Commit | Line | Data |
---|---|---|
7c87e995 MG |
1 | package Apache2::Authen::Passphrase; |
2 | ||
f4cc782b MG |
3 | use 5.014000; |
4 | use strict; | |
5 | use warnings; | |
6 | use parent qw/Exporter/; | |
788a3738 | 7 | use subs qw/OK HTTP_UNAUTHORIZED/; |
f4cc782b | 8 | |
8443f44e MG |
9 | our $VERSION = 0.002001; |
10 | ||
11 | use constant USER_REGEX => qr/^\w{2,20}$/pas; | |
12 | use constant PASSPHRASE_VERSION => 1; | |
13 | use constant INVALID_USER => "invalid-user\n"; | |
14 | use constant BAD_PASSWORD => "bad-password\n"; | |
f4cc782b | 15 | |
788a3738 MG |
16 | use if $ENV{MOD_PERL}, 'Apache2::RequestRec'; |
17 | use if $ENV{MOD_PERL}, 'Apache2::Access'; | |
18 | use if $ENV{MOD_PERL}, 'Apache2::Const' => qw/OK HTTP_UNAUTHORIZED/; | |
f4cc782b MG |
19 | use Authen::Passphrase; |
20 | use Authen::Passphrase::BlowfishCrypt; | |
21 | use YAML::Any qw/LoadFile DumpFile/; | |
22 | ||
23 | our @EXPORT_OK = qw/pwset pwcheck pwhash USER_REGEX PASSPHRASE_VERSION INVALID_USER BAD_PASSWORD/; | |
24 | ||
25 | ################################################## | |
26 | ||
8443f44e MG |
27 | our $rootdir; |
28 | $rootdir //= $ENV{AAP_ROOTDIR}; | |
f4cc782b MG |
29 | |
30 | sub pwhash{ | |
31 | my ($pass)=@_; | |
32 | ||
33 | my $ppr=Authen::Passphrase::BlowfishCrypt->new( | |
34 | cost => 10, | |
35 | passphrase => $pass, | |
36 | salt_random => 1, | |
37 | ); | |
38 | ||
39 | $ppr->as_rfc2307 | |
40 | } | |
41 | ||
42 | sub pwset{ | |
43 | my ($user, $pass)=@_; | |
44 | ||
f7fdbaad | 45 | my $file = "$rootdir/$user.yml"; |
f4cc782b MG |
46 | my $conf = eval { LoadFile $file } // undef; |
47 | $conf->{passphrase}=pwhash $pass; | |
48 | $conf->{passphrase_version}=PASSPHRASE_VERSION; | |
49 | DumpFile $file, $conf; | |
50 | ||
51 | chmod 0660, $file; | |
52 | } | |
53 | ||
54 | sub pwcheck{ | |
55 | my ($user, $pass)=@_; | |
8443f44e | 56 | die INVALID_USER unless $user =~ USER_REGEX; ## no critic (RequireCarping) |
f4cc782b | 57 | $user=${^MATCH};# Make taint shut up |
f7fdbaad | 58 | my $conf=LoadFile "$rootdir/$user.yml"; |
f4cc782b | 59 | |
8443f44e | 60 | ## no critic (RequireCarping) |
f4cc782b MG |
61 | die BAD_PASSWORD unless keys $conf;# Empty hash means no such user |
62 | die BAD_PASSWORD unless Authen::Passphrase->from_rfc2307($conf->{passphrase})->match($pass); | |
8443f44e | 63 | ## use critic |
f4cc782b MG |
64 | pwset $user, $pass if $conf->{passphrase_version} < PASSPHRASE_VERSION |
65 | } | |
66 | ||
67 | sub handler{ | |
68 | my $r=shift; | |
f7fdbaad | 69 | local $rootdir = $r->dir_config('AuthenPassphraseRootdir'); |
f4cc782b MG |
70 | |
71 | my ($rc, $pass) = $r->get_basic_auth_pw; | |
72 | return $rc unless $rc == OK; | |
73 | ||
74 | my $user=$r->user; | |
75 | unless (eval { pwcheck $user, $pass; 1 }) { | |
76 | $r->note_basic_auth_failure; | |
77 | return HTTP_UNAUTHORIZED | |
78 | } | |
79 | ||
80 | OK | |
81 | } | |
82 | ||
83 | 1; | |
84 | __END__ | |
85 | ||
86 | =head1 NAME | |
87 | ||
88 | Apache2::Authen::Passphrase - basic authentication with Authen::Passphrase | |
89 | ||
90 | =head1 SYNOPSIS | |
91 | ||
92 | use Apache2::Authen::Passphrase qw/pwcheck pwset pwhash/; | |
f7fdbaad | 93 | $Apache2::Authen::Passphrase::rootdir = "/path/to/user/directory" |
f4cc782b MG |
