]> iEval git - apache2-authen-passphrase.git/blob - lib/Apache2/Authen/Passphrase.pm
ae8d01c7d33b0fb99871c71aa86fa13fa71d477f
[apache2-authen-passphrase.git] / lib / Apache2 / Authen / Passphrase.pm
1 package Apache2::Authen::Passphrase;
2
3 use 5.014000;
4 use strict;
5 use warnings;
6 use parent qw/Exporter/;
7 use subs qw/OK HTTP_UNAUTHORIZED/;
8
9 our $VERSION = 0.002001;
10
11 use constant USER_REGEX => qr/^\w{2,20}$/pas;
12 use constant PASSPHRASE_VERSION => 1;
13 use constant INVALID_USER => "invalid-user\n";
14 use constant BAD_PASSWORD => "bad-password\n";
15
16 use if $ENV{MOD_PERL}, 'Apache2::RequestRec';
17 use if $ENV{MOD_PERL}, 'Apache2::Access';
18 use if $ENV{MOD_PERL}, 'Apache2::Const' => qw/OK HTTP_UNAUTHORIZED/;
19 use Authen::Passphrase;
20 use Authen::Passphrase::BlowfishCrypt;
21 use YAML::Any qw/LoadFile DumpFile/;
22
23 our @EXPORT_OK = qw/pwset pwcheck pwhash USER_REGEX PASSPHRASE_VERSION INVALID_USER BAD_PASSWORD/;
24
25 ##################################################
26
27 our $rootdir;
28 $rootdir //= $ENV{AAP_ROOTDIR};
29
30 sub pwhash{
31 my ($pass)=@_;
32
33 my $ppr=Authen::Passphrase::BlowfishCrypt->new(
34 cost => 10,
35 passphrase => $pass,
36 salt_random => 1,
37 );
38
39 $ppr->as_rfc2307
40 }
41
42 sub pwset{
43 my ($user, $pass)=@_;
44
45 my $file = "$rootdir/$user.yml";
46 my $conf = eval { LoadFile $file } // undef;
47 $conf->{passphrase}=pwhash $pass;
48 $conf->{passphrase_version}=PASSPHRASE_VERSION;
49 DumpFile $file, $conf;
50
51 chmod 0660, $file;
52 }
53
54 sub pwcheck{
55 my ($user, $pass)=@_;
56 die INVALID_USER unless $user =~ USER_REGEX; ## no critic (RequireCarping)
57 $user=${^MATCH};# Make taint shut up
58 my $conf=LoadFile "$rootdir/$user.yml";
59
60 ## no critic (RequireCarping)
61 die BAD_PASSWORD unless keys $conf;# Empty hash means no such user
62 die BAD_PASSWORD unless Authen::Passphrase->from_rfc2307($conf->{passphrase})->match($pass);
63 ## use critic
64 pwset $user, $pass if $conf->{passphrase_version} < PASSPHRASE_VERSION
65 }
66
67 sub handler{
68 my $r=shift;
69 local $rootdir = $r->dir_config('AuthenPassphraseRootdir');
70
71 my ($rc, $pass) = $r->get_basic_auth_pw;
72 return $rc unless $rc == OK;
73
74 my $user=$r->user;
75 unless (eval { pwcheck $user, $pass; 1 }) {
76 $r->note_basic_auth_failure;
77 return HTTP_UNAUTHORIZED
78 }
79
80 OK
81 }
82
83 1;
84 __END__
85
86 =head1 NAME
87
88 Apache2::Authen::Passphrase - basic authentication with Authen::Passphrase
89
90 =head1 SYNOPSIS
91
92 use Apache2::Authen::Passphrase qw/pwcheck pwset pwhash/;
93 $Apache2::Authen::Passphrase::rootdir = "/path/to/user/directory"
94 my $hash = pwhash $username, $password;
95 pwset $username, "pass123";
96 eval { pwcheck $username, "pass123" };
97
98 # In Apache2 config
99 <Location /secret>
100 PerlAuthenHandler Apache2::Authen::Passphrase
101 PerlSetVar AuthenPassphraseRootdir /path/to/user/directory
102 AuthName MyAuth
103 Require valid-user
104 </Location>
105
106 =head1 DESCRIPTION
107
108 Apache2::Authen::Passphrase is a perl module which provides easy-to-use Apache2 authentication. It exports some utility functions and it contains a PerlAuthenHandler.
109
110 The password hashes are stored in YAML files in an directory (called the C<rootdir>), one file per user.
111
112 Set the C<rootdir> like this:
113
114 $Apache2::Authen::Passphrase::rootdir = '/path/to/rootdir';
115
116 or by setting the C<AAP_ROOTDIR> enviroment variable to the desired value.
117
118 =head1 FUNCTIONS
119
120 =over
121
122 =item B<pwhash>()
123
124 Takes the password as a single argument and returns the password hash.
125
126 =item B<pwset>(I<$username>, I<$password>)
127
128 Sets the password of $username to $password.
129
130 =item B<pwcheck>(I<$username>, I<$password>)
131
132 Checks the given username and password, throwing an exception if the username is invalid or the password is incorrect.
133
134 =item B<handler>
135
136 The PerlAuthenHandler for use in apache2. It uses Basic Access Authentication.
137
138 =item B<USER_REGEX>
139
140 A regex that matches valid usernames. Usernames must be at least 2 characters, at most 20 characters, and they may only contain word characters (C<[A-Za-z0-9_]>).
141
142 =item B<INVALID_USER>
143
144 Exception thrown if the username does not match C<USER_REGEX>.
145
146 =item B<BAD_PASSWORD>
147
148 Exception thrown if the password is different from the one stored in the user's yml file.
149
150 =item B<PASSPHRASE_VERSION>
151
152 The version of the passphrase. It is incremented each time the passphrase hashing scheme is changed. Versions so far:
153
154 =over
155
156 =item Version 1 B<(current)>
157
158 Uses C<Authen::Passphrase::BlowfishCrypt> with a cost factor of 10
159
160 =back
161
162 =back
163
164 =head1 ENVIRONMENT
165
166 =over
167
168 =item AAP_ROOTDIR
169
170 If the C<rootdir> is not explicitly set, it is taken from this environment variable.
171
172 =back
173
174 =head1 AUTHOR
175
176 Marius Gavrilescu, E<lt>marius@ieval.roE<gt>
177
178 =head1 COPYRIGHT AND LICENSE
179
180 Copyright (C) 2013 by Marius Gavrilescu
181
182 This library is free software; you can redistribute it and/or modify
183 it under the same terms as Perl itself, either Perl version 5.14.2 or,
184 at your option, any later version of Perl 5 you may have available.
185
186
187 =cut
This page took 0.064642 seconds and 4 git commands to generate.