Module: ModAuthPubTkt
Defined in: lib/mod_auth_pubtkt.rb
Overview
A Ruby module for creating tickets that are compatible with the Apache module mod_auth_pubtkt.
See neon1.net/mod_auth_pubtkt/ for more details.
Class Method Summary
- .create_ticket(uid, expires, key_path, key_type, cip = '', tokens = '', udata = '', grace_period = 0) ⇒ Object
  Create a ticket for use in a mod_auth_pubtkt cookie.
- .encrypt(string, key) ⇒ Object
  Sign the string with key (the method is named encrypt, but it produces a signature).
- .open_key_file(path, type) ⇒ Object
  Load the private key from a PEM file.
- .verify(tkt, key) ⇒ Object
  Verify that a ticket's signature is valid, i.e. that it has not been tampered with.
Class Method Details
.create_ticket(uid, expires, key_path, key_type, cip = '', tokens = '', udata = '', grace_period = 0) ⇒ Object
Create a ticket for use in a mod_auth_pubtkt cookie
See neon1.net/mod_auth_pubtkt/ for more details
Parameters
- uid (required; 32 chars max.): The user ID / username the ticket has been issued for; passed to the environment in REMOTE_USER.
- expires (required): A Time object that describes when this ticket will expire.
- key_path (required): Path to the private key used to sign the ticket.
- key_type (required): The type of key ("RSA" or "DSA").
- cip (optional; 39 chars max.): The client IP address.
- tokens (optional; 255 chars max.): A comma-separated list of words (group names etc.). The contents of this field are available to the environment in REMOTE_USER_TOKENS.
- udata (optional; 255 chars max.): User data, for use by scripts; made available to the environment in REMOTE_USER_DATA.
- grace_period (optional): A number of seconds before expiry from which the ticket is due for refresh; written into the ticket's graceperiod field as expires minus grace_period.
# File 'lib/mod_auth_pubtkt.rb', line 46
def create_ticket(uid, expires, key_path, key_type, cip = '', tokens = '', udata = '', grace_period = 0)
  key = open_key_file(key_path, key_type)
  # Ticket body in mod_auth_pubtkt's "field=value;" layout. validuntil and
  # graceperiod are Unix timestamps. Values are interpolated unescaped, so the
  # caller must make sure uid, tokens and udata contain no ';' (the field separator).
  tkt = "uid=#{uid};validuntil=#{expires.to_i};cip=#{cip};tokens=#{tokens};udata=#{udata};graceperiod=#{(expires - grace_period).to_i}"
  # Sign the body and append the base64 signature, minus the line breaks
  # that Base64.encode64 inserts every 60 characters.
  sig = encrypt tkt, key
  tkt + ";sig=" + Base64.encode64(sig).gsub("\n", '').strip
end
.encrypt(string, key) ⇒ Object
Sign the string with key. Despite the name, this is a signature, not encryption: Apache verifies it with the public key configured for mod_auth_pubtkt.
# File 'lib/mod_auth_pubtkt.rb', line 78
def encrypt(string, key)
  if key.class == OpenSSL::PKey::DSA
    # DSS1 (SHA-1 for DSA) was removed from the Ruby openssl gem in 2.0;
    # on those versions use OpenSSL::Digest::SHA1 for DSA keys as well.
    key.sign(OpenSSL::Digest::DSS1.new, string)
  elsif key.class == OpenSSL::PKey::RSA
    key.sign(OpenSSL::Digest::SHA1.new, string)
  end
end
.open_key_file(path, type) ⇒ Object
Load the private key from a PEM file.
# File 'lib/mod_auth_pubtkt.rb', line 89
def open_key_file(path, type)
  # Reads a PEM-encoded private key of the given type; returns nil for any other type.
  if type == 'DSA'
    OpenSSL::PKey::DSA.new File.read(path)
  elsif type == 'RSA'
    OpenSSL::PKey::RSA.new File.read(path)
  end
end
.verify(tkt, key) ⇒ Object
Verify that a ticket's signature is valid, i.e. that it has not been tampered with. NB: in production this check is done by the Apache module; it is provided here for testing. Only the signature is checked: expiry (validuntil), client IP and tokens are enforced by mod_auth_pubtkt itself.
# File 'lib/mod_auth_pubtkt.rb', line 60
def verify(tkt, key)
  # Split the ticket into the signed body and the base64 signature.
  if tkt =~ /(.*);sig=(.*)/
    str = $1
    sig = Base64.decode64($2)
  else
    raise "Invalid ticket format"
  end
  # Signature check only; validuntil, cip and tokens are not evaluated here.
  if key.class == OpenSSL::PKey::DSA
    key.verify(OpenSSL::Digest::DSS1.new, sig, str)
  elsif key.class == OpenSSL::PKey::RSA
    key.verify(OpenSSL::Digest::SHA1.new, sig, str)
  end
end