94 | my $hash = pwhash $username, $password; |
95 | pwset $username, "pass123"; | |
96 | eval { pwcheck $username, "pass123" }; | |
97 | ||
98 | # In Apache2 config | |
99 | <Location /secret> | |
100 | PerlAuthenHandler Apache2::Authen::Passphrase | |
f7fdbaad | 101 | PerlSetVar AuthenPassphraseRootdir /path/to/user/directory |
f4cc782b MG |
102 | AuthName MyAuth |
103 | Require valid-user | |
104 | </Location> | |
105 | ||
106 | =head1 DESCRIPTION | |
107 | ||
108 | Apache2::Authen::Passphrase is a perl module which provides easy-to-use Apache2 authentication. It exports some utility functions and it contains a PerlAuthenHandler. | |
109 | ||
7c87e995 MG |
110 | The password hashes are stored in YAML files in an directory (called the C<rootdir>), one file per user. |
111 | ||
112 | Set the C<rootdir> like this: | |
113 | ||
114 | $Apache2::Authen::Passphrase::rootdir = '/path/to/rootdir'; | |
115 | ||
116 | or by setting the C<AAP_ROOTDIR> enviroment variable to the desired value. | |
117 | ||
f4cc782b MG |
118 | =head1 FUNCTIONS |
119 | ||
120 | =over | |
121 | ||
122 | =item B<pwhash>() | |
123 | ||
124 | Takes the password as a single argument and returns the password hash. | |
125 | ||
126 | =item B<pwset>(I<$username>, I<$password>) | |
127 | ||
128 | Sets the password of $username to $password. | |
129 | ||
130 | =item B<pwcheck>(I<$username>, I<$password>) | |
131 | ||
132 | Checks the given username and password, throwing an exception if the username is invalid or the password is incorrect. | |
133 | ||
134 | =item B<handler> | |
135 | ||
136 | The PerlAuthenHandler for use in apache2. It uses Basic Access Authentication. | |
137 | ||
138 | =item B<USER_REGEX> | |
139 | ||
140 | A regex that matches valid usernames. Usernames must be at least 2 characters, at most 20 characters, and they may only contain word characters (C<[A-Za-z0-9_]>). | |
141 | ||
142 | =item B<INVALID_USER> | |
143 | ||
144 | Exception thrown if the username does not match C<USER_REGEX>. | |
145 | ||
146 | =item B<BAD_PASSWORD> | |
147 | ||
148 | Exception thrown if the password is different from the one stored in the user's yml file. | |
149 | ||
150 | =item B<PASSPHRASE_VERSION> | |
151 | ||
152 | The version of the passphrase. It is incremented each time the passphrase hashing scheme is changed. Versions so far: | |
153 | ||
154 | =over | |
155 | ||
156 | =item Version 1 B<(current)> | |
157 | ||
158 | Uses C<Authen::Passphrase::BlowfishCrypt> with a cost factor of 10 | |
159 | ||
160 | =back | |
161 | ||
162 | =back | |
163 | ||
7c87e995 MG |
164 | =head1 ENVIRONMENT |
165 | ||
166 | =over | |
167 | ||
168 | =item AAP_ROOTDIR | |
169 | ||
170 | If the C<rootdir> is not explicitly set, it is taken from this environment variable. | |
171 | ||
172 | =back | |
173 | ||
f4cc782b MG |
174 | =head1 AUTHOR |
175 | ||
176 | Marius Gavrilescu, E<lt>marius@ieval.roE<gt> | |
177 | ||
178 | =head1 COPYRIGHT AND LICENSE | |
179 | ||
180 | Copyright (C) 2013 by Marius Gavrilescu | |
181 | ||
182 | This library is free software; you can redistribute it and/or modify | |
183 | it under the same terms as Perl itself, either Perl version 5.14.2 or, | |
184 | at your option, any later version of Perl 5 you may have available. | |
185 | ||
186 | ||
187 | =cut |