Class: ApacheAuthTkt

Inherits:

Object

• Object
• ApacheAuthTkt

Defined in:

lib/apache_authtkt.rb

Defined Under Namespace

Classes: InvalidDigestTypeError

Constant Summary

DIGEST_LENGTHS =

{
  'md5' => 32,
  'sha256' => 64,
  'sha512' => 128,
}

Instance Attribute Summary

• #base64encode ⇒ Object

  Returns the value of attribute base64encode.

• #conf_file ⇒ Object

  Returns the value of attribute conf_file.

• #digest_type ⇒ Object

  Returns the value of attribute digest_type.

• #error ⇒ Object

  Returns the value of attribute error.

• #ipaddr ⇒ Object

  Returns the value of attribute ipaddr.

• #lifetime ⇒ Object

  Returns the value of attribute lifetime.

• #secret ⇒ Object

  Returns the value of attribute secret.

Instance Method Summary

• #_get_secret(filename) ⇒ Object
• #create_ticket(user_opts = {}) ⇒ Object

  based on meso.net/mod_auth_tkt.

• #expired?(tkt) ⇒ Boolean
• #get_digest(ts, ipaddr, user, tokens, data) ⇒ Object
• #initialize(args) ⇒ ApacheAuthTkt constructor

  A new instance of ApacheAuthTkt.

• #ip2long(ip) ⇒ Object

  from meso.net/mod_auth_tkt function adapted according to php: generates an IPv4 Internet network address from its Internet standard format (dotted string) representation.

• #parse_ticket(tkt) ⇒ Object
• #validate_ticket(tkt, ipaddr = '0.0.0.0') ⇒ Object

Constructor Details

#initialize(args) ⇒ ApacheAuthTkt

Returns a new instance of ApacheAuthTkt.

Raises:

• (InvalidDigestTypeError)

# File 'lib/apache_authtkt.rb', line 40

def initialize(args)

   #puts args.inspect

   # set defaults
   if (args.has_key? :ipaddr)
      @ipaddr = args[:ipaddr]
   else
      @ipaddr = '0.0.0.0'
   end

   if (args.has_key? :secret)
      @secret = args[:secret]
   elsif (args.has_key? :conf_file)
      @secret = _get_secret(args[:conf_file])
      if (!@secret.length)
         raise "Can't parse secret from " + args[:conf_file]
      end
   else
      raise "Must pass 'secret' or 'conf_file'"
   end

   if (args[:digest_type])
      @digest_type = args[:digest_type]
   else
      @digest_type = 'md5'
   end

   raise(InvalidDigestTypeError, @digest_type) unless DIGEST_LENGTHS[@digest_type.downcase]

   if (args.has_key? :base64encode)
      @base64encode = args[:base64encode]
   else
      @base64encode = true
   end

   if (args.has_key? :lifetime)
      @lifetime = args[:lifetime]
   else
      # 8 hours.
      @lifetime = 28800
   end

end

Instance Attribute Details

#base64encode ⇒ Object

Returns the value of attribute base64encode.

# File 'lib/apache_authtkt.rb', line 31

def base64encode
  @base64encode
end

#conf_file ⇒ Object

Returns the value of attribute conf_file.

# File 'lib/apache_authtkt.rb', line 29

def conf_file
  @conf_file
end

#digest_type ⇒ Object

Returns the value of attribute digest_type.

# File 'lib/apache_authtkt.rb', line 28

def digest_type
  @digest_type
end

#error ⇒ Object

Returns the value of attribute error.

# File 'lib/apache_authtkt.rb', line 30

def error
  @error
end

#ipaddr ⇒ Object

Returns the value of attribute ipaddr.

# File 'lib/apache_authtkt.rb', line 27

def ipaddr
  @ipaddr
end

#lifetime ⇒ Object

Returns the value of attribute lifetime.

# File 'lib/apache_authtkt.rb', line 32

def lifetime
  @lifetime
end

#secret ⇒ Object

Returns the value of attribute secret.

