line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Mojolicious::Plugin::PlugAuthLite; |
2
|
|
|
|
|
|
|
|
3
|
10
|
|
|
10
|
|
4143
|
use Mojo::Base qw( Mojolicious::Plugin ); |
|
10
|
|
|
|
|
27
|
|
|
10
|
|
|
|
|
82
|
|
4
|
10
|
|
|
10
|
|
2081
|
use Mojo::ByteStream qw( b ); |
|
10
|
|
|
|
|
24
|
|
|
10
|
|
|
|
|
483
|
|
5
|
10
|
|
|
10
|
|
213
|
use 5.010001; |
|
10
|
|
|
|
|
35
|
|
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
# ABSTRACT: Add a minimal PlugAuth server to your Mojolicious application. |
8
|
|
|
|
|
|
|
our $VERSION = '0.36_01'; # TRIAL VERSION |
9
|
|
|
|
|
|
|
$VERSION = eval $VERSION; |
10
|
|
|
|
|
|
|
|
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
sub register |
13
|
|
|
|
|
|
|
{ |
14
|
9
|
|
|
9
|
1
|
416
|
my($self, $app, $conf) = @_; |
15
|
|
|
|
|
|
|
|
16
|
9
|
|
100
|
2
|
|
52
|
my $cb_auth = $conf->{auth} // sub { 0 }; |
|
2
|
|
|
|
|
9
|
|
17
|
9
|
|
100
|
1
|
|
52
|
my $cb_authz = $conf->{authz} // sub { 1 }; |
|
1
|
|
|
|
|
5
|
|
18
|
9
|
|
100
|
0
|
|
53
|
my $cb_host = $conf->{host} // sub { 0 }; |
|
0
|
|
|
|
|
0
|
|
19
|
9
|
|
50
|
|
|
59
|
my $realm = $conf->{realm} // 'PlugAuthLite'; |
20
|
9
|
|
66
|
|
|
83
|
my $base_url = $conf->{url} // $conf->{uri} // ''; |
|
|
|
50
|
|
|
|
|
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
$app->routes->get("$base_url/auth" => sub { |
23
|
14
|
|
|
14
|
|
507793
|
my $self = shift; |
24
|
14
|
|
|
|
|
57
|
eval { |
25
|
14
|
|
|
|
|
82
|
my $auth_header = $self->req->headers->authorization; |
26
|
14
|
100
|
|
|
|
543
|
unless($auth_header) |
27
|
|
|
|
|
|
|
{ |
28
|
5
|
|
|
|
|
33
|
$self->res->headers->www_authenticate("Basic \"$realm\""); |
29
|
5
|
|
|
|
|
178
|
$self->render(text => 'please authenticate', status => 401); |
30
|
5
|
|
|
|
|
2358
|
return; |
31
|
|
|
|
|
|
|
} |
32
|
9
|
|
|
|
|
66
|
my ($method,$str) = split / /,$auth_header; |
33
|
9
|
|
|
|
|
90
|
my ($user,$pw) = split /:/, b($str)->b64_decode; |
34
|
9
|
100
|
|
|
|
397
|
if($cb_auth->($user, $pw)) |
35
|
|
|
|
|
|
|
{ |
36
|
4
|
|
|
|
|
67
|
$self->render(text => 'ok', status => 200); |
37
|
|
|
|
|
|
|
} |
38
|
|
|
|
|
|
|
else |
39
|
|
|
|
|
|
|
{ |
40
|
5
|
|
|
|
|
60
|
$self->render(text => 'not ok', status => 403); |
41
|
|
|
|
|
|
|
} |
42
|
|
|
|
|
|
|
}; |
43
|
14
|
50
|
|
|
|
4939
|
$self->render(text => 'not ok', status => 503) if $@; |
44
|
9
|
|
|
|
|
107
|
})->name('plugauth_auth'); |
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
$app->routes->get("$base_url/authz/user/#user/#action/(*resource)" => { resource => '/' } => sub { |
47
|
6
|
|
|
6
|
|
215793
|
my $self = shift; |
48
|
6
|
|
|
|
|
19
|
eval { |
49
|
6
|
|
|
|
|
18
|
my($user, $resource, $action) = map { $self->stash($_) } qw( user resource action ); |
|
18
|
|
|
|
|
170
|
|
50
|
6
|
|
|
|
|
98
|
$resource =~ s{^/?}{/}; |
51
|
6
|
100
|
|
|
|
40
|
if($cb_authz->($user, $action, $resource)) |
52
|
|
|
|
|
|
|
{ |
53
|
4
|
|
|
|
|
2501
|
$self->render(text => 'ok', status => 200); |
54
|
|
|
|
|
|
|
} |
55
|
|
|
|
|
|
|
else |
56
|
|
|
|
|
|
|
{ |
57
|
2
|
|
|
|
|
1875
|
$self->render(text => 'not ok', status => 403); |
58
|
|
|
|
|
|
|
} |
59
|
|
|
|
|
|
|
}; |
60
|
6
|
50
|
|
|
|
2471
|
$self->render(text => 'not ok', status => 503) if $@; |
61
|
9
|
|
|
|
|
3727
|
})->name('plugauth_authz'); |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
$app->routes->get("$base_url/host/#host/:tag" => sub { |
64
|
2
|
|
|
2
|
|
68175
|
my $self = shift; |
65
|
2
|
|
|
|
|
9
|
eval { |
66
|
2
|
|
|
|
|
11
|
my ($host,$tag) = map $self->stash($_), qw/host tag/; |
67
|
2
|
50
|
|
|
|
51
|
if ($cb_host->($host,$tag)) { |
68
|
0
|
|
|
|
|
0
|
return $self->render(text => 'ok', status => 200); |
69
|
|
|
|
|
|
|
} |
70
|
2
|
|
|
|
|
14
|
return $self->render(text => 'not ok', status => 403); |
71
|
|
|
|
|
|
|
}; |
72
|
2
|
50
|
|
|
|
994
|
$self->render(text => 'not ok', status => 503) if $@; |
