTTP authentication realm presented to the client. Note this does not alter the +Catalyst::Authentication::Realm object used for the authentication. + +=item domain + +Array reference to domains used to build the authorization headers. + +This list of domains defines the protection space. If a domain URI is an +absolute path (starts with /), it is relative to the root URL of the server being accessed. +An absolute URI in this list may refer to a different server than the one being accessed. + +The client will use this list to determine the set of URIs for which the same authentication +information may be sent. + +If this is omitted or its value is empty, the client will assume that the +protection space consists of all URIs on the responding server. + +Therefore, if your application is not hosted at the root of this domain, and you want to +prevent the authentication credentials for this application being sent to any other applications. +then you should use the I configuration option, and pass a domain of I. + +=back =item authenticate_basic $c, $realm, \%auth_info -Acts like L, and will lookup the user's password as detailed in that module. +Performs HTTP basic authentication. =item authenticate_digest $c, $realm, \%auth_info -Assumes that your user object has a hard coded method which returns a clear text password. +Performs HTTP digest authentication. + +The password_type B be I for digest authentication to +succeed. If you do not want to store your user passwords as clear +text, you may instead store the MD5 digest in hex of the string +'$username:$realm:$password'. + +L is used for persistent storage of the nonce +values (see L). It must be loaded in your application, unless +you override the C and +C methods as shown below. + +Takes an additional parameter of I, the possible values of which are 'MD5' (the default) +and 'MD5-sess'. For more information about 'MD5-sess', see section 3.2.2.2 in RFC 2617. =item authorization_required_response $c, $realm, \%auth_info @@ -486,15 +577,19 @@ Set or get the C<$nonce> object used by the digest auth mode. You may override these methods. By default they will call C and C on C<< $c->cache >>. +=item authentication_failed + +Sets the 401 response and calls C<< $ctx->detach >>. + =back =head1 CONFIGURATION -All configuration is stored in C<< YourApp->config(authentication => { yourrealm => { credential => { class => 'HTTP', %config } } } >>. +All configuration is stored in C<< YourApp->config('Plugin::Authentication' => { yourrealm => { credential => { class => 'HTTP', %config } } } >>. This should be a hash, and it can contain the following entries: -=over 4 +=over =item type @@ -507,6 +602,53 @@ not the "manual" methods. Set this to a string to override the default body content "Authorization required.", or set to undef to suppress body content being generated. +=item password_type + +The type of password returned by the user object. Same usage as in +L + +=item password_field + +The name of accessor used to retrieve the value of the password field from the user object. Same usage as in +L + +=item username_field + +The field name that the user's username is mapped into when finding the user from the realm. Defaults to 'username'. + +=item use_uri_for + +If this configuration key has a true value, then the domain(s) for the authorization header will be +run through $c->uri_for(). Use this configuration option if your application is not running at the root +of your domain, and you want to ensure that authentication credentials from your application are not shared with +other applications on the same server. + +=item require_ssl + +If this configuration key has a true value then authentication will be denied +(and a 401 issued in normal circumstances) unless the request is via https. + +=item no_unprompted_authorization_required + +Causes authentication to fail as normal modules do, without calling +C<< $c->detach >>. This means that the basic auth credential can be used as +part of the progressive realm. + +However use like this is probably not optimum it also means that users in +browsers ill never get a HTTP authenticate dialogue box (unless you manually +return a 401 response in your application), and even some automated +user agents (for APIs) will not send the Authorization header without +specific manipulation of the request headers. + +=item broken_dotnet_digest_without_query_string + +Enables support for .NET (or other similarly broken clients), which +fails to include the query string in the uri in the digest +Authorization header, contrary to rfc2617. + +This option has no effect on clients that include the query string; +they will continue to work as normal. + =back =head1 RESTRICTIONS @@ -523,7 +665,7 @@ C methods return a hashed or salted version of the password. Updated to current name space and currently maintained by: Tomas Doran C. -Original module by: +Original module by: =over @@ -535,6 +677,20 @@ Original module by: =back +=head1 CONTRIBUTORS + +Patches contributed by: + +=over + +=item Peter Corlett + +=item Devin Austin (dhoss) C + +=item Ronald J Kimball + +=back + =head1 SEE ALSO RFC 2617 (or its successors), L, L