lib/Apache2/Authen/Passphrase.pm

   1 package Apache2::Authen::Passphrase;
   2
   3 use 5.014000;
   4 use strict;
   5 use warnings;
   6 use parent qw/Exporter/;
   7 use subs qw/OK HTTP_UNAUTHORIZED/;
   8
   9 our $VERSION = 0.002001;
  10
  11 use constant USER_REGEX => qr/^\w{2,20}$/pas;
  12 use constant PASSPHRASE_VERSION => 1;
  13 use constant INVALID_USER => "invalid-user\n";
  14 use constant BAD_PASSWORD => "bad-password\n";
  15
  16 use if $ENV{MOD_PERL}, 'Apache2::RequestRec';
  17 use if $ENV{MOD_PERL}, 'Apache2::Access';
  18 use if $ENV{MOD_PERL}, 'Apache2::Const' => qw/OK HTTP_UNAUTHORIZED/;
  19 use Authen::Passphrase;
  20 use Authen::Passphrase::BlowfishCrypt;
  21 use YAML::Any qw/LoadFile DumpFile/;
  22
  23 our @EXPORT_OK = qw/pwset pwcheck pwhash USER_REGEX PASSPHRASE_VERSION INVALID_USER BAD_PASSWORD/;
  24
  25 ##################################################
  26
  27 our $rootdir;
  28 $rootdir //= $ENV{AAP_ROOTDIR};
  29
  30 sub pwhash{
  31   my ($pass)=@_;
  32
  33   my $ppr=Authen::Passphrase::BlowfishCrypt->new(
  34         cost => 10,
  35         passphrase => $pass,
  36         salt_random => 1,
  37   );
  38
  39   $ppr->as_rfc2307
  40 }
  41
  42 sub pwset{
  43   my ($user, $pass)=@_;
  44
  45   my $file = "$rootdir/$user.yml";
  46   my $conf = eval { LoadFile $file } // undef;
  47   $conf->{passphrase}=pwhash $pass;
  48   $conf->{passphrase_version}=PASSPHRASE_VERSION;
  49   DumpFile $file, $conf;
  50
  51   chmod 0660, $file;
  52 }
  53
  54 sub pwcheck{
  55   my ($user, $pass)=@_;
  56   die INVALID_USER unless $user =~ USER_REGEX; ## no critic (RequireCarping)
  57   $user=${^MATCH};# Make taint shut up
  58   my $conf=LoadFile "$rootdir/$user.yml";
  59
  60   ## no critic (RequireCarping)
  61   die BAD_PASSWORD unless keys $conf;# Empty hash means no such user
  62   die BAD_PASSWORD unless Authen::Passphrase->from_rfc2307($conf->{passphrase})->match($pass);
  63   ## use critic
  64   pwset $user, $pass if $conf->{passphrase_version} < PASSPHRASE_VERSION
  65 }
  66
  67 sub handler{
  68   my $r=shift;
  69   local $rootdir = $r->dir_config('AuthenPassphraseRootdir');
  70
  71   my ($rc, $pass) = $r->get_basic_auth_pw;
  72   return $rc unless $rc == OK;
  73
  74   my $user=$r->user;
  75   unless (eval { pwcheck $user, $pass; 1 }) {
  76         $r->note_basic_auth_failure;
  77         return HTTP_UNAUTHORIZED
  78   }
  79
  80   OK
  81 }
  82
  83 1;
  84 __END__
  85
  86 =head1 NAME
  87
  88 Apache2::Authen::Passphrase - basic authentication with Authen::Passphrase
  89
  90 =head1 SYNOPSIS
  91
  92   use Apache2::Authen::Passphrase qw/pwcheck pwset pwhash/;
  93   $Apache2::Authen::Passphrase::rootdir = "/path/to/user/directory"
  94   my $hash = pwhash $username, $password;
  95   pwset $username, "pass123";
  96   eval { pwcheck $username, "pass123" };
  97
  98   # In Apache2 config
  99   <Location /secret>
 100     PerlAuthenHandler Apache2::Authen::Passphrase
 101     PerlSetVar AuthenPassphraseRootdir /path/to/user/directory
 102     AuthName MyAuth
 103     Require valid-user
 104   </Location>
 105
 106 =head1 DESCRIPTION
 107
 108 Apache2::Authen::Passphrase is a perl module which provides easy-to-use Apache2 authentication. It exports some utility functions and it contains a PerlAuthenHandler.
 109
 110 The password hashes are stored in YAML files in an directory (called the C<rootdir>), one file per user.
 111
 112 Set the C<rootdir> like this:
 113
 114   $Apache2::Authen::Passphrase::rootdir = '/path/to/rootdir';
 115
 116 or by setting the C<AAP_ROOTDIR> enviroment variable to the desired value.
 117
 118 =head1 FUNCTIONS
 119
 120 =over
 121
 122 =item B<pwhash>()
 123
 124 Takes the password as a single argument and returns the password hash.
 125
 126 =item B<pwset>(I<$username>, I<$password>)
 127
 128 Sets the password of $username to $password.
 129
 130 =item B<pwcheck>(I<$username>, I<$password>)
 131
 132 Checks the given username and password, throwing an exception if the username is invalid or the password is incorrect.
 133
 134 =item B<handler>
 135
 136 The PerlAuthenHandler for use in apache2. It uses Basic Access Authentication.
 137
 138 =item B<USER_REGEX>
 139
 140 A regex that matches valid usernames. Usernames must be at least 2 characters, at most 20 characters, and they may only contain word characters (C<[A-Za-z0-9_]>).
 141
 142 =item B<INVALID_USER>
 143
 144 Exception thrown if the username does not match C<USER_REGEX>.
 145
 146 =item B<BAD_PASSWORD>
 147
 148 Exception thrown if the password is different from the one stored in the user's yml file.
 149
 150 =item B<PASSPHRASE_VERSION>
 151
 152 The version of the passphrase. It is incremented each time the passphrase hashing scheme is changed. Versions so far:
 153
 154 =over
 155
 156 =item Version 1 B<(current)>
 157
 158 Uses C<Authen::Passphrase::BlowfishCrypt> with a cost factor of 10
 159
 160 =back
 161
 162 =back
 163
 164 =head1 ENVIRONMENT
 165
 166 =over
 167
 168 =item AAP_ROOTDIR
 169
 170 If the C<rootdir> is not explicitly set, it is taken from this environment variable.
 171
 172 =back
 173
 174 =head1 AUTHOR
 175
 176 Marius Gavrilescu, E<lt>marius@ieval.roE<gt>
 177
 178 =head1 COPYRIGHT AND LICENSE
 179
 180 Copyright (C) 2013 by Marius Gavrilescu
 181
 182 This library is free software; you can redistribute it and/or modify
 183 it under the same terms as Perl itself, either Perl version 5.14.2 or,
 184 at your option, any later version of Perl 5 you may have available.
 185
 186
 187 =cut