73
|
9
|
|
|
|
|
4049
|
})->name('plugauth_host'); |
74
|
|
|
|
|
|
|
|
75
|
9
|
|
|
|
|
2772
|
return; |
76
|
|
|
|
|
|
|
} |
77
|
|
|
|
|
|
|
|
78
|
|
|
|
|
|
|
1; |
79
|
|
|
|
|
|
|
|
80
|
|
|
|
|
|
|
__END__ |
81
|
|
|
|
|
|
|
|
82
|
|
|
|
|
|
|
=pod |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
=encoding UTF-8 |
85
|
|
|
|
|
|
|
|
86
|
|
|
|
|
|
|
=head1 NAME |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
Mojolicious::Plugin::PlugAuthLite - Add a minimal PlugAuth server to your Mojolicious application. |
89
|
|
|
|
|
|
|
|
90
|
|
|
|
|
|
|
=head1 VERSION |
91
|
|
|
|
|
|
|
|
92
|
|
|
|
|
|
|
version 0.36_01 |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
=head1 SYNOPSIS |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
use Mojolicious::Lite |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
plugin 'plug_auth_lite', |
99
|
|
|
|
|
|
|
auth => sub { |
100
|
|
|
|
|
|
|
my($user, $pass) = @_; |
101
|
|
|
|
|
|
|
if($user eq 'optimus' && $pass eq 'matrix') |
102
|
|
|
|
|
|
|
{ return 1; } |
103
|
|
|
|
|
|
|
else |
104
|
|
|
|
|
|
|
{ return 0; } |
105
|
|
|
|
|
|
|
}, |
106
|
|
|
|
|
|
|
authz => sub { |
107
|
|
|
|
|
|
|
my($user, $action, $resource) = @_; |
108
|
|
|
|
|
|
|
if($user eq 'optimus && $action eq 'open' && $resource =~ m{^/matrix}) |
109
|
|
|
|
|
|
|
{ return 1 } |
110
|
|
|
|
|
|
|
else |
111
|
|
|
|
|
|
|
{ return 0 } |
112
|
|
|
|
|
|
|
}; |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
=head1 DESCRIPTION |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
This plugin provides a very minimal but customizable L<PlugAuth> server which can |
117
|
|
|
|
|
|
|
be included with your L<Mojolicious> application for L<Clustericious> applications |
118
|
|
|
|
|
|
|
to authenticate against. If you do not need specialized plugins for LDAP or DBI, |
119
|
|
|
|
|
|
|
and if you do not need the user/group/resource management provided by a the full |
120
|
|
|
|
|
|
|
featured L<PlugAuth> server then this plugin may be for you. |
121
|
|
|
|
|
|
|
|
122
|
|
|
|
|
|
|
The script L<plugauthlite> included with this distribution provides PlugAuth |
123
|
|
|
|
|
|
|
style authentication (but not authorization) using a simple Apache style password |
124
|
|
|
|
|
|
|
file. |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
=head1 CONFIGURATION |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
=head2 auth |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
Subroutine which checks the authentication of a user. It is passed two arguments, |
131
|
|
|
|
|
|
|
the username and the password. If they are authentic this call back should return |
132
|
|
|
|
|
|
|
1. Otherwise it should return 0. |
133
|
|
|
|
|
|
|
|
134
|
|
|
|
|
|
|
=head2 authz |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
Subroutine which checks the authorization of a user. It is passwd three arguments, |
137
|
|
|
|
|
|
|
the username, action (usually a verb) and resource (usually the path part of a URL). |
138
|
|
|
|
|
|
|
If the user is authorized for the action on that resource the call back should return |
139
|
|
|
|
|
|
|
1. Otherwise it should return 0. |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
=head2 url |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
The prefix to prepend to the standard PlugAuth API routes. Usually the authentication |
144
|
|
|
|
|
|
|
route is /auth and the authorization route is /authz, but if the PlugAuth.conf client |
145
|
|
|
|
|
|
|
configuration is set to http://example.com/foo the client expects the authentication |
146
|
|
|
|
|
|
|
route to be /foo/auth and the authorization route to be /foo/authz. In this case you |
147
|
|
|
|
|
|
|
would set this configuration item to '/foo'. |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
=head2 realm |
150
|
|
|
|
|
|
|
|
151
|
|
|
|
|
|
|
The realm to use for HTTP Basic authentication. The default is PlugAuthLite. |
