Class: ApacheAuthTkt

Inherits:

Object

Object
ApacheAuthTkt

show all

Defined in:: lib/apache_auth_tkt.rb

Instance Attribute Summary collapse

#base64encode ⇒ Object

Returns the value of attribute base64encode.
#conf_file ⇒ Object

Returns the value of attribute conf_file.
#digest_type ⇒ Object

Returns the value of attribute digest_type.
#error ⇒ Object

Returns the value of attribute error.
#ipaddr ⇒ Object

Returns the value of attribute ipaddr.
#lifetime ⇒ Object

Returns the value of attribute lifetime.
#secret ⇒ Object

Returns the value of attribute secret.

Instance Method Summary collapse

#_get_secret(filename) ⇒ Object
#create_ticket(user_opts = {}) ⇒ Object

based on meso.net/mod_auth_tkt.
#expired?(tkt) ⇒ Boolean
#get_digest(ts, ipaddr, user, tokens, data) ⇒ Object
#initialize(args) ⇒ ApacheAuthTkt constructor

A new instance of ApacheAuthTkt.
#ip2long(ip) ⇒ Object

from meso.net/mod_auth_tkt function adapted according to php: generates an IPv4 Internet network address from its Internet standard format (dotted string) representation.
#parse_ticket(tkt) ⇒ Object
#validate_ticket(tkt, ipaddr = '0.0.0.0') ⇒ Object

Constructor Details

#initialize(args) ⇒ `ApacheAuthTkt`

Returns a new instance of ApacheAuthTkt.

# File 'lib/apache_auth_tkt.rb', line 33

def initialize(args)

   #puts args.inspect

   # set defaults
   if (args.has_key? :ipaddr)
      @ipaddr = args[:ipaddr]
   else
      @ipaddr = '0.0.0.0'
   end

   if (args.has_key? :secret)
      @secret = args[:secret]
   elsif (args.has_key? :conf_file)
      @secret = _get_secret(args[:conf_file])
      if (!@secret.length)
         raise "Can't parse secret from " + args[:conf_file]
      end
   else
      raise "Must pass 'secret' or 'conf_file'"
   end

   if (args[:digest_type])
      @digest_type = args[:digest_type]
   else
      @digest_type = 'md5'
   end

   if (args.has_key? :base64encode)
      @base64encode = args[:base64encode]
   else
      @base64encode = true
   end

   if (args.has_key? :lifetime)
      @lifetime = args[:lifetime]
   else
      # 8 hours.
      @lifetime = 28800
   end

end

Instance Attribute Details

#base64encode ⇒ `Object`

Returns the value of attribute base64encode.



30
31
32

# File 'lib/apache_auth_tkt.rb', line 30

def base64encode
  @base64encode
end

#conf_file ⇒ `Object`

Returns the value of attribute conf_file.



28
29
30

# File 'lib/apache_auth_tkt.rb', line 28

def conf_file
  @conf_file
end

#digest_type ⇒ `Object`

Returns the value of attribute digest_type.



27
28
29

# File 'lib/apache_auth_tkt.rb', line 27

def digest_type
  @digest_type
end

#error ⇒ `Object`

Returns the value of attribute error.



29
30
31

# File 'lib/apache_auth_tkt.rb', line 29

def error
  @error
end

#ipaddr ⇒ `Object`

Returns the value of attribute ipaddr.



26
27
28

# File 'lib/apache_auth_tkt.rb', line 26

def ipaddr
  @ipaddr
end

#lifetime ⇒ `Object`

Returns the value of attribute lifetime.



31
32
33

# File 'lib/apache_auth_tkt.rb', line 31

def lifetime
  @lifetime
end

#secret ⇒ `Object`

Returns the value of attribute secret.



25
26
27

# File 'lib/apache_auth_tkt.rb', line 25

def secret
  @secret
end

Instance Method Details

#_get_secret(filename) ⇒ `Object`

# File 'lib/apache_auth_tkt.rb', line 76

def _get_secret(filename)
   # based on http://meso.net/mod_auth_tkt
   if (!File.file? filename)
      raise "#{filename} is not a file"
   end
   secret_str = ''
   open(filename) do |file|
      file.each do |line|
         if line.include? 'TKTAuthSecret'
            secret_str = line.gsub('TKTAuthSecret', '').strip.gsub("\"", '').gsub("'",'')
            break
         end
      end
   end
   return secret_str
end

