[apache2-authen-passphrase.git] / lib / Apache2 / Authen / Passphrase.pm

package Apache2::Authen::Passphrase 0.001;

use 5.014000;
use strict;
use warnings;
use parent qw/Exporter/;

use constant +{
  USER_REGEX => qr/^\w{2,20}$/pa,
  PASSPHRASE_VERSION => 1,
  INVALID_USER => "invalid-user\n",
  BAD_PASSWORD => "bad-password\n",
};

use Apache2::RequestRec;
use Apache2::Access;
use Apache2::Const qw/OK HTTP_UNAUTHORIZED/;
use Authen::Passphrase;
use Authen::Passphrase::BlowfishCrypt;
use YAML::Any qw/LoadFile DumpFile/;

our @EXPORT_OK = qw/pwset pwcheck pwhash USER_REGEX PASSPHRASE_VERSION INVALID_USER BAD_PASSWORD/;

##################################################

our $rootdir;

sub pwhash{
  my ($pass)=@_;

  my $ppr=Authen::Passphrase::BlowfishCrypt->new(
	cost => 10,
	passphrase => $pass,
	salt_random => 1,
  );

  $ppr->as_rfc2307
}

sub pwset{
  my ($user, $pass)=@_;

  my $file = "$rootdir/us/$user.yml";
  my $conf = eval { LoadFile $file } // undef;
  $conf->{passphrase}=pwhash $pass;
  $conf->{passphrase_version}=PASSPHRASE_VERSION;
  DumpFile $file, $conf;

  chmod 0660, $file;
}

sub pwcheck{
  my ($user, $pass)=@_;
  die INVALID_USER unless $user =~ USER_REGEX;
  $user=${^MATCH};# Make taint shut up
  my $conf=LoadFile "$rootdir/us/$user.yml";

  die BAD_PASSWORD unless keys $conf;# Empty hash means no such user
  die BAD_PASSWORD unless Authen::Passphrase->from_rfc2307($conf->{passphrase})->match($pass);
  pwset $user, $pass if $conf->{passphrase_version} < PASSPHRASE_VERSION
}

sub handler{
  my $r=shift;

  my ($rc, $pass) = $r->get_basic_auth_pw;
  return $rc unless $rc == OK;

  my $user=$r->user;
  unless (eval { pwcheck $user, $pass; 1 }) {
	$r->note_basic_auth_failure;
	return HTTP_UNAUTHORIZED
  }

  OK
}

1;
__END__

=head1 NAME

Apache2::Authen::Passphrase - basic authentication with Authen::Passphrase

=head1 SYNOPSIS

  use Apache2::Authen::Passphrase qw/pwcheck pwset pwhash/;
  my $hash = pwhash $username, $password;
  pwset $username, "pass123";
  eval { pwcheck $username, "pass123" };

  # In Apache2 config
  <Location /secret>
    PerlAuthenHandler Apache2::Authen::Passphrase
    AuthName MyAuth
    Require valid-user
  </Location>

=head1 DESCRIPTION

Apache2::Authen::Passphrase is a perl module which provides easy-to-use Apache2 authentication. It exports some utility functions and it contains a PerlAuthenHandler.

=head1 FUNCTIONS

=over

=item B<pwhash>()

Takes the password as a single argument and returns the password hash.

=item B<pwset>(I<$username>, I<$password>)

Sets the password of $username to $password.

=item B<pwcheck>(I<$username>, I<$password>)

Checks the given username and password, throwing an exception if the username is invalid or the password is incorrect.

=item B<handler>

The PerlAuthenHandler for use in apache2. It uses Basic Access Authentication.

=item B<USER_REGEX>

A regex that matches valid usernames. Usernames must be at least 2 characters, at most 20 characters, and they may only contain word characters (C<[A-Za-z0-9_]>).

=item B<INVALID_USER>

Exception thrown if the username does not match C<USER_REGEX>.

=item B<BAD_PASSWORD>

Exception thrown if the password is different from the one stored in the user's yml file.

=item B<PASSPHRASE_VERSION>

The version of the passphrase. It is incremented each time the passphrase hashing scheme is changed. Versions so far:

=over

=item Version 1 B<(current)>

Uses C<Authen::Passphrase::BlowfishCrypt> with a cost factor of 10

=back

=back

=head1 AUTHOR

Marius Gavrilescu, E<lt>marius@ieval.roE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2013 by Marius Gavrilescu

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.14.2 or,
at your option, any later version of Perl 5 you may have available.