152
|
|
|
|
|
|
|
|
153
|
|
|
|
|
|
|
=head1 ROUTES |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
=head2 GET /auth |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=over 4 |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
=item * if username and password provided using BASIC authentication and are correct |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
Return 200 ok |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
=item * if username and password provided using BASIC authentication but are not correct |
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
Return 403 not ok |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
=item * if username and password are not provided using BASIC authentication |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
Return 401 please authenticate |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
=back |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
=head2 GET /authz/user/#user/#action/(*resource) |
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
=over 4 |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
=item * if the given user (#user) is permitted to perform the given action (#action) on the given resource (*resource) |
178
|
|
|
|
|
|
|
|
179
|
|
|
|
|
|
|
Return 200 ok |
180
|
|
|
|
|
|
|
|
181
|
|
|
|
|
|
|
=item * otherwise |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
return 403 not ok |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
=back |
186
|
|
|
|
|
|
|
|
187
|
|
|
|
|
|
|
=head1 METHODS |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
=head2 register |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
This method adds the routes to your application required to implement the PlugAuth |
192
|
|
|
|
|
|
|
API. |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
=head1 LIMITATIONS |
195
|
|
|
|
|
|
|
|
196
|
|
|
|
|
|
|
This implementation of the PlugAuth protocol does not support these features provided |
197
|
|
|
|
|
|
|
by the full fledged L<PlugAuth> server: |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
=over 4 |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
=item * |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
Groups |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
=item * |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
Management API for creating/removing/modifying users/groups/resources |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
=item * |
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
Standard Clustericious routes like "/version" and "/status" |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
=item * |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
Clustericious configuration file (~/etc/PlugAuth.conf) |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
=item * |
218
|
|
|
|
|
|
|
|
219
|
|
|
|
|
|
|
Support for L<PlugAuth> plugins (L<PlugAuth::Plugin>). |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
=item * |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
Probably many others. |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
=back |
226
|
|
|
|
|
|
|
|
227
|
|
|
|
|
|
|
=head1 SEE ALSO |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
L<plugauthlite>, |
230
|
|
|
|
|
|
|
L<PlugAuth::Lite>, |
231
|
|
|
|
|
|
|
L<PlugAuth> |
232
|
|
|
|
|
|
|
|
233
|
|
|
|
|
|
|
=head1 AUTHOR |
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
Graham Ollis <plicease@cpan.org> |
236
|
|
|
|
|
|
|
|
237
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
238
|
|
|
|
|
|
|
|
239
|
|
|
|
|
|
|
This software is copyright (c) 2013 by Graham Ollis. |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
This is free software; you can redistribute it and/or modify it under |
242
|
|
|
|
|
|
|
the same terms as the Perl 5 programming language system itself. |
243
|
|
|
|
|
|
|
|
244
|
|
|
|
|
|
|
=cut |