#create_ticket(user_opts = {}) ⇒ `Object`

based on meso.net/mod_auth_tkt

# File 'lib/apache_auth_tkt.rb', line 105

def create_ticket(user_opts={})
   options = {
      :user       => 'guest',
      :tokens     => '',
      :user_data  => '',
      :ignore_ip  => false,
      :ts         => Time.now.to_i
   }.merge(user_opts)

   timestamp  = options[:ts]
   ip_address = options[:ignore_ip] ? '0.0.0.0' : @ipaddr
   digest = get_digest(timestamp, ip_address, options[:user], options[:tokens], options[:user_data])
   tkt = sprintf("%s%08x%s!%s!%s", digest, timestamp, options[:user], options[:tokens], options[:user_data])

   if (@base64encode)
      tkt = Base64.encode64(tkt).gsub("\n", '').strip
   end

   return tkt

end

#expired?(tkt) ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/apache_auth_tkt.rb', line 196

def expired?(tkt)
   return false if @lifetime.nil?
   parsed = self.parse_ticket(tkt)
   if (!parsed)
      return false
   end
   !(parsed[:ts] + @lifetime >= Time.now.to_i)
end

#get_digest(ts, ipaddr, user, tokens, data) ⇒ `Object`

# File 'lib/apache_auth_tkt.rb', line 127

def get_digest(ts, ipaddr, user, tokens, data)
   ipts = [ip2long(ipaddr), ts].pack("NN")
   digest0 = nil
   digest  = nil
   raw     = ipts + @secret + user + "\0" + tokens + "\0" + data
   if (@digest_type == 'md5')
      digest0 = Digest::MD5.hexdigest(raw)
      digest  = Digest::MD5.hexdigest(digest0 + @secret)
   elsif (@digest_type == 'sha256')
      digest0 = Digest::SHA256.hexdigest(raw)
      digest  = Digest::SHA256.hexdigest(digest0 + @secret)
   else
      raise "unsupported digest type: " + @digest_type
   end
   return digest
end

#ip2long(ip) ⇒ `Object`

from meso.net/mod_auth_tkt function adapted according to php: generates an IPv4 Internet network address from its Internet standard format (dotted string) representation.

# File 'lib/apache_auth_tkt.rb', line 96

def ip2long(ip)
   long = 0
   ip.split( /\./ ).reverse.each_with_index do |x, i|
      long += x.to_i << ( i * 8 )
   end
   long
end

#parse_ticket(tkt) ⇒ `Object`

# File 'lib/apache_auth_tkt.rb', line 157

def parse_ticket(tkt)
   # strip possible lead/trail quotes
   tkt = tkt.gsub(/^"|"$/,'')

   # test if base64 encoded before decoding
   if (@base64encode && tkt.length % 4 == 0 && tkt =~ /^[A-Za-z0-9+\/=]+\Z/)
      tkt = Base64.decode64(tkt)
   end

   # sanity checks
   if (tkt.length < 40)
      @error = "ticket string too short"
      return false
   end
   if (!tkt.index('!'))
      @error = "ticket missing !"
      return false
   end

   # parse it
   parts = tkt.split(/\!/)
   parsed = {:tokens => '', :data => ''}
   if (packed = parts[0].match('^(.{32})(.{8})(.+)$'))
      parsed[:digest] = packed[1]
      parsed[:ts]     = packed[2].hex
      parsed[:user]    = packed[3]
      if (parts.length == 3)
         parsed[:tokens] = parts[1]
         parsed[:data]   = parts[2]
      elsif (parts.length == 2)
         parsed[:tokens] = parts[1]
      end
   else
      @error = "invalid ticket pattern"
      return false
   end
   return parsed
end

#validate_ticket(tkt, ipaddr = '0.0.0.0') ⇒ `Object`

# File 'lib/apache_auth_tkt.rb', line 144

def validate_ticket(tkt, ipaddr='0.0.0.0')
   parsed = parse_ticket(tkt)
   if (!parsed)
      return false
   end
   expected_digest = get_digest(parsed[:ts], ipaddr, parsed[:user], parsed[:tokens], parsed[:data])
   if (expected_digest == parsed[:digest])
      return parsed
   else
      return false
   end
end

Class: ApacheAuthTkt

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(args) ⇒ ApacheAuthTkt

Instance Attribute Details

#base64encode ⇒ Object

#conf_file ⇒ Object

#digest_type ⇒ Object

#error ⇒ Object

#ipaddr ⇒ Object

#lifetime ⇒ Object

#secret ⇒ Object

Instance Method Details

#_get_secret(filename) ⇒ Object

#create_ticket(user_opts = {}) ⇒ Object

#expired?(tkt) ⇒ Boolean

#get_digest(ts, ipaddr, user, tokens, data) ⇒ Object

#ip2long(ip) ⇒ Object

#parse_ticket(tkt) ⇒ Object

#validate_ticket(tkt, ipaddr = '0.0.0.0') ⇒ Object