=cut
Commit	Line	Data
f4cc782b MG	1	package Apache2::Authen::Passphrase 0.001;
	2
	3	use 5.014000;
	4	use strict;
	5	use warnings;
	6	use parent qw/Exporter/;
	7
	8	use constant +{
	9	USER_REGEX => qr/^\w{2,20}$/pa,
	10	PASSPHRASE_VERSION => 1,
	11	INVALID_USER => "invalid-user\n",
	12	BAD_PASSWORD => "bad-password\n",
	13	};
	14
	15	use Apache2::RequestRec;
	16	use Apache2::Access;
	17	use Apache2::Const qw/OK HTTP_UNAUTHORIZED/;
	18	use Authen::Passphrase;
	19	use Authen::Passphrase::BlowfishCrypt;
	20	use YAML::Any qw/LoadFile DumpFile/;
	21
	22	our @EXPORT_OK = qw/pwset pwcheck pwhash USER_REGEX PASSPHRASE_VERSION INVALID_USER BAD_PASSWORD/;
	23
	24	##################################################
	25
	26	our $rootdir;
	27
	28	sub pwhash{
	29	my ($pass)=@_;
	30
	31	my $ppr=Authen::Passphrase::BlowfishCrypt->new(
	32	cost => 10,
	33	passphrase => $pass,
	34	salt_random => 1,
	35	);
	36
	37	$ppr->as_rfc2307
	38	}
	39
	40	sub pwset{
	41	my ($user, $pass)=@_;
	42
	43	my $file = "$rootdir/us/$user.yml";
	44	my $conf = eval { LoadFile $file } // undef;
	45	$conf->{passphrase}=pwhash $pass;
	46	$conf->{passphrase_version}=PASSPHRASE_VERSION;
	47	DumpFile $file, $conf;
	48
	49	chmod 0660, $file;
	50	}
	51
	52	sub pwcheck{
	53	my ($user, $pass)=@_;
	54	die INVALID_USER unless $user =~ USER_REGEX;
	55	$user=${^MATCH};# Make taint shut up
	56	my $conf=LoadFile "$rootdir/us/$user.yml";
	57
	58	die BAD_PASSWORD unless keys $conf;# Empty hash means no such user
	59	die BAD_PASSWORD unless Authen::Passphrase->from_rfc2307($conf->{passphrase})->match($pass);
	60	pwset $user, $pass if $conf->{passphrase_version} < PASSPHRASE_VERSION
	61	}
	62
	63	sub handler{
	64	my $r=shift;
65
66	my ($rc, $pass) = $r->get_basic_auth_pw;
67	return $rc unless $rc == OK;
68
69	my $user=$r->user;
70	unless (eval { pwcheck $user, $pass; 1 }) {
71	$r->note_basic_auth_failure;
72	return HTTP_UNAUTHORIZED
73	}
74
75	OK
76	}
77
78	1;
79	__END__
80
81	=head1 NAME
82
83	Apache2::Authen::Passphrase - basic authentication with Authen::Passphrase
84
85	=head1 SYNOPSIS
86
87	use Apache2::Authen::Passphrase qw/pwcheck pwset pwhash/;
88	my $hash = pwhash $username, $password;
89	pwset $username, "pass123";
90	eval { pwcheck $username, "pass123" };
91
92	# In Apache2 config
93	<Location /secret>
94	PerlAuthenHandler Apache2::Authen::Passphrase
95	AuthName MyAuth
96	Require valid-user
97	</Location>
98
99	=head1 DESCRIPTION
100
101	Apache2::Authen::Passphrase is a perl module which provides easy-to-use Apache2 authentication. It exports some utility functions and it contains a PerlAuthenHandler.
102
103	=head1 FUNCTIONS
104
105	=over
106
107	=item B<pwhash>()
108
109	Takes the password as a single argument and returns the password hash.
110
111	=item B<pwset>(I<$username>, I<$password>)
112
113	Sets the password of $username to $password.
114
115	=item B<pwcheck>(I<$username>, I<$password>)
116
117	Checks the given username and password, throwing an exception if the username is invalid or the password is incorrect.
118
119	=item B<handler>
120
121	The PerlAuthenHandler for use in apache2. It uses Basic Access Authentication.
122
123	=item B<USER_REGEX>
124
125	A regex that matches valid usernames. Usernames must be at least 2 characters, at most 20 characters, and they may only contain word characters (C<[A-Za-z0-9_]>).
126
127	=item B<INVALID_USER>
128
129	Exception thrown if the username does not match C<USER_REGEX>.
130
131	=item B<BAD_PASSWORD>
132
133	Exception thrown if the password is different from the one stored in the user's yml file.
134
135	=item B<PASSPHRASE_VERSION>
136
137	The version of the passphrase. It is incremented each time the passphrase hashing scheme is changed. Versions so far:
138
139	=over
140
141	=item Version 1 B<(current)>
142
143	Uses C<Authen::Passphrase::BlowfishCrypt> with a cost factor of 10
144
145	=back
146
147	=back
148
149	=head1 AUTHOR
150
151	Marius Gavrilescu, E<lt>marius@ieval.roE<gt>
152
153	=head1 COPYRIGHT AND LICENSE
154
155	Copyright (C) 2013 by Marius Gavrilescu
156
157	This library is free software; you can redistribute it and/or modify
158	it under the same terms as Perl itself, either Perl version 5.14.2 or,
159	at your option, any later version of Perl 5 you may have available.
160
161
162	=cut