Commit | Line | Data |
---|---|---|
f4cc782b MG |
1 | package Apache2::Authen::Passphrase 0.001; |
2 | ||
3 | use 5.014000; | |
4 | use strict; | |
5 | use warnings; | |
6 | use parent qw/Exporter/; | |
7 | ||
8 | use constant +{ | |
9 | USER_REGEX => qr/^\w{2,20}$/pa, | |
10 | PASSPHRASE_VERSION => 1, | |
11 | INVALID_USER => "invalid-user\n", | |
12 | BAD_PASSWORD => "bad-password\n", | |
13 | }; | |
14 | ||
15 | use Apache2::RequestRec; | |
16 | use Apache2::Access; | |
17 | use Apache2::Const qw/OK HTTP_UNAUTHORIZED/; | |
18 | use Authen::Passphrase; | |
19 | use Authen::Passphrase::BlowfishCrypt; | |
20 | use YAML::Any qw/LoadFile DumpFile/; | |
21 | ||
22 | our @EXPORT_OK = qw/pwset pwcheck pwhash USER_REGEX PASSPHRASE_VERSION INVALID_USER BAD_PASSWORD/; | |
23 | ||
24 | ################################################## | |
25 | ||
26 | our $rootdir; | |
27 | ||
28 | sub pwhash{ | |
29 | my ($pass)=@_; | |
30 | ||
31 | my $ppr=Authen::Passphrase::BlowfishCrypt->new( | |
32 | cost => 10, | |
33 | passphrase => $pass, | |
34 | salt_random => 1, | |
35 | ); | |
36 | ||
37 | $ppr->as_rfc2307 | |
38 | } | |
39 | ||
40 | sub pwset{ | |
41 | my ($user, $pass)=@_; | |
42 | ||
43 | my $file = "$rootdir/us/$user.yml"; | |
44 | my $conf = eval { LoadFile $file } // undef; | |
45 | $conf->{passphrase}=pwhash $pass; | |
46 | $conf->{passphrase_version}=PASSPHRASE_VERSION; | |
47 | DumpFile $file, $conf; | |
48 | ||
49 | chmod 0660, $file; | |
50 | } | |
51 | ||
52 | sub pwcheck{ | |
53 | my ($user, $pass)=@_; | |
54 | die INVALID_USER unless $user =~ USER_REGEX; | |
55 | $user=${^MATCH};# Make taint shut up | |
56 | my $conf=LoadFile "$rootdir/us/$user.yml"; | |
57 | ||
58 | die BAD_PASSWORD unless keys $conf;# Empty hash means no such user | |
59 | die BAD_PASSWORD unless Authen::Passphrase->from_rfc2307($conf->{passphrase})->match($pass); | |
60 | pwset $user, $pass if $conf->{passphrase_version} < PASSPHRASE_VERSION | |
61 | } | |
62 | ||
63 | sub handler{ | |
64 | my $r=shift; | |
65 | ||
66 | my ($rc, $pass) = $r->get_basic_auth_pw; | |
67 | return $rc unless $rc == OK; | |
68 | ||
69 | my $user=$r->user; | |
70 | unless (eval { pwcheck $user, $pass; 1 }) { | |
71 | $r->note_basic_auth_failure; | |
72 | return HTTP_UNAUTHORIZED | |
73 | } | |
74 | ||
75 | OK | |
76 | } | |
77 | ||
78 | 1; | |
79 | __END__ | |
80 | ||
81 | =head1 NAME | |
82 | ||
83 | Apache2::Authen::Passphrase - basic authentication with Authen::Passphrase | |
84 | ||
85 | =head1 SYNOPSIS | |
86 | ||
87 | use Apache2::Authen::Passphrase qw/pwcheck pwset pwhash/; | |
88 | my $hash = pwhash $username, $password; | |
89 | pwset $username, "pass123"; | |
90 | eval { pwcheck $username, "pass123" }; | |
91 | ||
92 | # In Apache2 config | |
93 | <Location /secret> | |
94 | PerlAuthenHandler Apache2::Authen::Passphrase | |
95 | AuthName MyAuth | |
96 | Require valid-user | |
97 | </Location> | |
98 | ||
99 | =head1 DESCRIPTION | |
100 | ||
101 | Apache2::Authen::Passphrase is a perl module which provides easy-to-use Apache2 authentication. It exports some utility functions and it contains a PerlAuthenHandler. | |
102 | ||
103 | =head1 FUNCTIONS | |
104 | ||
105 | =over | |
106 | ||
107 | =item B<pwhash>() | |
108 | ||
109 | Takes the password as a single argument and returns the password hash. | |
110 | ||
111 | =item B<pwset>(I<$username>, I<$password>) | |
112 | ||
113 | Sets the password of $username to $password. | |
114 | ||
115 | =item B<pwcheck>(I<$username>, I<$password>) | |
116 | ||
117 | Checks the given username and password, throwing an exception if the username is invalid or the password is incorrect. | |
118 | ||
119 | =item B<handler> | |
120 | ||
121 | The PerlAuthenHandler for use in apache2. It uses Basic Access Authentication. | |
122 | ||
123 | =item B<USER_REGEX> | |
124 | ||
125 | A regex that matches valid usernames. Usernames must be at least 2 characters, at most 20 characters, and they may only contain word characters (C<[A-Za-z0-9_]>). | |
126 | ||
127 | =item B<INVALID_USER> | |
128 | ||
129 | Exception thrown if the username does not match C<USER_REGEX>. | |
130 | ||
131 | =item B<BAD_PASSWORD> | |
132 | ||
133 | Exception thrown if the password is different from the one stored in the user's yml file. | |
134 | ||
135 | =item B<PASSPHRASE_VERSION> | |
136 | ||
137 | The version of the passphrase. It is incremented each time the passphrase hashing scheme is changed. Versions so far: | |
138 | ||
139 | =over | |
140 | ||
141 | =item Version 1 B<(current)> | |
142 | ||
143 | Uses C<Authen::Passphrase::BlowfishCrypt> with a cost factor of 10 | |
144 | ||
145 | =back | |
146 | ||
147 | =back | |
148 | ||
149 | =head1 AUTHOR | |
150 | ||
151 | Marius Gavrilescu, E<lt>marius@ieval.roE<gt> | |
152 | ||
153 | =head1 COPYRIGHT AND LICENSE | |
154 | ||
155 | Copyright (C) 2013 by Marius Gavrilescu | |
156 | ||
157 | This library is free software; you can redistribute it and/or modify | |
158 | it under the same terms as Perl itself, either Perl version 5.14.2 or, | |
159 | at your option, any later version of Perl 5 you may have available. | |
160 | ||
161 | ||
162 | =cut |