# File 'lib/apache_authtkt.rb', line 26

def secret
  @secret
end

Instance Method Details

#_get_secret(filename) ⇒ Object

# File 'lib/apache_authtkt.rb', line 85

def _get_secret(filename)
   # based on http://meso.net/mod_auth_tkt
   if (!File.file? filename)
      raise "#{filename} is not a file"
   end
   secret_str = ''
   open(filename) do |file|
      file.each do |line|
         if line.include? 'TKTAuthSecret'
            secret_str = line.gsub('TKTAuthSecret', '').strip.gsub("\"", '').gsub("'",'')
            break
         end
      end
   end
   return secret_str
end

#create_ticket(user_opts = {}) ⇒ Object

based on meso.net/mod_auth_tkt

# File 'lib/apache_authtkt.rb', line 114

def create_ticket(user_opts={})
   options = {
      :user       => 'guest',
      :tokens     => '',
      :user_data  => '',
      :ignore_ip  => false,
      :ts         => Time.now.to_i
   }.merge(user_opts)

   timestamp  = options[:ts]
   ip_address = options[:ignore_ip] ? '0.0.0.0' : @ipaddr
   digest = get_digest(timestamp, ip_address, options[:user], options[:tokens], options[:user_data])
   tkt = sprintf("%s%08x%s!%s!%s", digest, timestamp, options[:user], options[:tokens], options[:user_data])

   if (@base64encode)
      tkt = Base64.encode64(tkt).gsub("\n", '').strip
   end

   return tkt

end

#expired?(tkt) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/apache_authtkt.rb', line 199

def expired?(tkt)
   return false if @lifetime.nil?
   parsed = self.parse_ticket(tkt)
   if (!parsed)
      return false
   end
   !(parsed[:ts] + @lifetime >= Time.now.to_i)
end

#get_digest(ts, ipaddr, user, tokens, data) ⇒ Object

# File 'lib/apache_authtkt.rb', line 136

def get_digest(ts, ipaddr, user, tokens, data)
   ipts = [ip2long(ipaddr), ts].pack("NN")
   digest0 = nil
   digest  = nil
   raw     = ipts + @secret + user + "\0" + tokens + "\0" + data
   digest0 = digest_klass.hexdigest(raw)
   digest  = digest_klass.hexdigest(digest0 + @secret)
   return digest
end

#ip2long(ip) ⇒ Object

from meso.net/mod_auth_tkt function adapted according to php: generates an IPv4 Internet network address from its Internet standard format (dotted string) representation.

# File 'lib/apache_authtkt.rb', line 105

def ip2long(ip)
   long = 0
   ip.split( /\./ ).reverse.each_with_index do |x, i|
      long += x.to_i << ( i * 8 )
   end
   long
end

#parse_ticket(tkt) ⇒ Object

# File 'lib/apache_authtkt.rb', line 159

def parse_ticket(tkt)
   # strip possible lead/trail quotes
   tkt = tkt.gsub(/^"|"$/,'')

   # test if base64 encoded before decoding
   if (@base64encode && tkt.length % 4 == 0 && tkt =~ /^[A-Za-z0-9+\/=]+\Z/)
      tkt = Base64.decode64(tkt)
   end

   # sanity checks
   if (tkt.length < 40)
      @error = "ticket string too short"
      return false
   end
   if (!tkt.index('!'))
      @error = "ticket missing !"
      return false
   end

   # parse it
   parts = tkt.split(/\!/)
   parsed = {:tokens => '', :data => ''}
   digest_length = DIGEST_LENGTHS[@digest_type.downcase]
   if (packed = parts[0].match("^(.{#{digest_length}})(.{8})(.+)$"))
      parsed[:digest] = packed[1]
      parsed[:ts]     = packed[2].hex
      parsed[:user]    = packed[3]
      if (parts.length == 3)
         parsed[:tokens] = parts[1]
         parsed[:data]   = parts[2]
      elsif (parts.length == 2)
         parsed[:tokens] = parts[1]
      end
   else
      @error = "invalid ticket pattern"
      return false
   end
   return parsed
end

#validate_ticket(tkt, ipaddr = '0.0.0.0') ⇒ Object

# File 'lib/apache_authtkt.rb', line 146

def validate_ticket(tkt, ipaddr='0.0.0.0')
   parsed = parse_ticket(tkt)
   if (!parsed)
      return false
   end
   expected_digest = get_digest(parsed[:ts], ipaddr, parsed[:user], parsed[:tokens], parsed[:data])
   if (expected_digest == parsed[:digest])
      return parsed
   else
      return false
   end
end