Module: ModAuthPubTkt

Defined in:
lib/mod_auth_pubtkt.rb

Overview

A Ruby module for creating (and, for testing, verifying) tickets that are compatible with the Apache module mod_auth_pubtkt. A ticket is a single-line string of "key=value" fields separated by ';', signed with an RSA or DSA private key (SHA-1 digest) and verified by the Apache module against the matching public key. The module uses 'openssl' and 'base64' from the Ruby standard library.

See neon1.net/mod_auth_pubtkt/ for more details

Author:

Class Method Summary

Class Method Details

.create_ticket(uid, expires, key_path, key_type, cip = '', tokens = '', udata = '', grace_period = 0) ⇒ Object

Create a signed ticket for use in a mod_auth_pubtkt cookie. The returned string is the unsigned field list followed by ";sig=" and the Base64-encoded signature.

Field values are interpolated into the ticket unescaped. The caller must reject ';' and '=' in uid, cip, tokens and udata, otherwise a crafted value can introduce extra "key=value" fields into the string that gets signed.

See neon1.net/mod_auth_pubtkt/ for more details

Parameters

  • uid: (required; 32 chars max.)

    The user ID / username the ticket has been issued for, passed to the environment in REMOTE_USER
    
  • expires: (required.)

    A Time object that describes when this ticket will expire
    
  • key_path: (required.)

    Path to the PEM-encoded private key (RSA or DSA) used to sign the ticket. The matching public key is what the Apache module verifies against; keep the private key readable only by the process that issues tickets.
    
  • key_type: (required.)

    The type of key ("RSA" or "DSA"); must match the key in key_path
    
  • cip: (optional; 39 chars max.)

    The client IP address.
    
  • tokens: (optional; 255 chars max.)

    A comma-separated list of words (group names etc.). The contents of this field are available
    to the environment in REMOTE_USER_TOKENS
    
  • udata: (optional; 255 chars max.)

    User data, for use by scripts; made available to the environment in REMOTE_USER_DATA
    
  • grace_period: (optional)

    Number of seconds before expiry at which the ticket becomes due for refresh. It is written
    into the ticket as the absolute graceperiod timestamp, i.e. (expires - grace_period)
    


# File 'lib/mod_auth_pubtkt.rb', line 46

def create_ticket(uid, expires, key_path, key_type, cip = '', tokens = '', udata = '', grace_period = 0)
  key = open_key_file(key_path, key_type)
  # Unsigned payload. Values are interpolated verbatim (no escaping), so the
  # caller is responsible for keeping ';' and '=' out of uid/cip/tokens/udata.
  # graceperiod is an absolute timestamp, grace_period seconds before validuntil.
  tkt = "uid=#{uid};validuntil=#{expires.to_i};cip=#{cip};tokens=#{tokens};udata=#{udata};graceperiod=#{(expires - grace_period).to_i}"
  # Detached signature over everything that precedes ";sig="
  sig = encrypt tkt, key
  # Base64 without line breaks: the ticket must stay a single line for the cookie
  tkt + ";sig=" + Base64.encode64(sig).gsub("\n", '').strip
end
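
The parameter list above describes how the Apache module interprets the fields (validuntil, graceperiod, cip, tokens), but the gem itself never reads a ticket back. The following added example (not part of the gem; the names parse_pubtkt and evaluate_pubtkt are hypothetical) parses the field list and evaluates those checks the way the documented semantics suggest, so that tests can tell an expired ticket from one that is merely due for refresh. The sample ticket is constructed and its sig value is a placeholder, not a real signature.

```ruby
require 'time'

# Hypothetical helper: parse a mod_auth_pubtkt ticket into a Hash of fields.
# Fields are "key=value" pairs separated by ';'. The trailing "sig" field is
# kept so a caller can verify it separately; it is not interpreted here.
# Duplicate keys are rejected because a ticket with two "tokens=" fields is
# exactly what an unescaped ';' in a user-controlled value would produce.
def parse_pubtkt(tkt)
  fields = {}
  tkt.split(';').each do |pair|
    key, value = pair.split('=', 2)   # limit 2: Base64 signatures may contain '='
    raise ArgumentError, "malformed field: #{pair.inspect}" if key.nil? || key.empty? || value.nil?
    raise ArgumentError, "duplicate field: #{key}" if fields.key?(key)
    fields[key] = value
  end
  fields
end

# Evaluate the documented field semantics:
#   expired       - validuntil has passed
#   needs_refresh - graceperiod (absolute timestamp) has passed, ticket still valid
#   ip_ok         - cip, when non-empty, must equal the requesting client's IP
#   authorised    - at least one required token appears in the comma-separated list
# A Hash of findings is returned so the caller can distinguish "refresh" from "reject".
def evaluate_pubtkt(fields, now:, client_ip:, required_tokens: [])
  valid_until = Integer(fields.fetch('validuntil'))
  grace_at    = fields['graceperiod'].to_s.empty? ? valid_until : Integer(fields['graceperiod'])
  tokens      = fields['tokens'].to_s.split(',').reject(&:empty?)
  cip         = fields['cip'].to_s

  {
    uid:           fields.fetch('uid'),
    expired:       now.to_i >= valid_until,
    needs_refresh: now.to_i >= grace_at,
    ip_ok:         cip.empty? || cip == client_ip,
    authorised:    required_tokens.empty? || (tokens & required_tokens).any?,
    tokens:        tokens,
  }
end

# Constructed sample ticket; "sig=AAAA" is a placeholder, not a real signature.
SAMPLE_TKT = 'uid=alice;validuntil=1700000000;cip=203.0.113.7;tokens=staff,admin;udata=;graceperiod=1699999700;sig=AAAA'

if __FILE__ == $0
  fields = parse_pubtkt(SAMPLE_TKT)
  puts evaluate_pubtkt(fields, now: Time.at(1699999800), client_ip: '203.0.113.7',
                       required_tokens: ['admin']).inspect
end
```

Run the file directly to see the findings for a ticket that is inside its grace window (valid, but due for refresh). Note that evaluating fields is only meaningful after the signature has been checked; a parser that trusts an unverified ticket trusts whatever the client put in the cookie.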

.encrypt(string, key) ⇒ Object

Sign the string with key. Despite the method name this produces a detached signature over string, not ciphertext; the Apache module only verifies, it never decrypts.



# File 'lib/mod_auth_pubtkt.rb', line 78

def encrypt(string, key)
  # Detached signature, SHA-1 digest, as mod_auth_pubtkt's verifier expects.
  if key.class == OpenSSL::PKey::DSA
    # OpenSSL::Digest::DSS1 (the pre-OpenSSL-1.1.0 "DSA with SHA1" alias) no
    # longer exists in the openssl gem >= 2.0; plain SHA1 yields the same signature.
    key.sign(OpenSSL::Digest::SHA1.new, string)
  elsif key.class == OpenSSL::PKey::RSA
    key.sign(OpenSSL::Digest::SHA1.new, string)
  else
    # Returning nil here would surface later as a NoMethodError in Base64.encode64
    raise ArgumentError, "Unsupported key type: #{key.class}"
  end
end

.open_key_file(path, type) ⇒ Object

Load the PEM-encoded private key from path as an OpenSSL::PKey::DSA or OpenSSL::PKey::RSA object, according to type.



# File 'lib/mod_auth_pubtkt.rb', line 89

def open_key_file(path, type)
  # Reads an unencrypted PEM private key; the file should be readable only
  # by the ticket-issuing process.
  if type == 'DSA'
    OpenSSL::PKey::DSA.new File.read(path)
  elsif type == 'RSA'
    OpenSSL::PKey::RSA.new File.read(path)
  else
    raise ArgumentError, "key_type must be 'RSA' or 'DSA', got #{type.inspect}"
  end
end

.verify(tkt, key) ⇒ Object

Verify that a ticket's signature is valid, i.e. that it was signed by key and has not been tampered with. Returns true or false. NB: in production this check is done by the Apache module; it is provided here because it is useful for testing.



# File 'lib/mod_auth_pubtkt.rb', line 60

def verify(tkt, key)
  # Split off the trailing ";sig=..." field. The greedy (.*) is fine because
  # sig is always the last field of a ticket.
  if tkt =~ /(.*);sig=(.*)/
    str = $1
    sig = Base64.decode64($2)
  else
    raise "Invalid ticket format"
  end

  # Same digest choice as encrypt: SHA1 for both key types (DSS1 is gone from
  # the openssl gem >= 2.0 and was only an alias for SHA1 with DSA).
  if key.class == OpenSSL::PKey::DSA
    key.verify(OpenSSL::Digest::SHA1.new, sig, str)
  elsif key.class == OpenSSL::PKey::RSA
    key.verify(OpenSSL::Digest::SHA1.new, sig, str)
  else
    raise ArgumentError, "Unsupported key type: #{key.class}"
  end
end
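
The following added example exercises the create/verify round trip documented above together with the field-injection caveat on create_ticket's parameters. It is not the gem's code: it reimplements the same ticket layout and RSA-SHA1 signing so it runs without the gem installed, and the names check_field, build_unsigned_ticket, sign_ticket and verify_ticket are hypothetical. It assumes an RSA key generated in memory (DSA would work the same way with the SHA1 digest); the gem reads its key from a file instead. The length limits come from the parameter list on this page.

```ruby
require 'openssl'
require 'base64'

# Length limits from the create_ticket parameter list.
FIELD_MAX = { uid: 32, cip: 39, tokens: 255, udata: 255 }.freeze

# Refuse values that could smuggle extra "key=value" fields into the signed
# string: create_ticket interpolates parameters unescaped, so this check has
# to happen before the ticket is built.
def check_field(name, value)
  raise ArgumentError, "#{name} too long (max #{FIELD_MAX[name]})" if value.length > FIELD_MAX[name]
  raise ArgumentError, "#{name} must not contain ';' or '='" if value =~ /[;=]/
  value
end

# Same field layout as create_ticket; graceperiod is an absolute timestamp.
def build_unsigned_ticket(uid, expires, cip: '', tokens: '', udata: '', grace_period: 0)
  check_field(:uid, uid)
  check_field(:cip, cip)
  check_field(:tokens, tokens)
  check_field(:udata, udata)
  "uid=#{uid};validuntil=#{expires.to_i};cip=#{cip};tokens=#{tokens};udata=#{udata};graceperiod=#{(expires - grace_period).to_i}"
end

# Detached RSA-SHA1 signature appended as the final ";sig=" field.
# strict_encode64 is equivalent to encode64 with the newlines removed.
def sign_ticket(unsigned, key)
  sig = key.sign(OpenSSL::Digest::SHA1.new, unsigned)
  unsigned + ';sig=' + Base64.strict_encode64(sig)
end

# Verify with the public key only, as the Apache module would. Anchored
# regex; the signature is the last field so a greedy (.*) is safe.
def verify_ticket(tkt, pubkey)
  m = /\A(.*);sig=([^;]*)\z/m.match(tkt)
  raise ArgumentError, 'Invalid ticket format' unless m
  pubkey.verify(OpenSSL::Digest::SHA1.new, Base64.strict_decode64(m[2]), m[1])
rescue OpenSSL::PKey::PKeyError
  false   # a malformed signature is a failed check, not a crash
end

if __FILE__ == $0
  key     = OpenSSL::PKey::RSA.generate(2048)         # in-memory key for the demo
  expires = Time.now + 3600
  tkt     = sign_ticket(build_unsigned_ticket('alice', expires, cip: '203.0.113.7',
                                              tokens: 'staff', grace_period: 300), key)
  puts tkt
  puts "genuine:  #{verify_ticket(tkt, key.public_key)}"
  puts "tampered: #{verify_ticket(tkt.sub('tokens=staff', 'tokens=admin'), key.public_key)}"
  begin
    build_unsigned_ticket('alice;tokens=admin', expires)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Verification is done with key.public_key so the example mirrors the deployment split: the private key stays with the ticket issuer and only the public key reaches Apache. Changing any byte of a field, or verifying against a different key, makes verify_ticket return false, while a uid carrying ';' is refused before anything is signed.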